ISC2 CISSP Exam Questions
Page 2 of 50
21. When software patches are introduced to fix a security weakness in the system, what function do these patches perform?
- Mitigate risk
- Transfer risk
- Enhance features
- Manage change
Correct answer: Mitigate risk
When patches are introduced to fix a security weakness in the system, they help mitigate risk. Software patching is often performed on a regular basis to maintain the security of production software.
Risk transfer occurs when someone else takes on responsibility for managing the risk or the outcome of the event(s) of concern. The most common example people use is insurance. A feature might be enhanced when a patch is applied, but the question is about a security patch; security patches are not meant to enhance features, they are meant to close or fix vulnerabilities in the software. Change management is a process that should be followed when applying the patch, but that is not the function the question is asking about.
22. Of the following, which BEST describes a type 2 authentication factor?
- Smart card
- Personal Identification Number (PIN)
- Security questions
- Palm vein scan
Correct answer: Smart card
Smart cards are "something you have" or a type 2 authentication factor. They are rarely used by themselves but are commonly combined with other authentication factors, providing Multi-Factor Authentication (MFA).
A Personal Identification Number (PIN) and security questions are both "something you know," or type 1 authentication factors. A palm vein scan is "something you are," or a type 3 authentication factor.
23. When performing a Business Impact Analysis (BIA), you must identify threats to the organization. Of the following, which is LEAST LIKELY to be considered a threat?
- Unpatched server
- Earthquake
- Politically motivated hacker
- Botnet
Correct answer: Unpatched server
An unpatched server is a vulnerability, not a threat.
The International Organization for Standardization and the International Electrotechnical Commission define a threat as a “potential cause of an unwanted incident, which may result in harm to a system or organization.” Earthquakes, hackers, and botnets are all forms of threats.
24. Odelia works for a large manufacturing firm that sells some products directly to customers and the rest wholesale to distributors. When processing credit cards, she ensures that she is compliant with her contract with the credit card companies. How many requirements does the Payment Card Industry Data Security Standard (PCI-DSS) have?
- 12
- 6
- 8
- 20
Correct answer: 12
The Payment Card Industry Data Security Standard (PCI-DSS) has 12 main requirements. Each requirement has additional sub-controls. The 12 requirements are as follows:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for employees and contractors
25. What type of password attack uses pre-computed hash values instead of computing them during the attack?
- Rainbow table
- Pretexting
- Brute-force
- Dictionary
Correct answer: Rainbow table
A rainbow table is usually a large file with a list of pre-computed hashes and corresponding passwords. This reduces the time needed to crack a password since the attacker searches for a hash instead of generating passwords and hashes.
Pretexting is a social engineering technique. Brute-force attacks try every possible password for a given character set and generate the hash values during the attack, requiring a lot of Central Processing Unit (CPU) or Graphics Processing Unit (GPU) power. Dictionary attacks try all the words in the dictionary and generate the hash values during the attack.
26. Host Alpha sends a Transmission Control Protocol (TCP) synchronize (SYN) packet to Host Beta, and Host Beta receives and responds by sending out a synchronize acknowledgment (SYN/ACK). After Host Alpha gets this, it responds with an acknowledgment (ACK). This is known as which of the following?
- TCP 3-way handshake
- TCP socket alignment
- TCP sliding window
- TCP 2-way handshake
Correct answer: TCP 3-way handshake
A 3-way handshake is used to establish a Transmission Control Protocol (TCP) connection. A client establishing a connection with a server initiates the connection by sending a TCP SYN packet as the first part of the handshake. In the second part of the handshake, the server replies to the client with a SYN-ACK packet, which acknowledges the client's SYN and carries the server's own synchronization. In the third part of the handshake, the client responds with an ACK packet back to the server. Because three packets are exchanged, this handshake is considered 3-way, not 2-way.
TCP sockets are also known as port numbers. They are used to identify the type of traffic that is contained within the TCP packet. For example, socket or port number 80 indicates Hypertext Transfer Protocol (HTTP) traffic. The sliding window is the number of packets that can be sent before an acknowledgment must be sent back. If any packets are missing within that window, they can be retransmitted.
27. Internet Protocol Security (IPsec) is BEST defined as which of the following?
- A suite of protocols that provide secure connections
- An encrypted email standard
- An application layer virtual private network protocol
- A use case for temporal key integrity protocol
Correct answer: A suite of protocols that provide secure connections
Internet Protocol Security (IPsec) is a suite of protocols that provide protection at the network layer of the Open Systems Interconnection (OSI) model. IPsec is frequently used to establish a Virtual Private Network (VPN) between two routers. IPsec protects the original IP packet by encrypting or hashing it and adding a new AH or ESP header together with a new IP header. IPsec-specific protocols include:
- Authentication Header (AH), which provides integrity of the packet and adds an AH header.
- Encapsulating Security Payload (ESP), which provides the confidentiality of the packet and adds an ESP header.
- Internet Key Exchange (IKE), which is used to negotiate tunnel parameters.
Secure/Multipurpose Internet Mail Extension (S/MIME) is an encrypted email standard. There are no application layer (L7) VPN protocols. IPsec is layer 3, Transport Layer Security (TLS) is layer 4, and Secure Shell (SSH) is layer 5. Temporal Key Integrity Protocol (TKIP) is a combination of RC4 and the Michael hashing algorithm that is used in Wireless Encryption Protocol (WEP).
28. Which of the following would a business use to determine if the control that they are looking to purchase and add to their production environment would make the MOST sense?
- Annual Loss Expectancy (ALE)
- Single Loss Expectancy (SLE)
- Exposure Factor (EF)
- Return On Investment (ROI)
Correct answer: Annual Loss Expectancy (ALE)
Annual Loss Expectancy (ALE) is a risk management metric used to quantify the financial impact of a specific risk over a one-year period. It is commonly used in the field of information security and risk assessment to evaluate the potential financial loss associated with security incidents or breaches. This can be used in comparison to the cost of the control that the business in the example is assessing. It is also possible to rerun the calculations that result in ALE based on what would happen if that control was added.
The formula to calculate Annual Loss Expectancy (ALE) is: ALE = SLE × ARO
Where:
- SLE (Single Loss Expectancy): The estimated financial loss expected from a single occurrence of a specific risk event. SLE is typically calculated by multiplying the value of the asset at risk by the Exposure Factor (EF). The EF is the percentage of the asset that is expected to be impacted or lost if a single event occurs.
- ARO (Annualized Rate of Occurrence): The estimated frequency or rate at which the specific risk event is expected to occur within a one-year period. ARO is often expressed as a probability or frequency (e.g. once per year, twice per month, etc.).
By multiplying the Single Loss Expectancy (SLE) by the Annualized Rate of Occurrence (ARO), the Annual Loss Expectancy (ALE) provides a comprehensive assessment of the potential financial impact of the risk over a year.
Key points about Annual Loss Expectancy (ALE):
- Risk Prioritization: ALE helps organizations prioritize risks by identifying those with the highest potential financial impact. Risks with higher ALE values are typically given greater attention and resources for mitigation.
- Decision Making: ALE provides valuable information for decision-making processes, such as allocating resources for risk mitigation measures or investing in security controls to reduce the likelihood or impact of security incidents.
- Cost-Benefit Analysis: ALE enables organizations to conduct cost-benefit analyses of security investments by comparing the expected financial losses (ALE) against the costs of implementing security measures. This helps justify security spending and investment decisions.
- Continuous Improvement: ALE can be recalculated periodically or after significant changes in the risk landscape to reflect updates in the estimated loss and occurrence rates. This allows organizations to monitor changes in risk exposure and prioritize ongoing risk management efforts.
Overall, Annual Loss Expectancy (ALE) is a valuable tool in risk management, providing a quantitative basis for assessing and prioritizing security risks and informing strategic decision-making processes.
Return On Investment (ROI) is the measure of the use received out of a product compared to what it was purchased for initially. Neither asset inventories nor ROI directly relates to products; they relate to assets as a whole, including data servers, workstations, and other company-owned devices.
29. An organization wants to implement a formal inspection of all software before any time is spent on dynamic analysis testing. What would be the MOST formal and in-depth approach to conducting such an inspection?
- Fagan inspection
- Peer review
- Static testing
- Fuzz testing
Correct answer: Fagan inspection
A Fagan inspection is a formal step-by-step process of code review. It is considered the most in-depth code review in the industry and involves specific criteria for evaluation.
A peer review would be a good alternative, but not as in-depth as a Fagan inspection. There are no set criteria or standards for a peer review. Additionally, you're relying on the knowledge of another person instead of a standardized and proven formal approach to reviewing code. Static testing and fuzz testing would allow for testing code at a microscopic or active level, but would not be a formal methodical approach. Additionally, these processes may involve fewer people and provide less opportunity to observe errors and provide adequate feedback.
Ultimately, a Fagan inspection involves planning, overview, preparation, inspection, reworks, and follow-ups. None of these other review processes match that.
30. Which of the following can be used to protect the availability of data as part of the Confidentiality, Integrity, and Availability (CIA) requirements of information security?
- Redundant Array of Independent Disks
- Advanced Encryption Standard
- Secure Hash Algorithm 3
- Transport Layer Security
Correct answer: Redundant Array of Independent Disks
The CIA triad is built upon the principles of confidentiality, integrity, and availability, and is at the heart of information security. Confidentiality is the idea that sensitive data should be kept confidential and kept away from unauthorized individuals. Integrity is the idea that data remains authentic and unaltered. Availability ensures reliability and access to system resources.
Examples:
- Confidentiality: Advanced Encryption Standard (AES), Transport Layer Security (TLS)
- Integrity: Secure Hash Algorithm 3 (SHA-3)
- Availability: Redundant Array of Independent Disks (RAID)
31. Of the following, which BEST describes configuration management?
- The management process for baselines to ensure any deviations are authorized and documented
- The management process for introducing alterations to a security program
- A special audit process that demonstrates compliance with government regulations
- A process in which senior management directs an organization to meet its objectives
Correct answer: The management process for baselines to ensure any deviations are authorized and documented
Configuration management is used to ensure secure baselines on systems are adequately maintained, and any deviations are authorized and documented. Configuration management seeks to establish safe, reliable configurations for systems.
Configuration management is not about the security program, it is about the parameters and making any changes to them within the systems.
Configuration management is part of ITIL (formerly the Information Technology Infrastructure Library), not a government regulation. ITIL was invented by the United Kingdom (UK) government and is now managed by Axelos in conjunction with the UK government.
Senior management first utilizes policies to direct their organization, meaning configuration management is well out of their sight. If senior management is concerned with a parameter on a computer, they are likely not actually doing their job. They should be guiding or directing the business in the direction of their vision.
32. Which organization would MOST LIKELY fall under the category of "quantitatively managed" within the Capability Maturity Model Integration (CMMI)?
- An organization applying careful measurement to their software development and tailoring processes to their needs
- An organization with basic steps in place to use for software development
- An inexperienced organization that does not typically engage in developing or modifying software
- An experienced organization taking a proactive approach, using accurate measures, and leading the industry
Correct answer: An organization applying careful measurement to their software development and tailoring processes to their needs
An organization conducting careful measurement of their software development would fall under level four, which is quantitatively managed. These organizations are precise with measurements and know exactly what they need to thrive based on their data.
