QUESTION 132
Which of the following BEST describes a chosen plaintext attack?
A. The cryptanalyst can generate ciphertext from arbitrary text.
B. The cryptanalyst examines the communication being sent back and forth.
C. The cryptanalyst can choose the key and algorithm to mount the attack.
D. The cryptanalyst is presented with the ciphertext from which the original message is determined.
Correct Answer: A
Section: Software Development Security
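Worked example for option A above, added here and not part of the original question set: an attacker who can obtain ciphertext for plaintext of their own choosing (a chosen-plaintext attack) recovers the entire key of a monoalphabetic substitution cipher with a single query. The cipher, the encryption oracle, the seed-derived "secret" key and the intercepted message are all constructed for the demonstration.

```python
"""Chosen-plaintext attack against a toy substitution cipher.

Added example (not from the page). The cipher, oracle and key are
constructed; the point is that control over the plaintext turns one
oracle query into full key recovery, not just one decrypted message.
"""
import random
import string

ALPHABET = string.ascii_lowercase


def make_key(seed: int) -> dict:
    """Deterministic permutation of the alphabet (constructed key material;
    a real system would draw it from a CSPRNG, not from a seed)."""
    rng = random.Random(seed)
    shuffled = list(ALPHABET)
    rng.shuffle(shuffled)
    return dict(zip(ALPHABET, shuffled))


def encrypt(key: dict, plaintext: str) -> str:
    # Characters outside the alphabet (spaces, digits) pass through unchanged.
    return "".join(key.get(c, c) for c in plaintext)


def decrypt(key: dict, ciphertext: str) -> str:
    inverse = {v: k for k, v in key.items()}
    return "".join(inverse.get(c, c) for c in ciphertext)


class EncryptionOracle:
    """Models the attacker's capability: encrypt arbitrary text, never see the key."""

    def __init__(self, key: dict):
        self._key = key
        self.queries = 0

    def encrypt(self, plaintext: str) -> str:
        self.queries += 1
        return encrypt(self._key, plaintext)


def chosen_plaintext_attack(oracle: EncryptionOracle) -> dict:
    """One chosen plaintext, the alphabet itself, yields the whole key table."""
    ciphertext = oracle.encrypt(ALPHABET)
    return dict(zip(ALPHABET, ciphertext))


def demo():
    """Returns (key recovered?, decrypted target, number of oracle queries)."""
    secret_key = make_key(seed=1337)
    oracle = EncryptionOracle(secret_key)
    intercepted = encrypt(secret_key, "transfer funds to account nine")  # constructed target
    recovered_key = chosen_plaintext_attack(oracle)
    return recovered_key == secret_key, decrypt(recovered_key, intercepted), oracle.queries


if __name__ == "__main__":
    ok, message, n = demo()
    print(f"key recovered: {ok}, plaintext: {message!r}, oracle queries: {n}")
```

The contrast with the other options: a ciphertext-only attacker (option D) would have to do frequency analysis on the intercepted message; the chosen-plaintext attacker never has to, because the oracle hands over the key mapping directly.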
QUESTION 133
For network based evidence, which of the following contains traffic details of all network sessions in order to detect anomalies?
A. Alert data
B. User data
C. Content data
D. Statistical data
Correct Answer: D
Section: Software Development Security
QUESTION 134
The PRIMARY outcome of a certification process is that it provides documented
A. interconnected systems and their implemented security controls.
B. standards for security assessment, testing, and process evaluation.
C. system weakness for remediation.
D. security analyses needed to make a risk-based decision.
Correct Answer: D
Section: Software Development Security
QUESTION 135
A security architect plans to reference a Mandatory Access Control (MAC) model for implementation. This indicates that which of the following properties are being prioritized?
A. Confidentiality
B. Integrity
C. Availability
D. Accessibility
Correct Answer: A
Section: Software Development Security
Explanation:
Mandatory Access Control (MAC) is system-enforced access control based on a subject’s clearance and an object’s labels. Subjects and Objects have clearances and labels, respectively, such as confidential, secret, and top secret. A subject may access an object only if the subject’s clearance is equal to or greater than the object’s label. Subjects cannot share objects with other subjects who lack the proper clearance, or “write down” objects to a lower classification level (such as from top secret to secret). MAC systems are usually focused on preserving the confidentiality of data.
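The two rules in the explanation above, no read up and no write down, as a small system-enforced access check. This is an added example, not code from the page or its reference; the classification levels, subjects and objects are constructed, and the write rule is the strict Bell-LaPadula *-property (a subject may write at or above its own clearance).

```python
"""Mandatory Access Control: clearance vs. label, enforced by the system.

Added example (not from the page). Levels, subjects and objects are
constructed. can_read is the simple-security property (no read up),
can_write is the *-property (no write down).
"""
from dataclasses import dataclass

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str


@dataclass(frozen=True)
class Obj:
    name: str
    label: str


def level(name: str) -> int:
    try:
        return LEVELS[name]
    except KeyError:
        raise ValueError(f"unknown classification {name!r}") from None


def can_read(subject: Subject, obj: Obj) -> bool:
    """Read only if clearance >= label: a secret user cannot read top secret."""
    return level(subject.clearance) >= level(obj.label)


def can_write(subject: Subject, obj: Obj) -> bool:
    """Write only if label >= clearance: a top-secret user cannot copy data
    into a secret file (no write down), which is what keeps it confidential."""
    return level(obj.label) >= level(subject.clearance)


def access_decision(subject: Subject, obj: Obj, mode: str) -> bool:
    """The decision depends only on labels; neither the subject nor the
    object's owner can grant an exception (that is what makes it mandatory)."""
    if mode == "read":
        return can_read(subject, obj)
    if mode == "write":
        return can_write(subject, obj)
    raise ValueError(f"unsupported mode {mode!r}")


def demo() -> dict:
    alice = Subject("alice", "top secret")
    bob = Subject("bob", "secret")
    plan = Obj("war_plan.txt", "top secret")
    memo = Obj("memo.txt", "secret")
    return {
        "alice reads plan": access_decision(alice, plan, "read"),   # True
        "bob reads plan": access_decision(bob, plan, "read"),       # False: read up
        "alice writes memo": access_decision(alice, memo, "write"),  # False: write down
        "bob writes plan": access_decision(bob, plan, "write"),     # True: write up is allowed
        "bob reads memo": access_decision(bob, memo, "read"),       # True
    }
```

Note that the strict model lets bob append to a top-secret file he cannot read; production MAC implementations usually tighten writes to equal level only, but the confidentiality property the question asks about comes from the two checks shown.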
Reference: https://www.sciencedirect.com/topics/co ... ss-control
QUESTION 136
A vulnerability in which of the following components would be MOST difficult to detect?
A. Kernel
B. Shared libraries
C. Hardware
D. System application
Correct Answer: C
Section: Software Development Security
QUESTION 137
During which of the following processes is least privilege implemented for a user account?
A. Provision
B. Approve
C. Request
D. Review
Correct Answer: A
Section: Software Development Security
QUESTION 138
Which of the following is a document that identifies each item seized in an investigation, including date and time seized, full name and signature or initials of the person who seized the item, and a detailed description of the item?
A. Property book
B. Chain of custody form
C. Search warrant return
D. Evidence tag
Correct Answer: B
Section: Software Development Security
QUESTION 139
Which of the following is needed to securely distribute symmetric cryptographic keys?
A. Officially approved Public-Key Infrastructure (PKI) Class 3 or Class 4 certificates
B. Officially approved and compliant key management technology and processes
C. An organizationally approved communication protection policy and key management plan
D. Hardware tokens that protect the user's private key.
Correct Answer: C
Section: Software Development Security
QUESTION 140
Reciprocal backup site agreements are considered to be
A. a better alternative than the use of warm sites.
B. difficult to test for complex systems.
C. easy to implement for similar types of organizations.
D. easy to test and implement for complex systems.
Correct Answer: C
Section: Software Development Security
QUESTION 141
In order to assure authenticity, which of the following are required?
A. Confidentiality and authentication
B. Confidentiality and integrity
C. Authentication and non-repudiation
D. Integrity and non-repudiation
Correct Answer: D
Section: Software Development Security
QUESTION 142
At which layer of the Open Systems Interconnect (OSI) model are the source and destination address for a datagram handled?
A. Transport Layer
B. Data-Link Layer
C. Network Layer
D. Application Layer
Correct Answer: C
Section: Software Development Security
QUESTION 143
An organization regularly conducts its own penetration tests. Which of the following scenarios MUST be covered for the test to be effective?
A. Third-party vendor with access to the system
B. System administrator access compromised
C. Internal attacker with access to the system
D. Internal user accidentally accessing data
Correct Answer: B
Section: Software Development Security
QUESTION 144
A company was ranked high in the following National Institute of Standards and Technology (NIST) Cybersecurity Framework functions: Protect, Detect, Respond and Recover. However, a low maturity grade was attributed to the Identify function. In which of the following control categories does this company need to improve when analyzing its processes individually?
A. Asset Management, Business Environment, Governance and Risk Assessment
B. Access Control, Awareness and Training, Data Security and Maintenance
C. Anomalies and Events, Security Continuous Monitoring and Detection Processes
D. Recovery Planning, Improvements and Communications
Correct Answer: A
Section: Software Development Security
QUESTION 145
What is the difference between media marking and media labeling?
A. Media marking refers to the use of human-readable security attributes, while media labeling refers to the use of security attributes in internal data structures.
B. Media labeling refers to the use of human-readable security attributes, while media marking refers to the use of security attributes in internal data structures.
C. Media labeling refers to security attributes required by public policy/law, while media marking refers to security required by internal organizational policy.
D. Media marking refers to security attributes required by public policy/law, while media labeling refers to security attributes required by internal organizational policy.
Correct Answer: A
Section: Software Development Security
QUESTION 146
What balance MUST be considered when web application developers determine how informative application error messages should be constructed?
A. Risk versus benefit
B. Availability versus auditability
C. Confidentiality versus integrity
D. Performance versus user satisfaction
Correct Answer: A
Section: Software Development Security
QUESTION 147
What operations role is responsible for protecting the enterprise from corrupt or contaminated media?
A. Information security practitioner
B. Information librarian
C. Computer operator
D. Network administrator
Correct Answer: B
Section: Software Development Security
QUESTION 148
In general, servers that are facing the Internet should be placed in a demilitarized zone (DMZ). What is the MAIN purpose of the DMZ?
A. Reduced risk to internal systems.
B. Prepare the server for potential attacks.
C. Mitigate the risk associated with the exposed server.
D. Bypass the need for a firewall.
Correct Answer: A
Section: Software Development Security
QUESTION 149
Network-based logging has which advantage over host-based logging when reviewing malicious activity about a victim machine?
A. Addresses and protocols of network-based logs are analyzed.
B. Host-based system logging has files stored in multiple locations.
C. Properly handled network-based logs may be more reliable and valid.
D. Network-based systems cannot capture users logging into the console.
Correct Answer: C
Section: Software Development Security
QUESTION 150
Between which pair of Open System Interconnection (OSI) Reference Model layers are routers used as a communications device?
A. Transport and Session
B. Data-Link and Transport
C. Network and Session
D. Physical and Data-Link
Correct Answer: B
Section: Software Development Security
QUESTION 151
Which type of security testing is being performed when an ethical hacker has no knowledge about the target system but the testing target is notified before the test?
A. Reversal
B. Gray box
C. Blind
D. White box
Correct Answer: C
Section: Software Development Security
QUESTION 152
Which of the following countermeasures is the MOST effective in defending against a social engineering attack?
A. Mandating security policy acceptance
B. Changing individual behavior
C. Evaluating security awareness training
D. Filtering malicious e-mail content
Correct Answer: C
Section: Software Development Security
QUESTION 153
A company has decided that they need to begin maintaining assets deployed in the enterprise. What approach should be followed to determine and maintain ownership information to bring the company into compliance?
A. Enterprise asset management framework
B. Asset baseline using commercial off the shelf software
C. Asset ownership database using domain login records
D. A script to report active user logins on assets
Correct Answer: A
Section: Software Development Security
QUESTION 154
In the Software Development Life Cycle (SDLC), maintaining accurate hardware and software inventories is a critical part of
A. systems integration.
B. risk management.
C. quality assurance.
D. change management.
Correct Answer: D
Section: Software Development Security
QUESTION 155
As a best practice, the Security Assessment Report (SAR) should include which of the following sections?
A. Data classification policy
B. Software and hardware inventory
C. Remediation recommendations
D. Names of participants
Correct Answer: C
Section: Software Development Security
QUESTION 156
Which of the following media sanitization techniques is MOST likely to be effective for an organization using public cloud services?
A. Low-level formatting
B. Secure-grade overwrite erasure
C. Cryptographic erasure
D. Drive degaussing
Correct Answer: C
Section: Software Development Security
QUESTION 157
What type of wireless network attack BEST describes an Electromagnetic Pulse (EMP) attack?
A. Radio Frequency (RF) attack
B. Denial of Service (DoS) attack
C. Data modification attack
D. Application-layer attack
Correct Answer: B
Section: Software Development Security
QUESTION 158
Which of the following is a remote access protocol that uses a static authentication?
A. Point-to-Point Tunneling Protocol (PPTP)
B. Routing Information Protocol (RIP)
C. Password Authentication Protocol (PAP)
D. Challenge Handshake Authentication Protocol (CHAP)
Correct Answer: C
Section: Software Development Security
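Why PAP is the "static" protocol and CHAP is not, shown as both sides' messages on the same link. This is an added example, not material from the page: the usernames, the shared secret and the captured frames are constructed, and the response computation follows the MD5 formula that RFC 1994 defines for CHAP (MD5 over Identifier, secret and Challenge Value).

```python
"""PAP vs CHAP: a sniffer captures one exchange of each and replays it.

Added example (not from the page). SECRET_DB, the user and the captured
messages are constructed. PAP sends the static secret itself; CHAP sends
an MD5 response bound to a fresh random challenge.
"""
import hashlib
import hmac
import os

SECRET_DB = {"alice": b"correct horse battery staple"}  # constructed shared secret


# --- PAP: the credential itself crosses the link, every time -------------------
def pap_client_request(user: str, password: bytes) -> dict:
    return {"code": "Authenticate-Request", "peer-id": user, "password": password}


def pap_server_verify(request: dict) -> bool:
    return SECRET_DB.get(request["peer-id"]) == request["password"]


# --- CHAP (RFC 1994): Challenge / Response / Success-or-Failure ---------------
def chap_challenge(identifier: int) -> dict:
    return {"code": "Challenge", "id": identifier, "value": os.urandom(16)}


def chap_response_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994 section 2.2: MD5(Identifier || secret || Challenge Value)
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_client_response(challenge: dict, user: str, secret: bytes) -> dict:
    return {
        "code": "Response",
        "id": challenge["id"],
        "peer-id": user,
        "value": chap_response_value(challenge["id"], secret, challenge["value"]),
    }


def chap_server_verify(challenge: dict, response: dict) -> bool:
    secret = SECRET_DB.get(response["peer-id"])
    if secret is None or response["id"] != challenge["id"]:
        return False
    expected = chap_response_value(challenge["id"], secret, challenge["value"])
    return hmac.compare_digest(expected, response["value"])


def demo() -> dict:
    """Capture one exchange of each protocol and replay it later."""
    user, secret = "alice", SECRET_DB["alice"]

    pap_req = pap_client_request(user, secret)
    captured_pap = dict(pap_req)                 # what a sniffer sees

    chal1 = chap_challenge(identifier=1)
    resp1 = chap_client_response(chal1, user, secret)
    captured_chap = dict(resp1)                  # what a sniffer sees
    chal2 = chap_challenge(identifier=2)         # server issues a new challenge
    replay = dict(captured_chap, id=chal2["id"]) # attacker patches the id, cannot patch the MD5

    return {
        "pap_first": pap_server_verify(pap_req),
        "pap_replay": pap_server_verify(captured_pap),
        "pap_leaks_secret": captured_pap["password"] == secret,
        "chap_first": chap_server_verify(chal1, resp1),
        "chap_replay": chap_server_verify(chal2, replay),
    }
```

CHAP still needs the server to hold the cleartext secret and uses MD5, so it is not a modern choice either; the question's point is only that PAP's credential is static on the wire while CHAP's response changes with every challenge.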
QUESTION 159
Which of the following sets of controls should allow an investigation if an attack is not blocked by preventive controls or detected by monitoring?
A. Logging and audit trail controls to enable forensic analysis
B. Security incident response lessons learned procedures
C. Security event alert triage done by analysts using a Security Information and Event Management (SIEM) system
D. Transactional controls focused on fraud prevention
Correct Answer: A
Section: Software Development Security
QUESTION 160
Determining outage costs caused by a disaster can BEST be measured by the
A. cost of redundant systems and backups.
B. cost to recover from an outage.
C. overall long-term impact of the outage.
D. revenue lost during the outage.
Correct Answer: C
Section: Software Development Security
QUESTION 161
Which of the following is considered a secure coding practice?
A. Use concurrent access for shared variables and resources
B. Use checksums to verify the integrity of libraries
C. Use new code for common tasks
D. Use dynamic execution functions to pass user supplied data
Correct Answer: B
Section: Software Development Security
QUESTION 162
As part of the security assessment plan, the security professional has been asked to use a negative testing strategy on a new website. Which of the following actions would be performed?
A. Use a web scanner to scan for vulnerabilities within the website.
B. Perform a code review to ensure that the database references are properly addressed.
C. Establish a secure connection to the web server to validate that only the approved ports are open.
D. Enter only numbers in the web form and verify that the website prompts the user to enter a valid input.
Correct Answer: D
Section: Software Development Security
QUESTION 163
Who has the PRIMARY responsibility to ensure that security objectives are aligned with organization goals?
A. Senior management
B. Information security department
C. Audit committee
D. All users
Correct Answer: A
Section: Software Development Security
QUESTION 164
Which of the following alarm systems is recommended to detect intrusions through windows in a high-noise, occupied environment?
A. Acoustic sensor
B. Motion sensor
C. Shock sensor
D. Photoelectric sensor
Correct Answer: C
Section: Software Development Security
QUESTION 165
Which of the following is the MOST effective practice in managing user accounts when an employee is terminated?
A. Implement processes for automated removal of access for terminated employees.
B. Delete employee network and system IDs upon termination.
C. Manually remove terminated employee user-access to all systems and applications.
D. Disable terminated employee network ID to remove all access.
Correct Answer: D
Section: Software Development Security
QUESTION 166
Which of the following is the MOST important part of an awareness and training plan to prepare employees for emergency situations?
A. Having emergency contacts established for the general employee population to get information
B. Conducting business continuity and disaster recovery training for those who have a direct role in the recovery
C. Designing business continuity and disaster recovery training programs for different audiences
D. Publishing a corporate business continuity and disaster recovery plan on the corporate website
Correct Answer: C
Section: Software Development Security
QUESTION 167
What is the process of removing sensitive data from a system or storage device with the intent that the data cannot be reconstructed by any known technique?
A. Purging
B. Encryption
C. Destruction
D. Clearing
Correct Answer: A
Section: Software Development Security
QUESTION 168
Which one of the following considerations has the LEAST impact when considering transmission security?
A. Network availability
B. Node locations
C. Network bandwidth
D. Data integrity
Correct Answer: C
Section: Software Development Security
QUESTION 169
The security accreditation task of the System Development Life Cycle (SDLC) process is completed at the end of which phase?
A. System acquisition and development
B. System operations and maintenance
C. System initiation
D. System implementation
Correct Answer: D
Section: Software Development Security
QUESTION 170
Which of the following is the BEST reason for the use of security metrics?
A. They ensure that the organization meets its security objectives.
B. They provide an appropriate framework for Information Technology (IT) governance.
C. They speed up the process of quantitative risk assessment.
D. They quantify the effectiveness of security processes.
Correct Answer: D
Section: Software Development Security
QUESTION 171
Which of the following are important criteria when designing procedures and acceptance criteria for acquired software?
A. Code quality, security, and origin
B. Architecture, hardware, and firmware
C. Data quality, provenance, and scaling
D. Distributed, agile, and bench testing
Correct Answer: A
Section: Software Development Security
QUESTION 172
An organization has outsourced its financial transaction processing to a Cloud Service Provider (CSP) who will provide them with Software as a Service (SaaS). If there was a data breach who is responsible for monetary losses?
A. The Data Protection Authority (DPA)
B. The Cloud Service Provider (CSP)
C. The application developers
D. The data owner
Correct Answer: D
Section: Software Development Security
QUESTION 173
What capability would typically be included in a commercially available software package designed for access control?
A. Password encryption
B. File encryption
C. Source library control
D. File authentication
Correct Answer: A
Section: Software Development Security
QUESTION 174
An organization plans on purchasing a custom software product developed by a small vendor to support its business model.
Which unique consideration should be made part of the contractual agreement to address the potential long-term risks associated with creating this dependency?
A. A source code escrow clause
B. Right to request an independent review of the software source code
C. Due diligence form requesting statements of compliance with security requirements
D. Access to the technical documentation
Correct Answer: A
Section: Software Development Security
QUESTION 175
Which of the following is the MOST important security goal when performing application interface testing?
A. Confirm that all platforms are supported and function properly
B. Evaluate whether systems or components pass data and control correctly to one another
C. Verify compatibility of software, hardware, and network connections
D. Examine error conditions related to external interfaces to prevent application details leakage
Correct Answer: B
Section: Software Development Security
QUESTION 176
Which of the following is the MOST common method of memory protection?
A. Compartmentalization
B. Segmentation
C. Error correction
D. Virtual Local Area Network (VLAN) tagging
Correct Answer: B
Section: Software Development Security
QUESTION 177
Which of the following is the MOST important output from a mobile application threat modeling exercise according to the Open Web Application Security Project (OWASP)?
A. The likelihood and impact of a vulnerability
B. Application interface entry and endpoints
C. Countermeasures and mitigations for vulnerabilities
D. A data flow diagram for the application and attack surface analysis
Correct Answer: D
Section: Mixed questions
QUESTION 178
Continuity of operations is BEST supported by which of the following?
A. Confidentiality, availability, and reliability
B. Connectivity, reliability, and redundancy
C. Connectivity, reliability, and recovery
D. Confidentiality, integrity, and availability
Correct Answer: B
Section: Mixed questions
QUESTION 179
Which of the following is true of Service Organization Control (SOC) reports?
A. SOC 1 Type 2 reports assess the security, confidentiality, integrity, and availability of an organization's controls
B. SOC 2 Type 2 reports include information of interest to the service organization's management
C. SOC 2 Type 2 reports assess internal controls for financial reporting
D. SOC 3 Type 2 reports assess internal controls for financial reporting
Correct Answer: B
Section: Mixed questions
Reference: http://ssae16.businesscatalyst.com/SSAE16_reports.html
QUESTION 180
What testing technique enables the designer to develop mitigation strategies for potential vulnerabilities?
A. Manual inspections and reviews
B. Penetration testing
C. Threat modeling
D. Source code review
Correct Answer: C
Section: Mixed questions
Reference: https://owasp.org/www-project-web-secur ... ide_v4.pdf (15)
QUESTION 181
Asymmetric algorithms are used for which of the following when using Secure Sockets Layer/Transport Layer Security (SSL/TLS) for implementing network security?
A. Peer authentication
B. Payload data encryption
C. Session encryption
D. Hashing digest
Correct Answer: A
Section: Mixed questions
QUESTION 182
What is the MOST common component of a vulnerability management framework?
A. Risk analysis
B. Patch management
C. Threat analysis
D. Backup management
Correct Answer: B
Section: Mixed questions
Reference: https://www.helpnetsecurity.com/2016/10 ... t-process/
QUESTION 183
A new Chief Information Officer (CIO) created a group to write a data retention policy based on applicable laws. Which of the following is the PRIMARY motivation for the policy?
A. To back up data that is used on a daily basis
B. To dispose of data in order to limit liability
C. To reduce costs by reducing the amount of retained data
D. To classify data according to what it contains
Correct Answer: B
Section: Mixed questions
QUESTION 184
What determines the level of security of a combination lock?
A. Complexity of combination required to open the lock
B. Amount of time it takes to brute force the combination
C. The number of barrels associated with the internal mechanism
D. The hardness score of the metal lock material
Correct Answer: A
Section: Mixed questions
Reference: https://books.google.com.pk/books?id=Rb ... ombination +lock&source=bl&ots=ld6arg_Pl9&sig=ACfU3U0kh_Trrg6mQ65NmAP5PnUCIPmD0Q&hl=en&sa=X&ved=2ahUKEwjg69zN4KnpAhUJmRoKHR01B_MQ6AEwDHo ECBUQAQ#v=onepage&q=combination%20lock&f=false
QUESTION 185
A user downloads a file from the Internet, then applies the Secure Hash Algorithm 3 (SHA-3) to it. Which of the following is the MOST likely reason for doing so?
A. It verifies the integrity of the file.
B. It checks the file for malware.
C. It ensures the entire file downloaded.
D. It encrypts the entire file.
Correct Answer: A
Section: Mixed questions
Reference: https://blog.logsign.com/how-to-check-t ... of-a-file/
QUESTION 186
Which of the following is held accountable for the risk to organizational systems and data that result from outsourcing Information Technology (IT) systems and services?
A. The acquiring organization
B. The service provider
C. The risk executive (function)
D. The IT manager
Correct Answer: A
Section: Mixed questions
QUESTION 187
Which of the following is a process in the access provisioning lifecycle that will MOST likely identify access aggregation issues?
A. Test
B. Assessment
C. Review
D. Peer review
Correct Answer: C
Section: Mixed questions
Reference: https://books.google.com.pk/books?id=W2 ... +will+MOST +likely+identify+access+aggregation+issues&source=bl&ots=OBJo9fbGP3&sig=ACfU3U1eAWDu3q4EoiusrOi_hvtu6WyaIg&hl=en&sa=X&ved=2ahUKEwiu-
Mac0anpAhXIxIUKHQi2BFsQ6AEwAXoECBAQAQ#v=onepage&q=process%20in%20the%20access%20provisioning%20lifecycle%20that%20will%20MOST% 20likely%20identify%20access%20aggregation%20issues&f=false
QUESTION 188
Which of the following is the PRIMARY reason a sniffer operating on a network is collecting packets only from its own host?
A. An Intrusion Detection System (IDS) has dropped the packets.
B. The network is connected using switches.
C. The network is connected using hubs.
D. The network's firewall does not allow sniffing.
Correct Answer: B
Section: Mixed questions
QUESTION 189
Which of the following is the PRIMARY mechanism used to limit the range of objects available to a given subject within different execution domains?
A. Process isolation
B. Data hiding and abstraction
C. Use of discrete layering and Application Programming Interfaces (API)
D. Virtual Private Network (VPN)
Correct Answer: C
Section: Mixed questions
Reference: https://books.google.com.pk/books?id=Ln ... of+objects +available+to+a+given+subject+within+different+execution+domains&source=bl&ots=V- LJY4mkZy&sig=ACfU3U1adsKRObtT_l3tYTCLfHjS6gvLtg&hl=en&sa=X&ved=2ahUKEwi_jIPw16npAhWsxoUKHVoSA4AQ6AEwAHoECBMQAQ#v=onepage&q=CI SSP%20mechanism%20used%20to%20limit%20the%20range%20of%20objects%20available%20to%20a%20given%20subject%20within%20different% 20execution%20domains&f=false
QUESTION 190
Once the types of information have been identified, who should an information security practitioner work with to ensure that the information is properly categorized?
A. Information Owner (IO)
B. System Administrator
C. Business Continuity (BC) Manager
D. Chief Information Officer (CIO)
Correct Answer: A
Section: Mixed questions
QUESTION 191
What should be the FIRST action for a security administrator who detects an intrusion on the network based on precursors and other indicators?
A. Isolate and contain the intrusion.
B. Notify system and application owners.
C. Apply patches to the Operating Systems (OS).
D. Document and verify the intrusion.
Correct Answer: D
Section: Mixed questions
QUESTION 192
Which of the following needs to be taken into account when assessing vulnerability?
A. Risk identification and validation
B. Threat mapping
C. Risk acceptance criteria
D. Safeguard selection
Correct Answer: A
Section: Mixed questions
Reference: https://books.google.com.pk/books?id=9g ... +assessing +vulnerability&source=bl&ots=riGvVpNN7I&sig=ACfU3U1isazG0OJlZdAAy91LvAW_rbXdAQ&hl=en&sa=X&ved=2ahUKEwj6p9vg4qnpAhUNxYUKHdODDZ4Q6AE wDHoECBMQAQ#v=onepage&q=CISSP%20taken%20into%20account%20when%20assessing%20vulnerability&f=false
QUESTION 193
For the purpose of classification, which of the following is used to divide trust domain and trust boundaries?
A. Network architecture
B. Integrity
C. Identity Management (IdM)
D. Confidentiality management
Correct Answer: A
Section: Mixed questions
QUESTION 194
Which of the following is MOST effective in detecting information hiding in Transmission Control Protocol/Internet Protocol (TCP/IP) traffic?
A. Packet-filter firewall
B. Content-filtering web proxy
C. Stateful inspection firewall
D. Application-level firewall
Correct Answer: C
Section: Mixed questions
QUESTION 195
An application team is running tests to ensure that user entry fields will not accept invalid input of any length. What type of negative testing is this an example of?
A. Reasonable data
B. Population of required fields
C. Allowed number of characters
D. Session testing
Correct Answer: C
Section: Mixed questions
Reference: https://www.softwaretestinghelp.com/wha ... e-testing/
QUESTION 196
An Internet software application requires authentication before a user is permitted to utilize the resource. Which testing scenario BEST validates the functionality of the application?
A. Reasonable data testing
B. Input validation testing
C. Web session testing
D. Allowed data bounds and limits testing
Correct Answer: B
Section: Mixed questions
QUESTION 197
Which of the following techniques BEST prevents buffer overflows?
A. Boundary and perimeter offset
B. Character set encoding
C. Code auditing
D. Variant type and bit length
Correct Answer: B
Section: Mixed questions
Explanation:
Some products installed on systems can also watch for input values that might result in buffer overflows, but the best countermeasure is proper programming. This means using bounds checking. If an input value is only supposed to be nine characters, then the application should only accept nine characters and no more. Some languages are more susceptible to buffer overflows than others, so programmers should understand these issues, use the right languages for the right purposes, and carry out code review to identify buffer overflow vulnerabilities.
QUESTION 198
A security architect is responsible for the protection of a new home banking system. Which of the following solutions can BEST improve the confidentiality and integrity of this external system?
A. Intrusion Prevention System (IPS)
B. Denial of Service (DoS) protection solution
C. One-time Password (OTP) token
D. Web Application Firewall (WAF)
Correct Answer: A
Section: Mixed questions
QUESTION 199
What principle requires that changes to the plaintext affect many parts of the ciphertext?
A. Encapsulation
B. Permutation
C. Diffusion
D. Obfuscation
Correct Answer: C
Section: Mixed questions
Explanation:
Diffusion means that a single plaintext bit has influence over many of the ciphertext bits (confusion, by contrast, describes the relationship between the key and the ciphertext). Changing a plaintext value should change many ciphertext values, not just one. In fact, in a strong block cipher, if one plaintext bit is changed, each ciphertext bit changes with a probability of 50 percent. This means that if one plaintext bit changes, then about half of the ciphertext bits will change.
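Measuring the claim above directly: flip one plaintext bit, count how many ciphertext bits change. This is an added example, not code from the page. The cipher is a constructed 64-bit Feistel network whose round function is a truncated SHA-256 of the key, round number and half-block; it exists only to show how diffusion builds up over rounds and is not a cipher to use. After one round a change in the left half reaches exactly one ciphertext bit; after a handful of rounds the average settles near 32 of 64, the "half the bits" the explanation describes.

```python
"""Diffusion (avalanche) measurement on a toy Feistel cipher.

Added example (not from the page). The cipher, key and plaintexts are
constructed. feistel_encrypt is illustrative only.
"""
import hashlib

BLOCK_BITS = 64
MASK32 = (1 << 32) - 1


def round_function(key: bytes, rnd: int, half: int) -> int:
    """32-bit keyed mixing of one half-block (truncated SHA-256, toy only)."""
    digest = hashlib.sha256(key + bytes([rnd]) + half.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")


def feistel_encrypt(key: bytes, block: int, rounds: int) -> int:
    """Classic Feistel: (L, R) -> (R, L xor F(R)) for each round."""
    left, right = block >> 32, block & MASK32
    for rnd in range(rounds):
        left, right = right, left ^ round_function(key, rnd, right)
    return (left << 32) | right


def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


def diffusion(key: bytes, block: int, rounds: int, bit: int) -> int:
    """Ciphertext bits that change when plaintext bit `bit` is flipped."""
    c1 = feistel_encrypt(key, block, rounds)
    c2 = feistel_encrypt(key, block ^ (1 << bit), rounds)
    return hamming(c1, c2)


def average_diffusion(key: bytes, rounds: int, blocks: int = 4) -> float:
    """Average over several constructed plaintexts and every bit position."""
    total = count = 0
    for i in range(blocks):
        block = int.from_bytes(hashlib.sha256(b"pt" + bytes([i])).digest()[:8], "big")
        for bit in range(BLOCK_BITS):
            total += diffusion(key, block, rounds, bit)
            count += 1
    return total / count


if __name__ == "__main__":
    key = b"constructed-key"
    for rounds in (1, 2, 3, 4, 8):
        print(f"{rounds} round(s): avg changed bits = {average_diffusion(key, rounds):.1f}")
```

With one round, bits 32 to 63 (the left half) are merely copied through and XORed, so flipping one of them changes exactly one output bit; bits in the right half pass through the round function and already move about 17 bits. Only from the third round on does every input bit reach every output bit, which is why real block ciphers run many rounds.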
QUESTION 200
Which of the following BEST describes how access to a system is granted to federated user accounts?
A. With the federation assurance level
B. Based on defined criteria by the Relying Party (RP)
C. Based on defined criteria by the Identity Provider (IdP)
D. With the identity assurance level
Correct Answer: B
Section: Mixed questions
Reference: https://resources.infosecinstitute.com/ ... anagement/
QUESTION 201
A development operations team would like to start building new applications delegating the cybersecurity responsibility as much as possible to the service provider. Which of the following environments BEST fits their need?
A. Cloud Virtual Machines (VM)
B. Cloud application container within a Virtual Machine (VM)
C. On premises Virtual Machine (VM)
D. Self-hosted Virtual Machine (VM)
Correct Answer: B
Section: Mixed questions
QUESTION 202
Why is planning the MOST critical phase of a Role Based Access Control (RBAC) implementation?
A. The criteria for measuring risk is defined.
B. User populations to be assigned to each role is determined.
C. Role mining to define common access patterns is performed.
D. The foundational criteria are defined.
Correct Answer: B
Section: Mixed questions
QUESTION 203
Vulnerability scanners may allow for the administrator to assign which of the following in order to assist in prioritizing remediation activities?
A. Definitions for each exposure type
B. Vulnerability attack vectors
C. Asset values for networks
D. Exploit code metrics
Correct Answer: C
Section: Mixed questions
QUESTION 204
Which of the following Service Organization Control (SOC) report types should an organization request if they require a period of time report covering security and availability for a particular system?
A. SOC 1 Type 1
B. SOC 1 Type 2
C. SOC 2 Type 1
D. SOC 2 Type 2
Correct Answer: D
Section: Mixed questions
QUESTION 205
Physical assets defined in an organization’s Business Impact Analysis (BIA) could include which of the following?
A. Personal belongings of organizational staff members
B. Supplies kept off-site at a remote facility
C. Cloud-based applications
D. Disaster Recovery (DR) line-item revenues
Correct Answer: B
Section: Mixed questions
QUESTION 206
What is the best way for mutual authentication of devices belonging to the same organization?
A. Token
B. Certificates
C. User ID and passwords
D. Biometric
Correct Answer: B
Section: Mixed questions
QUESTION 207
A financial company has decided to move its main business application to the Cloud. The legal department objects, arguing that the move of the platform should comply with several regulatory obligations such as the General Data Protection Regulation (GDPR) and ensure data confidentiality. The Chief Information Security Officer (CISO) says that the cloud provider has met all regulatory requirements and even provides its own encryption solution with internally-managed encryption keys to address data confidentiality. Did the CISO address all the legal requirements in this situation?
A. No, because the encryption solution is internal to the cloud provider.
B. Yes, because the cloud provider meets all regulatory requirements.
C. Yes, because the cloud provider is GDPR compliant.
D. No, because the cloud provider is not certified to host government data.
Correct Answer: A
Section: Mixed questions
QUESTION 208
Which of the following is PRIMARILY adopted for ensuring the integrity of information is preserved?
A. Data at rest protection
B. Transport Layer Security (TLS)
C. Role Based Access Control (RBAC)
D. One-way encryption
Correct Answer: A
Section: Mixed questions Explanation
QUESTION 209
Which of the following offers the BEST security functionality for transmitting authentication tokens?
A. JavaScript Object Notation (JSON)
B. Terminal Access Controller Access Control System (TACACS)
C. Security Assertion Markup Language (SAML)
D. Remote Authentication Dial-In User Service (RADIUS)
Correct Answer: C
Section: Mixed questions Explanation
QUESTION 210
What is the MAIN purpose for writing planned procedures in the design of Business Continuity Plans (BCP)?
A. Establish lines of responsibility.
B. Minimize the risk of failure.
C. Accelerate the recovery process.
D. Eliminate unnecessary decision making.
Correct Answer: B
Section: Mixed questions Explanation
QUESTION 211
Which of the following is the BEST reason to apply patches manually instead of automated patch management?
A. The cost required to install patches will be reduced.
B. The time during which systems will remain vulnerable to an exploit will be decreased.
C. The target systems reside within isolated networks.
D. The ability to cover large geographic areas is increased.
Correct Answer: C
Section: Mixed questions Explanation
QUESTION 212
When should the software Quality Assurance (QA) team feel confident that testing is complete?
A. When release criteria are met
B. When the time allocated for testing the software is met
C. When senior management approves the test results
D. When the software has zero security vulnerabilities
Correct Answer: A
Section: Mixed questions Explanation
QUESTION 213
What is the MOST efficient way to verify the integrity of database backups?
A. Test restores on a regular basis.
B. Restore every file in the system to check its health.
C. Use checksum as part of the backup operation to make sure that no corruption has occurred.
D. Run DBCC CHECKDB on a regular basis to check the logical and physical integrity of the database objects.
Correct Answer: C
Section: Mixed questions Explanation
QUESTION 214
Which of the following are the FIRST two steps to securing employees from threats involving workplace violence and acts of terrorism?
A. Physical barriers impeding unauthorized access and security guards at each entrance
B. Physical barriers and the ability to identify people as they enter the workplace
C. Security guards and metal detectors posted at each entrance
D. Metal detectors and the ability to identify people as they enter the workplace
Correct Answer: C
Section: Mixed questions Explanation
QUESTION 215
Which step of the Risk Management Framework (RMF) identifies the initial set of baseline security controls?
A. Selection
B. Monitoring
C. Implementation
D. Assessment
Correct Answer: A
Section: Mixed questions Explanation
Reference: https://csrc.nist.gov/projects/risk-man ... )-Overview
QUESTION 216
What is the MAIN reason for having a developer sign a Non-Disclosure Agreement (NDA)?
A. Signing the NDA always gives consent to the developer to access tools and privileged company information to do their work.
B. Signing the NDA allows the developer to use their developed coding methods.
C. Signing the NDA protects confidential, technical, or Intellectual Property (IP) from disclosure to others.
D. Signing the NDA is legally binding for up to one year of employment.
Correct Answer: C
Section: Mixed questions Explanation
QUESTION 217
Which of the following provides for the STRONGEST protection of data confidentiality in a Wi-Fi environment?
A. Wi-Fi Protected Access (WPA) + Temporal Key Integrity Protocol (TKIP)
B. Wi-Fi Protected Access 2 (WPA2) + Advanced Encryption Standard (AES)
C. Wi-Fi Protected Access 2 (WPA2) + Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)
D. Wired Equivalent Privacy (WEP) + Advanced Encryption Standard (AES)
Correct Answer: B
Section: Mixed questions Explanation
QUESTION 218
What is a consideration when determining the potential impact an organization faces in the event of the loss of confidentiality of Personally Identifiable Information (PII)?
A. Quantity
B. Availability
C. Quality
D. Criticality
Correct Answer: A
Section: Mixed questions Explanation
Reference: https://nvlpubs.nist.gov/nistpubs/Legac ... 00-122.pdf
QUESTION 219
A security team member was selected as a member of a Change Control Board (CCB) for an organization. Which of the following is one of their responsibilities?
A. Approving or disapproving the change
B. Determining the impact of the change
C. Carrying out the requested change
D. Logging the change
Correct Answer: B
Section: Mixed questions Explanation
QUESTION 220
A data owner determines the appropriate job-based access for an employee to perform their duties. Which type of access control is this?
A. Discretionary Access Control (DAC)
B. Non-discretionary access control
C. Mandatory Access Control (MAC)
D. Role-based access control (RBAC)
Correct Answer: D
Section: Mixed questions Explanation
Reference: https://searchsecurity.techtarget.com/d ... ntrol-RBAC
QUESTION 221
Which of the following is the MOST relevant risk indicator after a penetration test?
A. Lists of hosts vulnerable to remote exploitation attacks
B. Details of vulnerabilities and recommended remediation
C. Lists of target systems on the network identified and scanned for vulnerabilities
D. Details of successful vulnerability exploitations
Correct Answer: D
Section: Mixed questions Explanation
QUESTION 222
Which of the following is the BEST type of authentication and encryption for a Secure Shell (SSH) implementation when network traffic traverses between a host and an infrastructure device?
A. Lightweight Directory Access Protocol (LDAP)
B. Public-key cryptography
C. Remote Authentication Dial-In User Service (RADIUS)
D. Private-key cryptography
Correct Answer: B
Section: Mixed questions Explanation
Reference: https://books.google.com.pk/books?id=4K ... cure+Shell+(SSH)+implementation+when+network+traffic+traverses+between+a+host+and+an+infrastructure+device&source=bl&ots=YEMNN8nfuN&sig=ACfU3U2QMbLySWQ_0Vs-GjsSJmaHZ_O9Iw&hl=en&sa=X&ved=2ahUKEwjDobCajqrpAhWMHRQKHW2FC4gQ6AEwAHoECBQQAQ#v=onepage&q=type%20of%20authentication%20and%20encryption%20for%20a%20Secure%20Shell%20(SSH)%20implementation%20when%20network%20traffic%20traverses%20between%20a%20host%20and%20an%20infrastructure%20device&f=false
QUESTION 223
Lack of which of the following could negatively affect an organization’s reputation and revenue, and result in legal action, if the organization fails to perform due diligence?
A. Threat modeling methodologies
B. Service Level Requirement (SLR)
C. Service Level Agreement (SLA)
D. Third-party risk management
Correct Answer: C
Section: Mixed questions Explanation
QUESTION 224
What is the BEST approach to annual safety training?
A. Base safety training requirements on staff member job descriptions.
B. Safety training should address any gaps in a staff member’s skill set.
C. Ensure that staff members in positions with known safety risks are given proper training.
D. Ensure that all staff members are provided with identical safety training.
Correct Answer: C
Section: Mixed questions Explanation
QUESTION 225
Which of the following is a credible source to validate that security testing of Commercial Off-The-Shelf (COTS) software has been performed with international standards?
A. Common Criteria (CC)
B. Evaluation Assurance Level (EAL)
C. National Information Assurance Partnership (NIAP)
D. International Standards Organization (ISO)
Correct Answer: A
Section: Mixed questions Explanation
QUESTION 226
What Service Organization Controls (SOC) report can be freely distributed and used by customers to gain confidence in a service organization’s systems?
A. SOC 1 Type 1
B. SOC 1 Type 2
C. SOC 2
D. SOC 3
Correct Answer: D
Section: Mixed questions Explanation
Reference: https://www.aicpa.org/interestareas/frc ... ement.html
QUESTION 227
Which of the following questions will be addressed through the use of a Privacy Impact Assessment (PIA)?
A. How the information is to be maintained
B. Why the information is to be collected
C. What information is to be destroyed
D. Where the information is to be stored
Correct Answer: B
Section: Mixed questions Explanation
QUESTION 228
An organization discovers that its Secure File Transfer Protocol (SFTP) server has been accessed by an unauthorized person to download an unreleased game. A recent security audit found weaknesses in some of the organization’s general Information Technology (IT) controls, specifically pertaining to software change control and security patch management, but not in other control areas.
Which of the following is the MOST probable attack vector used in the security breach?
A. Buffer overflow
B. Distributed Denial of Service (DDoS)
C. Cross-Site Scripting (XSS)
D. Weak password due to lack of complexity rules
Correct Answer: A
Section: Mixed questions Explanation
QUESTION 229
Which of the following is the FIRST thing to consider when reviewing Information Technology (IT) internal controls?
A. The risk culture of the organization
B. The impact of the control
C. The nature of the risk
D. The cost of the control
Correct Answer: B
Section: Mixed questions Explanation
QUESTION 230
Which layer of the Open System Interconnection (OSI) model is reliant on other layers and is concerned with the structure, interpretation and handling of information?
A. Presentation Layer
B. Session Layer
C. Application Layer
D. Transport Layer
Correct Answer: D
Section: Mixed questions Explanation
QUESTION 231
When conveying the results of a security assessment, which of the following is the PRIMARY audience?
A. Information System Security Officer (ISSO)
B. Authorizing Official (AO)
C. Information System Security Manager (ISSM)
D. Security Control Assessor (SCA)
Correct Answer: C
Section: Mixed questions Explanation
QUESTION 232
What is the motivation for use of the Online Certificate Status Protocol (OCSP)?
A. To return information on multiple certificates
B. To control access to Certificate Revocation List (CRL) requests
C. To provide timely up-to-date responses to certificate queries
D. To issue X.509v3 certificates more quickly
Correct Answer: C
Section: Mixed questions Explanation
CISSP Certified Information Systems Security Professionals Questions + Answers Part 5