Which of the following is considered best practice for preventing e-mail spoofing?

Uniform Resource Locator (URL) filtering

Reverse Domain Name Service (DNS) lookup

What would be the PRIMARY concern when designing and coordinating a security assessment for an Automatic Teller Machine (ATM) system?

Physical access to the electronic hardware

Regularly scheduled maintenance process

Availability of the network connection

A security professional has just completed their organization's Business Impact Analysis (BIA).Following Business Continuity Plan/Disaster Recovery Plan (BCP/DRP) best practices, what would be the professional's NEXT step?

Identify and select recovery strategies.

Present the findings to management for funding.

Select members for the organization's recovery teams.

Prepare a plan to test the organization's ability to recover its operations.

A vulnerability test on an Information System (IS) is conducted to

evaluate the effectiveness of security controls.

exploit security weaknesses in the IS.

measure system performance on systems with weak security controls.

evaluate the effectiveness of security controls.

prepare for Disaster Recovery (DR) planning.

When implementing controls in a heterogeneous end-point network for an organization, it is critical that

common software security components be implemented across all hosts.

hosts are able to establish network communications.

users can make modifications to their security software configurations.

common software security components be implemented across all hosts.

firewalls running on each host are fully customizable by the user.

Which of the following is the FIRST action that a system administrator should take when it is revealed during a penetration test that everyone in an organization has unauthorized access to a server holding sensitive data?

Immediately document the finding and report to senior management.

Use system privileges to alter the permissions to secure the server

Continue the testing to its completion and then inform IT management

Terminate the penetration test and pass the finding to the server management team

Which of the following wraps the decryption key of a full disk encryption implementation and ties the hard disk drive to a particular device?

Preboot eXecution Environment (PXE)

Simple Key-Management for Internet Protocol (SKIP)

The three PRIMARY requirements for a penetration test are

A defined goal, limited time period, and approval of management

A general objective, unlimited time, and approval of the network administrator

An objective statement, disclosed methodology, and fixed cost

A stated objective, liability waiver, and disclosed methodology

Which of the following is an attacker MOST likely to target to gain privileged access to a system?

Programs that write to system resources

Programs that write to user directories

Log files containing sensitive information

Log files containing system calls

Why is a system's criticality classification important in large organizations?

It provides for proper prioritization and scheduling of security and maintenance tasks.

It reduces critical system support workload and reduces the time required to apply patches.

It allows for clear systems status communications to executive management.

It provides for easier determination of ownership, reducing confusion as to the status of the asset.

By allowing storage communications to run on top of Transmission Control Protocol/Internet Protocol (TCP/IP) with a Storage Area Network (SAN), the

opportunity to sniff network traffic exists.

confidentiality of the traffic is protected.

opportunity to sniff network traffic exists.

opportunity for device identity spoofing is eliminated.

storage devices are protected against availability attacks.

In Disaster Recovery (DR) and business continuity training, which BEST describes a functional drill?

A functional evacuation of personnel

A full-scale simulation of an emergency and the subsequent response functions

A specific test by response teams of individual emergency response functions

A functional evacuation of personnel

An activation of the backup site

Which of the following does the Encapsulating Security Payload (ESP) provide?

Authorization and confidentiality

Which one of the following security mechanisms provides the BEST way to restrict the execution of privileged procedures?

Federated Identity Management (IdM)

What is an effective practice when returning electronic storage media to third parties for repair?

Establishing a contract with the third party regarding the secure handling of the mediA.

Ensuring the media is not labeled in any way that indicates the organization's name.

Disassembling the media and removing parts that may contain sensitive datA.

Physically breaking parts of the media that may contain sensitive datA.

Establishing a contract with the third party regarding the secure handling of the mediA.

Which of the following BEST represents the principle of open design?

The security of a mechanism should not depend on the secrecy of its design or implementation.

Disassembly, analysis, or reverse engineering will reveal the security functionality of the computer system.

Algorithms must be protected to ensure the security and interoperability of the designed system.

A knowledgeable user should have limited privileges on the system to prevent their ability to compromise security capabilities.

The security of a mechanism should not depend on the secrecy of its design or implementation.

An auditor carrying out a compliance audit requests passwords that are encrypted in the system to verify that the passwords are compliant with policy. Which of the following is the BEST response to the auditor?

Demonstrate that non-compliant passwords cannot be created in the system.

Provide the encrypted passwords and analysis tools to the auditor for analysis.

Analyze the encrypted passwords for the auditor and show them the results.

Demonstrate that non-compliant passwords cannot be created in the system.

