ISC SSCP Online Practice Questions and Exam Preparation

ISC SSCP Online Questions & Answers

• Question 951:

  The Diffie-Hellman algorithm is primarily used to provide which of the following?

  A. Confidentiality
  B. Key Agreement
  C. Integrity
  D. Non-repudiation
  B. Key Agreement

  ---

  Diffie and Hellman describe a means for two parties to agree upon a shared secret in such a way that the secret will be unavailable to eavesdroppers. This secret may then be converted into cryptographic keying material for other (symmetric)

  algorithms. A large number of minor variants of this process exist. See RFC 2631 Diffie-Hellman Key Agreement Method for more details.

  In 1976, Diffie and Hellman were the first to introduce the notion of public key cryptography, requiring a system allowing the exchange of secret keys over non-secure channels. The Diffie- Hellman algorithm is used for key exchange between

  two parties communicating with each other, it cannot be used for encrypting and decrypting messages, or digital signature.

  Diffie and Hellman sought to address the issue of having to exchange keys via courier and other unsecure means. Their efforts were the FIRST asymmetric key agreement algorithm. Since the Diffie-Hellman algorithm cannot be used for

  encrypting and decrypting it cannot provide confidentiality nor integrity. This algorithm also does not provide for digital signature functionality and thus non-repudiation is not a choice.

  NOTE: The DH algorithm is susceptible to man-in-the-middle attacks.

  KEY AGREEMENT VERSUS KEY EXCHANGE

  A key exchange can be done multiple way. It can be done in person, I can generate a key and then encrypt the key to get it securely to you by encrypting it with your public key. A Key Agreement protocol is done over a public medium such as

  the internet using a mathematical formula to come out with a common value on both sides of the communication link, without the ennemy being able to know what the common agreement is.

  The following answers were incorrect:

  All of the other choices were not correct choices

  Reference(s) used for this question:

  Shon Harris, CISSP All In One (AIO), 6th edition . Chapter 7, Cryptography, Page 812.

  http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange http://www.google.com/patents?vid=4200770

• Question 952:

  Which of the following best describes the purpose of debugging programs?

  A. To generate random data that can be used to test programs before implementing them.
  B. To ensure that program coding flaws are detected and corrected.
  C. To protect, during the programming phase, valid changes from being overwritten by other changes.
  D. To compare source code versions before transferring to the test environment
  B. To ensure that program coding flaws are detected and corrected.

  ---

  Debugging provides the basis for the programmer to correct the logic errors in a program under development before it goes into production.

  Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 298).

• Question 953:

  It is a violation of the "separation of duties" principle when which of the following individuals access the software on systems implementing security?

  A. security administrator
  B. security analyst
  C. systems auditor
  D. systems programmer
  D. systems programmer

  ---

  Reason: The security administrator, security analysis, and the system auditor need access to portions of the security systems to accomplish their jobs. The system programmer does not need access to the working (AKA: Production) security

  systems.

  Programmers should not be allowed to have ongoing direct access to computers running production systems (systems used by the organization to operate its business). To maintain system integrity, any changes they make to production

  systems should be tracked by the organization's change management control system.

  Because the security administrator's job is to perform security functions, the performance of non-security tasks must be strictly limited. This separation of duties reduces the likelihood of loss that results from users abusing their authority by

  taking actions outside of their assigned functional responsibilities.

  References:

  OFFICIAL (ISC)2?GUIDE TO THE CISSP?EXAM (2003), Hansche, S., Berti, J., Hare, H., Auerbach Publication, FL, Chapter 5 - Operations Security, section 5.3,"Security Technology and Tools," Personnel section (page 32).

  KRUTZ, R. and VINES, R. The CISSP Prep Guide: Gold Edition (2003), Wiley Publishing Inc., Chapter 6: Operations Security, Separations of Duties (page 303).

• Question 954:

  Memory management in TCSEC levels B3 and A1 operating systems may utilize "data hiding". What does this mean?

  A. System functions are layered, and none of the functions in a given layer can access data outside that layer.
  B. Auditing processes and their memory addresses cannot be accessed by user processes.
  C. Only security processes are allowed to write to ring zero memory.
  D. It is a form of strong encryption cipher.
  A. System functions are layered, and none of the functions in a given layer can access data outside that layer.

  ---

  Data Hiding is protecting data so that it is only available to higher levels this is done and is also performed by layering, when the software in each layer maintains its own global data and does not directly reference data outside its layers.

  The following answers are incorrect:

  Auditing processes and their memory addresses cannot be accessed by user processes. Is incorrect because this does not offer data hiding.

  Only security processes are allowed to write to ring zero memory. This is incorrect, the security kernel would be responsible for this.

  It is a form of strong encryption cipher. Is incorrect because this does not conform to the definition of data hiding.

• Question 955:

  Why do buffer overflows happen? What is the main cause?

  A. Because buffers can only hold so much data
  B. Because of improper parameter checking within the application
  C. Because they are an easy weakness to exploit
  D. Because of insufficient system memory
  B. Because of improper parameter checking within the application

  ---

  Buffer Overflow attack takes advantage of improper parameter checking within the application. This is the classic form of buffer overflow and occurs because the programmer accepts whatever input the user supplies without checking to make

  sure that the length of the input is less than the size of the buffer in the program.

  The buffer overflow problem is one of the oldest and most common problems in software development and programming, dating back to the introduction of interactive computing. It can result when a program fills up the assigned buffer of

  memory with more data than its buffer can hold. When the program begins to write beyond the end of the buffer, the program's execution path can be changed, or data can be written into areas used by the operating system itself. This can

  lead to the insertion of malicious code that can be used to gain administrative privileges on the program or system.

  As explained by Gaurab, it can become very complex. At the time of input even if you are checking the length of the input, it has to be check against the buffer size. Consider a case where entry point of data is stored in Buffer1 of Application1

  and then you copy it to Buffer2 within Application2 later on, if you are just checking the length of data against Buffer1, it will not ensure that it will not cause a buffer overflow in Buffer2 of Application2.

  A bit of reassurance from the ISC2 book about level of Coding Knowledge needed for the exam:

  It should be noted that the CISSP is not required to be an expert programmer or know the inner workings of developing application software code, like the FORTRAN programming language, or how to develop Web applet code using Java. It

  is not even necessary that the CISSP know detailed security-specific coding practices such as the major divisions of buffer overflow exploits or the reason for preferring str(n) cpy to strcpy in the C language (although all such knowledge is, of

  course, helpful). Because the CISSP may be the person responsible for ensuring that security is included in such developments, the CISSP should know the basic procedures and concepts involved during the design and development of

  software programming. That is, in order for the CISSP to monitor the software development process and verify that security is included, the CISSP must understand the fundamental concepts of programming developments and the security

  strengths and weaknesses of various application development processes.

  The following are incorrect answers:

  "Because buffers can only hold so much data" is incorrect. This is certainly true but is not the best answer because the finite size of the buffer is not the problem -- the problem is that the programmer did not check the size of the input before

  moving it into the buffer.

  "Because they are an easy weakness to exploit" is incorrect. This answer is sometimes true but is not the best answer because the root cause of the buffer overflow is that the programmer did not check the size of the user input.

  "Because of insufficient system memory" is incorrect. This is irrelevant to the occurrence of a buffer overflow.

  Reference(s) used for this question:

  Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 13319-13323). Auerbach Publications. Kindle Edition.

• Question 956:

  How often should a Business Continuity Plan be reviewed?

  A. At least once a month
  B. At least every six months
  C. At least once a year
  D. At least Quarterly
  C. At least once a year

  ---

  As stated in SP 800-34 Rev. 1:

  To be effective, the plan must be maintained in a ready state that accurately reflects system requirements, procedures, organizational structure, and policies. During the Operation/Maintenance phase of the SDLC, information systems

  undergo frequent changes because of shifting business needs, technology upgrades, or new internal or external policies.

  As a general rule, the plan should be reviewed for accuracy and completeness at an organization- defined frequency (at least once a year for the purpose of the exam) or whenever significant changes occur to any element of the plan. Certain

  elements, such as contact lists, will require more frequent reviews.

  Remember, there could be two good answers as specified above. Either once a year or whenever significant changes occur to the plan. You will of course get only one of the two presented within you exam.

  Reference(s) used for this question:

  NIST SP 800-34 Revision 1

• Question 957:

  Related to information security, confidentiality is the opposite of which of the following?

  A. closure
  B. disclosure
  C. disposal
  D. disaster
  B. disclosure

  ---

  Confidentiality is the opposite of disclosure.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 59.

• Question 958:

  Which of the following can best eliminate dial-up access through a Remote Access Server as a hacking vector?

