ISC SSCP Online Practice Questions and Exam Preparation

ISC SSCP Online Questions & Answers

• Question 351:

  What is the PRIMARY goal of incident handling?

  A. Successfully retrieve all evidence that can be used to prosecute
  B. Improve the company's ability to be prepared for threats and disasters
  C. Improve the company's disaster recovery plan
  D. Contain and repair any damage caused by an event.
  D. Contain and repair any damage caused by an event.

  ---

  This is the PRIMARY goal of an incident handling process.

  The other answers are incorrect because :

  Successfully retrieve all evidence that can be used to prosecute is more often used in identifying weaknesses than in prosecuting.

  Improve the company's ability to be prepared for threats and disasters is more appropriate for a disaster recovery plan.

  Improve the company's disaster recovery plan is also more appropriate for disaster recovery plan.

  Reference : Shon Harris AIO v3 , Chapter - 10 : Law, Investigation, and Ethics , Page : 727-728

• Question 352:

  To be admissible in court, computer evidence must be which of the following?

  A. Relevant
  B. Decrypted
  C. Edited
  D. Incriminating
  A. Relevant

  ---

  Before any evidence can be admissible in court, the evidence has to be relevant, material to the issue, and it must be presented in compliance with the rules of evidence. This holds true for computer evidence as well.

  While there are no absolute means to ensure that evidence will be allowed and helpful in a court of law, information security professionals should understand the basic rules of evidence. Evidence should be relevant, authentic, accurate,

  complete, and convincing. Evidence gathering should emphasize these criteria.

  As stated in CISSP for Dummies:

  Because computer-generated evidence can sometimes be easily manipulated, altered , or tampered with, and because it's not easily and commonly understood, this type of evidence is usually considered suspect in a court of law. In order to

  be admissible, evidence must be

  Relevant: It must tend to prove or disprove facts that are relevant and material to the case.

  Reliable: It must be reasonably proven that what is presented as evidence is what was originally collected and that the evidence itself is reliable. This is accomplished, in part, through proper evidence handling and the chain of custody. (We

  discuss this in the upcoming section

  "Chain of custody and the evidence life cycle.")

  Legally permissible: It must be obtained through legal means. Evidence that's not legally permissible may include evidence obtained through the following means:

  Illegal search and seizure: Law enforcement personnel must obtain a prior court order; however, non-law enforcement personnel, such as a supervisor or system administrator, may be able to conduct an authorized search under some

  circumstances.

  Illegal wiretaps or phone taps: Anyone conducting wiretaps or phone taps must obtain a prior court order.

  Entrapment or enticement: Entrapment encourages someone to commit a crime that the individual may have had no intention of committing. Conversely, enticement lures someone toward certain evidence (a honey pot, if you will) after that

  individual has already committed a crime. Enticement is not necessarily illegal but does raise certain ethical arguments and may not be admissible in court.

  Coercion: Coerced testimony or confessions are not legally permissible. Unauthorized or improper monitoring: Active monitoring must be properly authorized and conducted in a standard manner; users must be notified that they may be

  subject to monitoring.

  The following answers are incorrect:

  decrypted. Is incorrect because evidence has to be relevant, material to the issue, and it must be presented in compliance with the rules of evidence.

  edited. Is incorrect because evidence has to be relevant, material to the issue, and it must be presented in compliance with the rules of evidence. Edited evidence violates the rules of evidence.

  incriminating. Is incorrect because evidence has to be relevant, material to the issue, and it must be presented in compliance with the rules of evidence.

  Reference(s) used for this question:

  CISSP STudy Guide (Conrad, Misenar, Feldman) Elsevier. 2012. Page 423

  and

  Mc Graw Hill, Shon Harris CISSP All In One (AIO), 6th Edition , Pages 1051-1056

  and

  CISSP for Dummies , Peter Gregory

• Question 353:

  Which of the following is true of network security?

