Free ISC CISSP Exam 2024 Practice Materials Collection
NEW QUESTION # 801
Access to which of the following is required to validate web session management?
- A. Session state variables
- B. Live session traffic
- C. Test scripts
- D. Log timestamp
Answer: B
NEW QUESTION # 802
According to the Orange Book, which security level is the first to require a system to protect against covert timing channels?
- A. B3
- B. B1
- C. A1
- D. B2
Answer: A
Explanation:
The TCSEC defines two kinds of covert channels:
- Storage channels: communicate by modifying a "storage location".
- Timing channels: perform operations that affect the "real response time observed" by the receiver.
The TCSEC, also known as the Orange Book, requires analysis of covert storage channels for a system to be classified at class B2, and analysis of covert timing channels is a requirement for class B3.
Incorrect Answers:
C: Level A1 requires a system to protect against covert timing channels. However, the lower level B3 also requires it.
D: Level B2 does not require a system to protect against covert timing channels.
B: Level B1 does not require a system to protect against covert timing channels.
References:
https://en.wikipedia.org/wiki/Covert_channel
NEW QUESTION # 803
Which of the following is the marriage of object-oriented and relational technologies combining the attributes of both?
- A. object-linking database
- B. object-management database
- C. object-relational database
- D. object-oriented database
Answer: C
Explanation:
An object-relational database is described as the marriage of object-oriented and relational technologies, combining the attributes of both.
An object-relational database (ORD) or object-relational database management system (ORDBMS) is a relational database with a software front end that is written in an object-oriented programming language. A relational database just holds data in static two-dimensional tables. When the data are accessed, some type of processing needs to be carried out on it; otherwise, there is really no reason to obtain the data. If we have a front end that provides the procedures (methods) that can be carried out on the data, then each and every application that accesses this database does not need to have the necessary procedures. This means that each and every application does not need to contain the procedures necessary to gain what it really wants from this database.
Incorrect Answers:
D: An object-oriented database is a database designed to handle a variety of data types (images, audio, documents, video). This is not what is described in the question.
A: An object-linking database is not a valid database type.
B: An object-management database is not a valid database type.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 1175
NEW QUESTION # 804
Which access model is most appropriate for companies with a high employee turnover?
- A. Discretionary access control
- B. Mandatory access control
- C. Lattice-based access control
- D. Role-based access control
Answer: D
Explanation:
The underlying problem for a company with a lot of turnover is assuring that new employees are assigned the correct access permissions and that those permissions are removed when they leave the company.
Selecting the best answer requires one to think about the access control options in the context of a company with a lot of flux in the employee population. RBAC simplifies the task of assigning permissions because the permissions are assigned to roles, which do not change based on who belongs to them. As employees join the company, it is simply a matter of assigning them to the appropriate roles, and their permissions derive from their assigned role. They implicitly inherit the permissions of the role or roles they have been assigned to. When they leave the company or change jobs, their role assignment is revoked or changed appropriately.
Mandatory access control is incorrect. While controlling access based on the clearance level of employees and the sensitivity of objects is a better choice than some of the other incorrect answers, it is not the best choice when RBAC is an option and you are looking for the best solution for a high number of employees constantly leaving or joining the company.
Lattice-based access control is incorrect. The lattice is really a mathematical concept that is used in formally modeling information flow (Bell-LaPadula, Biba, etc.). In the context of the question, an abstract model of information flow is not an appropriate choice. CBK, pp. 324-325.
Discretionary access control is incorrect. When an employee joins or leaves the company, the object owner must grant or revoke access for that employee on all the objects they own. Problems would also arise when the owner of an object leaves the company. The complexity of assuring that the permissions are added and removed correctly makes this the least desirable solution in this situation.
References:
All in One, third edition, page 165
RBAC is discussed on pp. 189 through 191 of the ISC(2) guide.
NEW QUESTION # 805
In order to enable users to perform tasks and duties without having to go through extra steps it is important that the security controls and mechanisms that are in place have a degree of?
- A. Non-transparency
- B. Transparency
- C. Simplicity
- D. Complexity
Answer: B
Explanation:
The security controls and mechanisms that are in place must have a degree of transparency.
This enables the user to perform tasks and duties without having to go through extra steps because of the presence of the security controls. Transparency also does not let the user know too much about the controls, which helps prevent him from figuring out how to circumvent them. If the controls are too obvious, an attacker can figure out how to compromise them more easily.
Security (more specifically, the implementation of most security controls) has long been a sore point with users who are subject to security controls. Historically, security controls have been very intrusive to users, forcing them to interrupt their work flow and remember arcane codes or processes (like long passwords or access codes), and have generally been seen as an obstacle to getting work done. In recent years, much work has been done to remove that stigma of security controls as a detractor from the work process adding nothing but time and money. When developing access control, the system must be as transparent as possible to the end user. The users should be required to interact with the system as little as possible, and the process around using the control should be engineered so as to involve little effort on the part of the user.
