ISC Updated CISSP Exam Questions and Answers by jonas

The document that specifies services from the client’s viewpoint is the Service Level Requirement (SLR). SLR is a document that defines and describes the expectations and the needs of the client or the customer regarding the services that are provided or delivered by the service provider or the vendor, such as the quality, the availability, the performance, or the cost of the services. SLR specifies services from the client’s viewpoint, because it can:

• Identify and communicate the requirements and the objectives of the client or the customer for the services that are provided or delivered by the service provider or the vendor, and ensure that the services are aligned and consistent with the requirements and the objectives of the client or the customer.
• Negotiate and agree on the terms and the conditions of the services that are provided or delivered by the service provider or the vendor, and establish the roles and the responsibilities of the client or the customer and the service provider or the vendor for the services.
• Monitor and measure the performance and the effectiveness of the services that are provided or delivered by the service provider or the vendor, and evaluate the satisfaction and the feedback of the client or the customer for the services.

The other options are not the documents that specify services from the client’s viewpoint. Service level report is a document that provides and presents the information and the data about the actual performance and the effectiveness of the services that are provided or delivered by the service provider or the vendor, compared to the agreed or the expected performance and the effectiveness of the services, such as the service level targets or the service level indicators. Service level report does not specify services from the client’s viewpoint, but rather reports services from the service provider’s viewpoint. Business impact analysis (BIA) is a document that provides and presents the analysis and the assessment of the potential impact and the consequences of the disruption or the interruption of the critical business functions or processes, due to the incidents or the events, such as the disasters, the emergencies, or the threats. BIA does not specify services from the client’s viewpoint, but rather analyzes services from the business viewpoint. Service level agreement (SLA) is a document that defines and describes the agreed or the expected performance and the effectiveness of the services that are provided or delivered by the service provider or the vendor, such as the service level targets or the service level indicators, and the remedies or the penalties for the non-compliance or the breach of the performance and the effectiveness of the services. SLA does not specify services from the client’s viewpoint, but rather agrees services from the service provider’s viewpoint. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 7: Security Operations, page 900. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 7: Security

Structured Query Language (SQL) Injection is a type of attack that happens when an attacker is able to inject malicious SQL statements into a web-based application or a database, and to execute them on the database server. SQL injection exploits the vulnerability in the input validation or the database query of a web-based application, and allows the attacker to perform various actions on the database, such as retrieving, modifying, or deleting the data, executing commands, or bypassing the authentication. SQL injection works by manipulating the user input or the parameters that are sent to the web-based application or the database, and that are used to construct the SQL query. The attacker then inserts or appends the malicious SQL statements to the user input or the parameters, and tricks the web-based application or the database to execute them as part of the SQL query. In this scenario, the password shown for an administrative login event was ’ OR ’ ‘1’=‘1’ --, which is an example of a SQL injection attack. The attacker used the ’ OR ’ ‘1’=‘1’ – as the password input, and appended it to the SQL query that checks the username and password for the login. The ’ OR ’ ‘1’=‘1’ – is a logical expression that always evaluates to true, and the – is a comment symbol that ignores the rest of the SQL query. The SQL query then becomes something like this: SELECT * FROM users WHERE username = ‘admin’ AND password = ‘’ OR ‘1’=‘1’ --; This SQL query will return the record of the admin user, and allow the attacker to login as the admin without knowing the correct password. Brute force attack, cross-site scripting (XSS), or rainbow table attack are not the types of attack that happen when an attacker is able to inject malicious SQL statements into a web-based application or a database, and to execute them on the database server. Brute force attack is a type of attack that tries to guess the password or the encryption key of a system or a user by using a trial-and-error method, such as using a dictionary, a word list, or a combination of characters. XSS is a type of attack that injects malicious scripts into a web page or an application that the user views or interacts with, and that executes in the user’s web browser, and may steal the user’s cookies, session tokens, or personal information. Rainbow table attack is a type of attack that uses a precomputed table of hashed values and their corresponding plaintext values to crack the hashed passwords or encryption keys of a system or a user. References: Official (ISC)2 Guide to the CISSP CBK, Fifth Edition, Chapter 21: Software Development Security, page 2020.

Radio-Frequency Identification (RFID) assists with asset management by transmitting unique serial numbers wirelessly. RFID is a technology that uses radio waves to identify and track objects, such as assets, inventory, or personnel. RFID consists of three main components: RFID tags, RFID readers, and RFID middleware. RFID tags are small devices that are attached or embedded in the objects to be identified and tracked. RFID tags contain a microchip that stores a unique serial number, and an antenna that transmits the serial number wirelessly. RFID readers are devices that emit radio signals to activate and communicate with the RFID tags. RFID readers receive and decode the serial numbers from the RFID tags, and send them to the RFID middleware. RFID middleware is a software application that connects the RFID readers and the RFID tags with the backend systems, such as databases or enterprise resource planning systems. RFID middleware processes and analyzes the data from the RFID tags, and provides the information and functionality for asset management. RFID assists with asset management by providing the following benefits:

• It enables automatic and accurate identification and tracking of assets, without the need for manual scanning or human intervention.
• It improves the visibility and control of assets, as the RFID tags can provide real-time information about the location, status, and condition of the assets.
• It reduces the cost and complexity of asset management, as the RFID tags can store and transmit more data than other identification methods, such as barcodes or labels, and can operate in harsh or remote environments. References: CISSP All-in-One Exam Guide, Chapter 2: Asset Security, Section: Asset Management, pp. 97-98.

The best option to reduce the network attack surface of a system is to disable unnecessary ports and services. The network attack surface of a system is the sum of the points or the areas where an attacker can try to enter, access, or exploit the system over the network, using various methods, such as scanning, probing, or attacking. The network attack surface of a system can be reduced by minimizing the exposure and vulnerability of the system to potential attacks, and by enhancing the security and protection of the system against potential attacks. Disabling unnecessary ports and services is an option that can reduce the network attack surface of a system, as it can eliminate or close the unused or unwanted entry points or areas for the attacker, and as it can improve the performance and security of the system12. References: CISSP CBK, Fifth Edition, Chapter 4, page 365; CISSP Practice Exam – FREE 20 Questions and Answers, Question 14.