CISSP Official ISC2 practice tests - Domain 8 questions with accurate solutions
1. When designing an object-oriented model, which of the following situations is ideal?
A. High cohesion, high coupling
B. High cohesion, low coupling
C. Low cohesion, low coupling
D. Low cohesion, high coupling - ✔✔B.
Coupling is a description of the level of interaction between objects. Cohesion is the strength of the relationship between the purposes of methods within the same class. When you are developing an object-oriented model, it is desirable to have high cohesion and low coupling.
2. Which of the following is a common way that attackers leverage botnets?
A. Sending spam messages
B. Conducting brute-force attacks
C. Scanning for vulnerable systems
D. All of the above - ✔✔D.
Botnets are used for a wide variety of malicious purposes, including scanning the network for vulnerable systems, conducting brute-force attacks against other systems, and sending out spam messages.
3. Which one of the following statements is not true about code review?
A. Code review should be a peer-driven process that includes multiple developers.
B. Code review may be automated.
C. Code review occurs during the design phase.
D. Code reviewers may expect to review several hundred lines of code per hour. - ✔✔C.
Code review takes place after code has been developed, which occurs after the design phase of the system's development life cycle (SDLC). Code review may use a combination of manual and automated techniques, or rely solely on one or the other. It should be a peer-driven process that includes developers who did not write the code. Developers should expect to complete the review of around 300 lines per hour, on average.
4. Harold's company has a strong password policy that requires a minimum length of 12 characters and the use of both alphanumeric characters and symbols. What technique would be the most effective way for an attacker to compromise passwords in Harold's organization?
A. Brute-force attack
B. Dictionary attack
C. Rainbow table attack
D. Social engineering attack - ✔✔D.
A social engineering attack may trick a user into revealing their password to the attacker. Other attacks that depend on guessing passwords, such as brute-force attacks, rainbow table attacks, and dictionary attacks, are unlikely to be successful in light of the organization's strong password policy.
5. Which process is responsible for ensuring that changes to software include acceptance testing?
A. Request control
B. Change control
C. Release control
D. Configuration control - ✔✔C.
One of the responsibilities of the release control process is ensuring that the process includes acceptance testing that confirms that any alterations to end-user work tasks are understood and functional prior to code release. The request control, change control, and configuration control processes do not include acceptance testing.
6. Which one of the following attack types attempts to exploit the trust relationship that a user's browser has with other websites by forcing the submission of an authenticated request to a third-party site?
A. XSS
B. CSRF
C. SQL injection
D. Session hijacking - ✔✔B.
Cross-site request forgery (XSRF or CSRF) attacks exploit the trust that sites have in a user's browser by attempting to force the submission of authenticated requests to third-party sites. Session hijacking attacks attempt to steal previously authenticated sessions but do not force the browser to submit requests. SQL injection directly attacks a database through a web application. Cross-site scripting uses reflected input to trick a user's browser into executing untrusted code from a trusted site.
7. When using the SDLC, which one of these steps should you take before the others?
A. Functional requirements determination
B. Control specifications development
C. Code review
D. Design review - ✔✔A.
The SDLC consists of seven phases, in the following order: conceptual definition, functional requirements determination, control specifications development, design review, code review, system test review, and maintenance and change management.
8. Jaime is a technical support analyst and is asked to visit a user whose computer is displaying the error message (blue screen - white text). What state has this computer entered?
A. Fail open
B. Irrecoverable error
C. Memory exhaustion
D. Fail secure - ✔✔D.
The error message shown in the figure is the infamous "Blue Screen of Death" that occurs when a Windows system experiences a dangerous failure and enters a fail secure state. If the system had "failed open," it would have continued operation. The error described is a memory fault that is likely recoverable by rebooting the system. There is no indication that the system has run out of usable memory.
9. Which one of the following is not a goal of software threat modeling?
A. To reduce the number of security-related design flaws
B. To reduce the number of security-related coding flaws
C. To reduce the severity of non-security-related flaws
D. To reduce the number of threat vectors - ✔✔D.
Software threat modeling is designed to reduce the number of security-related design and coding flaws as well as the severity of other flaws. The developer or evaluator of software has no control over the threat environment, because it is external to the organization.