CISSP Exam Questions for Self-Study (Domain 5)
Note: Pardon the messiness of the questions. These questions come from my podcast, and I will be cleaning them up over the coming weeks.
Question:
When reviewing user logs, the username and password serve which of the following purposes?
- Identification
- Authentication
- Accountability
- Authorization
Explanation: [a] The username ensures that the correct identification is used when accessing the account.
Question:
Which one of the following is a "Preventative" access control type?
- CCTV
- Background checks
- Man-Trap
- None of the above
Explanation: [c] Man-traps are considered a preventative access control because they physically limit individuals' entry into a specific facility.
QUESTION 1
Abstract episodes of interaction between a system and its environment:
- Misuse case
- Web proxies
- Use cases
- Negative testing
CORRECT ANSWER - Use cases
QUESTION 2
A list of the most widespread and critical errors that can lead to serious vulnerabilities in software:
- Information security continuous monitoring (ISCM)
- CWE/SANS Top 25 most dangerous software errors
- Automated vulnerability scanners
- Real user monitoring (RUM)
CORRECT ANSWER - Information security continuous monitoring (ISCM)
QUESTION 3
This criterion requires sufficient test cases for each program statement to be executed at least once; however, meeting it is insufficient to provide confidence in a software product's behavior:
- Statement coverage
- Data flow coverage
- Condition coverage
- Path coverage
CORRECT ANSWER - Statement coverage
QUESTION 1
A process by which developers can understand security threats to a system, determine risks from those threats and establish appropriate mitigations:
- Threat modeling
- White-box testing
- Path coverage
- Negative testing
CORRECT ANSWER - Threat modeling
QUESTION 2
This criterion requires sufficient test cases for each feasible data flow to be executed at least once:
- Statement coverage
- Path coverage
- Data flow coverage
- Condition coverage
CORRECT ANSWER - Data flow coverage
QUESTION 3
Tests an application for the use of system components or configurations that are known to be insecure:
- Synthetic performance monitoring
- Automated Vulnerability Scanners
- Multi-condition coverage
- Architecture security reviews
CORRECT ANSWER - Automated Vulnerability Scanners
QUESTION 1
The determination of the impact of a change based on review of the relevant documentation:
- Validation
- Regression analysis
- Data flow coverage
- Security log management
CORRECT ANSWER - Regression analysis
QUESTION 2
Analysis of the application source code for finding vulnerabilities without actually executing the application:
- System events
- Architecture security reviews
- Static source code analysis (SAST)
- Audit records
CORRECT ANSWER - Static source code analysis (SAST)
QUESTION 3
Records that contain security event information such as successful and failed authentication attempts, file access, security policy changes, account changes and use of privileges:
- System events
- Static source code analysis (SAST)
- Path coverage
- Audit records
CORRECT ANSWER - Audit records
QUESTION 4
A design that allows one to peek inside the "box" and focuses specifically on using internal knowledge of the software to guide the selection of test data:
- Positive testing
- White-box testing
- Statement coverage
- Negative testing
CORRECT ANSWER - White-box testing