CISSP ISC Certified Information Systems Security Professional (CISSP) Free Practice Exam Questions (2025 Updated)

 The best reason for the organization to pursue a plan to mitigate client-based attacks is that client-based attacks are more common and easier to exploit than server and network based attacks. Client-based attacks are the attacks that target the client applications or systems, such as web browsers, email clients, or media players, and that can exploit the vulnerabilities or weaknesses of the client software or configuration, or the user behavior or interaction. Client-based attacks are more common and easier to exploit than server and network based attacks, because the client applications or systems are more exposed and accessible to the attackers, the client software or configuration is more diverse and complex to secure, and the user behavior or interaction is more unpredictable and prone to errors or mistakes. Therefore, the organization needs to pursue a plan to mitigate client-based attacks, as they pose a significant security threat or risk to the organization’s data, systems, or network. Client privilege administration is inherently weaker than server privilege administration, client hardening and management is easier on clients than on servers, and client-based attacks have higher financial impact are not the best reasons for the organization to pursue a plan to mitigate client-based attacks, as they are not supported by the facts or evidence, or they are not relevant or specific to the client-side security. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 8, Software Development Security, page 1050. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 8, Software Development Security, page 1066.

From a security perspective, the best practice to configure a DNS system is to limit zone transfers to authorized devices. Zone transfers are the processes of replicating the DNS data from one server to another, usually from a primary server to a secondary server. Zone transfers can expose sensitive information about the network topology, hosts, and services to attackers, who can use this information to launch further attacks. Therefore, zone transfers should be restricted to only the devices that need them, and authenticated and encrypted to prevent unauthorized access or modification. The other options are not as good as limiting zone transfers, as they either do not provide sufficient security for the DNS system (A and B), or do not address the zone transfer issue ©. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 4, page 156; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 4, page 166.

The most effective way of removing the P2P program from the computer is to re-image the computer. Re-imaging the computer means to restore the computer to its original or desired state, by erasing or overwriting the existing data or software on the computer, and by installing a new or a backup image of the operating system and the applications on the computer. Re-imaging the computer can ensure that the P2P program and any other unwanted or harmful programs or files are completely removed from the computer, and that the computer is clean and secure. Run software uninstall, find and remove all installation files, and delete all cookies stored in the web browser cache are not the most effective ways of removing the P2P program from the computer, as they may not remove all the traces or components of the P2P program from the computer, or they may not address the other potential issues or risks that the P2P program may have caused on the computer. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 7, Security Operations, page 906. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 7, Security Operations, page 922.

 The primary concern regarding the database information, aside from the potential records which may have been viewed, is the unauthorized database changes. The unauthorized database changes are the modifications or the alterations of the database information or structure, such as the data values, the data types, the data formats, the data relationships, or the data schemas, by an unauthorized individual or a malicious actor, such as the one who accessed the system hosting the database. The unauthorized database changes can compromise the integrity, the accuracy, the consistency, and the reliability of the database information, and can cause serious damage or harm to the organization’s operations, decisions, or reputation. The unauthorized database changes can also affect the availability, the performance, or the functionality of the database, and can create or exploit the vulnerabilities or the weaknesses of the database. Integrity of security logs, availability of the database, and confidentiality of the incident are not the primary concerns regarding the database information, aside from the potential records which may have been viewed, as they are related to the evidence, the accessibility, or the secrecy of the security incident, not the modification or the alteration of the database information. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 7, Security Operations, page 865. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 7, Security Operations, page 881.

Secure authentication with logging provides access accountability, which means that the actions of users can be traced and audited. Logging can help identify unauthorized or malicious activities, enforce policies, and support investigations12

The best destruction method that provides the assurance that the data has been removed from a malfunctioning PDA device is shredding. Shredding is a method of physically destroying the media, such as flash memory cards, by cutting or tearing them into small pieces that make the data unrecoverable. Shredding can be effective in removing the data from a PDA device that cannot be deleted by software or firmware methods, as it does not depend on the functionality of the device or the media. Shredding can also prevent the reuse or the recycling of the media or the device, as it renders them unusable. Knurling, grinding, and degaussing are not the best destruction methods that provide the assurance that the data has been removed from a malfunctioning PDA device, as they are related to the methods of altering the surface, the shape, or the magnetic field of the media, not the methods of cutting or tearing the media into small pieces. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 7, Security Operations, page 889. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 7, Security Operations, page 905.

The components that are in the scope of PCI-DSS are the end devices, wireless access points, WLAN, switches, management console, and firewall. PCI-DSS is a set of standards and requirements that aim to ensure the security of the cardholder data and the payment transactions. PCI-DSS applies to any entity that stores, processes, or transmits cardholder data, or that provides services or devices that affect the security of the cardholder data. The scope of PCI-DSS includes all the system components that are connected to or support the cardholder data environment, such as the hardware, the software, the network, or the personnel. In this question, the end devices, wireless access points, WLAN, switches, management console, and firewall are all part of the system components that are connected to or support the cardholder data environment, as they are used to process the credit card transactions on the WLAN. Therefore, they are in the scope of PCI-DSS, and they must comply with the PCI-DSS requirements. The entire enterprise network infrastructure and the Internet are not in the scope of PCI-DSS, as they are not directly connected to or support the cardholder data environment, and they are separated from the private segment for credit card processing by the firewall. The border gateway is not a system component, but a term that refers to a device that connects two networks with different protocols, such as a router or a proxy server. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 4, Communication and Network Security, page 548. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 4, Communication and Network Security, page 564.

 In a Bell-LaPadula system, a user cannot write data to a file that has a lower security classification than their own. This is because of the star property (*property) of the Bell-LaPadula model, which states that a subject with a given security clearance may write data to an object if and only if the object’s security level is greater than or equal to the subject’s security level. This rule is also known as the no write-down rule, as it prevents the leakage of information from a higher level to a lower level. In this question, User D has a Top Secret clearance, and File 3 has a Secret security class. Therefore, User D cannot write to File 3, as they have a higher clearance than the security class of File 3, and they would violate the star property by writing down information to a lower level. User A, User B, and User C can write to File 3, as they have the same or lower clearances than the security class of File 3, and they would not violate the star property by writing up or across information to a higher or equal level. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 4, Communication and Network Security, page 498. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 4, Communication and Network Security, page 514.

The most important factor to monitor when determining appropriate resource allocation is the number of system compromises. The number of system compromises is the count or the frequency of the security incidents or breaches that affect the confidentiality, the integrity, or the availability of the system data or functionality, and that are caused by the unauthorized or the malicious access or activity. The number of system compromises can help to determine appropriate resource allocation, as it can indicate the level of security risk or threat that the system faces, and the level of security protection or improvement that the system needs. The number of system compromises can also help to evaluate the effectiveness or the efficiency of the current resource allocation, and to identify the areas or the domains that require more or less resources. Number of audit findings, number of staff reductions, and number of additional assets are not the most important factors to monitor when determining appropriate resource allocation, as they are related to the results or the outcomes of the audit process, the changes or the impacts of the staff size, or the additions or the expansions of the system resources, not the security incidents or breaches that affect the system data or functionality. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 7, Security Operations, page 863. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 7, Security Operations, page 879.

Security Assertion Markup Language (SAML) is the best solution for the manufacturing organization that wants to establish a Federated Identity Management (FIM) system with its 20 different supplier companies. FIM is a process that allows the sharing and recognition of identities across different organizations that have a trust relationship. FIM enables the users of one organization to access the resources or services of another organization without having to create or maintain multiple accounts or credentials. FIM can provide several benefits, such as:

Improving the user experience and convenience by reducing the need for multiple logins and passwords

Enhancing the security and privacy by minimizing the exposure and duplication of sensitive information

Increasing the efficiency and productivity by streamlining the authentication and authorization processes

Reducing the cost and complexity by simplifying the identity management and administration

SAML is a standard protocol that supports FIM by allowing the exchange of authentication and authorization information between different parties. SAML uses XML-based messages, called assertions, to convey the identity, attributes, and entitlements of a user to a service provider. SAML defines three roles for the parties involved in FIM:

Identity provider (IdP): the party that authenticates the user and issues the SAML assertion

Service provider (SP): the party that provides the resource or service that the user wants to access

User or principal: the party that requests access to the resource or service

SAML works as follows:

The user requests access to a resource or service from the SP

The SP redirects the user to the IdP for authentication

The IdP authenticates the user and generates a SAML assertion that contains the user’s identity, attributes, and entitlements

The IdP sends the SAML assertion to the SP

The SP validates the SAML assertion and grants or denies access to the user based on the information in the assertion

SAML is the best solution for the manufacturing organization that wants to establish a FIM system with its 20 different supplier companies, because it can enable the seamless and secure access to the resources or services across the different organizations, without requiring the users to create or maintain multiple accounts or credentials. SAML can also provide interoperability and compatibility between different platforms and technologies, as it is based on a standard and open protocol.

The other options are not the best solutions for the manufacturing organization that wants to establish a FIM system with its 20 different supplier companies, but rather solutions that have other limitations or drawbacks. Trusted third-party certification is a process that involves a third party, such as a certificate authority (CA), that issues and verifies digital certificates that contain the public key and identity information of a user or an entity. Trusted third-party certification can provide authentication and encryption for the communication between different parties, but it does not provide authorization or entitlement information for the access to the resources or services. Lightweight Directory Access Protocol (LDAP) is a protocol that allows the access and management of directory services, such as Active Directory, that store the identity and attribute information of users and entities. LDAP can provide a centralized and standardized way to store and retrieve identity and attribute information, but it does not provide a mechanism to exchange or federate the information across different organizations. Cross-certification is a process that involves two or more CAs that establish a trust relationship and recognize each other’s certificates. Cross-certification can extend the trust and validity of the certificates across different domains or organizations, but it does not provide a mechanism to exchange or federate the identity, attribute, or entitlement information.

Applying the principle of least privilege is the best approach for controlling access to highly sensitive information when employees have the same level of security clearance. The principle of least privilege is a security concept that states that every user or process should have the minimum amount of access rights and permissions that are necessary to perform their tasks or functions, and nothing more. The principle of least privilege can provide several benefits, such as:

Improving the security and confidentiality of the information by limiting the access and exposure of the sensitive data to the authorized users and purposes

Reducing the risk and impact of unauthorized access or disclosure of the information by minimizing the attack surface and the potential damage

Increasing the accountability and auditability of the information by tracking and logging the access and usage of the sensitive data

Enhancing the performance and efficiency of the system by reducing the complexity and overhead of the access control mechanisms

Applying the principle of least privilege is the best approach for controlling access to highly sensitive information when employees have the same level of security clearance, because it can ensure that the employees can only access the information that is relevant and necessary for their tasks or functions, and that they cannot access or manipulate the information that is beyond their scope or authority. For example, if the highly sensitive information is related to a specific project or department, then only the employees who are involved in that project or department should have access to that information, and not the employees who have the same level of security clearance but are not involved in that project or department.

The other options are not the best approaches for controlling access to highly sensitive information when employees have the same level of security clearance, but rather approaches that have other purposes or effects. Audit logs are records that capture and store the information about the events and activities that occur within a system or a network, such as the access and usage of the sensitive data. Audit logs can provide a reactive and detective layer of security by enabling the monitoring and analysis of the system or network behavior, and facilitating the investigation and response of the incidents. However, audit logs cannot prevent or reduce the access or disclosure of the sensitive information, but rather provide evidence or clues after the fact. Role-Based Access Control (RBAC) is a method that enforces the access rights and permissions of the users based on their roles or functions within the organization, rather than their identities or attributes. RBAC can provide a granular and dynamic layer of security by defining and assigning the roles and permissions according to the organizational structure and policies. However, RBAC cannot control the access to highly sensitive information when employees have the same level of security clearance and the same role or function within the organization, but rather rely on other criteria or mechanisms. Two-factor authentication is a technique that verifies the identity of the users by requiring them to provide two pieces of evidence or factors, such as something they know (e.g., password, PIN), something they have (e.g., token, smart card), or something they are (e.g., fingerprint, face). Two-factor authentication can provide a strong and preventive layer of security by preventing unauthorized access to the system or network by the users who do not have both factors. However, two-factor authentication cannot control the access to highly sensitive information when employees have the same level of security clearance and the same two factors, but rather rely on other criteria or mechanisms.

Limiting access to predefined queries is the control that would prevent the users from obtaining an individual employee’s salary, if they only require access rights that allow them to view the average salary of groups of employees. A query is a request for information from a database, which can be expressed in a structured query language (SQL) or a graphical user interface (GUI). A query can specify the criteria, conditions, and operations for selecting, filtering, sorting, grouping, and aggregating the data from the database. A predefined query is a query that has been created and stored in advance by the database administrator or the data owner, and that can be executed by the authorized users without any modification. A predefined query can provide several benefits, such as:

Improving the performance and efficiency of the database by reducing the processing time and resources required for executing the queries

Enhancing the security and confidentiality of the database by restricting the access and exposure of the sensitive data to the authorized users and purposes

Increasing the accuracy and reliability of the database by preventing the errors or inconsistencies that might occur due to the user input or modification of the queries

Reducing the cost and complexity of the database by simplifying the query design and management

Limiting access to predefined queries is the control that would prevent the users from obtaining an individual employee’s salary, if they only require access rights that allow them to view the average salary of groups of employees, because it can ensure that the users can only access the data that is relevant and necessary for their tasks, and that they cannot access or manipulate the data that is beyond their scope or authority. For example, a predefined query can be created and stored that calculates and displays the average salary of groups of employees based on certain criteria, such as department, position, or experience. The users who need to view this information can execute this predefined query, but they cannot modify it or create their own queries that might reveal the individual employee’s salary or other sensitive data.

The other options are not the controls that would prevent the users from obtaining an individual employee’s salary, if they only require access rights that allow them to view the average salary of groups of employees, but rather controls that have other purposes or effects. Segregating the database into a small number of partitions each with a separate security level is a control that would improve the performance and security of the database by dividing it into smaller and manageable segments that can be accessed and processed independently and concurrently. However, this control would not prevent the users from obtaining an individual employee’s salary, if they have access to the partition that contains the salary data, and if they can create or modify their own queries. Implementing Role Based Access Control (RBAC) is a control that would enforce the access rights and permissions of the users based on their roles or functions within the organization, rather than their identities or attributes. However, this control would not prevent the users from obtaining an individual employee’s salary, if their roles or functions require them to access the salary data, and if they can create or modify their own queries. Reducing the number of people who have access to the system for statistical purposes is a control that would reduce the risk and impact of unauthorized access or disclosure of the sensitive data by minimizing the exposure and distribution of the data. However, this control would not prevent the users from obtaining an individual employee’s salary, if they are among the people who have access to the system, and if they can create or modify their own queries.

Derived credential is the best description of an access control method utilizing cryptographic keys derived from a smart card private key that is embedded within mobile devices. A smart card is a device that contains a microchip that stores a private key and a digital certificate that are used for authentication and encryption. A smart card is typically inserted into a reader that is attached to a computer or a terminal, and the user enters a personal identification number (PIN) to unlock the smart card and access the private key and the certificate. A smart card can provide a high level of security and convenience for the user, as it implements a two-factor authentication method that combines something the user has (the smart card) and something the user knows (the PIN).

However, a smart card may not be compatible or convenient for mobile devices, such as smartphones or tablets, that do not have a smart card reader or a USB port. To address this issue, a derived credential is a solution that allows the user to use a mobile device as an alternative to a smart card for authentication and encryption. A derived credential is a cryptographic key and a certificate that are derived from the smart card private key and certificate, and that are stored on the mobile device. A derived credential works as follows:

The user inserts the smart card into a reader that is connected to a computer or a terminal, and enters the PIN to unlock the smart card

The user connects the mobile device to the computer or the terminal via a cable, Bluetooth, or Wi-Fi

The user initiates a request to generate a derived credential on the mobile device

The computer or the terminal verifies the smart card certificate with a trusted CA, and generates a derived credential that contains a cryptographic key and a certificate that are derived from the smart card private key and certificate

The computer or the terminal transfers the derived credential to the mobile device, and stores it in a secure element or a trusted platform module on the device

The user disconnects the mobile device from the computer or the terminal, and removes the smart card from the reader

The user can use the derived credential on the mobile device to authenticate and encrypt the communication with other parties, without requiring the smart card or the PIN

A derived credential can provide a secure and convenient way to use a mobile device as an alternative to a smart card for authentication and encryption, as it implements a two-factor authentication method that combines something the user has (the mobile device) and something the user is (the biometric feature). A derived credential can also comply with the standards and policies for the use of smart cards, such as the Personal Identity Verification (PIV) or the Common Access Card (CAC) programs.

The other options are not the best descriptions of an access control method utilizing cryptographic keys derived from a smart card private key that is embedded within mobile devices, but rather descriptions of other methods or concepts. Temporary security credential is a method that involves issuing a short-lived credential, such as a token or a password, that can be used for a limited time or a specific purpose. Temporary security credential can provide a flexible and dynamic way to grant access to the users or entities, but it does not involve deriving a cryptographic key from a smart card private key. Mobile device credentialing service is a concept that involves providing a service that can issue, manage, or revoke credentials for mobile devices, such as certificates, tokens, or passwords. Mobile device credentialing service can provide a centralized and standardized way to control the access of mobile devices, but it does not involve deriving a cryptographic key from a smart card private key. Digest authentication is a method that involves using a hash function, such as MD5, to generate a digest or a fingerprint of the user’s credentials, such as the username and password, and sending it to the server for verification. Digest authentication can provide a more secure way to authenticate the user than the basic authentication, which sends the credentials in plain text, but it does not involve deriving a cryptographic key from a smart card private key.

This is the principle of open design, which states that the security of a system or mechanism should rely on the strength of its key or algorithm, rather than on the obscurity of its design or implementation. This principle is based on the assumption that the adversary has full knowledge of the system or mechanism, and that the security should still hold even if that is the case. The other options are not consistent with the principle of open design, as they either imply that the security depends on hiding or protecting the design or implementation (A and B), or that the user’s knowledge or privileges affect the security ©. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 3, page 105; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 3, page 109.

A formal review of any Disaster Recovery Plan (DRP) should be conducted at a minimum annually, or more frequently if there are significant changes in the business environment, the IT infrastructure, the security threats, or the regulatory requirements. A formal review involves evaluating the DRP against the current business needs, objectives, and risks, and ensuring that the DRP is updated, accurate, complete, and consistent. A formal review also involves testing the DRP to verify its effectiveness and feasibility, and identifying any gaps or weaknesses that need to be addressed12. References: 1: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 10, page 10352: CISSP For Dummies, 7th Edition, Chapter 10, page 351.

Including a Trusted Platform Module (TPM) in the design of a computer system is an example of a technique to establish a secure initial state. A TPM is a hardware device that provides cryptographic functions and secure storage for keys, certificates, passwords, and other sensitive data. A TPM can also measure and verify the integrity of the system components, such as the BIOS, boot loader, operating system, and applications, before they are executed. This process is known as trusted boot or measured boot, and it ensures that the system is in a known and trusted state before allowing access to the user or network. A TPM can also enable features such as disk encryption, remote attestation, and platform authentication12. References: 1: What is a Trusted Platform Module (TPM)?32: Trusted Platform Module (TPM) Fundamentals4

Copyright is a form of intellectual property that grants the author or creator of an original work the exclusive right to reproduce, distribute, perform, display, or license the work. Copyright does not protect ideas, concepts, facts, discoveries, or methods, but only the particular expression of an idea in a tangible medium, such as a book, a song, a painting, or a software program12. References: 1: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 3, page 2872: CISSP For Dummies, 7th Edition, Chapter 3, page 87.

The Common Vulnerability Scoring System (CVSS) is a framework that provides a standardized and consistent way of measuring and communicating the severity and risk of published vulnerabilities. CVSS assigns a numerical score and a vector string to each vulnerability, based on various metrics and formulas. CVSS is a useful tool for prioritizing the remediation of vulnerabilities, but it has some limitations as it relates to conducting code review. One of the limitations is that CVSS aims to calculate the risk of published vulnerabilities, which means that it does not cover the vulnerabilities that are not yet discovered or disclosed. Code review, on the other hand, is a process of examining the source code of a software to identify and fix any errors, bugs, or vulnerabilities that may exist in the code. Code review can help find vulnerabilities that are not yet published, and therefore not scored by CVSS. References: : CISSP For Dummies, 7th Edition, Chapter 8, page 222. : Official (ISC)2 CISSP CBK Reference, 5th Edition, Chapter 8, page 465.

The best way to verify the integrity of a software patch is to use cryptographic checksums. Cryptographic checksums are mathematical values that are computed from the data in the software patch using a hash function or an algorithm. Cryptographic checksums can be used to compare the original and the downloaded or installed version of the software patch, and to detect any alteration, corruption, or tampering of the data. Cryptographic checksums are also known as hashes, digests, or fingerprints, and they are often provided by the software vendor along with the software patch12. References: 1: What is a Checksum and How to Calculate a Checksum32: How to Verify File Integrity Using Hashes

 The best way to ensure document confidentiality in the repository is to encrypt the contents of the repository and document any exceptions to that requirement. Encryption is the process of transforming the information into an unreadable form using a secret key or algorithm. Encryption protects the confidentiality of the information by preventing unauthorized access or disclosure, even if the repository is compromised or breached. Encryption also provides integrity and authenticity of the information by ensuring that it has not been modified or tampered with. Documenting any exceptions to the encryption requirement is also important to justify the reasons and risks for not encrypting certain information, and to apply alternative controls if needed93. References: 9: What Is a Document Repository and What Are the Benefits of Using One103: What is a document repository and why you should have one11

The Information Security Department must verify that the service provider will impose controls and protections that meet or exceed the current systems controls and produce audit logs as verification. This is to ensure that the service provider will maintain or improve the security posture of the organization, and that the organization will be able to monitor and audit the service provider’s performance and compliance. The service provider’s policies may or may not be consistent with ISO/IEC27001, but this is not a mandatory requirement, as long as the service provider can meet the organization’s security needs and expectations. The service provider may or may not segregate the data within its systems, depending on the type and sensitivity of the data, and the contractual and regulatory obligations. The service provider’s policies may differ from the organization’s current policies, as long as they can meet the requirements imposed by the new environment, and are agreed upon by both parties. References: 1: How to Choose a Managed Security Service Provider (MSSP)22: 10 Questions to Ask Your Managed Security Service Provider3

The Structured Query Language (SQL) implements Discretionary Access Controls (DAC) using the GRANT and REVOKE commands. DAC is a type of access control that allows the owner or creator of an object, such as a table, view, or procedure, to grant or revoke permissions to other users or roles. For example, a user can grant SELECT, INSERT, UPDATE, or DELETE privileges to another user on a specific table, or revoke them if needed34. References: 3: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 4, page 4134: CISSP For Dummies, 7th Edition, Chapter 4, page 123.

The first step to take when designing a networked Information System (IS) where there will be several different types of individual access is to create a user access matrix. A user access matrix is a table that defines the access rights and permissions of each user or user group to each resource or function in the system. A user access matrix helps to ensure that all access control requirements are addressed, such as the principle of least privilege, the principle of separation of duties, and the principle of need to know. A user access matrix also helps to simplify and standardize the implementation and administration of access control policies and mechanisms910. References: 9: Access Control Matrix1110: Access Control Models and Methods12

Black box testing is a method of software testing that does not require any knowledge of the internal structure or code of the software1. The test planner only knows the functional specifications, which describe what the software is supposed to do, and tests the software based on the expected inputs and outputs. Black box testing is useful for finding errors in the functionality, usability, or performance of the software, but it cannot detect errors in the code or design. White box testing, on the other hand, requires the test planner to have access to the source code and the design documents, and tests the software based on the internal logic and structure2. References: 1: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 21, page 13132: CISSP For Dummies, 7th Edition, Chapter 8, page 215.

A forensic specialist can exclude from examination a large percentage of operating system files residing on a copy of the target system by creating a comparison database of cryptographic hashes of the files from a system with the same operating system and patch level. This method is also known as known file filtering or file signature analysis. It allows the forensic specialist to quickly identify and eliminate the files that are part of the standard operating system installation and focus on the files that are unique or relevant to the investigation. This makes the process of exclusion much faster and more accurate than manually deleting or discarding files12. References: 1: Computer Forensics: Forensic Techniques, Part 1 [Updated 2019]32: Point Checklist: cissp book4

Network Address Translation (NAT) is the most effective method for obscuring network addresses from external exposure when implemented on a firewall or router. NAT is a technique that allows a device, such as a firewall or a router, to modify the source or destination IP address of a packet as it passes through the device3. NAT can be used to hide the internal IP addresses of a network from the external network, such as the internet, by replacing them with a public IP address. This can enhance the security and privacy of the network, as well as conserve the limited IPv4 address space. Application proxy, RIP version 2, and address masking are not methods for obscuring network addresses from external exposure, as they are either related to different functions or not implemented on a firewall or router. References: 3: Official (ISC)2 CISSP CBK Reference, 5th Edition, Chapter 4, page 196. : CISSP All-in-One Exam Guide, Eighth Edition, Chapter 7, page 413.

Separation of duties is a security management control that divides a critical or sensitive task into two or more parts, and assigns them to different individuals or groups. This reduces the risk of fraud, error, or abuse of authority, as no single person or group can perform the entire task without the cooperation or oversight of others. Separation of duties is most often broken by collusion, which is a secret or illegal agreement between two or more parties to bypass the control and achieve a common goal12. References: 1: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, page 352: CISSP For Dummies, 7th Edition, Chapter 1, page 23.

 If a system administrator discovers a serious security breach during a penetration test, such as unauthorized access to a server holding sensitive data, the first action that he or she should take is to immediately document the finding and report it to senior management. This is because senior management is ultimately responsible for the security of the organization and its assets, and they need to be aware of the situation and take appropriate actions to mitigate the risk and prevent further damage. Documenting the finding is also important to provide evidence and support for the report, and to comply with any legal or regulatory requirements. Using system privileges to alter the permissions to secure the server, continuing the testing to its completion, or terminating the penetration test and passing the finding to the server management team are not the first actions that a system administrator should take, as they may not address the root cause of the problem, may interfere with the ongoing testing, or may delay the notification of senior management.

The primary purpose of a security awareness program is to ensure that everyone understands the organization’s policies and procedures related to information security. A security awareness program is a set of activities, materials, or events that aim to educate and inform the employees, contractors, partners, and customers of the organization about the security goals, principles, and practices of the organization1. A security awareness program can help to create a security culture, improve the security behavior, and reduce the human errors or risks. Communicating that access to information will be granted on a need-to-know basis, warning all users that access to all systems will be monitored on a daily basis, and complying with regulations related to data and information protection are not the primary purposes of a security awareness program, as they are more specific or secondary objectives that may be part of the program, but not the main goal. References: 1: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, page 28.