ISC SSCP Online Practice Questions and Exam Preparation

ISC SSCP Online Questions & Answers

• Question 331:

  Which of the following is NOT a common backup method?

  A. Full backup method
  B. Daily backup method
  C. Incremental backup method
  D. Differential backup method
  B. Daily backup method

  ---

  A daily backup is not a backup method, but defines periodicity at which backups are made. There can be daily full, incremental or differential backups.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 3: Telecommunications and Network Security (page

  69).

• Question 332:

  When preparing a business continuity plan, who of the following is responsible for identifying and prioritizing time-critical systems?

  A. Executive management staff
  B. Senior business unit management
  C. BCP committee
  D. Functional business units
  B. Senior business unit management

  ---

  Many elements of a BCP will address senior management, such as the statement of importance and priorities, the statement of organizational responsibility, and the statement of urgency and timing. Executive management staff initiates the project, gives final approval and gives ongoing support. The BCP committee directs the planning, implementation, and tests processes whereas functional business units participate in implementation and testing.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 275).

• Question 333:

  Which of the following is an example of discretionary access control?

  A. Identity-based access control
  B. Task-based access control
  C. Role-based access control
  D. Rule-based access control
  A. Identity-based access control

  ---

  An identity-based access control is an example of discretionary access control that is based on an individual's identity. Identity-based access control (IBAC) is access control based on the identity of the user (typically relayed as a

  characteristic of the process acting on behalf of that user) where access authorizations to specific objects are assigned based on user identity.

  Rule Based Access Control (RuBAC) and Role Based Access Control (RBAC) are examples of non- discretionary access controls.

  Rule-based access control is a type of non-discretionary access control because this access is determined by rules and the subject does not decide what those rules will be, the rules are uniformly applied to ALL of the users or subjects.

  In general, all access control policies other than DAC are grouped in the category of non- discretionary access control (NDAC). As the name implies, policies in this category have rules that are not established at the discretion of the user.

  Non-discretionary policies establish controls that cannot be changed by users, but only through administrative action.

  Both Role Based Access Control (RBAC) and Rule Based Access Control (RuBAC) fall within Non Discretionary Access Control (NDAC). If it is not DAC or MAC then it is most likely NDAC.

  BELOW YOU HAVE A DESCRIPTION OF THE DIFFERENT CATEGORIES:

  MAC = Mandatory Access Control

  Under a mandatory access control environment, the system or security administrator will define what permissions subjects have on objects. The administrator does not dictate user's access but simply configure the proper level of access as

  dictated by the Data Owner. The MAC system will look at the Security Clearance of the subject and compare it with the object sensitivity level or classification level. This is what is called the dominance relationship.

  The subject must DOMINATE the object sensitivity level. Which means that the subject must have a security clearance equal or higher than the object he is attempting to access.

  MAC also introduce the concept of labels. Every objects will have a label attached to them indicating the classification of the object as well as categories that are used to impose the need to know (NTK) principle. Even thou a user has a

  security clearance of Secret it does not mean he would be able to access any Secret documents within the system. He would be allowed to access only Secret document for which he has a Need To Know, formal approval, and object where

  the user belong to one of the categories attached to the object.

  If there is no clearance and no labels then IT IS NOT Mandatory Access Control.

  Many of the other models can mimic MAC but none of them have labels and a dominance relationship so they are NOT in the MAC category.

  DAC = Discretionary Access Control

  DAC is also known as: Identity Based access control system.

  The owner of an object is define as the person who created the object. As such the owner has the discretion to grant access to other users on the network. Access will be granted based solely on the identity of those users.

  Such system is good for low level of security. One of the major problem is the fact that a user who has access to someone's else file can further share the file with other users without the knowledge or permission of the owner of the file. Very

  quickly this could become the wild wild west as there is no control on the dissimination of the information.

  RBAC = Role Based Access Control

  RBAC is a form of Non-Discretionary access control.

