CISSPPDF問題集で2022年05月07日試験問題 有効なCISSP問題集 [Q473-Q495]

Share

CISSPPDF問題集で2022年05月07日試験問題 有効なCISSP問題集

究極のCISSP準備ガイドで無料最新のISC練習テスト問題集


ISC CISSP 認定試験の出題範囲:

トピック出題範囲
トピック 1
  • セキュリティとリスク管理
  • 資産セキュリティ
トピック 2
  • セキュリティアーキテクチャおよび
  • セキュリティ運用
トピック 3
  • ソフトウェア開発セキュリティ
トピック 4
  • セキュリティの評価とテスト
トピック 5
  • IDおよびアクセス管理(IAM)

 

質問 473
What algorithm was DES derived from?

  • A. Brooks-Aldeman.
  • B. Lucifer.
  • C. Skipjack.
  • D. Twofish.

正解: B

解説:
NSA took the 128-bit algorithm Lucifer that IBM developed, reduced the key size to 64 bits and with that developed DES.
The following answers are incorrect:
Twofish. This is incorrect because Twofish is related to Blowfish as a possible replacement for DES.
Skipjack. This is incorrect, Skipjack was developed after DES by the NSA .
Brooks-Aldeman. This is incorrect because this is a distractor, no algorithm exists with this name.

 

質問 474
What can be defined as the maximum acceptable length of time that elapses before the unavailability of the system severely affects the organization?

  • A. Recovery Time Period (RTP)
  • B. Recovery Point Objectives (RPO)
  • C. Critical Recovery Time (CRT)
  • D. Recovery Time Objectives (RTO)

正解: D

解説:
One of the results of a Business Impact Analysis is a determination of each business function's Recovery Time Objectives (RTO). The RTO is the amount of time allowed for
the recovery of a business function. If the RTO is exceeded, then severe damage to the
organization would result.
The Recovery Point Objectives (RPO) is the point in time in which data must be restored in order
to resume processing.
Reference(s) used for this question:
BARNES, James C. & ROTHSTEIN, Philip J., A Guide to Business Continuity Planning, John
Wiley & Sons, 2001 (page 68).
and
And: SWANSON, Marianne, & al., National Institute of Standards and Technology (NIST), NIST
Special Publication 800-34, Contingency Planning Guide for Information Technology Systems,
December 2001 (page 47).

 

質問 475
Which Open Systems Interconnect (OSI) layers provide Transport Control Protocol/Internet Protocol (TCP/IP) end-to-end security?

  • A. Application and transport
  • B. Application and presentation
  • C. Presentation and session
  • D. Network and application

正解: C

解説:
"The Session layer (layer 5) is responsible for establishing, maintaining, and
terminating communication sessions between two computers. The primary technology within layer
5 is a gateway. The following protocols operate within the Session layer:
Secure Sockets Layer (SSL)
Network File System (NFS)
Structured Query Language (SQL)
Remote Procedure Call (RPC)
The presentation layer (layer 6) is responsible for transforming data received from the application
layer into a format that any system following the OSI model can understand. It imposes common
or standardized structure and formatting rules onto the data. The Presentation layer is also
responsible for encryption and compression." Pg. 79-80 Tittel: CISSP Study Guide.

 

質問 476
Which statement below MOST accurately describes configuration
control?

  • A. Assuring that only the proposed and approved system changes are implemented
  • B. Verifying that all configuration management policies are being followed
  • C. Tracking the status of current changes as they move through the configuration control process
  • D. The decomposition process of a verification system into CIs

正解: A

解説:
Configuration control is a means of assuring that system changes
are approved before being implemented, only the proposed and
approved changes are implemented, and the implementation is
complete and accuratE. This involves strict procedures for
proposing, monitoring, and approving system changes and their
implementation. Configuration control entails central direction of
the change process by personnel who coordinate analytical tasks,
approve system changes, review the implementation of changes,
and supervise other tasks such as documentation.
*Answer "The decomposition process of a verification system into CIs" is configuration identification. The decomposition process of a verification system into Configuration Items (CIs) is
called configuration identification. A CI is a uniquely identifiable
subset of the system that represents the smallest portion to be subject to independent configuration control procedures.
Answer "Tracking the status of current changes as they move through the configuration control process" is configuration accounting. Configuration accounting documents the status of configuration control activities and, in general, provides the information needed to manage a configuration effectively. It allows managers to trace system changes and establish
the history of any developmental problems and associated fixes.
Configuration accounting also tracks the status of current changes as
they move through the configuration control process. Configuration
accounting establishes the granularity of recorded information and
thus shapes the accuracy and usefulness of the audit function.
*Answer "Verifying that all configuration management policies are being follow" is configuration audit. Configuration audit is the quality assurance component of configuration management. It involves periodic
checks to determine the consistency and completeness of
accounting information and to verify that all configuration management
policies are being followeD. A vendors configuration management
program must be able to sustain a complete configuration audit
by an NCSC review team.
Source: NCSC-TG-014, Guidelines for Formal Verification Systems.

 

質問 477
Which answer best describes a computer software attack that takes advantage of a previously unpublished vulnerability?

  • A. Zero-Day Attack
  • B. Software Crack
  • C. Exploit Attack
  • D. Vulnerability Attack

正解: A

解説:
A zero-day (or zero-hour, or Oday, or day zero) attack or threat is a computer threat that tries to exploit computer application vulnerabilities that are unknown to others or the software developer. Zero-day exploits (actual software that uses a security hole to carry out an attack) are used or shared by attackers before the developer of the target software knows about the vulnerability.
The term derives from the age of the exploit. A "zero day" attack occurs on or before the first or "zeroth" day of developer awareness, meaning the developer has not had any opportunity to distribute a security fix to users of the software.
Zero-day attacks occur during the vulnerability window that exists in the time between when a vulnerability is first exploited and when software developers start to develop a counter to that threat.
For viruses, Trojans and other zero-day attacks, the vulnerability window follows this time line:
The developer creates software containing an unknown vulnerability
The attacker finds the vulnerability before the developer does
The attacker writes and distributes an exploit while the vulnerability is not known to the developer
The developer becomes aware of the vulnerability and starts developing a fix.
The following answers are incorrect:
Exploit Attack
An exploit (from the verb to exploit, in the meaning of using something to one's own advantage) is a piece of software, a chunk of data, or sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerised). This frequently includes such things as gaining control of a computer system or allowing privilege escalation or a denial-of-service attack.
Vulnerability Attack
There is no such thing as the term Vulnerability Attack. However a vulnerability is synonyous with a weakness, it could be bad quality of software, a weakness within your physical security, or a weakness in your policies and procedures. An attacker will take advantage of a weakness and usually use an exploit to gain access to your systems without proper authorization or privilege.
Software Crack
Software cracking is the modification of software to remove or disable features which are considered undesirable by the person cracking the software, usually related to protection methods: copy protection, trial/demo version, serial number, hardware key, date checks,
CD check or software annoyances like nag screens and adware.
A crack is the software tool used to remove the need to insert a serial number or activation key.
The following reference(s) were/was used to create this question:
2011, Ethical Hacking and Countermeasures, EC-Council Official Curriculum, Book 1,
Page 9
https://en.wikipedia.org/wiki/Zero_day_attack
https://en.wikipedia.org/wiki/Exploit_%28computer_security%29
https://en.wikipedia.org/wiki/Software_cracking

 

質問 478
Which of the following System and Organization Controls (SOC) report types should an organization request if they require a period of time report covering security and availability for a particular system?

  • A. SOC 2 Type 2
  • B. SOC 1 Type1
  • C. SOC 2 Type 1
  • D. SOC 1Type2

正解: A

 

質問 479
Which of the following is a potential risk when a program runs in privileged mode?

  • A. It may serve to create unnecessary code complexity
  • B. It may create unnecessary application hardening
  • C. It may not enforce job separation duties
  • D. It may allow malicious code to be inserted

正解: D

 

質問 480
Knowledge-based Intrusion Detection Systems (IDS) are more common than:

  • A. Host-based IDS
  • B. Network-based IDS
  • C. Behavior-based IDS
  • D. Application-Based IDS

正解: C

解説:
Explanation/Reference:
Explanation:
An IDS can detect malicious behavior using two common methods. One way is to use knowledge-based detection which is more frequently used. The second detection type is behavior-based detection.
Incorrect Answers:
A: A Network-based IDS is not a type of Knowledge-based Intrusion Detection System.
B: A host-based IDS is not a type of Knowledge-based Intrusion Detection System.
D: An application-based IDS is not a type of Knowledge-based Intrusion Detection System.
References:
Stewart, James M., Ed Tittel, and Mike Chapple, CISSP: Certified Information Systems Security Professional Study Guide, 5th Edition, Sybex, Indianapolis, 2011, p. 56

 

質問 481
Which of the following is used in database information security to hide information?

  • A. Polymorphism
  • B. Delegation
  • C. Polyinstantiation
  • D. Inheritance

正解: C

解説:
Explanation/Reference:
Explanation:
Polyinstantiation is a process of interactively producing more detailed versions of objects by populating variables with different values or other variables. It is often used to prevent inference attacks by hiding information.
Incorrect Answers:
A: Inheritance is not used to hide database information. Within object orientation programming inheritance is a mechanism for code reuse and to allow independent extensions of the original software via public classes and interfaces.
C: Polymorphism is when different objects are given the same input and react differently. Polymorphism is not a way to hide database security information.
D: Delegation is a concept within object-oriented programming. Delegation does not concern information security for database.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, pp. 1136, 1186
http://en.wikipedia.org/wiki/Polyinstantiation
https://en.wikipedia.org/wiki/Polymorphism_(computer_science)

 

質問 482
Which of the following establishes the minimal national standards for certifying and accrediting national security systems?

  • A. NIACAP
  • B. TCSEC
  • C. HIPAA
  • D. DIACAP

正解: D

解説:
DIACAP
DITSCAP has been replaced by DIACAP (DoD Information Assurance Certification and
Accreditation Process) effective Nov 2007 for C&A within the Department of Defense.
The DoD Information Assurance Certification and Accreditation Process (DIACAP) is the
United States Department of Defense (DoD) process to ensure that risk management is applied on information systems (IS). DIACAP defines a DoD-wide formal and standard set of activities, general tasks and a management structure process for the certification and accreditation (C&A) of a DoD IS that will maintain the information assurance (IA) posture throughout the system's life cycle.
An interim version of the DIACAP was signed July 6, 2006 and superseded DITSCAP. The final version is titled Department of Defense Instruction 8510.01 and was signed on
November 28, 2007. It supersedes the Interim DIACAP Guidance.
NIACAP
National Information Assurance Certification and Accreditation Process (NIACAP), establishes the minimum national standards for certifying and accrediting national security systems. This process provides a standard set of activities, general tasks, and a management structure to certify and accredit systems that will maintain the Information
Assurance (IA) and security posture of a system or site.
HIPAA
The HIPAA legislation had four primary objectives:
(1) Assure health insurance portability by eliminating job-lock due to pre-existing medical conditions,
(2) Reduce healthcare fraud and abuse,
(3) Enforce standards for health information and
(4) Guarantee security and privacy of health information.
TCSEC
The TCSEC defines a hierarchy of various levels of security functionality and assurance criteria. Progression up the hierarchy involves the addition of security functionality and more stringent assurance criteria to enable users to place progressively more trust in the higher rated systems.
REFERENCES:
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, page 199.
Additional references: National Security Telecommunications and Information Systems
Security Committee, National Information Assurance Certification and Accreditation
Process (NIACAP).
And: U.S. Department of Defense, Defense Information Technology Security Certification and Accreditation Process (DITSCAP).
And: FAGIN, Daniel (SANS Institute), HIPAA Security Standards v1.2d.
And: IBM's Security Solutions Glossary.

 

質問 483
What is the expected outcome of security awareness in support of a security awareness program?

  • A. Awareness is not training. The purpose of awareness presentation is simply to focus attention on security.
  • B. Awareness is not an activity or part of the training but rather a state of persistence to support the program
  • C. Awareness activities should be used to focus on security concerns and respond to those concerns accordingly
  • D. Awareness is training. The purpose of awareness presentations is to broaden attention of security.

正解: D

 

質問 484
Which of the following Orange Book ratings represents the highest level of trust?

  • A. F6
  • B. B1
  • C. C2
  • D. B2

正解: D

解説:
Explanation/Reference:
Explanation:
The U.S. Department of Defense developed the Trusted Computer System Evaluation Criteria (TCSEC), which was used to evaluate operating systems, applications, and different products. These evaluation criteria are published in a book known as the Orange Book.
TCSEC provides a classification system that is divided into hierarchical divisions of assurance levels:
A. Verified protection
B. Mandatory protection
C. Discretionary protection
D. Minimal security
Classification A represents the highest level of assurance, and D represents the lowest level of assurance.
Each division can have one or more numbered classes with a corresponding set of requirements that must be met for a system to achieve that particular rating. The classes with higher numbers offer a greater degree of trust and assurance. So B2 would offer more assurance than B1, and C2 would offer more assurance than C1.
Incorrect Answers:
A: B1 has a lower level of trust than B2.
C: F6 is not a valid rating.
D: Division C has a lower level of trust than division B.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, pp. 392-393

 

質問 485
What is a security policy?

  • A. A statement that focuses on the authorization process for a system
  • B. High level statements on management's expectations that must be met in regards to security
  • C. A policy that defines authentication to the network.
  • D. A policy that focuses on ensuring a secure posture and expresses management approval. It explains in detail how to implement the requirements.

正解: B

解説:
A statement on the expectations that must be met to be considered compliant. This
is because a policy is a broad statement that management has approved of and stands behind to
express the security expectations for the organization.
The following answers are incorrect:
A statement that focuses on the authorization process for a system is incorrect because although
authorization might be an important element for meeting security policies, it is not the only focus.
A policy that defines authentication to the network is incorrect because authentication to the
network is only one aspect of an entire security concern. The policy must also focus on more than
the network and more than on authentication.
A policy that focuses on ensuring a secure posture and expresses management approval. It
explains in detail how to implement the requirements is incorrect due to the "explain in detail"
portion. A policy is a statement, it does not deal with specifics.
The following reference(s) were/was used to create this question:
Shon Harris, Latest All in Once CISSP Exam Prep p227; also ISC2 Official Guide to the CISSP
Exam, p82

 

質問 486
In regards to information classification what is the main responsibility of information (data) owner?

  • A. periodically check the validity and accuracy of the data
  • B. running regular data backups
  • C. audit the data users
  • D. determining the data sensitivity or classification level

正解: D

解説:
Making the determination to decide what level of classification the information
requires is the main responsibility of the data owner.
The data owner within classification is a person from Management who has been entrusted with a
data set that belong to the company. It could be for example the Chief Financial Officer (CFO) who
has been entrusted with all financial date or it could be the Human Resource Director who has
been entrusted with all Human Resource data. The information owner will decide what
classification will be applied to the data based on Confidentiality, Integrity, Availability, Criticality,
and Sensitivity of the data.
The Custodian is the technical person who will implement the proper classification on objects in
accordance with the Data Owner. The custodian DOES NOT decide what classification to apply, it
is the Data Owner who will dictate to the Custodian what is the classification to apply.
NOTE:
The term Data Owner is also used within Discretionary Access Control (DAC). Within DAC it
means the person who has created an object. For example, if I create a file on my system then I
am the owner of the file and I can decide who else could get access to the file. It is left to my
discretion. Within DAC access is granted based solely on the Identity of the subject, this is why
sometimes DAC is referred to as Identity Based Access Control.
The other choices were not the best answer
Running regular backups is the responsibility of custodian.
Audit the data users is the responsibility of the auditors
Periodically check the validity and accuracy of the data is not one of the data owner responsibility
Reference(s) used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, John Wiley & Sons, 2001, Page 14, Chapter 1: Security Management
Practices.

 

質問 487
Notifying the appropriate parties to take action in order to determine the extent of the severity of an incident and to remediate the incident's effects is part of:

  • A. Incident Recognition
  • B. Incident Evaluation
  • C. Incident Response
  • D. Incident Protection

正解: C

解説:
Explanation/Reference:
Explanation:
Incident Response includes notifying the appropriate parties to take action in order to determine the extent of the severity of an incident and to remediate the incident's effects.
Incorrect Answers:
A: Incident Evaluation is the process that would be performed by the "appropriate parties" to determine the extent of the severity of an incident. Incident Evaluation is not the process of notifying the appropriate parties about the incident.
B: Incident Recognition is the initial realization that an incident has occurred. After an incident is recognized, the appropriate parties should be notified about the incident. Incident Recognition is not the process of notifying the appropriate parties about the incident.
C: Incident Protection is not a defined incident management process.
References:
Krutz, Ronald L. and Russell Dean Vines, The CISSP and CAP Prep Guide: Mastering CISSP and CAP, Wiley Publishing, Indianapolis, 2007, p. 187

 

質問 488
Including a Trusted Platform Module (TPM) in the design of a computer system is an example of a technique to what?

  • A. Establish a secure initial state
  • B. Improve the quality of security software
  • C. Prevent Denial of Service (DoS) attacks
  • D. Interface with the Public Key Infrastructure (PKI)

正解: A

 

質問 489
Which of the following was developed by the National Computer Security Center (NCSC) for the US Department of Defense?

  • A. NIACAP
  • B. TCSEC
  • C. DIACAP
  • D. ITSEC

正解: B

解説:
Initially issued by the National Computer Security Center (NCSC) an arm of the National Security Agency in 1983 and then updated in 1985, TCSEC was replaced with the development of the Common Criteria international standard originally published in 2005.
References: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, pages 197-199. Wikepedia http://en.wikipedia.org/wiki/TCSEC

 

質問 490
Application Layer Firewalls operate at the:

  • A. OSI protocol Layer six, the Presentation Layer.
  • B. OSI protocol Layer five, the Session Layer.
  • C. OSI protocol Layer four, the Transport Layer.
  • D. OSI protocol Layer seven, the Application Layer.

正解: D

解説:
Since the application layer firewall makes decisions based on application-layer information in the packet, it operates at the application layer of the OSI stack. "OSI protocol layer 6, the presentation layer" is incorrect. The application layer firewall must have access to the application layer information in the packet and therefore operates at the application layer.
"OSI protocol layer 5, the session layer" is incorrect. The application layer firewall must have access to the application layer information in the packet and therefore operates at the application layer.
"OSI protocol layer 4, the transport layer" is incorrect. The application layer firewall must have access to the application layer information in the packet and therefore operates at the application layer.
References:
CBK, p. 467 AIO3, pp.488 - 490

 

質問 491
What is the MOST important element when considering the effectiveness of a training program for Business Continuity (BC) and Disaster Recovery (DR)?

  • A. Target audience
  • B. Management support
  • C. Consideration of organizational need
  • D. Technology used for delivery

正解: C

 

質問 492
What is a PRIMARY reason for designing the security kernel to be as small as possible?

  • A. Due to its compactness, the kernel is easier to formally verify.
  • B. The operating system cannot be easily penetrated by users.
  • C. System performance and execution are enhanced.
  • D. Changes to the kernel are not required as frequently.

正解: A

解説:
I disagree with the original answer which was B (changes to the kernel) and think it is C (Due to its compactness). However, use your best judgment based on knowledge and experience. Below is why I think it is C.
"There are three main requirements of the security kernel:
It must provide isolation for the processes carrying out the reference monitor concept and they
must be tamperproof.
The reference monitor must be invoked for every access attempt and must be impossible to
circumvent. Thus the reference monitor must be implemented in a complete and foolproof way.
It must be small enough to be able to be tested and verified in a complete and comprehensive
manner." - Shon Harris All-in-one CISSP Certification Guide pg 232-233

 

質問 493
Which statement below about the difference between analog and digital
signals is incorrect?

  • A. Analog signals cannot be used for data communications.
  • B. Adigital signal produces a saw-tooth wave form.
  • C. An analog signal produces an infinite waveform.
  • D. An analog signal can be varied by amplification.

正解: A

解説:
The correct answer is "Analog signals cannot be used for data communications". The other answers are all properties of analog or digital signals.

 

質問 494
How is remote authentication Dial-In user service (RADIUS) authentication accomplished?

  • A. It relies on Virtual Private Networks (VPN).
  • B. It uses clear text and shared secret keys.
  • C. It uses clear text and firewall rules.
  • D. It relies on asymmetric encryption keys.

正解: B

 

質問 495
......

合格率 取得する秘訣はCISSP認定試験エンジンPDF:https://jp.fast2test.com/CISSP-premium-file.html

今すぐ試そう!高評価ISC CISSP試験問題集:https://drive.google.com/open?id=14mqZ5Wcl0YAu4YSVdHqlsFDbF0S-XCnG


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어