ISC SSCP Online Practice Questions and Exam Preparation

ISC SSCP Online Questions & Answers

• Question 201:

  The National Institute of Standards and Technology (NIST) standard pertaining to perimeter protection states that critical areas should be illuminated up to?

  A. Illiminated at nine feet high with at least three foot-candles
  B. Illiminated at eight feet high with at least three foot-candles
  C. Illiminated at eight feet high with at least two foot-candles
  D. Illuminated at nine feet high with at least two foot-candles
  B. Illiminated at eight feet high with at least three foot-candles

  ---

  The National Institute of Standards and Technology (NIST) standard pertaining to perimeter protection states that critical areas should be illuminated eight feet high with at least two foot- candles.

  It can also be referred to as illuminating to a height of eight feet, with a BRIGHTNESS of two foot-candles. One footcandle 10.764 lux. The footcandle (or lumen per square foot) is a non-SI unit of illuminance. Like the BTU, it is obsolete but it

  is still in fairly common use in the United States, particularly in construction- related engineering and in building codes. Because lux and footcandles are different units of the same quantity, it is perfectly valid to convert footcandles to lux and

  vice versa.

  The name "footcandle" conveys "the illuminance cast on a surface by a one-candela source one foot away." As natural as this sounds, this style of name is now frowned upon, because the dimensional formula for the unit is not foot ?candela,

  but lumens per square foot.

  Some sources do however note that the "lux" can be thought of as a "metre-candle" (i.e. the illuminance cast on a surface by a one-candela source one meter away). A source that is farther away casts less illumination than one that is close,

  so one lux is less illuminance than one footcandle. Since illuminance follows the inverse-square law, and since one foot = 0.3048 m, one lux = 0.30482 footcandle 1/10.764 footcandle.

  TIPS FROM CLEMENT:

  Illuminance (light level) The amount of light, measured in foot-candles (US unit), that falls n a surface, either horizontal or vertical.

  Parking lots lighting needs to be an average of 2 foot candles; uniformity of not more than 3:1, no area less than 1 fc.

  All illuminance measurements are to be made on the horizontal plane with a certified light meter calibrated to NIST standards using traceable light sources.

  The CISSP Exam Cram 2 from Michael Gregg says:

  Lighting is a commonly used form of perimeter protection. Some studies have found that up to 80% of criminal acts at businesses and shopping centers happen in adjacent parking lots. Therefore, it's easy to see why lighting can be such an

  important concern.

  Outside lighting discourages prowlers and thieves.

  The National Institute of Standards and Technologies (NIST) states that, for effective perimeter control, buildings should be illuminated 8 feet high, with 2-foot candle power.

  Reference used for this question:

  HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2001, Page 325.

  and

  Shon's AIO v5 pg 459

  and

  http://en.wikipedia.org/wiki/Foot-candle

• Question 202:

  What is considered the most important type of error to avoid for a biometric access control system?

  A. Type I Error
  B. Type II Error
  C. Combined Error Rate
  D. Crossover Error Rate
  B. Type II Error

  ---

  When a biometric system is used for access control, the most important error is the false accept or false acceptance rate, or Type II error, where the system would accept an impostor.

  A Type I error is known as the false reject or false rejection rate and is not as important in the security context as a type II error rate. A type one is when a valid company employee is rejected by the system and he cannot get access even thou

  it is a valid user.

  The Crossover Error Rate (CER) is the point at which the false rejection rate equals the false acceptance rate if your would create a graph of Type I and Type II errors. The lower the CER the better the device would be.

  The Combined Error Rate is a distracter and does not exist. Source: TIPTON, Harold F. and KRAUSE, Micki, Information Security Management Handbook, 4th edition (volume 1), 2000, CRC Press, Chapter 1, Biometric Identification (page 10).

• Question 203:

  Which of the following is an unintended communication path that is NOT protected by the system's normal security mechanisms?

  A. A trusted path
  B. A protection domain
  C. A covert channel
  D. A maintenance hook
  C. A covert channel

  ---

  A covert channel is an unintended communication path within a system, therefore it is not protected by the system's normal security mechanisms. Covert channels are a secret way to convey information.

  Covert channels are addressed from TCSEC level B2.

  The following are incorrect answers:

  A trusted path is the protected channel that allows a user to access the Trusted Computing Base (TCB) without being compromised by other processes or users.

  A protection domain consists of the execution and memory space assigned to each process.

  A maintenance hook is a hardware or software mechanism that was installed to permit system maintenance and to bypass the system's security protections.

  Reference used for this question:

  KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 6: Operations Security (page 219).

• Question 204:

  Which of the following would MOST likely ensure that a system development project meets business objectives?

  A. Development and tests are run by different individuals
  B. User involvement in system specification and acceptance
  C. Development of a project plan identifying all development activities
  D. Strict deadlines and budgets
  B. User involvement in system specification and acceptance

  ---

  Effective user involvement is the most critical factor in ensuring that the application meets business objectives.

  A great way of getting early input from the user community is by using Prototyping. The prototyping method was formally introduced in the early 1980s to combat the perceived weaknesses of the waterfall model with regard to the speed of

  development. The objective is to build a simplified version (prototype) of the application, release it for review, and use the feedback from the users' review to build a second, better version.

  This is repeated until the users are satisfied with the product. t is a four-step process:

  initial concept,

  design and implement initial prototype,

  refine prototype until acceptable, and

  complete and release final version.

  There is also the Modified Prototype Model (MPM. This is a form of prototyping that is ideal for Web application development. It allows for the basic functionality of a desired system or component to be formally deployed in a quick time frame.

  The maintenance phase is set to begin after the deployment. The goal is to have the process be flexible enough so the application is not based on the state of the organization at any given time. As the organization grows and the environment

  changes, the application evolves with it, rather than being frozen in time.

  Reference(s) used for this question:

  Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 12101-12108 and 12099-12101). Auerbach Publications.

  Kindle Edition.

  and

  Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 296).

• Question 205:

  Which of the following countermeasures would be the most appropriate to prevent possible intrusion or damage from wardialing attacks?

  A. Monitoring and auditing for such activity
  B. Require user authentication
  C. Making sure only necessary phone numbers are made public
  D. Using completely different numbers for voice and data accesses
  B. Require user authentication

  ---

  Knowlege of modem numbers is a poor access control method as an attacker can discover modem numbers by dialing all numbers in a range. Requiring user authentication before remote access is granted will help in avoiding unauthorized

  access over a modem line.

  "Monitoring and auditing for such activity" is incorrect. While monitoring and auditing can assist in detecting a wardialing attack, they do not defend against a successful wardialing attack.

  "Making sure that only necessary phone numbers are made public" is incorrect. Since a wardialing attack blindly calls all numbers in a range, whether certain numbers in the range are public or not is irrelevant.

  "Using completely different numbers for voice and data accesses" is incorrect. Using different number ranges for voice and data access might help prevent an attacker from stumbling across the data lines while wardialing the public voice

  number range but this is not an adequate countermeaure.

  References:

  CBK, p. 214

  AIO3, p. 534-535

• Question 206:

  Secure Sockets Layer (SSL) is very heavily used for protecting which of the following?

  A. Web transactions.
  B. EDI transactions.
  C. Telnet transactions.
  D. Electronic Payment transactions.
  A. Web transactions.

  ---

  SSL was developed Netscape Communications Corporation to improve security and privacy of HTTP transactions.

  SSL is one of the most common protocols used to protect Internet traffic.

  It encrypts the messages using symmetric algorithms, such as IDEA, DES, 3DES, and Fortezza, and also calculates the MAC for the message using MD5 or SHA-1. The MAC is appended to the message and encrypted along with the

  message data.

  The exchange of the symmetric keys is accomplished through various versions of Diffie Hellmann or RSA. TLS is the Internet standard based on SSLv3. TLSv1 is backward compatible with SSLv3. It uses the same algorithms as SSLv3;

  however, it computes an HMAC instead of a MAC along with other enhancements to improve security.

  The following are incorrect answers:

  "EDI transactions" is incorrect. Electronic Data Interchange (EDI) is not the best answer to this question though SSL could play a part in some EDI transactions.

  "Telnet transactions" is incorrect. Telnet is a character mode protocol and is more likely to be secured by Secure Telnet or replaced by the Secure Shell (SSH) protocols.

  "Eletronic payment transactions" is incorrect. Electronic payment is not the best answer to this question though SSL could play a part in some electronic payment transactions.

  Reference(s) used for this question:

  Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 16615-16619). Auerbach Publications. Kindle Edition.

  and

  http://en.wikipedia.org/wiki/Transport_Layer_Security

• Question 207:

  Which of the following protocols' primary function is to send messages between network devices regarding the health of the network?

  A. Reverse Address Resolution Protocol (RARP).
  B. Address Resolution Protocol (ARP).
  C. Internet Protocol (IP).
  D. Internet Control Message protocol (ICMP).
  D. Internet Control Message protocol (ICMP).

  ---

  Its primary function is to send messages between network devices regarding the health of the network. ARP matches an IP address to an Ethernet address. RARP matches and Ethernet address to an IP address. ICMP runs on top of IP. Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 87.

• Question 208:

  Who can best decide what are the adequate technical security controls in a computer-based application system in regards to the protection of the data being used, the criticality of the data, and it's sensitivity level ?

  A. System Auditor
  B. Data or Information Owner
  C. System Manager
  D. Data or Information user
  B. Data or Information Owner

  ---

  The data or information owner also referred to as "Data Owner" would be the best person. That is the individual or officer who is ultimately responsible for the protection of the information and can therefore decide what are the adequate

  security controls according to the data sensitivity and data criticality. The auditor would be the best person to determine the adequacy of controls and whether or not they are working as expected by the owner.

  The function of the auditor is to come around periodically and make sure you are doing what you are supposed to be doing. They ensure the correct controls are in place and are being maintained securely. The goal of the auditor is to make

  sure the organization complies with its own policies and the applicable laws and regulations.

  Organizations can have internal auditors and/ or external auditors. The external auditors commonly work on behalf of a regulatory body to make sure compliance is being met. For example CobiT, which is a model that most information

  security auditors follow when evaluating a security program. While many security professionals fear and dread auditors, they can be valuable tools in ensuring the overall security of the organization. Their goal is to find the things you have

  missed and help you understand how to fix the problem.

  The Official ISC2 Guide (OIG) says:

  IT auditors determine whether users, owners, custodians, systems, and networks are in compliance with the security policies, procedures, standards, baselines, designs, architectures, management direction, and other requirements placed on

  systems. The auditors provide independent assurance to the management on the appropriateness of the security controls. The auditor examines the information systems and determines whether they are designed, configured, implemented,

  operated, and managed in a way ensuring that the organizational objectives are being achieved. The auditors provide top company management with an independent view of the controls and their effectiveness.

  Example:

  Bob is the head of payroll. He is therefore the individual with primary responsibility over the payroll database, and is therefore the information/data owner of the payroll database. In Bob's department, he has Sally and Richard working for him. Sally is responsible for making changes to the payroll database, for example if someone is hired or gets a raise. Richard is only responsible for printing paychecks. Given those roles, Sally requires both read and write access to the payroll database, but Richard requires only read access to it. Bob communicates these requirements to the system administrators (the "information/ data custodians") and they set the file permissions for Sally's and Richard's user accounts so that Sally has read/write access, while Richard has only read access.

  So in short Bob will determine what controls are required, what is the sensitivily and criticality of the Data. Bob will communicate this to the custodians who will implement the requirements on the systems/DB. The auditor would assess if the

  controls are in fact providing the level of security the Data Owner expects within the systems/DB. The auditor does not determine the sensitivity of the data or the crititicality of the data.

  The other answers are not correct because:

  A "system auditor" is never responsible for anything but auditing... not actually making control decisions but the auditor would be the best person to determine the adequacy of controls and then make recommendations.

  A "system manager" is really just another name for a system administrator, which is actually an information custodian as explained above.

  A "Data or information user" is responsible for implementing security controls on a day-to-day basis as they utilize the information, but not for determining what the controls should be or if they are adequate.

  References:

  Official ISC2 Guide to the CISSP CBK, Third Edition , Page 477

  Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition :

  Information Security Governance and Risk Management ((ISC)2 Press) (Kindle Locations 294- 298).

  Auerbach Publications. Kindle Edition.

  Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 3108- 3114).

  Information Security Glossary

  Responsibility for use of information resources

• Question 209:

  Which of the following is addressed by Kerberos?

  A. Confidentiality and Integrity
  B. Authentication and Availability
  C. Validation and Integrity
  D. Auditability and Integrity
  A. Confidentiality and Integrity

  ---

  Kerberos addresses the confidentiality and integrity of information.

  It also addresses primarily authentication but does not directly address availability.

  Reference(s) used for this question:

  KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 42.

  and

  https://www.ietf.org/rfc/rfc4120.txt

  and

  http://learn-networking.com/network-security/how-kerberos-authentication-works

• Question 210:

  Complete the blanks. When using PKI, I digitally sign a message using my ______ key. The recipient verifies my signature using my ______ key.

  A. Private / Public
  B. Public / Private
  C. Symmetric / Asymmetric
  D. Private / Symmetric
  A. Private / Public

  ---

  When we encrypt messages using our private keys which are only available to us. The person who wants to read and decrypt the message need only have our public keys to do so.

  The whole point to PKI is to assure message integrity, authentication of the source, and to provide secrecy with the digital encryption.

  See below a nice walktrough of Digital Signature creation and verification from the Comodo web site:

  Digital Signatures apply the same functionality to an e-mail message or data file that a handwritten signature does for a paper-based document. The Digital Signature vouches for the origin and integrity of a message, document or other data

  file.

  How do we create a Digital Signature?

  The creation of a Digital Signature is a complex mathematical process. However as the complexities of the process are computed by the computer, applying a Digital Signature is no more difficult that creating a handwritten one!

  The following text illustrates in general terms the processes behind the generation of a Digital Signature:

  1.

  Alice clicks 'sign' in her email application or selects which file is to be signed.

  2.

  Alice's computer calculates the 'hash' (the message is applied to a publicly known mathematical hashing function that coverts the message into a long number referred to as the hash).

  3.

  The hash is encrypted with Alice's Private Key (in this case it is known as the Signing Key) to create the Digital Signature.

  4.

  The original message and its Digital Signature are transmitted to Bob.

  5.

  Bob receives the signed message. It is identified as being signed, so his email application knows which actions need to be performed to verify it.

  6.

  Bob's computer decrypts the Digital Signature using Alice's Public Key.

  7.

  Bob's computer also calculates the hash of the original message (remember - the mathematical function used by Alice to do this is publicly known).

  8.

  Bob's computer compares the hashes it has computed from the received message with the now decrypted hash received with Alice's message. digital signature creation and verification

  

  If the message has remained integral during its transit (i.e. it has not been tampered with), when compared the two hashes will be identical.

  However, if the two hashes differ when compared then the integrity of the original message has been compromised. If the original message is tampered with it will result in Bob's computer calculating a different hash value. If a different hash

  value is created, then the original message will have been altered. As a result the verification of the Digital Signature will fail and Bob will be informed.

  Origin, Integrity, Non-Repudiation, and Preventing Men-In-The-Middle (MITM) attacks

  Eve, who wants to impersonate Alice, cannot generate the same signature as Alice because she does not have Alice's Private Key (needed to sign the message digest). If instead, Eve decides to alter the content of the message while in

  transit, the tampered message will create a different message digest to the original message, and Bob's computer will be able to detect that. Additionally, Alice cannot deny sending the message as it has been signed using her Private Key,

  thus ensuring non-repudiation.

  creating and validating a digital signature

  

  Due to the recent Global adoption of Digital Signature law, Alice may now sign a transaction, message or piece of digital data, and so long as it is verified successfully it is a legally permissible means of proof that Alice has made the transaction or written the message.

  The following answers are incorrect:

  -Public / Private: This is the opposite of the right answer.

  -

  Symmetric / Asymmetric: Not quite. Sorry. This form of crypto is asymmetric so you were almost on target.

  -

  Private / Symmetric: Well, you got half of it right but Symmetric is wrong.

  The following reference(s) was used to create this question: The CCCure Holistic Security+ CBT, you can subscribe at: http://www.cccure.tv and http://www.comodo.com/resources/small-business/digital-certificates3.php