ISC SSCP Online Practice Questions and Exam Preparation

ISC SSCP Online Questions & Answers

• Question 461:

  Which of the following is best defined as a mode of system termination that automatically leaves system processes and components in a secure state when a failure occurs or is detected in a system?

  A. Fail proof
  B. Fail soft
  C. Fail safe
  D. Fail Over
  C. Fail safe

  ---

  NOTE: This question is referring to a system which is Logical/Technical, so it is in the context of a system that you must choose the right answer. This is very important to read the question carefully and to identify the context whether it is in

  the Physical world or in the Technical/Logical world.

  RFC 2828 (Internet Security Glossary) defines fail safe as a mode of system termination that automatically leaves system processes and components in a secure state when a failure occurs or is detected in the system.

  A secure state means in the Logical/Technical world that no access would be granted or no packets would be allowed to flow through the system inspecting the packets such as a firewall for example.

  If the question would have made reference to a building or something specific to the Physical world then the answer would have been different. In the Physical World everything becomes open and full access would be granted. See the valid

  choices below for the Physical context.

  Fail-safe in the physical security world is when doors are unlocked automatically in case of emergency. Used in environment where humans work around. As human safety is prime concern during Fire or other hazards.

  The following were all wrong choices:

  Fail-secure in the physical security world is when doors are locked automatically in case of emergency. Can be in an area like Cash Locker Room provided there should be alternative manually operated exit door in case of emergency.

  Fail soft is selective termination of affected non-essential system functions and processes when a failure occurs or is detected in the system.

  Fail Over is a redundancy mechanism and does not apply to this question.

  There is a great post within the CCCure Forums on this specific

• Question 462:

  Which type of attack involves impersonating a user or a system?

  A. Smurfing attack
  B. Spoofing attack
  C. Spamming attack
  D. Sniffing attack
  B. Spoofing attack

  ---

  A spoofing attack is when an attempt is made to gain access to a computer system by posing as an authorized user or system. Spamming refers to sending out or posting junk advertising and unsolicited mail. A smurf attack is a type of denial-of-service attack using PING and a spoofed address. Sniffing refers to observing packets passing on a network.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 3: Telecommunications and Network Security (page 77).

• Question 463:

  What is the name of the third party authority that vouches for the binding between the data items in a digital certificate?

  A. Registration authority
  B. Certification authority
  C. Issuing authority
  D. Vouching authority
  B. Certification authority

  ---

  A certification authority (CA) is a third party entity that issues digital certificates (especially X.509 certificates) and vouches for the binding between the data items in a certificate. An issuing authority could be considered a correct answer, but not the best answer, since it is too generic.

  Source: SHIREY, Robert W., RFC2828: Internet Security Glossary, may 2000.

• Question 464:

  What can be defined as a momentary low voltage?

  A. Spike
  B. Sag
  C. Fault
  D. Brownout
  B. Sag

  ---

  A sag is a momentary low voltage. A spike is a momentary high voltage. A fault is a momentary power out and a brownout is a prolonged power supply that is below normal voltage. Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter

  6: Physical security (page 299)

• Question 465:

  Which of the following is a disadvantage of a statistical anomaly-based intrusion detection system?

  A. it may truly detect a non-attack event that had caused a momentary anomaly in the system.
  B. it may falsely detect a non-attack event that had caused a momentary anomaly in the system.
  C. it may correctly detect a non-attack event that had caused a momentary anomaly in the system.
  D. it may loosely detect a non-attack event that had caused a momentary anomaly in the system.
  B. it may falsely detect a non-attack event that had caused a momentary anomaly in the system.

  ---

  Some disadvantages of a statistical anomaly-based ID are that it will not detect an attack that does not significantly change the system operating characteristics, or it may falsely detect a non- attack event that had caused a momentary anomaly in the system.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 49.

• Question 466:

  The security of a computer application is most effective and economical in which of the following cases?

  A. The system is optimized prior to the addition of security.
  B. The system is procured off-the-shelf.
  C. The system is customized to meet the specific security threat.
  D. The system is originally designed to provide the necessary security.
  D. The system is originally designed to provide the necessary security.

