[Free] New Updated (October) ISC SSCP Real Exam 491-500




Which type of attack would a competitive intelligence attack best classify as?



Business attack


Intelligence attack


Financial attack


Grudge attack


Correct Answer: A


Business attacks concern information loss through competitive intelligence gathering and computer-related attacks. These attacks can be very costly due the loss of trade secrets and reputation.


Intelligence attacks are aimed at sensitive military and law enforcement files containing military data and investigation reports.


Financial attacks are concerned with frauds to banks and large corporations.


Grudge attacks are targeted at individuals and companies who have done something that the attacker doesn’t like.


The CISSP for Dummies book has nice coverage of the different types of attacks, here is an extract:


Terrorism Attacks

Terrorism exists at many levels on the Internet. In April 2001, during a period of tense relations between China and the U.S. (resulting from the crash landing of a U.S. Navy reconnaissance plane on Hainan Island), Chinese hackers ( cyberterrorists ) launched a major effort to disrupt critical U.S. infrastructure, which included U.S. government and military systems.


Following the terrorist attacks against the U.S. on September 11, 2001, the general public became painfully aware of the extent of terrorism on the Internet. Terrorist organizations and cells are using online capabilities to coordinate attacks, transfer funds, harm international commerce, disrupt critical systems, disseminate propaganda, and gain useful information about developing techniques and instruments of terror, including nuclear , biological, and chemical weapons.

Military and intelligence attacks


Military and intelligence attacks are perpetrated by criminals, traitors, or foreign intelligence agents seeking classified law enforcement or military information. Such attacks may also be carried out by governments during times of war and conflict.

Financial attacks


Banks, large corporations, and e-commerce sites are the targets of financial attacks, all of which are motivated by greed. Financial attacks may seek to steal or embezzle funds, gain access to online financial information, extort individuals or businesses, or obtain the personal credit card numbers of customers.

Business attacks


Businesses are becoming the targets of more and more computer and Internet attacks. These attacks include competitive intelligence gathering, denial of service, and other computer- related attacks. Businesses are often targeted for several reasons including


Lack of expertise: Despite heightened security awareness, a shortage of qualified security professionals still exists, particularly in private enterprise. Lack of resources: Businesses often lack the resources to prevent, or even detect, attacks against their systems.

Lack of reporting or prosecution : Because of public relations concerns and the inability to prosecute computer criminals due to either a lack of evidence or a lack of properly handled evidence, the majority of business attacks still go unreported.


The cost to businesses can be significant, including loss of trade secrets or proprietary information, loss of revenue, and loss of reputation.


Grudge attacks

Grudge attacks are targeted at individuals or businesses and are motivated by a desire to take revenge against a person or organization. A disgruntled employee, for example, may steal trade secrets, delete valuable data, or plant a logic bomb in a critical system or application.


Fortunately, these attacks (at least in the case of a disgruntled employee) can be easier to prevent or prosecute than many other types of attacks because:


The attacker is often known to the victim.

The attack has a visible impact that produces a viable evidence trail. Most businesses (already sensitive to the possibility of wrongful termination suits ) have well-established termination procedures


“Fun” attacks

“Fun” attacks are perpetrated by thrill seekers and script kiddies who are motivated by curiosity or excitement. Although these attackers may not intend to do any harm or use any of the information that they access, they’re still dangerous and their activities are still illegal.


These attacks can also be relatively easy
to detect and prosecute. Because the perpetrators are often script kiddies or otherwise inexperienced hackers, they may not know how to cover their tracks effectively.


Also, because no real harm is normally done nor intended against the system, it may be tempting (although ill advised) for a business to prosecute the individual and put a positive public relations spin on the incident. You’ve seen the film at 11: “We quickly detected the attack, prevented any harm to our network, and prosecuted the responsible individual; our security is unbreakable !” Such action, however, will likely motivate others to launch a more serious and concerted grudge attack against the business.


Many computer criminals in this category only seek notoriety. Although it’s one thing to brag to a small circle of friends about defacing a public Web site, the wily hacker who appears on CNN reaches the next level of hacker celebrity-dom. These twisted individuals want to be caught to revel in their 15 minutes of fame.



ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 10: Law, Investigation, and Ethics (page 187)

CISSP Professional Study Guide by James Michael Stewart, Ed Tittel, Mike Chapple, page 607-609

CISSP for Dummies, Miller L.H.and Gregory P.H.ISBN: 0470537914, page 309-311




Which of the following statements pertaining to disaster recovery is incorrect?



A recovery team’s primary task is to get the pre-defined critical business functions at the alternate backup processing site.


A salvage team’s task is to ensure that the primary site returns to normal processing conditions.


The disaster recovery plan should include how the company will return from the alternate site to the primary site.


When returning to the primary site, the most critical applications should be brought back first.


Correct Answer: D


It’s interesting to note that the steps to resume normal processing operations will be different than the steps in the recovery plan; that is, the least critical work should be brought back first to the primary site.


My explanation:

at the point where the primary site is ready to receive operations again, less critical systems should be brought back first because one has to make sure that everything will be running smoothly at the primary site before returning critical systems, which are already operating normally at the recovery site.


This will limit the possible interruption of processing to a minimum for most critical systems, thus making it the best option.


Source: KRUTZ, Ronald L.& VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 291).




A momentary low voltage, from 1 cycle to a few seconds, is a:











Correct Answer: C


A momentary low voltage is a sag. A synonym would be a dip.


Risks to electrical power supply:




Blackout: complete loss of electrical power

Fault: momentary power outage




Brownout: an intentional reduction of voltage by the power company.

Sag/dip: a short period of low voltage




Surge: Prolonged rise in voltage

Spike: Momentary High Voltage

In-rush current: the initial surge of current required by a load before it reaches normal operation.

Transient: line noise or disturbance is superimposed on the supply circuit and can cause fluctuations in electrical power


Refence(s) used for this question:

Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (p. 462). McGraw- Hill. Kindle Edition.




Which of the following is NOT a common category/classification of threat to an IT system?











Correct Answer: D


Hackers are classified as a human threat and not a classification by itself.


All the other answers are incorrect. Threats result from a variety of factors, although they are classified in three types: Natural (e.g., hurricane, tornado, flood and fire), human (e.g. operator error, sabotage, malicious code) or technological (e.g. equipment failure, software error, telecommunications network outage, electric power failure).



SWANSON, Marianne, & al., National Institute of Standards and Technology (NIST), http://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1_errata-Nov11- 2010.pdf, June 2002 (page 6).




Which of the following best describes what would be expected at a “hot site”?



Computers, climate control, cables and peripherals


Computers and peripherals


Computers and dedicated climate control systems.


Dedicated climate control systems


Correct Answer: A


A Hot Site contains everything needed to become operational in the shortest amount of time.


The following answers are incorrect:


Computers and peripherals. Is incorrect because no mention is made of cables. You would not be fully operational without those.


Computers and dedicated climate control systems. Is incorrect because no mention is made of peripherals. You would not be fully operational without those.


Dedicated climate control systems. Is incorrect because no mentionis made of computers, cables and peripherals. You would not be fully operational without those.


According to the OIG, a hot site is defined as a fully configured site with complete customer required hardware and software provided by the service provider. A hot site in the context of the CBK is always a RENTAL place. If you have your own site fully equipped that you make use of in case of disaster that would be called a redundant site or an alternate site.


Wikipedia: “A hot site is a duplicate of the original site of the organization, with full computer systems as well as near-complete backups of user data.”



OIG CBK, Business Continuity and Disaster Recovery Planning (pages 367 – 368) AIO, 3rd Edition, Business Continuity Planning (pages 709 – 714) AIO, 4th Edition, Business Continuity Planning , p 790. Wikipedia – http://en.wikipedia.org/wiki/Hot_site#Hot_Sites




A deviation f
rom an organization-wide security policy requires which of the following?



Risk Acceptance


Risk Assignment


Risk Reduction


Risk Containment


Correct Answer: A


A deviation from an organization-wide security policy requires you to manage the risk. If you deviate from the security policy then you are required to accept the risks that might occur.


In some cases, it may be prudent for an organization to simply accept the risk that is presented in certain scenarios. Risk acceptance is the practice of accepting certain risk(s), typically based on a business decision that may also weigh the cost versus the benefit of dealing with the risk in another way.


The OIG defines Risk Management as: This term characterizes the overall process.


The first phase of risk assessment includes identifying risks, risk-reducing measures, and the budgetary impact of implementing decisions related to the acceptance, avoidance, or transfer of risk.


