CISSP · Réussir du premier coup

Chapitre 29
Banque de
renforcement

8 sessions de 40 questions, une par domaine — pour re-driller les domaines faibles révélés par les examens blancs.

Usage
Ciblé, après les blancs (chapitres 25–26)
Volume
320 questions · réponse condensée
Format
Question anglaise → réponse + point clé
Comment l'utiliser
  • Ne faites pas tout : ciblez les domaines sous leur seuil aux examens blancs (diagnostic des chapitres 25–26).
  • Chaque session couvre tous les objectifs de son domaine, difficulté progressive.
  • Format condensé : la bonne réponse est en gras juste après la question, avec le point clé.
  • Aucune réutilisation des quiz de cours ni des examens blancs.

Domaine 1Security & Risk Management — 40 questions

  1. Which pillar is violated by data spoofing? → Authenticity.
  2. DAD triad's "A"? → Alteration (vs Integrity).
  3. Accountability collapses with? → Shared accounts.
  4. Governance approach? → Top-down.
  5. ISO 27001 vs 27002? → Certifiable ISMS vs guide.
  6. NIST CSF 2.0 new function? → Govern.
  7. Due diligence is? → Knowing/investigating.
  8. Due care is? → Acting prudently.
  9. Criminal proof standard? → Beyond a reasonable doubt.
  10. Civil proof standard? → Preponderance of evidence.
  11. Copyright duration? → Life + 70.
  12. Patent duration? → 20 years from filing.
  13. Trademark duration? → 10 years, renewable indefinitely.
  14. Trade secret protection basis? → Kept secret; NDAs.
  15. DMCA provides hosts? → Safe harbor.
  16. Dual-use crypto export? → EAR.
  17. Military articles export? → ITAR.
  18. GDPR breach notice to authority? → 72 hours.
  19. GDPR max fine? → 20M€ or 4% global revenue.
  20. GDPR controller vs processor? → Decides vs processes for.
  21. HIPAA covers vendors as? → Business associates (BAA).
  22. PCI DSS is? → Contractual.
  23. Children under 13 online? → COPPA.
  24. School records? → FERPA.
  25. Investigation with strictest proof? → Criminal.
  26. Advisory document? → Guideline.
  27. First BCP phase? → Scope & planning.
  28. BIA outputs? → MTD, RTO, RPO.
  29. RTO + WRT must be? → ≤ MTD.
  30. AV × EF = ? → SLE.
  31. SLE × ARO = ? → ALE.
  32. Control value formula? → ALE1 − ALE2 − ACS.
  33. Insurance is which risk response? → Transfer.
  34. Ignoring a known risk = ? → Negligence.
  35. NIST RMF first step? → Prepare.
  36. STRIDE "R"? → Repudiation.
  37. PASTA has? → 7 stages.
  38. SolarWinds illustrates? → Supply chain (trusted update backdoor).
  39. SBOM is? → Inventory of software components.
  40. Awareness changes? → Behavior.

Domaine 2Asset Security — 40 questions

  1. "Exceptionally grave damage" = ? → Top Secret.
  2. Private-sector top level? → Confidential/Proprietary.
  3. Who classifies data? → Data owner.
  4. Multi-level asset protected at? → Highest level.
  5. Unlabeled media? → Highest until verified.
  6. Marking's purpose? → Communicate handling requirements.
  7. Program first step? → Inventory.
  8. CMDB tracks? → CIs + relationships.
  9. Intangible assets? → IP, brand, data.
  10. Backups/ACLs role? → Custodian.
  11. Data quality role? → Steward.
  12. Person the data describes? → Data subject.
  13. Best protection for unneeded data? → Don't collect it.
  14. Replica subject to? → Local laws (sovereignty).
  15. Over-retention risk? → Breach + eDiscovery + legal.
  16. Legal hold does? → Suspends destruction.
  17. Data remanence? → Residual data after deletion.
  18. Format before donation? → Insufficient.
  19. Clearing protects against? → Software recovery.
  20. Purging protects against? → Lab attacks.
  21. Degaussing on SSD? → Ineffective.
  22. Cloud data destruction? → Crypto-shredding.
  23. Highest-assurance destruction? → Physical.
  24. Crypto-shredding prerequisite? → Encrypted from the start.
  25. EOL means? → No longer sold.
  26. EOS means? → No more patches (critical).
  27. Post-EOS system? → Replace or isolate + compensate.
  28. Hardware retention purpose? → Read old archives.
  29. Knowledge retention? → Documentation, cross-training.
  30. Three data states? → At rest, in transit, in use.
  31. In transit protection? → TLS.
  32. In use, hardest, protected by? → TEE / homomorphic.
  33. Scoping = ? → Remove inapplicable controls.
  34. Tailoring = ? → Adapt the baseline.
  35. DRM/IRM key property? → Persistence.
  36. Endpoint DLP catches? → USB, clipboard, offline.
  37. CASB no-agent mode? → Reverse proxy.
  38. Out of GDPR scope? → True anonymization.
  39. Tokenization vs encryption? → Random, no math link, vault.
  40. Test data? → Masked.

