Tough Questions 71-120

  1. Which of the following key lengths are available in the Rijndael encryption algorithm (Select all that apply)
     
    (a) 64 bits
    (b) 72 bits
    (c) 128 bits
    (d) 112 bits
    (e) 168 bits
    (f) 192 bits
    (g) 256 bits
    (h) 512 bits
     
    Answers:
    (c), (f), (g)
     
    Explanation:
    Technically, Rijndael supports key lengths of 128 bits up to 256 bits, in 32-bit increments, but the AES standard (which uses Rijndael) stipulates only 128, 192 or 256 bit keys.
     
  2. Which of the following are symmetric algorithms?
     
    (a) Serpent
    (b) RSA
    (c) MQV
    (d) Blowfish
    (e) RC5
    (f) Diffie-Hellman
     
    Answers:
    (a), (d), (e)
     
  3. Two different companies are preparing to connect their offices together via an Internet VPN. Before establishing the connection and beginning to share data, which of the following should be in place?
     
    (a) ISA
    (b) SLA
    (c) BIA
    (d) DLP
    (e) IDS
     
    Answer:
    (a)
     
    Explanation:
    An ISA (Interconnection Security Agreement) is used when connecting two organisations with different policies etc. This covers what is going to be accessed, the extent of which, and how it’s going to be secured.
     
  4. Which of the following is a characteristic of ‘star’ topologies?
     
    (a) Collision-free
    (b) Resistant to multi-node failure
    (c) Can only be used with copper cabling
    (d) Limited reliance on a central aggregating device
     
    Answer:
    (b)
     
    Explanation:
    (a) would be true only if the network was implemented using a switch, rather than a hub (both are allowed by the star topology, although hubs are very rarely used in modern networks)
    (b) is true because each node has its own connection to the switch/hub, so the failure of one node (or multiple nodes) wouldn’t affect the remaining nodes
    (c) the topology does not specify a media type
    (d) the star topology relies completely on the central switch/hub
     
  5. Which of the following is NOT one of the five rules of evidence?
     
    (a) Admissible
    (b) Authentic
    (c) Complete
    (d) Auditable
    (e) Reliable
    (f) Believable
     
    Answer:
    (d)
     
  6. Which of the following is an example of tunnelling network traffic?
     
    (a) NAT-T
    (b) Masquerading
    (c) PAT (Port Address Translation)
    (d) SOCKS Proxy
    (e) Stateless NAT64
     
    Answer:
    (a)
     
    Explanation:
    NAT-T = NAT Traversal is a technique that, in essence, allows you to “smuggle things” (tunnel) through an address translator. If you have a type of traffic that is not translatable (of which there are many), one of the things you can do is encapsulate it within something that is translatable.
    With a SOCKS proxy, you establish a connection to the proxy, which in turn goes and fetches the data. There is no tunnelling involved.
    NAT64 (available in stateful and stateless flavours) is an IPv6-IPv4 translation technique, not a tunnelling technique.
     
  7. You are evaluating the merits of differential & incremental backup strategies. Which of the following is true?
     
    (a) Differentials begin with a full backup, incrementals do not
    (b) Incremental backups do not evaluate the archive bit when determining if a file should be backed up
    (c) Differential backups only backup files modified since the previous differential or full backup
    (d) Compared to differentials, a complete restore will take longer if using an incremental strategy
    (e) A ‘copy’ backup cannot be used if using a differential backup strategy
     
    Answer:
    (d)
     
    Explanation:
    (b) is incorrect – both differential & incremental evaluate the archive bit, although only full & incremental reset the archive bit
    (c) is incorrect because differential backups backup files since the previous full backup (or the previous incremental backup), not the previous differential backup
    (e) Note that a copy backup is just a full backup that doesn’t reset the archive bit
     
  8. 802.2 and 802.3 correspond to which of the following standards? (Choose two)
     
    (a) 802.2 is a security standard for port-based access control
    (b) 802.3 is an Ethernet standard for Media Access Control (MAC)
    (c) 802.2 is a LAN standard for token ring
    (d) 802.3 is a standard for wireless LANs
    (e) 802.2 is an Ethernet standard for Logical Link Control (LLC)
    (f) 802.3 is a standard for Bluetooth
    (g) 802.2 is a standard for WiMAX
     
    Answers:
    (b), (e)
     
  9. Which of the choices listed is NOT a characteristic of IPv6?
     
    (a) Fixed-size header
    (b) No IPv6 header checksum
    (c) 128-bit source address
    (d) 16-bit TTL field in header
    (e) Extension Headers
    (f) 20-bit Flow Label
     
