ISC SSCP Online Practice Questions and Exam Preparation

ISC SSCP Online Questions & Answers

• Question 981:

  In what way can violation clipping levels assist in violation tracking and analysis?

  A. Clipping levels set a baseline for acceptable normal user errors, and violations exceeding that threshold will be recorded for analysis of why the violations occurred.
  B. Clipping levels enable a security administrator to customize the audit trail to record only those violations which are deemed to be security relevant.
  C. Clipping levels enable the security administrator to customize the audit trail to record only actions for users with access to user accounts with a privileged status.
  D. Clipping levels enable a security administrator to view all reductions in security levels which have been made to user accounts which have incurred violations.
  A. Clipping levels set a baseline for acceptable normal user errors, and violations exceeding that threshold will be recorded for analysis of why the violations occurred.

  ---

  Companies can set predefined thresholds for the number of certain types of errors that will be allowed before the activity is considered suspicious. The threshold is a baseline for violation activities that may be normal for a user to commit before alarms are raised. This baseline is referred to as a clipping level.

  The following are incorrect answers:

  Clipping levels enable a security administrator to customize the audit trail to record only those violations which are deemed to be security relevant. This is not the best answer, you would not record ONLY security relevant violations, all

  violations would be recorded as well as all actions performed by authorized users which may not trigger a violation. This could allow you to indentify abnormal activities or fraud after the fact.

  Clipping levels enable the security administrator to customize the audit trail to record only actions for users with access to user accounts with a privileged status. It could record all security violations whether the user is a normal user or a

  privileged user.

  Clipping levels enable a security administrator to view all reductions in security levels which have been made to user accounts which have incurred violations. The keyword "ALL" makes this question wrong. It may detect SOME but not all of

  violations. For example, application level attacks may not be detected.

  Reference(s) used for this question:

  Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 1239). McGraw-Hill.

  Kindle Edition.

  and

  TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

• Question 982:

  Which of the following server contingency solutions offers the highest availability?

  A. System backups
  B. Electronic vaulting/remote journaling
  C. Redundant arrays of independent disks (RAID)
  D. Load balancing/disk replication
  D. Load balancing/disk replication

  ---

  Of the offered technologies, load balancing/disk replication offers the highest availability, measured in terms of minutes of lost data or server downtime. A Network-Attached Storage (NAS) or a Storage Area Network (SAN) solution combined with virtualization would offer an even higher availability.

  Source: SWANSON, Marianne, and al., National Institute of Standards and Technology (NIST), NIST Special Publication 800-34, Contingency Planning Guide for Information Technology Systems, December 2001 (page 49).

• Question 983:

  Which of the following is NOT a property of a one-way hash function?

  A. It converts a message of a fixed length into a message digest of arbitrary length.
  B. It is computationally infeasible to construct two different messages with the same digest.
  C. It converts a message of arbitrary length into a message digest of a fixed length.
  D. Given a digest value, it is computationally infeasible to find the corresponding message.
  A. It converts a message of a fixed length into a message digest of arbitrary length.

  ---

  An algorithm that turns messages or text into a fixed string of digits, usually for security or data management purposes. The "one way" means that it's nearly impossible to derive the original text from the string.

  A one-way hash function is used to create digital signatures, which in turn identify and authenticate the sender and message of a digitally distributed message. A cryptographic hash function is a deterministic procedure that takes an arbitrary

  block of data and returns a fixed-size bit string, the (cryptographic) hash value, such that an accidental or intentional change to the data will change the hash value. The data to be encoded is often called the "message," and the hash value is

  sometimes called the message digest or simply digest.

  The ideal cryptographic hash function has four main or significant properties:

  it is easy (but not necessarily quick) to compute the hash value for any given message

  it is infeasible to generate a message that has a given hash

  it is infeasible to modify a message without changing the hash

  it is infeasible to find two different messages with the same hash

  Cryptographic hash functions have many information security applications, notably in digital signatures, message authentication codes (MACs), and other forms of authentication. They can also be used as ordinary hash functions, to index

  data in hash tables, for fingerprinting, to detect duplicate data or uniquely identify files, and as checksums to detect accidental data corruption. Indeed, in information security contexts, cryptographic hash values are sometimes called (digital)

  fingerprints, checksums, or just hash values, even though all these terms stand for functions with rather different properties and purposes.

  Source:

  TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

  and

  http://en.wikipedia.org/wiki/Cryptographic_hash_function

• Question 984:

  The criteria for evaluating the legal requirements for implementing safeguards is to evaluate the cost (C) of instituting the protection versus the estimated loss (L) resulting from the exploitation of the corresponding vulnerability. Therefore, a legal liability may exists when:

  A. (C < L) or C is less than L
  B. (C < L - (residual risk)) or C is less than L minus residual risk
  C. (C > L) or C is greather than L
  D. (C > L - (residual risk)) or C is greather than L minus residual risk
  A. (C < L) or C is less than L

  ---

  If the cost is lower than the estimated loss (C < L), then legal liability may exists if you fail to implement the proper safeguards.

  Government laws and regulations require companies to employ reasonable security measures to reduce private harms such as identity theft due to unauthorized access. The U.S. Gramm-Leach- Bliley Act (GLBA) Safeguards Rule and the

  broader European Directive 95/46/EC, Article 17, both require that companies employ reasonable or

  appropriate administrative and technical security measures to protect consumer information.

  The GLBA is a U.S. Federal law enacted by U.S. Congress in 1998 to allow consolidation among commercial banks. The GLBA Safeguards Rule is U.S. Federal regulation created in reaction to the GLBA and enforced by the U.S.

  Federal Trade Commission (FTC). The Safeguards Rule requires companies to implement a security plan to protect the confidentiality and integrity of consumer personal information and requires the designation of an individual responsible for

  compliance. Because these laws and regulations govern consumer personal information, they can lead to new requirements for information systems for which companies are responsible to comply.

  The act of compliance includes demonstrating due diligence, which is defined as "reasonable efforts that persons make to satisfy legal requirements or discharge their legal obligations". Reasonableness in software systems includes

  industries standards and may allow for imperfection. Lawyers representing firms and other organizations, regulators, system administrators and engineers all face considerable challenge in determining what constitutes "reasonable" security

  measures for several reasons, including:

  1.

  Compliance changes with the emergence of new security vulnerabilities due to innovations in information technology;

  2.

  Compliance requires knowledge of specific security measures, however publicly available best practices typically include general goals and only address broad categories of vulnerability; and

  3.

  Compliance is a best-effort practice, because improving security is costly and companies must prioritize security spending commensurate with risk of non-compliance. In general, the costs of improved security are certain, but the

  improvement in security depends on unknown variables and probabilities outside the control of companies.

  The following reference(s) were used for this question:

  KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 315.

  and

  http://www.cs.cmu.edu/~breaux/publications/tdbreaux-cose10.pdf

• Question 985:

  What is the main purpose of Corporate Security Policy?

  A. To transfer the responsibility for the information security to all users of the organization
  B. To communicate management's intentions in regards to information security
  C. To provide detailed steps for performing specific actions
  D. To provide a common framework for all development activities
  B. To communicate management's intentions in regards to information security

  ---

  A Corporate Security Policy is a high level document that indicates what are management`s intentions in regard to Information Security within the organization. It is high level in purpose, it does not give you details about specific products that would be use, specific steps, etc.. The organization's requirements for access control should be defined and documented in its security policies. Access rules and rights for each user or group of users should be clearly stated in an access policy statement. The access control policy should minimally consider:

  Statements of general security principles and their applicability to the organization

  Security requirements of individual enterprise applications, systems, and services

  Consistency between the access control and information classification policies of different systems and networks

  Contractual obligations or regulatory compliance regarding protection of assets

  Standards defining user access profiles for organizational roles

  Details regarding the management of the access control system

  As a Certified Information System Security Professional (CISSP) you would be involved directly in the drafting and coordination of security policies, standards and supporting guidelines, procedures, and baselines.

  Guidance provided by the CISSP for technical security issues, and emerging threats are considered for the adoption of new policies. Activities such as interpretation of government regulations and industry trends and analysis of vendor

  solutions to include in the security architecture that advances the security of the organization are performed by the CISSP as well.

  The following are incorrect answers:

  To transfer the responsibility for the information security to all users of the organization is bogus. You CANNOT transfer responsibility, you can only tranfer authority. Responsibility will also sit with upper management. The keyworks ALL and

  USERS is also an indication that it is the wrong choice.

  To provide detailed steps for performing specific actions is also a bogus detractor. A step by step document is referred to as a procedure. It details how to accomplish a specific task. To provide a common framework for all development

  activities is also an invalid choice. Security Policies are not restricted only to development activities.

  Reference Used for this question:

  Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 1551-1565). Auerbach Publications. Kindle Edition.

  and

  Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 9109-9112). Auerbach Publications. Kindle Edition.

• Question 986:

  Which backup method is additive because the time and tape space required for each night's backup grows during the week as it copies the day's changed files and the previous days' changed files up to the last full backup?

  A. differential backup method
  B. full backup method
  C. incremental backup method
  D. tape backup method.
  A. differential backup method

  ---

  The Differential Backup Method is additive because the time and tape space required for each night's backup grows during the week as it copies the day's changed files and the previous days' changed files up to the last full backup.

  Archive Bits

  Unless you've done a lot of backups in your time you've probably never heard of an Archive Bit. An archive bit is, essentially, a tag that is attached to every file. In actuality, it is a binary digit that is set on or off in the file, but that's crummy

  technical jargon that doesn't really tell us anything. For the sake of our discussion, just think of it as the flag on a mail box. If the flag is up, it means the file has been changed. If it's down, then the file is unchanged.

  Archive bits let the backup software know what needs to be backed up. The differential and incremental backup types rely on the archive bit to direct them.

  Backup Types

  Full or Normal

  The "Full" or "normal" backup type is the most standard. This is the backup type that you would use if you wanted to backup every file in a given folder or drive. It backs up everything you direct it to regardless of what the archive bit says. It

  also resets all archive bits (puts the flags down). Most backup software, including the built-in Windows backup software, lets you select down to the individual file that you want backed up. You can also choose to backup things like the "system

  state".

  Incremental

  When you schedule an incremental backup, you are in essence instructing the software to only backup files that have been changed, or files that have their flag up. After the incremental backup of that file has occured, that flag will go back

  down. If you perform a normal backup on Monday, then an incremental backup on Wednesday, the only files that will be backed up are those that have changed since Monday. If on Thursday someone deletes a file by accident, in order to get

  it back you will have to restore the full backup from Monday, followed by the Incremental backup from Wednesday.

  Differential

  Differential backups are similar to incremental backups in that they only backup files with their archive bit, or flag, up. However, when a differential backup occurs it does not reset those archive bits which means, if the following day, another

  differential backup occurs, it will back up that file again regardless of whether that file has been changed or not.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 69.

  And: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 9:

  Disaster Recovery and Business continuity (pages 617-619).

  And: http://www.brighthub.com/computing/windows-platform/articles/24531.aspx

• Question 987:

  A X.509 public key certificate with the key usage attribute "non repudiation" can be used for which of the following?

  A. encrypting messages
  B. signing messages
  C. verifying signed messages
  D. decrypt encrypted messages
  C. verifying signed messages

  ---

  References: RFC 2459 : Internet X.509 Public Key Infrastructure Certificate and CRL Profile; GUTMANN, P., X.509 style guide.

• Question 988:

  Which of the following is NOT an advantage that TACACS+ has over TACACS?

  A. Event logging
  B. Use of two-factor password authentication
  C. User has the ability to change his password
  D. Ability for security tokens to be resynchronized
  A. Event logging

  ---

  Although TACACS+ provides better audit trails, event logging is a service that is provided with TACACS.

  Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 3: Telecommunications and Network Security (page 121).

• Question 989:

  In non-discretionary access control using Role Based Access Control (RBAC), a central authority determines what subjects can have access to certain objects based on the organizational security policy. The access controls may be based on:

  A. The societies role in the organization
  B. The individual's role in the organization
  C. The group-dynamics as they relate to the individual's role in the organization
  D. The group-dynamics as they relate to the master-slave role in the organization
  B. The individual's role in the organization

  ---

  In Non-Discretionary Access Control, when Role Based Access Control is being used, a central authority determines what subjects can have access to certain objects based on the organizational security policy. The access controls may be

  based on the individual's role in the organization.

  Reference(S) used for this question:

  KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 33.

• Question 990:

  Which of the following rules is least likely to support the concept of least privilege?

  A. The number of administrative accounts should be kept to a minimum.
  B. Administrators should use regular accounts when performing routine operations like reading mail.
  C. Permissions on tools that are likely to be used by hackers should be as restrictive as possible.
  D. Only data to and from critical systems and applications should be allowed through the firewall.
  D. Only data to and from critical systems and applications should be allowed through the firewall.

  ---

  Only data to and from critical systems and applications should be allowed through the firewall is a detractor. Critical systems or applications do not necessarily need to have traffic go through a firewall. Even if they did, only the minimum

  required services should be allowed. Systems that are not deemed critical may also need to have traffic go through the firewall.

  Least privilege is a basic tenet of computer security that means users should be given only those rights required to do their jobs or tasks. Least privilege is ensuring that you have the minimum privileges necessary to do a task. An admin NOT

  using his admin account to check email is a clear example of this.

  Reference(s) used for this question:

  National Security Agency, Systems and Network Attack Center (SNAC), The 60 Minute Network Security Guide, February 2002, page 9.