ISC2 CISSP Exam Questions
Page 10 of 50
181. As defined within business continuity planning, a disaster is any event that:
- Disrupts a mission-critical business process
- Causes downtime
- Results from a security event
- Causes a financial loss
Correct answer: Disrupts a mission-critical business process
Within business continuity planning, a disaster is an event that disrupts a mission-critical business process. The effects of a disaster can be mitigated by a well-designed Disaster Recovery Plan (DRP). The National Institute of Standards and Technology (NIST) defines a DRP as “A written plan for processing critical applications in the event of a major hardware or software failure or destruction of facilities.” NIST also defines a Business Continuity Plan (BCP) as “The documentation of a predetermined set of instructions or procedures that describe how an organization’s mission/business processes will be sustained during and after a significant disruption.”
Downtime, security events, and financial losses may accompany a disaster but, by themselves, they are not considered disasters.
182. When is privilege creep MOST LIKELY to occur?
- When an employee is transferred from one position to another
- When an employee refuses to take vacation
- When an employee is hired
- When an employee is fired
Correct answer: When an employee is transferred from one position to another
Privilege creep happens when a user’s permissions are not revoked during role changes. This gives employees permissions to systems and resources they no longer need to do their jobs. This violates the principle of least privilege.
An employee refusing to take a vacation could be a sign that some kind of fraud is occurring; they may be worried that someone will detect the bad activity they are up to. When an employee is hired, they are simply given their permissions, and the permission levels should follow the logic of least privilege. When an employee leaves the business for any reason, including being fired, their access needs to be revoked immediately.
183. Which of the following Single Sign-On (SSO) technologies is based on eXtensible Markup Language (XML)?
- Security Assertion Markup Language (SAML)
- Open Authorization (OAuth)
- Open Identification (OpenID)
- Kerberos
Correct answer: Security Assertion Markup Language (SAML)
Security Assertion Markup Language (SAML) is a Single Sign-On (SSO) technology based on eXtensible Markup Language (XML). SAML has three roles: the principal, the identity provider, and the service provider.
Both OAuth and OpenID utilize JavaScript Object Notation (JSON) instead of using the more complicated XML. Kerberos is a distinct networking protocol, originally developed at MIT.
184. Which control discourages security violations and malicious behaviors?
- Deterrent
- Corrective
- Preventive
- Compensating
Correct answer: Deterrent
Deterrent controls are used to discourage security violations and malicious behaviors. Examples include guards, fences, lighting, and security cameras. Deterrents work to dissuade an intruder from taking action.
Preventive controls are designed to ensure that something does not happen. They are not perfect, but they are designed to block traffic; an Intrusion Prevention System (IPS) is one example. Corrective controls are designed to take a non-functional state back to functional; a Disaster Recovery (DR) site is one example, since it allows a company to function after a disaster such as a fire in the data center. A compensating control is used to compensate for the anticipated failure of another control. It is with compensating controls that defense in depth is created.
185. Which action is performed at the beginning of business continuity planning to identify areas that would suffer the greatest financial or operational loss in the event of a disaster?
- Business Impact Analysis
- Determine max downtime
- Annualized loss expectancy calculation
- Quantitative risk assessment
Correct answer: Business Impact Analysis
The Business Impact Analysis (BIA) is performed to determine which areas would sustain the greatest impact in the event of a disaster or disruption. One purpose of this analysis is to identify critical systems and prioritize assets that are most critical to the business. A BIA involves quantitative risk assessments, qualitative risk assessments, and determining the Maximum Tolerable Downtime (MTD), Recovery Point Objective (RPO), and more.
A quantitative risk assessment involves calculating the Single Loss Expectancy (SLE), Annual Rate of Occurrence (ARO), and Annualized Loss Expectancy (ALE).
186. A software development company is seeking to implement a Software Assurance Maturity Model (SAMM). Which of the following BEST describes SAMM?
- Implements security and necessary responsibilities for software development
- Ensures software is developed as originally intended
- Enhances functionality of software in a production environment over time using machine learning
- Ensures software development is optimal and doesn't require additional review
Correct answer: Implements security and necessary responsibilities in software development
A Software Assurance Maturity Model (SAMM) ensures proper development practices in software by combining five major aspects of the process into a framework to promote security. Essentially, SAMM ensures software development includes governance, design, implementation, verification, and operations.
SAMM certainly uses machine learning and aims to ensure the security of software, which in part includes ensuring it is created as intended. However, these are just two traits that only scratch the surface of SAMM. The goal of SAMM is not to avoid review; review should always be a practice in software development.
187. Of the following, what action describes system hardening?
- Removing unnecessary programs
- Enabling file auditing at the root directory
- Scheduling frequent file system snapshots
- Enabling consistency checks for data written to disk
Correct answer: Removing unnecessary programs
System hardening is the process of reducing a system’s attack surface. Administrators can reduce the attack surface of a system by removing unnecessary programs from it. It is common for administrators to harden a system to an acceptable level. The goal of system hardening is to reduce the attack surface available to an attacker. System hardening would also include closing unnecessary ports, changing the default password, or even removing the default account if possible, as well as ensuring that all patches are applied. Once a system is hardened, that state should be the baseline.
Scheduling frequent snapshots does not harden the system, but it does ensure that a very recent snapshot is available if needed. Enabling file auditing and consistency checks are good things to do, but they are not how a system is hardened.
188. What is the purpose of cryptanalysis?
- To break a code or decrypt data
- To determine the authenticity of a message
- To perform a complicated decryption task
- To record key signatures
Correct answer: To break a code or decrypt data
Cryptanalysis is the study of methods for obtaining the meaning of encrypted information without access to the key. Cryptanalysis is also referred to as codebreaking or cracking the code. The ciphertext is generally the easiest part of a cryptosystem to obtain and, therefore, is an important part of cryptanalysis. Depending on what information is available and what type of cipher is being analyzed, cryptanalysts can follow one or more attack models to crack a cipher.
The authenticity of a message is determined by digital signatures. Digital signatures are created using the private key to encrypt/sign something, most commonly the hash of the message. Decryption tasks are part of cryptography. If you combine cryptography and cryptanalysis, you get cryptology. There is no particular name given to the recording of key signatures.
189. Octavio is investigating a problem that has been reported to customer service by several customers. The customers are complaining that the corporate website is not working. The customer clicked on a link in a corporate email that took them to a site to have them log in. When trying to log in, they consistently received a message that said the server was busy and that they should try again later. Octavio is looking at one of the emails that he had a customer forward to him. On reading carefully, he found that the web address has a zero where there should be an O. Which of the following refers to this behavior by bad actors?
- Typo squatting
- Clickjacking
- Vishing
- Baiting
Correct answer: Typo squatting
The practice of registering common misspellings or variations of a domain name (e.g. facebok.com, apples.com) is referred to as typosquatting. Such registrations typically direct traffic to destinations that advantage the squatter, rather than to the domain originally intended.
Clickjacking occurs when the user interface of a website is manipulated to misdirect intended click-throughs. Vishing refers to voice-based (rather than email-based) phishing. Baiting refers to the practice of leaving compromised portable media in a public location in a manner that entices its use from a secure, nonpublic location (for example, leaving an infected USB drive labeled "staff salaries" in the lobby of an office building).
190. What type of attack attempts to gain the trust of internal employees?
- A social engineering attack
- Shoulder surfing attack
- A man in the middle attack
- A LAND attack
Correct answer: A social engineering attack
Social engineers often try to gain an employee's trust so they can access a secure environment. Social engineering may involve a phone call or a face-to-face conversation with an internal employee. The attacker tries to convince the victim to give them access to the system. This can be over the phone or by gaining access to the physical location by piggybacking or claiming to be a repairman.
Shoulder surfing occurs when the attacker literally looks over the user's shoulder to watch the password they type (or Personal Identification Number (PIN), credit card number, or other sensitive info). It does not gain trust, although it might require a level of trust from the employee.
A Man-in-the-Middle (MitM) attack occurs when the bad actor inserts themselves into the middle of the communication path. That way they can at least monitor the transmission, but it is also possible that they could alter the transmission as well. The employee/user would not even know of their existence.
A LAND attack is a network Denial of Service (DoS) attack. It occurs when a packet is sent to a device and the source and destination Internet Protocol (IP) addresses are the same value. Again, the employee/user would not know of the attacker's presence until the machine fails.
191. If you just completed the Analysis phase of the software waterfall development model, what would be the NEXT stage?
- Program design
- Coding
- Testing
- Operation
Correct answer: Program design
The seven stages of the original waterfall model are as follows:
- System requirements / Feasibility
- Software requirements / Analysis
- Analysis
- Program design
- Coding
- Testing
- Operation
192. Kerberos is a ticket-granting service that provides authentication to users and services using the Key Distribution Center. Why is Kerberos MOST LIKELY reliant upon time for authentication?
- To prevent replay attacks
- To log all actions by a user
- To allow for the correlation of events
- For future QoS implementation
Correct answer: To prevent replay attacks
Kerberos uses tickets and a cryptographic key matched with a timestamp to allow users to prove their authenticity with trusted services. The timestamp on the certificate would state the time it was issued, so replay attacks at a later time would appear suspicious and be rejected by those services.
The timestamp could be associated with a log, future Quality of Service (QoS) implementation, or a Security Information & Event Manager (SIEM) that can correlate the events with the proper integration mechanisms. However, none of these options are the main reason Kerberos relies on time for authentication.
193. Which of the following would be BEST described as a centralized database for network services and assets?
- Lightweight directory access protocol
- Single Sign-On
- Kerberos
- eXtensible Markup Language
Correct answer: Lightweight directory access protocol
A directory service is a centralized database that includes information about subjects and objects. Many directory services are based on the Lightweight Directory Access Protocol (LDAP), such as Microsoft's Active Directory Domain Services.
Kerberos is an open protocol that was developed at MIT for Single Sign-On (SSO) within a business. It is the protocol that Microsoft built its Active Directory (AD) on. An SSO system allows users to utilize a single sign-on process that then allows the user access to all of the network resources that they are permitted to access. eXtensible Markup Language (XML) is a programming markup language and file format that allows developers to reconstruct data as well as store and transmit it.
194. Robert is working on a security assessment for Acme Inc. He is outlining the requirements and determining the tasks he should perform. Which of the following is Robert LEAST LIKELY to complete during the security assessment?
- Vulnerability mitigation
- Scan for vulnerabilities
- Document discovered risk
- Threat assessment
Correct answer: Vulnerability mitigation
Under normal circumstances, mitigation should take place after the security assessment is finished, especially by the assessor.
Security assessments are comprehensive reviews of the security of a system, application, or other tested environments. During a security assessment, a trained information security professional performs a risk assessment that identifies vulnerabilities in the environment that may allow a compromise and makes recommendations for remediation. A threat assessment is done as part of risk management. This could be done in relationship to just about any job/task/project/software/etc that a business engages in. This is not part of the security assessment. In the threat assessment, it would be normal to document the discovered risks. In a security assessment, it is the specific threats and vulnerabilities that are found. A threat is something bad that can happen. A vulnerability is an exploitable flaw or weakness.
195. The TCP/IP model consists of how many layers?
- Four
- Two
- Six
- Seven
Correct answer: Four
The Transmission Control Protocol/Internet Protocol (TCP/IP) model consists of four layers. The four layers are Application, Transport or Host-to-Host, Internet, and Network Access. They correspond to layers within the Open Systems Interconnection (OSI) model. Sometimes the TCP/IP model is shown as a five-layer model, as shown below. TCP/IP was invented long ago, before the OSI model, and therefore the names used for its layers are terms that we do not use today, so a couple of different representations of the TCP/IP model have been adopted.
The layers of the TCP/IP model are:
- Application
- Host-to-Host (or transport)
- Internet (or Internetwork, Internetworking or Network)
- Link (or combine this with physical and call it network access)
- Physical
The seven layers of the OSI model are:
- Application
- Presentation
- Session
- Transport
- Network
- Data Link
- Physical
Sometimes the physical and the link layers are considered one and called network access. The host-to-host layer equates to the transport layer of the OSI model and is sometimes called the transport layer. The top three layers of the OSI model are represented in the TCP/IP model as the application layer. There is often confusion in conversations due to this.
196. A honeypot is BEST described as which of the following?
- A system designed to lure attackers by intentionally weakening the security of the system
- An extremely sensitive system with additional security controls
- A redundant or unnecessary system with fewer security controls
- A system designed to lure attackers by actively soliciting them to attack
Correct answer: A system designed to lure attackers by intentionally weakening the security of the system
A honeypot is a system designed to lure attackers by intentionally weakening the security of the system. Honeypots are used to lure attackers away from the production environment and help identify attack methods and the attacker’s identity. Administrators of honeypots need to be careful not to solicit attackers into attacking a honeypot, as this is considered entrapment and is illegal. They should not be made too weak as more knowledgeable attackers will figure out that it is a honeypot much quicker and move on, possibly to critical business systems.
An extremely sensitive system should have additional security controls to protect it, but there is no specific term for this type of system. An unnecessary system is just that, unnecessary. There is no specific name for it such as ‘honeypot’. Actively soliciting the attacker into launching an attack is called entrapment and is illegal.
197. What are the Statement of Standards for Attestation Engagements (SSAE) 18 and International Standards for Assurance Engagements (ISAE) 3402 commonly used for?
