SSCP : System Security Certified Practitioner (SSCP) : Part 10

  1. Which of the following backup methods makes a complete backup of every file on the server every time it is run?

    • full backup method.
    • incremental backup method.
    • differential backup method.
    • tape backup method.

    Explanation:

    The Full Backup Method makes a complete backup of every file on the server every time it is run.

    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 69.

  2. Which of the following backup methods is primarily run when time and tape space permits, and is used for the system archive or baselined tape sets?

    • full backup method.
    • incremental backup method.
    • differential backup method.
    • tape backup method.
    Explanation:
    The Full Backup Method is primarily run when time and tape space permits, and is used for the system archive or baselined tape sets.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 69.
  3. Which of the following is NOT a correct notation for an IPv6 address?

    • 2001:0db8:0:0:0:0:1428:57ab
    • ABCD:EF01:2345:6789:ABCD:EF01:2345:6789
    • ::1
    • 2001:DB8::8:800::417A
    Explanation:

    2001:DB8::8:800::417A is not a correct notation for an IPv6 address because “::” can appear only once in an address. The “::” is a shortcut notation that stands for one or more consecutive groups of 16 zero bits; if it appeared twice, the number of zero groups each one replaces could not be determined.

    ::1 is the loopback address written with this shortcut notation.
    Reference: IP Version 6 Addressing Architecture
    http://tools.ietf.org/html/rfc4291#section-2.1
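An added example (not part of the original page or of RFC 4291) that applies the textual rules the explanation relies on: each group is one to four hex digits, “::” may appear at most once, and it must stand in for at least one group. It also handles the IPv4-embedded suffix form and cross-checks its verdict against Python's ipaddress module; the function names are my own.

```python
import ipaddress
import re

# A group is one to four hexadecimal digits (RFC 4291 section 2.2).
HEX_GROUP = re.compile(r"^[0-9A-Fa-f]{1,4}$")


def check_ipv6_notation(text):
    """Validate the textual form of an IPv6 address; returns (ok, reason)."""
    if text.count("::") > 1:
        return False, '"::" may appear only once in an address'
    if ":::" in text:
        return False, "three consecutive colons are not allowed"
    has_gap = "::" in text
    sides = text.split("::") if has_gap else [text]
    groups = []
    for side in sides:
        if side == "":          # nothing on this side of "::" (e.g. "::1")
            continue
        parts = side.split(":")
        if "" in parts:         # a stray single colon such as ":1::2" or "::1:"
            return False, "empty group next to a single colon"
        groups.extend(parts)
    # An embedded IPv4 suffix (e.g. ::ffff:192.0.2.1) occupies the last two 16-bit groups.
    if groups and "." in groups[-1]:
        try:
            ipaddress.IPv4Address(groups[-1])
        except ValueError:
            return False, "embedded IPv4 part %r is not a valid dotted quad" % groups[-1]
        groups = groups[:-1] + ["0", "0"]
    for group in groups:
        if not HEX_GROUP.match(group):
            return False, "group %r is not 1-4 hex digits" % group
    if has_gap and len(groups) > 7:
        return False, '"::" must stand for at least one group of zeros'
    if not has_gap and len(groups) != 8:
        return False, "expected 8 groups, found %d" % len(groups)
    return True, "ok"


def incorrect_notations(candidates):
    """Map each candidate that fails the check to the rule it breaks."""
    bad = {}
    for candidate in candidates:
        ok, reason = check_ipv6_notation(candidate)
        if not ok:
            bad[candidate] = reason
    return bad


def agrees_with_stdlib(text):
    """Cross-check: does our verdict match ipaddress.IPv6Address? (scoped "%zone" forms excluded)"""
    try:
        ipaddress.IPv6Address(text)
        stdlib_ok = True
    except ValueError:
        stdlib_ok = False
    return check_ipv6_notation(text)[0] == stdlib_ok


# The four options from the question.
QUESTION_OPTIONS = [
    "2001:0db8:0:0:0:0:1428:57ab",
    "ABCD:EF01:2345:6789:ABCD:EF01:2345:6789",
    "::1",
    "2001:DB8::8:800::417A",
]

if __name__ == "__main__":
    for option in QUESTION_OPTIONS:
        print(option, "->", check_ipv6_notation(option))
```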

  4. Another example of Computer Incident Response Team (CIRT) activities is:

    • Management of the netware logs, including collection, retention, review, and analysis of data
    • Management of the network logs, including collection and analysis of data
    • Management of the network logs, including review and analysis of data
    • Management of the network logs, including collection, retention, review, and analysis of data
    Explanation:

    Additional examples of CIRT activities are:

    Management of the network logs, including collection, retention, review, and analysis of data
    Management of the resolution of an incident, management of the remediation of a vulnerability, and post-event reporting to the appropriate parties.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 64.

  5. Hierarchical Storage Management (HSM) is commonly employed in:

    • very large data retrieval systems
    • very small data retrieval systems
    • shorter data retrieval systems
    • most data retrieval systems
    Explanation:
    Hierarchical Storage Management (HSM) is commonly employed in very large data retrieval systems.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 71.
  6. Which of the following is NOT a part of a risk analysis?

    • Identify risks
    • Quantify the impact of potential threats
    • Provide an economic balance between the impact of the risk and the cost of the associated countermeasure
    • Choose the best countermeasure
    Explanation:
    Choosing the best countermeasure is not a part of risk analysis.
    A risk analysis has three main goals: identify risks, quantify the impact of potential threats, and provide an economic balance between the impact of the risk and the cost of the associated countermeasure. Choosing the best countermeasure comes after the analysis has been completed.
    Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 3: Security Management Practices (page 73).
    HARRIS, Shon, Mike Meyers’ CISSP(R) Certification Passport, 2002, McGraw-Hill, page 12.
  7. How should a risk be HANDLED when the cost of the countermeasure OUTWEIGHS the cost of the risk?

    • Reject the risk
    • Perform another risk analysis
    • Accept the risk
    • Reduce the risk
    Explanation:

    Accept the risk. When the cost of the countermeasure outweighs the cost of the risk, the company accepts the risk, which means it understands the level of risk it faces and chooses to live with it.

    The following answers are incorrect because:

    Reject the risk is incorrect as it means ignoring the risk, which is dangerous.
    Perform another risk analysis is also incorrect as the existing risk analysis has already produced its results.
    Reduce the risk is incorrect as reducing the risk means implementing the countermeasure, which in this case costs more than the risk itself.
    Reference: Shon Harris AIO v3, Chapter 3: Security Management Practices, Page 39

  8. Which of the following could be BEST defined as the likelihood of a threat agent taking advantage of a vulnerability?

    • A risk
    • A residual risk
    • An exposure
    • A countermeasure
    Explanation:

    Risk is the likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact. If a firewall has several ports open, there is a higher likelihood that an intruder will use one of them to access the network in an unauthorized manner.

    The following answers are incorrect:
    Residual risk is very different from the notion of total risk. Residual risk is the risk that still exists after countermeasures have been implemented. Total risk is the amount of risk a company faces if it chooses not to implement any type of safeguard.

    Exposure: An exposure is an instance of being exposed to losses from a threat agent.

    Countermeasure: A countermeasure or safeguard is put in place to mitigate the potential risk. Examples of countermeasures include strong password management and a security guard.

    REFERENCES: SHON HARRIS ALL IN ONE 3rd EDITION
    Chapter 3: Security Management Practices, Pages 57-59

  9. Which approach to a security program ensures people responsible for protecting the company’s assets are DRIVING the program?

    • The Delphi approach
    • The top-down approach
    • The bottom-up approach
    • The technology approach
    Explanation:

    A security program should use a top-down approach, meaning that the initiation, support, and direction come from top management; work their way through middle management; and then reach staff members.

    In contrast, a bottom-up approach refers to a situation in which staff members (usually IT) try to develop a security program without getting proper management support and direction. A bottom-up approach is commonly less effective, not broad enough to address all security risks, and doomed to fail.

    A top-down approach makes sure the people actually responsible for protecting the company’s assets (senior management) are driving the program.

    The following are incorrect answers:
    The Delphi approach is incorrect as this is a brainstorming technique.

    The bottom-up approach is also incorrect as this approach would be if the IT department tried to develop a security program without proper support from upper management.

    The technology approach is also incorrect as it does not fit into the category of best answer.

    Reference(s) used for this question:
    Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 63). McGraw-Hill. Kindle Edition.

  10. Which of the following statements pertaining to quantitative risk analysis is false?

    • Portion of it can be automated
    • It involves complex calculations
    • It requires a high volume of information
    • It requires little experience to apply
    Explanation:

    Assigning the values for the inputs to a purely quantitative risk assessment requires both a lot of time and significant experience on the part of the assessors. The most experienced employees or representatives from each of the departments would be involved in the process. It is NOT an easy task if you wish to come up with accurate values.

    “Portion of it can be automated” is incorrect. There are a number of tools on the market that automate the process of conducting a quantitative risk assessment.

    “It involves complex calculations” is incorrect. The calculations are simple for basic scenarios but could become fairly complex for large cases. The formulas have to be applied correctly.

    “It requires a high volume of information” is incorrect. Large amounts of information are required in order to develop reasonable and defensible values for the inputs to the quantitative risk assessment.

    References:

    CBK, pp. 60-61
    AIO3, p. 73, 78
    The Cissp Prep Guide – Mastering The Ten Domains Of Computer Security – 2001, page 24

  11. Notifying the appropriate parties to take action in order to determine the extent of the severity of an incident and to remediate the incident’s effects is part of:

    • Incident Evaluation
    • Incident Recognition
    • Incident Protection
    • Incident Response
    Explanation:

    These are core functions of the incident response process.

    “Incident Evaluation” is incorrect. Evaluation of the extent and cause of the incident is a component of the incident response process.

    “Incident Recognition” is incorrect. Recognition that an incident has occurred is the precursor to the initiation of the incident response process.

    “Incident Protection” is incorrect. This is an almost-right-sounding nonsense answer to distract the unwary.

    References
    CBK, pp. 698 – 703

  12. What would BEST define risk management?

    • The process of eliminating the risk
    • The process of assessing the risks
    • The process of reducing risk to an acceptable level
    • The process of transferring risk
    Explanation:

    This is the basic process of risk management.

    Risk is the possibility of damage happening and the ramifications of such damage should it occur. Information risk management (IRM) is the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level. There is no such thing as a 100 percent secure environment. Every environment has vulnerabilities and threats to a certain degree.

    The skill is in identifying these threats, assessing the probability of them actually occurring and the damage they could cause, and then taking the right steps to reduce the overall level of risk in the environment to what the organization identifies as acceptable.

    Proper risk management requires a strong commitment from senior management, a documented process that supports the organization’s mission, an information risk management (IRM) policy and a delegated IRM team. Once you’ve identified your company’s acceptable level of risk, you need to develop an information risk management policy.

    The IRM policy should be a subset of the organization’s overall risk management policy (risks to a company include more than just information security issues) and should be mapped to the organizational security policies, which lay out the acceptable risk and the role of security as a whole in the organization. The IRM policy is focused on risk management while the security policy is very high-level and addresses all aspects of security. The IRM policy should address the following items:

    Objectives of IRM team
    Level of risk the company will accept and what is considered an acceptable risk (as defined in the previous article)
    Formal processes of risk identification
    Connection between the IRM policy and the organization’s strategic planning processes
    Responsibilities that fall under IRM and the roles that are to fulfill them
    Mapping of risk to internal controls
    Approach for changing staff behaviors and resource allocation in response to risk analysis
    Mapping of risks to performance targets and budgets
    Key indicators to monitor the effectiveness of controls

    Shon Harris provides a 10,000-foot view of the risk management process below:
    A big question that companies have to deal with is, “What is enough security?” This can be restated as, “What is our acceptable risk level?” These two questions have an inverse relationship. You can’t know what constitutes enough security unless you know your necessary baseline risk level.

    To set an enterprise-wide acceptable risk level for a company, a few things need to be investigated and understood. A company must understand its federal and state legal requirements, its regulatory requirements, its business drivers and objectives, and it must carry out a risk and threat analysis. (I will dig deeper into formalized risk analysis processes in a later article, but for now we will take a broad approach.) The result of these findings is then used to define the company’s acceptable risk level, which is then outlined in security policies, standards, guidelines and procedures.

    Although there are different methodologies for enterprise risk management, the core components of any risk analysis are made up of the following:

    Identify company assets
    Assign a value to each asset
    Identify each asset’s vulnerabilities and associated threats
    Calculate the risk for the identified assets

    Once these steps are finished, then the risk analysis team can identify the necessary countermeasures to mitigate the calculated risks, carry out cost/benefit analysis for these countermeasures and report to senior management their findings.

    When we look at information security, there are several types of risk a corporation needs to be aware of and address properly. The following items touch on the major categories:
    Physical damage: fire, water, vandalism, power loss, and natural disasters
    Human interaction: accidental or intentional action or inaction that can disrupt productivity
    Equipment malfunction: failure of systems and peripheral devices
    Inside and outside attacks: hacking, cracking, and attacking
    Misuse of data: sharing trade secrets, fraud, espionage, and theft
    Loss of data: intentional or unintentional loss of information through destructive means
    Application error: computation errors, input errors, and buffer overflows

    The following answers are incorrect:

    The process of eliminating the risk is not the best answer as risk cannot be totally eliminated.

    The process of assessing the risks is also not the best answer, as assessing risk is only one step of the overall risk management process.

    The process of transferring risk is also not the best answer and is one of the ways of handling a risk after a risk analysis has been performed.

    References:
    Shon Harris, AIO v3, Chapter 3: Security Management Practices, Pages 66-68
    and
    http://searchsecurity.techtarget.com/tip/Understanding-risk

  13. What is the highest amount a company should spend annually on countermeasures for protecting an asset valued at $1,000,000 from a threat that has an annualized rate of occurrence (ARO) of once every five years and an exposure factor (EF) of 30%?

    • $300,000
    • $150,000
    • $60,000
    • $1,500
    Explanation:

    The cost of a countermeasure should not exceed the cost of the risk it mitigates, expressed as the annualized loss expectancy (ALE). For a quantitative risk assessment, the equation is ALE = ARO x SLE, where the SLE is calculated as the product of asset value and exposure factor. An event that happens once every five years has an ARO of .2 (1 divided by 5).

    SLE = Asset Value (AV) x Exposure Factor (EF)
    SLE = 1,000,000 x .30 = 300,000

    ALE = SLE x Annualized Rate of Occurrence (ARO)
    ALE = 300,000 x .2 = 60,000

    Know your acronyms:
    ALE — Annual loss expectancy
    ARO — Annual rate of occurrence
    SLE — Single loss expectancy

    The following are incorrect answers:
    $300,000 is incorrect. See the explanation of the correct answer for the correct calculation.
    $150,000 is incorrect. See the explanation of the correct answer for the correct calculation.
    $1,500 is incorrect. See the explanation of the correct answer for the correct calculation.

    Reference(s) used for this question:
    McGraw-Hill, Shon Harris, CISSP All In One (AIO) book, Sixth Edition, Pages 87-88
    and
    Official ISC2 Guide to the CISSP Exam, (OIG), Pages 60-61
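Added example (not from the page or its references): the SLE/ALE calculation above in Python, extended with the standard quantitative cost/benefit comparison (ALE before minus ALE after minus the annual cost of the control) to test hypothetical controls against the $60,000 ceiling. The control names, costs and residual exposure figures are constructed for illustration; the function names are my own.

```python
def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = AV x EF. EF is the fraction of the asset's value lost in one event (0.0 to 1.0)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be given as a fraction between 0 and 1")
    return asset_value * exposure_factor


def aro_from_interval(years_between_events):
    """Turn 'once every N years' into an annualized rate of occurrence (once in 5 years -> 0.2)."""
    if years_between_events <= 0:
        raise ValueError("interval must be a positive number of years")
    return 1.0 / years_between_events


def annualized_loss_expectancy(asset_value, exposure_factor, aro):
    """ALE = SLE x ARO: the expected loss per year from this threat to this asset."""
    return single_loss_expectancy(asset_value, exposure_factor) * aro


def max_annual_countermeasure_spend(asset_value, exposure_factor, aro):
    """A countermeasure that costs more per year than the ALE costs more than the risk it mitigates."""
    return annualized_loss_expectancy(asset_value, exposure_factor, aro)


def safeguard_value(ale_before, ale_after, annual_safeguard_cost):
    """Net annual value of one control: (ALE before) - (ALE after) - (annual cost of the control).

    A negative result means the control is not cost-justified. This is the usual
    quantitative cost/benefit formula; the question's rule is the special case
    where the control removes the risk entirely (ALE after = 0).
    """
    return ale_before - ale_after - annual_safeguard_cost


# Figures from the question: a $1,000,000 asset, EF of 30%, one event every five years.
ASSET_VALUE = 1_000_000
EXPOSURE_FACTOR = 0.30
ARO = aro_from_interval(5)

# Constructed, hypothetical controls (names, costs and residual EF are made up for
# illustration) to show the spending ceiling being applied to candidate controls.
CANDIDATE_CONTROLS = {
    "offsite backup": {"annual_cost": 20_000, "ef_after": 0.05, "aro_after": ARO},
    "hot site":       {"annual_cost": 90_000, "ef_after": 0.02, "aro_after": ARO},
}


def question_answer():
    """The most the company should spend annually: the ALE of 60,000."""
    return max_annual_countermeasure_spend(ASSET_VALUE, EXPOSURE_FACTOR, ARO)


def evaluate_controls(controls, asset_value=ASSET_VALUE, ef=EXPOSURE_FACTOR, aro=ARO):
    """Return {control name: net annual value}; only controls with a positive value are justified."""
    ale_before = annualized_loss_expectancy(asset_value, ef, aro)
    return {
        name: safeguard_value(
            ale_before,
            annualized_loss_expectancy(asset_value, c["ef_after"], c["aro_after"]),
            c["annual_cost"],
        )
        for name, c in controls.items()
    }


if __name__ == "__main__":
    print("SLE = %.0f" % single_loss_expectancy(ASSET_VALUE, EXPOSURE_FACTOR))
    print("ALE (annual spending ceiling) = %.0f" % question_answer())
    for name, value in evaluate_controls(CANDIDATE_CONTROLS).items():
        print("%s: net value %.0f per year" % (name, value))
```

The hot site costs $90,000 a year against a $60,000 ALE, so it fails the question's test even though it leaves the least residual loss.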

  14. During the testing of the business continuity plan (BCP), which of the following methods of results analysis provides the BEST assurance that the plan is workable?

    • Measurement of accuracy
    • Elapsed time for completion of critical tasks
    • Quantitatively measuring the results of the test
    • Evaluation of the observed test results
    Explanation:
    It is important to have ways to measure the success of the plan and tests against the stated objectives. Therefore, results must be quantitatively gauged as opposed to an evaluation based only on observation. Quantitatively measuring the results of the test involves a generic statement measuring all the activities performed during BCP, which gives the best assurance of an effective plan. Although the first two choices (measurement of accuracy and elapsed time for completion of critical tasks) are also quantitative, they relate to specific areas, or an analysis of results from one viewpoint, namely the accuracy of the results and the elapsed time.
    Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, Chapter 5: Disaster Recovery and Business Continuity (page 269).
  15. Which of the following statements regarding an off-site information processing facility is TRUE?

    • It should have the same amount of physical access restrictions as the primary processing site.
    • It should be located in proximity to the originating site so that it can quickly be made operational.
    • It should be easily identified from the outside so in the event of an emergency it can be easily found.
    • Need not have the same level of environmental monitoring as the originating site since this would be cost prohibitive.
    Explanation:

    It is very important that the off-site facility has the same physical access restrictions as the primary site in order to avoid misuse.

    The following answers are incorrect because:

    It should be located in proximity to the originating site so that it can quickly be made operational is incorrect as a nearby off-site facility is subject to the same disaster as the primary site.

    It should be easily identified from the outside so in the event of an emergency it can be easily found is also incorrect as it should not be easily identified, to prevent intentional sabotage.
    Need not have the same level of environmental monitoring as the originating site since this would be cost prohibitive is also incorrect as it should have the same level of environmental monitoring as the primary site.

    Reference : Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, chapter 5: Disaster Recovery and Business Continuity (page 265).

  16. Physically securing backup tapes from unauthorized access is obviously a security concern and is considered a function of the:

    • Operations Security Domain.
    • Operations Security Domain Analysis.
    • Telecommunications and Network Security Domain.
    • Business Continuity Planning and Disaster Recovery Planning.
    Explanation:
    Physically securing the tapes from unauthorized access is obviously a security concern and is considered a function of the Operations Security Domain.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 71.
  17. What is the MOST critical piece to disaster recovery and continuity planning?

    • Security policy
    • Management support
    • Availability of backup information processing facilities
    • Staff training
    Explanation:

    The keyword is ‘MOST CRITICAL’ and the correct answer is ‘Management Support’, as management must be convinced of its necessity, which is why a business case must be made. The decision of how a company should recover from any disaster is purely a business decision and should be treated as such.

    The other answers are incorrect because:

    Security policy is incorrect as it is not the MOST CRITICAL piece.

    Availability of backup information processing facilities is incorrect as this comes once the organization has BCP plans in place, and for a BCP plan, management support must be there first.

    Staff training comes after the plans are in place with the support from management.
    Reference: Shon Harris, AIO v3, Chapter 9: Business Continuity Planning, Page 697.

  18. What is the PRIMARY reason to maintain the chain of custody on evidence that has been collected?

    • To ensure that no evidence is lost.
    • To ensure that all possible evidence is gathered.
    • To ensure that it will be admissible in court
    • To ensure that incidents were handled with due care and due diligence.
    Explanation:

    This is the PRIMARY reason for the chain of custody of evidence. Evidence must be controlled every step of the way. If it is not, the evidence can be tampered with and ruled inadmissible. The chain of custody will include a detailed record of:

    Who obtained the evidence
    What was the evidence
    Where and when the evidence was obtained
    Who secured the evidence
    Who had control or possession of the evidence

    The following answers are incorrect because :

    To ensure that no evidence is lost is incorrect as it is not the PRIMARY reason.
    To ensure that all possible evidence is gathered is also incorrect as it is not the PRIMARY reason.
    To ensure that incidents were handled with due care and due diligence is also incorrect as it is also not the PRIMARY reason.

    The chain of custody is a history that shows how evidence was collected, analyzed, transported, and preserved in order to establish that it is sufficiently trustworthy to be presented as evidence in court. Because electronic evidence can be easily modified, a clearly defined chain of custody demonstrates that the evidence is trustworthy which would make it admissible in court.

    Reference: Shon Harris AIO v3, Chapter 10: Law, Investigation, and Ethics, Page 727

  19. Which of the following would BEST be defined as an absence or weakness of safeguard that could be exploited?

    • A threat
    • A vulnerability
    • A risk
    • An exposure
    Explanation:

    A vulnerability is a software, hardware or procedural weakness that may provide an attacker the open door he is looking for to enter a computer or network and gain unauthorized access to resources within the environment. A vulnerability characterizes the absence or weakness of a safeguard that could be exploited. This vulnerability may be a service running on a server, unpatched applications or operating system software, etc.

    The following answers are incorrect because:
    Threat: A threat is defined as a potential danger to information or systems. The threat is that someone or something will identify a specific vulnerability and use it against the company or individual. The entity that takes advantage of a vulnerability is referred to as a ‘Threat Agent’. A threat agent could be an intruder accessing the network through a port on the firewall, or a process accessing data in a way that violates the security policy.
    Risk: A risk is the likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact. If a firewall has several ports open, there is a higher likelihood that an intruder will use one of them to access the network in an unauthorized manner.

    Exposure: An exposure is an instance of being exposed to losses from a threat agent.

    REFERENCES:
    SHON HARRIS, ALL IN ONE THIRD EDITION: Chapter 3: Security Management Practices, Pages 57-59

  20. What is the PRIMARY goal of incident handling?

    • Successfully retrieve all evidence that can be used to prosecute
    • Improve the company’s ability to be prepared for threats and disasters
    • Improve the company’s disaster recovery plan
    • Contain and repair any damage caused by an event.
    Explanation:

    This is the PRIMARY goal of an incident handling process.

    The other answers are incorrect because :

    Successfully retrieve all evidence that can be used to prosecute is incorrect, as evidence gathered during incident handling is more often used to identify weaknesses than to prosecute.

    Improve the company’s ability to be prepared for threats and disasters is more appropriate for a disaster recovery plan.

    Improve the company’s disaster recovery plan is also more appropriate for a disaster recovery plan.
    Reference: Shon Harris AIO v3, Chapter 10: Law, Investigation, and Ethics, Pages 727-728
