SSCP Online Practice Questions and Answers

Correct Answer: C

The matrix lists the users, groups and roles down the left side and the resources and functions across the

top. The cells of the matrix can either indicate that access is allowed or indicate the type of access. CBK

pp 317 - 318.

AIO3, p. 169 describes it as a table if subjects and objects specifying the access rights a certain subject

possesses pertaining to specific objects.

In either case, the matrix is a way of analyzing the access control needed by a population of subjects to a

population of objects. This access control can be applied using rules, ACL's, capability tables, etc.

"A capacity table" is incorrect.

This answer is a trap for the unwary -- it sounds a little like "capability table" but is just there to distract you.

"An access control list" is incorrect.

"It [ACL] specifies a list of users [subjects] who are allowed access to each object" CBK, p. 188 Access

control lists (ACL) could be used to implement the rules identified by an access control matrix but is

different from the matrix itself.

"A capability table" is incorrect.

"Capability tables are used to track, manage and apply controls based on the object and rights, or

capabilities of a subject. For example, a table identifies the object, specifies access rights allowed for a

subject, and permits access based on the user's posession of a capability (or ticket) for the object." CBK,

pp. 191-192. To put it another way, as noted in AIO3 on p. 169, "A capabiltiy table is different from an ACL

because the subject is bound to the capability table, whereas the object is bound to the ACL."

Again, a capability table could be used to implement the rules identified by an access control matrix but is

different from the matrix itself.

References:

CBK pp. 191-192, 317-318

AIO3, p. 169

Correct Answer: B

In the lattice model, users are assigned security clearences and the data is classified. Access decisions are made based on the clearence of the user and the classification of the object. Lattice-based access control is an essential ingredient of formal security models such as Bell- LaPadula, Biba, Chinese Wall, etc.

The bounds concept comes from the formal definition of a lattice as a "partially ordered set for which every pair of elements has a greatest lower bound and a least upper bound." To see the application, consider a file classified as "SECRET" and a user Joe with a security clearence of "TOP SECRET." Under Bell-LaPadula, Joe's "least upper bound" access to the file is "READ" and his least lower bound is "NO WRITE" (star property).

Role-based access control is incorrect. Under RBAC, the access is controlled by the permissions assigned to a role and the specific role assigned to the user.

Biba access control is incorrect. The Biba integrity model is based on a lattice structure but the context of the question disqualiifes it as the best answer.

Content-dependent access control is incorrect. In content dependent access control, the actual content of the information determines access as enforced by the arbiter.

References:

CBK, pp. 324-325.

AIO3, pp. 291-293. See aprticularly Figure 5-19 on p. 293 for an illustration of bounds in action.

Correct Answer: B

A security policy would NOT define how hardware and software should be used throughout the organization. A standard or a procedure would provide such details but not a policy.

A security policy is a formal statement of the rules that people who are given access to anorganization's technology and information assets must abide. The policy communicates the security goals to all of the users, the administrators, and the managers. The goals will be largely determined by the following key tradeoffs: services offered versus security provided, ease of use versus security, and cost of security versus risk of loss.

The main purpose of a security policy is to inform the users, the administrators and the managers of their obligatory requirements for protecting technology and information assets. The policy should specify the mechanisms through which these requirements can be met. Another purpose is to provide a baseline from which to acquire, configure and audit computer systems and networks for compliance with the policy. In order for a security policy to be appropriate and effective, it needs to have the acceptance and support of all levels of employees within the organization. A good security policy must:

Be able to be implemented through system administration procedures, publishing of acceptable use guidelines, or other appropriate methods

Be able to be enforced with security tools, where appropriate, and with sanctions, where actual

prevention is not technically feasible

Clearly define the areas of responsibility for the users, the administrators, and the managers

Be communicated to all once it is established

Be flexible to the changing environment of a computer network since it is a living document

Reference(s) used for this question:

National Security Agency, Systems and Network Attack Center (SNAC),The 60 Minute Network Security Guide, February 2002, page 7.

or

A local copy is kept at:

https://www.freepracticetests.org/documents/The%2060%20Minute%20Network%20Security % 20Guide.pdf

Correct Answer: D

The Internet Security Glossary (RFC2828) defines add-on security as "The retrofitting of protection mechanisms, implemented by hardware or software, after the [automatic data processing] system has become operational."

Source: SHIREY, Robert W., RFC2828: Internet Security Glossary, may 2000.

Correct Answer: D

There are some conflicting figures as to which group is a bigger threat hackers or employees. Employees are still considered to the leading source of computer crime losses. Employees often have an easier time gaining access to systems or source code then ousiders or other means of creating computer crimes.

A word of caution is necessary: although the media has tended to portray the threat of cybercrime as existing almost exclusively from the outside, external to a company, reality paints a much different picture. Often the greatest risk of cybercrime comes from the inside, namely, criminal insiders. Information security professionals must be particularly sensitive to the phenomena of the criminal or dangerous insider, as these individuals usually operate under the radar, inside of the primarily outward/external facing security controls, thus significantly increasing the impact of their crimes while leaving few, if any, audit trails to follow and evidence for prosecution.

Some of the large scale crimes committed agains bank lately has shown that Internal Threats are the worst and they are more common that one would think. The definition of what a hacker is can vary greatly from one country to another but in some of the states in the USA a hacker is defined as Someone who is using resources in a way that is not authorized. A recent case in Ohio involved an internal employee who was spending most of his day on dating website looking for the love of his life. The employee was taken to court for hacking the company resources. The following answers are incorrect: hackers. Is incorrect because while hackers represent a very large problem and both the frequency of attacks and overall losses have grown hackers are considered to be a small segment of combined computer fraudsters.

industrial saboteurs. Is incorrect because industrial saboteurs tend to go after trade secrets. While the loss to the organization can be great, they still fall short when compared to the losses created by employees. Often it is an employee that was involved in industrial sabotage.

foreign intelligence officers. Is incorrect because the losses tend to be national secrets. You really can't put t cost on this and the number of frequency and occurances of this is less than that of employee related losses.

Reference(s) used for this question:

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 22327-22331). Auerbach Publications. Kindle Edition.

Correct Answer: C

An investigator's notebook cannot be used as evidence is court. It can only be used by the investigator to

refresh his memory during a proceeding, but cannot be submitted as evidence in any form.

The following answers are incorrect:

When the investigator is unwilling to testify. Is incorrect because the notebook cannot be submitted as

evidence in any form.

When other forms of physical evidence are not available. Is incorrect because the notebook cannot be

submitted as evidence in any form.

If the defense has no objections. Is incorrect because the notebook cannot be submitted as evidence in

any form.

Correct Answer: C

This is the PRIMARY reason for the chain of custody of evidence. Evidence must be controlled every step of the way. If it is not, the evidence can be tampered with and ruled inadmissable. The Chain of Custody will include a detailed record of:

Who obtained the evidence

What was the evidence

Where and when the evidence was obtained

Who secured the evidence

Who had control or possession of the evidence

The following answers are incorrect because :

To ensure that no evidence is lost is incorrect as it is not the PRIMARY reason.

To ensure that all possible evidence is gathered is also incorrect as it is not the PRIMARY reason.

To ensure that incidents were handled with due care and due diligence is also incorrect as it is also not the

PRIMARY reason.

The chain of custody is a history that shows how evidence was collected, analyzed, transported, and preserved in order to establish that it is sufficiently trustworthy to be presented as evidence in court. Because electronic evidence can be easily modified, a clearly defined chain of custody demonstrates that the evidence is trustworthy which would make it admissible in court.

Reference : Shon Harris AIO v3 , Chapter-10: Law, Investigation, and Ethics , Page : 727

Correct Answer: A

Risk is the likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact. If a firewall has several ports open , there is a higher likelihood that an intruder will use one to access the network in an unauthorized method.

The following answers are incorrect :

Residual Risk is very different from the notion of total risk. Residual Risk would be the risks that still exists

after countermeasures have been implemented. Total risk is the amount of risk a company faces if it

chooses not to implement any type of safeguard.

Exposure: An exposure is an instance of being exposed to losses from a threat agent.

Countermeasure: A countermeasure or a safeguard is put in place to mitigate the potential risk. Examples

of countermeasures include strong password management , a security guard.

REFERENCES : SHON HARRIS ALL IN ONE 3rd EDITION

Chapter - 3: Security Management Practices , Pages : 57-59

Correct Answer: A

The first documentation rule when it comes to a BCP/DRP is "one plan, one building". Much of the plan revolves around reconstructing a facility and replenishing it with production contents. If more than one facility is involved, then the reader of the plan will find it difficult to identify quantities and specifications of replacement resource items. It is possible to have multiple plans for a single building, but those plans must be linked so that the identification and ordering of resource items is centralized. All other statements are correct.

Source: BARNES, James C. and ROTHSTEIN, Philip J., A Guide to Business Continuity Planning, John Wiley and Sons, 2001 (page 162).

Correct Answer: B

The exposure factor is a measure of the magnitude of loss or impact on the value of an asset.

The probability is the chance or likelihood, in a finite sample, that an event will occur or that a specific loss value may be attained should the event occur.

A vulnerability is the absence or weakness of a risk-reducing safeguard.

A threat is event, the occurrence of which could have an undesired impact.

Source: ROTHKE, Ben, CISSP CBK Review presentation on domain 3, August 1999.

Correct Answer: C

The above statement is NOT true and thus the correct answer. The maximum key size on Rijndael is 256 bits.

There are some differences between Rijndael and the official FIPS-197 specification for AES. Rijndael specification per se is specified with block and key sizes that must be a multiple of 32 bits, both with a minimum of 128 and a maximum of 256 bits. Namely, Rijndael allows for both key and block sizes to be chosen independently from the set of { 128, 160, 192, 224, 256 } bits. (And the key size does not in fact have to match the block size).

However, FIPS-197 specifies that the block size must always be 128 bits in AES, and that the key size may be either 128, 192, or 256 bits. Therefore AES-128, AES-192, and AES-256 are actually: Key Size (bits) Block Size (bits) AES-128 128 128 AES-192 192 128 AES-256 256 128 So in short:

Rijndael and AES differ only in the range of supported values for the block length and cipher key length. For Rijndael, the block length and the key length can be independently specified to any multiple of 32 bits, with a minimum of 128 bits, and a maximum of 256 bits.

AES fixes the block length to 128 bits, and supports key lengths of 128, 192 or 256 bits only. References used for this question: http://blogs.msdn.com/b/shawnfa/archive/2006/10/09/the-differences-between-rijndael-and- aes.aspx and

http://csrc.nist.gov/CryptoToolkit/aes/rijndael/Rijndael.pdf

Correct Answer: A

When evidence from a crime is to be used in the prosecution of a criminal it is critical that you follow the law when handling that evidence. Part of that process is called chain of custody and is when you maintain proactive and documented control over ALL evidence involved in a crime.

Failure to do this can lead to the dismissal of charges against a criminal because if the evidence is compromised because you failed to maintain of chain of custody.

A chain of custody is chronological documentation for evidence in a particular case, and is especially important with electronic evidence due to the possibility of fraudulent data alteration, deletion, or creation. A fully detailed chain of custody report is necessary to prove the physical custody of a piece of evidence and show all parties that had access to said evidence at any given time.

Evidence must be protected from the time it is collected until the time it is presented in court.

The following answers are incorrect:

-Locking the laptop in your desk: Even this wouldn't assure that the defense team would try to challenge chain of custody handling. It's usually easy to break into a desk drawer and evidence should be stored in approved safes or other storage facility.

-Making a disk image for examination: This is a key part of system forensics where we make a disk image of the evidence system and study that as opposed to studying the real disk drive. That could lead to loss of evidence. However if the original evidence is not secured than the chain of custoday has not been maintained properly.

-Cracking the admin password with chntpw: This isn't correct. Your first mistake was to compromise the chain of custody of the laptop. The chntpw program is a Linux utility to (re)set the password of any user that has a valid (local) account on a Windows system, by modifying the crypted password in the registry's SAM file. You do not need to know the old password to set a new one. It works offline which means you must have physical access (i.e., you have to shutdown your computer and boot off a linux floppy disk). The bootdisk includes stuff to access NTFS partitions and scripts to glue the whole thing together. This utility works with SYSKEY and includes the option to turn it off. A bootdisk image is provided on their website at http://freecode.com/projects/chntpw .

The following reference(s) was used to create this question:

For more details and to cover 100% of the exam

Correct Answer: A

RFC 1661 - The Point-to-Point Protocol (PPP) specifies that the Point-to-Point Protocol (PPP) provides a

standard method for transporting multi-protocol datagrams over point-to-point links.

PPP is comprised of three main components:

1 A method for encapsulating multi-protocol datagrams.

2 A Link Control Protocol (LCP) for establishing, configuring, and testing the data-link connection.

3 A family of Network Control Protocols (NCPs) for establishing and configuring different network-layer

protocols.

Correct Answer: A

To the untrusted host, all traffic seems to originate from the proxy server and addresses on the trusted

network are not revealed.

"User base" is incorrect. The proxy hides the origin of the request from the untrusted host.

"Operating system design" is incorrect. The proxy hides the origin of the request from the untrusted host.

"Net BIOS' design" is incorrect. The proxy hides the origin of the request from the untrusted host.

References:

CBK, p. 467 AIO3, pp. 486 - 490

Correct Answer: B

Communications devices must operate at the same speed to communicate.

Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 100.