rslade
Influencer II

Practice Questions

Right.

 

For (and from) all the newbies out there who want help for studying, there have been numerous questions about, well, questions.  As in, "what's the best set of practice questions to use while studying for the exam?"

 

The answer is, none of them.

 

I have looked at an awful lot of practice question sets, and they are uniformly awful.  Most try to be "hard" by bringing in trivia: that is not representative of the exam.  Most concentrate on a bunch of facts: that is not representative of the exam.

 

So, from my own stash, collected and developed over the decades, I'm going to give you some samples that do represent the types of questions that you will probably see on the exam.  Note that none of these questions will appear on the exam.  You can't pass the CISSP exam by memorizing a brain dump.  These will just give you a feel.

 

For each question I'll give the answer, what type of question this represents, and possibly ways to approach this type of question.

 

I'll be doing this over time, "replying" to this post to add questions.  Others are free to add sample questions if they wish, but be ready to be (possibly severely) critiqued.


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
329 Replies
ndouzounasesse
Newcomer I

IMO, the correct answer is: D - During requirements development (of the application(s))
Vigenere
Newcomer III

No @LHablas,

I was referring to this:

Prior to implementation, a complete description of an operational security issue should specify threat, vulnerability, and

a. safeguard.
b. asset.
c. exposure.
d. control.



"I have no special talent. I am only passionately curious."
rslade
Influencer II

In an on-line computer application system, erroneous or invalid transactions that
are detected by the computer program should be

a. dropped from processing.
b. written to a report and reviewed.
c. terminated and the process aborted.
d. written to a computer log.

Answer: b.

Dropping a transaction from processing, and not doing anything with it, *can*
create all kinds of problems for the business. Terminating and aborting the process
is a good way to open yourself to some kind of denial of service attack. Writing
to a report is good, but writing to a report and then reviewing it is better.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
The vast accumulations of knowledge--or at least of information--
deposited by the nineteenth century have been responsible for an
equally vast ignorance. When there is so much to be known, when
there are so many fields of knowledge in which the same words are
used with different meanings, when every one knows a little about
a great many things, it becomes increasingly difficult for anyone
to know whether he knows what he is talking about or not. And
when we do not know, or when we do not know enough, we tend
always to substitute emotions for thoughts. - T. S. Eliot
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

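As an added illustration of the answer above (this is example code written for this thread, not code from the original post): a small Python batch processor that routes every transaction its checks reject into an exceptions report for a reviewer, rather than silently discarding it or aborting the whole run. The account balances, transactions and rejection rules are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Transaction:
    txn_id: str
    account: str
    kind: str     # "debit" or "credit"
    amount: int   # whole currency units; constructed sample data


@dataclass
class ExceptionEntry:
    txn_id: str
    account: str
    reason: str
    detected_at: str


@dataclass
class BatchResult:
    applied: list = field(default_factory=list)   # ids of transactions actually executed
    report: list = field(default_factory=list)    # ExceptionEntry rows awaiting human review


def validate(txn: Transaction, balances: dict) -> Optional[str]:
    """Return None when the transaction may be executed, else the rejection reason."""
    if txn.account not in balances:
        return "unknown account"
    if txn.amount <= 0:
        return "non-positive amount"
    if txn.kind not in ("debit", "credit"):
        return f"unknown transaction kind {txn.kind!r}"
    if txn.kind == "debit" and txn.amount > balances[txn.account]:
        return "insufficient funds"
    return None


def process_batch(transactions, balances):
    """Apply valid transactions; route invalid ones to the exceptions report.

    An invalid transaction is never executed (so no overdraft happens), but it is
    also never silently discarded, and one bad record does not abort the batch.
    """
    result = BatchResult()
    for txn in transactions:
        reason = validate(txn, balances)
        if reason is not None:
            result.report.append(ExceptionEntry(
                txn.txn_id, txn.account, reason,
                datetime.now(timezone.utc).isoformat(timespec="seconds")))
            continue
        if txn.kind == "debit":
            balances[txn.account] -= txn.amount
        else:
            balances[txn.account] += txn.amount
        result.applied.append(txn.txn_id)
    return result


def render_report(result: BatchResult) -> str:
    """Plain-text exceptions report handed to a reviewer."""
    lines = [f"EXCEPTIONS REPORT: {len(result.report)} transaction(s) pending review"]
    for e in result.report:
        lines.append(f"  {e.txn_id}  account={e.account}  reason={e.reason}  detected={e.detected_at}")
    return "\n".join(lines)


# Constructed sample data (not from any real system).
SAMPLE_BALANCES = {"ACC-100": 50_000, "ACC-200": 1_000}
SAMPLE_TXNS = [
    Transaction("T1", "ACC-100", "debit", 20_000),   # valid
    Transaction("T2", "ACC-200", "debit", 5_000),    # overdraft attempt -> report, not executed
    Transaction("T3", "ACC-999", "credit", 100),     # unknown account -> report
    Transaction("T4", "ACC-200", "credit", 2_500),   # valid; batch continued after T2/T3
    Transaction("T5", "ACC-100", "debit", -50),      # malformed amount -> report
]


def run_sample():
    """Process the constructed batch against a copy of the sample balances."""
    balances = dict(SAMPLE_BALANCES)
    result = process_batch(SAMPLE_TXNS, balances)
    return result, balances


if __name__ == "__main__":
    res, bal = run_sample()
    print("applied:", res.applied)
    print("balances:", bal)
    print(render_report(res))
```

The point the code makes is the one in the answer: rejected transactions leave a record with a reason and a timestamp that someone is expected to read, the batch keeps going, and nothing invalid is applied to an account.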
rajus
Newcomer I

I would think the answer is Control because Asset and Exposure should be obvious but we would like to know through this implementation what control objective are we trying to achieve.

 

I may be completely off here though.

rslade
Influencer II

Which of the following is commonly used for retrofitting security to a Database
Management System?

a. Trusted back-end
b. Audit trail
c. Trusted front-end
d. Controller

Answer: c.

OK, slapping a trusted front-end on a database is not the best idea in the entire
world. Yes, if you have security problems in the database itself, some front-end
interface is not going to solve all the problems that will remain behind the curtain.
The thing is, you answer the question that has been asked, from the answers that
have been provided. And, in this case, putting a trusted front-end on the system
*is* what most people, companies, and enterprises do to protect a weak database.

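As an added example of what "putting a trusted front-end on the system" looks like in practice (example code written for this thread, not from the original post): a Python mediator over an in-memory SQLite table that is assumed to enforce nothing itself. Callers choose from a fixed set of operations, the columns returned come from a per-role allow-list, values are passed as bound parameters, and every call is written to an audit trail. The schema, rows and roles are constructed sample data.

```python
import sqlite3
from typing import Optional

# Constructed sample schema and rows; not from any real system.
SCHEMA = "CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, dept TEXT, salary INTEGER)"
ROWS = [(1, "Ada", "eng", 120_000), (2, "Grace", "eng", 130_000), (3, "Linus", "ops", 90_000)]

# Per-role column allow-list. The back-end database enforces nothing; the front-end does.
ROLE_COLUMNS = {
    "hr": ("id", "name", "dept", "salary"),
    "manager": ("id", "name", "dept"),
}


class TrustedFrontEnd:
    """Mediates every access to the database: callers pick from a fixed set of
    operations, column lists come from the allow-list, values go in as bound
    parameters, and each call is recorded in an audit trail."""

    def __init__(self, conn: sqlite3.Connection):
        self._conn = conn
        self.audit: list = []   # (role, operation, argument, outcome)

    def _authorise(self, role: str):
        cols = ROLE_COLUMNS.get(role)
        if cols is None:
            self.audit.append((role, "authorise", None, "denied"))
            raise PermissionError(f"role {role!r} is not authorised")
        return cols

    def lookup_employee(self, role: str, employee_id: int) -> Optional[dict]:
        cols = self._authorise(role)
        if not isinstance(employee_id, int):
            raise ValueError("employee_id must be an integer")
        # Column names come only from ROLE_COLUMNS; the id is a bound parameter.
        sql = f"SELECT {', '.join(cols)} FROM employees WHERE id = ?"
        row = self._conn.execute(sql, (employee_id,)).fetchone()
        self.audit.append((role, "lookup_employee", employee_id, "found" if row else "none"))
        return dict(zip(cols, row)) if row else None

    def list_department(self, role: str, dept: str) -> list:
        cols = self._authorise(role)
        sql = f"SELECT {', '.join(cols)} FROM employees WHERE dept = ? ORDER BY id"
        rows = self._conn.execute(sql, (dept,)).fetchall()
        self.audit.append((role, "list_department", dept, f"{len(rows)} rows"))
        return [dict(zip(cols, r)) for r in rows]


def build_demo() -> TrustedFrontEnd:
    """Create the constructed sample database and wrap it in the front-end."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?)", ROWS)
    conn.commit()
    return TrustedFrontEnd(conn)


if __name__ == "__main__":
    fe = build_demo()
    print(fe.lookup_employee("hr", 1))
    print(fe.lookup_employee("manager", 1))
    print(fe.list_department("manager", "eng"))
    for entry in fe.audit:
        print("audit:", entry)
```

The limitation the post mentions is visible here too: anything that reaches the connection without going through `TrustedFrontEnd` gets the full, unprotected table, so the value of the front-end depends on it being the only path to the database.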
Vigenere
Newcomer III


@rajus wrote:

I would think the answer is Control because Asset and Exposure should be obvious but we would like to know through this implementation what control objective are we trying to achieve.

 

I may be completely off here though.


The answer provided by @rslade on page 2 of this thread was b (Asset). However, I personally think the question is incomplete because it doesn't say what it is that we are implementing.




"I have no special talent. I am only passionately curious."
Vigenere
Newcomer III


@rslade wrote:
In an on-line computer application system, erroneous or invalid transactions that
are detected by the computer program should be

a. dropped from processing.
b. written to a report and reviewed.
c. terminated and the process aborted.
d. written to a computer log.

Answer: b.

Dropping a transaction from processing, and not doing anything with it, *can*
create all kinds of problems for the business. Terminating and aborting the process
is a good way to open yourself to some kind of denial of service attack. Writing
to a report is good, but writing to a report and then reviewing it is better.


@rslade could you please share a book reference that would sustain this answer?

Does this mean that transactions that are detected as invalid (e.g. a banking operation attempting to transfer more funds than are available in an account) should still be executed and in parallel written to a report and reviewed?




"I have no special talent. I am only passionately curious."
Vigenere
Newcomer III

What documents the intention of two entities to work together toward a common goal?

a. Mutual agreement
b. SLA
c. MOU
d. ISA


Answer: c

Reference: "(ISC)2 Official Study Guide" - Applying Security Operations Concepts



"I have no special talent. I am only passionately curious."
rslade
Influencer II

Which of the following has the objective to control and manage data from a
central location?

a. Databases
b. Data dictionaries
c. Data access methods
d. Data storage

Answer: b.

Does anybody (except me) even remember what a data dictionary is? However,
do recall that the exam has the whole field of security and related computer,
information, and communications technologies to draw upon. (To balance things
out, remember that *you* only have to get 70%.)
