CISSP : Certified Information Systems Security Professional : Part 28

  1. Which of the following is the MOST relevant risk indicator after a penetration test?

    • Lists of hosts vulnerable to remote exploitation attacks
    • Details of vulnerabilities and recommended remediation
    • Lists of target systems on the network identified and scanned for vulnerabilities
    • Details of successful vulnerability exploitations
  2. Which of the following benefits does Role Based Access Control (RBAC) provide for the access review process?

    • Lowers the amount of access requests after review
    • Gives more control into the revocation phase
    • Gives more fine-grained access analysis to accesses
    • Lowers the number of items to be reviewed
  3. Which of the following is the BEST type of authentication and encryption for a Secure Shell (SSH) implementation when network traffic traverses between a host and an infrastructure device?

    • Lightweight Directory Access Protocol (LDAP)
    • Public-key cryptography
    • Remote Authentication Dial-In User Service (RADIUS)
    • Private-key cryptography

    Explanation:
    Reference: https://books.google.com.pk/books?id=4K7LCgAAQBAJ&pg=PA284&lpg=PA284&dq=type+of+authentication+and+encryption+for+a+Secure+Shell+(SSH)+implementation+when+network+traffic+traverses+between+a+host+and+an+infrastructure+device&source=bl&ots=YEMNN8nfuN&sig=ACfU3U2QMbLySWQ_0Vs-GjsSJmaHZ_O9Iw&hl=en&sa=X&ved=2ahUKEwjDobCajqrpAhWMHRQKHW2FC4gQ6AEwAHoECBQQAQ#v=onepage&q=type%20of%20authentication%20and%20encryption%20for%20a%20Secure%20Shell%20(SSH)%20implementation%20when%20network%20traffic%20traverses%20between%20a%20host%20and%20an%20infrastructure%20device&f=false

  4. Which of the following does Secure Sockets Layer (SSL) encryption protect?

    • Data availability
    • Data at rest
    • Data in transit
    • Data integrity
  5. Lack of which of the following could have a negative effect on an organization’s reputation and revenue, and result in legal action, if the organization fails to perform due diligence?

    • Threat modeling methodologies
    • Service Level Requirement (SLR)
    • Service Level Agreement (SLA)
    • Third-party risk management
  6. What is the BEST approach to annual safety training?

    • Base safety training requirements on staff member job descriptions.
    • Safety training should address any gaps in a staff member’s skill set.
    • Ensure that staff members in positions with known safety risks are given proper training.
    • Ensure that all staff members are provided with identical safety training.
  7. Which of the following is a credible source to validate that security testing of Commercial Off-The-Shelf (COTS) software has been performed with international standards?

    • Common Criteria (CC)
    • Evaluation Assurance Level (EAL)
    • National Information Assurance Partnership (NIAP)
    • International Standards Organization (ISO)
  8. What Service Organization Controls (SOC) report can be freely distributed and used by customers to gain confidence in a service organization’s systems?

    • SOC 1 Type 1
    • SOC 1 Type 2
    • SOC 2
    • SOC 3
    Explanation:
    Reference: https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/serviceorganization-smanagement.html
  9. Which of the following questions will be addressed through the use of a Privacy Impact Assessment (PIA)?

    • How the information is to be maintained
    • Why the information is to be collected
    • What information is to be destroyed
    • Where the information is to be stored
  10. An organization discovers that its Secure File Transfer Protocol (SFTP) server has been accessed by an unauthorized person to download an unreleased game. A recent security audit found weaknesses in some of the organization’s general Information Technology (IT) controls, specifically pertaining to software change control and security patch management, but not in other control areas.

    Which of the following is the MOST probable attack vector used in the security breach?

    • Buffer overflow
    • Distributed Denial of Service (DDoS)
    • Cross-Site Scripting (XSS)
    • Weak password due to lack of complexity rules
  11. A security engineer is tasked with implementing a new identity solution. The client doesn’t want to install or maintain the infrastructure. Which of the following would qualify as the BEST solution?

    • Microsoft Identity Manager (MIM)
    • Azure Active Directory (AD)
    • Active Directory Federation Services (ADFS)
    • Active Directory (AD)
  12. Which of the following is the FIRST thing to consider when reviewing Information Technology (IT) internal controls?

    • The risk culture of the organization
    • The impact of the control
    • The nature of the risk
    • The cost of the control
  13. What is the FIRST action a security professional needs to take while assessing an organization’s asset security in order to properly classify and protect access to data?

    • Verify the various data classification models implemented for different environments.
    • Determine the level of access for the data and systems.
    • Verify if confidential data is protected with cryptography.
    • Determine how data is accessed in the organization.
  14. Which layer of the Open System Interconnection (OSI) model is reliant on other layers and is concerned with the structure, interpretation and handling of information?

    • Presentation Layer
    • Session Layer
    • Application Layer
    • Transport Layer
  15. When conveying the results of a security assessment, which of the following is the PRIMARY audience?

    • Information System Security Officer (ISSO)
    • Authorizing Official (AO)
    • Information System Security Manager (ISSM)
    • Security Control Assessor (SCA)
  16. Which concept might require users to use a second access token or to re-enter passwords to gain elevated access rights in the identity and access provisioning life cycle?

    • Time-based
    • Enrollment
    • Least privilege
    • Access review
  17. Why are mobile devices sometimes difficult to investigate in a forensic examination?

    • There are no forensics tools available for examination.
    • They may contain cryptographic protection.
    • They have password-based security at logon.
    • They may have proprietary software installed to protect them.
  18. Which of the following global privacy legislation principles ensures that data handling policies and the name of the data controller are easily accessible to the public?

    • Use limitation
    • Openness
    • Purpose specification
    • Individual participation
  19. Where would an organization typically place an endpoint security solution?

    • Web server and individual devices
    • Intrusion Detection System (IDS) and web server
    • Central server and individual devices
    • Intrusion Detection System (IDS) and central server
  20. Security categorization of a new system takes place during which phase of the Systems Development Life Cycle (SDLC)?

    • System implementation
    • System initiation
    • System operations and maintenance
    • System acquisition and development
  21. What is the motivation for use of the Online Certificate Status Protocol (OCSP)?

    • To return information on multiple certificates
    • To control access to Certificate Revocation List (CRL) requests
    • To provide timely up-to-date responses to certificate queries
    • To issue X.509v3 certificates more quickly