ISC SSCP Online Practice Questions and Exam Preparation

ISC SSCP Online Questions & Answers

• Question 631:

  Which software development model is actually a meta-model that incorporates a number of the software development models?

  A. The Waterfall model
  B. The modified Waterfall model
  C. The Spiral model
  D. The Critical Path Model (CPM)
  C. The Spiral model

  ---

  The spiral model is actually a meta-model that incorporates a number of the software development models. This model depicts a spiral that incorporates the various phases of software development. The model states that each cycle of the spiral involves the same series of steps for each part of the project. CPM refers to the Critical Path Methodology.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 7: Applications and Systems Development (page 246).

• Question 632:

  Which of the following is NOT a task normally performed by a Computer Incident Response Team (CIRT)?

  A. Develop an information security policy.
  B. Coordinate the distribution of information pertaining to the incident to the appropriate parties.
  C. Mitigate risk to the enterprise.
  D. Assemble teams to investigate the potential vulnerabilities.
  A. Develop an information security policy.

  ---

  Writing a corporate security policy is normally a task of upper management in an organization. Other tasks would usually be performed by a Computer Incident Response Team.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 3: Telecommunications and Network Security (page 64).

• Question 633:

  Which of the following models does NOT include data integrity or conflict of interest?

  A. Biba
  B. Clark-Wilson
  C. Bell-LaPadula
  D. Brewer-Nash
  C. Bell-LaPadula

  ---

  Bell LaPadula model (Bell 1975): The granularity of objects and subjects is not predefined, but the model prescribes simple access rights. Based on simple access restrictions the Bell LaPadula model enforces a discretionary access control

  policy enhanced with mandatory rules. Applications with rigid confidentiality requirements and without strong integrity requirements may properly be modeled.

  These simple rights combined with the mandatory rules of the policy considerably restrict the spectrum of applications which can be appropriately modeled.

  Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

  Also check:

  Proceedings of the IFIP TC11 12th International Conference on Information Security, Samos (Greece), May 1996, On Security Models.

• Question 634:

  Which of the following protects Kerberos against replay attacks?

  A. Tokens
  B. Passwords
  C. Cryptography
  D. Time stamps
  D. Time stamps

  ---

  A replay attack refers to the recording and retransmission of packets on the network. Kerberos uses time stamps, which protect against this type of attack.

  Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter

  8: Cryptography (page 581).

• Question 635:

  For maximum security design, what type of fence is most effective and cost-effective method (Foot are being used as measurement unit below)?

  A. 3' to 4' high
  B. 6' to 7' high
  C. 8' high and above with strands of barbed wire
  D. Double fencing
  D. Double fencing

  ---

  The most commonly used fence is the chain linked fence and it is the most affordable. The standard is a six-foot high fence with two-inch mesh square openings. The material should consist of nine-gauge vinyl or galvanized metal. Nine-gauge is a typical fence material installed in residential areas. Additionally, it is recommended to place barbed wire strands angled out from the top of the fence at a 45?angle and away from the protected area with three strands running across the top. This will provide for a seven-foot fence. There are several variations of the use of "top guards" using V-shaped barbed wire or the use of concertina wire as an enhancement, which has been a replacement for more traditional three strand barbed wire "top guards."

  The fence should be fastened to ridged metal posts set in concrete every six feet with additional bracing at the corners and gate openings. The bottom of the fence should be stabilized against intruders crawling under by attaching posts along the bottom to keep the fence from being pushed or pulled up from the bottom. If the soil is sandy, the bottom edge of the fence should be installed below ground level.

  For maximum security design, the use of double fencing with rolls of concertina wire positioned between the two fences is the most effective deterrent and cost-efficient method. In this design, an intruder is required to use an extensive array of ladders and equipment to breach the fences.

  Most fencing is largely a psychological deterrent and a boundary marker rather than a barrier, because in most cases such fences can be rather easily penetrated unless added security measures are taken to enhance the security of the fence. Sensors attached to the fence to provide electronic monitoring of cutting or scaling the fence can be used.

  Reference(s) used for this question:

  Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 24416-24431). Auerbach Publications. Kindle Edition.

• Question 636:

  During the salvage of the Local Area Network and Servers, which of the following steps would normally be performed first?

  A. Damage mitigation
  B. Install LAN communications network and servers
  C. Assess damage to LAN and servers
  D. Recover equipment
  C. Assess damage to LAN and servers

  ---

  The first activity in every recovery plan is damage assessment, immediately followed by damage mitigation.

  This first activity would typically include assessing the damage to all network and server components (including cables, boards, file servers, workstations, printers, network equipment), making a list of all items to be repaired or replaced,

  selecting appropriate vendors and relaying findings to Emergency Management Team.

  Following damage mitigation, equipment can be recovered and LAN communications network and servers can be reinstalled.

