
Free Practice Questions for ISC2 CISSP Exam

Pass4Future also provides interactive practice exam software for preparing for the ISC2 Certified Information Systems Security Professional (CISSP) Exam effectively. You are welcome to explore the sample free ISC2 CISSP Exam questions below and also to try the ISC2 CISSP Exam practice test software.

Page: 1 / 14
Total 1486 questions

Question 1

The security organization is looking for a solution that could help them determine with a strong level of confidence that attackers have breached their network. Which solution is MOST effective at discovering a successful network breach?



Answer : B

A honeypot is a decoy system that is designed to attract and trap attackers, while diverting them from the real network assets. A honeypot can help detect successful network breaches by monitoring the attacker's activities and collecting forensic evidence. An intrusion prevention system (IPS) and an intrusion detection system (IDS) are both proactive measures that aim to prevent or detect network attacks, but they cannot confirm if a breach has occurred. A sandbox is an isolated environment that is used to test or run untrusted code or applications, but it is not a tool for discovering network breaches. Reference: 1, 2, 3


Question 2

Which of the following techniques evaluates the secure design principles of network or software architectures?



Answer : B

Threat modeling is a technique that evaluates the security risks and vulnerabilities of a network or software architecture by identifying the potential threats, their likelihood, and their impact. Threat modeling can help design secure systems by applying the appropriate countermeasures and controls. Risk modeling is a similar technique, but it focuses on the overall business risks and their mitigation strategies rather than the specific security threats. Fuzzing is a technique that tests the robustness and security of software by sending random or malformed inputs to trigger errors or crashes. The waterfall method is a software development methodology that follows a sequential and linear process, but it does not evaluate the security design principles of the architecture. Reference: 1, 2, 4


Question 3

When designing a business continuity plan (BCP), what is the formula to determine the Maximum Tolerable Downtime (MTD)?



Answer : C

The Maximum Tolerable Downtime (MTD) is the maximum amount of time that a business process can be disrupted without causing unacceptable consequences. The MTD can be calculated by adding the Recovery Time Objective (RTO) and the Work Recovery Time (WRT). The RTO is the maximum amount of time that is allowed to restore the critical systems and resume the business operations after a disaster. The WRT is the amount of time that is needed to catch up on the backlog of work that was accumulated during the downtime. The Annual Loss Expectancy (ALE) is the expected annual loss due to a risk, calculated by multiplying the Single Loss Expectancy (SLE) and the Annualized Rate of Occurrence (ARO). The Business Impact Analysis (BIA) is a process that identifies and evaluates the critical business functions and their dependencies, and determines the impact of a disruption on them. The Recovery Point Objective (RPO) is the maximum amount of data that can be lost or corrupted without causing unacceptable consequences. The Estimated Maximum Loss (EML) is the worst-case scenario loss due to a risk, calculated by multiplying the Exposure Factor (EF) and the Asset Value (AV). Reference: 1, 2, 5


Question 4

What is the overall goal of software security testing?



Answer : C

The overall goal of software security testing is to reduce the vulnerabilities within a software system. A software system is a collection of software components, such as applications, programs, or modules, that interact with each other and with other systems, such as hardware, networks, or databases, to perform certain functions or tasks. A vulnerability is a weakness or a flaw in a software system that can be exploited by a threat, such as an attacker, malware, or an error, to cause harm or damage, such as unauthorized access, data breach, denial of service, or corruption. Software security testing is a process of evaluating and verifying the security aspects and features of a software system, such as confidentiality, integrity, availability, authentication, authorization, or encryption, by using various tools, techniques, and methods, such as static analysis, dynamic analysis, code review, or fuzzing. Software security testing can help to identify and eliminate the vulnerabilities within a software system, or to mitigate and manage their impact, and thus to improve the security and quality of the software system.

Identifying the key security features of the software is not the overall goal of software security testing, but rather a specific objective or a subtask of the process. Ensuring all software functions perform as specified is not the overall goal of software security testing, but rather a general goal of software testing, which is a broader process that covers not only the security aspects, but also the functional, non-functional, performance, usability, and compatibility aspects of a software system. Making software development more agile is not the overall goal of software security testing, but rather a benefit or an outcome of the process, as software security testing can help to integrate the security considerations and practices into the software development life cycle, and to enable faster and more frequent delivery of secure and reliable software products.


Question 5

Which of the following is an open standard for exchanging authentication and authorization data between parties?



Answer : D

Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, such as a service provider and an identity provider. SAML is based on Extensible Markup Language (XML), which is a markup language that defines a set of rules for encoding and structuring data in a human-readable and machine-readable format. SAML enables single sign-on (SSO), which is a system that allows a user to log in and access multiple related servers and applications with a single authentication process. SAML uses assertions, which are statements that contain information about the user, such as their identity, attributes, or privileges, to communicate between the parties. SAML also uses protocols, which are sets of rules and messages that define how the parties request and respond to the assertions, to establish the trust and security of the communication. Wired markup language is not a term used in information security, but it could refer to a markup language that is used for creating web pages or applications that run on a wired network. Hypertext Markup Language (HTML) is a markup language that is used for creating and displaying web pages or applications that run on a web browser. HTML is not an open standard for exchanging authentication and authorization data between parties, but rather a standard for defining the structure and content of web pages or applications.

