
CISSP Dumps By Pros - 1st Attempt Guaranteed Success
Study Tips
Below are some helpful study tips you can refer to while preparing for the CISSP test:
- Look at the security management prep exam questions to see what valuable knowledge you can collect.
- Take advantage of the most up-to-date security materials and online webinars focused on security operations and software development security.
- Seek guidance from security practitioners who have already earned certification for their CISSP skills.
- Gain in-depth, real-life experience that applies both to your job and to the certification.
- Attend online programs focused on the CISSP and best practices in security to increase your confidence in facing the real exam.
Career opportunities after earning the ISC CISSP certification
There are many possibilities for career growth after earning the CISSP certification by preparing from CISSP Dumps. You can become a security analyst, a senior manager in security, or one of the most skilled practitioners in the world with your ISC CISSP certification. After earning this certification, you can also start your own cybersecurity company.
ISC's CISSP team provides support to individuals through a publicly documented question and answer forum, a non-public LinkedIn group for credential holders only, and a private Facebook group for credential holders only. The career opportunities after getting the ISC CISSP Certification exam are numerous. Having the certification shows that you have the knowledge and experience to apply this knowledge in a secure manner. As a result, you can easily get hired by IT companies, and you can enhance your employability and value of your skillset.
Passing scores for the ISC CISSP exam
The exam passing score varies from country to country and is set by the local testing authority in each region or country. To determine your Exam Pass/Fail status, you will need to know your total raw score count for all domains, not individual domain count.
NEW QUESTION 534
Which of these statements about the key elements of a good configuration process is NOT true?
- A. Accommodate the reuse of proven standards and best practices
- B. Control modifications to system hardware in order to prevent resource changes
- C. Ensure that all requirements remain clear, concise, and valid
- D. Ensure changes, standards, and requirements are communicated promptly and precisely
Answer: B
Explanation:
Configuration management isn't about preventing change but ensuring the integrity of IT resources by preventing unauthorised or improper changes.
According to the Official ISC2 guide to the CISSP exam, a good CM process is one that can:
(1) accommodate change;
(2) accommodate the reuse of proven standards and best practices;
(3) ensure that all requirements remain clear, concise, and valid;
(4) ensure changes, standards, and requirements are communicated promptly and precisely; and
(5) ensure that the results conform to each instance of the product.
Configuration management
Configuration management (CM) is the detailed recording and updating of information that describes an enterprise's computer systems and networks, including all hardware and software components. Such information typically includes the versions and updates that have been applied to installed software packages and the locations and network addresses of hardware devices. Special configuration management software is available. When a system needs a hardware or software upgrade, a computer technician can access the configuration management program and database to see what is currently installed. The technician can then make a more informed decision about the upgrade needed. An advantage of a configuration management application is that the entire collection of systems can be reviewed to make sure any changes made to one system do not adversely affect any of the other systems.
Configuration management is also used in software development, where it is called Unified Configuration Management (UCM). Using UCM, developers can keep track of the source code, documentation, problems, changes requested, and changes made.
Change management
In a computer system environment, change management refers to a systematic approach to keeping track of the details of the system (for example, what operating system release is running on each computer and which fixes have been applied).
NEW QUESTION 535
What is the primary role of smartcards in a PKI?
- A. Easy distribution of the certificates between the users
- B. Tamper resistant, mobile storage and application of private keys of the users
- C. Fast hardware encryption of the raw data
- D. Transparent renewal of user keys
Answer: B
Explanation:
Reference: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 2001, McGraw-Hill/Osborne, page 139; SNYDER, J., What is a SMART CARD?
Wikipedia has a nice definition at: http://en.wikipedia.org/wiki/Tamper_resistance (section "Security"):
Tamper-resistant microprocessors are used to store and process private or sensitive information, such as private keys or electronic money credit. To prevent an attacker from retrieving or modifying the information, the chips are designed so that the information is not accessible through external means and can be accessed only by the embedded software, which should contain the appropriate security measures.
Examples of tamper-resistant chips include all secure cryptoprocessors, such as the IBM 4758 and chips used in smartcards, as well as the Clipper chip.
It has been argued that it is very difficult to make simple electronic devices secure against tampering, because numerous attacks are possible, including:
* physical attack of various forms (microprobing, drills, files, solvents, etc.)
