CISSP Exam Questions for Self-Study (Domain 6)
Note: Pardon the messiness of the questions. These questions come from my podcast, and I will be cleaning them up over the coming weeks.
Question:
In the Common Vulnerability Scoring System (CVSS), what does it mean when a vulnerability is scored at "10"?
- Most open for patching
- Most severe
- Least severe
- Easily managed
Answer: Most severe. CVSS base scores run from 0.0 to 10.0, so 10.0 is the maximum possible score; under CVSS v3.x any base score from 9.0 to 10.0 is given the qualitative rating "Critical".
Question:
What tool is commonly used as a scan engine to find vulnerabilities within an environment?
- Nessus
- NMAP
- Ping
- DNS
Answer: Nessus
Explanation: Nessus is a vulnerability scanner. It probes the hosts on a network for known vulnerabilities and insecure configurations that an attacker could exploit, and reports them so they can be prioritized and remediated; it does not itself exploit them. The other options are not vulnerability scanners: Nmap discovers hosts, open ports and services (reconnaissance that often precedes a Nessus scan), ping only tests whether a host is reachable, and DNS is a name-resolution service.
QUESTION 1
Abstract episodes of interaction between a system and its environment:
- Misuse case
- Web proxies
- Use cases
- Negative testing
CORRECT ANSWER - Use cases
QUESTION 2
A list of the most widespread and critical errors that can lead to serious vulnerabilities in software:
- Information security continuous monitoring (ISCM)
- CWE/SANS Top 25 most dangerous software errors
- Automated vulnerability scanners
- Real user monitoring (RUM)
CORRECT ANSWER - CWE/SANS Top 25 most dangerous software errors
QUESTION 3
This criterion requires sufficient test cases for each program statement to be executed at least once; achieving it, however, is insufficient to provide confidence in a software product's behavior:
- Statement coverage
- Data flow coverage
- Condition coverage
- Path coverage
CORRECT ANSWER - Statement coverage
QUESTION 1
A process by which developers can understand security threats to a system, determine risks from those threats and establish appropriate mitigations.
- Threat modeling
- White-box testing
- Path coverage
- Negative testing
CORRECT ANSWER - Threat modeling
QUESTION 2
This criterion requires sufficient test cases for each feasible data flow to be executed at least once:
- Statement coverage
- Path coverage
- Data flow coverage
- Condition coverage
CORRECT ANSWER - Data flow coverage
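The statement-coverage question above says that executing every statement once is not enough to trust the software; the data-flow-coverage question just above asks for every feasible definition-to-use path to be exercised instead. The following Python script, an added example that is not part of the original question set, makes the difference concrete. It contains a small constructed function with a deliberate defect, and a minimal statement-coverage tool built on the interpreter's line tracer (the kind of instrumentation a white-box coverage tool performs). A single test case reaches every statement and passes, yet the deny path crashes: the definition `decision = None` flows to its use in `decision.upper()` only when the condition is false, so data-flow (or condition) coverage forces the extra test case that statement coverage does not. The function `authorize` and the test inputs are constructed for this example.

```python
import dis
import sys


def authorize(is_admin, owns_resource):
    # Constructed example with a deliberate defect: on the deny path 'decision'
    # stays None, so the final .upper() raises AttributeError instead of returning "DENY".
    decision = None
    if is_admin or owns_resource:
        decision = "allow"
    return decision.upper()


def statement_coverage(func, cases):
    """Run func over each argument tuple under a line tracer and report the
    statement coverage achieved, the statement lines never reached, and any crashes."""
    code = func.__code__
    # Every source line that carries bytecode, except the 'def' line itself
    # (Python 3.11+ maps the RESUME instruction to it).
    executable = {
        ln for _, ln in dis.findlinestarts(code)
        if ln is not None and ln > code.co_firstlineno
    }
    hit = set()
    failures = []

    def tracer(frame, event, arg):
        if frame.f_code is not code:
            return None                      # ignore frames other than the function under test
        if event == "line" and frame.f_lineno is not None:
            hit.add(frame.f_lineno)
        return tracer

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        for args in cases:
            try:
                func(*args)
            except Exception as exc:         # a crash is a test finding, not a tool failure
                failures.append((args, type(exc).__name__))
    finally:
        sys.settrace(previous)

    covered = hit & executable
    return {
        "coverage": len(covered) / len(executable),
        "uncovered": sorted(executable - hit),
        "failures": failures,
    }


if __name__ == "__main__":
    # One test case executes every statement (100% statement coverage) and passes:
    print(statement_coverage(authorize, [(True, True)]))
    # Condition coverage needs each operand of 'is_admin or owns_resource' to be
    # both true and false; the all-false case is the one that exposes the crash:
    print(statement_coverage(authorize, [(True, False), (False, True), (False, False)]))
```

The tracer only records which lines ran, which is exactly what statement coverage measures; it has no notion of which branch outcome or which definition-use pair was exercised, so it reports 100% on the first run while the defect is still there. Either set of cases gives 100% statement coverage, but only the second one, chosen to satisfy condition and data-flow coverage, produces a failure.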
QUESTION 3
Tests an application for the use of system components or configurations that are known to be insecure.
- Synthetic performance monitoring
- Automated vulnerability scanners
- Multi-condition coverage
- Architecture security reviews
CORRECT ANSWER - Automated vulnerability scanners
QUESTION 1
The determination of the impact of a change based on review of the relevant documentation.
- Validation
- Regression analysis
- Data flow coverage
- Security log management
CORRECT ANSWER - Regression analysis
QUESTION 2
Analysis of the application source code to find vulnerabilities in the software without actually executing the application.
- System events
- Architecture security reviews
- Static application security testing (SAST)
- Audit records
CORRECT ANSWER - Static application security testing (SAST)
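To show what "finding vulnerabilities without executing the application" looks like in practice, here is an added example (not from the original question set) of a minimal SAST rule engine in Python. It parses a program into an abstract syntax tree and walks the tree looking for dangerous call patterns: code-evaluation sinks, unsafe deserialization, and command execution through a shell. Nothing in the scanned program is run; only its syntax is examined. The sample program, the rule identifiers and the rule set are constructed for this example and are far smaller than a real SAST tool's, which would also track how untrusted data flows into these sinks.

```python
import ast

# Constructed sample program to scan. It is not real project code: the first three
# functions each contain a pattern a SAST rule should flag, the last one is safe.
SAMPLE_SOURCE = '''\
import subprocess, pickle

def run(cmd):
    return subprocess.run(cmd, shell=True)

def load(blob):
    return pickle.loads(blob)

def calc(expr):
    return eval(expr)

def safe(cmd):
    return subprocess.run(["ls", cmd])
'''

# Hypothetical rule set chosen for this example.
CODE_EXEC_SINKS = {"eval", "exec"}
DESERIALIZATION_SINKS = {"pickle.load", "pickle.loads"}
SUBPROCESS_FUNCS = {"subprocess.run", "subprocess.call", "subprocess.Popen",
                    "subprocess.check_call", "subprocess.check_output"}
SHELL_ALWAYS = {"os.system", "os.popen"}


def qualified_name(node):
    """Rebuild 'pkg.attr' from a call target; None if it is not a plain dotted name."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = qualified_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class InsecureCallFinder(ast.NodeVisitor):
    """Walks the syntax tree and records calls matching the rules above."""

    def __init__(self):
        self.findings = []

    def report(self, node, rule, message):
        self.findings.append((node.lineno, rule, message))

    def visit_Call(self, node):
        name = qualified_name(node.func)
        if name in CODE_EXEC_SINKS:
            self.report(node, "CODE_INJECTION", f"{name}() evaluates arbitrary code")
        elif name in DESERIALIZATION_SINKS:
            self.report(node, "UNSAFE_DESERIALIZATION", f"{name}() deserializes untrusted data")
        elif name in SHELL_ALWAYS:
            self.report(node, "SHELL_INJECTION", f"{name}() always runs through a shell")
        elif name in SUBPROCESS_FUNCS:
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.report(node, "SHELL_INJECTION", f"{name}(..., shell=True) with a command string")
        self.generic_visit(node)   # keep descending: calls can nest inside arguments


def scan_source(source, filename="<string>"):
    """Parse source and return findings as (line, rule, message), sorted by line.
    The scanned code is only parsed, never executed."""
    tree = ast.parse(source, filename=filename)
    finder = InsecureCallFinder()
    finder.visit(tree)
    return sorted(finder.findings)


if __name__ == "__main__":
    for line, rule, message in scan_source(SAMPLE_SOURCE):
        print(f"line {line}: {rule}: {message}")
```

Matching on the syntax tree rather than on text is what lets the scanner flag `subprocess.run(cmd, shell=True)` on line 4 while leaving the list-argument call in `safe()` alone, and it is also why a real tool needs data-flow analysis on top of this: `eval` on a constant string is harmless, `eval` on request input is not, and the tree alone cannot tell them apart.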
QUESTION 3
Contain security event information such as successful and failed authentication attempts, file access, security policy changes, account changes and use of privileges.
- System events
- Static application security testing (SAST)
- Path coverage
- Audit records
CORRECT ANSWER - Audit records
QUESTION 4
A design that allows one to peek inside the "box" and focuses specifically on using internal knowledge of the software to guide the selection of test data.
- Positive testing
- White-box testing
- Statement coverage
- Negative testing
CORRECT ANSWER - White-box testing