[Free] New Updated (October) ISC SSCP Real Exam 81-90

Ensurepass

 

QUESTION 81

How can an individual/person best be identified or authenticated to prevent local masquerading attacks?

 

A.

UserId and password

B.

Smart card and PIN code

C.

Two-factor authentication

D.

Biometrics

 

Correct Answer: D

Explanation:

The only way to be truly positive in authenticating identity for access is to base the authentication on the physical attributes of the person (i.e., biometric identification). Physical attributes cannot be shared, borrowed, or duplicated. They ensure that you do identify the person; however, they are not perfect and would have to be supplemented by another factor.

 

Some people are getting thrown off by the term Masquerade. In general, a masquerade is a disguise. In terms of communications security issues, a masquerade is a type of attack where the attacker pretends to be an authorized user of a system in order to gain access to it or to gain greater privileges than they are authorized for. A masquerade may be attempted through the use of stolen logon IDs and passwords, through finding security gaps in programs, or through bypassing the authentication mechanism. Spoofing is another term used to describe this type of attack.

 

A UserId only provides for identification.

 

A password is a weak authentication mechanism since passwords can be disclosed, shared, written down, and more.

 

A smart card can be stolen and its corresponding PIN code can be guessed by an intruder. A smart card can be borrowed by a friend of yours, and you would have no clue as to who is really logging in using that smart card.

 

Any form of two-factor authentication not involving biometrics cannot be as reliable as a biometric system to identify the person.

 

Biometric identifying verification systems control people. If the person with the correct hand, eye, face, signature, or voice is not present, the identification and verification cannot take place and the desired action (i.e., portal passage, data, or resource access) does not occur.

 

As has been demonstrated many times, adversaries and criminals obtain and successfully use access cards, even those that require the addition of a PIN. This is because these systems control only pieces of plastic (and sometimes information), rather than people. Real asset and resource protection can only be accomplished by people, not cards and information, because unauthorized persons can (and do) obtain the cards and information.

 

Further, life-cycle costs are significantly reduced because no card or PIN administration system or personnel are required. The authorized person does not lose physical characteristics (i.e., hands, face, eyes, signature, or voice), but cards and PINs are continuously lost, stolen, or forgotten. This is why card access systems require systems and people to administer, control, record, and issue (new) cards and PINs. Moreover, the cards are an expensive and recurring cost.

 

NOTE FROM CLEMENT:

This question has been generating lots of interest. The keyword in the question is:

 

Individual (the person) and also the authenticated portion as well.

 

I totally agree with you that Two Factors or Strong Authentication would be the strongest means of authentication. However, the question is not asking what is the strongest means of authentication; it is asking what is the best way to identify the user (individual) behind the technology. When answering questions, do not make assumptions about facts not presented in the question or answers.

 

Nothing can beat Biometrics in such a case. You cannot lend your fingerprint and PIN to someone else, and you cannot borrow one of my eyeballs to defeat the Iris or Retina scan. This is why it is the best method to authenticate the user.

 

I think the reference is playing with semantics and that makes it a bit confusing. I have improved the question to make it a lot clearer and I have also improved the explanations attached to the question.

 

The reference mentioned above refers to authenticating the identity for access. So the distinction is being made that there is identity and there is authentication. In the case of physical security, the enrollment process is where the identity of the user would be validated, and then the biometric features provided by the user would authenticate the user on a one-to-one matching basis (for authentication) with the reference contained in the database of biometric templates. In the case of system access, the user might have to provide a username, a PIN, a passphrase, a smart card, and then provide his biometric attributes.

 

Biometrics can also be used for Identification purposes, where you do a one-to-many match. You take a facial scan of someone within an airport and you attempt to match it with a large database of known criminals and terrorists. This is how you could use biometrics for Identification.

 

There are always THREE means of authentication; they are:

 

Something you know (Type 1)

Something you have (Type 2)

Something you are (Type 3)

 

Reference(s) used for this question:

 

TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th edition (volume 1), 2000, CRC Press, Chapter 1, Biometric Identification (page 7).

Search Security at http://searchsecurity.techtarget.com/definition/masquerade


QUESTION 82

Which of the following statements pertaining to access control is false?

 

A.

Users should only access data on a need-to-know basis.

B.

If access is not explicitly denied, it should be implicitly allowed.

C.

Access rights should be granted based on the level of trust a company has on a subject.

D.

Roles can be an efficient way to assign rights to a type of user who performs certain tasks.

 

Correct Answer: B

Explanation:

Access control mechanisms should default to no access to provide the necessary level of security and ensure that no security holes go unnoticed. If access is not explicitly allowed, it should be implicitly denied.

Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter 4: Access Control (page 143).

 

 

QUESTION 83

Which of the following is NOT a factor related to Access Control?

 

A.

integrity

B.

authenticity

C.

confidentiality

D.

availability

 

Correct Answer: B

Explanation:

These factors cover the integrity, confidentiality, and availability components of information system security; authenticity is not one of them.

 

Integrity is important in access control as it relates to ensuring only authorized subjects can make changes to objects.

 

Authenticity is different from authentication. Authenticity pertains to something being authentic, not necessarily having a direct correlation to access control.

 

Confidentiality is pertinent to access control in that the access to sensitive information is controlled to protect confidentiality.

 

Availability is protected by access controls in that if an attacker attempts to disrupt availability, they would first need access.

 

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 49.

 

 

QUESTION 84

Which of the following would be true about Static password tokens?

 

A.

The owner identity is authenticated by the token

B.

The owner will never be authenticated by the token.

C.

The owner will authenticate himself to the system.

D.

The token does not authenticate the token owner but the system.

 

Correct Answer: A

Explanation:

Password Tokens

Tokens are electronic devices or cards that supply a user’s password for them. A token system can be used to supply either a static or a dynamic password. There is a big difference between the static and dynamic systems: a static system will normally log a user in, whereas with a dynamic system the user will often have to log themselves in.

 

Static Password Tokens:

The owner identity is authenticated by the token. This is done by the person who issues the token to the owner (normally the employer). The owner of the token is now authenticated by “something you have”. The token authenticates the identity of the owner to the information system. An example of this occurring is when an employee swipes his or her smart card over an electronic lock to gain access to a store room.

 

Synchronous Dynamic Password Tokens:

This system is a lot more complex than the static password token. Synchronous dynamic password tokens generate new passwords at certain time intervals that are synchronized with the main system. The password is generated on a small device, similar to a pager or a calculator, that can often be attached to the user’s key ring. Each password is only valid for a certain time period; typing in a password during the wrong time period will invalidate the authentication. The time factor can also be the system’s downfall: if the clock on the system or on the password token device goes out of sync, a user can have trouble authenticating themselves to the system.

 

Asynchronous Dynamic Password Tokens:

The clock synchronization problem is eliminated with asynchronous dynamic password tokens. This system works on the same principle as the synchronous one, but it does not have a time frame. A lot of big companies use this system, especially for employees who may work from home on the company’s VPN (Virtual Private Network).

 

Challenge Response Tokens:

This is an interesting system. A user will be sent special “challenge” strings at either random or timed intervals. The user inputs this challenge string into their token device, and the device responds by generating a challenge response. The user then types this response into the system, and if it is correct they are authenticated.

 

Reference(s) used for this question:

 

http://www.informit.com/guides/content.aspx?g=security&seqNum=146

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 37.

 

 

QUESTION 85

What mechanism automatically causes an alarm originating in a data center to be transmitted over the local municipal fire or police alarm circuits for relaying to both the local police/fire station and the appropriate headquarters?

 

A.

Central station alarm

B.

Proprietary alarm

C.

A remote station alarm

D.

An auxiliary station alarm

 

Correct Answer: D

Explanation:

Auxiliary station alarms automatically cause an alarm originating in a data center to be transmitted over the local municipal fire or police alarm circuits for relaying to both the local police/fire station and the appropriate headquarters. They are usually municipal fire alarm boxes installed at your business or building, wired directly into the fire station.

 

Central station alarms are operated by private security organizations. They are very similar to proprietary alarm systems (see below). However, the biggest difference is that the monitoring and receiving of alarms is done off site, at a central location staffed by people who are not employees of the protected organization. It is a third party.

 

Proprietary alarms are similar to central station alarms except that monitoring is performed directly on the protected property. This type of alarm is usually used to protect large industrial or commercial buildings. Each of the buildings in the same vicinity has its own alarm system, and they are all wired together at a central location within one of the buildings, which acts as a common receiving point. This point is usually far away from the other buildings so that it is not exposed to the same danger. It is usually manned 24 hours a day by a trained team who know how to react under different conditions.

 

A remote station alarm is a direct connection between the signal-initiating device at the protected property and the signal-receiving device located at a remote station, such as the fire station or, more usually, a monitoring service. This is the most popular type of implementation, and the owner of the premises must pay a monthly monitoring fee. This is what most people use in their home when they get a company like ADT to receive the alarms on their behalf.

 

A remote system differs from an auxiliary system in that it does not use the municipal fire or police alarm circuits.

