Pass the ISC 2 Credentials CISSP Questions and answers with ExamsMirror

The method that prevents improper aggregation of privileges in role based access control (RBAC) is dynamic separation of duties. RBAC is a type of access control model that assigns permissions and privileges to users or devices based on their roles or functions within an organization, rather than their identities or attributes. RBAC can simplify and streamline the access control management, as it can reduce the complexity and redundancy of the permissions and privileges. However, RBAC can also introduce the risk of improper aggregation of privileges, which is the situation where a user or a device can accumulate more permissions or privileges than necessary or appropriate for their role or function, either by having multiple roles or by changing roles over time. Dynamic separation of duties is a method that prevents improper aggregation of privileges in RBAC, by enforcing rules or constraints that limit or restrict the roles or the permissions that a user or a device can have or use at any given time or situation.

A. Hierarchical inheritance is not a method that prevents improper aggregation of privileges in RBAC, but rather a method that enables proper delegation of privileges in RBAC. Hierarchical inheritance is a method that allows the roles or the permissions in RBAC to be organized and structured in a hierarchical or a tree-like manner, where the higher-level roles or permissions can inherit or include the lower-level roles or permissions. Hierarchical inheritance can facilitate the delegation of privileges in RBAC, as it can ensure that the roles or the permissions are consistent and compatible with the organizational hierarchy or the business logic.

C. The Clark-Wilson security model is not a method that prevents improper aggregation of privileges in RBAC, but rather a type of access control model that enforces the integrity or the accuracy of the data or the transactions within an information system. The Clark-Wilson security model is a type of access control model that defines and regulates the access and the operations that the users or the devices can perform on the data or the transactions, based on the concepts of well-formed transactions, separation of duties, and auditing. The Clark-Wilson security model can prevent unauthorized or improper modification or manipulation of the data or the transactions, by ensuring that the access and the operations are valid and verified.

D. The Bell-LaPadula security model is not a method that prevents improper aggregation of privileges in RBAC, but rather a type of access control model that enforces the confidentiality or the secrecy of the data or the information within an information system. The Bell-LaPadula security model is a type of access control model that defines and regulates the access and the operations that the users or the devices can perform on the data or the information, based on the concepts of security levels, security labels, and security rules. The Bell-LaPadula security model can prevent unauthorized or improper disclosure or leakage of the data or the information, by ensuring that the access and the operations are consistent and compliant with the security policies.

References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 6, page 349; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 6, page 310

 According to the CISSP CBK Official Study Guide, a vulnerability in hardware would be the most difficult to detect. A vulnerability is a weakness or exposure in a system, network, or application, which may be exploited by threats and cause harm to the organization or its assets. A vulnerability can exist in various components of a system, network, or application, such as the kernel, the shared libraries, the hardware, or the system application. A vulnerability in hardware would be the most difficult to detect, as it may require physical access, specialized tools, or advanced skills to identify and measure the vulnerability. Hardware is the physical or tangible component of a system, network, or application that provides the basic functionality, performance, and support for the system, network, or application, such as the processor, memory, disk, or network card. Hardware may have vulnerabilities due to design flaws, manufacturing defects, configuration errors, or physical damage. A vulnerability in hardware may affect the security, reliability, or availability of the system, network, or application, such as causing data leakage, performance degradation, or system failure. A vulnerability in the kernel would not be the most difficult to detect, although it may be a difficult to detect. The kernel is the core or central component of a system, network, or application that provides the basic functionality, performance, and control for the system, network, or application, such as the operating system, the hypervisor, or the firmware. The kernel may have vulnerabilities due to design flaws, coding errors, configuration errors, or malicious modifications. A vulnerability in the kernel may affect the security, reliability, or availability of the system, network, or application, such as causing privilege escalation, system compromise, or system crash. A vulnerability in the kernel may be detected by using various tools, techniques, or methods, such as code analysis, vulnerability scanning, or penetration testing. A vulnerability in the shared libraries would not be the most difficult to detect, although it may be a difficult to detect. The shared libraries are the reusable or common components of a system, network, or application, that provide the functionality, performance, and compatibility for the system, network, or application, such as the dynamic link libraries, the application programming interfaces, or the frameworks. 

The primary characteristic of a Distributed Denial of Service (DDoS) attack is that it looks like normal network activity. A DDoS attack is a type of attack or a threat that aims or intends to disrupt or to degrade the availability or the performance of a system or a service, by overwhelming or flooding the system or the service with a large amount or a high volume of traffic or requests, from multiple or distributed sources or locations, such as the compromised or infected computers, devices, or networks, that are controlled or coordinated by the attacker or the malicious actor. The primary characteristic of a DDoS attack is that it looks like normal network activity, which means that it is difficult or challenging to detect or to prevent the DDoS attack, as it is hard or impossible to distinguish or to differentiate the legitimate or the authentic traffic or requests from the illegitimate or the malicious traffic or requests, and as it is hard or impossible to block or to filter the illegitimate or the malicious traffic or requests, without affecting or impacting the legitimate or the authentic traffic or requests. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 4, page 115; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 4, page 172

 The biggest weakness when using native Lightweight Directory Access Protocol (LDAP) for authentication is that passwords are passed in clear text over the network, exposing them to eavesdropping and interception attacks. To mitigate this risk, LDAP should be used with encryption protocols, such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS), or with authentication protocols, such as Kerberos or Simple Authentication and Security Layer (SASL).

A. Authorizations are not included in the server response is not the biggest weakness when using native LDAP for authentication, but rather a limitation of the protocol that requires additional mechanisms to implement access control policies.

B. Unsalted hashes are passed over the network is not the biggest weakness when using native LDAP for authentication, but rather a potential vulnerability of the password storage scheme that could expose passwords to brute-force or dictionary attacks.

C. The authentication session can be replayed is not the biggest weakness when using native LDAP for authentication, but rather a possible threat that could compromise the confidentiality and integrity of the session data.

References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5, page 281; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 5, page 230

According to the CISSP All-in-One Exam Guide3, a Host Based Intrusion Detection System (HIDS) identifies a potential attack by examining log messages or other indications on the system. This means that a HIDS is a type of intrusion detection system that monitors the activities and events that occur on a specific host, such as a server or a workstation, and analyzes them for signs of malicious or unauthorized behavior. A HIDS can examine various sources of data on the host, such as system logs, audit trails, registry entries, file system changes, network connections, and so on. A HIDS does not identify a potential attack by monitoring alarms sent to the system administrator, as this is a function of the intrusion detection system management console, which receives and displays the alerts generated by the HIDS. A HIDS does not identify a potential attack by matching traffic patterns to virus signature files, as this is a function of an antivirus software, which scans the incoming and outgoing data for known malware signatures. A HIDS does not identify a potential attack by examining the Access Control List (ACL), as this is a mechanism that defines the permissions and restrictions for accessing a resource, not a source of intrusion detection data. 

The organizational department that is ultimately responsible for information governance related to e-mail and other e-records is the legal department. Information governance is the process that involves defining, implementing, and enforcing the policies, standards, and procedures for the management and protection of the information assets of an organization, such as e-mail and other e-records. The legal department is ultimately responsible for information governance related to e-mail and other e-records, as it is responsible for ensuring the compliance of the information assets with the legal, regulatory, or contractual requirements, and for addressing the legal issues or risks associated with the information assets, such as litigation, discovery, or retention. The legal department can oversee and coordinate the information governance related to e-mail and other e-records, and collaborate with the other departments, such as IT, security, or audit, to implement and monitor the information governance policies, standards, and procedures . References: [CISSP CBK, Fifth Edition, Chapter 2, page 106]; [100 CISSP Questions, Answers and Explanations, Question 16].

The primary action that should be taken to improve SIEM performance in a situation where several unsuccessful login attempts are reported by a security audit but not by the SIEM system is to confirm alarm thresholds. A SIEM system is a tool that collects, correlates, analyzes, and reports on security events and incidents from various sources, such as logs, sensors, or agents. A SIEM system can also generate alerts or alarms based on predefined rules or thresholds that indicate a potential security issue or violation. However, if the SIEM system is not configured properly, it may miss some important events or incidents, or generate too many false positives or negatives. Therefore, it is important to confirm that the alarm thresholds are set appropriately, based on the risk appetite, the baseline behavior, and the security objectives of the organization. The alarm thresholds should be neither too high nor too low, to avoid missing or ignoring real threats, or overwhelming or desensitizing the security analysts. References: CISSP All-in-One Exam Guide, Chapter 7: Security Operations, Section: Security Information and Event Management, pp. 837-838.

The most comprehensive Business Continuity (BC) test is the full interruption test. A full interruption test is a type of BC test that involves shutting down the primary site or system and activating the alternate site or system, as if a real disaster has occurred. A full interruption test is the most realistic and effective way to evaluate the BC plan, as it tests the actual recovery capabilities and performance of the organization under a simulated disaster scenario. A full interruption test can measure the recovery time objective (RTO), recovery point objective (RPO), and other metrics of the BC plan, as well as identify any gaps, issues, or weaknesses in the plan. A full interruption test can also test the communication, coordination, and documentation of the BC team, as well as the awareness, readiness, and resilience of the organization. However, a full interruption test is also the most risky and costly type of BC test, as it can disrupt the normal operations and services of the organization, cause potential loss of revenue or reputation, and expose the organization to legal or regulatory liabilities. Therefore, a full interruption test should be carefully planned, approved, and executed, with proper backup, contingency, and rollback measures in place. A full functional drill, a full table top, and a full simulation are not the most comprehensive BC tests. A full functional drill is a type of BC test that involves performing the actual recovery procedures and tasks at the alternate site or system, without shutting down the primary site or system. A full functional drill is less realistic and effective than a full interruption test, as it does not test the actual switch-over and switch-back processes of the BC plan. A full table top is a type of BC test that involves discussing and reviewing the BC plan and procedures with the BC team and stakeholders, using a simulated disaster scenario. A full table top is less realistic and effective than a full interruption test, as it does not test the actual execution and performance of the BC plan. A full simulation is a type of BC test that involves simulating the recovery environment and activities at the alternate site or system, using a computer model or a virtual machine, without shutting down the primary site or system. A full simulation is less realistic and effective than a full interruption test, as it does not test the actual recovery capabilities and performance of the organization under a simulated disaster scenario. References: Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 7, Security Operations, page 736. CISSP All-in-One Exam Guide, Eighth Edition, Chapter 7, Security Operations, page 697.

The activity that a forensic examiner should perform first when determining the priority of digital evidence collection at a crime scene is to establish the order of volatility. The order of volatility is a guideline that defines the sequence or the order in which the digital evidence should be collected, preserved, or analyzed, based on the volatility or the fragility of the evidence. The order of volatility helps to ensure that the most volatile or the most easily lost or altered evidence is collected first, and that the least volatile or the most stable or persistent evidence is collected last. The order of volatility also helps to prevent or minimize the contamination, corruption, or destruction of the evidence, and to maintain the integrity, authenticity, or admissibility of the evidence. The order of volatility typically follows this sequence: registers, cache, random access memory (RAM), routing table, kernel statistics, processes, network connections, executable files, temporary file systems, disk, remote logging and monitoring data, physical configuration, network topology, archival media. Gathering physical evidence, assigning responsibilities to personnel on the scene, or establishing a list of files to examine are not the activities that a forensic examiner should perform first when determining the priority of digital evidence collection at a crime scene, as they are not related to the order of volatility. Gathering physical evidence is an activity that involves collecting, documenting, or packaging the physical or tangible evidence, such as devices, media, or peripherals, that may contain or store the digital or intangible evidence, such as data, files, or logs. Assigning responsibilities to personnel on the scene is an activity that involves delegating or distributing the tasks or roles to the forensic team members or other authorized personnel, such as law enforcement, first responders, or witnesses, that are present or involved in the crime scene. Establishing a list of files to examine is an activity that involves identifying or selecting the files or the data that are relevant, significant, or useful for the forensic investigation, such as system files, user files, or hidden files. References: Official (ISC)2 Guide to the CISSP CBK, Fifth Edition, Chapter 19: Security Operations, page 1910.

Remote network access is the ability to access a network from a distant location, such as a home office, a client site, or a public hotspot. Remote network access can provide benefits such as increased productivity, flexibility, and collaboration, but it also introduces security risks such as unauthorized access, data leakage, malware infection, and network compromise. Therefore, remote network access should only be granted to a third-party security service if there is a clear and justified business need, such as providing security monitoring, auditing, testing, or incident response. The other options are not sufficient explanations for providing remote network access, as they do not demonstrate the value or necessity of the service. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5: Communication and Network Security, p. 339; CISSP Practice Exam | Boson, Question 6

