ISC SSCP Online Practice Questions and Exam Preparation

ISC SSCP Online Questions & Answers

• Question 601:

  What does the simple integrity axiom mean in the Biba model?

  A. No write down
  B. No read down
  C. No read up
  D. No write up
  B. No read down

  ---

  The simple integrity axiom of the Biba access control model states that a subject at one level of integrity is not permitted to observe an object of a lower integrity (no read down).

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 5: Security Architectures and Models (page 205).

• Question 602:

  An attack initiated by an entity that is authorized to access system resources but uses them in a way not approved by those who granted the authorization is known as a(n):

  A. active attack
  B. outside attack
  C. inside attack
  D. passive attack
  C. inside attack

  ---

  An inside attack is an attack initiated by an entity inside the security perimeter, an entity that is authorized to access system resources but uses them in a way not approved by those who granted the authorization whereas an outside attack is initiated from outside the perimeter, by an unauthorized or illegitimate user of the system. An active attack attempts to alter system resources to affect their operation and a passive attack attempts to learn or make use of the information from the system but does not affect system resources.

  Source: SHIREY, Robert W., RFC2828: Internet Security Glossary, may 2000.

• Question 603:

  Which of the following steps should be one of the first step performed in a Business Impact Analysis (BIA)?

  A. Identify all CRITICAL business units within the organization.
  B. Evaluate the impact of disruptive events.
  C. Estimate the Recovery Time Objectives (RTO).
  D. Identify and Prioritize Critical Organization Functions
  D. Identify and Prioritize Critical Organization Functions

  ---

  Project Initiation and Management

  This is the first step in building the Business Continuity program is project initiation and management. During this phase, the following activities will occur: Obtain senior management support to go forward with the project Define a project scope, the objectives to be achieved, and the planning assumptions Estimate the project resources needed to be successful, both human resources and financial resources

  Define a timeline and major deliverables of the project In this phase, the program will be managed like a project, and a project manager should be assigned to the BC and DR domain.

  The next step in the planning process is to have the planning team perform a BIA. The BIA will help the company decide what needs to be recovered, and how quickly. Mission functions are typically designated with terms such as critical,

  essential, supporting and nonessential to help determine the appropriate prioritization.

  One of the first steps of a BIA is to Identify and Prioritize Critical Organization Functions. All organizational functions and the technology that supports them need to be classified based on their recovery priority. Recovery time frames for

  organization operations are driven by the consequences of not performing the function. The consequences may be the result of organization lost during the down period; contractual commitments not met resulting in fines or lawsuits, lost

  goodwill with customers.

  All other answers are incorrect.

  Reference(s) used for this question:

  Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 21073-21075). Auerbach Publications. Kindle Edition.

  Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 20697-20710). Auerbach Publications. Kindle Edition.

• Question 604:

  Which of the following tasks is NOT usually part of a Business Impact Analysis (BIA)?

  A. Calculate the risk for each different business function.
  B. Identify the company's critical business functions.
  C. Calculate how long these functions can survive without these resources.
  D. Develop a mission statement.
  D. Develop a mission statement.

  ---

  The Business Impact Analysis is critical for the development of a business continuity plan (BCP). It identifies risks, critical processes and resources needed in case of recovery and quantifies the impact a disaster will have upon the

  organization. The development of a mission statement is normally performed before the BIA.

  A BIA (business impact analysis ) is considered a functional analysis, in which a team collects data through interviews and documentary sources; documents business functions, activities, and transactions ; develops a hierarchy of business

  functions; and finally applies a classification scheme to indicate each individual function's criticality level.

  BIA Steps

  The more detailed and granular steps of a BIA are outlined here:

  1.

  Select individuals to interview for data gathering.

  2.

  Create data-gathering techniques (surveys, questionnaires, qualitative and quantitative approaches).

  3.

  Identify the company's critical business functions.

  4.

  Identify the resources these functions depend upon.

  5.

  Calculate how long these functions can survive without these resources.

  6.

  Identify vulnerabilities and threats to these functions.

  7.

  Calculate the risk for each different business function.

  8.

  Document findings and report them to management.

  Reference(s) used for this question:

  Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Location 21076). Auerbach Publications. Kindle Edition.

  and

  Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 905-910). McGraw- Hill. Kindle Edition.

• Question 605:

  A momentary high voltage is a:

  A. spike
  B. blackout
  C. surge
  D. fault
  A. spike

  ---

  Too much voltage for a short period of time is a spike.

  Too much voltage for a long period of time is a surge.

