ISC SSCP Online Practice Questions and Exam Preparation

ISC SSCP Online Questions & Answers

• Question 681:

  Which of the following technologies is a target of XSS or CSS (Cross-Site Scripting) attacks?

  A. Web Applications
  B. Intrusion Detection Systems
  C. Firewalls
  D. DNS Servers
  A. Web Applications

  ---

  XSS or Cross-Site Scripting is a threat to web applications where malicious code is placed on a website that attacks the use using their existing authenticated session status. Cross-Site Scripting attacks are a type of injection problem, in

  which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a

  different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.

  An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source,

  the malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site. These scripts can even rewrite the content of the HTML page.

  Mitigation:

  Configure your IPS - Intrusion Prevention System to detect and suppress this traffic. Input Validation on the web application to normalize inputted data. Set web apps to bind session cookies to the IP Address of the legitimate user and only

  permit that IP Address to use that cookie. See the XSS (Cross Site Scripting) Prevention Cheat Sheet See the Abridged XSS Prevention Cheat Sheet

  See the DOM based XSS Prevention Cheat Sheet

  See the OWASP Development Guide article on Phishing. See the OWASP Development Guide article on Data Validation.

  The following answers are incorrect:

  Intrusion Detection Systems: Sorry. IDS Systems aren't usually the target of XSS attacks but a properly- configured IDS/IPS can "detect and report on malicious string and suppress the TCP connection in an attempt to mitigate the threat.

  Firewalls: Sorry. Firewalls aren't usually the target of XSS attacks. DNS Servers: Same as above, DNS Servers aren't usually targeted in XSS attacks but they play a key role in the domain name resolution in the XSS attack process. The

  following reference(s) was used to create this question:

  CCCure Holistic Security+ CBT and Curriculum

  and https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29

• Question 682:

  What can be defined as a table of subjects and objects indicating what actions individual subjects can take upon individual objects?

  A. A capacity table
  B. An access control list
  C. An access control matrix
  D. A capability table
  C. An access control matrix

  ---

  The matrix lists the users, groups and roles down the left side and the resources and functions across the top. The cells of the matrix can either indicate that access is allowed or indicate the type of access. CBK pp 317 - 318.

  AIO3, p. 169 describes it as a table if subjects and objects specifying the access rights a certain subject possesses pertaining to specific objects.

  In either case, the matrix is a way of analyzing the access control needed by a population of subjects to a population of objects. This access control can be applied using rules, ACL's, capability tables, etc.

  "A capacity table" is incorrect.

  This answer is a trap for the unwary -- it sounds a little like "capability table" but is just there to distract you.

  "An access control list" is incorrect.

  "It [ACL] specifies a list of users [subjects] who are allowed access to each object" CBK, p. 188 Access control lists (ACL) could be used to implement the rules identified by an access control matrix but is different from the matrix itself.

  "A capability table" is incorrect.

  "Capability tables are used to track, manage and apply controls based on the object and rights, or capabilities of a subject. For example, a table identifies the object, specifies access rights allowed for a subject, and permits access based on

  the user's posession of a capability (or ticket) for the object." CBK, pp. 191-192. To put it another way, as noted in AIO3 on p. 169, "A capabiltiy table is different from an ACL because the subject is bound to the capability table, whereas the

  object is bound to the ACL."

  Again, a capability table could be used to implement the rules identified by an access control matrix but is different from the matrix itself.

  References:

  CBK pp. 191-192, 317-318

  AIO3, p. 169

• Question 683:

  The fact that a network-based IDS reviews packets payload and headers enable which of the following?

  A. Detection of denial of service
  B. Detection of all viruses
  C. Detection of data corruption
  D. Detection of all password guessing attacks
  A. Detection of denial of service

  ---

  Because a network-based IDS reviews packets and headers, denial of service attacks can also be detected.

  This question is an easy question if you go through the process of elimination. When you see an answer containing the keyword: ALL It is something a give away that it is not the proper answer. On the real exam you may encounter a few

  question where the use of the work ALL renders the choice invalid. Pay close attention to such keyword.

  The following are incorrect answers:

  Even though most IDSs can detect some viruses and some password guessing attacks, they cannot detect ALL viruses or ALL password guessing attacks. Therefore these two answers are only detractors.

  Unless the IDS knows the valid values for a certain dataset, it can NOT detect data corruption.

  Reference used for this question:

  KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 48.

• Question 684:

  The Data Encryption Standard (DES) encryption algorithm has which of the following characteristics?

