CISSP · Réussir du premier coup

Chapitre 25
Examen blanc
n° 1

125 questions pondérées comme l'examen réel — conditions réelles, puis corrigé détaillé et auto-diagnostic par domaine.

Durée cible
2 h 30 · sans notes, sans pause
Répartition
D1 20 · D2 12 · D3 16 · D4 16 · D5 16 · D6 15 · D7 17 · D8 13
Seuil
≥ 70 % global avant de réserver
Mode d'emploi
  • Traitez les 125 questions d'affilée, chronomètre lancé, sans consulter le corrigé — notez vos réponses sur papier.
  • Questions mélangées (pas groupées par domaine) et en anglais, comme le jour J.
  • Repérez le mot-clé (BEST, FIRST, MOST, NOT) et appliquez le réflexe manager (chapitre 0).
  • Après coup : grille de réponses, corrigé question par question, puis table d'auto-diagnostic par domaine.
  • Objectif : ≥ 70 % global et repérer les domaines faibles à re-driller (chapitre 29).

QuestionsLes 125 questions

1 · D1

Who is ultimately responsible for the security of an organization's information?

  1. The CISO
  2. Senior management
  3. The security operations team
  4. Each user
2 · D3

In Bell-LaPadula, the star (*) property enforces which rule?

  1. No read up
  2. No write down
  3. No read down
  4. No write up
3 · D4

Which port does LDAPS use?

  1. 389
  2. 443
  3. 636
  4. 3389
4 · D7

During evidence collection on a running system, what should be captured FIRST?

  1. The hard drive
  2. RAM and registers/cache
  3. Backup tapes
  4. Remote archives
5 · D2

Which method is appropriate to sanitize a solid-state drive?

  1. Degaussing
  2. Cryptographic erasure or physical destruction
  3. A single quick format
  4. Moving files to the recycle bin
6 · D5

Which biometric error is most serious from a security standpoint?

  1. False rejection (Type I)
  2. False acceptance (Type II)
  3. Enrollment delay
  4. Low throughput
7 · D6

Which report proves a provider's controls operated effectively over the past year?

  1. SOC 2 Type I
  2. SOC 2 Type II
  3. SOC 3
  4. A marketing whitepaper
8 · D8

Which is the MOST effective defense against SQL injection?

  1. Hiding the DB version
  2. Parameterized queries and input validation
  3. Renaming tables
  4. Disabling the firewall
9 · D1

A company researches risks thoroughly but implements no controls, then suffers a breach. Which is accurate?

  1. Due care but not due diligence
  2. Due diligence but not due care
  3. Both
  4. Neither is relevant
10 · D3

A firewall crashes. Which failure mode protects the network's assets?

  1. Fail-open
  2. Fail-closed
  3. Fail to allow-all
  4. Display debug info
11 · D4

Which attack forges ARP replies to intercept LAN traffic?

  1. SYN flood
  2. ARP poisoning
  3. VLAN hopping
  4. Smurf
12 · D7

What is the correct order of the first three ISC2 incident steps?

  1. Response, detection, recovery
  2. Detection, response, mitigation
  3. Mitigation, detection, response
  4. Reporting, detection, response
13 · D1

Under GDPR, a breach must be reported to the supervisory authority within what timeframe?

  1. 24 hours
  2. 48 hours
  3. 72 hours
  4. 30 days
14 · D5

Which combination is TRUE multi-factor authentication?

  1. Password + security question
  2. Two passwords
  3. Password + hardware token code
  4. PIN + passphrase
15 · D3

Which algorithm provides RSA-equivalent strength with much shorter keys?

  1. 3DES
  2. ECC
  3. MD5
  4. Blowfish
16 · D6

A vulnerability scan differs from a penetration test in that a scan:

  1. Exploits weaknesses
  2. Identifies weaknesses without exploiting them
  3. Is always manual
  4. Requires no authorization
17 · D2

Who is responsible for classifying data?

  1. The database administrator
  2. The data owner
  3. The CISO
  4. The auditor
18 · D7

A full backup on Sunday plus daily incrementals: how many sets restore Thursday?

  1. 2
  2. 5
  3. 1
  4. 7
19 · D4

Which VPN protocol is obsolete due to weak encryption?

  1. IPsec
  2. PPTP
  3. SSL/TLS VPN
  4. L2TP/IPsec
20 · D8

What does the "A" in ACID stand for?

  1. Availability
  2. Atomicity
  3. Authentication
  4. Access
21 · D1

A CISSP's client asks her to hide a breach that endangers the public. Which canon prevails?

  1. Serve the client diligently
  2. Protect society and the infrastructure
  3. Advance the profession
  4. Preserve confidentiality
22 · D3

Which TPM capability releases a key only if the boot measurements match?

  1. Binding
  2. Sealing
  3. Escrow
  4. Remote wipe
23 · D5

OAuth 2.0 is fundamentally a protocol for what?

  1. Authentication
  2. Authorization
  3. Encryption
  4. Auditing
24 · D7

Which DR test carries the most risk and requires management approval?

  1. Checklist
  2. Tabletop
  3. Parallel
  4. Full interruption
25 · D1

A control costs $10,000/year to prevent an ALE of $2,000. What is BEST?

  1. Implement it for due diligence
  2. Accept the risk
  3. Transfer via insurance and implement
  4. Reject the assessment
26 · D4

At which OSI layer does a router operate?

  1. Layer 2
  2. Layer 3
  3. Layer 4
  4. Layer 7
27 · D3

Which fire suppression agent is banned for ozone depletion?

  1. FM-200
  2. Inergen
  3. Halon
  4. CO₂
28 · D6

In a gray box penetration test, the tester has:

  1. No information
  2. Partial knowledge
  3. Complete knowledge
  4. Only source code
29 · D2

Under GDPR, which technique takes data entirely out of scope?

  1. Pseudonymization
  2. True anonymization
  3. Encryption with escrow
  4. Masking
30 · D7

Which malware propagates across a network without a host file?

  1. Virus
  2. Worm
  3. Trojan
  4. Logic bomb
31 · D1

Which threat modeling framework maps six threat categories to six properties?

  1. PASTA
  2. STRIDE
  3. DREAD
  4. Trike
32 · D5

Which access control model lets the resource owner decide access?

  1. MAC
  2. DAC
  3. RBAC
  4. ABAC
33 · D3

Which mode of DES should never be used because patterns show through?

  1. CBC
  2. ECB
  3. CTR
  4. OFB
34 · D8

Which vulnerability exploits the gap between check and use?

  1. Buffer overflow
  2. TOCTOU race condition
  3. SQL injection
  4. CSRF
35 · D4

Which cloud control is stateful and applied to an instance?

  1. Network ACL
  2. Security group
  3. VLAN
  4. VXLAN
36 · D6

Which is the most dangerous scan result?

  1. False positive
  2. False negative
  3. True positive
  4. True negative
37 · D7

Which recovery site activates in minutes but costs the most?

  1. Cold
  2. Warm
  3. Hot
  4. Reciprocal
38 · D1

How long does patent protection last?

  1. Life + 70 years
  2. 20 years from filing
  3. 10 years renewable
  4. Indefinitely
39 · D3

A digital signature is created by encrypting what with the sender's private key?

  1. The whole message
  2. The message hash
  3. The recipient's public key
  4. A session key
40 · D5

In Kerberos, what is issued after initial authentication?

  1. A service ticket
  2. A TGT
  3. An ACL
  4. A certificate
41 · D4

Which Wi-Fi security introduces SAE?

  1. WEP
  2. WPA
  3. WPA2
  4. WPA3
42 · D2

Which data state is hardest to protect?

  1. At rest
  2. In transit
  3. In use
  4. In escrow
43 · D7

Which control is DETECTIVE and reveals fraud?

  1. Encryption
  2. Mandatory vacations
  3. A firewall
  4. Least privilege
44 · D1

SLE × ARO equals what?

  1. EF
  2. ALE
  3. AV
  4. MTD
45 · D6

Which code review method follows six formal steps?

  1. Pair programming
  2. Fagan inspection
  3. Fuzzing
  4. Regression testing
46 · D3

Which model uses well-formed transactions and the access triple?

  1. Bell-LaPadula
  2. Biba
  3. Clark-Wilson
  4. Brewer-Nash
47 · D5

Reading an access matrix by column (per object) gives what?

