ISC SSCP Online Practice Questions and Exam Preparation

ISC SSCP Online Questions & Answers

• Question 221:

  Network-based Intrusion Detection systems:

  A. Commonly reside on a discrete network segment and monitor the traffic on that network segment.
  B. Commonly will not reside on a discrete network segment and monitor the traffic on that network segment.
  C. Commonly reside on a discrete network segment and does not monitor the traffic on that network segment.
  D. Commonly reside on a host and and monitor the traffic on that specific host.
  A. Commonly reside on a discrete network segment and monitor the traffic on that network segment.

  ---

  Network-based ID systems:

  -

  Commonly reside on a discrete network segment and monitor the traffic on that network segment

  -

  Usually consist of a network appliance with a Network Interface Card (NIC) that is operating in promiscuous mode and is intercepting and analyzing the network packets in real time

  "A passive NIDS takes advantage of promiscuous mode access to the network, allowing it to gain visibility into every packet traversing the network segment. This allows the system to inspect packets and monitor sessions without impacting

  the network, performance, or the systems and applications utilizing the network."

  NOTE FROM CLEMENT:

  A discrete network is a synonym for a SINGLE network. Usually the sensor will monitor a single network segment, however there are IDS today that allow you to monitor multiple LAN's at the same time.

  References used for this question:

  KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 62.

  and

  Official (ISC)2 Guide to the CISSP CBK, Hal Tipton and Kevin Henry, Page 196

  and

  Additional information on IDS systems can be found here:

  http://en.wikipedia.org/wiki/Intrusion_detection_system

• Question 222:

  Which of the following is NOT a compensating measure for access violations?

  A. Backups
  B. Business continuity planning
  C. Insurance
  D. Security awareness
  D. Security awareness

  ---

  Security awareness is a preventive measure, not a compensating measure for access violations.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 2: Access control systems (page 50).

• Question 223:

  What is the maximum key size for the RC5 algorithm?

  A. 128 bits
  B. 256 bits
  C. 1024 bits
  D. 2040 bits
  D. 2040 bits

  ---

  RC5 is a fast block cipher created by Ron Rivest and analyzed by RSA Data Security, Inc. It is a parameterized algorithm with a variable block size, a variable key size, and a variable number of rounds.

  Allowable choices for the block size are 32 bits (for experimentation and evaluation purposes only), 64 bits (for use a drop-in replacement for DES), and 128 bits.

  The number of rounds can range from 0 to 255, while the key can range from 0 bits to 2040 bits in size.

  Please note that some sources such as the latest Shon Harris book mentions that RC5 maximum key size is of 2048, not 2040 bits. I would definitively use RSA as the authoritative source which specifies a key of 2040 bits. It is an error in

  Shon's book.

  The OIG book says:

  RC5 was developed by Ron Rivest of RSA and is deployed in many of RSA's products. It is a very adaptable product useful for many applications, ranging from software to hardware implementations. The key for RC5 can vary from 0 to 2040

  bits, the number of rounds it executes can be adjusted from 0 to 255, and the length of the input words can also be chosen from 16-, 32-, and 64-bit lengths.

  The following answers were incorrect choices:

  All of the other answers were wrong.

  Reference(s) used for this question:

  Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition :

  Cryptography (Kindle Locations 1098-1101). . Kindle Edition. Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 16744-16747). McGraw-Hill. Kindle Edition.

  http://www.rsa.com/rsalabs/node.asp?id=2251, What are RC5 and RC6, RSA The Security Division of EMC.

  From Rivest himself, see http://people.csail.mit.edu/rivest/Rivest-rc5rev.pdf

  Also see the draft IETF IPSEC standard which clearly mention that it is in fact 2040 bits as a MAXIMUM key size:

  http://www.tools.ietf.org/html/draft-ietf-ipsec-esp-rc5-cbc-00

  http://en.wikipedia.org/wiki/RC5, Mention a maximum key size of 2040 as well.

• Question 224:

  What can a packet filtering firewall also be called?

  A. a scanning router
  B. a shielding router
  C. a sniffing router
  D. a screening router
  D. a screening router

  ---

  While neither CBK nor AIO3 use the term "screening router," they both discuss how the packet filtering capabilities of a router can be used to block traffic much like a packet filtering firewall.

  Krutz and Vine use this term on p. 90.

  "A scanning router" is incorrect. This is a nonsense term to distract you.

  "A shielding router" is incorrect. This is a nonsense term to distract you.

  "A sniffing router" is incorrect. This is a nonsense term to distract you.

