
CISSP 2024 Intermediate Quiz

Learning Objectives

Apply CISSP domains: cryptography, access control, network security, and software development.

Question 1 of 60
A financial services firm must ensure that a single employee cannot both initiate and approve wire transfers. Which control framework concept does this DIRECTLY enforce?
Question 2 of 60
A security operations analyst notices multiple failed authentication attempts against a privileged account followed by a successful login from an unusual geographic location. Which security capability would MOST efficiently detect this pattern?
Question 3 of 60
An organization discovers its third-party payroll vendor experienced a data breach exposing employee records. Which document should have established the vendor's security obligations BEFORE the relationship began?
Question 4 of 60
Which type of attack involves sending a specially crafted input to an application that causes it to write beyond the allocated memory buffer, potentially allowing code execution?
Question 5 of 60
During a risk assessment, an analyst determines that a web application vulnerability has a 30% annual probability of exploitation and a successful attack would cause $200,000 in losses. What is the Annualized Loss Expectancy (ALE)?
Question 6 of 60
Which security architecture principle dictates that each system component should operate in the minimum environment required and expose only necessary interfaces?
Question 7 of 60
Which security architecture model requires continuous verification for every access request, eliminating implicit trust based on network location?
Question 8 of 60
An organization uses Single Sign-On (SSO) so that employees authenticate once and gain access to multiple systems. Which security risk does SSO PRIMARILY introduce?
Question 9 of 60
Which access control implementation grants permissions based on sensitivity labels and formal authorization level, enforced by policy rather than the data owner?
Question 10 of 60
An organization uses a Certificate Authority hierarchy with an offline root CA and online intermediate CAs. What is the PRIMARY security benefit of keeping the root CA offline?
Question 11 of 60
An application generates session tokens using only the user's username and timestamp. An attacker who captures one token can predictably forge tokens for other users. Which vulnerability does this represent?
Question 12 of 60
According to the CISSP 2024 CBK, which security document describes the specific technical and procedural steps required to implement a control defined in a security standard?
Question 13 of 60
A CISO is selecting a key exchange mechanism that allows two parties to derive a shared secret over an insecure channel without transmitting the secret itself. Which algorithm BEST meets this requirement?
Question 14 of 60
Which penetration testing phase involves using tools such as Nmap and passive DNS reconnaissance to gather information without directly interacting with target systems?
Question 15 of 60
Which identity federation standard allows identity providers to assert authentication information to service providers using XML-based assertions?
Question 16 of 60
A security team captures network traffic from a suspected malware infection. Which forensic capability allows them to reconstruct session data and replay communications from captured packets?
Question 17 of 60
An organization performs a threat model using STRIDE. Which STRIDE category addresses an attacker modifying stored transaction records?
Question 18 of 60
A multinational organization must ensure that personal data transferred from the EU to the United States has equivalent GDPR protection. Which mechanism BEST achieves this?
Question 19 of 60
A database contains credit card numbers that must be stored for dispute resolution but never exposed to end users. Which technique replaces card numbers with non-sensitive surrogate values while maintaining a secure mapping?
Question 20 of 60
In the CISSP 2024 CBK, which principle requires that an access control mechanism checks every access attempt to a resource — not just the initial request?
Question 21 of 60
Which network security architecture places internet-facing servers in a segment isolated from both the internet and the internal trusted network?
Question 22 of 60
Which security control validates that system changes have not altered critical OS files by comparing current file attributes against a trusted baseline?
Question 23 of 60
Which operational security control prevents a developer from deploying their own code changes directly to production without a separate approval step?
Question 24 of 60
Which CISSP 2024 CBK concept refers to the residual risk that remains after security controls have been applied?
Question 25 of 60
A security team wants to verify that all cryptographic keys protecting data at rest are rotated and no expired keys remain active. Which security process BEST addresses this?
Question 26 of 60
A developer integrates a third-party logging library from a public repository into a production application. Which control would MOST effectively reduce supply chain risk?
Question 27 of 60
An organization wants to protect against SQL injection while minimizing code changes to an existing web application. Which compensating control provides the MOST immediate mitigation?
Question 28 of 60
Which protocol is used to securely synchronize time across network devices and is critical for ensuring log timestamps are accurate for forensic correlation?
Question 29 of 60
