CISSP · Réussir du premier coup
Chapitre 29
Banque de
renforcement
8 sessions de 40 questions, une par domaine — pour re-driller les domaines faibles révélés par les examens blancs.
- Usage
- Ciblé, après les blancs (chapitres 25–26)
- Volume
- 320 questions · réponse condensée
- Format
- Question anglaise → réponse + point clé
Comment l'utiliser
- Ne faites pas tout : ciblez les domaines sous leur seuil aux examens blancs (diagnostic des chapitres 25–26).
- Chaque session couvre tous les objectifs de son domaine, difficulté progressive.
- Format condensé : la bonne réponse est en gras juste après la question, avec le point clé.
- Aucune réutilisation des quiz de cours ni des examens blancs.
Domaine 1Security & Risk Management — 40 questions
- Which pillar is violated by data spoofing? → Authenticity.
- DAD triad's "A"? → Alteration (vs Integrity).
- Accountability collapses with? → Shared accounts.
- Governance approach? → Top-down.
- ISO 27001 vs 27002? → Certifiable ISMS vs guide.
- NIST CSF 2.0 new function? → Govern.
- Due diligence is? → Knowing/investigating.
- Due care is? → Acting prudently.
- Criminal proof standard? → Beyond a reasonable doubt.
- Civil proof standard? → Preponderance of evidence.
- Copyright duration? → Life + 70.
- Patent duration? → 20 years from filing.
- Trademark duration? → 10 years, renewable indefinitely.
- Trade secret protection basis? → Kept secret; NDAs.
- DMCA provides hosts? → Safe harbor.
- Dual-use crypto export? → EAR.
- Military articles export? → ITAR.
- GDPR breach notice to authority? → 72 hours.
- GDPR max fine? → 20M€ or 4% global revenue.
- GDPR controller vs processor? → Decides vs processes for.
- HIPAA covers vendors as? → Business associates (BAA).
- PCI DSS is? → Contractual.
- Children under 13 online? → COPPA.
- School records? → FERPA.
- Investigation with strictest proof? → Criminal.
- Advisory document? → Guideline.
- First BCP phase? → Scope & planning.
- BIA outputs? → MTD, RTO, RPO.
- RTO + WRT must be? → ≤ MTD.
- AV × EF = ? → SLE.
- SLE × ARO = ? → ALE.
- Control value formula? → ALE1 − ALE2 − ACS.
- Insurance is which risk response? → Transfer.
- Ignoring a known risk = ? → Negligence.
- NIST RMF first step? → Prepare.
- STRIDE "R"? → Repudiation.
- PASTA has? → 7 stages.
- SolarWinds illustrates? → Supply chain (trusted update backdoor).
- SBOM is? → Inventory of software components.
- Awareness changes? → Behavior.
Domaine 2Asset Security — 40 questions
- "Exceptionally grave damage" = ? → Top Secret.
- Private-sector top level? → Confidential/Proprietary.
- Who classifies data? → Data owner.
- Multi-level asset protected at? → Highest level.
- Unlabeled media? → Highest until verified.
- Marking's purpose? → Communicate handling requirements.
- Program first step? → Inventory.
- CMDB tracks? → CIs + relationships.
- Intangible assets? → IP, brand, data.
- Backups/ACLs role? → Custodian.
- Data quality role? → Steward.
- Person the data describes? → Data subject.
- Best protection for unneeded data? → Don't collect it.
- Replica subject to? → Local laws (sovereignty).
- Over-retention risk? → Breach + eDiscovery + legal.
- Legal hold does? → Suspends destruction.
- Data remanence? → Residual data after deletion.
- Format before donation? → Insufficient.
- Clearing protects against? → Software recovery.
- Purging protects against? → Lab attacks.
- Degaussing on SSD? → Ineffective.
- Cloud data destruction? → Crypto-shredding.
- Highest-assurance destruction? → Physical.
- Crypto-shredding prerequisite? → Encrypted from the start.
- EOL means? → No longer sold.
- EOS means? → No more patches (critical).
- Post-EOS system? → Replace or isolate + compensate.
- Hardware retention purpose? → Read old archives.
- Knowledge retention? → Documentation, cross-training.
- Three data states? → At rest, in transit, in use.
- In transit protection? → TLS.
- In use, hardest, protected by? → TEE / homomorphic.
- Scoping = ? → Remove inapplicable controls.
- Tailoring = ? → Adapt the baseline.
- DRM/IRM key property? → Persistence.
- Endpoint DLP catches? → USB, clipboard, offline.
- CASB no-agent mode? → Reverse proxy.
- Out of GDPR scope? → True anonymization.
- Tokenization vs encryption? → Random, no math link, vault.
- Test data? → Masked.
Domaine 3Security Architecture — 40 questions
- Fire door, occupied? → Fail-safe.
- Firewall crash, assets? → Fail-closed.
- Zero trust principle? → Never trust, always verify.
- SASE = ? → SD-WAN + cloud security.
- Customer always secures? → Data + access.
- BLP simple property? → No read up.
- BLP star property? → No write down.
- Biba simple? → No read down.
- Biba protects? → Integrity.
- Clark-Wilson uses? → Access triple + TP.
- Dynamic conflict-of-interest model? → Brewer-Nash.
- 8 rules for rights? → Graham-Denning.
- Take-Grant operations? → Take, grant, create, remove.
- MAC math foundation? → Lattice.
- PP vs ST? → Customer wants vs vendor claims.
- EAL4 = ? → Methodically designed, tested, reviewed.
- EAL measures? → Evaluation rigor.
- Certification vs accreditation? → Technical vs management decision.
- TPM sealing? → Key bound to TPM + PCR state.
- HSM vs TPM? → Dedicated module vs motherboard chip.
- ASLR does? → Randomizes memory layout.
- DEP does? → Non-executable data.
- Ring 0 = ? → Kernel.
- Inference vs aggregation? → Deduce vs add up.
- Anti-inference DB defense? → Polyinstantiation.
- ICS priority? → Safety, availability.
- SCADA vs DCS? → Wide-area vs local site.
- Air gap defeated by? → Removable media (Stuxnet).
- Community cloud? → Orgs with common requirements.
- VM escape? → Guest to host.
- Containers share? → The host kernel.
- Serverless customer owns? → Code + function permissions.
- IoT first steps? → Change defaults + segment.
- Kerckhoffs? → Security in the key.
- AES block/keys? → 128 / 128-192-256.
- ECC advantage? → Shorter keys.
- Confidentiality to Bob? → Bob's public key.
- Signature provides? → Integrity + authenticity + non-repudiation.
- CSR contains? → Public key + identity.
- Meet-in-the-middle explains? → Why 2DES → 3DES.
Domaine 4Communication & Network — 40 questions
- Router OSI layer? → 3.
- MAC addressing layer? → 2.
- PDU order L1–L4? → Bits, frames, packets, segments.
- TCP/IP Internet layer = OSI? → 3.
- RFC 1918 example? → 172.16.0.0/12.
- APIPA range? → 169.254.0.0/16.
- PAT does? → Multiplex hosts behind one IP.
- IPv6 bits? → 128.
- TCP handshake? → SYN, SYN/ACK, ACK.
- SYN flood? → Half-open connections.
- SSH port? → 22.
- Kerberos port? → 88.
- LDAPS port? → 636.
- RDP port? → 3389.
- DNSSEC provides? → Integrity/authenticity.
- ARP weakness? → No authentication.
- VoIP protocols? → SIP + RTP/SRTP.
- iSCSI carries? → Block storage over IP.
- Copper max distance? → 100 m.
- Long-distance fiber? → Single-mode.
- East-west traffic? → Server-to-server internal.
- VLAN routing needs? → Layer 3 device.
- Double tagging = ? → VLAN hopping.
- Micro-segmentation controls? → East-west, lateral movement.
- Hiding SSID? → Not real security.
- WPA2 encryption? → CCMP/AES.
- WPA3 handshake? → SAE.
- Strongest EAP? → EAP-TLS.
- Evil twin? → Fake AP mimicking SSID.
- WPS action? → Disable it.
- Bluesnarfing? → Data theft.
- SDN critical target? → The controller.
- Security group? → Stateful, on instance.
- NACL? → Stateless, on subnet.
- Router vs switch broadcast? → Router separates domains.
- Stateful firewall? → Tracks connections.
- DMZ architecture? → Two firewalls + buffer.
- Obsolete VPN? → PPTP.
- RADIUS vs TACACS+? → UDP/password vs TCP/all + AAA split.
- ISA defines? → Technical interconnection security.
Domaine 5Identity & Access — 40 questions
- Subject = ? → Active entity.
- AAA order? → Id, Authn, Authz, Accounting.
- Smart card factor? → Type 2 (have).
- True MFA? → Different factor types.
- NIST on password rotation? → Not forced unless compromised.
- TOTP based on? → Time.
- Phishing-resistant auth? → FIDO2/passkeys.
- Smart vs memory card? → Computes vs stores.
- FRR = ? → Type I, legit rejected.
- FAR = ? → Type II, imposter accepted (danger).
- Lower CER = ? → Better system.
- High security tuning? → Minimize FAR.
- Iris vs retina? → Contactless vs intrusive/health.
- MFA fatigue fix? → Number matching.
- SSO concern? → Keys to the kingdom.
- Identity proofing? → Verify before issuing credentials.
- JIT access? → Grant only when needed.
- IdP role? → Authenticates, issues assertion.
- SAML? → XML federation SSO.
- OAuth is? → Authorization.
- OIDC adds? → Authentication (id_token).
- DAC? → Owner decides.
- MAC? → System labels.
- RBAC? → By role.
- ABAC? → Attributes + context.
- Rule-based? → Global rules for all.
- PEP does? → Enforces (the door).
- PDP does? → Decides.
- Matrix row = ? → Capability.
- Matrix column = ? → ACL.
- Privilege creep = ? → Accumulated rights.
- Recertification? → Revalidate access.
- PAM includes? → Vault, JIT, session recording.
- Break-glass? → Monitored emergency account.
- Kerberos issues first? → TGT.
- KDC contains? → AS + TGS.
- Kerberos clock tolerance? → ~5 min.
- Golden ticket? → Forged TGT (KRBTGT).
- PAP? → Clear text (avoid).
- Password spraying? → One password, many accounts.
Domaine 6Assessment & Testing — 40 questions
- Independent evaluator? → Third-party.
- Before testing? → Management approval.
- Scan vs pentest? → Identify vs exploit.
- Authenticated scan? → Deeper, fewer false positives.
- Most dangerous result? → False negative.
- CVSS? → Severity score 0–10.
- CVE? → Vulnerability identifier.
- SCAP includes? → OVAL, XCCDF.
- Black box? → No information.
- Gray box? → Partial knowledge.
- RoE defines? → Scope, prohibited actions.
- Red team? → Attacks.
- Purple team? → Red + blue collaborate.
- Pentest order? → Recon, enum, analysis, exploit, report.
- Log review needs? → NTP.
- Synthetic transactions? → Scripted, proactive.
- Fagan steps? → 6.
- SAST? → Static, source code.
- DAST? → Dynamic, running app.
- Fuzzing? → Malformed inputs.
- Test coverage? → % code exercised.
- Misuse case? → What must not be allowed.
- Regression testing? → Verify nothing broke.
- BAS? → Continuous attack replay.
- Bug bounty? → Pay researchers per finding.
- KPI? → Past performance.
- KRI? → Future risk.
- Backup as process data via? → Restore test.
- Report audiences? → Executive + technical.
- Remediation priority? → By risk.
- Exception? → Signed risk acceptance.
- Responsible disclosure? → Notify vendor, then publish.
- Auditor must be? → Independent.
- SOC 1? → Financial.
- SOC 2? → Security (restricted).
- SOC 3? → Public.
- Type I? → Design at a point in time.
- Type II? → Effectiveness over 6–12 months.
- Mandatory TSC? → Security.
- SOC standard? → SSAE 18.
Domaine 7Security Operations — 40 questions
- Chain of custody? → Continuous evidence trail.
- Collect first? → RAM/registers.
- Don't unplug because? → Destroys volatile evidence.
- Write blocker? → Prevents writes to source.
- Prove image fidelity? → Hashing.
- Admissibility? → Relevant, material, competent.
- Logs admissible via? → Business records exception.
- EDRM first? → Identification.
- Law enforcement means? → Loss of control.
- IDS vs IPS? → Detect vs block.
- Anomaly detection? → Finds unknown, more false positives.
- SIEM? → Correlates logs.
- SOAR? → Automates response.
- Event vs incident? → Observable vs harms/threatens.
- 7 steps first? → Detection.
- Containment step? → Mitigation.
- Root cause step? → Remediation.
- Need-to-know vs least privilege? → Info vs action rights.
- Mandatory vacations? → Detective (fraud).
- MTBF? → Between failures.
- MTTR? → Repair time.
- Enticement? → Legal.
- Entrapment? → Illegal.
- Allow-listing? → Only approved runs.
- Worm? → Self-propagates.
- Logic bomb? → Condition-triggered.
- Double extortion? → Encrypt + threaten to leak.
- Fileless malware? → Memory-only.
- Smurf? → ICMP broadcast amplification.
- Zero-day? → No patch available.
- Patch before prod? → Test in staging.
- Emergency change docs? → After the fact.
- Incremental restore? → Full + all incrementals.
- Differential restore? → Full + last.
- Real-time replication? → Remote mirroring.
- Hot site? → Minutes, costly.
- RAID 6 tolerates? → 2 disks.
- Riskiest DR test? → Full interruption.
- Return to primary? → Least critical first.
- Duress code? → Silent threat signal.
Domaine 8Software Development — 40 questions
- Shift left? → Security from requirements.
- Sequential methodology? → Waterfall.
- Risk-driven methodology? → Spiral.
- Agile value? → Working software over docs.
- Scrum iteration? → Sprint.
- DevSecOps adds? → Automated security in pipeline.
- CMMI order? → Initial, Repeatable, Defined, Quantified, Optimizing.
- CMMI level 4? → Quantitatively Managed.
- OWASP maturity model? → SAMM.
- Compiled vs interpreted? → Pre-translated vs on the fly.
- Memory-safe benefit? → Prevents buffer overflows.
- Log4j lesson? → Dependency vulnerabilities.
- SCA analyzes? → Third-party components.
- Secrets scanning? → Blocks credentials in repos.
- RASP? → Self-protection in production.
- CI/CD gate? → Fail build on finding.
- Spiral repeats? → Risk analysis each loop.
- IPT? → Multidisciplinary team.
- SAFe? → Scales Agile.
- BSIMM? → Descriptive maturity model.
- 4GL? → Near natural language.
- Signed commits? → Integrity + attribution.
- Compromised pipeline? → Supply-chain attack.
- Rate limiting? → Limits requests.
- SQLi defense? → Parameterized queries.
- XSS defense? → Output encoding + CSP.
- CSRF defense? → Anti-CSRF tokens.
- Buffer overflow defense? → Memory-safe, ASLR/DEP.
- TOCTOU? → Check-to-use race condition.
- Timing channel? → Modulates time.
- Input validation? → Allow-list.
- Error messages? → Generic to users.
- COTS vendor risk? → Code escrow.
- Cardinality? → Rows.
- Degree? → Columns.
- ACID "A"? → Atomicity.
- Isolation ensures? → No concurrent interference.
- View is? → Access control.
- Foreign key? → References another table's PK.
- Expert system? → Knowledge base + inference engine.
Fin du livre
Vous avez parcouru l'intégralité du programme : les 8 domaines, deux examens blancs, 100 drills et cette banque de 320 renforts. Si vos points faibles sont désormais solides et vos blancs au-dessus de 80 %, il ne reste qu'à appliquer le protocole du jour J (chapitre 28) et à faire confiance à votre jugement. Vous êtes prêt à réussir du premier coup. Bonne chance.