CISSP exam questions: 5 drag & drop and hotspot questions
So you’re thinking of earning your CISSP certification. Wouldn’t you like to see some sample CISSP exam questions from the legendary CISSP test? Back in 2014, the CISSP exam expanded beyond the traditional multiple-choice format to include two new types of questions: CISSP drag and drop questions and CISSP hotspot questions.
Examples of both types of questions are shown below.
CISSP exam drag-and-drop questions
CISSP drag-and-drop questions require you to move one or more correct answers from a pool of possible answers into the “Correct Answers” area. For example:
1. Which of the following algorithms are examples of symmetric cryptography? Drag and drop the correct answers from left to right.
To solve the question, simply click, drag and drop each correct answer from the “Possible Answers” section to the “Correct Answers” box. In this case, we should drag-and-drop AES, Blowfish and DES into the “Correct Answers” box.
Whatever you do, don’t let the CISSP exam’s “drag-and-drop” questions unnerve you! You’ve seen these types of questions before on dozens of other tests when they were simply called “multiple choice” questions — and they allowed you to pick multiple answers.
For example, here’s what the previous drag-and-drop example would look like as a traditional “select all that apply” multiple-choice question.
1. (restated as multiple choice): Which of the following algorithms are examples of symmetric cryptography. Select ALL correct answers that apply.
- A) Advanced Encryption Standard (AES)
- B) Blowfish
- C) El Gamal
- D) Data Encryption Standard (DES)
- E) Rivest Shamir Adleman (RSA)
Of course, the correct solution would be to select A, B and D, since AES, Blowfish and DES are all types of symmetric encryption.
CISSP exam hot spot questions
CISSP “Hot Spot” questions require you to click on the correct part of a diagram to answer a question. Once you click on a piece of the diagram (one of the possible hot spots), it will light up with a colored background. For example:
2. To secure outbound connections from internal computers, protect internal resources from inbound connections from the internet, and use a separate “DMZ” segment to allow web connections from the internet, the security practitioner wants to deploy a single firewall. Click on the area below where the firewall should be placed.
To solve the question, hover your mouse cursor on one of the areas on the diagram. All available areas will light up as your mouse travels over them, and your selected answer will stay lit when you click on it. In this case, we’d want to deploy a firewall where we could have a “three-legged” configuration: internet, internal (with desktop and file server) and DMZ (with the web server).
Hot spot questions, like drag-and-drop questions, are just a fancy version of a question you’ve seen thousands of times before. Specifically, multiple-choice questions. For example, here’s the same question presented in a traditional multiple-choice format.
2. (restated as multiple choice): To secure outbound connections from internal computers, protect internal resources (desktops and a file server) from inbound connections from the internet, and use a separate “DMZ” segment to allow web connections from the internet, the security practitioner wants to deploy a single firewall. What is the best place to deploy this firewall?
- A) Between the desktops and the Internet, with a separate “DMZ” segment for the file server (The web server would be directly connected to the internet)
- B) Between all internal resources (desktops and the file server) and the internet (The web server would be directly connected to the internet — this is called a “DMZ”)
- C) Between all internal resources (desktops and the file server) and the internet, with a separate “DMZ” segment for the web server
- D) Between all company resources (desktops, the file server and the web server) and the Internet (The web server would use the same segment as other resources but different firewall rules — this is called a “DMZ”)
The answer here is “C,” and it’s the same solution as the one selected in the hotspot version of the question. However, you can probably see how the hotspot version could be easier to understand than the same question written out; it’s a simple case of a picture being worth a thousand words.
More sample questions from a CISSP exam
Easy “access control” question
Now that you understand the new question format, let’s start with a relatively easy one from the “access control” domain. Traditionally, this question would be presented this way:
3. Three common methods used to authenticate a user to a system or network are:
- A) authorization, identification and tokens
- B) passwords, biometrics and tokens
- C) encryption, passwords and identification
- D) authorization, identification and encryption
However, as a drag-and-drop question, you might see it as:
3. (drag-and-drop): Which of the following methods are used to authenticate a user to a system or network? Drag and drop the correct answers from left to right.
The correct answer is passwords, biometrics and tokens, where “tokens” covers a wide range of “things you can have,” like client certificates, SSH keys and hardware tokens.
You may have progressed to the correct answer by noting that “authorization” is almost a nonsense word in this context (e.g., “you authenticate by authorizing?”) and that “encryption” is generally used to keep data hidden, rather than authenticate users.
However, a trained CISSP candidate would have gotten the answer even faster because they would have known that access control consists of multiple steps: identification, authentication, authorization and accountability (the CBK’s so-called “I triple-A”).
- Identification is typically accomplished by providing a username
- Authentication is basically about providing a password, biometric or token
- Authorization is granting an authenticated user access to specific resources
- Accountability is all about the audit trail of the authenticated user’s actions
With that in mind, a CISSP candidate would know that any answer to an “authentication methods” question featuring “identification,” “authorization” or anything else (e.g., “encryption”) would be obviously wrong. Now, let’s kick the difficulty up a notch.
