CISSP Practice Questions and Definitions


AAA

Shorthand for authentication, authorization, and accountability controls.

Adware

Software that's commonly installed with a freeware or shareware program. It provides a source of revenue for the software developer and runs only when you're using the associated program or until you purchase the program (in the case of shareware). See also malware.

Antivirus Software

Software that's designed to detect and prevent computer viruses and other malware from entering and harming a system.

Aggregation

(1) A database security issue that describes the act of obtaining information classified at a high sensitivity level by combining other items of low-sensitivity information. (2) The unintended accumulation of access privileges by persons who transfer from role to role in an organization over time.

Acquisition

(1) The process of purchasing another organization. (2) The process of purchasing information systems hardware or software.

Access Matrix Model

Provides object access rights (read/write/execute or R/W/X) to subjects in a Discretionary Access Control (DAC) system. An access matrix consists of Access Control Lists (ACLs) and capability lists.

Attribute-Based Access Control (ABAC)

An access control model where a subject is granted access to an object based on subject attributes, object attributes, and environmental considerations.

Application Scan

An automated test used to identify weaknesses in a software application.

3DES (Triple DES)

An enhancement to the original Data Encryption Standard (DES) algorithm that uses multiple keys to encrypt plain text. Officially known as the Triple Data Encryption Algorithm (TDEA or Triple DEA).

Accreditation

An official, written approval for the operation of a specific system in a specific environment, as documented in a certification report.

Advanced Encryption Standard (AES)

A block cipher based on the Rijndael cipher, which replaced Data Encryption Standard (DES).

Active-Active

A clustered configuration in which all of the nodes in a system or network are load balanced, synchronized, and active. If one node fails, the other node(s) continue providing services seamlessly.

Active-Passive

A clustered configuration in which only one node in a system or network is active. If the primary node fails, a passive node becomes active and continues providing services, usually after a short delay.

Applet

A component in a distributed environment (various components are located on separate systems) that's downloaded into and executed by another program, such as a web browser.

Asymmetric Key System (or Asymmetric Algorithm; Public Key)

A cryptographic system that uses two separate keys -- one key to encrypt information and a different key to decrypt information. These key pairs are known as public and private keys.

Application Firewall

A firewall that inspects Open Systems Interconnection (OSI) Layer 7 (Application Layer) content in order to block malicious content from reaching or leaving an application server. See also Web Application Firewall (WAF).

Application-Level Firewall

A firewall that inspects Open Systems Interconnection (OSI) Layer 7 (Application Layer) content in order to block malicious content from reaching or leaving an application server. See also Web Application Firewall (WAF).

Agile Maturity Model (AMM)

A framework for measuring the maturity of agile software development of a system.

Application Whitelisting

A mechanism used to control which applications are permitted to execute on a system.

Abstraction

A process that involves viewing an application from its highest-level functions, which makes lower-level functions abstract.

Address Space

A range of discrete addresses allocated to a network host, device, disk sector, or memory cell.

Asset

A resource, process, product, system, or program that has some value to an organization and must therefore be protected. These can be hard goods, such as computers and equipment, but can also be information, programs, and intellectual property.

Agent

A software component that performs a particular service.

Agile

A software development methodology known for its iterative approach to the development of a system.

ActiveX

A software framework created by Microsoft that adapts its earlier Component Object Model (COM) and Object Linking and Embedding (OLE) technologies for content downloaded from a network, such as the internet.

Application Programming Interface (API)

A specification for input data and output data for a system.

Annualized Loss Expectancy (ALE)

A standard, quantifiable measure of the impact that a realized threat will have on an organization's assets. Annualized Loss Expectancy (ALE) is determined by the formula: Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO) = Annualized Loss Expectancy (ALE)

Asynchronous Transfer Mode (ATM)

A very high-speed, low-latency, packet-switched communications protocol.

Authenticated Scan

A vulnerability scan that attempts to log in to a device, system, or application during its search for exploitable vulnerabilities.

Which of the following items is the least important to consider when designing an access control system? a. Risk b. Threat c. Vulnerability d. Annual loss expectancy

Correct Answer: d - Annual loss expectancy Before implementing any type of access control system, the security professional needs to consider potential vulnerabilities because these give rise to threats. Threats must also be considered because they lead to risks. Risk is the potential that the vulnerability may be exploited. Answer D is incorrect because it relates to the formula used for risk analysis.

