[2025年02月]更新のCISSP問題集PDFでCISSPリアル試験問題解答 [Q229-Q245]

Share

[2025年02月]更新のCISSP問題集PDFでCISSPリアル試験問題解答

CISSP問題集で100%合格保証と最新のお試しサンプル


ISC CISSP(Certified Information Systems Security Professional)試験は、情報セキュリティの分野での専門知識とスキルを検証するために設計された、世界的に認められた認定試験です。この試験は、潜在的なサイバー脅威から組織を保護するためにセキュリティプログラムの設計、実装、管理を担当する個人の能力を評価する基準として考えられています。CISSP認定は業界で高く評価され、多くの組織で世界的に認められています。


CISSP認定試験は、セキュリティとリスク管理、資産セキュリティ、セキュリティアーキテクチャとエンジニアリング、コミュニケーションとネットワークセキュリティ、アイデンティティとアクセス管理、セキュリティ評価とテスト、セキュリティ運用、ソフトウェア開発セキュリティなど、情報セキュリティの8つのドメインをカバーしています。この試験は、これらのドメインに関する個人の知識と理解、および実際のシナリオでこの知識を適用する能力をテストするように設計されています。

 

質問 # 229
Which of the following offers confidentiality to an e-mail message?

  • A. The sender encrypting it with its public key.
  • B. The sender encrypting it with its private key.
  • C. The sender encrypting it with the receiver's public key.
  • D. The sender encrypting it with the receiver's private key.

正解:C

解説:
An e-mail message's confidentiality is protected when encrypted with the receiver's public key, because he is the only one able to decrypt the message. The sender is not supposed to have the receiver's private key. By encrypting a message with its private key, anybody possessing the corresponding public key would be able to read the message. By encrypting the message with its public key, not even the receiver would be able to read the message. Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 8: Cryptography (page 517).


質問 # 230
For the purpose of classification, which of the following is used to divide trust domain and trust boundaries?

  • A. Confidentiality management
  • B. Integrity
  • C. Network architecture
  • D. Identity Management (IdM)

正解:C

解説:
Section: Mixed questions


質問 # 231
Which of the following is the final phase of the identity and access provisioning lifecycle?

  • A. Validation
  • B. Revocation
  • C. Recertification
  • D. Removal

正解:B

解説:
Reference:
https://books.google.com.pk/books?id=W2TvAgAAQBAJ&pg=PA256&lpg=PA256&dq=process+in+the+acces


質問 # 232
The Common Criteria (CC) represents requirements for IT security of a product or system under which distinct categories?

  • A. Targets of Evaluation (TOE) and Protection Profile (PP)
  • B. Integrity and control
  • C. Functional and assurance
  • D. Protocol Profile (PP) and Security Target (ST)

正解:C

解説:
"Like other evaluation criteria before it, Common Criteria works to answer two basic and general questions about products being evaluated: what does it do (functionality), and how sure are you of that (assurance)?" pg 232 Shon Harris CISSP All-In-One Certification Exam Guide


質問 # 233
An organization has outsourced its financial transaction processing to a Cloud Service Provider (CSP) who will provide them with Software as a Service (SaaS). If there was a data breach who is responsible for monetary losses?

  • A. The Cloud Service Provider (CSP)
  • B. The data owner
  • C. The Data Protection Authority (DPA)
  • D. The application developers

正解:B

解説:
Section: Software Development Security


質問 # 234
Which type of access control includes a system that allows only users that are type=managers and department=sales to access employee records?

  • A. Role-based access control (RBAC)
  • B. Discretionary access control (DAC)
  • C. Mandatory access control (MAC)
  • D. Attribute-based access control (ABAC)

正解:A


質問 # 235
What is static analysis intended to do when analyzing an executable file?

  • A. Collect evidence of the executable file's usage, including dates of creation and last use.
  • B. Search the documents and files associated with the executable file.
  • C. Analyze the position of the file in the file system and the executable file's libraries.
  • D. Disassemble the file to gather information about the executable file's function.

正解:D

解説:
Static analysis is a technique of examining the code or structure of a file or program without executing it.
Static analysis can be used to identify potential vulnerabilities, errors, or malicious code in a file or program.
One of the methods of static analysis is disassembly, which is the process of converting the binary code of an executable file into a human-readable assembly language. Disassembly can reveal information about the executable file's function, such as the instructions, variables, registers, memory addresses, and system calls.
Disassembly can also help to reverse engineer the logic and algorithm of the executable file. Collecting evidence of the executable file's usage, such as dates of creation and last use, is not the purpose of static analysis, but rather a forensic analysis technique. Searching the documents and files associated with the executable file is not a static analysis technique, but rather a data discovery or classification technique.
Analyzing the position of the file in the file system and the executable file's libraries is not a static analysis technique, but rather a dependency analysis or configuration management technique. References:
* 1 (Domain 8: Software Development Security, Objective 8.3: Assess the effectiveness of software security)
* 2 (Chapter 8: Software Development Security, Section 8.3.2: Static and Dynamic Code Analysis)


質問 # 236
Which of the following is a common measure within a Local Area Network (LAN) to provide en additional level of security through segmentation?

  • A. Implementing a virus scanner
  • B. Building Virtual Local Area Networks (VLAN)
  • C. Implementing an Intrusion Detection System (IDS)
  • D. Building Demilitarized Zones (DMZ)

正解:B


質問 # 237
Which of the following makes smartphones particularly vulnerable to phishing attacks?

  • A. Full website address cannot be clearly seen
  • B. New Operating system (OS) features introduce vulnerabilities.
  • C. System updates are not regularly installed or are disabled
  • D. Lack of user awareness or training.

正解:D


質問 # 238
Which type of attack involves the altering of a systems Address Resolution Protocol (ARP) table so that it contains incorrect IP to MAC address mappings?

  • A. ARP table poisoning
  • B. Reverse ARP table poisoning
  • C. Reverse ARP
  • D. Poisoning ARP cache

正解:A

解説:
ARP table poisoning, also referred to as ARP cache poisoning, is the process of altering a system's ARP table so that it contains incorrect IP to MAC address mappings. This allows requests to be sent to a different device instead of the one it is actually intended for. It is an excellent way to fool systems into thinking that a certain device has a certain address so that information can be sent to and captured on an attacker's computer.
The following answers are incorrect:
"Reverse ARP" is the process of determining what an IP address is from a known MAC address
"Poisoning ARP cache" This is not the correct term.
"Reverse ARP table poisoning" There is no attack that goes by that name.
The following reference(s) were/was used to create this question:
TestPrep Certified Information Systems Security Professional (CISSP) Skillsoft Course


質問 # 239
A security consultant has been hired by a company to establish its vulnerability management program. The consultant is now in the deployment phase. Which of the following tasks is part of this process?

  • A. Select and procure supporting technologies.
  • B. Measure effectiveness of the program's stated goals.
  • C. Educate and train key stakeholders.
  • D. Determine a budget and cost analysis for the program.

正解:B


質問 # 240
Which choice below is considered the HIGHEST level of operator privilege?

  • A. Read Only
  • B. Access Change
  • C. Write Only
  • D. Read/Write

正解:B

解説:
The correct answer is Access Change.
The three common levels of operator privileges,
based on the concept of least privilege, are:
Read Only Lowest level, view data only
Read/Write View and modify data
Access Change Highest level, right to change data/operator
permissions
Answer d is a distracter.


質問 # 241
An organization plans to acquire @ commercial off-the-shelf (COTS) system to replace their aging home-built reporting system. When should the organization's security team FIRST get involved in this acquisition's life cycle?

  • A. When the system is verified and validated
  • B. When the system is being designed, purchased, programmed, developed, or otherwise constructed
  • C. When the system is deployed into production
  • D. When the need for a system is expressed and the purpose of the system Is documented

正解:D

解説:
Security has to get involved to complete the ESR (external security review) before even considering bringing in the application to the organisation. then the new application has to go through an application security review where validation and verification happen. once the application security review completed, it can go for a proof of concept (PoC) OR to the production depends on the organisation plan.


質問 # 242
What is a warn site when conducting Business continuity planning (BCP)

  • A. An alternate facility that allows for Immediate cutover to enable continuation of business functions
  • B. An area partially equipped with equipment and resources to recover business functions
  • C. A place void of any resources or equipment except air conditioning and raised flooring
  • D. A location, other than the normal facility, used to process data on a daily basis

正解:B


質問 # 243
Transport Layer Security (TLS) provides which of the following capabilities for a remote access server?

  • A. Transport layer handshake compression
  • B. Application layer negotiation
  • C. Digital certificate revocation
  • D. Peer identity authentication

正解:D

解説:
Section: Communication and Network Security


質問 # 244
A company is concerned that its employees may come under threat to turn over corporate logon credentials Which of the following would BEST protect staff and detect these threats?

  • A. Duress code credentials tied to a honeypot
  • B. A policy against revealing credentials
  • C. Parameters of standard activity and monitoring for deviations
  • D. A strict access control policy for corporate assets

正解:C


質問 # 245
......


CISSP試験に合格するためには、候補者は情報セキュリティ分野で少なくとも5年の専門経験が必要です。また、ISC2の倫理規定に従い、試験に合格する必要があります。試験は250問の多肢選択問題からなり、6時間以内に回答する必要があります。試験に合格した候補者は、3年間有効なCISSP認定を授与されます。その後、継続教育ポイントを獲得するか、試験を再受験して認定を更新する必要があります。

 

問題集でリアルISC CISSP試験問題 [更新されたのは2025年]:https://www.goshiken.com/ISC/CISSP-mondaishu.html

試験準備には欠かさない!CISSP問題解答無料更新には100%試験合格保証 [2025年更新]:https://drive.google.com/open?id=1SLbMWuMvI42SPtVrphn7OJc-Oqprxq2a