[Free] New Updated (October) ISC SSCP Real Exam 421-430

Ensurepass

 

QUESTION 421

Which of the following is BEST defined as a physical control?

 

A. Monitoring of system activity

B. Fencing

C. Identification and authentication methods

D. Logical access control mechanisms

 

Correct Answer: B

Explanation:

Physical controls are items put into place to protect facility, personnel, and resources. Examples of physical controls are security guards, locks, fencing, and lighting.

 

The following answers are incorrect answers:

Monitoring of system activity is considered to be an administrative control.

Identification and authentication methods are considered to be a technical control.

Logical access control mechanisms are also considered to be a technical control.

 

Reference(s) used for this question:

Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 1280-1282). McGraw-Hill. Kindle Edition.

 

 

QUESTION 422

Which of the following is NOT a fundamental component of an alarm in an intrusion detection system?

 

A. Communications

B. Enunciator

C. Sensor

D. Response

 

Correct Answer: D

Explanation:

Response is the correct choice. A response would essentially be the action that is taken once an alarm has been produced by an IDS, but is not a fundamental component of the alarm.

 

The following are incorrect answers:

 

Communications is the component of an alarm that delivers alerts through a variety of channels such as email, pagers, instant messages and so on.

An Enunciator is the component of an alarm that uses business logic to compose the content and format of an alert and determine the recipients of that alert.

A sensor is a fundamental component of IDS alarms. A sensor detects an event and produces an appropriate notification.

Domain: Access Control

 

Reference:

Official (ISC)2 Guide to the CISSP CBK, page 203.

 

 

QUESTION 423

What would be considered the biggest drawback of Host-based Intrusion Detection systems (HIDS)?

 

A. It can be very invasive to the host operating system

B. Monitors all processes and activities on the host system only

C. Virtually eliminates limits associated with encryption

D. They have an increased level of visibility and control compared to NIDS

 

Correct Answer: A

Explanation:

The biggest drawback of HIDS, and the reason many organizations resist its use, is that it can be very invasive to the host operating system. HIDS must have the capability to monitor all processes and activities on the host system and this can sometimes interfere with normal system processing.

 

HIDS versus NIDS

A host-based IDS (HIDS) can be installed on individual workstations and/or servers to watch for inappropriate or anomalous activity. HIDSs are usually used to make sure users do not delete system files, reconfigure important settings, or put the system at risk in any other way.

 

So, whereas the NIDS understands and monitors the network traffic, a HIDS’s universe is limited to the computer itself. A HIDS does not understand or review network traffic, and a NIDS does not “look in” and monitor a system’s activity. Each has its own job and stays out of the other’s way.

 

The ISC2 official study book defines an IDS as:

An intrusion detection system (IDS) is a technology that alerts organizations to adverse or unwanted activity. An IDS can be implemented as part of a network device, such as a router, switch, or firewall, or it can be a dedicated IDS device monitoring traffic as it traverses the network. When used in this way, it is referred to as a network IDS, or NIDS. IDS can also be used on individual host systems to monitor and report on file, disk, and process activity on that host. When used in this way it is referred to as a host-based IDS, or HIDS.

 

An IDS is informative by nature and provides real-time information when suspicious activities are identified. It is primarily a detective device and, acting in this traditional role, is not used to directly prevent the suspected attack.

 

What about IPS?

In contrast, an intrusion prevention system (IPS), is a technology that monitors activity like an IDS but will automatically take proactive preventative action if it detects unacceptable activity. An IPS permits a predetermined set of functions and actions to occur on a network or system; anything that is not permitted is considered unwanted activity and blocked. IPS is engineered specifically to respond in real time to an event at the system or network layer. By proactively enforcing policy, IPS can thwart not only attackers, but also authorized users attempting to perform an action that is not within policy. Fundamentally, IPS is considered an access control and policy enforcement technology, whereas IDS is considered network monitoring and audit technology.

 

The following answers were incorrect:

All of the other answers were advantages, not drawbacks, of using HIDS.

