Free ISC CISSP Practice Exam with Questions & Answers | Set: 9

White box testing is the most effective method of testing custom application code because it involves examining the internal structure and logic of the code, which can reveal errors, vulnerabilities, and inefficiencies that may not be detected by other methods. White box testing can also help improve the design, quality, and security of the code by applying techniques such as code coverage, code analysis, and code review. White box testing requires access to the source code and knowledge of the programming language and tools used to develop the code. References:

• CISSP - Certified Information Systems Security Professional, Domain 8: Software Development Security, Section: Software Testing Methods
• (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide, 9th Edition, Chapter 21: Software Development Security, Section: Software Testing Methods, Page: 1080
• CISSP Exam Outline, Domain 8: Software Development Security, Section: Implement security controls in development environments, Subsection: Assess the effectiveness of software security

According to the CISSP Official (ISC)2 Practice Tests3, the most effective way to dispose of data on multiple hard drives is to perform multiple passes on each drive using approved formatting methods. This means that the data on the hard drives should be overwritten with random or meaningless patterns several times, using software tools or commands that follow the standards and guidelines for secure data erasure. This can ensure that the data on the hard drives is irrecoverable and unreadable, even by using advanced forensic techniques or tools. Deleting every file on each drive is not an effective way to dispose of data on multiple hard drives, as it does not actually erase the data, but only removes the pointers or references to the data. The data can still be recovered and read by using undelete or recovery tools, or by accessing the slack or unallocated space on the drive. Destroying the partition table for each drive using the command line is not an effective way to dispose of data on multiple hard drives, as it does not actually erase the data, but only removes the information about how the drive is divided into logical sections. The data can still be recovered and read by using partition recovery tools, or by accessing the raw data on the drive. Degaussing each drive individually is not an effective way to dispose of data on multiple hard drives, as it may not work on modern hard drives that use perpendicular recording technology. Degaussing is a process that uses a strong magnetic field to erase the data on magnetic media, such as tapes or disks. However, modern hard drives have higher coercivity, which means they require a stronger magnetic field to be erased, and degaussing may not be able to generate such a field. Degaussing may also damage the hard drive components and render them unusable. References: 3

The factor that has the greatest impact on an organization’s security posture is the international and country-specific compliance requirements. Compliance requirements are the rules or the regulations that an organization must follow or adhere to, in order to meet the standards or the expectations of the authorities or the stakeholders, such as the governments, the customers, or the auditors. Compliance requirements can vary depending on the location, the industry, or the type of the organization, and they can affect the security policies, the controls, or the practices of the organization. Compliance requirements can have a significant impact on the organization’s security posture, as they can influence the security objectives, the risks, or the resources of the organization, and they can also impose penalties or sanctions for non-compliance or violations. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, page 23; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1, page 31

Data-in-use controls are security measures that protect data while it is being processed or manipulated by an application or a user. Examples of data-in-use controls include encryption, masking, tokenization, and digital rights management. The primary benefit of implementing data-in-use controls is that they prevent unauthorized access to sensitive data in the event of data loss, theft, or leakage. If the data is lost, it will not be accessible to unauthorized users because it will be encrypted, masked, tokenized, or protected by digital rights. The other options are not benefits of data-in-use controls, but rather benefits of data-at-rest controls, data-in-transit controls, or access controls. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 3, page 142; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 3, page 118

Generic Routing Encapsulation (GRE) is a protocol that encapsulates a packet of one protocol type within another protocol type4. When using GRE tunneling over IPv4, the GRE header is inserted between the delivery header and the payload5. The delivery header contains the new source and destination IP addresses of the tunnel endpoints, while the payload contains the original IP packet4. The GRE header contains information such as protocol type, checksum, and key6.

A rogue Access Point (AP) is an AP connected to the wired infrastructure but not under the management of authorized network administrators. A rogue AP can pose a serious security threat, as it can allow unauthorized access to the network, bypass security controls, and expose sensitive data. The other options are not correct descriptions of a rogue AP. Option A is a description of an unsecured AP, which is an AP that is not protected by a firewall or other security measures. Option B is a description of an outdated AP, which is an AP not configured to use Wired Equivalent Privacy (WEP) with Triple Data Encryption Algorithm (3DES), which are weak encryption methods that can be easily cracked. Option D is a description of a compromised AP, which is an AP infected by any kind of Trojan or Malware, which can cause malicious behavior or damage to the network. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 6, p. 325; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 4, p. 241.

TLS is the successor to SSL and is considered to be the best option for encrypting web application communications. It provides secure communication between web browsers and servers, ensuring data integrity, confidentiality, and authentication. References: ISC2 CISSP

The modification of Certificate Revocation List (CRL) could elicit a Denial of Service (DoS) attack against a credential management system by altering the list of revoked certificates and preventing valid users from accessing the system or allowing invalid users to access the system. A CRL is a list of digital certificates that have been revoked by the issuing Certificate Authority (CA) before their expiration date and should not be trusted.

• A. Delayed revocation or destruction of credentials is not a factor that could elicit a DoS attack against a credential management system, but rather a risk that could compromise the security and validity of the credentials and the system.
• C. Unauthorized renewal or re-issuance is not a factor that could elicit a DoS attack against a credential management system, but rather a threat that could result in the misuse or impersonation of the credentials and the system.
• D. Token use after decommissioning is not a factor that could elicit a DoS attack against a credential management system, but rather an issue that could affect the availability and performance of the system.

References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 4, page 216; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 4, page 183

SSL encryption is used to secure communications over computer networks by encrypting data transmitted between two systems—usually your computer and a server.

References:

• CISSP All-in-One Exam Guide, Eighth Edition, Chapter 6, p. 303.
• CISSP practice exam questions and answers, Question 10.

According to the CISSP Official (ISC)2 Practice Tests3, the layer of the Open Systems Interconnect (OSI) model that handles the source and destination address for a datagram is the Network Layer. The OSI model is a conceptual framework that defines the functions, services, and protocols of the communication system or network, as well as the interactions and interfaces among them. The OSI model consists of seven layers, each of which performs a specific function or service for the communication system or network, such as the Physical Layer, the Data-Link Layer, the Network Layer, the Transport Layer, the Session Layer, the Presentation Layer, or the Application Layer. The Network Layer is the third layer of the OSI model, which provides the functionality and service of routing and forwarding the data or information across the communication system or network, such as the Internet Protocol (IP) or the Internet Control Message Protocol (ICMP). The Network Layer handles the source and destination address for a datagram, which is a unit or a packet of data or information that is transmitted or received over the communication system or network. The source and destination address for a datagram are the logical or numerical identifiers that specify the origin and the destination of the datagram, such as the IP address or the host name of the sender and the receiver of the datagram. The Network Layer uses the source and destination address for a datagram to determine the best path or route for the datagram to travel from the sender to the receiver, as well as to deliver the datagram to the correct destination. The Transport Layer is not the layer of the OSI model that handles the source and destination address for a datagram, although it may be the layer that handles the source and destination port for a segment. The Transport Layer is the fourth layer of the OSI model, which provides the functionality and service of ensuring the reliable and efficient transmission and reception of the data or information across the communication system or network, such as the Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP). The Transport Layer handles the source and destination port for a segment, which is a unit or a packet of data or information that is transmitted or received over the communication system or network. The source and destination port for a segment are the logical or numerical identifiers that specify the application or the service that is sending or receiving the segment, such as the port number or the socket number of the application or the service. The Transport Layer uses the source and destination port for a segment to establish, maintain, and terminate the connection or the session between the sender and the receiver, as well as to deliver the segment to the correct application or service. The Data-Link Layer is not the layer of the OSI model that handles the source and destination address for a datagram, although, it may be the layer that handles the source and destination address for a frame. The Data-Link Layer is the second layer of the OSI model, which provides the functionality and service of transferring and exchanging the data or information between the adjacent nodes or devices on the communication system or network, such as the Ethernet, the Wi-Fi, or the Bluetooth. The Data-Link Layer handles the source and destination address for a frame, which is a unit or a packet of data or information that is transmitted or received over the communication system or network. The source and destination address for a frame are the physical or hardware identifiers that specify the node or the device that is sending or receiving the frame, such as the Media Access Control (MAC) address or the Physical Address of the node or the device. The Data-Link Layer uses the source and destination address for a frame to identify, locate, and access the node or the device that is sending or receiving the frame, as well as to deliver the frame to the correct node or device. The Application Layer is not the layer of the OSI model that handles the source and destination address for a datagram, although it may be the layer that handles the source and destination address for a message.

A baseline is a standard or reference point against which something can be measured or compared. A system configuration baseline is a documented set of specifications for the hardware and software components of an information system, such as operating system, applications, patches, settings, etc. A system configuration baseline can be used to ensure that the system meets the security and performance requirements of the organization, and to detect any unauthorized or unwanted changes to the system. To verify that an information system’s current hardware and software match the standard system configuration, the organization can compare the actual configuration of the system against the baseline, using tools such as configuration management software, checksums, or hashes. Reviewing the configuration after the system goes into production is not sufficient, as it does not account for any changes that may occur after the initial deployment. Running vulnerability scanning tools on all devices in the environment is not specific, as it does not compare the system configuration against the baseline, but rather against a database of known vulnerabilities. Verifying all the approved security patches are implemented is not comprehensive, as it does not cover other aspects of the system configuration, such as applications, settings, etc. References: System Configuration Baseline, [CISSP All-in-One Exam Guide, Eighth Edition, Chapter 3: Security Architecture and Engineering]2

Cyclic redundancy check (CRC) is the only option that operates at the session, transport, or network layer of the OSI model. CRC is a technique or algorithm that calculates a checksum or a hash value for a data block or a packet, and appends it to the data or the packet. CRC can be used to detect errors or corruption in the data or the packet during transmission or storage, by comparing the checksum or the hash value at the sender and the receiver. CRC can operate at different layers of the OSI model, such as the session layer (e.g., NetBIOS), the transport layer (e.g., TCP), or the network layer (e.g., IP).

