CISSP Exam Question 26
In SQL relational databases, where is the actual data stored?
Correct Answer: B
Explanation/Reference:
Explanation: SQL is a relational database query language. SQL stands for Structured Query Language.
Schemas describe how the tables and views are structured; careful design is required so that the SQL database runs in an efficient manner. Tables are made up of rows and columns and contain the actual data. Views represent how you want to look at the data. They are not concerned with where the data is, but rather with what data you want to view and how you want to see it. You can even join more than one table together. However, the less efficient the views, the longer it takes to retrieve your report. Sub-schemas may be used to establish user privileges to see data.
CISSP Exam Question 27
This type of attack is generally most applicable to public-key cryptosystems. What type of attack am I?
Correct Answer: A
A chosen-ciphertext attack is one in which the cryptanalyst may choose a piece of ciphertext and attempt to obtain the corresponding decrypted plaintext. This type of attack is generally most applicable to public-key cryptosystems.
A chosen-ciphertext attack (CCA) is an attack model for cryptanalysis in which the cryptanalyst gathers information, at least in part, by choosing a ciphertext and obtaining its decryption under an unknown key. In the attack, an adversary has a chance to enter one or more known ciphertexts into the system and obtain the resulting plaintexts. From these pieces of information the adversary can attempt to recover the hidden secret key used for decryption.
A number of otherwise secure schemes can be defeated under chosen-ciphertext attack. For example, the El Gamal cryptosystem is semantically secure under chosen-plaintext attack, but this semantic security can be trivially defeated under a chosen-ciphertext attack. Early versions of RSA padding used in the SSL protocol were vulnerable to a sophisticated adaptive chosen-ciphertext attack which revealed SSL session keys. Chosen-ciphertext attacks have implications for some self-synchronizing stream ciphers as well. Designers of tamper-resistant cryptographic smart cards must be particularly cognizant of these attacks, as these devices may be completely under the control of an adversary, who can issue a large number of chosen-ciphertexts in an attempt to recover the hidden secret key.
According to RSA: Cryptanalytic attacks are generally classified into six categories that distinguish the kind of information the cryptanalyst has available to mount an attack. The categories of attack are listed here roughly in increasing order of the quality of information available to the cryptanalyst, or, equivalently, in decreasing order of the level of difficulty to the cryptanalyst. The objective of the cryptanalyst in all cases is to be able to decrypt new pieces of ciphertext without additional information. The ideal for a cryptanalyst is to extract the secret key.
A ciphertext-only attack is one in which the cryptanalyst obtains a sample of ciphertext, without the plaintext associated with it. This data is relatively easy to obtain in many scenarios, but a successful ciphertext-only attack is generally difficult, and requires a very large ciphertext sample. Such an attack was possible on a cipher using Code Book Mode, where frequency analysis was used: even though only the ciphertext was available, it was still possible to eventually collect enough data and decipher it without having the key.
A known-plaintext attack is one in which the cryptanalyst obtains a sample of ciphertext and the corresponding plaintext as well. The known-plaintext attack (KPA) or crib is an attack model for cryptanalysis where the attacker has samples of both the plaintext and its encrypted version (ciphertext), and is at liberty to make use of them to reveal further secret information such as secret keys and code books.
A chosen-plaintext attack is one in which the cryptanalyst is able to choose a quantity of plaintext and then obtain the corresponding encrypted ciphertext. A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which presumes that the attacker has the capability to choose arbitrary plaintexts to be encrypted and obtain the corresponding ciphertexts. The goal of the attack is to gain some further information which reduces the security of the encryption scheme. In the worst case, a chosen-plaintext attack could reveal the scheme's secret key.
This appears, at first glance, to be an unrealistic model; it would certainly be unlikely that an attacker could persuade a human cryptographer to encrypt large amounts of plaintexts of the attacker's choosing. Modern cryptography, on the other hand, is implemented in software or hardware and is used for a diverse range of applications; for many cases, a chosen-plaintext attack is often very feasible. Chosen-plaintext attacks become extremely important in the context of public key cryptography, where the encryption key is public and attackers can encrypt any plaintext they choose.
Any cipher that can prevent chosen-plaintext attacks is then also guaranteed to be secure against known-plaintext and ciphertext-only attacks; this is a conservative approach to security.
Two forms of chosen-plaintext attack can be distinguished:
Batch chosen-plaintext attack, where the cryptanalyst chooses all plaintexts before any of them are encrypted. This is often the meaning of an unqualified use of "chosen-plaintext attack".
Adaptive chosen-plaintext attack, a special case of chosen-plaintext attack in which the cryptanalyst is able to choose plaintext samples dynamically, and alter his or her choices based on the results of previous encryptions. The cryptanalyst makes a series of interactive queries, choosing subsequent plaintexts based on the information from the previous encryptions.
Non-randomized (deterministic) public key encryption algorithms are vulnerable to simple "dictionary"-type attacks, where the attacker builds a table of likely messages and their corresponding ciphertexts. To find the decryption of some observed ciphertext, the attacker simply looks the ciphertext up in the table. As a result, public-key definitions of security under chosen-plaintext attack require probabilistic encryption (i.e., randomized encryption). Conventional symmetric ciphers, in which the same key is used to encrypt and decrypt a text, may also be vulnerable to other forms of chosen-plaintext attack, for example, differential cryptanalysis of block ciphers.
An adaptive chosen-ciphertext attack is the adaptive version of the above attack. A cryptanalyst can mount an attack of this type in a scenario in which he has free use of a piece of decryption hardware, but is unable to extract the decryption key from it.
An adaptive chosen-ciphertext attack (abbreviated as CCA2) is an interactive form of chosen-ciphertext attack in which an attacker sends a number of ciphertexts to be decrypted, then uses the results of these decryptions to select subsequent ciphertexts. It is to be distinguished from an indifferent chosen-ciphertext attack (CCA1).
The goal of this attack is to gradually reveal information about an encrypted message, or about the decryption key itself. For public-key systems, adaptive chosen-ciphertext attacks are generally applicable only when the scheme has the property of ciphertext malleability, that is, a ciphertext can be modified in specific ways that will have a predictable effect on the decryption of that message.
A plaintext-only attack is simply a bogus distractor. If you have the plaintext only, there is no need to perform any attack.
References:
RSA Laboratories FAQs about today's cryptography: What are some of the basic types of cryptanalytic attack?
See also:
http://www.giac.org/resources/whitepaper/cryptography/57.php
http://en.wikipedia.org/wiki/Chosen-plaintext_attack
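To make the deterministic-encryption point concrete, here is an added example (not from the referenced sources) using a toy textbook RSA key built from two Mersenne primes: the same public key is used once without randomization, where a table of likely messages identifies the ciphertext, and once with a random prefix standing in for real padding such as OAEP, where the same table finds nothing. The key size, exponent and message space are constructed for illustration only.

```python
import secrets

# Constructed toy RSA key (two Mersenne primes, no padding). It exists only to
# contrast deterministic and randomized public-key encryption; never use as-is.
P = (1 << 31) - 1                      # 2147483647, prime
Q = (1 << 61) - 1                      # 2305843009213693951, prime
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)

# Constructed message space: 100 small integers, e.g. a vote or a status code.
CANDIDATES = range(0, 100)


def encrypt_deterministic(m: int) -> int:
    """Textbook RSA: the same message always yields the same ciphertext."""
    return pow(m, E, N)


def decrypt_deterministic(c: int) -> int:
    return pow(c, D, N)


def encrypt_randomized(m: int) -> int:
    """Prepend 32 fresh random bits to the message before exponentiation.
    This stands in for a real randomized padding scheme; m must be < 2**32."""
    r = secrets.randbits(32)
    return pow((r << 32) | m, E, N)


def decrypt_randomized(c: int) -> int:
    """Strip the random prefix after decryption."""
    return pow(c, D, N) & 0xFFFFFFFF


def build_lookup_table(candidates) -> dict:
    """The "dictionary" from the text: ciphertext -> message for every likely
    message, computed using nothing but the public key."""
    return {encrypt_deterministic(m): m for m in candidates}


def lookup(table: dict, c: int):
    """Return the message the table associates with c, or None if absent."""
    return table.get(c)
```

With the deterministic scheme the table recovers the message from its ciphertext alone; with the randomized scheme each encryption of the same message differs, so the table never matches, which is why CPA security definitions for public-key encryption require randomization.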
CISSP Exam Question 28
When are security requirements the LEAST expensive to implement?
Correct Answer: B
CISSP Exam Question 29
Which of the following protects a password from eavesdroppers and supports the encryption of communication?
Correct Answer: A
Explanation/Reference:
Explanation:
One approach to remote access security is the Challenge Handshake Authentication Protocol (CHAP).
CHAP protects the password from eavesdroppers and supports the encryption of communication.
Challenge Handshake Authentication Protocol (CHAP) addresses some of the vulnerabilities found in PAP.
It uses a challenge/response mechanism to authenticate the user instead of sending a password. When a user wants to establish a PPP connection and both ends have agreed that CHAP will be used for authentication purposes, the user's computer sends the authentication server a logon request. The server sends the user a challenge (nonce), which is a random value. This challenge is encrypted with the use of a predefined password as an encryption key, and the encrypted challenge value is returned to the server.
The authentication server also uses the predefined password as an encryption key and decrypts the challenge value, comparing it to the original value sent. If the two results are the same, the authentication server deduces that the user must have entered the correct password, and authentication is granted.
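A worked simulation of the exchange described above, added here as an example rather than taken from the referenced guides. It follows RFC 1994, in which the response is a one-way MD5 hash of the packet identifier, the shared secret and the challenge; the secret value and the 16-byte challenge length are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample secret, known to both the client and the server.
SECRET = b"example-shared-secret"


def server_challenge(nbytes: int = 16) -> bytes:
    """Server: emit a fresh random nonce, a new one for every attempt."""
    return secrets.token_bytes(nbytes)


def client_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client: MD5(Identifier || secret || Challenge), as RFC 1994 specifies."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def server_verify(identifier: int, secret: bytes, challenge: bytes,
                  response: bytes) -> bool:
    """Server: recompute the expected value from its own copy of the secret
    and compare in constant time."""
    expected = client_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def run_exchange(client_secret: bytes, server_secret: bytes,
                 identifier: int = 1, challenge: Optional[bytes] = None):
    """One round trip. Returns (authenticated, wire), where wire holds
    everything a passive eavesdropper on the link could have captured."""
    if challenge is None:
        challenge = server_challenge()
    response = client_response(identifier, client_secret, challenge)
    ok = server_verify(identifier, server_secret, challenge, response)
    wire = {"identifier": identifier, "challenge": challenge, "response": response}
    return ok, wire


def replay_is_rejected(client_secret: bytes, server_secret: bytes) -> bool:
    """A captured response presented against a new challenge fails, because
    the server's nonce changed; this is what defeats a simple replay."""
    _, captured = run_exchange(client_secret, server_secret)
    fresh_challenge = server_challenge()
    return not server_verify(captured["identifier"], server_secret,
                             fresh_challenge, captured["response"])


def secret_on_wire(client_secret: bytes, server_secret: bytes) -> bool:
    """True only if the shared secret itself appears in the captured bytes."""
    _, wire = run_exchange(client_secret, server_secret)
    return client_secret in (wire["challenge"] + wire["response"])
```

The response is an unkeyed hash over the secret, so anyone holding a captured challenge and response can test candidate passwords offline; CHAP's protection therefore depends on the secret being strong.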
Incorrect Answers:
B: The correct name for the protocol is Challenge Handshake Authentication Protocol (CHAP), not Challenge Handshake Identification Protocol (CHIP).
C: The correct name for the protocol is Challenge Handshake Authentication Protocol (CHAP), not Challenge Handshake Encryption Protocol (CHEP).
D: The correct name for the protocol is Challenge Handshake Authentication Protocol (CHAP), not Challenge Handshake Substitution Protocol (CHSP).
References:
Krutz, Ronald L. and Russell Dean Vines, The CISSP and CAP Prep Guide: Mastering CISSP and CAP, Wiley Publishing, Indianapolis, 2007, p. 66
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, p. 710
CISSP Exam Question 30
Which of the following processes is used to align security controls with business functions?
Correct Answer: B
Section: Mixed questions