Cissp Practice Question

Mike Fowler

Aug 3, 2024, 4:53:55 PM8/3/24
to acexercom

Once you have decided to start your CISSP certification journey, make sure you are successful in it. One of the proven 7 steps in the CISSP Study Guide to fully prepare for the CISSP certification exam is to practice the CISSP practice exam multiple times. Going through the CISSP practice exam helps you find out your weaknesses and strengths. With the help of the CISSP practice exam, you will be able to know which domain of the CISSP content you need to focus on more. If you are not scoring over 70% in the CISSP practice exams you are taking, we strongly recommend you enroll and proceed with a comprehensive CISSP certification training program. Note that, before starting your CISSP journey, we recommend you check the CISSP certification requirements to see if you satisfy them.

The CISSP practice exam that we have prepared in this post covers the key concepts in each of the 8 domains included in the CISSP certification exam. The CISSP practice test questions provide the answers as well as rationales to give you more understanding of the topic. These 20 sample CISSP questions will allow you to familiarize yourself with the CISSP exam questions. These will also help you reinforce your learning and prepare for the real CISSP test in the near future.

After helping thousands of professionals in more than 180 countries with a 99.6% first attempt pass rate, we have prepared a seven-step CISSP study guide. Read this CISSP study guide and create your own CISSP prep plan accordingly.

Let us take you through our sample CISSP practice exam below. Once you finish this, you may try our free CISSP exam simulator for more CISSP practice exam questions. So, move on and test your knowledge of the CISSP exam content now.

The Heartbleed virus recently compromised OpenSSL because versions of OpenSSL were vulnerable to memory content read attempts, which ultimately led to the exposure of protected information including service provider private keys. Many practitioners believe that open design is better than closed design. What one consideration is usually necessary to allow an open design to provide greater security?

a. Implement a policy that forbids the use of packet analyzers/sniffers. Monitor the network frequently.
b. Scan the network periodically to determine if unauthorized devices are connected. If those devices are detected, disconnect them immediately, and provide management a report on the violation.
c. Provide security such as disabling ports and mac filtering on the enterprise switches to prevent an unauthorized device from connecting to the network. Implement software restriction policies to prevent unauthorized software from being installed on systems.
d. Install anti-spyware software on all systems on the network.

To significantly mitigate risks on the network, we have to implement security that limits connectivity to our network from external devices. Additionally, we are concerned with monitoring software being installed on our hosts, so we want to limit the ability of such software to be installed. Further, we want to ensure that other basic security requirements are satisfied, such as using strong passwords, lockout policies on systems, physical security, etc.

Remember: Proactive devices PREVENT an attack, as opposed to responding to it. Network scans often detect these devices, but they rarely prevent them. Policies describe high-level enterprise intentions which can then be implemented. Installing antispyware is a detective/corrective control, not a proactive/preventative one.

Confidentiality can be breached via social engineering attacks. Though training is helpful in reducing the number of these attacks, it does not eliminate the risk. Which of the following choices would be an administrative policy that is most likely to help mitigate this risk?

Segregation of Duties is frequently used to limit the amount of information to which any one individual has access. E.g., a user cannot likely leak the password for a file server because that information is exclusively available to those whose jobs require access to that information. Segregation of duties frequently goes hand-in-hand with need-to-know and the principle of least privilege. Formal onboarding would increase user awareness but would not necessarily be a preventative control. Job rotation would limit the risk of a user conducting fraud, but not the risk of social engineering. Formal offboarding would not have any effect on social engineering risk.

Whenever a subject attempts to access an object, that access must be authorized. During this access, the set of conceptual requirements must be verified by the part of the operating system kernel that deals with security. The conceptual ruleset is known as the __________, while the enforcement mechanism is referred to as the ____________.

As a subject attempts to access an object, two of the main elements that control access are the Reference Monitor and the Security Kernel. The Reference Monitor is the conceptual rule set that defines access, while the Security Kernel includes the hardware, software, or firmware that enforces the rule set. An access control list (ACL) is a table that tells a computer operating system what access rights each user has to a particular system object, such as a file directory or individual file. Security enforcer is a made-up term.

a. There is always a tradeoff for security, so an organization has to weigh the cost vs. benefits of the security measures.
b. Security is cheap and easily implemented compared to the potential for loss. Security should be implemented everywhere possible.
c. Security is so important that every organization must implement as much as possible.
d. Security is too costly to implement in small organizations.

While evaluating a system per the TCSEC and the more recent Common Criteria, Trust and Assurance are two elements that are included in the evaluation scope. Which of the following choices best describes trust and assurance?

a. Trust describes how secure the system is, while assurance describes performance capabilities.
b. Assurance describes how secure the system is, while trust describes performance capabilities.
c. Trust describes the function of the product, while assurance describes the reliability of the process used to create the product.
d. Assurance describes the function of the product, while trust describes the reliability of the process used to create the product.

Trust is typically defined in terms of the security features, functions, mechanisms, services, procedures, and architectures implemented within a system. Security assurance is the measure of confidence that the security functionality is implemented correctly, operating as intended, and producing the desired outcome based on the reliability of the processes used to develop the system.

In 1918, Gilbert Vernam created a means of providing mathematically unbreakable encryption by using a one-time pad that served as a key. Which modern encryption technology is based on the ideas implemented in the Vernam Cipher?

Session keys are used for a single session and are then discarded, as is the one-time pad. Additionally, each session key must be statistically unpredictable and unrelated to the previous key, as the one-time pad requires as well. Any technology that takes advantage of a short-term password or key can ultimately be traced back to the one-time pad. Asymmetric Cryptography is often used to provide secure session key exchange. Digital signatures are used to verify a message sender and content. IPSec handshaking is used to establish a secure channel.

During World War II the Germans used the Enigma machine to exchange encrypted messages. It was a rotating disk-based system that used the starting rotor configuration as its secrecy mechanism. When the original system was compromised, the Germans added a fourth rotor to exponentially increase the complexity necessary to break the code. This concept is seen in the relationship between ___________.

DES was originally the standard for protecting sensitive but unclassified information for the US Government. Once DES was compromised the US government needed a quick means to increase its security. 3DES tripled the length of the key from 56 bits to 168 bits. Often a quick means to strengthen a compromised algorithm is to increase the key length or the length of the initialization vector.

A user receives an email that they believe to have been sent by a colleague. In actuality, the email was spoofed by an attacker. What security services would have indicated that the message was spoofed?

Non-repudiation is the combination of authenticity and integrity and is implemented through the use of digital signatures. Privacy is involved in protecting private data from disclosure. Authorization is granting users access rights to objects.

In mail messages, the contents of the message are often encrypted by a symmetric algorithm, likely AES. Non-repudiation, however, is obtained through a combination of hashing and an asymmetric algorithm. How is non-repudiation accomplished?

A birthday attack is based on the idea that it is easier to find two hashes that just happen to match rather than trying to produce a specific hash. It is called a birthday attack based on the fact that it is easier to find two people in a group whose birthdays just happen to match, rather than someone with a specific birthday.

The Data Link Layer (layer 2 of the OSI Model) has two sublayers. The first is MAC (Media Access Control) and it provides a means for determining which system or systems can have access to the transmission media and be allowed to transmit at any given time. Ethernet uses the second method called CSMA/CD (Carrier Sense Multiple Access with Collision Detection). What does CSMA/CD imply?

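The birthday-attack rationale in the post above can be made concrete. This is an added example, not part of the original post: it truncates SHA-256 to a constructed 16-bit output so that both searches finish in seconds, then contrasts how many attempts it takes to find any two messages that share a hash (the birthday search, roughly 2^(n/2) work) against how many it takes to hit one specific target hash (roughly 2^n work). The same gap is why a signature scheme's hash output must be long enough that the square-root cost is still out of reach.

```python
import hashlib
from typing import Dict, Optional, Tuple

# Constructed parameter: a 16-bit truncation of SHA-256 keeps both
# searches fast while still showing the 2^(n/2) vs 2^n gap.
HASH_BITS = 16


def short_hash(data: bytes, bits: int = HASH_BITS) -> int:
    """Return the first `bits` bits of SHA-256(data) as an integer."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)


def find_collision(bits: int = HASH_BITS) -> Tuple[bytes, bytes, int]:
    """Birthday search: hash counter-labelled messages until two distinct
    messages share a truncated hash. Returns (m1, m2, attempts).
    The pigeonhole principle guarantees success within 2**bits + 1
    attempts; the birthday bound predicts about sqrt(pi/2 * 2**bits)."""
    seen: Dict[int, bytes] = {}
    attempts = 0
    while True:
        msg = f"doc-{attempts}".encode()
        attempts += 1
        h = short_hash(msg, bits)
        if h in seen:
            return seen[h], msg, attempts
        seen[h] = msg


def find_preimage(target: int, bits: int = HASH_BITS,
                  limit: int = 1 << 22) -> Tuple[Optional[bytes], int]:
    """Preimage search: look for a message whose truncated hash equals one
    *specific* target value. Expected cost is about 2**bits attempts,
    i.e. the square of the collision search. Returns (msg or None, attempts)."""
    for attempts in range(1, limit + 1):
        msg = f"forged-{attempts}".encode()
        if short_hash(msg, bits) == target:
            return msg, attempts
    return None, limit


if __name__ == "__main__":
    m1, m2, c_tries = find_collision()
    target = short_hash(b"signed contract v1")  # constructed "signed" document
    forged, p_tries = find_preimage(target)
    print(f"collision after {c_tries} tries: {m1!r} and {m2!r}")
    print(f"preimage after {p_tries} tries: {forged!r}")
```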