Exam (worked answers)

CISSP - EXAM PRACTICE/STUDY QUESTIONS AND ANSWERS 100%

Pages: 29
Grade: A+
Uploaded on: 25-10-2023
Written in: 2023/2024

What is the most effective defense against cross-site scripting attacks?
a) Limiting account privileges
b) User Authentication
c) Input validation
d) Encryption
ANSWER: c) Input validation prevents cross-site scripting attacks by limiting user input to a predefined range. This prevents the attacker from including the HTML <SCRIPT> tag in the input.

What phase of the Electronic Discovery Reference Model puts evidence in a format that may be shared with others?
a) production
b) processing
c) review
d) presentation
ANSWER: a) Production places the information in a format that may be shared with others.

What form of security planning is designed to focus on timeframes of approximately one year and may include scheduling of tasks, assignment of responsibilities, hiring plans, maintenance plans, and even acquisition plans?
a) strategic
b) operational
c) tactical
d) administrative
ANSWER: c) Tactical planning is designed to focus on timeframes of approximately one year and may include scheduling of tasks, assignment of responsibilities, hiring plans, maintenance plans, and even acquisition plans.

Which is not a part of an electronic access control lock?
A. An electromagnet
B. A credential reader
C. A door sensor
D. A biometric scanner
ANSWER: D - An electronic access control (EAC) lock comprises three elements: an electromagnet to keep the door closed, a credential reader to authenticate subjects and to disable the electromagnet, and a door-closed sensor to reenable the electromagnet.

Which one of the following items is a characteristic of hot sites but not a characteristic of warm sites?
A. Communications circuits
B. Workstations
C. Servers
D. Current data
ANSWER: D - Current data

Which one of the following Data Encryption Standard (DES) operating modes can be used for large messages with the assurance that an error early in the encryption/decryption process won't spoil results throughout the communication?
A. Cipher Block Chaining (CBC)
B. Electronic Code Book (ECB)
C. Cipher Feedback (CFB)
D. Output feedback (OFB)
ANSWER: D - Output feedback (OFB) mode prevents early errors from interfering with future encryption/decryption. Cipher Block Chaining and Cipher Feedback modes will carry errors throughout the entire encryption/decryption process. Electronic Code Book (ECB) operation is not suitable for large amounts of data.

Which one of the following items is not a critical piece of information in the chain of evidence?
A. General description of the evidence
B. Name of the person collecting the evidence
C. Relationship of the evidence to the crime
D. Time and date the evidence was collected
ANSWER: C - The chain of evidence does not require that the evidence collector know or document the relationship of the evidence to the crime.

Which firewall type looks exclusively at the message header to determine whether to transmit or drop data?
A. Static packet filtering
B. Application-level gateway
C. Stateful inspection
D. Dynamic packet filtering
ANSWER: A - A static packet-filtering firewall filters traffic by examining data from a message header.

What type of information is used to form the basis of an expert system's decision-making process?
A. A series of weighted layered computations
B. Combined input from a number of human experts, weighted according to past performance
C. A series of "if/then" rules codified in a knowledge base
D. A biological decision-making process that simulates the reasoning process used by the human mind
ANSWER: C - Expert systems use a knowledge base consisting of a series of "if/then" statements to form decisions based on the previous experience of human experts.

What type of cryptographic attack rendered Double DES (2DES) no more effective than standard DES encryption?
A. Birthday attack
B. Chosen ciphertext attack
C. Meet-in-the-middle attack
D. Man-in-the-middle attack
ANSWER: C - The meet-in-the-middle attack demonstrated that it took relatively the same amount of computation power to defeat 2DES as it does to defeat standard DES. This led to the adoption of Triple DES (3DES) as a standard for government communication.

Which of the following is most directly associated with providing or supporting perfect forward secrecy?
A. PBKDF2
B. ECDHE
C. HMAC
D. OCSP
ANSWER: B - Elliptic Curve Diffie-Hellman Ephemeral, or Elliptic Curve Ephemeral Diffie-Hellman (ECDHE), implements perfect forward secrecy through the use of elliptic curve cryptography (ECC). PBKDF2 is an example of a key-stretching technology not directly supporting perfect forward secrecy. HMAC is a hashing function. OCSP is used to check for certificate revocation.

What is the best way to understand the meaning of the term 100-year flood plain?
A. A flood that occurs once every 100 years
B. A flood larger than any recorded in the past 100 years
C. A very serious but very unlikely flood event
D. A very serious flood that has a probability of 1 in 100 (1%) of occurring in any single calendar year
ANSWER: D - Flood levels rated in years (100-year, 500-year, 1,000-year, and so forth) basically reflect estimates of the probability of their occurrence. An area rated as a 100-year flood plain has a 1 in 100 chance of flooding in any given calendar year (1%), a 500-year flood has a 1 in 500 chance of occurring in any given calendar year, and so forth. Options A and B misrepresent the meaning of the 100-year interval mentioned, while option C fails to address its probabilistic intent.

What is the formula used to compute the ALE?
A. ALE = AV * EF * ARO
B. ALE = ARO * EF
C. ALE = AV * ARO
D. ALE = EF * ARO
ANSWER: A - The Annualized Loss Expectancy (ALE) is computed as the product of the asset value (AV) times the exposure factor (EF) times the annualized rate of occurrence (ARO). This is the longer form of the formula ALE = SLE * ARO. The other formulas displayed here do not accurately reflect this calculation.

Matthew and Richard want to communicate with each other using a public key cryptosystem. What is the total number of keys they must have to successfully communicate?
A. 1
B. 2
C. 3
D. 4
ANSWER: To use public key cryptography, Matthew and Richard must each have their own pair of public and private cryptographic keys.

Institution: CISSP - Certified Information Systems Security Professional
Course: CISSP - Certified Information Systems Security Professional










Seller: NURS3RD, Sprott Shaw College