FREE PRACTICE QUIZ

Here is a free quiz! This will give you an idea of the type of questions we have and the difficulty level we strive for at CISSPrep. Note: this quiz resembles our "EXAMS", which are timed, just like the real exam. Our Domain Quizzes are not timed. You will have about 90 seconds per question, so choose carefully!

1 / 10
When building a cloud system to manage multiple edge devices, what should be used if one of the requirements is to have key management services provide the highest level of customer control over the encryption/decryption keys?
- Cloud-based key management
- Fog computing
- Client-side key management
- Remote key management

Client-side is the best option here because it represents the scenario where key management services are kept on-premises and within the organization, and it provides the highest level of control to the client. The hardware security module and software are licensed/leased, and control is handed over to the client for storage and processing. Remote key management is where the key management service is also on-prem, but the processing (application server) and hosting (storage array) are done at the cloud level. "Cloud-based" is a distractor option, and fog computing is where you have IoT devices but the computations are not done at the source (as opposed to edge computing, where IoT devices would do computations at the source).

2 / 10
The confidentiality of data in transit is most at risk of:
- Packet drop and loss of data
- Unauthorized access to the data
- Exfiltration of data in plaintext
- Eavesdropping and capture of data

Dropping packets really depends on layer 3 configurations, so it would not be the best option here; in addition, it impacts availability and not confidentiality. Unauthorized access and exfiltration are possible answers, but again they would depend on some other assumptions (such as the assumption that eavesdropping was occurring). Furthermore, the exfiltration option states that the data is in plaintext, and since we don't know that, it would not be the best option. Since eavesdropping could result in both unauthorized access and exfiltration, it is the best choice.

3 / 10
At which of the following phases of the software assurance process would sustainment, disposal, or decommissioning occur?
- Monitoring and Acceptance Phase
- Planning Phase
- Contracting Phase
- Ongoing Use and Support Phase

As we have stated in our domain questions, it is important to understand not only the step names/titles, but what happens at each step of any process taught in the CBK. For more information, please study up on Domain 8, software assurance process. We have a video that covers this in detail: https://youtu.be/6RoUCNc6TP4

4 / 10
What is needed when a system's feedback loop and a logic model require an additional layer of due diligence?
- A logic bomb
- An outer-control loop
- A silicon root of trust
- A logic model

Due diligence is the measuring, the calculating, and the pre-decision aspect of governance, and it is demonstrated by using cybernetics as an example. A feedback loop measures the state of the system, whereas logic models make the decisions. The outer control loop is part of the hierarchy of the feedback loop's process control and demonstrates due diligence. A logic bomb is a type of malware, and a silicon root of trust is firmware technology that integrates security into the hardware level of a chip. This is a Domain 1 question.

5 / 10
A systems vendor claims that it can guarantee protection of data being processed. What is the most effective way to verify this claim after the system has been deployed into production?
- Test the database to ensure that data remains encrypted prior to being transmitted to the client.
- Test applicable portions of the architecture to ensure that polyinstantiation is used when the data is sent to random access memory.
- Test portions of memory while the data is being processed to ensure that enclaves are utilized, and that the data is not visible to other processes.
- Test the application processes to ensure that a secret key is used to transmit data between ends.

When faced with difficult questions that may push the limits of your analytical thought process, take time to look for any key words that you know. In this case, you should be able to recognize "data being processed" as a data state, or rather, data in use. Since protecting data in use requires certain methods, be sure to review Domain 2 concepts (namely the enclave) if you struggled with this question. Data in use is difficult to protect because it is processed in RAM. Using secure enclaves can help fix this problem. Data is processed in unencrypted form, and an enclave can isolate data from the rest of the architecture, which means it can be protected from vulnerabilities or malware that might exist in that architecture.

6 / 10
Real-time confirmation in a pay-as-you-go Secrets Manager that any given request to perform an action is allowed by the various defined privileges refers to which of the following?
- Authentication
- Approval
- Authorization
- Accounting

When taking the exam and a question feels completely unfamiliar because of certain words or phrases, try to ignore that part of the question and read everything over a few times. It may take as many as five times to really understand what the question is asking. In this case, the question is a more complicated form of asking what the difference is between authorization and authentication. The exam will present many real-world technologies or concepts intermixed with the CBK topics you've studied. If you struggled with this question, be sure to read up on Provisioning and Authorization in Domain 5.

