ISC2 CISSP Exam Questions

Page 6 of 50

101.

An organization has selected a recovery site that balances cost and speed of recovery. Which of the following does this BEST describe?

  • Warm site

  • Hot site

  • Cold site

  • Mobile site

Correct answer: Warm site

Recovery sites can be classified based on the level of infrastructure that they provide and the amount of work needed to bring them online. The main types include:

  • Cold: A cold site provides a location and potentially infrastructure (power, Internet, etc.), but no devices. It is the cheapest site to maintain but the slowest and most expensive to bring online.
  • Warm: A warm site has more equipment than a cold site, potentially including some devices, but it requires other equipment to be added when the site is activated.
  • Hot: A hot site is an exact copy of the primary site with the same devices and the same data (potentially with some lag). It’s the most expensive type of site to maintain but the fastest to use.

Some disaster response groups use mobile sites, which build a server room in a shipping container or vehicle that can be easily transported to wherever it is needed.

102.

Which type of malicious software is MOST LIKELY used to achieve or maintain elevated privileges?

  • Rootkit

  • Covert channel

  • Spyware

  • Bot

Correct answer: Rootkit

A rootkit is used to achieve or maintain elevated privileges on a victim’s host. Rootkits frequently masquerade as system-level services to help remain undetected. Rootkits often have kernel-level access and are very difficult to detect or remove.

A covert channel is a hidden communication path created within a computer system. It allows unauthorized data transmission by exploiting system resources, protocols, or vulnerabilities, often evading detection and violating security policies. Spyware is malicious software that covertly gathers information from a user's device. It monitors online activities, collects sensitive data, and can track keystrokes or capture personal information, compromising privacy and security without user consent. A bot, short for robot, is an automated software program designed to perform tasks autonomously. Bots can execute actions online, from simple operations to complex interactions, often mimicking human behavior.

103.

An organization wants to ensure that data is stored, erased, and migrated in the most secure fashion. What technique would ensure data could not be accessed by unauthorized parties in any of these circumstances?

  • Strong encryption

  • Implementing Transport Layer Security (TLS)

  • Configuring a CASB prior to cloud migration

  • Destruction

Correct answer: Strong encryption

While each answer option may provide security in transit, at rest, or even at the end of the life cycle, strong encryption is the only method that would protect data at all stages. Data is encrypted in transit using Transport Layer Security (TLS), Secure Shell (SSH), or Internet Protocol Security (IPSec). It can be encrypted with AES 256 at rest and can be "erased" using a method called "cryptographic erasure," in which all keys associated with the encrypted data are destroyed. This leaves the data inaccessible, since no key remains and, when a strong enough encryption algorithm is used, the ciphertext cannot be recovered by modern decryption techniques.

Transport Layer Security (TLS) would only protect data in transit. A Cloud Access Security Broker (CASB) manages cloud security at the edge of a network. If done properly, destruction only protects data at the end of its life cycle. The question involves data being stored and migrated, which is not the end of the lifecycle.

104.

A Chief Information Security Officer (CISO) is interested in investing in new servers for their northeastern United States data center. The CISO finds that the cheapest servers have central processing units (CPUs) installed that are marked "end of life" (EOL) or "end of service" (EOS).

What do these terms mean, and what practice should MOST likely be followed to ensure maximum return on investment (ROI) of these servers?

  • EOL is the end of production of a product; EOS is the end of vendor support. They should not be considered for future use, as these products may be open to vulnerabilities or require additional configurations.

  • EOL is the end of support of a product by a vendor; EOS is the end of supply by a vendor or manufacturer. They should be considered for future use, as these products may be open to vulnerabilities or require additional configurations.

  • EOL and EOS are synonymous. Neither are a major concern to the organization.

  • EOL and EOS are synonymous regarding the end of support for a product. They should be given great consideration by any organization purchasing a product.

Correct answer: EOL is the end of life or the end of production of a product; EOS is the end of service or the end of vendor support. They should not be considered for future use, as these products may be open to vulnerabilities or require additional configurations.

Generally speaking, an organization would get the greatest return on investment (ROI) by purchasing new products that are supported by the vendor and are still being produced. Purchasing a product that is still mass produced means buying large quantities will not be a problem due to scarcity. Additionally, purchasing products that are past their end of life or end of service would likely require compensating controls to ensure these systems are still adequately protected.

105.

Which of the following types of agreements might an employee sign before being permitted to use company-owned devices?

  • AUP

  • NDA

  • NCA

  • SLA

Correct answer: AUP

An Acceptable Use Policy (AUP) describes how an employee is permitted to use company-owned IT assets. Employees may be required to sign one before being permitted to use these devices.