- External and third-party audits of companies
- National standardization of security practices
- Proper auditing requirements involving EU entities and customers for GDPR compliance
- U.S. and international privacy regulations for commerce
Correct answer: External and third-party audits of companies
The Statement on Standards for Attestation Engagements (SSAE) 18 and the International Standard for Attestation Engagements (ISAE) 3402 are Service Organization Controls (SOC) audits. SSAE 18 is a national auditing system while ISAE 3402 is a very similar system used internationally. Both are standards used by companies to audit other companies in their jurisdiction.
Companies both locally and internationally now have a way in which to conduct third-party audits in a structured manner. This is one of many steps taken to ensure fairness and impartiality when businesses audit each other. It also ensures a uniform and organized approach to maintaining the standards of the industry as a whole. Neither "national standardization of security practices" nor "proper auditing requirements involving EU entities" is a sufficient answer, because each covers only one scope, while the audit structures listed in the question encompass both national and international frameworks. Additionally, neither standard strictly involves commerce.
198. While responding to a security incident, an analyst wants to determine if malware has spread from the originating workstation to any others within the organization. Upon observing this incident, the workstation was immediately physically isolated from all networks. The analyst recommends working alongside a co-worker to analyze the code within the malware and determine its intent. Management's top priority is ensuring the continued function of the business while managing the impact this attack may have overall. What would MOST LIKELY be appropriate in this situation?
- Review logs to determine if and where the malware spread
- Ask employees to report odd behavior at their workstations
- Shut down all workstations immediately
- Immediately notify customers of a breach
Correct answer: Review logs to determine if and where the malware spread
The first thing to do after removing the infected PC from a network is to determine if the malware has spread. This can be done by reviewing the Security Information and Event Management (SIEM) and seeing which IP addresses the infected machine interacted with. This would be the fastest way to determine if other workstations need to be taken offline too.
Individually asking employees questions will simply slow down the investigation. Shutting down all workstations immediately would have potentially drastic effects on the workplace as a whole and may be completely unnecessary. Immediately notifying customers of a breach would result in unnecessary attention when a breach hasn't been confirmed yet. If one machine was infected with malware and all customer info was encrypted, it likely doesn't have to be reported. It's important that a business try not to damage its reputation with customers. Unnecessarily damaging the company's reputation could impose serious financial hardships, especially after practicing due care by encrypting the information anyway.
199. Quantitative risk management has which of the following in its favor compared to qualitative risk management?
- Measures risk consistently and objectively according to a set formula
- Prioritizes the most critical risk
- Reviews where the most harm has been done
- Portrays which risks are more serious
Correct answer: Measures risk consistently and objectively according to a set formula
Quantitative risk management deals with the exact quantities of factors involved in risk. It measures the anticipated loss numerically using the Single Loss Expectancy (SLE), Annual Rate of Occurrence (ARO), and Annualized Loss Expectancy (ALE) formulas. Quantitative risk management assessments can utilize past data and information for details that might help predict the future.
Qualitative risk management attempts to assign priorities of importance, distinguishing lower risk from higher risk factors. This allows scenarios to be created to portray which risk is the most serious and needs the most attention. Quantitative loss can be measured numerically, but qualitative loss is measured subjectively.
200. Alex is in the middle of recovering from a disaster. He estimates that all critical systems will be online in approximately 72 hours. What type of site is Alex MOST LIKELY utilizing for recovery?
- Warm site
- Cold site
- Hot site
- Redundant site
Correct answer: Warm site
A warm site is generally equipped with some computers/servers and communication links already in place. However, it is missing some equipment and most, if not all, of the data. Recovery time depends on how fast the missing equipment can be added and how fast the data can be transferred and loaded. How much equipment must be present at a site for it to be classified as a warm site depends on the specific standard or law. What is consistent across all of the different standards is that they all say ‘some’ or ‘partial’ in relation to how much equipment must be present before the disaster happens. Warm sites are a good compromise between cost and benefit.
Hot sites already have servers, communication links, and some data, but there is definitely some data missing. Perhaps the last full backup has been loaded but the latest differential backup must be loaded. They can become live in a few hours (up to 40 or so hours). Cold sites are empty computer rooms or buildings with no server or communication equipment. Cold sites may take a week or more to become live since the equipment must be purchased and installed. Redundant or mirrored sites have all the equipment and software in place and operational. There would be a load balancer to split traffic between the sites. It is necessary for each site to have enough capacity to accommodate the other site’s (assuming two sites, there can be more) active traffic when one of the sites fails.