CISSP Exam Question 236
Which of the following cryptographic attacks describes when the attacker has a copy of the plaintext and the corresponding ciphertext?
Correct Answer: A
The goal of this type of attack is to find the cryptographic key that was used to encrypt the message. Once the key has been found, the attacker would then be able to decrypt all messages that had been encrypted using that key.
The known-plaintext attack (KPA) or crib is an attack model for cryptanalysis where the attacker has samples of both the plaintext and its encrypted version (ciphertext), and is at liberty to make use of them to reveal further secret information such as secret keys and code books. The term "crib" originated at Bletchley Park, the British World War II decryption operation.
In cryptography, a brute force attack or exhaustive key search is a strategy that can in theory be used against any encrypted data by an attacker who is unable to take advantage of any weakness in an encryption system that would otherwise make his task easier. It involves systematically checking all possible keys until the correct key is found. In the worst case, this would involve traversing the entire key space, also called search space.
In cryptography, a ciphertext-only attack (COA) or known ciphertext attack is an attack model for cryptanalysis where the attacker is assumed to have access only to a set of ciphertexts.
The attack is completely successful if the corresponding plaintexts can be deduced, or even better, the key. The ability to obtain any information at all about the underlying plaintext is still considered a success. For example, if an adversary is sending ciphertext continuously to maintain traffic-flow security, it would be very useful to be able to distinguish real messages from nulls. Even making an informed guess of the existence of real messages would facilitate traffic analysis.
In the history of cryptography, early ciphers, implemented using pen-and-paper, were routinely broken using ciphertexts alone. Cryptographers developed statistical techniques for attacking ciphertext, such as frequency analysis. Mechanical encryption devices such as Enigma made these attacks much more difficult (although, historically, Polish cryptographers were able to mount a successful ciphertext-only cryptanalysis of the Enigma by exploiting an insecure protocol for indicating the message settings).
Every modern cipher attempts to provide protection against ciphertext-only attacks. The vetting process for a new cipher design standard usually takes many years and includes exhaustive testing of large quantities of ciphertext for any statistical departure from random noise. See: Advanced Encryption Standard process. Also, the field of steganography evolved, in part, to develop methods like mimic functions that allow one piece of data to adopt the statistical profile of another. Nonetheless poor cipher usage or reliance on home-grown proprietary algorithms that have not been subject to thorough scrutiny has resulted in many computer-age encryption systems that are still subject to ciphertext-only attack. Examples include:
Early versions of Microsoft's PPTP virtual private network software used the same RC4 key for the sender and the receiver (later versions had other problems). In any case where a stream cipher like RC4 is used twice with the same key it is open to ciphertext-only attack. See: stream cipher attack
Wired Equivalent Privacy (WEP), the first security protocol for Wi-Fi, proved vulnerable to several attacks, most of them ciphertext-only.
A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which presumes that the attacker has the capability to choose arbitrary plaintexts to be encrypted and obtain the corresponding ciphertexts. The goal of the attack is to gain some further information which reduces the security of the encryption scheme. In the worst case, a chosen-plaintext attack could reveal the scheme's secret key.
This appears, at first glance, to be an unrealistic model; it would certainly be unlikely that an attacker could persuade a human cryptographer to encrypt large amounts of plaintexts of the attacker's choosing. Modern cryptography, on the other hand, is implemented in software or hardware and is used for a diverse range of applications; for many cases, a chosen-plaintext attack is often very feasible. Chosen-plaintext attacks become extremely important in the context of public key cryptography, where the encryption key is public and attackers can encrypt any plaintext they choose.
Any cipher that can prevent chosen-plaintext attacks is then also guaranteed to be secure against known-plaintext and ciphertext-only attacks; this is a conservative approach to security.
Two forms of chosen-plaintext attack can be distinguished:
Batch chosen-plaintext attack, where the cryptanalyst chooses all plaintexts before any of them are encrypted. This is often the meaning of an unqualified use of "chosen-plaintext attack".
Adaptive chosen-plaintext attack, where the cryptanalyst makes a series of interactive queries, choosing subsequent plaintexts based on the information from the previous encryptions.
References:
Source: TIPTON, Harold, Official (ISC)2 Guide to the CISSP CBK (2007), page 271.
and
Wikipedia at the following links:
http://en.wikipedia.org/wiki/Chosen-plaintext_attack
http://en.wikipedia.org/wiki/Known-plaintext_attack
http://en.wikipedia.org/wiki/Ciphertext-only_attac
http://en.wikipedia.org/wiki/Brute_force_attack
CISSP Exam Question 237
Which of the following actions should be undertaken prior to deciding on a physical baseline Protection Profile (PP)?
Correct Answer: B
Conducting a site survey is the action that should be undertaken prior to deciding on a physical baseline Protection Profile (PP). A PP is a document that defines the security requirements and objectives for a system or a product, and that can be used as a basis for evaluation, testing, or certification. A physical baseline PP is a type of PP that focuses on the physical security aspects of a system or a product, such as the locks, doors, windows, fences, cameras, alarms, or sensors. Conducting a site survey is a process that involves inspecting, measuring, and documenting the physical characteristics and conditions of a site, such as the layout, dimensions, access points, environmental factors, or potential threats. Conducting a site survey can help to determine the appropriate physical security requirements and objectives for a system or a product, and to select the suitable physical security controls and measures to meet those requirements and objectives. The other options are not the actions that should be undertaken prior to deciding on a physical baseline PP, as they either do not relate to the physical security aspects, or do not involve inspecting, measuring, or documenting the site.
References: CISSP - Certified Information Systems Security Professional, Domain 3. Security Architecture and Engineering, 3.4 Implement and manage physical security, 3.4.1 Apply physical security concepts, 3.4.1.1 Site and facility design considerations; CISSP Exam Outline, Domain 3. Security Architecture and Engineering, 3.4 Implement and manage physical security, 3.4.1 Apply physical security concepts, 3.4.1.1 Site and facility design considerations
CISSP Exam Question 238
A group of processes that share access to the same resources is called:
Correct Answer: B
In answer a, an access control list (ACL) is a list denoting which users have what privileges to a particular resource. Table illustrates an ACL. The table shows the subjects or users that have access to the object, FILE X and what privileges they have with respect to that file. For answer "An access control triple", an access control triple consists of the user, program, and file with the corresponding access privileges noted for each user.
The TCB, of answer "A Trusted Computing Base (TCB)", is defined in the answers as the total combination of protection mechanisms within a computer system. These mechanisms include the firmware, hardware, and software that enforce the system security policy.


CISSP Exam Question 239
A central authority determining what subjects can have access to certain objects based on the organizational security policy is called:
Correct Answer: C
Explanation/Reference:
Explanation:
Non-discretionary access control is when the system administrator or a single management body within an organization centrally controls access to all resources for everybody on a network.
Incorrect Answers:
A: Mandatory access control (MAC) is an access policy that restricts access to objects based on the security clearance of a subject and the classification of an object.
B: Discretionary access control (DAC) is an access control model and policy that restricts access to objects according to the identity of the subjects and the groups to which those subjects belong.
D: Rule-based access control makes use of explicit rules that specify what can and cannot happen between a subject and an object.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, pp. 220-228
CISSP Exam Question 240
Which of the following is not a form of passive attack?
Correct Answer: B
Explanation/Reference:
Explanation:
Details: Data diddling involves alteration of existing data and is extremely common. It is one of the easiest types of crimes to prevent by using access and accounting controls, supervision, auditing, separation of duties, and authorization limits. It is a form of active attack. All other choices are examples of passive attacks, only affecting confidentiality.
References: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGrawHill/Osborne, 2002, Chapter 10: Law, Investigation, and Ethics (page 645).
