CISSP PRACTICE QUESTIONS – 20201201

“Defense in depth”, sometimes also known as layered defense, is one of the most important approaches to trustworthy secure system development. Which of the following is true?
A. It creates parallel barriers to prevent, delay, or deter an attack.
B. It achieves greater trustworthiness than the individual security components used.
C. It is an alternative to a balanced application of security concepts and design principles.
D. Its concepts are not the same as the security design principles of modularity and layering.

CISSP PRACTICE QUESTIONS – 20201130

Alice develops a program and has the permissions {read, write, execute} on it. Bob has no permissions on the program but can forcibly take Alice’s permissions. Alice was surprised that Eve had executed the program, because Bob granted Eve this permission without Alice’s knowledge. Which of the following is the authorization mechanism the security kernel implements?
A. Mandatory access control
B. Discretionary access control
C. Role-based access control
D. Non-discretionary access control

CISSP PRACTICE QUESTIONS – 20201129

A plethora of vulnerabilities is discovered after conducting a vulnerability assessment against your company’s official web site. You decide to implement continuous monitoring over the web server and automate the patching process. Which of the following is the best vehicle?
A. DevOps
B. Change control
C. Continuous deployment
D. Security Content Automation Protocol (SCAP)

CISSP PRACTICE QUESTIONS – 20201128

Your company is developing an ERP system, owned by the head of the IT department, using Scrum. You are the product owner of the development of the material management module. Which of the following is the least of your concerns?
A. Refinement of the product backlog
B. Application for authorization to operate (ATO)
C. Trustworthiness of the product
D. User acceptance

CISSP PRACTICE QUESTIONS – 20201127

You started a software house two years ago that builds and implements custom software solutions for clients. As there was no organizational project management standard or unified set of processes, your company relied on senior project managers capable of managing projects and delivering software to clients based on their own approaches and experience. Which of the following is the maturity level that best describes your company in terms of CMMI?
A. Initial
B. Repeatable
C. Managed
D. Defined

CISSP PRACTICE QUESTIONS – 20201125

An unknown vulnerability is discovered after conducting a vulnerability scan against your company’s official web site. You are analyzing it and calculating its score based on CVSS v3.1. Which of the following is not a mandatory metric?
A. Attack Vector (AV)
B. Exploit Code Maturity (E)
C. User Interaction (UI)
D. Privileges Required (PR)

CISSP PRACTICE QUESTIONS – 20201124

You are conducting a vulnerability assessment against your company’s official web site. Which of the following should be scanned first?
A. Known weaknesses in the CWE List
B. Known vulnerabilities in the CVE List
C. Undiscovered or unknown vulnerabilities
D. The attack surface determined after the threat modeling

CISSP PRACTICE QUESTIONS – 20201123

In a threat modeling meeting, the development team identified a couple of attack vectors. Most of them appear in the OWASP Top 10. Which of the following should be done first to address the attack surface?
A. Prioritize and sort the attack vectors
B. Calculate the risk exposure of each attack vector
C. Submit a change request to revise the architectural design
D. Evaluate and determine the scope of the attack surface to be addressed