rslade
Influencer II

Practice Questions

Right.

For (and from) all the newbies out there who want help for studying, there have been numerous questions about, well, questions.  As in, "what's the best set of practice questions to use while studying for the exam?"

The answer is, none of them.

I have looked at an awful lot of practice question sets, and they are uniformly awful.  Most try to be "hard" by bringing in trivia: that is not representative of the exam.  Most concentrate on a bunch of facts: that is not representative of the exam.

So, from my own stash, collected and developed over the decades, I'm going to give you some samples that do represent the types of questions that you will probably see on the exam.  Note that none of these questions will appear on the exam.  You can't pass the CISSP exam by memorizing a brain dump.  These will just give you a feel.

For each question I'll give the answer, what type of question this represents, and possibly ways to approach this type of question.

I'll be doing this over time, "replying" to this post to add questions.  Others are free to add sample questions if they wish, but be ready to be (possibly severely) critiqued.


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
rslade
Influencer II

22. Remote access using a one-time password scheme is most closely associated with which of the following?

a. Something you are
b. Something you have
c. Something you calculate
d. Something you know

Answer: b.

Reference: Handbook of Info. Sec. Mgmt; Krause & Tipton; 1998; pg 682-683.

You have to read, but you also have to think about, the question.  This is one of the few cases where your first reaction might be wrong, since you probably triggered on the word "password" in the question.  But remember that a "one-time" password is not the same as a static password.  The one-time password generator in this case might be a token.  Or, in some cases, it might be a list of one-time passwords that are crossed off or discarded after use.  In either case, something you have.

Answer a - Something you are is biometrics.
Answer b - Something you have, which in this case would be the token generating the password or a list.
Answer c - Something you calculate is not one of the 3 authentication factors.
Answer d - Something you know is a static password, not a one-time password.


rslade
Influencer II

31. The type of penetration testing used to discover whether numerous usercode/password combinations can be attempted without detection is called

a. keystroke capturing
b. access validation testing
c. brute force testing
d. accountability testing

Answer: c.

Reference: Intrusion Detection; Terry Escamilla; pg 44-47.

OK, maybe you think that brute force testing is not penetration testing, but rather cryptology.  That's a classic case of "fighting the question."  It isn't going to get you any points.  It also doesn't demonstrate that you know what using various inputs to gain access is called: brute force testing.

Besides, none of the other answers fit at all.

Keystroke capturing captures the information being entered, so no guessing is involved: user IDs and passwords are known.

"Access validation testing" doesn't exist.

"Accountability testing" doesn't exist.


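The question above turns on whether repeated usercode/password guesses go unnoticed. As an added example (not from the original post or from the cited book), here is the detection side of that scenario: a sliding-window count of failed logins per source, run over constructed sshd-style log lines. The log format, the threshold of five failures in sixty seconds, and the sample addresses are all assumptions made for the illustration.

```python
"""Detect password-guessing bursts in (constructed) sshd-style log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.5 fails 5 times against 4 accounts in 5 seconds,
# then succeeds; 10.0.0.9 fails only twice, 18 minutes apart.
SAMPLE_LOG = """\
2020-01-19T05:51:01 sshd: Failed password for alice from 10.0.0.5
2020-01-19T05:51:02 sshd: Failed password for alice from 10.0.0.5
2020-01-19T05:51:03 sshd: Failed password for bob from 10.0.0.5
2020-01-19T05:51:04 sshd: Failed password for carol from 10.0.0.5
2020-01-19T05:51:05 sshd: Failed password for dave from 10.0.0.5
2020-01-19T05:51:06 sshd: Accepted password for dave from 10.0.0.5
2020-01-19T05:52:30 sshd: Failed password for alice from 10.0.0.9
2020-01-19T06:10:00 sshd: Failed password for alice from 10.0.0.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password "
                     r"for (?P<user>\S+) from (?P<src>\S+)$")

def parse(log_text):
    """Return (timestamp, result, user, src) tuples; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"],
                           m["user"], m["src"]))
    return events

def find_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Map each source reaching `threshold` failures inside any sliding `window`
    to (failures in that window, distinct users tried, success seen afterwards)."""
    fails = defaultdict(list)
    successes = defaultdict(list)
    for ts, result, user, src in events:
        (fails if result == "Failed" else successes)[src].append((ts, user))
    alerts = {}
    for src, attempts in fails.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # slide the window forward past stale failures
            if end - start + 1 >= threshold:
                users = {u for _, u in attempts[start:end + 1]}
                later_ok = any(ts > attempts[end][0] for ts, _ in successes[src])
                alerts[src] = (end - start + 1, len(users), later_ok)
    return alerts
```

A success recorded right after a burst (the third field) is the case worth paging on, since it means one of the guesses worked.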
rslade
Influencer II

Which of the following security principles are supported by role-based access control?

a. Discretionary access control, confidentiality, and non-repudiation
b. Mandatory access control, auditing, and integrity
c. Least privilege, separation of duties, and discretionary access control
d. Least privilege, mandatory access control, and data sensitivity

Answer: c.
Reference: Handbook of Info. Sec. Mgmt.; edited by Krause & Tipton, Auerbach. 1998. Pg 606-607, 622.

This one takes a bit of thinking, because so many parts of the answers do relate to role-based access control.  You have to read the answers fully, and see which ones have points that aren't supported.

Answer a - non-repudiation is not supported by role-based access control.
Answer b - auditing is not supported by role-based access control.
Answer c - all are conceivable.
Answer d - data sensitivity is not supported by role-based access control.


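To make the correct answer concrete, here is an added example (not from the original post or the cited handbook) of a small role-based access control model in which least privilege and separation of duties are enforced by the model itself: a user's rights are exactly the union of their roles' permissions, and two roles declared mutually exclusive can never be held by one user. It goes one step beyond the question by also showing the dynamic form of separation of duties, where the creator of a record cannot be its approver. The roles, permissions and users are hypothetical.

```python
"""Minimal RBAC model enforcing least privilege and separation of duties."""
from dataclasses import dataclass, field

@dataclass
class Rbac:
    role_perms: dict = field(default_factory=dict)  # role -> set of permissions
    user_roles: dict = field(default_factory=dict)  # user -> set of roles held
    exclusive: set = field(default_factory=set)     # role pairs no single user may hold

    def define_role(self, role, perms):
        self.role_perms[role] = set(perms)

    def forbid_together(self, role_a, role_b):
        """Static separation of duties: the two roles are mutually exclusive."""
        self.exclusive.add(frozenset((role_a, role_b)))

    def assign(self, user, role):
        """Grant a role; returns False (and grants nothing) if it conflicts."""
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role}")
        held = self.user_roles.setdefault(user, set())
        if any(frozenset((role, other)) in self.exclusive for other in held):
            return False
        held.add(role)
        return True

    def permissions(self, user):
        """Least privilege: a user holds exactly the union of their roles' rights."""
        return set().union(*(self.role_perms[r] for r in self.user_roles.get(user, ())))

    def allowed(self, user, perm):
        return perm in self.permissions(user)

def can_approve(rbac, user, payment):
    """Dynamic separation of duties: needs the right and must not be the creator."""
    return rbac.allowed(user, "payment:approve") and payment["created_by"] != user

def build_demo():
    """Constructed demo policy (hypothetical roles and users)."""
    rbac = Rbac()
    rbac.define_role("clerk", {"payment:create"})
    rbac.define_role("approver", {"payment:approve"})
    rbac.define_role("auditor", {"payment:read"})
    rbac.forbid_together("clerk", "approver")  # nobody both creates and approves
    rbac.assign("alice", "clerk")
    rbac.assign("bob", "approver")
    rbac.assign("carol", "auditor")
    return rbac
```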
Vigenere
Newcomer III

Hello, today in the official CISSP app I have encountered the following question

Q: When you're designing a security system for Internet-delivered email, which of the following is least important?

- Nonrepudiation
- Availability
- Message Integrity
- Access restriction

How would you answer?



"I have no special talent. I am only passionately curious."
ndouzounasesse
Newcomer I

I will go with answer B.

The key words for me are “Designing a security system”
Vigenere
Newcomer III

Your answer is correct. Personally I don't get it, how can one of the pillars of security (CIA triad) be the least important factor when designing a security system?
Would you be able to point me to the part of CBK that sustains this concept?

rslade
Influencer II

> Vigenere (Newcomer I) posted a new reply in Certifications on 01-19-2020 05:51

> Hello, today in the official CISSP app I have encountered the following question
> Q: When you're designing a security system for Internet-delivered email, which
> of the following is least important?
> - Nonrepudiation
> - Availability
> - Message Integrity
> - Access restriction

> How would you answer?

Right. The question is asking about email security, with no other specification, so
look at email in the broadest possible terms. All of the answers are useful and
proper: none is specifically "wrong." Of the answers given, availability, message
integrity, and access restriction are pretty much key. Any system that doesn't
ensure those three would be a failure. Non-repudiation might be an add-on, if you
were using the system for commerce or other specialized purposes. So, least
important, in general terms.

rslade
Influencer II


@Vigenere wrote:
> Your answer is correct.

What the [epithet deleted to avoid the dreaded "community" pr0n filter]?

> Personally I don't get it, how can one of the pillars of security (CIA triad) be the least important factor when designing a security system?

All I can say is that, to misquote "Oliver Twist," the official CISSP app is an ass.

> Would you be able to point me to the part of CBK that sustains this concept?

Nope.


rslade
Influencer II

Apparently, "ass" is not part of the dreaded "community" pr0n filter.

Celebrate minor and inconsequential victories!


Vigenere
Newcomer III

Yep, and this was precisely my line of thought, which is (apparently) wrong.
