Practice Exam I
You will have 90 minutes to complete this exam, which consists of 60 questions. The actual exam requires a minimum passing score of 700 out of 1,000. Ensure you read each question, looking for details that would rule out any of the answers. Many times there will be two or more correct answers; however, there is only one best answer that can be selected. This is a reflection of the real world, where the CISSP often has several options to secure his/her network but one best option. Such is the case when choosing the best encryption to secure data or wireless networks.
Remember that the CISSP exam asks many conceptual questions that may not have a perfect answer. In that case, choose the most correct answer. Leaving a question blank will count against you, so you are always better off taking your best guess. The exam may present you with drag-and-drop questions, or scenarios, or offer figures or diagrams. Examine each question carefully. It’s best to work through the entire test once, answering the questions that you can easily answer. On the second pass, work on the more difficult questions. Others that you have already answered could help you answer the remaining questions.
Practice Exam Questions
1. What type of access control features security labels?
A. Restricted access control
B. Discretionary access control
C. Mandatory access control
D. Role-based access control
2. Information security models bridge the gap between access control concepts and implementation of the concepts through the operating system. Place the following models into the category that best describes their design. Some categories may or may not be used.
A. Biba
B. Clark-Wilson
C. Bell-LaPadula
D. Brewer-Nash
3. What form of biometric system analyzes the features that exist in the colored tissue surrounding the pupil to validate access?
A. Retina
B. Cornea
C. Iris
D. Optic nerve
4. What is the most important item to consider when examining biometric systems?
A. The crossover acceptance rate—the lower the number, the better the biometric system
B. The crossover error rate—the higher the number, the better the biometric system
C. The crossover acceptance rate—the lower the number, the better the biometric system
D. The crossover error rate—the lower the number, the better the biometric system
5. You have been asked to help with an authentication problem that was reported after moving to biometric authentication. One of your company’s employees enrolled with a fingerprint reader and was able to authenticate for several weeks using the new system. Then, one day, the employee complained that after cutting his finger he could no longer authenticate and received a “Type 1” error. What is most likely the problem?
A. The system does not examine enough information to determine the user.
B. Fingerprint readers are not very good at handling type 1 errors by nature, since these are very dynamic.
C. Fingerprint readers are not very good at handling type 1 errors by nature, since they have high cross-over error rates.
D. The system examines too much information and needs to be configured to be less sensitive.
6. What height of fence will deter only casual trespassers?
A. 2–3 feet
B. 3–4 feet
C. 4–5 feet
D. 5–7 feet
7. When discussing policies and procedures, who is strictly responsible for the protection of the company’s assets and data?
A. User
B. Data owner
C. Data custodian
D. Security auditor
8. Which of the following is considered a flaw, loophole, oversight, or error that makes the organization susceptible to attack or damage?
A. Risk
B. Vulnerability
C. Exposure
D. Threat
9. Which of the following are the correct steps involved in determining the single loss expectancy?
A. Single loss expectancy = Asset value / Exposure factor
B. Single loss expectancy = Asset value × Exposure factor
C. Single loss expectancy = Risk / Exposure factor
D. Single loss expectancy = Vulnerability × Exposure factor
10. Estimating potential loss is an important task of CISSP-certified professionals. In order, which of the following are the steps used to perform a quantitative assessment?
A. Estimate potential losses, perform a vulnerability assessment, and determine annual loss expectancy.
B. Estimate potential losses, conduct a threat analysis, and rank losses as high, medium, or low.
C. Assemble a team, prepare a matrix of critical systems and services, and rank losses as high, medium, or low.
D. Estimate potential losses, conduct a threat analysis, and determine annual loss expectancy.
11. What is the Delphi Technique an example of?
A. A BCP analysis technique
B. A quantitative assessment technique
C. A DRP analysis technique
D. A qualitative assessment technique
12. What is the formula for total risk?
A. (Threat – Countermeasure) / Asset value = Total risk
B. (Threat – Countermeasure) × Asset value = Total risk
C. Threat × Vulnerability × Asset value = Total risk
D. Threat × Vulnerability / Asset value = Total risk
13. What method of dealing with risk occurs when individuals do a cost-benefit analysis and determine that the cost of the benefits outweigh the cost of the potential loss?
A. Risk reduction
B. Risk rejection
C. Risk transference
D. Risk acceptance
14. The security kernel is found at what protection ring level?
A. Ring 0
B. Ring 1
C. Ring 2
D. Ring 4
15. You have been brought in as a consultant for a small local startup firm. They have provided you the diagram shown below. Initially they want to connect to remote sites but would like to plan for remote user access in the future. With this in mind how do you advise them as to which VPN method is less likely to work through NAT?
NAT Tunnel
A. IPsec transport mode
B. IPsec tunnel with AH
C. IPsec tunnel with ESP
D. Suggest they use PPTP
16. Which of the following are considered temporary storage units within the CPU?
A. I/O buffer
B. Registers
C. Control circuitry
D. ALU
17. Confidentiality and integrity are important concepts when discussing security models. Which of the following was one the first models developed to address only one goal of integrity?
A. Biba
B. Clark-Wilson
C. Brewer and Nash
D. Chinese Wall
18. Which of the following is considered the first security model to be based on confidentiality?
A. Biba
B. Bell-LaPadula
C. Graham-Denning
D. Clark-Wilson
19. What country-specific standard was developed to evaluate integrity of individual systems and is broken into four categories?
A. ITSEC
B. TCSEC
C. Common Criteria
D. CTCPEC
20. You are a consultant for a contractor that is doing work for an individual government agency; the government requires that all people must have a clearance for most restricted information in the information systems, and a valid need to know. All people do not have to have a clearance for all information in the information system. What mode of security do you recommend for the GSA contractor?
A. Dedicated security mode
B. System high security mode
C. Compartmented security mode
D. Multi-level security mode
21. When using PKI there are two methods by which you can handle revocation of certificates, as shown in the following diagram. When using Online Certificate Status Protocol (OCSP), messages are encoded and typically transmitted over HTTP. When compared to certificate revocation lists (CRLs), which of the following is not true?
PKI
A. Does not mandate encryption
B. Contains more information than a typical CRL
C. Discloses that a particular network host used a particular certificate at a particular time
D. Places less burden on client resources
22. You have been asked to examine a database to evaluate referential integrity. Which of the following should you review?
A. Field
B. Aggregation
C. Composite key
D. Foreign key
23. Which of the following wireless standards uses frequency-hopping spread spectrum (FHSS) by default?
A. Bluetooth
B. 802.11a
C. 802.11b
D. 802.11g
24. Which of the following is the original technique used to digitize voice with 8 bits of sampling 8,000 times per second, which yields 64Kbps for one voice channel?
A. DAT
B. CDMA
C. PCM
D. GSM
25. How many DS0 channels are bundled to make a T1?
A. 18
B. 21
C. 24
D. 32
26. Which of the following protocols was developed in the mid-1970s for use in Systems Network Architecture (SNA) environments?
A. SDLC
B. ISDN
C. LAP-B
D. X.25
27. Which of the following best defines transaction persistence?
A. Database transactions should be all or nothing to protect the integrity of the database.
B. The database should be in a consistent state, and there should not be a risk of integrity problems.
C. The database should be the same before and after a transaction has occurred.
D. Databases should be available to multiple users at the same time without endangering the integrity of the data.
28. What is the capability to combine data from separate sources to gain information?
A. Metadata
B. Inference
C. Aggregation
D. Deadlocking
29. Ted considers himself a skillful hacker. He has devised a way to replace the existing startup programs between the moment that the system boots yet before the system actually executes these programs. He believes that if he can perfect his attack, he can gain control of the system. What type of attack is described here?
A. Synchronous attack
B. TOC/TOU attack
C. DCOM attack
D. Smurf attack
30. Which of the following is evidence that is not based on personal knowledge but that was told to the witness?
A. Best evidence
B. Secondary evidence
C. Conclusive evidence
D. Hearsay evidence
31. Which mode of DES functions by means of taking each block of cipher text and XORing it with the next plain text block to be encrypted, with the result being a dependency on all the previous blocks?
A. ECB
B. CBC
C. CFB
D. OFB
32. What mode of DES is susceptible to a meet-in-the-middle attack?
A. DES
B. 2DES
C. 3DES
D. 3DES EDE2
33. Which asymmetric cryptosystem is used for digital signatures?
A. DES
B. SHA1
C. Diffie-Hellman
D. ECC
34. When developing the organization’s contingency plan, which of the following should not be included in the process?
A. Damage-assessment team
B. Legal counsel
C. Salvage team
D. Red team
35. Which of the following is a valid form of attack against ARP?
A. Flooding
B. Spanning tree attack
C. Name server poisoning
D. Reverse lookups
36. Which of the following is considered an authentication type that can use smart cards and certificates?
A. CHAP
B. EAP
C. MS-CHAP
D. PAP
37. Which of the following address ranges is not listed in RFC 1918?
A. 10.0.0.0 to 10.255.255.255
B. 172.16.0.0 to 172.31.255.255
C. 172.16.0.0 to 172.63.255.255
D. 192.168.0.0 to 192.168.255.255
38. Which of the following is not a reason why email should be protected?
A. Encryption is a difficult, time-consuming process.
B. Faking email is easy.
C. Sniffing email is easy.
D. Stealing email is difficult.
39. Which of the following statements about instant messaging is incorrect?
A. No capability for scripting
B. Can bypass corporate firewalls
C. Lack of encryption
D. Insecure password management
40. ActiveX is used by which of the following technologies?
A. Java
B. CORBA
C. EJB
D. DCOM
41. Which of the following protocols is said to use “a web of trust”?
A. PKI
B. IGMP
C. PGP
D. PEM
42. Which of the following is considered the act of encouraging or inducing a person to commit a crime in order to bring criminal charges against him?
A. Inducement
B. Entrapment
C. Honeypotting
D. Enticement
43. Which of the following terms describes the coalition of nations that have been meeting since the 1970s to solve the world’s economic problems?
A. G8
B. MLAT
C. SWAT
D. UN Resolution 1154
44. Which of the following is not one of the main BCP testing strategies?
A. Partial interruption
B. Structured walk-through
C. Parallel
D. Full interruption
45. When discussing the BCP, critical resources are usually divided into five primary categories. The categories are which of the following groups?
A. Business, administrative, user, technical, and data
B. Administrative, policy, user, technical, and data
C. Business, facility and supply, user, technical, and nontechnical
D. Business, facility and supply, user, technical, and data
46. Which of the following is not one of the three layers used by the Java interpreter?
A. Java language
B. Java script
C. Java libraries
D. Java interpreter
47. Which of the following protocols is used for router multicasting?
A. ICMP
B. RIPv1
C. 224.0.0.1
D. IGMP
48. VoIP uses which of the following because network congestion can be such a critical problem?
A. Time-division multiplexing
B. TCP protocol
C. VLANs technology
D. Isochronous design
49. Which of the following is considered a network technology based on transferring data in cells or packets of a fixed size?
A. ATM
B. ISDN
C. SMDS
D. Frame Relay
50. WEP has vulnerabilities. Which of the following is not a reason why it is vulnerable?
A. Shared WEP keys among all clients
B. An RC4 engine not properly initialized
C. 20-bit initialization vector
D. 40-bit WEP keys
51. You are an advisory board member for a local charity. The charity has been given a new server, and members plan to use it to connect their 24 client computers to the Internet for email access. Currently, none of these computers has antivirus software installed. Your research indicates that there is a 95% chance these systems will become infected after email is in use. A local vendor has offered to sell 25 copies of antivirus software to the nonprofit organization for $400. Even though the nonprofit’s 10 paid employees make only about $9 an hour, there’s a good chance that a virus could bring down the network for an entire day. They would like you to tell them what the ALE for this proposed change would be. How will you answer them?
A. $423
B. $950
C. $720
D. $684
52. A Common Criteria rating of “structurally tested” means the design meets what level of verification?
A. EAL 1
B. EAL 2
C. EAL 4
D. EAL 5
53. Which of the following is not a valid Red Book rating?
A. A1
B. B2
C. C1
D. C2
54. What Bell-LaPadula model rule states that someone at one security level cannot write information to a lower security level?
A. Star * property
B. Simple security rule
C. Simple integrity property
D. Strong star rule
55. You are an advisory board member for a organization that has decided to go forward with a proposed Internet and email connectivity project. Here are the projected details:
24 computers connected to the Internet
95% probability of virus infection
10 paid employees who make $9 an hour
A successful virus outage could bring down the network for an entire day
25 copies of antivirus software will cost the nonprofit $399
The CEO would like to know how much money, if any, will be saved through the purchase of antivirus software. How much money will be saved?
A. $218
B. $285
C. $380
D. $490
56. Which of the following is considered the first line of defense against human attack?
A. Cryptography
B. Physical security
C. Business continuity planning
D. Policies
57. HVAC should provide which of the following?
A. HVAC should be a closed-loop system with negative pressurization.
B. HVAC should be an open-loop system with positive pressurization.
C. HVAC should be an open-loop system with negative pressurization.
D. HVAC should be a closed-loop system with positive pressurization.
58. Which of the following types of fire detectors uses rate-of-rise sensors?
A. Flame-activated
B. Heat-activated
C. Smoke-activated
D. Ion-activated
59. A fire caused by electrical equipment is considered which class of fire?
A. D
B. C
C. B
D. A
60. While Jim was examining the clapper valve of a failed fire suppression system on the loading dock, he started to wonder whether he installed the right fire suppression system. The facility is unheated and located in a major city in the northeastern United States. Based on this information, which system would you recommend to Jim?
A. Deluge
B. Wet pipe
C. Preaction
D. Dry pipe