Rooks
Newcomer III

CISSP Review Questions

Hello All,

 

I'm reviewing some questions for CISSP exam preparation. I found that the answers for some of the questions are questionable and would like to find your take on this. Your feedback is very much appreciated.

 

I've copied/mentioned some folks here whom I have encountered or whose feedback I saw in other communities. Thank you all in advance.

 @rslade @dcontesti @denbesten  @funkychicken @Vigenere @Shannon @gidyn @alekos

 

 

Question 1. 

 

Johny needs to provide a set of minimum security requirements for email. What steps should he recommend for his organization to ensure that the email remains secure?

 

A.   All email should be encrypted

B.   All email should be encrypted and labelled

C.  Sensitive email should be encrypted and labelled

D.  Only highly sensitive email should be encrypted

 

 

Answer: Given answer is C. 

 

However, I think it should be A because the question is not mentioning anything to do with classification.

What do you think? 

 

37 Replies
Rooks
Newcomer III

Thanks @denbesten for clarifying. This truly helps in understanding this type of tricky question.

Much appreciated. 

JoePete
Advocate I


@denbesten wrote:
Without a label, how would one know if the message requires encryption.

Or if you just encrypt all email, you don't have to worry about labels 😉

 

Again, I think it is a flawed question. What might make a better scenario is to put Johny in charge of a file server. A will provide at least the same level of confidentiality, integrity, and availability as B, C, D without the extra overhead of having to create some labeling system that would seem difficult to implement across the heterogeneity of email. By the same token, to implement B, C, and D requires you to do the encryption work of A and then create an additional taxonomy. Again, I think a file server scenario might better get at what the answer was trying to test.

Rooks
Newcomer III

Got this interesting question and would like to see your answer and thoughts please.   Thank you!

 

Question 3.

 

Callback to a landline phone number is an example of what type of factor?

 

A.  Something you know

B.  Somewhere you are

C.  Something you have

D.  Something you are

 

What do you think the answer should be?

 

Rooks
Newcomer III

Okay sharing the answer from the source.

 

Answer given is B.  Somewhere you are.

 

Do you agree with this answer? Your answer and explanation are appreciated. Thanks

 

funkychicken
Contributor I

Land lines are located in a physical location and it's a location-based item. It is not something you have because it is not tied to you as an individual. It's not something you know, because it's a physical device external to your brain. So the answer will be somewhere you are. Also, multi-factor authentication is slightly changing in the market to use other ways to authenticate.

funkychicken
Contributor I

The CISSP exam is laid out to try to consider the best answer. In this example with the email: 

 

Question 1. 

 

Johny needs to provide a set of minimum security requirements for email. What steps should he recommend for his organization to ensure that the email remains secure?

 

Let's break this down.

 

Johny needs to provide a set of MINIMUM security requirements for EMAIL. So the standards are going to be minimum and not necessarily for all email. In fact, most times in an organisation, especially when doing ISO27001 and PCI-DSS, all email does not need to be encrypted; only the sensitive items need to be. We must also consider encryption as a technology that puts lots of processing power on CPU resources and also will slow down the system if being used for all email, so in reality this really isn't a viable option, because in an email scenario, receiving an email if it is not sensitive is more important than encrypting it.

 

What steps should he recommend for his organization to ensure that the email remains secure?

 

OK so he needs to take some steps, and he should recommend these steps for the org to make sure THE EMAIL remains secure. 

 

So, the email relates to the type of email that is being encrypted. This does not relate to all email; it relates to the type of email, which means that it has been broken down into categories. So here you will have email that is non-secure and is OK to be sent to users, and then you have email that is sensitive and needs to be secured and sent using something like PGP encryption.

 

Remember the CISSP training and the core skills of a CISSP representative. The Security Dept is there to facilitate the business to achieve the business goals. There are also many elements of the CISSP training which you need to consider for every answer to a question. Remember that most of the answers are correct but it is the best answer which you need to know in the situation. I know all these are confusing but you will need to consider every situation in every part of the CISSP and adopt the knowledge to answer the question. 

 

So the answers:

 

A.   All email should be encrypted - not necessarily. In most companies all email does not need to be encrypted but only the category of email that is required to be encrypted. 

 

B.   All email should be encrypted and labelled - same as above. In certain companies or government operations it should be but if this was a standard then Office 365 would adopt this or yahoo.com and everyone would have to use PGP and everything would need to be labelled which is impractical at the moment. 

 

C.  Sensitive email should be encrypted and labelled - Yes there is always a time where there are certain emails which need to be shared with a key. They also need to be labelled and considered inbound and outbound. So something that may not be considered sensitive inside but when released outside of the company this may be considered sensitive and therefore should be labelled as such. 

 

D.  Only highly sensitive email should be encrypted - This is incorrect because some email which is classified as non sensitive may be sensitive if the data was released outside. 

 

 

I recently passed my CISSP. I had to review all of the documentation for these areas. It became more and more obvious that it's not just the specific question that is the concern but every element from the training, what the current state of the technology is that is mentioned in the question, how the technology works, the CIA triad, the principles of a CISSP, the roles and objectives of a CISSP in a business and a variety of other aspects that could affect the answer to a question.

 

When I sat my exam there were many questions that were like this, and the thought process is not just the question at stake, as all of the answers could be correct, but it's what is the best answer in this scenario given the situation.

 

Rooks
Newcomer III

Thank you @funkychicken, for the explanation.

"Land lines are located in a physical location and it's a location-based item. It is not something you have because it is not tied to you as an individual. It's not something you know, because it's a physical device external to your brain. So the answer will be somewhere you are. Also, multi-factor authentication is slightly changing in the market to use other ways to authenticate."

 

What threw me off is that I never heard this "somewhere you are" mentioned anywhere else. I thought this could be a made-up thing. Well, I know now. Thanks.

 

 

Rooks
Newcomer III

@funkychicken Big congrats in passing the exam. 

 

Sounds like a lot of ambiguous questions on the exam 🙂 Thanks for the advice, re - best answer

 

 

Thanks for your explanation for the question below. However, these keywords "minimum security requirements" could be interpreted a different way by some. Some may think the minimum requirement/effort could be to just encrypt all mail rather than go through the extensive process of classifying emails appropriately, then labelling them, and then applying appropriate policies. And we know email and data classification is challenging and takes time and effort. Not disagreeing with the answer but just my 2 cents...

 

 

"Question 1. 

 

Johny needs to provide a set of minimum security requirements for email. What steps should he recommend for his organization to ensure that the email remains secure?

 

Let's break this down.

 

Johny needs to provide a set of MINIMUM security requirements for EMAIL. So the standards are going to be minimum and not necessarily for all email. In fact, most times in an organisation, especially when doing ISO27001 and PCI-DSS, all email does not need to be encrypted; only the sensitive items need to be. We must also consider encryption as a technology that puts lots of processing power on CPU resources and also will slow down the system if being used for all email, so in reality this really isn't a viable option, because in an email scenario, receiving an email if it is not sensitive is more important than encrypting it.

 

What steps should he recommend for his organization to ensure that the email remains secure?

 

OK so he needs to take some steps, and he should recommend these steps for the org to make sure THE EMAIL remains secure. 

 

So, the email relates to the type of email that is being encrypted. This does not relate to all email; it relates to the type of email, which means that it has been broken down into categories. So here you will have email that is non-secure and is OK to be sent to users, and then you have email that is sensitive and needs to be secured and sent using something like PGP encryption.

 

Remember the CISSP training and the core skills of a CISSP representative. The Security Dept is there to facilitate the business to achieve the business goals. There are also many elements of the CISSP training which you need to consider for every answer to a question. Remember that most of the answers are correct but it is the best answer which you need to know in the situation. I know all these are confusing but you will need to consider every situation in every part of the CISSP and adopt the knowledge to answer the question. 

 

So the answers:

 

A.   All email should be encrypted - not necessarily. In most companies all email does not need to be encrypted but only the category of email that is required to be encrypted. 

 

B.   All email should be encrypted and labelled - same as above. In certain companies or government operations it should be but if this was a standard then Office 365 would adopt this or yahoo.com and everyone would have to use PGP and everything would need to be labelled which is impractical at the moment. 

 

C.  Sensitive email should be encrypted and labelled - Yes there is always a time where there are certain emails which need to be shared with a key. They also need to be labelled and considered inbound and outbound. So something that may not be considered sensitive inside but when released outside of the company this may be considered sensitive and therefore should be labelled as such. 

 

D.  Only highly sensitive email should be encrypted - This is incorrect because some email which is classified as non sensitive may be sensitive if the data was released outside. 

 

 

I recently passed my CISSP. I had to review all of the documentation for these areas. It became more and more obvious that it's not just the specific question that is the concern but every element from the training, what the current state of the technology is that is mentioned in the question, how the technology works, the CIA triad, the principles of a CISSP, the roles and objectives of a CISSP in a business and a variety of other aspects that could affect the answer to a question.

 

When I sat my exam there were many questions that were like this, and the thought process is not just the question at stake, as all of the answers could be correct, but it's what is the best answer in this scenario given the situation."

 

Rooks
Newcomer III

Okay, we have been advised to think like an adviser / manager when answering CISSP questions. So, with that in mind, what's your take on the following question.

 

Question 4.

 

Jacky recently conducted a vulnerability scan and found a critical vulnerability on a server that handles sensitive information. What should Jacky do next?

 

A.  Patching

B.  Reporting

C.  Remediation

D.  Validation

 

Answer.  Given answer is D.

 

Now, if you think like an adviser or a manager, your answer should be B. Reporting, and ask to validate and take action as needed. As a manager or adviser, you don't get into nitty-gritty details. What's your take on this? Thank you!

denbesten
Community Champion


@Rooks wrote:

Callback to a landline phone number is an example of what type of factor?

...

Answer given is B.  Somewhere you are.

 

Do you agree with this answer?  


I do not.  "Somewhere you are" is not a generally recognized factor. There are three generally recognized factors:  

 

  • something you have (e.g. a phone/PC hopefully with a TPM)
  • something you are  (e.g. biometrics)
  • something you know (e.g. a password)

 

The best (well, least bad) answer would be "something you have".  

 

Incidentally, a "landline" phone does not really demonstrate physical location. My phone number is a "landline" based on the telco allocation tables, but it actually rings on my mobile phone. Phone calls/texts are also not a very good choice for MFA due to known attack methods (porting numbers, forwarding, SIM swap). Given a choice between a password or password+SMS, choose the latter, but if any other MFA mechanism is available, avoid SMS.