Pass the ISC 2 Credentials CISSP Questions and answers with ExamsMirror

The best way to verify the integrity of a software patch is to use cryptographic checksums. Cryptographic checksums are mathematical values that are computed from the data in the software patch using a hash function or an algorithm. Cryptographic checksums can be used to compare the original and the downloaded or installed version of the software patch, and to detect any alteration, corruption, or tampering of the data. Cryptographic checksums are also known as hashes, digests, or fingerprints, and they are often provided by the software vendor along with the software patch12. References: 1: What is a Checksum and How to Calculate a Checksum32: How to Verify File Integrity Using Hashes

Program change control is the maintenance activity that is responsible for defining, implementing, and testing updates to application systems. Program change control ensures that the changes are authorized, documented, reviewed, tested, and approved before being deployed to the production environment. Program change control also maintains a record of the changes and their impact on the system . References: : CISSP All-in-One Exam Guide, Eighth Edition, Chapter 8, page 823. : CISSP For Dummies, 7th Edition, Chapter 8, page 263.

 Creating a virus creation tool that can generate thousands of polymorphic viruses is not ethical, even if the intention is to use it in a controlled environment to test the company’s next generation virus scanning software. Such a tool could be leaked on the Internet, either intentionally or accidentally, and fall into the hands of malicious actors who could use it to create and spread harmful viruses that could compromise the security and privacy of millions of users and systems. The engineer should follow the code of ethics and professional conduct of the ISC2, which states that members and certificate holders shall protect society, the common good, necessary public trust and confidence, and the infrastructure . References: : CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, page 18. : CISSP For Dummies, 7th Edition, Chapter 1, page 11.

The best security solution for two companies that wish to share electronic inventory and purchase orders in a supplier and client relationship is to set up a Virtual Private Network (VPN) between the two companies. A VPN is a secure and encrypted connection that allows the two companies to exchange data over a public network, such as the internet, as if they were on a private network. A VPN protects the confidentiality, integrity, and availability of the data, and prevents unauthorized access, interception, or modification by third parties. A VPN also provides authentication, authorization, and accounting of the users and devices that access the data . References: : What is a VPN and how does it work? Your guide to internet privacy and security : What is a VPN?

A SYN flood attack is a type of denial-of-service attack that exploits the TCP three-way handshake process. The attacker sends a large number of SYN packets to the target server, often with spoofed IP addresses, and does not complete the handshake by sending the final ACK packet. This causes the server to allocate resources for half-open connections, which eventually consume all the available ports and prevent legitimate traffic from reaching the server

The components that are in the scope of PCI-DSS are the end devices, wireless access points, WLAN, switches, management console, and firewall. PCI-DSS is a set of standards and requirements that aim to ensure the security of the cardholder data and the payment transactions. PCI-DSS applies to any entity that stores, processes, or transmits cardholder data, or that provides services or devices that affect the security of the cardholder data. The scope of PCI-DSS includes all the system components that are connected to or support the cardholder data environment, such as the hardware, the software, the network, or the personnel. In this question, the end devices, wireless access points, WLAN, switches, management console, and firewall are all part of the system components that are connected to or support the cardholder data environment, as they are used to process the credit card transactions on the WLAN. Therefore, they are in the scope of PCI-DSS, and they must comply with the PCI-DSS requirements. The entire enterprise network infrastructure and the Internet are not in the scope of PCI-DSS, as they are not directly connected to or support the cardholder data environment, and they are separated from the private segment for credit card processing by the firewall. The border gateway is not a system component, but a term that refers to a device that connects two networks with different protocols, such as a router or a proxy server. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 4, Communication and Network Security, page 548. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 4, Communication and Network Security, page 564.

The best way to determine if a particular system is able to identify malicious software without executing it is to test it with an EICAR file. An EICAR file is a standard file that is used to test the functionality and performance of antivirus software, without using any real malware. An EICAR file is a harmless text file that contains a specific string of characters that is recognized by most antivirus software as a virus signature. An EICAR file can be used to check if the antivirus software is installed, configured, updated, and working properly, without risking any damage or infection to the system. Testing with a botnet, executing a binary shellcode, and running multiple antivirus programs are not the best ways to determine if a particular system is able to identify malicious software without executing it, as they may involve using or creating actual malware, which can be dangerous, illegal, or unethical, and may compromise the security or performance of the system. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 6, Security Assessment and Testing, page 813. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 6, Security Assessment and Testing, page 829.

A common challenge when implementing SAML for identity integration between on-premise environment and an external identity provider service is that some users are not provisioned into the service. Provisioning is a process of creating, updating, or deleting the user accounts or profiles in a service or an application, based on the user identity or credentials. When implementing SAML for identity integration, the on-premise environment acts as the identity provider, which authenticates the user and issues the SAML assertion, and the external service acts as the service provider, which receives the SAML assertion and grants access to the user. However, if the user account or profile is not provisioned or synchronized in the external service, the user may not be able to access the service, even if they have a valid SAML assertion. Therefore, a common challenge when implementing SAML for identity integration is to ensure that the user provisioning is consistent and accurate between the on-premise environment and the external service. SAML tokens are provided by the on-premise identity provider, single users can be revoked from the service, and SAML tokens contain user information are not common challenges when implementing SAML for identity integration, as they are related to the functionality, granularity, or content of the SAML protocol, not the provisioning of the user accounts or profiles. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5, Identity and Access Management, page 693. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 5, Identity and Access Management, page 709.

 The best option for low maintenance and ease of deployment to enable student access to university resources from their homes is to use Secure Sockets Layer (SSL) VPN technology. SSL VPN is a type of virtual private network that uses the SSL protocol to provide secure and remote access to the network resources over the internet. SSL VPN does not require the installation or configuration of any special client software or hardware on the student’s device, as it can use the web browser as the client interface. SSL VPN can also support various types of devices, operating systems, and applications, and can provide granular access control and encryption for the network traffic. Providing students with Internet Protocol Security (IPSec) VPN client software, using Secure Shell (SSH) with public/private keys, and requiring students to purchase home router capable of VPN are not the best options for low maintenance and ease of deployment, as they involve more complexity, cost, and compatibility issues for the students and the university. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 4, Communication and Network Security, page 507. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 4, Communication and Network Security, page 523.

Automated application security testing tools are software tools that can scan, analyze, and test the code of an application for vulnerabilities, errors, or flaws. The primary advantage of using these tools is that they can test large amounts of code using fewer resources, such as time, money, and human effort, than manual testing. This can improve the efficiency, effectiveness, and coverage of the testing process. The application can be protected in the production environment, the application will fail less when tested using these tools, and detailed testing of code functions can be performed are all possible outcomes of using automated application security testing tools, but they are not the primary advantage of using them. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 8, Software Development Security, page 1017. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 8, Software Development Security, page 1039.

The action that must be taken if a vulnerability is discovered during the maintenance stage in a SDLC is to make changes following principle and design guidelines. Principle and design guidelines are the rules and standards that define the security objectives, requirements, and specifications of the system. They also provide the criteria and methods for evaluating and testing the security of the system. By making changes following principle and design guidelines, the organization can ensure that the vulnerability is fixed in a secure and consistent manner, and that the system maintains its functionality and quality. The other options are not actions that must be taken, as they either do not fix the vulnerability (B and D), or do not follow the principle and design guidelines ©. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 8, page 461; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 8, page 553.

The best description of Recovery Time Objective (RTO) is the time of application resumption after disaster. RTO is a metric that defines the maximum acceptable time that an application or a system can be unavailable or offline after a disaster or a disruption. RTO is based on the business impact analysis and the recovery requirements of the organization, and it helps to determine the recovery strategies and the resources needed to restore the application or the system to its normal operation. Time of data validation after disaster, time of data restoration from backup after disaster, and time of application verification after disaster are not the best descriptions of RTO, as they are related to the quality, accuracy, or completeness of the data or the application, not the availability or the downtime of the application or the system. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 7, Security Operations, page 899. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 7, Security Operations, page 915.

The access control mechanism that is detective is log review. Log review is a process of examining and analyzing the records or events of the system or network activity, such as user login, file access, or network traffic, that are stored in log files. Log review can help to detect and identify any unauthorized, abnormal, or malicious access or behavior, and to provide evidence or clues for further investigation or response. Log review is a detective access control mechanism, as it can discover or reveal the occurrence or the source of the security incidents or violations, after they have happened. Least privilege, password complexity, and non-disclosure agreement are not detective access control mechanisms, as they are related to the restriction, protection, or confidentiality of the access or information, not the detection or identification of the security incidents or violations. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 7, Security Operations, page 932. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 7, Security Operations, page 948.

 When using third-party software developers, the most effective method of providing software development Quality Assurance (QA) is to perform overlapping code reviews by both parties. Code reviews are the process of examining the source code of an application for quality, functionality, security, and compliance. Overlapping code reviews by both parties means that the code is reviewed by both the third-party developers and the contracting organization, and that the reviews cover the same or similar aspects of the code. This can ensure that the code meets the requirements and specifications, that the code is free of defects or vulnerabilities, and that the code is consistent and compatible with the existing system or environment. Retaining intellectual property rights through contractual wording, verifying that the contractors attend development planning meetings, and creating a separate contractor development environment are all possible methods of providing software development QA, but they are not the most effective method of doing so. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 8, Software Development Security, page 1026. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 8, Software Development Security, page 1050.

 A risk assessment is the best first step for determining if the appropriate security controls are in place for protecting data at rest. A risk assessment involves identifying the assets, threats, vulnerabilities, and impacts related to the data, as well as the likelihood and severity of potential breaches. Based on the risk assessment, the appropriate security controls can be selected and implemented to mitigate the risks to an acceptable level. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1: Security and Risk Management, p. 35; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 1: Security and Risk Management, p. 41.