ISC SSCP Online Practice Questions and Exam Preparation

ISC SSCP Online Questions & Answers

• Question 371:

  What are the three most important functions that Digital Signatures perform?

  A. Integrity, Confidentiality and Authorization
  B. Integrity, Authentication and Nonrepudiation
  C. Authorization, Authentication and Nonrepudiation
  D. Authorization, Detection and Accountability
  B. Integrity, Authentication and Nonrepudiation

  ---

  Reference: TIPTON, Harold F. and KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 2.

• Question 372:

  Which of the following is the WEAKEST authentication mechanism?

  A. Passphrases
  B. Passwords
  C. One-time passwords
  D. Token devices
  B. Passwords

  ---

  Most of the time users usually choose passwords which can be guessed , hence passwords is the BEST answer out of the choices listed above.

  The following answers are incorrect because :

  Passphrases is incorrect as it is more secure than a password because it is longer. One-time passwords is incorrect as the name states , it is good for only once and cannot be reused.

  Token devices is incorrect as this is also a password generator and is an one time password mechanism.

  Reference : Shon Harris AIO v3 , Chapter-4 : Access Control , Page : 139 , 142.

• Question 373:

  What is called the percentage at which the False Rejection Rate equals the False Acceptance Rate?

  A. False Rejection Rate (FRR) or Type I Error
  B. False Acceptance Rate (FAR) or Type II Error
  C. Crossover Error Rate (CER)
  D. Failure to enroll rate (FTE or FER)
  C. Crossover Error Rate (CER)

  ---

  The percentage at which the False Rejection Rate equals the False Acceptance Rate is called the Crossover Error Rate (CER). Another name for the CER is the Equal Error Rate (EER), any of the two terms could be used.

  Equal error rate or crossover error rate (EER or CER) It is the rate at which both accept and reject errors are equal. The EER is a quick way to compare the accuracy of devices with different ROC curves. In general, the device with the lowest

  EER is most accurate.

  The other choices were all wrong answers:

  The following are used as performance metrics for biometric systems:

  false accept rate or false match rate (FAR or FMR): the probability that the system incorrectly matches the input pattern to a non-matching template in the database. It measures the percent of invalid inputs which are incorrectly accepted. This

  is when an impostor would be accepted by the system.

  False reject rate or false non-match rate (FRR or FNMR): the probability that the system fails to detect a match between the input pattern and a matching template in the database. It measures the percent of valid inputs which are incorrectly

  rejected. This is when a valid company employee would be rejected by the system.

  Failure to enroll rate (FTE or FER): the rate at which attempts to create a template from an input is unsuccessful. This is most commonly caused by low quality inputs.

  Reference(s) used for this question:

  KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 38.

  and

  https://en.wikipedia.org/wiki/Biometrics

• Question 374:

  Which of the following is the FIRST step in protecting data's confidentiality?

  A. Install a firewall
  B. Implement encryption
  C. Identify which information is sensitive
  D. Review all user access rights
  C. Identify which information is sensitive

  ---

  In order to protect the confidentiality of the data.

  The following answers are incorrect because :

  Install a firewall is incorrect as this would come after the information has been identified for sensitivity levels.

  Implement encryption is also incorrect as this is one of the mechanisms to protect the data once it has been identified.

  Review all user access rights is also incorrect as this is also a protection mechanism for the identified information.

  Reference : Shon Harris AIO v3 , Chapter-4 : Access Control , Page : 126

• Question 375:

  Which of the following is true about digital certificate?

  A. It is the same as digital signature proving Integrity and Authenticity of the data
  B. Electronic credential proving that the person the certificate was issued to is who they claim to be
  C. You can only get digital certificate from Verisign, RSA if you wish to prove the key belong to a specific user.
  D. Can't contain geography data such as country for example.
  B. Electronic credential proving that the person the certificate was issued to is who they claim to be

  ---

  Digital certificate helps others verify that the public keys presented by users are genuine and valid. It is a form of Electronic credential proving that the person the certificate was issued to is who they claim to be.

  The certificate is used to identify the certificate holder when conducting electronic transactions.

  It is issued by a certification authority (CA). It contains the name of an organization or individual, the business address, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting messages), and the

  digital signature of the certificate- issuing authority so that a recipient can verify that the certificate is real. Some digital certificates conform to a standard, X.509. Digital certificates can be kept in registries so that authenticating users can look

  up other users' public keys.

  Digital certificates are key to the PKI process. The digital certificate serves two roles. First, it ensures the integrity of the public key and makes sure that the key remains unchanged and in a valid state. Second, it validates that the public key is

  tied to the stated owner and that all associated information is true and correct. The information needed to accomplish these goals is added into the digital certificate.

  A Certificate Authority (CA) is an entity trusted by one or more users as an authority in a network that issues, revokes, and manages digital certificates.

  A Registration Authority (RA) performs certificate registration services on behalf of a CA. The RA, a single purpose server, is responsible for the accuracy of the information contained in a certificate request. The RA is also expected to perform

  user validation before issuing a certificate request. A Digital Certificate is not like same as a digital signature, they are two different things, a digital Signature is created by using your Private key to encrypt a message digest and a Digital

  Certificate is issued by a trusted third party who vouch for your identity.

  There are many other third parties which are providing Digital Certifictes and not just Verisign, RSA.

  Reference(s) used for this question:

  Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 14894-14903). Auerbach Publications. Kindle Edition.

  Gregg, Michael; Haines, Billy (2012-02-16). CASP: CompTIA Advanced Security Practitioner Study Guide Authorized Courseware: Exam CAS-001 (p. 24). Wiley. Kindle Edition.

