[Free] New Updated (October) ISC SSCP Real Exam 511-520

Ensurepass

 

QUESTION 511

Prior to a live disaster test, also called a Full Interruption test, which of the following is most important?

A. Restore all files in preparation for the test.
B. Document expected findings.
C. Arrange physical security for the test site.
D. Conduct of a successful Parallel Test

Correct Answer: D

Explanation:

A live disaster test, or Full Interruption test, is an actual simulation of the Disaster Recovery Plan. All operations are shut down and brought back online at the alternate site. This test poses the biggest threat to an organization and should not be performed until a successful Parallel Test has been conducted.

 

1. A Checklist test would be conducted first: each of the key players gets a copy of the plan and reads it to make sure it has been properly developed for the specific needs of their department.

2. A Structured Walk-Through would be conducted next. This is when all key players meet together in a room and walk through the test together to identify shortcomings and dependencies between departments.

3. A Simulation test would be next. In this case you go through a disaster scenario up to the point where you would move to the alternate site. You do not move to the alternate site; you learn from your mistakes and improve the plan. It is the right time to find shortcomings.

4. A Parallel Test would be done next. You go through a disaster scenario, move to the alternate site, and process from both sites simultaneously.

5. A Full Interruption test would be conducted last. You move to the alternate site and resume processing there.

 

The following answers are incorrect:

 

Restore all files in preparation for the test: incorrect, because you would restore the files at the alternate site as part of the test, not in preparation for the test.

Document expected findings: incorrect, because it is not the best answer. Documenting the expected findings won’t help if you have not performed tests prior to a Full Interruption test or live disaster test.

Arrange physical security for the test site: incorrect, because it is not the best answer. While physical security for the test site is important, if you have not performed a successful structured walk-through prior to performing a Full Interruption test or live disaster test you might have some unexpected and disastrous results.

 

 

QUESTION 512

Which of the following is an example of an active attack?

A. Traffic analysis
B. Scanning
C. Eavesdropping
D. Wiretapping

Correct Answer: B

Explanation:

Scanning is definitely a very active attack. The attacker will make use of a scanner to perform the attack; the scanner will send a very large quantity of packets to the target in order to elicit responses that allow the attacker to find information about the operating system, vulnerabilities, misconfigurations and more. The packets being sent are sometimes attempting to identify whether a known vulnerability exists on the remote hosts.

 

A passive attack is usually done in the footprinting phase of an attack. While doing your passive reconnaissance you never send a single packet to the destination target. You gather information from public databases such as the DNS servers, public information through search engines, financial information from finance web sites, and technical information from mailing list archives or job postings, for example.

 

An attack can be active or passive.

An “active attack” attempts to alter system resources or affect their operation.

 

A “passive attack” attempts to learn or make use of information from the system but does not affect system resources. (E.g., see: wiretapping.)

 

The following are all incorrect answers because they are all passive attacks:

 

Traffic Analysis – Is the process of intercepting and examining messages in order to deduce information from patterns in communication. It can be performed even when the messages are encrypted and cannot be decrypted. In general, the greater the number of messages observed, or even intercepted and stored, the more can be inferred from the traffic. Traffic analysis can be performed in the context of military intelligence or counter-intelligence, and is a concern in computer security.

 

Eavesdropping – Eavesdropping is another security risk posed to networks. Because of the way some networks are built, anything that gets sent out is broadcast to everyone. Under normal circumstances, only the computer that the data was meant for will process that information. However, hackers can set up programs on their computers called “sniffers” that capture all data being broadcast over the network. By carefully examining the data, hackers can often reconstruct real data that was never meant for them. Some of the most damaging things that get sniffed include passwords and credit card information.

 

In the cryptographic context, eavesdropping and sniffing data as it passes over a network are considered passive attacks because the attacker is not affecting the protocol, algorithm, key, message, or any parts of the encryption system. Passive attacks are hard to detect, so in most cases methods are put in place to try to prevent them rather than to detect and stop them. Altering messages, modifying system files, and masquerading as another individual are acts that are considered active attacks because the attacker is actually doing something instead of sitting back and gathering data. Passive attacks are usually used to gain information prior to carrying out an active attack.

