Pass the ISC 2 Credentials CISSP Questions and answers with ExamsMirror

 Information Security Continuous Monitoring (ISCM) is a term used to describe maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. ISCM is a process that collects, analyzes, and reports on the security status and performance of an organization’s information systems and networks, using automated or manual tools and techniques. ISCM can help to identify and prioritize the security risks, gaps, and weaknesses, and to implement and evaluate the security controls and measures, in alignment with the organization’s security objectives and policies. ISCM can also help to comply with the legal and regulatory requirements, and to respond to the changing threat landscape and business environment. The other options are not terms used to describe maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions, as they either do not involve continuous monitoring, do not focus on information security, or do not support risk management decisions. References: CISSP - Certified Information Systems Security Professional, Domain 7. Security Operations, 7.2 Understand and support investigations, 7.2.1 Conduct logging and monitoring activities, 7.2.1.2 Continuous monitoring; CISSP Exam Outline, Domain 7. Security Operations, 7.2 Understand and support investigations, 7.2.1 Conduct logging and monitoring activities, 7.2.1.2 Continuous monitoring

Static packet filtering is a type of filtering that examines the header of each packet and allows or denies it based on a set of predefined rules or criteria, such as the source and destination IP addresses, ports, protocols, or flags. Static packet filtering is simple, fast, and stateless, meaning that it does not keep track of the state or the context of the packets or the connections. Static packet filtering can be used to reduce the load on the firewall by filtering out unwanted or malicious traffic before it reaches the log collector. Uniform Resource Locator (URL) filtering is a type of filtering that blocks or allows access to specific websites or web pages based on their URLs or keywords. Web traffic filtering is a type of filtering that analyzes the content or the behavior of the web traffic and blocks or allows it based on a set of predefined rules or criteria, such as the type, the size, the origin, or the destination of the web traffic. Dynamic packet filtering is a type of filtering that examines the header and the payload of each packet and allows or denies it based on a set of predefined rules or criteria, as well as the state or the context of the packets or the connections. Dynamic packet filtering is more complex, slower, and stateful, meaning that it keeps track of the state or the context of the packets or the connections. References: CISSP CBK Reference, 5th Edition, Chapter 4, page 215; CISSP All-in-One Exam Guide, 8th Edition, Chapter 4, page 177

The reason why it is important for the initial security categorization to be done correctly is that it determines the security requirements. Security categorization is a process that assigns a security level or a classification to a system or an information asset, based on the potential impact or the risk of a loss of confidentiality, integrity, or availability. Security categorization is done early in the system life cycle, and it is reviewed periodically, as it helps to define the security objectives, requirements, and controls for the system or the information asset, and to ensure that they are aligned with the organizational mission, goals, or policies. Security categorization also helps to prioritize the security efforts and resources, and to balance the security needs and the costs. Security categorization does not affect other steps in the certification and accreditation process, determine the functional and operational requirements, or work with selected security controls, as these are not the reasons why it is important for the security categorization to be done correctly. Certification and accreditation is a process that evaluates and validates the security posture and compliance of a system or an information asset, and that authorizes its operation or use. Certification and accreditation is based on the security categorization, but it is not affected by it. Functional and operational requirements are the requirements that specify the functionality, performance, usability, or reliability of a system or an information asset, and that support the business or operational needs. Functional and operational requirements are not determined by the security categorization, but they may influence it. Security controls are the controls that implement or enforce the security requirements, and that protect the system or the information asset from threats or vulnerabilities. Security controls are not worked with by the security categorization, but they are derived from it. References: Official (ISC)2 Guide to the CISSP CBK, Fifth Edition, Chapter 3: Security Architecture and Engineering, page 145.

A penetration test is a type of security assessment that simulates a real-world attack on a system or network, with the permission and authorization of the owner, to identify and exploit the vulnerabilities and weaknesses that may compromise the security of the system or network. A penetration test can help to evaluate the effectiveness and resilience of the security controls and measures that are implemented on the system or network, as well as to provide recommendations and solutions to improve the security posture of the system or network. One of the primary challenges when running a penetration test is determining the depth of coverage. The depth of coverage is the extent and level of detail that the penetration test will cover in terms of the scope, objectives, and methodology of the test. The depth of coverage can vary depending on the type, purpose, and budget of the penetration test, as well as the expectations and requirements of the organization and the stakeholders. The depth of coverage can affect the quality and accuracy of the penetration test results, as well as the time and resources that are needed to conduct the penetration test. Therefore, determining the depth of coverage is a critical and challenging task when running a penetration test, as it requires a careful balance and trade-off between the security and business needs of the organization and the stakeholders. Determining the cost, establishing a business case, or remediating found vulnerabilities are not the primary challenges when running a penetration test, as they are more related to the management, justification, or improvement aspects of the penetration test. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 18: Security Assessment and Testing, page 1003; CISSP Official (ISC)2 Practice Tests, Third Edition, Domain 6: Security Assessment and Testing, Question 6.10, page 246.

 Digital forensics is the process of collecting, preserving, analyzing, and presenting digital evidence from various sources, such as computers, networks, mobile devices, etc. The information security professional who conducted the analysis is the most qualified person to formulate conclusions from the digital forensic investigation, as they have the technical expertise, the knowledge of the case, and the familiarity with the evidence. The information security professional should also document their findings and methods in a clear and concise report that can be used for legal or administrative purposes. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 14: Operations Security, page 713. CISSP Official (ISC)2 Practice Tests, Third Edition, Domain 7: Security Operations, Question 17.

The principal task that the architect should undertake for building a platform to distribute music to thousands of users on a global scale is to establish a media caching methodology. A platform is a type of software or system that provides the foundation or the infrastructure for developing, running, or delivering other software or applications, such as music distribution. A platform can provide various benefits, such as facilitating or enabling the creation, operation, or delivery of the software or applications, and enhancing the functionality, performance, or usability of the software or applications. A platform can also pose various challenges or issues, such as scalability, availability, or latency. A media caching methodology is a type of technique or approach that involves storing or saving the copies or the versions of the media content or data, such as music, on various locations or servers that are closer or nearer to the users or the customers, and that are connected or linked to a network or a service, such as a content delivery network (CDN). A media caching methodology can provide various benefits, such as improving or optimizing the distribution, delivery, or access of the media content or data, and reducing the bandwidth, cost, or time of the distribution, delivery, or access of the media content or data. Establishing a media caching methodology is the principal task that the architect should undertake for building a platform to distribute music to thousands of users on a global scale, as it can address or solve the challenges or issues of the platform, such as scalability, availability, or latency, and as it can ensure or enhance the quality, efficiency, or effectiveness of the platform . References: [CISSP CBK, Fifth Edition, Chapter 3, page 241]; [CISSP Practice Exam – FREE 20 Questions and Answers, Question 15].

 A TPM is the best solution to securely store the private keys for the digital certificates generated by the internal certification authority. A TPM is a hardware device that is embedded in the motherboard of a computer and provides cryptographic functions and secure storage for encryption keys. A TPM can protect the private keys from unauthorized access, tampering, or theft. A physically secured storage device, such as a safe or a lockbox, may not provide adequate protection for the private keys, as they may still be vulnerable to physical attacks or environmental hazards. An encrypted flash drive may not provide sufficient security for the private keys, as it may be lost, stolen, or corrupted. A PKI is not a solution for storing the private keys, but rather a framework for managing the digital certificates and their associated keys. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5: Cryptography and Symmetric Key Algorithms, page 377.

Preventive controls are the most suitable for a system identified as critical in terms of data and function to the organization, because they aim to prevent or deter threats from compromising the system’s confidentiality, integrity, and availability. Examples of preventive controls include encryption, authentication, access control, firewalls, antivirus software, and backup systems. Monitoring, cost, and compensating controls are not as effective as preventive controls for protecting critical systems, because they either detect, measure, or mitigate the impact of threats after they have occurred, rather than preventing them in the first place. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1: Security and Risk Management, page 22. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1: Security and Risk Management, page 35.

 Live response is an evidence collecting technique that involves analyzing a system while it is still running, without shutting it down or altering it. Live response can be useful when it is believed that an attacker is employing a rootkit and a quick analysis is needed. A rootkit is a type of malicious software that hides itself and other malware from detection and removal by modifying the system’s core components, such as the kernel, drivers, or libraries. A rootkit may also erase or alter the evidence of its presence or activities on the system, such as log files, registry entries, or processes. Therefore, live response can help capture the volatile data that may be lost or changed if the system is powered off or rebooted, such as memory contents, network connections, or running processes. Live response can also help identify and isolate the rootkit before it causes more damage or spreads to other systems. References: CISSP All-in-One Exam Guide, Chapter 10: Legal, Regulations, Investigations, and Compliance, Section: Forensics, pp. 1328-1329.

The implementation of changes to a system is the aspect that an internal technical security audit would best validate. An internal technical security audit is a type of audit that is conducted by the organization’s own staff or a contracted third party, and that focuses on the technical aspects of the organization’s information systems and assets, such as the configuration, the functionality, the performance, and the security. An internal technical security audit can help ensure that the information systems and assets comply with the organization’s policies, standards, and regulations, and that they meet the organization’s security and business objectives. The implementation of changes to a system is the aspect that an internal technical security audit would best validate, as it involves verifying that the changes that are made to the system are authorized, documented, tested, and approved, and that they do not adversely affect the security and the functionality of the system. The implementation of changes to a system is part of the change management process, which is a process that ensures that any changes to the organization’s information systems and assets are controlled and managed, and that they align with the organization’s security and business requirements. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 7: Security Operations, page 467. CISSP Practice Exam – FREE 20 Questions and Answers, Question 17.

WEP uses a small range Initialization Vector (IV) is the factor that contributes to the weakness of Wired Equivalent Privacy (WEP) protocol. WEP is a security protocol that provides encryption and authentication for wireless networks, such as Wi-Fi. WEP uses the RC4 stream cipher to encrypt the data packets, and the CRC-32 checksum to verify the data integrity. WEP also uses a shared secret key, which is concatenated with a 24-bit Initialization Vector (IV), to generate the keystream for the RC4 encryption. WEP has several weaknesses and vulnerabilities, such as:

WEP uses a small range Initialization Vector (IV), which results in 16,777,216 (2^24) possible values. This might seem large, but it is not enough for a high-volume wireless network, where the same IV can be reused frequently, creating keystream reuse and collisions. An attacker can capture and analyze the encrypted data packets that use the same IV, and recover the keystream and the secret key, using techniques such as the Fluhrer, Mantin, and Shamir (FMS) attack, or the KoreK attack.

WEP uses a weak integrity check, which is the CRC-32 checksum. The CRC-32 checksum is a linear function that can be easily computed and manipulated by anyone who knows the keystream. An attacker can modify the encrypted data packets and the checksum, without being detected, using techniques such as the bit-flipping attack, or the chop-chop attack.

WEP uses a static and shared secret key, which is manually configured and distributed among all the wireless devices that use the same network. The secret key is not changed or refreshed automatically, unless the administrator does it manually. This means that the secret key can be exposed or compromised over time, and that all the wireless devices can be affected by a single key breach. An attacker can also exploit the weak authentication mechanism of WEP, which is based on the secret key, and gain unauthorized access to the network, using techniques such as the authentication spoofing attack, or the shared key authentication attack.

WEP has been deprecated and replaced by more secure protocols, such as Wi-Fi Protected Access (WPA) or Wi-Fi Protected Access II (WPA2), which use stronger encryption and authentication methods, such as the Temporal Key Integrity Protocol (TKIP), the Advanced Encryption Standard (AES), or the Extensible Authentication Protocol (EAP).

The other options are not factors that contribute to the weakness of WEP, but rather factors that are irrelevant or incorrect. WEP does not use Message Digest 5 (MD5), which is a hash function that produces a 128-bit output from a variable-length input. WEP does not use Diffie-Hellman, which is a method for generating a shared secret key between two parties. WEP does use an Initialization Vector (IV), which is a 24-bit value that is concatenated with the secret key.

The transport layer of the Transmission Control Protocol/Internet Protocol (TCP/IP) stack is responsible for negotiating and establishing a connection with another node. The TCP/IP stack is a simplified version of the OSI model, and it consists of four layers: application, transport, internet, and link. The transport layer is the third layer of the TCP/IP stack, and it is responsible for providing reliable and efficient end-to-end data transfer between two nodes on a network. The transport layer uses protocols, such as Transmission Control Protocol (TCP) or User Datagram Protocol (UDP), to segment, sequence, acknowledge, and reassemble the data packets, and to handle error detection and correction, flow control, and congestion control. The transport layer also provides connection-oriented or connectionless services, depending on the protocol used.

TCP is a connection-oriented protocol, which means that it establishes a logical connection between two nodes before exchanging data, and it maintains the connection until the data transfer is complete. TCP uses a three-way handshake to negotiate and establish a connection with another node. The three-way handshake works as follows:

The client sends a SYN (synchronize) packet to the server, indicating its initial sequence number and requesting a connection.

The server responds with a SYN-ACK (synchronize-acknowledge) packet, indicating its initial sequence number and acknowledging the client’s request.

The client responds with an ACK (acknowledge) packet, acknowledging the server’s response and completing the connection.

UDP is a connectionless protocol, which means that it does not establish or maintain a connection between two nodes, but rather sends data packets independently and without any guarantee of delivery, order, or integrity. UDP does not use a handshake or any other mechanism to negotiate and establish a connection with another node, but rather relies on the application layer to handle any connection-related issues.

 Packet filtering operates at the network layer of the Open System Interconnection (OSI) model. The OSI model is a conceptual framework that describes how data is transmitted and processed across different layers of a network. The OSI model consists of seven layers: application, presentation, session, transport, network, data link, and physical. The network layer is the third layer from the bottom of the OSI model, and it is responsible for routing and forwarding data packets between different networks or subnets. The network layer uses logical addresses, such as IP addresses, to identify the source and destination of the data packets, and it uses protocols, such as IP, ICMP, or ARP, to perform the routing and forwarding functions.

Packet filtering is a technique that controls the access to a network or a host by inspecting the incoming and outgoing data packets and applying a set of rules or policies to allow or deny them. Packet filtering can be performed by devices, such as routers, firewalls, or proxies, that operate at the network layer of the OSI model. Packet filtering typically examines the network layer header of the data packets, such as the source and destination IP addresses, the protocol type, or the fragmentation flags, and compares them with the predefined rules or policies. Packet filtering can also examine the transport layer header of the data packets, such as the source and destination port numbers, the TCP flags, or the sequence numbers, and compare them with the rules or policies. Packet filtering can provide a basic level of security and performance for a network or a host, but it also has some limitations, such as the inability to inspect the payload or the content of the data packets, the vulnerability to spoofing or fragmentation attacks, or the complexity and maintenance of the rules or policies.

The other options are not techniques that operate at the network layer of the OSI model, but rather at other layers. Port services filtering is a technique that controls the access to a network or a host by inspecting the transport layer header of the data packets and applying a set of rules or policies to allow or deny them based on the port numbers or the services. Port services filtering operates at the transport layer of the OSI model, which is the fourth layer from the bottom. Content filtering is a technique that controls the access to a network or a host by inspecting the application layer payload or the content of the data packets and applying a set of rules or policies to allow or deny them based on the keywords, URLs, file types, or other criteria. Content filtering operates at the application layer of the OSI model, which is the seventh and the topmost layer. Application access control is a technique that controls the access to a network or a host by inspecting the application layer identity or the credentials of the users or the processes and applying a set of rules or policies to allow or deny them based on the roles, permissions, or other attributes. Application access control operates at the application layer of the OSI model, which is the seventh and the topmost layer.

 Implementing logical network segmentation at the switches is the most effective layer of security the organization could have implemented to mitigate the attacker’s ability to gain further information. Logical network segmentation is the process of dividing a network into smaller subnetworks or segments based on criteria such as function, location, or security level. Logical network segmentation can be implemented at the switches, which are devices that operate at the data link layer of the OSI model and forward data packets based on the MAC addresses. Logical network segmentation can provide several benefits, such as:

Isolating network traffic and reducing congestion and collisions

Enhancing performance and efficiency of the network

Improving security and confidentiality of the network

Restricting the scope and impact of attacks

Enforcing access control and security policies

Facilitating monitoring and auditing of the network

Logical network segmentation can mitigate the attacker’s ability to gain further information by limiting the visibility and access of the sniffer to the segment where it is installed. A sniffer is a tool that captures and analyzes the data packets that are transmitted over a network. A sniffer can be used for legitimate purposes, such as troubleshooting, testing, or monitoring the network, or for malicious purposes, such as eavesdropping, stealing, or modifying the data. A sniffer can only capture the data packets that are within its broadcast domain, which is the set of devices that can communicate with each other without a router. By implementing logical network segmentation at the switches, the organization can create multiple broadcast domains and isolate the sensitive or critical data from the compromised segment. This way, the attacker can only see the data packets that belong to the same segment as the sniffer, and not the data packets that belong to other segments. This can prevent the attacker from gaining further information or accessing other resources on the network.

The other options are not the most effective layers of security the organization could have implemented to mitigate the attacker’s ability to gain further information, but rather layers that have other limitations or drawbacks. Implementing packet filtering on the network firewalls is not the most effective layer of security, because packet filtering only examines the network layer header of the data packets, such as the source and destination IP addresses, and does not inspect the payload or the content of the data. Packet filtering can also be bypassed by using techniques such as IP spoofing or fragmentation. Installing Host Based Intrusion Detection Systems (HIDS) is not the most effective layer of security, because HIDS only monitors and detects the activities and events on a single host, and does not prevent or respond to the attacks. HIDS can also be disabled or evaded by the attacker if the host is compromised. Requiring strong authentication for administrators is not the most effective layer of security, because authentication only verifies the identity of the users or processes, and does not protect the data in transit or at rest. Authentication can also be defeated by using techniques such as phishing, keylogging, or credential theft.

 The purpose of an Internet Protocol (IP) spoofing attack is to convince a system that it is communicating with a known entity. IP spoofing is a technique that involves creating and sending IP packets with a forged source IP address, which is usually the IP address of a trusted or authorized host. IP spoofing can be used for various malicious purposes, such as:

Bypassing IP-based access control lists (ACLs) or firewalls that filter traffic based on the source IP address.

Launching denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks by flooding a target system with spoofed packets, or by reflecting or amplifying the traffic from intermediate systems.

Hijacking or intercepting a TCP session by predicting or guessing the sequence numbers and sending spoofed packets to the legitimate parties.

Gaining unauthorized access to a system or network by impersonating a trusted or authorized host and exploiting its privileges or credentials.

The purpose of IP spoofing is to convince a system that it is communicating with a known entity, because it allows the attacker to evade detection, avoid responsibility, and exploit trust relationships.

The other options are not the main purposes of IP spoofing, but rather the possible consequences or methods of IP spoofing. To send excessive amounts of data to a process, making it unpredictable is a possible consequence of IP spoofing, as it can cause a DoS or DDoS attack. To intercept network traffic without authorization is a possible method of IP spoofing, as it can be used to hijack or intercept a TCP session. To disguise the destination address from a target’s IP filtering devices is not a valid option, as IP spoofing involves forging the source address, not the destination address.