ISC2 CISSP Exam Questions
1.
When designing and implementing a Role-Based Access Control model, it is crucial to ensure the principle of least privilege is followed. Of the following, which is the MOST important for use in a role-based access control model?
- Knowledge of operations and tasks
- File server Access Control List (ACL)
- Application passwords
- User groups
Correct answer: Knowledge of operations and tasks
Role-Based Access Control (RBAC) is a model that maps a subject’s role with their needed operations and tasks. Therefore, it is required that the creator of the role understands the required operations and tasks prior to creating the role. Otherwise, the created role may provide insufficient or excessive access.
Completing the setup of RBAC also requires deciding which users belong to each role, but the user group answer does not address what the question asks. The question is about least privilege, which is defined by the operations and tasks that the people in this role will need to perform.
File server Access Control Lists (ACLs) are an alternative access control mechanism. If RBAC is in use, ACL would not be in use. It is possible to have them both operating within a business at the same time, but not controlling access between the same subjects and objects.
Application passwords are an authentication mechanism for an application. The question is about RBAC, which is an authorization mechanism, so application passwords are not related to the question.
2.
Which of the following protocols uses port 23?
- Telnet
- Secure Shell (SSH)
- File Transfer Protocol (FTP)
- Domain Name System (DNS)
Correct answer: Telnet
Telnet uses port 23.
Secure Shell (SSH) uses port 22. File Transfer Protocol (FTP) uses ports 20 and 21. Domain Name System (DNS) uses port 53. Port numbers are used by TCP and UDP to identify the type of data they are carrying so as to deliver it to the right application layer protocol.
3.
Integrity is the primary function of which security model?
- Biba
- Take-Grant
- Brewer and Nash
- Bell-LaPadula
Correct answer: Biba
Biba is an integrity model that prevents subjects with lower security levels from writing to objects at higher security levels.
Take-Grant is incorrect because it dictates how rights can be passed from one subject to another. Brewer and Nash is incorrect because it dynamically changes access controls to protect against conflicts of interest. Bell-LaPadula is incorrect because it primarily focuses on confidentiality and prevents subjects with lower security levels from reading objects at higher security levels.
4.
Which of the following access control models allows the data owner to define access to resources?
- Discretionary Access Control (DAC)
- Mandatory Access Control (MAC)
- Role-Based Access Control (RBAC)
- Attribute-Based Access Control (ABAC)
Correct answer: Discretionary Access Control (DAC)
A system that employs Discretionary Access Controls (DACs) allows the owner to control and define access to objects. All objects have owners and access control is based on the discretion or decision of the owner. Objects are files, folders, applications, functions, etc.
Mandatory Access Control (MAC) uses data classification and user clearances to determine the level of access to be granted. The system is programmed with the corporation's policy regarding classifications and clearances and how they relate to each other. The system then enforces these rules. It eliminates the discretion of the owner in granting access. The data or system owner would identify who has a need to know.
Role-Based Access Control (RBAC) maps a subject’s role with their needed operations and tasks. This is one of the most common implementations of access control that has been used over the years. It reduces the workload by identifying the access that a role such as a nurse or doctor requires as opposed to identifying the access each nurse requires.
Attribute-Based Access Control (ABAC) makes decisions based on attributes of either the subject, object, or actions. It has been used in networking under the name of Network Access Control (NAC) and is now commonly used in the cloud.
5.
Which of the following is LEAST LIKELY to be considered Personally Identifiable Information (PII)?
- Employee hair color
- Employee government-issued identification
- Employee financial information
- Employee medical information
Correct answer: Employee hair color
Personally Identifiable Information (PII) is information that relates to an identified person, according to the European Union's General Data Protection Regulation (GDPR), which is widely regarded as the most influential privacy law worldwide. Hair color could be considered an indirect identifier if combined with other indirect identifiers, such as proximity and the individual's height. However, by itself it would not be considered personal information or PII. For more information, refer to GDPR.eu for examples of personal information.
Government-issued identification, financial, and medical information can all pinpoint one person and identify them.
6.
Of the following, which refers to a written and documented history of how evidence was collected, analyzed, transported, and preserved?
- Chain of custody
- Electronic review
- Electronic discovery
- Custody documentation
Correct answer: Chain of custody
The chain of custody (also called the evidence chain) is the process of logging access and location of evidence and its condition during investigations. It documents who had control of evidence at any given point to ensure that it is admissible during trial. It also documents what was done with the evidence, where it was, how it was treated, how it was moved from location to location, and when it was handled.
Electronic discovery, or e-discovery, is the process of identifying, collecting, and analyzing Electronically Stored Information (ESI) for legal purposes; it is used in legal investigations, litigation, and compliance. Electronic review is the examination and analysis of ESI during the e-discovery process, typically for legal, compliance, or investigative purposes. Custody documentation is only one part of the chain of custody. The chain of custody is a documented, unbroken trail of evidence custody, detailing its collection, transfer, storage, and analysis, and it ensures the integrity and admissibility of evidence in legal proceedings, particularly in forensic and investigative contexts. The question only mentions documentation, but the chain of custody is the broader concept that must document when, where, why, who, and what regarding the evidence. The critical element of the chain of custody is the ability to prove that the evidence was never left unattended. If there is a gap in the record of when and where the evidence was, the possibility that it was tampered with exists, and that is not acceptable for evidence in a court case.
7.
What protocol uses a three-way handshake to establish communication?
- Transmission Control Protocol (TCP)
- Internet Protocol (IP)
- User Datagram Protocol (UDP)
- Internet Control Message Protocol (ICMP)
Correct answer: Transmission Control Protocol (TCP)
A three-way handshake is used to establish a Transmission Control Protocol (TCP) connection. A client establishing a connection with a server initiates the connection by sending a TCP SYN (synchronize) packet as the first part of the handshake. In the second part of the handshake, the server replies to the client with a SYN-ACK packet, which acknowledges the client's SYN and carries the server's own synchronize request. In the third part of the handshake, the client responds with an ACK (acknowledge) packet back to the server.
The other three protocols, Internet Protocol (IP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP), are all connectionless protocols. They do not have a handshake, they do not send acknowledgments, and they do not retransmit missing or lost frames/packets.
8.
The DREAD rating system pertains to which of the following?
- Assessing probability and quantifying potential opportunities for damage
- Evaluating and establishing the change management process
- Creating a three-layered plan to approach a security plan deployment
- Assessing how effective a penetration test was
Correct answer: Assessing probability and quantifying potential opportunities for damage
The DREAD rating system is designed to provide a flexible rating solution that is based on the answers to five main questions about each threat. By answering these questions, it is possible to understand the probability that a threat will occur. If the reproducibility is high and the discoverability is high, it makes it much easier for attackers to exploit that threat.
- Damage potential (What is the potential damage of this threat?)
- Reproducibility (How easy is it to reproduce this attack?)
- Exploitability (To what level can this threat be exploited?)
- Affected users (How many users are affected when this threat is realized?)
- Discoverability (How easy is it to discover the vulnerability that can be exploited with this threat?)
Through these five questions, it would be understood what the probability of the threat being realized is and how bad the damage would be.
DREAD has nothing to do with the change management process; it is a threat modeling technique. Change management controls changes or alterations to the environment. It has nothing to do with planning a security deployment, although security deployments should be carefully controlled. It also has nothing to do with penetration testing. Penetration testing, also known as ethical hacking, is the process of launching an attack against your own systems to find vulnerabilities and determine whether they can be exploited.
9.
Jasmine is a Certificate Authority (CA) administrator. She learns that the private key for Joe's digital signature has been compromised. Of the following, what action should Jasmine take to invalidate Joe's compromised private key?
- Post the certificate to the Certificate Revocation List (CRL)
- Overwrite the compromised key by issuing a new certificate
- Remove the CA public key from the trusted certificate list
- Delete the compromised private key from the CA
Correct answer: Post the certificate to the Certificate Revocation List (CRL)
A Certificate Revocation List (CRL) is a published list of revoked certificates. Certificate Authority (CA) administrators can invalidate a certificate before its expiration date by posting it to the CRL. When a device validates a certificate before using the public key it contains, it can check the published CRL to verify that the certificate has not been revoked. Revoking the public key certificate is done when the private key is compromised. It is not possible to compromise a public key because it is already public.
Since the public and private keys are mathematically linked, it is not possible to simply issue a new certificate for the same key. It is necessary to create a new public-private key pair and then generate a new public key certificate that contains the new public key. The CA public key is the key that a device would use to validate Joe's public key certificate (in the question); removing it from the trusted list would break validation of every certificate that CA has issued, not just Joe's. The Public Key Infrastructure (PKI) is built as a hierarchy of CAs. The CA should never store anyone's private key. The best practice is for the user to generate the public-private key pair so that they are the only ones who ever hold their private key. If the CA does generate the key pair, it should never retain the private key.
10.
To whom are security assessment reports given when complete?
- Management
- Lead engineer
- Internal auditor
- Information Technology (IT) department
Correct answer: Management
Security assessments are generally performed at the direction of senior management. They evaluate the effectiveness of the organization's information security program. Reports should be written in non-technical language that management can understand. More technical info can be distributed by management to their teams to implement the report's recommendations.
Depending on what the assessment reports contain they may be passed along to engineers, auditors, or someone in the IT department. It is also possible the full report is not passed along, but only parts that an individual needs to take action on.
11.
Of the following, which BEST describes the objective of ITIL?
- Align IT services with the needs of the business
- To reduce organizational risk
- To produce a culture that welcomes change and delivers results in shorter timeframes
- Identify and simplify repeatable tasks
Correct answer: Align IT services with the needs of the business
ITIL (Information Technology Infrastructure Library) is focused on aligning IT services with the needs of the business. ITIL specifies processes and procedures that an organization’s IT department can use to serve business needs better. These include processes like change management, configuration management, capacity management, and others.
In a way, ITIL does help to reduce organizational risk. However, the question asks for the best description of ITIL, and aligning IT with the business's needs is the better answer. A culture that welcomes change is a benefit of ITIL, but it does not necessarily deliver results in shorter timeframes. Managing IT is not a simple, repeatable task.
12.
Which of the following is LEAST likely to be included in the phases of a penetration test?
- Remediation
- Discovery or reconnaissance
- Scanning and probing
- Exploitation
Correct answer: Remediation
Remediation is least likely to be included in a penetration test. While important to do, it would occur after a test is conducted.
Discovery or reconnaissance is one of the first steps in a penetration test, in which a pentester conducts open-source intelligence gathering. Scanning and probing are more interactive than the discovery phase. This is where a pentester scans hosts and ports on a network to determine how a network is structured and what services are being used. Exploitation is attempting to gain access to the network through previously gathered information.
13.
Which of these protocols operates within the transport layer of the Open Systems Interconnection (OSI) model?
- User Datagram Protocol (UDP)
- Address Resolution Protocol (ARP)
- File Transfer Protocol (FTP)
- Secure Shell (SSH)
Correct answer: User Datagram Protocol (UDP)
User Datagram Protocol (UDP) is correct as it is a connectionless protocol that provides fast delivery of datagrams across a network at the transport layer.
Address Resolution Protocol (ARP) is a data link layer protocol. Its job is to translate an Internet Protocol (IP) address to a Media Access Control (MAC) address. File Transfer Protocol (FTP) is an application layer protocol used to put files onto or get files from a server. Secure Shell (SSH) is a session layer protocol that is used to encrypt sessions; it is commonly used for administrative sessions to configure devices such as routers and switches.
14.
What type of activity is BEST for finding active hosts and open ports?
- Network discovery scan
- Penetration test
- Network vulnerability scan
- Log reviews
Correct answer: Network discovery scan
Network discovery scans check ranges of IP addresses in attempts to find open ports. This provides security assessors with a list of hosts to target for further analysis.
Penetration test is incorrect because it involves finding vulnerabilities and attempting to exploit them. One of the steps in a pen test could involve network discovery, but "network discovery scan" is a direct answer to the question, making it the better option. Network vulnerability scan is incorrect because it scans Internet Protocol (IP) addresses to find vulnerabilities. One of its steps is also network discovery, but again, "network discovery scan" is a direct answer to the question, making it the better option. Log reviews are incorrect because they do not identify active hosts or open ports. Log reviews are performed to understand what has happened within the network, such as locating the source of an attack or where malicious activity occurred. Today this is commonly done through a Security Information and Event Management (SIEM) system.
15.
A forensic analyst has retrieved a mobile device as part of an ongoing investigation and wants to ensure the evidence on the device is not tampered with remotely. What tool could the analyst use to prevent remote tampering?
- Faraday bag
- Lock box
- Anti-static bag
- FDE
Correct answer: Faraday bag
A Faraday bag blocks electromagnetic signals, which prevents anyone from remotely wiping or otherwise interacting with the device while it is inside.
