Right.
For (and from) all the newbies out there who want help for studying, there have been numerous questions about, well, questions. As in, "what's the best set of practice questions to use while studying for the exam?"
The answer is, none of them.
I have looked at an awful lot of practice question sets, and they are uniformly awful. Most try to be "hard" by bringing in trivia: that is not representative of the exam. Most concentrate on a bunch of facts: that is not representative of the exam.
So, from my own stash, collected and developed over the decades, I'm going to give you some samples that do represent the types of questions that you will probably see on the exam. Note that none of these questions will appear on the exam. You can't pass the CISSP exam by memorizing a brain dump. These will just give you a feel.
For each question I'll give the answer, what type of question this represents, and possibly ways to approach this type of question.
I'll be doing this over time, "replying" to this post to add questions. Others are free to add sample questions if they wish, but be ready to be (possibly severely) critiqued.
@rslade wrote: Penetration testing is security testing in which
a. hackers with no knowledge of the system are hired to attempt to break into a system to demonstrate protection flaws.
b. penetrators attempt to circumvent the security features of the system to identify where weaknesses exist, so that they may be strengthened.
c. foreign agents use sophisticated tools such as “password grabbers” and “dictionary attacks” to overcome the identification and authentication mechanisms of a system for future intrusions.
d. physical penetration is perpetrated in order to perform manual activities only possible with physical access to the system.
OK, the correct answer is b.
(I suspect some of you may wish to discuss this. 🙂)
So at a quick glance for me, answers A and C are quickly eliminated. Hackers and foreign agents are not involved in security testing, they are involved in hacking/attacking. Pen tests are something we hire people (professionals) to do, not an activity that is done to us. If we are not paying for it then it is an attack, not pen testing. I know the answer says we hire the "hackers" but in real life most CISSPs or security folks would never hire a "hacker" (I do know there are some examples out there, but very few) to do pen testing. You may hire a "former" hacker who has opened or is working for a business, but you would not straight out hire hackers. @rslade mentions that hackers can have different meanings but in the testing world I would assume that all testing orgs would consider hackers in a negative light. That is why it would be eliminated for me.
So that leaves me with B & D. Both statements are true, so which one is the better answer? D involves physical penetration, which is an option but not required for pen tests. Most pen tests I have been involved in do not involve physical tests or probes. So for me, since it is an option and not a requirement, B becomes the better answer. If we decide to include A as being true also, as it could be a plausible truth as well, and do not make the assumption that hackers indicate a negative connotation, we would also need to examine it against B & D. The statement made by A is a type of pen test (black box testing) but is not applicable to ALL pen tests, so like answer D, it is a partial truth, with B being the more complete true statement.
If we start out with trying to understand what the question is, that may help us also. What is pen testing used for? Why do we do pen tests? What do we do with the results of a pen test? We do penetration testing (pen tests) to try and find the flaws so you can fix them. Answer B is the only answer that fits neatly into that category. The others only partially answer it so B is the BEST answer.
Which of the following results would NOT routinely be expected from a penetration test?
a. Specifics on how the testing team obtained the information that allowed them to infiltrate a protected system.
b. A description of the company’s vulnerabilities
c. A risk analysis showing the extent to which a company is at risk within each exposure
d. Evidence of destruction of any data obtained but not delivered
Answer: c
@rslade wrote: Which of the following results would NOT routinely be expected from a penetration test?
a. Specifics on how the testing team obtained the information that allowed them to infiltrate a protected system.
b. A description of the company’s vulnerabilities
c. A risk analysis showing the extent to which a company is at risk within each exposure
d. Evidence of destruction of any data obtained but not delivered
Answer: c
d. I have seen several penetration test reports, and none of them referenced evidence of destruction of data, although this may have been in the T&Cs.
It might be nice to see "Evidence of destruction of any data obtained" after a test, but the clause "but not delivered" seems to make this nonsensical. Unless you're suggesting that all physical media which could have been tainted with client data is physically delivered to the client.
c would have been my second choice, although test reports do contain generic risk classifications for findings.
@rslade wrote: Which of the following results would NOT routinely be expected from a penetration test?
a. Specifics on how the testing team obtained the information that allowed them to infiltrate a protected system.
b. A description of the company’s vulnerabilities
c. A risk analysis showing the extent to which a company is at risk within each exposure
d. Evidence of destruction of any data obtained but not delivered
Answer: c
I'd be inclined to go with C. Assuming we're talking about an external party, A and B are expected in a report --- although D might not be stated in their report itself, the NDA would dictate how obtained info should be handled.
A risk analysis from a penetration tester would probably be something they offer as a complimentary part of the service, assuming it's free / discounted, since this would have to take into account the criticality of assets, & include additional info.
(For example, a system that is easily compromised won't carry much risk if not critical / important.)
Typically, the results of the penetration test would be used for a subsequent risk analysis --- either carried out internally or by an external party.
Sometimes the CISSP is said to be an English comprehension test. For this one, and for me, understanding option D requires English comprehension. Note that English is not my language.
In option D, the hard part for me is: "obtained but not delivered". Is it data that is obtained (by whom)? Or is it evidence that is obtained (by whom)? Who did not deliver what to whom? Too many words are omitted and it is hard for me to find the appropriate complement.
For this quiz, I would go with C for the same reasons others give here. But... I would appreciate it if someone could explain to me the very meaning of D.
This is not any sort of criticism of option D. I would love to have a level of English skills that lets me understand option D naturally...
jurupapa
@jurupapa wrote:
In option D, the hard part for me is: "obtained but not delivered". Is it data that is obtained (by whom)? Or is it evidence that is obtained (by whom)? Who did not deliver what to whom? Too many words are omitted and it is hard for me to find appropriate complement.
It's assumed to mean 'Evidence of destruction of any data obtained by the penetration tester but not delivered to the company.'
That in turn is to be interpreted as 'The penetration tester should provide proof that any data they obtained during this test but failed to return to the company has been destroyed.'
While a statement like this may be included in an NDA * it's not always feasible to furnish concrete evidence of this --- unless you're also expecting the penetration tester to carry out forensics on the activities as well.
Like @gidyn said, we rarely see actual evidence of this kind, & the result may include a generic risk analysis --- considering this and lack of specificity, it would be tempting to select D.
(I'm still inclined to go with C, though.)
* Note that an NDA will generally have all this VERY clearly defined to avoid ambiguity / misunderstanding.
Shannon san,
I appreciate your explanation. Now I get the meaning of D. The pen-tester obtained data during the test, but evidence of destruction of that data is not delivered to the orderer of the pen-test.
I also got where I was confused.
"D. Evidence of destruction of any data obtained but not delivered"
I happened to think that the subject and object of "obtained" and "delivered" were the same. But they were different: data obtained, but evidence not delivered.
This, I feel, is still tough to correctly interpret when I am under the pressure of the actual exam and given only 1 minute to answer. Rephrasing D such as:
D. The test orderer's data is obtained by the pen-tester, but no evidence of destruction of the data is delivered to the orderer.
might help non-native English speakers to understand it without confusion.
Which one of the following is the key element when performing a penetration test?
a. The tester should have the same access constraints as a normal user.
b. The tester should have access to the system source code.
c. The tester should have access to network diagrams.
d. The tester should have access to vendor manuals and system documentation.
Answer: a.
(Reference: Network Security (Voice & Data Comm.), Simmons; ISBN 0-07-057634-3, pg 371)
Discussion:
Answer a - to be effective, the tester must not have privileges, otherwise the test may be invalid. The purpose is to emulate an actual hacker (internal or external). OK, I get it that some of you may feel that this is only one type of a penetration test. You are correct, and answer a is only partially right. The thing is, answers b and c are pretty limited in the types of pen tests they would support, and answer d, while it may or may not be relevant for some types of pen tests, is more restricted than a. A is the answer that is most broadly correct in the most situations. (This is sort of a "which answer stinks the least" question. Remember: you must answer the question asked from the answers provided. Fighting with a question because it isn't 100% correct gets you no points. Security, as a profession, very seldom gives you a 100% cut-and-dried situation.)
I'd be inclined to go with A too. Validity of the options will depend on the type of test --- since the question doesn't specify this, I'll take it to mean securing a system in general, where I'd be most concerned about its security against attacks by those having limited info about it or general access to it.
B, C, & D --- mainly the last part of D --- are dependent on possession of info about the system, & the scope of this is usually limited, assuming such info is properly controlled.
I'll rule them out, since A caters to the broadest scope and assesses general security.
To analogize, if I want to gauge the security of my residence, my 1st interest is how well protected it is against a 'general' burglar, & not my family / friends / the architect / the contractor, etc. --- all that can depend on my own attitude, diligence, trust, and other factors.
@gidyn wrote: The questions in CISSP Official (ISC)2 Practice Tests bear little resemblance to those in https://community.isc2.org/t5/Certifications/CISSP-questions/td-p/18626. The "official" practice tests expect you to memorise and regurgitate a vast amount of detail, whereas the community questions are more strategic, expecting you to understand how the concepts are applied in real life, rather than memorising every published guidance and technical specification.
The differences are so profound that if I focus on one format, I would probably fail an exam that takes the other. Which is correct?
As I said, the questions I am posting aren't meant to be a brain dump. I have, in fact, specifically taken out any "plain fact" questions, since those you can pass simply by knowing the answers. The ones I am posting are to show you the other (and more significant) types of questions: the ones that test your judgment and critical thinking.