oe f x Master of Project Academy CISSP Practice Exam Questions and Answers #1 “The State Machine Mode” security model mandates that a system must be protected inall ofits states (Startup, Function, and Shutdown), or else the system is not secure This requirement necessitates responding to security events so that no further compromises can be successful This method of response is an example of what security concept? a.Open Design Closed Design Trusted Recovery 4. Least Privilege Answer: Trusted Recovery isnecessary for high-security systems and allows a system to terminate its processesina secure manner. Iasystem crashes it must restart ina secure mode in which no further compromise of system policy can occur. The principle of open design states thatthe security ofa mechanism should not ‘depend on the secrecy ofits design or implementation, In object-oriented programming, the open-closed principle states that “software entities (classes, ‘modules, functions et) should be open for extension, but closed for modification’; thats, such an entity can allow its behavior tobe extended without modiyingits source code. The least privilege the concept and practice of restricting access rightsfor users accounts, ancl computing processes to anly those resources absolutely required to perform routine, legitimate activities. CISSP Sample Questions and Answers #2 ‘The Heartbleed virus recently compromised OpenSSl. because versions of ‘OpenSSL were vulnerable tomemory content read attempts, which ultimately led = — ‘AreYouaPMP?Earné0POUsEasily & Renew Your PMP 60 + PDU BUNDLE E ale - 18 Project Manager Interview Questions Answers -— ‘We've gathered the 18 Projecttothe exposure of protected information including services provider private keys "Many practitioners believe that open designs better than closed design, What one consideration is usually necessary to allow an open design to provide greater security? a. Peer Review be Security through obscurity Thecomplenity of design 4.Trusted hierarchy ‘Answer: A Open designisoften thought tobe better than closed design, as openness allows for review trom others in the community. The idea's that others have access to the code, they wil help examine and review the code, and ultimately improvelt, That wasnot the case unfortunately with OpenSSL. Ifthe code isnot reviewed. i right a5 well bea closed source. Also, ultimately the quality ofthe code dictates the security, much more so than whether itis open or closed. Security through obscurity isthe opposite of peer review and open design and could also be referred toasthe compleity ofthe design. The hierarchical trust model istike an upside down tre structure, the root isthe starting pint of trust. All nodes of the model have to trust the oot CA andkeep a oot CAs public-key certificate, CISSP Practice Test Questions and Answers #3 \When using private keys a security concern isthata user's private key may become lost.Inorder to mitigate this isk, apractitoner may select akey recovery agent thatis able to backup and recover hiskeys, Granting a single individual the ability to recover users private key increases nonrepudiation risk because another party has key access. Which principle choice could be implemented to mitigate tis risk? a Segregation of duties b Principle of least privilege Dual control 4.Need to know ‘Manager Interview Questions that you will be asked most probably in your project manager interview session. Get ready for your job interview session, Don't Risk Your PMP Success - Enrol In PMP Exam Simulator ‘oo taraet (Quiz: What should your salary beifyou work nthe US? ‘Answer the following {questions and we will show you the average project‘management eee salary in the US! Dual Controlisa security principle tat requires multiple parties tobe present fora ts that mipt ove severest npn nse is ly best have atleast two network administrators present before private key can be recovered, A subset of dal cotrlis called MN control Mand Nae variables, but hiscontro requires M out of totalof N administrators tobe present to recover a ey. Segregation of Duties the concept of having morethan one person quired to complete a sensitive task The principle feast privilege PMP Salary ll (PoLP) refers toan information security concept in which auseris given the ine oe Aspects: How much ‘minimum levels of access or permissions needed to perform his job functions. The acess yal eet pipes that access to secured data mute neces forthe setPP? conduct ofthe ser obinctions You know PMP. . . Project CISSP Practice Exam Questions and Answers # 4 ‘Management Acwhat 2P development phase mst Senor Management provides exctccslnal commento ppt fin and asi the BP'sre ston? ‘ery important projet managers, 2. Project inition Rsacos savy Planing projet manager, | ually important Sseseqenmeiseelceenen is the PMP Salary 4. Development hike expected or never a ghatisny nar Project Initiation is traditionally the phase in which senior management pledges Investment. You " aan agement plese can understand issupportfor the projet ten inthis phase management provides project ee charter hich sa foal writen document nwt te projects oficialy Increase, the cost axthorie, project nanager selected ard named and management ales a fnvolved, beneits commitment support Managerents BCP suport mst continue trough the Tangle fom ‘whole development process and include review and feedback as well as resources PMP Certification. forthe BCP tobe succes CE ae Neen PosPMP Eligibility Quiz We have created a ‘i quiz that will evaluate your a mene experience, education level and contact hours euigiliny