[Free] New Updated (October) ISC SSCP Real Exam 401-410

Ensurepass

 

QUESTION 401

One of these statements about the key elements of a good configuration process is NOT true

 

A. Accommodate the reuse of proven standards and best practices

B. Ensure that all requirements remain clear, concise, and valid

C. Control modifications to system hardware in order to prevent resource changes

D. Ensure changes, standards, and requirements are communicated promptly and precisely

 

Correct Answer: C

Explanation:

Configuration management isn’t about preventing change but ensuring the integrity of IT resources by preventing unauthorised or improper changes.

 

According to the Official ISC2 guide to the CISSP exam, a good CM process is one that can:

 

(1) accommodate change;

(2) accommodate the reuse of proven standards and best practices;

(3) ensure that all requirements remain clear, concise, and valid;

(4) ensure changes, standards, and requirements are communicated promptly and precisely; and

(5) ensure that the results conform to each instance of the product.

 

Configuration management

Configuration management (CM) is the detailed recording and updating of information that describes an enterprise’s computer systems and networks, including all hardware and software components. Such information typically includes the versions and updates that have been applied to installed software packages and the locations and network addresses of hardware devices. Special configuration management software is available. When a system needs a hardware or software upgrade, a computer technician can access the configuration management program and database to see what is currently installed. The technician can then make a more informed decision about the upgrade needed.

 

An advantage of a configuration management application is that the entire collection of systems can be reviewed to make sure any changes made to one system do not adversely affect any of the other systems.

 

Configuration management is also used in software development, where it is called Unified Configuration Management (UCM). Using UCM, developers can keep track of the source code, documentation, problems, changes requested, and changes made.

 

Change management

In a computer system environment, change management refers to a systematic approach to keeping track of the details of the system (for example, what operating system release is running on each computer and which fixes have been applied).

 

 

QUESTION 402

Which of the following is a set of data processing elements that increases the performance in a computer by overlapping the steps of different instructions?

 

A. pipelining

B. complex-instruction-set-computer (CISC)

C. reduced-instruction-set-computer (RISC)

D. multitasking

 

Correct Answer: A

Explanation:

Pipelining is a natural concept in everyday life, e.g. on an assembly line. Consider the assembly of a car: assume that certain steps in the assembly line are to install the engine, install the hood, and install the wheels (in that order, with arbitrary interstitial steps). A car on the assembly line can have only one of the three steps done at once. After the car has its engine installed, it moves on to having its hood installed, leaving the engine installation facilities available for the next car. The first car then moves on to wheel installation, the second car to hood installation, and a third car begins to have its engine installed. If engine installation takes 20 minutes, hood installation takes 5 minutes, and wheel installation takes 10 minutes, then finishing all three cars when only one car can be assembled at once would take 105 minutes. On the other hand, using the assembly line, the total time to complete all three is 75 minutes. At this point, additional cars will come off the assembly line at 20-minute increments.

 

In computing, a pipeline is a set of data processing elements connected in series, so that the output of one element is the input of the next one. The elements of a pipeline are often executed in parallel or in time-sliced fashion; in that case, some amount of buffer storage is often inserted between elements. Pipelining is used in processors to allow overlapping execution of multiple instructions within the same circuitry. The circuitry is usually divided into stages, including instruction decoding, arithmetic, and register fetching stages, wherein each stage processes one instruction at a time.
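As an added example (not code from the original page), the small Python simulation below reproduces the assembly-line arithmetic of the explanation above: the stage times (engine 20, hood 5, wheels 10) and the three cars are the page's numbers, while the scheduling rule is my assumption: each stage works on one item at a time and an item waits in a buffer until the next stage is free, which is the buffered pipeline the paragraph describes. The same function handles any list of stage times and any number of items, so it also shows why throughput settles at the slowest stage.

```python
from typing import Dict, List, Sequence


def sequential_total(stage_times: Sequence[int], n_items: int) -> int:
    """Total time when only one item is worked on at a time: every item goes
    through every stage before the next item starts."""
    return sum(stage_times) * n_items


def pipelined_schedule(stage_times: Sequence[int], n_items: int) -> List[List[int]]:
    """Return finish[item][stage]: the time at which `item` leaves `stage`.

    Each stage handles one item at a time.  An item may enter a stage only when
    its previous stage is done AND the stage has been released by the item ahead
    of it; in between it waits in a buffer (assumption: unbounded buffers)."""
    n_stages = len(stage_times)
    finish = [[0] * n_stages for _ in range(n_items)]
    for j in range(n_items):
        for i in range(n_stages):
            ready = finish[j][i - 1] if i > 0 else 0   # this item done with prior stage
            free = finish[j - 1][i] if j > 0 else 0    # stage released by item ahead
            finish[j][i] = max(ready, free) + stage_times[i]
    return finish


def pipelined_total(stage_times: Sequence[int], n_items: int) -> int:
    """Time at which the last item leaves the last stage."""
    return pipelined_schedule(stage_times, n_items)[-1][-1]


def completion_times(stage_times: Sequence[int], n_items: int) -> List[int]:
    """When each item comes off the line."""
    return [row[-1] for row in pipelined_schedule(stage_times, n_items)]


def steady_state_interval(stage_times: Sequence[int]) -> int:
    """Once the pipeline is full, a new item completes every max(stage_times)
    units: the slowest stage bounds throughput."""
    return max(stage_times)


def compare(stage_times: Sequence[int], n_items: int) -> Dict[str, int]:
    """Side-by-side totals for the one-at-a-time and pipelined schedules."""
    return {
        "sequential": sequential_total(stage_times, n_items),
        "pipelined": pipelined_total(stage_times, n_items),
        "interval": steady_state_interval(stage_times),
    }


if __name__ == "__main__":
    # Constructed from the explanation: engine 20 min, hood 5 min, wheels 10 min, 3 cars.
    STAGES = [20, 5, 10]
    print(compare(STAGES, 3))            # {'sequential': 105, 'pipelined': 75, 'interval': 20}
    print(completion_times(STAGES, 4))   # [35, 55, 75, 95]
```

The per-item finish times show the overlap directly: the first car still takes the full 35 minutes, but every later car finishes 20 minutes after the previous one because the 20-minute engine stage is the bottleneck.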

 

The following were not correct answers:

 

CISC: a CPU design in which a single instruction executes several low-level operations (such as a load from memory, an arithmetic operation, and a memory store).

 

RISC: a CPU design based on simplified instructions that can provide higher performance, since the simplicity enables much faster execution of each instruction.

 

Multitasking: a method whereby multiple tasks share common processing resources, such as a CPU, through fast scheduling that gives the appearance of parallelism, although in reality only one task is being performed at any one time.

 

Reference:

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, pages 188-189.

 

Also see

http://en.wikipedia.org/wiki/Pipeline_(computing)

 

 

QUESTION 403

Which of the following statements pertaining to a security policy is incorrect?

 

A. Its main purpose is to inform the users, administrators and managers of their obligatory requirements for protecting technology and information assets.

B. It specifies how hardware and software should be used throughout the organization.

C. It needs to have the acceptance and support of all levels of employees within the organization in order for it to be appropriate and effective.

D. It must be flexible to the changing environment.

 

Correct Answer: B

Explanation:

A security policy would NOT define how hardware and software should be used throughout the organization. A standard or a procedure would provide such details but not a policy.

A security policy is a formal statement of the rules that people who are given access to an organization’s technology and information assets must abide by. The policy communicates the security goals to all of the users, the administrators, and the managers. The goals will be largely determined by the following key tradeoffs: services offered versus security provided, ease of use versus security, and cost of security versus risk of loss.

 

The main purpose of a security policy is to inform the users, the administrators and the managers of their obligatory requirements for protecting technology and information assets.

 

The policy should specify the mechanisms through which these requirements can be met. Another purpose is to provide a baseline from which to acquire, configure and audit computer systems and networks for compliance with the policy. In order for a security policy to be appropriate and effective, it needs to have the acceptance and support of all levels of employees within the organization. A good security policy must:

 

Be able to be implemented through system administration procedures, publishing of acceptable use guidelines, or other appropriate methods

Be able to be enforced with security tools, where appropriate, and with sanctions, where actual prevention is not technically feasible

Clearly define the areas of responsibility for the users, the administrators, and the managers

Be communicated to all once it is established

Be flexible to the changing environment of a computer network since it is a living document

 

Reference(s) used for this question:

 

National Security Agency, Systems and Network Attack Center (SNAC),The 60 Minute Network Security Guide, February 2002, page 7.

or

A local copy is kept at:

https://www.freepracticetests.org/documents/The%2060%20Minute%20Network%20Security%20Guide.pdf

 

 

QUESTION 404

Which property ensures that only the intended recipient can access the data and nobody else?

 

A. Confidentiality

B. Capability

C. Integrity

D. Availability

 

Correct Answer: A

Explanation:

Confidentiality is defined as the property that ensures that only the intended recipient can access the data and nobody else. It is usually achieved using cryptographic methods, tools, and protocols.

 

Confidentiality supports the principle of “least privilege” by providing that only authorized individuals, processes, or systems should have access to information on a need-to-know basis. The level of access that an authorized individual should have is at the level necessary for them to do their job. In recent years, much press has been dedicated to the privacy of information and the need to protect it from individuals, who may be able to commit crimes by viewing the information. Identity theft is the act of assuming one’s identity through knowledge of confidential information obtained from various sources.

 

The following are incorrect answers:

Capability is incorrect. Capability is relevant to access control. Capability-based security is a concept in the design of secure computing systems, one of the existing security models. A capability (known in some systems as a key) is a communicable, unforgeable token of authority. It refers to a value that references an object along with an associated set of access rights. A user program on a capability-based operating system must use a capability to access an object. Capability-based security refers to the principle of designing user programs such that they directly share capabilities with each other according to the principle of least privilege, and to the operating system infrastructure necessary to make such transactions efficient and secure.

 

Integrity is incorrect. Integrity protects information from unauthorized modification or loss.

Availability is incorrect. Availability assures that information and services are available for use by authorized entities according to the service level objective.

 

Reference(s) used for this question:

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 9345-9349). Auerbach Publications. Kindle Edition.

http://en.wikipedia.org/wiki/Capability-based_security

 

 

QUESTION 405

What prevents a process from accessing another process’ data?

 

A. Memory segmentation

B. Process isolation

C. The reference monitor

D. Data hiding

 

Correct Answer: B

Explanation:

Process isolation is where each process has its own distinct address space for its application code and data. In this way, it is possible to prevent each process from accessing another process’ data. This prevents data leakage, or modification of the data while it is in memory. Memory segmentation is a virtual memory management mechanism. The reference monitor is an abstract machine that mediates all accesses to objects by subjects. Data hiding, also known as information hiding, is a mechanism that ensures information available at one processing level is not available at another level.

Source: HARE, Chris, Security Architecture and Models, Area 6 CISSP Open Study Guide, January 2002.

 

 

QUESTION 406

Which of the following security modes of operation does NOT require all users to have the clearance for all information processed on the system?

 

A. Compartmented security mode

B. Multilevel security mode

C. System-high security mode

D. Dedicated security mode

 

Correct Answer: B

Explanation:

The multilevel security mode permits two or more classification levels of information to be processed at the same time when not all of the users have the clearance or formal approval to access all the information being processed by the system.

 

In dedicated security mode, all users have the clearance or authorization and need-to-know to all data processed within the system.

 

In system-high security mode, all users have a security clearance or authorization to access the information but not necessarily a need-to-know for all the information processed on the system (only some of the data).

 

In compartmented security mode, all users have the clearance to access all the information processed by the system, but might not have the need-to-know and formal access approval.

 

Generally, security modes refer to information systems security modes of operation used in mandatory access control (MAC) systems. Often, these systems contain information at various levels of security classification.

 

The mode of operation is determined by:

 

The type of users who will be directly or indirectly accessing the system.

The type of data, including classification levels, compartments, and categories, that are processed on the system.

The clearance levels of the users, their need to know, and the formal access approvals that the users will have.

 

Dedicated security mode

In this mode of operation, all users must have:

 

Signed NDA for ALL information on the system.

Proper clearance for ALL information on the system.

Formal access approval for ALL information on the system.

A valid need to know for ALL information on the system.

 

All users can access ALL data.

 

System high security mode

In this mode of operation, all users must have:

 

Signed NDA for ALL information on the system.

Proper clearance for ALL information on the system.

Formal access approval for ALL information on the system.

A valid need to know for SOME information on the system.

 

All users can access SOME data, based on their need to know.

 

Compartmented security mode

In this mode of operation, all users must have:

 

Signed NDA for ALL information on the system.

Proper clearance for ALL information on the system.

Formal access approval for SOME information they will access on the system.

A valid need to know for SOME information on the system.

 

All users can access SOME data, based on their need to know and formal access approval.

 

Multilevel security mode

In this mode of operation, all users must have:

 

Signed NDA for ALL information on the system.

Proper clearance for SOME information on the system.

Formal access approval for SOME information on the system.

A valid need to know for SOME information on the system.

 

All users can access SOME data, based on their need to know, clearance and formal access approval.
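As an added example (mine, not from the page or any ISC2 material), the Python model below turns the four mode descriptions above into an admission check plus a per-item access rule. The classification ordering, the use of compartments to stand in for formal access approval, the item and user names, and the sample data are all constructed assumptions. The point it makes concrete is that the per-item rule (clearance, formal approval, need to know) is the same in every mode; what changes from dedicated to multilevel is how much of that rule every user is guaranteed to satisfy before being admitted, and therefore how much the system itself must enforce.

```python
from dataclasses import dataclass
from typing import Dict, List, Sequence, Set

# Assumed ordering of classification levels, lowest to highest.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]


@dataclass(frozen=True)
class Item:
    name: str          # the piece of information
    level: str         # its classification level
    compartment: str   # formal access approval is modelled per compartment


@dataclass
class User:
    name: str
    signed_nda: bool
    clearance: str
    formal_approvals: Set[str]   # compartments the user is formally approved for
    need_to_know: Set[str]       # names of items the user has a valid need to know


# What every user must hold for ALL information on the system, per mode
# (a signed NDA for ALL information is required in every mode).
MODE_REQUIRES_FOR_ALL = {
    "dedicated":     {"clearance": True,  "approval": True,  "need_to_know": True},
    "system_high":   {"clearance": True,  "approval": True,  "need_to_know": False},
    "compartmented": {"clearance": True,  "approval": False, "need_to_know": False},
    "multilevel":    {"clearance": False, "approval": False, "need_to_know": False},
}


def dominates(clearance: str, level: str) -> bool:
    """True when a clearance is at or above an item's classification level."""
    return LEVELS.index(clearance) >= LEVELS.index(level)


def admission_failures(mode: str, user: User, items: Sequence[Item]) -> List[str]:
    """Reasons this user may NOT be given an account on a system run in `mode`."""
    req = MODE_REQUIRES_FOR_ALL[mode]
    failures: List[str] = []
    if not user.signed_nda:
        failures.append("no signed NDA")
    for it in items:
        if req["clearance"] and not dominates(user.clearance, it.level):
            failures.append(f"clearance below {it.level} ({it.name})")
        if req["approval"] and it.compartment not in user.formal_approvals:
            failures.append(f"no formal approval for {it.compartment} ({it.name})")
        if req["need_to_know"] and it.name not in user.need_to_know:
            failures.append(f"no need to know for {it.name}")
    return failures


def accessible_items(user: User, items: Sequence[Item]) -> List[str]:
    """Per-item rule: clearance, formal approval and need to know must all hold.
    In dedicated mode the admission checks already guarantee this for every
    item; the less restrictive modes rely on the system enforcing it per access."""
    return [it.name for it in items
            if dominates(user.clearance, it.level)
            and it.compartment in user.formal_approvals
            and it.name in user.need_to_know]


def evaluate(mode: str, user: User, items: Sequence[Item]) -> Dict[str, object]:
    """Admission decision for the mode, and the data the user could then reach."""
    failures = admission_failures(mode, user, items)
    return {
        "admitted": not failures,
        "failures": failures,
        "accessible": accessible_items(user, items) if not failures else [],
    }


# Constructed sample system and users (not from the page).
ITEMS = [
    Item("payroll", "SECRET", "HR"),
    Item("designs", "TOP SECRET", "RND"),
    Item("memo", "CONFIDENTIAL", "HR"),
]
ALICE = User("alice", True, "SECRET", {"HR"}, {"payroll", "memo"})
BOB = User("bob", True, "TOP SECRET", {"HR", "RND"}, {"payroll", "designs", "memo"})

if __name__ == "__main__":
    for mode in MODE_REQUIRES_FOR_ALL:
        print(mode, "alice:", evaluate(mode, ALICE, ITEMS))
        print(mode, "bob:  ", evaluate(mode, BOB, ITEMS))
```

Running it shows the exam answer in code: alice, who lacks clearance for the TOP SECRET item, is turned away from the dedicated, system-high and compartmented systems and is admitted only to the multilevel one, where the system then limits her to the two HR items she is cleared and approved for and needs to know.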

 

References:

WALLHOFF, John, CBK#6 Security Architecture and Models (CISSP Study Guide), April 2002 (page 6).

http://en.wikipedia.org/wiki/Security_Modes

 

 

QUESTION 407

It is a violation of the “separation of duties” principle when which of the following individuals accesses the software on systems implementing security?

 

A. security administrator

B. security analyst

C. systems auditor

D. systems programmer

 

Correct Answer: D

Explanation:

Reason: The security administrator, security analyst, and the systems auditor need access to portions of the security systems to accomplish their jobs. The systems programmer does not need access to the working (AKA: production) security systems.

 

Programmers should not be allowed to have ongoing direct access to computers running production systems (systems used by the organization to operate its business). To maintain system integrity, any changes they make to production systems should be tracked by the organization’s change management control system.

 

Because the security administrator’s job is to perform security functions, the performance of non-security tasks must be strictly limited. This separation of duties reduces the likelihood of loss that results from users abusing their authority by taking actions outside of their assigned functional responsibilities.

 

References:

OFFICIAL (ISC)2 GUIDE TO THE CISSP EXAM (2003), Hansche, S., Berti, J., Hare, H., Auerbach Publication, FL, Chapter 5 – Operations Security, section 5.3, ”Security Technology and Tools,” Personnel section (page 32).

KRUTZ, R. & VINES, R. The CISSP Prep Guide: Gold Edition (2003), Wiley Publishing Inc., Chapter 6: Operations Security, Separations of Duties (page 303).

 

 

QUESTION 408

Which of the following is an advantage in using a bottom-up versus a top-down approach to software testing?

 

A. Interface errors are detected earlier.

B. Errors in critical modules are detected earlier.

C. Confidence in the system is achieved earlier.

D. Major functions and processing are tested earlier.

 

Correct Answer: B

Explanation:

The bottom-up approach to software testing begins with the testing of atomic units, such as programs and modules, and works upwards until complete system testing has taken place. The advantages of using a bottom-up approach to software testing are that there is no need for stubs or drivers and that errors in critical modules are found earlier. The other choices refer to advantages of a top-down approach, which follows the opposite path.

 

Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 299).

 

 

QUESTION 409

Degaussing is used to clear data from all of the following media except:

 

A. Floppy Disks

B. Read-Only Media

C. Video Tapes

D. Magnetic Hard Disks

 

Correct Answer: B

Explanation:

Atoms and Data

Shon Harris says: “A device that performs degaussing generates a coercive magnetic force that reduces the magnetic flux density of the storage media to zero. This magnetic force is what properly erases data from media. Data are stored on magnetic media by the representation of the polarization of the atoms. Degaussing changes”

 

The latest ISC2 book says:

“Degaussing can also be a form of media destruction. High-power degaussers are so strong in some cases that they can literally bend and warp the platters in a hard drive. Shredding and burning are effective destruction methods for non-rigid magnetic media. Indeed, some shredders are capable of shredding some rigid media such as an optical disk. This may be an effective alternative for any optical media containing nonsensitive information due to the residue size remaining after feeding the disk into the machine. However, the residue size might be too large for media containing sensitive information. Alternatively, grinding and pulverizing are acceptable choices for rigid and solid-state media. Specialized devices are available for grinding the face of optical media that either sufficiently scratches the surface to render the media unreadable or actually grinds off the data layer of the disk. Several services also exist which will collect drives, destroy them on site if requested and provide certification of completion. It will be the responsibility of the security professional to help, select, and maintain the most appropriate solutions for media cleansing and disposal.”

 

Degaussing is achieved by passing the magnetic media through a powerful magnetic field to rearrange the metallic particles, completely removing any resemblance of the previously recorded signal (from the “All About Degaussers” link below). Therefore, degaussing will work on any electronically based media such as floppy disks or hard disks; all of these are examples of electronic storage. However, “read-only media” includes items such as paper printouts and CD-ROMs, which do not store data in an electronic form and are not magnetic storage. Passing them through a magnetic field has no effect on them.

 

Not all clearing/purging methods are applicable to all media. For example, optical media is not susceptible to degaussing, and overwriting may not be effective against flash devices. The degree to which information may be recoverable by a sufficiently motivated and capable adversary must not be underestimated or guessed at in ignorance. For the highest-value commercial data, and for all data regulated by government or military classification rules, read and follow the rules and standards.

 

I will admit that this is a bit of a trick question. Determining the difference between “read-only media” and “read-only memory” is difficult for the question taker. However, I believe it is representative of the type of question you might one day see on an exam.

 

The other answers are incorrect because:

 

Floppy Disks, Magnetic Tapes, and Magnetic Hard Disks are all examples of magnetic storage, and therefore are erased by degaussing.

 

A videotape is a recording of images and sounds onto magnetic tape, as opposed to the film stock used in filmmaking or random-access digital media. Videotapes are also used for storing scientific or medical data, such as the data produced by an electrocardiogram. In most cases, a helical scan video head rotates against the moving tape to record the data in two dimensions, because video signals have a very high bandwidth and static heads would require extremely high tape speeds. Videotape is used in video tape recorders (VTRs) or, more commonly and more recently, videocassette recorders (VCRs) and camcorders. Tape uses a linear method of storing information, and since nearly all video recordings made nowadays are digital direct-to-disk recordings (DDR), videotape is expected to gradually lose importance as non-linear/random-access methods of storing digital video data become more common.

 

Reference(s) used for this question:

 

Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 25627-25630). McGraw-Hill. Kindle Edition.

Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition. Security Operations (Kindle Locations 580-588). Kindle Edition.

 

All About Degaussers and Erasure of Magnetic Media:

http://www.degausser.co.uk/degauss/degabout.htm

http://www.degaussing.net/

http://www.cerberussystems.com/INFOSEC/stds/ncsctg25.htm

 

 

QUESTION 410

Which of the following is considered the weakest link in a security system?

 

A. People

B. Software

C. Communications

D. Hardware

 

Correct Answer: A

Explanation:

People are the weakest link. The other choices can be strengthened and counted on (for the most part) to remain consistent if properly protected. People are fallible and unpredictable. Most security intrusions are caused by employees. People get tired, careless, and greedy. They are not always reliable and may falter in following defined guidelines and best practices. Security professionals must install adequate prevention and detection controls and properly train all system users. Proper hiring and firing practices can eliminate certain risks. Security awareness training is key to ensuring people are aware of risks and their responsibilities.

 

The following answers are incorrect:

Software. Although software exploits are a major threat and cause for concern, people are the weakest point in a security posture. Software can be removed, upgraded or patched to reduce risk.

 

Communications. Although many attacks from inside and outside an organization use communication methods such as the network infrastructure, this is not the weakest point in a security posture. Communications can be monitored, devices installed or upgraded to reduce risk and react to attack attempts.

 

Hardware. Hardware components can be a weakness in a security posture, but they are not the weakest link of the choices provided. Access to hardware can be minimized by such measures as installing locks and monitoring access in and out of certain areas.

 

The following reference(s) were used to create this question:

 

Shon Harris AIO v.3 P.19, 107-109

ISC2 OIG 2007, p.51-55
