ISC SSCP Online Practice Questions and Exam Preparation

ISC SSCP Online Questions & Answers

• Question 801:

  A proxy can control which services (FTP and so on) are used by a workstation , and also aids in protecting the network from outsiders who may be trying to get information about the:

  A. network's design
  B. user base
  C. operating system design
  D. net BIOS' design
  A. network's design

  ---

  To the untrusted host, all traffic seems to originate from the proxy server and addresses on the trusted network are not revealed.

  "User base" is incorrect. The proxy hides the origin of the request from the untrusted host.

  "Operating system design" is incorrect. The proxy hides the origin of the request from the untrusted host.

  "Net BIOS' design" is incorrect. The proxy hides the origin of the request from the untrusted host.

  References:

  CBK, p. 467

  AIO3, pp. 486 - 490

• Question 802:

  Which of the following ASYMMETRIC encryption algorithms is based on the difficulty of FACTORING LARGE NUMBERS?

  A. El Gamal
  B. Elliptic Curve Cryptosystems (ECCs)
  C. RSA
  D. International Data Encryption Algorithm (IDEA)
  C. RSA

  ---

  Named after its inventors Ron Rivest , Adi Shamir and Leonard Adleman is based on the difficulty of factoring large prime numbers.

  Factoring a number means representing it as the product of prime numbers. Prime numbers, such as 2, 3, 5, 7, 11, and 13, are those numbers that are not evenly divisible by any smaller number, except 1. A non- prime, or composite number,

  can be written as the product of smaller primes, known as its prime factors. 665, for example is the product of the primes 5, 7, and 19. A number is said to be factored when all of its prime factors are identified. As the size of the number

  increases, the difficulty of factoring increases rapidly.

  The other answers are incorrect because:

  El Gamal is based on the discrete logarithms in a finite field. Elliptic Curve Cryptosystems (ECCs) computes discrete logarithms of elliptic curves.

  International Data Encryption Algorithm (IDEA) is a block cipher and operates on 64 bit blocks of data and is a SYMMETRIC algorithm.

  Reference : Shon Harris , AIO v3 , Chapter-8 : Cryptography , Page : 638

• Question 803:

  Which of the following algorithms is a stream cipher?

  A. RC2
  B. RC4
  C. RC5
  D. RC6
  B. RC4

  ---

  RC2, RC4, RC5 and RC6 were developed by Ronal Rivest from RSA Security.

  In the RC family only RC4 is a stream cipher.

  RC4 allows a variable key length.

  RC2 works with 64-bit blocks and variable key lengths,

  RC5 has variable block sizes, key length and number of processing rounds.

  RC6 was designed to fix a flaw in RC5.

  Source: ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 6: Cryptography (page 103).

• Question 804:

  Which of the following is the simplest type of firewall ?

  A. Stateful packet filtering firewall
  B. Packet filtering firewall
  C. Dual-homed host firewall
  D. Application gateway
  B. Packet filtering firewall

  ---

  A static packet filtering firewall is the simplest and least expensive type of firewalls, offering minimum security provisions to a low-risk computing environment. A static packet filter firewall examines both the source and destination addresses

  of the incoming data packet and applies ACL's to them. They operates at either the Network or Transport layer.

  They are known as the First generation of firewall.

  Older firewalls that were only packet filters were essentially routing devices that provided access control functionality for host addresses and communication sessions. These devices, also known as stateless inspection firewalls, do not keep

  track of the state of each flow of traffic that passes though the firewall; this means, for example, that they cannot associate multiple requests within a single session to each other. Packet filtering is at the core of most modern firewalls, but

  there are few firewalls sold today that only do stateless packet filtering. Unlike more advanced filters, packet filters are not concerned about the content of packets. Their access control functionality is governed by a set of directives referred to

  as a ruleset. Packet filtering capabilities are built into most operating systems and devices capable of routing; the most common example of a pure packet filtering device is a network router that employs access control lists.

  There are many types of Firewall:

  Application Level Firewalls Often called a Proxy Server. It works by transferring a copy of each accepted data packet from one network to another. They are known as the Second generation of firewalls.

