CISSP : Certified Information Systems Security Professional : Part 18
-
What is the BEST approach to addressing security issues in legacy web applications?
- Debug the security issues
- Migrate to newer, supported applications where possible
- Conduct a security assessment
- Protect the legacy application with a web application firewall
-
Which of the following is a web application control that should be put into place to prevent exploitation of Operating System (OS) bugs?
- Check arguments in function calls
- Test for the security patch level of the environment
- Include logging functions
- Digitally sign each application module
-
An Intrusion Detection System (IDS) has recently been deployed in a Demilitarized Zone (DMZ). The IDS detects a flood of malformed packets. Which of the following BEST describes what has occurred?
- Denial of Service (DoS) attack
- Address Resolution Protocol (ARP) spoof
- Buffer overflow
- Ping flood attack
-
Which of the following command line tools can be used in the reconnaissance phase of a network vulnerability assessment?
- dig
- ipconfig
- ifconfig
- nbstat
-
In configuration management, what baseline configuration information MUST be maintained for each computer system?
- Operating system and version, patch level, applications running, and versions.
- List of system changes, test reports, and change approvals
- Last vulnerability assessment report and initial risk assessment report
- Date of last update, test report, and accreditation certificate
-
Which Radio Frequency Interference (RFI) phenomenon associated with bundled cable runs can create information leakage?
- Transference
- Covert channel
- Bleeding
- Cross-talk
-
An organization’s information security strategic plan MUST be reviewed
- whenever there are significant changes to a major application.
- quarterly, when the organization’s strategic plan is updated.
- whenever there are major changes to the business.
- every three years, when the organization’s strategic plan is updated.
-
When building a data classification scheme, which of the following is the PRIMARY concern?
- Purpose
- Cost effectiveness
- Availability
- Authenticity
-
Which technology is a prerequisite for populating the cloud-based directory in a federated identity solution?
- Notification tool
- Message queuing tool
- Security token tool
- Synchronization tool
-
What is an advantage of Elliptic Curve Cryptography (ECC)?
- Cryptographic approach that does not require a fixed-length key
- Military-strength security that does not depend upon secrecy of the algorithm
- Opportunity to use shorter keys for the same level of security
- Ability to use much longer keys for greater security
-
Backup information that is critical to the organization is identified through a
- Vulnerability Assessment (VA).
- Business Continuity Plan (BCP).
- Business Impact Analysis (BIA).
- data recovery analysis.
-
When using Generic Routing Encapsulation (GRE) tunneling over Internet Protocol version 4 (IPv4), where is the GRE header inserted?
- Into the options field
- Between the delivery header and payload
- Between the source and destination addresses
- Into the destination address
-
An application developer is deciding on the amount of idle session time that the application allows before a timeout. The BEST reason for determining the session timeout requirement is
- organization policy.
- industry best practices.
- industry laws and regulations.
- management feedback.
-
Knowing the language in which an encrypted message was originally produced might help a cryptanalyst to perform a
- clear-text attack.
- known cipher attack.
- frequency analysis.
- stochastic assessment.
-
During the Security Assessment and Authorization process, what is the PRIMARY purpose for conducting a hardware and software inventory?
- Calculate the value of assets being accredited.
- Create a list to include in the Security Assessment and Authorization package.
- Identify obsolete hardware and software.
- Define the boundaries of the information system.
-
When evaluating third-party applications, which of the following is the GREATEST responsibility of Information Security?
- Accept the risk on behalf of the organization.
- Report findings to the business to determine security gaps.
- Quantify the risk to the business for product selection.
- Approve the application that best meets security requirements.
-
An employee of a retail company has been granted an extended leave of absence by Human Resources (HR). This information has been formally communicated to the access provisioning team. Which of the following is the BEST action to take?
- Revoke access temporarily.
- Block user access and delete user account after six months.
- Block access to the offices immediately.
- Monitor account usage temporarily.
-
The goal of a Business Impact Analysis (BIA) is to determine which of the following?
- Cost effectiveness of business recovery
- Cost effectiveness of installing software security patches
- Resource priorities for recovery and Maximum Tolerable Downtime (MTD)
- Which security measures should be implemented
-
An organization publishes and periodically updates its employee policies in a file on their intranet. Which of the following is a PRIMARY security concern?
- Ownership
- Confidentiality
- Availability
- Integrity
-
What does the Maximum Tolerable Downtime (MTD) determine?
- The estimated period of time a business critical database can remain down before customers are affected.
- The fixed length of time a company can endure a disaster without any Disaster Recovery (DR) planning
- The estimated period of time a business can remain interrupted beyond which it risks never recovering
- The fixed length of time in a DR process before redundant systems are engaged
Subscribe
0 Comments
Newest