ISC SSCP Online Practice Questions and Exam Preparation

ISC SSCP Online Questions & Answers

• Question 521:

  A momentary low voltage, from 1 cycle to a few seconds, is a:

  A. spike
  B. blackout
  C. sag
  D. fault
  C. sag

  ---

  A momentary low voltage is a sag. A synonym would be a dip. Risks to electrical power supply: POWER FAILURE Blackout: complete loss of electrical power Fault: momentary power outage POWER DEGRADATION Brownout: an intentional reduction of voltage by the power company. Sag/dip: a short period of low voltage POWER EXCESS Surge: Prolonged rise in voltage Spike: Momentary High Voltage In-rush current: the initial surge of current required by a load before it reaches normal operation. - Transient: line noise or disturbance is superimposed on the supply circuit and can cause fluctuations in electrical power Refence(s) used for this question: Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (p. 462). McGraw-Hill.

  Kindle Edition.

• Question 522:

  Which of the following is most appropriate to notify an internal user that session monitoring is being conducted?

  A. Logon Banners
  B. Wall poster
  C. Employee Handbook
  D. Written agreement
  D. Written agreement

  ---

  This is a tricky question, the keyword in the question is Internal users.

  There are two possible answers based on how the question is presented, this question could either apply to internal users or ANY anonymous/external users.

  Internal users should always have a written agreement first, then logon banners serve as a constant reminder.

  Banners at the log-on time should be used to notify external users of any monitoring that is being conducted. A good banner will give you a better legal stand and also makes it obvious the user was warned about who should access the system, who is authorized and unauthorized, and if it is an unauthorized user then he is fully aware of trespassing. Anonymous/External users, such as those logging into a web site, ftp server or even a mail server; their only notification system is the use of a logon banner.

  References used for this question:

  KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 50.

  and

  Shon Harris, CISSP All-in-one, 5th edition, pg 873

• Question 523:

  Which of the following assertions is NOT true about pattern matching and anomaly detection in intrusion detection?

  A. Anomaly detection tends to produce more data
  B. A pattern matching IDS can only identify known attacks
  C. Stateful matching scans for attack signatures by analyzing individual packets instead of traffic streams
  D. An anomaly-based engine develops baselines of normal traffic activity and throughput, and alerts on deviations from these baselines
  C. Stateful matching scans for attack signatures by analyzing individual packets instead of traffic streams

  ---

  This is wrong which makes this the correct choice. This statement is not true as stateful matching scans for attack signatures by analyzing traffic streams rather than individual packets. Stateful matching intrusion detection takes pattern

  matching to the next level.

  As networks become faster there is an emerging need for security analysis techniques that can keep up with the increased network throughput. Existing network-based intrusion detection sensors can barely keep up with bandwidths of a few

  hundred Mbps. Analysis tools that can deal with higher throughput are unable to maintain state between different steps of an attack or they are limited to the analysis of packet headers.

  The following answers are all incorrect:

  Anomaly detection tends to produce more data is true as an anomaly-based IDS produces a lot of data as any activity outside of expected behavior is recorded.

  A pattern matching IDS can only identify known attacks is true as a pattern matching IDS works by comparing traffic streams against signatures. These signatures are created for known attacks.

  An anomaly-based engine develops baselines of normal traffic activity and throughput, and alerts on deviations from these baselines is true as the assertion is a characteristic of a statistical anomaly-based IDS.

  Reference:

  Official guide to the CISSP CBK. Pages 198 to 201

  http://cs.ucsb.edu/~vigna/publications/2003_vigna_robertson_kher_kemmerer_ACSAC03.pdf

• Question 524:

  What can best be defined as the sum of protection mechanisms inside the computer, including hardware, firmware and software?

  A. Trusted system
  B. Security kernel
  C. Trusted computing base
  D. Security perimeter
  C. Trusted computing base

  ---

  The Trusted Computing Base (TCB) is defined as the total combination of protection mechanisms within a computer system. The TCB includes hardware, software, and firmware. These are part of the TCB because the system is sure that

  these components will enforce the security policy and not violate it.