7 / 10
In which case would the discovery phase of ethical penetration testing be unnecessary?
- If the rules of engagement already define the systems or environments to be tested.
- If the activities of the tester are compiled and presented to management.
- If the results of the exploit delivery are documented.
- If the systems or environments are subjected to fingerprinting.

If you struggled with this question, be sure to read up on the basic methodology of Ethical Penetration Testing in Domain 6. Discovery Phase: consistent with the RoE, the testers define the potential breadth of the environment. Note that this is an administrative process done prior to testing activities (it identifies what is to be tested). If the RoE already defines the systems and areas in scope, this part of discovery is not needed.

8 / 10
A user of your company's website submits a General Data Protection Regulation request with a right to be forgotten clause cited as legal authority after posting defamatory information about several of your executives. What is the best advice if there is no legal team to respond to this request?
- If your company is not part of the European Union and there is a privacy regulation that requires deletion regardless of any criminal investigation, comply with the request
- If your company resides in the European Union but there is a defamation lawsuit involving the individual that requires data retention, the request cannot be fulfilled
- If the individual is a citizen of the European Union, comply with the request
- If your company resides in the European Union, comply with the request

At times you'll be presented with questions that have too much information. In these cases, you'll have to identify the irrelevant pieces of information and try to rule out options one by one based on how their wording aligns (or doesn't align) with the context of the question. In this case, you will need to know a little bit about the GDPR and what's discussed in the CBK. If you're familiar with the GDPR, its scope seems to be changing as court cases and legal matters come up, but for the most part its scope ends if the citizen doesn't reside in a participating country. There are also jurisdiction concerns if the company is not part of the EU. This is a Domain 1 question. The CBK specifically mentions some concerns with the GDPR "right to be forgotten" clause, but even if you're not 100% familiar with it, you might still be able to answer the question. You can ignore certain pieces of information, such as the fact that there is no legal team. You can also ignore the issue of whether the individual/company resides in the EU after examining the question in its entirety, because there is no blanket application of this particular clause, and the other details are more important in this scenario. Pay special attention to the wording of all questions, as a single question could be the deciding factor of a pass/fail score. In this case, the word "requires" should stand out. The CBK specifically talks about defamation lawsuits being a type of exemption from the deletion of data (as evidence/artifact rules would apply at that point).

9 / 10
The best way to ensure that a login ID and password combination is not disclosed during an authentication process is which of the following?
- Applying a State Machine model
- Leveraging a Noninterference model
- Implementing a Ring model
- Using the Information Flow model

Noninterference ensures that objects and subjects of one sensitivity level don't inappropriately interact with objects/subjects of another sensitivity level. In this case, upon successful login the output should most likely be the first screen of the graphical user interface, as opposed to the login credentials themselves. The information flow model describes how privileges for subjects can be used to constrain the access and modifications those subjects can perform on objects. The state machine model ensures that the system meets starting and ending condition criteria for each process. The Ring model focuses on interactions between the underlying hardware's security capabilities.

10 / 10
A number of key goal indicators (KGI) show that it takes an average of four months to successfully implement a change through the change management process. If you are facing a non-urgent but much needed change, the absence of which could create additional risks, what is the best approach to recommend?
- Check the key performance indicators (KPI) for the assets in question, and if the KPIs are less than the average KGI, submit a request through the normal process.
- Check key risk indicators (KRI) to calculate either a qualitative or quantitative prediction as to whether the additional risks will materialize.
- Check KGIs related to changing the security baseline, and if it takes less time to change the baseline, submit a request to change the baseline.
- Check the key performance indicators (KPI) on the risky assets, and test the metrics for vulnerabilities.

This question presents "TMI" (too much information) and might be similar to a beta question; however, it requires you to apply practical working knowledge to the concepts of secure baseline and change management. If you struggled with this question, be sure to read up on both secure baseline and change management in Domain 7.