For example, requiring a user to swipe an access card through a reader is an effective way to ensure a person is authorized to enter a room. However, implementing a technology (such as RFID) that will automatically scan the badge as the user approaches the door is more transparent to the user and will do less to impede the movement of personnel in a busy area.
In another example, asking a user to understand what applications and data sets will be required when requesting a system ID and then specifically requesting access to those resources may allow for a great deal of granularity when provisioning access, but it can hardly be seen as transparent. A more transparent process would be for the access provisioning system to have a role-based structure, where the user would simply specify the role he or she has in the organization and the system would know the specific resources that user needs to access based on that role. This requires less work and interaction on the part of the user and will lead to more accurate and secure access control decisions because access will be based on predefined need, not user preference.
When developing and implementing an access control system special care should be taken to ensure that the control is as transparent to the end user as possible and interrupts his work flow as little as possible.
The following answers were incorrect:
All of the other distractors were incorrect.
Reference(s) used for this question:
HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 6th edition. Operations Security, Page 1239-1240
Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 25278-25281). McGraw-Hill. Kindle Edition.
Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition: Access Control ((ISC)2 Press) (Kindle Locations 713-729). Auerbach Publications. Kindle Edition.
NEW QUESTION # 806
It is estimated that the Asia/Pacific region accounts for about $4 billion worth of loss of income to software publishers due to software piracy. As with the Internet, cross-jurisdictional law enforcement issues make investigating and prosecuting such crime difficult. Which of the following items is NOT an issue in stopping overseas software piracy?
- A. Lack of a central, nongovernmental organization to address the issue of software piracy.
- B. The producers of the illegal copies of software are dealing in larger and larger quantities, resulting in faster deliveries of illicit software.
- C. Obtaining the cooperation of foreign law enforcement agencies and foreign governments.
- D. The quality of the illegal copies of the software is improving, making it more difficult for purchasers to differentiate between legal and illegal products.
Answer: A
Explanation:
The Business Software Alliance (BSA) is a nongovernmental anti-software-piracy organization (www.bsa.org). The mission statement of the BSA is:
"The Business Software Alliance is an international organization representing leading software and e-commerce developers in 65 countries around the world. Established in 1988, BSA has offices in the United States, Europe, and Asia. . . . Our efforts include educating computer users about software copyrights; advocating public policy that fosters innovation and expands trade opportunities; and fighting software piracy."
NEW QUESTION # 807
Which access control model achieves data integrity through well-formed transactions and separation of duties?
- A. Biba model
- B. Non-interference model
- C. Sutherland model
- D. Clark-Wilson model
Answer: D
Explanation:
The Clark-Wilson model differs from other models that are subject- and object-oriented by introducing a third access element, programs, resulting in what is called an access triple, which prevents unauthorized users from modifying data or programs. The Biba model uses objects and subjects and addresses integrity based on a hierarchical lattice of integrity levels. The non-interference model is related to the information flow model with restrictions on the information flow. The Sutherland model approaches integrity by focusing on the problem of inference.
Source: ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 2: Access Control Systems and Methodology (page 12).
And: KRAUSE, Micki & TIPTON, Harold F., Handbook of Information Security Management, CRC Press, 1997, Domain 1: Access Control.
NEW QUESTION # 808
Which element of Configuration Management listed below involves the use of Configuration Items (CIs)?
- A. Configuration Accounting
- B. Configuration Identification
- C. Configuration Control
- D. Configuration Audit
Answer: B
Explanation:
Configuration management entails decomposing the verification system into identifiable, understandable, manageable, trackable units known as Configuration Items (CIs). A CI is a uniquely identifiable subset of the system that represents the smallest portion to be subject to independent configuration control procedures. The decomposition process of a verification system into CIs is called configuration identification. CIs can vary widely in size, type, and complexity. Although there are no hard-and-fast rules for decomposition, the granularity of CIs can have great practical importance. A favorable strategy is to designate relatively large CIs for elements that are not expected to change over the life of the system, and small CIs for elements likely to change more frequently.
Answer "Configuration Accounting": configuration accounting documents the status of configuration control activities and in general provides the information needed to manage a configuration effectively. It allows managers to trace system changes and establish the history of any developmental problems and associated fixes.
Answer "Configuration Audit": configuration audit is the quality assurance component of configuration management. It involves periodic checks to determine the consistency and completeness of accounting information and to verify that all configuration management policies are being followed.
Answer "Configuration Control": configuration control is a means of assuring that system changes are approved before being implemented, only the proposed and approved changes are implemented, and the implementation is complete and accurate.
Source: NCSC-TG-014-89, Guidelines for Formal Verification Systems.