Lock boxes provide physical security for a device, but do not prevent the transference or reception of radio waves. An anti-static bag prevents static electricity from damaging devices, such as motherboards, but does not prevent wireless communication to and from the mobile device. While Full-Disk Encryption (FDE) is great, it's still accessible by the very person who created the password. Therefore, the device could potentially be accessed remotely if configured to do so.
16.
Of the following, which is based on the IEEE 802.15 standard?
- Bluetooth
- Wireless N
- Ethernet
- Direct-Sequence Spread Spectrum (DSSS)
Correct answer: Bluetooth
Bluetooth, defined by IEEE 802.15, is a personal area network technology and another area of wireless security concern. Many peripheral devices connect to cellphones via Bluetooth, such as headphones, mice, keyboards, and even other phones.
The IEEE 802.11n standard is for Wireless N and the IEEE 802.3 standard is the basis for Ethernet. Direct-Sequence Spread Spectrum (DSSS) is a modulation technique.
17.
Enforcing an Acceptable Use Policy (AUP) BEST helps to avoid what type of misconduct?
- Personal use of a system
- Opening phishing emails
- Disclosure of trade secrets
- Hacking
Correct answer: Personal use of a system
An Acceptable Use Policy (AUP) outlines the intended use of any systems that users are given access to and what use is acceptable to the organization. This covers what systems are used for and how they are used for business purposes, and it should absolutely include personal use restrictions. At a minimum, an organization should require that all employees sign an AUP that outlines what is and is not acceptable behavior when using an information system.
Preventing users from opening phishing emails or clicking on phishing links requires training; a phishing awareness program is essential today. Minimizing the chance of disclosure of trade secrets also requires training, and a Non-Disclosure Agreement (NDA) should be put in place to ensure that users understand they must control the disclosure of trade secrets they know. Hacking should not be a behavior seen from users within a corporation; training helps ensure that users understand their jobs and the security in place around the corporation's assets, to prevent any misbehavior.
18.
Which of the following supports threat modeling by identifying elements common to underlying threats?
- Reduction analysis
- Tokenization
- Deprovisioning
- Geofencing
Correct answer: Reduction analysis
A reduction analysis supports threat modeling by identifying elements common to underlying threats. If password attacks are a threat common to several applications but each of those applications relies on Microsoft Active Directory for authentication and authorization, then Microsoft Active Directory need only be evaluated once for password attacks (not for each application).
Tokenization refers to the technique of mapping sensitive data elements to, and replacing them with, an identifying token that is not itself sensitive if revealed. Deprovisioning refers to the deactivation or revocation of a user account. The deprovisioning process is a subset of (and typically completed during) the offboarding process. Geofencing is a security feature commonly utilized in conjunction with mobile devices to restrict access based on location. None of these are activities that directly support threat modeling.
19.
Of the following, what BEST describes misuse case testing?
- Attempting to identify potential security flaws in a software’s design
- Attempting to exploit vulnerabilities and writing a report to senior management
- An exercise where individuals simulate recovery from a disaster
- When security personnel verify employees of an organization and do not compromise security when presented with an opportunity to do so
Correct answer: Attempting to identify potential security flaws in a software’s design
Misuse case testing is used to help identify potential security flaws in a software’s design by examining how software could be abused or manipulated into doing something malicious. Essentially, the tester behaves as a bad user of the software to see what they can make it do that was not intended.
Attempting to exploit vulnerabilities, with permission, describes a penetration test. Recovering from a disaster is a Disaster Recovery Plan test, which could be a simulation, parallel, or full interruption test. Not compromising security when presented with an opportunity sounds like a vulnerability assessment, except that the security personnel are verifying employees, which is not normally part of a vulnerability assessment.
20.
Riley needs to send a file to a colleague, but he will need to sign the document so that his colleague will know that he sent it. Which of the following keys would he use to create a digital signature on the file?
- Private key of the sender
- Private key of the receiver
- Public key of the sender
- Public key of the receiver
Correct answer: Private key of the sender
A digital signature is a hash of the file/message that is encrypted with the sender's private key. The receiver decrypts the hash using the sender's public key. If the decrypted hash matches the hash the receiver computes over the file/message, this proves the source of the file/message, since the sender is the only entity with a copy of the private key. The same comparison assures the recipient that the message has not been tampered with during transmission.
The private and public keys of the receiver play no role in this scenario. They are used for signature purposes only when that colleague becomes the sender.