  Not enough voltage for a short period of time is a sag or dip

  Not enough voltage for a long period of time is brownout

  A short power interruption is a fault

  A long power interruption is a blackout

  You MUST know all of the power issues above for the purpose of the exam.

  From: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 3rd. Edition McGraw- Hill/Osborne, 2005, page 368.

• Question 606:

  Brute force attacks against encryption keys have increased in potency because of increased computing power. Which of the following is often considered a good protection against the brute force cryptography attack?

  A. The use of good key generators.
  B. The use of session keys.
  C. Nothing can defend you against a brute force crypto key attack.
  D. Algorithms that are immune to brute force key attacks.
  B. The use of session keys.

  ---

  If we assume a crytpo-system with a large key (and therefore a large key space) a brute force attack will likely take a good deal of time - anywhere from several hours to several years depending on a number of variables. If you use a session key for each message you encrypt, then the brute force attack provides the attacker with only the key for that one message. So, if you are encrypting 10 messages a day, each with a different session key, but it takes me a month to break each session key then I am fighting a loosing battle.

  The other answers are not correct because:

  "The use of good key generators" is not correct because a brute force key attack will eventually run through all possible combinations of key. Therefore, any key will eventually be broken in this manner given enough time.

  "Nothing can defend you against a brute force crypto key attack" is incorrect, and not the best answer listed. While it is technically true that any key will eventually be broken by a brute force attack, the question remains "how long will it take?".

  In other words, if you encrypt something today but I can't read it for 10,000 years, will you still care? If the key is changed every session does it matter if it can be broken after the session has ended? Of the answers listed here, session keys

  are "often considered a good protection against the brute force cryptography attack" as the question asks. "Algorithms that are immune to brute force key attacks" is incorrect because there currently are no such algorithms. References:

  Official ISC2 Guide page: 259 All in One Third Edition page: 623

• Question 607:

  Which of the following item would best help an organization to gain a common understanding of functions that are critical to its survival?

  A. A risk assessment
  B. A business assessment
  C. A disaster recovery plan
  D. A business impact analysis
  D. A business impact analysis

  ---

  A Business Impact Analysis (BIA) is an assessment of an organization's business functions to develop an understanding of their criticality, recovery time objectives, and resources needed.

  By going through a Business Impact Analysis, the organization will gain a common understanding of functions that are critical to its survival.

  A risk assessment is an evaluation of the exposures present in an organization's external and internal environments.

  A Business Assessment generally include Business Analysis as a discipline and it has heavy overlap with requirements analysis sometimes also called requirements engineering, but focuses on identifying the changes to an organization that

  are required for it to achieve strategic goals. These changes include changes to strategies, structures, policies, processes, and information systems.

  A disaster recovery plan is the comprehensive statement of consistent actions to be taken before, during and after a disruptive event that causes a significant loss of information systems resources.

  Source: BARNES, James C. and ROTHSTEIN, Philip J., A Guide to Business Continuity Planning, John Wiley and Sons, 2001 (page 57).

• Question 608:

  A 'Pseudo flaw' is which of the following?

  A. An apparent loophole deliberately implanted in an operating system program as a trap for intruders.
  B. An omission when generating Psuedo-code.
  C. Used for testing for bounds violations in application programming.
  D. A normally generated page fault causing the system to halt.
  A. An apparent loophole deliberately implanted in an operating system program as a trap for intruders.

  ---

  A Pseudo flaw is something that looks like it is vulnerable to attack, but really acts as an alarm or triggers automatic actions when an intruder attempts to exploit the flaw.

  The following answers are incorrect:

  An omission when generating Psuedo-code. Is incorrect because it is a distractor. Used for testing for bounds violations in application programming. Is incorrect, this is a testing methodology. A normally generated page fault causing the

  system to halt. This is incorrect because it is distractor.

• Question 609:

  What is called a sequence of characters that is usually longer than the allotted number for a password?

  A. passphrase
  B. cognitive phrase
  C. anticipated phrase
  D. Real phrase
  A. passphrase

  ---

  A passphrase is a sequence of characters that is usually longer than the allotted number for a password.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, page 37.

• Question 610:

  Secure Electronic Transaction (SET) and Secure HTTP (S-HTTP) operate at which layer of the OSI model?

  A. Application Layer.
  B. Transport Layer.
  C. Session Layer.
  D. Network Layer.
  A. Application Layer.

  ---

  The Secure Electronic Transaction (SET) and Secure HTTP (S-HTTP) operate at the Application Layer of the Open Systems Interconnect (OSI) model.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 89.