NEW QUESTION # 809
Which of the following is most relevant to determining the maximum effective cost of access control?
- A. the value of information that is protected.
- B. budget planning related to base versus incremental spending.
- C. the cost to replace lost data.
- D. management's perceptions regarding data importance.
Answer: A
Explanation:
The cost of access control must be commensurate with the value of the information that is being protected.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 49
NEW QUESTION # 810
Sensitive customer data is going to be added to a database. What is the MOST effective implementation for ensuring data privacy?
- A. Mandatory Access Control (MAC) procedures
- B. Discretionary Access Control (DAC) procedures
- C. Data link encryption
- D. Segregation of duties
Answer: A
NEW QUESTION # 811
Which of the following statements pertaining to block ciphers is NOT true?
- A. Plain text is encrypted with a public key and decrypted with a private key.
- B. It operates on fixed-size blocks of plaintext.
- C. Some Block ciphers can operate internally as a stream.
- D. It is more suitable for software than hardware implementations.
Answer: A
Explanation:
It is not true that plain text is encrypted with a public key and decrypted with a private key with a block cipher. Block ciphers use symmetric keys.
In cryptography, a block cipher is a deterministic algorithm operating on fixed-length groups of bits, called blocks, with an unvarying transformation that is specified by a symmetric key. Block ciphers are important elementary components in the design of many cryptographic protocols, and are widely used to implement encryption of bulk data.
Stream ciphers represent a different approach to symmetric encryption from block ciphers. Block ciphers operate on large blocks of digits with a fixed, unvarying transformation. This distinction is not always clear-cut: in some modes of operation, a block cipher primitive is used in such a way that it acts effectively as a stream cipher.
Incorrect Answers:
B: It is true that a block cipher operates on fixed-size blocks of plaintext.
D: Stream ciphers require a lot of randomness and encrypt individual bits at a time. This requires more processing power than block ciphers require, which is why stream ciphers are better suited to be implemented at the hardware level. Because block ciphers do not require as much processing power, they can be easily implemented at the software level.
C: It is true that some block ciphers can operate internally as a stream.
References:
https://en.wikipedia.org/wiki/Block_cipher
https://en.wikipedia.org/wiki/Stream_cipher
NEW QUESTION # 812
Which of the following activities would not be included in the contingency planning process phase?
- A. Prioritization of applications
- B. Development of test procedures
- C. Assessment of threat impact on the organization
- D. Development of recovery scenarios
Answer: B
Explanation:
When an incident strikes, more is required than simply knowing how to restore data from backups. Also necessary are the detailed procedures that outline the activities to keep the critical systems available and ensure that operations and processing are not interrupted. Contingency management defines what should take place during and after an incident. Actions that are required to take place for emergency response, continuity of operations, and dealing with major outages must be documented and readily available to the operations staff.
Development of test procedures is not part of contingency planning. This has nothing to do with recovering from an incident.
Incorrect Answers:
A: Prioritization of applications is used to determine which applications are most important to the company and should be recovered first. This should be part of your contingency planning.
C: Assessment of threat impact on the organization should be part of the contingency plan to determine what effect an incident would have. This should be part of your contingency planning.
D: Development of recovery scenarios is the most obvious part of a contingency plan. You need to plan how to recover from an incident. This should be part of your contingency planning.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 1276
NEW QUESTION # 813
Which of the following needs to be taken into account when assessing vulnerability?
- A. Risk identification and validation
- B. Risk acceptance criteria
- C. Threat mapping
- D. Safeguard selection
Answer: A
Explanation:
Reference: https://books.google.com.pk/books?id=9gCn86CmsNQC pg=PA478&lpg=PA478& dq=CISSP+taken+into+account+when+assessing+vulnerability &ots=riGvVpNN7I& sig=ACfU3U1isazG0OJlZdAAy91LvAW_rbXdAQ ved=2ahUKEwj6p9vg4qnpAhUNxYUKHdODDZ4Q6AEwDHoECBMQAQ#v=onepage& q=CISSP%20taken%20into%20account%20when%20assessing%20vulnerability&f=false
NEW QUESTION # 814
Which of the following is a cryptographic protocol and infrastructure developed to send encrypted credit card numbers over the Internet?
- A. MONDEX
- B. Secure Electronic Transaction (SET)
- C. Secure Hypertext Transfer Protocol (S-HTTP)
- D. Secure Shell (SSH-2)
Answer: B
Explanation:
Secure Electronic Transaction (SET) is a security technology proposed by Visa and MasterCard to allow for more secure credit card transaction possibilities than what is currently available. SET has been waiting in the wings for full implementation and acceptance as a standard for quite some time. Although SET provides an effective way of transmitting credit card information, businesses and users do not see it as efficient because it requires more parties to coordinate their efforts, more software installation and configuration for each entity involved, and more effort and cost than the widely used SSL method.
