ISC SSCP Online Practice Questions and Exam Preparation

ISC SSCP Online Questions & Answers

• Question 251:

  Which of the following cannot be undertaken in conjunction or while computer incident handling is ongoing?

  A. System development activity
  B. Help-desk function
  C. System Imaging
  D. Risk management process
  A. System development activity

  ---

  If Incident Handling is underway an incident has potentially been identified. At that point all use of the system should stop because the system can no longer be trusted and any changes could contaminate the evidence. This would include all

  System Development Activity.

  Every organization should have plans and procedures in place that deals with Incident Handling.

  Employees should be instructed what steps are to be taken as soon as an incident occurs and how to report it. It is important that all parties involved are aware of these steps to protect not only any possible evidence but also to prevent any

  additional harm.

  It is quite possible that the fraudster has planted malicous code that could cause destruction or even a Trojan Horse with a back door into the system. As soon as an incident has been identified the system can no longer be trusted and all use

  of the system should cease.

  Shon Harris in her latest book mentions:

  Although we commonly use the terms "event" and "incident" interchangeably, there are subtle differences between the two. An event is a negative occurrence that can be observed, verified, and documented, whereas an incident is a series of

  events that negatively affects the company and/ or impacts its security posture. This is why we call reacting to these issues "incident response" (or "incident handling"), because something is negatively affecting the company and causing a

  security breach.

  Many types of incidents (virus, insider attack, terrorist attacks, and so on) exist, and sometimes it is just human error. Indeed, many incident response individuals have received a frantic call in the middle of the night because a system is acting

  "weird." The reasons could be that a deployed patch broke something, someone misconfigured a device, or the administrator just learned a new scripting language and rolled out some code that caused mayhem and confusion. When a

  company endures a computer crime, it should leave the environment and evidence unaltered and contact whomever has been delegated to investigate these types of situations. Someone who is unfamiliar with the proper process of collecting

  data and evidence from a crime scene could instead destroy that evidence, and thus all hope of prosecuting individuals, and achieving a conviction would be lost.

  Companies should have procedures for many issues in computer security such as enforcement procedures, disaster recovery and continuity procedures, and backup procedures. It is also necessary to have a procedure for dealing with

  computer incidents because they have become an increasingly important issue of today's information security departments. This is a direct result of attacks against networks and information systems increasing annually. Even though we don't

  have specific numbers due to a lack of universal reporting and reporting in general, it is clear that the volume of attacks is increasing.

  Just think about all the spam, phishing scams, malware, distributed denial-of-service, and other attacks you see on your own network and hear about in the news. Unfortunately, many companies are at a loss as to who to call or what to do

  right after they have been the victim of a cybercrime. Therefore, all companies should have an incident response policy that indicates who has the authority to initiate an incident response, with supporting procedures set up before an incident

  takes place.

  This policy should be managed by the legal department and security department. They need to work together to make sure the technical security issues are covered and the legal issues that surround criminal activities are properly dealt with.

  The incident response policy should be clear and concise. For example, it should indicate if systems can be taken offline to try to save evidence or if systems have to continue functioning at the risk of destroying evidence. Each system and

  functionality should have a priority assigned to it. For instance, if the file server is infected, it should be removed from the network, but not shut down. However, if the mail server is infected, it should not be removed from the network or shut

  down because of the priority the company attributes to the mail server over the file server. Tradeoffs and decisions will have to be made, but it is better to think through these issues before the situation occurs, because better logic is usually

  possible before a crisis, when there's less emotion and chaos.

  The Australian Computer Emergency Response Team's General Guidelines for Computer Forensics:

  Keep the handling and corruption of original data to a minimum.

  Document all actions and explain changes.

  Follow the Five Rules for Evidence (Admissible, Authentic, Complete, Accurate, Convincing).

  ?Bring in more experienced help when handling and/ or analyzing the evidence is beyond your knowledge, skills, or abilities.

  Adhere to your organization's security policy and obtain written permission to conduct a forensics investigation.

  Capture as accurate an image of the system( s) as possible while working quickly.

  Be ready to testify in a court of law.

  Make certain your actions are repeatable.

  Prioritize your actions, beginning with volatile and proceeding to persistent evidence.

  Do not run any programs on the system( s) that are potential evidence.

  Act ethically and in good faith while conducting a forensics investigation, and do not attempt to do any harm.

  The following answers are incorrect:

  help-desk function. Is incorrect because during an incident, employees need to be able to communicate with a central source. It is most likely that would be the help-desk. Also the help- desk would need to be able to communicate with the

  employees to keep them informed.

  system imaging. Is incorrect because once an incident has occured you should perform a capture of evidence starting with the most volatile data and imaging would be doen using bit for bit copy of storage medias to protect the evidence.

  risk management process. Is incorrect because incident handling is part of risk management, and should continue.

  Reference(s) used for this question:

  Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 21468-21476).

  McGraw-Hill. Kindle Edition.

  and

  Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 21096-21121).

  McGraw-Hill. Kindle Edition.

  and

  NIST Computer Security incident handling http://csrc.nist.gov/publications/nistpubs/800-12/800- 12-html/ chapter12.html

• Question 252:

  Which of the following is needed for System Accountability?

  A. Audit mechanisms.
  B. Documented design as laid out in the Common Criteria.
  C. Authorization.
  D. Formal verification of system design.
  A. Audit mechanisms.

  ---

  Is a means of being able to track user actions. Through the use of audit logs and other tools the user actions are recorded and can be used at a later date to verify what actions were performed. Accountability is the ability to identify users and

  to be able to track user actions.

  The following answers are incorrect:

  Documented design as laid out in the Common Criteria. Is incorrect because the Common Criteria is an international standard to evaluate trust and would not be a factor in System Accountability.

  Authorization. Is incorrect because Authorization is granting access to subjects, just because you have authorization does not hold the subject accountable for their actions.

  Formal verification of system design. Is incorrect because all you have done is to verify the system design and have not taken any steps toward system accountability.

  References:

  OIG CBK Glossary (page 778)

• Question 253:

  Within the legal domain what rule is concerned with the legality of how the evidence was gathered ?

  A. Exclusionary rule
  B. Best evidence rule
  C. Hearsay rule
  D. Investigation rule
  A. Exclusionary rule

  ---

  The exclusionary rule mentions that evidence must be gathered legally or it can't be used.

  The principle based on federal Constitutional Law that evidence illegally seized by law enforcement officers in violation of a suspect's right to be free from unreasonable searches and seizures cannot be used against the suspect in a criminal prosecution.

  The exclusionary rule is designed to exclude evidence obtained in violation of a criminal defendant's Fourth Amendment rights. The Fourth Amendment protects against unreasonable searches and seizures by law enforcement personnel. If the search of a criminal suspect is unreasonable, the evidence obtained in the search will be excluded from trial. The exclusionary rule is a court-made rule. This means that it was created not in statutes passed by legislative bodies but rather by the U.S. Supreme Court. The exclusionary rule applies in federal courts by virtue of the Fourth Amendment. The Court has ruled that it applies in state courts although the due process clause of the Fourteenth Amendment.(The Bill of Rights-- the first ten amendments-- applies to actions by the federal government. The Fourteenth Amendment, the Court has held, makes most of the protections in the Bill of Rights applicable to actions by the states.)

  The exclusionary rule has been in existence since the early 1900s. Before the rule was fashioned, any evidence was admissible in a criminal trial if the judge found the evidence to be relevant. The manner in which the evidence had been seized was not an issue. This began to change in 1914, when the U.S. Supreme Court devised a way to enforce the Fourth Amendment. In Weeks v. United States, 232 U.S. 383, 34 S. Ct. 341, 58 L. Ed. 652 (1914), a federal agent had conducted a warrantless search for evidence of gambling at the home of Fremont Weeks. The evidence seized in the search was used at trial, and Weeks was convicted. On appeal, the Court held that the Fourth Amendment barred the use of evidence secured through a warrantless search. Weeks's conviction was reversed, and thus was born the exclusionary rule.

  The best evidence rule concerns limiting potential for alteration. The best evidence rule is a common law rule of evidence which can be traced back at least as far as the 18th century. In Omychund v Barker (1745) 1 Atk, 21, 49; 26 ER 15, 33, Lord Harwicke stated that no evidence was admissible unless it was "the best that the nature of the case will allow". The general rule is that secondary evidence, such as a copy or facsimile, will be not admissible if an original document exists, and is not unavailable due to destruction or other circumstances indicating unavailability. The rationale for the best evidence rule can be understood from the context in which it arose: in the eighteenth century a copy was usually made by hand by a clerk (or even a litigant). The best evidence rule was predicated on the assumption that, if the original was not produced, there was a significant chance of error or fraud in relying on such a copy.

  The hearsay rule concerns computer-generated evidence, which is considered second-hand evidence.

  Hearsay is information gathered by one person from another concerning some event, condition, or thing of which the first person had no direct experience. When submitted as evidence, such statements are called hearsay evidence. As a legal term, "hearsay" can also have the narrower meaning of the use of such information as evidence to prove the truth of what is asserted. Such use of "hearsay evidence" in court is generally not allowed. This prohibition is called the hearsay rule.

  For example, a witness says "Susan told me Tom was in town". Since the witness did not see Tom in town, the statement would be hearsay evidence to the fact that Tom was in town, and not admissible. However, it would be admissible as evidence that Susan said Tom was in town, and on the issue of her knowledge of whether he was in town.

