CISSP Practice Exam: Free Online Sample Questions

Explanation: Deterrent frameworks are technology-related and used to discourage malicious activities. For
example, an intrusion prevention system or a firewall would be appropriate in this framework.
There are three other primary control frameworks. A preventative framework helps establish security policies and
security awareness training. A detective framework is focused on finding unauthorized activity in your environment
after a security incident. A corrective framework focuses on activities to get your environment back after a security
incident. There isn’t an assessment framework.

Explanation: You have three risk analysis methods to choose from: qualitative (which uses a risk analysis matrix), quantitative (which uses money or metrics to compute), or hybrid (a combination of qualitative and quantitative but not an answer choice in this scenario). Because the ISP has monitoring and log data, you should use a quantitative approach; it will help quantify the chances of additional customers experiencing a security risk.
STRIDE is used for threat modeling. A market approach is used for asset valuation. A reduction analysis attempts to eliminate duplicate analysis and is tied to threat modeling.

Explanation: The RTO establishes the maximum amount of time the organization will be down (or how long it takes to recover), the RPO establishes the maximum data loss that is tolerable, the MTD covers the maximum tolerable downtime, and MDT is just a made-up phrase used as a distraction. In this scenario, with the focus on the data loss, the correct answer is RPO.

Explanation: Each data owner is responsible for approving access to data that they own. This is typically handled via approving data access policies that are then implemented by the operations team. As part of a formal access approval process, a data owner should be the ultimate person responsible for the data access.

Explanation: When you perform a typical operating system deletion, the data remains on the media but the space on the media is marked as available. Thus, the data is often recoverable. There are 3 established methods for preventing data recovery: overwriting the data (sometimes referred to as a “secure deletion” or “wiping”), degaussing with magnets and physical destruction.
Formatting a volume does not render data unrecoverable, and neither does data encryption (if somebody had the decryption key, the data is at risk).

Explanation: In this scenario, your goal is to evaluate the solutions presented, not the vendors, so you should use a standards selection process. This will enable the team to select the solution that best fits the organization’s needs. While a vendor selection process is part of engaging with a vendor, this scenario specifically calls for the evaluation of the solutions.

Explanation: In this scenario, the existing model focused on confidentiality. To round out the model and meet the goal of preventing “write up,” you need to supplement the existing model with a model that focuses on integrity (such as Biba). Focusing on integrity will ensure that you don’t have “write up” (or “read down” either, although that wasn’t a requirement in this scenario).

Explanation: An injection attack provides invalid input to an application or web page. The goal is to craft that input so that a backend interpreter either performs an action not intended by the organization (such as running administrative commands) or crashes. Injection attacks are mature and routinely used, so it is important to be aware of them and how to protect against them.

Explanation: When designing a PKI, keep in mind the basic security tenets — the more tiers, the more security, and the more flexibility. Of course, having more tiers also means more cost and complexity. In this scenario, to maximize security and flexibility, you need to use a three-tier hierarchy with the root CAs and the policy CAs being offline. Offline CAs enhance security. Multiple tiers, especially with the use of policy CAs, enhance flexibility because you can revoke one section of the hierarchy without impacting the other (for example, if one of the issuing CAs had a key compromised).

Explanation: In this scenario, the information indicates that the issue is with the routing of the network communication. Routing occurs at Layer 3 of the OSI model. Layer 3 is typically handled by a router or the routing component of a network device.

Explanation: In this scenario, collision avoidance is used. Wireless networks use collision avoidance specifically to address the issue described in the scenario (which is known as the “hidden node problem”).

Explanation: SIP is a communications protocol used for multimedia communication such as internal voice calls. In this scenario, you need to capture SIP traffic to ensure that you are only capturing traffic related to the phone calls.

Explanation: The three factors are something you know (such as a password), something you have (such as a smartcard or authentication app), and something you are (such as a fingerprint or retina). Using methods from multiple factors for authentication enhances security and mitigates the risk of a stolen or cracked password.

Explanation: With the rapid expansion to the cloud and the type of services in the cloud unknown, a cloud-based identity service, especially one from your public cloud vendor, is the best choice. Such services are compatible with IaaS, SaaS and PaaS solutions. While a third-party identity service can handle SaaS, it will not be as capable in non-SaaS scenarios. A federated identity solution is also limited to certain authentication scenarios and requires more time to deploy and more work to manage.

Explanation: Because you found individual users being granted permissions, and an IT administrator had manually changes permissions on the folder, DAC is in use. RBAC uses roles, and rule-based access control relies on rules and user attributes, so you would not find individual users configured with permissions on the folder with either of these. MAC is based on clearance levels, so, again, users aren’t individually granted permissions on a folder; instead, a group for each clearance is used.

Explanation: In black box testing, testers have no knowledge of the system they are testing.

Explanation: Third-party testing is specifically geared to ensuring that the other auditors (internal and external) are properly following your policies and procedures.

Explanation: In a penetration test, teams attempt to bypass controls, whether technically or non-technically.

Explanation: When a vulnerability exists but there is no patch to fix it, it is a zero-day vulnerability. When exploit code exists to take advantage of a zero-day vulnerability, it is called a zero-day exploit. In this scenario, because the computer was up to date on patches, we can conclude that there was a zero-day vulnerability and a zero-day exploit.

Explanation: Quality of service provides priority service to a specified application or type of communication. In this scenario, call quality is being impacted by other services on the network. By prioritizing the network communication for the IP phones, you can maximize their performance (though that might impact something else).

Explanation: The first key requirement in this scenario is that the data center must not be impacted by the testing. This eliminates the partial interruption and full interruption tests because those impact the data center. The other key requirement is that IT teams must perform recovery steps. This requirement eliminates the tabletop testing because tabletop testing involves walking through the plans, but not performing recovery operations.

Explanation: Agile development emphasizes efficiency and iterations during the development process. Agile focuses on user stories to work through the development process.

Explanation: The text fields that the users interact with should have input validation to ensure that the character limit has not been exceeded and that no special characters that might cause database inconsistencies are used.

Explanation: Generation 5 languages are associated with artificial intelligence. The constraints of the application and its goal are defined; then the program learns more on its own to achieve the goal.