Free CISSP Practice Test
The questions for paying members will be similar to what you see here.
Question 1 of 19
If your job description states explicitly that one of your duties is to manually review audit logs to detect malicious activity, which statement is most true?
Explanation:
This question may be especially challenging since it contains distractors. The best approach with questions like this is to analyze each option carefully, rule out certain options based on key words, and give the available options a rating to see which one is CLOSEST to being the right answer.
Knowledge needed:
This question combines a few cross-domain concepts but ultimately tests your knowledge of the different control categories, such as technical, detective, and compensating. The audit logs themselves are not a control (they are an output), but the mechanism that creates them is a technical control. Pay close attention to the wording: “the mechanism that creates audit logs” is a system-driven process, and therefore a technical control. Notice how the various responses try to entice you with distractors.
Question 2 of 19
Which of the following occurs at layer 3?
Question 3 of 19
If a colleague uses publicly available information from social media to guess one of your system admin’s passwords, and eventually steals classified information, what has most likely occurred?
Explanation:
This question may be challenging since it contains distractors in the available responses. The best approach with questions like this is to analyze each option carefully, rule out certain options based on key words, and give the available options a rating to see which one is CLOSEST to being the right answer.
Knowledge needed:
Masquerading is the correct answer, and while the audit logs may not seem useful, if the incident is detected and reported, they may still prove to be useful.
Spoofing without repudiation or recourse would not be the right choice because an authorized account was used. Repudiation and recourse are distractors.
Escalation of privilege with non-repudiation would not be the right choice because no escalation occurred (the account already had elevated privileges).
Tampering, one of the damaging steps within the STRIDE model, would not be the right choice because the data was not tampered with; it was stolen/exfiltrated.
Question 4 of 19
The CIO requests a solution to protect from digital squatting; the Board of directors requests a solution to protect digital rights; the CEO requests a solution to protect intellectual property; the CFO requests something to protect digital real estate. Which of the following would only be suitable for one of the requests above?
Explanation:
This question may be especially challenging since it asks the question in an overly complicated way. The best approach with questions like this when the question is overly large is to skip to the answer options and read through each one carefully (even ISC2 recommends reading the options before the question), and then re-read the question and try to understand what it’s asking. Once you’ve read everything a second or third time, rate each response in terms of what’s closest to being the right answer.
Knowledge needed:
If you got this question wrong, be sure to review the chapter on intellectual property. A digital rights management solution would be suitable to protect intellectual property.
Question 5 of 19
Telnet occurs at which layer?
Question 6 of 19
IGMP operates at which layer?
Question 7 of 19
Which of the following is not a component of personnel security?
Explanation:
This question may be especially challenging since it asks the question in a roundabout way. These questions are presented with statements like “which of the following is NOT”, which is misleading for those of us who are quick readers. The best approach with questions like this is to rephrase the question in your mind, turning it into something like “all of these are good options EXCEPT”, and then find the choice that doesn’t fit.
Knowledge needed:
An employee handbook that is not published is not current, and not in effect, thus it cannot be part of personnel security despite it potentially being published in the future (note: the question doesn’t indicate that it’ll be published ever). If you struggled with this question, be sure to study up on personnel security in Domain 1.
Question 8 of 19
Astrotek Company has just experienced an unexpected outage of both the primary site and the mirror site. The duration of this outage has been declared to be at least three weeks. As you begin to examine the contingency plan, what is the first category of items you should look for?
Explanation:
This question may be especially challenging since it has multiple correct answers. The best approach with questions like this is to rate each response according to which one would be better than the other. Whichever response has the better rating should be the answer you select.
Knowledge needed:
If you struggled with this question, be sure to review the chapter(s) on contingency planning, steps, and RTO in your book(s). Notice how two sites are mentioned specifically in the question, a primary site and mirror site. There is no mention of a hot site, warm site, or cold site, so we can’t assume that any of these are being used. The best choice in this scenario is to select the “higher level” option of “alternate” site, and we should be looking for recovery steps within the RTO. The terms recovery and reconstitution may be interchangeable in questions like this, but in this case the answer is made obvious due to its relationship to the RTO.
Question 9 of 19
Jeff uses a secret code to gain access to a database and begin his work as an administrator. He also is required to provide a thumb print, a retina scan, and the system looks at his terminal’s authentication location as well. What is most likely described here?
Explanation:
This question may be challenging since it contains irrelevant information. The best approach with questions like this is to take your time in reading the question and available responses a few times to identify the irrelevant information. This will help you to understand what the question is really asking.
Knowledge needed:
Domain 5 teaches about the various factors of authentication: something you know, something you have, and something you are. If you require one, it’s single-factor (such as a password). If you require two or more, it’s considered multifactor.
Question 10 of 19
Your CIO wants to implement Lightweight Directory Access Protocol (LDAP) to authenticate the company’s public users. Your first consideration should be:
Knowledge needed:
Of these options, the best choice would be an updated version of LDAP to support TLS since (without knowing other factors) the other options are simply listing components of LDAP without applicability to security. TLS addresses security and would be the best choice in this scenario. If you have work-related experience in a certain area such as LDAP, try not to let it influence your answer selection. The Common Body of Knowledge talks about the better version of LDAP having support for TLS.
Question 11 of 19
Robert sends you a message. The cryptosystem runs a hash on his message. The digest is then encrypted using Robert’s private key. This process most likely describes:
Explanation:
This question may be especially challenging since it does not have enough information to make a good choice with the available options (the question is vague or ambiguous). The best approach with questions like this is to either think through the process to what the eventual outcome or missing component might be, or to give the available options a rating to see which one is CLOSEST to being the right answer.
Knowledge needed:
One of the key words in this question is ‘process’. If it were asking about a ‘system’ the nature of the question would change entirely. This process describes a digital signature. The strength or weakness of the hashing function is irrelevant in this question. If you struggled with this question, be sure to study up on Digital Signatures in Domain 3.
Question 12 of 19
An attacker gains access to a device on the network and is able to intercept transmissions; however, the transmissions are encrypted. What type of attack will the attacker attempt next?
Question 13 of 19
Match the following software development lifecycle activities with their phases:
Activities:
- Conceptual objective
- Formalizing of security requirements
- Designing the system and software
- Develop the source code
- Document security code
- Data validation and bounds checking
- Move from the acceptance phase to the production environment
Phases:
- Project initiation
- Functional requirements
- System design specifications
- Development and implementation
- Documentation
- Testing and evaluation
- Transition to production
This is straight from the Common Body of Knowledge. We include questions like this to prepare you for harder versions of the same question in later practice exams where the terminology may not align perfectly.
Question 14 of 19
Which of the following software development methods might lead to poor design due to the goal of producing quality code quickly?
Question 15 of 19
A team of Agile software developers asks what your recommendation would be for ensuring that their web application has proper bounds checking and input validation. What would be the best recommendation if there are no internal documents or resources available?
Question 16 of 19
The encapsulating security payload:
Question 17 of 19
The sender encrypts a message with the recipient’s public key. This ensures:
Question 18 of 19
Which of the following does not describe a negative test?
Explanation:
This question may be especially challenging since it asks the question in a roundabout way. These questions are presented with statements like “which of the following is NOT”, which is misleading for those of us who are quick readers. The best approach with questions like this is to rephrase the question in your mind, turning it into something like “all of these are good options EXCEPT”, and then find the choice that doesn’t fit.
Knowledge needed:
Negative tests demonstrate application behavior when there is unexpected or invalid data. Information on this can be found in Domain 6.
Question 19 of 19
Within which phase(s) of the asset lifecycle would configuration management most likely be performed?
This question tries to trick you by crossing concepts over domains. The question is really asking where the baseline is established. Most likely this is in the Secure phase.