[Free] New Updated (October) ISC SSCP Real Exam 211-220

Ensurepass

 

QUESTION 211

The Terminal Access Controller Access Control System (TACACS) employs which of the following?

 

A.

a user ID and static password for network access

B.

a user ID and dynamic password for network access

C.

a user ID and symmetric password for network access

D.

a user ID and asymmetric password for network access

 

Correct Answer: A

Explanation:

For networked applications, the Terminal Access Controller Access Control System (TACACS) employs a user ID and a static password for network access.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 44.

 

 

QUESTION 212

Physical security is accomplished through proper facility construction, fire and water protection, anti-theft mechanisms, intrusion detection systems, and security procedures that are adhered to and enforced. Which of the following is not a component that achieves this type of security?

 

A.

Administrative control mechanisms

B.

Integrity control mechanisms

C.

Technical control mechanisms

D.

Physical control mechanisms

 

Correct Answer: B

Explanation:

Integrity control mechanisms are not a component of physical security. The other three options (administrative, technical and physical control mechanisms) are all components of physical security; integrity control mechanisms is the one that does not belong. Below you have more details extracted from the SearchSecurity web site:

Information security depends on the security and management of the physical space in which computer systems operate. Domain 9 of the CISSP exam's Common Body of Knowledge addresses the challenges of securing the physical space, its systems and the people who work within it by use of administrative, technical and physical controls. The following topics are covered:

 

Facilities management: The administrative processes that govern the maintenance and protection of the physical operations space, from site selection through emergency response.

Risks, issues and protection strategies: Risk identification and the selection of security protection components.

Perimeter security: Typical physical protection controls.

 

Facilities management

Facilities management is a complex component of corporate security that ranges from the planning of a secure physical site to the management of the physical information system environment. Facilities management responsibilities include site selection and physical security planning (i.e. facility construction, design and layout, fire and water damage protection, antitheft mechanisms, intrusion detection and security procedures). Protections must extend to both people and assets. The necessary level of protection depends on the value of the assets and data. CISSP candidates must learn the concept of critical-path analysis as a means of determining a component's business function criticality relative to the cost of operation and replacement. Furthermore, students need to gain an understanding of the optimal location and physical attributes of a secure facility. Among the topics covered in this domain are site inspection, location, accessibility and obscurity, considering the area crime rate, and the likelihood of natural hazards such as floods or earthquakes.

 

This domain also covers the quality of construction material, such as its protective qualities and load capabilities, as well as how to lay out the structure to minimize risk of forcible entry and accidental damage. Regulatory compliance is also touched on, as is preferred proximity to civil protection services, such as fire and police stations. Attention is given to computer and equipment rooms, including their location, configuration (entrance/egress requirements) and their proximity to wiring distribution centers at the site.

 

Physical risks, issues and protection strategies

An overview of physical security risks includes risk of theft, service interruption, physical damage, compromised system integrity and unauthorized disclosure of information. Interruptions to business can manifest due to loss of power, services, telecommunications connectivity and water supply. These can also seriously compromise electronic security monitoring alarm/response devices. Backup options are also covered in this domain, as is a strategy for quantifying the risk exposure by simple formula.

 

Investment in preventive security can be costly. Appropriate redundancy of people skills, systems and infrastructure must be based on the criticality of the data and assets to be preserved. Therefore a strategy is presented that helps determine the selection of cost-appropriate controls. Among the topics covered in this domain are regulatory and legal requirements, common standard security protections such as locks and fences, and the importance of establishing service level agreements for maintenance and disaster support. Rounding out the optimization approach are simple calculations for determining mean time between failure and mean time to repair (used to estimate average equipment life expectancy), essential for estimating the cost/benefit of purchasing and maintaining redundant equipment.

 

As the lifeblood of computer systems, special attention is placed on adequacy, quality and protection of power supplies. CISSP candidates need to understand power supply concepts and terminology, including those for quality (i.e. transient noise vs. clean power); types of interference (EMI and RFI); and types of interruptions such as power excess by spikes and surges, power loss by fault or blackout, and power degradation from sags and brownouts. A simple formula is presented for determining the total cost per hour for backup power. Proving power reliability through testing is recommended and the advantages of three power protection approaches are discussed (standby UPS, power line conditioners and backup sources) including minimum requirements for primary and alternate power provided.

 

Environmental controls are explored in this domain, including the value of positive pressure water drains and climate monitoring devices used to control temperature and humidity and to reduce static electricity. Optimal temperature and humidity settings are provided. Recommendations include strict procedures during emergencies, preventing typical risks (such as blocked fans), and the use of antistatic armbands and hygrometers. Positive pressurization for proper ventilation and monitoring for airborne contaminants is stressed.

 

The pros and cons of several detection response systems are deeply explored in this domain. The concept of combustion, the classes of fire and fire extinguisher ratings are detailed. Mechanisms behind smoke-activated, heat-activated and flame-activated devices and Automatic Dial-up alarms are covered, along with their advantages, costs and shortcomings. Types of fire sources are distinguished and the effectiveness of fire suppression methods for each is included. For instance, Halon and its approved replacements are covered, as are the advantages and the inherent risks to equipment of the use of water sprinklers.

 

Administrative controls

The physical security domain also deals with administrative controls applied to physical sites and assets. The need for skilled personnel, knowledge sharing between them, separation of duties, and appropriate oversight in the care and maintenance of equipment and environments is stressed. A list of management duties including hiring checks, employee maintenance activities and recommended termination procedures is offered. Emergency measures include accountability for evacuation and system shutdown procedures, integration with disaster and business continuity plans, assuring documented procedures are easily available during different types of emergencies, the scheduling of periodic equipment testing, administrative reviews of documentation, procedures and recovery plans, responsibilities delegation, and personnel training and drills.

 

Perimeter security

Domain nine also covers the devices and techniques used to control access to a space. These include access control devices, surveillance monitoring, intrusion detection and corrective actions. Specifications are provided for optimal external boundary protection, including fence heights and placement, and lighting placement and types. Selection of door types and lock characteristics are covered. Surveillance methods and intrusion-detection methods are explained, including the use of video monitoring, guards, dogs, proximity detection systems, photoelectric/photometric systems, wave pattern devices, passive infrared systems, and sound and motion detectors, and current flow sensitivity devices that specifically address computer theft. Room lock types — both preset and cipher locks (and their variations) — device locks, such as portable laptop locks, lockable server bays, switch control locks and slot locks, port controls, peripheral switch controls and cable trap locks are also covered. Personal access control methods used to identify authorized users for site entry are covered at length, noting social engineering risks such as piggybacking. Wireless proximity devices, both user access and system sensing readers, are covered (i.e. transponder based, passive devices and field powered devices) in this domain.

 


Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw- Hill/Osborne, 2001, Page 280.

 

 

QUESTION 213

Which of the following classes is defined in the TCSEC (Orange Book) as discretionary protection?

 

A.

C

B.

B

C.

A

D.

D

 

Correct Answer: A

Explanation:

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, page 197.

Also: THE source for all TCSEC “level” questions:

http://csrc.nist.gov/publications/secpubs/rainbow/std001.txt

 

 

QUESTION 214

What is the Biba security model concerned with?

 

A.

Confidentiality

B.

Reliability

C.

Availability

D.

Integrity

 

Correct Answer: D

Explanation:

The Biba security model addresses the integrity of data being threatened when subjects at lower security levels are able to write to objects at higher security levels and when subjects can read data at lower levels.

Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw- Hill/Osborne, 2002, Chapter 5: Security Models and Architecture (Page 244).
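The two Biba rules the explanation describes (no write up, no read down), plus the invocation rule, as an added example that is not part of the original question set. The integrity lattice, the subject and object names and the sample access log are constructed for the illustration.

```python
from enum import IntEnum


class Integrity(IntEnum):
    """Constructed integrity lattice: a higher value is more trustworthy."""
    UNTRUSTED = 0   # e.g. data that arrived from the network
    USER = 1
    SYSTEM = 2


def simple_integrity(subject: Integrity, obj: Integrity) -> bool:
    """Simple Integrity Property ('no read down'): a subject may read only
    objects at or above its own integrity level, so trusted code is never
    fed less trustworthy input."""
    return obj >= subject


def star_integrity(subject: Integrity, obj: Integrity) -> bool:
    """*-Integrity Property ('no write up'): a subject may write only to
    objects at or below its own level, so untrusted subjects cannot
    modify trusted data."""
    return obj <= subject


def invocation(caller: Integrity, callee: Integrity) -> bool:
    """Invocation Property: a subject may invoke only subjects at or below
    its own integrity level."""
    return callee <= caller


RULES = {"read": simple_integrity, "write": star_integrity, "invoke": invocation}


def decide(subject: Integrity, target: Integrity, mode: str) -> bool:
    """True if Biba permits the access; unknown modes fail closed."""
    rule = RULES.get(mode)
    return rule(subject, target) if rule else False


def audit(requests):
    """Replay (subject, level, mode, target, level) tuples and return the
    requests Biba would deny, in log order, for review."""
    return [f"{s} {mode} {t}: DENIED" for s, sl, mode, t, tl in requests
            if not decide(sl, tl, mode)]


# Constructed sample access log (not from any real system)
SAMPLE = [
    ("patcher", Integrity.SYSTEM,    "write",  "config",   Integrity.SYSTEM),
    ("browser", Integrity.UNTRUSTED, "write",  "config",   Integrity.SYSTEM),     # write up
    ("patcher", Integrity.SYSTEM,    "read",   "download", Integrity.UNTRUSTED),  # read down
    ("browser", Integrity.UNTRUSTED, "read",   "config",   Integrity.SYSTEM),
    ("alice",   Integrity.USER,      "invoke", "patcher",  Integrity.SYSTEM),     # invoke up
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```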

 

 

QUESTION 215

Which of the following attacks could capture network user passwords?

 

A.

Data diddling

B.

Sniffing

C.

IP Spoofing

D.

Smurfing

 

Correct Answer: B

Explanation:

A network sniffer captures a copy of every packet that traverses the network segment the sniffer is connected to.

Sniffers are typically devices that can collect information from a communication medium, such as a network. These devices can range from specialized equipment to basic workstations with customized software.

 

A sniffer can collect information about most, if not all, attributes of the communication. The most common method of sniffing is to plug a sniffer into an existing network device like a hub or switch. A hub (which is designed to relay all traffic passing through it to all of its ports) will automatically begin sending all the traffic on that network segment to the sniffing device. On the other hand, a switch (which is designed to limit what traffic gets sent to which port) will have to be specially configured to send all traffic to the port where the sniffer is plugged in.

 

Another method for sniffing is to use a network tap, a device that literally splits a network transmission into two identical streams: one going to the original network destination and the other going to the sniffing device. Each of these methods has its advantages and disadvantages, including cost, feasibility, and the desire to maintain the secrecy of the sniffing activity.

 

The packets captured by the sniffer are decoded and then displayed by the sniffer. Therefore, if a username and password are contained in a packet or packets traversing the segment the sniffer is connected to, it will capture and display that information (and any other information on that segment it can see).

 

Of course, if the information is encrypted via a VPN, SSL, TLS, or similar technology, the information is still captured and displayed, but it is in an unreadable format.

The following answers are incorrect:

 

Data diddling involves changing data before or as it is entered into a computer, or after it is extracted.

 

Spoofing is forging an address and inserting it into a packet to disguise the origin of the communication – or causing a system to respond to the wrong address.

 

Smurfing would refer to the smurf attack, where an attacker sends spoofed packets to the broadcast address on a gateway in order to cause a denial of service.

 

The following references were used to create this question:

 

CISA Review manual 2014 Page number 321

Official ISC2 Guide to the CISSP 3rd edition Page Number 153

 

 

QUESTION 216

Which of the following describes the major disadvantage of many Single Sign-On (SSO) implementations?

 

A.

Once an individual obtains access to the system through the initial log-on, they have access to all resources within the environment that the account has access to.

B.

The initial logon process is cumbersome to discourage potential intruders.

C.

Once a user obtains access to the system through the initial log-on, they only need to logon to some applications.

D.

Once a user obtains access to the system through the initial log-on, he has to logout from all other systems

 

Correct Answer: A

Explanation:

Single Sign-On is a distributed access control methodology where an individual only has to authenticate once and would then have access to all primary and secondary network domains. The individual would not be required to re-authenticate when they needed additional resources. The security issue this creates is that if a fraudster is able to compromise those credentials, they too would have access to all the resources that account has access to.

All the other answers are incorrect as they are distractors.

 

 

QUESTION 217

Which division of the Orange Book deals with discretionary protection (need-to-know)?

 

A.

D

B.

C

C.

B

D.

A

 

Correct Answer: B

Explanation:

C deals with discretionary protection. See the TCSEC matrix below:

[Image: TCSEC matrix]

 

The following are incorrect answers:

 

D is incorrect. D deals with minimal security.

B is incorrect. B deals with mandatory protection.

A is incorrect. A deals with verified protection.

Reference(s) used for this question:

CBK, pp. 329-330

Shon Harris, CISSP All In One (AIO), 6th Edition, pages 392-393

 

 

QUESTION 218

Who developed one of the first mathematical models of a multilevel-security computer system?

 

A.

Diffie and Hellman.

B.

Clark and Wilson.

C.

Bell and LaPadula.

D.

Gasser and Lipner.

 

Correct Answer: C

Explanation:

In 1973 Bell and LaPadula created the first mathematical model of a multilevel security system.

 

The following answers are incorrect:

 

Diffie and Hellman. This is incorrect because Diffie and Hellman were involved with cryptography.

Clark and Wilson. This is incorrect because the Bell-LaPadula model was the first. The Clark-Wilson model came later, in 1987.

Gasser and Lipner. This is incorrect; it is a distractor. The Bell-LaPadula model was the first.

 

 

QUESTION 219

What refers to legitimate users accessing networked services that would normally be restricted to them?

 

A.

Spoofing

B.

Piggybacking

C.

Eavesdropping

D.

Logon abuse

 

Correct Answer: D

Explanation:

Unauthorized access of restricted network services by the circumvention of security access controls is known as logon abuse. This type of abuse refers to users who may be internal to the network but access resources they would not normally be allowed.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 74).

 

 

QUESTION 220

Which TCSEC class specifies discretionary protection?

 

A.

B2

B.

B1

C.

C2

D.

C1

 

Correct Answer: D

Explanation:

C1 involves discretionary protection, C2 involves controlled access protection, B1 involves labeled security protection and B2 involves structured protection.

Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.
