2026年CISSP考试题库和答案汇总｜真题下载+模拟题+学习资料

A. The primary and secondary entrance doors should have access controlled through a swipe card or cipher lock.

B. The primary entrance door should have no access controlled through a security guard. The secondary doors should be secured from the inside and allow no entry.

C. The primary entrance door should have access controlled through a swipe card or cipher lock. The secondary doors should have a security guard.

D. The primary entrance door should have access controlled through a swipe card or cipher lock. Secondary doors should be secured from the inside and allow no entry.

A. They can be hindered by items within the room.

B. They are expensive and require human intervention to respond to the alarms.

C. They usually come with a redundant power supply and emergency backup power.

D. They should detect, and be resistant to, tampering.

A. Create countermeasure performance metrics.

B. Conduct a risk analysis.

C. Design the program.

D. Implement countermeasures.

A. Estimates software development effort based on user function categories

B. Estimates software development effort and cost as a function of the size of the software product in source instructions

C. Estimates software development effort and cost as a function of the size of the software product in source instructions modified by manpower buildup and productivity factors

D. Estimates software development effort and cost as a function of the size of the software product in source instructions modified by hardware and input functions

A. Power line monitor

B. Surge protector

C. Shielded cabling

D. Regulator

A. LCL and MAC; IEEE 802.2 and 802.3

B. LCL and MAC; IEEE 802.1 and 802.3

C. Network and MAC; IEEE 802.1 and 802.3

D. LLC and MAC; IEEE 802.2 and 802.3

A. Open mail relay servers

B. Properly configured mail relay servers

C. Filtering on an e-mail gateway

D. Filtering on the client

A. Two-tiered model

B. Screened subnet

C. Three-tiered model

D. Public and private DNS zones

A. TCP provides best-effort delivery, and UDP sets up a virtual connection with the destination.

B. TCP provides more services and is more reliable in data transmission, whereas UDP takes less resources and overhead to transmit dat

A.

C. TCP provides more services and is more reliable, but UDP provides more security services.

D. TCP is reliable, and UDP deals with flow control and ACKs.

A. Bluejacking is a harmful, malicious attack.

B. It is the process of taking over another portable device via a Bluetooth-enabled device.

C. It is commonly used to send contact information.

D. The term was coined by the use of a Bluetooth device and the act of hijacking another device.

A. DNS spoofing

B. Manipulation of the hosts file

C. Social engineering

D. Domain litigation

A. Limiting IP sessions going through media gateways

B. Identification of rogue devices

C. Implementation of authentication

D. Encryption of packets containing sensitive information

A. Persistent XSS vulnerability

B. Nonpersistent XSS vulnerability

C. Second-order vulnerability

D. DOM-based vulnerability

A. EGP is used in the areas "between" each AS.

B. Regions of nodes that share characteristics and behaviors are called ASs.

C. CAs are specific nodes that are responsible for routing to nodes outside of their region.

D. Each AS uses IGP to perform routing functionality.

A. VoIP networks should be protected with the same security controls used on a data network.

B. Softphones are more secure than IP phones.

C. As endpoints, IP phones can become the target of attacks.

D. The current Internet architecture over which voice is transmitted is less secure than physical phone lines.

A. To prevent attackers from accessing servers

B. To prevent the manipulation of the hosts file

C. To avoid providing attackers with valuable information that can be used to prepare an attack

D. To avoid providing attackers with information needed for cybersquatting

A. SMTP lacks an adequate authentication mechanism.', "B. Administrators often forget to configure an SMTP server to prevent inbound SMTP connections for domains it doesn't serve.", 'C. Keyword filtering is technically obsolete.

D. Blacklists are undependable.

A. They must be connected via a phone line and have access to a modem.', "B. They must be within the satellite's line of site and footprint.", 'C. They must have broadband and a satellite in low Earth orbit.', "D. They must have a transponder and be within the satellite's footprint.

A. Sensitive data and files can be transferred from system to system over IM.

B. Users can receive information—including malware—from an attacker posing as a legitimate sender.

C. IM use can be stopped by simply blocking specific ports on the network firewalls.

D. A security policy is needed specifying IM usage restrictions.

A. TLS is the open-community version of SSL.', "B. SSL can be modified by developers to expand the protocol's capabilities.", 'C. TLS is a proprietary protocol, while SSL is an open-community protocol.

D. SSL is more extensible and backward compatible with TLS.

A. It is a type of security through obscurity.

B. Modifying the most significant bit is the most common method used.

C. Steganography does not draw attention to itself like encryption does.

D. Media files are ideal for steganographic transmission because of their large size.

A. Computationally less intensive than asymmetric systems

B. Work much more slowly than asymmetric systems

C. Carry out mathematically intensive tasks

D. Key must be delivered via secure courier

A. The RA creates the certificate, and the CA signs it.

B. The CA signs the certificate.

C. The RA signs the certificate.

D. The user signs the certificate.

A. Public key cryptography is the use of an asymmetric algorithm, while public key infrastructure is the use of a symmetric algorithm.

B. Public key cryptography is used to create public/private key pairs, and public key infrastructure is used to perform key exchange and agreement.

C. Public key cryptography provides authentication and nonrepudiation, while public key infrastructure provides confidentiality and integrity.

D. Public key cryptography is another name for asymmetric cryptography, while public key infrastructure consists of public key cryptographic mechanisms.

A. Keys are generated from a master key.

B. Session keys are generated from each other.

C. Asymmetric cryptography is used to encrypt symmetric keys.

D. A master key is generated from a session key.

A. It provides digital signatures, secure key distribution, and encryption.

B. It computes discrete logarithms in a finite field.

C. It uses a larger percentage of resources to carry out encryption.

D. It is more efficient.

A. The pad must be securely distributed and protected at its destination.

B. The pad must be made up of truly random values.

C. The pad must always be the same length.

D. The pad must be used only one time.

A. Statistically unbiased keystream

B. Statistically predictable

C. Long periods of no repeating patterns

D. Keystream not linearly related to key

A. The sender encrypts a message digest with his private key.

B. The sender encrypts a message digest with his public key.

C. The receiver encrypts a message digest with his private key.

D. The receiver encrypts a message digest with his public key.

A. The server creates a session key and encrypts it with a public key.

B. The server creates a session key and encrypts it with a private key.

C. The client creates a session key and encrypts it with a private key.

D. The client creates a session key and encrypts it with a public key.

A. The CRL was developed as a more streamlined approach to OCSP.

B. OCSP is a protocol that submits revoked certificates to the CRL.

C. OCSP is a protocol developed specifically to check the CRL during a certificate validation process.

D. CRL carries out real-time validation of a certificate and reports to the OCSP.

A. Link encryption does not encrypt headers and trailers.

B. Link encryption encrypts everything but data link messaging.

C. End-to-end encryption requires headers to be decrypted at each hop.

D. End-to-end encryption encrypts all headers and trailers.

A. Identify preventive controls.

B. Develop the continuity planning policy statement.

C. Develop recovery strategies.

D. Conduct the business impact analysis.

A. Committee members should be involved with the planning stages, as well as the testing and implementation stages.

B. The smaller the team the better, to keep meetings under control.

C. The business continuity coordinator should work with management to appoint committee members.

D. The team should consist of people from different departments across the company.

A. A parallel or full-interruption test

B. The application of a classification scheme based on criticality levels

C. The gathering of information via interviews

D. Documentation of business functions

A. Ask the offsite vendor to test them and label the ones that were properly read.', "B. Test them on the vendor's machine, which won't be used during an emergency.", 'C. Retrieve the tapes from the offsite facility and verify that the equipment from the original site can read them.', "D. Inventory each tape kept at the vendor's site twice a month.

A. It is fully configured and ready to operate within a few hours, but is the most expensive of the offsite choices.

B. It is an inexpensive option, but it takes the most time and effort to get up and running after a disaster.

C. It is a good alternative for companies that depend upon proprietary software, but annual testing is not usually available.

