[Free] New Updated (October) ISC SSCP Real Exam 241-250

Ensurepass

 

QUESTION 241

Which of the following is used by RADIUS for communication between clients and servers?

 

A. TCP
B. SSL
C. UDP
D. SSH

 

Correct Answer: C

Explanation:

Source: TIPTON, Harold F.& KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 2, 2001, CRC Press, NY, Page 33.

 

 

QUESTION 242

In discretionary access environments, which of the following entities is authorized to grant information access to other people?

 

A. Manager
B. Group Leader
C. Security Manager
D. Data Owner

 

Correct Answer: D

Explanation:

In Discretionary Access Control (DAC) environments, the user who creates a file is also considered the owner and has full control over the file including the ability to set permissions for that file.

 

The following answers are incorrect:

 

Manager. Incorrect because in Discretionary Access Control (DAC) environments it is the owner/user who is authorized to grant information access to other people.

Group Leader. Incorrect because in Discretionary Access Control (DAC) environments it is the owner/user who is authorized to grant information access to other people.

Security Manager. Incorrect because in Discretionary Access Control (DAC) environments it is the owner/user who is authorized to grant information access to other people.

 

IMPORTANT NOTE:

The term Data Owner is also used within classification. Under the subject of classification the Data Owner is a person from management who has been entrusted with a data set that belongs to the company. For example, it could be the Chief Financial Officer (CFO) who is entrusted with all of the financial data for a company. As such, the CFO would determine the classification of the financial data and who can access it. The Data Owner would then tell the Data Custodian (a technical person) what the classification and need-to-know are for the specific set of data.

 

The term Data Owner under DAC simply means whoever created the file; as the creator of the file, the owner has full access and can grant access to other subjects based on their identity.

 

 

QUESTION 243

Which of the following is NOT a technique used to perform a penetration test?

 

A. traffic padding
B. scanning and probing
C. war dialing
D. sniffing

 

Correct Answer: A

Explanation:

Traffic padding is a countermeasure to traffic analysis.

 

Even if perfect cryptographic routines are used, the attacker can gain knowledge of the amount of traffic that was generated. The attacker might not know what Alice and Bob were talking about, but can know that they were talking and how much they talked. In certain circumstances this can be very bad. Consider, for example, a military organising a secret attack against another nation: merely knowing that there is a lot of secret activity going on may suffice to alert the other nation.

 

As another example, when encrypting Voice Over IP streams that use variable bit rate encoding, the number of bits per unit of time is not obscured, and this can be exploited to guess spoken phrases.

 

Padding messages is a way to make traffic analysis harder. Normally, a number of random bits are appended to the end of the message, with an indication at the end of how much of the message is random data. The padding length should have a minimum value of 0, a maximum value of N and an even distribution between the two extremes. Note that raising the minimum above 0 does not help; only increasing N helps, though that also means that a lower percentage of the channel will be used to transmit real data. Also note that, since the cryptographic routine is assumed to be uncrackable (otherwise the padding length itself is crackable), it does not help to put the padding anywhere else, e.g. at the beginning, in the middle, or in a sporadic manner.
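To make the padding scheme described above concrete, here is a small Python illustration added to this explanation; it is not part of the original question source or the cited references. It assumes a trailing two-byte padding count and a maximum N of 64 random bytes, and the names pad_message, unpad_message, padded_length_range and distinguishable_by_length are the example's own. The last function shows why only N matters: two messages can be told apart by size alone exactly when their lengths differ by more than N, whatever the minimum is.

```python
import secrets
from typing import Tuple

# Assumed parameters for this illustration: N is the maximum number of random
# padding bytes; the trailing length field is two bytes, big-endian.
MAX_PAD = 64
LEN_FIELD = 2


def pad_message(msg: bytes, max_pad: int = MAX_PAD) -> bytes:
    """Append n random bytes, n drawn uniformly from 0..max_pad, then a field
    recording n so the receiver can strip the padding after decryption.

    The padding goes at the end and the count goes last, as the explanation
    describes; the uniform draw gives the even distribution it calls for.
    """
    n = secrets.randbelow(max_pad + 1)          # uniform on [0, max_pad]
    return msg + secrets.token_bytes(n) + n.to_bytes(LEN_FIELD, "big")


def unpad_message(padded: bytes) -> bytes:
    """Strip padding added by pad_message, rejecting an inconsistent count."""
    if len(padded) < LEN_FIELD:
        raise ValueError("message too short to carry a padding count")
    n = int.from_bytes(padded[-LEN_FIELD:], "big")
    if n + LEN_FIELD > len(padded):
        raise ValueError("padding count exceeds message length")
    return padded[: len(padded) - LEN_FIELD - n]


def padded_length_range(msg_len: int, max_pad: int = MAX_PAD) -> Tuple[int, int]:
    """Smallest and largest size an observer can see for a message of msg_len
    bytes (the cipher is assumed to be length-preserving)."""
    return msg_len + LEN_FIELD, msg_len + LEN_FIELD + max_pad


def distinguishable_by_length(len_a: int, len_b: int, max_pad: int = MAX_PAD) -> bool:
    """True when no padded size of one message can also be a padded size of the
    other, i.e. an observer who sees only sizes can always tell them apart.
    The two ranges overlap exactly when the lengths differ by at most max_pad,
    which is why raising N, not the minimum, is what blunts traffic analysis."""
    lo_a, hi_a = padded_length_range(len_a, max_pad)
    lo_b, hi_b = padded_length_range(len_b, max_pad)
    return hi_a < lo_b or hi_b < lo_a


if __name__ == "__main__":
    # Constructed sample: a short and a long reply of the kind an observer
    # could otherwise tell apart by size alone.
    short, long = b"yes", b"no, the shipment is delayed until next month"
    for m in (short, long):
        p = pad_message(m)
        assert unpad_message(p) == m
        print(len(m), "plaintext bytes ->", len(p), "observed bytes")
    print("distinguishable with N=64:", distinguishable_by_length(len(short), len(long)))
    print("distinguishable with N=8: ", distinguishable_by_length(len(short), len(long), 8))
```

With N=64 the 3-byte and 45-byte replies produce overlapping size ranges, so size alone cannot separate them; with N=8 they never overlap and the padding buys nothing against this pair.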

 

The other answers are all techniques used in penetration testing.

 

References:

KRUTZ, Ronald L.& VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, pages 233, 238.

https://secure.wikimedia.org/wikipedia/en/wiki/Padding_%28cryptography%29#Traffic_analysis

 

 

QUESTION 244

A confidential number used as an authentication factor to verify a user’s identity is called a:

 

A. PIN
B. User ID
C. Password
D. Challenge

 

Correct Answer: A

Explanation:

PIN stands for Personal Identification Number; as the name states, it is a combination of numbers.

 

The following answers are incorrect:

 

User ID. This is incorrect because a user ID is not required to be a number, and a user ID is only used to establish identity, not to verify it.

Password. This is incorrect because a password is not required to be a number; it could be any combination of characters.

Challenge. This is incorrect because a challenge is not defined as a number; it could be anything.

 

 

QUESTION 245

Which of the following is NOT an advantage that TACACS+ has over TACACS?

 

A. Event logging
B. Use of two-factor password authentication
C. User has the ability to change his password
D. Ability for security tokens to be resynchronized

 

Correct Answer: A

Explanation:

Although TACACS+ provides better audit trails, event logging is a service that is provided with TACACS.

Source: KRUTZ, Ronald L.& VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 121).

 

 

QUESTION 246

The three classic ways of authenticating yourself to the computer security software are: something you know, something you have, and something:

 

A. you need.
B. you read.
C. you are.
D. you do.

 

Correct Answer: C

Explanation:

Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

 

 

QUESTION 247

Which of the following questions is less likely to help in assessing physical and environmental protection?

 

A. Are entry codes changed periodically?
B. Are appropriate fire suppression and prevention devices installed and working?
C. Are there processes to ensure that unauthorized individuals cannot read, copy, alter, or steal printed or electronic information?
D. Is physical access to data transmission lines controlled?

 

Correct Answer: C

Explanation:

Physical security and environmental security are part of operational controls, and are measures taken to protect systems, buildings, and related supporting infrastructures against threats associated with their physical environment. All the questions above are useful in assessing physical and environmental protection except for the one regarding processes that ensure unauthorized individuals cannot access information, which is more of a production control.

Source: SWANSON, Marianne, NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems, November 2001 (Pages A-21 to A-24).

 

 

QUESTION 248

This baseline sets thresholds for specific errors or mistakes that are allowed, and for the number of such occurrences that can take place before activity is considered suspicious. What is it called?

 

A. Checkpoint level
B. Ceiling level
C. Clipping level
D. Threshold level

 

Correct Answer: C

Explanation:

Organizations usually forgive a particular type, number, or pattern of violations, thus permitting a predetermined number of user errors before gathering this data for analysis. An organization attempting to track all violations, without sophisticated statistical computing ability, would be unable to manage the sheer quantity of such data. To make a violation listing effective, a clipping level must be established.

 

The clipping level establishes a baseline for violation activities that may be normal user errors. Only after this baseline is exceeded is a violation record produced. This solution is particularly effective for small- to medium-sized installations. Organizations with large-scale computing facilities often track all violations and use statistical routines to cull out the minor infractions (e.g., forgetting a password or mistyping it several times).

 

If the number of violations being tracked becomes unmanageable, the first step in correcting the problem should be to analyze why the condition has occurred. Do users understand how they are to interact with the computer resource? Are the rules too difficult to follow? Violation tracking and analysis can be valuable tools in assisting an organization to develop thorough but usable controls. Once these are in place and records are produced that accurately reflect serious violations, tracking and analysis become the first line of defense. With this procedure, intrusions are discovered before major damage occurs and sometimes early enough to catch the perpetrator. In addition, business protection and preservation are strengthened.
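As an added illustration of a clipping level in code (not part of the original explanation or the Handbook it cites), the Python below counts failed logins per user over a sliding window and produces a violation record only once the count exceeds the level; failures at or below it are forgiven as ordinary mistakes, exactly the baseline behaviour the explanation describes. The log format, the sample lines, the clipping level of 3 and the 10-minute window are all assumptions made for the example, and the function names are the example's own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Iterator, List, Tuple

# Assumed clipping level and window for this illustration: up to 3 failed
# logins per user in any 10-minute span are forgiven as ordinary mistakes.
CLIPPING_LEVEL = 3
WINDOW = timedelta(minutes=10)

# Constructed log format (not taken from any real product).
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) auth: (?P<result>FAIL|OK) user=(?P<user>\S+)$"
)

# Constructed sample lines: alice mistypes once, bob hammers the login within
# seconds, carol fails slowly over an hour (each failure outside the window
# of the previous one).
SAMPLE_LOG = """\
2024-03-01 09:00:01 auth: FAIL user=alice
2024-03-01 09:00:20 auth: OK user=alice
2024-03-01 09:01:00 auth: FAIL user=bob
2024-03-01 09:01:05 auth: FAIL user=bob
2024-03-01 09:01:09 auth: FAIL user=bob
2024-03-01 09:01:12 auth: FAIL user=bob
2024-03-01 09:01:15 auth: FAIL user=bob
2024-03-01 09:30:00 auth: FAIL user=carol
2024-03-01 09:45:00 auth: FAIL user=carol
2024-03-01 09:59:00 auth: FAIL user=carol
2024-03-01 10:10:00 auth: FAIL user=carol
"""


def parse_events(log_text: str) -> Iterator[Tuple[datetime, str, str]]:
    """Yield (timestamp, user, result) for every well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["result"]


def violation_records(log_text: str, clipping_level: int = CLIPPING_LEVEL,
                      window: timedelta = WINDOW) -> List[Tuple[datetime, str, int]]:
    """Apply the clipping level to an authentication log.

    Failures are counted per user over a sliding window. Nothing is recorded
    while the count stays at or below the clipping level; once it is exceeded,
    a violation record (time, user, failures in window) is produced for that
    event and for every further failure inside the window.
    """
    recent = defaultdict(list)   # user -> timestamps of failures still in window
    records = []
    for ts, user, result in parse_events(log_text):
        if result != "FAIL":
            continue
        in_window = [t for t in recent[user] if ts - t <= window] + [ts]
        recent[user] = in_window
        if len(in_window) > clipping_level:
            records.append((ts, user, len(in_window)))
    return records


def total_failures(log_text: str) -> int:
    """Raw failure count, for comparison with what the clipping level lets through."""
    return sum(1 for _, _, r in parse_events(log_text) if r == "FAIL")


if __name__ == "__main__":
    print("failures in log:", total_failures(SAMPLE_LOG))
    for ts, user, n in violation_records(SAMPLE_LOG):
        print(f"{ts} VIOLATION user={user} failures_in_window={n}")
```

On the sample, ten failures are logged but only bob's fourth and fifth attempts produce violation records; alice's single slip and carol's slow, spread-out failures stay below the clipping level and never reach the analyst.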

 

The following answers are incorrect:

All of the other choices presented were simply distractors.

 

The following reference(s) were used for this question:

Handbook of Information Security Management

 

 

QUESTION 249

Which of the following floors would be most appropriate for locating information processing facilities in a six-story building?

 

A. Basement
B. Ground floor
C. Third floor
D. Sixth floor

 

Correct Answer: C

Explanation:

Your data center should be located in the middle of the facility or the core of a building to provide protection from natural disasters or bombs and to provide easier access for emergency crew members if necessary. By being at the core of the facility, the external walls act as a secondary layer of protection as well.

 

Information processing facilities should not be located on the top floors of buildings because of fire or flooding coming from the roof. Many crimes and thefts have also been committed by simply cutting a large hole in the roof.

 

They should not be in the basement because of flooding, since water has a natural tendency to flow down 🙂 Even a small amount of water would affect your operation, considering the quantity of electrical cabling sitting directly on the cement floor under your raised floor.

 

The data center should not be located on the first floor due to the presence of the main entrance, where people are coming in and out. There are a lot of high-traffic areas such as the elevators, the loading docks, the cafeteria, the coffee shop, etc. Really a bad location for a data center.

 

So it was easy to come up with the answer by process of elimination, where the top floor, the ground floor, and the basement are all bad choices. That leaves only one possible answer, which is the third floor.

 

Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 5th Edition, Page 425.

 

 

QUESTION 250

Which of the following is related to physical security and is not considered a technical control?

 

A. Access control mechanisms
B. Intrusion detection systems
C. Firewalls
D. Locks

 

Correct Answer: D

Explanation:

All of the above are considered technical controls except for locks, which are physical controls.

 

Administrative, Technical, and Physical Security Controls


Administrative security controls are primarily policies and procedures put into place to define and guide employee actions in dealing with the organization's sensitive information. For example, policy might dictate (and procedures indicate how) that human resources conduct background checks on employees with access to sensitive information. Requiring that information be classified, and the process to classify and review information classifications, is another example of an administrative control. The organization's security awareness program is an administrative control used to make employees cognizant of their security roles and responsibilities. Note that administrative security controls in the form of a policy can be enforced or verified with technical or physical security controls. For instance, security policy may state that computers without antivirus software cannot connect to the network, but a technical control, such as network access control software, will check for antivirus software when a computer tries to attach to the network.

 

Technical security controls (also called logical controls) are devices, processes, protocols, and other measures used to protect the C.I.A. of sensitive information. Examples include logical access systems, encryption systems, antivirus systems, firewalls, and intrusion detection systems.

 

Physical security controls are devices and means to control physical access to sensitive information and to protect the availability of the information. Examples are physical access systems (fences, mantraps, guards), physical intrusion detection systems (motion detectors, alarm systems), and physical protection systems (sprinklers, backup generators). Administrative and technical controls depend on proper physical security controls being in place. An administrative policy allowing only authorized employees access to the data center does little good without some kind of physical access control.

From the GIAC.ORG website
