CISSP Practice Exams 最新官方习题集第四版（2016出版）(1).pdf

ABOUTTHEAUTHORSShonHarris,CISSP,wasthefounderandCEOofShonHarrisSecurityLLCandLogicalSecurityLLC,asecurityconsultant,aformerengineerintheAirForcesInformationWarfareunit,aninstructor,andanauthor.Shonownedandranherowntrainingandconsultingcompaniesfor13yearspriortoherdeathin2014.SheconsultedwithFortune100corporationsandgovernmentagenciesonextensivesecurityissues.Sheauthoredthreebest-sellingCISSPbooks,wasacontributingauthortoGrayHatHacking:TheEthicalHackersHandbookandSecurityInformationandEventManagement(SIEM)Implementation,andatechnicaleditorforInformationSecurityMagazine.JonathanHam,CISSP,GSEC,GCIA,GCIH,GMON,isanindependentconsultantwhospecializesinlarge-scaleenterprisesecurityissues,frompolicyandprocedure,throughteamselectionandtraining,toimplementingscalableprevention,detection,andresponsetechnologiesandtechniques.WithakeenunderstandingofROIandTCO(andanemphasisonreal-worldpracticeoverproducts),hehashelpedhisclientsachievegreatersuccessforover20years,advisinginboththepublicandprivatesectors,fromsmallstartupstotheFortune50,andtheU.S.DepartmentofDefenseacrossmultipleengagedforces.Mr.HamhasbeencommissionedtoteachinvestigativetechniquestotheNSA,hastrainedNCISinvestigatorshowtouseintrusiondetectiontechnologies,hasperformedpacketanalysisfromafacilitymorethan2,000feetunderground,andhascharteredandtrainedtheCIRTforoneofthelargestU.S.civilianfederalagencies.Inadditiontohisprofessionalcertifications,Mr.HamisaCertifiedInstructorandAuthorwiththeSANSInstitute,andisamemberoftheGIACAdvisoryBoard.HehasalsoconsistentlybeenthehighestratedtraineratBlackHatevents,teachinghiscourseonNetworkForensics.Hisgroundbreakingtextbookonthetopicestablishedhimasapioneerinthefield.AformercombatmedicwiththeU.S.Navy/MarineCorps,Mr.Hamhasspentoveradecadepracticingadifferentkindofemergencyresponse,volunteeringandteachingforboththeNationalSkiPatrolandtheAmericanRedCross,asbothaSeniorPatrollerandInstructorandaProfessionalRescuer.ANotefromJonathanShonandInevermetinperson,thoughmycareerhasbeeninextricablylinkedtohersformorethanadecade.ThefirsttimeIwaseveraskedtoteachaclassfortheSANSInstitutewasbecauseShonwasscheduledandcouldntmakeit.IwentontoteachSANSextremelypopularCISSPprepcourse(Mgt414)dozensoftimes,andmystudentsroutinelybroughtherbookstomyclassroom.Asaresult,Ivegoneontoteachthousandsofstudentsatboththegraduateandpost-graduatelevel,acrosssixcontinentsandindozensofcountries,andinvolvingcontentrangingfromhackingtechniquestoforensicinvestigations.ThankstoShon,IamtrulylivingthedreamandgivingitbackineverywaythatIcan.IamalsoextremelyhonoredtohavebeenaskedbyMcGraw-HillEducationtocontinueherwork.WehadsoverymanyfriendsincommonthatnearlyeveryoneIknowprofessionallyencouragedmetodoit.ShewillberememberedwiththerespectofthousandsofCISSPs.Andmine.AbouttheTechnicalEditorDanielCarter,CISSP,CCSP,CISM,CISA,has20yearsofexperienceintheITandsecurityworlds,workinginboththehighereducationandhealthcaresectors,onthestateandfederallevels.HeiscurrentlyaSystemsSecurityOfficerinU.S.FederalHealthcareforHPEnterprise.HehasworkedextensivelyonbothsecurityandarchitectureforpublicwebsystemsfortheCentersforMedicare&MedicaidServices(CMS),includingofficialwebsitesforMedicareandtheAffordableCareAct.PriortoworkatHPEandCMS,DanielworkedinEnterpriseInformationSystemsfortheUniversityofMarylandonsystemsrangingfromofficialuniversitywebsites,identityandauthenticationsystems,e-mailandcalendaring,andtheuniversitysPKIinfrastructure.Copyright2016byMcGraw-HillEducation.Allrightsreserved.ExceptaspermittedundertheUnitedStatesCopyrightActof1976,nopartofthispublicationmaybereproducedordistributedinanyformorbyanymeans,orstoredinadatabaseorretrievalsystem,withoutthepriorwrittenpermissionofthepublisher.ISBN:978-1-25-958508-1MHID:1-25-958508-5ThematerialinthiseBookalsoappearsintheprintversionofthistitle:ISBN:978-1-25-958596-8,MHID:1-25-958596-4.eBookconversionbycodeMantraVersion1.0Alltrademarksaretrademarksoftheirrespectiveowners.Ratherthanputatrademarksymbolaftereveryoccurrenceofatrademarkedname,weusenamesinaneditorialfashiononly,andtothebenefitofthetrademarkowner,withnointentionofinfringementofthetrademark.Wheresuchdesignationsappearinthisbook,theyhavebeenprintedwithinitialcaps.McGraw-HillEducationeBooksareavailableatspecialquantitydiscountstouseaspremiumsandsalespromotionsorforuseincorporatetrainingprograms.Tocontactarepresentative,pleasevisittheContactU.InformationhasbeenobtainedbyMcGraw-HillEducationfromsourcesbelievedtobereliable.However,becauseofthepossibilityofhumanormechanicalerrorbyoursources,McGraw-HillEducation,orothers,McGraw-HillEducationdoesnotguaranteetheaccuracy,adequacy,orcompletenessofanyinformationandisnotresponsibleforanyerrorsoromissionsortheresultsobtainedfromtheuseofsuchinformation.TERMSOFUSEThisisacopyrightedworkandMcGraw-HillEducationanditslicensorsreserveallrightsinandtothework.Useofthisworkissubjecttotheseterms.ExceptaspermittedundertheCopyrightActof1976andtherighttostoreandretrieveonecopyofthework,youmaynotdecompile,disassemble,reverseengineer,reproduce,modify,createderivativeworksbasedupon,transmit,distribute,disseminate,sell,publishorsublicensetheworkoranypartofitwithoutMcGraw-HillEducationspriorconsent.Youmayusetheworkforyourownnoncommercialandpersonaluse;anyotheruseoftheworkisstrictlyprohibited.Yourrighttousetheworkmaybeterminatedifyoufailtocomplywiththeseterms.THEWORKISPROVIDED“ASIS.”McGRAW-HILLEDUCATIONANDITSLICENSORSMAKENOGUARANTEESORWARRANTIESASTOTHEACCURACY,ADEQUACYORCOMPLETENESSOFORRESULTSTOBEOBTAINEDFROMUSINGTHEWORK,INCLUDINGANYINFORMATIONTHATCANBEACCESSEDTHROUGHTHEWORKVIAHYPERLINKOROTHERWISE,ANDEXPRESSLYDISCLAIMANYWARRANTY,EXPRESSORIMPLIED,INCLUDINGBUTNOTLIMITEDTOIMPLIEDWARRANTIESOFMERCHANTABILITYORFITNESSFORAPARTICULARPURPOSE.McGraw-HillEducationanditslicensorsdonotwarrantorguaranteethatthefunctionscontainedintheworkwillmeetyourrequirementsorthatitsoperationwillbeuninterruptedorerrorfree.NeitherMcGraw-HillEducationnoritslicensorsshallbeliabletoyouoranyoneelseforanyinaccuracy,errororomission,regardlessofcause,intheworkorforanydamagesresultingtherefrom.McGraw-HillEducationhasnoresponsibilityforthecontentofanyinformationaccessedthroughthework.UndernocircumstancesshallMcGraw-HillEducationand/oritslicensorsbeliableforanyindirect,incidental,special,punitive,consequentialorsimilardamagesthatresultfromtheuseoforinabilitytousethework,evenifanyofthemhasbeenadvisedofthepossibilityofsuchdamages.Thislimitationofliabilityshallapplytoanyclaimorcausewhatsoeverwhethersuchclaimorcausearisesincontract,tortorotherwise.IthasbeenattheexpenseofmytribethatIhavemanagedtocontinueShonswork.Ihonorthembynamehere,aselsewhere:436861726C6965204D617269652048616D0D0A56696F6C65742044616E67657220576573740D0A5468756E646572204772657920576573740D0A50616F6C6120436563696C696120476172636961204A756172657A0D0ATheyarebeautifulandbrillianteach,andlovedmorethantheymayeverknow.JonathanHam,April13,2016CONTENTSPrefaceIntroductionChapter1SecurityandRiskManagementChapter2AssetSecurityChapter3SecurityEngineeringChapter4CommunicationandNetworkSecurityChapter5IdentityandAccessManagementChapter6SecurityAssessmentandTestingChapter7SecurityOperationsChapter8SoftwareDevelopmentSecurityAppendixAbouttheDownloadIndexPREFACEComputer,information,andphysicalsecurityarebecomingmoreimportantatanexponentialrate.Overthelastfewyears,thenecessityforcomputerandinformationsecurityhasgrownrapidlyascyberattackshaveincreased,financialinformationisbeingstolenatarapidpace,cyberwarfareisaffectingcountriesaroundtheworld,andtodaysmalwareisgrowingexponentiallyinitssophisticationanddominatingourthreatlandscape.Theworldscontinuousdependencyupontechnologyandtherapidincreaseinthecomplexitiesofthesetechnologiesmakesecuringthemachallengingandimportanttask.Companieshavehadtospendmillionsofdollarstocleanuptheeffectsoftheseissuesandmillionsofdollarsmoretosecuretheirperimeterandinternalnetworkswithequipment,software,consultants,andeducation.Ournetworkedenvironmentsnolongerhavetrueboundaries;theintegrationofmobiledeviceshasintroducedmoreattacksurfaces;andtheattackersarecommonlywellfunded,organized,andfocusedontheirintendedvictims.Thenecessityandurgencyforsecurityhaveledtoanewparadigmemerging.Itisslowlybecomingapparentthatgovernments,nations,andsocietiesarevulnerabletomanydifferenttypesofattacksthatcanhappenoverthenetworkwireandairwaves.Societiesdependheavilyonalltypesofcomputingpowerandfunctionality,mostlyprovidedbythepublicandprivatesectors.Thismeansthatalthoughgovernmentsareresponsibleforprotectingtheircitizens,itisbecomingapparentthatthecitizensandtheirbusinessesmustbecomemoresecuretoprotectthenationasawhole.Thistypeofprotectioncanreallyonlybeginthroughpropereducationandunderstanding,andmustcontinuewiththededicatedexecutionofthisknowledge.Thisbookiswrittentoprovideafoundationinthemanydifferentareasthatmakeupeffectivesecurity.Weneedtounderstandallofthethreatsanddangerswearevulnerabletoandthestepsthatmustbetakentomitigatethesevulnerabilities.INTRODUCTIONTheobjectiveofthisbookistoprepareyoufortheCISSPexambyfamiliarizingyouwiththemoredifficulttypesofquestionsthatmaycomeupontheexam.ThequestionsinthisbookdelveintothemorecomplextopicsoftheCISSPCommonBodyofKnowledge(CBK)thatyoumaybefacedwithwhenyoutaketheexam.ThisbookhasbeendevelopedtobeusedintandemwiththeCISSPAll-in-OneExamGuide,SeventhEdition.Thebestapproachtopreparefortheexamusingallofthematerialavailabletoyouisoutlinedhere:1.Reviewthequestionsandanswerexplanationsineachchapter.2.Iffurtherreviewisrequired,readthecorrespondingchapter(s)intheCISSPAll-in-OneExamGuide,SeventhEdition.3.Reviewalloftheadditionalquestionsthatareavailable.Seethe“AdditionalQuestionsAvailable”sectionattheendofthisintroduction.Becausetheprimaryfocusofthisbookistohelpyoupasstheexam,thequestionsincludedcoveralleightCISSPexamdomains.Eachquestionfeaturesadetailedexplanationastowhyoneanswerchoiceisthecorrectanswerandwhyeachoftheotherchoicesisincorrect.Becauseofthis,webelievethisbookwillserveasavaluableprofessionalresourceafteryourexam.InThisBookThisbookhasbeenorganizedsothateachchapterconsistsofabatteryofpracticeexamquestionsrepresentingasingleCISSPexamdomain,appropriateforexperiencedinformationsecurityprofessionals.Eachpracticeexamquestionfeaturesanswerexplanationsthatprovidetheemphasisonthe“why”aswellasthe“how-to”ofworkingwithandsupportingthetechnologyandconcepts.InEveryChapterIncludedineachchapterarefeaturesthatcallyourattentiontothekeystepsofthetestingandreviewprocessandthatprovidehelpfulexam-takinghints.Takealookatwhatyoullfindineverychapter:EverychapterincludespracticeexamquestionsfromoneCISSPCBKSecurityDomain.Drilldownonthequestionsfromeachdomainthatyouwillneedtoknowhowtoanswerinordertopasstheexam.ThePracticeExamQuestionsaresimilartothosefoundontheactualCISSPexamandaremeanttopresentyouwithsomeofthemostcommonandconfusingproblemsthatyoumayencounterwhentakingtheactualexam.Thesequestionsaredesignedtohelpyouanticipatewhattheexamwillemphasize.Gettinginsidetheexamwithgoodpracticequestionswillhelpensureyouknowwhatyouneedtoknowtopasstheexam.EachchapterincludesaQuickAnswerKey,whichprovidesthequestionnumberandthecorrespondingletterforthecorrectanswerchoice.Thisallowsyoutoscoreyouranswersquicklybeforeyoubeginyourreview.EachquestionincludesanIn-DepthAnswerExplanationexplanationsareprovidedforboththecorrectandincorrectanswerchoicesandcanbefoundattheendofeachchapter.Byreadingtheanswerexplanations,youllreinforcewhatyouvelearnedfromansweringthequestionsinthatchapter,whilealsobecomingfamiliarwiththestructureoftheexamquestions.AdditionalQuestionsAvailableInadditiontothequestionsineachchapter,therearemorethan1,000multiple-choicepracticeexamquestionsavailabletoyou.Alsoavailablearesimulatedhotspotanddrag-and-droptypequestions.Formoreinformationonthesequestiontypesandhowtoaccessthem,pleaserefertotheappendix.CHAPTER1SecurityandRiskManagementThisdomainincludesquestionsfromthefollowingtopics:SecurityterminologyandprinciplesProtectioncontroltypesSecurityframeworks,models,standards,andbestpracticesComputerlawsandcrimesIntellectualpropertyDatabreachesRiskmanagementThreatmodelingBusinesscontinuityanddisasterrecoveryPersonnelsecuritySecuritygovernanceAsecurityprofessionalsresponsibilitiesextendwellbeyondreactingtothelatestnewsheadlinesofanewexploitorsecuritybreach.Theday-to-dayresponsibilitiesofsecurityprofessionalsarefarlessexcitingonthesurfacebutarevitaltokeepingorganizationsprotectedagainstintrusionssothattheydontbecomethenextheadline.Theroleofsecuritywithinanorganizationisacomplexone,asittoucheseveryemployeeandmustbemanagedcompanywide.Itisimportantthatyouhaveanunderstandingofsecuritybeyondthetechnicaldetailstoincludemanagementandbusinessissues,bothfortheCISSPexamandforyourroleinthefield.QQUESTIONS1.WhichofthefollowingbestdescribestherelationshipbetweenCOBITandITIL?A.COBITisamodelforITgovernance,whereasITILisamodelforcorporategovernance.B.COBITprovidesacorporategovernanceroadmap,whereasITILisacustomizableframeworkforITservicemanagement.C.COBITdefinesITgoals,whereasITILprovidestheprocess-levelstepsonhowtoachievethem.D.COBITprovidesaframeworkforachievingbusinessgoals,whereasITILdefinesaframeworkforachievingITservice-levelgoals.2.Globalorganizationsthattransferdataacrossinternationalboundariesmustabidebyguidelinesandtransborderinformationflowrulesdevelopedbyaninternationalorganizationthathelpsdifferentgovernmentscometogetherandtackletheeconomic,social,andgovernancechallengesofaglobalizedeconomy.Whatorganizationisthis?A.CommitteeofSponsoringOrganizationsoftheTreadwayCommissionB.TheOrganisationforEconomicCo-operationandDevelopmentC.COBITD.InternationalOrganizationforStandardization3.Steve,adepartmentmanager,hasbeenaskedtojoinacommitteethatisresponsiblefordefininganacceptablelevelofriskfortheorganization,reviewingriskassessmentandauditreports,andapprovingsignificantchangestosecuritypoliciesandprograms.Whatcommitteeishejoining?A.SecuritypolicycommitteeB.AuditcommitteeC.RiskmanagementcommitteeD.Securitysteeringcommittee4.Whichofthefollowingisnotincludedinariskassessment?A.DiscontinuingactivitiesthatintroduceriskB.IdentifyingassetsC.IdentifyingthreatsD.Analyzingriskinorderofcostorcriticality5.Theintegrityofdataisnotrelatedtowhichofthefollowing?A.UnauthorizedmanipulationorchangestodataB.ThemodificationofdatawithoutauthorizationC.TheintentionaloraccidentalsubstitutionofdataD.Theextractionofdatatosharewithunauthorizedentities6.AshiscompanysCISO,Georgeneedstodemonstratetotheboardofdirectorsthenecessityofastrongriskmanagementprogram.WhichofthefollowingshouldGeorgeusetocalculatethecompanysresidualrisk?A.threatsvulnerabilityassetvalue=residualriskB.SLEfrequency=ALE,whichisequaltoresidualriskC.(threatsvulnerabilityassetvalue)controlsgap=residualriskD.(totalriskassetvalue)countermeasures=residualrisk7.CapabilityMaturityModelIntegration(CMMI)camefromthesoftwareengineeringworldandisusedwithinorganizationstohelplayoutapathwayofhowincrementalimprovementcantakeplace.Thismodelisusedbyorganizationsinself-assessmentandtodevelopstructuredstepsthatcanbefollowedsoanorganizationcanevolvefromoneleveltothenextandconstantlyimproveitsprocesses.IntheCMMImodelgraphicshown,whatisthepropersequenceofthelev