ISC SSCP Online Practice Questions and Exam Preparation

ISC SSCP Online Questions & Answers

• Question 571:

  Which of the following are WELL KNOWN PORTS assigned by the IANA?

  A. Ports 0 to 255
  B. Ports 0 to 1024
  C. Ports 0 to 1023
  D. Ports 0 to 127
  C. Ports 0 to 1023

  ---

  The port numbers are divided into three ranges: the Well Known Ports, the Registered Ports, and the Dynamic and/or Private Ports. The range for assigned "Well Known" ports managed by the IANA (Internet Assigned Numbers Authority) is 0-1023.

  Source: iana.org: port assignments.

• Question 572:

  Which access control model would a lattice-based access control model be an example of?

  A. Mandatory access control.
  B. Discretionary access control.
  C. Non-discretionary access control.
  D. Rule-based access control.
  A. Mandatory access control.

  ---

  In a lattice model, there are pairs of elements that have the least upper bound of values and greatest lower bound of values. In a Mandatory Access Control (MAC) model, users and data owners do not have as much freedom to determine who can access files.

  TIPS FROM CLEMENT

  Mandatory Access Control is in place whenever you have permissions that are being imposed on the subject and the subject cannot arbitrarily change them. When the subject/owner of the file can change permissions at will, it is discretionary

  access control. Here is a breakdown largely based on s provided by Doug Landoll. I am reproducing below using my own word and not exactly how Doug explained it:

  FIRST: The Lattice

  A lattice is simply an access control tool usually used to implement Mandatory Access Control (MAC) and it could also be used to implement RBAC but this is not as common. The lattice model can be used for Integrity level or file permissions

  as well. The lattice has a least upper bound and greatest lower bound. It makes use of pair of elements such as the subject security clearance pairing with the object sensitivity label.

  SECOND: DAC (Discretionary Access Control)

  Let's get into Discretionary Access Control: It is an access control method where the owner (read the creator of the object) will decide who has access at his own discretion. As we all know, users are sometimes insane. They will share their

  files with other users based on their identity but nothing prevent the user from further sharing it with other users on the network. Very quickly you loose control on the flow of information and who has access to what. It is used in small and

  friendly environment where a low level of security is all that is required.

  THIRD: MAC (Mandatory Access Control)

  All of the following are forms of Mandatory Access Control:

  Mandatory Access control (MAC) (Implemented using the lattice)

  You must remember that MAC makes use of Security Clearance for the subject and also Labels will be assigned to the objects. The clearance of the Subject must dominate (be equal or higher) the clearance of the Object being accessed.

  The label attached to the object will indicate the sensitivity leval and the categories the object belongs to. The categories are used to implement the Need to Know. All of the following are forms of Non Discretionary Access Control:

  Role Based Access Control (RBAC)

  Rule Based Access Control (Think Firewall in this case)

  The official ISC2 book says that RBAC (synonymous with Non Discretionary Access Control) is a form of DAC but they are simply wrong. RBAC is a form of Non Discretionary Access Control. Non Discretionary DOES NOT equal mandatory

  access control as there is no labels and clearance involved.

  I hope this clarifies the whole drama related to what is what in the world of access control. In the same line of taught, you should be familiar with the difference between Explicit permission (the user has his own profile) versus Implicit (the user

  inherit permissions by being a member of a role for example).

  The following answers are incorrect:

  Discretionary access control. Is incorrect because in a Discretionary Access Control (DAC) model, access is restricted based on the authorization granted to the users. It is identity based access control only. It does not make use of a lattice.

  Non-discretionary access control. Is incorrect because Non-discretionary Access Control (NDAC) uses the role-based access control method to determine access rights and permissions. It is often times used as a synonym to RBAC which is

  Role Based Access Control. The user inherit permission from the role when they are assigned into the role. This type of access could make use of a lattice but could also be implemented without the use of a lattice in some case. Mandatory Access Control was a better choice than this one, but RBAC could also make use of a lattice. The BEST answer was MAC. Rule-based access control. Is incorrect because it is an example of a Non-discretionary Access Control (NDAC) access control mode. You have rules that are globally applied to all users. There is no such thing as a lattice being use in Rule-Based Access Control.

  References:

  AIOv3 Access Control (pages 161 - 168)

  AIOv3 Security Models and Architecture (pages 291 - 293)

• Question 573:

  How long are IPv4 addresses?

  A. 32 bits long.
  B. 64 bits long.
  C. 128 bits long.
  D. 16 bits long.
  A. 32 bits long.

  ---

  IPv4 addresses are currently 32 bits long. IPv6 addresses are 128 bits long.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 87.

• Question 574:

  Crime Prevention Through Environmental Design (CPTED) is a discipline that: A. Outlines how the proper design of a physical environment can reduce crime by directly affecting human behavior.

  B. Outlines how the proper design of the logical environment can reduce crime by directly affecting human behavior.
  C. Outlines how the proper design of the detective control environment can reduce crime by directly affecting human behavior.
  D. Outlines how the proper design of the administrative control environment can reduce crime by directly affecting human behavior.
  A

  ---

  Crime Prevention Through Environmental Design (CPTED) is a discipline that outlines how the proper design of a physical environment can reduce crime by directly affecting human behavior. It provides guidance about lost and crime

  prevention through proper facility contruction and environmental components and procedures.

  CPTED concepts were developed in the 1960s. They have been expanded upon and have matured as our environments and crime types have evolved. CPTED has been used not just to develop corporate physical security programs, but also

  for large-scale activities such as development of neighborhoods, towns, and cities. It addresses landscaping, entrances, facility and neighborhood layouts, lighting, road placement, and traffic circulation patterns. It looks at microenvironments,

  such as offices and rest-rooms, and macroenvironments, like campuses and cities.

  Reference(s) used for this question:

  Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 435). McGraw-Hill.

  Kindle Edition.

  and

  CPTED Guide Book

• Question 575:

  A trusted system does NOT involve which of the following?

  A. Enforcement of a security policy.
  B. Sufficiency and effectiveness of mechanisms to be able to enforce a security policy.
  C. Assurance that the security policy can be enforced in an efficient and reliable manner.
  D. Independently-verifiable evidence that the security policy-enforcing mechanisms are sufficient and effective.
  C. Assurance that the security policy can be enforced in an efficient and reliable manner.

  ---

  A trusted system is one that meets its intended security requirements. It involves sufficiency and effectiveness, not necessarily efficiency, in enforcing a security policy. Put succinctly, trusted systems have (1) policy, (2) mechanism, and (3) assurance.

  Source: HARE, Chris, Security Architecture and Models, Area 6 CISSP Open Study Guide, January 2002.

• Question 576:

  Which of the following security models does NOT concern itself with the flow of data?

  A. The information flow model
  B. The Biba model
  C. The Bell-LaPadula model
  D. The noninterference model
  D. The noninterference model

  ---

  The goal of a noninterference model is to strictly separate differing security levels to assure that higher- level actions do not determine what lower-level users can see. This is in contrast to other security models that control information flows

  between differing levels of users, By maintaining strict separation of security levels, a noninterference model minimizes leakages that might happen through a covert channel.

  The Bell-LaPadula model is incorrect. The Bell-LaPadula model is concerned with confidentiality and bases access control decsions on the classfication of objects and the clearences of subjects.

  The information flow model is incorrect. The information flow models have a similar framework to the Bell- LaPadula model and control how information may flow between objects based on security classes.

  The Biba model is incorrect. The Biba model is concerned with integrity and is a complement to the Bell- LaPadula model in that higher levels of integrity are more trusted than lower levels. Access control us based on these integrity levels to

  assure that read/write operations do not decrease an object's integrity.

  References:

  CBK, pp 325 - 326 AIO3, pp. 290 - 291

• Question 577:

  Secure Shell (SSH) is a strong method of performing:

  A. client authentication
  B. server authentication
  C. host authentication
  D. guest authentication
  A. client authentication

  ---

  Secure shell (SSH) was designed as an alternative to some of the insecure protocols and allows users to securely access resources on remote computers over an encrypted tunnel. The Secure Shell Protocol (SSH) is a protocol for secure

  remote login and other secure network services over an insecure network. The SSH authentication protocol runs on top of the SSH transport layer protocol and provides a single authenticated tunnel for the SSH connection protocol.

  SSH's services include remote log-on, file transfer, and command execution. It also supports port forwarding, which redirects other protocols through an encrypted SSH tunnel. Many users protect less secure traffic of protocols, such as X

  Windows and VNC (virtual network computing), by forwarding them through a SSH tunnel. The SSH tunnel protects the integrity of communication, preventing session hijacking and other man-in-the-middle attacks. Another advantage of SSH

  over its predecessors is that it supports strong authentication. There are several alternatives for SSH clients to authenticate to a SSH server, including passwords and digital certificates.

  Keep in mind that authenticating with a password is still a significant improvement over the other protocols because the password is transmitted encrypted.

  There are two incompatible versions of the protocol, SSH-1 and SSH-2, though many servers support both. SSH-2 has improved integrity checks (SSH-1 is vulnerable to an insertion attack due to weak CRC- 32 integrity checking) and

  supports local extensions and additional types of digital certificates such as Open PGP. SSH was originally designed for UNIX, but there are now implementations for other operating systems, including Windows, Macintosh, and OpenVMS.

  Is SSH 3.0 the same as SSH3?

  The short answer is: NO SSH 3.0 refers to version 3 of SSH Communications SSH2 protocol implementation and it could also refer to OpenSSH Version 3.0 of its SSH2 software. The "3" refers to the software release version not the protocol

  version. As of this writing (July 2013), there is no SSH3 protocol.

  "Server authentication" is incorrect. Though many SSH clients allow pre-caching of server/host keys, this is a minimal form of server/host authentication.

  "Host authentication" is incorrect. Though many SSH clients allow pre-caching of server/host keys, this is a minimal form of server/host authentication.

  "Guest authentication" is incorrect. The general idea of "guest" is that it is unauthenticated access.

  Reference(s) used for this question:

  http://www.ietf.org/rfc/rfc4252.txt

  Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 7080-7088). Auerbach Publications. Kindle Edition.

• Question 578:

  A DMZ is also known as a

  A. screened subnet
  B. three legged firewall
  C. a place to attract hackers
  D. bastion host
  A. screened subnet

  ---

  This is another name for the demilitarized zone (DMZ) of a network.

  "Three legged firewall" is incorrect. While a DMZ can be implemented on one leg of such a device, this is not the best answer.

  "A place to attract hackers" is incorrect. The DMZ is a way to provide limited public access to an organization's internal resources (DNS, EMAIL, public web, etc) not as an attractant for hackers.

  "Bastion host" is incorrect. A bastion host serves as a gateway between trusted and untrusted network.

  References:

  CBK, p. 434

  AIO3, pp. 495 - 496

• Question 579:

  Which of the following methods of providing telecommunications continuity involves the use of an alternative media?

  A. Alternative routing
  B. Diverse routing
  C. Long haul network diversity
  D. Last mile circuit protection
  A. Alternative routing

  ---

  Alternative routing is a method of routing information via an alternate medium such as copper cable or fiber optics. This involves use of different networks, circuits or end points should the normal network be unavailable. Diverse routing routes traffic through split cable facilities or duplicate cable facilities. This can be accomplished with different and/or duplicate cable sheaths. If different cable sheaths are used, the cable may be in the same conduit and therefore subject to the same interruptions as the cable it is backing up. The communication service subscriber can duplicate the facilities by having alternate routes, although the entrance to and from the customer premises may be in the same conduit. The subscriber can obtain diverse routing and alternate routing from the local carrier, including dual entrance facilities. This type of access is time- consuming and costly. Long haul network diversity is a diverse long-distance network utilizing T1 circuits among the major long-distance carriers. It ensures long-distance access should any one carrier experience a network failure. Last mile circuit protection is a redundant combination of local carrier T1s microwave and/or coaxial cable access to the local communications loop. This enables the facility to have access during a local carrier communication disaster. Alternate local carrier routing is also utilized.

  Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, chapter 5: Disaster Recovery and Business Continuity (page 259).

• Question 580:

  Which of the following protocols is not implemented at the Internet layer of the TCP/IP protocol model?

  A. User datagram protocol (UDP)
  B. Internet protocol (IP)
  C. Internet Group Management Protocol (IGMP)
  D. Internet control message protocol (ICMP)
  A. User datagram protocol (UDP)

  ---

  The User Datagram Protocol (UDP) is implemented at the host-to-host transport layer, not at the internet layer.

  Protocol at what layer?

  Ensure you are familiar with both the OSI model and the DoD TCP/IP model as well. You need to know how to contrast the two side by side and what are the names being used on both side. Below you have a graphic showing the two and

  how things maps between the two as well as some of the most common protcolos found at each of the layers:

  Protocols at what layers of the DoD TCP/IP model

  

  Graphic from http://technet.microsoft.com/en-us/library/cc958821.aspx

  The following are incorrect answers:

  All of the other protocols sit at the Internet Layer of the TCP/IP model.

  NOTE:

  Some reference are calling the Transport layer on the DoD model Host-to-Host.

  Reference(s) used for this question:

  Shon Harris, CISSP All In One (AIO), 6th edition , Telecommunication and Network Security, Page 518,534

  and

  KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 3: Telecommunications and Network Security (page 85).

  and

  Microsoft Technet at http://technet.microsoft.com/en-us/library/cc958821.aspx