Practice Exam II

You will have 90 minutes to complete this exam, which consists of 60 questions. The actual CISSP exam requires a minimum passing score of 700 out of 1,000. Ensure that you read each question, looking for details that would rule out any of the possible answers. Many times there will be two or more correct answers; however, there is only one best answer, and that is the one you should select. In the real world, a security professional often has several options to secure a network, but one option is better than the others. This is the case, for example, when choosing the best encryption to secure data or wireless networks.

Remember that the CISSP exam asks many conceptual questions for which there may not be perfect answers. If you encounter such a question, choose the best answer. Leaving a question blank will count against you, so you are always better off taking a guess than leaving a question blank. The exam may present you with drag-and-drop questions or scenarios, and it may offer figures or diagrams. Examine each question carefully, and if you are taking the adaptive exam, keep in mind that once you pass a question, you cannot go back to it.

Practice Exam Questions

1. What fence height is required to prevent a determined intruder?

A. 4 feet

B. 6 feet

C. 8 feet

D. None of these answers is correct.

2. A fire caused by combustible metals would be considered which class of fire?

A. A

B. B

C. C

D. D

3. Controls should be implemented using a layered approach. Review the following diagram. Which order does the diagram most closely represent?

A. (1) Physical/preventive, (2) administrative/preventive, (3) technical/deterrent control layered approach

B. (1) Physical/preventive/deterrent, (2) technical/preventive/detective, (3) administrative/preventive layered approach

C. (1) Deterrent/preventive, (2) administrative/detective, (3) preventive training

D. (1) Physical/preventive/deterrent, (2) hardware/software preventive, (3) administrative/preventive layered approach

4. Which of the following types of card keys contains rows of copper strips?

A. Magnetic strip

B. Electronic circuit

C. Magnetic stripe

D. Active electronic

5. Tony’s company manufactures proprietary tractor-trailer tracking devices. Now that employees will be issued laptops, Tony is concerned about the loss of confidential information if an employee’s laptop is stolen. Which of the following would be the best defensive method?

A. Use integrity programs such as MD5 and SHA to verify the validity of installed programs.

B. Place labels on the laptops offering a reward for stolen or missing units.

C. Issue laptop users locking cables to secure the units and prevent their theft.

D. Encrypt the hard drives.

6. Under what conditions can halon be expected to degrade into toxic compounds?

A. At temperatures greater than 500°F

B. At temperatures greater than 900°F and concentrations greater than 10%

C. At temperatures greater than 900°F

D. At temperatures greater than 500°F and concentrations greater than 7%

7. According to NIST perimeter lighting standards, critical areas should be illuminated to what measurement?

A. 10 feet in height, with 2 foot-candles of illuminance

B. 12 feet in height, with 4 foot-candles of illuminance

C. 8 feet in height, with 2 foot-candles of illuminance

D. 8 feet in height, with 4 foot-candles of illuminance

8. What type of biometric error signifies that an authorized user has been denied legitimate access?

A. Type I

B. Type II

C. Type III

D. Type IV

9. In biometrics, the point at which the FAR equals the FRR is known as which of the following?

A. Crossover error rate

B. Error acceptance rate

C. Crossover acceptance rate

D. Failure acceptance rate

10. RSA’s SecurID is an example of which of the following?

A. SSO system

B. Synchronous authentication

C. Token authentication

D. Asynchronous authentication

11. Which of the following is a weak implementation of EAP?

A. EAP-FAST

B. LEAP

C. PEAP

D. EAP-TLS

12. When discussing the security of SSO systems, which of the following is considered a disadvantage?

A. Single sign-on involves a lot of maintenance and overhead because all systems are tied together.

B. The biggest disadvantage of single sign-on is that system time on all systems must be held to very tight standards; deviations from these standards can lead to serious access problems.

C. There are no real disadvantages to single sign-on.

D. Breaching single sign-on allows an intruder access to all systems tied to the SSO implementation.

13. Snort started as what type of system?

A. Behavior-based IPS

B. Signature-based IDS

C. Behavior-based IDS

D. Signature-based IPS

14. What type of attack is also known as a race condition?

A. Synchronous attack

B. Buffer overflow

C. Asynchronous attack

D. Scanlog attack

15. I/O drivers and utilities are typically found at what protected ring layer?

A. Layer 1

B. Layer 2

C. Layer 3

D. Layer 0

16. What type of CPU can interleave two or more programs for execution at any one time?

A. Multiprogramming

B. Multitasking

C. Multiapp

D. Multiprocessor

17. What portion of the CPU performs arithmetic and logical operations on binary data?

A. I/O buffer

B. Registers

C. Control circuit

D. ALU

18. You are a security consultant for a contracting agency. The agency chief wants to prevent subjects from writing information to a higher level than the subject’s security clearance. He also wants to ensure that subjects from a higher clearance level cannot read information at a lower level. The agency requires some type of access control model for its information systems to protect the integrity of its data. What is your best recommendation for the model to use in this case?

