Which of the following secures web transactions at the Transport Layer?
A. Secure HyperText Transfer Protocol (S-HTTP)
B. Secure Sockets Layer (SSL)
C. Socket Security (SOCKS)
D. Secure Shell (SSH)
Secure Sockets Layer (SSL) is the only option that secures web transactions at the transport layer of the OSI model. SSL is a protocol or a standard that provides security and privacy for the data or the messages exchanged between a web browser and a web server, or between any two applications that use the TCP/IP protocol. SSL uses cryptographic techniques, such as encryption, decryption, hashing, and digital signatures, to protect the confidentiality, integrity, and authenticity of the data or the messages. SSL also uses certificates and public key infrastructure (PKI) to establish the identity and the trustworthiness of the parties involved in the web transactions.
References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 4, page 215; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 4, page 182
If an identification process using a biometric system detects a 100% match between a presented template and a stored template, what is the interpretation of this result?
A. User error
B. Suspected tampering
C. Accurate identification
D. Unsuccessful identification
If an identification process using a biometric system detects a 100% match between a presented template and a stored template, the interpretation of this result is suspected tampering. A biometric system uses physical or behavioral characteristics of a person, such as a fingerprint, iris, voice, or face, to verify their identity. It compares the presented template, the biometric data captured from the person at the time of identification, with the stored template, the biometric data enrolled and stored in the system database. A biometric system usually does not produce a 100% match, because there are always some variations or errors in the biometric data due to environmental, physiological, or technical factors; instead it uses a threshold or tolerance level to decide whether a match is acceptable. A 100% match is therefore very unlikely and suspicious, as it may indicate that someone has tampered with the biometric system or the biometric data, such as by copying, modifying, or spoofing the stored template or the presented template.
References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5: Identity and Access Management, p. 267; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 5: Identity and Access Management, p. 647.
When planning a penetration test, the tester will be MOST interested in which information?
A. Places to install back doors
B. The main network access points
C. Job application handouts and tours
D. Exploits that can attack weaknesses
When planning a penetration test, the tester will be most interested in the exploits that can attack the weaknesses of the target system or network. Exploits are the techniques or tools that take advantage of the vulnerabilities to compromise the security or functionality of the system or network. The tester will use the exploits to simulate a real attack and test the effectiveness of the security controls and defenses.
References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 7, page 424; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 7, page 378
Which of the following countermeasures is the MOST effective in defending against a social engineering attack?
A. Mandating security policy acceptance
B. Changing individual behavior
C. Evaluating security awareness training
D. Filtering malicious e-mail content
According to the CISSP CBK Official Study Guide, the most effective countermeasure against a social engineering attack is changing individual behavior. A social engineering attack exploits the human and psychological side of a system or network, such as the trust, curiosity, or greed of users and employees, rather than its technical side (hardware, software, or firmware). It uses techniques such as phishing, baiting, or pretexting to persuade or deceive people into doing or disclosing something that compromises security, such as passwords, usernames, or data. Changing individual behavior is the most effective countermeasure because it addresses the root cause of the attack, the human factor. It means modifying how users and employees act and react through education, training, and awareness, which reduces their susceptibility to social engineering by increasing their knowledge of it and their ability, confidence, and readiness to recognize, resist, and respond to it.
Mandating security policy acceptance is not the most effective countermeasure, although it may be a benefit or a consequence of changing individual behavior.
Which of the following describes the BEST configuration management practice?
A. After installing a new system, the configuration files are copied to a separate back-up system and hashed to detect tampering.
B. After installing a new system, the configuration files are copied to an air-gapped system and hashed to detect tampering.
C. The firewall rules are backed up to an air-gapped system.
D. A baseline configuration is created and maintained for all relevant systems.
The best configuration management practice is to create and maintain a baseline configuration for all relevant systems. A baseline configuration is a documented and approved set of specifications and settings for a system or component that serves as a standard for comparison and evaluation. A baseline configuration helps ensure the consistency, security, and performance of the system or component, and makes it easier to identify and resolve deviations or issues. A baseline configuration should be reviewed and updated regularly to reflect the changes and improvements made to the system or component.
References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 7: Security Operations, p. 456; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 7: Security Operations, p. 869.
What does the Maximum Tolerable Downtime (MTD) determine?
