topic Checking some answers to a practice test in Exam Preparation

Checking some answers to a practice test

altoflyer — Mon, 10 Jun 2019 22:04:23 GMT

I just took a practice test and I don't understand some of the answers they say are correct. Can anyone explain them? Or are the questions broken?

17. Cloud computing is based on which approach to service delivery: the answer was "Virtualization or thin client technology." My answer "virtualization" was wrong. I wasn't aware the thin client technology was part of it. Not mentioned in anything I read (that I remember) or in the class.

32. Information Rights management (IRM) is generally associated with the following attributes: (notice it said "attributes.")

Right answer: Data rights management, the use of role-based access control, the installation of a local client agent, and the ability to integrate with the data loss prevention (DLP) solutions

My selected answer was: Role-based access control, the installation of a local client agent, and the ability to integrate with the data loss prevention (DLP) solutions

It had everything that the "right" answer had except "data rights management." Is drm an attribute or a technology? And besides, isn't IRM the same term as DRM?

65. A risk assessment is based on the following, in order:

The right answer is: Threat, vulnerability, probability, impact and risk determination.

My answer was: Vulnerability, threat, impact, probability and risk determination.

My class notes and the photo of the instructor's drawing clearly says:

Identify assets

Identify vulnerabilities

Identify threats

Identify exposure factor (impact)

Identify Likelihood (probability)

Perform qualitative risk analysis

perform quantitative risk analysis. which means that my selected answer was correct. Thoughts?

135: Generally, there are two types of cooling, and the return air temperature is based on:

The right answer: Latent cooling (remove moisture) and sensible cooling (remove heat),and the temperature is measured at the inlet point.

Well that's just wrong. The air temperature is measured as it exits the room, not as it enters the room. My selected answer was: Latent cooling (remove moisture) and sensible cooling (remove heat),and the temperature is measured at the exhaust point.

Thoughts?

Re: Checking some answers to a practice test

dcontesti — Mon, 10 Jun 2019 23:58:52 GMT

So this is hard to answer.

First whose practice test is it? Is it on the internet, from the course provider?

Second what were all the answers? to the questions.

Whose training did you take.......what references did they provide?

Sorry for so many questions, but I cannot answer your questions without some information.

Regards

Re: Checking some answers to a practice test

altoflyer — Tue, 11 Jun 2019 00:22:26 GMT

Thanks, I got the practice test from Training Camp. Training camp was offered to me by my employer, so I didn't inquire about their references. (or did you mean what materials did they reference?) The material we used was the official ISC2 publication "Certified Cloud Security Professional Official (ISC)2 Student Guide." IMHO, this guide is very poorly written. But that's the subject for another thread.

17. Cloud computing is based on which approach to service delivery:

a) virtualization

b) thin client technology

c) Virtualization or thin client technology

d) Tightly coupled architectural models

I answered "a," but the correct answer was "c." Really?Just the fact that they have "or" in the answer made it not seem correct. That combined with not having heard about thin clients since the early days of the internet made that answer seem wrong.

32. Information Rights management (IRM) is generally associated with the following attributes:

a) Data rights management, the use of role-based access control, the installation of a local client agent, and the ability to integrate with the data loss prevention (DLP) solutions.

b) Data rights management, the use of rule based access control, the installation of a local client agent, and the ability to integrate with data loss prevention (DLP) solutions

c) role-based access control, the installation of a local client agent, and problems with interoperability with solutions such as data loss prevention (DLP) solutions.

d) Role-based access control, the installation of a local client agent, and the ability to integrate with data loss prevention (DLP) solutions.

I answered "d" because they said they were looking for attributes. The only difference between "d" and the right answer "a" is it mentions data rights management, which is a technology not an attribute.

65. A risk assessment is based on the following, in order:

a) vulnerability, threat, probability, impact, existing controls, and risk determination.

b) vulnerability, threat, impact, probability, and risk de3termination

c) threat, vulnerability, existing controls, probability, impact and risk determination

d) threat, vulnerability, probability, impact, and risk determination

I answer b, which matches my instructor's drawing in class. The correct answer is D.

My class notes and the photo of the instructor's drawing clearly says:

Identify assets

Identify vulnerabilities

Identify threats

Identify exposure factor (impact)

Identify Likelihood (probability)

Perform qualitative risk analysis

perform quantitative risk analysis. which means that my selected answer was correct.

HOWEVER ... between when I wrote that and now, I found this in the Student Guide:

Risk Management Process

An organization will conduct a risk assessment (the term risk analysis is sometimes intercahgned with risk assessment) to evaluate:

- threats to its assets

- vulnerabilities present in the envrionmnet

- the likelihood that a threat will be realized ...

- the impact that the exposure being realized will have on the organization

- Countermeasures available ...

- the residual risk

So that matches the right answer, D. So I guess that one is now answered. Go with the official ISC2 guidebook.

