Friday, 04 September 2015

CISSP Exam Preparation (Question 311)

(311) Which one of the following is a characteristic of a penetration testing project?

A. The project is open-ended until all known vulnerabilities are identified.
B. The project schedule is plotted to produce a critical path.
C. The project tasks are to break into a targeted system.
D. The project plan is reviewed with the target audience.

Correct Answer: C

Explanation/Reference:

"One common method to test the strength of your security measures is to perform penetration testing. Penetration testing is a vigorous attempt to break into a protected network using any means necessary." Pg 430 Tittel: CISSP Study Guide

- Idham Azhari

Friday, 28 August 2015

CISSP Exam Preparation (Question 310)

(310) Management can expect penetration tests to provide all of the following EXCEPT

A. identification of security flaws
B. demonstration of the effects of the flaws
C. a method to correct the security flaws.
D. verification of the levels of existing infiltration resistance

Correct Answer: C

Explanation/Reference:

Penetration testing is a set of procedures designed to test and possibly bypass security controls of a system. Its goal is to measure an organization's resistance to an attack and to uncover any weaknesses within the environment... The result of a penetration test is a report given to management describing the list of vulnerabilities that were identified and the severity of those vulnerabilities. From here, it is up to management to determine how the vulnerabilities are dealt with and what countermeasures are implemented. - Shon Harris All-in-one CISSP Certification Guide pg 837-839

- Idham Azhari

Friday, 21 August 2015

CISSP Exam Preparation (Question 309)

(309) Why would an information security policy require that communications test equipment be controlled?

A. The equipment is susceptible to damage
B. The equipment can be used to browse information passing on a network
C. The equipment must always be available for replacement if necessary
D. The equipment can be used to reconfigure the network multiplexers

Correct Answer: B

- Idham Azhari

Friday, 14 August 2015

CISSP Exam Preparation (Question 308)

(308) Which of the following statements pertaining to ethical hacking is incorrect?

A. An organization should use ethical hackers who do not sell auditing, consulting, hardware, software, firewall, hosting, and/or networking services
B. Testing should be done remotely
C. Ethical hacking should not involve writing to or modifying the target systems
D. Ethical hackers should never use tools that have the potential of exploiting vulnerabilities in the organization's IT system.

Correct Answer: D

- Idham Azhari

Friday, 07 August 2015

CISSP Exam Preparation (Question 307)

(307) What tool do you use to determine whether a host is vulnerable to known attacks?

A. Padded Cells
B. Vulnerability analysis
C. Honey Pots
D. IDS

Correct Answer: B

Explanation/Reference:

Vulnerability analysis (also known as vulnerability assessment) tools test to determine whether a network or host is vulnerable to known attacks. Vulnerability assessment represents a special case of the intrusion detection process. The information sources used are system state attributes and outcomes of attempted attacks. The information sources are collected by a part of the assessment engine. The timing of analysis is interval-based or batch-mode, and the type of analysis is misuse detection. This means that vulnerability assessment systems are essentially batch mode misuse detectors that operate on system state information and results of specified test routines.

- Idham Azhari

Friday, 31 July 2015

CISSP Exam Preparation (Question 306)

(306) The absence or weakness in a system that may possibly be exploited is called a(n)?

A. Threat
B. Exposure
C. Vulnerability
D. Risk

Correct Answer: C

- Idham Azhari

Friday, 24 July 2015

CISSP Exam Preparation (Question 305)

(305) Which of the following is an advantage of a qualitative over quantitative risk analysis?

A. It prioritizes the risks and identifies areas for immediate improvement in addressing the vulnerabilities.
B. It provides specific quantifiable measurements of the magnitude of the impacts
C. It makes cost-benefit analysis of recommended controls easier

Correct Answer: A

- Idham Azhari

Friday, 10 July 2015

CISSP Exam Preparation (Question 304)

(304) How should a risk be handled when the cost of the countermeasures outweighs the cost of the risk?

A. Reject the risk
B. Perform another risk analysis
C. Accept the risk
D. Reduce the risk

Correct Answer: C

- Idham Azhari

Friday, 03 July 2015

CISSP Exam Preparation (Question 303)

(303) Risk is commonly expressed as a function of the

A. Systems vulnerabilities and the cost to mitigate.
B. Types of countermeasures needed and the system's vulnerabilities.
C. Likelihood that the harm will occur and its potential impact.
D. Computer system-related assets and their costs.

Correct Answer: C

Explanation/Reference:

The likelihood of a threat agent taking advantage of a vulnerability. A risk is the loss potential, or probability, that a threat will exploit a vulnerability. - Shon Harris All-in-one CISSP Certification Guide pg 937

- Idham Azhari

Friday, 26 June 2015

CISSP Exam Preparation (Question 302)

(302) Which one of the following risk analysis terms characterizes the absence or weakness of a risk-reducing safeguard?

A. Threat
B. Probability
C. Vulnerability
D. Loss expectancy

Correct Answer: C

Explanation/Reference:

A weakness in system security procedures, system design, implementation, internal controls, and so on that could be exploited to violate system security policy. -Ronald Krutz The CISSP PREP Guide (gold edition) pg 927

- Idham Azhari

Friday, 19 June 2015

CISSP Exam Preparation (Question 301)

(301) When conducting a risk assessment, which one of the following is NOT an acceptable social engineering practice?

A. Shoulder surfing
B. Misrepresentation
C. Subversion
D. Dumpster diving

Correct Answer: A

Explanation/Reference:

Shoulder Surfing: Attackers can thwart confidentiality mechanisms by network monitoring, shoulder surfing, stealing password files, and social engineering. These topics will be addressed more in-depth in later chapters, but shoulder surfing is when a person looks over another person's shoulder and watches keystrokes or data as it appears on the screen. Social engineering is tricking another person into sharing confidential information by posing as an individual authorized to access that information. Shon Harris: CISSP Certification pg. 63. Shoulder surfing is not social engineering.

- Idham Azhari

Friday, 12 June 2015

CISSP Exam Preparation (Question 300)

(300) A new worm has been released on the Internet. After investigation, you have not been able to determine if you are at risk of exposure. Management is concerned as they have heard that a number of their counterparts are being affected by the worm. How could you determine if you are at risk?

A. Evaluate evolving environment.
B. Contact your anti-virus vendor.
C. Discuss threat with a peer in another organization.
D. Wait for notification from an anti-virus vendor.

Correct Answer: B

- Idham Azhari

Friday, 05 June 2015

CISSP Exam Preparation (Question 299)

(299) Which of the following is not a part of risk analysis?

A. Identify risks
B. Quantify the impact of potential threats
C. Provide an economic balance between the impact of the risk and the cost of the associated countermeasures
D. Choose the best countermeasure

Correct Answer: D

- Idham Azhari

Friday, 29 May 2015

CISSP Exam Preparation (Question 298)

(298) Which one of the following is not one of the outcomes of a vulnerability analysis?

A. Quantitative loss assessment
B. Qualitative loss assessment
C. Formal approval of BCP scope and initiation document
D. Defining critical support areas

Correct Answer: C

- Idham Azhari

Friday, 22 May 2015

CISSP Exam Preparation (Question 297)

(297) Risk analysis is MOST useful when applied during which phase of the system development process?

A. Project identification
B. Requirements definition
C. System construction
D. Implementation planning

Correct Answer: A

Explanation/Reference:

Reference: pg 684 Shon Harris: All-in-One CISSP Certification

- Idham Azhari

Friday, 15 May 2015

CISSP Exam Preparation (Question 296)

(296) Which of the following is not a compensating measure for access violations?

A. Backups
B. Business continuity planning
C. Insurance
D. Security awareness

Correct Answer: D

- Idham Azhari

Friday, 08 May 2015

CISSP Exam Preparation (Question 295)

(295) Which of the following best explains why computerized information systems frequently fail to meet the needs of users?

A. Inadequate quality assurance (QA) tools
B. Constantly changing user needs
C. Inadequate user participation in defining the system's requirements
D. Inadequate project management.

Correct Answer: C

- Idham Azhari

Thursday, 30 April 2015

CISSP Exam Preparation (Question 294)

(294) Which of the following would be best suited to provide information during a review of the controls over the process of defining IT service levels?

A. Systems programmer
B. Legal staff
C. Business unit manager
D. Programmer

Correct Answer: C

- Idham Azhari

Friday, 24 April 2015

CISSP Exam Preparation (Question 293)

(293) In developing a security awareness program, it is MOST important to

A. Understand the corporate culture and how it will affect security.
B. Understand employees' preferences for information security.
C. Know what security awareness products are available.
D. Identify weakness in line management support.

Correct Answer: A

Explanation/Reference:

The controls and procedures of a security program should reflect the nature of the data being processed... These different types of companies would also have very different cultures. For a security awareness program to be effective, these considerations must be understood and the program should be developed in a fashion that makes sense per environment. - Shon Harris All-in-one CISSP Certification Guide pg 109

- Idham Azhari

Friday, 17 April 2015

CISSP Exam Preparation (Question 292)

(292) Which one of the following is the MAIN goal of a security awareness program when addressing senior management?

A. Provide a vehicle for communicating security procedures.
B. Provide a clear understanding of potential risk and exposure.
C. Provide a forum for disclosing exposure and risk analysis.
D. Provide a forum to communicate user responsibilities.

Correct Answer: B

Explanation/Reference:

When the Security Officer is addressing Senior Management, the focus would not be on user responsibilities; it would be on making sure that Senior Management has a clear understanding of the risk and potential liability. Not D: Item D would be correct in a situation where Senior Management is addressing organizational staff.

- Idham Azhari

Friday, 10 April 2015

CISSP Exam Preparation (Question 291)

(291) Which of the following is most relevant to determining the maximum effective cost of access control?

A. the value of information that is protected
B. management's perceptions regarding data importance
C. budget planning related to base versus incremental spending.
D. the cost to replace lost data

Correct Answer: A

- Idham Azhari

Friday, 03 April 2015

CISSP Exam Preparation (Question 290)

(290) What is the MAIN purpose of a change control/management system?

A. Notify all interested parties of the completion of the change.
B. Ensure that the change meets user specifications.
C. Document the change for audit and management review.
D. Ensure the orderly processing of a change request.

Correct Answer: C

- Idham Azhari

Friday, 27 March 2015

CISSP Exam Preparation (Question 289)

(289) Within the organizational environment, the security function should report to an organizational level that

A. Has information technology oversight.
B. Has autonomy from other levels.
C. Is an external operation.
D. Provides the internal audit function.

Correct Answer: B

- Idham Azhari

Friday, 20 March 2015

CISSP Exam Preparation (Question 288)

(288) Organizations develop change control procedures to ensure that

A. All changes are authorized, tested, and recorded.
B. Changes are controlled by the Policy Control Board (PCB).
C. All changes are requested, scheduled, and completed on time.
D. Management is advised of changes made to systems.

Correct Answer: A

Explanation/Reference:

"Change Control: Changes must be authorized, tested, and recorded. Changed systems may require recertification and re-accreditation." Pg 699 Shon Harris: All-in-One CISSP Certification

- Idham Azhari

Sunday, 15 March 2015

CHAP 1: Information Security Governance and Risk Management - Introduction

CHAPTER 1: Information Security Governance and Risk Management

Exam Objectives in this Chapter

  • Risk analysis
  • Information security governance

INTRODUCTION

Our job as information security professionals is to evaluate risks against our critical assets and deploy safeguards to mitigate them. We work in various roles as firewall engineers, penetration testers, auditors, management, and the like. The common thread is risk: It is part of our job description.

The Information Security Governance and Risk Management domain focuses on risk analysis and mitigation. It also details security governance, or the organizational structure required for a successful information security program. The difference between organizations that are successful and those that fail in this realm is usually not tied to dollars or staff size: It is tied to the right people in the right roles. Knowledgeable and experienced information security staff and supportive and vested leadership are the keys to success.

Speaking of leadership, learning to speak the language of leaders is another key to personal success in this industry. The ability to effectively communicate information security concepts with C-level executives is a rare and needed skill. This domain also helps you speak this language by discussing risk in terms such as Total Cost of Ownership (TCO) and Return on Investment (ROI).

- Quoted by Idham Azhari from Eleventh Hour CISSP - Study Guide

Friday, 13 March 2015

CISSP Exam Preparation (Question 287)

(287) Information security is the protection of data. Information will be protected mainly based on:

A. Its sensitivity to the company.
B. Its confidentiality.
C. Its value.
D. All of the choices.

Correct Answer: D

Explanation/Reference:

Information security is the protection of data against accidental or malicious disclosure, modification, or destruction. Information will be protected based on its value, confidentiality, and/or sensitivity to the company, and the risk of loss or compromise. At a minimum, information will be update-protected so that only authorized individuals can modify or erase the information.

- Idham Azhari

Friday, 06 March 2015

CISSP Exam Preparation (Question 286)

(286) The security planning process must define how security will be managed, who will be responsible, and

A. Who practices are reasonable and prudent for the enterprise.
B. Who will work in the security department.
C. What impact security will have on the intrinsic value of data.
D. How security measures will be tested for effectiveness.

Correct Answer: D

- Idham Azhari

Friday, 27 February 2015

CISSP Exam Preparation (Question 285)

(285) Which one of the following is the MOST crucial link in the computer security chain?

A. Access controls
B. People
C. Management
D. Awareness programs

Correct Answer: C

- Idham Azhari

Friday, 20 February 2015

CISSP Exam Preparation (Question 284)

(284) The structures, transmission methods, transport formats, and security measures that are used to provide integrity, availability, authentication, and confidentiality for transmissions over private and public communications networks and media are covered by:

A. The Telecommunications and Network Security domain
B. The Telecommunications and Netware Security domain
C. The Technical communications and Network Security domain
D. The Telnet and Security domain

Correct Answer: A

Explanation/Reference:

"The Telecommunications, Network, and Internet Security Domain encompasses the structures, transmission methods, transport formats, and security measures used to provide integrity, availability, authentication, and confidentiality for transmissions over private and public communications networks and media." Pg 515 Hansche: Official (ISC)2 Guide to the CISSP Exam

- Idham Azhari

Friday, 13 February 2015

CISSP Exam Preparation (Question 283)

(283) An area of the Telecommunications and Network Security domain that directly affects the Information Systems Security tenet of Availability can be defined as:

A. Netware availability
B. Network availability
C. Network acceptability
D. Network accountability

Correct Answer: B

- Idham Azhari

Friday, 06 February 2015

CISSP Exam Preparation (Question 282)

(282) Which of the following are objectives of an information systems security program?

A. Threats, vulnerabilities, and risks
B. Security, information value, and threats
C. Integrity, confidentiality, and availability.
D. Authenticity, vulnerabilities, and costs.

Correct Answer: C

Explanation/Reference:

There are several small and large objectives of a security program, but the main three principles in all programs are confidentiality, integrity, and availability. These are referred to as the CIA triad. - Shon Harris All-in-one CISSP Certification Guide pg 62

- Idham Azhari

Friday, 30 January 2015

CISSP Exam Preparation (Question 281)

(281) Most computer attacks result in violation of which of the following security properties?

A. Availability
B. Confidentiality
C. Integrity and control
D. All of the choices.

Correct Answer: D

Explanation/Reference:

Most computer attacks only corrupt a system's security in very specific ways. For example, certain attacks may enable a hacker to read specific files but don't allow alteration of any system components. Another attack may allow a hacker to shut down certain system components but doesn't allow access to any files. Despite the varied capabilities of computer attacks, they usually result in violation of only four different security properties: availability, confidentiality, integrity, and control.

- Idham Azhari

Friday, 23 January 2015

CISSP Exam Preparation (Question 280)

(280) Which of the following describes elements that create reliability and stability in networks and systems and which assure that connectivity is accessible when needed?

A. Availability
B. Acceptability
C. Confidentiality
D. Integrity

Correct Answer: A

- Idham Azhari

Friday, 16 January 2015

CISSP Exam Preparation (Question 279)

(279) Making sure that the data is accessible when and where it is needed is which of the following?

A. Confidentiality
B. Integrity
C. Acceptability
D. Availability

Correct Answer: D

- Idham Azhari

Friday, 09 January 2015

CISSP Exam Preparation (Question 278)

(278) Which of the following prevents, detects, and corrects errors so that the integrity, availability, and confidentiality of transactions over networks may be maintained?

A. Communications security management and techniques
B. Networks security management and techniques
C. Clients security management and techniques
D. Servers security management and techniques

Correct Answer: A

- Idham Azhari

Friday, 02 January 2015

CISSP Exam Preparation (Question 277)

(277) What are the three fundamental principles of security?

A. Accountability, confidentiality, and integrity
B. Confidentiality, integrity, and availability
C. Integrity, availability, and accountability
D. Availability, accountability, and confidentiality

Correct Answer: B

- Idham Azhari