SSCP : System Security Certified Practitioner (SSCP) : Part 11

  1. Which of the following outlined how senior management are responsible for the computer and information security decisions that they make and what actually took place within their organizations?

    • The Computer Security Act of 1987.
    • The Federal Sentencing Guidelines of 1991.
    • The Economic Espionage Act of 1996.
    • The Computer Fraud and Abuse Act of 1986.

    Explanation:

    In 1991, U.S. Federal Sentencing Guidelines were developed to provide judges with courses of action in dealing with white collar crimes. These guidelines provided ways that companies and law enforcement should prevent, detect and report computer crimes. It also outlined how senior management are responsible for the computer and information security decisions that they make and what actually took place within their organizations.

  2. Which element must computer evidence have to be admissible in court?

    • It must be relevant.
    • It must be annotated.
    • It must be printed.
    • It must contain source code.
    Explanation:
    Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation. 
  3. For which areas of the enterprise are business continuity plans required?

    • All areas of the enterprise.
    • The financial and information processing areas of the enterprise.
    • The operating areas of the enterprise.
    • The marketing, finance, and information processing areas.
    Explanation:
    Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation. 
  4. Under the principle of culpable negligence, executives can be held liable for losses that result from computer system breaches if:

    • The company is not a multi-national company.
    • They have not exercised due care protecting computing resources.
    • They have failed to properly insure computer resources against loss.
    • The company does not prosecute the hacker that caused the breach.
    Explanation:

    Culpable negligence is defined as: recklessly acting without reasonable caution and putting another person at risk of injury or death (or failing to do something, with the same consequences).

    Where a suspected security breach has been caused (through wilful intent or culpable negligence) disciplinary action may be sought in line with the appropriate misconduct guidelines for internal employees.

    By not exercising Due Care and taking the proper actions, the executives would be liable for losses a company has suffered.

    Reference(s) used for this question:

    TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.
    and
    http://www.thefreedictionary.com/culpable+negligence

  5. The deliberate planting of apparent flaws in a system for the purpose of detecting attempted penetrations or confusing an intruder about which flaws to exploit is called:

    • alteration
    • investigation
    • entrapment
    • enticement.
    Explanation:

    Enticement deals with someone who is already breaking the law. Entrapment encourages someone to commit a crime that the individual may or may not have had any intention of committing. Enticement is not necessarily illegal but does raise ethical arguments and may not be admissible in court. Enticement lures someone toward some evidence (a honeypot would be a good example) after that individual has already committed a crime.

    Entrapment is when you persuade someone to commit a crime when the person otherwise had no intention of committing one. Entrapment is committed by a law enforcement actor: you are tricked into committing a crime for which you would later be arrested, without knowing you are committing such a crime. It is illegal and unethical as well.

    All other choices were not applicable and are only distractors.

    References:
    TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.
    and
    CISSP Study Guide (Conrad, Misenar, Feldman). Elsevier. 2010. p. 428
    and
    http://www.dummies.com/how-to/content/security-certification-computer-forensics-and-inci.html

  6. Which of the following best describes remote journaling?

    • Send hourly tapes containing transactions off-site.
    • Send daily tapes containing transactions off-site.
    • Real-time capture of transactions to multiple storage devices.
    • Real time transmission of copies of the entries in the journal of transactions to an alternate site.
    Explanation:

    Remote Journaling is a technology that facilitates sending copies of the journal of transaction entries from a production system to a secondary system in real time. The remote nature of such a connection is predicated upon having local journaling already established. Local journaling on the production side allows each change to a journal-eligible object (e.g., database physical file, SQL table, data area, data queue, or byte stream file residing within the IFS) to be recorded and logged. It is these local images that flow to the remote system. Once there, the journal entries serve a variety of purposes, from feeding a high availability software replay program or data warehouse to offering an offline, real-time vault of the most recent database changes.

