Browsed by
Tag: SSCP exam question

[Latest Version] Easily Pass SSCP Exam With Geekcert Updated ISC SSCP Preparation Materials

[Latest Version] Easily Pass SSCP Exam With Geekcert Updated ISC SSCP Preparation Materials

No debt that the ISC ISC Certification Latest SSCP vce dumps dumps are very popular and Geekcert provides variety of ISC ISC Certification Newest SSCP pdf exam dumps in PDF and VCE format. Geekcert will continue to release latest ISC Certification Jan 15,2022 Latest SSCP pdf dumps System Security Certified Practitioner (SSCP) study materials to meet the rapidly increasing demand of the IT industry.

Geekcert| SSCP exam dumps with pdf and vce, 100% pass guaranteed! free SSCP exam sample questions, SSCP exam practice online, SSCP exam practice on mobile phone, SSCP pdf, SSCP books, SSCP pdf file download! latest SSCP exam dumps. get your certification easily- Geekcert. Geekcert certification SSCP practice exams.

We Geekcert has our own expert team. They selected and published the latest SSCP preparation materials from ISC Official Exam-Center: https://www.geekcert.com/SSCP.html

The following are the SSCP free dumps. Go through and check the validity and accuracy of our SSCP dumps.The following questions and answers are from the latest SSCP free dumps. It will help you understand the validity of the latest SSCP dumps.

Question 1:

A department manager has read access to the salaries of the employees in his/her department but not to the salaries of employees in other departments. A database security mechanism that enforces this policy would typically be said to provide which of the following?

A. Content-dependent access control

B. Context-dependent access control

C. Least privileges access control

D. Ownership-based access control

Correct Answer: A

When access control is based on the content of an object, it is considered to be content dependent access control.

Content-dependent access control is based on the content itself.

The following answers are incorrect:

context-dependent access control. Is incorrect because this type of control is based on what the context is, facts about the data rather than what the object contains. least privileges access control. Is incorrect because this is based on the

least amount of rights needed to perform their jobs and not based on what is contained in the database. ownership-based access control. Is incorrect because this is based on the owner of the data and and not based on what is contained in

the database.

References:

OIG CBK Access Control (page 191)


Question 2:

Which of the following attacks could capture network user passwords?

A. Data diddling

B. Sniffing

C. IP Spoofing

D. Smurfing

Correct Answer: B

A network sniffer captures a copy every packet that traverses the network segment the sniffer is connect to.

Sniffers are typically devices that can collect information from a communication medium, such as a network. These devices can range from specialized equipment to basic workstations with customized software.

A sniffer can collect information about most, if not all, attributes of the communication. The most common method of sniffing is to plug a sniffer into an existing network device like a hub or switch. A hub (which is designed to relay all traffic

passing through it to all of its ports) will automatically begin sending all the traffic on that network segment to the sniffing device. On the other hand, a switch (which is designed to limit what traffic gets sent to which port) will have to be

specially configured to send all traffic to the port where the sniffer is plugged in.

Another method for sniffing is to use a network tap–a device that literally splits a network transmission into two identical streams; one going to the original network destination and the other going to the sniffing device. Each of these methods

has its advantages and disadvantages, including cost, feasibility, and the desire to maintain the secrecy of the sniffing activity.

The packets captured by sniffer are decoded and then displayed by the sniffer. Therfore, if the username/ password are contained in a packet or packets traversing the segment the sniffer is connected to, it will capture and display that

information (and any other information on that segment it can see).

Of course, if the information is encrypted via a VPN, SSL, TLS, or similar technology, the information is still captured and displayed, but it is in an unreadable format.

The following answers are incorrect:

Data diddling involves changing data before, as it is enterred into a computer, or after it is extracted.

Spoofing is forging an address and inserting it into a packet to disguise the origin of the communication – or causing a system to respond to the wrong address. Smurfing would refer to the smurf attack, where an attacker sends spoofed

packets to the broadcast address on a gateway in order to cause a denial of service.

The following reference(s) were/was used to create this question:

CISA Review manual 2014 Page number 321

Official ISC2 Guide to the CISSP 3rd edition Page Number 153


Question 3:

The number of violations that will be accepted or forgiven before a violation record is produced is called which of the following?

