CISSP · Réussir du premier coup
125 questions pondérées comme l'examen réel — conditions réelles, puis corrigé détaillé et auto-diagnostic par domaine.
Who is ultimately responsible for the security of an organization's information?
In Bell-LaPadula, the star (*) property enforces which rule?
Which port does LDAPS use?
During evidence collection on a running system, what should be captured FIRST?
Which method is appropriate to sanitize a solid-state drive?
Which biometric error is most serious from a security standpoint?
Which report proves a provider's controls operated effectively over the past year?
Which is the MOST effective defense against SQL injection?
A company researches risks thoroughly but implements no controls, then suffers a breach. Which is accurate?
A firewall crashes. Which failure mode protects the network's assets?
Which attack forges ARP replies to intercept LAN traffic?
What is the correct order of the first three ISC2 incident steps?
Under GDPR, a breach must be reported to the supervisory authority within what timeframe?
Which combination is TRUE multi-factor authentication?
Which algorithm provides RSA-equivalent strength with much shorter keys?
A vulnerability scan differs from a penetration test in that a scan:
Who is responsible for classifying data?
A full backup on Sunday plus daily incrementals: how many sets restore Thursday?
Which VPN protocol is obsolete due to weak encryption?
What does the "A" in ACID stand for?
A CISSP's client asks her to hide a breach that endangers the public. Which canon prevails?
Which TPM capability releases a key only if the boot measurements match?
OAuth 2.0 is fundamentally a protocol for what?
Which DR test carries the most risk and requires management approval?
A control costs $10,000/year to prevent an ALE of $2,000. What is BEST?
At which OSI layer does a router operate?
Which fire suppression agent is banned for ozone depletion?
In a gray box penetration test, the tester has:
Under GDPR, which technique takes data entirely out of scope?
Which malware propagates across a network without a host file?
Which threat modeling framework maps six threat categories to six properties?
Which access control model lets the resource owner decide access?
Which mode of DES should never be used because patterns show through?
Which vulnerability exploits the gap between check and use?
Which cloud control is stateful and applied to an instance?
Which is the most dangerous scan result?
Which recovery site activates in minutes but costs the most?
How long does patent protection last?
A digital signature is created by encrypting what with the sender's private key?
In Kerberos, what is issued after initial authentication?
Which Wi-Fi security introduces SAE?
Which data state is hardest to protect?
Which control is DETECTIVE and reveals fraud?
SLE × ARO equals what?
Which code review method follows six formal steps?
Which model uses well-formed transactions and the access triple?
Reading an access matrix by column (per object) gives what?
Which device separates broadcast domains?
What protects against a COTS vendor going out of business?
Which suppression system is preferred in data centers to avoid accidental water damage?
Which document is advisory rather than mandatory?
Which EAL corresponds to "methodically designed, tested, and reviewed"?
Which technology is specifically designed to resist phishing?
CVSS provides what?
Which converged protocols support VoIP?
When returning to the primary site, which functions move back FIRST?
Which term describes residual data after deletion?
Which risk response is buying cybersecurity insurance?
Which IPsec component provides encryption?
What is the degree of a relation?
What does OIDC add to OAuth 2.0?
Which RFC 1918 range is valid?
Which technology correlates logs across the organization?
Which auditor characteristic is fundamental?
Which principle states security should not depend on algorithm secrecy?
Which is the FIRST phase of the BCP?
Which classification level maps to "exceptionally grave damage"?
Which control grants admin rights only for the duration of a task?
Which firewall architecture uses two firewalls with a buffer zone?
What is a legal hold?
Which defense best mitigates XSS?
Which standard certifies an ISMS?
Which is the recommended humidity range for a data center?
Which attack tries one common password against many accounts?
Which team makes red and blue collaborate?
Which is the correct TCP handshake?
Enticement is legal; entrapment is:
Which repository tracks configuration items and their relationships?
Which law governs export of dual-use commercial encryption?
Which memory protection randomizes address layout?
Which term describes accumulating rights across role changes?
Which protocol transmits credentials in clear text?
Which testing analyzes source code without executing it?
Which backup does NOT clear the archive bit?
Which maturity model is maintained by OWASP for software assurance?
Which investigation requires "beyond a reasonable doubt"?
Which RAID level tolerates two simultaneous disk failures?
What is the fundamental requirement for accountability?
Which CASB mode works without agents, ideal for BYOD?
Which document defines the scope and prohibited actions of a pentest?
Ransomware that also exfiltrates and threatens to publish data uses:
The most effective protection for unnecessary personal data is to:
Which framework added the "Govern" function?
Which key encrypts a confidential message to Bob?
Which is the primary concern with SSO?
Which fiber type spans the longest distance?
Which incident step addresses the root cause?
Which SOC report is public and marketing-oriented?
In relational databases, cardinality is the number of:
Which risk analysis uses anonymous expert consensus?
Which suppression agent is lethal at extinguishing concentrations?
Which model uses labels and need-to-know, enforced by the system?
Which protocol secures LDAP queries?
Which metric is the average time between failures?
Which term means adapting a control baseline to the organization?
Which duty applies only to a professional's employers and clients?
What is the block size of AES?
Which is forward-looking and warns of rising risk?
Which EAP method is strongest, using certificates on both sides?
Which attack uses two 802.1Q tags to reach another VLAN?
Which order is correct from most to least volatile?
Which is one of the four Agile Manifesto values?
PCI DSS is BEST described as:
Which model changes access rights based on prior access history?
Which component enforces the access decision (the "door")?
Which server should be placed in the DMZ?
Which activity continuously replays known attack techniques?
Which roles apply under GDPR: a retailer decides purposes, a vendor processes?
What must precede any correlation of logs across systems?
Which control category are job rotation and mandatory vacations?
Which attack explains why 2DES is not used?
SAML is BEST described as:
Which practice prevents secrets from entering a code repository?
Who declares a disaster and activates the DR plan?
A vulnerability cannot be fixed in time. The correct action is to:
1-B · 2-B · 3-C · 4-B · 5-B · 6-B · 7-B · 8-B · 9-B · 10-B · 11-B · 12-B · 13-C · 14-C · 15-B · 16-B · 17-B · 18-B · 19-B · 20-B · 21-B · 22-B · 23-B · 24-D · 25-B · 26-B · 27-C · 28-B · 29-B · 30-B · 31-B · 32-B · 33-B · 34-B · 35-B · 36-B · 37-C · 38-B · 39-B · 40-B · 41-D · 42-C · 43-B · 44-B · 45-B · 46-C · 47-B · 48-C · 49-A · 50-C · 51-C · 52-B · 53-C · 54-B · 55-A · 56-B · 57-B · 58-C · 59-B · 60-B · 61-B · 62-B · 63-B · 64-B · 65-A · 66-C · 67-B · 68-B · 69-B · 70-B · 71-A · 72-C · 73-B · 74-B · 75-A · 76-B · 77-B · 78-B · 79-B · 80-B · 81-B · 82-B · 83-B · 84-C · 85-B · 86-C · 87-D · 88-B · 89-B · 90-A · 91-B · 92-B · 93-A · 94-C · 95-B · 96-B · 97-C · 98-C · 99-B · 100-A · 101-B · 102-B · 103-B · 104-B · 105-B · 106-C · 107-B · 108-B · 109-B · 110-B · 111-B · 112-B · 113-C · 114-C · 115-C · 116-B · 117-A · 118-B · 119-B · 120-B · 121-B · 122-B · 123-A · 124-B · 125-B
Les réponses reprennent les principes vus dans le cours ; voici les points de raisonnement clés pour les questions les plus discriminantes. Pour toute question ratée, retournez au chapitre indiqué (numéro · domaine).
Rechercher = diligence (savoir) ; ne rien implémenter = absence de care (agir). Chapitre 1.
10 000 $/an pour éviter 2 000 $ : irrationnel, on accepte. Chapitre 3.
La donnée doit être déchiffrée pour être traitée : l'état le plus dur (sauf homomorphe). Chapitre 5.
Fonctions les moins critiques d'abord : si le site reflanche, les vitales ne retombent pas. Chapitre 20.
Inciter au crime est illégal ; observer un attaquant décidé (enticement) est légal. Chapitre 19.
Chiffrer avec la clé publique de Bob : lui seul déchiffre. « Ta publique protège. » Chapitre 8.
Rend 2DES presque aussi faible que DES → 3DES. Chapitre 8.
Une exception documentée et signée transforme la faille en risque accepté. Chapitre 17.
| Domaine | Questions | Votre score | Seuil | Si < seuil : réviser |
|---|---|---|---|---|
| D1 | 1,9,13,21,25,31,38,44,51,58,66,72,79,86,93,100,106,113,120 (+) | /20 | 14 | Chapitres 1–3 |
| D2 | 5,17,29,42,57,67,78,92,105,118 (+) | /12 | 8 | Chapitres 4–5 |
| D3 | 2,10,15,22,27,33,39,46,52,59,65,73,80,87,94,101,107,114,121 (+) | /16 | 11 | Chapitres 6–9 |
| D4 | 3,11,19,26,35,41,48,55,62,69,76,82,89,96,103,110,116,122 (+) | /16 | 11 | Chapitres 10–12 |
| D5 | 6,14,23,32,40,47,53,61,68,74,81,88,95,102,109,115 (+) | /16 | 11 | Chapitres 13–15 |
| D6 | 7,16,28,36,45,54,64,75,83,90,98,108,117,125 (+) | /15 | 10 | Chapitres 16–17 |
| D7 | 4,12,18,24,30,37,43,50,56,63,70,77,84,91,97,104,111,119,124 (+) | /17 | 12 | Chapitres 18–21 |
| D8 | 8,20,34,49,60,71,85,99,112,123 (+) | /13 | 9 | Chapitres 22–23 |
≥ 70 % global (≥ 88/125) et aucun domaine sous son seuil : vous pouvez réserver l'examen. Un ou deux domaines faibles : re-drillez-les avec le chapitre 29 avant l'examen blanc n° 2 (chapitre 26). Sous 60 % global : reprenez le cours des domaines concernés avant de réattaquer un blanc.