合格できるISC CISSPのPDF問題集!最近更新された990問あります [Q375-Q394]

Share

合格できるISC CISSPのPDF問題集!最近更新された990問あります

更新されたテストエンジンCISSP練習問題集と練習試験合格させます

質問 375
Which of the following uses a directed graph to specify the rights that a subject can transfer to an object, or that a subject can take from another subject?

  • A. Biba model
  • B. Bell-Lapadula model
  • C. Access Matrix model
  • D. Take-Grant model

正解: D

解説:
The Take-Grant System is a model that helps in determining the protection rights (e.g., read or write) in a computer system. The Take-Grant system was introduced by
Jones, Lipton, and Snyder to show that it is possible to decide on the safety of a computer system even when the number of subjects and objects are very large, or unbound. This can be accomplished in linear time based on the initial size of the system. The take-grant system models a protection system which consists of a set of states and state transitions. A directed graph shows the connections between the nodes of this system. These nodes are representative of the subjects or objects of the model. The directed edges between the nodes represent the rights that one node has over the linked node.

 

質問 376
What access control scheme uses fine-grained rules to specify the conditions under which access to each data item or applications is granted?

  • A. Role Based Access Control (RBAC)
  • B. Mandatory Access Control (MAC)
  • C. Attribute Based Access Control (ABAC)
  • D. Discretionary Access Control (DAC)

正解: C

解説:
https://en.wikipedia.org/wiki/Attribute-based_access_control

 

質問 377
Which of the following is the best example of need-to-know?

  • A. Two operators are required to work together to perform a task.
  • B. An operator cannot generate and verify transactions alone.
  • C. The operators' duties are frequently rotated.
  • D. An operator does not know more about the system than the minimum required to do the job.

正解: D

解説:
The correct answer is "An operator does not know more about the system than the minimum required to do the job". Need-to-know means the operators are working in an environment that limits their knowledge of the system, applications, or data to the minimum elements that they require to perform their job.
*Answer "Two operators are required to work together to perform a task" is dual-control
*"The operators' duties are frequently rotated" is job rotation
*answer "An operator cannot generate and verify transactions alone" is separation of duties.

 

質問 378
Which of the following statements is TRUE about data encryption as a method of protecting data?

  • A. It makes few demands on system resources
  • B. It requires careful key management
  • C. It should sometimes be used for password files
  • D. It is usually easily administered

正解: B

解説:
Explanation/Reference:
Explanation:
The main challenge brought by improved security is that introducing encryption software also introduces management complexity, and in particular this means dealing with encryption keys.
An encryption key applies a set of complex algorithms to data and translates it into streams of seemingly random alphanumeric characters. There are two main types - private key (or symmetric) encryption and public key (or asymmetric) encryption.
In symmetric encryption, all users have access to one private key, which is used to encrypt and decrypt data held in storage media such as backup tapes and disk drives. Although considered generally secure, the downside is that there is only one key, which has to be shared with others to perform its function.
Asymmetric encryption comprises two elements: a public key to encrypt data and a private key to decrypt data. The public key is used by the owner to encrypt information and can be given to third parties running a compatible application to enable them to send encrypted messages back.
Managing encryption keys effectively is vital. Unless the creation, secure storage, handling and deletion of encryption keys is carefully monitored, unauthorized parties can gain access to them and render them worthless. And if a key is lost, the data it protects becomes impossible to retrieve.
Incorrect Answers:
A: Data encryption should not 'sometimes' be used for password files; it should always be used.
B: It is not true that data encryption is usually easily administered; it is complicated.
C: It is not true that data encryption makes few demands on system resources; encrypting data requires significant processing power.
References:
http://www.computerweekly.com/feature/Encryption-key-management-is-vital-to-securing-enterprise-data- storage

 

質問 379
Due to system constraints, a group of system administrators must share a high-level access set of credentials.
Which of the following would be MOST appropriate to implement?

  • A. Increased console lockout times for failed logon attempts
  • B. A credential check-out process for a per-use basis
  • C. Full logging on affected systems
  • D. Reduce the group in size

正解: B

解説:
Section: Security Operations

 

質問 380
Your co-worker is studying for the CISSP exam and has come to you with a question. What is ARP poisoning?

  • A. Flooding of a switched network
  • B. A denial of service that uses the DNS death ping
  • C. Modifying a DNS record
  • D. Inserting a bogus IP and MAC address in the ARP table
  • E. Turning of IP to MAC resolution

正解: D

解説:
ARP poisoning is a masquerading attack where the attacker inserts a bogus
IP and MAC address in a victims ARP table or into the table of a switch. This has the effect of redirecting traffic to the attacker and not to the intended computer.

 

質問 381
In which phase of the System Development Lifecycle (SDLC) is Security Accreditation
Obtained?

  • A. Testing and evaluation control
  • B. Functional Requirements Phase
  • C. Acceptance Phase
  • D. Postinstallation Phase

正解: A

解説:
A project management tool that can be used to plan, execute, and control a software development project is the systems development life cycle (SDLC). The SDLC is a process that includes systems analysts, software engineers, programmers, and end users in the project design and development.
Because there is no industry-wide SDLC, an organization can use any one, or a combination of SDLC methods.
The SDLC simply provides a framework for the phases of a software development project from defining the functional requirements to implementation. Regardless of the method used, the SDLC outlines the essential phases, which can be shown together or as separate elements.
The model chosen should be based on the project. For example, some models work better with long-term, complex projects, while others are more suited for short-term projects. The key element is that a formalized SDLC is utilized.
The number of phases can range from three basic phases (concept, design, and implement) on up.
The basic phases of SDLC are:
Project initiation and planning
Functional requirements definition
System design specifications
Development and implementation
Documentation and common program controls
Testing and evaluation control, (certification and accreditation)
Transition to production (implementation)
The system life cycle (SLC) extends beyond the SDLC to include two additional phases:
Operations and maintenance support (post-installation)
Revisions and system replacement
The following answers are incorrect:
Functional Requirements Phase
Acceptance Phase
Postinstallation Phase
The following reference(s) were/was used to create this question:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third
Edition ((ISC)2 Press) (Kindle Locations 11790-11809). Auerbach Publications. Kindle
Edition.

 

質問 382
Which of the following is the key requirement for test results when implementing forensic procedures?

  • A. The test results must be reproducible.
  • B. The test result must be authorized.
  • C. The test results must be cost-effective.
  • D. The test results must be quantifiable.

正解: B

 

質問 383
Memory management in TCSEC levels B3 and A1 operating systems may utilize "data hiding". What does this mean?

  • A. System functions are layered, and none of the functions in a given layer can access data outside that layer.
  • B. Only security processes are allowed to write to ring zero memory.
  • C. It is a form of strong encryption cipher.
  • D. Auditing processes and their memory addresses cannot be accessed by user processes.

正解: A

解説:
Data Hiding is protecting data so that it is only available to higher levels this is done
and is also performed by layering, when the software in each layer maintains its own global data
and does not directly reference data outside its layers.
The following answers are incorrect:
Auditing processes and their memory addresses cannot be accessed by user processes. Is
incorrect because this does not offer data hiding.
Only security processes are allowed to write to ring zero memory. This is incorrect, the security
kernel would be responsible for this.
It is a form of strong encryption cipher. Is incorrect because this does not conform to the definition
of data hiding.

 

質問 384
In regards to relational database operations using the Structure Query Language (SQL), which of the following is a value that can be bound to a placeholder declared within an SQL statement?

  • A. A reduction value
  • B. A resolution value
  • C. An assimilation value
  • D. A bind value

正解: D

解説:
Explanation/Reference:
Explanation:
Bind parameters-also called dynamic parameters or bind variables-are an alternative way to pass data to the database. Instead of putting the values directly into the SQL statement, you just use a placeholder like ?, :name or @name and provide the actual values using a separate API call.
When using bind parameters you do not write the actual values but instead insert placeholders into the SQL statement. That way the statements do not change when executing them with different values.
Incorrect Answers:
B: An assimilation value is not the correct term for a value that can be bound to a placeholder declared within an SQL statement.
C: A reduction value is not the correct term for a value that can be bound to a placeholder declared within an SQL statement.
D: A resolution value is not the correct term for a value that can be bound to a placeholder declared within an SQL statement.
References:
http://use-the-index-luke.com/sql/where-clause/bind-parameters

 

質問 385
During the testing of the business continuity plan (BCP), which of the following methods of results analysis provides the BEST assurance that the plan is workable?

  • A. Quantitatively measuring the results of the test
  • B. Measurement of accuracy
  • C. Evaluation of the observed test results
  • D. Elapsed time for completion of critical tasks

正解: A

 

質問 386
Which choice below is NOT one of the legal IP address ranges specified
by RFC1976 and reserved by the Internet Assigned Numbers Authority
(IANA) for nonroutable private addresses?

  • A. 192.168.0.0 - 192.168.255.255
  • B. 127.0.0.0 - 127.0.255.255
  • C. 10.0.0.0 - 10.255.255.255
  • D. 172.16.0.0 - 172.31.255.255

正解: B

解説:
The other three address ranges can be used for Network Address
Translation (NAT). While NAT is, in itself, not a very effective security measure, a large network can benefit from using NAT with
Dynamic Host Configuration Protocol (DHCP) to help prevent certain
internal routing information from being exposed. The address
127.0.0.1 is called the loopback address. Source: Designing Network
Security by Merike Kaeo (Cisco Press, 1999).

 

質問 387
Which of the following activities would not be included in the contingency planning process phase?

  • A. Assessment of threat impact on the organization
  • B. Development of test procedures
  • C. Prioritization of applications
  • D. Development of recovery scenarios

正解: B

解説:
Explanation/Reference:
Explanation:
When an incident strikes, more is required than simply knowing how to restore data from backups. Also necessary are the detailed procedures that outline the activities to keep the critical systems available and ensure that operations and processing are not interrupted. Contingency management defines what should take place during and after an incident. Actions that are required to take place for emergency response, continuity of operations, and dealing with major outages must be documented and readily available to the operations staff.
Development of test procedures is not part of contingency planning. This has nothing to do with recovering from an incident.
Incorrect Answers:
A: Prioritization of applications is used to determine which applications are most important to the company and should be recovered first. This should be part of your contingency planning.
C: Assessment of threat impact on the organization should be part of the contingency plan to determine what affect an incident would have. This should be part of your contingency planning.
D: Development of recovery scenarios are the most obvious part of a contingency plan. You need to plan how to recover from an incident. This should be part of your contingency planning.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 1276

 

質問 388
In which identity management process is the subject's identity established?

  • A. Authorization
  • B. Enrollment
  • C. Provisioning
  • D. Trust

正解: B

解説:
Section: Software Development Security

 

質問 389
What is it called when a computer uses more than one CPU in parallel to execute instructions?

  • A. Multiprocessing
  • B. Multithreading
  • C. Parallel running
  • D. Multitasking

正解: A

解説:
A system with multiple processors is called a multiprocessing system.
Multitasking is incorrect. Multitasking involves sharing the processor amoung all ready processes.
Though it appears to the user that multiple processes are executing at the same time, only one
process is running at any point in time.
Multithreading is incorrect. The developer can structure a program as a collection of independent
threads to achieve better concurrency. For example, one thread of a program might be performing
a calculation while another is waiting for additional input from the user.
"Parallel running" is incorrect. This is not a real term and is just a distraction.
References
CBK, pp. 315-316
AIO3, pp. 234 - 239

 

質問 390
Which Orange Book evaluation level is described as "Structured Protection"?

  • A. A1
  • B. B2
  • C. B1
  • D. B3

正解: B

解説:
Explanation/Reference:
Explanation:
Level B2 is described as "Structured Protection".
B2: Structured Protection The security policy is clearly defined and documented, and the system design and implementation are subjected to more thorough review and testing procedures. This class requires more stringent authentication mechanisms and well-defined interfaces among layers. Subjects and devices require labels, and the system must not allow covert channels. A trusted path for logon and authentication processes must be in place, which means the subject communicates directly with the application or operating system, and no trapdoors exist. There is no way to circumvent or compromise this communication channel. Operator and administration functions are separated within the system to provide more trusted and protected operational functionality. Distinct address spaces must be provided to isolate processes, and a covert channel analysis is conducted. This class adds assurance by adding requirements to the design of the system.
The type of environment that would require B2 systems is one that processes sensitive data that require a higher degree of security. This type of environment would require systems that are relatively resistant to penetration and compromise.
Incorrect Answers:
A: Level A1 is "Verified Design", not "Structured Protection".
B: Level B3 is "Security Domains", not "Structured Protection".
D: Level B1 is "Labeled Security", not "Structured Protection".
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, pp. 395-397

 

質問 391
When attempting to establish Liability, which of the following would be describe as performing the ongoing maintenance necessary to keep something in proper working order, updated, effective, or to abide by what is commonly expected in a situation?

  • A. Due concern
  • B. Due diligence
  • C. Due practice
  • D. Due care

正解: D

解説:
My friend JD Murray at Techexams.net has a nice definition of both, see his
explanation below:
Oh, I hate these two. It's like describing the difference between "jealously" and "envy." Kinda the
same thing but not exactly. Here it goes:
Due diligence is performing reasonable examination and research before committing to a course
of action. Basically, "look before you leap." In law, you would perform due diligence by researching
the terms of a contract before signing it. The opposite of due diligence might be "haphazard" or
"not doing your homework."
Due care is performing the ongoing maintenance necessary to keep something in proper working
order, or to abide by what is commonly expected in a situation. This is especially important if the
due care situation exists because of a contract, regulation, or law. The opposite of due care is
"negligence."
In summary, Due Diligence is Identifying threats and risks while Due Care is Acting upon findings
to mitigate risks
EXAM TIP:
The Due Diligence refers to the steps taken to identify risks that exists within the environment.
This is base on best practices, standards such as ISO 27001, ISO 17799, and other consensus.
The first letter of the word Due and the word Diligence should remind you of this. The two letters
are DD = Do Detect.
In the case of due care, it is the actions that you have taken (implementing, designing, enforcing,
updating) to reduce the risks identified and keep them at an acceptable level. The same apply
here, the first letters of the work Due and the work Care are DC. Which should remind you that DC
= Do correct.
The other answers are only detractors and not valid.
Reference(s) used for this question:
CISSP Study Guide, Syngress, By Eric Conrad, Page 419
HARRIS, Shon, All-In-One CISSP Certification Exam Guide Fifth Edition, McGraw-Hill, Page 49 and 110. and Corporate; (Isc)2 (2010-04-20). Official (ISC)2 Guide to the CISSP CBK, Second Edition ((ISC)2 Press) (Kindle Locations 11494-11504). Taylor & Francis. Kindle Edition. and My friend JD Murray at Techexams.net

 

質問 392
Another model that allows two software components to communicate
with each other independent of their platforms operating systems and
languages of implementation is:

  • A. Spiral Model
  • B. Sandbox
  • C. Basic Object Model (BOM)
  • D. Common Object Model (COM)

正解: D

解説:
As in the object-oriented paradigm, COM works with encapsulated
objects. Communications with a COM object are through an
interface contract between an object and its clients that defines the
functions that are available in the object and the behavior of the
object when the functions are calleD.
*Answer a sandbox, is an access
control-based protection mechanism. It is commonly applied to
restrict the access rights of mobile code that is downloaded from a
Web site as an applet. The code is set up to run in a sandbox that
blocks its access to the local workstations hard disk, thus preventing
the code from malicious activity. The sandbox is usually interpreted
by a virtual machine such as the Java Virtual MachinE.
*Answer BOM is a distracter.
* Spiral Model refers to the software development life cycle.

 

質問 393
What is called the access protection system that limits connections by calling back the number of a previously authorized location?

  • A. Sendback systems
  • B. Callback systems
  • C. Callback forward systems
  • D. Sendback forward systems

正解: B

解説:
The Answer: Call back Systems; Callback systems provide access protection by calling back the number of a previously authorized location, but this control can be compromised by call forwarding.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 35

 

質問 394
......


ISC CISSP 認定試験の出題範囲:

トピック出題範囲
トピック 1
  • Software Development Security
トピック 2
  • Security Assessment and Testing
トピック 3
  • Security and Risk Management
  • Asset Security
トピック 4
  • Security Architecture and
  • Security Operations
トピック 5
  • Communication and Network Security

 

ISC CISSP問題集でカバー率リアル試験問題:https://jp.fast2test.com/CISSP-premium-file.html

問題集お試しセットCISSPテストエンジン問題集トレーニングには990問あります:https://drive.google.com/open?id=16GSr3L8gT64DNlRmunUEbgWMaaQAhnXp


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어