• A. Data at rest encryption is not a technique or algorithm that operates at the session, transport, or network layer of the OSI model, but rather a technique or algorithm that operates at the physical layer of the OSI model. Data at rest encryption is the process of transforming or encoding data into an unreadable or unintelligible form, using a secret key or algorithm, when the data is stored on a physical device, such as a disk, a tape, or a flash drive.
• B. Configuration management is not a technique or algorithm that operates at the session, transport, or network layer of the OSI model, but rather a process or function that operates at the application layer of the OSI model. Configuration management is the process of controlling and documenting the changes and updates to the software, hardware, or network components of an information system, to ensure the consistency, quality, and security of the system.
• C. Integrity checking software is not a technique or algorithm that operates at the session, transport, or network layer of the OSI model, but rather a technique or algorithm that operates at the application layer of the OSI model. Integrity checking software is the software that monitors and verifies the integrity or the authenticity of the files, programs, or systems, by using cryptographic techniques, such as hashing, digital signatures, or certificates.

References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 4, page 199; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 4, page 166

Value boundary analysis is a functional software testing technique that tests the behavior of a software system or component when it receives inputs that are at the boundary or edge of the expected range of values. Value boundary analysis is based on the assumption that errors are more likely to occur at the boundary values than at the normal values. Test inputs are obtained from the derived threshold of the given functional specifications, such as the minimum, maximum, or just above or below the boundary values. Value boundary analysis can help identify errors or defects in the software system or component that may cause unexpected or incorrect outputs, crashes, or failures34 References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 8: Software Development Security, p. 497; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 8: Software Development Security, p. 1015.

The organization will provide the limits and scope of the testing to the security services firm that will conduct a penetration test. The limits and scope of the testing define the boundaries, objectives, and rules of engagement for the penetration test, such as the target systems, the testing methods, the testing duration, the testing schedule, the testing team, the testing tools, the testing reporting, and the testing authorization. The limits and scope of the testing are essential for ensuring the legality, the ethics, and the effectiveness of the penetration test.

• B. Physical location of server room and wiring closet is not something that the organization will provide to the security services firm that will conduct a penetration test, as it could compromise the security and the integrity of the network infrastructure and the testing results.
• C. Logical location of filters and concentrators is not something that the organization will provide to the security services firm that will conduct a penetration test, as it could reveal the network architecture and the security controls and affect the testing accuracy and validity.
• D. Employee directory and organizational chart is not something that the organization will provide to the security services firm that will conduct a penetration test, as it could violate the privacy and the confidentiality of the employees and the organization.

References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 7, page 427; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 7, page 381

According to the CISSP All-in-One Exam Guide2, the things that are required to assure authenticity are authentication and non-repudiation. Authenticity is the property that ensures that the data, information, system, network, or entity is genuine, original, and trustworthy, and is not counterfeit, altered, or impersonated. Authentication is the process of verifying and confirming the identity or the validity of a subject or an entity, such as a user, a device, or a message. Authentication helps to assure authenticity, as it ensures that the subject or the entity is who or what it claims to be, and is not an impostor, a fraud, or a forgery. Non-repudiation is the process of preventing or denying the denial or the dispute of an action or an event, such as the sending, receiving, or signing of a message. Non-repudiation helps to assure authenticity, as it ensures that the subject or the entity cannot deny or reject the authenticity or the validity of the action or the event, and is held accountable and responsible for it. Confidentiality is not the thing that is required to assure authenticity, although it may be a thing that is supported or enhanced by authenticity. Confidentiality is the property that ensures that the data or information is only accessible or disclosed to the authorized parties, and is protected from unauthorized or unintended access or disclosure. Confidentiality may be supported or enhanced by authenticity, as it ensures that the data or information is not accessed or disclosed by the impostors, frauds, or forgeries, and that the data or information is not counterfeit, altered, or impersonated. However, confidentiality is not the thing that is required to assure authenticity, as it does not verify or confirm the identity or the validity of the subject or the entity, or prevent or deny the denial or the dispute of the action or the event. Integrity is not the thing that is required to assure authenticity, although it may be a thing that is supported or enhanced by authenticity. Integrity is the property that ensures that the data or information is accurate, complete, and consistent, and is protected from unauthorized or unintended modification or corruption. Integrity may be supported or enhanced by authenticity, as it ensures that the data or information is not modified or corrupted by the impostors, frauds, or forgeries, and that the data or information is genuine, original, and trustworthy. However, integrity is not the thing that is required to assure authenticity, as it does not verify or confirm the identity or the validity of the subject or the entity, or prevent or deny the denial or the dispute of the action or the event.