An Intrusion Detection System (IDS) is generating alarms that a user account has over 100 failed login attempts per minute. A sniffer is placed on the network, and a variety of passwords for that user are noted. Which of the following is MOST likely occurring?
Answer : A
A dictionary attack is a type of brute-force attack that attempts to guess a user's password by trying a large number of candidate words or phrases, typically taken from a dictionary or a list of commonly used passwords. An Intrusion Detection System (IDS) can detect a dictionary attack from the high number of failed login attempts per minute against the same user account, and a sniffer on the network can capture the traffic and reveal the variety of passwords being tried by the attacker. Reference: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 6, page 657; CISSP For Dummies, 7th Edition, Chapter 6, page 197.
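The IDS side of the scenario above, as an added example that is not part of the original study material: a small detector that parses syslog-style sshd failure lines, keeps a per-user sliding one-minute window, and raises one alert when a user exceeds the "over 100 failed attempts per minute" threshold the question describes. The log lines, host name, user names and IP addresses are all constructed for the example; the year is supplied by hand because syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Syslog-style sshd failure line (constructed format for this example), e.g.
# "Mar 03 10:00:00 host1 sshd[1000]: Failed password for jdoe from 203.0.113.7 port 40000 ssh2"
FAILED_LOGIN = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_failed_login(line, year=2024):
    """Return (timestamp, user, source) for a failed-login line, else None.
    Syslog lines carry no year, so one is supplied (an assumption of the sample)."""
    m = FAILED_LOGIN.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["src"]


def detect_password_guessing(lines, threshold=100, window=timedelta(minutes=1)):
    """Alert once per user when failures inside a sliding window exceed threshold."""
    recent = defaultdict(deque)   # user -> timestamps of failures still inside the window
    alerted = set()
    alerts = []
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:          # successful logins and unrelated lines are ignored
            continue
        ts, user, src = parsed
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:   # drop failures that have aged out of the window
            q.popleft()
        if len(q) > threshold and user not in alerted:
            alerted.add(user)
            alerts.append({"user": user, "at": ts,
                           "failures_in_window": len(q), "last_src": src})
    return alerts


def make_sample_log():
    """Constructed sample: 120 failures for jdoe within 60 s, plus 5 spread-out
    failures for bob (one per minute, the pattern of an ordinary mistyped password)."""
    base = datetime(2024, 3, 3, 10, 0, 0)
    lines = []
    for i in range(120):
        ts = base + timedelta(seconds=i // 2)           # two failures per second
        lines.append(f"{ts.strftime('%b %d %H:%M:%S')} host1 sshd[{1000 + i}]: "
                     f"Failed password for jdoe from 203.0.113.7 port {40000 + i} ssh2")
    for k in range(5):
        ts = base + timedelta(minutes=k)
        lines.append(f"{ts.strftime('%b %d %H:%M:%S')} host1 sshd[{2000 + k}]: "
                     f"Failed password for bob from 198.51.100.9 port {50000 + k} ssh2")
    lines.append("Mar 03 10:00:30 host1 sshd[3000]: Accepted publickey for carol "
                 "from 198.51.100.10 port 51000 ssh2")
    return lines


if __name__ == "__main__":
    for a in detect_password_guessing(make_sample_log()):
        print(f"ALERT user={a['user']} failures={a['failures_in_window']} "
              f"at={a['at']} src={a['last_src']}")
```

The detector alerts on the 101st failure for jdoe and stays silent for bob, whose five failures never share a one-minute window. Note that the logs carry no passwords; the variety of passwords in the question is only visible to the sniffer, which is why the two signals together point at a dictionary attack rather than a single misconfigured client retrying one credential.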
Secure real-time transport protocol (SRTP) provides security for which of the following?
Answer : B
Secure Real-time Transport Protocol (SRTP) provides security for voice communication. SRTP is a protocol that extends the Real-time Transport Protocol (RTP) to provide confidentiality, integrity, and authentication for voice and video data over IP networks. SRTP can encrypt and authenticate the RTP packets, as well as prevent replay attacks and protect against traffic analysis. SRTP can be used for applications such as Voice over IP (VoIP), video conferencing, or streaming media. Time-sensitive e-communication, satellite communication, and network communication for real-time operating systems are not the types of communication that SRTP provides security for, but they may use other protocols or mechanisms for security. Reference: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 6: Communication and Network Security, page 760; Official (ISC)2 Guide to the CISSP CBK, Fifth Edition, Chapter 4: Communication and Network Security, page 536.
Which access control method is based on users issuing access requests on system resources, features assigned to those resources, the operational or situational context, and a set of policies specified in terms of those features and context?
Answer : D
Attribute Based Access Control (ABAC) is an access control method that is based on users issuing access requests on system resources, features assigned to those resources, the operational or situational context, and a set of policies specified in terms of those features and context. ABAC uses attributes, which are characteristics or properties of users, resources, actions, or environments, to define access rules and enforce access decisions. ABAC allows for fine-grained, dynamic, and flexible access control that can accommodate complex and changing scenarios and requirements. Mandatory Access Control (MAC) is an access control method that is based on security labels assigned to users and resources, and a set of rules that determine the access permissions based on the comparison of those labels. MAC is rigid, static, and centralized, and it enforces a strict need-to-know policy. Role Based Access Control (RBAC) is an access control method that is based on roles assigned to users and permissions assigned to roles, and a set of rules that determine the access permissions based on the user's role membership. RBAC is simple, scalable, and decentralized, and it enforces the principle of least privilege. Discretionary Access Control (DAC) is an access control method that is based on the identity of users and the ownership of resources, and a set of rules that determine the access permissions based on the user's identity or the owner's discretion. DAC is flexible, user-controlled, and individualized, but it can also be inconsistent, insecure, and difficult to manage. Reference: CISSP CBK Reference, 5th Edition, Chapter 5, page 269; CISSP All-in-One Exam Guide, 8th Edition, Chapter 5, page 241.
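An ABAC policy decision point in miniature, as an added example that is not part of the original study material: each rule is a predicate over subject attributes, resource attributes, the requested action and the environment (time of day, network), and the decision is combined deny-overrides, with deny as the default when no rule applies. The clinical-records scenario, the rule names, the attribute names and the sample users are all hypothetical and constructed for the example.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

Attrs = Dict[str, Any]


@dataclass
class Request:
    subject: Attrs        # attributes of the user making the request
    action: str           # the operation requested
    resource: Attrs       # attributes ("features") assigned to the resource
    environment: Attrs    # operational or situational context


@dataclass
class Rule:
    name: str
    effect: str                           # "permit" or "deny"
    condition: Callable[[Request], bool]  # policy written over attributes and context


def business_hours(r: Request) -> bool:
    return 8 <= r.environment["hour"] < 18


# Hypothetical policy set for a clinical records system (constructed for this example).
POLICY: List[Rule] = [
    Rule("deny-export-off-hours", "deny",
         lambda r: r.action == "export" and not business_hours(r)),
    Rule("deny-sensitive-off-network", "deny",
         lambda r: r.resource["sensitivity"] >= 3 and r.environment["network"] != "corp"),
    Rule("permit-same-department-read", "permit",
         lambda r: r.action == "read"
         and r.subject["department"] == r.resource["department"]
         and r.subject["clearance"] >= r.resource["sensitivity"]),
    Rule("permit-owner", "permit",
         lambda r: r.subject["id"] == r.resource["owner"]),
]


def evaluate(request: Request, policy: List[Rule] = POLICY) -> Tuple[str, List[str]]:
    """Deny-overrides combining: any applicable deny wins; otherwise any applicable
    permit grants access; with no applicable rule at all the default is deny."""
    applicable = [rule for rule in policy if rule.condition(request)]
    names = [rule.name for rule in applicable]
    if any(rule.effect == "deny" for rule in applicable):
        return "deny", names
    if any(rule.effect == "permit" for rule in applicable):
        return "permit", names
    return "deny", names


# Constructed sample subjects, resources and contexts.
ALICE = {"id": "u1", "department": "cardiology", "clearance": 2}
BOB = {"id": "u9", "department": "billing", "clearance": 1}
RECORD = {"department": "cardiology", "sensitivity": 2, "owner": "u9"}
RESTRICTED = {"department": "cardiology", "sensitivity": 3, "owner": "u1"}
ONSITE_DAY = {"hour": 10, "network": "corp"}
HOME_NIGHT = {"hour": 22, "network": "home"}


def demo() -> Dict[str, Tuple[str, List[str]]]:
    """Evaluate four requests that differ only in attributes and context."""
    return {
        "clinician_reads_dept_record_onsite":
            evaluate(Request(ALICE, "read", RECORD, ONSITE_DAY)),
        "clinician_reads_restricted_from_home":
            evaluate(Request(ALICE, "read", RESTRICTED, HOME_NIGHT)),
        "clinician_exports_at_night":
            evaluate(Request(ALICE, "export", RECORD, HOME_NIGHT)),
        "patient_reads_own_record_from_home":
            evaluate(Request(BOB, "read", RECORD, HOME_NIGHT)),
    }


if __name__ == "__main__":
    for name, (decision, matched) in demo().items():
        print(f"{name}: {decision} (rules: {', '.join(matched) or 'none'})")
```

The second request shows why the combining algorithm matters: the owner rule would permit Alice to read her own restricted record, but the off-network deny for sensitive data overrides it. The owner rule alone is what DAC expresses, and a role check would be RBAC; the hour and network conditions are the situational context that only ABAC captures.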
Digital certificates used in Transport Layer Security (TLS) support which of the following?
Answer : D
Digital certificates used in Transport Layer Security (TLS) support non-repudiation controls and data encryption. TLS is a protocol that provides secure communication over the internet, by using encryption, authentication, and integrity mechanisms. Digital certificates are electronic documents that contain the public key and identity information of an entity, such as a server, a client, or a user. Digital certificates are issued and verified by a trusted third party, called a certificate authority (CA). Digital certificates are used in TLS to support two features: non-repudiation controls and data encryption. Non-repudiation controls are the measures that prevent an entity from denying or disputing the validity or authenticity of a communication or transaction. Data encryption is the process of transforming data into an unreadable form, using a secret key, to protect the confidentiality of the data. Digital certificates support non-repudiation controls by using digital signatures, which are the encrypted hashes of the data, signed with the private key of the sender. Digital signatures can prove the origin, identity, and integrity of the data, and prevent the sender from denying or altering the data. Digital certificates support data encryption by using public key encryption, which is a type of encryption that uses a pair of keys: a public key and a private key. Public key encryption can encrypt the data with the public key of the receiver, and decrypt the data with the private key of the receiver. Public key encryption can ensure that only the intended receiver can access the data, and protect the data from unauthorized interception or modification. Reference: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 3: Security Engineering, page 125; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 3: Security Engineering, page 187.
What is a characteristic of Secure Socket Layer (SSL) and Transport Layer Security (TLS)?
Answer : A
SSL and TLS provide a generic channel security mechanism on top of TCP. This means that SSL and TLS are protocols that enable secure communication between two parties over a network, such as the internet, by using encryption, authentication, and integrity mechanisms. SSL and TLS operate at the transport layer of the OSI model, above the TCP protocol, which provides reliable and ordered delivery of data. SSL and TLS can be used to secure various application layer protocols, such as HTTP, SMTP, FTP, and so on. SSL and TLS do not provide nonrepudiation by default, as this is a service that requires digital signatures and certificates to prove the origin and content of a message. SSL and TLS do provide security for most routed protocols, as they can encrypt and authenticate any data that is transmitted over TCP. SSL and TLS do not provide header encapsulation over HTTP, as this is a function of the HTTPS protocol, which is a combination of HTTP and SSL/TLS.
According to the (ISC)2 ethics canon "act honorably, honestly, justly, responsibly, and legally," which order should be used when resolving conflicts?
Answer : A
According to the (ISC)2 ethics canon "act honorably, honestly, justly, responsibly, and legally," the order that should be used when resolving conflicts is public safety and duties to principals, individuals, and the profession. The (ISC)2 ethics canon is a set of ethical principles and guidelines that govern the professional and personal conduct of the (ISC)2 members and certification holders. The (ISC)2 ethics canon states that the (ISC)2 members and certification holders should act honorably, honestly, justly, responsibly, and legally, and that they should advance and protect the profession. The (ISC)2 ethics canon also provides a hierarchy of obligations that the (ISC)2 members and certification holders should follow when resolving conflicts or dilemmas that may arise from their professional or personal activities. The hierarchy of obligations is as follows: public safety and duties to principals, individuals, and the profession. Public safety is the highest obligation, and it refers to the protection of the health, welfare, and security of the general public from any harm or danger. Duties to principals are the second highest obligation, and they refer to the loyalty, fidelity, and honesty that the (ISC)2 members and certification holders owe to their employers, clients, or customers. Individuals are the third highest obligation, and they refer to the respect, dignity, and privacy that the (ISC)2 members and certification holders should show to other people, such as colleagues, peers, or users. The profession is the lowest obligation, and it refers to the advancement and protection of the information security profession and its reputation, standards, and ethics. The other options are not the correct order of the hierarchy of obligations according to the (ISC)2 ethics canon. Reference: Official (ISC)2 Guide to the CISSP CBK, Fifth Edition, Chapter 1: Security and Risk Management, page 35.
Which of the following is a process within a Systems Engineering Life Cycle (SELC) stage?
Answer : A
Requirements analysis is a process within the Systems Engineering Life Cycle (SELC) stage of Concept Development. It involves defining the problem, identifying the stakeholders, eliciting the requirements, analyzing the requirements, and validating the requirements. Requirements analysis is essential for ensuring that the system meets the needs and expectations of the users and customers. Reference: Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 3: Security Architecture and Engineering, p. 295; CISSP All-in-One Exam Guide, Eighth Edition, Chapter 4: Security Architecture and Design, p. 149.