CISSP - Security and Risk Management Practice Questions

If an attacker is using Distributed Denial of Service (DDoS) attacks, which part of the CIA triad is the attacker targeting?

Options are :

  • Authentication.
  • Confidentiality.
  • Availability. (Correct)
  • Integrity.

Answer : Availability.

Explanation Availability threats: Malicious attacks (DDOS, Physical, System compromise, Staff). To mitigate this we use redundancy on Hardware Power (Multiple Power Supplies/UPS’/Generators), Disks (RAID), Traffic paths (Network Design), HVAC, Staff, HA (high availability) and much more.

Our board of directors has decided our data integrity is the most important to our organization. Which of these could we implement to prove we have data integrity?

Options are :

  • Hashes. (Correct)
  • Multifactor authentication.
  • Redundant hardware.
  • None of these.

Answer : Hashes.

Explanation Hashing ensures the data was not altered, proving the integrity of the data.

When an attacker has obtained our sensitive data, and chooses to disclose it on a website, which leg of the CIA triad would be MOST affected?

Options are :

  • Authentication.
  • Confidentiality. (Correct)
  • Availability.
  • Integrity.

Answer : Confidentiality.

Explanation Disclosure is the opposite of confidentiality: someone who is not authorized gets access to your information.

When authenticating against our access control systems, you are using your passphrase. Which type of authentication are you using?

Options are :

  • A possession factor.
  • A knowledge factor. (Correct)
  • A biometric factor.
  • A location factor.

Answer : A knowledge factor.

Explanation Something you know - Type 1 Authentication: passwords, passphrases, PINs etc., also called knowledge factors. The subject uses these to authenticate their identity: if they know the secret, they must be who they say they are. This is the most commonly used form of authentication, and a password is the most common knowledge factor.

In our identity and access management, we are talking about the IAAA model. Which of these is NOT one of the A's of that model?

Options are :

  • Authentication.
  • Availability. (Correct)
  • Authorization.
  • Auditing.

Answer : Availability.

Explanation IAAA is Identification and Authentication, Authorization and Accountability (also called auditing). Availability is part of the CIA triad, not IAAA.

If we are wanting to implement a governance standard and control framework focused on IT service management, which of these should we implement?

Options are :

  • COBIT.
  • ITIL. (Correct)
  • COSO.
  • FRAP.

Answer : ITIL.

Explanation ITIL (Information Technology Infrastructure Library) focuses on ITSM (IT Service Management).

We are in a court of law and the proof must be "beyond a reasonable doubt", which type of court are we in?

Options are :

  • Criminal court. (Correct)
  • Civil court.
  • Administrative court.
  • Probation court.

Answer : Criminal court.

Explanation Criminal Law: “Society” is the victim and proof must be “beyond a reasonable doubt”. Incarceration, death and financial fines to “punish and deter”.

As an IT Security professional, you are expected to perform your due diligence. What does this mean?

Options are :

  • Researching and acquiring the knowledge to do your job right. (Correct)
  • Do what is right in the situation and your job. Act on the knowledge.
  • Continue the security practices of your company.
  • Apply patches annually.

Answer : Researching and acquiring the knowledge to do your job right.

Explanation Due Diligence – The research needed to build the IT security architecture of your organization: best practices and common protection mechanisms, and research of new systems before implementing them.

You can MOST LIKELY be held liable when you display which of these?

Options are :

  • Due care.
  • Due diligence.
  • Negligence. (Correct)
  • Remorse.

Answer : Negligence.

Explanation Negligence (and Gross Negligence) is the opposite of Due Care. If a system under your control is compromised and you can prove you did your Due Care you are most likely not liable. If a system under your control is compromised and you did NOT perform Due Care you are most likely liable.

After a security incident, our legal counsel presents the logs from the time of the attack in court. They constitute which type of evidence?

Options are :

  • Real evidence.
  • Direct evidence.
  • Secondary evidence. (Correct)
  • Circumstantial evidence.

Answer : Secondary evidence.

Explanation Secondary Evidence – This is common in cases involving IT. Logs and documents from the systems are considered secondary evidence.

What is something that could make evidence inadmissible in court?

Options are :

  • Complete chain of custody.
  • Alterations to the data. (Correct)
  • Taking a bit level copy of the compromised hard drive, hashing both drives, hashes are identical. Do forensics on the copy drive, hash after forensics is identical too.
  • Enticement.

Answer : Alterations to the data.

Explanation Altering the data makes it inadmissible; this is similar to planting evidence at the crime scene.

Our organization is considering different types of intellectual protection options. Which of these is something that can be patented?

Options are :

  • Software.
  • Logos.
  • Inventions. (Correct)
  • Public domain (CC0) photos.

Answer : Inventions.

Explanation Patents: Protects inventions for 20 years (normally) – Cryptography algorithms can be patented. Inventions must be: Novel (New idea no one has had before). Useful (It is actually possible to use and it is useful to someone). Nonobvious (Inventive work involved).

Who would be allowed to act in exigent circumstances?

Options are :

  • Those operating under the color of law. (Correct)
  • Our IT security team.
  • Our legal team.
  • Lawyers.

Answer : Those operating under the color of law.

Explanation Exigent circumstances apply if there is an immediate threat to human life or of evidence destruction. Whether it was justified will later be decided by a court. Only applies to law enforcement and those operating under the “color of law” – Title 18. U.S.C. Section 242 – Deprivation of Rights Under the Color of Law.

Who in our organization should approve the deployment of honeypots and honeynets?

Options are :

  • Our legal team. (Correct)
  • Our HR and payroll team.
  • The engineer deploying it.
  • A judge.

Answer : Our legal team.

Explanation Get approval from senior management and your legal department before deploying honeypots or honeynets: legal would know the legal ramifications, and senior management are ultimately liable. Both can pose legal and practical risks.

We have had a major security breach. We lost 10,000 credit card files from a stolen laptop. We are in a state in the US that has a security breach notification law. What could allow us legally to NOT disclose the breach?

Options are :

  • Senior management's decision to not disclose.
  • The impact it would have on our revenue.
  • The laptop being encrypted. (Correct)
  • The laptop being backed up.

Answer : The laptop being encrypted.

Explanation US Security Breach Notification Laws. This is not federal; 48 states have individual laws. Know the one for your state (none in Alabama and South Dakota). They normally require organizations to inform anyone who had their PII compromised. Many have an encryption clause where lost encrypted data may not require disclosure.

When exporting our products to certain countries we need to be compliant with the Wassenaar Arrangement. Which of these is NOT covered by the agreement?

Options are :

  • Rockets.
  • Encryption.
  • Telecommunications.
  • SIEM. (Correct)

Answer : SIEM.

Explanation Wassenaar Arrangement – Export/Import controls for Conventional Arms and Dual-Use Goods and Technologies. The Arrangement covers 10 Categories: 1. Special Materials and Related Equipment, 2. Materials Processing, 3. Electronics, 4. Computers, 5.1 Telecommunications, 5.2 "Information Security", 6. Sensors and "Lasers", 7. Navigation and Avionics, 8. Marine, 9. Aerospace and Propulsion.

What is the difference between awareness and training?

Options are :

  • Awareness is changing the behavior so they do the right thing, training is teaching them how to do it. (Correct)
  • Training is changing the behavior so they do the right thing, awareness is teaching them how to do it.
  • Training and awareness are the same.
  • Training is employees using the knowledge we have given them, awareness is them going to a class and getting the knowledge.

Answer : Awareness is changing the behavior so they do the right thing, training is teaching them how to do it.

Explanation Awareness – Change user behavior - this is what we want, we want them to change their behavior. Training – Provides users with a skillset - this is nice, but if they ignore the knowledge, it does nothing.

An employee has been coached and mentored over months, but it has not improved their performance and attitude. We are unfortunately forced to let them go immediately. When would we lock their accounts?

Options are :

  • Ahead of time.
  • As they are being told. (Correct)
  • After a week.
  • At the next user account cleanup we perform monthly.

Answer : As they are being told.

Explanation Employee Termination Practices – We want to coach and train employees before firing them. They get warnings. When terminating employees, we coordinate with HR to shut off access at the right time.

When we are hiring new employees, we do multiple checks to ensure they are who they say they are. What type of control is a background check?

Options are :

  • Administrative deterrent.
  • Administrative preventative. (Correct)
  • Technical deterrent.
  • Technical preventative.

Answer : Administrative preventative.

Explanation Background checks are an administrative preventative control; we look at references, degrees, employment, criminal and credit history (less common, more costly). For sensitive positions the background check is an ongoing process.

Which type of hacker would publicize a vulnerability if we do NOT make a patch to fix the issue?

Options are :

  • Black hat.
  • Gray hat. (Correct)
  • White hat.
  • Red hat.

Answer : Gray hat.

Explanation Gray/Grey Hat hackers: They are somewhere between the white and black hats, they go looking for vulnerable code, systems or products. They often just publicize the vulnerability (which can lead to black hats using it before a patch is developed). Gray hats sometimes also approach the company with the vulnerability and ask them to fix it and if nothing happens they publish.

We are seeing attacks on one of our servers. The attack is using zombies. Which type of an attack is it?

Options are :

  • DDOS. (Correct)
  • Viruses.
  • Worms.
  • Trojans.

Answer : DDOS.

Explanation A botnet is a C&C (Command and Control) network controlled by people (bot-herders); they can control thousands or even hundreds of thousands of bots (also called zombies) in a botnet.

In an implementation we are planning, we need to ensure we are HIPAA compliant. What is the HIPAA compliance built around?

Options are :

  • PHI. (Correct)
  • Credit cards.
  • PII.
  • ITSM.

Answer : PHI.

Explanation HIPAA (Not HIPPA) – Health Insurance Portability and Accountability Act. Puts strict privacy and security rules on how PHI (Personal Health Information) is handled by Health Insurers, Providers and Clearing House Agencies (Claims).

With which of these would your work NOT be protected if someone were to copy it?

Options are :

  • Trademark.
  • Patent.
  • Copyright.
  • Trade secret. (Correct)

Answer : Trade secret.

Explanation Trade Secrets. You tell no one about your formula, your secret sauce. If discovered, anyone can use it; you are not protected.

What could be a security concern we would need to address in a procurement situation?

Options are :

  • Who gets the IT Infrastructure?
  • How do we ensure their security standards are high enough?
  • Security is part of the SLA. (Correct)
  • All of these.

Answer : Security is part of the SLA.

Explanation Procurement: When we buy products or services from a 3rd party, security should be part of the SLA.

Which of these could be an example of a type of corrective access control?

Options are :

  • Encryption.
  • Alarms.
  • Backups.
  • Patches. (Correct)

Answer : Patches.

Explanation Corrective: Controls that Correct an attack – Anti-virus, Patches, IPS.

In our risk analysis, we are looking at the risk. What would that comprise?

Options are :

  • Threat + vulnerability.
  • Threat x vulnerability. (Correct)
  • Threat * vulnerability * asset value.
  • (threat * vulnerability * asset value) - countermeasures.

Answer : Threat x vulnerability.

Explanation Risk = Threat x Vulnerability.

During our risk analysis, we are rating our incident likelihood as rare, unlikely, possible, likely, and certain. Which type of risk analysis are we using?

Options are :

  • Quadratic risk analysis.
  • Cumulative risk analysis.
  • Quantitative risk analysis.
  • Qualitative risk analysis. (Correct)

Answer : Qualitative risk analysis.

Explanation Qualitative Risk Analysis – How likely is it to happen and how bad is it if it happens? This is vague, guessing, a feeling and relatively quick to do. Most often done to know where to focus the Quantitative Risk Analysis.

We are discussing our risk responses and we are considering not issuing our employees laptops. What type of risk response would that be?

Options are :

  • Risk transference.
  • Risk rejection.
  • Risk avoidance. (Correct)
  • Risk mitigation.

Answer : Risk avoidance.

Explanation Risk Avoidance – We don't issue employees laptops (if possible) or we build the Data Center in an area that doesn't flood. (Most often done before launching new projects – this could be the Data Center build).

What would we call social engineering through emails that target specific individuals, where the attacker has specific knowledge about the company?

Options are :

  • Spear phishing. (Correct)
  • Whale phishing.
  • Phishing.
  • Vishing.

Answer : Spear phishing.

Explanation Spear Phishing: Targeted Phishing, not just random spam, but targeted at specific individuals. Sent with knowledge about the target (person or company); familiarity increases success.

If we are using a qualitative risk analysis approach, which of these would we use?

Options are :

  • Risk analysis matrix. (Correct)
  • Cost per incident.
  • Exposure factor.
  • Asset value.

Answer : Risk analysis matrix.

Explanation Qualitative Risk Analysis – How likely is it to happen and how bad is it if it happens? This is vague, guessing, a feeling and relatively quick to do. Most often done to know where to focus the Quantitative Risk Analysis.

Prior to us deploying honeypots and honeynets, who should sign off on the deployment?

Options are :

  • Our HR and payroll team.
  • Senior management. (Correct)
  • The engineer deploying it.
  • A judge.

Answer : Senior management.

Explanation Get approval from senior management and your legal department before deploying honeypots or honeynets: legal would know the legal ramifications, and senior management are ultimately liable. Both can pose legal and practical risks.

In quantitative risk analysis, what does the ALE tell us?

Options are :

  • The value of the asset.
  • How often that asset type is compromised per year.
  • What it will cost us per year if we do nothing. (Correct)
  • How much of the asset is lost per incident.

Answer : What it will cost us per year if we do nothing.

Explanation Annualized Loss Expectancy (ALE) – This is what it costs per year if we do nothing.

In a risk analysis, we are looking at the upfront cost and ongoing support of a mitigation solution. What would that be called?

Options are :

  • ALE.
  • ARO.
  • TCO. (Correct)
  • SLE.

Answer : TCO.

Explanation Total Cost of Ownership (TCO) – The mitigation cost: upfront + ongoing cost (normally operational).

Jane is doing quantitative risk analysis for our senior management team. They want to know what a data center flooding will cost us. The data center is valued at $10,000,000. We would lose 10% of our infrastructure and the flooding happens on average every 4 years. How much would the annualized loss expectancy be?

Options are :

  • 1000000
  • 100000
  • 2500000
  • 250000 (Correct)

Answer : 250000

Explanation The data center is valued at $10,000,000, we would lose 10% per incident and it happens every 4 years. $10,000,000 * 0.1 (10%) * 0.25 (happens every 4 years, we need to know the chance per year) = $250,000.

Jane has determined our Annualized Loss Expectancy (ALE) for laptops is $250,000. She is recommending we implement full disk encryption and remote wiping capabilities on all our laptops. The $1,000 laptop value is still lost, but the $9,000 value loss from Personally identifiable information (PII) exposure would be mitigated. How many laptops do we lose per year?

Options are :

  • 25 (Correct)
  • 50
  • 10
  • 15

Answer : 25

Explanation With a current ALE of $250,000 and an AV of $10,000 ($1,000 + $9,000), we lose 25 laptops per year.

In our risk analysis, we know there is a risk, but we do not analyze how bad an impact would be. Which type of risk response is that an example of?

Options are :

  • Risk transference.
  • Risk mitigation.
  • Risk avoidance.
  • Risk rejection. (Correct)

Answer : Risk rejection.

Explanation Risk Rejection – You know the risk is there, but you are ignoring it. This is never acceptable. (You are liable).

Using highly targeted emails to senior management, an attacker has sent an email threatening a lawsuit if attached documents are not filled out and returned by a certain date. What is this an example of?

Options are :

  • Vishing.
  • Social engineering.
  • Whale phishing. (Correct)
  • MITM.

Answer : Whale phishing.

Explanation This is whale phishing, which is a social engineering attack. Whale Phishing (Whaling): Spear phishing targeted at senior leadership of an organization. This could be: “Your company is being sued if you don't fill out the attached documents (with a Trojan in them) and return them to us within 2 weeks”.

We have applied for a trademark and it has been approved. How are we protected?

Options are :

  • Protected for 70 years after the creators death or 95 years for corporations.
  • You tell no one, if discovered you are not protected.
  • Protected for 20 years after filing.
  • Protected 10 years at a time, and it can be renewed indefinitely. (Correct)

Answer : Protected 10 years at a time, and it can be renewed indefinitely.

Explanation Trademarks ™ and ® (Registered Trademark). Brand Names, Logos, Slogans – Must be registered, is valid for 10 years at a time, can be renewed indefinitely.

Which of these are COMMON attacks on trade secrets?

Options are :

  • Software piracy.
  • Industrial espionage, trade secrets are security through obscurity, if discovered nothing can be done. (Correct)
  • Counterfeiting.
  • Someone using your protected design in their products.

Answer : Industrial espionage, trade secrets are security through obscurity, if discovered nothing can be done.

Explanation Trade Secrets. While an organization can do nothing if their trade secret is discovered, how it is discovered can be illegal. You tell no one about your formula, your secret sauce. If discovered, anyone can use it; you are not protected.

You are talking to a new manager of our helpdesk. You are explaining how we do risk analysis. They ask you: "How do you define a vulnerability?"

Options are :

  • How bad is it if we are compromised?
  • A potential harmful incident.
  • A weakness that can possibly be exploited. (Correct)
  • The total risk after we have implemented our countermeasures.

Answer : A weakness that can possibly be exploited.

Explanation Vulnerability – A weakness that can allow the threat to do harm. Having a Data Center in the Tsunami flood area, not Earthquake resistant, not applying patches and antivirus, …

Which of these could be a countermeasure we have in place that could help us recover after an incident?

Options are :

  • Encryption.
  • Backups. (Correct)
  • Patches.
  • Intrusion detection systems.

Answer : Backups.

