ISC SSCP Online Practice Questions and Exam Preparation

ISC SSCP Online Questions & Answers

• Question 551:

  The three classic ways of authenticating yourself to the computer security software are: something you know, something you have, and something:

  A. you need.
  B. you read.
  C. you are.
  D. you do.
  C. you are.

  ---

  Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

• Question 552:

  What can best be defined as high-level statements, beliefs, goals and objectives?

  A. Standards
  B. Policies
  C. Guidelines
  D. Procedures
  B. Policies

  ---

  Policies are high-level statements, beliefs, goals and objectives and the general means for their attainment for a specific subject area. Standards are mandatory activities, action, rules or regulations designed to provide policies with the support structure and specific direction they require to be effective. Guidelines are more general statements of how to achieve the policies objectives by providing a framework within which to implement procedures. Procedures spell out the specific steps of how the policy and supporting standards and how guidelines will be implemented.

  Source: HARE, Chris, Security management Practices CISSP Open Study Guide, version 1.0, april 1999.

• Question 553:

  Out of the steps listed below, which one is not one of the steps conducted during the Business Impact Analysis (BIA)?

  A. Alternate site selection
  B. Create data-gathering techniques
  C. Identify the company's critical business functions
  D. Select individuals to interview for data gathering
  A. Alternate site selection

  ---

  Selecting and Alternate Site would not be done within the initial BIA. It would be done at a later stage of the BCP and DRP recovery effort. All of the other choices were steps that would be conducted during the BIA. See below the list of steps that would be done during the BIA. A BIA (business impact analysis ) is considered a functional analysis, in which a team collects data through interviews and documentary sources; documents business functions, activities, and transactions ; develops a hierarchy of business functions; and finally applies a classification scheme to indicate each individual function's criticality level.

  BIA Steps

  1.

  Select individuals to interview for data gathering.

  2.

  Create data-gathering techniques (surveys, questionnaires, qualitative and quantitative approaches).

  3.

  Identify the company's critical business functions.

  4.

  Identify the resources these functions depend upon.

  5.

  Calculate how long these functions can survive without these resources.

  6.

  Identify vulnerabilities and threats to these functions.

  7.

  Calculate the risk for each different business function.

  8.

  Document findings and report them to management.

  Reference(s) used for this question:

  Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 905-909). McGraw- Hill. Kindle Edition.

• Question 554:

  The general philosophy for DMZ's is that:

  A. any system on the DMZ can be compromized because it's accessible from the Internet.
  B. any system on the DMZ cannot be compromized because it's not accessible from the Internet.
  C. some systems on the DMZ can be compromized because they are accessible from the Internet.
  D. any system on the DMZ cannot be compromized because it's by definition 100 percent safe and not accessible from the Internet.
  A. any system on the DMZ can be compromized because it's accessible from the Internet.

  ---

  Because the DMZ systems are accessible from the Internet, they are more at risk for attacka nd compromise and must be hardened appropriately.

  "Any system on the DMZ cannot be compromised because it's not accessible from the Internet" is incorrect. The reason a system is placed in the DMZ is so it can be accessible from the Internet.

  "Some systems on the DMZ can be compromised because they are accessible from the Internet" is incorrect. All systems in the DMZ face an increased risk of attack and compromise because they are accessible from the Internet.

  "Any system on the DMZ cannot be compromised because it's by definition 100 percent safe and not accessible from the Internet" is incorrect. Again, a system is placed in the DMZ because it must be accessible from the Internet.

  References:

  CBK, p. 434

  AIO3, p. 483

• Question 555:

  Which of the following questions is less likely to help in assessing an organization's contingency planning controls?

  A. Is damaged media stored and/or destroyed?
  B. Are the backup storage site and alternate site geographically far enough from the primary site?
  C. Is there an up-to-date copy of the plan stored securely off-site?
  D. Is the location of stored backups identified?
  A. Is damaged media stored and/or destroyed?

  ---

  Contingency planning involves more than planning for a move offsite after a disaster destroys a facility.

  It also addresses how to keep an organization's critical functions operating in the event of disruptions, large and small.

  Handling of damaged media is an operational task related to regular production and is not specific to contingency planning.

  Source: SWANSON, Marianne, NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems, November 2001 (Pages A-27 to A-28).

• Question 556:

  Which of the following can prevent hijacking of a web session?

  A. RSA
  B. SET
  C. SSL
  D. PPP
  C. SSL

  ---

  The Secure Socket Layer (SSL) protocol is used between a web server and client and provides entire session encryption, thus preventing from session hijacking. RSA is asymmetric encryption algorithm that can be used in setting up a SSL session. SET is the Secure Electronic Transaction protocol that was introduced by Visa and Mastercard to allow for more credit card transaction possibilities. PPP is a point-to- point protocol.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 3: Telecommunications and Network Security (page 89).