  A. 64 bits of data input results in 56 bits of encrypted output
  B. 128 bit key with 8 bits used for parity
  C. 64 bit blocks with a 64 bit total key length
  D. 56 bits of data input results in 56 bits of encrypted output
  C. 64 bit blocks with a 64 bit total key length

  ---

  DES works with 64 bit blocks of text using a 64 bit key (with 8 bits used for parity, so the effective key length is 56 bits).

  Some people are getting the Key Size and the Block Size mixed up. The block size is usually a specific length. For example DES uses block size of 64 bits which results in 64 bits of encrypted data for each block. AES uses a block size of 128

  bits, the block size on AES can only be 128 as per the published standard FIPS-197.

  A DES key consists of 64 binary digits ("0"s or "1"s) of which 56 bits are randomly generated and used directly by the algorithm. The other 8 bits, which are not used by the algorithm, may be used for error detection. The 8 error detecting bits

  are set to make the parity of each 8-bit byte of the key odd, i.e., there is an odd number of "1"s in each 8-bit byte1. Authorized users of encrypted computer data must have the key that was used to encipher the data in order to decrypt it.

  IN CONTRAST WITH AES

  The input and output for the AES algorithm each consist of sequences of 128 bits (digits with values of 0 or

  1). These sequences will sometimes be referred to as blocks and the number of bits they contain will be referred to as their length. The Cipher Key for the AES algorithm is a sequence of 128, 192 or 256 bits. Other input, output and Cipher

  Key lengths are not permitted by this standard.

  The Advanced Encryption Standard (AES) specifies the Rijndael algorithm, a symmetric block cipher that can process data blocks of 128 bits, using cipher keys with lengths of 128, 192, and 256 bits. Rijndael was designed to handle

  additional block sizes and key lengths, however they are not adopted in the AES standard.

  The AES algorithm may be used with the three different key lengths indicated above, and therefore these different "flavors" may be referred to as "AES-128", "AES-192", and "AES- 256".

  The other answers are not correct because:

  "64 bits of data input results in 56 bits of encrypted output" is incorrect because while DES does work with 64 bit block input, it results in 64 bit blocks of encrypted output.

  "128 bit key with 8 bits used for parity" is incorrect because DES does not ever use a 128 bit key.

  "56 bits of data input results in 56 bits of encrypted output" is incorrect because DES always works with 64 bit blocks of input/output, not 56 bits.

  Reference(s) used for this question:

  Official ISC2 Guide to the CISSP CBK, Second Edition, page: 336-343

  http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf

  http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf

• Question 685:

  In the Bell-LaPadula model, the Star-property is also called:

  A. The simple security property
  B. The confidentiality property
  C. The confinement property
  D. The tranquility property
  B. The confidentiality property

  ---

  The Bell-LaPadula model focuses on data confidentiality and access to classified information, in contrast to the Biba Integrity Model which describes rules for the protection of data integrity.

  In this formal model, the entities in an information system are divided into subjects and objects.

  The notion of a "secure state" is defined, and it is proven that each state transition preserves security by moving from secure state to secure state, thereby proving that the system satisfies the security objectives of the model.

  The Bell-LaPadula model is built on the concept of a state machine with a set of allowable states in a system. The transition from one state to another state is defined by transition functions.

  A system state is defined to be "secure" if the only permitted access modes of subjects to objects are in accordance with a security policy.

  To determine whether a specific access mode is allowed, the clearance of a subject is compared to the classification of the object (more precisely, to the combination of classification and set of compartments, making up the security level) to

  determine if the subject is authorized for the specific access mode.

  The clearance/classification scheme is expressed in terms of a lattice. The model defines two mandatory access control (MAC) rules and one discretionary access control (DAC) rule with three security properties:

  The Simple Security Property - a subject at a given security level may not read an object at a higher security level (no read-up).

  The property (read "star"-property) - a subject at a given security level must not write to any object at a lower security level (no write-down). The property is also known as the Confinement property.

  The Discretionary Security Property - use an access control matrix to specify the discretionary access control.

  The transfer of information from a high-sensitivity document to a lower-sensitivity document may happen in the Bell-LaPadula model via the concept of trusted subjects. Trusted Subjects are not restricted by the property. Untrusted subjects are.

  Trusted Subjects must be shown to be trustworthy with regard to the security policy. This security model is directed toward access control and is characterized by the phrase: "no read up, no write down." Compare the Biba model, the Clark-Wilson model and the Chinese Wall.

  With Bell-LaPadula, users can create content only at or above their own security level (i.e. secret researchers can create secret or top-secret files but may not create public files; no write-down). Conversely, users can view content only at or below their own security level (i.e. secret researchers can view public or secret files, but may not view top-secret files; no read-up).

  Strong Property

  The Strong Property is an alternative to the Property in which subjects may write to objects with only a matching security level. Thus, the write-up operation permitted in the usual Property is not present, only a write-to-same level operation.

  The Strong Property is usually discussed in the context of multilevel database management systems and is motivated by integrity concerns.

  Tranquility principle The tranquility principle of the Bell-LaPadula model states that the classification of a subject or object does not change while it is being referenced. There are two forms to the tranquility principle: the "principle of strong tranquility" states that security levels do not change during the normal operation of the system and the "principle of weak tranquility" states that security levels do not change in a way that violates the rules of a given security policy.

  Another interpretation of the tranquility principles is that they both apply only to the period of time during which an operation involving an object or subject is occurring. That is, the strong tranquility principle means that an object's security level/ label will not change during an operation (such as read or write); the weak tranquility principle means that an object's security level/label may change in a way that does not violate the security policy during an operation. Reference(s) used for this question: http://en.wikipedia.org/wiki/Biba_Model http://en.wikipedia.org/wiki/Mandatory_access_control http://en.wikipedia.org/wiki/Discretionary_access_control http://en.wikipedia.org/wiki/Clark-Wilson_model http://en.wikipedia.org/wiki/Brewer_and_Nash_model

• Question 686:

  Encapsulating Security Payload (ESP) provides some of the services of Authentication Headers (AH), but it is primarily designed to provide:

  A. Confidentiality
  B. Cryptography
  C. Digital signatures
  D. Access Control
  A. Confidentiality

  ---

  Source: TIPTON, Harold F. and KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 2, 2001, CRC Press, NY, page 164.

• Question 687:

  What is the main issue with media reuse?

  A. Degaussing
  B. Data remanence
  C. Media destruction
  D. Purging
  B. Data remanence

  ---

  The main issue with media reuse is data remanence, where residual information still resides on a media that has been erased. Degaussing, purging and destruction are ways to handle media that contains data that is no longer needed or used.

  Source: WALLHOFF, John, CBK#10 Physical Security (CISSP Study Guide), April 2002 (page 5).

• Question 688:

  The Secure Hash Algorithm (SHA-1) creates:

  A. a fixed length message digest from a fixed length input message
  B. a variable length message digest from a variable length input message
  C. a fixed length message digest from a variable length input message
  D. a variable length message digest from a fixed length input message
  C. a fixed length message digest from a variable length input message

  ---

  According to The CISSP Prep Guide, "The Secure Hash Algorithm (SHA-1) computes a fixed length message digest from a variable length input message."

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, page 160.

  also see:

  http://csrc.nist.gov/publications/fips/fips180-2/fips180-2withchangenotice.pdf

• Question 689:

  Which of the following is most concerned with personnel security?

  A. Management controls
  B. Operational controls
  C. Technical controls
  D. Human resources controls
  B. Operational controls

  ---

  Many important issues in computer security involve human users, designers, implementers, and managers.

  A broad range of security issues relates to how these individuals interact with computers and the access and authorities they need to do their jobs. Since operational controls address security methods focusing on mechanisms primarily

  implemented and executed by people (as opposed to systems), personnel security is considered a form of operational control.

  Operational controls are put in place to improve security of a particular system (or group of systems). They often require specialized expertise and often rely upon management activities as well as technical controls. Implementing dual control

  and making sure that you have more than one person that can perform a task would fall into this category as well.

  Management controls focus on the management of the IT security system and the management of risk for a system. They are techniques and concerns that are normally addressed by management.

  Technical controls focus on security controls that the computer system executes. The controls can provide automated protection for unauthorized access of misuse, facilitate detection of security violations, and support security requirements

  for applications and data.

  Reference use for this question:

  NIST SP 800-53 Revision 4 http://dx.doi.org/10.6028/NIST.SP.800-53r4

  You can get it as a word document by clicking HERE

  NIST SP 800-53 Revision 4 has superseded the document below:

  SWANSON, Marianne, NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems, November 2001 (Page A-18).

• Question 690:

  Because all the secret keys are held and authentication is performed on the Kerberos TGS and the authentication servers, these servers are vulnerable to:

  A. neither physical attacks nor attacks from malicious code.
  B. physical attacks only
  C. both physical attacks and attacks from malicious code.
  D. physical attacks but not attacks from malicious code.
  C. both physical attacks and attacks from malicious code.

  ---

  Since all the secret keys are held and authentication is performed on the Kerberos TGS and the authentication servers, these servers are vulnerable to both physical attacks and attacks from malicious code.

  Because a client's password is used in the initiation of the Kerberos request for the service protocol, password guessing can be used to impersonate a client.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 42.