ISC2 CISSP Practice Test

The correct first step in an effective patch management process is to inventory systems and software. Before you can properly manage patches for your environment, you must have a complete and accurate inventory of all systems, applications, and software versions that exist in your environment. Without knowing what you have, it's impossible to determine what needs patching, assess vulnerabilities, or prioritize updates. Identifying systems and software is the foundation upon which the entire patch management process is built, preceding vulnerability scanning, patch testing, and deployment activities. This inventory should include all operating systems, applications, firmware, and other software components across the organization's technology stack.

The correct answer is Significantly greater computational requirements. The primary security concern with homomorphic encryption is its extremely high computational overhead compared to traditional encryption methods. While homomorphic encryption allows computations on encrypted data without decrypting it first, current implementations are typically thousands to millions of times slower than operations on unencrypted data, making it impractical for many applications.

Vulnerability to quantum computing is incorrect because this is a concern for many encryption algorithms, not specifically homomorphic encryption.

Incompatibility with PKI is incorrect because this is not a significant issue specific to homomorphic encryption.

Higher risk of side-channel attacks is incorrect because side-channel attacks aren't inherently more problematic for homomorphic encryption than other cryptographic systems.

The correct answer is Multi-factor Authentication (MFA). This authentication model combines two or more authentication factors from different categories: something you know (such as a password), something you have (such as a mobile device receiving a one-time code), and something you are (biometrics). In this scenario, the users need to provide something they know (likely a password or PIN) and then use something they have (their mobile device) to receive and enter a one-time code, making it a multi-factor authentication implementation. Two-factor authentication (2FA) is actually a subset of MFA specifically using two factors, which is what's described in the question, but MFA is the more comprehensive term that encompasses this implementation.

Ensuring the elimination of sensitive data from retired hardware is crucial to prevent potential data breaches. This action needs to involve secure methods of data removal that make information irretrievable. Other options state concrete activities, but they do not necessarily result in the correct outcome. These options do not result in proper data deletion, risking exposure to unauthorized access and undermining the organization’s data security posture.

An Electromagnetic Pulse (EMP) is characterized by high-intensity electromagnetic energy that can damage electronic equipment by inducing current surges in circuitry. EMPs are primarily caused by man-made sources such as nuclear detonations at high altitudes or specialized EMP-generating devices, though some natural phenomena like severe solar flares (coronal mass ejections) can create similar effects known as geomagnetic disturbances.

EMPs pose a significant risk to electronic infrastructure as they can permanently damage electronic components, erase stored data, and render systems inoperable across wide geographic areas without making physical contact with the equipment. Organizations implement protective measures such as Faraday cages, EMP-hardened equipment, or electromagnetic shielding as countermeasures against this environmental threat.

A fire requires physical proximity to damage equipment through heat and combustion. Floods damage equipment through direct water contact. A lightning strike primarily affects localized areas through direct strikes or ground current, rather than affecting wide geographic areas simultaneously through atmospheric propagation.

The correct answer is an effective method that prevents any remnants of the data from being retrievable. Physical destruction that renders media unusable is preferred, but not a listed option. Overwriting data multiple times is a well-known technique that helps eliminate any recoverable instances of the original data. In contrast, options that suggest simple deletion may not adequately address the potential for data recovery through forensic methods. Similarly, methodologies that only involve physical destruction without considering the implications of residual data might still leave recoverable traces.

Edge computing systems are the correct solution for this scenario because they process data closer to the source (patient sensors), reducing latency which is critical for the real-time monitoring application. Edge computing addresses the millisecond response time requirement by eliminating the need to transmit all data to a central cloud for processing before action can be taken.

Cloud-based solutions would introduce too much latency for the critical alerts requirement. A traditional data center approach would also face similar latency issues and would not be optimized for distributed data processing from multiple hospital locations. While fog computing extends cloud capabilities closer to the edge, it still doesn't provide the same level of immediate processing as edge computing for the critical millisecond requirements mentioned in the scenario.

When implementing edge computing for healthcare, security considerations must include data protection at the edge node, secure communication channels, authentication mechanisms for edge devices, and compliance with healthcare regulations for protected health information (PHI).

The correct answer is procedures. In a security governance framework hierarchy, procedures provide detailed, step-by-step instructions for performing specific security-related tasks. They are the most granular documents in the hierarchy.

• Policies are high-level statements of management intent that define what should be done and why
• Standards define mandatory requirements and specify technologies or methodologies to be used
• Guidelines provide recommended actions and guidance but allow flexibility in implementation
• Procedures contain detailed, step-by-step instructions for performing specific tasks

While all these documents are important in a security governance structure, procedures are specifically designed to provide the detailed instructions needed for consistent execution of security activities.

The statement is false because portable USB storage devices present significant security risks even when endpoint security controls are in place. These devices can:

1. Introduce malware into secure environments through infected media
2. Be used for unauthorized data exfiltration
3. Bypass network monitoring controls
4. Potentially deliver hardware-based attacks (like BadUSB)

Comprehensive access control for devices requires:

• Restricting unauthorized devices through physical means
• Implementing technical controls like device whitelisting
• Enforcing policies on approved device usage
• Possibly disabling USB ports in highly sensitive environments

Endpoint security alone is insufficient, as it may have vulnerabilities or configuration gaps that USB devices could exploit. Defense-in-depth principles require both physical access restrictions and technical controls.

Mitigation strategies minimize the impact and severity of an incident on an organization's assets and operations. While containment focuses on stopping the spread of the incident, mitigation involves taking steps to lessen the damage that has already occurred and to facilitate a quicker recovery. Other options may involve some form of response but do not specifically address the reduction of impact after an incident has initiated.

The correct answer is to submit a formal report to the certifying body. This aligns with the ISC2 Code of Ethics, specifically Canon IV (Advance and protect the profession), which requires certified professionals to report violations of the Code to appropriate parties. When a CISSP observes another credential holder engaging in unethical behavior that violates the Code, they have an obligation to report this misconduct.

Talking to the supervisor first might seem like a reasonable approach to resolve the issue internally, but the Code explicitly requires reporting violations. While documenting the incidents is important, it's not sufficient without taking action. Ignoring the situation completely violates the professional responsibility entrusted to CISSP holders. Resigning without reporting fails to uphold the integrity of the profession and allows the unethical behavior to continue, potentially causing harm to the organization and undermining security practices.

The correct answer is a honeypot. A honeypot is a security resource that is intentionally designed to be probed, attacked, or compromised, allowing analysts to gather information about attacks. The other options presented do not specifically target threat attraction and analysis in the same way honeypots do. While a firewall and an IDS monitor and protect systems, they do not serve the primary function of attracting attackers for the purpose of analysis.

The correct choice is multi-factor authentication (MFA), which requires users to present two or more independent credentials: something they know (password) and something they possess (verification code sent to their device). Single sign-on (SSO) allows users to access multiple systems without repeated logins but does not incorporate additional verification steps. Password-based authentication relies solely on user knowledge and lacks the robustness that MFA provides. Biometric authentication involves identifying users based on physical attributes but does not meet the specific criteria of combining knowledge and possession in this scenario.

Measuring the reduction in security incidents related to employee actions is the most valuable metric because it directly demonstrates the impact of the security awareness training on actual security outcomes. This provides tangible evidence that employees are applying what they learned and changing their behaviors accordingly. The primary goal of security awareness training is to reduce security incidents by improving employee security practices, so measuring this reduction provides direct insight into program effectiveness. Other metrics like completion rates, test scores, or feedback surveys can be useful supplementary measures but don't demonstrate actual security improvements in the organization's environment.

The correct answer emphasizes the importance of documenting the response and identifying areas that require change. This process allows organizations to reflect on actions taken, assess their effectiveness, and enhance future incident responses. Collecting data and analyzing outcomes is crucial for creating actionable insights that will strengthen the overall security posture. Other options might address aspects of incident management, but they do not focus on the critical continuous improvement process encapsulated in lessons learned.