Last Updated on March 10, 2022 by Admin 3

SSCP : System Security Certified Practitioner (SSCP) : Part 41

  1. In biometrics, the “one-to-one” search used to verify claim to an identity made by a person is considered:

    • Authentication
    • Identification
    • Auditing
    • Authorization

    Explanation:

    Biometric devices can be used for either IDENTIFICATION or AUTHENTICATION.
    ONE TO ONE is for AUTHENTICATION.
    This means that you as a user would provide some biometric credential such as your fingerprint. The system then compares the template you have provided with the one stored in the database. If the two are the same, that proves that you are who you claim to be.

    ONE TO MANY is for IDENTIFICATION
    A good example of this would be within airport. Many airports today have facial recognition cameras, as you walk through the airport it will take a picture of your face and then compare the template (your face) with a database full of templates and see if there is a match between your template and the ones stored in the Database. This is for IDENTIFICATION of a person.

    Some additional clarification or comments that might be helpful are: Biometrics establish authentication using specific information and comparing results to expected data. It does not perform well for identification purposes such as scanning for a person’s face in a moving crowd for example.

    Identification methods could include: username, user ID, account number, PIN, certificate, token, smart card, biometric device or badge.

    Auditing is a process of logging or tracking what was done after the identity and authentication process is completed.

    Authorization is the rights the subject is given and is performed after the identity is established.

    Reference OIG (2007) p148, 167

    Authentication in biometrics is a “one-to-one” search to verify claim to an identity made by a person.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 38.

  2. Which of the following offers advantages such as the ability to use stronger passwords, easier password administration, one set of credentials, and faster resource access?

    • Smart cards
    • Single Sign-On (SSO)
    • Symmetric Ciphers
    • Public Key Infrastructure (PKI)
    Explanation:
    The advantages of SSO include the ability to use stronger passwords, easier administration as far as changing or deleting passwords, minimized risk of orphan accounts, and less time required to access resources.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 39.
  3. Which of the following describes the major disadvantage of many Single Sign-On (SSO) implementations?

    • Once an individual obtains access to the system through the initial log-on, they have access to all resources within the environment that the account has access to.
    • The initial logon process is cumbersome to discourage potential intruders.
    • Once a user obtains access to the system through the initial log-on, they only need to logon to some applications.
    • Once a user obtains access to the system through the initial log-on, he has to logout from all other systems
    Explanation:

    Single Sign-On is a distributed Access Control methodology where an individual only has to authenticate once and would have access to all primary and secondary network domains. The individual would not be required to re-authenticate when they needed additional resources. The security issue that this creates is that if a fraudster is able to compromise those credentials, they too would have access to all the resources that account has access to.

    All the other answers are incorrect as they are distractors.

  4. Considerations of privacy, invasiveness, and psychological and physical comfort when using the system are important elements for which of the following?

    • Accountability of biometrics systems
    • Acceptability of biometrics systems
    • Availability of biometrics systems
    • Adaptability of biometrics systems
    Explanation:
    Acceptability refers to considerations of privacy, invasiveness, and psychological and physical comfort when using the system.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 39.
  5. Which of the following biometric characteristics cannot be used to uniquely authenticate an individual’s identity?

    • Retina scans
    • Iris scans
    • Palm scans
    • Skin scans
    Explanation:

    The following are typical biometric characteristics that are used to uniquely authenticate an individual’s identity:

    Fingerprints
    Retina scans
    Iris scans
    Facial scans
    Palm scans
    Hand geometry
    Voice
    Handwritten signature dynamics

    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 39.
    And: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 4: Access Control (pages 127-131).

  6. Who can best decide what are the adequate technical security controls in a computer-based application system in regards to the protection of the data being used, the criticality of the data, and its sensitivity level?

    • System Auditor
    • Data or Information Owner
    • System Manager
    • Data or Information user
    Explanation:

    The data or information owner also referred to as “Data Owner” would be the best person. That is the individual or officer who is ultimately responsible for the protection of the information and can therefore decide what are the adequate security controls according to the data sensitivity and data criticality. The auditor would be the best person to determine the adequacy of controls and whether or not they are working as expected by the owner.

    The function of the auditor is to come around periodically and make sure you are doing what you are supposed to be doing. They ensure the correct controls are in place and are being maintained securely. The goal of the auditor is to make sure the organization complies with its own policies and the applicable laws and regulations.

    Organizations can have internal auditors and/or external auditors. The external auditors commonly work on behalf of a regulatory body to make sure compliance is being met. CobiT, for example, is a model that most information security auditors follow when evaluating a security program. While many security professionals fear and dread auditors, they can be valuable tools in ensuring the overall security of the organization. Their goal is to find the things you have missed and help you understand how to fix the problem.

    The Official ISC2 Guide (OIG) says:
    IT auditors determine whether users, owners, custodians, systems, and networks are in compliance with the security policies, procedures, standards, baselines, designs, architectures, management direction, and other requirements placed on systems. The auditors provide independent assurance to the management on the appropriateness of the security controls. The auditor examines the information systems and determines whether they are designed, configured, implemented, operated, and managed in a way ensuring that the organizational objectives are being achieved. The auditors provide top company management with an independent view of the controls and their effectiveness.

    Example:
    Bob is the head of payroll. He is therefore the individual with primary responsibility over the payroll database, and is therefore the information/data owner of the payroll database. In Bob’s department, he has Sally and Richard working for him. Sally is responsible for making changes to the payroll database, for example if someone is hired or gets a raise. Richard is only responsible for printing paychecks. Given those roles, Sally requires both read and write access to the payroll database, but Richard requires only read access to it. Bob communicates these requirements to the system administrators (the “information/data custodians”) and they set the file permissions for Sally’s and Richard’s user accounts so that Sally has read/write access, while Richard has only read access.

    So in short, Bob will determine what controls are required and what the sensitivity and criticality of the data are. Bob will communicate this to the custodians, who will implement the requirements on the systems/DB. The auditor would assess whether the controls are in fact providing the level of security the Data Owner expects within the systems/DB. The auditor does not determine the sensitivity or the criticality of the data.

    The other answers are not correct because:

    A “system auditor” is never responsible for anything but auditing: not actually making control decisions. The auditor would, however, be the best person to determine the adequacy of controls and then make recommendations.

    A “system manager” is really just another name for a system administrator, which is actually an information custodian as explained above.

    A “Data or information user” is responsible for implementing security controls on a day-to-day basis as they utilize the information, but not for determining what the controls should be or if they are adequate.

    References:
    Official ISC2 Guide to the CISSP CBK, Third Edition , Page 477
    Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition : Information Security Governance and Risk Management ((ISC)2 Press) (Kindle Locations 294-298). Auerbach Publications. Kindle Edition.
    Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 3108-3114).

    Information Security Glossary
    Responsibility for use of information resources

  7. Which of the following tools is NOT likely to be used by a hacker?

    • Nessus
    • Saint
    • Tripwire
    • Nmap
    Explanation:

    Tripwire is data integrity assurance software aimed at detecting and reporting accidental or malicious changes to data.

    The following answers are incorrect :

    Nessus is incorrect as it is a vulnerability scanner used by hackers in discovering vulnerabilities in a system.
    Saint is also incorrect as it is also a network vulnerability scanner likely to be used by hackers.
    Nmap is also incorrect as it is a port scanner for network exploration and likely to be used by hackers.

    Reference :
    Tripwire : http://www.tripwire.com
    Nessus : http://www.nessus.org
    Saint : http://www.saintcorporation.com/saint
    Nmap : http://insecure.org/nmap

  8. Which of the following would be LESS likely to prevent an employee from reporting an incident?

    • They are afraid of being pulled into something they don’t want to be involved with.
    • The process of reporting incidents is centralized.
    • They are afraid of being accused of something they didn’t do.
    • They are unaware of the company’s security policies and procedures.
    Explanation:

    The reporting process should be centralized; otherwise employees won’t bother.

    The other answers are incorrect because :
    They are afraid of being pulled into something they don’t want to be involved with is incorrect, as most employees fear this and it would prevent them from reporting an incident.

    They are afraid of being accused of something they didn’t do is also incorrect, as this also prevents them from reporting an incident.

    They are unaware of the company’s security policies and procedures is also incorrect, as mentioned above.

    Reference : Shon Harris AIO v3 , Ch-10 : Laws , Investigation & Ethics , Page : 675.

  9. Which protocol is NOT implemented in the Network layer of the OSI Protocol Stack?

    • Hypertext Transfer Protocol
    • Open Shortest Path First
    • Internet Protocol
    • Routing Information Protocol
    Explanation:

    Open Shortest Path First, Internet Protocol, and Routing Information Protocol are all protocols implemented in the Network Layer.

    Domain: Telecommunications and Network Security

    References: AIO 3rd edition. Page 429
    Official Guide to the CISSP CBK. Page 411

  10. The session layer provides a logical persistent connection between peer hosts. Which of the following is one of the modes used in the session layer to establish this connection?

    • Full duplex
    • Synchronous
    • Asynchronous
    • Half simplex
    Explanation:

    Layer 5 of the OSI model is the Session Layer. This layer provides a logical persistent connection between peer hosts. A session is analogous to a conversation that is necessary for applications to exchange information.

    The session layer is responsible for establishing, managing, and closing end-to-end connections, called sessions, between applications located at different network endpoints. Dialogue control management provided by the session layer includes full-duplex, half-duplex, and simplex communications. Session layer management also helps to ensure that multiple streams of data stay synchronized with each other, as in the case of multimedia applications like video conferencing, and assists with the prevention of application related data errors.

    The session layer is responsible for creating, maintaining, and tearing down the session.

    Three modes are offered:

    (Full) Duplex: Both hosts can exchange information simultaneously, independent of each other.
    Half Duplex: Hosts can exchange information, but only one host at a time.
    Simplex: Only one host can send information to its peer. Information travels in one direction only.

    Another aspect of performance that is worthy of some attention is the mode of operation of the network or connection. Obviously, whenever we connect together device A and device B, there must be some way for A to send to B and B to send to A. Many people don’t realize, however, that networking technologies can differ in terms of how these two directions of communication are handled. Depending on how the network is set up, and the characteristics of the technologies used, performance may be improved through the selection of performance-enhancing modes.
    Basic Communication Modes of Operation

    Let’s begin with a look at the three basic modes of operation that can exist for any network connection, communications channel, or interface.
    Simplex Operation

    In simplex operation, a network cable or communications channel can only send information in one direction; it’s a “one-way street”. This may seem counter-intuitive: what’s the point of communications that only travel in one direction? In fact, there are at least two different places where simplex operation is encountered in modern networking.

    The first is when two distinct channels are used for communication: one transmits from A to B and the other from B to A. This is surprisingly common, even though not always obvious. For example, most if not all fiber optic communication is simplex, using one strand to send data in each direction. But this may not be obvious if the pair of fiber strands are combined into one cable.

    Simplex operation is also used in special types of technologies, especially ones that are asymmetric. For example, one type of satellite Internet access sends data over the satellite only for downloads, while a regular dial-up modem is used for upload to the service provider. In this case, both the satellite link and the dial-up connection are operating in a simplex mode.
    Half-Duplex Operation

    Technologies that employ half-duplex operation are capable of sending information in both directions between two nodes, but only one direction or the other can be utilized at a time. This is a fairly common mode of operation when there is only a single network medium (cable, radio frequency and so forth) between devices.

    While this term is often used to describe the behavior of a pair of devices, it can more generally refer to any number of connected devices that take turns transmitting. For example, in conventional Ethernet networks, any device can transmit, but only one may do so at a time. For this reason, regular (unswitched) Ethernet networks are often said to be “half-duplex”, even though it may seem strange to describe a LAN that way.
    Full-Duplex Operation

    In full-duplex operation, a connection between two devices is capable of sending data in both directions simultaneously. Full-duplex channels can be constructed either as a pair of simplex links (as described above) or using one channel designed to permit bidirectional simultaneous transmissions. A full-duplex link can only connect two devices, so many such links are required if multiple devices are to be connected together.

    Note that the term “full-duplex” is somewhat redundant; “duplex” would suffice, but everyone still says “full-duplex” (likely, to differentiate this mode from half-duplex).

    For a listing of protocols associated with Layer 5 of the OSI model, see below:

    ADSP – AppleTalk Data Stream Protocol
    ASP – AppleTalk Session Protocol
    H.245 – Call Control Protocol for Multimedia Communication
    ISO-SP – OSI session-layer protocol (X.225, ISO 8327)
    iSNS – Internet Storage Name Service

    The following are incorrect answers:

    Synchronous and Asynchronous are not session layer modes.

    Half simplex does not exist. By definition, simplex means that information travels one way only, so half-simplex is an oxymoron.

    Reference(s) used for this question:

    Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 5603-5636). Auerbach Publications. Kindle Edition.
    and
    http://www.tcpipguide.com/free/t_SimplexFullDuplexandHalfDuplexOperation.htm
    and
    http://www.wisegeek.com/what-is-a-session-layer.htm

  11. Who is responsible for providing reports to the senior management on the effectiveness of the security controls?

    • Information systems security professionals
    • Data owners
    • Data custodians
    • Information systems auditors
    Explanation:

    IT auditors determine whether systems are in compliance with the security policies, procedures, standards, baselines, designs, architectures, management direction and other requirements, and provide top company management with an independent view of the controls that have been designed and their effectiveness.

    “Information systems security professionals” is incorrect. Security professionals develop the security policies and supporting baselines, etc.

    “Data owners” is incorrect. Data owners have overall responsibility for information assets and assign the appropriate classification for the asset as well as ensure that the asset is protected with the proper controls.

    “Data custodians” is incorrect. Data custodians care for an information asset on behalf of the data owner.

    References:
    CBK, pp. 38 – 42.
    AIO3. pp. 99 – 104

  12. Which of the following are the two MOST common implementations of Intrusion Detection Systems?

    • Server-based and Host-based.
    • Network-based and Guest-based.
    • Network-based and Client-based.
    • Network-based and Host-based.
    Explanation:

    The two most common implementations of Intrusion Detection are Network-based and Host-based.

    IDS can be implemented as a network device, such as a router, switch, firewall, or dedicated device monitoring traffic, typically referred to as network IDS (NIDS).

    The IDS technology can also be incorporated into a host system (HIDS) to monitor a single system for undesirable activities.

    A network intrusion detection system (NIDS) is a network device … that monitors traffic traversing the network segment for which it is integrated. Remember that NIDS are usually passive in nature.

    HIDS is the implementation of IDS capabilities at the host level. Its most significant difference from NIDS is that related processes are limited to the boundaries of a single-host system. However, this presents advantages in effectively detecting objectionable activities because the IDS process is running directly on the host system, not just observing it from the network.

    Reference(s) used for this question:
    Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 3649-3652). Auerbach Publications. Kindle Edition.

  13. Which of the following would NOT violate the Due Diligence concept?

    • Security policy being outdated
    • Data owners not laying out the foundation of data protection
    • Network administrator not taking mandatory two-week vacation as planned
    • Latest security patches for servers being installed as per the Patch Management process
    Explanation:

    To be effective a patch management program must be in place (due diligence) and detailed procedures would specify how and when the patches are applied properly (Due Care). Remember, the question asked for NOT a violation of Due Diligence, in this case, applying patches demonstrates due care and the patch management process in place demonstrates due diligence.

    Due diligence is the act of investigating and understanding the risks the company faces. A company practices due diligence by developing and implementing security policies, procedures, and standards. Detecting risks would be based on standards such as ISO 2700, Best Practices, and other published standards such as NIST standards, for example.

    Due Diligence is understanding the current threats and risks. Due diligence is practiced by activities that make sure that the protection mechanisms are continually maintained and operational where risks are constantly being evaluated and reviewed. The security policy being outdated would be an example of violating the due diligence concept.

    Due Care is implementing countermeasures to provide protection from those threats. Due care is taking the necessary steps to help protect the company and its resources from possible risks that have been identified. If the information owner does not lay out the foundation of data protection (doing something about it) and ensure that the directives are being enforced (actually being done and kept at an acceptable level), this would violate the due care concept.

    If a company does not practice due care and due diligence pertaining to the security of its assets, it can be legally charged with negligence and held accountable for any ramifications of that negligence. Liability is usually established based on Due Diligence and Due Care or the lack of either.

    A good way to remember this is using the first letter of both words within Due Diligence (DD) and Due Care (DC).

    Due Diligence = Due Detect
    Steps you take to identify risks based on best practices and standards.

    Due Care = Due Correct.
    Action you take to bring the risk level down to an acceptable level and maintaining that level over time.

    The following answers were wrong:

    Security policy being outdated:
    While having and enforcing a security policy is the right thing to do (due care), if it is outdated, you are not doing it the right way (due diligence). This choice violates due diligence and not due care.

    Data owners not laying out the foundation for data protection:
    Data owners are not recognizing the “right thing” to do. They don’t have a security policy.

    Network administrator not taking mandatory two week vacation:
    The two week vacation is the “right thing” to do, but not taking the vacation violates due diligence (not doing the right thing the right way).

    Reference(s) used for this question
    Shon Harris, CISSP All In One, Version 5, Chapter 3, pg 110

  14. What is the primary goal of setting up a honeypot?

    • To lure hackers into attacking unused systems
    • To entrap and track down possible hackers
    • To set up a sacrificial lamb on the network
    • To know when certain types of attacks are in progress and to learn about attack techniques so the network can be fortified.
    Explanation:

    The primary purpose of a honeypot is to study the attack methods of an attacker for the purposes of understanding their methods and improving defenses.

    “To lure hackers into attacking unused systems” is incorrect. Honeypots can serve as decoys but their primary purpose is to study the behaviors of attackers.

    “To entrap and track down possible hackers” is incorrect. There are a host of legal issues around enticement vs entrapment but a good general rule is that entrapment is generally prohibited and evidence gathered in a scenario that could be considered as “entrapping” an attacker would not be admissible in a court of law.

    “To set up a sacrificial lamb on the network” is incorrect. While a honeypot is a sort of sacrificial lamb and may attract attacks that might have been directed against production systems, its real purpose is to study the methods of attackers with the goals of better understanding and improving network defenses.

    References
    AIO3, p. 213

  15. Which of the following is a disadvantage of a statistical anomaly-based intrusion detection system?

    • it may truly detect a non-attack event that had caused a momentary anomaly in the system.
    • it may falsely detect a non-attack event that had caused a momentary anomaly in the system.
    • it may correctly detect a non-attack event that had caused a momentary anomaly in the system.
    • it may loosely detect a non-attack event that had caused a momentary anomaly in the system.
    Explanation:

    Some disadvantages of a statistical anomaly-based ID are that it will not detect an attack that does not significantly change the system operating characteristics, or it may falsely detect a non-attack event that had caused a momentary anomaly in the system.

    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 49.

  16. In the process of gathering evidence from a computer attack, a system administrator took a series of actions which are listed below. Can you identify which one of these actions has compromised the whole evidence collection process?

    • Using a write blocker
    • Made a full-disk image
    • Created a message digest for log files
    • Displayed the contents of a folder
    Explanation:

    Displaying the directory contents of a folder can alter the last access time on each listed file.

    Using a write blocker is wrong because a write blocker ensures that you cannot modify the data on the host; it prevents the host from writing to its hard drives.

    Made a full-disk image is wrong because making a full-disk image preserves all data on a hard disk, including deleted files and file fragments.

    Created a message digest for log files is wrong because computing a message digest only reads the files and does not alter them. A message digest is a cryptographic checksum that can demonstrate that the integrity of a file has not been compromised (e.g. changes to the content of a log file).

    Domain: LEGAL, REGULATIONS, COMPLIANCE AND INVESTIGATIONS

    References:
    AIO 3rd Edition, page 783-784
    NIST 800-61 Computer Security Incident Handling guide page 3-18 to 3-20
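The message digest step from question 16, and the change detection that Tripwire performs in question 7, both come down to recording a cryptographic hash of each file at collection time and re-hashing later to prove nothing changed. The following Python script is an added example, not code from the page, from Tripwire, or from NIST 800-61: it builds a SHA-256 manifest over constructed sample log files written to a temporary directory, then shows the manifest flagging an appended line and a deleted file. The file names, their contents and the "unchanged/modified/missing" labels are assumptions of this example.

```python
"""File-integrity manifest: hash evidence files once, re-check them later.
Added example; the sample files and their contents are constructed."""
import hashlib
import os
import tempfile

CHUNK = 1 << 16  # read in 64 KiB pieces so a full-disk image never has to fit in memory


def sha256_of_file(path: str) -> str:
    """Return the hex SHA-256 digest of a file, streaming it in chunks.
    The file is opened read-only and never written, so hashing does not
    disturb the evidence; the digest is a fixed-size fingerprint of the bytes."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths):
    """Record a digest for every file at collection time.
    This manifest is what an investigator would sign and store separately."""
    return {p: sha256_of_file(p) for p in paths}


def verify_manifest(manifest):
    """Re-hash every recorded file and classify it:
    'unchanged' (digest matches), 'modified' (bytes differ), 'missing' (file gone)."""
    result = {}
    for path, expected in manifest.items():
        if not os.path.exists(path):
            result[path] = "missing"
        elif sha256_of_file(path) == expected:
            result[path] = "unchanged"
        else:
            result[path] = "modified"
    return result


def make_evidence_dir(samples):
    """Write constructed sample files into a fresh temp directory; return their paths."""
    workdir = tempfile.mkdtemp(prefix="evidence_")
    paths = []
    for name, content in samples.items():
        path = os.path.join(workdir, name)
        with open(path, "wb") as f:
            f.write(content)
        paths.append(path)
    return paths


def demo():
    """Baseline a constructed evidence set, then tamper with it and re-check."""
    # Constructed sample log lines standing in for collected evidence.
    samples = {
        "auth.log": b"Jan 10 03:12:07 host sshd[412]: Failed password for root from 203.0.113.5\n",
        "syslog": b"Jan 10 03:12:09 host kernel: audit: type=1400 apparmor=\"DENIED\"\n",
        "app.log": b"2022-01-10T03:12:11Z level=warn msg=\"config reloaded\"\n",
    }
    paths = make_evidence_dir(samples)

    manifest = build_manifest(paths)
    before = verify_manifest(manifest)  # every entry reports 'unchanged'

    # Simulate what the digest is meant to catch: a line appended to one log
    # after collection, and another file removed entirely.
    with open(paths[0], "ab") as f:
        f.write(b"Jan 10 03:15:00 host sshd[412]: Accepted password for root\n")
    os.remove(paths[2])
    after = verify_manifest(manifest)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for path in before:
        print(f"{os.path.basename(path)}: {before[path]} -> {after[path]}")
```

Running the script prints one line per sample file showing the status before and after tampering. Note what the digest does and does not prove: it shows that the bytes you hold now equal the bytes hashed at collection time, so it is only as trustworthy as the manifest's own custody, which is why the manifest is kept apart from the evidence it describes.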

  17. Which of the following is an issue with signature-based intrusion detection systems?

    • Only previously identified attack signatures are detected.
    • Signature databases must be augmented with inferential elements.
    • It runs only on the windows operating system
    • Hackers can circumvent signature evaluations.
    Explanation:

    An issue with signature-based ID is that only attack signatures that are stored in their database are detected.

    New attacks without a signature would not be reported. They do require constant updates in order to maintain their effectiveness.

    Reference used for this question:
    KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 49.

  18. Which of the following is an IDS that acquires data and defines a “normal” usage profile for the network or host?

    • Statistical Anomaly-Based ID
    • Signature-Based ID
    • dynamical anomaly-based ID
    • inferential anomaly-based ID
    Explanation:
    Statistical Anomaly-Based ID – With this method, an IDS acquires data and defines a “normal” usage profile for the network or host that is being monitored.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 49.
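Questions 15, 17 and 18 contrast the two detection models. The following Python snippet is an added example, not code from the page or from any IDS product: a signature detector that reports only what is in its stored signature table, so an encoded variant of a known pattern goes unreported (Q17), and a statistical profile learned from a constructed training window that flags any minute whose request count deviates by more than three standard deviations (Q18). The profile reports a benign momentary burst as an anomaly, the false positive described in Q15, and passes over a low-volume probe that does not change the system's operating characteristics. The request lines, the per-minute counts, the signature names and the three-sigma threshold are all constructed assumptions.

```python
"""Signature-based versus statistical anomaly-based detection.
Added example; the request lines, counts and signatures are constructed."""
import re
import statistics

# Constructed web-server request lines standing in for monitored traffic.
CONSTRUCTED_LINES = [
    "GET /index.html HTTP/1.1",
    "GET /files?name=../../etc/passwd HTTP/1.1",           # matches a stored signature
    "GET /files?name=%2e%2e/%2e%2e/etc/passwd HTTP/1.1",   # encoded variant: no signature stored
    "GET /css/main.css HTTP/1.1",
]

# Signature database: only patterns recorded here can ever be reported.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-comment": re.compile(r"'--|/\*"),
}


def signature_detect(lines):
    """Return (signature_name, line) for every line matching a stored signature.
    Anything absent from SIGNATURES, such as the encoded traversal above, is missed
    until someone writes and deploys a signature for it."""
    hits = []
    for line in lines:
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                hits.append((name, line))
                break
    return hits


# Constructed per-minute request counts. The training window is a quiet period
# used to learn the "normal" usage profile.
TRAINING_COUNTS = [100, 104, 98, 101, 99, 103, 97, 102, 100, 101]
# Observed window: index 2 is a momentary, benign burst (a newsletter link going
# out); index 5 includes a low-volume probe that adds only a handful of requests.
OBSERVED_COUNTS = [101, 99, 400, 100, 103, 104]


def build_profile(training_counts):
    """Learn the normal profile as mean and population standard deviation."""
    return {
        "mean": statistics.fmean(training_counts),
        "stdev": statistics.pstdev(training_counts),
    }


def anomaly_detect(profile, counts, threshold=3.0):
    """Return the indices whose z-score against the profile exceeds the threshold.
    A zero-variance profile would divide by zero, so it is treated as 'no deviation'."""
    alerts = []
    for i, count in enumerate(counts):
        if profile["stdev"] == 0:
            continue
        z = (count - profile["mean"]) / profile["stdev"]
        if abs(z) > threshold:
            alerts.append(i)
    return alerts


if __name__ == "__main__":
    for name, line in signature_detect(CONSTRUCTED_LINES):
        print(f"signature hit [{name}]: {line}")
    profile = build_profile(TRAINING_COUNTS)
    print("learned profile:", profile)
    print("anomalous minutes:", anomaly_detect(profile, OBSERVED_COUNTS))
```

With these inputs the signature detector reports only the literal traversal line, and the anomaly detector reports only minute 2, the benign burst. Raising the threshold would silence that false positive but would push the detector even further from noticing the small probe at minute 5, which is the trade-off the two question 15 disadvantages describe.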
  19. Which of the following is NOT a fundamental component of an alarm in an intrusion detection system?

    • Communications
    • Enunciator
    • Sensor
    • Response
    Explanation:

    Response is the correct choice. A response would essentially be the action that is taken once an alarm has been produced by an IDS, but is not a fundamental component of the alarm.

    The following are incorrect answers:

    Communications is the component of an alarm that delivers alerts through a variety of channels such as email, pagers, instant messages and so on.
    An Enunciator is the component of an alarm that uses business logic to compose the content and format of an alert and determine the recipients of that alert.
    A sensor is a fundamental component of IDS alarms. A sensor detects an event and produces an appropriate notification.

    Domain: Access Control

    Reference:
    Official guide to the CISSP CBK. page 203.

  20. Which one of the following statements about the advantages and disadvantages of network-based Intrusion detection systems is true?

    • Network-based IDSs are not vulnerable to attacks.
    • Network-based IDSs are well suited for modern switch-based networks.
    • Most network-based IDSs can automatically indicate whether or not an attack was successful.
    • The deployment of network-based IDSs has little impact upon an existing network.
    Explanation:

    Network-based IDSs are usually passive devices that listen on a network wire without interfering with the normal operation of a network. Thus, it is usually easy to retrofit a network to include network-based IDSs with minimal effort.

    Network-based IDSs are not vulnerable to attacks is not true. Even though network-based IDSs can be made very secure against attack and even made invisible to many attackers, they still have to read the packets, and sometimes a well crafted packet might exploit or kill your capture engine.

    Network-based IDSs are well suited for modern switch-based networks is not true as most switches do not provide universal monitoring ports and this limits the monitoring range of a network-based IDS sensor to a single host. Even when switches provide such monitoring ports, often the single port cannot mirror all traffic traversing the switch.

    Most network-based IDSs can automatically indicate whether or not an attack was successful is not true as most network-based IDSs cannot tell whether or not an attack was successful; they can only discern that an attack was initiated. This means that after a network-based IDS detects an attack, administrators must manually investigate each attacked host to determine whether it was indeed penetrated.

    Reference:
    NIST special publication 800-31 Intrusion Detection System pages 15-16
    Official guide to the CISSP CBK. Pages 196 to 197