ISC SSCP Online Practice Questions and Exam Preparation

ISC SSCP Online Questions & Answers

• Question 891:

  Which of the following firewall rules found on a firewall installed between an organization's internal network and the Internet would present the greatest danger to the internal network?

  A. Permit all traffic between local hosts.
  B. Permit all inbound ssh traffic.
  C. Permit all inbound tcp connections.
  D. Permit all syslog traffic to log-server.abc.org.
  C. Permit all inbound tcp connections.

  ---

  Any opening of an internal network to the Internet is susceptible of creating a new vulnerability. Of the given rules, the one that permits all inbound tcp connections is the less likely to be used since it amounts to almost having no firewall at all,

  tcp being widely used on the Internet.

  Reference(s) used for this question:

  ALLEN, Julia H., The CERT Guide to System and Network Security Practices, Addison-Wesley, 2001, Appendix B, Practice-Level Policy Considerations (page 409).

• Question 892:

  Which of the following questions is less likely to help in assessing physical access controls?

  A. Does management regularly review the list of persons with physical access to sensitive facilities?
  B. Is the operating system configured to prevent circumvention of the security software and application controls?
  C. Are keys or other access devices needed to enter the computer room and media library?
  D. Are visitors to sensitive areas signed in and escorted?
  B. Is the operating system configured to prevent circumvention of the security software and application controls?

  ---

  Physical security and environmental security are part of operational controls, and are measures taken to protect systems, buildings, and related supporting infrastructures against threats associated with their physical environment. All the questions above are useful in assessing physical access controls except for the one regarding operating system configuration, which is a logical access control.

  Source: SWANSON, Marianne, NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems, November 2001 (Pages A-21 to A-24).

• Question 893:

  What security model is dependent on security labels?

  A. Discretionary access control
  B. Label-based access control
  C. Mandatory access control
  D. Non-discretionary access control
  C. Mandatory access control

  ---

  With mandatory access control (MAC), the authorization of a subject's access to an object is dependant upon labels, which indicate the subject's clearance, and the classification or sensitivity of the object. Label- based access control is not defined.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 2: Access control systems (page 33).

• Question 894:

  Which of the following specifically addresses cyber attacks against an organization's IT systems?

  A. Continuity of support plan
  B. Business continuity plan
  C. Incident response plan
  D. Continuity of operations plan
  C. Incident response plan

  ---

  The incident response plan focuses on information security responses to incidents affecting systems and/ or networks. It establishes procedures to address cyber attacks against an organization's IT systems. These procedures are designed to enable security personnel to identify, mitigate, and recover from malicious computer incidents, such as unauthorized access to a system or data, denial of service, or unauthorized changes to system hardware or software. The continuity of support plan is the same as an IT contingency plan. It addresses IT system disruptions and establishes procedures for recovering a major application or general support system. It is not business process focused. The business continuity plan addresses business processes and provides procedures for sustaining essential business operations while recovering from a significant disruption. The continuity of operations plan addresses the subset of an organization's missions that are deemed most critical and procedures to sustain these functions at an alternate site for up to 30 days.

  Source: SWANSON, Marianne, and al., National Institute of Standards and Technology (NIST), NIST Special Publication 800-34, Contingency Planning Guide for Information Technology Systems, December 2001 (page 8).

• Question 895:

  If an operating system permits shared resources such as memory to be used sequentially by multiple users/application or subjects without a refresh of the objects/memory area, what security problem is MOST likely to exist?

  A. Disclosure of residual data.
  B. Unauthorized obtaining of a privileged execution state.
  C. Data leakage through covert channels.
  D. Denial of service through a deadly embrace.
  A. Disclosure of residual data.

  ---

  Allowing objects to be used sequentially by multiple users without a refresh of the objects can lead to disclosure of residual data. It is important that steps be taken to eliminate the chance for the disclosure of residual data.

  Object reuse refers to the allocation or reallocation of system resources to a user or, more appropriately, to an application or process. Applications and services on a computer system may create or use objects in memory and in storage to perform programmatic functions. In some cases, it is necessary to share these resources between various system applications. However, some objects may be employed by an application to perform privileged tasks on behalf of an authorized user or upstream application. If object usage is not controlled or the data in those objects is not erased after use, they may become available to unauthorized users or processes. Disclosure of residual data and Unauthorized obtaining of a

  privileged execution state are both a problem with shared memory and resources. Not clearing the heap/stack can result in residual data and may also allow the user to step on somebody's session if the security token/ identify was maintained

  in that space. This is generally more malicious and intentional than accidental though. The MOST common issue would be Disclosure of residual data.

  The following answers are incorrect:

  Unauthorized obtaining of a privileged execution state. Is incorrect because this is not a problem with Object Reuse.

  Data leakage through covert channels. Is incorrect because it is not the best answer. A covert channel is a communication path. Data leakage would not be a problem created by Object Reuse. In computer security, a covert channel is a type of computer security attack that creates a capability to transfer information objects between processes that are not supposed to be allowed to communicate by the computer security policy. The term, originated in 1973 by Lampson is defined as "(channels) not intended for information transfer at all, such as the service program's effect on system load." to distinguish it from Legitimate channels that are subjected to access controls by COMPUSEC.

  Denial of service through a deadly embrace. Is incorrect because it is only a detractor. References: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 4174-4179). Auerbach Publications. Kindle Edition. and https://www.fas.org/irp/nsa/rainbow/tg018.htm and http://en.wikipedia.org/wiki/Covert_channel

• Question 896:

  Which of the following is an example of an active attack?

  A. Traffic analysis
  B. Scanning
  C. Eavesdropping
  D. Wiretapping
  B. Scanning

  ---

  Scanning is definitively a very active attack. The attacker will make use of a scanner to perform the attack, the scanner will send a very large quantity of packets to the target in order to illicit responses that allows the attacker to find

  information about the operating system, vulnerabilities, misconfiguration and more. The packets being sent are sometimes attempting to identify if a known vulnerability exist on the remote hosts.

  A passive attack is usually done in the footprinting phase of an attack. While doing your passive reconnaissance you never send a single packet to the destination target. You gather information from public databases such as the DNS servers,

  public information through search engines, financial information from finance web sites, and technical infomation from mailing list archive or job posting for example.

  An attack can be active or passive.

  An "active attack" attempts to alter system resources or affect their operation.

  A "passive attack" attempts to learn or make use of information from the system but does not affect system resources. (E.g., see: wiretapping.)

  The following are all incorrect answers because they are all passive attacks:

  Traffic Analysis - Is the process of intercepting and examining messages in order to deduce information from patterns in communication. It can be performed even when the messages are encrypted and cannot be decrypted. In general, the

  greater the number of messages observed, or even intercepted and stored, the more can be inferred from the traffic. Traffic analysis can be performed in the context of military intelligence or counter-intelligence, and is a concern in computer

  security.

  Eavesdropping - Eavesdropping is another security risk posed to networks. Because of the way some networks are built, anything that gets sent out is broadcast to everyone. Under normal circumstances, only the computer that the data was

  meant for will process that information. However, hackers can set up programs on their computers called "sniffers" that capture all data being broadcast over the network. By carefully examining the data, hackers can often reconstruct real

  data that was never meant for them. Some of the most damaging things that get sniffed include passwords and credit card information.

  In the cryptographic context, Eavesdropping and sniffing data as it passes over a network are considered passive attacks because the attacker is not affecting the protocol, algorithm, key, message, or any parts of the encryption system.

  Passive attacks are hard to detect, so in most cases methods are put in place to try to prevent them rather than to detect and stop them. Altering messages, modifying system files, and masquerading as another individual are acts that are

  considered active attacks because the attacker is actually doing something instead of sitting back and gathering data. Passive attacks are usually used to gain information prior to carrying out an active attack."

  Wiretapping - Wiretapping refers to listening in on electronic communications on telephones, computers, and other devices. Many governments use it as a law enforcement tool, and it is also used in fields like corporate espionage to gain

  access to privileged information. Depending on where in the world one is, wiretapping may be tightly controlled with laws that are designed to protect privacy rights, or it may be a widely accepted practice with little or no protections for

  citizens. Several advocacy organizations have been established to help civilians understand these laws in their areas, and to fight illegal wiretapping.

  Reference(s) used for this question: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 6th Edition, Cryptography, Page and http://en.wikipedia.org/wiki/Attack_%28computing%29 and http://www.wisegeek.com/what-is-wiretapping.htm and https://pangea.stanford.edu/computing/resources/network/security/risks.php and http://en.wikipedia.org/wiki/Traffic_analysis

• Question 897:

  Which of the following protection devices is used for spot protection within a few inches of the object, rather than for overall room security monitoring?

  A. Wave pattern motion detectors
  B. Capacitance detectors
  C. Field-powered devices
  D. Audio detectors
  B. Capacitance detectors

  ---

  Capacitance detectors monitor an electrical field surrounding the object being monitored. They are used for spot protection within a few inches of the object, rather than for overall room security monitoring used by wave detectors. Penetration of this field changes the electrical capacitance of the field enough to generate and alarm. Wave pattern motion detectors generate a frequency wave pattern and send an alarm if the pattern is disturbed as it is reflected back to its receiver. Field-powered devices are a type of personnel access control devices. Audio detectors simply monitor a room for any abnormal sound wave generation and trigger an alarm.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 10: Physical security (page 344).

• Question 898:

  Which ISO/OSI layer establishes the communications link between individual devices over a physical link or channel?

  A. Transport layer
  B. Network layer
  C. Data link layer
  D. Physical layer
  C. Data link layer

  ---

  The data link layer (layer 2) establishes the communications link between individual devices over a physical link or channel. It also ensures that messages are delivered to the proper device and translates the messages from layers above into bits for the physical layer (layer 1) to transmit. Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 3: Telecommunications and Network Security (page 83).

• Question 899:

  What is the main problem of the renewal of a root CA certificate?

  A. It requires key recovery of all end user keys
  B. It requires the authentic distribution of the new root CA certificate to all PKI participants
  C. It requires the collection of the old root CA certificates from all the users
  D. It requires issuance of the new root CA certificate
  B. It requires the authentic distribution of the new root CA certificate to all PKI participants

  ---

  The main task here is the authentic distribution of the new root CA certificate as new trust anchor to all the PKI participants (e.g. the users).

  In some of the rollover-scenarios there is no automatic way, often explicit assignment of trust from each user is needed, which could be very costly.

  Other methods make use of the old root CA certificate for automatic trust establishment (see PKIX- reference), but these solutions works only well for scenarios with currently valid root CA certificates (and not for emergency cases e.g.

  compromise of the current root CA certificate).

  The rollover of the root CA certificate is a specific and delicate problem and therefore are often ignored during PKI deployment.

  Reference: Camphausen, I.; Petersen, H.; Stark, C.: Konzepte zum Root CA Zertifikatswechsel, conference Enterprise Security 2002, March 26-27, 2002, Paderborn; RFC 2459 : Internet X.509 Public Key Infrastructure Certificate and CRL

  Profile.

• Question 900:

  Which of the following choices describe a Challenge-response tokens generation?

  A. A workstation or system that generates a random challenge string that the user enters into the token when prompted along with the proper PIN.
  B. A workstation or system that generates a random login id that the user enters when prompted along with the proper PIN.
  C. A special hardware device that is used to generate ramdom text in a cryptography system.
  D. The authentication mechanism in the workstation or system does not determine if the owner should be authenticated.
  A. A workstation or system that generates a random challenge string that the user enters into the token when prompted along with the proper PIN.

  ---

  Challenge-response tokens are:

  -

  A workstation or system generates a random challenge string and the owner enters the string into the token along with the proper PIN.

  -

  The token generates a response that is then entered into the workstation or system.

  -

  The authentication mechanism in the workstation or system then determines if the owner should be authenticated.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 37. Also: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/ Osborne, 2002, chapter 4: Access Control (pages 136-137).