ISC SSCP Online Practice Questions and Exam Preparation

ISC SSCP Online Questions & Answers

• Question 191:

  At which OSI/ISO layer is an encrypted authentication between a client software package and a firewall performed?

  A. Network layer
  B. Session layer
  C. Transport layer
  D. Data link layer
  C. Transport layer

  ---

  Encrypted authentication is a firewall feature that allows users on an external network to authenticate themselves to prove that they are authorized to access resources on the internal network. Encrypted authentication is convenient because it happens at the transport layer between a client software and a firewall, allowing all normal application software to run without hindrance. Source: STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 1: Understanding Firewalls.

• Question 192:

  Which type of attack would a competitive intelligence attack best classify as?

  A. Business attack
  B. Intelligence attack
  C. Financial attack
  D. Grudge attack
  A. Business attack

  ---

  Business attacks concern information loss through competitive intelligence gathering and computer-related attacks. These attacks can be very costly due the loss of trade secrets and reputation.

  Intelligence attacks are aimed at sensitive military and law enforcement files containing military data and investigation reports.

  Financial attacks are concerned with frauds to banks and large corporations.

  Grudge attacks are targeted at individuals and companies who have done something that the attacker doesn't like.

  The CISSP for Dummies book has nice coverage of the different types of attacks, here is an extract:

  Terrorism Attacks

  Terrorism exists at many levels on the Internet. In April 2001, during a period of tense relations between China and the U.S. (resulting from the crash landing of a U.S. Navy reconnaissance plane on Hainan Island), Chinese hackers

  ( cyberterrorists ) launched a major effort to disrupt critical U.S. infrastructure, which included U.S. government and military systems.

  Following the terrorist attacks against the U.S. on September 11, 2001, the general public became painfully aware of the extent of terrorism on the Internet. Terrorist organizations and cells are using online capabilities to coordinate attacks,

  transfer funds, harm international commerce, disrupt critical systems, disseminate propaganda, and gain useful information about developing techniques and instruments of terror, including nuclear , biological, and chemical weapons.

  Military and intelligence attacks

  Military and intelligence attacks are perpetrated by criminals, traitors, or foreign intelligence agents seeking classified law enforcement or military information. Such attacks may also be carried out by governments during times of war and

  conflict.

  Financial attacks

  Banks, large corporations, and e-commerce sites are the targets of financial attacks, all of which are motivated by greed. Financial attacks may seek to steal or embezzle funds, gain access to online financial information, extort individuals or

  businesses, or obtain the personal credit card numbers of customers.

  Business attacks

  Businesses are becoming the targets of more and more computer and Internet attacks. These attacks include competitive intelligence gathering, denial of service, and other computer- related attacks. Businesses are often targeted for several

  reasons including Lack of expertise: Despite heightened security awareness, a shortage of qualified security professionals still exists, particularly in private enterprise.

  Lack of resources: Businesses often lack the resources to prevent, or even detect, attacks against their systems.

  Lack of reporting or prosecution : Because of public relations concerns and the inability to prosecute computer criminals due to either a lack of evidence or a lack of properly handled evidence, the majority of business attacks still go

  unreported.

  The cost to businesses can be significant, including loss of trade secrets or proprietary information, loss of revenue, and loss of reputation.

  Grudge attacks

  Grudge attacks are targeted at individuals or businesses and are motivated by a desire to take revenge against a person or organization. A disgruntled employee, for example, may steal trade secrets, delete valuable data, or plant a logic

  bomb in a critical system or application.

  Fortunately, these attacks (at least in the case of a disgruntled employee) can be easier to prevent or prosecute than many other types of attacks because:

  The attacker is often known to the victim.

  The attack has a visible impact that produces a viable evidence trail.

  Most businesses (already sensitive to the possibility of wrongful termination suits ) have well- established termination procedures

  "Fun" attacks

  "Fun" attacks are perpetrated by thrill seekers and script kiddies who are motivated by curiosity or excitement. Although these attackers may not intend to do any harm or use any of the information that they access, they're still dangerous and

  their activities are still illegal. These attacks can also be relatively easy to detect and prosecute. Because the perpetrators are often script kiddies or otherwise inexperienced hackers, they may not know how to cover their tracks effectively.

  Also, because no real harm is normally done nor intended against the system, it may be tempting (although ill advised) for a business to prosecute the individual and put a positive public relations spin on the incident. You've seen the film at

  11: "We quickly detected the attack, prevented any harm to our network, and prosecuted the responsible individual; our security is unbreakable !" Such action, however, will likely motivate others to launch a more serious and concerted grudge

  attack against the business.

  Many computer criminals in this category only seek notoriety. Although it's one thing to brag to a small circle of friends about defacing a public Web site, the wily hacker who appears on CNN reaches the next level of hacker celebrity-dom.

  These twisted individuals want to be caught to revel in their 15 minutes of fame.