• Question 557:

  Which of the following is not one of the three goals of Integrity addressed by the Clark-Wilson model?

  A. Prevention of the modification of information by unauthorized users.
  B. Prevention of the unauthorized or unintentional modification of information by authorized users.
  C. Preservation of the internal and external consistency.
  D. Prevention of the modification of information by authorized users.
  A. Prevention of the modification of information by unauthorized users.

  ---

  There is no need to prevent modification from authorized users. They are authorized and allowed to make the changes. On top of this, it is also NOT one of the goal of Integrity within Clark-Wilson.

  As it turns out, the Biba model addresses only the first of the three integrity goals which is Prevention of the modification of information by unauthorized users. Clark-Wilson addresses all three goals of integrity.

  The ClarkWilson model improves on Biba by focusing on integrity at the transaction level and addressing three major goals of integrity in a commercial environment. In addition to preventing changes by unauthorized subjects, Clark and

  Wilson realized that high-integrity systems would also have to prevent undesirable changes by authorized subjects and to ensure that the system continued to behave consistently. It also recognized that it would need to ensure that there is

  constant mediation between every subject and every object if such integrity was going to be maintained.

  Integrity is addressed through the following three goals:

  1.

  Prevention of the modification of information by unauthorized users.

  2.

  Prevention of the unauthorized or unintentional modification of information by authorized users.

  3.

  Preservation of the internal and external consistency.

  The following reference(s) were used for this question:

  Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 17689-17694). Auerbach Publications. Kindle Edition.

  and

  KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 31.

• Question 558:

  Which of the following is the primary reason why a user would choose a dial-up modem connection to the Internet when they have a faster, secure Internet connection through the organization's network?

  A. To access web sites that blocked by the organization's proxy server.
  B. To set up public services using the organization's resources.
  C. To check their personal e-mail.
  D. To circumvent the organization's security policy.
  D. To circumvent the organization's security policy.

  ---

  All the choices above represent examples of circumventing the organization's security policy, which is the primary reason why a user would be using a dial-up Internet connection when a secure connection is available through the

  organization's network. Source: STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 1:

  Understanding Firewalls.

• Question 559:

  Which one of the following is NOT one of the outcomes of a vulnerability assessment?

  A. Quantative loss assessment
  B. Qualitative loss assessment
  C. Formal approval of BCP scope and initiation document
  D. Defining critical support areas
  C. Formal approval of BCP scope and initiation document

  ---

  When seeking to determine the security position of an organization, the security professional will eventually turn to a vulnerability assessment to help identify specific areas of weakness that need to be addressed. A vulnerability assessment is

  the use of various tools and analysis methodologies to determine where a particular system or process may be susceptible to attack or misuse. Most vulnerability assessments concentrate on technical vulnerabilities in systems or

  applications, but the assessment process is equally as effective when examining physical or administrative business processes.

  The vulnerability assessment is often part of a BIA. It is similar to a Risk Assessment in that there is a quantitative (financial) section and a qualitative (operational) section. It differs in that i t is smaller than a full risk assessment and is focused

  on providing information that is used solely for the business continuity plan or disaster recovery plan.

  A function of a vulnerability assessment is to conduct a loss impact analysis. Because there will be two parts to the assessment, a financial assessment and an operational assessment, it will be necessary to define loss criteria both

  quantitatively and qualitatively.

  Quantitative loss criteria may be defined as follows:

  Incurring financial losses from loss of revenue, capital expenditure, or personal liability resolution

  The additional operational expenses incurred due to the disruptive event

  Incurring financial loss from resolution of violation of contract agreements

  Incurring financial loss from resolution of violation of regulatory or compliance requirements

  Qualitative loss criteria may consist of the following:

  The loss of competitive advantage or market share

  The loss of public confidence or credibility, or incurring public mbarrassment

  During the vulnerability assessment, critical support areas must be defined in order to assess the impact of a disruptive event. A critical support area is defined as a business unit or function that must be present to sustain continuity of the

  business processes, maintain life safety, or avoid public relations embarrassment.

  Critical support areas could include the following:

  Telecommunications, data communications, or information technology areas

  Physical infrastructure or plant facilities, transportation services

  Accounting, payroll, transaction processing, customer service, purchasing

  The granular elements of these critical support areas will also need to be identified. By granular elements we mean the personnel, resources, and services the critical support areas need to maintain business continuity

  Reference(s) used for this question:

  Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 4628-4632). Auerbach Publications. Kindle Edition.

  KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Page 277.

• Question 560:

  Which of the following monitors network traffic in real time?

  A. network-based IDS
  B. host-based IDS
  C. application-based IDS
  D. firewall-based IDS
  A. network-based IDS

  ---

  This type of IDS is called a network-based IDS because monitors network traffic in real time.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 48.