Last Updated on March 10, 2022 by Admin 3

SSCP : System Security Certified Practitioner (SSCP) : Part 37

  1. Which of the following is needed for System Accountability?

    • Audit mechanisms.
    • Documented design as laid out in the Common Criteria.
    • Authorization.
    • Formal verification of system design.

    Explanation

    Is a means of being able to track user actions. Through the use of audit logs and other tools the user actions are recorded and can be used at a later date to verify what actions were performed.

    Accountability is the ability to identify users and to be able to track user actions.

    The following answers are incorrect:

    Documented design as laid out in the Common Criteria. Is incorrect because the Common Criteria is an international standard to evaluate trust and would not be a factor in System Accountability.

    Authorization. Is incorrect because Authorization is granting access to subjects, just because you have authorization does not hold the subject accountable for their actions.

    Formal verification of system design. Is incorrect because all you have done is to verify the system design and have not taken any steps toward system accountability.

    References:
    OIG CBK Glossary (page 778)

  2. Kerberos can prevent which one of the following attacks?

    • tunneling attack.
    • playback (replay) attack.
    • destructive attack.
    • process attack.
    Explanation:

    Each ticket in Kerberos has a timestamp and are subject to time expiration to help prevent these types of attacks.

    The following answers are incorrect:

    tunneling attack. This is incorrect because a tunneling attack is an attempt to bypass security and access low-level systems. Kerberos cannot totally prevent these types of attacks.

    destructive attack. This is incorrect because depending on the type of destructive attack, Kerberos cannot prevent someone from physically destroying a server.

    process attack. This is incorrect because with Kerberos cannot prevent an authorzied individuals from running processes.

  3. Guards are appropriate whenever the function required by the security program involves which of the following?

    • The use of discriminating judgment
    • The use of physical force
    • The operation of access control devices
    • The need to detect unauthorized access
    Explanation:

    The Answer: The use of discriminating judgment, a guard can make the determinations that hardware or other automated security devices cannot make due to its ability to adjust to rapidly changing conditions, to learn and alter recognizable patterns, and to respond to various conditions in the environment. Guards are better at making value decisions at times of incidents. They are appropriate whenever immediate, discriminating judgment is required by the security entity.

    The following answers are incorrect:

    The use of physical force This is not the best answer. A guard provides discriminating judgment, and the ability to discern the need for physical force.
    The operation of access control devices A guard is often uninvolved in the operations of an automated access control device such as a biometric reader, a smart lock, mantrap, etc.
    The need to detect unauthorized access The primary function of a guard is not to detect unauthorized access, but to prevent unauthorized physical access attempts and may deter social engineering attempts.

    The following reference(s) were/was used to create this question:
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 10: Physical security (page 339).

    Source: ISC2 Offical Guide to the CBK page 288-289.

  4. What physical characteristic does a retinal scan biometric device measure?

    • The amount of light reaching the retina
    • The amount of light reflected by the retina
    • The pattern of light receptors at the back of the eye
    • The pattern of blood vessels at the back of the eye
    Explanation:

    The retina, a thin nerve (1/50th of an inch) on the back of the eye, is the part of the eye which senses light and transmits impulses through the optic nerve to the brain – the equivalent of film in a camera. Blood vessels used for biometric identification are located along the neural retina, the outermost of retina’s four cell layers.

    The following answers are incorrect:

    The amount of light reaching the retina The amount of light reaching the retina is not used in the biometric scan of the retina.
    The amount of light reflected by the retina The amount of light reflected by the retina is not used in the biometric scan of the retina.

    The pattern of light receptors at the back of the eye This is a distractor

    The following reference(s) were/was used to create this question:

    Reference: Retina Scan Technology.
    ISC2 Official Guide to the CBK, 2007 (Page 161)

  5. The number of violations that will be accepted or forgiven before a violation record is produced is called which of the following?

    • clipping level
    • acceptance level
    • forgiveness level
    • logging level
    Explanation:

    The correct answer is “clipping level”. This is the point at which a system decides to take some sort of action when an action repeats a preset number of times. That action may be to log the activity, lock a user account, temporarily close a port, etc.

    Example: The most classic example of a clipping level is failed login attempts. If you have a system configured to lock a user’s account after three failed login attemts, that is the “clipping level”.

    The other answers are not correct because:

    Acceptance level, forgiveness level, and logging level are nonsensical terms that do not exist (to my knowledge) within network security.

    Reference:

    Official ISC2 Guide – The term “clipping level” is not in the glossary or index of that book. I cannot find it in the text either. However, I’m quite certain that it would be considered part of the CBK, despite its exclusion from the Official Guide.
    All in One Third Edition page: 136 – 137

  6. Examples of types of physical access controls include all EXCEPT which of the following?

    • badges
    • locks
    • guards
    • passwords
    Explanation:

    Passwords are considered a Preventive/Technical (logical) control.

    The following answers are incorrect:

    badges Badges are a physical control used to identify an individual. A badge can include a smart device which can be used for authentication and thus a Technical control, but the actual badge itself is primarily a physical control.

    locks Locks are a Preventative Physical control and has no Technical association.
    guards Guards are a Preventative Physical control and has no Technical association.

    The following reference(s) were/was used to create this question:

    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 35).

  7. The end result of implementing the principle of least privilege means which of the following?

    • Users would get access to only the info for which they have a need to know
    • Users can access all systems.
    • Users get new privileges added when they change positions.
    • Authorization creep.
    Explanation:

    The principle of least privilege refers to allowing users to have only the access they need and not anything more. Thus, certain users may have no need to access any of the files on specific systems.

    The following answers are incorrect:
    Users can access all systems. Although the principle of least privilege limits what access and systems users have authorization to, not all users would have a need to know to access all of the systems. The best answer is still Users would get access to only the info for which they have a need to know as some of the users may not have a need to access a system.

    Users get new privileges when they change positions. Although true that a user may indeed require new privileges, this is not a given fact and in actuality a user may require less privileges for a new position. The principle of least privilege would require that the rights required for the position be closely evaluated and where possible rights revoked.

    Authorization creep. Authorization creep occurs when users are given additional rights with new positions and responsibilities. The principle of least privilege should actually prevent authorization creep.

    The following reference(s) were/was used to create this question:

    ISC2 OIG 2007 p.101,123
    Shon Harris AIO v3 p148, 902-903

  8. Which of the following is the most reliable authentication method for remote access?

    • Variable callback system
    • Synchronous token
    • Fixed callback system
    • Combination of callback and caller ID
    Explanation:

    A Synchronous token generates a one-time password that is only valid for a short period of time. Once the password is used it is no longer valid, and it expires if not entered in the acceptable time frame.

    The following answers are incorrect:
    Variable callback system. Although variable callback systems are more flexible than fixed callback systems, the system assumes the identity of the individual unless two-factor authentication is also implemented. By itself, this method might allow an attacker access as a trusted user.

    Fixed callback system. Authentication provides assurance that someone or something is who or what he/it is supposed to be. Callback systems authenticate a person, but anyone can pretend to be that person. They are tied to a specific place and phone number, which can be spoofed by implementing call-forwarding.

    Combination of callback and Caller ID. The caller ID and callback functionality provides greater confidence and auditability of the caller’s identity. By disconnecting and calling back only authorized phone numbers, the system has a greater confidence in the location of the call. However, unless combined with strong authentication, any individual at the location could obtain access.

    The following reference(s) were/was used to create this question:

    Shon Harris AIO v3 p. 140, 548
    ISC2 OIG 2007 p. 152-153, 126-127

  9. Which is the last line of defense in a physical security sense?

    • people
    • interior barriers
    • exterior barriers
    • perimeter barriers
    Explanation:
    “Ultimately, people are the last line of defense for your company’s assets” (Pastore & Dulaney, 2006, p. 529).
    Pastore, M. and Dulaney, E. (2006). CompTIA Security+ study guide: Exam SY0-101. Indianapolis, IN: Sybex.
  10. The Computer Security Policy Model the Orange Book is based on is which of the following?

    • Bell-LaPadula
    • Data Encryption Standard
    • Kerberos
    • Tempest
    Explanation:
    The Computer Security Policy Model Orange Book is based is the Bell-LaPadula Model. Orange Book Glossary.
    The Data Encryption Standard (DES) is a cryptographic algorithm. National Information Security Glossary.
    TEMPEST is related to limiting the electromagnetic emanations from electronic equipment.
    Reference: U.S. Department of Defense, Trusted Computer System Evaluation Criteria (Orange Book), DOD 5200.28-STD. December 1985 (also available here).
  11. Who developed one of the first mathematical models of a multilevel-security computer system?

    • Diffie and Hellman.
    • Clark and Wilson.
    • Bell and LaPadula.
    • Gasser and Lipner.
    Explanation:

    In 1973 Bell and LaPadula created the first mathematical model of a multi-level security system.

    The following answers are incorrect:

    Diffie and Hellman. This is incorrect because Diffie and Hellman was involved with cryptography.
    Clark and Wilson. This is incorrect because Bell and LaPadula was the first model. The Clark-Wilson model came later, 1987.
    Gasser and Lipner. This is incorrect, it is a distractor. Bell and LaPadula was the first model.

  12. A department manager has read access to the salaries of the employees in his/her department but not to the salaries of employees in other departments. A database security mechanism that enforces this policy would typically be said to provide which of the following?

    • Content-dependent access control
    • Context-dependent access control
    • Least privileges access control
    • Ownership-based access control
    Explanation:

    When access control is based on the content of an object, it is considered to be content dependent access control.

    Content-dependent access control is based on the content itself.

    The following answers are incorrect:

    context-dependent access control. Is incorrect because this type of control is based on what the context is, facts about the data rather than what the object contains.
    least privileges access control. Is incorrect because this is based on the least amount of rights needed to perform their jobs and not based on what is contained in the database.
    ownership-based access control. Is incorrect because this is based on the owner of the data and and not based on what is contained in the database.

    References:

    OIG CBK Access Control (page 191)

  13. In discretionary access environments, which of the following entities is authorized to grant information access to other people?

    • Manager
    • Group Leader
    • Security Manager
    • Data Owner
    Explanation:

    In Discretionary Access Control (DAC) environments, the user who creates a file is also considered the owner and has full control over the file including the ability to set permissions for that file.

    The following answers are incorrect:

    manager. Is incorrect because in Discretionary Access Control (DAC) environments it is the owner/user that is authorized to grant information access to other people.

    group leader. Is incorrect because in Discretionary Access Control (DAC) environments it is the owner/user that is authorized to grant information access to other people.

    security manager. Is incorrect because in Discretionary Access Control (DAC) environments it is the owner/user that is authorized to grant information access to other people.

    IMPORTANT NOTE:
    The term Data Owner is also used within Classifications as well. Under the subject of classification the Data Owner is a person from management who has been entrusted with a data set that belongs to the company. For example it could be the Chief Financial Officer (CFO) who is entrusted with all of the financial data for a company. As such the CFO would determine the classification of the financial data and who can access as well. The Data Owner would then tell the Data Custodian (a technical person) what the classification and need to know is on the specific set of data.

    The term Data Owner under DAC simply means whoever created the file and as the creator of the file the owner has full access and can grant access to other subjects based on their identity.

  14. What is the main concern with single sign-on?

    • Maximum unauthorized access would be possible if a password is disclosed.
    • The security administrator’s workload would increase.
    • The users’ password would be too hard to remember.
    • User access rights would be increased.
    Explanation:

    A major concern with Single Sign-On (SSO) is that if a user’s ID and password are compromised, the intruder would have access to all the systems that the user was authorized for.

    The following answers are incorrect:

    The security administrator’s workload would increase. Is incorrect because the security administrator’s workload would decrease and not increase. The admin would not be responsible for maintaining multiple user accounts just the one.

    The users’ password would be too hard to remember. Is incorrect because the users would have less passwords to remember.

    User access rights would be increased. Is incorrect because the user access rights would not be any different than if they had to log into systems manually.

  15. The number of violations that will be accepted or forgiven before a violation record is produced is called which of the following?

    • clipping level
    • acceptance level
    • forgiveness level
    • logging level
    Explanation:

    The correct answer is “clipping level”. This is the point at which a system decides to take some sort of action when an action repeats a preset number of times. That action may be to log the activity, lock a user account, temporarily close a port, etc.

    Example: The most classic example of a clipping level is failed login attempts. If you have a system configured to lock a user’s account after three failed login attemts, that is the “clipping level”.

    The other answers are not correct because:

    Acceptance level, forgiveness level, and logging level are nonsensical terms that do not exist (to my knowledge) within network security.

