cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
rslade
Influencer II

Practice Questions

Right.

 

For (and from) all the newbies out there who want help for studying, there have been numerous questions about, well, questions.  As in, "what's the best set of practice questions to use while studying for the exam?"

 

The answer is, none of them.

 

I have looked at an awful lot of practice question sets, and they are uniformly awful.  Most try to be "hard" by bringing in trivia: that is not representative of the exam.  Most concentrate on a bunch of facts: that is not representative of the exam.

 

So, from my own stash, collected and developed over the decades, I'm going to give you some samples that do represent the types of questions that you will probably see on the exam.  Note that none of these questions will appear on the exam.  You can't pass the CISSP exam by memorizing a brain dump.  These will just give you a feel.

 

For each question I'll give the answer, what type of question this represents, and possibly ways to approach this type of question.

 

I'll be doing this over time, "replying" to this post to add questions.  Others are free to add sample questions if they wish, but be ready to be (possibly severely) critiqued.


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
329 Replies
PuettK
Newcomer III

Data dictionaries are specific to the data field as length, type, required etc. This is a good description of data dictionaries https://www.bridging-the-gap.com/data-dictionary/

rslade
Influencer II

Oh, and, just to make sure that you know, "blockchain" is not the answer.

 

Unless the question is "stupidest 'magic security technology' buzzphrase in the last decade."


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
AhmedAnas
Viewer II

I would like to thank you for your great effort, I have one question, why do you consider role-based access control as discretionary access control.

 

Sybex and other references consider role-based access control and rule-based access control as non-discretionary access control.

 

Can you elaborate this more?

 

Thanks again, Your questions and answers are really helpful.

 

 

 

 

AhmedAnas
Viewer II

Thanks Again, I am also confused here one more time,

 

Sybex and other references consider role-based access control and rule-based access control as non-discretionary access control.

 

Can you clear this for me a little more

 

I do appreciate your effort.

 

Thanks,

 

 

 

 

PuettK
Newcomer III

think of it this way - you are "tagged" with a role i.e. domain admin.  If the user is placed in a role or rule based control for domain admin - you as the user have no say it it - therefore non-discretionary.  

rslade
Influencer II

> AhmedAnas (Viewer) posted a new reply in Exams on 09-05-2020 12:41 PM in the

> I would like to thank you for your great effort, I have one question, why do you
> consider role-based access control as discretionary access control.   Sybex and
> other references consider role-based access control and rule-based access
> control as non-discretionary access control.   Can you elaborate this more?

OK, if I have said anywhere that role-based access control and discretionary access
control are equivalent, I apologize. They aren't the same thing at all. Role-based
access control is a form of managing or administering an existing access control
system, in terms of assigning permissions *or* clearances. Thus role-based access
control can be used with either MAC or DAC. (Historically, the first papers to
describe mandatory access control did seem to assume a form of role-based access
control, but you only have to look at ACL groups to see that role-based methods
can be used with DAC.)

Sybex is, once again, wrong or incomplete. NDAC is a rather ancient (by now)
structure that relies on a central office. As such, yes, it could use either role or
rule-based systems, but isn't tied to them.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
Even if you are a minority of one, the truth is the truth. - Gandhi
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
rslade
Influencer II

Which of the following is NOT an effective deterrent against a database inference
attack?

a. Partitioning
b. Small query sets
c. Noise and perturbation
d. Cell suppression

Answer: b.

OK, over the years I have found that a lot of people get this one wrong.

First off, let's get rid of a and d. Database inference attacks are an old and
established threat against database systems, and are not subject to many defences.
Partitioning and cell suppression may not help much, but they do help.

Now we are left with small query sets (b) and noise and perturbation (c). Lots of
people choose noise and perturbation, because, well, noise. We don't want to
introduce errors into our databases, do we? That has to be the worst (and therfore,
in the wording of this question, right) answer.

The thing is that small query sets are, specifically, one of the tools that you do use
to mount inference attacks. So small query sets are, specifically, NOT an
effective deterrent against a database inference attack.

And what about noise and perturbation? Well, if you are really, seriously,
concerned about inference attacks, introducing small sources of noise and
perturbation (very carefully) *is* a very effective protection. (Which reminds
me: I'd better add that as a slide for my homomorphic encryption presentation on
Friday ...
https://community.isc2.org/t5/C/V/m-p/38219 )

====================== (quote inserted randomly by Pegasus Mailer)
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
Perhaps it is our imperfections that make us so perfect for one
another! - Jane Austen
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
PuettK
Newcomer III

Would agree - the key is the interface - think of this as what is truly an interface - forward facing - watch the answers

 

damann1
Viewer II

@rslade 


Thanks for taking the time to post sample questions. 

 I had taken many practice tests but was still unsure if I was ready to take the exam.  I was wrong on several of the sample questions but, I gained the confidence that I understood the principals and decided to take the exam.

I found the advice in your explanations was helpful.  I did come across one question that gave a definition and I had my understanding of the word. But when I looked at the answers, I hadn’t seen any of them mentioned before in my studies.  It gave me a slight chuckle when I thought " just because you don't know it, doesn't make it the right answer."  I was stuck choosing an answer I didn’t know.

To add something to this thread, I would say that the above statement and think of “initial steps” probably got me a couple of right answers.

 

 

 

 

rslade
Influencer II

Expert systems are commonly used to automate security log reviews for

a. user profiling.
b. intrusion detection.
c. system baselining.
d. access modeling

Answer: b.

(Reference: Caelli, Longley, and Shain, Information Security Handbook, Stockton
Press, 1991, pg 67)

Discussion:

Answer a - wrong - user profiling deals with user information not intrusion.
Answer b- correct - intrusion detection software is used to review security logs.
Answer c - wrong - system baselining is usually not done in security reviews.
Answer d - wrong - fabricated answer.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
No, it is a very interesting number, it is the smallest number
expressible as a sum of two cubes in two different ways.
Srinivasa Ramanujan (1887-1920), Indian mathematician. The
mathematician G. H. Hardy had referred to the number '1729' as
'dull'
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468