ISC SSCP Online Practice Questions and Exam Preparation

ISC SSCP Online Questions & Answers

• Question 911:

  Which of the following would best describe certificate path validation?

  A. Verification of the validity of all certificates of the certificate chain to the root certificate
  B. Verification of the integrity of the associated root certificate
  C. Verification of the integrity of the concerned private key
  D. Verification of the revocation status of the concerned certificate
  A. Verification of the validity of all certificates of the certificate chain to the root certificate

  ---

  With the advent of public key cryptography (PKI), it is now possible to communicate securely with untrusted parties over the Internet without prior arrangement. One of the necessities arising from such communication is the ability to accurately verify someone's identity (i.e. whether the person you are communicating with is indeed the person who he/she claims to be). In order to be able to perform identity check for a given entity, there should be a fool-proof method of "binding" the entity's public key to its unique domain name (DN).

  A X.509 digital certificate issued by a well known certificate authority (CA), like Verisign, Entrust, Thawte, etc., provides a way of positively identifying the entity by placing trust on the CA to have performed the necessary verifications. A X.509 certificate is a cryptographically sealed data object that contains the entity's unique DN, public key, serial number, validity period, and possibly other extensions.

  The Windows Operating System offers a Certificate Viewer utility which allows you to double- click on any certificate and review its attributes in a human-readable format. For instance, the "General" tab in the Certificate Viewer Window (see below) shows who the certificate was issued to as well as the certificate's issuer, validation period and usage functions.

  

  Certification Path graphic

  The "Certification Path" tab contains the hierarchy for the chain of certificates. It allows you to select the certificate issuer or a subordinate certificate and then click on "View Certificate" to open the certificate in the Certificate Viewer.

  Each end-user certificate is signed by its issuer, a trusted CA, by taking a hash value (MD5 or SHA-1) of ASN.1 DER (Distinguished Encoding Rule) encoded object and then encrypting the resulting hash with the issuer's private key (CA's Private Key) which is a digital signature. The encrypted data is stored in the "signatureValue" attribute of the entity's (CA) public certificate.

  Once the certificate is signed by the issuer, a party who wishes to communicate with this entity can then take the entity's public certificate and find out who the issuer of the certificate is. Once the issuer's of the certificate (CA) is identified, it would be possible to decrypt the value of the "signatureValue" attribute in the entity's certificate using the issuer's public key to retrieve the hash value. This hash value will be compared with the independently calculated hash on the entity's certificate. If the two hash values match, then the information contained within the certificate must not have been altered and, therefore, one must trust that the CA has done enough background check to ensure that all details in the entity's certificate are accurate. The process of cryptographically checking the signatures of all certificates in the certificate chain is called "key chaining". An additional check that is essential to key chaining is verifying that the value of the "subjectKeyIdentifier" extension in one certificate matches the same in the subsequent certificate.

  Similarly, the process of comparing the subject field of the issuer certificate to the issuer field of the subordinate certificate is called "name chaining". In this process, these values must match for each pair of adjacent certificates in the certification path in order to guarantee that the path represents unbroken chain of entities relating directly to one another and that it has no missing links.

  The two steps above are the steps to validate the Certification Path by ensuring the validity of all certificates of the certificate chain to the root certificate as described in the two paragraphs above.

  Reference(s) used for this question: FORD, Warwick and BAUM, Michael S., Secure Electronic Commerce: Building the Infrastructure for Digital Signatures and Encryption (2nd Edition), 2000, Prentice Hall PTR, Page 262. and https://www.tibcommunity.com/docs/DOC-2197

• Question 912:

  Which of the following statements pertaining to biometrics is FALSE?

  A. User can be authenticated based on behavior.
  B. User can be authenticated based on unique physical attributes.
  C. User can be authenticated by what he knows.
  D. A biometric system's accuracy is determined by its crossover error rate (CER).
  C. User can be authenticated by what he knows.

  ---

  As this is not a characteristic of Biometrics this is the rigth choice for this question. This is one of the three basic way authentication can be performed and it is not related to Biometrics. Example of something you know would be a password or

  PIN for example.

  Please make a note of the negative 'FALSE' within the question. This question may seem tricky to some of you but you would be amazed at how many people cannot deal with negative questions. There will be a few negative questions within

  the real exam, just like this one the keyword NOT or FALSE will be in Uppercase to clearly indicate that it is negative.

  Biometrics verifies an individual's identity by analyzing a unique personal attribute or behavior, which is one of the most effective and accurate methods of performing authentication (one to one matching) or identification (a one to many

  matching).

  A biometric system scans an attribute or behavior of a person and compares it to a template store within an authentication server datbase, such template would be created in an earlier enrollment process. Because this system inspects the

  grooves of a person's fingerprint, the pattern of someone's retina, or the pitches of someone's voice, it has to be extremely sensitive.

  The system must perform accurate and repeatable measurements of anatomical or physiological characteristics. This type of sensitivity can easily cause false positives or false negatives. The system must be calibrated so that these false

  positives and false negatives occur infrequently and the results are as accurate as possible.

  There are two types of failures in biometric identification:

  False Rejection also called False Rejection Rate (FRR) -- The system fail to recognize a legitimate user. While it could be argued that this has the effect of keeping the protected area extra secure, it is an intolerable frustration to legitimate

  users who are refused access because the scanner does not recognize them.

  False Acceptance or False Acceptance Rate (FAR) -- This is an erroneous recognition, either by confusing one user with another or by accepting an imposter as a legitimate user.

  Physiological Examples:

  Unique Physical Attributes:

  Fingerprint (Most commonly accepted)

  Hand Geometry

  Retina Scan (Most accurate but most intrusive)

  Iris Scan

  Vascular Scan

  Behavioral Examples:

  Repeated Actions

  Keystroke Dynamics

  (Dwell time (the time a key is pressed) and Flight time (the time between "key up" and the next "key down").

  Signature Dynamics

  (Stroke and pressure points)

  EXAM TIP:

  Retina scan devices are the most accurate but also the most invasive biometrics system available today. The continuity of the retinal pattern throughout life and the difficulty in fooling such a device also make it a great long-term, high-security

  option. Unfortunately, the cost of the proprietary hardware as well the stigma of users thinking it is potentially harmful to the eye makes retinal scanning a bad fit for most situations.

  Remember for the exam that fingerprints are the most commonly accepted type of biometrics system.

  The other answers are incorrect:

  'Users can be authenticated based on behavior.' is incorrect as this choice is TRUE as it pertains to BIOMETRICS.

  Biometrics systems makes use of unique physical characteristics or behavior of users. 'User can be authenticated based on unique physical attributes.' is also incorrect as this choice is also TRUE as it pertains to BIOMETRICS. Biometrics

  systems makes use of unique physical characteristics or behavior of users.

  'A biometric system's accuracy is determined by its crossover error rate (CER)' is also incorrect as this is TRUE as it also pertains to BIOMETRICS. The CER is the point at which the false rejection rates and the false acceptance rates are

  equal. The smaller the value of the CER, the more accurate the system.

  Reference(s) used for this question:

  Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 25353-25356). Auerbach Publications. Kindle Edition.

  and

  Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 25297-25303). Auerbach Publications. Kindle Edition.

• Question 913:

  Which access control model is best suited in an environment where a high security level is required and where it is desired that only the administrator grants access control?

  A. DAC
  B. MAC
  C. Access control matrix
  D. TACACS
  B. MAC

  ---

  MAC provides high security by regulating access based on the clearance of individual users and sensitivity labels for each object. Clearance levels and sensitivity levels cannot be modified by individual users -- for example, user Joe (SECRET clearance) cannot reclassify the "Presidential Doughnut Recipe" from "SECRET" to "CONFIDENTIAL" so that his friend Jane (CONFIDENTIAL clearance) can read it. The administrator is ultimately responsible for configuring this protection in accordance with security policy and directives from the Data Owner.

  DAC is incorrect. In DAC, the data owner is responsible for controlling access to the object.

  Access control matrix is incorrect. The access control matrix is a way of thinking about the access control needed by a population of subjects to a population of objects. This access control can be applied using rules, ACL's, capability tables,

  etc.

  TACACS is incorrect. TACACS is a tool for performing user authentication.

  References:

  CBK, p. 187, Domain 2: Access Control.

  AIO3, Chapter 4, Access Control.

• Question 914:

  If an organization were to monitor their employees' e-mail, it should not:

  A. Monitor only a limited number of employees.
  B. Inform all employees that e-mail is being monitored.
  C. Explain who can read the e-mail and how long it is backed up.
  D. Explain what is considered an acceptable use of the e-mail system.
  A. Monitor only a limited number of employees.

  ---

  Monitoring has to be conducted is a lawful manner and applied in a consistent fashion; thus should be applied uniformly to all employees, not only to a small number.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 9: Law, Investigation, and Ethics (page 304).

• Question 915:

  In addition to the Legal Department, with what company function must the collection of physical evidence be coordinated if an employee is suspected?

  A. Human Resources
  B. Industrial Security
  C. Public Relations
  D. External Audit Group
  A. Human Resources

  ---

  If an employee is suspected of causing an incident, the human resources department may be involved--for example, in assisting with disciplinary proceedings. Legal Department. The legal experts should review incident response plans, policies, and procedures to ensure their compliance with law and Federal guidance, including the right to privacy. In addition, the guidance of the general counsel or legal department should be sought if there is reason to believe that an incident may have legal ramifications, including evidence collection, prosecution of a suspect, or a lawsuit, or if there may be a need for a memorandum of understanding (MOU) or other binding agreements involving liability limitations for information sharing.

  Public Affairs, Public Relations, and Media Relations. Depending on the nature and impact of an incident, a need may exist to inform the media and, by extension, the public.

  The Incident response team members could include:

  Management

  Information Security

  Legal / Human Resources

  Public Relations

  Communications

  Physical Security

  Network Security

  Network and System Administrators

  Network and System Security Administrators

  Internal Audit

  Events versus Incidents

  An event is any observable occurrence in a system or network. Events include a user connecting to a file share, a server receiving a request for a web page, a user sending email, and a firewall blocking a connection attempt. Adverse events

  are events with a negative consequence, such as system crashes, packet floods, unauthorized use of system privileges, unauthorized access to sensitive data, and execution of malware that destroys data. This guide addresses only adverse

  events that are computer security- related, not those caused by natural disasters, power failures, etc.

  A computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.

  Examples of incidents are:

  An attacker commands a botnet to send high volumes of connection requests to a web server, causing it to crash.

  Users are tricked into opening a "quarterly report" sent via email that is actually malware; running the tool has infected their computers and established connections with an external host.

  An attacker obtains sensitive data and threatens that the details will be released publicly if the organization does not pay a designated sum of money.

  A user provides or exposes sensitive information to others through peer-to-peer file sharing services.

  The following answers are incorrect:

  Industrial Security. Is incorrect because it is not the best answer, the human resource department must be involved with the collection of physical evidence if an employee is suspected.

  public relations. Is incorrect because it is not the best answer. It would be an important element to minimize public image damage but not the best choice for this question. External Audit Group. Is incorrect because it is not the best answer,

  the human resource department must be involved with the collection of physical evidence if an employee is suspected.

  Reference(s) used for this question:

  NIST Special Publication 800-61

• Question 916:

  Which of the following is the best reason for the use of an automated risk analysis tool?

  A. Much of the data gathered during the review cannot be reused for subsequent analysis.
  B. Automated methodologies require minimal training and knowledge of risk analysis.
  C. Most software tools have user interfaces that are easy to use and does not require any training.
  D. Information gathering would be minimized and expedited due to the amount of information already built into the tool.
  D. Information gathering would be minimized and expedited due to the amount of information already built into the tool.

  ---

  The use of tools simplifies this process. Not only do they usually have a database of assests, threats, and vulnerabilities but they also speed up the entire process.

  Using Automated tools for performing a risk assessment can reduce the time it takes to perform them and can simplify the process as well. The better types of these tools include a well- researched threat population and associated statistics.

  Using one of these tools virtually ensures that no relevant threat is overlooked, and associated risks are accepted as a consequence of the threat being overlooked.

  In most situations, the assessor will turn to the use of a variety of automated tools to assist in the vulnerability assessment process. These tools contain extensive databases of specific known vulnerabilities as well as the ability to analyze

  system and network configuration information to predict where a particular system might be vulnerable to different types of attacks. There are many different types of tools currently available to address a wide variety of vulnerability

  assessment needs. Some tools will examine a system from the viewpoint of the network, seeking to determine if a system can be compromised by a remote attacker exploiting available services on a particular host system. These tools will

  test for open ports listening for connections, known vulnerabilities in common services, and known operating system exploits.

  Michael Gregg says:

  Automated tools are available that minimize the effort of the manual process. These programs enable users to rerun the analysis with different parameters to answer "what-ifs." They perform calculations quickly and can be used to estimate

  future expected losses easier than performing the calculations manually.

  Shon Harris in her latest book says:

  The gathered data can be reused, greatly reducing the time required to perform subsequent analyses. The risk analysis team can also print reports and comprehensive graphs to present to management.

  Reference(s) used for this question:

  Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 4655-4661). Auerbach Publications. Kindle Edition.

  and

  CISSP Exam Cram 2 by Michael Gregg

  and

  Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 2333- 2335).

  McGraw-Hill. Kindle Edition.

  The following answers are incorrect:

  Much of the data gathered during the review cannot be reused for subsequent analysis. Is incorrect because the data can be reused for later analysis.

  Automated methodologies require minimal training and knowledge of risk analysis. Is incorrect because it is not the best answer. While a minimal amount of training and knowledge is needed, the analysis should still be performed by skilled

  professionals.

  Most software tools have user interfaces that are easy to use and does not require any training. Is incorrect because it is not the best answer. While many of the user interfaces are easy to use it is better if the tool already has information built

  into it. There is always a training curve when any product is being used for the first time.

• Question 917:

  Which of the following protects a password from eavesdroppers and supports the encryption of communication?

  A. Challenge Handshake Authentication Protocol (CHAP)
  B. Challenge Handshake Identification Protocol (CHIP)
  C. Challenge Handshake Encryption Protocol (CHEP)
  D. Challenge Handshake Substitution Protocol (CHSP)
  A. Challenge Handshake Authentication Protocol (CHAP)

  ---

  CHAP: A protocol that uses a three way hanbdshake The server sends the client a challenge which includes a random value(a nonce) to thwart replay attacks. The client responds with the MD5 hash of the nonce and the password.

  The authentication is successful if the client's response is the one that the server expected.

  Reference: Page 450, OIG 2007.

  CHAP protects the password from eavesdroppers and supports the encryption of communication.

  Reference: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 44.

• Question 918:

  Which access model is most appropriate for companies with a high employee turnover?

  A. Role-based access control
  B. Mandatory access control
  C. Lattice-based access control
  D. Discretionary access control
  A. Role-based access control

  ---

  The underlying problem for a company with a lot of turnover is assuring that new employees are assigned the correct access permissions and that those permissions are removed when they leave the company. Selecting the best answer requires one to think about the access control options in the context of a company with a lot of flux in the employee population. RBAC simplifies the task of assigning permissions because the permissions are assigned to roles which do not change based on who belongs to them. As employees join the company, it is simply a matter of assigning them to the appropriate roles and their permissions derive from their assigned role. They will implicitely inherit the permissions of the role or roles they have been assigned to. When they leave the company or change jobs, their role assignment is revoked/changed appropriately.

  Mandatory access control is incorrect. While controlling access based on the clearence level of employees and the sensitivity of obects is a better choice than some of the other incorrect answers, it is not the best choice when RBAC is an option and you are looking for the best solution for a high number of employees constantly leaving or joining the company.

  Lattice-based access control is incorrect. The lattice is really a mathematical concept that is used in formally modeling information flow (Bell-Lapadula, Biba, etc). In the context of the question, an abstract model of information flow is not an appropriate choice. CBK, pp. 324-325.

  Discretionary access control is incorrect. When an employee joins or leaves the company, the object owner must grant or revoke access for that employee on all the objects they own. Problems would also arise when the owner of an object leaves the company. The complexity of assuring that the permissions are added and removed correctly makes this the least desirable solution in this situation. References Alll in One, third edition page 165 RBAC is discussed on pp. 189 through 191 of the ISC(2) guide.

• Question 919:

  How many rounds are used by DES?

  A. 16
  B. 32
  C. 64
  D. 48
  A. 16

  ---

  DES is a block encryption algorithm using 56-bit keys and 64-bit blocks that are divided in half and each character is encrypted one at a time. The characters are put through 16 rounds of transposition and substitution functions. Triple DES uses 48 rounds.

  Source: WALLHOFF, John, CBK#5 Cryptography (CISSP Study Guide), April 2002 (page 3).

• Question 920:

  Compared to RSA, which of the following is true of Elliptic Curve Cryptography(ECC)?

  A. It has been mathematically proved to be more secure.
  B. It has been mathematically proved to be less secure.
  C. It is believed to require longer key for equivalent security.
  D. It is believed to require shorter keys for equivalent security.
  D. It is believed to require shorter keys for equivalent security.

  ---

  The following answers are incorrect: It has been mathematically proved to be less secure. ECC has not been proved to be more or less secure than RSA. Since ECC is newer than RSA, it is considered riskier by some, but that is just a

  general assessment, not based on mathematical arguments.

  It has been mathematically proved to be more secure. ECC has not been proved to be more or less secure than RSA. Since ECC is newer than RSA, it is considered riskier by some, but that is just a general assessment, not based on

  mathematical arguments.

  It is believed to require longer key for equivalent security. On the contrary, it is believed to require shorter keys for equivalent security of RSA.

  Shon Harris, AIO v5 pg719 states:

  "In most cases, the longer the key, the more protection that is provided, but ECC can provide the same level of protection with a key size that is shorter that what RSA requires"

  The following reference(s) were/was used to create this question:

  ISC2 OIG, 2007 p. 258

  Shon Harris, AIO v5 pg719