    Reference:

    Official ISC2 Guide – The term “clipping level” is not in the glossary or index of that book. I cannot find it in the text either. However, I’m quite certain that it would be considered part of the CBK, despite its exclusion from the Official Guide.

    All in One Third Edition page: 136 – 137

  16. Examples of types of physical access controls include all EXCEPT which of the following?

    • badges
    • locks
    • guards
    • passwords
    Explanation:

    Passwords are considered a Preventive/Technical (logical) control.

    The following answers are incorrect:

    badges Badges are a physical control used to identify an individual. A badge can include a smart device which can be used for authentication and thus a Technical control, but the actual badge itself is primarily a physical control.

    locks Locks are a Preventative Physical control and has no Technical association.
    guards Guards are a Preventative Physical control and has no Technical association.

    The following reference(s) were/was used to create this question:

    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 35).

  17. Which of the following attacks could capture network user passwords?

    • Data diddling
    • Sniffing
    • IP Spoofing
    • Smurfing
    Explanation:

    A network sniffer captures a copy every packet that traverses the network segment the sniffer is connect to.
    Sniffers are typically devices that can collect information from a communication medium, such as a network. These devices can range from specialized equipment to basic workstations with customized software.

    A sniffer can collect information about most, if not all, attributes of the communication. The most common method of sniffing is to plug a sniffer into an existing network device like a hub or switch. A hub (which is designed to relay all traffic passing through it to all of its ports) will automatically begin sending all the traffic on that network segment to the sniffing device. On the other hand, a switch (which is designed to limit what traffic gets sent to which port) will have to be specially configured to send all traffic to the port where the sniffer is plugged in.

    Another method for sniffing is to use a network tap—a device that literally splits a network transmission into two identical streams; one going to the original network destination and the other going to the sniffing device. Each of these methods has its advantages and disadvantages, including cost, feasibility, and the desire to maintain the secrecy of the sniffing activity.

    The packets captured by sniffer are decoded and then displayed by the sniffer. Therfore, if the username/password are contained in a packet or packets traversing the segment the sniffer is connected to, it will capture and display that information (and any other information on that segment it can see).

    Of course, if the information is encrypted via a VPN, SSL, TLS, or similar technology, the information is still captured and displayed, but it is in an unreadable format.

    The following answers are incorrect:

    Data diddling involves changing data before, as it is enterred into a computer, or after it is extracted.

    Spoofing is forging an address and inserting it into a packet to disguise the origin of the communication – or causing a system to respond to the wrong address.

    Smurfing would refer to the smurf attack, where an attacker sends spoofed packets to the broadcast address on a gateway in order to cause a denial of service.

    The following reference(s) were/was used to create this question:

    CISA Review manual 2014 Page number 321
    Official ISC2 Guide to the CISSP 3rd edition Page Number 153

  18. Which of the following would constitute the best example of a password to use for access to a system by a network administrator?

    • holiday
    • Christmas12
    • Jenny
    • GyN19Za!
    Explanation:

    GyN19Za! would be the the best answer because it contains a mixture of upper and lower case characters, alphabetic and numeric characters, and a special character making it less vulnerable to password attacks.

    All of the other answers are incorrect because they are vulnerable to brute force or dictionary attacks. Passwords should not be common words or names. The addition of a number to the end of a common word only marginally strengthens it because a common password attack would also check combinations of words:

    Christmas23
    Christmas123
    etc…

  19. Which of the following is the FIRST step in protecting data’s confidentiality?

    • Install a firewall
    • Implement encryption
    • Identify which information is sensitive
    • Review all user access rights
    Explanation:

    In order to protect the confidentiality of the data.

    The following answers are incorrect because :

    Install a firewall is incorrect as this would come after the information has been identified for sensitivity levels.

    Implement encryption is also incorrect as this is one of the mechanisms to protect the data once it has been identified.
    Review all user access rights is also incorrect as this is also a protection mechanism for the identified information.

    Reference : Shon Harris AIO v3 , Chapter-4 : Access Control , Page : 126

  20. Which of the following best ensures accountability of users for the actions taken within a system or domain?

    • Identification
    • Authentication
    • Authorization
    • Credentials
    Explanation:

    Details:

    The only way to ensure accountability is if the subject is uniquely identified and authenticated. Identification alone does not provide proof the user is who they claim to be. After showing proper credentials, a user is authorized access to resources.

    References:
    HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter 4: Access Control (page 126).