Mike Chapple - (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests


(ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests: summary, description and annotation


Full-length practice tests covering all CISSP domains for the ultimate exam prep

The (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests is a major resource for (ISC)2 Certified Information Systems Security Professional (CISSP) candidates, providing 1300 unique practice questions. The first part of the book provides 100 questions per domain. You also have access to four unique 125-question practice exams to help you master the material. As the only official practice tests endorsed by (ISC)2, this book gives you the advantage of full and complete preparation. These practice tests align with the 2021 version of the exam to ensure up-to-date preparation, and are designed to cover what you will see on exam day. Coverage includes: Security and Risk Management, Asset Security, Security Architecture and Engineering, Communication and Network Security, Identity and Access Management (IAM), Security Assessment and Testing, Security Operations, and Software Development Security.

The CISSP credential signifies a body of knowledge and a set of guaranteed skills that put you in demand in the marketplace. This book is your ticket to achieving this prestigious certification, by helping you test what you know against what you need to know.

- Test your knowledge of the 2021 exam domains
- Identify areas in need of further study
- Gauge your progress throughout your exam preparation
- Practice test taking with Sybex’s online test environment containing the questions from the book

The CISSP exam is refreshed every few years to ensure that candidates are up-to-date on the latest security topics and trends. Currently-aligned preparation resources are critical, and periodic practice tests are one of the best ways to truly measure your level of understanding.

(ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests: preview excerpt


92. What type of authorization mechanism is shown in the following chart?
A. RBAC
B. ABAC
C. MAC
D. DAC

93. Susan is troubleshooting Kerberos authentication problems with symptoms including TGTs that are not accepted as valid and an inability to receive new tickets. If the system she is troubleshooting is properly configured for Kerberos authentication, her username and password are correct, and her network connection is functioning, what is the most likely issue?
A. The Kerberos server is offline.
B. There is a protocol mismatch.
C. The client's TGTs have been marked as compromised and de-authorized.
D. The Kerberos server and the local client's time clocks are not synchronized.

94. Brian wants to explain the benefits of an on-premise federation approach for identity to his organization's leadership. Which of the following is not a common benefit of a federated identity system?
A. Ease of account management
B. Single sign-on
C. Prevention of brute-force attacks
D. Increased productivity

95. The bank that Aaron works for wants to allow customers to use a new add-on application from a third-party partner they are working with. Since not every customer will want or need an account, Aaron has suggested that the bank use a SAML-based workflow that creates an account when a user downloads the app and tries to log in. What type of provisioning system has he suggested?
A. JIT
B. OpenID
C. OAuth
D. Kerberos

96. What authentication protocol does Windows use by default for Active Directory systems?
A. RADIUS
B. Kerberos
C. OAuth
D. TACACS+

97. Valerie needs to control access to applications that are deployed to mobile devices in a BYOD environment. What type of solution will best allow her to exercise control over the applications while ensuring that they do not leave remnant data on the devices used by her end users?
A. Deploy the applications to the BYOD devices and require unique PINs on every device.
B. Deploy the application to desktop systems and require users to use remote desktop to access them using enterprise authentication.
C. Deploy the applications to the BYOD devices using application containers and require unique PINs on every device.
D. Use a virtual hosted application environment that requires authentication using enterprise credentials.

98. Match the following authorization mechanisms with their descriptions:
1. Role-BAC
2. Rule BAC
3. DAC
4. ABAC
5. MAC
A. An access control model enforced by the operating system.
B. Permissions or rights are granted based on parameters like an IP address, time, or other specific details that match requirements.
C. Sometimes called policy-based access control, this model uses information about the subject to assign permissions.
D. A model where subjects with the proper rights can assign or pass those rights to other subjects.
E. Used to assign permissions based on job or function.

99. Match each of the numbered authentication techniques with the appropriate lettered category. Each technique should be matched with exactly one category. Each category may be used once, more than once, or not at all.
Authentication technique
1. Password
2. ID card
3. Retinal scan
4. Smartphone token
5. Fingerprint analysis
Category
A. Something you have
B. Something you know
C. Something you are

100. Match the following identity and access controls with the asset type they are best suited to protect. Each only has one option.
1. Information assets
2. Systems
3. Mobile devices
4. Facilities
5. Partner applications
A. Discretionary access controls
B. Badge readers
C. Federated identity management
D. Biometric authentication
E. User accounts with multifactor authentication

Chapter 6 Security Assessment and Testing (Domain 6)

SUBDOMAINS:

6.1 Design and validate assessment, test, and audit strategies

6.2 Conduct security control testing

6.3 Collect security process data (e.g. technical and administrative)

6.4 Analyze test output and generate report

6.5 Conduct or facilitate security audits

1. During a port scan, Susan discovers a system running services on TCP and UDP 137–139 and TCP 445, as well as TCP 1433. What type of system is she likely to find if she connects to the machine?
A. A Linux email server
B. A Windows SQL server
C. A Linux file server
D. A Windows workstation

2. Which of the following is a method used to automatically design new software tests and to ensure the quality of tests?
A. Code auditing
B. Static code analysis
C. Regression testing
D. Mutation testing

3. During a port scan, Naomi found TCP port 443 open on a system. Which tool is best suited to scanning the service that is most likely running on that port?
A. zzuf
B. Nikto
C. Metasploit
D. sqlmap

4. What message logging standard is commonly used by network devices, Linux and Unix systems, and many other enterprise devices?
A. Syslog
B. Netlog
C. Eventlog
D. Remote Log Protocol (RLP)

5. Alex wants to use an automated tool to fill web application forms to test for format string vulnerabilities. What type of tool should he use?
A. A black box
B. A brute-force tool
C. A fuzzer
D. A static analysis tool

6. Susan needs to scan a system for vulnerabilities, and she wants to use an open source tool to test the system remotely. Which of the following tools will meet her requirements and allow vulnerability scanning?
A. Nmap
B. OpenVAS
C. MBSA
D. Nessus

7. Morgan is implementing a vulnerability management system that uses standards-based components to score and evaluate the vulnerabilities it finds. Which of the following is most commonly used to provide a severity score for vulnerabilities?
A. CCE
B. CVSS
C. CPE
D. OVAL

8. Jim has been contracted to perform a penetration test of a bank's primary branch. To make the test as real as possible, he has not been given any information about the bank other than its name and address. What type of penetration test has Jim agreed to perform?
A. A crystal-box penetration test
B. A gray-box penetration test
C. A black-box penetration test
D. A white-box penetration test

9. In a response to a request for proposal, Susan receives an SSAE 18 SOC report. If she wants a report that includes operating effectiveness detail, what should Susan ask for as follow-up and why?
A. A SOC 2 Type II report, because Type I does not cover operating effectiveness
B. A SOC 1 Type I report, because SOC 2 does not cover operating effectiveness
C. A SOC 2 Type I report, because SOC 2 Type II does not cover operating effectiveness
D. A SOC 3 report, because SOC 1 and SOC 2 reports are outdated

10. During a wireless network penetration test, Susan runs aircrack-ng against the network using a password file. What might cause her to fail in her password-cracking efforts?
A. Using WPA2 encryption
B. Running WPA2 in Enterprise mode
C. Using WEP encryption
D. Running WPA2 in PSK mode

11. A zero-day vulnerability is announced for the popular Apache web server in the middle of a workday. In Jacob's role as an information security analyst, he needs to quickly scan his network to determine what servers are vulnerable to the issue. What is Jacob's best route to quickly identify vulnerable systems?
A. Immediately run Nessus against all of the servers to identify which systems are vulnerable.
B. Review the CVE database to find the vulnerability information and patch information.
C. Create a custom IDS or IPS signature.
D. Identify affected versions and check systems for that version number using an automated scanner.

12. What type of testing is used to ensure that separately developed software modules properly exchange data?
A. Fuzzing
B. Dynamic testing
C. Interface testing
D. API checksums

13. Selah wants to provide security assessment information to customers who want to use her organization's cloud services. Which of the following options should she select to ensure that the greatest number of customers are satisfied with the assessment information?
A. Use an internal audit team to self-assess against internal metrics.
B. Use a third-party auditor.
C. Use internal technical staff who know the systems.
D. Use an internal audit team to self-assess against a common standard like COBIT.

14. Yasmine has been asked to consider a breach and attack simulation system. What type of system should she look for?
A. A ticket and change management system designed to help manage incidents
B. A system that runs incident response simulations for blue teams to test their skills
C. A system that combines red and blue team techniques with automation
D. A security operations and response (SOAR) system
