ISC SSCP Online Practice Questions and Exam Preparation

ISC SSCP Online Questions & Answers

• Question 401:

  In what type of attack does an attacker try, from several encrypted messages, to figure out the key used in the encryption process?

  A. Known-plaintext attack
  B. Ciphertext-only attack
  C. Chosen-Ciphertext attack
  D. Plaintext-only attack
  B. Ciphertext-only attack

  ---

  In a ciphertext-only attack, the attacker has the ciphertext of several messages encrypted with the same encryption algorithm. Its goal is to discover the plaintext of the messages by figuring out the key used in the encryption process. In a known-plaintext attack, the attacker has the plaintext and the ciphertext of one or more messages. In a chosen-ciphertext attack, the attacker can chose the ciphertext to be decrypted and has access to the resulting plaintext.

  Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter

  8: Cryptography (page 578).

• Question 402:

  Devices that supply power when the commercial utility power system fails are called which of the following?

  A. power conditioners
  B. uninterruptible power supplies
  C. power filters
  D. power dividers
  B. uninterruptible power supplies

  ---

  From Shon Harris AIO Fifth Edition:

  Protecting power can be done in three ways: through UPSs, power line conditioners, and backup sources. UPSs use battery packs that range in size and capacity. A UPS can be online or standby.

  Online UPS systems use AC line voltage to charge a bank of batteries. When in use, the UPS has an inverter that changes the DC output from the batteries into the required AC form and that regulates the voltage as it powers computer

  devices.

  Online UPS systems have the normal primary power passing through them day in and day out. They constantly provide power from their own inverters, even when the electric power is in proper use. Since the environment's electricity passes

  through this type of UPS all the time, the UPS device is able to quickly detect when a power failure takes place. An online UPS can provide the necessary electricity and picks up the load after a power failure much more quickly than a standby

  UPS.

  Standby UPS devices stay inactive until a power line fails. The system has sensors that detect a power failure, and the load is switched to the battery pack. The switch to the battery pack is what causes the small delay in electricity being

  provided.

  So an online UPS picks up the load much more quickly than a standby UPS, but costs more of course.

• Question 403:

  How many bits is the effective length of the key of the Data Encryption Standard algorithm?

  A. 168
  B. 128
  C. 56
  D. 64
  C. 56

  ---

  The correct answer is "56". This is actually a bit of a trick question, since the actual key length is 64 bits. However, every eighth bit is ignored because it is used for parity. This makes the "effective length of the key" that the question actually

  asks for 56 bits.

  The other answers are not correct because:

  168 - This is the number of effective bits in Triple DES (56 times 3).

  128 - Many encryption algorithms use 128 bit key, but not DES. Note that you may see 128 bit encryption referred to as "military strength encryption" because many military systems use key of this length.

  64 - This is the actual length of a DES encryption key, but not the "effective length" of the DES key.

  Reference:

  Official ISC2 Guide page: 238

  All in One Third Edition page: 622

• Question 404:

  What attribute is included in a X.509-certificate?

  A. Distinguished name of the subject
  B. Telephone number of the department
  C. secret key of the issuing CA
  D. the key pair of the certificate holder
  A. Distinguished name of the subject

  ---

  RFC 2459 : Internet X.509 Public Key Infrastructure Certificate and CRL Profile; GUTMANN, P., X.509 style guide; SMITH, Richard E., Internet Cryptography, 1997, Addison-Wesley Pub Co.

• Question 405:

  The basic language of modems and dial-up remote access systems is:

  A. Asynchronous Communication.
  B. Synchronous Communication.
  C. Asynchronous Interaction.
  D. Synchronous Interaction.
  A. Asynchronous Communication.

  ---

  Asynchronous Communication is the basic language of modems and dial-up remote access systems.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 100.

• Question 406:

  In which layer of the OSI Model are connection-oriented protocols located in the TCP/IP suite of protocols?

