ISC2 CISSP Exam Questions
Page 3 of 50
41.
Malware is a term used to describe which of the following?
- Malicious software
- Poorly designed software
- Malfunctioning software
- State-sponsored software
Correct answer: Malicious software
Malware is any software that has malicious intent. It may offer something productive for a user to help hide the malicious side of the software. Malware is classed into several categories. Phishing, viruses, worms, keyloggers, spyware, adware, rootkits, and ransomware are all examples of malware.
The other three terms are simply descriptions of software in different states. There is plenty of poorly designed software out there. When it is poorly designed it will likely malfunction. State-sponsored software could be something that a government has created. Perhaps something that is created to make it easier for people to file their taxes.
42.
What type of control are mandatory vacation policies considered to be?
- Administrative control
- Physical control
- Technical control
- Corrective control
Correct answer: Administrative control
Mandatory vacations are considered to be administrative controls that can help detect fraudulent activity. A mandatory vacation policy allows other department members to discover something that an employee was potentially hiding. It helps uncover employee misconduct and forces cross-training among department members.
Physical controls include walls, fences, locks, guards, dogs, etc. A mandatory vacation is a vacation of at least a set minimum length, scheduled without advance notice so that the employee's work can be audited while they are away; it is not a physical control. Technical or logical controls include encryption, logical access controls, firewalls, etc. Corrective controls are controls that return the environment to a working condition after an incident of some kind occurs.
43.
Ashley is a penetration tester who successfully captured a system’s password file. The compromised system only requires a minimum of eight characters for each password. She uses a rainbow table with trillions of passwords to hash values to find any matches; however, none are found. Of the following, what is MOST LIKELY the reason none of the hash values match the rainbow table?
- A salt was used with the hash
- None of the passwords are in the rainbow table
- The rainbow table was computed incorrectly
- The system is a honeypot
Correct answer: A salt was used with the hash
Adding a salt to a password hash enhances security. A salt is a unique random value combined with the password before hashing. This prevents identical passwords from having the same hash, thwarting precomputed attacks and increasing complexity, making it harder for attackers to crack passwords.
A password not being in the rainbow table is not likely: the rainbow table has precomputed hashes for passwords up to 16 characters long and for every shorter length. A rainbow table computed incorrectly is slightly possible, but if she is using any of the normal products that pen testers use, this would not be a problem. The system being a honeypot is irrelevant to the scenario. Ashley has a password file, and she is trying to figure out the passwords from that file. The file only contains the hash values for the passwords, or the hashes of the passwords combined with salts, which is more likely here.
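The explanation above can be made concrete. The following is an added example, not part of the original question bank: it hashes the same password with and without a salt and runs both digests against a constructed lookup table of precomputed hashes (a plain dictionary standing in for a rainbow table). The candidate passwords, the 16-byte salt length and the use of SHA-256 are assumptions chosen for the demonstration.

```python
import hashlib
import os
from typing import Optional

# Constructed stand-in for a precomputed hash table. A real rainbow table is a
# compressed chain structure, but the property that matters here is the same:
# it maps a digest back to the password that produced it.
CANDIDATES = ["password1", "letmein123", "correcthorse", "Summer2024!"]
PRECOMPUTED = {hashlib.sha256(p.encode()).hexdigest(): p for p in CANDIDATES}


def unsalted_hash(password: str) -> str:
    """Digest of the bare password: identical passwords give identical digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest); a fresh 16-byte random salt is drawn per password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt, digest


def verify(password: str, salt: bytes, stored_digest: str) -> bool:
    """Legitimate login check: recompute with the stored salt and compare."""
    return salted_hash(password, salt)[1] == stored_digest


def table_lookup(digest: str) -> Optional[str]:
    """Precomputed-table lookup: the password if its digest was precomputed, else None."""
    return PRECOMPUTED.get(digest)


def demo(password: str = "letmein123") -> dict:
    """Compare what the precomputed table recovers with and without a salt."""
    plain_a, plain_b = unsalted_hash(password), unsalted_hash(password)
    salt_a, salted_a = salted_hash(password)
    salt_b, salted_b = salted_hash(password)
    return {
        "unsalted_digests_equal": plain_a == plain_b,   # same password, same digest
        "unsalted_table_hit": table_lookup(plain_a),    # table recovers the password
        "salted_digests_equal": salted_a == salted_b,   # different salts, different digests
        "salted_table_hit": table_lookup(salted_a),     # table knows nothing about this digest
        "verify_with_stored_salt": verify(password, salt_a, salted_a),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The salt defeats the table because the table would have to be rebuilt for every distinct salt value, and the server can still verify a login because it stores the salt beside the digest. Plain SHA-256 is used only to keep the salt's effect visible; a production password store combines the salt with a deliberately slow key-derivation function such as PBKDF2, bcrypt, scrypt or Argon2.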
44.
Which of the following Mandatory Access Control (MAC) environments recognizes no relationship between one security domain and another?
- Compartmentalized environment
- Hierarchical environment
- Hybrid environment
- Mandatory control matrix
Correct answer: Compartmentalized environment
In a compartmentalized environment, there is no relationship between one security domain and another. Each domain represents a separate isolated compartment. To gain access to an object, the subject must have specific clearance for each security domain. For example, a general may have access to Top Secret information about troop movements but not Top Secret information about nuclear missile construction.
Hierarchical environments are probably very familiar. The classic government classification scheme is hierarchical in nature. There is a low level, a medium level, a high level, and so on. Common names seen through the government and industry would be ‘unclassified’ or ‘public’ for example. Medium would be ‘secret’ and high level would be ‘top secret’. (To be clear these are examples and are not necessarily accurate to a government agency's particular name usage.) Hybrid environments combine both compartmentalized and hierarchical together. A matrix is used in risk management or access control, but not as a mandatory control matrix.
45.
An organization wants to find the most appropriate solution to back up its data in preparation for the possible event of a major natural disaster. What would be the BEST solution to securely back up data off-site and protect against a natural disaster?
- Provide the backup data to a trusted third party in another state
- Provide the backup data to a trusted third party in another country
- Provide the backup data to a trusted third party across town
- There is no viable solution and this is an accepted risk for all organizations
Correct answer: Provide the backup data to a trusted third party in another state
By providing backup data to a trusted third party in another state, an organization can ensure the data is secure and untouched by their local natural disaster. A fire in California won't impact New York, so the backup data can be transferred to a hot site or rebuilt data center as needed.
Providing the backup data to an entity across town would still risk the consequences of a natural disaster. Providing the data to a party in another country would be possible, but this risks potentially violating agreements between the organization and customers. Data in another country may require additional regulatory precautions and increase risk if data governance practices are not followed carefully. While natural disasters are a risk for any organization, many businesses take precautions instead of simply accepting the risk as a whole because it is something that can reasonably be worked around.
46.
Operations security seeks to implement controls that create all EXCEPT which of the following?
- Optimization
- Availability
- Integrity
- Confidentiality
Correct answer: Optimization
Optimization is a critical concept in networking design, hardware design, software design as well as other areas of business such as processes.
The three objectives for security systems are confidentiality, integrity, and availability. This is known as the CIA triad. Confidentiality strives to protect assets from unauthorized access, integrity focuses on ensuring the accuracy and reliability of data and systems, and availability focuses on maintaining uninterrupted access for authorized individuals.
47.
A secretary of the Chief Executive Officer (CEO) received a phone call stating an important file needed to be forwarded to a client immediately in an effort to secure a business contract overseas. The secretary did not recognize the phone number, but the caller was familiar with an ongoing business negotiation and recognized the importance of this business deal. The secretary forwarded the information to the potential client as the caller requested, only to learn a few days later a security breach occurred. All the details of the business deal were posted across public forums. What type of attack does this BEST describe?
- Vishing
- Whaling
- Phishing
- Duping
Correct answer: Vishing
Vishing is using the voice as a means for phishing. A prime example of this would be calling and pretending to be someone else as a means to mislead someone to gain information.
Whaling is a type of phishing that specifically targets upper-level management of a company. In this example, the caller contacted someone who represents the CEO; the CEO was not the primary target of this attack, so the answer would not be whaling. Phishing is the acquisition of information through social engineering mechanisms. While this occurs in the example given, vishing is the better and more specific answer. Vishing, whaling, and phishing all fall under the category of asset handling and management. Duping is a fabricated term.
48.
Within the process of gaining access to systems at the office, users must take several actions. What is the step of proving a claimed identity called?
- Authentication
- Identification
- Authorization
- Accounting
Correct answer: Authentication
Identity and Access Management (IAM) follows the process of IAAA. IAAA stands for Identification, Authentication, Authorization, and Accounting; however, it consists of five services.
Identification is when a user makes a claim as to who they are. This is done by providing a user identification, email address, personal number, etc.
Authentication is the verification or proof of the identity claim. This is done using one or more of the three authentication factors. Factor 1 is knowledge, e.g. a password, passphrase, or cognitive password. Factor 2 is possession, e.g. a token, an X.509 certificate, or a mobile phone (for receiving an SMS, Short Message Service, code). Factor 3 is biometrics, e.g. a fingerprint, facial recognition, etc.
Authorization is then granting an appropriate level of permissions if the user is allowed access. Permissions include read, write, tag, list, execute, etc.
Accounting (Accountability or Auditing) is the process of creating a log or audit trail so that there is a record of actions taken. This allows companies to know what happened and hold users accountable for their actions if necessary.
49.
What is the MOST effective control at preventing piggybacking?
- Double door installation
- Identification badges
- Bollards
- Administrative policy
Correct answer: Double door installation
Double door installations, or mantraps, force individuals into a small room with an ingress and egress door. Before the person can exit through the egress door, the ingress door must be closed and locked. If the individual is authorized, the egress door will unlock, and they can proceed. If they are not authorized, both doors remain locked until a security guard or police officer arrives and escorts them off the property or arrests them for trespassing. It is common for mantraps to have a weight scale across the floor to ensure only one person is in the room at a time.
Identification badges, bollards, and administrative policy would be additional controls, but mantraps are considered the most effective at preventing piggybacking.
50.
Which of the following is MOST LIKELY described as a document that defines what type of data to keep, how long to keep it, and how to destroy it?
- A record retention policy
- An E-Discovery Order
- A data classification policy
- A chain of custody procedure
Correct answer: A record retention policy
Record retention, or data retention, policies define what type of data to keep, the length of retention, how to maintain the data, and how to destroy the information when it is no longer needed.
An E-Discovery Order is a court order to maintain and not delete information relevant to a case. Data classification is the process of marking or categorizing an organization's data. A chain of custody procedure defines how evidence should be collected and preserved to be used in court.
51.
What role does Security Assertion Markup Language (SAML) play regarding security and communication?
- SAML is a universal standard used for authentication and authorization information to be transmitted and interpreted by any security domains being interacted with.
- SAML communicates security information to online public databases.
- SAML is an e-mail list associated with domains to reduce spam.
- SAML is the use of a digital signature by e-mail servers to provide authentication and integrity of messages.
Correct answer: SAML is a universal standard used for authentication and authorization information to be transmitted and interpreted by any security domains being interacted with.
Security Assertion Markup Language (SAML) is typically found with Federated Identity Management (FIM) systems, where a user authenticating into any service can do so through a secure and uniform process with which all involved parties are familiar.
SAML is not for the exchange of information that is necessarily visible to the public. A Sender Policy Framework (SPF) record would be a list of e-mails associated with a domain. DomainKeys Identified Mail (DKIM) is the use of a digital signature by e-mail servers to provide authentication and integrity of messages.
52.
Which of the following provides information to a system that only includes the subject and its assigned privilege in each row?
- Access control list
- Compatibility matrix
- Access control matrix
- Role-based access
Correct answer: Access control list
An Access Control List (ACL) is a table that includes subjects and assigned privileges. Access control lists are bound to a specific object. When a subject attempts an action on the object, the system checks the access control list to determine if the subject has the appropriate privileges to perform the action.
A compatibility matrix is a table that shows which systems or applications are compatible with each other. It maps systems/applications to other systems/applications. An access control matrix is a table that shows which subjects are granted access to which objects. Both subjects and objects are visible in the access control matrix. Role-based access is a security model that assigns permissions based on a user's role in the organization. The roles are mapped to the objects and the permissions that the role is granted.
53.
Lucy has been asked to create a plan to help her organization continue operations in the event of a natural disaster. Her plan must provide office space and maintain lines of communication with their employees and customers. The plan must also provide the necessary teams and plans to return to repair the affected locations and return everything to a normal condition, including returning the Information Technology (IT) systems to normal. Of the following, what type of plan has Lucy MOST LIKELY been asked to create?
- Business Continuity Plan
- Disaster Recovery Plan
- Incident Response Plan
- Crisis Communications Plan
Correct answer: Business Continuity Plan
A Business Continuity Plan (BCP) is a series of procedures and plans that help an organization maintain operations in a long-term disaster. They are often confused with Disaster Recovery Plans (DRPs) but differ in their scope. A BCP is generally focused on the business as a whole, whereas a DRP is generally focused on hardware, software, and facilities, for example, a data center. A BCP and DRP are used together to recover from and maintain operations during a disaster.
An Incident Response Plan (IRP) is incorrect because it focuses on an organization's response to a suspected security event. The IRP is usually the first of the plans that is used when systems are disrupted in some way. In the event of a natural disaster, it is not likely to be used at all. A Crisis Communications Plan (CCP) is incorrect because it focuses on maintaining communications during a disaster.
54.
Which of the following is a symmetric-key block cipher?
- Twofish
- Elliptical Curve Cryptosystem
- Rivest Cipher 4
- Schnorr
Correct answer: Twofish
Twofish is a symmetric-key block cipher that was a finalist in the Advanced Encryption Standard (AES) contest. It has since been placed in the public domain. Twofish is related to the earlier Blowfish algorithm. Twofish operates on 128-bit blocks, employing 16 rounds with variable key lengths up to 256 bits.
Elliptical Curve Cryptosystem (ECC) is an asymmetric algorithm. Schnorr is also an asymmetric algorithm. Rivest Cipher 4 is a symmetric stream algorithm.
55.
Which of the following approaches to removing data remanence is the MOST effective option in cloud environments?
- Cryptoshredding
- Erasing
- Degaussing
- Destruction
Correct answer: Cryptoshredding
Data remanence refers to information that remains after a disk, USB drive, etc. has been erased. Simply deleting a file isn’t enough, since additional information will be left behind. Some methods of securely deleting data include:
- Cryptoshredding: Cryptoshredding, or cryptographic erasure, destroys the cryptographic keys used to protect encrypted data. This runs the risk that the encryption algorithm may be broken in the future or a backup key might be discovered. However, it is often the only available option in cloud environments.
- Erasing: Erasing uses the built-in delete functionality on a computer to remove pointers to the data. However, the actual data remains on disk until it is overwritten by something else.
- Clearing: Clearing overwrites data with other data. Depending on the number of passes, the storage medium, and data written, data may be retrievable using specialized technology.
- Purging: Purging repeats the clearing process multiple times to completely remove all data. However, this isn’t always trusted and is not a method approved by the U.S. government for clearing Top Secret media.
- Degaussing: Degaussing uses a magnetic field to wipe data from magnetic tapes and hard disk drives (HDDs). It doesn’t work on optical disks or flash storage (including USBs, SSDs, and SD cards).
- Destruction: Destruction physically damages the media to the point that it is impossible to retrieve data from it.
56.
Which of the following symmetric cryptography modes is the most impractical to use and the easiest to crack?
- Electronic Code Book (ECB)
- Cipher Block Chaining (CBC)
- Cipher Feedback (CFB)
- Output Feedback (OFB)
Correct answer: Electronic Code Book (ECB)
An Electronic Code Book (ECB) is extremely ineffective and simply encrypts data with the chosen secret key. It is susceptible to frequency analysis.
Cipher Block Chaining (CBC) is incorrect because it XORs the plaintext and also uses the Data Encryption Standard (DES) algorithm. Cipher Feedback (CFB) is incorrect because it is just like CBC, except it is a stream cipher rather than a block cipher. Output Feedback (OFB) is incorrect because it uses a combination of XOR and DES encryption as well. CBC, CFB, and OFB all use a random value to hide patterns by randomizing the values through the use of an initialization vector before encrypting.
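The weakness of ECB described above is that every identical plaintext block produces an identical ciphertext block, so repeated records show through the ciphertext; the initialization vector and chaining in CBC remove that pattern. The following added example (not part of the original question bank) encrypts a constructed plaintext of repeated 16-byte records in both modes and counts duplicate ciphertext blocks. The block cipher inside is an assumption: a small SHA-256-based Feistel permutation standing in for a real cipher such as AES or DES, used only so that the two modes have an invertible block function to drive; it has no security value of its own.

```python
import hashlib
import os

BLOCK = 16        # block size in bytes
HALF = BLOCK // 2
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Toy Feistel round function (assumption: stand-in for a real block cipher).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy block permutation: (L, R) -> (R, L xor F(R)) for each round."""
    left, right = block[:HALF], block[HALF:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of block_encrypt: undo the rounds in reverse order."""
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right


def _blocks(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("input must be a whole number of blocks (pad first)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # ECB: each block encrypted independently, so equal blocks give equal output.
    return b"".join(block_encrypt(key, b) for b in _blocks(plaintext))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return b"".join(block_decrypt(key, b) for b in _blocks(ciphertext))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # CBC: XOR each block with the previous ciphertext block (the IV first).
    out, prev = [], iv
    for b in _blocks(plaintext):
        prev = block_encrypt(key, _xor(prev, b))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(ciphertext):
        out.append(_xor(prev, block_decrypt(key, c)))
        prev = c
    return b"".join(out)


def duplicate_block_count(ciphertext: bytes) -> int:
    """Number of ciphertext blocks that merely repeat an earlier block."""
    blocks = _blocks(ciphertext)
    return len(blocks) - len(set(blocks))


# Constructed plaintext: four identical 16-byte records followed by one different one.
SAMPLE = b"ACCOUNT=0001;OK;" * 4 + b"ACCOUNT=0002;NO;"


def demo(key: bytes = b"\x01" * 16) -> dict:
    iv = os.urandom(BLOCK)                # fresh random IV per CBC message
    ecb_ct = ecb_encrypt(key, SAMPLE)
    cbc_ct = cbc_encrypt(key, iv, SAMPLE)
    return {
        "ecb_duplicate_blocks": duplicate_block_count(ecb_ct),   # pattern leaks: 3
        "cbc_duplicate_blocks": duplicate_block_count(cbc_ct),   # pattern hidden: 0
        "ecb_round_trip": ecb_decrypt(key, ecb_ct) == SAMPLE,
        "cbc_round_trip": cbc_decrypt(key, iv, cbc_ct) == SAMPLE,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The ECB ciphertext reveals that records 1 to 4 are identical without any key material, which is exactly the frequency-analysis exposure the explanation refers to; under CBC the same plaintext yields five distinct blocks, and a different IV on the next message changes all of them again. Reusing an IV would bring part of the pattern back, which is why the IV must be fresh per message.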
57.
A penetration tester has been asked to conduct a penetration test on a client using only passive reconnaissance. Which of these options is LEAST likely to meet this criterion?
- Synchronize (SYN) scans
- Searching Domain Name System (DNS) records
- Physical observation
- Visiting the company's website
Correct answer: Synchronize (SYN) scans
Synchronize (SYN) scans would be least likely to meet this criterion, as the penetration tester would alert the client that a SYN packet reached their port. A pattern of these SYN packets to different ports would then trigger an alert in an intrusion detection system.
Searching Domain Name System (DNS) records involves using command line input to gather open-source information which the client would not be alerted to. Physical observation and visiting the company's website would not necessarily alert a client. In both instances, there is an opportunity for the penetration tester to blend in with the environment. Being in an outdoor or crowded area would significantly reduce the chance of a specific person being noticed, and a website may experience a lot of traffic.
58.
What is TRUE of the three levels of Security Organizational Controls (SOC) engagements?
- The higher the level, the more public their disclosures become
- The higher the level, the more private their disclosures become
- They are ranked by detail with SOC 3 being the least detailed
- Only SOC 3 engagements incorporate the Confidentiality, Integrity, Availability triad
Correct answer: The higher the level, the more public their disclosures become
As Security Organizational Controls (SOC) engagement reports increase in level, their public disclosure is more likely. Additionally, SOC 1 and SOC 2 audit reports function similarly. The greater the involvement of people, the higher the level. SOC 1 reports are based on documentation review. SOC 2 reports are based on a more thorough review of security practices and physical evaluation.
All three SOC engagement reports stress the Confidentiality, Integrity, Availability (CIA) triad. As we get closer to SOC 3, each aspect of the CIA triad also changes. The levels usually begin at level one with low availability and confidentiality and end at level three with availability to the public and no confidentiality.
59.
What would the text of "cat" look like when encrypted using the Caesar cipher?
- fdw
- dbv
- zxq
- cat
Correct answer: fdw
The Caesar cipher shifts each letter of the alphabet three places to the right. A becomes D, B becomes E, C becomes F, etc.
c = f
a = d
t = w
This is a great example of a substitution cipher. The exam is not likely to have you actually do any encryption, but this is a good test of comprehension in preparation for the exam.
60.
Which of the following technologies will MOST LIKELY prevent sensitive data from being moved to removable media?
- Endpoint Data Loss Prevention (DLP)
- Network Data Loss Prevention (DLP)
- Endpoint Anti-malware
- Network-based Intrusion Detection System (NIDS)
Correct answer: Endpoint Data Loss Prevention (DLP)
Endpoint Data Loss Prevention (DLP) is an agent/program installed on an endpoint. It applies protection for data at rest and in use. It can block a user from saving sensitive data to a removable media device or printing sensitive information on an attached printer.
Network DLP is used to prevent sensitive information from being transmitted over the network. For example, network DLP can catch when a user places sensitive information such as credit card numbers in an email. Anti-malware is used to search for, find, and isolate malicious software on a device. Malicious software includes viruses, worms, trojans, and keystroke loggers. It is possible that malicious software could send sensitive information out of an endpoint device, but that would not normally include placing that software on a thumb drive. Network-based Intrusion Detection System (NIDS) is used to detect intrusion attempts. Normally this would be coming in from the outside network, for example, the internet. The question is looking for a way to protect sensitive information from leaving.