CISSP : Certified Information Systems Security Professional : Part 25

  1. Which of the following is the final phase of the identity and access provisioning lifecycle?

    • Recertification
    • Revocation
    • Removal
    • Validation

    Explanation:

    Reference: https://books.google.com.pk/books?id=W2TvAgAAQBAJ&pg=PA256&lpg=PA256&dq=process+in+the+access+provisioning+lifecycle+that+will+MOST+likely+identify+access+aggregation+issues&source=bl&ots=OBJo9fbGP3&sig=ACfU3U1eAWDu3q4EoiusrOi_hvtu6WyaIg&hl=en&sa=X&ved=2ahUKEwiu-Mac0anpAhXIxIUKHQi2BFsQ6AEwAXoECBAQAQ#v=onepage&q=process%20in%20the%20access%20provisioning%20lifecycle%20that%20will%20MOST%20likely%20identify%20access%20aggregation%20issues&f=false

  2. Which of the following is mobile device remote fingerprinting?

    • Installing an application to retrieve common characteristics of the device
    • Storing information about a remote device in a cookie file
    • Identifying a device based on common characteristics shared by all devices of a certain type
    • Retrieving the serial number of the mobile device
  3. Which of the following trust services principles refers to the accessibility of information used by the systems, products, or services offered to a third-party provider’s customers?

    • Security
    • Privacy
    • Access
    • Availability
    Explanation:
    Reference: https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/trust-services-criteria.pdf
  4. Which of the following open source software issues poses the MOST risk to an application?

    • The software is beyond end of life and the vendor is out of business.
    • The software is not used or popular in the development community.
    • The software has multiple Common Vulnerabilities and Exposures (CVE) and only some are remediated.
    • The software has multiple Common Vulnerabilities and Exposures (CVE) but the CVEs are classified as low risks.
  5. Which of the following is the PRIMARY mechanism used to limit the range of objects available to a given subject within different execution domains?

    • Process isolation
    • Data hiding and abstraction
    • Use of discrete layering and Application Programming Interfaces (API)
    • Virtual Private Network (VPN)
    Explanation:
    Reference: https://books.google.com.pk/books?id=LnjxBwAAQBAJ&pg=PT504&lpg=PT504&dq=CISSP+mechanism+used+to+limit+the+range+of+objects+available+to+a+given+subject+within+different+execution+domains&source=bl&ots=V-LJY4mkZy&sig=ACfU3U1adsKRObtT_l3tYTCLfHjS6gvLtg&hl=en&sa=X&ved=2ahUKEwi_jIPw16npAhWsxoUKHVoSA4AQ6AEwAHoECBMQAQ#v=onepage&q=CISSP%20mechanism%20used%20to%20limit%20the%20range%20of%20objects%20available%20to%20a%20given%20subject%20within%20different%20execution%20domains&f=false
  6. Once the types of information have been identified, who should an information security practitioner work with to ensure that the information is properly categorized?

    • Information Owner (IO)
    • System Administrator
    • Business Continuity (BC) Manager
    • Chief Information Officer (CIO)
  7. What should be the FIRST action for a security administrator who detects an intrusion on the network based on precursors and other indicators?

    • Isolate and contain the intrusion.
    • Notify system and application owners.
    • Apply patches to the Operating Systems (OS).
    • Document and verify the intrusion.
  8. Which of the following needs to be taken into account when assessing vulnerability?

    • Risk identification and validation
    • Threat mapping
    • Risk acceptance criteria
    • Safeguard selection
    Explanation:
    Reference: https://books.google.com.pk/books?id=9gCn86CmsNQC&pg=PA478&lpg=PA478&dq=CISSP+taken+into+account+when+assessing+vulnerability&source=bl&ots=riGvVpNN7I&sig=ACfU3U1isazG0OJlZdAAy91LvAW_rbXdAQ&hl=en&sa=X&ved=2ahUKEwj6p9vg4qnpAhUNxYUKHdODDZ4Q6AEwDHoECBMQAQ#v=onepage&q=CISSP%20taken%20into%20account%20when%20assessing%20vulnerability&f=false
  9. For the purpose of classification, which of the following is used to divide trust domain and trust boundaries?

    • Network architecture
    • Integrity
    • Identity Management (IdM)
    • Confidentiality management
  10. Which of the following is the key requirement for test results when implementing forensic procedures?

    • The test results must be cost-effective.
    • The test results must be authorized.
    • The test results must be quantifiable.
    • The test results must be reproducible.
  11. Which of the following is MOST effective in detecting information hiding in Transmission Control Protocol/Internet Protocol (TCP/IP) traffic?

    • Packet-filter firewall
    • Content-filtering web proxy
    • Stateful inspection firewall
    • Application-level firewall
  12. An application team is running tests to ensure that user entry fields will not accept invalid input of any length. What type of negative testing is this an example of?

    • Reasonable data
    • Population of required fields
    • Allowed number of characters
    • Session testing
    Explanation:
    Reference: https://www.softwaretestinghelp.com/what-is-negative-testing/
  13. An Internet software application requires authentication before a user is permitted to utilize the resource. Which testing scenario BEST validates the functionality of the application?

    • Reasonable data testing
    • Input validation testing
    • Web session testing
    • Allowed data bounds and limits testing
  14. Which of the following techniques BEST prevents buffer overflows?

    • Boundary and perimeter offset
    • Character set encoding
    • Code auditing
    • Variant type and bit length
    Explanation:
    Some products installed on systems can also watch for input values that might result in buffer overflows, but the best countermeasure is proper programming. This means using bounds checking: if an input value is only supposed to be nine characters, then the application should accept nine characters and no more. Some languages are more susceptible to buffer overflows than others, so programmers should understand these issues, use the right languages for the right purposes, and carry out code review to identify buffer overflow vulnerabilities.
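    The bounds-checking countermeasure described above, as an added C example that is not part of the original question bank: the unchecked copy beside a checked version for an assumed nine-character field (FIELD_MAX, copy_field_checked and field_accepts are names chosen here).

```c
#include <stdio.h>
#include <string.h>

/* Assumed field width: the explanation's example of a nine-character input. */
#define FIELD_MAX 9

/* Defective pattern: copies until the NUL byte, so a source longer than
 * FIELD_MAX bytes writes past the end of dst (a stack buffer overflow). */
void copy_field_unchecked(char dst[FIELD_MAX + 1], const char *src)
{
    strcpy(dst, src);                 /* no bounds check: the defect */
}

/* Length scan that never reads more than max + 1 bytes of src. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n <= max && s[n] != '\0')
        n++;
    return n;                         /* max + 1 means "too long" */
}

/* Hardened pattern: check the length first and reject oversized input
 * instead of silently truncating it. Returns 1 on success, 0 on rejection. */
int copy_field_checked(char dst[FIELD_MAX + 1], const char *src)
{
    size_t n = bounded_len(src, FIELD_MAX);
    if (n > FIELD_MAX) {
        dst[0] = '\0';                /* leave a defined, empty field */
        return 0;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 1;
}

/* Convenience wrapper: 1 if src fits the field and round-trips intact. */
int field_accepts(const char *src)
{
    char field[FIELD_MAX + 1];
    return copy_field_checked(field, src) && strcmp(field, src) == 0;
}

int main(void)
{
    /* Constructed sample inputs: exactly nine, ten, and zero characters. */
    const char *inputs[] = { "ACC123456", "ACC1234567", "" };
    for (size_t i = 0; i < 3; i++)
        printf("%-12s -> %s\n", inputs[i],
               field_accepts(inputs[i]) ? "accepted" : "rejected");
    return 0;
}
```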
  15. A security architect is responsible for the protection of a new home banking system. Which of the following solutions can BEST improve the confidentiality and integrity of this external system?

    • Intrusion Prevention System (IPS)
    • Denial of Service (DoS) protection solution
    • One-time Password (OTP) token
    • Web Application Firewall (WAF)
  16. A security professional recommends that a company integrate threat modeling into its Agile development processes. Which of the following BEST describes the benefits of this approach?

    • Reduce application development costs.
    • Potential threats are addressed later in the Software Development Life Cycle (SDLC).
    • Improve user acceptance of implemented security controls.
    • Potential threats are addressed earlier in the Software Development Life Cycle (SDLC).
  17. What principle requires that changes to the plaintext affect many parts of the ciphertext?

    • Encapsulation
    • Permutation
    • Diffusion
    • Obfuscation
    Explanation:
    Diffusion means that a single plaintext bit influences several ciphertext bits. Changing a plaintext value should change many ciphertext values, not just one. In a strong block cipher, changing one plaintext bit changes each ciphertext bit with a probability of 50 percent, so on average about half of the ciphertext bits change.
  18. A security consultant has been hired by a company to establish its vulnerability management program. The consultant is now in the deployment phase. Which of the following tasks is part of this process?

    • Select and procure supporting technologies.
    • Determine a budget and cost analysis for the program.
    • Measure effectiveness of the program’s stated goals.
    • Educate and train key stakeholders.
  19. Directive controls are a form of change management policy and procedures. Which of the following subsections are recommended as part of the change management process?

    • Build and test
    • Implement security controls
    • Categorize Information System (IS)
    • Select security controls
    Explanation:
    Reference: https://books.google.com.pk/books?id=9gCn86CmsNQC&pg=PA570&lpg=PA570&dq=CISSP+Directive+controls+are+a+form+of+change+management+policy+and+procedures.+Which+of+the+following+subsections+are+recommended+as+part+of+the+change+management+process&source=bl&ots=riGvVpSS3E&sig=ACfU3U3dLYheW_GfTZcAYfN97fnDFlMmZg&hl=en&sa=X&ved=2ahUKEwjukoqK96npAhULtRoKHZEpBmcQ6AEwAHoECBQQAQ#v=onepage&q=CISSP%20Directive%20controls%20are%20a%20form%20of%20change%20management%20policy%20and%20procedures.%20Which%20of%20the%20following%20subsections%20are%20recommended%20as%20part%20of%20the%20change%20management%20process&f=false
  20. Which of the following BEST describes how access to a system is granted to federated user accounts?

    • With the federation assurance level
    • Based on defined criteria by the Relying Party (RP)
    • Based on defined criteria by the Identity Provider (IdP)
    • With the identity assurance level
    Explanation:
    Reference: https://resources.infosecinstitute.com/cissp-domain-5-refresh-identity-and-access-management/