to ; ietermine CISSP Questions and Answers #5 ‘whether you are theriskot an eligible to sit for PMP certification attacker gaining network access and using a protocol analyzer to capture and view exam, Check (snitt unencrypted tratfe? ‘whether you are eligible to sit for 4 Implement a policy that forbid the use of packet analyzerssnitirs Monitor the PMP Exam, network frequently Scan the network periodically to determine if unauthorized devices are (What s the most proactive (and minimum effort) way to mit connected, I those devices are etected, cisconnect themimmediately, and provide management a report onthe Violation « Provide security such as disabling ports and mac filtering onthe enterprise ‘witches to prevent an unauthorized device from connecting to the network. Inmplement software restriction policies to prevent unauthorized software fron boeing installed on systems .nstall anti-spyware software onall ystems on the network. Answer: C “Tosignficanty mitigate risks onthe network, we have to implement security that fi concerned with monitoring software being installed on our hosts, so we want to its connectivity to our network from external devices Adlitionally, we are limit the ability of such software tobe installed. Further, we want to ensure thatother basic security requirements are satisfied such a using strong passwords, leckout policies on systems, physical security ste Remember: Proactive devices PREVENT an attack 2z opposed to responding tit. Network scans often detect these devices but they rarelyrevent them. Policies describe high-level enterprise intentions which can then be implemented. Installing antispyware isa detective/corrective control. nota roactive/preventative one, CISSP Practice Questions and Answers #6 Confidentiality canbe breached via social engineering attacks. Though trainings helpful reducing the number of these attacks it does not eliminate the risk Which of the following choices would be an administrative policy thats mos ikely tohelp mitigate this risk ‘4 Formal onboarding Policies ‘bob Rotation «Formal Off-boarding Policies Segregation of Duties Answer: D ‘Segregation of Duties is frequently used tlimit the amount of information to ‘which any one individual has access... auser cannot likely leak the password for file server because that informations exclusively availabe for those for whom jobs require access to that information. Segregation of duties frequently goes ‘hand-in-hand with need-to-know and the principle of least privilege. Formal ‘onboarding wouldincrease user awareness but would not necessarily bea preventative control. Jobrotation would limit thersk of auser conducting aud, ‘but not the risk of social engineering Formal oftboarding would not have any efect fon socal engineering risk CISSP Sample Questions and Answers #7 “Specific system components determine that systents security The trstin the ‘systems areflection ofthe trust in these components, These components arecollectively referred toas the ofthe system, Ring 1elements b-Trusted Computing Base ‘© Operating System Kernel Firmware Answer “The TB (rusted Computer Base describes the elements of asystem that enforce the security policy and are used to determine the security capabilities of system. Tis term was coined by the Orange Book Ring 1 elements isa ‘mathematical term. The kernelis a computer program at the core of acomputer's ‘operating system that has complete control over everythingin the system.Itis the “portion of the operating system code thats always resident inmemory’ and c tates interactions between hardware and software components. (Alzoknawn, asthe Trusted Computer System evaluation criteria). ‘Some components includedin the TCB are the system BIOS, the CPU, Memory.and the OS kernel. In computing, firmware[a]is a specific class of computer software ‘hat provides low-level control for a device's specfichardware.Firmwrarecan «ther provide a standardized operating environment for more complex device software allowing more hardware independence or, for less complex devices, act asthe device's complete operating system, performing all contol, monitoring, and ‘data manipulation functions. ‘Learn more nour Free CISSP Training, + Doyouwant to gain the essential Exel sil for business analyst? Check out ‘our new Excel for business analyst course offering. + Doyouwant to improve your business decision-making? Check out our new Financial Forecasting and Modeling Training course! ne eSi, CISSP Practice Exam Questions and Answers #8 ‘Whenever asubject attempts to access an object, that acess must be authorized, During this acces, the set of conceptual requirements must be verified by the part ‘ofthe operating system kernel that dels with security. The conceptual ulesetis krownas he __ while the enforcement mechanisms reerred to asthe Access Control List Security Enforcer b Security Enforcer, Access ContrlList «Reference Monitor Securlty Kernel «Security Kernel, Reference Monitor Answer: C [Asa subject attempts to access an object, two ofthe main elements that control access are the Reference Monitor nd the Security Kernel. The Reference Monitor isthe conceptual ruleset that defines access while the Security Kernel includes the hardware. software, or firmware that enforces therules et An access controllst (ACL is table that tells acomputer operating system what access Fights each user has to particular system object, such as filecvectory or individual file Security enforcer isa made-upterm CISSP Sample Questions and Answers #9 ‘A fundamental security principles that security controls must be aligned with business objectives Based onthe impact security has upon an organization's success, ys the concept of business alignment important? 