An inexperienced organization would fall under level zero and be considered incomplete, as software development is not a regular practice. An organization with basic steps in place would likely fall under level two, which is managed. Here, there is a basic structure, but not much more. An experienced organization that is at least proactive with its approach to software development and leading the industry through experience and measurement is likely a level five, or optimized software developer.
33. Which of the following connection types is a logical circuit that always exists and can be used at any time by the customer?
- Permanent Virtual Circuit (PVC)
- Switched Virtual Circuit (SVC)
- Digital Subscriber Line (DSL)
- Integrated Services Digital Network (ISDN)
Correct answer: Permanent Virtual Circuit (PVC)
A virtual circuit is a logical path over a packet-switched network between two routers. Once created, a PVC always exists and can be used at any time by the customer. There are two main types of virtual circuits:
- Permanent Virtual Circuits (PVCs)
- Switched Virtual Circuits (SVCs)
An SVC is more like a dial-up connection and requires the circuit to be dynamically built at the time of use. An SVC is used for a temporary connection. A PVC is like a phone that connects directly to one destination as soon as you pick it up, whereas an SVC is like a normal telephone network that connects a phone to whomever the caller wishes. Digital Subscriber Line (DSL) is a digital connection that is an upgrade from traditional cable modem connections to the home. Integrated Services Digital Network (ISDN) came before DSL as an alternative connection type to the office. ISDN is very old technology at this point.
34. Of the following, which is NOT a valid access control model?
- Rotational Access Control model
- Discretionary Access Control model
- Attribute-Based Access Control model
- Mandatory Access Control model
Correct answer: Rotational Access Control model
"Rotational" is not an access control model.
Discretionary Access Control (DAC) is a type of access control system found in many computing environments where access rights are assigned based on the discretion, or decision, of the owner of the information or resource. In a DAC model, the owner of a resource (such as a file, directory, or data object) has the authority to decide which other users or groups can have access to that resource and the extent of their permissions (e.g. read, write, execute, delete).
Attribute-Based Access Control (ABAC) is an advanced and flexible access control model that determines access rights based on attributes. In ABAC, access decisions are made by evaluating policies against the attributes of users, resources, and the environment within which access is being requested. Attributes can be characteristics of the user (such as role, department, or clearance level), characteristics of the resource (such as classification, owner, or sensitivity level), or contextual information (such as time of day, location, or the state of a system).
In Mandatory Access Control (MAC), each user and resource is assigned a classification label based on security levels, such as "Top Secret," "Secret," "Confidential," and "Unclassified." These labels represent the sensitivity or importance of the information. Access decisions are then made based on predefined rules that specify which security levels can access resources of a given classification. The rules are typically based on a hierarchical or lattice-based model, where higher-level users can access lower-level resources but not vice versa.
35. Which of the following resource isolation terms BEST describes an added layer of protection to ensure low-privilege processes cannot access and modify a high-level process’s memory space?
- Hardware segmentation
- Random access memory
- Cache memory
- Read-only memory
Correct answer: Hardware segmentation
Higher trust levels often require hardware segmentation of memory. This memory becomes physically separated, not just logically separated. The physical security controls add a protection level from outside processes accessing memory resources for a particular application.
Random Access Memory (RAM) is computer memory used for data storage and quick access by the CPU. It's volatile, meaning data is lost when powered off. RAM's speed and capacity significantly impact system performance. Cache memory is a high-speed, small-capacity storage unit located between a computer's main memory (RAM) and the CPU. It stores frequently used data and instructions, reducing the time needed to access them, thereby boosting overall system performance. Read-Only Memory (ROM) is a type of computer memory that stores data permanently. It contains firmware or software instructions essential for booting the computer or device. Unlike RAM, ROM is non-volatile, meaning it retains data even when the power is off, ensuring critical functions are available at startup.
36. Which of the following would MOST LIKELY be categorized as Personally Identifiable Information (PII)?
- Criminal record
- Time zone
- Browser type
- Aggregated survey results
Correct answer: Criminal record
An individual's criminal record should be categorized as Personally Identifiable Information (PII).