  An application-proxy gateway is a feature of advanced firewalls that combines lower-layer access control with upper-layer functionality. These firewalls contain a proxy agent that acts as an intermediary between two hosts that wish to

  communicate with each other, and never allows a direct connection between them. Each successful connection attempt actually results in the creation of two separate connections--one between the client and the proxy server, and another

  between the proxy server and the true destination. The proxy is meant to be transparent to the two hosts--from their perspectives there is a direct connection. Because external hosts only communicate with the proxy agent, internal IP

  addresses are not visible to the outside world. The proxy agent interfaces directly with the firewall ruleset to determine whether a given instance of network traffic should be allowed to transit the firewall.

  Stateful Inspection Firewall - Packets are captured by the inspection engine operating at the network layer and then analyzed at all layers. They are known as the Third generation of firewalls. Stateful inspection improves on the functions of

  packet filters by tracking the state of connections and blocking packets that deviate from the expected state. This is accomplished by incorporating greater awareness of the transport layer. As with packet filtering, stateful inspection intercepts

  packets at the network layer and inspects them to see if they are permitted by an existing firewall rule, but unlike packet filtering, stateful inspection keeps track of each connection in a state table. While the details of state table entries vary by

  firewall product, they typically include source IP address, destination IP address, port numbers, and connection state information.

  Web Application Firewalls - The HTTP protocol used in web servers has been exploited by attackers in many ways, such as to place malicious software on the computer of someone browsing the web, or to fool a person into revealing private

  information that they might not have otherwise. Many of these exploits can be detected by specialized application firewalls called web application firewalls that reside in front of the web server.

  Web application firewalls are a relatively new technology, as compared to other firewall technologies, and the type of threats that they mitigate are still changing frequently. Because they are put in front of web servers to prevent attacks on the

  server, they are often considered to be very different than traditional firewalls.

  Host-Based Firewalls and Personal Firewalls - Host-based firewalls for servers and personal firewalls for desktop and laptop personal computers (PC) provide an additional layer of security against network-based attacks. These firewalls are

  software-based, residing on the hosts they are protecting--each monitors and controls the incoming and outgoing network traffic for a single host. They can provide more granular protection than network firewalls to meet the needs of specific

  hosts.

  Host-based firewalls are available as part of server operating systems such as Linux, Windows, Solaris, BSD, and Mac OS X Server, and they can also be installed as third-party add-ons. Configuring a host- based firewall to allow only

  necessary traffic to the server provides protection against malicious activity from all hosts, including those on the same subnet or on other internal subnets not separated by a network firewall. Limiting outgoing traffic from a server may also be

  helpful in preventing certain malware that infects a host from spreading to other hosts.11 Host- based firewalls usually perform logging, and can often be configured to perform address-based and application-based access controls Dynamic

  Packet Filtering Makes informed decisions on the ACL's to apply. They are known as the Fourth generation of firewalls.

  Kernel Proxy - Very specialized architecture that provides modular kernel-based, multi-layer evaluation and runs in the NT executive space. They are known as the Fifth generation of firewalls.

  The following were incorrect answers:

  All of the other types of firewalls listed are more complex than the Packet Filtering Firewall.

  Reference(s) used for this question:

  HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 6th Edition, Telecommunications and Network Security, Page 630.

  and NIST Guidelines on Firewalls and Firewalls policies, Special Publication 800-4 Revision 1

• Question 805:

  Who should direct short-term recovery actions immediately following a disaster?

  A. Chief Information Officer.
  B. Chief Operating Officer.
  C. Disaster Recovery Manager.
  D. Chief Executive Officer.
  C. Disaster Recovery Manager.

  ---

  The Disaster Recovery Manager should also be a member of the team that assisted in the development of the Disaster Recovery Plan. Senior-level management need to support the process but would not be involved with the initial process.

  The following answers are incorrect:

  Chief Information Officer. Is incorrect because the Senior-level management are the ones to authorize the recovery plan and process but during the initial recovery process they will most likely be heavily involved in other matters.