Access control models are frameworks that define how the access rights and permissions are granted and enforced for the subjects (such as users, processes, or devices) and the objects (such as files, folders, or databases) in a system or a network. The most restrictive access control model is Mandatory Access Control (MAC), which is a model that assigns a security label (such as a classification or a clearance level) to each subject and object, and allows access only if the subject’s security label matches or dominates the object’s security label. MAC is enforced by the system or the network, and cannot be modified by the subjects or the owners of the objects. MAC provides strong security and confidentiality for the objects, as it prevents unauthorized or unintended access by the subjects. Discretionary Access Control (DAC) is not the most restrictive access control model, as it is a model that allows the subjects or the owners of the objects to grant or revoke access rights and permissions to the objects, based on their discretion. DAC is enforced by the access control lists (ACLs) or the capabilities that are associated with the objects. DAC provides flexibility and convenience for the subjects and the owners of the objects, but it also increases the risk of unauthorized or unintended access by the subjects. Role Based Access Control (RBAC) is not the most restrictive access control model, as it is a model that assigns access rights and permissions to the subjects based on their roles or functions in the organization, rather than their identities or security labels. RBAC is enforced by the policies and rules that are defined by the organization. RBAC provides scalability and manageability for the subjects and the objects, as it simplifies the administration and the maintenance of the access rights and permissions. Rule based access control is not the most restrictive access control model, as it is a model that grants or denies access to the subjects based on a set of rules or conditions that are triggered by certain events or actions, such as the time, the location, or the frequency of the access. Rule based access control is enforced by the logic or the algorithm that is implemented by the system or the network. Rule based access control provides adaptability and dynamism for the subjects and the objects, as it allows the access rights and permissions to change according to the context or the situation. References: Official (ISC)2 Guide to the CISSP CBK, Fifth Edition, Chapter 5: Identity and Access Management (IAM), page 211. CISSP All-in-One Exam Guide, Eighth Edition, Chapter 10: Identity and Access Management, page 591.

Information assets are any data or information that have value for the organization, such as financial records, customer data, intellectual property, or trade secrets. Information assets are essential for the organization to achieve its objectives and to maintain its competitive advantage. Information assets should be identified, classified, and protected according to their value, sensitivity, and criticality. International Organization for Standardization (ISO) 27001 compliance does not specify which information assets must be included in asset inventory, but rather provides a framework and a set of requirements for establishing, implementing, maintaining, and improving an information security management system (ISMS). Building an information assets register is not necessarily a resource-intensive job, but rather a necessary and beneficial one, as it helps to document and manage the information assets of the organization, and to support the risk assessment and security planning processes. Information assets inventory is required for risk assessment, as it helps to determine the scope, impact, and likelihood of the risks that may affect the information assets, and to prioritize and implement the appropriate controls and measures to mitigate the risks. 

 The security principle that this company is affecting is availability, which is the ability of authorized users to access and use the resources and information of the system or network. By implementing a password complexity and an account lockout policy, the company is trying to enhance the security and authentication of the system or network, but it may also reduce the availability of the system or network for the legitimate users. If the users forget their passwords, or enter them incorrectly, or become victims of brute-force or denial-of-service attacks, they may be locked out of the system or network, and unable to perform their tasks or functions. Therefore, the company should balance the security and availability of the system or network, and consider the impact of the password and account lockout policy on the users and the business12. References: CISSP CBK, Fifth Edition, Chapter 1, page 17; CISSP Practice Exam – FREE 20 Questions and Answers, Question 13.

 A honeypot is a decoy system that is designed to attract and trap attackers who attempt to breach a network. A honeypot can provide a high level of confidence that attackers have breached the network, as it can record their activities, techniques, tools, and motives. A honeypot can also divert the attackers from the real network assets and alert the security organization of the intrusion. The other options are not as effective as deploying a honeypot at discovering a successful network breach. Developing a sandbox is a technique that isolates an application or a process from the rest of the system, such as a web browser or an email attachment. A sandbox can prevent malicious code from affecting the system, but it does not necessarily detect or identify the attackers. Installing an intrusion prevention system (IPS) is a technique that monitors and blocks malicious network traffic, such as denial-of-service, reconnaissance, or exploitation attempts. An IPS can prevent potential network breaches, but it may not discover successful ones that bypass or evade the IPS. Installing an intrusion detection system (IDS) is a technique that monitors and alerts on malicious network traffic, such as denial-of-service, reconnaissance, or exploitation attempts. An IDS can detect possible network breaches, but it may not discover successful ones that bypass or evade the IDS, or it may generate false positives that reduce the confidence level. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5: Communication and Network Security, pp. 311-312, 315-316; CISSP practice exam questions and answers | TechTarget, Question 4

User Acceptance Testing (UAT) before implementation is one of the steps included in change management. Change management is a process that ensures that any changes to the system or the environment are planned, approved, tested, implemented, and documented in a controlled and consistent manner. UAT is a type of testing that involves the end users or the stakeholders of the system, and it verifies that the system meets the functional and non-functional requirements and expectations. UAT is usually performed before the implementation of the system or the change, as a final validation step. The other options are not correct. Business continuity testing is a type of testing that evaluates the effectiveness and readiness of the business continuity plan, and it is not directly related to change management. Technical review by business owner is not a standard step in change management, although the business owner may be involved in the approval or the testing of the change. Cost-benefit analysis (CBA) after implementation is not a typical step in change management, although the CBA may be performed before the change to justify the need and the value of the change. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 6: Security Assessment and Testing, page 704. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 6: Security Assessment and Testing, page 702.