Hard CISSP Practice Questions - Domain Wise (400 Questions)

Domain-wise 400 original and unseen practice exam questions that will help you clear the CISSP exam in the first attempt.

• Designed by a team of CISSP certified PhDs and industry experts

• Detailed Explanations

• Distributed Domain Wise

Please note that our exams are designed to be difficult to crack, but that is because we try to match the difficulty and complexity of the actual CISSP exam which has an incredibly low pass rate (and hence the stellar reputation). Please attempt these only if you are ready to attack the actual exam. If you have doubts about the validity/correctness of any of our questions, just ping us and we will provide several references to support the accuracy of our exams.

Please take this course if you understand/appreciate the following sample questions which are a noteworthy indication of the quality of the rest of the course:

Sample Questions (Solution Below):

1. In an organization, the primary purpose of a security procedure is to __________.

a) Guide in decision making with regards to security

b) Train employees and ensure consistency in security related business processes

c) Indicate expected user behaviour

d) Provide recommendations on implementing security processes

2. Which of the following is a possible oversight which can happen with job rotation?

a) Privilege creep

b) Lack of separation of duties

c) Collusion

d) All of the above

3. Which of the following BEST describes exposure?

a) A flaw or weakness of an asset or a safeguard

b) Damage, loss or disclosure of an asset

c) An illegal act

d) A weakness or vulnerability that can cause a security breach

4. A notice placed on the common room wall about the usage conditions of Wi-Fi is a ______ access control?

a) Preventive

b) Corrective

c) Compensating

d) Driective

5. Which of the following is true about private key cryptography?

a) It is scalable

b) It is faster than public key cryptography

c) It offers nonrepudiation

d) Different keys are used for encryption and decryption

6. Which of the following models employs sensitivity labels such as top secret and secret?

a) RBAC

b) DAC

c) MAC

d) Rule Based Access Control

7. A digital certificate endorsed by a CA contains the issuer name, public key of david.cooper@itpro.com as well as the serial number, period of validity and the signature algorithm used. Which of the following is NOT true about this certificate?

a) It is only valid as long as the validity period mentioned

b) The subject’s public key can now be used by the general public to decrypt messages

c) It certifies that David Cooper is the subject

d) The signature algorithm mentioned must be used to decrypt the public key

8. Which of the following is a MORE serious concern for biometric authentication systems?

a) False positives

b) False negatives

c) True positive

d) True negative

9. An organization wants to test a software but does not have access to its source code. Which of the following is NOT a valid type of testing?

a) DAST

b) Blackbox

c) Fuzzing

d) SAST

10. Demonstrating to someone that you know the password to a lock without sharing it with that person is an example of?

a) Split-knowledge

b) Zero-knowledge proof

c) Work function

d) Secure proofing

Solution:

1. In an organization, the primary purpose of a security procedure is to __________.

a) Guide in decision making with regards to security

b) Train employees and ensure consistency in security related business processes

c) Indicate expected user behaviour

d) Provide recommendations on implementing security processes

Explanation: A security procedure trains employees and ensures consistency in security related business processes. It streamlines security related business processes to ensure minimal variations and also offers consistency in the implementation of security controls. Guidance in decision making is provided by policies, and standards are used to indicate expected user behaviour. Recommendations on implementing security processes is part of guidelines which are optional in nature.

2. Which of the following is a possible oversight which can happen with job rotation?

a) Privilege creep

b) Lack of separation of duties

c) Collusion

d) All of the above

Explanation: Privilege creep occurs when an employee accumulates access and privileges across job rotations because their privileges are not periodically reviewed and updated. They accumulate privileges which they don’t even need but still possess. Lack of separation of duties may compromise security but is not related to job rotation. Similarly, collusion can occur regardless of job rotation.

