Kelly Handerhan’s CISSP Q&A Review Guide

Dear Students,

We will going through the answers to these, as a class during our final Cybrary Live session. If you are able to, prior to
the class, try answering each of the questions. See you all on Cybrary Live!

- Kelly

Access Control
Question 1
Bob enrolls with a fingerprint reader and is able to authenticate for a number of weeks using the system. One day, Bob
cuts his finger
and finds he can no longer authenticate and receives a “Type 1” error. What is most likely the problem?
a) The system does not examine enough information to assess that it is Bob
b) Fingerprint readers are not very good at handling type 1errors by nature since these are very dynamic metrics
c) Fingerprint readers are not very good at handling type 1errors by nature since they have high cross-over error rates
d) The system examines too much information and needs to be configured to be less sensitive

Question 2
If a complex password, stored in a system that uses the full entropy of the Extended ASCII key set (8 bits per character),
can be cracked in one week, what is the maximum time it would it take to crack it if one more character is added?
a) 256 weeks
b) 2 weeks
c) 1 week and 1 day
d) 10.5 days

Question 3
A small number of sales people share an office with marketing. Rather than purchase a separate printer, management has
requested that the sales people use the marketing printer. Which of the following is the most appropriate way to grant
authorization for these users?
a) Add the sales people names to the printer ACL
b) Add the sales people names to the marketing group
c) Create a new group for these users and add the group to the printer’s ACL
d) Advise against it as it is a possible conflict of interest

Question 4
To validate a claimed identity, which of the following best describes authentication tokens?
a) Time-based access control
b) Sensitivity labels
c) Access control lists
d) Credentials
Page 1
Question 5
An Intrusion Detection System (IDS) has detected an ACK storm. What does this mean?
a) An intruder is sending unsolicited acknowledgements to scan the network
b) An intruder is sending unsolicited acknowledgements to perform a denial of service
c) An intruder is attempting to spoof the host to hijack a session
d) There is a bridging loop

Application Security
Question 1
At what phase of the system development life cycle are the customer-specific requirements determined?
a) Functional design
b) System design
c) Validations
d) Project initiation

Question 2
Which statement is true?
a) In a relational database parents can have only one child
b) In a relational database a child can have only one parent
c) In a hierarchical database a parent can have only one child
d) In a hierarchical database a child can have only one parent

Question 3
A change is planned to an application to address a specific problem.After the change however it appears that other
modules that should not have been affected appear to be broken. What is the likely cause?
a) The changed module had low cohesion
b) The changed module had high cohesion
c) The changed module was tightly coupled
d) The changed module was loosely coupled

Question 4
A user complains that his phone number in the employee database is not accurate. Each time the user makes a change to
the number it seems to take but then reverts back to the old number by the end of the day. Which of the following is the
most likely cause?
a) The user does not have modification rights
b) The schema does not allow changes from the user’s machine
c) Someone in personnel has put a lock on the cell
d) Replication integrity is inaccurate due to mismatched times

Question 5
What is the purpose of configuration management?
a) Security of a host
b) To produce documentation
c) To prevent changes
d) To Provide instructions for role back

Page 2
Business Continuity and Disaster Recovery Planning
Question 1
Bob is charged with creating disaster recovery plans for his group. He is very concerned that paper-based tests are not
realistic enough but is very concerned with risking downtime of production systems. What test type is most appropriate in
this situation?
a) Structured walkthrough
b) Warm
c) Simulation
d) Parallel

Question 2
A company provides outsourced help desk service to a number of clients worldwide. Currently they are equipped to
handle over a thousand calls a day, with an average call length of 10 minutes. If
they need to move to an alternate facility in the event of some disaster or disruption, management wants to be able to
provide at least 80 percent of the current capacity. What metric would need
to be determined in the Business Impact Analysis (BIA)?
a) Recovery time objectives
b) Service level objectives
c) Maximum tolerable downtime
d) Recovery point objectives

