rslade
Influencer II

Practice Questions

Right.

For (and from) all the newbies out there who want help for studying, there have been numerous questions about, well, questions.  As in, "what's the best set of practice questions to use while studying for the exam?"

The answer is, none of them.

I have looked at an awful lot of practice question sets, and they are uniformly awful.  Most try to be "hard" by bringing in trivia: that is not representative of the exam.  Most concentrate on a bunch of facts: that is not representative of the exam.

So, from my own stash, collected and developed over the decades, I'm going to give you some samples that do represent the types of questions that you will probably see on the exam.  Note that none of these questions will appear on the exam.  You can't pass the CISSP exam by memorizing a brain dump.  These will just give you a feel.

For each question I'll give the answer, what type of question this represents, and possibly ways to approach this type of question.

I'll be doing this over time, "replying" to this post to add questions.  Others are free to add sample questions if they wish, but be ready to be (possibly severely) critiqued.


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
329 Replies
alekos
Newcomer II

Which one of the following is the key element when performing a penetration test?
a. The tester should have the same access constraints as a normal user.
b. The tester should have access to the system source code.
c. The tester should have access to network diagrams.
d. The tester should have access to vendor manuals and system documentation.

Hello Mr Slade,

Thank you for taking the time to provide us with such great and well-written questions; they really get me thinking. I am having a hard time seeing why the answer is “a” in this question. I promise you I am not trying to fight the question; I accept that the answer you provide is right, but at the same time I am disappointed in my ability (or lack thereof) to be able to “see” that as the answer.
You mention in your explanation that: “Answer a - to be effective, the tester must not have privileges, otherwise the test may be invalid.”
So with this explanation in mind, if I start off as a “normal user”, doesn’t that mean that I have entitlement and therefore some sort of privileged access to the network?
From my understanding, all of the answer choices pertain to a grey-box penetration test. Now “b” and “d” I quickly eliminated because, like you explain, I also am trying to find the broadest definition here. As I look at the remaining choices I find that “c” is a broader description than “a” because it does not give any access privileges and just provides a network blueprint. Unless having the network diagram is considered a higher privilege than being a normal user on the network, in which case I understand why it would be “a”. Anyway, I hope you have a happy new year and I look forward to more questions.

Thank you,

Alex
rslade
Influencer II

> alekos (Viewer II) posted a new reply in Exams on 01-03-2021 01:17 PM in the

> Hello Mr Slade, Thank you for taking the time to provide us with such great and
> well written questions; they really get me thinking.

Quite welcome. That's what they are there for.

> Unless having the network
> diagram is considered a higher privilege than being a normal user on the network
> in which case then I understand why it would be a.

Yes, having access to network diagrams would be considered a form of inside
information, and so, in a sense, higher access. There are, of course, "full access"
tests, and there are ways of mapping the network from the outside, but these
would be considered special cases, and therefore not suitable answers when the
question is about pen testing as a whole.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
This is not spam. - the first sentence in most recent spam
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

rslade
Influencer II

22. What is the PRIMARY benefit of adding a callback system to a computer
security system that permits dial-up access?

a. It avoids the cost and effort that is typically required to install and administer
an access control software package.
b. Once all of the authorized telephone numbers are defined to the modem,
further maintenance effort is not needed.
c. It enables the system to validate the location of the user terminal, thus
providing additional evidence that the user is authorized.
d. If a user calls when the system is down, the system may call back the user
automatically when processing has been resumed.

Answer: c.
Reference: Network Security; Simmons; McGraw-Hill; 1997; pg 100.

Discussion:
Answer a - wrong - a call-back system may well use a centralized access control
system such as RADIUS.
Answer b - wrong - maintenance is required for adds, moves, and changes.
Answer c - correct. Note that it says "additional evidence," not "proof." No, it's
not perfect, but the others are all wrong.
Answer d - wrong - not a traditional feature of a call-back system, and therefore,
can’t be the primary benefit.

Startzc
Newcomer III

Alex,

Pull yourself away from the mindset that "a normal user" has to be an employee of the company. Anyone visiting a company's public facing web site to make a purchase, search for information, or watch a streaming video is a "normal user." These people would not have any inside information about the system itself, but they (may) have their own accounts and privileges, even if that account is "Guest" and the privileges are None or Temporary.

alekos
Newcomer II

Thank you sir.
rslade
Influencer II

24. Which of the following is the BEST way to protect an e-mail message?

a. Send the message only to the person you want to see it.
b. Code the message so the recipient has to decode it.
c. Request a receipt from the receiver of the message for verification.
d. Sign the message using a digital signature.

Answer: b.
Reference: E-Mail Security - How to Keep Your Messages Private; Schneier;
1995; Wiley & Sons; pg 107.

Discussion:
Answer a - wrong - the sender of an e-mail message does not have control over
the ultimate destiny of the message (e.g., messages can be forwarded by the
recipient to others).
Answer b - correct - protects both the confidentiality & integrity.
Answer c - wrong - a receipt can confirm message delivery or that the message has
been read. It does not control who else may have access to it.
Answer d - wrong - a digital signature only protects the integrity and
authenticates the source.

(Of course, the *real* answer is, don't send it. 🙂)

======================
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
"If you do buy a computer, don't turn it on." - Richards' 2nd Law
"Robert Slade's Guide to Computer Viruses" 0-387-94663-2
"Viruses Revealed" 0-07-213090-3
"Software Forensics" 0-07-142804-6
"Dictionary of Information Security" Syngress 1-59749-115-2
"Cybersecurity Lessons from CoVID-19" CRC Press 978-0-367-68269-9
============= for back issues:
[Base URL] site http://victoria.tc.ca/techrev/
CISSP refs: [Base URL]mnbksccd.htm
PC Security: [Base URL]mnvrrvsc.htm
Security Dict.: [Base URL]secgloss.htm
Security Educ.: [Base URL]comseced.htm
Book reviews: [Base URL]mnbk.htm
[Base URL]review.htm
Partial/recent: http://groups.yahoo.com/group/techbooks/
http://en.wikipedia.org/wiki/Robert_Slade
https://is.gd/RotlWB http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/

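The distinction the discussion draws between answers b and d (encoding the message versus signing it) is easy to see in code. The following is an added illustration, not code from the thread or from the referenced book; it uses only the Python standard library. An HMAC tag stands in for the digital signature of answer d (it is a symmetric stand-in, so it authenticates a peer who shares the key rather than a public-key signer, which is an assumption made for the demo), and an HMAC-SHA256 counter-mode keystream combined with an encrypt-then-MAC tag stands in for "coding" the message as in answer b. Keys and the message are constructed for the demonstration; a production system would use a vetted AEAD such as AES-GCM and a real signature scheme.

```python
"""
Added example (not from the forum thread): what a signature/MAC protects
versus what encryption protects.

  - sign_only():         integrity + source authentication; body stays readable
                         to anyone who sees the message in transit (answer d).
  - encrypt_then_mac():  confidentiality as well as integrity (answer b).

All keys and the sample message below are constructed for the demo.
"""
import hashlib
import hmac
import os
from typing import Optional

# Constructed demo keys; a real system derives these from a KDF or key exchange.
SIGNING_KEY = b"constructed-signing-key-for-demo"
MAC_KEY = b"constructed-mac-key-for-the-demo"
ENCRYPTION_KEY = b"constructed-encryption-key-demo!"

TAG_LEN = 32      # SHA-256 HMAC tag
NONCE_LEN = 16


def sign_only(key: bytes, message: bytes) -> bytes:
    """Answer d: attach an authentication tag; the body is sent in the clear."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return tag + message


def verify_signed(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the message if the tag checks out, None if it was altered."""
    tag, message = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return message


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a stdlib-only stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_then_mac(enc_key: bytes, mac_key: bytes, message: bytes) -> bytes:
    """Answer b: encrypt the body, then tag nonce + ciphertext (encrypt-then-MAC)."""
    nonce = os.urandom(NONCE_LEN)
    keystream = _keystream(enc_key, nonce, len(message))
    ciphertext = bytes(m ^ k for m, k in zip(message, keystream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return tag + nonce + ciphertext


def decrypt_and_verify(enc_key: bytes, mac_key: bytes, blob: bytes) -> Optional[bytes]:
    """Check the tag before decrypting; reject anything that was tampered with."""
    tag = blob[:TAG_LEN]
    nonce = blob[TAG_LEN:TAG_LEN + NONCE_LEN]
    ciphertext = blob[TAG_LEN + NONCE_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    keystream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, keystream))


def readable_in_transit(blob: bytes, phrase: bytes) -> bool:
    """What a passive observer on the path learns: is the phrase visible?"""
    return phrase in blob


def flip_byte(blob: bytes, index: int) -> bytes:
    """Simulate an active attacker altering one byte of the message body."""
    altered = bytearray(blob)
    altered[index] ^= 0x01
    return bytes(altered)


def demo() -> dict:
    message = b"Meeting moved to 15:00, bring the audit report"   # constructed
    signed = sign_only(SIGNING_KEY, message)
    sealed = encrypt_then_mac(ENCRYPTION_KEY, MAC_KEY, message)
    return {
        # Signature alone leaves the content exposed; encryption does not.
        "signed_readable_in_transit": readable_in_transit(signed, b"audit report"),
        "sealed_readable_in_transit": readable_in_transit(sealed, b"audit report"),
        # Both detect modification of the body (index 40 / 60 lie inside the body).
        "signed_tamper_detected": verify_signed(SIGNING_KEY, flip_byte(signed, 40)) is None,
        "sealed_tamper_detected": decrypt_and_verify(ENCRYPTION_KEY, MAC_KEY, flip_byte(sealed, 60)) is None,
        "sealed_round_trip": decrypt_and_verify(ENCRYPTION_KEY, MAC_KEY, sealed) == message,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running `demo()` shows the point of the discussion: the signed-only message still carries "audit report" in plain view to anyone on the path, while the encrypted one does not, and both constructions reject a message whose body has been altered. Checking the tag before decrypting is the deliberate order here; verifying after decryption would let an attacker probe the decryptor with forged ciphertexts.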
Startzc
Newcomer III

Is the TCSEC information in the study guide still tested at all, or is it just for historical information? I came up when the Orange Book was still pretty much the DoD security bible. Even though Common Criteria has long since replaced it, I've seen a lot of TCSEC questions in official and 3rd party practice questions.

kamalamalhotra
Newcomer III

TCSEC is just historical. CC is the one that is followed as of now.

rslade
Influencer II

Why is traffic across a packet switched network (e.g. frame relay, X.25) difficult
to monitor?

a. Packets are link encrypted by the carrier
b. Government regulations forbid monitoring
c. Packets are transmitted on multiple paths
d. The network factor is too high

Answer: c.
Reference: VRDCH; J Randade; McGraw-Hill; 1997 pg 414, 423, 428.

Discussion:
Answer a - wrong - link encryption is not a normal service of a carrier.
Answer b - wrong - it may, but that would stop someone from capturing
transmitted data in free space.
Answer c - correct.
Answer d - wrong - fabricated option. Once again, just because you don't know it
doesn't make it the right answer.

rslade
Influencer II

Date sent: Tue, 05 Jan 2021 03:14:45 +0000 (UTC)
From: ISC ² Community <connect@isc2.org>

> Startzc (Newcomer II) posted a new reply in Exams on 01-04-2021 10:14 PM

> Is the TCSEC information in the study guide still tested at all or is it just
> for historical information. I came up when the Orange Book was still pretty much
> the DoD security bible. Even though Common Criteria has long since replaced it

1) You will, occasionally, see historical stuff in the exam. (I remember one
question on the exam I took, back in the paper-based days, and thinking that,
besides myself, nobody else in the room was likely to have actually used that
technology. Even then I was an "old timer.") There aren't likely to be many, so
don't expend too much time cramming for them, but you will probably see them.

2) Look for the fundamentals in the historical materials. For example, TCSEC
was largely based on Bell-LaPadula, and was therefore exclusively concerned with
confidentiality. So a major, and foundational, difference between TCSEC and
ITSEC was the addition of concern about integrity. (The Common Criteria is, like
most of the more recent frameworks, primarily concerned with documentation. It
is perfectly possible to do a Common Criteria compliant system or device that
essentially says "we don't care about security, and you can trust that statement as
long as we didn't lie to you" as long as you document it properly.)

> I've seen a lot of TCSEC questions in official and 3rd party practice questions.

Yeah. Pretty much all practice question sets are a) grabbed from someone else, b)
cribbed out of old trivia that the collector didn't know and so figured nobody else
did, and c) "just the facts, ma'am." (None of which accurately represents the
actual exam.) (See the opening post of this topic.)

