[2022] Use Valid CISSP Exam - Actual Exam Question & Answer
Exam Outline
According to the vendor, the CISSP exam is offered in two formats: computerized adaptive testing (CAT) for the English exam and a linear exam for the other languages. The CAT version has 100-150 questions, in multiple-choice and advanced innovative formats, with a 3-hour time limit; the linear version has 250 items to complete in 6 hours. Both require a passing score of 700 out of 1000 points. Candidates for either format are expected to have in-depth knowledge across the eight domains of the CISSP Common Body of Knowledge:
- Security and Risk Management;
- Asset Security;
- Security Architecture and Engineering;
- Communication and Network Security;
- Identity and Access Management (IAM);
- Security Assessment and Testing;
- Security Operations;
- Software Development Security.
Finally, you can schedule your CISSP certification exam by creating a Pearson VUE account and then selecting the testing center nearest to you.
ISC2 CISSP Exam Certification Details:
| Item | Detail |
|---|---|
| Exam Name | ISC2 Certified Information Systems Security Professional (CISSP) |
| Exam Code | CISSP |
| Schedule Exam | Pearson VUE |
| Duration | 180 mins |
| Number of Questions | 100-150 |
| Passing Score | 700/1000 |
| Exam Price | $699 (USD) |
| Sample Questions | ISC2 CISSP Sample Questions |
NEW QUESTION 556
Which of the following threats exists with an implementation of digital signatures?
- A. Substitution
- B. Spoofing
- C. Content tampering
- D. Eavesdropping
Answer: B
Explanation:
A digital signature binds a hash of the content to the signer's private key, so substitution of the message and tampering with its content are detected when the signature is verified. A signature does not encrypt the content, so confidentiality (and therefore eavesdropping) is outside what the mechanism addresses at all. The threat that remains against the signature mechanism itself is spoofing: a signature can be forged by anyone who obtains the signer's private key, or accepted from the wrong party by a verifier that does not validate the certificate chain back to a trusted root.
NEW QUESTION 557
Which of the following is the MAIN reason for using configuration management?
- A. To provide consistency in security controls
- B. To provide centralized administration
- C. To reduce the number of changes
- D. To reduce errors during upgrades
Answer: A
Explanation:
Configuration management keeps a documented, approved baseline of system and security settings and controls every change against that baseline, so security controls are applied consistently across systems and drift is detected. Centralized administration, fewer changes and fewer upgrade errors can follow from it, but they are side effects rather than its main purpose.
NEW QUESTION 558
The Foreign Intelligence Surveillance Act (FISA) of 1978, the Electronic Communications Privacy Act (ECPA) of 1986, and the Communications Assistance for Law Enforcement Act (CALEA) of 1994 are legislative acts passed by the United States Congress. These acts all address what major information security issue?
- A. Unlawful use of and access to government computers and networks
- B. Computer fraud
- C. Wiretapping
- D. Malicious code
Answer: C
Explanation:
These laws reflected different views concerning wiretapping as technology progressed. The Foreign Intelligence Surveillance Act (FISA) of 1978 limited wiretapping for national security purposes as a result of the record of the Nixon Administration in using illegal wiretaps. The Electronic Communications Privacy Act (ECPA) of 1986 prohibited eavesdropping or the interception of message contents without distinguishing between private or public systems. The Communications Assistance for Law Enforcement Act (CALEA) of 1994 required all communications carriers to make wiretaps possible in ways approved by the FBI.
NEW QUESTION 559
Which of the following phases of a system development life-cycle is most concerned with maintaining proper authentication of users and processes to ensure appropriate access control decisions?
- A. Implementation
- B. Initiation
- C. Operation/Maintenance
- D. Development/acquisition
Answer: C
Explanation:
The operation phase of an IT system is concerned with user authentication.
Authentication is the process where a system establishes the validity of a transmission, message, or a means of verifying the eligibility of an individual, process, or machine to carry out a desired action, thereby ensuring that security is not compromised by an untrusted source.
It is essential that adequate authentication be achieved in order to implement security policies and achieve security goals. Additionally, level of trust is always an issue when dealing with cross-domain interactions. The solution is to establish an authentication policy and apply it to cross-domain interactions as required.
Source: STONEBURNER, Gary & al, National Institute of Standards and Technology (NIST), NIST Special Publication 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security), June 2001 (page 15).
NEW QUESTION 560
The access matrix model has which of the following common implementations?
- A. Capabilities.
- B. Access control lists.
- C. Access control lists and capabilities.
- D. Access control list and availability.
Answer: C
Explanation:
The two most used implementations are access control lists and capabilities. An access control list is a column of the matrix: each object carries a list of subjects and their rights to that object. A capability list is a row of the matrix: each subject holds a list of objects and the rights it has to each, presented as a ticket that the system must keep unforgeable.
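Worked example (added by the editor; not code from the original question bank): one constructed access matrix stored as ACLs (one list per object) and as capability lists (one list per subject), a check that both views answer every access question identically, and a revocation routine that shows why revoking access to an object is a one-column change with ACLs but a search of every subject's tickets with capabilities. Subjects, objects and rights are made-up sample data.

```python
"""One access matrix, stored two ways: ACLs (per object) and capability lists
(per subject). Example added by the editor; not code from the source page.
Subjects, objects and rights are constructed sample data."""
from typing import Dict, Set

Matrix = Dict[str, Dict[str, Set[str]]]   # subject -> object -> rights

# Constructed matrix: rows are subjects, columns are objects.
MATRIX: Matrix = {
    "alice": {"payroll.db": {"read", "write"}, "memo.txt": {"read"}},
    "bob":   {"memo.txt": {"read", "write"}},
    "svc":   {"payroll.db": {"read"}},
}


def to_acls(matrix: Matrix) -> Dict[str, Dict[str, Set[str]]]:
    """Column view: each object carries the list of subjects and their rights."""
    acls: Dict[str, Dict[str, Set[str]]] = {}
    for subj, row in matrix.items():
        for obj, rights in row.items():
            acls.setdefault(obj, {})[subj] = set(rights)
    return acls


def to_capabilities(matrix: Matrix) -> Matrix:
    """Row view: each subject holds tickets naming objects and rights."""
    return {subj: {obj: set(rights) for obj, rights in row.items()}
            for subj, row in matrix.items()}


def check_acl(acls, subj: str, obj: str, right: str) -> bool:
    """ACL decision: find the object, then the subject's entry on it."""
    return right in acls.get(obj, {}).get(subj, set())


def check_capability(caps, subj: str, obj: str, right: str) -> bool:
    """Capability decision: the subject presents its ticket for the object."""
    return right in caps.get(subj, {}).get(obj, set())


def views_agree(matrix: Matrix) -> bool:
    """Both implementations must answer every cell of the matrix identically."""
    acls, caps = to_acls(matrix), to_capabilities(matrix)
    return all(check_acl(acls, s, o, r) == check_capability(caps, s, o, r)
               for s in matrix for o in acls for r in ("read", "write", "execute"))


def revoke_object(acls, caps, obj: str) -> int:
    """Revoke all access to an object. With ACLs one column is dropped; with
    capabilities every subject's ticket list has to be searched. Returns the
    number of capability rows that had to be touched."""
    acls.pop(obj, None)
    touched = 0
    for row in caps.values():
        if row.pop(obj, None) is not None:
            touched += 1
    return touched
```

The revocation count is the practical difference the question is pointing at: the ACL side is a single dictionary pop, while the capability side has to visit every row to find the tickets that name the object.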
NEW QUESTION 561
In SSL/TLS protocol, what kind of authentication is supported?
- A. Role based authentication scheme
- B. Server authentication (mandatory) and client authentication (optional)
- C. Only server authentication (optional)
- D. Peer-to-peer authentication
Answer: B
Explanation:
"The server sends a message back to the client indicating that a secure session needs to be established, and the client sends it security parameters. The server compares those security parameters to its own until it finds a match. This is the handshaking phase. The server authenticates to the client by sending it a digital certificate, and if the client decides to trust the server the process continues. The server can require the client to send over a digital certificate for mutual authentication, but that is rare."
Pg. 523 Shon Harris: All-In-One CISSP Certification Exam Guide
NEW QUESTION 562
Which of the following is a physical security control that protects Automated Teller Machines (ATM) from skimming?
- A. Anti-tampering
- B. Radio Frequency (RF) scanner
- C. Intrusion Prevention System (IPS)
- D. Secure card reader
Answer: A
NEW QUESTION 563
Asymmetric algorithms are used for which of the following when using Secure Sockets Layer/Transport Layer Security (SSL/TLS) for implementing network security?
- A. Hashing digest
- B. Session encryption
- C. Peer authentication
- D. Payload data encryption
Answer: C
Explanation:
In SSL/TLS the asymmetric (public-key) algorithms are used for peer authentication, through the signature on the server's certificate (and the client's, when client authentication is required), and for establishing the shared secret during key exchange. The session keys derived from that secret drive symmetric ciphers such as AES, which encrypt the payload; hashing digests come from MAC or HMAC-based functions. Asymmetric operations are far too slow for bulk data, which is why the handshake uses them only to authenticate the peer and bootstrap the symmetric session.
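Worked example for questions 561 and 563 (added by the editor; not code from the original question bank). It uses only Python's standard ssl module: classify_suite() splits a TLS cipher-suite name into the key-exchange and authentication algorithms (asymmetric) and the bulk cipher and PRF (symmetric), and default_verify_modes() shows that a client-side context verifies the server's certificate by default while a server-side context does not require a client certificate until configured to. The suite names are constructed input, not a live negotiation; no sockets are opened.

```python
"""Which parts of a TLS session use asymmetric cryptography, and whose
certificate is mandatory. Example added by the editor; not from the source
page. Uses only the standard ssl module; the cipher-suite names are
constructed input, not a live negotiation."""
import ssl

# OpenSSL-style TLS 1.2 suite names read KX-AUTH-BULK[-PRF],
# e.g. ECDHE-RSA-AES256-GCM-SHA384.
EPHEMERAL_KX = ("ECDHE", "DHE")


def classify_suite(name: str) -> dict:
    """Split a suite name into its algorithms and tag each as asymmetric or symmetric."""
    if name.startswith("TLS_"):
        # TLS 1.3 names carry only the AEAD cipher and hash; (EC)DHE/PSK key
        # exchange and the certificate signature are negotiated in separate extensions.
        bulk, _, prf = name[4:].rpartition("_")
        return {"version": "1.3", "kx": "(EC)DHE or PSK (negotiated separately)",
                "auth": "certificate signature (negotiated separately)",
                "bulk": bulk.replace("_", "-"), "prf": prf,
                "asymmetric": ["kx", "auth"], "symmetric": ["bulk"]}
    parts = name.split("-")
    if parts[0] in EPHEMERAL_KX:
        kx, auth, rest = parts[0], parts[1], parts[2:]
    else:
        # No prefix means RSA key transport: the certificate's RSA key does
        # both key exchange and authentication (no forward secrecy).
        kx, auth, rest = "RSA", "RSA", parts
    if rest[-1].startswith("SHA"):
        bulk, prf = "-".join(rest[:-1]), rest[-1]
    else:
        bulk, prf = "-".join(rest), "SHA256"   # AEAD suites without an explicit hash
    return {"version": "1.2", "kx": kx, "auth": auth, "bulk": bulk, "prf": prf,
            "asymmetric": ["kx", "auth"], "symmetric": ["bulk"],
            "forward_secrecy": kx in EPHEMERAL_KX}


def default_verify_modes() -> dict:
    """Python's defaults mirror the protocol: the client context insists on the
    server's certificate; the server context asks for none unless told to."""
    client = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)   # we are the client
    server = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)   # we are the server
    return {"client_verifies_server": client.verify_mode == ssl.CERT_REQUIRED,
            "client_checks_hostname": client.check_hostname,
            "server_verifies_client": server.verify_mode == ssl.CERT_REQUIRED}


def require_mutual_tls(server_ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Make client authentication mandatory (mutual TLS). The context still
    needs load_verify_locations() with the CA that issued the client certificates."""
    server_ctx.verify_mode = ssl.CERT_REQUIRED
    return server_ctx
```

Note that the "asymmetric" list never contains the bulk cipher: whatever the suite, payload encryption is symmetric, which is the point of question 563.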
NEW QUESTION 564
Which division of the Orange Book deals with discretionary protection (need-to-know)?
- A. D
- B. B
- C. A
- D. C
Answer: D
Explanation:
Division C deals with discretionary protection.
The following are incorrect answers:
D is incorrect. D deals with minimal security.
B is incorrect. B deals with mandatory protection.
A is incorrect. A deals with verified protection.
Reference(s) used for this question:
CBK, p. 329 - 330
and
Shon Harris, CISSP All In One (AIO), 6th Edition , page 392-393
NEW QUESTION 565
Which of the following would best describe the difference between white-box testing and black-box testing?
- A. White-box testing examines the program internal logical structure.
- B. Black-box testing uses the bottom-up approach.
- C. Black-box testing involves the business units
- D. White-box testing is performed by an independent programmer team.
Answer: A
Explanation:
White-box software testing gives the tester access to program source code, data structures, variables, etc.
White-box testing gives the tester access to the internal logical structure of the program, while black-box testing gives the tester no internal details: the software is treated as a black box that receives inputs and produces outputs.
Incorrect Answers:
B: Black-box testing just hides the internal details of the program; it does not imply either a bottom-up or a top-down approach.
C: Black-box testing does not involve the business units; it is defined by the tester having no access to the internal details of the program, not by who performs it.
D: White-box testing can be performed by any programmer who has access to the source code; an independent team is not required.
References:
Conrad, Eric, Seth Misenar and Joshua Feldman, CISSP Study Guide, 2nd Edition, Syngress, Waltham,
2012, p. 194
NEW QUESTION 566
What is a hot-site facility?
- A. A site in which space is reserved with pre-installed wiring and raised floors.
- B. A site with raised flooring, air conditioning, telecommunications, and networking equipment, and UPS.
- C. A site with pre-installed computers, raised flooring, air conditioning, telecommunications and networking equipment, and UPS.
- D. A site with ready made work space with telecommunications equipment, LANs, PCs, and terminals for work groups.
Answer: C
Explanation:
Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.
NEW QUESTION 567
The BEST technique to authenticate to a system is to:
- A. maintain correct and accurate ACLs (access control lists) to allow access to applications.
- B. allow access only through user ID and password.
- C. establish biometric access through a secured server or Web site.
- D. ensure the person is authenticated by something he knows and something he has.
Answer: D
Explanation:
Explanation:
Biometrics is a single factor (something you are), and option C additionally ties it to a particular delivery channel, a secured server or Web site, which is not an authentication technique. Option D combines two distinct factors, something he knows and something he has, which is two-factor authentication and the strongest of the choices offered.
Incorrect Answers:
A: Maintaining correct and accurate ACLs is always a good idea, but ACLs are an authorization mechanism; they provide no authentication solution as required by the question.
C: You would not establish biometric access through a secured server or Web site.
B: A user ID and password is single-factor authentication. The user ID and the password are both
"something you
NEW QUESTION 568
Which of the following addresses a portion of the primary memory by specifying the actual address of the memory location?
- A. indexed addressing
- B. Indirect addressing
- C. direct addressing
- D. implied addressing
Answer: C
Explanation:
+------+-----+--------------------------------------+
| load | reg | address |
+------+-----+--------------------------------------+
(Effective address = address as given in instruction)
This requires space in an instruction for quite a large address. It is often available on CISC machines which have variable-length instructions, such as x86.
Some RISC machines have a special Load Upper Literal instruction which places a 16-bit constant in the top half of a register. An OR literal instruction can be used to insert a 16-bit constant in the lower half of that register, so that a full 32-bit address can then be used via the register-indirect addressing mode, which itself is provided as "base-plus-offset" with an offset of 0.
References:
http://en.wikipedia.org/wiki/Addressing_mode (very good coverage of the subject)
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, page 186.
http://www.comsci.us/ic/notes/am.html
NEW QUESTION 569
In the context of physical security, what does positive pressurization mean?
- A. The pressure inside your sprinkler system is greater than zero.
- B. A series of measures that increase pressure on employees in order to make them more productive.
- C. The air goes out of a room when a door is opened and outside air does not go into the room.
- D. Causes the sprinkler system to go off.
Answer: C
Explanation:
Ventilation has several requirements that must be met to ensure a safe and comfortable environment. A closed-loop recirculating air-conditioning system should be installed to maintain air quality. "Closed-loop" means the air within the building is reused after it has been properly filtered, instead of bringing outside air in. Positive pressurization and ventilation should also be implemented to control contamination. Positive pressurization means that when an employee opens a door, the air goes out, and outside air does not come in. If a facility were on fire, you would want the smoke to go out the doors instead of being pushed back in when people are fleeing.
Incorrect Answers:
A: Positive pressurization does not mean the pressure inside your sprinkler system is greater than zero.
B: Positive pressurization is not a series of measures that increase pressure on employees in order to make them more productive.
D: Positive pressurization does not cause the sprinkler system to go off.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, p. 467
NEW QUESTION 570
Which type of password token involves time synchronization?
- A. Synchronous dynamic password tokens
- B. Challenge-response tokens
- C. Static password tokens
- D. Asynchronous dynamic password tokens
Answer: A
Explanation:
Synchronous dynamic password tokens generate a new unique password value at fixed time intervals, so the server and token need to be synchronized for the password to be accepted. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 37). Also check out: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 4: Access Control (page 136).
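Worked example (added by the editor; not code from the original question bank): HOTP and TOTP as specified in RFC 4226 and RFC 6238, the algorithm behind synchronous dynamic tokens. The secret is the 20-byte key from the RFC test vectors so the output can be compared against them; the one-step skew window in verify_totp() is the usual clock-drift tolerance and is an assumption of this example, not something the question states.

```python
"""Synchronous dynamic password token: HOTP (RFC 4226) and TOTP (RFC 6238).
Example added by the editor; not from the source page. The 20-byte secret is
the RFC test-vector key, so results can be checked against the RFC tables."""
import hashlib
import hmac
import struct
import time

SECRET = b"12345678901234567890"   # RFC 4226/6238 test-vector key, not a real secret


def hotp(key: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HMAC over the 8-byte big-endian counter, dynamic truncation, `digits` decimals."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6, t0: int = 0) -> str:
    """TOTP is HOTP whose counter is the number of `step`-second intervals since
    t0: token and server only agree while their clocks agree, hence 'synchronous'."""
    return hotp(key, (unix_time - t0) // step, digits)


def verify_totp(key: bytes, code: str, unix_time: int, skew_steps: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept the current step plus or minus `skew_steps` to tolerate drift, comparing
    in constant time. Every extra step widens the guessing and replay window, so keep
    it small and record the accepted counter to reject a second use of the same code."""
    current = unix_time // step
    for delta in range(-skew_steps, skew_steps + 1):
        candidate = hotp(key, current + delta, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    print("current TOTP:", totp(SECRET, now), "valid:", verify_totp(SECRET, totp(SECRET, now), now))
```

The asynchronous (challenge-response) token in option D differs only in where the counter comes from: the server sends the challenge instead of both sides deriving it from the clock.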
NEW QUESTION 571
Which of the following is generally indicative of a replay attack when dealing with biometric authentication?
- A. False Rejection Rate (FRR) is greater than 5 in 100
- B. Inadequately specified templates
- C. Exact match
- D. False Acceptance Rate (FAR) is greater than 1 in 100,000
Answer: C
Explanation:
Live biometric captures vary slightly from one presentation to the next, so a sample that matches a stored template or an earlier capture exactly, bit for bit, points to a replay of previously captured data rather than a live person. FRR and FAR describe where the system's matching threshold has been set and are not indicators of an attack, and inadequately specified templates are an enrollment quality problem.
NEW QUESTION 572
Compared to RSA, which of the following is true of Elliptic Curve Cryptography (ECC)?
- A. It has been mathematically proved to be more secure.
- B. It is believed to require shorter keys for equivalent security.
- C. It has been mathematically proved to be less secure.
- D. It is believed to require longer key for equivalent security.
Answer: B
Explanation:
Explanation:
Elliptic curves are rich mathematical structures that have shown usefulness in many different types of applications. An elliptic curve cryptosystem (ECC) provides much of the same functionality RSA provides: digital signatures, secure key distribution, and encryption. One differing factor is ECC's efficiency: at an equivalent security level it needs far less computation and bandwidth than RSA.
Some devices have limited processing capacity, storage, power supply, and bandwidth, such as wireless devices and cellular telephones. With these types of devices, efficiency of resource use is very important. ECC provides encryption functionality while requiring a smaller share of those resources than RSA and similar algorithms, so it is used in these types of devices.
In most cases, the longer the key, the more protection is provided, but ECC can provide the same level of protection with a key size that is shorter than what RSA requires (a 256-bit ECC key is commonly rated as equivalent to a 3072-bit RSA key). Because longer keys require more resources to perform mathematical tasks, the smaller keys used in ECC require fewer resources of the device. Neither algorithm has been mathematically proved more or less secure than the other; the comparison rests on the best known attacks against each underlying problem.
Incorrect Answers:
A: ECC has not been proved more secure than RSA; it is believed to need a shorter key for equivalent security.
C: ECC has not been proved less secure than RSA.
D: ECC requires a shorter key, not a longer one, for equivalent security.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, pp. 818-819
NEW QUESTION 573
Who vouches for the binding between the data items in a digital certificate?
- A. Certification authority
- B. Vouching authority
- C. Registration authority
- D. Issuing authority
Answer: A
Explanation:
A certification authority (CA) is an entity that issues digital certificates (especially X.509 certificates) and vouches for the binding between the data items in a certificate. An issuing authority could be considered a correct answer, but not the best answer, since it is too generic. Source: SHIREY, Robert W., RFC2828: Internet Security Glossary, May 2000.
NEW QUESTION 574
A pen register is a:
- A. Device that records all the numbers dialed from a specific telephone line
- B. Device that records the caller-ID of incoming calls
- C. Device that records the URLs accessed by an individual
- D. Device that identifies the cell in which a mobile phone is operating
Answer: A
Explanation:
(Electronic Privacy Information Center, Approvals for Federal Pen Registers and Trap and Trace Devices 1987-1998, www.epic.org). Gathering information as to which numbers are dialed from a specific telephone line is less costly and time-consuming than installing a wiretap and recording the information.
*There is also equipment that can record the information listed in answers "Device that identifies the cell in which a mobile phone is operating" and "Device that records the URLs accessed by an individual".
*The device referred to in answer "Device that records the caller-ID of incoming calls" is called a trap-and-trace device. All of the answers in this question are a subset of the category of traffic analysis wherein patterns and frequency associated with communications are studied instead of the content of the communications.
NEW QUESTION 575
Which of the following are the two most well known access control models?
- A. Bell LaPadula and Biba
- B. Bell LaPadula and Info Flow
- C. Lattice and Biba
- D. Bell LaPadula and Chinese Wall
Answer: A
Explanation:
The two most well known models are Bell-LaPadula [1973] and Biba [1977]. Both were designed in and for military environments. Bell-LaPadula addresses confidentiality (no read up, no write down) and Biba addresses integrity (no read down, no write up).
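Worked example (added by the editor; not code from the original question bank): the Bell-LaPadula and Biba rules as decision functions over a lattice of (level, categories) labels, which also covers the lattice model named in option C. The levels, categories and sample clearances are constructed.

```python
"""Bell-LaPadula and Biba decisions over a lattice of labels. Example added by
the editor; not from the source page. Labels are (level, categories) and the
sample clearances are constructed."""
from typing import FrozenSet, List, Tuple, Callable

Label = Tuple[int, FrozenSet[str]]      # (sensitivity or integrity level, categories)


def label(level: int, *categories: str) -> Label:
    return (level, frozenset(categories))


def dominates(a: Label, b: Label) -> bool:
    """Lattice order: a dominates b if its level is at least b's and it holds
    every category b holds. Labels with disjoint categories are incomparable."""
    return a[0] >= b[0] and a[1] >= b[1]


def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula (confidentiality): simple security property = no read up,
    *-property = no write down."""
    if op == "read":
        return dominates(subject, obj)
    if op == "write":
        return dominates(obj, subject)
    raise ValueError(f"unknown op {op!r}")


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Biba (integrity): simple integrity property = no read down,
    integrity *-property = no write up. The mirror image of BLP."""
    if op == "read":
        return dominates(obj, subject)
    if op == "write":
        return dominates(subject, obj)
    raise ValueError(f"unknown op {op!r}")


Request = Tuple[Label, Label, str]


def denied(requests: List[Request], policy: Callable[[Label, Label, str], bool]) -> List[Request]:
    """Run a batch of (subject, object, op) requests through a policy and return the refusals."""
    return [r for r in requests if not policy(*r)]
```

Reading the two functions side by side is the quickest way to remember the models: swap "subject" and "object" in the dominance test and BLP becomes Biba.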
NEW QUESTION 576
Which cloud deployment model consists of a cloud infrastructure provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units)? Such a deployment may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.
- A. Community Cloud
- B. Hybrid Cloud
- C. Public Cloud
- D. Private Cloud
Answer: D
Explanation:
A Private cloud. The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.
Other Cloud Deployment Models are:
Community cloud.
The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.
Public cloud.
The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.
Hybrid cloud.
The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).
The following reference(s) were/was used to create this question:
NIST Special Publication 800-145 The NIST definition of Cloud Computing and also see
NIST Special Publication 800-146 The Cloud Computing Synopsis and Recommendations
NEW QUESTION 577
What is an IP routing table?
- A. A list of station and network addresses with corresponding gateway IP address.
- B. A list of current network interfaces on which IP routing is enabled.
- C. A list of IP addresses and corresponding MAC addresses.
- D. A list of host names and corresponding IP addresses.
Answer: A
Explanation:
A routing table is used when a destination IP address is not located on the current LAN segment. It consists of a list of station and network addresses and a corresponding gateway IP address further along to which a routing equipment should send packets that match that station or network address. A list of IP addresses and corresponding MAC addresses is an ARP table. A DNS is used to match host names and corresponding IP addresses. The last choice is a distracter.
Source: STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000,
Chapter 3: TCP/IP from a Security Viewpoint.
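Worked example (added by the editor; not code from the original question bank): a routing table as a list of (network, gateway, interface) entries with longest-prefix-match lookup, the on-link case where the entry has no gateway, and an injected more-specific prefix to show why a spoofed route advertisement wins over the legitimate route. The addresses are constructed from private space and the RFC 5737 documentation ranges.

```python
"""Longest-prefix-match lookup over an IP routing table. Example added by the
editor; not from the source page. The table and addresses are constructed
(private space and RFC 5737 documentation ranges)."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, Optional[ipaddress.IPv4Address], str]


def route(net: str, gateway: Optional[str], iface: str) -> Route:
    return (ipaddress.ip_network(net),
            ipaddress.ip_address(gateway) if gateway else None, iface)


# Constructed table: default route, an aggregate, an on-link subnet, a host route.
ROUTES: List[Route] = [
    route("0.0.0.0/0",    "192.0.2.1",  "eth0"),
    route("10.0.0.0/8",   "10.1.0.1",   "eth1"),
    route("10.1.2.0/24",  None,         "eth1"),   # directly connected, no gateway
    route("10.1.2.77/32", "10.1.2.254", "eth1"),   # host route via a different hop
]


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Return the matching entry with the longest prefix; the /0 default matches last."""
    d = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for entry in routes:
        net = entry[0]
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = entry
    return best


def next_hop(routes: List[Route], dst: str) -> Optional[ipaddress.IPv4Address]:
    """Address the host must ARP for: the gateway, or the destination itself when on-link."""
    entry = lookup(routes, dst)
    if entry is None:
        return None                       # no route to host
    gw = entry[1]
    return gw if gw is not None else ipaddress.ip_address(dst)


def inject(routes: List[Route], net: str, gateway: str, iface: str) -> List[Route]:
    """A more-specific prefix always wins, which is why an unauthenticated route
    advertisement for a /24 can steal traffic the /0 or /8 used to carry."""
    return routes + [route(net, gateway, iface)]
```

The table never holds MAC addresses or host names: the gateway returned by next_hop() is what the host then resolves through the ARP table, and the destination name was resolved through DNS before any of this ran.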
NEW QUESTION 578
When we encrypt or decrypt data there is a basic operation involving ones and zeros where they are compared in a process that looks something like this:
0101 0001 Plain text
0111 0011 Key stream
0010 0010 Output
What is this cryptographic operation called?
- A. Bit Swapping
- B. Logical-NOR
- C. Decryption
- D. Exclusive-OR
Answer: D
Explanation:
Explanation:
A plaintext message that needs to be encrypted is converted into bits, and the one-time pad (or the key stream of a stream cipher) is made up of random bits. The encryption process combines the two with a binary function called exclusive-OR (XOR): each output bit is 1 when exactly one of the two input bits is 1, which is what the table above shows column by column. Applying the same key stream to the output reverses the operation, so decryption is the same XOR.
Incorrect Answers:
A: Bit-swapping is the adaptive hand-shaking mechanism used by DMT modems to adapt to line changes.
B: Logical-NOR is a truth-functional operator which produces the negation of logical-OR.
C: Decryption is the process of translating encrypted data back into its original form; it is the goal, not the bit-level operation shown.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, pp. 771
http://web.stanford.edu/group/cioffi/documents/bit_swapping.pdf
https://en.wikipedia.org/wiki/Logical_NOR
http://searchsecurity.techtarget.com/definition/data-encryption-decryption-IC
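Worked example (added by the editor; not code from the original question bank): XOR on the question's own bit pattern, XOR as both encryption and decryption, and the two-time-pad failure that follows from reusing a key stream, carried through to recovering one message from a guessed fragment of the other. The key and messages are constructed.

```python
"""XOR as the bit-level operation behind one-time pads and stream ciphers,
using the bit pattern from the question, plus what goes wrong when a key
stream is reused. Example added by the editor; not from the source page;
key and messages are constructed."""


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("key stream must be exactly as long as the data")
    return bytes(x ^ y for x, y in zip(a, b))


def xor_bits(plain: str, key: str) -> str:
    """Bit-string form of the question's table: '0101 0001' XOR '0111 0011'."""
    p, k = plain.replace(" ", ""), key.replace(" ", "")
    if len(p) != len(k):
        raise ValueError("bit strings must have the same width")
    return format(int(p, 2) ^ int(k, 2), f"0{len(p)}b")


def encrypt(plaintext: bytes, key_stream: bytes) -> bytes:
    return xor_bytes(plaintext, key_stream)


def decrypt(ciphertext: bytes, key_stream: bytes) -> bytes:
    """Decryption is the same XOR: (p ^ k) ^ k == p."""
    return xor_bytes(ciphertext, key_stream)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """If one key stream encrypts two messages, XORing the ciphertexts cancels
    the key: (p1 ^ k) ^ (p2 ^ k) == p1 ^ p2. The attacker never needs k."""
    return xor_bytes(c1, c2)


def crib_drag(p1_xor_p2: bytes, crib: bytes, offset: int) -> bytes:
    """Guess that `crib` appears at `offset` in one message; XOR reveals the
    bytes of the other message at the same position."""
    segment = p1_xor_p2[offset:offset + len(crib)]
    return xor_bytes(segment, crib)
```

The pad is only "one-time" because of two_time_pad_leak(): the XOR that makes encryption and decryption the same cheap operation also makes every reuse of the key stream a direct leak of plaintext-to-plaintext relationships.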
NEW QUESTION 579
In which of the following cloud computing service models are applications hosted by the service provider and made available to customers over a network?
- A. Infrastructure as a service
- B. Data as a service
- C. Platform as a service
- D. Software as a service
Answer: D
Explanation:
Software as a Service (SaaS) is a software distribution model in which applications are hosted by a vendor or service provider and made available to customers over a network, typically the Internet. SaaS is closely related to the ASP (application service provider) and on demand computing software delivery models.
For your exam you should know below information about Cloud Computing:
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.
Software as a Service (SaaS)
IDC identifies two slightly different delivery models for SaaS. The hosted application management (hosted AM) model is similar to ASP: a provider hosts commercially available software for customers and delivers it over the Web. In the software on demand model, the provider gives customers network-based access to a single copy of an application created specifically for SaaS distribution.
The provider gives users access to specific application software (CRM, e-mail, games).
Benefits of the SaaS model include:
- easier administration;
- automatic updates and patch management;
- compatibility: all users have the same version of the software;
- easier collaboration, for the same reason;
- global accessibility.
Platform as a Service (PaaS)
Platform as a Service (PaaS) is a way to rent hardware, operating systems, storage and network capacity over the Internet. The service delivery model allows the customer to rent virtualized servers and associated services for running existing applications or developing and testing new ones.
Cloud providers deliver a computing platform, which can include an operating system, database, and web server as a holistic execution environment. Where IaaS is the "raw IT network," PaaS is the software environment that runs on top of the IT network.
Platform as a Service (PaaS) is an outgrowth of Software as a Service (SaaS), a software distribution model in which hosted software applications are made available to customers over the Internet. PaaS has several advantages for developers. With PaaS, operating system features can be changed and upgraded frequently. Geographically distributed development teams can work together on software development projects. Services can be obtained from diverse sources that cross international boundaries. Initial and ongoing costs can be reduced by the use of infrastructure services from a single vendor rather than maintaining multiple hardware facilities that often perform duplicate functions or suffer from incompatibility problems. Overall expenses can also be minimized by unification of programming development efforts.
On the downside, PaaS involves some risk of "lock-in" if offerings require proprietary service interfaces or development languages. Another potential pitfall is that the flexibility of offerings may not meet the needs of some users whose requirements rapidly evolve.
Infrastructure as a Service (IaaS)
Cloud providers offer the infrastructure environment of a traditional data center in an on-demand delivery method. Companies deploy their own operating systems, applications, and software onto this provided infrastructure and are responsible for maintaining them.
Infrastructure as a Service is a provision model in which an organization outsources the equipment used to support operations, including storage, hardware, servers and networking components. The service provider owns the equipment and is responsible for housing, running and maintaining it. The client typically pays on a per-use basis.
The following answers are incorrect:
Data as a service - Data provided as a service rather than needing to be loaded and prepared on premises.
Platform as a service - Platform as a Service (PaaS) is a way to rent hardware, operating systems, storage and network capacity over the Internet. The service delivery model allows the customer to rent virtualized servers and associated services for running existing applications or developing and testing new ones.
Infrastructure as a service - Infrastructure as a Service is a provision model in which an organization outsources the equipment used to support operations, including storage, hardware, servers and networking components. The service provider owns the equipment and is responsible for housing, running and maintaining it. The client typically pays on a per-use basis.
The following reference(s) were/was used to create this question:
CISA review manual 2014 page number 102
Official ISC2 guide to CISSP 3rd edition Page number 689
http://searchcloudcomputing.techtarget.com/definition/Software-as-a-Service
http://searchcloudcomputing.techtarget.com/definition/Platform-as-a-Service-PaaS
http://searchcloudcomputing.techtarget.com/definition/Infrastructure-as-a-Service-IaaS
What to Know: (ISC)2 CISSP Exam Basics
(ISC)2 reveals very little about the details of its certification exams. What is known is that the CISSP test mixes multiple-choice and advanced innovative questions. The non-English (linear) exam has about 250 questions across all 8 domains of the Common Body of Knowledge and lasts 6 hours; the standard English (CAT) format has 100-150 questions and lasts 3 hours. The passing score is 700 out of a possible 1000 points.
The exam costs $699 in the USA. The fee may vary from country to country because of tax policies; if you are not residing in the United States, check the official website for the exact cost.
Candidates can choose from a variety of study approaches. An instructor-led training course is the most commonly recommended preparation method. The CISSP Accelerated Training Program is a paid option designed for IT professionals who already have 5 or more years of work experience in IT security.