ISC SSCP Online Practice Questions and Exam Preparation

ISC SSCP Online Questions & Answers

• Question 421:

  What can best be defined as a strongly protected computer that is in a network protected by a firewall (or is part of a firewall) and is the only host (or one of only a few hosts) in the network that can be directly accessed from networks on the other side of the firewall?

  A. A bastion host
  B. A screened subnet
  C. A dual-homed host
  D. A proxy server
  A. A bastion host

  ---

  The Internet Security Glossary (RFC2828) defines a bastion host as a strongly protected computer that is in a network protected by a firewall (or is part of a firewall) and is the only host (or one of only a few hosts) in the network that can be directly accessed from networks on the other side of the firewall. Source: SHIREY, Robert W., RFC2828: Internet Security Glossary, may 2000.

• Question 422:

  Which of the following is NOT a true statement regarding the implementaton of the 3DES modes?

  A. DES-EEE1 uses one key
  B. DES-EEE2 uses two keys
  C. DES-EEE3 uses three keys
  D. DES-EDE2 uses two keys
  A. DES-EEE1 uses one key

  ---

  There is no DES mode call DES-EEE1. It does not exist.

  The following are the correct modes for triple-DES (3DES):

  DES-EEE3 uses three keys for encryption and the data is encrypted, encrypted, encrypted;

  DES-EDE3 uses three keys and encrypts, decrypts and encrypts data.

  DES-EEE2 and DES-EDE2 are the same as the previous modes, but the first and third operations use the same key.

  Reference(s) used for this question:

  Shon Harris, CISSP All In One (AIO) book, 6th edition , page 808

  and

  Official ISC2 Guide to the CISSP CBK, 2nd Edition (2010) , page 344-345

• Question 423:

  What is Kerberos?

  A. A three-headed dog from the egyptian mythology.
  B. A trusted third-party authentication protocol.
  C. A security model.
  D. A remote authentication dial in user server.
  B. A trusted third-party authentication protocol.

  ---

  Is correct because that is exactly what Kerberos is.

  The following answers are incorrect:

  A three-headed dog from Egyptian mythology. Is incorrect because we are dealing with Information Security and not the Egyptian mythology but the Greek Mythology.

  A security model. Is incorrect because Kerberos is an authentication protocol and not just a security model.

  A remote authentication dial in user server. Is incorrect because Kerberos is not a remote authentication dial in user server that would be called RADIUS.

• Question 424:

  What is NOT an authentication method within IKE and IPsec?

  A. CHAP
  B. Pre shared key
  C. certificate based authentication
  D. Public key authentication
  A. CHAP

  ---

  CHAP is not used within IPSEC or IKE. CHAP is an authentication scheme used by Point to Point Protocol (PPP) servers to validate the identity of remote clients. CHAP periodically verifies the identity of the client by using a three-way

  handshake. This happens at the time of establishing the initial link (LCP), and may happen again at any time afterwards. The verification is based on a shared secret (such as the client user's password).

  After the completion of the link establishment phase, the authenticator sends a "challenge" message to the peer.

  The peer responds with a value calculated using a one-way hash function on the challenge and the secret combined.

  The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authenticator acknowledges the authentication; otherwise it should terminate the connection.

  At random intervals the authenticator sends a new challenge to the peer and repeats steps 1 through 3.

  The following were incorrect answers:

  Pre Shared Keys

  In cryptography, a pre-shared key or PSK is a shared secret which was previously shared between the two parties using some secure channel before it needs to be used. To build a key from shared secret, the key derivation function should

  be used. Such systems almost always use symmetric key cryptographic algorithms. The term PSK is used in WiFi encryption such as WEP or WPA, where both the wireless access points (AP) and all clients share the same key.

  The characteristics of this secret or key are determined by the system which uses it; some system designs require that such keys be in a particular format. It can be a password like 'bret13i', a passphrase like 'Idaho hung gear id gene', or a

  hexadecimal string like '65E4 E556 8622 EEE1'. The secret is used by all systems involved in the cryptographic processes used to secure the traffic between the systems.

  Certificat Based Authentication

  The most common form of trusted authentication between parties in the wide world of Web commerce is the exchange of certificates. A certificate is a digital document that at a minimum includes a Distinguished Name (DN) and an associated

  public key.

  The certificate is digitally signed by a trusted third party known as the Certificate Authority (CA). The CA vouches for the authenticity of the certificate holder. Each principal in the transaction presents certificate as its credentials. The recipient

  then validates the certificate's signature against its cache of known and trusted CA certificates. A "personal

  certificate" identifies an end user in a transaction; a "server certificate" identifies the service provider.

