あなたを合格させる試験には100%確認済みCISSP試験問題 [Q883-Q903]

Share

あなたを合格させる試験には100%確認済みCISSP試験問題

CISSP問題集PDFでCISSPリアル試験問題解答


ISC CISSP(Certified Information Systems Security Professional)認定試験は、情報セキュリティ専門家のためのグローバルに認められた認定です。この認定は、リスク管理、セキュリティ分析、セキュリティアーキテクチャなどセキュリティ分野における専門家のスキルと知識を検証することを目的としています。この認定は、国際情報システムセキュリティ認定コンソーシアム(ISC)によって提供され、サイバーセキュリティ分野で最も権威ある認定の1つと考えられています。

 

質問 # 883
Which of the following is the most costly countermeasure to reducing physical security risks?

  • A. Electronic Systems
  • B. Procedural Controls
  • C. Hardware Devices
  • D. Security Guards

正解:D

解説:
Explanation/Reference:
Explanation:
One drawback of security guards is that the cost of maintaining a guard function either internally or through an external service is expensive.
With common physical security risk countermeasures such as door entry control systems or perimeter fencing, there is typically a one-off cost when the countermeasure is implemented. With security guards, you have the ongoing cost of paying the salary of the security guard.
Incorrect Answers:
A: Procedural controls consist of approved written policies, procedures, standards and guidelines. The cost of implement procedural controls is not more costly than the ongoing costs associated with security guards. Therefore, this answer is incorrect.
B: Hardware Devices typically have a one-off cost when they are implemented and they may have a small cost for maintenance. However, this cost not more costly than the ongoing costs associated with security guards. Therefore, this answer is incorrect.
C: Electronic Systems typically have a one-off cost when they are implemented and they may have a small cost for maintenance. However, this cost not more than the ongoing costs associated with security guards.
Therefore, this answer is incorrect.
References:
Krutz, Ronald L. and Russell Dean Vines, The CISSP and CAP Prep Guide: Mastering CISSP and CAP, Wiley Publishing, Indianapolis, 2007, p. 535


質問 # 884
Mandatory Access Controls (MAC) are based on:

  • A. user roles and data encryption
  • B. security classification and security clearance
  • C. data labels and user access permissions
  • D. data segmentation and data classification

正解:B

解説:
Section: Security Architecture and Engineering


質問 # 885
Which of the following provides the MOST protection against data theft of sensitive information when a laptop is stolen?

  • A. Encrypt the virtual drive where confidential files can be stored
  • B. Implement a mandatory policy in which sensitive data cannot be stored on laptops, but only on the corporate network
  • C. Encrypt the entire disk and delete contents after a set number of failed access attempts
  • D. Set up a BIOS and operating system password

正解:C


質問 # 886
In supervisory control and data acquisition (SCADA) systems, which of the following controls can be used to reduce device exposure to malware?

  • A. Disable Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) port 138 and
    139 on the SCADA device.
  • B. Disallow untested code in the execution space of the SCADA device.
  • C. Disable all command line interfaces.
  • D. Prohibit the use of unsecure scripting languages.

正解:B

解説:
They are a critical tool to keep untested or untrusted code from affecting processes, and in limiting the spread of malware and exploits targeting known and unknown vulnerabilities.


質問 # 887
Which of the following is NOT a known type of Message Authentication Code (MAC)?

  • A. Keyed-hash message authentication code (HMAC)
  • B. Signature-based MAC (SMAC)
  • C. Universal Hashing Based MAC (UMAC)
  • D. DES-CBC

正解:B

解説:
There is no such thing as a Signature-Based MAC. Being the wrong choice in the list, it is the best answer to this question.
WHAT IS A Message Authentication Code (MAC)? In Cryptography, a MAC (Message Authentication Code) also known as a cryptographic checksum, is a small block of data that is generated using a secret key and then appended to the
message. When the message is received, the recipient can generate their own MAC using the
secret key, and thereby know that the message has not changed either accidentally or
intentionally in transit. Of course, this assurance is only as strong as the trust that the two parties
have that no one else has access to the secret key.
A MAC is a small representation of a message and has the following characteristics:
A MAC is much smaller than the message generating it.
Given a MAC, it is impractical to compute the message that generated it.
Given a MAC and the message that generated it, it is impractical to find another message
generating the same MAC.
See the graphic below from Wikipedia showing the creation of a MAC value:

Message Authentication Code MAC HMAC
In the example above, the sender of a message runs it through a MAC algorithm to produce a MAC data tag. The message and the MAC tag are then sent to the receiver. The receiver in turn runs the message portion of the transmission through the same MAC algorithm using the same key, producing a second MAC data tag. The receiver then compares the first MAC tag received in the transmission to the second generated MAC tag. If they are identical, the receiver can safely assume that the integrity of the message was not compromised, and the message was not altered or tampered with during transmission.
However, to allow the receiver to be able to detect replay attacks, the message itself must contain data that assures that this same message can only be sent once (e.g. time stamp, sequence
number or use of a one-time MAC). Otherwise an attacker could - without even understanding its
content - record this message and play it back at a later time, producing the same result as the
original sender.
NOTE: There are many ways of producing a MAC value. Below you have a short list of some
implementation.
The following were incorrect answers for this question:
They were all incorrect answers because they are all real type of MAC implementation.
In the case of DES-CBC, a MAC is generated using the DES algorithm in CBC mode, and the
secret DES key is shared by the sender and the receiver. The MAC is actually just the last block of
ciphertext generated by the algorithm. This block of data (64 bits) is attached to the unencrypted
message and transmitted to the far end. All previous blocks of encrypted data are discarded to
prevent any attack on the MAC itself. The receiver can just generate his own MAC using the
secret DES key he shares to ensure message integrity and authentication. He knows that the
message has not changed because the chaining function of CBC would significantly alter the last
block of data if any bit had changed anywhere in the message. He knows the source of the
message (authentication) because only one other person holds the secret key.
A Keyed-hash message authentication code (HMAC) is a specific construction for calculating a
message authentication code (MAC) involving a cryptographic hash function in combination with a
secret cryptographic key. As with any MAC, it may be used to simultaneously verify both the data
integrity and the authentication of a message. Any cryptographic hash function, such as MD5,
SHA-1, may be used in the calculation of an HMAC; the resulting MAC algorithm is termed HMAC-
MD5 or HMAC-SHA1 accordingly. The cryptographic strength of the HMAC depends upon the
cryptographic strength of the underlying hash function, the size of its hash output, and on the size
and quality of the key.
A message authentication code based on universal hashing, or UMAC, is a type of message
authentication code (MAC) calculated choosing a hash function from a class of hash functions
according to some secret (random) process and applying it to the message. The resulting digest or
fingerprint is then encrypted to hide the identity of the hash function used. As with any MAC, it may
be used to simultaneously verify both the data integrity and the authenticity of a message. UMAC
is specified in RFC 4418, it has provable cryptographic strength and is usually a lot less
computationally intensive than other MACs.
What is the MicMac (confusion) with MIC and MAC?
The term message integrity code (MIC) is frequently substituted for the term MAC, especially in
communications, where the acronym MAC traditionally stands for Media Access Control when
referring to Networking. However, some authors use MIC as a distinctly different term from a MAC;
in their usage of the term the MIC operation does not use secret keys. This lack of security means that any MIC intended for use gauging message integrity should be encrypted or otherwise be protected against tampering. MIC algorithms are created such that a given message will always produce the same MIC assuming the same algorithm is used to generate both. Conversely, MAC algorithms are designed to produce matching MACs only if the same message, secret key and initialization vector are input to the same algorithm. MICs do not use secret keys and, when taken on their own, are therefore a much less reliable gauge of message integrity than MACs. Because MACs use secret keys, they do not necessarily need to be encrypted to provide the same level of assurance.
Reference(s) used for this question: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 15799-15815). Auerbach Publications. Kindle Edition. and http://en.wikipedia.org/wiki/Message_authentication_code and http://tools.ietf.org/html/rfc4418


質問 # 888
Wireless users are reporting intermittent Internet connectivity. Connectivity is restored when the users disconnect and reconnect, utilizing the web authentication process each time.
The network administrator can see the devices connected to the APs at all times. Which of the following steps will MOST likely determine the cause of the issue?

  • A. Verify the session time-out configuration on the captive portal settings
  • B. Investigate for a client's disassociation caused by an evil twin AP
  • C. Confirm that a valid passphrase is being used during the web authentication.
  • D. Check for encryption protocol mismatch on the client's wireless settings.

