Get ready to pass the CISSP Exam right now using our ISC Certification Exam Package [Q188-Q213]


A fully updated 2022 CISSP Exam Dumps exam guide from training expert ExamcollectionPass


Introduction of CISSP Exam

The CISSP certification is a globally recognized certification that utilizes a unique CBK (Credential Body of Knowledge) methodology. The CISSP credential is defined as conforming to the requirements of NCEES, the American Society for Testing and Materials (ASTM), and the International Information Systems Security Certification Consortium (ISC). The test alone will not earn a valid CISSP certification. The new CISSP Exam aims to deliver what professionals need most: the ability to demonstrate that they can apply their knowledge and skills effectively on the job. This exam includes questions from five of the ten domains of knowledge: Access Controls, Application Development Security, Business Continuity and Disaster Recovery Planning, Cryptography, and Risk Management, which are also covered in our CISSP Dumps. The CISSP certification exam was updated in May 2012. This guide provides an overview of the CISSP (ISC)2 domains and their respective weighting within the examination to further assist candidates with their studies. The guide also provides guidance on how to prepare for the exam, including how to use the ISC2 CBK (Credential Body of Knowledge) to help develop an individualized study plan. The guide also lists sample questions that can be used as part of a final review prior to taking the exam.

 

NEW QUESTION 188
Which of the following backup methods is most appropriate for off-site archiving?

  • A. Off-site backup method.
  • B. Incremental backup method.
  • C. Full backup method.
  • D. Differential backup method.

Answer: C

Explanation:
Since we want to maintain the backups off-site, it is always better to send full backups, because they contain a consistent base of the system; a restore always begins from a full backup. The backups stored off-site are in most cases in a secure place, and keeping full backups there is a best practice for any network administrator. With incremental or differential backups alone we do not have everything we need to restore a system to a consistent state; we need to start from the full backup. "Off-site backup" is not a valid backup method.

 

NEW QUESTION 189
What is the primary reason why some sites choose not to implement Trivial File Transfer Protocol (TFTP)?

  • A. It cannot support the Lightweight Directory Access Protocol (LDAP)
  • B. Due to the inherent security risks
  • C. It is too complex to manage user access restrictions under TFTP
  • D. It does not offer high level encryption like FTP

Answer: B

Explanation:
Some sites choose not to implement Trivial File Transfer Protocol (TFTP) due to the inherent security risks. TFTP is a UDP-based file transfer program that provides no security. There is no user authentication. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 88.

 

NEW QUESTION 190
Of the various types of "Hackers" that exist, the ones who are not worried about being caught and spending time in jail and have a total disregard for the law or police force, are labeled as what type of hackers?

  • A. White Hat Hackers
  • B. Black Hat Hackers
  • C. Gray Hat Hackers
  • D. Suicide Hackers