SET is a cryptographic protocol and infrastructure developed to send encrypted credit card numbers over the Internet. The following entities would be involved with a SET transaction, which would require each of them to upgrade their software, and possibly their hardware:
- Issuer (cardholder's bank): the financial institution that provides a credit card to the individual.
- Cardholder: the individual authorized to use a credit card.
- Merchant: the entity providing goods.
- Acquirer (merchant's bank): the financial institution that processes payment cards.
- Payment gateway: this processes the merchant payment. It may be an acquirer.
Incorrect Answers:
A: MONDEX is a payment system that uses currency stored on smart cards. This is not what is described in the question.
D: Secure Shell (SSH-2) was not developed to send encrypted credit card numbers over the Internet.
C: Secure Hypertext Transfer Protocol (S-HTTP) is an early standard for encrypting HTTP documents. S-HTTP was overtaken by SSL. This is not what is described in the question.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, p. 856
NEW QUESTION # 815
Which choice below is an accurate statement about the difference between monitoring and auditing?
- A. Monitoring is an ongoing activity that examines either the system or the users.
- B. A system audit is an ongoing real-time activity that examines a system.
- C. Monitoring is a one-time event to evaluate security.
- D. A system audit cannot be automated.
Answer: A
Explanation:
System audits and monitoring are the two methods organizations use to maintain operational assurance. Although the terms are used loosely within the computer security community, a system audit is a one-time or periodic event to evaluate security, whereas monitoring refers to an ongoing activity that examines either the system or the users. In general, the more real-time an activity is, the more it falls into the category of monitoring.
Source: NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems.
NEW QUESTION # 816
Theoretically, quantum computing offers the possibility of factoring the products of large prime numbers and calculating discrete logarithms in polynomial time. These calculations can be accomplished in such a compressed time frame because:
- A. A quantum computer exploits the time-space relationship that changes as particles approach the speed of light. At that interface, the resistance of conducting materials effectively is zero and exponential speed computations are possible.
- B. Information can be transformed into quantum light waves that travel through fiber optic channels. Computations can be performed on the associated data by passing the light waves through various types of optical filters and solid-state materials with varying indices of refraction, thus drastically increasing the throughput over conventional computations.
- C. A quantum computer takes advantage of quantum tunneling in molecular scale transistors. This mode permits ultra high-speed switching to take place, thus exponentially increasing the speed of computations.
- D. A quantum bit in a quantum computer is actually a linear superposition of both the one and zero states and, therefore, can theoretically represent both values in parallel. This phenomenon allows computation that usually takes exponential time to be accomplished in polynomial time since different values of the binary pattern of the solution can be calculated simultaneously.
Answer: D
Explanation:
In digital computers, a bit is in either a one or zero state. In a quantum computer, through linear superposition, a quantum bit can be in both states, essentially simultaneously. Thus, computations consisting of trial evaluations of binary patterns can take place simultaneously in exponential time. The probability of obtaining a correct result is increased through a phenomenon called constructive interference of light, while the probability of obtaining an incorrect result is decreased through destructive interference. Option B describes optical computing, which is effective in applying Fourier and other transformations to data to perform high-speed computations. Light representing large volumes of data passing through properly shaped physical objects can be subjected to mathematical transformations and recombined to provide the appropriate results. However, this mode of computation is not defined as quantum computing. Options A and C are diversionary answers that do not describe quantum computing.
NEW QUESTION # 817
The IP header contains a protocol field. If this field contains the value of 1, what type of data is contained within the IP datagram?
- A. IGMP
- B. ICMP
- C. UDP
- D. TCP
Answer: B
Explanation:
ICMP = 1, IGMP = 2, TCP = 6, UDP = 17
Pg. 55 Casad: Sams Teach Yourself TCP/IP in 24 hrs.
NEW QUESTION # 818
Match the access control type to the example of the control type.
Drag each access control type net to its corresponding example.
Answer:
Explanation:
NEW QUESTION # 819
Which of the following BEST describes the purpose of performing security certification?
- A. To formalize the confirmation of compliance to security policies and standards
- B. To verify that system architecture and interconnections with other systems are effectively implemented
- C. To formalize the confirmation of completed risk mitigation and risk analysis
- D. To identify system threats, vulnerabilities, and acceptable level of risk
Answer: A
NEW QUESTION # 820
A small office is running WiFi 4 APs, and neighboring offices do not want to increase the throughput to associated devices. Which of the following is the MOST cost-efficient way for the office to increase network performance?
- A. Upgrade to WiFi 5.
- B. Enable channel bonding.
- C. Disable the 2.4 GHz radios.
- D. Add another AP.
Answer: B
NEW QUESTION # 821