[2024年10月14日]CISSPサンプルには正確で更新された問題 [Q232-Q247]

Share

[2024年10月14日]CISSPサンプルには正確で更新された問題

CISSP試験情報と無料練習テスト


ISC CISSP認定は、情報セキュリティ分野で非常に尊敬され、認定された認定です。それは、専門知識を実証し、キャリアを促進したい専門家にとって貴重な資産です。認定には広範な準備と経験が必要ですが、報酬は努力する価値があります。資格のある情報セキュリティの専門家に対する需要の増加に伴い、CISSP認定を獲得することで、キャリアの成長と進歩の機会が多く開くことができます。


ISC CISSP認定試験は、情報セキュリティ分野で最低5年の経験を持つ専門家向けに設計されています。この試験は、セキュリティマネージャー、セキュリティコンサルタント、セキュリティアナリスト、ネットワークアーキテクト、および分野の知識と専門知識を検証したい他の情報セキュリティ専門家を対象としています。この認定は業界で非常に尊敬されており、世界中の政府、企業、学術機関によって認められています。

 

質問 # 232
Which of the following was developed by the National Computer Security Center (NCSC) for the US Department of Defense?

  • A. DIACAP
  • B. ITSEC
  • C. NIACAP
  • D. TCSEC

正解:D

解説:
Initially issued by the National Computer Security Center (NCSC) an arm of the National Security Agency in 1983 and then updated in 1985, TCSEC was replaced with the development of the Common Criteria international standard originally published in
2005.
References:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten
Domains of Computer Security, pages 197-199.
Wikepedia
http://en.wikipedia.org/wiki/TCSEC


質問 # 233
Which one of the following is a key agreement protocol used to enable two entities to agree and generate a session key (secret key used for one session) over an insecure medium without any prior secrets or communications between the entities? The negotiated key will subsequently be used for message encryption using Symmetric Cryptography.

  • A. Diffie_Hellmann
  • B. RSA
  • C. PKI
  • D. 3DES

正解:A

解説:
The Diffie-Hellman key agreement protocol (also called exponential key agreement) was developed by Diffie and Hellman [DH76] in 1976 and published in the ground-breaking paper "New Directions in Cryptography." The protocol allows two users to exchange a secret key over an insecure medium without any prior secrets.
The protocol has two system parameters p and g. They are both public and may be used by all the users in a system. Parameter p is a prime number and parameter g (usually called a generator) is an integer less than p, with the following property: for every number n between 1 and p-1 inclusive, there is a power k of g such that n = gk mod p.
Suppose Alice and Bob want to agree on a shared secret key using the Diffie-Hellman key agreement protocol. They proceed as follows: First, Alice generates a random private value a and Bob generates a random private value b. Both a and b are drawn from the set of integers . Then they derive their public values using parameters p and g and their private values. Alice's public value is ga mod p and Bob's public value is gb mod p. They then exchange their public values. Finally, Alice computes gab = (gb)a mod p, and Bob computes gba = (ga)b mod p. Since gab = gba = k, Alice and Bob now have a shared secret key k.
The protocol depends on the discrete logarithm problem for its security. It assumes that it is computationally infeasible to calculate the shared secret key k = gab mod p given the two public values ga mod p and gb mod p when the prime p is sufficiently large. Maurer [Mau94] has shown that breaking the Diffie-Hellman protocol is equivalent to computing discrete logarithms under certain assumptions.
The Diffie-Hellman key exchange is vulnerable to a man-in-the-middle attack. In this attack, an opponent Carol intercepts Alice's public value and sends her own public value to Bob. When Bob transmits his public value, Carol substitutes it with her own and sends it to Alice. Carol and Alice thus agree on one shared key and Carol and Bob agree on another shared key. After this exchange, Carol simply decrypts any messages sent out by Alice or Bob, and then reads and possibly modifies them before re-encrypting with the appropriate key and transmitting them to the other party. This vulnerability is present because Diffie-Hellman key exchange does not authenticate the participants. Possible solutions include the use of digital signatures and other protocol variants.
The authenticated Diffie-Hellman key agreement protocol, or Station-to-Station (STS) protocol, was developed by Diffie, van Oorschot, and Wiener in 1992 [DVW92] to defeat the man-in-themiddle attack on the Diffie-Hellman key agreement protocol. The immunity is achieved by allowing the two parties to authenticate themselves to each other by the use of digital signatures (see
Question 2
.2.2) and public-key certificates (see Question 4.1.3.10).
Roughly speaking, the basic idea is as follows. Prior to execution of the protocol, the two parties Alice and Bob each obtain a public/private key pair and a certificate for the public key. During the protocol, Alice computes a signature on certain messages, covering the public value ga mod p. Bob proceeds in a similar way. Even though Carol is still able to intercept messages between Alice and Bob, she cannot forge signatures without Alice's private key and Bob's private key. Hence, the enhanced protocol defeats the man-in-the-middle attack.
In recent years, the original Diffie-Hellman protocol has been understood to be an example of a much more general cryptographic technique, the common element being the derivation of a shared secret value (that is, key) from one party's public key and another party's private key. The parties' key pairs may be generated anew at each run of the protocol, as in the original Diffie-Hellman protocol. The public keys may be certified, so that the parties can be authenticated and there may be a combination of these attributes. The draft ANSI X9.42 (see
Question 5
.3.1)
illustrates some of these combinations, and a recent paper by Blake-Wilson, Johnson, and
Menezes provides some relevant security proofs.
References:
TIPTON, et. al., Official (ISC)2 Guide to the CISSP CBK 2007 edition, page 257.
And
RSA laboratoires web site: http://www.rsa.com/rsalabs/node.asp?id=2248 :


質問 # 234
What are database views used for?

  • A. To provide audit trails.
  • B. To restrict user access to data in a database.
  • C. To allow easier access to data in a database.
  • D. To ensure referential integrity.

正解:B

解説:
Through the use of a view we can provide security for the organization restricting users access to certain data or to the real tables containing the information in our database. For example, we can create a view that brings data from 3 tables, only showing
2 of the 4 columns in each. Instead of giving access to the tables that contain the information, we give access to the view, so the user can access this fixed information but does not have privileges over the tables containing it. This provides security.


質問 # 235
Refer to the information below to answer the question.
An organization has hired an information security officer to lead their security department. The officer has adequate people resources but is lacking the other necessary components to have an effective security program. There are numerous initiatives requiring security involvement.
Which of the following is considered the MOST important priority for the information security officer?

  • A. Disciplinary actions taken against unethical behavior
  • B. Formal acceptance of the security strategy
  • C. Audit of all organization system configurations for faults
  • D. Development of an awareness program for new employees

正解:B


質問 # 236
Which of the following methods MOST efficiently manages user accounts when using a third-party cloud-based application and directory solution?

  • A. Directory synchronization
  • B. Cloud directory
  • C. Lightweight Directory Access Protocol (LDAP)
  • D. Assurance framework

正解:A

解説:
Directory synchronization is a method of managing user accounts when using a third-party cloud-based application and directory solution. Directory synchronization allows the user accounts in the local directory, such as Active Directory, to be automatically synchronized with the user accounts in the cloud directory, such as Azure Active Directory. This way, the users can use the same credentials to access both the local and the cloud resources, and the administrators can manage the user accounts from a single point. Option A, cloud directory, is not a method, but a type of directory service that is hosted in the cloud. Option C, assurance framework, is not related to user account management, but to the evaluation and verification of security controls. Option D, Lightweight Directory Access Protocol (LDAP), is a protocol for accessing and querying directory services, not a method for managing user accounts.


質問 # 237
In IPSec, if the communication mode is gateway-gateway or host-gateway:

  • A. Only tunnel mode can be used.
  • B. Only transport mode can be used.
  • C. Encapsulating Security Payload (ESP) authentication must be used.
  • D. Both tunnel and transport mode can be used.

正解:D

解説:
"IPSec can work in one of two modes: transport mode, where the payload of the message is protected, and tunnel mode, where the payload and the routing and header information is protected." Pg 527 Shon Harris: All-in-One CISSP Certification
Not:" Encapsulating Security Payload (ESP) authentication must be used"
"IPSec is not a strict protocol that dictates the type of algorithm, keys, and authentication method to be used, but it is an open, modular framework that provides a lot of flexibility for companies when they choose to use this type of technology. IPSec uses two basic security protocols: Authentication Header (AH) and the Encapsulating Security Payload (ESP). AH is the authenticating protocol, and ESP is an authenticating and encrypting protocol that uses cryptographic mechanisms to provide source authentication, confidentiality, and message integrity." Pg 527 Shon Harris: All-in-One CISSP Certification


質問 # 238
_______ requires that two entities work together to complete a task?

  • A. Rotation of duties
  • B. Enforced mandatory vacations
  • C. Separation of duties
  • D. Dual controls
  • E. Workplace rules

正解:D

解説:
Dual controls require that two entities work together to complete a task. This is used to reduce the possibility of fraud.


質問 # 239
What can be defined as a momentary low voltage?

  • A. Sag
  • B. Brownout
  • C. Fault
  • D. Spike

正解:A

解説:
A sag is a momentary low voltage. A spike is a momentary high voltage. A fault is a momentary power out and a brownout is a prolonged power supply that is below normal voltage.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 6: Physical security (page 299).


質問 # 240
What is the HIGHEST priority in agile development?

  • A. Maximizing the amount of code delivered
  • B. Managing costs of product delivery
  • C. Selecting appropriate coding language
  • D. Early and continuous delivery of software

正解:D

解説:
The highest priority in agile development is early and continuous delivery of software. Agile development is a type of software development methodology that is based on the principles of the Agile Manifesto, which values individuals and interactions, working software, customer collaboration, and responding to change.
Agile development aims to deliver software products or services that meet the changing needs and expectations of the customers and stakeholders, by using an iterative, incremental, and collaborative approach.
Agile development involves various methods or frameworks, such as Scrum, Kanban, or Extreme Programming. The highest priority in agile development is early and continuous delivery of software, as stated in the first principle of the Agile Manifesto: "Our highest priority is to satisfy the customer through early and continuous delivery of valuable software." Early and continuous delivery of software means that the software products or services are delivered to the customers or stakeholders in short and frequent cycles, rather than in long and infrequent cycles. Early and continuous delivery of software can help to improve the quality and value of the software products or services, by enabling faster feedback, validation, and verification of the software products or services, as well as by allowing more flexibility and adaptability to the changing requirements and preferences of the customers or stakeholders. Selecting appropriate coding language, managing costs of product delivery, or maximizing the amount of code delivered are not the highest priorities in agile development, as they are either more related to the technical, financial, or quantitative aspects of software development, rather than the customer-oriented or value-driven aspects of software development.
References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 21: Software Development Security, page 1155; CISSP Official (ISC)2 Practice Tests, Third Edition, Domain 8: Software Development Security, Question 8.11, page 305.


質問 # 241
What is the MOST important goal of conducting security assessments?

  • A. To prepare the organization for an external audit, particularly by a regulatory entity
  • B. To demonstrate proper function of security controls and processes to senior management
  • C. To align the security program with organizational risk appetite
  • D. To discover unmitigated security vulnerabilities, and propose paths for mitigating them

正解:D

解説:
The most important goal of conducting security assessments is to discover unmitigated security vulnerabilities, and propose paths for mitigating them. A security assessment is a process that involves evaluating and testing the security posture and performance of a system or network, and identifying and reporting any security vulnerabilities or issues that may pose a security risk. A security assessment can help to discover unmitigated security vulnerabilities, which are the security flaws or weaknesses that have not been detected, reported, or resolved, and that can be exploited by the adversaries to compromise the security of the system or network. A security assessment can also help to propose paths for mitigating the security vulnerabilities, which are the actions or measures that can be taken to eliminate, reduce, or transfer the security risk associated with the security vulnerabilities. Discovering unmitigated security vulnerabilities, and proposing paths for mitigating them, is the most important goal of conducting security assessments, as it can help to improve the security level and quality of the system or network, and to prevent or minimize the potential damage or loss caused by the security incidents or breaches . References: [CISSP CBK, Fifth Edition, Chapter 6, page 540]; [CISSP Practice Exam - FREE 20 Questions and Answers, Question 12].


質問 # 242
An Information Technology (IT) professional attends a cybersecurity seminar on current incident response methodologies.
What code of ethics canon is being observed?

  • A. Act honorable, honesty, justly, responsibly, and legally
  • B. Provide diligent and competent service to principals
  • C. Advance and protect the profession
  • D. Protect society, the commonwealth, and the infrastructure

正解:B

解説:
Section: Security Operations


質問 # 243
Which of the following is the key requirement for test results when implementing forensic procedures?

  • A. The test results must be quantifiable.
  • B. The test results must be cost-effective.
  • C. The test results must be reproducible.
  • D. The test result must be authorized.

正解:D


質問 # 244
A security practitioner has been tasked with establishing organizational asset handling procedures. What should be considered that would have the GRFATEST impact to the development of these procedures?

  • A. Information classification scheme
  • B. Acceptable Use Policy (ALP)
  • C. Media handling procedures
  • D. User roles and responsibilities

正解:A

解説:
A security practitioner who has been tasked with establishing organizational asset handling procedures should consider the information classification scheme as the factor that would have the greatest impact to the development of these procedures. An information classification scheme is a set of policies and rules that define how the organization's information assets are categorized and labeled according to their sensitivity, value, and criticality. The information classification scheme also determines the appropriate security controls, access rights, retention periods, and disposal methods for each category of information. By applying an information classification scheme, the organization can ensure that its asset handling procedures are consistent, effective, and aligned with its security objectives and compliance requirements. References: CISSP domain 2: Asset security, 2024 CISSP Detailed Content Outline With Weights Final (Public Use Only), CISSP 2021: Asset Classification & Lifecycle


質問 # 245
Which of the following is used to support the concept of defense in depth during the development phase of a software product?

  • A. Maintenance hooks
  • B. Security auditing
  • C. Known vulnerability list
  • D. Polyinstiation

正解:D


質問 # 246
The Information Technology Security Evaluation Criteria (ITSEC) was written to address which of the following that the Orange Book did not address?

  • A. integrity and availability.
  • B. none of the above.
  • C. integrity and confidentiality.
  • D. confidentiality and availability.

正解:A

解説:
TCSEC focused on confidentiality while ITSEC added integrity and availability as security goals.
The following answers are incorrect:
integrity and confidentiality. Is incorrect because TCSEC addressed confidentiality.
confidentiality and availability. Is incorrect because TCSEC addressed confidentiality.
none of the above. Is incorrect because ITSEC added integrity and availability as security goals.


質問 # 247
......


ISC CISSP(認定情報システムセキュリティプロフェッショナル)認定試験は、情報セキュリティの分野で非常に尊敬され、世界的に認められた認定です。セキュリティとリスク管理、資産セキュリティ、セキュリティエンジニアリング、コミュニケーションとネットワークセキュリティ、アイデンティティとアクセス管理、セキュリティ評価とテスト、テスト、セキュリティ運用、ソフトウェアなど、情報セキュリティのさまざまな分野の候補者の知識とスキルをテストするように設計されています。開発セキュリティ。

 

合格させるISC CISSPプレミアムお試しセットテストエンジンPDFで無料問題集セット:https://jp.fast2test.com/CISSP-premium-file.html

2024年最新の実際に出るCISSP問題集テストエンジン試験問題はここにある:https://drive.google.com/open?id=14mqZ5Wcl0YAu4YSVdHqlsFDbF0S-XCnG


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어