Certification Exams and Tricky Language

Michael2 Member Posts: 305
I know this is a non-certification forum but I just want to ask a general question about exams. Is it even possible to get a perfect score on one? Theoretically, I know it is; but it seems like some of the questions are intentionally designed to prevent people from doing that. For example, in the book I'm using there is a question that asks what type of attack is designed to trick users into revealing their web site credentials. The answer is phishing. I missed this one a lot because of that phrase. What in the world are web site credentials? Another one has a user who is not allowed to access certain files and asks what security principle this exemplifies. The correct answer is separation of duties, but one of the other choices is Least Privilege. It seems very confusing because of the use of the word 'allowed.' These are just examples of what I mean. I suppose it's the same with other exams as well. I would like to get a perfect score when I take mine, but I don't see it happening.

Comments

  • KrisA Member Posts: 142
    "Website credentials" are referenced to how a person identifies themselves to gain access to a site. Usernames, login email address etc etc and passwords.
    WGU Progress BSIT:NA | Current Term:1 | Transfered To-Do In Progress Completed
    EWB2 BAC1 BBC1 TSV1 WFV1 CLC1 LAE1 LUT1 LAT1 AXV1 TTV1 INC1 INT1 TPV1 SST1 SSC1 GAC1 HHT1 TNV1 QLT1 BOV1 LET1 ORC1 IWC1 IWT1 MGC1 ABV1 AHV1 AJV1 TWA1 CPW2 BRV1
    Currently Reading
    Darril Book
  • apr911 Member Posts: 380
    It is possible to get a perfect score on a certification exam. I scored a 1000 on my 70-646 MCITP Server Administrator exam. The questions are written in a manner that is intended to make it clear there is one answer more correct than the others while still making you think about what the answer is.

    As KrisA has already pointed out, the term "website credentials" is fairly straightforward and self-explanatory. Before I even hit "website credentials" in the question, my brain was already thinking "social engineering" based on the "what type of attack is designed to trick users"; leaving out website from "website credentials" just further confirms this. Adding the term website just makes it more clear this is a phishing social engineering attack.

    Given the possible answers of "least privilege" and "separation of duties" I would need to see the exact wording of the question to see why least privilege is more appropriate than separation of duties. As you explained it, it does sound more like least privilege but there is usually 1 or 2 keywords in the question that identify a specific answer more so than the others (i.e. see my comments above about "website" and how that changes the answer from social engineering to the more specific form of social engineering - phishing). In this case, especially with security exams (which I assume is what you're studying for based on the question examples you've given) "allowed" usually is not one of the key words as it could just as easily be disallowed or not allowed.

    The only time "allowed" becomes a key word is if you are trying to write a rule or access control list, as "allowed" vs "disallowed" fundamentally changes the way the rule would be written. Even then, it's only a keyword as it pertains to the specific function, file, port, etc. that is allowed or not.
    Currently Working On: Openstack
    2020 Goals: AWS/Azure/GCP Certifications, F5 CSE Cloud, SCRUM, CISSP-ISSMP
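Added worked example, not written by anyone in this thread: a small Python policy evaluator that makes concrete the two things discussed above. First, why an "allowed" rule set and a "disallowed" rule set are written differently (the allow-list style defaults to deny and is the usual way to implement least privilege, while the deny-list style silently permits anything the author forgot to list). Second, how separation of duties is a different check altogether: it looks at whether one person holds two conflicting roles, not at whether a single access is granted. The users, file name and role names are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class AllowListACL:
    """Least-privilege style: a request is denied unless a rule explicitly allows it."""
    rules: dict = field(default_factory=dict)  # user -> {(resource, action), ...}

    def allow(self, user: str, resource: str, action: str) -> None:
        self.rules.setdefault(user, set()).add((resource, action))

    def is_permitted(self, user: str, resource: str, action: str) -> bool:
        # Default deny: an unknown user or an unlisted (resource, action) is refused.
        return (resource, action) in self.rules.get(user, set())


@dataclass
class DenyListACL:
    """Blocklist style: a request is allowed unless a rule explicitly denies it.
    The same intent has to be written as the complement of the allow rules."""
    rules: dict = field(default_factory=dict)

    def deny(self, user: str, resource: str, action: str) -> None:
        self.rules.setdefault(user, set()).add((resource, action))

    def is_permitted(self, user: str, resource: str, action: str) -> bool:
        # Default allow: anything not explicitly denied gets through.
        return (resource, action) not in self.rules.get(user, set())


# Separation of duties: role pairs that must never be held by one person (constructed).
CONFLICTING_ROLE_PAIRS = {
    frozenset({"submit_payment", "approve_payment"}),
    frozenset({"write_code", "deploy_to_prod"}),
}


def violates_separation_of_duties(roles) -> bool:
    """True if the set of roles held by one person contains a conflicting pair."""
    held = set(roles)
    return any(pair <= held for pair in CONFLICTING_ROLE_PAIRS)


def evaluate_scenarios() -> dict:
    """Run constructed requests through both ACL styles and the SoD check."""
    # Intent: alice may only read payroll.csv; nobody else touches it.
    allow_acl = AllowListACL()
    allow_acl.allow("alice", "payroll.csv", "read")

    # Expressing the same intent as deny rules needs every unwanted case listed;
    # any case forgotten (here: bob reading) is silently permitted.
    deny_acl = DenyListACL()
    deny_acl.deny("alice", "payroll.csv", "write")
    deny_acl.deny("bob", "payroll.csv", "write")

    return {
        "allow_alice_read": allow_acl.is_permitted("alice", "payroll.csv", "read"),
        "allow_alice_write": allow_acl.is_permitted("alice", "payroll.csv", "write"),
        "allow_bob_read": allow_acl.is_permitted("bob", "payroll.csv", "read"),
        "deny_alice_read": deny_acl.is_permitted("alice", "payroll.csv", "read"),
        "deny_bob_read": deny_acl.is_permitted("bob", "payroll.csv", "read"),  # the gap
        "sod_clerk": violates_separation_of_duties(["submit_payment"]),
        "sod_clerk_and_approver": violates_separation_of_duties(
            ["submit_payment", "approve_payment"]),
    }


if __name__ == "__main__":
    for name, result in evaluate_scenarios().items():
        print(f"{name}: {result}")
```

Running it shows the allow-list refusing bob's read (no rule for him) while the deny-list lets it through, which is why "allowed" only matters once you are actually writing the rule, and why the separation-of-duties result depends on the combination of roles rather than on any single file or permission.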