[Free] New Updated (October) ISC SSCP Real Exam 471-480

Ensurepass

 

QUESTION 471

A host-based IDS is resident on which of the following?

 

A.

On each of the critical hosts

B.

decentralized hosts

C.

central hosts

D.

bastion hosts

 

Correct Answer: A

Explanation:

A host-based IDS is resident on a host and reviews the system and event logs in order to detect an attack on the host and to determine whether the attack was successful. All critical servers should have a Host-Based Intrusion Detection System (HIDS) installed. A network-based IDS cannot inspect encrypted traffic and so cannot detect attack patterns inside it; a HIDS may be able to detect such an attack after the traffic has been decrypted on the host. This is why critical servers should have both a NIDS and a HIDS.

 

FROM WIKIPEDIA:

A HIDS will monitor all or part of the dynamic behavior and of the state of a computer system. Much as a NIDS will dynamically inspect network packets, a HIDS might detect which program accesses what resources and assure that (say) a word-processor hasn’t suddenly and inexplicably started modifying the system password-database. Similarly a HIDS might look at the state of a system, its stored information, whether in RAM, in the file system, or elsewhere; and check that the contents of these appear as expected.

 

One can think of a HIDS as an agent that monitors whether anything/anyone – internal or external – has circumvented the security policy that the operating system tries to enforce.

http://en.wikipedia.org/wiki/Host-based_intrusion_detection_system

 

 

QUESTION 472

Which of the following is most likely to be useful in detecting intrusions?

 

A.

Access control lists

B.

Security labels

C.

Audit trails

D.

Information security policies

 

Correct Answer: C

Explanation:

If audit trails have been properly defined and implemented, they will record information that can assist in detecting intrusions.

Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter 4: Access Control (page 186).

 

 

QUESTION 473

Which of the following tools is NOT likely to be used by a hacker?

 

A.

Nessus

B.

Saint

C.

Tripwire

D.

Nmap

 

Correct Answer: C

Explanation:

Tripwire is a data integrity assurance tool aimed at detecting and reporting accidental or malicious changes to files. It is a defensive control, not an attack or reconnaissance tool.

 

The following answers are incorrect:

 

Nessus is incorrect as it is a vulnerability scanner used by hackers in discovering vulnerabilities in a system.

Saint is also incorrect as it is also a network vulnerability scanner likely to be used by hackers.

Nmap is also incorrect as it is a port scanner for network exploration and likely to be used by hackers.

 

Reference :

Tripwire : http://www.tripwire.com

Nessus : http://www.nessus.org

Saint : http://www.saintcorporation.com/saint

Nmap : http://insecure.org/nmap

 

 

QUESTION 474

How often should a Business Continuity Plan be reviewed?

 

A.

At least once a month

B.

At least every six months

C.

At least once a year

D.

At least Quarterly

 

Correct Answer: C

Explanation:

As stated in SP 800-34 Rev. 1:

To be effective, the plan must be maintained in a ready state that accurately reflects system requirements, procedures, organizational structure, and policies. During the Operation/Maintenance phase of the SDLC, information systems undergo frequent changes because of shifting business needs, technology upgrades, or new internal or external policies.

 

As a general rule, the plan should be reviewed for accuracy and completeness at an organization-defined frequency (at least once a year for the purpose of the exam) or whenever significant changes occur to any element of the plan. Certain elements, such as contact lists, will require more frequent reviews.

 

Remember, there could be two good answers as specified above: either once a year or whenever significant changes occur to the plan. You will of course get only one of the two presented within your exam.

 

Reference(s) used for this question:

NIST SP 800-34 Revision 1

 

 

QUESTION 475

In order to enable users to perform tasks and duties without having to go through extra steps it is important that the security controls and mechanisms that are in place have a degree of?

 

A.

Complexity

B.

Non-transparency

C.

Transparency

D.

Simplicity

 

Correct Answer: C

Explanation:

The security controls and mechanisms that are in place must have a degree of transparency.

 

This enables the user to perform tasks and duties without having to go through extra steps because of the presence of the security controls. Transparency also does not let the user know too much about the controls, which helps prevent him from figuring out how to circumvent them. If the controls are too obvious, an attacker can figure out how to compromise them more easily.

 

Security (more specifically, the implementation of most security controls) has long been a sore point with users who are subject to security controls. Historically, security controls have been very intrusive to users, forcing them to interrupt their work flow and remember arcane codes or processes (like long passwords or access codes), and have generally been seen as an obstacle to getting work done. In recent years, much work has been done to remove that stigma of security controls as a detractor from the work process adding nothing but time and money. When developing access control, the system must be as transparent as possible to the end user. The users should be required to interact with the system as little as possible, and the process around using the control should be engineered so as to involve little effort on the part of the user.

 

For example, requiring a user to swipe an access card through a reader is an effective way to ensure a person is authorized to enter a room. However, implementing a technology (such as RFID) that will automatically scan the badge as the user approaches the door is more transparent to the user and will do less to impede the movement of personnel in a busy area.

 

In another example, asking a user to understand what applications and data sets will be required when requesting a system ID and then specifically requesting access to those resources may allow for a great deal of granularity when provisioning access, but it can hardly be seen as transparent. A more transparent process would be for the access provisioning system to have a role-based structure, where the user would simply specify the role he or she has in the organization and the system would know the specific resources that user needs to access based on that role. This requires less work and interaction on the part of the user and will lead to more accurate and secure access control decisions because access will be based on predefined need, not user preference.

 

When developing and implementing an access control system, special care should be taken to ensure that the control is as transparent to the end user as possible and interrupts his work flow as little as possible.

 

The following answers were incorrect:

All of the other options were distractors.

 

Reference(s) used for this question:

 

HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 6th edition. Operations Security, Page 1239-1240

Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 25278-25281). McGraw-Hill. Kindle Edition.

Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition: Access Control ((ISC)2 Press) (Kindle Locations 713-729). Auerbach Publications. Kindle Edition.

 

 

 

 

QUESTION 476

Attributable data should be:

 

A.

always traced to individuals responsible for observing and recording the data

B.

sometimes traced to individuals responsible for observing and recording the data

C.

never traced to individuals responsible for observing and recording the data

D.

often traced to individuals responsible for observing and recording the data

 

Correct Answer: A

Explanation:

As per the FDA, data should be attributable, original, accurate, contemporaneous and legible. In an automated system, attributability can be achieved by designing the computer system to identify the individual responsible for any input.

Source: U.S. Department of Health and Human Services, Food and Drug Administration, Guidance for Industry – Computerized Systems Used in Clinical Trials, April 1999, page 1.

 

 

QUESTION 477

Why would anomaly detection IDSs often generate a large number of false positives?

 

A.

Because they can only identify correctly attacks they already know about.

B.

Because they are application-based and therefore more subject to attacks.

C.

Because they can’t identify abnormal behavior.

D.

Because normal patterns of user and system behavior can vary wildly.

 

Correct Answer: D

Explanation:

Unfortunately, anomaly detectors and the Intrusion Detection Systems (IDS) based on them often produce a large number of false alarms, as normal patterns of user and system behavior can vary wildly. Being only able to identify correctly attacks they already know about is a characteristic of misuse detection (signature-based) IDSs. Application-based IDSs are a special subset of host-based IDSs that analyze the events transpiring within a software application. They are more vulnerable to attacks than host-based IDSs. Not being able to identify abnormal behavior would not cause false positives, since they are not identified.

Source: DUPUIS, Clément, Access Control Systems and Methodology CISSP Open Study Guide, version 1.0, March 2002 (page 92).

 

 

QUESTION 478

In the process of gathering evidence from a computer attack, a system administrator took a series of actions which are listed below. Can you identify which one of these actions has compromised the whole evidence collection process?

 

A.

Using a write blocker

B.

Made a full-disk image

C.

Created a message digest for log files

D.

Displayed the contents of a folder

 

Correct Answer: D

Explanation:

Displaying the directory contents of a folder on the original system can alter the last access time on the listed files, so the evidence is no longer in its original state. Whether access times are actually updated depends on the file system and its mount options (for example Linux relatime/noatime, or NTFS with last-access updates disabled), but the examiner's rule is the same either way: never browse the original media; work from a verified image.

 

Using a write blocker is wrong because a write blocker ensures that you cannot modify the data on the evidence drive: it prevents the acquiring host from writing to it.

 

Made a full-disk image is wrong because making a full-disk image preserves all data on a hard disk, including deleted files and file fragments.

 

Created a message digest for log files is wrong because a message digest is a cryptographic checksum that can demonstrate that the integrity of a file has not been compromised (for example, that the content of a log file has not changed since the digest was taken).

 

Domain: LEGAL, REGULATIONS, COMPLIANCE AND INVESTIGATIONS

 

References:

AIO 3rd Edition, page 783-784

NIST 800-61 Computer Security Incident Handling guide page 3-18 to 3-20
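The integrity check that Q471 (a HIDS verifying that stored files "appear as expected"), Q473 (Tripwire) and the message-digest step of this question all rely on, as an added example in Python. It is not code from the exam dump, from Tripwire or from any of the cited references. It walks a directory, records a SHA-256 digest per file as a baseline manifest, and later reports which files were modified, added or removed. The directory layout, file contents and the tampering in the demo are constructed for illustration.

```python
"""File-integrity baseline and verification in the Tripwire style.

Added example: not code from the exam dump, from Tripwire or from any cited
source. The directory tree, file contents and tampering below are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """Hex SHA-256 of a file, read in chunks so a large image or log need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def baseline(root):
    """Map every regular file under root (relative POSIX path) to its digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def verify(root, expected):
    """Compare the tree under root with a stored baseline.

    Returns sorted lists of files whose digest changed, files that appeared
    since the baseline was taken, and files that have disappeared."""
    current = baseline(root)
    return {
        "modified": sorted(p for p in expected if p in current and current[p] != expected[p]),
        "added": sorted(p for p in current if p not in expected),
        "removed": sorted(p for p in expected if p not in current),
    }


def save_manifest(digests, manifest_path):
    with open(manifest_path, "w") as f:
        json.dump(digests, f, indent=2, sort_keys=True)


def load_manifest(manifest_path):
    with open(manifest_path) as f:
        return json.load(f)


def demo():
    """Constructed scenario: baseline a small tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "tree"
        (root / "etc").mkdir(parents=True)
        (root / "var").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "var" / "auth.log").write_text("sshd: Accepted publickey for alice\n")

        # The manifest lives outside the monitored tree (in real use: off-host, read-only).
        manifest = Path(tmp) / "baseline.json"
        save_manifest(baseline(root), manifest)

        # Attacker activity: append to the log, plant a file, delete the hardening config.
        with open(root / "var" / "auth.log", "a") as f:
            f.write("sshd: Accepted password for root from 203.0.113.5\n")
        (root / "var" / "libpam_evil.so").write_bytes(b"\x7fELF")
        (root / "etc" / "sshd_config").unlink()

        return verify(root, load_manifest(manifest))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest (and likewise the digest of a disk image or a seized log file) only proves integrity relative to a copy the attacker could not reach: store it off the monitored host, on read-only or signed media, because an intruder with root can otherwise rewrite both the file and its recorded digest.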

 

 

QUESTION 479

Which conceptual approach to intrusion detection system is the most common?

 

A.

Behavior-based intrusion detection

B.

Knowledge-based intrusion detection

C.

Statistical anomaly-based intrusion detection

D.

Host-based intrusion detection

 

Correct Answer: B

Explanation:

There are two conceptual approaches to intrusion detection. Knowledge-based intrusion detection uses a database of known vulnerabilities to look for current attempts to exploit them on a system and triggers an alarm if an attempt is found. The other approach, not as common, is called behaviour-based or statistical analysis-based. A host-based intrusion detection system is a common implementation of intrusion detection, not a conceptual approach.

Source: KRUTZ, Ronald L.& VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 63).

Also: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 4: Access Control (pages 193-194).

 

 

QUESTION 480

Which of the following is a disadvantage of a statistical anomaly-based intrusion detection system?

 

A.

it may truly detect a non-attack event that had caused a momentary anomaly in the system.

B.

it may falsely detect a non-attack event that had caused a momentary anomaly in the system.

C.

it may correctly detect a non-attack event that had caused a momentary anomaly in the system.

D.

it may loosely detect a non-attack event that had caused a momentary anomaly in the system.

 

Correct Answer: B

Explanation:

Some disadvantages of a statistical anomaly-based ID are that it will not detect an attack that does not significantly change the system operating characteristics, or it may falsely detect a non-attack event that had caused a momentary anomaly in the system.

Source: KRUTZ, Ronald L.& VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 49.
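The two conceptual approaches of Q479, run over the kind of audit trail Q472 describes, as an added example in Python; it is not code from the exam dump or from any IDS product. A knowledge-based detector fires only on patterns it already knows; a statistical detector flags any source whose request count lies more than three standard deviations above a baseline. The access-log lines, the baseline counts and the threshold are constructed assumptions: the office proxy 10.0.0.5 fetching sixty reports is the "momentary anomaly" of this question and becomes a false positive, while the low-volume injection probe from 203.0.113.9 never moves the statistics and is caught only by the signatures, which illustrates both disadvantages in the explanation above and the false-positive problem of Q477.

```python
"""Knowledge-based (signature) versus statistical anomaly-based intrusion
detection over an audit trail.

Added example: not from the exam dump or from any IDS product. The log
lines, the baseline figures and the threshold are constructed.
"""
import re
import statistics
from collections import Counter

# Constructed access log, one request per line as:  <client> "<request>" <status>
# 203.0.113.9 sends two classic probes; 10.0.0.5 is an office proxy that fetches
# sixty reports in a burst (legitimate, but far outside the baseline).
ACCESS_LOG = """\
198.51.100.7 "GET /index.html" 200
198.51.100.7 "GET /about.html" 200
203.0.113.9 "GET /search?q=shoes" 200
203.0.113.9 "GET /search?q=' OR '1'='1" 500
203.0.113.9 "GET /../../etc/passwd" 403
192.0.2.44 "GET /index.html" 200
""" + "".join(f'10.0.0.5 "GET /report/{i}.pdf" 200\n' for i in range(60))

LINE_RE = re.compile(r'^(?P<src>\S+) "(?P<request>[^"]*)" (?P<status>\d{3})$')

# Knowledge base: patterns of attacks that are already known. Anything not in
# this table is invisible to the signature detector.
SIGNATURES = {
    "sql-injection": re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./|/etc/passwd"),
}

# Constructed baseline: requests per source observed during a "normal" period.
BASELINE_REQUESTS_PER_SOURCE = [3, 2, 5, 4, 3, 6, 2, 4, 3, 5]


def parse(log_text):
    """Turn the audit trail into records; malformed lines are skipped, not fatal."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def signature_alerts(records):
    """Knowledge-based detection: one (source, signature name, request) per hit."""
    alerts = []
    for r in records:
        for name, pattern in SIGNATURES.items():
            if pattern.search(r["request"]):
                alerts.append((r["src"], name, r["request"]))
    return alerts


def anomaly_alerts(records, baseline=BASELINE_REQUESTS_PER_SOURCE, k=3.0):
    """Statistical anomaly detection: flag every source whose request count
    exceeds mean + k * stddev of the baseline, regardless of what it asked for."""
    threshold = statistics.mean(baseline) + k * statistics.pstdev(baseline)
    counts = Counter(r["src"] for r in records)
    return [(src, n) for src, n in counts.items() if n > threshold]


def run(log_text=ACCESS_LOG):
    """Run both detectors and show where they disagree."""
    records = parse(log_text)
    sigs = signature_alerts(records)
    anoms = anomaly_alerts(records)
    sig_sources = {src for src, _, _ in sigs}
    anom_sources = {src for src, _ in anoms}
    return {
        "signature": sigs,
        "anomaly": anoms,
        # flagged by statistics but matching no known attack: a false-positive candidate
        "anomaly_only": sorted(anom_sources - sig_sources),
        # known attack that never disturbed the statistics: missed by anomaly detection
        "signature_only": sorted(sig_sources - anom_sources),
    }


if __name__ == "__main__":
    for key, value in run().items():
        print(f"{key}: {value}")
```

With the constructed baseline the threshold works out to roughly 7.5 requests per source, so the burst of sixty is flagged while the three requests from the probing client are not; lowering k would eventually catch the probe but would also start flagging ordinary users, which is the trade-off behind the high false-positive rate of anomaly detection.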
