ISC SSCP Online Practice Questions and Exam Preparation

ISC SSCP Online Questions & Answers

• Question 751:

  The Orange Book states that "Hardware and software features shall be provided that can be used to periodically validate the correct operation of the on-site hardware and firmware elements of the TCB [Trusted Computing Base]." This statement is the formal requirement for:

  A. Security Testing.
  B. Design Verification.
  C. System Integrity.
  D. System Architecture Specification.
  C. System Integrity.

  ---

  This is a requirement starting as low as C1 within the TCSEC rating.

  The Orange book requires the following for System Integrity Hardware and/or software features shall be provided that can be used to periodically validate the correct operation of the on-site hardware and firmware elements of the TCB.

  NOTE FROM CLEMENT:

  This is a question that confuses a lot of people because most people take for granted that the orange book with its associated Bell LaPadula model has nothing to do with integrity. However you have to be careful about the context in which

  the word integrity is being used. You can have Data Integrity and you can have System Integrity which are two completely different things.

  Yes, the Orange Book does not specifically address the Integrity requirements, however it has to run on top of systems that must meet some integrity requirements.

  This is part of what they call operational assurance which is defined as a level of confidence of a trusted system's architecture and implementation that enforces the system's security policy. It includes:

  System architecture

  Covert channel analysis

  System integrity

  Trusted recovery

  DATA INTEGRITY

  Data Integrity is very different from System Integrity. When you have integrity of the data, there are three goals:

  1.

  Prevent authorized users from making unauthorized modifications

  2.

  Preven unauthorized users from making modifications

  3.

  Maintaining internal and external consistancy of the data

  Bell LaPadula which is based on the Orange Book address does not address Integrity, it addresses only Confidentiality.

  Biba address only the first goal of integrity.

  Clark-Wilson addresses the three goals of integrity.

  In the case of this question, there is a system integrity requirement within the TCB. As mentioned above here is an extract of the requirements: Hardware and/or software features shall be provided that can be used to periodically validate the

  correct operation of the on-site hardware and firmware elements of the TCB.

  The following answers are incorrect:

  Security Testing. Is incorrect because Security Testing has no set of requirements in the Orange book.

  Design Verification. Is incorrect because the Orange book's requirements for Design Verification include: A formal model of the security policy must be clearly identified and documented, including a mathematical proof that the model is

  consistent with its axioms and is sufficient to support the security policy.

  System Architecture Specification. Is incorrect because there are no requirements for System Architecture Specification in the Orange book.

  The following reference(s) were used for this question:

  Trusted Computer Security Evaluation Criteria (TCSEC), DoD 5200.28-STD, page 15, 18, 25, 31, 40, 50.

  Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition, Security Architecture and Design, Page 392-397, for users with the Kindle Version see Kindle Locations 28504- 28505.

  and DOD TCSEC - http://www.cerberussystems.com/INFOSEC/stds/d520028.htm

• Question 752:

  What is the goal of the Maintenance phase in a common development process of a security policy?

  A. to review the document on the specified review date
  B. publication within the organization
  C. to write a proposal to management that states the objectives of the policy
  D. to present the document to an approving body
  A. to review the document on the specified review date

  ---

  "publication within the organization" is the goal of the Publication Phase "write a proposal to management that states the objectives of the policy" is part of Initial and Evaluation Phase "Present the document to an approving body" is part of

  Approval Phase.

  Reference: TIPTON, Harold F. and KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 3, 2002, Auerbach Publications.

  Also: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 286).

• Question 753:

  A prolonged high voltage is a:

  A. spike
  B. blackout
  C. surge
  D. fault
  C. surge

  ---

  A prolonged high voltage is a surge.

  From: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 3rd. Edition McGraw- Hill/Osborne, 2005, page 368.

• Question 754:

  Which of the following statements pertaining to IPSec is incorrect?

  A. IPSec can help in protecting networks from some of the IP network attacks.
  B. IPSec provides confidentiality and integrity to information transferred over IP networks through transport layer encryption and authentication.
  C. IPSec protects against man-in-the-middle attacks.
  D. IPSec protects against spoofing.
  B. IPSec provides confidentiality and integrity to information transferred over IP networks through transport layer encryption and authentication.

  ---

  IPSec provides confidentiality and integrity to information transferred over IP networks through network (not transport) layer encryption and authentication. All other statements are correct. Source: TIPTON, Harold F. and KRAUSE, Micki, Information Security Management Handbook, 4th edition (volume 1), 2000, CRC Press, Chapter 6, Extranet Access Control Issues (page 110).

• Question 755:

  Which virus category has the capability of changing its own code, making it harder to detect by anti-virus software?

  A. Stealth viruses
  B. Polymorphic viruses
  C. Trojan horses
  D. Logic bombs
  B. Polymorphic viruses

  ---

  A polymorphic virus has the capability of changing its own code, enabling it to have many different variants, making it harder to detect by anti-virus software. The particularity of a stealth virus is that it tries to hide its presence after infecting a system. A Trojan horse is a set of unauthorized instructions that are added to or replacing a legitimate program. A logic bomb is a set of instructions that is initiated when a specific event occurs. Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/ Osborne, 2002, chapter 11: Application and System Development (page 786).

• Question 756:

  Which of the following is a trusted, third party authentication protocol that was developed under Project Athena at MIT?

  A. Kerberos
  B. SESAME
  C. KryptoKnight
  D. NetSP
  A. Kerberos

  ---

  Kerberos is a trusted, third party authentication protocol that was developed under Project Athena at MIT.

  Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/ server applications by using secret-key cryptography. A free implementation of this protocol is available from the Massachusetts Institute of Technology. Kerberos is available in many commercial products as well.

  The Internet is an insecure place. Many of the protocols used in the Internet do not provide any security. Tools to "sniff" passwords off of the network are in common use by systems crackers. Thus, applications which send an unencrypted password over the network are extremely vulnerable. Worse yet, other client/ server applications rely on the client program to be "honest" about the identity of the user who is using it. Other applications rely on the client to restrict its activities to those which it is allowed to do, with no other enforcement by the server.

  Some sites attempt to use firewalls to solve their network security problems. Unfortunately, firewalls assume that "the bad guys" are on the outside, which is often a very bad assumption. Most of the really damaging incidents of computer crime are carried out by insiders. Firewalls also have a significant disadvantage in that they restrict how your users can use the Internet. (After all, firewalls are simply a less extreme example of the dictum that there is nothing more secure then a computer which is not connected to the network --- and powered off!) In many places, these restrictions are simply unrealistic and unacceptable. Kerberos was created by MIT as a solution to these network security problems. The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection. After a client and server have used Kerberos to prove their identity, they can also encrypt all of their communications to assure privacy and data integrity as they go about their business.

  Kerberos is freely available from MIT, under a copyright permission notice very similar to the one used for the BSD operating and X11 Windowing system. MIT provides Kerberos in source form, so that anyone who wishes to use it may look over the code for themselves and assure themselves that the code is trustworthy. In addition, for those who prefer to rely on a professional supported product, Kerberos is available as a product from many different vendors.

  In summary, Kerberos is a solution to your network security problems. It provides the tools of authentication and strong cryptography over the network to help you secure your information systems across your entire enterprise. We hope you find Kerberos as useful as it has been to us. At MIT, Kerberos has been invaluable to our Information/Technology architecture.

  KryptoKnight is a Peer to Peer authentication protocol incorporated into the NetSP product from IBM.

  SESAME is an authentication and access control protocol, that also supports communication confidentiality and integrity. It provides public key based authentication along with the Kerberos style authentication, that uses symmetric key cryptography. Sesame supports the Kerberos protocol and adds some security extensions like public key based authentication and an ECMA- style Privilege Attribute Service. The complete Sesame protocol is a two step process. In the first step, the client successfully authenticates itself to the Authentication Server and obtains a ticket that can be presented to the Privilege Attribute Server. In the second step, the initiator obtains proof of his access rights in the form of Privilege Attributes Certificate (PAC). The PAC is a specific form of Access Control Certificate as defined in the ECMA-219 document. This document describes the extensions to Kerberos for public key based authentication as adopted in Sesame.

  SESAME, KryptoKnight, and NetSP never took off and the protocols are no longer commonly used. References:

  http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#whatis

  and

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 40.

• Question 757:

  What is defined as the manner in which the network devices are organized to facilitate communications?

  A. LAN transmission methods
  B. LAN topologies
  C. LAN transmission protocols
  D. LAN media access methods
  B. LAN topologies

  ---

  A network topology defines the manner in which the network devices are organized to facilitate communications. Common LAN technologies are: bus ring star meshed LAN transmission methods refer to the way packets are sent on the network and are: unicast multicast broadcast LAN transmission protocols are the rules for communicating between computers on a LAN.

