ISC SSCP Online Practice Questions and Exam Preparation

ISC SSCP Online Questions & Answers

• Question 691:

  In the UTP category rating, the tighter the wind:

  A. the higher the rating and its resistance against interference and crosstalk.
  B. the slower the rating and its resistance against interference and attenuation.
  C. the shorter the rating and its resistance against interference and attenuation.
  D. the longer the rating and its resistance against interference and attenuation.
  A. the higher the rating and its resistance against interference and crosstalk.

  ---

  The category rating is based on how tightly the copper cable is wound within the shielding: The tighter the wind, the higher the rating and its resistance against interference and crosstalk. Twisted pair copper cabling is a form of wiring in which two conductors are wound together for the purposes of canceling out electromagnetic interference (EMI) from external sources and crosstalk from neighboring wires. Twisting wires decreases interference because the loop area between the wires (which determines the magnetic coupling into the signal) is reduced. In balanced pair operation, the two wires typically carry equal and opposite signals (differential mode) which are combined by subtraction at the destination. The noise from the two wires cancel each other in this subtraction because the two wires have been exposed to similar EMI.

  The twist rate (usually defined in twists per metre) makes up part of the specification for a given type of cable. The greater the number of twists, the greater the attenuation of crosstalk. Where pairs are not twisted, as in most residential interior

  telephone wiring, one member of the pair may be closer to the source than the other, and thus exposed to slightly different induced EMF.

  Reference:

  KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 101.

  and

  http://www.consultants-online.co.za/pub/itap_101/html/ch04s05.html

• Question 692:

  In the process of gathering evidence from a computer attack, a system administrator took a series of actions which are listed below. Can you identify which one of these actions has compromised the whole evidence collection process?

  A. Using a write blocker
  B. Made a full-disk image
  C. Created a message digest for log files
  D. Displayed the contents of a folder
  D. Displayed the contents of a folder

  ---

  Displaying the directory contents of a folder can alter the last access time on each listed file. Using a write blocker is wrong because using a write blocker ensure that you cannot modify the data on the host and it prevent the host from writing

  to its hard drives.

  Made a full-disk image is wrong because making a full-disk image can preserve all data on a hard disk, including deleted files and file fragments.

  Created a message digest for log files is wrong because creating a message digest for log files. A message digest is a cryptographic checksum that can demonstrate that the integrity of a file has not been compromised (e.g. changes to the

  content of a log file)

  Domain: LEGAL, REGULATIONS, COMPLIANCE AND INVESTIGATIONS References: AIO 3rd Edition, page 783-784 NIST 800-61 Computer Security Incident Handling guide page 3-18 to 3-20

• Question 693:

  Which of the following should NOT be performed by an operator?

  A. Implementing the initial program load
  B. Monitoring execution of the system
  C. Data entry
  D. Controlling job flow
  C. Data entry

  ---

  Under the principle of separation of duties, an operator should not be performing data entry. This should be left to data entry personnel.

  System operators represent a class of users typically found in data center environments where mainframe systems are used. They provide day-to-day operations of the mainframe environment, ensuring that scheduled jobs are running

  effectively and troubleshooting problems that may arise. They also act as the arms and legs of the mainframe environment, load and unloading tape and results of job print runs. Operators have elevated privileges, but less than those of

  system administrators. If misused, these privileges may be used to circumvent the system's security policy. As such, use of these privileges should be monitored through audit logs.

  Some of the privileges and responsibilities assigned to operators include:

  Implementing the initial program load: This is used to start the operating system. The boot process or initial program load of a system is a critical time for ensuring system security. Interruptions to this process may reduce the integrity of the

  system or cause the system to crash, precluding its availability. Monitoring execution of the system: Operators respond to various events, to include errors, interruptions, and job completion messages.

  Volume mounting: This allows the desired application access to the system and its data.

  Controlling job flow: Operators can initiate, pause, or terminate programs. This may allow an operator to affect the scheduling of jobs. Controlling job flow involves the manipulation of configuration information needed by the system. Operators

  with the ability to control a job or application can cause output to be altered or diverted, which can threaten the confidentiality.

