ISC SSCP Online Practice Questions and Exam Preparation

ISC SSCP Online Questions & Answers

• Question 831:

  Examples of types of physical access controls include all EXCEPT which of the following?

  A. badges
  B. locks
  C. guards
  D. passwords
  D. passwords

  ---

  Passwords are considered a Preventive/Technical (logical) control.

  The following answers are incorrect:

  badges Badges are a physical control used to identify an individual. A badge can include a smart device which can be used for authentication and thus a Technical control, but the actual badge itself is primarily a physical control.

  locks Locks are a Preventative Physical control and has no Technical association. guards Guards are a Preventative Physical control and has no Technical association.

  The following reference(s) were/was used to create this question:

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 2: Access control systems (page 35).

• Question 832:

  Which of the following is an advantage in using a bottom-up versus a top-down approach to software testing?

  A. Interface errors are detected earlier.
  B. Errors in critical modules are detected earlier.
  C. Confidence in the system is achieved earlier.
  D. Major functions and processing are tested earlier.
  B. Errors in critical modules are detected earlier.

  ---

  The bottom-up approach to software testing begins with the testing of atomic units, such as programs and modules, and work upwards until a complete system testing has taken place. The advantages of using a bottom-up approach to software testing are the fact that there is no need for stubs or drivers and errors in critical modules are found earlier. The other choices refer to advantages of a top down approach which follows the opposite path. Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 299).

• Question 833:

  Which of the following phases of a software development life cycle normally incorporates the security specifications, determines access controls, and evaluates encryption options?

  A. Detailed design
  B. Implementation
  C. Product design
  D. Software plans and requirements
  C. Product design

  ---

  The Product design phase deals with incorporating security specifications, adjusting test plans and data, determining access controls, design documentation, evaluating encryption options, and verification.

  Implementation is incorrect because it deals with Installing security software, running the system, acceptance testing, security software testing, and complete documentation certification and accreditation (where necessary).

  Detailed design is incorrect because it deals with information security policy, standards, legal issues, and the early validation of concepts.

  software plans and requirements is incorrect because it deals with addressesing threats, vulnerabilities, security requirements, reasonable care, due diligence, legal liabilities, cost/benefit analysis, level of protection desired, test plans.

  Sources:

  KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 7: Applications and Systems Development (page 252).

  KRUTZ, Ronald and VINES, Russel, The CISSP Prep Guide: Gold Edition, Wiley Publishing Inc., 2003, Chapter 7: Security Life Cycle Components, Figure 7.5 (page 346). At which of the basic phases of the System Development Life Cycle are

  security requirements formalized?

  A. Disposal

  B. System Design Specifications

  C. Development and Implementation

  D. Functional Requirements Definition Answer: D During the Functional Requirements Definition the project management and systems development teams will conduct a comprehensive analysis of current and possible future functional requirements to ensure that the new system will meet

  end-user needs. The teams also review the documents from the project initiation phase and make any revisions or updates as needed. For smaller projects, this phase is often subsumed in the project initiation phase. At this point security

  requirements should be formalized.

  The Development Life Cycle is a project management tool that can be used to plan, execute, and control a software development project usually called the Systems Development Life Cycle (SDLC).

  The SDLC is a process that includes systems analysts, software engineers, programmers, and end users in the project design and development. Because there is no industry-wide SDLC, an organization can use any one, or a combination of

  SDLC methods.

  The SDLC simply provides a framework for the phases of a software development project from defining the functional requirements to implementation. Regardless of the method used, the SDLC outlines the essential phases, which can be

  shown together or as separate elements. The model chosen should be based on the project.

  For example, some models work better with long-term, complex projects, while others are more suited for short-term projects. The key element is that a formalized SDLC is utilized.

  The number of phases can range from three basic phases (concept, design, and implement) on up.