Answer: D

Explanation:
Suicide Hackers are a type of hacker without fear, who disregard authority, the police and the law. Suicide Hackers hack for a cause important to them and find the end goal more important than their individual freedom.
The term "Hacker" originally meant a Unix computer enthusiast but has been villainized in the media as "Criminal Hacker" for a mass audience. A hacker used to be known as a good person who would add functionality within software or would make things work better. To most people today "Hacker" means "Criminal Cracker"; it is synonymous with Cracker, or someone who gets access to a system without the owner's authorization.
As seen in news reports in 2011 and later, hackers associated with the "Anonymous" movement have attacked finance and/or credit card companies and stolen enough information to make contributions to worthy charities on behalf of organizations they see as contrary to the public good. These sorts of attackers/hackers could be considered suicide hackers. Some did get caught and prosecuted while carrying out their cause. Nobody can know if they knew their activities would land them in court and/or prison, but they had to have known of the risk and proceeded anyway.
The following answers are incorrect:
Black Hat hackers are also known as crackers and are merely hackers who "violate computer security for little reason beyond maliciousness or for personal gain". Black Hat Hackers are "the epitome of all that the public fears in a computer criminal". Black Hat Hackers break into secure networks to destroy data or make the network unusable for those who are authorized to use the network.
White Hat Hackers are law-abiding, reputable experts defending assets and not breaking laws. A white hat hacker breaks security for non-malicious reasons, for instance testing their own security system. The term "white hat" in Internet slang refers to an ethical hacker. This classification also includes individuals who perform penetration tests and vulnerability assessments within a contractual agreement. Often, this type of 'white hat' hacker is called an ethical hacker. The International Council of Electronic Commerce Consultants, also known as the EC-Council, has developed certifications, courseware, classes, and online training covering the diverse arena of Ethical Hacking.
Note about White Hat: As reported by Adin Kerimov, a white hat would not be worried about going to jail, as he is doing a test with authorization and has a signed agreement. While this is a true point, the BEST choice for the purpose of the exam is Suicide Hackers; a white hat hacker would not disregard the law and authority.
Gray Hat Hackers work both offensively and defensively and can cross the border between legal/ethical behavior and illegal/unethical behavior. A grey hat hacker is a combination of a Black Hat and a White Hat Hacker. A Grey Hat Hacker may surf the internet and hack into a computer system for the sole purpose of notifying the administrator that their system has been hacked, for example. Then they may offer to repair the system for a small fee.
OTHER TYPES OF HACKERS
Elite hacker: Elite hacker is a social status among hackers; elite is used to describe the most skilled. Newly discovered exploits circulate among these hackers. Elite groups such as Masters of Deception conferred a kind of credibility on their members.
Script kiddie: A script kiddie (or skiddie) is a non-expert who breaks into computer systems by using pre-packaged automated tools written by others, usually with little understanding of the underlying concept, hence the term script (i.e. a prearranged plan or set of activities) kiddie (i.e. kid, child, an individual lacking knowledge and experience, immature). Often they do not even understand how they are taking advantage of the system; they do not understand the weakness being exploited, all they know is how to use a tool that someone else has built.
Neophyte: A neophyte, "n00b", or "newbie" is someone who is new to hacking or phreaking and has almost no knowledge or experience of the workings of technology and hacking.
Hacktivist: A hacktivist is a hacker who utilizes technology to announce a social, ideological, religious, or political message. In general, most hacktivism involves website defacement or denial-of-service attacks.
The following reference(s) were/was used to create this question:
2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 1, Page 15.
and
https://en.wikipedia.org/wiki/Hacker_%28computer_security%29

 

NEW QUESTION 191
What is the responsibility of the contingency planner regarding LAN backup and recovery if the LAN is part of a building server environment?

  • A. Classifying the recovery time frame of the business unit LAN
  • B. Recovering client/server systems owned and supported by internal staff
  • C. Getting a copy of the recovery procedures from the building server administrator
  • D. Identifying essential business functions

Answer: C

Explanation:
When any part of the LAN is not hosted internally and is part of a building server environment, it is the responsibility of the contingency planner to identify the building server administrator, communicate to him the recovery time frame required for your business applications, obtain a copy of the recovery procedures, and participate in the validation of the building server's testing. If all or part of the business is not in the building server environment, then the other three choices are also the responsibility of the contingency planner. Source: Contingency Planning and Management, Contingency Planning 101, by Kelley Goggins, March 1999.

 

NEW QUESTION 192
When network management is outsourced to third parties, which of the following is the MOST effective method of protecting critical data assets?

  • A. Provide links to security policies
  • B. Log all activities associated with sensitive systems
  • C. Confirm that confidentiality agreements are signed
  • D. Employ strong access controls

Answer: D

Explanation:
Section: Asset Security

 

NEW QUESTION 193
Which security model uses an access control triple and also requires separation of duty?

