Mike Chapple - (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests

71 Jim is working with a penetration testing contractor who proposes using Metasploit as part of her penetration testing effort. What should Jim expect to occur when Metasploit is used?Systems will be scanned for vulnerabilities.Systems will have known vulnerabilities exploited.Services will be probed for buffer overflow and other unknown flaws.Systems will be tested for zero-day exploits.

72 Susan needs to ensure that the interactions between the components of her e-commerce application are all handled properly. She intends to verify communications, error handling, and session management capabilities throughout her infrastructure. What type of testing is she planning to conduct?Misuse case testingFuzzingRegression testingInterface testing

73 Jim is designing his organization's log management systems and knows that he needs to carefully plan to handle the organization's log data. Which of the following is not a factor that Jim should be concerned with?The volume of log dataA lack of sufficient log sourcesData storage security requirementsNetwork bandwidth

74 Ryan's organization wants to ensure that proper account management is occurring but does not have a central identity and access management tool in place. Ryan has a limited amount of time to do his verification process. What is his best option to test the account management process as part of an internal audit?Validate all accounts changed in the past 90 days.Select high-value administrative accounts for validation.Validate all account changes in the past 180 days.Validate a random sample of accounts.

75 When a Windows system is rebooted, what type of log is generated?ErrorWarningInformationFailure audit

76 During a review of access logs, Alex notices that Michelle logged into her workstation in New York at 8 a.m. daily but that she was recorded as logging into her department's main web application shortly after 3 a.m. daily. What common logging issue has Alex likely encountered?Inconsistent log formattingModified logsInconsistent timestampsMultiple log sources

77 What type of vulnerability scan accesses configuration information from the systems it is run against as well as information that can be accessed via services available via the network?Authenticated scansWeb application scansUnauthenticated scansPort scansFor questions 78–80, please refer to the following scenario:Ben's organization has begun to use STRIDE to assess its software and has identified threat agents and the business impacts that these threats could have. Now they are working to identify appropriate controls for the issues they have identified.

78 Ben's development team needs to address an authorization issue, resulting in an elevation of privilege threat. Which of the following controls is most appropriate to this type of issue?Auditing and logging are enabled.Role-based access control is used for specific operations.Data type and format checks are enabled.User input is tested against a whitelist.

79 Ben's team is attempting to categorize a transaction identification issue that is caused by use of a symmetric key shared by multiple servers. What STRIDE category should this fall into?Information disclosureDenial of serviceTamperingRepudiation

80 Ben wants to use a third-party service to help assess denial-of-service attack vulnerabilities due the amount of traffic during denial-of-service attacks. What type of engagement should he suggest to his organization?A social engineering engagementA penetration testLoad or stress testingTesting using a fuzzer

81 Chris is troubleshooting an issue with his organization's SIEM reporting. After analyzing the issue, he believes that the timestamps on log entries from different systems are inconsistent. What protocol can he use to resolve this issue?SSHFTPTLSNTP

82 Ryan is considering the use of fuzz testing in his web application testing program. Which one of the following statements about fuzz testing should Ryan consider when making his decision?Fuzzers only find complex faults.Testers must manually generate input.Fuzzers may not fully cover the code.Fuzzers can't reproduce errors.

83 Ken is designing a testing process for software developed by his team. He is designing a test that verifies that every line of code was executed during the test. What type of analysis is Ken performing?Branch coverageCondition coverageFunction coverageStatement coverageFor questions 84–86, please refer to the following scenario. During a port scan, Ben uses nmap's default settings and sees the following results.

84 If Ben is conducting a penetration test, what should his next step be after receiving these results?Connect to the web server using a web browser.Connect via Telnet to test for vulnerable accounts.Identify interesting ports for further scanning.Use sqlmap against the open databases.

85 Based on the scan results, what operating system (OS) was the system that was scanned most likely running?Windows DesktopLinuxNetwork deviceWindows Server

86 Ben's manager expresses concern about the coverage of his scan. Why might his manager have this concern?Ben did not test UDP services.Ben did not discover ports outside the “well-known ports.”Ben did not perform OS fingerprinting.Ben tested only a limited number of ports.

87 Lucca is reviewing his organization's disaster recovery process data and notes that the MTD for the business's main website is two hours. What does he know about the RTO for the site when he does testing and validation?It needs to be less than two hours.It needs to be at least two hours.The MTD is too short and needs to be longer.The RTO is too short and needs to be longer.

88 Diana has engaged third-party auditors and wants to release an audit attestation to third parties without including details of the audit. What type of SSAE 18 SOC report should she request?SOC 1SOC 2SOC 3SOC 4

89 While reviewing the software testing output for her organization's new application, Madhuri notices that the application has produced errors that included directory and file information shown to the web application tester. What issue should she include in her report about the application?It does not perform proper exception handling.The software does not handle misuse case testing properly.Debugging statements need to be removed.The code was not fully tested due to errors.

90 What is the first step that should occur before a penetration test is performed?Data gatheringPort scanningGetting permissionPlanning

91 The president of Josh's company is concerned about a significant increase in cryptographic malware that is impacting other companies in their industry. She has asked John to ensure that the company's data will be recoverable if malware strikes and encrypts their production systems. What process does Josh need to undertake to be able to tell her that the company is covered?Encrypt all sensitive data.Hash all of the organization's data to detect cryptographic malware.Perform backup verification.Use anti-encryption technology to prevent the malware from encrypting drives.

92 Joanna is her organization's CISO, and in her security operations oversight role she wants to ensure that management oversight is happening for security-related changes. What system should she focus on to track this type of data in most organizations?The SIEM systemThe IPS systemThe CMS toolThe ITSM tool

93 Henry wants to validate that his backups are working. Which of the following options is the best way for him to ensure that the backups will be useful in a true disaster recovery scenario?Periodically restore a random file to ensure that the backups are working.Review configurations and settings on a regular schedule to validate backup settings.Review the backup logs to ensure no errors are occurring.Regularly perform full restores from backups to validate their success.

94 What type of vulnerabilities will not be found by a vulnerability scanner?Local vulnerabilitiesService vulnerabilitiesZero-day vulnerabilitiesVulnerabilities that require authentication