A. The estimated period of time a business critical database can remain down before customers are affected.
B. The fixed length of time a company can endure a disaster without any Disaster Recovery (DR) planning
C. The estimated period of time a business can remain interrupted beyond which it risks never recovering
D. The fixed length of time in a DR process before redundant systems are engaged
According to CISSP For Dummies, the Maximum Tolerable Downtime (MTD) determines the estimated period of time a business can remain interrupted beyond which it risks never recovering. In other words, the MTD is the maximum acceptable duration of a disruption that the organization can tolerate before it suffers unacceptable consequences, such as loss of revenue, reputation, or customers. The MTD is an important input to business continuity planning and disaster recovery planning, as it helps define the recovery objectives and strategies for each business process and function. The MTD is not the same as the estimated period of time a business critical database can remain down before customers are affected, the fixed length of time a company can endure a disaster without any DR planning, or the fixed length of time in a DR process before redundant systems are engaged; these are different concepts that may or may not be related to the MTD.
References: CISSP For Dummies
Drag the following Security Engineering terms on the left to the BEST definition on the right.
The correct matches are:
Comprehensive Explanation: These terms and definitions are based on the glossary of the Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 3: Security Engineering, pp. 293-294.
References: Official (ISC)2 CISSP CBK Reference, Fifth Edition
Which of the following entities is ultimately accountable for data remanence vulnerabilities with data replicated by a cloud service provider?
A. Data owner
B. Data steward
C. Data custodian
D. Data processor
The entity that is ultimately accountable for data remanence vulnerabilities with data replicated by a cloud service provider is the data owner. A data owner is a person or entity that has authority over and responsibility for data within an organization, and that determines the classification, usage, protection, and retention of that data. The data owner must ensure that a third-party provider is capable of processing and handling the data securely and of meeting the standards set by the organization, because the data owner remains accountable and liable for the security and quality of the data regardless of who processes or handles it. The data owner can do this through tasks such as conducting due diligence, establishing service level agreements, defining security requirements, monitoring performance, and auditing compliance. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 2, page 61; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 2, page 67
What is a characteristic of Secure Socket Layer (SSL) and Transport Layer Security (TLS)?
A. SSL and TLS provide a generic channel security mechanism on top of Transmission Control Protocol (TCP).
B. SSL and TLS provide nonrepudiation by default.
C. SSL and TLS do not provide security for most routed protocols.
D. SSL and TLS provide header encapsulation over HyperText Transfer Protocol (HTTP).
SSL and TLS provide a generic channel security mechanism on top of TCP. This means that SSL and TLS are protocols that enable secure communication between two parties over a network, such as the internet, by using encryption, authentication, and integrity mechanisms. SSL and TLS operate at the transport layer of the OSI model, above the TCP protocol, which provides reliable and ordered delivery of data. SSL and TLS can be used to secure various application layer protocols, such as HTTP, SMTP, FTP, and so on. SSL and TLS do not provide nonrepudiation by default, as this is a service that requires digital signatures and certificates to prove the origin and content of a message. SSL and TLS do provide security for most routed protocols, as they can encrypt and authenticate any data that is transmitted over TCP. SSL and TLS do not provide header encapsulation over HTTP, as this is a function of the HTTPS protocol, which is a combination of HTTP and SSL/TLS.
What is the PRIMARY difference between security policies and security procedures?
A. Policies are used to enforce violations, and procedures create penalties
B. Policies point to guidelines, and procedures are more contractual in nature
C. Policies are included in awareness training, and procedures give guidance
D. Policies are generic in nature, and procedures contain operational details
The primary difference between security policies and security procedures is that policies are generic in nature, and procedures contain operational details. Security policies are the high-level statements or rules that define the goals, objectives, and requirements of security for an organization. Security procedures are the low-level steps or actions that specify how to implement, enforce, and comply with the security policies.
References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, page 17; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1, page 13
In the Software Development Life Cycle (SDLC), maintaining accurate hardware and software inventories is a critical part of
A. systems integration.
B. risk management.
C. quality assurance.
D. change management.
According to the CISSP CBK Official Study Guide, the Software Development Life Cycle (SDLC) activity that requires maintaining accurate hardware and software inventories is change management. The SDLC is a structured process used to design, develop, and test good-quality software. It consists of several phases that cover the entire life cycle of the software, from the initial concept to deployment and maintenance, and aims to deliver high-quality, maintainable software that meets the user's requirements within the project's budget and schedule. Change management is the process of controlling the changes made to the software or system during the SDLC through policies, procedures, and tools. It protects the security, integrity, quality, and performance of the system by preventing or minimizing the risks and impacts of changes, such as errors, defects, or vulnerabilities. Maintaining accurate hardware and software inventories is a critical part of change management because the inventory is the reliable, consistent basis for identifying and tracking the hardware and software components of the system and the changes made to them during the SDLC, including each component's name, description, version, status, and value.
Accurate inventories also support the monitoring, evaluation, and improvement of those components, for example through reporting, auditing, or optimization. Systems integration is not the SDLC activity that requires maintaining inventories, although it may be a benefit or a consequence of change management. Systems integration is the process of combining the hardware and software components of a system through interfaces, protocols, and standards; it ensures the functionality, interoperability, compatibility, and consistency of the components by verifying that they work together and with other systems or networks as the user or client expects. Change management may provide the framework for performing systems integration, by controlling the changes made to the components and by maintaining accurate inventories.
However, maintaining inventories is not the main objective of systems integration, which is to combine and integrate the components. Risk management is not the SDLC activity that requires maintaining inventories either, although it may be a benefit or a consequence of change management. Risk management is the process of identifying, analyzing, evaluating, and treating the risks and uncertainties that may affect the system, using policies, procedures, and tools. It protects the security, integrity, quality, and performance of the system by preventing or minimizing the impact of threats, attacks, or incidents. Change management may provide the framework for performing risk management, by controlling changes and by maintaining accurate inventories, but maintaining inventories is not the main objective of risk management, which is to identify, analyze, evaluate, and treat risks.
Quality assurance is not the SDLC activity that requires maintaining inventories, although it may be a benefit or a consequence of change management. Quality assurance is the process of ensuring and verifying the quality and performance of the system against standards, criteria, and metrics; it prevents or detects errors, defects, and vulnerabilities through testing, validation, and verification. Change management may provide the framework for performing quality assurance, by controlling changes and by maintaining accurate inventories, but maintaining inventories is not the main objective of quality assurance, which is to ensure and verify quality and performance.
The 802.1x standard provides a framework for what?
A. Network authentication for only wireless networks
B. Network authentication for wired and wireless networks
C. Wireless encryption using the Advanced Encryption Standard (AES)
D. Wireless network encryption using Secure Sockets Layer (SSL)
The 802.1x standard provides a framework for network authentication for wired and wireless networks. The 802.1x standard defines the Extensible Authentication Protocol (EAP), which is a protocol that enables the exchange of authentication information between a supplicant (a device that wants to access the network), an authenticator (a device that controls the access to the network), and an authentication server (a device that verifies the identity and credentials of the supplicant). The 802.1x standard supports various authentication methods, such as passwords, certificates, tokens, or biometrics. The other options are not correct descriptions of the 802.1x standard. Option A is a description of network authentication for only wireless networks, which is not the scope of the 802.1x standard, as it also applies to wired networks. Option C is a description of wireless encryption using the Advanced Encryption Standard (AES), which is not a function of the 802.1x standard, but rather a function of the Wi-Fi Protected Access 2 (WPA2) standard. Option D is a description of wireless network encryption using Secure Sockets Layer (SSL), which is not a function of the 802.1x standard, but rather a function of the Transport Layer Security (TLS) protocol. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 6, p. 310; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 4, p. 233.
Which of the following analyses is performed to protect information assets?
A. Business impact analysis
B. Feasibility analysis
C. Cost benefit analysis
D. Data analysis
The analysis that is performed to protect information assets is the cost benefit analysis, which is a method of comparing the costs and benefits of different security solutions or alternatives. The cost benefit analysis helps to justify the investment in security controls and measures by evaluating the trade-offs between the security costs and the security benefits. The security costs include the direct and indirect expenses of acquiring, implementing, operating, and maintaining the security controls and measures. The security benefits include the reduction of risks, losses, and liabilities, as well as the enhancement of productivity, performance, and reputation. The other options are not the analysis that is performed to protect information assets, but rather different types of analyses. A business impact analysis is a method of identifying and quantifying the potential impacts of disruptive events on the organization’s critical business functions and processes. A feasibility analysis is a method of assessing the technical, operational, and economic viability of a proposed project or solution. A data analysis is a method of processing, transforming, and modeling data to extract useful information and insights. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, p. 28; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1, p. 21; CISSP practice exam questions and answers, Question 10.
Which Web Services Security (WS-Security) specification handles the management of security tokens and the underlying policies for granting access? Click on the correct specification in the image below.
WS-Authorization
Which of the following controls is the FIRST step in protecting privacy in an information system?
A. Data Redaction
B. Data Minimization
C. Data Encryption
D. Data Storage
The first step in protecting privacy in an information system is data minimization. Data minimization is the principle and practice of collecting and processing only the minimum amount and type of data that is necessary and relevant for the intended purpose, and retaining the data only for the required duration. Data minimization reduces the risk and impact of data breaches, as well as the cost and complexity of data protection.
References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 2, page 83; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 2, page 79
TESTED 31 Jan 2025
Copyright © 2014-2025 CertsBoard. All Rights Reserved