ISC CISSP-ISSAP Exam (page: 7)
ISC CISSP-ISSAP Information Systems Security Architecture Professional
Updated on: 15-Dec-2025


John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.we-are-secure.com. John notices that the We-are-secure network is vulnerable to a man-in-the-middle attack, since the key exchange process of the cryptographic algorithm it is using does not authenticate the participants.
Which of the following cryptographic algorithms is being used by the We-are-secure server?

  1. Blowfish
  2. Twofish
  3. RSA
  4. Diffie-Hellman

Answer(s): D

Explanation:

According to this scenario, we-are-secure.com is using the Diffie-Hellman cryptographic algorithm to encrypt data on the network. The Diffie-Hellman algorithm was developed by Diffie and Hellman in 1976 and published in the paper named "New Directions in Cryptography." It is a key agreement protocol (also called exponential key agreement) that allows two users to exchange a secret key over an insecure medium (such as the Internet) without any prior secrets. The original protocol had two system parameters, p and g. They are both public and may be used by all the users in a system. The Diffie-Hellman key exchange was vulnerable to a man-in-the-middle attack, as the Diffie-Hellman key exchange does not authenticate the participants.
The current form of the Diffie-Hellman protocol (also known as the authenticated Diffie-Hellman key agreement protocol, or Station-to-Station (STS) protocol) was developed by Diffie, Van Oorschot, and Wiener in 1992 to overcome the man-in-the-middle attack. This is achieved by allowing the two parties to authenticate themselves to each other by the use of digital signatures and public-key certificates. The Diffie-Hellman protocol is an example of a much more general cryptographic technique, the common element being the derivation of a shared secret value (that is, a key) from one party's public key and another party's private key. The parties' key pairs may be generated anew at each run of the protocol, as in the original Diffie-Hellman protocol; the public keys may be certified so that the parties can be authenticated; and there may be a combination of these attributes.
Answer option C is incorrect. The RSA algorithm is an example of a public key algorithm in which the public key is generated from the private key. In the RSA algorithm, public and private keys are generated as follows:
1. Choose two large prime numbers p and q of equal length, and compute n = p*q.
2. Choose a random public key e such that e and (p-1)*(q-1) are relatively prime.
3. Calculate d such that e*d = 1 mod [(p-1)*(q-1)]. Here, d is the private key.
4. Equivalently, calculate d = e^(-1) mod [(p-1)*(q-1)].
5. Now (e, n) and (d, n) are the public and private keys respectively.
Answer option A is incorrect. Blowfish is a symmetric 64-bit block cipher that can support key lengths up to 448 bits. It is included in a large number of cipher suites and encryption products. It was designed in 1993 by Bruce Schneier and is freely available for anyone to use. This has contributed to its popularity in cryptographic software.



Jasmine is creating a presentation. She wants to ensure the integrity and authenticity of the presentation.
Which of the following will she use to accomplish the task?

  1. Mark as final
  2. Digital Signature
  3. Restrict Permission
  4. Encrypt Document

Answer(s): B

Explanation:

A digital signature uses a cryptographic mechanism to ensure the integrity of a presentation. A digital signature is an authentication tool that is used to ensure the integrity and non-repudiation of a presentation: the signature is computed with the signer's private key and checked with the corresponding public key, so any change to the signed content makes the check fail. The document for a digital signature can be a presentation, a message, or an email.
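Two points on this page lend themselves to a worked example: the Diffie-Hellman question explains that an unauthenticated exchange gives the participants no way to tell whether the value they received came from their peer or from a relaying third party, and that STS closes this gap with signatures over the exchanged values; the digital-signature question states that a signature detects any change to the signed content. The following Python is an added illustration of both and is not part of the exam material. It follows the five RSA key-generation steps given in the Diffie-Hellman explanation, using the textbook primes 61 and 53 with e = 17 to show the arithmetic, the classic toy Diffie-Hellman group p = 23, g = 5, and, for the signing keys only, two well-known Mersenne primes (2^127 - 1 and 2^521 - 1) chosen so that a SHA-256 digest is smaller than n and no reduction is needed. The parameters, the private exponents 6, 15 and 13, and the names Alice, Bob and the relay are all constructed for the demonstration; none of this is a usable key-exchange or signature implementation. Requires Python 3.8 or later for `pow(e, -1, phi)`.

```python
import hashlib
from math import gcd

# ---------- Textbook RSA, following the five key-generation steps ----------
def rsa_keygen(p, q, e=65537):
    """Return ((e, n), (d, n)). p and q must be prime; e must be coprime to phi."""
    n = p * q                          # step 1: n = p*q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:               # step 2: e and (p-1)(q-1) relatively prime
        raise ValueError("e is not coprime to (p-1)*(q-1)")
    d = pow(e, -1, phi)                # steps 3-4: d = e^(-1) mod (p-1)(q-1)
    return (e, n), (d, n)              # step 5: (e, n) public, (d, n) private

def _digest_as_int(msg, n):
    # SHA-256 digest as an integer; with the signing keys below it is already < n.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def rsa_sign(priv, msg):
    d, n = priv
    return pow(_digest_as_int(msg, n), d, n)

def rsa_verify(pub, msg, sig):
    e, n = pub
    return pow(sig, e, n) == _digest_as_int(msg, n)

# Signing keys: two well-known Mersenne primes (a constructed toy choice, not how
# real keys are generated) so that n exceeds 2^256 and the digest is not reduced.
SIGNING_PRIMES = (2**127 - 1, 2**521 - 1)

# ---------- Toy Diffie-Hellman over the classic textbook group ----------
P, G = 23, 5   # constructed toy parameters; real groups are 2048 bits or larger

def dh_public(priv):
    return pow(G, priv, P)

def dh_shared(peer_public, priv):
    return pow(peer_public, priv, P)

def unauthenticated_exchange(a, b, m=None):
    """Alice (exponent a) and Bob (exponent b) exchange g^a and g^b.
    If a relaying third party with exponent m is present, each side receives
    g^m instead of the other's value. Returns (alice_key, bob_key)."""
    A, B = dh_public(a), dh_public(b)
    if m is None:
        return dh_shared(B, a), dh_shared(A, b)
    M = dh_public(m)
    # Nothing in the protocol lets Alice or Bob notice the substitution:
    # g^m is just another group element. That is the gap STS closes.
    return dh_shared(M, a), dh_shared(M, b)

def encode(*values):
    """Canonical byte string for the pair of exponentials that gets signed."""
    return b"|".join(str(v).encode() for v in values)

def authenticated_exchange(a, b, alice_keys, substituted_A=None):
    """STS-style run: Alice signs (A, B) with her long-term RSA key and Bob
    verifies it with her certified public key before trusting the key.
    Returns (bob_accepts, alice_key, bob_key)."""
    alice_pub, alice_priv = alice_keys
    A, B = dh_public(a), dh_public(b)
    sig = rsa_sign(alice_priv, encode(A, B))
    seen_A = A if substituted_A is None else substituted_A  # what Bob received
    accepted = rsa_verify(alice_pub, encode(seen_A, B), sig)
    return accepted, dh_shared(B, a), dh_shared(seen_A, b)

def tamper_detected(pub, priv, original, altered):
    """Digital-signature integrity check: sign `original`, then confirm the
    signature verifies on `original` and fails on `altered`."""
    sig = rsa_sign(priv, original)
    return rsa_verify(pub, original, sig) and not rsa_verify(pub, altered, sig)

if __name__ == "__main__":
    print("RSA textbook keys:", rsa_keygen(61, 53, e=17))
    alice_keys = rsa_keygen(*SIGNING_PRIMES)
    print("plain DH, honest:", unauthenticated_exchange(6, 15))
    print("plain DH, relayed:", unauthenticated_exchange(6, 15, m=13))
    print("STS, honest:", authenticated_exchange(6, 15, alice_keys))
    print("STS, substituted value rejected:",
          not authenticated_exchange(6, 15, alice_keys, substituted_A=dh_public(13))[0])
    print("signature detects edit:",
          tamper_detected(*alice_keys, b"Q3 deck v1", b"Q3 deck v2"))
```

In the plain run both sides derive the same key (2); with a relay present Alice and Bob end up holding different keys (18 and 7), each shared with the relay rather than with each other, and nothing in the protocol tells them so. In the STS-style run the same substitution makes Bob's signature check fail, because Alice signed the exponential she actually sent, not the one Bob received. The last call is the presentation case: one signature over the original bytes verifies, and the same signature over an edited copy does not.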



John works as a Programmer for We-are-secure Inc. On one of his routine visits to the company, he noted down the passwords of the employees while they were typing them on their computer screens.
Which of the following social engineering attacks did he just perform?

  1. Important user posing
  2. Shoulder surfing
  3. Dumpster diving
  4. Authorization by third party

Answer(s): B

Explanation:

In the given scenario, John was performing a shoulder surfing attack. Shoulder surfing is a type of in-person attack in which an attacker gathers information on the premises of an organization. This attack is often performed by looking surreptitiously at the keyboard of an employee's computer while he is typing in his password at any access point, such as a terminal or Web site. An attacker can also gather information by looking at open documents on the employee's desk, notices posted on notice boards, etc.
Answer option C is incorrect. John was not performing a dumpster diving attack. Dumpster diving is a term that refers to going through someone's trash to find out useful or confidential information. Dumpster divers check and separate items from commercial or residential trash to get any information they desire. This information may be used for identity theft and for breaking physical information security.
Answer option A is incorrect. John was not carrying out an Important user posing attack. In this attack, the attacker pretends to be an important member of the organization. These attacks work because there is a common belief that it is not good to question authority.
Answer option D is incorrect. John was not performing an Authorization by third party attack. In this attack, the attacker misleads the victim into believing that he has approval from a third party. Such types of attacks work because it is generally believed that most people are good and are being truthful about what they are saying.



Which of the following electrical events shows a sudden drop of the power source that can cause a wide variety of problems on a PC or a network?

  1. Blackout
  2. Power spike
  3. Power sag
  4. Power surge

Answer(s): A

Explanation:

A blackout indicates a complete loss of a PC's electrical source. It is an event that shows a sudden drop of the power source that can cause a wide variety of problems on a PC or a network. A blackout is not necessarily a power failure over an entire area; it can be confined to a section or part of a building, a city, or any other larger area. It is caused by electrical storms, traffic accidents involving utility poles, or a total collapse of the power system due to demand overload.
Answer option D is incorrect. A power surge is a sharp increase in the voltage, or an over-voltage event. It is a short and temporary increase in voltage on the power grid, like a rough wave. Different types of electrical disturbance, such as a lightning storm, distant lightning strikes, or problems on the electrical power supply grid, can cause the voltage to suddenly increase.
Answer option B is incorrect. A power spike is a sudden, isolated, extremely high over-voltage event on an electrical line. The primary cause of a power spike is a lightning strike. Lightning carries millions of volts, and if a home or office takes a direct hit, a PC along with other devices is likely to be heavily damaged. A direct strike is a rare event, but a strike within a mile can create a sudden spike in the electrical current near the strike.



Which of the following is the duration of time and a service level within which a business process must be restored after a disaster in order to avoid unacceptable consequences associated with a break in business continuity?

  1. RCO
  2. RTO
  3. RPO
  4. RTA

Answer(s): B

Explanation:

The Recovery Time Objective (RTO) is the duration of time and a service level within which a business process must be restored after a disaster or disruption in order to avoid unacceptable consequences associated with a break in business continuity. It includes the time for trying to fix the problem without a recovery, the recovery itself, tests, and the communication to the users. Decision time for the user representative is not included. The business continuity timeline usually runs parallel with an incident management timeline and may start at the same, or different, points.
In accepted business continuity planning methodology, the RTO is established during the Business Impact Analysis (BIA) by the owner of a process (usually in conjunction with the Business Continuity planner). The RTOs are then presented to senior management for acceptance.
The RTO attaches to the business process and not to the resources required to support the process.
Answer option D is incorrect. The Recovery Time Actual (RTA) is established during an exercise or actual event, or predetermined based on the recovery methodology the technology support team develops. This is the time frame the technology support team takes to deliver the recovered infrastructure to the business.
Answer option A is incorrect. The Recovery Consistency Objective (RCO) is used in Business Continuity Planning in addition to the Recovery Point Objective (RPO) and Recovery Time Objective (RTO). It applies data consistency objectives to Continuous Data Protection services.
Answer option C is incorrect. The Recovery Point Objective (RPO) describes the acceptable amount of data loss measured in time. It is the point in time to which data must be recovered, as defined by the organization. The RPO is generally a definition of what an organization determines is an "acceptable loss" in a disaster situation. If the RPO of a company is 2 hours and the time it takes to get the data back into production is 5 hours, the RPO is still 2 hours. Based on this RPO, the data must be restored to within 2 hours of the disaster.






Share your comments for ISC CISSP-ISSAP exam with other users:

Mouli 9/2/2023 7:02:00 AM

question 75: option c is correct answer
Anonymous


JugHead 9/27/2023 2:40:00 PM

please add this exam
Anonymous


sushant 6/28/2023 4:38:00 AM

please upload
EUROPEAN UNION


John 8/7/2023 12:09:00 AM

has anyone recently attended safe 6.0 certification? is it the same question from here.
Anonymous


Blessious Phiri 8/14/2023 3:49:00 PM

expository experience
Anonymous


concerned citizen 12/29/2023 11:31:00 AM

52 should be b&c. controller failure has nothing to do with this type of issue. degraded state tells us it's a raid issue, and if the os is missing then the bootable device isn't found. the only other consideration could be data loss but that's somewhat broad whereas b&c show understanding of the specific issues the question is asking about.
UNITED STATES


deedee 12/23/2023 5:10:00 PM

great help!!!
UNITED STATES


Samir 8/1/2023 3:07:00 PM

very useful tools
UNITED STATES


Saeed 11/7/2023 3:14:00 AM

looks a good platform to prepare az-104
Anonymous


Matiullah 6/24/2023 7:37:00 AM

want to pass the exam
Anonymous


SN 9/5/2023 2:25:00 PM

good resource
UNITED STATES


Zoubeyr 9/8/2023 5:56:00 AM

question 11 : d
FRANCE


User 8/29/2023 3:24:00 AM

only the free dumps will be enough for pass, or have to purchase the premium one. please suggest.
Anonymous


CW 7/6/2023 7:37:00 PM

good questions. thanks.
Anonymous


Farooqi 11/21/2023 1:37:00 AM

good for practice.
INDIA


Isaac 10/28/2023 2:30:00 PM

great case study
UNITED STATES


Malviya 2/3/2023 9:10:00 AM

the questions in this exam dump are valid. i passed my test last monday. i only wish they had their pricing in inr instead of usd. but it is still worth it.
INDIA


rsmyth 5/18/2023 12:44:00 PM

q40 the answer is not d, why are you giving incorrect answers? snapshot consolidation is used to merge the snapshot delta disk files to the vm base disk
IRELAND


Keny 6/23/2023 9:00:00 PM

thanks, very relevant
PERU


Muhammad Rawish Siddiqui 11/29/2023 12:14:00 PM

wrong answer. it is true not false.
SAUDI ARABIA


Josh 7/10/2023 1:54:00 PM

please i need the mo-100 questions
Anonymous


VINNY 6/2/2023 11:59:00 AM

very good, useful
Anonymous


Andy 12/6/2023 5:56:00 AM

very valid questions
Anonymous


Mamo 8/12/2023 7:46:00 AM

will these question help me to clear pl-300 exam?
UNITED STATES


Marial Manyang 7/26/2023 10:13:00 AM

please provide me with these dumps questions. thanks
Anonymous


Amel Mhamdi 12/16/2022 10:10:00 AM

in the pdf downloaded it is written google cloud database engineer, i think that it isn't the correct exam
FRANCE


Angel 8/30/2023 10:58:00 PM

i think you have the answers wrong regarding question: "what are three core principles of web content accessibility guidelines (wcag)? answer: robust, operable, understandable
UNITED STATES


SH 5/16/2023 1:43:00 PM

these questions are not valid, they don't come for the exam now
UNITED STATES


sudhagar 9/6/2023 3:02:00 PM

question looks valid
UNITED STATES


Van 11/24/2023 4:02:00 AM

good for practice
Anonymous


Divya 8/2/2023 6:54:00 AM

need more q&a to go ahead
Anonymous


Rakesh 10/6/2023 3:06:00 AM

question 59 - a newly-created role is not assigned to any user, nor granted to any other role. answer is b https://docs.snowflake.com/en/user-guide/security-access-control-overview
Anonymous


Nik 11/10/2023 4:57:00 AM

just passed my exam today. i saw all of these questions in my text today. so i can confirm this is a valid dump.
HONG KONG


Deep 6/12/2023 7:22:00 AM

needed dumps
INDIA