A. clipping level

B. acceptance level

C. forgiveness level

D. logging level

Correct Answer: A

The correct answer is “clipping level”. This is the point at which a system decides to take some sort of action when an action repeats a preset number of times. That action may be to log the activity, lock a user account, temporarily close a port, etc.

Example: The most classic example of a clipping level is failed login attempts. If you have a system configured to lock a user\’s account after three failed login attemts, that is the “clipping level”.

The other answers are not correct because:

Acceptance level, forgiveness level, and logging level are nonsensical terms that do not exist (to my knowledge) within network security.

Reference:

Official ISC2 Guide – The term “clipping level” is not in the glossary or index of that book. I cannot find it in the text either. However, I\’m quite certain that it would be considered part of the CBK, despite its exclusion from the Official Guide.

All in One Third Edition page: 136 – 137


Question 4:

Guards are appropriate whenever the function required by the security program involves which of the following?

A. The use of discriminating judgment

B. The use of physical force

C. The operation of access control devices

D. The need to detect unauthorized access

Correct Answer: A

The Answer: The use of discriminating judgment, a guard can make the determinations that hardware or other automated security devices cannot make due to its ability to adjust to rapidly changing conditions, to learn and alter recognizable

patterns, and to respond to various conditions in the environment. Guards are better at making value decisions at times of incidents. They are appropriate whenever immediate, discriminating judgment is required by the security entity.

The following answers are incorrect:

The use of physical force This is not the best answer. A guard provides discriminating judgment, and the ability to discern the need for physical force. The operation of access control devices A guard is often uninvolved in the operations of an

automated access control device such as a biometric reader, a smart lock, mantrap, etc. The need to detect unauthorized access The primary function of a guard is not to detect unauthorized access, but to prevent unauthorized physical

access attempts and may deter social engineering attempts.

The following reference(s) were/was used to create this question:

Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 10: Physical security (page 339).

Source: ISC2 Offical Guide to the CBK page 288-289.


Question 5:

In which of the following security models is the subject\’s clearance compared to the object\’s classification such that specific rules can be applied to control how the subject-to-object interactions take place?

A. Bell-LaPadula model

B. Biba model

C. Access Matrix model

D. Take-Grant model

Correct Answer: A

The Bell-LAPadula model is also called a multilevel security system because users with different clearances use the system and the system processes data with different classifications. Developed by the US Military in the 1970s.

A security model maps the abstract goals of the policy to information system terms by specifying explicit data structures and techniques necessary to enforce the security policy. A security model is usually represented in mathematics and analytical ideas, which are mapped to system specifications and then developed by programmers through programming code. So we have a policy that encompasses security goals, such as “each subject must be authenticated and authorized before accessing an object.” The security model takes this requirement and provides the necessary mathematical formulas, relationships, and logic structure to be followed to accomplish this goal.

A system that employs the Bell-LaPadula model is called a multilevel security system because users with different clearances use the system, and the system processes data at different classification levels. The level at which information is classified determines the handling procedures that should be used. The Bell- LaPadula model is a state machine model that enforces the confidentiality aspects of access control. A matrix and security levels are used to determine if subjects can access different objects. The subject\’s clearance is compared to the object\’s classification and then specific rules are applied to control how subject-to-object subject-to- object interactions can take place.

Reference(s) used for this question:

Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (p. 369). McGraw-Hill. Kindle Edition.


Question 6:

Which of the following classes is the first level (lower) defined in the TCSEC (Orange Book) as mandatory protection?

A. B

B. A

C. C

D. D

Correct Answer: A

B level is the first Mandatory Access Control Level. First published in 1983 and updated in 1985, the TCSEC, frequently referred to as the Orange Book, was a United States Government Department of Defense (DoD) standard that sets basic standards for the implementation of security protections in computing systems. Primarily intended to help the DoD find products that met those basic standards, TCSEC was used to evaluate, classify, and select computer systems being considered for the processing, storage, and retrieval of sensitive or classified information on military and government systems. As such, it was strongly focused on enforcing confidentiality with no focus on other aspects of security such as integrity or availability. Although it has since been superseded by the common criteria, it influenced the development of other product evaluation criteria, and some of its basic approach and terminology continues to be used.

