CISSP Official ISC2 practice tests - Domain 6 questions with accurate solutions

1. During a port scan, Susan discovers a system running services on TCP and UDP 137-139 and TCP 445, as well as TCP 1433. What type of system is she likely to find if she connects to the machine?
A. A Linux email server
B. A Windows SQL server
C. A Linux file server
D. A Windows workstation - ✔✔B. TCP and UDP ports 137-139 are used for NetBIOS services, whereas 445 is used for Active Directory. TCP 1433 is the default port for Microsoft SQL, indicating that this is probably a Windows server providing SQL services.

2. Which of the following is a method used to design new software tests and to ensure the quality of tests?
A. Code auditing
B. Static code analysis
C. Regression testing
D. Mutation testing - ✔✔D. Mutation testing modifies a program in small ways, and then tests that mutant to determine if it behaves as it should or if it fails. This technique is used to design and test software tests through mutation. Static code analysis and regression testing are both means of testing code, whereas code auditing is an analysis of source code rather than a means of designing and testing software tests.

3. During a port scan, Lauren found TCP port 443 open on a system. Which tool is best suited to scanning the service that is most likely running on that port?
A. zzuf
B. Nikto
C. Metasploit
D. sqlmap - ✔✔B. TCP port 443 normally indicates an HTTPS server. Nikto is useful for vulnerability scanning web servers and applications and is the best choice listed for a web server. Metasploit includes some scanning functionality but is not a purpose-built tool for vulnerability scanning. zzuf is a fuzzing tool and isn't relevant for vulnerability scans, whereas sqlmap is a SQL injection testing tool.

4. What message logging standard is commonly used by network devices, Linux and Unix systems, and many other enterprise devices?
A. Syslog
B. Netlog
C. Eventlog
D. Remote Log Protocol (RLP) - ✔✔A. Syslog is a widely used protocol for event and message logging. Eventlog, netlog, and Remote Log Protocol are all made-up terms.

5. Alex wants to use an automated tool to fill web application forms to test for format string vulnerabilities. What type of tool should he use?
A. A black box
B. A brute-force tool
C. A fuzzer
D. A static analysis tool - ✔✔C. Fuzzers are tools that are designed to provide invalid or unexpected input to applications, testing for vulnerabilities like format string vulnerabilities, buffer-overflow issues, and other problems. A static analysis relies on examining code without running the application or code, and thus would not fill forms as part of a web application. Brute-force tools attempt to bypass security by trying every possible combination for passwords or other values. A black box is a type of penetration test where the testers do not know anything about the environment.

6. Susan needs to scan a system for vulnerabilities, and she wants to use an open source tool to test the system remotely. Which of the following tools will meet her requirements and allow vulnerability scanning?
A. Nmap
B. OpenVAS
C. MBSA
D. Nessus - ✔✔B. OpenVAS is an open source vulnerability scanning tool that will provide Susan with a report of the vulnerabilities that it can identify from a remote, network-based scan. Nmap is an open source port scanner. Both the Microsoft Baseline Security Analyzer (MBSA) and Nessus are closed source tools, although Nessus was originally open source.

7. NIST Special Publication 800-53A describes four major types of assessment objects that can be used to identify items being assessed. If the assessment covers IPS devices, which of the types of assessment objects is being assessed?
A. A specification
B. A mechanism
C. An activity
D. An individual - ✔✔B. An IPS is an example of a mechanism like a hardware-, software-, or firmware-based control or system. Specifications are document-based artifacts like policies or designs, activities are actions that support an information system that involves people, and an individual is one or more people applying specifications, mechanisms, or activities.

8. Jim has been contracted to perform a penetration test of a bank's primary branch. In order to make the test as real as possible, he has not been given any information about the bank other than its name and address. What type of penetration test has Jim agreed to perform?
A. A crystal box penetration test
B. A gray box penetration test
C. A black box penetration test
D. A white box penetration test - ✔✔C. Jim has agreed to a black box penetration test, which provides no information about the organization, its systems, or its defenses. A crystal or white box penetration test provides all of the information an attacker needs, whereas a gray box penetration test provides some, but not all, information.

9. As part of a penetration test, Alex needs to determine if there are web servers that could suffer from the 2014 Heartbleed bug. What type of tool could he use, and what should he check to verify that the tool can identify the problem?
A. A vulnerability scanner, to see whether the scanner has a signature or test for the Heartbleed CVE number
B. A port scanner, to see whether the scanner properly identifies SSL connections
C. A vulnerability scanner, to see whether the vulnerability scanner detects problems with the Apache web server
D. A port scanner, to see whether the port scanner supports TLS connections - ✔✔A. A vulnerability scanner that has a test (sometimes called a signature or plugin) that provides a detection method for CVE-2014-0160, also known as the Heartbleed bug, a vulnerability in OpenSSL, will detect and report on the issue on any system it can connect to. Port scanners do not determine whether services are vulnerable, and Heartbleed was not a vulnerability in the Apache web server—but even without knowing this, the CVE number is a better indicator of whether the issue will be found than a generic detect for a service.

10. In a response to a Request for Proposal, Susan receives a SAS-70 Type 1 report. If she wants a report that includes operating effectiveness detail, what should Susan ask for as follow-up and why?
A. An SAS-70 Type II, because Type I only covers a single point in time
B. An SOC Type 1, because Type II does not cover operating effectiveness
C. An SOC Type 2, because Type I does not cover operating effectiveness
D. An SAC-70 type 3, because Types 1 and 2 are outdated and no longer accepted - ✔✔C. Service Organization Control (SOC) reports replaced SAS-70 reports in 2010. A Type 1 report only covers a point in time, so Susan needs an SOC Type 2 report to have the information she requires to make a design and operating effectiveness decision based on the report.