5 exercises — CISSP domains, hashing vs. encryption, penetration testing and rules of engagement, the CIA triad, and vulnerability/threat/risk distinctions.
0 / 5 completed
1 / 5
A CISSP practice question asks: "Which of the eight CISSP domains covers firewalls, VPNs, and intrusion detection systems?" How should you approach a domain-identification question like this?
CISSP is explicitly structured around 8 domains defined by (ISC)², each weighted differently in the exam blueprint. Understanding the domain structure — not just individual facts — is itself a tested skill, because many questions are really asking "which domain does this concept belong to," which then determines the correct framing of the answer.
Domain-recognition vocabulary is exam-critical because CISSP intentionally tests breadth across security governance (policy, risk, compliance) as much as technical depth (cryptography, network security). A question about firewalls tests network security domain knowledge; a question about the same firewall's procurement policy might test Security and Risk Management instead.
Study strategy implication: memorising the 8 domain names and roughly what falls under each is a foundational exam-reading skill — it helps you correctly interpret ambiguous scenario questions by first asking "which domain is this really testing?" before evaluating the answer choices.
2 / 5
A CompTIA Security+ question reads: "An organisation wants to ensure that even if an attacker steals a password database, the passwords cannot be easily reversed to plaintext." Which control is being described, and how is it distinct from encryption?
Security+ frequently tests the distinction between hashing and encryption because candidates often use the words interchangeably in casual speech, which is a critical error in security contexts.
• Encryption — reversible with the correct key; used when you need to recover the original data later (data at rest, data in transit) • Hashing — one-way, designed to be irreversible; used for integrity verification and password storage, where you never need the original value back, only the ability to verify a match • Salting — adding random, unique data to each password before hashing, so that identical passwords produce different hashes, defeating precomputed "rainbow table" attacks
Exam signal phrases: "cannot be reversed," "verify without storing the original," "prevent rainbow table attacks" → hashing (with salt). "Must be recoverable," "decrypt when needed" → encryption. Confusing these in an interview or exam answer is one of the most common Security+ failure points.
3 / 5
A CEH (Certified Ethical Hacker) exam scenario describes: "A tester is authorised by the organisation to attempt to breach its systems using the same techniques as a real attacker, in order to identify vulnerabilities before they're exploited maliciously." What is this activity called, and what makes it legally distinct from an actual attack?
CEH exam content places heavy emphasis on the legal and ethical framing of hacking techniques, not just the techniques themselves — this is the entire point of the "ethical" in Certified Ethical Hacker.
Key vocabulary: • Penetration testing — a time-boxed, authorised simulated attack against defined systems, typically to satisfy a specific goal (find as many vulnerabilities as possible, test a specific control) • Rules of Engagement (RoE) — the document defining scope (which systems), timing (testing windows), and permitted techniques, signed before testing begins — this is what makes the activity legal • Red teaming — a related but distinct discipline, typically broader and more adversarial in style, simulating a realistic attacker's full campaign (including social engineering, physical security) rather than a scoped technical assessment; also requires authorisation • Black-box / white-box / grey-box testing — describes how much internal information the tester is given beforehand
The single most exam-critical fact: without documented authorisation, the exact same actions are a crime, regardless of intent — this is tested repeatedly across CEH material.
4 / 5
A CompTIA Security+ exam question asks about "the CIA triad" in the context of a scenario where a database was modified by an unauthorised user, but no data was viewed or deleted — only altered. Which principle of the CIA triad was violated?
The CIA triad is one of the most foundational vocabulary frameworks across nearly every security certification (Security+, CISSP, CEH), and exam questions frequently test whether you can correctly map a specific scenario to exactly the right principle — not "security in general," but the precise one being violated.
Precise definitions matter: • Confidentiality — only authorised parties can view the data (violated by: data breach, eavesdropping, exposed API returning data to unauthenticated users) • Integrity — data cannot be modified without authorisation and detection (violated by: unauthorised tampering, a man-in-the-middle attacker altering data in transit, a bug corrupting records) • Availability — authorised parties can access the system/data when needed (violated by: DDoS attacks, ransomware, hardware failure, outages)
This scenario — data altered, not viewed or made unavailable — maps cleanly to Integrity alone. Security certifications reward this kind of precise, one-to-one mapping between a described event and the exact principle it violates, rather than a vague "it's a security issue" answer.
5 / 5
A candidate preparing for CISSP asks a colleague: "What's the difference between a vulnerability, a threat, and a risk? I keep seeing all three in practice questions and I mix them up." How should this be explained?
This vulnerability/threat/risk distinction is one of the highest-yield vocabulary concepts across essentially every security certification, because it underpins the entire discipline of risk management, itself a major CISSP domain.
Precise relationships: • Vulnerability — a flaw or weakness (unpatched CVE, misconfigured permission, weak password policy) — exists independent of whether anyone is trying to exploit it • Threat — an entity or event with the potential to exploit a vulnerability (a specific attacker group, a malware family, even a natural disaster for physical security) — a threat can exist even against a system with no known vulnerabilities • Risk — the intersection: risk only materialises where a real threat could exploit a real vulnerability, typically expressed as Risk = Likelihood × Impact
Why the distinction is exam-critical: risk treatment decisions (accept, mitigate, transfer, avoid) are always about risk, not vulnerabilities or threats in isolation — a question about "what should the organisation do" is testing whether you understand that patching a vulnerability with no realistic threat may not be worth the cost, while a credible threat against an unpatched vulnerability demands urgent action.
What will I practice in "Security Certification Language — CISSP, Security+, CEH Exam Vocabulary"?
This is a Certification Prep exercise set. It walks through 5 scenario-based multiple-choice questions built around real usage of Certification Prep terminology that IT professionals encounter on the job.
Is this exercise free to use?
Yes. Every exercise on CoderSlingo, including this one, is free to complete with no account, sign-up, or paywall.
How many questions are in this exercise?
This set contains 5 questions. Each one shows immediate feedback and a detailed explanation after you answer, so you learn the correct usage right away rather than waiting for a final score.
Do I need prior experience to complete this exercise?
No prior experience is required. Each question includes a full explanation covering the reasoning behind the correct answer, so the exercise itself teaches the Certification Prep vocabulary as you go.
Can I retry the exercise if I get questions wrong?
Yes — use the "Try again" button on the results screen to reset your answers and go through all the questions again. There is no limit on attempts.
Is my progress saved?
Your answers and score for the current session are tracked in the browser as you go. No account or login is needed, and there is nothing to install.
What if I don't understand a term used in a question?
Read the explanation shown after you answer each question — it breaks down the correct term in plain English with a real-world example. You can also check the site Glossary for quick definitions.
How is this different from reading a blog article on the topic?
Exercises like this one are interactive drills that test and reinforce specific vocabulary through multiple-choice questions, while blog articles explain concepts in prose. Practising here after reading builds active recall, not just passive recognition.
Where can I find more Certification Prep exercises?
See the Certification Prep exercises hub for the full set of related pages, or browse all exercise categories from the main Exercises index.
Can I use this exercise to prepare for a technical interview?
Yes — Certification Prep vocabulary comes up often in technical discussions and interviews. Pair this exercise with our dedicated Interview Preparation section for role-specific practice.