A Service Level Agreement (SLA) is a contract between a service provider and customer defining acceptable, contracted levels of service.

A Non-Disclosure Agreement (NDA) requires someone to protect sensitive company data against exposure to unauthorized parties.

A Non-Compete Agreement (NCA) specifies that a former employee cannot work for a competitor for a certain number of years after leaving the company.

106.

A cybersecurity analyst is asked by the CISO to conduct a vulnerability scan on all workstations. During this scan, an Apache web server vulnerability is found on an employee's workstation computer. Which of the following BEST describes this vulnerability finding?

  • False positive

  • True positive

  • False negative

  • True negative

Correct answer: False positive

A false positive is the false identification of a vulnerability. In this instance, a web server vulnerability was reported on a workstation computer. False positives are more likely with a non-credentialed scan than with a credentialed one, because a non-credentialed scan cannot gather full details about a system or network (for example, when a firewall limits what the scanner can see).

A true positive is a legitimate vulnerability discovered in a scan. A false negative is a real vulnerability that the scan failed to detect, while a true negative accurately informs an analyst that a vulnerability does not exist.

107.

Which fire suppressant system will not inflict harm on computers or humans and works by discharging gas onto the surface of the materials on fire, absorbing the heat, and lowering the temperature to sub-ignition levels?

  • FM-200

  • CO2

  • Nitrogen

  • Halon

Correct answer: FM-200

FM-200 uses HFC-227ea, leaves no residue, and does not require costly cleanup. FM-200 systems replaced halon. In 1994, the Montreal Protocol banned the creation of more halon. Halon is an environmental hazard because it depletes the ozone layer, which protects the earth.

CO2 is incorrect because carbon dioxide will harm computers and humans. Nitrogen is incorrect because it has no impact on a fire. Halon is incorrect because it is harmful to humans and is an environmental hazard.

108.

Which of the following does NOT involve a physical attack on a smart card?

  • Logic bomb

  • Differential power analysis

  • Side-channel attack

  • Clock frequency attack

Correct answer: Logic bomb

A physical attack on a smart card system occurs when physical conditions are altered or analyzed to gain unauthorized access. A logic bomb is a piece of malicious software that runs when a condition is met. An example of a logic bomb is when an employee programs actions into a custom-built application that are triggered if the creator is terminated from the company.

Differential Power Analysis (DPA) is a cryptographic attack technique that exploits variations in power consumption during cryptographic operations. By analyzing power differentials, attackers can infer secret encryption keys, potentially compromising the security of the system and revealing sensitive information.

A side-channel attack is a type of cryptographic attack that exploits unintended information leakage from a system, such as power consumption, electromagnetic radiation, or timing variations. By analyzing these side-channel signals, attackers can gain insights into the cryptographic keys or sensitive data being processed, potentially compromising the security of the system.

A clock frequency attack is a side-channel attack that exploits variations in the clock frequency of a computing device during cryptographic operations. By analyzing these fluctuations, attackers can infer information about the operations being performed, potentially revealing sensitive data or cryptographic keys. Countermeasures, such as constant-time algorithms, are used to mitigate the risks posed by clock frequency attacks.

109.

High humidity can become a serious problem for computer systems. What will MOST LIKELY occur if a computer system is exposed to high humidity for a prolonged amount of time?

  • Corrosion

  • Static electricity

  • Electrical shorting out

  • Loss of data

Correct answer: Corrosion

Corrosion is a serious problem associated with the buildup of moisture that occurs with higher humidity. Data centers should have humidity controls that balance moisture in the air at the right levels.

Low humidity can lead to an increase in static electricity, which can lead to electrical shorts and data loss. An electrical short occurs when a 'hot' wire comes into contact with a neutral wire. It can happen through direct physical contact or through an arc of electricity from the hot wire, and it is not caused by humidity levels. Any of these problems could cause a loss of data. However, the question focuses on humidity and the computer system, so corrosion is the most direct problem.

110.

Which of the following is a type of firewall designed to identify whether a packet is valid within the context of the overall conversation?

  • Stateful

  • Static packet filtering

  • Circuit-level

  • Application-level

Correct answer: Stateful

A stateful firewall monitors the current state of network connections and blocks packets that are invalid in context (OSI Layers 3 and 4).

A static packet-filtering firewall (also called a screening router or stateless firewall) evaluates each packet independently based on its header fields (OSI Layer 3).

A circuit-level firewall ensures that the TCP handshake was completed and conceals information about the protected network. (Theoretically OSI Layer 5, but it also looks at TCP data at Layer 4.) SOCKS proxies are examples of circuit-level firewalls.

An application-level firewall understands application-specific traffic and can filter traffic accordingly (OSI Layer 7). A Web Application Firewall (WAF) is an example of an application-level firewall.

111.

Tina downloads a driver pack for a universal plug-and-play printer. This driver pack also monitors web browsers for saved passwords and uploads them to a botnet. Of the following, what is the driver pack MOST LIKELY considered to be?

  • Trojan

  • Worm

  • Virus

  • Ransomware

Correct answer: Trojan

A Trojan, sometimes called a Trojan Horse, is a malicious program disguised as a legitimate program. A well-designed Trojan won’t have any noticeable differences from legitimate software to the end-user. Administrators should ensure the software is signed by a trusted software provider to reduce the likelihood of a Trojan being introduced into the environment.

A worm is malicious software that replicates and spreads on its own; no user interaction is necessary. A virus is malicious software that replicates and spreads after the user takes some action. It is possible that a Trojan contains a virus. The defining element in the question is the fact that the user downloaded something they wanted, a driver. That moves this into the Trojan Horse category: something the user wants on the outside, and something they do not want hidden on the inside. Ransomware is malicious software, or actions taken by a bad actor, that encrypts the user/target's data without their permission or knowledge.

112.

Which of the following attacks BEST exploits a flaw in a system’s ability to reassemble oversized fragmented packets?

  • Teardrop attack

  • Address Resolution Protocol (ARP) poisoning attack

  • Birthday attack

  • Buffer overflow attack

Correct answer: Teardrop attack

A teardrop attack exploits a flaw in a system’s ability to reassemble oversized fragmented packets. Attackers intentionally send oversized fragmented packets with an offset and size that are incorrect, causing the victim system to crash when they are reassembled.

An Address Resolution Protocol (ARP) poisoning attack is a cyber-attack where an attacker sends false Address Resolution Protocol (ARP) messages to link their Media Access Control (MAC) address with a legitimate Internet Protocol (IP) address, intercepting and manipulating network traffic. Birthday attacks are a cryptographic exploit that leverages the probability of two different inputs producing the same hash value. Attackers use this likelihood to compromise hash functions and forge digital signatures or certificates. Buffer overflow attacks occur when a program writes more data to a memory buffer than it can hold, causing excess data to overflow into adjacent memory locations. This vulnerability can be exploited to execute malicious code or crash the system.

113.

Which of the following BEST ensures that access to an object is denied unless it has been explicitly allowed?

  • Implicit deny

  • Access control matrix

  • Explicit deny

  • Least privilege

Correct answer: Implicit deny

A fundamental principle of access control is implicit deny. The implicit deny principle ensures that access to an object is rejected unless it has been explicitly granted to a subject. It is very common for firewalls to use implicit deny to block network access to resources that have not been granted.

Explicit deny is the process of specifically denying access to particular subjects. This would require a lot of work to ensure that each user, Internet Protocol (IP) address, Media Access Control (MAC) address, etc. is not allowed access. An access control matrix is a chart that shows the level of access subjects should be granted to objects. Least privilege is the concept that a user should only be granted the permissions they require to perform their job. In other words, the fewest permissions possible: if the user only needs read access, they should receive only read access.

114.

With exception handling, which of the following options is LEAST likely to be included in a report?

  • Means of remediation

  • Compensating controls

  • Risk details

  • Time

Correct answer: Means of remediation

Means of remediation is not a term defined with exception handling. However, it would be categorized most closely with compensating controls.

Compensating controls are the controls put in place to counter a weakness or vulnerability in a network. Compensating controls are used to "make up for" the lack of something else. Risk details describe the risk at hand, which leads to implementing a compensating control. Risk details can be a lack of encryption, lack of segmentation, open ports, etc. Time is also important, as this exception would likely be temporary until a permanent fix can be determined.

115.

Stealthy Security Suites & Beats wants to implement runtime application self-protection for any new software being introduced into the workplace. What BEST describes what Runtime Application Self-Protection (RASP) does for cybersecurity in a business?

  • Follows a program as it runs to ensure each function and to spot and prevent unusual behavior

  • Prevents a program from crashing during boot

  • Conducts static analysis on potentially malicious programs

  • Enhances the efficiency of a program to run more smoothly

Correct answer: Follows a program as it runs to ensure each function and to spot and prevent unusual behavior

Runtime Application Self-Protection (RASP) is a security application that ensures all software runs as it should and does not execute behavior that may be malicious. RASP inspects the code associated with the program, observes what is set to occur at runtime, and determines whether it is malicious.

RASP doesn't necessarily prevent a program from crashing at boot, conduct a static analysis, or enhance the efficiency of a program. In fact, RASP is known to slow programs down and sometimes hinder performance. The protection it offers occurs during a dynamic analysis, not static.

