CISSP PRACTICE QUESTIONS – 20210114

Effective CISSP Questions

According to Martin Fowler, a maturity model is a tool that helps people assess the current effectiveness of a person or group and supports figuring out what capabilities they need to acquire next in order to improve their performance. Which of the following is an open-source maturity model to help organizations assess, formulate, and implement a software security strategy that can be integrated into their existing Software Development Lifecycle (SDLC)?
A. Software Assurance Maturity Model (SAMM)
B. Capability Maturity Model Integration (CMMI)
C. Cybersecurity Maturity Model Certification (CMMC)
D. Systems Security Engineering Capability Maturity Model (SSE-CMM)

Continue reading

CISSP PRACTICE QUESTIONS – 20210113

Effective CISSP Questions

A client sent a Kerberos authentication request to the authentication server (AS) and received a response with an encrypted part containing the session key and ticket-granting ticket (TGT). Which of the following should the client use to decrypt the ciphertext?
A. The client’s secret key
B. The client’s private key
C. The authentication server’s public key
D. The session key shared by the client and the ticket-granting server (TGS)

Continue reading

ISC2 Remote Testing: Safety, Growth, Integrity, and Tradeoff

I believe ISC2's decision to offer remote testing surprised the community. I respect their final decision, but I hope our concerns and voices will be heard.

Capacity or Safety

Human life always takes priority over any other matter. I assume remote testing was introduced because of limited or insufficient test-center capacity, or because of safety concerns about the test centers. Isn't that so?

If test centers are not safe during the pandemic, they should be shut down completely. If some test centers can stay open, the safety issue is addressable. So I believe remote testing comes in to compensate for insufficient capacity. However, in the past six months the number of CISSPs has grown by more than it did in the prior 18 months.

The Growth of CISSP in the Past 6 Months

  • The number of CISSPs increased by 6,016, from 141,607 to 147,623, in the 6 months from 1-Jul-20 to 1-Jan-21, at the height of the pandemic.
  • The number of CISSPs increased by only 5,179, from 136,428 to 141,607, in the 18 months from 31-Dec-18 to 1-Jul-20.

People Safety, ISC2 Growth, Exam Integrity, and Tradeoff

We still have some "safe" test centers available, and the number of CISSPs keeps growing (by 6,016 in the past 6 months) without remote testing, even during the pandemic. Remote testing undoubtedly boosts the growth of ISC2 membership, but it comes at the price of potentially losing exam integrity and the long-term credibility of ISC2 credentials.

The “Exams in Test Centers Only” Strategy

Even though more and more certification bodies have implemented remote testing, it is, in my view, an opportunity for ISC2 to distinguish itself from the competition by insisting on a strategy of "exams in test centers only." At the same time, that strategy maintains the high standard, exam integrity, and credibility of its credentials.

Do It Differently

I hope ISC2 remains unique and competitive in the certification market, but remote testing would make it an average player. If remote testing is an unchangeable decision, I hope ISC2 implements it more rigorously than anyone else and does it differently.

Continue reading

CISSP PRACTICE QUESTIONS – 20210112

Effective CISSP Questions

A client is authenticating to an identity provider (IdP). Which of the following is the least feasible authenticator or authentication mechanism?
A. A password transmitted in clear text
B. A timestamp encrypted by the hash of the password
C. A nonce from the IdP encrypted by the subject’s private key
D. An attribute sent over TLS/SSL that uniquely identifies the subject

Continue reading

CISSP PRACTICE QUESTIONS – 20210111

Effective CISSP Questions

A software development team is concerned with the integrity of the access token received from the web site after users log in. Which of the following is least likely considered?
A. Has the access token been altered?
B. Is the web site the genuine origin of the access token?
C. Does the web site sign the access token?
D. Is the access token lost in transit?
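The three integrity questions the question asks about (was the token altered, did the web site really issue it, is it signed at all) are exactly what a verifier of a signed access token has to check. The following is an added example written for this page, not code from the original post or from any particular product: a minimal JWS (HS256) signer and verifier in Python's standard library. The issuer URL, signing key and claims are constructed for the example; a real deployment would use a maintained JOSE library and, for tokens verified by third parties, an asymmetric algorithm.

```python
"""Checking an access token's integrity and origin: a minimal HS256 JWS verifier.

Constructed example for illustration; names, keys and tokens here are made up.
"""
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    # Re-add the padding JWS strips before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, key: bytes) -> str:
    """Issuer side: HMAC-SHA256 over base64url(header).base64url(payload)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_token(token: str, key: bytes, issuer: str, now: int) -> dict:
    """Consumer side. Answers, in order: is it signed the way we expect, was it altered,
    and did the expected origin mint it. Raises ValueError with the reason otherwise."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm on the verifier side; never let the token's own header choose it
    # (an "alg": "none" header must not switch the signature check off).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("signature mismatch: token altered or not signed with our key")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("wrong origin: issuer claim does not match")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def rejection_reason(token: str, key: bytes, issuer: str, now: int):
    """None if the token verifies, otherwise the reason it was rejected."""
    try:
        verify_token(token, key, issuer, now)
        return None
    except ValueError as exc:
        return str(exc)
```

The signature check covers alteration and, because only the issuer holds the key, origin; the issuer claim check catches a validly signed token minted by a different tenant or environment that happens to share the key. Loss in transit (option D) is a delivery problem the signature cannot detect, which is why a verifier has nothing to check for it.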

Continue reading

CISSP PRACTICE QUESTIONS – 20210109

Effective CISSP Questions

A client submits a user's identity in clear text, along with a timestamp encrypted with the hash of the user's password, to the Kerberos Authentication Server. The Kerberos message is encapsulated as KRB_AS_REQ. Which of the following best describes the purpose of the process?
A. Identification
B. Authentication
C. Pre-authentication
D. The TGT (Ticket-granting ticket)
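The exchange this question and the 20210113 question above describe (the client sends its identity in the clear with an encrypted timestamp; the AS answers with an encrypted part holding the session key and a TGT; the client decrypts that part with its own long-term key) can be traced end to end in code. The following is an added example written for this page, not code from the original post or from any Kerberos implementation: a toy Kerberos AS exchange in Python's standard library. The string-to-key derivation follows the shape of the AES enctypes (PBKDF2-HMAC-SHA1 salted with REALM+principal), but the cipher is an HMAC keystream with an HMAC tag standing in for AES-CTS-HMAC, messages are JSON rather than ASN.1, and the realm, principal names, passwords and function names are all this example's own.

```python
"""Toy Kerberos AS exchange with PA-ENC-TIMESTAMP pre-authentication.

Constructed example: the cipher below is an HMAC-SHA256 keystream plus an HMAC tag
standing in for a Kerberos AES enctype, and the message layout is JSON, not ASN.1.
"""
import hashlib
import hmac
import json
import os
import time

CLOCK_SKEW = 300  # seconds; the customary Kerberos maximum clock skew


def string_to_key(password: str, realm: str, principal: str) -> bytes:
    """Long-term key from the password (AES enctypes: PBKDF2-HMAC-SHA1, salt REALM+principal).
    Only the client (from the password) and the KDC (from its database) hold this key."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), (realm + principal).encode(), 4096, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stand-in for a block cipher keystream: HMAC-SHA256 in counter mode."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object: nonce || ciphertext || tag (plays the role of EncryptedData)."""
    plaintext = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> dict:
    """Check the tag first: a wrong key or a tampered blob fails here instead of yielding garbage."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or altered message")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))


def try_decrypt(key: bytes, blob: bytes):
    """decrypt(), but returns None instead of raising."""
    try:
        return decrypt(key, blob)
    except ValueError:
        return None


def client_build_as_req(principal: str, realm: str, password: str, now: int) -> dict:
    """KRB_AS_REQ: principal name in the clear plus PA-ENC-TIMESTAMP pre-authentication data."""
    key = string_to_key(password, realm, principal)
    return {"cname": principal, "realm": realm, "padata": encrypt(key, {"patimestamp": now}).hex()}


def kdc_handle_as_req(req: dict, kdb: dict, tgs_key: bytes, now: int) -> dict:
    """KRB_AS_REP, or a KRB_ERROR. kdb maps principal -> the KDC's copy of the long-term key."""
    client_key = kdb.get(req["cname"])
    if client_key is None:
        return {"error": "KDC_ERR_C_PRINCIPAL_UNKNOWN"}
    try:
        ts = decrypt(client_key, bytes.fromhex(req["padata"]))["patimestamp"]
    except ValueError:
        return {"error": "KDC_ERR_PREAUTH_FAILED"}  # caller did not prove knowledge of the key
    if abs(ts - now) > CLOCK_SKEW:
        return {"error": "KRB_AP_ERR_SKEW"}  # stale or replayed timestamp
    session_key = os.urandom(32).hex()
    endtime = now + 10 * 3600
    # The TGT is sealed under the TGS's key: the client carries it but cannot read it.
    tgt = encrypt(tgs_key, {"cname": req["cname"], "key": session_key, "endtime": endtime})
    # The enc-part is sealed under the client's long-term key, which is what the client decrypts.
    enc_part = encrypt(client_key, {"key": session_key, "sname": "krbtgt/" + req["realm"], "endtime": endtime})
    return {"cname": req["cname"], "ticket": tgt.hex(), "enc-part": enc_part.hex()}


def client_handle_as_rep(rep: dict, principal: str, realm: str, password: str) -> bytes:
    """The client recovers the client/TGS session key with its own long-term key."""
    if "error" in rep:
        raise PermissionError(rep["error"])
    key = string_to_key(password, realm, principal)
    return bytes.fromhex(decrypt(key, bytes.fromhex(rep["enc-part"]))["key"])


def as_exchange(principal: str, realm: str, password: str, kdb: dict, tgs_key: bytes, now=None) -> bytes:
    """Full round trip: KRB_AS_REQ -> KDC -> KRB_AS_REP -> session key on the client."""
    now = int(time.time()) if now is None else now
    rep = kdc_handle_as_req(client_build_as_req(principal, realm, password, now), kdb, tgs_key, now)
    return client_handle_as_rep(rep, principal, realm, password)
```

Two points the questions turn on are visible in the code: the AS-REP's enc-part is opened with the client's long-term (password-derived) key, not a private key or a TGS session key, and the encrypted timestamp is what lets the KDC refuse to issue an AS-REP to a caller who cannot already prove knowledge of that key. Without pre-authentication an unauthenticated party could request an AS-REP for any principal and guess the password offline against its enc-part.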

Continue reading

CISSP PRACTICE QUESTIONS – 20210108

Effective CISSP Questions

A session is a temporary logical connection between two end-user application processes for message exchange. Which of the following statements about the session is not true?
A. The session layer in the ISO OSI model maps to the application layer in TCP/IP.
B. The establishment of a session is independent of underlying transports.
C. The RESTful-style architecture prescribes how a session is managed.
D. A session can maintain state information even if the transport is connectionless.

Continue reading