* freezing the device
* applying out-of-spec voltages or power surges
* applying unusual clock signals
* inducing software errors using radiation
* measuring the precise time and power requirements of certain operations (see power analysis)
Tamper-resistant chips may be designed to zeroise their sensitive data (especially cryptographic keys) if they detect penetration of their security encapsulation or out-of-specification environmental parameters. A chip may even be rated for "cold zeroisation", the ability to zeroise itself even after its power supply has been crippled.
Nevertheless, the fact that an attacker may have the device in his possession for as long as he likes, and perhaps obtain numerous other samples for testing and practice, means that it is practically impossible to totally eliminate tampering by a sufficiently motivated opponent. Because of this, one of the most important elements in protecting a system is overall system design. In particular, tamper-resistant systems should "fail gracefully" by ensuring that compromise of one device does not compromise the entire system. In this manner, the attacker can be practically restricted to attacks that cost less than the expected return from compromising a single device (plus, perhaps, a little more for kudos).
Since the most sophisticated attacks have been estimated to cost several hundred thousand dollars to carry out, carefully designed systems may be invulnerable in practice.
NEW QUESTION 536
Simple Key Management for Internet Protocols (SKIP) is similar to Secure Sockets Layer (SSL), except that it requires no prior communication in order to establish or exchange keys on a:
- A. Remote Server basis
- B. response-by-session basis
- C. Secure Private keyring basis
- D. session-by-session basis
Answer: D
Explanation:
Reference: pg 117 Krutz: CISSP Prep Guide: Gold Edition
NEW QUESTION 537
Which of the following would be the best reason for separating the test and development environments?
- A. To restrict access to systems under test.
- B. To segregate user and development staff.
- C. To secure access to systems under development.
- D. To control the stability of the test environment.
Answer: D
Explanation:
The test environment must be controlled and stable in order to ensure that development projects are tested in a realistic environment which, as far as possible, mirrors the live environment.
Reference(s) used for this question:
Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 309).
NEW QUESTION 538
Which choice below is NOT an accurate description or element of remote sensing technology?
- A. Photographic, radar, infrared, or multi-spectral imagery from landbased tracking stations
- B. Photographic, radar, infrared, or multi-spectral imagery from geostationary or orbiting satellites
- C. RS intelligence may be integrated into geographic information systems (GIS) to produce map-based products
- D. Photographic, radar, infrared, or multi-spectral imagery from manned or unmanned aircraft
Answer: A
Explanation:
Remote sensing is the acquisition of information via aerial or satellite sensors. The most critical category of information to capture immediately following a disaster is accurate and timely intelligence about the scope, extent, and impact of the event. Intelligent and effective decisions hinge on the credible characterization of the situation. If the disaster is extensive enough, it may cause serious damage to the telephone or wireless infrastructure, and ground communications may be unusable to accurately assess the situation. Remote sensing systems can provide a highly effective alternative means of gathering intelligence about the event.
*Answer "Photographic, radar, infrared, or multi-spectral imagery from manned or unmanned aircraft" describes remote sensing using aerial-derived information.
*Answer "Photographic, radar, infrared, or multi-spectral imagery from geostationary or orbiting satellites" describes satellite-derived remote sensing.
*Answer "RS intelligence may be integrated into geographic information systems (GIS) to produce map-based products" describes a common use of the remote sensing data.
Source: Remote Sensing in Federal Disaster Areas, Standard Operating Procedures, FEMA 9321.1-PR, June 1999
NEW QUESTION 539
What is RAD?
- A. A project management technique
- B. A measure of system complexity
- C. A development methodology
- D. Risk-assessment diagramming
Answer: C
Explanation:
RAD stands for Rapid Application Development.
RAD is a methodology that enables organizations to develop strategically important systems faster while reducing development costs and maintaining quality.
RAD is a programming system that enables programmers to quickly build working programs. In general, RAD systems provide a number of tools to help build graphical user interfaces that would normally take a large development effort.
Two of the most popular RAD systems for Windows are Visual Basic and Delphi. Historically, RAD systems have tended to emphasize reducing development time, sometimes at the expense of generating inefficient executable code. Nowadays, though, many RAD systems produce fast, optimized code.