2 There fs always atradeoft for security, soan organization has to weigh the cost vebenefits ofthe security measures. b Security is cheap and easly implemented compared to the potential for loss.Security should be Implemented everywhere possible, «Security iso important that every organization mustimplement as muchas possible. 4. Security too costly to implement in small organizations. ‘Answer: A ‘Theres alvaysatrade-off for security Sometimes the cost comesin actual dollars spent, Often, other times, security negatively affects performance, backward ‘compatibility, and ease of use. An organization must look atthe overall objectives ‘of the business considering ts primary needs. Sensitive military information must be designed with much more security than a small home/office environment that has information of litle tono value to an attacker. The level of implemented security should be commensurate with business needs ata reasonable cost and needs tobe crafted tomatch each enterprise’ individual needs. CISSP Practice Exam Questions and Answers #10 ‘Asystems minimum security baseline references asystemsleast acceptable security configuration for a specific environment. Prior to determining the MSB, the system must be categorized base on ts datals Confidentiality, Integrity and ‘Availability needs. When evaluating a system where the potential impact of Unauthorized disclosureis‘high’ the impact of an integrity breach mel, and the impact ofthe data being temporarily unavailable slow, whats the overall, ‘categorization ofthe system? a.High b.Medium clow ‘d. Melum-high Answer For aninformation system, the potential impact values assigned tothe respective security objectives (confidentiality, integrity, availability) shallbe the highestvalues rom among those security categories that have been determined for each type of information resident in the information system. As the highest eategory is “Hight the system s clasiied as “High CISSP Questions and Answers #11 (While evaluating system per the TCSEC and the more recent Common Criteria, ‘Trust and Assurance are two elements that are included in the evaluation scope. Which of the following choices best describes trust and assurance? a. Trust describes how secure the systems, wile assurance describes performance capabilites. b. Assurance describes how secure the systemis, while trust describes, performance capabilites. Trust describes the function ofthe product while assurance describes the reliability ofthe process used to create the product 4. Assurance describes the function of the product, while trust describes the reliability ofthe process useto create the product ‘Answer: CTrusts typically defined in terms ofthe security features, functions, mechanisms, services procedures, and architectures implemented within asystem, Security assuranceis the measure of confidence thatthe security functionaltyis Implemented correctly, operating as intended, and producing the desired ‘outcome based on the reliability ofthe processes used to develop the system. CISSP Practice Questions and Answers #12 14918. Giber Verram created a means of proviingmathemstially unbreakable ncryptionby using one-time pad that served as ey. Which modern technology based on the ideas impleentedin the Vernam Cipher? a. Asymmetric Cryptography Digital signatures that provide authenticity «The handshake process used by IPSecand numerous other frameworks 4. Session keys Answer: D Sessions keys are used fora single session and are then discarded. asis the one- time pad. Additionally, each session key mustbe statistically unpredictable and Unrelated to the previous key, as the one-time pad requires, aswell Any technology that takes advantage of a short-term password or key can ultimately be traced back tothe one-time pad. Asymmetric Cryptography is often used to provide secure session key exchange. Digital signatures are used to verity a message sender and “content. IPSec handshaking is used to establish a secure channel CISSP Practice Exam Questions and Answers #13 ‘During World War I the Germans used the Enigma machine to exchange encrypted messages It was arotating disk-based system that used the starting rotor configuration as its secrecy mechanism. When the original system was “compromiced, the Germans added a fourth rotor to exponentially increase the ‘complexity necessary to break the code. Ths concept is seen inthe relationship betweena. AES and Kerberos b.DES/SDES| .RSAand DSA 6.RSA and DSA, Answer: B DES was originally the standard for protecting sensitive but unclassified Information forthe US Gavernment. Once DES was compromised the US {government needed a quick means toincrease its security. 