Explanation Recovery: Controls that help us recover after an attack – DR Environment, Backups, HA Environments.

John has installed a backdoor to your system and he is using it to send spam emails to thousands of people. He is using a C&C structure. What is your system?

Options are :

  • A bot herder in a botnet.
  • A bot in a botnet. (Correct)
  • A botnet.
  • A standalone bot.

Answer : A bot in a botnet.

Explanation Bots and botnets (bot is short for robot): A bot is a system with malware that is controlled by a botnet. The system is compromised by an attack or by the user installing a Remote Access Trojan (a game or application with a hidden payload). They often use IRC, HTTP or HTTPS. Some are dormant until activated. Others are actively sending data from the system (credit card/bank information for instance). Active bots can also be used to send spam emails. A botnet is a C&C (Command and Control) network, controlled by people (bot-herders). There can often be 1,000’s or even 100,000’s of bots in a botnet.

We have been using hashing with salting for our passwords for some years. One of our executives has just heard about the CIA triad and asks, "Which leg of the CIA triad does that support?". What do you answer?

Options are :

  • Integrity. (Correct)
  • Availability.
  • Confidentiality.
  • None of these.

Answer : Integrity.

Explanation For system and data integrity we use: cryptography, checksums (this could be CRC), message digests, also known as hashes (this could be MD5, SHA1 or SHA2), digital signatures (non-repudiation) and access control.

Which of these would be COMMON attacks focused on compromising our availability?

Options are :

  • DDOS. (Correct)
  • Social engineering.
  • Viruses.
  • All of these.

Answer : DDOS.

Explanation For data availability we use: IPS/IDS. Patch management. Redundancy on hardware power (multiple power supplies/UPS’/generators), disks (RAID), traffic paths (network design), HVAC, staff, HA (high availability) and much more. SLA’s – How high an uptime do we want (99.9%?) – (ROI). Threats: Malicious attacks (DDOS, physical, system compromise, staff, wireless jamming). Application failures (errors in the code). Component failure (hardware).

We are considering how we should protect our intellectual property. Which of these do you need to apply for to be protected? (Select all that apply).

Options are :

  • Copyright.
  • Trademarks. (Correct)
  • Patents. (Correct)
  • Trade Secrets.

Answer : Trademarks. Patents.

Explanation Trademarks and patents are both something you need to apply for. Copyright is automatically granted and trade secrets are not granted since it is just you telling no-one about your secret formula or product.

As part of a management level training class we are teaching all staff with manager or director in their title about basic IT Security. We are covering the CIA triad, which of these attacks focuses on compromising our confidentiality?

Options are :

  • Wireless jamming.
  • Social engineering. (Correct)
  • Malware.
  • All of these.

Answer : Social engineering.

Explanation For confidentiality we use: Encryption for data at rest (for instance AES256), full disk encryption. Secure transport protocols for data in motion (SSL, TLS or IPSEC). Best practices for data in use - clean desk, no shoulder surfing, screen view angle protector, PC locking (automatic and when leaving). Strong passwords, multi-factor authentication, masking, access control, need-to-know, least privilege. Threats: Attacks on your encryption (cryptanalysis). Social engineering. Keyloggers (software/hardware), cameras, steganography. Man-in-the-middle attacks.

There are many risks in today’s increasingly complex IT world, and how we deal with them should be part of an overarching strategy. We could for instance be risk neutral or averse. Who would decide our organization's risk appetite?

Options are :

  • The IT security team.
  • The IT leadership team.
  • Senior management. (Correct)
  • Rules and regulations.

Answer : Senior management.

Explanation Governance – This is C-level executives (not you). Stakeholder needs, conditions and options are evaluated to define balanced, agreed-upon enterprise objectives to be achieved; setting direction through prioritization and decision making; monitoring performance and compliance against the agreed-upon direction and objectives. Risk appetite – aggressive, neutral, averse.

Looking at our information security governance, who would approve and sign off on our policies?

Options are :

  • Senior management. (Correct)
  • The IT teams.
  • IT security.
  • IT management.

Answer : Senior management.

Explanation Policies are mandatory; they are high level and non-specific. They contain “patches, updates, strong encryption”, but they will not be specific to “OS, encryption type, vendor technology”. They are approved and often written by senior management.

Jane is working on strengthening our preventative controls. What could she look at to do that?

Options are :

  • Drug tests. (Correct)
  • IDS.
  • Backups.
  • Patches.

Answer : Drug tests.

Explanation Preventative: Prevents action from happening – Least Privilege, Drug Tests, IPS, Firewalls, Encryption.
