cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
rslade
Influencer II

Practice Questions

Right.

 

For (and from) all the newbies out there who want help for studying, there have been numerous questions about, well, questions.  As in, "what's the best set of practice questions to use while studying for the exam?"

 

The answer is, none of them.

 

I have looked at an awful lot of practice question sets, and they are uniformly awful.  Most try to be "hard" by bringing in trivia: that is not representative of the exam.  Most concentrate on a bunch of facts: that is not representative of the exam.

 

So, from my own stash, collected and developed over the decades, I'm going to give you some samples that do represent the types of questions that you will probably see on the exam.  Note that none of these questions will appear on the exam.  You can't pass the CISSP exam by memorizing a brain dump.  These will just give you a feel.

 

For each question I'll give the answer, what type of question this represents, and possibly ways to approach this type of question.

 

I'll be doing this over time, "replying" to this post to add questions.  Others are free to add sample questions if they wish, but be ready to be (possibly severely) critiqued.


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
322 Replies
rslade
Influencer II

Which one of the following can be used to verify the source of a fax transmission?

 

a. Caller ID
b. Ring Differential Detector
c. ID banner stamped on cover page
d. Call forwarding

 

Answer: a

 

Reference: Bellcore CND TR -TSY0000302230
British Telcom CID Standard SIN 227
EV ETSI 300

 

Discussion:

 

OK, this is an example of a question with four wrong answers.  But you have to answer the question asked from the answers given.  You have to pick the least wrong (or, as one of my training colleagues puts it, Which Answer Stinks The Least, WASTL).

 

Answer a - correct, or most correct, or least wrong - supposedly accurate report of calling number.  In fact I know of at least four ways to mess with Called ID.  But:
Answer b - wrong - this is a signaling function.
Answer c - wrong - this can be forged.  As a matter of fact, it is strictly user-settable.  I used to set mine to a company name, rather than any phone number.
Answer d - wrong - doesn’t provide source, and can be used to try to hide the source.


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
PuettK
Newcomer III

Spoiler
Love the question - too many professionals take fax and/or all-in-one copiers for granted from a security function.
rslade
Influencer II

How should access to a local area network be controlled for outside support?

a. Obtain the signature of the user.
b. Issue a temporary password.
c. Verify user employment.
d. Request user identification.

Answer: b.
Reference: Security Data & Voice Communications; Simonds; McGraw-Hill; 1996; pg 104.

Outside support refers to remote access from a vendor’s site for system maintenance, etc. Therefore, a. & d. wouldn’t be practical unless digital signatures (certificates) are used. This may be an option in the future, but now, b. is the best. The third answer, c., is obviously incorrect
because the question is addressing a non-employee situation.

======================
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
"If you do buy a computer, don't turn it on." - Richards' 2nd Law
"Robert Slade's Guide to Computer Viruses" 0-387-94663-2
"Viruses Revealed" 0-07-213090-3
"Software Forensics" 0-07-142804-6
"Dictionary of Information Security" Syngress 1-59749-115-2
"Cybersecurity Lessons from CoVID-19" CRC Press 978-0-367-68269-9
============= for back issues:
[Base URL] site http://victoria.tc.ca/techrev/
CISSP refs: [Base URL]mnbksccd.htm
PC Security: [Base URL]mnvrrvsc.htm
Security Dict.: [Base URL]secgloss.htm
Security Educ.: [Base URL]comseced.htm
Book reviews: [Base URL]mnbk.htm
[Base URL]review.htm
Partial/recent: http://groups.yahoo.com/group/techbooks/
http://en.wikipedia.org/wiki/Robert_Slade
https://is.gd/RotlWB http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
rslade
Influencer II

Why does fiber optic communication technology have significant security advantage over other transmission technology?

 

a. Higher data rates can be transmitted.
b. Interception of data traffic is more difficult.
c. Traffic analysis is prevented by multiplexing.
d. Single and double-bit errors are correctable.

 

Answer: b.

Reference: Voice & Data Communications Handbook; pg 631.

 

Discussion:

 

Answer a - wrong - higher data rates are not a security advantage.
Answer b - correct - fiber is resistant to tapping.  "Resistant," not impossible.  I remember having a discussion with some guys who would only admit to being from "Fort Meade" (back in the days when NSA really did stand for "No Such Agency").  They said you couldn't tap fibre.  I knew you could.  But it's not really easy.
Answer c - wrong - multiplexing is not always used with fiber.
Answer d - wrong - error correcting is not associated with a transmission medium, but with a protocol.


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
rslade
Influencer II

What is a basic security problem in distributed systems?

 

a. Knowing who to trust.
b. Knowing when to reconnect.
c. Knowing how to name resources.
d. Knowing the order of transactions.

 

Answer: a.

Reference: Secure Computing; Rita Surrons; McGraw-Hill; 1997; pg 535-536.

 

Discussion:

 

Answer a - correct
Answer b - wrong - reconnect what? Indiscriminate.
Answer c - wrong - naming of resources may aid security implementation but you still have work to do.
Answer d - wrong - race conditions apply pretty much anywhere.


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
rslade
Influencer II

Which privacy law does differential privacy support?

 

a. British privacy law
b. Chinese privacy law
c. EU privacy law
d. US privacy law

 

Answer: d

 

a. British privacy law has recently been amended/updated to be equivalent to GDPR, so answers a and c are basically the same.
b. Yeah, I needed a good laugh, too. But China does have a privacy law, and it pretends to be compatible with the original privacy directives: what data you can collect, and for how long, and how accurate you have to be.
c. Well, GDPR is mostly just the original privacy directives, but the new accountability directive might have to do with how well you protect what you have collected ...
d. OK, I often say the the US doesn't have any privacy laws, but they do. Those are primarily concerned with how much you can sue when people disclose your data.  So, if you do use differential privacy, you at least have some proof that you have thought about protecting the data you hold against queries, and, if you have a privacy budget, you have a measure of how much protection you provide.  This speaks to liability, negligence, and due care, so this is the best answer.


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
rslade
Influencer II

Which of the following is NOT part of differential privacy?

 

a. database queries
b. network calculus
c. noise
d. privacy budget

 

Answer: b

 

Differential privacy is specifically for preventing privacy loss in database queries, often uses noise, and leads to the concept of a privacy budget.

 

Network calculus is a fabricated distractor.


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
dcontesti
Community Champion

@rslade  wrote:

 

Which privacy law does differential privacy support?

 

a. British privacy law
b. Chinese privacy law
c. EU privacy law
d. US privacy law

 

Answer: d

 

So I like where you are going by bringing Privacy to the forefront for Security folks, however should the question be changed to list the actual laws.  With recent changes in privacy not all laws in the US support differential privacy. I am specifically thinking about CCPA and CPRA (which a number of states are following or copying) and more akin to GDPR than anything.

 

Just my thoughts,

 

d

 

rslade
Influencer II

Which method is often used to reduce the risk to a local area network that has external connections?

a. Passwords
b. Firewall
c. Dial-up
d. Fiber optics

Answer: b.
Reference: Internet Security; Professional Reference; New Riders; Varnors; 1996; pg 197.

Discussion:
Answer a - wrong - passwords are used for authentication.
Answer b - correct - firewalls provide a resistance to attacks from the outside - none of the others do.
Answer c - wrong - dial-up does not provide protection , only provides remote access that can be spoofed.
Answer d - wrong - fiber optics is a transport mechanism & doesn’t provide protection.

======================
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
"If you do buy a computer, don't turn it on." - Richards' 2nd Law
"Robert Slade's Guide to Computer Viruses" 0-387-94663-2
"Viruses Revealed" 0-07-213090-3
"Software Forensics" 0-07-142804-6
"Dictionary of Information Security" Syngress 1-59749-115-2
"Cybersecurity Lessons from CoVID-19" CRC Press 978-0-367-68269-9
============= for back issues:
[Base URL] site http://victoria.tc.ca/techrev/
CISSP refs: [Base URL]mnbksccd.htm
PC Security: [Base URL]mnvrrvsc.htm
Security Dict.: [Base URL]secgloss.htm
Security Educ.: [Base URL]comseced.htm
Book reviews: [Base URL]mnbk.htm
[Base URL]review.htm
Partial/recent: http://groups.yahoo.com/group/techbooks/
http://en.wikipedia.org/wiki/Robert_Slade
https://is.gd/RotlWB http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
PuettK
Newcomer III

This is a typical read the question before answering - local area network access that has external connections.  Always a firewall question.