CISSP Exam Question 616
Which of the following activities BEST identifies operational problems, security misconfigurations, and malicious attacks?
Correct Answer: D
CISSP Exam Question 617
Layer 2 of the OSI model has two sublayers. What are those sublayers, and what are two IEEE standards that describe technologies at that layer?
Correct Answer: D
The data link layer, or Layer 2, of the OSI model is responsible for adding a header and a
trailer to a packet, framing it in the binary format of the local area network or wide area network
technology so that it can be transmitted on the line.
Layer 2 is divided into two functional sublayers.
The upper sublayer is the Logical Link Control (LLC), defined in the IEEE 802.2 specification. It
communicates with the network layer, which is immediately above the data link layer.
Below the LLC is the Media Access Control (MAC) sublayer, which specifies the interface with the
protocol requirements of the physical layer. Thus, the specification for this sublayer depends on
the technology of the physical layer.
The IEEE MAC specification for Ethernet is 802.3, Token Ring is 802.5, wireless LAN is 802.11,
and so on. When you see a reference to an IEEE standard such as 802.11 or 802.16, it refers to a
protocol working at the MAC sublayer of the data link layer of the protocol stack (these standards
also define the physical layer for their medium, which is why the MAC sublayer is medium-specific
while the LLC is not).
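The header-and-trailer framing and the two sublayers are easier to see on real bytes. The following Python is an added example written for this page, not code from the question's source: it builds and parses an Ethernet frame, showing the MAC-sublayer header (destination, source, optional 802.1Q tag, type or length field), the 802.2 LLC header (DSAP, SSAP, Control) that appears only in IEEE 802.3 framing, and the Frame Check Sequence trailer. All addresses, payloads and SAP values are constructed; the little-endian FCS byte order is the convention used in captures that retain the FCS, assumed here so that the builder and parser agree.

```python
import struct
import zlib
from typing import Optional, Tuple

# Constructed constants for the example (not from the page)
ETHERTYPE_IPV4 = 0x0800
TPID_8021Q = 0x8100      # an 802.1Q VLAN tag starts with this value in the type position
MIN_DATA_LEN = 46        # pads a frame to the 64-byte minimum once the 4-byte FCS is added
MAC_LEN = 6


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def str_to_mac(text: str) -> bytes:
    return bytes(int(octet, 16) for octet in text.split(":"))


def fcs(body: bytes) -> bytes:
    """Trailer: CRC-32 over header + data. Assumed little-endian byte order,
    as the FCS appears in captures that keep it."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst: str, src: str, data: bytes, ethertype: Optional[int] = None,
                vid: Optional[int] = None,
                llc: Optional[Tuple[int, int, int]] = None) -> bytes:
    """Ethernet II frame when `ethertype` is given; IEEE 802.3 frame carrying an
    802.2 LLC header (DSAP, SSAP, Control) when `llc` is given."""
    header = str_to_mac(dst) + str_to_mac(src)
    if vid is not None:
        header += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)   # PCP=0, DEI=0
    if llc is not None:
        data = bytes(llc) + data
        header += struct.pack("!H", len(data))     # 802.3: a length (< 0x0600)
    else:
        header += struct.pack("!H", ethertype)     # Ethernet II: a type (>= 0x0600)
    body = header + data.ljust(MIN_DATA_LEN, b"\x00")
    return body + fcs(body)


def parse_frame(frame: bytes) -> dict:
    """Split a frame into MAC-sublayer fields, an optional LLC header, data,
    and the result of checking the FCS trailer."""
    body, trailer = frame[:-4], frame[-4:]
    info = {
        "fcs_ok": trailer == fcs(body),            # corrupted or tampered frames fail here
        "dst": mac_to_str(body[0:MAC_LEN]),
        "src": mac_to_str(body[MAC_LEN:2 * MAC_LEN]),
        "multicast_dst": bool(body[0] & 0x01),     # I/G bit of the first octet
        "vlan": None,
    }
    off = 2 * MAC_LEN
    (type_or_len,) = struct.unpack_from("!H", body, off)
    if type_or_len == TPID_8021Q:
        (tci,) = struct.unpack_from("!H", body, off + 2)
        info["vlan"] = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        off += 4
        (type_or_len,) = struct.unpack_from("!H", body, off)
    off += 2
    if type_or_len >= 0x0600:
        info.update(framing="Ethernet II", ethertype=type_or_len, llc=None,
                    data=body[off:])                        # data plus any padding
    else:
        dsap, ssap, control = body[off], body[off + 1], body[off + 2]
        info.update(framing="IEEE 802.3 + 802.2 LLC", ethertype=None,
                    llc={"dsap": dsap, "ssap": ssap, "control": control},
                    data=body[off + 3: off + type_or_len])   # length excludes padding
    return info


if __name__ == "__main__":
    tagged = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", b"hello",
                         ethertype=ETHERTYPE_IPV4, vid=100)
    print(parse_frame(tagged))
    stp = build_frame("01:80:c2:00:00:00", "00:11:22:33:44:55", b"BPDU", llc=(0x42, 0x42, 0x03))
    print(parse_frame(stp))
```

The type-or-length field is what separates the two framings: a value of 0x0600 or more is an EtherType and the payload belongs directly to the network layer, while a smaller value is an 802.3 length and an 802.2 LLC header follows. The FCS only detects corruption; it is not an integrity control against an attacker, who can recompute it after editing the frame.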
The following answers are incorrect:
LCL and MAC; IEEE 802.2 and 802.3 is incorrect because LCL is a distracter. The correct
acronym for the upper sublayer of the data link layer is LLC. It stands for the Logical Link Control.
By providing multiplexing and flow control mechanisms, the LLC enables the coexistence of
network protocols within a multipoint network and their transportation over the same network
media.
LCL and MAC; IEEE 802.1 and 802.3 is incorrect because LCL is a distracter. The sublayers of
the data link layer are the Logical Link Control (LLC) and the Media Access Control (MAC).
Furthermore, the LLC is defined in the IEEE 802.2 specification, not 802.1. The IEEE 802.1
specifications are concerned with protocol layers above the MAC and LLC layers. It addresses
LAN/MAN architecture, network management, internetworking between LANs and WANs, and link
security, etc.
Network and MAC; IEEE 802.1 and 802.3 is incorrect because network is not a sublayer of the
data link layer. The sublayers of the data link layer are the Logical Link Control (LLC) and the
Media Access Control (MAC). The LLC sits between the network layer (the layer immediately
above the data link layer) and the MAC sublayer. Also, the LLC is defined in the IEEE 802.2
specification, not IEEE 802.1. As just explained, 802.1 standards address areas of LAN/MAN
architecture, network management, internetworking between LANs and WANs, and link
security. The IEEE 802.1 group's four active task groups are Internetworking, Security,
Audio/Video Bridging, and Data Center Bridging.
The following reference(s) were/was used to create this question:
http://en.wikipedia.org/wiki/OSI_model
CISSP Exam Question 618
In the OSI / ISO model, at what layer are some of the SLIP, CSLIP, and PPP control functions provided?
Correct Answer: A
The Data Link layer takes raw data from the physical layer and gives it logical structure. This logic includes information about where the data is meant to go, which computer sent the data, and the overall validity of the bytes sent. The
Data Link layer also controls functions of logical network topologies and physical addressing, as well as data transmission synchronization and error correction. SLIP,
CSLIP and PPP provide control functions at the Data Link Layer (Layer 2 of the OSI model). Of the three, only PPP negotiates the link (through LCP) and can authenticate the peer (through PAP or CHAP); SLIP and CSLIP add no authentication or error detection of their own.
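PPP's authentication is one of the Layer 2 control functions the question refers to, and it is the one with the most security consequence. The following Python is an added example written for this page, not code from the question's source: it carries out the CHAP exchange of RFC 1994 between an authenticator and a peer, with the Challenge, Response and Success/Failure packet layout and the MD5(Identifier || secret || Challenge) response. Peer names and secrets are constructed. The contrast with PAP is that PAP sends the identifier and password in cleartext, whereas CHAP proves knowledge of the secret without transmitting it.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Tuple

# CHAP packet codes from RFC 1994
CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4


def chap_packet(code: int, ident: int, value: bytes, name: bytes = b"") -> bytes:
    """Challenge/Response layout: Code(1) Identifier(1) Length(2) Value-Size(1) Value Name."""
    body = struct.pack("!B", len(value)) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def chap_result(code: int, ident: int, message: bytes = b"") -> bytes:
    """Success/Failure layout: Code(1) Identifier(1) Length(2) Message."""
    return struct.pack("!BBH", code, ident, 4 + len(message)) + message


def parse_chap(pkt: bytes) -> Tuple[int, int, bytes, bytes]:
    """Returns (code, identifier, value, name-or-message); rejects inconsistent lengths."""
    code, ident, length = struct.unpack_from("!BBH", pkt, 0)
    if length != len(pkt) or length < 4:
        raise ValueError("bad CHAP length")
    if code in (CHAP_SUCCESS, CHAP_FAILURE):
        return code, ident, b"", pkt[4:]
    vsize = pkt[4]
    return code, ident, pkt[5:5 + vsize], pkt[5 + vsize:length]


def chap_response_value(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """MD5(Identifier || secret || Challenge), the MD5-CHAP response of RFC 1994."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Authenticator:
    """The side that issues challenges and verifies responses (the access server)."""

    def __init__(self, secrets: Dict[bytes, bytes], name: bytes = b"nas1"):
        self.secrets = secrets          # CHAP requires the cleartext secret on this side
        self.name = name
        self.pending: Dict[int, bytes] = {}
        self.ident = 0

    def challenge(self) -> bytes:
        self.ident = (self.ident + 1) & 0xFF
        chal = os.urandom(16)           # fresh, unpredictable challenge defeats replay
        self.pending[self.ident] = chal
        return chap_packet(CHAP_CHALLENGE, self.ident, chal, self.name)

    def verify(self, pkt: bytes) -> bytes:
        code, ident, value, name = parse_chap(pkt)
        chal = self.pending.pop(ident, None)   # each challenge accepts one response
        secret = self.secrets.get(name)
        if code != CHAP_RESPONSE or chal is None or secret is None:
            return chap_result(CHAP_FAILURE, ident, b"unknown peer or stale challenge")
        expected = chap_response_value(ident, secret, chal)
        if hmac.compare_digest(value, expected):   # constant-time comparison
            return chap_result(CHAP_SUCCESS, ident, b"welcome")
        return chap_result(CHAP_FAILURE, ident, b"bad response")


def peer_respond(challenge_pkt: bytes, name: bytes, secret: bytes) -> bytes:
    """The side being authenticated: answers the challenge without revealing the secret."""
    code, ident, chal, _authenticator_name = parse_chap(challenge_pkt)
    if code != CHAP_CHALLENGE:
        raise ValueError("expected a CHAP Challenge")
    return chap_packet(CHAP_RESPONSE, ident, chap_response_value(ident, secret, chal), name)


def run_exchange(secrets: Dict[bytes, bytes], name: bytes, secret: bytes) -> int:
    """One complete Challenge -> Response -> Success/Failure exchange; returns the result code."""
    auth = Authenticator(secrets)
    response = peer_respond(auth.challenge(), name, secret)
    return parse_chap(auth.verify(response))[0]


if __name__ == "__main__":
    SECRETS = {b"alice": b"correct horse"}     # constructed peer database
    print("good secret:", run_exchange(SECRETS, b"alice", b"correct horse") == CHAP_SUCCESS)
    print("wrong secret:", run_exchange(SECRETS, b"alice", b"wrong") == CHAP_FAILURE)
```

Two caveats a practitioner should keep in mind: the authenticator has to store each peer's secret in recoverable form, since it must compute the same MD5 value, so the secret database is a high-value target; and the random challenge is what stops a captured Response from being replayed, which the `pending` table enforces by accepting exactly one response per challenge.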
CISSP Exam Question 619
Cryptography does not concern itself with which of the following choices?
Correct Answer: D
The cryptography domain addresses the principles, means, and methods of disguising information to ensure its integrity, confidentiality, and authenticity. Unlike the other domains, cryptography does not completely support the standard of availability.
Availability
Cryptography supports all three of the core principles of information security. Many access control systems use cryptography to limit access to systems through the use of passwords. Many token-based authentication systems use cryptographic hash algorithms to compute one-time passwords. Denying unauthorized access prevents an attacker from entering and damaging the system or network, which would otherwise deny access to authorized users once the data is damaged or corrupted.
Confidentiality
Cryptography provides confidentiality through altering or hiding a message so that ideally it cannot be understood by anyone except the intended recipient.
Integrity
Cryptographic tools provide integrity checks that allow a recipient to verify that a message has not been altered. Cryptographic tools cannot prevent a message from being altered, but they are effective at detecting either intentional or accidental modification of the message.
Additional Features of Cryptographic Systems
In addition to the three core principles of information security listed above, cryptographic tools provide several more benefits.
Nonrepudiation
In a trusted environment, the authentication of the origin can be provided through the simple control of the keys. The receiver has a level of assurance that the message was encrypted by the sender, and the sender has trust that the message was not altered once it was received. However, in a more stringent, less trustworthy environment, it may be necessary to provide assurance via a third party of who sent a message and that the message was indeed delivered to the right recipient. This is accomplished through the use of digital signatures and public key encryption. The use of these tools provides a level of nonrepudiation of origin that can be verified by a third party.
Once a message has been received, what is to prevent the recipient from changing the message and contesting that the altered message was the one sent by the sender? Nonrepudiation of delivery prevents a recipient from changing the message and falsely claiming that the message is
in its original state. This is also accomplished through the use of public key cryptography and
digital signatures and is verifiable by a trusted third party.
Authentication
Authentication is the ability to determine if someone or something is what it declares to be. This is
primarily done through the control of the keys, because only those with access to the key are able
to encrypt a message. This is not as strong as the nonrepudiation of origin reviewed above.
Cryptographic functions use several methods to ensure that a message has not been
changed or altered. These include hash functions, digital signatures, and message authentication
codes (MACs). The main concept is that the recipient is able to detect any change that has been
made to a message, whether accidentally or intentionally.
Access Control
Through the use of cryptographic tools, many forms of access control are supported, from log-ins
via passwords and passphrases to the prevention of access to confidential files or messages. In
all cases, access would only be possible for those individuals that had access to the correct
cryptographic keys.
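The Integrity and Authentication paragraphs above make a point that is easy to read past: encryption by itself gives confidentiality, and a message authentication code is what lets the recipient detect alteration, without preventing it. The following Python is an added example written for this page, not code from the (ISC)2 guide: it uses a deliberately simple SHA-256 counter keystream as a stand-in stream cipher (for illustration only, not a real cipher) to show an attacker changing a payment amount inside ciphertext without knowing the key, then shows an HMAC-SHA256 tag causing the altered message to be rejected. The keys, nonce and message are constructed.

```python
import hashlib
import hmac
import struct

# Constructed keys and nonce for the example; real systems derive these with a KDF
ENC_KEY = b"\x01" * 32
MAC_KEY = b"\x02" * 32
NONCE = b"\x00" * 16
TAG_LEN = 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256. It stands in for a stream cipher so the
    malleability of encryption-without-integrity is visible; not for real use."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack("!Q", counter)).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: XOR with the keystream. Decryption is the same operation."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


decrypt = encrypt


def mac(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Integrity and authentication: HMAC-SHA256 over nonce and ciphertext (encrypt-then-MAC)."""
    return hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()


def seal(plaintext: bytes) -> bytes:
    ct = encrypt(ENC_KEY, NONCE, plaintext)
    return NONCE + ct + mac(MAC_KEY, NONCE, ct)


def unseal(blob: bytes):
    """Returns the plaintext, or None when the tag does not verify. The tag cannot stop
    the alteration; it lets the recipient detect it and refuse the data."""
    nonce, ct, tag = blob[:16], blob[16:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, mac(MAC_KEY, nonce, ct)):
        return None
    return decrypt(ENC_KEY, nonce, ct)


def tamper(data: bytes, offset: int, old: str, new: str) -> bytes:
    """Attacker's edit without the key: XOR one ciphertext byte so the corresponding
    plaintext byte changes from `old` to `new` (works against any XOR-based cipher)."""
    edited = bytearray(data)
    edited[offset] ^= ord(old) ^ ord(new)
    return bytes(edited)


def demo_confidentiality_without_integrity() -> bytes:
    """Encryption alone: the edited ciphertext decrypts cleanly to a different amount."""
    ct = encrypt(ENC_KEY, NONCE, b"PAY 0100 USD TO ALICE")
    return decrypt(ENC_KEY, NONCE, tamper(ct, 4, "0", "9"))


def demo_mac_detects_tampering():
    """Encrypt-then-MAC: the same edit (offset shifted past the 16-byte nonce) is rejected."""
    blob = seal(b"PAY 0100 USD TO ALICE")
    return unseal(tamper(blob, 16 + 4, "0", "9"))


if __name__ == "__main__":
    print(demo_confidentiality_without_integrity())   # altered amount, no error raised
    print(demo_mac_detects_tampering())              # None: recipient refuses the message
```

Note what the tag does and does not give. Because the MAC key is shared by sender and receiver, the tag authenticates the message between those two parties but provides no nonrepudiation: either holder of `MAC_KEY` could have produced it, so a third party cannot tell who did. That is why the Nonrepudiation paragraph above turns to digital signatures, where only the signer holds the private key.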
NOTE FROM CLEMENT:
As you have seen this question was very recently updated with the latest content of the Official
ISC2 Guide (OIG) to the CISSP CBK, Version 3.
Myself, I agree with most of you that cryptography does not help on the availability side and it is
even the contrary sometimes, if you lose the key for example. In such a case you would lose
access to the data and negatively impact availability. But the ISC2 is not about what I think or what
you think; they have their own view of the world where they claim and state clearly that
cryptography does address availability even though it does not fully address it.
They look at crypto as the all-encompassing tool it has become today, where it can be used for
authentication purposes, for example, where it would help to avoid corruption of the data through
illegal access by an unauthorized user.
The question is worded this way on purpose; it is VERY specific to the CISSP exam context where
ISC2 preaches that cryptography addresses availability even though they state it does not fully address
it. This is something new in the last edition of their book and something you must be aware of.
Best regards
Clement
The following terms are from the Software Development Security domain:
Validation: The assurance that a product, service, or system meets the needs of the customer and
other identified stakeholders. It often involves acceptance and suitability with external customers.
Contrast with verification below.
Verification: The evaluation of whether or not a product, service, or system complies with a
regulation, requirement, specification, or imposed condition. It is often an internal process.
Contrast with validation.
Reference(s) used for this question:
Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition:
Cryptography (Kindle Locations 227-244). Kindle Edition.
and
Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition:
Cryptography (Kindle Locations 206-227). Kindle Edition.
and
http://en.wikipedia.org/wiki/Verification_and_validation