正解:A

解説:
The most likely step to determine the cause of the issue is to verify the session time-out configuration on the captive portal settings. A captive portal is a web page that requires the user to authenticate or accept some terms of service before accessing the Internet through a wireless network. A session time-out is a parameter that defines how long the user can stay connected to the network without re-authenticating or re-accepting the terms of service. If the session time-out is set too low, the user may experience intermittent Internet connectivity, as they will have to disconnect and reconnect frequently, using the web authentication process each time. The network administrator can check the session time-out configuration on the captive portal settings and adjust it accordingly to prevent or reduce the issue. The other options are less likely to determine the cause of the issue, as they either do not relate to the web authentication process, do not explain the intermittent connectivity, or do not match the network administrator's observation. References: CISSP - Certified Information Systems Security Professional, Domain 4. Communication and Network Security, 4.1 Implement secure design principles in network architectures, 4.1.3 Secure network components, 4.1.3.1 Wireless access points; CISSP Exam Outline, Domain 4. Communication and Network Security, 4.1 Implement secure design principles in network architectures, 4.1.3 Secure network components, 4.1.3.1 Wireless access points


質問 # 889
What process is used to accomplish high-speed data transfer between a
peripheral device and computer memory, bypassing the Central Processing
Unit (CPU)?

  • A. Transfer under program control
  • B. Interrupt processing
  • C. Direct access control
  • D. Direct memory access

正解:D

解説:
With DMA, a DMAcontroller essentially takes control of the memory busses and manages the data transfer directly. Answer interrupt processing involves an external signal interrupting the normal CPU program flow. This interrupt causes the CPU to halt processing and jump to another program that services the interrupt. When the interrupt has been serviced, the CPU returns to continue executing the original program. Program control transfer, answer c, is accomplished by the processor executing input/output (I/O) instructions. Answer Direct access control is a distracter.


質問 # 890
Which of the following floors would be most appropriate to locate information processing facilities in a 6-stories building?

  • A. Basement
  • B. Sixth floor
  • C. Ground floor
  • D. Third floor

正解:D


質問 # 891
Which of the BEST internationally recognized standard for evaluating security products and systems?

  • A. Health Insurance Portability and Accountability Act (HIPAA)
  • B. Common Criteria (CC)
  • C. Payment Card Industry Data Security Standards (PCI-DSS)
  • D. Sarbanes-Oxley (SOX)

正解:B

解説:
The best internationally recognized standard for evaluating security products and systems is Common Criteria (CC), which is a framework or a methodology that defines and describes the criteria or the guidelines for the evaluation or the assessment of the security functionality and the security assurance of information technology (IT) products and systems, such as hardware, software, firmware, or network devices. Common Criteria (CC) can provide some benefits for security, such as enhancing the confidence and the trust in the security products and systems, preventing or mitigating some types of attacks or vulnerabilities, and supporting the audit and the compliance activities. Common Criteria (CC) can involve various elements and roles, such as:
* Protection Profile (PP), which is a document or a specification that defines and describes the security requirements or the objectives for a class or a category of security products or systems, such as firewalls, routers, or operating systems, and that is created or published by the consumers or the users of the security products or systems, such as the customers, the organizations, or the governments.
* Security Target (ST), which is a document or a specification that defines and describes the security functionality and the security assurance of a specific security product or system, and that is created or published by the vendors or the developers of the security product or system, such as the manufacturers, the suppliers, or the companies.
* Evaluation Assurance Level (EAL), which is a measure or an indicator of the level or the degree of the security assurance of a security product or system, based on the scope and the rigor of the evaluation or the assessment process, and that ranges from EAL1 (the lowest) to EAL7 (the highest), with each level having a predefined or a standard set of assurance components or requirements, such as the functional testing, the vulnerability analysis, or the design documentation.
* Evaluation, which is the process or the activity of testing or verifying the security functionality and the security assurance of a security product or system, according to the criteria or the guidelines of the Common Criteria (CC), and that is performed or conducted by an independent or a certified evaluation facility or laboratory, such as the National Information Assurance Partnership (NIAP) or the National Voluntary Laboratory Accreditation Program (NVLAP).
* Certification, which is the process or the activity of validating or confirming the results or the outcomes of the evaluation of a security product or system, according to the criteria or the guidelines of the Common Criteria (CC), and that is performed or conducted by an independent or a certified certification body or authority, such as the Common Criteria Recognition Arrangement (CCRA) or the National Information Assurance Partnership (NIAP).
Payment Card Industry Data Security Standard (PCI-DSS), Health Insurance Portability and Accountability Act (HIPAA), and Sarbanes-Oxley (SOX) are not internationally recognized standards for evaluating security products and systems, although they may be related or relevant regulations or frameworks for security.
Payment Card Industry Data Security Standard (PCI-DSS) is a regulation or a framework that defines and describes the security requirements or the objectives for the protection and the management of the cardholder data or the payment card information, such as the credit card number, the expiration date, or the card verification value, and that applies to the entities or the organizations that are involved or engaged in the processing, the storage, or the transmission of the cardholder data or the payment card information, such as the merchants, the service providers, or the acquirers. Health Insurance Portability and Accountability Act (HIPAA) is a regulation or a framework that defines and describes the security requirements or the objectives for the protection and the management of the protected health information (PHI) or the personal health information, such as the medical records, the diagnosis, or the treatment, and that applies to the entities or the organizations that are involved or engaged in the provision, the payment, or the operation of the health care services or the health care plans, such as the health care providers, the health care clearinghouses, or the health plans. Sarbanes-Oxley (SOX) is a regulation or a framework that defines and describes the security requirements or the objectives for the protection and the management of the financial information or the financial reports, such as the income statement, the balance sheet, or the cash flow statement, and that applies to the entities or the organizations


