
[Nov 05, 2024] CISSP Exam Dumps - 100% Marks In CISSP Exam!
Exam Dumps Use Real ISC Certification Dumps With 1795 Questions!
The CISSP certification exam is considered one of the most challenging exams in the field of information security. In its traditional linear form, the exam consisted of 250 multiple-choice questions to be completed within six hours; the current English-language exam uses computerized adaptive testing with fewer questions and a shorter time limit. The questions test a candidate's knowledge across the areas of information security, including security concepts, access control, cryptography, and network security.
NEW QUESTION # 941
Which of the following is a common term for log reviews, synthetic transactions, and code reviews?
- A. Spiral development functional testing
- B. Application development
- C. Security control testing
- D. DevOps Integrated Product Team (IPT) development
Answer: C
Explanation:
Organizations must manage the security control testing that occurs to ensure that all security controls are tested thoroughly by authorized individuals. The facets of security control testing that organizations must include are vulnerability assessments, penetration testing, log reviews, synthetic transactions, code review and testing, misuse case testing, test coverage analysis, and interface testing.
NEW QUESTION # 942
Which of the following steps should be one of the FIRST steps performed in a Business Impact Analysis (BIA)?
- A. Estimate the Recovery Time Objectives (RTO).
- B. Evaluate the impact of disruptive events.
- C. Identify all CRITICAL business units within the organization.
- D. Identify and Prioritize Critical Organization Functions
Answer: D
Explanation:
A business impact analysis includes identifying the critical systems and functions of a company and interviewing representatives from each department. Once management's support is secured, the BIA is performed to identify the threats the company faces and the potential costs of those threats. Identifying and prioritizing the critical business functions is one of its first steps, because every later step (resource dependencies, maximum tolerable downtime, recovery objectives) builds on that list.
Incorrect Answers:
A: Estimating the Recovery Time Objectives comes later in the BIA, after the critical functions and the resources they depend on have been identified.
B: Evaluating the impact of disruptive events also comes after the critical functions have been identified; impact cannot be assessed until you know which functions matter.
C: A Business Impact Analysis focuses on business functions, not on business units, so identifying critical business units is not one of its first steps.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, p. 972
NEW QUESTION # 943
In SQL, a relation that is actually existent in the database is called a(n):
- A. View
- B. Attribute
- C. Domain
- D. Base relation
Answer: D
Explanation:
A base relation exists in the database, while a view is a virtual relation that is not stored in the database. A view is derived by its SQL definition from base relations or, possibly, other views. An attribute is a column in a relation (table), and a domain is the set of permissible values of an attribute.
NEW QUESTION # 944
How many bits is the effective length of the key of the Data Encryption Standard algorithm?
- A. 168
- B. 56
- C. 128
- D. 64
Answer: B
Explanation:
The correct answer is 56. This is something of a trick question, since the actual key length is 64 bits. Every eighth bit, however, is ignored by the key schedule because it is used for parity, which makes the "effective length of the key" that the question asks for 56 bits.
The other answers are not correct because:
168: the number of effective key bits in three-key Triple DES (56 x 3).
128: many encryption algorithms use 128-bit keys, but not DES. You may see 128-bit encryption referred to as "military strength encryption" because many military systems use keys of this length.
64: the actual length of a DES key, but not the "effective length" of the DES key.
Reference:
Official ISC2 Guide page: 238
All in One Third Edition page: 622
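The parity-bit mechanism described above, shown in working code. This is an added example written for this page, not code from the original question set or from (ISC)². It uses the real PC-1 permutation from FIPS 46-3 (the first step of the DES key schedule), and the 8-byte key in the usage section is a constructed sample.

```python
# Added example (not from the original page): why DES's 64-bit key has only 56
# effective bits. PC-1 is the real permutation from FIPS 46-3 that begins the DES
# key schedule; it reads 56 of the 64 key bits. Bits 8, 16, ..., 64 (1-indexed,
# MSB-first) are never read, so they cannot affect any round key. DES defines them
# as odd-parity bits for the preceding seven bits of each byte.

PC1 = (
    57, 49, 41, 33, 25, 17, 9,
    1, 58, 50, 42, 34, 26, 18,
    10, 2, 59, 51, 43, 35, 27,
    19, 11, 3, 60, 52, 44, 36,
    63, 55, 47, 39, 31, 23, 15,
    7, 62, 54, 46, 38, 30, 22,
    14, 6, 61, 53, 45, 37, 29,
    21, 13, 5, 28, 20, 12, 4,
)

EFFECTIVE_KEY_BITS = len(PC1)            # 56
EFFECTIVE_KEYSPACE = 1 << EFFECTIVE_KEY_BITS


def ignored_key_bits():
    """Return the 1-indexed key bit positions that PC-1 never reads."""
    return frozenset(range(1, 65)) - frozenset(PC1)


def key_bit(key: bytes, pos: int) -> int:
    """Bit `pos` (1..64) of an 8-byte key, bit 1 being the MSB of key[0]."""
    byte, offset = divmod(pos - 1, 8)
    return (key[byte] >> (7 - offset)) & 1


def pc1(key: bytes) -> int:
    """Apply PC-1: the 56-bit value that the rest of the key schedule uses."""
    if len(key) != 8:
        raise ValueError("DES key must be exactly 8 bytes")
    out = 0
    for pos in PC1:
        out = (out << 1) | key_bit(key, pos)
    return out


def has_odd_parity(key: bytes) -> bool:
    """True if every byte of the key has an odd number of 1 bits."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def set_odd_parity(key: bytes) -> bytes:
    """Rewrite the low bit of each byte so that every byte has odd parity."""
    fixed = bytearray()
    for b in key:
        high7 = b & 0xFE
        fixed.append(high7 | (0 if bin(high7).count("1") % 2 else 1))
    return bytes(fixed)


def same_effective_key(k1: bytes, k2: bytes) -> bool:
    """Two keys that agree after PC-1 drive identical round keys."""
    return pc1(k1) == pc1(k2)


if __name__ == "__main__":
    # Constructed sample key, plus a copy with every parity bit flipped.
    k = bytes.fromhex("133457799BBCDFF1")
    k_flipped = bytes(b ^ 1 for b in k)
    print(sorted(ignored_key_bits()))         # the eight parity positions
    print(same_effective_key(k, k_flipped))   # True: parity bits never reach PC-1
    print(has_odd_parity(k), has_odd_parity(k_flipped))
    print(EFFECTIVE_KEY_BITS, EFFECTIVE_KEYSPACE)
```

The practical consequence for an attacker is that a brute-force search needs 2^56 trials, not 2^64; for a defender, a library that rejects keys with bad parity is checking integrity of the key material, not adding strength.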
NEW QUESTION # 945
Which of the following is a correct feature of a virtual local area network (VLAN)?
- A. Layer 3 routing is required to allow traffic from one VLAN to another.
- B. VLAN has certain security features such as where the devices are physically connected.
- C. There is no broadcast allowed within a single VLAN due to network segregation.
- D. A VLAN segregates network traffic therefore information security is enhanced significantly.
Answer: A
Explanation:
A virtual local area network (VLAN) is a logical grouping of network devices that share the same broadcast domain, regardless of their physical location or connection. A VLAN can improve network performance, security, and management by segregating network traffic based on criteria such as function, department, or security level. A VLAN operates at layer 2 of the OSI model, which means that devices can only communicate within the same VLAN by default. To allow traffic from one VLAN to another, layer 3 routing is required, which involves using a router or a layer 3 switch to route packets based on their IP addresses. Layer 3 routing enables inter-VLAN communication and connectivity to other networks, such as the internet or a WAN. Layer 3 routing also provides additional security and control features, such as access control lists, firewalls, and quality of service.
References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 9: Communication and Network Security, page 591. Official (ISC)² CISSP CBK Reference, Fifth Edition, Domain 4: Communication and Network Security, page 677.
NEW QUESTION # 946
What type of database attack would allow a customer service employee to determine quarterly sales results before they are publicly announced?
- A. Aggregation
- B. Data mining
- C. Inference
- D. Polyinstantiation
Answer: C
Explanation:
The type of database attack that would allow a customer service employee to determine quarterly sales results before they are publicly announced is inference. Inference is a database attack in which a user deduces sensitive or confidential information from data they are authorized to see, by applying logic, reasoning, or analysis. A customer service employee may legitimately see the number of orders, individual order amounts, or customer feedback, and can combine those observations to estimate the quarterly sales results before they are released.
The other options are not the attack described. Polyinstantiation is a database technique rather than an attack: it allows multiple instances of the same record to exist at different classification levels for different users, and it is used to counter inference by making the visible data deliberately inconsistent or ambiguous. Aggregation is a database operation that combines or summarizes data (the sum, the average, the count); it can facilitate inference by producing figures from which sensitive totals can be derived, but it is not itself the attack in the question. Data mining is a process that analyzes and extracts useful information from a database using statistics, machine learning, or artificial intelligence; it, too, can support inference, but is not the attack in the question.
References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 6: Identity and Access Management, page 713. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 6: Identity and Access Management, page 714.
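An added example (not part of the original question bank) that shows the inference attack the explanation describes: a support user who may only look up one customer at a time reconstructs the unannounced quarterly total from those individually authorized answers. It then shows a need-to-know restriction on the same lookup and a detection rule for the enumeration pattern. The in-memory SQLite schema, the table contents, the principal name "support_user", the threshold of three customers and the quarter label "2024Q3" are all constructed for the demonstration.

```python
# Added example (not from the original page): inference from authorized queries.
import sqlite3

CURRENT_QUARTER = "2024Q3"   # constructed: results for this quarter are not yet public

# Constructed sample data; every figure is invented for the demonstration.
ORDERS = [  # (order_id, customer_id, quarter, amount)
    (1, "C001", "2024Q3", 1200.00), (2, "C002", "2024Q3", 350.00),
    (3, "C003", "2024Q3", 4100.00), (4, "C001", "2024Q3", 800.00),
    (5, "C004", "2024Q3", 99.00),   (6, "C005", "2024Q3", 2750.00),
    (7, "C002", "2024Q2", 500.00),  # prior quarter, already announced
]
TICKETS = [  # (ticket_id, customer_id, status)
    (10, "C002", "open"), (11, "C004", "open"), (12, "C005", "closed"),
]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE orders(order_id INTEGER PRIMARY KEY, customer_id TEXT,
                            quarter TEXT, amount REAL);
        CREATE TABLE tickets(ticket_id INTEGER PRIMARY KEY, customer_id TEXT,
                             status TEXT);
    """)
    conn.executemany("INSERT INTO orders VALUES (?,?,?,?)", ORDERS)
    conn.executemany("INSERT INTO tickets VALUES (?,?,?)", TICKETS)
    return conn


def true_quarter_total(conn, quarter=CURRENT_QUARTER) -> float:
    """The figure finance will announce; support is not meant to know it early."""
    return conn.execute("SELECT COALESCE(SUM(amount), 0) FROM orders WHERE quarter=?",
                        (quarter,)).fetchone()[0]


def support_lookup(conn, customer_id, access_log):
    """Authorized view: one customer's current-quarter orders, needed to answer tickets."""
    access_log.append(("support_user", customer_id))
    return conn.execute(
        "SELECT order_id, amount FROM orders WHERE customer_id=? AND quarter=?",
        (customer_id, CURRENT_QUARTER)).fetchall()


def infer_quarter_total(conn, lookup, access_log) -> float:
    """Inference: walk the customer list and add up individually permitted answers."""
    customers = [row[0] for row in conn.execute("SELECT DISTINCT customer_id FROM orders")]
    return sum(amount for c in customers for _, amount in lookup(conn, c, access_log))


def support_lookup_need_to_know(conn, customer_id, access_log):
    """Hardened view: rows only for customers who currently have an open ticket."""
    access_log.append(("support_user", customer_id))
    return conn.execute("""
        SELECT o.order_id, o.amount FROM orders o
        WHERE o.customer_id=? AND o.quarter=?
          AND EXISTS (SELECT 1 FROM tickets t
                      WHERE t.customer_id=o.customer_id AND t.status='open')""",
        (customer_id, CURRENT_QUARTER)).fetchall()


def flag_enumeration(access_log, max_distinct_customers=3):
    """Detection: principals touching more distinct customers than their ticket load explains."""
    seen = {}
    for principal, customer in access_log:
        seen.setdefault(principal, set()).add(customer)
    return sorted(p for p, customers in seen.items() if len(customers) > max_distinct_customers)


if __name__ == "__main__":
    conn = build_db()
    log = []
    print(true_quarter_total(conn), infer_quarter_total(conn, support_lookup, log))
    print(infer_quarter_total(conn, support_lookup_need_to_know, []))
    print(flag_enumeration(log))
```

The need-to-know filter shrinks what the enumeration can recover to the customers support actually has a reason to view, and the access-log rule catches the remaining pattern (many distinct customers from one principal) regardless of how much each query returned.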
NEW QUESTION # 947
Which of the following defines when RAID separates the data into multiple units and stores it on multiple disks?
- A. scanning
- B. shadowing
- C. screening
- D. striping
Answer: D
Explanation:
Basically, RAID separates the data into multiple units and stores it on multiple disks by using a process called "striping". Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 65.
NEW QUESTION # 948
Which of the following countermeasures would be the most appropriate to prevent possible intrusion or damage from wardialing attacks?
- A. Making sure only necessary phone numbers are made public
- B. Monitoring and auditing for such activity
- C. Using completely different numbers for voice and data accesses
- D. Require user authentication
Answer: D
Explanation:
War dialing is a technique of using a modem to automatically scan a list of telephone numbers, usually dialing every number in a local area code to search for computers, Bulletin board systems and fax machines. Hackers use the resulting lists for various purposes: hobbyists for exploration, and crackers - malicious hackers who specialize in computer security - for guessing user accounts (by capturing voicemail greetings), or locating modems that might provide an entry-point into computer or other electronic systems. It may also be used by security personnel, for example, to detect unauthorized devices, such as modems or faxes, on a company's telephone network.
To prevent possible intrusion or damage from wardialing attacks, you should configure the system to require authentication before a network connection can be established. This will ensure that an attacker cannot gain access to the network without knowing a username and password.
Incorrect Answers:
A: Making sure only necessary phone numbers are made public will not protect against intrusion; an attacker can still gain access through one of the 'necessary' phone numbers.
B: Monitoring and auditing wardialing activity would not prevent an attacker from gaining access to the network; it would only tell you that an attack has happened.
C: Using completely different numbers for voice and data access will not protect against intrusion; an attacker can still gain access through one of the data access phone numbers.
References:
http://en.wikipedia.org/wiki/War_dialing
NEW QUESTION # 949
The definition "the science and art of specifying, designing, implementing and evolving programs, documentation and operating procedures whereby computers can be made useful to man" is that of:
- A. An object-oriented system
- B. Structured analysis/structured design (SA/SD)
- C. Software engineering
- D. Functional programming
Answer: C
Explanation:
This definition of software engineering is a combination of popular definitions of engineering and software. One definition of engineering is the application of science and mathematics to the design and construction of artifacts which are useful to man. A definition of software is that it consists of the programs, documentation and operating procedures by which computers can be made useful to man.
SA/SD deals with developing specifications that are abstractions of the problem to be solved and not tied to any specific programming language. Through data flow diagrams (DFDs), SA/SD shows the main processing entities and the data flow between them without any connection to a specific programming-language implementation.
An object-oriented system is a group of independent objects that can be requested to perform certain operations or exhibit specific behaviors. These objects cooperate to provide the system's required functionality. The objects have an identity and can be created as the program executes (dynamic lifetime). To provide the desired characteristics of object-oriented systems, the objects are encapsulated, i.e., they can only be accessed through messages sent to them to request performance of their defined operations. The object can be viewed as a black box whose internal details are hidden from outside observation and cannot normally be modified. Objects also exhibit the substitution property, which means that objects providing compatible operations can be substituted for each other. In summary, an object-oriented system contains objects that exhibit the following properties: identity (each object has a name that is used to designate that object); encapsulation (an object can only be accessed through messages to perform its defined operations); substitution (objects that perform compatible operations can be substituted for each other); and dynamic lifetimes (objects can be created as the program executes).
Functional programming uses only mathematical functions to perform computations and solve problems. This approach is based on the assumption that any algorithm can be described as a mathematical function. Functional languages support functions as values that can be passed as arguments and stored in data structures, and functional abstraction is their only method of procedural abstraction.
NEW QUESTION # 950
Which of the following is applicable to a publicly held company concerned about information handling and storage requirements specific to financial reporting?
- A. Clinger-Cohen Act of 1996
- B. Privacy Act of 1974
- C. Sarbanes-Oxley (SOX) Act of 2002
- D. International Organization for Standardization (ISO) 27001
Answer: C
Explanation:
The Sarbanes-Oxley (SOX) Act of 2002 is applicable to a publicly held company concerned about information handling and storage requirements specific to the financial reporting. SOX is a federal law that aims to protect investors from fraudulent accounting activities by corporations. SOX requires public companies to establish and maintain internal controls over their financial reporting processes, and to have their financial statements audited by an independent auditor. SOX also mandates that public companies retain their financial records and related audit documents for at least five years, and that they implement proper security measures to protect the confidentiality, integrity, and availability of their financial information. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1: Security and Risk Management, page 19. CISSP Practice Exam | Boson, Question 8.
NEW QUESTION # 951
Which of the following is the MOST appropriate control for asset data labeling procedures?
- A. Logging data media to provide a physical inventory control
- B. Categorizing the types of media being used
- C. Reviewing off-site storage access controls
- D. Reviewing audit trails of logging records
Answer: A
Explanation:
Logging data media to provide a physical inventory control is the most appropriate control for asset data labeling procedures. Asset data labeling procedures are the procedures that define how the data media, such as tapes, disks, or drives, are labeled, classified, and handled, based on the sensitivity and value of the data they contain. Asset data labeling procedures are important for ensuring the security, confidentiality, and accountability of the data media, and for preventing any unauthorized access, disclosure, or loss of the data media. Logging data media to provide a physical inventory control is a control that supports the asset data labeling procedures, as it involves recording and tracking the details and locations of the data media, such as serial numbers, bar codes, owners, custodians, and storage locations. Logging data media to provide a physical inventory control can help to maintain the accuracy and completeness of the data media inventory, and to detect and report any missing, stolen, or damaged data media. References: [CISSP CBK, Fifth Edition, Chapter 2, page 105]; [100 CISSP Questions, Answers and Explanations, Question 16].
NEW QUESTION # 952
_______ are added to Linux passwords to increase their randomness.
- A. MD5 hashes
- B. Pepper
- C. Salts
- D. Grains
- E. Asymmetric algorithms
Answer: C
Explanation:
Salts are random values added to Linux passwords before hashing to increase their randomness. They ensure that two users who choose the same password do not end up with the same stored hash, and they make precomputed (rainbow) tables useless, since an attacker would need a separate table for every salt value.
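An added example (not from the original page) showing what a salt buys you and how it is stored alongside the hash. It uses only the Python standard library; the PBKDF2 work factor, the shadow-style "$6$salt$hash" string and the user names are constructed for the demonstration, and the example uses PBKDF2-HMAC-SHA256 rather than the SHA-512-crypt that Linux itself uses behind the "$6$" prefix.

```python
# Added example (not from the original page): salted versus unsalted password storage.
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 200_000   # constructed work factor for the demo; production values are higher


def unsalted_hash(password: str) -> str:
    """Without a salt, identical passwords always give identical hashes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def create_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Store a fresh random salt next to a slow, salted hash (salt is not secret)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def split_shadow_hash(field: str) -> tuple:
    """Split a crypt(3)-style '$id$salt$hash' field into (id, salt, hash).
    '$6$' marks SHA-512-crypt on Linux; note that the salt sits in clear text
    next to the hash, which is fine because its job is uniqueness, not secrecy."""
    parts = field.split("$")
    if len(parts) != 4 or parts[0] != "":
        raise ValueError("unsupported shadow hash format")
    _, method, salt, digest = parts
    return method, salt, digest


def duplicate_password_groups(hash_by_user: dict) -> list:
    """Without salts, a leaked hash column reveals which users share a password."""
    users_by_hash = {}
    for user, h in hash_by_user.items():
        users_by_hash.setdefault(h, []).append(user)
    return sorted(sorted(users) for users in users_by_hash.values() if len(users) > 1)


if __name__ == "__main__":
    # Constructed users; two of them picked the same password.
    unsalted = {u: unsalted_hash(p) for u, p in
                [("alice", "winter2024"), ("bob", "winter2024"), ("carol", "s3cret")]}
    print(duplicate_password_groups(unsalted))        # alice and bob are exposed
    r1, r2 = create_record("winter2024"), create_record("winter2024")
    print(r1["hash"] == r2["hash"])                   # False: different salts
    print(verify_password("winter2024", r1), verify_password("wrong", r1))
    print(split_shadow_hash("$6$constructedsalt$constructedhash"))
```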
NEW QUESTION # 953
Once the types of information have been identified, who should an information security practitioner work with to ensure that the information is properly categorized?
- A. System Administrator
- B. Information Owner (IO)
- C. Business Continuity (BC) Manager
- D. Chief Information Officer (CIO)
Answer: B
NEW QUESTION # 954
If the computer system being used contains confidential information, users must not:
- A. Share their desks.
- B. Communicate
- C. Encrypt their passwords.
- D. Leave their computer without first logging off.
Answer: D
Explanation:
If the computer system being used, or to which a user is connected, contains sensitive or confidential information, users must not leave their computer, terminal, or workstation without first logging off. Users should be reminded frequently to follow this rule.
NEW QUESTION # 955
Covert Channel Analysis, Trusted Facility Management, and Trusted Recovery are parts of which book in the TCSEC Rainbow Series?
- A. Orange Book
- B. Green Book
- C. Dark Green Book
- D. Red Book
Answer: A
Explanation:
The correct answer is the Orange Book, the Trusted Computer System Evaluation Criteria (TCSEC) itself, which lists covert channel analysis, trusted facility management, and trusted recovery among its assurance requirements.
The Red Book is the Trusted Network Interpretation (TNI), a summary of network requirements (described in the Telecommunications and Network Security domain).
The Green Book is the Department of Defense (DoD) Password Management Guideline.
The Dark Green Book is A Guide to Understanding Data Remanence in Automated Information Systems.
NEW QUESTION # 956
During the initial stage of configuration of your firewall, which of the following rules appearing in an Internet firewall policy is inappropriate?
- A. The firewall shall be configured to deny all services not expressly permitted.
- B. Appropriate firewall documentation and a copy of the rulebase shall be maintained on offline storage at all times.
- C. The firewall should be tested online first to validate proper configuration.
- D. The firewall software shall run on a dedicated computer.
Answer: C
Explanation:
For security reasons, the firewall should be tested offline.
Incorrect Answers:
A: Denying all services not expressly permitted is correct practice: all unneeded ports should be closed and all unneeded services denied.
B: It is important to keep a backup of the firewall configuration and rulebase on offline storage.
D: A firewall may take the form of software installed on a regular computer using a general-purpose operating system, or a dedicated hardware appliance with its own operating system; the dedicated system is usually more secure.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 643
NEW QUESTION # 957
......
To earn the CISSP certification, candidates must pass a rigorous exam that covers the eight domains of the (ISC)² CBK: security and risk management, asset security, security architecture and engineering, communication and network security, identity and access management, security assessment and testing, security operations, and software development security. Candidates must also have at least five years of cumulative, paid work experience in two or more of these domains.
Pass Your CISSP Exam Easily With 100% Exam Passing Guarantee: https://pass4sure.exam-killer.com/CISSP-valid-questions.html

