This article can also be found in the Premium Editorial Download "Information Security magazine: Defense-in-Depth: Securing the network from the perimeter to the core."
Download it now to read this article plus other related content.
Anybody who says the CISSP exam is easy isn't telling the whole story. There are plenty of difficult questions--some legitimate, some goofy.
When taking the CISSP exam, expect to encounter at least a couple dozen questions that will frustrate the hell out of you. (ISC)2 exam designers claim these (and all) questions are psychometrically valid. Annoying or not, they're a useful mechanism for separating qualified candidates (infosecurity professionals who have mastered the CBK to an acceptable level) from unqualified professionals (those without mastery of the material who are simply good at taking multiple-choice exams).
Whether you buy this line of reasoning or not, these questions will drive you nuts if you're not expecting them. For discussion purposes, I've divided these questions into four categories, comprising both the "factual" and "interpretive" question types. With each of these categories, I'll try to explain what makes the question difficult, and offer an example. These examples may be a bit exaggerated to illustrate a point. That said, they're not far from the truth, either.
1. Obscure facts. Several questions require you to recall very specific details from the CBK. These are absolutely legitimate, fact-oriented questions that don't require a lot of interpretation. The problem is that you just don't know or can't remember the answer unless you happened to study it recently, have hands-on experience with it, or have a photographic memory.
Here's an example:
1. Which of the following characterizes the Data Encryption Standard (DES) Electronic Code Book
a. "Stream mode" cipher, first ciphertext block is XORed with next text block.
b. "Block mode" cipher, 64-bit plaintext blocks loaded sequentially.
c. "Block mode" cipher, 64-bit data blocks processed individually one at a time.
d. "Stream mode" cipher, keystream is XORed with message stream; simulates one-time pad.
The answer is "C," but it's a really hard question because it's very detailed and technical. Moreover, the options include both legitimate DES modes that aren't ECB (answer B is cipher block chaining (CBC); answer D is output feedback mode (OFB)) and a made-up answer (answer "A" also describes CBC, except CBC is a block mode cipher). You either know the answer here or you don't. It's impossible to dope it out if you didn't study it.
2. Misleading interpretive questions. A chunk of questions ask you to pinpoint the "best" answer or course of action given a scenario or context. Granted, by their very nature, these questions are very difficult to craft, but the CISSP exam seems to have more than its share of doozies.
Selecting the best answer to these questions is problematic because (a) what you would consider "best" isn't one of the options; or (b) you need more context to determine what the exam-creators would consider best. Here's an example question that captures both of these problems:
2. Which of the following is usually considered to be the best type of firewall:
a. Static packet filter
b. Application-layer proxy
c. Circuit-level firewall
d. PC firewall
Many people would consider a dynamic/stateful-inspection firewall to be the "best" general-purpose firewall available today. But that's not one of the answers. So you're left to determine what's best from the list of four "next-best-but-not-really-best" alternatives.
Compounding the problem, you're not given any context in which to make an educated decision. "Best" under what circumstances? What type of access control or traffic filtering are you trying to enforce? What type of network or hosts is the firewall intended to protect?
Moreover, the answers are not "equal" in the sense that they're not all of the same type or quality. Is this on purpose or by accident? Again, you can only guess.
OK, you probably wouldn't select "D," because a PC firewall is a specific example of a host application filter. The other three options are core technologies, not form-factor examples of those technologies.
Option A, static packet filter, is a "first-generation" network-layer firewall that does basic IP address and port filtering. It's probably the widest deployed firewall today, so if "best" means "most accepted," option A would be your answer.
However, if by "best" they mean "most able to filter traffic at a granular application header or payload level," then "application-layer proxy" is your answer. But wait: Circuit-level firewalls are "better" than static packet filters because they filter on Transport layer headers as well as IP headers; and they're "better" than application proxies because they can filter on a wider variety of protocols and are easier to maintain. But do two "betters" add up to one "best"?
You get the point. You have to determine what "best" means before you can select the "best" (er, "next-best") answer. This question is aggravating because it doesn't test your knowledge of firewalls--how they work, how they compare, which one's most applicable to a given scenario--but rather your ability to guess how the exam creators would define "best."
3. Questions where more than one answer is correct. In some questions, more than one answer seems correct. And, indeed, more than one is correct, depending on your perspective.
3. Which OSI layer(s) does SSL operate at?
a. Layer 4
b. Layer 5
c. Layers 4 and 5
d. Layers 5 and 7
Each of these is correct under different scenarios. In preparing for the exam, I came across different sources that actually gave these answers. Which one is correct? More to the point: Which answer would (ISC)2 consider correct? Guess!
With questions like these, it's clearly a matter of interpretation and context, and one would hope the CISSP exam would steer away from them. Unfortunately, it doesn't.
4. Confusing wording in the question itself. Perhaps the most frustrating questions on the CISSP exam are ones that force you to guess at exactly what the question is trying to ask. A sloppily written phrase forces you to interpret the meaning of the question--do they mean this, or do they mean that?--which in turn affects your interpretation of the answers.
4. Which of the following best describes a "protective profile"?
a. Implementation-dependent statement of security needs for a set of general IT products.
b. Management-level description of resources necessary to protect a security domain.
c. General framework of physical security requirements for a data center.
d. Includes the "Target of Evaluation" description of an IT product and its purpose, but not necessarily from a security perspective.
If you studied the Common Criteria security evaluation standard, you know that the "protection profile" is an implementation-independent statement of security requirements within the CC. Ah, but the question says protective profile--and what's worse, it puts the phrase in quotes.
Is this a simple spelling or usage mistake? Or are the exam developers specifically trying to bait you into answering the question as though it specifies "protection profile," when in fact they mean something more generic and completely unrelated to the Common Criteria?
It may seem like I'm picking on (ISC)2 and the exam creators by going into this level of detail. But to be forewarned is to be forearmed, and no book, study guide or boot camp prepared me for these types of questions, and no sample test I came across quite captured the essence of these questions. Everybody talks about how some CISSP exam questions are frustrating. Hopefully, I've illustrated why they can be frustrating.
This was first published in June 2003