  Common LAN transmission protocols are: CSMA/CD polling token-passing

  LAN media access methods control the use of a network (physical and data link layers). They can be: Ethernet ARCnet Token ring FDDI Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 3: Telecommunications and Network Security (page 105).

• Question 758:

  If an employee's computer has been used by a fraudulent employee to commit a crime, the hard disk may be seized as evidence and once the investigation is complete it would follow the normal steps of the Evidence Life Cycle. In such case, the Evidence life cycle would not include which of the following steps listed below?

  A. Acquisition collection and identification
  B. Analysis
  C. Storage, preservation, and transportation
  D. Destruction
  D. Destruction

  ---

  Unless the evidence is illegal then it should be returned to owner, not destroyed.

  The Evidence Life Cycle starts with the discovery and collection of the evidence. It progresses through the following series of states until it is finally returned to the victim or owner:

  Acquisition collection and identification

  Analysis

  Storage, preservation, and transportation

  Presented in court

  Returned to victim (owner)

  The Second edition of the ISC2 book says on page 529-530:

  Identifying evidence: Correctly identifying the crime scene, evidence, and potential containers of evidence.

  Collecting or acquiring evidence: Adhering to the criminalistic principles and ensuring that the contamination and the destruction of the scene are kept to a minimum. Using sound, repeatable, collection techniques that allow for the

  demonstration of the accuracy and integrity of evidence, or copies of evidence.

  Examining or analyzing the evidence: Using sound scientific methods to determine the characteristics of the evidence, conducting comparison for individuation of evidence, and conducting event reconstruction.

  Presentation of findings: Interpreting the output from the examination and analysis based on findings of fact and articulating these in a format appropriate for the intended audience (e.g., court brief, executive memo, report).

  Note on returning the evidence to the Owner/Victim

  The final destination of most types of evidence is back with its original owner. Some types of evidence, such as

  drugs or drug paraphernalia (i.e., contraband), are destroyed after the trial.

  Any evidence gathered during a search, although maintained by law enforcement, is legally under the control of the courts. And although a seized item may be yours and may even have your name on it, it might not be returned to you unless

  the suspect signs a release or after a hearing by the court. Unfortunately, many victims do not want to go to trial; they just want to get their property back. Many investigations merely need the information on a disk to prove or disprove a fact in

  question; thus, there is no need to seize the entire system. Once a schematic of the system is drawn or photographed, the hard disk can be removed and then transported to a forensic lab for copying.

  Mirror copies of the suspect disk are obtained using forensic software and then one of those copies can be returned to the victim so that business operations can resume.

  Reference(s) used for this question:

  KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 9: Law, Investigation, and Ethics (page 309).

  and

  The Official Study Book, Second Edition, Page 529-230

• Question 759:

  What is the name of the first mathematical model of a multi-level security policy used to define the concept of a secure state, the modes of access, and rules for granting access?

  A. Clark and Wilson Model
  B. Harrison-Ruzzo-Ullman Model
  C. Rivest and Shamir Model
  D. Bell-LaPadula Model
  D. Bell-LaPadula Model

  ---

  Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

• Question 760:

  A Packet Filtering Firewall system is considered a:

  A. first generation firewall.
  B. second generation firewall.
  C. third generation firewall.
  D. fourth generation firewall.
  A. first generation firewall.

  ---

  The first types of firewalls were packet filtering firewalls. It is the most basic firewall making access decisions based on ACL's. It will filter traffic based on source IP and port as well as destination IP and port. It does not understand the context

  of the communication and inspects every single packet one by one without understanding the context of the connection.

  "Second generation firewall" is incorrect. The second generation of firewall were Proxy based firewalls. Under proxy based firewall you have Application Level Proxy and also the Circuit- level proxy firewall. The application level proxy is very

  smart and understand the inner structure of the protocol itself. The Circui- Level Proxy is a generic proxy that allow you to proxy protocols for which you do not have an Application Level Proxy. This is better than allowing a direct connection to

  the net. Today a great example of this would be the SOCKS protocol.

  "Third generation firewall" is incorrect. The third generation firewall is the Stateful Inspection firewall. This type of firewall makes use of a state table to maintain the context of connections being established.

  "Fourth generation firewall" is incorrect. The fourth generation firewall is the dynamic packet filtering firewall.

  References:

  CBK, p. 464

  AIO3, pp. 482 - 484

  Neither CBK or AIO3 use the generation terminology for firewall types but you will encounter it frequently as a practicing security professional. See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/centri4/ user/scf4ch3.htm for a general

  discussion of the different generations.