116.

Jim is the security manager for a manufacturing company and is training a new employee. He is explaining the primary purpose of data classification. Of the following, what is the BEST reason to classify an organization's data?

  • To define the requirements for protecting data

  • To define the requirements for remotely backing up data

  • To define the requirements for storing and retaining data

  • To define the requirements for transmitting data

Correct answer: To define the requirements for protecting data

Identifying the security classification for data and defining the requirements to protect the data is the primary purpose of data classification. It defines how to protect data at rest and in transit, and how to back it up. In this case, the best answer is the most inclusive answer. Protecting data is generic enough to include the other three answers.

The other three answers are not necessarily wrong, but protecting data is more all-encompassing.

117.

Which of the following is MOST LIKELY to prevent a Structured Query Language (SQL) injection attack?

  • Input validation

  • The use of an Open DataBase Connectivity (ODBC) connector

  • Preventing schema changes

  • Making attributes read-only

Correct answer: Input validation

Structured Query Language (SQL) injection attacks happen when an application interface does not properly validate an input. This allows an attacker to send SQL commands as application input and manipulate or alter data within the database.

Open DataBase Connectivity (ODBC) is a standard Application Programming Interface (API) used to communicate with databases. It would not prevent an SQL injection attack. That must be done at the source, where the user enters text, or by filtering at the database. ODBC is also distinct from SQL itself. Preventing schema changes and making attributes read-only help control certain attacks, but they do not prevent SQL injection.

118.

Kalista has been working with the physical security department as they review their security around the data center. One of the things that they have is a fence around the parking garage and another around the data center. They are looking to add motion sensors at the perimeter of the facility grounds. Which of these is a type of motion detector?

  • Wave pattern

  • Proximity

  • Mantrap

  • Horizontal distribution

Correct answer: Wave pattern

Wave pattern motion detectors send an ultrasonic or high-frequency microwave to a specific, secured area. The pattern is consistent when no object is present. When an object is present, it disrupts the wave pattern and triggers an alarm.

A mantrap is also known as a double-door system. It involves an outer door that the person can pass through after using something like a proximity card. Then there is a small area where the person is 'trapped'. To pass through the second door, they could use something like a biometric reader and a PIN. This type of system is good to place at the entrance to a data center.

A horizontal distribution system provides the connection area within the building that makes it possible to connect the cables from the data center/server room to the user's work areas. It typically includes switches and patch panels.

Proximity sensors are used to read things like smart cards. When you wave your badge/card near a reader, it is the proximity sensor that enables the reading of the card.

119.

While testing new software at Maple Leaf Industries, a software engineer is conducting synthetic transactions before allowing its usage in the workplace. What BEST describes the purpose of these synthetic transactions?

  • To ensure there are no errors with the expected output

  • To ensure software completes the expected tasks

  • To improve workplace productivity

  • To provide the new software with additional packages to ensure functionality if needed

Correct answer: To ensure there are no errors with the expected output

Synthetic transactions check that the expected output is produced when a request is made. This is excellent practice for testing code and validating input, especially against potential attacks. It goes beyond simply ensuring expected tasks are completed and increasing productivity, and it does not provide software with additional packages. The main premise behind synthetic transactions is to feed input to the code and determine what the output is. Any other benefit is additional, but should not be the focus of this practice.

Ensuring software completes the expected tasks is close, but the test should ensure that there are no errors in the completion of the task, so the correct answer is more specific. Improving workplace productivity is a completely different topic; synthetic transactions are about testing the software. Improving productivity could involve changing or fixing software, but it could also be about processes that people follow, or management changes that improve productivity. Providing new software with additional packages is not a test; synthetic transactions are.

120.

Which issue would MOST likely be associated with a Central Processing Unit (CPU) that was at its End of Life (EOL)?

  • Reduction of replacement parts

  • Lack of customer support

  • Immediate increase in patching vulnerabilities

  • Immediate end of patching and security support

Correct answer: Reduction of replacement parts

A Central Processing Unit (CPU) that is at its End of Life (EOL) will immediately experience a reduction of replacement parts since there are no more of the CPUs being produced. This means a company can no longer immediately be promised a replacement by a manufacturer and will therefore have to rely on used parts and/or those still in stock by retailers. As time goes on, this supply will also decrease.

Customer support would still exist when an asset enters EOL, because the CPU in this example is still within its service lifetime; End of Service Lifetime (EOSL) comes after EOL. For the same reason, patching and security support will still exist. However, this does not necessarily mean there will be an immediate increase in vulnerabilities, or that a rise in vulnerabilities will ever occur.