A user sends an e-mail request asking for read-only access to files that are not considered sensitive. A Discretionary Access Control (DAC) methodology is in place. Which is the MOST suitable approach that the administrator should take?
Administrator should request data owner approval to the user access
Administrator should request manager approval for the user access
Administrator should directly grant the access to the non-sensitive files
Administrator should assess the user access need and either grant or deny the access
According to the CISSP Official (ISC)2 Practice Tests, the most suitable approach that the administrator should take when a user requests read-only access to files that are not considered sensitive under a Discretionary Access Control (DAC) methodology is to request data owner approval for the user access. DAC is a type of access control that grants or denies access to an object based on the identity and permissions of the subject and the discretion of the owner of the object. The owner of the object has the authority and responsibility to determine who can access the object and what level of access they can have, such as read, write, execute, or delete. The owner can also delegate the access rights to other subjects or groups, or revoke them as needed. The administrator manages and maintains the system and the access control mechanisms, but does not have the authority to grant or deny access to the objects without the owner’s consent. Therefore, the administrator should request data owner approval for the user access, regardless of the sensitivity of the files, to ensure that the access is authorized and compliant with the DAC methodology. Requesting manager approval for the user access is not the most suitable approach, as the manager may not be the owner of the files, and may not have the authority or knowledge to grant or deny access to them. Directly granting access to the non-sensitive files is not the most suitable approach, as it may violate the DAC methodology and the owner’s discretion, and may introduce unauthorized or excessive access to the files. Assessing the user’s access need and either granting or denying the access is likewise not the most suitable approach, for the same reason: it bypasses the owner’s discretion and may introduce unauthorized or excessive access to the files.
Which one of the following activities would present a significant security risk to organizations when employing a Virtual Private Network (VPN) solution?
VPN bandwidth
Simultaneous connection to other networks
Users with Internet Protocol (IP) addressing conflicts
Remote users with administrative rights
According to CISSP For Dummies, the activity that would present a significant security risk to organizations when employing a VPN solution is simultaneous connection to other networks. A VPN is a technology that creates a secure and encrypted tunnel over a public or untrusted network, such as the internet, to connect remote users or sites to the organization’s private network, such as the intranet. A VPN provides security and privacy for the data and communication transmitted over the tunnel, as well as access to the network resources and services available on the private network. However, a VPN also introduces security risks and challenges, such as configuration errors, authentication issues, malware infections, or data leakage. One of these risks is simultaneous connection to other networks, which occurs when a VPN user is connected to the organization’s private network and to another network at the same time, such as a home network, a public Wi-Fi network, or a malicious network. This creates a potential vulnerability or backdoor for attackers to access or compromise the organization’s private network by exploiting the weaker security or lower trust of the other network. Therefore, the organization should implement and enforce policies and controls that prevent or restrict simultaneous connection to other networks when using a VPN solution. VPN bandwidth is not an activity that would present a significant security risk to organizations when employing a VPN solution, although it may affect the performance and availability of the VPN solution. VPN bandwidth is the amount of data that can be transmitted or received over the VPN tunnel per unit of time, which depends on the speed and capacity of the network connection, the encryption and compression methods, the traffic load, and the network congestion.
VPN bandwidth may limit the quality and efficiency of the data and communication transmitted over the VPN tunnel, but it does not directly pose a significant security risk to the organization’s private network. Users with IP addressing conflicts are not an activity that would present a significant security risk to organizations when employing a VPN solution, although such conflicts may cause errors and disruptions in the VPN solution. IP addressing conflicts occur when two or more devices or hosts on the same network have the same IP address, which is the unique identifier assigned to each device or host so that it can communicate over the network.
Retaining system logs for six months or longer can be valuable for what activities?
Disaster recovery and business continuity
Forensics and incident response
Identity and authorization management
Physical and logical access control
Retaining system logs for six months or longer can be valuable for forensics and incident response activities. System logs are records of events that occur on a system, such as user actions, system errors, security alerts, network traffic, etc. System logs can provide useful evidence and information for investigating and analyzing security incidents, such as the source, scope, impact, and timeline of the incident, as well as the potential vulnerabilities, threats, and attackers involved. System logs can also help with incident recovery and remediation, as well as with improving security controls and policies. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 7: Security Operations, p. 437; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 7: Security Operations, p. 849.
