https://www.certbus.com/CISSP.

html
2019 Latest certbus CISSP PDF and VCE dumps Download

CISSPQ&As
Certified Information Systems Security Professional

certbus 2019 Newest ISC CISSP ISC Certification Exam

VCE and PDF Dumps for Free Download!

CISSP ISC Certification Exam PDF and VCE Dumps : 3069Q&As Instant
Download: https://www.certbus.com/CISSP.html [100% CISSP Exam Pass
Guaranteed or Money Refund!!]
Free view online pdf on certbus free test CISSP PDF:
https://www.certbus.com/online-pdf/CISSP.pdf
certbus 2019 Newest CISSP ISC Certification exam Question PDF Free
Download from Google Drive Share:
https://drive.google.com/file/d/0B_3QX8HGRR1mVXBDYy0tYmNFSHM/view?
usp=sharing

Following CISSP 3069Q&As are all new published by

ISC Official Exam Center

Vendor: ISC

Exam Code: CISSP

Exam Name: Certified Information Systems Security Professional

Update: June 01,2019 - Total Q&As 3069

CISSP PDF Dumps | CISSP Practice Test | CISSP Exam Questions 1 / 13

 https://www.certbus.com/CISSP.html
2019 Latest certbus CISSP PDF and VCE dumps Download

QUESTION 1

Which of the following can BEST prevent security flaws occurring in outsourced software development?

A. Contractual requirements for code quality

B. Licensing, code ownership and intellectual property rights

C. Certification of the quality and accuracy of the work done

D. Delivery dates, change management control and budgetary control

Correct Answer: C

QUESTION 2

Which of the following are additional access control objectives?

A. Consistency and utility

B. Reliability and utility

C. Usefulness and utility

D. Convenience and utility

Correct Answer: B

Explanation: Availability assures that a system\\'s authorized users have timely and uninterrupted access to the
information in the system. The additional access control objectives are reliability and utility. These and other related
objectives flow from the organizational security policy. This policy is a high-level statement of management intent
regarding the control of access to information and the personnel who are authorized to receive that information. Three
things that must be considered for the planning and implementation of access control mechanisms are the threats to the
system, the system\\'s vulnerability to these threats, and the risk that the threat may materialize

Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley and Sons, Page 32

QUESTION 3

In the OSI / ISO model, at what layer are some of the SLIP, CSLIP, PPP control functions are provided?

A. Link

B. Transport

C. Presentation

D. Application

Correct Answer: A

CISSP PDF Dumps | CISSP Practice Test | CISSP Exam Questions 2 / 13

 https://www.certbus.com/CISSP.html
2019 Latest certbus CISSP PDF and VCE dumps Download

Explanation: The Data Link layer takes raw data from the physical layer and gives it logical structure. This logic includes
information about where the data is meant to go, which computer sends the data, and the overall validity of the bytes
sent. The Data Link layer also controls functions of logical network topologies and physical addressing as well as data
transmission synchronization and corrections. SLIP, CSLIP and PPP provide control functions at the Data Link Layer
(layer 2 of the OSI model).

QUESTION 4

A momentary high voltage is a:

A. spike

B. blackout

C. surge

D. fault

Correct Answer: A

Explanation: Too much voltage for a short period of time is a spike.

Too much voltage for a long period of time is a surge. Not enough voltage for a short period of time is a sag or dip Not
enough voltage for a long period of time is brownout A short power interruption is a fault A long power interruption is a
blackout You MUST know all of the power issues above for the purpose of the exam.

From: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 3rd. Edition McGraw- Hill/Osborne, 2005, page 368.

QUESTION 5

Which of the following protocols would BEST mitigate threats of sniffing attacks on web application traffic?

A. SSL or TLS

B. 802.1X

C. ARP Cache Security

D. SSH - Secure Shell

Correct Answer: A

Explanation: While it traverses the network, without some sort of encryption of web application data is vulnerable to
sniffing and interception by attackers on the network. If we observe sniffer traffic on an unencrypted network we can
clearly

see the contents of user interaction with the web server and its applications.

SSL - Secure Sockets Layer or TLS - Transport Layer Security

There are similarities between these two protocols but TLS 3.1 supersedes SSL 2.0 but they are not interoperable.
Today both protocols are commonly used on many web server. In either case SSL/TLS encrypts network traffic as it
traverses

CISSP PDF Dumps | CISSP Practice Test | CISSP Exam Questions 3 / 13

 https://www.certbus.com/CISSP.html
2019 Latest certbus CISSP PDF and VCE dumps Download

the wire and protects it from sniffing attacks.

The following answers are incorrect:

802.1X: This wouldn\\'t secure data in transit but it would help prevent unauthorized devices from connecting to your
network and sniffing data. Also Known As "Dot 1 X" or "The Extensible Authentication Protocol (EAP)" it provides

infrastructure protection by requiring certificates to connect.

ARP Cache Security: This wouldn\\'t mitigate the threat of network sniffing of web app data.

SSH - Secure Shell: Incorrect. SSH is a TELNET replacement for that encrypts traffic to mitigate the threat of network
sniffers on SSH connections. The following reference(s) were/was used to create this question:

2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 13, Page 569.

QUESTION 6

Which of the following is NOT an assumption of the basic Kerberos paradigm?

A. Specific servers and locations cannot be secured.

B. Messages are not secure from interception.

C. Cabling is not secure.

D. Client computers are not secured and are easily accessible.

Correct Answer: A

The correct answer is "Specific servers and locations cannot be secured". Kerberos requires that centralized servers
implementing the trusted authentication mechanism must be secured.

QUESTION 7

Which of the following is an extension to Network Address Translation that permits multiple devices providing services
on a local area network (LAN) to be mapped to a single public IP address?

A. IP Spoofing

B. IP subnetting

C. Port address translation

D. IP Distribution

Correct Answer: C

Explanation: Port Address Translation (PAT), is an extension to network address translation (NAT) that permits multiple
devices on a local area network (LAN) to be mapped to a single public IP address. The goal of PAT is to conserve IP

addresses or to publish multiple hosts with service to the internet while having only one single IP assigned on the
external side of your gateway.

CISSP PDF Dumps | CISSP Practice Test | CISSP Exam Questions 4 / 13

 https://www.certbus.com/CISSP.html
2019 Latest certbus CISSP PDF and VCE dumps Download

Most home networks use PAT. In such a scenario, the Internet Service Provider (ISP) assigns a single IP address to the
home network\\'s router. When Computer X logs on the Internet, the router assigns the client a port number, which is

appended to the internal IP address. This, in effect, gives Computer X a unique address. If Computer Z logs on the
Internet at the same time, the router assigns it the same local IP address with a different port number. Although both

computers are sharing the same public IP address and accessing the Internet at the same time, the router knows
exactly which computer to send specific packets to because each computer has a unique internal address.

Port Address Translation is also called porting, port overloading, port-level multiplexed NAT and single address NAT.

Shon Harris has the following example in her book:

The company owns and uses only one public IP address for all systems that need to communicate outside the internal
network. How in the world could all computers use the exact same IP address? Good question. Here\\'s an example:
The

NAT device has an IP address of 127.50.41.3. When computer A needs to communicate with a system on the Internet,
the NAT device documents this computer\\'s private address and source port number (10.10.44.3; port 43,887). The
NAT

device changes the IP address in the computer\\'s packet header to 127.50.41.3, with the source port 40,000. When
computer B also needs to communicate with a system on the Internet, the NAT device documents the private address
and

source port number (10.10.44.15; port 23,398) and changes the header information to 127.50.41.3 with source port
40,001. So when a system responds to computer A, the packet first goes to the NAT device, which looks up the port
number

40,000 and sees that it maps to computer A\\'s real information. So the NAT device changes the header information to
address 10.10.44.3 and port 43,887 and sends it to computer A for processing. A company can save a lot more money
by

using PAT, because the company needs to buy only a few public IP addresses, which are used by all systems in the
network.

As mentioned on Wikipedia:

NAT is also known as Port Address Translation: is a feature of a network device that translate TCP or UDP
communications made between host on a private network and host on a public network. I allows a single public IP
address to be used

by many host on private network which is usually a local area network LAN

NAT effectively hides all TCP/IP-level information about internal hosts from the Internet.

The following were all incorrect answer:

IP Spoofing - In computer networking, the term IP address spoofing or IP spoofing refers to the creation of Internet
Protocol (IP) packets with a forged source IP address, called spoofing, with the purpose of concealing the identity of the

sender or impersonating another computing system.

Subnetting - Subnetting is a network design strategy that segregates a larger network into smaller components. While
connected through the larger network, each subnetwork or subnet functions with a unique IP address. All systems that
are

CISSP PDF Dumps | CISSP Practice Test | CISSP Exam Questions 5 / 13

 https://www.certbus.com/CISSP.html
2019 Latest certbus CISSP PDF and VCE dumps Download

assigned to a particular subnet will share values that are common for both the subnet and for the network as a whole.

A different approach to network construction can be thought of as subnetting in reverse. Known as CIDR, or Classless
Inter-Domain Routing, this approach also creates a series of subnetworks. Rather than dividing an existing network into

small components, CIDR takes smaller components and connects them into a larger network. This can often be the
case when a business is acquired by a larger corporation. Instead of doing away with the network developed and used
by the

newly acquired business, the corporation chooses to continue operating that network as a subsidiary or an added
component of the corporation\\'s network. In effect, the system of the purchased entity becomes a subnet of the parent

company\\'s network.

IP Distribution - This is a generic term which could mean distribution of content over an IP network or distribution of IP
addresses within a Company. Sometimes people will refer to this as Internet Protocol address management (IPAM) is a

means of planning, tracking, and managing the Internet Protocol address space used in a network. Most commonly,
tools such as DNS and DHCP are used in conjunction as integral functions of the IP address management function, and
true

IPAM glues these point services together so that each is aware of changes in the other (for instance DNS knowing of
the IP address taken by a client via DHCP, and updating itself accordingly). Additional functionality, such as controlling

reservations in DHCP as well as other data aggregation and reporting capability, is also common. IPAM tools are
increasingly important as new IPv6 networks are deployed with larger address pools, different subnetting techniques,
and more

complex 128-bit hexadecimal numbers which are not as easily human-readable as IPv4 addresses.

Reference(s) used for this question:

STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 1:

Understanding Firewalls.

Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition :

Telecommunications and Network Security, Page 350.

Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 12765-12774).
Telecommunications and Network Security, Page 604-606

http://searchnetworking.techtarget.com/definition/Port-Address-Translation-PAT
http://en.wikipedia.org/wiki/IP_address_spoofing

http://www.wisegeek.com/what-is-subnetting.htm

http://en.wikipedia.org/wiki/IP_address_management

QUESTION 8

In computing what is the name of a non-self-replicating type of malware program containing malicious code that appears
to have some useful purpose but also contains code that has a malicious or harmful purpose imbedded in it, when
executed, carries out actions that are unknown to the person installing it, typically causing loss or theft of data, and

CISSP PDF Dumps | CISSP Practice Test | CISSP Exam Questions 6 / 13

 https://www.certbus.com/CISSP.html
2019 Latest certbus CISSP PDF and VCE dumps Download

possible system harm.

A. virus.

B. worm.

C. Trojan horse.

D. trapdoor.

Correct Answer: C

Explanation: A trojan horse is any code that appears to have some useful purpose but also contains code that has a
malicious or harmful purpose imbedded in it. A Trojan often also includes a trapdoor as a means to gain access to a

computer system bypassing security controls.

Wikipedia defines it as:

A Trojan horse, or Trojan, in computing is a non-self-replicating type of malware program containing malicious code
that, when executed, carries out actions determined by the nature of the Trojan, typically causing loss or theft of data,
and

possible system harm. The term is derived from the story of the wooden horse used to trick defenders of Troy into taking
concealed warriors into their city in ancient Greece, because computer Trojans often employ a form of social

engineering, presenting themselves as routine, useful, or interesting in order to persuade victims to install them on their
computers.

The following answers are incorrect:

virus. Is incorrect because a Virus is a malicious program and is does not appear to be harmless, it\\'s sole purpose is
malicious intent often doing damage to a system. A computer virus is a type of malware that, when executed, replicates
by

inserting copies of itself (possibly modified) into other computer programs, data files, or the boot sector of the hard drive;
when this replication succeeds, the affected areas are then said to be "infected".

worm. Is incorrect because a Worm is similiar to a Virus but does not require user intervention to execute. Rather than
doing damage to the system, worms tend to self- propagate and devour the resources of a system. A computer worm is
a

standalone malware computer program that replicates itself in order to spread to other computers. Often, it uses a
computer network to spread itself, relying on security failures on the target computer to access it. Unlike a computer
virus, it

does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network,
even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.

trapdoor. Is incorrect because a trapdoor is a means to bypass security by hiding an entry point into a system. Trojan
Horses often have a trapdoor imbedded in them. http://en.wikipedia.org/wiki/Trojan_horse_%28computing%29 and

http://en.wikipedia.org/wiki/Computer_virus

and

http://en.wikipedia.org/wiki/Computer_worm

CISSP PDF Dumps | CISSP Practice Test | CISSP Exam Questions 7 / 13

 https://www.certbus.com/CISSP.html
2019 Latest certbus CISSP PDF and VCE dumps Download

and

http://en.wikipedia.org/wiki/Backdoor_%28computing%29

QUESTION 9

What is a characteristic of Secure Socket Layer (SSL) and Transport Layer Security (TLS)?

A. SSL and TLS provide a generic channel security mechanism on top of Transmission Control Protocol (TCP).

B. SSL and TLS provide nonrepudiation by default.

C. SSL and TLS do not provide security for most routed protocols.

D. SSL and TLS provide header encapsulation over HyperText Transfer Protocol (HTTP).

Correct Answer: A

QUESTION 10

Which of the following is NOT a part of a risk analysis?

A. Identify risks

B. Quantify the impact of potential threats

C. Provide an economic balance between the impact of the risk and the cost of the associated countermeasure

D. Choose the best countermeasure

Correct Answer: D

Explanation: This step is not a part of RISK ANALYSIS. A risk analysis has three main goals: identify risks, quantify the
impact of potential threats, and provide an economic balance between the impact of the risk and the cost of the

associated countermeasure. Choosing the best countermeasure is not part of the risk analysis.

Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw- Hill/Osborne, 2002, chapter 3: Security
Management Practices (page 73). HARRIS, Shon, Mike Meyers\\' CISSP(R) Certification Passport, 2002, McGraw-Hill,

page 12.

QUESTION 11

Identify the component that MOST likely lacks digital accountability related to information access. Click on the correct
device in the image below.

Hot Area:

CISSP PDF Dumps | CISSP Practice Test | CISSP Exam Questions 8 / 13

 https://www.certbus.com/CISSP.html
2019 Latest certbus CISSP PDF and VCE dumps Download

Correct Answer:

QUESTION 12

If an internal database holds a number of printers in every department and this equals the total number of printers for
the whole organization recorded elsewhere in the database, it is an example of:

A. External consistency of the information system.

B. Differential consistency of the information system.

C. Internal consistency of the information system.

D. Referential consistency of the information system.

Correct Answer: C

Explanation: Internal consistency ensures that internal data is consistent, the subtotals match the total number of units
in the data base. Internal Consistency, External Consistency, Well formed transactions are all terms related to the Clark-
Wilson Model.

The Clark-Wilson model was developed after Biba and takes some different approaches to protecting the integrity of
information. This model uses the following elements:

?Users Active agents

?Transformation procedures (TPs) Programmed abstract operations, such as read, write, and modify

?Constrained data items (CDIs) Can be manipulated only by TPs ?Unconstrained data items (UDIs) Can be
manipulated by users via primitive read and write operations

CISSP PDF Dumps | CISSP Practice Test | CISSP Exam Questions 9 / 13

 https://www.certbus.com/CISSP.html
2019 Latest certbus CISSP PDF and VCE dumps Download

?Integrity verification procedures (IVPs) Check the consistency of CDIs with external reality Although this list may look
overwhelming, it is really quite straightforward. When an application uses the Clark-Wilson model, it separates data into

one subset that needs to be highly protected, which is referred to as a constrained data item (CDI), and another subset
that does not require a high level of protection, which is called an unconstrained data item (UDI).

Users cannot modify critical data (CDI) directly. Instead, the subject (user) must be authenticated to a piece of software,
and the software procedures (TPs) will carry out the operations on behalf of the user. For example, when Kathy needs
to

update information held within her company\\'s database, she will not be allowed to do so without a piece of software
controlling these activities. First, Kathy must authenticate to a program, which is acting as a front end for the database,
and

then the program will control what Kathy can and cannot do to the information in the database.

This is referred to as access triple: subject (user), program (TP), and object (CDI). A user cannot modify CDI without
using a TP.

Well Formed Transactions

A well-formed transaction is a series of operations that are carried out to transfer the data from one consistent state to
the other. If Kathy transfers money from her checking account to her savings account, this transaction is made up of
two

operations: subtract money from one account and add it to a different account. By making sure the new values in her
checking and savings accounts are accurate and their integrity is intact, the IVP maintains internal and external
consistency.

The Clark-Wilson model also outlines how to incorporate separation of duties into the architecture of an application. If
we follow our same example of banking software, if a customer needs to withdraw over $ 10,000, the application may

require a supervisor to log in and authenticate this transaction. This is a countermeasure against potential fraudulent
activities.

The model provides the rules that the developers must follow to properly implement and enforce separation of duties
through software procedures.

The following answers are incorrect:

External consistency of the information system. External consistency is were the data matches the real world. If you
have an automated inventory system the numbers in the data must be consistent with what your stock actually is.

The other answers are distractors.

Reference(s) used for this question:

Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 8146-8159). McGraw-Hill.
Kindle Edition.

and

Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 8188-8195). McGraw-Hill.
Kindle Edition.

and

CISSP PDF Dumps | CISSP Practice Test | CISSP Exam Questions 10 / 13

 https://www.certbus.com/CISSP.html
2019 Latest certbus CISSP PDF and VCE dumps Download

Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition, Security Architecture and Design Ch 4, Pg,
374-376 AIO 6th Edition. McGraw-Hill.

QUESTION 13

When referring to the Cloud Computing Service models. What would you call a service model where the consumer does
not manage or control the underlying cloud infrastructure including networks, servers, operating systems, or storage, but
has control over the deployed applications and possibly configuration settings for the application-hosting environment?

A. Code as a Service (CaaS)

B. Platform as a Service (PaaS)

C. Software as a Service (SaaS)

D. Infrastructure as a Service (IaaS)

Correct Answer: B

Explanation: The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or
acquired applications created using programming languages, libraries, services, and tools supported by the provider.
The consumer does not manage or control the underlying cloud infrastructure including networks, servers, operating
systems, or storage, but has control over the deployed applications and possibly configuration settings for the
application-hosting environment.

Platform-as-a-Service (PaaS) is a model of service delivery whereby the computing platform is provided as an on-
demand service upon which applications can be developed and deployed. Its main purpose is to reduce the cost and
omplexity of buying, housing, and managing the underlying hardware and software components of the platform,
including any needed program and database development tools. The development environment is typically special
purpose, determined by the cloud provider and tailored to the design and architecture of its platform. The cloud
consumer has control over applications and application environment settings of the latform. Security provisions are split
between the cloud provider and the cloud consumer.

The following answers are incorrect: Software-as-a-Service.

Software-as-a-Service (SaaS) is a model of service delivery whereby one or more applications and the computational
resources to run them are provided for use on demand as a turnkey service. Its main purpose is to reduce the total cost
of hardware and software development, maintenance, and operations. Security provisions are carried out mainly by the
cloud provider. The cloud consumer does not manage or control the underlying cloud infrastructure or individual
applications, except for preference selections and limited administrative application settings. Infrastructure-as-a-Service.
Infrastructure-as-a-Service (IaaS) is a model of service delivery whereby the basic computing infrastructure of servers,
software, and network equipment is provided as an on- demand service upon which a platform to develop and execute
applications can be established. Its main purpose is to avoid purchasing, housing, and managing the basic hardware
and software infrastructure components, and instead obtain those resources as virtualized objects controllable via a
service interface. The cloud consumer generally has broad freedom to choose the operating system and development
environment to be hosted. Security provisions beyond the basic infrastructure are carried out mainly by the cloud
consumer Code as a Service (CaaS) CaaS does not exist and is only a detractor. This is no such service model.

CISSP PDF Dumps | CISSP Practice Test | CISSP Exam Questions 11 / 13

 https://www.certbus.com/CISSP.html
2019 Latest certbus CISSP PDF and VCE dumps Download

Cloud Deployment Models

NOTE: WHAT IS A CLOUD INFRASTRUCTURE?

A cloud infrastructure is the collection of hardware and software that enables the five essential characteristics of cloud
computing. The cloud infrastructure can be viewed as containing both a physical layer and an abstraction layer. The

physical layer consists of the hardware resources that are necessary to support the cloud services being provided, and
typically includes server, storage and network components. The abstraction layer consists of the software deployed

across the physical layer, which manifests the essential cloud characteristics. Conceptually the abstraction layer sits
above the physical layer.

The following reference(s) were/was used to create this question:

NIST Special Publication 800-144 Guidelines on Security and Privacy in Public Cloud Computing

and

NIST Special Publication 800-145 The NIST definition of Cloud Computing

CISSP PDF Dumps CISSP Practice Test CISSP Exam Questions

CISSP PDF Dumps | CISSP Practice Test | CISSP Exam Questions 12 / 13

 https://www.certbus.com/CISSP.html
2019 Latest certbus CISSP PDF and VCE dumps Download

To Read the Whole Q&As, please purchase the Complete Version from Our website.

Try our product !

100% Guaranteed Success

100% Money Back Guarantee
365 Days Free Update
Instant Download After Purchase
24x7 Customer Support
Average 99.9% Success Rate
More than 800,000 Satisfied Customers Worldwide
Multi-Platform capabilities - Windows, Mac, Android, iPhone, iPod, iPad, Kindle

We provide exam PDF and VCE of Cisco, Microsoft, IBM, CompTIA, Oracle and other IT Certifications.
You can view Vendor list of All Certification Exams offered:

https://www.certbus.com/allproducts

Need Help
Please provide as much detail as possible so we can best assist you.
To update a previously submitted ticket:

Any charges made through this site will appear as Global Simulators Limited.
All trademarks are the property of their respective owners.
Copyright © certbus, All Rights Reserved.

CISSP PDF Dumps | CISSP Practice Test | CISSP Exam Questions 13 / 13

Powered by TCPDF (www.tcpdf.org)