  Hearsay evidence has many exception rules. For the purpose of the exam you must be familiar with the business records exception rule to the Hearsay Evidence. The business records created during the ordinary course of business are considered reliable and can usually be brought in under this exception if the proper foundation is laid when the records are introduced into evidence. Depending on which jurisdiction the case is in, either the records custodian or someone with knowledge of the records must lay a foundation for the records. Logs that are collected as part of a document business process being carried at regular interval would fall under this exception. They could be presented in court and not be considered Hearsay.

  Investigation rule is a detractor.

  Source: ROTHKE, Ben, CISSP CBK Review presentation on domain 9.

  and

  The FREE Online Law Dictionary at: http://legaldictionary.thefreedictionary.com/Exclusionary+Rule

  and

  Wikipedia has a nice article on this subject at: http://en.wikipedia.org/wiki/Exclusionary_rule

  and

  http://en.wikipedia.org/wiki/Hearsay_in_United_States_law#Hearsay_exceptions

• Question 254:

  In which of the following model are Subjects and Objects identified and the permissions applied to each subject/object combination are specified. Such a model can be used to quickly summarize what permissions a subject has for various system objects.

  A. Access Control Matrix model
  B. Take-Grant model
  C. Bell-LaPadula model
  D. Biba model
  A. Access Control Matrix model

  ---

  An access control matrix is a table of subjects and objects indicating what actions individual subjects can take upon individual objects. Matrices are data structures that programmers implement as table lookups that will be used and enforced

  by the operating system.

  This type of access control is usually an attribute of DAC models. The access rights can be assigned directly to the subjects (capabilities) or to the objects (ACLs).

  Capability Table

  A capability table specifies the access rights a certain subject possesses pertaining to specific objects. A capability table is different from an ACL because the subject is bound to the capability table, whereas the object is bound to the ACL.

  Access control lists (ACLs)

  ACLs are used in several operating systems, applications, and router configurations. They are lists of subjects that are authorized to access a specific object, and they define what level of authorization is granted. Authorization can be specific

  to an individual, group, or role. ACLs map values from the access control matrix to the object.

  Whereas a capability corresponds to a row in the access control matrix, the ACL corresponds to a column of the matrix.

  NOTE: Ensure you are familiar with the terms Capability and ACLs for the purpose of the exam.

  Resource(s) used for this question:

  Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 5264- 5267).

  McGraw-Hill. Kindle Edition.

  or

  Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition, Page 229 and

  Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 1923-1925). Auerbach Publications. Kindle Edition.

• Question 255:

  What physical characteristic does a retinal scan biometric device measure?

  A. The amount of light reaching the retina
  B. The amount of light reflected by the retina
  C. The pattern of light receptors at the back of the eye
  D. The pattern of blood vessels at the back of the eye
  D. The pattern of blood vessels at the back of the eye

  ---

  The retina, a thin nerve (1/50th of an inch) on the back of the eye, is the part of the eye which senses light and transmits impulses through the optic nerve to the brain - the equivalent of film in a camera. Blood vessels used for biometric

  identification are located along the neural retina, the outermost of retina's four cell layers.

  The following answers are incorrect:

  The amount of light reaching the retina The amount of light reaching the retina is not used in the biometric scan of the retina.

  The amount of light reflected by the retina The amount of light reflected by the retina is not used in the biometric scan of the retina.

  The pattern of light receptors at the back of the eye This is a distractor

  The following reference(s) were/was used to create this question:

  Reference: Retina Scan Technology.

  ISC2 Official Guide to the CBK, 2007 (Page 161)

• Question 256:

  A Wide Area Network (WAN) is basically everything outside of:

  A. a Local Area Network (LAN).
  B. a Campus Area Network (CAN).
  C. a Metropolitan Area Network (MAN).
  D. the Internet.
  A. a Local Area Network (LAN).

  ---

  A WAN is basically everything outside of a LAN.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 99.

• Question 257:

  Which of the following protocols is designed to send individual messages securely?

  A. Kerberos
  B. Secure Electronic Transaction (SET).
  C. Secure Sockets Layer (SSL).
  D. Secure HTTP (S-HTTP).
  D. Secure HTTP (S-HTTP).

  ---

  An early standard for encrypting HTTP documents, Secure HTTP (S-HTTP) is designed to send individual messages securely. SSL is designed to establish a secure connection between two computers. SET was originated by VISA and

  MasterCard as an Internet credit card protocol using digital signatures. Kerberos is an authentication system. Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide:

  Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 89.

• Question 258:

  Who should measure the effectiveness of Information System security related controls in an organization?

