[Free] New Updated (October) ISC SSCP Real Exam 31-40

Ensurepass

 

QUESTION 31

Examples of types of physical access controls include all EXCEPT which of the following?

A. badges
B. locks
C. guards
D. passwords

Correct Answer: D

Explanation:

Passwords are considered a Preventive/Technical (logical) control.

 

The following answers are incorrect:

 

badges: Badges are a physical control used to identify an individual. A badge can include a smart device that can be used for authentication and is thus a Technical control, but the badge itself is primarily a physical control.

 

locks: Locks are a Preventative Physical control and have no Technical association.

guards: Guards are a Preventative Physical control and have no Technical association.

 

The following reference(s) were/was used to create this question:

 

Source: KRUTZ, Ronald L.& VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 35).

 

 

QUESTION 32

Which of the following is NOT a type of motion detector?

A. Photoelectric sensor
B. Passive infrared sensors
C. Microwave Sensor
D. Ultrasonic Sensor

Correct Answer: A

Explanation:

A photoelectric sensor does not “directly” sense motion; it projects a narrow beam, and the sensor will not trip unless that beam is broken. Photoelectric sensors, along with dry contact switches, are a type of perimeter intrusion detector.

 

All of the other answers are valid types of motion detectors.

 

The content below on the different types of sensors is from Wikipedia:

Indoor Sensors

 

These types of sensors are designed for indoor use. Outdoor use would not be advised due to false alarm vulnerability and weather durability.

Passive infrared detectors

(Figure: Passive Infrared Sensor)

The passive infrared detector (PIR) is one of the most common detectors found in household and small business environments because it offers affordable and reliable functionality. The term passive means the detector is able to function without the need to generate and radiate its own energy (unlike ultrasonic and microwave volumetric intrusion detectors that are “active” in operation). PIRs are able to distinguish if an infrared emitting object is present by first learning the ambient temperature of the monitored space and then detecting a change in the temperature caused by the presence of an object. Using the principle of differentiation, which is a check of presence or nonpresence, PIRs verify if an intruder or object is actually there. Creating individual zones of detection where each zone comprises one or more layers can achieve differentiation. Between the zones there are areas of no sensitivity (dead zones) that are used by the sensor for comparison.

 

Ultrasonic detectors

Using frequencies between 15 kHz and 75 kHz, these active detectors transmit ultrasonic sound waves that are inaudible to humans. The Doppler shift principle is the underlying method of operation, in which a change in frequency is detected due to object motion. This is caused when a moving object changes the frequency of sound waves around it. Two conditions must occur to successfully detect a Doppler shift event:

 

There must be motion of an object either towards or away from the receiver. The motion of the object must cause a change in the ultrasonic frequency to the receiver relative to the transmitting frequency.

 

The ultrasonic detector operates by the transmitter emitting an ultrasonic signal into the area to be protected. The sound waves are reflected by solid objects (such as the surrounding floor, walls and ceiling) and then detected by the receiver. Because ultrasonic waves are transmitted through air, then hard-surfaced objects tend to reflect most of the ultrasonic energy, while soft surfaces tend to absorb most energy.

 

When the surfaces are stationary, the frequency of the waves detected by the receiver will be equal to the transmitted frequency. However, a change in frequency will occur as a result of the Doppler principle, when a person or object is moving towards or away from the detector. Such an event initiates an alarm signal. This technology is considered obsolete by many alarm professionals, and is not actively installed.

Microwave detectors

This device emits microwaves from a transmitter and detects any reflected microwaves or reduction in beam intensity using a receiver. The transmitter and receiver are usually combined inside a single housing (monostatic) for indoor applications, and separate housings (bistatic) for outdoor applications. To reduce false alarms this type of detector is usually combined with a passive infrared detector or “Dualtec” alarm.

 

Microwave detectors respond to a Doppler shift in the frequency of the reflected energy, by a phase shift, or by a sudden reduction of the level of received energy. Any of these effects may indicate motion of an intruder.

Photo-electric beams

Photoelectric beam systems detect the presence of an intruder by transmitting visible or infrared light beams across an area, where these beams may be obstructed. To improve the detection surface area, the beams are often employed in stacks of two or more. However, if an intruder is aware of the technology’s presence, it can be avoided. The technology can be an effective long-range detection system, if installed in stacks of three or more where the transmitters and receivers are staggered to create a fence-like barrier. Systems are available for both internal and external applications. To prevent a clandestine attack using a secondary light source being used to hold the detector in a ‘sealed’ condition whilst an intruder passes through, most systems use and detect a modulated light source.

 

Glass break detectors

The glass break detector may be used for internal perimeter building protection. When glass breaks it generates sound in a wide band of frequencies. These can range from infrasonic, which is below 20 hertz (Hz) and can not be heard by the human ear, through the audio band from 20 Hz to 20 kHz which humans can hear, right up to ultrasonic, which is above 20 kHz and again cannot be heard. Glass break acoustic detectors are mounted in close proximity to the glass panes and listen for sound frequencies associated with glass breaking. Seismic glass break detectors are different in that they are installed on the glass pane. When glass breaks it produces specific shock frequencies which travel through the glass and often through the window frame and the surrounding walls and ceiling. Typically, the most intense frequencies generated are between 3 and 5 kHz, depending on the type of glass and the presence of a plastic interlayer. Seismic glass break detectors “feel” these shock frequencies and in turn generate an alarm condition.

 

The more primitive detection method involves gluing a thin strip of conducting foil on the inside of the glass and putting low-power electrical current through it. Breaking the glass is practically guaranteed to tear the foil and break the circuit.

Smoke, heat, and carbon monoxide detectors

(Figure: Heat Detection System)

Most systems may also be equipped with smoke, heat, and/or carbon monoxide detectors. These are also known as 24 hour zones (which are on at all times). Smoke detectors and heat detectors protect from the risk of fire and carbon monoxide detectors protect from the risk of carbon monoxide. Although an intruder alarm panel may also have these detectors connected, it may not meet all the local fire code requirements of a fire alarm system.

 

Other types of volumetric sensors could be:

 

Active Infrared

Passive Infrared/Microwave combined

Radar

Acoustical Sensor/Audio

Vibration Sensor (seismic)

Air Turbulence

 

 

QUESTION 33

Which of the following centralized access control mechanisms is the least appropriate for mobile workers accessing the corporate network over analog lines?

A. TACACS
B. Call-back
C. CHAP
D. RADIUS

Correct Answer: B

Explanation:

Call-back allows for a distant user connecting into a system to be called back at a number already listed in a database of trusted users. The disadvantage of this system is that the user must be at a fixed location whose phone number is known to the authentication server. Being mobile workers, users are accessing the system from multiple locations, making call-back inappropriate for them. Source: KRUTZ, Ronald L.& VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 44).

QUESTION 34

In Synchronous dynamic password tokens:

A. The token generates a new password value at fixed time intervals (this password could be based on the time of day encrypted with a secret key).
B. The token generates a new non-unique password value at fixed time intervals (this password could be based on the time of day encrypted with a secret key).
C. The unique password is not entered into a system or workstation along with an owner’s PIN.
D. The authentication entity in a system or workstation knows an owner’s secret key and PIN, and the entity verifies that the entered password is invalid and that it was entered during the invalid time window.

Correct Answer: A

Explanation:

Synchronous dynamic password tokens:

 

The token generates a new password value at fixed time intervals (this password could be the time of day encrypted with a secret key).

The unique password is entered into a system or workstation along with an owner’s PIN.

The authentication entity in a system or workstation knows an owner’s secret key and PIN, and the entity verifies that the entered password is valid and that it was entered during the valid time window.

 

Source: KRUTZ, Ronald L.& VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 37.
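Worked example of the three points above, with the token side and the verifying entity side in one script. This is added illustration code, not from the page or its source: it uses an HMAC of the current time step as the keyed function standing in for “the time of day encrypted with a secret key”, and the secret key, PIN and timestamp are constructed values.

```python
import hmac
import hashlib
import struct

# Constructed demo values (not from the page): the secret shared by the token
# and the authentication entity, and the owner's PIN.
SECRET_KEY = b"constructed-demo-shared-secret"
OWNER_PIN = "4821"
INTERVAL_SECONDS = 60      # the token rolls to a new value every fixed interval
ALLOWED_DRIFT_STEPS = 1    # accept one interval either side to tolerate clock skew


def token_password(secret: bytes, now: int, interval: int = INTERVAL_SECONDS) -> str:
    """Password the token displays at time `now` (seconds since the epoch).

    The time is reduced to an interval counter so the value is constant within
    an interval and changes at each interval boundary; HMAC is the keyed
    function used here in place of encrypting the time with the secret key.
    """
    step = now // interval
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha256).digest()
    # Truncate the MAC to a 6-digit value the owner can type at a workstation.
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def verify_login(entered_pin: str, entered_password: str, now: int) -> bool:
    """Authentication entity: it knows the owner's secret key and PIN, checks
    the PIN, then checks that the password is the one valid for the current
    time window (or an adjacent one, to allow for clock drift)."""
    if not hmac.compare_digest(entered_pin, OWNER_PIN):
        return False
    for drift in range(-ALLOWED_DRIFT_STEPS, ALLOWED_DRIFT_STEPS + 1):
        candidate = token_password(SECRET_KEY, now + drift * INTERVAL_SECONDS)
        if hmac.compare_digest(candidate, entered_password):
            return True
    return False   # password was not produced within the valid time window


if __name__ == "__main__":
    t = 1_700_000_000                     # constructed "current" time
    shown = token_password(SECRET_KEY, t)
    print("token shows:", shown)
    print("entered in the same interval:", verify_login(OWNER_PIN, shown, t))
    print("entered five minutes later:", verify_login(OWNER_PIN, shown, t + 300))
```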

 

 

QUESTION 35

What would be the name of a Logical or Virtual Table dynamically generated to restrict the information a user can access in a database?

A. Database Management system
B. Database views
C. Database security
D. Database shadowing

Correct Answer: B

Explanation:

Database views are mechanisms that restrict the information a user can access in a database.

 

Source: KRUTZ, Ronald L.& VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 35.

 

Wikipedia has a detailed explanation as well:

In database theory, a view is a virtual or logical table composed of the result set of a query. Unlike ordinary tables (base tables) in a relational database, a view is not part of the physical schema: it is a dynamic, virtual table computed or collated from data in the database. Changing the data in a table alters the data shown in the view.

 

Views can provide advantages over tables:

They can subset the data contained in a table.

They can join and simplify multiple tables into a single virtual table.

Views can act as aggregated tables, where aggregated data (sum, average, etc.) are calculated and presented as part of the data.

Views can hide the complexity of data; for example, a view could appear as Sales2000 or Sales2001, transparently partitioning the actual underlying table.

Views do not incur any extra storage overhead.

Depending on the SQL engine used, views can provide extra security by limiting the exposure of a table or tables to the outside world.

 

Just like functions (in programming) provide abstraction, views can be used to create abstraction. Also, just like functions, views can be nested, thus one view can aggregate data from other views. Without the use of views it would be much harder to normalise databases above second normal form. Views can make it easier to create lossless join decomposition.

 

 

QUESTION 36

Which of the following statements pertaining to Kerberos is TRUE?

A. Kerberos does not address availability
B. Kerberos does not address integrity
C. Kerberos does not make use of Symmetric Keys
D. Kerberos cannot address confidentiality of information

Correct Answer: A

Explanation:

The question was asking for a TRUE statement and the only correct statement is “Kerberos does not address availability”.

 

Kerberos addresses the confidentiality and integrity of information. It does not directly address availability.

 

Source: KRUTZ, Ronald L.& VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 42).

 

 

QUESTION 37

A department manager has read access to the salaries of the employees in his/her department but not to the salaries of employees in other departments. A database security mechanism that enforces this policy would typically be said to provide which of the following?

A. Content-dependent access control
B. Context-dependent access control
C. Least privileges access control
D. Ownership-based access control

Correct Answer: A

Explanation:

When access control is based on the content of an object, it is considered to be content-dependent access control.

 

Content-dependent access control is based on the content itself.

 

The following answers are incorrect:

 

context-dependent access control: incorrect because this type of control is based on the context of the access (facts about the data) rather than on what the object contains.

least privileges access control: incorrect because this is based on the least amount of rights users need to perform their jobs, not on what is contained in the database.

ownership-based access control: incorrect because this is based on the owner of the data, not on what is contained in the database.
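Added example (not from the page or its references) that shows, in SQLite, both the view mechanism of Question 35 and the content-dependent salary policy of this question: one view subsets the base table's columns, and a second view exposes each salary row only to the manager whose department the row belongs to. The table names, sample rows and the manager assignment table are constructed; a production DBMS would filter on CURRENT_USER inside the view rather than on a viewer column passed by the application.

```python
import sqlite3

# Constructed sample data: employees with a sensitive column (ssn), plus the
# manager-to-department assignments the policy is evaluated against.
EMPLOYEES = [
    ("alice", "sales", 70000, "111-11-1111"),
    ("bob", "sales", 65000, "222-22-2222"),
    ("carol", "engineering", 90000, "333-33-3333"),
    ("dave", "engineering", 85000, "444-44-4444"),
]
MANAGERS = [("mgr_sales", "sales"), ("mgr_eng", "engineering")]

SCHEMA = """
CREATE TABLE employees (name TEXT, dept TEXT, salary INTEGER, ssn TEXT);
CREATE TABLE managers  (username TEXT, dept TEXT);

-- Question 35: a view is a virtual table computed from a query. This one
-- subsets the base table; ssn is simply not part of it, so a user granted
-- the view but not the table can never read SSNs.
CREATE VIEW staff_salaries AS
    SELECT name, dept, salary FROM employees;

-- Question 37: content-dependent access. A salary row is visible to a manager
-- only when the row's dept value matches that manager's department, so the
-- decision depends on the content of the data, not on the object as a whole.
CREATE VIEW manager_salaries AS
    SELECT m.username AS viewer, e.name, e.dept, e.salary
    FROM employees e JOIN managers m ON m.dept = e.dept;
"""


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?)", EMPLOYEES)
    conn.executemany("INSERT INTO managers VALUES (?, ?)", MANAGERS)
    return conn


def view_columns(conn: sqlite3.Connection, view: str) -> list:
    """Column names a consumer of the view can see (view name is a fixed
    identifier chosen in code, never user input)."""
    return [row[1] for row in conn.execute(f"PRAGMA table_info({view})")]


def salaries_visible_to(conn: sqlite3.Connection, username: str) -> list:
    """Rows the named manager may read through the content-dependent view."""
    cur = conn.execute(
        "SELECT name, dept, salary FROM manager_salaries "
        "WHERE viewer = ? ORDER BY name",
        (username,),
    )
    return cur.fetchall()


if __name__ == "__main__":
    db = build_db()
    print("staff_salaries exposes:", view_columns(db, "staff_salaries"))
    for mgr, _ in MANAGERS:
        print(mgr, "can read", salaries_visible_to(db, mgr))
```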

 

References:

OIG CBK Access Control (page 191)

 

 

QUESTION 38

Which of the following is a trusted, third party authentication protocol that was developed under Project Athena at MIT?

A. Kerberos
B. SESAME
C. KryptoKnight
D. NetSP

Correct Answer: A

Explanation:

Kerberos is a trusted, third party authentication protocol that was developed under Project Athena at MIT.

 

Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. A free implementation of this protocol is available from the Massachusetts Institute of Technology. Kerberos is available in many commercial products as well.

 

The Internet is an insecure place. Many of the protocols used in the Internet do not provide any security. Tools to “sniff” passwords off of the network are in common use by systems crackers. Thus, applications which send an unencrypted password over the network are extremely vulnerable. Worse yet, other client/server applications rely on the client program to be “honest” about the identity of the user who is using it. Other applications rely on the client to restrict its activities to those which it is allowed to do, with no other enforcement by the server.

 

Some sites attempt to use firewalls to solve their network security problems. Unfortunately, firewalls assume that “the bad guys” are on the outside, which is often a very bad assumption. Most of the really damaging incidents of computer crime are carried out by insiders. Firewalls also have a significant disadvantage in that they restrict how your users can use the Internet. (After all, firewalls are simply a less extreme example of the dictum that there is nothing more secure then a computer which is not connected to the network — and powered off!) In many places, these restrictions are simply unrealistic and unacceptable.

 

Kerberos was created by MIT as a solution to these network security problems. The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection. After a client and server have used Kerberos to prove their identity, they can also encrypt all of their communications to assure privacy and data integrity as they go about their business.

 

Kerberos is freely available from MIT, under a copyright permission notice very similar to the one used for the BSD operating and X11 Windowing system. MIT provides Kerberos in source form, so that anyone who wishes to use it may look over the code for themselves and assure themselves that the code is trustworthy. In addition, for those who prefer to rely on a professional supported product, Kerberos is available as a product from many different vendors.

 

In summary, Kerberos is a solution to your network security problems. It provides the tools of authentication and strong cryptography over the network to help you secure your information systems across your entire enterprise. We hope you find Kerberos as useful as it has been to us. At MIT, Kerberos has been invaluable to our Information/Technology architecture.

 

KryptoKnight is a Peer to Peer authentication protocol incorporated into the NetSP product from IBM.

 

SESAME is an authentication and access control protocol that also supports communication confidentiality and integrity. It provides public key based authentication along with the Kerberos style authentication that uses symmetric key cryptography. Sesame supports the Kerberos protocol and adds some security extensions like public key based authentication and an ECMA-style Privilege Attribute Service. The complete Sesame protocol is a two step process. In the first step, the client successfully authenticates itself to the Authentication Server and obtains a ticket that can be presented to the Privilege Attribute Server. In the second step, the initiator obtains proof of his access rights in the form of a Privilege Attribute Certificate (PAC). The PAC is a specific form of Access Control Certificate as defined in the ECMA-219 document. This document describes the extensions to Kerberos for public key based authentication as adopted in Sesame.

 

SESAME, KryptoKnight, and NetSP never took off and the protocols are no longer commonly used.

 

References:

http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#whatis and

Source: KRUTZ, Ronald L.& VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 40.

 

 

QUESTION 39

What can be defined as a table of subjects and objects indicating what actions individual subjects can take upon individual objects?

A. A capacity table
B. An access control list
C. An access control matrix
D. A capability table

Correct Answer: C

Explanation:

The matrix lists the users, groups and roles down the left side and the resources and functions across the top. The cells of the matrix can either indicate that access is allowed or indicate the type of access. CBK pp 317 – 318.

 

AIO3, p. 169 describes it as a table of subjects and objects specifying the access rights a certain subject possesses pertaining to specific objects. In either case, the matrix is a way of analyzing the access control needed by a population of subjects to a population of objects. This access control can be applied using rules, ACL’s, capability tables, etc.

 

“A capacity table” is incorrect.

 

This answer is a trap for the unwary — it sounds a little like “capability table” but is just there to distract you.

 

“An access control list” is incorrect.

 

“It [ACL] specifies a list of users [subjects] who are allowed access to each object” CBK, p. 188 Access control lists (ACL) could be used to implement the rules identified by an access control matrix but is different from the matrix itself.

 

“A capability table” is incorrect.

 

“Capability tables are used to track, manage and apply controls based on the object and rights, or capabilities of a subject. For example, a table identifies the object, specifies access rights allowed for a subject, and permits access based on the user’s possession of a capability (or ticket) for the object.” CBK, pp. 191-192. To put it another way, as noted in AIO3 on p. 169, “A capability table is different from an ACL because the subject is bound to the capability table, whereas the object is bound to the ACL.”

 

Again, a capability table could be used to implement the rules identified by an access control matrix but is different from the matrix itself.
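Added example, not from the page or its references, that builds a matrix of constructed subjects and objects and derives from it the two implementation forms the explanation contrasts: an ACL per object (a column of the matrix) and a capability list per subject (a row of the matrix), checking that both reproduce the matrix's decisions.

```python
# Constructed access control matrix (not from the page): subjects down the
# side, objects across the top, each cell holding the permitted actions.
MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "hr_policy.doc": {"read"}},
    "bob":   {"payroll.db": {"read"}, "backup.tar": {"read", "write"}},
    "carol": {"hr_policy.doc": {"read", "write"}},
}


def objects_in(matrix: dict) -> set:
    return {obj for rights in matrix.values() for obj in rights}


def to_acls(matrix: dict) -> dict:
    """Object-bound form: one ACL per object, listing which subjects may
    access it and how (the matrix read column by column)."""
    acls = {obj: {} for obj in objects_in(matrix)}
    for subject, rights in matrix.items():
        for obj, actions in rights.items():
            acls[obj][subject] = set(actions)
    return acls


def to_capabilities(matrix: dict) -> dict:
    """Subject-bound form: one capability list per subject, naming the
    objects it holds rights to (the matrix read row by row)."""
    return {subject: {obj: set(actions) for obj, actions in rights.items()}
            for subject, rights in matrix.items()}


def allowed_by_acl(acls: dict, subject: str, obj: str, action: str) -> bool:
    # Reference monitor with ACLs: find the object, then the subject on its list.
    return action in acls.get(obj, {}).get(subject, set())


def allowed_by_capability(caps: dict, subject: str, obj: str, action: str) -> bool:
    # Reference monitor with capabilities: find the subject, then the object it holds.
    return action in caps.get(subject, {}).get(obj, set())


def decisions_agree(matrix: dict, checks) -> bool:
    """True when ACLs, capabilities and the matrix cell all give the same
    answer for every (subject, object, action) check, unknown names included."""
    acls, caps = to_acls(matrix), to_capabilities(matrix)
    return all(
        allowed_by_acl(acls, s, o, a)
        == allowed_by_capability(caps, s, o, a)
        == (a in matrix.get(s, {}).get(o, set()))
        for s, o, a in checks
    )


if __name__ == "__main__":
    acls = to_acls(MATRIX)
    print("ACL bound to payroll.db:", acls["payroll.db"])
    print("capabilities bound to bob:", to_capabilities(MATRIX)["bob"])
    print("bob may write payroll.db?", allowed_by_acl(acls, "bob", "payroll.db", "write"))
```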

 

References:

CBK pp. 191-192, 317-318

AIO3, p. 169

 

 

QUESTION 40

Password management falls into which control category?

A. Compensating
B. Detective
C. Preventive
D. Technical

Correct Answer: C

Explanation:

Password management is an example of a preventive control. Proper passwords prevent unauthorized users from accessing a system.

 

There are literally hundreds of different access approaches, control methods, and technologies, both in the physical world and in the virtual electronic world. Each method addresses a different type of access control or a specific access need.

 

For example, access control solutions may incorporate identification and authentication mechanisms, filters, rules, rights, logging and monitoring, policy, and a plethora of other controls. However, despite the diversity of access control methods, all access control systems can be categorized into seven primary categories.

 

The seven main categories of access control are:

 

1. Directive: Controls designed to specify acceptable rules of behavior within an organization

 

2. Deterrent: Controls designed to discourage people from violating security directives

 

3. Preventive: Controls implemented to prevent a security incident or information breach

 

4. Compensating: Controls implemented to substitute for the loss of primary controls and mitigate risk down to an acceptable level

 

5. Detective: Controls designed to signal a warning when a security control has been breached

 

6. Corrective: Controls implemented to remedy circumstance, mitigate damage, or restore controls

 

7. Recovery: Controls implemented to restore conditions to normal after a security incident

 

Reference(s) used for this question:

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 1156-1176). Auerbach Publications. Kindle Edition.
