[Jun 19, 2023] Latest Questions CISSP Guide to Prepare Free Practice Tests [Q121-Q142]

NEW QUESTION # 121
Which of the following security control is intended to avoid an incident from occurring?

  • A. Recovery
  • B. Preventive
  • C. Corrective
  • D. Deterrent

Answer: B

Explanation:
Preventive controls are intended to avoid an incident from occurring. For your exam you should know the following information about the different security controls.
Deterrent Controls: Deterrent controls are intended to discourage a potential attacker. Access controls act as a deterrent to threats and attacks by the simple fact that the existence of the control is enough to keep some potential attackers from attempting to circumvent the control. This is often because the effort required to circumvent the control is far greater than the potential reward if the attacker is successful, or, conversely, the negative implications of a failed attack (or getting caught) outweigh the benefits of success. For example, by forcing the identification and authentication of a user, service, or application, and all that it implies, the potential for incidents associated with the system is significantly reduced because an attacker will fear association with the incident. If there are no controls for a given access path, the number of incidents and the potential impact become infinite. Controls inherently reduce exposure to risk by applying oversight for a process. This oversight acts as a deterrent, curbing an attacker's appetite in the face of probable repercussions. The best example of a deterrent control is demonstrated by employees and their propensity to intentionally perform unauthorized functions, leading to unwanted events. When users begin to understand that by authenticating into a system to perform a function their activities are logged and monitored, the likelihood that they will attempt such an action is reduced.
Many threats are based on the anonymity of the threat agent, and any potential for identification and association with their actions is avoided at all costs. It is for this fundamental reason that access controls are the key target of circumvention by attackers. Deterrents also take the form of potential punishment if users do something unauthorized. For example, if the organization policy specifies that an employee installing an unauthorized wireless access point will be fired, that will deter most employees from installing wireless access points.
Preventative Controls: Preventive controls are intended to avoid an incident from occurring. Preventative access controls keep a user from performing some activity or function. Preventative controls differ from deterrent controls in that the control is not optional and cannot (easily) be bypassed. Deterrent controls work on the theory that it is easier to obey the control than to risk the consequences of bypassing it. In other words, the power for action resides with the user (or the attacker). Preventative controls place the power of action with the system; obeying the control is not optional. The only way to bypass the control is to find a flaw in the control's implementation.
Compensating Controls: Compensating controls are introduced when the existing capabilities of a system do not support the requirement of a policy. Compensating controls can be technical, procedural, or managerial. Although an existing system may not support the required controls, there may exist other technology or processes that can supplement the existing environment, closing the gap in controls, meeting policy requirements, and reducing overall risk. For example, the access control policy may state that the authentication process must be encrypted when performed over the Internet. Adjusting an application to natively support encryption for authentication purposes may be too costly. Secure Sockets Layer (SSL), an encryption protocol, can be employed and layered on top of the authentication process to support the policy statement. Other examples include a separation of duties environment, which offers the capability to isolate certain tasks to compensate for technical limitations in the system and ensure the security of transactions. In addition, management processes, such as authorization, supervision, and administration, can be used to compensate for gaps in the access control environment.
Detective Controls: Detective controls warn when something has happened, and are the earliest point in the post-incident timeline. Access controls are a deterrent to threats and can be aggressively utilized to prevent harmful incidents through the application of least privilege. However, the detective nature of access controls can provide significant visibility into the access environment and help organizations manage their access strategy and related security risk. As mentioned previously, strongly managed access privileges provided to an authenticated user offer the ability to reduce the risk exposure of the enterprise's assets by limiting the capabilities that the authenticated user has. However, there are few options to control what a user can perform once privileges are provided. For example, if a user is provided write access to a file and that file is damaged, altered, or otherwise negatively impacted (either deliberately or unintentionally), the use of applied access controls will offer visibility into the transaction. The control environment can be established to log activity regarding the identification, authentication, authorization, and use of privileges on a system. This can be used to detect the occurrence of errors, the attempts to perform an unauthorized action, or to validate when provided credentials were exercised. The logging system as a detective device provides evidence of actions (both successful and unsuccessful) and tasks that were executed by authorized users.
Corrective Controls: When a security incident occurs, elements within the security infrastructure may require corrective actions. Corrective controls are actions that seek to alter the security posture of an environment to correct any deficiencies and return the environment to a secure state. A security incident signals the failure of one or more directive, deterrent, preventative, or compensating controls. The detective controls may have triggered an alarm or notification, but now the corrective controls must work to stop the incident in its tracks. Corrective controls can take many forms, all depending on the particular situation at hand or the particular security failure that needs to be dealt with.
Recovery Controls: Any changes to the access control environment, whether in the face of a security incident or to offer temporary compensating controls, need to be accurately reinstated and returned to normal operations. There are several situations that may affect access controls, their applicability, status, or management. Events can include system outages, attacks, project changes, technical demands, administrative gaps, and full-blown disaster situations. For example, if an application is not correctly installed or deployed, it may adversely affect controls placed on system files or even have default administrative accounts unknowingly implemented upon install. Additionally, an employee may be transferred, quit, or be on temporary leave, which may affect policy requirements regarding separation of duties. An attack on systems may have resulted in the implantation of a Trojan horse program, potentially exposing private user information, such as credit card information and financial data. In all of these cases, an undesirable situation must be rectified as quickly as possible and controls returned to normal operations.
The following answers are incorrect:
Deterrent - Deterrent controls are intended to discourage a potential attacker
Corrective - Corrective controls fix components or systems after an incident has occurred
Recovery - Recovery controls are intended to bring the environment back to regular operations
The following reference(s) were/was used to create this question:
CISA Review Manual 2014 Page number 44 and Official ISC2 CISSP guide 3rd edition Page number 50 and 51


NEW QUESTION # 122
In an online transaction processing system (OLTP), which of the following actions should be taken when erroneous or invalid transactions are detected?

  • A. The transactions should be processed after the program makes adjustments.
  • B. The transactions should be written to a report and reviewed.
  • C. The transactions should be corrected and reprocessed.
  • D. The transactions should be dropped from processing.

Answer: B

Explanation:
In an online transaction processing system (OLTP) all transactions are recorded as they occur. When erroneous or invalid transactions are detected the transaction can be recovered by reviewing the logs.
As explained in the ISC2 OIG: OLTP is designed to record all of the business transactions of an organization as they occur. It is a data processing system facilitating and managing transaction-oriented applications. These are characterized as a system used by many concurrent users who are actively adding and modifying data to effectively change real-time data.
OLTP environments are frequently found in the finance, telecommunications, insurance, retail, transportation, and travel industries. For example, airline ticket agents enter data in the database in real-time by creating and modifying travel reservations, and these are increasingly joined by users directly making their own reservations and purchasing tickets through airline company Web sites as well as discount travel Web site portals. Therefore, millions of people may be accessing the same flight database every day, and dozens of people may be looking at a specific flight at the same time.
The security concerns for OLTP systems are concurrency and atomicity.
Concurrency controls ensure that two users cannot simultaneously change the same data, or that one user cannot make changes before another user is finished with it. In an airline ticket system, it is critical for an agent processing a reservation to complete the transaction, especially if it is the last seat available on the plane.
Atomicity ensures that all of the steps involved in the transaction complete successfully. If one step should fail, then the other steps should not be able to complete. Again, in an airline ticketing system, if the agent does not enter a name into the name data field correctly, the transaction should not be able to complete.
OLTP systems should act as a monitoring system and detect when individual processes abort, automatically restart an aborted process, back out of a transaction if necessary, allow distribution of multiple copies of application servers across machines, and perform dynamic load balancing.
A security feature uses transaction logs to record information on a transaction before it is processed, and then mark it as processed after it is done. If the system fails during the transaction, the transaction can be recovered by reviewing the transaction logs.
Checkpoint restart is the process of using the transaction logs to restart the machine by running through the log to the last checkpoint or good transaction. All transactions following the last checkpoint are applied before allowing users to access the data again.
Wikipedia has good coverage of OLTP:
Online transaction processing, or OLTP, refers to a class of systems that facilitate and manage transaction-oriented applications, typically for data entry and retrieval transaction processing. The term is somewhat ambiguous; some understand a "transaction" in the context of computer or database transactions, while others (such as the Transaction Processing Performance Council) define it in terms of business or commercial transactions.
OLTP has also been used to refer to processing in which the system responds immediately to user requests. An automatic teller machine (ATM) for a bank is an example of a commercial transaction processing application.
The technology is used in a number of industries, including banking, airlines, mail order, supermarkets, and manufacturing. Applications include electronic banking, order processing, employee time clock systems, e-commerce, and eTrading.
There are two security concerns for OLTP systems: concurrency and atomicity.
ATOMICITY
In database systems, atomicity (or atomicness) is one of the ACID transaction properties. In an atomic transaction, a series of database operations either all occur, or nothing occurs. A guarantee of atomicity prevents updates to the database occurring only partially, which can cause greater problems than rejecting the whole series outright.
The etymology of the phrase originates in the Classical Greek concept of a fundamental and indivisible component; see atom.
An example of atomicity is ordering an airline ticket where two actions are required: payment, and a seat reservation. The potential passenger must either:
both pay for and reserve a seat; OR
neither pay for nor reserve a seat.
The booking system does not consider it acceptable for a customer to pay for a ticket without securing the seat, nor to reserve the seat without payment succeeding.
CONCURRENCY
Database concurrency controls ensure that transactions occur in an ordered fashion. The main job of these controls is to protect transactions issued by different users/applications from the effects of each other. They must preserve the four characteristics of database transactions, the ACID test: Atomicity, Consistency, Isolation, and Durability. Read http://en.wikipedia.org/wiki/ACID for more details on the ACID test. Thus concurrency control is an essential element for correctness in any system where two or more database transactions, executed with time overlap, can access the same data, which is the case in virtually any general-purpose database system. A well established concurrency control theory exists for database systems: serializability theory, which makes it possible to design and analyze concurrency control methods and mechanisms effectively. Concurrency is not an issue in itself; it is the lack of proper concurrency controls that makes it a serious issue.
The following answers are incorrect:
The transactions should be dropped from processing. Incorrect because the transactions are processed, and when erroneous or invalid transactions are detected the transaction can be recovered by reviewing the logs.
The transactions should be processed after the program makes adjustments. Incorrect because the transactions are processed, and when erroneous or invalid transactions are detected the transaction can be recovered by reviewing the logs.
The transactions should be corrected and reprocessed. Incorrect because the transactions are processed, and when erroneous or invalid transactions are detected the transaction can be recovered by reviewing the logs.
References: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 12749-12768). Auerbach Publications. Kindle Edition. and http://en.wikipedia.org/wiki/Online_transaction_processing and http://databases.about.com/od/administration/g/concurrency.htm
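The atomicity and transaction-log behaviour described above (pay and reserve as one unit, write the log entry before processing and mark it processed only afterwards, keep the rejected transactions for review), as an added example that is not part of the question bank or the (ISC)2 guide. It uses Python's standard sqlite3 module; the table layout, flight XY100 and the passenger names are constructed for illustration:

```python
"""Atomic airline booking (payment + seat reservation) with a transaction log.

Added example, not from the question bank. Table layout, flight XY100 and
passenger names are constructed; sqlite3 is the Python standard library.
"""
import sqlite3


def open_db() -> sqlite3.Connection:
    # Autocommit mode (isolation_level=None) so every BEGIN/COMMIT/ROLLBACK
    # below is issued explicitly; nothing is batched behind our back.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.executescript(
        """
        CREATE TABLE seats (flight TEXT, seat TEXT, passenger TEXT,
                            PRIMARY KEY (flight, seat));
        CREATE TABLE payments (id INTEGER PRIMARY KEY, passenger TEXT,
                               amount_cents INTEGER NOT NULL);
        -- Transaction log: written BEFORE the business steps run and marked
        -- 'processed' only after COMMIT, so an interrupted or rejected
        -- transaction always remains visible for review.
        CREATE TABLE txlog (id INTEGER PRIMARY KEY, passenger TEXT,
                            flight TEXT, seat TEXT, status TEXT);
        """
    )
    # Constructed sample data: one flight with a single free seat (the last one).
    conn.execute("INSERT INTO seats VALUES ('XY100', '12A', NULL)")
    return conn


def book(conn: sqlite3.Connection, passenger: str, flight: str,
         seat: str, amount_cents: int) -> int:
    """Pay for AND reserve the seat as one atomic unit; return the log id.

    If either step fails the whole transaction is rolled back: no payment
    without a seat, no seat without a payment (atomicity).
    """
    cur = conn.execute(
        "INSERT INTO txlog (passenger, flight, seat, status) "
        "VALUES (?, ?, ?, 'pending')",
        (passenger, flight, seat),
    )
    log_id = cur.lastrowid
    try:
        # BEGIN IMMEDIATE takes the write lock up front, so a second agent
        # working on the same seat has to wait (concurrency control).
        conn.execute("BEGIN IMMEDIATE")
        conn.execute(
            "INSERT INTO payments (passenger, amount_cents) VALUES (?, ?)",
            (passenger, amount_cents),
        )
        taken = conn.execute(
            "UPDATE seats SET passenger = ? "
            "WHERE flight = ? AND seat = ? AND passenger IS NULL",
            (passenger, flight, seat),
        ).rowcount
        if taken != 1:
            raise RuntimeError("seat no longer available")
        conn.execute("COMMIT")
        status = "processed"
    except Exception as exc:
        if conn.in_transaction:
            conn.execute("ROLLBACK")  # the payment row disappears with the reservation
        status = f"rejected: {exc}"
    conn.execute("UPDATE txlog SET status = ? WHERE id = ?", (status, log_id))
    return log_id


def exception_report(conn: sqlite3.Connection) -> list:
    """Every logged transaction that did not complete, for human review."""
    return conn.execute(
        "SELECT id, passenger, flight, seat, status FROM txlog "
        "WHERE status != 'processed' ORDER BY id"
    ).fetchall()


def totals(conn: sqlite3.Connection) -> tuple:
    """(number of payment rows, passengers currently holding a seat)."""
    paid = conn.execute("SELECT COUNT(*) FROM payments").fetchone()[0]
    held = [r[0] for r in conn.execute(
        "SELECT passenger FROM seats WHERE passenger IS NOT NULL")]
    return paid, held


if __name__ == "__main__":
    db = open_db()
    book(db, "alice", "XY100", "12A", 19900)  # succeeds: takes the last seat
    book(db, "bob", "XY100", "12A", 19900)    # rejected: payment rolled back
    print(totals(db))                          # (1, ['alice'])
    print(exception_report(db))                # bob's attempt, status 'rejected: ...'
```

Running the block books the last seat for one passenger and rejects a second attempt; the rejected booking's payment never survives the rollback, and its txlog row is exactly what a review report (the correct answer's "written to a report and reviewed") would show. With several connections, BEGIN IMMEDIATE is what serializes two agents contending for the same seat.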


NEW QUESTION # 123
Why are mobile devices sometimes difficult to investigate in a forensic examination?

  • A. They may have proprietary software installed to protect them.
  • B. They may contain cryptographic protection.
  • C. They have password-based security at logon.
  • D. There are no forensics tools available for examination.

Answer: A


NEW QUESTION # 124
Which of the following can best be defined as a key distribution protocol that uses hybrid encryption to convey session keys, establishes a long-term key once, and then requires no prior communication in order to establish or exchange keys on a session-by-session basis?

  • A. Internet Security Association and Key Management Protocol (ISAKMP)
  • B. IPsec Key exchange (IKE)
  • C. Simple Key-management for Internet Protocols (SKIP)
  • D. Diffie-Hellman Key Distribution Protocol

Answer: C

Explanation:
RFC 2828 (Internet Security Glossary) defines Simple Key Management for Internet Protocols (SKIP) as:
A key distribution protocol that uses hybrid encryption to convey session keys that are used to encrypt data in IP packets.
SKIP is a hybrid key distribution protocol similar to SSL, except that it establishes a long-term key once, and then requires no prior communication in order to establish or exchange keys on a session-by-session basis. Therefore, no connection setup overhead exists and new key values are not continually generated. SKIP uses the knowledge of its own secret key or private component and the destination's public component to calculate a unique key that can only be used between them.
IKE stands for Internet Key Exchange; it makes use of ISAKMP and OAKLEY internally.
Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a security association (SA) in the IPsec protocol suite. IKE builds upon the Oakley protocol and ISAKMP. IKE uses X.509 certificates for authentication and a Diffie-Hellman key exchange to set up a shared session secret from which cryptographic keys are derived.
The following are incorrect answers:
ISAKMP is an Internet IPsec protocol to negotiate, establish, modify, and delete security associations, and to exchange key generation and authentication data, independent of the details of any specific key generation technique, key establishment protocol, encryption algorithm, or authentication mechanism.
IKE is an Internet, IPsec, key-establishment protocol (partly based on OAKLEY) that is intended for putting in place authenticated keying material for use with ISAKMP and for other security associations, such as in AH and ESP.
IPsec Key exchange (IKE) is only a distractor.
Reference(s) used for this question:
SHIREY, Robert W., RFC2828: Internet Security Glossary, May 2000.
and
http://en.wikipedia.org/wiki/Simple_Key-Management_for_Internet_Protocol


NEW QUESTION # 125
An important element of database design that ensures that the attributes in a table depend only on the primary key is:

  • A. Data reuse.
  • B. Data normalization.
  • C. Database management.
  • D. Data integrity.

Answer: B

Explanation:
The correct answer is "Data normalization". Normalization includes eliminating redundant data and eliminating attributes in a table that are not dependent on the primary key of that table. Answer "Database management" refers to a database management system (DBMS), which provides access to the database and is used for maintaining the database. Answers "Data integrity" and "Data reuse" are distracters.


NEW QUESTION # 126
What is called the percentage of invalid subjects that are falsely accepted?

  • A. True Acceptance Rate (TAR) or Type III error
  • B. Crossover Error Rate (CER)
  • C. False Rejection Rate (FRR) or Type I Error
  • D. False Acceptance Rate (FAR) or Type II Error

Answer: D


NEW QUESTION # 127
Which of the following is the BEST method to assess the effectiveness of an organization's vulnerability management program?

  • A. Automated vulnerability scanning
  • B. Review automated patch deployment reports
  • C. Periodic third party vulnerability assessment
  • D. Perform vulnerability scan by security team

Answer: C


NEW QUESTION # 128
Which of the following concerning the Rijndael block cipher algorithm is false?

  • A. Both block size and key length can be extended to multiples of 64 bits.
  • B. The design of Rijndael was strongly influenced by the design of the block cipher Square.
  • C. The cipher has a variable block length and key length.
  • D. A total of 25 combinations of key length and block length are possible

Answer: A

Explanation:
The answer above is the correct answer because it is FALSE. Rijndael does not support multiples of 64 bits; it supports multiples of 32 bits in the range of 128 to 256 bits. The key length can be 128, 160, 192, 224, or 256 bits.
Both block length and key length can be extended very easily to multiples of 32 bits, for a total of 25 different combinations of block and key size.
The Rijndael Cipher Rijndael is a block cipher, designed by Joan Daemen and Vincent Rijmen as a candidate algorithm for the Advanced Encryption Standard (AES) in the United States of America. The cipher has a variable block length and key length.
Rijndael can be implemented very efficiently on a wide range of processors and in hardware. The design of Rijndael was strongly influenced by the design of the block cipher Square.
The Advanced Encryption Standard (AES)
The Advanced Encryption Standard (AES) keys are defined to be either 128, 192, or 256 bits in accordance with the requirements of the AES.
The number of rounds, or iterations of the main algorithm, can vary from 10 to 14 within the Advanced Encryption Standard (AES) and is dependent on the block size and key length. 128-bit keys use 10 rounds of encryption, 192-bit keys use 12 rounds, and 256-bit keys use 14 rounds.
The low number of rounds has been one of the main criticisms of Rijndael, but if this ever becomes a problem the number of rounds can easily be increased at little extra performance cost by increasing the block size and key length.
Range of key and block lengths in Rijndael and AES: Rijndael and AES differ only in the range of supported values for the block length and cipher key length.
For Rijndael, the block length and the key length can be independently specified to any multiple of 32 bits, with a minimum of 128 bits, and a maximum of 256 bits. The support for block and key lengths 160 and 224 bits was introduced in Joan Daemen and Vincent Rijmen, AES submission document on Rijndael, Version 2, September 1999 available at http://csrc.nist.gov/archive/aes/rijndael/Rijndael-ammended.pdf
AES fixes the block length to 128 bits, and supports key lengths of 128, 192 or 256 bits only.
Reference used for this question: The Rijndael Page and http://csrc.nist.gov/archive/aes/rijndael/Rijndael-ammended.pdf and FIPS PUB 197, Advanced Encryption Standard (AES), National Institute of Standards and Technology, U.S. Department of Commerce, November 2001.
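The size rules just described (multiples of 32 bits from 128 to 256, 25 block/key combinations, AES as the 128-bit-block subset with 10/12/14 rounds), as an added example that is not part of the question bank or of the Rijndael submission. The round formula Nr = max(Nb, Nk) + 6, with Nb and Nk the block and key length in 32-bit words, is the one the Rijndael specification uses; the function names are assumptions:

```python
"""Rijndael vs AES: legal block/key lengths and the resulting round count.

Added example, not from the question bank. Round count follows the Rijndael
specification: Nr = max(Nb, Nk) + 6, sizes measured in 32-bit words.
"""

WORD_BITS = 32
RIJNDAEL_SIZES = (128, 160, 192, 224, 256)  # multiples of 32 bits, 128..256
AES_BLOCK_BITS = 128
AES_KEY_SIZES = (128, 192, 256)


def rijndael_combinations() -> list:
    """All (block_bits, key_bits) pairs Rijndael accepts: 5 x 5 = 25."""
    return [(b, k) for b in RIJNDAEL_SIZES for k in RIJNDAEL_SIZES]


def all_sizes_multiple_of(n: int) -> bool:
    """Check the question's claim: are all Rijndael sizes multiples of n?"""
    return all(size % n == 0 for size in RIJNDAEL_SIZES)


def rijndael_rounds(block_bits: int, key_bits: int) -> int:
    """Round count for a Rijndael block/key pair; rejects illegal sizes."""
    for name, bits in (("block", block_bits), ("key", key_bits)):
        if bits not in RIJNDAEL_SIZES:
            raise ValueError(
                f"{name} length {bits} is not a multiple of 32 in 128..256")
    nb, nk = block_bits // WORD_BITS, key_bits // WORD_BITS
    return max(nb, nk) + 6


def aes_rounds(key_bits: int) -> int:
    """AES is Rijndael with the block fixed at 128 bits and three key sizes."""
    if key_bits not in AES_KEY_SIZES:
        raise ValueError(f"AES key length must be one of {AES_KEY_SIZES}")
    return rijndael_rounds(AES_BLOCK_BITS, key_bits)


def round_table() -> dict:
    """Rounds for every legal Rijndael combination, keyed by (block, key)."""
    return {pair: rijndael_rounds(*pair) for pair in rijndael_combinations()}


if __name__ == "__main__":
    print(len(rijndael_combinations()), "combinations")        # 25
    print("multiples of 32:", all_sizes_multiple_of(32))       # True
    print("multiples of 64:", all_sizes_multiple_of(64))       # False: 160, 224
    for k in AES_KEY_SIZES:
        print(f"AES-{k}: {aes_rounds(k)} rounds")              # 10, 12, 14
    print("Rijndael 256-bit block, 128-bit key:",
          rijndael_rounds(256, 128), "rounds")                 # 14
```

The last line of the demo shows the point made in the explanation: enlarging the block (not only the key) raises the round count, which is why Rijndael can buy extra rounds by growing either parameter while AES, with its fixed 128-bit block, gets them from the key size alone.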


NEW QUESTION # 129
Which of the following is the FIRST thing to consider when reviewing Information Technology (IT) internal controls?

  • A. The impact of the control
  • B. The nature of the risk
  • C. The cost of the control
  • D. The risk culture of the organization

Answer: D


NEW QUESTION # 130
Common Criteria has assurance levels from EAL 1 to EAL 7 regarding the depth of design and testing. Which of the following assures that the Target of Evaluation (TOE) is methodically designed, tested and reviewed?

  • A. EAL 5
  • B. EAL 3
  • C. EAL 4
  • D. EAL 6

Answer: C

Explanation:
EAL 1 : functionally tested
EAL 2 : structurally tested
EAL 3 : methodically tested and checked
EAL 4 : methodically designed, tested and reviewed
EAL 5 : semiformally designed and tested
EAL 6 : semiformally verified design and tested
EAL 7 : formally verified design and tested.
Source: Common Criteria Version 2.1, Part 2 page 53 through 67.
Additional source:
HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 3rd Edition, McGraw-Hill/Osborne, 2005, page 312.


NEW QUESTION # 131
The fundamental entity in a relational database is the:

  • A. Domain.
  • B. Pointer.
  • C. Relation.
  • D. Cost.

Answer: C

Explanation:
The correct answer is Relation. The fundamental entity in a relational database is the relation in the form of a table. Answer Domain is the set of allowable attribute values, and answers Pointer and Cost are distracters.


NEW QUESTION # 132
Which of the following statements pertaining to fire suppression systems is TRUE?

  • A. Water Based extinguishers are NOT an effective fire suppression method for class C (electrical) fires.
  • B. Halon is today the most common choice as far as agents are concerned because it is highly effective in the way that it interferes with the chemical reaction of the elements within a fire.
  • C. Gas masks provide an effective protection against use of CO2 systems. They are recommended for the protection of the employees within data centers.
  • D. CO2 systems are NOT effective because they suppress the oxygen supply required to sustain the fire.

Answer: A

Explanation:
Class C fires are electrical fires that may occur in electrical equipment or wiring. Class C fire extinguishers use gas, CO2 or dry powders. These extinguishing agents are non-conductive.
Class A fire extinguishers use water or foam. Water or foam used on an electrical fire would conduct the electricity and make the fire worse. Therefore, it is TRUE that water-based extinguishers are NOT an effective fire suppression method for class C (electrical) fires.
Incorrect Answers:
Halon is NOT the most common choice as far as agents are concerned. Halon is now known to be dangerous and is no longer produced. Therefore, this answer is incorrect.
Gas masks DO NOT provide effective protection against the use of CO2 systems. CO2 systems work by removing the oxygen from the air. Therefore, this answer is incorrect.
CO2 systems ARE effective because they suppress the oxygen supply required to sustain the fire. Therefore, this answer is incorrect.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, p. 472


NEW QUESTION # 133
Which access control model is best suited in an environment where a high security level is required and where it is desired that only the administrator grants access control?

  • A. DAC
  • B. TACACS
  • C. Access control matrix
  • D. MAC

Answer: D

Explanation:
MAC provides high security by regulating access based on the clearance of individual users and sensitivity labels for each object. Clearance levels and sensitivity levels cannot be modified by individual users -- for example, user Joe (SECRET clearance) cannot reclassify the "Presidential Doughnut Recipe" from "SECRET" to "CONFIDENTIAL" so that his friend Jane (CONFIDENTIAL clearance) can read it. The administrator is ultimately responsible for configuring this protection in accordance with security policy and directives from the Data Owner.
DAC is incorrect. In DAC, the data owner is responsible for controlling access to the object.
Access control matrix is incorrect. The access control matrix is a way of thinking about the access control needed by a population of subjects to a population of objects. This access control can be applied using rules, ACL's, capability tables, etc.
TACACS is incorrect. TACACS is a tool for performing user authentication.
References:
CBK, p. 187, Domain 2: Access Control.
AIO3, Chapter 4, Access Control.
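The MAC behaviour described in the explanation (clearance must dominate the object's sensitivity label; a user such as Joe cannot downgrade a label to widen access; only the administrator relabels), beside the DAC contrast where the owner alone decides, as an added example that is not part of the question bank or any of the cited references. The level ordering, the Joe/Jane/recipe scenario and all class and function names are assumptions made for this illustration:

```python
"""MAC (clearance vs. label, admin-only relabeling) beside a DAC contrast.

Added example, not from the question bank. The four-level ordering, the
users Joe and Jane and the recipe object are constructed for illustration.
"""
from dataclasses import dataclass, field

# Linear ordering of sensitivity levels: a higher level dominates a lower one.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass
class Subject:
    name: str
    clearance: str
    is_admin: bool = False


@dataclass
class MacObject:
    name: str
    label: str


def dominates(high: str, low: str) -> bool:
    return LEVELS[high] >= LEVELS[low]


def mac_can_read(subject: Subject, obj: MacObject) -> bool:
    """Simple security property: read only if clearance dominates the label."""
    return dominates(subject.clearance, obj.label)


def mac_relabel(actor: Subject, obj: MacObject, new_label: str) -> None:
    """Only the administrator may change a label. Ordinary users, even the
    object's creator, cannot downgrade it to let a lower-cleared friend read."""
    if new_label not in LEVELS:
        raise ValueError(f"unknown label {new_label!r}")
    if not actor.is_admin:
        raise PermissionError(f"{actor.name} may not relabel {obj.name}")
    obj.label = new_label


@dataclass
class DacObject:
    """DAC contrast: the owner decides who may read; there are no labels."""
    name: str
    owner: str
    readers: set = field(default_factory=set)


def dac_grant(actor: Subject, obj: DacObject, grantee: str) -> None:
    if actor.name != obj.owner:
        raise PermissionError("under DAC only the owner controls access")
    obj.readers.add(grantee)


def dac_can_read(subject: Subject, obj: DacObject) -> bool:
    return subject.name == obj.owner or subject.name in obj.readers


def scenario() -> dict:
    """Joe (SECRET) tries to let Jane (CONFIDENTIAL) read a SECRET recipe."""
    joe = Subject("Joe", "SECRET")
    jane = Subject("Jane", "CONFIDENTIAL")
    admin = Subject("sysadmin", "TOP SECRET", is_admin=True)
    recipe = MacObject("Presidential Doughnut Recipe", "SECRET")
    result = {
        "joe_reads": mac_can_read(joe, recipe),            # True
        "jane_reads_before": mac_can_read(jane, recipe),   # False
    }
    try:
        mac_relabel(joe, recipe, "CONFIDENTIAL")           # Joe is not the admin
        result["joe_relabel"] = "allowed"
    except PermissionError:
        result["joe_relabel"] = "denied"
    result["jane_reads_after"] = mac_can_read(jane, recipe)  # still False
    # The administrator applies policy: here an upgrade, which locks Joe out too.
    mac_relabel(admin, recipe, "TOP SECRET")
    result["joe_reads_after_upgrade"] = mac_can_read(joe, recipe)  # False
    # Same situation under DAC: one owner decision is all it takes.
    dac_recipe = DacObject("Doughnut Recipe (DAC copy)", owner="Joe")
    dac_grant(joe, dac_recipe, "Jane")
    result["dac_jane_reads"] = dac_can_read(jane, dac_recipe)  # True
    return result


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The two models differ in where the decision lives: under MAC the only thing that changes who can read the recipe is an administrator's relabeling, whereas under DAC Joe, as owner, grants Jane access with a single call and no label stands in the way.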


NEW QUESTION # 134
Which choice below is NOT a common element of user account administration?

  • A. Authorizing the request for a user's system account
  • B. Periodically verifying the legitimacy of current accounts and access authorizations
  • C. Tracking users and their respective access authorizations
  • D. Establishing, issuing, and closing user accounts

Answer: A

Explanation:
For proper separation of duties, the function of user account establishment and maintenance should be separated from the function of initiating and authorizing the creation of the account. User account management focuses on identification, authentication, and access authorizations. This is augmented by the process of auditing and otherwise periodically verifying the legitimacy of current accounts and access authorizations. Also, there are considerations involved in the timely modification or removal of access and associated issues for employees who are reassigned, promoted, or terminated, or who retire.
Source: National Institute of Standards and Technology, An Introduction to Computer Security: The NIST Handbook Special Publication 800-12.


NEW QUESTION # 135
Which layer of the TCP/IP protocol model would BEST correspond to the OSI/ISO model's network layer?

  • A. Internet layer
  • B. Host-to-host transport layer
  • C. Network access layer
  • D. Application layer

Answer: A

Explanation:
The OSI model Network layer corresponds to the TCP/IP model Internet layer.
Incorrect Answers:
The Network access layer corresponds to the data link and physical layers of the OSI model.
The Application layer corresponds to the Application, Presentation, and Session layers of the OSI model.
The Host-to-host transport layer corresponds to the Transport layer of the OSI model.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 518


NEW QUESTION # 136
Which of the following functions is less likely to be performed by a typical security administrator?

  • A. Reviewing audit data
  • B. Setting user clearances and initial passwords
  • C. Adding and removing system users
  • D. Setting or changing file sensitivity labels

Answer: C


NEW QUESTION # 137
Which of the following access control techniques best gives the security officers the ability to specify and enforce enterprise-specific security policies in a way that maps naturally to an organization's structure?

  • A. Access control lists
  • B. Role-based access control
  • C. Non-mandatory access control
  • D. Discretionary access control

Answer: B

Explanation:
Role-based access control (RBAC) gives the security officers the ability to specify and enforce enterprise-specific security policies in a way that maps naturally to an organization's structure. Each user is assigned one or more roles, and each role is assigned one or more privileges that are given to users in that role. An access control list (ACL) is a table that tells a system which access rights each user has to a particular system object. With discretionary access control, administration is decentralized and owners of resources control other users' access. Non-mandatory access control is not a defined access control technique.
Source: ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 2: Access Control Systems and Methodology (page 9).


NEW QUESTION # 138
A system administration office desires to implement the following rules:
- An administrator that is designated as a skill level 3, with 5 years of experience, is allowed to perform system backups, upgrades, and local administration.
- An administrator that is designated as a skill level 5, with 10 years of experience, is permitted to perform all actions related to system administration.
Which of the following access control methods MUST be implemented to achieve this goal?

  • A. Role Based Access Control (RBAC)
  • B. Mandatory Access Control (MAC)
  • C. Discretionary Access Control (DAC)
  • D. Attribute Based Access Control (ABAC)

Answer: D
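The two rules from the question written as an attribute-based policy, as an added example that is not part of the question bank. Attribute names (skill_level, years_experience), the action vocabulary, and the reading that "5 years" and "10 years" mean at-least thresholds and that a higher skill level satisfies a lower one are all assumptions of this illustration; a deployment would pin those down in its own policy language:

```python
"""ABAC evaluation of the two administration rules in the question.

Added example, not from the question bank. Attribute names, action names and
the threshold semantics (>= on both skill level and years) are assumptions.
"""
from dataclasses import dataclass
from typing import Callable

# Constructed action vocabulary; "all actions related to system administration"
# is modelled as the whole set.
ALL_ACTIONS = frozenset({"backup", "upgrade", "local_admin",
                         "user_management", "network_config"})
LIMITED_ACTIONS = frozenset({"backup", "upgrade", "local_admin"})


@dataclass(frozen=True)
class Rule:
    description: str
    condition: Callable[[dict], bool]   # predicate over subject attributes
    actions: frozenset                  # what a match grants


POLICY = [
    Rule("skill level 3 with 5 years: backups, upgrades, local administration",
         lambda a: a.get("skill_level", 0) >= 3
         and a.get("years_experience", 0) >= 5,
         LIMITED_ACTIONS),
    Rule("skill level 5 with 10 years: all system administration actions",
         lambda a: a.get("skill_level", 0) >= 5
         and a.get("years_experience", 0) >= 10,
         ALL_ACTIONS),
]


def permitted_actions(attrs: dict) -> frozenset:
    """Union of the actions granted by every rule whose predicate holds.

    Deny-by-default: a subject matching no rule gets the empty set.
    """
    granted = set()
    for rule in POLICY:
        if rule.condition(attrs):
            granted |= rule.actions
    return frozenset(granted)


def is_permitted(attrs: dict, action: str) -> bool:
    if action not in ALL_ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    return action in permitted_actions(attrs)


def explain(attrs: dict) -> list:
    """Which rules fired for this subject (useful in an audit trail)."""
    return [r.description for r in POLICY if r.condition(attrs)]


if __name__ == "__main__":
    # Constructed subjects; note the third has the skill but not the years.
    for who, attrs in {"senior": {"skill_level": 5, "years_experience": 12},
                       "mid":    {"skill_level": 3, "years_experience": 5},
                       "new":    {"skill_level": 5, "years_experience": 2}}.items():
        print(who, sorted(permitted_actions(attrs)), explain(attrs))
```

The third subject is the reason the question's answer is ABAC rather than RBAC: a plain role table would have to grant "level 5 admin" everything, but the policy also depends on years of experience, a second attribute that changes over time without anyone reassigning a role. Combining the two attributes in the predicate is the whole point.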


NEW QUESTION # 139
Which of the following was developed to support multiple protocols as well as provide login, password, and error correction capabilities?

  • A. Challenge Handshake Authentication Protocol (CHAP)
  • B. Post Office Protocol (POP)
  • C. Password Authentication Protocol (PAP)
  • D. Point-to-Point Protocol (PPP)

Answer: A


NEW QUESTION # 140
The description of the database is called a schema. The schema is defined by which of the following?

  • A. Search Query Language (SQL).
  • B. Data Definition Language (DDL).
  • C. Data Manipulation Language (DML).
  • D. Data Control Language (DCL).

Answer: B

Explanation:
The description of the database is called a schema, and the schema is defined by a Data Definition Language (DDL).
A data definition language (DDL) or data description language (DDL) is a syntax similar to a computer programming language for defining data structures, especially database schemas.
The data definition language concept and name was first introduced in relation to the Codasyl database model, where the schema of the database was written in a language syntax describing the records, fields, and sets of the user data model. Later it was used to refer to a subset of Structured Query Language (SQL) for creating tables and constraints.
SQL-92 introduced a schema manipulation language and schema information tables to query schemas. These information tables were specified as SQL/Schemata in SQL:2003.
The term DDL is also used in a generic sense to refer to any formal language for describing data or information structures.
Data Definition Language (DDL) statements are used to define the database structure or schema.
*CREATE - to create objects in the database
*ALTER - alters the structure of the database
*DROP - delete objects from the database
*TRUNCATE - remove all records from a table, including all space allocated for the records
*COMMENT - add comments to the data dictionary
*RENAME - rename an object
The following answers were incorrect:
DCL - Data Control Language.
The Data Control Language (DCL) is a subset of the Structured Query Language (SQL) that allows database administrators to configure security access to relational databases. It complements the Data Definition Language (DDL), which is used to add and delete database objects, and the Data Manipulation Language (DML), which is used to retrieve, insert and modify the contents of a database. DCL is the simplest of the SQL subsets, as it consists of only three commands: GRANT, REVOKE, and DENY. Combined, these three commands provide administrators with the flexibility to set and remove database permissions in an extremely granular fashion.
DML - Data Manipulation Language.
The Data Manipulation Language (DML) is used to retrieve, insert and modify database information. These commands will be used by all database users during the routine operation of the database. Some of the commands are:
INSERT - allows addition of data
SELECT - used to query data from the DB; one of the most commonly used commands
UPDATE - allows updates to existing data
SQL - Structured Query Language.
Abbreviation of structured query language, pronounced either see-kwell or as separate letters. SQL is a standardized query language for requesting information from a database.
The original version, called SEQUEL (Structured English Query Language), was designed by an IBM research center in 1974 and 1975. SQL was first introduced as a commercial database system in 1979 by Oracle Corporation.
Reference(s) used for this question:
https://secure.wikimedia.org/wikipedia/en/wiki/Data_Definition_Language
The CISSP All In One (AIO) guide, Shon Harris, Sixth Edition, chapter 10 Software Development Security, page 1177.
http://databases.about.com/od/Advanced-SQL-Topics/a/Data-Control-Language-Dcl.htm
http://www.webopedia.com/TERM/S/SQL.html
http://www.w3schools.in/mysql/ddl-dml-dcl/
http://www.orafaq.com/faq/what_are_the_difference_between_ddl_dml_and_dcl_commands
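To make the DDL/DML distinction in the explanation concrete, here is an added example (not from the exam page or any of the references above) that runs DDL and DML statements against an in-memory SQLite database through Python's built-in sqlite3 module and reads the schema back from the data dictionary after each group. The table and column names are constructed for the illustration. It shows that CREATE and ALTER change what the schema describes, while INSERT and UPDATE change only the rows inside that schema.

```python
import sqlite3

# Added example (not from the exam page): DDL statements define the schema,
# DML statements only change the data held in it. Uses Python's built-in
# sqlite3 module with an in-memory database; table and column names are
# constructed for this illustration.

DDL_STATEMENTS = [
    "CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT NOT NULL)",
    "ALTER TABLE accounts ADD COLUMN locked INTEGER NOT NULL DEFAULT 0",
]

DML_STATEMENTS = [
    "INSERT INTO accounts (username) VALUES ('alice')",
    "INSERT INTO accounts (username) VALUES ('bob')",
    "UPDATE accounts SET locked = 1 WHERE username = 'bob'",
]


def schema_snapshot(conn):
    """Read the schema from the data dictionary: {table_name: [column names]}.

    sqlite_master is SQLite's catalogue of schema objects; PRAGMA table_info
    lists the columns of one table. Table names come from the catalogue
    itself, never from user input, so interpolating them here is safe.
    """
    tables = [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")]
    return {
        table: [col[1] for col in conn.execute(f"PRAGMA table_info({table})")]
        for table in tables
    }


def run_demo():
    """Apply the DDL, then the DML, snapshotting the schema after each phase."""
    conn = sqlite3.connect(":memory:")
    snapshots = {"before": schema_snapshot(conn)}      # empty database

    for stmt in DDL_STATEMENTS:                         # schema changes
        conn.execute(stmt)
    snapshots["after_ddl"] = schema_snapshot(conn)

    for stmt in DML_STATEMENTS:                         # data changes only
        conn.execute(stmt)
    snapshots["after_dml"] = schema_snapshot(conn)

    rows = conn.execute(
        "SELECT username, locked FROM accounts ORDER BY id").fetchall()
    conn.close()
    return snapshots, rows


if __name__ == "__main__":
    snaps, data = run_demo()
    for phase, schema in snaps.items():
        print(f"{phase:>10}: {schema}")
    print("rows:", data)
```

The "after_ddl" and "after_dml" snapshots are identical, which is the whole point: the schema is what DDL defines, and DML leaves it untouched. SQLite has no GRANT/REVOKE, so the DCL subset cannot be shown in this engine; on servers that support it, those statements change neither schema nor data but only who is allowed to run which statements against them.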


NEW QUESTION # 141
A public key algorithm that does both encryption and digital signature is which of the following?

  • A. IDEA
  • B. DES
  • C. DSS
  • D. RSA

Answer: D

Explanation:
"RSA, named after its inventors Ron Rivest, Adi Shamir, and Leonard Adleman, is a public key algorithm that is the most popular when it comes to asymmetric algorithms. RSA is a worldwide de facto standard and can be used for digital signatures, key exchange, and encryption."
Pg. 489 Shon Harris: All-In-One CISSP Certification Exam Guide
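The property the answer relies on, that one RSA key pair serves for both encryption and digital signatures, can be seen directly in the arithmetic. The following is an added example (not from the exam page or the cited book) in textbook RSA: the public key encrypts and the private key decrypts, while the private key signs a message digest and the public key verifies it. The primes are tiny and there is no padding scheme, so it illustrates the mechanism only; production use requires keys of 2048 bits or more with OAEP (encryption) or PSS (signatures) padding.

```python
import hashlib
from math import gcd

# Added example (not from the exam page): textbook RSA demonstrating that the
# same key pair provides both encryption and digital signatures. Tiny primes
# and no padding; for illustration only, never for real data.


def keygen(p, q, e=65537):
    """Build an RSA key pair from two primes (assumed prime; not checked)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = pow(e, -1, phi)           # private exponent: modular inverse of e
    return (n, e), (n, d)         # (public key, private key)


def encrypt(public_key, m):
    """Anyone with the public key can encrypt an integer message m < n."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(private_key, c):
    """Only the private key holder can recover m from the ciphertext."""
    n, d = private_key
    return pow(c, d, n)


def _digest_mod_n(message, n):
    # Hash-then-sign: reduce the SHA-256 digest into the RSA modulus range.
    # With a real modulus the digest already fits; with these toy primes the
    # reduction discards most of the digest, another reason this is a toy.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message):
    """The private key holder signs by raising the digest to d (mod n)."""
    n, d = private_key
    return pow(_digest_mod_n(message, n), d, n)


def verify(public_key, message, signature):
    """Anyone with the public key checks that signature^e recovers the digest."""
    n, e = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)


if __name__ == "__main__":
    # Constructed sample: two six-digit primes and a short message.
    pub, priv = keygen(1000003, 1000033)
    secret = 123456789
    print("decrypt(encrypt(m)) == m:", decrypt(priv, encrypt(pub, secret)) == secret)
    sig = sign(priv, b"approve transfer")
    print("signature verifies:", verify(pub, b"approve transfer", sig))
    print("tampered message verifies:", verify(pub, b"approve transfer!", sig))
```

Note the direction of each operation: encryption uses the public exponent e and decryption the private exponent d, whereas signing uses d and verification uses e. That is why the same key pair covers both uses, and why DSS (option C), which defines only a signature algorithm, does not.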


NEW QUESTION # 142
......

Correct and Up-to-date ISC CISSP BrainDumps: https://www.exam4docs.com/CISSP-study-questions.html

Current CISSP dumps Preparation through Our Practice Test: https://drive.google.com/open?id=19wTaj-DzVj5Y-XnYMeVA6Zb_C32o3wJI