CISSP Practice Test 1 250
*64 - correct answer-Binary keyspaces contain a number of keys equal to 2 raised to the
power of the number of bits. Two to the sixth power is 64, so a 6-bit keyspace contains 64
possible keys. The number of viable keys is usually smaller in most algorithms due to the
presence of parity bits and other algorithmic overhead or security issues that restrict the use
of some key values.
*A blue box - correct answer-A blue box was used to generate the 2600 Hz tones that
trunking systems required. White boxes included a dual-tone, multifrequency generator to
control phone systems. Black boxes were designed to steal long-distance service by
manipulating line voltages, and red boxes simulated the tones of coins being deposited into
payphones.
*Advance and protect the profession - correct answer-Gina's actions harm the CISSP
certification and information security community by undermining the integrity of the
examination process. While Gina also is acting dishonestly, the harm to the profession is
more of a direct violation of the code of ethics
*AES - correct answer-The DES modes of operation are Electronic Codebook (ECB), Cipher
Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB), and Counter
(CTR). The Advanced Encryption Standard (AES) is a separate encryption algorithm.
*Aggregation - correct answer-Aggregation is a security issue that arises when a collection
of facts has a higher classification than the classification of any of those facts standing
alone. An inference problem occurs when an attacker can pull together pieces of less
sensitive information from multiple sources and use them to derive information of greater
sensitivity. In this case, only a single source was used. SQL injection is a web application
exploit. Multilevel security is a system control that allows the simultaneous processing of
information at different classification levels.
*Application log - correct answer-The file clearly shows HTTP requests, as evidenced by the
many GET commands. Therefore, this is an example of an application log from an HTTP
server.
*Assuming control of a nonregistered BYOD mobile device - correct answer-MDM products
do not have the capability of assuming control of a device not currently managed by the
organization. This would be equivalent to hacking into a device owned by someone else and
might constitute a crime.
*Asynchronous - correct answer-X communications rely on a a built-in stop and start flag or
bit. This makes asynchronous communications less efficient than synchronous
communications, but better suited to some types of communication.
,*baseline - correct answer-NIST SP 800-53 discusses security control baselines as a list of
security controls. CIS releases security baselines, and a baseline is a useful part of a threat
management strategy and may contain a list of acceptable configuration items.
*Ben must have a conspicuously posted privacy policy on his site. - correct answer-The
California Online Privacy Protection Act requires that commercial websites that collect
personal information from users in California conspicuously post a privacy policy. The Act
does not require compliance with the EU DPD, nor does it use the DPD concepts of notice or
choice, and it does not require encryption of all personal data.
*Blacklist - correct answer-The blacklist approach to application control blocks certain
prohibited packages but allows the installation of other software on systems. The whitelist
approach uses the reverse philosophy and only allows approved software. Antivirus software
would only detect the installation of malicious software after the fact. Heuristic detection is a
variant of antivirus software.
*Bracketed NOT - correct answer-Mandatory access control systems can be hierarchical,
where each domain is ordered and related to other domains above and below it;
compartmentalized, where there is no relationship between each domain; or hybrid, where
both hierarchy and compartments are used. There is no concept of bracketing in mandatory
access control design.
*Business logic errors - correct answer-Business logic errors are most likely to be missed by
automated functional testing. If a complete coverage code test was conducted, runtime,
input validation, and error handling issues are likely to have been discovered by automated
testing. Any automated system is more likely to miss business logic errors, because human
are typically necessary to understand business logic issues.
*CA's private key - correct answer-The last step of the certificate creation process is the
digital signature. During this step, the certificate authority signs the certificate using its own
private key.
*CA's public key - correct answer-When an individual receives a copy of a digital certificate,
he or she verifies the authenticity of that certificate by using the CA's public key to validate
the digital signature contained on the certificate.
*Class variable - correct answer-X exist only once and share their value across all instances
of that object class. Instance variables have different values for each instance. Member
variables are the combination of class and instance variables associated with a particular
class. Global variables do not exist in an object-oriented programming language.
*Content Distribution Network (CDN) - correct answer-is designed to provide reliable,
low-latency, geographically distributed content distribution. In this scenario, a CDN is an
ideal solution. A P2P CDN like BitTorrent isn't a typical choice for a commercial entity,
whereas redundant servers or a hot site can provide high availability but won't provide the
remaining requirements.
, *CVSS Common Vulnerability Scoring System - correct answer-X uses measures such as
attack vector, complexity, exploit maturity, and how much user interaction is required as well
as measures suited to local concerns. CVE is the Common Vulnerabilities and Exposures
dictionary, CNA is the CVE Numbering Authority, and NVD is the National Vulnerability
Database.
*Detection - correct answer-Alejandro is in the first stage of the incident response process,
X. During this stage, the intrusion detection system provides the initial alert and Alejandro
performs preliminary triaging to determine if an intrusion is actually taking place and whether
the scenario fits the criteria for activating further steps of the incident response process
(which include response, mitigation, reporting, recovery, remediation, and lessons learned).
*Due diligence - correct answer-The due care principle states that an individual should react
in a situation using the same level of care that would be expected from any reasonable
person. It is a very broad standard. The due diligence principle is a more specific component
of due care that states an individual assigned a responsibility should exercise due care to
complete it accurately and in a timely manner.
*EAL2 - correct answer-X assurance applies when the system has been structurally tested. It
is the second-to-lowest level of assurance under the Common Criteria.
*ECPA Electronic Communications Privacy Act - correct answer-X makes it a crime to invade
the electronic privacy of an individual. It prohibits the unauthorized monitoring of email and
voicemail communications.
*Encrypt the email content - correct answer-The SMTP protocol does not guarantee
confidentiality between servers, making TLS or SSL between the client and server only a
partial measure. Encrypting the email content can provide confidentiality; digital signatures
can provide nonrepudiation.
*Examine and test - correct answer-NIST SP800-53 describes three processes:
Examination, which is reviewing or analyzing assessment objects like specifications,
mechanisms, or activities
Interviews, which are conducted with individuals or groups of individuals
Testing, which involves evaluating activities or mechanisms for expected behavior when
used or exercised
Knowing the details of a given NIST document in depth can be challenging. To address a
question like this, first eliminate responses that do not make sense; here, a mechanism
cannot be interviewed, and test and assess both mean the same thing. This leaves only one
correct answer.
*Fault - correct answer-A fault is a momentary loss of power. Blackouts are sustained
complete losses of power. Sags and brownouts are not complete power disruptions but
rather periods of low voltage conditions.
*Foreign key - correct answer-The tail number is a database field because it is stored in the
database. It is also a primary key because the question states that the database uniquely
The benefits of buying summaries with Stuvia:
Guaranteed quality through customer reviews
Stuvia customers have reviewed more than 700,000 summaries. This how you know that you are buying the best documents.
Quick and easy check-out
You can quickly pay through credit card or Stuvia-credit for the summaries. There is no membership needed.
Focus on what matters
Your fellow students write the study notes themselves, which is why the documents are always reliable and up-to-date. This ensures you quickly get to the core!
Frequently asked questions
What do I get when I buy this document?
You get a PDF, available immediately after your purchase. The purchased document is accessible anytime, anywhere and indefinitely through your profile.
Satisfaction guarantee: how does it work?
Our satisfaction guarantee ensures that you always find a study document that suits you well. You fill out a form, and our customer service team takes care of the rest.
Who am I buying these notes from?
Stuvia is a marketplace, so you are not buying this document from us, but from seller Hkane. Stuvia facilitates payment to the seller.
Will I be stuck with a subscription?
No, you only buy these notes for $7.99. You're not tied to anything after your purchase.