Which of the following is not one of the four access control models? a. Discretionary b. Mandatory c. Role-based d. Delegated

Correct Answer: d - Delegated There are four types of access control models.
• Discretionary access control places the data owners in charge of access control.
• Mandatory access control uses labels to determine who has access to data.
• Role-based access control is based on the user's role in the organization.
• Rule-based access control is where users are allowed or denied access to resource objects based on a set of rules defined by a system administrator.
Answer D is incorrect because there is no category called delegated access control.

Which style of authentication is not susceptible to a dictionary attack? a. CHAP b. LEAP c. WPA-PSK d. PAP

Correct Answer: d - PAP Only Password Authentication Protocol (PAP) is not susceptible to a dictionary attack; no attack is needed because the password is transmitted in plain text. Challenge Handshake Authentication Protocol (CHAP), Lightweight Extensible Authentication Protocol (LEAP), and WiFi Protected Access Pre-Shared Key (WPA-PSK) are all susceptible to dictionary attacks. When you are forced to use one of these mechanisms, the only security precaution you can take is to choose passwords that will not be in any contrived dictionary—although pre-computed hashes are now being used for that purpose.

Your organization has become worried about recent attempts to gain unauthorized access to the R&D facility. Therefore, you are asked to implement a system that will require individuals to present a password and enter a PIN at the security gate before gaining access. What is this type of system called? a. Authorization b. Two-factor authentication c. Authentication d. Three-factor authentication

Correct Answer: c - Authentication The question states that a password and PIN are required. Both passwords and PINs are examples of something you know. Authentication is something you know, something you have, or something you are. Therefore, passwords and PINs are examples of authentication. Answer B is incorrect because two-factor authentication requires two of the three primary categories of authentication to be used. Two-factor authentication is considered more secure than single-factor authentication. Three-factor authentication requires all three categories. Authorization is what you allow the user to do or accomplish.

Which of the following types of copper cabling is the most secure against eavesdropping and unauthorized access? a. Single-mode fiber b. Multimode fiber c. Category 6 cabling d. 802.11ac wireless

Correct Answer: c - Category 6 cabling The only choice for copper cabling would be Category 6. Single-mode and multimode fiber are not examples of copper cabling. However, fiber is considered a more secure transmission medium than copper cabling because it does not emit any Electromagnetic Interference (EMI). All types of copper cabling emit a certain amount of EMI. Unauthorized personnel can clamp probes to these cables and decode the transmitted messages. Wireless is not an example of copper cabling.

Application Software

Computer software that a person uses to accomplish a specific task.

Automatic Controls

Controls that are not performed manually.

You're preparing a presentation for the senior management of your company. They have asked you to rank the general order of accuracy of the most popular biometric systems, with 1 being the lowest and 5 being the highest. What will you tell them? a. (1) fingerprint, (2) palm scan, (3) hand geometry, (4) retina scan, (5) iris scan b. (1) fingerprint, (2) palm scan, (3) iris scan, (4) retina scan, (5) hand geometry c. (1) palm scan, (2) hand geometry, (3) iris scan, (4) retina scan, (5) fingerprint d. (1) hand geometry, (2) palm scan, (3) fingerprint, (4) retina scan, (5) iris scan

Correct Answer: a - (1) fingerprint, (2) palm scan, (3) hand geometry, (4) retina scan, (5) iris scan The general order of accuracy of biometric systems is fingerprint, palm scan, hand geometry, retina scan, and iris scan. However, the accuracy of an individual system is not the only item a security professional needs to consider before implementing a biometric system. Security professionals must examine usability, employee acceptance, and the crossover error rate of the proposed system. The employee acceptance rate examines the employees' willingness to use the system. For example, technology innovations with Radio Frequency Identifier (RFID) tags have made it possible to inject an extremely small tag into an employee's arm. This RFID tag could be used for identification, for authorization, and to monitor employee movement throughout the organization's facility. However, most employees would be hesitant to allow their employer to embed such a device in their arm. Currently issued passports have RFID tags, which has created an issue with identity theft (RFID sniffers). The crossover error rate examines the capability of the proposed systems to accurately identify the individual. If the system has a high false reject rate, employees will soon grow weary of the system and look for ways to bypass it. Therefore, each of these items is important to consider.