  • A. DAC
  • B. Clark-Wilson
  • C. Bell-LaPadula
  • D. Lattice

Answer: B

Explanation:
The Clark-Wilson scheme includes as a requirement the maintenance of separation of duty as expressed in the access control triples. Separation of duty is necessarily determined by conditions external to the computer system. Enforcement is on a per-user basis, using the user ID from the access control triple.
The following answers are incorrect:
DAC
Bell-LaPadula
Lattice

 

NEW QUESTION 194
In a hierarchical PKI the highest CA is usually called the Root CA; it is also referred to by which one of the following terms?

  • A. Big CA
  • B. Top Level CA
  • C. Master CA
  • D. Subordinate CA

Answer: B

Explanation:
Reference: Arsenault, Turner, Internet X.509 Public Key Infrastructure: Roadmap, Chapter "Terminology".
Also note that other terms such as Certification Authority Anchor (CAA) are sometimes used within some government organizations. Top Level CA is another common term for the root CA, and Top Level Anchor could also be used.

 

NEW QUESTION 195
If your property insurance has a Replacement Cost Valuation (RCV) clause, your damaged property will be compensated:

  • A. Based on new, comparable, or identical item for old regardless of condition of lost item
  • B. Based on the value of item on the date of loss
  • C. Based on value of item one month before the loss
  • D. Based on the value listed on the Ebay auction web site

Answer: A

Explanation:
RCV is the maximum amount your insurance company will pay you for damage to covered property before deducting for depreciation. The RCV payment is based on the current cost to replace your property with new, identical or comparable property.
The other choices were detractors:
Application and definition of the insurance terms Replacement Cost Value (RCV), Actual Cash Value (ACV) and depreciation can be confusing. It's important that you understand the terms to help settle your claim fairly.
An easy way to understand RCV and ACV is to think in terms of "new" and "used."
Replacement cost is the item's current price, new: "What will it cost when I replace it?"
Actual cash is the item's used price, old: "How much money is it worth since I used it for five years?"
Hold Back
Most policies only pay the Actual Cash Value upfront, and then they pay you the "held back" depreciation after you incur the expense to repair or replace your personal property items.
NOTE: You must remember to send documentation to the insurance company proving you've incurred the additional expense before you will be reimbursed.
Actual Cash Value (ACV)
ACV is the amount your insurance company will pay you for damage to covered property after deducting for depreciation. ACV is the replacement cost of a new item, minus depreciation. Stated as a simple equation: ACV = RCV - Depreciation
Unfortunately, ACV is not always as easy to agree upon as a simple math equation. The ACV can also be calculated as the price a willing buyer would pay for your used item.
Depreciation
Depreciation (sometimes called "hold back") is defined as the "loss in value from all causes, including age, and wear and tear." Although the definition seems to be clear, in our experience "value" as a real-world application is clearly subjective and varies widely. We have seen the same adjuster apply NO depreciation (100 percent value) on one claim and 40 percent depreciation (almost half value) on an almost identical claim.
This shows that the process of applying depreciation is subjective and clearly negotiable.
Excessive Depreciation
When the insurance company depreciates more than it should, it is called "excessive depreciation." Although not ethical, it is very common. Note any items that have excessive depreciation and write a letter to your insurance company.
References:
http://carehelp.org/downloads/category/1-insurance-handouts.html?download=17%3Ahandout08-rcv-and-acv
and
http://www.schirickinsurance.com/resources/value2005.pdf
and
TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th Edition, Volume 1, Property Insurance overview, Page 587.

 

NEW QUESTION 196
An organization's information security strategic plan MUST be reviewed

  • A. every three years, when the organization's strategic plan is updated.
  • B. whenever there are major changes to the business.
  • C. quarterly, when the organization's strategic plan is updated.
  • D. whenever there are significant changes to a major application.

Answer: B

 

NEW QUESTION 197
The property of a system or a system resource being accessible and usable upon demand by an authorized system entity, according to performance specifications for the system is referred to as?

  • A. Reliability
  • B. Availability
  • C. Confidentiality
  • D. Integrity

Answer: B

Explanation:
Availability ensures reliability and timely access to data and resources to authorized individuals. Network devices, computers, and applications should provide adequate functionality to perform in a predictable manner with an acceptable level of performance. They should be able to recover from disruptions in a secure and quick fashion so productivity is not negatively affected. Necessary protection mechanisms must be in place to protect against inside and outside threats that could affect the availability and productivity of all business-processing components.
Incorrect Answers:
A: Reliability could be used to describe the ability of a system to serve data. However, data being accessible when required is described as availability, not reliability.
C: Confidentiality ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure. This is not what is described in the question.
D: Integrity ensures that data is unaltered. This is not what is described in the question.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 23

 

NEW QUESTION 198
To understand the 'whys' in crime, many times it is necessary to understand MOM. Which of the following is not a component of MOM?

  • A. Means
  • B. Motivation
  • C. Methods
  • D. Opportunities

Answer: C

Explanation:
To understand the whys in crime, many times it is necessary to understand the Motivations, Opportunities, and Means (MOM). Motivations are the who and why of a crime. Opportunities are the where and when of a crime, and Means pertains to the capabilities a criminal would need to be successful. Methods is not a component of MOM.

 

NEW QUESTION 199
According to the Orange Book, which security level is the first to require a system to protect against covert timing channels?

  • A. B3
  • B. B1
  • C. A1
  • D. B2

Answer: A

Explanation:
B1 does not address covert channels. B2 requires a system to protect against covert storage channels but does not address covert timing channels. B3 and A1 both address covert storage channels and covert timing channels and must perform a covert channel analysis for both types.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 6: Operations Security (page 220).
Also: U.S. Department of Defense, Trusted Computer System Evaluation Criteria (Orange Book), DOD 5200.28-STD, December 1985.

 

NEW QUESTION 200
Like the Kerberos protocol, SESAME is also subject to which of the following?

  • A. symmetric key guessing
  • B. timeslot replay
  • C. password guessing
  • D. asymmetric key guessing

Answer: C

Explanation:
SESAME is an authentication and access control protocol that also supports communication confidentiality and integrity. It provides public key based authentication along with Kerberos-style authentication, which uses symmetric key cryptography. SESAME supports the Kerberos protocol and adds some security extensions such as public key based authentication and an ECMA-style Privilege Attribute Service.
Users under SESAME can authenticate using either symmetric encryption as in Kerberos or public key authentication. When using symmetric key authentication as in Kerberos, SESAME is also vulnerable to password guessing, just like Kerberos would be. The symmetric key being used is derived from the password the user entered when logging on to the system. If the user has a simple password it could be guessed or compromised. Even though Kerberos or SESAME may be used, there is still a need for strong password discipline.
The basic mechanism in SESAME for strong authentication is as follows:
The user sends a request for authentication to the Authentication Server as in Kerberos, except that SESAME makes use of public key cryptography for authentication: the client presents his digital certificate and the request is signed using a digital signature. The signature is communicated to the authentication server through the preauthentication fields. Upon receipt of this request, the authentication server verifies the certificate, then validates the signature, and if all is fine the AS issues a ticket granting ticket (TGT) as in Kerberos. This TGT is then used to communicate with the privilege attribute server (PAS) when access to a resource is needed.
Users may authenticate using either a public key pair or a conventional (symmetric) key. If public key cryptography is used, public key data is transported in preauthentication data fields to help establish identity. Kerberos uses tickets for authenticating subjects to objects, and SESAME uses Privileged Attribute Certificates (PAC), which contain the subject's identity, access capabilities for the object, access time period, and lifetime of the PAC. The PAC is digitally signed so that the object can validate that it came from the trusted authentication server, which is referred to as the privilege attribute server (PAS). The PAS holds a similar role to the KDC within Kerberos. After a user successfully authenticates to the authentication service (AS), he is presented with a token to give to the PAS. The PAS then creates a PAC for the user to present to the resource he is trying to access.
Reference(s) used for this question:
http://srg.cs.uiuc.edu/Security/nephilim/Internal/SESAME.txt
and
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 43.

 

NEW QUESTION 201
Which of the following is NOT a good password deployment guideline?

  • A. Passwords must not be the same as user id or login id.
  • B. Passwords must be changed at least once every 60 days, depending on your environment.
  • C. Password aging must be enforced on all systems.
  • D. Password must be easy to memorize.

Answer: D

Explanation:
Passwords must be changed at least once every 60 days (depending on your environment). Password aging or expiration must be enforced on all systems. Upon password expiration, if the password is not changed, only three grace logins must be allowed, then the account must be disabled until reset by an administrator or the help desk. Password reuse (rotating passwords) is not allowed.

 

NEW QUESTION 202
The Diffie-Hellman algorithm is used for:

  • A. Key agreement
  • B. Encryption
  • C. Digital signature
  • D. Non-repudiation

Answer: A

Explanation:
The Diffie-Hellman algorithm is the first asymmetric key agreement algorithm, which was developed by Whitfield Diffie and Martin Hellman.
Incorrect Answers:
B, C: The Diffie-Hellman algorithm does not offer encryption or digital signature functionality.
D: Non-repudiation requires digital signature functionality, which the Diffie-Hellman algorithm does not offer.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, pp. 812, 813, 830

 

NEW QUESTION 203
Which of the following would best describe the difference between white-box testing and black-box testing?

  • A. Black-box testing involves the business units
  • B. Black-box testing uses the bottom-up approach.
  • C. White-box testing examines the program internal logical structure.
  • D. White-box testing is performed by an independent programmer team.

Answer: C

Explanation:
Black-box testing observes the system's external behavior, while white-box testing is a detailed examination of a logical path, checking the possible conditions.
Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 299).

 

NEW QUESTION 204
In configuration management, what baseline configuration information MUST be maintained for each computer system?

  • A. Last vulnerability assessment report and initial risk assessment report
  • B. Date of last update, test report, and accreditation certificate
  • C. Operating system and version, patch level, applications running, and versions.
  • D. List of system changes, test reports, and change approvals

Answer: C

Explanation:
Section: Software Development Security

 

NEW QUESTION 205
What is the foundation of cryptographic functions?

  • A. Encryption
  • B. Cipher
  • C. Entropy
  • D. Hash

Answer: B

Explanation:
Section: Security Architecture and Engineering

 

NEW QUESTION 206
Which of the following is the correct set of assurance requirements for EAL 5?

  • A. Semiformally tested and checked
  • B. Semiformally designed and tested
  • C. Semiformally verified design and tested
  • D. Semiformally verified tested and checked

Answer: B

Explanation:
Under the Common Criteria model, an evaluation is carried out on a product and is assigned an Evaluation Assurance Level (EAL). The thoroughness and stringency of testing increase in detail-oriented tasks as the assurance levels increase. The Common Criteria has seven assurance levels. The range is from EAL1, where functionality testing takes place, to EAL7, where thorough testing is performed and the system design is verified. The Orange Book and the Rainbow Series provide evaluation schemes that are too rigid and narrowly defined for the business world. ITSEC attempted to provide a more flexible approach by separating the functionality and assurance attributes and considering the evaluation of entire systems. However, this flexibility added complexity because evaluators could mix and match functionality and assurance ratings, which resulted in too many classifications to keep straight. Because we are a species that continues to try to get it right, the next attempt at effective and usable evaluation criteria was the Common Criteria. In 1990, the International Organization for Standardization (ISO) identified the need for international standard evaluation criteria to be used globally. The Common Criteria project started in 1993 when several organizations came together to combine and align existing and emerging evaluation criteria (TCSEC, ITSEC, Canadian Trusted Computer Product Evaluation Criteria [CTCPEC], and the Federal Criteria). The Common Criteria was developed through a collaboration among national security standards organizations within the United States, Canada, France, Germany, the United Kingdom, and the Netherlands. The benefit of having a globally recognized and accepted set of criteria is that it helps consumers by reducing the complexity of the ratings and eliminating the need to understand the definition and meaning of different ratings within various evaluation schemes.
This also helps vendors, because now they can build to one specific set of requirements if they want to sell their products internationally, instead of having to meet several different ratings with varying rules and requirements.
The full list of assurance requirements for the Evaluation Assurance Levels is provided below:
EAL 1: The product is functionally tested; this is sought when some assurance in accurate operation is necessary, but the threats to security are not seen as serious.
EAL 2: Structurally tested; this is sought when developers or users need a low to moderate level of independently guaranteed security.
EAL 3: Methodically tested and checked; this is sought when there is a need for a moderate level of independently ensured security.
EAL 4: Methodically designed, tested, and reviewed; this is sought when developers or users require a moderate to high level of independently ensured security.
EAL 5: Semiformally designed and tested; this is sought when the requirement is for a high level of independently ensured security.
EAL 6: Semiformally verified, designed, and tested; this is sought when developing specialized TOEs for high-risk situations.
EAL 7: Formally verified, designed, and tested; this is sought when developing a security TOE for application in extremely high-risk situations.
EALs are frequently misunderstood to provide a simple means to compare security products with similar levels. In fact, products may be very different even if they are assigned the same EAL level, since functionality may have little in common.
Reference(s) used for this question:
(ISC)2 (2010-04-20). Official (ISC)2 Guide to the CISSP CBK, Second Edition ((ISC)2 Press) (Kindle Locations 15157-15169). Taylor & Francis. Kindle Edition.
and
Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 8730-8742). McGraw-Hill. Kindle Edition.

 

NEW QUESTION 207
A reference monitor is a system component that enforces access controls on an object. Specifically, the reference monitor concept is an abstract machine that mediates all access of subjects to objects. The hardware, firmware, and software elements of a trusted computing base that implement the reference monitor concept are called:

  • A. Identification and authentication (I & A) mechanisms
  • B. The authorization database
  • C. The auditing subsystem
  • D. The security kernel

Answer: D

Explanation:
The security kernel implements the reference monitor concept. The reference monitor must have the following characteristics:
It must mediate all accesses.
It must be protected from modification.
It must be verifiable as correct.
Answer "the authorization database" is used by the reference monitor to mediate accesses by subjects to objects. When a request for access is received, the reference monitor refers to entries in the authorization database to verify that the operation requested by a subject for application to an object is permitted. The authorization database has entries or authorizations of the form subject, object, access mode.
In answer "Identification and authentication (I & A) mechanisms", the I & A operation is separate from the reference monitor. The user enters his/her identification to the I & A function. Then the user must be authenticated. Authentication is verification that the user's claimed identity is valid. Authentication is based on the following three factor types:
Type 1. Something you know, such as a PIN or password
Type 2. Something you have, such as an ATM card or smart card
Type 3. Something you are (physically), such as a fingerprint or retina scan
Answer "The auditing subsystem" is a key complement to the reference monitor. The auditing subsystem is used by the reference monitor to keep track of the reference monitor's activities. Examples of such activities include the date and time of an access request, identification of the subject and objects involved, the access privileges requested and the result of the request.

 

NEW QUESTION 208
In a change-controlled environment, which of the following is MOST likely to lead to unauthorized changes to production programs?

  • A. Promoting programs to production without approval
  • B. Modifying source code without approval
  • C. Developers using Rapid Application Development (RAD) methodologies without approval
  • D. Developers checking out source code without approval

Answer: B

 

NEW QUESTION 209
Which type of fire extinguishing method contains standing water in the pipe, and therefore generally does not enable a manual shutdown of systems before discharge?

  • A. Deluge
  • B. Preaction
  • C. Wet pipe
  • D. Dry Pipe

Answer: C

Explanation:
The other three are variations on a dry pipe discharge method, with the water not standing in the pipe until a fire is detected.

 

NEW QUESTION 210
Which of the following trust services principles refers to the accessibility of information used by the systems, products, or services offered to a third-party provider's customers?

  • A. Privacy
  • B. Security
  • C. Availability
  • D. Access

Answer: D

 

NEW QUESTION 211
For an organization considering two-factor authentication for secure network access, which of the following is MOST secure?

  • A. Digital certificates and Single Sign-On (SSO)
  • B. Challenge response and private key
  • C. Tokens and passphrase
  • D. Smart card and biometrics

Answer: D

 

NEW QUESTION 212
What is the name of a one-way transformation of a string of characters into a usually shorter fixed-length value or key that represents the original string, such that the transformation cannot be reversed?

  • A. DES
  • B. Substitution
  • C. Transposition
  • D. One-way hash

Answer: D

Explanation:
A cryptographic hash function is a transformation that takes an input (or 'message') and returns a fixed-size string, which is called the hash value (sometimes termed a message digest, a digital fingerprint, a digest or a checksum).
The ideal hash function has three main properties: it is extremely easy to calculate a hash for any given data, it is extremely difficult or almost impossible in a practical sense to calculate a text that has a given hash, and it is extremely unlikely that two different messages, however close, will have the same hash.
Functions with these properties are used as hash functions for a variety of purposes, both within and outside cryptography. Practical applications include message integrity checks, digital signatures, authentication, and various information security applications. A hash can also act as a concise representation of the message or document from which it was computed, and allows easy indexing of duplicate or unique data files.
In various standards and applications, the two most commonly used hash functions are MD5 and SHA-1. In 2005, security flaws were identified in both of these, namely that a possible mathematical weakness might exist, indicating that a stronger hash function would be desirable. In 2007 the National Institute of Standards and Technology announced a contest to design a hash function which will be given the name SHA-3 and be the subject of a FIPS standard.
A hash function takes a string of any length as input and produces a fixed-length string which acts as a kind of "signature" for the data provided. In this way, a person knowing only the hash is unable to work out the original message, but someone knowing the original message can prove the hash was created from that message, and none other. A cryptographic hash function should behave as much as possible like a random function while still being deterministic and efficiently computable.
A cryptographic hash function is considered "insecure" from a cryptographic point of view if either of the following is computationally feasible:
  • finding a (previously unseen) message that matches a given digest
  • finding "collisions", wherein two different messages have the same message digest
An attacker who can do either of these things might, for example, use them to substitute an authorized message with an unauthorized one.
Ideally, it should not even be feasible to find two messages whose digests are substantially similar; nor would one want an attacker to be able to learn anything useful about a message given only its digest. Of course the attacker learns at least one piece of information, the digest itself, which for instance gives the attacker the ability to recognise the same message should it occur again.
REFERENCES:
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Pages 40-41.
also see:
http://en.wikipedia.org/wiki/Cryptographic_hash_function

 

NEW QUESTION 213
......


Salary you can get after getting ISC CISSP Certification:

The average salary of an ISC CISSP in different countries, defined in ISC CISSP Dumps, is as follows:

  • United States - 122,000 USD
  • Australia - 91,200 USD
  • Germany - €95,000 USD
  • Canada - 98,000 USD

 

Master 2022 Latest The Questions ISC Certification and Pass CISSP Real Exam!: https://www.examcollectionpass.com/ISC/CISSP-practice-exam-dumps.html

Practice To CISSP - ExamcollectionPass Remarkable Practice On your Certified Information Systems Security Professional Exam: https://drive.google.com/open?id=1eJ5ICUCsxv2_NMbrPi4evJG5ze1uZhnw