  References:

  CBK, p. 433

  AIO3, pp.484 - 485

• Question 225:

  What would BEST define risk management?

  A. The process of eliminating the risk
  B. The process of assessing the risks
  C. The process of reducing risk to an acceptable level
  D. The process of transferring risk
  C. The process of reducing risk to an acceptable level

  ---

  This is the basic process of risk management.

  Risk is the possibility of damage happening and the ramifications of such damage should it occur. Information risk management (IRM) is the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level. There is no such thing as a 100 percent secure environment. Every environment has vulnerabilities and threats to a certain degree. The skill is in identifying these threats, assessing the probability of them actually occurring and the damage they could cause, and then taking the right steps to reduce the overall level of risk in the environment to what the organization

  identifies as acceptable.

  Proper risk management requires a strong commitment from senior management, a documented process that supports the organization's mission, an information risk management (IRM) policy and a delegated IRM team. Once you've identified your company's acceptable level of risk, you need to develop an information risk management policy. The IRM policy should be a subset of the organization's overall risk management policy (risks to a company include more than just information security issues) and should be mapped to the organizational security policies, which lay out the

  acceptable risk and the role of security as a whole in the organization. The IRM policy is focused on risk management while the security policy is very high-level and addresses all aspects of security. The IRM policy should address the following items: Objectives of IRM team Level of risk the company will accept and what is considered an acceptable risk (as defined in the previous article) Formal processes of risk identification Connection between the IRM policy and the organization's strategic planning processes Responsibilities that fall under IRM and the roles that are to fulfill them Mapping of risk to internal controls Approach for changing staff behaviors and resource allocation in response to risk analysis

  Mapping of risks to performance targets and budgets

  Key indicators to monitor the effectiveness of controls Shon Harris provides a 10,000-foot view of the risk management process below:

  A big question that companies have to deal with is, "What is enough security?" This can be restated as, "What is our acceptable risk level?" These two questions have an inverse relationship. You can't know what constitutes enough security

  unless you know your necessary baseline risk level.

  To set an enterprise-wide acceptable risk level for a company, a few things need to be investigated and understood. A company must understand its federal and state legal requirements, its regulatory requirements, its business drivers and

  objectives, and it must carry out a risk and threat analysis. (I will dig deeper into formalized risk analysis processes in a later article, but for now we will take a broad approach.) The result of these findings is then used to define the company's

  acceptable risk level, which is then outlined in security policies, standards, guidelines and procedures.

  Although there are different methodologies for enterprise risk management, the core components of any risk analysis is made up of the following:

  Identify company assets

  Assign a value to each asset

  Identify each asset's vulnerabilities and associated threats

  Calculate the risk for the identified assets

  Once these steps are finished, then the risk analysis team can identify the necessary countermeasures to mitigate the calculated risks, carry out cost/benefit analysis for these countermeasures and report to senior management their findings.

  When we look at information security, there are several types of risk a corporation needs to be aware of and address properly. The following items touch on the major categories:

  Physical damage Fire, water, vandalism, power loss, and natural disasters Human interaction Accidental or intentional action or inaction that can disrupt productivity

  Equipment malfunction Failure of systems and peripheral devices

  Inside and outside attacks Hacking, cracking, and attacking

  Misuse of data Sharing trade secrets, fraud, espionage, and theft

  Loss of data Intentional or unintentional loss of information through destructive means

  Application error Computation errors, input errors, and buffer overflows

  The following answers are incorrect:

  The process of eliminating the risk is not the best answer as risk cannot be totally eliminated.

  The process of assessing the risks is also not the best answer.

  The process of transferring risk is also not the best answer and is one of the ways of handling a risk after a risk analysis has been performed.

  References:

  Shon Harris , AIO v3 , Chapter 3: Security Management Practices , Page: 66-68

  and

  http://searchsecurity.techtarget.com/tip/Understanding-risk

• Question 226:

  Which of the following virus types changes some of its characteristics as it spreads?

  A. Boot Sector
  B. Parasitic
  C. Stealth
  D. Polymorphic
  D. Polymorphic

  ---

  A Polymorphic virus produces varied but operational copies of itself in hopes of evading antivirus software.

  The following answers are incorrect:

  boot sector. Is incorrect because it is not the best answer. A boot sector virus attacks the boot sector of a drive. It describes the type of attack of the virus and not the characteristics of its composition. parasitic. Is incorrect because it is not the

  best answer. A parasitic virus attaches itself to other files but does not change its characteristics.

  stealth. Is incorrect because it is not the best answer. A stealth virus attempts to hide changes of the affected files but not itself.

