Pass the ISC ISC 2 Credentials CISSP Questions and answers with CertsForce

Role-Based Access Control (RBAC) is the type of access control that determines the authorization to resources based on predefined job titles within an organization. RBAC is a model of access control that assigns roles to users based on their functions, responsibilities, or qualifications, and grants permissions to resources based on the roles. RBAC simplifies the management and administration of access control, as it reduces the complexity and redundancy of assigning permissions to individual users or groups. RBAC also enhances the security and compliance of access control, as it enforces the principle of least privilege and the separation of duties. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5: Identity and Access Management, page 203. Free daily CISSP practice questions, Question 4.

The data that must be handled according to the privacy protections of General Data Protection Regulation (GDPR) is only the EU residents’ data. GDPR is a regulation that aims to protect the personal data and privacy of the individuals who reside in the European Union (EU), and to harmonize the data protection laws and practices across the EU member states. GDPR applies to any organization that processes the personal data of the EU residents, regardless of the location, citizenship, or nationality of the data subjects, or the organization. Therefore, the organization with divisions in the US and the UK must handle only the EU residents’ data according to the GDPR, and comply with the GDPR requirements and obligations, such as the data protection principles, the data subject rights, the data breach notification, or the data protection impact assessment12. References: CISSP CBK, Fifth Edition, Chapter 2, page 87; CISSP Practice Exam – FREE 20 Questions and Answers, Question 18.

A penetration test is a type of security assessment that simulates a real-world attack on a system or network, with the permission and authorization of the owner, to identify and exploit the vulnerabilities and weaknesses that may compromise the security of the system or network. A penetration test can help to evaluate the effectiveness and resilience of the security controls and measures that are implemented on the system or network, as well as to provide recommendations and solutions to improve the security posture of the system or network. One of the primary challenges when running a penetration test is determining the depth of coverage. The depth of coverage is the extent and level of detail that the penetration test will cover in terms of the scope, objectives, and methodology of the test. The depth of coverage can vary depending on the type, purpose, and budget of the penetration test, as well as the expectations and requirements of the organization and the stakeholders. The depth of coverage can affect the quality and accuracy of the penetration test results, as well as the time and resources that are needed to conduct the penetration test. Therefore, determining the depth of coverage is a critical and challenging task when running a penetration test, as it requires a careful balance and trade-off between the security and business needs of the organization and the stakeholders. Determining the cost, establishing a business case, or remediating found vulnerabilities are not the primary challenges when running a penetration test, as they are more related to the management, justification, or improvement aspects of the penetration test. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 18: Security Assessment and Testing, page 1003; CISSP Official (ISC)2 Practice Tests, Third Edition, Domain 6: Security Assessment and Testing, Question 6.10, page 246.

 The security principle that this company is affecting is availability, which is the ability of authorized users to access and use the resources and information of the system or network. By implementing a password complexity and an account lockout policy, the company is trying to enhance the security and authentication of the system or network, but it may also reduce the availability of the system or network for the legitimate users. If the users forget their passwords, or enter them incorrectly, or become victims of brute-force or denial-of-service attacks, they may be locked out of the system or network, and unable to perform their tasks or functions. Therefore, the company should balance the security and availability of the system or network, and consider the impact of the password and account lockout policy on the users and the business12. References: CISSP CBK, Fifth Edition, Chapter 1, page 17; CISSP Practice Exam – FREE 20 Questions and Answers, Question 13.

In a DevOps environment, automating functionality testing is the most necessary action to have confidence in the quality of the changes being made. DevOps is a methodology that integrates the development and operations teams and processes, and aims to deliver software products or services faster, more frequently, and more reliably. Functionality testing is a type of testing that verifies that the software product or service meets the functional requirements and specifications, and performs as expected. Automating functionality testing means using tools or scripts to execute the test cases and scenarios, and compare the actual results with the expected results, without human intervention. Automating functionality testing can improve the speed, accuracy, and coverage of the testing process, and it can enable continuous testing and feedback throughout the software development life cycle. The other options are not correct. Preparing to take corrective actions quickly is a good practice in a DevOps environment, as it can help to resolve any issues or defects that may arise during the software delivery process, but it is not the most necessary action to have confidence in the quality of the changes being made. Receiving approval from the change review board is not a common practice in a DevOps environment, as it can slow down the software delivery process and introduce bureaucracy and bottlenecks. Reviewing logs for any anomalies is a useful practice in a DevOps environment, as it can help to monitor and troubleshoot the performance and behavior of the software product or service, but it is not the most necessary action to have confidence in the quality of the changes being made. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 6: Security Assessment and Testing, page 700. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 6: Security Assessment and Testing, page 698.

Negative testing is an example of the type of testing that the security team performed on the organization’s customer service portal. Negative testing is a technique that tests the system or the application with invalid, unexpected, or erroneous inputs or data, such as alphabets in a numeric field, special characters in a text field, or null values in a mandatory field. Negative testing can help to evaluate the robustness, stability, and error handling of the system or the application, and to identify and fix the bugs, flaws, or vulnerabilities that may cause the system or the application to crash, malfunction, or behave unpredictably. The other options are not examples of the type of testing that the security team performed on the organization’s customer service portal, as they either do not involve invalid, unexpected, or erroneous inputs or data, or do not match the outcome of the testing. References: CISSP - Certified Information Systems Security Professional, Domain 8. Software Development Security, 8.2 Understand and apply security in the software development life cycle, 8.2.2 Assess the effectiveness of software security, 8.2.2.1 Testing methods; CISSP Exam Outline, Domain 8. Software Development Security, 8.2 Understand and apply security in the software development life cycle, 8.2.2 Assess the effectiveness of software security, 8.2.2.1 Testing methods

Attribute-based access control (ABAC) is a type of access control that includes a system that allows only users that are type=managers and department=sales to access employee records. ABAC is a flexible and granular access control model that uses attributes to define access rules and policies, and to make access decisions. Attributes are characteristics or properties of entities, such as users, resources, actions, or environments. For example, a user attribute can be the role, department, clearance, or location of the user. A resource attribute can be the type, classification, owner, or location of the resource. An action attribute can be the read, write, execute, or delete operation on the resource. An environment attribute can be the time, date, network address, or device of the access request. ABAC evaluates the attributes of the subject (user), the object (resource), the requested action, and the environment, and compares them with the predefined rules and policies to grant or deny access. For example, a rule can state that only users with the attribute type=managers and department=sales can access resources with the attribute type=employee records and action=read. ABAC can enforce dynamic and context-aware access control policies, and support complex scenarios involving multiple subjects, objects, and actions. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5: Identity and Access Management, page 294. Official (ISC)² CISSP CBK Reference, Fifth Edition, Domain 5: Identity and Access Management (IAM), page 607.

The most effective preventative method to identify security flaws in software is to perform a structured code review. A security flaw is a defect or weakness in the software that can compromise or affect the security of the software, such as the confidentiality, integrity, availability, or accountability of the software, or the data or information that is processed or stored by the software. A security flaw can also expose the software to various security threats or risks, such as unauthorized access, data leakage, or malware infection. A security flaw can be identified or detected by using various methods or techniques, such as testing, scanning, or auditing, that can analyze or evaluate the software for any security vulnerabilities, weaknesses, or flaws. A structured code review is a method or technique that can be used to identify security flaws in software. A structured code review is a process that involves the systematic and comprehensive examination or inspection of the source code or the program code of the software, by the developers, testers, or reviewers, to identify or detect any errors, bugs, or flaws in the code, that may affect the functionality, performance, or security of the software. A structured code review can help to identify security flaws in software, by using various methods or techniques, such as manual review, automated review, or peer review, that can check or verify the quality, accuracy, or compliance of the code, as well as by using various tools or standards, such as code analyzers, code checkers, or code guidelines, that can assist or support the code review process. A structured code review can also help to prevent security flaws in software, by identifying or detecting the security flaws in the early stages of the software development life cycle, such as the design, development, or implementation phases, rather than in the later stages of the software development life cycle, such as the testing, deployment, or maintenance phases, and by allowing the correction or remediation of the security flaws before they become more costly, complex, or critical. Monitoring performance in production environments, performing application penetration testing, or using automated security

The log of the transported media and its classification marking would help the incident management team to most effectively analyze the business impact of the robbery. A log is a record of events or activities that occur on a system or a process, such as backup or transport. A classification marking is a label or a tag that indicates the level of sensitivity or confidentiality of the data or the media, such as public, internal, confidential, or secret. A log of the transported media and its classification marking would provide the incident management team with the information about what type of media and data was stolen, how sensitive or critical the data was, and what potential consequences or damages the data loss could cause to the organization or its customers. This information would help the incident management team to assess the severity and scope of the incident, and to prioritize and implement the appropriate response and recovery actions. A log of backup administrative actions, a log of the transported media and its detailed contents, and a log of backed up data and their respective data custodians are not as helpful as a log of the transported media and its classification marking, as they may not provide the relevant or sufficient information to analyze the business impact of the robbery, or they may be too cumbersome or impractical to maintain or access. References:

Incident Management

Data Classification

Backup and Recovery

 Software defined networking (SDN) is a network architecture that decouples the control plane from the data plane, allowing for more flexibility and programmability of network functions. The SDN controller is the architectural component that acts as the brain of the SDN network, communicating with both the SDN applications and the SDN data paths. The SDN controller is responsible for translating the network requirements from the SDN applications, such as security policies, routing rules, or load balancing, into instructions for the SDN data paths, such as switches, routers, or firewalls, to implement them. The SDN controller also monitors the network state and provides feedback to the SDN applications. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 9: Communication and Network Security, page 573. Official (ISC)² CISSP CBK Reference, Fifth Edition, Domain 4: Communication and Network Security, page 663.

 Cookie manipulation is a technique that allows an attacker to intercept, modify, or forge a cookie, which is a piece of data that is used to maintain the state of a web session. By manipulating the cookie, the attacker can hijack the session and gain unauthorized access to the web application. Known-plaintext attack, DoS, and SQL injection are not directly related to session hijacking, although they can be used for other purposes, such as breaking encryption, disrupting availability, or executing malicious commands. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 6: Communication and Network Security, page 729; Official (ISC)2 Guide to the CISSP CBK, Fifth Edition, Chapter 4: Communication and Network Security, page 522.

 The technique that an organization should use to assure application integrity is digital signing. Digital signing is a technique that uses cryptography to generate a digital signature for a message or a document, such as an application. The digital signature is a value that is derived from the message and the sender’s private key, and it can be verified by the receiver using the sender’s public key. Digital signing can help to assure application integrity, which means that the application has not been altered or tampered with during the transmission or storage. Digital signing can also help to assure application authenticity, which means that the application originates from the legitimate source. Application authentication, input validation, and device encryption are not techniques that can assure application integrity, but they can help to assure application security, usability, or confidentiality, respectively. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5: Security Engineering, page 607; Official (ISC)2 Guide to the CISSP CBK, Fifth Edition, Chapter 3: Security Architecture and Engineering, page 388.

The most effective practice in managing user accounts when an employee is terminated is to implement processes for automated removal of access for terminated employees. This practice can ensure that the access rights of the terminated employee are revoked as soon as possible, preventing any unauthorized or malicious use of the account. Automated removal of access can be achieved by using software tools or scripts that can disable or delete the account, remove it from any groups or roles, and revoke any permissions or privileges associated with the account. Automated removal of access can also reduce the human errors or delays that may occur in manual processes, and provide an audit trail of the actions taken. Deleting employee network and system IDs upon termination, manually removing terminated employee user-access to all systems and applications, and disabling terminated employee network ID to remove all access are all possible ways to manage user accounts when an employee is terminated, but they are not as effective as automated removal of access. Deleting employee network and system IDs upon termination may cause problems with data retention, backup, or recovery, and may not remove all traces of the account from the systems. Manually removing terminated employee user-access to all systems and applications may be time-consuming, error-prone, or incomplete, and may depend on the cooperation and coordination of different administrators or departments. Disabling terminated employee network ID to remove all access may not be sufficient, as the account may still exist and be reactivated, or may have access to some resources that are not controlled by the network ID. 

