Pass the ISC ISC 2 Credentials CISSP Questions and answers with CertsForce

The attack surface of an RFID system is the set of points where an attacker can interact with or influence the system. Different types of RFID vulnerabilities may affect different parts of the system, such as the tags, the readers, the middleware, or the backend database. Therefore, the most important consideration in selecting a security testing method based on different RFID vulnerability types is to have an understanding of the attack surface and the potential threats and risks associated with each part of the system. This will help to choose the most appropriate and effective testing method, such as passive or active scanning, tag cloning or spoofing, replay or relay attacks, or cryptographic analysis. References: Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 6: Security Assessment and Testing, pp. 1055-1056; CISSP All-in-One Exam Guide, Eighth Edition, Chapter 10: Security Assessment and Testing, pp. 1039-1040.

The best mitigation practice for man-in-the-middle (MITM) Voice over Internet Protocol (VoIP) attacks is to use Transport Layer Security (TLS) protocol. TLS is a protocol that provides secure and encrypted communication and connection between two systems or devices over an unsecured or public network, such as the internet. TLS can mitigate MITM VoIP attacks, because it can:

Verify and authenticate the identity and the validity of the systems or devices that are involved in the VoIP communication or connection, by using the digital certificates and the public keys, and prevent any impersonation, spoofing, or repudiation of the VoIP communication or connection.

Encrypt and decrypt the data or the information that are exchanged in the VoIP communication or connection, by using the public keys and the private keys, and prevent any interception, modification, or eavesdropping of the VoIP communication or connection.

Sign and verify the data or the information that are exchanged in the VoIP communication or connection, by using the digital signatures and the public keys, and ensure that the VoIP communication or connection are not altered, corrupted, or tampered with.

The other options are not the best mitigation practices for MITM VoIP attacks. Media Gateway Control Protocol (MGCP) is a protocol that provides the control and the management of the media gateways or the devices that convert the voice or the audio signals from one format or network to another format or network, such as from analog to digital, or from circuit-switched to packet-switched. MGCP does not mitigate MITM VoIP attacks, but rather facilitates the VoIP communication or connection, and it does not provide any security or encryption features or mechanisms. File Transfer Protocol (FTP) is a protocol that provides the transfer or the exchange of the files or the data between two systems or devices over a network, such as the internet. FTP does not mitigate MITM VoIP attacks, but rather supports the VoIP communication or connection, and it does not provide any security or encryption features or mechanisms. Secure Shell (SSH) is a protocol that provides secure and encrypted communication and connection between two systems or devices over an unsecured or public network, such as the internet. SSH can mitigate MITM VoIP attacks, but it is not the best option, because it is not designed or optimized for the VoIP communication or connection, and it may have some limitations or challenges, such as the bandwidth, the latency, or the compatibility of the protocol. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5: Communication and Network Security, page 589. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 5: Communication and Network Security, page 590.

Industrial control systems (ICS) are critical for the operation of many sectors such as energy, transportation, manufacturing, and water. Patching ICS software is a challenging task because it may require extensive testing, validation, and coordination to ensure that the patch does not introduce new vulnerabilities, affect the functionality, performance, or availability of the system, or cause any adverse impacts on the physical processes or safety. Testing a patch in an ICS may require more resources than the organization can commit, such as time, personnel, equipment, or budget. Therefore, this is the greatest impediment to deploying a patch for ICS software. References: Recommended Practice for Patch Management of Control Systems, ICS Security Patching: Never, Next, Now, Patching and Change Management: CISSP Domain 7

 The best permission that the developer should assign to the log file to ensure requirements are met is append. A log file is a type of file that records and stores the information or the data about the activities, events, or issues that occur on a system or a network, or on a software application, such as the user activity. A log file can provide various benefits, such as monitoring, auditing, reporting, or troubleshooting the system, the network, or the software application. A permission is a type of access right or privilege that grants or denies the user or the role the ability to perform certain actions or tasks on a system or a network, or on a file or a folder, such as the log file. A permission can be classified into four types, which are:

Read: The user or the role can view or read the content or the information of the file or the folder.

Write: The user or the role can modify or overwrite the content or the information of the file or the folder.

Execute: The user or the role can run or execute the file or the folder, if it is an executable file or a folder.

Append: The user or the role can add or append new content or information to the end of the file or the folder, but cannot modify or overwrite the existing content or information of the file or the folder. Append is the best permission that the developer should assign to the log file to ensure requirements are met, as it can provide the user or the role with the necessary and sufficient access right or privilege to create and store the log entries or records of the user activity, without compromising the security or the integrity of the log file . References: [CISSP CBK, Fifth Edition, Chapter 6, page 581]; [100 CISSP Questions, Answers and Explanations, Question 14].

 The role that the CIO has a primary obligation to work with in order to ensure proper protection of data during and after the cloud migration is the Chief Information Security Officer (CISO). The CISO is the senior executive who is responsible for establishing, implementing, and maintaining the information security strategy, policies, and programs of the organization, and for ensuring the alignment and integration of the information security objectives and activities with the business goals and operations of the organization. The CISO is the role that the CIO has a primary obligation to work with in order to ensure proper protection of data during and after the cloud migration, as the CISO can provide the leadership, guidance, and expertise for the information security aspects of the cloud migration, such as the risk assessment, the security controls, the compliance requirements, the incident response, and the security monitoring of the cloud services . References: [CISSP CBK, Fifth Edition, Chapter 1, page 28]; [100 CISSP Questions, Answers and Explanations, Question 20].

The description that best describes centralized identity management is that service providers perform as both the credential and identity provider (IdP). Identity management is a type of process that involves defining, verifying, and managing the identity or the information of the users or the entities that access or use a system or a network, or a service or an application, using various methods, such as credentials, identifiers, or attributes. Identity management can provide various benefits, such as enhancing the security, functionality, or usability of the system or the network, or of the service or the application, and ensuring the compliance or alignment with the standards or regulations. Identity management can be classified into various types, such as centralized, decentralized, or federated. Centralized identity management is a type of identity management that involves using or applying a single or a central authority or entity, such as a server or a database, to control and manage the identity or the information of the users or the entities, and to provide or grant the access or the authorization to the users or the entities, for accessing or using the system or the network, or the service or the application. Centralized identity management can provide various benefits, such as simplicity, consistency, or scalability. Centralized identity management can also include various roles or functions, such as:

Credential provider: The role or the function that involves creating and issuing the credentials, such as passwords, tokens, or certificates, to the users or the entities, for authenticating or verifying the identity or the information of the users or the entities, and for accessing or using the system or the network, or the service or the application.

Identity provider (IdP): The role or the function that involves storing and managing the identifiers, such as usernames, email addresses, or phone numbers, and the attributes, such as names, roles, or preferences, of the users or the entities, and providing or sharing the identifiers and the attributes of the users or the entities, with the system or the network, or with the service or the application, for identifying or recognizing the users or the entities, and for accessing or using the system or the network, or the service or the application.

Service provider: The role or the function that involves offering or delivering the system or the network, or the service or the application, to the users or the entities, and requesting or receiving the credentials, the identifiers, or the attributes of the users or the entities, from the credential provider or the identity provider, for authenticating, authorizing, or personalizing the users or the entities, and for accessing or using the system or the network, or the service or the application.

Audit capability is the ability of a system or application to generate and store audit records that can be used to monitor, analyze, and investigate the activities and events that occur within the system or application. Audit records should contain sufficient information to identify the who, what, when, where, and how of each auditable event. This information is essential for accountability, nonrepudiation, and forensic analysis. Therefore, when assessing the audit capability of an application, the most important activity is to determine if the audit records contain sufficient information. Reviewing the security plan for actions to be taken in the event of audit failure, verifying if sufficient storage is allocated for audit records, and identifying procedures to investigate suspicious activity are also important activities, but they are secondary to the quality of the audit records. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 7, Security Operations, page 654. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 7, Security Operations, page 705.

802.1x is the standard that will best help secure the VoIP network from unauthorized users. 802.1x is a protocol that provides port-based network access control, which means that it controls the access to a network port based on the authentication and authorization of the device or the user that is trying to connect to the port. 802.1x can be used to secure the VoIP network by preventing unauthorized devices or users from accessing the network ports that are used for VoIP communication, such as the ports on the switches, routers, or phones. 802.1x can also prevent unauthorized devices or users from accessing the network resources or services that are available through the VoIP network, such as voice mail, call forwarding, or conferencing. 802.1x can also prevent unauthorized devices or users from eavesdropping, intercepting, or modifying the VoIP traffic, by encrypting the communication between the devices and the network ports. The other options are not the standards that will best help secure the VoIP network from unauthorized users, as they either do not provide port-based network access control, do not apply to VoIP communication, or do not exist. References: CISSP - Certified Information Systems Security Professional, Domain 4. Communication and Network Security, 4.2 Secure network components, 4.2.2 Implement secure communication channels, 4.2.2.2 Network access control (NAC); CISSP Exam Outline, Domain 4. Communication and Network Security, 4.2 Secure network components, 4.2.2 Implement secure communication channels, 4.2.2.2 Network access control (NAC)

A third-party federated identity architecture is a system that allows users to access multiple services or applications across different domains or organizations using a single identity. The most significant benefit of implementing such an architecture is that it enables business objectives so departments can focus on their mission rather than the business of identity management. By delegating the authentication and authorization processes to a trusted third party, the departments can reduce the complexity, cost, and risk of managing their own identity systems, and improve the user experience and satisfaction. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5: Identity and Access Management, page 239; [Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 5: Identity and Access Management (IAM), page 397]

The best recommendation to make is to setup a network firewall. A network firewall is a device or a software that monitors and controls the incoming and outgoing network traffic based on predefined rules and policies. A network firewall can protect the email, web, and FTP servers from attacks by blocking or filtering the malicious or unwanted traffic, such as denial-of-service, port scanning, or brute force attacks. A network firewall can also log and audit the network activity and provide alerts and reports on the security incidents. The other options are not as effective as setting up a network firewall, as they either do not protect all the servers, do not control the network traffic, or do not prevent the attacks. References: CISSP - Certified Information Systems Security Professional, Domain 4. Communication and Network Security, 4.2 Secure network components, 4.2.1 Establish secure communication channels, 4.2.1.2 Transmission methods; CISSP Exam Outline, Domain 4. Communication and Network Security, 4.2 Secure network components, 4.2.1 Establish secure communication channels, 4.2.1.2 Transmission methods

A tamper seal is a device or material that is attached to a computer system’s case to indicate whether the case has been opened or tampered with. The main purpose of placing a tamper seal on a computer system’s case is to detect efforts to open the case, as the seal will be broken or damaged if someone tries to access the internal components of the system. This can help deter unauthorized access, prevent physical damage or theft, and provide evidence for forensic investigation. Raising security awareness is not the main purpose of placing a tamper seal on a computer system’s case, although it may have a secondary effect of reminding users of the importance of physical security. Expediting physical auditing is not the main purpose of placing a tamper seal on a computer system’s case, although it may have a secondary effect of simplifying the process of checking the integrity of the system. Making it difficult to steal internal components is not the main purpose of placing a tamper seal on a computer system’s case, although it may have a secondary effect of increasing the effort and risk of the attacker. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5: Security Architecture and Engineering, p. 409. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 3: Security Architecture and Engineering, p. 298.

The best statement for a professional to include as part of a business continuity (BC) procedure is that a full data backup must be done based on the needs of the business. A business continuity procedure is a set of steps or actions that should be followed to ensure the continuity of critical business functions and processes in the event of a disruption or disaster. A full data backup is a type of backup that copies all the data from a system or resource to another storage medium, such as a tape, a disk, or a cloud. A full data backup provides the most complete and reliable recovery option, as it restores the system or resource to its original state. A full data backup must be done based on the needs of the business, meaning that it should consider the factors such as the recovery time objective (RTO), the recovery point objective (RPO), the frequency of data changes, the importance of data, the cost of backup, and the available resources. A full data backup must not be done upon management request, as this may not reflect the actual needs of the business, and may result in unnecessary or insufficient backup. An incremental data backup is a type of backup that copies only the data that has changed since the last backup, whether it was a full or an incremental backup. An incremental data backup saves time and space, but it requires more steps and dependencies to restore the system or resource. An incremental data backup must not be done upon management request or after each system change, as this may not meet the needs of the business, and may cause inconsistency or redundancy in the backup. References:

[Business Continuity Procedure]

[Backup Types: Full, Incremental, Differential, Synthetic, and Forever-Incremental]

[Backup and Recovery Best Practices]

The retention period for an organization’s social media content should be defined by the records retention policy of the organization, which is a policy that specifies how long and in what format the organization’s records, such as documents, e-mails, or social media posts, should be kept, stored, and disposed of. The records retention policy of the organization should be based on the legal, regulatory, operational, and historical requirements of the organization, and should also consider the risks and benefits of retaining or deleting the records. The records retention policy of the organization should apply to all types of records, regardless of the media or the platform they are created or stored on. The retention policies of each social media service is not a valid way to define the retention period for an organization’s social media content, as they are the policies that specify how long and in what format the social media service keeps, stores, and disposes of the user’s content, not the organization’s content. The retention policies of each social media service may not be aligned with the organization’s legal, regulatory, operational, and historical requirements, and may also not be consistent or reliable. The Chief Information Officer (CIO) is not a valid way to define the retention period for an organization’s social media content, as the CIO is the senior executive who is responsible for the overall strategy, planning, implementation, and management of the organization’s information technology (IT) and information systems (IS), not the records retention policy. The CIO may be involved in the development and approval of the records retention policy, but not in the definition of the retention period for each type of record. The amount of available storage space is not a valid way to define the retention period for an organization’s social media content, as the amount of available storage space is a technical and operational factor that affects the capacity and performance of the organization’s IT and IS, not the records retention policy. The amount of available storage space may not be relevant or sufficient to meet the legal, regulatory, operational, and historical requirements of the organization, and may also change over time. References: Official (ISC)2 Guide to the CISSP CBK, Fifth Edition, Chapter 7: Security Operations, page 365. CISSP All-in-One Exam Guide, Eighth Edition, Chapter 8: Business Continuity and Disaster Recovery Planning, page 500.

A strongly typed programming language is a type of programming language that enforces strict rules and constraints on the data types and operations that can be used in the code. A strongly typed language prevents or detects errors such as type mismatch, type conversion, or memory allocation at compile time or run time, and ensures that the code executes safely and only as intended. A strongly typed language also supports features such as type inference, type checking, and type safety, which enhance the readability, maintainability, and security of the code. Examples of strongly typed languages are Java, C#, and Python. A strongly typed language is different from a weakly typed language, which is a type of programming language that allows more flexibility and leniency on the data types and operations that can be used in the code. A weakly typed language may perform implicit type conversion, type coercion, or type casting at run time, and may not detect or report errors until they cause unexpected or undesirable results. A weakly typed language may also have features such as dynamic typing, duck typing, or polymorphism, which enable the code to handle different types of data or objects at run time. Examples of weakly typed languages are JavaScript, PHP, and Perl. A strongly typed language is also different from a statically typed language, which is a type of programming language that assigns and checks the data types of variables and expressions at compile time. A statically typed language requires the programmer to declare the data types of variables and expressions explicitly in the code, and ensures that the code is consistent and compatible with the data types before execution. Examples of statically typed languages are C, C++, and Java. A statically typed language is also different from a dynamically typed language, which is a type of programming language that assigns and checks the data types of variables and expressions at run time. A dynamically typed language does not require the programmer to declare the data types of variables and expressions explicitly in the code, and allows the code to adapt and change the data types during execution. Examples of dynamically typed languages are Python, Ruby, and JavaScript. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 10: Software Development Security, page 657. Official (ISC)² CISSP CBK Reference, Fifth Edition, Domain 8: Software Development Security, page 1009.

 A penetration test is the best type of assessment to gain a comprehensive understanding of the startup’s security posture. A penetration test is a simulated attack on a system or a network, performed by authorized testers, to evaluate the security and vulnerability of the system or network. A penetration test can provide the following benefits for the IT consulting firm that is considering acquiring the startup:

It can reveal the actual risks and impacts of the potential attacks or threats on the system or network, by exploiting the vulnerabilities or weaknesses in the system or network.

It can measure the effectiveness and maturity of the security controls and policies implemented by the system or network, by testing the detection, prevention, and response capabilities of the system or network.

It can provide the recommendations and solutions for improving the security and resilience of the system or network, by identifying and prioritizing the remediation actions for the system or network. A penetration test can provide more comprehensive and realistic information about the startup’s security posture than other types of assessments, such as a security audit, a tabletop exercise, or a security threat model, which are more theoretical, formal, or hypothetical in nature. References: CISSP All-in-One Exam Guide, Chapter 6: Security Assessment and Testing, Section: Penetration Testing, pp. 553-554.