CISSP PRACTICE QUESTIONS – 20210112

Effective CISSP Questions

A client is authenticating to an identity provider (IdP). Which of the following is the least feasible authenticator or authentication mechanism?
A. A password transmitted in clear text
B. A timestamp encrypted by the hash of the password
C. A nonce from the IdP encrypted by the subject’s private key
D. An attribute sent over TLS/SSL that uniquely identifies the subject

CISSP PRACTICE QUESTIONS – 20210111

A software development team is concerned with the integrity of the access token received from the web site after users log in. Which of the following is least likely to be considered?
A. Is the access token altered?
B. Is the web site the genuine origin of the access token?
C. Does the web site sign the access token?
D. Is the access token in transit lost?

CISSP PRACTICE QUESTIONS – 20210109

A client submits a user’s identity in clear text, along with a timestamp encrypted by the hash of the user’s password, to the Kerberos Authentication Server. The Kerberos message is encapsulated as KRB_AS_REQ. Which of the following best describes the purpose of the process?
A. Identification
B. Authentication
C. Pre-authentication
D. The TGT (Ticket-granting ticket)

CISSP PRACTICE QUESTIONS – 20210108

A session is a temporary logical connection between two end-user application processes for message exchange. Which of the following statements about the session is not true?
A. The session layer in the ISO OSI model maps to the application layer in TCP/IP.
B. The establishment of a session is independent of underlying transports.
C. The RESTful-style architecture prescribes how a session is managed.
D. A session can maintain state information even if the transport is connectionless.

CISSP PRACTICE QUESTIONS – 20210107

SAML and OIDC are commonly found in federated authentication. Which of the following statements about federated authentication is not true?
A. SAML assertions can be viewed as equivalent to OIDC claims.
B. The access token of a subject is trusted and passed across security domains.
C. A user registers only one account in the federated domains to fulfill single sign-on (SSO).
D. The relying party refers to the service provider in SAML or the OAuth2 client using OIDC.

CISSP PRACTICE QUESTIONS – 20210106

Mandatory Access Control (MAC) and Discretionary Access Control (DAC) are well-known authorization mechanisms introduced in the Trusted Computer System Evaluation Criteria (TCSEC). Which of the following statements about the authorization mechanisms is not true?
A. MAC can exist alone without DAC.
B. Privileges granted by the data owner can be reauthorized to others in DAC.
C. A subject with mere security clearance gets no access to objects.
D. MAC mediates the data flow between classification levels.

CISSP PRACTICE QUESTIONS – 20210104

You are conducting the risk assessment and have identified several risks. Which of the following best describes the risk in your risk register?
A. Natural hazards like earthquakes, floods, etc.
B. Script kiddies using open source tools to launch SQL injection attacks against web sites
C. Employees carelessly attending training may result in frequent violations of security policy
D. Human life losses
