[May-2023] Pass ISC CISSP Exam in First Attempt Guaranteed! [Q590-Q608]


NEW QUESTION # 590
Which of the following could be BEST defined as the likelihood of a threat agent taking advantage of a vulnerability?

  • A. A risk.
  • B. A countermeasure.
  • C. An exposure.
  • D. A residual risk.

Answer: A

Explanation:
A risk is the likelihood of a threat agent exploiting a vulnerability and the corresponding business impact. If a firewall has several ports open, there is a higher likelihood that an intruder will use one to access the network in an unauthorized manner. If users are not educated on processes and procedures, there is a higher likelihood that an employee will make an unintentional mistake that may destroy data. If an intrusion detection system (IDS) is not implemented on a network, there is a higher likelihood an attack will go unnoticed until it is too late. Risk ties the vulnerability, the threat and the likelihood of exploitation to the resulting business impact.
Incorrect Answers:
B: A countermeasure is a step taken to mitigate a risk.
C: An exposure is an instance of being exposed to losses. A vulnerability exposes an organization to possible damages.
D: Residual risk is the risk that remains after countermeasures have been implemented.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 26


NEW QUESTION # 591
Which of the following backup sites is the most effective for disaster recovery?

  • A. Time brokers
  • B. Cold sites
  • C. Hot sites
  • D. Reciprocal Agreement

Answer: C

Explanation:
Hot sites are a good choice for a company that needs to ensure a site will be available for it as soon as possible. The only resources usually missing from a hot site are the data. A hot site is a facility that is leased or rented and is fully configured and ready to operate within a few hours.
Incorrect Answers:
A: A time-broker arrangement is less effective than a hot or cold site.
B: A cold site is less effective than a hot site: it is a leased or rented facility that supplies the basic environment (electrical wiring, air conditioning, plumbing and flooring) but none of the equipment or additional services. A cold site is essentially an empty data center.
D: Reciprocal agreements are less effective than hot or cold sites because they are generally not enforceable. Although company A said company B could use its facility when needed, when the need arises company A is usually under no legal obligation to fulfill that promise.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, p. 921


NEW QUESTION # 592
Which of the following is NOT an administrative control?

  • A. Development of policies, standards, procedures and guidelines
  • B. Change control procedures
  • C. Logical access control mechanisms
  • D. Screening of personnel

Answer: C

Explanation:
It is considered to be a technical control.
Logical is synonymous with Technical Control. That was the easy answer.
There are three broad categories of access control: Administrative, Technical, and
Physical.
Each category has different access control mechanisms that can be carried out manually or automatically. All of these access control mechanisms should work in concert with each other to protect an infrastructure and its data.
Each category of access control has several components that fall within it, as shown here:
Administrative Controls
* Policy and procedures
* Personnel controls
* Supervisory structure
* Security-awareness training
* Testing
Physical Controls
* Network segregation
* Perimeter security
* Computer controls
* Work area separation
* Data backups
Technical Controls
* System access
* Network architecture
* Network access
* Encryption and protocols
* Control zone
* Auditing
The following answers are incorrect :
Screening of personnel is considered to be an administrative control
Development of policies, standards, procedures and guidelines is considered to be an administrative control
Change control procedures is considered to be an administrative control.
Reference: Shon Harris AIO v3, Chapter 3: Security Management Practices, pages 52-54


NEW QUESTION # 593
Which statement below is the BEST definition of need-to-know?

  • A. Need-to-know limits the time an operator performs a task.
  • B. Need-to-know requires that the operator have the minimum knowledge of the system necessary to perform his task.
  • C. Need-to-know ensures that no single individual (acting alone) can compromise security controls.
  • D. Need-to-know grants each user the lowest clearance required for their tasks.

Answer: B

Explanation:
The concept of need-to-know means that, in addition to whatever specific object or role rights a user may have on the system, the user also has only the minimum amount of information necessary to perform his job function.
* "Need-to-know ensures that no single individual (acting alone) can compromise security controls" is separation of duties: assigning parts of tasks to different personnel.
* "Need-to-know grants each user the lowest clearance required for their tasks" is least privilege: the user has the minimum security level required to perform his job function.
* "Need-to-know limits the time an operator performs a task" is rotation of duties, wherein the amount of time an operator is assigned a security-sensitive task is limited before being moved to a different task with a different security classification.


NEW QUESTION # 594
A hospital enforces the Code of Fair Information Practices. What practice applies to a patient requesting their medical records from a web portal?

  • A. Purpose specification
  • B. Collection limitation
  • C. Use limitation
  • D. Individual participation

Answer: D

Explanation:
Individual participation gives a data subject the right to learn whether a data controller holds data about them and to obtain that data in a reasonable time and form. A patient pulling their own records from the portal is exercising exactly this right. Collection limitation, use limitation and purpose specification constrain what the hospital may gather and do with the data; they say nothing about the patient's own access to it.


NEW QUESTION # 595
IT security measures should:

  • A. Be tailored to meet organizational security goals.
  • B. Not be developed in a layered fashion.
  • C. Be complex
  • D. Make sure that every asset of the organization is well protected.

Answer: A

Explanation:
In general, IT security measures are tailored according to an organization's unique needs. While numerous factors, such as the overriding mission requirements, and guidance, are to be considered, the fundamental issue is the protection of the mission or business from IT security-related, negative impacts. Because IT security needs are not uniform, system designers and security practitioners should consider the level of trust when connecting to other external networks and internal sub-domains. Recognizing the uniqueness of each system allows a layered security strategy to be used - implementing lower assurance solutions with lower costs to protect less critical systems and higher assurance solutions only at the most critical areas.
The more complex the mechanism, the more likely it may possess exploitable flaws.
Simple mechanisms tend to have fewer exploitable flaws and require less maintenance.
Further, because configuration management issues are simplified, updating or replacing a simple mechanism becomes a less intensive process.
Security designs should consider a layered approach to address or protect against a specific threat or to reduce a vulnerability. For example, the use of a packet-filtering router in conjunction with an application gateway and an intrusion detection system combine to increase the work-factor an attacker must expend to successfully attack the system. Adding good password controls and adequate user training improves the system's security posture even more.
The need for layered protections is especially important when commercial-off-the-shelf (COTS) products are used. Practical experience has shown that the current state of the art for security quality in COTS products does not provide a high degree of protection against sophisticated attacks. It is possible to help mitigate this situation by placing several controls in series, requiring additional work by attackers to accomplish their goals.
Source: STONEBURNER, Gary et al., National Institute of Standards and Technology (NIST), NIST Special Publication 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security), June 2001 (pages 9-10).


NEW QUESTION # 596
By allowing storage communications to run on top of Transmission Control Protocol/Internet Protocol (TCP/IP) with a Storage Area Network (SAN), the

  • A. opportunity to sniff network traffic exists.
  • B. storage devices are protected against availability attacks.
  • C. opportunity for device identity spoofing is eliminated.
  • D. confidentiality of the traffic is protected.

Answer: A

Explanation:
Carrying storage traffic over TCP/IP (iSCSI or FCIP, for example) puts block-level data on the same network an attacker can already reach. Unless the storage traffic is isolated on its own VLAN and protected with IPsec or an equivalent, anyone who can capture packets on the path can read it. IP transport by itself neither protects confidentiality nor prevents address or initiator spoofing, and it exposes the storage devices to the same availability attacks as any other IP host.


NEW QUESTION # 597
A post-implementation review has identified that the Voice Over Internet Protocol (VoIP) system was designed to have gratuitous Address Resolution Protocol (ARP) disabled.
Why did the network architect likely design the VoIP system with gratuitous ARP disabled?

  • A. Gratuitous ARP requires the risk of a Man-in-the-Middle (MITM) attack.
  • B. Gratuitous ARP requires the use of insecure layer 3 protocols.
  • C. Gratuitous ARP requires the likelihood of a successful brute-force attack on the phone.
  • D. Gratuitous ARP requires the use of Virtual Local Area Network (VLAN) 1.

Answer: A

Explanation:
Gratuitous ARP is an unsolicited ARP packet in which a host announces its own IP-to-MAC binding, and most hosts update their ARP cache on receipt without any authentication. An attacker on the VoIP segment can therefore send gratuitous ARP claiming the IP address of the call manager or voice gateway, redirect the phones' traffic to their own MAC address, and sit in the middle of the calls (ARP cache poisoning). Disabling gratuitous ARP on the phones removes that cheap Man-in-the-Middle vector; it has nothing to do with the choice of layer 3 protocol, VLAN 1, or brute-force attacks on the phone.
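The attack the network architect was defending against can be detected on the wire. The following Go program is an added example, not part of the original question or any vendor's code: it parses raw Ethernet/IPv4 ARP payloads, recognises the gratuitous form (sender IP equal to target IP), and keeps a table of IP-to-MAC bindings so that any packet trying to move an already-known IP to a different MAC raises an alert. The addresses (10.0.0.1 gateway, 10.0.0.20 phone, the de:ad:be:ef MAC) and the two frames are constructed for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// ARP holds the fields of an Ethernet/IPv4 ARP packet (RFC 826 layout).
type ARP struct {
	Op        uint16 // 1 = request, 2 = reply
	SenderMAC net.HardwareAddr
	SenderIP  net.IP
	TargetMAC net.HardwareAddr
	TargetIP  net.IP
}

// ParseARP decodes the 28-byte ARP payload that follows the Ethernet header.
func ParseARP(b []byte) (ARP, error) {
	if len(b) < 28 {
		return ARP{}, errors.New("short ARP packet")
	}
	if binary.BigEndian.Uint16(b[0:2]) != 1 || binary.BigEndian.Uint16(b[2:4]) != 0x0800 || b[4] != 6 || b[5] != 4 {
		return ARP{}, errors.New("not an Ethernet/IPv4 ARP packet")
	}
	cp := func(s []byte) []byte { return append([]byte(nil), s...) }
	return ARP{
		Op:        binary.BigEndian.Uint16(b[6:8]),
		SenderMAC: net.HardwareAddr(cp(b[8:14])),
		SenderIP:  net.IP(cp(b[14:18])),
		TargetMAC: net.HardwareAddr(cp(b[18:24])),
		TargetIP:  net.IP(cp(b[24:28])),
	}, nil
}

// IsGratuitous reports whether the sender is announcing its own address
// (sender IP == target IP), which is what a gratuitous ARP looks like.
func (a ARP) IsGratuitous() bool { return a.SenderIP.Equal(a.TargetIP) }

// Monitor remembers which MAC each IP was first seen with.
type Monitor struct{ bindings map[string]string }

func NewMonitor() *Monitor { return &Monitor{bindings: map[string]string{}} }

// Observe learns the sender binding from replies and gratuitous announcements
// and returns a non-empty alert when a packet tries to move an IP to a new MAC,
// the signature of the ARP cache poisoning used for a MITM on VoIP.
func (m *Monitor) Observe(a ARP) string {
	if a.Op != 2 && !a.IsGratuitous() {
		return "" // an ordinary request does not rebind anything
	}
	ip, mac := a.SenderIP.String(), a.SenderMAC.String()
	if old, ok := m.bindings[ip]; ok && old != mac {
		return fmt.Sprintf("ALERT: %s moved from %s to %s (gratuitous=%v)", ip, old, mac, a.IsGratuitous())
	}
	m.bindings[ip] = mac
	return ""
}

// buildARP assembles a constructed ARP payload; it exists only to feed the example.
func buildARP(op uint16, smac, sip, tmac, tip string) []byte {
	mustMAC := func(s string) []byte {
		m, err := net.ParseMAC(s)
		if err != nil {
			panic(err)
		}
		return m
	}
	mustIP := func(s string) []byte {
		ip := net.ParseIP(s).To4()
		if ip == nil {
			panic("bad IPv4 address " + s)
		}
		return ip
	}
	b := make([]byte, 28)
	binary.BigEndian.PutUint16(b[0:2], 1)      // HTYPE: Ethernet
	binary.BigEndian.PutUint16(b[2:4], 0x0800) // PTYPE: IPv4
	b[4], b[5] = 6, 4                          // HLEN, PLEN
	binary.BigEndian.PutUint16(b[6:8], op)
	copy(b[8:14], mustMAC(smac))
	copy(b[14:18], mustIP(sip))
	copy(b[18:24], mustMAC(tmac))
	copy(b[24:28], mustIP(tip))
	return b
}

func main() {
	m := NewMonitor()
	// Constructed traffic: the real gateway answers a phone, then an attacker
	// sends a gratuitous ARP claiming the gateway's IP for its own MAC.
	frames := [][]byte{
		buildARP(2, "00:11:22:33:44:01", "10.0.0.1", "00:11:22:33:44:20", "10.0.0.20"),
		buildARP(1, "de:ad:be:ef:00:01", "10.0.0.1", "ff:ff:ff:ff:ff:ff", "10.0.0.1"),
	}
	for _, f := range frames {
		a, err := ParseARP(f)
		if err != nil {
			fmt.Println("drop:", err)
			continue
		}
		if alert := m.Observe(a); alert != "" {
			fmt.Println(alert)
		}
	}
}
```

In production the same logic runs over packets from a capture library or a switch's ARP inspection logs; the point is that the first binding seen is trusted, and any later gratuitous ARP that contradicts it is the event worth alerting on.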


NEW QUESTION # 598
What would you call the process that takes advantages of the security provided by a transmission protocol by carrying one protocol over another?

  • A. Concealing
  • B. Tunneling
  • C. Steganography
  • D. Piggy Backing

Answer: B

Explanation:
Computer networks use a tunneling protocol when one network protocol (the delivery protocol) encapsulates a different payload protocol. By using tunneling one can (for example) carry a payload over an incompatible delivery network, or provide a secure path through an untrusted network.
Tunneling contrasts with a layered protocol model such as those of OSI or TCP/IP: the delivery protocol usually (but not always) operates at a higher level in the model than the payload protocol, or at the same level. To understand a particular protocol stack, network engineers must understand both the payload and the delivery protocol sets.
As an example of network layer over network layer, Generic Routing Encapsulation (GRE), a protocol running over IP (IP protocol number 47), often serves to carry IP packets with RFC 1918 private addresses over the Internet using delivery packets with public IP addresses. In this case the delivery and payload protocols are compatible, but the payload addresses are incompatible with those of the delivery network.
Secure Shell tunneling
A Secure Shell (SSH) tunnel consists of an encrypted tunnel created through an SSH protocol connection. Users may set up SSH tunnels to transfer unencrypted traffic over a network through an encrypted channel. For example, Windows machines can share files using the Server Message Block (SMB) protocol, which classically carries no encryption (SMB 3 later added optional encryption). If one were to mount a Microsoft Windows file system remotely through the Internet, someone snooping on the connection could see the transferred files. To mount the Windows file system securely, one can establish an SSH tunnel that routes all SMB traffic to the remote file server through an encrypted channel. Even though the SMB protocol itself contains no encryption, the encrypted SSH channel through which it travels offers security.
Tunneling to circumvent firewall policy
Users can also use tunneling to "sneak through" a firewall, using a protocol that the firewall would normally block but "wrapped" inside a protocol that the firewall does not block, such as HTTP. If the firewall policy does not specifically exclude this kind of "wrapping", this trick can get around the intended firewall policy.
Another HTTP-based tunneling method uses the HTTP CONNECT method. A client issues the HTTP CONNECT command to an HTTP proxy. The proxy then makes a TCP connection to a particular server:port and relays data between that server:port and the client connection. Because this creates a security hole, CONNECT-capable HTTP proxies commonly restrict access to the CONNECT method: the proxy allows access only to a whitelist of specific authorized servers and ports.
The following answers are incorrect:
Piggy Backing
In security, piggybacking refers to when a person tags along with another person who is authorized to gain entry into a restricted area, or pass a certain checkpoint. The act may be legal or illegal, authorized or unauthorized, depending on the circumstances. However, the term more often has the connotation of being an illegal or unauthorized act.
To describe the act of an unauthorized person who follows someone to a restricted area without the consent of the authorized person, the term tailgating is also used. "Tailgating" implies without consent (similar to a car tailgating another vehicle on the freeway), while "piggybacking" usually implies consent of the authorized person.
Piggybacking came to the public's attention particularly in 1999, when a series of weaknesses were exposed in airport security. While a study showed that the majority of undercover agents attempting to pass through checkpoints, bring banned items on planes, or board planes without tickets were successful, piggybacking was revealed as one of the methods that was used in order to enter off-limits areas.
Steganography
Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message, a form of security through obscurity. The word steganography is of Greek origin and means "concealed writing", from the Greek words steganos, meaning "covered or protected", and graphein, meaning "to write". The first recorded use of the term was in 1499 by Johannes Trithemius in his Steganographia, a treatise on cryptography and steganography disguised as a book on magic. Generally, messages will appear to be something else: images, articles, shopping lists, or some other covertext and, classically, the hidden message may be in invisible ink between the visible lines of a private letter.
The advantage of steganography over cryptography alone is that messages do not attract attention to themselves. Plainly visible encrypted messages, no matter how unbreakable, will arouse suspicion, and may in themselves be incriminating in countries where encryption is illegal. Therefore, whereas cryptography protects the contents of a message, steganography can be said to protect both the messages and the communicating parties.
Steganography includes the concealment of information within computer files. In digital steganography, electronic communications may include steganographic coding inside of a transport layer, such as a document file, image file, program or protocol. Media files are ideal for steganographic transmission because of their large size. As a simple example, a sender might start with an innocuous image file and adjust the color of every 100th pixel to correspond to a letter in the alphabet, a change so subtle that someone not specifically looking for it is unlikely to notice it.
Concealing
Concealment (also called abscondence or hiding) is obscuring something from view or rendering it inconspicuous, the opposite of exposure. A military term is CCD: camouflage (object looks like its surroundings), concealment (object cannot be seen), and deception (object looks like something else); in a broad sense, all three are forms of concealment. The objective of hiding is often to keep the presence of an object or person secret, but in other cases the presence is not a secret, only the location.
The following reference(s) were used to create this question:
Ethical Hacking Countermeasures v6.1
Ethical Hacking Countermeasures v7.0
Introduction to Ethical Hacking
http://en.wikipedia.org/wiki/Tunneling_protocol
http://en.wikipedia.org/wiki/Steganography
http://en.wikipedia.org/wiki/Piggybacking_%28security%29
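The last paragraph on HTTP CONNECT describes exactly the control a proxy operator has to implement: parse the CONNECT line, consult an allowlist, and only then open the TCP relay. The Go program below is an added example written for this page, not code from any real proxy. It assumes constructed allowlist entries (mail.example.com:443 and vpn.example.com:443) and listens on 127.0.0.1:3128 when run as a program; the handler itself is written against net.Conn so it can be exercised over in-memory pipes.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"strings"
)

// Allowlist is the set of "host:port" targets this proxy will tunnel to.
// Anything not listed is refused, so the proxy cannot be used as an open relay.
type Allowlist map[string]bool

// ParseConnect extracts a normalised host:port from "CONNECT host:port HTTP/1.x".
func ParseConnect(line string) (string, error) {
	f := strings.Fields(line)
	if len(f) != 3 || f[0] != "CONNECT" || !strings.HasPrefix(f[2], "HTTP/1.") {
		return "", fmt.Errorf("not a CONNECT request: %q", strings.TrimSpace(line))
	}
	host, port, err := net.SplitHostPort(f[1])
	if err != nil {
		return "", err
	}
	return net.JoinHostPort(strings.ToLower(host), port), nil
}

// Allowed applies the allowlist to a parsed target.
func (al Allowlist) Allowed(target string) bool { return al[target] }

// HandleConnect serves one client connection: read the request, apply the
// allowlist, then either refuse or dial the target and relay bytes both ways.
// It returns the requested target and whether a tunnel was established.
func HandleConnect(client net.Conn, al Allowlist, dial func(string) (net.Conn, error)) (string, bool) {
	defer client.Close()
	r := bufio.NewReader(client)
	line, err := r.ReadString('\n')
	if err != nil {
		return "", false
	}
	target, err := ParseConnect(line)
	if err != nil {
		io.WriteString(client, "HTTP/1.1 400 Bad Request\r\n\r\n")
		return "", false
	}
	for { // discard the request headers up to the blank line
		h, err := r.ReadString('\n')
		if err != nil || h == "\r\n" || h == "\n" {
			break
		}
	}
	if !al.Allowed(target) {
		io.WriteString(client, "HTTP/1.1 403 Forbidden\r\n\r\n")
		return target, false
	}
	upstream, err := dial(target)
	if err != nil {
		io.WriteString(client, "HTTP/1.1 502 Bad Gateway\r\n\r\n")
		return target, false
	}
	defer upstream.Close()
	io.WriteString(client, "HTTP/1.1 200 Connection Established\r\n\r\n")
	done := make(chan struct{}, 2)
	go func() { io.Copy(upstream, r); done <- struct{}{} }()
	go func() { io.Copy(client, upstream); done <- struct{}{} }()
	<-done // when either direction ends, the deferred Closes tear down the other
	return target, true
}

func main() {
	al := Allowlist{"mail.example.com:443": true, "vpn.example.com:443": true} // assumed policy
	ln, err := net.Listen("tcp", "127.0.0.1:3128")
	if err != nil {
		panic(err)
	}
	fmt.Println("CONNECT proxy listening on", ln.Addr())
	for {
		c, err := ln.Accept()
		if err != nil {
			panic(err)
		}
		go func() {
			target, ok := HandleConnect(c, al, func(t string) (net.Conn, error) { return net.Dial("tcp", t) })
			fmt.Printf("%s tunnel=%v\n", target, ok)
		}()
	}
}
```

The decision is made on the normalised host:port before any upstream socket exists, so a request for an unlisted target never causes the proxy to connect anywhere; that is the property that keeps a CONNECT proxy from becoming a generic port forwarder through the firewall.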


NEW QUESTION # 599
Which of the following is true about digital certificate?

  • A. You can only get digital certificate from Verisign, RSA if you wish to prove the key belong to a specific user.
  • B. It is the same as digital signature proving Integrity and Authenticity of the data
  • C. Electronic credential proving that the person the certificate was issued to is who they claim to be
  • D. Can't contain geography data such as country for example.

Answer: C

Explanation:
A digital certificate helps others verify that the public key presented by a user is genuine and valid. It is an electronic credential proving that the person (or system) the certificate was issued to is who they claim to be.
The certificate is used to identify the certificate holder when conducting electronic transactions. It is issued by a certification authority (CA). It contains the name of an organization or individual, the business address, a serial number, expiration dates, a copy of the certificate holder's public key, and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real. Most digital certificates conform to the X.509 standard. Digital certificates can be kept in registries so that authenticating users can look up other users' public keys.
Digital certificates are key to the PKI process. The digital certificate serves two roles. First, it ensures the integrity of the public key and makes sure that the key remains unchanged and in a valid state. Second, it validates that the public key is tied to the stated owner and that all associated information is true and correct. The information needed to accomplish these goals is added into the digital certificate.
A Certificate Authority (CA) is an entity trusted by one or more users as an authority in a network that issues, revokes, and manages digital certificates.
A Registration Authority (RA) performs certificate registration services on behalf of a CA. The RA, a single-purpose server, is responsible for the accuracy of the information contained in a certificate request. The RA is also expected to perform user validation before issuing a certificate request.
A digital certificate is not the same as a digital signature; they are two different things. A digital signature is created by signing a message digest with your private key, whereas a digital certificate is issued by a trusted third party who vouches for your identity (and is itself signed with the CA's private key).
Many third parties issue digital certificates, not just Verisign and RSA; an organization can also run its own internal CA.
A certificate can carry geographic data: the X.509 subject name has fields for country (C), state or province (ST) and locality (L).
Reference(s) used for this question:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 14894-14903). Auerbach Publications. Kindle Edition.
Gregg, Michael; Haines, Billy (2012-02-16). CASP: CompTIA Advanced Security Practitioner Study Guide Authorized Courseware: Exam CAS-001 (p. 24). Wiley. Kindle Edition.
http://en.wikipedia.org/wiki/Digital_certificate
What is a digital certificate: http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci211947,00.html
Another definition: http://www.webopedia.com/TERM/D/digital_certificate.html


NEW QUESTION # 600
Which of the following prevents improper aggregation of privileges in Role Based Access Control (RBAC)?

  • A. The Clark-Wilson security model
  • B. Hierarchical inheritance
  • C. The Bell-LaPadula security model
  • D. Dynamic separation of duties

Answer: D

Explanation:
Separation of duties in RBAC comes in two forms. Static separation of duties forbids assigning mutually exclusive roles to the same user at all. Dynamic separation of duties (DSD) allows a user to hold both roles but prevents them from activating both in the same session, so the privileges of conflicting roles cannot be aggregated at run time. Hierarchical inheritance does the opposite (a senior role inherits the permissions of junior roles), and Bell-LaPadula and Clark-Wilson are security models, not RBAC constraints.
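The difference between "may hold both roles" and "may not use both at once" is easiest to see in code. The following Go program is an added example, not from the question source or any RBAC product: a user is assigned two conflicting roles, and a DSD constraint blocks activating the second one in a session where the first is already active, while a fresh session may activate either. The user "alice" and the roles "requester" and "approver" are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// RBAC holds user-to-role assignments and the dynamic separation-of-duty
// constraints: pairs of roles that may both be assigned to one user but must
// never be active in the same session.
type RBAC struct {
	assignments map[string]map[string]bool
	dsd         [][2]string
}

// Session is one user's login with the roles activated so far.
type Session struct {
	User   string
	Active map[string]bool
}

func (r *RBAC) NewSession(user string) *Session {
	return &Session{User: user, Active: map[string]bool{}}
}

// Activate adds a role to the session unless the user lacks it or a DSD
// constraint pairs it with a role that is already active.
func (r *RBAC) Activate(s *Session, role string) error {
	if !r.assignments[s.User][role] {
		return fmt.Errorf("%s is not assigned role %s", s.User, role)
	}
	for _, pair := range r.dsd {
		other := ""
		switch role {
		case pair[0]:
			other = pair[1]
		case pair[1]:
			other = pair[0]
		}
		if other != "" && s.Active[other] {
			return errors.New("DSD violation: " + role + " cannot be active together with " + other)
		}
	}
	s.Active[role] = true
	return nil
}

func main() {
	// Constructed policy: alice holds both roles, which static SoD would forbid;
	// DSD instead forbids using them together in one session.
	r := &RBAC{
		assignments: map[string]map[string]bool{"alice": {"requester": true, "approver": true}},
		dsd:         [][2]string{{"requester", "approver"}},
	}
	s := r.NewSession("alice")
	fmt.Println("activate requester:", r.Activate(s, "requester"))
	fmt.Println("activate approver in same session:", r.Activate(s, "approver"))
	s2 := r.NewSession("alice")
	fmt.Println("activate approver in a new session:", r.Activate(s2, "approver"))
}
```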


NEW QUESTION # 601
What is the maximum number of different keys that can be used when encrypting with Triple DES?

  • A. 0
  • B. 1
  • C. 2
  • D. 3

Answer: D

Explanation:
Triple DES (3DES) can use a maximum of three keys.
3DES can work in different modes, and the mode chosen dictates the number of keys used and what functions are carried out:
DES-EEE3: uses three different keys, and the data are encrypted, encrypted, encrypted.
DES-EDE3: uses three different keys, and the data are encrypted, decrypted, encrypted.
DES-EEE2: the same as DES-EEE3, but uses only two keys; the first and third encryption processes use the same key.
DES-EDE2: the same as DES-EDE3, but uses only two keys; the first and third processes use the same key.
The encrypt-decrypt-encrypt construction is what makes 3DES backward compatible: with all three keys equal, EDE reduces to a single DES encryption.
Incorrect Answers:
A: A maximum of 3, not 0, different keys can be used when encrypting with Triple DES.
B: A maximum of 3, not 1, different keys can be used when encrypting with Triple DES.
C: A maximum of 3, not 2, different keys can be used when encrypting with Triple DES.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, p. 808


NEW QUESTION # 602
DESX is a variant of DES in which:

  • A. The input plaintext is encrypted X times with the DES algorithm
    using different keys for each encryption.
  • B. Input plaintext is bitwise XORed with 64 bits of additional key
    material before encryption with DES, and the output of DES is also
    bitwise XORed with another 64 bits of key material.
  • C. The output of DES is bitwise XORed with 64 bits of key material.
  • D. Input plaintext is bitwise XORed with 64 bits of additional key
    material before encryption with DES.

Answer: B

Explanation:
DESX was developed by Ron Rivest to increase the resistance of DES to brute-force key search attacks; however, the resistance of DESX to differential and linear attacks is equivalent to that of DES with independent subkeys.
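The 3DES keying options from question 601 and the DESX whitening from question 602 are both small compositions of the single DES block function, so one Go program can show both. It is an added example written for this page, not code from the cited books; the keys ("key1key1" and so on), the whitening values and the plaintext block are constructed. The manual EDE result is compared against the standard library's Triple DES to confirm the E-D-E order, and the one-key case is compared against single DES to confirm the backward-compatibility property. Both DES and 3DES are deprecated by NIST for new designs; the code is for understanding the constructions, not for use.

```go
package main

import (
	"bytes"
	"crypto/des"
	"fmt"
)

// xor returns a XOR b for two slices of equal length.
func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// desEncrypt and desDecrypt run single DES on one 8-byte block with an 8-byte key.
func desEncrypt(key, in []byte) []byte {
	c, err := des.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, des.BlockSize)
	c.Encrypt(out, in)
	return out
}

func desDecrypt(key, in []byte) []byte {
	c, err := des.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, des.BlockSize)
	c.Decrypt(out, in)
	return out
}

// TripleDESEDE is DES-EDE on one block: encrypt under K1, decrypt under K2,
// encrypt under K3. Pass K3 == K1 for two-key 3DES (DES-EDE2).
func TripleDESEDE(k1, k2, k3, block []byte) []byte {
	return desEncrypt(k3, desDecrypt(k2, desEncrypt(k1, block)))
}

// KeyingOption reports how many distinct keys a 3DES key bundle uses:
// 3 (EDE3), 2 (EDE2, K3 == K1) or 1 (all equal, which collapses to single DES).
func KeyingOption(k1, k2, k3 []byte) int {
	switch {
	case bytes.Equal(k1, k2) && bytes.Equal(k2, k3):
		return 1
	case bytes.Equal(k1, k3):
		return 2
	default:
		return 3
	}
}

// DESXEncrypt computes C = K2 XOR DES_key(P XOR K1): 64 bits of whitening before
// and after the DES core, which raises the cost of brute-force key search.
func DESXEncrypt(key, k1, k2, block []byte) []byte {
	return xor(k2, desEncrypt(key, xor(block, k1)))
}

// DESXDecrypt undoes DESXEncrypt: P = K1 XOR DES^-1_key(C XOR K2).
func DESXDecrypt(key, k1, k2, block []byte) []byte {
	return xor(k1, desDecrypt(key, xor(block, k2)))
}

func main() {
	// Constructed keys and plaintext; DES keys are 8 bytes, blocks are 8 bytes.
	k1, k2, k3 := []byte("key1key1"), []byte("key2key2"), []byte("key3key3")
	p := []byte("8bytemsg")
	std, _ := des.NewTripleDESCipher(bytes.Join([][]byte{k1, k2, k3}, nil))
	want := make([]byte, des.BlockSize)
	std.Encrypt(want, p)
	fmt.Printf("EDE3 manual   %x\nEDE3 stdlib   %x\n", TripleDESEDE(k1, k2, k3, p), want)
	fmt.Printf("EDE one key   %x\nsingle DES    %x\n", TripleDESEDE(k1, k1, k1, p), desEncrypt(k1, p))
	fmt.Printf("keying options: %d %d %d\n", KeyingOption(k1, k2, k3), KeyingOption(k1, k2, k1), KeyingOption(k1, k1, k1))
	pre, post := []byte("prewhite"), []byte("postwhit")
	c := DESXEncrypt(k1, pre, post, p)
	fmt.Printf("DESX          %x -> %q\n", c, DESXDecrypt(k1, pre, post, c))
}
```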


NEW QUESTION # 603
The only difference between RAID 3 and RAID 4 is that level 3 is implemented at the byte level while level
4 is usually implemented at which of the following?

  • A. Block level.
  • B. Buffer level.
  • C. Channel level.
  • D. Bridge level.

Answer: A

Explanation:
RAID levels 3 and 4 function in a similar way. The only difference is that level 3 is implemented at the byte level and level 4 is usually implemented at the block level. In this scenario, data is striped across several drives and the parity check bit is written to a dedicated parity drive. This is similar to RAID 0. They both have a large data volume, but the addition of a dedicated parity drive provides redundancy. If a hard disk fails, the data can be reconstructed by using the bit information on the parity drive. The main issue with this level of RAID is that the constant writes to the parity drive can create a performance hit. In this implementation, spare drives can be used to replace crashed drives.
Incorrect Answers:
B: RAID level 4 is not implemented at buffer level.
C: RAID level 4 is not implemented at channel level.
D: RAID level 4 is not implemented at bridge level.
References:
Krutz, Ronald L. and Russell Dean Vines, The CISSP Prep Guide: Mastering the CISSP and ISSEP Exams, 2nd Edition, Wiley Publishing, Indianapolis, 2004, p. 145


NEW QUESTION # 604
The equation Z = f(Σ w_n · i_n), where Z is the output, w_n are weighting functions, and i_n is a set of inputs, describes:

  • A. A knowledge-based system
  • B. A knowledge acquisition system
  • C. An expert system
  • D. An artificial neural network (ANN)

Answer: D

Explanation:
The equation defines a single-layer ANN as shown in the figure (not reproduced here).
Each input i_n is multiplied by a weight w_n, and these products are fed into a summation transfer function f that generates an output Z. Most neural networks have multiple layers of summation and weighting functions, whose interconnections can also be changed. There are a number of different learning paradigms for neural networks, including reinforcement learning and back propagation. In reinforcement learning a training set of inputs is provided to the ANN along with a measure of how close the network is coming to a solution; then the weights and connections are readjusted. In back propagation, information is fed back inside the neural network from the output and is used by the ANN to make weight and connection adjustments.
* "An expert system" and "A knowledge-based system" are distracters that describe systems that use knowledge-based rules of experts to solve problems using an inferencing mechanism.
* "A knowledge acquisition system" refers to the means of identifying and acquiring the knowledge to be entered into the knowledge base of an expert system.
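The single neuron in the equation, and the "readjust the weights" step the explanation describes, fit in a few lines. The Go program below is an added example, not part of the question source: it implements Z = f(Σ w_n · i_n) with a step function f and trains the weights with the perceptron error-correction rule (the simplest supervised readjustment; not back propagation, which needs a differentiable f and multiple layers). The training set, the logical AND of two inputs, and the learning rate are constructed for the example.

```go
package main

import "fmt"

// Neuron is the single-layer network of the question: Z = f(sum_n w_n * i_n),
// with W[0] acting as a bias weight on a constant input of 1 and f a step function.
type Neuron struct{ W []float64 }

// NewNeuron returns a neuron with nInputs weights plus a bias, all zero.
func NewNeuron(nInputs int) *Neuron { return &Neuron{W: make([]float64, nInputs+1)} }

// Output computes Z for one input vector.
func (n *Neuron) Output(in []float64) float64 {
	sum := n.W[0]
	for k, x := range in {
		sum += n.W[k+1] * x
	}
	if sum > 0 {
		return 1
	}
	return 0
}

// Train applies the perceptron error-correction rule: for each wrongly
// classified sample, move every weight in the direction of the error scaled by
// its input. It stops when an epoch has no errors or maxEpochs is reached,
// and returns the number of epochs used.
func (n *Neuron) Train(samples [][]float64, targets []float64, rate float64, maxEpochs int) int {
	for epoch := 1; epoch <= maxEpochs; epoch++ {
		wrong := 0
		for s, in := range samples {
			d := targets[s] - n.Output(in)
			if d == 0 {
				continue
			}
			wrong++
			n.W[0] += rate * d
			for k, x := range in {
				n.W[k+1] += rate * d * x
			}
		}
		if wrong == 0 {
			return epoch
		}
	}
	return maxEpochs
}

func main() {
	// Constructed training set: the logical AND of two inputs.
	samples := [][]float64{{0, 0}, {0, 1}, {1, 0}, {1, 1}}
	targets := []float64{0, 0, 0, 1}
	n := NewNeuron(2)
	epochs := n.Train(samples, targets, 0.1, 100)
	fmt.Printf("converged after %d epochs, weights %v\n", epochs, n.W)
	for _, in := range samples {
		fmt.Println(in, "->", n.Output(in))
	}
}
```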


NEW QUESTION # 605
Programmed procedures which ensure that valid transactions are processed accurately and only once in the current timescale are referred to as

  • A. Physical controls
  • B. Operation controls
  • C. Data installation controls
  • D. Application controls

Answer: D


NEW QUESTION # 606
Kerberos depends upon what encryption method?

  • A. El Gamal cryptography.
  • B. Secret Key cryptography.
  • C. Blowfish cryptography.
  • D. Public Key cryptography.

Answer: B

Explanation:
Kerberos depends on secret-key (symmetric) cryptography.
Kerberos is a third-party authentication protocol. It was designed and developed at MIT in the mid 1980s. It is considered open source but is copyrighted and owned by MIT. It relies on the principals' secret keys: the user's password is turned into the user's secret key, which decrypts the session key and ticket returned by the Key Distribution Center, and the service's own secret key decrypts the ticket.
This question asks specifically about encryption methods. Encryption methods can be SYMMETRIC (or secret key), in which the encryption and decryption keys are the same, or ASYMMETRIC (aka "public key"), in which the encryption and decryption keys differ.
Public-key methods must be asymmetric, to the extent that the decryption key CANNOT be easily derived from the encryption key. Symmetric ciphers, however, usually encrypt more efficiently, so they lend themselves to encrypting large amounts of data. Asymmetric encryption is therefore often limited to encrypting a symmetric key and the other information needed to decrypt a data stream, and the remainder of the data is encrypted with the symmetric key for performance reasons. This does not diminish the security of the scheme: the symmetric cipher is at least as strong as the asymmetric wrapping that protects its key.
For symmetric ciphers there are basically two types: BLOCK CIPHERS, in which a fixed-length block is encrypted, and STREAM CIPHERS, in which the data is encrypted one "data unit" (typically one byte) at a time, in the order it was received.
The following answers are incorrect:
Public Key cryptography. Incorrect because Kerberos depends on secret-key (symmetric) cryptography, not public-key (asymmetric) cryptography. (PKINIT, a later extension, adds public-key pre-authentication, but tickets and session keys remain symmetric.)
El Gamal cryptography. Incorrect because ElGamal is an asymmetric-key encryption algorithm.
Blowfish cryptography. Incorrect because, although Blowfish is a symmetric-key algorithm, the question asks for the encryption method Kerberos depends on, not a specific cipher.
References:
OIG CBK Access Control (pages 181-184)
AIOv3 Access Control (pages 151-155)
Wikipedia: http://en.wikipedia.org/wiki/Blowfish_%28cipher%29
http://en.wikipedia.org/wiki/El_Gamal
http://www.mrp3.com/encrypt.html
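The explanation says the user's password becomes the key that decrypts the KDC's reply and that the service's key decrypts the ticket; the exchange below makes that concrete. It is an added example written for this page, not MIT's or any vendor's Kerberos code, and it simplifies the real protocol: the AS and TGS exchanges are folded into one, the string-to-key function is a bare SHA-256 of the password rather than Kerberos' salted, iterated derivation, and AES-256-GCM stands in for the Kerberos encryption types. The realm contents (user "alice" with password "hunter2", service "fileserver" with key "svc-secret"), the 8-hour ticket lifetime and the 5-minute clock skew are assumed values. Every operation is a symmetric seal or unseal; no public key appears anywhere, which is the point of the question.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// keyFromPassword: real Kerberos uses a salted, iterated string-to-key; this is a simplification.
func keyFromPassword(pw string) []byte {
	h := sha256.Sum256([]byte(pw))
	return h[:]
}

// seal/unseal: the one primitive the protocol rests on, a symmetric AEAD (AES-256-GCM, nonce prepended).
func seal(key, pt []byte) []byte {
	blk, _ := aes.NewCipher(key) // keys are always 32 bytes here
	g, _ := cipher.NewGCM(blk)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, nil)
}

func unseal(key, ct []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, _ := cipher.NewGCM(blk)
	if len(ct) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

type (
	Ticket        struct{ Client string; SessionKey []byte; Expires time.Time } // sealed under the service key
	Authenticator struct{ Client string; Timestamp time.Time }                   // sealed under the session key
	asReply       struct{ SessionKey, Ticket []byte }                           // sealed under the client key
	KDC           struct{ keys map[string][]byte }                              // long-term keys of all principals
)

// ASExchange answers an AS_REQ: mint a session key, wrap it in a ticket only the
// service can open, and return both sealed under the client's key.
func (k *KDC) ASExchange(client, service string, now time.Time) ([]byte, error) {
	ck, sk := k.keys[client], k.keys[service]
	if ck == nil || sk == nil {
		return nil, errors.New("unknown principal")
	}
	session := make([]byte, 32)
	rand.Read(session)
	tkt, _ := json.Marshal(Ticket{client, session, now.Add(8 * time.Hour)})
	rep, _ := json.Marshal(asReply{session, seal(sk, tkt)})
	return seal(ck, rep), nil
}

// ClientRequest: only the right password opens the AS reply; returns the AP_REQ parts.
func ClientRequest(password string, asRep []byte, client string, now time.Time) ([]byte, []byte, error) {
	pt, err := unseal(keyFromPassword(password), asRep)
	if err != nil {
		return nil, nil, errors.New("wrong password: cannot decrypt AS reply")
	}
	var rep asReply
	json.Unmarshal(pt, &rep)
	auth, _ := json.Marshal(Authenticator{client, now})
	return rep.Ticket, seal(rep.SessionKey, auth), nil
}

// ServiceVerify: open the ticket with the service key, recover the session key, check the authenticator.
func ServiceVerify(serviceKey, ticket, auth []byte, now time.Time) (string, error) {
	var t Ticket
	var a Authenticator
	if tpt, err := unseal(serviceKey, ticket); err != nil {
		return "", errors.New("ticket was not issued under this service's key")
	} else if json.Unmarshal(tpt, &t); now.After(t.Expires) {
		return "", errors.New("ticket expired")
	}
	if apt, err := unseal(t.SessionKey, auth); err != nil {
		return "", errors.New("authenticator not sealed with the session key")
	} else if json.Unmarshal(apt, &a); a.Client != t.Client {
		return "", errors.New("authenticator principal does not match ticket")
	}
	if d := now.Sub(a.Timestamp); d < -5*time.Minute || d > 5*time.Minute {
		return "", errors.New("authenticator outside the clock-skew window (replay?)")
	}
	return t.Client, nil
}

func main() {
	kdc := &KDC{keys: map[string][]byte{"alice": keyFromPassword("hunter2"), "fileserver": keyFromPassword("svc-secret")}}
	now := time.Now()
	asRep, _ := kdc.ASExchange("alice", "fileserver", now)
	tkt, auth, _ := ClientRequest("hunter2", asRep, "alice", now)
	fmt.Println(ServiceVerify(keyFromPassword("svc-secret"), tkt, auth, now))
	_, _, err := ClientRequest("wrong", asRep, "alice", now)
	fmt.Println("wrong password:", err)
}
```

Three properties of the real protocol survive the simplification: a wrong password yields nothing (the reply simply fails to decrypt), the client never sees the inside of the ticket, and the service verifies the client without ever talking to the KDC.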


NEW QUESTION # 607
Which one of the following is a fundamental objective in handling an incident?

  • A. To restore control of the affected systems
  • B. To confiscate the suspect's computers
  • C. To perform full backups of the system
  • D. To prosecute the attacker

Answer: A

Explanation:
The fundamental objective of incident handling is to contain the incident and regain control of the affected systems so that normal operation can be restored. Confiscating equipment, taking full backups (forensic images) and prosecuting the attacker may all happen in a given incident, but they are supporting activities, not the goal.

