ISC SSCP Online Practice Questions and Exam Preparation

ISC SSCP Online Questions & Answers

• Question 941:

  Why is infrared generally considered to be more secure to eavesdropping than multidirectional radio transmissions?

  A. Because infrared eavesdropping requires more sophisticated equipment.
  B. Because infrared operates only over short distances.
  C. Because infrared requires direct line-of-sight paths.
  D. Because infrared operates at extra-low frequencies (ELF).
  C. Because infrared requires direct line-of-sight paths.

  ---

  Infrared is generally considered to be more secure to eavesdropping than multidirectional radio transmissions because infrared requires direct line-of-sight paths. Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 4: Cryptography (page 173).

• Question 942:

  Which of the following statements pertaining to software testing approaches is correct?

  A. A bottom-up approach allows interface errors to be detected earlier.
  B. A top-down approach allows errors in critical modules to be detected earlier.
  C. The test plan and results should be retained as part of the system's permanent documentation.
  D. Black box testing is predicated on a close examination of procedural detail.
  C. The test plan and results should be retained as part of the system's permanent documentation.

  ---

  A bottom-up approach to testing begins testing of atomic units, such as programs or modules, and works upwards until a complete system testing has taken place. It allows errors in critical modules to be found early. A top-down approach allows for early detection of interface errors and raises confidence in the system, as programmers and users actually see a working system. White box testing is predicated on a close examination of procedural detail. Black box testing examines some aspect of the system with little regard for the internal logical structure of the software.

  Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, Chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 300).

  Top Down Testing: An approach to integration testing where the component at the top of the component hierarchy is tested first, with lower level components being simulated by stubs. Tested components are then used to test lower level components. The process is repeated until the lowest level components have been tested.

  Bottom Up Testing: An approach to integration testing where the lowest level components are tested first, then used to facilitate the testing of higher level components. The process is repeated until the component at the top of the hierarchy is tested.

  Black Box Testing: Testing based on an analysis of the specification of a piece of software without reference to its internal workings. The goal is to test how well the component conforms to the published requirements for the component.

• Question 943:

  Considerations of privacy, invasiveness, and psychological and physical comfort when using the system are important elements for which of the following?

  A. Accountability of biometrics systems
  B. Acceptability of biometrics systems
  C. Availability of biometrics systems
  D. Adaptability of biometrics systems
  B. Acceptability of biometrics systems

  ---

  Acceptability refers to considerations of privacy, invasiveness, and psychological and physical comfort when using the system.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 39.

• Question 944:

  The RSA algorithm is an example of what type of cryptography?

  A. Asymmetric Key.
  B. Symmetric Key.
  C. Secret Key.
  D. Private Key.
  A. Asymmetric Key.

  ---

  The following answers are incorrect.

  Symmetric Key. Is incorrect because RSA is a Public Key or a Asymmetric Key cryptographic system and not a Symmetric Key or a Secret Key cryptographic system.

  Secret Key. Is incorrect because RSA is a Public Key or a Asymmetric Key cryptographic system and not a Secret Key or a Symmetric Key cryptographic system.

  Private Key. Is incorrect because Private Key is just one part if an Asymmetric Key cryptographic system, a Private Key used alone is also called a Symmetric Key cryptographic system.

• Question 945:

  Which of the following statements pertaining to RADIUS is incorrect:

  A. A RADIUS server can act as a proxy server, forwarding client requests to other authentication domains.
  B. Most of RADIUS clients have a capability to query secondary RADIUS servers for redundancy.
  C. Most RADIUS servers have built-in database connectivity for billing and reporting purposes.
  D. Most RADIUS servers can work with DIAMETER servers.
  D. Most RADIUS servers can work with DIAMETER servers.

  ---

  This is the correct answer because it is FALSE.

  Diameter is an AAA protocol, AAA stands for authentication, authorization and accounting protocol for computer networks, and it is a successor to RADIUS.

  The name is a pun on the RADIUS protocol, which is the predecessor (a diameter is twice the radius).

  The main differences are as follows:

  Reliable transport protocols (TCP or SCTP, not UDP)

  The IETF is in the process of standardizing TCP Transport for RADIUS

  Network or transport layer security (IPsec or TLS)

  The IETF is in the process of standardizing Transport Layer Security for RADIUS

  Transition support for RADIUS, although Diameter is not fully compatible with RADIUS

  Larger address space for attribute-value pairs (AVPs) and identifiers (32 bits instead of 8 bits)

  Clientserver protocol, with exception of supporting some server-initiated messages as well

  Both stateful and stateless models can be used

  Dynamic discovery of peers (using DNS SRV and NAPTR)

  Capability negotiation

  Supports application layer acknowledgements, defines failover methods and state machines (RFC 3539)

  Error notification

  Better roaming support

  More easily extended; new commands and attributes can be defined

  Aligned on 32-bit boundaries

  Basic support for user-sessions and accounting

  A Diameter Application is not a software application, but a protocol based on the Diameter base protocol (defined in RFC 3588). Each application is defined by an application identifier and can add new command codes and/or new mandatory

  AVPs. Adding a new optional AVP does not require a new application.

  Examples of Diameter applications:

  Diameter Mobile IPv4 Application (MobileIP, RFC 4004)

  Diameter Network Access Server Application (NASREQ, RFC 4005)

  Diameter Extensible Authentication Protocol (EAP) Application (RFC 4072)

  Diameter Credit-Control Application (DCCA, RFC 4006)

  Diameter Session Initiation Protocol Application (RFC 4740)

  Various applications in the 3GPP IP Multimedia Subsystem

  All of the other choices presented are true. So Diameter is backwork compatible with Radius (to some extent) but the opposite is false.

  Reference(s) used for this question:

  TIPTON, Harold F. and KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 2, 2001, CRC Press, NY, Page 38.

  and

  https://secure.wikimedia.org/wikipedia/en/wiki/Diameter_%28protocol%29

• Question 946:

  The Logical Link Control sub-layer is a part of which of the following?

  A. The ISO/OSI Data Link layer
  B. The Reference monitor
  C. The Transport layer of the TCP/IP stack model
  D. Change management control
  A. The ISO/OSI Data Link layer

  ---

  The OSI/ISO Data Link layer is made up of two sub-layers; (1) the Media Access Control layer refers downward to lower layer hardware functions and (2) the Logical Link Control refers upward to higher layer software functions. Other choices are distracters. Source: ROTHKE, Ben, CISSP CBK Review presentation on domain 2, August 1999.

• Question 947:

  When an outgoing request is made on a port number greater than 1023, this type of firewall creates an ACL to allow the incoming reply on that port to pass:

  A. packet filtering
  B. CIrcuit level proxy
  C. Dynamic packet filtering
  D. Application level proxy
  C. Dynamic packet filtering

  ---

  The dynamic packet filtering firewall is able to create ACL's on the fly to allow replies on dynamic ports (higher than 1023).

  Packet filtering is incorrect. The packet filtering firewall usually requires that the dynamic ports be left open as a group in order to handle this situiation.

  Circuit level proxy is incorrect. The circuit level proxy builds a conduit between the trusted and untrusted hosts and does not work by dynamically creating ACL's.

  Application level proxy is incorrect. The application level proxy "proxies" for the trusted host in its communications with the untrusted host. It does not dynamically create ACL's to control traffic.

• Question 948:

  Computer-generated evidence is considered:

  A. Best evidence
  B. Second hand evidence
  C. Demonstrative evidence
  D. Direct evidence
  B. Second hand evidence

  ---

  Computer-generated evidence normally falls under the category of hearsay evidence, or second- hand evidence, because it cannot be proven accurate and reliable. Under the U.S. Federal Rules of Evidence, hearsay evidence is generally

  not admissible in court. Best evidence is original or primary evidence rather than a copy or duplicate of the evidence. It does not apply to computer- generated evidence. Direct evidence is oral testimony by witness. Demonstrative evidence

  are used to aid the jury (models, illustrations, charts).

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 9: Law, Investigation, and Ethics (page 310).

  And: ROTHKE, Ben, CISSP CBK Review presentation on domain 9.

• Question 949:

  What are called user interfaces that limit the functions that can be selected by a user?

  A. Constrained user interfaces
  B. Limited user interfaces
  C. Mini user interfaces
  D. Unlimited user interfaces
  A. Constrained user interfaces

  ---

  Constrained user interfaces limit the functions that can be selected by a user.

  Another method for controlling access is by restricting users to specific functions based on their role in the system. This is typically implemented by limiting available menus, data views, encryption, or by physically constraining the user interfaces. This is common on devices such as an automated teller machine (ATM). The advantage of a constrained user interface is that it limits potential avenues of attack and system failure by restricting the processing options that are available to the

  user.

  On an ATM machine, if a user does not have a checking account with the bank he or she will not be shown the "Withdraw money from checking" option. Likewise, an information system might have an "Add/Remove Users" menu option for

  administrators, but if a normal, non- administrative user logs in he or she will not even see that menu option. By not even identifying potential options for non-qualifying users, the system limits the potentially harmful execution of unauthorized

  system or application commands.

  Many database management systems have the concept of "views." A database view is an extract of the data stored in the database that is filtered based on predefined user or system criteria. This permits multiple users to access the same

  database while only having the ability to access data they need (or are allowed to have) and not data for another user. The use of database views is another example of a constrained user interface.

  The following were incorrect answers:

  All of the other choices presented were bogus answers.

  The following reference(s) were used for this question:

  Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 1989-2002). Auerbach Publications. Kindle Edition.

• Question 950:

  Which of the following would provide the BEST stress testing environment taking under consideration and avoiding possible data exposure and leaks of sensitive data?

  A. Test environment using test data.
  B. Test environment using sanitized live workloads data.
  C. Production environment using test data.
  D. Production environment using sanitized live workloads data.
  B. Test environment using sanitized live workloads data.

  ---

  The best way to properly verify an application or system during a stress test would be to expose it to "live" data that has been sanitized to avoid exposing any sensitive information or Personally Identifiable Data (PII) while in a testing environment. Fabricated test data may not be as varied, complex or computationally demanding as "live" data. A production environment should never be used to test a product, as a production environment is one where the application or system is being put to commercial or operational use. It is a best practice to perform testing in a non- production environment.

  Stress testing is carried out to ensure a system can cope with production workloads, but as it may be tested to destruction, a test environment should always be used to avoid damaging the production environment. Hence, testing should never take place in a production environment. If only test data is used, there is no certainty that the system was adequately stress tested.

  Incorrect answers:

  Test environment using test data. This is incorrect because live data is typically more useful during stress testing

  Production environment using test data. This is incorrect because the production environment should not be used for testing.

  Production environment using live workloads. This is incorrect because the production environment should not be used for testing.

  Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 299).

  And:

  KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 251.

  And: