Pass the ISC 2 Credentials CISSP Questions and answers with ExamsMirror

Password Authentication Protocol (PAP) is a remote access protocol that uses a static authentication method, which means that the username and password are sent in clear text over the network. PAP is considered insecure and vulnerable to eavesdropping and replay attacks, as anyone who can capture the network traffic can obtain the credentials. PAP is supported by Point-to-Point Protocol (PPP), which is a common protocol for establishing remote connections over dial-up, broadband, or wireless networks. PAP is usually used as a fallback option when more secure protocols, such as Challenge Handshake Authentication Protocol (CHAP) or Extensible Authentication Protocol (EAP), are not available or compatible. 

Public Key Infrastructure (PKI) is a system that provides the services and mechanisms for creating, managing, distributing, using, storing, and revoking digital certificates and public keys. Digital signatures are a type of electronic signature that use public key cryptography to verify the authenticity and integrity of a message or document. A health care provider that is considering Internet access for their employees and patients should use PKI and digital signatures as the most secure solution for protection of data, because they provide confidentiality, integrity, authentication, non-repudiation, and accountability for the data exchanged over the Internet. The other options are not as secure as PKI and digital signatures, because they do not provide all the security services or they rely on weaker forms of encryption or authentication. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 4, page 211; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 4, page 178

According to the CXL blog1, the scenario that must be covered for the penetration test to be effective is the third-party vendor with access to the system. A third-party vendor is an external entity or organization that provides a service or a product to the organization, such as a software developer, a cloud provider, or a payment processor. A third-party vendor with access to the system is a potential source of vulnerability or risk for the organization, as it may introduce or expose some weaknesses or flaws in the system, such as the configuration, the authentication, or the encryption of the system. A third-party vendor with access to the system may also be a target or a vector of attack for the malicious users or hackers, as it may be compromised or exploited to gain unauthorized or unintended access to the system, or to perform malicious actions or activities on the system, such as stealing, modifying, or deleting the data or information on the system. Therefore, the scenario of the third-party vendor with access to the system must be covered for the penetration test to be effective, as it helps to identify and assess the security gaps or issues that may arise from the third-party vendor’s access to the system, as well as to recommend and implement the appropriate safeguards or countermeasures to prevent or mitigate the potential harm or damage to the system. System administrator access compromised is not the scenario that must be covered for the penetration test to be effective, although it may be a scenario that could be covered for the penetration test to be more comprehensive. A system administrator is an internal entity or person that manages and maintains the system, such as the network, the server, or the database of the organization. A system administrator access compromised is a scenario in which the system administrator’s account or credentials are stolen, hacked, or misused by the malicious users or hackers, who can then access or use the system with the system administrator’s privileges or permissions, such as creating, modifying, or deleting the users, the data, or the settings of the system. A system administrator access compromised is a scenario that could be covered for the penetration test to be more comprehensive, as it helps to identify and assess the security gaps or issues that may arise from the system administrator’s access to the system, as well as to recommend and implement the appropriate safeguards or countermeasures to prevent or mitigate the potential harm or damage to the system. However, a system administrator access compromised is not the scenario that must be covered for the penetration test to be effective, as it is not a common or realistic scenario that occurs in the real world, and as it is not directly related to the third-party vendor’s access to the system, which is the main focus of the penetration test. Internal attacker with access to the system is not the scenario that must be covered for the penetration test to be effective, although it may be a scenario that could be covered for the penetration test to be more comprehensive. An internal attacker is an internal entity or person that performs malicious actions or activities on the system, such as an employee, a contractor, or a partner of the organization. An internal attacker with access to the system is a scenario in which the internal attacker uses their legitimate or illegitimate access to the system to perform malicious actions or activities on the system, such as stealing, modifying, or deleting the data or information on the system. An internal attacker with access to the system is a scenario that could be covered for the penetration test to be more comprehensive, as it helps to identify and assess the security gaps or issues that may arise from the internal attacker’s access to the system, as well as to recommend and implement the appropriate safeguards or countermeasures to prevent or mitigate the potential harm or damage to the system. However, an internal attacker with access to the system is not the scenario that must be covered for the penetration test to be effective, as it is not directly related to the third-party vendor’s access to the system, which is the main focus of the penetration test. Internal user accidentally accessing data is not the scenario that must be covered for the penetration test to be effective, although it may be a scenario that could be covered for the penetration test to be more comprehensive. An internal user is an internal entity or person that uses the system for legitimate purposes or functions, such as an employee, a contractor, or a partner of the organization. An internal user accidentally accessing data is a scenario in which the internal user unintentionally or mistakenly accesses or views the data or information on the system that they are not supposed to access or view, such as the confidential, sensitive, or personal data or information of the organization or the customers. An internal user accidentally accessing data is a scenario that could be covered for the penetration test to be more comprehensive, as it helps to identify and assess the security gaps or issues that may arise from the internal user’s access to the system, as well as to recommend and implement the appropriate safeguards or countermeasures to prevent or mitigate the potential harm or damage to the system. However, an internal user accidentally accessing data is not the scenario that must be covered for the penetration test to be effective, as it is not a malicious or intentional scenario that poses a serious threat or risk to the system, and as it is not directly related to the third-party vendor’s access to the system, which is the main focus of the penetration test. References: 1

