CISSP Exam Dumps - Certified Information Systems Security Professional (CISSP)

Network Behavior Analysis (NBA) tools are the best network defense against unknown types of attacks or stealth attacks in progress. NBA tools are devices or software that monitor and analyze the network traffic and activities, and detect any anomalies or deviations from the normal or expected behavior. NBA tools use various techniques, such as statistical analysis, machine learning, artificial intelligence, or heuristics, to establish a baseline of the network behavior, and to identify any outliers or indicators of compromise. NBA tools can provide several benefits, such as:

• Detecting unknown types of attacks or stealth attacks that are not signature-based or rule-based, and that can evade or bypass other network defenses, such as firewalls, IDS, or IPS.
• Detecting advanced persistent threats (APTs) that are low and slow, and that can remain undetected for a long time, by correlating and aggregating the network events and data over time and across different sources.
• Detecting insider threats or compromised hosts that are authorized and trusted, but that exhibit malicious or suspicious behavior, by profiling and classifying the network entities and their interactions.
• Providing early warning and alerting of the potential or ongoing attacks, and facilitating the investigation and response of the incidents, by providing rich and contextual information about the network behavior and the attack vectors.

The other options are not the best network defense against unknown types of attacks or stealth attacks in progress, but rather network defenses that have other limitations or drawbacks. Intrusion Prevention Systems (IPS) are devices or software that monitor and block the network traffic and activities that match the predefined signatures or rules of known attacks. IPS can provide a proactive and preventive layer of security, but they cannot detect or stop unknown types of attacks or stealth attacks that do not match any signatures or rules, or that can evade or disable the IPS. Intrusion Detection Systems (IDS) are devices or software that monitor and alert the network traffic and activities that match the predefined signatures or rules of known attacks. IDS can provide a reactive and detective layer of security, but they cannot detect or alert unknown types of attacks or stealth attacks that do not match any signatures or rules, or that can evade or disable the IDS. Stateful firewalls are devices or software that filter and control the network traffic and activities based on the state and context of the network sessions, such as the source and destination IP addresses, port numbers, protocol types, and sequence numbers. Stateful firewalls can provide a granular and dynamic layer of security, but they cannot filter or control unknown types of attacks or stealth attacks that use valid or spoofed network sessions, or that can exploit or bypass the firewall rules.

 Packet filtering operates at the network layer of the Open System Interconnection (OSI) model. The OSI model is a conceptual framework that describes how data is transmitted and processed across different layers of a network. The OSI model consists of seven layers: application, presentation, session, transport, network, data link, and physical. The network layer is the third layer from the bottom of the OSI model, and it is responsible for routing and forwarding data packets between different networks or subnets. The network layer uses logical addresses, such as IP addresses, to identify the source and destination of the data packets, and it uses protocols, such as IP, ICMP, or ARP, to perform the routing and forwarding functions.

Packet filtering is a technique that controls the access to a network or a host by inspecting the incoming and outgoing data packets and applying a set of rules or policies to allow or deny them. Packet filtering can be performed by devices, such as routers, firewalls, or proxies, that operate at the network layer of the OSI model. Packet filtering typically examines the network layer header of the data packets, such as the source and destination IP addresses, the protocol type, or the fragmentation flags, and compares them with the predefined rules or policies. Packet filtering can also examine the transport layer header of the data packets, such as the source and destination port numbers, the TCP flags, or the sequence numbers, and compare them with the rules or policies. Packet filtering can provide a basic level of security and performance for a network or a host, but it also has some limitations, such as the inability to inspect the payload or the content of the data packets, the vulnerability to spoofing or fragmentation attacks, or the complexity and maintenance of the rules or policies.

The other options are not techniques that operate at the network layer of the OSI model, but rather at other layers. Port services filtering is a technique that controls the access to a network or a host by inspecting the transport layer header of the data packets and applying a set of rules or policies to allow or deny them based on the port numbers or the services. Port services filtering operates at the transport layer of the OSI model, which is the fourth layer from the bottom. Content filtering is a technique that controls the access to a network or a host by inspecting the application layer payload or the content of the data packets and applying a set of rules or policies to allow or deny them based on the keywords, URLs, file types, or other criteria. Content filtering operates at the application layer of the OSI model, which is the seventh and the topmost layer. Application access control is a technique that controls the access to a network or a host by inspecting the application layer identity or the credentials of the users or the processes and applying a set of rules or policies to allow or deny them based on the roles, permissions, or other attributes. Application access control operates at the application layer of the OSI model, which is the seventh and the topmost layer.

