(ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests. Mike Chapple
Читать онлайн книгу.
a target's operating system for a penetration tester?NmapNessusNiktosqlmap
38 Susan needs to predict high-risk areas for her organization and wants to use metrics to assess risk trends as they occur. What should she do to handle this?Perform yearly risk assessments.Hire a penetration testing company to regularly test organizational security.Identify and track key risk indicators.Monitor logs and events using a SIEM device.
39 What major difference separates synthetic and passive monitoring?Synthetic monitoring works only after problems have occurred.Passive monitoring cannot detect functionality issues.Passive monitoring works only after problems have occurred.Synthetic monitoring cannot detect functionality issues.For questions 40–42, please refer to the following scenario. Chris uses the standard penetration testing methodology shown here. Use this methodology and your knowledge of penetration testing to answer questions about tool usage during a penetration test.
40 What task is the most important during Phase 1, Planning?Building a test labGetting authorizationGathering appropriate toolsDetermining if the test is white, black, or gray box
41 Which of the following tools is most likely to be used during discovery?NessusjohnNmapNikto
42 Which of these concerns is the most important to address during planning to ensure that the reporting phase does not cause problems?Which CVE format to useHow the vulnerability data will be stored and sentWhich targets are off-limitsHow long the report should be
43 What four types of coverage criteria are commonly used when validating the work of a code testing suite?Input, statement, branch, and condition coverageFunction, statement, branch, and condition coverageAPI, branch, bounds, and condition coverageBounds, branch, loop, and condition coverage
44 As part of his role as a security manager, Jacob provides the following chart to his organization's management team. What type of measurement is he providing for them?A coverage rate measureA key performance indicatorA time to live metricA business criticality indicator
45 What does using unique user IDs for all users provide when reviewing logs?ConfidentialityIntegrityAvailabilityAccountability
46 Which of the following is not an interface that is typically tested during the software testing process?APIsNetwork interfaces UIsPhysical interfaces
47 Alan's organization uses the Security Content Automation Protocol (SCAP) to standardize its vulnerability management program. Which component of SCAP can Alan use to reconcile the identity of vulnerabilities generated by different security assessment tools?OVALXCCDFCVESCE
48 Susan is reviewing software testing coverage data and sees the information shown in the following figure. What can she determine about this testing process? (Select all answers that apply.)The testing does not have full coverage.Test 4 completed with no failures.Test 2 failed to run successfully.The testing needs to be run a fifth time.
49 Which of the following strategies is not a reasonable approach for remediating a vulnerability identified by a vulnerability scanner?Install a patch.Use a workaround fix.Update the banner or version number.Use an application layer firewall or IPS to prevent attacks against the identified vulnerability.
50 During a penetration test, Selah calls her target's help desk claiming to be the senior assistant to an officer of the company. She requests that the help desk reset the officer's password because of an issue with his laptop while traveling and persuades them to do so. What type of attack has she successfully completed?Zero knowledgeHelp desk spoofingSocial engineeringBlack box
51 In this image, what issue may occur due to the log handling settings?Log data may be lost when the log is archived.Log data may be overwritten.Log data may not include needed information.Log data may fill the system disk.
52 Which of the following is not a hazard associated with penetration testing?Application crashesDenial of service BlackoutsData corruption
53 Which NIST special publication covers the assessment of security and privacy controls?800-12800-53A800-34800-86
54 Michelle is conducting a quantitative business impact assessment and wants to collect data to determine the dollar cost of downtime. What information would she need from outages during the previous year to calculate the cost of those outages to the business? (Select all that apply.)The total amount of time the business was downThe number of personnel hours worked to recover from the outageThe business lost during the outage per hour in dollarsThe average employee wage per hour
55 If Kara's primary concern is preventing eavesdropping attacks, which port should she block?22804431433
56 If Kara's primary concern is preventing administrative connections to the server, which port should she block?22804431433
57 During a third-party audit, Jim's company receives a finding that states, “The administrator should review backup success and failure logs on a daily basis and take action in a timely manner to resolve reported exceptions.” What potential problem does this finding indicate?Administrators will not know if the backups succeeded or failed.The backups may not be properly logged.The backups may not be usable.The backup logs may not be properly reviewed.
58 Jim is helping his organization decide on audit standards for use throughout their international organization. Which of the following is not an IT standard that Jim's organization is likely to use as part of its audits?COBITSSAE-18ITILISO 27001
59 Nicole wants to conduct a standards-based audit of her organization. Which of the following is commonly used to describe common requirements for information systems?IECCOBITFISADMCA
60 Kelly's team conducts regression testing on each patch that they release. What key performance measure should they maintain to measure the effectiveness of their testing?Time to remediate vulnerabilitiesA measure of the rate of defect recurrenceA weighted risk trendA measure of the specific coverage of their testing
61 Which of the following types of code review is not typically performed by a human?Software inspectionsPair programmingStatic program analysisSoftware walk-throughsFor questions 62–64, please refer to the following scenario:Susan is the lead of a quality assurance team at her company. The team has been tasked with the testing for a major release of their company's core software product.
62 Susan's team of software testers are required to test every code path, including those that will only be used when an error condition occurs. What type of testing environment does her team need to ensure complete code coverage?White boxGray boxBlack boxDynamic
63 As part of the continued testing of their new application, Susan's quality assurance team has designed a set of test cases for a series of black-box tests. These functional tests are then run, and a report is prepared explaining what has occurred. What type of report is typically generated during this testing to indicate test metrics?A test coverage reportA penetration test reportA code coverage reportA line coverage report
64 As part of their code coverage testing, Susan's team runs the analysis in a nonproduction environment using logging and tracing tools. Which of the following types of code issues is most likely to be missed during testing due to this change in the operating environment?Improper bounds checkingInput validationA race conditionPointer manipulation
65 Robin recently conducted a vulnerability scan and found a critical vulnerability on a server that handles sensitive information. What should Robin do next?PatchingReportingRemediationValidation
66 The automated code testing and integration that Andrea ran as part of her organization's CI/CD pipeline errored out. What should Andrea do with the code if the company needs the code to go live immediately?Manually bypass the test.Review error logs to identify the problem.Rerun the test to see if it works.Send the code back to the developer for a fix.
67 Michelle wants to compare vulnerabilities she has discovered in her data center based on how exploitable they are, if exploit code exists, and how hard they are to remediate. What scoring system should she use to compare vulnerability metrics like these?CSVNVDVSSCVSS
68 During a port scan of his network, Alex finds that a number of hosts respond on TCP ports 80, 443, 515, and 9100 in offices throughout his organization. What type of devices is Alex likely discovering?Web serversFile serversWireless access pointsPrinters
69 Nikto,