SSCP EXAM QUESTIONS AND ANSWERS
The false rejection rate (FRR) - Correct Answers -A measurement of valid users that will
be falsely rejected by the system. This is called a Type I error.
The false acceptance rate (FAR) - Correct Answers -A measurement of the percentage
of invalid users that will be falsely accepted by the system. This is called a Type II error.
Type II errors are more dangerous than Type I errors.
Greg is the network administrator for a large stadium that hosts many events throughout
the course of the year. They equip ushers with handheld scanners to verify tickets.
Ushers turn over frequently and are often hired at the last minute. Scanners are handed
out to ushers before each event, but different ushers may use different scanners.
Scanners are secured in a locked safe when not in use. What network access control
approach would be most effective for this scenario?
1 Multifactor authentication
2 Device authentication
3 Password authentication
4 No authentication - Correct Answers -Device Authentication:
Device authentication allows the venue to restrict network access to authorized
scanners but does not require individual ushers to sign in to the device. This seems an
acceptable level of security for this environment, as the scanners are carefully
controlled. Moving to any authentication scheme
Norma is helping her organization create a specialized network designed for vendors
that need to connect to Norma's organization's network to process invoices and upload
inventory. This network should be segmented from the rest of the corporate network but
have a much higher degree of access than the general public. What type of network is
Norma building?
1 Internet
2 Intranet
3 Outranet
4 Extranet - Correct Answers -Extranet:
The purpose of an extranet is to allow outside organizations that are business partners
to access limited resources on the corporate network. That describes the situation in
this scenario, so Norma is building an extranet.
Which one of the following is an example of a nondiscretionary access control system?
1 File ACLs
2 MAC
3 DAC
,4 Visitor lis - Correct Answers -MAC:
A mandatory access control (MAC) scheme is an example of a nondiscretionary
approach to access control, as the owner of objects does not have the ability to set
permissions on those objects. It is possible for a visitor list or file ACLs to be configured
using a nondiscretionary scheme, but these approaches can also be configured as
discretionary access control (DAC) implementations.
Wanda is configuring device-based authentication for systems on her network. Which
one of the following approaches offers the strongest way to authenticate devices?
IP address
MAC address
Digital certificate
Password - Correct Answers -C. Digital certificates:
are the strongest device-based access control mechanism listed in this scenario.
Administrators may create certificates for each device and tie them to the physical
device. Passwords are easily transferred to other devices and are not as strong an
approach. IP addresses are easily changed and should not be used. MAC addresses
theoretically identify devices uniquely, but it is possible to alter a MAC address, so they
should not be relied upon for authentication
Kaiden is creating an extranet for his organization and is concerned about unauthorized
eavesdropping on network communications. Which one of the following technologies
can he use to mitigate this risk?
VPN
Firewall
Content filter
Proxy server - Correct Answers -vpn:
Kaiden should use a virtual private network (VPN) for all remote connections to the
extranet. The VPN will encrypt traffic sent over public networks and protect it from
eavesdropping.
Which one of the following tools is most often used for identification purposes and is not
suitable for use as an authenticator?
Password
Retinal scan
Username
Token - Correct Answers -Usernames:
are an identification tool. They are not secret, so they are not suitable for use as a
password.
,Gary is preparing to create an account for a new user and assign privileges to the HR
database. What two elements of information must Gary verify before granting this
access?
Credentials and need to know
Clearance and need to know
Password and clearance
Password and biometric scan
Ben's organization is adopting biometric authentication for its high-security building's
access control system. Use the following chart to answer questions 9-11 about the
organization's adoption of the technology. - Correct Answers -Clearance & N2K:
Before granting access, Gary should verify that the user has a valid security clearance
and a business need to know the information. Gary is performing an authorization task,
so he does not need to verify the user's credentials, such as a password or biometric
scan.
the point where false acceptance rate and false rejection rate cross over and is a
standard assessment used to compare the accuracy of biometric devices. - Correct
Answers -CER: crossover error rate
When a subject claims an identity, what process is occurring?
Login
Identification
Authorization
Token presentation - Correct Answers -Identification:
The process of a subject claiming or professing an identity is known as identification.
Authorization verifies the identity of a subject by checking a factor such as a password.
Logins typically include both identification and authorization, and token presentation is a
type of authentication.
Files, databases, computers, programs, processes, devices, and media are all
examples of what?
Subjects
Objects
File stores
Users - Correct Answers -Objects:
All of these are objects. Although some of these items can be subjects, files, databases,
and storage media can't be. Processes and programs aren't file stores, and of course
none of these is a user.
MAC models use three types of environments. Which of the following is not a
mandatory access control design?
Hierarchical
Bracketed
, Compartmentalized
Hybrid - Correct Answers -Hierarchical, Compartmentalized, Hybrid
Mandatory access control systems can be hierarchical, where each domain is ordered
and related to other domains above and below it; compartmentalized, where there is no
relationship between each domain; or hybrid, where both hierarchy and compartments
are used. There is no concept of bracketing in mandatory access control design.
Ryan would like to implement an access control technology that is likely to both improve
security and increase user satisfaction. Which one of the following technologies meets
this requirement?
Mandatory access controls
Single sign-on
Multifactor authentication
Automated deprovisioning - Correct Answers -SSO:
All of the controls listed here, if properly implemented, have the potential to improve the
organization's security posture. However, only single sign-on is likely to improve the
user experience by eliminating barriers to authentication across multiple systems.
Mandatory access control and multifactor authentication will likely be seen as
inconveniences by users, while automated deprovisioning will improve the experience of
identity and access management administrators but not affect the end user experience.
The leadership at Susan's company has asked her to implement an access control
system that can support rule declarations like "Only allow access to salespeople from
managed devices on the wireless network between 8 a.m. and 6 p.m." What type of
access control system would be Susan's best choice?
ABAC
Rule-based access control (RBAC)
DAC
MAC - Correct Answers -ABAC:
An attribute-based access control (ABAC) system will allow Susan to specify details
about subjects, objects, and access, allowing granular control. Although a rule-based
access control system (RBAC) might allow this, the attribute-based access control
system can be more specific and thus is more flexible. Discretionary access control
(DAC) would allow object owners to make decisions, and mandatory access controls
(MACs) would use classifications; neither of these capabilities was described in the
requirements.
What is the primary advantage of decentralized access control?
It provides better redundancy.
It provides control of access to people closer to the resources.
It is less expensive. - Correct Answers -It provides control of access to people closer to
the resources:
The false rejection rate (FRR) - Correct Answers -A measurement of valid users that will
be falsely rejected by the system. This is called a Type I error.
The false acceptance rate (FAR) - Correct Answers -A measurement of the percentage
of invalid users that will be falsely accepted by the system. This is called a Type II error.
Type II errors are more dangerous than Type I errors.
Greg is the network administrator for a large stadium that hosts many events throughout
the course of the year. They equip ushers with handheld scanners to verify tickets.
Ushers turn over frequently and are often hired at the last minute. Scanners are handed
out to ushers before each event, but different ushers may use different scanners.
Scanners are secured in a locked safe when not in use. What network access control
approach would be most effective for this scenario?
1 Multifactor authentication
2 Device authentication
3 Password authentication
4 No authentication - Correct Answers -Device Authentication:
Device authentication allows the venue to restrict network access to authorized
scanners but does not require individual ushers to sign in to the device. This seems an
acceptable level of security for this environment, as the scanners are carefully
controlled. Moving to any authentication scheme
Norma is helping her organization create a specialized network designed for vendors
that need to connect to Norma's organization's network to process invoices and upload
inventory. This network should be segmented from the rest of the corporate network but
have a much higher degree of access than the general public. What type of network is
Norma building?
1 Internet
2 Intranet
3 Outranet
4 Extranet - Correct Answers -Extranet:
The purpose of an extranet is to allow outside organizations that are business partners
to access limited resources on the corporate network. That describes the situation in
this scenario, so Norma is building an extranet.
Which one of the following is an example of a nondiscretionary access control system?
1 File ACLs
2 MAC
3 DAC
,4 Visitor lis - Correct Answers -MAC:
A mandatory access control (MAC) scheme is an example of a nondiscretionary
approach to access control, as the owner of objects does not have the ability to set
permissions on those objects. It is possible for a visitor list or file ACLs to be configured
using a nondiscretionary scheme, but these approaches can also be configured as
discretionary access control (DAC) implementations.
Wanda is configuring device-based authentication for systems on her network. Which
one of the following approaches offers the strongest way to authenticate devices?
IP address
MAC address
Digital certificate
Password - Correct Answers -C. Digital certificates:
are the strongest device-based access control mechanism listed in this scenario.
Administrators may create certificates for each device and tie them to the physical
device. Passwords are easily transferred to other devices and are not as strong an
approach. IP addresses are easily changed and should not be used. MAC addresses
theoretically identify devices uniquely, but it is possible to alter a MAC address, so they
should not be relied upon for authentication
Kaiden is creating an extranet for his organization and is concerned about unauthorized
eavesdropping on network communications. Which one of the following technologies
can he use to mitigate this risk?
VPN
Firewall
Content filter
Proxy server - Correct Answers -vpn:
Kaiden should use a virtual private network (VPN) for all remote connections to the
extranet. The VPN will encrypt traffic sent over public networks and protect it from
eavesdropping.
Which one of the following tools is most often used for identification purposes and is not
suitable for use as an authenticator?
Password
Retinal scan
Username
Token - Correct Answers -Usernames:
are an identification tool. They are not secret, so they are not suitable for use as a
password.
,Gary is preparing to create an account for a new user and assign privileges to the HR
database. What two elements of information must Gary verify before granting this
access?
Credentials and need to know
Clearance and need to know
Password and clearance
Password and biometric scan
Ben's organization is adopting biometric authentication for its high-security building's
access control system. Use the following chart to answer questions 9-11 about the
organization's adoption of the technology. - Correct Answers -Clearance & N2K:
Before granting access, Gary should verify that the user has a valid security clearance
and a business need to know the information. Gary is performing an authorization task,
so he does not need to verify the user's credentials, such as a password or biometric
scan.
the point where false acceptance rate and false rejection rate cross over and is a
standard assessment used to compare the accuracy of biometric devices. - Correct
Answers -CER: crossover error rate
When a subject claims an identity, what process is occurring?
Login
Identification
Authorization
Token presentation - Correct Answers -Identification:
The process of a subject claiming or professing an identity is known as identification.
Authorization verifies the identity of a subject by checking a factor such as a password.
Logins typically include both identification and authorization, and token presentation is a
type of authentication.
Files, databases, computers, programs, processes, devices, and media are all
examples of what?
Subjects
Objects
File stores
Users - Correct Answers -Objects:
All of these are objects. Although some of these items can be subjects, files, databases,
and storage media can't be. Processes and programs aren't file stores, and of course
none of these is a user.
MAC models use three types of environments. Which of the following is not a
mandatory access control design?
Hierarchical
Bracketed
, Compartmentalized
Hybrid - Correct Answers -Hierarchical, Compartmentalized, Hybrid
Mandatory access control systems can be hierarchical, where each domain is ordered
and related to other domains above and below it; compartmentalized, where there is no
relationship between each domain; or hybrid, where both hierarchy and compartments
are used. There is no concept of bracketing in mandatory access control design.
Ryan would like to implement an access control technology that is likely to both improve
security and increase user satisfaction. Which one of the following technologies meets
this requirement?
Mandatory access controls
Single sign-on
Multifactor authentication
Automated deprovisioning - Correct Answers -SSO:
All of the controls listed here, if properly implemented, have the potential to improve the
organization's security posture. However, only single sign-on is likely to improve the
user experience by eliminating barriers to authentication across multiple systems.
Mandatory access control and multifactor authentication will likely be seen as
inconveniences by users, while automated deprovisioning will improve the experience of
identity and access management administrators but not affect the end user experience.
The leadership at Susan's company has asked her to implement an access control
system that can support rule declarations like "Only allow access to salespeople from
managed devices on the wireless network between 8 a.m. and 6 p.m." What type of
access control system would be Susan's best choice?
ABAC
Rule-based access control (RBAC)
DAC
MAC - Correct Answers -ABAC:
An attribute-based access control (ABAC) system will allow Susan to specify details
about subjects, objects, and access, allowing granular control. Although a rule-based
access control system (RBAC) might allow this, the attribute-based access control
system can be more specific and thus is more flexible. Discretionary access control
(DAC) would allow object owners to make decisions, and mandatory access controls
(MACs) would use classifications; neither of these capabilities was described in the
requirements.
What is the primary advantage of decentralized access control?
It provides better redundancy.
It provides control of access to people closer to the resources.
It is less expensive. - Correct Answers -It provides control of access to people closer to
the resources:
