ISC2 CISSP Exam Questions

Page 7 of 50

121.

What cryptographic attack replays a captured password hash to authenticate?

  • Pass-the-hash

  • Brute force

  • Spraying

  • Dictionary

Correct answer: Pass-the-hash

A pass-the-hash attack is a cryptographic attack that replays a captured password hash to authenticate. In a pass-the-hash attack, knowledge of the underlying password is not required.

A brute force attack attempts every possible combination of characters to crack a password. A spraying attack is a type of brute force attack that introduces a delay between attempts (by looping through different accounts and/or systems) to avoid tripping account lockout controls. A dictionary attack attempts every possible entry in a predefined dataset, such as a dictionary.

122.

The process whereby an object in Object Oriented Programming (OOP) receives some of its characteristics from a class is called which of the following?

  • Inheritance

  • Encapsulation

  • Class hierarchy

  • Delegation

Correct answer: Inheritance

Inheritance refers to the process of objects getting characteristics from a class. Inheritance is a concept from Object Oriented Programming (OOP). This feature of the OOP methodology allows developers to reuse code in different projects and sections of an application without recoding those sections. It also organizes the code so that the developer can build software in components.

Encapsulation is incorrect because it is the packaging of an object so that everything inside of the object is hidden. Class hierarchy is incorrect because it is a structure for the collection of objects and classes. Delegation is incorrect because it is when an object receives a message requesting a method it does not have.

123.

Mario is the data owner of a file and grants access to his subordinate without involving the Information Technology (IT) department. What type of access control model does Mario’s organization MOST LIKELY use?

  • Discretionary Access Control (DAC)

  • Mandatory Access Control (MAC)

  • Role-Based Access Control (RBAC)

  • Attribute-Based Access Control (ABAC)

Correct answer: Discretionary Access Control (DAC)

A system that employs Discretionary Access Controls (DACs) allows the data owner to control and define access to that object. All objects have owners and access control is based on the discretion or decision of the owner.

Mandatory Access Control (MAC) uses classification and labels to define user access. Role-Based Access Control (RBAC) maps a subject’s role with their needed operations and tasks. Attribute-Based Access Control (ABAC) uses a variety of attributes to determine access. These can be a variety of conditions such as time of day, location of data, and status of firewall/anti-virus/patch level of the client system.

124.

Kathryn is the human resources manager for a hospital. She proceeds to log in to her workstation by first tapping her smart card against a reader connected to the workstation and then entering her Personal Identification Number (PIN) on the keyboard. What BEST describes the role of the PIN?

  • Authentication

  • Identification

  • Accountability

  • Authorization

Correct answer: Authentication

A Personal Identification Number (PIN) is a sequence of numbers that verifies or authenticates a user's identity. Examples of authentication mechanisms are passwords, biometrics, and encryption keys. In this scenario, the smart card provides the user's identification, and the PIN provides authentication.

Identification is the act of claiming to be someone or something. It is the equivalent of stating your name when you meet someone. Authentication is the act of proving that claimed identity. There are three factors that can be used to prove identity: something you know (factor 1), something you have (factor 2), and something you are (factor 3). Authorization is the granting of permissions such as read, write, full control, tag, or list. Accountability is the logging of the activities that have occurred, for example, mistyped passwords or logging in. It allows the corporation to hold the user accountable for the actions they take.

125.

Greta is installing a network-based Data Loss Prevention (DLP) appliance to ensure trade secrets are not accidentally leaked outside the organization. Of the following, which is the MOST important for the DLP appliance to work as designed?

  • Data classification

  • Centralized network

  • Endpoint protection

  • Proxy server

Correct answer: Data classification

Data must be correctly classified before the Data Loss Prevention (DLP) appliance can prevent it from being leaked. If data is incorrectly classified, the DLP appliance may allow sensitive information to leave the organization.

Endpoint protection is software added to the end device, such as anti-virus, anti-malware, a firewall, etc. The question is about an appliance, which is a network-based device installed in the server room or data center. A proxy server is effectively a layer 7 firewall. It terminates the user's connection and then reinitiates that connection to the external server. This way, the proxy can analyze the traffic leaving or entering the network. A centralized network is one in which a central server controls the network. It is one of the configurations for blockchains.

126.

Of the following, which protocol has native payload encryption?

  • Internet Protocol Security (IPSec)

  • Layer 2 Forwarding (L2F)

  • Layer 2 Tunneling Protocol (L2TP)

  • Point to Point Tunneling Protocol (PPTP)

Correct answer: Internet Protocol Security (IPSec)

Internet Protocol Security (IPsec) is a suite of protocols that provides protection at the network layer of the Open System Interconnection (OSI) model. IPsec is frequently used to establish a Virtual Private Network (VPN) between two routers. IPsec protects the original IP packet by encrypting or hashing it and adding a new AH or ESP header along with a new IP header. Layer 2 Tunneling Protocol (L2TP) uses IPsec to encrypt its tunnels. IPsec-specific protocols are:

  • Authentication Header (AH) provides integrity of the packet and adds an AH header.
  • Encapsulating Security Payload (ESP) provides the confidentiality of the packet and adds an ESP header.
  • Internet Key Exchange (IKE) is used to negotiate tunnel parameters.

Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Forwarding (L2F) do not offer any encryption options. PPTP, L2F, and L2TP are listed in the order in which these protocols evolved; it is only once we get to L2TP that encryption is added through the use of IPsec.

127.

An employee receives a suspicious e-mail containing a link to what appears to be files pertaining to an upcoming workplace education training seminar. Curious and eager to complete the training as soon as possible, the employee clicks the link to the files within the e-mail. Immediately after, the employee downloads the files and notices multiple command prompt windows flash onto the screen and quickly disappear. The documents in these files appear to be workplace training, so the employee doesn't think anything of it. A few weeks later, another company begins a new line of food products that appears to have very similar ingredients to some of the foods that have existed at the employee's organization for years. What practice would MOST LIKELY have prevented this issue from occurring?

  • Proper asset handling and management

  • Forwarding the e-mail to a supervisor

  • Asking other employees about the training first

  • Replying to the e-mail

Correct answer: Proper asset handling and management

Proper asset handling and management involves not only educating anyone involved in the process but setting up safety mechanisms as well. Although this is a clear indicator of a lack of security training on behalf of the employee, it's equally important to know that even the most trained personnel make mistakes sometimes. To ultimately prevent this from happening, the proprietary information should not have been stored on or accessible from the same network employees operate on for normal activities. Additionally, the information should have been encrypted to prevent it from even being readable by outsiders. This is a prime example of how proper asset handling and management can go a long way. Hopefully, the organization has the means to prove their trade secret was created by them first and is the same as what is being used by the competitor.

Forwarding the e-mail to a supervisor, asking other employees about the training first, and replying to the e-mail might assist the employee in ensuring the e-mail is legitimate. However, reaching out to the supervisor may not be helpful if the supervisor isn't the only one able to schedule and distribute training notifications. Other employees may not have any more knowledge about the information than this person does. Replying to the e-mail would involve the targeted employee trusting the attacker.

128.

The Information Technology (IT) department at a major organization is searching for a secure way to host a web server to simplify the company's workflow and relay information to the public as quickly as possible. However, management recognizes the risk with web servers and source code vulnerabilities. What can management and IT refer to for securing their web servers?

  • Open Web Application Security Project (OWASP) Top Ten list

  • MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) Framework

  • National Institute of Standards and Technology (NIST) 800

  • Non-credentialed vulnerability scans for the attacker's perspective

Correct answer: Open Web Application Security Project (OWASP) Top Ten list

The Open Web Application Security Project (OWASP) Top Ten list is a list of the ten most critical web application risks. Among the list are insufficient logging, security misconfiguration, and using components with known vulnerabilities. These are risks associated with any business, so educating employees properly will ensure these issues (and many more not on the list) are significantly reduced.

The MITRE ATT&CK Framework is a detailed catalog of techniques used by attackers, which can sometimes be used by penetration testers to replicate attacks. Although it would be helpful to the company, it would contain plenty of unnecessary information not tailored to the business's needs. National Institute of Standards and Technology (NIST) 800 is a federal standard for all government systems and for anyone under contract with the government. Non-credentialed scans from the attacker's perspective may not be as accurate as one would hope, as they can provide inaccurate results and fail to reveal the true vulnerabilities. This is typically caused by a firewall interfering with the vulnerability scans and hiding some information to prevent attacks.

129.

A process is a program loaded in memory. What BEST describes what a thread is?

  • An individual instruction set

  • A string of ones and zeros

  • The implementation string of a process

  • The path that a process follows

Correct answer: An individual instruction set

A thread is an individual instruction set that must be executed by the CPU. Threads can execute in parallel with other threads that are part of the same parent process. This is known as multithreading. Threads are dynamically created and destroyed by the parent process. A process is a program loaded in memory.

Computers use ones and zeros to represent data, operating systems, programs, and everything else. Eight bits (ones and zeros) are used to represent a single character, such as the letter ‘A.’