  References: ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 10: Law, Investigation, and Ethics (page 187) and CISSP Professional Study Guide by James Michael Stewart, Ed Tittel, Mike Chapple, page 607- and CISSP for Dummies, Miller L. H. and Gregory P. H. ISBN: 0470537914, page 309-311

• Question 193:

  Which of the following is used to interrupt the opportunity to use or perform collusion to subvert operation for fraudulent purposes?

  A. Key escrow
  B. Rotation of duties
  C. Principle of need-to-know
  D. Principle of least privilege
  B. Rotation of duties

  ---

  Job rotations reduce the risk of collusion of activities between individuals. Companies with individuals working with sensitive information or systems where there might be the opportunity for personal gain through collusion can benefit by

  integrating job rotation with segregation of duties. Rotating the position may uncover activities that the individual is performing outside of the normal operating procedures, highlighting errors or fraudulent behavior.

  Rotation of duties is a method of reducing the risk associated with a subject performing a (sensitive) task by limiting the amount of time the subject is assigned to perform the task before being moved to a different task.

  The following are incorrect answers:

  Key escrow is related to the protection of keys in storage by splitting the key in pieces that will be controlled by different departments. Key escrow is the process of ensuring a third party maintains a copy of a private key or key needed to

  decrypt information. Key escrow also should be considered mandatory for most organization's use of cryptography as encrypted information belongs to the organization and not the individual; however often an individual's key is used to

  encrypt the information.

  Separation of duties is a basic control that prevents or detects errors and irregularities by assigning responsibility for different parts of critical tasks to separate individuals, thus limiting the effect a single person can have on a system. One individual should not have the capability to execute all of the steps of a particular process. This is especially important in critical business areas, where individuals may have greater access and capability to modify, delete, or add data to the system. Failure to separate duties could result in individuals embezzling money from the company without the involvement of others.

  The need-to-know principle specifies that a person must not only be cleared to access classified or other sensitive information, but have requirement for such information to carry out assigned job duties. Ordinary or limited user accounts are what most users are assigned. They should be restricted only to those privileges that are strictly required, following the principle of least privilege. Access should be limited to specific objects following the principle of need-to-know. The principle of least privilege requires that each subject in a system be granted the most restrictive set of privileges (or lowest clearance) needed for the performance of authorized tasks. Least privilege refers to granting users only the accesses that are required to perform their job functions. Some employees will require greater access than others based upon their job functions. For example, an individual performing data entry on a mainframe system may have no need for Internet access or the ability to run reports regarding the information that they are entering into the system. Conversely, a supervisor may have the need to run reports, but should not be provided the capability to change information in the database.

  Reference(s) used for this question:

  Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 10628-10631). Auerbach Publications. Kindle Edition.

  and

  Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 10635-10638). Auerbach Publications. Kindle Edition.

  and

  Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 10693-10697). Auerbach Publications. Kindle Edition.

  and

  Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 16338-16341). Auerbach Publications. Kindle Edition.

• Question 194:

  What is the most critical characteristic of a biometric identifying system?

  A. Perceived intrusiveness
  B. Storage requirements
  C. Accuracy
  D. Scalability
  C. Accuracy

  ---

  Accuracy is the most critical characteristic of a biometric identifying verification system.

  Accuracy is measured in terms of false rejection rate (FRR, or type I errors) and false acceptance rate (FAR or type II errors).

  The Crossover Error Rate (CER) is the point at which the FRR equals the FAR and has become the most important measure of biometric system accuracy.

  Source: TIPTON, Harold F. and KRAUSE, Micki, Information Security Management Handbook, 4th edition (volume 1), 2000, CRC Press, Chapter 1, Biometric Identification (page 9).

• Question 195:

  What is a hot-site facility?

  A. A site with pre-installed computers, raised flooring, air conditioning, telecommunications and networking equipment, and UPS.
  B. A site in which space is reserved with pre-installed wiring and raised floors.
  C. A site with raised flooring, air conditioning, telecommunications, and networking equipment, and UPS.
  D. A site with ready made work space with telecommunications equipment, LANs, PCs, and terminals for work groups.
  A. A site with pre-installed computers, raised flooring, air conditioning, telecommunications and networking equipment, and UPS.

  ---

  Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

• Question 196:

  Which of the following statements pertaining to firewalls is incorrect?

  A. Firewalls create bottlenecks between the internal and external network.
  B. Firewalls allow for centralization of security services in machines optimized and dedicated to the task.
  C. Firewalls protect a network at all layers of the OSI models.
  D. Firewalls are used to create security checkpoints at the boundaries of private networks.
  C. Firewalls protect a network at all layers of the OSI models.

  ---

  Firewalls can protect a network at multiple layers of the OSI models, however most of the firewalls do not have the ability to monitor the payload of the packets and see if an application level attack is taking place. Today there are a new breed of firewall called Unified Threat Managers or UTM. They are a collection of products on a single computer and not necessarily a typical firewall. A UTM can address all of the layers but typically a firewall cannot. Firewalls are security checkpoints at the boundaries of internal networks through which every packet must pass and be inspected, hence they create bottlenecks between the internal and external networks. But since external connections are relatively slow compared to modern computers, the latency caused by this bottleneck can almost be transparent. By implementing the concept of border security, they centralize security services in machines optimized and dedicated to the task, thus relieving the other hosts on the network from that function. Source: STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 1: Understanding Firewalls.

• Question 197:

  The number of violations that will be accepted or forgiven before a violation record is produced is called which of the following?

  A. clipping level
  B. acceptance level
  C. forgiveness level
  D. logging level
  A. clipping level

  ---

  The correct answer is "clipping level". This is the point at which a system decides to take some sort of action when an action repeats a preset number of times. That action may be to log the activity, lock a user account, temporarily close a port, etc.

  Example: The most classic example of a clipping level is failed login attempts. If you have a system configured to lock a user's account after three failed login attemts, that is the "clipping level".

  The other answers are not correct because:

  Acceptance level, forgiveness level, and logging level are nonsensical terms that do not exist (to my knowledge) within network security.

  Reference:

  Official ISC2 Guide - The term "clipping level" is not in the glossary or index of that book. I cannot find it in the text either. However, I'm quite certain that it would be considered part of the CBK, despite its exclusion from the Official Guide.

  All in One Third Edition page: 136 - 137

• Question 198:

  Controls provide accountability for individuals who are accessing sensitive information. This accountability is accomplished:

  A. through access control mechanisms that require identification and authentication and through the audit function.
  B. through logical or technical controls involving the restriction of access to systems and the protection of information.
  C. through logical or technical controls but not involving the restriction of access to systems and the protection of information.
  D. through access control mechanisms that do not require identification and authentication and do not operate through the audit function.
  A. through access control mechanisms that require identification and authentication and through the audit function.

  ---

  Controls provide accountability for individuals who are accessing sensitive information. This accountability is accomplished through access control mechanisms that require identification and authentication and through the audit function. These controls must be in accordance with and accurately represent the organization's security policy. Assurance procedures ensure that the control mechanisms correctly implement the security policy for the entire life cycle of an information system.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 33.

• Question 199:

  Kerberos can prevent which one of the following attacks?

  A. tunneling attack.
  B. playback (replay) attack.
  C. destructive attack.
  D. process attack.
  B. playback (replay) attack.

  ---

  Each ticket in Kerberos has a timestamp and are subject to time expiration to help prevent these types of attacks.

  The following answers are incorrect:

  tunneling attack. This is incorrect because a tunneling attack is an attempt to bypass security and access low-level systems. Kerberos cannot totally prevent these types of attacks. destructive attack. This is incorrect because depending on

  the type of destructive attack, Kerberos cannot prevent someone from physically destroying a server.

  process attack. This is incorrect because with Kerberos cannot prevent an authorzied individuals from running processes.

• Question 200:

  What attack involves the perpetrator sending spoofed packet(s) wich contains the same destination and source IP address as the remote host, the same port for the source and destination, having the SYN flag, and targeting any open ports that are open on the remote host?

  A. Boink attack
  B. Land attack
  C. Teardrop attack
  D. Smurf attack
  B. Land attack

  ---

  The Land attack involves the perpetrator sending spoofed packet(s) with the SYN flag set to the victim's machine on any open port that is listening. The packet(s) contain the same destination and source IP address as the host, causing the victim's machine to reply to itself repeatedly. In addition, most systems experience a total freeze up, where as CTRL-ALT-DELETE fails to work, the mouse and keyboard become non operational and the only method of correction is to reboot via a reset button on the system or by turning the machine off. The Boink attack, a modified version of the original Teardrop and Bonk exploit programs, is very similar to the Bonk attack, in that it involves the perpetrator sending corrupt UDP packets to the host. It however allows the attacker to attack multiple ports where Bonk was mainly directed to port 53 (DNS). The Teardrop attack involves the perpetrator sending overlapping packets to the victim, when their machine attempts to re-construct the packets the victim's machine hangs. A Smurf attack is a network- level attack against hosts where a perpetrator sends a large amount of ICMP echo (ping) traffic at broadcast addresses, all of it having a spoofed source address of a victim. If the routing device delivering traffic to those broadcast addresses performs the IP broadcast to layer 2 broadcast function, most hosts on that IP network will take the ICMP echo request and reply to it with an echo reply each, multiplying the traffic by the number of hosts responding. On a multi-access broadcast network, there could potentially be hundreds of machines to reply to each packet. Resources: http://en.wikipedia.org/wiki/Denial-of-service_attack http://en.wikipedia.org/wiki/LAND