cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
rslade
Influencer II

Practice Questions

Right.

 

For (and from) all the newbies out there who want help for studying, there have been numerous questions about, well, questions.  As in, "what's the best set of practice questions to use while studying for the exam?"

 

The answer is, none of them.

 

I have looked at an awful lot of practice question sets, and they are uniformly awful.  Most try to be "hard" by bringing in trivia: that is not representative of the exam.  Most concentrate on a bunch of facts: that is not representative of the exam.

 

So, from my own stash, collected and developed over the decades, I'm going to give you some samples that do represent the types of questions that you will probably see on the exam.  Note that none of these questions will appear on the exam.  You can't pass the CISSP exam by memorizing a brain dump.  These will just give you a feel.

 

For each question I'll give the answer, what type of question this represents, and possibly ways to approach this type of question.

 

I'll be doing this over time, "replying" to this post to add questions.  Others are free to add sample questions if they wish, but be ready to be (possibly severely) critiqued.


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
322 Replies
denbesten
Community Champion


@redacted wrote:

I was experimenting with the technique of reading the answers FIRST (before even reading the question).


I do use that technique sometimes and did use it (years ago) on the CISSP exam -- typically, when there were 4 short answers to a long question, but also sometimes just for a change of pace.  For me, it depends on which will be easier to hold in my brain as I read the other.

 

Also, back in the day you could review and revise your answers.  Whenever I did that, I almost always switch to the other technique to hopefully offer a different perspective.

 

Focus on what works for you and don't be afraid to switch it up a bit.   There is more than one "right" way to prepare/take the exam. 

 

About the only technique I advise against is predicting the answer before actually reading the choices because that tends to lead to affirmation-bias.

jurupapa
Newcomer I

I am a newbie CISSP and recently came across this thread, seeing great postings by rslade san on what makes CISSP exam questions harder with very good sample questions. 

 

I felt it is worth to translate couple of his questions/answers and explanations into Japanese and introduce them in my personal blog. My blog's main topics are mathematics and the computer algebra system Maxima, with occasional security related topics. URL is: https://maxima.hatenablog.jp/ , entirely written in Japanese.


I directly contacted rslade san of this idea, and he has kindly permitted me to do so. I appreciate his kindest treatment. Also, he has suggested me to share the idea here, so I am writing this.

 

Also, just in case, I double checked the ISC2 Website Access Policy found at https://www.isc2.org/Policies-Procedures/Website-Access-Policy.  I see no violation, as these postings are rslade san's User Contribution and all rights under the control of rslade san.

 

With doing so, I would like this thread of 'CISSP sample questions' to get attention in Japan, hence ultimately contributing to CISSP community and candidates in Japan.

rslade
Influencer II

> jurupapa (Viewer III) posted a new reply in Certifications on 03-19-2020 01:34

>     I felt it is worth to translate couple of his questions/answers
> and explanations into Japanese and introduce them in my personal blog.

And thank you for helping others to get prepped for certification.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Security industry code of ethics - First: Do no Pwn.
- http://twitter.com/#!/SecurityHumor/status/99454302174720000
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
rslade
Influencer II

Penetration testing is security testing in which


a. hackers with no knowledge of the system are hired to attempt to break into a system to demonstrate protection flaws.
b. penetrators attempt to circumvent the security features of the system to identify where weaknesses exist, so that they may be strengthened.
c. foreign agents use sophisticated tools such as “password grabbers” and “dictionary attacks” to overcome the identification and authentication mechanisms of a system for future intrusions.
d. physical penetration is perpetrated in order to perform manual activities only possible with physical access to the system.

 

OK, the correct answer is b.

 

(I suspect some of you may wish to discuss this  🙂


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
dcontesti
Community Champion


@rslade wrote:

Penetration testing is security testing in which


a. hackers with no knowledge of the system are hired to attempt to break into a system to demonstrate protection flaws.
b. penetrators attempt to circumvent the security features of the system to identify where weaknesses exist, so that they may be strengthened.
c. foreign agents use sophisticated tools such as “password grabbers” and “dictionary attacks” to overcome the identification and authentication mechanisms of a system for future intrusions.
d. physical penetration is perpetrated in order to perform manual activities only possible with physical access to the system.

 

OK, the correct answer is b.

 

(I suspect some of you may wish to discuss this  🙂


@rslade 

 

I can see where some folk would choose A. 

 

When most folks think of Pen Tests, they think of hiring someone to do the work and that is usually an ethical hacker.  Unless the organization is large, they may not have the skills on board to perform the test.

 

Hacker means many things to many people.  They could be a Penetrator that you have on staff or someone you hire.

 

I have never heard of a Pen Tester being called a penetrator.....not a term I would use.

 

If we look at the definition of Pen Testing on the Internet (okay I know you can't believe everything you see on the internet but my library is locked up in my office and I am not allowed to go there.......lucky me), we find this definition:

 

"A penetration test, colloquially known as a pen test, pentest or ethical hacking, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system."

 

So I would say either A or B could be acceptable and probably if faced with this question would go for A.

 

But I have been wrong before.....

 

d

 

 

 

rslade
Influencer II

A is a more limited answer than B, because it is limited to the "zero knowledge" type of pen test.  The best, and therefore correct, answer is the one that covers the most security situations, and there are a number of pen test situations where you give the "attacker" some or "as much as possible" information in order to target the test.

 

And remember, don't get hung up on specific terms.  The exam is going after concepts, rather than just regurgitated facts.  The important thing is to understand what is going on.  Throwing out an answer because it doesn't fit your memory of some text somewhere will lose you marks.


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
denbesten
Community Champion

@rslade wrote:

Penetration testing is security testing in which...

The limitation with A is that oftentimes one gives addresses, creds, etc. as part of the engagement to provide more valuable results at a lesser cost and also because one may wish to test beyond the first layer of a multi-layered defense.

 

The limitation with B is that it a pen test might be purchased for other reasons, such as meeting contractual requirements by demonstrating that things are already "good enough".

 

This leaves us with picking the best choice, as opposed to the "right answer".  Of these, I would probably pick B as being more correct.

 

I do concur with @dcontesti that a better word choice could have been made.  The issue is not that of a rarely used synonym.  The concern is that it unnecessarily invokes imagery that tempts the notorious pron filter.  We can and should be better than that in our professional communications.

Shannon
Community Champion

 

While I arrive at the same answer, I look at this in a different way. IT Security should cater to the CIA triad --- Confidentiality, Integrity & Availability --- & while the question mandates Availability it doesn't say what the classification is, so I'll assume we have to consider all 3 factors.

 

So I'll attempt to rule out the options...

 

b) This may limit availability.

c) This only focuses on availability.

d) This may limit availability.

 

With b, c, & d knocked out, we're left with --- this lets one apply & balance controls to meet requirements.

 

 

(I failed the CISSP in my 1st attempt, so my reasoning could be flawed   Man Wink)

 

 

 

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
Shannon
Community Champion

 

@redacted, here's how I would rule out the options...

 

c) 'Relational' isn't any kind of access control --- at least not to my knowledge.

a) With Mandatory Access Control, the system owner decides on the access, but a user has no say

 

With c & a out, I'll decide whether b or fits better...

 

d) An Administrative control will determine whether something is secured, and how.

b) With Discretionary Access Control, the user (data owner) can determine the access.

 

 

The administrative control isn't specific for this requirement, but DAC is. So b stays...

 

 

(While the answer was all too clear in this case, I'm just providing a justification)

 

 

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
Shannon
Community Champion

 

For this question I'd  be inclined to chose b, primarily because it covers most aspects of penetration testing, unlike the others, which are limited. Here's how I'd rule out the other options: -

 

a) If the tester is provided with partial / full knowledge of the target, doesn't it quality as penetration testing?

c) If social engineering is enough to get to the target, does that mean it isn't penetration testing?

d) Is the testing strictly limited to systems that can only be accessed physically? (Question doesn't say so)

 

(While a is tempting, the point about system knowledge not being provided would rule out Grey box and White box testing)

 

 

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz