Pass the ISC 2 Credentials CISSP Questions and answers with ExamsMirror

The goal of software assurance in application development is to prevent the creation of vulnerable applications. Software assurance is the process of ensuring that the software is designed, developed, and maintained in a secure, reliable, and trustworthy manner. Software assurance involves applying security principles, standards, and best practices throughout the software development life cycle, such as security requirements, design, coding, testing, deployment, and maintenance. Software assurance aims to prevent or reduce the introduction of vulnerabilities, defects, or errors in the software that could compromise its security, functionality, or quality . References: : Software Assurance : Software Assurance - OWASP Cheat Sheet Series

 By allowing storage communications to run on top of Transmission Control Protocol/Internet Protocol (TCP/IP) with a Storage Area Network (SAN), the opportunity to sniff network traffic exists. A SAN is a dedicated network that connects storage devices, such as disk arrays, tape libraries, or servers, to provide high-speed data access and transfer. A SAN may use different protocols or technologies to communicate with storage devices, such as Fibre Channel, iSCSI, or NFS. By allowing storage communications to run on top of TCP/IP, a common network protocol that supports internet and intranet communications, a SAN may leverage the existing network infrastructure and reduce costs and complexity. However, this also exposes the storage communications to the same risks and threats that affect the network communications, such as sniffing, spoofing, or denial-of-service attacks. Sniffing is the act of capturing or monitoring network traffic, which may reveal sensitive or confidential information, such as passwords, encryption keys, or data. By allowing storage communications to run on top of TCP/IP with a SAN, the confidentiality of the traffic is not protected, unless encryption or other security measures are applied. The opportunity for device identity spoofing is not eliminated, as an attacker may still impersonate a legitimate storage device or server by using a forged or stolen IP address or MAC address. The storage devices are not protected against availability attacks, as an attacker may still disrupt or overload the network or the storage devices by sending malicious or excessive packets or requests.

The primary purpose of a security awareness program is to ensure that everyone understands the organization’s policies and procedures related to information security. A security awareness program is a set of activities, materials, or events that aim to educate and inform the employees, contractors, partners, and customers of the organization about the security goals, principles, and practices of the organization1. A security awareness program can help to create a security culture, improve the security behavior, and reduce the human errors or risks. Communicating that access to information will be granted on a need-to-know basis, warning all users that access to all systems will be monitored on a daily basis, and complying with regulations related to data and information protection are not the primary purposes of a security awareness program, as they are more specific or secondary objectives that may be part of the program, but not the main goal. References: 1: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, page 28.

When returning electronic storage media to third parties for repair, it is important to ensure that the media does not contain any sensitive or confidential data that could be compromised or disclosed. One way to do this is to establish a contract with the third party that specifies the security requirements and obligations for the handling, storage, and disposal of the media. This contract should also include provisions for auditing, reporting, and remediation in case of any security incidents or breaches. The other options are not effective practices, as they either do not protect the data adequately (A), damage the media unnecessarily (B and C), or are not feasible or practical in some cases. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5, page 239; CISSP For Dummies, 7th Edition, Chapter 2, page 43.

 A network security assessment is a process of evaluating the security posture of a network by identifying and analyzing vulnerabilities, threats, and risks. The results of the assessment can help measure how well the network controls are performing and where they need improvement.

B, C, and D are incorrect because they are not the main objectives or outcomes of a network security assessment. A penetration test is a type of security assessment that simulates an attack on the network, but it does not guarantee that the network will fail or succeed. The network may or may not be compliant to industry standards depending on the criteria and scope of the assessment. Not all unpatched vulnerabilities may be identified by the assessment, as some may be unknown or undetectable by the tools or methods used.

 Hashing files during chain of custody handling ensures integrity, which means that the files have not been altered or tampered with during the collection, preservation, or analysis of digital evidence1. Hashing is a process of applying a mathematical function to a file to generate a unique value, called a hash or a digest, that represents the file’s content. By comparing the hash values of the original and the copied files, the integrity of the files can be verified. Availability, accountability, and non-repudiation are not ensured by hashing files during chain of custody handling, as they are related to different aspects of information security. References: 1: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 10, page 633.

 Code reviews are the best way to check for good security programming practices, as well as auditing for possible backdoors, in a software system. Code reviews involve examining the source code of the software for any errors, vulnerabilities, or malicious code that could compromise the security or functionality of the system. Code reviews can be performed manually by human reviewers, or automatically by tools that scan and analyze the code. The other options are not as effective as code reviews, as they either do not examine the source code directly (A and C), or only detect syntactic or semantic errors, not logical or security flaws (D). References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 8, page 463; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 8, page 555.

The main reason why all users must be positively identified prior to using multi-user computers is to ensure that unauthorized persons cannot access the computers. Positive identification is the process of verifying the identity of a user or a device before granting access to a system or a resource2. Positive identification can be achieved by using one or more factors of authentication, such as something the user knows, has, or is. Positive identification can enhance the security and accountability of the system, and prevent unauthorized or malicious access. Providing access to system privileges, providing access to the operating system, and ensuring that management knows what users are currently logged on are not the primary reasons why all users must be positively identified prior to using multi-user computers, as they are more related to the functionality or administration of the system, rather than the security. References: 2: CISSP For Dummies, 7th Edition, Chapter 4, page 89.

During an audit of system management, if auditors find that the system administrator has not been trained, the immediate action that needs to be taken to ensure the integrity of systems is a review of all systems by an experienced administrator. This is to verify that the systems are configured, maintained, and secured properly, and that there are no errors, vulnerabilities, or breaches that could compromise the system’s availability, confidentiality, or integrity. A review of hiring policies, departmental procedures, or training procedures are not urgent actions, as they are more related to the long-term improvement of the system management process, rather than the current state of the systems . References: : CISSP All-in-One Exam Guide, Eighth Edition, Chapter 8, page 829. : CISSP For Dummies, 7th Edition, Chapter 8, page 267.

The organization has experienced a covert channel attack, which is a technique of hiding or transferring data within a communication channel that is not intended for that purpose. In this case, the attacker has used the payload portion of the ping packet, which is normally used to carry diagnostic data, to move data into and out of the network. This way, the attacker can bypass the network security controls and avoid detection. Data leakage (A) is a general term for the unauthorized disclosure of sensitive or confidential data, which may or may not involve a covert channel. Unfiltered channel (B) is a term for a communication channel that does not have any security mechanisms or filters applied to it, which may allow unauthorized or malicious traffic to pass through. Data emanation © is a term for the unintentional radiation or emission of electromagnetic signals from electronic devices, which may reveal sensitive or confidential information to eavesdroppers. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 4, page 179; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 4, page 189.

Alternate encoding such as hexadecimal representations is most often observed in cross site scripting (XSS) attacks. XSS is a type of web application attack that involves injecting malicious code or scripts into a web page or a web application, usually through user input fields or parameters. The malicious code or script is then executed by the victim’s browser, and can perform various actions, such as stealing cookies, session tokens, or credentials, redirecting to malicious sites, or displaying fake content. Alternate encoding is a technique that is used by attackers to bypass input validation or filtering mechanisms, and to conceal or obfuscate the malicious code or script. Alternate encoding can use hexadecimal, decimal, octal, binary, or Unicode representations of the characters or symbols in the code or script . References: : What is Cross-Site Scripting (XSS)? : XSS Filter Evasion Cheat Sheet

 A sandbox is a security mechanism that isolates a potentially malicious code or application from the rest of the system, preventing it from accessing or modifying any sensitive data or resources1. A sandbox can be implemented at the operating system, application, or network level, and can provide a safe environment for testing, debugging, or executing untrusted code. A sandbox is the most effective countermeasure to a malicious code attack against a mobile system, as it can prevent the code from spreading, stealing, or destroying any information on the device. Change control, memory management, and PKI are not directly related to preventing or mitigating malicious code attacks on mobile systems. References: 1: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 8, page 507.

 The first step to take when implementing a patch management program is to create a system inventory. A system inventory is a comprehensive list of all the hardware and software assets in the organization, such as servers, workstations, laptops, mobile devices, routers, switches, firewalls, operating systems, applications, firmware, etc. A system inventory helps to identify the scope and complexity of the patch management program, as well as the current patch status and vulnerabilities of each asset. A system inventory also helps to prioritize and schedule patch deployment, monitor patch compliance, and report patch performance56. References: 5: Patch Management Best Practices76: Patch Management Process8

The EU-US Safe Harbor Privacy Policy is a framework that was established in 2000 to enable the transfer of personal data from the European Union to the United States, while ensuring adequate protection of the data subject’s privacy rights3. The framework was invalidated by the European Court of Justice in 2015, and replaced by the EU-US Privacy Shield in 20164. However, the Safe Harbor Privacy Policy still serves as a reference for the principles and requirements of data protection across the Atlantic. One of the elements that a compliant Safe Harbor Privacy Policy must contain is an explanation of who can be contacted at the organization collecting the information if corrections are required by the data subject. This is part of the principle of access, which states that individuals must have access to their personal information and be able to correct, amend, or delete it where it is inaccurate. References: 3: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5, page 2954: CISSP For Dummies, 7th Edition, Chapter 10, page 284. : Official (ISC)2 CISSP CBK Reference, 5th Edition, Chapter 5, page 293.

 Internet Key Exchange (IKE) is a protocol that defines the key exchange for Internet Protocol Security (IPSec). IPSec is a suite of protocols that provides security for IP-based communications, such as encryption, authentication, and integrity. IKE establishes a secure channel between two parties, negotiates the security parameters, and generates the cryptographic keys for IPSec . References: : CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5, page 541. : CISSP For Dummies, 7th Edition, Chapter 5, page 157.