Demonstrate that non-compliant passwords cannot be encrypted in the system.

When building a data center, site location and construction factors that increase the level of vulnerability to physical threats include

proximity to high crime areas of the city.

hardened building construction with consideration of seismic factors.

adequate distance from and lack of access to adjacent buildings.

curved roads approaching the data center.

proximity to high crime areas of the city.

Which of the following can BEST prevent security flaws occurring in outsourced software development?

Certification of the quality and accuracy of the work done

Contractual requirements for code quality

Licensing, code ownership and intellectual property rights

Certification of the quality and accuracy of the work done

Delivery dates, change management control and budgetary control

Which of the following is the MAIN reason that system re-certification and re-accreditation are needed?

To verify that security protection remains acceptable to the organizational security policy

To assist data owners in making future sensitivity and criticality determinations

To assure the software development team that all security issues have been addressed

To verify that security protection remains acceptable to the organizational security policy

To help the security team accept or reject new systems for implementation and production

An external attacker has compromised an organization's network security perimeter and installed a sniffer onto an inside computer. Which of the following is the MOST effective layer of security the organization could have implemented to mitigate the attacker's ability to gain further information?

Implement logical network segmentation at the switches

Implement packet filtering on the network firewalls

Require strong authentication for administrators

Install Host Based Intrusion Detection Systems (HIDS)

Implement logical network segmentation at the switches

A security consultant has been asked to research an organization's legal obligations to protect privacy-related information. What kind of reading material is MOST relevant to this project?

Privacy-related regulations enforced by governing bodies applicable to the organization

The organization's current security policies concerning privacy issues

Privacy-related regulations enforced by governing bodies applicable to the organization

Privacy best practices published by recognized security standards organizations

Organizational procedures designed to protect privacy information

According to best practice, which of the following groups is the MOST effective in performing an information security compliance audit?

In-house security administrators

When is security personnel involvement in the Systems Development Life Cycle (SDLC) process MOST beneficial?

Operations and maintenance phase

A large bank deploys hardware tokens to all customers that use their online banking system. The token generates and displays a six digit numeric password every 60 seconds. The customers must log into their bank accounts using this numeric password. This is an example of

single factor authentication token.

Which of the following is the BEST reason to review audit logs periodically?

Identify anomalies in use patterns

Verify they are operating properly

Identify anomalies in use patterns

What is the PRIMARY reason for ethics awareness and related policy implementation?

It affects the reputation of an organization.

It affects the workflow of an organization.

It affects the reputation of an organization.

It affects the retention rate of employees.

It affects the morale of the employees.

Which of the following is critical for establishing an initial baseline for software components in the operation and maintenance of applications?

Configuration control procedures

Application monitoring procedures

Configuration control procedures

Which of the following actions MUST be taken if a vulnerability is discovered during the maintenance stage in a System Development Life Cycle (SDLC)?

Report the vulnerability to product owner.

Make changes following principle and design guidelines.

Stop the application until the vulnerability is fixed.

Report the vulnerability to product owner.

Monitor the application and review code.

Which of the following provides effective management assurance for a Wireless Local Area Network (WLAN)?

Maintaining an inventory of authorized Access Points (AP) and connecting devices

Setting the radio frequency to the minimum range required

Establishing a Virtual Private Network (VPN) tunnel between the WLAN client device and a VPN concentrator

Verifying that all default passwords have been changed

From a security perspective, which of the following is a best practice to configure a Domain Name Service (DNS) system?

Limit zone transfers to authorized devices.

Configure secondary servers to use the primary server as a zone forwarder.

Block all Transmission Control Protocol (TCP) connections.

Disable all recursive queries on the name servers.

Limit zone transfers to authorized devices.

During an investigation of database theft from an organization's web site, it was determined that the Structured Query Language (SQL) injection technique was used despite input validation with clientside scripting. Which of the following provides the GREATEST protection against the same attack occurring again?

Implement server-side filtering

Encrypt communications between the servers

Implement server-side filtering

Filter outgoing traffic at the perimeter firewall

ISC CISSP Practice Test 5 - Free Online Exam Prep & Questions

When designing a networked Information System (IS) where there will be several different types of individual access, what is the FIRST step that should be taken to ensure all access control requirements are addressed?

Create a user profile.

Create a user access matrix.

Develop an Access Control List (ACL).

Develop a Role Based Access Control (RBAC) list.

Comment (0)

ISC CISSP Practice Test 5

Question

ISC CISSP Practice Tests

Practice Tests