CISSP PRACTICE QUESTIONS – 20201205

Effective CISSP Questions

After transforming stakeholder requirements into system requirements, you are selecting controls based upon system security requirements and allocating them to the security architecture. As a security architect, which of the following selection criteria is least likely used to select controls?
A. The attack surface
B. The result of risk assessment
C. The impact level of the system
D. The exploitability of vulnerabilities

CISSP PRACTICE QUESTIONS – 20201204

Effective CISSP Questions

A switching hub in production is receiving a huge amount of traffic that leads to the overflow of its content-addressable memory (CAM) table. It begins to flood traffic to all ports and becomes vulnerable to sniffing attacks. Which of the following security principles should have been implemented first to prevent the sniffing attacks?
A. Trusted recovery
B. Secure failure
C. Secure defaults
D. Least privilege

CISSP PRACTICE QUESTIONS – 20201203

Effective CISSP Questions

Your company develops and sells firewalls. Some of the firewalls are sent for independent evaluation against the Common Criteria. Which of the following affects the level of evaluation assurance least significantly?
A. The evaluation methods, processes, and tools employed
B. The percentage of the system that is considered in the evaluation
C. The evaluation granularity of the design, implementation, and processes of the system
D. The ability of the system to reestablish a secure state and to do so in a secure manner

SOC 1, 2, and 3 Reports Overview

Service Organization Controls (SOC)

The following is an excerpt from the Microsoft website:

Increasingly, businesses outsource basic functions such as data storage and access to applications to cloud service providers (CSPs) and other service organizations. In response, the American Institute of Certified Public Accountants (AICPA) has developed the Service Organization Controls (SOC) framework, a standard for controls that safeguard the confidentiality and privacy of information stored and processed in the cloud. This aligns with the International Standard on Assurance Engagements (ISAE), the reporting standard for international service organizations.

Service audits based on the SOC framework fall into two categories — SOC 1 and SOC 2 — that apply to in-scope Microsoft cloud services.

  • A SOC 1 audit, intended for CPA firms that audit financial statements, evaluates the effectiveness of a CSP’s internal controls that affect the financial reports of a customer using the provider’s cloud services. The Statement on Standards for Attestation Engagements (SSAE 18) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402) are the standards under which the audit is performed, and are the basis of the SOC 1 report.
  • A SOC 2 audit gauges the effectiveness of a CSP’s system based on the AICPA Trust Service Principles and Criteria. An Attest Engagement under Attestation Standards (AT) Section 101 is the basis of SOC 2 and SOC 3 reports.

At the conclusion of a SOC 1 or SOC 2 audit, the service auditor renders an opinion in a SOC 1 Type 2 or SOC 2 Type 2 report, which describes the CSP’s system and assesses the fairness of the CSP’s description of its controls. It also evaluates whether the CSP’s controls are designed appropriately, were in operation on a specified date, and were operating effectively over a specified time period.

  • Auditors can also create a SOC 3 report — an abbreviated version of the SOC 2 Type 2 audit report — for users who want assurance about the CSP’s controls but don’t need a full SOC 2 report. A SOC 3 report can be conferred only if the CSP has an unqualified audit opinion for SOC 2.

Source: https://docs.microsoft.com/en-us/compliance/regulatory/offering-soc

CISSP PRACTICE QUESTIONS – 20201202

Effective CISSP Questions

Your company is developing an E-Commerce system, which is a system of systems. It accepts orders on web servers, processes them on application servers, stores them on database servers, and sends short messages of transaction success to customers through external notification services. Internal DNS servers are deployed for domain name resolution, while external DNS servers are employed for failover. Which of the following is the best composition theory describing the DNS operations?
A. Cascading
B. Feedback
C. Hookup
D. Delegate

CISSP PRACTICE QUESTIONS – 20201201

Effective CISSP Questions

“Defense in depth”, sometimes also known as layered defense, is one of the most important approaches to trustworthy secure system development. Which of the following is true?
A. It creates parallel barriers to prevent, delay, or deter an attack.
B. It achieves greater trustworthiness than the individual security components used.
C. It is an alternative to a balanced application of security concepts and design principles.
D. Its concepts are not the same as the security design principles of modularity and layering.

Exploit and Attack

Threat Modeling

Threat modeling is a form of risk assessment that models aspects of the attack and defense sides of a particular logical entity, such as a piece of data, an application, a host, a system, or an environment.

A common form of threat modeling is software threat modeling, which is threat modeling performed during software design to reduce software vulnerabilities. There are many established methodologies for performing software threat modeling.

Another common form of threat modeling is known as system threat modeling, which is threat modeling performed for operational systems to improve their overall security. Compared to software threat modeling, system threat modeling tends to be largely informal and ad hoc.

Source: NIST SP 800-154 (draft)

CISSP PRACTICE QUESTIONS – 20201130

Effective CISSP Questions

Alice develops a program and has permissions, {read, write, execute}, on it. Bob has no permissions on the program but can forcibly take Alice’s permissions. Alice was surprised that Eve had executed the program, because Bob granted Eve this permission without Alice’s awareness. Which of the following is the authorization mechanism the security kernel implements?
A. Mandatory access control
B. Discretionary access control
C. Role-based access control
D. Non-discretionary access control

CISSP PRACTICE QUESTIONS – 20201129

Effective CISSP Questions

A plethora of vulnerabilities is discovered after conducting a vulnerability assessment against your company’s official web site. You decide to implement continuous monitoring over the web server and automate the patching process. Which of the following is the best vehicle?
A. DevOps
B. Change control
C. Continuous deployment
D. Security Content Automation Protocol (SCAP)