Reference used for this question:

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 17920-17926). Auerbach Publications. Kindle Edition.

and

THE source for all TCSEC “level” questions:

http://csrc.nist.gov/publications/secpubs/rainbow/std001.txt (paragraph 3 for this one)


Question 7:

Which of the following division is defined in the TCSEC (Orange Book) as minimal protection?

A. Division D

B. Division C

C. Division B

D. Division A

Correct Answer: A

The criteria are divided into four divisions: D, C, B, and A ordered in a hierarchical manner with the highest division (A) being reserved for systems providing the most comprehensive security.

Each division represents a major improvement in the overall confidence one can place in the system for the protection of sensitive information.

Within divisions C and B there are a number of subdivisions known as classes. The classes are also ordered in a hierarchical manner with systems representative of division C and lower classes of division B being characterized by the set of

computer security mechanisms that they possess. Assurance of correct and complete design and implementation for these systems is gained mostly through testing of the security- relevant portions of the system. The security-relevant

portions of a system are referred to throughout this document as the Trusted Computing Base (TCB).

Systems representative of higher classes in division B and division A derive their security attributes more from their design and implementation structure. Increased assurance that the required features are operative, correct, and tamperproof

under all circumstances is gained through progressively more rigorous analysis during the design process.

TCSEC provides a classification system that is divided into hierarchical divisions of assurance levels: Division D – minimal security Division C – discretionary protection Division B – mandatory protection Division A – verified protection Reference: page 358 AIO V.5 Shon Harris also Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, page 197. Also: THE source for all TCSEC “level” questions:

http://csrc.nist.gov/publications/secpubs/rainbow/std001.txt


Question 8:

Which of the following is not a physical control for physical security?

A. lighting

B. fences

C. training

D. facility construction materials

Correct Answer: C

Some physical controls include fences, lights, locks, and facility construction materials. Some administrative controls include facility selection and construction, facility management, personnel controls, training, and emergency response and procedures.

From: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 3rd. Ed., Chapter 6, page 403.


Question 9:

Crime Prevention Through Environmental Design (CPTED) is a discipline that: A. Outlines how the proper design of a physical environment can reduce crime by directly affecting human behavior.

B. Outlines how the proper design of the logical environment can reduce crime by directly affecting human behavior.

C. Outlines how the proper design of the detective control environment can reduce crime by directly affecting human behavior.

D. Outlines how the proper design of the administrative control environment can reduce crime by directly affecting human behavior.

Correct Answer: A

Crime Prevention Through Environmental Design (CPTED) is a discipline that outlines how the proper design of a physical environment can reduce crime by directly affecting human behavior. It provides guidance about lost and crime

prevention through proper facility contruction and environmental components and procedures.

CPTED concepts were developed in the 1960s. They have been expanded upon and have matured as our environments and crime types have evolved. CPTED has been used not just to develop corporate physical security programs, but also

for large-scale activities such as development of neighborhoods, towns, and cities. It addresses landscaping, entrances, facility and neighborhood layouts, lighting, road placement, and traffic circulation patterns. It looks at microenvironments,

such as offices and rest-rooms, and macroenvironments, like campuses and cities.

Reference(s) used for this question:

Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 435). McGraw-Hill.

Kindle Edition.

and

CPTED Guide Book


Question 10:

The following is NOT a security characteristic we need to consider while choosing a biometric identification systems:

A. data acquisition process

B. cost

C. enrollment process

D. speed and user interface

Correct Answer: B

Cost is a factor when considering Biometrics but it is not a security characteristic.

All the other answers are incorrect because they are security characteristics related to Biometrics.

data acquisition process can cause a security concern because if the process is not fast and efficient it can discourage individuals from using the process.

enrollment process can cause a security concern because the enrollment process has to be quick and efficient. This process captures data for authentication.

speed and user interface can cause a security concern because this also impacts the users acceptance rate of biometrics. If they are not comfortable with the interface and speed they might sabotage the devices or otherwise attempt to

circumvent them.

References:

OIG Access Control (Biometrics) (pgs 165-167)

From: TIPTON, Harold F. and KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 1, Pages 5-6.

in process of correction


Question 11:

The controls that usually require a human to evaluate the input from sensors or cameras to determine if a real threat exists are associated with:

A. Preventive/physical

B. Detective/technical

C. Detective/physical

D. Detective/administrative

Correct Answer: C

Detective/physical controls usually require a human to evaluate the input from sensors or cameras to determine if a real threat exists.

Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 36.


Question 12:

A central authority determines what subjects can have access to certain objects based on the organizational security policy is called:

A. Mandatory Access Control

B. Discretionary Access Control

C. Non-Discretionary Access Control

D. Rule-based Access control

Correct Answer: C

A central authority determines what subjects can have access to certain objects based on the organizational security policy.

The key focal point of this question is the \’central authority\’ that determines access rights. Cecilia one of the quiz user has sent me feedback informing me that NIST defines MAC as:

“MAC Policy means that Access Control Policy Decisions are made by a CENTRAL AUTHORITY. Which seems to indicate there could be two good answers to this question.

However if you read the NISTR document mentioned in the references below, it is also mentioned that:

MAC is the most mentioned NDAC policy. So MAC is a form of NDAC policy.

Within the same document it is also mentioned: “In general, all access control policies other than DAC are grouped in the category of non- discretionary access control (NDAC). As the name implies, policies in this category have rules that are

not established at the discretion of the user. Non-discretionary policies establish controls that cannot be changed by users, but only through administrative action.”

Under NDAC you have two choices:

Rule Based Access control and Role Base Access Control MAC is implemented using RULES which makes it fall under RBAC which is a form of NDAC.

It is a subset of NDAC.

This question is representative of what you can expect on the real exam where you have more than once choice that seems to be right. However, you have to look closely if one of the choices would be higher level or if one of the choice falls

under one of the other choice. In this case NDAC is a better choice because MAC is falling under NDAC through the use of Rule Based Access Control.

The following are incorrect answers:

MANDATORY ACCESS CONTROL

In Mandatory Access Control the labels of the object and the clearance of the subject determines access rights, not a central authority. Although a central authority (Better known as the Data Owner) assigns the label to the object, the system does the determination of access rights automatically by comparing the Object label with the Subject clearance. The subject clearance MUST dominate (be equal or higher) than the object being accessed.

The need for a MAC mechanism arises when the security policy of a system dictates that:

1.

Protection decisions must not be decided by the object owner.

2.

The system must enforce the protection decisions (i.e., the system enforces the security policy over the wishes or intentions of the object owner).

Usually a labeling mechanism and a set of interfaces are used to determine access based on the MAC policy; for example, a user who is running a process at the Secret classification should not be allowed to read a file with a label of Top Secret. This is known as the “simple security rule,” or “no read up.”

Conversely, a user who is running a process with a label of Secret should not be allowed to write to a file with a label of Confidential. This rule is called the “*-property” (pronounced “star property”) or “no write down.” The *-property is required to maintain system security in an automated environment.

DISCRETIONARY ACCESS CONTROL

In Discretionary Access Control the rights are determined by many different entities, each of the persons who have created files and they are the owner of that file, not one central authority.

DAC leaves a certain amount of access control to the discretion of the object\’s owner or anyone else who is authorized to control the object\’s access. For example, it is generally used to limit a user\’s access to a file; it is the owner of the file who controls other users\’ accesses to the file. Only those users specified by the owner may have some combination of read, write, execute, and other permissions to the file.

DAC policy tends to be very flexible and is widely used in the commercial and government sectors. However, DAC is known to be inherently weak for two reasons:

First, granting read access is transitive; for example, when Ann grants Bob read access to a file, nothing stops Bob from copying the contents of Ann\’s file to an object that Bob controls. Bob may now grant any other user access to the copy of Ann\’s file without Ann\’s knowledge.

Second, DAC policy is vulnerable to Trojan horse attacks. Because programs inherit the identity of the invoking user, Bob may, for example, write a program for Ann that, on the surface, performs some useful function, while at the same time destroys the contents of Ann\’s files. When investigating the problem, the audit files would indicate that Ann destroyed her own files. Thus, formally, the drawbacks of DAC are as follows:

Discretionary Access Control (DAC) Information can be copied from one object to another; therefore, there is no real assurance on the flow of information in a system.

