Pass the ISC 2 Credentials CISSP Questions and answers with ExamsMirror

A flood attack is a type of denial-of-service (DoS) attack that aims to overwhelm the target system or network with a large volume of traffic. The best way to reduce the impact of a flood attack is to have the source service provider block the address of the attacker, as this will prevent the traffic from reaching the target. Blocking the source address at the firewall, option A, is not as effective as option D, as the traffic will still consume the bandwidth of the target network. Option B, having the service provider block the source address, is ambiguous and unclear, as it does not specify which service provider is meant. Option C, blocking all inbound traffic until the flood ends, is not a good solution, as it will also block legitimate traffic and cause a self-inflicted DoS. References: CISSP practice exam questions and answers | TechTarget, CISSP Practice Exam – FREE 20 Questions and Answers

A network availability attack is an attack that aims to disrupt or deny the normal functioning of a network or its resources. The most severe attack to the network availability is when the network is flooded with communication traffic by the attacker, which is also known as a denial-of-service (DoS) attack. A DoS attack can overwhelm the network bandwidth, consume the processing power of the network devices, or exhaust the memory or disk space of the servers, resulting in degraded performance, slow response, or complete shutdown of the network services. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 4: Communication and Network Security, page 202; [Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 4: Communication and Network Security, page 276]

Customer identifiers that do not resemble the user’s government-issued ID number should be used is the recommendation that should be made to the product development team. A customer identifier is a unique value that is assigned to a customer to identify and distinguish the customer from other customers, and to enable the customer to access the products or services of an organization, such as a username, a password, a token, or a biometric. A government-issued ID number is a unique value that is assigned to a person by a government authority to identify and verify the person’s identity, and to enable the person to access the government services or benefits, such as a social security number, a passport number, or a driver’s license number. Customer identifiers that do not resemble the user’s government-issued ID number should be used is the recommendation that should be made to the product development team, because it can provide the following benefits:

It can protect the privacy and security of the customers, and prevent or mitigate the risks of identity theft, fraud, or misuse of the government-issued ID numbers, which are sensitive and personal information that can reveal the customers’ identity, location, or status.

It can comply with the legal and regulatory requirements and standards that apply to the collection, use, and protection of the government-issued ID numbers, and avoid or minimize the liabilities or penalties that may arise from the non-compliance or violation of the requirements or standards.

It can reduce the complexity and cost of the product development and maintenance, and avoid the dependency or reliance on the government authorities or systems that issue or validate the government-issued ID numbers, which may have different formats, rules, or procedures. The other options are not the recommendations that should be made to the product development team, as they either do not protect the privacy and security of the customers, do not comply with the legal and regulatory requirements and standards, or do not reduce the complexity and cost of the product development and maintenance. References: CISSP - Certified Information Systems Security Professional, Domain 5. Identity and Access Management (IAM), 5.1 Control physical and logical access to assets, 5.1.1 Manage identification and authentication of people, devices, and services, 5.1.1.1 Identity management implementation; CISSP Exam Outline, Domain 5. Identity and Access Management (IAM),

The authorization standard that is built to handle Application Programming Interface (API) access for Federated Identity Management (FIM) is Open Authentication (OAuth). OAuth is a standard protocol that enables the delegation of authorization to access resources or services from one party to another, without sharing the credentials. OAuth can be used for FIM, which is a mechanism that allows the users to use a single identity across multiple domains or systems, such as social media platforms, cloud services, or web applications. OAuth can handle API access for FIM, which means that the users can authorize the applications to access their data or services from other providers, such as contacts, calendars, or photos, through the APIs. Security Assertion Markup Language (SAML), Remote Authentication Dial-in User Service (RADIUS), and Terminal Access Control Access Control System Plus (TACACS+) are not authorization standards that are built to handle API access for FIM, but they are standards or protocols that can be used or supported by FIM for authentication, authorization, or accounting purposes. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5: Security Engineering, page 656; Official (ISC)2 Guide to the CISSP CBK, Fifth Edition, Chapter 3: Security Architecture and Engineering, page 439.

The Extended Identity principle is a concept that describes how an organization can extend its identity and access management (IAM) capabilities to external entities, such as customers, partners, or suppliers, by using common standards and protocols, such as SAML, OAuth, or OpenID Connect. Under this principle, the clothing retailer acts as an identity provider (IdP), which is the entity that authenticates and verifies the identity of the user using industry standards, such as passwords, tokens, or biometrics. The partner businesses act as service providers (SPs), which are the entities that provide access to the resources or services that the user requests, such as inventory, shipping, or payment. The clothing retailer sends the credentials of the user, such as a SAML assertion or an OAuth token, to the partner businesses, which use them to grant access to the user. This way, the user does not need to create or manage multiple accounts or passwords for each partner business, and the clothing retailer can maintain control and visibility over the user’s identity and access. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 12: Identity and Access Management, pp. 1179-1180; [Official (ISC)2 CISSP CBK Reference, Fifth Edition], Domain 5: Identity and Access Management, pp. 853-854.

The primary objective of the post-incident phase of the incident response process in the security operations center (SOC) is to improve the IR process. The incident response (IR) process is a set of activities that aims to detect, contain, analyze, eradicate, and recover from security incidents, and to prevent or minimize the impact and damage of the incidents. The IR process consists of six phases: preparation, identification, containment, analysis, eradication, and recovery. The post-incident phase is the last phase of the IR process, and it focuses on learning from the incident and improving the IR process for the future. The post-incident phase involves tasks such as:

Reviewing and documenting the incident, including the cause, impact, response, and lessons learned

Evaluating and updating the IR plan, policies, procedures, and tools, based on the feedback and recommendations from the incident

Conducting a post-incident review or debriefing with the IR team and the stakeholders, to share the findings, results, and best practices from the incident

Implementing the corrective and preventive actions, such as patching the vulnerabilities, restoring the systems, or enhancing the security controls, to prevent or mitigate the recurrence of the incident

Providing the training and awareness, such as conducting the exercises, simulations, or workshops, to improve the skills and knowledge of the IR team and the organization The other options are not the primary objective of the post-incident phase of the IR process in the SOC, as they either belong to other phases of the IR process, or are not the main focus of the post-incident phase. References: CISSP - Certified Information Systems Security Professional, Domain 7. Security Operations, 7.3 Understand and support forensic investigations, 7.3.2 Conduct incident response, 7.3.2.1 Incident handling; CISSP Exam Outline, Domain 7. Security Operations, 7.3 Understand and support forensic investigations, 7.3.2 Conduct incident response, 7.3.2.1 Incident handling

Certificates are the best way for mutual authentication of devices belonging to the same organization. Mutual authentication is a process that involves verifying the identity and the legitimacy of both parties involved in a communication or a transaction, and ensuring that they are authorized and trusted to access or exchange the information or the resources. Certificates are the digital documents that contain the identity and the public key of a device, a user, or an entity, and that are issued and signed by a trusted authority, such as a Certificate Authority (CA). Certificates can be used for mutual authentication of devices belonging to the same organization, as they can provide a secure and reliable way of verifying and exchanging the public keys of the devices, and of encrypting and decrypting the data or the messages that are transmitted between the devices. Certificates can also prevent or detect various attacks or threats that may compromise the mutual authentication of the devices, such as impersonation, spoofing, replay, or man-in-the-middle attacks. Therefore, certificates are the best way for mutual authentication of devices belonging to the same organization, as they can ensure the confidentiality, the integrity, and the authenticity of the communication or the transaction between the devices. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 4: Communication and Network Security, page 187. CISSP Testking ISC Exam Questions, Question 18.

The most important factor in establishing an effective Information Security Awareness Program is to obtain management buy-in. Management buy-in is the support and commitment of the senior management or the executives of an organization for a project or an initiative, such as an Information Security Awareness Program. An Information Security Awareness Program is a program that educates and trains the employees or the users of an organization about the security policies, procedures, risks, and best practices, and aims to improve the security culture and behavior of the organization. Obtaining management buy-in is essential for establishing an effective Information Security Awareness Program, as it can help to define the goals and objectives of the program, allocate the resources and budget for the program, communicate the importance and value of the program, and monitor and evaluate the progress and outcomes of the program. Management buy-in can also help to demonstrate the leadership and accountability of the management, and to motivate and influence the employees or the users to participate and comply with the program. Conducting an annual security awareness event, mandating security training, and hanging information security posters on the walls are not the most important factors in establishing an effective Information Security Awareness Program. These are some of the methods or techniques that may be used to implement or deliver the Information Security Awareness Program, but they are not as crucial or influential as obtaining management buy-in. Conducting an annual security awareness event is a method that organizes a special event or a campaign once a year, to raise the awareness and knowledge of the employees or the users about the security topics or issues. Mandating security training is a method that requires the employees or the users to attend or complete a formal or structured training course or session, to learn the security skills or competencies. Hanging information security posters on the walls is a method that displays or distributes visual or graphical materials, such as posters, flyers, or stickers, to remind or inform the employees or the users about the security messages or tips. References: Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 1, Security and Risk Management, page 51. CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, Security Governance Through Principles and Policies, page 53.

Residual risk is the risk that remains after implementing controls to mitigate the original risk. If a business line is unwilling to accept the residual risk in a system, one possible action is to purchase insurance to cover the potential losses or damages that may result from the residual risk. This is a form of risk transfer, which is one of the four risk management strategies, along with risk avoidance, risk mitigation, and risk acceptance. Notifying the audit committee, implementing operational safeguards, and finding another business line are not valid actions to deal with residual risk . References: [CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, page 32]; [CISSP CBK, Fifth Edition, Chapter 2, page 151].

The greatest risk of relying only on Capability Maturity Models (CMMs) for software to guide process improvement and assess capabilities of acquired software is that CMMs do not explicitly address safety and security. CMMs are frameworks that measure and improve the maturity and quality of the software development processes and products. CMMs define different levels of maturity, from initial to optimized, based on the presence and effectiveness of the key process areas, such as requirements management, project planning, configuration management, quality assurance, or risk management. CMMs can help to evaluate and improve the software development processes and products, but they do not explicitly address the safety and security aspects of the software. Safety and security are important attributes of the software, especially for critical or sensitive applications, such as medical, military, or financial applications. Safety and security require specific processes and practices, such as threat modeling, secure coding, vulnerability testing, or incident response, that are not covered by the CMMs. Therefore, relying only on CMMs for software may result in overlooking or neglecting the safety and security issues of the software, which may lead to serious consequences, such as harm, loss, or breach. Organizations can only reach a maturity level 3 when using CMMs, CMMs can only be used for software developed in-house, and CMMs are vendor specific and may be biased are not the greatest risks of relying only on CMMs for software. These are some of the limitations or challenges of using CMMs for software, but they are not as significant or critical as the lack of safety and security. Organizations can reach higher maturity levels than level 3 when using CMMs, depending on the implementation and assessment of the CMMs. CMMs can be used for software developed in-house or outsourced, depending on the scope and criteria of the CMMs. CMMs are not vendor specific and may not be biased, as they are based on industry standards and best practices, such as ISO/IEC 15504 or ISO/IEC 33001. References: Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 8, Software Development Security, page 831. CISSP All-in-One Exam Guide, Eighth Edition, Chapter 8, Software Development Security, page 767.

Air-gapping and hardening the host used for management purposes is the best way to manage the risk of a legacy Industrial Control System (ICS) that depends on a vulnerable version of the Java Runtime Environment (JRE). Air-gapping means disconnecting the host from any network or internet connection, so that it can only be accessed physically. Hardening means applying security patches, disabling unnecessary services, and configuring security settings to reduce the attack surface of the host. This way, the risk of remote exploitation of the JRE vulnerability is minimized, and the host is protected from other potential threats. Isolating the full ICS by moving it onto its own network segment may reduce the exposure of the system, but it does not eliminate the possibility of network-based attacks. Convincing the management to decommission the ICS and migrate to a modern technology may be the ideal solution, but it may not be feasible or cost-effective, especially if the ICS cannot be replaced. Deploying a restrictive proxy between all clients and the vulnerable management station may also help to filter and monitor the network traffic, but it does not address the root cause of the vulnerability, and it may introduce additional complexity and overhead to the system. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 4: Security Architecture and Engineering, page 447. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 4: Security Architecture and Engineering, page 321.

 A crime scene is a location where a security incident or breach has occurred and where potential evidence can be found. A computer is a device that can store, process, or transmit digital data that can be used as evidence in a security investigation. When an information security professional arrives at a crime scene where a computer was powered off, the best action to perform after the crime scene is isolated is to leave the computer off and prepare the computer for transportation to the laboratory. Leaving the computer off can help to preserve the integrity and authenticity of the data on the computer, as well as to prevent any further damage or tampering. Preparing the computer for transportation can help to protect the computer from physical harm or environmental factors during the movement. Transporting the computer to the laboratory can help to perform a proper forensic analysis of the data on the computer in a controlled and secure environment. Turning the computer on and collecting volatile data or network information, or removing the hard drive and leaving the hardware at the scene are not the best actions to perform, as they can compromise the evidence, violate the chain of custody, or destroy the original state of the computer. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 11: Security Operations, page 711; CISSP Official (ISC)2 Practice Tests, Third Edition, Domain 7: Security Operations, Question 7.13, page 276.

Email spoofing is a technique used to forge the origin of an email by altering the header fields, such as the sender’s address, name, or reply-to address. Email spoofing can be used for malicious purposes, such as phishing, spamming, or impersonating someone else. One technique used for spoofing the origin of an email that can successfully conceal the sender’s Internet Protocol (IP) address is onion routing. Onion routing is a method of anonymous communication that encrypts and routes the messages through multiple layers of intermediate nodes, called onion routers, before reaching the final destination. Each onion router only knows the previous and next hop of the message, but not the entire route or the origin and destination of the message. This way, the sender’s IP address is hidden from the recipient and any eavesdroppers. Therefore, the correct answer is C. The other options are incorrect because they are not techniques used for spoofing the origin of an email or concealing the sender’s IP address. Changing the In-Reply-To data can alter the email thread, but not the sender’s address. Web crawling is a process of collecting and indexing information from the web, not from emails. Virtual Private Network (VPN) is a technology that creates a secure and encrypted connection over a public network, but it does not spoof the origin of an email. References: Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 4: Communication and Network Security, Section: Secure Network Components, Subsection: Email Security; CISSP All-in-One Exam Guide, Eighth Edition, Chapter 4: Communication and Network Security, Section: Email Security.

Privacy is the right or ability of individuals or groups to control or limit the collection, use, disclosure, or retention of their personal or sensitive data by others. Privacy is an important concern for organizations that are considering outsourcing applications and data to a Cloud Service Provider (CSP). The most important concern regarding privacy is that the CSP may not be subject to the organization’s country legislation. The organization’s country legislation may have specific laws, regulations, or standards that govern the privacy of data, such as the General Data Protection Regulation (GDPR) in the European Union, or the Health Insurance Portability and Accountability Act (HIPAA) in the United States. However, the CSP may operate in a different country or jurisdiction that has different or less stringent privacy laws, regulations, or standards. This may create a conflict or a gap between the organization’s privacy obligations and the CSP’s privacy practices, and expose the organization to legal, regulatory, or reputational risks. Therefore, the organization should carefully review the CSP’s privacy policy and contract, and ensure that the CSP complies with the organization’s country legislation and the organization’s privacy requirements and expectations. The CSP determining data criticality, providing end-to-end encryption services, or allowing the organization to develop its privacy policy are not the most important concerns regarding privacy, as they are more related to data security, data protection, or data governance. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 4: Data Security, page 186; CISSP Official (ISC)2 Practice Tests, Third Edition, Domain 2: Asset Security, Question 2.10, page 79.

The principle of least privilege states that every user, process, or system should have the minimum amount of access or privileges necessary to perform their functions, and no more. This principle reduces the attack surface, limits the potential damage of a compromise, and enforces the separation of duties and responsibilities. Applying the principle of least privilege at each level of the file system, such as directories, files, and permissions, is the best way to restrict access and protect the confidentiality, integrity, and availability of the data. Allowing a user group to restrict access may not be sufficient, as the group may have more privileges than needed, or may not follow the security policies. Using a third-party tool to restrict access may introduce additional risks, such as compatibility issues, vulnerabilities, or malicious code. Restricting access to all users may prevent legitimate access and disrupt the business operations or functions. References:

1 (Domain 1: Security and Risk Management, Objective 1.4: Understand and apply security principles to the CIA triad)

2 (Chapter 1: Security and Risk Management, Section 1.4.3: Security Principles)