ISC SSCP Online Practice Questions and Exam Preparation

ISC SSCP Online Questions & Answers

• Question 491:

  In an organization where there are frequent personnel changes, non-discretionary access control using Role Based Access Control (RBAC) is useful because:

  A. people need not use discretion
  B. the access controls are based on the individual's role or title within the organization.
  C. the access controls are not based on the individual's role or title within the organization
  D. the access controls are often based on the individual's role or title within the organization
  B. the access controls are based on the individual's role or title within the organization.

  ---

  In an organization where there are frequent personnel changes, non-discretionary access control (also called Role Based Access Control) is useful because the access controls are based on the individual's role or title within the organization.

  You can easily configure a new employee acces by assigning the user to a role that has been predefine. The user will implicitly inherit the permissions of the role by being a member of that role.

  These access permissions defined within the role do not need to be changed whenever a new person takes over the role.

  Another type of non-discretionary access control model is the Rule Based Access Control (RBAC or RuBAC) where a global set of rule is uniformly applied to all subjects accessing the resources. A good example of RuBAC would be a

  firewall.

  This question is a sneaky one, one of the choice has only one added word to it which is often. Reading questions and their choices very carefully is a must for the real exam. Reading it twice if needed is recommended.

  Shon Harris in her book list the following ways of managing RBAC:

  Role-based access control can be managed in the following ways:

  Non-RBAC Users are mapped directly to applications and no roles are used. (No roles being used)

  Limited RBAC Users are mapped to multiple roles and mapped directly to other types of applications that do not have role-based access functionality. (A mix of roles for applications that supports roles and explicit access control would be

  used for applications that do not support roles)

  Hybrid RBAC Users are mapped to multiapplication roles with only selected rights assigned to those roles. Full RBAC Users are mapped to enterprise roles. (Roles are used for all access being granted)

  NIST defines RBAC as:

  Security administration can be costly and prone to error because administrators usually specify access control lists for each user on the system individually. With RBAC, security is managed at a level that corresponds closely to the

  organization's structure. Each user is assigned one or more roles, and each role is assigned one or more privileges that are permitted to users in that role. Security administration with RBAC consists of determining the operations that must be

  executed by persons in particular jobs, and assigning employees to the proper roles. Complexities introduced by mutually exclusive roles or role hierarchies are handled by the RBAC software, making security administration easier.

  Reference(s) used for this question:

  KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 32.

  and

  Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition McGraw-Hill.

  and

  http://csrc.nist.gov/groups/SNS/rbac/

• Question 492:

  Which of the following is most appropriate to notify an external user that session monitoring is being conducted?

  A. Logon Banners
  B. Wall poster
  C. Employee Handbook
  D. Written agreement
  A. Logon Banners

  ---

  Banners at the log-on time should be used to notify external users of any monitoring that is being conducted. A good banner will give you a better legal stand and also makes it obvious the user was warned about who should access the

  system and if it is an unauthorized user then he is fully aware of trespassing.

  This is a tricky question, the keyword in the question is External user.

  There are two possible answers based on how the question is presented, this question could either apply to internal users or ANY anonymous user.

  Internal users should always have a written agreement first, then logon banners serve as a constant reminder.

  Anonymous users, such as those logging into a web site, ftp server or even a mail server; their only notification system is the use of a logon banner.

  References used for this question:

  KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 50.

  and

  Shon Harris, CISSP All-in-one, 5th edition, pg 873

• Question 493:

  Which of the following can best define the "revocation request grace period"?

  A. The period of time allotted within which the user must make a revocation request upon a revocation reason
  B. Minimum response time for performing a revocation by the CA
  C. Maximum response time for performing a revocation by the CA
  D. Time period between the arrival of a revocation request and the publication of the revocation information
  D. Time period between the arrival of a revocation request and the publication of the revocation information

  ---

  The length of time between the Issuer's receipt of a revocation request and the time the Issuer is required to revoke the certificate should bear a reasonable relationship to the amount of risk the participants are willing to assume that someone

  may rely on a certificate for which a proper evocation request has been given but has not yet been acted upon.

  How quickly revocation requests need to be processed (and CRLs or certificate status databases need to be updated) depends upon the specific application for which the Policy Authority is rafting the Certificate Policy.

  A Policy Authority should recognize that there may be risk and lost tradeoffs with respect to grace periods for revocation notices.

  If the Policy Authority determines that its PKI participants are willing to accept a grace period of a few hours in exchange for a lower implementation cost, the Certificate Policy may reflect that decision.

• Question 494:

  What is the proper term to refer to a single unit of IP data?

  A. IP segment.
  B. IP datagram.
  C. IP frame.
  D. IP fragment.
  B. IP datagram.

  ---

  IP is a datagram based technology.

  DIFFERENCE BETWEEN PACKETS AND DATAGRAM

  As specified at: http://en.wikipedia.org/wiki/Packet_(information_technology)

  In general, the term packet applies to any message formatted as a packet, while the term datagram is generally reserved for packets of an "unreliable" service.

  A "reliable" service is one that notifies the user if delivery fails, while an "unreliable" one does not notify the user if delivery fails. For example, IP provides an unreliable service.

  Together, TCP and IP provide a reliable service, whereas UDP and IP provide an unreliable one. All these protocols use packets, but UDP packets are generally called datagrams.

  If a network does not guarantee packet delivery, then it becomes the host's responsibility to provide reliability by detecting and retransmitting lost packets. Subsequent experience on the ARPANET indicated that the network itself could not

  reliably detect all packet delivery failures, and this pushed responsibility for error detection onto the sending host in any case. This led to the development of the end-to-end principle, which is one of the Internet's fundamental design

  assumptions.

