Certified Information Systems Security Professional CISSP Real Exam Dumps [2022 Updated]

Eleanor2022-05-19T09:01:46+00:00

Certified Information Systems Security Professional CISSP, as a famous IT certification issued by (ISC)², is recommended by many candidates who have been a CISSP certified. Earning the CISSP proves you have what it takes to effectively design, implement and manage a best-in-class cybersecurity program. To a CISSP exam taker, he/she needs to choose the CISSP real dumps as the preparation materials for passing successfully. You will be right here to get the most updated CISSP real exam dumps with the precise questions and answers.

Read CISSP Free Demo Questions Below

Page 1 of 10

1. At a MINIMUM, a formal review of any Disaster Recovery Plan (DRP) should be conducted

monthly.

quarterly.

annually.

bi-annually.

2. With what frequency should monitoring of a control occur when implementing Information Security Continuous Monitoring (ISCM) solutions?

Continuously without exception for all security controls

Before and after each change of the control

At a rate concurrent with the volatility of the security control

Only during system implementation and decommissioning

3. Logical access control programs are MOST effective when they are

approved by external auditors.

combined with security token technology.

maintained by computer security officers.

made part of the operating system.

4. Why must all users be positively identified prior to using multi-user computers?

To provide access to system privileges

To provide access to the operating system

To ensure that unauthorized persons cannot access the computers

To ensure that management knows what users are currently logged on

5. Which one of the following security mechanisms provides the BEST way to restrict the execution of privileged procedures?

Role Based Access Control (RBAC)

Biometric access control

Federated Identity Management (IdM)

Application hardening

6. In which of the following programs is it MOST important to include the collection of security process data?

Quarterly access reviews

Security continuous monitoring

Business continuity testing

Annual security training

7. Which of the following can BEST prevent security flaws occurring in outsourced software development?

Contractual requirements for code quality

Licensing, code ownership and intellectual property rights

Certification of the quality and accuracy of the work done

Delivery dates, change management control and budgetary control

8. Recovery strategies of a Disaster Recovery planning (DRIP) MUST be aligned with which of the following?

Hardware and software compatibility issues

Applications’ critically and downtime tolerance

Budget constraints and requirements

Cost/benefit analysis and business objectives

9. An input validation and exception handling vulnerability has been discovered on a critical web-based system .

Which of the following is MOST suited to quickly implement a control?

Add a new rule to the application layer firewall

Block access to the service

Install an Intrusion Detection System (IDS)

Patch the application source code

10. What is the BEST approach for controlling access to highly sensitive information when employees have the same level of security clearance?

Audit logs

Role-Based Access Control (RBAC)

Two-factor authentication

Application of least privilege

Page 2 of 10

11. Which of the following is a limitation of the Common Vulnerability Scoring System (CVSS) as it relates to conducting code review?

It has normalized severity ratings.

It has many worksheets and practices to implement.

It aims to calculate the risk of published vulnerabilities.

It requires a robust risk management framework to be put in place.

12. The birthday attack is MOST effective against which one of the following cipher technologies?

Chaining block encryption

Asymmetric cryptography

Cryptographic hash

Streaming cryptography

13. Which of the following MUST be part of a contract to support electronic discovery of data stored in a cloud environment?

Integration with organizational directory services for authentication

Tokenization of data

Accommodation of hybrid deployment models

Identification of data location

14. Which of the following is a PRIMARY benefit of using a formalized security testing report format and structure?

Executive audiences will understand the outcomes of testing and most appropriate next steps for corrective actions to be taken

Technical teams will understand the testing objectives, testing strategies applied, and business risk associated with each vulnerability

Management teams will understand the testing objectives and reputational risk to the organization

Technical and management teams will better understand the testing objectives, results of each test phase, and potential impact levels

15. Which of the following actions will reduce risk to a laptop before traveling to a high risk area?

Examine the device for physical tampering

Implement more stringent baseline configurations

Purge or re-image the hard disk drive

Change access codes

16. The Structured Query Language (SQL) implements Discretionary Access Controls (DAC) using

INSERT and DELET

GRANT and REVOK

PUBLIC and PRIVAT

ROLLBACK and TERMINAT

17. A continuous information security monitoring program can BEST reduce risk through which of the following?

Collecting security events and correlating them to identify anomalies

Facilitating system-wide visibility into the activities of critical user accounts