Knowing the language in which an encrypted message was originally produced might help a cryptanalyst to perform a
clear-text attack.
known cipher attack.
frequency analysis.
stochastic assessment.
Frequency analysis is a technique of cryptanalysis that exploits the statistical patterns of letters or symbols in an encrypted message. Frequency analysis assumes that the frequency distribution of the plaintext is preserved in the ciphertext, and that the frequency distribution of the plaintext is known or can be estimated. Knowing the language in which an encrypted message was originally produced might help a cryptanalyst to perform frequency analysis, as different languages have different letter frequencies, digraphs, and word lengths. For example, in English, the letter “e” is the most common, while in French, it is the letter “a”. By comparing the frequency distribution of the ciphertext with the expected frequency distribution of the plaintext language, a cryptanalyst can make educated guesses about the encryption key or algorithm.
Regarding asset security and appropriate retention, which of the following INITIAL top three areas are important to focus on?
Security control baselines, access controls, employee awareness and training
Human resources, asset management, production management
Supply chain lead-time, inventory control, and encryption
Polygraphs, crime statistics, forensics
Regarding asset security and appropriate retention, the initial top three areas that are important to focus on are security control baselines, access controls, employee awareness and training. Asset security and appropriate retention are the processes of identifying, classifying, protecting, and disposing of the assets of an organization, such as data, systems, devices, or facilities. Asset security and appropriate retention can help prevent or reduce the loss, theft, damage, or misuse of the assets, as well as comply with the legal and regulatory requirements. The initial top three areas that can help achieve asset security and appropriate retention are:
References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 2: Asset Security, pp. 61-62; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 2: Asset Security, pp. 163-164.
What type of wireless network attack BEST describes an Electromagnetic Pulse (EMP) attack?
Radio Frequency (RF) attack
Denial of Service (DoS) attack
Data modification attack
Application-layer attack
A Denial of Service (DoS) attack is a type of wireless network attack that aims to prevent legitimate users from accessing or using a wireless network or service. An Electromagnetic Pulse (EMP) attack is a specific form of DoS attack that involves generating a powerful burst of electromagnetic energy that can damage or disrupt electronic devices and systems, including wireless networks. An EMP attack can cause permanent or temporary loss of wireless network availability, functionality, or performance. A Radio Frequency (RF) attack is a type of wireless network attack that involves interfering with or jamming the radio signals used by wireless devices and networks, but it does not necessarily involve an EMP. A data modification attack is a type of wireless network attack that involves altering or tampering with the data transmitted or received over a wireless network, but it does not necessarily cause a DoS. An application-layer attack is a type of wireless network attack that targets the applications or services running on a wireless network, such as web servers or email servers, but it does not necessarily involve an EMP.
What is the GREATEST challenge to identifying data leaks?
Available technical tools that enable user activity monitoring.
Documented asset classification policy and clear labeling of assets.
Senior management cooperation in investigating suspicious behavior.
Law enforcement participation to apprehend and interrogate suspects.
The greatest challenge to identifying data leaks is having a documented asset classification policy and clear labeling of assets. Data leaks are the unauthorized or accidental disclosure or exposure of sensitive or confidential data, such as personal information, trade secrets, or intellectual property. Data leaks can cause serious damage or harm to the data owner, such as reputation loss, legal liability, or competitive disadvantage. A documented asset classification policy and clear labeling of assets means that the organization has defined and implemented the rules and guidelines for categorizing and marking the data according to its sensitivity, value, or criticality. Having such a policy and labeling can help to identify data leaks by enabling the detection, tracking, and reporting of data movements, access, or usage, and by alerting the data owner, custodian, or user to any unauthorized or abnormal data activities or incidents. The other options are not the greatest challenges, but rather benefits or enablers of identifying data leaks. Available technical tools that enable user activity monitoring are not the greatest challenge, but rather a benefit, as they provide the means or mechanisms for collecting, analyzing, and auditing the data actions or behaviors of users or devices. Senior management cooperation in investigating suspicious behavior is not the greatest challenge, but rather an enabler, as it provides the support or authority for conducting the data leak investigation and taking the appropriate actions or measures.
Law enforcement participation to apprehend and interrogate suspects is not the greatest challenge, but rather an enabler, as it provides assistance or collaboration in pursuing and prosecuting the data leak perpetrators or offenders. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, p. 29; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 5, p. 287.
Which of the following is a reason to use manual patch installation instead of automated patch management?
The cost required to install patches will be reduced.
The time during which systems will remain vulnerable to an exploit will be decreased.
The likelihood of system or application incompatibilities will be decreased.
The ability to cover large geographic areas is increased.
Manual patch installation allows for thorough testing before deployment to ensure that the patch does not introduce new vulnerabilities or incompatibilities. Automated patch management can sometimes lead to unexpected issues if patches are not fully compatible with all systems and applications. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 7: Security Operations, p. 452; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 7: Security Operations, p. 863.
Which of the following BEST describes a chosen plaintext attack?
The cryptanalyst can generate ciphertext from arbitrary text.
The cryptanalyst examines the communication being sent back and forth.
The cryptanalyst can choose the key and algorithm to mount the attack.
The cryptanalyst is presented with the ciphertext from which the original message is determined.
According to the CISSP CBK Official Study Guide, a chosen plaintext attack is a type of cryptanalysis that allows the cryptanalyst to generate ciphertext from arbitrary text. Cryptanalysis is the process of breaking or analyzing a cryptographic system or algorithm, by finding the plaintext, the key, or the algorithm from the ciphertext, or by exploiting the weaknesses or vulnerabilities of the system or algorithm. A chosen plaintext attack is a scenario where the cryptanalyst has access to the encryption function or device, and can choose any plaintext and obtain the corresponding ciphertext. A chosen plaintext attack can help the cryptanalyst to deduce the key or the algorithm, or to create a codebook or a dictionary that maps the plaintext to the ciphertext. The cryptanalyst does not examine the communication being sent back and forth, as this would be a ciphertext-only attack, where the cryptanalyst only has access to the ciphertext, and tries to infer the plaintext, the key, or the algorithm from statistical or linguistic analysis of the ciphertext. The cryptanalyst does not choose the key and algorithm to mount the attack, as this would be a known plaintext attack, where the cryptanalyst has access to some pairs of plaintext and ciphertext that are encrypted with the same key and algorithm, and tries to find the key or the algorithm from the correlation or pattern between the plaintext and the ciphertext. The cryptanalyst is not presented with the ciphertext from which the original message is determined, as this would be a decryption problem, where the cryptanalyst has access to the ciphertext and the key or the algorithm, and tries to recover the plaintext from the ciphertext.
A health care provider is considering Internet access for their employees and patients. Which of the following is the organization's MOST secure solution for protection of data?
Public Key Infrastructure (PKI) and digital signatures
Trusted server certificates and passphrases
User ID and password
Asymmetric encryption and User ID
Public Key Infrastructure (PKI) is a system that provides the services and mechanisms for creating, managing, distributing, using, storing, and revoking digital certificates and public keys. Digital signatures are a type of electronic signature that use public key cryptography to verify the authenticity and integrity of a message or document. A health care provider that is considering Internet access for their employees and patients should use PKI and digital signatures as the most secure solution for protection of data, because they provide confidentiality, integrity, authentication, non-repudiation, and accountability for the data exchanged over the Internet. The other options are not as secure as PKI and digital signatures, because they do not provide all the security services or they rely on weaker forms of encryption or authentication. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 4, page 211; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 4, page 178
Which component of the Security Content Automation Protocol (SCAP) specification contains the data required to estimate the severity of vulnerabilities identified by automated vulnerability assessments?
Common Vulnerabilities and Exposures (CVE)
Common Vulnerability Scoring System (CVSS)
Asset Reporting Format (ARF)
Open Vulnerability and Assessment Language (OVAL)
The component of the Security Content Automation Protocol (SCAP) specification that contains the data required to estimate the severity of vulnerabilities identified by automated vulnerability assessments is the Common Vulnerability Scoring System (CVSS). CVSS is a framework that provides a standardized and objective way to measure and communicate the characteristics and impacts of vulnerabilities. CVSS consists of three metric groups: base, temporal, and environmental. The base metric group captures the intrinsic and fundamental properties of a vulnerability that are constant over time and across user environments. The temporal metric group captures the characteristics of a vulnerability that change over time, such as the availability and effectiveness of exploits, patches, and workarounds. The environmental metric group captures the characteristics of a vulnerability that are relevant and unique to a user’s environment, such as the configuration and importance of the affected system. Each metric group has a set of metrics that are assigned values based on the vulnerability’s attributes. The values are then combined using a formula to produce a numerical score that ranges from 0 to 10, where 0 means no impact and 10 means critical impact. The score can also be translated into a qualitative rating that ranges from none to low, medium, high, and critical. CVSS provides a consistent and comprehensive way to estimate the severity of vulnerabilities and prioritize their remediation.
The other options are not components of the SCAP specification that contain the data required to estimate the severity of vulnerabilities identified by automated vulnerability assessments, but rather components that serve other purposes. Common Vulnerabilities and Exposures (CVE) is a component that provides a standardized and unique identifier and description for each publicly known vulnerability. CVE facilitates the sharing and comparison of vulnerability information across different sources and tools. Asset Reporting Format (ARF) is a component that provides a standardized and extensible format for expressing the information about the assets and their characteristics, such as configuration, vulnerabilities, and compliance. ARF enables the aggregation and correlation of asset information from different sources and tools. Open Vulnerability and Assessment Language (OVAL) is a component that provides a standardized and expressive language for defining and testing the state of a system for the presence of vulnerabilities, configuration issues, patches, and other aspects. OVAL enables the automation and interoperability of vulnerability assessment and management.
Which technique can be used to make an encryption scheme more resistant to a known plaintext attack?
Hashing the data before encryption
Hashing the data after encryption
Compressing the data after encryption
Compressing the data before encryption
Compressing the data before encryption is a technique that can be used to make an encryption scheme more resistant to a known plaintext attack. A known plaintext attack is a type of cryptanalysis where the attacker has access to some pairs of plaintext and ciphertext encrypted with the same key, and tries to recover the key or decrypt other ciphertexts. A known plaintext attack can exploit the statistical properties or patterns of the plaintext or the ciphertext to reduce the search space or guess the key. Compressing the data before encryption can reduce the redundancy and increase the entropy of the plaintext, making it harder for the attacker to find any correlations or similarities between the plaintext and the ciphertext. Compressing the data before encryption can also reduce the size of the plaintext, making it more difficult for the attacker to obtain enough plaintext-ciphertext pairs for a successful attack.
The other options are not techniques that can be used to make an encryption scheme more resistant to a known plaintext attack, but rather techniques that can introduce other security issues or inefficiencies. Hashing the data before encryption is not a useful technique, as hashing is a one-way function that cannot be reversed, and the encrypted hash cannot be decrypted to recover the original data. Hashing the data after encryption is also not a useful technique, as hashing does not add any security to the encryption, and the hash can be easily computed by anyone who has access to the ciphertext. Compressing the data after encryption is not a recommended technique, as compression algorithms usually work better on uncompressed data, and compressing the ciphertext can introduce errors or vulnerabilities that can compromise the encryption.
Who in the organization is accountable for classification of data information assets?
Data owner
Data architect
Chief Information Security Officer (CISO)
Chief Information Officer (CIO)
The person in the organization who is accountable for the classification of data information assets is the data owner. The data owner is the person or entity that has the authority and responsibility for the creation, collection, processing, and disposal of a set of data. The data owner is also responsible for defining the purpose, value, and classification of the data, as well as the security requirements and controls for the data. The data owner should be able to determine the impact of the data on the mission of the organization, which means assessing the potential consequences of losing, compromising, or disclosing the data. The impact of the data on the mission of the organization is one of the main criteria for data classification, which helps to establish the appropriate level of protection and handling for the data. The data owner should also ensure that the data is properly labeled, stored, accessed, shared, and destroyed according to the data classification policy and procedures.
The other options are not the persons in the organization who are accountable for the classification of data information assets, but rather persons who have other roles or functions related to data management. The data architect is the person or entity that designs and models the structure, format, and relationships of the data, as well as the data standards, specifications, and lifecycle. The data architect supports the data owner by providing technical guidance and expertise on the data architecture and quality. The Chief Information Security Officer (CISO) is the person or entity that oversees the security strategy, policies, and programs of the organization, as well as the security performance and incidents. The CISO supports the data owner by providing security leadership and governance, as well as ensuring the compliance and alignment of the data security with the organizational objectives and regulations. The Chief Information Officer (CIO) is the person or entity that manages the information technology (IT) resources and services of the organization, as well as the IT strategy and innovation. The CIO supports the data owner by providing IT management and direction, as well as ensuring the availability, reliability, and scalability of the IT infrastructure and applications.
What is the second phase of Public Key Infrastructure (PKI) key/certificate life-cycle management?
Implementation Phase
Initialization Phase
Cancellation Phase
Issued Phase
The second phase of Public Key Infrastructure (PKI) key/certificate life-cycle management is the initialization phase. PKI is a system that uses public key cryptography and digital certificates to provide authentication, confidentiality, integrity, and non-repudiation for electronic transactions. PKI key/certificate life-cycle management is the process of managing the creation, distribution, usage, storage, revocation, and expiration of keys and certificates in a PKI system. The key/certificate life-cycle management consists of six phases: pre-certification, initialization, certification, operational, suspension, and termination. The initialization phase is the second phase, where the key pair and the certificate request are generated by the end entity or the registration authority (RA). The initialization phase involves the following steps:
The other options are not the second phase of PKI key/certificate life-cycle management, but rather other phases. The implementation phase is not a phase of PKI key/certificate life-cycle management, but rather a phase of PKI system deployment, where the PKI components and policies are installed and configured. The cancellation phase is not a phase of PKI key/certificate life-cycle management, but rather a possible outcome of the termination phase, where the key pair and the certificate are permanently revoked and deleted. The issued phase is not a phase of PKI key/certificate life-cycle management, but rather a possible outcome of the certification phase, where the CA verifies and approves the certificate request and issues the certificate to the end entity or the RA.
Which of the following mobile code security models relies only on trust?
Code signing
Class authentication
Sandboxing
Type safety
Code signing is the mobile code security model that relies only on trust. Mobile code is a type of software that can be transferred from one system to another and executed without installation or compilation. Mobile code can be used for various purposes, such as web applications, applets, scripts, macros, etc. Mobile code can also pose various security risks, such as malicious code, unauthorized access, data leakage, etc. Mobile code security models are the techniques that are used to protect the systems and users from the threats of mobile code. Code signing is a mobile code security model that relies only on trust, which means that the security of the mobile code depends on the reputation and credibility of the code provider. Code signing works as follows:
Code signing relies only on trust because it does not enforce any security restrictions or controls on the mobile code, but rather leaves the decision to the code consumer. Code signing also does not guarantee the quality or functionality of the mobile code, but rather the authenticity and integrity of the code provider. Code signing can be effective if the code consumer knows and trusts the code provider, and if the code provider follows the security standards and best practices. However, code signing can also be ineffective if the code consumer is unaware or careless of the code provider, or if the code provider is compromised or malicious.
The other options are not mobile code security models that rely only on trust, but rather on other techniques that limit or isolate the mobile code. Class authentication is a mobile code security model that verifies the permissions and capabilities of the mobile code based on its class or type, and allows or denies the execution of the mobile code accordingly. Sandboxing is a mobile code security model that executes the mobile code in a separate and restricted environment, and prevents the mobile code from accessing or affecting the system resources or data. Type safety is a mobile code security model that checks the validity and consistency of the mobile code, and prevents the mobile code from performing illegal or unsafe operations.
TESTED 31 Jan 2026
Copyright © 2014-2026 CertsBoard. All Rights Reserved