
ISC

CISSP

Certified Information
Systems Security
Professional (CISSP)
Version: Demo

[ Total Questions: 10]


Web: www.marks4sure.com

Email: [email protected]
IMPORTANT NOTICE
Feedback
We have developed a quality product and state-of-the-art service to serve our customers' interests. If you have any
suggestions, please feel free to contact us at [email protected]

Support
If you have any questions about our product, please provide the following items:

exam code
screenshot of the question
login id/email

please contact us at [email protected] and our technical experts will provide support within 24 hours.

Copyright
The product of each order has its own encryption code, so you should use it independently. Any unauthorized
changes will incur legal penalties. We reserve the right of final interpretation of this statement.
Practice Test ISC - CISSP

Exam Topic Breakdown

Exam Topic                                        Number of Questions
Topic 10 : Exam Set B                             2
Topic 9 : Exam Set A                              2
Topic 4 : Communication and Network Security      2
Topic 2 : Exam Pool B                             2
Topic 11 : Exam Set C                             2
Topic 5 : Identity and Access Management (IAM)    0
Topic 1 : Exam Pool A                             0
Topic 14 : NEW Questions C                        0
Topic 3 : Security Architecture and Engineering   0
Topic 6 : Security Assessment and Testing         0
Topic 13 : New Questions B                        0
Topic 7 : Security Operations                     0
Topic 8 : Software Development Security           0
TOTAL                                             10

Pass Your Certification With Marks4sure Guarantee 1 of 20


Topic 10, Exam Set B

Question #:1 - (Exam Topic 10)

A system is developed so that its business users can perform business functions but not user administration
functions. Application administrators can perform administration functions but not user business functions.
These capabilities are BEST described as

A. least privilege.

B. rule based access controls.

C. Mandatory Access Control (MAC).

D. separation of duties.

Answer: D

Explanation
Separation of duties divides a critical process into functions that are assigned to different people or roles, so
that no single person has end-to-end control over it. Here the business functions and the user-administration
functions are deliberately split between two populations: business users cannot administer accounts, and
application administrators cannot perform business transactions. That mutual exclusion is what separation of
duties means. It limits fraud, collusion, abuse and error, and it keeps one role in a position to check the other.
Least privilege (each subject receives only the permissions its job needs) is related, but it describes the size of
each role's permission set, not the requirement that two duties be held by different people. Rule based access
control and Mandatory Access Control (MAC) are enforcement mechanisms by which such a design could be
implemented; they are not the principle the two-role design expresses. References: CISSP All-in-One Exam
Guide, Eighth Edition, Chapter 1, Security and Risk Management, page 32. Official (ISC)2 CISSP CBK
Reference, Fifth Edition, Chapter 1, Security and Risk Management, page 45.
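The two-role design in the question, expressed as an enforceable policy. This is an added example and not part of the practice test: it defines the business and user-administration duties as disjoint permission sets, binds each to a role, refuses a role assignment that would give one person both duties, and audits existing assignments for drift. All role, permission and user names are invented for the illustration.

```python
"""Separation of duties (SoD) as an enforceable authorization policy.

Added example, not from the practice test. Role, permission and user names
are made-up; the structure (duties -> roles -> static SoD constraint) is what
the question describes.
"""
from dataclasses import dataclass, field

# Permissions grouped by duty. The duty is the unit that SoD reasons about.
BUSINESS = frozenset({"order:create", "order:approve", "invoice:view"})
USER_ADMIN = frozenset({"user:create", "user:delete", "role:assign"})

ROLE_PERMISSIONS = {
    "business_user": BUSINESS,
    "app_admin": USER_ADMIN,
    "auditor": frozenset({"invoice:view", "audit_log:read"}),
}

# Static SoD constraint: no single principal may hold both roles of a pair.
CONFLICTING_ROLES = {frozenset({"business_user", "app_admin"})}


@dataclass
class Principal:
    name: str
    roles: set = field(default_factory=set)


class SoDViolation(Exception):
    """Raised when an assignment would put both halves of a duty pair on one person."""


def assign_role(principal: Principal, role: str) -> None:
    """Assign a role, refusing any assignment that violates a static SoD pair."""
    if role not in ROLE_PERMISSIONS:
        raise KeyError(f"unknown role {role!r}")
    for pair in CONFLICTING_ROLES:
        if role in pair and (pair - {role}) & principal.roles:
            raise SoDViolation(
                f"{principal.name} already holds {sorted(pair - {role})}; "
                f"adding {role!r} would give one person both duties"
            )
    principal.roles.add(role)


def effective_permissions(principal: Principal) -> frozenset:
    """Union of the permission sets of every role the principal holds."""
    perms = set()
    for role in principal.roles:
        perms |= ROLE_PERMISSIONS[role]
    return frozenset(perms)


def is_authorized(principal: Principal, permission: str) -> bool:
    return permission in effective_permissions(principal)


def audit_assignments(principals) -> list:
    """Detect drift: return (name, conflicting roles) for every principal that
    holds a forbidden pair, however the roles were granted."""
    findings = []
    for p in principals:
        for pair in CONFLICTING_ROLES:
            if pair <= p.roles:
                findings.append((p.name, sorted(pair)))
    return findings


if __name__ == "__main__":
    alice = Principal("alice")
    assign_role(alice, "business_user")
    bob = Principal("bob")
    assign_role(bob, "app_admin")
    print(is_authorized(alice, "order:approve"), is_authorized(alice, "user:create"))
    print(is_authorized(bob, "user:create"), is_authorized(bob, "order:approve"))
    try:
        assign_role(alice, "app_admin")
    except SoDViolation as exc:
        print("refused:", exc)
```

The distinction the question is testing is visible in the code: least privilege is about keeping each `ROLE_PERMISSIONS` entry small, while separation of duties is the `CONFLICTING_ROLES` constraint that keeps two roles off one person. `audit_assignments` matters in practice because roles are often granted outside the application (directory groups, break-glass accounts), so the constraint has to be re-checked, not only enforced at assignment time.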

Question #:2 - (Exam Topic 10)

During the procurement of a new information system, it was determined that some of the security requirements
were not addressed in the system specification. Which of the following is the MOST likely reason for this?

A. The procurement officer lacks technical knowledge.

B. The security requirements have changed during the procurement process.

C. There were no security professionals in the vendor's bidding team.

D. The description of the security requirements was insufficient.

Answer: D


Explanation
The most likely reason for some of the security requirements not being addressed in the system specification
during the procurement of a new information system is that the description of the security requirements was
insufficient. The description of the security requirements is the part of the procurement document that
specifies the security objectives, criteria, standards, and measures that the system must meet or comply with. If
the description of the security requirements is insufficient, vague, ambiguous, incomplete, or inaccurate, then
the system specification may not reflect or satisfy the security needs and expectations of the organization. The
procurement officer lacking technical knowledge, the security requirements changing during the procurement
process, and there being no security professionals in the vendor’s bidding team are not the most likely reasons
for this problem, as they do not directly affect the quality or clarity of the description of the security
requirements. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 8, Software Development
Security, page 1045. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 8, Software Development
Security, page 1071.


Topic 9, Exam Set A


Question #:3 - (Exam Topic 9)

Which of the following is a potential risk when a program runs in privileged mode?

A. It may serve to create unnecessary code complexity

B. It may not enforce job separation duties

C. It may create unnecessary application hardening

D. It may allow malicious code to be inserted

Answer: D

Explanation
A potential risk when a program runs in privileged mode is that it may allow malicious code to be inserted.
Privileged mode, also called kernel mode or supervisor mode, lets code execute any instruction and touch any
memory, device or disk without the protections the processor enforces on user-mode code. A program running
in that mode is therefore a high-value target: a flaw in it, for example a memory-safety bug in a kernel driver,
lets an attacker inject code that inherits full control of the system, which is how rootkits, backdoors and
kernel-level keyloggers get installed. The practical defense is to run as little code as possible in privileged
mode and to have privileged programs drop their privileges as soon as the work that required them is done.
References: What is Privileged Mode?; Privilege Escalation, OWASP Cheat Sheet Series.

Question #:4 - (Exam Topic 9)

The key benefits of a signed and encrypted e-mail include

A. confidentiality, authentication, and authorization.

B. confidentiality, non-repudiation, and authentication.

C. non-repudiation, authorization, and authentication.

D. non-repudiation, confidentiality, and authorization.

Answer: B

Explanation
A digital signature is made with the sender's private key over a hash of the message. Anyone holding the
sender's public key can verify it, which authenticates the origin, shows that the content was not altered, and,
because only the sender holds that private key, provides non-repudiation. Encryption under the recipient's
public key provides confidentiality, since only the recipient's private key can recover the content. Authorization
is not a property the message can carry; it is the decision, made by the receiving system against its own policy,
of what the authenticated sender is allowed to do.
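The sign-then-encrypt construction behind a signed and encrypted message, with each of the three properties checked. This is an added example, not code from the practice test or from any mail product. It assumes the Python `cryptography` package is installed and uses raw RSA key pairs in place of the certificates S/MIME would carry; the CMS/ASN.1 framing of real S/MIME is omitted, and the message is a plain byte string.

```python
"""Sign-then-encrypt e-mail body: confidentiality, authentication, non-repudiation.

Added example, not from the practice test. Assumes `pip install cryptography`.
RSA keys stand in for the sender's and recipient's certificates.
"""
import os
from cryptography.exceptions import InvalidSignature, InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

_PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)
_OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


def generate_keypair():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def sign_and_encrypt(message: bytes, sender_priv, recipient_pub) -> dict:
    """Sender signs with their private key, then encrypts (signature || message)
    under a fresh content-encryption key that only the recipient can unwrap."""
    signature = sender_priv.sign(message, _PSS, hashes.SHA256())       # non-repudiation + authentication
    cek = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    body = len(signature).to_bytes(2, "big") + signature + message
    ciphertext = AESGCM(cek).encrypt(nonce, body, None)                 # confidentiality + integrity
    return {
        "wrapped_key": recipient_pub.encrypt(cek, _OAEP),               # only the recipient can unwrap
        "nonce": nonce,
        "ciphertext": ciphertext,
    }


def decrypt_and_verify(envelope: dict, recipient_priv, sender_pub) -> bytes:
    """Recipient unwraps the key, decrypts, then verifies the sender's signature.
    Raises ValueError for the wrong recipient key, InvalidSignature for content
    that was not signed by the claimed sender or was altered."""
    cek = recipient_priv.decrypt(envelope["wrapped_key"], _OAEP)
    body = AESGCM(cek).decrypt(envelope["nonce"], envelope["ciphertext"], None)
    sig_len = int.from_bytes(body[:2], "big")
    signature, message = body[2:2 + sig_len], body[2 + sig_len:]
    sender_pub.verify(signature, message, _PSS, hashes.SHA256())
    return message


def open_envelope(envelope: dict, recipient_priv, sender_pub) -> tuple:
    """Non-raising wrapper: ('ok', message), ('not_recipient', None) or
    ('bad_signature', None). Useful when a mail client wants to show *why*
    a message could not be opened."""
    try:
        return "ok", decrypt_and_verify(envelope, recipient_priv, sender_pub)
    except (ValueError, InvalidTag):
        return "not_recipient", None
    except InvalidSignature:
        return "bad_signature", None


if __name__ == "__main__":
    alice, bob, mallory = generate_keypair(), generate_keypair(), generate_keypair()
    env = sign_and_encrypt(b"Approve wire transfer #4411", alice, bob.public_key())
    print(open_envelope(env, bob, alice.public_key()))          # ('ok', b'Approve ...')
    print(open_envelope(env, mallory, alice.public_key()))      # ('not_recipient', None)
    forged = sign_and_encrypt(b"Approve wire transfer #9999", mallory, bob.public_key())
    print(open_envelope(forged, bob, alice.public_key()))       # ('bad_signature', None)
```

Note what the code does not decide: whether Bob's system should act on "approve wire transfer" once it knows Alice wrote it. That is authorization, and it lives in Bob's policy, not in the envelope, which is why option B is right and the options containing "authorization" are not.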


Topic 4, Communication and Network Security

Question #:5 - (Exam Topic 4)

What is the purpose of an Internet Protocol (IP) spoofing attack?

A. To send excessive amounts of data to a process, making it unpredictable

B. To intercept network traffic without authorization

C. To disguise the destination address from a target’s IP filtering devices

D. To convince a system that it is communicating with a known entity

Answer: D

Explanation
The purpose of an Internet Protocol (IP) spoofing attack is to convince a system that it is communicating with
a known entity. IP spoofing means sending IP packets whose source address field has been forged, usually to
the address of a host the target trusts. Nothing in the IP header proves who wrote it, so the receiving system,
and any filter that keys only on the source address, takes the packet at face value. IP spoofing is used for:

Bypassing IP-based access control lists (ACLs) or firewall rules that admit traffic based on the source IP
address.

Launching denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks by flooding a target
with spoofed packets, or by bouncing requests off intermediate systems that reply, and amplify, toward the
forged source address, which is the real victim.

Hijacking a TCP session by predicting the sequence numbers and injecting spoofed segments into a
connection between two legitimate parties.

Gaining unauthorized access to a system that trusts a host by its address (address-based allow lists, the
legacy r-commands) by impersonating that host.

In every case the point is the same: to make the target believe it is talking to a known entity, which lets the
attacker exploit a trust relationship, evade detection and hide the true origin of the traffic.

The other options describe consequences or companion techniques, not the purpose. Option A describes a
flooding or overflow condition; spoofed source addresses are routinely used in such floods, but the flood is the
effect, not what spoofing is for. Option B describes sniffing; interception may be a by-product of a
spoofing-based session hijack, but spoofing itself sends packets rather than capturing them. Option C is wrong
on its face: spoofing forges the source address, not the destination, because a packet with a false destination
would never reach the target.
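The header-level view of why a source-address check is fooled and an interface-aware check is not. This is an added example, not part of the practice test: it builds the raw 20-byte IPv4 header of a packet whose source address is forged to look like an internal host, verifies the header checksum the way a receiver would, and runs the packet through a naive source-IP ACL and then through an anti-spoofing ingress filter of the kind BCP 38 describes. The trusted range and all addresses are invented for the illustration, and nothing is sent on the wire (no raw sockets are used).

```python
"""A forged-source IPv4 header, and two filters that judge it differently.

Added example, not from the practice test. Builds packet bytes only; the
trusted range 10.0.0.0/8 and the addresses are assumptions for illustration.
"""
import ipaddress
import struct

TRUSTED_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 1071). Over a valid header,
    including its checksum field, the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 6, ttl: int = 64) -> bytes:
    """Minimal IPv4 header without options. `src` is whatever the sender claims;
    the network does not check it, which is the whole basis of spoofing."""
    ver_ihl = (4 << 4) | 5                      # version 4, 5 x 32-bit words
    fields = struct.pack(
        "!BBHHHBBH4s4s",
        ver_ihl, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
        ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed,
    )
    checksum = ipv4_checksum(fields)
    return fields[:10] + struct.pack("!H", checksum) + fields[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    v_ihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {
        "version": v_ihl >> 4,
        "ihl": v_ihl & 0xF,
        "ttl": ttl,
        "proto": proto,
        "checksum_ok": ipv4_checksum(pkt[:20]) == 0,
        "src": str(ipaddress.ip_address(src)),
        "dst": str(ipaddress.ip_address(dst)),
    }


def source_acl_allows(pkt: bytes) -> bool:
    """Naive filter: trust anything that *claims* an internal source address."""
    return ipaddress.ip_address(parse_ipv4_header(pkt)["src"]) in TRUSTED_NET


def ingress_filter_allows(pkt: bytes, arrived_on_external: bool) -> bool:
    """Anti-spoofing filter: a packet arriving from the Internet can never
    legitimately carry an internal source, and a packet leaving the internal
    side must carry one. The arrival interface is the one thing the attacker
    cannot forge."""
    src = ipaddress.ip_address(parse_ipv4_header(pkt)["src"])
    if arrived_on_external:
        return src not in TRUSTED_NET
    return src in TRUSTED_NET


if __name__ == "__main__":
    spoofed = build_ipv4_header("10.0.0.5", "10.0.0.1", payload_len=20)
    print(parse_ipv4_header(spoofed))
    print("source ACL:", source_acl_allows(spoofed))                        # True: fooled
    print("ingress filter:", ingress_filter_allows(spoofed, True))          # False: dropped
```

The checksum passes on the spoofed packet because the attacker computed it over the forged fields; integrity of the header says nothing about who sent it. That is why the fix is a filter keyed on where the packet arrived (ingress filtering, or unicast reverse-path forwarding on routers) rather than a stricter check of what it says about itself.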

Question #:6 - (Exam Topic 4)


An external attacker has compromised an organization’s network security perimeter and installed a sniffer
onto an inside computer. Which of the following is the MOST effective layer of security the organization
could have implemented to mitigate the attacker’s ability to gain further information?

A. Implement packet filtering on the network firewalls

B. Install Host Based Intrusion Detection Systems (HIDS)

C. Require strong authentication for administrators

D. Implement logical network segmentation at the switches

Answer: D

Explanation
Implementing logical network segmentation at the switches is the most effective of the listed controls against a
sniffer that is already inside the perimeter. Logical network segmentation divides a network into smaller
subnetworks or segments by function, location or security level. At the switches, which forward frames at the
data link layer based on MAC addresses, it is done by assigning ports to VLANs, so that each VLAN is its own
broadcast domain and traffic between VLANs has to cross a router or firewall where it can be filtered. Its
benefits include:

Isolating network traffic and reducing congestion

Improving performance and efficiency of the network

Improving confidentiality of the network

Restricting the scope and impact of an attack

Enforcing access control and security policies at the segment boundary

Making monitoring and auditing of the network easier

Why this limits a sniffer comes down to what a sniffer can see. A sniffer captures and analyzes the frames that
reach its host's network interface; it can be used legitimately for troubleshooting or monitoring, or maliciously
for eavesdropping, credential theft or data capture. On a hub-based network it sees every frame on the segment.
On a switched network it normally sees only broadcasts, multicasts and frames addressed to its own host,
because the switch forwards known unicast traffic only to the destination port. An attacker on a switched
segment therefore resorts to ARP spoofing or MAC flooding to make the switch deliver other hosts' traffic to
the sniffer's port. Both of those tricks are confined to the attacker's broadcast domain: ARP does not cross a
router, and a flooded CAM table only makes the switch flood within the VLAN. By segmenting at the switches
the organization creates multiple broadcast domains and keeps servers and sensitive traffic on segments the
compromised host is not in, so the attacker sees at most the traffic of the one segment the sniffer sits on and
cannot reach the rest without defeating a further control.

The other options each leave the sniffer's view unchanged. Implementing packet filtering on the network
firewalls is not the most effective layer, because packet filtering examines only network and transport layer
headers, such as source and destination addresses and ports, not the payload; it applies only to traffic that
crosses the firewall and does nothing about traffic inside the perimeter where the sniffer sits; and it can be
evaded with IP spoofing or fragmentation. Installing Host Based Intrusion Detection Systems (HIDS) is not the
most effective layer, because a HIDS monitors a single host and detects rather than prevents: on the
compromised host it can be disabled, and on other hosts it does not stop their traffic from being captured in
transit. Requiring strong authentication for administrators is not the most effective layer, because
authentication verifies identity at login and does not protect data in transit; a sniffer on the right segment still
sees every frame, and authentication itself can be defeated by phishing, keylogging or credential theft.
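A small switch simulation showing exactly which frames a sniffer on one port receives, flat versus segmented. This is an added example and not part of the practice test. It models a learning switch (known unicast goes to one port, unknown unicast and broadcast are flooded), then confines flooding to a VLAN; it goes a step beyond the explanation by also modeling the CAM-table overflow (MAC flooding) an attacker uses to turn a switch into a hub, to show that segmentation still bounds that trick to one VLAN. Port names, MAC addresses, VLAN ids and the payroll traffic are invented for the illustration.

```python
"""What a sniffer on one switch port sees, with and without VLAN segmentation.

Added example, not from the practice test. Simulated learning switch with an
optional VLAN map and a bounded CAM table; all identifiers are made-up.
"""
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, port_vlan: dict, cam_capacity: int = 1024):
        self.port_vlan = port_vlan            # port -> VLAN id (flat network: all ports in VLAN 1)
        self.cam = {}                         # (vlan, mac) -> port
        self.cam_capacity = cam_capacity
        self.delivered = defaultdict(list)    # port -> frames delivered to that port

    def _learn(self, vlan: int, mac: str, port: str) -> None:
        key = (vlan, mac)
        if key in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[key] = port
        # else: table is full and the entry is not learned, which is what MAC flooding causes

    def forward(self, in_port: str, src: str, dst: str, payload: str) -> list:
        """Deliver one frame; returns the ports it was sent to."""
        vlan = self.port_vlan[in_port]
        self._learn(vlan, src, in_port)
        out_port = None if dst == BROADCAST else self.cam.get((vlan, dst))
        if out_port is not None:
            targets = [out_port]                                  # known unicast: one port only
        else:                                                     # broadcast or unknown: flood,
            targets = [p for p, v in self.port_vlan.items()       # but only within this VLAN
                       if v == vlan and p != in_port]
        for p in targets:
            self.delivered[p].append((src, dst, payload))
        return targets

    def seen_by(self, port: str) -> list:
        return list(self.delivered[port])


def mac_flood(sw: Switch, from_port: str, count: int) -> None:
    """Attacker sends frames with bogus source MACs to fill the CAM table."""
    for i in range(count):
        sw.forward(from_port, "de:ad:be:ef:%02x:%02x" % ((i >> 8) & 0xFF, i & 0xFF),
                   "00:00:00:00:00:01", "junk")


def run_scenario(vlan_map: dict, cam_capacity: int = 1024, attacker_floods: bool = False) -> list:
    """Finance server on p1, finance workstation on p2, attacker's sniffer on p3.
    Returns the payloads that reached p3."""
    sw = Switch(vlan_map, cam_capacity)
    if attacker_floods:
        mac_flood(sw, "p3", cam_capacity)
    # Hosts announce themselves (ARP broadcast), which normally populates the CAM table.
    sw.forward("p1", "aa:fin:01", BROADCAST, "arp who-has")
    sw.forward("p2", "aa:fin:02", BROADCAST, "arp who-has")
    # Then a unicast exchange carrying sensitive data.
    sw.forward("p2", "aa:fin:02", "aa:fin:01", "GET /payroll")
    sw.forward("p1", "aa:fin:01", "aa:fin:02", "payroll data")
    return [frame[2] for frame in sw.seen_by("p3")]


FLAT = {"p1": 1, "p2": 1, "p3": 1}          # one broadcast domain
SEGMENTED = {"p1": 10, "p2": 10, "p3": 20}  # finance VLAN 10, attacker in VLAN 20

if __name__ == "__main__":
    print("flat, switch intact:     ", run_scenario(FLAT))
    print("flat, CAM table flooded: ", run_scenario(FLAT, cam_capacity=8, attacker_floods=True))
    print("segmented, CAM flooded:  ", run_scenario(SEGMENTED, cam_capacity=8, attacker_floods=True))
```

On the flat network the intact switch already hides the payroll unicast from the sniffer, but the attacker recovers it by flooding the CAM table; on the segmented network the same flooding still yields nothing, because the switch floods only inside VLAN 20. ARP spoofing fails in the same way for the same reason: ARP never leaves the attacker's VLAN.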


Topic 2, Exam Pool B

Question #:7 - (Exam Topic 2)

Which of the following is MOST important when assigning ownership of an asset to a department?

A. The department should report to the business owner

B. Ownership of the asset should be periodically reviewed

C. Individual accountability should be ensured

D. All members should be trained on their responsibilities

Answer: C

Explanation
When assigning ownership of an asset to a department, the most important factor is to ensure individual
accountability for the asset. Individual accountability means that each person who has access to or uses the
asset is responsible for its protection and proper handling. Individual accountability also implies that each
person who causes or contributes to a security breach or incident involving the asset can be identified and held
liable. Individual accountability can be achieved by implementing security controls such as authentication,
authorization, auditing, and logging.

The other options are not as important as ensuring individual accountability, as they do not directly address the
security risks associated with the asset. The department should report to the business owner is a management
issue, not a security issue. Ownership of the asset should be periodically reviewed is a good practice, but it
does not prevent misuse or abuse of the asset. All members should be trained on their responsibilities is a
preventive measure, but it does not guarantee compliance or enforcement of the responsibilities.

Question #:8 - (Exam Topic 2)

Which one of the following affects the classification of data?

A. Assigned security label

B. Multilevel Security (MLS) architecture

C. Minimum query size

D. Passage of time

Answer: D

Explanation


The passage of time is one of the factors that affects the classification of data. Data classification is the process
of assigning a level of sensitivity or criticality to data based on its value, impact, and legal requirements. Data
classification helps to determine the appropriate security controls and handling procedures for the data.
However, data classification is not static, but dynamic, meaning that it can change over time depending on
various factors. One of these factors is the passage of time, which can affect the relevance, usefulness, or
sensitivity of the data. For example, data that is classified as confidential or secret at one point in time may
become obsolete, outdated, or declassified at a later point in time, and thus require a lower level of protection.
Conversely, data that is classified as public or unclassified at one point in time may become more valuable,
sensitive, or regulated at a later point in time, and thus require a higher level of protection. Therefore, data
classification should be reviewed and updated periodically to reflect the changes in the data over time.

The other options are not factors that change a classification; they are outputs of it or mechanisms that act on
it. An assigned security label is the result of classification: it records the level that was decided. A Multilevel
Security (MLS) architecture is a system design that enforces classification by mediating access according to
the clearance and need-to-know of the users. Minimum query size is an inference control for statistical
databases: it refuses queries whose result set is so small that individual records could be deduced from the
aggregate. It constrains how classified data may be queried; it does not alter what the classification is.


Topic 11, Exam Set C


Question #:9 - (Exam Topic 11)

Which of the following would BEST describe the role directly responsible for data within an organization?

A. Data custodian

B. Information owner

C. Database administrator

D. Quality control

Answer: B

Explanation
According to the CISSP For Dummies, the role that is directly responsible for data within an organization is
the information owner. The information owner is the person or role that has the authority and accountability
for the data or information that the organization owns, creates, uses, or maintains, such as data, documents,
records, or intellectual property. The information owner is responsible for defining the classification, value,
and sensitivity of the data or information, as well as the security requirements, policies, and standards for the
data or information. The information owner is also responsible for granting or revoking the access rights and
permissions to the data or information, as well as for monitoring and auditing the compliance and effectiveness
of the security controls and mechanisms for the data or information. The data custodian is not the role that is
directly responsible for data within an organization, although it may be a role that supports or assists the
information owner. The data custodian is the person or role that has the responsibility for implementing and
maintaining the security controls and mechanisms for the data or information, as defined by the information
owner. The data custodian is responsible for performing the technical and operational tasks and activities for
the data or information, such as backup, recovery, encryption, or disposal. The database administrator is not
the role that is directly responsible for data within an organization, although it may be a role that supports or
assists the information owner or the data custodian. The database administrator is the person or role that has
the responsibility for managing and administering the database system that stores and processes the data or
information. The database administrator is responsible for performing the technical and operational tasks and
activities for the database system, such as installation, configuration, optimization, or troubleshooting.

Question #:10 - (Exam Topic 11)

Which Web Services Security (WS-Security) specification handles the management of security tokens and the
underlying policies for granting access? Click on the correct specification in the image below.

(The image is not reproduced in this text version.)

Answer: WS-Authorization

Explanation
In the WS-Security specification roadmap, WS-Authorization is the specification intended to describe how
access policies for a web service are specified and managed, covering the management of authorization data
and security tokens.

Reference: "Java Web Services: Up and Running" by Martin Kalin, page 228.

Topic 5, Identity and Access Management (IAM)

Topic 1, Exam Pool A

Topic 14, NEW Questions C

Topic 3, Security Architecture and Engineering

Topic 6, Security Assessment and Testing

Topic 13, New Questions B

Topic 7, Security Operations

Topic 8, Software Development Security


About Marks4sure.com
marks4sure.com was founded in 2007. We provide latest & high quality IT / Business Certification Training Exam
Questions, Study Guides, Practice Tests.

We help you pass any IT / Business Certification Exams with 100% Pass Guaranteed or Full Refund. Especially
Cisco, CompTIA, Citrix, EMC, HP, Oracle, VMware, Juniper, Check Point, LPI, Nortel, EXIN and so on.

View list of all certification exams: All vendors

We prepare state-of-the art practice tests for certification exams. You can reach us at any of the email addresses listed
below.

Sales: [email protected]
Feedback: [email protected]
Support: [email protected]

For any problem with IT certification or our products, write to us and we will get back to you within 24
hours.
