1、CISSP认证考试(安全运营)模拟试卷 1及答案与解析 1 Which of the following is not a common component of configuration management change control steps? ( A) Tested and presented ( B) Service-level agreement approval ( C) Report change to management ( D) Approval of the change 2 A change management process should include a
2、 number of procedures. Which of the following incorrectly describes a characteristic or component of a change control policy? ( A) Changes that are unanimously approved by the change control committee must be tested to uncover any unforeseen results. ( B) Changes approved by the change control commi
3、ttee should be entered into a change log. ( C) A schedule that outlines the projected phases of the change should be developed. ( D) An individual or group should be responsible for approving proposed changes. 3 The requirement of erasure is the end of the media life cycle if it contains sensitive i
4、nformation. Which of the following best describes purging? ( A) Changing the polarization of the atoms on the media. ( B) It is unacceptable when media are to be reused in the same physical environment for the same purposes. ( C) Data formerly on the media is made unrecoverable by overwriting it wit
5、h a pattern. ( D) Information is made unrecoverable, even with extraordinary effort. 4 Device backup and other availability solutions are chosen to balance the value of having information available against the cost of keeping that information available. Which of the following best describes fault-to
6、lerant technologies? ( A) They are among the most expensive solutions and are usually only for the most mission-critical information. ( B) They help service providers identify appropriate availability services for the specific customer. ( C) They are required to maintain integrity, regardless of the
7、 other technologies in place. ( D) They allow a failed component to be replaced while the system continues to run. 5 Which of the following refers to the amount of time it will be expected to take to get a device fixed and back into production? ( A) SLA ( B) MTTR ( C) Hot-swap ( D) MTBF 6 Which of t
8、he following correctly describes Direct Access and Sequential Access storage devices? ( A) Any point on a Direct Access Storage Device may be promptly reached, whereas every point in between the current position and the desired position of a Sequential Access Storage Device must be traversed in orde
9、r to reach the desired position. ( B) RAIT is an example of a Direct Access Storage Device, while RAID is an example of a Sequential Access Storage Device. ( C) MAID is a Direct Access Storage Device, while RAID is an example of a Sequential Access Storage Device. ( D) As an example of Sequential Ac
10、cess Storage, tape drives are faster than Direct Access Storage Devices. 7 There are classifications for operating system failures. Which of the following refers to what takes place when an unexpected kernel or media failure happens and the regular recovery procedure cannot recover the system to a m
11、ore consistent state, requiring an administrator to intervene? ( A) Emergency system restart ( B) Trusted recovery ( C) System cold start ( D) System reboot 8 Various levels of RAID dictate the type of activity that will take place within the RAID system. Which level is associated with byte-level pa
12、rity? ( A) RAID Level 0 ( B) RAID Level 3 ( C) RAID Level 5 ( D) RAID Level 10 9 Which of the following incorrectly describes IP spoofing and session hijacking? ( A) Address spoofing helps an attacker to hijack sessions between two users without being noticed. ( B) IP spoofing makes it harder to tra
13、ck down an attacker. ( C) Session hijacking can be prevented with mutual authentication. ( D) IP spoofing is used to hijack SSL and IPSec secure communications. 10 RAID systems use a number of techniques to provide redundancy and performance. Which of the following activities divides and writes data
14、 over several drives? ( A) Parity ( B) Mirroring ( C) Striping ( D) Hot-swapping 11 What is the difference between hierarchical storage management and storage area network technologies? ( A) HSM uses optical or tape jukeboxes, and SAN is a standard of how to develop and implement this technology. (
15、B) HSM and SAN are one and the same. The difference is in the implementation. ( C) HSM uses optical or tape jukeboxes, and SAN is a network of connected storage. ( D) SAN uses optical or tape jukeboxes, and HSM is a network of connected storage systems. 12 John and his team are conducting a penetrat
16、ion test of a clients network. The team will conduct its testing armed only with knowledge it acquired from the Web. The network staff is aware that the testing will take place, but the penetration testing team will only work with publicly available data and some information from the client. What is
17、 the degree of the teams knowledge and what type of test is the team carrying out? ( A) Full knowledge; blind test ( B) Partial knowledge; blind test ( C) Partial knowledge; double-blind test ( D) Zero knowledge; targeted test 13 What type of exploited vulnerability allows more input than the progra
18、m has allocated space to store it? ( A) Symbolic links ( B) File descriptors ( C) Kernel flaws ( D) Buffer overflows 14 There are often scenarios where the IT staff must react to emergencies and quickly apply fixes or change configurations. When dealing with such emergencies, which of the following
19、is the best approach to making changes? ( A) Review the changes within 48 hours of making them. ( B) Review and document the emergency changes after the incident is over. ( C) Activity should not take place in this manner. ( D) Formally submit the change to a change control committee and follow the
20、complete change control process. 15 Organizations should keep system documentation on hand to ensure that the system is properly cared for, that changes are controlled, and that the organization knows whats on the system. What does not need to be in this type of documentation? ( A) Functionality ( B
21、) Changes ( C) Volume of transactions ( D) Identity of system owner 16 Fred is a new security officer who wants to implement a control for detecting and preventing users who attempt to exceed their authority by misusing the access rights that have been assigned to them. Which of the following best f
22、its this need? ( A) Management review ( B) Two-factor identification and authentication ( C) Capturing this data in audit logs ( D) Implementation of a strong security policy 17 Which of the following is the best way to reduce brute-force attacks that allow intruders to uncover users passwords? ( A)
23、 Increase the clipping level. ( B) Lock out an account for a certain amount of time after the clipping level is reached. ( C) After a threshold of failed login attempts is met, the administrator must physically lock out the account. ( D) Choose a weaker algorithm that encrypts the password file. 18
24、Brandy could not figure out how Sam gained unauthorized access to her system, since he has little computer experience. Which of the following is most likely the attack Sam used? ( A) Dictionary attack ( B) Shoulder surfing attack ( C) Covert channel attack ( D) Timing attack 19 The relay agent on a
25、mail server plays a role in spam prevention. Which of the following incorrectly describes mail relays? ( A) Antispam features on mail servers are actually antirelaying features. ( B) Relays should be configured “wide open“ to receive any e-mail message. ( C) Relay agents are used to send messages fr
26、om one mail server to another. ( D) If a relay is configured “wide open,“ the mail server can be used to send spam. 20 John is responsible for providing a weekly report to his manager outlining the weeks security incidents and mitigation steps. What steps should he take if a report has no informatio
27、n? ( A) Send his manager an e-mail telling her so. ( B) Deliver last weeks report and make sure its clearly dated. ( C) Deliver a report that states “No output.“ ( D) Dont do anything. 21 Brian, a security administrator, is responding to a virus infection. The antivirus application reports that a fi
28、le has been infected with a dangerous virus and disinfecting it could damage the file. What course of action should Brian take? ( A) Replace the file with the file saved from the day before. ( B) Disinfect the file and contact the vendor. ( C) Restore an uninfected version of the patched file from b
29、ackup media. ( D) Back up the data and disinfect the file. 22 Guidelines should be followed to allow secure remote administration. Which of the following is not one of those guidelines? ( A) A small number of administrators should be allowed to carry out remote functionality. ( B) Critical systems s
30、hould be administered locally instead of remotely. ( C) Strong authentication should be in place. ( D) Telnet should be used to send commands and data. 23 In a redundant array of inexpensive disks (RAID) systems, data and parity information are striped over several different disks. What is parity in
31、formation used for? ( A) Information used to create new data ( B) Information used to erase data ( C) Information used to rebuild data ( D) Information used to build data 24 Mirroring of drives is when data is written to two drives at once for redundancy purposes. What similar type of technology is
32、shown in the graphic that follows? ( A) Direct access storage ( B) Disk duplexing ( C) Striping ( D) Massive array of inactive disks 25 There are several different types of important architectures within backup technologies. Which architecture does the graphic that follows represent?( A) Clustering
33、( B) Grid computing ( C) Backup tier security ( D) Hierarchical Storage Management 26 Which of the following is not considered a countermeasure to port scanning and operating system fingerprinting? ( A) Allow access at the perimeter network to all internal ports ( B) Remove as many banners as possib
34、le within operating systems and applications ( C) Use TCP wrappers on vulnerable services that have to be available ( D) Disable unnecessary ports and services 27 _provides for availability and scalability. It groups physically different systems and combines them logically, which helps to provide im
35、munity to faults and improves performance. ( A) Disc duping ( B) Clustering ( C) RAID ( D) Virtualization 28 Bob is a new security administrator at a financial institution. The organization has experienced some suspicious activity on one of the critical servers that contain customer data. When revie
36、wing how the systems are administered, he uncovers some concerning issues pertaining to remote administration. Which of the following should not be put into place to reduce these concerns? i. Commands and data should not be sent in cleartext. ii. SSH should be used, not Telnet. iii. Truly critical s
37、ystems should be administered locally instead of remotely. iv. Only a small number of administrators should be able to carry out remote functionality. v. Strong authentication should be in place for any administration activities. ( A) i, ii ( B) None of them ( C) ii, iv ( D) All of them 28 The follo
38、wing scenario will be used for questions 29 and 30. John is a network administrator and has been told by one of his network staff members that two servers on the network have recently had suspicious traffic traveling to them and then from them in a sporadic manner. The traffic has been mainly ICMP,
39、but the patterns were unusual compared to other servers over the last 30 days. John lists the directories and subdirectories on the systems and finds nothing unusual. He inspects the running processes and again finds nothing suspicious. He sees that the systems NICs are not in promiscuous mode, so h
40、e is assured that sniffers have not been planted. 29 Which of the following describes the most likely situation as described in this scenario? ( A) Servers are not infected, but the traffic illustrates attack attempts. ( B) Servers have been infected with rootkits. ( C) Servers are vulnerable and ne
41、ed to be patched. ( D) Servers have been infected by spyware. 30 Which of the following best explains why John does not see anything suspicious on the reported systems? ( A) The systems have not yet been infected. ( B) He is not running the correct tools. He needs to carry out a penetration test on
42、the two systems. ( C) Trojaned files have been loaded and executed. ( D) A back door has been installed and the attacker enters the system sporadically. CISSP认证考试(安全运营)模拟试卷 1答案与解析 1 【正确答案】 B 【试题解析】 B正确。应该建立一个结构良好的变更管理流程来帮助员工适应多种不同类型的环境变化。这个过程应该体现在变更控制策略中。尽管变更的类型各不相同, 但一个标准的过程列表能有助于把这个流程置于可控范围内,并确保变更
43、以一个可以预见的方式进行。变更控制策略应该包括请求变更的发生、批准变更、变更文档化、测试和呈现、实施,以及把变更报告提交给管理层等流程。配置管理变更控制过程通常对服务等级协议的批准无效。 A不正确。因为一个标准的变更控制策略应该包含测试和呈现。所有变更必须经过全面测试以发现任何不可以预见的结果。根据变更的严重程度和公司的组织结构,变更及其实施可能需要被提交给变更控制委员会。这有助于表现变更的不同目的和结果,以及可能的分支。 C不正确。因为把变更 报告提交给管理层的流程应该包含在标准的变更控制策略中。在变更得以实施之后,应该向管理层提交一个总结这次变更的完整报告。这样的报告可以定期提交,从而使得
44、管理层实时了解并继续给予支持。 D不正确。因为获取变更批准的流程应该包含在标准的变更控制策略中。请求变更的人必须陈述理由,并清楚地阐述变更的好处和可能产生的失误。有时请求者可能被要求进行更多的研究并提供更多的信息之后才被批准变更。 【知识模块】 安全运营 2 【正确答案】 A 【试题解析】 A正确。应该建立一个结构良好的变更管理流程来帮助员工度 过多种类型的环境变化。这个流程应该体现在变更控制策略中。尽管变更的类型各不相同,但一个标准的流程列表有助于把这个流程置于可控范围内,从而确保它以一个可以预见的方式进行。变更控制委员会批准的所有变更都必须经过全面测试以发现不可以预见的结果。根据变更的严重
45、程度和公司的组织结构,变更及其实施可能需要被提交给变更控制委员会。这有助于表现变更的不同目的和效果以及可能产生的后果。 B不正确。因为变更控制委员会批准的变更的确应该记入变更口志。这个口志应该随着进程的进行而更新,直到进程结束。追踪并记录所有得以批准并实施的变更是至关重要的。 C不正确。因为一旦某个变更经过了全面地测试和批准,就应该制定一个描述实施变更的各个阶段和必要里程碑的日程安排。这些步骤应该完全被记录下来,进度也应该被监控。 D不正确。因为请求应该被提交给负责批准变更并监督在这个环境中发生的变更活动的人或者小组。 【知识模块】 安全运营 3 【正确答案】 D 【试题解析】 D正确。清理
46、(purging)指的是在过程周期结束时从系统、存储设备或者带有存储容量的外围设备上移除敏感信息。这个行为的执行方式应该保护数据的敏感性,使得敏感数据不会被重 建。删除介质上的文件并不会真正让数据消失,它只是删除了指针,而那些文件中的数据仍然保留在介质上。这就是专门从事恢复数据业务的公司能够在数据被故意或者意外销毁后仍然能够恢复被删除文件的原因所在。即使简单地使用新信息重写介质也不会降低恢复以前所写信息的可能性。这就是为什么需要清零和安全覆盖算法的原因。如果包含高度敏感信息介质的某个部分无法被清理或者清除,那么就必须采用物理销毁的方式。 A不正确。因为它描述的是消磁 (degaussing),
47、消磁是清理的一种。执行消磁的设备会产生一种强制磁力,把存储介质的磁通密度降 为 0。正是这种磁力把介质中的数据擦除了。数据以原子极化的形式存储在磁介质上,消磁用一种强大的磁力改变了这种极化,把它恢复为最初的通量 (磁量分布 )。 B不正确。因为当介质需要重新安排到一个不同的区域时就需要清理它。当介质被擦除 (删除它们的内容 )时,称为被消毒。这意味着擦除信息,从而使得使用常规操作系统命令或者现有的商业取证或数据恢复软件来恢复不是那么容易。 C不正确。因为它描述的是清零,这是清理的一种,而不是描述清理本身。载有敏感数据的介质必须被正确清理,这可以通过清零、消磁或者介质销毁的方式实现。 【 知识模
48、块】 安全运营 4 【正确答案】 A 【试题解析】 A正确。容错技术可以保证信息不仅在单个存储设备出现故障时可用,甚至可以在整个系统出现故障时也可用。容错是最昂贵的保持信息可用性的解决方案,通常仅用于最关键的任务信息。所有的技术最终都将经历某种形式的故障。如果一家公司遇到计划外的停机会遭受难以弥补的损害,那么这家公司才有使用高成本的容错系统的必要。 B不正确。因为服务等级协议 (Service-Level Agreements, SLA)帮助服务提供者 无论是内部 IT业务运营部门还是外包商 决定什么类型的可用性技术和服务是适合的。确定可用性技术和服务的类型,服务的价格或者 IT运营部门的预算
49、便可以定下来。开发业务的 SLA过程对企业本身大有裨益。虽然有些企业已经意识到了这一点,但许多企业还没有。作为他们内部 IT业务或者外部外包预算的一部分而被迫开发的 SLA有助于该企业了解它的信息的真正价值。 C不正确。因为容错技术并不一定和数据或者系统完整性有关系。 D不正确。因为新增热插拔 (hot-swappable)硬件不需要关闭系统,可能会、也可能不会被认为是容错技术。热插拔允许管理员在系统持续运行和信息仍 旧可用时替换出现故障的组件,这样做通常会降低性能,但可避免出现计划外的停机时间。 【知识模块】 安全运营 5 【正确答案】 B 【试题解析】 B正确。平均修复时间 (Mean Time To Repair, MTTR)指的是修复一个设备使其重新投入生产预计所用的时间。对于一个冗余阵列中的硬盘来说,MTTR指的是从实际出现故障到这个故障被注意到,有人更换这个出故障的硬盘,且冗余阵列已经完成在新硬盘上重新写入信息为止所用的时间。这个时间通常用小时来衡量。对于台式机内的一个非冗余硬盘驱动器而言, MTTR指的是硬盘出现故障开始到更换后的硬盘已载入操作系统、软件和其他任何属于用户的备份数据为止的这段时间。这有可能是几天的时间。对于一个意外重启而言,MTTR指的是从系统出现故障开始到它重新启动系统、检查了磁盘状态、重启其应用程序、允许其应用程