• Question 227:

  Which of the following is not a form of passive attack?

  A. Scavenging
  B. Data diddling
  C. Shoulder surfing
  D. Sniffing
  B. Data diddling

  ---

  Data diddling involves alteration of existing data and is extremely common. It is one of the easiest types of crimes to prevent by using access and accounting controls, supervision, auditing, separation of duties, and authorization limits. It is a form of active attack. All other choices are examples of passive attacks, only affecting confidentiality.

  Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter

  10: Law, Investigation, and Ethics (page 645).

• Question 228:

  The IP header contains a protocol field. If this field contains the value of 51, what type of data is contained within the ip datagram?

  A. Transmission Control Protocol (TCP)
  B. Authentication Header (AH)
  C. User datagram protocol (UDP)
  D. Internet Control Message Protocol (ICMP)
  B. Authentication Header (AH)

  ---

  TCP has the value of 6

  UDP has the value of 17 ICMP has the value of 1 Reference: SANS http://www.sans.org/resources/tcpip.pdf?ref=3871

• Question 229:

  What would be the name of a Logical or Virtual Table dynamically generated to restrict the information a user can access in a database?

  A. Database Management system
  B. Database views
  C. Database security
  D. Database shadowing
  B. Database views

  ---

  The Answer: Database views; Database views are mechanisms that restrict access to the information that a user can access in a database.Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide:

  Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 35.

  Wikipedia has a detailed explantion as well:

  In database theory, a view is a virtual or logical table composed of the result set of a query. Unlike ordinary tables (base tables) in a relational database, a view is not part of the physical schema: it is a dynamic, virtual table computed or

  collated from data in the database. Changing the data in a table alters the data shown in the view.

  Views can provide advantages over tables;

  They can subset the data contained in a table They can join and simplify multiple tables into a single virtual table Views can act as aggregated tables, where aggregated data (sum, average etc.) are calculated and presented as part of the data Views can hide the complexity of data, for example a view could appear as Sales2000 or Sales2001, transparently partitioning the actual underlying table Views do not incur any extra storage overhead Depending on the SQL engine used, views can provide extra security. Limit the exposure to which a table or tables are exposed to outer world Just like functions (in programming) provide abstraction, views can be used to create abstraction. Also, just like functions, views can be nested, thus one view can

  aggregate data from other views. Without the use of views it would be much harder to normalise databases above second normal form. Views can make it easier to create lossless join decomposition.

• Question 230:

  When first analyzing an intrusion that has just been detected and confirming that it is a true positive, which of the following actions should be done as a first step if you wish to prosecute the attacker in court?

  A. Back up the compromised systems.
  B. Identify the attacks used to gain access.
  C. Capture and record system information.
  D. Isolate the compromised systems.
  C. Capture and record system information.

  ---

  When an intrusion has been detected and confirmed, if you wish to prosecute the attacker in court, the following actions should be performed in the following order:

  Capture and record system information and evidence that may be lost, modified, or not captured during the execution of a backup procedure. Start with the most volative memory areas first.

  Make at least two full backups of the compromised systems, using hardware-write-protectable or write- once media. A first backup may be used to re-install the compromised system for further analysis and the second one should be

  preserved in a secure location to preserve the chain of custody of evidence.

  Isolate the compromised systems.

  Search for signs of intrusions on other systems.

  Examine logs in order to gather more information and better identify other systems to which the intruder might have gained access.

  Search through logs of compromised systems for information that would reveal the kind of attacks used to gain access.

  Identify what the intruder did, for example by analyzing various log files, comparing checksums of known, trusted files to those on the compromised machine and by using other intrusion analysis tools.

  Regardless of the exact steps being followed, if you wish to prosecute in a court of law it means you MUST capture the evidence as a first step before it could be lost or contaminated. You always start with the most volatile evidence first.

  NOTE:

  I have received feedback saying that some other steps may be done such as Disconnecting the system from the network or shutting down the system. This is true. However, those are not choices listed within the 4 choices attached to this

  question, you MUST avoid changing the question. You must stick to the four choices presented and pick which one is the best out of the four presented.

  In real life, Forensic is not always black or white. There are many shades of grey. In real life you would have to consult your system policy (if you have one), get your Computer Incident team involved, and talk to your forensic expert and then

  decide what is the best course of action.

  Reference(s) Used for this question:

  http://www.newyorkcomputerforensics.com/learn/forensics_process.php

  and

  ALLEN, Julia H., The CERT Guide to System and Network Security Practices, Addison-Wesley, 2001, Chapter 7: Responding to Intrusions (pages 273-277).