[Free] New Updated (October) ISC SSCP Real Exam 41-50

Ensurepass

 

QUESTION 41

How are memory cards and smart cards different?

 

A.

Memory cards normally hold more memory than smart cards

B.

Smart cards provide a two-factor authentication whereas memory cards don’t

C.

Memory cards have no processing power

D.

Only smart cards can be used for ATM cards

 

Correct Answer: C

Explanation:

The main difference between memory cards and smart cards is their capacity to process information. A memory card holds information but cannot process information. A smart card holds information and has the necessary hardware and software to actually process that information.

 

A memory card holds a user’s authentication information, so the user needs only to type in a user ID or PIN and present the memory card to the system. If the entered information and the stored information match and are approved by an authentication service, the user is successfully authenticated.

 

A common example of a memory card is a swipe card used to provide entry to a building. The user enters a PIN and swipes the memory card through a card reader. If this is the correct combination, the reader flashes green and the individual can open the door and enter the building.

 

Memory cards can also be used with computers, but they require a reader to process the information. The reader adds cost, especially when one is needed for every computer, and the generation and distribution of PINs and cards add complexity to the whole authentication process. However, a memory card provides a more secure authentication method than a password alone, because the attacker would need both to obtain the card and to know the correct PIN.

 

Administrators and management need to weigh the costs and benefits of a memory card implementation as well as the security needs of the organization to determine if it is the right authentication mechanism for their environment.

 

One of the most prevalent weaknesses of memory cards is that data stored on the card are not protected. Unencrypted data on the card (or stored on the magnetic strip) can be extracted or copied. Unlike a smart card, where security controls and logic are embedded in the integrated circuit, memory cards do not employ an inherent mechanism to protect the data from exposure.

Very little trust can be associated with confidentiality and integrity of information on the memory cards.
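The weakness just described can be made concrete. The following Python simulation is an added example, not code from the page or from its references: a memory card is modelled as a static track that any reader (genuine or skimmer) returns verbatim, and a smart card as a chip that keeps its secret inside and answers HMAC-SHA256 challenges only after on-card PIN verification. The user ID, PIN, card secret, three-try lockout and the challenge-response scheme are assumptions for illustration; real smart cards use vendor-specific protocols.

```python
import hashlib
import hmac
import secrets

# Constructed enrolment data for the demo (sample values, not from the page).
USER_ID = "u1001"
PIN = "4821"
CARD_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")

def pin_digest(pin: str, salt: bytes) -> bytes:
    """The service stores a salted PBKDF2 digest of the PIN, never the PIN."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 10_000)

class MemoryCard:
    """Memory card: storage only, no processing. Whatever is on the stripe
    is handed to any reader, genuine or skimmer, exactly as stored."""
    def __init__(self, user_id: str, secret: bytes):
        self.track = user_id.encode() + b"|" + secret

    def read(self) -> bytes:
        return self.track

class SmartCard:
    """Smart card: the secret never leaves the chip. It answers a challenge
    only after on-card PIN verification and locks after three wrong PINs."""
    def __init__(self, secret: bytes, pin: str):
        self._secret, self._pin = secret, pin
        self._unlocked, self.retries_left = False, 3

    def unlock(self, pin: str) -> bool:
        if self.retries_left == 0:
            return False                              # permanently locked
        if hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._unlocked, self.retries_left = True, 3
            return True
        self.retries_left -= 1
        return False

    def respond(self, challenge: bytes) -> bytes:
        if not self._unlocked:
            raise PermissionError("card locked: present PIN first")
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()

class AuthService:
    def __init__(self):
        self._users = {}      # user_id -> (secret, salt, pin_digest)
        self._pending = {}    # user_id -> outstanding challenge nonce

    def enroll(self, user_id: str, secret: bytes, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[user_id] = (secret, salt, pin_digest(pin, salt))

    def verify_memory_card(self, track: bytes, pin: str) -> bool:
        """Memory-card flow: the reader forwards the static track plus the typed PIN."""
        user_id, _, secret = track.partition(b"|")
        rec = self._users.get(user_id.decode(errors="replace"))
        if rec is None:
            return False
        stored_secret, salt, digest = rec
        return (hmac.compare_digest(secret, stored_secret)
                and hmac.compare_digest(pin_digest(pin, salt), digest))

    def challenge(self, user_id: str) -> bytes:
        """Smart-card flow: a fresh, single-use nonce for every attempt."""
        self._pending[user_id] = secrets.token_bytes(32)
        return self._pending[user_id]

    def verify_smart_card(self, user_id: str, response: bytes) -> bool:
        nonce, rec = self._pending.pop(user_id, None), self._users.get(user_id)
        if nonce is None or rec is None:
            return False
        expected = hmac.new(rec[0], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def demo() -> dict:
    svc = AuthService()
    svc.enroll(USER_ID, CARD_SECRET, PIN)
    # 1. A skimmed memory card is a perfect clone: same bytes, same result.
    skimmed = MemoryCard(USER_ID, CARD_SECRET).read()
    clone_ok = svc.verify_memory_card(skimmed, PIN)   # PIN shoulder-surfed
    # 2. Recording a smart-card exchange gives the attacker nothing reusable.
    card = SmartCard(CARD_SECRET, PIN)
    card.unlock(PIN)
    recorded = card.respond(svc.challenge(USER_ID))
    genuine_ok = svc.verify_smart_card(USER_ID, recorded)
    svc.challenge(USER_ID)                            # next login, new nonce
    replay_ok = svc.verify_smart_card(USER_ID, recorded)
    # 3. Guessing PINs against a stolen smart card exhausts the retry counter.
    stolen = SmartCard(CARD_SECRET, PIN)
    for guess in ("0000", "1234", "1111"):
        stolen.unlock(guess)
    locked = not stolen.unlock(PIN)                   # even the right PIN fails now
    return {"clone_ok": clone_ok, "genuine_ok": genuine_ok,
            "replay_ok": replay_ok, "locked": locked}
```

Calling demo() shows the asymmetry: a copied memory-card track plus the PIN authenticates exactly like the original, while a recorded smart-card response is useless against the next challenge and PIN guessing locks the card. The difference is where the PIN check and the secret live: at the service for the memory card (so the card contributes nothing an attacker cannot copy), inside the chip for the smart card.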

 

The following answers are incorrect:

 

“Smart cards provide two-factor authentication whereas memory cards don’t” is incorrect. This is not necessarily true. A memory card can be combined with a PIN or password to offer two-factor authentication, where something you have and something you know are the two factors.

 

“Memory cards normally hold more memory than smart cards” is incorrect. While a memory card may or may not have more memory than a smart card, this is certainly not the best answer to the question.

 

“Only smart cards can be used for ATM cards” is incorrect. This depends on the decisions made by the particular institution and is not the best answer to the question.

 

Reference(s) used for this question:

 

Shon Harris, CISSP All-in-One, 6th edition, Access Control, Page 199 (Kindle Locations 4647-4650).

Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition: Access Control ((ISC)2 Press) (Kindle Locations 2124-2139). Auerbach Publications. Kindle Edition.

 

 

QUESTION 42

Which of the following exemplifies proper separation of duties?

 

A.

Operators are not permitted to modify the system time.

B.

Programmers are permitted to use the system console.

C.

Console operators are permitted to mount tapes and disks.

D.

Tape operators are permitted to use the system console.

 

Correct Answer: A

Explanation:

This is an example of separation of duties because operators are prevented from modifying the system time, which could otherwise be abused to falsify timestamps in audit records and conceal fraud. Tasks of this nature should be performed by the system administrators.

 

AIO defines Separation of Duties as a security principle that splits up a critical task among two or more individuals to ensure that one person cannot complete a risky task by himself.

 

The following answers are incorrect:

Programmers are permitted to use the system console. This is incorrect because programmers should not be permitted to use the system console; that task belongs to operators. Allowing programmers access to the system console could allow fraud to occur, so this is not an example of separation of duties.

 

Console operators are permitted to mount tapes and disks. This is incorrect because mounting tapes and disks is part of an operator’s normal job, so this is not an example of separation of duties.

 

Tape operators are permitted to use the system console. This is incorrect because operators are expected to use the system console, so this is not an example of separation of duties.

 

References:

OIG CBK Access Control (page 98 – 101)

AIOv3 Access Control (page 182)

 

QUESTION 43

Which of the following is true about Kerberos?

 

A.

It utilizes public key cryptography.

B.

It encrypts data after a ticket is granted, but passwords are exchanged in plain text.

C.

It depends upon symmetric ciphers.

D.

It is a second party authentication system.

 

Correct Answer: C

Explanation:

Kerberos depends on secret keys (symmetric ciphers). Kerberos is a third-party authentication protocol. It was designed and developed at MIT in the mid-1980s. It is considered open source but is copyrighted and owned by MIT. It relies on each principal’s secret key: a key derived from the user’s password is used to decrypt the session key and ticket that the Key Distribution Center returns, so the password itself is never sent over the network.

 

The following answers are incorrect:

It utilizes public key cryptography. Is incorrect because Kerberos depends on secret keys (symmetric ciphers).

 

It encrypts data after a ticket is granted, but passwords are exchanged in plain text. This is incorrect because passwords are never exchanged; a key derived from the password is used to encrypt and decrypt the keys the Key Distribution Center issues.

 

It is a second party authentication system. Is incorrect because Kerberos is a third party authentication system, you authenticate to the third party (Kerberos) and not the system you are accessing.

 

References:

MIT http://web.mit.edu/kerberos/

Wikipedia http://en.wikipedia.org/wiki/Kerberos_%28protocol%29

 

OIG CBK Access Control (pages 181 – 184)

AIOv3 Access Control (pages 151 – 155)

 

QUESTION 44

There are parallels between the trust models in Kerberos and Public Key Infrastructure (PKI). When we compare them side by side, Kerberos tickets correspond most closely to which of the following?

 

A.

public keys

B.

private keys

C.

public-key certificates

D.

private-key certificates

 

Correct Answer: C

Explanation:

A Kerberos ticket is issued by a trusted third party (the Key Distribution Center). It is a data structure, encrypted under the service’s long-term key, that binds the client’s identity to a session key for that service. In that sense it resembles a public-key certificate, which is likewise issued by a trusted third party and binds an identity to a key. However, the ticket is not the key.

 

The following answers are incorrect:

 

public keys. Kerberos tickets are not shared out publicly, so they are not like a PKI public key.

private keys. Although a Kerberos ticket is not shared publicly, it is not a private key. Private keys belong to asymmetric cryptosystems, which Kerberos does not use; Kerberos uses only symmetric cryptography.

private-key certificates. This is a distractor: there is no such thing as a private-key certificate.
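To make the two points above concrete (Question 43: everything is symmetric and the password never crosses the wire; Question 44: a ticket is a sealed structure issued by the trusted third party that carries a session key but is not itself a key), here is an added Python simulation. It is not code from MIT Kerberos or from this page, and it simplifies freely: the AS and TGS exchanges are collapsed into one KDC request, an HMAC-SHA256 stream cipher with an encrypt-then-MAC tag stands in for Kerberos’s AES/DES encryption types, PBKDF2 stands in for string2key, and the principal names, password, lifetimes and replay window are made up for the demo.

```python
import hashlib
import hmac
import json
import secrets
import time

# Toy authenticated symmetric cipher (HMAC-SHA256 keystream, encrypt-then-MAC).
# A stand-in for the encryption types real Kerberos uses; for the demo only.
def _keys(key: bytes) -> tuple:
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),   # keystream key
            hmac.new(key, b"mac", hashlib.sha256).digest())   # tag key

def _ks(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, obj: dict) -> bytes:
    ek, mk = _keys(key)
    pt, nonce = json.dumps(obj, sort_keys=True).encode(), secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _ks(ek, nonce, len(pt))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    ek, mk = _keys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(ek, nonce, len(ct)))))

def string_to_key(password: str, principal: str) -> bytes:
    """Long-term key derived from the password on client and KDC alike;
    the password itself is never transmitted (simplified string2key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

class KDC:
    """Trusted third party holding every principal's long-term key."""
    def __init__(self, keys: dict):
        self.keys = keys

    def request(self, client: str, service: str, lifetime: int = 300) -> bytes:
        sk = secrets.token_bytes(32).hex()               # fresh session key
        ticket = seal(self.keys[service],                # only the service can open it
                      {"client": client, "session_key": sk,
                       "expires": time.time() + lifetime})
        return seal(self.keys[client],                   # only the password holder can open it
                    {"service": service, "session_key": sk, "ticket": ticket.hex()})

class Service:
    def __init__(self, name: str, key: bytes):
        self.name, self.key, self._seen = name, key, set()

    def accept(self, ticket: bytes, authenticator: bytes) -> bool:
        try:
            t = unseal(self.key, ticket)
            a = unseal(bytes.fromhex(t["session_key"]), authenticator)
        except ValueError:
            return False                                 # forged, tampered or wrong key
        fresh = abs(a["ts"] - time.time()) < 300 and (t["client"], a["ts"]) not in self._seen
        if t["expires"] < time.time() or a["client"] != t["client"] or not fresh:
            return False
        self._seen.add((t["client"], a["ts"]))           # replay cache
        return True

def login(kdc: KDC, svc: Service, client: str, password: str) -> bool:
    reply = kdc.request(client, svc.name)
    try:
        r = unseal(string_to_key(password, client), reply)
    except ValueError:
        return False                                     # wrong password: no session key
    auth = seal(bytes.fromhex(r["session_key"]), {"client": client, "ts": time.time()})
    return svc.accept(bytes.fromhex(r["ticket"]), auth)

def demo() -> dict:
    alice_key = string_to_key("correct horse", "alice")
    fs_key = secrets.token_bytes(32)
    kdc = KDC({"alice": alice_key, "fileserver": fs_key})
    fs = Service("fileserver", fs_key)
    out = {"good_password": login(kdc, fs, "alice", "correct horse"),
           "bad_password": login(kdc, fs, "alice", "correct h0rse")}
    r = unseal(alice_key, kdc.request("alice", "fileserver"))
    try:                                                 # the ticket is opaque to its holder
        unseal(alice_key, bytes.fromhex(r["ticket"]))
        out["ticket_opaque"] = False
    except ValueError:
        out["ticket_opaque"] = True
    auth = seal(bytes.fromhex(r["session_key"]), {"client": "alice", "ts": time.time()})
    out["first_use"] = fs.accept(bytes.fromhex(r["ticket"]), auth)
    out["replay"] = fs.accept(bytes.fromhex(r["ticket"]), auth)
    tampered = bytearray(bytes.fromhex(r["ticket"]))
    tampered[20] ^= 1                                    # flip one ciphertext bit
    out["tampered"] = fs.accept(bytes(tampered), auth)
    return out
```

Running demo() shows that a wrong password simply fails to open the KDC reply (nothing password-like ever goes on the wire), that the client can hold its ticket but not read or alter it (only the file server’s key opens it, much as only the CA’s key validates a certificate’s signature), and that the service’s replay cache rejects a captured ticket/authenticator pair.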

 

 

QUESTION 45

Which of the following is most appropriate to notify an external user that session monitoring is being conducted?

 

A.

Logon Banners

B.

Wall poster

C.

Employee Handbook

D.

Written agreement

 

Correct Answer: A

Explanation:

Banners displayed at logon time should be used to notify external users of any monitoring that is being conducted. A good banner improves the organization’s legal standing and makes it clear that the user was warned about who may access the system; an unauthorized user who continues past it is knowingly trespassing.

 

This is a tricky question: the keyword is external user.

 

There are two possible readings depending on who the user is: an internal user or an anonymous user. Internal users should always sign a written agreement first; logon banners then serve as a constant reminder.

Anonymous users, such as those logging into a web site, an FTP server or even a mail server, can be notified only by a logon banner.

 

References used for this question:

 

KRUTZ, Ronald L.& VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 50.

Shon Harris, CISSP All-in-one, 5th edition, pg 873

 

 

QUESTION 46

In biometric identification systems, the parts of the body conveniently available for identification are:

 

A.

neck and mouth

B.

hands, face, and eyes

C.

feet and hair

D.

voice and neck

 

Correct Answer: B

Explanation:

Implementations of fast, accurate, reliable and user-acceptable biometric identification systems are already under way. Because most identity authentication takes place when people are fully clothed (neck to feet and wrists), the parts of the body conveniently available for this purpose are the hands, face and eyes.

From: TIPTON, Harold F.& KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 1, Page 7.

 

 

 

QUESTION 47

Which security model uses division of operations into different parts and requires different users to perform each part?

 

A.

Bell-LaPadula model

B.

Biba model

C.

Clark-Wilson model

D.

Non-interference model

 

Correct Answer: C

Explanation:

The Clark-Wilson model uses separation of duties, which divides an operation into different parts and requires different users to perform each part. This prevents authorized users from making unauthorized modifications to data, thereby protecting its integrity.

 

The Clark-Wilson integrity model provides a foundation for specifying and analyzing an integrity policy for a computing system.

 

The model is primarily concerned with formalizing the notion of information integrity. Information integrity is maintained by preventing corruption of data items in a system due to either error or malicious intent. An integrity policy describes how the data items in the system should be kept valid from one state of the system to the next and specifies the capabilities of various principals in the system. The model defines enforcement rules and certification rules.

 

The model’s enforcement and certification rules define data items and processes that provide the basis for an integrity policy. The core of the model is based on the notion of a transaction.

 

A well-formed transaction is a series of operations that transition a system from one consistent state to another consistent state.

In this model the integrity policy addresses the integrity of the transactions. The principle of separation of duty requires that the certifier of a transaction and the implementer be different entities.

 

The model contains a number of basic constructs that represent both data items and processes that operate on those data items. The key data type in the Clark-Wilson model is a Constrained Data Item (CDI). An Integrity Verification Procedure (IVP) ensures that all CDIs in the system are valid at a certain state. Transactions that enforce the integrity policy are represented by Transformation Procedures (TPs). A TP takes as input a CDI or Unconstrained Data Item (UDI) and produces a CDI. A TP must transition the system from one valid state to another valid state. UDIs represent system input (such as that provided by a user or adversary). A TP must guarantee (via certification) that it transforms all possible values of a UDI to a “safe” CDI.

 

In general, preservation of data integrity has three goals:

 

Prevent data modification by unauthorized parties

Prevent unauthorized data modification by authorized parties

Maintain internal and external consistency (i.e. data reflects the real world)

 

Clark-Wilson addresses all three goals, but Biba addresses only the first goal of integrity.
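As an added worked example (not from the page, and not from Clark and Wilson’s paper), the following Python sketch models the constructs described above: CDIs held in a dict, an IVP, TPs certified by an auditor, (user, TP) authorization triples, and the separation-of-duty rule that the certifier of a TP may not execute it. It also shows the two-person split asked about in Question 42, with one user entering a transfer and a different user releasing it. The ledger, the account names, the request format and the rule labels in the comments are assumptions for illustration.

```python
import copy

class IntegrityViolation(Exception):
    """An enforcement or certification rule would be broken."""

class ClarkWilson:
    """Minimal Clark-Wilson monitor. Rule labels C1..C5 / E1..E4 in the
    comments follow the model's numbering and are annotations only."""
    def __init__(self, cdis: dict, ivp):
        self._cdis = cdis         # constrained data items; changed only by TPs
        self._ivp = ivp           # integrity verification procedure
        self._tps = {}            # name -> (function, certifier)      [C2]
        self._triples = set()     # authorized (user, TP) pairs        [E2]
        self.log = []             # append-only audit trail            [C4]
        if not ivp(cdis):
            raise IntegrityViolation("initial state fails the IVP")   # [C1]

    def certify(self, certifier: str, name: str, tp) -> None:
        self._tps[name] = (tp, certifier)

    def authorize(self, user: str, tp: str) -> None:
        if user == self._tps[tp][1]:                  # [E4] certifier may not execute
            raise IntegrityViolation(f"{user} certified {tp}: separation of duty")
        self._triples.add((user, tp))

    def run(self, user: str, tp: str, udi=None) -> dict:
        if (user, tp) not in self._triples:           # [E2] only authorized triples
            raise IntegrityViolation(f"{user} may not run {tp}")
        work = copy.deepcopy(self._cdis)              # all-or-nothing transaction
        self._tps[tp][0](work, udi)                   # TP validates any UDI   [C5]
        if not self._ivp(work):                       # result must be valid   [C1]
            raise IntegrityViolation(f"{tp} left an inconsistent state; rolled back")
        self._cdis.clear()
        self._cdis.update(work)
        self.log.append((user, tp, udi))
        return copy.deepcopy(work)

# A small ledger as the worked instance (constructed data).
def ledger_ivp(cdis: dict) -> bool:
    accts = cdis["accounts"]
    return all(v >= 0 for v in accts.values()) and sum(accts.values()) == cdis["total"]

def submit_transfer(cdis: dict, udi: str) -> None:
    """UDI -> CDI: parse 'SRC->DST:AMOUNT' and refuse anything malformed."""
    try:
        src, rest = udi.split("->")
        dst, amt = rest.split(":")
        amt = int(amt)
    except (ValueError, AttributeError):
        raise IntegrityViolation(f"malformed request {udi!r}")
    if amt <= 0 or src == dst or not {src, dst} <= set(cdis["accounts"]):
        raise IntegrityViolation(f"rejected request {udi!r}")
    cdis["pending"].append((src, dst, amt))

def approve_transfer(cdis: dict, udi=None) -> None:
    src, dst, amt = cdis["pending"].pop(0)
    cdis["accounts"][src] -= amt                      # an overdraft is caught by the IVP
    cdis["accounts"][dst] += amt

def demo() -> dict:
    state = {"accounts": {"A": 100, "B": 50}, "pending": [], "total": 150}
    cw = ClarkWilson(state, ledger_ivp)
    cw.certify("auditor", "submit", submit_transfer)
    cw.certify("auditor", "approve", approve_transfer)
    cw.authorize("teller", "submit")                  # one person enters ...
    cw.authorize("supervisor", "approve")             # ... another releases
    out = {}
    out["submitted"] = cw.run("teller", "submit", "A->B:30")["pending"] == [("A", "B", 30)]
    for key, call in (("sod", lambda: cw.run("teller", "approve")),
                      ("certifier_blocked", lambda: cw.authorize("auditor", "approve")),
                      ("udi_rejected", lambda: cw.run("teller", "submit", "A->B:abc"))):
        try:
            call()
            out[key] = False
        except IntegrityViolation:
            out[key] = True
    out["approved"] = cw.run("supervisor", "approve")["accounts"] == {"A": 70, "B": 80}
    cw.run("teller", "submit", "A->B:500")            # well-formed, but would overdraw A
    try:
        cw.run("supervisor", "approve")
        out["rollback"] = False
    except IntegrityViolation:
        out["rollback"] = state["accounts"] == {"A": 70, "B": 80}
    return out
```

demo() exercises each rule: the teller cannot approve what the teller entered, the auditor who certified a TP cannot be granted the right to run it, a malformed UDI never becomes a CDI, and a TP that would leave an account negative is rolled back by the IVP check even though the request itself was well-formed.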

 

References:

HARRIS, Shon, All-In-One CISSP Certification Fifth Edition, McGraw-Hill/Osborne, Chapter 5: Security Architecture and Design (Page 341-344).

http://en.wikipedia.org/wiki/Clark-Wilson_model

 

QUESTION 48

Which of the following classes is the first (lowest) level defined in the TCSEC (Orange Book) as mandatory protection?

 

A.

B

B.

A

C.

C

D.

D

 

Correct Answer: A

Explanation:

Division B is the first (lowest) TCSEC division that requires mandatory protection: classes B1, B2 and B3 all require labelled subjects and objects and mandatory access control enforced by the TCB. Division D is minimal protection, division C (C1, C2) provides only discretionary protection, and division A (A1) adds formal design verification on top of B3.

 

First published in 1983 and updated in 1985, the TCSEC, frequently referred to as the Orange Book, was a United States Department of Defense (DoD) standard that set basic requirements for the implementation of security protections in computing systems. Primarily intended to help the DoD find products that met those requirements, the TCSEC was used to evaluate, classify and select computer systems being considered for the processing, storage and retrieval of sensitive or classified information on military and government systems. As such, it was strongly focused on enforcing confidentiality, with no focus on other aspects of security such as integrity or availability. Although it has since been superseded by the Common Criteria, it influenced the development of other product evaluation criteria, and some of its basic approach and terminology continues to be used.

 

Reference used for this question:

 

Hernandez, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 17920-17926). Auerbach Publications. Kindle Edition.

The primary source for all TCSEC “level” questions:

http://csrc.nist.gov/publications/secpubs/rainbow/std001.txt (paragraph 3 for this one)

 

 

QUESTION 49

How would nonrepudiation best be classified?

 

A.

A preventive control

B.

A logical control

C.

A corrective control

D.

A compensating control

 

Correct Answer: A

Explanation:

Systems accountability depends on the ability to ensure that senders cannot deny sending information and that receivers cannot deny receiving it. Because the mechanisms implemented in nonrepudiation prevent the ability to successfully repudiate an action, it can be considered as a preventive control.

Source: STONEBURNER, Gary, NIST Special Publication 800-33: Underlying Technical Models for Information Technology Security, National Institute of Standards and Technology, December 2001, page 7.

 

 

 

 

 

 

QUESTION 50

Which of the following questions is less likely to help in assessing identification and authentication controls?

 

A.

Is a current list maintained and approved of authorized users and their access?

B.

Are passwords changed at least every ninety days or earlier if needed?

C.

Are inactive user identifications disabled after a specified period of time?

D.

Is there a process for reporting incidents?

 

Correct Answer: D

Explanation:

Identification and authentication is a technical measure that prevents unauthorized people (or unauthorized processes) from entering an IT system. Access control usually requires that the system be able to identify and differentiate among users. Reporting incidents is more related to incident response capability (an operational control) than to identification and authentication (a technical control).

Source: SWANSON, Marianne, NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems, November 2001 (Pages A-30 to A-32).

 
