ISC2 CISSP Exam Questions

Page 4 of 50

61.

In which of the following security components is cryptography LEAST LIKELY to be utilized?

  • Availability

  • Confidentiality

  • Authentication

  • Integrity

Correct answer: Availability

The third principle of the Confidentiality, Integrity, and Availability (CIA) triad is availability. The focus of availability is to ensure reliability and access to system resources or data. Of the available options, cryptography is least likely to be used to provide the availability of a system; if anything, it can work against availability: if the cryptographic key is lost or corrupted, the encrypted data becomes inaccessible.

Cryptography is used in confidentiality in the form of encryption, for integrity in the form of hashing, and for authentication in the form of asymmetric digital signatures and hashing.

62.

What physical lock uses a keypad?

  • Cipher lock

  • Tumbler lock

  • Mortise lock

  • Biometric lock

Correct answer: Cipher lock

A cipher lock is characterized by a keypad, requiring a specific numerical sequence on the keypad to unlock an entrance. Keypads are used in data centers or even within restricted areas to add an extra level of security.

A tumbler lock is a common type of lock mechanism found in many doors and padlocks. It consists of a series of spring-loaded pins (tumblers) that align when the correct key is inserted, allowing the lock to turn and open. Incorrect keys won't align the tumblers, preventing the lock from turning. Tumbler locks offer basic security but are vulnerable to lock-picking techniques.

A mortise lock is a type of door lock that is set within a rectangular cavity, or mortise, in the door. It typically consists of a lock body with a latch, a strike plate, and a cylinder or keyhole. Mortise locks are known for their durability and security, making them common in commercial and residential applications. They are often considered more secure than standard cylindrical locks due to their robust construction and the fact that they are more challenging to pick or force open.

A biometric lock is a security device that uses unique physical or behavioral characteristics, such as fingerprints, retinal patterns, or voice recognition, to authenticate and grant access. It's a modern, highly secure alternative to traditional key or card-based locking systems, enhancing both convenience and protection.

63.

Your boss asked you to hire a penetration tester to perform a partial knowledge test. What BEST describes a partial knowledge test?

  • Penetration testers are provided with some information before testing

  • Penetration testers are provided with detailed information before testing

  • Penetration testers are provided with no information before testing

  • Penetration testers are provided building and system access during testing

Correct answer: Penetration testers are provided with some information before testing

In grey-box (partial-knowledge) testing, the penetration testers are provided with partial information before testing. This can help the tester find and exploit vulnerabilities more effectively than if the tester had no information about the environment before testing.

When the penetration testers are provided no information, it is referred to as a zero-knowledge test (black box). When the penetration testers are provided detailed information, it is referred to as a full-knowledge test (white box). If the penetration testers are provided building and system access, they could be performing a physical test or an internal test.

64.

What would the text of "CISSP" look like when encrypted using ROT6?

  • IOYYV

  • PSSIC

  • 13669

  • FLVVS

Correct answer: IOYYV

ROT6 stands for "rotate 6" and means to shift each letter in the alphabet six spaces to the right. A becomes G, B becomes H, C becomes I, etc.

C + 6 = I

I + 6 = O

S + 6 = Y

S + 6 = Y

P + 6 = V

65.

George is a network administrator for a hospital. He configures all the switch interfaces to dynamically detect and create trunk or tagged interfaces if another switch is detected. Of the following, what type of attack is George's network MOST LIKELY vulnerable to?

  • Virtual Local Area Network (VLAN) hopping attack

  • Spanning Tree Protocol (STP) attack

  • Link Layer Discovery Protocol (LLDP) spoofing

  • Address Resolution Protocol (ARP) poisoning attack

Correct answer: Virtual Local Area Network (VLAN) hopping attack

Virtual Local Area Network (VLAN) hopping occurs when an attacker manipulates a frame so the switch moves it to a different VLAN. VLAN hopping can happen by spoofing a switch, setting up a dynamic trunk or tagged interface, or creating a double-encapsulated 802.1q tag. Network administrators should disable dynamic trunk or tagged interfaces and use separate VLANs for access interfaces.

A Spanning Tree Protocol (STP) attack refers to malicious activity that exploits vulnerabilities in, or manipulates, the STP in a network. Attackers may attempt to disrupt or manipulate the STP topology to create loops, leading to network outages or unauthorized access.

Link Layer Discovery Protocol (LLDP) spoofing is a network attack where an attacker sends fake LLDP frames to deceive network devices about their neighbors. This can lead to misconfigurations, unauthorized access, or other security risks.

Address Resolution Protocol (ARP) poisoning attacks, also known as ARP spoofing, are cyber-attacks where an attacker sends falsified ARP messages over a local area network. By linking their Media Access Control (MAC) address to the Internet Protocol (IP) address of a legitimate network device, the attacker can intercept and manipulate network traffic, leading to security threats such as eavesdropping, man-in-the-middle attacks, or session hijacking.

66.

Ralph is performing a security assessment for management and is using a network mapping tool to discover all devices on a network. He runs a scan with 192.168.0.0/16 as the target. What range of usable Internet Protocol (IP) addresses will this scan cover?

  • 192.168.0.1 to 192.168.255.254

  • 192.168.0.1 to 192.168.0.254

  • 192.168.0.1 to 192.255.255.254

  • 192.168.0.1 to 192.168.32.254

Correct answer: 192.168.0.1 to 192.168.255.254

A network mapping tool scan can be instructed to use a valid Internet Protocol (IP) range as a target to ensure it scans the entire network. Request for Comments (RFC) 1918 reserves the following IPv4 address ranges for private networks:

  • 10.0.0.0/8 IP addresses: 10.0.0.0 – 10.255.255.255
  • 172.16.0.0/12 IP addresses: 172.16.0.0 – 172.31.255.255
  • 192.168.0.0/16 IP addresses: 192.168.0.0 – 192.168.255.255

Within 192.168.0.0/16, the first address (192.168.0.0) is the network address and the last (192.168.255.255) is the broadcast address, so the usable host addresses run from 192.168.0.1 to 192.168.255.254.
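The arithmetic behind the answer, as an added example that is not part of the original question bank: the helper below works out the usable host range of any IPv4 CIDR block from the prefix length (network and broadcast addresses excluded) and checks which RFC 1918 block, if any, an address falls in. It is written by hand, without the `ipaddress` module, so the mask math is visible; the function names are the example's own.

```python
# Added example: usable-host range of an IPv4 CIDR block and RFC 1918 membership.

# The three private ranges from RFC 1918 (base address, prefix length).
RFC1918 = (
    ("10.0.0.0", 8),
    ("172.16.0.0", 12),
    ("192.168.0.0", 16),
)


def ip_to_int(addr):
    """Convert a dotted-quad IPv4 address to a 32-bit integer."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(o < 0 or o > 255 for o in octets):
        raise ValueError(f"invalid IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(value):
    """Convert a 32-bit integer back to dotted-quad text."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_mask(prefix):
    """Subnet mask for a prefix length, e.g. 16 -> 0xFFFF0000."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"invalid prefix length: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def usable_range(cidr):
    """Return (first_usable, last_usable, host_count) for an IPv4 CIDR block.

    The all-zeros host part is the network address and the all-ones host part
    is the broadcast address, so neither is assigned to a host. /31 (RFC 3021
    point-to-point links) and /32 (a single host) have no such reservation.
    """
    addr, prefix_text = cidr.split("/")
    prefix = int(prefix_text)
    mask = prefix_mask(prefix)
    network = ip_to_int(addr) & mask            # clear the host bits
    broadcast = network | (~mask & 0xFFFFFFFF)  # set the host bits
    if prefix >= 31:
        return int_to_ip(network), int_to_ip(broadcast), broadcast - network + 1
    return int_to_ip(network + 1), int_to_ip(broadcast - 1), broadcast - network - 1


def rfc1918_block(addr):
    """Return the RFC 1918 block containing addr as 'base/prefix', else None."""
    value = ip_to_int(addr)
    for base, prefix in RFC1918:
        if value & prefix_mask(prefix) == ip_to_int(base):
            return f"{base}/{prefix}"
    return None


if __name__ == "__main__":
    # The scan target from the question.
    first, last, count = usable_range("192.168.0.0/16")
    print(f"192.168.0.0/16 -> {first} to {last} ({count} usable hosts)")
    print("192.168.10.5 is in", rfc1918_block("192.168.10.5"))
    print("172.32.0.1 is in", rfc1918_block("172.32.0.1"))  # just outside /12
```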

67.

Which of the following is a modern form of cryptography?

  • Elgamal

  • Caesar

  • Scytale

  • Vigenère

Correct answer: Elgamal

Elgamal is an asymmetric public-key algorithm created by Dr. Taher Elgamal. It was derived from Diffie-Hellman principles but was expanded to support an entire public-key cryptosystem. The main drawback of Elgamal is its performance. It also doubles the length of any message it encrypts.

Caesar cryptography was used by ancient Romans and worked by shifting the alphabet. Scytale cryptography was used by ancient Egyptians and Greeks. A message was wrapped around a stick of a given diameter. To read the message, you had to have a stick of the same diameter. Vigenère cryptography was developed in France in 1553. It uses a series of Caesar ciphers with different shift values. A keyword is used to create the shift values. This is a polyalphabetic substitution algorithm.

68.

Lily is circumventing security controls at her place of work. She has been in this role for several years and, though her access is limited, she has found ways of bypassing intended safeguards. Which of the following practices would MOST LIKELY have prevented this from occurring?

  • Rotation of duties

  • Separation of duties

  • Direct access control

  • Least privilege

Correct answer: Rotation of duties

Only rotation of duties would be effective in preventing this security breach, as it would help prevent Lily from having sufficient time in her role to discover and exploit weaknesses in the system.

Separation of duties is incorrect because it is not an access control measure and does not prevent "privilege creep" over time. Direct access control is incorrect because the correct term is Discretionary Access Control (DAC). With DAC, the data owner has the authority to specify what objects can be accessed. Least privilege is incorrect because least privilege access control only provides a user with the minimum amount of access needed for a system and would not result in bypassing safeguards.

69.

Which of the following is the international standard known as the "Common Criteria" from the International Standards Organization (ISO) and that evaluates information technology product security?

  • ISO 15408

  • ISO 14001

  • ISO 9000

  • ISO 9001

Correct answer: ISO 15408

International Standards Organization (ISO) 15408 is known as the "Common Criteria for Information Technology Security." It was developed as a standard for evaluating information technology products. ISO 15408 defines seven Evaluation Assurance Levels (EALs):

  • EAL1 – Functionally tested
  • EAL2 – Structurally tested
  • EAL3 – Methodically tested and checked
  • EAL4 – Methodically designed, tested, and reviewed
  • EAL5 – Semiformally designed and tested
  • EAL6 – Semiformally verified design and tested
  • EAL7 – Formally verified design and tested

ISO 14001 is the environmental management standard used to establish an Environmental Management System (EMS). ISO 9000 covers the basic concepts of quality management systems. ISO 9001 sets the requirements of a quality management system.

70.

When discussing firewall architecture, a screened subnet is BEST described as which of the following?

  • Three networks created using two routers or firewalls

  • A network protected by a firewall that only allows one-way connections

  • A network protected by a single router or firewall

  • A network where every transaction is authenticated by a firewall and authentication server like a RADIUS server

Correct answer: Three networks created using two routers or firewalls

A screened subnet creates three networks using two routers or firewalls. One network is the internal trusted network, the second is the network attached to the external untrusted network (usually the Internet), and the third is the network usually referred to as a Demilitarized Zone (DMZ). Designated systems, such as web servers, are placed in the DMZ with firewall policies that allow Internet users to reach them. This allows firewall administrators to expose only a small network to the Internet while keeping the private internal network shielded.

A network protected by a single router/firewall is sometimes referred to as a screened subnet, but the description above is the more commonly accepted one. A network that allows one-way connections only is not realistic. Individual transactions are not authenticated by a firewall, so that description is not realistic either.

71.

What is the BEST motive for an organization to create a Business Continuity Plan (BCP) or Disaster Recovery Plan (DRP)?

  • To reduce disaster-related risks to an acceptable level

  • To ensure policy and regulatory compliance

  • To eliminate all disaster-related risks

  • Members of the IT department are concerned with their ability to recover from a disaster

Correct answer: To reduce disaster-related risks to an acceptable level

The best motive for developing a Business Continuity Plan (BCP) or Disaster Recovery Plan (DRP) is to reduce disaster-related risks to an acceptable level. Senior management should be involved because they set the risk appetite of the organization, and they should be the driving force behind the creation of a BCP. Senior management is accountable to the stakeholders for the effectiveness of the plan. Organizations that try to create a BCP or DRP without senior management often do not align the goals of the BCP or DRP with the organization's risk appetite.

Regulatory compliance is incorrect because, while it's a good motive, it's not the best motive. To eliminate all disaster-related risks is incorrect because it is not possible to eliminate all risks. Discussing only the concerns of the IT department is incorrect because this represents a bottom-up approach. BCP and DRP creation should have senior management buy-in to ensure the risk levels align with senior management's risk appetite.

72.

Which of these penetration tests is MOST LIKELY to simulate an outside non-credentialed attack?

  • Zero-knowledge testing

  • Full-knowledge testing

  • Partial-knowledge testing

  • Purple team

Correct answer: Zero-knowledge testing

Zero-knowledge testing is most likely to simulate an outside non-credentialed attack, as the penetration tester has no knowledge of the network. In zero-knowledge testing, the penetration tester must combine their skills and resources to gain the information needed for an attack.

A full-knowledge test would involve the company being transparent and providing all necessary information to the penetration tester. A partial-knowledge test is where the tester has some knowledge of the company and its technology, as a user, contractor, customer, or vendor might. For example, a user who knows the operating system on their own computer might know something about the operating systems and applications in use, but not the network configuration, technologies, passwords, and so on. A purple team is a term reserved for individuals with both offensive and defensive skill sets; it is a combination of the red and blue teams.

73.

The idea that the "know-how" of a privileged task is divided among multiple users is known as what principle?

  • Split knowledge

  • Two-person control

  • Collusion

  • Dual ownership

Correct answer: Split knowledge

Split knowledge is a subset of the separation of duties. Split knowledge is the principle where the knowledge or "know-how" required to perform a privileged task is divided among multiple users. Hence, no single person has sufficient knowledge to compromise system security.

Two-person control is incorrect because it requires two individuals to carry out critical tasks but does not prohibit either individual from knowing the entire process. It requires that both individuals be present at the same time in order to carry out the task. Collusion is essentially teamwork; however, people collude to accomplish bad activities, whereas teamwork allows people to accomplish good activities. Dual ownership is not a normal status for an object to have.

74.

A corporation has recently begun using some software services from another company. They are concerned that their users may be using other services without approval. What tool can they use to confirm if this is true or not?

  • Cloud Access Security Broker (CASB)

  • Data Loss Prevention (DLP)

  • Intrusion Detection System (IDS)

  • Web Application Firewall (WAF)

Correct answer: Cloud Access Security Broker (CASB)

A Cloud Access Security Broker (CASB) is a security tool or service that helps organizations secure their use of cloud services. It acts as an intermediary between cloud service providers and users, providing visibility, control, and security features to protect data and applications in the cloud. CASBs offer features such as data encryption, access control, threat detection, and compliance monitoring to address security concerns associated with cloud computing. A CASB can therefore identify which cloud services users are actually accessing, including services that have not been approved.

Data Loss Prevention (DLP) is a set of technologies and strategies designed to protect sensitive data from unauthorized access, sharing, or theft. DLP solutions monitor and control data in motion, at rest, and in use to prevent data breaches, leaks, or loss. They use a combination of policies, encryption, monitoring, and blocking mechanisms to enforce data security policies and prevent confidential information from being exposed to unauthorized parties. DLP solutions are commonly used in organizations to safeguard sensitive data, comply with regulatory requirements, and mitigate the risks of data breaches.

An Intrusion Detection System (IDS) is a security tool or software application that monitors network or system activities for malicious activities or policy violations. IDS can detect unauthorized access attempts, malware activity, network scanning, and other suspicious behavior. It works by analyzing network traffic, system logs, and event data to identify potential security threats.

A Web Application Firewall (WAF) is a security tool designed to protect web applications from various cyber threats and attacks. It operates at the application layer of the Open Systems Interconnection (OSI) model, monitoring and filtering HTTP traffic between a web application and the internet. A WAF can detect and block malicious traffic, such as SQL injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and other web-based attacks.

75.

Jim is concerned about the physical security of the Heating, Ventilation, and Air Conditioning (HVAC) system. Of the following, what control BEST reduces the likelihood of someone entering the building through the ducts?

  • Protect HVAC ducts with barriers and decrease the size of the ducts

  • Add motion detectors in the ducts

  • Periodically analyze the ducts for tampering

  • Decrease the temperature to deter intruders

Correct answer: Protect HVAC ducts with barriers and decrease the size of the ducts

You can protect the ducts by using barriers and decreasing their size. If done correctly, this should prevent someone from climbing through them. Of the listed controls, this is the only preventive control.

Adding motion sensors and analyzing the ducts for tampering would be good ideas, but having barriers is a better idea to prevent someone from entering the ducts. Decreasing the temperature would decrease the temperature of the office space. This is not likely to be a welcome change by the employees and will not stop someone from crawling through the ducts.

76.

Open-source products can be beneficial for learning, home use, and even in enterprise environments. However, some drawbacks may exist and should be considered prior to implementation. What issue is MOST LIKELY to be associated with open-source products, potentially making them a less viable solution compared to proprietary paid solutions?

  • Limited support

  • Incompatibilities with modern technology

  • Cannot compete with proprietary solutions in any environment

  • Require payment after a certain timeframe

Correct answer: Limited support

Open-source products can sometimes have limited support, as the products aren't usually bound by stringent agreements with buyers as their closed-source counterparts may be. Open-source products may not have the same features as many closed-source/proprietary products in their market.

Incompatibility is not usually a large problem with modern technology. Open-source products can compete with proprietary solutions in different environments. Open-source does not necessarily mean that the software is free.

77.

Which of the following business continuity planning stages is PRIMARILY focused on establishing relative priorities through qualitative and quantitative evaluations?

  • Business impact analysis

  • Project scope and planning

  • Continuity planning

  • Approval and implementation

Correct answer: Business impact analysis

In business continuity planning, qualitative and quantitative evaluations are performed and relative priorities are established primarily during the Business Impact Analysis (BIA) stage. Qualitative evaluations might consider impacts on intangibles such as customer reputation, while quantitative evaluations typically rely on calculations such as Single Loss Expectancy (SLE) and Annualized Loss Expectancy (ALE) to measure the impact on tangible assets.

Project scope and planning, continuity planning, and approval and implementation each refer to different stages of business continuity planning. However, none of them are primarily focused on establishing relative priorities through qualitative and quantitative evaluations.

78.

A pentester must choose which tools to use for the exploitation phase of a penetration test. Of the following, which tool is LEAST LIKELY to be used?

  • Jack the Ripper

  • Hydra

  • Metasploit

  • Infection Monkey

Correct answer: Jack the Ripper

Jack the Ripper is not likely to be used for the exploitation phase of a penetration test, as it is the name of a notorious serial killer, not the name of a password-cracking program.

Metasploit is a program with built-in exploits for penetration testers to use, while Hydra is the name of a password-cracking program. Both can be found inside the Kali Linux operating system. Infection Monkey is an open-source Breach and Attack Simulation (BAS) program, which can be found on GitHub or the Akamai website.

79.

Digital rights management is the protection of digital assets through a variety of ways to ensure a user is authorized to use such assets. However, some of these protection methods can be useless when the user does not have internet connectivity. What technique is used to counter this limit to digital rights management and prevent the unauthorized use of digital assets?

  • Product keys and cryptographic algorithms

  • Requiring the user to connect to the internet each time

  • Digital watermarks

  • Homomorphic encryption

Correct answer: Product keys and cryptographic algorithms

Product keys and cryptographic algorithms work together to ensure the product key is legitimate for the asset. If the key does not function within this proprietary algorithm, the asset is useless to the user. This requires the user to connect to the internet only once, to activate the key and give it the ability to interact with the algorithm. If a key has already been activated, the company can detect that it has been stolen.

Users may try to create their own key since they have access to the algorithm. However, while the algorithm and code within the program can require activation of the key over the internet for its first use, they cannot require a connection for every use of the asset. Digital watermarks allow owners to track and identify assets, not prevent their use; they may also provide an audit trail and support the prosecution of users who have stolen the product. Homomorphic encryption would not prevent the unauthorized use of an asset. Instead, it allows computation on otherwise hidden code or data that may be sensitive or proprietary. Even with homomorphic encryption of assets, data must be visible while interacting with CPU registers and is not hidden from being read.

80.

A penetration tester is preparing a Breach Attack Simulation (BAS) on behalf of their Chief Information Security Officer (CISO). The CISO provides both the scope and depth required for the test, explaining that the company must ensure it can meet the standards of the upcoming quarterly audit. What BEST explains the difference between scope and depth regarding a penetration test?

  • Scope defines the systems involved; depth defines the detail of the act

  • Scope defines the detail of the act; depth defines the systems involved

  • Both scope and depth are the same in this context

  • Depth is not a term related to penetration testing

Correct answer: Scope defines the systems involved; depth defines the detail of the act

While scope and depth can sometimes be confused, scope defines what is involved and depth specifies how involved something is or how far businesses will go with a test.

Scope and depth come into play during every penetration test. A client will tell a penetration tester exactly what needs to be tested and how it will be tested. This is especially important, as failing to abide by these specifications may jeopardize an active workplace or even damage equipment. Scope and depth also relate to the permission given to a penetration tester, so going outside that permission range could lead to liability if things go wrong. Depending on the Breach and Attack Simulation (BAS) program, the depth and scope may be simple for a penetration tester to configure so that the test meets those requirements exactly. This reduces the chance of accidents and will certainly help a business prepare for any sort of audit with peace of mind.