D. It is the cheapest of the offsite choices, but mixing operations could introduce many security issues.

A. Calculate the risk for each different business function.

B. Identify critical business functions.

C. Create data-gathering techniques.

D. Identify vulnerabilities and threats to business functions.

A. Incremental process

B. Full backup

C. Partial backup

D. Differential process

A. Determine the cause of the disaster.

B. Identify the resources that must be replaced immediately.

C. Declare a disaster.

D. Determine how long it will take to bring critical functions back online.

A. Changes in hardware, software, and applications

B. Infrastructure and environment changes

C. Personnel turnover

D. That the business continuity process is integrated into the change management process

A. Resuming critical business functions

B. Letting business partners know your company is unprepared

C. Protecting lives and ensuring safety

D. Ensuring survivability of the business

A. Business case

B. Business impact analysis

C. Risk analysis

D. Threat report

A. Management

B. Most critical systems

C. Most critical functions

D. Least critical functions

A. Plan testing and drills.

B. Complete a business impact analysis.

C. Determine offsite backup facility alternatives.

D. Organize and create relevant documentation.

A. Provide steps for a post-disaster recovery.

B. Extend backup operations to include more than just backing up dat

A.

C. Outline business functions and systems.

D. Provide procedures for emergency responses.

A. Reconstitution phase

B. Recovery phase

C. Project initiation phase

D. Damage assessment phase

A. Damage assessment team

B. BCP team

C. Salvage team

D. Restoration team

A. Reciprocal agreement

B. Software escrow

C. Electronic vaulting

D. Business interruption insurance

A. Predetermined steps protect the company if a senior executive leaves.

B. Two or more senior staff cannot be exposed to a particular risk at the same time.

C. It documents the assignment of deputy roles.

D. It covers assigning a skeleton crew to resume operations after a disaster.

A. Carrying out a buffer overflow to take control of a system

B. The electronic distribution of child pornography

C. Attacking financial systems to steal funds

D. Capturing passwords as they are sent to the authentication server

A. European Union

B. Council of Europe

C. Safe Harbor

D. Organisation for Economic Co-operation and Development

A. Not many countries work under this law purely; most instead use a mixed system where this law, which deals mainly with personal conduct and patterns of behavior, is an integrated component.

B. It covers all aspects of human life, but is commonly divided into responsibilities and obligations to others, and religious duties.

C. It is a rule-based law focused on codified law.', "D. Based on previous interpretations of laws, this system reflects the community's morals and expectations.

A. The Health Insurance Portability and Accountability Act

B. The Sarbanes-Oxley Act

C. The Computer Fraud and Abuse Act

D. PCI Data Security Standard

A. Downstream liability

B. Responsibility

C. Due diligence

D. Due care

A. It consists of experts who have other duties within the organization.

B. It can be cost prohibitive to smaller organizations.

C. It is a hybrid model.

D. Core members are permanently assigned to the team.

A. Establish a procedure for responding to the incident.

B. Call in forensics experts.

C. Determine that a crime has been committed.

D. Notify senior management.

A. It is the study of computer technology.

B. It is a set of hardware-specific processes that must be followed in order for evidence to be admissible in a court of law.

C. It encompasses network and code analysis, and may be referred to as electronic data discovery.

D. Computer forensics responsibilities should be assigned to a network administrator before an incident occurs.

A. Chain of custody

B. Due care

C. Investigation

D. Motive, Opportunity, and Means

A. Best evidence

B. Secondary evidence

C. Circumstantial evidence

D. Conclusive evidence

A. The methods used to capture a suspect's actions are neither legal nor ethical.", "B. Enticement is used to capture a suspect's actions.", 'C. Hacking does not actually hurt anyone.

D. The seizure of evidence by law enforcement because there is concern that a suspect will attempt to destroy it.

A. It creates criminal sentencing guidelines.

B. It issues ethics-related statements concerning the use of the Internet.

C. It edits Request for Comments.

D. It maintains ten commandments for ethical behavior.

A. Denial of Service

B. Dumpster diving

C. Wiretapping

D. Data diddling

A. Analysis

B. Containment

C. Tracking

D. Follow-up

A. The crime scene should be modified as necessary.

B. A file copy tool may not recover all data areas of the device that are necessary for investigation.

C. Contamination of the crime scene may not negate derived evidence, but it should still be documented.

D. Only individuals with knowledge of basic crime scene analysis should have access to the crime scene.

A. The original image should be hashed with MD5 and/or SHA-256.

B. Two time-stamped images should be created.

C. New media should be properly purged before images are created on them.

D. Some systems must be imaged while they are running.

A. Information should be shared freely and openly; thus, sharing confidential information should be ethical.

B. Think about the social consequences of the program you are writing or the system you are designing.

C. Discourage unnecessary fear or doubt.

D. Do not participate in Internet-wide experiments in a negligent manner.

A. Modus Operandi

B. Profiling', "C. Locard's Principle of Exchange", 'D. Motive, Opportunity, and Means

A. It could increase the risk of privacy violations.

B. It is developed to carry out analysis.

C. It contains data from several different sources.

D. It is created and used for project-based tactical reasons.

A. So that the rules for database integrity can be established

B. So that the database performs transactions as a single unit without interruption

C. To ensure that rollbacks cannot take place

D. To prevent concurrent processes from interacting with each other

A. Processes running at different levels, which can negatively affect the integrity of the database if not properly controlled.

B. The ability to deduce new information from reviewing accessible data, which can allow an inference attack to take place.

C. Processes running simultaneously, which can negatively affect the integrity of the database if not properly controlled.

D. Storing data in more than one place within a database, which can negatively affect the integrity of the database if not properly controlled.

A. Polymorphism

B. Normalization

C. Implementation of database views

D. Constructing schema

A. When an application queries for data, it receives both the data and the procedure.

B. It is structured similarly to a mesh network for redundancy and fast data retrieval.

C. Subject must have knowledge of the well-defined access path in order to access dat

A.

D. The relationships between data entities provide the framework for organizing dat

A.

A. Acceptance testing

B. Regression testing

C. Integration testing

D. Unit testing

A. Components periodically revisit previous stages to update and verify design requirements

B. Minimizes the use of arbitrary transfer control statements between components

C. Uses independent and standardized modules that are assembled into serviceable programs

D. Implemented in module-based scenarios requiring rapid adaptations to changing client requirements

A. Intercepts antivirus's call to the operating system for file and system information", 'B. Varies the sequence of its instructions using noise, a mutation engine, or random-number generator

C. Can use different encryption schemes requiring different decryption routines

D. Produces multiple, varied copies of itself

A. Converts the source code into bytecode and blocks the sandbox

B. Converts the bytecode into machine-level code

C. Operates only on specific processors within specific operating systems', "D. Develops the applets, which run in a user's browser

A. Concurrent integrity

B. Referential integrity

C. Entity integrity

D. Semantic integrity

A. Low cohesion, low coupling

B. High cohesion, high coupling

C. Low cohesion, high coupling

D. High cohesion, low coupling

A. SOAP was designed to overcome the compatibility and security issues associated with Remote Procedure Calls.

B. Both SOAP and Remote Procedure Calls were created to enable application-layer communication.

C. SOAP enables the use of Remote Procedure Calls for information exchange between applications over the Internet.

D. HTTP was not designed to work with Remote Procedure Calls, but SOAP was designed to work with HTTP.

A. Cleanroom

B. Exploratory Model

C. Modified Prototype Method

D. Iterative Development

A. The use of heuristics reduced programming effort, but the amount of manual coding for a specific task is usually more than the preceding generation.

B. The use of syntax similar to human language reduced development time, but the language is resource intensive.

C. The use of binary was extremely time consuming but resulted in fewer errors.

D. The use of symbols reduced programming time, but the language required knowledge of machine architecture.

A. Machine

B. Very high-level

C. High-level

D. Assembly

A. Second order

B. DOM-based

C. Persistent

D. Nonpersistent

A. Infected server sends attack commands to the botnet.

B. Spammer pays a hacker for use of a botnet.

C. Controller server instructs infected systems to send spam to mail servers.

D. Malicious code is sent out that has bot software as its payload.

A. Behavior blocking

B. Fingerprint detection

C. Signature-based detection

D. Heuristic detection

A. Autonomous objects, with cooperate through exchanges of messages

B. The internal components of an object can be refined without changing other parts of the system

C. Object-oriented analysis, design, and modeling maps to business needs and solutions

D. Other programs using same objects

A. Tested and presented

B. Service-level agreement approval

C. Report change to management

D. Approval of the change

A. Changes that are unanimously approved by the change control committee must be tested to uncover any unforeseen results.

B. Changes approved by the change control committee should be entered into a change log.

C. A schedule that outlines the projected phases of the change should be developed.

D. An individual or group should be responsible for approving proposed changes.

A. Changing the polarization of the atoms on the medi

A.

B. It is unacceptable when media are to be reused in the same physical environment for the same purposes.

C. Data formerly on the media is made unrecoverable by overwriting it with a pattern.

D. Information is made unrecoverable, even with extraordinary effort.

A. They are among the most expensive solutions and are usually only for the most mission-critical information.

B. They help service providers identify appropriate availability services for the specific customer.

C. They are required to maintain integrity, regardless of the other technologies in place.

D. They allow a failed component to be replaced while the system continues to run.

A. Any point on a Direct Access Storage Device may be promptly reached, whereas every point in between the current position and the desired position of a Sequential Access Storage Device must be traversed in order to reach the desired position.

B. RAIT is an example of a Direct Access Storage Device, while RAID is an example of a Sequential Access Storage Device.

C. MAID is a Direct Access Storage Device, while RAID is an example of a Sequential Access Storage Device.

D. As an example of Sequential Access Storage, tape drives are faster than Direct Access Storage Devices.

A. Emergency system restart

B. Trusted recovery

C. System cold start

D. System reboot

A. Address spoofing helps an attacker to hijack sessions between two users without being noticed.

B. IP spoofing makes it harder to track down an attacker.

C. Session hijacking can be prevented with mutual authentication.

D. IP spoofing is used to hijack SSL and IPSec secure communications.

A. Parity

B. Mirroring

C. Striping

D. Hot-swapping

A. HSM uses optical or tape jukeboxes, and SAN is a standard of how to develop and implement this technology.

B. HSM and SAN are one and the same. The difference is in the implementation.

C. HSM uses optical or tape jukeboxes, and SAN is a network of connected storage.

D. SAN uses optical or tape jukeboxes, and HSM is a network of connected storage systems.

A. Full knowledge; blind test

B. Partial knowledge; blind test

C. Partial knowledge; double-blind test

D. Zero knowledge; targeted test

A. Symbolic links

B. File descriptors

C. Kernel flaws

D. Buffer overflows

A. Review the changes within 48 hours of making them.

B. Review and document the emergency changes after the incident is over.

C. Activity should not take place in this manner.

D. Formally submit the change to a change control committee and follow the complete change control process.

A. Functionality

B. Changes

C. Volume of transactions

D. Identity of system owner

A. Management review

B. Two-factor identification and authentication

C. Capturing this data in audit logs

D. Implementation of a strong security policy

A. Increase the clipping level.

B. Lock out an account for a certain amount of time after the clipping level is reached.

C. After a threshold of failed login attempts is met, the administrator must physically lock out the account.

D. Choose a weaker algorithm that encrypts the password file.

A. Dictionary attack

B. Shoulder surfing attack

C. Covert channel attack

D. Timing attack

A. Antispam features on mail servers are actually antirelaying features.

B. Relays should be configured "wide open" to receive any e-mail message.

C. Relay agents are used to send messages from one mail server to another.

D. If a relay is configured "wide open," the mail server can be used to send spam.

A. Send his manager an e-mail telling her so.', "B. Deliver last week's report and make sure it's clearly dated.", 'C. Deliver a report that states "No output."', "D. Don't do anything.

A. Replace the file with the file saved from the day before.

B. Disinfect the file and contact the vendor.

C. Restore an uninfected version of the patched file from backup medi

A.

D. Back up the data and disinfect the file.

A. A small number of administrators should be allowed to carry out remote functionality.

B. Critical systems should be administered locally instead of remotely.

C. Strong authentication should be in place.

D. Telnet should be used to send commands and dat

A.

A. NIACAP

B. DIACAP

C. HIPAA

D. TCSEC

A. An intentional hidden message or feature in an object such as a piece of software or a movie.

B. A chunk of data, or sequence of commands that take advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software.

C. An anomalous condition where a process attempts to store data beyond the boundaries of a fixed-length buffer.

D. A condition where a program (either an application or part of the operating system) stops performing its expected function and also stops responding to other parts of the system.

