Most Recent ISC2 CISSP Exam Questions & Answers

In the Common Criteria (CC) for Information Technology (IT) Security Evaluation, increasing Evaluation Assurance Levels (EAL) results in an increase in resource requirement. CC is an international standard that provides a framework for evaluating the security properties and assurance of IT products and systems. CC defines seven EALs, ranging from EAL1 (the lowest) to EAL7 (the highest), that indicate the depth and rigor of the security evaluation. Higher EALs require more evidence, documentation, testing, analysis, and review of the security functionality and assurance of the IT product or system. Therefore, higher EALs also require more resources, such as time, money, effort, and expertise, to conduct and complete the security evaluation. Higher EALs do not necessarily result in increased functionality, increased interoperability, or increase in evaluated systems, as these are not the objectives or outcomes of the security evaluation. Functionality refers to the features and capabilities of the IT product or system, which are defined by the security functional requirements (SFRs) in the CC. Interoperability refers to the ability of the IT product or system to work with other products or systems, which are not directly related to the security evaluation. Evaluated systems refer to the number of IT products or systems that undergo the security evaluation, which are determined by the market demand and the availability of the evaluation facilities and schemes.Reference:

Common Criteria

Evaluation Assurance Level

Common Criteria for Information Technology Security Evaluation

Threat modeling is the testing technique that enables the designer to develop mitigation strategies for potential vulnerabilities. Threat modeling is a method of identifying, analyzing, and prioritizing the threats and vulnerabilities that may affect a system or an application. Threat modeling can help the designer to understand the attack surface, the attack vectors, the attack scenarios, and the impact and likelihood of the attacks. Threat modeling can also help the designer to develop mitigation strategies for the potential vulnerabilities, such as applying security controls, implementing security best practices, or redesigning the system or the application. Threat modeling can be performed at any stage of the system development life cycle (SDLC), but it is most effective when done early and iteratively.Reference:CISSP All-in-One Exam Guide, Eighth Edition, Chapter 8: Software Development Security, page 441.Free daily CISSP practice questions, Question 2.

Defense in depth is a concept that involves implementing multiple layers of security controls to protect the assets and information of an organization. The idea is to create a series of obstacles that would deter or delay an attacker from reaching the target, and to provide detection and response capabilities to mitigate the impact of an attack. Defense in depth can be applied at different levels, such as physical, network, host, application, data, and user. The answer choice C represents a defense in depth concept, because it includes security controls at different levels, such as endpoint security management (host level), network intrusion detection system (network level), Network Access Control (network level), Privileged Access Management (user level), and security information and event management (data level).The other answer choices are not examples of defense in depth, because they only focus on one or two levels of security, and do not provide a comprehensive protection for the organization12.Reference:CISSP CBK, Fifth Edition, Chapter 3, page 229;CISSP Practice Exam -- FREE 20 Questions and Answers, Question 16.

Virtualization is a solution that can help to enhance the recovery time objective (RTO) and cater for more frequent data captures, as required by the new business requirements. Virtualization is a technique that creates a virtual version of a resource, such as a server, a storage, a network, or an application, that can run on a physical platform. Virtualization can improve the availability, scalability, and performance of the resources, as well as reduce the cost, complexity, and risk of the resources. Virtualization can help to achieve a shorter RTO, which is the maximum acceptable time to restore the normal operations and services after a disruption or disaster. Virtualization can enable faster recovery of the resources, by using techniques such as snapshots, backups, replication, or failover. Virtualization can also help to cater for more frequent data captures, which can reduce the data loss and improve the data integrity. Virtualization can enable more frequent data captures, by using techniques such as incremental backups, differential backups, or continuous data protection. Antivirus, process isolation, and host-based intrusion prevention system (HIPS) are not solutions that can help to enhance the RTO and cater for more frequent data captures, as required by the new business requirements. Antivirus is a software tool that detects and removes malicious software, such as viruses, worms, trojans, or ransomware, from a system or a network. Antivirus can help to protect the confidentiality, integrity, and availability of the data and the system, but it does not directly affect the RTO or the data capture frequency. Process isolation is a security technique that separates the processes running on a system or a network, so that they do not interfere with each other or access each other's resources. Process isolation can help to prevent the propagation, escalation, or exploitation of the processes, but it does not directly affect the RTO or the data capture frequency. Host-based intrusion prevention system (HIPS) is a security tool that monitors and blocks malicious or anomalous activities on a host, such as a server, workstation, or device. HIPS can help to protect the host from attacks, such as malware, exploits, or unauthorized changes, but it does not directly affect the RTO or the data capture frequency.Reference:Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 3, Security Architecture and Engineering, page 293.CISSP All-in-One Exam Guide, Eighth Edition, Chapter 3, Security Architecture and Engineering, page 256.

A Public Key Infrastructure (PKI) is a system that provides the services and mechanisms for creating, managing, distributing, using, storing, and revoking digital certificates, which are electronic documents that bind a public key to an identity. A digital certificate can be used to authenticate the identity of an entity, such as a person, a device, or a server, that possesses the corresponding private key. An organization can implement a partial PKI with only the servers having digital certificates, which means that only the servers can prove their identity to the clients, but not vice versa. The security benefit of this implementation is that servers can authenticate themselves to the client, which can prevent impersonation, spoofing, or man-in-the-middle attacks by malicious servers. Clients can authenticate themselves to the servers, mutual authentication is available between the clients and servers, and servers are able to issue digital certificates to the client are not the security benefits of this implementation, as they require the clients to have digital certificates as well.Reference:CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5, Cryptography and Symmetric Key Algorithms, page 615.Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 5, Cryptography and Symmetric Key Algorithms, page 631.