The path that a process follows could relate to the sequence of steps or operations that a process follows during its execution. In software, this might be represented by a series of function calls, method invocations, or state transitions.

The implementation string of a process is not a term commonly used.

130.

Which of the following is NOT a valid phase of a penetration test?

  • Lessons learned

  • Information gathering and discovery

  • Exploitation

  • Reporting

Correct answer: Lessons learned

The following are the five phases of a penetration test:

  1. Planning/Footprinting
  2. Information gathering and discovery/Enumeration
  3. Vulnerability scanning
  4. Exploitation
  5. Reporting

131.

Of the following, which type of virus modifies its code in order to avoid detection as it travels from system to system?

  • Polymorphic

  • Multipartite

  • Rootkit

  • Worm

Correct answer: Polymorphic

Polymorphic viruses modify their code as they travel from system to system. The virus's propagation and destruction techniques remain the same, but the virus's software signature is different each time it infects a new system. This is because, as the code changes, the hash output of the virus also changes.

Multipartite is a virus that combines multiple elements. For example, if there is a virus that spreads through the email system, it is an email virus, but if it also mutates over time, it is a polymorphic virus as well. However, the question is only asking about a virus that mutates. Therefore, polymorphic is the better answer. Rootkits are installed at the root level of the system. They are often not visible when you are logged into the operating system. They also give the attacker full access to the computer. A worm spreads all on its own. The first was the Morris worm. It effectively crawls into a computer, does its damage, and then crawls back out looking for another computer to damage.

132.

Which of the following software development methodologies was created FIRST?

  • Waterfall model

  • Spiral model

  • Agile model

  • Capability Maturity Model

Correct answer: Waterfall model

Originally developed by Winston Royce in 1970, the waterfall model views a system's development life cycle as a series of iterative steps. The waterfall model has six stages. Generally, you cannot skip or go back to steps using the waterfall model. The waterfall model was one of the first comprehensive attempts to model the software development process.

Spiral was developed in 1986 by Barry Boehm. Agile was developed in 2001. Capability Maturity Model (CMM) is not a software development methodology. CMM was designed to determine a company's level of maturity in the skill of software development. It was replaced by the Capability Maturity Model Integration (CMMI) because CMM just did not integrate into the business well, even though it was a very good maturity model. As a side note, there is another CMM today, specifically the Systems Security Engineering CMM, as defined in International Standards Organization (ISO) 21827.

133.

Which of the following BEST describes what a chain of custody does?

  • Documents everyone who handled evidence

  • Identifies the Initialization Vector (IV) used in Cipher Block Chaining (CBC)

  • List of all authorized individuals with write access to a secure system

  • Legal procedure to prove ownership of a stolen asset

Correct answer: Documents everyone who handled evidence

The chain of custody is chronological documentation or a paper trail showing the seizure, custody, control, transfer, analysis, and disposal of evidence. The chain of custody (also called the chain of evidence) documents all individuals who handled the evidence and helps ensure that evidence can be used in court proceedings.

The Initialization Vector (IV) used in Cipher Block Chaining (CBC) is a random number. The only similarity to the question is the word chain. A list of authorized individuals is called an access control list. A legal procedure to prove ownership of a stolen asset is just that, a legal procedure.

134.

According to the basic concepts of security controls, which type is BEST at reducing risk?

  • Preventive controls

  • Detective controls

  • Corrective controls

  • Deterrent controls

Correct answer: Preventive controls

Preventive controls are the best at reducing risk since they directly stop an unwanted action. Detective, corrective, deterrent, recovery, and compensating controls also reduce risk but work in a complementary manner with preventive controls that help create an organization's overall security posture. Preventive controls include gates, fences, anti-virus software, and smart cards.

Detective controls inform by recording or notifying the operations center that there are problems somewhere. Corrective controls return broken systems or services to a functional state. This state is likely not a normal state, but it does allow the business to continue. Recovery controls would return the system back to a normal state. Deterrent controls have the effect that the threat actor would be dissuaded from launching an attack.

135.

Jim is a quality assurance manager for a machine shop. He logs in to his workstation using a username and password. What BEST describes the role of the username?

  • Identification

  • Authentication

  • Authorization

  • Accountability

Correct answer: Identification

Identification is the process of a subject claiming, or professing, an identity. A subject must provide an identity to a system to start the authentication, authorization, and accountability processes. Providing an identity might entail typing a username, Personal Identification Number (PIN), email address, account number, etc.