    Answer:
    (d)

    Explanation:
    (a) IPv6 has a fixed-size header of 40 bits, unlike IPv4 with a variable size header
    (b) IPv6 does not have a header checksum, unlike IPv4
    (c) IPv6 addresses are 128 bits long
    (d) IPv6 has no TTL (Time-To-Live) field – it is now called Hop Limit, and it’s an 8-bit field (as was the TTL field in IPv4)
    (e) IPv6 has an Extension Headers field which essentially replaces the IPv4 Protocol ID field
     
  10. IPSec is comprised of a number of different protocols which work collectively to establish a level of security desired by a system administrator. Which of the following components of an IPSec connection is responsible for authenticating parties & establishing security associations?
     
    (a) Authentication Headers (AH)
    (b) Encapsulating Security Payload (ESP)
    (c) Internet Key Exchange (IKE)
    (d) User Datagram Protocol (UDP)
    (e) Diffie-Hellman Key Exchange (DH)
     
    Answer:
    (c)
     
  11. Which of the following algorithms were considered by NIST to become the new Advanced Encryption Standard? (Choose four)

    (a) RC6
    (b) Blowfish
    (c) Twofish
    (d) Serpent
    (e) scrypt
    (f) Rijndael
    (g) Whirlpool
    (h) SHA-512
     
    Answers:
    (a), (c), (d), (f)
     
    Explanation:
    MARS was the other AES finalist, and of course Rijndael was the eventual winner.
     
  12. Which of the following best describes the domain of a relation in a relational database?
     
    (a) A named set of possible values for an attribute, all of the same type
    (b) All tuples in a relation
    (c) All the attributes of a relation
    (d) The cardinality of a relation
    (e) The degree of attributes in a relation
     
    Answer:
    (a)
     
    Explanation:
    Relation = table
    Attribute = column
    Tuple = row
    Cardinality = number of rows (tuples)
    Degree = number of columns (attributes)

    The domain of a relation (table) is all possible values of a column (attribute)
     
  13. Both IPv4 and IPv6 operate at Layer 3 of the OSI model. Which of the following is NOT a field in an IPv4 header?
     
    (a) TTL
    (b) Protocol ID
    (c) Flow Label
    (d) Version
    (e) Source IP Address
    (f) Fragment Offset
    (g) Checksum
     
    Answer:
    (c)
     
    Explanation:
    Flow Label is a field in an IPv6 header, but does not exist in an IPv4 header
    TTL, Protocol ID, Fragment Offset & Checksum are in IPv4, not IPv6
    Version & Source IP address are in both
     
  14. Which of the following firewall types provides you the LEAST amount of control over network traffic?
     
    (a) Application layer firewalls
    (b) MAC filters on an L2 switch
    (c) Packet filtering routers
    (d) Stateful firewalls
    (e) Proxy servers
     
    Answer:
    (c)
     
    Explanation:
    (a) gives a large amount of control
    (b) is not a firewalling technique
    (c) examine the source and/or destination of traffic at Layer 3 and/or 4, but that’s it (they don’t look at the payload, the relationship of one packet to another packet, whether it’s part of an established connection – every packet is evaluated in isolation)
    (d) typically operate on the same sort of logic as (c) but take it a step further by maintaining a state table to determine traffic passing through the device and dynamically create reciprocal entries – greater level of control with lower administrative effort
    (e) offer a higher level of control than (c)
     
  15. By what mechanism does an IPv6 node resolve an IP address to a MAC address?
     
    (a) Using the Address Resolution Protocol
    (b) Using mDNS for local name resolution
    (c) Using Solicited Node Multicast Address
    (d) Using SLAAC
    (e) Sending a multicast query to FF02::1
    (f) IPv6 does not use MAC addresses
     
    Answer:
    (c)
     
    Explanation:
    (a) ARP does not exist in IPv6.
    (b) mDNS is multicast DNS (often used as a replacement for NetBIOS)
    (c) IPv6 resolution of IP address to MAC address is via an ICMP multicast to a Solicited Node Multicast Address, a fixed 104-bit value concatenated with the low order 24 bits of the IP address you’re looking for. In most circumstances (although not guaranteed), this will produce a unique multicast address, meaning there is a high degree of likelihood that only the node you’re looking for will receive the solicitation (unlike ARP which broadcasts indiscriminately) – more efficient and marginally more secure.
    (d) SLAAC (StateLess Address AutoConfiguration) is the mechanism by which IPv6 nodes can automatically configure themselves, given an address prefix.
    (e) FF02::1 is the all-nodes multicast address on an IPv6 local segment (the closest to an IPv4 broadcast, as broadcasts don’t exist in IPv6) but isn’t the method used to resolve an IP address to MAC address
    (f) MAC is an Ethernet concept residing at Layer 1, so IPv6 still has to use MAC addresses
     
  16. An IT contingency planning process consists of seven broad steps. Which of the following is one of those steps? (Choose two)
     
    (a) Define metrics to be gathered
    (b) Develop recovery strategies
    (c) Respond to management with mitigation steps
    (d) Perform functional & security testing
    (e) Identifying preventive controls
    (f) Obtain formal authorisation to operate (ATO)
     
    Answers:
    (b), (e)
     
  17. Which of the following RAID solutions provides the SMALLEST net usable space?
     
    (a) RAID 0
    (b) RAID 1
    (c) RAID 3
    (d) RAID 5
     
    Answer:
    (b)
     
    Explanation:
    (a) provides the most space, no redundancy
    (b) you lose half of your disk space
    (c) you lose 1/x disk space (i.e. if you have 3 disks, 1/3rd)
    (d) you lose 1/x disk space (minimum of 3 disks, so 1/3rd)
     
  18. What is the purpose of a Hamming code?
     
    (a) It is used for data transposition in encryption processes
    (b) It is used as a data encoding mechanism for 802.11 WLANs
    (c) It is used to detect & correct errors in data
    (d) It is used to calculate CRC checksums in Ethernet frames
     
    Answer:
    (c)
     
    Explanation:
    Often used in RAID to provide parity.
     
  19. Your organisation has been allocated a public network with a /28 prefix. There are 2,000 employees. You need to provide Internet connectivity for workstations, mobile devices and on-site Windows & Linux servers. Which of the following will allow this?
     
    (a) NAT: configure static translations
    (b) PAT: translate MAC, IP & TCP/UDP ports
    (c) HTTP proxy: forward all Internet traffic to the proxy
    (d) NAT: translate IP addresses dynamically from a pool
    (e) PAT: translate IP & TCP/UDP ports to one or more public addresses
    (f) SOCKS proxy: relay all device traffic through the proxy
     
    Answer:
    (e)
     
    Explanation:
    (a) The /28 prefix only gives you 14 public addresses, and you would need 2,000+ to configure static translations.
    (b) PAT does not translate MAC addresses
    (c) would only support HTTP, not all Internet services
    (d) still wouldn’t work because you only have a pool of 14 public addresses between 2,000 devices
    (e) PAT (which most people colloquially call NAT) will allow you to share one or more public addresses among multiple nodes
    (f) is a viable solution but not the norm these days, and it’s not easy to configure devices
     
  20. Which of the following is a key concern for ephemeral Diffie-Hellman key exchanges?
     
    (a) Forward secrecy is not available
    (b) No authentication
    (c) Weak encryption
    (d) ‘Long-term’ private key compromise allows for viewing of data
     
    Answer:
    (b)
     
    Explanation:
    (a) Ephemeral Diffie-Hellman provides forward secrecy by generating new per-session keys each time you do a key exchange
    (b) Both ephemeral and standard Diffie-Hellman don’t natively support authentication
    (d) The private key is ephemeral so this is not true (even in static DH, a compromise of the long-term key would not allow for viewing of the data)
     
  21. Which audit framework and methodology focuses on the delivery of capability rather than focusing on a specific technology?
     
    (a) COBIT
    (b) ISO 27000
    (c) ITIL
    (d) COSO
     
    Answer:
    (b)
     
  22. Select the FOUR correct steps from the following list, and put them in order of a federated identity connection using SAML.
     
    (a) Get SAML token
    (b) Authenticate
    (c) Generate SAML key
    (d) Request access to resources
    (e) Validate token
     
    Answers:
    (b), (a), (d), (e)

    Explanation:
    User authenticates, gets a SAML token and requests access to resources. The service will then validate the token, and then the access is provided.
    Generating a SAML key is not part of this process.
     
  23. Which of these in-transit encryption types can be either symmetric or asymmetric?
     
    (a) Circuit encryption
    (b) Link encryption
    (c) Tunnel encryption
    (d) Transport encryption
     
    Answer:
    (d)
     
    Explanation:
    Link & tunnel encryption are based on symmetric encryption.
    Transport encryption can be based on either symmetric or asymmetric encryption.
    Circuit encryption is a distractor answer.
     