  Bypass label processing: This allows the operator to bypass security label information to run foreign tapes (foreign tapes are those from a different data center that would not be using the same label format that the system could run). This

  privilege should be strictly controlled to prevent unauthorized access.

  Renaming and relabeling resources: This is sometimes necessary in the mainframe environment to allow programs to properly execute. Use of this privilege should be monitored, as it can allow the unauthorized viewing of sensitive

  information.

  Reassignment of ports and lines: Operators are allowed to reassign ports or lines. If misused, reassignment can cause program errors, such as sending sensitive output to an unsecured location. Furthermore, an incidental port may be

  opened, subjecting the system to an attack through the creation of a new entry point into the system.

  Reference(s) used for this question:

  Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 19367-19395). Auerbach Publications. Kindle Edition. Which of the following should be performed by an

  operator?

  A. Changing profiles

  B. Approving changes

  C. Adding and removal of users

  D. Installing system software

  Answer: D

  Of the listed tasks, installing system software is the only task that should normally be performed by an operator in a properly segregated environment.

  Source: MOSHER, Richard and ROTHKE, Ben, CISSP CBK Review presentation on domain 7.

• Question 694:

  Which type of attack is based on the probability of two different messages using the same hash function producing a common message digest?

  A. Differential cryptanalysis
  B. Differential linear cryptanalysis
  C. Birthday attack
  D. Statistical attack
  C. Birthday attack

  ---

  A Birthday attack is usually applied to the probability of two different messages using the same hash function producing a common message digest.

  The term "birthday" comes from the fact that in a room with 23 people, the probability of two of more people having the same birthday is greater than 50%.

  Linear cryptanalysis is a general form of cryptanalysis based on finding affine approximations to the action of a cipher. Attacks have been developed for block ciphers and stream ciphers. Linear cryptanalysis is one of the two most widely

  used attacks on block ciphers; the other being differential cryptanalysis.

  Differential Cryptanalysis is a potent cryptanalytic technique introduced by Biham and Shamir. Differential cryptanalysis is designed for the study and attack of DES-like cryptosystems. A DES-like cryptosystem is an iterated cryptosystem

  which relies on conventional cryptographic techniques such as substitution and diffusion.

  Differential cryptanalysis is a general form of cryptanalysis applicable primarily to block ciphers, but also to stream ciphers and cryptographic hash functions. In the broadest sense, it is the study of how differences in an input can affect the

  resultant difference at the output. In the case of a block cipher, it refers to a set of techniques for tracing differences through the network of transformations, discovering where the cipher exhibits non-random behaviour, and exploiting such

  properties to recover the secret key.

  Source:

  KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 4: Cryptography (page 163).

  and

  http://en.wikipedia.org/wiki/Differential_cryptanalysis

• Question 695:

  What is NOT an authentication method within IKE and IPsec?

  A. CHAP
  B. Pre shared key
  C. certificate based authentication
  D. Public key authentication
  A. CHAP

  ---

  CHAP is not used within IPSEC or IKE. CHAP is an authentication scheme used by Point to Point Protocol (PPP) servers to validate the identity of remote clients. CHAP periodically verifies the identity of the client by using a three-way

  handshake. This happens at the time of establishing the initial link (LCP), and may happen again at any time afterwards. The verification is based on a shared secret (such as the client user's password).

  After the completion of the link establishment phase, the authenticator sends a "challenge" message to the peer.

  The peer responds with a value calculated using a one-way hash function on the challenge and the secret combined.

  The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authenticator acknowledges the authentication; otherwise it should terminate the connection.

  At random intervals the authenticator sends a new challenge to the peer and repeats steps 1 through 3.

  The following were incorrect answers:

  Pre Shared Keys

  In cryptography, a pre-shared key or PSK is a shared secret which was previously shared between the two parties using some secure channel before it needs to be used. To build a key from shared secret, the key derivation function should

  be used. Such systems almost always use symmetric key cryptographic algorithms. The term PSK is used in WiFi encryption such as WEP or WPA, where both the wireless access points (AP) and all clients share the same key.

  The characteristics of this secret or key are determined by the system which uses it; some system designs require that such keys be in a particular format. It can be a password like 'bret13i', a passphrase like 'Idaho hung gear id gene', or a

  hexadecimal string like '65E4 E556 8622 EEE1'. The secret is used by all systems involved in the cryptographic processes used to secure the traffic between the systems.

  Certificat Based Authentication The most common form of trusted authentication between parties in the wide world of Web commerce is the exchange of certificates. A certificate is a digital document that at a minimum includes a Distinguished Name (DN) and an associated public key.

  The certificate is digitally signed by a trusted third party known as the Certificate Authority (CA). The CA vouches for the authenticity of the certificate holder. Each principal in the transaction presents certificate as its credentials. The recipient

  then validates the certificate's signature against its cache of known and trusted CA certificates. A "personal

  certificate" identifies an end user in a transaction; a "server certificate" identifies the service provider.

  Generally, certificate formats follow the X.509 Version 3 standard. X.509 is part of the Open Systems Interconnect

  (OSI) X.500 specification.

  Public Key Authentication

  Public key authentication is an alternative means of identifying yourself to a login server, instead of typing a password. It is more secure and more flexible, but more difficult to set up.

  In conventional password authentication, you prove you are who you claim to be by proving that you know the correct password. The only way to prove you know the password is to tell the server what you think the password is. This means

  that if the server has been hacked, or spoofed an attacker can learn your password.

  Public key authentication solves this problem. You generate a key pair, consisting of a public key (which everybody is allowed to know) and a private key (which you keep secret and do not give to anybody). The private key is able to generate signatures. A signature created using your private key cannot be forged by anybody who does not have a copy of that private key; but anybody who has your public key can verify that a particular signature is genuine. So you generate a key pair on your own computer, and you copy the public key to the server. Then, when the server asks you to prove who you are, you can generate a signature using your private key. The server can verify that signature (since it has your public key) and allow you to log in. Now if the server is hacked or spoofed, the attacker does not gain your private key or password; they only gain one signature. And signatures cannot be re-used, so they have gained nothing.

  There is a problem with this: if your private key is stored unprotected on your own computer, then anybody who gains access to your computer will be able to generate signatures as if they were you. So they will be able to log in to your server under your account. For this reason, your private key is usually encrypted when it is stored on your local machine, using a passphrase of your choice. In order to generate a signature, you must decrypt the key, so you have to type your passphrase.

  References: RFC 2409: The Internet Key Exchange (IKE); DORASWAMY, Naganand and HARKINS, Dan Ipsec: The New Security Standard for the Internet, Intranets, and Virtual Private Networks, 1999, Prentice Hall PTR; SMITH, Richard E. Internet Cryptography, 1997, Addison-Wesley Pub Co.; HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 2001, McGraw-Hill/Osborne, page 467. http://en.wikipedia.org/wiki/Pre-shared_key http://www.home.umk.pl/~mgw/LDAP/RS.C4.JUN.97.pdf http://the.earth.li/~sgtatham/putty/0.55/htmldoc/Chapter8.html#S8.1

• Question 696:

  As per the Orange Book, what are two types of system assurance?

  A. Operational Assurance and Architectural Assurance.
  B. Design Assurance and Implementation Assurance.
  C. Architectural Assurance and Implementation Assurance.
  D. Operational Assurance and Life-Cycle Assurance.
  D. Operational Assurance and Life-Cycle Assurance.

  ---

  Are the two types of assurance mentioned in the Orange book.

  The following answers are incorrect:

  Operational Assurance and Architectural Assurance. Is incorrect because Architectural Assurance is not a type of assurance mentioned in the Orange book.

  Design Assurance and Implementation Assurance. Is incorrect because neither are types of assurance mentioned in the Orange book.

  Architectural Assurance and Implementation Assurance. Is incorrect because neither are types of assurance mentioned in the Orange book.

• Question 697:

  Which of the following is not a preventive login control?

  A. Last login message
  B. Password aging
  C. Minimum password length
  D. Account expiration
  A. Last login message

  ---

  The last login message displays the last login date and time, allowing a user to discover if their account was used by someone else. Hence, this is rather a detective control.

  Source: RUSSEL, Deborah and GANGEMI, G.T. Sr., Computer Security Basics, O'Reilly, July 1992 (page 63).

• Question 698:

  Which protocol of the TCP/IP suite addresses reliable data transport?

  A. Transmission control protocol (TCP)
  B. User datagram protocol (UDP)
  C. Internet protocol (IP)
  D. Internet control message protocol (ICMP)
  A. Transmission control protocol (TCP)

  ---

  TCP provides a full-duplex, connection-oriented, reliable, virtual circuit. It handles the sequencing and retransmission of lost packets.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 3: Telecommunications and Network Security (page

  85).

• Question 699:

  Which of the following is NOT a VPN communications protocol standard?

  A. Point-to-point tunnelling protocol (PPTP)
  B. Challenge Handshake Authentication Protocol (CHAP)
  C. Layer 2 tunnelling protocol (L2TP)
  D. IP Security
  B. Challenge Handshake Authentication Protocol (CHAP)

  ---

  CHAP is an authentication mechanism for point-to-point protocol connections that encrypt the user's password. It is a protocol that uses a three-way handshake. The server sends the client a challenge, which includes a random value (a

  nonce) to thwart replay attacks. The client responds with a MD5 hash of the nonce and the password. The authentication is successful if the client's response is the one that the server expected.

  The VPN communication protocol standards listed above are PPTP, L2TP and IPSec.

  PPTP and L2TP operate at the data link layer (layer 2) of the OSI model and enable only a single point-to- point connection per session.

  The following are incorrect answers:

  PPTP uses native PPP authentication and encryption services. Point-to-Point Tunneling Protocol (PPTP) is a VPN protocol that runs over other protocols. PPTP relies on generic routing encapsulation (GRE) to build the tunnel between the

  endpoints. After the user authenticates, typically with Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAPv2), a Point-to-Point Protocol (PPP) session creates a tunnel using GRE.

  L2TP is a combination of PPTP and the earlier Layer 2 Forwarding protocol (L2F). Layer 2 Tunneling Protocol (L2TP) is a hybrid of Cisco's Layer 2 Forwarding (L2F) and Microsoft's PPTP. It allows callers over a serial line using PPP to connect over the Internet to a remote network. A dial-up user connects to his ISP's L2TP access concentrator (LAC) with a PPP connection. The LAC encapsulates the PPP packets into L2TP and forwards it to the remote network's layer 2 network server (LNS). At this point, the LNS authenticates the dial-up user. If authentication is successful, the dial-up user will have access to the remote network.

  IPSec operates at the network layer (layer 3) and enables multiple simultaneous tunnels. IP Security (IPSec) is a suite of protocols for communicating securely with IP by providing mechanisms for authenticating and encryption. Implementation of IPSec is mandatory in IPv6, and many organizations are using it over IPv4. Further, IPSec can be implemented in two modes, one that is appropriate for end-to-end protection and one that safeguards traffic between networks.

  Reference used for this question:

  Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 7067-7071). Auerbach Publications. Kindle Edition.

  and

  Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 6987-6990). Auerbach Publications. Kindle Edition.

• Question 700:

  A timely review of system access audit records would be an example of which of the basic security functions?

  A. avoidance.
  B. deterrence.
  C. prevention.
  D. detection.
  D. detection.

  ---

  By reviewing system logs you can detect events that have occured.

  The following answers are incorrect:

  avoidance. This is incorrect, avoidance is a distractor. By reviewing system logs you have not avoided anything.

  deterrence. This is incorrect because system logs are a history of past events. You cannot deter something that has already occurred.

  prevention. This is incorrect because system logs are a history of past events. You cannot prevent something that has already occurred.