Rob Slade on CISSP Questions

Image Source: Kaplan Finance

Rob Slade posted an article, “CISSP questions”, and started the thread on 02-03-2019 at 02:44 PM in the (ISC)² Community forum, under Certification > Exams.

I found the following discussion valuable:

  • You will notice a reference. Every exam question is (or was) backed up by at least two references from source security literature. Note that CISSP study guides are not source security literature.
  • If you are confronted with four “right” answers, and one of them is the “management” answer, that one is probably the one that will get you the point.
  • Actually, a good way to study is to try and *write* questions. That gets you into the mindset of the exam itself.
  • Remember Bloom’s Taxonomy: simple facts, synthesis of two or more facts, analysis of the implications of two or more facts, and, most importantly, questions requiring judgment and critical thinking.
  • What Rob is doing here is similar to what we know about the (ISC)² test development process. The difference being that Rob follows up by explaining the thought process behind the answer, whereas (ISC)²’s next step is to use the question on actual exams, with zero-weighting until the answer is “proven” good, bad or indifferent. (denbesten)
  • It is not about building a “brain dump” of actual questions… It’s learning to get inside the head of the test-writers, understanding how/why the questions were written and selecting the answer that matches their way of thinking. (denbesten)
  • The last time I attended an item-writing workshop, we not only had to provide the reference, but we also had to write a justification for the correct answer and why the wrong answers were wrong. So a lot of thought goes into questions. (Diana)
  • At the same time, I think that, as an example, it does emphasize two important points:
    1) the importance of the “management” answer, and
    2) read the question carefully!
  • This also serves as an example of why psycho-analytics are performed on the exam. Over time, (ISC)² deletes questions which are regularly answered incorrectly by those who pass. So, if most people disagree with “D”, the question will eventually get kicked out, regardless of whether D is right or wrong.
    Although this may seem like a harmful practice of “live patient trials”, there are two mitigating factors. First, new questions are not graded until they have passed muster, and second, if you truly deserve the certificate (know your stuff, exceed the experience requirements and are able to “think like a manager”) you will easily be able to afford a few “unjust” hits. (denbesten)
  • Actually, they really resist a question getting kicked out, as in eliminated. I just participated in something ISC2 tried for the first time, and that is a CISSP item rework workshop. We got questions “kicked back” to rework to address some defect that statistics showed as a poor performer. There were many scenarios the questions fell in, and although I thought it would be easier than writing original content, it was not. There were a few that were so easy they were not salvageable; in my opinion, anyone subject to a good security awareness program could answer the question, and thus I recommended tossing it. It was another great learning experience for me provided by ISC2. (TXWayne)
  • The fascinating part to me is that although citations and references are important to the question development process, it is group consensus that ultimately determines the correct answer. Over time, this eliminates the problem of faulty references. (denbesten)
  • You have to ensure that:
    1. You have a good understanding of the foundational concepts that the domains cover.
    2. You are able to relate these concepts to situations in the real world.
    3. You can use your experience to determine the best options based on circumstances. (Shannon)

Questions Posted

  1. Which of the following is a key element during the initial security planning process?
    a. Establish system review time frames
    b. Implement a security awareness program
    c. Defining reporting relationships
    d. Institute a change management program
    Answer: c
    Reference: Handbook of Information Security Management, edited by Ruthberg and Tipton, Auerbach, 1993, pg 75
  2. Which of the following is NOT an element of a security planning mission statement?
    a. Objectives statement
    b. Background statement
    c. Scope statement
    d. Confidentiality statement
    Answer: d
    Reference: Handbook of Information Security Management, edited by Ruthberg and Tipton, Auerbach, 1993, page 73
  3. In data processing systems, the value analysis should be performed in terms of which three properties?
    a. Profit, loss, ROI
    b. Intentional, accidental, natural disaster
    c. Assets, personnel, services provided
    d. Availability, integrity, confidentiality
    Answer: d.
    Reference: Information Systems Security; Fites & Kratz; Thompson Press; 1996; pg 54.
  4. Which of the following techniques MOST clearly indicates whether specific risk reduction controls should be implemented?
    a. Threat and vulnerability analysis.
    b. Risk evaluation.
    c. ALE calculation.
    d. Countermeasure cost/benefit analysis.
    Answer: d.
    Reference: Computer Security Handbook (3rd edition) Hutt, Boswirth, Hoyt; pg 3.3.
  5. Prior to implementation, a complete description of an operational security issue should specify threat, vulnerability, and
    a. safeguard.
    b. asset.
    c. exposure.
    d. control.
    Answer: b.
    Reference: Fitzgerald, Jerry, Internal Controls for Computerized Systems, 1978, pg 7
  6. What step can a company take to reduce the risk of its employees violating software copyright laws?
    a. Remove copy programs from personal computers.
    b. Install application licensing meters to prevent an excess of users for each license.
    c. Establish a company policy prohibiting the unauthorized duplicating of software.
    d. Prohibit the use of software on multiple computers.
    Answer: c.
  7. Who is ultimately responsible to ensure that information is categorized and that specific protective measures are taken?
    a. Security Officer
    b. Senior Management
    c. Data Owner
    d. Custodian
    Answer: b.
    Reference: Commonsense Computer Security; Martin Smith; 1993; pg 63.
  8. Which one of the following is NOT a goal of the change control management process?
    a. Ensure changes are authorized.
    b. Ensure coherence of changes.
    c. Ensure changes are documented.
    d. Ensure correctness of changes.
    Answer: b
    Reference: Fites and Kratz, Information Systems Security: A Practitioner’s Reference, International Thompson Computer Press, 1996, pg 321
  9. Which of the following actions should management take when classified information must be made available to different user populations?
    a. Increase security controls on the information.
    b. Raise the classification label to the next highest level.
    c. Disburse the information to multiple local area network servers.
    d. Require specific approval each time the information is accessed.
    Answer: a
  10. The PRIMARY difference between the TCSEC and ITSEC data classifications is:
    a. ITSEC classifications are based on integrity
    b. TCSEC classifications are based on government requirements
    c. ITSEC classifications are based on international requirements
    d. TCSEC classifications are based on mandatory requirements
    Answer: a
  11. What is the PRIMARY use of a password?
    a. Allow access to files.
    b. Identify the user.
    c. Authenticate the user.
    d. Segregate various users’ accesses.
    Answer: c.
    Reference: Info Systems Security; Fites & Kratz; pg 4; 1.2.4
  12. An Access Control List (ACL) represents a set of subjects by using which of the following constructs?
    a. Group
    b. Capability
    c. Key
    d. Domain
    Answer: a.
    Reference: Fites & Kratz, pg 149
  13. Which of the following is the LEAST important information to record when logging a security violation?
    a. User’s name
    b. Userid
    c. Type of violation
    d. Date and time of the violation
    Answer: a
  14. What determines the assignment of data classifications in a mandatory access control philosophy?
    a. The analysis of the users in conjunction with the audit department.
    b. The assessment by the information security department.
    c. The steward’s evaluation of the particular information element.
    d. The requirement of the organization’s published security policy.
    Answer: d.
    Reference: Computer Security Basics; Russell & Gangemi; pg 72-74
  15. What role does biometrics have in logical access control?
    a. Identification
    b. Authorization
    c. Authentication
    d. Confirmation
    Answer: c.
    Reference: Computer Security Basics; Russell & Gangemi; pg 57-58.
  16. Which of the following procedures could BEST be utilized to validate the continued need for privileged user access to system resources?
    a. Periodic review and recertification of privileged usercodes.
    b. Periodic review of audit logs.
    c. Revoke processes which can grant access to sensitive files.
    d. Periodic review of data classifications by management.
    Answer: a.
  17. What is the BEST method of storing user passwords for a system?
    a. Password-protected file.
    b. File restricted to one individual.
    c. One-way encrypted file.
    d. Two-way encrypted file.
    Answer: c.
    Reference: Computer Security Basics; Russell & Gangemi; pg 65-66.
  18. What is the purpose of a ticket-oriented security mechanism?
    a. Permits the subject’s access to objects
    b. Assigns access modes to objects
    c. Grants subject’s discretionary control
    d. Assures user access accountability
    Answer: a.
    Reference: Handbook of Information Security Management; Ruthberg & Tipton; pg 538-539.
  19. Which of the following is a rule-based control mechanism?
    a. Discretionary Access Control
    b. Task-based Access Control
    c. Subject-based Access Control
    d. Token-based Access Control
    Answer: a.
    Reference: Handbook of Info. Sys. Sec.; Ruthberg & Tipton; pg 517.
  20. Remote access using a one-time password scheme is most closely associated with which of the following?
    a. Something you are
    b. Something you have
    c. Something you calculate
    d. Something you know
    Answer: b.
    Reference: Handbook of Info. Sec. Mgmt; Krause & Tipton; 1998; pg 682-683.
  21. The type of penetration testing used to discover whether numerous usercode/password combinations can be attempted without detection is called
    a. keystroke capturing
    b. access validation testing
    c. brute force testing
    d. accountability testing
    Answer: c.
    Reference: Intrusion Detection; Terry Escamilla; pg 44-47.
  22. Which of the following security principles are supported by role-based access control?
    a. Discretionary access control, confidentiality, and non-repudiation
    b. Mandatory access control, auditing, and integrity
    c. Least privilege, separation of duties, and discretionary access control
    d. Least privilege, mandatory access control, and data sensitivity
    Answer: c.
    Reference: Handbook of Info. Sec. Mgmt.; edited by Krause & Tipton, Auerbach. 1998. Pg 606-607, 622.
  23. The act of validating a user with a unique identifier is called
    a. identification
    b. authorization
    c. authentication
    d. registration
    Answer: c.
    Reference: Gasser, Morrie, Building a Secure Computer System, New York: Nostrand Reinhold, 1988, pg 23
  24. Which type of access control allows users to specify who can access their files?
    a. Mandatory
    b. Discretionary
    c. Relational
    d. Administrative
    Answer: b.
    Reference: Gasser, Morrie, Building a Secure Computer System, New York: Nostrand Reinhold, 1988, pg 55
  25. Which of the following results would NOT routinely be expected from a penetration test?
    a. Specifics on how the testing team obtained the information that allowed them to infiltrate a protected system.
    b. A description of the company’s vulnerabilities
    c. A risk analysis showing the extent to which a company is at risk within each exposure
    d. Evidence of destruction of any data obtained but not delivered
    Answer: c
  26. Which one of the following is the key element when performing a penetration test?
    a. The tester should have the same access constraints as a normal user.
    b. The tester should have access to the system source code.
    c. The tester should have access to network diagrams.
    d. The tester should have access to vendor manuals and system documentation.
    Answer: a.
    Reference: Network Security (Voice & Data Comm.), Simmons; ISBN 0-07-057634-3, pg 371
  27. What type of attack often tries all possible solutions?
    a. Trojan horse
    b. Trap door
    c. Clone
    d. Brute force
    Answer: d.
    Reference: Handbook of Info. Sec. Mgmt; Auerbach; Tipton & Krause; 1998; pg 406.
  28. Which of the following defines a denial of service attack?
    a. An action that prevents a system from functioning in accordance with its intended purpose.
    b. An action that allows unauthorized users to access some of the computing services available.
    c. An action that allows a hacker to compromise system information.
    d. An action that allows authorized users to access some of the computing services available.
    Answer: a.
    Reference: Information Systems Security: A Practitioner’s Reference; Fites & Kratz; Thomson Computer Press; 1996; pg 437-438.
  29. What type of attack is eavesdropping?
    a. Active
    b. Passive
    c. Aggressive
    d. Masquerading
    Answer: b.
    Reference: Information Systems Security; Fites & Kratz; pg 439.
  30. Which of the following security controls might force an operator into collusion with personnel assigned organizationally within a different function in order to gain access to unauthorized data?
    a. Limiting the local access of operations personnel
    b. Job rotation of operations personnel
    c. Management monitoring of audit logs
    d. Enforcing regular password changes
    Answer: a.
  31. The concept of “Least Privilege” involves
    a. individual accountability.
    b. access authentication.
    c. authorization levels.
    d. audit mechanisms.
    Answer: c
    Reference: Helsing, Swanson, and Todd, Management Guide to the Protection of Information Resources, NIST Special Publication 500-170, 1989, pg.6
  32. From an operations security standpoint, which one of the following dial-in access configurations is best?
    a. Force the port to log out when the modem loses carrier.
    b. Disable the port when the modem disconnects.
    c. Reset the modem when the phone line disconnects.
    d. Force a modem reset when the DTR line transitions.
    Answer: a
    Reference: Fites & Kratz, Information Systems Security: A Practitioner’s Reference; International Thomson Computer Press; 1996; pg 385.
  33. Which one of the following would NOT be considered a media control task?
    a. Decompressing the storage medium.
    b. Storing on-site backups in a protected area.
    c. Maintaining a control log noting all media entries, removals, and returns.
    d. Erasing volumes at the end of their retention period.
    Answer: a
    Reference: Rita Summers, “Secure Computing: Threats and Safeguards”; McGraw-Hill; 1997; pg 585.
  34. In what way can violation clipping levels assist in violation tracking and analysis?
    a. Clipping levels set a baseline for normal user errors, and violations exceeding that threshold will be recorded for analysis of why the violations occurred.
    b. Clipping levels enable a security administrator to customize the audit trail to record only those violations which are deemed to be security relevant.
    c. Clipping levels enable the security administrator to customize the audit trail to record only actions for users with access to usercodes with a privileged status.
    d. Clipping levels enable a security administrator to view all reductions in security levels which have been made to usercodes which have incurred violations.
    Answer: a
  35. Which of the following is permitted by an adequate separation of duties in a mainframe computer environment?
    a. Computer users may reconcile control totals.
    b. Computer users may access the system files.
    c. Programmers may change production data.
    d. Programmers may initiate transactions.
    Answer: a
  36. Why are user IDs critical in the review of audit trails?
    a. they show which files were altered.
    b. they establish individual accountability.
    c. they cannot be easily altered.
    d. they trigger corrective controls.
    Answer: b
    Reference: Fites and Kratz, Information Systems Security: A Practitioner’s Reference, International Thomson Computer Press, 1996, pg 127.
  37. At what stage of the applications development process should the security department become involved?
    a. Prior to the implementation
    b. Prior to systems testing
    c. During unit testing
    d. During requirements development
    Answer: d.
    Reference: Secure Computing(Threats & Safeguards); R. Summers; McGraw-Hill; 1997; pg 250.
  38. System Development Controls are based on
    a. a detailed set of business objectives.
    b. a logical design for security testing.
    c. an auditor designated review process.
    d. a standard methodology for project performance.
    Answer: d.
    Reference: Caelli, Longley, and Shain, Information Security Handbook, Stockton Press, 1991, pg 244


