CISSP - Question Bank 12

Test your knowledge of CISSP with these multiple choice questions. Each Question Bank includes 20 practice questions that have been designed to measure your knowledge of key ideas.

A key factor to keep in mind is that guessing is better than not answering a question.

Every single question on the CISSP exam is a four-option multiple choice question with a single correct answer. Some are straightforward, such as asking you to select a definition. Some are a bit more involved, such as asking you to select the appropriate concept or best practice. And some questions present you with a scenario or situation and ask you to select the best response.


Q1. What is system certification?

A. Formal acceptance of a stated system configuration
B. A technical evaluation of each part of a computer system to assess its compliance with security standards
C. A functional evaluation of the manufacturer’s goals for each hardware and software component to meet integration standards
D. A manufacturer’s certificate stating that all components were installed and configured correctly

The Correct Answer is B.
Explanation: A system certification is a technical evaluation. Option A describes system accreditation. Options C and D refer to manufacturer standards, not implementation standards.

Q2. What is system accreditation?

A. Formal acceptance of a stated system configuration
B. A functional evaluation of the manufacturer’s goals for each hardware and software component to meet integration standards
C. Acceptance of test results that prove the computer system enforces the security policy
D. The process to specify secure communication between machines

The Correct Answer is A.
Explanation: Accreditation is the formal acceptance process. Option B is not an appropriate answer because it addresses manufacturer standards. Options C and D are incorrect because there is no way to prove that a configuration enforces a security policy, and accreditation does not entail specifying secure communication.

Q3. What is a closed system?

A. A system designed around final, or closed, standards
B. A system that includes industry standards
C. A proprietary system that uses unpublished protocols
D. Any machine that does not run Windows

The Correct Answer is C.
Explanation: A closed system is one that uses largely proprietary or unpublished protocols and standards. Options A and D do not describe any particular systems, and Option B describes an open system.

Q4. Which best describes a confined process?

A. A process that can run only for a limited time
B. A process that can run only during certain times of the day
C. A process that can access only certain memory locations
D. A process that controls access to an object

The Correct Answer is C.
Explanation: A confined (constrained) process is one that can access only certain memory locations. Options A, B, and D do not describe a confined process.

Q5. What is an access object?

A. A resource a user or process wishes to access
B. A user or process that wishes to access a resource
C. A list of valid access rules
D. The sequence of valid access types

The Correct Answer is A.
Explanation: An object is a resource a user or process wishes to access. Option A describes an access object.

Q6. What is a security control?

A. A security component that stores attributes that describe an object
B. A document that lists all data classification types
C. A list of valid access rules
D. A mechanism that limits access to an object

The Correct Answer is D.
Explanation: A control limits access to an object to protect it from misuse by unauthorized users.

Q7. For what type of information system security accreditation are the applications and systems at a specific, self-contained location evaluated?

A. System accreditation
B. Site accreditation
C. Application accreditation
D. Type accreditation

The Correct Answer is B.
Explanation: The applications and systems at a specific, self-contained location are evaluated for DITSCAP and NIACAP site accreditation.

Q8. How many major categories do the TCSEC criteria define?

A. Two
B. Three
C. Four
D. Five

The Correct Answer is C.
Explanation: TCSEC defines four major categories: Category A is verified protection, category B is mandatory protection, category C is discretionary protection, and category D is minimal protection.

Q9. What is a trusted computing base (TCB)?

A. Hosts on your network that support secure transmissions
B. The operating system kernel and device drivers
C. The combination of hardware, software, and controls that work together to enforce a security policy
D. The software and controls that certify a security policy

The Correct Answer is C.
Explanation: The TCB is the part of your system you can trust to support and enforce your security policy.

Q10. What is a security perimeter? (Choose all that apply.)

A. The boundary of the physically secure area surrounding your system
B. The imaginary boundary that separates the TCB from the rest of the system
C. The network where your firewall resides
D. Any connections to your computer system

The Correct Answers are A and B.
Explanation: Although the most correct answer in the context of this chapter is B, option A is also a correct answer in the context of physical security.

Q11. What part of the TCB validates access to every resource prior to granting the requested access?

A. TCB partition
B. Trusted library
C. Reference monitor
D. Security kernel

The Correct Answer is C.
Explanation: Options A and B are not valid TCB components. Option D, the security kernel, is the collection of TCB components that work together to implement the reference monitor functions.

Q12. What is the best definition of a security model?

A. A security model states policies an organization must follow.
B. A security model provides a framework to implement a security policy.
C. A security model is a technical evaluation of each part of a computer system to assess its concordance with security standards.
D. A security model is the process of formal acceptance of a certified configuration.

The Correct Answer is B.
Explanation: Option B is the only option that correctly defines a security model. Options A, C, and D define part of a security policy and the certification and accreditation process.

Q13. Which security models are built on a state machine model?

A. Bell-LaPadula and Take-Grant
B. Biba and Clark-Wilson
C. Clark-Wilson and Bell-LaPadula
D. Bell-LaPadula and Biba

The Correct Answer is D.
Explanation: The Bell-LaPadula and Biba models are built on the state machine model.

Q14. Which security model(s) address(es) data confidentiality?

A. Bell-LaPadula
B. Biba
C. Clark-Wilson
D. Both A and B

The Correct Answer is A.
Explanation: Only the Bell-LaPadula model addresses data confidentiality. The other models address data integrity.

Q15. Which Bell-LaPadula property keeps lower-level subjects from accessing objects with a higher security level?

A. * (star) Security Property
B. No write up property
C. No read up property
D. No read down property

The Correct Answer is C.
Explanation: The no read up property, also called the Simple Security Property, prohibits subjects from reading an object at a higher security level.

Q16. What is a covert channel?

A. A method that is used to pass information and that is not normally used for communication
B. Any communication used to transmit secret or top secret data
C. A trusted path between the TCB and the rest of the system
D. Any channel that crosses the security perimeter

The Correct Answer is A.
Explanation: A covert channel is any method that is used to secretly pass data and that is not normally used for communication. All of the other options describe normal communication channels.

Q17. What term describes an entry point that only the developer knows about into a system?

A. Maintenance hook
B. Covert channel
C. Buffer overflow
D. Trusted path

The Correct Answer is A.
Explanation: An entry point into a system that only the developer knows about is a maintenance hook, or back door.

Q18. What is the time-of-check?

A. The length of time it takes a subject to check the status of an object
B. The time at which the subject checks on the status of the object
C. The time at which a subject accesses an object
D. The time between checking and accessing an object

The Correct Answer is B.
Explanation: Option B defines the time-of-check (TOC), which is the time at which a subject verifies the status of an object.

Q19. How can electromagnetic radiation be used to compromise a system?

A. Electromagnetic radiation can be concentrated to disrupt computer operation.
B. Electromagnetic radiation makes some protocols inoperable.
C. Electromagnetic radiation can be intercepted.
D. Electromagnetic radiation is necessary for some communication protocol protection schemes to work.

The Correct Answer is C.
Explanation: If a receiver is in close enough proximity to an electromagnetic radiation source, the radiation can be intercepted and the information it carries recovered.

Q20. What is the most common programmer-generated security flaw?

A. TOCTTOU vulnerability
B. Buffer overflow
C. Inadequate control checks
D. Improper logon authentication

The Correct Answer is B.
Explanation: By far, the buffer overflow is the most common, and most avoidable, programmer-generated vulnerability.

Copyright © 2018 | All Rights Reserved | Designed & Developed by Yeahhub.com