Revision Examination Tests
CISSP Official ISC2 Practice Tests - Domain 8, 2024-2025: Questions and Correct Detailed Answers
Quiz 1. When designing an object-oriented model, which of the following situations is ideal?
A. High cohesion, high coupling
B. High cohesion, low coupling
C. Low cohesion, low coupling
D. Low cohesion, high coupling
Ans: B.
Coupling is a description of the level of interaction between objects. Cohesion is the
strength of the relationship between the purposes of methods within the same class.
When you are developing an object-oriented model, it is desirable to have high
cohesion and low coupling.
Quiz 2. Which of the following is a common way that attackers leverage botnets?
A. Sending spam messages
B. Conducting brute-force attacks
C. Scanning for vulnerable systems
D. All of the above
Ans: D.
Botnets are used for a wide variety of malicious purposes, including scanning the
network for vulnerable systems, conducting brute-force attacks against other
systems, and sending out spam messages.
Quiz 3. Which one of the following statements is not true about code review?
A. Code review should be a peer-driven process that includes multiple developers.
B. Code review may be automated.
C. Code review occurs during the design phase.
D. Code reviewers may expect to review several hundred lines of code per hour.
Ans: C.
Code review takes place after code has been developed, which occurs after the
design phase of the system's development life cycle (SDLC). Code review may use a
combination of manual and automated techniques, or rely solely on one or the other.
It should be a peer-driven process that includes developers who did not write the
code. Developers should expect to complete the review of around 300 lines per hour,
on average.
Quiz 4. Harold's company has a strong password policy that requires a minimum
length of 12 characters and the use of both alphanumeric characters and symbols.
What technique would be the most effective way for an attacker to compromise
passwords in Harold's organization?
A. Brute-force attack
B. Dictionary attack
C. Rainbow table attack
D. Social engineering attack
Ans: D.
A social engineering attack may trick a user into revealing their password to the
attacker. Other attacks that depend on guessing passwords, such as brute-force
attacks, rainbow table attacks, and dictionary attacks, are unlikely to be successful in
light of the organization's strong password policy.
Quiz 5. Which process is responsible for ensuring that changes to software include
acceptance testing?
A. Request control
B. Change control
C. Release control
D. Configuration control
Ans: C.
One of the responsibilities of the release control process is ensuring that the process
includes acceptance testing that confirms that any alterations to end-user work tasks
are understood and functional prior to code release. The request control,
change control, and configuration control processes do not include acceptance
testing.
Quiz 6. Which one of the following attack types attempts to exploit the trust
relationship that a user's browser has with other websites by forcing the submission
of an authenticated request to a third-party site?
A. XSS
B. CSRF
C. SQL injection
D. Session hijacking
Ans: B.
Cross-site request forgery (XSRF or CSRF) attacks exploit the trust that sites have in
a user's browser by attempting to force the submission of authenticated requests to
third-party sites. Session hijacking attacks attempt to steal previously authenticated
sessions but do not force the browser to submit requests. SQL injection directly
attacks a database through a web application. Cross-site scripting uses reflected
input to trick a user's browser into executing untrusted code from a trusted site.
Quiz 7. When using the SDLC, which one of these steps should you take before the
others?
A. Functional requirements determination
B. Control specifications development
C. Code review
D. Design review
Ans: A.
The SDLC consists of seven phases, in the following order: conceptual definition,
functional requirements determination, control specifications development, design
review, code review, system test review, and maintenance and change
management.
Quiz 8. Jaime is a technical support analyst and is asked to visit a user whose
computer is displaying the error message (blue screen - white text). What state has
this computer entered?
A. Fail open
B. Irrecoverable error
C. Memory exhaustion
D. Fail secure
Ans: D.
The error message shown in the figure is the infamous "Blue Screen of Death" that
occurs when a Windows system experiences a dangerous failure and enters a fail
secure state. If the system had "failed open," it would have continued operation. The
error described is a memory fault that is likely recoverable by rebooting the system.
There is no indication that the system has run out of usable memory.
Quiz 9. Which one of the following is not a goal of software threat modeling?
A. To reduce the number of security-related design flaws
B. To reduce the number of security-related coding flaws
C. To reduce the severity of non-security-related flaws
D. To reduce the number of threat vectors
Ans: D.
Software threat modeling is designed to reduce the number of security-related
design and coding flaws as well as the severity of other flaws. The developer or
evaluator of software has no control over the threat environment, because it is
external to the organization.
Quiz 10. In the diagram shown here, which is an example of a method?
A. Account
B. Owner
C. AddFunds
D. None of the above
Ans: C.
In the diagram, Account is the name of the class. Owner and Balance are attributes
of that class. AddFunds and RemoveFunds are methods of the class.
Quiz 11. Which one of the following is considered primary storage?
A. Memory
B. Hard disk
C. Flash drive
D. DVD
Ans: A.
Primary storage is a technical term used to refer to the memory that is directly
available to the CPU. Nonvolatile storage mechanisms, such as flash drives, DVDs,
and hard drives, are classified as secondary storage.
Quiz 12. Which one of the following testing methodologies typically works without
access to source code?
A. Dynamic testing
B. Static testing
C. White box testing
D. Code review
Ans: A.
Dynamic testing of software typically occurs in a black box environment where the
tester does not have access to the source code. Static testing, white box testing, and
code review approaches all require access to the source code of the application.
Quiz 13. What concept in object-oriented programming allows a subclass to access
methods belonging to a superclass?
A. Polymorphism