135: Generally, there are two types of cooling, and the return air temperature is based on:

a) latent cooling (remove moisture) and sensible cooling (remove heat), and the temperature is measured at the inlet point.

b) latent cooling (remove moisture) and sensible cooling (remove heat), and the temperature is measured at the server exhaust point

c) latent cooling (remove heat), and sensible cooling (remove moisture), and the temperature is measured at the inlet point.

d) latent cooling (remove heat) and sensible cooling (remove moisture), and the temperature is measured at the server exhaust point.

Thoughts?

Thank you very much for your help!

Re: Checking some answers to a practice test

altoflyer — Tue, 11 Jun 2019 00:40:29 GMT

And here is another one that I don't understand:

Cloud environment can be separated into three layers, which are referred to as the:

a) compute layer, the management plane, and the infrastructure layer

b) application layer, the management plane, and the infrastructure layer

c) application layer, the control plane, and the infrastructure layer

d) service layer, the platform layer, and the infrastructure layer.

My answer was d, the right answer was a.

Now this confuses the heck out of me because of a few things. First, a layer is an architectural component and a plane is traffic. (or so I've been told). So the only suitable answer was d. But even if you let that go ... second, they mix up plane and layer in answers a, b, and c. That seems inconsistent. Third, what i'd personally say was the right answer would be

Application (or compute) layer | Control Layer | Infrastructure Layer

The management plane runs on the control layer, sometimes also called the management layer. The control plane runs on the infrastructure layer and makes the connection to the control layer. The data plane (also called the forwarding plane, also called the data forwarding plane) runs on the infrastructure layer.

So by what I know, none of the answers is correct. But even if you try to figure out which one is least wrong, and you accept that management plane is the central layer (since it does run there after all), then a and b are identical because application layer and compute layer are the same. And, given that my class drawing says "application layer," i would have chosen b. Which is wrong. Anyway, here's a screen shot of the information I've been referencing.

Re: Checking some answers to a practice test

TheWhiteKnight — Tue, 11 Jun 2019 02:02:09 GMT

For your query on Cloud Computing
Always remember this,
- Cloud Applications (SAAS)
- Cloud Software Environment (PAAS)
- Cloud Software Infrastructure
— Computation Resources (IAAS)
— Storage (DAAS)
— Communications (CAAS)
- Then comes Software Kernel which sits on
- Firmware /Hardware

Now, looking at above, just try answering
1.the definition of Platform?
2. Is Infrastructure part of Platform? If not then why ?
3. Now relate this >> Computational Resources ( Processing, Memory ,etc ) sits on Infrastructure components and it’s controlled by administration or management

Their answer is right definitely because a Platform is whole set of everything including Infrastructure and compute layers while management is being referred as a plane.

Hope this clarifies

Re: Checking some answers to a practice test

dcontesti — Tue, 11 Jun 2019 15:56:15 GMT

@altoflyer wrote:
Thanks, I got the practice test from Training Camp. Training camp was offered to me by my employer, so I didn't inquire about their references. (or did you mean what materials did they reference?) The material we used was the official ISC2 publication "Certified Cloud Security Professional Official (ISC)2 Student Guide." IMHO, this guide is very poorly written. But that's the subject for another thread.

17. Cloud computing is based on which approach to service delivery:

a) virtualization
b) thin client technology
c) Virtualization or thin client technology
d) Tightly coupled architectural models
I answered "a," but the correct answer was "c." Really?Just the fact that they have "or" in the answer made it not seem correct. That combined with not having heard about thin clients since the early days of the internet made that answer seem wrong.

So my take on this one: Not sure who wrote this question but I agree it is poorly written and in some ways what I would call a trick question. I am not a CCSP but I do not think you should find any questions on the exam like this one.

@altoflyer wrote:

65. A risk assessment is based on the following, in order:
a) vulnerability, threat, probability, impact, existing controls, and risk determination.
b) vulnerability, threat, impact, probability, and risk de3termination
c) threat, vulnerability, existing controls, probability, impact and risk determination
d) threat, vulnerability, probability, impact, and risk determination

I answer b, which matches my instructor's drawing in class. The correct answer is D.

My class notes and the photo of the instructor's drawing clearly says:
Identify assets
Identify vulnerabilities
Identify threats
Identify exposure factor (impact)
Identify Likelihood (probability)
Perform qualitative risk analysis
perform quantitative risk analysis. which means that my selected answer was correct.

HOWEVER ... between when I wrote that and now, I found this in the Student Guide:
Risk Management Process
An organization will conduct a risk assessment (the term risk analysis is sometimes intercahgned with risk assessment) to evaluate:
- threats to its assets
- vulnerabilities present in the envrionmnet
- the likelihood that a threat will be realized ...
- the impact that the exposure being realized will have on the organization
- Countermeasures available ...
- the residual risk

So that matches the right answer, D. So I guess that one is now answered. Go with the official ISC2 guidebook.

So I would have gone with D. Rationale: Patch Tuesday example: a threat is announced, you check to see if you are vulnerable (does it exist in your environment), then evaluate the likely hood (impact), and then determine what to do. The problem is that several of these steps happen at the same time. I am not a fan of questions that are lists that require memory work......

