10 Question Challenge CISSP Questions and Solutions
1. Which of the following would be the most important factor for a successful IT security program in an organization?
A. Security policies are custom written for the organization, all employees are annually trained, and all agree to the security policies.
B. Strong support from the Chief Information Security Officer and other senior leadership.
C. The newest Anti-Virus, Firewalls and Intrusion Prevention Systems are all installed with the latest updates.
D. A highly skilled threat management team that proactively scans for vulnerabilities.
Answer: B, Strong support from the Chief Information Security Officer and other senior leadership.
Strong support from senior leadership is always the most critical factor to the success of any IT security program. The other answers are great things to have, but without leadership to support the personnel, policies, and technical controls, the program won’t receive the attention and monetary backing it requires.
2. Your company is purchasing a new timekeeping system. The software will need to be installed on servers in your virtual infrastructure. What is an example of providing due care for the new timekeeping system?
A. Perform a risk assessment on the timekeeping software prior to being implemented.
B. Have the legal department review and approve the contracts before signing.
C. Hire a 3rd party company to perform a penetration test on the timekeeping system before the go-live.
D. Ensure the servers stay patched after the timekeeping software is installed.
Answer: D, Ensure the servers stay patched after the timekeeping software is installed.
Due care primarily takes place after a system has been implemented. Keeping a server patched is a good example of due care, while a risk assessment, penetration test, and contract review are examples of due diligence.
3. An asset manager is disposing of old hard drives that have held sensitive information. She is concerned about data remanence. Which of the following scenarios best illustrates a risk related to data remanence?
A. The asset manager zeros out the hard drives then has them shredded. She gives samples of the shredded hard drives to a forensic scientist who confirms no data is recoverable.
B. The asset manager degausses the hard drives, verifies they are unreadable, and dumps them at the local electronic recycling company.
C. The asset manager formats the hard drives and dumps them at the local electronic recycling company.
D. The asset manager formats the hard drives and gives them to the desktop support team to use in desktop computers within the company.
Answer: C, The asset manager formats the hard drives and dumps them at the local electronic recycling company.
Data remanence is the data left behind after an attempt to wipe it. Example C is correct because a format does not completely wipe a hard drive, so there is now data remanence outside the custody of the asset manager. Examples A and B show successful wipes with no data remanence. In example D, there may be data accessible on the hard drives after the format; however, there is no risk because the drives stay within the company.
4. A solutions architect is working on a project to implement a virtual infrastructure to house a web application that will be accessible from the internet. How could the new solution best be designed securely?
A. From the outset, invite IT security personnel to contribute to the project.
B. Interview the stakeholders and identify risks they are concerned with.
C. Design a solution using industry best practices.
D. Build the system and have IT security perform a vulnerability assessment.
Answer: A, From the outset, invite IT security personnel to contribute to the project.
Inviting IT security personnel from the outset will provide the highest likelihood of creating a secure solution. Interviewing the stakeholders is important, but they will not be up to date as far as IT security trends and solutions are concerned. Designing the solution using best practices is a good starting point, but every solution needs to be custom tailored to the business using it. A vulnerability assessment should be performed, but if IT security is included at the outset, fewer vulnerabilities are likely.
5. A software company regularly posts new versions of their software publicly for download. The company also lists the MD5 hash value next to the download link. What is the software company concerned about that would cause them to post a hash value?
Answer: D, Integrity
An MD5 hash value can be used to verify the integrity of a file or set of data. If one bit is different, the hash value will be completely changed. Authorization verifies that an object is allowed access to a file or data. Availability allows authorized users to access information. Confidentiality involves limiting information access to authorized personnel only.
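The integrity check described above, as an added example that is not part of the original quiz: a user recomputes the hash of the downloaded file and compares it with the published value, and flipping a single bit of the (constructed) package shows how completely the digest changes. Note that MD5 is no longer collision-resistant, so a vendor publishing hashes today should prefer SHA-256; the check below is written so the algorithm can be swapped.

```python
import hashlib

# Constructed stand-in for a downloadable software package.
PACKAGE = b"timekeeper-1.0.0 installer bytes (constructed sample)\n" * 8


def file_hash(data: bytes, algorithm: str = "md5") -> str:
    """Return the hex digest of data; 'md5' matches the quiz, 'sha256' is the modern choice."""
    return hashlib.new(algorithm, data).hexdigest()


def verify_download(data: bytes, published_hash: str, algorithm: str = "md5") -> bool:
    """The check a user runs after downloading: does the recomputed digest match the
    value the vendor posted next to the download link?"""
    return file_hash(data, algorithm) == published_hash.strip().lower()


def flip_one_bit(data: bytes, byte_index: int = 0, bit: int = 0) -> bytes:
    """Return a copy of data with exactly one bit changed (simulates corruption or tampering)."""
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Count how many of the digest bits differ between two hex digests of equal length."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


if __name__ == "__main__":
    published = file_hash(PACKAGE)                 # what the vendor would publish
    print(verify_download(PACKAGE, published))     # intact download passes
    tampered = flip_one_bit(PACKAGE)
    print(verify_download(tampered, published))    # one changed bit fails
    # A single input bit changes roughly half of the 128 digest bits.
    print(differing_bits(published, file_hash(tampered)))
```

The published hash only provides integrity if it is obtained from a channel the user trusts separately from the download itself, such as a TLS-protected vendor page or a signed release note.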
6. A newly hired Security Architect is reviewing the current remote access solution. He discovers that there is an SSL VPN configured to allow all employees to log in remotely. The Security Architect interviews the department heads and discovers that only two departments use the VPN for three unique applications. What method would both satisfy the needs of the two departments and be more secure?
A. Advertise the three apps only to the users who need them.
B. Restrict the VPN connection to the two departments that need it.
C. Implement multifactor authentication by issuing RSA tokens to all employees.
D. Whitelist MAC addresses of devices that will be using the VPN.
Answer: A, Advertise the three apps only to the users who need them.
Advertising only the three apps to users who need them is the best way to securely meet the needs of the two departments. Instead of completely joining the corporate network, they will only be able to access exactly what they need in a secure method. While the other options are all more secure than the current solution, they are not as effective as the virtual app solution.
7. A server administrator has been tasked with securing a directory on a server that contains sensitive financial information. There are 10 users that need full access to this folder and nobody else should be able to access it. What is the best logical access control to implement to obtain this goal?
A. Move the files onto a desktop workstation, lock it in a secure room, and give keys to the 10 people who need access.
B. Create an active directory group for the 10 users and give that group exclusive permissions to the folder.
C. Remove all permissions to the folder, then assign the 10 users full access to the folder.
D. Remove all permissions on the folder and assign domain administrator rights to the 10 users who need access.
Answer: B, Create an active directory group for the 10 users and give that group exclusive permissions to the folder.
Creating an active directory group to manage permissions is an effective way to maintain secure and exclusive permissions to an object. Moving the files to a workstation in a separate physical room would be very inefficient. You could assign the users individually, but using a group is easier to manage and track. Assigning domain administrator rights would cause subsequent security risks because the 10 users would then have access to the entire domain, not just the folder, even where they are not authorized to do so.
8. You are an account administrator. A department manager has come to you complaining that a former employee of hers is still accessing sensitive information that only her department has permission to view. The employee was not fired but moved roles onto a different team. This is a recurring issue: employees switch roles and/or departments and gain new access rights, but retain their old rights as well. Which term best describes this situation?
A. Least Privilege
B. Mandatory Access Control
C. Discretionary Access Control
D. Authorization Creep
Answer: D, Authorization Creep
Authorization creep occurs when users gain additional permissions and access over time but these rights are not revoked when they are no longer needed. The principle of Least Privilege refers to the opposite, wherein a user only has access to what is necessary to do their job. Mandatory Access Control assigns labels or classifications to objects and data in order to determine access levels. Although Discretionary Access Control may have led to the Authorization Creep issue, this term means that data owners specify who has access to the data.
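An entitlement review is how an account administrator catches the situation in question 8. The following is an added example, not part of the original quiz: it takes a constructed list of users with their current department and a constructed list of live entitlements (each recorded with the department it was granted for) and flags every right that belongs to a department the user has left, plus rights held by users who no longer appear in the directory.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    user: str
    resource: str
    granted_for_dept: str  # the department on whose behalf the access was granted


# Constructed sample data: where each user works today, and what they can currently access.
CURRENT_DEPT = {"alice": "engineering", "bob": "finance", "carol": "finance"}
ENTITLEMENTS = [
    Entitlement("alice", "fin-reports-share", "finance"),   # alice moved to engineering
    Entitlement("alice", "source-repo", "engineering"),
    Entitlement("bob", "fin-reports-share", "finance"),
    Entitlement("carol", "fin-reports-share", "finance"),
    Entitlement("carol", "hr-payroll-db", "hr"),            # carol moved from HR to finance
    Entitlement("dave", "source-repo", "engineering"),      # dave has left the company
]


def find_creep(current_dept: dict[str, str], entitlements: list[Entitlement]) -> list[Entitlement]:
    """Return entitlements whose granting department no longer matches the user's
    current department. Users missing from current_dept are treated as departed,
    so every right they still hold is flagged."""
    return [e for e in entitlements if current_dept.get(e.user) != e.granted_for_dept]


def revocation_plan(stale: list[Entitlement]) -> dict[str, list[str]]:
    """Group the flagged rights per user so each owner gets one revocation ticket."""
    plan: dict[str, list[str]] = {}
    for e in stale:
        plan.setdefault(e.user, []).append(e.resource)
    return {user: sorted(res) for user, res in sorted(plan.items())}


if __name__ == "__main__":
    for user, resources in revocation_plan(find_creep(CURRENT_DEPT, ENTITLEMENTS)).items():
        print(f"revoke from {user}: {', '.join(resources)}")
```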
9. An incident responder has discovered a significant breach and law enforcement has been called. They have instructed the company to maintain a chain of custody for all evidence involved in the breach. A chain of custody provides all of the following except:
A. A chain of custody tracks who has handled the evidence.
B. A chain of custody ensures the hacker is prosecuted.
C. A chain of custody shows that the evidence has not been tampered with or modified.
D. A chain of custody ensures that the evidence is admissible in court.
Answer: B, A chain of custody ensures the hacker is prosecuted.
A chain of custody does not ensure the hacker is prosecuted, only that the evidence was collected and handled in a trustworthy manner. The other answers are all benefits of a chain of custody.
10. A small software company has hired a third-party consultant to help them reach level 5 of the Capability Maturity Model Integration model. What would best describe when the software company reaches level 5 of the Capability Maturity Model Integration model?
A. They have defined, repeatable processes that can be measured quantitatively.
B. They are able to repeat successful processes with each project.
C. They have a budget and plan for continual process improvement.
D. They have implemented formal processes to collect and analyze metrics in order to run a process improvement program.
Answer: C, They have a budget and plan for continual process improvement.
Having a budget and plan for continual process improvement describes level 5, which is the Optimizing level. Defined, repeatable processes that can be measured quantitatively describes Level 3, which is the Defined level. Being able to repeat successful processes with each project describes Level 2, the Repeatable level. Implementing formal processes to collect and analyze metrics to run a process improvement program best describes Level 4, the Managed level.