[Free] New Updated (October) ISC SSCP Real Exam 411-420

Ensurepass

 

QUESTION 411

Why does compiled code pose more of a security risk than interpreted code?

 

A.

Because malicious code can be embedded in compiled code and be difficult to detect.

B.

If the executed compiled code fails, there is a chance it will fail insecurely.

C.

Because compilers are not reliable.

D.

There is no risk difference between interpreted code and compiled code.

 

Correct Answer: A

Explanation:

From a security standpoint, a compiled program is less desirable than an interpreted one because malicious code can be resident somewhere in the compiled code, and it is difficult to detect in a very large program.

 

 

QUESTION 412

At what stage of the applications development process should the security department become involved?

 

A.

Prior to the implementation

B.

Prior to systems testing

C.

During unit testing

D.

During requirements development

 

Correct Answer: D

Explanation:

Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

 

 

QUESTION 413

Configuration Management controls what?

 

A.

Auditing of changes to the Trusted Computing Base.

B.

Control of changes to the Trusted Computing Base.

C.

Changes in the configuration access to the Trusted Computing Base.

D.

Auditing and controlling any changes to the Trusted Computing Base.

 

Correct Answer: D

Explanation:

All of these are components of Configuration Management.

 

The following answers are incorrect:

 

Auditing of changes to the Trusted Computing Base. Is incorrect because it refers only to auditing the changes, but nothing about controlling them.

Control of changes to the Trusted Computing Base. Is incorrect because it refers only to controlling the changes, but nothing about ensuring the changes will not lead to a weakness or fault in the system.

Changes in the configuration access to the Trusted Computing Base. Is incorrect because this does not refer to controlling the changes or ensuring the changes will not lead to a weakness or fault in the system.

 

 

QUESTION 414

Which of the following describes a logical form of separation used by secure computing systems?

 

A.

Processes use different levels of security for input and output devices.

B.

Processes are constrained so that each cannot access objects outside its permitted domain.

C.

Processes conceal data and computations to inhibit access by outside processes.

D.

Processes are granted access based on granularity of controlled objects.

 

Correct Answer: B

Explanation:

Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

 

 

QUESTION 415

Which of the following security controls might force an operator into collusion with personnel assigned organizationally within a different function in order to gain access to unauthorized data?

 

A.

Limiting the local access of operations personnel

B.

Job rotation of operations personnel

C.

Management monitoring of audit logs

D.

Enforcing regular password changes

 

Correct Answer: A

Explanation:

The questions specifically said: “within a different function” which eliminate Job Rotation as a choice.

 

Management monitoring of audit logs is a detective control and it would not prevent collusion.

Changing passwords regularly would not prevent such attack.

 

This question validates if you understand the concept of separation of duties and least privilege. By having operators that have only the minimum access level they need and only what they need to do their duties within a company, the operations personnel would be force to use collusion to defeat those security mechanism.

 

Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

 

 

QUESTION 416

Related to information security, availability is the opposite of which of the following?

 

< td style="border-top-style: none; border-left-style: none; background: white; border-bottom-style: none; padding-bottom: 0cm; padding-top: 0cm; border-right-style: none; padding-left: 0cm; padding-right: 0cm" valign="top" width="566">

delegation

A.

B.

distribution

C.

documentation

D.

destruction

 

Correct Answer: D

Explanation:

Availability is the opposite of “destruction.”

Source: KRUTZ, Ronald L.& VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 59.

 

 

QUESTION 417

Which of the following choices describe a condition when RAM and Secondary storage are used together?

 

A.

Primary storage

B.

Secondary storage

C.

Virtual storage

D.

Real storage

 

Correct Answer: C

Explanation:

Virtual storage a service provided by the operating system where it uses a combination of RAM and disk storage to simulate a much larger address space than is actually present. Infrequently used portions of memory are paged out by being written to secondary storage and paged back in when required by a running program.

 

Most OS’s have the ability to simulate having more main memory than is physically available in the system. This is done by storing part of the data on secondary storage, such as a disk. This can be considered a virtual page. If the data requested by the system is not currently in main memory, a page fault is taken. This condition triggers the OS handler. If the virtual address is a valid one, the OS will locate the physical page, put the right information in that page, update the translation table, and then try the request again. Some other page might be swapped out to make room. Each process may have its own separate virtual address space along with its own mappings and protections.

 

The following are incorrect answers:

Primary storage is incorrect. Primary storage refers to the combination of RAM, cache and the processor registers. Primary Storage The data waits for processing by the processors, it sits in a staging area called primary storage. Whether implemented as memory, cache, or registers (part of the CPU), and regardless of its location, primary storage stores data that has a high probability of being requested by the CPU, so it is usually faster than long-term, secondary storage. The location where data is stored is denoted by its physical memory address. This memory register identifier remains constant and is independent of the value stored there. Some examples of primary storage devices include random-access memory (RAM), synchronous dynamic random-access memory (SDRAM), and read-only memory (ROM). RAM is volatile, that is, when the system shuts down, it flushes the data in RAM although recent research has shown that data may still be retrievable. Contrast this

Secondary storage is incorrect. Secondary storage holds data not currently being used by the CPU and is used when data must be stored for an extended period of time using high- capacity, nonvolatile storage. Secondary storage includes disk, floppies, CD’s, tape, etc. While secondary storage includes basically anything different from primary storage, virtual memory’s use of secondary storage is usually confined to high-speed disk storage.

 

Real storage is incorrect. Real storage is another word for primary storage and distinguishes physical memory from virtual memory.

 

Reference(s) used for this question:

 

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 17164-17171). Auerbach Publications. Kindle Edition.

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 17196-17201). Auerbach Publications. Kindle Edition.

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 17186-17187). Auerbach Publications. Kindle Edition.

 

 

QUESTION 418

An area of the Telecommunications and Network Security domain that directly affects the Information Systems Security tenet of Availability can be defined as:

 

A.

Netware availability

B.

Network availability

C.

Network acceptability

D.

Network accountability

 

Correct Answer: B

Explanation:

Network availability can be defined as an area of the Telecommunications and Network Security domain that directly affects the Information Systems Security tenet of Availability.

Source: KRUTZ, Ronald L.& VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 64.

 

 

QUESTION 419

Which of the following would best describe the difference between white-box testing and black-box testing?

 

A.

White-box testing is performed by an independent programmer team.

B.

Black-box testing uses the bottom-up approach.

C.

White-box testing examines the program internal logical structure.

D.

Black-box testing involves the business units

 

Correct Answer: C

Explanation:

Black-box testing observes the system external behavior, while white-box testing is a detailed exam of a logical path, checking the possible conditions.

Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 299).

 

 

 

QUESTION 420

Which of the following is most concerned with personnel security?

 

A.

Management controls

B.

Operational controls

C.

Technical controls

D.

Human resources controls

 

Correct Answer: B

Explanation:

Many important issues in computer security involve human users, designers, implementers, and managers.

 

A broad range of security issues relates to how these individuals interact with computers and the access and authorities they need to do their jobs. Since operational controls address security methods focusing on mechanisms primarily implemented and executed by people (as opposed to systems), personnel security is considered a form of operational control.

 

Operational controls are put in place to improve security of a particular system (or group of systems). They often require specialized expertise and often rely upon management activities as well as technical controls. Implementing dual control and making sure that you have more than one person that can perform a task would fall into this category as well.

 

Management controls focus on the management of the IT security system and the management of risk for a system. They are techniques and concerns that are normally addressed by management.

 

Technical controls focus on security controls that the computer system executes. The controls can provide automated protection for unauthorized access of misuse, facilitate detection of security violations, and support security requirements for applications and data.

 

Reference use for this question:

 

NIST SP 800-53 Revision 4 http://dx.doi.org/10.6028/NIST.SP.800-53r4 You can get it as a word document by clicking HERE

NIST SP 800-53 Revision 4 has superseded the document below:

 

SWANSON, Marianne, NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems, November 2001 (Page A-18).

Free VCE & PDF File for ISC SSCP Real Exam

Instant Access to Free VCE Files: ISC | ISC | SAP …
Instant Access to Free PDF Files: ISC | ISC | SAP …

This entry was posted in Uncategorized and tagged , , , , , , . Bookmark the permalink.