CISSP Practice Questions — FREE 10 Questions and Answers

CISSP, or Certified Information Systems Security Professional, is one of the world’s most valuable and sought-after information security certifications. The CISSP certification exam is difficult, so passing it requires in-depth knowledge and a solid understanding of the fundamental concepts of information security. You must also devote 40 to 70 hours of study time to exam preparation, pay the CISSP certification fee, and fully understand the CISSP study material in order to pass the exam. CISSP practice questions will be one of the most useful study materials you come across during your CISSP certification journey: the more you practice, the more likely you are to pass the CISSP exam on your first try.

Why Should You Go Through the CISSP Practice Exam?

Once you’ve decided to embark on your CISSP certification journey, make sure you succeed. Taking the CISSP practice exam multiple times is one of the proven 7 steps in the CISSP Study Guide to fully prepare for the CISSP certification exam. The practice exam lets you identify your strengths and weaknesses and determine which of the CISSP domains you need to focus on more. If you are not scoring above 70% on your CISSP practice exams, we strongly advise you to enroll in and complete a comprehensive CISSP certification training programme. Before embarking on your CISSP journey, check the CISSP certification requirements to see whether you meet them. You can also view our 30-minute free CISSP training demo.
The 10 CISSP Practice Questions

The CISSP practice exam in this post covers key concepts from each of the eight domains of the CISSP certification exam. Each practice question comes with its answer and a rationale to help you understand the subject. These 10 sample questions will familiarise you with the style of CISSP practice questions, reinforce your learning, and help you prepare for the real CISSP exam.

Let’s Begin the CISSP Practice Exam!

Work through our CISSP practice exam sample below. When you have finished, you can use our free CISSP exam simulator to get more CISSP practice exam questions. So, go ahead and put your knowledge of the CISSP exam content to the test right now.

CISSP Practice Questions and Answers #1

The “State Machine Model” security model requires that a system be protected in all of its states (startup, normal operation, and shutdown); otherwise it is insecure. This requirement necessitates responding to security events in order to prevent further compromise. What security concept is this response method an example of?

1. Open Design
2. Closed Design
3. Trusted Recovery
4. Least Privilege

Answer: C (Trusted Recovery)

Trusted recovery is required for high-security systems and allows a system to terminate its processes safely. If a system crashes, it must restart in a secure state that prevents any further compromise of the system’s security policy. Under the principle of open design, the security of a mechanism should not depend on the secrecy of its design or implementation; closed design is the opposite and relies on that secrecy. (The similarly named open-closed principle in object-oriented programming is a different concept: it states that “software entities (classes, modules, functions, etc.) should be open for extension but closed for modification,” meaning that an entity can allow its behaviour to be extended without modifying its source code.) Least privilege is the concept and practice of restricting the access rights of users, accounts, and computing processes to only those resources absolutely required to perform routine, legitimate activities.
CISSP Sample Questions and Answers #2

The Heartbleed vulnerability in OpenSSL allowed attackers to read memory contents from affected servers, which ultimately led to the exposure of protected information, including service providers’ private keys. Many practitioners believe that open design is better than closed design. What one consideration is usually necessary to allow an open design to provide greater security?

1. Peer Review
2. Security through obscurity
3. The complexity of design
4. Trusted hierarchy

Answer: A (Peer Review)

Open design is often thought to be superior to closed design because it allows feedback from others in the community: if others have access to the code, they will examine and review it and, over time, improve it. Unfortunately, that was not the case with OpenSSL, whose code was open but not widely reviewed. Code that is not reviewed is effectively closed source, and the quality of the code, rather than whether it is open or closed, ultimately determines security. Security through obscurity is the opposite of peer review and open design: it relies on keeping the design secret. Design complexity is not a security control either; a more complex design is harder to review and therefore more likely to hide flaws. In the hierarchical trust model, trust is organised like an upside-down tree whose root is the starting point of trust. All nodes in the model have to trust the root CA and keep a copy of the root CA’s public-key certificate.

CISSP Practice Test Questions and Answers #3

A security concern when using private keys is that a user’s private key may be lost. To mitigate this risk, an organisation may designate a key recovery agent who is able to back up and recover users’ keys. Granting a single individual the ability to recover users’ private keys increases non-repudiation risk, because another party has access to the key. Which principle could be implemented to mitigate this risk?

1. Segregation of duties
2. Principle of least privilege
3. Dual control
4. Need to know

Answer: C (Dual Control)

Dual control is a security principle that requires the presence of multiple parties for a task that may have serious security implications. In this case, at least two administrators should be present before a private key can be recovered. M of N control is a subset of dual
control: M and N are variables, and to recover a key this control requires M out of a total of N administrators to be present. Segregation of duties refers to the requirement that more than one person be involved in completing a sensitive task. The principle of least privilege (PoLP) is the information security concept that a user is given the minimum level of access or permissions needed to perform their job functions. The need-to-know principle is that access to secured data must be necessary for the conduct of the user’s job functions.

CISSP Practice Questions and Answers #4

In which BCP development phase must senior management provide its commitment to support, fund, and assist the creation of the BCP?

1. Project Initiation
2. Planning
3. Implementation
4. Development

Answer: A (Project Initiation)

Traditionally, the project initiation phase is when senior management pledges its support for the project. During this phase management frequently provides a project charter, which is a formal written document in which the project is officially authorised, a project manager is selected and named, and management commits its support. For the BCP to be successful, management must provide support throughout the development process, including review, feedback, and resources.

CISSP Questions and Answers #5

What is the most proactive (and minimum-effort) way to mitigate the risk of an attacker gaining network access and using a protocol analyzer to capture and view (sniff) unencrypted traffic?

1. Implement a policy that forbids the use of packet analyzers/sniffers, and monitor the network frequently.
2. Scan the network periodically to determine whether unauthorized devices are connected. If such devices are detected, disconnect them immediately and provide management with a report on the violation.
3. Implement switch-level controls such as disabling unused ports and MAC filtering on the enterprise switches to prevent an unauthorized device from connecting to the network, and implement software restriction policies to prevent unauthorized software from being installed on systems.
4. Install anti-spyware software on all systems on the network.
Answer: C (Switch-level controls and software restriction policies)

To significantly reduce network risk, we must implement controls that restrict which devices can connect to our network. We are also concerned about monitoring software being installed on our hosts, so we want to restrict its ability to be installed. Other basic security requirements, such as strong passwords, account lockout policies, and physical security, must be met as well. Remember that proactive controls PREVENT an attack rather than responding to it: network scans often detect rogue devices but rarely prevent them, and policies describe high-level enterprise intentions that still have to be implemented by technical controls. Note that port security and MAC filtering raise the bar but are not a complete defence on their own, since MAC addresses can be spoofed; 802.1X port-based authentication is the stronger form of this control.

CISSP Practice Questions and Answers #6

Confidentiality can be breached via social engineering attacks. Although training helps reduce the number of these attacks, it does not eliminate the risk. Which of the following is an administrative control that is most likely to help mitigate this risk?

1. Formal onboarding policies
2. Job rotation
3. Formal off-boarding policies
4. Segregation of duties

Answer: D (Segregation of duties)

Segregation of duties splits a sensitive task among several people so that no single person holds all the privileges or information needed to complete it. This limits what a successful social-engineering attack on any one employee can yield: for example, a user is unlikely to leak the password for a file server because that password is only available to those whose jobs require access to it. Segregation of duties is frequently applied together with need-to-know and the principle of least privilege. Formal onboarding would raise user awareness but is not a preventive control. Job rotation reduces the opportunity for a user to commit fraud, but not the likelihood of social engineering. Formal off-boarding has no effect on the risk of social engineering.

CISSP Sample Questions and Answers #7

Specific system components determine a system’s security, and trust in the system reflects trust in those components. These components are collectively referred to as the __________ of the system.

1. Ring 1 elements
2. Trusted Computing Base
3. Operating System Kernel
4. Firmware

Answer: B (Trusted Computing Base)

The Trusted Computing Base (TCB) is the set of system elements that enforce the security policy and determine a system’s security capabilities. The term was coined in the Orange Book, the U.S. Department of Defense’s Trusted Computer System Evaluation Criteria (TCSEC). The TCB contains components such as the system firmware/BIOS, CPU, memory, and the OS kernel. Ring 1 refers to one of the processor protection rings (ring 0 is the most privileged, ring 3 the least); ring 1 elements alone do not define a system’s security. The kernel is the program at the heart of an operating system that has complete control over everything in the system; it is the portion of the operating system code that is always resident in memory and allows hardware and software components to interact. The kernel is part of the TCB but is not the whole of it. Firmware is a type of computer software that provides low-level control over a device’s hardware; it can either provide a standardised operating environment for more complex device software (allowing greater hardware independence) or act as the device’s complete operating system, performing all control, monitoring, and data manipulation functions. Firmware, too, is only one component of the TCB. Learn more in our CISSP Online Training.
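The M of N key-recovery control from question #3 above can be implemented with Shamir’s secret sharing, so that no single key recovery agent can reconstruct a user’s private key on their own. The Python block below is an added example written for this page, not code from the original post or from any product it mentions. It assumes that the user’s private key has been wrapped with a symmetric key-encryption key (KEK) held in escrow, and that it is this KEK, encoded as an integer below the field prime, that is split among the administrators; the 3-of-5 threshold and the sample KEK in the demo are constructed for illustration.

```python
"""M-of-N key recovery via Shamir's secret sharing (added example).

Assumption: the value being protected is a key-encryption key (KEK) that
wraps the user's private key. The wrapped key can sit in escrow, while the
KEK is split so that any M of N recovery agents, but no fewer, can rebuild it.
"""
import secrets

# All arithmetic is done in the prime field GF(P). 2**521 - 1 is a Mersenne
# prime, large enough to hold a 256-bit (or even 512-bit) KEK as one integer.
P = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial with coefficients [a0, a1, ..., a(m-1)] at x, mod P."""
    acc = 0
    for c in reversed(coeffs):  # Horner's rule
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, m, n):
    """Split `secret` into n shares such that any m of them recover it.

    Returns a list of (x, y) points on a random polynomial of degree m-1 whose
    constant term is the secret. Each recovery agent receives one point.
    """
    if not 1 <= m <= n:
        raise ValueError("need 1 <= M <= N")
    if not 0 <= secret < P:
        raise ValueError("secret must be an integer in [0, P)")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Recover the secret by Lagrange interpolation at x = 0.

    With at least m distinct shares this returns the original secret. With
    fewer than m shares it returns a value that carries no information about
    the secret, which is exactly what makes the M of N control meaningful.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    if any(not 0 < x < P for x in xs):
        raise ValueError("share index out of range")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        # den is non-zero mod P because the indices are distinct and in (0, P)
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


if __name__ == "__main__":
    # Constructed sample: a random 256-bit KEK under 3-of-5 control.
    kek = int.from_bytes(secrets.token_bytes(32), "big")
    shares = split_secret(kek, m=3, n=5)
    print(recover_secret(shares[:3]) == kek)                         # True
    print(recover_secret([shares[0], shares[2], shares[4]]) == kek)  # True
    print(recover_secret(shares) == kek)                             # True
    print(recover_secret(shares[:2]) == kek)                         # False
```

Each administrator keeps one (x, y) share; the recovery procedure only succeeds when at least M of them bring their shares together, and a single compromised or coerced agent learns nothing about the KEK from their own share. Plain dual control is the special case M = N = 2.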
CISSP Practice Exam Questions and Answers #8

Whenever a subject attempts to access an object, that access must be authorized. During this access, a conceptual set of requirements must be verified by the part of the operating system kernel that deals with security. The conceptual rule set is known as the __________, while the enforcement mechanism is referred to as the ____________.

1. Access Control List, Security Enforcer
2. Security Enforcer, Access Control List
3. Reference Monitor, Security Kernel
4. Security Kernel, Reference Monitor

Answer: C (Reference Monitor, Security Kernel)

The reference monitor and the security kernel are the two main elements that control access when a subject attempts to access an object. The reference monitor is the abstract concept: a rule set that must mediate every access, must be tamper-proof, and must be small enough to be verified. The security kernel is the hardware, software, and firmware within the TCB that implements and enforces the reference monitor concept. An access control list (ACL) is a table that tells an operating system which access rights each user has to a specific system object, such as a directory or an individual file. The term “security enforcer” is made up.
CISSP Sample Questions and Answers #9

A fundamental security principle is that security controls must be aligned with business objectives. Given the impact security has upon an organization’s success, why is the concept of business alignment important?

1. There is always a trade-off for security, so an organization has to weigh the cost of security measures against their benefits.
2. Security is cheap and easily implemented compared to the potential for loss, so security should be implemented everywhere possible.
3. Security is so important that every organization must implement as much as possible.
4. Security is too costly to implement in small organizations.

Answer: A (Cost versus benefit)

There is always a cost to security. Sometimes the cost is monetary; security also often has a negative impact on performance, backward compatibility, and ease of use. An organisation must consider its primary needs in light of the overall objectives of the business. Sensitive military information requires far greater security than a small home/office environment holding information of little or no value to an attacker. The level of security implemented should be commensurate with business needs at a reasonable cost and tailored to each enterprise’s specific requirements.

CISSP Practice Exam Questions and Answers #10

A system’s minimum security baseline (MSB) is the least acceptable security configuration for that system in a specific environment. Before the MSB can be determined, the system must be categorized based on the confidentiality, integrity, and availability needs of its data. When evaluating a system where the potential impact of unauthorized disclosure is high, the impact of an integrity breach is medium, and the impact of the data being temporarily unavailable is low, what is the overall categorization of the system?

1. High
2. Medium
3. Low
4. Medium-high
Answer: A (High)

The potential impact value assigned to each security objective (confidentiality, integrity, availability) for an information system must be the highest value among those determined for each type of information resident on the system, and the overall system categorization is the highest value across the three objectives (the “high-water mark” approach used by FIPS 199). Here the confidentiality impact is high, so the system is categorized as High.