質問 # 892
Which of the following is primarily responsible for deciding the classification of data in an organization?

  • A. Device manager
  • B. Database Administrator (DBA)
  • C. Data custodian
  • D. Data owner

正解:D


質問 # 893
An organization has been collecting a large amount of redundant and unusable data and filling up the storage area network (SAN). Management has requested the identification of a solution that will address ongoing storage problems. Which is the BEST technical solution?

  • A. Deduplication
  • B. Compression
  • C. Caching
  • D. Replication

正解:B


質問 # 894
Which of the following management process allows those services required for users to accomplish their tasks, change default user passwords, and set servers to retrieve antivirus updates?

  • A. Identity
  • B. Configuration
  • C. Patch
  • D. Compliance

正解:B


質問 # 895
In the days before CIDR (Classless Internet Domain Routing), networks were commonly organized by classes. Which of the following would have been true of a Class A network?

  • A. The first bit of the IP address would be set to one and the second bit set to zero.
  • B. The first three bits of the IP address would be set to one.
  • C. The first bit of the IP address would be set to zero.
  • D. The first two bits of the IP address would be set to one, and the third bit set to zero.

正解:C

解説:
Explanation/Reference:
Explanation:
Class A contains all addresses in which the most significant bit is zero. The address range of Class A is
0.0.0.0 - 127.255.255.255.
Incorrect Answers:
B: Class A contains only one single fixed bit, not two.
C: Class A contains only one single fixed bit, not three.
D: Class A contains only one single fixed bit, not three.
References:
https://en.wikipedia.org/wiki/Classful_network


質問 # 896
Which of the following is TRUE regarding Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)?

  • A. TCP is connection-oriented, UDP is not.
  • B. UDP provides for Error Correction, TCP does not.
  • C. UDP is useful for longer messages, rather than TCP.
  • D. TCP does not guarantee delivery of data, while UDP does guarantee data delivery.

正解:A

解説:
TCP is a reliable connection-oriented transport for guaranteed delivery of data.
Protocols represent certain rules and regulations that are essential in order to have data
communication between two entities. Internet Protocols work in sending and receiving data
packets. This type of communication may be either connection-less or connection-oriented.
In a connection-oriented scenario, an acknowledgement is being received by the sender from the
receiver in support of a perfect transfer. Transmission Control Protocol or TCP is such a protocol.
On the other hand, UDP or User Datagram Protocol is of the connection-less type where no
feedback is being forwarded to the sender after delivery and the data transfer have taken place or
not. Though, it's not a guaranteed method, but, once a connection is established, UDP works
much faster than TCP as TCP has to rely on a feedback and accordingly, the entire 3-way
handshaking takes place.
The following answers are incorrect:
UDP provides for Error Correction, TCP does not: UDP does not provide for error correction, while
TCP does.
UDP is useful for longer messages, rather than TCP: UDP is useful for shorter messages due to
its connectionless nature.
TCP does not guarantee delivery of data, while UDP does guarantee data delivery: The opposite
is true.
References Used for this question:
http://www.cyberciti.biz/faq/key-differences-between-tcp-and-udp-protocols/
http://www.skullbox.net/tcpudp.php
James's TCP-IP FAQ - Understanding Port Numbers.


質問 # 897
Which application type is considered high risk and provides a common way for malware and viruses to enter a network?