  1. A capability table
  2. An ACL
  3. A security label
  4. A role
48 · D4

Which device separates broadcast domains?

  1. Hub
  2. Layer 2 switch
  3. Router
  4. Repeater
49 · D8

What protects against a COTS vendor going out of business?

  1. Source code escrow
  2. A firewall
  3. A honeypot
  4. A VPN
50 · D7

Which suppression system is preferred in data centers to avoid accidental water damage?

  1. Wet pipe
  2. Dry pipe
  3. Pre-action
  4. Deluge
51 · D1

Which document is advisory rather than mandatory?

  1. Standard
  2. Baseline
  3. Guideline
  4. Procedure
52 · D3

Which EAL corresponds to "methodically designed, tested, and reviewed"?

  1. EAL2
  2. EAL4
  3. EAL6
  4. EAL7
53 · D5

Which technology is specifically designed to resist phishing?

  1. SMS codes
  2. Security questions
  3. FIDO2 / passkeys
  4. Static passwords
54 · D6

CVSS provides what?

  1. A unique vulnerability identifier
  2. A severity score from 0 to 10
  3. A firewall rule
  4. An algorithm
55 · D4

Which converged protocols support VoIP?

  1. SIP and RTP/SRTP
  2. FCoE and iSCSI
  3. DNP3 and Modbus
  4. SMTP and IMAP
56 · D7

When returning to the primary site, which functions move back FIRST?

  1. The most critical
  2. The least critical
  3. All at once
  4. Only the database
57 · D2

Which term describes residual data after deletion?

  1. Retention
  2. Data remanence
  3. Replication
  4. Aggregation
58 · D1

Which risk response is buying cybersecurity insurance?

  1. Mitigation
  2. Avoidance
  3. Transference
  4. Acceptance
59 · D3

Which IPsec component provides encryption?

  1. AH
  2. ESP
  3. IKE only
  4. SOCKS
60 · D8

What is the degree of a relation?

  1. Number of rows
  2. Number of columns
  3. Number of tables
  4. Number of keys
61 · D5

What does OIDC add to OAuth 2.0?

  1. A hardware token
  2. An authentication layer (id_token)
  3. A firewall
  4. A vault
62 · D4

Which RFC 1918 range is valid?

  1. 169.254.0.0/16
  2. 172.16.0.0/12
  3. 127.0.0.0/8
  4. 224.0.0.0/4
63 · D7

Which technology correlates logs across the organization?

  1. SOAR
  2. SIEM
  3. IDS
  4. DNS
64 · D6

Which auditor characteristic is fundamental?

  1. Reports to the audited team
  2. Independence from the audited function
  3. Also administers the systems
  4. Owns the assets
65 · D3

Which principle states security should not depend on algorithm secrecy?

  1. Kerckhoffs's principle
  2. Least privilege
  3. Defense in depth
  4. Separation of duties
66 · D1

Which is the FIRST phase of the BCP?

  1. BIA
  2. Continuity planning
  3. Project scope and planning
  4. Approval and implementation
67 · D2

Which classification level maps to "exceptionally grave damage"?

  1. Secret
  2. Top Secret
  3. Confidential
  4. Unclassified
68 · D5

Which control grants admin rights only for the duration of a task?

  1. Permanent admin accounts
  2. Just-in-time elevation
  3. Shared root
  4. Disabling MFA
69 · D4

Which firewall architecture uses two firewalls with a buffer zone?

  1. Screened host
  2. Screened subnet (DMZ)
  3. Single-homed
  4. Router only
70 · D7

What is a legal hold?

  1. An encryption method
  2. A suspension of destruction for relevant data
  3. A backup rotation
  4. A firewall rule
71 · D8

Which defense best mitigates XSS?

  1. Output encoding and CSP
  2. Longer passwords
  3. Disabling cookies
  4. Degaussing
72 · D1

Which standard certifies an ISMS?

  1. ISO 27002
  2. NIST 800-53
  3. ISO 27001
  4. CIS Controls
73 · D3

Which is the recommended humidity range for a data center?

  1. 10–20%
  2. 40–60%
  3. 70–90%
  4. Below 10%
74 · D5

Which attack tries one common password against many accounts?