  A. A firewall is a not a necessity in today's connected world.
  B. A firewall is a necessity in today's connected world.
  C. A whitewall is a necessity in today's connected world.
  D. A black firewall is a necessity in today's connected world.
  B. A firewall is a necessity in today's connected world.

  ---

  Commercial firewalls are a dime-a-dozen in todays world. Black firewall and whitewall are just distracters.

• Question 354:

  Which of the following best allows risk management results to be used knowledgeably?

  A. A vulnerability analysis
  B. A likelihood assessment
  C. An uncertainty analysis
  D. A threat identification
  C. An uncertainty analysis

  ---

  Risk management consists of two primary and one underlying activity; risk assessment and risk mitigation are the primary activities and uncertainty analysis is the underlying one. After having performed risk assessment and mitigation, an uncertainty analysis should be performed. Risk management must often rely on speculation, best guesses, incomplete data, and many unproven assumptions. A documented uncertainty analysis allows the risk management results to be used knowledgeably. A vulnerability analysis, likelihood assessment and threat identification are all parts of the collection and analysis of data part of the risk assessment, one of the primary activities of risk management.

  Source: SWANSON, Marianne and GUTTMAN, Barbara, National Institute of Standards and Technology (NIST), NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, September 1996 (pages 19-21).

• Question 355:

  Which of the following is best defined as an administrative declaration by a designated authority that an information system is approved to operate in a particular security configuration with a prescribed set of safeguards?

  A. Certification
  B. Declaration
  C. Audit
  D. Accreditation
  D. Accreditation

  ---

  Accreditation: is an administrative declaration by a designated authority that an information system is approved to operate in a particular security configuration with a prescribed set of safeguards. It is usually based on a technical certification of the system's security mechanisms.

  Certification: Technical evaluation (usually made in support of an accreditation action) of an information system\'s security features and other safeguards to establish the extent to which the system\'s design and implementation meet specified security requirements.

  Source: SHIREY, Robert W., RFC2828: Internet Security Glossary, may 2000.

• Question 356:

  Which of the following best defines add-on security?

  A. Physical security complementing logical security measures.
  B. Protection mechanisms implemented as an integral part of an information system.
  C. Layer security.
  D. Protection mechanisms implemented after an information system has become operational.
  D. Protection mechanisms implemented after an information system has become operational.

  ---

  The Internet Security Glossary (RFC2828) defines add-on security as "The retrofitting of protection mechanisms, implemented by hardware or software, after the [automatic data processing] system has become operational." Source: SHIREY, Robert W., RFC2828: Internet Security Glossary, may 2000.

• Question 357:

  The standard server port number for HTTP is which of the following?

  A. 81
  B. 80
  C. 8080
  D. 8180
  B. 80

  ---

  HTTP is Port 80.

  Reference: MAIWALD, Eric, Network Security: A Beginner's Guide, McGraw-Hill/Osborne Media, 2001, page 135.

• Question 358:

  Who is responsible for initiating corrective measures and capabilities used when there are security violations?

  A. Information systems auditor
  B. Security administrator
  C. Management
  D. Data owners
  C. Management

  ---

  Management is responsible for protecting all assets that are directly or indirectly under their control. They must ensure that employees understand their obligations to protect the company's assets, and implement security in accordance with the company policy. Finally, management is responsible for initiating corrective actions when there are security violations.

  Source: HARE, Chris, Security management Practices CISSP Open Study Guide, version 1.0, april 1999.

• Question 359:

  Which of the following is not a one-way hashing algorithm?

  A. MD2
  B. RC4
  C. SHA-1
  D. HAVAL
  B. RC4

  ---

  RC4 was designed by Ron Rivest of RSA Security in 1987. While it is officially termed "Rivest Cipher 4", the RC acronym is alternatively understood to stand for "Ron's Code" (see also RC2, RC5 and RC6).

