Re: CISSP OSG Online Quiz Comment


CCCure Support

Dec 14, 2016, 5:54:41 PM
to CISSPtalks
Good day to all,

The list has been fairly quiet.  I have a question for you.   You will see the answer further down below.

However, try to solve it first before looking at the answer.

I received an inquiry from one of my quiz users. See below:

Question: An IS auditor should know information about different network transmission media. Which of the following transmission media is used for short distance transmission?

a.  Fiber Optics      b.  Copper Wire      c.   HF Radio link      d.   Satellite radio link
 

The user comment was:
 
Comment:
Hello, nothing in the question can make us differentiate between the radio frequency link and the copper cable !!! at all. How can we decide if both of them are used for short distance ????
-----------------------------


Which of the choices is the best answer? See the answer further below.

Best regards

Clement












The correct answer is: Copper Cable

Copper cable is very simple to install and easy to tap. It is used mostly for short distance and supports voice and data.

The keyword within the question is "media".

Network media is the actual path over which an electrical signal travels as it moves from one component to another. The common types of network media include twisted-pair cable, coaxial cable, fiber-optic cable, and wireless.

Kevin Jimenez

Dec 14, 2016, 6:34:22 PM
to cissp...@googlegroups.com
Copper was my choice.

Fiber is used mainly for long distances; radio I don't even know about, but it is not used much for data I think; and satellite is definitely not for short distances.

The only one I hesitated on was radio, since I don't know what it's used for, but I still inclined more to copper.


--
===========================================================
Another resource brought to you by CCCure for our Learners
 
Having any issues, contact us at: sup...@cccure.com
 
Visit our quiz at: https://www.freepracticetests.org
 
Visit our learning portal at: https://cccure.training
 
Visit the CCCure Web Store at: https://www.cccure.com
===========================================================
---
You received this message because you are subscribed to the Google Groups "CISSP Study Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cissptalks+unsubscribe@googlegroups.com.
To post to this group, send email to cissp...@googlegroups.com.
Visit this group at https://groups.google.com/group/cissptalks.
To view this discussion on the web visit https://groups.google.com/d/msgid/cissptalks/CAA3tmKsJ58f%3DXrPsWdwYXT%2BFJT9RQRHYy4sLY4rrfUYK0SH0gA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Clement Dupuis

Dec 14, 2016, 9:02:25 PM
to cissp...@googlegroups.com
Good thinking and elimination,

Radio and Satellite signals are over the air and not over physical media.

Best regards

Clement


---------------------------------------------------------------------------------------------

Clement Dupuis, CD
CCCure Owner and Founder
Chief Learning Officer (CLO) and Security Evangelist
The CCCure Family of Portals
GCFW, GCIA, Security+ 301, CEH V7, CCSA, CCSE,  + 12 others


For support or queries send an email to:  Sup...@CCCure.Com

----------------------------------------------------------------------------------------------
Maintainer of :

The CCCure Learning Portal  -  Find the best Security Tutorials

The CCCure Quiz Engine
 
Knowledge sharing and giving back to the community


Evros Nireas

Dec 15, 2016, 2:45:27 AM
to cissp...@googlegroups.com
I also picked the "C" :)

Thank you for the explanation.

JH2015

Dec 15, 2016, 3:42:16 AM
to cissp...@googlegroups.com
"C" for me also.

Thank you.

CCCure Support

Dec 20, 2016, 6:39:48 PM
to CISSPtalks
Good day Brian,

This is a great question and I have decided to include my mailing list as well so they can benefit from the answer.

The fact that a word could not be found doing a search within the digital version of the 7th Edition or the 4th edition book does not necessarily mean it cannot be on the exam.  That would be a serious mistake to make.

In fact, it has been reported that questions on the exam do not use word-for-word extracts from the official study book. They tend to use synonyms, and they always test how you apply your knowledge.

The 7th Edition book is only one reference out of more than 200 different references used within the CBK.   The exhaustive list of references is a document called the Candidate Information Bulletin or the CIB.   Add on top of this the five years of experience required where you may get questions that are not in any of the references but anyone with five years of experience would know.

When you have two words that are synonymous, they will never be presented at the same time within the same question as the correct answer.    However, the opposite may be true,  where you may have a question on cryptography and two of the choices are Symmetric Cipher and Secret Key cipher.   Knowing they are both synonymous you can eliminate them right away. 

Comment I have received from one of my students below:


Quiz Question number: 1883

Question: Steven, who is one of the experts on your security testing team, has been tasked to validate the physical security of CCCure. Steven did some research on the target company and decided that the best way to compromise physical security would be to gain entry to the building by following someone who has legitimate access (using their credential) and then gain access to the target area. What would you call such an attack?


Comment:
Tailgating is obviously the only option that makes any sense here, but nowhere in any of the study guides or CISSP CBK documentation have I ever seen it referred to as "tailgating". It's ONLY ever referred to as "piggybacking". See (ISC)2 Official Study Guide Seventh Edition (Stewart, Chapple, Gibson) page 398; Chapter 10: Physical Security Requirements - Access Abuses. So riddle me this Batman, if "piggybacking" and "tailgating" were BOTH listed as options here, which one would be the *most* correct in THAT case?


Best regards to all

Clement



CCCure Support

Dec 21, 2016, 8:25:13 AM
to CISSPtalks
Good morning Roshad,

Thanks for your feedback; your question is a great one, covering important topics to understand for the exam. This is why I have included my mailing list in this reply.

I must say that Gibson is definitely WRONG in the way he explained Due Care and Due Diligence in the 7th Edition book. It is not the first time and probably not the last. A few users have reported errors within the book. Any large book of this size will have some.

Question #1100 that you reference below has the proper definition of both terms, explained in simple terms. The 4th Edition Official CISSP study book from ISC2 also agrees with the definition used within the quiz engine, as do the Eric Conrad book, the Shon Harris book, and many others.

Due Diligence is what I like to map to Do Detect. During Due Diligence you use best practices, consensus of experts, ISO standards, etc. to identify possible risks that could affect your company.

Due Care is what I like to map to Do Correct. During Due Care you deploy countermeasures, safeguards, and controls to address the risks identified during Due Diligence, and you bring them down to an acceptable level before your company assets could be affected or damaged.

Here is an extract from the 4th Edition Official CISSP study book from ISC2:

Due Care

Due care is an important topic for the information security professional to understand. It is primarily a legal term used to describe the care a “reasonable person” would exercise under given circumstances. In other words, it is used to also describe what an individual’s or organization’s legal duty is considered to be. The lack of due care is often considered negligence, and in most countries, it is actionable under law. If an organization is legally mandated to comply with regulations or information security requirements, knowingly or unknowingly neglecting those requirements could lead to legal exposure from a due care perspective.

Due Diligence


Due diligence is similar to due care with the exception that it is a preemptive measure made to avoid harm to other persons or their property. If performed correctly, due diligence leads to due care when needed and avoids other situations where due care may need to be exercised. Due diligence is a practice that should be adopted by information security professionals as a core tenet of their career. Examples of due diligence in an organization include but are not limited to:
Background checks of employees
Credit checks of business partners
Information system security assessments
Risk assessments of physical security systems
Penetration tests of firewalls
Contingency testing of backup systems
Threat intelligence services being used to check on the availability of company Intellectual Property (IP) posted to public forums and in the cloud

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) (p. 33). CRC Press. Kindle Edition.

Best regards

Clement


ROSHAD HERE IS THE INFO ABOUT OUR MAILING LIST:

Our mailing list name is:  CISSPtalks

To SUBSCRIBE to our Mailing List you can send an email to:  cissptalks...@googlegroups.com

You can visit the group online at:  http://groups.google.com/group/cissptalks.

Members can post messages to the list using the email address:  cissp...@googlegroups.com




From: Roshad 

Question number: 1100

Question: When attempting to establish Liability,  which of the following would be described as performing the ongoing maintenance necessary to keep something in proper working order, updated, effective, or to abide by what is commonly expected in a situation?

Comment:
Darril Gibson has this information listed the exact opposite way. How does one determine which is correct? "Due care is using reasonable care to protect the interests of an organization. Due diligence is practicing the activities that maintain the due care effort. For example, due care is developing a formalized security structure containing a security policy, standards, baselines, guidelines, and procedures. Due diligence is the continued application of this security structure onto the IT infrastructure of an organization. Operational security is the ongoing maintenance of continued due care and due diligence by all responsible parties within an organization." In the above example, due care is implementing the control while diligence is maintaining due care.

CCCure Support

Dec 21, 2016, 3:37:28 PM
to CISSPtalks
Good day to all,

I have received some feedback on a question talking about scripts and WHY they should be stored in a secured area. I have revised both the question and the explanations; see a copy further down below.

First you must realize that a script can be used for different purposes. It could be for daily tasks that an operator has automated through a script, which would be a good thing. But it can also be used for other security tasks, such as an in-house Single Sign-On (SSO) system. So the question below makes a lot of sense if you are aware of the different usages of scripts.
 
SEE BELOW THE COMMENT I HAVE RECEIVED FROM ABDULLA:
 
From: abdulla

Question number: 1433

Question: Why should batch files and scripts be stored in a protected area?

Comment:
Hello. If we consider the perspective of security in this question and best practice: as best practice we can't hard-code the credentials in the code. So the choice of having credentials in the code should be skipped. The other choices make more sense, so "it should be protected because it can't be accessed by users" makes more sense. This is my opinion and how I read the question.

The question is:  why should batch files and scripts be stored in a protected area?

The correct answer is: Because they may contain credentials.

Because scripts contain credentials, they must be stored in a protected area and the transmission of the scripts over a network must be dealt with carefully.

Scripted access or logon scripts establish communication links by providing an automated process to transmit logon credentials at the start of a logon session. Scripted access can often simulate SSO even though the environment still requires a unique authentication process to connect to each server or resource. Scripts can be used to implement SSO in environments where true SSO technologies are not available. Scripts and batch files should be stored in a protected area because they usually contain access credentials in clear text.

The fourth edition book says the following about script-based SSO, usually built in-house:

Further, the security practitioner needs to be aware of the potential security implications of allowing this kind of development to take place. The need to observe secure development practices has to be enforced. In addition, there is the possibility that Script-based SSO solutions can be implemented in an insecure fashion if care is not taken. As a result, they may allow for credential transmission or storage using insecure methods and mechanisms, potentially allowing for the confidentiality and integrity of the credentials to be compromised.


The following are incorrect answers:

Operators might need access to batch files and scripts to do their daily tasks or to authenticate to a service or system. So it is not always a bad thing to have an operator accessing a script or batch file.

The least privilege concept requires that each subject in a system be granted the most restrictive set of privileges needed for the performance of authorized tasks. This is also a good thing and not something that is a security issue.

The need-to-know principle requires a user having necessity for access to, knowledge of, or possession of specific information required to perform official tasks or services. That's another key principle in security and when applied properly it is a good thing.


The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press), Page 665

Stewart, James M.; Chapple, Mike; Gibson, Darril. CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, seventh edition (Kindle Locations 15523-15526).

ABDULLA:

This is a great question; I invite you to submit them to our mailing list in the future. This way others can benefit from the answers, and other students can chip in and give you more than one answer as well.

Please see below instructions on how to join and participate in our CISSP Study Mailing List.
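The corrected answer above rests on one point: logon and batch scripts often carry credentials in clear text, so the files themselves need restricted storage. As an added example (not code from the quiz engine or from the referenced books), the Python below scans a constructed sample batch file for common credential patterns and checks whether its permission bits leave it readable by other local accounts; the patterns, the sample script and its values are assumptions for illustration only.

```python
"""Audit batch files and shell scripts for clear-text credentials and weak file permissions."""
import os
import re
import stat
import tempfile

# Patterns that commonly carry credentials in logon/SSO scripts (constructed; not exhaustive).
CREDENTIAL_PATTERNS = [
    ("assignment", re.compile(r"(?i)(pass(word|wd)?|pwd|secret|token)\s*=\s*\S+")),
    ("net_use", re.compile(r"(?i)\bnet\s+use\b.*\s/user:\S+\s+\S+")),
    ("curl_basic_auth", re.compile(r"(?i)\bcurl\b.*\s(-u|--user)\s+\S+:\S+")),
    ("mysql_password_flag", re.compile(r"(?i)\bmysql\b.*\s(-p\S+|--password=\S+)")),
]

def find_cleartext_credentials(script_text):
    """Return (line_number, pattern_name) for each line that looks like it embeds a credential."""
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), start=1):
        for name, pattern in CREDENTIAL_PATTERNS:
            if pattern.search(line):
                findings.append((lineno, name))
                break  # one finding per line is enough to flag it for review
    return findings

def is_protected_mode(mode):
    """True when only the owner has any access to the file (no group/other permission bits)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0

def audit_script_file(path):
    """Combine the content scan with the permission check for one script on disk."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        findings = find_cleartext_credentials(fh.read())
    return {"credentials": findings, "protected": is_protected_mode(os.stat(path).st_mode)}

# Constructed sample of an in-house logon/batch script; none of these values are real.
SAMPLE_BATCH = r"""@echo off
REM Map the finance share for the nightly job
net use F: \\fileserver\finance /user:CORP\svc_batch P@ssw0rd!
set DB_PASSWORD=hunter2
mysql -u report -pReportPass1 reports < nightly.sql
echo done
"""

def demo():
    """Write the sample to a temp file and audit it world-readable, then owner-only."""
    with tempfile.NamedTemporaryFile("w", suffix=".bat", delete=False) as tmp:
        tmp.write(SAMPLE_BATCH)
        path = tmp.name
    try:
        os.chmod(path, 0o644)  # common default: every local account can read the credentials
        weak = audit_script_file(path)
        os.chmod(path, 0o600)  # "protected area": owner read/write only
        fixed = audit_script_file(path)
    finally:
        os.unlink(path)
    return weak["protected"], fixed["protected"], weak["credentials"]

if __name__ == "__main__":
    print(demo())
```

Run against a real script directory, the same two checks separate the two halves of the quiz answer: which files embed credentials, and which of those are still readable by accounts other than the operator's.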

CCCure Support

Jan 6, 2017, 1:02:21 PM
to Brian Lehmann, CISSPtalks
Good day Brian,

My first advice would be NOT to panic.  

This book, like dozens of others, is written by three authors who mostly earn their living writing books in series. Even though it is one of the two OFFICIAL ISC2 STUDY BOOKS, it does not mean that it, and nothing else, counts, as I have explained in my previous answer.

The authors don't have any special or unique knowledge of what could be on the exam other than the topics listed in the CBK. They obviously did not even follow the ISC2 guide on how to write questions. ISC2 has a 36-page guide that people who contribute to the real question bank for the exam receive to guide them on how to come up with a good question. The guide gives guidelines on how to avoid giving tips to good question takers.

The questions on the real exam are reviewed by the Exam Review Committee, which consists of a group of people from multiple countries around the world. The committee ensures there is only ONE possible answer that can be valid. They review every question one by one.

ISC2 has outsourced their exam to a third party, a psychometric company they use to maintain the separation of duties that is needed between the non-profit side of the house and their for-profit side doing training.

In short: THIS IS A BAD QUESTION, NOT REPRESENTATIVE OF WHAT YOU CAN EXPECT ON THE REAL EXAM. YOU WILL NEVER GET A QUESTION WITH TWO PAIRS OF SYNONYMS.

With this exam, you have to dummify yourself and attempt not to read too much between the lines. Remember the CBK is almost two years old. So you must answer in the context of what existed two years ago.

Best of luck

Clement
 





 

On Fri, Jan 6, 2017 at 12:43 PM, Brian Lehmann <bjames...@gmail.com> wrote:
"When you have two words that are synonymous, they will never be presented at the same time within the same question".  Really?  Then explain this:

[Inline image 1 and Inline image 3: not reproduced]



Additionally, in your question - "following someone who has legitimate access (using their credential)" - the highlighted portion is specifically defined as masquerading NOT piggybacking/tailgating.  The distinction being that masquerading involves the use of valid credentials where piggybacking is just following someone through WITHOUT being authenticated themselves.

I'd also like to add that while, yes there are many references in the CIB, if the "official" study guide, which is explicitly endorsed by the CEO of (ISC)2 and published by an (ISC)2 partnered organization, cannot be relied upon as an authoritative reference for specific terminology that is not open to interpretation or substitution (as is indicated by the question pictured above) then what good is it?

After several months of studying numerous resources, I have encountered a ton of question/answer combinations that are absolutely infuriating. I'm taking the exam tomorrow so we'll see how I do, but to tell you the truth, this whole process has seriously diminished my respect for the CISSP credential. In my opinion it's nothing more than another "test on how to take a test" and not a test of actual security knowledge, which is reinforced by the fact that I've met (and worked with) several CISSP certified individuals who can barely spell "ACL" let alone define what it is! I'm not saying anyone with a CISSP isn't really a security professional, I'm just saying you clearly don't need to be one to get the cert... but what do I know </rant>

Best Regards,
Brian

valère Feugwang

Jan 24, 2017, 3:28:53 AM
to CISSP Study Mailing List
Hello Clement,

Many thanks for your availability.

Could you please share with me the link where I could pay for accessing the quiz online? I plan to sit this exam between February and March.

CCCure Support

Jan 24, 2017, 8:01:02 AM
to CISSPtalks
Good morning Valere,

You can subscribe to our quiz engine at:  https://www.freepracticetests.org

Click on REGISTRATION at the top.

Best regards

Clement