  The security kernel is made up of hardware, software, and firmware components at fall within the TCB and implements and enforces the reference monitor concept.

  Reference:

  AIOv4 Security Models and Architecture pgs 268, 273

• Question 525:

  Which of the following reviews system and event logs to detect attacks on the host and determine if the attack was successful?

  A. host-based IDS
  B. firewall-based IDS
  C. bastion-based IDS
  D. server-based IDS
  A. host-based IDS

  ---

  A host-based IDS can review the system and event logs in order to detect an attack on the host and to determine if the attack was successful.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 48.

• Question 526:

  What can best be described as a domain of trust that shares a single security policy and single management?

  A. The reference monitor
  B. A security domain
  C. The security kernel
  D. The security perimeter
  B. A security domain

  ---

  A security domain is a domain of trust that shares a single security policy and single management.

  The term security domain just builds upon the definition of domain by adding the fact that resources within this logical structure (domain) are working under the same security policy and managed by the same group.

  So, a network administrator may put all of the accounting personnel, computers, and network resources in Domain 1 and all of the management personnel, computers, and network resources in Domain 2. These items fall into these individual

  containers because they not only carry out similar types of business functions, but also, and more importantly, have the same type of trust level. It is this common trust level that allows entities to be managed by one single security policy.

  The different domains are separated by logical boundaries, such as firewalls with ACLs, directory services making access decisions, and objects that have their own ACLs indicating which individuals and groups can carry out operations on

  them.

  All of these security mechanisms are examples of components that enforce the security policy for each domain. Domains can be architected in a hierarchical manner that dictates the relationship between the different domains and the ways in

  which subjects within the different domains can communicate. Subjects can access resources in domains of equal or lower trust levels.

  The following are incorrect answers:

  The reference monitor is an abstract machine which must mediate all access to subjects to objects, be protected from modification, be verifiable as correct, and is always invoked. Concept that defines a set of design requirements of a

  reference validation mechanism (security kernel), which enforces an access control policy over subjects' (processes, users) ability to perform operations (read, write, execute) on objects (files, resources) on a system. The reference monitor

  components must be small enough to test properly and be tamperproof.

  The security kernel is the hardware, firmware and software elements of a trusted computing base that implement the reference monitor concept.

  The security perimeter includes the security kernel as well as other security-related system functions that are within the boundary of the trusted computing base. System elements that are outside of the security perimeter need not be trusted.

  not every process and resource falls within the TCB, so some of these components fall outside of an imaginary boundary referred to as the security perimeter. A security perimeter is a boundary that divides the trusted from the untrusted. For

  the system to stay in a secure and trusted state, precise communication standards must be developed to ensure that when a component within the TCB needs to communicate with a component outside the TCB, the communication cannot

  expose the system to unexpected security compromises. This type of communication is handled and controlled through interfaces.

  Reference(s) used for this question:

  Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 28548-28550).

  McGraw-Hill. Kindle Edition.

  Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 7873- 7877).

  McGraw-Hill. Kindle Edition.

  Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition , Access Control, Page 214-217 Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition :

  Security Architecture and Design (Kindle Locations 1280-1283). . Kindle Edition. TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

  AIO 6th edition chapter 3 access control page 214-217 defines Security domains. Reference monitor, Security Kernel, and Security Parameter are defined in Chapter 4, Security Architecture and Design.

• Question 527:

  Which of the following is implemented through scripts or smart agents that replays the users multiple log- ins against authentication servers to verify a user's identity which permit access to system services?

  A. Single Sign-On
  B. Dynamic Sign-On
  C. Smart cards
  D. Kerberos
  A. Single Sign-On

  ---

  SSO can be implemented by using scripts that replay the users multiple log-ins against authentication servers to verify a user's identity and to permit access to system services.

  Single Sign on was the best answer in this case because it would include Kerberos.

  When you have two good answers within the 4 choices presented you must select the BEST one. The high level choice is always the best. When one choice would include the other one that would be the best as well.

  Reference(s) used for this question:

  KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 40.

• Question 528:

  IT security measures should:

  A. Be complex
  B. Be tailored to meet organizational security goals.
  C. Make sure that every asset of the organization is well protected.
  D. Not be developed in a layered fashion.
  B. Be tailored to meet organizational security goals.

  ---

  In general, IT security measures are tailored according to an organization's unique needs. While numerous factors, such as the overriding mission requirements, and guidance, are to be considered, the fundamental issue is the protection of the mission or business from IT security- related, negative impacts. Because IT security needs are not uniform, system designers and security practitioners should consider the level of trust when connecting to other external networks and internal sub-domains. Recognizing the uniqueness of each system allows a layered security strategy to be used - implementing lower assurance solutions with lower costs to protect less critical systems and higher assurance solutions only at the most critical areas.

  The more complex the mechanism, the more likely it may possess exploitable flaws. Simple mechanisms tend to have fewer exploitable flaws and require less maintenance. Further, because configuration management issues are simplified, updating or replacing a simple mechanism becomes a less intensive process.

  Security designs should consider a layered approach to address or protect against a specific threat or to reduce a vulnerability. For example, the use of a packet-filtering router in conjunction with an application gateway and an intrusion detection system combine to increase the work-factor an attacker must expend to successfully attack the system. Adding good password controls and adequate user training improves the system's security posture even more.

  The need for layered protections is especially important when commercial-off-the-shelf (COTS) products are used. Practical experience has shown that the current state-of-the-art for security quality in COTS products does not provide a high degree of protection against sophisticated attacks. It is possible to help mitigate this situation by placing several controls in series, requiring additional work by attackers to accomplish their goals.

  Source: STONEBURNER, Gary and al, National Institute of Standards and Technology (NIST), NIST Special Publication 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security), June 2001 (pages 9-10).

• Question 529:

  Which of the following is true of two-factor authentication?

  A. It uses the RSA public-key signature based on integers with large prime factors.
  B. It requires two measurements of hand geometry.
  C. It does not use single sign-on technology.
  D. It relies on two independent proofs of identity.
  D. It relies on two independent proofs of identity.

  ---

  The Answer: It relies on two independent proofs of identity. Two-factor authentication refers to using two independent proofs of identity, such as something the user has (e.g. a token card) and something the user knows (a password). Two-factor authentication may be used with single sign-on.

  The following answers are incorrect: It requires two measurements of hand geometry. Measuring hand geometry twice does not yield two independent proofs.

  It uses the RSA public-key signature based on integers with large prime factors. RSA encryption uses integers with exactly two prime factors, but the term "two-factor authentication" is not used in that context.

  It does not use single sign-on technology. This is a detractor.

  The following reference(s) were/was used to create this question: Shon Harris AIO v.3 p.129 ISC2 OIG, 2007 p. 126

• Question 530:

  Sensitivity labels are an example of what application control type?

  A. Preventive security controls
  B. Detective security controls
  C. Compensating administrative controls
  D. Preventive accuracy controls
  A. Preventive security controls

  ---

  Sensitivity labels are a preventive security application controls, such as are firewalls, reference monitors, traffic padding, encryption, data classification, one-time passwords, contingency planning, separation of development, application and

  test environments.

  The incorrect answers are:

  Detective security controls - Intrusion detection systems (IDS), monitoring activities, and audit trails.

  Compensating administrative controls - There no such application control.

  Preventive accuracy controls - data checks, forms, custom screens, validity checks, contingency planning, and backups.

  Sources:

  KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 7: Applications and Systems Development (page 264).

  KRUTZ, Ronald and VINES, Russel, The CISSP Prep Guide: Gold Edition, Wiley Publishing Inc., 2003, Chapter 7: Application Controls, Figure 7.1 (page 360).