  A. The local security specialist
  B. The business manager
  C. The systems auditor
  D. The central security manager
  C. The systems auditor

  ---

  It is the systems auditor that should lead the effort to ensure that the security controls are in place and effective. The audit would verify that the controls comply with polices, procedures, laws, and regulations where applicable. The findings

  would provide these to senior management.

  The following answers are incorrect:

  the local security specialist. Is incorrect because an independent review should take place by a third party. The security specialist might offer mitigation strategies but it is the auditor that would ensure the effectiveness of the controls

  the business manager. Is incorrect because the business manager would be responsible that the controls are in place, but it is the auditor that would ensure the effectiveness of the controls.

  the central security manager. Is incorrect because the central security manager would be responsible for implementing the controls, but it is the auditor that is responsibe for ensuring their effectiveness.

• Question 259:

  Which of the following statements pertaining to the security kernel is incorrect?

  A. The security kernel is made up of mechanisms that fall under the TCB and implements and enforces the reference monitor concept.
  B. The security kernel must provide isolation for the processes carrying out the reference monitor concept and they must be tamperproof.
  C. The security kernel must be small enough to be able to be tested and verified in a complete and comprehensive manner.
  D. The security kernel is an access control concept, not an actual physical component.
  D. The security kernel is an access control concept, not an actual physical component.

  ---

  The reference monitor, not the security kernel is an access control concept.

  The security kernel is made up of software, and firmware components that fall within the TCB and implements and enforces the reference monitor concept. The security kernel mediates all access and functions between subjects and objects.

  The security kernel is the core of the TCB and is the most commonly used approach to building trusted computing systems.

  There are three main requirements of the security kernel:

  It must provide isolation for the processes carrying out the reference monitor concept, and the processes must be tamperproof.

  It must be invoked for every access attempt and must be impossible to circumvent. Thus, the security kernel must be implemented in a complete and foolproof way.

  It must be small enough to be able to be tested and verified in a complete and comprehensive manner.

  The following answers are incorrect:

  The security kernel is made up of mechanisms that fall under the TCB and implements and enforces the reference monitor concept. Is incorrect because this is the definition of the security kernel.

  The security kernel must provide isolation for the processes carrying out the reference monitor concept and they must be tamperproof. Is incorrect because this is one of the three requirements that make up the security kernel.

  The security kernel must be small enough to be able to be tested and verified in a complete and comprehensive manner. Is incorrect because this is one of the three requirements that make up the security kernel.

• Question 260:

  A potential problem related to the physical installation of the Iris Scanner in regards to the usage of the iris pattern within a biometric system is:

  A. concern that the laser beam may cause eye damage
  B. the iris pattern changes as a person grows older.
  C. there is a relatively high rate of false accepts.
  D. the optical unit must be positioned so that the sun does not shine into the aperture.
  D. the optical unit must be positioned so that the sun does not shine into the aperture.

  ---

  Because the optical unit utilizes a camera and infrared light to create the images, sun light can impact the aperture so it must not be positioned in direct light of any type. Because the subject does not need to have direct contact with the

  optical reader, direct light can impact the reader. An Iris recognition is a form of biometrics that is based on the uniqueness of a subject's iris. A camera like device records the patterns of the iris creating what is known as Iriscode. It is the

  unique patterns of the iris that allow it to be one of the most accurate forms of biometric identification of an individual. Unlike other types of biometics, the iris rarely changes over time. Fingerprints can change over time due to scaring and

  manual labor, voice patterns can change due to a variety of causes, hand geometry can also change as well. But barring surgery or an accident it is not usual for an iris to change. The subject has a high-resoulution image taken of their iris

  and this is then converted to Iriscode. The current standard for the Iriscode was developed by John Daugman. When the subject attempts to be authenticated an infrared light is used to capture the iris image and this image is then compared

  to the Iriscode. If there is a match the subject's identity is confirmed. The subject does not need to have direct contact with the optical reader so it is a less invasive means of authentication then retinal scanning would be.

  Reference(s) used for this question:

  AIO, 3rd edition, Access Control, p 134.

  AIO, 4th edition, Access Control, p 182.

  Wikipedia - http://en.wikipedia.org/wiki/Iris_recognition The following answers are incorrect:

  concern that the laser beam may cause eye damage. The optical readers do not use laser so, concern that the laser beam may cause eye damage is not an issue. the iris pattern changes as a person grows older. The question asked about

  the physical installation of the scanner, so this was not the best answer. If the question would have been about long term problems then it could have been the best choice. Recent research has shown that Irises actually do change over time:

  http://www.nature.com/news/ageing-eyes- hinder- biometric-scans-1.10722

  there is a relatively high rate of false accepts. Since the advent of the Iriscode there is a very low rate of false accepts, in fact the algorithm used has never had a false match. This all depends on the quality of the equipment used but because

  of the uniqueness of the iris even when comparing identical twins, iris patterns are unique.