ISC CISSP Exam Questions (Updated 2021) 100% Real Question Answers
Pass ISC CISSP Exam Quickly With ExamcollectionPass
Understanding the technical and functional aspects of the CISSP exam: Certified Information Systems Security Professional
The following topics are covered in the ISC CISSP dumps:
- Classify Information and Supporting Assets
- Determine and Maintain Ownership
- Determine Data Security Controls
- Establish Handling Requirements
- Ensure Appropriate Retention
- Protect Privacy
NEW QUESTION 464
Which of the following is NOT true concerning Application Control?
- A. It is non-transparent to the endpoint applications so changes are needed to the applications and databases involved
- B. Only specific records can be requested through the application controls
- C. Particular usage of the application can be recorded for audit purposes
- D. It limits end users' use of applications in such a way that only particular screens are visible.
Answer: A
Explanation:
Source: TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 2, Auerbach.
NEW QUESTION 465
The process of mutual authentication involves a computer system authenticating a user and authenticating the
- A. computer system to the user.
- B. user's access to all authorized objects.
- C. user to the audit process.
- D. computer system to the audit process.
Answer: A
NEW QUESTION 466
The privacy provisions of the federal law, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), apply to certain types of health information created or maintained by health care providers
- A. who do not engage in certain electronic transactions, health plans, and health care clearinghouses
- B. regardless of whether they engage in certain electronic transactions, health plans, and health care clearinghouses
- C. who engage in certain electronic transactions, health plans, and health care clearinghouses
- D. if they engage for a majority of days in a year in certain electronic transactions, health plans, and health care clearinghouses.
Answer: C
NEW QUESTION 467
Ensuring that printed reports reach proper users and that receipts are signed before releasing sensitive documents are examples of:
- A. Deterrent controls
- B. Output controls
- C. Asset controls
- D. Information flow controls
Answer: B
Explanation:
Output controls are used for two things: for verifying the integrity and protecting the confidentiality of an output. These are examples of proper output controls. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 6: Operations Security (page 218).
NEW QUESTION 468
A group of processes that share access to the same resources is called:
- A. A protection domain
- B. An access control triple
- C. A Trusted Computing Base (TCB)
- D. An access control list
Answer: A
Explanation:
For answer "An access control list", an access control list (ACL) is a list denoting which users have what privileges to a particular resource. For example, an ACL for the object FILE X lists the subjects or users that have access to that object and what privileges each has with respect to that file. For answer "An access control triple", an access control triple consists of the user, program, and file with the corresponding access privileges noted for each user.
The TCB, of answer "A Trusted Computing Base (TCB)", is defined as the total combination of protection mechanisms within a computer system. These mechanisms include the firmware, hardware, and software that enforce the system security policy.
NEW QUESTION 469
Which of the following protocols that provide integrity and authentication for IPSec can also provide non-repudiation in IPSec?
- A. Authentication Header (AH)
- B. Secure Shell (SSH-2)
- C. Secure Sockets Layer (SSL)
- D. Encapsulating Security Payload (ESP)
Answer: A
Explanation:
As per the RFC in reference, the Authentication Header (AH) protocol is a mechanism for providing strong integrity and authentication for IP datagrams. It might also provide non-repudiation, depending on which cryptographic algorithm is used and how keying is performed. For example, use of an asymmetric digital signature algorithm, such as RSA, could provide non-repudiation.
from a cryptography point of view, so we will cover it from a VPN point of view here. IPSec is a suite of protocols that was developed to specifically protect IP traffic. IPv4 does not have any integrated security, so IPSec was developed to bolt onto IP and secure the data the protocol transmits. Where PPTP and L2TP work at the data link layer, IPSec works at the network layer of the OSI model. The main protocols that make up the IPSec suite and their basic functionality are as follows: A. Authentication Header (AH) provides data integrity, data origin authentication, and protection from replay attacks. B. Encapsulating Security Payload (ESP) provides confidentiality, data-origin authentication, and data integrity. C. Internet Security Association and Key Management Protocol (ISAKMP) provides a framework for security association creation and key exchange. D. Internet Key Exchange (IKE) provides authenticated keying material for use with ISAKMP.
The following are incorrect answers:
ESP is a mechanism for providing integrity and confidentiality to IP datagrams. It may also provide authentication, depending on which algorithm and algorithm mode are used. Non-repudiation and protection from traffic analysis are not provided by ESP (RFC 1827).
SSL is a secure protocol used for transmitting private information over the Internet. It works by using a public key to encrypt data that is transferred over the SSL connection. OIG 2007, page 976
SSH-2 is a secure, efficient, and portable version of SSH (Secure Shell) which is a secure replacement for telnet.
Reference(s) used for this question:
Shon Harris, CISSP All In One, 6th Edition , Page 705
and
RFC 1826, http://tools.ietf.org/html/rfc1826, paragraph 1.
NEW QUESTION 470
When referring to the Cloud Computing Service models, what would you call a service model where the consumer does not manage or control the underlying cloud infrastructure, including networks, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment?
- A. Infrastructure as a Service (IaaS)
- B. Platform as a Service (PaaS)
- C. Code as a Service (CaaS)
- D. Software as a Service (SaaS)
Answer: B
Explanation:
The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including networks, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.
Platform-as-a-Service (PaaS) is a model of service delivery whereby the computing platform is provided as an on-demand service upon which applications can be developed and deployed. Its main purpose is to reduce the cost and complexity of buying, housing, and managing the underlying hardware and software components of the platform, including any needed program and database development tools. The development environment is typically special purpose, determined by the cloud provider and tailored to the design and architecture of its platform. The cloud consumer has control over applications and application environment settings of the platform. Security provisions are split between the cloud provider and the cloud consumer.
The following answers are incorrect:
Software-as-a-Service.
Software-as-a-Service (SaaS) is a model of service delivery whereby one or more applications and the computational resources to run them are provided for use on demand as a turnkey service. Its main purpose is to reduce the total cost of hardware and software development, maintenance, and operations. Security provisions are carried out mainly by the cloud provider. The cloud consumer does not manage or control the underlying cloud infrastructure or individual applications, except for preference selections and limited administrative application settings.
Infrastructure-as-a-Service.
Infrastructure-as-a-Service (IaaS) is a model of service delivery whereby the basic computing infrastructure of servers, software, and network equipment is provided as an on-demand service upon which a platform to develop and execute applications can be established. Its main purpose is to avoid purchasing, housing, and managing the basic hardware and software infrastructure components, and instead obtain those resources as virtualized objects controllable via a service interface. The cloud consumer generally has broad freedom to choose the operating system and development environment to be hosted. Security provisions beyond the basic infrastructure are carried out mainly by the cloud consumer.
Code as a Service (CaaS)
CaaS does not exist and is only a distracter. There is no such service model.
NOTE: WHAT IS A CLOUD INFRASTRUCTURE?
A cloud infrastructure is the collection of hardware and software that enables the five essential characteristics of cloud computing. The cloud infrastructure can be viewed as containing both a physical layer and an abstraction layer. The physical layer consists of the hardware resources that are necessary to support the cloud services being provided, and typically includes server, storage and network components. The abstraction layer consists of the software deployed across the physical layer, which manifests the essential cloud characteristics. Conceptually the abstraction layer sits above the physical layer.
The following reference(s) were/was used to create this question:
NIST Special Publication 800-144 Guidelines on Security and Privacy in Public Cloud Computing
and
NIST Special Publication 800-145 The NIST definition of Cloud Computing
NEW QUESTION 471
What is the main issue with media reuse?
- A. Purging
- B. Media destruction
- C. Degaussing
- D. Data remanence
Answer: D
Explanation:
The main issue with media reuse is data remanence, where residual information still resides on media that has been erased. Degaussing, purging and destruction are ways to handle media that contains data that is no longer needed or used.
Source: WALLHOFF, John, CBK#10 Physical Security (CISSP Study Guide), April 2002 (page 5).
NEW QUESTION 472
A confidential number used as an authentication factor to verify a user's identity is called a:
- A. Challenge
- B. PIN
- C. Password
- D. User ID
Answer: B
Explanation:
Personal Identification Number (PIN) is a numeric password shared between a user and a system, which can be used to authenticate the user to the system.
Incorrect Answers:
D: User ID is used for identification, not authentication.
C: A password is a word or string of characters used for user authentication.
A: Challenge-response authentication involves one party presenting a question ("challenge") and another party providing a valid answer ("response") to be authenticated. The challenge is not specifically a number sequence.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, p. 162
https://en.wikipedia.org/wiki/Personal_identification_number
https://en.wikipedia.org/wiki/Password
https://en.wikipedia.org/wiki/Challenge-response_authentication#Cryptographic_techniques
NEW QUESTION 473
The PRIMARY outcome of a certification process is that it provides documented
- A. interconnected systems and their implemented security controls.
- B. system weakness for remediation.
- C. standards for security assessment, testing, and process evaluation.
- D. security analyses needed to make a risk-based decision.
Answer: D
Explanation:
Section: Software Development Security
NEW QUESTION 474
What does the prudent man rule require?
- A. Senior officials to perform their duties with the care that ordinary, prudent people would exercise under similar circumstances
- B. Senior officials to guarantee that all precautions have been taken and that no breaches of security can occur
- C. Senior officials to follow specified government standards
- D. Senior officials to post performance bonds for their actions
Answer: A
Explanation:
* Answer "Senior officials to post performance bonds for their actions" is a distracter and is not part of the prudent man rule.
* Answer "Senior officials to guarantee that all precautions have been taken and that no breaches of security can occur" is incorrect because it is not possible to guarantee that breaches of security can never occur.
* Answer "Senior officials to follow specified government standards" is incorrect because the prudent man rule does not refer to a specific government standard but relates to what other prudent persons would do.
NEW QUESTION 475
What is the MOST important reason to configure unique user IDs?
- A. Supporting Single Sign On (SSO)
- B. Preventing password compromise
- C. Reducing authentication errors
- D. Supporting accountability
Answer: D
NEW QUESTION 476
When should an application invoke re-authentication in addition to initial user authentication?
- A. At the application sign-off
- B. For each business process
- C. After a period of inactivity
- D. Periodically during a session
Answer: C
NEW QUESTION 477
Which of the following cannot be undertaken in conjunction with, or while, computer incident handling is ongoing?
- A. System Imaging
- B. System development activity
- C. Help-desk function
- D. Risk management process
Answer: B
Explanation:
The computer system should not be changed, while the incident handling is ongoing. System development should not occur during incident handling.
Incorrect Answers:
C: As part of ongoing incident handling, employees, vendors, customers, partners, devices or sensors report the event to the Help Desk.
A: System imaging would not affect the ongoing incident handling and should take place.
D: The Risk management process would not affect the ongoing incident handling.
References:
https://en.wikipedia.org/wiki/Computer_security_incident_management
NEW QUESTION 478
Why are packet filtering routers NOT effective against mail bomb attacks?
- A. The bomb code is hidden in the header and appears as normal routing information.
- B. Mail bombs are polymorphic and present no consistent signature to filter on.
- C. The bomb code is obscured by the message encoding algorithm.
- D. Filters do not examine the data portion of a packet.
Answer: D
NEW QUESTION 479
Which of the following would be the best reason for separating the test and development environments?
- A. To control the stability of the test environment.
- B. To segregate user and development staff.
- C. To secure access to systems under development.
- D. To restrict access to systems under test.
Answer: A
Explanation:
This is the right answer. With a separation of the two environments (test and development), we get a more stable and more "in control" environment. Since we run tests in the development environment, we don't want our production processes there, and we don't want to experiment on our production processes. With a separation of the environments we get a more risk-free production environment and more control and flexibility over the test environment for the developers.
NEW QUESTION 480
A form of digital signature where the signer is not privy to the content of the message is called a:
- A. Encrypted signature
- B. Zero knowledge proof
- C. Masked signature
- D. Blind signature
Answer: D
Explanation:
A blind signature algorithm for the message M uses a blinding factor, f; a modulus m; the private key, s, of the signer and the public key, q, of the signer. The sender, who generates f and knows q, presents the message to the signer in the form M·f^q (mod m). Thus, the message is not in a form readable by the signer since the signer does not know f. The signer signs M·f^q (mod m) with his/her private key, returning (M·f^q)^s (mod m). This factor can be reduced to f·M^s (mod m) since s and q are inverses of each other. The sender then divides f·M^s (mod m) by the blinding factor, f, to obtain M^s (mod m). M^s (mod m) is, therefore, the message, M, signed with the private key, s, of the signer.
Answer "Zero knowledge proof": in general, a zero knowledge proof involves a person, A, trying to prove that he/she knows something, S, to another person, B, without revealing S or anything about S. Answers "Masked signature" and "Encrypted signature" are distracters.
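The exchange described in the explanation above, carried through in code as an added example (this is not from the exam guide or the page). It keeps the page's symbols: m is the modulus, q the signer's public exponent, s the private exponent, f the sender's blinding factor and M the message as an integer. The key (m = 61 × 53) is a constructed toy key chosen so the arithmetic is easy to follow; it offers no security. The example also shows the one requirement the prose leaves implicit: f must be coprime to m, otherwise the sender cannot divide it back out.

```python
import math

# Blind signature walkthrough in the page's notation:
#   m = modulus, q = signer's public exponent, s = signer's private exponent,
#   f = blinding factor chosen by the sender, M = the message as an integer.
# Constructed toy key (m = 61 * 53); real RSA moduli are 2048 bits or more.
M_MODULUS = 3233   # m
Q_PUBLIC = 17      # q
S_PRIVATE = 2753   # s, chosen so that q * s = 1 (mod phi(m)), phi(m) = 60 * 52 = 3120


def blind(M, f, q=Q_PUBLIC, m=M_MODULUS):
    """Sender: hide M behind f, producing M * f^q (mod m) for the signer."""
    if not 0 < M < m:
        raise ValueError("message must be an integer in (0, m)")
    if math.gcd(f, m) != 1:
        # f has to be invertible mod m, or the sender can never remove it again
        raise ValueError("blinding factor must be coprime to the modulus")
    return (M * pow(f, q, m)) % m


def sign(blinded, s=S_PRIVATE, m=M_MODULUS):
    """Signer: raise whatever it receives to the private exponent.
    It sees only M * f^q (mod m) and learns nothing about M."""
    return pow(blinded, s, m)


def unblind(blinded_sig, f, m=M_MODULUS):
    """Sender: (M * f^q)^s = M^s * f^(q*s) = M^s * f (mod m); divide f back out."""
    return (blinded_sig * pow(f, -1, m)) % m


def verify(M, sig, q=Q_PUBLIC, m=M_MODULUS):
    """Anyone holding the public key: a valid signature satisfies sig^q = M (mod m)."""
    return pow(sig, q, m) == M % m


def blind_signature_protocol(M, f):
    """Run the full exchange and return the intermediate values for inspection."""
    blinded = blind(M, f)
    blinded_sig = sign(blinded)
    sig = unblind(blinded_sig, f)
    return {
        "seen_by_signer": blinded,                          # never equals M
        "signature": sig,                                   # M^s (mod m)
        "direct_signature": pow(M, S_PRIVATE, M_MODULUS),   # what signing M openly would give
        "valid": verify(M, sig),
    }


if __name__ == "__main__":
    for key, value in blind_signature_protocol(M=1234, f=7).items():
        print(f"{key}: {value}")
```

The "signature" and "direct_signature" entries come out identical, which is the whole point of the scheme: the signer produced a valid signature on M without ever seeing M.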
NEW QUESTION 481
Which of the following enables the person responsible for contingency planning to focus risk management efforts and resources in a prioritized manner only on the identified risks?
- A. Business units
- B. Residual risks
- C. Security controls
- D. Risk assessment
Answer: D
Explanation:
The risk assessment is critical because it enables the person responsible for contingency planning to focus risk management efforts and resources in a prioritized manner only on the identified risks. The risk management process includes the risk assessment and determination of suitable technical, management, and operational security controls based on the level of threat the risk imposes. Business units should be included in this process. Source: SWANSON, Marianne, & al., National Institute of Standards and Technology (NIST), NIST Special Publication 800-34, Contingency Planning Guide for Information Technology Systems, December 2001 (page 7).
NEW QUESTION 482
Which of the following would an internal technical security audit BEST validate?
- A. Support for security programs by executive management
- B. Whether managerial controls are in place
- C. Appropriate third-party system hardening
- D. Implementation of changes to a system
Answer: D
Explanation:
Section: Mixed questions
NEW QUESTION 483
During the risk assessment phase of the project the CISO discovered that a college within the University is collecting Protected Health Information (PHI) data via an application that was developed in-house. The college collecting this data is fully aware of the regulations for Health Insurance Portability and Accountability Act (HIPAA) and is fully compliant.
What is the best approach for the CISO?
- A. Perform a quantitative threat assessment
- B. Document the system as high risk
- C. Perform a vulnerability assessment
- D. Notate the information and move on
Answer: C
NEW QUESTION 484
Another example of Computer Incident Response Team (CIRT) activities is:
- A. Management of the network logs, including collection, retention, review, and analysis of data
- B. Management of the netware logs, including collection, retention, review, and analysis of data
- C. Management of the network logs, including collection and analysis of data
- D. Management of the network logs, including review and analysis of data
Answer: A
Explanation:
The network logs contain information which can give clues on computer incidents that have occurred. This information must be collected, saved for future use (retained), reviewed, and analyzed. These activities related to handling incidents are the responsibility of the Computer Incident Response Team.
Incorrect Answers:
B: Data in the network logs, not the netware logs, contain information related to network incidents.
C: Data must be kept and reviewed.
D: Data must be collected and kept.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 1034
NEW QUESTION 485
You are an information systems security officer at a mid-sized business and are called upon to investigate a threat conveyed in an email from one employee to another.
You gather the evidence from both the email server transaction logs and from the computers of the two individuals involved in the incident and prepare an executive summary.
You find that a threat was sent from one user to the other in a digitally signed email. The sender of the threat says he didn't send the email in question.
What concept of PKI - Public Key Infrastructure will implicate the sender?
- A. The digital signature of the recipient
- B. Authentication
- C. Integrity
- D. Non-repudiation
Answer: D
Explanation:
PKI - Public Key Infrastructure is an infrastructure of hardware, software, people, policies and procedures that makes use of the technology to provide some sort of confidentiality, integrity and authenticity as well as non-repudiation in our daily digital lives.
In the case of the email threat, the fact that the email was digitally signed by the sender proves that he is guilty of conveying the threat. Non-repudiation is the aspect of PKI that proves that nobody else could have digitally signed the email using his private key that exists only on his identity card.
In the Digital World:
Regarding digital security, the cryptological meaning and application of non-repudiation shifts to mean:
- A service that provides proof of the integrity and origin of data.
- An authentication that can be asserted to be genuine with high assurance.
Proof of data integrity is typically the easiest of these requirements to accomplish. A data hash, such as SHA2, is usually sufficient to establish that the likelihood of data being undetectably changed is extremely low. Even with this safeguard, it is still possible to tamper with data in transit, either through a man-in-the-middle attack or phishing. Due to this flaw, data integrity is best asserted when the recipient already possesses the necessary verification information.
The most common method of asserting the digital origin of data is through digital certificates, a form of public key infrastructure, to which digital signatures belong. They can also be used for encryption. The digital origin only means that the certified/signed data can be, with reasonable certainty, trusted to be from somebody who possesses the private key corresponding to the signing certificate. If the key is not properly safeguarded by the original owner, digital forgery can become a major concern.
The following answers are incorrect:
-The digital signature of the recipient: No, this isn't right. The recipient's signature won't indict the sender of the threat. The sender's digital signature will prove his involvement.
-Authentication: This is incorrect. Authentication is the process of proving one's identity.
-Integrity: Sorry, this isn't the right answer either. Integrity in PKI only verifies that messages and content aren't altered in transit.
The following reference(s) was used to create this question: http://en.wikipedia.org/wiki/Non-repudiation
NEW QUESTION 486
......
What to Explore: (ISC)2 CISSP Exam Topics
The CISSP exam evaluates the applicants’ knowledge and expertise in a wide range of areas. The skills measured in this certification test are typically combined in 8 objectives that are listed below:
- Security Architecture and Engineering (13%)
This subject encompasses the individuals’ proficiency in implementing and designing physical security as well as mitigating and assessing vulnerabilities in systems. Also, the candidates need to know how to use secure design principles to accomplish engineering processes. Within this domain, they should be knowledgeable regarding the security capabilities of information systems and fundamental concepts of security models.
- Asset Security (10%)
Answering the questions from the second topic area, the test takers need to be well versed with all the physical requirements of information security. This means that they need to show that they have knowledge of ownership and classification of information and assets, as well as data security controls. In addition, they should be able to explain privacy, handling requirements, and retention periods.
- Communications and Network Security (14%)
This objective encompasses the protection and design of the organization’s networks. This means that answering the questions in this area requires that the learners have knowledge of the processes that include securing communication channels, securing network components, and securing design principles for network infrastructure.
- Security and Risk Management (15%)
This is the first and largest domain in the (ISC)2 CISSP exam content, covering a comprehensive overview of everything one should know about information systems management. By answering the questions from this section, the students need to prove their knowledge of the confidentiality, availability, and integrity of information. They should also prove that they have a deep understanding of security governance principles, regulatory and legal issues related to information security, compliance requirements, risk-based management concepts, and IT policies and procedures.
- Security Operations (13%)
This section focuses on how plans are properly implemented. It specifically involves skills in incident management, business continuity, disaster recovery, and management of physical security. The candidates also need to demonstrate that they understand and can support investigations, as well as accomplish logging and monitoring activities. Besides that, they are required to prove that they have the ability to apply resource protection techniques and secure the provision of resources. The examinees also need to have a thorough understanding of the basic concepts of security operations and the requirements for investigation types.
- Identity and Access Management (13%)
Within this domain, the information security professionals demonstrate that they know how to control the process of user access to data. This topic generally covers authorization mechanisms and logical and physical access to assets. It also involves the skills associated with the access and identity provisioning lifecycle, identification and authentication, and Identity-as-a-Service integration.
- Software Development Security (10%)
Before answering the questions from this topic, the professionals need to understand software security and know how to apply and enforce it. In this last area, the individuals need to demonstrate that they have the ability to secure coding standards and guidelines and provide security controls in development environments. They also need to show that they can ensure the effectiveness of software security and ensure security in the lifecycle of software development.
- Security Assessment and Testing (12%)
In the framework of this subject, the focus is on the design, analysis, and performance of security testing. This includes test outputs, security control testing, and collecting security process data. Some questions from this area also require that the individuals demonstrate their expertise in the third-party and internal security audits as well as test and assessment strategies.
Real ISC CISSP Exam Questions [Updated 2021]: https://www.examcollectionpass.com/ISC/CISSP-practice-exam-dumps.html
Prepare CISSP Question Answers - CISSP Exam Dumps: https://drive.google.com/open?id=1Uj2t_figeIfteU5kYcUDnFc8zrXiIuV6