The second phase of risk management includes the process of assigning priority to, budgeting, implementing, and maintaining appropriate risk-reducing measures.


Risk management is a continuous process of ever-increasing complexity. It is how we evaluate the impact of exposures and respond to them. Risk management minimizes loss to information assets due to undesirable events through identification, measurement, and control. It encompasses the overall security review, risk analysis, selection and evaluation of safeguards, costenefit analysis, management decision, and safeguard identification and implementation, along with ongoing effectiveness review.


Risk management provides a mechanism to the organization to ensure that executive management knows current risks, and informed decisions can be made to use one of the risk management principles: risk avoidance, risk transfer, risk mitigation, or risk acceptance.


The 4 ways of dealing with risks are: Avoidance, Transfer, Mitigation, Acceptance


The following answers are incorrect:


Risk assignment. Is incorrect because it is a distractor, assignment is not one of the ways to manage risk.

Risk reduction. Is incorrect because there was a deviation of the security policy. You could have some additional exposure by the fact that you deviated from the policy.


Risk containment. Is incorrect because it is a distractor, containment is not one of the ways to manage risk.


Reference(s) used for this question:


Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 8882-8886). Auerbach Publications. Kindle Edition.

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 10206-10208). Auerbach Publications. Kindle Edition.




A business continuity plan is an example of which of the following?



Corrective control


Detective control


Preventive control


Compensating control


Correct Answer: A


Business Continuity Plans are designed to minimize the damage done by the event, and facilitate rapid restoration of the organization to its full operational capacity. They are for use “after the fact”, thus are examples of corrective controls.


Reference(s) used for this question:


KRUTZ, Ronald L.& VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 273).

Conrad, Eric; Misenar, Seth; Feldman, Joshua (2012-09-01). CISSP Study Guide (Kindle Location 8069). Elsevier Science (reference). Kindle Edition.




All of the following can be considered essential business functions that should be identified when creating a Business Impact Analysis (BIA) except one. Which of the following would not be considered an essential element of the BIA but an important TOPIC to include within the BCP plan:



IT Network Support




Public Relations




Correct Answer: C


Public Relations, although important to a company, is not listed as an essential business function that should be identified and have loss criteria developed for.

All other entries are considered essential and should be identified and have loss criteria developed.

Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw- Hill/Osborne, 2002, chapter 9: Disaster Recovery and Business continuity (page 598).




Which of the following would be MOST important to guarantee that the computer evidence will be admissible in court?



It must prove a fact that is immaterial to the case.


Its reliability must be proven.


The process for producing it must be documented and repeatable.


The chain of custody of the evidence must show who collected, secured, controlled, handled, transported the evidence, and that it was not tampered with.


Correct Answer: D


It has to be material, relevant and reliable, and the chain of custody must be maintained, it is unlikely that it will be admissible in court if it has been tampered with.


The following answers are incorrect:


It must prove a fact that is immaterial to the case. Is incorrect because evidence must be relevant. If it is immaterial then it is not relevant.


Its reliability must be proven. Is incorrect because it is not the best answer. While evidence must be relevant if the chain of custody cannot be verified, then the evidence could lose it’s credibility because there is no proof that the evidence was not tampered with. So, the correct answer above is the BEST answer.


The process for producing it must be documented and repeatable. Is incorrect because just because the process is documented and repeatable does not mean that it will be the same. This amounts to Corroborative Evidence that may help to support a case.




What can be described as a measure of the magnitude of loss or impact on the value of an asset?





Exposure factor






Correct Answer: B


The exposure factor is a measure of the magnitude of loss or impact on the value of an asset.

The probability is the chance or likelihood, in a finite sample, that an event will occur or that a specific loss value may be attained should the event occur.

A vulnerability is the absence or weakness of a risk-reducing safeguard. A threat is event, the occurrence of which could have an undesired impact.

Source: ROTHKE, Ben, CISSP CBK Review presentation on domain 3, August 1999.




Free VCE & PDF File for ISC SSCP Real Exam

Instant Access to Free VCE Files: ISC | ISC | SAP …
Instant Access to Free PDF Files: ISC | ISC | SAP …

This entry was posted in Uncategorized and tagged , , , , , , . Bookmark the permalink.