No restrictions apply to the usage of information when the user has received it.

The privileges for accessing objects are decided by the owner of the object, rather than through a system- wide policy that reflects the organization\’s security requirements. ACLs and owner/group/other access control mechanisms are by far the most common mechanism for implementing DAC policies. Other mechanisms, even though not designed with DAC in mind, may have the capabilities to implement a DAC policy.

RULE BASED ACCESS CONTROL

In Rule-based Access Control a central authority could in fact determine what subjects can have access when assigning the rules for access. However, the rules actually determine the access and so this is not the most correct answer.

RuBAC (as opposed to RBAC, role-based access control) allow users to access systems and information based on pre determined and configured rules. It is important to note that there is no commonly understood definition or formally defined standard for rule-based access control as there is for DAC, MAC, and RBAC. “Rule-based access” is a generic term applied to systems that allow some form of organization-defined rules, and therefore rule-based access control encompasses a broad range of systems. RuBAC may in fact be combined with other models, particularly RBAC or DAC. A RuBAC system intercepts every access request and compares the rules with the rights of the user to make an access decision. Most of the rule-based access control relies on a security label system, which dynamically composes a set of rules defined by a security policy. Security labels are attached to all objects, including files, directories, and devices. Sometime roles to subjects (based on their attributes) are assigned as well. RuBAC meets the business needs as well as the technical needs of controlling service access. It allows business rules to be applied to access control–for example, customers who have overdue balances may be denied service access. As a mechanism for MAC, rules of RuBAC cannot be changed by users. The rules can be established by any attributes of a system related to the users such as domain, host, protocol, network, or IP addresses. For example, suppose that a user wants to access an object in another network on the other side of a router. The router employs RuBAC with the rule composed by the network addresses, domain, and protocol to decide whether or not the user can be granted access. If employees change their roles within the organization, their existing authentication credentials remain in effect and do not need to be re configured. Using rules in conjunction with roles adds greater flexibility because rules can be applied to people as well as to devices. Rule-based access control can be combined with role- based access control, such that the role of a user is one of the attributes in rule setting. Some provisions of access control systems have rule- based policy engines in addition to a role-based policy engine and certain implemented dynamic policies [Des03]. For example, suppose that two of the primary types of software users are product engineers and quality engineers. Both groups usually have access to the same data, but they have different roles to perform in relation to the data and the application\’s function. In addition, individuals within each group have different job responsibilities that may be identified using several types of attributes such as developing programs and testing areas. Thus, the access decisions can be made in real time by a scripted policy that regulates the access between the groups of product engineers and quality engineers, and each individual within these groups. Rules can either replace or complement role-based access control. However, the creation of rules and security policies is also a complex process, so each organization will need to strike the appropriate balance.

References used for this question:

http://csrc.nist.gov/publications/nistir/7316/NISTIR-7316.pdf

and

AIO v3 p162-167 and OIG (2007) p.186-191 also

KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 33.


Question 13:

What is called the verification that the user\’s claimed identity is valid and is usually implemented through a user password at log-on time?

A. Authentication

B. Identification

C. Integrity

D. Confidentiality

Correct Answer: A

Authentication is verification that the user\’s claimed identity is valid and is usually implemented through a user password at log-on time.

Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 36.


Question 14:

Which one of the following factors is NOT one on which Authentication is based?

A. Type 1. Something you know, such as a PIN or password

B. Type 2. Something you have, such as an ATM card or smart card

C. Type 3. Something you are (based upon one or more intrinsic physical or behavioral traits), such as a fingerprint or retina scan

D. Type 4. Something you are, such as a system administrator or security administrator

Correct Answer: D

Authentication is based on the following three factor types:

Type 1. Something you know, such as a PIN or password

Type 2. Something you have, such as an ATM card or smart card

Type 3. Something you are (Unique physical characteristic), such as a fingerprint or retina scan

Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 36.

Also: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 4:

Access Control (pages 132-133).


Question 15:

What is called a sequence of characters that is usually longer than the allotted number for a password?

A. passphrase

B. cognitive phrase

C. anticipated phrase

D. Real phrase

Correct Answer: A

A passphrase is a sequence of characters that is usually longer than the allotted number for a password.

Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, page 37.