3. Which of the following BEST describes exposure?

a) A flaw or weakness of an asset or a safeguard

b) Damage, loss or disclosure of an asset

c) An illegal act

d) A weakness or vulnerability that can cause a security breach

Explanation: Exposure refers to a weakness or vulnerability that can cause a security breach i.e. the adverse event has not actually occurred, but it is an estimation of the adverse consequences of such an event. A flaw or weakness of the asset or the safeguard is called a vulnerability and if a threat has already been realized then it is called experienced exposure.

4. A notice placed on the common room wall about the usage conditions of Wi-Fi is a ______ access control?

a) Preventive

b) Corrective

c) Compensating

d) Driective

Explanation: This is an example of a directive access control. Directive access control mechanisms aim at directing subjects to a certain behaviour or to limit their actions. Preventive access control refers to prevent the unwanted activity from happening in the first place. Corrective access controls aim to return the system state to normalcy or correct a damaged system after an incident. Compensating access control provide additional security to address weakness in an existing security control.

5. Which of the following is true about private key cryptography?

a) It is scalable

b) It is faster than public key cryptography

c) It offers nonrepudiation

d) Different keys are used for encryption and decryption

Explanation: Private key (or symmetric key) cryptography is significantly fast compared to public key cryptography because of the nature of mathematics involved and because it uses the same algorithm for encryption and decryption. However, it is not scalable as different pairs of users need to generate keys for their communication, leading to a large number of keys. Moreover, it does not offer nonrepudiation since the same key is used by different users for encryption and decryption.

6. Which of the following models employs sensitivity labels such as top secret and secret?

a) RBAC

b) DAC

c) MAC

d) Rule Based Access Control

Explanation: MAC (Mandatory Access Control) implements access controls based on the clearances of subjects and the labels assigned to objects. RBAC (Role-based Access Control) assigns permissions to subjects based on the role that has been assigned to them in the organization. DAC (Discretionary Access Control) is a more flexible model which allows subjects which have ownership over objects to share them with other subjects. Rule based Access Control assigns permissions based on a pre-defined list of rules.

7. A digital certificate endorsed by a CA contains the issuer name, public key of david.cooper@itpro.com as well as the serial number, period of validity and the signature algorithm used. Which of the following is NOT true about this certificate?

a) It is only valid as long as the validity period mentioned

b) The subject’s public key can now be used by the general public to decrypt messages

c) It certifies that David Cooper is the subject

d) The signature algorithm mentioned must be used to decrypt the public key

Explanation: All of the above statements regarding this particular certificate are true except for the claim that it certifies the subject David Cooper. This is not true because the certificate just certifies the email address david.cooper@itpro.com and not the actual user David Cooper. Technically, this email could belong to John Doe since the certificate does not explicitly certify that fact.

8. Which of the following is a MORE serious concern for biometric authentication systems?

a) False positives

b) False negatives

c) True positive

d) True negative

Explanation: False positives in biometric authentication system are a far greater concern than the others. A false positive means that the system has (wrongly) authenticated an individual as being someone else and this can lead to a compromise of the security of the system. False negatives may cause some delay as an authentic individual is wrongly rejected by the system, but it is not as serious as a false positive. True positives and negatives are desired traits of a system.

9. An organization wants to test a software but does not have access to its source code. Which of the following is NOT a valid type of testing?

a) DAST

b) Blackbox

c) Fuzzing

d) SAST

Explanation: All of the above can be used since they do not require the source code, except for SAST. SAST (Static Application Security Testing) involves testing the application without running it, by performing a static analysis of the source code to identify vulnerabilities. DAST identifies vulnerableness in an application by executing it and providing malicious input. Fuzzing is a testing technique in which different variations of the input are tried to identify weaknesses.

10. Demonstrating to someone that you know the password to a lock without sharing it with that person is an example of?

a) Split-knowledge

b) Zero-knowledge proof

c) Work function

d) Secure proofing

Explanation: A Zero-knowledge proof involves proving to someone that you know a passcode without actually revealing it. Split knowledge is a concept in which a passcode is split among multiple people such that all of them need to work together to authenticate. Work function is a measure of the amount of work required to break a cipher. Secure proofing is not a valid concept.