According to the CISSP All-in-One Exam Guide2, a characteristic of the initialization vector when using Data Encryption Standard (DES) is that it can be transmitted in the clear as a random number. An initialization vector (IV) is a value or a parameter that is used to initialize or modify the encryption or decryption process, such as the cipher block chaining (CBC) mode of operation. An IV is used to provide an additional layer of security and randomness to the encryption or decryption process, as it prevents the same plaintext from producing the same ciphertext, and vice versa. An IV can be transmitted in the clear as a random number, as it does not contain any sensitive or confidential information, and as it changes with each session or transaction, making it difficult for the attackers to predict or manipulate the encrypted or decrypted data patterns. An IV must be known to both sender and receiver is not a characteristic of the initialization vector when using Data Encryption Standard (DES), as it is a requirement or a condition for the initialization vector when using any symmetric encryption algorithm, not a specific characteristic for DES. A symmetric encryption algorithm is an encryption algorithm that uses the same key for both encryption and decryption, such as DES, Triple DES, or Advanced Encryption Standard (AES). A symmetric encryption algorithm requires that the IV must be known to both sender and receiver, as it is needed for both encryption and decryption, and as it is used to synchronize the encryption or decryption process between the sender and the receiver. An IV must be retained until the last block is transmitted is not a characteristic of the initialization vector when using Data Encryption Standard (DES), as it is a requirement or a condition for the initialization vector when using any block cipher algorithm, not a specific characteristic for DES. A block cipher algorithm is an encryption algorithm that divides the plaintext or the ciphertext into fixed-length blocks, and encrypts or decrypts each block separately, such as DES, Triple DES, or AES. A block cipher algorithm requires that the IV must be retained until the last block is transmitted, as it is used to link or chain the blocks together, and as it is needed for the encryption or decryption of the last block. An IV can be used to encrypt and decrypt information is not a characteristic of the initialization vector when using Data Encryption Standard (DES), as it is a function or a purpose of the initialization vector when using any encryption algorithm, not a specific characteristic for DES. An encryption algorithm is a mathematical function or procedure that transforms the plaintext or the original data into the ciphertext or the encrypted data, and vice versa, using a key or a parameter, such as DES, Triple DES, AES, or Rivest-Shamir-Adleman (RSA). An encryption algorithm uses the IV to encrypt and decrypt information, as it is a value or a parameter that is used to initialize or modify the encryption or decryption process, and as it provides an additional layer of security and randomness to the encryption or decryption process. References: 2

The primary concern when using an Internet browser to access a cloud-based service is the vulnerabilities within protocols that can expose confidential data. Protocols are the rules and formats that govern the communication and exchange of data between systems or applications. Protocols can have vulnerabilities or flaws that can be exploited by attackers to intercept, modify, or steal the data. For example, some protocols may not provide adequate encryption, authentication, or integrity for the data, or they may have weak or outdated algorithms, keys, or certificates. When using an Internet browser to access a cloud-based service, the data may be transmitted over various protocols, such as HTTP, HTTPS, SSL, TLS, etc. If any of these protocols are vulnerable, the data may be compromised, especially if the data is sensitive or confidential. Therefore, it is important to use secure and updated protocols, as well as to monitor and patch any vulnerabilities12 References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 6: Communication and Network Security, p. 338; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 4: Communication and Network Security, p. 456.