Link Control Protocol (LCP) is used by the Point-to-Point Protocol (PPP) to determine packet formats. PPP is a data link layer protocol that provides a standard method for transporting network layer packets over point-to-point links, such as serial lines, modems, or dial-up connections. PPP supports various network layer protocols, such as IP, IPX, or AppleTalk, and it can encapsulate them in a common frame format. PPP also provides features such as authentication, compression, error detection, and multilink aggregation. LCP is a subprotocol of PPP that is responsible for establishing, configuring, maintaining, and terminating the point-to-point connection. LCP negotiates and agrees on various options and parameters for the PPP link, such as the maximum transmission unit (MTU), the authentication method, the compression method, the error detection method, and the packet format. LCP uses a series of messages, such as configure-request, configure-ack, configure-nak, configure-reject, terminate-request, terminate-ack, code-reject, protocol-reject, echo-request, echo-reply, and discard-request, to communicate and exchange information between the PPP peers.

The other options are not used by PPP to determine packet formats, but rather for other purposes. Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol that allows the creation of virtual private networks (VPNs) over public networks, such as the Internet. L2TP encapsulates PPP frames in IP datagrams and sends them across the tunnel between two L2TP endpoints. L2TP does not determine the packet format of PPP, but rather uses it as a payload. Challenge Handshake Authentication Protocol (CHAP) is an authentication protocol that is used by PPP to verify the identity of the remote peer before allowing access to the network. CHAP uses a challenge-response mechanism that involves a random number (nonce) and a hash function to prevent replay attacks. CHAP does not determine the packet format of PPP, but rather uses it as a transport. Packet Transfer Protocol (PTP) is not a valid option, as there is no such protocol with this name. There is a Point-to-Point Protocol over Ethernet (PPPoE), which is a protocol that encapsulates PPP frames in Ethernet frames and allows the use of PPP over Ethernet networks. PPPoE does not determine the packet format of PPP, but rather uses it as a payload.

The 802.1x standard provides a framework for network authentication for wired and wireless networks. The 802.1x standard defines the Extensible Authentication Protocol (EAP), which is a protocol that enables the exchange of authentication information between a supplicant (a device that wants to access the network), an authenticator (a device that controls the access to the network), and an authentication server (a device that verifies the identity and credentials of the supplicant). The 802.1x standard supports various authentication methods, such as passwords, certificates, tokens, or biometrics. The other options are not correct descriptions of the 802.1x standard. Option A is a description of network authentication for only wireless networks, which is not the scope of the 802.1x standard, as it also applies to wired networks. Option C is a description of wireless encryption using the Advanced Encryption Standard (AES), which is not a function of the 802.1x standard, but rather a function of the Wi-Fi Protected Access 2 (WPA2) standard. Option D is a description of wireless network encryption using Secure Sockets Layer (SSL), which is not a function of the 802.1x standard, but rather a function of the Transport Layer Security (TLS) protocol. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 6, p. 310; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 4, p. 233.

A disaster recovery test plan is a document that describes the methods and procedures for testing the effectiveness and readiness of a disaster recovery plan (DRP), which is a subset of a BCP that focuses on restoring the organization’s IT systems and data after a disruption or disaster. A disaster recovery test plan can have different types and levels of testing, depending on the objectives, scope, and resources of the organization. A parallel test is a type of disaster recovery test plan that involves activating the backup site and running the critical systems and processes in parallel with the primary site, without disrupting the normal operations. A parallel test is the most effective type of disaster recovery test plan, as it simulates a realistic scenario of a disruption or disaster, and allows the organization to evaluate the performance and functionality of the backup site, as well as the communication and coordination between the primary and backup sites. A parallel test also provides minimal risk, as it does not affect the normal operations of the primary site, and does not require switching over to the backup site. A read-through test is a type of disaster recovery test plan that involves reviewing the DRP document and verifying its accuracy and completeness, without performing any actual actions. A read-through test is the least effective type of disaster recovery test plan, as it does not test the actual implementation and execution of the DRP, and does not identify any potential issues or gaps in the DRP. A full interruption test is a type of disaster recovery test plan that involves shutting down the primary site and switching over to the backup site, and performing the normal operations from the backup site. A full interruption test is the most realistic type of disaster recovery test plan, as it tests the actual implementation and execution of the DRP, and identifies any potential issues or gaps in the DRP. However, a full interruption test also provides the highest risk, as it affects the normal operations of the primary site, and may cause data loss, downtime, or customer dissatisfaction. A simulation test is a type of disaster recovery test plan that involves simulating a disruption or disaster scenario and performing the actions and procedures of the DRP, without activating the backup site or affecting the normal operations. A simulation test is a moderately effective type of disaster recovery test plan, as it tests the implementation and execution of the DRP, and identifies any potential issues or gaps in the DRP. However, a simulation test also provides moderate risk, as it does not test the performance and functionality of the backup site, and may not simulate a realistic scenario of a disruption or disaster. References: [Disaster Recovery Test Plan], [CISSP All-in-One Exam Guide, Eighth Edition, Chapter 7: Security Operations]2