  1. Brute force
  2. Password spraying
  3. Credential stuffing
  4. Rainbow table
75 · D6

Which team makes red and blue collaborate?

  1. Purple
  2. White
  3. Green
  4. Gold
76 · D4

Which is the correct TCP handshake?

  1. ACK, SYN, SYN/ACK
  2. SYN, SYN/ACK, ACK
  3. SYN, ACK, FIN
  4. SYN/ACK, SYN, ACK
77 · D7

Enticement is legal; entrapment is:

  1. Also legal
  2. Illegal, inducing a crime
  3. A backup method
  4. A honeypot type
78 · D2

Which repository tracks configuration items and their relationships?

  1. Data dictionary
  2. CMDB
  3. Risk register
  4. BIA
79 · D1

Which law governs export of dual-use commercial encryption?

  1. ITAR
  2. EAR
  3. FISMA
  4. HIPAA
80 · D3

Which memory protection randomizes address layout?

  1. DEP
  2. ASLR
  3. Process isolation
  4. Ring 3
81 · D5

Which term describes accumulating rights across role changes?

  1. Privilege escalation
  2. Privilege creep
  3. Separation of duties
  4. Break-glass
82 · D4

Which protocol transmits credentials in clear text?

  1. CHAP
  2. PAP
  3. EAP-TLS
  4. Kerberos
83 · D6

Which testing analyzes source code without executing it?

  1. DAST
  2. SAST
  3. IAST
  4. Fuzzing
84 · D7

Which backup does NOT clear the archive bit?

  1. Full
  2. Incremental
  3. Differential
  4. None
85 · D8

Which maturity model is maintained by OWASP for software assurance?

  1. CMMI
  2. SAMM
  3. ITIL
  4. COBIT
86 · D1

Which investigation requires "beyond a reasonable doubt"?

  1. Administrative
  2. Civil
  3. Criminal
  4. Regulatory
87 · D3

Which RAID level tolerates two simultaneous disk failures?

  1. RAID 0
  2. RAID 1
  3. RAID 5
  4. RAID 6
88 · D5

What is the fundamental requirement for accountability?

  1. Shared accounts
  2. Individual, attributable identities
  3. Anonymous access
  4. No logging
89 · D4

Which CASB mode works without agents, ideal for BYOD?

  1. Forward proxy
  2. Reverse proxy
  3. Log collection
  4. Endpoint DLP
90 · D6

Which document defines the scope and prohibited actions of a pentest?

  1. Rules of engagement
  2. SLA
  3. BIA
  4. Incident response plan
91 · D7

Ransomware that also exfiltrates and threatens to publish data uses:

  1. Single extortion
  2. Double extortion
  3. Amplification
  4. Spoofing
92 · D2

The most effective protection for unnecessary personal data is to:

  1. Encrypt it
  2. Not collect it
  3. Isolate it
  4. Anonymize it later
93 · D1

Which framework added the "Govern" function?

  1. NIST CSF 2.0
  2. ISO 27001
  3. COBIT
  4. PCI DSS
94 · D3

Which key encrypts a confidential message to Bob?

  1. Alice's private key
  2. Alice's public key
  3. Bob's public key
  4. Bob's private key
95 · D5

Which is the primary concern with SSO?

  1. Too many passwords
  2. One compromised identity unlocks all services
  3. Cannot be cloud-based
  4. Disables logging
96 · D4

Which fiber type spans the longest distance?

  1. Multimode
  2. Single-mode
  3. Cat6a
  4. Coaxial
97 · D7

Which incident step addresses the root cause?

  1. Detection
  2. Recovery
  3. Remediation
  4. Reporting
98 · D6

Which SOC report is public and marketing-oriented?

  1. SOC 1
  2. SOC 2
  3. SOC 3
  4. SOC 2 Type I
99 · D8

In relational databases, cardinality is the number of:

  1. Columns
  2. Rows
  3. Tables
  4. Keys
100 · D1

Which risk analysis uses anonymous expert consensus?

  1. Delphi technique
  2. Fagan inspection
  3. Monte Carlo
  4. Reduction analysis
101 · D3

Which suppression agent is lethal at extinguishing concentrations?

  1. FM-200
  2. CO₂
  3. Water
  4. Inergen
102 · D5

Which model uses labels and need-to-know, enforced by the system?

  1. DAC
  2. MAC
  3. RBAC
  4. Rule-based
103 · D4

Which protocol secures LDAP queries?

  1. LDAP on 389
  2. LDAPS on 636
  3. Kerberos on 88
  4. SMTP on 25
104 · D7

Which metric is the average time between failures?

  1. MTTR
  2. MTBF
  3. MTTF
  4. RTO
105 · D2

Which term means adapting a control baseline to the organization?

  1. Scoping
  2. Tailoring
  3. Benchmarking
  4. Accreditation
106 · D1

Which duty applies only to a professional's employers and clients?

  1. Canon I
  2. Canon II
  3. Canon III
  4. Canon IV
107 · D3

What is the block size of AES?

  1. 64 bits
  2. 128 bits
  3. 256 bits
  4. Variable
108 · D6

Which is forward-looking and warns of rising risk?

  1. KPI
  2. KRI
  3. Raw metric
  4. ROI
109 · D5

Which EAP method is strongest, using certificates on both sides?

  1. LEAP
  2. EAP-TLS
  3. PAP
  4. EAP-MD5
110 · D4

Which attack uses two 802.1Q tags to reach another VLAN?

  1. ARP poisoning
  2. Double tagging (VLAN hopping)
  3. MAC flooding
  4. SYN flood
111 · D7

Which order is correct from most to least volatile?

  1. Disk, RAM, registers
  2. Registers/cache, RAM, swap, disk
  3. Archives, disk, RAM
  4. RAM, archives, registers
112 · D8

Which is one of the four Agile Manifesto values?

  1. Documentation over working software
  2. Working software over comprehensive documentation
  3. Plan over change
  4. Process over people
113 · D1

PCI DSS is BEST described as:

  1. A US federal law
  2. An EU regulation
  3. A contractual obligation
  4. A voluntary framework with no enforcement
114 · D3

Which model changes access rights based on prior access history?

  1. Bell-LaPadula
  2. Biba
  3. Brewer-Nash
  4. Graham-Denning
115 · D5

Which component enforces the access decision (the "door")?

  1. PAP
  2. PDP
  3. PEP
  4. PIP
116 · D4

Which server should be placed in the DMZ?

  1. The internal database
  2. The public web server
  3. The domain controller
  4. The backup server
117 · D6

Which activity continuously replays known attack techniques?

  1. BAS
  2. An annual pentest
  3. RUM
  4. A vulnerability scan
118 · D2

Which roles apply under GDPR: a retailer decides purposes, a vendor processes?

  1. Retailer processor, vendor controller
  2. Retailer controller, vendor processor
  3. Both joint controllers
  4. Vendor is data subject
119 · D7

What must precede any correlation of logs across systems?

  1. Encryption
  2. Time synchronization (NTP)
  3. Compression
  4. Deduplication
120 · D1

Which control category are job rotation and mandatory vacations?

  1. Technical preventive
  2. Administrative detective
  3. Physical deterrent
  4. Technical corrective
121 · D3

Which attack explains why 2DES is not used?

  1. Birthday attack
  2. Meet-in-the-middle
  3. Rainbow table
  4. Downgrade
122 · D5

SAML is BEST described as:

  1. An authorization framework for APIs
  2. An XML-based federation protocol for enterprise SSO
  3. A password vault
  4. A firewall protocol
123 · D8

Which practice prevents secrets from entering a code repository?

  1. Secrets scanning
  2. Load balancing
  3. Degaussing
  4. Broadcasting the SSID
124 · D7

Who declares a disaster and activates the DR plan?

