ISC SSCP Online Practice Questions and Exam Preparation

ISC SSCP Online Questions & Answers

• Question 931:

  What is the PRIMARY use of a password?

  A. Allow access to files.
  B. Identify the user.
  C. Authenticate the user.
  D. Segregate various user's accesses.
  C. Authenticate the user.

  ---

  Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

• Question 932:

  Which of the following is not a method to protect objects and the data within the objects?

  A. Layering
  B. Data mining
  C. Abstraction
  D. Data hiding
  B. Data mining

  ---

  Data mining is used to reveal hidden relationships, patterns and trends by running queries on large data stores.

  Data mining is the act of collecting and analyzing large quantities of information to determine patterns of use or behavior and use those patterns to form conclusions about past, current, or future behavior. Data mining is typically used by large organizations with large databases of customer or consumer behavior. Retail and credit companies will use data mining to identify buying patterns or trends in geographies, age groups, products, or services. Data mining is essentially the statistical analysis of general information in the absence of specific data.

  The following are incorrect answers:

  They are incorrect as they all apply to Protecting Objects and the data within them. Layering, abstraction and data hiding are related concepts that can work together to produce modular software that implements an organizations security policies and is more reliable in operation. Layering is incorrect. Layering assigns specific functions to each layer and communication between layers is only possible through well-defined interfaces. This helps preclude tampering in violation of security policy. In computer

  programming, layering is the organization of programming into separate functional components that interact in some sequential and hierarchical way, with each layer usually having an interface only to the layer above it and the layer below it.

  Abstraction is incorrect. Abstraction "hides" the particulars of how an object functions or stores information and requires the object to be manipulated through well-defined interfaces that can be designed to enforce security policy. Abstraction

  involves the removal of characteristics from an entity in order to easily represent its essential properties. Data hiding is incorrect. Data hiding conceals the details of information storage and manipulation within an object by only exposing well

  defined interfaces to the information rather than the information itslef. For example, the details of how passwords are stored could be hidden inside a password object with exposed interfaces such as check_password, set_password, etc.

  When a password needs to be verified, the test password is passed to the check_password method and a boolean (true/ false) result is returned to indicate if the password is correct without revealing any details of how/where the real

  passwords are stored. Data hiding maintains activities at different security levels to separate these levels from each other.

  The following reference(s) were used for this question:

  Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 27535-27540). Auerbach Publications. Kindle Edition.

  and

  Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 4269-4273). Auerbach Publications. Kindle Edition.

• Question 933:

  Organizations should consider which of the following first before allowing external access to their LANs via the Internet?

  A. plan for implementing workstation locking mechanisms.
  B. plan for protecting the modem pool.
  C. plan for providing the user with his account usage information.
  D. plan for considering proper authentication options.
  D. plan for considering proper authentication options.

  ---

  Before a LAN is connected to the Internet, you need to determine what the access controls mechanisms are to be used, this would include how you are going to authenticate individuals that may access your network externally through access

  control.

  The following answers are incorrect:

  plan for implementing workstation locking mechanisms. This is incorrect because locking the workstations have no impact on the LAN or Internet access.

  plan for protecting the modem pool. This is incorrect because protecting the modem pool has no impact on the LAN or Internet access, it just protects the modem.

  plan for providing the user with his account usage information. This is incorrect because the question asks what should be done first. While important your primary concern should be focused on security.

• Question 934:

  Which of the following Operation Security controls is intended to prevent unauthorized intruders from internally or externally accessing the system, and to lower the amount and impact of unintentional errors that are entering the system?

  A. Detective Controls
  B. Preventative Controls
  C. Corrective Controls
  D. Directive Controls
  B. Preventative Controls

  ---

  In the Operations Security domain, Preventative Controls are designed to prevent unauthorized intruders from internally or externally accessing the system, and to lower the amount and impact of unintentional errors that are entering the system.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 217.

• Question 935:

  Which of the following is NOT a part of a risk analysis?

  A. Identify risks
  B. Quantify the impact of potential threats
  C. Provide an economic balance between the impact of the risk and the cost of the associated countermeasure
  D. Choose the best countermeasure
  D. Choose the best countermeasure

  ---

  This step is not a part of RISK ANALYSIS.

  A risk analysis has three main goals: identify risks, quantify the impact of potential threats, and provide an economic balance between the impact of the risk and the cost of the associated countermeasure. Choosing the best countermeasure is not part of the risk analysis. Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter

  3: Security Management Practices (page 73).

  HARRIS, Shon, Mike Meyers' CISSP(R) Certification Passport, 2002, McGraw-Hill, page 12.

• Question 936:

  Which of the following is NOT a valid reason to use external penetration service firms rather than corporate resources?