  The following answers are incorrect:

  IP segment. Is incorrect because IP segment is a detractor, the correct terminology is TCP segment. IP is a datagram based technology.

  IP frame. Is incorrect because IP frame is a detractor, the correct terminology is Ethernet frame.

  IP is a datagram based technology.

  IP fragment. Is incorrect because IP fragment is a detractor.

  References:

  Wikipedia http://en.wikipedia.org/wiki/Internet_Protocol

• Question 495:

  Which of the following is the act of performing tests and evaluations to test a system's security level to see if it complies with the design specifications and security requirements?

  A. Validation
  B. Verification
  C. Assessment
  D. Accuracy
  B. Verification

  ---

  Verification vs. Validation:

  Verification determines if the product accurately represents and meets the specifications. A product can be developed that does not match the original specifications. This step ensures that the specifications are properly met.

  Validation determines if the product provides the necessary solution intended real-world problem. In large projects, it is easy to lose sight of overall goal. This exercise ensures that the main goal of the project is met.

  From DITSCAP:

  6.3.2. Phase 2, Verification. The Verification phase shall include activities to verify compliance of the system with previously agreed security requirements. For each life-cycle development activity, DoD Directive 5000.1 (reference (i)), there is a corresponding set of security activities, enclosure 3, that shall verify compliance with the security requirements and evaluate vulnerabilities.

  6.3.3. Phase 3, Validation. The Validation phase shall include activities to evaluate the fully integrated system to validate system operation in a specified computing environment with an acceptable level of residual risk. Validation shall

  culminate in an approval to operate.

  You must also be familiar with Verification and Validation for the purpose of the exam. A simple definition for Verification would be whether or not the developers followed the design specifications along with the security requirements. A simple

  definition for Validation would be whether or not the final product meets the end user needs and can be use for a specific purpose.

  Wikipedia has an informal description that is currently written as: Validation can be expressed by the query "Are you building the right thing?" and Verification by "Are you building it right? NOTE:

  DITSCAP was replaced by DIACAP some time ago (2007). While DITSCAP had defined both a verification and a validation phase, the DIACAP only has a validation phase. It may not make a difference in the answer for the exam; however,

  DIACAP is the cornerstone policy of DOD CandA and IA efforts today. Be familiar with both terms just in case all of a sudden the exam becomes updated with the new term.

  Reference(s) used for this question:

  Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 1106). McGraw-Hill.

  Kindle Edition. http://iase.disa.mil/ditscap/DITSCAP.html https://en.wikipedia.org/wiki/Verification_and_validation For the definition of "validation" in DIACAP, Click Here Further sources for the phases in DIACAP, Click Here

• Question 496:

  Which protocol is NOT implemented in the Network layer of the OSI Protocol Stack?

  A. hyper text transport protocol
  B. Open Shortest Path First
  C. Internet Protocol
  D. Routing Information Protocol
  A. hyper text transport protocol

  ---

  Open Shortest Path First, Internet Protocol, and Routing Information Protocol are all protocols implemented in the Network Layer. Domain: Telecommunications and Network Security References: AIO 3rd edition. Page 429 Official Guide to the CISSP CBK. Page 411

• Question 497:

  Which of the following statements relating to the Bell-LaPadula security model is FALSE (assuming the Strong Star property is not being used) ?

  A. A subject is not allowed to read up.
  B. The property restriction can be escaped by temporarily downgrading a high level subject.
  C. A subject is not allowed to read down.
  D. It is restricted to confidentiality.
  C. A subject is not allowed to read down.

  ---

  It is not a property of Bell LaPadula model.

  The other answers are incorrect because:

  A subject is not allowed to read up is a property of the 'simple security rule' of Bell LaPadula model.

  The property restriction can be escaped by temporarily downgrading a high level subject can be escaped by temporarily downgrading a high level subject or by identifying a set of trusted objects which are permitted to violate the property as

  long as it is not in the middle of an operation.

  It is restricted to confidentiality as it is a state machine model that enforces the confidentiality aspects of access control.

  Reference: Shon Harris AIO v3 , Chapter-5 : Security Models and Architecture , Page:279-282

• Question 498:

  Which of the following layers provides end-to-end data transfer service?

  A. Network Layer.
  B. Data Link Layer.
  C. Transport Layer.
  D. Presentation Layer.
  C. Transport Layer.

  ---

  It is the Transport Layer that is responsible for reliable end-to-end data transfer between end systems.

  The following answers are incorrect:

  Network Layer. Is incorrect because the Network Layer is the OSI layer that is responsible for routing, switching, and subnetwork access across the entire OSI environment.

  Data Link Layer. Is incorrect because the Data Link Layer is the serial communications path between nodes or devices without any intermediate switching nodes.

  Presentation Layer. Is incorrect because the Presentation Layer is the OSI layer that determines how application information is represented (i.e., encoded) while in transit between two end systems.

• Question 499:

  What is the role of IKE within the IPsec protocol?

  A. peer authentication and key exchange
  B. data encryption
  C. data signature
  D. enforcing quality of service
  A. peer authentication and key exchange

  ---

  Reference: RFC 2409: The Internet Key Exchange (IKE); DORASWAMY, Naganand and HARKINS, Dan, Ipsec: The New Security Standard for the Internet, Intranets, and Virtual Private Networks, 1999, Prentice Hall PTR; SMITH, Richard E., Internet Cryptography, 1997, Addison-Wesley Pub Co.

• Question 500:

  The control measures that are intended to reveal the violations of security policy using software and hardware are associated with:

  A. Preventive/physical
  B. Detective/technical
  C. Detective/physical
  D. Detective/administrative
  B. Detective/technical

  ---

  The detective/technical control measures are intended to reveal the violations of security policy using technical means.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 35.