  Role Based access control usually maps directly with the different types of jobs performed by employees within a company.

  For example there might be 5 security administrator within your company. Instead of creating each of their profile one by one, you would simply create a role and assign the administrators to the role. Once an administrator has been assigned

  to a role, he will IMPLICITLY inherit the permissions of that role.

  RBAC is great tool for environment where there is a a large rotation of employees on a daily basis such as a very large help desk for example.

  RBAC or RuBAC = Rule Based Access Control

  RuBAC is a form of Non-Discretionary access control.

  A good example of a Rule Based access control device would be a Firewall. A single set of rules is imposed to all users attempting to connect through the firewall.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 33.

  and

  NISTIR-7316 at http://csrc.nist.gov/publications/nistir/7316/NISTIR-7316.pdf

  and

  http://itlaw.wikia.com/wiki/Identity-based_access_control

• Question 334:

  Which of the following is an Internet IPsec protocol to negotiate, establish, modify, and delete security associations, and to exchange key generation and authentication data, independent of the details of any specific key generation technique, key establishment protocol, encryption algorithm, or authentication mechanism?

  A. OAKLEY
  B. Internet Security Association and Key Management Protocol (ISAKMP)
  C. Simple Key-management for Internet Protocols (SKIP)
  D. IPsec Key exchange (IKE)
  B. Internet Security Association and Key Management Protocol (ISAKMP)

  ---

  RFC 2828 (Internet Security Glossary) defines the Internet Security Association and Key Management Protocol (ISAKMP) as an Internet IPsec protocol to negotiate, establish, modify, and delete security associations, and to exchange key

  generation and authentication data, independent of the details of any specific key generation technique, key establishment protocol, encryption algorithm, or authentication mechanism.

  Let's clear up some confusion here first. Internet Key Exchange (IKE) is a hybrid protocol, it consists of 3 "protocols"

  ISAKMP: It's not a key exchange protocol per se, it's a framework on which key exchange protocols operate. ISAKMP is part of IKE. IKE establishs the shared security policy and authenticated keys. ISAKMP is the protocol that specifies the

  mechanics of the key exchange.

  Oakley: Describes the "modes" of key exchange (e.g. perfect forward secrecy for keys, identity protection, and authentication). Oakley describes a series of key exchanges and services.

  SKEME: Provides support for public-key-based key exchange, key distribution centres, and manual installation, it also outlines methods of secure and fast key refreshment. So yes, IPSec does use IKE, but ISAKMP is part of IKE.

  The questions did not ask for the actual key negotiation being done but only for the "exchange of key generation and authentication data" being done. Under Oakly it would be Diffie Hellman (DH) that would be used for the actual key

  nogotiation.

  The following are incorrect answers:

  Simple Key-management for Internet Protocols (SKIP) is a key distribution protocol that uses hybrid encryption to convey session keys that are used to encrypt data in IP packets.

  OAKLEY is a key establishment protocol (proposed for IPsec but superseded by IKE) based on the Diffie- Hellman algorithm and designed to be a compatible component of ISAKMP.

  IPsec Key Exchange (IKE) is an Internet, IPsec, key-establishment protocol [R2409] (partly based on OAKLEY) that is intended for putting in place authenticated keying material for use with ISAKMP and for other security associations, such

  as in AH and ESP.

  Reference used for this question:

  SHIREY, Robert W., RFC2828: Internet Security Glossary, may 2000.

• Question 335:

  Degaussing is used to clear data from all of the following medias except:

  A. Floppy Disks
  B. Read-Only Media
  C. Video Tapes
  D. Magnetic Hard Disks
  B. Read-Only Media

  ---

  Atoms and Data

  Shon Harris says: "A device that performs degaussing generates a coercive magnetic force that reduces the magnetic flux density of the storage media to zero. This magnetic force is what properly erases data from media. Data are stored on

  magnetic media by the representation of the polarization of the atoms.

  Degaussing changes"

  The latest ISC2 book says:

  "Degaussing can also be a form of media destruction. High-power degaussers are so strong in some cases that they can literally bend and warp the platters in a hard drive. Shredding and burning are effective destruction methods for nonrigid magnetic media. Indeed, some shredders are capable of shredding some rigid media such as an optical disk. This may be an effective alternative for any optical media containing nonsensitive information due to the residue size

  remaining after feeding the disk into the machine. However, the residue size might be too large for media containing sensitive information. Alternatively, grinding and pulverizing are acceptable choices for rigid and solid-state media.

  Specialized devices are available for grinding the face of optical media that either sufficiently scratches the surface to render the media unreadable or actually grinds off the data layer of the disk. Several services also exist which will collect

  drives, destroy them on site if requested and provide certification of completion. It will be the responsibility of the security professional to help, select, and maintain the most appropriate solutions for media cleansing and disposal."

  Degaussing is achieved by passing the magnetic media through a powerful magnet field to rearrange the metallic particles, completely removing any resemblance of the previously recorded signal (from the "all about degaussers link below).

  Therefore, degaussing will work on any electronic based media such as floppy disks, or hard disks - all of these are examples of electronic storage. However, "read-only media" includes items such as paper printouts and CD- ROM wich do

  not store data in an electronic form or is not magnetic storage. Passing them through a magnet field has no effect on them.

  Not all clearing/ purging methods are applicable to all media-- for example, optical media is not susceptible to degaussing, and overwriting may not be effective against Flash devices. The degree to which information may be recoverable by a

  sufficiently motivated and capable adversary must not be underestimated or guessed at in ignorance. For the highest-value commercial data, and for all data regulated by government or military classification rules, read and follow the rules

  and standards. I will admit that this is a bit of a trick question. Determining the difference between "read-only media" and "read-only memory" is difficult for the question taker. However, I believe it is representative of the type of question you

  might one day see on an exam.

  The other answers are incorrect because:

  Floppy Disks, Magnetic Tapes, and Magnetic Hard Disks are all examples of magnetic storage, and therefore are erased by degaussing.

  A videotape is a recording of images and sounds on to magnetic tape as opposed to film stock used in filmmaking or random access digital media. Videotapes are also used for storing scientific or medical data, such as the data produced by

  an electrocardiogram. In most cases, a helical scan video head rotates against the moving tape to record the data in two dimensions, because video signals have a very high bandwidth, and static heads would require extremely high tape

  speeds. Videotape is used in both video tape recorders (VTRs) or, more commonly and more recently, videocassette recorder (VCR) and camcorders. A Tape use a linear method of storing information and since nearly all video recordings

  made nowadays are digital direct to disk recording (DDR), videotape is expected to gradually lose importance as non-linear/random- access methods of storing digital video data become more common.

  Reference(s) used for this question:

  Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 25627-25630).

  McGraw-Hill. Kindle Edition.

  Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition :

  Security Operations (Kindle Locations 580-588). . Kindle Edition.

  All About Degaussers and Erasure of Magnetic Media:

  http://www.degausser.co.uk/degauss/degabout.htm

  http://www.degaussing.net/

  http://www.cerberussystems.com/INFOSEC/stds/ncsctg25.htm

• Question 336:

  Which of the following identifies the encryption algorithm selected by NIST for the new Advanced Encryption Standard?

  A. Twofish
  B. Serpent
  C. RC6
  D. Rijndael
  D. Rijndael

  ---

  The Answer: Rijndael. Rijndael is the new approved method of encrypting sensitive but unclassified information for the U.S. government. It has been accepted by and is also widely used in the public arena as well. It has low memory

  requirements and has been constructed to easily defend against timing attacks.

  The following answers are incorrect: Twofish. Twofish was among the final candidates chosen for AES, but was not selected.

  Serpent. Serpent was among the final candidates chosen for AES, but was not selected.

  RC6. RC6 was among the final candidates chosen for AES, but was not selected.

  The following reference(s) were/was used to create this question:

  ISC2 OIG, 2007 p. 622, 629-630

  Shon Harris AIO, v.3 p 247-250

• Question 337:

  Which IPSec operational mode encrypts the entire data packet (including header and data) into an IPSec packet?

  A. Authentication mode
  B. Tunnel mode
  C. Transport mode
  D. Safe mode
  B. Tunnel mode

  ---

  In tunnel mode, the entire packet is encrypted and encased into an IPSec packet.

  In transport mode, only the datagram (payload) is encrypted, leaving the IP address visible within the IP header.

  Authentication mode and safe mode are not defined IPSec operational modes.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 3: Telecommunications and Network Security (page

  96).

• Question 338:

  Which of the following access control models requires defining classification for objects?

  A. Role-based access control
  B. Discretionary access control
  C. Identity-based access control
  D. Mandatory access control
  D. Mandatory access control

  ---

  With mandatory access control (MAC), the authorization of a subject's access to an object is dependant upon labels, which indicate the subject's clearance, and classification of objects.

  The Following answers were incorrect:

  Identity-based Access Control is a type of Discretionary Access Control (DAC), they are synonymous.

  Role Based Access Control (RBAC) and Rule Based Access Control (RuBAC or RBAC) are types of Non Discretionary Access Control (NDAC).

  Tip:

  When you have two answers that are synonymous they are not the right choice for sure.

  There is only one access control model that makes use of Label, Clearances, and Categories, it is Mandatory Access Control, none of the other one makes use of those items.

  Reference(s) used for this question:

  KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 2: Access control systems (page 33).

• Question 339:

  Which of the following access control models requires security clearance for subjects?

  A. Identity-based access control
  B. Role-based access control
  C. Discretionary access control
  D. Mandatory access control
  D. Mandatory access control

  ---

  With mandatory access control (MAC), the authorization of a subject's access to an object is dependant upon labels, which indicate the subject's clearance. Identity-based access control is a type of discretionary access control. A role-based access control is a type of non-discretionary access control.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 2: Access control systems (page 33).

• Question 340:

  Which security model ensures that actions that take place at a higher security level do not affect actions that take place at a lower level?

  A. The Bell-LaPadula model
  B. The information flow model
  C. The noninterference model
  D. The Clark-Wilson model
  C. The noninterference model

  ---

  The goal of a noninterference model is to strictly separate differing security levels to assure that higher- level actions do not determine what lower-level users can see. This is in contrast to other security models that control information flows

  between differing levels of users, By maintaining strict separation of security levels, a noninterference model minimizes leakages that might happen through a covert channel.

  The model ensures that any actions that take place at a higher security level do not affect, or interfere with, actions that take place at a lower level.

  It is not concerned with the flow of data, but rather with what a subject knows about the state of the system. So if an entity at a higher security level performs an action, it can not change the state for the entity at the lower level.

  The model also addresses the inference attack that occurs when some one has access to some type of information and can infer(guess) something that he does not have the clearance level or authority to know.

  The following are incorrect answers:

  The Bell-LaPadula model is incorrect. The Bell-LaPadula model is concerned only with confidentiality and bases access control decisions on the classfication of objects and the clearences of subjects. The information flow model is incorrect.

  The information flow models have a similar framework to the Bell- LaPadula model and control how information may flow between objects based on security classes. Information will be allowed to flow only in accordance with the security

  policy.

  The Clark-Wilson model is incorrect. The Clark-Wilson model is concerned with change control and assuring that all modifications to objects preserve integrity by means of well-formed transactions and usage of an access triple (subjet interface - object).

  References:

  CBK, pp 325 - 326

  AIO3, pp. 290 - 291

  AIOv4 Security Architecture and Design (page 345)

  AIOv5 Security Architecture and Design (pages 347 - 348)

  https://en.wikibooks.org/wiki/Security_Architecture_and_Design/Security_Models#Noninterfere nce_Models