  The basic phases of SDLC are:

  Project initiation and planning

  Functional requirements definition

  System design specifications

  Development and implementation

  Documentation and common program controls

  Testing and evaluation control, (certification and accreditation)

  Transition to production (implementation)

  The system life cycle (SLC) extends beyond the SDLC to include two additional phases:

  Operations and maintenance support (post-installation)

  Revisions and system replacement

  System Design Specifications

  This phase includes all activities related to designing the system and software. In this phase, the system architecture, system outputs, and system interfaces are designed. Data input, data flow, and output requirements are established and

  security features are designed, generally based on the overall security architecture for the company. Development and Implementation During this phase, the source code is generated, test scenarios and test cases are developed, unit and integration testing is conducted, and the program and system are documented for maintenance and for turnover to acceptance testing

  and production. As well as general care for software quality, reliability, and consistency of operation, particular care should be taken to ensure that the code is analyzed to eliminate common vulnerabilities that might lead to security exploits

  and other risks.

  Documentation and Common Program Controls

  These are controls used when editing the data within the program, the types of logging the program should be doing, and how the program versions should be stored. A large number of such controls may be needed, see the reference below for a full list of controls.

  Acceptance In the acceptance phase, preferably an independent group develops test data and tests the code to ensure that it will function within the organization's environment and that it meets all the functional and security requirements. It is essential that an independent group test the code during all applicable stages of development to prevent a separation of duties issue. The goal of security testing is to ensure that the application meets its security requirements and specifications. The security testing should uncover all design and implementation flaws that would allow a user to violate the software security policy and requirements. To ensure test validity, the application should be tested in an environment that simulates the production environment. This should include a security certification package and any user documentation.

  Certification and Accreditation (Security Authorization)

  Certification is the process of evaluating the security stance of the software or system against a predetermined set of security standards or policies. Certification also examines how well the system performs its intended functional requirements. The certification or evaluation document should contain an analysis of the technical and nontechnical security features and countermeasures and the extent to which the software or system meets the security requirements for its mission and operational environment.

  Transition to Production (Implementation)

  During this phase, the new system is transitioned from the acceptance phase into the live production environment. Activities during this phase include obtaining security accreditation; training the new users according to the implementation and training schedules; implementing the system, including installation and data conversions; and, if necessary, conducting any parallel operations.

  Revisions and System Replacement As systems are in production mode, the hardware and software baselines should be subject to periodic evaluations and audits. In some instances, problems with the application may not be defects or flaws, but rather additional functions not currently developed in the application. Any changes to the application must follow the same SDLC and be recorded in a change management system. Revision reviews should include security planning and procedures to avoid future problems. Periodic application audits should be conducted and include documenting security incidents when problems occur. Documenting system failures is a valuable resource for justifying future system enhancements.

  Below you have the phases used by NIST in it's 800-63 Revision 2 document

  As noted above, the phases will vary from one document to another one. For the purpose of the exam use the list provided in the official ISC2 Study book which is presented in short form above. Refer to the book for a more detailed description of activities at each of the phases of the SDLC.

  However, all references have very similar steps being used. As mentioned in the official book, it could be as simple as three phases in it's most basic version (concept, design, and implement) or a lot more in more detailed versions of the SDLC.

  The key thing is to make use of an SDLC.

  

  SDLC phases

  Reference(s) used for this question:

  NIST SP 800-64 Revision 2 at http://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64- Revision2.pdf

  and

  Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition:

  Software Development Security ((ISC)2 Press) (Kindle Locations 134-157). Auerbach Publications. Kindle Edition.

• Question 834:

  Which device acting as a translator is used to connect two networks or applications from layer 4 up to layer 7 of the ISO/OSI Model?

  A. Bridge
  B. Repeater
  C. Router
  D. Gateway
  D. Gateway

  ---

  A gateway is used to connect two networks using dissimilar protocols at the lower layers or it could also be at the highest level of the protocol stack.

  Important Note:

  For the purpose of the exam, you have to remember that a gateway is not synonymous to the term firewall. The second thing you must remembers is the fact that a gateway act as a translation device.

  It could be used to translate from IPX to TCP/IP for example. It could be used to convert different types of applications protocols and allow them to communicate together. A gateway could be at any of the OSI layers but usually tend to be

  higher up in the stack.

  For your exam you should know the information below:

  Repeaters

  A repeater provides the simplest type of connectivity, because it only repeats electrical signals between cable segments, which enables it to extend a network. Repeaters work at the physical layer and are add- on devices for extending a

  network connection over a greater distance. The device amplifies signals because signals attenuate the farther they have to travel.

  Repeaters can also work as line conditioners by actually cleaning up the signals. This works much better when amplifying digital signals than when amplifying analog signals, because digital signals are discrete units, which makes extraction

  of background noise from them much easier for the amplifier. If the device is amplifying analog signals, any accompanying noise often is amplified as well, which may further distort the signal.

  A hub is a multi-port repeater. A hub is often referred to as a concentrator because it is the physical communication device that allows several computers and devices to communicate with each other. A hub does not understand or work with

  IP or MAC addresses. When one system sends a signal to go to another system connected to it, the signal is broadcast to all the ports, and thus to all the systems connected to the concentrator.

  Repeater

  

  Image Reference- http://www.erg.abdn.ac.uk/~gorry/course/images/repeater.gif Bridges A bridge is a LAN device used to connect LAN segments. It works at the data link layer and therefore works with MAC addresses. A repeater does not work with addresses; it just forwards all signals it receives. When a frame arrives at a

  bridge, the bridge determines whether or not the MAC address is on the local network segment. If the MAC address is not on the local network segment, the bridge forwards the frame to the necessary network segment. Bridge

  

  Image Reference- http://www.oreillynet.com/network/2001/01/30/graphics/bridge.jpg

  Routers

  Routers are layer 3, or network layer, devices that are used to connect similar or different networks. (For example, they can connect two Ethernet LANs or an Ethernet LAN to a Token Ring LAN.) A router is a device that has two or more interfaces and a routing table so it knows how to get packets to their destinations. It can filter traffic based on access control lists (ACLs), and it fragments packets when necessary. Because routers have more network-level knowledge, they can perform higher-level functions, such as calculating the shortest and most economical path between the sending and receiving hosts.

  Router and Switch

  

  Image Reference- http://www.computer-networking-success.com/images/router-switch.jpg Switches Switches combine the functionality of a repeater and the functionality of a bridge. A switch amplifies the electrical signal, like a repeater, and has the built-in circuitry and intelligence of a bridge. It is a multi-port connection device that provides

  connections for individual computers or other hubs and switches. Gateways Gateway is a general term for software running on a device that connects two different environments and that many times acts as a translator for them or somehow restricts their interactions. Usually a gateway is needed when one

  environment speaks a different language, meaning it uses a certain protocol that the other environment does not understand. The gateway can translate Internetwork Packet Exchange (IPX) protocol packets to IP packets, accept mail from one type of mail server and format it so another type of mail server can accept and understand it, or connect and translate different data link technologies such as FDDI to Ethernet. Gateway Server

  

  Image Referencehttp://static.howtoforge.com/images/screenshots/556af08d5e43aa768260f9e589dc547f- 3024.jpg

  The following answers are incorrect:

  Repeater - A repeater provides the simplest type of connectivity, because it only repeats electrical signals between cable segments, which enables it to extend a network. Repeaters work at the physical layer and are add-on devices for

  extending a network connection over a greater distance. The device amplifies signals because signals attenuate the farther they have to travel.

  Bridges - A bridge is a LAN device used to connect LAN segments. It works at the data link layer and therefore works with MAC addresses. A repeater does not work with addresses; it just forwards all signals it receives. When a frame arrives

  at a bridge, the bridge determines whether or not the MAC address is on the local network segment. If the MAC address is not on the local network segment, the bridge forwards the frame to the necessary network segment.

  Routers - Routers are layer 3, or network layer, devices that are used to connect similar or different networks. (For example, they can connect two Ethernet LANs or an Ethernet LAN to a Token Ring LAN.) A router is a device that has two or

  more interfaces and a routing table so it knows how to get packets to their destinations. It can filter traffic based on access control lists (ACLs), and it fragments packets when necessary.

  Following reference(s) were/was used to create this question:

  CISA review manual 2014 Page number 263

  Official ISC2 guide to CISSP CBK 3rd Edition Page number 229 and 230

• Question 835:

  Failure of a contingency plan is usually:

  A. A technical failure.
  B. A management failure.
  C. Because of a lack of awareness.
  D. Because of a lack of training.
  B. A management failure.

  ---

  Failure of a contingency plan is usually management failure to exhibit ongoing interest and concern about the BCP/DRP effort, and to provide financial and other resources as needed. Lack of management support will result in a lack awareness and training.

  Source: ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 9: Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) (page 163).

• Question 836:

  What uses a key of the same length as the message where each bit or character from the plaintext is encrypted by a modular addition?

  A. Running key cipher
  B. One-time pad
  C. Steganography
  D. Cipher block chaining
  B. One-time pad

  ---

  In cryptography, the one-time pad (OTP) is a type of encryption that is impossible to crack if used correctly. Each bit or character from the plaintext is encrypted by a modular addition with a bit or character from a secret random key (or pad) of

  the same length as the plaintext, resulting in a ciphertext. If the key is truly random, at least as long as the plaintext, never reused in whole or part, and kept secret, the ciphertext will be impossible to decrypt or break without knowing the key.

  It has also been proven that any cipher with the perfect secrecy property must use keys with effectively the same requirements as OTP keys. However, practical problems have prevented one-time pads from being widely used.

  First described by Frank Miller in 1882, the one-time pad was re-invented in 1917 and patented a couple of years later. It is derived from the Vernam cipher, named after Gilbert Vernam, one of its inventors. Vernam's system was a cipher that

  combined a message with a key read from a punched tape. In its original form, Vernam's system was vulnerable because the key tape was a loop, which was reused whenever the loop made a full cycle. One-time use came a little later when

  Joseph Mauborgne recognized that if the key tape were totally random, cryptanalysis would be impossible.

  The "pad" part of the name comes from early implementations where the key material was distributed as a pad of paper, so the top sheet could be easily torn off and destroyed after use. For easy concealment, the pad was sometimes

  reduced to such a small size that a powerful magnifying glass was required to use it. Photos show captured KGB pads that fit in the palm of one's hand, or in a walnut shell. To increase security, one-time pads were sometimes printed onto

  sheets of highly flammable nitrocellulose so they could be quickly burned.

  The following are incorrect answers:

  A running key cipher uses articles in the physical world rather than an electronic algorithm. In classical cryptography, the running key cipher is a type of polyalphabetic substitution cipher in which a text, typically from a book, is used to provide

  a very long keystream. Usually, the book to be used would be agreed ahead of time, while the passage to use would be chosen randomly for each message and secretly indicated somewhere in the message.

  The Running Key cipher has the same internal workings as the Vigenere cipher. The difference lies in how the key is chosen; the Vigenere cipher uses a short key that repeats, whereas the running key cipher uses a long key such as an

  excerpt from a book. This means the key does not repeat, making cryptanalysis more difficult. The cipher can still be broken though, as there are statistical patterns in both the key and the plaintext which can be exploited. Steganography is a

  method where the very existence of the message is concealed. It is the art and science of encoding hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message. it is

  sometimes referred to as Hiding in Plain Sight.

  Cipher block chaining is a DES operating mode. IBM invented the cipher-block chaining (CBC) mode of operation in 1976. In CBC mode, each block of plaintext is XORed with the previous ciphertext block before being encrypted. This way,

  each ciphertext block depends on all plaintext blocks processed up to that point. To make each message unique, an initialization vector must be used in the first block.

  Reference(s) used for this question:

  HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 8:

  Cryptography (page 555).

  and

  http://en.wikipedia.org/wiki/One-time_pad

  http://en.wikipedia.org/wiki/Running_key_cipher

  http://en.wikipedia.org/wiki/Cipher_block_chaining#Cipher-block_chaining_.28CBC.29

• Question 837:

  A variation of the application layer firewall is called a:

  A. Current Level Firewall.
  B. Cache Level Firewall.
  C. Session Level Firewall.
  D. Circuit Level Firewall.
  D. Circuit Level Firewall.

  ---

  Terminology can be confusing between the different souces as both CBK and AIO3 call an application layer firewall a proxy and proxy servers are generally classified as either circuit-level proxies or application level proxies.

  The distinction is that a circuit level proxy creates a conduit through which a trusted host can communicate with an untrusted one and doesn't really look at the application contents of the packet (as an application level proxy does). SOCKS is

  one of the better known circuit-level proxies.

  Firewalls

  Packet Filtering Firewall - First Generation

  n Screening Router

  n Operates at Network and Transport level

  n Examines Source and Destination IP Address

  n Can deny based on ACLs

  n Can specify Port

  Application Level Firewall - Second Generation

  n Proxy Server

  n Copies each packet from one network to the other

  n Masks the origin of the data

  n Operates at layer 7 (Application Layer)

  n Reduces Network performance since it has do analyze each packet and decide what to do with it. n Also Called Application Layer Gateway Stateful Inspection Firewalls Third Generation n Packets Analyzed at all OSI layers n Queued at the network level n Faster than Application level Gateway Dynamic Packet Filtering Firewalls Fourth Generation n Allows modification of security rules n Mostly used for UDP n Remembers all of the UDP packets that have crossed the network's perimeter, and it decides whether to enable packets to pass through the firewall.

  Kernel Proxy Fifth Generation n Runs in NT Kernel n Uses dynamic and custom TCP/IP-based stacks to inspect the network packets and to enforce security policies.

  "Current level firewall" is incorrect. This is an amost-right-sounding distractor to confuse the unwary. "Cache level firewall" is incorrect. This too is a distractor. "Session level firewall" is incorrect. This too is a distractor. References CBK, p. 466 - 467 AIO3, pp. 486 - 490 CISSP Study Notes from Exam Prep Guide

• Question 838:

  What setup should an administrator use for regularly testing the strength of user passwords?

  A. A networked workstation so that the live password database can easily be accessed by the cracking program.
  B. A networked workstation so the password database can easily be copied locally and processed by the cracking program.
  C. A standalone workstation on which the password database is copied and processed by the cracking program.
  D. A password-cracking program is unethical; therefore it should not be used.
  C. A standalone workstation on which the password database is copied and processed by the cracking program.

  ---

  Poor password selection is frequently a major security problem for any system's security. Administrators should obtain and use password-guessing programs frequently to identify those users having easily guessed passwords.

  Because password-cracking programs are very CPU intensive and can slow the system on which it is running, it is a good idea to transfer the encrypted passwords to a standalone (not networked) workstation. Also, by doing the work on a

  non-networked machine, any results found will not be accessible by anyone unless they have physical access to that system.

  Out of the four choice presented above this is the best choice.

  However, in real life you would have strong password policies that enforce complexity requirements and does not let the user choose a simple or short password that can be easily cracked or guessed. That would be the best choice if it was

  one of the choice presented. Another issue with password cracking is one of privacy. Many password cracking tools can avoid this by only showing the password was cracked and not showing what the password actually is. It is masking the

  password being used from the person doing the cracking.

  Source: National Security Agency, Systems and Network Attack Center (SNAC), The 60 Minute Network Security Guide, February 2002, page 8.

• Question 839:

  Which must bear the primary responsibility for determining the level of protection needed for information systems resources?

  A. IS security specialists
  B. Senior Management
  C. Senior security analysts
  D. systems Auditors
  B. Senior Management

  ---

  If there is no support by senior management to implement, execute, and enforce security policies and procedure, then they won't work. Senior management must be involved in this because they have an obligation to the organization to protect the assests . The requirement here is for management to show "due diligence" in establishing an effective compliance, or security program. It is senior management that could face legal repercussions if they do not have sufficient controls in place.

  The following answers are incorrect:

  IS security specialists. Is incorrect because it is not the best answer. Senior management bears the primary responsibility for determining the level of protection needed. Senior security analysts. Is incorrect because it is not the best answer. Senior management bears the primary responsibility for determining the level of protection needed.

  systems auditors. Is incorrect because it is not the best answer, system auditors are responsible that the controls in place are effective. Senior management bears the primary responsibility for determining the level of protection needed.

• Question 840:

  Which of the following outlined how senior management are responsible for the computer and information security decisions that they make and what actually took place within their organizations?

  A. The Computer Security Act of 1987.
  B. The Federal Sentencing Guidelines of 1991.
  C. The Economic Espionage Act of 1996.
  D. The Computer Fraud and Abuse Act of 1986.
  B. The Federal Sentencing Guidelines of 1991.

  ---

  In 1991, U.S. Federal Sentencing Guidelines were developed to provide judges with courses of action in dealing with white collar crimes. These guidelines provided ways that companies and law enforcement should prevent, detect and report computer crimes. It also outlined how senior management are responsible for the computer and information security decisions that they make and what actually took place within their organizations.