CISSP - Mock Questions with all domains

What is the difference between awareness and training?

Options are :

  • Awareness is changing the behavior so they do the right thing, training is teaching them how to do it. (Correct)
  • Training is changing the behavior so they do the right thing, awareness is teaching them how to do it.
  • Training and awareness are the same.
  • Training is employees using the knowledge we have given them, awareness is them going to a class and getting the knowledge.

Answer : Awareness is changing the behavior so they do the right thing, training is teaching them how to do it.

Explanation Awareness – Changes user behavior; this is what we want, we want them to change their behavior. Training – Provides users with a skillset; this is nice, but if they ignore the knowledge, it does nothing.

An employee has been coached and mentored over months, but it has not improved their performance and attitude. We are unfortunately forced to let them go immediately. When would we lock their accounts?

Options are :

  • Ahead of time.
  • As they are being told. (Correct)
  • After a week.
  • At the next user account cleanup we perform monthly.

Answer : As they are being told.

Explanation Employee Termination Practices – We want to coach and train employees before firing them. They get warnings. When terminating employees, we coordinate with HR to shut off access at the right time.

When we are hiring new employees, we do multiple checks to ensure they are who they say they are. What type of control is a background check?

Options are :

  • Administrative deterrent.
  • Administrative preventative. (Correct)
  • Technical deterrent.
  • Technical preventative.

Answer : Administrative preventative.

Explanation Background checks are an administrative preventative control; we look at references, degrees, employment, criminal and credit history (less common, more costly). For sensitive positions the background check is an ongoing process.

Which type of hacker would publicize a vulnerability if we do NOT make a patch to fix the issue?

Options are :

  • Black hat.
  • Gray hat. (Correct)
  • White hat.
  • Red hat.

Answer : Gray hat.

Explanation Gray/Grey Hat hackers: They are somewhere between the white and black hats, they go looking for vulnerable code, systems or products. They often just publicize the vulnerability (which can lead to black hats using it before a patch is developed). Gray hats sometimes also approach the company with the vulnerability and ask them to fix it and if nothing happens they publish.

We are seeing attacks on one of our servers. The attack is using zombies. Which type of an attack is it?

Options are :

  • DDOS. (Correct)
  • Viruses.
  • Worms.
  • Trojans.

Answer : DDOS.

Explanation A botnet is a C&C (Command and Control) network controlled by people (bot-herders); they can control thousands or even hundreds of thousands of bots (also called zombies) in a botnet.

In an implementation we are planning, we need to ensure we are HIPAA compliant. What is the HIPAA compliance built around?

Options are :

  • PHI. (Correct)
  • Credit cards.
  • PII.
  • ITSM.

Answer : PHI.

Explanation HIPAA (Not HIPPA) – Health Insurance Portability and Accountability Act. Puts strict privacy and security rules on how PHI (Personal Health Information) is handled by Health Insurers, Providers and Clearing House Agencies (Claims).

What would be the role of the Data custodian?

Options are :

  • Make the policies, procedures and standards that govern our data security.
  • Perform the backups and restores. (Correct)
  • Be trained in the policies, procedures and standards.
  • Assign the sensitivity labels and backup frequency of the data.

Answer : Perform the backups and restores.

Explanation Data Custodian: These are the technical hands-on employees who do the backups, restores, patches, system configuration. They follow the directions of the Data Owner.

Which of these could be a COMMON attack on our data in motion?

Options are :

  • Cryptanalysis.
  • Shoulder surfing.
  • Eavesdropping. (Correct)
  • All of these.

Answer : Eavesdropping.

Explanation Data in Motion (Data being transferred on a network). We encrypt our network traffic end to end, on both internal and external networks.

We have added logs to our backup servers to see which of our employees is accessing which data. What is this an example of?

Options are :

  • Proper data handling. (Correct)
  • Proper data storage.
  • Proper data retention.
  • Proper data encryption.

Answer : Proper data handling.

Explanation Data Handling: Only trusted individuals should handle our data; we should also have policies on how, where, when, why the data was handled. Logs should be in place to show these metrics.

As part of our hardware disposal and no data remanence policy, we are getting rid of a pile of hard drives. What would we use on the damaged SSD drives to ensure there is NO data remanence?

Options are :

  • Degauss.
  • Overwrite.
  • Incinerate. (Correct)
  • Format.

Answer : Incinerate.

Explanation We can't degauss SSDs, formatting does nothing, and we can't overwrite since the drive is damaged; the only option of the 4 is to incinerate the drive.

Who is responsible for the financial day to day leadership of our organization?

Options are :

  • The CEO.
  • The CFO (Correct)
  • The CIO.
  • The CSO.

Answer : The CFO

Explanation The Chief Financial Officer is responsible for the organization's accounting and financial activities.

Which of these would be something we do during the e-discovery process?

Options are :

  • Discover all the electronic files we have in our organization.
  • Produce electronic information to internal or external attorneys or legal teams. (Correct)
  • Make sure we keep data long enough in our retention policies for us to fulfil the legal requirements for our state and sector.
  • Delete data that has been requested if the retention period has expired.

Answer : Produce electronic information to internal or external attorneys or legal teams.

Explanation e-Discovery or Discovery of electronically stored information (ESI) is the process of producing all relevant documentation and data to a court or external attorneys in a legal proceeding.

In the US government data classification scheme, data that, if disclosed, could cause damage to national security is classified as?

Options are :

  • Unclassified.
  • Confidential. (Correct)
  • Secret.
  • Top Secret.

Answer : Confidential.

Explanation Confidential information is information that, if compromised, could cause damage to national security.

Which of these is a COMMON attack against data in motion?

Options are :

  • Stealing unencrypted laptops.
  • MITM. (Correct)
  • Screen scrapers.
  • BCP.

Answer : MITM.

Explanation Man in the middle attacks are common attacks on our data as it traverses the internet.

Which of these should NOT be part of a data retention policy?

Options are :

  • Which data do we keep?
  • How long do we keep the data?
  • Where do we keep the backup data?
  • Which backup system we use for backing our data up. (Correct)

Answer : Which backup system we use for backing our data up.

Explanation A backup policy would address which systems and media we would use, the retention policy would only deal with what, how long, where and similar topics.

Which of these is NOT an acceptable form of dealing with remanence?

Options are :

  • Disk shredding.
  • Degaussing.
  • Overwriting.
  • Formatting. (Correct)

Answer : Formatting.

Explanation Formatting puts a new file structure over the old one, the data is still recoverable in most cases.

When we are talking about the different states of data, where would we have data in use?

Options are :

  • On our storage devices.
  • Traversing our network or the internet.
  • In memory. (Correct)
  • In an unsecured box.

Answer : In memory.

Explanation Data in Use: (We are actively using the files/data, so it can’t be encrypted). Use good practices: clean desk policy, print policy, allow no ‘shoulder surfing’, maybe the use of view-angle privacy screens for monitors, and locking the computer screen when leaving the workstation. We would also use disk encryption for workstations; when locked or shut off the data is still there, and if it is not encrypted someone can steal a laptop and access our data.

To ensure we have proper layered defense, we have implemented a clean desk policy. Which of these should be part of that?

Options are :

  • Lock sensitive paper records away as soon as we are done with it. (Correct)
  • Cleaning your desk of all the clutter.
  • Full disk encryption on your hard disk.
  • Picking up anything you print as soon as you print it.

Answer : Lock sensitive paper records away as soon as we are done with it.

Explanation As part of a clean desk policy we should lock sensitive paperwork away as soon as we are done with it for the day.

If we are using the Bell-LaPadula "* security property", what CAN'T we do?

Options are :

  • Read down.
  • Read up.
  • Write down. (Correct)
  • Write up.

Answer : Write down.

Explanation Bell-LaPadula: (Confidentiality) (Mandatory Access Control): * Security Property: “No Write DOWN”. Subjects with Top Secret clearance can’t write Top Secret information to Secret folders.

Lattice based access control uses which access control principle?

Options are :

  • DAC.
  • RBAC.
  • RUBAC.
  • MAC (Correct)

Answer : MAC

Explanation Lattice Based Access Control (LBAC) is a form of mandatory access control. A subject can have multiple access rights. A subject with “Top Secret” {crypto, chemical} would be able to access everything in this lattice. A subject with “Secret” {crypto} would only have access to that level.

On which layer of the ring model would we find the applications?

Options are :

  • -1
  • 0
  • 2
  • 3 (Correct)

Answer : 3

Explanation The Ring Model: a 4-ring model that separates Users (Untrusted) from the Kernel (Trusted). The full model is slow and rarely used; most OSes only use rings 0 and 3. The applications are at layer 3. There is a new addition to the Ring Model: Hypervisor mode is called Ring -1 and is for VM hosts. Ring -1 sits below the client kernel in Ring 0.

In computer architecture, what would the north bridge be connected to?

Options are :

  • CPU. (Correct)
  • Wireless.
  • Mouse/Keyboard.
  • All of these.

Answer : CPU.

Explanation The north bridge is connected to the CPU, the RAM and the video memory (and the south bridge).

Which part of the CPU controls fetching from memory and execution of instructions?

Options are :

  • RAM.
  • ROM.
  • ALU.
  • CU (Correct)

Answer : CU

Explanation Control unit (CU) handles fetching (from memory) and execution of instructions by directing the coordinated operations of the ALU, registers and other components. It also sends instructions to the ALU.

Most newer systems would have multiple Central Processing Units (CPUs). What is it called when multiple tasks share one CPU?

Options are :

  • Multithreading.
  • Multiprocessing.
  • Multitasking. (Correct)
  • Multiprogramming.

Answer : Multitasking.

Explanation Multitasking - Tasks sharing a common resource (1 CPU).

Depending on our implementation, we may choose to use asymmetric or symmetric encryption. Which of these are types of symmetric encryption? (Select all that apply).

Options are :

  • Diffie–Hellman (DH)
  • Twofish. (Correct)
  • Advanced Encryption Standard (AES). (Correct)
  • Data Encryption Standard (DES). (Correct)
  • Elliptic Curve Cryptography (ECC).

Answer : Twofish. Advanced Encryption Standard (AES). Data Encryption Standard (DES).

Explanation Twofish, AES and DES are types of symmetric encryption. DH and ECC are asymmetric types of encryption.

We are using cloud computing, and we are responsible for the operating system and up. Which type of cloud computing are we using?

Options are :

  • IaaS. (Correct)
  • SaaS
  • PaaS
  • IDaaS

Answer : IaaS.

Explanation In public cloud computing IaaS - (Infrastructure as a Service) The vendor provides infrastructure up to the OS, the customer adds the OS and up.

We are looking at adding type 1 VM hypervisors to our environments. What do they run on top of?

Options are :

  • The OS.
  • The hardware. (Correct)
  • The virtual machine.
  • The hypervisor.

Answer : The hardware.

Explanation Hypervisor - Controls the access between the virtual guest/clients and the host hardware. Type 1 hypervisor (Bare Metal) is a part of a Virtualization OS that runs on top of the host hardware (Think Data Center).

Where would you suggest we place a guard at our perimeter to ensure only authorized employees can get onto our grounds?

Options are :

  • At the turnstiles.
  • At the building with the open door.
  • At the gate. (Correct)

Answer : At the gate.

Explanation We only have 2 entry points in the fence. The turnstiles already have fingerprint readers, we would want the guard at the gate for cars.

Which type of malware is embedded in another normal program?

Options are :

  • Worms.
  • Trojans. (Correct)
  • Rootkits.
  • Logic bombs.

Answer : Trojans.

Explanation Trojans - malicious code embedded in a program that is normal. This can be games, attachments, website clicks, etc.

We are using different types of anti-virus in our organization. Which type MUST be constantly updated?

Options are :

  • Heuristic.
  • Signature. (Correct)
  • Formal.
  • Embedded.

Answer : Signature.

Explanation Antivirus Software - tries to protect us against malware. Signature based - looks for known malware signatures - MUST be updated constantly.

What would we use Distributed Control Systems (DCSs) for?

Options are :

  • Computerized control system for a process or plant. (Correct)
  • Controlling manufacturing processes.
  • Monitor our servers, workstations and network devices.
  • High level control supervisory management.

Answer : Computerized control system for a process or plant.

Explanation DCS (Distributed Control Systems) is a computerized control system for a process or plant in which autonomous controllers are distributed throughout the system, but there is central operator supervisory control.

When we are using frequency analysis, what are we looking at?

Options are :

  • How often certain letters are used. (Correct)
  • How often pairs of letters are used.
  • How many messages are sent.
  • How often messages are sent.

Answer : How often certain letters are used.

Explanation Frequency Analysis (analyzing the frequency of a certain character) – In English “E” is used 12.7% of the time. Given enough encrypted substitution text, you can break it just with that.

The order of the plaintext should be dispersed in the ciphertext. What is this called?

Options are :

  • Confusion.
  • Diffusion. (Correct)
  • Substitution.
  • Permutation.

Answer : Diffusion.

Explanation Diffusion is how the order of the plaintext should be “diffused” (dispersed) in the ciphertext.

When our engineers are talking about "the internet", to what are they referring?

Options are :

  • Connected private intranets often between business partners or parent/child companies.
  • An organization's privately owned and operated internal network.
  • The global collection of peered WAN networks, often between ISPs or long haul providers. (Correct)
  • The local area network we have in our home.

Answer : The global collection of peered WAN networks, often between ISPs or long haul providers.

Explanation The Internet is a global collection of peered WAN networks; it really is a patchwork of ISPs.

Our networking department is recommending we use a full duplex solution for an implementation. What is a KEY FEATURE of those?

Options are :

  • One way communication, one system transmits the other receives, direction can't be reversed.
  • Both systems can send and receive at the same time. (Correct)
  • Only one system on the network can send one signal at a time.
  • One way communication, one system transmits the other receives, direction can be reversed.

Answer : Both systems can send and receive at the same time.

Explanation Full-duplex communication sends and receives simultaneously (both systems can transmit and receive at the same time).

When we talk about proprietary software, we are referring to which of these?

Options are :

  • Open source.
  • Closed source.
  • Software not released into the public domain.
  • All of these. (Correct)

Answer : All of these.

Explanation Proprietary software: Software protected by intellectual property and/or patents, often used interchangeably with Closed Source software, but it really is not. It can be both Open and Closed Source software. Any software not released into the public domain is protected by copyright.

When we click the "I agree" button on a software license, what is it we are agreeing to?

Options are :

  • EMLA.
  • EULA. (Correct)
  • BSD.
  • GNU.

Answer : EULA.

Explanation EULAs (End-User License Agreements): Electronic form where the user clicks “I agree” to the software terms and conditions while installing the software.

Which software development methodology breaks the project into smaller tasks and builds multiple models of system design features?

Options are :

  • RAD.
  • Prototyping. (Correct)
  • XP.
  • Scrum.

Answer : Prototyping.

Explanation Prototyping: Breaks projects into smaller tasks, creating multiple prototypes of system design features. A working model of software with some limited functionality, rather than designing the full software up front. Has a high level of customer involvement; the customer inspects the prototypes to ensure that the project is on track and meeting its objectives.

In which database normalization form would we divide the data into tables?

Options are :

  • 1st normal form. (Correct)
  • 2nd normal form.
  • 3rd normal form.
  • 4th normal form.

Answer : 1st normal form.

Explanation Database normalization: Used to clean up the data in a database table to make it logically concise, organized, and consistent. Removes redundant data, and improves the integrity and availability of the database. Normalization has three forms (rules): First Normal Form: Divides the base data into tables, primary key is assigned to most or all tables. Second Normal Form: Move data that is partially dependent on the primary key to another table. Third normal Form: Remove data that is not dependent on the primary key.

In database query languages, which would use these statements: CREATE, ALTER, and DROP

Options are :

  • DDL. (Correct)
  • DML.
  • DRP.
  • BGP.

Answer : DDL.

Explanation Data Definition Language (DDL): A standard for commands that define the different structures in a database. Creates, modifies, and removes database objects such as tables, indexes, and users. Common DDL statements are CREATE, ALTER, and DROP.

Jane is looking at Java vulnerabilities for a report. She needs to present it to senior management at the end of the week. Which type of database does Java use?

Options are :

  • Object-oriented. (Correct)
  • Relational.
  • Document-oriented.
  • Hierarchical.

Answer : Object-oriented.

Explanation Object-Oriented Databases (Object Database Management Systems): Object databases store objects rather than data such as integers, strings or real numbers. Objects are used in object oriented languages such as Smalltalk, C++, Java, etc. Objects, in an object-oriented database, reference the ability to develop a product, then define and name it. The object can then be referenced, or called later, as a unit without having to go into its complexities.

Which programming concept uses short mnemonics like ADD and SUB, which is then matched to its full length binary code?

Options are :

  • Machine code.
  • Source code.
  • Assembler language. (Correct)
  • Compiler language.

Answer : Assembler language.

Explanation Assembler Language: Short mnemonics like ADD/SUB/JMP which are matched with the full-length binary machine code. Assemblers convert assembly language into machine language; a disassembler does the reverse.

Which software development methodology uses prototypes in addition to or instead of design specifications?

Options are :

  • RAD. (Correct)
  • Prototyping.
  • XP.
  • Scrum.

Answer : RAD.

Explanation RAD (Rapid Application Development): Puts an emphasis on adaptability and the necessity of adjusting requirements in response to knowledge gained as the project progresses. Prototypes are often used in addition to or sometimes even in place of design specifications. Very suited for developing software that is driven by user interface requirements. GUI builders are often called rapid application development tools.

When restoring functionality at our DR site, which applications would we move in last?

Options are :

  • Least critical. (Correct)
  • Most critical.
  • The most resource intensive.
  • The least resource intensive.

Answer : Least critical.

Explanation The BCP team has sub-teams responsible for rescue, recovery and salvage in the event of a disaster or disruption. Recovery team (failover): Responsible for getting the alternate site up and running as fast as possible or for getting the systems rebuilt. We get the most critical systems up first.

Using RAID 0 on one of our servers Jane is adding which type of disk pool?

Options are :

  • Mirroring.
  • Striping. (Correct)
  • Striping with parity.
  • Mirroring with parity.

Answer : Striping.

Explanation RAID 0: Striping with no mirroring or parity, no fault tolerance, only provides faster read/write speed, requires at least 2 disks.

To ensure our compliance, an unstructured audit is done. What would that entail?

Options are :

  • Testing against a published standard.
  • External auditors come in.
  • Internal auditors looking for flaws. (Correct)
  • Internal IT Security employees double checking their work.

Answer : Internal auditors looking for flaws.

Explanation Unstructured audits: Done by internal auditors to improve our security and find flaws, often before an external audit.

Which type of hacker is skilled and often alerts companies to vulnerabilities before publishing them?

Options are :

  • Black hat.
  • Gray hat. (Correct)
  • White hat.
  • Script kiddie.

Answer : Gray hat.

Explanation Gray/Grey Hat hackers: They are somewhere between the white and black hats; they often alert the company so it can fix the flaw, and if the company does nothing they then publish the flaw.

Which authentication method are you expected to have?

Options are :

  • Type 1.
  • Type 2. (Correct)
  • Type 3.
  • Type 0.

Answer : Type 2.

Explanation Something you have - Type 2 Authentication: ID, passport, smart card, token, cookie on PC, these are called Possession factors. The subject uses these to authenticate their identity, if they have the item, they must be who they say they are.

When using magnetic stripe ID cards which of these would we implement for visual inspection and is the most secure?

Options are :

  • Picture of the user.
  • Embedded hologram. (Correct)
  • Name, title and department.
  • PHI.

Answer : Embedded hologram.

Explanation Embedded holograms on IDs are much harder to replicate than pictures and other things that can be printed on the card. We would never have PHI on an ID card.

In the IAAA model which is not one of the A's?

Options are :

  • Authentication.
  • Availability. (Correct)
  • Authorization.
  • Auditing.

Answer : Availability.

Explanation IAAA is Identification and Authentication, Authorization and Accountability (also called auditing). Availability is part of the CIA triad not IAAA.

We are implementing governance standard and control frameworks focused on IT service management. What should we implement?

Options are :

  • COBIT.
  • ITIL. (Correct)
  • COSO.
  • FRAP

Answer : ITIL.

Explanation ITIL (Information Technology Infrastructure Library) focuses on ITSM (IT Service Management).

With which of these is your work NOT protected if someone were to copy it?

Options are :

  • Trademark.
  • Patent.
  • Copyright.
  • Trade secret. (Correct)

Answer : Trade secret.

Explanation Trade Secrets. You tell no one about your formula, your secret sauce. If discovered, anyone can use it; you are not protected.

What could be a security concern we would need to address in a procurement situation?

Options are :

  • Who gets the IT Infrastructure?
  • How do we ensure their security standards are high enough?
  • Security is part of the SLA. (Correct)
  • All of these.

Answer : Security is part of the SLA.

Explanation Procurement: When we buy products or services from a 3rd party, security should be part of the SLA.

Which of these could be an example of a type of corrective access control?

Options are :

  • Encryption.
  • Alarms
  • Backups.
  • Patches. (Correct)

Answer : Patches.

Explanation Corrective: Controls that Correct an attack – Anti-virus, Patches, IPS.

In our risk analysis, we are looking at the risk. What would that comprise of?

Options are :

  • Threat + vulnerability.
  • Threat x vulnerability. (Correct)
  • Threat * vulnerability * asset value.
  • (threat * vulnerability * asset value) - countermeasures.

Answer : Threat x vulnerability.

Explanation Risk = Threat x Vulnerability.

During our risk analysis, we are rating our incident likelihood as rare, unlikely, possible, likely, and certain. Which type of risk analysis are we using?

Options are :

  • Quadratic risk analysis.
  • Cumulative risk analysis.
  • Quantitative risk analysis.
  • Qualitative risk analysis. (Correct)

Answer : Qualitative risk analysis.

Explanation Qualitative Risk Analysis – How likely is it to happen and how bad is it if it happens? This is vague, guessing, a feeling and relatively quick to do. Most often done to know where to focus the Quantitative Risk Analysis.

We are discussing our risk responses and we are considering not issuing our employees laptops. What type of risk response would that be?

Options are :

  • Risk transference.
  • Risk rejection.
  • Risk avoidance. (Correct)
  • Risk mitigation.

Answer : Risk avoidance.

Explanation Risk Avoidance – We don't issue employees laptops (if possible) or we build the Data Center in an area that doesn't flood. (Most often done before launching new projects – this could be the Data Center build).

What would we call social engineering through emails that target specific individuals, where the attacker has specific knowledge about the company?

Options are :

  • Spear phishing. (Correct)
  • Whale phishing.
  • Phishing.
  • Vishing.

Answer : Spear phishing.

Explanation Spear Phishing: Targeted Phishing, not just random spam, but targeted at specific individuals. Sent with knowledge about the target (person or company); familiarity increases success.

If we are using a qualitative risk analysis approach, which of these would we use?

Options are :

  • Risk analysis matrix. (Correct)
  • Cost per incident.
  • Exposure factor.
  • Asset value.

Answer : Risk analysis matrix.

Explanation Qualitative Risk Analysis – How likely is it to happen and how bad is it if it happens? This is vague, guessing, a feeling and relatively quick to do. Most often done to know where to focus the Quantitative Risk Analysis.