According to the CISSP All-in-One Exam Guide, the restoration priorities of a Disaster Recovery Plan (DRP) are based on the Business Impact Analysis (BIA). A DRP is a document that defines the procedures and actions to be taken in the event of a disaster that disrupts the normal operations of an organization. A restoration priority is the order or sequence in which the critical business processes and functions, as well as the supporting resources, such as data, systems, personnel, and facilities, are restored after a disaster. A BIA is a process that assesses the potential impact and consequences of a disaster on the organization’s business processes and functions, as well as the supporting resources. A BIA helps to identify and prioritize the critical business processes and functions, as well as the recovery objectives and time frames for them. A BIA also helps to determine the dependencies and interdependencies among the business processes and functions, as well as the supporting resources. Therefore, the restoration priorities of a DRP are based on the BIA, as it provides the information and analysis that are needed to plan and execute the recovery strategy. A Service Level Agreement (SLA) is not the document that the restoration priorities of a DRP are based on, although it may be a factor that influences the restoration priorities. An SLA is a document that defines the expectations and requirements for the quality and performance of a service or product that is provided by a service provider to a customer or client, such as the availability, reliability, scalability, or security of the service or product. An SLA may help to justify or support the restoration priorities of a DRP, but it does not provide the information and analysis that are needed to plan and execute the recovery strategy. A Business Continuity Plan (BCP) is not the document that the restoration priorities of a DRP are based on, although it may be a document that is aligned with or integrated with a DRP. A BCP is a document that defines the procedures and actions to be taken to ensure the continuity of the essential business operations during and after a disaster. A BCP may cover the same or similar business processes and functions, as well as the supporting resources, as a DRP, but it focuses on the continuity rather than the recovery of them. A BCP may also include other aspects or components that are not covered by a DRP, such as the prevention, mitigation, or response to a disaster. A crisis management plan is not the document that the restoration priorities of a DRP are based on, although it may be a document that is aligned with or integrated with a DRP. A crisis management plan is a document that defines the procedures and actions to be taken to manage and resolve a crisis or emergency situation that may affect the organization, such as a natural disaster, a cyberattack, or a pandemic. A crisis management plan may cover the same or similar business processes and functions, as well as the supporting resources, as a DRP, but it focuses on the management rather than the recovery of them. A crisis management plan may also include other aspects or components that are not covered by a DRP, such as the communication, coordination, or escalation of the crisis or emergency situation.

A baseline is a standard or reference point against which something can be measured or compared. A system configuration baseline is a documented set of specifications for the hardware and software components of an information system, such as operating system, applications, patches, settings, etc. A system configuration baseline can be used to ensure that the system meets the security and performance requirements of the organization, and to detect any unauthorized or unwanted changes to the system. To verify that an information system’s current hardware and software match the standard system configuration, the organization can compare the actual configuration of the system against the baseline, using tools such as configuration management software, checksums, or hashes. Reviewing the configuration after the system goes into production is not sufficient, as it does not account for any changes that may occur after the initial deployment. Running vulnerability scanning tools on all devices in the environment is not specific, as it does not compare the system configuration against the baseline, but rather against a database of known vulnerabilities. Verifying all the approved security patches are implemented is not comprehensive, as it does not cover other aspects of the system configuration, such as applications, settings, etc. References: System Configuration Baseline, [CISSP All-in-One Exam Guide, Eighth Edition, Chapter 3: Security Architecture and Engineering]2

A disaster recovery test plan is a document that describes the methods and procedures for testing the effectiveness and readiness of a disaster recovery plan (DRP), which is a subset of a BCP that focuses on restoring the organization’s IT systems and data after a disruption or disaster. A disaster recovery test plan can have different types and levels of testing, depending on the objectives, scope, and resources of the organization. A parallel test is a type of disaster recovery test plan that involves activating the backup site and running the critical systems and processes in parallel with the primary site, without disrupting the normal operations. A parallel test is the most effective type of disaster recovery test plan, as it simulates a realistic scenario of a disruption or disaster, and allows the organization to evaluate the performance and functionality of the backup site, as well as the communication and coordination between the primary and backup sites. A parallel test also provides minimal risk, as it does not affect the normal operations of the primary site, and does not require switching over to the backup site. A read-through test is a type of disaster recovery test plan that involves reviewing the DRP document and verifying its accuracy and completeness, without performing any actual actions. A read-through test is the least effective type of disaster recovery test plan, as it does not test the actual implementation and execution of the DRP, and does not identify any potential issues or gaps in the DRP. A full interruption test is a type of disaster recovery test plan that involves shutting down the primary site and switching over to the backup site, and performing the normal operations from the backup site. A full interruption test is the most realistic type of disaster recovery test plan, as it tests the actual implementation and execution of the DRP, and identifies any potential issues or gaps in the DRP. However, a full interruption test also provides the highest risk, as it affects the normal operations of the primary site, and may cause data loss, downtime, or customer dissatisfaction. A simulation test is a type of disaster recovery test plan that involves simulating a disruption or disaster scenario and performing the actions and procedures of the DRP, without activating the backup site or affecting the normal operations. A simulation test is a moderately effective type of disaster recovery test plan, as it tests the implementation and execution of the DRP, and identifies any potential issues or gaps in the DRP. However, a simulation test also provides moderate risk, as it does not test the performance and functionality of the backup site, and may not simulate a realistic scenario of a disruption or disaster. References: [Disaster Recovery Test Plan], [CISSP All-in-One Exam Guide, Eighth Edition, Chapter 7: Security Operations]2

 The best description of the purpose of performing security certification is to formalize the confirmation of compliance to security policies and standards. Security certification is the process of evaluating and validating the security posture and compliance of a system or network against a set of predefined criteria, such as security policies, standards, regulations, or best practices. Security certification results in a formal statement or document that attests the level of security and compliance achieved by the system or network.

A. To identify system threats, vulnerabilities, and acceptable level of risk is not the best description of the purpose of performing security certification, but rather the purpose of performing security assessment. Security assessment is the process of identifying and analyzing the security threats, vulnerabilities, and risks of a system or network, and determining the acceptable level of risk and the risk mitigation strategies.

C. To formalize the confirmation of completed risk mitigation and risk analysis is not the best description of the purpose of performing security certification, but rather the purpose of performing security accreditation. Security accreditation is the process of authorizing and approving the operation of a system or network based on the results of security certification and risk analysis, and the acceptance of residual risk.

D. To verify that system architecture and interconnections with other systems are effectively implemented is not the best description of the purpose of performing security certification, but rather one of the possible aspects or objectives of security certification. Security certification can cover various aspects of system security, such as architecture, design, implementation, configuration, operation, maintenance, or interconnection.

References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 3, page 147; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 3, page 123

Access based on user’s role provides the minimum set of privileges required to perform a job function and restricts the user to a domain with the required privileges. This is also known as role-based access control (RBAC), which is a method of enforcing the principle of least privilege. RBAC assigns permissions to roles rather than individual users, and users are assigned roles based on their responsibilities and qualifications

The opening of a mechanical lock without the proper key by carefully aligning the pins in the lock is defined as lock picking. A mechanical lock is a device that secures an entry point, such as a door, a window, or a cabinet, by using a physical mechanism, such as a pin tumbler, a wafer, or a disc detainer. A mechanical lock requires a proper key to unlock it, which matches the configuration of the mechanism. Lock picking is a technique of manipulating the mechanism of the lock without the proper key, usually by using tools, such as picks, tension wrenches, or rakes. Lock picking can exploit the flaws or weaknesses of the lock, such as the variations, tolerances, or defects of the pins or the cylinder. Lock picking can be used for legitimate purposes, such as locksmithing, hobby, or sport, or for illegitimate purposes, such as burglary, espionage, or sabotage.References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 3: Security Engineering, p. 136; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 3: Security Engineering, p. 297.

Single Sign-On (SSO) is primarily designed to address accountability and assurance. SSO is a mechanism that enables a user to authenticate once and gain access to multiple systems or applications without having to reauthenticate. SSO improves accountability by providing a centralized and consistent way of managing user identities and access rights across different systems or applications. SSO also improves assurance by reducing the risk of password compromise, user fatigue, and human error, as users do not have to remember or enter multiple passwords. The other options are not the primary goals of SSO, but rather secondary benefits or challenges. Option A is a description of confidentiality and integrity, which are security properties that SSO can enhance by using strong encryption and authentication methods, but they are not the main purpose of SSO. Option B is a description of availability and accountability, which are security properties that SSO can improve by simplifying the user experience and reducing the authentication overhead, but they are not the primary objectives of SSO. Option C is a description of integrity and availability, which are security properties that SSO can support by ensuring the consistency and reliability of user data and access, but they are not the main focus of SSO. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5, p. 281; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 6, p. 355.

Logging and audit trail controls are designed to record and monitor the activities and events that occur on a system or network. They can provide valuable information for forensic analysis, such as the source, destination, time, and type of an event, the user or process involved, the data or resources accessed or modified, and the outcome or status of the event. Logging and audit trail controls can help identify the cause, scope, impact, and timeline of an attack, as well as the evidence and artifacts left by the attacker. They can also help determine the effectiveness and gaps of the preventive and detective controls, and support the incident response and recovery processes. Logging and audit trail controls should be configured, protected, and reviewed according to the organizational policies and standards, and comply with the legal and regulatory requirements.

The correct procedure for handling the unlabeled, disconnected, and powered off devices that are found while inventorying storage equipment is that they should be inspected and sanitized following the organizational policy. The unlabeled, disconnected, and powered off devices are the devices or the systems that are not identified, not connected, or not turned on, and that are used or intended for storing or holding the data or the information, such as the hard disks, the flash drives, or the memory cards. The correct procedure for handling the unlabeled, disconnected, and powered off devices is that they should be inspected and sanitized following the organizational policy, which means that they should be examined or checked and cleaned or erased according to the rules or the guidelines that are established or defined by the organization, and that are based on the classification, the sensitivity, or the value of the data or the information that are stored or held on the devices or the systems. The inspection and the sanitization of the unlabeled, disconnected, and powered off devices can ensure or maintain the security or the privacy of the data or the information, as they can prevent or reduce the risk of unauthorized or inappropriate access or disclosure of the data or the information by the third parties or the attackers who access or compromise the devices or the systems.

A. They should be recycled to save energy is not the correct procedure for handling the unlabeled, disconnected, and powered off devices that are found while inventorying storage equipment, but rather a procedure that is performed or applied after the inspection and the sanitization of the devices or the systems, and that is intended or aimed to conserve or to preserve the energy or the resources, by reusing or repurposing the devices or the systems, or by disposing or discarding them in an environmentally friendly or responsible manner.

B. They should be recycled according to NIST SP 800-88 is not the correct procedure for handling the unlabeled, disconnected, and powered off devices that are found while inventorying storage equipment, but rather a procedure that is performed or applied after the inspection and the sanitization of the devices or the systems, and that is based or derived on the NIST SP 800-88, which is a special publication or a document that provides or offers the guidance or the recommendations for the media sanitization or the media disposal, and that is published or issued by the National Institute of Standards and Technology (NIST), which is a federal agency or an organization that develops or establishes the standards or the best practices for the science, the technology, or the engineering.

D. They should be inspected and categorized properly to sell them for reuse is not the correct procedure for handling the unlabeled, disconnected, and powered off devices that are found while inventorying storage equipment, but rather a procedure that is performed or applied after the inspection and the sanitization of the devices or the systems, and that is intended or aimed to generate or to produce the revenue or the income, by selling or transferring the devices or the systems to the other parties or the entities, who can use or utilize the devices or the systems for their own purposes or needs.

References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 7, page 198; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 7, page 355

The entity that is ultimately accountable for data remanence vulnerabilities with data replicated by a cloud service provider is the data owner. A data owner is a person or an entity that has the authority or the responsibility for the data or the information within an organization, and that determines or defines the classification, the usage, the protection, or the retention of the data or the information. A data owner has the obligation to ensure that a third party provider is capable of processing and handling data in a secure manner and meeting the standards set by the organization, as the data owner is ultimately accountable or liable for the security or the quality of the data or the information, regardless of who processes or handles the data or the information. A data owner can ensure that a third party provider is capable of processing and handling data in a secure manner and meeting the standards set by the organization, by performing the tasks or the functions such as conducting due diligence, establishing service level agreements, defining security requirements, monitoring performance, or auditing compliance. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 2, page 61; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 2, page 67