Hard “access control” question
First, here’s what the question would look like as a multiple-choice question CISSP exam.
4. Three management approaches that control access are:
- A) RBAC, TBAP and LBAP
- B) DAC, LBAP and MAC
- C) DAC, RBAC and MAC
- D) TBAP, LBAP and MAC
Now, here’s what it might look like as a drag-and-drop question.
4. (drag-and-drop): Which of the following are NOT management approaches that control access? Drag and drop the correct answers from left to right.
Unfortunately, in either format, you might be thinking, “wait… what?” Without CISSP training, you might know what “RBAC” is (“role-based access control”), but unless you’ve worked with classified or legacy systems, the rest might all be “Greek” to you.
However, a trained CISSP candidate would know what to do here. This is obviously an “access control” question, even though the question asked how to “control access.” While a trained candidate might not remember the exact names of each approach, they would know that DAC, RBAC and MAC are all “access control management approaches,” because those abbreviations all end in “AC.” for “access control.”
Before simply dragging and dropping DAC, RBAC and MAC from left to right, though, you would need to pay close attention to the word “NOT” in the question. With that in mind, the correct answers to this question are simply TBAP and LBAP. (Also note that not every drag-and-drop question has three correct answers — the number will vary!)
For the record:
- MAC — “Mandatory Access Control” — A set of access rules based on a user’s clearance or authorization and classification, or sensitivity of the information. Terms like “Orange Book” and “DoD” (Department of Defense) are often associated with MAC.
- RBAC — “Role-Based Access Control” — A set of access rules based on a user’s role as defined through user class, group permissions, IP address, or similar settings. In non-classified situations, RBAC is usually what’s set up on servers and network equipment regarding “setting up permissions.”
- DAC — “Discretionary Access Control” — A set of access rules that allows the data owner to delegate access to specific resources for specific users. Terms like “Orange Book” and “DoD” (Department of Defense) are also often associated with DAC.
- LBAP — “Layer-Based Access Protocol” — Meaningless; a CISSP exam red herring.
- TBAP — “Target-Based Access Protocol” — Another CISSP exam red herring.
Again, newbies might be confused. Would the (ISC)² organization really put nonsense protocols and definitions in its vaunted CISSP exam?” Unfortunately, the answer is yes, and “LBAP” and “TBAP” just happen to be two of them.
Many questions in your exam will feature red herrings such as these because they test your familiarity with the CISSP common body of knowledge (which defines MAC, RBAC and DAC) and security terminology conventions (such as names of access control rules generally ending with “AC.”) As a practicing CISSP, I find “red herring” questions valuable because CISSPs must be able to quickly sift useful information from jargon like that, every day.
Are you warmed up? Good, now let’s end with a question about physical security.
Physical security question
5. What is the most effective way to reduce security risks with plant entrances?
- A) Minimize the number of windows, doors and loading docks
- B) Reinforce all windows, doors and loading docks
- C) Brightly illuminate all windows, doors and loading docks
- D) Install tamper-proof hardware such as hardened hinges and glass
Before we answer that question, why does the (ISC)² require us to know about physical security? It’s not like we covered that in college. The answer, of course, is that it’s our job to keep company resources confidential while maintaining their integrity and availability. (Did you see what I did there?) If you cannot speak the same language as the security team guarding the building, locking the doors, buying fire protection services and running the motion sensors, you’re putting your employer (and thus your job) at risk. (It doesn’t hurt to learn the night watchmen’s names, too.)
But still, maybe you don’t think you know anything about physical security. So, how do you answer the question? One thing you could do is restate the entire question in terms you DO understand.
5. (restated): What is the most effective way to reduce security risks on a system?
- A) Reduce the number of interfaces
- B) Change existing interfaces to increase the amount of time required to exploit them
- C) Add better logging and “you are being watched” warnings to existing interfaces
- D) Change existing interfaces to increase the amount of time required to exploit them
Got it now? “B” and “D” are basically the same answer, so neither one could be right. “C” might be a good answer, but only if it also included better monitoring. (You can add all the lighting you want to doors, but if no one is watching …) That leaves only “A.” “Reduce the things you need to worry about.” It’s a good answer to help you secure any asset, IT, physical or otherwise.
Believe it or not, that kind of question is a good candidate for restatement as a hotspot question. Take a look at the following diagram and see if its use makes the question easier or more difficult:
5. (hotspot): The following plant has several security weaknesses. If you were in charge of physical security, which one would you fix or upgrade first?
The hotspots here would be “break in fence,” “broken light,” “ordinary skylight” and “ordinary garage door.” The most serious weakness of those four is obviously the big break in the fence.
CISSP drag-and-drop and hotspot takeaways
The introduction of drag-and-drop and hotspot questions into the CISSP exam doesn’t change the difficulty of the exam, it just makes the exam — a bit different. The same concepts and test-taking techniques are still applicable.
I hope this article will help you anticipate the kinds of questions you need to answer on the real thing.