  A. Transport layer
  B. Application layer
  C. Physical layer
  D. Network layer
  A. Transport layer

  ---

  Connection-oriented protocols such as TCP provides reliability. It is the responsibility of such protocols in the transport layer to ensure every byte is accounted for. The network layer does not provide reliability. It only privides the best route to

  get the traffic to the final destination address.

  For your exam you should know the information below about OSI model:

  The Open Systems Interconnection model (OSI) is a conceptual model that characterizes and standardizes the internal functions of a communication system by partitioning it into abstraction layers. The model is a product of the Open

  Systems Interconnection project at the International Organization for Standardization (ISO), maintained by the identification ISO/IEC 7498-1.

  The model groups communication functions into seven logical layers. A layer serves the layer above it and is served by the layer below it. For example, a layer that provides error-free communications across a network provides the path

  needed by applications above it, while it calls the next lower layer to send and receive packets that make up the contents of that path. Two instances at one layer are connected by a horizontal.

  OSI Model

  

  Image source: http://www.petri.co.il/images/osi_model.JPG

  PHYSICAL LAYER

  The physical layer, the lowest layer of the OSI model, is concerned with the transmission and reception of the unstructured raw bit stream over a physical medium. It describes the electrical/optical, mechanical, and functional interfaces to the

  physical medium, and carries the signals for all of the higher layers. It provides:

  Data encoding: modifies the simple digital signal pattern (1s and 0s) used by the PC to better accommodate the characteristics of the physical medium, and to aid in bit and frame synchronization. It determines:

  What signal state represents a binary 1

  How the receiving station knows when a "bit-time" starts

  How the receiving station delimits a frame

  DATA LINK LAYER

  The data link layer provides error-free transfer of data frames from one node to another over the physical layer, allowing layers above it to assume virtually error-free transmission over the link.

  To do this, the data link layer provides:

  Link establishment and termination: establishes and terminates the logical link between two nodes.

  Frame traffic control: tells the transmitting node to "back-off" when no frame buffers are available.

  Frame sequencing: transmits/receives frames sequentially.

  Frame acknowledgment: provides/expects frame acknowledgments. Detects and recovers from errors that occur in the physical layer by retransmitting non-acknowledged frames and handling duplicate frame receipt.

  Frame delimiting: creates and recognizes frame boundaries.

  Frame error checking: checks received frames for integrity.

  Media access management: determines when the node "has the right" to use the physical medium.

  NETWORK LAYER

  The network layer controls the operation of the subnet, deciding which physical path the data should take based on network conditions, priority of service, and other factors. It provides:

  Routing: routes frames among networks.

  Subnet traffic control: routers (network layer intermediate systems) can instruct a sending station to "throttle back" its frame transmission when the router's buffer fills up.

  Frame fragmentation: if it determines that a downstream router's maximum transmission unit (MTU) size is less than the frame size, a router can fragment a frame for transmission and re-assembly at the destination station.

  Logical-physical address mapping: translates logical addresses, or names, into physical addresses.

  Subnet usage accounting: has accounting functions to keep track of frames forwarded by subnet intermediate systems, to produce billing information.

  Communications Subnet

  The network layer software must build headers so that the network layer software residing in the subnet intermediate systems can recognize them and use them to route data to the destination address.

  This layer relieves the upper layers of the need to know anything about the data transmission and intermediate switching technologies used to connect systems. It establishes, maintains and terminates connections across the intervening

  communications facility (one or several intermediate systems in the communication subnet).

  In the network layer and the layers below, peer protocols exist between a node and its immediate neighbor, but the neighbor may be a node through which data is routed, not the destination station. The source and destination stations may be

  separated by many intermediate systems.

  TRANSPORT LAYER

  The transport layer ensures that messages are delivered error-free, in sequence, and with no losses or duplications. It relieves the higher layer protocols from any concern with the transfer of data between them and their peers.

  The size and complexity of a transport protocol depends on the type of service it can get from the network layer. For a reliable network layer with virtual circuit capability, a minimal transport layer is required. If the network layer is unreliable

  and/or only supports datagrams, the transport protocol should include extensive error detection and recovery.

  The transport layer provides:

  Message segmentation: accepts a message from the (session) layer above it, splits the message into smaller units (if not already small enough), and passes the smaller units down to the network layer. The transport layer at the destination

  station reassembles the message.

  Message acknowledgment: provides reliable end-to-end message delivery with acknowledgments.

  Message traffic control: tells the transmitting station to "back-off" when no message buffers are available.

  Session multiplexing: multiplexes several message streams, or sessions onto one logical link and keeps track of which messages belong to which sessions (see session layer). Typically, the transport layer can accept relatively large

  messages, but there are strict message size limits imposed by the network (or lower) layer. Consequently, the transport layer must break up the messages into smaller units, or frames, prepending a header to each frame.

  The transport layer header information must then include control information, such as message start and message end flags, to enable the transport layer on the other end to recognize message boundaries. In addition, if the lower layers do

  not maintain sequence, the transport header must contain sequence information to enable the transport layer on the receiving end to get the pieces back together in the right order before handing the received message up to the layer above.

  End-to-end layers

  Unlike the lower "subnet" layers whose protocol is between immediately adjacent nodes, the transport layer and the layers above are true "source to destination" or end-to-end layers, and are not concerned with the details of the underlying

  communications facility. Transport layer software (and software above it) on the source station carries on a conversation with similar software on the destination station by using message headers and control messages.

  SESSION LAYER

  The session layer allows session establishment between processes running on different stations.

  It provides:

  Session establishment, maintenance and termination: allows two application processes on different machines to establish, use and terminate a connection, called a session.

  Session support: performs the functions that allow these processes to communicate over the network, performing security, name recognition, logging, and so on.

  PRESENTATION LAYER

  The presentation layer formats the data to be presented to the application layer. It can be viewed as the translator for the network. This layer may translate data from a format used by the application layer into a common format at the sending

  station, then translate the common format to a format known to the application layer at the receiving station.

  The presentation layer provides:

  Character code translation: for example, ASCII to EBCDIC.

  Data conversion: bit order, CR-CR/LF, integer-floating point, and so on.

  Data compression: reduces the number of bits that need to be transmitted on the network.

  Data encryption: encrypt data for security purposes. For example, password encryption.

  APPLICATION LAYER

  The application layer serves as the window for users and application processes to access network services. This layer contains a variety of commonly needed functions:

  Resource sharing and device redirection

  Remote file access

  Remote printer access

  Inter-process communication

  Network management

  Directory services Electronic messaging (such as mail) Network virtual terminals

  The following were incorrect answers:

  Application Layer - The application layer serves as the window for users and application processes to access network services.

  Network layer - The network layer controls the operation of the subnet, deciding which physical path the data should take based on network conditions, priority of service, and other factors.

  Physical Layer - The physical layer, the lowest layer of the OSI model, is concerned with the transmission and reception of the unstructured raw bit stream over a physical medium. It describes the electrical/optical, mechanical, and functional

  interfaces to the physical medium, and carries the signals for all of the higher layers.

  The following reference(s) were/was used to create this question:

  CISA review manual 2014 Page number 260

  and

  Official ISC2 guide to CISSP CBK 3rd Edition Page number 287

  and

  http://en.wikipedia.org/wiki/Tcp_protocol

• Question 407:

  The primary purpose for using one-way hashing of user passwords within a password file is which of the following?

  A. It prevents an unauthorized person from trying multiple passwords in one logon attempt.
  B. It prevents an unauthorized person from reading the password.
  C. It minimizes the amount of storage required for user passwords.
  D. It minimizes the amount of processing time used for encrypting passwords.
  B. It prevents an unauthorized person from reading the password.

  ---

  The whole idea behind a one-way hash is that it should be just that - one-way. In other words, an attacker should not be able to figure out your password from the hashed version of that password in any mathematically feasible way (or within

  any reasonable length of time).

