CISSP Topic 5
Q301. Before allowing a web application into the production environment, the security practitioner performs multiple types of tests to confirm that the web application performs as expected. To test the username field, the security practitioner creates a test that enters more characters into the field than the field allows. Which of the following BEST describes the type of test performed?
A. Misuse case testing
B. Interface testing
C. Web session testing
D. Penetration testing
A
Q302. A firm within the defense industry has been directed to comply with contractual requirements for encryption of a government client’s Controlled Unclassified Information (CUI). What encryption strategy represents how to protect data at rest in the MOST efficient and cost-effective manner?
A. Perform logical separation of program information, using virtualized storage solutions with encryption management in the back-end disk systems
B. Perform logical separation of program information, using virtualized storage solutions with built-in encryption at the virtualization layer
C. Perform physical separation of program information and encrypt only information deemed critical by the defense client
D. Implement data at rest encryption across the entire storage area network (SAN)
B
Q303. Which of the following is a limitation of the Bell-LaPadula model?
A. Segregation of duties (SoD) is difficult to implement as the “no read-up” rule limits the ability of an object to access information with a higher classification.
B. Mandatory access control (MAC) is enforced at all levels making discretionary access control (DAC) impossible to implement.
C. It contains no provision or policy for changing data access control and works well only with access systems that are static in nature.
D. It prioritizes integrity over confidentiality which can lead to inadvertent information disclosure.
C
Q304. What is static analysis intended to do when analyzing an executable file?
A. Search the documents and files associated with the executable file.
B. Analyze the position of the file in the file system and the executable file’s libraries.
C. Collect evidence of the executable file’s usage, including dates of creation and last use.
D. Disassemble the file to gather information about the executable file’s function.
D
Q305. Which of the following attack types can be used to compromise the integrity of data during transmission?
A. Synchronization flooding
B. Session hijacking
C. Keylogging
D. Packet sniffing
B
Q306. An organization purchased commercial off-the-shelf (COTS) software several years ago. The information technology (IT) Director has decided to migrate the application into the cloud, but is concerned about the application security of the software in the organization’s dedicated environment with a cloud service provider.
What is the BEST way to prevent and correct the software’s security weaknesses?
A. Follow the software end-of-life schedule
B. Implement a dedicated COTS sandbox environment
C. Transfer the risk to the cloud service provider
D. Examine the software updating and patching process
D
Q307. Security Software Development Life Cycle (SDLC) expects application code to be written in a consistent manner to allow ease of auditing and which of the following?
A. Protecting
B. Copying
C. Enhancing
D. Executing
A
Q308. While performing a security review for a new product, an information security professional discovers that the organization’s product development team is proposing to collect government-issued identification (ID) numbers from customers to use as unique customer identifiers. Which of the following recommendations should be made to the product development team?
A. Customer identifiers should be a variant of the user’s government-issued ID number.
B. Customer identifiers should be a cryptographic hash of the user’s government-issued ID number.
C. Customer identifiers that do not resemble the user’s government-issued ID number should be used.
D. Customer identifiers should be a variant of the user’s name, for example, “jdoe” or “john.doe.”
C
Q309. Which factors MUST be considered when classifying information and supporting assets for risk management, legal discovery, and compliance?
A. System owner roles and responsibilities, data handling standards, storage and secure development lifecycle requirements
B. Compliance office roles and responsibilities, classified material handling standards, storage system lifecycle requirements
C. Data stewardship roles, data handling and storage standards, data lifecycle requirements
D. System authorization roles and responsibilities, cloud computing standards, lifecycle requirements
C
Q310. When configuring Extensible Authentication Protocol (EAP) in a Voice over Internet Protocol (VoIP) network, which of the following authentication types is the MOST secure?
A. EAP-Protected Extensible Authentication Protocol (PEAP)
B. EAP-Transport Layer Security (TLS)
C. EAP-Tunneled Transport Layer Security (TTLS)
D. EAP-Flexible Authentication via Secure Tunneling
B
Q311. A network security engineer needs to ensure that a security solution analyzes traffic for protocol manipulation and various sorts of common attacks. In addition, all Uniform Resource Locator (URL) traffic must be inspected and users prevented from browsing inappropriate websites. Which of the following solutions should be implemented to give administrators the capability to analyze traffic, blacklist external sites, and log user traffic for later analysis?
A. Application-Level Proxy
B. Intrusion detection system (IDS)
C. Host-based Firewall
D. Circuit-Level Proxy
A
Q312. An information security consultant is asked to make recommendations for a small business to protect access to information stored on network drives. The small business supports several government agencies that manage highly sensitive information. Which of the following recommendations is BEST to achieve this objective?
A. Develop and implement a security information and event monitoring system.
B. Develop and implement access management policies and procedures.
C. Develop and implement data center access policies and procedures.
D. Develop and implement a security operations center (SOC) for access monitoring.
B
Q313. A vendor released a security patch for a dangerous vulnerability affecting thousands of computers in an organization. Which of the following actions will the security practitioner do FIRST to mitigate the security risk?
A. Deploy the patch.
B. Accept the risk.
C. Transfer the risk.
D. Evaluate the patch.
D
Q314. Which of the following are common components of a Security Assertion Markup Language (SAML) based federation system?
A. Client, Service Provider, identity provider (IdP), Token
B. Client, Service Provider, Resource Server, Grant
C. Client, Authorization Server, identity provider (IdP), Claim
D. Client, Authorization Server, Resource Server, Assertion
D
Q315. A Certified Information Systems Security Professional (CISSP) with identity and access management (IAM) responsibilities is asked by the Chief Information Security Officer (CISO) to perform a vulnerability assessment on a web application to pass a Payment Card Industry (PCI) audit. The CISSP has never performed this before. According to the (ISC)² Code of Professional Ethics, which of the following should the CISSP do?
A. Inform the CISO that they are unable to perform the task because they should render only those services for which they are fully competent and qualified
B. Since they are CISSP certified, they have enough knowledge to assist with the request, but will need assistance in order to complete it in a timely manner
C. Review the CISSP guidelines for performing a vulnerability assessment before proceeding to complete it
D. Review the PCI requirements before performing the vulnerability assessment
A
Q316. Recently, an unknown event has disrupted a single Layer-2 network that spans between two geographically diverse data centers. The network engineers have asked for assistance in identifying the root cause of the event. Which of the following is the MOST likely cause?
A. Smurf attack
B. Misconfigured routing protocol
C. Broadcast domain too large
D. Address spoofing
D
Q317. Which of the following BEST ensures the integrity of transactions to intended recipients?
A. Public key infrastructure (PKI)
B. Blockchain technology
C. Pre-shared key (PSK)
D. Web of trust
B
Q318. A software engineer uses automated tools to review application code and search for application flaws, back doors, or other malicious code. Which of the following is the FIRST Software Development Life Cycle (SDLC) phase where this takes place?
A. Deployment
B. Development
C. Test
D. Design
B
Q319. What is the overall goal of software security testing?
A. Identifying the key security features of the software
B. Ensuring all software functions perform as specified
C. Reducing vulnerabilities within a software system
D. Making software development more agile
C
Q320. Which of the following techniques evaluates the secure design principles of network or software architectures?
A. Risk modeling
B. Waterfall method
C. Threat modeling
D. Fuzzing
C
Q321. An information security administrator wishes to block peer-to-peer (P2P) traffic over Hypertext Transfer Protocol (HTTP) tunnels. Which of the following layers of the Open Systems Interconnection (OSI) model requires inspection?
A. Application
B. Transport
C. Session
D. Presentation
A
Q322. Which type of access control includes a system that allows only users that are type=managers and department=sales to access employee records?
A. Role-based access control (RBAC)
B. Attribute-based access control (ABAC)
C. Discretionary access control (DAC)
D. Mandatory access control (MAC)
B
Q323. Which of the following is the MAIN difference between a network-based firewall and a host-based firewall?
A. A network-based firewall is stateful, while a host-based firewall is stateless.
B. A network-based firewall blocks network intrusions, while a host-based firewall blocks malware.
C. A network-based firewall controls traffic passing through the device, while a host-based firewall controls traffic destined for the device.
D. A network-based firewall verifies network traffic, while a host-based firewall verifies processes and applications.
C
Q324. Which of the following protection is provided when using a Virtual Private Network (VPN) with Authentication Header (AH)?
A. Sender non-repudiation
B. Multi-factor authentication (MFA)
C. Payload encryption
D. Sender confidentiality
A
Q325. Which of the following is the MOST comprehensive Business Continuity (BC) test?
A. Full interruption
B. Full simulation
C. Full table top
D. Full functional drill
A
Q326. An organization’s retail website provides its only source of revenue, so the disaster recovery plan (DRP) must document an estimated time for each step in the plan. Which of the following steps in the DRP will list the GREATEST duration of time for the service to be fully operational?
A. Update the Network Address Translation (NAT) table.
B. Update Domain Name System (DNS) server addresses with domain registrar.
C. Update the Border Gateway Protocol (BGP) autonomous system number.
D. Update the web server network adapter configuration.
C
Q327. Which of the following is an example of a vulnerability of full-disk encryption (FDE)?
A. Data on the device cannot be restored from backup.
B. Data on the device cannot be backed up.
C. Data in transit has been compromised when the user has authenticated to the device.
D. Data at rest has been compromised when the user has authenticated to the device.
D
Q328. A security architect is reviewing plans for an application with a Recovery Point Objective (RPO) of 15 minutes. The current design has all of the application infrastructure located within one co-location data center. Which security principle is the architect currently assessing?
A. Disaster recovery (DR)
B. Availability
C. Redundancy
D. Business continuity (BC)
B
Q329. What type of investigation applies when malicious behavior is suspected between two organizations?
A. Regulatory
B. Operational
C. Civil
D. Criminal
C
Q330. The European Union (EU) General Data Protection Regulation (GDPR) requires organizations to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. The Data Owner should therefore consider which of the following requirements?
A. Never to store personal data of EU citizens outside the EU
B. Data masking and encryption of personal data
C. Only to use encryption protocols approved by EU
D. Anonymization of personal data when transmitted to sources outside the EU
B
Q331. A Chief Information Officer (CIO) has delegated responsibility of their system security to the head of the information technology (IT) department. While corporate policy dictates that only the CIO can make decisions on the level of data protection required, technical implementation decisions are done by the head of the IT department. Which of the following BEST describes the security role filled by the head of the IT department?
A. System security officer
B. System processor
C. System custodian
D. System analyst
A
Q332. Which stage in the identity management (IdM) lifecycle constitutes the GREATEST risk for an enterprise if performed incorrectly?
A. Propagating
B. Deprovisioning
C. Provisioning
D. Maintaining
C
Q333. How does Radio-Frequency Identification (RFID) assist with asset management?
A. It uses biometric information for system identification.
B. It uses two-factor authentication (2FA) for system identification.
C. It transmits unique serial numbers wirelessly.
D. It transmits unique Media Access Control (MAC) addresses wirelessly.
C
Q334. A security professional was tasked with rebuilding a company’s wireless infrastructure. Which of the following are the MOST important factors to consider while making a decision on which wireless spectrum to deploy?
A. Facility size, intermodulation, and direct satellite service
B. Performance, geographic location, and radio signal interference
C. Existing client devices, manufacturer reputation, and electrical interference
D. Hybrid frequency band, service set identifier (SSID), and interpolation
C
Q335. Which of the following is a common term for log reviews, synthetic transactions, and code reviews?
A. Application development
B. Spiral development functional testing
C. Security control testing
D. DevOps Integrated Product Team (IPT) development
C
Q336. A company needs to provide employee access to travel services, which are hosted by a third-party service provider. Employee experience is important, and when users are already authenticated, access to the travel portal is seamless. Which of the following methods is used to share information and grant user access to the travel portal?
A. Single sign-on (SSO) access
B. Security Assertion Markup Language (SAML) access
C. Open Authorization (OAuth) access
D. Federated access
D
Q337. Which of the following vulnerability assessment activities BEST exemplifies the Examine method of assessment?
A. Asking the Information System Security Officer (ISSO) to describe the organization’s patch management processes
B. Ensuring that system audit logs capture all relevant data fields required by the security controls baseline
C. Logging into a web server using the default administrator account and a default password
D. Performing Port Scans of selected network hosts to enumerate active services
B
Q338. In software development, developers should use which type of queries to prevent a Structured Query Language (SQL) injection?
A. Parameterised
B. Controlled
C. Dynamic
D. Static
A
Q339. While dealing with the consequences of a security incident, which of the following security controls are MOST appropriate?
A. Detective and recovery controls
B. Corrective and recovery controls
C. Preventative and corrective controls
D. Recovery and proactive controls
B
Q340. What is the MOST effective way to mitigate distributed denial of service (DDoS) attacks?
A. Deploy a web application firewall (WAF).
B. Block access to Transmission Control Protocol (TCP) ports under attack.
C. Detect and block bad Internet Protocol (IP) subnets on the corporate firewall.
D. Engage an upstream Internet service provider (ISP).
D
Q341. An organization is implementing a bring your own device (BYOD) policy. What would be BEST for mitigating the risk of users managing their own devices and potentially bringing in malware?
A. Setting up access control lists (ACL) for these devices.
B. Installing a firewall on the organization’s primary network.
C. Setting up a separate network within the organization’s demilitarized zone (DMZ).
D. Setting up a separate, external wired or wireless network dedicated to these devices.
D
Q342. During a disruptive event, which security continuity objectives will maintain an organization’s information security to a predetermined level?
A. Disaster recovery plan (DRP)
B. Impact assessment report
C. Information security continuity plan
D. Business continuity plan (BCP)
C
Q343. An organization implements supply chain risk management (SCRM) into all phases of the Systems Development Life Cycle (SDLC). What methodology is MOST important to ensure that SCRM requirements are met?
A. Supplier self-assessment
B. Procurement assessment
C. Vulnerability assessment
D. Third-party assessment
D
Q344. A security operations center (SOC) discovers a recently deployed router beaconing to a malicious website. Replacing the router fixes the issue. What is the MOST likely cause of the router’s behavior?
A. The network administrator failed to reconfigure the router’s access control list (ACL).
B. The router was damaged during shipping or installed incorrectly.
C. The router was counterfeit and acquired through unauthorized channels.
D. The network administrator failed to update the router’s firmware.
C
Q345. Which of the following is the PRIMARY objective of performing scans with an active discovery tool?
A. Discovering virus and malware activity
B. Discovering changes for security configuration management (CM)
C. Asset identification (ID) and inventory management
D. Vulnerability management and remediation
C
Q346. Which of the following Secure Shell (SSH) remote access practices is MOST suited for scripted functions?
A. Restricting authentication by Internet Protocol (IP) address
B. Requiring multi-factor authentication (MFA)
C. Implementing access credentials management tools
D. Using public key-based authentication method
D
Q347. What are facets of trustworthy software in supply chain operations?
A. Functionality, safety, reliability, integrity, and accuracy
B. Confidentiality, integrity, availability, authenticity, and possession
C. Safety, reliability, availability, resilience, and security
D. Reparability, security, upgradability, functionality, and accuracy
C
Q348. An organization is implementing data encryption using symmetric ciphers and the Chief Information Officer (CIO) is concerned about the risk of using one key to protect all sensitive data. The security practitioner has been tasked with recommending a solution to address the CIO’s concerns. Which of the following is the BEST approach to achieving the objective by encrypting all sensitive data?
A. Use a Secure Hash Algorithm 256 (SHA-256).
B. Use Rivest-Shamir-Adleman (RSA) keys.
C. Use a hierarchy of encryption keys.
D. Use Hash Message Authentication Code (HMAC) keys.
C
Q349. Which of the following documents specifies services from the client’s viewpoint?
A. Business Impact analysis (BIA)
B. Service level agreement (SLA)
C. Service Level Requirement (SLR)
D. Service level report
C
Q350. Which of the following goals represents a modern shift in risk management according to National Institute of Standards and Technology (NIST)?
A. Provide an improved mission accomplishment approach.
B. Focus on operating environments that are changing, evolving, and full of emerging threats.
C. Enable management to make well-informed risk-based decisions justifying security expenditure.
D. Secure information technology (IT) systems that store, mass, or transmit organizational information.
B
Q351. What is the MOST appropriate hierarchy of documents when implementing a security program?
A. Policy, organization principle, standard, guideline
B. Standard, policy, organization principle, guideline
C. Organization principle, policy, standard, guideline
D. Organization principle, guideline, policy, standard
C
Q352. Employee training, risk management, and data handling procedures and policies could be characterized as which type of security measure?
A. Preventative
B. Management
C. Non-essential
D. Administrative
D
Q353. A user is allowed to access the file labeled “Financial Forecast,” but only between 9:00 a.m. and 5:00 p.m., Monday through Friday. Which type of access mechanism should be used to accomplish this?
A. Minimum access control
B. Limited role-based access control (RBAC)
C. Access control list (ACL)
D. Rule-based access control
D
Q354. The initial security categorization should be done early in the system life cycle and should be reviewed periodically. Why is it important for this to be done correctly?
A. It determines the functional and operational requirements.
B. It determines the security requirements.
C. It affects other steps in the certification and accreditation process.
D. The system engineering process works with selected security controls.
B
Q355. When securing Hypertext Markup Language (HTML) text data, which is the purpose of the escape function?
A. Ending the current process to protect the code
B. Providing an exit path for user input
C. Replacing potentially harmful characters
D. Preventing unauthorized users from writing data
C
Q356. Which of the following BEST describes an example of evading intrusion detection system (IDS) signature detection?
A. Packet fragmentation
B. SQL injection (SQLi)
C. Cross-Site Scripting (XSS)
D. Encoding
A
Q357. An organization would like to secure a trusted and untrusted network. One of the requirements is to provide access to the trusted network from a few of the hosts from the untrusted network. Which of the following is the BEST device or system that should be deployed to enable this capability?
A. Router
B. Bastion host
C. Forward proxy host
D. Intrusion detection system (IDS)
B
Q358. An architect has observed that the complexity of a new design has introduced increased risk. After review, the test team lead cannot determine how to test for some of the security controls the organization requires to be in place. Which of the following secure design principles has MOST likely been violated?
A. Complete remediation
B. Economy of mechanism
C. Psychological acceptability
D. Least privilege
B
Q359. Which of the following attacks describes the intent behind the pivoting method used by attackers or penetration testers?
A. Interrupt the communications flows on the network
B. Use a compromised or obsolete system to traverse the network
C. Extract sensitive data from resources on the network
D. Escalate compromised user permissions within the network
B
Q360. Which of the following processes is BEST used to determine the extent to which modifications to an information system affect the security posture of the system?
A. Patch management
B. Continuous monitoring
C. Configuration change control
D. Security impact analysis
D
Q361. Which of the following principles is intended to produce information security professionals that are capable of vision and proactive response?
A. Information security awareness
B. Information security program
C. Information security education
D. Information security certification
C
Q362. An application developer is developing a web application that will store and process personal information of European Union (EU) residents. Which of the following security principles explicitly specified in General Data Protection Regulation (GDPR), should the developer apply to safeguard the personal information in the application?
A. Authorization
B. Tokenization
C. Pseudonymization
D. Authentication
C
Q363. What security technique in the Software Development Life Cycle (SDLC) should be leveraged to BEST ensure secure development throughout a project?
A. Dynamic application security testing (DAST)
B. Waterfall
C. Simple Object Access Protocol
D. Static application security testing (SAST)
D
Q364. The defense strategy “never trust any input” is MOST effective against which of the following web-based system vulnerabilities?
A. Injection vulnerabilities
B. Sensitive data exposure
C. Man-in-the-browser attack
D. Broken authentication
A
Q365. A healthcare insurance organization chose a vendor to develop a software application. Upon review of the draft contract, the information security professional notices that software security is not addressed. What is the BEST approach to address the issue?
A. Update the contract to require the vendor to perform security code reviews.
B. Update the service level agreement (SLA) to provide the organization the right to audit the vendor.
C. Update the contract so that the vendor is obligated to provide security capabilities.
D. Update the service level agreement (SLA) to require the vendor to provide security capabilities.
C
Q366. An organization needs to evaluate the effectiveness of security controls implemented on a new system. Which of the following roles should the organization entrust to conduct the evaluation?
A. Authorizing Official (AO)
B. System owner
C. Control assessor
D. Information System Security Officer (ISSO)
C
Q367. The principle that personally identifiable information (PII) should be kept up-to-date and relevant to the purposes for which they are to be used is attributed to which fair information practice per the United States (US) Organization for Economic Cooperation and Development (OECD)?
A. Purpose Specification
B. Security Safeguards
C. Collection Limitation
D. Data Quality
D
Q368. A large law firm would like to enable employees to participate in a bring your own device (BYOD) program. Only devices with up-to-date antivirus and operating system (OS) patches will be allowed on the network. Which solution will BEST enforce the security requirements?
A. Endpoint Detection and Response
B. Next-Generation Firewall
C. Intrusion detection and prevention system (IDPS)
D. Network Access Control (NAC)
D
Q369. To ensure compliance with the General Data Protection Regulation (GDPR), who in the organization should the help desk manager confer with before selecting a Software as a Service (SaaS) solution?
A. Data owner
B. Database administrator (DBA)
C. Data center manager
D. Data Protection Officer (DPO)
D
Q370. For a victim of a security breach to prevail in a negligence claim, what MUST the victim establish?
A. Concern
B. Breach of contract
C. Proximate cause
D. Hardship
C
Q371. Single sign-on (SSO) for federated identity management (FIM) must be implemented and managed so that authorization mechanisms protect access to privileged information using OpenID Connect (OIDC) token or Security Assertion Markup Language (SAML) assertion. What is the BEST method to use to protect them?
A. Pass data in a bearer assertion, only signed by the identity provider.
B. Tokens and assertion should use base64 encoding to assure confidentiality.
C. Use a challenge and response mechanism such as Challenge Handshake Authentication Protocol (CHAP).
D. The access token or assertion should be encrypted to ensure privacy.
D
Q372. One of Canada’s leading pharmaceutical firms recently hired a Chief Data Officer (CDO) to oversee its data privacy program. The CDO has discovered the firm’s marketing department has been collecting information from individuals without their knowledge and consent via the company website. Which of the following privacy regulations should concern the CDO regarding this practice?
A. The Health Insurance Portability and Accountability Act (HIPAA)
B. The Privacy Act of 1974
C. The Fair Information Practice Principles (FIPPs)
D. The Personal Information Protection and Electronic Documents Act (PIPEDA)
D
Q373. Which of the following is a weakness of the Data Encryption Standard (DES)?
A. Block encryption scheme
B. Use of same key for encryption and decryption
C. Publicly disclosed algorithm
D. Inadequate key length
D
Q374. An organization has approved deployment of a virtual environment for the development servers and has established controls for restricting access to resources. In order to implement best security practices for the virtual environment, the security team MUST also implement which of the following steps?
A. Implement a dedicated management network for the hypervisor.
B. Deploy Terminal Access Controller Access Control System Plus (TACACS+) for authentication.
C. Implement complex passwords using Privileged Access Management (PAM).
D. Capture network traffic for the network interface.
A
Q375. Which of the following techniques is MOST useful when dealing with advanced persistent threat (APT) intrusions on live virtualized environments?
A. Memory forensics
B. Logfile analysis
C. Reverse engineering
D. Antivirus operations
A
Q376. What part of an organization’s strategic risk assessment MOST likely includes information on items affecting the success of the organization?
A. Threat analysis
B. Vulnerability analysis
C. Key Performance Indicator (KPI)
D. Key Risk Indicator (KRI)
D
Q377. Which of the following is a risk matrix?
A. A tool for determining risk management decisions for an activity or system.
B. A database of risks associated with a specific information system.
C. A two-dimensional picture of risk for organizations, products, projects, or other items of interest.
D. A table of risk management factors for management to consider.
A
Q378. Which of the following terms is used for online service providers operating within a federation?
A. Active Directory Federation Services (ADFS)
B. Relying party (RP)
C. Single sign-on (SSO)
D. Identity and access management (IAM)
B
Q379. Which mechanism provides the BEST protection against buffer overflow attacks in memory?
A. Address Space Layout Randomization (ASLR)
B. Memory management unit
C. Stack and heap allocation
D. Dynamic random access memory (DRAM)
A
Q380. Which of the (ISC)² Code of Ethics canons is MOST reflected when preserving the value of systems, applications, and entrusted information while avoiding conflicts of interest?
A. Provide diligent and competent service to principals.
B. Act honorably, honestly, justly, responsibly, and legally.
C. Advance and protect the profession.
D. Protect society, the commonwealth, and the infrastructure.
A
Q381. A company is moving from the V model to Agile development. How can the information security department BEST ensure that secure design principles are implemented in the new methodology?
A. Information security requirements are captured in mandatory user stories.
B. All developers receive a mandatory targeted information security training.
C. The information security department performs an information security assessment after each sprint.
D. The non-financial information security requirements remain mandatory for the new model.
A
Q382. Which of the following is the MOST important consideration in selecting a security testing method based on different Radio-Frequency Identification (RFID) vulnerability types?
A. An understanding of the attack surface
B. Adaptability of testing tools to multiple technologies
C. The quality of results and usability of tools
D. The performance and resource utilization of tools
A
Q383. The Chief Information Security Officer (CISO) is concerned about business application availability. The organization was recently subject to a ransomware attack that resulted in the unavailability of applications and services for 10 working days, which required paper-based running of all main business processes. There are now aggressive plans to enhance the Recovery Time Objective (RTO) and cater for more frequent data captures. Which of the following solutions should be implemented to fully comply with the new business requirements?
A. Virtualization
B. Antivirus
C. Host-based intrusion prevention system (HIPS)
D. Process isolation
A
Q384. A Simple Power Analysis (SPA) attack against a device directly observes which of the following?
A. Magnetism
B. Generation
C. Consumption
D. Static discharge
C
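An added example, not part of the question bank, of what "directly observes consumption" means in practice. A squaring and a multiply draw distinguishably different amounts of current, so a device running naive square-and-multiply exponentiation shows the attacker its operation sequence, and therefore the secret exponent, in a single power trace. The trace is modelled here as the list of operation classes the device executes ("S" for square, "M" for multiply); the base, exponent and modulus are arbitrary constructed values.

```python
# Added illustration of Simple Power Analysis leakage (constructed values, not from the page).
# A power trace is modelled as the sequence of operation classes the device performs.

def square_and_multiply_traced(base: int, exp: int, mod: int):
    """Naive left-to-right binary exponentiation.
    Returns (base**exp mod mod, trace). The trace leaks every bit of exp."""
    result, trace = 1, []
    for bit in bin(exp)[2:]:
        result = (result * result) % mod      # a squaring happens for every bit
        trace.append("S")
        if bit == "1":                        # a multiply happens only for 1 bits
            result = (result * base) % mod
            trace.append("M")
    return result, trace


def recover_exponent_from_trace(trace):
    """What the SPA attacker does with the trace:
    an 'S' immediately followed by 'M' is a 1 bit, a lone 'S' is a 0 bit."""
    bits, i = [], 0
    while i < len(trace):
        if i + 1 < len(trace) and trace[i + 1] == "M":
            bits.append("1")
            i += 2
        else:
            bits.append("0")
            i += 1
    return int("".join(bits), 2)


def montgomery_ladder_traced(base: int, exp: int, mod: int):
    """Montgomery ladder: exactly one multiply and one square per bit regardless of
    the bit's value, so the operation sequence no longer depends on the exponent.
    Invariant: r1 == r0 * base (mod mod) throughout."""
    r0, r1, trace = 1, base % mod, []
    for bit in bin(exp)[2:]:
        if bit == "1":
            r0 = (r0 * r1) % mod
            r1 = (r1 * r1) % mod
        else:
            r1 = (r0 * r1) % mod
            r0 = (r0 * r0) % mod
        trace += ["M", "S"]                   # same shape for a 0 bit and a 1 bit
    return r0, trace


if __name__ == "__main__":
    secret_exponent = 45                      # 0b101101, constructed
    _, leaky = square_and_multiply_traced(7, secret_exponent, 1009)
    print("leaky trace:   ", "".join(leaky))
    print("recovered exp: ", recover_exponent_from_trace(leaky))
    _, flat = montgomery_ladder_traced(7, secret_exponent, 1009)
    print("ladder trace:  ", "".join(flat))
```

The ladder fixes the operation sequence but still branches on the bit to choose which register is squared; production code replaces that branch with a constant-time conditional swap so that memory access patterns do not reintroduce the leak through other side channels.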
Q385. Which of the following is the BEST method a security practitioner can use to ensure that systems and sub-systems gracefully handle invalid input?
A. Unit testing
B. Acceptance testing
C. Integration testing
D. Negative testing
D
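An added example, not from the question bank, of negative testing against a small input parser. The parser reads a constructed login record of the form [1-byte username length][username][1-byte password length][password]; the negative test suite feeds it malformed records and distinguishes a controlled rejection (graceful handling) from an unhandled exception (a crash). All record formats, limits and sample inputs are constructed for the illustration.

```python
# Added illustration of negative testing (constructed record format and inputs).

MAX_USERNAME = 32
ALLOWED_EXTRA = set("._-")


class InvalidInput(ValueError):
    """Raised for any malformed record; callers treat this as a clean rejection."""


def parse_login_record(data) -> dict:
    """Parse [ulen][username][plen][password] and return the fields, or raise InvalidInput.
    Every length is checked against the buffer before it is used as an index."""
    if not isinstance(data, (bytes, bytearray)):
        raise InvalidInput("record must be bytes")
    if len(data) < 2:
        raise InvalidInput("truncated header")
    ulen = data[0]
    if ulen == 0 or ulen > MAX_USERNAME:
        raise InvalidInput(f"username length {ulen} outside 1..{MAX_USERNAME}")
    if 1 + ulen + 1 > len(data):
        raise InvalidInput("username length exceeds buffer")
    try:
        username = bytes(data[1:1 + ulen]).decode("ascii")
    except UnicodeDecodeError:
        raise InvalidInput("username is not ASCII")
    if not all(c.isalnum() or c in ALLOWED_EXTRA for c in username):
        raise InvalidInput("username contains disallowed characters")
    plen = data[1 + ulen]
    if plen == 0:
        raise InvalidInput("empty password")
    if 2 + ulen + plen != len(data):
        raise InvalidInput("password length does not match buffer")
    return {"username": username, "password_len": plen}


# Constructed negative-test corpus: each entry is malformed in a different way.
NEGATIVE_CASES = {
    "valid":                 b"\x05alice\x08password",        # the one record that must pass
    "empty":                 b"",
    "truncated":             b"\x05ali",
    "zero_length_username":  b"\x00\x01x",
    "oversized_username":    b"\x40" + b"a" * 64 + b"\x01x",  # 64 > MAX_USERNAME
    "length_exceeds_buffer": b"\x20" + b"a" * 5,              # claims 32 bytes, has 5
    "control_chars":         b"\x05al\x00ce\x01x",
    "non_ascii":             b"\x02\xff\xfe\x01x",
    "empty_password":        b"\x05alice\x00",
    "trailing_garbage":      b"\x05alice\x08password\x00",
    "wrong_type":            "alice",
}


def negative_tests() -> dict:
    """Run every case and classify the outcome: accepted, rejected, or CRASH.
    A graceful parser never produces a CRASH result."""
    results = {}
    for name, blob in NEGATIVE_CASES.items():
        try:
            parse_login_record(blob)
            results[name] = "accepted"
        except InvalidInput:
            results[name] = "rejected"
        except Exception as exc:            # anything else is an unhandled failure
            results[name] = f"CRASH: {type(exc).__name__}"
    return results


if __name__ == "__main__":
    for case, outcome in negative_tests().items():
        print(f"{case:22s} {outcome}")
```

Removing any one of the length checks in parse_login_record turns the corresponding case into a CRASH (IndexError or TypeError), which is exactly the class of defect this kind of test is meant to surface before production.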
Q386. What is the PRIMARY reason that a bit-level copy is more desirable than a file-level copy when replicating a hard drive's contents for an e-discovery investigation?
A. The corruption of files is less likely.
B. Files that have been deleted will be transferred.
C. The file and directory structure is retained.
D. File-level security settings will be preserved.
B
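An added example, not from the question bank, that makes the difference concrete on a toy volume. Deleting a file on FAT- or NTFS-style filesystems only marks the directory entry as free; the sectors keep their bytes until reused. A file-level copy walks the directory and so never sees the deleted file, while a bit-level (sector) image carries those bytes and a carving pass recovers them. The sector size, file signature markers and file contents are constructed; the directory is kept in memory rather than on the toy disk for brevity.

```python
# Added illustration of bit-level vs file-level copies (constructed toy volume).

SECTOR = 64
HEAD, TAIL = b"MEMO:", b"\n--END--"      # constructed file signature used by the carver


class ToyVolume:
    """Fixed-size sectors plus a directory. Deleting a file flips a flag only;
    the data stays on the 'platter' until the sectors are reallocated."""

    def __init__(self, n_sectors: int = 16):
        self.raw = bytearray(SECTOR * n_sectors)
        self.entries = {}                  # name -> [first_sector, length, deleted]
        self._free = 0                     # next unallocated sector

    def write(self, name: str, content: bytes) -> None:
        sectors = -(-len(content) // SECTOR)
        if self._free + sectors > len(self.raw) // SECTOR:
            raise OSError("disk full")
        start = self._free * SECTOR
        self.raw[start:start + len(content)] = content
        self.entries[name] = [self._free, len(content), False]
        self._free += sectors

    def delete(self, name: str) -> None:
        self.entries[name][2] = True       # directory flag only; bytes untouched

    def read(self, name: str) -> bytes:
        first, length, deleted = self.entries[name]
        if deleted:
            raise FileNotFoundError(name)
        return bytes(self.raw[first * SECTOR:first * SECTOR + length])


def file_level_copy(vol: ToyVolume) -> dict:
    """What a backup tool or 'copy the folder' does: only live directory entries."""
    return {n: vol.read(n) for n, e in vol.entries.items() if not e[2]}


def bit_level_copy(vol: ToyVolume) -> bytes:
    """What a forensic imager does: every sector, allocated or not."""
    return bytes(vol.raw)


def carve(image: bytes) -> list:
    """Recover files from an image by signature, ignoring the directory entirely."""
    found, pos = [], 0
    while True:
        start = image.find(HEAD, pos)
        if start < 0:
            break
        end = image.find(TAIL, start)
        if end < 0:
            break
        found.append(image[start:end + len(TAIL)])
        pos = end + len(TAIL)
    return found


def demo():
    vol = ToyVolume()
    vol.write("draft.txt", HEAD + b" merger terms v1" + TAIL)
    vol.write("report.txt", HEAD + b" quarterly report" + TAIL)
    vol.delete("draft.txt")                # custodian 'removed' the draft
    return file_level_copy(vol), carve(bit_level_copy(vol))


if __name__ == "__main__":
    logical, carved = demo()
    print("file-level copy has:", sorted(logical))
    print("carved from bit-level image:", carved)
```

The same property is why a forensic image is taken with a write blocker and hashed before analysis: the unallocated and slack space that makes the image valuable is also the first thing a careless copy destroys.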
Q387. What is the FIRST step in reducing the exposure of a network to Internet Control Message Protocol (ICMP) based attacks?
A. Implement network access control lists (ACL).
B. Implement an intrusion prevention system (IPS).
C. Implement a web application firewall (WAF).
D. Implement egress filtering at the organization’s network boundary.
D
Q388. DRAG DROP –
Match the roles for an external audit to the appropriate responsibilities. Drag each role on the left to its corresponding responsibility on the right.
Q390. A hospital’s building controls system monitors and operates the environmental equipment to maintain a safe and comfortable environment. Which of the following could be used to minimize the risk of utility supply interruption?
A. Digital protection and control devices capable of minimizing the adverse impact to critical utility
B. Standardized building controls system software with high connectivity to hospital networks
C. Lock out maintenance personnel from the building controls system access that can impact critical utility supplies
D. Digital devices that can turn equipment off and continuously cycle rapidly in order to increase supplies and conceal activity on the hospital network
A
Q391. Which of the following is required to verify the authenticity of a digitally signed document?
A. Agreed upon shared secret
B. Digital hash of the signed document
C. Recipient’s public key
D. Sender’s private key
B
Q392. What physical characteristic does a retinal scan biometric device measure?
A. The amount of light reflected by the retina
B. The pattern of blood vessels at the back of the eye
C. The size, curvature, and shape of the retina
D. The pattern of light receptors at the back of the eye
B
Q393. A security practitioner has been asked to model best practices for disaster recovery (DR) and business continuity. The practitioner has decided that a formal committee is needed to establish a business continuity policy. Which of the following BEST describes this stage of business continuity development?
A. Developing and Implementing business continuity plans (BCP)
B. Project Initiation and Management
C. Risk Evaluation and Control
D. Business impact analysis (BIA)
B
Q394. An organization has implemented a password complexity policy and an account lockout policy enforcing a lockout after five incorrect login attempts within ten minutes. Network users have reported significantly increased account lockouts. Which of the following security principles is this company affecting?
A. Confidentiality
B. Integrity
C. Availability
D. Authentication
C
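An added example, not from the question bank, showing why a lockout policy is an availability trade-off. The class below implements the stated policy (five failures inside a sliding ten-minute window) and then plays out the failure mode: anyone who knows a username can lock the real user out by submitting five wrong passwords, and the user's correct password is refused until the lockout expires. Timestamps are integer seconds, and the lockout duration of 15 minutes is an assumption the question does not state.

```python
# Added illustration of account lockout and its availability impact (constructed policy values).
from collections import deque


class LockoutPolicy:
    """Lock an account after `max_failures` wrong passwords within a sliding `window`
    (seconds); stay locked for `lockout` seconds. Lockout duration is an assumption."""

    def __init__(self, max_failures: int = 5, window: int = 600, lockout: int = 900):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = {}        # user -> deque of failure timestamps
        self.locked_until = {}    # user -> timestamp when the lock expires

    def attempt(self, user: str, password_ok: bool, now: int) -> str:
        """Return 'ok', 'fail', or 'locked' for one login attempt at time `now`."""
        if self.locked_until.get(user, 0) > now:
            return "locked"       # refused even if the password is right
        if password_ok:
            self.failures.pop(user, None)
            return "ok"
        recent = self.failures.setdefault(user, deque())
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()      # drop failures older than the window
        if len(recent) >= self.max_failures:
            self.locked_until[user] = now + self.lockout
            recent.clear()
            return "locked"
        return "fail"


def demo():
    """Attacker-triggered lockout: five wrong guesses, then the real user is refused."""
    policy = LockoutPolicy()
    attacker = [policy.attempt("alice", False, t) for t in range(5)]
    victim_now = policy.attempt("alice", True, 10)                 # correct password, still refused
    victim_later = policy.attempt("alice", True, 4 + policy.lockout)
    return attacker, victim_now, victim_later


def sliding_window_demo():
    """Four failures, then a fifth just outside the window: not enough to lock."""
    policy = LockoutPolicy()
    for t in range(4):
        policy.attempt("bob", False, t)
    return policy.attempt("bob", False, 601)


if __name__ == "__main__":
    print(demo())
    print(sliding_window_demo())
```

Mitigations that keep the confidentiality benefit while limiting the availability cost include a lockout that expires automatically (as here) rather than requiring help-desk intervention, throttling per source address rather than per account, and alerting on bursts of lockouts across many users, which is the signature of someone spraying usernames rather than of users forgetting passwords.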
Q395. Which of the following is a PRIMARY security weakness in the design of Domain Name System (DNS)?
A. Each DNS server must hold the address of the root servers.
B. A DNS server can be disabled in a denial-of-service (DoS) attack.
C. A DNS server does not authenticate source of information.
D. A DNS server database can be injected with falsified checksums.
C
Q396. An organization plans to acquire a commercial off-the-shelf (COTS) system to replace their aging home-built reporting system. When should the organization’s security team FIRST get involved in this acquisition’s life cycle?
A. When the system is verified and validated
B. When the need for a system is expressed and the purpose of the system is documented
C. When the system is deployed into production
D. When the system is being designed, purchased, programmed, developed, or otherwise constructed
B
Q397. Which of the following statements is MOST accurate regarding information assets?
A. International Organization for Standardization (ISO) 27001 compliance specifies which information assets must be included in asset inventory.
B. Information assets include any information that is valuable to the organization.
C. Building an information assets register is a resource-intensive job.
D. Information assets inventory is not required for risk assessment.
B
Q398. The security architect has been mandated to assess the security of various brands of mobile devices. At what phase of the product lifecycle would this be MOST likely to occur?
A. Implementation
B. Operations and maintenance
C. Disposal
D. Development
D
Q399. During testing, where are the requirements to inform parent organizations, law enforcement, and a computer incident response team documented?
A. Security Assessment Report (SAR)
B. Security assessment plan
C. Unit test results
D. System integration plan
B
Q400. An information security professional is reviewing user access controls on a customer-facing application. The application must have multi-factor authentication (MFA) in place. The application currently requires a username and password to login. Which of the following options would BEST implement MFA?
A. Geolocate the user and compare to previous logins
B. Require a pre-selected number as part of the login
C. Have the user answer a secret question that is known to them
D. Enter an automatically generated number from a hardware token
D