cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
rslade
Influencer II

Practice Questions

Right.

 

For (and from) all the newbies out there who want help for studying, there have been numerous questions about, well, questions.  As in, "what's the best set of practice questions to use while studying for the exam?"

 

The answer is, none of them.

 

I have looked at an awful lot of practice question sets, and they are uniformly awful.  Most try to be "hard" by bringing in trivia: that is not representative of the exam.  Most concentrate on a bunch of facts: that is not representative of the exam.

 

So, from my own stash, collected and developed over the decades, I'm going to give you some samples that do represent the types of questions that you will probably see on the exam.  Note that none of these questions will appear on the exam.  You can't pass the CISSP exam by memorizing a brain dump.  These will just give you a feel.

 

For each question I'll give the answer, what type of question this represents, and possibly ways to approach this type of question.

 

I'll be doing this over time, "replying" to this post to add questions.  Others are free to add sample questions if they wish, but be ready to be (possibly severely) critiqued.


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
322 Replies
rslade
Influencer II

> denbesten (Community Champion) posted a new reply in Exams on 03-18-2021 01:53

> I was somewhat "calmed down" when I realized that it plays into the importance
> of associating "Diffie-Hellman Key Exchange" with "Public Key Encryption". 
> That said, I concur that it probably would best be rewritten to not appear quite
> so much like trivia question.

A valid point, by both Diana and William. I thought of it myself, when I posted
the question, and I probably should have been more explicit in my discussion.

Part of the reason I included it was in regard to the point that the "best" answer is
sometimes the "least bad," or, as one of my fellow instructors had it, "which
answer stinks the least." First off, we can throw out both Fred Cohen and David
Kahn. But then we are left with Martin Hellman and Adi Shamir, both involved
with the development of asymmetric crypto. And it's an arguable point. Diffie
and Hellman's original work did lay the foundation of asymmetric crypto, but their
algorithm was for key exchange, rather than a full cryptosystem. On the other
hand, they were first (except for Merkle and GCHQ), and El Gamal did make a full
cryptosystem based on their algorithm.

You will see some "trivia" type questions on the exam. And, for those, as I've said
before, just be grateful you only need to get 70%.

In terms of Merkle and GCHQ, this points out yet another important factor on
the exam: answer the question asked *from the answers given.* The answer that
is available may *not* be the very best, and may not *even* be completely
correct. In this case "the best is the enemy of" the actually correct answer for the
exam. That's part of critical thinking and judgment: you have to be able to accept
imperfect if that is all you have.

======================
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
"If you do buy a computer, don't turn it on." - Richards' 2nd Law
"Robert Slade's Guide to Computer Viruses" 0-387-94663-2
"Viruses Revealed" 0-07-213090-3
"Software Forensics" 0-07-142804-6
"Dictionary of Information Security" Syngress 1-59749-115-2
"Cybersecurity Lessons from CoVID-19" CRC Press 978-0-367-68269-9
============= for back issues:
[Base URL] site http://victoria.tc.ca/techrev/
CISSP refs: [Base URL]mnbksccd.htm
PC Security: [Base URL]mnvrrvsc.htm
Security Dict.: [Base URL]secgloss.htm
Security Educ.: [Base URL]comseced.htm
Book reviews: [Base URL]mnbk.htm
[Base URL]review.htm
Partial/recent: http://groups.yahoo.com/group/techbooks/
http://en.wikipedia.org/wiki/Robert_Slade
https://is.gd/RotlWB http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
rslade
Influencer II

Why is public key management recommended for use in the process of securing
facsimiles?

a. The keys are never transmitted over the network.
b. Data compression decreases key change frequency.
c. Key data is not recognizable from facsimile data.
d. It securely passes the session key to the receiving machine.

Answer: d.

Fax encryption would probably involve use of a symmetric key which would need
to be transmitted to the receiver. Therefore, “a.” is wrong.
“b” wrong because not related to the subject
“c.” is wrong because the key data would be separate from but attached to the
message.

======================
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
"If you do buy a computer, don't turn it on." - Richards' 2nd Law
"Robert Slade's Guide to Computer Viruses" 0-387-94663-2
"Viruses Revealed" 0-07-213090-3
"Software Forensics" 0-07-142804-6
"Dictionary of Information Security" Syngress 1-59749-115-2
"Cybersecurity Lessons from CoVID-19" CRC Press 978-0-367-68269-9
============= for back issues:
[Base URL] site http://victoria.tc.ca/techrev/
CISSP refs: [Base URL]mnbksccd.htm
PC Security: [Base URL]mnvrrvsc.htm
Security Dict.: [Base URL]secgloss.htm
Security Educ.: [Base URL]comseced.htm
Book reviews: [Base URL]mnbk.htm
[Base URL]review.htm
Partial/recent: http://groups.yahoo.com/group/techbooks/
http://en.wikipedia.org/wiki/Robert_Slade
https://is.gd/RotlWB http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
kamalamalhotra
Newcomer III

I cleared my exam today. 

sg2278
Newcomer II

kamalamalhotra,

 

Today was your day.  Please know that you were in my thoughts and prayers.  I hope you had a successful outcome.  I test next Saturday. 

 

best regards

kamalamalhotra
Newcomer III

next Saturday is your day. All the best.

rslade
Influencer II

Which of the following is a public-key cipher for commercial data that is based on
the products of prime numbers?

a. Data Encryption Algorithm
b. Message Authentication Code
c. Rivest-Shamir-Adleman Algorithm
d. Turing Engine

Answer: c.

Answer a- The Data Encryption Algorithm is a symmetric (single key) algorithm.
Answer b - The Message Authentication Code is a hash algorithm.
Answer d - The Turing Engine is not a public-key algorithm.

(Hey, some of the questions just *are* based on facts. Like I said, just be glad you
only need 70% ...)

======================
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
"If you do buy a computer, don't turn it on." - Richards' 2nd Law
"Robert Slade's Guide to Computer Viruses" 0-387-94663-2
"Viruses Revealed" 0-07-213090-3
"Software Forensics" 0-07-142804-6
"Dictionary of Information Security" Syngress 1-59749-115-2
"Cybersecurity Lessons from CoVID-19" CRC Press 978-0-367-68269-9
============= for back issues:
[Base URL] site http://victoria.tc.ca/techrev/
CISSP refs: [Base URL]mnbksccd.htm
PC Security: [Base URL]mnvrrvsc.htm
Security Dict.: [Base URL]secgloss.htm
Security Educ.: [Base URL]comseced.htm
Book reviews: [Base URL]mnbk.htm
[Base URL]review.htm
Partial/recent: http://groups.yahoo.com/group/techbooks/
http://en.wikipedia.org/wiki/Robert_Slade
https://is.gd/RotlWB http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
rslade
Influencer II

Which of the following describes the process of creating a DES session key?

a. Key clustering
b. Key escrow
c. Key signing
d. Key exchange

Answer: d.

Reference: Applied Cryptography; Bruce Schneier; pg 47.

Discussion:
Answer a - Key clustering is where 2 different keys will produce the same cipher
text from the same plain text.
Answer b- Key escrow is where a decryption key is placed in escrow with one or
more agents so it can be obtained by law enforcement with court approval.
Answer c - Key signing is the certification of an individual’s identity by a trusted
party or certificate authority.
Answer d - Key exchange is the process of creating a DES session key.

======================
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
"If you do buy a computer, don't turn it on." - Richards' 2nd Law
"Robert Slade's Guide to Computer Viruses" 0-387-94663-2
"Viruses Revealed" 0-07-213090-3
"Software Forensics" 0-07-142804-6
"Dictionary of Information Security" Syngress 1-59749-115-2
"Cybersecurity Lessons from CoVID-19" CRC Press 978-0-367-68269-9
============= for back issues:
[Base URL] site http://victoria.tc.ca/techrev/
CISSP refs: [Base URL]mnbksccd.htm
PC Security: [Base URL]mnvrrvsc.htm
Security Dict.: [Base URL]secgloss.htm
Security Educ.: [Base URL]comseced.htm
Book reviews: [Base URL]mnbk.htm
[Base URL]review.htm
Partial/recent: http://groups.yahoo.com/group/techbooks/
http://en.wikipedia.org/wiki/Robert_Slade
https://is.gd/RotlWB http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
PuettK
Newcomer III

One of more favorite questions - well done Robert

rslade
Influencer II

How many bits is the effective length of the key in the Data Encryption Standard
algorithm?

a. 16
b. 32
c. 56
d. 64

Answer: c.

Reference: Applied Cryptography; B. Schneier; Wiley; 1996; pg 270.

Discussion:
Answer a - 16 is the number of rounds of substitution & permutation.
Answer b - 32 is a meaningless distractor.
Answer c - 56 is the effective key length.
Answer d - 64 is the block size.

Even a simple, fact-based, question can be tricky at times. While 56 bits is the
effective length of the key, in processing, because of the error-correcting
properties of DES, 8 bits of Hmming code is appended to the key, for a total
length of 64 bits (which also comes in handy when doing the block operations).
Some vendors would actually use this as a selling point, saying that, while
everyone else used a 56 bit key, *their* verison of DES used a *64* bit key!

======================
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
"If you do buy a computer, don't turn it on." - Richards' 2nd Law
"Robert Slade's Guide to Computer Viruses" 0-387-94663-2
"Viruses Revealed" 0-07-213090-3
"Software Forensics" 0-07-142804-6
"Dictionary of Information Security" Syngress 1-59749-115-2
"Cybersecurity Lessons from CoVID-19" CRC Press 978-0-367-68269-9
============= for back issues:
[Base URL] site http://victoria.tc.ca/techrev/
CISSP refs: [Base URL]mnbksccd.htm
PC Security: [Base URL]mnvrrvsc.htm
Security Dict.: [Base URL]secgloss.htm
Security Educ.: [Base URL]comseced.htm
Book reviews: [Base URL]mnbk.htm
[Base URL]review.htm
Partial/recent: http://groups.yahoo.com/group/techbooks/
http://en.wikipedia.org/wiki/Robert_Slade
https://is.gd/RotlWB http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
scootoure
Viewer III

@rslade This access controls concept is something that I am finding extremely confusing due to the mixed information across resources.

Sybex Official Study Guide Edition 8, specifically separates Rule-Based Access control from Discretionary Access control (p.628) stating each is 1 of the 5 access control models. However, the Desitination Certification video (https://www.youtube.com/watch?v=BUcoABZzeQ4&list=PLZKdGEfEyJhKWyryIvx_jm1jn6ZMTi7gW&index=16) explicitly states that both Rule-Based and Role-Based Access Controls are Discretionary and mentions in the comments that everyone else that says otherwise is incorrect.

 

Can you provide insight into why your logic contradicts the Sybex official study guide. What should I follow?