Question 3
Griffin Space Tech, a space development company experiences a fire requiring relocation to an off-site location. An
operator, a key person on the recovery team, fails to show up at the site. When contacted, the operator claims he was not
clear on his role and did not realize he was named in the plan. Which document type would explain the specific names of
the teams involved?
a) Reconstitution plans
b) Recovery procedures
c) Service level agreement
d) Memorandum of Agreement (MOA)

Question 4
The senior network administrator responsible for managing perimeter security devices is named in the disaster recovery
plan as the primary person to perform recovery of the firewall at an alternate site in an event requiring relocation.
However, this administrator may move to another department and may no longer be available for this role. What plan
should be used to prepare for such situations?
a) Business impact analysis
b) Succession
c) Personnel migration
d) Restructuring

Question 5
Critical systems are migrated to a hot site after a disaster. The backup operator from the recovery team receives a call
from a user complaining that the data that have been restored for their system
are too old to be of any use. The operator checks the tape that was used for the restore and confirms it was indeed the most
recent backup and that the tape was created only the night before. What
is the most likely cause of the problem?
a) The user is looking at a cached copy

Page 3
b) The data was restored to the wrong directory
c) There is a network latency issue
d) Recovery point objectives are very short

Cryptography
Question 1
Which of the following statements is incorrect?
a) To ensure the integrity of data create a message digest
b) To ensure privacy, encrypt the data with a symmetric key and the symmetric key with the receiver’s private key
c) To validate the sender, encrypt the message digest with the sender’s private key
d) To obtain the fastest method to encrypt data use a symmetric, shared secret key

Question 2
What is the most trusted way to ensure only the intended recipient obtains the key in a purely symmetric system?
a) Manager hand-delivers the key
b) Encrypt the key with the receiver’s public key
c) Encrypt the key with a passphrase
d) Encrypt the key with the sender’s private key

Question 3
Alice gives a copy of her private key to the crypto admin, Bob for backup. Which problem below would most likely affect
the accountability of the system?
a) Bob could sign documents as Alice
b) Bob could read documents destined for Alice
c) Bob could leave the company and her backup could be unavailable
d) Bob could update the CRL claiming Alice’s key was lost

Question 4
Alice works in customer service for a large manufacturing corporation and is responsible for working with customer’s
time sensitive orders. One of her customers, Bob, sends her a signed and encrypted email and requests a signed receipt.
Bob receives a receipt from Alice and becomes concerned when she does not follow through with his order and calls her
on the phone a few days later. Alice claims she did not receive the email. Which of the following could explain the
situation?
a) The email is stuck in her server’s inbound queue
b) Bob’s private key has been compromised
c) The CA has issued a duplicate certificate
d) Alice’s private key has been compromised

Question 5
Bob connects to an SSL server daily to check his email over an encrypted channel. His company-issued laptop is
upgraded to meet new client standards. He receives an error message stating that he is about to download a certificate that
has not been signed by a trusted 3rd party. What is the most likely cause?
a) The admin forgot to copy his private key to the new system
b) The new laptop has the wrong network address
c) The public key of the CA is not on his machine
d) His session key needs to be recreated

Page 4
Information Security and Risk Management
Question 1
To address a contract agreement with a new client, management is required to select stronger encryption algorithms. What
document needs to be modified to define the specifications for these new algorithms?
a) Policies
b) Standards
c) Procedures
d) Baselines

Question 2
Which of the following is out of place?
a) High, medium, low rankings
b) Subjective intuition
c) Objective opinions
d) Value

Question 3
Management requires that all employees with a company laptop keep their virus signatures up to date and run a full
system scan at least weekly. It is suggested however that they update signatures every night if possible. In what document
type would such suggestions likely be made?
a) Policies
b) Procedures
c) Guidelines
d) Standards

Question 4
Which of the following is the most logical order for risk management?
a) Asset valuation, threat analysis, control analysis, mitigation, policy creation, awareness
b) Threat analysis, control recommendation, asset valuation, mitigation
c) Policy creation, risk mitigation, control evaluation, training
d) Test, recommend, acquire/create, control, valuation

Legal, Regulations, Compliance and Investigations

Question 1
You are working in Philadelphia using a VPN to connect to a network in Singapore for a China-based company. Some of
the laws differ across these jurisdictions. According to the ISC2 Code
of Ethics, what is the proper action(s) to take?
a) Avoid conflicts of interest
b) Follow the most restrictive laws
c) China laws take precedence since this is the where corporate headquarters is located
d) Philadelphia laws take precedence since this is where you are rendering service.

Question 2
Alice is asked by a potential customer if she can provide service for an intrusion detection system (IDS) to assess the rule-
set currently configured on the system, and make recommendations

Page 5
for improvement, to comply with a new regulation pertaining to the customer’s line of business. Though Alice has an
interest in working with intrusion detection systems she has no hands-on
experience. What ISC2 code of ethics requirement may force Alice to decline the primary role for such an assignment?
a) Render only those services for which you are fully competent and qualified
b) Thou shall not make false claims
c) Provide only services in your area of expertise
d) Where compliance is paramount, service personnel require appropriate certification

Question 3
Alice is aggressively trying to increase personnel to meet market demands and tries to recruit Bob, a colleague, by
offering 5% ownership to the entire enterprise and agreeing to put this in writing soon. For expedience, they agree on a
start date before the lawyers approve the contract regarding the 5% ownership. Nine months pass and Alice fails to
provide the agreement in writing and changes her mind. According to the ISC2 Code of Ethics, what can be said of the
situation?
a) Alice is at fault for “Conflict of Interest”
b) Bob is at fault for failing “To ensure proper documentation”
c) Alice is at fault for failure to “Observe all contracts and agreements, express or implied”
d) There is no violation of the ISC2 Code of Ethics

Question 4
Due to new laws governing the actions taken by companies when customer-identifiable information is collected, a senior
manager directs internal auditors to analyze the company’s exposure to the new regulations. The results of the audit
identify a number of potential violations. What is the most appropriate action to take?
a) Consult outside advice to ensure that the audit is accurate
b) Conduct a gap analysis to prioritize ways to close the gaps
c) Review the company’s privacy policy and determine the necessary changes
d) Take steps to encrypt the sensitive data to protect the information

Question 5
Which of the following is not an example of civil law?
a) Contract
b) Property
c) Tort
d) Regulatory

Operations Security
Question 1
What RAID level is primarily associated with fastest writes but not
necessarily reads
a) 0
b) 1
c) 3
d) 5

Question 2
Which of the following control is more likely to provide confidentiality protection?
a) Rotation of Duties

Page 6
b) Segregation of Duties
c) Dual Control
d) Quality assurance

Question 3
Bob is hired to perform a penetration test for Griffin Space Tech, a leading space exploration company. Alice is nearly
killed when her navigation system is interrupted by what turned out to be a test on a system that was not supposed to be
part of the test. What document, if defined and understood, most likely may have prevented such a problem?
a) Rules of engagement
b) Concept of operations
c) Statement of work
d) Exception reports

Question 4
A critical server is scheduled to have a service pack installed. Departmental management requests that the change is tested
on a spare server first before being applied to the production server. To ensure that the spare server is configured exactly
as the production server, operations plan to make an unscheduled backup of the production server. Which backup method
is most appropriate?
a) Full
b) Incremental
c) Differential
d) Copy

Question 5
A user in your organization habitually surfs inappropriate websites. You are responsible for desktop support and notice
these sites in the history log. What is the best way to ensure the company is not held accountable by other user’s
complaints about this user?
a) Block access to these sites with an approved filter
b) Nothing as you are not in security
c) Inform law enforcement
d) Report your findings to management

Physical (Environmental) Security

Question 1
What is the purpose of a strike plate?
a) To prevent damage to a door in a loading dock
b) It is part of a locking mechanism
c) To allow egress traffic in the event of an emergency evacuation
d) To prevent damage to a door from moving equipment

Question 2
Measuring light output and sensitivity to light is an important concept for physical security. Lux ratings refer to lumens
per square meter. What rating refers to lumens per square foot?
a) LPSF
b) Luminescence
c) Joules
d) Foot-Candles