 

TIP FOR THE EXAM:

Be familiar with the differences that exist between a HIDS, a NIDS, and an IPS. Know that IDSs are mostly detective, whereas IPSs are preventive. IPSs are considered an access control and policy enforcement technology, whereas IDSs are considered a network monitoring and audit technology.

 

Reference(s) used for this question:

Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 5817-5822). McGraw-Hill. Kindle Edition.

Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press), Domain 1: Access Control, pages 180-188 (Kindle Locations 3199-3203). Auerbach Publications.

 

 

QUESTION 424

Network-based Intrusion Detection systems:

 

A. Commonly reside on a discrete network segment and monitor the traffic on that network segment.

B. Commonly will not reside on a discrete network segment and monitor the traffic on that network segment.

C. Commonly reside on a discrete network segment and do not monitor the traffic on that network segment.

D. Commonly reside on a host and monitor the traffic on that specific host.

 

Correct Answer: A

Explanation:

Network-based ID systems:

Commonly reside on a discrete network segment and monitor the traffic on that network segment.

Usually consist of a network appliance with a Network Interface Card (NIC) that is operating in promiscuous mode and is intercepting and analyzing the network packets in real time.

 

“A passive NIDS takes advantage of promiscuous mode access to the network, allowing it to gain visibility into every packet traversing the network segment. This allows the system to inspect packets and monitor sessions without impacting the network, performance, or the systems and applications utilizing the network.”

 

NOTE FROM CLEMENT:

A discrete network is a synonym for a SINGLE network. Usually the sensor will monitor a single network segment; however, there are IDSs today that allow you to monitor multiple LANs at the same time.

 

References used for this question:

 

KRUTZ, Ronald L. & VINES, Russell D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 62.

Official (ISC)2 Guide to the CISSP CBK, Hal Tipton and Kevin Henry, Page 196

Additional information on IDS systems can be found here:

http://en.wikipedia.org/wiki/Intrusion_detection_system

 

 

QUESTION 425

What IDS approach relies on a database of known attacks?

 

A. Signature-based intrusion detection

B. Statistical anomaly-based intrusion detection

C. Behavior-based intrusion detection

D. Network-based intrusion detection

 

Correct Answer: A

Explanation:

A weakness of the signature-based (or knowledge-based) intrusion detection approach is that only attack signatures that are stored in a database are detected. Network-based intrusion detection can be either signature-based or statistical anomaly-based (also called behavior-based).

Source: KRUTZ, Ronald L. & VINES, Russell D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 49).

 

 

QUESTION 426

Due care is not related to:

 

A. Good faith

B. Prudent man

C. Profit

D. Best interest

 

Correct Answer: C

Explanation:

Officers and directors of a company are expected to act carefully in fulfilling their tasks. A director shall act in good faith, with the care an ordinarily prudent person in a like position would exercise under similar circumstances and in a manner he reasonably believes is in the best interest of the enterprise. The notion of profit would tend to go against the due care principle.

Source: ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 10: Law, Investigation, and Ethics (page 186).

 

 

QUESTION 427

What ensures that the control mechanisms correctly implement the security policy for the entire life cycle of an information system?

 

A. Accountability controls

B. Mandatory access controls

C. Assurance procedures

D. Administrative controls

 

Correct Answer: C

Explanation:

Controls provide accountability for individuals accessing information. Assurance procedures ensure that access control mechanisms correctly implement the security policy for the entire life cycle of an information system.

Source: KRUTZ, Ronald L. & VINES, Russell D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 33).

 

 

QUESTION 428

The viewing of recorded events after the fact using a closed-circuit TV camera is considered a

 

A. Preventative control

B. Detective control

C. Compensating control

D. Corrective control

 

Correct Answer: B

Explanation:

Detective security controls are like a burglar alarm. They detect and report an unauthorized or undesired event (or an attempted undesired event). Detective security controls are invoked after the undesirable event has occurred. Example detective security controls are log monitoring and review, system audit, file integrity checkers, and motion detection.

 

Visual surveillance or recording devices such as closed circuit television are used in conjunction with guards in order to enhance their surveillance ability and to record events for future analysis or prosecution.

 

When events are monitored, it is considered preventative whereas recording of events is considered detective in nature.

 

Below you have explanations of other types of security controls from a nice guide produced by James Purcell (see reference below):

 

Preventive security controls are put into place to prevent intentional or unintentional disclosure, alteration, or destruction (D.A.D.) of sensitive information. Some example preventive controls follow:

 

Policy – Unauthorized network connections are prohibited.

Firewall – Blocks unauthorized network connections.

Locked wiring closet – Prevents unauthorized equipment from being physically plugged into a network switch.

 

Notice in the preceding examples that preventive controls crossed administrative, technical, and physical categories discussed previously. The same is true for any of the controls discussed in this section.

 

Corrective security controls are used to respond to and fix a security incident. Corrective security controls also limit or reduce further damage from an attack. Examples follow:

 

Procedure to clean a virus from an infected system

A guard checking and locking a door left unlocked by a careless employee

Updating firewall rules to block an attacking IP address

 

Note that in many cases the corrective security control is triggered by a detective security control.

Recovery security controls are those controls that put a system back into production after an incident. Most Disaster Recovery activities fall into this category. For example, after a disk failure, data is restored from a backup tape.

 

Directive security controls are the equivalent of administrative controls. Directive controls direct that some action be taken to protect sensitive organizational information. The directive can be in the form of a policy, procedure, or guideline.

 

Deterrent security controls are controls that discourage security violations. For instance, “Unauthorized Access Prohibited” signage may deter a trespasser from entering an area. The presence of security cameras might deter an employee from stealing equipment. A policy that states access to servers is monitored could deter unauthorized access.

 

Compensating security controls are controls that provide an alternative to normal controls that cannot be used for some reason. For instance, a certain server cannot have antivirus software installed because it interferes with a critical application. A compensating control would be to increase monitoring of that server or isolate that server on its own network segment.

 

Note that there is a third popular taxonomy developed by NIST and described in NIST Special Publication 800-53, “Recommended Security Controls for Federal Information Systems.” NIST categorizes security controls into 3 classes and then further categorizes the controls within the classes into 17 families. Within each security control family are dozens of specific controls. The NIST taxonomy is not covered on the CISSP exam but is one that a CISSP should be aware of if employed within the US federal workforce.

 

Source: KRUTZ, Ronald L. & VINES, Russell D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 10: Physical security (page 340).

CISSP Study Guide By Eric Conrad, Seth Misenar, Joshua Feldman, page 50-52

Security Control Types and Operational Security, James E.Purcell, http://www.giac.org/cissp-papers/207.pdf

 

QUESTION 429

Which of the following usually provides reliable, real-time information without consuming network or host resources?

 

A. network-based IDS

B. host-based IDS

C. application-based IDS

D. firewall-based IDS

 

Correct Answer: A

Explanation:

A network-based IDS usually provides reliable, real-time information without consuming network or host resources.

Source: KRUTZ, Ronald L. & VINES, Russell D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 48.

 

 

QUESTION 430

Which of the following are the two MOST common implementations of Intrusion Detection Systems?

 

A. Server-based and Host-based.

B. Network-based and Guest-based.

C. Network-based and Client-based.

D. Network-based and Host-based.

 

Correct Answer: D

Explanation:

The two most common implementations of Intrusion Detection are Network-based and Host-based.

 

IDS can be implemented as a network device, such as a router, switch, firewall, or dedicated device monitoring traffic, typically referred to as network IDS (NIDS).

 

The (IDS) “technology can also be incorporated into a host system (HIDS) to monitor a single system for undesirable activities.”

 

“A network intrusion detection system (NIDS) is a network device … that monitors traffic traversing the network segment for which it is integrated.” Remember that NIDS are usually passive in nature.

 

HIDS is the implementation of IDS capabilities at the host level. Its most significant difference from NIDS is that related processes are limited to the boundaries of a single-host system. However, this presents advantages in effectively detecting objectionable activities because the IDS process is running directly on the host system, not just observing it from the network.

 

Reference(s) used for this question:

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 3649-3652). Auerbach Publications. Kindle Edition.

 

 
