ISC SSCP Online Practice Questions and Exam Preparation

ISC SSCP Online Questions & Answers

• Question 261:

  What is called a system that is capable of detecting that a fault has occurred and has the ability to correct the fault or operate around it?

  A. A fail safe system
  B. A fail soft system
  C. A fault-tolerant system
  D. A failover system
  C. A fault-tolerant system

  ---

  A fault-tolerant system is capable of detecting that a fault has occurred and has the ability to correct the fault or operate around it. In a fail-safe system, program execution is terminated, and the system is protected from being compromised when a hardware or software failure occurs and is detected. In a fail- soft system, when a hardware or software failure occurs and is detected, selected, non-critical processing is terminated. The term failover refers to switching to a duplicate "hot" backup component in real-time when a hardware or software failure occurs, enabling processing to continue.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 5: Security Architecture and Models (page 196).

• Question 262:

  Which of the following statements pertaining to quantitative risk analysis is false?

  A. Portion of it can be automated
  B. It involves complex calculations
  C. It requires a high volume of information
  D. It requires little experience to apply
  D. It requires little experience to apply

  ---

  Assigning the values for the inputs to a purely quantitative risk assessment requires both a lot of time and significant experience on the part of the assessors. The most experienced employees or representatives from each of the departments

  would be involved in the process. It is NOT an easy task if you wish to come up with accurate values.

  "It can be automated" is incorrect. There are a number of tools on the market that automate the process of conducting a quantitative risk assessment.

  "It involves complex calculations" is incorrect. The calculations are simple for basic scenarios but could become fairly complex for large cases. The formulas have to be applied correctly.

  "It requires a high volume of information" is incorrect. Large amounts of information are required in order to develop reasonable and defensible values for the inputs to the quantitative risk assessment.

  References:

  CBK, pp. 60-61

  AIO3, p. 73, 78

  The Cissp Prep Guide - Mastering The Ten Domains Of Computer Security - 2001, page 24

• Question 263:

  A Business Continuity Plan should be tested:

  A. Once a month.
  B. At least twice a year.
  C. At least once a year.
  D. At least once every two years.
  C. At least once a year.

  ---

  It is recommended that testing does not exceed established frequency limits. For a plan to be effective, all components of the BCP should be tested at least once a year. Also, if there is a major change in the operations of the organization, the plan should be revised and tested not more than three months after the change becomes operational.

  Source: BARNES, James C. and ROTHSTEIN, Philip J., A Guide to Business Continuity Planning, John Wiley and Sons, 2001 (page 165).

• Question 264:

  Which of the following would be an example of the best password?

  A. golf001
  B. Elizabeth
  C. T1me4g0lF
  D. password
  C. T1me4g0lF

  ---

  The best passwords are those that are both easy to remember and hard to crack using a dictionary attack. The best way to create passwords that fulfil both criteria is to use two small unrelated words or phonemes, ideally with upper and

  lower case characters, a special character, and/or a number. Shouldn't be used:

  common names, DOB, spouse, phone numbers, words found in dictionaries or system defaults.

  Source: ROTHKE, Ben, CISSP CBK Review presentation on domain 1.

• Question 265:

  Which of the following statements pertaining to software testing is incorrect?

  A. Unit testing should be addressed and considered when the modules are being designed.
  B. Test data should be part of the specifications.
  C. Testing should be performed with live data to cover all possible situations.
  D. Test data generators can be used to systematically generate random test data that can be used to test programs.
  C. Testing should be performed with live data to cover all possible situations.

  ---

  Live or actual field data is not recommended for use in the testing procedures because both data types may not cover out of range situations and the correct outputs of the test are unknown. Live data would not be the best data to use because of the lack of anomalies and also because of the risk of exposure to your live data.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 7: Applications and Systems Development (page 251).

• Question 266:

  In what way could Java applets pose a security threat?

  A. Their transport can interrupt the secure distribution of World Wide Web pages over the Internet by removing SSL and S-HTTP
  B. Java interpreters do not provide the ability to limit system access that an applet could have on a client system.
  C. Executables from the Internet may attempt an intentional attack when they are downloaded on a client system.
  D. Java does not check the bytecode at runtime or provide other safety mechanisms for program isolation from the client system.
  C. Executables from the Internet may attempt an intentional attack when they are downloaded on a client system.

  ---

  Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

• Question 267:

  Which xDSL flavour can deliver up to 52 Mbps downstream over a single copper twisted pair?

  A. VDSL
  B. SDSL
  C. HDSL
  D. ADSL
  A. VDSL

  ---

  Very-high data-rate Digital Subscriber Line (VDSL) can deliver up to 52 Mbps downstream over a single copper twisted pair over a relatively short distance (1000 to 4500 feet).

  DSL (Digital Subscriber Line) is a modem technology for broadband data access over ordinary copper telephone lines (POTS) from homes and businesses. xDSL refers collectively to all types of DSL, such as ADSL (and G.Lite), HDSL,

  SDSL, IDSL and VDSL etc. They are sometimes referred to as last-mile (or first mile) technologies because they are used only for connections from a telephone switching station to a home or office, not between switching stations.

  xDSL is similar to ISDN in as much as both operate over existing copper telephone lines (POTS) using sophisticated modulation schemes and both require the short runs to a central telephone office

  Graphic below from: http://computer.howstuffworks.com/vdsl3.htm

  

  DSL speed chart

  The following are incorrect answers:

  Single-line Digital Subscriber Line (SDSL) deliver 2.3 Mbps of bandwidth each way.

  High-rate Digital Subscriber Line (HDSL) deliver 1.544 Mbps of bandwidth each way.

  ADSL delivers a maximum of 8 Mbps downstream for a total combined speed of almost 9 Mbps up and down.

  Reference used for this question:

  http://computer.howstuffworks.com/vdsl3.htm

  and

  http://www.javvin.com/protocolxDSL.html

  and

  KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 3: Telecommunications and Network Security (page 115).

• Question 268:

  Which of the following is less likely to be used today in creating a Virtual Private Network?

  A. L2TP
  B. PPTP
  C. IPSec
  D. L2F
  D. L2F

  ---

  L2F (Layer 2 Forwarding) provides no authentication or encryption. It is a Protocol that supports the creation of secure virtual private dial-up networks over the Internet.

  At one point L2F was merged with PPTP to produce L2TP to be used on networks and not only on dial up links.

  IPSec is now considered the best VPN solution for IP environments.

  Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter

  8: Cryptography (page 507).

• Question 269:

  All following observations about IPSec are correct except:

  A. Default Hashing protocols are HMAC-MD5 or HMAC-SHA-1
  B. Default Encryption protocol is Cipher Block Chaining mode DES, but other algorithms like ECC (Elliptic curve cryptosystem) can be used
  C. Support two communication modes - Tunnel mode and Transport mode
  D. Works only with Secret Key Cryptography
  D. Works only with Secret Key Cryptography

  ---

  Source: TIPTON, Harold F. and KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 2, 2001, CRC Press, NY, Pages 166-167.

• Question 270:

  What is the primary role of cross certification?

  A. Creating trust between different PKIs
  B. Build an overall PKI hierarchy
  C. set up direct trust to a second root CA
  D. Prevent the nullification of user certificates by CA certificate revocation
  A. Creating trust between different PKIs

  ---

  More and more organizations are setting up their own internal PKIs. When these independent PKIs need to interconnect to allow for secure communication to take place (either between departments or different companies), there must be a

  way for the two root CAs to trust each other.

  These two CAs do not have a CA above them they can both trust, so they must carry out cross certification. A cross certification is the process undertaken by CAs to establish a trust relationship in which they rely upon each other's digital

  certificates and public keys as if they had issued them themselves.

  When this is set up, a CA for one company can validate digital certificates from the other company and vice versa.

  Reference(s) used for this question:

  For more information and illustration on Cross certification:

  http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03q swp.mspx http://www.entrust.com/resources/pdf/cross_certification.pdf also see:

  Shon Harris, CISSP All in one book, 4th Edition, Page 727

  and

  RFC 2459: Internet X.509 Public Key Infrastructure Certificate and CRL Profile; FORD, Warwick and BAUM, Michael S., Secure Electronic Commerce: Building the Infrastructure for Digital Signatures and Encryption (2nd Edition), 2000, Prentice

  Hall PTR, Page 254.