ISC SSCP Online Practice Questions and Exam Preparation

ISC SSCP Online Questions & Answers

• Question 841:

  Which of the following statements pertaining to Kerberos is false?

  A. The Key Distribution Center represents a single point of failure.
  B. Kerberos manages access permissions.
  C. Kerberos uses a database to keep a copy of all users' public keys.
  D. Kerberos uses symmetric key cryptography.
  C. Kerberos uses a database to keep a copy of all users' public keys.

  ---

  Kerberos is a trusted, credential-based, third-party authentication protocol that uses symmetric (secret) key cryptography to provide robust authentication to clients accessing services on a network. One weakness of Kerberos is its Key

  Distribution Center (KDC), which represents a single point of failure.

  The KDC contains a database that holds a copy of all of the symmetric/secret keys for the principals.

  Reference(s) used for this question:

  KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 2: Access control systems (page40).

• Question 842:

  Which of the following questions is less likely to help in assessing identification and authentication controls?

  A. Is a current list maintained and approved of authorized users and their access?
  B. Are passwords changed at least every ninety days or earlier if needed?
  C. Are inactive user identifications disabled after a specified period of time?
  D. Is there a process for reporting incidents?
  D. Is there a process for reporting incidents?

  ---

  Identification and authentication is a technical measure that prevents unauthorized people (or unauthorized processes) from entering an IT system. Access control usually requires that the system be able to identify and differentiate among users. Reporting incidents is more related to incident response capability (operational control) than to identification and authentication (technical control).

  Source: SWANSON, Marianne, NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems, November 2001 (Pages A-30 to A-32).

• Question 843:

  A department manager has read access to the salaries of the employees in his/her department but not to the salaries of employees in other departments. A database security mechanism that enforces this policy would typically be said to provide which of the following?

  A. Content-dependent access control
  B. Context-dependent access control
  C. Least privileges access control
  D. Ownership-based access control
  A. Content-dependent access control

  ---

  When access control is based on the content of an object, it is considered to be content dependent access control.

  Content-dependent access control is based on the content itself.

  The following answers are incorrect:

  context-dependent access control. Is incorrect because this type of control is based on what the context is, facts about the data rather than what the object contains. least privileges access control. Is incorrect because this is based on the

  least amount of rights needed to perform their jobs and not based on what is contained in the database. ownership-based access control. Is incorrect because this is based on the owner of the data and and not based on what is contained in

  the database.

  References:

  OIG CBK Access Control (page 191)

• Question 844:

  Risk reduction in a system development life-cycle should be applied:

  A. Mostly to the initiation phase.
  B. Mostly to the development phase.
  C. Mostly to the disposal phase.
  D. Equally to all phases.
  D. Equally to all phases.

  ---

  Risk is defined as the combination of the probability that a particular threat source will exploit, or trigger, a particular information system vulnerability and the resulting mission impact should this occur. Previously, risk avoidance was a common IT security goal. That changed as the nature of the risk became better understood. Today, it is recognized that elimination of all risk is not cost-effective. A cost-benefit analysis should be conducted for each proposed control. In some cases, the benefits of a more secure system may not justify the direct and indirect costs. Benefits include more than just prevention of monetary loss; for example, controls may be essential for maintaining public trust and confidence. Direct costs include the cost of purchasing and installing a given technology; indirect costs include decreased system performance and additional training. The goal is to enhance mission/business capabilities by managing mission/ business risk to an acceptable level.

  Source: STONEBURNER, Gary and al, National Institute of Standards and Technology (NIST), NIST Special Publication 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security), June 2001 (page 8).

• Question 845:

  What security model implies a central authority that define rules and sometimes global rules, dictating what subjects can have access to what objects?

  A. Flow Model
  B. Discretionary access control
  C. Mandatory access control
  D. Non-discretionary access control
  D. Non-discretionary access control

  ---

  As a security administrator you might configure user profiles so that users cannot change the system's time, alter system configuration files, access a command prompt, or install unapproved applications. This type of access control is referred

  to as nondiscretionary, meaning that access decisions are not made at the discretion of the user. Nondiscretionary access controls are put into place by an authoritative entity (usually a security administrator) with the goal of protecting the

  organization's most critical assets.

  Non-discretionary access control is when a central authority determines what subjects can have access to what objects based on the organizational security policy. Centralized access control is not an existing security model.

  Both, Rule Based Access Control (RuBAC or RBAC) and Role Based Access Controls (RBAC) falls into this category.

  Reference(s) used for this question:

  Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 221). McGraw-Hill.

  Kindle Edition.

  and

  KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 2: Access control systems (page 33).

• Question 846:

  Which of the following is TRUE regarding Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)?

  A. TCP is connection-oriented, UDP is not.
  B. UDP provides for Error Correction, TCP does not.
  C. UDP is useful for longer messages, rather than TCP.
  D. TCP does not guarantee delivery of data, while UDP does guarantee data delivery.
  A. TCP is connection-oriented, UDP is not.

  ---

  TCP is a reliable connection-oriented transport for guaranteed delivery of data.

  Protocols represent certain rules and regulations that are essential in order to have data communication between two entities. Internet Protocols work in sending and receiving data packets. This type of communication may be either

  connection-less or connection-oriented. In a connection-oriented scenario, an acknowledgement is being received by the sender from the receiver in support of a perfect transfer. Transmission Control Protocol or TCP is such a protocol.

  On the other hand, UDP or User Datagram Protocol is of the connection-less type where no feedback is being forwarded to the sender after delivery and the data transfer have taken place or not. Though, it's not a guaranteed method, but,

  once a connection is established, UDP works much faster than TCP as TCP has to rely on a feedback and accordingly, the entire 3-way handshaking takes place.

  The following answers are incorrect:

  UDP provides for Error Correction, TCP does not: UDP does not provide for error correction, while TCP does.

  UDP is useful for longer messages, rather than TCP: UDP is useful for shorter messages due to its connectionless nature.

  TCP does not guarantee delivery of data, while UDP does guarantee data delivery: The opposite is true.

  References Used for this question:

  http://www.cyberciti.biz/faq/key-differences-between-tcp-and-udp-protocols/ http://www.skullbox.net/ tcpudp.php

  James's TCP-IP FAQ - Understanding Port Numbers.

• Question 847:

  A confidential number used as an authentication factor to verify a user's identity is called a: A. PIN

  B. User ID
  C. Password
  D. Challenge
  A

  ---

  PIN Stands for Personal Identification Number, as the name states it is a combination of numbers.

  The following answers are incorrect:

  User ID This is incorrect because a Userid is not required to be a number and a Userid is only used to establish identity not verify it.

  Password. This is incorrect because a password is not required to be a number, it could be any combination of characters.

  Challenge. This is incorrect because a challenge is not defined as a number, it could be anything.

• Question 848:

  Which of the following technologies has been developed to support TCP/IP networking over low-speed serial interfaces?

  A. ISDN
  B. SLIP
  C. xDSL
  D. T1
  B. SLIP

  ---

  Serial Line IP (SLIP) was developed in 1984 to support TCP/IP networking over low-speed serial interfaces.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 3: Telecommunications and Network Security (page 114).

• Question 849:

  The Telecommunications Security Domain of information security is also concerned with the prevention and detection of the misuse or abuse of systems, which poses a threat to the tenets of:

  A. Confidentiality, Integrity, and Entity (C.I.E.).
  B. Confidentiality, Integrity, and Authenticity (C.I.A.).
  C. Confidentiality, Integrity, and Availability (C.I.A.).
  D. Confidentiality, Integrity, and Liability (C.I.L.).
  C. Confidentiality, Integrity, and Availability (C.I.A.).

  ---

  The CIA acronym stands for Confidentiality, Integrity and Availability.

  "Confidentiality, Integrity and Entity (CIE)" is incorrect. "Entity" is not part of the telecommunications domain definition.

  "Confidentiality, Integrity and Authenticity (CIA)" is incorrect. While authenticity is included in the telecommunications domain, CIA is the acronym for confidentiality, integrity and availability.

  "Confidentiality, Integrity, and Liability (CIL)" is incorrect. Liability is not part of the telecommunications domain definition.

  References:

  CBK, pp. 407 - 408

• Question 850:

  What can be best defined as the examination of threat sources against system vulnerabilities to determine the threats for a particular system in a particular operational environment?

  A. Risk management
  B. Risk analysis
  C. Threat analysis
  D. Due diligence
  C. Threat analysis

  ---

  Threat analysis is the examination of threat sources against system vulnerabilities to determine the threats for a particular system in a particular operational environment.

  The following answers are incorrect:

  Risk analysis is the process of identifying the risks to system security and determining the probability of occurrence, the resulting impact, and the additional safeguards that mitigate this impact. Risk analysis is synonymous with risk

  assessment and part of risk management, which is the ongoing process of assessing the risk to mission/business as part of a risk-based approach used to determine adequate security for a system by analyzing the threats and vulnerabilities

  and selecting appropriate, cost- effective controls to achieve and maintain an acceptable level or risk.

  Due Diligence is identifying possible risks that could affect a company based on best practices and standards.

  Reference(s) used for this question:

  STONEBURNER, Gary and al, National Institute of Standards and Technology (NIST), NIST Special Publication 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security), June 2001 (page B-3).