CISSP Certified Information Systems Security Professional Questions + Answers Part 2
Posted: Mon Mar 07, 2022 7:54 am
QUESTION 29
Which security access policy contains fixed security attributes that are used by the system to determine a user’s access to a file or object?
A. Mandatory Access Control (MAC)
B. Access Control List (ACL)
C. Discretionary Access Control (DAC)
D. Authorized user control
Correct Answer: A
Section: Security Architecture and Engineering Explanation
QUESTION 30
Which of the following is a common characteristic of privacy?
A. Provision for maintaining an audit trail of access to the private data
B. Notice to the subject of the existence of a database containing relevant credit card data
C. Process for the subject to inspect and correct personal data on-site
D. Database requirements for integration of privacy data
Correct Answer: A
Section: Security Architecture and Engineering Explanation
QUESTION 31
At a MINIMUM, audits of permissions to individual or group accounts should be scheduled
A. annually
B. to correspond with staff promotions
C. to correspond with terminations
D. continually
Correct Answer: A
Section: Security Architecture and Engineering Explanation
QUESTION 32
In a change-controlled environment, which of the following is MOST likely to lead to unauthorized changes to production programs?
A. Modifying source code without approval
B. Promoting programs to production without approval
C. Developers checking out source code without approval
D. Developers using Rapid Application Development (RAD) methodologies without approval
Correct Answer: B
Section: Security Architecture and Engineering Explanation
QUESTION 33
Which of the following combinations would MOST negatively affect availability?
A. Denial of Service (DoS) attacks and outdated hardware
B. Unauthorized transactions and outdated hardware
C. Fire and accidental changes to data
D. Unauthorized transactions and denial of service attacks
Correct Answer: A
Section: Security Architecture and Engineering Explanation
QUESTION 34
Which of the following is a responsibility of a data steward?
A. Ensure alignment of the data governance effort to the organization.
B. Conduct data governance interviews with the organization.
C. Document data governance requirements.
D. Ensure that data decisions and impacts are communicated to the organization.
Correct Answer: A
Section: Security Architecture and Engineering Explanation
QUESTION 35
Which security approach will BEST minimize Personally Identifiable Information (PII) loss from a data breach?
A. End-to-end data encryption for data in transit
B. Continuous monitoring of potential vulnerabilities
C. A strong breach notification process
D. Limited collection of individuals’ confidential data
Correct Answer: D
Section: Security Architecture and Engineering Explanation
QUESTION 36
What is the MAIN goal of information security awareness and training?
A. To inform users of the latest malware threats
B. To inform users of information assurance responsibilities
C. To comply with the organization information security policy
D. To prepare students for certification
Correct Answer: B
Section: Security Architecture and Engineering Explanation
QUESTION 37
Proven application security principles include which of the following?
A. Minimizing attack surface area
B. Hardening the network perimeter
C. Accepting infrastructure security controls
D. Developing independent modules
Correct Answer: A
Section: Security Architecture and Engineering Explanation
QUESTION 38
From a security perspective, which of the following assumptions MUST be made about input to an application?
A. It is tested
B. It is logged
C. It is verified
D. It is untrusted
Correct Answer: D
Section: Security Architecture and Engineering Explanation
QUESTION 39
What is the PRIMARY goal of fault tolerance?
A. Elimination of single point of failure
B. Isolation using a sandbox
C. Single point of repair
D. Containment to prevent propagation
Correct Answer: A
Section: Security Architecture and Engineering Explanation
QUESTION 40
Which of the following is the BEST internationally recognized standard for evaluating security products and systems?
A. Payment Card Industry Data Security Standards (PCI-DSS)
B. Common Criteria (CC)
C. Health Insurance Portability and Accountability Act (HIPAA)
D. Sarbanes-Oxley (SOX)
Correct Answer: B
Section: Security Architecture and Engineering Explanation
QUESTION 41
Which one of the following data integrity models assumes a lattice of integrity levels?
A. Take-Grant
B. Biba
C. Harrison-Ruzzo
D. Bell-LaPadula
Correct Answer: B
Section: Security Architecture and Engineering Explanation
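Questions 29 and 41 both turn on the same idea: under MAC the system attaches fixed labels to subjects and objects, and under Biba those labels form a lattice of integrity levels. The following is an added illustration, not part of the original question dump, in Python. Labels are (level, categories) pairs ordered as a product lattice; the level names, subjects and objects are constructed for the example.

```python
"""Biba integrity over a lattice of labels: an added illustration (not part of the
original question set). Labels are (level, categories); the ordering is the product
lattice: a dominates b when its level is at least b's level AND its category set is
a superset of b's.  Level names and the sample subjects/objects are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet

# Integrity levels, higher number = more trustworthy (constructed ordering).
LEVELS: Dict[str, int] = {"untrusted": 0, "user": 1, "system": 2}


@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice (a partial order: some pairs are incomparable)."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def join(a: Label, b: Label) -> Label:
    """Least upper bound, e.g. the label a newly derived object would receive."""
    level = a.level if LEVELS[a.level] >= LEVELS[b.level] else b.level
    return Label(level, a.categories | b.categories)


def meet(a: Label, b: Label) -> Label:
    """Greatest lower bound."""
    level = a.level if LEVELS[a.level] <= LEVELS[b.level] else b.level
    return Label(level, a.categories & b.categories)


class BibaMonitor:
    """Reference monitor enforcing Biba over fixed, system-assigned labels (MAC):
    subjects cannot relabel themselves or the objects, unlike DAC where an owner
    may grant access at will."""

    def __init__(self, subjects: Dict[str, Label], objects: Dict[str, Label]):
        self._subjects = dict(subjects)
        self._objects = dict(objects)

    def can_read(self, subject: str, obj: str) -> bool:
        # Simple integrity property ("no read down"): the object must be at least
        # as trustworthy as the reader, or its data could corrupt the reader.
        return self._objects[obj].dominates(self._subjects[subject])

    def can_write(self, subject: str, obj: str) -> bool:
        # Star integrity property ("no write up"): a subject may only write to
        # objects of equal or lower integrity.
        return self._subjects[subject].dominates(self._objects[obj])

    def can_invoke(self, caller: str, callee: str) -> bool:
        # Invocation property: a subject may only invoke subjects at or below its level.
        return self._subjects[caller].dominates(self._subjects[callee])


def demo() -> Dict[str, bool]:
    """Constructed sample policy: a browser at 'untrusted' and an admin process at
    'system' holding the 'audit' category, plus a few objects."""
    monitor = BibaMonitor(
        subjects={
            "browser": Label("untrusted"),
            "admin": Label("system", frozenset({"audit"})),
        },
        objects={
            "download": Label("untrusted"),
            "kernel": Label("system"),
            "auditlog": Label("system", frozenset({"audit"})),
            "hr_db": Label("user", frozenset({"hr"})),
        },
    )
    return {
        "browser_reads_kernel": monitor.can_read("browser", "kernel"),    # reading up is allowed
        "browser_writes_kernel": monitor.can_write("browser", "kernel"),  # no write up
        "admin_reads_download": monitor.can_read("admin", "download"),    # no read down
        "admin_writes_auditlog": monitor.can_write("admin", "auditlog"),  # equal labels
        "admin_writes_hr_db": monitor.can_write("admin", "hr_db"),        # incomparable: lacks 'hr'
        "admin_reads_hr_db": monitor.can_read("admin", "hr_db"),          # incomparable either way
        "admin_invokes_browser": monitor.can_invoke("admin", "browser"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:24s} {'ALLOW' if allowed else 'DENY'}")
```

The `hr_db` case is the point of having a lattice rather than a simple ladder of levels: the admin process is higher in level but does not hold the `hr` category, so the two labels are incomparable and Biba permits neither a read nor a write between them.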
QUESTION 42
Even though a particular digital watermark is difficult to detect, which of the following represents a way it might still be inadvertently removed?
A. Truncating parts of the data
B. Applying Access Control Lists (ACL) to the data
C. Appending non-watermarked data to watermarked data
D. Storing the data in a database
Correct Answer: A
Section: Security Architecture and Engineering Explanation
QUESTION 43
What is the purpose of an Internet Protocol (IP) spoofing attack?
A. To send excessive amounts of data to a process, making it unpredictable
B. To intercept network traffic without authorization
C. To disguise the destination address from a target’s IP filtering devices
D. To convince a system that it is communicating with a known entity
Correct Answer: D
Section: Communication and Network Security Explanation
QUESTION 44
At what level of the Open System Interconnection (OSI) model is data at rest on a Storage Area Network (SAN) located?
A. Link layer
B. Physical layer
C. Session layer
D. Application layer
Correct Answer: D
Section: Communication and Network Security Explanation
QUESTION 45
In a Transmission Control Protocol/Internet Protocol (TCP/IP) stack, which layer is responsible for negotiating and establishing a connection with another node?
A. Transport layer
B. Application layer
C. Network layer
D. Session layer
Correct Answer: A
Section: Communication and Network Security Explanation
QUESTION 46
Which of the following is used by the Point-to-Point Protocol (PPP) to determine packet formats?
A. Layer 2 Tunneling Protocol (L2TP)
B. Link Control Protocol (LCP)
C. Challenge Handshake Authentication Protocol (CHAP)
D. Packet Transfer Protocol (PTP)
Correct Answer: B
Section: Communication and Network Security Explanation
QUESTION 47
Which of the following operates at the Network Layer of the Open System Interconnection (OSI) model?
A. Packet filtering
B. Port services filtering
C. Content filtering
D. Application access control
Correct Answer: A
Section: Communication and Network Security Explanation
Reference: https://www.sans.org/reading-room/white ... urity-1309 (10)
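Questions 43 and 47 fit together: a packet filter works at the network layer, and one of the most useful things it can do there is refuse packets whose source address cannot be genuine, which is the standard defence against IP spoofing. The following is an added example in Python, not code from the original post or from the SANS paper referenced above. It parses a raw IPv4 header (including the RFC 791 checksum) and applies ordered rules that use only what layer 3 exposes: ingress interface, addresses and protocol number. Interface names, prefixes and the test packets are constructed.

```python
"""Network-layer (OSI layer 3) packet filter with an anti-spoofing ingress rule.
Added example, not from the original post: the interface names, prefixes and the
test packets are constructed.  The filter only looks at what layer 3 exposes
(addresses and the protocol number); ports live in the transport header and content
in the application payload, so rules on those belong to higher-layer devices."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPV4_FMT = "!BBHHHBBH4s4s"  # ver/ihl, tos, total_len, id, flags/frag, ttl, proto, csum, src, dst
ANY = ipaddress.ip_network("0.0.0.0/0")


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: ones' complement of the ones' complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes = b"") -> bytes:
    """Build a minimal (20-byte header) IPv4 packet with a valid checksum (test input)."""
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


@dataclass(frozen=True)
class IPv4Header:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: int


def parse_ipv4(pkt: bytes) -> Optional[IPv4Header]:
    """Return the header fields a layer-3 filter needs, or None if the packet is malformed."""
    if len(pkt) < 20:
        return None
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        return None
    if ipv4_checksum(pkt[:ihl]) != 0:  # a valid header sums to zero with its checksum field included
        return None
    return IPv4Header(ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), proto)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "drop"
    iface: str                       # ingress interface the packet arrived on
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    proto: Optional[int] = None      # IP protocol number (6 = TCP, 17 = UDP, 1 = ICMP); None = any

    def matches(self, iface: str, h: IPv4Header) -> bool:
        return (iface == self.iface and h.src in self.src and h.dst in self.dst
                and (self.proto is None or self.proto == h.proto))


class PacketFilter:
    """First matching rule wins; anything unmatched or unparsable is dropped (default deny)."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)

    def decide(self, iface: str, pkt: bytes) -> Tuple[str, str]:
        header = parse_ipv4(pkt)
        if header is None:
            return "drop", "malformed"
        for rule in self.rules:
            if rule.matches(iface, header):
                return rule.action, rule.name
        return "drop", "default-deny"


def build_filter() -> PacketFilter:
    """Constructed policy: 10.0.0.0/8 is the internal network, 10.0.0.5 a public-facing TCP service."""
    internal = ipaddress.ip_network("10.0.0.0/8")
    return PacketFilter([
        # Ingress anti-spoofing: a packet claiming an internal source cannot legitimately
        # arrive from outside, so drop it before it can impersonate a trusted host.
        Rule("anti-spoof-internal", "drop", "outside", src=internal),
        Rule("anti-spoof-loopback", "drop", "outside", src=ipaddress.ip_network("127.0.0.0/8")),
        Rule("web-in", "allow", "outside", dst=ipaddress.ip_network("10.0.0.5/32"), proto=6),
        # Egress: only internal sources may leave; default deny covers everything else,
        # which stops this site from being a source of spoofed packets itself.
        Rule("internal-out", "allow", "inside", src=internal),
    ])


if __name__ == "__main__":
    pf = build_filter()
    for iface, pkt in [("outside", build_ipv4("10.1.2.3", "10.0.0.5", 6)),
                       ("outside", build_ipv4("203.0.113.7", "10.0.0.5", 6)),
                       ("outside", build_ipv4("203.0.113.7", "10.0.0.5", 17)),
                       ("inside", build_ipv4("10.0.0.9", "198.51.100.1", 17))]:
        print(iface, pf.decide(iface, pkt))
```

Note what the `web-in` rule cannot say: it allows TCP to the server but cannot restrict it to port 443, because the port is in the TCP header, one layer up. That limitation is exactly why the exam distinguishes packet filtering from port-level and content filtering.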
QUESTION 48
An external attacker has compromised an organization’s network security perimeter and installed a sniffer onto an inside computer. Which of the following is the MOST effective layer of security the organization could have implemented to mitigate the attacker’s ability to gain further information?
A. Implement packet filtering on the network firewalls
B. Install Host Based Intrusion Detection Systems (HIDS)
C. Require strong authentication for administrators
D. Implement logical network segmentation at the switches
Correct Answer: D
Section: Communication and Network Security Explanation
QUESTION 49
An input validation and exception handling vulnerability has been discovered on a critical web-based system. Which of the following is MOST suited to quickly implement a control?
A. Add a new rule to the application layer firewall
B. Block access to the service
C. Install an Intrusion Detection System (IDS)
D. Patch the application source code
Correct Answer: A
Section: Communication and Network Security Explanation
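Questions 38 and 49 describe the two halves of the same incident: code that assumed its input was trustworthy, and the quickest control available once that assumption fails. The following is an added example in Python, not code from the original post. It shows a report-download handler that trusts its parameters, the hardened version that treats every parameter as hostile and never leaks exception details, and a narrow application-layer firewall rule that can be deployed in front of the vulnerable code while the real patch goes through change control. The endpoint, the in-memory file table and all request parameters are constructed so it runs offline.

```python
"""Untrusted input and exception handling: a vulnerable report-download handler, its
hardened version, and a quick WAF-style 'virtual patch' in front of it.
Added example, not the original post's code: the endpoint, the in-memory file
table and the request parameters are all constructed so it runs offline."""
import posixpath
import re
from typing import Callable, Dict, Tuple

BASE = "/srv/reports"
# Constructed stand-in for the filesystem (absolute POSIX paths -> contents).
FILES: Dict[str, bytes] = {
    "/srv/reports/q1.pdf": b"%PDF-1.4 quarterly report",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh",
}
Response = Tuple[int, bytes]
Handler = Callable[[Dict[str, str]], Response]


def vulnerable_download(params: Dict[str, str]) -> Response:
    """Treats input as trusted: no validation, and exceptions propagate to the client."""
    path = posixpath.normpath(posixpath.join(BASE, params["report"]))  # '../' walks out of BASE
    count = int(params.get("count", "1"))   # ValueError on garbage -> unhandled 500 with a traceback
    return 200, FILES[path] * count         # KeyError on a missing file; a huge count exhausts memory


NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}\.pdf")


class BadRequest(Exception):
    pass


def hardened_download(params: Dict[str, str]) -> Response:
    """Assumes every parameter is hostile: allow-list validation, bounded values,
    a path containment check as defence in depth, and no exception details leak."""
    try:
        name = params.get("report", "")
        if not NAME_RE.fullmatch(name):
            raise BadRequest("invalid report name")
        path = posixpath.normpath(posixpath.join(BASE, name))
        if posixpath.commonpath([BASE, path]) != BASE:
            raise BadRequest("path escapes base directory")
        try:
            count = int(params.get("count", "1"))
        except ValueError:
            raise BadRequest("count must be an integer") from None
        if not 1 <= count <= 5:
            raise BadRequest("count out of range")
        data = FILES.get(path)
        if data is None:
            return 404, b"not found"
        return 200, data * count
    except BadRequest as exc:
        return 400, str(exc).encode()
    except Exception:
        # Log the real exception server-side (omitted here); the client learns nothing useful.
        return 500, b"internal error"


# Application-layer firewall rule: a narrow signature that can be deployed in minutes
# while the code fix goes through change control.  It blocks the known attack
# pattern only; it is not a substitute for the patch.
WAF_RULES = [
    ("path-traversal", re.compile(r"\.\.[/\\]|%2e%2e", re.IGNORECASE)),
    ("oversize-param", re.compile(r".{65,}", re.DOTALL)),
]


def waf(params: Dict[str, str], handler: Handler) -> Response:
    for rule_name, pattern in WAF_RULES:
        for value in params.values():
            if pattern.search(value):
                return 403, f"blocked by rule {rule_name}".encode()
    return handler(params)


if __name__ == "__main__":
    attack = {"report": "../../etc/passwd"}
    print("vulnerable:", vulnerable_download(attack))
    print("hardened:  ", hardened_download(attack))
    print("virtual patch in front of vulnerable code:", waf(attack, vulnerable_download))
    try:
        waf({"report": "q1.pdf", "count": "x"}, vulnerable_download)
    except ValueError as exc:
        print("the rule does not cover the bad 'count' parameter:", exc)
```

The last case in `__main__` is the caveat behind answer A: the firewall rule buys time against the pattern you already know about, but the malformed `count` parameter still crashes the unpatched handler, so the source fix (option D) remains the control that actually closes the vulnerability.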
QUESTION 50
Which of the following is BEST achieved through the use of eXtensible Access Control Markup Language (XACML)?
A. Minimize malicious attacks from third parties
B. Manage resource privileges
C. Share digital identities in hybrid cloud
D. Define a standard protocol
Correct Answer: D
Section: Communication and Network Security Explanation
QUESTION 51
An organization has discovered that users are visiting unauthorized websites using anonymous proxies. Which of the following is the BEST way to prevent future occurrences?
A. Remove the anonymity from the proxy
B. Analyze Internet Protocol (IP) traffic for proxy requests
C. Disable the proxy server on the firewall
D. Block the Internet Protocol (IP) address of known anonymous proxies
Correct Answer: C
Section: Communication and Network Security Explanation
QUESTION 52
A post-implementation review has identified that the Voice Over Internet Protocol (VoIP) system was designed to have gratuitous Address Resolution Protocol (ARP) disabled.
Why did the network architect likely design the VoIP system with gratuitous ARP disabled?
A. Gratuitous ARP requires the use of Virtual Local Area Network (VLAN) 1.
B. Gratuitous ARP requires the use of insecure layer 3 protocols.
C. Gratuitous ARP increases the likelihood of a successful brute-force attack on the phone.
D. Gratuitous ARP increases the risk of a Man-in-the-Middle (MITM) attack.
Correct Answer: D
Section: Communication and Network Security Explanation
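The reason behind answer D is that a phone which honours gratuitous ARP will overwrite its cache entry for the gateway with whatever MAC address an unsolicited announcement carries, which is all an attacker on the voice VLAN needs to sit in the call path. The following is an added example in Python, not code from the original post. It parses Ethernet II + ARP frames (RFC 826 layout) and checks them against a trusted IP-to-MAC binding table of the kind DHCP snooping or dynamic ARP inspection maintains. All MAC and IP addresses and the binding table are constructed.

```python
"""Gratuitous ARP and ARP-cache poisoning detection.  Added example, not from the
original post: frame layout follows Ethernet II + ARP (RFC 826); the MAC and IP
addresses and the trusted binding table are constructed."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ETH_P_ARP = 0x0806
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


@dataclass(frozen=True)
class Arp:
    eth_src: str   # source MAC in the Ethernet header
    oper: int      # 1 = request, 2 = reply
    sha: str       # sender hardware address (inside the ARP payload)
    spa: str       # sender protocol address
    tha: str
    tpa: str

    @property
    def gratuitous(self) -> bool:
        # A host announcing its own mapping: sender and target IP are the same.
        return self.spa == self.tpa


def build_arp(eth_src: str, oper: int, sha: str, spa: str, tha: str, tpa: str,
              eth_dst: str = BROADCAST) -> bytes:
    """Constructed Ethernet II frame carrying an ARP packet (test input)."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac_bytes(sha), ip_bytes(spa),
                      mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


def parse_arp(frame: bytes) -> Optional[Arp]:
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return Arp(mac_str(frame[6:12]), oper, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa))


class ArpSentinel:
    """Inspects ARP on the voice VLAN against a trusted IP->MAC table (what DHCP
    snooping / dynamic ARP inspection would hold; constructed here)."""

    def __init__(self, bindings: Dict[str, str]):
        self.bindings = dict(bindings)

    def inspect(self, frame: bytes) -> List[Tuple[str, str]]:
        arp = parse_arp(frame)
        if arp is None:
            return []
        findings: List[Tuple[str, str]] = []
        if arp.sha != arp.eth_src:
            findings.append(("alert", f"ARP sender {arp.sha} differs from frame source {arp.eth_src}"))
        bound = self.bindings.get(arp.spa)
        if bound is not None and bound != arp.sha:
            # The classic MITM setup: an unsolicited mapping that steals a known IP.
            findings.append(("alert", f"{arp.spa} is bound to {bound} but {arp.sha} claims it"))
        if arp.gratuitous:
            severity = "info" if bound in (None, arp.sha) else "alert"
            findings.append((severity, f"gratuitous ARP for {arp.spa} from {arp.sha}"))
        return findings


def demo() -> Dict[str, List[Tuple[str, str]]]:
    gateway, phone, attacker = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:20", "0e:11:22:33:44:55"
    sentinel = ArpSentinel({"10.0.0.1": gateway, "10.0.0.20": phone})
    return {
        # Gateway announcing itself after a reboot: benign, but phones that honour it rewrite their cache.
        "gateway_announce": sentinel.inspect(build_arp(gateway, 2, gateway, "10.0.0.1", BROADCAST, "10.0.0.1")),
        # Attacker tells the phone that the gateway's IP now lives at the attacker's MAC.
        "poison_phone": sentinel.inspect(build_arp(attacker, 2, attacker, "10.0.0.1", phone, "10.0.0.20", eth_dst=phone)),
        # The same theft as a broadcast gratuitous ARP, poisoning every listener at once.
        "poison_broadcast": sentinel.inspect(build_arp(attacker, 1, attacker, "10.0.0.1", "00:00:00:00:00:00", "10.0.0.1")),
        # Non-ARP frame (EtherType 0x0800, IPv4) is ignored.
        "ipv4_frame": sentinel.inspect(mac_bytes(phone) + mac_bytes(gateway) + b"\x08\x00" + b"\x00" * 28),
    }


if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, findings or "(no findings)")
```

Disabling gratuitous ARP on the handsets removes the `poison_broadcast` path entirely; the `poison_phone` case, a directed reply the phone never asked for, is what dynamic ARP inspection on the switch is for.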
QUESTION 53
Within the company, desktop clients receive Internet Protocol (IP) addresses over Dynamic Host Configuration Protocol (DHCP). Which of the following represents a valid measure to help protect the network against unauthorized access?
A. Implement patch management
B. Implement port based security through 802.1x
C. Implement DHCP to assign IP addresses to server systems
D. Implement change management
Correct Answer: B
Section: Communication and Network Security Explanation
QUESTION 54
Transport Layer Security (TLS) provides which of the following capabilities for a remote access server?
A. Transport layer handshake compression
B. Application layer negotiation
C. Peer identity authentication
D. Digital certificate revocation
Correct Answer: C
Section: Communication and Network Security Explanation
QUESTION 55
What does a Synchronize (SYN) flood attack do?
A. Forces Transmission Control Protocol/Internet Protocol (TCP/IP) connections into a reset state
B. Establishes many new Transmission Control Protocol/Internet Protocol (TCP/IP) connections
C. Empties the queue of pending Transmission Control Protocol/Internet Protocol (TCP/IP) requests
D. Exceeds the limits for new Transmission Control Protocol/Internet Protocol (TCP/IP) connections
Correct Answer: D
Section: Communication and Network Security Explanation
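The mechanism behind answer D: every SYN the server answers occupies a slot in its half-open (SYN_RECV) queue until the third handshake packet arrives, and SYNs sent from spoofed sources never get that third packet, so the queue fills and real clients are turned away. The following is an added example in Python, not code from the original post. It models the listener's backlog rather than opening sockets, floods it from spoofed addresses, then repeats the run with SYN cookies, where the server encodes its initial sequence number as an HMAC over the connection 4-tuple and a time bucket instead of storing state. The addresses, secret and clock are constructed.

```python
"""SYN flood against a listener's half-open (SYN_RECV) queue, with and without SYN
cookies.  Added example, not from the original post: the listener is a model of the
kernel's backlog, not a socket, and the addresses, secret and clock are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Peer = Tuple[str, int]   # (source IP, source port)


@dataclass
class Listener:
    backlog: int                      # max half-open connections (cf. net.ipv4.tcp_max_syn_backlog)
    syn_cookies: bool = False         # stateless handshake instead of queueing
    secret: bytes = b"constructed-per-boot-secret"
    half_open: Dict[Peer, int] = field(default_factory=dict)   # peer -> our ISN
    established: Set[Peer] = field(default_factory=set)
    dropped: int = 0

    def _cookie(self, peer: Peer, dport: int, bucket: int) -> int:
        """Initial sequence number derived from the 4-tuple and a coarse time bucket,
        so the server keeps no state until a valid ACK proves the client is reachable.
        (Real SYN cookies also squeeze the MSS into the low bits; omitted here.)"""
        msg = f"{peer[0]}|{peer[1]}|{dport}|{bucket}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def on_syn(self, src: str, sport: int, dport: int, now: float) -> Optional[int]:
        """Return the ISN sent in our SYN-ACK, or None if the SYN was dropped."""
        peer = (src, sport)
        if self.syn_cookies:
            return self._cookie(peer, dport, int(now // 60))
        if len(self.half_open) >= self.backlog:
            self.dropped += 1          # queue full: legitimate SYNs are dropped too
            return None
        isn = secrets.randbits(32)
        self.half_open[peer] = isn     # a real stack would time this entry out after retries
        return isn

    def on_ack(self, src: str, sport: int, dport: int, ack: int, now: float) -> bool:
        """Third handshake packet; `ack` must equal our ISN + 1."""
        peer = (src, sport)
        if self.syn_cookies:
            bucket = int(now // 60)
            for b in (bucket, bucket - 1):   # accept the current and previous minute
                if (self._cookie(peer, dport, b) + 1) & 0xFFFFFFFF == ack:
                    self.established.add(peer)
                    return True
            return False
        isn = self.half_open.get(peer)
        if isn is None or (isn + 1) & 0xFFFFFFFF != ack:
            return False
        del self.half_open[peer]
        self.established.add(peer)
        return True


def simulate(syn_cookies: bool, backlog: int = 128, flood: int = 1000) -> Dict[str, object]:
    """Spoofed-source flood followed by one real client.  The spoofed hosts never sent
    the SYNs, so they never answer the SYN-ACK and the entries sit in the queue."""
    srv = Listener(backlog=backlog, syn_cookies=syn_cookies)
    now = 1_700_000_000.0
    for i in range(flood):
        srv.on_syn(f"198.51.100.{i % 250}", 1024 + i, 80, now)   # constructed spoofed sources
    isn = srv.on_syn("203.0.113.9", 40000, 80, now)
    connected = isn is not None and srv.on_ack("203.0.113.9", 40000, 80, (isn + 1) & 0xFFFFFFFF, now + 0.05)
    forged = srv.on_ack("203.0.113.9", 40001, 80, 0x12345678, now)   # ACK with no prior SYN / wrong cookie
    return {
        "half_open": len(srv.half_open),
        "dropped": srv.dropped,
        "client_connected": connected,
        "forged_ack_accepted": forged,
    }


if __name__ == "__main__":
    print("no cookies:  ", simulate(False))
    print("SYN cookies: ", simulate(True))
```

Without cookies the 1000-packet flood leaves the 128-slot queue full, 873 SYNs dropped (872 from the flood plus the real client's), and the real client never connects; with cookies nothing is queued, the real client completes the handshake, and a forged ACK is rejected because it does not carry a valid cookie.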
QUESTION 56
A Denial of Service (DoS) attack on a syslog server exploits weakness in which of the following protocols?
A. Point-to-Point Protocol (PPP) and Internet Control Message Protocol (ICMP)
B. Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)
C. Address Resolution Protocol (ARP) and Reverse Address Resolution Protocol (RARP)
D. Transport Layer Security (TLS) and Secure Sockets Layer (SSL)
Correct Answer: B
Section: Communication and Network Security Explanation
QUESTION 57
In a High Availability (HA) environment, what is the PRIMARY goal of working with a virtual router address as the gateway to a network?
A. The second of two routers can periodically check in to make sure that the first router is operational.
B. The second of two routers can better absorb a Denial of Service (DoS) attack knowing the first router is present.
C. The first of two routers fails and is reinstalled, while the second handles the traffic flawlessly.
D. The first of two routers can better handle specific traffic, while the second handles the rest of the traffic seamlessly.
Correct Answer: C
Section: Communication and Network Security Explanation