Conversely, many traditional programming environments now come with a number of visual tools to aid development. Therefore, the line between RAD systems and other development environments has become blurred.
Reference:
Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 307)
http://www.webopedia.com
NEW QUESTION 540
Which one the following is the primary goal of Business Continuity Planning?
- A. Sustain the organization.
- B. Recover from a major data center outage.
- C. Test the ability to prevent major outages.
- D. Satisfy audit requirements.
Answer: A
Explanation:
Simply put, business continuity plans are created to prevent interruptions to normal business activity. -Ronald Krutz The CISSP PREP Guide (gold edition) pg 378
NEW QUESTION 541
Which of the following models does NOT include data integrity or conflict of interest?
- A. Brewer-Nash
- B. Bell-LaPadula
- C. Clark-Wilson
- D. Biba
Answer: B
Explanation:
In the 1970s, the U.S. military used time-sharing mainframe systems and was concerned about the security of these systems and leakage of classified information. The Bell-LaPadula model was developed to address these concerns. It was the first mathematical model of a multilevel security policy used to define the concept of a secure state machine and modes of access, and outlined rules of access.
An important thing to note is that the Bell-LaPadula model was developed to make sure secrets stay secret; thus, it provides and addresses confidentiality only. This model does not address the integrity of the data the system maintains-only who can and cannot access the data and what operations can be carried out.
Incorrect Answers:
A: The Brewer and Nash model deals with conflict of interest. In this model, no information can flow between the subjects and objects in a way that would create a conflict of interest.
C: The Clark-Wilson model deals with data integrity.
D: The Biba model deals with data integrity.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 370
NEW QUESTION 542
Which of the following is true of Service Organization Control (SOC) reports?
- A. SOC 2 Type 2 reports assess internal controls for financial reporting
- B. SOC 2 Type 2 reports include information of interest to the service organization's management
- C. SOC 1 Type 2 reports assess the security, confidentiality, integrity, and availability of an organization's controls
- D. SOC 3 Type 2 reports assess internal controls for financial reporting
Answer: B
NEW QUESTION 543
This is a common security issue that is extremely hard to control in large environments. It occurs when a user has more computer rights, permissions, and access than what is required for the tasks the user needs to fulfill. What BEST describes this scenario?
- A. Excessive Permissions
- B. Excessive Rights
- C. Excessive Privileges
- D. Excessive Access
Answer: C
Explanation:
Privilege is a term used to describe what a user can do on a computer or system. It covers rights, access and permissions. A user who has more computer rights, permissions, and access than what is required for the tasks the user needs to fulfill is said to have 'excessive privileges'.
Incorrect Answers:
A: Permissions are just one aspect of what a user can do with a computer or system. Access and rights are other aspects. Privileges cover all three.
B: Rights are just one aspect of what a user can do with a computer or system. Access and permissions are other aspects. Privileges cover all three.
D: Access is just one aspect of what a user can do with a computer or system. Rights and permissions are other aspects. Privileges cover all three.
NEW QUESTION 544
Why is data classification control important to an organization?
- A. To ensure its integrity, confidentiality and availability
- B. To ensure security controls align with organizational risk appetite
- C. To control data retention in alignment with organizational policies and regulation
- D. To enable data discovery
Answer: A
NEW QUESTION 545
Crackers today are MOST often motivated by their desire to:
- A. Help the community in securing their networks.
- B. Gaining Money or Financial Gains.
- C. Seeing how far their skills will take them.
- D. Getting recognition for their actions.
Answer: B
Explanation:
A few years ago the best choice for this question would have been seeing how far their skills can take them. Today this has changed greatly: most crimes committed are financially motivated. Profit is the most widespread motive behind all cybercrimes and, indeed, most crimes; everyone wants to make money.
Hacking for money or for free services includes a smorgasbord of crimes such as embezzlement, corporate espionage and being a "hacker for hire". Scams are easier to undertake but the likelihood of success is much lower. Money-seekers come from any lifestyle, but those with persuasive skills make better con artists, in the same way as those who are exceptionally tech-savvy make better "hacks for hire".
"White hats" are the security specialists (as opposed to Black Hats) interested in helping the community in securing their networks. They will test systems and networks with the owner's authorization. A Black Hat is someone who uses his skills for offensive purposes. They do not seek authorization before they attempt to compromise the security mechanisms in place. "Grey Hats" are people who sometimes work as a White Hat and other times as a "Black Hat"; they have not made up their mind yet as to which side they prefer to be on.
The following are incorrect answers: All the other choices could be possible reasons, but the best one today is really financial gain.
References:
http://library.thinkquest.org/04oct/00460/crimeMotives.html
and http://www.informit.com/articles/article.aspx?p=1160835
http://www.aic.gov.au/documents/1/B/A/%7B1BA0F612-613A-494D-B6C5-06938FE8BB53%7Dhtcb006.pdf
NEW QUESTION 546
Kerberos provides an integrity check service for messages between two entities through the use of:
- A. A trusted, third-party authentication server
- B. Credentials
- C. Tickets
- D. A checksum
Answer: D
Explanation:
A checksum that is derived from a Kerberos message is used to verify the integrity of the message. This checksum may be a message digest resulting from the application of a hash function to the message. At the receiving end of the transmission, the receiving party can calculate the message digest of the received message using the identical hash algorithm as the sender. Then the message digest calculated by the receiver can be compared with the message digest appended to the message by the sender. If the two message digests match, the message has not been modified en route, and its integrity has been preserved.
The answers Credentials and Tickets are authenticators used in the process of granting user access to services on the network. Answer "A trusted, third-party authentication server" is the AS or authentication server that conducts the ticket-granting process.
NEW QUESTION 547
Mandatory access controls first appear in the Trusted Computer System Evaluation Criteria (TCSEC) at the rating of:
- A. D
- B. A
- C. C
- D. B
Answer: D
NEW QUESTION 548
A vehicle of a private courier company that transports backup data for offsite storage was robbed while in transit. The incident management team is now responsible for assessing the robbery. Which of the following would help the incident management team to MOST effectively analyze the business impact of the robbery?
- A. Log of the transported media and its detailed contents
- B. Log of the transported media and its classification marking
- C. Log of backup administrative actions
- D. Log of backed up data and their respective data custodians
Answer: B
NEW QUESTION 549
Asynchronous Communication transfers data by sending:
- A. bits of data sequentially
- B. bits of data sequentially in irregular timing patterns
- C. bits of data simultaneously
- D. bits of data in sync with a heartbeat or clock
Answer: B
Explanation:
Asynchronous Communication transfers data by sending bits of data in irregular timing patterns.
In asynchronous transmission each character is transmitted separately, that is, one character at a time. The character is preceded by a start bit, which tells the receiving end where the character coding begins, and is followed by a stop bit, which tells the receiver where the character coding ends. There will be intervals of idle time on the channel, shown as gaps. Thus there can be gaps between two adjacent characters in the asynchronous communication scheme. In this scheme, the bits within the character frame (including start, parity and stop bits) are sent at the baud rate.
The START BIT and STOP BIT, including gaps, allow the receiving and sending computers to synchronise the data transmission. Asynchronous communication is used when slow-speed peripherals communicate with the computer. The main disadvantage of asynchronous communication is slow transmission speed. Asynchronous communication, however, does not require the complex and costly hardware equipment that is required for synchronous transmission.
Asynchronous communication is transmission of data without the use of an external clock signal. Any timing required to recover data from the communication symbols is encoded within the symbols. The most significant aspect of asynchronous communications is variable bit rate, or that the transmitter and receiver clock generators do not have to be exactly synchronized.
The asynchronous communication technique is a physical layer transmission technique which is most widely used for personal computers providing connectivity to printers, modems, fax machines, etc.
An asynchronous link communicates data as a series of characters of fixed size and format. Each character is preceded by a start bit and followed by 1-2 stop bits.
Parity is often added to provide some limited protection against errors occurring on the link.
The use of independent transmit and receive clocks constrains transmission to relatively short characters (<8 bits) and moderate data rates (< 64 kbps, but typically lower).
The asynchronous transmitter delimits each character by a start sequence and a stop sequence. The start bit (0), data (usually 8 bits plus parity) and stop bit(s) (1) are transmitted using a shift register clocked at the nominal data rate.
When asynchronous transmission is used to support packet data links (e.g. IP), then special characters have to be used ("framing") to indicate the start and end of each frame transmitted.
One character (known as an escape character) is reserved to mark any occurrence of the special characters within the frame. In this way the receiver is able to identify which characters are part of the frame and which are part of the "framing".
Packet communication over asynchronous links is used by some users to get access to a network using a modem.
Most Wide Area Networks use synchronous links and a more sophisticated link protocol.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 100.
and http://en.wikipedia.org/wiki/Asynchronous_communication
and http://www.erg.abdn.ac.uk/users/gorry/course/phy-pages/async.html
and http://www.ligaturesoft.com/data_communications/async-data-transmission.html
NEW QUESTION 550
What is the three way handshake sequence used to initiate TCP connections?
- A. ACK, SYN/ACK, ACK
- B. SYN, SYN, ACK/ACK
- C. ACK, SYN/ACK, SYN
- D. SYN, SYN/ACK, ACK
Answer: D
Explanation:
The TCP three way handshake:
1. First, the client sends a SYN segment. This is a request to the server to synchronize the sequence numbers. It specifies its initial sequence number (ISN), which is incremented by 1, and that is sent to the server. To initialize a connection, the client and server must synchronize each other's sequence numbers.
2. Second, the server sends an ACK and a SYN in order to acknowledge the request of the client for synchronization. At the same time, the server is also sending its request to the client for synchronization of its sequence numbers. There is one major difference in this transmission from the first one. The server transmits an acknowledgement number to the client. The acknowledgement is just proof to the client that the ACK is specific to the SYN the client initiated. The process of acknowledging the client's request allows the server to increment the client's sequence number by one and use it as its acknowledgement number.
3. Third, the client sends an ACK in order to acknowledge the request from the server for synchronization. The client uses the same algorithm the server implemented in providing an acknowledgement number. The client's acknowledgment of the server's request for synchronization completes the process of establishing a reliable connection.
The following answers are incorrect:
All of the other choices were incorrect answers
The following reference(s) were/was used to create this question:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 5560-5573). Auerbach Publications. Kindle Edition.
NEW QUESTION 551
The default level of security established for access controls should be
- A. All access
- B. Update access
- C. Read access
- D. No access
Answer: D
Explanation:
"Need to Know and the Principle of Least Privilege are two standard axioms of high-security environments. A user must have a need-to-know to gain access to data or resources. Even if that user has an equal or greater security classification than the requested information, if they do not have a need-to-know, they are denied access. A need-to-know is the requirement to have access to, knowledge about, or possession of data or a resource to perform specific work tasks. The principle of least privilege is the notion that users should be granted the least amount of access to the secure environment as possible for them to be able to complete their work tasks." Pg 399 Tittel: CISSP Study Guide
NEW QUESTION 552
What is the effective key size of DES?
- A. 56 bits
- B. 64 bits
- C. 128 bits
- D. 1024 bits
Answer: A
Explanation:
DES makes use of a 64-bit key, of which 56 bits represents the true key, and the remaining 8 bits are used for parity.
Incorrect Answers:
B: DES does make use of a 64-bit key, but the effective key size is 56 bits.
C: International Data Encryption Algorithm (IDEA) uses a key that is 128 bits long.
D: RC5 supports variable-length keys ranging from 0 to 2040 bits.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, pp. 800, 809, 810
NEW QUESTION 553
Which of the following uses protection profiles and security targets?
- A. CTCPEC
- B. ITSEC
- C. International Standard 15408
- D. TCSEC
Answer: C
Explanation:
"For historical and continuity purposes, ISO has accepted the continued use of the term "Common Criteria" (CC) within this document, while recognizing the official ISO name for the new IS 15408 is "Evaluation Criteria for Information Technology Security." Pg. 552 Krutz: The CISSP Prep Guide: Gold Edition
"The Common Criteria define a Protection Profile (PP), which is an implementation-independent specification of the security requirements and protections of a product that could be built. The Common Criteria terminology for the degree of examination of the product to be tested is the Evaluation Assurance Level (EAL). EALs range from EA1 (functional testing) to EA7 (detailed testing and formal design verification). The Common Criteria TOE refers to the product to be tested. A Security Target (ST) is a listing of the security claims for a particular IT security product. Also, the Common Criteria describe an intermediate grouping of security requirement components as a package." Pg. 266-267 Krutz: The CISSP Prep Guide: Gold Edition