ISC SSCP Online Practice Questions and Exam Preparation

ISC SSCP Online Questions & Answers

• Question 211:

  What is the primary role of smartcards in a PKI?

  A. Transparent renewal of user keys
  B. Easy distribution of the certificates between the users
  C. Fast hardware encryption of the raw data
  D. Tamper resistant, mobile storage and application of private keys of the users
  D. Tamper resistant, mobile storage and application of private keys of the users

  ---

  Reference: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 2001, McGraw- Hill/Osborne, page 139;

  SNYDER, J., What is a SMART CARD?.

  Wikipedia has a nice definition at: http://en.wikipedia.org/wiki/Tamper_resistance

  Security

  Tamper-resistant microprocessors are used to store and process private or sensitive information, such as private keys or electronic money credit. To prevent an attacker from retrieving or modifying the information, the chips are designed so

  that the information is not accessible through external means and can be accessed only by the embedded software, which should contain the appropriate security measures. Examples of tamper-resistant chips include all secure

  cryptoprocessors, such as the IBM 4758 and chips used in smartcards, as well as the Clipper chip.

  It has been argued that it is very difficult to make simple electronic devices secure against tampering, because numerous attacks are possible, including:

  physical attack of various forms (microprobing, drills, files, solvents, etc.)

  freezing the device

  applying out-of-spec voltages or power surges

  applying unusual clock signals

  inducing software errors using radiation

  measuring the precise time and power requirements of certain operations (see power analysis)

  Tamper-resistant chips may be designed to zeroise their sensitive data (especially cryptographic keys) if they detect penetration of their security encapsulation or out-of-specification environmental parameters. A chip may even be rated for

  "cold zeroisation", the ability to zeroise itself even after its power supply has been crippled.

  Nevertheless, the fact that an attacker may have the device in his possession for as long as he likes, and perhaps obtain numerous other samples for testing and practice, means that it is practically impossible to totally eliminate tampering by a sufficiently motivated opponent. Because of this, one of the most important elements in protecting a system is overall system design. In particular, tamper-resistant systems should "fail gracefully" by ensuring that compromise of one device does not compromise the entire system. In this manner, the attacker can be practically restricted to attacks that cost less than the expected return from compromising a single device (plus, perhaps, a little more for kudos). Since the most sophisticated attacks have been estimated to cost several hundred thousand dollars to carry out, carefully designed systems may be invulnerable in practice.

• Question 212:

  What protocol is used on the Local Area Network (LAN) to obtain an IP address from it's known MAC address?

  A. Reverse address resolution protocol (RARP)
  B. Address resolution protocol (ARP)
  C. Data link layer
  D. Network address translation (NAT)
  A. Reverse address resolution protocol (RARP)

  ---

  The reverse address resolution protocol (RARP) sends out a packet including a MAC address and a request to be informed of the IP address that should be assigned to that MAC.

  Diskless workstations do not have a full operating system but have just enough code to know how to boot up and broadcast for an IP address, and they may have a pointer to the server that holds the operating system. The diskless

  workstation knows its hardware address, so it broadcasts this information so that a listening server can assign it the correct IP address.

  As with ARP, Reverse Address Resolution Protocol (RARP) frames go to all systems on the subnet, but only the RARP server responds. Once the RARP server receives this request, it looks in its table to see which IP address matches the

  broadcast hardware address. The server then sends a message that contains its IP address back to the requesting computer. The system now has an IP address and can function on the network.

  The Bootstrap Protocol (BOOTP) was created after RARP to enhance the functionality that RARP provides for diskless workstations. The diskless workstation can receive its IP address, the name server address for future name resolutions,

  and the default gateway address from the BOOTP server. BOOTP usually provides more functionality to diskless workstations than does RARP.

  The evolution of this protocol has unfolded as follows: RARP evolved into BOOTP, which evolved into DHCP.

  The following are incorrect answers:

  NAT is a tool that is used for masking true IP addresses by employing internal addresses. ARP does the opposite of RARP, it finds the MAC address that maps with an existing IP address.

  Data Link layer The Data Link layer is not a protocol; it is represented at layer 2 of the OSI model. In the TCP/IP model, the Data Link and Physical layers are combined into the Network Access layer, which is sometimes called the Link layer

  or the Network Interface layer.

  Reference(s) used for this question:

  Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition, Telecommunications and Network Security, Page 584-585 and also 598. For Kindle users see Kindle Locations 12348-12357. McGraw-Hill.

  and

  KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 3: Telecommunications and Network Security (page 87).

• Question 213:

  What is NOT true about a one-way hashing function?

  A. It provides authentication of the message
  B. A hash cannot be reverse to get the message used to create the hash
  C. The results of a one-way hash is a message digest
  D. It provides integrity of the message
  A. It provides authentication of the message

  ---

  A one way hashing function can only be use for the integrity of a message and not for authentication or confidentiality. Because the hash creates just a fingerprint of the message which cannot be reversed and it is also very difficult to create a

  second message with the same hash.

  A hash by itself does not provide Authentication. It only provides a weak form or integrity. It would be possible for an attacker to perform a Man-In-The-Middle attack where both the hash and the digest could be changed without the receiver

  knowing it. A hash combined with your session key will produce a Message Authentication Code (MAC) which will provide you with both authentication of the source and integrity. It is sometimes referred to as a Keyed Hash.

  A hash encrypted with the sender private key produce a Digital Signature which provide authentication, but not the hash by itself.

  Hashing functions by themselves such as MD5, SHA1, SHA2, SHA-3 does not provide authentication.

  Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2001, Page

• Question 214:

  What can be defined as a list of subjects along with their access rights that are authorized to access a specific object?

  A. A capability table
  B. An access control list
  C. An access control matrix
  D. A role-based matrix
  B. An access control list

  ---

  "It [ACL] specifies a list of users [subjects] who are allowed access to each object" CBK, p. 188

  A capability table is incorrect. "Capability tables are used to track, manage and apply controls based on the object and rights, or capabilities of a subject. For example, a table identifies the object, specifies access rights allowed for a subject,

  and permits access based on the user's posession of a capability (or ticket) for the object." CBK, pp. 191-192. The distinction that makes this an incorrect choice is that access is based on posession of a capability by the subject.

  To put it another way, as noted in AIO3 on p. 169, "A capabiltiy table is different from an ACL because the subject is bound to the capability table, whereas the object is bound to the ACL." An access control matrix is incorrect. The access

  control matrix is a way of describing the rules for an access control strategy. The matrix lists the users, groups and roles down the left side and the resources and functions across the top. The cells of the matrix can either indicate that access

  is allowed or indicate the type of access. CBK pp 317 - 318.

  AIO3, p. 169 describes it as a table if subjects and objects specifying the access rights a certain subject possesses pertaining to specific objects.

  In either case, the matrix is a way of analyzing the access control needed by a population of subjects to a population of objects. This access control can be applied using rules, ACL's, capability tables, etc.

  A role-based matrix is incorrect. Again, a matrix of roles vs objects could be used as a tool for thinking about the access control to be applied to a set of objects. The results of the analysis could then be implemented using RBAC.

  References:

  CBK, Domain 2: Access Control.

  AIO3, Chapter 4: Access Control

• Question 215:

  Which of the following access control techniques best gives the security officers the ability to specify and enforce enterprise-specific security policies in a way that maps naturally to an organization's structure?

  A. Access control lists
  B. Discretionary access control
  C. Role-based access control
  D. Non-mandatory access control
  C. Role-based access control

  ---

  Role-based access control (RBAC) gives the security officers the ability to specify and enforce enterprise- specific security policies in a way that maps naturally to an organization's structure. Each user is assigned one or more roles, and each role is assigned one or more privileges that are given to users in that role. An access control list (ACL) is a table that tells a system which access rights each user has to a particular system object. With discretionary access control, administration is decentralized and owners of resources control other users' access. Non- mandatory access control is not a defined access control technique.

  Source: ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 2: Access Control Systems and Methodology (page 9).

• Question 216:

  After a company is out of an emergency state, what should be moved back to the original site first?

  A. Executives
  B. Least critical components
  C. IT support staff
  D. Most critical components
  B. Least critical components

  ---

  This will expose any weaknesses in the plan and ensure the primary site has been properly repaired before moving back. Moving critical assets first may induce a second disaster if the primary site has not been repaired properly.

  The first group to go back would test items such as connectivity, HVAC, power, water, improper procedures, and/or steps that has been overlooked or not done properly. By moving these first, and fixing any problems identified, the critical operations of the company are not negatively affected. Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter

  9: Disaster Recovery and Business continuity (page 621).

• Question 217:

  Which of the following types of Intrusion Detection Systems uses behavioral characteristics of a system's operation or network traffic to draw conclusions on whether the traffic represents a risk to the network or host?

  A. Network-based ID systems.
  B. Anomaly Detection.
  C. Host-based ID systems.
  D. Signature Analysis.
  B. Anomaly Detection.