3DES tripled the length of the key from S6bits to 168 bits, Often a quick means to strengthen compromised algrithm ist inerease the key length or the length ofthe Initialization vector. CISSP Practice Exam Questions and Answers #14 ‘Auser receives an emailthat they believe to have been sentby a colleague. In actuality the email was spoofed by an attacker. What security services would have Indicated that the message was spooted? a. Privacy Authorization clntegrity ‘.Nor-repuciation ‘Answer: D 'Non-repudiatin isthe combination of authenticity and integrity and is [implemented through the use of digital signatures, Privacy is involved in protecting private data from disclosure. Authorization i granting users access rights to objects. cope Maser of roe seen lg AGaenyCISSP Practice Exam Questions and Answers #15 Inmail messages, the contents ofthe message are often encrypted by asymmetric algorithm, ikely AES. Non-repudiation, however is obtained thraugh a combination ot hashing and an asymmetric algorithm, How is non-tepudiation accomplished? ‘a. By encrypting the document with the sender's private key, then hashing document .Byeeneryptng the document with the sender's publickey, then hashing the decument «By hashing the document and then encrypting the hash with the sender's private ey 4. By hashing the document then encrypting the hash withthe receiver's publickey ‘Answer: C A digital signature provides non-repudiation (a combination of integrity and authenticity fora message, With a gital signature, the message Is hashed with hashing algorithm like SHA-1 or SHA-256. The hashis then encrypted with the sender’ private key using an algorithm ike RSA. The recipient decrypts the signature with the sender's public key andrecaleulates the hash from the message. Ifthe two match then both the sender and the message's contents are authenticated, CISSP Practice Exam Questions and Answers #16 [hash should not be able tobe reversed ta reveal the source cantents ofthe message or file, What provides tis secrecyin ah hing algorthen?a.Apublickey b.Aprivate key One-way math 4.Acigital signature Answer Hashes are based on one-way math e.g. math that Is very easy to perform one way, butexceedingly difficult to reverse, Passwords are frequently stored as hashes for this reason. a passwords forgotten, a network administrator cant view the password though they can eset it CISSP Practice Exam Questions and Answers #17 ‘Whatisa birthday attack? 1. An attack on passwords based on the idea that many users choose weak passwords based on personal information such asbirthdays. b.Alogicbomi that triggers onthe date of the attacker's birthday -Anattack that attempts to find colsions in separate messages. 4.An attack that focuses on personnel databases nan attempt to compromise personal information for the purpose of identity theft. Answer ‘birthday attack s based onthe idea thatit is easier to find two hashes that just happen to match rather than trying to produce aspecifichash. is called bicthday attack based on the fat thatitis easier te ind two peopleina group ‘whose birthdays ust happen tomatch, rather than someone with a specific birthday. CISSP Practice Exam Questions and Answers #18 lWaLayer 1 network issue has caused the lack of communication between hosts, hich choice would be the most likely cause? a.CableRouter ce Switeh anic “Answer: A Layer 1of the OS1 Reference Modells teferted to asthe "Physical Layer" and provides physical connectivity tothe network. Cable, connectors, hubs, and any device thats only concerned with creating a means forthe physical signal to traverse the network are Layer 1 devices. hough thereisan element of NIC (Network Interface Card) that does provide physical connectivity, most consider it tobea Layer 2 device. A switch slayer 2device and router isa layer 3 device, CISSP Practice Exam Questions and Answers #19 ‘The Data Link Layer (layer 2 of the OS! Model has two sublayers. The frstis MAC. (Media Access Control) and it provides a means for determining which system or systems can have access tothe transmission media andl be allowed to transmit at any given time. Ethernet uses the second method called CSMAVCD (Carrier Sense “Multiple Access with Collision Detection) What does CSMA/CD imply? 2. Ethernet environments avoid colsions by detecting their likelihood before transmitting Ethernet environments only allow an individual host to-acess the cable at any sven time and are capable of detecting colsions as they happen. Even though Ethernet traffic is prone to collisions, a hub canallbut eliminate them. €4.Though mutiple systems can access the media simultaneously theresut willbe acollsion, which should be immediately detected. Answer: Ethernet Mecia Access uses CSMA/CD. This indicates that hosts will'sense" the cable to determine if datas transmitting However, multiple hosts could have sensed thatthe media was available atthe same time, In tis case, if multiple hoststranzmiton the cableitcauses a collision which shouldbe detected immediately. A hhubwould not help wit this problem. n order to limit colisions,a switchs necessary. CISSP Practice Exam Questions and Answers #20 Ian enterprises considering migrating resources to the cloud and wishes to ensue thatthe Cloud Service Provider has the ablity to provision and de-peavision resources in an automatic manner, <0 that available resources match the current ‘demand as closely as possible, which technique choice would be most appropriate? a Scalability elasticity Availability 4.Reliability Answer: B One ofthe big benefits of cloud infrastructures the elasticity it offers Elasticity is the degree to which systems are able to adapt to changes in workload by provisioning and de-provisioning needed resources automatically so that at each ‘moment, the available resources match the current demand as lasly as possible. Master of Project Academy CISSP Exam Simulator Inadditionto these sample 20 questions, we at Master of Project Academy also offer a free CISSP Exam simulator. [ti svailable ory for fee. The ree CISSP «exam simulatorhas 15 CISSP practice exam questions ani these let you get anidea ofthe quality of our CISSPquestionsin the paid simulator. Yes, we also have paid CISSP exam simulator. Our paid CISSP exam simulator contains 1050 sample rea-lke CISSP exam questions. The simulator ofers you seven CISSP mock exams to help you achieve the best result ae Nica