Which incident response phase involves isolating a compromised system from the network to prevent further lateral movement while preserving evidence?
Question 30 of 60
Which type of social engineering attack involves sending highly personalized phishing emails crafted with specific details about the target such as their name, role, and recent activities?
Question 31 of 60
Which cryptographic attack attempts every possible key combination until the correct one is found?
Question 32 of 60
Which secure coding practice prevents an application from disclosing internal system details — such as stack traces, database errors, or server versions — to end users?
Question 33 of 60
An organization wants to evaluate whether its security controls are functioning as designed over time. Which assessment type BEST provides this continuous assurance?
Question 34 of 60
An organization implements a control requiring two separate administrators — one to create an account and another to grant privileges. Which security principle does this DIRECTLY support?
Question 35 of 60
Which GDPR Article 5 principle requires that personal data be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes?
Question 36 of 60
A security administrator configures a system to lock an account after five consecutive failed login attempts and unlock it only after administrator review. Which type of control is this?
Question 37 of 60
Which type of evidence is derived from human observation and testimony rather than from documents or physical objects?
Question 38 of 60
Which database security concept stores a transformed version of a password that cannot be reversed, while still allowing verification of submitted passwords?
Question 39 of 60
A company uses asymmetric cryptography to distribute a symmetric session key. Which term describes encrypting the symmetric key with the recipient's public key?
Question 40 of 60
Which wireless security threat involves an attacker setting up a rogue wireless access point that mimics a legitimate corporate SSID to intercept client traffic?
Question 41 of 60
During a software security review, a developer discovers that user-supplied input is used directly in a database query without sanitization. Which vulnerability does this MOST likely represent?
Question 42 of 60
A security team must preserve evidence from a compromised server. Which forensic action should be performed FIRST?
Question 43 of 60
Which type of security assessment involves a simulated attack by an authorized team that mimics the TTPs of advanced persistent threat actors?
Question 44 of 60
According to the CISSP 2024 CBK, which asset classification element defines who is responsible for ensuring that data is properly classified and protected?
Question 45 of 60
Which cloud security concern refers to the risk that one tenant's workload may access memory or resources belonging to another tenant?
Question 46 of 60
Which CISSP 2024 CBK concept defines the maximum acceptable data loss measured in time, determining how frequently backups must occur?
Question 47 of 60
Which standard provides prescriptive security configuration benchmarks for operating systems, cloud platforms, and applications widely used for hardening?
Question 48 of 60
Which software security control prevents an application from executing code passed in user input by ensuring that data regions of memory are marked non-executable?
Question 49 of 60
Which secure protocol replaced Telnet for remote administration, providing encrypted terminal sessions and supporting public-key authentication?
Question 50 of 60
Which encryption mode XORs each plaintext block with the previous ciphertext block before encryption, providing semantic security but requiring sequential processing?
Question 51 of 60
An attacker gains physical access to a data center by wearing a vendor uniform and following an authorized employee through a secured door. Which attack technique does this represent?
Question 52 of 60
In a CISSP 2024 CBK risk analysis, which calculation determines the expected monetary loss from a single occurrence of a specific threat exploiting a vulnerability?
Question 53 of 60
A security architect implements input validation, output encoding, and Content Security Policy (CSP) headers. These controls PRIMARILY mitigate which attack type?
Question 54 of 60
A security manager wants to verify employees are following the clean desk policy. Which type of audit is MOST appropriate?
Question 55 of 60
Which CISSP 2024 CBK concept defines the formal process of granting a system authority to operate based on security control assessment and acceptance of residual risk?
Question 56 of 60
Which CISSP 2024 CBK concept describes a situation where an employee gradually accumulates more access rights over time through role changes without having previous rights revoked?
Question 57 of 60
Which business continuity concept identifies the minimum resources and personnel required for an organization to maintain critical business functions?
Question 58 of 60
Which CISSP 2024 CBK concept requires that security control testing be proportional to asset sensitivity and residual risk accepted by management?
Question 59 of 60
Which data handling requirement mandates that certain types of data — such as healthcare records — must not be moved outside a specific country or regulatory jurisdiction?
Question 60 of 60
A penetration tester discovers that a web application reflects user input in HTTP response headers without sanitization, allowing header injection. Which vulnerability does this represent?