  Please refer to http://en.wikipedia.org/wiki/Digital_certificate

  What is Digital certificate:

  http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci211947,00.html

  another deifination on http://www.webopedia.com/TERM/D/digital_certificate.html

• Question 376:

  What is called the verification that the user's claimed identity is valid and is usually implemented through a user password at log-on time?

  A. Authentication
  B. Identification
  C. Integrity
  D. Confidentiality
  A. Authentication

  ---

  Authentication is verification that the user's claimed identity is valid and is usually implemented through a user password at log-on time.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 36.

• Question 377:

  In computing what is the name of a non-self-replicating type of malware program containing malicious code that appears to have some useful purpose but also contains code that has a malicious or harmful purpose imbedded in it, when executed, carries out actions that are unknown to the person installing it, typically causing loss or theft of data, and possible system harm.

  A. virus
  B. worm
  C. Trojan horse.
  D. trapdoor
  C. Trojan horse.

  ---

  A trojan horse is any code that appears to have some useful purpose but also contains code that has a malicious or harmful purpose imbedded in it. A Trojan often also includes a trapdoor as a means to gain access to a computer system bypassing security controls. Wikipedia defines it as: A Trojan horse, or Trojan, in computing is a non-self-replicating type of malware program containing malicious code that, when executed, carries out actions determined by the nature of the Trojan, typically causing loss or theft of data, and possible system harm. The term is derived from the story of the wooden horse used to trick defenders of Troy into taking concealed warriors into their city in ancient Greece, because computer Trojans often employ a form of social engineering, presenting themselves as routine, useful, or interesting in order to persuade victims to install them on their computers. The following answers are incorrect: virus. Is incorrect because a Virus is a malicious program and is does not appear to be harmless, it's sole purpose is malicious intent often doing damage to a system. A computer virus is a type of malware that, when executed, replicates by inserting copies of itself (possibly modified) into other computer programs, data files, or the boot sector of the hard drive; when this replication succeeds, the affected areas are then said to be "infected". worm. Is incorrect because a Worm is similiar to a Virus but does not require user intervention to execute. Rather than doing damage to the system, worms tend to self-propagate and devour the resources of a system. A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it. Unlike a computer virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer. trapdoor. Is incorrect because a trapdoor is a means to bypass security by hiding an entry point into a system. Trojan Horses often have a trapdoor imbedded in them. References: http://en.wikipedia.org/wiki/Trojan_horse_%28computing%29 and http://en.wikipedia.org/wiki/Computer_virus and http://en.wikipedia.org/wiki/Computer_worm and http://en.wikipedia.org/wiki/Backdoor_%28computing%29

• Question 378:

  A group of independent servers, which are managed as a single system, that provides higher availability, easier manageability, and greater scalability is:

  A. server cluster
  B. client cluster
  C. guest cluster
  D. host cluster
  A. server cluster

  ---

  A server cluster is a group of independent servers, which are managed as a single system, that provides higher availability, easier manageability, and greater scalability. Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 67.

• Question 379:

  Physical security is accomplished through proper facility construction, fire and water protection, anti-theft mechanisms, intrusion detection systems, and security procedures that are adhered to and enforced. Which of the following is not a component that achieves this type of security?

  A. Administrative control mechanisms
  B. Integrity control mechanisms
  C. Technical control mechanisms
  D. Physical control mechanisms
  B. Integrity control mechanisms

  ---

  Integrity Controls Mechanisms are not part of physical security. All of the other detractors were correct this one was the wrong one that does not belong to Physical Security. Below you have more details extracted from the SearchSecurity

  web site:

  Information security depends on the security and management of the physical space in which computer systems operate. Domain 9 of the CISSP exam's Common Body of Knowledge addresses the challenges of securing the physical space,

  its systems and the people who work within it by use of administrative, technical and physical controls. The following

• Question 380:

  Which of the following would be true about Static password tokens?

  A. The owner identity is authenticated by the token
  B. The owner will never be authenticated by the token.
  C. The owner will authenticate himself to the system.
  D. The token does not authenticates the token owner but the system.
  A. The owner identity is authenticated by the token

  ---

  Password Tokens

  Tokens are electronic devices or cards that supply a user's password for them. A token system can be used to supply either a static or a dynamic password. There is a big difference between the static and dynamic systems, a static system

  will normally log a user in but a dynamic system the user will often have to log themselves in.

  Static Password Tokens:

  The owner identity is authenticated by the token. This is done by the person who issues the token to the owner (normally the employer). The owner of the token is now authenticated by "something you have". The token authenticates the

  identity of the owner to the information system. An example of this occurring is when an employee swipes his or her smart card over an electronic lock to gain access to a store room.

  Synchronous Dynamic Password Tokens:

  This system is a lot more complex then the static token password. The synchronous dynamic password tokens generate new passwords at certain time intervals that are synched with the main system. The password is generated on a small

  device similar to a pager or a calculator that can often be attached to the user's key ring. Each password is only valid for a certain time period, typing in the wrong password in the wrong time period will invalidate the authentication. The time

  factor can also be the systems downfall. If a clock on the system or the password token device becomes out of synch, a user can have troubles authenticating themselves to the system.

  Asynchronous Dynamic Password Tokens:

  The clock synching problem is eliminated with asynchronous dynamic password tokens. This system works on the same principal as the synchronous one but it does not have a time frame. A lot of big companies use this system especially for

  employee's who may work from home on the companies VPN (Virtual private Network).

  Challenge Response Tokens:

  This is an interesting system. A user will be sent special "challenge" strings at either random or timed intervals. The user inputs this challenge string into their token device and the device will respond by generating a challenge response. The

  user then types this response into the system and if it is correct they are authenticated.

  Reference(s) used for this question:

  http://www.informit.com/guides/content.aspx?g=securityandseqNum=146

  and

  KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 37.