best preparation method to pass the ISC CISSP exam, latest ISC CISSP exam dumps

Certfans shares the latest ISC Certification CISSP exam dumps for free exam practice tests and online downloads! “Certified Information Systems Security Professional” CISSP exam. Ready to pass the CISSP exam please click (full exam dump)

ISC CISSP Exam pdf

ISC CISSP Online Exam Practice Questions

Which one of the following is a key agreement protocol used to enable two entities to agree on and generate a session
key (a secret key used for one session) over an insecure medium, without any prior secrets or communications between
the entities? The negotiated key will subsequently be used for message encryption using symmetric cryptography.
C. Diffie-Hellman
Correct Answer: C
Explanation: The Diffie-Hellman key agreement protocol (also called exponential key agreement) was developed by
Diffie and Hellman [DH76] in 1976 and published in the ground-breaking paper "New Directions in Cryptography." The
protocol allows two users to exchange a secret key over an insecure medium without any prior secrets.
The protocol has two system parameters, p and g. They are both public and may be used by all the users in a system.
Parameter p is a prime number and parameter g (usually called a generator) is an integer less than p with the following
property: for every number n between 1 and p-1 inclusive, there is a power k of g such that n = g^k mod p.
Suppose Alice and Bob want to agree on a shared secret key using the Diffie-Hellman key agreement protocol. They
proceed as follows. First, Alice generates a random private value a and Bob generates a random private value b. Both a
and b are drawn from the set of integers. Then they derive their public values using the parameters p and g and their
private values: Alice's public value is g^a mod p and Bob's public value is g^b mod p. They then exchange their public
values. Alice computes g^(ab) = (g^b)^a mod p, and Bob computes g^(ba) = (g^a)^b mod p. Since g^(ab) = g^(ba) = k,
Alice and Bob now have a shared secret key k.
The protocol depends on the discrete logarithm problem for its security. It assumes that it is computationally infeasible
to calculate the shared secret key k = g^(ab) mod p given the two public values g^a mod p and g^b mod p when the
prime p is sufficiently large. Maurer [Mau94] has shown that breaking the Diffie-Hellman protocol is equivalent to
computing discrete logarithms under certain assumptions.
The Diffie-Hellman key exchange is vulnerable to a man-in-the-middle attack. In this attack, an opponent Carol
intercepts Alice's public value and sends her own public value to Bob. When Bob transmits his public value, Carol
substitutes it with her own and sends it to Alice. Carol and Alice thus agree on one shared key and Carol and Bob agree
on another shared key. After this exchange, Carol simply decrypts any messages sent out by Alice or Bob, and then reads
and possibly modifies them before re-encrypting with the appropriate key and transmitting them to the other party. This
vulnerability is present because the Diffie-Hellman key exchange does not authenticate the participants. Possible
solutions include the use of digital signatures and other protocol variants.
The authenticated Diffie-Hellman key agreement protocol, or Station-to-Station (STS) protocol, was developed by Diffie,
van Oorschot, and Wiener in 1992 [DVW92] to defeat the man-in-the-middle attack on the Diffie-Hellman key agreement
protocol. The immunity is achieved by allowing the two parties to authenticate themselves to each other by the use of
digital signatures (see .2.2) and public-key certificates (see Question
Roughly speaking, the basic idea is as follows. Prior to execution of the protocol, the two parties Alice and Bob each
obtain a public/private key pair and a certificate for the public key. During the protocol, Alice computes a signature on
certain messages, covering the public value g^a mod p. Bob proceeds in a similar way. Even though Carol is still able to
intercept messages between Alice and Bob, she cannot forge signatures without Alice's private key and Bob's private key.
Hence, the enhanced protocol defeats the man-in-the-middle attack.
In recent years, the original Diffie-Hellman protocol has been understood to be an example of a much more general
cryptographic technique, the common element being the derivation of a shared secret value (that is, a key) from one
party's public key and another party's private key. The parties' key pairs may be generated anew at each run of the
protocol, as in the original Diffie-Hellman protocol. The public keys may be certified, so that the parties can be
authenticated, and there may be a combination of these attributes. The draft ANSI X9.42 (see .3.1) illustrates some of
these combinations, and a recent paper by Blake-Wilson, Johnson, and Menezes provides some relevant security proofs.
Sources: TIPTON, et al., Official (ISC)2 Guide to the CISSP CBK, 2007 edition, page 257; RSA Laboratories web site.
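The exchange described above, as an added example in Python that is not part of the page or of the sources it cites: it uses constructed toy parameters p = 23 and g = 5, checks the generator property stated in the explanation, and applies the public-value range check (2 ≤ y ≤ p-2) that a real implementation performs before exponentiating. The STS signatures that authenticate the public values are not modelled here.

```python
# Added example, not from the page: a toy Diffie-Hellman run with small,
# constructed parameters (p=23, g=5) so the arithmetic can be followed by hand.
# Real deployments use a 2048-bit or larger safe prime, or an elliptic-curve
# group; the tiny p here is only for illustration.
import secrets
from typing import Tuple


def is_generator(g: int, p: int) -> bool:
    """The property stated above: every n in 1..p-1 equals g^k mod p for some k."""
    seen, x = set(), 1
    for _ in range(p - 1):
        x = (x * g) % p
        seen.add(x)
    return len(seen) == p - 1


def public_value(private: int, g: int, p: int) -> int:
    """g^private mod p, the value each party sends in the clear."""
    return pow(g, private, p)


def shared_secret(peer_public: int, private: int, p: int) -> int:
    """(peer_public)^private mod p. Degenerate peer values (0, 1, p-1) are rejected,
    the standard public-key validation step (e.g. NIST SP 800-56A): their powers
    never leave a trivial subgroup, so the resulting 'secret' would be predictable."""
    if not 2 <= peer_public <= p - 2:
        raise ValueError("peer public value out of range")
    return pow(peer_public, private, p)


def random_private(g: int, p: int) -> int:
    """Pick a private value in 1..p-2 whose public value passes the range check."""
    while True:
        x = secrets.randbelow(p - 2) + 1
        if 2 <= public_value(x, g, p) <= p - 2:
            return x


def agree(p: int, g: int, a: int, b: int) -> Tuple[int, int, int, int]:
    """One exchange between Alice (private a) and Bob (private b).
    Returns (A, B, k_alice, k_bob); k_alice == k_bob is the shared key k."""
    if not is_generator(g, p):
        raise ValueError("g is not a generator mod p")
    A = public_value(a, g, p)          # Alice -> Bob
    B = public_value(b, g, p)          # Bob -> Alice
    k_alice = shared_secret(B, a, p)   # (g^b)^a mod p
    k_bob = shared_secret(A, b, p)     # (g^a)^b mod p
    return A, B, k_alice, k_bob


if __name__ == "__main__":
    print(agree(23, 5, 6, 15))   # (8, 19, 2, 2)
    print(agree(23, 5, random_private(5, 23), random_private(5, 23))[2:])
```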

Which of the following statements pertaining to key management is incorrect?
A. The more a key is used, the shorter its lifetime should be.
B. When not using the full keyspace, the key should be extremely random.
C. Keys should be backed up or escrowed in case of emergencies.
D. A key's lifetime should correspond with the sensitivity of the data it is protecting.
Correct Answer: B
Explanation: A key should always use the full spectrum of the keyspace and be extremely random. The other
statements are correct.
Source: WALLHOFF, John, CBK#5 Cryptography (CISSP Study Guide), April 2002 (page

Which of the following statements pertaining to secure information processing facilities is incorrect?
A. Walls should have an acceptable fire rating.
B. Windows should be protected with bars.
C. Doors must resist forcible entry.
D. Location and type of fire suppression systems should be known.
Correct Answer: B
Explanation: Windows are normally not acceptable in the data center. If they do exist, however, they must be
translucent and shatterproof. Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 10: Physical security (page 329).

The U.S. Uniform Computer Information Transactions Act (UCITA) is a:
A. Model act that is intended to apply uniform legislation to electronic credit transactions
B. Model act that is intended to apply uniform legislation to software licensing
C. Model act that addresses electronic transactions conducted by financial institutions
D. Model act that addresses digital signatures
Correct Answer: B
The National Commissioners on Uniform State Laws (NCUSL) voted to approve the Uniform Computer Information
Transactions Act (UCITA) on July 29, 1999. This legislation, which will have to be enacted state by state, will greatly
affect libraries' access to and use of software packages. It also will keep in place the current licensing practices of
software vendors. At the present time, shrink-wrap or click-wrap licenses limit rights that are normally granted under
copyright law. Under Section 109 of the U.S. 1976 Copyright Act, the first sale provision permits the owner of a
particular copy, without the authority of the copyright owner, to sell or otherwise dispose of the possession of that copy.
However, the software manufacturers use the term license in their transactions. As opposed to the word sale, the term
license denotes that the software manufacturers are permitting users to use a copy of their software. Thus, the
software vendor still owns the software. Until each state enacts the legislation, it is not clear if shrink-wrap licenses that
restrict users' rights under copyright law are legally enforceable. For clarification, shrink-wrap licenses physically
accompany a disk while click-on and active click-wrap licenses are usually transmitted electronically. Sometimes, the
term shrink-wrap is interpreted to mean both physical and electronic licenses to use software. The focus of the UCITA
legislation is not on the physical media, but on the information contained on the media.

A practice that permits the owner of a data object to grant other users access to that object would usually provide
A. Mandatory Access Control (MAC).
B. owner-administered control.
C. owner-dependent access control.
D. Discretionary Access Control (DAC).
Correct Answer: D

In a biometric system, the time it takes to register with the system by providing samples of a biometric characteristic is
A. Set-up time.
B. Enrollment time.
C. Log-in time.
D. Throughput time.
Correct Answer: B
The correct answer is "Enrollment time".
The answers Set-up time and Log-in time are distracters.
The answer Throughput time refers to the rate at which individuals, once enrolled, can be processed and identified or
authenticated by a biometric system.

Which of the following is a benefit in implementing an enterprise Identity and Access Management (IAM) solution?
A. Password requirements are simplified.
B. Risk associated with orphan accounts is reduced.
C. Segregation of duties is automatically enforced.
D. Data confidentiality is increased.
Correct Answer: A

Which of the following is NOT a criterion for access control?
A. Role
B. Identity
C. Keystroke monitoring
D. Transactions
Correct Answer: C
Keystroke monitoring is associated with the auditing function and not with access control. For the answer Identity, the
identity of the user is a criterion for access control; the identity must be authenticated as part of the identification and
authentication (I and A) process.
The answer Role refers to role-based access control, where access to information is determined by the user's job
function or role in the organization.
Transactions refers to access control through entering an account number or a transaction number, as may be required
for bill payments by telephone, for example.

When two different keys encrypt a plaintext message into the same ciphertext, this situation is known as:
A. Cryptanalysis.
B. Public key cryptography.
C. Hashing.
D. Key clustering.
Correct Answer: D
The correct answer is "Key clustering".
The answer "Public key cryptography" describes a type of cryptographic system using a public and a private key; the
answer Cryptanalysis is the art/science of breaking ciphers; the answer Hashing is the conversion of a message of
variable length into a fixed-length message digest.

Which component of the Security Content Automation Protocol (SCAP) specification contains the data required to
estimate the severity of vulnerabilities identified by automated vulnerability assessments?
A. Common Vulnerabilities and Exposures (CVE)
B. Common Vulnerability Scoring System (CVSS)
C. Asset Reporting Format (ARF)
D. Open Vulnerability and Assessment Language (OVAL)
Correct Answer: B

Which of the following is the MOST effective attack against cryptographic hardware modules?
A. Plaintext
B. Brute force
C. Power analysis
D. Man-in-the-middle (MITM)
Correct Answer: C

Which type of control is concerned with restoring controls?
A. Compensating controls
B. Corrective controls
C. Detective controls
D. Preventive controls
Correct Answer: B
Explanation: Corrective controls are concerned with remedying circumstances and restoring controls.
Detective controls are concerned with investigating what happened after the fact, such as logs and video surveillance
tapes, for example.
Compensating controls are alternative controls, used to compensate for weaknesses in other controls.
Preventive controls are concerned with avoiding occurrences of risks. Source: TIPTON, Hal, (ISC)2, Introduction to the
CISSP Exam presentation.

Which of the following is the WEAKEST authentication mechanism?
A. Passphrases
B. Passwords
C. One-time passwords
D. Token devices
Correct Answer: B
Explanation: Most of the time users choose passwords which can be guessed, hence Passwords is the BEST answer
out of the choices listed above.
The following answers are incorrect because:
Passphrases is incorrect as a passphrase is more secure than a password because it is longer. One-time passwords is
incorrect as, as the name states, it is good for only one use and cannot be reused.
Token devices is incorrect as a token device is also a password generator and is a one-time password mechanism.
Reference: Shon Harris AIO v3, Chapter 4: Access Control, pages 139, 142

About Pass4itsure!

Pass4itsure offers the latest exam practice questions and answers free of charge! Update all exam questions throughout the year,
with a number of professional exam experts! To make sure it works! Maximum pass rate, best value for money! It helps you pass the exam easily on your first attempt.

How do I pass the ISC CISSP exam? You need to be prepared for it! You need the latest and most effective learning materials and proper practices to pass the CISSP exam. “Earning the CISSP proves you have what it takes to effectively design, implement and manage a best-in-class cybersecurity program. With a CISSP, you validate your expertise and become an (ISC)² member, unlocking a broad array of exclusive resources, educational tools, and peer-to-peer networking opportunities”. Pass4itsure offers you the latest exam materials! You can use the materials to prepare to help you achieve excellent results!