Domaine 3Security Architecture — 40 questions

  1. Fire door, occupied? → Fail-safe.
  2. Firewall crash, assets? → Fail-closed.
  3. Zero trust principle? → Never trust, always verify.
  4. SASE = ? → SD-WAN + cloud security.
  5. Customer always secures? → Data + access.
  6. BLP simple property? → No read up.
  7. BLP star property? → No write down.
  8. Biba simple? → No read down.
  9. Biba protects? → Integrity.
  10. Clark-Wilson uses? → Access triple + TP.
  11. Dynamic conflict-of-interest model? → Brewer-Nash.
  12. 8 rules for rights? → Graham-Denning.
  13. Take-Grant operations? → Take, grant, create, remove.
  14. MAC math foundation? → Lattice.
  15. PP vs ST? → Customer wants vs vendor claims.
  16. EAL4 = ? → Methodically designed, tested, reviewed.
  17. EAL measures? → Evaluation rigor.
  18. Certification vs accreditation? → Technical vs management decision.
  19. TPM sealing? → Key bound to TPM + PCR state.
  20. HSM vs TPM? → Dedicated module vs motherboard chip.
  21. ASLR does? → Randomizes memory layout.
  22. DEP does? → Non-executable data.
  23. Ring 0 = ? → Kernel.
  24. Inference vs aggregation? → Deduce vs add up.
  25. Anti-inference DB defense? → Polyinstantiation.
  26. ICS priority? → Safety, availability.
  27. SCADA vs DCS? → Wide-area vs local site.
  28. Air gap defeated by? → Removable media (Stuxnet).
  29. Community cloud? → Orgs with common requirements.
  30. VM escape? → Guest to host.
  31. Containers share? → The host kernel.
  32. Serverless customer owns? → Code + function permissions.
  33. IoT first steps? → Change defaults + segment.
  34. Kerckhoffs? → Security in the key.
  35. AES block/keys? → 128 / 128-192-256.
  36. ECC advantage? → Shorter keys.
  37. Confidentiality to Bob? → Bob's public key.
  38. Signature provides? → Integrity + authenticity + non-repudiation.
  39. CSR contains? → Public key + identity.
  40. Meet-in-the-middle explains? → Why 2DES → 3DES.

Domaine 4Communication & Network — 40 questions

  1. Router OSI layer? → 3.
  2. MAC addressing layer? → 2.
  3. PDU order L1–L4? → Bits, frames, packets, segments.
  4. TCP/IP Internet layer = OSI? → 3.
  5. RFC 1918 example? → 172.16.0.0/12.
  6. APIPA range? → 169.254.0.0/16.
  7. PAT does? → Multiplex hosts behind one IP.
  8. IPv6 bits? → 128.
  9. TCP handshake? → SYN, SYN/ACK, ACK.
  10. SYN flood? → Half-open connections.
  11. SSH port? → 22.
  12. Kerberos port? → 88.
  13. LDAPS port? → 636.
  14. RDP port? → 3389.
  15. DNSSEC provides? → Integrity/authenticity.
  16. ARP weakness? → No authentication.
  17. VoIP protocols? → SIP + RTP/SRTP.
  18. iSCSI carries? → Block storage over IP.
  19. Copper max distance? → 100 m.
  20. Long-distance fiber? → Single-mode.
  21. East-west traffic? → Server-to-server internal.
  22. VLAN routing needs? → Layer 3 device.
  23. Double tagging = ? → VLAN hopping.
  24. Micro-segmentation controls? → East-west, lateral movement.
  25. Hiding SSID? → Not real security.
  26. WPA2 encryption? → CCMP/AES.
  27. WPA3 handshake? → SAE.
  28. Strongest EAP? → EAP-TLS.
  29. Evil twin? → Fake AP mimicking SSID.
  30. WPS action? → Disable it.
  31. Bluesnarfing? → Data theft.
  32. SDN critical target? → The controller.
  33. Security group? → Stateful, on instance.
  34. NACL? → Stateless, on subnet.
  35. Router vs switch broadcast? → Router separates domains.
  36. Stateful firewall? → Tracks connections.
  37. DMZ architecture? → Two firewalls + buffer.
  38. Obsolete VPN? → PPTP.
  39. RADIUS vs TACACS+? → UDP/password vs TCP/all + AAA split.
  40. ISA defines? → Technical interconnection security.

Domaine 5Identity & Access — 40 questions

  1. Subject = ? → Active entity.
  2. AAA order? → Id, Authn, Authz, Accounting.
  3. Smart card factor? → Type 2 (have).
  4. True MFA? → Different factor types.
  5. NIST on password rotation? → Not forced unless compromised.
  6. TOTP based on? → Time.
  7. Phishing-resistant auth? → FIDO2/passkeys.
  8. Smart vs memory card? → Computes vs stores.
  9. FRR = ? → Type I, legit rejected.
  10. FAR = ? → Type II, imposter accepted (danger).
  11. Lower CER = ? → Better system.
  12. High security tuning? → Minimize FAR.
  13. Iris vs retina? → Contactless vs intrusive/health.
  14. MFA fatigue fix? → Number matching.
  15. SSO concern? → Keys to the kingdom.
  16. Identity proofing? → Verify before issuing credentials.
  17. JIT access? → Grant only when needed.
  18. IdP role? → Authenticates, issues assertion.
  19. SAML? → XML federation SSO.
  20. OAuth is? → Authorization.
  21. OIDC adds? → Authentication (id_token).
  22. DAC? → Owner decides.
  23. MAC? → System labels.
  24. RBAC? → By role.
  25. ABAC? → Attributes + context.
  26. Rule-based? → Global rules for all.
  27. PEP does? → Enforces (the door).
  28. PDP does? → Decides.
  29. Matrix row = ? → Capability.
  30. Matrix column = ? → ACL.
  31. Privilege creep = ? → Accumulated rights.
  32. Recertification? → Revalidate access.
  33. PAM includes? → Vault, JIT, session recording.
  34. Break-glass? → Monitored emergency account.
  35. Kerberos issues first? → TGT.
  36. KDC contains? → AS + TGS.
  37. Kerberos clock tolerance? → ~5 min.
  38. Golden ticket? → Forged TGT (KRBTGT).
  39. PAP? → Clear text (avoid).
  40. Password spraying? → One password, many accounts.

Domaine 6Assessment & Testing — 40 questions

  1. Independent evaluator? → Third-party.
  2. Before testing? → Management approval.
  3. Scan vs pentest? → Identify vs exploit.
  4. Authenticated scan? → Deeper, fewer false positives.
  5. Most dangerous result? → False negative.
  6. CVSS? → Severity score 0–10.
  7. CVE? → Vulnerability identifier.
  8. SCAP includes? → OVAL, XCCDF.
  9. Black box? → No information.
  10. Gray box? → Partial knowledge.
  11. RoE defines? → Scope, prohibited actions.
  12. Red team? → Attacks.
  13. Purple team? → Red + blue collaborate.
  14. Pentest order? → Recon, enum, analysis, exploit, report.
  15. Log review needs? → NTP.
  16. Synthetic transactions? → Scripted, proactive.
  17. Fagan steps? → 6.
  18. SAST? → Static, source code.
  19. DAST? → Dynamic, running app.
  20. Fuzzing? → Malformed inputs.
  21. Test coverage? → % code exercised.
  22. Misuse case? → What must not be allowed.
  23. Regression testing? → Verify nothing broke.
  24. BAS? → Continuous attack replay.
  25. Bug bounty? → Pay researchers per finding.
  26. KPI? → Past performance.
  27. KRI? → Future risk.
  28. Backup as process data via? → Restore test.
  29. Report audiences? → Executive + technical.
  30. Remediation priority? → By risk.
  31. Exception? → Signed risk acceptance.
  32. Responsible disclosure? → Notify vendor, then publish.
  33. Auditor must be? → Independent.
  34. SOC 1? → Financial.
  35. SOC 2? → Security (restricted).
  36. SOC 3? → Public.
  37. Type I? → Design at a point in time.
  38. Type II? → Effectiveness over 6–12 months.
  39. Mandatory TSC? → Security.
  40. SOC standard? → SSAE 18.

Domaine 7Security Operations — 40 questions

  1. Chain of custody? → Continuous evidence trail.
  2. Collect first? → RAM/registers.
  3. Don't unplug because? → Destroys volatile evidence.
  4. Write blocker? → Prevents writes to source.
  5. Prove image fidelity? → Hashing.
  6. Admissibility? → Relevant, material, competent.
  7. Logs admissible via? → Business records exception.
  8. EDRM first? → Identification.
  9. Law enforcement means? → Loss of control.
  10. IDS vs IPS? → Detect vs block.
  11. Anomaly detection? → Finds unknown, more false positives.
  12. SIEM? → Correlates logs.
  13. SOAR? → Automates response.
  14. Event vs incident? → Observable vs harms/threatens.
  15. 7 steps first? → Detection.
  16. Containment step? → Mitigation.
  17. Root cause step? → Remediation.
  18. Need-to-know vs least privilege? → Info vs action rights.
  19. Mandatory vacations? → Detective (fraud).
  20. MTBF? → Between failures.
  21. MTTR? → Repair time.
  22. Enticement? → Legal.
  23. Entrapment? → Illegal.
  24. Allow-listing? → Only approved runs.
  25. Worm? → Self-propagates.
  26. Logic bomb? → Condition-triggered.
  27. Double extortion? → Encrypt + threaten to leak.
  28. Fileless malware? → Memory-only.
  29. Smurf? → ICMP broadcast amplification.
  30. Zero-day? → No patch available.
  31. Patch before prod? → Test in staging.
  32. Emergency change docs? → After the fact.
  33. Incremental restore? → Full + all incrementals.
  34. Differential restore? → Full + last.
  35. Real-time replication? → Remote mirroring.
  36. Hot site? → Minutes, costly.
  37. RAID 6 tolerates? → 2 disks.
  38. Riskiest DR test? → Full interruption.
  39. Return to primary? → Least critical first.
  40. Duress code? → Silent threat signal.

Domaine 8Software Development — 40 questions

  1. Shift left? → Security from requirements.
  2. Sequential methodology? → Waterfall.
  3. Risk-driven methodology? → Spiral.
  4. Agile value? → Working software over docs.
  5. Scrum iteration? → Sprint.
  6. DevSecOps adds? → Automated security in pipeline.
  7. CMMI order? → Initial, Repeatable, Defined, Quantified, Optimizing.
  8. CMMI level 4? → Quantitatively Managed.
  9. OWASP maturity model? → SAMM.
  10. Compiled vs interpreted? → Pre-translated vs on the fly.
  11. Memory-safe benefit? → Prevents buffer overflows.
  12. Log4j lesson? → Dependency vulnerabilities.
  13. SCA analyzes? → Third-party components.
  14. Secrets scanning? → Blocks credentials in repos.
  15. RASP? → Self-protection in production.
  16. CI/CD gate? → Fail build on finding.
  17. Spiral repeats? → Risk analysis each loop.
  18. IPT? → Multidisciplinary team.
  19. SAFe? → Scales Agile.
  20. BSIMM? → Descriptive maturity model.
  21. 4GL? → Near natural language.
  22. Signed commits? → Integrity + attribution.
  23. Compromised pipeline? → Supply-chain attack.
  24. Rate limiting? → Limits requests.
  25. SQLi defense? → Parameterized queries.
  26. XSS defense? → Output encoding + CSP.
  27. CSRF defense? → Anti-CSRF tokens.
  28. Buffer overflow defense? → Memory-safe, ASLR/DEP.
  29. TOCTOU? → Check-to-use race condition.
  30. Timing channel? → Modulates time.
  31. Input validation? → Allow-list.
  32. Error messages? → Generic to users.
  33. COTS vendor risk? → Code escrow.
  34. Cardinality? → Rows.
  35. Degree? → Columns.
  36. ACID "A"? → Atomicity.
  37. Isolation ensures? → No concurrent interference.
  38. View is? → Access control.
  39. Foreign key? → References another table's PK.
  40. Expert system? → Knowledge base + inference engine.

Fin du livre

Vous avez parcouru l'intégralité du programme : les 8 domaines, deux examens blancs, 100 drills et cette banque de 320 renforts. Si vos points faibles sont désormais solides et vos blancs au-dessus de 80 %, il ne reste qu'à appliquer le protocole du jour J (chapitre 28) et à faire confiance à votre jugement. Vous êtes prêt à réussir du premier coup. Bonne chance.