A. Bell-LaPadula

B. Biba

C. State machine

D. Clark-Wilson

19. How many stages are involved in the Lockheed Martin Cyber Kill Chain framework?

A. 5

B. 7

C. 4

D. 6

20. Which of the following has become a major trend in software development as an alternative or companion to virtualization?

A. Microservices

B. Serverless

C. Containerization

D. Embedded systems

21. Which of the following is considered the totality of protection mechanisms within a computer system and is responsible for enforcing security?

A. Rings of protection

B. The security kernel

C. TCB

D. Resource isolation

22. Johnny is worried that someone might be able to intercept and decrypt his VoIP phone calls. Which of the following protocols is most closely associated with VoIP?

A. SKYP

B. SLIP

C. S/MIME

D. SIP

23. Which of the following wireless standards uses direct-sequence spread spectrum (DSSS) by default?

A. Bluetooth

B. 802.11a

C. 802.11b

D. 802.11ac

24. What is a rogue AP?

A. An individual connected to an unauthorized modem

B. An unauthorized AP attached to a corporate network

C. An unauthorized modem attached to a network

D. An individual intercepting wireless traffic from inside or outside an organization

25. Which of the following is typically used with software to search for defects during various phases of the software development process to prevent issues and outages before the software is placed in production?

A. Fuzzing

B. Synthetic transactions

C. Fagan inspection

D. RASP

26. Which of the following does a T1 line use to multiplex DS0s into a composite T1?

A. Channel division

B. Frequency-hopping spread spectrum

C. Frequency division

D. Time division

27. Which of the following focuses on how to repair and restore a data center and the information at an original or new primary site?

A. BCP

B. BCM

C. DRP

D. BIA

28. What type of service is used to provide protection for source code in the event that the manufacturer declares bankruptcy or goes broke?

A. Government access to keys

B. MAD

C. Electronic vaulting

D. Software escrow

29. Which of the following describes the cooperative effort between the United States and Europe to exchange information about European citizens between European firms and North American parent corporations?

A. SB 168

B. Demar Act

C. Safe Harbor Act

D. Safety Shield Act

30. Which of the following best describes an approved type of forensic duplication?

A. Logical copy

B. Bit copy

C. Microsoft Backup

D. Xcopy

31. Which of the following best describes the SET protocol?

A. Originated by Victor Miller and Neal Koblitz for use as a digital signature cryptosystem. It is useful in applications for which memory, bandwidth, or computational power is limited.

B. Originated by MasterCard and Visa to be used on the Internet for credit card transactions. It uses digital signatures.

C. Originated by Victor Miller and Neal Koblitz for use as a key exchange cryptosystem. It is useful in applications for which memory, bandwidth, or computational power is limited.

D. Originated by MasterCard and Visa to be used on the Internet for credit card transactions. It uses the SSL protocol.

32. Which of the following information-management systems uses artificial intelligence?

A. Polyinstantiation

B. Known signature scanning

C. Application programming interface

D. Knowledge discovery in databases

33. DNS lookups that are less than 512 bytes are typically performed on which of the following protocols and ports?

A. UDP port 53

B. UDP port 69

C. TCP port 53

D. UDP port 161

34. Bob is worried that a program someone gave him at DEF CON has been altered from the original. Which of the following is a valid technique that Bob can use to verify the program’s authenticity?

A. Run AES against the program.

B. Compare the size and date with those of the version found on the developer’s website.

C. Run md5sum and check against the md5sum from developer sites.

D. Calculate a digital signature.

35. Which of the following is not an email encryption security standard?

A. IMAP

B. MOSS

C. PGP

D. PEM

36. Which of the following best describes link encryption?

A. Data is encrypted at the point of origin and is decrypted at the destination.

B. The message is decrypted and re-encrypted as it passes through each successive node, using a key common to the two nodes.

C. The KDC shares a user-unique key with each user.

D. It requires a session key that the KDC shares between the originator and the final destination.

37. Diameter uses which of the following as a base?

A. TACACS

B. TACACS+

C. RADIUS

D. Kerberos

38. The ACID test is used to describe what?

A. Behavior-based intrusion detection systems

B. Database transactions

C. Signature-based intrusion detection systems

D. The strength of a cryptographic function

39. Which fault-tolerant system can back up media in much the same way as disk striping?

A. RAID

B. RAIT

C. JBOD

D. SOAR

40. Which of the following is a stream cipher?

A. DES

B. Camellia

C. RC4

D. Twofish

41. Which of the following is considered the weakest mode of DES?

A. Electronic Code Book

B. Cipher Block Chaining

C. Cipher Feedback

D. Output Feedback

42. Which ethical standard states that “access and use of the Internet is a privilege and should be treated as such by all users”?

A. RFC 1087

B. (ISC)2 Code of Ethics

C. The Ten Commandments of Computer Ethics

D. RFC 1109

43. Which of the following would be considered the oldest and most well-known software development method?

A. Spiral

B. Clean room

C. Waterfall

D. V-shaped waterfall

44. Which of the following techniques would not be considered one of the techniques used by fileless malware?

A. RAM

B. Multipartite

C. Memory code injection

D. Windows registry manipulation

45. HTTPS uses TCP and which of the following ports?

A. 80

B. 110

C. 111

D. 443

46. Which of the following is considered the oldest type of database system?

A. Hierarchical

B. Network

C. Relational

D. Object oriented

47. The IEEE separates the OSI data link layer into two sublayers. What are they?

A. Media MAC Control and Media Access Control

B. Logical Link Control and Media Access Control

C. High-Level Data Link Control and Media MAC Control

D. Data Link Control and Media MAC Control

Questions 48 and 49 refer to the following table.

User and Object List

| Dwayne    | Object 1   | Object 2 | Object 3   |
|-----------|------------|----------|------------|
| Mike      | Write      | Read     | Read/write |
| Christine | No access  | Read     | Read       |
| Betsy     | Read/write | Read     | Read       |

48. What does the model shown in the table represent?

A. MAC

B. RBAC

C. LBAC

D. Access control matrix

49. Using the model shown in the table, Mike, Christine, Dwayne, and Betsy are _________, and Object 1, Object 2, and Object 3 are _____.

A. Objects; subjects

B. Subjects; objects

C. Names of users; resources the users access

D. Names of the users; objects the users access

50. 802.11 networks are identified by which of the following?

A. Security identifier (SID)

B. Broadcast name

C. Kismet

D. Service set identifier (SSID)

51. Which of the following refers to a dynamic, adaptive technology that leverages large-scale threat history data to proactively block and remediate future malicious attacks on a network?

A. Threat intelligence

B. Intrusion detection and prevention (IDP)

C. Security information and event management (SIEM)

D. User and entity behavior analytics (UEBA)

52. The Common Criteria rating “functionality tested” means the design meets what level of verification?

A. EAL 1

B. EAL 2

C. EAL 4

D. EAL 5

53. Which of the following is not addressed by the Clark-Wilson security model?

A. Blocking unauthorized individuals from making changes to data

B. Maintaining internal and external consistency

C. Protecting the confidentiality of information

D. Blocking authorized individuals from making unauthorized changes to data

54. Which of the following individuals would be responsible for maintaining and protecting the company’s assets and data?

A. User

B. Data owner

C. Data custodian

D. Security auditor

55. Which of the following is the proper formula for calculating ALE?

A. Single loss expectancy (SLE) × Annualized rate of occurrence (ARO)

B. Asset value × Annualized rate of occurrence (ARO)

C. Single loss expectancy (SLE) × Annualized rate of occurrence (ARO)

D. Asset value / Annualized rate of occurrence (ARO)

56. Which of the following best describes a qualitative assessment?

A. A qualitative assessment deals with real numbers and seeks to place dollar values on losses. These dollar amounts are then used to determine where to apply risk controls.

B. A qualitative assessment assigns a rating to each risk.

C. A qualitative assessment is performed by experts or external consultants who seek to place dollar values on losses.

D. A qualitative assessment is performed by experts or external consultants, is based on risk scenarios, and assigns non-dollar values to risks.

57. Facilitated Risk Analysis Process (FRAP) is an example of what?

A. A BCP analysis technique

B. A quantitative assessment technique

C. A DRP analysis technique

D. A qualitative assessment technique

58. Classification levels like confidential and secret are tied to which data classification scheme?

A. ISO 17799

B. U.S. Department of Defense (DoD)

C. RFC 2196 Site Security Guidelines

D. Commercial Data Classification Standard (CDCS)

59. Which of the following methods of dealing with risk is considered the least prudent course of action?

A. Risk reduction

B. Risk rejection

C. Risk transference

D. Risk acceptance

60. Your employer is pleased that you have become CISSP certified and would now like you to evaluate your company’s security policy. Your boss believes that encryption should be used for all network traffic and that a $50,000 encrypted database should replace the current customer database. Based on what you know about risk management, on what should you base your decision to use encryption and purchase the new database? Choose the most correct answer.

A. If an analysis shows that there is potential risk, the cost of protecting the network and database should be weighed against the cost of the deterrent.

B. If an analysis shows that the company’s network is truly vulnerable, systems should be implemented to protect the network data and the customer database.

C. If the network is vulnerable, systems should be implemented to protect the network and the database, regardless of the price.

D. Because it is only a customer database and the company is not well known, the probability of attack is not great; therefore, the risk should be accepted or transferred through the use of insurance.
