CISSP Practice Questions (81–100)

Question 81

Using Address Space Layout Randomization (ASLR) reduces the potential for which of the following attacks?
A. SQL injection (SQLi)
B. Man-in-the-Middle (MITM)
C. Cross-Site Scripting (XSS)
D. Heap overflow

Question 82

When designing a business continuity plan (BCP), what is the formula to determine the Maximum Tolerable Downtime (MTD)?
A. Annual Loss Expectancy (ALE) + Work Recovery Time (WRT)
B. Business Impact Analysis (BIA) + Recovery Point Objective (RPO)
C. Recovery Time Objective (RTO) + Work Recovery Time (WRT)
D. Estimated Maximum Loss (EML) + Recovery Time Objective (RTO)

Question 83

When assessing the audit capability of an application, which of the following activities is MOST important?
A. Determine if audit records contain sufficient information.
B. Review security plan for actions to be taken in the event of audit failure.
C. Verify sufficient storage is allocated for audit records.
D. Identify procedures to investigate suspicious activity.

Question 84

When designing a new Voice over Internet Protocol (VoIP) network, an organization’s top concern is preventing unauthorized users from accessing the VoIP network. Which of the following will BEST help secure the VoIP network?
A. Transport Layer Security (TLS)
B. 802.1x
C. 802.11g
D. Web Application Firewall (WAF)

Question 85

After the INITIAL input of a user identification (ID) and password, what is an authentication system that prompts the user for a different response each time the user logs on?
A. Personal Identification Number (PIN)
B. Secondary password
C. Challenge-response
D. Voice authentication

Question 86

An organization is trying to secure instant-messaging (IM) communications through its network perimeter. Which of the following is the MOST significant challenge?
A. IM clients can interoperate between multiple vendors.
B. IM clients can run without administrator privileges.
C. IM clients can utilize random port numbers.
D. IM clients can run as executables that do not require installation.

Question 87

An organization has discovered that organizational data is posted by employees to data storage accessible to the general public. What is the PRIMARY step an organization must take to ensure data is properly protected from public release?
A. Implement a data classification policy.
B. Implement a data encryption policy.
C. Implement a user training policy.
D. Implement a user reporting policy.

Question 88

While classifying credit-card data related to PCI-DSS, which of the following is a PRIMARY security requirement?
A. Processor agreements with cardholders
B. Three-year retention of data
C. Encryption of data
D. Specific card-disposal methodology

Question 89

The personal laptop of an organization executive is stolen from the office, complete with personnel and project records. Which of the following should be done FIRST to mitigate future occurrences?
A. Encrypt disks on personal laptops.
B. Issue cable locks for use on personal laptops.
C. Create policies addressing critical information on personal laptops.
D. Monitor personal laptops for critical information.

Question 90

An enterprise is developing a baseline cybersecurity standard its suppliers must meet before being awarded a contract. Which statement is TRUE about the baseline cybersecurity standard?
A. It should be expressed as general requirements.
B. It should be expressed in legal terminology.
C. It should be expressed in business terminology.
D. It should be expressed as technical requirements.

Question 91

What BEST describes the confidentiality, integrity, availability (CIA) triad?
A. A tool used to assist in understanding how to protect the organization’s data
B. The three-step approach to determine the risk level on an organization
C. The implementation of security systems to protect the organization’s data
D. A vulnerability assessment to see how well the organization’s data is protected

Question 92

A small office is running Wi-Fi 4 APs, and neighboring offices do not want to increase throughput to associated devices. Which is the MOST cost-efficient way for the office to increase network performance?
A. Add another AP.
B. Disable the 2.4 GHz radios.
C. Enable channel bonding.
D. Upgrade to Wi-Fi 5.

Question 93

Management has decided that a core application will be used on personal cellular phones. Continuous monitoring must be implemented. Which of the following is required to accomplish management’s directive?
A. Strict integration of application management, configuration management, and phone management
B. Management application installed on user phones that tracks all application events and cellular traffic
C. Enterprise-level SIEM dashboard with visibility of cellular phone activity
D. Routine reports generated by the user’s carrier provider

Question 94

What is static analysis intended to do when analyzing an executable file?
A. Collect evidence of the executable file’s usage, including creation and last use dates.
B. Search the documents and files associated with the executable file.
C. Analyze the position of the file in the file tree in the system and the executable file’s libraries.
D. Disassemble the file to gather information about the executable file’s function.

Question 95

Commercial off-the-shelf (COTS) software presents which of the following additional security concerns?
A. Vendors take on liability for COTS software vulnerabilities.
B. In-house developed software is inherently less secure.
C. Exploits for COTS software are well-documented and publicly available.
D. COTS software is inherently less secure.

Question 96

Which of the following would be considered an incident if reported by a SIEM system?
A. An administrator logging in via VPN
B. A log source has stopped sending data
C. A web resource has reported a 404 error
D. A firewall logs a TCP connection on port 80

Question 97

Which of the following is the reason that transposition ciphers are easily recognizable?
A. Key
B. Block
C. Stream
D. Character

Question 98

Which of the following is MOST appropriate to collect evidence of a zero-day attack?
A. Firewall
B. Honeypot
C. Antispam
D. Antivirus

Question 99

What is the benefit of using Network Admission Control (NAC)?
A. OS versions can be validated before allowing access.
B. NAC supports validation at the endpoint’s security posture prior to allowing the session.
C. NAC can require use of certificates, passwords, or both before admission.
D. NAC only supports Windows OS.

Question 100

Which of the following is the PRIMARY issue when analyzing detailed log information?
A. Logs may be unavailable when required.
B. Timely review of data is difficult.
C. Most systems don’t support logging.
D. Logs don’t provide sufficient details of system and individual activities.