According to the CISSP All-in-One Exam Guide, the restoration priorities of a Disaster Recovery Plan (DRP) are based on the Business Impact Analysis (BIA). A DRP is a document that defines the procedures and actions to be taken in the event of a disaster that disrupts the normal operations of an organization. A restoration priority is the order or sequence in which the critical business processes and functions, as well as the supporting resources, such as data, systems, personnel, and facilities, are restored after a disaster. A BIA is a process that assesses the potential impact and consequences of a disaster on the organization’s business processes and functions, as well as the supporting resources. A BIA helps to identify and prioritize the critical business processes and functions, as well as the recovery objectives and time frames for them. A BIA also helps to determine the dependencies and interdependencies among the business processes and functions, as well as the supporting resources. Therefore, the restoration priorities of a DRP are based on the BIA, as it provides the information and analysis that are needed to plan and execute the recovery strategy. A Service Level Agreement (SLA) is not the document that the restoration priorities of a DRP are based on, although it may be a factor that influences the restoration priorities. An SLA is a document that defines the expectations and requirements for the quality and performance of a service or product that is provided by a service provider to a customer or client, such as the availability, reliability, scalability, or security of the service or product. An SLA may help to justify or support the restoration priorities of a DRP, but it does not provide the information and analysis that are needed to plan and execute the recovery strategy. A Business Continuity Plan (BCP) is not the document that the restoration priorities of a DRP are based on, although it may be a document that is aligned with or integrated with a DRP. A BCP is a document that defines the procedures and actions to be taken to ensure the continuity of the essential business operations during and after a disaster. A BCP may cover the same or similar business processes and functions, as well as the supporting resources, as a DRP, but it focuses on the continuity rather than the recovery of them. A BCP may also include other aspects or components that are not covered by a DRP, such as the prevention, mitigation, or response to a disaster. A crisis management plan is not the document that the restoration priorities of a DRP are based on, although it may be a document that is aligned with or integrated with a DRP. A crisis management plan is a document that defines the procedures and actions to be taken to manage and resolve a crisis or emergency situation that may affect the organization, such as a natural disaster, a cyberattack, or a pandemic. A crisis management plan may cover the same or similar business processes and functions, as well as the supporting resources, as a DRP, but it focuses on the management rather than the recovery of them. A crisis management plan may also include other aspects or components that are not covered by a DRP, such as the communication, coordination, or escalation of the crisis or emergency situation.

The primary advantage of implementing hardware tokens as part of a multifactor authentication solution for remote access is that it protects against unauthorized access by requiring the user to possess something (the token) and to know something (the PIN or password) to authenticate. Hardware tokens are physical devices that generate one-time passwords (OTP) or digital certificates that are used in conjunction with a personal identification number (PIN) or a password to verify the user’s identity.

• A. the scalability of token enrollment is not the primary advantage of implementing hardware tokens, but rather a challenge that requires efficient and secure processes to distribute, activate, and revoke tokens.
• B. increased accountability of end users is not the primary advantage of implementing hardware tokens, but rather a benefit that depends on the proper management and usage of the tokens by the end users and the administrators.
• D. it simplifies user access administration is not the primary advantage of implementing hardware tokens, but rather a potential drawback that requires additional resources and tools to manage the tokens and their lifecycle.

References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5, page 274; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 5, page 223