Pass the ISC 2 Credentials CISSP Questions and answers with ValidTests

 A Trusted Platform Module (TPM) is a hardware device that wraps the decryption key of a full disk encryption implementation and ties the hard disk drive to a particular device. A TPM is a secure cryptoprocessor that generates, stores, and protects cryptographic keys and other sensitive data. A TPM can be used to implement full disk encryption, which is a technique that encrypts the entire contents of a hard disk drive, making it unreadable without the correct decryption key. A TPM can wrap the decryption key, which means that it encrypts the key with another key that is stored in the TPM and can only be accessed by authorized software. A TPM can also tie the hard disk drive to a particular device, which means that it verifies the identity and integrity of the device before allowing the decryption of the hard disk drive. This prevents unauthorized access to the data even if the hard disk drive is physically removed and attached to another device. A Preboot eXecution Environment (PXE), a Key Distribution Center (KDC), and a Simple Key-Management for Internet Protocol (SKIP) are not devices or techniques that wrap the decryption key of a full disk encryption implementation and tie the hard disk drive to a particular device. A PXE is a protocol that enables a device to boot from a network server without a local operating system or storage device. A KDC is a server that issues and manages cryptographic keys and tickets for authentication and encryption in a Kerberos system. A SKIP is a protocol that provides secure key exchange and authentication for IPsec.

The best practice for testing a Business Continuity Plan (BCP) is to test it when the environment changes, such as when there are new business processes, technologies, threats, or regulations. This ensures that the BCP is updated, relevant, and effective for the current situation. Testing the BCP before the IT audit, after installation of security patches, or after implementation of system patches are not the best practices, as they may not reflect the actual changes in the business environment or the potential disruptions that may occur. References: 5: Comprehensive Guide to Business Continuity Testing67: Maximizing Your BCP Testing Efforts: Best Practices8

 An Information Protection Policy (IPP) is a document that defines the objectives, scope, roles, responsibilities, and rules for protecting the information assets of an organization. An IPP should be aligned with the business goals and legal requirements, and should be communicated and enforced throughout the organization. When constructing an IPP, it is important that the stated rules are necessary, adequate, and achievable, meaning that they are relevant, sufficient, and realistic for the organization’s context and capabilities34. References: 3: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, page 234: CISSP For Dummies, 7th Edition, Chapter 1, page 15.

Diffusion is the principle that requires that changes to the plaintext affect many parts of the ciphertext. Diffusion is a property of a good encryption algorithm that aims to spread the influence of each plaintext bit over many ciphertext bits, so that a small change in the plaintext results in a large change in the ciphertext2. Diffusion can increase the security of the encryption by making it harder for an attacker to analyze the statistical patterns or correlations between the plaintext and the ciphertext. Encapsulation, obfuscation, and permutation are not principles that require that changes to the plaintext affect many parts of the ciphertext, as they are related to different aspects of encryption or security. References: 2: CISSP For Dummies, 7th Edition, Chapter 3, page 65.

In a financial institution, the responsibility for assigning the classification to a piece of information belongs to the originator or nominated owner of the information. The originator is the person who creates or generates the information, and the nominated owner is the person who is assigned the accountability and authority for the information by the management. The originator or nominated owner is the best person to determine the value and sensitivity of the information, and to assign the appropriate classification level based on the criteria and guidelines established by the organization. The originator or nominated owner is also responsible for reviewing and updating the classification as needed, and for ensuring that the information is handled and protected according to its classification56. References: 5: Information Classification Policy76: Information Classification and Handling Policy

The most relevant reading material for researching an organization’s legal obligations to protect privacy-related information is the privacy-related regulations enforced by governing bodies applicable to the organization. These regulations define the legal requirements, standards, and penalties for collecting, processing, storing, and disclosing personal or sensitive information of individuals or entities. The organization must comply with these regulations to avoid legal liabilities, fines, or sanctions. The other options are not as relevant as privacy-related regulations, as they either do not reflect the legal obligations of the organization (A and C), or do not apply to all types of privacy-related information (D). References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, page 22; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1, page 31.

 Internet Key Exchange (IKE) is a protocol that defines the key exchange for Internet Protocol Security (IPSec). IPSec is a suite of protocols that provides security for IP-based communications, such as encryption, authentication, and integrity. IKE establishes a secure channel between two parties, negotiates the security parameters, and generates the cryptographic keys for IPSec . References: : CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5, page 541. : CISSP For Dummies, 7th Edition, Chapter 5, page 157.

Degaussing is an effective method for avoiding magnetic media data remanence, which is the residual representation of data that remains on a storage device after it has been erased or overwritten. Degaussing is a process of applying a strong magnetic field to the storage device, such as a hard disk or a tape, to erase the data and destroy the magnetic alignment of the media. Degaussing can ensure that the data is unrecoverable, even by forensic tools or techniques. Encryption, DLP, and authentication are not methods for avoiding magnetic media data remanence, as they do not erase the data from the storage device, but rather protect it from unauthorized access or disclosure. References: : CISSP All-in-One Exam Guide, Eighth Edition, Chapter 10, page 631. : CISSP For Dummies, 7th Edition, Chapter 9, page 251.

A system’s criticality classification is important in large organizations because it provides for proper prioritization and scheduling of security and maintenance tasks. A system’s criticality classification is the level of importance or impact that a system has on the organization’s mission, objectives, operations, or functions. A system’s criticality classification may depend on factors such as the system’s availability, integrity, confidentiality, functionality, performance, or reliability. A system’s criticality classification helps the organization to allocate resources, implement controls, perform audits, apply patches, conduct backups, and respond to incidents according to the system’s priority and risk. A system’s criticality classification does not necessarily reduce critical system support workload or the time required to apply patches, as these may depend on other factors such as the system’s complexity, configuration, or vulnerability. A system’s criticality classification may allow for clear systems status communications to executive management, but this is not the primary reason for its importance. A system’s criticality classification may provide for easier determination of ownership, but this is not the main benefit of its importance. 

 The best way to ensure document confidentiality in the repository is to encrypt the contents of the repository and document any exceptions to that requirement. Encryption is the process of transforming the information into an unreadable form using a secret key or algorithm. Encryption protects the confidentiality of the information by preventing unauthorized access or disclosure, even if the repository is compromised or breached. Encryption also provides integrity and authenticity of the information by ensuring that it has not been modified or tampered with. Documenting any exceptions to the encryption requirement is also important to justify the reasons and risks for not encrypting certain information, and to apply alternative controls if needed93. References: 9: What Is a Document Repository and What Are the Benefits of Using One103: What is a document repository and why you should have one11

File Transfer Protocol (FTP) is a protocol that enables the transfer of files between a client and a server over a network. FTP has a security limitation in that it does not encrypt the authentication process, meaning that the username and password are sent in clear text over the network. This exposes the credentials to interception and eavesdropping by unauthorized parties, who could then access the files or compromise the system . References: : CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5, page 533. : CISSP For Dummies, 7th Edition, Chapter 5, page 155.

Permission is the type of authorized interactions a subject can have with an object. Permission is a rule or a setting that defines the specific actions or operations that a subject can perform on an object, such as read, write, execute, or delete1. Permission is usually granted by the owner or the administrator of the object, and can be based on the identity, role, or group membership of the subject. Control, procedure, and protocol are not types of authorized interactions a subject can have with an object, as they are related to different aspects of access control or security. References: 1: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 6, page 355.

A heterogeneous end-point network is a network that consists of different types of devices, such as computers, tablets, smartphones, printers, etc., that connect to the network and communicate with each other. Each device, or host, may have different operating systems, applications, configurations, and security requirements. When implementing controls in a heterogeneous end-point network, it is critical that common software security components be implemented across all hosts. Common software security components are software programs or features that provide security functions, such as antivirus, firewall, encryption, authentication, etc. Implementing common software security components across all hosts ensures that the hosts have a consistent and minimum level of security protection, and that the hosts can interoperate securely with each other and with the network. Implementing common software security components across all hosts does not mean that the hosts have to be identical or have the same security settings. The hosts can still have different hardware, software, and security configurations, as long as they meet the security requirements and standards of the organization and the network. Implementing common software security components across all hosts is not the same as ensuring that hosts are able to establish network communications, allowing users to make modifications to their security software configurations, or making firewalls running on each host fully customizable by the user. These are other aspects of security management that may or may not be relevant or desirable for a heterogeneous end-point network, depending on the organization’s policies and objectives.

The term commonly used to refer to a technique of authenticating one machine to another by forging packets from a trusted source is spoofing. Spoofing is a type of attack that involves impersonating or masquerading as a legitimate entity, such as a user, a device, or a network, by altering or falsifying the source or destination address of a packet3. Spoofing can be used to bypass authentication, gain unauthorized access, or launch other attacks, such as denial-of-service or man-in-the-middle. Man-in-the-middle, smurfing, and session redirect are not terms that refer to a technique of authenticating one machine to another by forging packets from a trusted source, as they are related to different types of attacks or techniques. Man-in-the-middle is an attack that involves intercepting and modifying the communication between two parties. Smurfing is an attack that involves sending a large number of ICMP echo requests to a network broadcast address, using a spoofed source address of the intended victim. Session redirect is a technique that involves changing the destination address of a packet to redirect it to a different location. References: 3: Official (ISC)2 CISSP CBK Reference, 5th Edition, Chapter 4, page 199. : CISSP All-in-One Exam Guide, Eighth Edition, Chapter 7, page 423.

Testing for the security patch level of the environment is the web application control that should be put into place to prevent exploitation of Operating System (OS) bugs. OS bugs are errors or defects in the code or logic of the OS that can cause the OS to malfunction or behave unexpectedly. OS bugs can be exploited by attackers to gain unauthorized access, disrupt business operations, or steal or leak sensitive data. Testing for the security patch level of the environment is the web application control that should be put into place to prevent exploitation of OS bugs, because it can provide several benefits, such as:

Detecting and resolving any vulnerabilities or issues caused by the OS bugs by applying the latest security patches or updates from the OS developers or vendors

Enhancing the security and performance of the web applications by using the most secure and efficient version of the OS that supports the web applications

Increasing the compliance and alignment of the web applications with the security policies and regulations that are applicable to the web applications

Improving the compatibility and interoperability of the web applications with the other systems or platforms that interact with the web applications

The other options are not the web application controls that should be put into place to prevent exploitation of OS bugs, but rather web application controls that can prevent or mitigate other types of web application attacks or issues. Checking arguments in function calls is a web application control that can prevent or mitigate buffer overflow attacks, which are attacks that exploit the vulnerability of the web application code that does not properly check the size or length of the input data that is passed to a function or a variable, and overwrite the adjacent memory locations with malicious code or data. Including logging functions is a web application control that can prevent or mitigate unauthorized access or modification attacks, which are attacks that exploit the lack of or weak authentication or authorization mechanisms of the web applications, and access or modify the web application data or functionality without proper permission or verification. Digitally signing each application module is a web application control that can prevent or mitigate code injection or tampering attacks, which are attacks that exploit the vulnerability of the web application code that does not properly validate or sanitize the input data that is executed or interpreted by the web application, and inject or modify the web application code with malicious code or data.