  ---

  There are two basic IDS analysis methods: pattern matching (also called signature analysis) and anomaly detection. Anomaly detection uses behavioral characteristics of a system's operation or network traffic to draw conclusions on whether the traffic represents a risk to the network or host. Anomalies may include but are not limited to: Multiple failed log-on attempts Users logging in at strange hours Unexplained changes to system clocks Unusual error messages The following are incorrect answers: Network-based ID Systems (NIDS) are usually incorporated into the network in a passive architecture, taking advantage of promiscuous mode access to the network. This means that it has visibility into every packet traversing the network

  segment. This allows the system to inspect packets and monitor sessions without impacting the network or the systems and applications utilizing the network. Host-based ID Systems (HIDS) is the implementation of IDS capabilities at the host level. Its most significant difference from NIDS is that related processes are limited to the boundaries of a single-host system. However, this presents advantages in effectively detecting objectionable activities because the IDS process is running directly on the host system, not just observing it from the network. This offers unfettered access to system logs, processes, system information, and device information, and virtually eliminates limits associated with encryption. The level of integration represented by HIDS increases the level of visibility and control at the disposal of the HIDS application.

  Signature Analysis Some of the first IDS products used signature analysis as their detection method and simply looked for known characteristics of an attack (such as specific packet sequences or text in the data stream) to produce an alert if that pattern was detected. For example, an attacker manipulating an FTP server may use a tool that sends a specially constructed packet. If that particular packet pattern is known, it can be represented in the form of a signature that IDS can then compare to incoming packets. Pattern- based IDS will have a database of hundreds, if not thousands, of signatures that are compared to traffic streams. As new attack signatures are produced, the system is updated, much like antivirus solutions. There are drawbacks to pattern-based IDS. Most importantly, signatures can only exist for known attacks. If a new or different attack vector is used, it will not match a known signature and, thus, slip past the IDS. Additionally, if an attacker knows that the IDS is present, he or she can alter his or her methods to avoid detection. Changing packets and data streams, even slightly, from known signatures can cause an IDS to miss the attack. As with some antivirus systems, the IDS is only as good as the latest signature database on the system.

  For additional information on Intrusion Detection Systems - http://en.wikipedia.org/wiki/ Intrusion_detection_system

  Reference(s) used for this question:

  Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 3623-3625, 3649-3654, 3666-3686). Auerbach Publications.

  Kindle Edition.

• Question 218:

  The session layer provides a logical persistent connection between peer hosts. Which of the following is one of the modes used in the session layer to establish this connection?

  A. Full duplex
  B. Synchronous
  C. Asynchronous
  D. Half simplex
  A. Full duplex

  ---

  Layer 5 of the OSI model is the Session Layer. This layer provides a logical persistent connection between peer hosts. A session is analogous to a conversation that is necessary for applications to exchange information.

  The session layer is responsible for establishing, managing, and closing end-to-end connections, called sessions, between applications located at different network endpoints. Dialogue control management provided by the session layer

  includes full-duplex, half-duplex, and simplex communications. Session layer management also helps to ensure that multiple streams of data stay synchronized with each other, as in the case of multimedia applications like video conferencing,

  and assists with the prevention of application related data errors.

  The session layer is responsible for creating, maintaining, and tearing down the session.

  Three modes are offered:

  (Full) Duplex: Both hosts can exchange information simultaneously, independent of each other.

  Half Duplex: Hosts can exchange information, but only one host at a time.

  Simplex: Only one host can send information to its peer. Information travels in one direction only.

  Another aspect of performance that is worthy of some attention is the mode of operation of the network or connection. Obviously, whenever we connect together device A and device B, there must be some way for A to send to B and B to

  send to A. Many people don't realize, however, that networking technologies can differ in terms of how these two directions of communication are handled. Depending on how the network is set up, and the characteristics of the technologies

  used, performance may be improved through the selection of performance-enhancing modes.

  Basic Communication Modes of Operation

  Let's begin with a look at the three basic modes of operation that can exist for any network connection, communications channel, or interface.

  Simplex Operation

  In simplex operation, a network cable or communications channel can only send information in one direction; it's a "one-way street". This may seem counter-intuitive: what's the point of communications that only travel in one direction? In fact,

  there are at least two different places where simplex operation is encountered in modern networking.

  The first is when two distinct channels are used for communication: one transmits from A to B and the other from B to A. This is surprisingly common, even though not always obvious. For example, most if not all fiber optic communication is

  simplex, using one strand to send data in each direction. But this may not be obvious if the pair of fiber strands are combined into one cable.

  Simplex operation is also used in special types of technologies, especially ones that are asymmetric. For example, one type of satellite Internet access sends data over the satellite only for downloads, while a regular dial-up modem is used for

  upload to the service provider. In this case, both the satellite link and the dial-up connection are operating in a simplex mode.

  Half-Duplex Operation

  Technologies that employ half-duplex operation are capable of sending information in both directions between two nodes, but only one direction or the other can be utilized at a time. This is a fairly common mode of operation when there is

  only a single network medium (cable, radio frequency and so forth) between devices.

  While this term is often used to describe the behavior of a pair of devices, it can more generally refer to any number of connected devices that take turns transmitting. For example, in conventional Ethernet networks, any device can transmit,

  but only one may do so at a time. For this reason, regular (unswitched) Ethernet networks are often said to be "half-duplex", even though it may seem strange to describe a LAN that way.

  Full-Duplex Operation

  In full-duplex operation, a connection between two devices is capable of sending data in both directions simultaneously. Full-duplex channels can be constructed either as a pair of simplex links (as described above) or using one channel

  designed to permit bidirectional simultaneous transmissions. A full-duplex link can only connect two devices, so many such links are required if multiple devices are to be connected together.

  Note that the term "full-duplex" is somewhat redundant; "duplex" would suffice, but everyone still says "full- duplex" (likely, to differentiate this mode from half-duplex).

  For a listing of protocols associated with Layer 5 of the OSI model, see below:

  ADSP - AppleTalk Data Stream Protocol

  ASP - AppleTalk Session Protocol

  H.245 - Call Control Protocol for Multimedia Communication

  ISO-SP

  OSI session-layer protocol (X.225, ISO 8327)

  iSNS - Internet Storage Name Service

  The following are incorrect answers:

  Synchronous and Asynchronous are not session layer modes.

  Half simplex does not exist. By definition, simplex means that information travels one way only, so half- simplex is a oxymoron.

  Reference(s) used for this question:

  Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 5603-5636). Auerbach Publications. Kindle Edition.

  and

  http://www.tcpipguide.com/free/t_SimplexFullDuplexandHalfDuplexOperation.htm

  and

  http://www.wisegeek.com/what-is-a-session-layer.htm

• Question 219:

  In regards to information classification what is the main responsibility of information (data) owner?

  A. determining the data sensitivity or classification level
  B. running regular data backups
  C. audit the data users
  D. periodically check the validity and accuracy of the data
  A. determining the data sensitivity or classification level

  ---

  Making the determination to decide what level of classification the information requires is the main responsibility of the data owner.

  The data owner within classification is a person from Management who has been entrusted with a data set that belong to the company. It could be for example the Chief Financial Officer (CFO) who has been entrusted with all financial date or

  it could be the Human Resource Director who has been entrusted with all Human Resource data. The information owner will decide what classification will be applied to the data based on Confidentiality, Integrity, Availability, Criticality, and

  Sensitivity of the data.

  The Custodian is the technical person who will implement the proper classification on objects in accordance with the Data Owner. The custodian DOES NOT decide what classification to apply, it is the Data Owner who will dictate to the

  Custodian what is the classification to apply.

  NOTE:

  The term Data Owner is also used within Discretionary Access Control (DAC). Within DAC it means the person who has created an object. For example, if I create a file on my system then I am the owner of the file and I can decide who else

  could get access to the file. It is left to my discretion. Within DAC access is granted based solely on the Identity of the subject, this is why sometimes DAC is referred to as Identity Based Access Control.

  The other choices were not the best answer

  Running regular backups is the responsibility of custodian. Audit the data users is the responsibility of the auditors

  Periodically check the validity and accuracy of the data is not one of the data owner responsibility

  Reference(s) used for this question:

  KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Page 14, Chapter 1: Security Management Practices.

• Question 220:

  Which of the following is NOT a common integrity goal?

  A. Prevent unauthorized users from making modifications.
  B. Maintain internal and external consistency.
  C. Prevent authorized users from making improper modifications.
  D. Prevent paths that could lead to inappropriate disclosure.
  D. Prevent paths that could lead to inappropriate disclosure.

  ---

  Inappropriate disclosure is a confidentiality, not an integrity goal.

  All of the other choices above are integrity goals addressed by the Clark-Wilson integrity model.

  The Clark-Wilson model is an integrity model that addresses all three integrity goals:

  1.

  prevent unauthorized users from making modifications,

  2.

  prevent authorized users from making improper modifications, and

  3.

  maintain internal and external consistency through auditing. NOTE: Biba address only the first goal of integrity above

  Reference(s) used for this question:

  Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 1384). McGraw-Hill.

  Kindle Edition.