CISSP Exam Preparation (Question 311)

(311) Which one of the following is a characteristic of a penetration testing project?

A. The project is open-ended until all known vulnerabilities are identified.

B. The project schedule is plotted to produce a critical path.

C. The project tasks are to break into a targeted system.

D. The project plan is reviewed with the target audience.

Correct Answer: C

Explanation

Explanation/Reference:

"One common method to test the strength of your security measures is to perform penetration testing. Penetration testing is a vigorous attempt to break into a protected network using any means necessary." Pg 430 Tittel: CISSP Study Guide

- Idham Azhari

CISSP Exam Preparation (Question 310)

(310) Management can expect penetration tests to provide all of the following EXCEPT

A. identification of security flaws

B. demonstration of the effects of the flaws

C. a method to correct the security flaws.

D. verification of the levels of existing infiltration resistance

Correct Answer: C

Explanation

Explanation/Reference:

Explanation:

Penetration testing is a set of procedures designed to test and possibly bypass security controls of a system. Its goal is to measure an organization's resistance to an attack and to uncover any weaknesses within the environment...The result of a penetration test is a report given to management describing the list of vulnerabilities that were identified and the severity of those vulnerabilities. From here, it is up to management to determine how the vulnerabilities are dealt with and what countermeasures are implemented. - Shon Harris All-in-one CISSP Certification Guide pg 837-839

- Idham Azhari

CISSP Exam Preparation (Question 309)

(309) Why would an information security policy require that communications test equipment be controlled?

A. The equipment is susceptible to damage

B. The equipment can be used to browse information passing on a network

C. The equipment must always be available for replacement if necessary

D. The equipment can be used to reconfigure the network multiplexers

Correct Answer: B

Explanation

Explanation/Reference:

- Idham Azhari

CISSP Exam Preparation (Question 308)

(308) Which of the following statements pertaining to ethical hacking is incorrect?

A. An organization should use ethical hackers who do not sell auditing, consulting, hardware, software, firewall, hosting, and/or networking services

B. Testing should be done remotely

C. Ethical hacking should not involve writing to or modifying the target systems

D. Ethical hackers should never use tools that have potential of exploiting vulnerabilities in the organizations IT system.

Correct Answer: D

Explanation

Explanation/Reference:

- Idham Azhari

CISSP Exam Preparation (Question 307)

(307) What tool do you use to determine whether a host is vulnerable to known attacks?

A. Padded Cells

B. Vulnerability analysis

C. Honey Pots

D. IDS

Correct Answer: B

Explanation

Explanation/Reference:

Explanation:

Vulnerability analysis (also known as vulnerability assessment) tools test to determine whether a network or host is vulnerable to known attacks. Vulnerability assessment represents a special case of the intrusion detection process. The information sources used are system state attributes and outcomes of attempted attacks. The information sources are collected by a part of the assessment engine. The timing of analysis is interval-based or batch-mode, and the type of analysis is misuse detection. This means that vulnerability assessment systems are essentially batch mode misuse detectors that operate on system state information and results of specified test routines.

- Idham Azhari

CISSP Exam Preparation (Question 306)

(306) The absence or weakness in a system that may possibly be exploited is called a(n)?

A. Threat

B. Exposure

C. Vulnerability

D. Risk

Correct Answer: C

Explanation

Explanation/Reference:

- Idham Azhari

CISSP Exam Preparation (Question 305)

(305) Which of the following is an advantage of a qualitative over quantitative risk analysis?

A. It prioritizes the risks and identifies areas for immediate improvement in addressing the vulnerabilities.

B. It provides specific quantifiable measurements of the magnitude of the impacts

C. It makes cost-benefit analysis of recommended controls easier

Correct Answer: A

Explanation

Explanation/Reference:

- Idham Azhari