  A. They are more cost-effective
  B. They offer a lack of corporate bias
  C. They use highly talented ex-hackers
  D. They ensure a more complete reporting
  C. They use highly talented ex-hackers

  ---

  Two points are important to consider when it comes to ethical hacking: integrity and independence.

  By not using an ethical hacking firm that hires or subcontracts to ex-hackers of others who have criminal records, an entire subset of risks can be avoided by an organization. Also, it is not cost- effective for a single firm to fund the effort of the

  ongoing research and development, systems development, and maintenance that is needed to operate state-of-the-art proprietary and open source testing tools and techniques.

  External penetration firms are more effective than internal penetration testers because they are not influenced by any previous system security decisions, knowledge of the current system environment, or future system security plans.

  Moreover, an employee performing penetration testing might be reluctant to fully report security gaps. Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide:

  Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Appendix F: The Case for Ethical Hacking (page 517).

• Question 937:

  Which of the following pairings uses technology to enforce access control policies?

  A. Preventive/Administrative
  B. Preventive/Technical
  C. Preventive/Physical
  D. Detective/Administrative
  B. Preventive/Technical

  ---

  The preventive/technical pairing uses technology to enforce access control policies.

  TECHNICAL CONTROLS Technical security involves the use of safeguards incorporated in computer hardware, operations or applications software, communications hardware and software, and related devices. Technical controls are sometimes referred to as logical controls.

  Preventive Technical Controls

  Preventive technical controls are used to prevent unauthorized personnel or programs from gaining remote access to computing resources. Examples of these controls include:

  Access control software.

  Antivirus software.

  Library control systems.

  Passwords.

  Smart cards.

  Encryption.

  Dial-up access control and callback systems.

  Preventive Physical Controls

  Preventive physical controls are employed to prevent unauthorized personnel from entering computing facilities (i.e., locations housing computing resources, supporting utilities, computer hard copy, and input data media) and to help protect

  against natural disasters. Examples of these controls include:

  Backup files and documentation.

  Fences.

  Security guards.

  Badge systems.

  Double door systems.

  Locks and keys.

  Backup power.

  Biometric access controls.

  Site selection.

  Fire extinguishers.

  Preventive Administrative Controls

  Preventive administrative controls are personnel-oriented techniques for controlling people's behavior to ensure the confidentiality, integrity, and availability of computing data and programs. Examples of preventive administrative controls

  include:

  Security awareness and technical training.

  Separation of duties.

  Procedures for recruiting and terminating employees.

  Security policies and procedures.

  Supervision.

  Disaster recovery, contingency, and emergency plans.

  User registration for computer access.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 34.

• Question 938:

  An effective information security policy should not have which of the following characteristic?

  A. Include separation of duties
  B. Be designed with a short- to mid-term focus
  C. Be understandable and supported by all stakeholders
  D. Specify areas of responsibility and authority
  B. Be designed with a short- to mid-term focus

  ---

  An effective information security policy should be designed with a long-term focus. All other characteristics apply.

  Source: ALLEN, Julia H., The CERT Guide to System and Network Security Practices, Addison- Wesley, 2001, Appendix B, Practice-Level Policy Considerations (page 397).

• Question 939:

  Which of the following BEST explains why computerized information systems frequently fail to meet the needs of users?

  A. Inadequate quality assurance (QA) tools.
  B. Constantly changing user needs.
  C. Inadequate user participation in defining the system's requirements.
  D. Inadequate project management.
  C. Inadequate user participation in defining the system's requirements.

  ---

  Inadequate user participation in defining the system's requirements. Most projects fail to meet the needs of the users because there was inadequate input in the initial steps of the project from the user community and what their needs really

  are.

  The other answers, while potentially valid, are incorrect because they do not represent the most common problem assosciated with information systems failing to meet the needs of users.

  References: All in One pg 834

  Only users can define what their needs are and, therefore, what the system should accomplish. Lack of adequate user involvement, especially in the systems requirements phase, will usually result in a system that doesn't fully or adequately

  address the needs of the user.

  Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 296).

• Question 940:

  What is the main concern with single sign-on?

  A. Maximum unauthorized access would be possible if a password is disclosed.
  B. The security administrator's workload would increase.
  C. The users' password would be too hard to remember.
  D. User access rights would be increased.
  A. Maximum unauthorized access would be possible if a password is disclosed.

  ---

  A major concern with Single Sign-On (SSO) is that if a user's ID and password are compromised, the intruder would have access to all the systems that the user was authorized for.

  The following answers are incorrect:

  The security administrator's workload would increase. Is incorrect because the security administrator's workload would decrease and not increase. The admin would not be responsible for maintaining multiple user accounts just the one.

  The users' password would be too hard to remember. Is incorrect because the users would have less passwords to remember.

  User access rights would be increased. Is incorrect because the user access rights would not be any different than if they had to log into systems manually.