ISC2 CISSP Exam Questions
Page 8 of 50
141.
The assignment of labels or classifications in Mandatory Access Control (MAC) can only be performed by whom?
- System administrators
- Users
- Managers
- Physical security personnel
Correct answer: System administrators
The modification of the label or classification of a resource in Mandatory Access Control (MAC) can only be performed by system administrators. Strict auditing should be implemented to ensure that system administrators do not modify resources that should not be modified.
Users should never be allowed to modify the label that contains the classification level, at least in theory. Managers might be the ones considered the ‘data owners’; if so, they are responsible for the appropriate classification of data, but they would not normally perform the actual modification of the label itself.
Physical security should not be determining the classification nor applying the label for the classification of data.
142.
What is the MOST effective control for preventing tailgating?
- Turnstiles
- Security cameras
- Guards
- Identification badges
Correct answer: Turnstiles
Turnstiles allow only one person to enter at a time. As one person swipes a badge and enters the data center, the turnstile restricts the following person. It's a method of preventing tailgating, which happens when an unauthorized person follows an authorized person through an entrance.
Security cameras are a detective control. They would help understand who has been accessing the business, but they would not stop, slow, or prevent unauthorized access.
Identification badges by themselves are not preventive. If there is a locked door that is opened with the possession of an identification badge, that would help. However, the question is about tailgating which is when someone walks in behind an authorized person. So, it is still a weaker control than turnstiles.
When guards are very diligent, and they are combined with badges, and doors that open only with the badge, they could help with tailgating. However, the answer only says guards. Guards by themselves should rarely be considered preventive as humans are distractable. So, a turnstile is a better control.
143.
Which of the following asset classes includes copyrights, trademarks, patents, and similar intellectual property?
- Intangible
- Tangible
- Waterfall
- Agile
Correct answer: Intangible
Intangible assets describe asset types that do not possess a physical substance. Copyrights, trademarks, patents, and similar intellectual property are all classified as (and are examples of) intangible assets. While such assets are without physical substance, they are not without value, making it essential to consider them in risk management planning.
Tangible assets describe assets with physical substance. Examples of tangible assets include computing devices, buildings, furniture, automobiles, and machinery. Waterfall and Agile are not asset classes but refer to software development methodologies. Waterfall follows a structured, linear approach while Agile utilizes an iterative approach that supports greater flexibility.
144.
What is the name of the attack where an attacker alters a Domain Name System (DNS) cache?
- Domain Name System (DNS) poisoning
- Man-in-the-Middle (MitM) attack
- Address Resolution Protocol (ARP) poisoning
- Domain Name System (DNS) redirection
Correct answer: Domain Name System (DNS) poisoning
Domain Name System (DNS) poisoning occurs when an attacker is able to manipulate a DNS cache and replace legitimate records with malicious records. This can cause the client to access malicious servers when attempting to query legitimate DNS records. Attackers can target a client’s local cache or the DNS server’s cache.
DNS redirection is a normal practice. For example, Pocket Prep could have alternate domain names that are forwarded to its main site, such as pocket-prep.com being forwarded to pocketprep.com (a hypothetical example).
Address Resolution Protocol (ARP) poisoning is when the ARP cache is tampered with. ARP maps the Internet Protocol (IP) address to the Media Access Control (MAC) address. DNS maps names such as PocketPrep.com to an Internet Protocol (IP) address.
MitM attacks occur when the attacker inserts themselves in the middle of the end-to-end communication. There are many places that this could occur, but an example would be when a bad actor sets their computer up in the airport to act as a free Wi-Fi connection point. When a user connects to the fake access point, the bad actor then forwards the data onto the real network. The bad actor could then just read the traffic as it passes through, or they could change and alter some of the info.
145.
A customer purchases an internet plan with TV service included. Upon conducting a vulnerability scan after installation, the customer is informed that the cable box has a vulnerability. The customer decides to immediately notify the provider via their bug bounty program while remaining silent on the issue to others until the problem can be solved by the provider. What is the process of allowing a provider to remediate a vulnerability in a reasonable time frame BEST described as?
- Responsible disclosure
- Non-disclosure agreement
- Whistleblowing
- Mandatory reporting
Correct answer: Responsible disclosure
Responsible disclosure is a type of ethical disclosure in which vendors are informed but given time to remediate the issue. Doing so acknowledges an issue that needs a fix but gives companies an opportunity to do the right thing without alerting the public and increasing the likelihood of cyber attacks.
If this were not taken seriously by the company, it would fall under the category of whistleblowing to both hold the company accountable and inform other customers before an attacker exploits the vulnerability. Mandatory reporting describes being legally obligated to file a report with the police upon learning something, which is not specifically mentioned in this instance. A non-disclosure agreement is a written agreement between two or more parties to not disclose the contents of an event.
146.
When discussing Voice over IP (VoIP), what protocol carries encrypted media packets?
- Secure Real-Time Transport Protocol (SRTP)
- Secure Internet Protocol (SIP)
- Session Initiation Protocol (SIP)
- Session Initiation Protocol Secure (SIPS)
Correct answer: Secure Real-Time Transport Protocol (SRTP)
When discussing Voice over IP (VoIP) and the Session Initiation Protocol (SIP) protocol suite, it is crucial to distinguish between signaling and media traffic. Signaling references the traffic that controls and establishes the connection. SIP is what is used to set up the telephone ‘call’ by notifying each party how to reach each other. We still use phone numbers to place ‘calls’ on the data network even though the data network does not use phone numbers. It is necessary to resolve the address difference by linking the phone number to the IP (Internet Protocol) address. The media traffic is the actual audio broken up into packets. By default, media traffic uses the Real-Time Transport Protocol (RTP). If the media traffic needs to be encrypted, Secure Real-Time Transport Protocol (SRTP) can be used. SRTP does not encrypt the signaling traffic.
Secure Internet Protocol is not a real protocol. Neither is Session Initiation Protocol Secure (SIPS).
147.
What is the purpose of endpoint-based Data Loss Prevention (DLP)?
- To prevent data loss at each endpoint by recognizing patterns or keywords
- To encrypt data at rest on a storage drive
- To minimize the potential for decrypting information
- To provide attackers with false or deceiving data
Correct answer: To prevent data loss at each endpoint by recognizing patterns or keywords
Endpoint-based DLP involves preventing data loss at each endpoint by recognizing patterns or keywords. Additionally, endpoint-based DLP can be used to conduct an initial scan to recognize potentially sensitive information on a device.
Endpoint-based DLP neither encrypts nor decrypts data; if the data were encrypted, the patterns the software must recognize would no longer be visible to it. Endpoint-based DLP simply prevents certain data from leaving a device, potentially warning the user about their action to prevent future misbehavior.
148.
If antimalware software looks at the characteristics of code and how it may interact with the system looking for suspicious behavior, what type of detection is MOST LIKELY being used?
- Heuristic
- Signature
- Sandbox
- Reputation
Correct answer: Heuristic
Heuristic detection, sometimes called behavior detection, analyzes the characteristics and structure of code to detect malware. If the code has too many negative characteristics, it will be quarantined.
Signature detection compares hashes of known malware to software on a system. Sandbox is not a detection method. Sandboxing is a technique that lets the malware run in an isolated environment so that it can be analyzed. Reputation detection is similar to signature detection. Firewalls often have dynamic blacklists that block IP addresses known to be malicious, commonly called reputation detection.
149.
Which disaster recovery test shuts down operations at the main site and moves them to the recovery site?
- Full-interruption
- Parallel
- Simulation
- Structured walk-through
Correct answer: Full-interruption
Full-interruption tests are similar to parallel tests except they involve the actual shutdown of operations at the main site and moving to the recovery site. These tests are extremely costly and risky due to the complete shutdown of operations at the main site.
A structured walk-through is when the disaster recovery team gathers in a conference room and does a role-play of a disaster. A simulation test is when the disaster recovery team is presented with a disaster scenario and is asked to come up with a response, and then that response is tested. A parallel test is when the disaster recovery team relocates personnel to the recovery site and implements site activation procedures, but the primary site is left fully operational.
150.
What do the letters in POP3 stand for?
- Post Office Protocol, version 3
- Post Operation Protocol three
- Protocol Three for Operating Parameters
- None of these
Correct answer: Post Office Protocol, version 3
Post Office Protocol Version 3 (POP3) is an email transmission protocol. It allows client email software to access an email server and download the mail to the local computer.
POP3 is different from the alternative Internet Message Access Protocol (IMAP) because it is designed to delete the email from the server after it is retrieved, whereas IMAP stores email on the server. POP3 should not be confused with Simple Mail Transfer Protocol (SMTP), which is used to send email. POP3 is strictly meant for storing and receiving emails.
151.
Malachi works for a retail organization as their lead information security professional. He has been working with their legal department as they review how the organization has been handling data across the life cycle. What document BEST describes the process of keeping, maintaining, and destroying an organization's data throughout the information's life?
- Record retention policy
- E-Discovery Order
- Data classification
- Chain of custody procedures
Correct answer: Record retention policy
Record retention policies define how data should be maintained within the organization. It includes what type of data to keep, the length of retention, how to maintain the data, and how to destroy the information when it is no longer needed. Careful work should be put into ensuring the policy is a match for business needs. Having legal counsel in the process is a good idea as there are laws and regulations that have a retention requirement or a deletion requirement.
An E-Discovery Order is a court order to maintain and not delete information relevant to a case. Data classification is the process of marking or categorizing an organization's data. The chain of custody refers to the chronological documentation or paper trail that records the handling, custody, control, transfer, and disposition of physical or digital evidence. It is a critical concept in various fields, including law enforcement, forensic science, legal proceedings, and information security.
152.
Which of the following is LEAST LIKELY to be considered when choosing a spot to place a wireless antenna when setting up the wireless network?
- Avoid windows
- Find a central location
- Avoid solid barriers
- Avoid reflective materials
Correct answer: Avoid windows
When picking a spot to place an antenna, windows should not have any bearing on the decision, since they do not significantly affect signal strength. Windows could be a potential security concern though as someone can be in the parking lot capturing that signal and listening to the transmission. The question though does not point to this kind of security concern, and the other three answers can cause the network to not even work from the beginning.
A central location is important to ensure that the signal covers the greatest area possible. Solid barriers reduce the strength of signals and reflective materials can cause signals to change direction and can also reduce signal strength.
153.
Which technical form of assessing risk deals with the more elusive theoretical evaluations?
- Qualitative risk analysis
- Quantitative risk analysis
- Theoretical mathematical review
- Objective risk analysis
Correct answer: Qualitative risk analysis
Qualitative risk analysis does exactly as it sounds: it takes in the qualities, or theories of value and risk, to evaluate risk. It is a subjective form of risk analysis. There are two main approaches to performing a risk assessment: quantitative and qualitative.
Quantitative risk analysis takes a calculated value of an asset and the projected percentage of loss of that asset to calculate the projected loss if an incident were to occur. It then calculates the projected annual loss by factoring in the number of incidents expected within a single year. Theoretical mathematical review and objective risk analysis are not real risk management terms.
154.
Two-way communication, where only one component can transmit at a time, is referred to as which of the following?
- Half-duplex
- Simplex
- Full-duplex
- Singular-plex
Correct answer: Half-duplex
Half-duplex both sends and receives, but only one or the other can be done at a time. They must take turns. An example of a half-duplex device is a walkie-talkie. Each device can send and receive communication, but only one device can transmit at a time.
Simplex is incorrect because it is a one-way communication path established with a transmitter at one end of the connection and a receiver at the other end. Full-duplex is incorrect because it can transmit and then receive signals at the same time. Singular-plex is a fabricated term.
155.
When discussing the Open Systems Interconnection (OSI) model, what do you call the addition of a header or footer to data?
- Encapsulation
- Embedded networking
- Checksum
- Network transformation
Correct answer: Encapsulation
Protocols based on the Open Systems Interconnection (OSI) model employ a mechanism called encapsulation, which adds a header or footer to data. As the message is encapsulated at each layer, the previous layer's header and payload combine to become the current layer's payload.
A checksum is similar to a cryptographic hash. It appears on many frames created by lower-layer networking protocols and is used to validate the integrity of the frame after it traverses the network. Embedded networking and network transformation are not terms used in relation to networking protocols.
156.
Mr. Kennard is setting up the Public Key Infrastructure (PKI) for the corporation he works for. They have a policy that requires emails to be signed at all times. He is assessing the cryptographic algorithms that he can use for this. Which of the following is an asymmetric algorithm that uses public and private keys?
- Rivest, Shamir, & Adleman (RSA)
- Advanced Encryption Standard (AES)
- Diffie-Hellman (DH)
- Blowfish
Correct answer: Rivest, Shamir, & Adleman (RSA)
Rivest, Shamir, & Adleman (RSA) is an asymmetric algorithm that uses public and private keys. RSA is often used to distribute symmetric encryption keys because asymmetric encryption is computationally expensive and can’t be used to efficiently encrypt large amounts of data. When using asymmetric algorithms like RSA, if a message is encrypted using the private key, it can only be decrypted using the public key; this rule also applies in reverse. If a message is encrypted with the public key, it can only be decrypted using the private key.
Diffie-Hellman (DH) is an asymmetric algorithm. Mr. Diffie and Mr. Hellman wrote a paper in 1976 that theorized public and private keys. However, the algorithm they came up with does not work that way. It is an algorithm for the purpose of exchanging a symmetric key only. They were unsuccessful in finding the math to use public and private keys. RSA did that in 1977. AES and Blowfish are both symmetric algorithms that are used to protect the confidentiality of data, voice, or video.
157.
Which disaster recovery site provides the most rapid recovery capability, but also requires the most effort to maintain its readiness?
- Hot site
- Cold site
- Warm site
- Reciprocal site
Correct answer: Hot site
A hot site provides the most rapid recovery capability because it is complemented by the full resources required for instant function and connectivity of IT systems. A hot site is only missing people and some data.
A cold site is incorrect because a cold site is an empty computer room with environmental facilities such as heating, ventilation, and air conditioning, but no computing equipment. A warm site is incorrect because a warm site is basically a cold site with computers and communication links already in place, ready to be loaded with operating systems and data. Reciprocal site is incorrect because, in a reciprocal agreement, two organizations pledge the availability of their data centers to each other in the event of a disaster, but it could take a while to get to that site and get working. This is not faster than a hot site because the other company's site would not have any of the data, and it can take a while for the other company to grant entry and release access to some of the systems.
158.
What security process is used to identify and understand potential threats and mitigations regarding an asset?
- Threat modeling
- Threat hunting
- Penetration testing
- Control testing
Correct answer: Threat modeling
Threat modeling is the security process wherein potential threats and mitigations to assets are identified and analyzed. It can be used for software, hardware, business processes, Internet of Things (IoT), and more.
Threat hunting refers to a technique used in security operations in which production environments are actively scrutinized by an experienced analyst for threats and indications of compromise. Penetration testing attempts to discover and exploit potential vulnerabilities. Penetration testing does not analyze mitigations for the threats it discovers; after the penetration test has been performed and the report submitted, the company can then look for mitigations. Control testing is performed to evaluate controls for sufficiency. It can be used to test the quality of a control before it is sold to the public using something like Common Criteria (ISO 15408), or it can be used to test the control within a business.
159.
A data center requires multi-factor authentication upon entering the server rooms. Employees are required to use both a PIN number and a second form of authentication to gain access. Which would be the BEST option for a second form of authentication to meet these goals?
- Biometrics
- Physical tokens
- Passwords
- Key cards with RFID
Correct answer: Biometrics
Biometrics is another way to authenticate an individual's identity. This is usually accomplished with facial recognition, palm vein analysis, thumbprint analysis, or even gait analysis. These are forms of authentication that are least prone to replication or use without the proper person being present.
Physical tokens, key cards, and passwords are prone to being stolen and used without the owner's consent. Biometrics is an example of something you are, physical tokens and key cards are something you have, and passwords are something you know.
160.
Of the following, which humidity percentage is best for computer operations?
- 50%
- 80%
- 30%
- 20%
Correct answer: 50%
According to the American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE), the humidity range considered most favorable for computer operations is 35–55%. Since 50% is within that range, it is considered acceptable.
Although there are varying standards, ASHRAE's range fits within ISC2's wider range of 20–80% and is more accurate and specific for optimal computer operations.
Too much humidity causes corrosion. Too little humidity causes static electricity buildup that can damage computer parts.