  A. Using a TACACS+ server.
  B. Installing the Remote Access Server outside the firewall and forcing legitimate users to authenticate to the firewall.
  C. Setting modem ring count to at least 5.
  D. Only attaching modems to non-networked hosts.
  B. Installing the Remote Access Server outside the firewall and forcing legitimate users to authenticate to the firewall.

  ---

  Containing the dial-up problem is conceptually easy: by installing the Remote Access Server outside the firewall and forcing legitimate users to authenticate to the firewall, any access to internal resources through the RAS can be filtered as

  would any other connection coming from the Internet.

  The use of a TACACS+ Server by itself cannot eliminate hacking.

  Setting a modem ring count to 5 may help in defeating war-dialing hackers who look for modem by dialing long series of numbers.

  Attaching modems only to non-networked hosts is not practical and would not prevent these hosts from being hacked.

  Source: STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 2:

  Hackers.

• Question 959:

  Which of the following security mode of operation does NOT require all users to have the clearance for all information processed on the system?

  A. Compartmented security mode
  B. Multilevel security mode
  C. System-high security mode
  D. Dedicated security mode
  B. Multilevel security mode

  ---

  The multilevel security mode permits two or more classification levels of information to be processed at the same time when all the users do not have the clearance of formal approval to access all the information being processed by the

  system.

  In dedicated security mode, all users have the clearance or authorization and need-to-know to all data processed within the system.

  In system-high security mode, all users have a security clearance or authorization to access the information but not necessarily a need-to-know for all the information processed on the system (only some of the data).

  In compartmented security mode, all users have the clearance to access all the information processed by the system, but might not have the need-to-know and formal access approval.

  Generally, Security modes refer to information systems security modes of operations used in mandatory access control (MAC) systems. Often, these systems contain information at various levels of security classification.

  The mode of operation is determined by:

  The type of users who will be directly or indirectly accessing the system.

  The type of data, including classification levels, compartments, and categories, that are processed on the system.

  The type of levels of users, their need to know, and formal access approvals that the users will have.

  Dedicated security mode

  In this mode of operation, all users must have:

  Signed NDA for ALL information on the system.

  Proper clearance for ALL information on the system.

  Formal access approval for ALL information on the system.

  A valid need to know for ALL information on the system.

  All users can access ALL data.

  System high security mode

  In this mode of operation, all users must have:

  Signed NDA for ALL information on the system.

  Proper clearance for ALL information on the system.

  Formal access approval for ALL information on the system.

  A valid need to know for SOME information on the system.

  All users can access SOME data, based on their need to know.

  Compartmented security mode

  In this mode of operation, all users must have:

  Signed NDA for ALL information on the system.

  Proper clearance for ALL information on the system.

  Formal access approval for SOME information they will access on the system.

  A valid need to know for SOME information on the system.

  All users can access SOME data, based on their need to know and formal access approval.

  Multilevel security mode

  In this mode of operation, all users must have:

  Signed NDA for ALL information on the system.

  Proper clearance for SOME information on the system.

  Formal access approval for SOME information on the system.

  A valid need to know for SOME information on the system.

  All users can access SOME data, based on their need to know, clearance and formal access approval.

  REFERENCES:

  WALLHOFF, John, CBK#6 Security Architecture and Models (CISSP Study Guide), April 2002 (page 6).

  and

  http://en.wikipedia.org/wiki/Security_Modes

• Question 960:

  Which of the following can be defined as a framework that supports multiple, optional authentication mechanisms for PPP, including cleartext passwords, challenge-response, and arbitrary dialog sequences?

  A. Extensible Authentication Protocol
  B. Challenge Handshake Authentication Protocol
  C. Remote Authentication Dial-In User Service
  D. Multilevel Authentication Protocol.
  A. Extensible Authentication Protocol

  ---

  RFC 2828 (Internet Security Glossary) defines the Extensible Authentication Protocol as a framework that supports multiple, optional authentication mechanisms for PPP, including cleartext passwords, challenge- response, and arbitrary dialog sequences. It is intended for use primarily by a host or router that connects to a PPP network server via switched circuits or dial- up lines. The Remote Authentication Dial-In User Service (RADIUS) is defined as an Internet protocol for carrying dial-in user's authentication information and configuration information between a shared, centralized authentication server and a network access server that needs to authenticate the users of its network access ports. The other option is a distracter.

  Source: SHIREY, Robert W., RFC2828: Internet Security Glossary, may 2000.