CarlsCloud™ Study Guide Series: CISSP Mock Exam Deep Dive - Questions 6-10 - Answers and Explanations
Welcome back, future CISSPs!
In our previous post, we presented mock exam questions 6-10, and now, we're diving into the answers and explanations. Understanding why each answer is correct is crucial for mastering the CISSP concepts. Let's get started!
Question 6
You recently performed a vulnerability assessment and found hundreds of vulnerabilities in your organization's infrastructure. It will take months to address all of these issues. What factors should you use to prioritize these vulnerabilities?
- A. Likelihood and probability
- B. Impact and exploitability
- C. Impact and CVSS score
- D. Likelihood and impact
Explanation:
- When prioritizing vulnerabilities, it's essential to consider both how likely a vulnerability is to be exploited and the potential damage that could occur if it is exploited.
- Option A pairs likelihood with probability, which are the same quantity, so it never considers impact. Option B includes impact but pairs it with exploitability, which only describes how easy the flaw is to exploit in principle, not whether anyone is actually likely to exploit it in your environment. Option C includes impact but pairs it with the CVSS score (Common Vulnerability Scoring System); a CVSS base score rates the severity of a flaw in isolation and says nothing about the asset it sits on or the organization's exposure, so it is a poor proxy for real-world likelihood or impact. The correct answer is D.
- The combination of likelihood and impact provides a realistic view of which vulnerabilities pose the greatest risk to the organization and should be addressed first.
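To make the point concrete, here is an added worked example (not part of the original post). It ranks a constructed list of findings by likelihood times impact and contrasts that with a CVSS-only ordering; the host names, ratings and scores are invented, and the 1-5 qualitative scales are one common convention rather than a standard.

```python
"""Qualitative vulnerability prioritization by likelihood and impact.

Added example, not from the CarlsCloud post. All findings, ratings and CVSS
values below are constructed for illustration.
"""
from dataclasses import dataclass

# One common 1-5 convention for qualitative ratings (assumed, not a standard).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    cvss_base: float   # severity of the flaw in isolation
    likelihood: str    # how likely exploitation is in *this* environment
    impact: str        # damage to *this* organization if it is exploited

    def risk_score(self) -> int:
        """Likelihood x impact on the 1-5 scales (range 1..25)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def prioritize(findings):
    """Highest risk first; ties broken by CVSS, then host name, for a stable order."""
    return sorted(findings, key=lambda f: (-f.risk_score(), -f.cvss_base, f.host))


def by_cvss(findings):
    """The naive ordering: highest CVSS base score first."""
    return sorted(findings, key=lambda f: (-f.cvss_base, f.host))


# Constructed sample. Note the high-CVSS flaw on an isolated lab box versus the
# lower-CVSS flaw on an internet-facing payment API handling cardholder data.
SAMPLE = [
    Finding("lab-vm-07", "Kernel privilege escalation", 7.8, "rare", "minor"),
    Finding("pay-api-01", "Auth bypass in payment API", 6.5, "likely", "severe"),
    Finding("hr-db-02", "Unpatched database listener", 9.8, "possible", "major"),
    Finding("kiosk-03", "Outdated browser on kiosk", 8.8, "unlikely", "negligible"),
]

if __name__ == "__main__":
    print("By likelihood x impact:")
    for f in prioritize(SAMPLE):
        print(f"  {f.risk_score():>2}  CVSS {f.cvss_base:<4} {f.host:<11} {f.title}")
    print("By CVSS alone:")
    for f in by_cvss(SAMPLE):
        print(f"  CVSS {f.cvss_base:<4} {f.host:<11} {f.title}")
```

Run it and the payment API bypass (CVSS 6.5) comes out on top of the likelihood-and-impact list while the CVSS-only list puts it last, which is the mis-prioritization the question is warning against.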
Question 7
You recently completed a vulnerability assessment and identified a moderate level risk that will require a significant investment to remediate. You wish to take the cost of that remediation and compare it to a value from your business impact assessment (BIA) to determine if you should perform the remediation. Which value would provide the best comparison?
- A. ARO
- B. AV
- C. EF
- D. ALE
Explanation:
- ALE, or Annualized Loss Expectancy, is the most suitable value for comparing remediation costs.
- ALE represents the expected financial loss from a risk over a year, which can be compared to the cost of mitigating that risk.
- ARO (Annualized Rate of Occurrence) is how often a threat is expected to occur in a year. AV (Asset Value) is the value of the asset. EF (Exposure Factor) is the percentage of the asset's value expected to be lost in a single successful event. These values are the inputs to ALE (Single Loss Expectancy SLE = AV × EF, and ALE = SLE × ARO), but none of them is an annual figure in the same units as a remediation budget, so ALE itself is the appropriate value for this comparison.
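The comparison the question describes, worked through as an added example (not part of the original post): the ALE before and after the control is computed from BIA-style inputs, the one-off remediation cost is spread over its useful life, and the control is worth funding only if the reduction in ALE exceeds its annual cost. All monetary figures, the exposure factor and the occurrence rates are constructed.

```python
"""Cost-benefit check of a remediation against the BIA's ALE.

Added example, not from the CarlsCloud post. Formulas used:
  SLE = AV * EF
  ALE = SLE * ARO
  control value = ALE_before - ALE_after - annual cost of the control
All numbers in the scenario at the bottom are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost per event, 0.0..1.0
    aro: float              # ARO, expected events per year (may be < 1 for rare events)

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")

    @property
    def sle(self) -> float:
        """Single Loss Expectancy: loss from one event."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy: expected loss per year."""
        return self.sle * self.aro


def annualized_cost(one_time: float, recurring: float, years: int) -> float:
    """Spread a one-off remediation cost over its useful life and add recurring cost."""
    if years < 1:
        raise ValueError("useful life must be at least one year")
    return one_time / years + recurring


def control_value(before: Exposure, after: Exposure, annual_control_cost: float) -> float:
    """Net annual benefit of the control; positive means it pays for itself."""
    return before.ale - after.ale - annual_control_cost


def should_remediate(before: Exposure, after: Exposure, annual_control_cost: float) -> bool:
    return control_value(before, after, annual_control_cost) > 0


# Constructed scenario: a 2M asset, 25% of its value lost per incident.
# The flaw is expected to be exploited about once every two years today;
# remediation is assumed to cut that to once every twenty years.
BEFORE = Exposure(asset_value=2_000_000, exposure_factor=0.25, aro=0.5)    # ALE 250k
AFTER = Exposure(asset_value=2_000_000, exposure_factor=0.25, aro=0.05)    # ALE 25k

# Two candidate remediation budgets, both with 20k/year of ongoing cost over 3 years.
CHEAP_FIX = annualized_cost(one_time=300_000, recurring=20_000, years=3)   # 120k/year
EXPENSIVE_FIX = annualized_cost(one_time=800_000, recurring=20_000, years=3)

if __name__ == "__main__":
    print(f"ALE before: {BEFORE.ale:,.0f}  ALE after: {AFTER.ale:,.0f}")
    for label, cost in (("cheap", CHEAP_FIX), ("expensive", EXPENSIVE_FIX)):
        print(f"{label}: annual cost {cost:,.0f}, net value {control_value(BEFORE, AFTER, cost):,.0f},"
              f" remediate={should_remediate(BEFORE, AFTER, cost)}")
```

The same ALE reduction justifies the cheaper remediation and not the more expensive one; the figure you compare against is always the annualized value, never the raw SLE or the asset value.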
Question 8
Fred is helping his organization conduct a Business Impact Analysis (BIA). Which one of the following is typically NOT a goal of a BIA?
- A. To identify critical business processes
- B. To implement new security controls
- C. To identify threats to the organization's information assets
- D. To assess the likelihood and impact of risks
Explanation:
- A Business Impact Analysis (BIA) focuses on understanding the potential impact of disruptions on business operations.
- While a BIA will inform the need for security controls, its primary goals are to:
  - Identify critical business processes.
  - Identify threats to the organization's information assets.
  - Assess the likelihood and impact of risks.
- Implementing new security controls is a separate step that comes after the BIA is completed, so Option B is the correct answer.
Question 9
You recently completed a risk assessment and determined that an unpatched vulnerability in a web server operated by your organization poses an unacceptable level of risk to your organization. You would like to mitigate this risk. Which one of the following would be the best example of a risk mitigation strategy?
- A. Shutting down the web server
- B. Patching the web server
- C. Purchasing cybersecurity insurance
- D. Continuing to operate the web server in an unpatched state
Explanation:
- Risk mitigation involves taking actions to reduce the likelihood or impact of a risk.
- Patching the web server directly addresses the vulnerability, reducing the risk of exploitation.
- Shutting down the web server (Option A) is risk avoidance: it removes the activity that carries the risk rather than reducing it. Purchasing cybersecurity insurance (Option C) is risk transference. Continuing to operate in an unpatched state (Option D) is risk acceptance, not mitigation. The correct answer is B.
Question 10
You are attempting to secure a wired network belonging to your organization. You would like to deploy technology that limits network access to authorized users. Which one of the following technologies would best meet that need?
- A. WiFi Protected Access v2 (WPA2)
- B. WiFi Protected Access v3 (WPA3)
- C. IEEE 802.1X
- D. MAC filtering
Explanation:
- IEEE 802.1X is the standard for port-based network access control. The device connecting to a port (the supplicant) must authenticate, typically with EAP relayed by the switch (the authenticator) to a RADIUS authentication server, before the port forwards anything other than authentication frames. That limits network access to authorized users rather than to particular hardware.
- WPA2 and WPA3 (Options A and B) are wireless security protocols and do not apply to a wired network. MAC filtering (Option D) checks only the source hardware address, which any host can change, so it is easily bypassed.
- 802.1X is the best answer for a wired network because it authenticates and authorizes the user or device before granting network access. The correct answer is C.
Key Takeaways
- These questions highlight the importance of understanding key security concepts, risk management, and the practical application of security principles.
- Prioritizing vulnerabilities requires a focus on both likelihood and impact.
- ALE is the best metric to compare remediation costs to.
- BIAs help to identify critical business processes and risks, but are not a method for implementing controls.
- Risk mitigation involves taking action to reduce risk, and patching systems is an example.
- 802.1X is the best choice for wired network access control.
Study Tips
- Review the concepts of risk management, including likelihood, impact, and risk response strategies.
- Focus on understanding the purpose and application of different security technologies.
- Practice with mock exams to reinforce your knowledge and identify weak areas.
Stay tuned for five more CISSP-style mock exam questions in the CarlsCloud™ Study Guide Series, covering questions 11-15!
Good luck and happy studying!
Did you enjoy CarlsCloud™ today? If so, buy me a coffee or just shoot me a note via LinkedIn to say thanks it would mean a lot!