A. Physical security complementing logical security measures.

B. Protection mechanisms implemented as an integral part of an information system.

C. Layer security.

D. Protection mechanisms implemented after an information system has become operational.

A. Degaussing magnetic tapes when they're no longer needed.", 'B. Deleting files on disk before reusing the space.

C. Clearing memory blocks before they are allocated to a program or dat

A.

D. Clearing buffered pages, documents, or screens from the local memory of a terminal or printer.

A. Session layer

B. Transport layer

C. Data link layer

D. Network layer

A. Peer-to-peer authentication

B. Only server authentication (optional)

C. Server authentication (mandatory) and client authentication (optional)

D. Role based authentication scheme

A. ISDN

B. SLIP

C. xDSL

D. T1

A. It provides for proper prioritization and scheduling of security and maintenance tasks.

B. It reduces critical system support workload and reduces the time required to apply patches.

C. It allows for clear systems status communications to executive management.

D. It provides for easier determination of ownership, reducing confusion as to the status of the asset.

A. AVPs are the constructs that outline how two entities will communicate. Diameter has many more AVPs, which allow for the protocol to have more capabilities than RADIUS.

B. AVPs are the protocol parameters used between communicating entities. Diameter has less AVPs, which allow for the protocol to have more capabilities than RADIUS.

C. AVPs are the security mechanisms that provide confidentiality and integrity for data being passed back and forth between entities. Diameter has many more AVPs, which allow for the protocol to have more security capabilities than RADIUS.

A. The directory has a tree structure to organize the entries using a parent-child configuration.

B. Each entry has a unique name made up of attributes of a specific object.

C. The attributes used in the directory are dictated by the defined schem

A.

D. The unique identifiers are called fully qualified names.

A. Trusted kernel

B. Kernel controller

C. Front end controller

D. Trusted front-end"

A. It cannot analyze encrypted information.

B. It is costly to remove.

C. It is affected by switched networks.

D. It is costly to manage.

A. A parallel or full-interruption test

B. The application of a classification scheme based on criticality levels

C. The gathering of information via interviews

D. Documentation of business functions

A. Personal information is collected from victims through legitimate-looking Web sites in phishing attacks, while personal information is collected from victims via e-mail in pharming attacks.

B. Phishing attacks point e-mail recipients to a form where victims input personal information, while pharming attacks use pop-up forms at legitimate Web sites to collect personal information from victims.', "C. Victims are pointed to a fake Web site with a domain name that looks similar to a legitimate site's in a phishing attack, while victims are directed to a fake Web site as a result of a legitimate domain name being incorrectly translated by the DNS server in a pharming attack.", 'D. Phishing is a technical attack, while pharming is a type of social engineering.

A. Because they can only identify correctly attacks they already know about.

B. Because they are application-based are more subject to attacks.

C. Because they can’t identify abnormal behavior.

D. Because normal patterns of user and system behavior can vary wildly.

A. Bonk attack

B. Land attack

C. Teardrop attack

D. Smurf attack

A. Start and Stop bits.

B. Start and End bits.

C. Begin and Stop bits.

D. Start and Finish bits.

A. The societies role in the organization.', "B. The individual's role in the organization.", "C. The group-dynamics as they relate to the individual's role in the organization.", 'D. The group-dynamics as they relate to the master-slave role in the organization.

A. Using a hidden, unauthorized network connection to communicate unauthorized information

B. The use of two-factor passwords

C. Nonbusiness or personal use of the Internet

D. Socially engineering passwords from an ISP

A. All end stations are attached to a MSAU.

B. These networks were originally designed to serve sporadic and only occasionally heavy traffic.

C. These networks were originally designed to serve large, bandwidthconsuming applications.

D. Workstations cannot transmit until they receive a token.

A. Evaluates the applications and systems at a specific, self-contained location

B. Evaluates a major application or general support system', "C. Verifies the evolving or modified system's compliance with the information agreed on in the System Security Authorization Agreement (SSAA)", 'D. Evaluates an application or system that is distributed to a number of different locations