For (and from) all the newbies out there who want help for studying, there have been numerous questions about, well, questions. As in, "what's the best set of practice questions to use while studying for the exam?"
The answer is, none of them.
I have looked at an awful lot of practice question sets, and they are uniformly awful. Most try to be "hard" by bringing in trivia: that is not representative of the exam. Most concentrate on a bunch of facts: that is not representative of the exam.
So, from my own stash, collected and developed over the decades, I'm going to give you some samples that do represent the types of questions that you will probably see on the exam. Note that none of these questions will appear on the exam. You can't pass the CISSP exam by memorizing a brain dump. These will just give you a feel.
For each question I'll give the answer, what type of question this represents, and possibly ways to approach this type of question.
I'll be doing this over time, "replying" to this post to add questions. Others are free to add sample questions if they wish, but be ready to be (possibly severely) critiqued.
An Access Control List (ACL) represents a set of subjects by using which of the following constructs?
Reference: Fites & Kratz, pg 149
You can easily drop the key and domain answers here. You might be a bit confused by the group and capability options. Again, this is an example of "if you don't know it, it isn't necessarily the right answer." ACLs almost always have options for groups, even if that isn't always the primary use. Capability? Well, that's kind of related. It's an older term for what might now be described as an authorization that is digitally signed.
Which of the following is the LEAST important information to record when logging a security violation?
a. User’s name
c. Type of violation
d. Date and time of the violation
OK, an easy one for you today. Just remember that the user's name generally isn't known from direct evidence, but inferred from the userid.
What determines the assignment of data classifications in a mandatory access control philosophy?
a. The analysis of the users in conjunction with the audit department.
b. The assessment by the information security department.
c. The steward’s evaluation of the particular information element.
d. The requirement of the organization’s published security policy.
Reference: Computer Security Basics; Russell & Gangemi; pg 72-74
While analysis by users, the audit department, the infosec office, and possibly a steward have places or responsibilities for access control, determination is at the direction of policy.
What role does biometrics have in logical access control?
Reference: Computer Security Basics; Russell & Gangemi; pg 57-58.
OK, I know that there is going to be discussion on this one. Authorization and confirmation are out, of course, but there are instances where biometrics are going to be used for identification (sometimes paired with authentication). The principle to keep in mind here is: don't fight the exam. The point is not to prove that you can come up with a counterexample, the point is what are most security professionals going to say. And most security professionals are going to agree that the most important and significant role biometrics plays is in authentication. After all, biometrics is the "something you are" that is the third pillar of authentication besides something you know and something you have.
Which of the following procedures could BEST be utilized to validate the continued need for privileged user access to system resources?
a. Periodic review and recertification of privileged usercodes.
b. Periodic review of audit logs.
c. Revoke processes which can grant access to sensitive files.
d. Periodic review of data classifications by management.
OK, this is one case where sticking to the "management answer" heuristic will get you into trouble. The correct, and pretty complete, answer is that periodic review and recertification of privileged usercodes will verify the continued need for privileged access. Remember, the best answer is one that completely (or as completely as possible) answers the question. Option "a" does.
Review of audit logs may not indicate privileged access and doesn’t validate the need for such access. Revoking processes which can grant access to sensitive information may (probably will) be disruptive to ongoing operations.
Answer "d" looks like the management answer, but remember: review of data classifications does not address the privileges assigned to individual users, so it actually doesn't really answer the question.
What is the BEST method of storing user passwords for a system?
a. Password-protected file.
b. File restricted to one individual.
c. One-way encrypted file.
d. Two-way encrypted file.
Reference: Computer Security Basics; Russell & Gangemi; pg 65-66.
A password-protected file could leave the passwords in the file in clear text so that anyone with the password could see all users' passwords, making it impossible to hold users accountable for what happens under their ID.
The file restricted to one individual has the same problem as a.
Answer c - One-way encryption means that the password file is never decrypted, therefore, only the user knows the password (and hackers that use a dictionary attack, but nobody's perfect).
What is "two-way encryption"? As I keep telling you, just because you don't understand it doesn't mean it's the right answer!
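Added example (not from the original post): a side-by-side of "two-way" (reversible) password storage and one-way salted hashing, to show why answer c is the accountable choice. The usernames, passwords and key are constructed sample values; the XOR stream stands in for any reversible scheme.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor: each guess in a dictionary attack costs real CPU


def _xor_stream(data: bytes, key: bytes) -> bytes:
    """Toy reversible cipher standing in for any 'two-way' scheme (demo only)."""
    stream = hashlib.sha256(key).digest()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(data))


def store_two_way(password: str, key: bytes) -> bytes:
    # Whoever holds `key` (or the password of a 'password-protected file') gets
    # every user's password back, so one leak breaks accountability for all users.
    return _xor_stream(password.encode(), key)


def recover_two_way(record: bytes, key: bytes) -> str:
    return _xor_stream(record, key).decode()


def store_one_way(password: str) -> dict:
    # Per-user random salt: identical passwords hash differently and precomputed
    # tables are useless. The record can be verified but never decrypted.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_one_way(password: str, record: dict) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(record["salt"]), ITERATIONS)
    # Constant-time compare so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def demo() -> dict:
    key = b"constructed-demo-key"                                # constructed sample key
    users = {"alice": "correct horse", "bob": "correct horse"}   # constructed sample data
    two_way = {u: store_two_way(p, key) for u, p in users.items()}
    one_way = {u: store_one_way(p) for u, p in users.items()}
    return {
        # The key alone recovers every password from the two-way store.
        "recovered": {u: recover_two_way(r, key) for u, r in two_way.items()},
        # Same password, different salts -> different records in the one-way store.
        "distinct_hashes": one_way["alice"]["hash"] != one_way["bob"]["hash"],
        "alice_ok": verify_one_way("correct horse", one_way["alice"]),
        "alice_wrong": verify_one_way("Correct horse", one_way["alice"]),
    }
```

The one-way store still needs the salt and the slow KDF: without them the "dictionary attack" caveat in the answer becomes cheap.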
19. What is the purpose of a ticket-oriented security mechanism?
a. Permits the subject’s access to objects
b. Assigns access modes to objects
c. Grants subject’s discretionary control
d. Assures user access accountability
Reference: Handbook of Information Security Management; Ruthberg & Tipton; pg 538-539.
You could say that this is an example of all the answers being correct. However, the answer that most completely answers the question asked is the most correct, and therefore the answer that will get you that point. Answer a may seem a bit broad: after all, that's the purpose of any access control mechanism, and doesn't differentiate a ticket-oriented system from any other. But that's the most correct. Since no other answer (that you're given) distinguishes a ticket-oriented system from any other, "ticket-oriented" is irrelevant.
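Added example (not from the original post) covering both the ACL question above (subjects and groups listed against an object) and this ticket-oriented one: the same access decision made object-side with an ACL and subject-side with an issuer-signed ticket, the "digitally signed authorization" sense of capability. Users, groups, objects and the issuer key are constructed sample values.

```python
import hashlib
import hmac
import json

# Group membership used by the ACL side (constructed sample data).
GROUPS = {"payroll": {"alice", "bob"}}

# ACL side: each object carries its own list of subject-or-group -> allowed modes.
ACLS = {
    "salaries.xlsx": {"payroll": {"read"}, "alice": {"write"}},
    "memo.txt": {"carol": {"read"}},
}


def acl_check(subject: str, obj: str, mode: str) -> bool:
    """Object-centred decision: is the subject, or a group it belongs to, listed?"""
    principals = {subject} | {g for g, members in GROUPS.items() if subject in members}
    return any(mode in ACLS.get(obj, {}).get(p, set()) for p in principals)


# Ticket side: the subject presents a ticket naming object and modes; the issuer's
# MAC makes the ticket unforgeable, which is what lets the object trust it.
ISSUER_KEY = b"constructed-demo-key"


def issue_ticket(subject: str, obj: str, modes: set) -> tuple:
    body = json.dumps({"subject": subject, "object": obj, "modes": sorted(modes)}, sort_keys=True)
    tag = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body, tag


# Each subject's wallet of tickets (constructed sample data).
WALLETS = {
    "alice": [issue_ticket("alice", "salaries.xlsx", {"read", "write"})],
    "bob": [issue_ticket("bob", "salaries.xlsx", {"read"})],
}


def ticket_check(subject: str, obj: str, mode: str) -> bool:
    """Subject-centred decision: does the subject hold a valid ticket for this access?"""
    for body, tag in WALLETS.get(subject, []):
        expected = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            continue  # tampered or forged ticket: ignore it
        t = json.loads(body)
        if t["subject"] == subject and t["object"] == obj and mode in t["modes"]:
            return True
    return False
```

Both functions answer "permits the subject's access to objects"; what differs is where the authorization lives (with the object versus with the subject), which is why the exam answer does not depend on the word "ticket".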
Thank you @rslade for these questions. For the first time I understand why people fail this exam. I went through quite a few tests and would say that I'm well versed in taking them, but this is going to be really really difficult for me
21. Which of the following is a rule-based control mechanism?
a. Discretionary Access Control
b. Task-based Access Control
c. Subject-based Access Control
d. Token-based Access Control
Reference: Handbook of Info. Sys. Sec.; Ruthberg & Tipton; pg 517.
Answer a - some access control systems contain rules that are used to determine whether or not an individual can achieve the access requested. This is particularly true for discretionary access control. Remember your ACL (Access Control List)? A list of rules, right?
For those wanting to answer b, c, or d, remember that if you don't know what it is, that doesn't mean it's the right answer. As far as I know, none of those are actual access control systems (unless some marketing department is out there messing with things again).