CISSP Practice Questions — FREE 10 Questions and Answers

1
CISSP Practice Questions FREE 10 Questions and
Answers
CISSP, or Certified Information Systems Security
Professional, is one of the worlds most valuable
and sought-after information security
certifications. The CISSP certification exam is
difficult. As a result, passing it requires
in-depth knowledge and a solid understanding of
the fundamental concepts of information
security. Not only that, but you must devote 40
to 70 hours of study time to exam preparation,
pay the CISSP certification fee, and fully
understand the CISSP study material in order to
pass the exam. And CISSP Practice Questions will
be
2
one of the most useful study materials you will
come across during your CISSP certification journe
y. The more you practice, the more likely you are
to pass the CISSP exam on your first try.
Why Should You Go Through the CISSP Practice
Exam? Once youve decided to embark on your CISSP
certification journey, make sure you succeed.
Practicing the CISSP practice exam multiple times
is one of the proven 7 steps in the CISSP Study
Guide to fully prepare for the CISSP
certification exam. Taking the CISSP practice
exam allows you to identify your weaknesses and
strengths. You will be able to determine which
domain of the CISSP content you need to focus on
more with the help of the CISSP practice exam.
If you are not scoring more than 70 on your
CISSP practice exams, we strongly advise you
to enroll in and complete a comprehensive CISSP
certification training programme. Please keep in
mind that before embarking on your CISSP journey,
we recommend that you check the CISSP
certification requirements to see if you meet
them.
You can view our 30-minute free CISSP training
demo.
3
The 10 CISSP Practice Questions The CISSP
practice exam in this post covers the key
concepts in each of the eight domains covered in
the CISSP certification exam. The CISSP Practice
Questions include answers as well as rationales
to help you better understand the subject.
These 10 sample CISSP questions will help you
become acquainted with the CISSP
Practice Questions. These will also help you to
reinforce your learning and prepare for the real
CISSP exam, which is coming up soon.
Lets Begin the CISSP Practice Exam!
Let us walk you through our CISSP practise exam
sample below. After youve finished with this,
you can use our free CISSP exam simulator to get
more CISSP practise exam questions. So, go ahead
and put your knowledge of the CISSP exam content
to the test right now.
CISSP Practice Questions and Answers 1 The
State Machine Model security model requires
that a system be protected in all of its states
(startup, function, and shutdown) or else it is
insecure. This requirement necessitates
4
responding to security events in order to prevent
further compromises. What security concept is
this response method an example of?
1.
Open Design

1. Closed Design
2. Trusted Recovery
3. Least Privilege

Answer C
Trusted Recovery is required for high-security
systems and allows a system to safely
terminate its processes. If a system crashes, it
must restart in a secure mode that prevents any
further compromise of system policy. According
to the principle of open design, the security of
a mechanism should not be dependent on the
secrecy of its design or implementation. The
open-closed principle in object-oriented
programming states that software entities
(classes, modules, functions, etc.) should be
open for extension but closed for modification,
which means that such an entity can allow its
behaviour to be extended without modifying its
source code. The least privilege is the concept
and practice of restricting access rights for
users, accounts, and computing processes to only
those resources absolutely required to perform
routine, legitimate activities.
5
CISSP Sample Questions and Answers 2 The
Heartbleed virus recently compromised OpenSSL
because versions of OpenSSL were vulnerable to
memory content read attempts, which ultimately
led to the exposure of protected information
including services provider private keys. Many
practitioners believe that open design is better
than closed design. What one consideration is
usually necessary to allow an open design to
provide greater security?
1.
Peer Review

1. Security through obscurity
2. The complexity of design
3. Trusted hierarchy

Answer A
Because open design allows for feedback from
others in the community, it is often thought
to be superior to closed design. The idea is that
if others have access to the code, they will
examine and review it, eventually improving it.
Unfortunately, this was not the case with
OpenSSL. If the code is not reviewed, it is
effectively closed source. Furthermore, the
quality of the code, rather than whether it is
open or closed, ultimately determines security.
Security through obscurity is the inverse of
peer review and open design, and it is also known
as design complexity. The hierarchical trust
model is like an upside-down tree structure, the
6
root is the starting point of trust. All nodes of
the model have to trust the root CA and keep a
root CAs public-key certificate.
CISSP Practice Test Questions and Answers 3 When
using private keys a security concern is that a
users private key may become lost. In order to
mitigate this risk, a practitioner may select a
key recovery agent that is able to backup and
recover his keys. Granting a single individual
the ability to recover users private keys
increases nonrepudiation risk because another
party has key access. Which principle choice
could be implemented to mitigate this risk?
1.
Segregation of duties

1. Principle of least privilege
2. Dual control
3. Need to know

Answer C
Dual Control is a security principle that
necessitates the presence of multiple parties for
a task that may have serious security
implications. In this case, at least two network
administrators should be present before a
private key can be recovered. M of N control is a
subset of dual
7
control. M and N are variables, but to recover a
key, this control requires M out of a total of
N administrators to be present. The concept of
segregation of duties refers to the requirement
of more than one person to complete a sensitive
task. The principle of least privilege (PoLP)
refers to an information security concept in
which a user is given the minimum levels of
access or permissions needed to perform his job
functions. The need-to-know principle is that
access to secured data must be necessary for the
conduct of the users job functions
CISSP Practice Questions and Answers 4 At what
BCP development phase must Senior Management
provide its commitment to support, fund, and
assist the BCPs creation?
1.
Project Initiation

1. Planning
2. Implementation
3. Development

Answer A
Traditionally, the phase of project initiation is
when senior management pledges its support for
the project. Management frequently provides a
project charter during this phase, which is
8
a formal written document in which the project is
officially authorised, a project manager
is selected and named, and management commits to
support. For the BCP to be successful,
management must provide BCP support throughout
the development process, including review and
feedback as well as resources.
CISSP Questions and Answers 5 What is the most
proactive (and minimum effort) way to mitigate
the risk of an attacker gaining network access
and using a protocol analyzer to capture and view
(sniff) unencrypted traffic?

• Implement a policy that forbids the use of packet
  analyzers/sniffers. Monitor the
• network frequently.
• Scan the network periodically to determine if
  unauthorized devices are connected. If those
  devices are

detected, disconnect them immediately, and
provide management a report on the violation

• Provide security such as disabling ports and mac
  filtering on the enterprise switches to
• prevent an unauthorized device from connecting to
  the network. Implement software restriction
  policies to prevent unauthorized software from
  being installed on systems.
• Install anti-spyware software on all systems on
  the network.

9
Answer C
To significantly reduce network risks, we must
implement security that restricts external device
connectivity to our network. Furthermore, we are
concerned about monitoring software being
installed on our hosts, so we want to restrict
its ability to be installed. Furthermore, we
want to ensure that other basic security
requirements are met, such as the use of strong
passwords, system lockout policies, physical
security, and so on.
Remember that proactive devices PREVENT an attack
rather than responding to it. Network scans often
detect these devices, but they rarely prevent
them. Policies describe high-level enterprise
intentions which can then be implemented.
CISSP Practice Questions and Answers
6 Confidentiality can be breached via social
engineering attacks. Though training is helpful
in reducing the number of these attacks, it does
not eliminate the risk. Which of the following
choices would be an administrative policy that is
most likely to help mitigate this risk?
1.
Formal onboarding Policies

1. Job Rotation
2. Formal Off-boarding Policies

10
4. Segregation of Duties
Answer D
The term segregation of duties refers to the
practise of limiting the amount of information
to which any one person has access. For example,
a user is unlikely to leak the password for a
file server because that information is only
available to those whose jobs require access to
it. Duty segregation is frequently associated
with need-to-know and the principle of least
privilege. Formal onboarding would raise user
awareness but would not be a preventative
measure. Job rotation would reduce the
possibility of a user committing fraud, but not
the possibility of social engineering. Formal
offboarding would have no effect on the risk of
social engineering.
CISSP Sample Questions and Answers 7 Specific
system components determine that systems
security. The trust in the system is a
reflection of the trust in these components.
These components are collectively referred to as
the of the system.
1.
Ring 1 elements

1. Trusted Computing Base
2. Operating System Kernel

11
4. Firmware
Answer B
The TCB (Trusted Computer Base) describes the
system elements that enforce security policies
and are used to determine a systems security
capabilities. The Orange Book coined this
phrase. Ring 1 elements are a mathematical
concept. The kernel is a computer programme that
runs at the heart of an operating system and has
complete control over everything in the system.
It is the portion of the operating system code
that is always resident in memory that allows
hardware and software components to interact.
(This is also referred to as the Trusted
Computer System evaluation criteria.)
The TCB contains components such as the system
BIOS, CPU, Memory, and the OS kernel.
In computing, firmwarea is a type of computer
software that provides low-level control over the
hardware of a device. Firmware can either
provide a standardised operating environment for
more complex device software (allowing greater
hardware independence) or act as the devices
complete operating system, performing all
control, monitoring, and data manipulation
functions.
Learn more in our CISSP Online Training.
12
CISSP Practice Exam Questions and Answers
8 Whenever a subject attempts to access an
object, that access must be authorized. During
this access, the set of conceptual requirements
must be verified by the part of the operating
system kernel that deals with security. The
conceptual ruleset is known as the , while the
enforcement mechanism is referred to as the
1.
Access Control List, Security Enforcer

1. Security Enforcer, Access Control List
2. Reference Monitor, Security Kernel
3. Security Kernel, Reference Monitor

Answer C
The Reference Monitor and the Security Kernel are
two of the main elements that control access when
a subject attempts to access an object. The
Reference Monitor is the conceptual rule set
that defines access, whereas the Security Kernel
is the hardware, software, or firmware that
enforces the rules. A table that tells a computer
operating system what access rights each user
has to a specific system object, such as a file
directory or individual file, is known as an
access control list (ACL). The term security
enforcer is made up.
13
CISSP Sample Questions and Answers 9 A
fundamental security principle is that security
controls must be aligned with business
objectives. Based on the impact security has upon
an organizations success, why is the concept of
business alignment important?
1. There is always a tradeoff for security, so an
organization has to weigh the cost vs. benefits
of the
security measures.
1. Security is cheap and easily implemented
compared to the potential for loss.
Security should be
implemented everywhere possible.
1.
Security is so important that every organization
must implement as much as possible.
2. Security is too costly to implement in small
organizations.
Answer A
14
There is always a cost to security. Sometimes the
cost is monetary in nature. Security often has a
negative impact on performance, backward
compatibility, and ease of use. An organisation
must consider its primary needs while considering
the overall objectives of the business.
Sensitive military information requires far
greater security than a small home/office
environment containing information of little to
no value to an attacker. The level of security
implemented should be commensurate with business
needs at a reasonable cost, and it should be
tailored to each enterprises specific
requirements.
CISSP Practice Exam Questions and Answers 10 A
systems minimum security baseline references a
systems least acceptable security configuration
for a specific environment. Prior to determining
the MSB, the system must be categorized based on
its datas Confidentiality, Integrity, and
Availability needs. When evaluating a system
where the potential impact of unauthorized
disclosure is high, the impact of an integrity
breach is medium, and the impact of the data
being temporarily unavailable is low, what is
the overall categorization of the system?
1.
High

1. Medium
2. Low
3. Medium-high

15
Answer A
The potential impact values assigned to the
respective security objectives (confidentiality, i
ntegrity, availability) for an information system
must be the highest values from among those
security categories determined for each type of
information resident in the information system.
The system is classified as High because that
is the highest category.