ISC SSCP Online Practice Questions and Exam Preparation

ISC SSCP Online Questions & Answers

• Question 921:

  Which of the following categories of hackers poses the greatest threat?

  A. Disgruntled employees
  B. Student hackers
  C. Criminal hackers
  D. Corporate spies
  A. Disgruntled employees

  ---

  According to the authors, hackers fall in these categories, in increasing threat order: security experts, students, underemployed adults, criminal hackers, corporate spies and disgruntled employees. Disgruntled employees are the most dangerous security problem of all because they are most likely to have a good knowledge of the organization's IT systems and security measures.

  Source: STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 2: Hackers.

• Question 922:

  Which of the following statements pertaining to Kerberos is TRUE?

  A. Kerberos does not address availability
  B. Kerberos does not address integrity
  C. Kerberos does not make use of Symmetric Keys
  D. Kerberos cannot address confidentiality of information
  A. Kerberos does not address availability

  ---

  The question was asking for a TRUE statement and the only correct statement is "Kerberos does not address availability".

  Kerberos addresses the confidentiality and integrity of information. It does not directly address availability.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 2: Access control systems (page 42).

• Question 923:

  In SSL/TLS protocol, what kind of authentication is supported when you establish a secure session between a client and a server?

  A. Peer-to-peer authentication
  B. Only server authentication (optional)
  C. Server authentication (mandatory) and client authentication (optional)
  D. Role based authentication scheme
  C. Server authentication (mandatory) and client authentication (optional)

  ---

  RESCORLA, Eric, SSL and TLS: Designing and Building Secure Systems, 2000, Addison Wesley Professional; SMITH, Richard E., Internet Cryptography, 1997, Addison-Wesley Pub Co.

• Question 924:

  When it comes to magnetic media sanitization, what difference can be made between clearing and purging information?

  A. Clearing completely erases the media whereas purging only removes file headers, allowing the recovery of files.
  B. Clearing renders information unrecoverable by a keyboard attack and purging renders information unrecoverable against laboratory attack.
  C. They both involve rewriting the media.
  D. Clearing renders information unrecoverable against a laboratory attack and purging renders information unrecoverable to a keyboard attack.
  B. Clearing renders information unrecoverable by a keyboard attack and purging renders information unrecoverable against laboratory attack.

  ---

  The removal of information from a storage medium is called sanitization. Different kinds of sanitization provide different levels of protection. A distinction can be made between clearing information (rendering it unrecoverable by a keyboard

  attack) and purging (rendering it unrecoverable against laboratory attack).

  There are three general methods of purging media: overwriting, degaussing, and destruction.

  There should be continuous assurance that sensitive information is protected and not allowed to be placed in a circumstance wherein a possible compromise can occur. There are two primary levels of threat that the protector of information

  must guard against: keyboard attack (information scavenging through system software capabilities) and laboratory attack (information scavenging through laboratory means). Procedures should be implemented to address these threats

  before the Automated Information System (AIS) is procured, and the procedures should be continued throughout the life cycle of the AIS.

  Reference(s) use for this question:

  SWANSON, Marianne and GUTTMAN, Barbara, National Institute of Standards and Technology (NIST), NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, September

  1996 (page 26).

  and

  A guide to understanding Data Remanence in Automated Information Systems

• Question 925:

  Which of the following statements pertaining to the maintenance of an IT contingency plan is incorrect?

  A. The plan should be reviewed at least once a year for accuracy and completeness.
  B. The Contingency Planning Coordinator should make sure that every employee gets an up-to- date copy of the plan.
  C. Strict version control should be maintained.
  D. Copies of the plan should be provided to recovery personnel for storage offline at home and office.
  B. The Contingency Planning Coordinator should make sure that every employee gets an up-to- date copy of the plan.

  ---

  Because the contingency plan contains potentially sensitive operational and personnel information, its distribution should be marked accordingly and controlled. Not all employees would obtain a copy, but only those involved in the execution of the plan.

  All other statements are correct.

  NOTE FROM CLEMENT:

  I have received multiple emails stating the s contradict the correct answer. It seems many people have a hard time with negative question. In this case the Incorrect choice (the one that is not true) is the correct choice. Be very carefull of such questions, you will get some on the real exam as well.

  Reference(s) used for this question: SWANSON, Marianne, and al., National Institute of Standards and Technology (NIST), NIST Special Publication 800-34, Contingency Planning Guide for Information Technology Systems

• Question 926:

  Which of the following was developed to address some of the weaknesses in Kerberos and uses public key cryptography for the distribution of secret keys and provides additional access control support?