  Source: BARNES, James C. and ROTHSTEIN, Philip J., A Guide to Business Continuity Planning, John Wiley and Sons, 2001 (page 135).

• Question 637:

  Computer security should be first and foremost which of the following:

  A. Cover all identified risks
  B. Be cost-effective.
  C. Be examined in both monetary and non-monetary terms.
  D. Be proportionate to the value of IT systems.
  B. Be cost-effective.

  ---

  Computer security should be first and foremost cost-effective.

  As for any organization, there is a need to measure their cost-effectiveness, to justify budget usage and provide supportive arguments for their next budget claim. But organizations often have difficulties to accurately measure the

  effectiveness and the cost of their information security activities.

  The classical financial approach for ROI calculation is not particularly appropriate for measuring security- related initiatives: Security is not generally an investment that results in a profit. Security is more about loss prevention. In other terms,

  when you invest in security, you don't expect benefits; you expect to reduce the risks threatening your assets.

  The concept of the ROI calculation applies to every investment. Security is no exception. Executive decision-makers want to know the impact security is having on the bottom line. In order to know how much they should spend on security,

  they need to know how much is the lack of security costing to the business and what

  are the most cost-effective solutions.

  Applied to security, a Return On Security Investment (ROSI) calculation can provide quantitative answers to essential financial questions:

  Is an organization paying too much for its security?

  What financial impact on productivity could have lack of security?

  When is the security investment enough?

  Is this security product/organisation beneficial?

  The following are other concerns about computer security but not the first and foremost:

  The costs and benefits of security should be carefully examined in both monetary and non- monetary terms to ensure that the cost of controls does not exceed expected benefits. Security should be appropriate and proportionate to the value

  of and degree of reliance on the IT systems and to the severity, probability, and extent of potential harm.

  Requirements for security vary, depending upon the particular IT system. Therefore it does not make sense for computer security to cover all identified risks when the cost of the measures exceeds the value of the systems they are protecting.

  Reference(s) used for this question:

  SWANSON, Marianne and GUTTMAN, Barbara, National Institute of Standards and Technology (NIST), NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, September

  1996 (page 6).

  and

  http://www.enisa.europa.eu/activities/cert/other-work/introduction-to-return-on-security- investment

• Question 638:

  Which of the following elements of telecommunications is not used in assuring confidentiality?

  A. Network security protocols
  B. Network authentication services
  C. Data encryption services
  D. Passwords
  D. Passwords

  ---

  Passwords are one of the multiple ways to authenticate (prove who you claim to be) an identity which allows confidentiality controls to be enforced to assure the identity can only access the information for which it is authorized. It is the

  authentication that assists assurance of confidentiality not the passwords.

  "Network security protocols" is incorrect. Network security protocols are quite useful in assuring confidentiality in network communications.

  "Network authentication services" is incorrect. Confidentiality is concerned with allowing only authorized users to access information. An important part of determining authorization is authenticating an identity and this service is supplied by

  network authentication services.

  "Data encryption services" is incorrect. Data encryption services are quite useful in protecting the confidentiality of information.

  Reference(s) used for this question:

  Official ISC2 Guide to the CISSP CBK, pp. 407 - 520

  AIO 3rd Edition, pp. 415 - 580

• Question 639:

  Which of the following logical access exposures INVOLVES CHANGING data before, or as it is entered into the computer?

  A. Data diddling
  B. Salami techniques
  C. Trojan horses
  D. Viruses
  A. Data diddling

  ---

  It involves changing data before , or as it is entered into the computer or in other words , it refers to the alteration of the existing data.

  The other answers are incorrect because :

  Salami techniques : A salami attack is the one in which an attacker commits several small crimes with the hope that the overall larger crime will go unnoticed.

  Trojan horses: A Trojan Horse is a program that is disguised as another program.

  Viruses:A Virus is a small application , or a string of code , that infects applications.

  Reference: Shon Harris , AIO v3

  Chapter - 11: Application and System Development, Page : 875-880

  Chapter - 10: Law, Investigation and Ethics , Page : 758-759

• Question 640:

  Logical or technical controls involve the restriction of access to systems and the protection of information. Which of the following statements pertaining to these types of controls is correct?

  A. Examples of these types of controls include policies and procedures, security awareness training, background checks, work habit checks but do not include a review of vacation history, and also do not include increased supervision.
  B. Examples of these types of controls do not include encryption, smart cards, access lists, and transmission protocols.
  C. Examples of these types of controls are encryption, smart cards, access lists, and transmission protocols.
  D. Examples of these types of controls include policies and procedures, security awareness training, background checks, work habit checks, a review of vacation history, and increased supervision.
  C. Examples of these types of controls are encryption, smart cards, access lists, and transmission protocols.

  ---

  Logical or technical controls involve the restriction of access to systems and the protection of information. Examples of these types of controls are encryption, smart cards, access lists, and transmission protocols. Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 33.