[Oct-2021] Valid Way To Pass ISC Exam Dumps with SSCP Exam Study Guide [Q127-Q152]


All SSCP Dumps and System Security Certified Practitioner (SSCP) Training Courses Help candidates to study and pass the Exams hassle-free!


ISC SSCP Practice Test Questions, ISC SSCP Exam Practice Test Questions

The (ISC)2 SSCP certificate is designed for the IT directors, managers, administrators, and other network security professionals who are responsible for practical operational security of the critical assets of their organizations. The candidates for this path demonstrate the advanced knowledge and technical skills required to administer, implement, and monitor IT infrastructure with the use of the security procedures, policies, and best practices. To get the SSCP certification, you must pass one qualifying exam and fulfill some requirements.

 

NEW QUESTION 127
The DES algorithm is an example of what type of cryptography?

  • A. Two-key
  • B. Asymmetric Key
  • C. Public Key
  • D. Secret Key

Answer: D

Explanation:
DES is also known as a Symmetric Key or Secret Key algorithm.
DES is a Symmetric Key algorithm, meaning the same key is used for encryption and decryption.
For the exam remember that:
The DES key sequence is 8 bytes or 64 bits (8 x 8 = 64 bits).
DES has an effective key length of only 56 bits; 8 of the bits are used for parity purposes only.
DES has a total key length of 64 bits.
The following answers are incorrect:
Two-key: This is incorrect because DES uses the same key for encryption and decryption.
Asymmetric Key: This is incorrect because DES is a Symmetric Key algorithm using the same key for encryption and decryption, whereas an Asymmetric Key algorithm uses both a Public Key and a Private Key.
Public Key: This is incorrect because a Public Key (Asymmetric Key) algorithm does not use the same key for encryption and decryption.
References used for this question:
http://en.wikipedia.org/wiki/Data_Encryption_Standard
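An added illustration of the 64-bit versus 56-bit point above (example code, not part of the original question set): each DES key byte holds 7 key bits plus one odd-parity bit, so the parity bits add nothing to the key space. The sample keys are constructed.

```python
# Added example, not from the original page: why a 64-bit DES key has only
# 56 effective bits. Each of the 8 key bytes carries 7 bits of key material in
# its upper bits and one parity bit in the least significant bit, chosen so
# that every byte has an odd number of 1 bits. The parity bits add nothing to
# the key space, so two keys that differ only in parity bits are the same key.

# Constructed sample keys. GOOD_KEY is the classic 0123456789ABCDEF example key,
# which already has correct odd parity in every byte; BAD_KEY flips the parity
# bit of the first byte only.
GOOD_KEY = bytes.fromhex("0123456789abcdef")
BAD_KEY = bytes.fromhex("0023456789abcdef")


def _check_length(key: bytes) -> None:
    if len(key) != 8:
        raise ValueError("DES key must be exactly 8 bytes (64 bits)")


def has_odd_parity(byte: int) -> bool:
    """True if the byte has an odd number of 1 bits, as DES key bytes require."""
    return bin(byte).count("1") % 2 == 1


def bad_parity_bytes(key: bytes) -> list:
    """Indexes of key bytes whose parity bit is wrong (empty list means a well-formed key)."""
    _check_length(key)
    return [i for i, b in enumerate(key) if not has_odd_parity(b)]


def set_parity(key: bytes) -> bytes:
    """Return the same 56 bits of key material with every parity bit corrected."""
    _check_length(key)
    fixed = bytearray()
    for b in key:
        material = b & 0xFE                      # upper 7 bits: the real key bits
        ones = bin(material).count("1")
        fixed.append(material | (0 if ones % 2 == 1 else 1))  # LSB makes the count odd
    return bytes(fixed)


def key_material(key: bytes) -> int:
    """Pack the 7 key bits of each byte into one 56-bit integer, dropping parity bits."""
    _check_length(key)
    value = 0
    for b in key:
        value = (value << 7) | (b >> 1)
    return value


def effective_key_bits(key: bytes) -> int:
    """Number of bits an exhaustive search actually has to cover: 7 per byte, never 64."""
    _check_length(key)
    return 7 * len(key)


if __name__ == "__main__":
    print("bad parity bytes in BAD_KEY:", bad_parity_bytes(BAD_KEY))                # [0]
    print("corrected key:", set_parity(BAD_KEY).hex())                                # 0123456789abcdef
    print("same key material:", key_material(BAD_KEY) == key_material(GOOD_KEY))     # True
    print("effective bits:", effective_key_bits(GOOD_KEY), "of", 8 * len(GOOD_KEY))  # 56 of 64
```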

 

NEW QUESTION 128
Kerberos can prevent which one of the following attacks?

  • A. playback (replay) attack.
  • B. destructive attack.
  • C. tunneling attack.
  • D. process attack.

Answer: A

Explanation:
Each ticket in Kerberos has a timestamp and is subject to time expiration to help prevent these types of attacks.
The following answers are incorrect:
tunneling attack. This is incorrect because a tunneling attack is an attempt to bypass security and access low-level systems. Kerberos cannot totally prevent these types of attacks.
destructive attack. This is incorrect because, depending on the type of destructive attack, Kerberos cannot prevent someone from physically destroying a server.
process attack. This is incorrect because Kerberos cannot prevent authorized individuals from running processes.
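An added example of the replay check described above (example code, not part of the original question set): a simplified model of the service side, which rejects an authenticator whose timestamp falls outside the clock-skew window or whose ticket has expired, and keeps a replay cache so the same authenticator is accepted only once. Principal names and times are constructed; the 5-minute skew is the conventional value, not a field of the original text.

```python
# Added example, not from the original page: a simplified model of the two
# checks a Kerberos service applies to a client's authenticator to defeat
# replay. Real Kerberos (RFC 4120) carries the authenticator encrypted under
# the ticket's session key; this model keeps only the fields the checks use.
from dataclasses import dataclass
from typing import Tuple

# Kerberos implementations conventionally tolerate 5 minutes of clock skew.
MAX_CLOCK_SKEW = 300


@dataclass(frozen=True)
class Authenticator:
    client: str        # client principal (constructed value in the demo below)
    client_time: int   # client's clock when it built the authenticator, epoch seconds
    ticket_start: int  # validity window of the accompanying service ticket
    ticket_end: int


class ReplayGuard:
    """Service-side freshness window plus replay cache for authenticators."""

    def __init__(self, max_skew: int = MAX_CLOCK_SKEW) -> None:
        self.max_skew = max_skew
        self._seen = set()  # (client, client_time) pairs accepted inside the window

    def _purge(self, now: int) -> None:
        # Anything older than the skew window is rejected by the timestamp check
        # anyway, so the cache only needs to remember authenticators inside it.
        cutoff = now - self.max_skew
        self._seen = {entry for entry in self._seen if entry[1] >= cutoff}

    def check(self, auth: Authenticator, now: int) -> Tuple[bool, str]:
        """Return (accepted, reason). Only accepted authenticators enter the cache."""
        if not auth.ticket_start <= now <= auth.ticket_end:
            return False, "ticket expired or not yet valid"
        if abs(now - auth.client_time) > self.max_skew:
            return False, "authenticator timestamp outside the clock-skew window"
        self._purge(now)
        entry = (auth.client, auth.client_time)
        if entry in self._seen:
            return False, "replay: this authenticator was already accepted"
        self._seen.add(entry)
        return True, "accepted"


def demo() -> list:
    """Run the scenarios the explanation above describes; returns the reason strings."""
    guard = ReplayGuard()
    # Constructed times: ticket valid 999000..1036000, authenticator built at 1000000.
    auth = Authenticator("alice@EXAMPLE.COM", 1_000_000, 999_000, 1_036_000)
    results = [
        guard.check(auth, now=1_000_010),  # fresh, first use
        guard.check(auth, now=1_000_020),  # same authenticator replayed 10 s later
        guard.check(Authenticator("alice@EXAMPLE.COM", 999_000, 999_000, 1_036_000),
                    now=1_000_000),        # timestamp 1000 s old: outside the skew window
        guard.check(Authenticator("bob@EXAMPLE.COM", 1_040_000, 999_000, 1_036_000),
                    now=1_040_000),        # ticket already expired
    ]
    return [reason for _, reason in results]


if __name__ == "__main__":
    for line in demo():
        print(line)
```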

 

NEW QUESTION 129
What can best be defined as the sum of protection mechanisms inside the computer, including hardware, firmware and software?

  • A. Security perimeter
  • B. Trusted system
  • C. Trusted computing base
  • D. Security kernel

Answer: C

Explanation:
The Trusted Computing Base (TCB) is defined as the total combination of protection mechanisms within a computer system. The TCB includes hardware, software, and firmware. These are part of the TCB because the system is sure that these components will enforce the security policy and not violate it.
The security kernel is made up of the hardware, software, and firmware components that fall within the TCB and implements and enforces the reference monitor concept.
Reference:
AIOv4 Security Models and Architecture pgs 268, 273

 

NEW QUESTION 130
Which of the following type of cryptography is used when both parties use the same key to communicate securely with each other?

  • A. PKI - Public Key Infrastructure
  • B. Diffie-Hellman
  • C. DSS - Digital Signature Standard
  • D. Symmetric Key Cryptography

Answer: D

Explanation:
Section: Cryptography
Symmetric-key algorithms are a class of algorithms for cryptography that use the same cryptographic keys for both encryption of plaintext (sender) and decryption of ciphertext (receiver). The keys may be identical; in practice, they represent a shared secret between two or more parties that can be used to maintain a private information link.
This requirement that both parties have access to the secret key is one of the main drawbacks of symmetric key encryption in comparison to public-key encryption. This is also known as secret key encryption. In symmetric key cryptography, each end of the conversation must have the same key or they cannot decrypt the message sent to them by the other party.
Symmetric key crypto is very fast but more difficult to manage due to the need to distribute the key by a secure means to all parties needing to decrypt the data. There is no key management built into symmetric crypto.
PKI provides CIA: Confidentiality (through encryption), Integrity (by guaranteeing that the message hasn't changed in transit) and Authentication (non-repudiation). Symmetric key crypto provides mostly Confidentiality.
The following answers are incorrect:
- PKI - Public Key Infrastructure: This is the opposite of symmetric key crypto. Each side in PKI has their own private key and public key. What one key encrypts, the other one can decrypt. You make use of the receiver's public key to communicate securely with a remote user. The receiver will use their matching private key to decrypt the data.
- Diffie-Hellman: Sorry, this is an asymmetric key technique. It is used for key agreement over an insecure network such as the Internet. It allows two parties who have never met to negotiate a secret key over an insecure network while preventing Man-In-The-Middle (MITM) attacks.
- DSS - Digital Signature Standard: Sorry, this is an asymmetric key technique.
The following reference(s) were used to create this question:
To learn more about this question and 100% of the Security+ CBK, subscribe to our Holistic Computer Based Tutorial (CBT) on our Learning Management System at: http://www.cccure.tv and
http://en.wikipedia.org/wiki/Symmetric-key_algorithm

 

NEW QUESTION 131
In the course of responding to and handling an incident, you work on determining the root cause of the incident. In which step are you in?

  • A. Containment
  • B. Analysis and tracking
  • C. Triage
  • D. Recovery

Answer: B

Explanation:
In this step, your main objective is to examine and analyze what has occurred and focus on determining the root cause of the incident.
Recovery is incorrect, as recovery is about resuming operations or bringing affected systems back into production.
Containment is incorrect, as containment is about reducing the potential impact of an incident.
Triage is incorrect, as triage is about determining the seriousness of the incident and filtering out false positives.
Reference:
Official Guide to the CISSP CBK, pages 700-704

 

NEW QUESTION 132
During which phase of an IT system life cycle are security requirements developed?

  • A. Implementation
  • B. Functional design analysis and Planning
  • C. Initiation
  • D. Operation

Answer: B

Explanation:
Section: Security Operation Administration
The software development life cycle (SDLC) (sometimes referred to as the System Development Life Cycle) is the process of creating or altering software systems, and the models and methodologies that people use to develop these systems.
The NIST SP 800-64 revision 2 has within the description section of para 3.2.1:
This section addresses security considerations unique to the second SDLC phase. Key security activities for this phase include:
* Conduct the risk assessment and use the results to supplement the baseline security controls;
* Analyze security requirements;
* Perform functional and security testing;
* Prepare initial documents for system certification and accreditation; and
* Design security architecture.
Reviewing this publication you may want to pick development/acquisition. Although initiation would be a decent choice, it is correct to say during this phase you would only brainstorm the idea of security requirements. Once you start to develop and acquire hardware/software components then you would also develop the security controls for these. The Shon Harris reference below is correct as well.
Shon Harris' Book (All-in-One CISSP Certification Exam Guide) divides the SDLC differently:
Project initiation
Functional design analysis and planning
System design specifications
Software development
Installation
Maintenance support
Revision and replacement
According to the author (Shon Harris), security requirements should be developed during the functional design analysis and planning phase.
SDLC POSITIONING FROM NIST 800-64

SDLC Positioning in the enterprise
Information system security processes and activities provide valuable input into managing IT systems and their development, enabling risk identification, planning and mitigation. A risk management approach involves continually balancing the protection of agency information and assets with the cost of security controls and mitigation strategies throughout the complete information system development life cycle (see Figure 2-1 above). The most effective way to implement risk management is to identify critical assets and operations, as well as systemic vulnerabilities across the agency. Risks are shared and not bound by organization, revenue source, or topologies. Identification and verification of critical assets and operations and their interconnections can be achieved through the system security planning process, as well as through the compilation of information from the Capital Planning and Investment Control (CPIC) and Enterprise Architecture (EA) processes to establish insight into the agency's vital business operations, their supporting assets, and existing interdependencies and relationships.
With critical assets and operations identified, the organization can and should perform a business impact analysis (BIA). The purpose of the BIA is to relate systems and assets with the critical services they provide and assess the consequences of their disruption. By identifying these systems, an agency can manage security effectively by establishing priorities. This positions the security office to facilitate the IT program's cost- effective performance as well as articulate its business impact and value to the agency.
SDLC OVERVIEW FROM NIST 800-64
SDLC Overview from NIST 800-64 Revision 2

NIST 800-64 Revision 2 is one publication within the NIST standards that I would recommend you look at for more details about the SDLC. It describes in great detail what activities would take place, and it has a nice diagram for each of the phases of the SDLC. You will find a copy at:
http://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-Revision2.pdf
DISCUSSION:
Different sources present slightly different information as far as the phase names are concerned.
People sometimes get confused with some of the NIST standards. For example, NIST 800-64 Security Considerations in the Information System Development Life Cycle has slightly different names, but the activities mostly remain the same.
NIST clearly specifies that security requirements would be considered throughout ALL of the phases. The keyword here is considered; if a question is about which phase they would be developed in, then Functional Design Analysis would be the correct choice.
Within the NIST standard they use different phase names; however, under the second phase you will see that they talk specifically about security functional requirements analysis, which confirms it is not at the initiation stage, so it becomes easier to come up with the answer to this question. Here is what is stated:
The security functional requirements analysis considers the system security environment, including the enterprise information security policy and the enterprise security architecture. The analysis should address all requirements for confidentiality, integrity, and availability of information, and should include a review of all legal, functional, and other security requirements contained in applicable laws, regulations, and guidance.
At the initiation step you would NOT have enough detail yet to produce the Security Requirements. You are mostly brainstorming on all of the issues listed, but you do not develop them all at that stage.
By considering security early in the information system development life cycle (SDLC), you may be able to avoid higher costs later on and develop a more secure system from the start.
NIST says:
NIST's Information Technology Laboratory recently issued Special Publication (SP) 800-64, Security Considerations in the Information System Development Life Cycle, by Tim Grance, Joan Hash, and Marc Stevens, to help organizations include security requirements in their planning for every phase of the system life cycle, and to select, acquire, and use appropriate and cost-effective security controls.
I must admit this is all very tricky but reading skills and paying attention to KEY WORDS is a must for this exam.
References:
HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, Fifth Edition, Page 956 and NIST SP 800-64 Revision 2 at http://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-Revision2.pdf and
http://www.mks.com/resources/resource-pages/software-development-life-cycle-sdlc-system-development

 

NEW QUESTION 133
Secure Shell (SSH) is a strong method of performing:

  • A. client authentication
  • B. host authentication
  • C. server authentication
  • D. guest authentication

Answer: A

Explanation:
Secure shell (SSH) was designed as an alternative to some of the insecure protocols and allows users to securely access resources on remote computers over an encrypted tunnel. The Secure Shell Protocol (SSH) is a protocol for secure remote login and other secure network services over an insecure network. The SSH authentication protocol runs on top of the SSH transport layer protocol and provides a single authenticated tunnel for the SSH connection protocol.
SSH's services include remote log-on, file transfer, and command execution. It also supports port forwarding, which redirects other protocols through an encrypted SSH tunnel. Many users protect less secure traffic of protocols, such as X Windows and VNC (virtual network computing), by forwarding them through an SSH tunnel.
The SSH tunnel protects the integrity of communication, preventing session hijacking and other man-in-the-middle attacks. Another advantage of SSH over its predecessors is that it supports strong authentication. There are several alternatives for SSH clients to authenticate to an SSH server, including passwords and digital certificates.
Keep in mind that authenticating with a password is still a significant improvement over the other protocols because the password is transmitted encrypted.
There are two incompatible versions of the protocol, SSH-1 and SSH-2, though many servers support both. SSH-2 has improved integrity checks (SSH-1 is vulnerable to an insertion attack due to weak CRC-32 integrity checking) and supports local extensions and additional types of digital certificates such as OpenPGP. SSH was originally designed for UNIX, but there are now implementations for other operating systems, including Windows, Macintosh, and OpenVMS.
Is SSH 3.0 the same as SSH3? The short answer is: NO. SSH 3.0 refers to version 3 of SSH Communications' SSH2 protocol implementation, and it could also refer to OpenSSH version 3.0 of its SSH2 software. The "3" refers to the software release version, not the protocol version. As of this writing (July 2013), there is no SSH3 protocol.
"Server authentication" is incorrect. Though many SSH clients allow pre-caching of server/host keys, this is a minimal form of server/host authentication.
"Host authentication" is incorrect. Though many SSH clients allow pre-caching of server/host keys, this is a minimal form of server/host authentication.
"Guest authentication" is incorrect. The general idea of "guest" is that it is unauthenticated access.
Reference(s) used for this question:
http://www.ietf.org/rfc/rfc4252.txt
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 7080-7088). Auerbach Publications. Kindle Edition.

 

NEW QUESTION 134
What is the essential difference between a self-audit and an independent audit?

  • A. Objectivity
  • B. Competence
  • C. Results
  • D. Tools used

Answer: A

Explanation:
To maintain operational assurance, organizations use two basic methods: system audits and monitoring.
Monitoring refers to an ongoing activity whereas audits are one-time or periodic events and can be either internal or external. The essential difference between a self-audit and an independent audit is objectivity, thus indirectly affecting the results of the audit. Internal and external auditors should have the same level of competence and can use the same tools.
Source: SWANSON, Marianne & GUTTMAN, Barbara, National Institute of Standards and Technology (NIST), NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, September 1996 (page 25).

 

NEW QUESTION 135
What works as an E-mail message transfer agent?

  • A. S/MIME
  • B. SMTP
  • C. SNMP
  • D. S-RPC

Answer: B

Explanation:
Section: Network and Telecommunications
SMTP (Simple Mail Transfer Protocol) works as a message transfer agent.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2001, Page 821.

 

NEW QUESTION 136
ICMP and IGMP belong to which layer of the OSI model?

  • A. Data Link Layer.
  • B. Network Layer.
  • C. Datagram Layer.
  • D. Transport Layer.

Answer: B

Explanation:
The network layer contains the Internet Protocol (IP), the Internet Control Message Protocol (ICMP), and the Internet Group Management Protocol (IGMP).
The following answers are incorrect:
Datagram Layer. This is incorrect; it is a distractor, as there is no Datagram Layer.
Transport Layer. This is incorrect because the transport layer is used to move data between applications and uses the TCP and UDP protocols.
Data Link Layer. This is incorrect because this layer deals with hardware addressing.

 

NEW QUESTION 137
Which of the following technologies has been developed to support TCP/IP networking over low-speed serial interfaces?

  • A. T1
  • B. ISDN
  • C. xDSL
  • D. SLIP

Answer: D

Explanation:
Serial Line IP (SLIP) was developed in 1984 to support TCP/IP networking over low-speed serial interfaces.
Source: KRUTZ, Ronald L & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 114).

 

NEW QUESTION 138
What type of cable is used with 100Base-TX Fast Ethernet?

  • A. Category 3 or 4 unshielded twisted-pair (UTP).
  • B. Category 5 unshielded twisted-pair (UTP).
  • C. Fiber-optic cable
  • D. RG-58 cable.

Answer: B

Explanation:
Section: Network and Telecommunications
This is the type of cabling recommended for 100Base-TX networks.
Fiber-optic cable is incorrect. It is the wrong media type for 100Base-TX; 100Base-FX would denote fiber-optic cabling.
"Category 3 or 4 unshielded twisted-pair (UTP)" is incorrect. These types are not recommended for 100 Mbps operation.
RG-58 cable is incorrect. It is the wrong media type for 100Base-TX.
References
CBK, p. 428
AIO3, p. 455

 

NEW QUESTION 139
Which of the following best allows risk management results to be used knowledgeably?

  • A. A threat identification
  • B. An uncertainty analysis
  • C. A likelihood assessment
  • D. A vulnerability analysis

Answer: B

Explanation:
Risk management consists of two primary and one underlying activity; risk assessment and risk mitigation are the primary activities and uncertainty analysis is the underlying one. After having performed risk assessment and mitigation, an uncertainty analysis should be performed. Risk management must often rely on speculation, best guesses, incomplete data, and many unproven assumptions. A documented uncertainty analysis allows the risk management results to be used knowledgeably. A vulnerability analysis, likelihood assessment and threat identification are all parts of the collection and analysis of data part of the risk assessment, one of the primary activities of risk management.
Source: SWANSON, Marianne & GUTTMAN, Barbara, National Institute of Standards and Technology (NIST), NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, September 1996 (pages 19-21).

 

NEW QUESTION 140
Which of the following is defined as the most recent point in time to which data must be synchronized without adversely affecting the organization (financial or operational impacts)?

  • A. Recovery Point Objective
  • B. Recovery Time Objective
  • C. Critical Time Objective
  • D. Point of Time Objective

Answer: A

Explanation:
Section: Risk, Response and Recovery
The recovery point objective (RPO) is the maximum acceptable level of data loss following an unplanned "event", like a disaster (natural or man-made), act of crime or terrorism, or any other business or technical disruption that could cause such data loss. The RPO represents the point in time, prior to such an event or incident, to which lost data can be recovered (given the most recent backup copy of the data).
The recovery time objective (RTO) is a period of time within which business and / or technology capabilities must be restored following an unplanned event or disaster. The RTO is a function of the extent to which the interruption disrupts normal operations and the amount of revenue lost per unit of time as a result of the disaster.
These factors in turn depend on the affected equipment and application(s). Both of these numbers represent key targets that are set by key businesses during business continuity and disaster recovery planning; these targets in turn drive the technology and implementation choices for business resumption services, backup / recovery / archival services, and recovery facilities and procedures.
Many organizations put the cart before the horse in selecting and deploying technologies before understanding the business needs as expressed in RPO and RTO; IT departments later bear the brunt of user complaints that their service expectations are not being met. Defining the RPO and RTO can avoid that pitfall, and in doing so can also make for a compelling business case for recovery technology spending and staffing.
For the CISSP candidate studying for the exam, there are no such objectives as "point of time" and "critical time." Those two answers are simply distractors.
Reference:
http://www.wikibon.org/Recovery_point_objective_/_recovery_time_objective_strategy

 

NEW QUESTION 141
Brute force attacks against encryption keys have increased in potency because of increased computing power. Which of the following is often considered a good protection against the brute force cryptography attack?

  • A. The use of good key generators.
  • B. The use of session keys.
  • C. Nothing can defend you against a brute force crypto key attack.
  • D. Algorithms that are immune to brute force key attacks.

Answer: B

Explanation:
If we assume a cryptosystem with a large key (and therefore a large key space), a brute force attack will likely take a good deal of time, anywhere from several hours to several years depending on a number of variables. If you use a session key for each message you encrypt, then the brute force attack provides the attacker with only the key for that one message. So, if you are encrypting 10 messages a day, each with a different session key, but it takes me a month to break each session key, then I am fighting a losing battle.
The other answers are not correct because:
"The use of good key generators" is not correct because a brute force key attack will eventually run through all possible combinations of key. Therefore, any key will eventually be broken in this manner given enough time.
"Nothing can defend you against a brute force crypto key attack" is incorrect, and not the best answer listed. While it is technically true that any key will eventually be broken by a brute force attack, the question remains "how long will it take?". In other words, if you encrypt something today but I can't read it for 10,000 years, will you still care? If the key is changed every session, does it matter if it can be broken after the session has ended? Of the answers listed here, session keys are "often considered a good protection against the brute force cryptography attack" as the question asks.
"Algorithms that are immune to brute force key attacks" is incorrect because there currently are no such algorithms.
References:
Official ISC2 Guide page: 259
All in One Third Edition page: 623

 

NEW QUESTION 142
Which of the following is a problem regarding computer investigation issues?

  • A. Evidence is easy to gather.
  • B. Computer-generated records are only considered secondary evidence, thus are not as reliable as best evidence.
  • C. Information is tangible.
  • D. In many instances, an expert or specialist is not required.

Answer: B

Explanation:
Section: Risk, Response and Recovery
Computer-generated records normally fall under the category of hearsay evidence because they cannot be proven accurate and reliable, and this can be a problem.
Under the U.S. Federal Rules of Evidence, hearsay evidence is generally not admissible in court. This inadmissibility is known as the hearsay rule, although there are some exceptions for how, when, by whom and in what circumstances data was collected.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 9: Law, Investigation, and Ethics (page 310).
IMPORTANT NOTE:
For the purpose of the exam it is very important to remember the Business Record exemption to the Hearsay Rule. For example: if you create log files and review them on a regular basis as part of a business process, such files would be admissible in court and they would not be considered hearsay, because they were made in the course of regular business and it is part of the regular course of business to create such records.
Here is another quote from the HISM book:
Business Record Exemption to the Hearsay Rule
Federal Rules of Evidence 803(6) allow a court to admit a report or other business document made at or near the time by or from information transmitted by a person with knowledge, if kept in the course of regularly conducted business activity, and if it was the regular practice of that business activity to make the [report or document], all as shown by testimony of the custodian or other qualified witness, unless the source of information or the method or circumstances of preparation indicate lack of trustworthiness.
To meet Rule 803(6) the witness must:
* Have custody of the records in question on a regular basis.
* Rely on those records in the regular course of business.
* Know that they were prepared in the regular course of business.
Audit trails meet the criteria if they are produced in the normal course of business. The process to produce the output will have to be proven to be reliable. If computer-generated evidence is used and admissible, the court may order disclosure of the details of the computer, logs, and maintenance records in respect to the system generating the printout, and then the defense may use that material to attack the reliability of the evidence. If the audit trails are not used or reviewed - at least the exceptions (e.g., failed log-on attempts) - in the regular course of business, they do not meet the criteria for admissibility.
Federal Rules of Evidence 1001(3) provide another exception to the hearsay rule. This rule allows a memory or disk dump to be admitted as evidence, even though it is not done in the regular course of business. This dump merely acts as statement of fact. System dumps (in binary or hexadecimal) are not hearsay because they are not being offered to prove the truth of the contents, but only the state of the computer.
BUSINESS RECORDS LAW EXAMPLE:
The business records law was enacted in 1931 (PA No. 56). For a document to be admissible under the statute, the proponent must show: (1) the document was made in the regular course of business; (2) it was the regular course of business to make the record; and (3) the record was made when the act, transaction, or event occurred, or shortly thereafter (State v. Vennard, 159 Conn. 385, 397 (1970); Mucci v. LeMonte, 157 Conn. 566, 570 (1969)). The failure to establish any one of these essential elements renders the document inadmissible under the statute (McCahill v. Town and Country Associates, Ltd., 185 Conn. 37 (1981); State v. Peary, 176 Conn. 170 (1978); Welles v. Fish Transport Co., 123 Conn. 49 (1937)).
The statute expressly provides that the person who made the business entry does not have to be unavailable as a witness, and the proponent does not have to call as a witness the person who made the record or show the person to be unavailable (State v. Jeustiniano, 172 Conn. 275 (1977)).
The person offering the business records as evidence does not have to independently prove the trustworthiness of the record. But there is no presumption that the record is accurate; the record's accuracy and weight are issues for the trier of fact (State v. Waterman, 7 Conn. App. 326 (1986); Handbook of Connecticut Evidence, Second Edition, § 11.14.3).
Reference: http://search.cga.state.ct.us/dtsearch_lpa.asp?cmd=getdoc&DocId=16833&Index=I%3A%5Czindex%5C1995&HitCount=0&hits=&hc=0&req=&Item=712

 

NEW QUESTION 143
What is called a password that is the same for each log-on session?

  • A. static password
  • B. dynamic password
  • C. "two-time password"
  • D. "one-time password"

Answer: A

Explanation:
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36.

 

NEW QUESTION 144
Which of the following best describes the purpose of debugging programs?

  • A. To ensure that program coding flaws are detected and corrected.
  • B. To generate random data that can be used to test programs before implementing them.
  • C. To protect, during the programming phase, valid changes from being overwritten by other changes.
  • D. To compare source code versions before transferring to the test environment

Answer: A

Explanation:
Debugging provides the basis for the programmer to correct the logic errors in a program under development before it goes into production.
Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 298).

 

NEW QUESTION 145
What is NOT an authentication method within IKE and IPsec?

  • A. CHAP
  • B. Public key authentication
  • C. Pre shared key
  • D. certificate based authentication

Answer: A

Explanation:
CHAP is not used within IPSEC or IKE. CHAP is an authentication scheme used by Point-to-Point Protocol (PPP) servers to validate the identity of remote clients.
CHAP periodically verifies the identity of the client by using a three-way handshake. This happens at the time of establishing the initial link (LCP), and may happen again at any time afterwards. The verification is based on a shared secret (such as the client user's password).
1. After the completion of the link establishment phase, the authenticator sends a "challenge" message to the peer.
2. The peer responds with a value calculated using a one-way hash function on the challenge and the secret combined.
3. The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authenticator acknowledges the authentication; otherwise it should terminate the connection.
At random intervals the authenticator sends a new challenge to the peer and repeats steps 1 through 3.
The following were incorrect answers:
Pre Shared Keys
In cryptography, a pre-shared key or PSK is a shared secret which was previously shared between the two parties using some secure channel before it needs to be used. To build a key from the shared secret, a key derivation function should be used. Such systems almost always use symmetric key cryptographic algorithms. The term PSK is used in WiFi encryption, for example the static key of WEP or the passphrase of WPA/WPA2-Personal (WPA-PSK), where the wireless access point (AP) and all clients share the same key.
The characteristics of this secret or key are determined by the system which uses it; some system designs require that such keys be in a particular format. It can be a password like 'bret13i', a passphrase like 'Idaho hung gear id gene', or a hexadecimal string like '65E4 E556 8622 EEE1'. The secret is used by all systems involved in the cryptographic processes used to secure the traffic between the systems.
Certificate Based Authentication
The most common form of trusted authentication between parties in the wide world of Web commerce is the exchange of certificates. A certificate is a digital document that at a minimum includes a Distinguished Name (DN) and an associated public key.
The certificate is digitally signed by a trusted third party known as the Certificate Authority (CA). The CA vouches for the authenticity of the certificate holder. Each principal in the transaction presents its certificate as its credentials. The recipient then validates the certificate's signature against its cache of known and trusted CA certificates. A "personal certificate" identifies an end user in a transaction; a "server certificate" identifies the service provider.
Generally, certificate formats follow the X.509 Version 3 standard. X.509 is part of the ITU-T X.500 directory specification (the Open Systems Interconnection (OSI) directory series).
Public Key Authentication
Public key authentication is an alternative means of identifying yourself to a login server, instead of typing a password. It is more secure and more flexible, but more difficult to set up.
In conventional password authentication, you prove you are who you claim to be by proving that you know the correct password. The only way to prove you know the password is to tell the server what you think the password is. This means that if the server has been hacked or spoofed, an attacker can learn your password.
Public key authentication solves this problem. You generate a key pair, consisting of a public key (which everybody is allowed to know) and a private key (which you keep secret and do not give to anybody). The private key is able to generate signatures. A signature created using your private key cannot be forged by anybody who does not have a copy of that private key; but anybody who has your public key can verify that a particular signature is genuine.
So you generate a key pair on your own computer, and you copy the public key to the server. Then, when the server asks you to prove who you are, you generate a signature using your private key. The server can verify that signature (since it has your public key) and allow you to log in. Now if the server is hacked or spoofed, the attacker does not gain your private key or password; they only gain one signature over a one-time challenge. Since that signature cannot be re-used against a fresh challenge, they have gained nothing.
There is a problem with this: if your private key is stored unprotected on your own computer, then anybody who gains access to your computer will be able to generate signatures as if they were you. So they will be able to log in to your server under your account. For this reason, your private key is usually encrypted when it is stored on your local machine, using a passphrase of your choice. In order to generate a signature, you must decrypt the key, so you have to type your passphrase.
References:
RFC 2409: The Internet Key Exchange (IKE).
DORASWAMY, Naganand & HARKINS, Dan, IPsec: The New Security Standard for the Internet, Intranets, and Virtual Private Networks, 1999, Prentice Hall PTR.
SMITH, Richard E., Internet Cryptography, 1997, Addison-Wesley Pub Co.
HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 2001, McGraw-Hill/Osborne, page 467.
http://en.wikipedia.org/wiki/Pre-shared_key
http://www.home.umk.pl/~mgw/LDAP/RS.C4.JUN.97.pdf
http://the.earth.li/~sgtatham/putty/0.55/htmldoc/Chapter8.html#S8.1
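The CHAP three-way handshake described above, worked through in code. This is an added example, not code from the original page or from any PPP implementation; the response value is computed the way RFC 1994 defines it (MD5 over identifier, secret and challenge), and the peer name, secrets and candidate password list are constructed for the example. The last function shows the caveat a practitioner should keep in mind: a fresh challenge defeats replay, but one captured exchange is enough to test guesses for a weak secret offline.

```python
import hashlib
import hmac
import secrets

# Added example of the CHAP exchange (RFC 1994): the response is
# MD5(identifier || secret || challenge). Peer name, secrets and the
# candidate list used below are constructed for this example.


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response value exactly as RFC 1994 defines it."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """PPP server side: issues challenges and checks responses."""

    def __init__(self, peer_secrets: dict):
        self.peer_secrets = peer_secrets      # peer name -> shared secret
        self.outstanding = {}                 # identifier -> challenge value
        self.next_identifier = 0

    def challenge(self):
        identifier = self.next_identifier
        self.next_identifier = (self.next_identifier + 1) & 0xFF
        value = secrets.token_bytes(16)       # fresh random challenge value
        self.outstanding[identifier] = value
        return identifier, value

    def verify(self, identifier: int, name: bytes, response: bytes) -> bool:
        # A challenge may be answered once: popping it here is what defeats
        # replay of a captured response.
        challenge = self.outstanding.pop(identifier, None)
        secret = self.peer_secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


class Peer:
    """PPP client side: answers challenges with the shared secret."""

    def __init__(self, name: bytes, secret: bytes):
        self.name = name
        self.secret = secret

    def respond(self, identifier: int, challenge: bytes):
        return self.name, chap_response(identifier, self.secret, challenge)


def run_handshake(auth: Authenticator, peer: Peer) -> bool:
    """One three-way CHAP exchange: Challenge, Response, Success/Failure."""
    identifier, challenge = auth.challenge()
    name, response = peer.respond(identifier, challenge)
    return auth.verify(identifier, name, response)


def offline_guess(identifier: int, challenge: bytes, response: bytes, candidates):
    """What an eavesdropper can do with one captured exchange: the secret never
    crosses the link, but a weak secret can still be guessed offline."""
    for candidate in candidates:
        if chap_response(identifier, candidate, challenge) == response:
            return candidate
    return None


if __name__ == "__main__":
    auth = Authenticator({b"alice": b"correct horse"})
    print("genuine peer:", run_handshake(auth, Peer(b"alice", b"correct horse")))
    print("wrong secret:", run_handshake(auth, Peer(b"alice", b"hunter2")))
```

The identifier is carried inside the hash, so a response to one challenge cannot be presented for another, and the authenticator discards each challenge after a single verification. None of that helps if the secret is a dictionary word: `offline_guess` recovers it from a single sniffed exchange with no further interaction with the server.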

 

NEW QUESTION 146
Guards are appropriate whenever the function required by the security program involves which of the following?

  • A. The need to detect unauthorized access
  • B. The use of physical force
  • C. The operation of access control devices
  • D. The use of discriminating judgment

Answer: D

Explanation:
Section: Access Control
Explanation/Reference:
The use of discriminating judgment is the correct answer. A guard can make determinations that hardware or other automated security devices cannot, because a guard can adjust to rapidly changing conditions, learn and alter recognizable patterns, and respond to a variety of conditions in the environment. Guards are better at making value decisions at the time of an incident. They are appropriate whenever immediate, discriminating judgment is required by the security function.
The following answers are incorrect:
The use of physical force. This is not the best answer. A guard provides discriminating judgment, including the ability to discern whether physical force is needed at all.
The operation of access control devices. A guard is often not involved in the operation of an automated access control device such as a biometric reader, a smart lock or a mantrap.
The need to detect unauthorized access. The primary function of a guard is not to detect unauthorized access but to prevent unauthorized physical access attempts; a guard may also deter social engineering attempts.
The following reference(s) were/was used to create this question:
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 10: Physical security (page 339).
Source: ISC2 Official Guide to the CBK, pages 288-289.

 

NEW QUESTION 147
Which is the last line of defense in a physical security sense?

  • A. exterior barriers
  • B. perimeter barriers
  • C. people
  • D. interior barriers

Answer: C

Explanation:
Section: Access Control
Explanation/Reference:
"Ultimately, people are the last line of defense for your company's assets" (Pastore & Dulaney, 2006, p. 529).
Pastore, M. and Dulaney, E. (2006). CompTIA Security+ study guide: Exam SY0-101. Indianapolis, IN: Sybex.

 

NEW QUESTION 148
At which layer of ISO/OSI does the fiber optics work?

  • A. Transport layer
  • B. Data link layer
  • C. Network layer
  • D. Physical layer

Answer: D

Explanation:
Physical layer. The Physical layer is responsible for the transmission of the data through the physical medium. This includes such things as cables. Fiber optics is a cabling mechanism, so it works at the Physical layer of the OSI model.
All of the other answers are incorrect.
The following reference(s) were/was used to create this question: Shon Harris all in one - Chapter 7 (Cabling)

 

NEW QUESTION 149
Which of the following tools is less likely to be used by a hacker?

  • A. John the Ripper
  • B. OphCrack
  • C. Tripwire
  • D. l0phtcrack

Answer: C

Explanation:
Explanation/Reference:
Tripwire is an integrity checking product, triggering alarms when important files (e.g. system or configuration files) are modified.
This is a tool that is not likely to be used by hackers, other than for studying its workings in order to circumvent it.
Other programs are password-cracking programs and are likely to be used by security administrators as well as by hackers. More info regarding Tripwire available on the Tripwire, Inc. Web Site.
NOTE:
The biggest competitor to the commercial version of Tripwire is the freeware version of Tripwire. You can get the Open Source version of Tripwire at the following URL: http://sourceforge.net/projects/tripwire/
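A minimal integrity checker of the kind the explanation above attributes to Tripwire, as an added example that is not Tripwire's code or any code from the original page. It records a baseline of each file's SHA-256 digest, size and permission bits, then compares the live tree against that baseline and reports added, removed and modified files. The directory tree, file contents and the "intrusion" in `demo()` are constructed for the example.

```python
import hashlib
import json
import stat
import tempfile
from pathlib import Path

# Added example of what a file integrity checker such as Tripwire does:
# baseline each file's hash, size and mode, then report what changed.
# The tree built in demo() is constructed for this example.


def file_record(path: Path) -> dict:
    st = path.lstat()
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {
        "sha256": digest.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),   # catches chmod, e.g. a new setuid bit
    }


def build_baseline(root) -> dict:
    """Map each regular file under root (relative POSIX path) to its record."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root).as_posix()] = file_record(path)
    return baseline


def save_baseline(baseline: dict, path) -> None:
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path) -> dict:
    return json.loads(Path(path).read_text())


def check_integrity(root, baseline: dict) -> dict:
    """Compare the live tree against the baseline and report differences."""
    current = build_baseline(root)
    modified = {}
    for name in current.keys() & baseline.keys():
        changed = {field: (baseline[name][field], current[name][field])
                   for field in baseline[name]
                   if baseline[name][field] != current[name][field]}
        if changed:
            modified[name] = changed
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": modified,
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, tamper with the tree, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed binary")
        baseline = build_baseline(root)
        # Simulated intrusion: config weakened, binary removed, new file dropped
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "bin" / "ls").unlink()
        (root / "bin" / "rootkit").write_bytes(b"constructed payload")
        return check_integrity(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The detection is only as trustworthy as the baseline: an attacker with root on the host can simply rewrite the baseline (or the checker) after planting a file, which is why the baseline and the checker belong on read-only or off-host storage and why Tripwire signs its database. Hashing with SHA-256 rather than MD5 matters for the same reason; an attacker who can craft collisions could replace a file without the digest changing.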

 

NEW QUESTION 150
What can be defined as: It confirms that users' needs have been met by the supplied solution ?

  • A. Assurance
  • B. Acceptance
  • C. Accreditation
  • D. Certification

Answer: B

Explanation:
Acceptance confirms that users' needs have been met by the supplied solution. Verification and Validation informs Acceptance by establishing the evidence - set against acceptance criteria - to determine if the solution meets the users' needs. Acceptance should also explicitly address any integration or interoperability requirements involving other equipment or systems. To enable acceptance every user and system requirement must have a 'testable' characteristic.
Accreditation is the formal acceptance of security, adequacy, authorization for operation and acceptance of existing risk. Accreditation is the formal declaration by a Designated Approving Authority (DAA) that an IS is approved to operate in a particular security mode using a prescribed set of safeguards to an acceptable level of risk.
Certification is the formal testing of security safeguards, and assurance is the degree of confidence that the implemented security measures work as intended. Certification is a comprehensive evaluation of the technical and nontechnical security features of an IS and other safeguards, made in support of the accreditation process, to establish the extent to which a particular design and implementation meets a set of specified security requirements.
Assurance is the descriptions of the measures taken during development and evaluation of the product to assure compliance with the claimed security functionality. For example, an evaluation may require that all source code is kept in a change management system, or that full functional testing is performed. The Common Criteria provides a catalogue of these, and the requirements may vary from one evaluation to the next. The requirements for particular targets or types of products are documented in the Security Targets (ST) and Protection Profiles (PP), respectively.
Source: ROTHKE, Ben, CISSP CBK Review presentation on domain 4, August 1999.
and Official ISC2 Guide to the CISSP CBK, Second Edition, on page 211. and http://www.aof.mod.uk/aofcontent/tactical/randa/content/randaintroduction.htm

 

NEW QUESTION 151
What can be defined as an instance of two different keys generating the same ciphertext from the same plaintext?

  • A. Key clustering
  • B. Key collision
  • C. Ciphertext collision
  • D. Hashing

Answer: A

Explanation:
Section: Cryptography
Explanation/Reference:
Key clustering happens when a plaintext message generates identical ciphertext messages using the same transformation algorithm, but with different keys.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 4: Cryptography (page 130).
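Key clustering made concrete, as an added example that is not from the original page or any real cipher library. The toy 16-bit Feistel cipher below is constructed so that only 12 of its 16 key bits affect encryption, the same situation the DES explanation in question 127 describes (64-bit key, 56 effective bits, the rest parity): every key has 15 siblings that differ only in the ignored bits and therefore produce identical ciphertext from the same plaintext. Enumerating all keys for one plaintext and grouping them by ciphertext exposes the clusters and the effective key space an attacker actually has to search. The cipher, mask and plaintext value are all assumptions of the example.

```python
from collections import defaultdict

# Toy 16-bit Feistel cipher, constructed for this example. The key is 16 bits
# wide but only the low 12 bits reach the round keys: the top 4 bits play the
# role of DES's parity bits, which the cipher itself ignores.
KEY_BITS = 16
EFFECTIVE_KEY_MASK = 0x0FFF
ROUNDS = 4


def _round_keys(key: int) -> list:
    k = key & EFFECTIVE_KEY_MASK
    # Four 8-bit round keys derived from the 12 effective key bits
    return [((k >> (3 * i)) ^ (k & 0xFF)) & 0xFF for i in range(ROUNDS)]


def _f(x: int, rk: int) -> int:
    # Round function: key addition, rotation and a small nonlinear step
    y = (x + rk) & 0xFF
    y = ((y << 3) | (y >> 5)) & 0xFF
    return (y * y + y) & 0xFF


def encrypt(block: int, key: int) -> int:
    left, right = block >> 8, block & 0xFF
    for rk in _round_keys(key):
        left, right = right, left ^ _f(right, rk)
    return (left << 8) | right


def decrypt(block: int, key: int) -> int:
    left, right = block >> 8, block & 0xFF
    for rk in reversed(_round_keys(key)):
        left, right = right ^ _f(left, rk), left
    return (left << 8) | right


def find_key_clusters(plaintext: int) -> dict:
    """Encrypt one plaintext under every key and group keys by the ciphertext
    they produce. Any group holding more than one key is a key cluster."""
    by_ciphertext = defaultdict(list)
    for key in range(1 << KEY_BITS):
        by_ciphertext[encrypt(plaintext, key)].append(key)
    return {ct: keys for ct, keys in by_ciphertext.items() if len(keys) > 1}


def effective_key_space(plaintext: int) -> int:
    """Number of distinct ciphertexts one plaintext can map to, i.e. how many
    keys an attacker really has to try for that plaintext."""
    return len({encrypt(plaintext, key) for key in range(1 << KEY_BITS)})


if __name__ == "__main__":
    pt = 0x1234
    clusters = find_key_clusters(pt)
    print(f"{1 << KEY_BITS} nominal keys, {effective_key_space(pt)} distinct ciphertexts")
    ct, keys = next(iter(clusters.items()))
    print(f"ciphertext {ct:04x} comes from keys {[hex(k) for k in keys[:4]]} ...")
```

Two keys that differ only in the ignored bits, such as 0x0ABC and 0xFABC, are distinct key strings but encrypt every plaintext identically, so the nominal 65536-key space collapses to at most 4096 distinct ciphertexts per plaintext. Any further clusters the search finds come from different effective keys that happen to collide on this plaintext, which is the more general sense of the definition given above.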

 

NEW QUESTION 152
......

Real Exam Questions & Answers - ISC SSCP Dump is Ready: https://drive.google.com/open?id=16ic5Ksy8MUDc4U5Hvye03GBLrn8K8LAB

Get Latest [Oct-2021] Conduct effective penetration tests using  Lead2Passed SSCP: https://www.lead2passed.com/ISC/SSCP-practice-exam-dumps.html