  Password Hashing and Encryption

  In most situations , if an attacker sniffs your password from the network wire, she still has some work to do before she actually knows your password value because most systems hash the password with a hashing algorithm, commonly MD4

  or MD5, to ensure passwords are not sent in cleartext.

  Although some people think the world is run by Microsoft, other types of operating systems are out there, such as Unix and Linux. These systems do not use registries and SAM databases, but contain their user passwords in a file cleverly

  called "shadow." Now, this shadow file does not contain passwords in cleartext; instead, your password is run through a hashing algorithm, and the resulting value is stored in this file.

  Unixtype systems zest things up by using salts in this process. Salts are random values added to the encryption process to add more complexity and randomness. The more randomness entered into the encryption process, the harder it is for

  the bad guy to decrypt and uncover your password. The use of a salt means that the same password can be encrypted into several thousand different formats. This makes it much more difficult for an attacker to uncover the right format for

  your system.

  Password Cracking tools Note that the use of one-way hashes for passwords does not prevent password crackers from guessing passwords. A password cracker runs a plain-text string through the same one-way hash algorithm used by the system to generate a

  hash, then compares that generated has with the one stored on the system. If they match, the password cracker has guessed your password. This is very much the same process used to authenticate you to a system via a password. When you type your username and password, the system hashes the password you typed and compares that generated hash against the one stored on the system - if they match, you are authenticated. Pre-Computed password tables exists today and they allow you to crack passwords on Lan Manager (LM) within a VERY short period of time through the use of Rainbow Tables. A Rainbow Table is a precomputed table for reversing

  cryptographic hash functions, usually for cracking password hashes. Tables are usually used in recovering a plaintext password up to a certain length consisting of a limited set of characters. It is a practical example of a space/time trade-off also called a Time-Memory trade off, using more computer processing time at the cost of less storage when calculating a hash on every attempt, or less processing time and more storage when compared to a simple lookup table with one entry per hash. Use of a key derivation function that employs a salt makes this attack unfeasible.

  You may want to review "Rainbow Tables" at the links:

  http://en.wikipedia.org/wiki/Rainbow_table

  http://www.antsight.com/zsl/rainbowcrack/

  Today's password crackers:

  Meet oclHashcat. They are GPGPU-based multi-hash cracker using a brute-force attack (implemented as mask attack), combinator attack, dictionary attack, hybrid attack, mask attack, and rule-based attack.

  This GPU cracker is a fusioned version of oclHashcat-plus and oclHashcat-lite, both very well- known suites at that time, but now deprecated. There also existed a now very old oclHashcat GPU cracker that was replaced w/ plus and lite,

  which - as said - were then merged into oclHashcat 1.00 again.

  This cracker can crack Hashes of NTLM Version 2 up to 8 characters in less than a few hours. It is definitively a game changer. It can try hundreds of billions of tries per seconds on a very large cluster of GPU's. It supports up to 128 Video

  Cards at once. I am stuck using Password what can I do to better protect myself?

  You could look at safer alternative such as Bcrypt, PBKDF2, and Scrypt.

  the Blowfish cipher, and presented at USENIX in 1999. Besides incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive function: over time, the iteration count can be increased to make it slower, so it remains

  resistant to brute-force search attacks even with increasing computation power.

  In cryptography, scrypt is a password-based key derivation function created by Colin Percival, originally for the Tarsnap online backup service. The algorithm was specifically designed to make it costly to perform large-scale custom hardware

  attacks by requiring large amounts of memory. In 2012, the scrypt algorithm was published by the IETF as an Internet Draft, intended to become an informational RFC, which has since expired. A simplified version of scrypt is used as a proofof-work scheme by a number of cryptocurrencies, such as Litecoin and Dogecoin.

  PBKDF2 (Password-Based Key Derivation Function 2) is a key derivation function that is part of RSA Laboratories' Public-Key Cryptography Standards (PKCS) series, specifically PKCS #5 v2.0, also published as Internet Engineering Task

  Force's RFC 2898. It replaces an earlier standard, PBKDF1, which could only produce derived keys up to 160 bits long.

  PBKDF2 applies a pseudorandom function, such as a cryptographic hash, cipher, or HMAC to the input password or passphrase along with a salt value and repeats the process many times to produce a derived key, which can then be used

  as a cryptographic key in subsequent operations. The added computational work makes password cracking much more difficult, and is known as key stretching. When the standard was written in 2000, the recommended minimum number of

  iterations was 1000, but the parameter is intended to be increased over time as CPU speeds increase. Having a salt added to the password reduces the ability to use precomputed hashes (rainbow tables) for attacks, and means that multiple

  passwords have to be tested individually, not all at once. The standard recommends a salt length of at least 64 bits.

  The other answers are incorrect:

  "It prevents an unauthorized person from trying multiple passwords in one logon attempt." is incorrect because the fact that a password has been hashed does not prevent this type of brute force password guessing attempt.

  "It minimizes the amount of storage required for user passwords" is incorrect because hash algorithms always generate the same number of bits, regardless of the length of the input. Therefore, even short passwords will still result in a longer

  hash and not minimize storage requirements.

  "It minimizes the amount of processing time used for encrypting passwords" is incorrect because the processing time to encrypt a password would be basically the same required to produce a one-way has of the same password.

  Reference(s) used for this question:

  http://en.wikipedia.org/wiki/PBKDF2

  http://en.wikipedia.org/wiki/Scrypt

  http://en.wikipedia.org/wiki/Bcrypt

  Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 195) . McGraw-Hill.

  Kindle Edition.

• Question 408:

  How should a risk be HANDLED when the cost of the countermeasure OUTWEIGHS the cost of the risk?

  A. Reject the risk
  B. Perform another risk analysis
  C. Accept the risk
  D. Reduce the risk
  C. Accept the risk

  ---

  Which means the company understands the level of risk it is faced.

  The following answers are incorrect because :

  Reject the risk is incorrect as it means ignoring the risk which is dangerous.

  Perform another risk analysis is also incorrect as the existing risk analysis has already shown the results.

  Reduce the risk is incorrect is applicable after implementing the countermeasures.

  Reference : Shon Harris AIO v3 , Chapter-3: Security Management Practices , Page : 39

• Question 409:

  Which of the following protects Kerberos against replay attacks?

  A. Tokens
  B. Passwords
  C. Cryptography
  D. Time stamps
  D. Time stamps

  ---

  A replay attack refers to the recording and retransmission of packets on the network. Kerberos uses time stamps, which protect against this type of attack. Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter

  8: Cryptography (page 581).

• Question 410:

  Which expert system operating mode allows determining if a given hypothesis is valid?

  A. Blackboard
  B. Lateral chaining
  C. Forward chaining
  D. Backward chaining
  D. Backward chaining

  ---

  Backward-chaining mode - the expert system backtracks to determine if a given hypothesis is valid. Backward-chaining is generally used when there are a large number of possible solutions relative to the number of inputs.

  Incorrect answers are:

  In a forward-chaining mode, the expert system acquires information and comes to a conclusion based on that information. Forward-chaining is the reasoning approach that can be used when there is a small number of solutions relative to the

  number of inputs.

  Blackboard is an expert system-reasoning methodology in which a solution is generated by the use of a virtual blackboard, wherein information or potential solutions are placed on the blackboard by a plurality of individuals or expert

  knowledge sources. As more information is placed on the blackboard in an iterative process, a solution is generated.

  Lateral-chaining mode - No such expert system mode.

  Sources:

  KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 7: Applications and Systems Development (page 259).

  KRUTZ, Ronald and VINES, Russel, The CISSP Prep Guide: Gold Edition, Wiley Publishing Inc., 2003, Chapter 7: Expert Systems (page 354).