@altoflyer wrote:

135: Generally, there are two types of cooling, and the return air temperature is based on:
a) latent cooling (remove moisture) and sensible cooling (remove heat), and the temperature is measured at the inlet point.
b) latent cooling (remove moisture) and sensible cooling (remove heat), and the temperature is measured at the server exhaust point
c) latent cooling (remove heat), and sensible cooling (remove moisture), and the temperature is measured at the inlet point.
d) latent cooling (remove heat) and sensible cooling (remove moisture), and the temperature is measured at the server exhaust point.
Well that's just wrong. The air temperature is measured as it exits the room, not as it enters the room. My selected answer was: Latent cooling (remove moisture) and sensible cooling (remove heat),and the temperature is measured at the exhaust point.
Thoughts?

I know nothing about heating but as a casual user, I would rule out A and C and look to B or D as being the answer. I would probably go with B.

Others?

Re: Checking some answers to a practice test

Steve-Wilme — Tue, 11 Jun 2019 10:08:12 GMT

For 17, if you consider IaaS, PaaS and SaaS than c) is probably more correct answer. Virtualisation is an enabler for cloud services, but thin client i.e. standard web browser, provides the universal access that make it usable. If you look at the NIST definition in SP800-145 that should explain.

32 seems to be a poorly worded question and set of answers.

For 65 if you look up 27005 or look at the links below, by convention you start with the threat source, then the threat actor who targets a vulnerability in an asset .....

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

https://en.wikipedia.org/wiki/IT_risk_management#/media/File:2010-T10-ArchitectureDiagram.png

You've got all the right elements.

Re: Checking some answers to a practice test

rslade — Tue, 11 Jun 2019 15:54:05 GMT

> altoflyer (Viewer) posted a new reply in Certifications on 06-10-2019 08:22 PM

> I got the practice test from Training Camp.

I taught for Training Camp several times, and I often had trouble justifying the
"correct" answers on *their* practice exams from *their* material ... (Training
Camp *used* to have some agreement to use ISC2 facilitators and material, along
with their own stuff, but I don't know what the current situation is ...)

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
The sun, with all those planets revolving around it and
dependent upon it, can still ripen a bunch of grapes as if it had
nothing else in the universe to do. - Galileo Galilei
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

Re: Checking some answers to a practice test

Steve-Wilme — Wed, 12 Jun 2019 07:08:05 GMT

I think it helps to stick to the official CBK materials rather than use secondary sources. The applies to the CISSP and CISSP concentrations (follow the references at the end of the chapters). Depending on reworked secondary sources, both in academia and in professional life is unlikely to be a useful shortcut. So if you need to read the SP800 series, IETF RFCs, CoBIT ISO 27000 series or whatever, go read the original.

Re: Checking some answers to a practice test

altoflyer — Wed, 12 Jun 2019 16:15:49 GMT

Yes, that does make sense. Thanks! I passed my test yesterday. Yay!

Re: Checking some answers to a practice test

altoflyer — Wed, 12 Jun 2019 16:18:15 GMT

Thanks for your time to look at and think about these questions I had. I do understand and agree with the process for risk management. I'm just irritated that what we were taught is not what was in the ISC2 materials. These questions are binary: they are right or wrong. So we need to learn it the way it will be asked on the test.

But hey, I passed my test! So, yay. 🙂

Re: Checking some answers to a practice test

altoflyer — Wed, 12 Jun 2019 16:22:01 GMT

I completely agree. Unfortunately I had assumed that the class material was aligned with ISC2 material and had learned that. The book was very difficult to read since it was way too wordy and repetitive. They could use a very good copy editor. Think of Hemingway's sparse prose style, or of Edith Wharton going through her manuscripts and deleting the adjectives.

Thank you for your time to look at my questions and provide your thoughts; I really appreciate it.

And hey, I passed the test!!! YAY!

Re: Checking some answers to a practice test

AlecTrevelyan — Thu, 13 Jun 2019 10:59:16 GMT

Congratulations and welcome to the CCSP club!

I agree with what the others are saying in that these questions in the original post are badly written. For anyone else looking at CCSP practice tests, I'd highly recommend the CCSP Official (ISC)2 Practice Tests:

https://www.isc2.org/Training/Self-Study-Resources#accordion-64c669e893ce4e1ea9eb5ea78312cfec

These were written by @Ben_Malisow who is an active member on here and responds to queries you might have about the book or specific questions in the book in this thread:

https://community.isc2.org/t5/Certifications/CCSP-Practice-Questions/m-p/5891#M1029

Re: Checking some answers to a practice test

Ben_Malisow — Thu, 13 Jun 2019 11:51:51 GMT

Thanks for the kind words, Alec! Yes, I'd be glad to offer any insight to issues that you might have with any of the questions from the book.

Re: Checking some answers to a practice test

Steve-Wilme — Fri, 14 Jun 2019 12:06:10 GMT

I'm afraid that's the trick to passing these tests, like all recall based testing. Personally I think it'd be far more valuable if the tests were applied to more typical real world scenarios, rather than being a case of selecting the best or least worst answers, but that'd require a lot of human judgement in assessing, so I can't see it happening. There are other InfoSec professional bodies you can join that do require written exams and face to face interview in which you are grilled about your experience.