In this scenario, the username provides the user's identification, and the password provides authentication. Authentication is the process of verifying the identity using one or more factors of identification. The factors are (1) something you know, (2) something you have, and (3) something you are. Authorization is the process of granting permissions, e.g., read, write, full control, tag, etc. This could be done using Access Control Lists (ACL), Role-Based Access Control (RBAC), etc. Accountability is the process of creating a log of what happened. This allows the corporation to hold the user accountable for their account and actions. This is also known as accounting or auditing at times.

136.

Of the following, what data state is MOST LIKELY to be considered in motion?

  • Data traversing the network

  • Data in RAM

  • Data written to a disk

  • Data in a CPU register

Correct answer: Data traversing the network

Data traversing the network is considered to be in motion.

Data in RAM is in use. Data written to a disk is at rest. Data in a CPU register is in use.

137.

When discussing risk analysis, which of the following BEST describes weakness?

  • Vulnerability

  • Risk

  • Safeguard

  • Threat

Correct answer: Vulnerability

A vulnerability is a weakness in a system. When a threat agent exploits a vulnerability, it can cause loss. Vulnerabilities could be flaws in a system or flaws in a process.

Risk is defined, most commonly, with the two ideas of likelihood and impact. Risk is the likelihood, or chance, of a threat being realized and the impact it would have on that system/business. A threat is any circumstance or event that has the possibility of impacting the confidentiality, integrity, and/or availability of a system, and therefore a business, for example the theft of a laptop.

A safeguard is defined in two ways. One school of thought says that safeguards, countermeasures, and controls are all the same thing. So, a safeguard is a control that is added to reduce the likelihood and/or the impact of a potential threat. The second school of thought defines safeguards and countermeasures as two different types of controls: safeguards as preventive in nature and countermeasures as reactive in nature. For example, a cable lock on a laptop has the intention of preventing the theft of the laptop (emphasis on intention). In the event the laptop is stolen, Mobile Device Management (MDM) could be used to locate the device or send a command to overwrite the existing data on the drive in that laptop.

138.

Which of the following terms refers to the technique of adding a term or phrase to the header of a communication to enhance its effectiveness as a social engineering attack?

  • Prepending

  • Smishing

  • Shoulder surfing

  • Baiting

Correct answer: Prepending

Prepending refers to the technique of adding a term or phrase to the header of a communication to enhance its effectiveness as a social engineering attack. Prepending is commonly employed in phishing e-mails. Examples include spoofed subject tags such as "RE:" or "[INTERNAL]" to support pretexts, or spoofed header tags in the content body (e.g. "X-SPAM-STATUS: NO") to trick spam filters.

Smishing refers to a phishing attack that is attempted or executed over SMS (Short Message Service) text messaging. Shoulder surfing refers to the technique of obtaining privileged information through observation from a position of proximity (e.g. watching a password or PIN being typed through an office window or reading the laptop display of someone adjacently seated on an airplane). Baiting refers to the practice of leaving compromised portable media in a public location in a manner that entices its use from a secure, nonpublic location (for example, leaving an infected USB drive labeled "staff salaries" in the lobby of an office building).

139.

Which of the following is the BEST control an organization might establish to increase security?

  • Mandatory vacations and job rotation

  • Decrease in salary for causing security events

  • Random desk inspections

  • Frequent drug testing

Correct answer: Mandatory vacations and job rotation

The purpose of job rotation and mandatory vacations is to act as a deterrent and a detection tool. If an employee knows that someone will be taking over their job functions soon, they are less likely to participate in fraudulent activities. If someone does do something fraudulent, job rotation increases the likelihood it will be discovered. If an employee is given a mandatory vacation, someone is able to audit their work and discover fraudulent activities.

A decrease in salary for causing security events will only keep people from coming forward if there is a security event. Random desk inspections are not as effective as mandatory vacations and job rotation. Frequent drug testing only detects drug use which may or may not impact the organization negatively.

140.

Of the following, which concept is the MOST essential in Object-Oriented Programming (OOP)?

  • Class

  • Routine

  • Multithreading

  • Library

Correct answer: Class

Object-Oriented Programming (OOP) relies on the relationship between classes and objects. Objects inherit information from their assigned class. This allows programmers to be more efficient with their code. OOP code scales better and is easier to modify.

A library is a collection of pre-written code, modules, functions, and resources that programmers can use to accelerate and simplify the development of software applications. Multithreading is a programming concept where multiple threads, or lightweight processes, run concurrently within a single program. It enhances performance by allowing tasks to be executed independently, improving efficiency in parallel processing. A software routine is a set of instructions or code designed to perform a specific task or function within a larger program, aiding in modularity and code reusability.