You are conducting penetration testing against a website supported by a relational database by creating an identity equation as a login input to manipulate and bypass the authentication procedure. Which of the following tactics, techniques, and procedures (TTP) you most likely used?
A. Polyinstantiation
B. Reflected cross-site scripting
C. Data manipulation language
D. Noise and perturbation data
You are learning about IPv6 addressing. Which of the following is not correct?
A. There are no broadcast addresses in IPv6.
B. IPv6 nodes boot with the default address (::0) and use multicast to contact the DHCP server.
C. An anycast must not be used as the source address and can be assigned only to a router.
D. A link-local address is automatically configured using the prefix FE80::/10 and the modified EUI-64 format.
You are conducting threat modeling to identify attack vectors. Which of the following is the least likely initiated to hijack user sessions?
A. IP address spoofing
B. ARP spoofing
C. DNS spoofing
D. VLAN hopping
Your organization initiated a project to develop an E-Commerce web system. As a security professional, you have to research, implement and manage engineering processes using secure design principles. Which of the following is the first principle you are most likely to employ in terms of the SDLC?
A. Trust but verify
B. Threat modeling
C. Privacy by design
D. Shared responsibility
According to FISMA, which of the following is the security objective primarily impacted by the unauthorized destruction of information?
A. Accountability
B. Integrity
C. Confidentiality
D. Availability
You have provisionally passed the CISSP exam and started the online endorsement application to earn the certification (as a privilege) and obtain your credential. To commit to fully supporting the (ISC)² Code of Ethics, you are exercising due diligence and reviewing the code online. Which of the following is not an ethics canon that you might violate?
A. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
B. Act honorably, honestly, justly, responsibly, and legally.
C. Provide diligent and competent service to principles.
D. Advance and protect the profession.
To mitigate lateral movement, your company is implementing technical access controls per zero trust principles. Which of the following is least related to the implementation of zero trust?
A. XACML
B. De-perimeterisation
C. Separation of duties
D. Complete mediation
Your company is developing an E-Commerce web system. As a software tester, you would like to prepare test data to verify if the back-end API is vulnerable in terms of data integrity. Which of the following is the best tool?
A. zzuf
B. Nmap
C. Nessus
D. Metasploit
Your organization suffered from data compromise. A local hacker group was identified during the incident response process and regarded responsible based on collected evidence. If your organization decides to prosecute the hacker group, which of the following is most critical?
A. Timely e-discovery
B. Sound information governance
C. Compliance with CPTED principles
D. Effective administrative investigation
A subject is authenticating to the ID provider. Which of the following is not a cryptographic function or cipher and provides the lowest level of security in the authentication process?
A. Base64 for the encoding of ID and password in HTTP basic authentication
B. Electronic Codebook (ECB) that produces repeated patterns
C. Hash-based message authentication code (HMAC)
D. Cipher block chaining message authentication code (CBC-MAC)