CISSP - Question Bank

Test your knowledge of CISSP with these multiple choice questions. Each Question Bank includes 20 practice questions that have been designed to measure your knowledge of key ideas.

A key factor to keep in mind is that guessing is better than not answering a question.

Every single question on the CISSP exam is a four-option multiple choice question with a single correct answer. Some are straightforward, such as asking you to select a definition. Some are a bit more involved, such as asking you to select the appropriate concept or best practice. And some questions present you with a scenario or situation and ask you to select the best response.

Start
Q1. In what phase of the Capability Maturity Model for Software (SW-CMM) are quantitative measures utilized to gain a detailed understanding of the software development process?

A. Repeatable
B. Defined
C. Managed
D. Optimizing

View Answer
The Correct Answer is C.
Explanation: The Managed phase of the SW-CMM involves the use of quantitative development metrics. The Software Engineering Institute (SEI) defines the key process areas for this level as Quantitative Process Management and Software Quality Management.
Q2. You are the security administrator of a large law firm. You have been asked to select a security model that supports your organization’s desire to ensure data confidentiality and integrity. You must select one or more models that will protect data from internal and external attacks. What security model(s) will you choose? (Choose all that apply.)

A. Bell-LaPadula
B. Take Grant Model
C. Clark-Wilson
D. TCSEC

View Answer
The Correct Answers are A and C.
Explanation: Because your organization needs to ensure confidentiality, you should choose the Bell-LaPadula model. To ensure the integrity of your data, you should also use the Clark-Wilson model, which addresses separation of duties. This feature offers better protection from internal and external attacks.
Q3. Why are military and intelligence attacks among the most serious computer crimes?

A. The use of information obtained can have far-reaching detrimental strategic effect on national interests in an enemy's hands.
B. Military information is stored on secure machines, so a successful attack can be embarrassing.
C. The long-term political use of classified information can impact a country’s leadership.
D. The military and intelligence agencies have ensured that the laws protecting their information are the most severe.

View Answer
The Correct Answer is A.
Explanation: The purpose of a military and intelligence attack is to acquire classified information. The detrimental effect of using such information could be nearly unlimited in the hands of an enemy. Attacks of this type are launched by very sophisticated attackers. It is often very difficult to ascertain what documents were successfully obtained. So when a breach of this type occurs, you sometimes cannot know the full extent of the damage.
Q4. What is the length of a message digest produced by the MD5 algorithm?

A. 64 bits
B. 128 bits
C. 256 bits
D. 384 bits

View Answer
The Correct Answer is B.
Explanation:The MD5 algorithm produces a 128-bit message digest for any input.
Q5. Which of the following is most likely to detect DoS attacks?

A. Host-based IDS
B. Network-based IDS
C. Vulnerability scanner
D. Penetration testing

View Answer
The Correct Answer is B.
Explanation: Network-based IDSs are usually able to detect the initiation of an attack or the ongoing attempts to perpetrate an attack (including DoS). They are, however, unable to provide information about whether an attack was successful or which specific systems, user accounts, files, or applications were affected. Host-based IDSs have some difficulty with detecting and tracking down DoS attacks. Vulnerability scanners don’t detect DoS attacks; they test for possible vulnerabilities. Penetration testing may cause a DoS or test for DoS vulnerabilities, but it is not a detection tool.
Q6. How is annualized loss expectancy (ALE) calculated?

A. SLE*AS (single loss expectancy * asset value)
B. AS*EF (asset value * exposure factor)
C. ARO*V (annualized rate of occurrence * vulnerability)
D. SLE*ARO (single loss expectancy * annualized rate of occurrence

View Answer
The Correct Answer is D.
Explanation: Annualized loss expectancy (ALE) is the possible yearly cost of all instances of a specific realized threat against a specific asset. The ALE is calculated using the formula SLE*ARO.
Q7. At what height and form will a fence deter determined intruders?

A. 3- to 4-feet high chain link
B. 6- to 7-feet high wood
C. 8-feet high with 3 strands of barbed wire
D. 4- to 5-feet high concrete

View Answer
The Correct Answer is C.
Explanation: A fence that is 8 feet high with 3 strands of barbed wire deters determined intruders.
Q8. A VPN can be established over which of the following?

A. Wireless LAN connection
B. Remote access dial-up connection
C. WAN link
D. All of the above

View Answer
The Correct Answer is D.
Explanation: A VPN link can be established over any other network communication connection. This could be a typical LAN cable connection, a wireless LAN connection, a remote access dial-up connection, a WAN link, or even an Internet connection used by a client for access to the office LAN.
Q9. What is the Biba access control model primarily based upon?

A. Identity
B. Analog
C. Military
D. Lattice

View Answer
The Correct Answer is D.
Explanation: Biba is also a state machine model based on a classification lattice with mandatory access controls.
Q10. Which one of the following database backup techniques requires the greatest expenditure of funds?

A. Transaction logging
B. Remote journaling
C. Electronic vaulting
D. Remote mirroring

View Answer
The Correct Answer is D.
Explanation: Remote mirroring maintains a live database server at the remote site and comes at the highest cost.
Q11. What is the value of the logical operation shown here?
X: 0 1 1 0 1 0
Y: 0 0 1 1 0 1
___________________________
X ∨ Y: ?

A. 0 1 1 1 1 1
B. 0 1 1 0 1 0
C. 0 0 1 0 0 0
D. 0 0 1 1 0 1

View Answer
The Correct Answer is A.
Explanation: The ∨ symbol represents the OR function, which is true when one or both of the input bits are true.
Q12. Which one of the following security modes does not require that a user have a valid security clearance for all information processed by the system?

A. Dedicated mode
B. System high mode
C. Compartmented mode
D. Multilevel mode

View Answer
The Correct Answer is D.
Explanation: In multilevel security mode, some users do not have a valid security clearance for all information processed by the system.
Q13. You are the security administrator for an international shipping company. You have been asked to evaluate the security of a new shipment tracking system for your London office. It is important to evaluate the security features and assurance of the system separately to compare it to other systems that management is considering. What evaluation criteria should you use (assume the year is 1998)?

A. TCSEC
B. ITSEC
C. The Blue Book
D. IPSec

View Answer
The Correct Answer is B.
Explanation: ITSEC was developed in Europe for evaluating systems. Although TCSEC (also called the Orange Book) would satisfy the evaluation criteria, only ITSEC evaluates functionality and assurance separately.
Q14. What is the last phase of the TCP/IP three-way handshake sequence?

A. SYN packet
B. ACK packet
C. NAK packet
D. SYN/ACK packet

View Answer
The Correct Answer is B.
Explanation: The SYN packet is first sent from the initiating host to the destination host. The destination host then responds with a SYN/ACK packet. The initiating host sends an ACK packet and the connection is then established.
Q15. Which of the following is a requirement of change management?

A. Changes must comply with Internet standards.
B. All changes must be capable of being rolled back.
C. Upgrade strategies must be revealed over the Internet.
D. The audit reports of change management should be accessible to all users.

View Answer
The Correct Answer is B.
Explanation: One of the requirements of change management is that all changes must be capable of being rolled back.
Q16. Which of the following is a procedure designed to test and perhaps bypass a system's security controls?

A. Logging usage data
B. War dialing
C. Penetration testing
D. Deploying secured desktop workstations

View Answer
The Correct Answer is C.
Explanation: Penetration testing is the attempt to bypass security controls to test overall system security.
Q17. At which layer of the OSI model does a router operate?

A. Network layer
B. Layer 1
C. Transport layer
D. Layer 5

View Answer
The Correct Answer is A.
Explanation: Network hardware devices, including routers, function at layer 3, the Network layer.
Q18. Which of the following is considered a denial of service attack?

A. Pretending to be a technical manager over the phone and asking a receptionist to change their password
B. While surfing the Web, sending to a web server a malformed URL that causes the system to use 100 percent of the CPU to process an endless loop
C. Intercepting network traffic by copying the packets as they pass through a specific subnet
D. Sending message packets to a recipient who did not request them simply to be annoying

View Answer
The Correct Answer is B.
Explanation: Not all instances of DoS are the result of a malicious attack. Errors in coding OSs, services, and applications have resulted in DoS conditions. Some examples of this include a process failing to release control of the CPU or a service consuming system resources out of proportion to the service requests it is handling. Social engineering and sniffing are typically not considered DoS attacks.
Q19. Audit trails, logs, CCTV, intrusion detection systems, antivirus software, penetration testing, password crackers, performance monitoring, and cyclic redundancy checks (CRCs) are examples of what?

A. Directive controls
B. Preventive controls
C. Detective controls
D. Corrective controls

View Answer
The Correct Answer is C.
Explanation: Examples of detective controls are audit trails, logs, CCTV, intrusion detection systems, antivirus software, penetration testing, password crackers, performance monitoring, and CRCs.
Q20. Which one of the following vulnerabilities would best be countered by adequate parameter checking?

A. Time-of-check-to-time-of-use
B. Buffer overflow
C. SYN flood
D. Distributed denial of service

View Answer
The Correct Answer is B.
Explanation: Parameter checking is used to prevent the possibility of buffer overflow attacks.
Q21. What technology allows a computer to harness the power of more than one CPU?

A. Multitasking
B. Multiprocessing
C. Multiprogramming
D. Multithreading

View Answer
The Correct Answer is B.
Explanation: Multiprocessing computers use more than one processor, in either a symmetric multiprocessing (SMP) or massively parallel processing (MPP) scheme.
Q22. What type of backup stores all files modified since the time of the most recent full or incremental backup?

A. Full backup
B. Incremental backup
C. Partial backup
D. Differential backup

View Answer
The Correct Answer is D.
Explanation: Differential backups store all files that have been modified since the time of the most recent full or incremental backup.
Q23. What law allows ISPs to voluntarily provide government investigators with a large range of user information without a warrant?

A. Electronic Communications Privacy Act
B. Gramm-Leach-Bliley Act
C. USA Patriot Act
D. Privacy Act of 1974

View Answer
The Correct Answer is C.
Explanation: The USA Patriot Act granted broad new powers to law enforcement, including the solicitation of voluntary ISP cooperation.
Q24. What type of detected incident allows the most time for an investigation?

A. Compromise
B. Denial of service
C. Malicious code
D. Scanning

View Answer
The Correct Answer is D.
Explanation: Scanning incidents are generally reconnaissance attacks. The real damage to a system comes in the subsequent attacks, so you may have some time to react if you detect the scanning attack early.
Q25. Auditing is a required factor to sustain and enforce what?

A. Accountability
B. Confidentiality
C. Accessibility
D. Redundancy

View Answer
The Correct Answer is A.
Explanation: Auditing is a required factor to sustain and enforce accountability.
Q26. Which type of firewall automatically adjusts its filtering rules based on the content of the traffic of existing sessions?

A. Static packet-filtering
B. Application-level gateway
C. Stateful inspection
D. Dynamic packet-filtering

View Answer
The Correct Answer is D.
Explanation: Dynamic packet-filtering firewalls enable real-time modification of the filtering rules based on traffic content.
Q27. Which one of the following is a layer of the ring protection scheme that is not normally implemented in practice?

A. Layer 0
B. Layer 1
C. Layer 3
D. Layer 4

View Answer
The Correct Answer is B.
Explanation: Layers 1 and 2 contain device drivers but are not normally implemented in practice. Layer 0 always contains the security kernel. Layer 3 contains user applications. Layer 4 does not exist.
Q28. In what type of cipher are the letters of the plaintext message rearranged to form the ciphertext?

A. Substitution cipher
B. Block cipher
C. Transposition cipher
D. One-time pad

View Answer
The Correct Answer is C.
Explanation: Transposition ciphers use an encryption algorithm to rearrange the letters of the plaintext message to form a ciphertext message.
Q29. What is the formula used to compute the ALE?

A. ALE = AV*EF
B. ALE = ARO*EF
C. ALE = AV*ARO
D. ALE = EF*ARO

View Answer
The Correct Answer is C.
Explanation: The annualized loss expectancy (ALE) is computed as the product of the asset value (AV) times the annualized rate of occurrence (ARO). The other formulas displayed here do not accurately reflect this calculation.
Q30. Which of the following is the principle that objects retain their veracity and are only intentionally modified by authorized subjects?

A. Privacy
B. Authentication
C. Integrity
D. Data hiding

View Answer
The Correct Answer is C.
Explanation: The principle of integrity states that objects retain their veracity and are only intentionally modified by authorized subjects.
Q31. E-mail is the most common delivery vehicle for which of the following?

A. Viruses
B. Worms
C. Malicious code
D. All of the above

View Answer
The Correct Answer is D.
Explanation: E-mail is the most common delivery mechanism for viruses, worms, Trojan horses, documents with destructive macros, and other malicious code.
Q32. What type of physical security controls are access controls, intrusion detection, alarms, CCTV, monitoring, HVAC, power supplies, and fire detection and suppression?

A. Technical
B. Administrative
C. Physical
D. Preventative

View Answer
The Correct Answer is A.
Explanation: Technical security controls include access controls, intrusion detection, alarms, CCTV, monitoring, HVAC, power supplies, and fire detection and suppression.
Q33. In the United States, how are the administrative determinations of federal agencies promulgated?

A. Code of Federal Regulations
B. United States Code
C. Supreme Court decisions
D. Administrative declarations

View Answer
The Correct Answer is A.
Explanation: Administrative determinations of federal agencies are published as the Code of Federal Regulations.
Q34. What is the first step of the Business Impact Assessment process?

A. Identification of priorities
B. Likelihood assessment
C. Risk identification
D. Resource prioritization

View Answer
The Correct Answer is A.
Explanation: Identification of priorities is the first step of the Business Impact Assessment process.
Q35. If Renee receives a digitally signed message from Mike, what key does she use to verify that the message truly came from Mike?

A. Renee's public key
B. Renee's private key
C. Mike's public key
D. Mike's private key

View Answer
The Correct Answer is C.
Explanation: Any recipient can use Mike’s public key to verify the authenticity of the digital signature.
Q36. The "something you are" authentication factor is also known as what?

A. Type 1
B. Type 2
C. Type 3
D. Type 4

View Answer
The Correct Answer is C.
Explanation: A Type 3 authentication factor is something you are, such as fingerprints, voice print, retina pattern, iris pattern, face shape, palm topology, hand geometry, and so on.
Q37. What is the primary goal of risk management?

A. To produce a 100-percent risk-free environment
B. To guide budgetary decisions
C. To reduce risk to an acceptable level
D. To provide an asset valuation for insurance

View Answer
The Correct Answer is C.
Explanation: The primary goal of risk management is to reduce risk to an acceptable level.
Copyright © 2018 | All Rights Reserved | Designed & Developed by Yeahhub.com