It’s commonly accepted that all user-originated inputs should be treated as untrusted. Which of the following is least significant to ensuring the security of an API’s input data? (Wentz QOTD)
A. Serialization
B. Canonicalization
C. Sanitization
D. Validation
Category Archives: QOTD
CISSP PRACTICE QUESTIONS – 20220120
You lead an integrated product team to develop a software solution. Which of the following is incorrect about threat modeling? (Wentz QOTD)
A. Threat modeling emphasizes identifying and addressing design flaws before coding.
B. Ideally, threat modeling is applied as soon as an architecture has been established.
C. Threat modeling should be conducted in the initiation phase as mentioned in the NIST SDLC.
D. The express aim of threat modeling is to identify and eliminate architectural and design issues.
CISSP PRACTICE QUESTIONS – 20220119
You employ a symmetric cipher to protect data at rest. Which of the following is the most feasible secret key providing the highest level of security? (Wentz QOTD)
A. Fixed 128-bit key
B. Complicated password
C. A key with a length between 2048 and 3072 bits
D. A randomly generated key with the lowest level of entropy
CISSP PRACTICE QUESTIONS – 20220118
Which of the following is the most crucial concept used to categorize an information system based on the NIST Risk Management Framework? (Wentz QOTD)
A. Scoping
B. Tailoring
C. High watermark
D. System-specific risk assessment
CISSP PRACTICE QUESTIONS – 20220117
An online store employs a relational database. The store owner is concerned about data integrity. Which of the following best enforces referential integrity? (Wentz QOTD)
A. Lipner Model
B. Elliptic Curve Digital Signature Algorithm (ECDSA)
C. Hash-based message authentication code (HMAC)
D. Clark-Wilson Model
CISSP PRACTICE QUESTIONS – 20220116
A keystream is a sequence of random or pseudorandom data elements, e.g., bits, that are combined with a plaintext message to produce the ciphertext. Which of the following doesn’t use a keystream? (Wentz QOTD)
A. One-time pad
B. RC4 in Wired Equivalent Privacy (WEP)
C. DES-CTR (Counter mode)
D. AES-CBC (Cipher Block Chaining mode)
CISSP PRACTICE QUESTIONS – 20220115
As a lead auditor, you lead an audit team to conduct a security audit. Which of the following is the least ideal audience to whom you functionally report? (Wentz QOTD)
A. Chief executive officer (CEO)
B. Chief audit executive (CAE)
C. Audit committee
D. Board of directors
CISSP PRACTICE QUESTIONS – 20220114
You are conducting a security assessment. Which of the following is not an assessment object? (Wentz QOTD)
A. Specifications
B. Mechanisms
C. Activities
D. Depth and coverage
CISSP PRACTICE QUESTIONS – 20220113
You are conducting an account management review. Which of the following is not a good practice? (Wentz QOTD)
A. Select all accounts for review
B. Assess a list of accounts carefully selected by system administrators
C. Verify former employees’ accounts
D. Review the paper trail or records for specific accounts
CISSP PRACTICE QUESTIONS – 20220112
Which of the following is the primary target or fundamental unit that the NIST Risk Management Framework protects? (Wentz QOTD)
A. Common controls
B. Personal data and privacy
C. The information system in question
D. Data processed by the information system