
Advanced CISSP Prep Guide: Exam Q&A


Ronald L. Krutz, Russell Dean Vines

ISBN: 978-0-471-45401-4

Feb 2003

352 pages


Get ready to pass the CISSP exam and earn your certification with this advanced test guide

Used alone or as an in-depth supplement to the bestselling The CISSP Prep Guide, this book provides you with an even more intensive preparation for the CISSP exam. With the help of more than 300 advanced questions and detailed answers, you'll gain a better understanding of the key concepts associated with the ten domains of the common body of knowledge (CBK). Each question is designed to test you on the information you'll need to know in order to pass the exam. Along with explanations of the answers to these advanced questions, you'll find discussions on some common incorrect responses as well. In addition to serving as an excellent tutorial, this book presents you with the latest developments in information security. It includes new information on:

  • Carnivore, Echelon, and the U.S. Patriot Act
  • The Digital Millennium Copyright Act (DMCA) and recent rulings
  • The European Union Electronic Signature Directive
  • The Advanced Encryption Standard, biometrics, and the Software Capability Maturity Model
  • Genetic algorithms and wireless security models
  • New threats and countermeasures

The CD-ROM includes all the questions and answers from the book with the Boson-powered test engine.


About the Authors.


Chapter 1. Security Management.

Chapter 2. Access Control.

Chapter 3. Telecommunications and Network Security.

Chapter 4. Cryptography.

Chapter 5. Security Architecture and Models.

Chapter 6. Operations Security.

Chapter 7. Applications and Systems Development.

Chapter 8. Business Continuity Planning--Disaster Recovery Planning.

Chapter 9. Law, Investigation and Ethics.

Chapter 10. Physical Security.

Appendix A. Answers to Sample Questions.

Appendix B. What's on the CD-ROM.

Chapter | Page | Details | Date | Print Run
CD ID#1 | CD Question ID#1
Question: Which choice below most accurately reflects the goals of risk mitigation?

Answer 1: Defining the acceptable level of risk the organization can tolerate, and reducing risk to that level
Answer 2: Analyzing and removing all vulnerabilities and threats to security within the organization
Answer 3: Defining the acceptable level of risk the organization can tolerate, and assigning any costs associated with loss or disruption to a third party, such as an insurance carrier
Answer 4: Analyzing the effects of a business disruption and preparing the company's response

Explanation: Chapter 1-Security Management Practices. The correct answer is a. The goal of risk mitigation is to reduce risk to a level acceptable to the organization. Therefore, risk needs to be defined for the organization through risk analysis, business impact assessment, and/or vulnerability assessment.

Answer b is not possible. Answer c is called risk transference. Answer d is a distracter.

Errata: We have received reports from readers that the answers may not display on some PCs.

CD ID#21 | CD Question ID#21
Question: Which choice below is NOT an accurate statement about an organization's incident-handling capability?

Answer 1: The organization's incident-handling capability should be used to detect and punish senior-level executive wrong-doing.
Answer 2: It should be used to prevent future damage from incidents.
Answer 3: It should be used to provide the ability to respond quickly and effectively to an incident.
Answer 4: The organization's incident-handling capability should be used to contain and repair damage done from incidents.

Explanation: Chapter 1-Security Management Practices. An organization should address computer security incidents by developing an incident-handling capability. The incident-handling capability should be used to:

  • Provide the ability to respond quickly and effectively.
  • Contain and repair the damage from incidents. When left unchecked, malicious software can significantly harm an organization's computing, depending on the technology and its connectivity. Containing the incident should include an assessment of whether the incident is part of a targeted attack on the organization or an isolated incident.
  • Prevent future damage. An incident-handling capability should assist an organization in preventing (or at least minimizing) damage from future incidents. Incidents can be studied internally to gain a better understanding of the organization's threats and vulnerabilities.

Source: NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems.

Errata: The correct answers are B, C, and D. The test engine was not set up to handle multiple correct answers, so it gives choice A as being correct.

CD ID#27 | CD Question ID#27
Question: Which question below is NOT accurate regarding the process of risk assessment?

Answer 1: The likelihood of a threat must be determined as an element of the risk assessment.
Answer 2: The level of impact of a threat must be determined as an element of the risk assessment.
Answer 3: Risk assessment is the first process in the risk management methodology.
Answer 4: Risk assessment is the final result of the risk management methodology.

Explanation: Chapter 1-Security Management Practices. Risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. Risk assessment is the first process in the risk management methodology. The risk assessment process helps organizations identify appropriate controls for reducing or eliminating risk during the risk mitigation process.
To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system. The likelihood that a potential vulnerability could be exercised by a given threat-source can be described as high, medium, or low. Impact refers to the magnitude of harm that could be caused by a threat's exploitation of a vulnerability. The determination of the level of impact produces a relative value for the IT assets and resources affected. Source: NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems.

Errata: The correct answer is C. The test says it is D, which is incorrect.

CD ID#36 | CD Question ID#36
Question: A type of preventive/physical access control is:

Answer 1: Biometrics for authentication
Answer 2: Motion detectors
Answer 3: Biometrics for identification
Answer 4: An intrusion detection system

Explanation: Chapter 2-Access Control Systems and Methodology. Biometrics applied to identification of an individual is a "one-to-many" search where an individual's physiological or behavioral characteristics are compared to a database of stored information. An example would be trying to match a person's fingerprints to a set in a national database of fingerprints. This search differs from the biometrics search for authentication in answer a. That search would be a "one-to-one" comparison of a person's physiological or behavioral characteristics with their corresponding entry in an authentication database. Answer b, motion detectors, is a type of detective physical control and answer d is a detective/technical control.

Errata: The question/answer is incorrect as written. Biometrics is preventive/technical and is used for authentication.

CD ID#67 | CD Question ID#67
Question: Which choice below is NOT one of the legal IP address ranges specified by RFC1976 and reserved by the Internet Assigned Numbers Authority (IANA) for non-routable private addresses?

Answer 1: -
Answer 2: -
Answer 3: -
Answer 4: -

Explanation: Chapter 3-Telecommunications and Network Security. The other three address ranges can be used for Network Address Translation (NAT). While NAT is, in itself, not a very effective security measure, a large network can benefit from using NAT with Dynamic Host Configuration Protocol (DHCP) to help prevent certain internal routing information from being exposed. The address is called the "loopback" address. Source: Designing Network Security by Merike Kaeo (Cisco Press, 1999).

Errata: RFC1976 is actually 'PPP for Data Compression in Data Circuit-Terminating Equipment (DCE)'. The correct RFC Reference for this question should have been 1918, 'Address Allocation for Private Networks'. Please refer to for more information on RFC1976.

CD ID#84 | CD Question ID#84
Question: The IP address,, is considered to be in which class of address?
Answer 1: Class A
Answer 2: Class B
Answer 3: Class C
Answer 4: Class D

Explanation: Chapter 3-Telecommunications and Network Security. The class A address range is to The class B address range is to The class C address range is from to The class D address range is to, and is used for multicast packets. Sources: Designing Network Security by Merike Kaeo (Cisco Press, 1999) and CCNA Study Guide by Todd Lammle, Donald Porter, and James Chellis (Sybex, 1999).

Errata: There is a typographical error in the answer for class D address range. It should be to

CD ID#109 | CD Question #109
Question: The graph in Figure A.7, which depicts the equation y^2 = x^3 + ax + b, denotes the:

Answer 1: Elliptic curve and the elliptic curve discrete logarithm problem
Answer 2: RSA Factoring problem
Answer 3: ElGamal discrete logarithm problem
Answer 4: Knapsack problem

Explanation: Chapter 4-Cryptography. Figure A.7 Graph of the function y^2 = x^3 + ax + b.

The elliptic curve is defined over a finite field comprised of real, complex or rational numbers. The points on an elliptic curve form a Group under addition as shown in Figure A.7. Multiplication (or multiple additions) in an elliptic curve system is equivalent to modular exponentiation, thus defining a discrete logarithm problem.
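The group law the explanation refers to can be made concrete on a toy curve. The following is an added example, not code from the book or from this page: it implements point addition, doubling and scalar multiplication on y^2 = x^3 + ax + b over a prime field, and a brute-force search for the scalar, which is exactly the elliptic curve discrete logarithm problem in answer 1. The curve y^2 = x^3 + x + 1 over F_23 and the base point (3, 10) are constructed parameters chosen so every value can be checked by hand; they are not parameters from the book.

```python
# Added example (not from the book or this page): arithmetic on the curve
# y^2 = x^3 + A*x + B over the prime field F_P_MOD. The curve and base point
# below are constructed toy values (y^2 = x^3 + x + 1 over F_23, base (3, 10)).

P_MOD = 23
A, B = 1, 1
INF = None  # the point at infinity, the identity element of the group


def on_curve(pt):
    """True if pt satisfies y^2 = x^3 + A*x + B (mod P_MOD)."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def add(p, q):
    """Group law: chord-and-tangent addition of two points modulo P_MOD."""
    if p is INF:
        return q
    if q is INF:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF  # q == -p (vertical chord), or doubling a point with y == 0
    if p == q:
        # Doubling: slope of the tangent line at p
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P_MOD, -1, P_MOD) % P_MOD
    else:
        # Addition: slope of the chord through p and q
        lam = ((y2 - y1) % P_MOD) * pow((x2 - x1) % P_MOD, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def scalar_mult(k, pt):
    """k * pt by double-and-add. "Multiplication" is repeated addition, the
    analogue of modular exponentiation in a multiplicative group."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def point_order(pt):
    """Smallest n with n * pt == INF, found by repeated addition."""
    n, cur = 1, pt
    while cur is not INF:
        cur = add(cur, pt)
        n += 1
    return n


def discrete_log(base, target):
    """Brute-force ECDLP: the k with k * base == target. This is only feasible
    because the group is tiny; on real curves the search space is ~2^256, and
    that infeasibility is what elliptic curve cryptosystems rest on."""
    k, cur = 1, base
    while cur is not INF:
        if cur == target:
            return k
        cur = add(cur, base)
        k += 1
    return None


if __name__ == "__main__":
    G = (3, 10)
    print("2G =", add(G, G), " G+(9,7) =", add(G, (9, 7)))
    print("order of G =", point_order(G))
    Q = scalar_mult(9, G)
    print("9G =", Q, " recovered k =", discrete_log(G, Q))
```

Running the block prints 2G = (7, 12), G + (9, 7) = (17, 20), an order of 28 for the base point, and recovers k = 9 from 9G by exhaustive search. The modular inverses use Python 3.8's three-argument pow; the two early returns in add() guard the cases where no inverse exists (equal x-coordinates).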

Errata: The graph in Figure A.7 does not show up on certain systems. Here's the graph:

CD ID#122 | CD Question ID#122
Question: The Advanced Encryption Standard (Rijndael) block cipher requirements regarding keys and block sizes have now evolved to which configuration?

Answer 1: Both the key and block sizes can be 128, 192 and 256 bits each.
Answer 2: The key size is 128 bits and the block size can be 128, 192 or 256 bits.
Answer 3: The block size is 128 bits and the key can be 128, 192 or 256 bits.
Answer 4: The block size is 128 bits and the key size is 128 bits.

Explanation: Chapter 4-Cryptography. AES comprises three key sizes, 128, 192 and 256 bits, with a fixed block size of 128 bits, so answer C is correct. The Advanced Encryption Standard (AES) was announced on November 26, 2001, as Federal Information Processing Standard Publication (FIPS PUB 197). FIPS PUB 197 states that "This standard may be used by Federal departments and agencies when an agency determines that sensitive (unclassified) information (as defined in P.L. 100-235) requires cryptographic protection. Other FIPS-approved cryptographic algorithms may be used in addition to, or in lieu of, this standard." Depending upon which of the three key sizes is used, the standard may be referred to as "AES-128," "AES-192" or "AES-256."
The number of rounds used in the Rijndael cipher is a function of the key size as follows:
256-bit key -> 14 rounds
192-bit key -> 12 rounds
128-bit key -> 10 rounds
Rijndael has a symmetric and parallel structure that provides for flexibility of implementation and resistance to cryptanalytic attacks. Attacks on Rijndael would involve the use of differential and linear cryptanalysis.

Errata: This question may be confusing to some because AES has a fixed block size, but the Rijndael block cipher has a variable block size. The question is referring to AES as derived from Rijndael.

CD ID#134 | CD Question ID#134
Question: Using a modulo 26 substitution cipher where the letters A to Z of the alphabet are given a value of 0 to 25, respectively, encrypt the message "OVERLORD BEGINS." Use the key K = NEW and D = 3, where D is the number of repeating letters representing the key. The encrypted message is:


Explanation: Chapter 4-Cryptography. The solution is as follows:

OVERLORD becomes 14 21 4 17 11 14 17 3
BEGINS becomes 1 4 6 8 13 18
The key NEW becomes 13 4 22
Adding the key repetitively to OVERLORD BEGINS modulo 26 yields 1 5 0 4 15 10 4 7 23 17 10 4 0 22, which translates to BFAEPKEH XRKEAW

Errata: The correct answer is not given as a choice. The correct ciphertext should be BZAEPKEH XRKEAW.
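The arithmetic above is easy to recheck mechanically. The following is an added example, not code from the book, its CD, or this page: a repeating-key modulo-26 substitution cipher (the classic Vigenère construction) with the page's key NEW. Non-letter characters such as the space are passed through unchanged and do not consume a key letter, which is the convention under which the errata's ciphertext BZAEPKEH XRKEAW arises; the function and variable names are this example's own.

```python
# Added example (not from the book or this page): repeating-key modulo-26
# substitution cipher used to recheck CD question #134. The key "NEW" and the
# message "OVERLORD BEGINS" are the page's values; everything else is constructed.

ALPHABET_SIZE = 26


def letters_to_numbers(text):
    """Map A..Z to 0..25, skipping anything that is not a letter."""
    return [ord(c) - ord("A") for c in text.upper() if c.isalpha()]


def numbers_to_letters(nums):
    return "".join(chr(n % ALPHABET_SIZE + ord("A")) for n in nums)


def shift_text(text, key, sign):
    """Apply the key letter by letter. sign=+1 encrypts, sign=-1 decrypts.
    Non-letters are copied through and do not advance the key position."""
    key_nums = letters_to_numbers(key)
    if not key_nums:
        raise ValueError("key must contain at least one letter")
    out, i = [], 0
    for c in text.upper():
        if c.isalpha():
            shifted = (ord(c) - ord("A") + sign * key_nums[i % len(key_nums)]) % ALPHABET_SIZE
            out.append(chr(shifted + ord("A")))
            i += 1
        else:
            out.append(c)
    return "".join(out)


def encrypt(plaintext, key):
    return shift_text(plaintext, key, +1)


def decrypt(ciphertext, key):
    return shift_text(ciphertext, key, -1)


def ciphertext_numbers(plaintext, key):
    """The intermediate numeric form the book's solution lists
    (plaintext value + key value, reduced modulo 26)."""
    return letters_to_numbers(encrypt(plaintext, key))


if __name__ == "__main__":
    msg, key = "OVERLORD BEGINS", "NEW"
    print("plaintext :", letters_to_numbers(msg))
    print("key       :", letters_to_numbers(key))
    print("sum mod 26:", ciphertext_numbers(msg, key))
    print("ciphertext:", encrypt(msg, key))
    print("round trip:", decrypt(encrypt(msg, key), key))
```

The numeric output agrees with the book's solution except in the second position: V (21) plus E (4) is 25, which is Z, not 5 (F). That single slip is why the printed ciphertext BFAEPKEH XRKEAW differs from the corrected BZAEPKEH XRKEAW, and the round trip confirms that decrypting with the same key restores OVERLORD BEGINS.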