
1. The goals of integrity do NOT include:

  A. Accountability of responsible individuals
  B. Prevention of the modification of information by unauthorized users
  C. Prevention of the unauthorized or unintentional modification of information by authorized users
  D. Preservation of internal and external consistency

Answer: A

Hint: The correct answer is A. Accountability is holding individuals responsible for their actions; it is a goal of auditing, not of integrity. Answers B, C, and D are the three goals of integrity.

2. Kerberos is an authentication scheme that can be used to implement:

  A. Public key cryptography
  B. Digital signatures
  C. Hash functions
  D. Single Sign-On (SSO)

Answer: D

Hint: The correct answer is D. Kerberos is a trusted third-party authentication protocol that can be used to implement SSO: the user authenticates once to the Key Distribution Center (KDC) and then obtains tickets for each service without re-entering a password. Answer A is incorrect because public key cryptography is not used in the basic Kerberos protocol. Answer B is a public key-based capability, and answer C is a one-way transformation used to protect stored passwords or as a building block of digital signatures.

3. The fundamental entity in a relational database is the:

  A. Domain
  B. Relation
  C. Pointer
  D. Cost

Answer: B

Hint: The correct answer is B. The fundamental entity in a relational database is the relation, represented as a table of rows (tuples) and columns (attributes). Answer A, the domain, is the set of allowable values for an attribute, and answers C and D are distracters.

4. In a relational database, security is provided to the access of data through:

  A. Candidate keys
  B. Views
  C. Joins
  D. Attributes

Answer: B

Hint: The correct answer is B. A view is a virtual relation that exposes only selected rows and columns of the underlying tables, so a user can be granted access to the view without being granted access to the base tables. Candidate keys (answer A) are the set of unique keys from which the primary key is selected. Answer C, joins, denotes operations that combine relations, and attributes (answer D) are the columns of a relational table.

5. In biometrics, a one-to-one search to verify an individual's claim of an identity is called:

  A. Audit trail review
  B. Authentication
  C. Accountability
  D. Aggregation

Answer: B

Hint: The correct answer is B. A one-to-one comparison of a live sample against the enrolled template of the claimed identity is authentication (verification); a one-to-many search of the whole database is identification. Answer A is a review of audit system data, usually done after the fact. Answer C is holding individuals responsible for their actions, and answer D is obtaining higher-sensitivity information from a number of pieces of information of lower sensitivity.

6. Biometrics is used for identification in the physical controls and for authentication in the:

  A. Detective controls
  B. Preventive controls
  C. Logical controls
  D. Corrective controls

Answer: C

Hint: The correct answer is C. The other answers are different categories of controls: preventive controls attempt to stop attacks or reduce vulnerabilities before an attack occurs; detective controls attempt to determine that an attack is taking place or has taken place; and corrective controls involve taking action to restore the system to normal operation after a successful attack.

7. Referential integrity requires that for any foreign key attribute, the referenced relation must have:

  A. A tuple with the same value for its primary key
  B. A tuple with the same value for its secondary key
  C. An attribute with the same value for its secondary key
  D. An attribute with the same value for its other foreign key

Answer: A

Hint: The correct answer is A. Every non-null foreign key value must match the primary key of some tuple in the referenced relation, so the database must reject an insert that references a non-existent row and a delete that would leave existing rows referencing nothing. Answers B and C are incorrect because "secondary key" is not a valid term in the relational model. Answer D is a distracter because referential integrity has a foreign key referring to a primary key in another relation, not to another foreign key.
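Questions 4 and 7 both describe behaviour that a database enforces. The following added example (not part of the original quiz) shows both with Python's built-in sqlite3 module: a view that hides a salary column and restricts rows, and a foreign key whose referential integrity rejects an orphaned insert and a dangling delete. The schema, the table data and the view name are constructed for illustration.

```python
"""Relational access control through a view, and referential integrity
enforced by a foreign key, using Python's built-in sqlite3 module.
Added example: the schema, the data and the view are constructed."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory database: a department relation, an employee relation
    whose foreign key references it, and a restricted view."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when asked
    con.executescript(
        """
        CREATE TABLE department (
            dept_id INTEGER PRIMARY KEY,
            name    TEXT NOT NULL
        );
        CREATE TABLE employee (
            emp_id  INTEGER PRIMARY KEY,
            name    TEXT NOT NULL,
            salary  INTEGER NOT NULL,
            dept_id INTEGER NOT NULL REFERENCES department(dept_id)
        );
        -- The view is the security boundary: it hides the salary column and
        -- limits rows to one department. Users are granted the view, never
        -- the base tables.
        CREATE VIEW engineering_directory AS
            SELECT e.name AS name, d.name AS department
            FROM employee e JOIN department d ON e.dept_id = d.dept_id
            WHERE d.name = 'Engineering';
        INSERT INTO department VALUES (1, 'Engineering'), (2, 'Finance');
        INSERT INTO employee VALUES
            (10, 'Ada', 120000, 1), (11, 'Grace', 130000, 1), (12, 'Linus', 90000, 2);
        """
    )
    return con


def view_columns(con: sqlite3.Connection) -> list:
    """Column names a user of the view can see (no salary)."""
    cur = con.execute("SELECT * FROM engineering_directory")
    return [d[0] for d in cur.description]


def view_names(con: sqlite3.Connection) -> list:
    """Rows a user of the view can see (no Finance staff)."""
    rows = con.execute("SELECT name FROM engineering_directory ORDER BY name")
    return [r[0] for r in rows]


def insert_orphan(con: sqlite3.Connection) -> bool:
    """Insert an employee whose dept_id matches no department tuple.
    Referential integrity requires a matching primary key, so the DB
    must refuse. Returns True if it did."""
    try:
        con.execute("INSERT INTO employee VALUES (99, 'Mallory', 1, 42)")
        return False
    except sqlite3.IntegrityError:
        return True


def delete_referenced(con: sqlite3.Connection) -> bool:
    """Deleting a department still referenced by employees must fail too."""
    try:
        con.execute("DELETE FROM department WHERE dept_id = 1")
        return False
    except sqlite3.IntegrityError:
        return True


def run_checks() -> dict:
    con = build_db()
    return {
        "columns": view_columns(con),
        "names": view_names(con),
        "orphan_rejected": insert_orphan(con),
        "delete_rejected": delete_referenced(con),
        "employees": con.execute("SELECT COUNT(*) FROM employee").fetchone()[0],
    }


if __name__ == "__main__":
    print(run_checks())
```

Note the PRAGMA: SQLite ships with foreign key enforcement off, so a schema that declares REFERENCES but never turns it on has no referential integrity at all. On server databases the equivalent check is that the base tables carry no direct grants to application users.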

8. A password that is the same for each logon is called a:

  A. Dynamic password
  B. Static password
  C. Passphrase
  D. One-time pad

Answer: B

Hint: The correct answer is B. In answer A, the password changes at each logon. In answer C, a passphrase is a long phrase that the system converts into a password. In answer D, a one-time pad refers to using a random key only once to encrypt a message; it is not a password scheme.

9. Which one of the following is NOT an access attack?

  A. Spoofing
  B. Back door
  C. Dictionary
  D. Penetration test

Answer: D

Hint: The correct answer is D, a distracter. A penetration test is conducted to obtain a high-level evaluation of a system's defenses or to perform a detailed analysis of the information system's weaknesses. A penetration test can determine how a system reacts to an attack, whether or not a system's defenses can be breached, and what information can be acquired from the system. It is performed with the approval of the target organization, which is what distinguishes it from the attacks in answers A, B and C.

10. An attack that uses a detailed listing of common passwords and words in general to gain unauthorized access to an information system is BEST described as:

  A. Password guessing
  B. Software exploitation
  C. Dictionary attack
  D. Spoofing

Answer: C

Hint: The correct answer is C. In a dictionary attack, a list of common words and passwords (usually with simple variations such as capitalization and appended digits) is tried against an account or against stolen password hashes to gain unauthorized access. In answer A, password guessing, the attacker guesses passwords derived from sources such as notes on the user's desk, the user's birthday, a pet's name, social engineering, and so on. Answer B refers to exploiting software vulnerabilities, and answer D, spoofing, is a method used by an attacker to convince an information system that it is communicating with a known, trusted entity.
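As an added example (not part of the original quiz), the following Python runs an offline dictionary attack against stored salted password hashes. The word list, the stored records and the low PBKDF2 iteration count are all constructed for the demonstration; it recovers a static, dictionary-derived password and fails against a randomly generated one, which is the practical lesson behind the question.

```python
"""Offline dictionary attack against stored password hashes, with the
simple mangling rules that make it more than a word-list lookup.
Added example: the word list, the stored records and the iteration
count are constructed for illustration."""
import hashlib
import hmac
import os
import secrets
from typing import Iterator, Optional

ITERATIONS = 1_000  # kept low so the demo runs quickly; production uses far more

# Constructed stand-in for a real dictionary file.
WORDLIST = ["password", "summer", "letmein", "welcome", "dragon", "monkey"]


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str) -> tuple:
    """What the system stores: a per-user random salt and the derived hash."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def candidates(words) -> Iterator[str]:
    """Dictionary words plus common mangling rules (case changes, appended
    digits and years). The attacker tries a small, targeted candidate space
    rather than every possible string, which is the point of the attack."""
    for w in words:
        for base in (w, w.capitalize(), w.upper()):
            yield base
            for suffix in ("1", "123", "!", "2023", "2024"):
                yield base + suffix


def dictionary_attack(salt: bytes, stored: bytes, words=WORDLIST) -> Optional[str]:
    """Return the recovered password, or None if it is outside the candidate
    space. The salt forces the attacker to redo the work for every user;
    it does not protect any one weak password."""
    for cand in candidates(words):
        if hmac.compare_digest(hash_password(cand, salt), stored):
            return cand
    return None


def run_demo() -> dict:
    weak_salt, weak_hash = make_record("Summer2023")                   # static, dictionary-derived
    strong_salt, strong_hash = make_record(secrets.token_urlsafe(16))  # random, high entropy
    return {
        "weak": dictionary_attack(weak_salt, weak_hash),
        "strong": dictionary_attack(strong_salt, strong_hash),
        "candidates_tried": sum(1 for _ in candidates(WORDLIST)),
    }


if __name__ == "__main__":
    print(run_demo())
```

Six words expand to 108 candidates once the mangling rules are applied; real word lists with real rule sets expand to billions, so the only passwords that survive are those that were never in a dictionary to begin with.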

11. A statistical anomaly-based intrusion detection system:

  A. Acquires data to establish a normal system operating profile
  B. Refers to a database of known attack signatures
  C. Will detect an attack that does not significantly change the system's operating characteristics
  D. Does not report an event that caused a momentary anomaly in the system

Answer: A

Hint: The correct answer is A. A statistical anomaly-based intrusion detection system acquires data to establish a normal system operating profile and then alerts on deviations from it. Answer B is incorrect because a signature database is used in signature-based intrusion detection. Answer C is incorrect because a statistical anomaly-based IDS will not detect an attack that does not significantly change the system's operating characteristics. Similarly, answer D is incorrect because a statistical anomaly-based IDS is susceptible to reporting an event that caused only a momentary anomaly in the system (a false positive).
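The three properties in the hint (a learned profile, blindness to low-and-slow attacks, and false alerts on momentary spikes) can all be seen in a few lines. The following is an added example, not from the original quiz or any IDS product: it learns a mean and standard deviation from a constructed stream of failed-logon counts per minute and flags observations by z-score. The training data and the monitored stream are made up.

```python
"""Statistical anomaly-based intrusion detection over a constructed stream
of failed-logon counts per minute. Added example: the training data, the
z-score rule and the test stream are illustrative, not from any product."""
from statistics import mean, pstdev

# Constructed baseline: failed logons per minute during normal operation.
TRAINING = [2, 3, 1, 4, 2, 3, 2, 5, 3, 2, 4, 3, 1, 2, 3, 4, 2, 3, 2, 3]

# Constructed stream to monitor. Index 2 is a brute-force burst, indices
# 4-7 are a "low and slow" guessing attack that hides inside normal
# variation, and index 8 is a one-off spike from a misconfigured script.
STREAM = [3, 2, 40, 2, 4, 4, 4, 4, 12, 3]


def build_profile(samples):
    """Learn the normal operating profile (mean and standard deviation)."""
    mu = mean(samples)
    sigma = pstdev(samples) or 1e-9  # constant training data would otherwise divide by zero
    return mu, sigma


def detect(stream, profile, threshold=3.0):
    """Flag observations whose z-score exceeds the threshold.
    Returns (index, value, z) triples."""
    mu, sigma = profile
    alerts = []
    for i, x in enumerate(stream):
        z = (x - mu) / sigma
        if abs(z) > threshold:
            alerts.append((i, x, round(z, 2)))
    return alerts


def alert_indices(stream=STREAM, training=TRAINING, threshold=3.0):
    """Convenience wrapper returning just the positions that alerted."""
    return [i for i, _, _ in detect(stream, build_profile(training), threshold)]


if __name__ == "__main__":
    profile = build_profile(TRAINING)
    print("profile: mean=%.2f sd=%.2f" % profile)
    for i, x, z in detect(STREAM, profile):
        print(f"minute {i}: {x} failures, z={z}  <-- anomaly")
```

With the default threshold the burst (index 2) and the benign spike (index 8) both alert while the four-per-minute attack never does; lowering the threshold to 1.0 catches the slow attack at the price of alerting on nearly everything, which is the trade-off anomaly detection always forces.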

12. Which one of the following definitions BEST describes system scanning?

  A. An attack that uses dial-up modems or asynchronous external connections to an information system in order to bypass information security control mechanisms
  B. An attack that is perpetrated by intercepting and saving old messages and then sending them later, impersonating one of the communicating parties
  C. Acquisition of information that is discarded by an individual or organization
  D. A process used to collect information about a device or network to facilitate an attack on an information system

Answer: D

Hint: The correct answer is D. Answer A describes a back door attack, answer B is a replay attack, and answer C refers to dumpster diving.

13. In which type of penetration test does the testing team have access to internal system code?

  A. Closed box
  B. Transparent box
  C. Open box
  D. Coding box

Answer: C

Hint: The correct answer is C, open box (also called white box) testing. In answer A, closed box (black box) testing, the testing team does not have access to internal system code. The other answers are distracters.

14. A standard data manipulation and relational database definition language is:

  A. OOD
  B. SQL
  C. SLL
  D. Script

Answer: B

Hint: The correct answer is B. All other answers do not apply.

15. An attack that can be perpetrated against a remote user's callback access control is:

  A. Call forwarding
  B. A Trojan horse
  C. A maintenance hook
  D. Redialing

Answer: A

Hint: The correct answer is A. A cracker can have the legitimate user's number forwarded to another number, so the system's callback reaches the attacker and the control is defeated. Answer B is incorrect because it is an example of malicious code embedded in useful code. Answer C is incorrect because a maintenance hook enables bypassing controls of a system through a means intended for debugging or maintenance. Answer D is incorrect because it is a distracter.

16. The definition of CHAP is:

  A. Confidential Hash Authentication Protocol
  B. Challenge Handshake Authentication Protocol
  C. Challenge Handshake Approval Protocol
  D. Confidential Handshake Approval Protocol

Answer: B

17. Using symmetric key cryptography, Kerberos authenticates clients to other entities on a network and facilitates communications through the assignment of:

  A. Public keys
  B. Session keys
  C. Passwords
  D. Tokens

Answer: B

Hint: The correct answer is B. Session keys are temporary keys issued by the Key Distribution Center (KDC) and used for an allotted period of time as the shared secret between two entities; each party receives the session key encrypted under its own long-term key, so it never travels in the clear. Answer A is incorrect because it refers to asymmetric encryption, which is not used in the basic Kerberos protocol. Answer C is incorrect because a password is not a key (though the client's long-term key is derived from it), and answer D is incorrect because a token generates dynamic passwords.
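Questions 2 and 17 both turn on how the KDC hands out a session key. The following added example (not from the original quiz, and not real Kerberos code) walks a simplified version of the exchange: the KDC seals the session key once under the client's long-term key and once, inside a ticket, under the service's key; the client proves possession with an authenticator; the service opens the ticket and checks it. The encryption is a stand-in built from HMAC-SHA256 (real Kerberos uses AES-based encryption types and an extra ticket-granting-ticket step, both omitted here), and the principal names, password and keys are constructed.

```python
"""Simplified Kerberos-style exchange: the KDC issues a session key that
the client and the service each receive only under their own long-term
key. Added example; the toy cipher, names and keys are constructed and
the TGT step of real Kerberos is omitted."""
import hashlib
import hmac
import json
import os
import time


def derive_key(password: str, salt: bytes) -> bytes:
    """Long-term key from a password (the Kerberos string-to-key step)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption (HMAC keystream XOR + HMAC tag).
    Stand-in for Kerberos' AES modes; not for production use."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("wrong key or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """Holds every principal's long-term key and never reveals them."""
    def __init__(self):
        self.keys = {}

    def issue(self, client: str, service: str, lifetime: int = 300) -> bytes:
        session_key = os.urandom(32)
        expires = int(time.time()) + lifetime
        # Ticket: readable only by the service.
        ticket = seal(self.keys[service], json.dumps(
            {"client": client, "key": session_key.hex(), "expires": expires}).encode())
        # Reply: readable only by the client, so only a holder of the password can use it.
        return seal(self.keys[client], json.dumps(
            {"service": service, "key": session_key.hex(), "ticket": ticket.hex()}).encode())


def client_side(reply: bytes, client_key: bytes, client: str):
    """Open the KDC reply and build an authenticator under the session key."""
    msg = json.loads(unseal(client_key, reply))
    session_key = bytes.fromhex(msg["key"])
    authenticator = seal(session_key, json.dumps(
        {"client": client, "ts": int(time.time())}).encode())
    return session_key, bytes.fromhex(msg["ticket"]), authenticator


def service_side(ticket: bytes, authenticator: bytes, service_key: bytes, skew: int = 300) -> bytes:
    """Validate the ticket and authenticator; return the session key on success."""
    t = json.loads(unseal(service_key, ticket))
    now = int(time.time())
    if t["expires"] < now:
        raise ValueError("ticket expired")
    session_key = bytes.fromhex(t["key"])
    a = json.loads(unseal(session_key, authenticator))
    if a["client"] != t["client"] or abs(a["ts"] - now) > skew:
        raise ValueError("authenticator mismatch or stale")
    return session_key


def run_exchange(registered: str = "correct horse", typed: str = "correct horse") -> bool:
    """Full round trip. True when client and service end up with the same key."""
    salt = b"ALICE@EXAMPLE.COM"
    kdc, fileserver_key = KDC(), os.urandom(32)
    kdc.keys.update({"alice": derive_key(registered, salt), "fileserver": fileserver_key})
    reply = kdc.issue("alice", "fileserver")
    try:
        k_client, ticket, auth = client_side(reply, derive_key(typed, salt), "alice")
        k_service = service_side(ticket, auth, fileserver_key)
    except ValueError:
        return False
    return k_client == k_service


if __name__ == "__main__":
    print("correct password:", run_exchange())
    print("wrong password:  ", run_exchange(typed="wrong guess"))
```

Two things the code makes visible: the password never crosses the network (only the ability to open the reply proves it), and the service never learns the client's key, only the session key inside a ticket it alone can open. The timestamp check in the authenticator is what limits replay of a captured ticket.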

18. Three things that must be considered for the planning and implementation of access control mechanisms are:

  A. Threats, assets, and objectives
  B. Threats, vulnerabilities, and risks
  C. Vulnerabilities, secret keys, and exposures
  D. Exposures, threats, and countermeasures

Answer: B

Hint: The correct answer is B. Threats define the possible sources of security policy violations; vulnerabilities describe weaknesses in the system that might be exploited by the threats; and risk expresses the probability that a threat will exploit a vulnerability. All three must be understood to apply access control meaningfully. Therefore, the other answers are incorrect.

19. In mandatory access control, the authorization of a subject to have access to an object is dependent upon:

  A. Labels
  B. Roles
  C. Tasks
  D. Identity

Answer: A

Hint: The correct answer is A. Mandatory access control uses labels to determine whether a subject can access an object, by comparing the subject's clearance with the object's classification label. Answer B, roles, is applied in nondiscretionary access control, as is answer C, tasks. Answer D, identity, is used in discretionary access control.

20. The type of access control that is used in local, dynamic situations where subjects have the ability to specify what resources certain users can access is called:

  A. Mandatory access control
  B. Rule-based access control
  C. Sensitivity-based access control
  D. Discretionary access control

Answer: D

Hint: The correct answer is D. In discretionary access control the owner of a resource decides who may access it, typically through an access control list. Answers A and B are non-discretionary: access is decided by labels and clearances (A) or by centrally administered rules (B), not by the resource owner. Answer C is a made-up distracter.

21. Role-based access control is useful when:

  A. Access must be determined by the labels on the data.
  B. There are frequent personnel changes in an organization.
  C. Rules are needed to determine clearances.
  D. Security clearances must be used.

Answer: B

Hint: The correct answer is B. Role-based access control is part of nondiscretionary access control; permissions are attached to roles, so a personnel change only alters which role a user holds. Answers A, C and D relate to mandatory access control.
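Questions 19 to 21 contrast three access control models. The following added example (not part of the original quiz) puts a decision function for each side by side in Python: mandatory control by label dominance in the Bell-LaPadula style, discretionary control through an owner-managed ACL, and role-based control where a personnel change touches only the user-to-role assignment. The classification lattice, subjects, objects and roles are constructed.

```python
"""Three access-control decision functions side by side: mandatory (labels
and clearances), discretionary (owner-managed ACLs) and role-based
(permissions attached to roles). Added example; the lattice, subjects,
objects and roles are constructed."""

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


def mac_allows(subject_clearance: str, object_label: str, action: str = "read") -> bool:
    """MAC: label dominance decides, and no owner can override it.
    Simple-security property: read only at or below your clearance.
    *-property: write only at or above it (no write-down), as in Bell-LaPadula."""
    s, o = LEVELS[subject_clearance], LEVELS[object_label]
    return s >= o if action == "read" else s <= o


class DACObject:
    """DAC: the owner decides, locally and at any time, who gets what."""
    def __init__(self, owner: str):
        self.owner = owner
        self.acl = {owner: {"read", "write", "grant"}}

    def grant(self, by: str, to: str, perms) -> None:
        if "grant" not in self.acl.get(by, set()):
            raise PermissionError(f"{by} may not grant on this object")
        self.acl.setdefault(to, set()).update(perms)

    def allows(self, subject: str, action: str) -> bool:
        return action in self.acl.get(subject, set())


class RBAC:
    """RBAC: permissions hang off roles; staff turnover changes only the
    user->role assignments, never the permission sets."""
    def __init__(self):
        self.role_perms = {}
        self.user_roles = {}

    def add_role(self, role: str, perms) -> None:
        self.role_perms[role] = set(perms)

    def assign(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user: str, role: str) -> None:
        self.user_roles.get(user, set()).discard(role)

    def allows(self, user: str, perm: str) -> bool:
        return any(perm in self.role_perms.get(r, ()) for r in self.user_roles.get(user, ()))


def run_demo() -> dict:
    # MAC: a SECRET-cleared analyst may read CONFIDENTIAL but may not write to it.
    mac = {"secret_reads_confidential": mac_allows("SECRET", "CONFIDENTIAL"),
           "confidential_reads_secret": mac_allows("CONFIDENTIAL", "SECRET"),
           "secret_writes_confidential": mac_allows("SECRET", "CONFIDENTIAL", "write")}
    # DAC: alice owns the document and hands bob read access; bob cannot re-grant.
    doc = DACObject("alice")
    doc.grant("alice", "bob", {"read"})
    try:
        doc.grant("bob", "carol", {"read"})
        bob_regrants = True
    except PermissionError:
        bob_regrants = False
    dac = {"bob_reads": doc.allows("bob", "read"),
           "bob_writes": doc.allows("bob", "write"),
           "bob_regrants": bob_regrants}
    # RBAC: dave leaves payroll and erin replaces him; the role is untouched.
    rbac = RBAC()
    rbac.add_role("payroll_clerk", ["view_salary", "run_payroll"])
    rbac.assign("dave", "payroll_clerk")
    dave_before = rbac.allows("dave", "run_payroll")
    rbac.revoke("dave", "payroll_clerk")
    rbac.assign("erin", "payroll_clerk")
    return {"mac": mac, "dac": dac,
            "rbac": {"dave_before": dave_before,
                     "dave_after": rbac.allows("dave", "run_payroll"),
                     "erin": rbac.allows("erin", "run_payroll")}}


if __name__ == "__main__":
    print(run_demo())
```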

22. Clipping levels are used to:

  A. Limit the number of letters in a password.
  B. Set thresholds for voltage variations.
  C. Reduce the amount of data to be evaluated in audit logs.
  D. Limit errors in callback systems.

Answer: C

Hint: The correct answer is C. A clipping level is a threshold below which activity is treated as normal and not reported, so only events that exceed it (for example, more than three failed logons on one account within a short period) reach the audit review; this reduces the volume of data to be evaluated. Answer A is incorrect because clipping levels do not relate to the length of a password. Answer B is incorrect because clipping levels in this context have nothing to do with controlling voltage. Answer D is incorrect because they are not used to limit callback errors.

23. Identification is:

  A. A user being authenticated by the system
  B. A user providing a password to the system
  C. A user providing a shared secret to the system
  D. A user professing an identity to the system

Answer: D

Hint: The correct answer is D. A user presents an ID to the system as identification. Answer A is incorrect because presenting an ID is not an authentication act. Answer B is incorrect because a password is an authentication mechanism. Answer C is incorrect because a shared secret is an authentication (or cryptographic) mechanism, not a claim of identity.

24. Authentication is:

  A. The verification that the claimed identity is valid
  B. The presentation of a user's ID to the system
  C. Not accomplished through the use of a password
  D. Applied only to remote users

Answer: A

Hint: The correct answer is A. Answer B is incorrect because it is an identification act. Answer C is incorrect because authentication can be accomplished through the use of a password. Answer D is incorrect because authentication is applied to local and remote users.

25. An example of two-factor authentication is:

  A. A password and an ID
  B. An ID and a PIN
  C. A PIN and an ATM card
  D. A fingerprint

Answer: C

Hint: The correct answer is C. These items are something you know (the PIN) and something you have (the card). Answer A is incorrect because only one factor is being used, something you know (the password); an ID is a claim of identity, not an authentication factor. Answer B is incorrect for the same reason. Answer D is incorrect because only one factor, something you are, is being used.
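Questions 8 and 25 together describe a static password (something you know) paired with a token that produces dynamic passwords (something you have). The following added example (not part of the original quiz) implements that pairing in Python with a time-based one-time password per RFC 6238 standing in for the token: the server stores a salted password hash and the token's secret, checks both factors, and refuses to accept a used code a second time. The user record, the password and the timestamps are constructed; the HOTP/TOTP arithmetic follows the RFCs.

```python
"""Two-factor authentication: a static password (something you know) plus a
TOTP token generating dynamic one-time passwords (something you have).
Added example; user, password, secret and timestamps are constructed."""
import hashlib
import hmac
import os
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, at // step, digits)


class UserStore:
    def __init__(self):
        self.users = {}

    def enrol(self, name: str, password: str) -> bytes:
        salt = os.urandom(16)
        secret = os.urandom(20)  # provisioned into the user's token exactly once
        self.users[name] = {
            "salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000),
            "totp_secret": secret,
            "last_counter": -1,  # highest time step already consumed
        }
        return secret

    def verify(self, name: str, password: str, code: str, now: int = None) -> bool:
        now = int(time.time()) if now is None else now
        u = self.users.get(name)
        if u is None:
            return False
        pw_ok = hmac.compare_digest(
            hashlib.pbkdf2_hmac("sha256", password.encode(), u["salt"], 10_000), u["pw_hash"])
        # Always evaluate the second factor too, so a failure does not reveal which one failed.
        counter, matched = now // 30, None
        for c in (counter - 1, counter, counter + 1):  # tolerate one step of clock skew
            if c > u["last_counter"] and hmac.compare_digest(hotp(u["totp_secret"], c), code):
                matched = c
        if pw_ok and matched is not None:
            u["last_counter"] = matched  # a one-time password must not be reusable
            return True
        return False


def run_demo() -> dict:
    store = UserStore()
    secret = store.enrol("alice", "hunter2")
    now = 1_700_000_000  # fixed clock so the demo is repeatable
    code = totp(secret, now)
    return {
        "both_factors": store.verify("alice", "hunter2", code, now),
        "replayed_code": store.verify("alice", "hunter2", code, now),
        "wrong_password": store.verify("alice", "letmein", totp(secret, now + 30), now + 30),
        "no_token_code": store.verify("alice", "hunter2", "", now + 60),
    }


if __name__ == "__main__":
    print(run_demo())
```

The replay check is the detail most home-grown implementations miss: a TOTP is only "one-time" if the server remembers the last step it accepted.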

26. In biometrics, a good measure of the performance of a system is the:

  A. False detection
  B. Crossover Error Rate (CER)
  C. Positive acceptance rate
  D. Sensitivity

Answer: B

Hint: The correct answer is B. The CER is the point at which the false acceptance rate (impostors accepted) equals the false rejection rate (legitimate users rejected) as the decision threshold is varied; the lower the CER, the better the system. The other items are distracters.

27. In finger scan technology:

  A. The full fingerprint is stored.
  B. Features extracted from the fingerprint are stored.
  C. More storage is required than in fingerprint technology.
  D. The technology is applicable to large, one-to-many database searches.

Answer: B

Hint: The correct answer is B. Only the features (minutiae) extracted from the fingerprint are stored as a template. Answer A is incorrect because the equivalent of the full fingerprint is not stored in finger scan technology. Answers C and D are incorrect because the opposite is true: finger scan templates need less storage than full fingerprint images, and the technology is suited to one-to-one verification rather than large one-to-many searches.

28. An acceptable biometric throughput rate is:

  A. One subject per two minutes
  B. Two subjects per minute
  C. Ten subjects per minute
  D. Five subjects per minute

Answer: C

29. Which one of the following is NOT a type of penetration test?

  A. Sparse knowledge test
  B. Full knowledge test
  C. Partial knowledge test
  D. Zero knowledge test

Answer: A

Hint: The correct answer is A, a distracter. Full, partial and zero knowledge tests differ in how much information about the target the testing team is given beforehand.

30. Object-Oriented Database (OODB) systems:

  A. Are ideally suited for text-only information
  B. Require minimal learning time for programmers
  C. Are useful in storing and manipulating complex data, such as images and graphics
  D. Consume minimal system resources

Answer: C

Hint: The correct answer is C. The other answers are false: for answer A, relational databases are better suited to text-only information; for answers B and D, OODB systems have a steep learning curve and consume a large amount of system resources.