 

Wiretapping – Wiretapping refers to listening in on electronic communications on telephones, computers, and other devices. Many governments use it as a law enforcement tool, and it is also used in fields like corporate espionage to gain access to privileged information. Depending on where in the world one is, wiretapping may be tightly controlled with laws that are designed to protect privacy rights, or it may be a widely accepted practice with little or no protections for citizens. Several advocacy organizations have been established to help civilians understand these laws in their areas, and to fight illegal wiretapping.

 

Reference(s) used for this question:

 

HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 6th Edition, Cryptography, Page 865

http://en.wikipedia.org/wiki/Attack_%28computing%29

http://www.wisegeek.com/what-is-wiretapping.htm

https://pangea.stanford.edu/computing/resources/network/security/risks.php

http://en.wikipedia.org/wiki/Traffic_analysis

 

 

QUESTION 513

Which of the following would BEST be defined as an absence or weakness of safeguard that could be exploited?

A. A threat
B. A vulnerability
C. A risk
D. An exposure

Correct Answer: B

Explanation:

A vulnerability is a software, hardware, or procedural weakness that may provide an attacker the open door he is looking for to enter a computer or network and gain unauthorized access to resources within the environment. A vulnerability characterizes the absence or weakness of a safeguard that could be exploited. This vulnerability may be a service running on a server, unpatched applications or operating system software, etc.

 

The following answers are incorrect because:

Threat: A threat is defined as a potential danger to information or systems. The threat is that someone or something will identify a specific vulnerability and use it against the company or individual. The entity that takes advantage of a vulnerability is referred to as a ‘Threat Agent’. A threat agent could be an intruder accessing the network through a port on the firewall, or a process accessing data in a way that violates the security policy.

Risk: A risk is the likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact. If a firewall has several ports open, there is a higher likelihood that an intruder will use one to access the network in an unauthorized manner.

Exposure: An exposure is an instance of being exposed to losses from a threat agent.

 

References:

SHON HARRIS, ALL IN ONE THIRD EDITION: Chapter 3 : Security Management Practices, Pages: 57-59

 

 

QUESTION 514

Which of the following statements pertaining to disk mirroring is incorrect?

A. Mirroring offers better performance in read operations but writing hinders system performance.
B. Mirroring is a hardware-based solution only.
C. Mirroring offers a higher fault tolerance than parity.
D. Mirroring is usually the less cost-effective solution.

Correct Answer: B

Explanation:

With mirroring, the system writes the data simultaneously to separate drives or arrays.

The advantages of mirroring are minimal downtime, simple data recovery, and increased performance in reading from the disk.

The disadvantage of mirroring is that both drives or disk arrays must complete every write, which can hinder system performance.

Mirroring has a high fault tolerance and can be implemented either through a hardware RAID controller or through the operating system. Since it requires twice the disk space of the actual data, mirroring is the less cost-efficient data redundancy strategy.

Source: SWANSON, Marianne, & al., National Institute of Standards and Technology (NIST), NIST Special Publication 800-34, Contingency Planning Guide for Information Technology Systems, December 2001 (page 45).

 

 

QUESTION 515

Which of the following specifically addresses cyber attacks against an organization’s IT systems?

A. Continuity of support plan
B. Business continuity plan
C. Incident response plan
D. Continuity of operations plan

Correct Answer: C

Explanation:

The incident response plan focuses on information security responses to incidents affecting systems and/or networks. It establishes procedures to address cyber attacks against an organization’s IT systems. These procedures are designed to enable security personnel to identify, mitigate, and recover from malicious computer incidents, such as unauthorized access to a system or data, denial of service, or unauthorized changes to system hardware or software.

The continuity of support plan is the same as an IT contingency plan. It addresses IT system disruptions and establishes procedures for recovering a major application or general support system. It is not business process focused.

The business continuity plan addresses business processes and provides procedures for sustaining essential business operations while recovering from a significant disruption.

The continuity of operations plan addresses the subset of an organization’s missions that are deemed most critical and procedures to sustain these functions at an alternate site for up to 30 days.

Source: SWANSON, Marianne, & al., National Institute of Standards and Technology (NIST), NIST Special Publication 800-34, Contingency Planning Guide for Information Technology Systems, December 2001 (page 8).

 

 

QUESTION 516

Notifying the appropriate parties to take action in order to determine the extent of the severity of an incident and to remediate the incident’s effects is part of:

A. Incident Evaluation
B. Incident Recognition
C. Incident Protection
D. Incident Response

Correct Answer: D

Explanation:

These are core functions of the incident response process.

“Incident Evaluation” is incorrect. Evaluation of the extent and cause of the incident is a component of the incident response process.

“Incident Recognition” is incorrect. Recognition that an incident has occurred is the precursor to the initiation of the incident response process.

“Incident Protection” is incorrect. This is an almost-right-sounding nonsense answer to distract the unwary.

 

References:

CBK, pp. 698 – 703

 

QUESTION 517

Which of the following tasks is NOT usually part of a Business Impact Analysis (BIA)?

A. Calculate the risk for each different business function.
B. Identify the company’s critical business functions.
C. Calculate how long these functions can survive without these resources.
D. Develop a mission statement.

Correct Answer: D

Explanation:

The Business Impact Analysis is critical for the development of a business continuity plan (BCP). It identifies risks, critical processes and resources needed in case of recovery and quantifies the impact a disaster will have upon the organization. The development of a mission statement is normally performed before the BIA.

 

A BIA (business impact analysis) is considered a functional analysis, in which a team collects data through interviews and documentary sources; documents business functions, activities, and transactions; develops a hierarchy of business functions; and finally applies a classification scheme to indicate each individual function’s criticality level.

 

BIA Steps

The more detailed and granular steps of a BIA are outlined here:

1. Select individuals to interview for data gathering.
2. Create data-gathering techniques (surveys, questionnaires, qualitative and quantitative approaches).
3. Identify the company’s critical business functions.
4. Identify the resources these functions depend upon.
5. Calculate how long these functions can survive without these resources.
6. Identify vulnerabilities and threats to these functions.
7. Calculate the risk for each different business function.
8. Document findings and report them to management.

 

Reference(s) used for this question:

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Location 21076). Auerbach Publications. Kindle Edition.

Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 905-910). McGraw-Hill. Kindle Edition.

 

 

QUESTION 518

Under United States law, an investigator’s notebook may be used in court in which of the following scenarios?

A. When the investigator is unwilling to testify.
B. When other forms of physical evidence are not available.
C. To refresh the investigator’s memory while testifying.
D. If the defense has no objections.

Correct Answer: C

Explanation:

An investigator’s notebook cannot be used as evidence in court. It can only be used by the investigator to refresh his memory during a proceeding, but cannot be submitted as evidence in any form.

 

The following answers are incorrect:

 

When the investigator is unwilling to testify: incorrect, because the notebook cannot be submitted as evidence in any form.

When other forms of physical evidence are not available: incorrect, because the notebook cannot be submitted as evidence in any form.

If the defense has no objections: incorrect, because the notebook cannot be submitted as evidence in any form.

 

 

QUESTION 519

Which backup method does not reset the archive bit on files that are backed up?

A. Full backup method
B. Incremental backup method
C. Differential backup method
D. Additive backup method

Correct Answer: C

Explanation:

The differential backup method only copies files that have changed since the last full backup was performed. It is additive in that it does not reset the archive bit, so all changed or added files are backed up in every differential backup until the next full backup. The “additive backup method” is not a common backup method.

Source: KRUTZ, Ronald L.& VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 69).

 

 

QUESTION 520

Which of the following rules pertaining to a Business Continuity Plan/Disaster Recovery Plan is incorrect?

A. In order to facilitate recovery, a single plan should cover all locations.
B. There should be requirements to form a committee to decide a course of action. These decisions should be made ahead of time and incorporated into the plan.
C. In its procedures and tasks, the plan should refer to functions, not specific individuals.
D. Critical vendors should be contacted ahead of time to validate equipment can be obtained in a timely manner.

Correct Answer: A

Explanation:

The first documentation rule when it comes to a BCP/DRP is “one plan, one building”. Much of the plan revolves around reconstructing a facility and replenishing it with production contents. If more than one facility is involved, then the reader of the plan will find it difficult to identify quantities and specifications of replacement resource items. It is possible to have multiple plans for a single building, but those plans must be linked so that the identification and ordering of resource items is centralized. All other statements are correct.

Source: BARNES, James C.& ROTHSTEIN, Philip J., A Guide to Business Continuity Planning, John Wiley & Sons, 2001 (page 162).