Page 7
Question 3
Which of the following is not an advantage to using security dogs?\
a) Olfactory sensitivity
b) Work in a power failure
c) Can cover a large area
d) Will prevent intruders from entering the premises

Question 4
Closed circuit television (CCTV) is an important detective control. Which of the following is most likely to be a common
application for CCTV?
a) To be used after a crime in event correlation
b) To enable guards to extend their vision to detect suspicious activity before a crime can be committed
c) To allow police to monitor sensitive areas
d) To allow management to monitor employee behavior

Question 5
What is the purpose of emergency lighting?
a) To allow rescue teams to search for distressed personnel after a power failure
b) Illumination of evacuation routes
c) To assist in CCTV controls during a threatening situation
d) They act as a deterrent as criminals fear detection

Security Architecture and Design

Question 1
A system engineer would like to design a backup system that allows an operator to perform backups on all system data
without giving the operator file system rights. What should the engineer
consider?
a) The Clark Wilson model
b) A SANS device
c) RBAC
d) Least privilege and need to know. In this case the operator by nature must have read access only.

Question 2
What is the purpose of the *_property in the Bell-Lapadula model?
a) To prevent an unauthenticated user from leaking secrets
b) To prevent an unauthenticated user from accessing sensitive data
c) To prevent an authenticated user from leaking secrets
d) To prevent an authenticated user from accessing sensitive data

Question 3
A remote database user maliciously enters a command in a user input dialog box, and manages to execute a command to
upgrade his rights in the system. Which recommended remediation method is least likely to mitigate this risk?
a) The system should check for input length
b) The system should check for input type
c) The system should block data control language from remote locations
d) The system should implement a mandatory access control

Page 8
Question 4
When determining whether to use a product in your environment you are asked to consult the product for certification per
the Common Criteria. The category for this product does not contain a protection profile (PP). Which of the following is
true?
a) An exception report may be created to allow this product, provided local testing can certify a build of the system.
b) The system may grandfather an existing rating from the TCSEC
c) The product can still be rated against the security target (ST)
d) Review other products to see if there is a viable alternative

Question 5
Which of the following is an example of the reference monitor?
a) Requiring users to provide proof of identification
b) Account lockouts
c) Log files
d) Directory attributes

Telecommunications and Network Security

Question 1
Why is it advisable to prevent packets from leaving your network where the source address is not from your network or a
private (RFC 1918) address?
a) To prevent your perimeter or edge devices from being attacked with a denial of service attack.
b) To prevent your internal devices from being attacked with a denial of service attack.
c) To prevent your systems from being used to attack others
d) To prevent your systems from a reconnaissance attack.

Question 2
Bob is attempting to use the hotel wireless network to connect to his company’s email server. He is told by the hotel staff
that the SSID is HOTELX (where X equals his floor number). After
gaining connection it is discovered that his email has been posted to some hacker website. Which of the following would
have most likely prevented this problem?
a) RADIUS
b) Mutual authentication
c) Two factor authentication
d) Extensible Authentication Protocol

Question 2
In what layer of the OSI model are electrical signals turned into binary addressing information?
a) Host to host
b) Biba
c) Datalink
d) Physical

Question 3
The firewall administrator notices that an IP address on the inside is attempting to open ports to an unknown host in a
foreign country. What is the most appropriate action to take?
a) Block the port until the host can be authenticated

Page 9
b) Perform a violation analysis
c) Run a virus scan on the machine that is attempting the connection as it may be infected
d) Interview the user of the machine to determine his intention.

Question 4
Which VPN method is less likely to work through NAT?
a) IPSec transport mode
b) IPSec tunnel with AH
c) IPSec tunnel with ESP
d) PPTP

Question 5
With regards to an intrusion detection system, what is meant by an insertion attack?
a) Enabling attackers to insert themselves into a system without detection
b) Injecting false data to mislead an IDS
c) Adding additional rules to misclassify an attack
d) Code injection attacks

Question 6
Which of the following attacks does not take advantage of systems that do not check for unsolicited replies?
a) Arp poisoning
b) DNS cache poisoning
c) OS Fingerprinting
d) Fragmenting

Page 10