  RC4 was initially a trade secret, but in September 1994 a description of it was anonymously posted to the Cypherpunks mailing list. It was soon posted on the sci.crypt newsgroup, and from there to many sites on the Internet. The leaked code

  was confirmed to be genuine as its output was found to match that of proprietary software using licensed RC4. Because the algorithm is known, it is no longer a trade secret. The name RC4 is trademarked, so RC4 is often referred to as

  ARCFOUR or ARC4 (meaning alleged RC4) to avoid trademark problems. RSA Security has never officially released the algorithm; Rivest has, however, linked to the English Wikipedia article on RC4 in his own course notes. RC4 has

  become part of some commonly used encryption protocols and standards, including WEP and WPA for wireless cards and TLS.

  The main factors in RC4's success over such a wide range of applications are its speed and simplicity:

  efficient implementations in both software and hardware are very easy to develop.

  The following answer were not correct choices:

  SHA-1 is a one-way hashing algorithms. SHA-1 is a cryptographic hash function designed by the United States National Security Agency and published by the United States NIST as a U.S. Federal Information Processing Standard. SHA

  stands for "secure hash algorithm".

  The three SHA algorithms are structured differently and are distinguished as SHA-0, SHA-1, and SHA-2. SHA-1 is very similar to SHA-0, but corrects an error in the original SHA hash specification that led to significant weaknesses. The SHA0 algorithm was not adopted by many applications. SHA-2 on the other hand significantly differs from the SHA-1 hash function. SHA-1 is the most widely used of the existing SHA hash functions, and is employed in several widely used security applications and protocols. In 2005, security flaws were identified in SHA- 1, namely that a mathematical weakness might

  exist, indicating that a stronger hash function would be desirable. Although no successful attacks have yet been reported on the SHA-2 variants, they are algorithmically similar to SHA-1 and so efforts are underway to develop improved alternatives. A new hash standard, SHA-3, is currently under development -- an ongoing NIST hash function competition is scheduled to end with the selection of a winning function in 2012.

  SHA-1 produces a 160-bit message digest based on principles similar to those used by Ronald L. Rivest of MIT in the design of the MD4 and MD5 message digest algorithms, but has a more conservative design.

  MD2 is a one-way hashing algorithms. The MD2 Message-Digest Algorithm is a cryptographic hash function developed by Ronald Rivest in 1989. The algorithm is optimized for 8-bit computers. MD2 is specified in RFC 1319. Although MD2 is

  no longer considered secure, even as of 2010 it remains in use in public key infrastructures as part of certificates generated with MD2 and RSA.

  Haval is a one-way hashing algorithms. HAVAL is a cryptographic hash function. Unlike MD5, but like most modern cryptographic hash functions, HAVAL can produce hashes of different lengths. HAVAL can produce hashes in lengths of 128

  bits, 160 bits, 192 bits, 224 bits, and 256 bits. HAVAL also allows users to specify the number of rounds (3, 4, or 5) to be used to generate the hash.

  The following reference(s) were used for this question:

  SHIREY, Robert W., RFC2828: Internet Security Glossary, may 2000.

  and

  https://en.wikipedia.org/wiki/HAVAL

  and

  https://en.wikipedia.org/wiki/MD2_%28cryptography%29

  and

  https://en.wikipedia.org/wiki/SHA-1

• Question 360:

  Notifying the appropriate parties to take action in order to determine the extent of the severity of an incident and to remediate the incident's effects is part of:

  A. Incident Evaluation
  B. Incident Recognition
  C. Incident Protection
  D. Incident Response
  D. Incident Response

  ---

  These are core functions of the incident response process.

  "Incident Evaluation" is incorrect. Evaluation of the extent and cause of the incident is a component of the incident response process.

  "Incident Recognition" is incorrect. Recognition that an incident has occurred is the precursor to the initiation of the incident response process.

  "Incident Protection" is incorrect. This is an almost-right-sounding nonsense answer to distract the unwary.

  References

  CBK, pp. 698 - 703