ISC2 CISSP Exam Questions
Page 5 of 50
81.
A Fagan inspection is a formal code review that sends code through a detailed review and testing process that includes how many steps?
- Six
- Three
- Five
- Ten
Correct answer: Six
The following are the six steps of a Fagan inspection:
- Planning
- Overview
- Preparation
- Inspection
- Rework
- Follow-up
82.
What type of monitoring analyzes traffic or requests of actual users?
- Real user monitoring
- Synthetic monitoring
- Active monitoring
- Network tap
Correct answer: Real user monitoring
Real User Monitoring (RUM) analyzes the traffic or status of transactions for real user traffic. This is also known as passive monitoring. RUM provides real-time updates on the status of user interactions for a given service.
Synthetic monitoring is incorrect because it actively makes transactions against a website to evaluate performance. Active monitoring is the same thing as synthetic monitoring. A network tap can be used as a tool when performing RUM.
83.
Zac works with the Chief Information Security Officer's (CISO) office. They have been inquiring about the best path to take to improve their software development capabilities. Which of the following describes a software development approach that incorporates automated cybersecurity checks into its CI/CD pipeline automation?
- Development Security Operations (DevSecOps)
- Development Operations (DevOps)
- Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Escalation (STRIDE)
- Process for Attack Simulation and Threat Analysis (PASTA)
Correct answer: Development Security Operations (DevSecOps)
DevSecOps is a software development approach incorporating automated cybersecurity checks into its CI/CD pipeline automation. DevSecOps is a combination of Development (Dev), Security (Sec), and Operations (Ops).
DevOps describes a software development approach that utilizes a CI/CD pipeline for automation without having automated cybersecurity checks incorporated into that pipeline. DevOps is a portmanteau of Development (Dev) and Operations (Ops). STRIDE and PASTA are not software development approaches but refer to threat modeling methodologies. They are used to find flaws in application environments through systematic analysis.
84.
When should a Class D fire extinguisher be used?
- On a lithium-fed fire
- On a paper-fed fire
- On a hydrogen-fed fire
- On a butane-fed fire
Correct answer: On a lithium-fed fire
Fires are classified according to what material is burning. Class D fires are combustible metal fires. Combustible metals include lithium, calcium, magnesium, lutetium, and cerium, for example. Class D fires require dry powder to extinguish them. Using water on a Class D fire can cause explosions and further feed the fire.
- Class A: Common combustibles, such as wood or paper
- Class B: Liquids, such as fuels and oils
- Class C: Electrical, such as wiring and equipment
- Class D: Combustible metals, such as magnesium or sodium
- Class K: Cooking media
85.
Veronica is the Chief Executive Officer (CEO) of Acme Inc. and is concerned about the security posture of the organization. What is the BEST action for her to take before instructing her security team to make changes?
- Hire a qualified third party to conduct a security assessment
- Ask members of the security team to send her a list of their recommended changes
- Hire a qualified third party to perform a System and Organization Controls (SOC) audit
- Gather the security team together and use the Delphi method to reach a consensus on what to do
Correct answer: Hire a qualified third party to conduct a security assessment
Security assessments are used to determine an organization's security posture. They should be conducted by qualified individuals who know how to properly assess controls and decide whether they are sufficient. When possible, these assessments should be undertaken by third parties to eliminate conflicts of interest. Once the assessment report is delivered to management, they can act on the recommendations outlined in the report.
Performing a SOC 2 audit in particular could be a great idea. However, a SOC audit is one specific kind of assessment and is therefore already covered by the correct answer; conducting a security assessment is the broader answer.
Talking to the security team would be a good idea. The problem with asking for a list of recommendations, though, is that they could be biased. Using the Delphi method does help the process by making it anonymous, but the question asks what the best action would be. Having a third party conduct a security assessment of some sort is best because of the impartiality that a third party should bring to the task.
86.
A document that describes, in detail, the encryption requirements for a data set is BEST called what?
- Standard
- Policy
- Procedure
- Guideline
Correct answer: Standard
A standard documents, in detail, the security requirements for a subset of technology. Standards are generally referenced by and enforced in a separate security policy.
Policies are high-level documents that align security objectives with business objectives. Guidelines are recommended actions or behaviors if a standard does not apply. Procedures are step-by-step instructions to accomplish a task.
87.
The US Government agency that has created a lot of useful documentation for information security is NIST. What does NIST stand for?
- National Institute of Standards and Technology
- National Intelligence Security Team
- National Installations for Safety and Transport
- National Intelligence Security Taskforce
Correct answer: National Institute of Standards and Technology
NIST stands for the "National Institute of Standards and Technology." NIST is part of the U.S. Department of Commerce and is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems. NIST also helps develop standards and guidelines to be used by private sector companies.
88.
Of the various ways to gather more information on a target, which option would a penetration tester be LEAST LIKELY to use when attempting the scanning and probing phase of a penetration test?
- Searching Domain Name System (DNS) records
- Vulnerability scanning
- Port scanning
- Sending phishing emails
Correct answer: Searching Domain Name System (DNS) records
Searching Domain Name System (DNS) records would be the least likely choice when scanning and probing since searching DNS records occurs in the phase prior to scanning and probing. During discovery and reconnaissance, DNS records are sought by the penetration tester.
Vulnerability scanning and port scanning to determine currently used services occur during the scanning and probing phase. Phishing is incorrect, as it occurs during the exploitation phase. Phishing typically occurs by committing social engineering attacks on a subject after gaining initial information and would likely involve interaction.
89.
Both the Chief Information Officer (CIO) and the newly appointed Chief Information Security Officer (CISO) want to select a more secure secondary communication channel within their disaster recovery plan, as the previous channel is deemed insecure by NIST standards. What term would BEST describe this process?
- Tailoring
- Scoping
- Change management
- Tailor-made
Correct answer: Tailoring
Tailoring is modifying standards in place to meet the needs of the current business. In this example, the CIO and CISO already had the practice of a secondary secure channel in place, but it had to be altered to conform to a more secure modern practice.
Scoping is similar to tailoring but, instead of altering standards, a business completely removes the standards that are not needed. Change management is a more general term for implementing change in an organization, whereas tailoring specifically means changing and modifying standards already in place so that they better suit the needs of the organization. Tailor-made is a fabricated term.
90.
Tiana works for a national power distribution company. She is responsible for ensuring that power levels are maintained across geographic areas by increasing or decreasing the power supplied from individual power plants. Which of the following Industrial Control Systems (ICS) does Tiana MOST LIKELY work with?
- Supervisory Control and Data Acquisition (SCADA)
- Distributed control system (DCS)
- Programmable Logic Controller (PLC)
- Discrete Controller System (DCS)
Correct answer: Supervisory Control and Data Acquisition (SCADA)
Supervisory Control and Data Acquisition (SCADA) systems are large Industrial Control Systems (ICSs) that can span large geographic areas. SCADA systems control and supervise operations using inputs from Programmable Logic Controllers (PLCs), sensors, and Human-Machine Interfaces (HMI). The supervisory computers of the SCADA system use this input to send commands to Remote Terminal Units (RTUs) to alter a process or generate alarms.
A discrete controller is a simple controller that allows the operator to control the process manually. A PLC is a controller that can have multiple inputs and outputs. PLCs are often networked and controlled by a supervisory computer. A Distributed Control System (DCS) is a network of PLCs, sensors, and supervisory computers. Generally, a DCS is process-specific and does not span large geographical areas, whereas a SCADA system controls multiple processes and can span large geographical areas.
91.
Many departments may be involved in dealing with an employee suspected of fraudulent system use. Which department is almost always involved?
- Human Resources
- Legal
- Physical security
- Senior management
Correct answer: Human Resources
Human Resources is responsible for pre-employment screening and termination. They draw up papers and insist IT secures the system during employee termination. They also help with investigations into employee misconduct.
The legal department could become involved if the fraudulent act is a violation of a law or contract the company must comply with, or if the act could result in a lawsuit. Physical security could be involved if there was a breach of physical security controls to perform the fraudulent act, for example, someone coat-tailing or tailgating into a secured area of the building. Senior management could become involved quickly if this is a small company. In a medium to large business, whether they become involved would depend on the level and type of fraud.
92.
Maple Leaf Industries wants to implement an approach to their software development practices in which employees from security and development join together to create software-defined security. Which term BEST describes this approach?
- DevSecOps
- SecOps
- DevOps
- Agile methodology
Correct answer: DevSecOps
In DevSecOps, the security team is integrated into the development of software very early. Typically, the security team will follow the software creation progress and work with the developers during every step of the development phase. This helps to ensure secure practices occur at every stage of the software development life cycle, instead of potentially allowing things to be missed during the development. Additionally, this can make the development of software more efficient. In DevSecOps, the work will be checked for security flaws while it is being created, not after.
SecOps, short for Security Operations, refers to the practice of integrating security measures into an organization's overall operations. It involves the collaboration between security teams and operations teams to ensure the continuous protection of an organization's systems, data, and assets. The primary objective of SecOps is to detect, prevent, respond to, and recover from security incidents and breaches effectively.
DevOps, short for Development and Operations, is a set of practices and cultural philosophies that promote collaboration and integration between software development teams and IT operations teams within an organization. The primary goal of DevOps is to facilitate the rapid and reliable delivery of software products and services, ensuring high-quality, efficient, and scalable solutions.
The Agile methodology is a software development lifecycle method, and it may play a role in how a DevSecOps team revisits a part of the software development lifecycle. However, the Agile methodology does not explicitly describe the development and security operations teams coming together.
93.
Which of the following protocols is used to pull email messages from an email server to an email client's inbox?
- Post Office Protocol 3 (POP3)
- Simple Mail Transfer Protocol (SMTP)
- File Transfer Protocol (FTP)
- Telnet
Correct answer: Post Office Protocol 3 (POP3)
Post Office Protocol 3 (POP3) is used to pull email messages from an email server to an email client's inbox. With POP3, the email is generally deleted from the server after it's downloaded to the local inbox.
Simple Mail Transfer Protocol (SMTP) is incorrect because it is primarily used to transfer emails between servers. File Transfer Protocol (FTP) is incorrect because it is used specifically for file transfer, to move a file to a server or from a server. Telnet is incorrect because it is used for remote logins and should not be used today because it sends all data in the clear (including the password).
94.
Which of the following networks would typically cover broad geographic and political boundaries?
- Wide Area Network (WAN)
- Local Area Network (LAN)
- Metropolitan Area Network (MAN)
- Personal Area Network (PAN)
Correct answer: Wide Area Network (WAN)
The Wide Area Network (WAN) is a geographically broad network that can cover multiple cities or even countries. A WAN connects multiple Local Area Networks (LANs) and other WANs by using telecommunications devices and facilities to form an internetwork.
A Local Area Network (LAN) is incorrect because it is a data network that operates across a small geographic area such as a single building or floor. A Metropolitan Area Network (MAN) is incorrect because it extends across a large area, such as a city. A Personal Area Network (PAN) is a small, personal-use network such as Bluetooth.
95.
What type of cipher exchanges letters of a plain text message with a different alternative letter to create ciphertext?
- Substitution cipher
- Transposition cipher
- One-time pad
- Running key
Correct answer: Substitution cipher
In substitution ciphers, each letter is replaced by an alternative letter. For instance, each A is replaced with the letter G. ROT13 is an old, popular substitution cipher that substitutes each letter with the 13th letter from the current letter's position. For each A there is an N. For each B there is an O, etc.
Transposition ciphers alter the order of the letters of the plaintext. For example, encryption of the plaintext HELLO could become the ciphertext of LLEOH (depending on the cipher and key). But all the letters from the plaintext are still there, they are just in a different order. A one-time pad is a substitution cipher that uses a key that is as long as the plaintext and properly random and only used once. They are provably unbreakable by brute force attacks. A running key cipher is a substitution cipher that uses a key as long as the plaintext.
96.
Which of the following is a "something you are" authentication factor?
- Type 3
- Type 1
- Type 2
- Type 4
Correct answer: Type 3
Type 3 authentication factors are "something you are," such as a fingerprint, palm vein scan, or retina scan.
Type 1 authentication factors are "something you know," such as a passphrase. Type 2 authentication factors are "something you have," like a smart card or security token. There are no Type 4 authentication factors.
97.
Of the following, which is the most common and well-known ticket system that uses a key distribution center, an authentication server, tickets, and ticket-granting tickets?
- Kerberos
- Security Assertion Markup Language (SAML)
- Single Sign-On (SSO)
- New Technology Local Area Network (LAN) Manager (NTLM)
Correct answer: Kerberos
Kerberos offers a Single Sign-On (SSO) solution for users and provides protection for credentials. The current version, Kerberos 5, relies on symmetric-key cryptography using the Advanced Encryption Standard (AES). Kerberos provides confidentiality and integrity for authentication using end-to-end security and uses a system of keys and tickets to grant access to resources.
SSO is incorrect because, although Kerberos is an SSO technology, the details of the question make Kerberos the better, more specific answer. New Technology Local Area Network (LAN) Manager (NTLM) is an SSO technology as well, but again the details of the question point to Kerberos: NTLM does not have a Key Distribution Center (KDC), tickets, or ticket-granting tickets. Those terms are specific to Kerberos. Security Assertion Markup Language (SAML) is an SSO technology, but it uses tokens rather than tickets. Functionally they are similar, but the term ticket belongs to Kerberos and tokens to SAML (and other technologies).
98.
The purpose of a Business Impact Analysis (BIA) is to determine the impact of the loss of a critical business function in both quantitative and qualitative measures. Which of these choices is a qualitative loss?
- Decrease in service quality
- Loss of asset value
- Increase in expenses
- Loss of revenue
Correct answer: Decrease in service quality
Service quality would be measured in the degree to which the quality was lessened. Quantitative loss can be measured numerically, but qualitative loss is measured subjectively.
An increase in expenses, loss of revenue, and loss of asset value are all quantitative measurements.
99.
Which of the following is NOT used for centralized authentication?
- Open Web Application Security Project (OWASP)
- Remote Authentication Dial-In User Service (RADIUS)
- Terminal Access Controller Access-Control System+ (TACACS+)
- Diameter
Correct answer: Open Web Application Security Project (OWASP)
The Open Web Application Security Project (OWASP) is an organization that publishes free guidance and documentation for developers on web application security. It has nothing to do with centralized authentication.
Remote Authentication Dial-In User Service (RADIUS) is used for centralized authentication, typically for organizations with more than one network access server. Terminal Access Controller Access-Control System+ (TACACS+) was released after RADIUS and offers several improvements. Diameter was built to enhance RADIUS by supporting a wide range of additional protocols.
100.
Earvin is setting up access for a new employee to the database, email server, and file server. The employee requires read access to some of the directories and folders in the file server and read/write to others. In the database, they do not require the ability to create any reports. Which of the following BEST ensures that subjects are granted only the access required to perform their work tasks and job functions?
- Least privilege
- Need to know
- Separation of duties
- Implicit deny
Correct answer: Least privilege
The least privilege principle is used to ensure that subjects are granted only the privileges they need to perform their work tasks and job functions. This is sometimes confused with the need-to-know principle. The primary difference is that the least privilege principle also covers the right to take action on a system.
Need to Know (NtK) addresses the access that an employee needs to data. It is not a question of what level of access (read, write, etc.) is needed; it is a question of whether they need that data at all. The specific permissions are addressed by least privilege. Separation of duties is the idea that a job is broken into tasks, with some of the tasks assigned to one person and the rest assigned to a second person. More people could be involved, but at least two people must be required to complete the task. For example, if someone can add an invoice to accounts receivable, they should not also be able to process the payment. That task should be assigned to someone else, perhaps an accounts payable clerk, who can verify that it is a real customer with real products or services before sending payment. Implicit deny, also known as "default deny," is a concept used in access control mechanisms to define the default behavior when access requests do not match any specific allow rule. Under implicit deny, if there is no explicit permission or rule granting access to a resource, the access request is automatically denied by default.