  • A. Instant messaging or chat applications
  • B. End-to-end applications
  • C. E-mail applications
  • D. Peer-to-Peer (P2P) file sharing applications

正解:D

解説:
The application type that is considered high risk and that provides a common way for malware and viruses to enter a network is peer-to-peer (P2P) file sharing applications. An application is a type of software or program that can be installed or run on a system or a network, and that can provide various functions or features for the user or the customer, such as communication, entertainment, or productivity. An application can also pose a security risk, as it can introduce or expose various threats or attacks to the system or the network, such as malware or viruses. Malware is a type of malicious or harmful software or code that can be installed or executed on a system or a network, and that can perform various actions or tasks that can cause harm or damage to the system or the network, or to the user or the customer, such as stealing, deleting, or encrypting the data or the information. A virus is a type of malware that can replicate or copy itself, and that can infect or spread to other systems or networks, or to other files or programs, using various methods, such as e-mail, USB, or network.


質問 # 898
Refer to the information below to answer the question.
In a Multilevel Security (MLS) system, the following sensitivity labels are used in increasing levels of sensitivity: restricted, confidential, secret, top secret. Table A lists the clearance levels for four users, while Table B lists the security classes of four different files.

Which of the following is true according to the star property (*property)?

  • A. User B can write to File 1
  • B. User C can write to File 1
  • C. User A can write to File 1
  • D. User D can write to File 1

正解:C


質問 # 899
Which of the following problems is not addressed by using OAuth (Open Standard to
Authorization) 2.0 to integrate a third-party identity provider for a service?

  • A. Guest users need to authenticate with the third party identity provider.
  • B. Revocation of access of some users of the third party instead of all the users from the third party.
  • C. Resource Servers are required to use passwords to authenticate end users.
  • D. Compromise of the third party means compromise of all the users in the service.

正解:D


質問 # 900
A business continuity plan should list and prioritize the services that need to be brought back after a disaster strikes. Which of the following services is more likely to be of primary concern in the context of what your Disaster Recovery Plan would include?

  • A. IS Operations
  • B. Data/Telecomm/IS facilities
  • C. Facilities security
  • D. Marketing/Public relations

正解:B

解説:
The main concern when recovering after a disaster is data, telecomm and IS
facilities. Other services, in descending priority order are: IS operations, IS support services,
market structure, marketing/public relations, customer service & systems support, market
regulation/surveillance, listing, application development, accounting services, facilities, human
resources, facilities security, legal and Office of the Secretary, national sales.
Source: BARNES, James C. & ROTHSTEIN, Philip J., A Guide to Business Continuity Planning,
John Wiley & Sons, 2001 (page 129).


質問 # 901
Which of the following protocols is designed to send individual messages securely?

  • A. Secure HTTP (S-HTTP).
  • B. Secure Sockets Layer (SSL).
  • C. Secure Electronic Transaction (SET).
  • D. Kerberos

正解:A

解説:
Explanation/Reference:
Explanation:
S-HTTP provides protection for each message sent between two computers, but not the actual link.
Incorrect Answers:
A: Kerberos is a network authentication protocol. It is not used to secure messages.
B: SET is designed to provide secure credit card transactions, not to provide secure transfer of messages.
C: HTTPS protects the communication channel, not each individual message separately. HTTPS is HTTP that uses SSL for security purposes.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 873


質問 # 902
Authentication in which a random value is presented to a user, who
then returns a calculated number based on that random value is called:

  • A. Man-in-the-middle
  • B. Personal identification number (PIN) protocol
  • C. Challenge-response
  • D. One-time password

正解:C

解説:
In challenge-response authentication, the user enters a random value
(challenge) sent by the authentication server into a token device. The
token device shares knowledge of a cryptographic secret key with the
authentication server and calculates a response based on the challenge
value and the secret key. This response is entered into the authentication server, which uses the response to authenticate the identity of the user by performing the same calculation and comparing results.
Answer "man-in-the-middle" is a type of attack in which a cracker is
interposed between the user and authentication server and attempts to
gain access to packets for replay in order to impersonate a valid user.
A "one-time password" is a password that is used only once to gain
access to a network or computer system. A typical implementation is
through the use of a token that generates a number based on the time of day. The user reads this number and enters it into the authenticating device. The authenticating device calculates the same number based on the time of day and uses the same algorithm used by the token. If the
token's number matches that of the authentication server, the identity of the user is validated. Obviously, the token and the authentication server must be time-synchronized for this approach to work. Also, there is allowance for small values of time skew between the authorization device and the token. Answer d refers to a PIN number that is something you know used with something you have, such as an ATM card.


質問 # 903
......

CISSP問題集100合保証には最新のサンプル:https://jp.fast2test.com/CISSP-premium-file.html

準備CISSP問題解答無料更新には100%試験合格保証 [2025年更新]:https://drive.google.com/open?id=16GSr3L8gT64DNlRmunUEbgWMaaQAhnXp


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어