  1. The first technician
  2. Management, per defined criteria
  3. Any user
  4. The backup software
125 · D6

A vulnerability cannot be fixed in time. The correct action is to:

  1. Ignore it silently
  2. Document a signed exception with compensating controls
  3. Shut down the business
  4. Delete the finding

GrilleRéponses

1-B · 2-B · 3-C · 4-B · 5-B · 6-B · 7-B · 8-B · 9-B · 10-B · 11-B · 12-B · 13-C · 14-C · 15-B · 16-B · 17-B · 18-B · 19-B · 20-B · 21-B · 22-B · 23-B · 24-D · 25-B · 26-B · 27-C · 28-B · 29-B · 30-B · 31-B · 32-B · 33-B · 34-B · 35-B · 36-B · 37-C · 38-B · 39-B · 40-B · 41-D · 42-C · 43-B · 44-B · 45-B · 46-C · 47-B · 48-C · 49-A · 50-C · 51-C · 52-B · 53-C · 54-B · 55-A · 56-B · 57-B · 58-C · 59-B · 60-B · 61-B · 62-B · 63-B · 64-B · 65-A · 66-C · 67-B · 68-B · 69-B · 70-B · 71-A · 72-C · 73-B · 74-B · 75-A · 76-B · 77-B · 78-B · 79-B · 80-B · 81-B · 82-B · 83-B · 84-C · 85-B · 86-C · 87-D · 88-B · 89-B · 90-A · 91-B · 92-B · 93-A · 94-C · 95-B · 96-B · 97-C · 98-C · 99-B · 100-A · 101-B · 102-B · 103-B · 104-B · 105-B · 106-C · 107-B · 108-B · 109-B · 110-B · 111-B · 112-B · 113-C · 114-C · 115-C · 116-B · 117-A · 118-B · 119-B · 120-B · 121-B · 122-B · 123-A · 124-B · 125-B


CorrigéExplications ciblées

Les réponses reprennent les principes vus dans le cours ; voici les points de raisonnement clés pour les questions les plus discriminantes. Pour toute question ratée, retournez au chapitre indiqué (numéro · domaine).

Q9 · due care/diligenceB

Rechercher = diligence (savoir) ; ne rien implémenter = absence de care (agir). Chapitre 1.

Q25 · proportionnalitéB

10 000 $/an pour éviter 2 000 $ : irrationnel, on accepte. Chapitre 3.

Q42 · data in useC

La donnée doit être déchiffrée pour être traitée : l'état le plus dur (sauf homomorphe). Chapitre 5.

Q56 · retour au primaireB

Fonctions les moins critiques d'abord : si le site reflanche, les vitales ne retombent pas. Chapitre 20.

Q77 · entrapmentB

Inciter au crime est illégal ; observer un attaquant décidé (enticement) est légal. Chapitre 19.

Q94 · confidentialité vers BobC

Chiffrer avec la clé publique de Bob : lui seul déchiffre. « Ta publique protège. » Chapitre 8.

Q121 · meet-in-the-middleB

Rend 2DES presque aussi faible que DES → 3DES. Chapitre 8.

Q125 · exceptionB

Une exception documentée et signée transforme la faille en risque accepté. Chapitre 17.

BilanAuto-diagnostic par domaine

DomaineQuestionsVotre scoreSeuilSi < seuil : réviser
D11,9,13,21,25,31,38,44,51,58,66,72,79,86,93,100,106,113,120 (+)/2014Chapitres 1–3
D25,17,29,42,57,67,78,92,105,118 (+)/128Chapitres 4–5
D32,10,15,22,27,33,39,46,52,59,65,73,80,87,94,101,107,114,121 (+)/1611Chapitres 6–9
D43,11,19,26,35,41,48,55,62,69,76,82,89,96,103,110,116,122 (+)/1611Chapitres 10–12
D56,14,23,32,40,47,53,61,68,74,81,88,95,102,109,115 (+)/1611Chapitres 13–15
D67,16,28,36,45,54,64,75,83,90,98,108,117,125 (+)/1510Chapitres 16–17
D74,12,18,24,30,37,43,50,56,63,70,77,84,91,97,104,111,119,124 (+)/1712Chapitres 18–21
D88,20,34,49,60,71,85,99,112,123 (+)/139Chapitres 22–23
Interprétation

≥ 70 % global (≥ 88/125) et aucun domaine sous son seuil : vous pouvez réserver l'examen. Un ou deux domaines faibles : re-drillez-les avec le chapitre 29 avant l'examen blanc n° 2 (chapitre 26). Sous 60 % global : reprenez le cours des domaines concernés avant de réattaquer un blanc.