
[2022年02月]更新のCISSP試験事前練習テスト試験問題と解答ISC Certification学習ガイド
Certified Information Systems Security Professional認証サンプル解答
質問 171
Which Orange book security rating introduces security labels?
- A. C2
- B. B3
- C. B2
- D. B1
正解: D
解説:
Class (B1) or "Labeled Security Protection" systems require all the features required for class (C2). In addition, an informal statement of the security policy model, data labeling, and mandatory access control over named subjects and objects must be present. The capability must exist for accurately labeling exported information. Any flaws identified by testing must be removed.
質問 172
Which of the following statements is TRUE regarding value boundary analysis as a functional software testing technique?
- A. Test inputs are obtained from the derived threshold of the given functional specifications.
- B. An entire partition can be covered by considering only one representative value from that partition.
- C. It is characterized by the stateless behavior of a process implemented in a function.
- D. It is useful for testing communications protocols and graphical user interfaces.
正解: A
質問 173
In a wireless General Packet Radio Services (GPRS) Virtual Private
Network (VPN) application, which of the following security protocols is commonly used?
- A. TLS
- B. WTP
- C. SSL
- D. IPSEC
正解: D
解説:
An example is the use of a GPRS-enabled laptop that connects to a
corporate intranet via a VPN. The laptop is given an IP address and a
RADIUS server authenticates the user. IPSEC is used to create the
VPN. As background, GPRS is a second-generation (2G) packet data
technology that is overlaid on existing Global System for Mobile
communications (GSM). GSM is the wireless analog of the ISDN
landline system. The key features of GPRS are that it is always on line
(no dial-up needed), existing GSM networks can be upgraded with
GPRS, and it can serve as the packet data core of third generation
(3G) systems.
Answers SSL and TLS are similar security protocols
that are used on the Internet side of the Wireless Application
Protocol (WAP) Gateway.
For answer WTP is the Wireless Transaction
Protocol that is part of the WAP suite of protocols. WTP is a lightweight, message-oriented, transaction protocol that provides more reliable connections than UDP, but does not have the robustness of
TCP.
質問 174
A Java program is being developed to read a file from computer A and write it to computer B, using a third computer C. The program is not working as expected. What is the MOST probable security feature of Java preventing the program from operating as intended?
- A. Privilege bracketing
- B. Least privilege
- C. Defense in depth
- D. Privilege escalation
正解: B
質問 175
Which of the following answers BEST indicates the most important part of a data backup plan?
- A. Expensive backup hardware
- B. A reliable network infrastructure
- C. Testing the backups with restore operations
- D. An effective backup plan
正解: C
解説:
If you can't restore lost files from your backup system then your backup plan is useless. You could have the best backup system and plan available but if you are unable to restore files then the system can't assure data availability.
Develop an effective disaster recovery plan and include in that plan a good backup strategy that meets the needs of your organization. Be sure to include periodic recovery practice operations to prove the effectiveness of the system.
The following answers are incorrect:
- An effective backup plan: This is vital but testing the plan with restores is vital to operate a network safely.
- A reliable network infrastructure: This is incorrect because it is only part of what you need to have an effective backup and restore plan.
- Expensive backup hardware: This is good to have but if you don't rest your restore plan and it doesn't work when you need it, it is useless.
The following reference(s) was used to create this question:
2 013. Official Security+ Curriculum.
質問 176
If an employee's computer has been used by a fraudulent employee to commit a crime, the hard disk may be seized as evidence and once the investigation is complete it would follow the normal steps of the Evidence Life Cycle. In such case, the Evidence life cycle would not include which of the following steps listed below?
- A. Destruction
- B. Analysis
- C. Storage, preservation, and transportation
- D. Acquisition collection and identification
正解: A
解説:
Unless the evidence is illegal then it should be returned to owner, not destroyed.
The Evidence Life Cycle starts with the discovery and collection of the evidence. It progresses
through the following series of states until it is finally returned to the victim or owner:
Acquisition collection and identification
Analysis
Storage, preservation, and transportation
Presented in court
Returned to victim (owner)
The Second edition of the ISC2 book says on page 529-530:
Identifying evidence: Correctly identifying the crime scene, evidence, and potential containers of evidence. Collecting or acquiring evidence: Adhering to the criminalistic principles and ensuring that the contamination and the destruction of the scene are kept to a minimum. Using sound, repeatable, collection techniques that allow for the demonstration of the accuracy and integrity of evidence, or copies of evidence. Examining or analyzing the evidence: Using sound scientific methods to determine the characteristics of the evidence, conducting comparison for individuation of evidence, and conducting event reconstruction. Presentation of findings: Interpreting the output from the examination and analysis based on findings of fact and articulating these in a format appropriate for the intended audience (e.g., court brief, executive memo, report).
Note on returning the evidence to the Owner/Victim The final destination of most types of evidence is back with its original owner. Some types of evidence, such as drugs or drug paraphernalia (i.e., contraband), are destroyed after the trial.
Any evidence gathered during a search, although maintained by law enforcement, is legally under the control of the courts. And although a seized item may be yours and may even have your name on it, it might not be returned to you unless the suspect signs a release or after a hearing by the court. Unfortunately, many victims do not want to go to trial; they just want to get their property back.
Many investigations merely need the information on a disk to prove or disprove a fact in question; thus, there is no need to seize the entire system. Once a schematic of the system is drawn or photographed, the hard disk can be removed and then transported to a forensic lab for copying.
Mirror copies of the suspect disk are obtained using forensic software and then one of those copies can be returned to the victim so that business operations can resume.
Reference(s) used for this question: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 9: Law, Investigation, and Ethics (page 309). and The Official Study Book, Second Edition, Page 529-230
質問 177
HIPAA preempts state laws
- A. except to the extent that the state law is less stringent
- B. except to the extent that the state law more stringent
- C. except to the extent that the state law is legislated later than HIPAA
- D. regardless of the extent that the state law is more stringent
正解: B
質問 178
Which choice below is the MOST accurate description of a warm site?
- A. A backup processing facility with adequate electrical wiring and air conditioning, but no hardware or software installed
- B. A backup processing facility with all hardware and software installed and 100% compatible with the original site, operational within hours
- C. A mobile trailer with portable generators and air conditioning
- D. A backup processing facility with most hardware and software installed, which can be operational within a matter of days
正解: D
解説:
The three most common types of remote off-site backup processing facilities are hot sites, warm sites, and cold sites. They are primarily differentiated by how much preparation is devoted to the site, and therefore how quickly the site can be used as an alternate processing site.
質問 179
Which of the following phases of a software development life cycle normally addresses Due
Care and Due Diligence?
- A. Product design
- B. Implementation
- C. System feasibility
- D. Software plans and requirements
正解: D
解説:
The software plans and requirements phase addresses threats, vulnerabilities, security requirements, reasonable care, due diligence, legal liabilities, cost/benefit analysis, level of protection desired, test plans.
Implementation is incorrect because it deals with Installing security software, running the system, acceptance testing, security software testing, and complete documentation certification and accreditation (where necessary).
System Feasibility is incorrect because it deals with information security policy, standards, legal issues, and the early validation of concepts.
Product design is incorrect because it deals with incorporating security specifications, adjusting test plans and data, determining access controls, design documentation, evaluating encryption options, and verification.
Sources:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten
Domains of Computer Security, John Wiley & Sons, 2001, Chapter 7: Applications and
Systems Development (page 252).
KRUTZ, Ronald & VINES, Russel, The CISSP Prep Guide: Gold Edition, Wiley Publishing
Inc., 2003, Chapter 7: Security Life Cycle Components, Figure 7.5 (page 346).
質問 180
Which of the following is a common measure within a Local Area Network (LAN) to provide en additional level of security through segmentation?
- A. Building Virtual Local Area Networks (VLAN)
- B. Implementing an Intrusion Detection System (IDS)
- C. Building Demilitarized Zones (DMZ)
- D. Implementing a virus scanner
正解: A
質問 181
Which of the following recovery plan test results would be most useful to management?
- A. amount of work completed
- B. elapsed time to perform various activities
- C. description of each activity
- D. list of successful and unsuccessful activities
正解: D
質問 182
An engineer in a software company has created a virus creation tool. The tool can generate thousands of polymorphic viruses. The engineer is planning to use the tool in a controlled environment to test the company's next generation virus scanning software. Which would BEST describe the behavior of the engineer and why?
- A. The behavior is ethical because the tool will be used to create a better virus scanner.
- B. The behavior is ethical because any experienced programmer could create such a tool.
- C. The behavior is not ethical because such a tool could be leaked on the Internet.
- D. The behavior is not ethical because creating any kind of virus is bad.
正解: A
質問 183
Which of the following allows two computers to coordinate in executing software?
- A. NFS
- B. RSH
- C. SNMP
- D. RPC
正解: D
解説:
Remote Procedure Call (RPC, UDP port 111) is a protocol that allows two computers to coordinate in executing software. RPC can be used by a program on one computer to transfer execution of a subroutine to another computer, and have the results returned to the first. RPC is a fragile service, and most operating systems cannot handle arbitrary data being sent to an RPC port. It is best used in trusted LAN environments and should not usually be allowed through the organization's firewall. RPC is being replaced by Secure-RPC. Source: STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 4: Sockets and Services from a Security Viewpoint.
質問 184
What two things below are associated with security policy?(Choose Two)
- A. Are strategic in nature
- B. Must be developed after procedures
- C. Support of upper management
- D. Are tactical in nature
- E. Must be developed after guidelines
- F. Support of department managers
正解: A,C
解説:
Explanation: Policies are written as a broad overview and require the support of upper management. After the development and approval of policies, guidelines and procedures may be written.
質問 185
What is NOT an authentication method within IKE and IPSec?
- A. CHAP
- B. Public key authentication
- C. Pre shared key
- D. certificate based authentication
正解: A
解説:
CHAP is not used within IPSEC or IKE. CHAP is an authentication scheme used by Point to Point Protocol (PPP) servers to validate the identity of remote clients.
CHAP periodically verifies the identity of the client by using a three-way handshake. This happens at the time of establishing the initial link (LCP), and may happen again at any time afterwards. The verification is based on a shared secret (such as the client user's password).
After the completion of the link establishment phase, the authenticator sends a "challenge" message to the peer.
The peer responds with a value calculated using a one-way hash function on the challenge and the secret combined.
The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authenticator acknowledges the authentication; otherwise it should terminate the connection.
At random intervals the authenticator sends a new challenge to the peer and repeats steps
1 through 3.
The following were incorrect answers:
Pre Shared Keys
In cryptography, a pre-shared key or PSK is a shared secret which was previously shared between the two parties using some secure channel before it needs to be used. To build a key from shared secret, the key derivation function should be used. Such systems almost always use symmetric key cryptographic algorithms. The term PSK is used in WiFi encryption such as WEP or WPA, where both the wireless access points (AP) and all clients share the same key.
The characteristics of this secret or key are determined by the system which uses it; some system designs require that such keys be in a particular format. It can be a password like
'bret13i', a passphrase like 'Idaho hung gear id gene', or a hexadecimal string like '65E4
E556 8622 EEE1'. The secret is used by all systems involved in the cryptographic processes used to secure the traffic between the systems.
Certificat Based Authentication
The most common form of trusted authentication between parties in the wide world of Web commerce is the exchange of certificates. A certificate is a digital document that at a minimum includes a Distinguished Name (DN) and an associated public key.
The certificate is digitally signed by a trusted third party known as the Certificate Authority
(CA). The CA vouches for the authenticity of the certificate holder. Each principal in the transaction presents certificate as its credentials. The recipient then validates the certificate's signature against its cache of known and trusted CA certificates. A "personal certificate" identifies an end user in a transaction; a "server certificate" identifies the service provider.
Generally, certificate formats follow the X.509 Version 3 standard. X.509 is part of the
Open Systems Interconnect
(OSI) X.500 specification.
Public Key Authentication
Public key authentication is an alternative means of identifying yourself to a login server, instead of typing a password. It is more secure and more flexible, but more difficult to set up.
In conventional password authentication, you prove you are who you claim to be by proving that you know the correct password. The only way to prove you know the password is to tell the server what you think the password is. This means that if the server has been hacked, or spoofed an attacker can learn your password.
Public key authentication solves this problem. You generate a key pair, consisting of a public key (which everybody is allowed to know) and a private key (which you keep secret and do not give to anybody). The private key is able to generate signatures. A signature created using your private key cannot be forged by anybody who does not have a copy of that private key; but anybody who has your public key can verify that a particular signature is genuine.
So you generate a key pair on your own computer, and you copy the public key to the server. Then, when the server asks you to prove who you are, you can generate a signature using your private key. The server can verify that signature (since it has your public key) and allow you to log in. Now if the server is hacked or spoofed, the attacker does not gain your private key or password; they only gain one signature. And signatures cannot be re-used, so they have gained nothing.
There is a problem with this: if your private key is stored unprotected on your own computer, then anybody who gains access to your computer will be able to generate signatures as if they were you. So they will be able to log in to your server under your account. For this reason, your private key is usually encrypted when it is stored on your local machine, using a passphrase of your choice. In order to generate a signature, you must decrypt the key, so you have to type your passphrase.
References:
RFC 2409: The Internet Key Exchange (IKE); DORASWAMY, Naganand & HARKINS, Dan
Ipsec: The New Security Standard for the Internet, Intranets, and Virtual Private Networks,
1999, Prentice Hall PTR; SMITH, Richard E.
Internet Cryptography, 1997, Addison-Wesley Pub Co.; HARRIS, Shon, All-In-One CISSP
Certification Exam Guide, 2001, McGraw-Hill/Osborne, page 467.
http://en.wikipedia.org/wiki/Pre-shared_key
http://www.home.umk.pl/~mgw/LDAP/RS.C4.JUN.97.pdf
http://the.earth.li/~sgtatham/putty/0.55/htmldoc/Chapter8.html#S8.1
質問 186
......
ISC CISSP 認定試験の出題範囲:
| トピック | 出題範囲 |
|---|---|
| トピック 1 |
|
| トピック 2 |
|
| トピック 3 |
|
| トピック 4 |
|
ISC試験練習テスト最高得点を獲得しよう:https://jp.fast2test.com/CISSP-premium-file.html
検証済み材料にはここCISSP:https://drive.google.com/open?id=16GSr3L8gT64DNlRmunUEbgWMaaQAhnXp