Certified Information Systems Security Professional (CISSP) — Questions 976–990

990 questions total · 14 pages · All types, answers revealed


Page 14 of 14

976
Multi-Select · medium

Which THREE of the following are examples of data at rest?

Select 3 answers
A. Data stored on a hard drive
B. Data in an email in transit
C. Data in a database
D. Data on a backup tape
E. Data on a network cable
Answers: A, C, D

Data on a hard drive is at rest.

Why this answer

Data at rest refers to data that is physically stored on a persistent medium and is not currently moving across a network or being processed. Data stored on a hard drive is a classic example because the data resides on a non-volatile storage device, whether it is an internal HDD, SSD, or external drive. The data remains on the medium until it is read, modified, or deleted, and it is typically protected by encryption mechanisms such as BitLocker or FileVault.

Exam trap

The trap here is that candidates often confuse data in a database with data in use or data in motion, but a database stores data persistently on disk, making it data at rest unless it is being actively queried or transferred.

977
MCQ · medium

A SOC analyst at Tier 1 identifies a potential malware infection on a user workstation. What is the next step in the standard incident response process?

A. Update the SIEM correlation rule to ignore similar alerts
B. Escalate the incident to a Tier 2 analyst for further investigation
C. Disconnect the workstation from the network immediately
D. Perform a deep forensic analysis of the workstation
Answer: B

Tier 1 triages and escalates unresolved incidents.

Why this answer

Tier 1 analysts typically triage alerts and escalate if they cannot resolve them.

978
MCQ · hard

During a security assessment, a penetration tester successfully performed a VLAN hopping attack from a host in VLAN 10 to a host in VLAN 20. The switches are configured with IEEE 802.1Q trunking. Which misconfiguration likely allowed this attack?

A. The native VLAN is not used on any trunk ports
B. Spanning Tree Protocol is disabled
C. Port security is disabled on all ports
D. Dynamic Trunking Protocol (DTP) is enabled on access ports
Answer: D

With DTP enabled on an access port, an attacker can send DTP frames to negotiate a trunk, then tag frames to hop VLANs.

Why this answer

D is correct because VLAN hopping attacks exploit Dynamic Trunking Protocol (DTP) to negotiate a trunk link between an attacker's host and a switch port. If DTP is enabled on an access port, the attacker can spoof DTP messages to form a trunk, gaining access to traffic from multiple VLANs, including VLAN 20 from VLAN 10.

Exam trap

ISC2 often tests the distinction between the two types of VLAN hopping (switch spoofing vs. double-tagging), and the trap here is that candidates confuse disabling STP or port security as relevant mitigations, when the core issue is DTP-enabled access ports allowing trunk negotiation.

How to eliminate wrong answers

Option A is wrong because the native VLAN is used on trunk ports by default in IEEE 802.1Q, and not using it would not prevent VLAN hopping; in fact, a misconfigured native VLAN can be exploited for double-tagging attacks, but the question describes a switch spoofing attack, not double-tagging. Option B is wrong because disabling Spanning Tree Protocol (STP) can cause network loops but does not directly enable VLAN hopping; VLAN hopping relies on trunk negotiation, not STP state. Option C is wrong because disabling port security limits MAC address filtering but does not prevent an attacker from negotiating a trunk via DTP; port security is a separate control for MAC flooding and unauthorized devices, not for trunk negotiation.

979
MCQ · medium

A financial institution requires that no single employee can approve a transaction and also reconcile the account. This is an example of which security principle?

A. Separation of duties
B. Least privilege
C. Defense in depth
D. Need to know
Answer: A

Separation of duties prevents any single person from having conflicting responsibilities.

Why this answer

Separation of duties (SoD) is the security principle that prevents a single individual from having conflicting responsibilities, such as both approving a transaction and reconciling the account. This reduces the risk of fraud or error by requiring collusion between two or more people to subvert a process. In a financial system, SoD is enforced through access control mechanisms that assign distinct roles (e.g., 'Transaction Approver' and 'Account Reconciler') with mutually exclusive permissions, often implemented via Role-Based Access Control (RBAC) or attribute-based policies.

Exam trap

The trap here is that candidates confuse 'separation of duties' with 'least privilege' because both involve limiting access, but separation of duties specifically addresses conflicting tasks to prevent fraud, not just minimizing permissions.

How to eliminate wrong answers

Option B (Least privilege) is wrong because it focuses on granting only the minimum permissions necessary to perform a job function, not on preventing conflicts of interest or fraud through role separation. Option C (Defense in depth) is wrong because it describes a layered security strategy using multiple controls (e.g., firewalls, IDS, encryption), not a principle that divides critical tasks among different individuals. Option D (Need to know) is wrong because it restricts access to data based on whether it is required for a specific task, but does not address the segregation of conflicting duties like approval and reconciliation.

980
MCQ · hard

A network architect is designing a secure connection between two data centers across an untrusted WAN. The requirement is to encrypt all traffic and authenticate both endpoints. Which protocol should be used?

A. SSH
B. IPsec tunnel mode
C. MPLS
D. SSL/TLS
Answer: B

IPsec tunnel mode encrypts and authenticates entire packets between gateways.

Why this answer

IPsec tunnel mode is the correct choice because it encrypts the entire IP packet, including the original IP header, and encapsulates it within a new IP header for secure transport across an untrusted WAN. It also provides mutual authentication of both endpoints using IKE (Internet Key Exchange) with pre-shared keys or certificates, satisfying the requirement for encrypting all traffic and authenticating both data centers.

Exam trap

ISC2 often tests the distinction between IPsec tunnel mode and transport mode, and candidates may confuse SSL/TLS (which secures individual sessions) with a full network-layer VPN solution, missing that IPsec tunnel mode is the only option that encrypts all traffic and authenticates both endpoints at the network layer.

How to eliminate wrong answers

Option A is wrong because SSH is a protocol for secure remote login and command execution, not designed for site-to-site VPN encryption of all traffic between networks; it operates at the application layer and cannot encrypt arbitrary IP traffic between two data centers. Option C is wrong because MPLS is a label-switching technology for traffic engineering and QoS, not an encryption protocol; it provides no confidentiality or authentication, and traffic traversing an MPLS WAN is typically sent in the clear unless combined with IPsec or another encryption layer. Option D is wrong because SSL/TLS operates at the transport layer and is designed for securing individual connections (e.g., HTTPS), not for encrypting all IP traffic between two networks; it cannot encapsulate and protect non-TCP/UDP traffic or provide the same level of network-layer authentication and encryption as IPsec tunnel mode.

981
MCQ · hard

A DevSecOps team wants to integrate security into the CI/CD pipeline without slowing down development. Which approach best achieves this?

A. Perform comprehensive security tests only on major releases
B. Conduct a security review after each release and fix issues retrospectively
C. Require manual security sign-off before each production deployment
D. Implement automated security scanning with gating (pass/fail) in the pipeline
Answer: D

Automation provides fast, consistent security checks.

Why this answer

Option D is correct because automated security gates with pass/fail criteria provide fast feedback without manual delays. Option A is wrong because testing only major releases skips testing on most builds and increases risk. Option B is wrong because after-the-fact reviews do not prevent flawed releases from reaching production. Option C is wrong because manual sign-off before each deployment is slow and creates a bottleneck.

982
Multi-Select · medium

An organization is conducting a Business Impact Analysis (BIA) as part of its business continuity planning. Which THREE of the following are essential components of a BIA? (Choose three.)

Select 3 answers
A. Criticality prioritization
B. Recovery Time Objective (RTO)
C. Mean Time Between Failures (MTBF)
D. Single point of failure identification
E. Maximum Tolerable Downtime (MTD)
Answers: A, B, E

Ranking processes by criticality is fundamental to BIA to focus resources.

Why this answer

The correct options are A, B, and E. Recovery Time Objective (RTO) defines the target time to resume operations; Maximum Tolerable Downtime (MTD) defines the total allowable downtime; criticality prioritization ranks processes by importance. Option C (Mean Time Between Failures) is a reliability metric not used in BIA.

Option D (Single point of failure identification) is part of vulnerability assessment, not a direct component of BIA.

983
Multi-Select · medium

A security analyst is identifying incident categories for a new incident response plan. Which TWO of the following are valid incident categories according to standard IR frameworks?

Select 2 answers
A. Change request
B. Denial of Service (DoS)
C. Patch management failure
D. Insider threat
E. Business continuity exercise
Answers: B, D

DoS is a standard incident category.

Why this answer

Common incident categories include Denial of Service, malware, data breach, insider threat, unauthorized access, and social engineering.

984
Multi-Select · medium

An organization is implementing a defense-in-depth strategy for a data center. Which THREE of the following are examples of physical security controls that align with layered defense?

Select 3 answers
A. Antivirus software
B. Intrusion detection system on the network
C. Card reader at building entrance
D. Server cage locks
E. Perimeter fencing
Answers: C, D, E

Card readers control access at the building layer.

Why this answer

Layered physical security includes perimeter fencing, building access controls (e.g., card readers), and internal secure areas (e.g., server cages).

985
Multi-Select · hard

A security team is planning to integrate security testing into the software development lifecycle. They want to identify vulnerabilities early and often. Which TWO of the following testing methods should be implemented during the development phase (before deployment) to catch code-level vulnerabilities?

Select 2 answers
A. Interactive Application Security Testing (IAST)
B. Penetration testing
C. Vulnerability scanning
D. Static Application Security Testing (SAST)
E. Dynamic Application Security Testing (DAST)
Answers: A, D

IAST instruments the application and provides real-time analysis during testing.

Why this answer

SAST (Static Application Security Testing) analyzes source code for vulnerabilities without executing it. IAST (Interactive Application Security Testing) combines SAST and DAST by instrumenting the application and analyzing its runtime behavior during testing. Both are suitable for the development phase.

DAST requires a running application, and penetration testing is usually done later.

986
MCQ · medium

An organization's security policy requires that privileged accounts have their passwords changed every 30 days and be monitored. Which solution effectively manages these requirements?

A. Role-based access control
B. Enterprise password manager
C. Privileged Access Management (PAM) solution
D. Single sign-on for administrators
Answer: C

PAM provides password rotation, vaulting, session monitoring, and audit trails.

Why this answer

A Privileged Access Management (PAM) solution is specifically designed to manage privileged accounts, enforce password rotation policies (e.g., every 30 days), and provide detailed monitoring and auditing of privileged sessions. It automates password changes, vaults credentials, and logs all access, directly meeting the policy requirements for privileged accounts.

Exam trap

The trap here is that candidates confuse a general password manager (Option B) with a PAM solution, overlooking that PAM adds session monitoring, auditing, and just-in-time access for privileged accounts, which are critical for compliance.

How to eliminate wrong answers

Option A is wrong because Role-Based Access Control (RBAC) manages access rights based on roles, not password lifecycle or monitoring of privileged accounts. Option B is wrong because an enterprise password manager typically stores and rotates passwords for general users, but lacks the session monitoring, auditing, and just-in-time access controls required for privileged accounts. Option D is wrong because Single Sign-On (SSO) for administrators simplifies authentication but does not enforce password rotation or provide the granular monitoring and vaulting needed for privileged accounts.

987
MCQ · medium

A security analyst is reviewing access rights and discovers an active account belonging to a former employee who left six months ago. This is an example of:

A. Orphaned account
B. Separation of duties violation
C. Account lockout
D. Privilege escalation
Answer: A

An account without an owner is orphaned.

Why this answer

An orphaned account is one that remains active after the user has left the organization, posing a security risk.

988
MCQ · medium

A security team is conducting a penetration test on a web application. They identify that the application is vulnerable to reflected cross-site scripting (XSS). Which of the following is the most effective mitigation?

A. Using HTTPS to encrypt traffic
B. Implementing a Content Security Policy (CSP) with strict directives
C. Validating input against a whitelist of allowed characters
D. Encoding all user-supplied data before reflecting it in the response
Answer: D

Output encoding (e.g., HTML encoding) is the primary defense against reflected XSS.

Why this answer

Option D is correct because reflecting user-supplied data without proper encoding allows an attacker to inject arbitrary HTML/JavaScript that executes in the victim's browser. Output encoding (e.g., HTML entity encoding, which renders <script> as &lt;script&gt;) neutralizes the injected script by treating it as data rather than executable code. This directly addresses the root cause of reflected XSS: the failure to separate user input from executable content in the response.

Exam trap

The trap here is that candidates often confuse input validation (Option C) with output encoding, but the CISSP emphasizes that output encoding is the definitive control for injection flaws because it ensures data is treated as data regardless of input validation failures.

How to eliminate wrong answers

Option A is wrong because HTTPS encrypts data in transit but does not prevent the server from reflecting malicious input in the response; the XSS payload still executes in the browser after decryption. Option B is wrong because, while CSP can mitigate XSS by restricting script sources, it is a defense-in-depth control rather than the primary mitigation; it can be bypassed if the application reflects user input into inline script contexts or if CSP is misconfigured (e.g., allowing 'unsafe-inline'). Option C is wrong because whitelist-based input validation is useful but does not guarantee safety when data is reflected; an attacker may bypass the whitelist or inject via other input channels, so output encoding is required regardless of input validation.

989
MCQ · medium

An organization wants to test its web application for vulnerabilities by running the application and probing it with malicious inputs. Which tool is BEST suited for this purpose?

A. OWASP ZAP
B. Checkmarx
C. SonarQube
D. Veracode
Answer: A

OWASP ZAP is a DAST tool for testing running web applications.

Why this answer

DAST tools like OWASP ZAP and Burp Suite probe running applications to find vulnerabilities.

990
MCQ · hard

A company's security team uses a tool that instruments the application at runtime to monitor and block attacks. This is an example of:

A. IAST
B. RASP
C. SAST
D. DAST
Answer: B

RASP provides runtime self-protection.

Why this answer

RASP (Runtime Application Self-Protection) integrates with the application to detect and block attacks in real time.