The National Institute of Standards and Technology (NIST) in Special Publication 800-122 states that PII is any information about an individual maintained by an agency, including the following:
- Any information that can be used to distinguish or trace an individual's identity, such as name, Social Security number, date, and place of birth, mother's maiden name, or biometric records; and
- Any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
- The EU GDPR also includes political views, opinions, religion, gender identification, etc.
37. When discussing Session Initiation Protocol (SIP) or Challenge-Handshake Authentication Protocol (CHAP), what BEST describes the role of the nonce?
- Adds replay resistance
- Removes the need to transmit the password in clear text
- Protects against rainbow table attacks
- Prevents hash collisions
Correct answer: Adds replay resistance
A nonce (Number used Once) is a random number or value generated by the authentication server. When a client requests to authenticate, the server will reply with the nonce; this is often called the challenge. The client will combine the nonce with a predefined password and use a hashing algorithm to generate a response. The server will use the same nonce and predefined password to create a hash. If the hash generated by the client and server match, the server will authenticate the client. Each nonce can only be used once and helps prevent replay attacks.
The password should never be transmitted in clear text. The nonce makes the hash more effective, which by definition removes the clear-text password from the transmission. Random numbers such as nonces do help protect against rainbow table attacks; however, the random number used for that purpose is called a salt. It functions in much the same way as the nonce within Challenge-Handshake Authentication Protocol (CHAP), though. Hash collisions will occur. The way to prevent them is twofold: have a strong hashing algorithm with a larger message digest field, e.g. 512 bits long.
38. Regardless of the access control model used, what is the FIRST step in granting access?
- Identification
- Authorization
- Verification
- Authentication
Correct answer: Identification
In order for any security system to operate, it must first identify the subject. Systems must perform Identification, Authentication, Authorization, and Accountability. These are the four elements of IAAA service. Identification is when a user asserts their identity using their user ID, user name, email, or personal number.
Authentication is the step that proves, or verifies, that identity assertion. Authentication is done using one or more of the factors of authentication. Factor 1 is something that you know, such as a password. Factor 2 is something that you have, such as a token, card, or authentication tool. Factor 3 is something that you are, which would be biometrics such as a fingerprint, retinal pattern, or vocal pattern. Authorization is then granting the user permissions (or not) now that their identification has been verified. Accountability is then tracking the user's activity by creating a log of their activities.
39. Which of the following is an example of eXtensible Markup Language (XML) code?
- <Highscore>198000092</Highscore>
- Highscore="198000092"
- SET @Highscore = '198000092';
- Set-Variable -Name "Highscore " -Value "198000092"
Correct answer: <Highscore>198000092</Highscore>
eXtensible Markup Language (XML) was designed to store and transport data and to be both human- and machine-readable. It uses a simple text-based format for representing structured information such as documents, data, configuration, books, transactions, invoices, and much more. It was derived from an older standard format called SGML (ISO 8879) and was modified to be more suitable for web use.
Highscore="198000092" would be a Windows batch command format.
SET @Highscore = '198000092'; is consistent with batch command format.
Set-Variable -Name "Highscore " -Value "198000092" is consistent with PowerShell.
40. Flow control, also known as congestion control, is manipulated by what mechanism of the Transmission Control Protocol (TCP)?
- Sliding windows
- Transmission windows
- Access windows
- Termination windows
Correct answer: Sliding windows
Flow control, or congestion control, is manipulated by using sliding windows in the Transmission Control Protocol (TCP). Sliding windows change the number of packets that can be sent before an acknowledgment is required. This allows the window size to change if congestion or packet loss is detected. Larger windows increase the number of packets that can be sent before an acknowledgment is required, and smaller windows decrease the number of packets that can be sent before an acknowledgment is required.
A sliding window is the correct term; the others are not terms that relate to TCP/IP in any way.