SSCP : System Security Certified Practitioner (SSCP) : Part 09

  1. Which of the following is less likely to accompany a contingency plan, either within the plan itself or in the form of an appendix?

    • Contact information for all personnel.
    • Vendor contact information, including offsite storage and alternate site.
    • Equipment and system requirements lists of the hardware, software, firmware and other resources required to support system operations.
    • The Business Impact Analysis.

    Explanation:

    Why is this the correct answer? Simply because it is WRONG: you would have contact information for your emergency personnel within the plan, but NOT for ALL of your personnel. Be careful of words such as ALL.
    According to NIST’s Special Publication 800-34, contingency plan appendices provide key details not contained in the main body of the plan. The appendices should reflect the specific technical, operational, and management contingency requirements of the given system. Contact information for recovery team personnel (not all personnel) and for vendors should be included, as well as detailed system requirements to allow support of system operations. The Business Impact Analysis (BIA) should also be included as an appendix for reference should the plan be activated.

    Reference(s) used for this question:
    SWANSON, Marianne, et al., National Institute of Standards and Technology (NIST), NIST Special Publication 800-34, Contingency Planning Guide for Information Technology Systems

  2. In which of the following phases of system development life cycle (SDLC) is contingency planning most important?

    • Initiation
    • Development/acquisition
    • Implementation
    • Operation/maintenance
    Explanation:

    Contingency planning requirements should be considered at every phase of SDLC, but most importantly when a new IT system is being conceived. In the initiation phase, system requirements are identified and matched to their related operational processes, allowing determination of the system’s appropriate recovery priority.

    Source: SWANSON, Marianne, et al., National Institute of Standards and Technology (NIST), NIST Special Publication 800-34, Contingency Planning Guide for Information Technology Systems, December 2001 (page 12).
    and
    The Official ISC2 Guide to the CBK, Second Edition, Application Security, pages 180-185

  3. Which of the following teams should NOT be included in an organization’s contingency plan?

    • Damage assessment team
    • Hardware salvage team
    • Tiger team
    • Legal affairs team
    Explanation:

    According to NIST’s Special Publication 800-34, a capable recovery strategy will require some or all of the following functional groups: senior management official, management team, damage assessment team, operating system administration team, systems software team, server recovery team, LAN/WAN recovery team, database recovery team, network operations recovery team, telecommunications team, hardware salvage team, alternate site recovery coordination team, original site restoration/salvage coordination team, test team, administrative support team, transportation and relocation team, media relations team, legal affairs team, physical/personnel security team, procurement team. Ideally, these teams would be staffed with the personnel responsible for the same or similar operations under normal conditions. A tiger team, a term originally from U.S. military jargon, is a team (of “sneakers”) whose purpose is to penetrate security and thus test security measures; the term is used today for teams performing ethical hacking.

    Source: SWANSON, Marianne, et al., National Institute of Standards and Technology (NIST), NIST Special Publication 800-34, Contingency Planning Guide for Information Technology Systems, December 2001 (page 23).

  4. Which of the following items would best help an organization to gain a common understanding of functions that are critical to its survival?

    • A risk assessment
    • A business assessment
    • A disaster recovery plan
    • A business impact analysis
    Explanation:

    A Business Impact Analysis (BIA) is an assessment of an organization’s business functions to develop an understanding of their criticality, recovery time objectives, and resources needed.
    By going through a Business Impact Analysis, the organization will gain a common understanding of functions that are critical to its survival.

    A risk assessment is an evaluation of the exposures present in an organization’s external and internal environments.
    A Business Assessment generally includes Business Analysis as a discipline; it has heavy overlap with requirements analysis (sometimes also called requirements engineering), but focuses on identifying the changes to an organization that are required for it to achieve strategic goals. These changes include changes to strategies, structures, policies, processes, and information systems.
    A disaster recovery plan is the comprehensive statement of consistent actions to be taken before, during and after a disruptive event that causes a significant loss of information systems resources.

    Source: BARNES, James C. & ROTHSTEIN, Philip J., A Guide to Business Continuity Planning, John Wiley & Sons, 2001 (page 57).

  5. What can be defined as the maximum acceptable length of time that elapses before the unavailability of the system severely affects the organization?

    • Recovery Point Objectives (RPO)
    • Recovery Time Objectives (RTO)
    • Recovery Time Period (RTP)
    • Critical Recovery Time (CRT)
    Explanation:

    One of the results of a Business Impact Analysis is a determination of each business function’s Recovery Time Objectives (RTO). The RTO is the amount of time allowed for the recovery of a business function. If the RTO is exceeded, then severe damage to the organization would result.
    The Recovery Point Objective (RPO) is the point in time to which data must be restored in order to resume processing.

    Reference(s) used for this question:
    BARNES, James C. & ROTHSTEIN, Philip J., A Guide to Business Continuity Planning, John Wiley & Sons, 2001 (page 68).
    and
    SWANSON, Marianne, et al., National Institute of Standards and Technology (NIST), NIST Special Publication 800-34, Contingency Planning Guide for Information Technology Systems, December 2001 (page 47).

  6. Which of the following server contingency solutions offers the highest availability?

    • System backups
    • Electronic vaulting/remote journaling
    • Redundant arrays of independent disks (RAID)
    • Load balancing/disk replication
    Explanation:

    Of the offered technologies, load balancing/disk replication offers the highest availability, measured in terms of minutes of lost data or server downtime.
    A Network-Attached Storage (NAS) or a Storage Area Network (SAN) solution combined with virtualization would offer an even higher availability.

    Source: SWANSON, Marianne, et al., National Institute of Standards and Technology (NIST), NIST Special Publication 800-34, Contingency Planning Guide for Information Technology Systems, December 2001 (page 49).

  7. What assesses potential loss that could be caused by a disaster?

    • The Business Assessment (BA)
    • The Business Impact Analysis (BIA)
    • The Risk Assessment (RA)
    • The Business Continuity Plan (BCP)
    Explanation:

    The Business Assessment is divided into two components: Risk Assessment (RA) and Business Impact Analysis (BIA). Risk Assessment is designed to evaluate existing exposures from the organization’s environment, whereas the BIA assesses potential loss that could be caused by a disaster. The Business Continuity Plan’s goal is to reduce the risk of financial loss by improving the ability to recover and restore operations efficiently and effectively.

    Source: BARNES, James C. & ROTHSTEIN, Philip J., A Guide to Business Continuity Planning, John Wiley & Sons, 2001 (page 57).
    And: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 276).

  8. An Intrusion Detection System (IDS) is what type of control?

    • A preventive control.
    • A detective control.
    • A recovery control.
    • A directive control.
    Explanation:

    Detective controls can be used to investigate what happened after the fact. Your IDS may collect information on where the attack came from, what port was used, and other details that could be used in the investigation steps.

    “Preventative control” is incorrect. Preventative controls preclude events or actions that might compromise a system or cause a policy violation. An intrusion prevention system would be an example of a preventative control.

    “Recovery control” is incorrect. Recovery controls include processes used to return the system to a secure state after the occurrence of a security incident. Backups and redundant components are examples of recovery controls.

    “Directive controls” is incorrect. Directive controls are administrative instruments such as policies, procedures, guidelines, and agreements. An acceptable use policy is an example of a directive control.

    References:
    CBK, pp. 646 – 647

  9. Which backup method copies only files that have changed since the last full backup, but does not clear the archive bit?

    • Differential backup method.
    • Full backup method.
    • Incremental backup method.
    • Tape backup method.
    Explanation:

    One of the key items to understand regarding backups is the archive bit. The archive bit is used to determine which files have already been backed up. The archive bit is set when a file is modified or a new file is created; this indicates to the backup program that the file has to be saved on the next backup. When a full backup is performed, the archive bit is cleared, indicating that the files were backed up. This allows backup programs to do an incremental or differential backup that only backs up the changes to the filesystem since the last time the bit was cleared.
    Full Backup (or Reference Backup)
    A full backup will back up all the files and folders on the drive every time you run it. The archive bit is cleared on all files, indicating they were all backed up.

    Advantages:
    All files from the selected drives and folders are backed up to one backup set.
    In the event you need to restore files, they are easily restored from the single backup set.

    Disadvantages:
    A full backup is more time consuming than other backup options.
    Full backups require more disk, tape, or network drive space.
    Incremental Backup
    An incremental backup provides a backup of files that have changed or are new since the last incremental backup.

    For the first incremental backup, all files in the file set are backed up (just as in a full backup). If you use the same file set to perform an incremental backup later, only the files that have changed are backed up. If you use the same file set for a third backup, only the files that have changed since the second backup are backed up, and so on.

    An incremental backup clears the archive bit.
    Advantages:
    Backup time is faster than full backups.
    Incremental backups require less disk, tape, or network drive space.
    You can keep several versions of the same files on different backup sets.
    Disadvantages:
    In order to restore all the files, you must have all of the incremental backups available.
    It may take longer to restore a specific file since you must search more than one backup set to find the latest version of a file.
    Differential Backup

    A differential backup provides a backup of files that have changed since a full backup was performed. A differential backup typically saves only the files that are different or new since the last full backup. Together, a full backup and a differential backup include all the files on your computer, changed and unchanged.

    Differential backups do not clear the archive bit.

    Advantages:
    Differential backups require even less disk, tape, or network drive space than incremental backups.
    Backup time is faster than full or incremental backups.
    Disadvantages:
    Restoring all your files may take considerably longer since you may have to restore both the last differential and full backup.
    Restoring an individual file may take longer since you have to locate the file on either the differential or full backup.

    For more info see: http://support.microsoft.com/kb/136621
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 69.

  10. Which backup method is additive because the time and tape space required for each night’s backup grows during the week as it copies the day’s changed files and the previous days’ changed files up to the last full backup?

    • differential backup method
    • full backup method
    • incremental backup method
    • tape backup method.
    Explanation:

    The Differential Backup Method is additive because the time and tape space required for each night’s backup grows during the week as it copies the day’s changed files and the previous days’ changed files up to the last full backup.
    Archive Bits

    Unless you’ve done a lot of backups in your time you’ve probably never heard of an Archive Bit. An archive bit is, essentially, a tag that is attached to every file. In actuality, it is a binary digit that is set on or off in the file, but that’s crummy technical jargon that doesn’t really tell us anything. For the sake of our discussion, just think of it as the flag on a mail box. If the flag is up, it means the file has been changed. If it’s down, then the file is unchanged.

    Archive bits let the backup software know what needs to be backed up. The differential and incremental backup types rely on the archive bit to direct them.
    Backup Types

    Full or Normal
    The “Full” or “normal” backup type is the most standard. This is the backup type you would use if you wanted to back up every file in a given folder or drive. It backs up everything you direct it to, regardless of what the archive bit says. It also resets all archive bits (puts the flags down). Most backup software, including the built-in Windows backup software, lets you select down to the individual file that you want backed up. You can also choose to back up things like the “system state”.

    Incremental
    When you schedule an incremental backup, you are in essence instructing the software to back up only files that have been changed, or files that have their flag up. After the incremental backup of that file has occurred, that flag will go back down. If you perform a normal backup on Monday, then an incremental backup on Wednesday, the only files that will be backed up are those that have changed since Monday. If on Thursday someone deletes a file by accident, in order to get it back you will have to restore the full backup from Monday, followed by the incremental backup from Wednesday.

    Differential
    Differential backups are similar to incremental backups in that they only back up files with their archive bit, or flag, up. However, a differential backup does not reset those archive bits, which means that if another differential backup occurs the following day, it will back up that file again regardless of whether the file has been changed or not.

    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 69.

    And: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 9: Disaster Recovery and Business continuity (pages 617-619).
    And: http://www.brighthub.com/computing/windows-platform/articles/24531.aspx

  11. Which backup method usually resets the archive bit on the files after they have been backed up?

    • Incremental backup method.
    • Differential backup method.
    • Partial backup method.
    • Tape backup method.
    Explanation:

    The incremental backup method usually resets the archive bit on the files after they have been backed up.

    An incremental backup will back up all the files that have changed since the last full backup (the first time it is run after a full backup was completed) or since the last incremental backup (for the second and subsequent backups), and sets the archive bit to 0. This type of backup takes less time during the backup phase but more time to restore.

    The other answers are all incorrect choices.

    The following backup types also exist:
    Full Backup – All data are backed up. The archive bit is cleared, which means that it is set to 0.
    Differential Backup – Backs up the files that have been modified since the last full backup. The archive bit does not change. Takes more time during the backup phase and less time to restore.

    Reference(s) used for this question:
    KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 69.

  12. Which backup method is used if backup time is critical and tape space is at an extreme premium?

    • Incremental backup method.
    • Differential backup method.
    • Full backup method.
    • Tape backup method.
    Explanation:

    Full Backup/Archival Backup – Complete/full backup of every selected file on the system, regardless of whether it has been backed up recently. This is the slowest of the backup methods since it backs up all the data. It is, however, the fastest for restoring data.

    Incremental Backup – Any backup in which only the files that have been modified since the last full backup are backed up. The archive attribute should be updated while backing up only modified files, which indicates that the file has been backed up. This is the fastest of the backup methods, but the slowest of the restore methods.

    Differential Backup – The backup of all data files that have been modified since the last incremental backup or archival/full backup. Uses the archive bit to determine what files have changed since the last incremental backup or full backup. The file set grows each day until the next full backup is performed, clearing the archive attributes. This enables the user to restore all files changed since the last full backup in one pass. This is a more neutral method of backing up data since it is neither faster nor slower than the other two.

    Easy way to remember the properties of each backup type:

    Method         Backup Speed   Restore Speed
    Full           3              1
    Differential   2              2
    Incremental    1              3

    Legend: 1 = Fastest, 2 = Faster, 3 = Slowest

    Source:

    KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 69.
    and
    http://www.proprofs.com/mwiki/index.php/Full_Backup,_Incremental_%26_Differential_Backup
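    The archive-bit behaviour that questions 9 to 12 rely on, as an added Python model that is not part of the original question bank or any backup product: full and incremental backups clear the bit, differential backups leave it set, so the differential set grows day by day (question 10) while its restore needs only the full backup plus the latest differential. File names, contents and the edit schedule are constructed.

```python
"""Archive-bit model of full, incremental and differential backups.

Constructed example, not from the SSCP question bank or any backup product.
Rules follow the explanations above:
  full         - copies every file and clears every archive bit
  incremental  - copies files whose bit is set, then clears those bits
  differential - copies files whose bit is set and leaves the bits untouched
"""
from dataclasses import dataclass, field


@dataclass
class Snapshot:
    kind: str                                   # "full", "incremental" or "differential"
    files: dict = field(default_factory=dict)   # path -> content captured in this set


class FileSystem:
    def __init__(self):
        self.files = {}      # path -> content
        self.archive = {}    # path -> True while "flag up" (changed since last clearing)

    def write(self, path, content):
        # Creating or modifying a file raises its archive bit.
        self.files[path] = content
        self.archive[path] = True


def run_backup(fs, kind):
    """Copy the files the method selects and clear archive bits where the method says so."""
    if kind == "full":
        selected = list(fs.files)
    elif kind in ("incremental", "differential"):
        selected = [p for p in fs.files if fs.archive.get(p)]
    else:
        raise ValueError(f"unknown backup kind: {kind}")
    snap = Snapshot(kind, {p: fs.files[p] for p in selected})
    if kind in ("full", "incremental"):
        for p in selected:
            fs.archive[p] = False       # flag down
    return snap


def restore_chain(snapshots):
    """Sets needed to rebuild the latest state, assuming one method is used after each full.

    Full + every later incremental, or full + only the latest differential.
    """
    last_full = max(i for i, s in enumerate(snapshots) if s.kind == "full")
    later = snapshots[last_full + 1:]
    if later and later[-1].kind == "differential":
        chain = [snapshots[last_full], later[-1]]
    else:
        chain = [snapshots[last_full]] + later
    state = {}
    for s in chain:
        state.update(s.files)
    return chain, state


def simulate_week(kind, edits_per_day=(("a",), ("b",), ("c",), ("a", "d"))):
    """Full backup on day 0, then one `kind` backup per day after that day's edits.

    Returns (paths copied each day, number of sets needed to restore,
    whether the restore reproduces the live filesystem).
    """
    fs = FileSystem()
    for p in "abcdef":                   # constructed starting content
        fs.write(p, f"{p}0")
    snaps = [run_backup(fs, "full")]
    copied = []
    for day, paths in enumerate(edits_per_day, start=1):
        for p in paths:
            fs.write(p, f"{p}{day}")
        snap = run_backup(fs, kind)
        snaps.append(snap)
        copied.append(sorted(snap.files))
    chain, state = restore_chain(snaps)
    return copied, len(chain), state == fs.files


if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        copied, sets, ok = simulate_week(kind)
        print(f"{kind:12s} copied per day: {copied}  restore sets: {sets}  ok: {ok}")
```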

  13. Which of the following is a large hardware/software backup system that uses the RAID technology?

    • Tape Array.
    • Scale Array.
    • Crimson Array
    • Table Array.
    Explanation:

    A Tape Array is a large hardware/software backup system based on the RAID technology.

    There is a misconception that RAID can only be used with Disks.
    All the large storage vendors, from HP to EMC to Compaq, offer Tape Arrays based on RAID technology.

    This is a VERY common type of storage at an affordable price as well.

    So RAID is not exclusively for DISKS. Often this is referred to as Tape Libraries or simply RAIT.
    RAIT (redundant array of independent tapes) is similar to RAID, but uses tape drives instead of disk drives. Tape storage is the lowest-cost option for very large amounts of data, but is very slow compared to disk storage. As in RAID 1 striping, in RAIT, data are striped in parallel to multiple tape drives, with or without a redundant parity drive. This provides the high capacity at low cost typical of tape storage, with higher-than-usual tape data transfer rates and optional data integrity.

    References:
    KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 70.
    and
    Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 1271). McGraw-Hill. Kindle Edition.

  14. This type of backup management provides a continuous on-line backup by using optical or tape “jukeboxes,” similar to WORMs (Write Once, Read Many):

    • Hierarchical Storage Management (HSM).
    • Hierarchical Resource Management (HRM).
    • Hierarchical Access Management (HAM).
    • Hierarchical Instance Management (HIM).
    Explanation:
    Hierarchical Storage Management (HSM) provides a continuous on-line backup by using optical or tape “jukeboxes,” similar to WORMs.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 71.

  15. Which of the following backup methods must be made regardless of whether Differential or Incremental methods are used?

    • Full Backup Method.
    • Incremental backup method.
    • Supplemental backup method.
    • Tape backup method.
    Explanation:
    A Full Backup must be made regardless of whether Differential or Incremental methods are used.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 69.
    And: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 9: Disaster Recovery and Business continuity (pages 617-619).

  16. Which of the following tape formats can be used to back up data systems in addition to its original intended audio uses?

    • Digital Video Tape (DVT).
    • Digital Analog Tape (DAT).
    • Digital Voice Tape (DVT).
    • Digital Audio Tape (DAT).
    Explanation:
    Digital Audio Tape (DAT) can be used to back up data systems in addition to its original intended audio uses.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 70.

  17. Which of the following assertions is NOT true about pattern matching and anomaly detection in intrusion detection?

    • Anomaly detection tends to produce more data
    • A pattern matching IDS can only identify known attacks
    • Stateful matching scans for attack signatures by analyzing individual packets instead of traffic streams
    • An anomaly-based engine develops baselines of normal traffic activity and throughput, and alerts on deviations from these baselines
    Explanation:

    This statement is false, which makes it the correct choice: stateful matching scans for attack signatures by analyzing traffic streams rather than individual packets. Stateful matching intrusion detection takes pattern matching to the next level.

    As networks become faster there is an emerging need for security analysis techniques that can keep up with the increased network throughput. Existing network-based intrusion detection sensors can barely keep up with bandwidths of a few hundred Mbps. Analysis tools that can deal with higher throughput are unable to maintain state between different steps of an attack or they are limited to the analysis of packet headers.

    The following answers are all incorrect:

    “Anomaly detection tends to produce more data” is true, as an anomaly-based IDS produces a lot of data: any activity outside of expected behavior is recorded.

    “A pattern matching IDS can only identify known attacks” is true, as a pattern matching IDS works by comparing traffic streams against signatures, and these signatures are created for known attacks.

    “An anomaly-based engine develops baselines of normal traffic activity and throughput, and alerts on deviations from these baselines” is true, as the assertion is a characteristic of a statistical anomaly-based IDS.

    Reference:
    Official guide to the CISSP CBK. Pages 198 to 201
    http://cs.ucsb.edu/~vigna/publications/2003_vigna_robertson_kher_kemmerer_ACSAC03.pdf
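    To make the stateful-matching point concrete, here is an added Python example (not from the question bank or any IDS product): a constructed signature split across two TCP segments that arrive out of order is missed by per-segment matching but found once the stream is reassembled by sequence number. Segment layout, sequence numbers and the signature token are all constructed.

```python
"""Per-packet (stateless) versus stream (stateful) signature matching.

Constructed example, not from the question bank or any IDS engine. TCP segments
are modelled as (seq, payload); the signature is a made-up token that straddles
a segment boundary and arrives out of order. Overlapping or retransmitted
segments are ignored to keep the model short.
"""
from dataclasses import dataclass

SIGNATURES = [b"TEST-SIG-ALPHA"]   # constructed pattern standing in for a real rule


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def stateless_match(segments, signatures=SIGNATURES):
    """Inspect each segment on its own; a pattern split across segments is invisible."""
    hits = []
    for seg in segments:
        for sig in signatures:
            if sig in seg.payload:
                hits.append((seg.seq, sig))
    return hits


class StreamMatcher:
    """Reassemble one direction of a TCP stream in sequence order, then match across segments."""

    def __init__(self, isn, signatures=SIGNATURES):
        self.next_seq = isn            # next in-order byte we expect
        self.pending = {}              # seq -> payload held until its predecessors arrive
        self.buffer = bytearray()      # contiguous, in-order bytes not yet scanned away
        self.signatures = signatures
        self.tail = max(len(s) for s in signatures) - 1

    def feed(self, seg):
        """Accept a segment (possibly out of order) and return signatures now visible."""
        self.pending[seg.seq] = seg.payload
        while self.next_seq in self.pending:            # drain all contiguous data
            data = self.pending.pop(self.next_seq)
            self.buffer += data
            self.next_seq += len(data)
        hits = [sig for sig in self.signatures if sig in self.buffer]
        # Keep only the last (longest signature - 1) bytes: enough to catch a pattern
        # that straddles the next segment, too short to report this match twice.
        drop = len(self.buffer) - self.tail
        if drop > 0:
            del self.buffer[:drop]
        return hits


def demo(isn=1000, split=6):
    """Deliver a signature split over two segments, second segment first."""
    sig = SIGNATURES[0]
    first = b"GET /index.html " + sig[:split]
    second = sig[split:] + b" HTTP/1.0\r\n"
    segs = [Segment(isn, first), Segment(isn + len(first), second)]
    stateless = stateless_match(segs)
    matcher = StreamMatcher(isn)
    stateful = []
    for seg in reversed(segs):       # out-of-order arrival
        stateful += matcher.feed(seg)
    return stateless, stateful


if __name__ == "__main__":
    print(demo())   # ([], [b'TEST-SIG-ALPHA'])
```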

  18. The IP header contains a protocol field. If this field contains the value of 51, what type of data is contained within the IP datagram?

    • Transmission Control Protocol (TCP)
    • Authentication Header (AH)
    • User datagram protocol (UDP)
    • Internet Control Message Protocol (ICMP)
    Explanation:

    Authentication Header (AH) has the value of 51.
    TCP has the value of 6.
    UDP has the value of 17.
    ICMP has the value of 1.

    Reference:
    SANS http://www.sans.org/resources/tcpip.pdf?ref=3871
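    An added Python example (not from the question bank or the SANS reference) that builds a constructed IPv4 header, reads its protocol field and names the protocol; the numbers are the IANA-assigned values listed above plus 50 for ESP. It also verifies the RFC 791 header checksum, so a corrupted header is flagged rather than trusted. Addresses and payload length are constructed.

```python
"""Read the protocol field of an IPv4 header and name the protocol it announces.

Constructed example, not from the SSCP question bank or the SANS reference:
the header is built in code so the block runs offline; the protocol numbers
are the IANA-assigned values (1, 6, 17 and 51 as on the page, 50 for ESP).
"""
import ipaddress
import struct

IPV4_HEADER_FMT = "!BBHHHBBH4s4s"   # 20 fixed bytes, no options
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 50: "ESP", 51: "AH"}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum of 16-bit words.

    Computed over a valid header (checksum field included) the result is 0.
    """
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                          # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(protocol, src, dst, payload_len=0, ttl=64, ident=0x1234):
    """Constructed 20-byte IPv4 header carrying `protocol`, with a correct checksum."""
    ver_ihl = (4 << 4) | 5                      # version 4, IHL 5 words
    fields = (ver_ihl, 0, 20 + payload_len, ident, 0, ttl, protocol, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    raw = struct.pack(IPV4_HEADER_FMT, *fields)
    return raw[:10] + struct.pack("!H", ipv4_checksum(raw)) + raw[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fixed header, name the protocol, and verify the checksum."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl,
     proto, _csum, src, dst) = struct.unpack(IPV4_HEADER_FMT, pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError(f"not IPv4 (version={version})")
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    return {
        "protocol": proto,
        "protocol_name": PROTOCOL_NAMES.get(proto, f"other({proto})"),
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl,
        "total_length": total_len,
        "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0,
    }


if __name__ == "__main__":
    pkt = build_ipv4_header(51, "192.0.2.1", "198.51.100.7", payload_len=24)
    print(parse_ipv4_header(pkt))
```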

  19. Risk mitigation and risk reduction controls for providing information security are classified within three main categories. Which of the following lists them?

    • preventive, corrective, and administrative
    • detective, corrective, and physical
    • Physical, technical, and administrative
    • Administrative, operational, and logical
    Explanation:

    Security is generally defined as the freedom from danger or as the condition of safety. Computer security, specifically, is the protection of data in a system against unauthorized disclosure, modification, or destruction and protection of the computer system itself against unauthorized use, modification, or denial of service. Because certain computer security controls inhibit productivity, security is typically a compromise toward which security practitioners, system users, and system operations and administrative personnel work to achieve a satisfactory balance between security and productivity.

    Controls for providing information security can be physical, technical, or administrative.
    These three categories of controls can be further classified as either preventive or detective. Preventive controls attempt to avoid the occurrence of unwanted events, whereas detective controls attempt to identify unwanted events after they have occurred. Preventive controls inhibit the free use of computing resources and therefore can be applied only to the degree that the users are willing to accept. Effective security awareness programs can help increase users’ level of tolerance for preventive controls by helping them understand how such controls enable them to trust their computing systems. Common detective controls include audit trails, intrusion detection methods, and checksums.

    Three other types of controls supplement preventive and detective controls. They are usually described as deterrent, corrective, and recovery.

    Deterrent controls are intended to discourage individuals from intentionally violating information security policies or procedures. These usually take the form of constraints that make it difficult or undesirable to perform unauthorized activities or threats of consequences that influence a potential intruder to not violate security (e.g., threats ranging from embarrassment to severe punishment).
    Corrective controls either remedy the circumstances that allowed the unauthorized activity or return conditions to what they were before the violation. Execution of corrective controls could result in changes to existing physical, technical, and administrative controls.
    Recovery controls restore lost computing resources or capabilities and help the organization recover monetary losses caused by a security violation.

    Deterrent, corrective, and recovery controls are considered to be special cases within the major categories of physical, technical, and administrative controls; they do not clearly belong in either preventive or detective categories. For example, it could be argued that deterrence is a form of prevention because it can cause an intruder to turn away; however, deterrence also involves detecting violations, which may be what the intruder fears most. Corrective controls, on the other hand, are not preventive or detective, but they are clearly linked with technical controls when antiviral software eradicates a virus or with administrative controls when backup procedures enable restoring a damaged database. Finally, recovery controls are neither preventive nor detective but are included in administrative controls as disaster recovery or contingency plans.

    Reference(s) used for this question
    Handbook of Information Security Management, Hal Tipton

  20. In the course of responding to and handling an incident, you work on determining the root cause of the incident. Which step are you in?

    • Recovery
    • Containment
    • Triage
    • Analysis and tracking
    Explanation:

    In this step, your main objective is to examine and analyze what has occurred and focus on determining the root cause of the incident.

    Recovery is incorrect, as recovery is about resuming operations or bringing affected systems back into production.

    Containment is incorrect, as containment is about reducing the potential impact of an incident.

    Triage is incorrect, as triage is about determining the seriousness of the incident and filtering out false positives.

    Reference:
    Official Guide to the CISSP CBK, pages 700-704
