ISC SSCP Online Practice Questions and Exam Preparation

ISC SSCP Online Questions & Answers

• Question 291:

  What is defined as inference of information from other, intermediate, relevant facts?

  A. Secondary evidence
  B. Conclusive evidence
  C. Hearsay evidence
  D. Circumstantial evidence
  D. Circumstantial evidence

  ---

  Circumstantial evidence is defined as inference of information from other, intermediate, relevant facts. Secondary evidence is a copy of evidence or oral description of its contents. Conclusive evidence is incontrovertible and overrides all other evidence and hearsay evidence is evidence that is not based on personal, first-hand knowledge of the witness, but was obtained from another source. Computer-generated records normally fall under the category of hearsay evidence.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 9: Law, Investigation, and Ethics (page 310).

• Question 292:

  What is the maximum length of cable that can be used for a twisted-pair, Category 5 10Base-T cable?

  A. 80 meters
  B. 100 meters
  C. 185 meters
  D. 500 meters
  B. 100 meters

  ---

  As a signal travels though a medium, it attenuates (loses strength) and at some point will become indistinguishable from noise. To assure trouble-free communication, maximum cable lengths are set between nodes to assure that attenuation

  will not cause a problem. The maximum CAT-5 UTP cable length between two nodes for 10BASE-T is 100M.

  The following answers are incorrect:

  80 meters. It is only a distracter. 185 meters. Is incorrect because it is the maximum length for 10Base-2 500 meters. Is incorrect because it is the maximum length for 10Base-5

• Question 293:

  Once evidence is seized, a law enforcement officer should emphasize which of the following?

  A. Chain of command
  B. Chain of custody
  C. Chain of control
  D. Chain of communications
  B. Chain of custody

  ---

  All people that handle the evidence from the time the crime was committed through the final disposition must be identified. This is to ensure that the evidence can be used and has not been tampered with.

  The following answers are incorrect:

  chain of command. Is incorrect because chain of command is the order of authority and does not apply to evidence.

  chain of control. Is incorrect because it is a distractor.

  chain of communications. Is incorrect because it is a distractor.

• Question 294:

  In stateful inspection firewalls, packets are:

  A. Inspected at only one layer of the Open System Interconnection (OSI) model
  B. Inspected at all Open System Interconnection (OSI) layers
  C. Decapsulated at all Open Systems Interconnect (OSI) layers.
  D. Encapsulated at all Open Systems Interconnect (OSI) layers.
  B. Inspected at all Open System Interconnection (OSI) layers

  ---

  Many times when a connection is opened, the firewall will inspect all layers of the packet. While this inspection is scaled back for subsequent packets to improve performance, this is the best of the four answers.

  When packet filtering is used, a packet arrives at the firewall, and it runs through its ACLs to determine whether this packet should be allowed or denied. If the packet is allowed, it is passed on to the destination host, or to another network

  device, and the packet filtering device forgets about the packet. This is different from stateful inspection, which remembers and keeps track of what packets went where until each particular connection is closed. A stateful firewall is like a nosy

  neighbor who gets into people's business and conversations. She keeps track of the suspicious cars that come into the neighborhood, who is out of town for the week, and the postman who stays a little too long at the neighbor lady's house.

  This can be annoying until your house is burglarized. Then you and the police will want to talk to the nosy neighbor, because she knows everything going on in the neighborhood and would be the one most likely to know something unusual

  happened.

  "Inspected at only one Open Systems Interconnetion (OSI) layer" is incorrect. To perform stateful packet inspection, the firewall must consider at least the network and transport layers.

  "Decapsulated at all Open Systems Interconnection (OSI) layers" is incorrect. The headers are not stripped ("decapsulated" if there is such a word) and are passed through in their entirety IF the packet is passed.

  "Encapsulated at all Open Systems Interconnect (OSI) layers" is incorrect. Encapsulation refers to the adding of a layer's header/trailer to the information received from the above level. This is done when the packet is assembled not at the

  firewall.

  Reference(s) used for this question:

  CBK, p. 466

  Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (pp. 632-633). McGraw- Hill. Kindle Edition.

• Question 295:

  Which of the following is NOT a form of detective administrative control?

  A. Rotation of duties
  B. Required vacations
  C. Separation of duties
  D. Security reviews and audits
  C. Separation of duties

  ---

  Detective administrative controls warn of administrative control violations. Rotation of duties, required vacations and security reviews and audits are forms of detective administrative controls. Separation of duties is the practice of dividing the steps in a system function among different individuals, so as to keep a single individual from subverting the process, thus a preventive control rather than a detective control.

  Source: DUPUIS, Cl?ment, Access Control Systems and Methodology CISSP Open Study Guide, version 1.0 (march 2002).

• Question 296:

  How is Annualized Loss Expectancy (ALE) derived from a threat?

  A. ARO x (SLE - EF)
  B. SLE x ARO
  C. SLE/EF
  D. AV x EF
  B. SLE x ARO

  ---

  Three steps are undertaken in a quantitative risk assessment:

  Initial management approval

  Construction of a risk assessment team, and

  The review of information currently available within the organization.