The preferred access control mechanism for an IT infrastructure project with high employee turnover is Role-Based Access Control (RBAC). RBAC is a type of access control model that assigns permissions to users based on their roles or functions within the organization, rather than on their individual identities or attributes. RBAC can be preferred for an IT infrastructure project with high employee turnover because it can simplify the management and the administration of the user accounts and access rights. RBAC can reduce the administrative overhead and ensure the consistency and accuracy of the user accounts and access rights, by using predefined roles or groups that have defined privileges. RBAC can also facilitate the identity lifecycle management activities, such as provisioning, review, or revocation, by adding or removing users from the roles or groups based on their current jobs. RBAC can also provide some benefits for security, such as enforcing the principle of least privilege, facilitating the separation of duties, and supporting the audit and compliance activities. Attribute Based Access Control (ABAC), Discretionary Access Control (DAC), and Mandatory Access Control (MAC) are not the preferred access control mechanisms for an IT infrastructure project with high employee turnover, although they may be related or useful access control models. ABAC is a type of access control model that assigns permissions to users with policies that combine attributes together. Attributes are characteristics or properties of the users, the objects, the environment, or the actions. ABAC can provide some benefits for access control, such as enhancing the flexibility and the granularity of the permissions, supporting the dynamic and complex scenarios, and enabling the interoperability and scalability of the systems or the network. However, ABAC is not preferred for an IT infrastructure project with high employee turnover, as it can be difficult and costly to implement and manage, due to the large number and variety of attributes and policies, and the lack of standardization and validation of the attributes and policies. DAC is a type of access control model that assigns permissions to users based on their identities or their ownership of the objects. DAC is enforced by the owner or the creator of the object, who can grant or revoke permissions to other users at their discretion. DAC can provide some benefits for access control, such as enhancing the flexibility and the usability of the permissions, supporting the user collaboration and sharing, and enabling the user autonomy and responsibility. However, DAC is not preferred for an IT infrastructure project with high employee turnover, as it can be insecure and inconsistent, due to the lack of centralized control and oversight of the permissions, and the potential for excessive or unauthorized permissions. MAC is a type of access control model that assigns permissions to users and objects based on their security labels, which indicate their level of sensitivity or trustworthiness. MAC is enforced by the system or the network, rather than by the owner or the creator of the object, and it cannot be modified or overridden by the users. MAC can provide some benefits for access control, such as enhancing the confidentiality and the integrity of the data, preventing unauthorized access or disclosure, and supporting the audit and compliance activities. However, MAC is not preferred for an IT infrastructure project with high employee turnover, as it can be rigid and complex, due to the strict and predefined rules and policies of the permissions, and the difficulty and overhead of assigning and maintaining the security labels. 

Log analysis is the most essential method to recognize a system attack. Log analysis is the process of collecting, reviewing, and interpreting the records of events and activities that occur on a system or a network. Logs can provide valuable information and evidence about the source, nature, and impact of an attack, as well as the actions and responses of the system or the network. Log analysis can help to detect and analyze anomalies, patterns, trends, and indicators of compromise, as well as to identify and correlate the root cause, scope, and severity of an attack. Log analysis can also help to support incident response, forensic investigation, audit, and compliance activities. Log analysis requires the use of appropriate tools, techniques, and procedures, as well as the implementation of effective log management practices, such as log generation, collection, storage, retention, protection, and disposal. Stateful firewall, distributed antivirus, and passive honeypot are not the methods that must be in place to recognize a system attack, although they may be related or useful techniques. Stateful firewall is a type of network security device that monitors and controls the incoming and outgoing network traffic based on the state, context, and rules of the network connections. Stateful firewall can help to prevent or mitigate some types of attacks, such as denial-of-service, spoofing, or port scanning, by filtering or blocking the packets that do not match the established or expected state of the connection. However, stateful firewall is not sufficient to recognize a system attack, as it may not be able to detect or analyze the attacks that bypass or exploit the firewall rules, such as application-layer attacks, encryption-based attacks, or insider attacks. Distributed antivirus is a type of malware protection solution that uses a centralized server and multiple agents or clients to scan, detect, and remove malware from the systems or the network. Distributed antivirus can help to prevent or mitigate some types of attacks, such as viruses, worms, or ransomware, by updating and applying the malware signatures, heuristics, or behavioral analysis to the systems or the network. However, distributed antivirus is not sufficient to recognize a system attack, as it may not be able to detect or analyze the attacks that evade or disable the antivirus solution, such as zero-day attacks, polymorphic malware, or rootkits. Passive honeypot is a type of decoy system or network that mimics the real system or network and attracts the attackers to interact with it, while monitoring and recording their activities. Passive honeypot can help to divert or distract some types of attacks, such as reconnaissance, scanning, or probing, by providing false or misleading information to the attackers, while collecting valuable intelligence about their techniques, tools, or motives. However, passive honeypot is not sufficient to recognize a system attack, as it may not be able to detect or analyze the attacks that target the real system or network, or that avoid or identify the honeypot.