  A. SESAME
  B. RADIUS
  C. KryptoKnight
  D. TACACS+
  A. SESAME

  ---

  Secure European System for Applications in a Multi-vendor Environment (SESAME) was developed to address some of the weaknesses in Kerberos and uses public key cryptography for the distribution of secret keys and provides additional

  access control support.

  Reference:

  TIPTON, Harold, Official (ISC)2 Guide to the CISSP CBK (2007), page 184.

  ISC OIG Second Edition, Access Controls, Page 111

• Question 927:

  A server cluster looks like a:

  A. single server from the user's point of view
  B. dual server from the user's point of view
  C. triple server from the user's point of view
  D. quardle server from the user's point of view
  A. single server from the user's point of view

  ---

  The cluster looks like a single server from the user's point of view.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 67.

• Question 928:

  Which of the following is NOT true about IPSec Tunnel mode?

  A. Fundamentally an IP tunnel with encryption and authentication
  B. Works at the Transport layer of the OSI model
  C. Have two sets of IP headers
  D. Established for gateway service
  B. Works at the Transport layer of the OSI model

  ---

  IPSec can be run in either tunnel mode or transport mode. Each of these modes has its own particular uses and care should be taken to ensure that the correct one is selected for the solution:

  Tunnel mode is most commonly used between gateways, or at an end-station to a gateway, the gateway acting as a proxy for the hosts behind it.

  Transport mode is used between end-stations or between an end-station and a gateway, if the gateway is being treated as a host--for example, an encrypted Telnet session from a workstation to a router, in which the router is the actual

  destination. As Figure 1 shows, basically transport mode should be used for end-to- end sessions and tunnel mode should be used for everything else. (Refer to the figure for the following discussion.) Figure 1 Tunnel and transport modes in

  IPSec. Figure 1 displays some examples of when to use tunnel versus transport mode:

  Tunnel mode is most commonly used to encrypt traffic between secure IPSec gateways, such as between the Cisco router and PIX Firewall (as shown in example A in Figure 1). The IPSec gateways proxy IPSec for the devices behind them,

  such as Alice's PC and the HR servers in Figure 1. In example A, Alice connects to the HR servers securely through the IPSec tunnel set up between the gateways. Tunnel mode is also used to connect an end-station running IPSec software,

  such as the Cisco Secure VPN Client, to an IPSec gateway, as shown in example B. In example C, tunnel mode is used to set up an IPSec tunnel between the Cisco router and a server running IPSec software. Note that Cisco IOS software

  and the PIX Firewall sets tunnel mode as the default IPSec mode. Transport mode is used between end-stations supporting IPSec, or between an end-station and a gateway, if the gateway is being treated as a host. In example D, transport

  mode is used to set up an encrypted Telnet session from Alice's PC running Cisco Secure VPN Client software to terminate at the PIX Firewall, enabling Alice to remotely configure the PIX Firewall securely.

  AH Tunnel Versus Transport Mode

  Figure 2 shows the differences that the IPSec mode makes to AH. In transport mode, AH services protect the external IP header along with the data payload. AH services protect all the fields in the header that don't change in transport. The

  header goes after the IP header and before the ESP header, if present, and other higher-layer protocols. In tunnel mode, the entire original header is authenticated, a new IP header is built, and the new IP header is protected in the same way

  as the IP header in transport mode.

  Figure 2 AH tunnel versus transport mode.

  AH is incompatible with Network Address Translation (NAT) because NAT changes the source IP address, which breaks the AH header and causes the packets to be rejected by the IPSec peer.

  ESP Tunnel Versus Transport Mode

  Figure 3 shows the differences that the IPSec mode makes to ESP. In transport mode, the IP payload is encrypted and the original headers are left intact. The ESP header is inserted after the IP header and before the upper-layer protocol

  header. The upper-layer protocols are encrypted and authenticated along with the ESP header. ESP doesn't authenticate the IP header itself.

  NOTE

  Higher-layer information is not available because it's part of the encrypted payload. When ESP is used in tunnel mode, the original IP header is well protected because the entire original IP datagram is encrypted. With an ESP authentication

  mechanism, the original IP datagram and the ESP header are included; however, the new IP header is not included in the authentication. When both authentication and encryption are selected, encryption is performed first, before

  authentication. One reason for this order of processing is that it facilitates rapid detection and rejection of replayed or bogus packets by the receiving node. Prior to decrypting the packet, the receiver can detect the problem and potentially

  reduce the impact of denial-of-service attacks.

  Figure 3 ESP tunnel versus transport mode.

  ESP can also provide packet authentication with an optional field for authentication. Cisco IOS software and the PIX Firewall refer to this service as ESP hashed message authentication code (HMAC). Authentication is calculated after the

  encryption is done. The current IPSec standard specifies SHA-1 and MD5 as the mandatory HMAC algorithms. The main difference between the authentication provided by ESP and AH is the extent of the coverage. Specifically, ESP doesn't

  protect any IP header fields unless those fields are encapsulated by ESP (tunnel mode). Figure 4 illustrates the fields protected by ESP HMAC.

  Figure 4 ESP encryption with a keyed HMAC.

  IPSec Transforms

  An IPSec transform specifies a single IPSec security protocol (either AH or ESP) with its corresponding security algorithms and mode. Example transforms include the following:

  The AH protocol with the HMAC with MD5 authentication algorithm in tunnel mode is used for authentication.

  The ESP protocol with the triple DES (3DES) encryption algorithm in transport mode is used for confidentiality of data.

  The ESP protocol with the 56-bit DES encryption algorithm and the HMAC with SHA-1 authentication algorithm in tunnel mode is used for authentication and confidentiality.

  Transform Sets

  A transform set is a combination of individual IPSec transforms designed to enact a specific security policy for traffic. During the ISAKMP IPSec security association negotiation that occurs in IKE phase 2 quick mode, the peers agree to use a

  particular transform set for protecting a particular data flow. Transform sets combine the following IPSec factors:

  Mechanism for payload authentication--AH transform

  Mechanism for payload encryption--ESP transform

  IPSec mode (transport versus tunnel)

  Transform sets equal a combination of an AH transform, plus an ESP transform, plus the IPSec mode (either tunnel or transport mode).

  This brings us to the end of the second part of this five-part series of articles covering IPSec. Be sure to catch the next installment.

  Cisco Press at: http://www.ciscopress.com/articles/printerfriendly.asp?p=25477 and Source: TIPTON, Harold F. and KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 2, 2001, CRC Press, NY, Pages 166-167.

• Question 929:

  A business continuity plan should list and prioritize the services that need to be brought back after a disaster strikes. Which of the following services is more likely to be of primary concern in the context of what your Disaster Recovery Plan would include?

  A. Marketing/Public relations
  B. Data/Telecomm/IS facilities
  C. IS Operations
  D. Facilities security
  B. Data/Telecomm/IS facilities

  ---

  The main concern when recovering after a disaster is data, telecomm and IS facilities. Other services, in descending priority order are: IS operations, IS support services, market structure, marketing/public relations, customer service and systems support, market regulation/surveillance, listing, application development, accounting services, facilities, human resources, facilities security, legal and Office of the Secretary, national sales. Source: BARNES, James C. and ROTHSTEIN, Philip J., A Guide to Business Continuity Planning, John Wiley and Sons, 2001 (page 129).

• Question 930:

  What would BEST define a covert channel?

  A. An undocumented backdoor that has been left by a programmer in an operating system
  B. An open system port that should be closed.
  C. A communication channel that allows transfer of information in a manner that violates the system's security policy.
  D. A trojan horse.
  C. A communication channel that allows transfer of information in a manner that violates the system's security policy.

  ---

  The Answer: A communication channel that allows transfer of information in a manner that violates the system's security policy.

  A covert channel is a way for an entity to receive information in an unauthorized manner. It is an information flow that is not controlled by a security mechanism. This type of information path was not developed for communication; thus, the system does not properly protect this path, because the developers never envisioned information being passed in this way. Receiving information in this manner clearly violates the system's security policy. The channel to transfer this unauthorized data is the result of one of the following conditions:?Oversight in the development of the product Improper implementation of access controls

  Existence of a shared resource between the two entities

  Installation of a Trojan horse

  The following answers are incorrect:

  An undocumented backdoor that has been left by a programmer in an operating system is incorrect because it is not a means by which unauthorized transfer of information takes place. Such backdoor is usually referred to as a Maintenance

  Hook. An open system port that should be closed is incorrect as it does not define a covert channel.

  A trojan horse is incorrect because it is a program that looks like a useful program but when you install it it would include a bonus such as a Worm, Backdoor, or some other malware without the installer knowing about it.

  Reference(s) used for this question:

  Shon Harris AIO v3 , Chapter-5 : Security Models and Architecture

  AIOv4 Security Architecture and Design (pages 343 - 344)

  AIOv5 Security Architecture and Design (pages 345 - 346)