  Chief Operating Officer. Is incorrect because the Senior-level management are the ones to authorize the recovery plan and process but during the initial recovery process they will most likely be heavily involved in other matters.

  Chief Executive Officer. Is incorrect because the Senior-level management are the ones to authorize the recovery plan and process but during the initial recovery process they will most likely be heavily involved in other matters.

• Question 806:

  Preservation of confidentiality within information systems requires that the information is not disclosed to:

  A. Authorized person
  B. Unauthorized persons or processes.
  C. Unauthorized persons.
  D. Authorized persons and processes
  B. Unauthorized persons or processes.

  ---

  Confidentiality assures that the information is not disclosed to unauthorized persons or processes.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 31.

• Question 807:

  Which OSI/ISO layer is the Media Access Control (MAC) sublayer part of?

  A. Transport layer
  B. Network layer
  C. Data link layer
  D. Physical layer
  C. Data link layer

  ---

  The data link layer contains the Logical Link Control sublayer and the Media Access Control (MAC) sublayer.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 3: Telecommunications and Network Security (page 83).

• Question 808:

  Why would a memory dump be admissible as evidence in court?

  A. Because it is used to demonstrate the truth of the contents.
  B. Because it is used to identify the state of the system.
  C. Because the state of the memory cannot be used as evidence.
  D. Because of the exclusionary rule.
  B. Because it is used to identify the state of the system.

  ---

  A memory dump can be admitted as evidence if it acts merely as a statement of fact. A system dump is not considered hearsay because it is used to identify the state of the system, not the truth of the contents. The exclusionary rule mentions

  that evidence must be gathered legally or it can't be used. This choice is a distracter.

  Source: ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 10: Law, Investigation, and Ethics (page 187).

• Question 809:

  Which of the following centralized access control mechanisms is the least appropriate for mobile workers accessing the corporate network over analog lines?

  A. TACACS
  B. Call-back
  C. CHAP
  D. RADIUS
  B. Call-back

  ---

  Call-back allows for a distant user connecting into a system to be called back at a number already listed in a database of trusted users. The disadvantage of this system is that the user must be at a fixed location whose phone number is known to the authentication server. Being mobile workers, users are accessing the system from multiple locations, making call-back inappropriate for them.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 2: Access control systems (page 44).

• Question 810:

  When a possible intrusion into your organization's information system has been detected, which of the following actions should be performed first?

  A. Eliminate all means of intruder access.
  B. Contain the intrusion.
  C. Determine to what extent systems and data are compromised.
  D. Communicate with relevant parties.
  C. Determine to what extent systems and data are compromised.

  ---

  Once an intrusion into your organization's information system has been detected, the first action that needs to be performed is determining to what extent systems and data are compromised (if they really are), and then take action.

  This is the good old saying: "Do not cry wolf until you know there is a wolf for sure" Sometimes it smells like a wolf, it looks like a wolf, but it may not be a wolf. Technical problems or bad hardware might cause problems that looks like an

  intrusion even thou it might not be. You must make sure that a crime has in fact been committed before implementing your reaction plan.

  Information, as collected and interpreted through analysis, is key to your decisions and actions while executing response procedures. This first analysis will provide information such as what attacks were used, what systems and data were

  accessed by the intruder, what the intruder did after obtaining access and what the intruder is currently doing (if the intrusion has not been contained).

  The next step is to communicate with relevant parties who need to be made aware of the intrusion in a timely manner so they can fulfil their responsibilities.

  Step three is concerned with collecting and protecting all information about the compromised systems and causes of the intrusion. It must be carefully collected, labelled, catalogued, and securely stored.

  Containing the intrusion, where tactical actions are performed to stop the intruder's access, limit the extent of the intrusion, and prevent the intruder from causing further damage, comes next.

  Since it is more a long-term goal, eliminating all means of intruder access can only be achieved last, by implementing an ongoing security improvement process.

  Reference used for this question:

  ALLEN, Julia H., The CERT Guide to System and Network Security Practices, Addison-Wesley, 2001, Chapter 7: Responding to Intrusions (pages 271-289).