Today, you are meeting with a coworker who is proposing that the number of logins and passwords be reduced. Another coworker has suggested that you investigate single sign-on technologies and make a recommendation at the next scheduled meeting. Which of the following is a type of single sign-on system? a. Kerberos b. RBAC c. DAC d. SAML

Correct Answer: a - Kerberos Kerberos is a single sign-on system for distributed systems. It is unlike authentication systems such as NT LAN Manager (NTLM) that perform only one-way authentication. It provides mutual authentication for both parties involved in the communication process. Kerberos operates under the assumption that there is no trusted party; therefore, both client and server must be authenticated. After mutual authentication occurs, Kerberos makes use of a ticket stored on the client machine to access network resources. Answers B and C are incorrect because they describe access control models. Answer D describes centralized authentication.

While working as a contractor for Widget, Inc., you are asked what the weakest form of authentication is. What will you say? a. Passwords b. Retina scans c. Facial recognition d. Tokens

Correct Answer: a - Passwords Passwords, which belong to the "something you know" category, are the weakest form of authentication. Although there are many more stringent forms of authentication, passwords remain the most widely used. Passwords are insecure because people choose weak ones, don't change them, and tend to write them down or allow others to gain knowledge of them. If more than one person is using the same password, there is no way to properly execute the audit function, and at this point, loss of security occurs. Passwords are also susceptible to cracking and brute-force attacks.

Which of the following is not one of the three primary types of authentication? a. Something you remember b. Something you know c. Something you are d. Something you have

Correct Answer: a - Something you remember Authentication can be based on one or more of the following three factors:
• Something you know: This could be a password, passphrase, or secret number.
• Something you have: This could be a token, bank debit card, or smart card.
• Something you are: This could be a retina scan, fingerprint, DNA sample, or facial recognition.

Your organization has decided to use a biometric system to authenticate users. If the FAR is high, what happens? a. Legitimate users are denied access to the organization's resources. b. Illegitimate users are granted access to the organization's resources. c. Legitimate users are granted access to the organization's resources. d. Illegitimate users are denied access to the organization's resources.

Correct Answer: b - Illegitimate users are granted access to the organization's resources. FAR (False Acceptance Rate) is the percentage of illegitimate users who are granted access to the organization's resources. Keeping this number low is important to keeping unauthorized individuals out of the company's resources.

Which of the following is not one of the three types of access controls? a. Administrative b. Personnel c. Technical d. Physical

Correct Answer: b - Personnel
Administrative: These controls are composed of the policies and procedures the organization has put in place to prevent problems and to ensure that the technical and physical controls are known, understood, and implemented.
Technical: These controls are used to control access and monitor potential violations. They may be either hardware- or software-based.
Physical: These control systems are used to protect the welfare and safety of the employees and the organization. Physical controls include such items as smoke alarms, security guards, cameras, and mantraps.

Your company has just opened a call center in India to handle nighttime operations, and you are asked to review the site's security controls. Specifically, you are asked which of the following is the strongest form of authentication. What will your answer be? a. Something you know b. Something you are c. Passwords d. Tokens

Correct Answer: b - Something you are Authentication can take one of three forms: something you know, something you have, or something you are. Something you are, such as biometrics, is by far the strongest form of authentication. Systems such as retina and iris scans have high levels of accuracy. The accuracy of a biometric device can be assessed by means of the crossover error rate. Remember: On the exam, questions are sometimes vague, and you will be asked to pick the best available answer.

Auditing is considered what method of access control? a. Preventive b. Technical c. Administrative d. Physical

Correct Answer: c - Administrative Auditing is considered an administrative control. The three types of controls are:
Administrative: These controls are composed of the policies and procedures the organization has put in place to prevent problems and to ensure that the technical and physical controls are known, understood, and implemented.
Technical: These controls are used to control access and monitor potential violations. They may be either hardware- or software-based.
Physical: These control systems are used to protect the welfare and safety of the employees and the organization. Physical controls include such items as smoke alarms, security guards, cameras, and mantraps.

What method of access control system would a bank teller most likely fall under? a. Discretionary b. Mandatory c. Role-based d. Rule-based

Correct Answer: c - Role-based Bank tellers would most likely fall under a role-based access control system. These systems work well for organizations in which employee roles are identical.

Authentication Header (AH)

In Internet Protocol Security (IPsec), a protocol that provides integrity, authentication, and non-repudiation.

Archive

In a Public Key Infrastructure (PKI), an _______ is responsible for long-term storage of archived information from the Certification Authority (CA).

What are the four layers of the Transmission Control Protocol/Internet Protocol (TCP/IP) model?

Layer 1 = Network Access / Link Layer
This layer handles hardware addressing, and the protocols present in this layer allow for the physical transmission of data.
Layer 2 = Internet Layer
This layer defines the protocols responsible for logical transmission of data over the entire network. The main protocols residing in this layer are:
IP (Internet Protocol) - Responsible for delivering packets from the source host to the destination host by looking at the IP addresses in the packet headers. IP has two versions: (1) IPv4 and (2) IPv6.
ICMP (Internet Control Message Protocol) - Encapsulated within IP datagrams and responsible for providing hosts with information about network problems.
ARP (Address Resolution Protocol) - Finds the hardware address of a host from a known IP address. ARP has several types: (1) Reverse ARP, (2) Proxy ARP, (3) Gratuitous ARP, and (4) Inverse ARP.
Layer 3 = Host-to-Host / Transport Layer
This layer is responsible for end-to-end communication and error-free delivery of data. It shields the upper-layer applications from the complexities of data transmission. The two main protocols present in this layer are:
Transmission Control Protocol (TCP) - Provides reliable, error-free communication between end systems. It performs sequencing and segmentation of data, has an acknowledgment feature, and controls the flow of data through a flow control mechanism. It is a very effective protocol but has a lot of overhead due to its features, which leads to increased cost.
User Datagram Protocol (UDP) - Does not provide the features of TCP. It is the go-to protocol if your application does not require reliable transport, as it is very cost-effective. Unlike TCP, which is a connection-oriented protocol, UDP is connectionless.
Layer 4 = Process / Application Layer
This layer is responsible for node-to-node communication and controls user-interface specifications. Some of the protocols present in this layer are: (1) HTTP, (2) HTTPS, (3) FTP, (4) TFTP, (5) Telnet, (6) SSH, (7) SMTP, (8) SNMP, (9) NTP, (10) DNS, (11) DHCP, (12) NFS, (13) X Window, and (14) LPD.
Hypertext Transfer Protocol (HTTP) and Hypertext Transfer Protocol Secure (HTTPS) - Used by the World Wide Web to manage communications between web browsers and servers.
Secure Shell (SSH) - A terminal emulation program similar to Telnet. SSH is preferred because it maintains an encrypted connection. It sets up a secure session over a TCP/IP connection.
Network Time Protocol (NTP) - Used to synchronize the clocks on our computers to one standard time source.

Application Layer (TCP/IP Model)

Layer 4 of the Transmission Control Protocol / Internet Protocol (TCP/IP) model.

Application Layer (Open Systems Interconnection - OSI Model)

Layer 7 of the Open Systems Interconnection (OSI) model.

Administrative Laws

Legal requirements passed by government institutions that define standards of performance and conduct for major industries (such as banking, energy, and healthcare), organizations, and officials.

Access Control List (ACL)

Lists the specific rights and permissions assigned to a subject for a given object.

Augmented Reality (AR)

Technology that produces a composite view by superimposing high-resolution (even 3D) images on a real-world view.

Artificial Intelligence (AI)

The ability of a computer to interact with and learn from its environment, and automatically perform actions without being explicitly programmed.

Audit Trail

The auxiliary records that document transactions and other events.

Accountability

The capability of a system to associate users and processes with their actions.

Access Control

The capability to permit or deny the use of an object (a passive entity, such as a system or file) by a subject (an active entity, such as a person or process).

Annualized Rate of Occurrence (ARO)

The estimated annual frequency of occurrence for a specific threat or event.

Acceptance Testing

The human verification of proper functionality of a software program or system.

Audit

The independent verification of any activity or process.

Address Resolution Protocol (ARP)

The network protocol used to query and discover the MAC address of a device on a Local Area Network (LAN).

Administrative Controls

The policies and procedures that an organization implements as part of its overall information security strategy.

Asset Valuation

The process of assigning a financial or relative value to an organization's information assets.

Authorization (or Establishment)

The process of defining and granting the rights and permissions granted to a subject (what you can do).

Availability

The process of ensuring that systems and data are accessible to authorized users when they need it.

Asset Inventory

The process of tracking assets in an organization.

Authentication

The process of verifying a subject's claimed identity in an access control system.