  24. The method of controlling which traffic is forwarded between network segments is commonly known as:
     
    (a) Network perimeters
    (b) Network segregation
    (c) Network partitioning
    (d) Network boundaries
     
    Answer:
    (c)
     
  25. An ACK storm starts with a(n) ______, confusing the receiving system since there is no preceding SYN or FIN flagged packet.
     
    (a) SYN/ACK
    (b) SYN
    (c) FIN
    (d) ACK
     
    Answer:
    (d)
     
  26. Which type of proxy can be defined as being able to relay traffic from a trusted end-point running a specific application to an untrusted end-point?
     
    (a) Reverse proxy
    (b) Application-level proxy
    (c) Transparent proxy
    (d) Suffix proxy
     
    Answer:
    (b)
     
    Explanation:
    The two basic types of proxies are:
    – circuit-level, which creates a conduit through which a trusted host can communicate with an untrusted host, and encompasses a number of protocols
    – application-level, which relays traffic from a trusted endpoint, running through a specific application to an untrusted end-point
     
  27. Which of the following is NOT considered a class of instant messaging presented to the public?
     
    (a) Server-oriented networks
    (b) Brokered communication
    (c) Peer-to-peer networks
    (d) Point-to-point tunnelling
     
    Answer:
    (d)
     
    Explanation:
    Instant messaging systems can generally be categorised in three classes: peer-to-peer networks, brokered communication, and server-oriented networks.
     
  28. Of the following, which is an example of multi-factor authentication? (Select all that apply)
     
    (a) A split-knowledge system
    (b) A username with an iris scan
    (c) A smartcard and a PIN
    (d) A password and a PIN
    (e) A passphrase and a CAPTCHA challenge
    (f) A passphrase and a Pre-Shared Key
     
    Answer:
    (c)
     
    Explanation:
    There is in fact only one correct answer.
    (a) A split-knowledge system involves a password being split into two or more parts, where only one person knows each part. It’s still single factor.
    (b) This is considered single-factor – an iris scan is “something you are” but a username doesn’t qualify as “something you know” since it’s considered public information
    (c) A smartcard is “something you have” and a PIN is “something you know”, so this qualifies
    (d) A password and a PIN are both “something you know” – two of the same factor is considered single factor
    (e) CAPTCHA is not an authentication factor
    (f) As (d), both “something you know”
     
  29. As it relates to the EU’s General Data Protection Regulation, which of these have been added (to what was already included in the EU Data Protection Directives) under the requirement to protect Personally Identifiable Information?
     
    (a) Physical/physiological characteristics
    (b) Genetics
    (c) Identification number
    (d) Mental status
    (e) Location data
    (f) Economic status
    (g) Cultural or social identity
    (h) Online identifiers
     
    Answers:
    (e), (h)
     
    Explanation:
    (a), (b), (c), (d), (f) & (g) already existed in the DPD
    (e) & (h) were not in the DPD but are now part of GDPR
     
  30. Which of the following is a NEW requirement for the EU General Data Protection Regulation (GDPR)?
     
    (a) Data cannot be disclosed without data subject’s consent
    (b) Data can only be used for the purpose stated when collected
    (c) Subjects can access their data and make corrections when inaccurate
    (d) Subjects have the right to be forgotten
    (e) Subjects must consent to data collection
    (f) Collected data should be kept secure from potential abuse
     
    Answer:
    (d)
     
    Explanation:
    All the other options are included in GDPR, but also existed prior to GDPR.
     
  31. Which of the following is a violation of the principle of least privilege? (Select all that apply)
     
    (a) Giving an auditor read & write permissions for system log files
    (b) Installing access control units on elevators, limiting staff to job-related floors
    (c) Requiring users to enter only a username and password to log into a system
    (d) Placing a Linux sysadmin in the Domain Admins group in Active Directory
    (e) Granting software developers access to production systems
     
    Answers:
    (a), (d)
     
    Explanation:
    (e) is not a violation of least privileges – remember, software developers are people too, so likely require access to production systems e.g. email, but this is in their capacity as regular users. Granting software developers access to production systems in their role of software developers is a problem, but would be a violation of separation of duties, not of least privilege.
     
  32. Confidentiality is a critical component of modern distributed computing systems. Which of the following represents the greatest challenge to providing confidentiality for such an environment?
     
    (a) Heterogeneity of systems
    (b) Lack of protocol standardisation
    (c) Network scalability
    (d) Inadequate system transparency
    (e) Missing digital signatures
    (f) Transmitting unencrypted data
     
    Answer:
    (f)
     
    Explanation:
    (a) & (b) are valid concerns, but are more related to interoperability/availability than confidentiality
    (f) In a distributed computing system, you may have a secure connection to the node you’re immediately accessing, but this may send/receive unencrypted data further along the chain – do you have a guarantee of end-to-end encryption?
     
  33. Which of the following is NOT an element of the risk analysis process?
     
    (a) Analysing an environment for risks
    (b) Creating a cost/benefit report for safeguards, to present to upper management
    (c) Selecting & implementing appropriate safeguards
    (d) Evaluating each threat’s likelihood of occurring, and cost of damage
     
    Answer:
    (c)
     
    Explanation:
    Selecting safeguards is a task of upper management, based on the results of risk analysis. It falls under the wider risk management piece, but is not part of the risk analysis process.
     
  34. Which of the following represents accidental or intentional exploitations of vulnerabilities?
     
    (a) Threat events
    (b) Risks
    (c) Threat agents
    (d) Breaches
     
    Answer:
    (a)
     
  35. When a safeguard or a countermeasure is not present, or not sufficient, what remains?
     
    (a) Vulnerability
    (b) Exposure
    (c) Risk
    (d) Penetration
     
    Answer:
    (a)
     
    Explanation:
    Remember that vulnerability is the absence or weakness of a countermeasure.
     
  36. The Active Directory domain administrator has created a security group called “Project Z”, and added members of the Project Z team to the group. He then configures a Group Policy Object that allows only that group to access Project Z servers on the network. What type of access control is this an example of?
     
    (a) Discretionary access control
    (b) Context-dependent access control
    (c) Non-discretionary access control
    (d) View-based access control
     
    Answer:
    (c)
     
    Explanation:
    This is an example of role-based access control – granting privileges to roles, and adding users to those roles. RBAC is a type of non-discretionary access control.
    Discretionary access control is granting users direct privileges, and context-dependent access control uses various metrics to control access (e.g. time of day).
    View-based access control is associated with databases: creating constrained views to limit what users can see.
     
  37. You are developing an attack tree for a web application, and as part of the process you are attempting to anticipate your potential attackers. Which of the following will you need to identify in order to accurately characterise a likely adversary? (Choose three)
     
    (a) Ease of vulnerability discovery
    (b) Attacker motive
    (c) Damage potential
    (d) Opportunity
    (e) Trust boundaries
    (f) Means
    (g) Exploitability
     
    Answers:
    (b), (d), (e)
     
    Explanation:
    Motive, opportunity & means (MOM!) are the three elements to characterise attackers.
    (a), (c) & (g) are elements of the DREAD model for assessing risk, not attackers.
    Trust boundaries are an element of the STRIDE threat modelling methodology.
     
  38. Which of the following are generally not included in BIA recovery timeframe assessments? (Select two)
     
    (a) RPO
    (b) MTBF
    (c) MTD
    (d) RTO
    (e) MTBSI
    (f) TTR
     
    Answers:
    (b), (e), (f)
     
    Explanation:
    MTBF (Mean Time Between Failures) and MTBSI (Mean Time Between Service Incidents) are not included in BIA recovery timeframe assessments.
    TTR is a distractor answer.
     
  39. What are the four main steps of the business continuity planning process, in the correct order?
     
    (a) Business organisation analysis, project scope & planning, continuity planning, approval & implementation
    (b) Project scope & planning, business organisation analysis, continuity planning, approval & implementation
    (c) Project scope & planning, business impact assessment, continuity planning, approval & implementation
    (d) Business impact assessment, project scope & planning, continuity planning, approval & implementation
     
    Answer:
    (c)
     
  40. What critical components should be included in your business continuity training plan? (Select all that apply)
     
    (a) Specific training for individuals with direct involvement (e.g. members of BCP team)
    (b) Specific training for individuals with indirect involvement
    (c) Specific training for all employees
    (d) Plan overview briefing for all employees
     
    Answers:
    (a), (b), (d)
     
    Explanation:
    The BCP training plan should include a plan overview briefing for all employees, and specific training for individuals with direct or indirect involvement with BCP activities. Specific training (beyond an overview briefing) is not generally required for all employees.
     
  41. What is the first step that individuals responsible for the development of a business continuity plan should perform?
     
    (a) BCP team selection
    (b) Business organisation analysis
    (c) Resource requirements analysis
    (d) Legal & regulatory assessment
     
    Answer:
    (a)
     
  42. Once the BCP team is selected, what should be the first item placed on their agenda?
     
    (a) Business impact assessment
    (b) Business organisation analysis
    (c) Resource requirements analysis
    (d) Legal & regulatory assessment
     
    Answer:
    (b)
     
  43. What will be the major resource consumed during the BC planning phase?
     
    (a) Hardware
    (b) Software
    (c) Processing time
    (d) Personnel
     
    Answer:
    (d)
     
  44. Which task of BCP bridges the gap between the BIA and the continuity planning phases?
     
    (a) Resource prioritisation
    (b) Likelihood assessment
    (c) Strategy development
    (d) Provisions & processes
     
    Answer:
    (c)
     
  45. In which BCP task would you actually design procedures & mechanisms to mitigate risks deemed unacceptable by the BCP team?
     
    (a) Strategy development
    (b) Business impact assessment
    (c) Provisions & processes
    (d) Resource prioritisation
     
    Answer:
    (c)
     
  46. What type of mitigation provision is utilised when redundant comms links are installed?
     
    (a) Hardening systems
    (b) Defining systems
    (c) Reducing systems
    (d) Alternative systems
     
    Answer:
    (d)
     
    Explanation:
    The two main mitigation provisions for systems (and indeed facilities) are hardening systems and alternative systems. Hardening systems refers to improving protection of existing systems, while alternative systems include redundant components, systems, links or entire facilities.
     
  47. Which of the following are characteristics of both TCP and UDP? (Choose two)
     
    (a) Both use sequence and acknowledgement
    (b) Both can carry DNS payloads
    (c) Both implement windowing
    (d) Both implement a header checksum
    (e) Both use control bits to track connection state
     
    Answers:
    (b), (d)
     
    Explanation:
    TCP is a connection-oriented protocol with all of the above characteristics.
    UDP is a connectionless protocol so does not implement (a), (c) & (e). It does implement a header checksum.
    Note that header checksums only check integrity of the header, not the payload. IPv4 also uses a header checksum, IPv6 does not – but TCP/UDP over IPv6 still retains its header checksum.
    DNS uses UDP port 53 for lookups and TCP port 53 for zone transfers (it can also be configured to use TCP for lookups, but this is not the default).
     
  48. An organisation that uses PIV cards for desktop computer logins and physical access to locations in the facility wants to extend PIV-based authentication to the increasing number of company-issued smartphones & tablets. Which of the following will provide the BEST authentication security and the MOST seamless user experience?
     
    (a) MicroSD authentication tokens
    (b) TOTP authentication using a key fob or mobile app
    (c) Derived PIV credentials stored securely on device
    (d) USB PIV card reader connected to device
     
    Answer:
    (c)
     
    Explanation:
    A PIV card (or CAC – Common Access Card) is a FIPS 401 compliant smart card. Derived PIV allows you to run a virtual PIV card on your mobile or desktop device, and would be the most secure and certainly most seamless option here. (a) is not really a practical answer, (b) is not seamless and (d) would work but using an external card reader with a mobile device would be cumbersome.
     
  49. You have been tasked with reducing the likelihood that nodes in your network can forward packets with spoofed source IP addresses. Which of the following is the BEST way to accomplish this?
     
    (a) Use SNMP to generate a list of allowed MACs for each VLAN
    (b) Implement ACLs on each router interface, allowing only traffic sourced from the local segment
    (c) Enable MLD snooping on Layer 2 switches
    (d) Configure Reverse Path Forwarding on the routers
     
    Answer:
    (d)
     
    Explanation:
    (a) would not help and neither would (c) – MLD snooping is a multicast distribution technique that is outside of the scope of CISSP.
    (b) would work but is very labour-intensive and error prone
    (d) Reverse Path Forwarding is essentially where a router examines the source address of the packet presenting at the network interface, and asks “if I were sending a packet TO this address, would I send it from this interface?” If the answer is no, the packet is highly likely to be spoofed, and will be dropped.
     
  50. Which criminal law was the first to implement penalties for the creation of viruses, worms & other types of malicious code that cause harm to computer systems?
     
    (a) Computer Security Act
    (b) National Infrastructure Protection Act
    (c) Computer Fraud & Abuse Act
    (d) Electronic Communications Privacy Act
     
    Answer:
    (c)
