[Oct 10, 2024] CISSP Questions Truly Valid For Your ISC Exam! [Q133-Q153]

How to earn ACSA credential?

The candidate must earn 40 continuing education units (CEUs) for the ACSA credential. The CEUs may be earned through participation in the ISSA-certified training course, obtaining CEUs from any other Information Systems Security Association (ISSA) member, obtaining certification credits for passing the exam, or through participating in many other online sites.

The Associate level requires passing one exam to achieve. The ACSA credential is defined as conforming to the requirements of NCEES, the American Society for Testing and Materials (ASTM), and the International Information Systems Security Certification Consortium (ISC). Passing this exam does not qualify a candidate for any CISSP certification, nor does it make an individual eligible for any other ISC credential. The test will not earn a valid CISSP certification.


ISC CISSP certification is a prestigious credential that demonstrates an individual's commitment to the field of information security. It is a challenging certification to obtain, but the benefits are well worth the effort. With the demand for cybersecurity professionals on the rise, obtaining a CISSP certification can open up many rewarding career opportunities.

 

NEW QUESTION # 133
What enables users to validate each other's certificate when they are certified under different certification hierarchies?

  • A. Redundant certification authorities
  • B. Root certification authorities
  • C. Cross-certification
  • D. Multiple certificates

Answer: C

Explanation:
Cross certification allows entities in one public key infrastructure (PKI) to trust entities in another PKI. This mutual trust relationship is typically supported by a cross-certification agreement between the certification authorities (CAs) in each PKI. This agreement determines the responsibilities and liability of each party. A mutual trust relationship between two CAs requires that each CA issue a certificate to the other to establish the relationship in both directions. The path of trust is not hierarchal even though the separate PKIs may be certificate hierarchies.
Incorrect Answers:
A: Redundant certification authorities will not allow users to validate each other's certificate when they are certified under different certification hierarchies.
B: A root certification authority is identified by a root certificate, which is an unsigned or a self-signed public key certificate.
D: Multiple certificates will not allow users to validate each other's certificate when they are certified under different certification hierarchies.
References:
https://msdn.microsoft.com/en-us/library/windows/desktop/bb540800(v=vs.85).aspx
https://en.wikipedia.org/wiki/Root_certificate


NEW QUESTION # 134
Which of the following questions is less likely to help in assessing controls over hardware and software maintenance?

  • A. Are integrity verification programs used by applications to look for evidences of data tampering, errors, and omissions?
  • B. Is there version control?
  • C. Is access to all program libraries restricted and controlled?
  • D. Are system components tested, documented, and approved prior to promotion to production?

Answer: A


NEW QUESTION # 135
Which of the following encryption methods is known to be unbreakable?

  • A. Elliptic Curve Cryptography.
  • B. DES codebooks.
  • C. Symmetric ciphers.
  • D. One-time pads.

Answer: D

Explanation:
The one-time pad encryption scheme is considered unbreakable only if:
  • The pad is used only one time.
  • The pad is as long as the message.
  • The pad is securely distributed and protected at its destination.
  • The pad is made up of truly random values.

Incorrect Answers:
A: Elliptic curve cryptography is not known to be unbreakable, as it is susceptible to a modified Shor's algorithm for solving the discrete logarithm problem on elliptic curves.
B, C: DES electronic code books and symmetric ciphers are part of symmetric encryption, which is susceptible to brute force and cryptanalysis attacks.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, pp. 771-773
http://www.encryptionanddecryption.com/encryption/symmetric_encryption.html
https://en.wikipedia.org/wiki/Elliptic_curve_cryptography#Security
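The four conditions above can be enforced in code. The following is an added Go example, not code from the page or its references: it draws the pad from the OS random source, refuses a message longer than the remaining pad, consumes pad bytes so they can never be reused, and shows why the first rule exists: if one pad segment encrypts two messages, XORing the two ciphertexts cancels the pad and leaves only the XOR of the two plaintexts. The sample messages are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"errors"
	"fmt"
)

// Pad is a one-time pad: truly random bytes that are consumed as they are
// used, so the same key material can never encrypt two messages.
type Pad struct{ key []byte }

// NewPad draws n random bytes from the operating system's CSPRNG.
func NewPad(n int) (*Pad, error) {
	k := make([]byte, n)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &Pad{key: k}, nil
}

// Seal XORs msg with the next len(msg) pad bytes and returns the segment it
// used, so a receiver holding an identical pad can decrypt. It refuses to
// run when the remaining pad is shorter than the message.
func (p *Pad) Seal(msg []byte) (ct, used []byte, err error) {
	if len(msg) > len(p.key) {
		return nil, nil, errors.New("pad exhausted: the pad must be at least as long as the message")
	}
	used, p.key = p.key[:len(msg)], p.key[len(msg):] // consume; never reusable
	return xor(msg, used), used, nil
}

// Open decrypts with the pad segment the sender used.
func Open(ct, used []byte) []byte { return xor(ct, used) }

func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// PadReuseLeak shows the failure mode behind the "used only one time" rule:
// encrypting p1 and p2 under the same segment and XORing the ciphertexts
// cancels the pad, leaving p1 XOR p2, which depends only on the plaintexts.
func PadReuseLeak(p1, p2, segment []byte) (leak []byte, equalsPlaintextXor bool) {
	c1, c2 := xor(p1, segment), xor(p2, segment)
	leak = xor(c1, c2)
	return leak, bytes.Equal(leak, xor(p1, p2))
}

func main() {
	pad, _ := NewPad(64)
	ct, used, _ := pad.Seal([]byte("transfer approved")) // constructed sample
	fmt.Printf("ciphertext %x\nplaintext  %q\n", ct, Open(ct, used))
	_, leaks := PadReuseLeak([]byte("attack at dawn"), []byte("attack at dusk"), used[:14])
	fmt.Println("pad reused -> ciphertext XOR equals plaintext XOR:", leaks)
}
```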


NEW QUESTION # 136
A security practitioner has just been assigned to address an ongoing Denial of Service (DoS) attack against the company's network, which includes an e-commerce web site. The strategy has to include defenses for any size of attack without rendering the company network unusable. Which of the following should be a PRIMARY concern when addressing this issue?

  • A. Ensure the web sites are properly backed up on a daily basis.
  • B. Deal with end user education and training.
  • C. Allow legitimate connections while blocking malicious connections.
  • D. Pay more for a dedicated path to the Internet.

Answer: C



NEW QUESTION # 137
Which of the following is the BEST method a security practitioner can use to ensure that systems and sub-systems gracefully handle invalid input?

  • A. Acceptance testing
  • B. Negative testing
  • C. Unit testing
  • D. Integration testing

Answer: D


NEW QUESTION # 138
Which access control model achieves data integrity through well-formed transactions and separation of duties?

  • A. Sutherland model
  • B. Biba model
  • C. Non-interference model
  • D. Clark-Wilson model

Answer: D

Explanation:
The Clark-Wilson model differs from other models that are subject- and object-oriented by introducing a third access element, programs, resulting in what is called an access triple, which prevents unauthorized users from modifying data or programs. The Biba model uses objects and subjects and addresses integrity based on a hierarchical lattice of integrity levels. The non-interference model is related to the information flow model with restrictions on the information flow. The Sutherland model approaches integrity by focusing on the problem of inference.
Source: ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 2: Access Control Systems and Methodology (page 12).
And: KRAUSE, Micki & TIPTON, Harold F., Handbook of Information Security Management, CRC Press, 1997, Domain 1: Access Control.


NEW QUESTION # 139
What is one way to mitigate the risk of security flaws in custom software?

  • A. Include security language in the Earned Value Management (EVM) contract
  • B. Include security assurance clauses in the Service Level Agreement (SLA)
  • C. Purchase only software with no open source Application Programming Interfaces (APIs)
  • D. Purchase only Commercial Off-The-Shelf (COTS) products

Answer: B


NEW QUESTION # 140
What is the BEST way to encrypt web application communications?

  • A. Secure Hash Algorithm 1 (SHA-1)
  • B. Transport Layer Security (TLS)
  • C. Cipher Block Chaining Message Authentication Code (CBC-MAC)
  • D. Secure Sockets Layer (SSL)

Answer: B



NEW QUESTION # 141
A momentary high voltage is a:

  • A. blackout
  • B. spike
  • C. fault
  • D. surge

Answer: B

Explanation:
Interference interrupts the flow of an electrical current, and fluctuations can actually deliver a different level of voltage than what was expected. Each fluctuation can be damaging to devices and people.
The following are the types of voltage fluctuation possible with electric power:
Power excess:
  • Spike: momentary high voltage
  • Surge: prolonged high voltage
Power loss:
  • Fault: momentary power outage
  • Blackout: prolonged, complete loss of electric power
Power degradation:
  • Sag/dip: momentary low-voltage condition, from one cycle to a few seconds
  • Brownout: prolonged power supply that is below normal voltage
  • In-rush current: initial surge of current required to start a load

Incorrect Answers:
A: A blackout is a prolonged complete loss of power, not a momentary high voltage. Therefore, this answer is incorrect.
C: A fault is a momentary power outage, not a momentary high voltage. Therefore, this answer is incorrect.
D: A surge is prolonged high voltage, not a momentary high voltage. Therefore, this answer is incorrect.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, pp. 462-463


NEW QUESTION # 142
At which of the basic phases of the System Development Life Cycle are security requirements formalized?

  • A. Development and Implementation
  • B. Functional Requirements Definition
  • C. Disposal
  • D. System Design Specifications

Answer: B

Explanation:
During the Functional Requirements Definition the project management and systems development teams will conduct a comprehensive analysis of current and possible future functional requirements to ensure that the new system will meet end-user needs.
The teams also review the documents from the project initiation phase and make any revisions or updates as needed. For smaller projects, this phase is often subsumed in the project initiation phase. At this point security requirements should be formalized.
The Development Life Cycle is a project management tool that can be used to plan, execute, and control a software development project, usually called the Systems Development Life Cycle (SDLC).
The SDLC is a process that includes systems analysts, software engineers, programmers, and end users in the project design and development. Because there is no industry-wide SDLC, an organization can use any one, or a combination, of SDLC methods.
The SDLC simply provides a framework for the phases of a software development project from defining the functional requirements to implementation. Regardless of the method used, the SDLC outlines the essential phases, which can be shown together or as separate elements. The model chosen should be based on the project.
For example, some models work better with long-term, complex projects, while others are more suited for short-term projects. The key element is that a formalized SDLC is utilized.
The number of phases can range from three basic phases (concept, design, and implement) on up.
The basic phases of SDLC are:
Project initiation and planning
Functional requirements definition
System design specifications
Development and implementation
Documentation and common program controls
Testing and evaluation control, (certification and accreditation)
Transition to production (implementation)
The system life cycle (SLC) extends beyond the SDLC to include two additional phases:
Operations and maintenance support (post-installation)
Revisions and system replacement
System Design Specifications
This phase includes all activities related to designing the system and software. In this phase, the system architecture, system outputs, and system interfaces are designed. Data input, data flow, and output requirements are established and security features are designed, generally based on the overall security architecture for the company.
Development and Implementation
During this phase, the source code is generated, test scenarios and test cases are developed, unit and integration testing is conducted, and the program and system are documented for maintenance and for turnover to acceptance testing and production. As well as general care for software quality, reliability, and consistency of operation, particular care should be taken to ensure that the code is analyzed to eliminate common vulnerabilities that might lead to security exploits and other risks.
Documentation and Common Program Controls
These are controls used when editing the data within the program, the types of logging the program should be doing, and how the program versions should be stored. A large number of such controls may be needed, see the reference below for a full list of controls.
Acceptance
In the acceptance phase, preferably an independent group develops test data and tests the code to ensure that it will function within the organization's environment and that it meets all the functional and security requirements. It is essential that an independent group test the code during all applicable stages of development to prevent a separation of duties issue. The goal of security testing is to ensure that the application meets its security requirements and specifications. The security testing should uncover all design and implementation flaws that would allow a user to violate the software security policy and requirements. To ensure test validity, the application should be tested in an environment that simulates the production environment. This should include a security certification package and any user documentation.
Certification and Accreditation (Security Authorization)
Certification is the process of evaluating the security stance of the software or system against a predetermined set of security standards or policies. Certification also examines how well the system performs its intended functional requirements. The certification or evaluation document should contain an analysis of the technical and nontechnical security features and countermeasures and the extent to which the software or system meets the security requirements for its mission and operational environment.
Transition to Production (Implementation)
During this phase, the new system is transitioned from the acceptance phase into the live production environment. Activities during this phase include obtaining security accreditation; training the new users according to the implementation and training schedules; implementing the system, including installation and data conversions; and, if necessary, conducting any parallel operations.
Revisions and System Replacement
As systems are in production mode, the hardware and software baselines should be subject to periodic evaluations and audits. In some instances, problems with the application may not be defects or flaws, but rather additional functions not currently developed in the application. Any changes to the application must follow the same SDLC and be recorded in a change management system. Revision reviews should include security planning and procedures to avoid future problems. Periodic application audits should be conducted and include documenting security incidents when problems occur. Documenting system failures is a valuable resource for justifying future system enhancements.
Below you have the phases used by NIST in its 800-63 Revision 2 document.
As noted above, the phases will vary from one document to another. For the purpose of the exam, use the list provided in the official ISC2 Study book, which is presented in short form above. Refer to the book for a more detailed description of activities at each of the phases of the SDLC.
However, all references have very similar steps. As mentioned in the official book, it could be as simple as three phases in its most basic version (concept, design, and implement) or a lot more in more detailed versions of the SDLC.
The key thing is to make use of an SDLC.
(Figure: SDLC phases)
Reference(s) used for this question:
NIST SP 800-64 Revision 2 at http://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-Revision2.pdf
and
Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition: Software Development Security ((ISC)2 Press) (Kindle Locations 134-157). Auerbach Publications. Kindle Edition.


NEW QUESTION # 143
Which of the following would best describe certificate path validation?

  • A. Verification of the validity of all certificates of the certificate chain to the root certificate
  • B. Verification of the integrity of the concerned private key
  • C. Verification of the revocation status of the concerned certificate
  • D. Verification of the integrity of the associated root certificate

Answer: A

Explanation:
The certification path validation algorithm is the algorithm which verifies that a given certificate path is valid under a given public key infrastructure (PKI). A path starts with the Subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted Certification Authority (CA).
Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate that is not already explicitly trusted. For example, in a hierarchical PKI, a certificate chain starting with a web server certificate might lead to a small CA, then to an intermediate CA, then to a large CA whose trust anchor is present in the relying party's web browser.
Incorrect Answers:
B: Certificate path validation is not verification of the integrity of the concerned private key.
C: Certificate path validation is not verification of the revocation status of the concerned certificate; this is a Certificate Revocation Check.
D: Certificate path validation is not verification of the integrity of the associated root certificate.
References:
https://en.wikipedia.org/wiki/Certification_path_validation_algorithm
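As an added illustration of both path validation (this question) and cross-certification (question 133), and not code from the page or its references, the following Go program builds two independent hierarchies with the standard library's crypto/x509 package and reports which paths a relying party accepts: the chain through its own root, the same chain with the intermediate missing, the chain against a foreign root, and the chain against that foreign root once the foreign root has issued a cross-certificate for the first root's key. The CA names, the server name and the ed25519 keys are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func newKey() ed25519.PrivateKey {
	_, k, _ := ed25519.GenerateKey(rand.Reader)
	return k
}

// issue returns a certificate binding pub to the common name cn, signed with
// signer's key under parent. A nil parent makes it self-signed (a root CA).
func issue(cn string, isCA bool, pub any, parent *x509.Certificate, signer ed25519.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo only, not a real serial scheme
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// validatePath is the relying party's check: the leaf is accepted only if a
// chain through the supplied intermediates reaches a trust anchor in roots,
// with every signature, validity period and CA constraint holding.
func validatePath(leaf *x509.Certificate, intermediates, roots []*x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	for _, c := range roots {
		opts.Roots.AddCert(c)
	}
	for _, c := range intermediates {
		opts.Intermediates.AddCert(c)
	}
	_, err := leaf.Verify(opts)
	return err
}

// Scenarios builds two independent hierarchies (PKI A and PKI B) and reports
// which validation attempts a relying party would accept.
func Scenarios() map[string]bool {
	rootAKey, interAKey, leafAKey, rootBKey := newKey(), newKey(), newKey(), newKey()
	rootA := issue("Root A", true, rootAKey.Public(), nil, rootAKey)
	interA := issue("Intermediate A", true, interAKey.Public(), rootA, rootAKey)
	leafA := issue("server.example", false, leafAKey.Public(), interA, interAKey)
	rootB := issue("Root B", true, rootBKey.Public(), nil, rootBKey)
	// Cross-certificate: Root B certifies Root A's public key, so a party that
	// trusts only Root B can reach PKI A's subscribers through it.
	crossBtoA := issue("Root A", true, rootAKey.Public(), rootB, rootBKey)
	certs := func(c ...*x509.Certificate) []*x509.Certificate { return c }
	return map[string]bool{
		"full chain to own root":      validatePath(leafA, certs(interA), certs(rootA)) == nil,
		"intermediate missing":        validatePath(leafA, certs(), certs(rootA)) == nil,
		"foreign root, no cross-cert": validatePath(leafA, certs(interA), certs(rootB)) == nil,
		"foreign root via cross-cert": validatePath(leafA, certs(interA, crossBtoA), certs(rootB)) == nil,
	}
}

func main() { fmt.Println(Scenarios()) }
```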


NEW QUESTION # 144
A large manufacturing organization arranges to buy an industrial machine system to produce a new line of products. The system includes software provided to the vendor by a third-party organization. The financial risk to the manufacturing organization starting production is high. What step should the manufacturing organization take to minimize its financial risk in the new venture prior to the purchase?

  • A. Calculate the possible loss in revenue to the organization due to software bugs and vulnerabilities, and compare that to the system's overall price.
  • B. Place the machine behind a Layer 3 firewall.
  • C. Hire a performance tester to execute offline tests on a system.
  • D. Require that the software be thoroughly tested by an accredited independent software testing company.

Answer: D

Explanation:
The best step the manufacturing organization can take to minimize its financial risk in the new venture prior to the purchase is to require that the software be thoroughly tested by an accredited independent software testing company, because this will ensure that the software meets the quality, functionality, reliability, and security requirements of the organization, and that any defects or vulnerabilities are identified and fixed before the production starts. Hiring a performance tester to execute offline tests on a system, calculating the possible loss in revenue due to software bugs and vulnerabilities, and placing the machine behind a Layer 3 firewall are all good practices, but they are not sufficient to minimize the financial risk, as they do not address the root cause of the software problems, and they may not detect all the issues that could affect the production.
References: CISSP Official Study Guide, 9th Edition, page 1019; CISSP All-in-One Exam Guide, 8th Edition, page 1098


NEW QUESTION # 145
What is the effective key size of DES?

  • A. 1024 bits
  • B. 128 bits
  • C. 64 bits
  • D. 56 bits

Answer: D

Explanation:
Data Encryption Standard (DES) is a symmetric key algorithm. Originally developed by IBM, under the project name Lucifer, this 128-bit algorithm was accepted by the NIST in 1974, but the total key size was reduced to 64 bits, 56 of which make up the effective key, plus an extra 8 bits for parity. It somehow became a national cryptographic standard in 1977, and an American National Standards Institute (ANSI) standard in 1978. DES was later replaced by the Advanced Encryption Standard (AES) by the NIST. Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 8: Cryptography (page 525).


NEW QUESTION # 146
Which one of the following is an asymmetric algorithm?

  • A. Knapsack
  • B. Data Encryption Standard
  • C. Enigma
  • D. Data Encryption Algorithm.

Answer: A

Explanation:
Merkle-Hellman Knapsack is a Public Key Algorithm Pg 206 Krutz: CISSP Prep Guide: Gold Edition.
Not D:
"DES describes the Data Encryption Algorithm (DEA) and is the name of the Federal Information Processing Standard (FIPS) 46-1 that was adopted in 1977..." pg 195 Krutz: CISSP Prep Guide: Gold Edition.
Not B:
"The best-known symmetric key system is probably the Data Encryption Standard (DES)." pg 195 Krutz: CISSP Prep Guide: Gold Edition.
Not C:
"The German military used a polyalphabetic substitution cipher machine called the Enigma as its principal encipherment system during World War II." Pg 185 Krutz: CISSP Prep Guide: Gold Edition.


NEW QUESTION # 147
The Information Technology Security Evaluation Criteria (ITSEC) was written to address which of the following that the Orange Book did not address?

  • A. integrity and confidentiality
  • B. integrity and availability
  • C. none of the above
  • D. confidentiality and availability

Answer: B

Explanation:
A difference between ITSEC and TCSEC is that TCSEC bundles functionality and assurance into one rating, whereas ITSEC evaluates these two attributes separately. The other differences are that ITSEC was developed to provide more flexibility than TCSEC, and ITSEC addresses integrity, availability, and confidentiality, whereas TCSEC addresses only confidentiality. ITSEC also addresses networked systems, whereas TCSEC deals with stand-alone systems.
Incorrect Answers:
A, D: Both ITSEC and TCSEC address confidentiality.
C: One of the answers given is correct.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 401


NEW QUESTION # 148
What kind of encryption is realized in the S/MIME-standard?

  • A. Public key based, hybrid encryption scheme
  • B. Asymmetric encryption scheme
  • C. Elliptic curve based encryption
  • D. Password based encryption scheme

Answer: A

Explanation:
S/MIME (for Secure MIME, or Secure Multipurpose Mail Extension) is a security process used for e-mail exchanges that makes it possible to guarantee the confidentiality and non-repudiation of electronic messages. S/MIME is based on the MIME standard, the goal of which is to let users attach files other than ASCII text files to electronic messages. The MIME standard therefore makes it possible to attach all types of files to e-mails. S/MIME was originally developed by the company RSA Data Security. Ratified in July 1999 by the IETF, S/MIME has become a standard, whose specifications are contained in RFCs 2630 to 2633.
How S/MIME works
The S/MIME standard is based on the principle of public-key encryption. S/MIME therefore makes it possible to encrypt the content of messages but does not encrypt the communication.
The various sections of an electronic message, encoded according to the MIME standard, are each encrypted using a session key.
The session key is inserted in each section's header, and is encrypted using the recipient's public key. Only the recipient can open the message's body, using his private key, which guarantees the confidentiality and integrity of the received message.
In addition, the message's signature is encrypted with the sender's private key. Anyone intercepting the communication can read the content of the message's signature, but this ensures the recipient of the sender's identity, since only the sender is capable of encrypting a message (with his private key) that can be decrypted with his public key.
Reference(s) used for this question:
http://en.kioskea.net/contents/139-cryptography-s-mime
RFC 2630: Cryptographic Message Syntax;
OPPLIGER, Rolf, Secure Messaging with PGP and S/MIME, 2000, Artech House;
HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 2001, McGraw-Hill/Osborne, page 570;
SMITH, Richard E., Internet Cryptography, 1997, Addison-Wesley Pub Co.
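The layering described above, as an added Go example that is not part of the original page or of any S/MIME implementation: a fresh AES-256-GCM session key encrypts the message section, RSA-OAEP under the recipient's public key wraps that session key, and an RSA-PSS signature made with the sender's private key covers the ciphertext, which is what "encrypting the signature with the sender's private key" amounts to in practice. The 2048-bit keys and the sample message are constructed for the demo; real S/MIME carries these pieces inside CMS (RFC 2630) structures, which this example omits.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope holds one protected message section.
type Envelope struct {
	WrappedKey []byte // session key encrypted with the recipient's RSA public key (OAEP)
	Nonce      []byte // AES-GCM nonce for this section
	Body       []byte // AES-GCM ciphertext of the section
	Signature  []byte // sender's RSA-PSS signature over SHA-256(nonce || body)
}

func sectionDigest(nonce, body []byte) []byte {
	d := sha256.Sum256(append(append([]byte{}, nonce...), body...))
	return d[:]
}

// Seal encrypts msg for recipient and signs it as sender.
func Seal(msg []byte, recipient *rsa.PublicKey, sender *rsa.PrivateKey) (*Envelope, error) {
	session := make([]byte, 32) // fresh AES-256 key, used for this section only
	if _, err := rand.Read(session); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(session)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	body := gcm.Seal(nil, nonce, msg, nil)
	// Only the holder of the recipient's private key can recover the session key.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, session, nil)
	if err != nil {
		return nil, err
	}
	// Only the holder of the sender's private key can produce this signature.
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, sectionDigest(nonce, body), nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Body: body, Signature: sig}, nil
}

// Open checks the sender's signature first, then unwraps the session key with
// the recipient's private key and decrypts the section.
func Open(e *Envelope, recipient *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	if err := rsa.VerifyPSS(sender, crypto.SHA256, sectionDigest(e.Nonce, e.Body), e.Signature, nil); err != nil {
		return nil, errors.New("signature does not verify: sender identity not established")
	}
	session, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, e.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(session)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, e.Nonce, e.Body, nil) // fails if the body was altered
}

func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048) // sender (constructed for the demo)
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)   // recipient
	env, _ := Seal([]byte("invoice attached"), &bob.PublicKey, alice)
	pt, err := Open(env, bob, &alice.PublicKey)
	fmt.Printf("%q %v\n", pt, err)
}
```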


NEW QUESTION # 149
Which of the following is an example of an active attack? Select one.

  • A. Shoulder surfing
  • B. Masquerading
  • C. Traffic analysis
  • D. Eavesdropping

Answer: B

Explanation:
Shoulder surfing is passive, like eavesdropping and traffic analysis. Masquerading is the only option in which the attacker actively does something, altering the interaction rather than merely observing it.


NEW QUESTION # 150
Examine the following characteristics and identify which answer best indicates the likely cause of this behavior:
  • Core operating system files are hidden
  • Backdoor access for attackers to return
  • Permissions changing on key files
  • A suspicious device driver
  • Encryption applied to certain files without explanation
  • Logfiles being wiped

  • A. Malware
  • B. Kernel-mode Badware
  • C. User-mode Rootkit
  • D. Kernel-mode Rootkit

Answer: D

Explanation:
A rootkit is a set of tools placed on a system that has already been compromised. The attacker usually replaces default system tools with compromised tools, which share the same name. Most rootkits contain sniffers, so the data can be captured and reviewed by the attacker; and "log scrubbers," which remove traces of the attacker's activities from the system logs.
Incorrect Answers:
A: Malware is a very broad term that describes any software that is written to do something nefarious.
B: Kernel-mode Badware is not a valid computer term.
C: A user-level rootkit does not have as much access or privilege compared to a kernel-level rootkit and would not include device drivers.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, pp. 1202-1204


NEW QUESTION # 151
Intellectual property rights are PRIMARILY concerned with which of the following?

  • A. Owner's ability to realize financial gain
  • B. Owner's ability to maintain copyright
  • C. Right of the owner to enjoy their creation
  • D. Right of the owner to control delivery method

Answer: D


NEW QUESTION # 152
What best describes a scenario when an employee has been shaving off pennies from multiple accounts and depositing the funds into his own bank account?

  • A. Trojan horses
  • B. Salami techniques
  • C. Data diddling
  • D. Data fiddling

Answer: B