  There are a few formulas that you MUST understand for the exam. See them below:

  SLE (Single Loss Expectancy)

  Single loss expectancy (SLE) must be calculated to provide an estimate of loss. SLE is defined as the difference between the original value and the remaining value of an asset after a single exploit.

  The formula for calculating SLE is as follows: SLE = asset value (in $) ?exposure factor (loss due to successful threat exploit, as a %)

  Losses can include lack of availability of data assets due to data loss, theft, alteration, or denial of service (perhaps due to business continuity or security issues).

  ALE (Annualized Loss Expectancy)

  Next, the organization would calculate the annualized rate of occurrence (ARO).

  This is done to provide an accurate calculation of annualized loss expectancy (ALE).

  ARO is an estimate of how often a threat will be successful in exploiting a vulnerability over the period of a year.

  When this is completed, the organization calculates the annualized loss expectancy (ALE).

  The ALE is a product of the yearly estimate for the exploit (ARO) and the loss in value of an asset after an SLE.

  The calculation follows ALE = SLE x ARO

  Note that this calculation can be adjusted for geographical distances using the local annual frequency estimate (LAFE) or the standard annual frequency estimate (SAFE). Given that there is now a value for SLE, it is possible to determine

  what the organization should spend, if anything, to apply a countermeasure for the risk in question.

  Remember that no countermeasure should be greater in cost than the risk it mitigates, transfers, or avoids.

  Countermeasure cost per year is easy and straightforward to calculate. It is simply the cost of the countermeasure divided by the years of its life (i.e., use within the organization). Finally, the organization is able to compare the cost of the risk

  versus the cost of the countermeasure and make some objective decisions regarding its countermeasure selection.

  The following were incorrect answers:

  All of the other choices were incorrect.

  The following reference(s) were used for this quesiton:

  Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 10048-10069). Auerbach Publications. Kindle Edition.

• Question 297:

  Qualitative loss resulting from the business interruption does NOT usually include:

  A. Loss of revenue
  B. Loss of competitive advantage or market share
  C. Loss of public confidence and credibility
  D. Loss of market leadership
  A. Loss of revenue

  ---

  This question is testing your ability to evaluate whether items on the list are Qualitative or Quantitative. All of the items listed were Qualitative except Lost of Revenue which is Quantitative.

  Those are mainly two approaches to risk analysis, see a description of each below:

  A quantitative risk analysis is used to assign monetary and numeric values to all elements of the risk analysis process. Each element within the analysis (asset value, threat frequency, severity of vulnerability, impact damage, safeguard costs,

  safeguard effectiveness, uncertainty, and probability items) is quantified and entered into equations to determine total and residual risks. It is more of a scientific or mathematical approach to risk analysis compared to qualitative. A qualitative

  risk analysis uses a "softer" approach to the data elements of a risk analysis . It does not quantify that data, which means that it does not assign numeric values to the data so that they can be used in equations.

  Qualitative and quantitative impact information should be gathered and then properly analyzed and interpreted. The goal is to see exactly how a business will be affected by different threats.

  The effects can be economical, operational, or both. Upon completion of the data analysis, it should be reviewed with the most knowledgeable people within the company to ensure that the findings are appropriate and that it describes the real

  risks and impacts the organization faces. This will help flush out any additional data points not originally obtained and will give a fuller understanding of all the possible business impacts.

  Loss criteria must be applied to the individual threats that were identified. The criteria may include the following: Loss in reputation and public confidence Loss of competitive advantages Increase in operational expenses Violations of contract agreements Violations of legal and regulatory requirements Delayed income costs Loss in revenue Loss in productivity Reference used for this question: Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 909). McGraw-Hill.

  Kindle Edition.

• Question 298:

  How many layers are defined within the US Department of Defense (DoD) TCP/IP Model?

  A. 7
  B. 5
  C. 4
  D. 3
  C. 4

  ---

  The TCP/IP protocol model is similar to the OSI model but it defines only four layers: Application Host-to-host Internet Network access Reference(s) used for this question: http://www.novell.com/documentation/nw65/ntwk_ipv4_nw/data/hozdx4oj.html and KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 3: Telecommunications and Network Security (page 84). also see: http://en.wikipedia.org/wiki/Internet_Protocol_Suite#Layer_names_and_number_of_layers_in_t he_literature

• Question 299:

  Most access violations are:

  A. Accidental
  B. Caused by internal hackers
  C. Caused by external hackers
  D. Related to Internet
  A. Accidental

  ---

  The most likely source of exposure is from the uninformed, accidental or unknowing person, although the greatest impact may be from those with malicious or fraudulent intent. Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, Chapter 4: Protection of Information Assets (page 192).

• Question 300:

  What algorithm was DES derived from?

  A. Twofish.
  B. Skipjack.
  C. Brooks-Aldeman.
  D. Lucifer.
  D. Lucifer.

  ---

  NSA took the 128-bit algorithm Lucifer that IBM developed, reduced the key size to 64 bits and with that developed DES.

  The following answers are incorrect:

  Twofish. This is incorrect because Twofish is related to Blowfish as a possible replacement for DES.

  Skipjack. This is incorrect, Skipjack was developed after DES by the NSA .

  Brooks-Aldeman. This is incorrect because this is a distractor, no algorithm exists with this name.