Encompassing people, process, and technology

Logging both scheduled and unscheduled system changes

18. Which one of the following affects the classification of data?

Assigned security label

Multilevel Security (MLS) architecture

Minimum query size

Passage of time

19. An advantage of link encryption in a communications network is that it

makes key management and distribution easier.

protects data from start to finish through the entire network.

improves the efficiency of the transmission.

encrypts all information, including headers and routing information.

20. When assessing an organization’s security policy according to standards established by the International Organization for Standardization (ISO) 27001 and 27002, when can management responsibilities be defined?

Only when assets are clearly defined

Only when standards are defined

Only when controls are put in place

Only procedures are defined

Page 3 of 10

21. What is the second phase of Public Key Infrastructure (PKI) key/certificate life-cycle management?

Implementation Phase

Initialization Phase

Cancellation Phase

Issued Phase

22. When implementing a data classification program, why is it important to avoid too much granularity?

The process will require too many resources

It will be difficult to apply to both hardware and software

It will be difficult to assign ownership to the data

The process will be perceived as having value

23. Which of the following is an attacker MOST likely to target to gain privileged access to a system?

Programs that write to system resources

Programs that write to user directories

Log files containing sensitive information

Log files containing system calls

24. Which of the following is a web application control that should be put into place to prevent exploitation of Operating System (OS) bugs?

Check arguments in function calls

Test for the security patch level of the environment

Include logging functions

Digitally sign each application module

25. Which of the following is an authentication protocol in which a new random number is generated uniquely for each login session?

Challenge Handshake Authentication Protocol (CHAP)

Point-to-Point Protocol (PPP)

Extensible Authentication Protocol (EAP)

Password Authentication Protocol (PAP)

26. A manufacturing organization wants to establish a Federated Identity Management (FIM) system with its 20 different supplier companies .

Which of the following is the BEST solution for the manufacturing organization?

Trusted third-party certification

Lightweight Directory Access Protocol (LDAP)

Security Assertion Markup language (SAML)

Cross-certification

27. Which component of the Security Content Automation Protocol (SCAP) specification contains the data required to estimate the severity of vulnerabilities identified automated vulnerability assessments?

Common Vulnerabilities and Exposures (CVE)

Common Vulnerability Scoring System (CVSS)

Asset Reporting Format (ARF)

Open Vulnerability and Assessment Language (OVAL)

28. An external attacker has compromised an organization's network security perimeter and installed a sniffer onto an inside computer .

Which of the following is the MOST effective layer of security the organization could have implemented to mitigate the attacker's ability to gain further information?

Implement packet filtering on the network firewalls

Require strong authentication for administrators

Install Host Based Intrusion Detection Systems (HIDS)

Implement logical network segmentation at the switches

29. A disadvantage of an application filtering firewall is that it can lead to

a crash of the network as a result of user activities.

performance degradation due to the rules applied.

loss of packets on the network due to insufficient bandwidth.

Internet Protocol (IP) spoofing by hackers.

30. Which of the following is MOST important when assigning ownership of an asset to a department?

The department should report to the business owner

Ownership of the asset should be periodically reviewed

Individual accountability should be ensured

All members should be trained on their responsibilities

Page 4 of 10

31. An Intrusion Detection System (IDS) is generating alarms that a user account has over 100 failed login attempts per minute. A sniffer is placed on the network, and a variety of passwords for that user are noted .

Which of the following is MOST likely occurring?

A dictionary attack

A Denial of Service (DoS) attack

A spoofing attack

A backdoor installation

32. Which of the following is an initial consideration when developing an information security management system?

Identify the contractual security obligations that apply to the organizations

Understand the value of the information assets

Identify the level of residual risk that is tolerable to management

Identify relevant legislative and regulatory compliance requirements

33. Checking routing information on e-mail to determine it is in a valid format and contains valid information is an example of which of the following anti-spam approaches?

