CISSP – Practice Test Questions – 2024 – Set 12 (53 Questions)

Prepare to conquer the CISSP exam with confidence as you delve into this series of practice tests. Explore topics such as security program development and management, enterprise security architecture, and information security governance to build a solid foundation of knowledge and skills required for CISSP certification.

1. Which group of individuals is notorious for targeting PBX and telecommunication infrastructures?

A. Novice hackers
B. Phreakers
C. System breakers
D. Ethical hackers

Correct Answer: B

2. What is the difference between validation and verification in the context of security assessment and testing?

A. Validation checks if the right product is being built, while verification checks if the product is being built correctly.
B. Validation checks if the product is being built correctly, while verification checks if the right product is being built.
C. Validation and verification both check if the right product is being built.
D. Validation and verification both check if the product is being built correctly.

Correct Answer: A

3. What is the purpose of fuzz testing?

A. To check if the application responds correctly to normal inputs
B. To check if the application responds correctly to erroneous inputs
C. To throw randomness at an application to see how it responds and where it might “break”
D. To check if the application responds correctly to both normal and erroneous inputs

Correct Answer: C

4. What is the difference between a vulnerability assessment and a penetration testing?

A. A vulnerability assessment identifies potential vulnerabilities and attempts to exploit them, while a penetration test only identifies potential vulnerabilities.
B. A vulnerability assessment only identifies potential vulnerabilities, while a penetration test identifies potential vulnerabilities and attempts to exploit them.
C. Both vulnerability assessment and penetration test identify potential vulnerabilities and attempt to exploit them.
D. Both vulnerability assessment and penetration test only identify potential vulnerabilities.

Correct Answer: B

5. What are the two primary types of vulnerability scans?

A. Credentialed/authenticated scans and uncredentialed/unauthenticated scans
B. Internal scans and external scans
C. Manual scans and automated scans
D. Static scans and dynamic scans

Correct Answer: A

6. What is the purpose of security assessment and testing in the context of an organization’s security strategy?

A. To ensure that security requirements/controls are defined, tested, and operating effectively
B. To ensure that the organization’s security strategy is aligned with its business goals
C. To ensure that the organization’s security strategy is compliant with regulatory requirements
D. To ensure that the organization’s security strategy is cost-effective

Correct Answer: A

7. What is the difference between a SOC 1 report and a SOC 2 report?

A. SOC 1 reports focus on financial reporting risks, while SOC 2 reports focus on the controls related to the five trust principles: security, availability, confidentiality, processing integrity, and privacy.
B. SOC 1 reports focus on the controls related to the five trust principles – security, availability, confidentiality, processing integrity, and privacy – while SOC 2 reports focus on financial reporting risks.
C. Both SOC 1 and SOC 2 reports focus on financial reporting risks.
D. Both SOC 1 and SOC 2 reports focus on the controls related to the five trust principles: security, availability, confidentiality, processing integrity, and privacy.

Correct Answer: A

8. What is the difference between positive testing, negative testing, and misuse testing?

A. Positive testing checks if the system is working as expected and designed, negative testing checks the system’s response to normal errors, and misuse testing applies the perspective of someone trying to break or attack the system.
B. Positive testing checks the system’s response to normal errors, negative testing checks if the system is working as expected and designed, and misuse testing applies the perspective of someone trying to break or attack the system.
C. Positive testing applies the perspective of someone trying to break or attack the system, negative testing checks if the system is working as expected and designed, and misuse testing checks the system’s response to normal errors.
D. All three types of testing check if the system is working as expected and designed.

Correct Answer: A

9. What is the purpose of regression testing?

A. To verify that previously tested and functional software still works after updates have been made
B. To verify that the software works as expected under heavy load
C. To verify that the software works as expected in different operating systems
D. To verify that the software works as expected with different types of inputs

Correct Answer: A

10. What does the term “test coverage” refer to in the context of security assessment and testing?

A. The number of test cases executed divided by the total number of test cases
B. The number of test cases passed divided by the total number of test cases
C. The amount of code covered divided by the total amount of code in the application
D. The amount of code tested divided by the total amount of code in the application

Correct Answer: C

11. What are the two well-known and often-used threat modeling methodologies mentioned in the content?

A. STRIDE and PASTA
B. DREAD and PASTA
C. STRIDE and DREAD
D. DREAD and OCTAVE

Correct Answer: A

12. What is the difference between Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST)?

A. SAST tests an application while it’s running, while DAST tests the underlying source code of an application.
B. SAST tests the underlying source code of an application, while DAST tests an application while it’s running.
C. Both SAST and DAST test an application while it’s running.
D. Both SAST and DAST test the underlying source code of an application.

