
Most Recent ISC2 CISSP Exam Questions & Answers


Prepare for the ISC2 Certified Information Systems Security Professional exam with our extensive collection of questions and answers. These practice Q&A are updated according to the latest syllabus, providing you with the tools needed to review and test your knowledge.

QA4Exam focuses on the latest syllabus and exam objectives; our practice Q&A are designed to help you identify key topics and solidify your understanding. By focusing on the core curriculum, these Questions & Answers help you cover all the essential topics, ensuring you're well prepared for every section of the exam. Each question comes with a detailed explanation, offering valuable insights and helping you learn from your mistakes. Whether you're looking to assess your progress or dive deeper into complex topics, our updated Q&A will provide the support you need to confidently approach the ISC2 CISSP exam and achieve success.

The questions for CISSP were last updated on Jan 21, 2025.
Question No. 1

Which of the following threats exists with an implementation of digital signatures?

Correct Answer: B

Substitution is a threat that occurs when an attacker replaces a valid digital signature with an invalid one, or with a signature taken from another document. This can compromise the integrity and non-repudiation of the signed document, as the receiver cannot verify the authenticity and origin of the document. Substitution can be prevented by using secure hash algorithms and encryption to generate and protect the digital signatures.

Reference: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 3: Security Engineering, page 115; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 3: Security Engineering, page 177.
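The explanation says a signature bound to one document cannot be moved to another. The following added example (not part of the exam page or its cited references) shows why in working code: it uses Go's standard-library Ed25519 to hash-then-sign two constructed purchase-order documents, then checks what a verifier concludes for the genuine pairing, for document B presented with document A's signature (substitution), and for a signature produced under a key the signer does not hold. The document contents and the field names are assumptions chosen for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SubstitutionOutcome records what a verifier concludes in each scenario.
type SubstitutionOutcome struct {
	GenuineAccepted     bool // document A with its own signature
	SubstitutedAccepted bool // document B presented with document A's signature
	ForgedAccepted      bool // document B signed under a key the signer does not hold
}

// signDocument hashes the document with SHA-256 and signs the digest with the
// signer's Ed25519 private key (hash-then-sign, as the explanation describes).
func signDocument(priv ed25519.PrivateKey, doc []byte) []byte {
	digest := sha256.Sum256(doc)
	return ed25519.Sign(priv, digest[:])
}

// verifyDocument recomputes the digest and checks the signature against the
// signer's public key; any change to document, signature, or key fails here.
func verifyDocument(pub ed25519.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return ed25519.Verify(pub, digest[:], sig)
}

// RunScenario signs two constructed documents and then checks how a verifier
// responds to the genuine pairing, a substituted signature, and a forged one.
func RunScenario() (SubstitutionOutcome, error) {
	// Legitimate signer's key pair (generated fresh each run).
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return SubstitutionOutcome{}, err
	}
	// A second key pair standing in for a party who does not hold the signer's key.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return SubstitutionOutcome{}, err
	}

	// Constructed sample documents; the second differs from the first in one field.
	docA := []byte("Purchase order 1001: quantity 10")
	docB := []byte("Purchase order 1001: quantity 1000")
	sigA := signDocument(priv, docA)

	return SubstitutionOutcome{
		GenuineAccepted:     verifyDocument(pub, docA, sigA),
		SubstitutedAccepted: verifyDocument(pub, docB, sigA),
		ForgedAccepted:      verifyDocument(pub, docB, signDocument(otherPriv, docB)),
	}, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine signature accepted:     %v\n", out.GenuineAccepted)
	fmt.Printf("substituted signature accepted: %v\n", out.SubstitutedAccepted)
	fmt.Printf("forged signature accepted:      %v\n", out.ForgedAccepted)
}
```

Only the first check succeeds. The receiver's protection is the verification step itself: the signature is computed over the digest of the exact document, so a signature carried over from another document, or produced under a different key, fails verification and the substitution is detected before the document is trusted.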


Question No. 2

What is the PRIMARY difference between security policies and security procedures?

Correct Answer: D

The primary difference between security policies and security procedures is that policies are generic in nature, and procedures contain operational details. Security policies are the high-level statements or rules that define the goals, objectives, and requirements of security for an organization. Security procedures are the low-level steps or actions that specify how to implement, enforce, and comply with the security policies.

A. "Policies are used to enforce violations, and procedures create penalties" is not a correct answer, as it confuses the roles and functions of policies and procedures. Policies are used to create penalties, and procedures are used to enforce violations. Penalties are the consequences or sanctions that are imposed for violating the security policies, and they are defined by the policies. Enforcement is the process or mechanism of ensuring compliance with the security policies, and it is carried out by the procedures.

B. "Policies point to guidelines, and procedures are more contractual in nature" is not a correct answer, as it misrepresents the nature and purpose of policies and procedures. Policies are not merely guidelines, but rather mandatory rules that bind the organization and its stakeholders to follow the security principles and standards. Procedures are not contractual in nature, but rather operational in nature, as they describe the specific tasks and activities that are necessary to achieve the security goals and objectives.

C. "Policies are included in awareness training, and procedures give guidance" is not a correct answer, as it implies that policies and procedures have different audiences and functions. Policies and procedures are both included in awareness training, and they both give guidance. Awareness training is the process of educating and informing the organization and its stakeholders about the security policies and procedures, and their roles and responsibilities in security. Guidance is the process of providing direction and advice on how to comply with the security policies and procedures, and how to handle security issues and incidents.


Question No. 3

Multi-Factor Authentication (MFA) is necessary in many systems given common types of password attacks. Which of the following is a correct list of password attacks?

Correct Answer: B

The correct list of password attacks is brute force, dictionary, phishing, and keylogger. Password attacks are attacks that aim to guess, crack, or steal the passwords or credentials of users or systems in order to gain unauthorized or malicious access to information or resources. Password attacks can include the following methods:

- Brute force: a method that tries all possible combinations of characters or symbols until the correct password is found.
- Dictionary: a method that uses a list of common or likely words or phrases as the input for guessing the password.
- Phishing: a method that uses fraudulent emails or websites that impersonate legitimate entities or parties, and that trick users into revealing their passwords or credentials.
- Keylogger: a method that uses a software or hardware device that records the keystrokes of users, and that captures or transmits their passwords or credentials.

Masquerading, salami, malware, and polymorphism are not password attacks, as they are related to the impersonation, manipulation, infection, or mutation of data or systems, not the guessing, cracking, or stealing of passwords or credentials. Zeus, netbus, rabbit, and turtle are not password attacks, as they are the names of specific types of malware, such as trojans, worms, or viruses, not methods of attacking passwords or credentials. Token, biometrics, IDS, and DLP are not password attacks, as they are types of security controls or technologies, such as authentication, identification, detection, or prevention, not attacks on passwords or credentials.

Reference: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5, Identity and Access Management, page 684; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 5, Identity and Access Management, page 700.
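Brute-force and dictionary attacks both leave the same footprint on the target: a burst of failed logins from one source, sometimes followed by a success. The following added detection example (not part of the exam page or its references) runs that check over constructed OpenSSH-style auth.log lines: it flags a source once it reaches a threshold of failures inside a sliding time window, and escalates if the same source then authenticates successfully. The log lines, host name, addresses, user names, threshold and window are all assumed sample values.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Constructed sample lines in OpenSSH auth.log style (not taken from any real host).
// 203.0.113.7 fails five times in five seconds and then succeeds; 198.51.100.9 is a
// user mistyping once; 192.0.2.44 fails five times but spread five minutes apart.
const sampleAuthLog = `Jan 21 10:00:01 host1 sshd[2001]: Failed password for alice from 203.0.113.7 port 50001 ssh2
Jan 21 10:00:02 host1 sshd[2002]: Failed password for alice from 203.0.113.7 port 50002 ssh2
Jan 21 10:00:03 host1 sshd[2003]: Failed password for alice from 203.0.113.7 port 50003 ssh2
Jan 21 10:00:04 host1 sshd[2004]: Failed password for alice from 203.0.113.7 port 50004 ssh2
Jan 21 10:00:05 host1 sshd[2005]: Failed password for alice from 203.0.113.7 port 50005 ssh2
Jan 21 10:00:09 host1 sshd[2006]: Accepted password for alice from 203.0.113.7 port 50006 ssh2
Jan 21 10:02:00 host1 sshd[2007]: Failed password for bob from 198.51.100.9 port 40001 ssh2
Jan 21 10:02:30 host1 sshd[2008]: Accepted password for bob from 198.51.100.9 port 40002 ssh2
Jan 21 10:10:00 host1 sshd[2009]: Failed password for carol from 192.0.2.44 port 41001 ssh2
Jan 21 10:15:00 host1 sshd[2010]: Failed password for carol from 192.0.2.44 port 41002 ssh2
Jan 21 10:20:00 host1 sshd[2011]: Failed password for carol from 192.0.2.44 port 41003 ssh2
Jan 21 10:25:00 host1 sshd[2012]: Failed password for carol from 192.0.2.44 port 41004 ssh2
Jan 21 10:30:00 host1 sshd[2013]: Failed password for carol from 192.0.2.44 port 41005 ssh2`

// Alert is what the detector emits for a source address.
type Alert struct {
	Kind   string // "guessing" or "success-after-guessing"
	Source string
	User   string // user named in the event that triggered the alert
	Count  int    // failures from this source currently inside the window
}

// One OpenSSH-style auth line: timestamp, outcome, user, source address.
var authLine = regexp.MustCompile(`^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port`)

type event struct {
	at      time.Time
	success bool
	user    string
	source  string
}

// parseAuthLog keeps only password-authentication events, in log order.
func parseAuthLog(log string) []event {
	var evs []event
	for _, line := range strings.Split(log, "\n") {
		m := authLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		// Syslog timestamps carry no year; year 0 is fine since only deltas are used.
		ts := strings.Join(strings.Fields(m[1]), " ")
		at, err := time.Parse("Jan 2 15:04:05", ts)
		if err != nil {
			continue
		}
		evs = append(evs, event{at: at, success: m[2] == "Accepted", user: m[3], source: m[4]})
	}
	return evs
}

// DetectPasswordGuessing flags a source once it produces `threshold` failed
// logins within `window`, and escalates if that source later authenticates.
func DetectPasswordGuessing(log string, threshold int, window time.Duration) []Alert {
	var alerts []Alert
	recent := map[string][]time.Time{} // source -> failure timestamps still in window
	flagged := map[string]bool{}
	for _, ev := range parseAuthLog(log) {
		if ev.success {
			if flagged[ev.source] {
				alerts = append(alerts, Alert{Kind: "success-after-guessing", Source: ev.source, User: ev.user, Count: len(recent[ev.source])})
			}
			continue
		}
		// Drop failures that have aged out of the window, then record this one.
		kept := recent[ev.source][:0]
		for _, t := range recent[ev.source] {
			if ev.at.Sub(t) <= window {
				kept = append(kept, t)
			}
		}
		kept = append(kept, ev.at)
		recent[ev.source] = kept
		if len(kept) >= threshold && !flagged[ev.source] {
			flagged[ev.source] = true
			alerts = append(alerts, Alert{Kind: "guessing", Source: ev.source, User: ev.user, Count: len(kept)})
		}
	}
	return alerts
}

func main() {
	for _, a := range DetectPasswordGuessing(sampleAuthLog, 5, 60*time.Second) {
		fmt.Printf("%-23s source=%s user=%s failures=%d\n", a.Kind, a.Source, a.User, a.Count)
	}
}
```

With a threshold of 5 failures in 60 seconds the sample produces two alerts, both for 203.0.113.7, and the slow source 192.0.2.44 is not flagged; widening the window to 30 minutes catches it as well. The window and threshold are the tuning knobs: a short window suits interactive brute-force tooling, a longer one catches low-and-slow dictionary runs at the cost of more noise from ordinary typos, which is why the success-after-guessing escalation is the alert worth paging on.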


Question No. 4

Write Once, Read Many (WORM) data storage devices are designed to BEST support which of the following core security concepts?

Correct Answer: A

Write Once, Read Many (WORM) data storage devices are designed to best support the core security concept of integrity. Integrity is the property that ensures that data or information is accurate, complete, consistent, and protected from unauthorized modification or deletion. WORM data storage devices are devices that allow data to be written only once, and then read multiple times, without the possibility of altering or erasing the data. WORM data storage devices can support the integrity of the data, as they can prevent any accidental or intentional changes or corruption of the data, and preserve the original state and content of the data. Some examples of WORM data storage devices are optical discs, magnetic tapes, or flash drives.

Scalability, availability, and confidentiality are not the core security concepts that WORM data storage devices are designed to best support. Scalability is the property that enables a system or a network to handle an increasing amount of work or demand, without compromising the performance or quality of the service. Availability is the property that ensures that data or information is accessible and usable by authorized parties, whenever and wherever needed. Confidentiality is the property that ensures that data or information is disclosed or revealed only to authorized parties, and protected from unauthorized access or exposure. WORM data storage devices may not necessarily support these security concepts, as they may not be able to accommodate more data or users, provide continuous or reliable access to the data, or restrict or encrypt the data.

Reference: Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 3, Security Architecture and Engineering, page 331; CISSP All-in-One Exam Guide, Eighth Edition, Chapter 3, Security Architecture and Engineering, page 314.


Question No. 5

Which of the following addresses requirements of security assessment during software acquisition?

Correct Answer: A

A software assurance policy is a document that defines the standards, guidelines, and best practices for ensuring the quality, security, and reliability of software products and services. A software assurance policy can help address the requirements of security assessment during software acquisition, as it establishes the criteria and methods for evaluating and testing the software, as well as the roles and responsibilities of the stakeholders involved. A software assurance policy can help ensure that the software meets the functional and non-functional requirements, as well as the security and compliance requirements, of the organization. Continuous monitoring is a process that involves collecting, analyzing, and reporting data on the performance and security of the systems and networks. Continuous monitoring can help maintain the security and availability of the systems and networks, but it does not address the security assessment during software acquisition. Software configuration management (SCM) is a process that involves controlling and tracking the changes and versions of the software products and components. SCM can help ensure the consistency and integrity of the software products and components, but it does not address the security assessment during software acquisition. Data loss prevention (DLP) policy is a document that defines the rules and actions for preventing the unauthorized disclosure, transfer, or leakage of sensitive data. DLP policy can help protect the data from being exposed, but it does not address the security assessment during software acquisition.

