cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
rslade
Influencer II

Practice Questions

Right.

 

For (and from) all the newbies out there who want help for studying, there have been numerous questions about, well, questions.  As in, "what's the best set of practice questions to use while studying for the exam?"

 

The answer is, none of them.

 

I have looked at an awful lot of practice question sets, and they are uniformly awful.  Most try to be "hard" by bringing in trivia: that is not representative of the exam.  Most concentrate on a bunch of facts: that is not representative of the exam.

 

So, from my own stash, collected and developed over the decades, I'm going to give you some samples that do represent the types of questions that you will probably see on the exam.  Note that none of these questions will appear on the exam.  You can't pass the CISSP exam by memorizing a brain dump.  These will just give you a feel.

 

For each question I'll give the answer, what type of question this represents, and possibly ways to approach this type of question.

 

I'll be doing this over time, "replying" to this post to add questions.  Others are free to add sample questions if they wish, but be ready to be (possibly severely) critiqued.


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
322 Replies
rslade
Influencer II

OK, you want a plain fact question?

 

What type of attack often tries all possible solutions?

 

a. Trojan horse
b. Trap door
c. Clone
d. Brute force


Answer: d.
Reference: Handbook of Info. Sec. Mgmt; Auerbach; Tipton & Krause; 1998; pg 406.

 

Discussion:

 

Answer a - a trojan horse is hidden code in a program so that the computer will execute unexpected functions.
Answer b - a trap door allows system access without going through the authentication process.
Answer c - to clone is to replicate a program, code, or operating instruction for authorized or unauthorized use.
Answer d - an exhaustive attack often tries all possible solutions.


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Shannon
Community Champion

 

 

What @rslade said makes perfect sense. When I took the exam, I've not relied on the practice questions but banked on CISSP not requiring a vast amount of technical know-how, but adequate experience.

 

You have to ensure that: -

 

  1. You have a good understanding of the foundational concepts that the domains cover.
  2. You are able to relate these concepts to situations in the real world.
  3. You can use your experience to determine the best options based on circumstances.

 

 

To sum it up, you have to employ a combination of the following: -

 

  1. Technical knowledge
  2. (ISC)2 best practices
  3. Work experience

 

1 is relatively basic & rarely a sole deciding factor, so you often have to make use of 2 & 3 --- if these conflict, you'll want to call in your own judgement and ability to correctly 'interpret' the question.

 

 

 

 

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
rslade
Influencer II

Which of the following defines a denial of service attack?

 

a. An action that prevents a system from functioning in accordance with its intended purpose.
b. An action that allows unauthorized users to access some of the computing services available.
c. An action that allows a hacker to compromise system information.
d. An action that allows authorized users to access some of the computing services available.

 

Answer: a.

 

Reference: Information Systems Security: A Practitioner’s Reference; Fites & Kratz; Thomson Computer Press; 1996; pg 437-438.

 

Discussion:

 

Answer a - in denial of service, a user or attacker might try to “crash” the system or hang it up so no one can use it.  But, at times, simply preventing part of the system from working is enough.
Answer b - Usually denial of service attacks make the system virtually unusable.  On occasion, an attacker may attempt to bring down one part of a system in order to enable access to another part, but that's a specialize, rather than the general, situation.
Answer c - denial of service could involve data corruption/destruction but usually does not compromise the confidentiality of information.
Answer d - Usually denial of service means denial of use, i.e., the system itself is not usable.  Se above.


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
quattroschick
Viewer III

Thanks for posting these questions. I'm planning to take the CISSP in October and I'll definitely be dwindling down my practice test sources to less than a handful. I'm glad I have been looking at the information in a holistic manner and not just memorizing key terms. I only missed 1 question out of all you've posted even though it has no indication of my knowledge but it's good for me to see how I can deduce answers and understand why it's correct. 

rslade
Influencer II

What type attack is eavesdropping?

 

a. Active
b. Passive
c. Aggressive
d. Masquerading

 

Answer: b.

 

Reference: Information Systems Security; Fites & Kratz; pg 439.

 

Discussion:
Answer a - in active attacks data is altered.
Answer b - eavesdropping is a method of attack in which data is not altered and, therefore, is a passive attack.
Answer c - not a formally defined type of attack.
Answer d - the pretense by an entity to be a different entity.


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
rslade
Influencer II

Some privacy laws are partly based on the principle that information obtained about a user for some purpose

 

a. cannot be used for another purpose.
b. must be copied and provided to the user.
c. may only be used with the user's permission.
d. may be reviewed by the user's manager.

 

Answer: a.

 

A is the correct answer, even though that principle has not always been followed.  A is one of the principles from the original EU privacy directive, and therefore has been modelled in a significant number of privacy laws around the world (because of the "jurisdiction transfer" restriction).  B is a slight variation on one of the privacy directive principles, and is less common in that form.  C and D probably don't exist in anybody's privacy laws.


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
rslade
Influencer II

Which of the following security controls might force an operator into collusion with personnel assigned organizationally within a different function in order to gain access to unauthorized data?

 

a. Limiting the local access of operations personnel
b. Job rotation of operations personnel
c. Management monitoring of audit logs
d. Enforcing regular password changes

 

Answer: a.


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
rslade
Influencer II

The concept of “Least Privilege” involves

 

a. individual accountability.
b. access authentication.
c. authorization levels.
d. audit mechanisms.

 

Answer: c

 

(Reference: Helsing, Swanson, and Todd, Management Guide to the Protection of Information Resources, NIST Special Publication 500-170, 1989, pg.6)


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
jjchucho
Viewer III

Could you explain this? 


@rslade wrote:

Which of the following security controls might force an operator into collusion with personnel assigned organizationally within a different function in order to gain access to unauthorized data?

 

a. Limiting the local access of operations personnel
b. Job rotation of operations personnel
c. Management monitoring of audit logs
d. Enforcing regular password changes

 

Answer: a.


 

Shannon
Community Champion

 


@jjchucho wrote:

Could you explain this? 

The question here is what may lead to collusion, and not prevent or detect it.

 

Take this scenario...

 

Tom & Jerry work in different functional departments of an organization --- Tom's in the HR department while Jerry's in the Financial department.

 

Tom wants to siphon some of the organisation's money into his own account, for which he needs to use systems in both the HR & Financial department.

 

If IT security is lax & Tom is able to access the Financial department's systems / data, he might be able to do this on his own.

 

But if there are controls that limit his access to the HR department's systems / data, he'll have to collude with Jerry for this.

 

That's option A.

 

As for the other options getting ruled out, D is a general preventive control, B is a preventive / deterrent control that discourages collusion, & C is a general detective control.

 

 

 

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz