ISC SSCP Online Practice Questions and Exam Preparation

ISC SSCP Online Questions & Answers

• Question 511:

  What is the MOST critical piece to disaster recovery and continuity planning?

  A. Security policy
  B. Management support
  C. Availability of backup information processing facilities
  D. Staff training
  B. Management support

  ---

  The keyword is ' MOST CRITICAL ' and the correct answer is ' Management Support ' as the management must be convinced of its necessity and that's why a business case must be made. The decision of how a company should recover

  from any disaster is purely a business decision and should be treated as so.

  The other answers are incorrect because :

  Security policy is incorrect as it is not the MOST CRITICAL piece.

  Availability of backup information processing facilities is incorrect as this comes once the organization has BCP Plans in place and for a BCP Plan , management support must be there.

  Staff training comes after the plans are in place with the support from management.

  Reference : Shon Harris , AIO v3 , Chapter-9: Business Continuity Planning , Page : 697.

• Question 512:

  Another example of Computer Incident Response Team (CIRT) activities is:

  A. Management of the netware logs, including collection, retention, review, and analysis of data
  B. Management of the network logs, including collection and analysis of data
  C. Management of the network logs, including review and analysis of data
  D. Management of the network logs, including collection, retention, review, and analysis of data
  D. Management of the network logs, including collection, retention, review, and analysis of data

  ---

  Additional examples of CIRT activities are:

  Management of the network logs, including collection, retention, review, and analysis of data

  Management of the resolution of an incident, management of the remediation of a vulnerability, and post- event reporting to the appropriate parties.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 64.

• Question 513:

  Which one of the following authentication mechanisms creates a problem for mobile users?

  A. Mechanisms based on IP addresses
  B. Mechanism with reusable passwords
  C. one-time password mechanism.
  D. challenge response mechanism.
  A. Mechanisms based on IP addresses

  ---

  Anything based on a fixed IP address would be a problem for mobile users because their location and its associated IP address can change from one time to the next. Many providers will assign a new IP every time the device would be

  restarted. For example an insurance adjuster using a laptop to file claims online. He goes to a different client each time and the address changes every time he connects to the ISP.

  NOTE FROM CLEMENT:

  The term MOBILE in this case is synonymous with Road Warriors where a user is contantly traveling and changing location. With smartphone today that may not be an issue but it would be an issue for laptops or WIFI tablets. Within a carrier

  network the IP will tend to be the same and would change rarely. So this question is more applicable to devices that are not cellular devices but in some cases this issue could affect cellular devices as well.

  The following answers are incorrect:

  mechanism with reusable password. This is incorrect because reusable password mechanism would not present a problem for mobile users. They are the least secure and change only at specific interval.

  one-time password mechanism. This is incorrect because a one-time password mechanism would not present a problem for mobile users. Many are based on a clock and not on the IP address of the user.

  challenge response mechanism. This is incorrect because challenge response mechanism would not present a problem for mobile users.

• Question 514:

  Which of the following control pairings include: organizational policies and procedures, pre- employment background checks, strict hiring practices, employment agreements, employee termination procedures, vacation scheduling, labeling of sensitive materials, increased supervision, security awareness training, behavior awareness, and sign-up procedures to obtain access to information systems and networks?

  A. Preventive/Administrative Pairing
  B. Preventive/Technical Pairing
  C. Preventive/Physical Pairing
  D. Detective/Administrative Pairing
  A. Preventive/Administrative Pairing

  ---

  The Answer: Preventive/Administrative Pairing: These mechanisms include organizational policies and procedures, pre-employment background checks, strict hiring practices, employment agreements, friendly and unfriendly employee termination procedures, vacation scheduling, labeling of sensitive materials, increased supervision, security awareness training, behavior awareness, and sign-up procedures to obtain access to information systems and networks. Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 34.

• Question 515:

  Which of the following would NOT violate the Due Diligence concept?

  A. Security policy being outdated
  B. Data owners not laying out the foundation of data protection
  C. Network administrator not taking mandatory two-week vacation as planned
  D. Latest security patches for servers being installed as per the Patch Management process
  D. Latest security patches for servers being installed as per the Patch Management process

  ---

  To be effective a patch management program must be in place (due diligence) and detailed procedures would specify how and when the patches are applied properly (Due Care). Remember, the question asked for NOT a violation of Due

  Diligence, in this case, applying patches demonstrates due care and the patch management process in place demonstrates due diligence.

  Due diligence is the act of investigating and understanding the risks the company faces. A company practices by developing and implementing security policies, procedures, and standards. Detecting risks would be based on standards such

  as ISO 2700, Best Practices, and other published standards such as NIST standards for example. Due Diligence is understanding the current threats and risks. Due diligence is practiced by activities that make sure that the protection

  mechanisms are continually maintained and operational where risks are constantly being evaluated and reviewed. The security policy being outdated would be an example of violating the due diligence concept.

  Due Care is implementing countermeasures to provide protection from those threats. Due care is when the necessary steps to help protect the company and its resources from possible risks that have been identifed. If the information owner

  does not lay out the foundation of data protection (doing something about it) and ensure that the directives are being enforced (actually being done and kept at an acceptable level), this would violate the due care concept.

  If a company does not practice due care and due diligence pertaining to the security of its assets, it can be legally charged with negligence and held accountable for any ramifications of that negligence. Liability is usually established based on

  Due Diligence and Due Care or the lack of either.

  A good way to remember this is using the first letter of both words within Due Diligence (DD) and Due Care (DC).

  Due Diligence = Due Detect

  Steps you take to identify risks based on best practices and standards.

  Due Care = Due Correct.

  Action you take to bring the risk level down to an acceptable level and maintaining that level over time.

  The Following answer were wrong:

  Security policy being outdated:

  While having and enforcing a security policy is the right thing to do (due care), if it is outdated, you are not doing it the right way (due diligence). This questions violates due diligence and not due care.

  Data owners not laying out the foundation for data protection:

  Data owners are not recognizing the "right thing" to do. They don't have a security policy.

  Network administrator not taking mandatory two week vacation:

  The two week vacation is the "right thing" to do, but not taking the vacation violates due diligence (not doing the right thing the right way)

  Reference(s) used for this question

  Shon Harris, CISSP All In One, Version 5, Chapter 3, pg 110

• Question 516:

  Which of the following is not a logical control when implementing logical access security?

  A. access profiles.
  B. userids.
  C. employee badges.
  D. passwords.
  C. employee badges.

  ---

  Employee badges are considered Physical so would not be a logical control.

  The following answers are incorrect:

  userids. Is incorrect because userids are a type of logical control. access profiles. Is incorrect because access profiles are a type of logical control. passwords. Is incorrect because passwords are a type of logical control.

• Question 517:

  Which of the following is a telecommunication device that translates data from digital to analog form and back to digital?

  A. Multiplexer
  B. Modem
  C. Protocol converter
  D. Concentrator
  B. Modem

  ---

  A modem is a device that translates data from digital form and then back to digital for communication over analog lines.

  Source: Information Systems Audit and Control Association,

  Certified Information Systems Auditor 2002 review manual, Chapter 3: Technical Infrastructure and Operational Practices (page 114).

• Question 518:

  A Security Kernel is defined as a strict implementation of a reference monitor mechanism responsible for enforcing a security policy. To be secure, the kernel must meet three basic conditions, what are they?

  A. Confidentiality, Integrity, and Availability
  B. Policy, mechanism, and assurance
  C. Isolation, layering, and abstraction
  D. Completeness, Isolation, and Verifiability
  D. Completeness, Isolation, and Verifiability

  ---

  A security kernel is responsible for enforcing a security policy. It is a strict implementation of a reference monitor mechanism. The architecture of a kernel operating system is typically layered, and the kernel should be at the lowest and most primitive level. It is a small portion of the operating system through which all references to information and all changes to authorizations must pass. In theory, the kernel implements access control and information flow control between

  implemented objects according to the security policy.

  To be secure, the kernel must meet three basic conditions:

  completeness (all accesses to information must go through the kernel),

  isolation (the kernel itself must be protected from any type of unauthorized access),

  and verifiability (the kernel must be proven to meet design specifications).

  The reference monitor, as noted previously, is an abstraction, but there may be a reference validator, which usually runs inside the security kernel and is responsible for performing security access checks on objects, manipulating privileges,

  and generating any resulting security audit messages.

  A term associated with security kernels and the reference monitor is the trusted computing base (TCB). The TCB is the portion of a computer system that contains all elements of the system responsible for supporting the security policy and

  the isolation of objects. The security capabilities of products for use in the TCB can be verified through various evaluation criteria, such as the earlier Trusted Computer System Evaluation Criteria (TCSEC) and the current Common Criteria standard. Many of these security terms--reference monitor, security kernel, TCB--are defined loosely by vendors for purposes of marketing literature. Thus, it is necessary for security professionals to read the small print and between the lines to fully

  understand what the vendor is offering in regard to security features.

  TIP FOR THE EXAM:

  The terms Security Kernel and Reference monitor are synonymous but at different levels.

  As it was explained by Diego:

  While the Reference monitor is the concept, the Security kernel is the implementation of such concept (via hardware, software and firmware means).

  The two terms are the same thing, but on different levels: one is conceptual, one is "technical"

  The following are incorrect answers:

  Confidentiality, Integrity, and Availability

  Policy, mechanism, and assurance

  Isolation, layering, and abstraction

  Reference(s) used for this question:

  Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 13858-13875). Auerbach Publications. Kindle Edition.

• Question 519:

  Which of the following is a problem regarding computer investigation issues?

  A. Information is tangible.
  B. Evidence is easy to gather.
  C. Computer-generated records are only considered secondary evidence, thus are not as reliable as best evidence.
  D. In many instances, an expert or specialist is not required.
  C. Computer-generated records are only considered secondary evidence, thus are not as reliable as best evidence.

  ---

  Because computer-generated records normally fall under the category of hearsay evidence because they cannot be proven accurate and reliable this can be a problem.

  Under the U.S. Federal Rules of Evidence, hearsay evidence is generally not admissible in court. This inadmissibility is known as the hearsay rule, although there are some exceptions for how, when, by whom and in what circumstances data

  was collected.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 9: Law, Investigation, and Ethics (page 310).

  IMPORTANT NOTE:

  For the purpose of the exam it is very important to remember the Business Record exemption to the Hearsay Rule. For example: if you create log files and review them on a regular basis as part of a business process, such files would be

  admissable in court and they would not be considered hearsay because they were made in the course of regular business and it is part of regular course of business to create such record.

  Here is another quote from the HISM book:

  Business Record Exemption to the Hearsay Rule

  Federal Rules of Evidence 803(6) allow a court to admit a report or other business document made at or near the time by or from information transmitted by a person with knowledge, if kept in the course of regularly conducted business

  activity, and if it was the regular practice of that business activity to make the [report or document], all as shown by testimony of the custodian or other qualified witness, unless the source of information or the method or circumstances of

  preparation indicate lack of trustworthiness.

  To meet Rule 803(6) the witness must:

  ?Have custody of the records in question on a regular basis.

  ?Rely on those records in the regular course of business.

  ?Know that they were prepared in the regular course of business.

  Audit trails meet the criteria if they are produced in the normal course of business. The process to produce the output will have to be proven to be reliable. If computer-generated evidence is used and admissible, the court may order

  disclosure of the details of the computer, logs, and maintenance records in respect to the system generating the printout, and then the defense may use that material to attack the reliability of the evidence. If the audit trails are not used or

  reviewed -- at least the exceptions (e.g., failed log-on attempts) -- in the regular course of business, they do not meet the criteria for admissibility.

  Federal Rules of Evidence 1001(3) provide another exception to the hearsay rule. This rule allows a memory or disk dump to be admitted as evidence, even though it is not done in the regular course of business. This dump merely acts as

  statement of fact. System dumps (in binary or hexadecimal) are not hearsay because they are not being offered to prove the truth of the contents, but only the state of the computer.

  BUSINESS RECORDS LAW EXAMPLE:

  The business records law was enacted in 1931 (PA No. 56). For a document to be admissible under the statute, the proponent must show: (1) the document was made in the regular course of business; (2) it was the regular course of

  business to make the record; and (3) the record was made when the act, transaction, or event occurred, or shortly thereafter (State v. Vennard, 159 Conn. 385, 397 (1970); Mucci v. LeMonte, 157 Conn. 566, 570 (1969). The failure to

  establish any one of these essential elements renders the document inadmissible under the statute (McCahill v. Town and Country Associates, Ltd. , 185 Conn. 37 (1981); State v. Peary, 176 Conn. 170 (1978); Welles v. Fish Transport Co. , ,

  123 Conn. 49 (1937).

  The statute expressly provides that the person who made the business entry does not have to be unavailable as a witness and the proponent does not have to call as a witness the person who made the record or show the person to be

  unavailable (State v. Jeustiniano, 172 Conn. 275 (1977). The person offering the business records as evidence does not have to independently prove the trustworthiness of the record. But, there is no presumption that the record is accurate;

  the record's accuracy and weight are issues for the trier of fact (State v. Waterman, 7 Conn. App. 326 (1986); Handbook of Connecticut Evidence, Second Edition, ?11. 14. 3).

  Reference: http://search.cga.state.ct.us/dtsearch_lpa.asp?cmd=getdocandDocId=16833andIndex=I %3A% 5Czindex%5C1995andHitCount=0andhits=andhc=0andreq=andItem=712

• Question 520:

  The DES algorithm is an example of what type of cryptography?

  A. Secret Key
  B. Two-key
  C. Asymmetric Key
  D. Public Key
  A. Secret Key

  ---

  DES is also known as a Symmetric Key or Secret Key algorithm.

  DES is a Symmetric Key algorithm, meaning the same key is used for encryption and decryption.

  For the exam remember that:

  DES key Sequence is 8 Bytes or 64 bits (8 x 8 = 64 bits)

  DES has an Effective key length of only 56 Bits. 8 of the Bits are used for parity purpose only.

  DES has a total key length of 64 Bits.

  The following answers are incorrect:

  Two-key This is incorrect because DES uses the same key for encryption and decryption.

  Asymmetric Key This is incorrect because DES is a Symmetric Key algorithm using the same key for encryption and decryption and an Asymmetric Key algorithm uses both a Public Key and a Private Key.

  Public Key. This is incorrect because Public Key or algorithm Asymmetric Key does not use the same key is used for encryption and decryption.

  References used for this question:

  http://en.wikipedia.org/wiki/Data_Encryption_Standard