Simple Mail Transfer Protocol (SMTP) blacklist

Reverse Domain Name System (DNS) lookup

Hashing algorithm

Header analysis

34. What is the ultimate objective of information classification?

To assign responsibility for mitigating the risk to vulnerable systems

To ensure that information assets receive an appropriate level of protection

To recognize that the value of any item of information may change over time

To recognize the optimal number of classification categories and the benefits to be gained from their use

35. A Virtual Machine (VM) environment has five guest Operating Systems (OS) and provides strong isolation .

What MUST an administrator review to audit a user’s access to data files?

Host VM monitor audit logs

Guest OS access controls

Host VM access controls

Guest OS audit logs

36. What should be the FIRST action to protect the chain of evidence when a desktop computer is involved?

Take the computer to a forensic lab

Make a copy of the hard drive

Start documenting

Turn off the computer

37. What is the BEST approach to addressing security issues in legacy web applications?

Debug the security issues

Migrate to newer, supported applications where possible

Conduct a security assessment

Protect the legacy application with a web application firewall

38. An external attacker has compromised an organization’s network security perimeter and installed a sniffer onto an inside computer .

Which of the following is the MOST effective layer of security the organization could have implemented to mitigate the attacker’s ability to gain further information?

Implement packet filtering on the network firewalls

Install Host Based Intrusion Detection Systems (HIDS)

Require strong authentication for administrators

Implement logical network segmentation at the switches

39. An organization is designing a large enterprise-wide document repository system. They plan to have several different classification level areas with increasing levels of controls.

The BEST way to ensure document confidentiality in the repository is to

encrypt the contents of the repository and document any exceptions to that requirement.

utilize Intrusion Detection System (IDS) set drop connections if too many requests for documents are detected.

keep individuals with access to high security areas from saving those documents into lower security areas.

require individuals with access to the system to sign Non-Disclosure Agreements (NDA).

40. Which of the following represents the GREATEST risk to data confidentiality?

Network redundancies are not implemented

Security awareness training is not completed

Backup tapes are generated unencrypted

Users have administrative privileges

Page 5 of 10

41. What is the PRIMARY reason for implementing change management?

Certify and approve releases to the environment

Provide version rollbacks for system changes

Ensure that all applications are approved

Ensure accountability for changes to the environment

42. Users require access rights that allow them to view the average salary of groups of employees .

Which control would prevent the users from obtaining an individual employee’s salary?

Limit access to predefined queries

Segregate the database into a small number of partitions each with a separate security level

Implement Role Based Access Control (RBAC)

Reduce the number of people who have access to the system for statistical purposes

43. Which of the following types of business continuity tests includes assessment of resilience to internal and external risks without endangering live operations?

Walkthrough

Simulation

Parallel

White box

44. A company whose Information Technology (IT) services are being delivered from a Tier 4 data center, is preparing a companywide Business Continuity Planning (BCP) .

Which of the following failures should the IT manager be concerned with?

Application

Storage

Power

Network

45. Alternate encoding such as hexadecimal representations is MOST often observed in which of the following forms of attack?

Smurf

Rootkit exploit

Denial of Service (DoS)

Cross site scripting (XSS)

46. Which of the following is the PRIMARY risk with using open source software in a commercial software construction?

Lack of software documentation

License agreements requiring release of modified code

Expiration of the license agreement

Costs associated with support of the software

47. Which of the following is of GREATEST assistance to auditors when reviewing system configurations?

Change management processes

User administration procedures

Operating System (OS) baselines

System backup documentation

48. In a basic SYN flood attack, what is the attacker attempting to achieve?

Exceed the threshold limit of the connection queue for a given service

Set the threshold to zero for a given service

Cause the buffer to overflow, allowing root access

Flush the register stack, allowing hijacking of the root account

49. A vulnerability test on an Information System (IS) is conducted to

exploit security weaknesses in the I

measure system performance on systems with weak security controls.

evaluate the effectiveness of security controls.

prepare for Disaster Recovery (DR) planning.

50. Which of the following methods protects Personally Identifiable Information (PII) by use of a full replacement of the data element?

Transparent Database Encryption (TDE)

Column level database encryption

Volume encryption

Data tokenization

Page 6 of 10

51. What is the MOST important step during forensic analysis when trying to learn the purpose of an unknown application?

Disable all unnecessary services

Ensure chain of custody

Prepare another backup of the system

Isolate the system from the network

52. Which of the following types of technologies would be the MOST cost-effective method to provide a reactive control for protecting personnel in public areas?

Install mantraps at the building entrances

Enclose the personnel entry area with polycarbonate plastic

Supply a duress alarm for personnel exposed to the public

Hire a guard to protect the public area

53. What is the purpose of an Internet Protocol (IP) spoofing attack?

To send excessive amounts of data to a process, making it unpredictable

To intercept network traffic without authorization

To disguise the destination address from a target’s IP filtering devices

To convince a system that it is communicating with a known entity

54. A Business Continuity Plan/Disaster Recovery Plan (BCP/DRP) will provide which of the following?

Guaranteed recovery of all business functions

Minimization of the need decision making during a crisis

Insurance against litigation following a disaster

Protection from loss of organization resources

55. Which of the following BEST describes the responsibilities of a data owner?

Ensuring quality and validation through periodic audits for ongoing data integrity

Maintaining fundamental data availability, including data storage and archiving

Ensuring accessibility to appropriate users, maintaining appropriate levels of data security

Determining the impact the information has on the mission of the organization

56. Which of the following wraps the decryption key of a full disk encryption implementation and ties the hard disk drive to a particular device?

Trusted Platform Module (TPM)

Preboot eXecution Environment (PXE)

Key Distribution Center (KDC)

Simple Key-Management for Internet Protocol (SKIP)

57. The BEST method of demonstrating a company's security level to potential customers is

a report from an external auditor.

responding to a customer's security questionnaire.

a formal report from an internal auditor.

a site visit by a customer's security team.

58. Which of the following factors contributes to the weakness of Wired Equivalent Privacy (WEP) protocol?

WEP uses a small range Initialization Vector (IV)

WEP uses Message Digest 5 (MD5)

WEP uses Diffie-Hellman

WEP does not use any Initialization Vector (IV)

59. What is the MOST important purpose of testing the Disaster Recovery Plan (DRP)?

Evaluating the efficiency of the plan

Identifying the benchmark required for restoration

Validating the effectiveness of the plan

Determining the Recovery Time Objective (RTO)

60. The use of private and public encryption keys is fundamental in the implementation of which of the following?

Diffie-Hellman algorithm

Secure Sockets Layer (SSL)

Advanced Encryption Standard (AES)

Message Digest 5 (MD5)

Page 7 of 10

61. Which of the following is an effective control in preventing electronic cloning of Radio Frequency Identification (RFID) based access cards?

Personal Identity Verification (PIV)

Cardholder Unique Identifier (CHUID) authentication

Physical Access Control System (PACS) repeated attempt detection

Asymmetric Card Authentication Key (CAK) challenge-response

62. Which of the following elements MUST a compliant EU-US Safe Harbor Privacy Policy contain?

An explanation of how long the data subject's collected information will be retained for and how it will be eventually disposed.

An explanation of who can be contacted at the organization collecting the information if corrections are required by the data subject.

An explanation of the regulatory frameworks and compliance standards the information collecting organization adheres to.

An explanation of all the technologies employed by the collecting organization in gathering information on the data subject.

63. Who in the organization is accountable for classification of data information assets?

Data owner

Data architect

Chief Information Security Officer (CISO)

Chief Information Officer (CIO)

64. Which of the following BEST describes an access control method utilizing cryptographic keys derived from a smart card private key that is embedded within mobile devices?

Derived credential

Temporary security credential

Mobile device credentialing service

Digest authentication

65. Which of the following BEST represents the principle of open design?

Disassembly, analysis, or reverse engineering will reveal the security functionality of the computer system.

Algorithms must be protected to ensure the security and interoperability of the designed system.

A knowledgeable user should have limited privileges on the system to prevent their ability to compromise security capabilities.

The security of a mechanism should not depend on the secrecy of its design or implementation.

66. In a data classification scheme, the data is owned by the

system security managers

business managers

Information Technology (IT) managers

end users

67. Which of the following is a PRIMARY advantage of using a third-party identity service?

Consolidation of multiple providers

Directory synchronization

Web based logon

Automated account management

68. What is the MOST important consideration from a data security perspective when an organization plans to relocate?

Ensure the fire prevention and detection systems are sufficient to protect personnel

Review the architectural plans to determine how many emergency exits are present

Conduct a gap analysis of a new facilities against existing security requirements

Revise the Disaster Recovery and Business Continuity (DR/BC) plan

69. When is a Business Continuity Plan (BCP) considered to be valid?

When it has been validated by the Business Continuity (BC) manager

When it has been validated by the board of directors

When it has been validated by all threat scenarios

When it has been validated by realistic exercises

70. Which of the following is the BEST network defense against unknown types of attacks or stealth attacks in progress?

Intrusion Prevention Systems (IPS)

Intrusion Detection Systems (IDS)

Stateful firewalls

Network Behavior Analysis (NBA) tools

Page 8 of 10

71. What would be the MOST cost effective solution for a Disaster Recovery (DR) site given that the organization’s systems cannot be unavailable for more than 24 hours?

Warm site

Hot site

Mirror site

Cold site

72. Which layer of the Open Systems Interconnections (OSI) model implementation adds information concerning the logical connection between the sender and receiver?

Physical

Session

Transport

Data-Link

73. In a Transmission Control Protocol/Internet Protocol (TCP/IP) stack, which layer is responsible for negotiating and establishing a connection with another node?

Transport layer

Application layer

Network layer

Session layer

74. Which of the following could cause a Denial of Service (DoS) against an authentication system?

Encryption of audit logs

No archiving of audit logs

Hashing of audit logs

Remote access audit logs

75. Which of the following is the FIRST step in the incident response process?

Determine the cause of the incident

Disconnect the system involved from the network

Isolate and contain the system involved

Investigate all symptoms to confirm the incident

76. The goal of software assurance in application development is to

enable the development of High Availability (HA) systems.

facilitate the creation of Trusted Computing Base (TCB) systems.

prevent the creation of vulnerable applications.

encourage the development of open source applications.

77. An organization is found lacking the ability to properly establish performance indicators for its Web hosting solution during an audit .

What would be the MOST probable cause?

Absence of a Business Intelligence (BI) solution

Inadequate cost modeling

Improper deployment of the Service-Oriented Architecture (SOA)

Insufficient Service Level Agreement (SLA)

78. When in the Software Development Life Cycle (SDLC) MUST software security functional requirements be defined?

After the system preliminary design has been developed and the data security categorization has been performed

After the vulnerability analysis has been performed and before the system detailed design begins

After the system preliminary design has been developed and before the data security categorization begins

After the business functional analysis and the data security categorization have been performed

79. An organization has doubled in size due to a rapid market share increase. The size of the Information Technology (IT) staff has maintained pace with this growth. The organization hires several contractors whose onsite time is limited. The IT department has pushed its limits building servers and rolling out workstations and has a backlog of account management requests.

Which contract is BEST in offloading the task from the IT staff?

Platform as a Service (PaaS)

Identity as a Service (IDaaS)

Desktop as a Service (DaaS)

Software as a Service (SaaS)

80. Which of the following mobile code security models relies only on trust?

Code signing

Class authentication

Sandboxing

Type safety

Page 9 of 10

81. Which security service is served by the process of encryption plaintext with the sender’s private key and decrypting cipher text with the sender’s public key?

Confidentiality

Integrity

Identification

Availability

82. Which of the following is the BEST method to prevent malware from being introduced into a production environment?

Purchase software from a limited list of retailers

Verify the hash key or certificate key of all updates

Do not permit programs, patches, or updates from the Internet

Test all new software in a segregated environment

83. 1.Intellectual property rights are PRIMARY concerned with which of the following?

Owner’s ability to realize financial gain

Owner’s ability to maintain copyright

Right of the owner to enjoy their creation

Right of the owner to control delivery method

84. A software scanner identifies a region within a binary image having high entropy .

What does this MOST likely indicate?

Encryption routines

Random number generator

Obfuscated code

Botnet command and control

85. At what level of the Open System Interconnection (OSI) model is data at rest on a Storage Area Network (SAN) located?

Link layer

Physical layer

Session layer

Application layer

86. Which technique can be used to make an encryption scheme more resistant to a known plaintext attack?

Hashing the data before encryption

Hashing the data after encryption

Compressing the data after encryption

Compressing the data before encryption

87. A security consultant has been asked to research an organization's legal obligations to protect privacy-related information .

What kind of reading material is MOST relevant to this project?

The organization's current security policies concerning privacy issues

Privacy-related regulations enforced by governing bodies applicable to the organization

Privacy best practices published by recognized security standards organizations

Organizational procedures designed to protect privacy information

88. The configuration management and control task of the certification and accreditation process is incorporated in which phase of the System Development Life Cycle (SDLC)?

System acquisition and development

System operations and maintenance

System initiation

System implementation

89. By allowing storage communications to run on top of Transmission Control Protocol/Internet Protocol (TCP/IP) with a Storage Area Network (SAN), the

confidentiality of the traffic is protected.

opportunity to sniff network traffic exists.

opportunity for device identity spoofing is eliminated.

storage devices are protected against availability attacks.

90. Which of the following operates at the Network Layer of the Open System Interconnection (OSI) model?

Packet filtering

Port services filtering

Content filtering

Application access control

Page 10 of 10

91. In the area of disaster planning and recovery, what strategy entails the presentation of information about the plan?

Communication

Planning

Recovery

Escalation

92. Which of the following is used by the Point-to-Point Protocol (PPP) to determine packet formats?

Layer 2 Tunneling Protocol (L2TP)

Link Control Protocol (LCP)

Challenge Handshake Authentication Protocol (CHAP)

Packet Transfer Protocol (PTP)

93. Passive Infrared Sensors (PIR) used in a non-climate controlled environment should

reduce the detected object temperature in relation to the background temperature.

increase the detected object temperature in relation to the background temperature.

automatically compensate for variance in background temperature.

detect objects of a specific temperature independent of the background temperature.

94. Which of the following actions should be performed when implementing a change to a database schema in a production system?

Test in development, determine dates, notify users, and implement in production

Apply change to production, run in parallel, finalize change in production, and develop a back-out strategy

Perform user acceptance testing in production, have users sign off, and finalize change

Change in development, perform user acceptance testing, develop a back-out strategy, and implement change

95. All of the following items should be included in a Business Impact Analysis (BIA) questionnaire EXCEPT questions that

determine the risk of a business interruption occurring

determine the technological dependence of the business processes

Identify the operational impacts of a business interruption

Identify the financial impacts of a business interruption

96. An important principle of defense in depth is that achieving information security requires a balanced focus on which PRIMARY elements?

Development, testing, and deployment

Prevention, detection, and remediation

People, technology, and operations

Certification, accreditation, and monitoring

97. A Java program is being developed to read a file from computer A and write it to computer B, using a third computer C. The program is not working as expected .

What is the MOST probable security feature of Java preventing the program from operating as intended?

Least privilege

Privilege escalation

Defense in depth

Privilege bracketing

98. The three PRIMARY requirements for a penetration test are

A defined goal, limited time period, and approval of management

A general objective, unlimited time, and approval of the network administrator

An objective statement, disclosed methodology, and fixed cost

A stated objective, liability waiver, and disclosed methodology

99. Which Hyper Text Markup Language 5 (HTML5) option presents a security challenge for network data leakage prevention and/or monitoring?

Cross Origin Resource Sharing (CORS)

WebSockets

Document Object Model (DOM) trees

Web Interface Definition Language (IDL)

100. A system has been scanned for vulnerabilities and has been found to contain a number of communication ports that have been opened without authority. To which of the following might this system have been subjected?

Trojan horse

Denial of Service (DoS)

Spoofing

Man-in-the-Middle (MITM)

Certified Information Systems Security Professional CISSP Real Exam Dumps [2022 Updated]