CISSP Exam Dumps - ISC 2 Credentials Questions and Answers

The term commonly used to refer to a technique of authenticating one machine to another by forging packets from a trusted source is spoofing. Spoofing is a type of attack that involves impersonating or masquerading as a legitimate entity, such as a user, a device, or a network, by altering or falsifying the source or destination address of a packet3. Spoofing can be used to bypass authentication, gain unauthorized access, or launch other attacks, such as denial-of-service or man-in-the-middle. Man-in-the-middle, smurfing, and session redirect are not terms that refer to a technique of authenticating one machine to another by forging packets from a trusted source, as they are related to different types of attacks or techniques. Man-in-the-middle is an attack that involves intercepting and modifying the communication between two parties. Smurfing is an attack that involves sending a large number of ICMP echo requests to a network broadcast address, using a spoofed source address of the intended victim. Session redirect is a technique that involves changing the destination address of a packet to redirect it to a different location. References: 3: Official (ISC)2 CISSP CBK Reference, 5th Edition, Chapter 4, page 199. : CISSP All-in-One Exam Guide, Eighth Edition, Chapter 7, page 423.

The most important consideration when storing and processing PII is to adhere to the collection limitation laws and regulations that apply to the jurisdiction and context of the data processing. Collection limitation is a principle that states that PII should be collected only for a specific, legitimate, and lawful purpose, and only to the extent that is necessary for that purpose1. By following this principle, the data processor can minimize the amount of PII that is stored and processed, and reduce the risk of data breaches, misuse, or unauthorized access. Encrypting and hashing all PII, storing PII for no more than one year, and avoiding storing PII in a cloud service provider are also good practices for protecting PII, but they are not as important as adhering to the collection limitation laws and regulations. References: 1: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5, page 290.

When building a data center, site location and construction factors that increase the level of vulnerability to physical threats include proximity to high crime areas of the city. This factor increases the risk of theft, vandalism, sabotage, or other malicious acts that could damage or disrupt the data center operations. The other options are factors that decrease the level of vulnerability to physical threats, as they provide protection or deterrence against natural or human-made hazards. Hardened building construction with consideration of seismic factors (A) reduces the impact of earthquakes or other natural disasters. Adequate distance from and lack of access to adjacent buildings (B) prevents unauthorized entry or fire spread from neighboring structures. Curved roads approaching the data center © slow down the speed of vehicles and make it harder for attackers to ram or bomb the data center. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 10, page 637; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 10, page 699.

The main reason that system re-certification and re-accreditation are needed is to verify that the security protection of the system remains acceptable to the organizational security policy, especially after significant changes or updates to the system. Re-certification is the process of reviewing and testing the security controls of the system to ensure that they are still effective and compliant with the security policy. Re-accreditation is the process of authorizing the system to operate based on the results of the re-certification. The other options are not the main reason for system re-certification and re-accreditation, as they either do not relate to the security protection of the system (A and D), or do not involve re-certification and re-accreditation (B). References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 10, page 633; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 10, page 695.

 Data validation is a method used to prevent Structured Query Language (SQL) injection attacks, which are a type of web application attack that exploit the input fields of a web form to inject malicious SQL commands into the underlying database. Data validation involves checking the input data for any illegal or unexpected characters, such as quotes, semicolons, or keywords, and rejecting or sanitizing them before passing them to the database34. References: 3: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 6, page 6604: CISSP For Dummies, 7th Edition, Chapter 6, page 199.

The Encapsulating Security Payload (ESP) provides integrity and confidentiality for network communications. ESP is a protocol that is part of the IPsec suite, which is a set of protocols and standards that provide security for Internet Protocol (IP) communications. ESP encrypts the payload of an IP packet, which is the data portion of the packet, to provide confidentiality. ESP also adds a trailer and an authentication data field to the packet, to provide integrity. ESP does not provide authorization or availability for network communications. Authorization is the process of granting or denying access to resources based on the identity or role of the requester. Availability is the property of ensuring that resources are accessible and usable by authorized parties when needed. ESP does not perform authorization or availability functions, but it may support or complement them. 

A heterogeneous end-point network is a network that consists of different types of devices, such as computers, tablets, smartphones, printers, etc., that connect to the network and communicate with each other. Each device, or host, may have different operating systems, applications, configurations, and security requirements. When implementing controls in a heterogeneous end-point network, it is critical that common software security components be implemented across all hosts. Common software security components are software programs or features that provide security functions, such as antivirus, firewall, encryption, authentication, etc. Implementing common software security components across all hosts ensures that the hosts have a consistent and minimum level of security protection, and that the hosts can interoperate securely with each other and with the network. Implementing common software security components across all hosts does not mean that the hosts have to be identical or have the same security settings. The hosts can still have different hardware, software, and security configurations, as long as they meet the security requirements and standards of the organization and the network. Implementing common software security components across all hosts is not the same as ensuring that hosts are able to establish network communications, allowing users to make modifications to their security software configurations, or making firewalls running on each host fully customizable by the user. These are other aspects of security management that may or may not be relevant or desirable for a heterogeneous end-point network, depending on the organization’s policies and objectives.

A system’s criticality classification is important in large organizations because it provides for proper prioritization and scheduling of security and maintenance tasks. A system’s criticality classification is the level of importance or impact that a system has on the organization’s mission, objectives, operations, or functions. A system’s criticality classification may depend on factors such as the system’s availability, integrity, confidentiality, functionality, performance, or reliability. A system’s criticality classification helps the organization to allocate resources, implement controls, perform audits, apply patches, conduct backups, and respond to incidents according to the system’s priority and risk. A system’s criticality classification does not necessarily reduce critical system support workload or the time required to apply patches, as these may depend on other factors such as the system’s complexity, configuration, or vulnerability. A system’s criticality classification may allow for clear systems status communications to executive management, but this is not the primary reason for its importance. A system’s criticality classification may provide for easier determination of ownership, but this is not the main benefit of its importance. 

A privileged identity lifecycle management is a process of managing the access rights and activities of users who have elevated permissions to access sensitive data or resources in an organization2. An essential element of a privileged identity lifecycle management is to regularly perform account re-validation and approval, which means verifying that the privileged users still need their access rights and have them approved by the appropriate authority. This can help prevent unauthorized or excessive access, reduce the risk of insider threats, and ensure compliance with policies and regulations. Account provisioning based on multi-factor authentication, frequently review performed activities and request justification, and account information to be provided by supervisor or line manager are also important aspects of a privileged identity lifecycle management, but they are not as essential as account re-validation and approval. References: 2: Official (ISC)2 CISSP CBK Reference, 5th Edition, Chapter 5, page 283.

The most relevant reading material for researching an organization’s legal obligations to protect privacy-related information is the privacy-related regulations enforced by governing bodies applicable to the organization. These regulations define the legal requirements, standards, and penalties for collecting, processing, storing, and disclosing personal or sensitive information of individuals or entities. The organization must comply with these regulations to avoid legal liabilities, fines, or sanctions. The other options are not as relevant as privacy-related regulations, as they either do not reflect the legal obligations of the organization (A and C), or do not apply to all types of privacy-related information (D). References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, page 22; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1, page 31.

The primary device that should be used to define the physical perimeter of an organization if the organization’s perimeter must cost-efficiently deter casual trespassers is fences six to seven feet high with a painted gate. Physical perimeter is the boundary that separates the internal and external areas of an organization, where physical security devices, such as fences, gates, locks, or cameras, are used to control and monitor the access and movement of people, vehicles, or objects. Physical perimeter is an important part of the physical security, which is the protection of the physical assets and resources of an organization from unauthorized or malicious access, damage, or theft. Physical perimeter can be defined by using different types of devices, depending on the level of security, cost, and aesthetics required by the organization. Fences are one of the most common and effective devices for defining the physical perimeter, as they can provide the following benefits:

• They can deter or prevent the unauthorized or unwanted entry or exit of people, vehicles, or objects, by creating a physical barrier or obstacle.
• They can delay or slow down the authorized or wanted entry or exit of people, vehicles, or objects, by requiring the use of a gate, lock, or key.
• They can detect or alert the unauthorized or unwanted entry or exit of people, vehicles, or objects, by using sensors, alarms, or cameras.
• They can display or communicate the boundary or ownership of the organization, by using signs, symbols, or colors. Fences six to seven feet high with a painted gate can be a cost-efficient and effective device for defining the physical perimeter of an organization that wants to deter casual trespassers, which are the people who enter or exit the organization’s premises without permission or authorization, but without any malicious or criminal intent. Fences six to seven feet high can provide enough height to prevent most people from climbing over or jumping over the fence, while also allowing enough visibility to see what is happening on the other side of the fence. Fences with a painted gate can provide a clear and attractive indication of the entrance or exit point of the organization, as well as the identity or image of the organization. Fences six to seven feet high with a painted gate can also be relatively easy and inexpensive to install and maintain, compared to other types of devices, such as walls, barbed wires, or electric fences. References: CISSP All-in-One Exam Guide, Chapter 9: Physical Security Requirements, Section: Physical Security Perimeter, pp. 1096-1097.

The best approach to anonymizing personally identifiable information (PII) in a test environment is randomizing data. Randomizing data is a technique that replaces the original PII with fictitious but realistic data that preserves the format, structure, and statistical properties of the original data. Randomizing data can effectively protect the privacy and confidentiality of the individuals whose PII is used in the test environment, while maintaining the functionality and quality of the test results. The other options are not as effective as randomizing data, as they either do not change the original PII, do not preserve the data quality, or do not prevent unauthorized access or disclosure. References: CISSP - Certified Information Systems Security Professional, Domain 1. Security and Risk Management, 1.5 Understand and apply security governance principles, 1.5.2 Align security function to strategy, goals, mission, and objectives, 1.5.2.1 Data anonymization; CISSP Exam Outline, Domain 1. Security and Risk Management, 1.5 Understand and apply security governance principles, 1.5.2 Align security function to strategy, goals, mission, and objectives, 1.5.2.1 Data anonymization

The thing that should exist in order to perform a security audit is an industry framework to audit against. A security audit is a systematic and independent examination of the security policies, procedures, controls, and practices of an organization, system, or network, to verify their compliance, effectiveness, and efficiency. A security audit requires an industry framework to audit against, which is a set of standards, guidelines, or best practices that define the security requirements, objectives, and criteria for the audit. An industry framework to audit against can help to establish the scope, methodology, and expectations of the security audit, as well as to measure and report the performance, gaps, and recommendations of the security audit. An industry framework to audit against can also help to ensure the consistency, reliability, and validity of the security audit, as well as to facilitate the comparison, benchmarking, and improvement of the security audit. Some examples of industry frameworks to audit against are ISO/IEC 27001, NIST SP 800-53, COBIT, or CIS Controls. An external (third-party) auditor, an internal certified auditor, and the neutrality of the auditor are not things that should exist in order to perform a security audit. These are some of the factors or attributes that may affect the quality, credibility, and independence of the security audit, but they are not prerequisites or conditions for the security audit. A security audit can be performed by an external or internal auditor, depending on the purpose, scope, and resources of the audit. A security audit can be performed by a certified or non-certified auditor, depending on the qualifications, skills, and experience of the auditor. A security audit should be performed by a neutral or unbiased auditor, to avoid any conflict of interest, influence, or pressure from the auditee or other parties. References: Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 1, Security and Risk Management, page 28. CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, Security Governance Through Principles and Policies, page 29.

The most important rule for digital investigations is to ensure that the original data is never modified. Digital investigations are the processes of collecting, preserving, analyzing, and presenting digital evidence from various sources, such as computers, mobile devices, networks, or cloud services. Digital evidence is any data that can support or refute a hypothesis or claim related to a criminal or civil case. Digital evidence is often fragile, volatile, and easily altered or destroyed, either intentionally or unintentionally. Therefore, it is crucial to ensure that the original data is never modified during the digital investigation, to maintain its integrity and authenticity, and to avoid compromising its validity and admissibility in court. To ensure that the original data is never modified, the following steps should be followed:

• Use write blockers or read-only mode to prevent any changes to the data source.
• Make a bit-by-bit copy or image of the data source and verify its accuracy using hashing or checksum techniques.
• Store the original data source and the copy or image in a secure and tamper-evident location or container.
• Perform the analysis and examination on the copy or image, not on the original data source.
• Document and justify any changes or modifications made to the copy or image during the analysis and examination. References: CISSP All-in-One Exam Guide, Chapter 10: Legal, Regulations, Investigations, and Compliance, Section: Forensics, pp. 1326-1327.

The Content-Security-Policy (CSP) HTTP response header allows web server administrators to control the sources and types of content that can be loaded and executed by web browsers. By specifying a CSP policy, the web server can prevent the execution of inline JavaScript and the execution of eval()-type functions, which are often used by attackers to inject malicious code into web pages. This can help mitigate cross-site scripting (XSS) attacks, which are a common web application security threat. The other options are not relevant to this question. Strict-Transport-Security is a header that enforces the use of HTTPS connections. X-XSS-Protection is a header that enables the browser’s built-in XSS filter. X-Frame-Options is a header that prevents the web page from being loaded in a frame or iframe, which can help prevent clickjacking attacks. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 8: Security Operations, page 1019. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 4: Security Architecture and Engineering, page 1020.