Correct Answer: B

13. What are the two types of alerts that often show up in any type of monitoring system?

A. False positives and false negatives
B. True positives and true negatives
C. False positives and true negatives
D. True positives and false negatives

Correct Answer: A

14. What is the purpose of log review and analysis in an organization’s security strategy?

A. To identify potential vulnerabilities in the system
B. To identify potential threats to the system
C. To identify errors and anomalies that point to problems, modifications, or breaches
D. To identify the effectiveness of the system’s security controls

Correct Answer: C

15. What is the difference between a Type 1 and a Type 2 SOC report?

A. A Type 1 report focuses on the design of controls at a point in time, while a Type 2 report examines the design of a control and its operating effectiveness over a period of time.
B. A Type 1 report examines the design of a control and its operating effectiveness over a period of time, while a Type 2 report focuses on the design of controls at a point in time.
C. Both Type 1 and Type 2 reports focus on the design of controls at a point in time.
D. Both Type 1 and Type 2 reports examine the design of a control and its operating effectiveness over a period of time.

Correct Answer: A

16. What is the purpose of a security audit in the context of an organization’s security strategy?

A. To identify potential vulnerabilities in the system
B. To ensure that security controls are operating effectively and as designed
C. To identify potential threats to the system
D. To identify the effectiveness of the system’s security controls

Correct Answer: B

17. What is the difference between a white box test and a black box test?

A. In a white box test, the tester has full knowledge of the system being tested, while in a black box test, the tester has no knowledge of the system.
B. In a white box test, the tester has no knowledge of the system being tested, while in a black box test, the tester has full knowledge of the system.
C. Both white box and black box tests require the tester to have full knowledge of the system being tested.
D. Both white box and black box tests require the tester to have no knowledge of the system being tested.

Correct Answer: A

18. What is the purpose of a code review in the context of security assessment and testing?

A. To identify potential vulnerabilities in the code
B. To identify potential threats to the system
C. To identify errors and anomalies that point to problems, modifications, or breaches
D. To identify the effectiveness of the system’s security controls

Correct Answer: A

19. What is the difference between a credentialed scan and an uncredentialed scan?

A. A credentialed scan is performed with system-level access, while an uncredentialed scan is performed without system-level access.
B. A credentialed scan is performed without system-level access, while an uncredentialed scan is performed with system-level access.
C. Both credentialed and uncredentialed scans are performed with system-level access.
D. Both credentialed and uncredentialed scans are performed without system-level access.

Correct Answer: A

20. What is the purpose of a security control self-assessment?

Correct Answer: B

21. What is the purpose of a risk-based approach to security testing?

A. To focus testing efforts on areas of greatest risk
B. To identify potential vulnerabilities in the system
C. To identify potential threats to the system
D. To identify the effectiveness of the system’s security controls

Correct Answer: A

22. What is the purpose of a security control in the context of an organization’s security strategy?

A. To identify potential vulnerabilities in the system
B. To protect the system against potential threats
C. To identify potential threats to the system
D. To identify the effectiveness of the system’s security controls

Correct Answer: B

23. What is the difference between a false positive and a false negative in the context of security monitoring?

A. A false positive is when the system claims a vulnerability exists, but there is none, while a false negative is when the system says everything is fine, but a vulnerability exists.
B. A false positive is when the system says everything is fine, but a vulnerability exists, while a false negative is when the system claims a vulnerability exists, but there is none.
C. Both false positives and false negatives are when the system claims a vulnerability exists, but there is none.
D. Both false positives and false negatives are when the system says everything is fine, but a vulnerability exists.

