ISC SSCP Online Practice Questions and Exam Preparation

ISC SSCP Online Questions & Answers

• Question 431:

  Which of the following is NOT an administrative control?

  A. Logical access control mechanisms
  B. Screening of personnel
  C. Development of policies, standards, procedures and guidelines
  D. Change control procedures
  A. Logical access control mechanisms

  ---

  It is considered to be a technical control.

  Logical is synonymous with Technical Control. That was the easy answer. There are three broad categories of access control: Administrative, Technical, and Physical.

  Each category has different access control mechanisms that can be carried out manually or automatically. All of these access control mechanisms should work in concert with each other to protect an infrastructure and its data.

  Each category of access control has several components that fall within it, as shown here:

  Administrative Controls

  Policy and procedures

  Personnel controls

  Supervisory structure

  Security-awareness training

  Testing

  Physical Controls Network segregation Perimeter security Computer controls Work area separation Data backups Technical Controls

  System access Network architecture Network access Encryption and protocols

  Control zone

  Auditing The following answers are incorrect : Screening of personnel is considered to be an administrative control Development of policies, standards, procedures and guidelines is considered to be an administrative control Change control procedures is considered to be an administrative control. Reference : Shon Harris AIO v3 , Chapter - 3 : Security Management Practices , Page : 52-54

• Question 432:

  Which of the following statements pertaining to Asynchronous Transfer Mode (ATM) is false?

  A. It can be used for voice
  B. it can be used for data
  C. It carries various sizes of packets
  D. It can be used for video
  C. It carries various sizes of packets

  ---

  ATM is an example of a fast packet-switching network that can be used for either data, voice or video, but packets are of fixed size. Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter

  7: Telecommunications and Network Security (page 455).

• Question 433:

  In order to ensure the privacy and integrity of the data, connections between firewalls over public networks should use:

  A. Screened subnets
  B. Digital certificates
  C. An encrypted Virtual Private Network
  D. Encryption
  C. An encrypted Virtual Private Network

  ---

  Virtual Private Networks allow a trusted network to communicate with another trusted network over untrusted networks such as the Internet. Screened Subnet: A screened subnet is essentially the same as the screened host architecture, but adds an extra strata of security by creating a network which the bastion host resides (often call perimeter network) which is separated from the internal network. A screened subnet will be deployed by adding a perimeter network in order to separate the internal network from the external. This assures that if there is a successful attack on the bastion host, the attacker is restricted to the perimeter network by the screening router that is connected between the internal and perimeter network. Digital Certificates: Digital Certificates will be used in the intitial steps of establishing a VPN but they would not provide the encryption and integrity by themselves. Encryption: Even thou this seems like a choice that would include the other choices, encryption by itself does not provide integrity mechanims. So encryption would satisfy only half of the requirements of the question. Source: TIPTON, Harold F. and KRAUSE, Micki, Information Security Management Handbook, 4th edition (volume 1), 2000, CRC Press, Chapter 3, Secured Connections to External Networks (page 65).

• Question 434:

  Why would anomaly detection IDSs often generate a large number of false positives?

  A. Because they can only identify correctly attacks they already know about.
  B. Because they are application-based are more subject to attacks.
  C. Because they can't identify abnormal behavior.
  D. Because normal patterns of user and system behavior can vary wildly.
  D. Because normal patterns of user and system behavior can vary wildly.

  ---

  Unfortunately, anomaly detectors and the Intrusion Detection Systems (IDS) based on them often produce a large number of false alarms, as normal patterns of user and system behavior can vary wildly. Being only able to identify correctly attacks they already know about is a characteristic of misuse detection (signature- based) IDSs. Application-based IDSs are a special subset of host- based IDSs that analyze the events transpiring within a software application. They are more vulnerable to attacks than host-based IDSs. Not being able to identify abnormal behavior would not cause false positives, since they are not identified.

  Source: DUPUIS, Cl?ment, Access Control Systems and Methodology CISSP Open Study Guide, version 1.0, march 2002 (page 92).

• Question 435:

  What ISO/OSI layer do switches primarily operate at?

  Do take note that this question makes reference to a plain vanilla switch and not one of the smart switches that is available on the market today.

  A. Physical layer
  B. Network layer
  C. Data link layer
  D. Session layer
  C. Data link layer

  ---

  Switches primarily operate at the data link layer (layer 2), although intelligent, extremely fast Layer 3 switching techniques are being more frequently used.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 3: Telecommunications and Network Security (page 111).

• Question 436:

  In an online transaction processing system (OLTP), which of the following actions should be taken when erroneous or invalid transactions are detected?

  A. The transactions should be dropped from processing.
  B. The transactions should be processed after the program makes adjustments.
  C. The transactions should be written to a report and reviewed.
  D. The transactions should be corrected and reprocessed.
  C. The transactions should be written to a report and reviewed.

  ---

  In an online transaction processing system (OLTP) all transactions are recorded as they occur. When erroneous or invalid transactions are detected the transaction can be recovered by reviewing the logs.

  As explained in the ISC2 OIG:

  OLTP is designed to record all of the business transactions of an organization as they occur. It is a data processing system facilitating and managing transaction-oriented applications. These are characterized as a system used by many

  concurrent users who are actively adding and modifying data to effectively change real-time data.

  OLTP environments are frequently found in the finance, telecommunications, insurance, retail, transportation, and travel industries. For example, airline ticket agents enter data in the database in real- time by creating and modifying travel

  reservations, and these are increasingly joined by users directly making their own reservations and purchasing tickets through airline company Web sites as well as discount travel Web site portals. Therefore, millions of people may be

  accessing the same flight database every day, and dozens of people may be looking at a specific flight at the same time.

  The security concerns for OLTP systems are concurrency and atomicity.

  Concurrency controls ensure that two users cannot simultaneously change the same data, or that one user cannot make changes before another user is finished with it. In an airline ticket system, it is critical for an agent processing a

  reservation to complete the transaction, especially if it is the last seat available on the plane.

  Atomicity ensures that all of the steps involved in the transaction complete successfully. If one step should fail, then the other steps should not be able to complete. Again, in an airline ticketing system, if the agent does not enter a name into

  the name data field correctly, the transaction should not be able to complete. OLTP systems should act as a monitoring system and detect when individual processes abort, automatically restart an aborted process, back out of a transaction if

  necessary, allow distribution of multiple copies of application servers across machines, and perform dynamic load balancing.

  A security feature uses transaction logs to record information on a transaction before it is processed, and then mark it as processed after it is done. If the system fails during the transaction, the transaction can be recovered by reviewing the

  transaction logs.

  Checkpoint restart is the process of using the transaction logs to restart the machine by running through the log to the last checkpoint or good transaction. All transactions following the last checkpoint are applied before allowing users to

  access the data again.

  Wikipedia has nice coverage on what is OLTP:

  Online transaction processing, or OLTP, refers to a class of systems that facilitate and manage transaction-oriented applications, typically for data entry and retrieval transaction processing. The term is somewhat ambiguous; some

  understand a "transaction" in the context of computer or database transactions, while others (such as the Transaction Processing Performance Council) define it in terms of business or commercial transactions.

  OLTP has also been used to refer to processing in which the system responds immediately to user requests. An automatic teller machine (ATM) for a bank is an example of a commercial transaction processing application.

  The technology is used in a number of industries, including banking, airlines, mailorder, supermarkets, and manufacturing. Applications include electronic banking, order processing, employee time clock systems, e- commerce, and eTrading.

  There are two security concerns for OLTP system: Concurrency and Atomicity

  ATOMICITY

  In database systems, atomicity (or atomicness) is one of the ACID transaction properties. In an atomic transaction, a series of database operations either all occur, or nothing occurs. A guarantee of atomicity prevents updates to the database

  occurring only partially, which can cause greater problems than rejecting the whole series outright.

  The etymology of the phrase originates in the Classical Greek concept of a fundamental and indivisible component; see atom.

  An example of atomicity is ordering an airline ticket where two actions are required: payment, and a seat reservation. The potential passenger must either:

  both pay for and reserve a seat; OR

  neither pay for nor reserve a seat.

  The booking system does not consider it acceptable for a customer to pay for a ticket without securing the seat, nor to reserve the seat without payment succeeding.

  CONCURRENCY

  Database concurrency controls ensure that transactions occur in an ordered fashion.

  The main job of these controls is to protect transactions issued by different users/applications from the effects of each other. They must preserve the four characteristics of database transactions ACID test:

  Atomicity, Consistency, Isolation, and Durability. Read http://en.wikipedia.org/wiki/ACID for more details on the ACID test.

  Thus concurrency control is an essential element for correctness in any system where two database transactions or more, executed with time overlap, can access the same data, e.g., virtually in any general- purpose database system. A well

  established concurrency control theory exists for database systems:

  serializability theory, which allows to effectively design and analyze concurrency control methods and mechanisms.

  Concurrency is not an issue in itself, it is the lack of proper concurrency controls that makes it a serious issue.

  The following answers are incorrect:

  The transactions should be dropped from processing. Is incorrect because the transactions are processed and when erroneous or invalid transactions are detected the transaction can be recovered by reviewing the logs.

  The transactions should be processed after the program makes adjustments. Is incorrect because the transactions are processed and when erroneous or invalid transactions are detected the transaction can be recovered by reviewing the

  logs.

  The transactions should be corrected and reprocessed. Is incorrect because the transactions are processed and when erroneous or invalid transactions are detected the transaction can be recovered by reviewing the logs.

  References:

  Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 12749-12768). Auerbach Publications. Kindle Edition.

  and

  http://en.wikipedia.org/wiki/Online_transaction_processing

  and

  http://databases.about.com/od/administration/g/concurrency.htm

• Question 437:

  Which of the following is a LAN transmission method?

  A. Broadcast
  B. Carrier-sense multiple access with collision detection (CSMA/CD)
  C. Token ring
  D. Fiber Distributed Data Interface (FDDI)
  A. Broadcast

  ---

  LAN transmission methods refer to the way packets are sent on the network and are either unicast, multicast or broadcast.

  CSMA/CD is a common LAN media access method.

  Token ring is a LAN Topology.

  LAN transmission protocols are the rules for communicating between computers on a LAN.

  Common LAN transmission protocols are: polling and token-passing.

  A LAN topology defines the manner in which the network devices are organized to facilitate communications.

  Common LAN topologies are: bus, ring, star or meshed.

  LAN transmission methods refer to the way packets are sent on the network and are either unicast, multicast or broadcast.

  LAN media access methods control the use of a network (physical and data link layers). They can be Ethernet, ARCnet, Token ring and FDDI.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 3: Telecommunications and Network Security (page 103).

  HERE IS A NICE OVERVIEW FROM CISCO:

  LAN Transmission Methods

  LAN data transmissions fall into three classifications: unicast, multicast, and broadcast. In each type of transmission, a single packet is sent to one or more nodes.

  In a unicast transmission, a single packet is sent from the source to a destination on a network. First, the source node addresses the packet by using the address of the destination node. The package is then sent onto the network, and finally,

  the network passes the packet to its destination.

  A multicast transmission consists of a single data packet that is copied and sent to a specific subset of nodes on the network. First, the source node addresses the packet by using a multicast address. The packet is then sent into the network,

  which makes copies of the packet and sends a copy to each node that is part of the multicast address.

  A broadcast transmission consists of a single data packet that is copied and sent to all nodes on the network. In these types of transmissions, the source node addresses the packet by using the broadcast address. The packet is then sent on

  to the network, which makes copies of the packet and sends a copy to every node on the network.

  LAN Topologies

  LAN topologies define the manner in which network devices are organized. Four common LAN topologies exist: bus, ring, star, and tree. These topologies are logical architectures, but the actual devices need not be physically organized in

  these configurations. Logical bus and ring topologies, for example, are commonly organized physically as a star. A bus topology is a linear LAN architecture in which transmissions from network stations propagate the length of the medium

  and are received by all other stations. Of the three

  most widely used LAN implementations, Ethernet/IEEE 802.3 networks--including 100BaseT --implement a bus topology

  Sources:

  KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 3: Telecommunications and Network Security (page 104).

  http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/introlan.htm

• Question 438:

  What does "residual risk" mean?

  A. The security risk that remains after controls have been implemented
  B. Weakness of an assets which can be exploited by a threat
  C. Risk that remains after risk assessment has has been performed
  D. A security risk intrinsic to an asset being audited, where no mitigation has taken place.
  A. The security risk that remains after controls have been implemented

  ---

  Residual risk is "The security risk that remains after controls have been implemented" ISO/IEC TR 13335-1 Guidelines for the Management of IT Security (GMITS), Part 1: Concepts and Models for IT Security, 1996. "Weakness of an assets which can be exploited by a threat" is vulnerability. "The result of unwanted incident" is impact. Risk that remains after risk analysis has been performed is a distracter.

  Risk can never be eliminated nor avoided, but it can be mitigated, transferred or accpeted. Even after applying a countermeasure like for example putiing up an Antivirus. But still it is not 100% that systems will be protected by antivirus.

• Question 439:

  Risk mitigation and risk reduction controls for providing information security are classified within three main categories, which of the following are being used?

  A. preventive, corrective, and administrative
  B. detective, corrective, and physical
  C. Physical, technical, and administrative
  D. Administrative, operational, and logical
  C. Physical, technical, and administrative

  ---

  Security is generally defined as the freedom from danger or as the condition of safety. Computer security, specifically, is the protection of data in a system against unauthorized disclosure, modification, or destruction and protection of the

  computer system itself against unauthorized use, modification, or denial of service. Because certain computer security controls inhibit productivity, security is typically a compromise toward which security practitioners, system users, and

  system operations and administrative personnel work to achieve a satisfactory balance between security and productivity.

  Controls for providing information security can be physical, technical, or administrative.

  These three categories of controls can be further classified as either preventive or detective. Preventive controls attempt to avoid the occurrence of unwanted events, whereas detective controls attempt to identify unwanted events after they

  have occurred. Preventive controls inhibit the free use of computing resources and therefore can be applied only to the degree that the users are willing to accept. Effective security awareness programs can help increase users' level of

  tolerance for preventive controls by helping them understand how such controls enable them to trust their computing systems. Common detective controls include audit trails, intrusion detection methods, and checksums.

  Three other types of controls supplement preventive and detective controls. They are usually described as deterrent, corrective, and recovery.

  Deterrent controls are intended to discourage individuals from intentionally violating information security policies or procedures. These usually take the form of constraints that make it difficult or undesirable to perform unauthorized activities or

  threats of consequences that influence a potential intruder to not violate security (e.g., threats ranging from embarrassment to severe punishment).

  Corrective controls either remedy the circumstances that allowed the unauthorized activity or return conditions to what they were before the violation. Execution of corrective controls could result in changes to existing physical, technical, and

  administrative controls.

  Recovery controls restore lost computing resources or capabilities and help the organization recover monetary losses caused by a security violation.

  Deterrent, corrective, and recovery controls are considered to be special cases within the major categories of physical, technical, and administrative controls; they do not clearly belong in either preventive or detective categories. For example,

  it could be argued that deterrence is a form of prevention because it can cause an intruder to turn away; however, deterrence also involves detecting violations, which may be what the intruder fears most. Corrective controls, on the other hand, are not preventive or detective, but they are clearly linked with technical controls when antiviral software eradicates a virus or with administrative controls when backup procedures enable restoring a damaged data base. Finally, recovery controls are neither preventive nor detective but are included in administrative controls as disaster recovery or contingency plans.

  Reference(s) used for this question Handbook of Information Security Management, Hal Tipton

• Question 440:

  What is called an attack in which an attacker floods a system with connection requests but does not respond when the target system replies to those requests?

  A. Ping of death attack
  B. SYN attack
  C. Smurf attack
  D. Buffer overflow attack
  B. SYN attack

  ---

  A SYN attack occurs when an attacker floods the target system's small "in-process" queue with connection requests, but it does not respond when the target system replies to those requests. This causes the target system to "time out" while waiting for the proper response, which makes the system crash or become unusable. A buffer overflow attack occurs when a process receives much more data than expected. One common buffer overflow attack is the ping of death, where an attacker sends IP packets that exceed the maximum legal length (65535 octets). A smurf attack is an attack where the attacker spoofs the source IP address in an ICMP ECHO broadcast packet so it seems to have originated at the victim's system, in order to flood it with REPLY packets.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 3: Telecommunications and Network Security (page 76).