rslade
Influencer II

Practice Questions

Right.

 

For (and from) all the newbies out there who want help for studying, there have been numerous questions about, well, questions.  As in, "what's the best set of practice questions to use while studying for the exam?"

 

The answer is, none of them.

 

I have looked at an awful lot of practice question sets, and they are uniformly awful.  Most try to be "hard" by bringing in trivia: that is not representative of the exam.  Most concentrate on a bunch of facts: that is not representative of the exam.

 

So, from my own stash, collected and developed over the decades, I'm going to give you some samples that do represent the types of questions that you will probably see on the exam.  Note that none of these questions will appear on the exam.  You can't pass the CISSP exam by memorizing a brain dump.  These will just give you a feel.

 

For each question I'll give the answer, what type of question this represents, and possibly ways to approach this type of question.

 

I'll be doing this over time, "replying" to this post to add questions.  Others are free to add sample questions if they wish, but be ready to be (possibly severely) critiqued.


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
322 Replies
Startzc
Newcomer III

So after clearing it with Member Support, I got the okay to offer the following advice:

 

1. Know your software testing methods/tools, including the various names they can go by, and dev processes in general.
2. Know Cloud security concepts and terminology. Cloud is still the favorite buzzword of many orgs.
3. The test gives you a link at the bottom with 17 pages of Acronyms, USE IT if you're not sure about something; it might help eliminate wrong answers.
4. As I said before, they did not try to hide qualifying words like "best, most, not, only" within the questions, they were plainly displayed and easy to see in BOLD CAPS. You still need to read the questions and all answers very carefully before you answer though.
rslade
Influencer II

One issue with mail forwarding systems that are not restricted to a particular domain is they

 

a. can be used for spamming.
b. are subject to content attacks.
c. leak DNS information to outside sources.
d. cannot block ping-of-death attacks.

 

Answer: a


kamalamalhotra
Newcomer III

Been a while. Thanks for the refresher. Planning to take my exam on March 15th.

rslade
Influencer II

Which of the following statements is true about data encryption as a method of
protecting data?

a. It verifies the accuracy of the data.
b. It is usually easily administered.
c. It requires careful key management.
d. It makes few demands on system resources.

Answer: c.

“a.” is wrong because it has no way to verify accuracy of data - it can be used to
verify the integrity of a message, file, etc.
“b.” is wrong because there are several aspects to data encryption that can be
difficult to administer - key management, key recovery, etc.
“c.” is true because it does require careful key management.
“d.” is wrong because encryption always adds some overhead to a system,
particularly if implemented in software.


======================
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
"If you do buy a computer, don't turn it on." - Richards' 2nd Law
"Robert Slade's Guide to Computer Viruses" 0-387-94663-2
"Viruses Revealed" 0-07-213090-3
"Software Forensics" 0-07-142804-6
"Dictionary of Information Security" Syngress 1-59749-115-2
"Cybersecurity Lessons from CoVID-19" CRC Press 978-0-367-68269-9
============= for back issues:
[Base URL] site http://victoria.tc.ca/techrev/
CISSP refs: [Base URL]mnbksccd.htm
PC Security: [Base URL]mnvrrvsc.htm
Security Dict.: [Base URL]secgloss.htm
Security Educ.: [Base URL]comseced.htm
Book reviews: [Base URL]mnbk.htm
[Base URL]review.htm
Partial/recent: http://groups.yahoo.com/group/techbooks/
http://en.wikipedia.org/wiki/Robert_Slade
https://is.gd/RotlWB http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/

kamalamalhotra
Newcomer III

What are the main building blocks of SAML?

a. Assertions, Protocol, and Binding

b. Authentication, Attribute and Authorization

c. Assertions, Protocol, and Authorization

d. Assertions, Protocol, and Authentication

dcontesti
Community Champion

Sorry, but I have a few questions on this one:

 

1. Are you submitting this as an example?  If so, what is the key?

 

2. What is the reference?

 

3. Is this intended to be an example of what one might find on the exam?

 

Regards

 

 

kamalamalhotra
Newcomer III

The correct answer is:

Assertions, Protocol, and Binding

This is correct: SAML's main components are Assertions, Protocol, and Binding.

 

DISCUSSION:

Security Assertion Markup Language (SAML) is an open standard that allows identity providers (IdP) to pass authorization credentials to service providers (SP). What that jargon means is that you can use one set of credentials to log into many different websites. It’s much simpler to manage one login per user than it is to manage separate logins to email, customer relationship management (CRM) software, Active Directory, etc.

SAML transactions use Extensible Markup Language (XML) for standardized communications between the identity provider and service providers. SAML is the link between the authentication of a user’s identity and the authorization to use a service.

SAML works by passing information about users, logins, and attributes between the identity provider and service providers. Each user logs in once to Single Sign On with the identity provider, and then the identity provider can pass SAML attributes to the service provider when the user attempts to access those services. The service provider requests the authorization and authentication from the identity provider. Since both of those systems speak the same language – SAML – the user only needs to log in once.


Assertions, Protocol, and Binding

In the public cloud world, identity providers are increasingly adopting OpenID and OAuth as standard protocols. In a corporate environment, corporate identity repositories can be used. Microsoft Active Directory is a dominant example. Relevant standard protocols in the corporate world are Security Assertion Markup Language (SAML) and WS-Federation.

SAML consists of a number of components that, when used together, permit the exchange of identity, authentication, and authorization information between autonomous organizations.

The first component is an assertion which defines the structure and content of the information being transferred. The structure is based on the SAML v2 assertion schema.

How an assertion is requested by, or pushed to, a service provider is defined as a request/response protocol encoded in its own structural guidelines: the SAML v2 protocol schema.

A binding defines the communication protocols (such as HTTP or SOAP) over which the SAML protocol can be transported.

Together, these three components create a profile (such as Web Browser Artifact or Web Browser POST). In general, profiles satisfy a particular use case. The following image illustrates how the components are integrated for a SAML interaction.


Two other components that may be included in SAML messages are:

Metadata

Metadata defines how configuration information shared between two communicating entities is structured. For instance, an entity's support for specific SAML bindings, identifier information, and public key information is defined in the metadata. The structure of the metadata is based on the SAML v2 metadata schema. The location of the metadata is defined by Domain Name Server (DNS) records.

Authentication Context

In some situations, one entity may want additional information to determine the authenticity of, and confidence in, the information being sent in an assertion. Authentication context permits the augmentation of assertions with information pertaining to the method of authentication used by the principal and how secure that method might be. For example, details of multi-factor authentication can be included.

NIST SP 800-63C (https://pages.nist.gov/800-63-3/sp800-63c.html) has the following info on SAML:

Security Assertion Markup Language (SAML)

SAML is an XML-based framework for creating and exchanging authentication and attribute information between trusted entities over the internet. As of this writing, the latest specification for SAML is SAML v2.0, issued 15 March 2005.

The building blocks of SAML include:

  • The Assertions XML schema, which defines the structure of the assertion.
  • The SAML Protocols, which are used to request assertions and artifacts (the assertion references used in the indirect model described in Section 7.1).
  • The Bindings, which define the underlying communication protocols (such as HTTP or SOAP), and can be used to transport the SAML assertions.

The three components above define a SAML profile that corresponds to a particular use case such as “Web Browser SSO”.

SAML Assertions are encoded in an XML schema and can carry up to three types of statements:

  • Authentication statements include information about the assertion issuer, the authenticated subscriber, validity period, and other authentication information. For example, an Authentication Assertion would state the subscriber “John” was authenticated using a password at 10:32 pm on 06-06-2004.

  • Attribute statements contain specific additional characteristics related to the subscriber. For example, the subject “John” is associated with the attribute “Role” with the value “Manager”.

  • Authorization statements identify the resources the subscriber has permission to access. These resources may include specific devices, files, and information on specific web servers. For example, subject “John” for action “Read” on “Webserver1002” given evidence “Role”.

 



The following answers are incorrect:

 

Authentication, Attribute and Authorization

These are not the main components of SAML

 

Assertions, Protocol, and Authorization

These are not the main components of SAML

 

Assertions, Protocol, and Authentication

These are not the main components of SAML
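
As an added example (not code from this thread, NIST SP 800-63C, or any quoted source), a small Python parser that reads a constructed SAML 2.0 assertion and pulls out the authentication statement (with its authentication context), the attribute statement and the authorization decision statement described above, plus the NotBefore/NotOnOrAfter validity check a service provider applies. The issuer and resource URLs in the sample are made up; signature validation, which a real SP must do before trusting any of these values, is out of scope here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample, modelled on the "John" / "Role" = "Manager" / "Webserver1002"
# examples quoted from SP 800-63C above. Issuer and resource URLs are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2004-06-06T22:32:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>John</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2004-06-06T22:30:00Z" NotOnOrAfter="2004-06-06T22:40:00Z"/>
  <saml:AuthnStatement AuthnInstant="2004-06-06T22:32:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="Role"><saml:AttributeValue>Manager</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
  <saml:AuthzDecisionStatement Resource="https://webserver1002.example.test/" Decision="Permit">
    <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Read</saml:Action>
  </saml:AuthzDecisionStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Pull the subject, validity window and the three statement types out of one assertion."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    authn = root.find("saml:AuthnStatement", NS)
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "not_before": cond.get("NotBefore"),
        "not_on_or_after": cond.get("NotOnOrAfter"),
        # Authentication statement: when, and by which method (authentication context), the subject logged in
        "authn_instant": authn.get("AuthnInstant"),
        "authn_method": authn.findtext("saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS),
        # Attribute statement: extra characteristics of the subject, e.g. Role = Manager
        "attributes": {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
                       for a in root.iterfind("saml:AttributeStatement/saml:Attribute", NS)},
        # Authorization decision statement: (resource, action, decision) triples
        "authz": [(s.get("Resource"), s.findtext("saml:Action", namespaces=NS), s.get("Decision"))
                  for s in root.iterfind("saml:AuthzDecisionStatement", NS)],
    }


def _utc(stamp):
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def within_validity(parsed, now_iso):
    """The Conditions check an SP must apply: NotBefore <= now < NotOnOrAfter (all times UTC)."""
    return _utc(parsed["not_before"]) <= _utc(now_iso) < _utc(parsed["not_on_or_after"])
```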

dcontesti
Community Champion

So, if you are going to post a question for folks that may or may not be using this string as a learning tool, you should include the answer when posting the question, and also the reference.

 

I personally do not like the question.  Rationale:  B are parts of Assertions.

 

For C and D, they are partially correct as they have Assertions and Protocol in them and therefore could be misleading.

 

Profiles are also part of SAML, however most folk only discuss Assertions, Protocols and Bindings.

 

Just my two cents

 

 

 

rslade
Influencer II

An encryption system’s work factor is defined as the

a. length of time required to scramble the data.
b. algorithm effort used to scramble the data.
c. length of time required to crack the encryption.
d. encrypted key multiplied by itself.

Answer: c.
Reference: Applied Cryptography, Bruce Schneier, 2nd Ed., Wiley 1996, pg 9.

Discussion:
Answer a - incorrect because the data is already scrambled (encrypted) and the
work factor is the time required to perform the attack.
Answer b - incorrect like a.
Answer c - correct because the work factor is defined as the time required to crack
the encryption or perform the attack.
Answer d - incorrect because the key multiplied by itself has nothing to do with
cracking the encrypted message.

rslade
Influencer II

> kamalamalhotra (Newcomer II) posted a new reply in Exams on 02-15-2021 12:37 PM

> The correct answer is: Assertions, Protocol, and Binding This is correct, SAML
> main components are Assertions, Protocol, and Binding.   DISCUSSION: Security
> Assertion Markup Language (SAML) is an open standard that allows identity
> providers (IdP) to pass authorization credentials to service providers (SP).
[an awful lot of bumpf elided for reasons of space]
>    The following answers are incorrect:   Authentication,
> Attribute and Authorization These are not the main components of SAML  
> Assertions, Protocol, and Authorization These are not the main components of
> SAML   Assertions, Protocol, and Authentication These are not the main
> components of SAML

Your question, and answer, is correct. However, it is trivial. It is simply fact, with
no requirement for understanding or analysis. You *will* encounter simple, fact-
based, questions on the exam, but they are not the important ones. Your lengthy
"discussion" is simply padding. You have made the same mistake that all too
many purveyors of sample "exam" questions make: make the question "hard" by
relying on esoteric trivia.