Correct Answer: A

24. What is the purpose of a security control baseline in the context of an organization’s security strategy?

A. To identify potential vulnerabilities in the system
B. To provide a starting point for the implementation of security controls
C. To identify potential threats to the system
D. To identify the effectiveness of the system’s security controls

Correct Answer: B

25. What is the purpose of the “Process for Attack Simulation and Threat Analysis” (PASTA) methodology in threat modeling?

A. To identify potential vulnerabilities in the system
B. To simulate potential attack scenarios and analyze threats
C. To identify potential threats to the system
D. To identify the effectiveness of the system’s security controls

Correct Answer: B

26. What is the difference between a Type 1 SOC report and a Type 3 SOC report?

A. A Type 1 report focuses on the design of controls at a point in time, while a Type 3 report examines the design of a control and its operating effectiveness over a period of time.
B. A Type 1 report examines the design of a control and its operating effectiveness over a period of time, while a Type 3 report focuses on the design of controls at a point in time.
C. Both Type 1 and Type 3 reports focus on the design of controls at a point in time.
D. Both Type 1 and Type 3 reports examine the design of a control and its operating effectiveness over a period of time.

Correct Answer: A

27. What is the purpose of the “Spoofing, Tampering, Repudiation, Information disclosure, Denial-of-Service, Elevation of privilege” (STRIDE) methodology in threat modeling?

A. To identify potential vulnerabilities in the system
B. To categorize potential threats to the system
C. To simulate potential attack scenarios
D. To identify the effectiveness of the system’s security controls

Correct Answer: B

28. What is the difference between a Type 2 SOC report and a Type 3 SOC report?

A. A Type 2 report examines the design of a control and its operating effectiveness over a period of time, while a Type 3 report focuses on the design of controls at a point in time.
B. A Type 2 report focuses on the design of controls at a point in time, while a Type 3 report examines the design of a control and its operating effectiveness over a period of time.
C. Both Type 2 and Type 3 reports focus on the design of controls at a point in time.
D. Both Type 2 and Type 3 reports examine the design of a control and its operating effectiveness over a period of time.

Correct Answer: A

29. What is the purpose of Real User Monitoring (RUM) in operational testing?

A. RUM is a passive monitoring technique that monitors user interactions and activity with a website or application.
B. RUM is an active monitoring technique that monitors user interactions and activity with a website or application.
C. RUM is a passive monitoring technique that monitors the performance of a website or application under load.
D. RUM is an active monitoring technique that monitors the performance of a website or application under load.

Correct Answer: A

30. What is the purpose of the Common Vulnerability Scoring System (CVSS)?

A. CVSS reflects a method to characterize a vulnerability through a scoring system considering various characteristics.
B. CVSS is a list of records for publicly known cybersecurity vulnerabilities.
C. CVSS is a method to identify the unique characteristics of a system through an examination of how packets and other system-level information are formed.
D. CVSS is a method to identify a system’s operating system, applications, and versions.

Correct Answer: A

31. What is the purpose of Synthetic Performance Monitoring in operational testing?

A. Synthetic Performance Monitoring is a passive monitoring technique that monitors user interactions and activity with a website or application.
B. Synthetic Performance Monitoring examines functionality as well as functionality and performance under load.
C. Synthetic Performance Monitoring is a passive monitoring technique that monitors the performance of a website or application under load.
D. Synthetic Performance Monitoring is an active monitoring technique that monitors the performance of a website or application under load.

Correct Answer: B

32. What is the purpose of the Common Vulnerabilities and Exposures (CVE) dictionary in the context of interpreting and understanding results from activities like vulnerability scanning, banner grabbing, and fingerprinting?

A. CVE is a list of records for publicly known cybersecurity vulnerabilities.
B. CVE reflects a method to characterize a vulnerability through a scoring system considering various characteristics.
C. CVE is a method to identify the unique characteristics of a system through an examination of how packets and other system-level information are formed.
D. CVE is a method to identify a system’s operating system, applications, and versions.

Correct Answer: A

33. What is the difference between Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) in the context of runtime testing?

