CISSP Practice question #197

Disk striping needs at least how many disks?
A: 1
B: 2
C: 3
D: 4

CBK 7: Security Operations
Source: ThorTeaches.com practice tests

Answer


B: Disk striping: writing data simultaneously across multiple disks, which gives higher write speed. It uses at least 2 disks and by itself does not provide redundancy. We add parity to striping for redundancy, usually computed by XOR; if we use parity for redundancy we need at least 3 disks.


IT security trainer.
Sharing my knowledge, to help you reach your IT certification goals.
CISSP, C|EH, PMP, CCNP, CompTIA Security+, SCP, CCNA-Security, CCNA, et al.


CISSP Practice question #196

Penetration testers with full physical access to our facility have found PHI hard copies lying around. Which of our policies are our employees not following?
A: Clean desk policy.
B: BYOD policy.
C: Wireless policy.
D: Shred policy.

CBK 6: Security Assessment and Testing
Source: ThorTeaches.com practice tests

Answer


A: A clean desk policy requires employees not to leave sensitive (or any) paperwork on their desks unless they are at the desk. When they are done with the paperwork they should dispose of it; if not, they should lock it away.


My thoughts on the April 15th CISSP curriculum updates.

TL;DR: No need to buy new study materials; the changes are 1% or less, it is just a reshuffling of knowledge areas.

With the updates to the CISSP curriculum I figured I would also give my 2 cents on the updates.

The updates are mostly on the organizational side of the curriculum, and not the actual content. It is mostly renaming, reorganizing and domain weight redistribution.

As a teacher I will buy the new books as soon as they are out (they are already pre-ordered).

If I were studying for the CISSP, I probably would not buy anything to replace my old materials, the changes being 1% actual updates or less.

That really goes for any study materials: books, videos, practice tests, podcasts, anything.
If you have the 2015 versions, buying newer versions would not really help you.

I am going to update my practice tests in early May with questions from some of the actual updates (attribute-based access control, asset management, more IoT, more AI and some standards).

Previous domain name/weight, followed by the new domain name/weight:

Domain 1:
Previous: Security and Risk Management – 16%
New: Security and Risk Management – 15%
Mostly format and name changes of content. 0-1% update on actual curriculum.

Domain 2:
Previous: Asset Security – 10%
New: Asset Security – 10%
Cryptography moved to domain 3 where it should be, and smaller format and name changes of content. 0-1% update on actual curriculum.

Domain 3:
Previous: Security Engineering – 12%
New: Security Architecture and Engineering – 13%
Mostly format and name changes of content. 1-2% update on actual curriculum, mostly IoT and newer technologies, which are already on the exam, and Cryptography being moved in from other domains.

Domain 4:
Previous: Communications and Network Security – 12%
New: Communication and Network Security – 14%
Cryptography moved to domain 3 where it should be, and smaller format and name changes of content. 0-1% update on actual curriculum.

Domain 5:
Previous: Identity and Access Management – 13%
New: Identity and Access Management (IAM) – 13%
Mostly format and name changes of content. 0-1% update on actual curriculum.

Domain 6:
Previous: Security and Assessment Testing – 11%
New: Security Assessment and Testing – 12%
Mostly format and name changes of content. 0-1% update on actual curriculum.

Domain 7:
Previous: Security Operations – 16%
New: Security Operations – 13%
Mostly format and name changes of content. 0-1% update on actual curriculum.

Domain 8:
Previous: Software Development Security – 10%
New: Software Development Security – 10%
Mostly format and name changes of content. 0-1% update on actual curriculum.

If you have any questions about the upcoming changes feel free to post on this thread.

I hope I can help you get certified,

Thor


CISSP Practice question #195

Which agile software development methodology uses a master?
A: XP.
B: Scrum.
C: Spiral.
D: Sashimi.

CBK 8: Software Development Security
Source: ThorTeaches.com practice tests

Answer


B: Scrum master: facilitates the team and is accountable for removing impediments to the team's ability to deliver the product goals and deliverables. Not a traditional team lead or project manager, but acts as a buffer between the team and any distracting influences. The scrum master ensures that the Scrum framework is followed.


CISSP Practice question #194

MAC access control is based on what?
A: Labels and clearance.
B: The discretion of the object owner.
C: The job role of the user.
D: IF/THEN statements.

CBK 5: Identity and Access Management
Source: ThorTeaches.com practice tests

Answer


A: MAC (Mandatory Access Control): often used when confidentiality is most important. Access to an object is determined by labels and clearance. This is often used in the military or in organizations where confidentiality is very important.


CISSP Practice question #193

Attacks on our encryption mostly target which leg of the CIA triad?
A: Authentication.
B: Confidentiality.
C: Availability.
D: Integrity.

CBK 1: Security and Risk Management
Source: ThorTeaches.com practice tests

Answer


B: To ensure confidentiality we use encryption for data at rest (for instance AES-256 full disk encryption) and secure transport protocols for data in motion (SSL, TLS or IPsec). There are many attacks against encryption; breaking the encryption itself is done with cryptanalysis, but it is almost always easier to steal the key than to break it.


CISSP Practice question #192

What is the final stage of a penetration test?
A: Auditing.
B: Reporting.
C: Exploration.
D: Deleting log files.

CBK 6: Security Assessment and Testing
Source: ThorTeaches.com practice tests

Answer


B: Penetration testing normally has 6 phases: Planning > Reconnaissance > Scanning (enumeration) > Vulnerability assessment > Exploitation > Reporting. In a real attack the 6th phase would instead be deleting logs/evidence and installing backdoors.


CISSP Practice question #191

Relational databases use:
A: A hierarchy model.
B: An object model.
C: Star schema model.
D: Tables with rows and columns.

CBK 8: Software Development Security
Source: ThorTeaches.com practice tests

Answer


D: Relational model: organizes data into one or more tables (or relations) of columns and rows, with a unique key identifying each row. Rows are also called records or tuples. Generally, each table/relation represents one entity type. The rows represent instances of that type of entity, and the columns represent values attributed to that instance.


CISSP Practice question #190

When a system has been certified, what does that mean?
A: It has met the data owner's security requirements.
B: It has met the data steward's security requirements.
C: The data owner has accepted the certification and the residual risk, which is required before the system is put into production.
D: The data steward has accepted the certification and the residual risk, which is required before the system is put into production.

CBK 2: Asset Security
Source: ThorTeaches.com practice tests

Answer


A: Certification means a system has been evaluated and found to meet the security requirements of the data owner. Certification considers the system, the security measures taken to protect the system, and the residual risk represented by the system.


CISSP Practice question #189

When a pen tester tries to gain access to our facility by looking for an open door or window, which type of access control is she testing?
A: Administrative.
B: Technical.
C: Physical.
D: Detective.

CBK 6: Security Assessment and Testing
Source: ThorTeaches.com practice tests

Answer


C: Physical Controls: Locks, fences, guards, dogs, gates, bollards, doors, windows, etc.
