2022 Valid CISSP Real Exam Questions, practice ISC Certification [Q77-Q102]


NEW QUESTION 77
View the image below and identify the attack

  • A. TFN
  • B. DOS
  • C. DDoS
  • D. Reflection Attack

Answer: C

Explanation:
The easiest attack to carry out against a network, or so it may seem, is to overload it with excessive traffic or with traffic that has been "crafted" to confuse the network into shutting down or slowing to the point of uselessness. The image depicts a distributed denial of service attack, in which many computers attack the victim with any type of traffic and render it unable to communicate on the network or provide services.
Computers on networks can provide services to other computers. The servers listen on specific TCP or UDP ports, and software opens the ports on the server to accept traffic from visitors.
Most users of the services on that server behave normally, but at times attackers try to take down the server by attacking its services or the operating system via the protocol stack itself.
In the case of this question, the victim is being bombarded with service requests from the zombies. Commonly this is UDP traffic, but it can also be TCP traffic, and unfortunately it is nearly impossible to defeat such an attack.
You might compare this attack to calling someone over and over on their phone so that they cannot use their own phone: you are not doing anything specifically destructive to the phone, you are just exhausting its resources and rendering it useless to the owner.
The following answers are incorrect:
- DOS - Denial of Service: This is almost correct, but it is wrong because a simple DoS attack is one computer flooding another computer, not the many-to-one attack you see with a DDoS.
- TFN - Tribe Flood Network attack: This is not the correct answer because it is not specifically what is depicted in the image. TFN is actually software used to conduct DDoS attacks and NOT an attack itself.
- Reflection Attack: This is not the correct answer because a reflection attack is an attack on authentication systems that use the same protocol in both directions, and it does not ordinarily involve zombies.
The following references were used to create this question:
Official Security+ Curriculum, 2013.
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 8494-8495). Auerbach Publications. Kindle Edition.
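The one-to-one versus many-to-one distinction drawn above (a simple DoS from one host versus a DDoS from many zombies) is exactly what a defender has to tell apart in traffic telemetry. The following Python script is an added illustration, not part of the exam explanation or its references: it aggregates constructed per-flow summaries by destination and labels each destination as normal, DoS (a single flooding source) or DDoS (many sources). The flow records, the thresholds and the function names are all assumptions of this example.

```python
"""Label traffic toward each destination as normal, single-source DoS or many-source DDoS.

Added example. The flow summaries below are constructed for illustration: each
tuple is (src_ip, dst_ip, proto, packets_seen_in_window) for one hypothetical
one-second window. Thresholds are illustrative assumptions, not vendor defaults.
"""
from collections import defaultdict

# Constructed sample window: two normal clients, one host flooding a second
# server on its own, and forty "zombies" flooding a third server together.
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.10", "TCP", 20),        # normal client traffic
    ("10.0.0.6", "192.0.2.10", "TCP", 15),        # normal client traffic
    ("203.0.113.7", "192.0.2.20", "UDP", 90000),  # one source flooding -> DoS
] + [
    (f"198.51.100.{i}", "192.0.2.30", "UDP", 3000) for i in range(1, 41)  # 40 zombies -> DDoS
]

PACKET_THRESHOLD = 50000  # assumed packets per destination per window that count as a flood
ZOMBIE_THRESHOLD = 10     # assumed distinct-source count above which a flood is "distributed"


def summarize(flows):
    """Return {dst: (total_packets, distinct_sources)} for the window."""
    packets = defaultdict(int)
    sources = defaultdict(set)
    for src, dst, _proto, count in flows:
        packets[dst] += count
        sources[dst].add(src)
    return {dst: (packets[dst], len(sources[dst])) for dst in packets}


def classify(flows, packet_threshold=PACKET_THRESHOLD, zombie_threshold=ZOMBIE_THRESHOLD):
    """Map each destination to "normal", "DoS" or "DDoS".

    A destination is flooded when its packet count crosses packet_threshold;
    a flood is called distributed when it comes from at least zombie_threshold
    distinct sources, otherwise it is a plain one-to-one DoS.
    """
    verdicts = {}
    for dst, (pkts, nsrc) in summarize(flows).items():
        if pkts < packet_threshold:
            verdicts[dst] = "normal"
        elif nsrc >= zombie_threshold:
            verdicts[dst] = "DDoS"
        else:
            verdicts[dst] = "DoS"
    return verdicts


if __name__ == "__main__":
    for dst, (pkts, nsrc) in summarize(SAMPLE_FLOWS).items():
        print(f"{dst}: {pkts} packets from {nsrc} sources -> {classify(SAMPLE_FLOWS)[dst]}")
```

The source-count axis is what separates the two verdicts: the second server receives more packets from one host than the third receives from any single zombie, yet only the third is labelled DDoS. In a real deployment the two thresholds would be tuned per destination from a traffic baseline rather than fixed.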

 

NEW QUESTION 78
Which disaster recovery plan test involves functional representatives meeting to review the plan in detail?

  • A. Structured walk-through test
  • B. Checklist test
  • C. Simulation test
  • D. Parallel test

Answer: A

Explanation:
In a Structured walk-through test representatives from each department or functional area come together and go over the plan to ensure its accuracy. The group reviews the objectives of the plan; discusses the scope and assumptions of the plan; reviews the organization and reporting structure; and evaluates the testing, maintenance, and training requirements described.
Incorrect Answers:
C: In a Simulation test the plan is not reviewed in detail. In a Simulation test all employees who participate in operational and support functions, or their representatives, come together to practice executing the disaster recovery plan based on a specific scenario.
B: A Checklist test, like a Structured walk-through test, aims to review the plan, but in a Checklist test the functional representatives do not meet. Instead, copies of the BCP are distributed to the different departments and functional areas for review.
D: The purpose of a Parallel test is not to review the plan in detail. A parallel test is done to ensure that the specific systems can actually perform adequately at the alternate offsite facility.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, p. 955

 

NEW QUESTION 79
The Open Web Application Security Project's (OWASP) Software Assurance Maturity Model (SAMM) allows organizations to implement a flexible software security strategy to measure organizational impact based on what risk management aspect?

  • A. Risk tolerance
  • B. Risk treatment
  • C. Risk response
  • D. Risk exception

Answer: C

 

NEW QUESTION 80
Which of the following is a method of multiplexing data in which a communication channel is divided into an arbitrary number of variable bit-rate digital channels or data streams, and bandwidth is allocated dynamically to the physical channels that have information to transmit?

  • A. Statistical multiplexing
  • B. Frequency division multiplexing
  • C. Asynchronous time-division multiplexing
  • D. Time-division multiplexing

Answer: A

Explanation:
Statistical multiplexing is a type of communication link sharing, very similar to dynamic bandwidth allocation (DBA). In statistical multiplexing, a communication channel is divided into an arbitrary number of variable bit-rate digital channels or data streams. The link sharing is adapted to the instantaneous traffic demands of the data streams that are transferred over each channel. This is an alternative to creating a fixed sharing of a link, such as in general time division multiplexing (TDM) and frequency division multiplexing (FDM). When performed correctly, statistical multiplexing can provide a link utilization improvement, called the statistical multiplexing gain.
Generally, the methods for multiplexing data include the following:
Time-division multiplexing (TDM): information from each data channel is allocated bandwidth based on pre-assigned time slots, regardless of whether there is data to transmit. Time-division multiplexing is used primarily for digital signals, but may be applied in analog multiplexing in which two or more signals or bit streams are transferred appearing simultaneously as sub-channels in one communication channel, but are physically taking turns on the channel. The time domain is divided into several recurrent time slots of fixed length, one for each sub-channel. A sample byte or data block of sub-channel 1 is transmitted during time slot 1, sub-channel 2 during time slot 2, etc. One TDM frame consists of one time slot per sub-channel plus a synchronization channel and sometimes an error correction channel before the synchronization. After the last sub-channel, error correction, and synchronization, the cycle starts all over again with a new frame, starting with the second sample, byte or data block from sub-channel 1, etc.
Asynchronous time-division multiplexing (ATDM): information from data channels is allocated bandwidth as needed, via dynamically assigned time slots. ATM provides functionality that is similar to both circuit switching and packet switching networks: ATM uses asynchronous time-division multiplexing, and encodes data into small, fixed-sized packets (ISO-OSI frames) called cells. This differs from approaches such as the Internet Protocol or Ethernet that use variable sized packets and frames. ATM uses a connection-oriented model in which a virtual circuit must be established between two endpoints before the actual data exchange begins. These virtual circuits may be "permanent", i.e. dedicated connections that are usually preconfigured by the service provider, or "switched", i.e. set up on a per-call basis using signalling and disconnected when the call is terminated.
Frequency division multiplexing (FDM): information from each data channel is allocated bandwidth based on the signal frequency of the traffic. In telecommunications, frequency-division multiplexing (FDM) is a technique by which the total bandwidth available in a communication medium is divided into a series of non-overlapping frequency sub-bands, each of which is used to carry a separate signal. This allows a single transmission medium such as the radio spectrum, a cable or optical fiber to be shared by many signals.
Reference used for this question: http://en.wikipedia.org/wiki/Statistical_multiplexing and http://en.wikipedia.org/wiki/Frequency_division_multiplexing and Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, Chapter 3: Technical Infrastructure and Operational Practices (page 114).

 

NEW QUESTION 81
Drag the following Security Engineering terms on the left to the BEST definition on the right.

Answer:

Explanation:

 

NEW QUESTION 82
Which type of algorithm is considered to have the highest strength per bit of key length of any of the asymmetric algorithms?

  • A. Advanced Encryption Standard (AES)
  • B. El Gamal
  • C. Rivest, Shamir, Adleman (RSA)
  • D. Elliptic Curve Cryptography (ECC)

Answer: D

Explanation:
The answer is "Elliptic Curve Cryptography (ECC)". This type of cryptography is based on the complex mathematics of elliptic curves. These algorithms are advantageous for their speed and strength.
The other answers are not correct because:
"Rivest, Shamir, Adleman (RSA)" is incorrect because RSA is a "traditional" asymmetric algorithm. While it is reasonably strong, it is not considered to be as strong as ECC-based systems.
"El Gamal" is incorrect because it is also a "traditional" asymmetric algorithm and is not considered as strong as ECC-based systems.
"Advanced Encryption Standard (AES)" is incorrect because the question asks specifically about asymmetric algorithms and AES is a symmetric algorithm.
References:
Official ISC2 Guide, page 258
All in One, Third Edition, page 638
The RSA Crypto FAQ: http://www.rsa.com/rsalabs/node.asp?id=2241

 

NEW QUESTION 83
There are parallels between the trust models in Kerberos and Public Key Infrastructure
(PKI). When we compare them side by side, Kerberos tickets correspond most closely to which of the following?

  • A. public-key certificates
  • B. private keys
  • C. public keys
  • D. private-key certificates

Answer: A

Explanation:
A Kerberos ticket is issued by a trusted third party. It is an encrypted data structure that includes the service encryption key. In that sense it is similar to a public-key certificate. However, the ticket is not the key.
The following answers are incorrect:
public keys. Kerberos tickets are not shared out publicly, so they are not like a PKI public key.
private keys. Although a Kerberos ticket is not shared publicly, it is not a private key. Private keys are associated with asymmetric cryptosystems, which Kerberos does not use; Kerberos uses only symmetric cryptography.
private-key certificates. This is a distractor. There is no such thing as a private-key certificate.

 

NEW QUESTION 84
Which of the following biometric characteristics cannot be used to uniquely authenticate an individual's identity?

  • A. Retina scans
  • B. Skin scans
  • C. Palm scans
  • D. Iris scans

Answer: B

 

NEW QUESTION 85
What is the Maximum Tolerable Downtime (MTD)?

  • A. Maximum elapsed time required to complete recovery of application data
  • B. Minimum elapsed time required to complete recovery of application data
  • C. Maximum elapsed time required to move back to the primary site after a major disruption
  • D. It is the maximum delay that businesses can tolerate and still remain viable

Answer: D

Explanation:
"The MTD is the period of time a business function or process can remain interrupted before its ability to recover becomes questionable." Hansche, Official (ISC)2 Guide to the CISSP Exam, p. 678

 

NEW QUESTION 86
Firewalls can be used to

  • A. Protect against protocol redirects.
  • B. Enforce security policy.
  • C. Enforce Secure Network Interface addressing.
  • D. Protect data confidentiality.

Answer: B

Explanation:
A firewall is a device that supports and enforces the company's network security policy. - Shon Harris All-in-one CISSP Certification Guide pg 412

 

NEW QUESTION 87
Which of the following is the BEST Identity-as-a-Service (IDaaS) solution for validating users?

  • A. Security Assertion Markup Language (SAML)
  • B. Single Sign-On (SSO)
  • C. Open Authentication (OAuth)
  • D. Lightweight Directory Access Protocol (LDAP)

Answer: A

 

NEW QUESTION 88
Which of the following is NOT a system-sensing wireless proximity card?

  • A. transponder
  • B. passive device
  • C. field-powered device
  • D. magnetically striped card

Answer: D

Explanation:
The answer: magnetically striped cards are digitally encoded cards.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, page 342.

 

NEW QUESTION 89
Which of the following is related to physical security and is NOT considered a technical control?

  • A. Firewalls
  • B. Intrusion Detection Systems
  • C. Access control Mechanisms
  • D. Locks

Answer: D

Explanation:
Locks are an example of a physical control type, not a technical control.
Controls are put into place to reduce the risk an organization faces, and they come in three main flavors:
administrative, technical, and physical. Administrative controls are commonly referred to as "soft controls" because they are more management-oriented. Examples of administrative controls are security documentation, risk management, personnel security, and training. Technical controls (also called logical controls) are software or hardware components, as in firewalls, IDS, encryption, identification and authentication mechanisms. And physical controls are items put into place to protect facility, personnel, and resources. Examples of physical controls are security guards, locks, fencing, and lighting.
Incorrect Answers:
C: Access control mechanisms are an example of a technical control. Therefore, this answer is incorrect.
B: Intrusion Detection Systems are an example of a technical control. Therefore, this answer is incorrect.
A: Firewalls are an example of a technical control. Therefore, this answer is incorrect.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, p. 28

 

NEW QUESTION 90
Which of the following are potential firewall problems that should be logged?

  • A. Proxies restarted.
  • B. All of the choices.
  • C. Reboot
  • D. Changes to configuration file.

Answer: B

Explanation:
The following firewall problems should be logged:
Reboot of the firewall.
Proxies that cannot start (e.g., within the TIS firewall).
Proxies or other important services that have died or restarted.
Changes to the firewall configuration file.
A configuration or system error while the firewall is running.

 

NEW QUESTION 91
A computer system that employs the necessary hardware and software assurance measures to enable it to process multiple levels of classified or sensitive information is called a:

  • A. Trusted system.
  • B. Safe system.
  • C. Open system.
  • D. Closed system.

Answer: A

Explanation:
The correct answer is Trusted system, by the definition of a trusted system.
The answers Closed system and Open system refer to open, standard information on a product as opposed to a closed or proprietary product. The answer Safe system is a distractor.

 

NEW QUESTION 92
During an IS audit, the auditor has observed that the authentication and authorization steps are split into two functions and that it is possible to force the authorization step to be completed before the authentication step. Which of the following techniques could an attacker use to force the authorization step before authentication?

  • A. Eavesdropping
  • B. Traffic analysis
  • C. Masquerading
  • D. Race Condition

Answer: D

Explanation:
A race condition is when processes carry out their tasks on a shared resource in an incorrect order. A race condition is possible when two or more processes use a shared resource, such as data within a variable. It is important that the processes carry out their functionality in the correct sequence. If process 2 carried out its task on the data before process 1, the result will be much different than if process 1 carried out its task on the data before process 2.
In software, when the authentication and authorization steps are split into two functions, there is a possibility an attacker could use a race condition to force the authorization step to be completed before the authentication step. This would be a flaw in the software that the attacker has figured out how to exploit. A race condition occurs when two or more processes use the same resource and the sequences of steps within the software can be carried out in an improper order, something that can drastically affect the output. So, an attacker can force the authorization step to take place before the authentication step and gain unauthorized access to a resource.
The following answers are incorrect:
Eavesdropping - is the act of secretly listening to the private conversation of others without their consent, as defined by Black's Law Dictionary. This is commonly thought to be unethical and there is an old adage that "eavesdroppers seldom hear anything good of themselves...eavesdroppers always try to listen to matters that concern them."
Traffic analysis - is the process of intercepting and examining messages in order to deduce information from patterns in communication. It can be performed even when the messages are encrypted and cannot be decrypted. In general, the greater the number of messages observed, or even intercepted and stored, the more can be inferred from the traffic. Traffic analysis can be performed in the context of military intelligence, counter-intelligence, or pattern-of-life analysis, and is a concern in computer security.
Masquerading - A masquerade attack is an attack that uses a fake identity, such as a network identity, to gain unauthorized access to personal computer information through legitimate access identification. If an authorization process is not fully protected, it can become extremely vulnerable to a masquerade attack. Masquerade attacks can be perpetrated using stolen passwords and logons, by locating gaps in programs, or by finding a way around the authentication process. The attack can be triggered either by someone within the organization or by an outsider if the organization is connected to a public network. The amount of access masquerade attackers get depends on the level of authorization they've managed to attain. As such, masquerade attackers can have a full smorgasbord of cyber crime opportunities if they've gained the highest access authority to a business organization. Personal attacks, although less common, can also be harmful.
The following references were used to create this question:
CISA review manual 2014 Page number 324
Official ISC2 guide to CISSP CBK 3rd Edition Page number 66
CISSP All-In-One Exam guide 6th Edition Page Number 161

 

NEW QUESTION 93
An application layer firewall is also called a:

  • A. A Session Layer Gateway.
  • B. A Presentation Layer Gateway.
  • C. A Transport Layer Gateway.
  • D. Proxy

Answer: D

Explanation:
An application layer firewall can also be called a proxy.
"A presentation layer gateway", "A session layer gateway" and "A transport layer gateway" are all incorrect: a gateway connects two unlike environments and is usually required to translate between different types of applications or protocols. This is not the function of a firewall.
References: CBK, p. 467; AIO3, pp. 486-490, 960

 

NEW QUESTION 94
An organization wants to migrate to Session Initiation Protocol (SIP) to save on telephony expenses. Which of the following security related statements should be considered in the decision-making process?

  • A. Given the behavior of SIP traffic, additional security controls would be required.
  • B. Cloud telephony is less secure and more expensive than digital telephony services.
  • C. SIP services are more secure when used with multi-layer security proxies.
  • D. H.323 media gateways must be used to ensure end-to-end security tunnels.

Answer: D

 

NEW QUESTION 95
A global organization wants to implement hardware tokens as part of a multifactor authentication solution for remote access. The PRIMARY advantage of this implementation is

  • A. increased accountability of end users.
  • B. it simplifies user access administration.
  • C. it protects against unauthorized access.
  • D. the scalability of token enrollment.

Answer: C

 

NEW QUESTION 96
Which OSI/ISO layer defines the X.24, V.35, X.21 and HSSI standard interfaces?

  • A. Network layer
  • B. Physical layer
  • C. Data link layer
  • D. Transport layer

Answer: B

Explanation:
X.25, V.35, X.21 and HSSI all work at the physical layer in the OSI model.
X.25 is an older WAN protocol that defines how devices and networks establish and maintain connections.
V.35 is the interface standard used by most routers and DSUs that connect to T-1 carriers.
X.21 is a physical and electrical interface.
High-Speed Serial Interface (HSSI) is a short-distance communications interface.
Incorrect Answers:
D: X.25, V.35, X.21 and HSSI all work at the physical layer, not the transport layer.
A: X.25, V.35, X.21 and HSSI all work at the physical layer, not the network layer.
C: X.25, V.35, X.21 and HSSI all work at the physical layer, not the data link layer.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 679

 

NEW QUESTION 97
What uses a key of the same length as the message where each bit or character from the plaintext is encrypted by a modular addition?

  • A. Cipher block chaining
  • B. Steganography
  • C. One-time pad
  • D. Running key cipher

Answer: C

Explanation:
In cryptography, the one-time pad (OTP) is an encryption technique that cannot be cracked if used correctly. In this technique, a plaintext is paired with a random secret key (also referred to as a one-time pad). Then, each bit or character of the plaintext is encrypted by combining it with the corresponding bit or character from the pad using modular addition. If the key is truly random, is at least as long as the plaintext, is never reused in whole or in part, and is kept completely secret, then the resulting ciphertext will be impossible to decrypt or break. However, practical problems have prevented one-time pads from being widely used.
The "pad" part of the name comes from early implementations where the key material was distributed as a pad of paper, so that the top sheet could be easily torn off and destroyed after use.
The one-time pad has serious drawbacks in practice because it requires:
  • Truly random (as opposed to pseudorandom) one-time pad values, which is a non-trivial requirement.
  • Secure generation and exchange of the one-time pad values, which must be at least as long as the message. (The security of the one-time pad is only as secure as the security of the one-time pad exchange.)
  • Careful treatment to make sure that it continues to remain secret, and is disposed of correctly, preventing any reuse in whole or in part, hence "one time".
Because the pad, like all shared secrets, must be passed and kept secure, and the pad has to be at least as long as the message, there is often no point in using one-time padding, as one can simply send the plain text instead of the pad (as both can be the same size and have to be sent securely).
Distributing very long one-time pad keys is inconvenient and usually poses a significant security risk. The pad is essentially the encryption key, but unlike keys for modern ciphers, it must be extremely long and is much too difficult for humans to remember. Storage media such as thumb drives, DVD-Rs or personal digital audio players can be used to carry a very large one-time-pad from place to place in a non- suspicious way, but even so the need to transport the pad physically is a burden compared to the key negotiation protocols of a modern public-key cryptosystem, and such media cannot reliably be erased securely by any means short of physical destruction (e.g., incineration).
The key material must be securely disposed of after use, to ensure the key material is never reused and to protect the messages sent. Because the key material must be transported from one endpoint to another, and persist until the message is sent or received, it can be more vulnerable to forensic recovery than the transient plaintext it protects.
Incorrect Answers:
D: Running key cipher does not use a key of the same length as the message.
B: Steganography is a method of hiding data in another media type so that the very existence of the data is concealed. This is not what is described in the question.
A: Cipher block chaining is an encryption method where each block of text, the key, and a value based on the previous block are processed in the algorithm and applied to the next block of text. This is not what is described in the question.
References:
https://en.wikipedia.org/wiki/One-time_pad
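The two requirements stressed in the explanation above (the pad must be at least as long as the message, and it must never be reused in whole or in part) can be shown concretely. The following Python script is an added example, not from the question's explanation or from the Wikipedia reference: it implements the one-time pad over the letters A-Z with modular addition, enforces the length rule, refuses a pad that has already been consumed, and shows why reuse is fatal by demonstrating that the letter-wise difference of two ciphertexts made with the same pad equals the difference of the two plaintexts (the pad cancels out). The pad store, the sample pad XMCKL and all helper names are constructed for this example.

```python
"""One-time pad over the 26-letter alphabet using modular addition (mod 26).

Added example. Only uppercase A-Z is handled, so that the modular addition
the question describes is visible letter by letter. The pad store and the
cancellation demonstration are constructed for this illustration.
"""
import secrets
import string

ALPHABET = string.ascii_uppercase  # letter i maps to the number i (A=0 ... Z=25)


def generate_pad(length):
    """Draw pad letters from a cryptographically secure source (secrets), one per plaintext letter."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _to_nums(text):
    """Map letters to their 0-25 positions; rejects anything outside A-Z."""
    if any(c not in ALPHABET for c in text):
        raise ValueError("only uppercase A-Z is supported in this example")
    return [ALPHABET.index(c) for c in text]


def _to_text(nums):
    """Map numbers back to letters, reducing modulo 26 so negatives wrap correctly."""
    return "".join(ALPHABET[n % 26] for n in nums)


def _check_length(text, pad):
    """The pad must cover every character of the text (the 'at least as long' rule)."""
    if len(pad) < len(text):
        raise ValueError("pad must be at least as long as the text")


def otp_encrypt(plaintext, pad):
    """ciphertext[i] = (plaintext[i] + pad[i]) mod 26."""
    _check_length(plaintext, pad)
    return _to_text(p + k for p, k in zip(_to_nums(plaintext), _to_nums(pad)))


def otp_decrypt(ciphertext, pad):
    """plaintext[i] = (ciphertext[i] - pad[i]) mod 26."""
    _check_length(ciphertext, pad)
    return _to_text(c - k for c, k in zip(_to_nums(ciphertext), _to_nums(pad)))


class PadStore:
    """Consumes each pad exactly once, enforcing the 'one time' rule at the sender."""

    def __init__(self):
        self._used = set()  # in a real system this would be durable and shared with the peer

    def encrypt(self, plaintext, pad):
        if pad in self._used:
            raise RuntimeError("pad reuse refused: this pad has already been consumed")
        self._used.add(pad)
        return otp_encrypt(plaintext, pad)


def pad_cancels_on_reuse(plaintext1, plaintext2, pad):
    """Why reuse is fatal: with one pad, (c1 - c2) == (p1 - p2) mod 26, so the pad drops out
    and the two ciphertexts leak the relationship between the plaintexts."""
    c1, c2 = otp_encrypt(plaintext1, pad), otp_encrypt(plaintext2, pad)
    diff_cipher = [(a - b) % 26 for a, b in zip(_to_nums(c1), _to_nums(c2))]
    diff_plain = [(a - b) % 26 for a, b in zip(_to_nums(plaintext1), _to_nums(plaintext2))]
    return diff_cipher == diff_plain


if __name__ == "__main__":
    pad = "XMCKL"  # constructed sample pad, same length as the message
    ct = otp_encrypt("HELLO", pad)
    print(ct, otp_decrypt(ct, pad))                      # EQNVZ HELLO
    print(pad_cancels_on_reuse("HELLO", "WORLD", pad))   # True
    store = PadStore()
    store.encrypt("HELLO", pad)
    try:
        store.encrypt("WORLD", pad)
    except RuntimeError as exc:
        print(exc)
```

The length check and the pad store correspond to the first two bullet points above; `pad_cancels_on_reuse` is the reason behind the third. Note that the store only tracks pads the sender has used, which is why the explanation insists the pad material must also be securely destroyed after use: a copy that survives on disk can still be reused or recovered.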

 

NEW QUESTION 98
A distributed system using passwords as the authentication means can use a number of techniques to make the password system stronger. Which of the following is NOT one of these techniques?

  • A. Password generators
  • B. Password file protection
  • C. Regular password reuse
  • D. Limiting the number or frequency of log-on attempts

Answer: C

Explanation:
Passwords should never be reused after the time limit on their use has expired.
Answer "password generators" supply passwords upon request. These passwords are usually comprised of numbers, characters, and sometimes symbols. Passwords provided by password generators are usually not easy to remember.
Answer "password file protection" may consist of hashing the password with a one-way hash function and storing it in a password file. A typical brute force attack against this type of protection is to hash trial password guesses with the same hash function and to compare the results with the hashed passwords stored in the password file.
Answer "Limiting the number or frequency of log-on attempts" provides protection in that, after a specified number of unsuccessful log-on attempts, a user may be locked out of trying to log on for a period of time. An alternative is to progressively increase the time between permitted log-on tries after each unsuccessful log-on attempt.

 

NEW QUESTION 99
Which layer of the DoD TCP/IP model controls the communication flow between hosts?

  • A. Internet layer
  • B. Application layer
  • C. Host-to-host transport layer
  • D. Network access layer

Answer: C

Explanation:
The host-to-host layer (equivalent to the OSI transport layer) provides end-to-end data delivery service and flow control to the application layer.
The four layers in the DoD model, from top to bottom, are:
The Application Layer contains protocols that implement user-level functions, such as mail delivery, file transfer and remote login.
The Host-to-Host Layer handles connection rendezvous, flow control, retransmission of lost data, and other generic data flow management between hosts. The mutually exclusive TCP and UDP protocols are this layer's most important members.
The Internet Layer is responsible for delivering data across a series of different physical networks that interconnect a source and destination machine. Routing protocols are most closely associated with this layer, as is the IP protocol, the Internet's fundamental protocol.
The Network Access Layer is responsible for delivering data over the particular hardware media in use. Different protocols are selected from this layer, depending on the type of physical network.
The OSI model organizes communication services into seven groups called layers. The layers are as follows:
Layer 7, The Application Layer: The application layer serves as a window for users and application processes to access network services. It handles issues such as network transparency, resource allocation, etc. This layer is not an application in itself, although some applications may perform application layer functions.
Layer 6, The Presentation Layer: The presentation layer serves as the data translator for a network. It is usually a part of an operating system and converts incoming and outgoing data from one presentation format to another. This layer is also known as the syntax layer.
Layer 5, The Session Layer: The session layer establishes a communication session between processes running on different communication entities in a network and can support a message-mode data transfer. It deals with session and connection coordination.
Layer 4, The Transport Layer: The transport layer ensures that messages are delivered in the order in which they are sent and that there is no loss or duplication. It ensures complete data transfer. This layer provides an additional connection below the Session layer and assists with managing some data flow control between hosts. Data is divided into packets on the sending node, and the receiving node's Transport layer reassembles the message from packets. This layer is also responsible for error checking to guarantee error-free data delivery, and requests a retransmission if necessary. It is also responsible for sending acknowledgments of successful transmissions back to the sending host. A number of protocols run at the Transport layer, including TCP, UDP, Sequenced Packet Exchange (SPX), and NWLink.
Layer 3, The Network Layer: The network layer controls the operation of the subnet. It determines the physical path that data takes on the basis of network conditions, priority of service, and other factors. The network layer is responsible for routing and forwarding data packets.
Layer 2, The Data-Link Layer: The data-link layer is responsible for error-free transfer of data frames. This layer provides synchronization for the physical layer. ARP and RARP would be found at this layer.
Layer 1, The Physical Layer: The physical layer is responsible for packaging and transmitting data on the physical media. This layer conveys the bit stream through a network at the electrical and mechanical level.
See a great flash animation on the subject at: http://www.maris.com/content/applets/flash/comp/fa0301.swf
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 85).
Also: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter 7: Telecommunications and Network Security (page 344).

 

NEW QUESTION 100
What can be described as a measure of the magnitude of loss or impact on the value of an asset?

  • A. Vulnerability
  • B. Threat
  • C. Exposure factor
  • D. Probability

Answer: C

Explanation:
The exposure factor is a measure of the magnitude of loss or impact on the value of an asset.
The probability is the chance or likelihood, in a finite sample, that an event will occur or that a specific loss value may be attained should the event occur.
A vulnerability is the absence or weakness of a risk-reducing safeguard.
A threat is an event, the occurrence of which could have an undesired impact.
Source: ROTHKE, Ben, CISSP CBK Review presentation on domain 3, August 1999.

 

NEW QUESTION 101
Which of the following is true about a "dry pipe" sprinkler system?

  • A. It is a substitute for carbon dioxide systems.
  • B. It reduces the likelihood of the sprinkler system pipes freezing.
  • C. It uses less water than "wet pipe" systems.
  • D. It maximizes chances of accidental discharge of water.

Answer: B

Explanation:
In dry pipe systems, the water is not actually held in the pipes. The water is contained in a "holding tank" until it is released. The pipes hold pressurized air, which is reduced when a fire or smoke alarm is activated, allowing the water valve to be opened by the water pressure. Water is not allowed into the pipes that feed the sprinklers until an actual fire is detected. First, a heat or smoke sensor is activated; then, the water fills the pipes leading to the sprinkler heads, the fire alarm sounds, the electric power supply is disconnected, and finally water is allowed to flow from the sprinklers. These pipes are best used in colder climates because the pipes will not freeze.
Incorrect Answers:
A: A "dry pipe" sprinkler system is not a replacement for a carbon dioxide system. Dry pipe systems still use water, which is not suitable for many fires. Therefore, this answer is incorrect.
D: A "dry pipe" sprinkler system does not maximize the chances of accidental discharge of water. The chances are reduced, as there is no water held in the pipes. Therefore, this answer is incorrect.
C: A "dry pipe" sprinkler system uses no less water than "wet pipe" systems. Therefore, this answer is incorrect.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, p. 474

 

NEW QUESTION 102
......