A. SAST involves examining the underlying source code when an application is not running, while DAST involves focusing on the application and system as the underlying code executes when an application is running.
B. SAST involves focusing on the application and system as the underlying code executes when an application is running, while DAST involves examining the underlying source code when an application is not running.
C. Both SAST and DAST involve examining the underlying source code when an application is not running.
D. Both SAST and DAST involve focusing on the application and system as the underlying code executes when an application is running.

Correct Answer: A

34. What is the difference between blind testing and double- blind testing in the context of vulnerability assessment and penetration testing?

A. Blind testing involves the assessor being given little to no information about the target being tested, while double-blind testing involves the assessor and the IT and Security Operations teams being given little to no information about the upcoming tests.
B. Blind testing involves the assessor and the IT and Security Operations teams being given little to no information about the upcoming tests, while double-blind testing involves the assessor being given little to no information about the target being tested.
C. Both blind testing and double-blind testing involve the assessor being given little to no information about the target being tested.
D. Both blind testing and double-blind testing involve the assessor and the IT and Security Operations teams being given little to no information about the upcoming tests.

Correct Answer: A

35. What is the difference between circular overwrite and clipping levels in the context of log file management?

A. Circular overwrite limits the maximum size of a log file by overwriting entries, starting from the earliest, while clipping levels focus on when to log a given event based upon threshold settings.
B. Circular overwrite focuses on when to log a given event based upon threshold settings, while clipping levels limit the maximum size of a log file by overwriting entries, starting from the earliest.
C. Both circular overwrite and clipping levels limit the maximum size of a log file by overwriting entries, starting from the earliest.
D. Both circular overwrite and clipping levels focus on when to log a given event based upon threshold settings.

Correct Answer: A

36. What are the three types of audit strategies mentioned in the context of organizational audit strategies?

A. Internal, external, and fourth party
B. Internal, external, and third party
C. First party, second party, and third party
D. Internal, external, and inter-party

Correct Answer: B

37. What are the different types of coverage testing you need to explain for the CISSP exam?

A. Black box, white box, dynamic, static, manual, automated, structural, functional, negative
B. Black box, white box, dynamic, static, manual, automated, structural, positive, negative
C. Black box, white box, dynamic, static, manual, automated, structural, functional, positive
D. Black box, white box, dynamic, static, manual, automated, structural, functional, neutral

Correct Answer: A

38. What is the difference between awareness, training, and education in the context of security process data collection?

A. Awareness refers to the “what” of an organization’s policy or procedure, training refers to the “how,” and education refers to the “why.”
B. Awareness refers to the “how” of an organization’s policy or procedure, training refers to the “why,” and education refers to the “what.”
C. Awareness refers to the “why” of an organization’s policy or procedure, training refers to the “what,” and education refers to the “how.”
D. Awareness, training, and education all refer to the “what” of an organization’s policy or procedure.

Correct Answer: A

39. What is the purpose of breach attack simulations in the context of security controls?

A. Breach attack simulations are where you simulate real-world attacks across your whole environment, typically both automatic and always running.
B. Breach attack simulations are where you simulate real-world attacks in a controlled environment, typically both manual and occasionally running.
C. Breach attack simulations are where you simulate hypothetical attacks across your whole environment, typically both automatic and always running.
D. Breach attack simulations are where you simulate hypothetical attacks in a controlled environment, typically both manual and occasionally running.

Correct Answer: A

40. What is the role of security control compliance checks?

A. Security control compliance checks are regularly performed to assess whether the organization is currently following their controls.
B. Security control compliance checks are occasionally performed to assess whether the organization is currently following their controls.
C. Security control compliance checks are regularly performed to assess whether the organization is currently violating their controls.
D. Security control compliance checks are occasionally performed to assess whether the organization is currently violating their controls.

Correct Answer: A

41. What is the main difference between internal, external, and third-party audit strategies?

A. Internal audits are closely aligned to the organization, external audits ensure procedures/compliance are being followed with regular checks, and third-party audits provide a more in-depth, neutral audit.
B. Internal audits ensure procedures/compliance are being followed with regular checks, external audits are closely aligned to the organization, and third-party audits provide a more in-depth, neutral audit.
C. Internal audits provide a more in-depth, neutral audit, external audits ensure procedures/compliance are being followed with regular checks, and third-party audits are closely aligned to the organization.
D. All three types of audits are closely aligned to the organization.

Correct Answer: A

42. What is the main objective of breach attack simulations?

A. To simulate real-world attacks across the whole environment, typically both automatic and always running
B. To simulate hypothetical attacks across the whole environment, typically both automatic and always running
C. To simulate real-world attacks in a controlled environment, typically both automatic and always running
D. To simulate hypothetical attacks in a controlled environment, typically both automatic and always running

Correct Answer: A

43. What is the main purpose of security control compliance checks?

A. To assess whether the organization is currently following their controls
B. To assess whether the organization is currently violating their controls
C. To assess whether the organization is currently updating their controls
D. To assess whether the organization is currently implementing their controls

Correct Answer: A

44. What is the main purpose of analyzing test output and generating reports in the context of security audits?

A. To handle test results and report any results of concern to management immediately so they can be aware of potential risks and alerts
B. To handle test results and report any results of concern to the IT department immediately so they can be aware of potential risks and alerts
C. To handle test results and report any results of concern to the security team immediately so they can be aware of potential risks and alerts
D. To handle test results and report any results of concern to the stakeholders immediately so they can be aware of potential risks and alerts.

Correct Answer: A

45. What are the two primary categories of assessments that you need to be aware of for the CISSP exam?

A. Formal assessments and informal assessments
B. Formal assessments and no-notice assessments
C. Informal assessments and no-notice assessments
D. Internal assessments and external assessments

Correct Answer: A

46. What are the key elements of an audit report?

A. Purpose, scope, results of the audit, audit events
B. Purpose, scope, results of the audit, audit strategies
C. Purpose, scope, results of the audit, audit techniques
D. Purpose, scope, results of the audit, audit procedures

Correct Answer: A

47. What are the four types of SOC reports?

A. SOC 1 Type 1, SOC 1 Type 2, SOC 2, SOC 3
B. SOC 1, SOC 2 Type 1, SOC 2 Type 2, SOC 3
C. SOC 1, SOC 2, SOC 3 Type 1, SOC 3 Type 2
D. SOC 1 Type 1, SOC 2 Type 1, SOC 3 Type 1, SOC 4

Correct Answer: A

48. What are the two phases in preparing for the SOC audit?

A. Preparations phase and Audit phase
B. Preparations phase and Reporting phase
C. Audit phase and Reporting phase
D. Preparations phase and Review phase

Correct Answer: A

49. What is the main purpose of analyzing test output and generating reports in the context of security audits?

A. To present the data in a meaningful way for most people who need the data
B. To present the data in a raw format for most people who need the data
C. To present the data in a meaningful way for a few gifted people who can draw salient conclusions
D. To present the data in a raw format for a few gifted people who can draw salient conclusions

Correct Answer: A

50. What is the main purpose of “no-notice” assessments?

A. To evaluate the situation without any forewarning of the evaluation
B. To evaluate the situation with prior notice of the evaluation
C. To evaluate the situation with occasional notice of the evaluation
D. To evaluate the situation with frequent notice of the evaluation

Correct Answer: A

51. What is the main purpose of internal assessments?

A. To see if controls meet risk expectations or to see if there are ways to improve efficiency of operations
B. To see if controls exceed risk expectations or to see if there are ways to improve efficiency of operations
C. To see if controls meet risk expectations or to see if there are ways to reduce efficiency of operations
D. To see if controls exceed risk expectations or to see if there are ways to reduce the efficiency of operations

Correct Answer: A

52. Among the following tools, which is predominantly designed to conduct network discovery scans to identify active hosts and open ports?

A. Nmap
B. OpenVAS
C. Metasploit Framework
D. lsof

Correct Answer: A

53. After executing a network port scan from an external network on an internal web server to simulate an attacker’s viewpoint, which scan results should be of utmost concern and warrant immediate attention?

A. Port 80 is open.
B. Port 22 is filtered.
C. Port 443 is open.
D. Port 1433 is open.

Correct Answer: D

You may also like: