ISC2 Certified Information Systems Security Professional CISSP Exam Practice Test

Page: 1 / 14
Total 1486 questions
Question 1

An organization has doubled in size due to a rapid market share increase. The size of the Information Technology (IT) staff has maintained pace with this growth. The organization hires several contractors whose onsite time is limited. The IT department has pushed its limits building servers and rolling out workstations and has a backlog of account management requests.

Which contract is BEST in offloading the task from the IT staff?



Answer : B

Identity as a Service (IDaaS) is the best contract in offloading the task of account management from the IT staff. IDaaS is a cloud-based service that provides identity and access management (IAM) functions, such as user authentication, authorization, provisioning, deprovisioning, password management, single sign-on (SSO), and multifactor authentication (MFA). IDaaS can help the organization to streamline and automate the account management process, reduce the workload and costs of the IT staff, and improve the security and compliance of the user accounts. IDaaS can also support the contractors who have limited onsite time, as they can access the organization's resources remotely and securely through the IDaaS provider.

The other options are not as effective as IDaaS in offloading the task of account management from the IT staff, as they do not provide IAM functions. Platform as a Service (PaaS) is a cloud-based service that provides a platform for developing, testing, and deploying applications, but it does not manage the user accounts for the applications. Desktop as a Service (DaaS) is a cloud-based service that provides virtual desktops for users to access applications and data, but it does not manage the user accounts for the virtual desktops. Software as a Service (SaaS) is a cloud-based service that provides software applications for users to use, but it does not manage the user accounts for the software applications.


Question 2

An information technology (IT) employee who travels frequently to various locations needs to connect remotely to an organization's internal systems to troubleshoot problems. Which of the following solutions BEST serves as a secure control mechanism to meet the organization's requirements?



Answer : D

A bastion host is a hardened server that is placed in the demilitarized zone (DMZ), a network segment that is exposed to the internet and separated from the internal network by firewalls. A bastion host provides a secure and controlled access point for remote users or administrators who need to connect to the internal network or systems. A bastion host can also act as a proxy server, a VPN gateway, or a jump server, depending on the configuration and the purpose. A bastion host should be protected by multiple layers of security, such as multi-factor authentication (MFA), encryption, logging, monitoring, and patching. A bastion host is the best solution to allow an IT employee who travels frequently to various locations to troubleshoot problems remotely, as it minimizes the exposure and the risk of unauthorized access.

The other options are not as secure or feasible as a bastion host. Updating the firewall rules to include the static IP addresses of the locations where the employee connects from is not a good practice, as it creates unnecessary firewall rules and it assumes that the employee always connects from the same locations. Installing a third-party screen sharing solution that provides remote connection from a public website is not a secure option, as it relies on an external service that may not be trustworthy or compliant with the organization's policies. Implementing a Dynamic Domain Name Services (DDNS) account to initiate a VPN using the DDNS record is not a practical option, as it requires the employee to have a dynamic IP address and a DDNS client on their device, and it may not work with some firewalls or routers that block DDNS traffic.

Reference: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5: Communication and Network Security, page 597; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 5: Communication and Network Security, page 598.


Question 3

An organization implements a Remote Access Server (RAS). Once users connect to the server, digital certificates are used to authenticate their identity. What type of Extensible Authentication Protocol (EAP) would the organization use during this authentication?



Answer : A

EAP-Transport Layer Security (EAP-TLS) is the Extensible Authentication Protocol (EAP) method the organization would use during this authentication. EAP is a framework that supports various methods of authentication for network access. EAP-TLS is the EAP method that uses digital certificates to authenticate both the client and the server, and to establish a secure session key for encryption. It provides strong security, mutual authentication, and resistance to replay attacks.

Reference: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 4: Communication and Network Security, page 189; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 4: Communication and Network Security, page 263.


Question 4

Which of the following goals represents a modern shift in risk management according to National Institute of Standards and Technology (NIST)?



Question 5

The security team has been tasked with performing an interface test against a frontend external facing application and needs to verify that all input fields protect against invalid input. Which of the following BEST assists this process?



Answer : A

The technique that can be used to verify that all input fields protect against invalid input is application fuzzing. Application fuzzing generates and submits random, malformed, or unexpected data to an application, system, or resource, then observes its behavior, response, or output in order to identify errors, bugs, or vulnerabilities triggered by that data. Applied to input fields, fuzzing supplies many types and formats of data, such as strings, numbers, symbols, or commands, and watches for crashes, exceptions, or anomalies. This exercises and validates the input validation, sanitization, and filtering mechanisms that are supposed to prevent, mitigate, or handle invalid input, and so helps to ensure the functionality, performance, and security of the application.

Instruction set simulation, regression testing, and sanity testing are not techniques for verifying that input fields reject invalid input: they are used to emulate, verify, or check the functionality, performance, or compatibility of the application, system, or resource, rather than to test its response to random, malformed, or unexpected data.

Reference: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 8: Software Development Security, page 552; CISSP Official (ISC)2 Practice Tests, Third Edition, Domain 8: Software Development Security, Question 8.14, page 306.
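As an added illustration of fuzzing an input field (example code written for this page, not taken from the cited references): a small seeded fuzzer drives two constructed age-field handlers, a naive one that trusts its input and a hardened one that whitelists it, and records every uncaught exception as a finding.

```python
import random
import re
import string
from typing import Callable, Iterator, List, Optional, Tuple

# Constructed "before" handler: trusts the input shape, so int() raises on
# "", "abc", "1e3", "²" and similar junk instead of rejecting it cleanly.
def naive_age_field(value: str) -> int:
    return int(value)

# Hardened handler: whitelist 1-3 ASCII digits and a sane range; anything
# else is rejected with None rather than an uncaught exception.
def hardened_age_field(value: str) -> Optional[int]:
    if not re.fullmatch(r"[0-9]{1,3}", value):
        return None
    age = int(value)
    return age if age <= 150 else None

# Constructed seed corpus of strings, numbers, symbols and encoding edge cases,
# followed by random and mutated variants; the rng is seeded so runs repeat.
CORPUS = ["", "0", "42", "-1", "999", "1e3", "0x1f", " 42", "42\n", "\x00",
          "٣", "²", "NaN", "<script>", "4" * 5000, "\u202e42"]

def gen_inputs(rng: random.Random, count: int) -> Iterator[str]:
    yield from CORPUS                       # always try every seed first
    alphabet = string.printable + "٣²é\u202e"
    for _ in range(count):
        if rng.random() < 0.5:              # pure random string
            yield "".join(rng.choice(alphabet) for _ in range(rng.randrange(0, 24)))
        else:                               # mutate a seed: insert one random char
            base = rng.choice(CORPUS)
            pos = rng.randrange(0, len(base) + 1)
            yield base[:pos] + rng.choice(alphabet) + base[pos:]

# Drive one field handler with fuzzed input; any uncaught exception means the
# field failed to handle invalid input and is recorded as a finding.
def fuzz_field(handler: Callable[[str], object], seed: int = 1,
               count: int = 500) -> List[Tuple[str, str]]:
    rng = random.Random(seed)
    findings = []
    for sample in gen_inputs(rng, count):
        try:
            handler(sample)
        except Exception as exc:
            findings.append((sample[:40], type(exc).__name__))
    return findings

if __name__ == "__main__":
    print("naive:", len(fuzz_field(naive_age_field)), "failures")
    print("hardened:", len(fuzz_field(hardened_age_field)), "failures")
```

A finding here is any uncaught exception; in a real interface test the same loop would also check that the field's response is the expected rejection rather than a silent acceptance.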

