[Free] New Updated (October) ISC SSCP Real Exam 181-190

Ensurepass

 

QUESTION 181

The following is NOT a security characteristic we need to consider while choosing a biometric identification systems:

 

A.

data acquisition process

B.

cost

C.

enrollment process

D.

speed and user interface

 

Correct Answer: B

Explanation:

Cost is a factor when considering Biometrics but it is not a security characteristic.

 

All the other answers are incorrect because they are security characteristics related to Biometrics.

 

data acquisition process can cause a security concern because if the process is not fast and efficient it can discourage individuals from using the process.

 

enrollment process can cause a security concern because the enrollment process has to be quick and efficient. This process captures data for authentication.

 

speed and user interface can cause a security concern because this also impacts the users

 

acceptance rate of biometrics. If they are not comfortable with the interface and speed they might sabotage the devices or otherwise attempt to circumvent them.

 

References:

OIG Access Control (Biometrics) (pgs 165-167)

 

From: TIPTON, Harold F.& KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 1, Pages 5-6.

in process of correction

 

 

QUESTION 182

Which of the following biometric devices offers the LOWEST CER?

 

A.

Keystroke dynamics

B.

Voice verification

C.

Iris scan

D.

Fingerprint

 

Correct Answer: C

Explanation:

From most effective (lowest CER) to least effective (highest CER) are:

Iris scan, fingerprint, voice verification, keystroke dynamics.

Reference:

Shon Harris Aio v3 , Chapter-4 : Access Control , Page : 131 Also see: http://www.sans.org/reading_room/whitepapers/authentication/biometric-selection-body-parts-online_139

 

 

QUESTION 183

Which of the following remote access authentication systems is the most robust?

 

A.

TACACS+

B.

RADIUS

C.

PAP

D.

TACACS

 

Correct Answer: A

Explanation:

TACACS+ is a proprietary Cisco enhancement to TACACS and is more robust than RADIUS. PAP is not a remote access authentication system but a remote node security protocol.

Source: KRUTZ, Ronald L.& VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 122).

 

 

QUESTION 184

The end result of implementing the principle of least privilege means which of the following?

 

A.

Users would get access to only the info for which they have a need to know

B.

Users can access all systems.

C.

Users get new privileges added when they change positions.

D.

Authorization creep.

 

Correct Answer: A

Explanation:

The principle of least privilege refers to allowing users to have only the access they need and not anything more. Thus, certain users may have no need to access any of the files on specific systems.

 

The following answers are incorrect:

Users can access all systems. Although the principle of least privilege limits what access and systems users have authorization to, not all users would have a need to know to access all of the systems. The best answer is still Users would get access to only the info for which they have a need to know as some of the users may not have a need to access a system.

 

Users get new privileges when they change positions. Although true that a user may indeed require new privileges, this is not a given fact and in actuality a user may require less privileges for a new position. The principle of least privilege would require that the rights required for the position be closely evaluated and where possible rights revoked.

 

Authorization creep. Authorization creep occurs when users are given additional rights with new positions and responsibilities. The principle of least privilege should actually prevent authorization creep.

 

The following reference(s) were/was used to create this question:

 

ISC2 OIG 2007 p.101,123

Shon Harris AIO v3 p148, 902-903

 

 

QUESTION 185

Which of the following would be an example of the best password?

 

A.

golf001

B.

Elizabeth

C.

T1me4g0lF

D.

password

 

Correct Answer: C

Explanation:

The best passwords are those that are both easy to remember and hard to crack using a dictionary attack. The best way to create passwords that fulfil both criteria is to use two small unrelated words or phonemes, ideally with upper and lower case characters, a special character, and/or a number. Shouldn’t be used: common names, DOB, spouse, phone numbers, words found in dictionaries or system defaults.

Source: ROTHKE, Ben, CISSP CBK Review presentation on domain 1.

 

 

QUESTION 186

What kind of certificate is used to validate a user identity?

 

A.

Public key certificate

B.

Attribute certificate

C.

Root certificate

D.

Code signing certificate

 

Correct Answer: A

Explanation:

In cryptography, a public key certificate (or identity certificate) is an electronic document which incorporates a digital signature to bind together a public key with an identity — information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual.

 

In a typical public key infrastructure (PKI) scheme, the signature will be of a certificate authority (CA). In a web of trust scheme, the signature is of either the user (a self-signed certificate) or other users (“endorsements”). In either case, the signatures on a certificate are attestations by the certificate signer that the identity information and the public key belong together.

 

In computer security, an authorization certificate (also known as an attribute certificate) is a digital document that describes a written permission from the issuer to use a service or a resource that the issuer controls or has access to use. The permission can be delegated.

 

Some people constantly confuse PKCs and ACs. An analogy may make the distinction clear. A PKC can be considered to be like a passport: it identifies the holder, tends to last for a long time, and should not be trivial to obtain. An AC is more like an entry visa: it is typically issued by a different authority and does not last for as long a time. As acquiring an entry visa typically requires presenting a passport, getting a visa can be a simpler process.

 

A real life example of this can be found in the mobile software deployments by large service providers and are typically applied to platforms such as Microsoft Smartphone (and related), Symbian OS, J2ME, and others.

 

In each of these systems a mobile communications service provider may customize the mobile terminal client distribution (ie. the mobile phone operating system or application environment) to include one or more root certificates each associated with a set of capabilities or permissions such as “update firmware”, “access address book”, “use radio interface”, and the most basic one, “install and execute”. When a developer wishes to enable distribution and execution in one of these controlled environments they must acquire a certificate from an appropriate CA, typically a large commercial CA, and in the process they usually have their identity verified using out-of-band mechanisms such as a combination of phone call, validation of their legal entity through government and commercial databases, etc., similar to the high assurance SSL certificate vetting process, though often there are additional specific requirements imposed on would-be developers/publishers.

 

Once the identity has been validated they are issued an identity certificate they can use to sign their software; generally the software signed by the developer or publisher’s identity certificate is not distributed but rather it is submitted to processor to possibly test or profile the content before generating an authorization certificate which is unique to the particular software release. That certificate is then used with an ephemeral asymmetric key-pair to sign the software as the last step of preparation for distribution. There are many advantages to separating the identity and authorization certificates especially relating to risk mitigation of new content being accepted into the system and key management as well as recovery from errant software which can be used as attack vectors.

 

References:

HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 2001, McGraw-Hill/Osborne, page 540.

http://en.wikipedia.org/wiki/Attribute_certificate

http://en.wikipedia.org/wiki/Public_key_certificate

 

 

QUESTION 187

Which of the following would assist the most in Host Based intrusion detection?

 

A.

audit trails.

B.

access control lists.

C.

security clearances.

D.

host-based authentication.

 

Correct Answer: A

Explanation:

To assist in Intrusion Detection you would review audit logs for access violations.

 

The following answers are incorrect:

 

access control lists. This is incorrect because access control lists determine who has access to what but do not detect intrusions.

security clearances. This is incorrect because security clearances determine who has access to what but do not detect intrusions.

host-based authentication. This is incorrect because host-based authentication determine who have been authenticated to the system but do not dectect intrusions.

 

 

QUESTION 188

Controls like guards and general steps to maintain building security, securing of server rooms or laptops, the protection of cables, and usage of magnetic switches on doors and windows are some of the examples of:

 

A.

Administrative controls

B.

Logical controls

C.

Technical controls

D.

Physical controls

 

Correct Answer: D

Explanation:

Controls like guards and general steps to maintain building security, securing of server rooms or laptops, the protection of cables, and usage of magnetic switches on doors and windows are all examples of Physical Security.

 

Reference(s) used for this question:

KRUTZ, Ronald L.& VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33.

 

 

QUESTION 189

What is called the percentage at which the False Rejection Rate equals the False Acceptance Rate?

 

A.

False Rejection Rate (FRR) or Type I Error

B.

False Acceptance Rate (FAR) or Type II Error

C.

Crossover Error Rate (CER)

D.

Failure to enroll rate (FTE or FER)

 

< font face="Arial">Correct Answer: C

Explanation:

The percentage at which the False Rejection Rate equals the False Acceptance Rate is called the Crossover Error Rate (CER). Another name for the CER is the Equal Error Rate (EER), any of the two terms could be used.

 

Equal error rate or crossover error rate (EER or CER) It is the rate at which both accept and reject errors are equal. The EER is a quick way to compare the accuracy of devices with different ROC curves. In general, the device with the lowest EER is most accurate.

 

The other choices were all wrong answers:

 

The following are used as performance metrics for biometric systems:

 

False accept rate or false match rate (FAR or FMR): the probability that the system incorrectly matches the input pattern to a non-matching template in the database. It measures the percent of invalid inputs which are incorrectly accepted. This is when an impostor would be accepted by the system.

 

False reject rate or false non-match rate (FRR or FNMR): the probability that the system fails to detect a match between the input pattern and a matching template in the database. It measures the percent of valid inputs which are incorrectly rejected. This is when a valid company employee would be rejected by the system.

 

Failure to enroll rate (FTE or FER): the rate at which attempts to create a template from an input is unsuccessful. This is most commonly caused by low quality inputs.

 

Reference(s) used for this question:

KRUTZ, Ronald L.& VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 38.

https://en.wikipedia.org/wiki/Biometrics

 

 

QUESTION 190

What is the main concern with single sign-on?

 

A.

Maximum unauthorized access would be possible if a password is disclosed.

B.

The security administrator’s workload would increase.

C.

The users’ password would be too hard to remember.

D.

User access rights would be increased.

 

Correct Answer: A

Explanation:

A major concern with Single Sign-On (SSO) is that if a user’s ID and password are compromised, the intruder would have access to all the systems that the user was authorized for.

 

The following answers are incorrect:

 

The security administrator’s workload would increase. Is incorrect because the security administrator’s workload would decrease and not increase. The admin would not be responsible for maintaining multiple user accounts just the one.

 

The users’ password would be too hard to remember. Is incorrect because the users would have less passwords to remember.

 

User access rights would be increased. Is incorrect because the user access rights would not be any different than if they had to log into systems manually.

Free VCE & PDF File for ISC SSCP Real Exam

Instant Access to Free VCE Files: ISC | ISC | SAP …
Instant Access to Free PDF Files: ISC | ISC | SAP …

This entry was posted in SSCP Real Exam (October) and tagged , , , , , , . Bookmark the permalink.