Cissp Practice Questions Pdf Answers Key Free Online


CISSP Practice Questions Exam Cram, Third Edition
Michael Gregg

CISSP Practice Questions Exam Cram, Third Edition
Copyright 2013 by Pearson Education, Inc.

All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.

ISBN-13: 978-0-7897-4959-8
ISBN-10: 0-7897-4959-9

Library of Congress Cataloging-in-Publication data is on file.
Printed in the United States of America
First Printing: September 2012

Associate Publisher: Dave Dusthimer
Acquisitions Editor: Betsy Brown
Senior Development Editor: Christopher Cleveland
Managing Editor: Sandra Schroeder
Senior Project Editor: Tonya Simpson
Copy Editor: Sheri Cain
Technical Editors: Shawn Merdinger, Patrick Ramseier
Publishing Coordinator: Vanessa Evans
Multimedia Developer: Timothy Warner
Interior Designer: Gary Adair
Cover Designer: Alan Clements
Compositor: TnT Design, Inc.

Trademarks
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Pearson IT Certification cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Warning and Disclaimer
Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an “as is” basis. The author and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the CD or programs accompanying it.

Bulk Sales
Pearson IT Certification offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information, please contact U.S. Corporate and Government Sales, 1-800-382-3419, [email protected]. For sales outside of the U.S., please contact International Sales, [email protected].

Contents at a Glance
Introduction
Chapter 1: Physical (Environmental) Security
Chapter 2: Access Control
Chapter 3: Cryptography
Chapter 4: Security Architecture and Design
Chapter 5: Telecommunications and Network Security
Chapter 6: Business Continuity and Disaster Recovery Planning
Chapter 7: Legal, Regulations, Investigations, and Compliance
Chapter 8: Software Development Security
Chapter 9: Information Security, Governance, and Risk Management
Chapter 10: Security Operations

Table of Contents
Introduction: Who This Book Is For; What You Will Find in This Book; Hints for Using This Book; Pearson IT Certification Practice Test Engine and Questions on the CD; Need Further Study?
Chapter 1: Physical (Environmental) Security: Practice Questions; Practice Questions (True or False); Practice Questions (Mix and Match); Quick-Check Answer Key; Answers and Explanations
Chapter 2: Access Control: Practice Questions; Practice Questions (True or False); Practice Questions (Mix and Match); Quick-Check Answer Key; Answers and Explanations
Chapter 3: Cryptography: Practice Questions; Practice Questions (True or False); Practice Questions (Mix and Match); Quick-Check Answer Key; Answers and Explanations
Chapter 4: Security Architecture and Design: Practice Questions; Practice Questions (True or False); Practice Questions (Mix and Match); Quick-Check Answer Key; Answers and Explanations
Chapter 5: Telecommunications and Network Security: Practice Questions; Practice Questions (True or False); Practice Questions (Mix and Match); Quick-Check Answer Key; Answers and Explanations
Chapter 6: Business Continuity and Disaster Recovery Planning: Practice Questions; Practice Questions (True or False); Practice Questions (Mix and Match); Quick-Check Answer Key; Answers and Explanations
Chapter 7: Legal, Regulations, Investigations, and Compliance: Practice Questions; Practice Questions (Mix and Match); Quick-Check Answer Key; Answers and Explanations
Chapter 8: Software Development Security: Practice Questions; Practice Questions (True or False); Practice Questions (Mix and Match); Quick-Check Answer Key; Answers and Explanations
Chapter 9: Information Security, Governance, and Risk Management: Practice Questions; Practice Questions (True or False); Practice Questions (Mix and Match); Quick-Check Answer Key; Answers and Explanations
Chapter 10: Security Operations: Practice Questions; Practice Questions (True or False); Practice Questions (Mix and Match); Quick-Check Answer Key; Answers and Explanations

About the Author
As the founder and president of Superior Solutions, Inc., a Houston-based IT security consulting and auditing firm, Michael Gregg has more than 20 years of experience in information security and risk management. He holds two associate’s degrees, a bachelor’s degree, and a master’s degree. Some of the certifications he holds include CISA, CISSP, MCSE, CTT+, A+, N+, Security+, CASP, CCNA, GSEC, CEH, CHFI, CEI, CISM, CGEIT, and SSCP. In addition to his experience performing security audits and assessments, Michael has authored or coauthored more than 15 books, including Certified Ethical Hacker Exam Prep (Que), CISSP Exam Cram 2 (Que), and Security Administrator Street Smarts (Sybex). He is a site expert for TechTarget.com websites, such as SearchNetworking.com. He also serves on their editorial advisory board. His articles have been published on IT websites, and he has been quoted on Fox News and in The New York Times. He has created more than 15 security-related courses and training classes for various companies and universities. Although audits and assessments are where he spends the bulk of his time, teaching and contributing to the written body of IT security knowledge are how Michael believes he can give something back to the community that has given him so much. He is a board member for Habitat For Humanity and, when not working, Michael enjoys traveling and restoring muscle cars.

Dedication
I dedicate this book to those who have been my mentors along the way, because without them, this book would not have been possible.

Acknowledgments
I would like to thank everyone who helped make this project a reality, including Betsy Brown, Chris Cleveland, Shawn Merdinger, Patrick Ramseier, and the entire crew at Pearson.

About the Technical Reviewers
Shawn Merdinger is a security researcher and analyst at the University of Florida Academic Health Center. He has worked with Cisco Systems, 3Com/TippingPoint, and as an independent consultant. His current research focuses on medical device security, and he is the founder of the MedSec group on LinkedIn. Shawn regularly presents original research at security/hacker conferences such as DEFCON, Ph-Neutral, ShmooCon, CONfidence, NoConName, O’Reilly, CSI, IT Underground, CarolinaCon, and SecurityOpus.

Patrick Ramseier is a technical editor and author and manages a team of security and unified access consultants. He has held several management and technical positions in different security companies over the past 18 years and currently works on the Borderless Network Security and Unified Access team for Cisco in the Bay Area, where he leads a senior consulting team covering the entire western United States. Patrick has provided many technical edits/reviews for several major publishing companies, including Pearson Education, McGraw Hill, Wiley, and Sybex. He has a BA in Business Administration and MIS and holds CCNA, CISSP, and CISCP certifications.

We Want to Hear from You!
As the reader of this book, you are our most important critic and commentator. We value your opinion and want to know what we’re doing right, what we could do better, what areas you’d like to see us publish in, and any other words of wisdom you’re willing to pass our way. We welcome your comments. You can email or write to let us know what you did or didn’t like about this book, as well as what we can do to make our books better. Please note that we cannot help you with technical problems related to the topic of this book. When you write, please be sure to include this book’s title and author as well as your name and email address. We will carefully review your comments and share them with the author and editors who worked on the book.

Email: [email protected]
Mail: Dave Dusthimer, Associate Publisher, Pearson IT Certification, 800 East 96th Street, Indianapolis, IN 46240 USA

Reader Services
Visit our website and register this book at www.pearsonitcertification.com/register for convenient access to any updates, downloads, or errata that might be available for this book.
Introduction
Welcome to the CISSP Practice Questions Exam Cram! This book provides you with practice questions, complete with answers and explanations, that help you learn, drill, and review for the CISSP certification exam.

Who This Book Is For
If you have studied the CISSP exam’s content, and you believe that you are ready to put your knowledge to the test but you’re not sure you want to take the actual exam yet, this book is for you! Maybe you have answered other practice questions or unsuccessfully taken the real exam, reviewed, and wanted to do more practice questions before retaking the exam. If so, this book is for you, too! Be aware that the CISSP exam is difficult and challenging; therefore, this book shouldn’t be your only vehicle for CISSP study. Because of the breadth and depth of knowledge needed to successfully pass the CISSP exam, be sure to use plenty of study material and use this book as a drill, review, and practice vehicle. It is recommended that you use this book with the CISSP Exam Cram, Third Edition, by Michael Gregg.

What You Will Find in This Book
This book is all about practice questions. It is divided into the ten domains that you find on the CISSP exam. Each chapter represents a domain, and each chapter has three elements:
Practice Questions: This section includes numerous questions that help you learn, drill, and review.
Quick-Check Answer Key: After you finish answering the questions, you can quickly grade your exam from this section. Only the correct answers are given here. No explanations are offered yet.
Answers and Explanations: This section gives the correct answers and detailed explanations about the content posed in that question. Use this information to learn why an answer is correct and reinforce the content in your mind for exam day.

Hints for Using This Book
Because this book is a paper practice product, you might want to complete its exams on separate pieces of paper so that you can reuse the exams without having previous answers in your way. Also, a rule of thumb across all practice-question products is to make sure that you score into the high 90-percent range in all topics before attempting the actual exam. The higher you score on practice-question products, the better your chances of passing the real exam. Of course, we can’t guarantee that you will receive a passing score on the real exam, but we can offer you plenty of opportunities to practice and assess your knowledge levels before you take the exam.

Pearson IT Certification Practice Test Engine and Questions on the CD
This book’s accompanying CD includes the Pearson IT Certification Practice Test engine, software that displays and grades a set of exam-realistic multiple-choice questions. Using the Pearson IT Certification Practice Test engine, you can either study by going through the questions in Study Mode or take a simulated exam that mimics real exam conditions. The installation process requires two major steps: installing the software and activating the exam. The CD has a recent copy of the Pearson IT Certification Practice Test engine. The practice exam (the database of exam questions) is not on the CD.

Note: The cardboard CD case in the back of this book includes the CD and a piece of paper. The paper lists the activation code for the practice exam associated with this book. Do not lose the activation code. On the opposite side of the paper from the activation code is a unique, one-time-use coupon code for the purchase of the Premium Edition eBook and Practice Test.

Install the Software from the CD
The Pearson IT Certification Practice Test is a Windows-only desktop application. You can run it on a Mac using a Windows virtual machine, but it was built specifically for the PC platform. The minimum system requirements are as follows:
Windows XP (SP3), Windows Vista (SP2), or Windows 7
Microsoft .NET Framework 4.0 client
Microsoft SQL Server Compact 4.0
Pentium-class 1 GHz processor (or equivalent)
512 MB RAM
650 MB disk space plus 50 MB for each downloaded practice exam

The software-installation process is routine compared with other software-installation processes. If you have already installed the Pearson IT Certification Practice Test software from another Pearson product, there is no need for you to reinstall the software. Simply launch the software on your desktop and proceed to activate the practice exam from this book by using the activation code that’s included in the CD sleeve. The following steps outline the installation process:
1. Insert the CD into your PC.
2. The software that automatically runs is the Pearson software to access and use all CD-based features, including the exam engine and the CD-only appendixes. From the main menu, click the Install the Exam Engine option.
3. Respond to Windows prompts, like you would with any typical software-installation process.

The installation process gives you the option to activate your exam with the activation code supplied on the paper in the CD sleeve. This process requires you to establish a Pearson website login. You need this login to activate the exam, so please register when prompted. If you already have a Pearson website login, there is no need to register again; just use your existing login.

Activate and Download the Practice Exam
After the exam engine is installed, you should then activate the exam associated with this book (if you did not do so during the installation process), as follows:
1. Start the Pearson IT Certification Practice Test software from the Windows Start menu or from your desktop shortcut icon.
2. To activate and download the exam associated with this book, from the My Products or Tools tab, select the Activate button.
3. At the next screen, enter the activation key from the paper inside the cardboard CD holder. Once entered, click the Activate button.
4. The activation process downloads the practice exam. Click Next, and then click Finish.

After the activation process is complete, the My Products tab should list your new exam. If you do not see the exam, make sure you have selected the My Products tab on the menu. At this point, the software and practice exam are ready to use. Simply select the exam and click the Open Exam button. To update a particular exam that you have already activated and downloaded, simply select the Tools tab and select the Update Products button. Updating your exams ensures that you have the latest changes and updates to the exam data. If you want to check for updates to the Pearson IT Certification Practice Test exam engine software, simply select the Tools tab and select the Update Application button. This ensures that you are running the latest version of the software engine.

Activating Other Exams
The exam software-installation process, and the registration process, has to happen only once. Then, for each new exam, only a few steps are required. For example, if you buy another new Pearson IT Certification Cert Guide or Cisco Press Official Cert Guide, extract the activation code from the CD sleeve in the back of that book; you don’t even need the CD at this point. From there, all you have to do is start the exam engine (if it’s not still up and running) and perform Steps 2 through 4 from the previous list.

Need Further Study?
If you have a difficult time correctly answering these questions, you probably need further review. Read the sister product to this book, CISSP Exam Cram, Third Edition (by Pearson), for further review.

Chapter 1. Physical (Environmental) Security
Don’t underestimate the challenge of mastering the material in the Physical Security domain.
If you are not a physical security expert and don’t work in this field on a regular basis, give yourself plenty of time to review the concepts. This domain encompasses all areas of physical security, from choosing a site to securing it against natural or man-made disasters. As a CISSP, you must protect not only the company’s assets but also its employees. The following list includes some key areas from this content that you need to master for the CISSP exam:
Crime Prevention Through Environmental Design (CPTED)
Facility design
Fire safety
Electrical security
HVAC
Perimeter security: fences, gates, lighting
Physical access control: transponders, badges, swipe cards, biometric devices
Theft, denial, destruction
Intrusion detection: CCTV, alarms, guards, dogs

Practice Questions

1. Your lab manager is preparing to buy all the equipment that has been budgeted for next year. While reviewing the specifications for several pieces of equipment, he notices that each device has a Mean Time To Repair (MTTR) rating. He asks you what this means. Which of the following is the best response?
A. The MTTR is used to determine the expected time before the repair can be completed. Higher numbers are better.
B. The MTTR is used to determine the expected time before the repair can be completed. Lower numbers are better.
C. The MTTR is used to determine the expected time between failures. Higher numbers are better.
D. The MTTR is used to determine the expected time between failures. Lower numbers are better.
Quick Answer: 22; Detailed Answer: 23

2. Which of the following would you be least likely to find in a data center?
A. Dry pipe fire control
B. Smoke detectors
C. Drop ceilings
D. Surge protection
Quick Answer: 22; Detailed Answer: 23

3. You are asked to serve as a consultant on the design of a new facility. Which of the following is the best location for the server room?
A. Near the outside of the building
B. Near the center of the building
C. In an area that has plenty of traffic so that equipment can be observed by other employees and guests
D. In an area that offers easy access
Quick Answer: 22; Detailed Answer: 23

4. A closed-circuit TV (CCTV) system has been installed to monitor a bank’s ATM. The lighting has been adjusted to prevent dark areas, and the depth of field and degree of focus are appropriate for proper monitoring. However, the guard has asked if it would be possible to provide greater width to the area being monitored to permit a subject to be captured for a longer stretch of time. Which adjustment is needed?
A. Decrease the focal length
B. Increase the focal length
C. Decrease the iris
D. Increase the iris
Quick Answer: 22; Detailed Answer: 23

5. When you’re choosing the physical location for a new facility, which of the following should you not avoid?
A. Airport flight paths
B. Chemical refineries
C. Railway freight lines
D. Hospitals
Quick Answer: 22; Detailed Answer: 23

6. Which one of the following is not one of the three main types of fire-detection systems?
A. Heat sensing
B. Flame sensing
C. CO2 sensing
D. Smoke sensing
Quick Answer: 22; Detailed Answer: 23

7. Above what concentration is Halon considered toxic when inhaled?
A. 5 percent
B. 6 percent
C. 10 percent
D. 15 percent
Quick Answer: 22; Detailed Answer: 23

8. What height of fence is required to deter determined intruders?
A. 4 feet
B. 5 feet
C. 8 feet
D. 6 feet
Quick Answer: 22; Detailed Answer: 24

9. Superior Solutions, Inc., has acquired a contract for the upgrade of a local manufacturer’s fire-suppression system. The client wants to find suitable replacements for its Halon fire-suppression system. Which of the following is not a suitable replacement?
A. Argon
B. Hydrogen bromide
C. Inergen
D. FM-200
Quick Answer: 22; Detailed Answer: 24

10. You are asked to review the design of your organization’s new data center. The proposed data center will be unmanned and typically will not have anyone working inside. With this in mind, which of the following fire-suppression methods works by removing the oxygen element?
A. Soda acid
B. CO2
C. Water
D. NO2
Quick Answer: 22; Detailed Answer: 24

11. You are asked to sit in on a meeting with the design team working on the new security data center. Because this facility will have extremely high security, you are concerned about having the appropriate type of fence in place. There will be limited access to this facility, and Class IV gates will be used. What is the correct specification for this perimeter barrier?
A. 2-inch mesh, 9 gauge
B. 3/8-inch mesh, 11 gauge
C. 1-inch mesh, 9 gauge
D. 2-inch mesh, 6 gauge
Quick Answer: 22; Detailed Answer: 24

12. Which of the following is a major drawback of the decision to use security guards as a form of physical deterrent?
A. Schedule
B. Salary and benefits
C. Liability
D. Culpability
Quick Answer: 22; Detailed Answer: 24

13. You are asked to create the new company policy on emergency response and training. You want to make sure that the policy defines how employees are trained to deal with fire drills. Which of the following is the best way to carry out emergency fire drills?
A. Fire drills should be timed to correspond with company breaks.
B. Fire drills should be a scheduled event that all employees are told about.
C. Fire drills should be a random event that the employees are unaware of before the event.
D. Fire drills are an unnecessary event that cuts into employee work time, thereby reducing productivity.
Quick Answer: 22; Detailed Answer: 24

14. Which of the following replacements for Halon has been recommended by the EPA?
A. Argon
B. FM-200
C. Inergen
D. FM-300
Quick Answer: 22; Detailed Answer: 24

15. You are put in charge of the new semiconductor facility, and your boss is concerned about ESD. To protect sensitive equipment from ESD damage, the humidity should be kept at what level?
A. 10–20 percent
B. 20–40 percent
C. 40–60 percent
D. 60–80 percent
Quick Answer: 22; Detailed Answer: 24

16. You are asked to secure the operations of a South American electronics production plant. Because of rising energy prices, this small country has been plagued with power problems over the past several years. One major problem has been the fluctuation of power to greater-than-normal levels. Which of the following best describes this event?
A. Faults and blackouts
B. Spikes and surges
C. Sags and brownouts
D. Noise and EMI
Quick Answer: 22; Detailed Answer: 25

17. You are placed in charge of a small room full of servers. Which of the following is the best protection against brownouts and temporary power loss?
A. RAID
B. Surge protectors
C. UPS
D. Voltage regulators
Quick Answer: 22; Detailed Answer: 25

18. Your manager wants to know which of the following you, as a CISSP, would rank as the item of highest priority. How should you answer?
A. Duty to the (ISC)² code of ethics
B. Duty to protect company assets
C. Duty to company policy
D. Duty to public safety
Quick Answer: 22; Detailed Answer: 25

19. Which of the following is the specification for Halon that can be used as a gas agent?
A. Halon 2800
B. Halon 1625
C. Halon 1311
D. Halon 1301
Quick Answer: 22; Detailed Answer: 25

20. What class of fire suppression should be used against chemical or grease fires?
A. Class A
B. Class B
C. Class C
D. Class D
Quick Answer: 22; Detailed Answer: 25

21. Which of the following is classified as an ASTM Class II gate?
A. Commercial
B. Industrial
C. Residential
D. Restricted access
Quick Answer: 22; Detailed Answer: 25

22. Which of the following heat-activated fire-detection systems provides the fastest warning time?
A. Fixed temperature
B. Rate of rise
C. Photoelectric
D. Piezoelectric
Quick Answer: 22; Detailed Answer: 25

23. Which of the following physical security practices is the best security solution implementation?
A. Placing a Halon fire extinguisher system in the new cafeteria.
B. Erecting parking-lot lighting on poles in the center of periodic islands, on which trees have been planted for beautification.
C. Installing emergency-exit fire doors that fail-close in the event of a power failure and that have push panic bars for emergency release.
D. Placing outside windows in a data center looking at the parking lot so that employees can see their vehicles.
Quick Answer: 22; Detailed Answer: 25

24. Because of an upturn in business, your company has started running a second shift. Some of the line workers complain to your boss that it is very dark in the parking lot. He advises you to investigate the purchase and installation of new exterior lighting. What level of illumination does NIST recommend for lighting critical areas?
A. Two foot-candles at a height of 8 feet
B. Two foot-candles at a height of 10 feet
C. Four foot-candles at a height of 8 feet
D. Four foot-candles at a height of 6 feet
Quick Answer: 22; Detailed Answer: 25

25. Why is Halon no longer being produced or sold?
A. It has been found to cause cancer in laboratory animals.
B. The base components in Halon are considered rare. This has resulted in a massive price increase. Other options are now much cheaper.
C. Its use was banned because it was an ozone-depleting agent.
D. Its use was banned because it is considered a dual-use technology that can be used to produce weapons.
Quick Answer: 22; Detailed Answer: 25

26. Which of the following fits in the category of power degradation?
A. Blackouts
B. Spikes
C. Brownouts
D. Surge
Quick Answer: 22; Detailed Answer: 25

27. What is a critical consideration when discussing physical security?
A. Guard dogs
B. Layered access control
C. Fences
D. CCTV
Quick Answer: 22; Detailed Answer: 26

28. Which of the following statements about CCTV is not true?
A. CCTV is a good example of a deterrent system.
B. CCTV is a good example of an automated intrusion detection system.
C. CCTV is effective at deterring security violations.
D. CCTV is a good example of a detection system.
Quick Answer: 22; Detailed Answer: 26

29. Which of the following best describes piggybacking?
A. The act of stealing someone’s access card to gain access later
B. The act of watching over someone’s shoulder to steal a password for later use
C. The act of following someone through a secured door to gain unauthorized access
D. The act of spoofing someone’s identity to gain unauthorized access
Quick Answer: 22; Detailed Answer: 26

30. What class of fire suppression should be used against electrical fires, such as computers or electronic equipment?
A. Class E
B. Class D
C. Class C
D. Class B
Quick Answer: 22; Detailed Answer: 26

31. What is one of the largest drawbacks of using guard dogs as a physical security control?
A. Care
B. Liability
C. Investment
D. Training
Quick Answer: 22; Detailed Answer: 26

32. Controlled humidity is important in preventing ESD. What level of static discharge is the approximate amount required to destroy data on hard drives?
A. 100 static volts
B. 500 static volts
C. 1,000 static volts
D. 1,500 static volts
Quick Answer: 22; Detailed Answer: 26

33. While you are consulting for TrayTec, Inc., an employee approaches you with a question. Which of the following would you say is not a reason to put a raised floor in the server room?
A. For increased airflow
B. To allow easy access to cables
C. To prevent damage to equipment in case of a flood or water leak
D. To isolate equipment from harmful vibrations
Quick Answer: 22; Detailed Answer: 26

34. Which of the following water-suppression systems contains compressed air or nitrogen?
A. Wet pipe
B. Dry pipe
C. Deluge system
D. Preaction system
Quick Answer: 22; Detailed Answer: 26

35. Doors with automatic locks can serve as a good form of physical protection. These doors can be configured to respond to power outages in either a fail-safe or fail-secure condition. Which of the following describes fail-safe?
A. If a loss of power occurs, the door opens automatically.
B. If a loss of power occurs, the door remains locked.
C. In case of a power outage, the door has a BPS and continues to operate normally.
D. In case of a power outage, the door will lock but can be opened with a passkey.
Quick Answer: 22; Detailed Answer: 26

36. What is a special type of identification device that does not require action by users because the user only needs to have it passed close to the ID device?
A. Biometric systems
B. Access control badges
C. Proximity badges
D. CCTV
Quick Answer: 22; Detailed Answer: 26

37. What type of attack relies on the trusting nature of employees and the art of deception?
A. Hijacking
B. Social engineering
C. Spoofing
D. Deception
Quick Answer: 22; Detailed Answer: 26

38. Which of the following is not a valid fire-suppression system?
A. Wet pipe
B. Dry pipe
C. Reaction system
D. Deluge system
Quick Answer: 22; Detailed Answer: 27

39. You are hired to consult for TrayTec, a small manufacturing firm. This firm is preparing to construct a data center. What is the recommended temperature for rooms containing computer equipment?
A. 50–65 degrees Fahrenheit
B. 60–75 degrees Fahrenheit
C. 65–85 degrees Fahrenheit
D. 70–85 degrees Fahrenheit
Quick