  ---

  The earlier in the process that security is planned for and implement the cheaper it is. It is also much more efficient if security is addressed in each phase of the development cycle rather than an add-on because it gets more complicated to add at the end. If security plan is developed at the beginning it ensures that security won't be overlooked.

  The following answers are incorrect:

  The system is optimized prior to the addition of security. Is incorrect because if you wait to implement security after a system is completed the cost of adding security increases dramtically and can become much more complex.

  The system is procured off-the-shelf. Is incorrect because it is often difficult to add security to off-the shelf systems.

  The system is customized to meet the specific security threat. Is incorrect because this is a distractor. This implies only a single threat.

• Question 467:

  What kind of Encryption technology does SSL utilize?

  A. Secret or Symmetric key
  B. Hybrid (both Symmetric and Asymmetric)
  C. Public Key
  D. Private key
  B. Hybrid (both Symmetric and Asymmetric)

  ---

  SSL use public-key cryptography to secure session key, while the session key (secret key) is used to secure the whole session taking place between both parties communicating with each other.

  The SSL protocol was originally developed by Netscape. Version 1.0 was never publicly released; version 2.0 was released in February 1995 but "contained a number of security flaws which ultimately led to the design of SSL version 3.0."

  SSL version 3.0, released in 1996, was a complete redesign of the protocol produced by Paul Kocher working with Netscape engineers Phil Karlton and Alan Freier.

  All of the other answers are incorrect

• Question 468:

  Which of the following is NOT a known type of Message Authentication Code (MAC)?

  A. Keyed-hash message authentication code (HMAC)
  B. DES-CBC
  C. Signature-based MAC (SMAC)
  D. Universal Hashing Based MAC (UMAC)
  C. Signature-based MAC (SMAC)

  ---

  There is no such thing as a Signature-Based MAC. Being the wrong choice in the list, it is the best answer to this question.

  WHAT IS A Message Authentication Code (MAC)?

  In Cryptography, a MAC (Message Authentication Code) also known as a cryptographic checksum, is a small block of data that is generated using a secret key and then appended to the message. When the message is received, the recipient

  can generate their own MAC using the secret key, and thereby know that the message has not changed either accidentally or intentionally in transit. Of course, this assurance is only as strong as the trust that the two parties have that no one

  else has access to the secret key.

  A MAC is a small representation of a message and has the following characteristics:

  A MAC is much smaller than the message generating it.

  Given a MAC, it is impractical to compute the message that generated it.

  Given a MAC and the message that generated it, it is impractical to find another message generating the same MAC.

  See the graphic below from Wikipedia showing the creation of a MAC value:

  

  Message Authentication Code MAC HMAC

  In the example above, the sender of a message runs it through a MAC algorithm to produce a MAC data tag. The message and the MAC tag are then sent to the receiver. The receiver in turn runs the message portion of the transmission

  through the same MAC algorithm using the same key, producing a second MAC data tag. The receiver then compares the first MAC tag received in the transmission to the second generated MAC tag. If they are identical, the receiver can

  safely assume that the integrity of the message was not compromised, and the message was not altered or tampered with during transmission.

  However, to allow the receiver to be able to detect replay attacks, the message itself must contain data that assures that this same message can only be sent once (e.g. time stamp, sequence number or use of a one-time MAC). Otherwise an

  attacker could -- without even understanding its content -- record this message and play it back at a later time, producing the same result as the original sender.

  NOTE: There are many ways of producing a MAC value. Below you have a short list of some implementation.

  The following were incorrect answers for this question:

  They were all incorrect answers because they are all real type of MAC implementation.

  In the case of DES-CBC, a MAC is generated using the DES algorithm in CBC mode, and the secret DES key is shared by the sender and the receiver. The MAC is actually just the last block of ciphertext generated by the algorithm. This

  block of data (64 bits) is attached to the unencrypted message and transmitted to the far end. All previous blocks of encrypted data are discarded to prevent any attack on the MAC itself. The receiver can just generate his own MAC using the

  secret DES key he shares to ensure message integrity and authentication. He knows that the message has not changed because the chaining function of CBC would significantly alter the last block of data if any bit had changed anywhere in

  the message. He knows the source of the message (authentication) because only one other person holds the secret key.

  A Keyed-hash message authentication code (HMAC) is a specific construction for calculating a message authentication code (MAC) involving a cryptographic hash function in combination with a secret cryptographic key. As with any MAC, it

  may be used to simultaneously verify both the data integrity and the authentication of a message. Any cryptographic hash function, such as MD5, SHA-1, may be used in the calculation of an HMAC; the resulting MAC algorithm is termed

  HMAC-MD5 or HMAC-SHA1 accordingly. The cryptographic strength of the HMAC depends upon the cryptographic strength of the underlying hash function, the size of its hash output, and on the size and quality of the key.

  A message authentication code based on universal hashing, or UMAC, is a type of message authentication code (MAC) calculated choosing a hash function from a class of hash functions according to some secret (random) process and applying it to the message. The resulting digest or fingerprint is then encrypted to hide the identity of the hash function used. As with any MAC, it may be used to simultaneously verify both the data integrity and the authenticity of a message. UMAC is specified in RFC 4418, it has provable cryptographic strength and is usually a lot less computationally intensive than other MACs.

  What is the MicMac (confusion) with MIC and MAC?

  The term message integrity code (MIC) is frequently substituted for the term MAC, especially in communications, where the acronym MAC traditionally stands for Media Access Control when referring to Networking. However, some authors use MIC as a distinctly different term from a MAC; in their usage of the term the MIC operation does not use secret keys. This lack of security means that any MIC intended for use gauging message integrity should be encrypted or otherwise be protected against tampering. MIC algorithms are created such that a given message will always produce the same MIC assuming the same algorithm is used to generate both. Conversely, MAC algorithms are designed to produce matching MACs only if the same message, secret key and initialization vector are input to the same algorithm. MICs do not use secret keys and, when taken on their own, are therefore a much less reliable gauge of message integrity than MACs. Because MACs use secret keys, they do not necessarily need to be encrypted to provide the same level of assurance.

  Reference(s) used for this question: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 15799-15815). Auerbach Publications. Kindle Edition. and http://en.wikipedia.org/wiki/Message_authentication_code and http://tools.ietf.org/html/rfc4418

• Question 469:

  Which type of password token involves time synchronization?

  A. Static password tokens
  B. Synchronous dynamic password tokens
  C. Asynchronous dynamic password tokens
  D. Challenge-response tokens
  B. Synchronous dynamic password tokens

  ---

  Synchronous dynamic password tokens generate a new unique password value at fixed time intervals, so the server and token need to be synchronized for the password to be accepted.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 2: Access control systems (page 37).

  Also check out: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw- Hill/Osborne, 2002, chapter 4: Access Control (page 136).

• Question 470:

  Which of the following best describes signature-based detection?

  A. Compare source code, looking for events or sets of events that could cause damage to a system or network.
  B. Compare system activity for the behaviour patterns of new attacks.
  C. Compare system activity, looking for events or sets of events that match a predefined pattern of events that describe a known attack.
  D. Compare network nodes looking for objects or sets of objects that match a predefined pattern of objects that may describe a known attack.
  C. Compare system activity, looking for events or sets of events that match a predefined pattern of events that describe a known attack.

  ---

  Misuse detectors compare system activity, looking for events or sets of events that match a predefined pattern of events that describe a known attack. As the patterns corresponding to known attacks are called signatures, misuse detection is

  sometimes called "signature-based detection."

  The most common form of misuse detection used in commercial products specifies each pattern of events corresponding to an attack as a separate signature. However, there are more sophisticated approaches to doing misuse detection

  (called "state-based" analysis techniques) that can leverage a single signature to detect groups of attacks.

  Reference:

  Old Document:

  BACE, Rebecca and MELL, Peter, NIST Special Publication 800-31 on Intrusion Detection Systems, Page 16.

  The publication above has been replaced by 800-94 on page 2-4

  The Updated URL is: http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf