Question # 1
In a Public Key Infrastructure, how are public keys published?
| A. They are sent via e-mail.
| B. Through digital certificates.
| C. They are sent by owners.
| D. They are not published. |
B. Through digital certificates.
Public keys are published through digital certificates, signed by a certification authority (CA), which bind the public key to the identity of its bearer. More detail: although "digital certificates" is the best (or least wrong) answer in the list presented, for the past decade public keys have also been published (i.e., made known to the world) by means of an LDAP directory or a key distribution server (e.g., http://pgp.mit.edu/). OCSP responders and CRLs are not a publishing method: they tell a relying party whether a certificate has been revoked, which should be checked before the public key the certificate carries is trusted. Reference used for this question: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation, and http://technet.microsoft.com/en-us/library/dd361898.aspx
Question # 2
Which of the following is covered under Crime Insurance Policy Coverage?
| A. Inscribed, printed and written documents
| B. Manuscripts
| C. Accounts Receivable
| D. Money and Securities |
Source: TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 1, Property Insurance overview, Page 589.
Question # 3
An access control model in which a central authority determines what subjects can have access to certain objects, based on the organizational security policy, is called:
| A. Mandatory Access Control
| B. Discretionary Access Control
| C. Non-Discretionary Access Control
| D. Rule-based Access control |
C. Non-Discretionary Access Control
A central authority determines what subjects can have access to certain objects based on the organizational security policy. The key focal point of this question is the 'central authority' that determines access rights.

Cecilia, one of the quiz users, has sent me feedback informing me that NIST defines MAC as: "MAC Policy means that Access Control Policy Decisions are made by a CENTRAL AUTHORITY", which seems to indicate there could be two good answers to this question. However, if you read the NISTIR document mentioned in the references below, it is also mentioned that MAC is the most mentioned NDAC policy, so MAC is a form of NDAC policy. Within the same document it is also mentioned: "In general, all access control policies other than DAC are grouped in the category of non-discretionary access control (NDAC). As the name implies, policies in this category have rules that are not established at the discretion of the user. Non-discretionary policies establish controls that cannot be changed by users, but only through administrative action."

Under NDAC you have two choices: rule-based access control (RuBAC) and role-based access control (RBAC). MAC is implemented using rules, which makes it fall under rule-based access control, which is a form of NDAC; MAC is therefore a subset of NDAC. This question is representative of what you can expect on the real exam, where more than one choice seems to be right. You have to look closely at whether one of the choices is at a higher level, or whether one choice falls under another. In this case NDAC is the better choice because MAC falls under NDAC through the use of rule-based access control.

The following are incorrect answers:

MANDATORY ACCESS CONTROL
In Mandatory Access Control the label of the object and the clearance of the subject determine access rights, not a central authority. Although a central authority (better known as the data owner) assigns the label to the object, the system determines access rights automatically by comparing the object label with the subject clearance. The subject clearance must dominate (be equal to or higher than) the label of the object being accessed. The need for a MAC mechanism arises when the security policy of a system dictates that: 1. Protection decisions must not be decided by the object owner. 2. The system must enforce the protection decisions (i.e., the system enforces the security policy over the wishes or intentions of the object owner). Usually a labeling mechanism and a set of interfaces are used to determine access based on the MAC policy; for example, a user who is running a process at the Secret classification should not be allowed to read a file with a label of Top Secret. This is known as the "simple security rule," or "no read up." Conversely, a user who is running a process with a label of Secret should not be allowed to write to a file with a label of Confidential. This rule is called the "*-property" (pronounced "star property") or "no write down." The *-property is required to maintain system security in an automated environment.

DISCRETIONARY ACCESS CONTROL
In Discretionary Access Control the rights are determined by many different entities: each person who creates a file is the owner of that file, not one central authority. DAC leaves a certain amount of access control to the discretion of the object's owner or anyone else who is authorized to control the object's access. For example, it is generally used to limit a user's access to a file; it is the owner of the file who controls other users' access to the file. Only those users specified by the owner may have some combination of read, write, execute, and other permissions to the file. DAC policy tends to be very flexible and is widely used in the commercial and government sectors. However, DAC is known to be inherently weak for two reasons. First, granting read access is transitive; for example, when Ann grants Bob read access to a file, nothing stops Bob from copying the contents of Ann's file to an object that Bob controls. Bob may now grant any other user access to the copy of Ann's file without Ann's knowledge. Second, DAC policy is vulnerable to Trojan horse attacks. Because programs inherit the identity of the invoking user, Bob may, for example, write a program for Ann that, on the surface, performs some useful function, while at the same time destroying the contents of Ann's files. When investigating the problem, the audit files would indicate that Ann destroyed her own files. Thus, formally, the drawbacks of DAC are as follows: information can be copied from one object to another, so there is no real assurance on the flow of information in a system; no restrictions apply to the usage of information once the user has received it; and the privileges for accessing objects are decided by the owner of the object, rather than through a system-wide policy that reflects the organization's security requirements. ACLs and owner/group/other access control mechanisms are by far the most common mechanisms for implementing DAC policies. Other mechanisms, even though not designed with DAC in mind, may have the capabilities to implement a DAC policy.

RULE BASED ACCESS CONTROL
In Rule-based Access Control a central authority could in fact determine what subjects can have access when assigning the rules for access. However, the rules actually determine the access, and so this is not the most correct answer. RuBAC (as opposed to RBAC, role-based access control) allows users to access systems and information based on predetermined and configured rules. It is important to note that there is no commonly understood definition or formally defined standard for rule-based access control as there is for DAC, MAC, and RBAC. "Rule-based access" is a generic term applied to systems that allow some form of organization-defined rules, and therefore rule-based access control encompasses a broad range of systems. RuBAC may in fact be combined with other models, particularly RBAC or DAC. A RuBAC system intercepts every access request and compares the rules with the rights of the user to make an access decision. Most rule-based access control relies on a security label system, which dynamically composes a set of rules defined by a security policy. Security labels are attached to all objects, including files, directories, and devices. Sometimes roles are assigned to subjects (based on their attributes) as well. RuBAC meets the business needs as well as the technical needs of controlling service access. It allows business rules to be applied to access control; for example, customers who have overdue balances may be denied service access. As a mechanism for MAC, the rules of RuBAC cannot be changed by users. The rules can be established from any attributes of a system related to the users, such as domain, host, protocol, network, or IP addresses. For example, suppose that a user wants to access an object in another network on the other side of a router. The router employs RuBAC with a rule composed of the network addresses, domain, and protocol to decide whether or not the user can be granted access. If employees change their roles within the organization, their existing authentication credentials remain in effect and do not need to be reconfigured. Using rules in conjunction with roles adds greater flexibility because rules can be applied to people as well as to devices. Rule-based access control can be combined with role-based access control, such that the role of a user is one of the attributes in rule setting. Some access control systems have rule-based policy engines in addition to a role-based policy engine and certain implemented dynamic policies [Des03]. For example, suppose that two of the primary types of software users are product engineers and quality engineers. Both groups usually have access to the same data, but they have different roles to perform in relation to the data and the application's function. In addition, individuals within each group have different job responsibilities that may be identified using several types of attributes, such as developing programs and testing areas. Thus, the access decisions can be made in real time by a scripted policy that regulates the access between the groups of product engineers and quality engineers, and each individual within these groups. Rules can either replace or complement role-based access control. However, the creation of rules and security policies is also a complex process, so each organization will need to strike the appropriate balance.

References used for this question: http://csrc.nist.gov/publications/nistir/7316/NISTIR-7316.pdf and AIO v3 p162-167 and OIG (2007) p.186-191 also KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33.
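The MAC decision described above, where the system compares the object's label with the subject's clearance and the owner has no say, as an added Go example (not code from the page, from NISTIR 7316 or from any of the cited books): a Bell-LaPadula style lattice of levels plus need-to-know compartments enforcing the simple security rule (no read up) and the *-property (no write down). The level names, the compartment names NATO and CRYPTO, and the sample objects are assumptions constructed for the example.

```go
package main

import "fmt"

// Level is a linear sensitivity level; a higher value dominates a lower one.
type Level int

const (
	Unclassified Level = iota
	Confidential
	Secret
	TopSecret
)

// Label is a MAC security label: a level plus a set of need-to-know compartments. The
// security administrator attaches one to every subject (clearance) and object (classification);
// from then on the system, not the object's owner, decides every access.
type Label struct {
	Level        Level
	Compartments map[string]bool
}

// NewLabel builds a label from a level and the compartments it holds.
func NewLabel(l Level, comps ...string) Label {
	lab := Label{Level: l, Compartments: map[string]bool{}}
	for _, c := range comps {
		lab.Compartments[c] = true
	}
	return lab
}

// Dominates reports whether a is at least as high as b in the lattice: a's level is not below
// b's and a holds every compartment b has. Two labels can be incomparable (neither dominates).
func (a Label) Dominates(b Label) bool {
	if a.Level < b.Level {
		return false
	}
	for c := range b.Compartments {
		if !a.Compartments[c] {
			return false
		}
	}
	return true
}

// CanRead enforces the simple security property ("no read up"): the subject's clearance
// must dominate the object's label.
func CanRead(subject, object Label) bool { return subject.Dominates(object) }

// CanWrite enforces the *-property ("no write down"): the object's label must dominate the
// subject's label, so information never flows to a lower or incomparable label.
func CanWrite(subject, object Label) bool { return object.Dominates(subject) }

func main() {
	user := NewLabel(Secret, "NATO") // clearance assigned centrally, not chosen by the user
	objects := []struct {
		name string
		lab  Label
	}{
		{"confidential memo", NewLabel(Confidential)},
		{"top secret NATO plan", NewLabel(TopSecret, "NATO")},
		{"secret NATO cable", NewLabel(Secret, "NATO")},
		{"secret CRYPTO key list", NewLabel(Secret, "CRYPTO")}, // incomparable: neither read nor write
	}
	for _, o := range objects {
		fmt.Printf("%-24s read=%-5v write=%v\n", o.name, CanRead(user, o.lab), CanWrite(user, o.lab))
	}
}
```

Note that a Top Secret object with no NATO compartment is not writable by this user either: the object's label does not dominate the subject's, so the compartment rule blocks the write just as the level rule blocks reading Top Secret.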
Question # 4
Which of the following phases of a software development life cycle normally incorporates the security specifications, determines access controls, and evaluates encryption options?
| A. Detailed design
| B. Implementation
| C. Product design
| D. Software plans and requirements |
C. Product design
The Product design phase deals with incorporating security specifications, adjusting test plans and data, determining access controls, design documentation, evaluating encryption options, and verification.

Implementation is incorrect because it deals with installing security software, running the system, acceptance testing, security software testing, and completing documentation, certification and accreditation (where necessary).

Detailed design is incorrect because it refines the decisions made during product design; information security policy, standards, legal issues, and the early validation of concepts are addressed at project initiation.

Software plans and requirements is incorrect because it deals with addressing threats, vulnerabilities, security requirements, reasonable care, due diligence, legal liabilities, cost/benefit analysis, the level of protection desired, and test plans.

Sources: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 7: Applications and Systems Development (page 252). KRUTZ, Ronald & VINES, Russel, The CISSP Prep Guide: Gold Edition, Wiley Publishing Inc., 2003, Chapter 7: Security Life Cycle Components, Figure 7.5 (page 346).

Related question (same topic):
At which of the basic phases of the System Development Life Cycle are security requirements formalized?
| A. Disposal
| B. System Design Specifications
| C. Development and Implementation
| D. Functional Requirements Definition |
D. Functional Requirements Definition
During the Functional Requirements Definition the project management and systems development teams conduct a comprehensive analysis of current and possible future functional requirements to ensure that the new system will meet end-user needs. The teams also review the documents from the project initiation phase and make any revisions or updates as needed. For smaller projects, this phase is often subsumed in the project initiation phase. At this point security requirements should be formalized.
The Development Life Cycle is a project management tool that can be used to plan, execute, and control a software development project, usually called the Systems Development Life Cycle (SDLC). The SDLC is a process that includes systems analysts, software engineers, programmers, and end users in the project design and development. Because there is no industry-wide SDLC, an organization can use any one, or a combination, of SDLC methods. The SDLC simply provides a framework for the phases of a software development project, from defining the functional requirements to implementation. Regardless of the method used, the SDLC outlines the essential phases, which can be shown together or as separate elements. The model chosen should be based on the project. For example, some models work better with long-term, complex projects, while others are more suited for short-term projects. The key element is that a formalized SDLC is utilized. The number of phases can range from three basic phases (concept, design, and implement) on up.

The basic phases of the SDLC are:
Project initiation and planning
Functional requirements definition
System design specifications
Development and implementation
Documentation and common program controls
Testing and evaluation control (certification and accreditation)
Transition to production (implementation)

The system life cycle (SLC) extends beyond the SDLC to include two additional phases:
Operations and maintenance support (post-installation)
Revisions and system replacement

System Design Specifications: This phase includes all activities related to designing the system and software. In this phase, the system architecture, system outputs, and system interfaces are designed. Data input, data flow, and output requirements are established and security features are designed, generally based on the overall security architecture for the company.

Development and Implementation: During this phase, the source code is generated, test scenarios and test cases are developed, unit and integration testing is conducted, and the program and system are documented for maintenance and for turnover to acceptance testing and production. As well as general care for software quality, reliability, and consistency of operation, particular care should be taken to ensure that the code is analyzed to eliminate common vulnerabilities that might lead to security exploits and other risks.

Documentation and Common Program Controls: These are controls used when editing the data within the program, the types of logging the program should be doing, and how the program versions should be stored. A large number of such controls may be needed; see the reference below for a full list of controls.

Acceptance: In the acceptance phase, preferably an independent group develops test data and tests the code to ensure that it will function within the organization's environment and that it meets all the functional and security requirements. It is essential that an independent group test the code during all applicable stages of development to avoid a separation of duties issue. The goal of security testing is to ensure that the application meets its security requirements and specifications. The security testing should uncover all design and implementation flaws that would allow a user to violate the software security policy and requirements. To ensure test validity, the application should be tested in an environment that simulates the production environment. This should include a security certification package and any user documentation.

Certification and Accreditation (Security Authorization): Certification is the process of evaluating the security stance of the software or system against a predetermined set of security standards or policies. Certification also examines how well the system performs its intended functional requirements. The certification or evaluation document should contain an analysis of the technical and nontechnical security features and countermeasures and the extent to which the software or system meets the security requirements for its mission and operational environment.

Transition to Production (Implementation): During this phase, the new system is transitioned from the acceptance phase into the live production environment. Activities during this phase include obtaining security accreditation; training the new users according to the implementation and training schedules; implementing the system, including installation and data conversions; and, if necessary, conducting any parallel operations.

Revisions and System Replacement: As systems are in production mode, the hardware and software baselines should be subject to periodic evaluations and audits. In some instances, problems with the application may not be defects or flaws, but rather additional functions not currently developed in the application. Any changes to the application must follow the same SDLC and be recorded in a change management system. Revision reviews should include security planning and procedures to avoid future problems. Periodic application audits should be conducted and include documenting security incidents when problems occur. Documenting system failures is a valuable resource for justifying future system enhancements.

[Figure: SDLC phases as used by NIST in SP 800-64 Revision 2]

As noted above, the phases vary from one document to another. For the purpose of the exam, use the list provided in the official (ISC)2 study book, which is presented in short form above. Refer to the book for a more detailed description of the activities at each phase of the SDLC; all references have very similar steps. As mentioned in the official book, it could be as simple as three phases in its most basic version (concept, design, and implement) or many more in more detailed versions of the SDLC. The key thing is to make use of an SDLC.

Reference(s) used for this question: NIST SP 800-64 Revision 2 at http://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-Revision2.pdf and Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition: Software Development Security ((ISC)2 Press) (Kindle Locations 134-157). Auerbach Publications. Kindle Edition.
Question # 5
Secure Sockets Layer (SSL) is very heavily used for protecting which of the following?
| A. Web transactions.
| B. EDI transactions.
| C. Telnet transactions.
| D. Electronic Payment transactions |
A. Web transactions.
SSL was developed by Netscape Communications Corporation to improve the security and privacy of HTTP transactions. SSL is one of the most common protocols used to protect Internet traffic. It encrypts messages using symmetric algorithms such as IDEA, DES and 3DES (the Fortezza cipher suites used a hardware token), and also calculates a MAC for the message using MD5 or SHA-1. The MAC is appended to the message and encrypted along with the message data. The exchange of the symmetric keys is accomplished through various versions of Diffie-Hellman or RSA. TLS is the Internet standard based on SSLv3. TLSv1 implementations can fall back to SSLv3 for interoperability. TLS uses the same algorithms as SSLv3; however, it computes a standardized HMAC instead of SSLv3's ad hoc MAC construction, along with other enhancements to improve security. Note that SSLv2, SSLv3, TLS 1.0 and TLS 1.1 have since been deprecated (RFC 6176, RFC 7568 and RFC 8996); current deployments should offer only TLS 1.2 and TLS 1.3. The following are incorrect answers: "EDI transactions" is incorrect. Electronic Data Interchange (EDI) is not the best answer to this question, though SSL could play a part in some EDI transactions. "Telnet transactions" is incorrect. Telnet is a character-mode protocol and is more likely to be secured by Secure Telnet or replaced by the Secure Shell (SSH) protocol. "Electronic payment transactions" is incorrect. Electronic payment is not the best answer to this question, though SSL could play a part in some electronic payment transactions. Reference(s) used for this question: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 16615-16619). Auerbach Publications. Kindle Edition. and http://en.wikipedia.org/wiki/Transport_Layer_Security
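The two mechanisms above, publication of a public key through a CA-signed certificate (Question 1) and protection of a web transaction by SSL/TLS (Question 5), shown end to end as an added Go example that is not code from the original page or from any of the cited references. A throw-away root CA signs a server certificate binding a host name to a freshly generated key; a client that trusts only that CA completes a TLS handshake with the server over an in-memory pipe, takes the server's public key out of the certificate it has just verified, and exchanges one HTTP-style request and reply over the encrypted channel. The host name www.example.com, the CA name "Example Root CA", the validity window and the request text are all assumptions constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// BuildChain issues a throw-away root CA and a server certificate for host. It returns the CA
// certificate as PEM (the relying party's trust anchor) and the server's cert plus private key.
func BuildChain(host string) ([]byte, tls.Certificate, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	srvKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey) // self-signed root
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	// The CA key signs the binding of host to srvKey.PublicKey: that signed statement is what gets published.
	leafDER, err := x509.CreateCertificate(rand.Reader, leaf, ca, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	return caPEM, tls.Certificate{Certificate: [][]byte{leafDER}, PrivateKey: srvKey}, nil
}

// Handshake runs one TLS session over an in-memory pipe. The client trusts only caPEM and requires the
// certificate to match host, as a browser does for an HTTPS site; the handshake fails otherwise. It
// returns the negotiated version and cipher suite, the public key taken from the server's verified
// certificate, and the server's reply to a one-line request sent over the encrypted channel.
func Handshake(caPEM []byte, serverCert tls.Certificate, host string) (uint16, uint16, *ecdsa.PublicKey, string, error) {
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(caPEM)
	rawCli, rawSrv := net.Pipe() // synchronous pipe: the deadlines and deferred Close keep a failed handshake from hanging
	defer rawCli.Close()
	rawCli.SetDeadline(time.Now().Add(3 * time.Second))
	rawSrv.SetDeadline(time.Now().Add(3 * time.Second))
	server := tls.Server(rawSrv, &tls.Config{Certificates: []tls.Certificate{serverCert},
		MinVersion: tls.VersionTLS12, SessionTicketsDisabled: true})
	client := tls.Client(rawCli, &tls.Config{RootCAs: roots, ServerName: host, MinVersion: tls.VersionTLS12})
	done := make(chan error, 1)
	go func() { // server side: the first Read completes the handshake, then the request is echoed back
		buf := make([]byte, 256)
		n, err := server.Read(buf)
		if err == nil {
			_, err = server.Write(append([]byte("HTTP/1.1 200 OK\r\n\r\n"), buf[:n]...))
		}
		done <- err
	}()
	if err := client.Handshake(); err != nil {
		return 0, 0, nil, "", err
	}
	if _, err := client.Write([]byte("GET / HTTP/1.1\r\n")); err != nil {
		return 0, 0, nil, "", err
	}
	buf := make([]byte, 256)
	n, err := client.Read(buf)
	if err == nil {
		err = <-done
	}
	if err != nil {
		return 0, 0, nil, "", err
	}
	st := client.ConnectionState()
	pub, _ := st.PeerCertificates[0].PublicKey.(*ecdsa.PublicKey) // verified chain, leaf first
	return st.Version, st.CipherSuite, pub, string(buf[:n]), nil
}

func main() {
	caPEM, srv, err := BuildChain("www.example.com")
	if err != nil {
		panic(err)
	}
	ver, suite, pub, reply, err := Handshake(caPEM, srv, "www.example.com")
	if err != nil {
		panic(err)
	}
	fmt.Printf("TLS 0x%04x %s, server key on %s\n%s", ver, tls.CipherSuiteName(suite), pub.Curve.Params().Name, reply)
}
```

Run it with `go run` and it prints the negotiated version (0x0304 for TLS 1.3 on a current Go), the cipher suite, and the echoed request. Changing the host passed to Handshake to anything other than the name in the certificate makes the client abort the handshake: the certificate vouches for the key only under the name the CA signed, which is the whole point of publishing keys this way rather than by e-mail or by the owner's say-so.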
Question # 6
When submitting a passphrase for authentication, the passphrase is converted into ...
| A. a virtual password by the system
| B. a new passphrase by the system
| C. a new passphrase by the encryption technology
| D. a real password by the system which can be used forever |
A. a virtual password by the system
Passwords can be compromised and must be protected. In the ideal case, a password is used only once; at the other extreme, it is never changed. Password-change policies fall between these two extremes: passwords can be required to change monthly, quarterly, or at other intervals, depending on the criticality of the information being protected and how often the password is used. Obviously, the more times a password is used, the greater the chance of it being compromised. It is recommended to use a passphrase instead of a password; a passphrase is more resistant to attack. The passphrase is converted into a virtual password by the system. Often the passphrase exceeds the maximum password length the system supports, so the system compresses it with a one-way transformation into a virtual password of the supported length. Simply cutting the passphrase off at the maximum length would discard the extra characters and the entropy they carry, and two passphrases sharing a prefix would yield the same password. Reference(s) used for this question: http://www.itl.nist.gov/fipspubs/fip112.htm and KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36 & 37.
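The conversion described above, as an added Go example that is not part of the original page or of FIPS 112: a naive truncation of the passphrase beside a one-way compression to the length the system supports. SHA-256 with base64 output is my choice for the one-way step (FIPS 112 does not prescribe an algorithm), the length of 8 is an assumed system limit, and the two passphrases are constructed sample input.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// TruncatedPassword is the naive conversion: keep only the first n bytes of the passphrase.
// Everything past position n is ignored, so passphrases sharing a prefix become one password.
func TruncatedPassword(passphrase string, n int) string {
	if len(passphrase) <= n {
		return passphrase
	}
	return passphrase[:n]
}

// VirtualPassword follows the FIPS 112 idea of a virtual password: a one-way function compresses
// the whole passphrase to the length the system supports, so every character contributes. The
// strength is then bounded by the output length (about 6 bits per base64 character), and what the
// system stores should still be a salted, slow hash of this value rather than the value itself.
func VirtualPassword(passphrase string, n int) string {
	sum := sha256.Sum256([]byte(passphrase))
	enc := base64.RawURLEncoding.EncodeToString(sum[:])
	if n > len(enc) {
		n = len(enc)
	}
	return enc[:n]
}

func main() {
	// Constructed sample passphrases: identical for the first 22 characters, different at the end.
	a, b := "correct horse battery staple", "correct horse battery saddle"
	fmt.Printf("truncated: %q %q\n", TruncatedPassword(a, 8), TruncatedPassword(b, 8))
	fmt.Printf("virtual:   %q %q\n", VirtualPassword(a, 8), VirtualPassword(b, 8))
}
```

The truncated form of both passphrases is the same eight characters, so an attacker who learns one has the other; the compressed forms differ because the last word still influences every output character.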
Question # 7
Which backup method usually resets the archive bit on the files after they have been backed up? | A. Incremental backup method.
| B. Differential backup method.
| C. Partial backup method.
| D. Tape backup method. |
A. Incremental backup method.
The incremental backup method usually resets the archive bit on the files after they have been backed up. An incremental backup backs up all the files that have changed since the last full backup (the first time it is run after a full backup) or since the last incremental backup (for the second and subsequent runs), and sets the archive bit to 0. This type of backup takes less time during the backup phase but more time to restore, because the full backup and every incremental taken since it must be applied in order. The other answers are all incorrect choices. The following backup types also exist: Full backup: all data are backed up and the archive bit is cleared, which means that it is set to 0. Differential backup: backs up the files that have been modified since the last full backup; the archive bit does not change, so each differential grows until the next full backup. It takes more time during the backup phase but less time to restore, since only the full backup and the latest differential are needed. Reference(s) used for this question: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 69.
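The archive-bit behaviour of the three backup types, as an added Go simulation that is not code from the page or from the Krutz & Vines reference. The volume, the file names and the two days of changes are constructed sample data; the simulation shows what each backup set contains and therefore what a restore would need.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// File models one file with its archive attribute, which the file system sets on every write.
type File struct {
	Name    string
	Archive bool
}

// Volume is the set of files on a disk, keyed by name.
type Volume map[string]*File

// Modify simulates applications writing to files: the file system sets the archive bit.
func (v Volume) Modify(names ...string) {
	for _, n := range names {
		if f, ok := v[n]; ok {
			f.Archive = true
		} else {
			v[n] = &File{Name: n, Archive: true}
		}
	}
}

// flagged returns, in sorted order, the files whose archive bit is set, clearing the bit when asked.
func (v Volume) flagged(clear bool) []string {
	var out []string
	for _, f := range v {
		if f.Archive {
			out = append(out, f.Name)
			if clear {
				f.Archive = false
			}
		}
	}
	sort.Strings(out)
	return out
}

// FullBackup copies every file and clears every archive bit.
func (v Volume) FullBackup() []string {
	var out []string
	for _, f := range v {
		out = append(out, f.Name)
		f.Archive = false
	}
	sort.Strings(out)
	return out
}

// IncrementalBackup copies files changed since the last full or incremental backup and clears the bit.
func (v Volume) IncrementalBackup() []string { return v.flagged(true) }

// DifferentialBackup copies files changed since the last full backup and leaves the bit set.
func (v Volume) DifferentialBackup() []string { return v.flagged(false) }

// Simulate runs a full backup followed by two days of changes with a partial backup each day and
// returns the contents of each backup set as "a,b,c". Restoring after day 2 needs the full set plus
// every incremental, or the full set plus only the last differential.
func Simulate(differential bool) []string {
	v := Volume{}
	v.Modify("a", "b", "c") // constructed sample volume: three new files
	partial := v.IncrementalBackup
	if differential {
		partial = v.DifferentialBackup
	}
	sets := []string{strings.Join(v.FullBackup(), ",")}
	v.Modify("a") // day 1: one file changes
	sets = append(sets, strings.Join(partial(), ","))
	v.Modify("b") // day 2: another file changes
	sets = append(sets, strings.Join(partial(), ","))
	return sets
}

func main() {
	fmt.Println("incremental: ", Simulate(false))
	fmt.Println("differential:", Simulate(true))
}
```

With incremental backups the sets are [a,b,c] [a] [b]: each run clears the bit, so day 2 copies only b and a restore must replay both partial sets after the full one. With differential backups they are [a,b,c] [a] [a,b]: the bit is left set, so day 2 copies a again and a restore needs only the full set and the last differential.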