INFORMATION SYSTEMS SECURITY C845
SSCP - COMPOSITE MASSIVE TEST
Which of the following is not a type of attack used against access controls? - Correct
Answers -Teardrop - Dictionary, brute-force, and man-in-the-middle attacks are all types
of attacks that are frequently aimed at access controls. Teardrop attacks are a type of
denial-of-service attack.
George is assisting a prosecutor with a case against a hacker who attempted to break
into the computer systems at George's company. He provides system logs to the
prosecutor for use as evidence, but the prosecutor insists that George testify in court
about how he gathered the logs. What rule of evidence requires George's testimony? -
Correct Answers -Hearsay rule - The hearsay rule says that a witness cannot testify
about what someone else told them, except under specific exceptions. The courts have
applied the hearsay rule to include the concept that attorneys may not introduce logs
into evidence unless they are authenticated by the system administrator. The best
evidence rule states that copies of documents may not be submitted into evidence if the
originals are available. The parol evidence rule states that if two parties enter into a
written agreement, that written document is assumed to contain all the terms of the
agreement. Testimonial evidence is a type of evidence, not a rule of evidence.
Jim has been asked to individually identify devices that users are bringing to work as
part of a new BYOD policy. The devices will not be joined to a central management
system like Active Directory, but he still needs to uniquely identify the systems. Which of
the following options will provide Jim with the best means of reliably identifying each
unique device? - Correct Answers -Use device fingerprinting via a web-based
registration system - Device fingerprinting via a web portal can require user
authentication and can gather data like operating systems, versions, software
information, and many other factors that can uniquely identify systems. Using an
automated fingerprinting system is preferable to handling manual registration, and
pairing user authentication with data gathering provides more detail than a port scan.
MAC addresses can be spoofed, and systems may have more than one depending on
how many network interfaces they have, which can make unique identification
challenging.
Greg would like to implement application control technology in his organization. He
would like to limit users to installing only approved software on their systems. What type
of application control would be appropriate in this situation? - Correct Answers -
Whitelisting - The whitelisting approach to application control allows users to install only
those software packages specifically approved by administrators. This would be an
appropriate approach in a scenario where application installation needs to be tightly
controlled.
Which pair of the following factors is key for user acceptance of biometric identification
systems? - Correct Answers -The throughput rate and the time required to enroll -
Biometric systems can face major usability challenges if the time to enroll is long (more
than a couple of minutes) and if the speed at which the biometric system is able to scan
and accept or reject the user is too slow. FAR and FRR may be important in the design
decisions made by administrators or designers, but they aren't typically visible to users.
CER (crossover error rate) and EER (equal error rate) are the same thing: the point where
FAR and FRR meet. Reference profile requirements are a system requirement, not a user
requirement.
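The following is an added worked example, not part of the original test material, showing how the crossover error rate is found from a matcher's scores. The genuine and impostor scores are constructed sample values, not output of any real biometric system; a score is accepted when it is at or above the threshold.

```python
# Constructed matcher scores: higher means "more like the enrolled template".
# Genuine = the enrolled user, impostor = someone else presenting to the sensor.
GENUINE_SCORES = [0.92, 0.88, 0.85, 0.81, 0.79, 0.76, 0.72, 0.70, 0.66, 0.61]
IMPOSTOR_SCORES = [0.20, 0.28, 0.33, 0.41, 0.47, 0.55, 0.62, 0.68, 0.74, 0.80]


def far_frr(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """FAR = share of impostors accepted, FRR = share of genuine users rejected,
    for a policy that accepts any score >= threshold."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def crossover(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Sweep every observed score as a candidate threshold and return
    (threshold, CER): the threshold where FAR and FRR are closest, and the
    error rate at that point (the average of the two, which is exact when they meet)."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)
    _, t, far, frr = best
    return t, (far + frr) / 2


if __name__ == "__main__":
    t, cer = crossover()
    print(f"strict threshold 0.85 -> FAR/FRR {far_frr(0.85)}")
    print(f"lenient threshold 0.50 -> FAR/FRR {far_frr(0.50)}")
    print(f"crossover at threshold {t}: CER = {cer}")
```

Raising the threshold drives FAR toward zero at the cost of rejecting legitimate users (more retries, lower throughput); lowering it does the reverse. The CER is a single number for comparing systems, but as the explanation notes, what users actually feel is the enrollment time and how quickly each attempt is accepted or rejected.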
Sally is wiring a gigabit Ethernet network. What cabling choices should she make to
ensure she can use her network at the full 1000 Mbps she wants to provide to her
users? - Correct Answers -Category 5e and Category 6 UTP cable are both rated to
1000 Mbps. Cat 5 (not Cat 5e) is rated only to 100 Mbps, whereas Cat 7 is rated to 10
Gbps. There is no Cat 4e.
If Alex hires a new employee and the employee's account is provisioned after HR
manually inputs information into the provisioning system based on data Alex provides
via a series of forms, what type of provisioning has occurred? - Correct Answers -
Workflow-based account provisioning - Provisioning that occurs through an established
workflow, such as through an HR process, is workflow-based account provisioning. If
Alex had set up accounts for his new hire on the systems he manages, he would have
been using discretionary account provisioning. If the provisioning system allowed the
new hire to sign up for an account on their own, they would have used self-service
account provisioning, and if there was a central, software-driven process, rather than
HR forms, it would have been automated account provisioning.
Alex has access to B, C, and D. What concern should he raise to the university's identity
management team?
B - Application Servers
C - Database Servers
D - Active Directory
E - Directory Server
F - Incident Management System - Correct Answers -Privilege creep may be taking place. - As Alex
has changed roles, he retained access to systems that he no longer administers. The
provisioning system has provided rights to workstations and the application servers he
manages, but he should not have access to the databases he no longer administers.
Privilege levels are not specified, so we can't determine whether he has excessive
rights. Logging may or may not be enabled, but it isn't possible to tell from the problem.
When Alex changes roles, what should occur? - Correct Answers -He should be
provisioned for only the rights that match his role. - When a user's role changes, they
should be provisioned based on their role and other access entitlements.
Deprovisioning and reprovisioning are time-consuming and can lead to problems with
changed IDs and how existing credentials work. Simply adding new rights leads to
privilege creep, and matching another user's rights can lead to excessive privileges
because of privilege creep for that other user.
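The two questions above (Alex's leftover database access, and what should happen when his role changes) describe an access review and role-based reprovisioning. The following is an added example, not part of the original test material: the role names, the role-to-system mapping and Alex's current access are constructed for illustration, using the system names from the question.

```python
# Constructed role definitions: which systems each role is entitled to.
ROLE_ENTITLEMENTS = {
    "database administrator": {"Workstations", "Database Servers"},
    "application administrator": {"Workstations", "Application Servers"},
    "identity administrator": {"Workstations", "Active Directory", "Directory Server"},
    "incident responder": {"Workstations", "Incident Management System"},
}


def entitlements_for(roles):
    """Union of the rights granted by every role the user currently holds."""
    rights = set()
    for role in roles:
        rights |= ROLE_ENTITLEMENTS[role]
    return rights


def reconcile(current_access, roles):
    """Compare what a user holds against what the roles justify.
    Returns (excess, missing): excess rights are privilege creep candidates,
    missing rights mean the user was never fully provisioned for the role."""
    expected = entitlements_for(roles)
    return current_access - expected, expected - current_access


def change_role_reprovision(new_roles):
    """Correct approach: provision exactly the rights the new role(s) justify."""
    return entitlements_for(new_roles)


def change_role_add_only(current_access, new_roles):
    """Anti-pattern from the explanation: keep everything and add the new rights,
    so old rights are never removed (privilege creep)."""
    return current_access | entitlements_for(new_roles)


def change_role_copy_peer(peer_access):
    """Anti-pattern from the explanation: copy another user's rights, inheriting
    whatever creep that user has accumulated."""
    return set(peer_access)


def access_review(users):
    """users: {name: (current_access, roles)}. Returns only the users whose access
    exceeds their roles, with the excess rights, for the identity team to act on."""
    findings = {}
    for name, (access, roles) in users.items():
        excess, _ = reconcile(access, roles)
        if excess:
            findings[name] = excess
    return findings


if __name__ == "__main__":
    # Constructed scenario: Alex moved from database administrator to application
    # administrator but kept his old database rights.
    alex = {"Workstations", "Application Servers", "Database Servers"}
    print("excess/missing:", reconcile(alex, ["application administrator"]))
    print("reprovisioned:", change_role_reprovision(["application administrator"]))
```

The same reconcile() check run periodically over every user is the access review that catches creep after the fact; running change_role_reprovision() at the moment of the role change prevents it in the first place.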
Vivian works for a chain of retail stores and would like to use a software product that
restricts the software used on point-of-sale terminals to those packages on a
preapproved list. What approach should Vivian use? - Correct Answers -Whitelist - The
blacklist approach to application control blocks certain prohibited packages but allows
the installation of other software on systems. The whitelist approach uses the reverse
philosophy and allows only approved software. Antivirus software would only detect the
installation of malicious software after the fact. Heuristic detection is a variant of
antivirus software.
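Greg's and Vivian's questions both turn on the difference between whitelisting (allow only approved packages) and blacklisting (block known-bad packages, allow the rest). The following is an added example, not part of the original test material, contrasting the two decisions on the same inputs; the package names and contents are constructed stand-ins, and the whitelist is keyed by SHA-256 of the contents rather than by filename.

```python
import hashlib

# Constructed sample installers: filename -> bytes standing in for the file contents.
APPROVED = {
    "pos-client-4.2.exe": b"point-of-sale client build 4.2 (constructed sample contents)",
    "receipt-printer-driver.msi": b"receipt printer driver 1.0 (constructed sample contents)",
}
# Whitelist keyed by content hash: renaming or modifying a file changes the verdict.
WHITELIST = {hashlib.sha256(data).hexdigest(): name for name, data in APPROVED.items()}

# Blacklist of prohibited package names (the typical shape of a blacklist rule).
BLACKLIST = {"remote-shell-tool.exe", "keylogger.exe"}


def whitelist_decision(filename: str, contents: bytes) -> str:
    """Allow only packages whose SHA-256 is on the approved list; deny everything else."""
    return "allow" if hashlib.sha256(contents).hexdigest() in WHITELIST else "deny"


def blacklist_decision(filename: str, contents: bytes) -> str:
    """Deny packages on the prohibited list; allow everything else."""
    return "deny" if filename in BLACKLIST else "allow"


def evaluate(filename: str, contents: bytes) -> dict:
    """Both verdicts side by side for one package."""
    return {
        "whitelist": whitelist_decision(filename, contents),
        "blacklist": blacklist_decision(filename, contents),
    }


# Constructed cases covering the situations where the two approaches disagree.
CASES = {
    "approved": ("pos-client-4.2.exe", APPROVED["pos-client-4.2.exe"]),
    "unknown": ("free-screensaver.exe", b"never reviewed by anyone"),
    "trojaned": ("pos-client-4.2.exe", APPROVED["pos-client-4.2.exe"] + b" + injected payload"),
    "renamed_bad": ("notepad.exe", b"remote shell tool carrying a harmless-looking name"),
    "known_bad": ("keylogger.exe", b"keylogger"),
}

if __name__ == "__main__":
    for label, (name, data) in CASES.items():
        print(f"{label:12} {name:28} {evaluate(name, data)}")
```

The unknown, trojaned and renamed cases are the ones that matter on a point-of-sale terminal: a blacklist passes all three, a hash-based whitelist denies all three. The cost of the whitelist is operational: every approved update ships a new hash that must be added before it will install.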
What type of motion detector senses changes in the electromagnetic fields in monitored
areas? - Correct Answers -Capacitance - Capacitance motion detectors monitor the
electromagnetic field in a monitored area, sensing disturbances that correspond to
motion.
Don's company is considering the use of an object-based storage system where data is
placed in a vendor-managed storage environment through the use of API calls. What
type of cloud computing service is in use? - Correct Answers -IaaS - In this scenario,
the vendor is providing object-based storage, a core infrastructure service. Therefore,
this is an example of infrastructure as a service (IaaS).
What is the minimum interval at which an organization should conduct business
continuity plan refresher training for those with specific business continuity roles? -
Correct Answers -Annually - Individuals with specific business continuity roles should
receive training on at least an annual basis.
Which one of the following technologies is not normally a capability of mobile device
management (MDM) solutions? - Correct Answers -Assuming control of a nonregistered
BYOD mobile device - MDM products do not have the capability of assuming control of
a device not currently managed by the organization. This would be equivalent to
hacking into a device owned by someone else and might constitute a crime.
Alex is preparing to solicit bids for a penetration test of his company's network and
systems. He wants to maximize the effectiveness of the testing rather than the realism
of the test. What type of penetration test should he require in his bidding process? -
Correct Answers -Crystal box - Crystal-box penetration testing, which is also sometimes
called white-box penetration testing, provides the tester with information about
networks, systems, and configurations, allowing highly effective testing. It doesn't
simulate an actual attack like black- and gray-box testing can and thus does not have
the same realism, and it can lead to attacks succeeding that would fail in a zero- or
limited-knowledge attack.
What RADIUS alternative is commonly used for Cisco network gear and supports two-
factor authentication? - Correct Answers -TACACS+ - TACACS+ is the most modern
version of TACACS, the Terminal Access Controller Access-Control System. It is a
Cisco proprietary protocol with added features beyond what RADIUS provides, meaning
it is commonly used on Cisco networks. XTACACS is an earlier version, Kerberos is a
network authentication protocol rather than a remote user authentication protocol, and
RADIUS+ is a made-up term.
Exam Tip
TACACS+ encrypts the entire body of each packet (everything after the header), for
authentication, authorization and accounting alike. RADIUS hides only the User-Password
attribute; the rest of the packet, including the username, travels in cleartext.
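To make the exam tip concrete, the following is an added example, not part of the original test material: it builds a minimal RADIUS Access-Request and applies the RFC 2865 section 5.2 User-Password hiding (MD5 of the shared secret and the Request Authenticator, XORed block by block). The shared secret, username and password are constructed values. Everything else in the packet, the username included, is visible on the wire.

```python
import hashlib
import os
import struct

# RFC 2865 values.
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(secret: bytes, request_authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16 bytes,
    then XOR each block with MD5(secret + previous ciphertext block); the first
    block uses the 16-byte Request Authenticator instead of a previous block."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block
    return hidden


def reveal_password(secret: bytes, request_authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server does it. Trailing NUL padding is
    stripped, so a password that itself ends in NUL bytes cannot be distinguished."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    plain, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        plain += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return plain.rstrip(b"\x00")


def _attribute(attr_type: int, value: bytes) -> bytes:
    # Attribute layout: Type (1 byte), Length including this header (1 byte), Value.
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, identifier, username, password, request_authenticator=None):
    """Header: Code (1), Identifier (1), Length (2), Authenticator (16); then attributes.
    The Request Authenticator must be random per request; a fixed one is allowed here
    only so the example is reproducible."""
    authenticator = request_authenticator or os.urandom(16)
    attrs = _attribute(ATTR_USER_NAME, username)
    attrs += _attribute(ATTR_USER_PASSWORD, hide_password(secret, authenticator, password))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def request_authenticator(packet: bytes) -> bytes:
    return packet[4:20]


def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: raw value} for the attributes following the 20-byte header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


if __name__ == "__main__":
    secret, ra = b"constructed-shared-secret", bytes(range(16))
    pkt = build_access_request(secret, 7, b"alice", b"hunter2", ra)
    print("username visible on the wire:", b"alice" in pkt)
    print("password visible on the wire:", b"hunter2" in pkt)
```

The hiding is keyed only by the shared secret, and MD5 keystreams repeat if the Request Authenticator ever repeats, which is why RADIUS deployments rely on a strong per-client secret and, increasingly, on carrying RADIUS over TLS rather than on the attribute hiding alone.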
Exam Tip
RADIUS is not only for dial-up. It also provides AAA services for VPN remote access
connections. Other implementations include configuring RADIUS as an 802.1X
authentication server to require authentication for wireless clients, commonly known as
WPA2-Enterprise.
What type of fire extinguisher is useful against liquid-based fires? - Correct Answers -
Class B - Class B fire extinguishers use carbon dioxide, halon, or soda acid as their
suppression material and are useful against liquid-based fires. Water may not be used
against liquid-based fires because it may cause the burning liquid to splash, and many
burning liquids, such as oil, will float on water.
Which one of the following components should be included in an organization's
emergency response guidelines? - Correct Answers -Immediate response procedures -
The emergency response guidelines should include the immediate steps an
organization should follow in response to an emergency situation. These include
immediate response procedures, a list of individuals who should be notified of the
emergency, and secondary response procedures for first responders. They do not
include long-term actions such as activating business continuity protocols, ordering
equipment, or activating DR sites.
Which one of the following disaster recovery test types involves the actual activation of
the disaster recovery facility? - Correct Answers -Parallel test - During a parallel test,
the team activates the disaster recovery site for testing, but the primary site remains
operational. A simulation test involves a roleplay of a prepared scenario overseen by a
moderator. Responses are assessed to help improve the organization's response
process. The checklist review is the least disruptive type of disaster recovery test.
During a checklist review, team members each review the contents of their disaster
recovery checklists on their own and suggest any necessary changes. During a tabletop
exercise, team members come together and walk through a scenario without making
any changes to information systems.
Susan is configuring her network devices to use syslog. What should she set to ensure
that she is notified about issues but does not receive normal operational issue