 

Reference(s) used for this question:

 

ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 11: Physical Security (page 211).

Great presentation by J.T. A. Stone on SlideShare

 

 

QUESTION 86

Passwords can be required to change monthly, quarterly, or at other intervals:

 

A.

depending on the criticality of the information needing protection

B.

depending on the criticality of the information needing protection and the password’s frequency of use

C.

depending on the password’s frequency of use

D.

not depending on the criticality of the information needing protection but depending on the password’s frequency of use

 

Correct Answer: B

Explanation:

Passwords can be compromised and must be protected. In the ideal case, a password should only be used once. The changing of passwords can also fall between these two extremes. Passwords can be required to change monthly, quarterly, or at other intervals, depending on the criticality of the information needing protection and the password’s frequency of use. Obviously, the more times a password is used, the more chance there is of it being compromised.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Pages 36 & 37.

 

 

QUESTION 87

In biometrics, the “one-to-one” search used to verify claim to an identity made by a person is considered:

 

A.

Authentication

B.

Identification

C.

Auditing

D.

Authorization

 

Correct Answer: A

Explanation:

Biometric devices can be used for either IDENTIFICATION or AUTHENTICATION.

ONE TO ONE is for AUTHENTICATION

This means that you, as a user, would provide some biometric credential such as your fingerprint. The system then compares the template you have provided with the one stored in the database. If the two match, that proves that you are who you claim to be.

 

ONE TO MANY is for IDENTIFICATION

A good example of this would be within an airport. Many airports today have facial recognition cameras; as you walk through the airport, the system takes a picture of your face and then compares the template (your face) with a database full of templates to see if there is a match between your template and the ones stored in the database. This is for IDENTIFICATION of a person.

 

Some additional clarification or comments that might be helpful: biometrics establish authentication using specific information and comparing results to expected data. They do not perform well for identification purposes such as scanning for a person’s face in a moving crowd, for example.

 

Identification methods could include: username, user ID, account number, PIN, certificate, token, smart card, biometric device or badge.

 

Auditing is a process of logging or tracking what was done after the identity and authentication process is completed.

 

Authorization is the rights the subject is given and is performed after the identity is established.

 

Reference OIG (2007) p148, 167

 

Authentication in biometrics is a “one-to-one” search to verify claim to an identity made by a person.

 

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 38.

 

 

QUESTION 88

What are the components of an object’s sensitivity label?

 

A.

A Classification Set and a single Compartment.

B.

A single classification and a single compartment.

C.

A Classification Set and user credentials.

D.

A single classification and a Compartment Set.

 

Correct Answer: D

Explanation:

A single classification and a Compartment Set are the two components of a sensitivity label.

 

The following are incorrect:

 

A Classification Set and a single Compartment. This is incorrect because the nomenclature “Classification Set” is wrong: there is only one classification, and it is not a “single compartment” but a Compartment Set.

 

A single classification and a single compartment. This is incorrect because, while there is only one classification, it is not a “single compartment” but a Compartment Set.

 

A Classification Set and user credentials. This is incorrect because the nomenclature “Classification Set” is wrong: there is only one classification, and the second component is not “user credentials” but a Compartment Set. The user would have their own sensitivity label.

 

 

QUESTION 89

In response to an Access-Request from a client such as a Network Access Server (NAS), which of the following is not one of the responses from a RADIUS server?

 

A.

Access-Accept

B.

Access-Reject

C.

Access-Granted

D.

Access-Challenge

 

Correct Answer: C

Explanation:

In response to an access-request from a client, a RADIUS server returns one of three authentication responses: access-accept, access-reject, or access-challenge, the latter being a request for additional authentication information such as a one-time password from a token or a callback identifier.

Source: TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th Edition, Volume 2, 2001, CRC Press, NY, page 36.

 

 

QUESTION 90

Which of the following protection devices is used for spot protection within a few inches of the object, rather than for overall room security monitoring?

 

A.

Wave pattern motion detectors

B.

Capacitance detectors

C.

Field-powered devices

D.

Audio detectors

 

Correct Answer: B

Explanation:

Capacitance detectors monitor an electrical field surrounding the object being monitored. They are used for spot protection within a few inches of the object, rather than for the overall room security monitoring provided by wave detectors. Penetration of this field changes the electrical capacitance of the field enough to generate an alarm. Wave pattern motion detectors generate a frequency wave pattern and send an alarm if the pattern is disturbed as it is reflected back to the receiver. Field-powered devices are a type of personnel access control device. Audio detectors simply monitor a room for any abnormal sound wave generation and trigger an alarm.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 10: Physical Security (page 344).