  Generally, certificate formats follow the X.509 Version 3 standard. X.509 is part of the Open Systems Interconnect (OSI) X.500 specification. Public Key Authentication Public key authentication is an alternative means of identifying yourself to a login server, instead of typing a password. It is more secure and more flexible, but more difficult to set up. In conventional password authentication, you prove you are who you claim to be by proving that you know the correct password. The only way to prove you know the password is to tell the server what you think the password is. This means

  that if the server has been hacked, or spoofed an attacker can learn your password. Public key authentication solves this problem. You generate a key pair, consisting of a public key (which everybody is allowed to know) and a private key (which you keep secret and do not give to anybody). The private key is able to generate signatures. A signature created using your private key cannot be forged by anybody who does not have a copy of that private key; but anybody who has your public key can verify that a particular signature is genuine. So you generate a key pair on your own computer, and you copy the public key to the server. Then, when the server asks you to prove who you are, you can generate a signature using your private key. The server can verify that signature (since it has your public key) and allow you to log in. Now if the server is hacked or spoofed, the attacker does not gain your private key or password; they only gain one signature. And signatures cannot be re-used, so they have gained nothing.

  There is a problem with this: if your private key is stored unprotected on your own computer, then anybody who gains access to your computer will be able to generate signatures as if they were you. So they will be able to log in to your server under your account. For this reason, your private key is usually encrypted when it is stored on your local machine, using a passphrase of your choice. In order to generate a signature, you must decrypt the key, so you have to type your passphrase.

  References: RFC 2409: The Internet Key Exchange (IKE); DORASWAMY, Naganand and HARKINS, Dan Ipsec: The New Security Standard for the Internet, Intranets, and Virtual Private Networks, 1999, Prentice Hall PTR; SMITH, Richard E. Internet Cryptography, 1997, Addison-Wesley Pub Co.; HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 2001, McGraw-Hill/Osborne, page 467. http://en.wikipedia.org/wiki/Pre-shared_key http://www.home.umk.pl/~mgw/LDAP/RS.C4.JUN.97.pdf http://the.earth.li/~sgtatham/putty/0.55/htmldoc/Chapter8.html#S8.1

• Question 425:

  Which layer defines how packets are routed between end systems?

  A. Session layer
  B. Transport layer
  C. Network layer
  D. Data link layer
  C. Network layer

  ---

  The network layer (layer 3) defines how packets are routed and relayed between end systems on the same network or on interconnected networks. Message routing, error detection and control of node traffic are managed at this level.

  Reference(s) used for this question:

  KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 3: Telecommunications and Network Security (page 82).

• Question 426:

  What are the components of an object's sensitivity label?

  A. A Classification Set and a single Compartment.
  B. A single classification and a single compartment.
  C. A Classification Set and user credentials.
  D. A single classification and a Compartment Set.
  D. A single classification and a Compartment Set.

  ---

  Both are the components of a sensitivity label.

  The following are incorrect:

  A Classification Set and a single Compartment. Is incorrect because the nomenclature "Classification Set" is incorrect, there only one classifcation and it is not a "single compartment" but a Compartment Set.

  A single classification and a single compartment. Is incorrect because while there only is one classifcation, it is not a "single compartment" but a Compartment Set.

  A Classification Set and user credentials. Is incorrect because the nomenclature "Classification Set" is incorrect, there only one classifcation and it is not "user credential" but a Compartment Set. The user would have their own sensitivity label.

• Question 427:

  RADIUS incorporates which of the following services?

  A. Authentication server and PIN codes.
  B. Authentication of clients and static passwords generation.
  C. Authentication of clients and dynamic passwords generation.
  D. Authentication server as well as support for Static and Dynamic passwords.
  D. Authentication server as well as support for Static and Dynamic passwords.

  ---

  A Network Access Server (NAS) operates as a client of RADIUS. The client is responsible for passing user information to

  designated RADIUS servers, and then acting on the response which is returned.

  RADIUS servers are responsible for receiving user connection requests, authenticating the user, and then returning all

  configuration information necessary for the client to deliver service to the user.

  RADIUS authentication is based on provisions of simple username/password credentials. These credentials are encrypted

  by the client using a shared secret between the client and the RADIUS server. OIG 2007, Page RADIUS incorporates an authentication server and can make uses of both dynamic and static passwords.

  Since it uses the PAP and CHAP protocols, it also incluses static passwords.

  RADIUS is an Internet protocol. RADIUS carries authentication, authorization, and configuration information between a Network Access Server and a shared Authentication Server. RADIUS features and functions are described primarily in the

  IETF (International Engineering Task Force) document RFC2138.

  The term " RADIUS" is an acronym which stands for Remote Authentication Dial In User Service.

  The main advantage to using a RADIUS approach to authentication is that it can provide a stronger form of authentication. RADIUS is capable of using a strong, two-factor form of authentication, in which users need to possess both a user ID

  and a hardware or software token to gain access. Token-based schemes use dynamic passwords. Every minute or so, the token generates a unique 4-, 6- or 8-digit access number that is synchronized with the security server. To gain entry

  into the system, the user must generate both this one-time number and provide his or her user ID and password.

  Although protocols such as RADIUS cannot protect against theft of an authenticated session via some realtime attacks, such as wiretapping, using unique, unpredictable authentication requests can protect against a wide range of active

  attacks.

  RADIUS: Key Features and Benefits

  Features Benefits

  RADIUS supports dynamic passwords and challenge/response passwords.

  Improved system security due to the fact that passwords are not static.

  It is much more difficult for a bogus host to spoof users into giving up their passwords or password- generation algorithms.

  RADIUS allows the user to have a single user ID and password for all computers in a network.

  Improved usability due to the fact that the user has to remember only one login combination.

  RADIUS is able to:

  Prevent RADIUS users from logging in via login (or ftp).

  Require them to log in via login (or ftp)

  Require them to login to a specific network access server (NAS);

  Control access by time of day.

  Provides very granular control over the types of logins allowed, on a per-user basis.

  The time-out interval for failing over from an unresponsive primary RADIUS server to a backup RADIUS server is site-configurable.

  RADIUS gives System Administrator more flexibility in managing which users can login from which hosts or devices.

  Stratus Technology Product Brief

  http://www.stratus.com/products/vos/openvos/radius.htm

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Pages 43, 44.

  Also check: MILLER, Lawrence and GREGORY, Peter, CISSP for Dummies, 2002, Wiley Publishing, Inc., pages 45-46.

• Question 428:

  Buffer overflow and boundary condition errors are subsets of which of the following?

  A. Race condition errors.
  B. Access validation errors.
  C. Exceptional condition handling errors.
  D. Input validation errors.
  D. Input validation errors.

  ---

  In an input validation error, the input received by a system is not properly checked, resulting in a vulnerability that can be exploited by sending a certain input sequence. There are two important types of input validation errors: buffer overflows (input received is longer than expected input length) and boundary condition error (where an input received causes the system to exceed an assumed boundary). A race condition occurs when there is a delay between the time when a system checks to see if an operation is allowed by the security model and the time when the system actually performs the operation. In an access validation error, the system is vulnerable because the access control mechanism is faulty. In an exceptional condition handling error, the system somehow becomes vulnerable due to an exceptional condition that has arisen.

  Source: DUPUIS, Clement, Access Control Systems and Methodology CISSP Open Study Guide, version 1.0, march 2002 (page 105).

• Question 429:

  To understand the 'whys' in crime, many times it is necessary to understand MOM. Which of the following is not a component of MOM?

  A. Opportunities
  B. Methods
  C. Motivation
  D. Means
  B. Methods

  ---

  To understand the whys in crime, many times it is necessary to understand the Motivations, Opportunities, and Means (MOM). Motivations are the who and why of a crime. Opportunities are the where and when of a crime, and Means pertains to the capabilities a criminal would need to be successful. Methods is not a component of MOM.

• Question 430:

  Which backup method is used if backup time is critical and tape space is at an extreme premium?

  A. Incremental backup method.
  B. Differential backup method.
  C. Full backup method.
  D. Tape backup method.
  A. Incremental backup method.

  ---

  Full Backup/Archival Backup - Complete/Full backup of every selected file on the system regardless of whether it has been backup recently.. This is the slowest of the backup methods since it backups all the data. It's however the fastest for

  restoring data.

  Incremental Backup - Any backup in which only the files that have been modified since last full back up are backed up. The archive attribute should be updated while backing up only modified files, which indicates that the file has been backed

  up. This is the fastest of the backup methods, but the slowest of the restore methods.

  Differential Backup - The backup of all data files that have been modified since the last incremental backup or archival/full backup. Uses the archive bit to determine what files have changed since last incremental backup or full backup. The

  files grows each day until the next full backup is performed clearing the archive attributes. This enables the user to restore all files changed since the last full backup in one pass. This is a more neutral method of backing up data since it's not

  faster nor slower than the other two

  Easy Way To Remember each of the backup type properties:

  Backup Speed Restore Speed

  Full 3 1

  Differential 2 2

  Incremental 1 3

  Legend: 1 = Fastest 2 = Faster 3 = Slowest

  Source:

  KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 69.

  and

  http://www.proprofs.com/mwiki/index.php/Full_Backup,_Incremental_ %26_Differential_Backup