    Reference(s) used for this question:

    The Essential Guide to Remote Journaling by IBM
    and
    TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.
    and
    KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 286).

  7. All of the following can be considered essential business functions that should be identified when creating a Business Impact Analysis (BIA) except one. Which of the following would not be considered an essential element of the BIA but an important TOPIC to include within the BCP plan:

    • IT Network Support
    • Accounting
    • Public Relations
    • Purchasing
    Explanation:

    Public Relations, although important to a company, is not listed as an essential business function that should be identified and have loss criteria developed for.

    All other entries are considered essential and should be identified and have loss criteria developed.
    Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 9: Disaster Recovery and Business continuity (page 598).

  8. Which of the following will a Business Impact Analysis NOT identify?

    • Areas that would suffer the greatest financial or operational loss in the event of a disaster.
    • Systems critical to the survival of the enterprise.
    • The names of individuals to be contacted during a disaster.
    • The outage time that can be tolerated by the enterprise as a result of a disaster.
    Explanation:
    Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation. 
  9. What is a hot-site facility?

    • A site with pre-installed computers, raised flooring, air conditioning, telecommunications and networking equipment, and UPS.
    • A site in which space is reserved with pre-installed wiring and raised floors.
    • A site with raised flooring, air conditioning, telecommunications, and networking equipment, and UPS.
    • A site with ready made work space with telecommunications equipment, LANs, PCs, and terminals for work groups.
    Explanation:
    Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation. 
  10. If an employee’s computer has been used by a fraudulent employee to commit a crime, the hard disk may be seized as evidence and once the investigation is complete it would follow the normal steps of the Evidence Life Cycle. In such case, the Evidence life cycle would not include which of the following steps listed below?

    • Acquisition collection and identification
    • Analysis
    • Storage, preservation, and transportation
    • Destruction
    Explanation:

    Unless the evidence is itself illegal (contraband), it should be returned to its owner, not destroyed.

    The Evidence Life Cycle starts with the discovery and collection of the evidence. It progresses through the following series of states until it is finally returned to the victim or owner:

    • Acquisition collection and identification
    • Analysis
    • Storage, preservation, and transportation
    • Presented in court
    • Returned to victim (owner)

    The Second edition of the ISC2 book says on page 529-530:

    Identifying evidence: Correctly identifying the crime scene, evidence, and potential containers of evidence.
    Collecting or acquiring evidence: Adhering to the criminalistic principles and ensuring that the contamination and the destruction of the scene are kept to a minimum. Using sound, repeatable, collection techniques that allow for the demonstration of the accuracy and integrity of evidence, or copies of evidence.
    Examining or analyzing the evidence: Using sound scientific methods to determine the characteristics of the evidence, conducting comparison for individuation of evidence, and conducting event reconstruction.
    Presentation of findings: Interpreting the output from the examination and analysis based on findings of fact and articulating these in a format appropriate for the intended audience (e.g., court brief, executive memo, report).

    Note on returning the evidence to the Owner/Victim

    The final destination of most types of evidence is back with its original owner. Some types of evidence, such as
    drugs or drug paraphernalia (i.e., contraband), are destroyed after the trial.

    Any evidence gathered during a search, although maintained by law enforcement, is legally under the control of the courts. And although a seized item may be yours and may even have your name on it, it might not be returned to you unless the suspect signs a release or after a hearing by the court. Unfortunately, many victims do not want to go to trial; they just want to get their property back.

    Many investigations merely need the information on a disk to prove or disprove a fact in question; thus, there is no need to seize the entire system. Once a schematic of the system is drawn or photographed, the hard disk can be removed and then transported to a forensic lab for copying.

    Mirror copies of the suspect disk are obtained using forensic software and then one of those copies can be returned to the victim so that business operations can resume.

    Reference(s) used for this question:
    KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 9: Law, Investigation, and Ethics (page 309).
    and
    The Official Study Book, Second Edition, pages 529-530

  11. Which of the following is a problem regarding computer investigation issues?

    • Information is tangible.
    • Evidence is easy to gather.
    • Computer-generated records are only considered secondary evidence, thus are not as reliable as best evidence.
    • In many instances, an expert or specialist is not required.
    Explanation:

    Computer-generated records normally fall under the category of hearsay evidence because they cannot, by themselves, be proven accurate and reliable; this is the problem.

    Under the U.S. Federal Rules of Evidence, hearsay evidence is generally not admissible in court. This inadmissibility is known as the hearsay rule, although there are some exceptions for how, when, by whom and in what circumstances data was collected.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 9: Law, Investigation, and Ethics (page 310).

    IMPORTANT NOTE:
    For the purpose of the exam it is very important to remember the Business Record exemption to the Hearsay Rule. For example: if you create log files and review them on a regular basis as part of a business process, such files would be admissible in court and would not be considered hearsay, because they were made in the course of regular business and it is part of the regular course of business to create such records.

    Here is another quote from the HISM book:

    Business Record Exemption to the Hearsay Rule
    Federal Rules of Evidence 803(6) allow a court to admit a report or other business document made at or near the time by or from information transmitted by a person with knowledge, if kept in the course of regularly conducted business activity, and if it was the regular practice of that business activity to make the [report or document], all as shown by testimony of the custodian or other qualified witness, unless the source of information or the method or circumstances of preparation indicate lack of trustworthiness.

    To meet Rule 803(6) the witness must:

    • Have custody of the records in question on a regular basis.
    • Rely on those records in the regular course of business.
    • Know that they were prepared in the regular course of business.

    Audit trails meet the criteria if they are produced in the normal course of business. The process to produce the output will have to be proven to be reliable. If computer-generated evidence is used and admissible, the court may order disclosure of the details of the computer, logs, and maintenance records in respect to the system generating the printout, and then the defense may use that material to attack the reliability of the evidence. If the audit trails are not used or reviewed — at least the exceptions (e.g., failed log-on attempts) — in the regular course of business, they do not meet the criteria for admissibility.

    Federal Rules of Evidence 1001(3) provide another exception to the hearsay rule. This rule allows a memory or disk dump to be admitted as evidence, even though it is not done in the regular course of business. This dump merely acts as statement of fact. System dumps (in binary or hexadecimal) are not hearsay because they are not being offered to prove the truth of the contents, but only the state of the computer.

    BUSINESS RECORDS LAW EXAMPLE:
    The business records law was enacted in 1931 (PA No. 56). For a document to be admissible under the statute, the proponent must show: (1) the document was made in the regular course of business; (2) it was the regular course of business to make the record; and (3) the record was made when the act, transaction, or event occurred, or shortly thereafter (State v. Vennard, 159 Conn. 385, 397 (1970); Mucci v. LeMonte, 157 Conn. 566, 570 (1969)). The failure to establish any one of these essential elements renders the document inadmissible under the statute (McCahill v. Town and Country Associates, Ltd., 185 Conn. 37 (1981); State v. Peary, 176 Conn. 170 (1978); Welles v. Fish Transport Co., 123 Conn. 49 (1937)).

    The statute expressly provides that the person who made the business entry does not have to be unavailable as a witness, and the proponent does not have to call as a witness the person who made the record or show the person to be unavailable (State v. Jeustiniano, 172 Conn. 275 (1977)).

    The person offering the business records as evidence does not have to independently prove the trustworthiness of the record. But there is no presumption that the record is accurate; the record's accuracy and weight are issues for the trier of fact (State v. Waterman, 7 Conn. App. 326 (1986); Handbook of Connecticut Evidence, Second Edition, § 11.14.3).

    Reference: http://search.cga.state.ct.us/dtsearch_lpa.asp?cmd=getdoc&DocId=16833&Index=I%3A%5Czindex%5C1995&HitCount=0&hits=&hc=0&req=&Item=712

  12. Which of the following is the most complete disaster recovery plan test type, to be performed after successfully completing the Parallel test?

    • Full Interruption test
    • Checklist test
    • Simulation test
    • Structured walk-through test
    Explanation:

    The full-interruption test is the most complete test type. It differs from the parallel test in that, during a parallel test, the primary production processing of the business does not stop; the test processing runs in parallel to the real processing. The parallel test is the most common type of disaster recovery plan testing.

    A checklist test is only considered a preliminary step to a real test.

    In a structured walk-through test, business unit management representatives meet to walk through the plan, ensuring it accurately reflects the organization’s ability to recover successfully, at least on paper.

    A simulation test is aimed at testing the ability of the personnel to respond to a simulated disaster, but no recovery process is actually performed.

    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 289).

  13. Which of the following statements pertaining to disaster recovery is incorrect?

    • A recovery team’s primary task is to get the pre-defined critical business functions at the alternate backup processing site.
    • A salvage team’s task is to ensure that the primary site returns to normal processing conditions.
    • The disaster recovery plan should include how the company will return from the alternate site to the primary site.
    • When returning to the primary site, the most critical applications should be brought back first.
    Explanation:

    It’s interesting to note that the steps to resume normal processing operations will be different than the steps in the recovery plan; that is, the least critical work should be brought back first to the primary site.

    My explanation:
    At the point where the primary site is ready to receive operations again, less critical systems should be brought back first, because one has to make sure that everything will be running smoothly at the primary site before returning critical systems, which are already operating normally at the recovery site.

    This will limit the possible interruption of processing to a minimum for most critical systems, thus making it the best option.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 291).

  14. Which of the following categories of hackers poses the greatest threat?

    • Disgruntled employees
    • Student hackers
    • Criminal hackers
    • Corporate spies
    Explanation:

    According to the authors, hackers fall in these categories, in increasing threat order: security experts, students, underemployed adults, criminal hackers, corporate spies and disgruntled employees.

    Disgruntled employees are the most dangerous security problem of all because they are most likely to have a good knowledge of the organization’s IT systems and security measures.
    Source: STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 2: Hackers.

  15. Which of the following best defines a Computer Security Incident Response Team (CSIRT)?

    • An organization that provides a secure channel for receiving reports about suspected security incidents.
    • An organization that ensures that security incidents are reported to the authorities.
    • An organization that coordinates and supports the response to security incidents.
    • An organization that disseminates incident-related information to its constituency and other involved parties.
    Explanation:
    RFC 2828 (Internet Security Glossary) defines a Computer Security Incident Response Team (CSIRT) as an organization that coordinates and supports the response to security incidents that involves sites within a defined constituency. This is the proper definition for the CSIRT. To be considered a CSIRT, an organization must provide a secure channel for receiving reports about suspected security incidents, provide assistance to members of its constituency in handling the incidents and disseminate incident-related information to its constituency and other involved parties. Security-related incidents do not necessarily have to be reported to the authorities.
    Source: SHIREY, Robert W., RFC 2828: Internet Security Glossary, May 2000.
  16. What is defined as inference of information from other, intermediate, relevant facts?

    • Secondary evidence
    • Conclusive evidence
    • Hearsay evidence
    • Circumstantial evidence
    Explanation:
    Circumstantial evidence is defined as inference of information from other, intermediate, relevant facts. Secondary evidence is a copy of evidence or oral description of its contents. Conclusive evidence is incontrovertible and overrides all other evidence and hearsay evidence is evidence that is not based on personal, first-hand knowledge of the witness, but was obtained from another source. Computer-generated records normally fall under the category of hearsay evidence.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 9: Law, Investigation, and Ethics (page 310).
  17. Under the Business Exemption Rule to the hearsay evidence, which of the following exceptions would have no bearing on the inadmissibility of audit logs and audit trails in a court of law?

    • Records are collected during the regular conduct of business.
    • Records are collected by senior or executive management.
    • Records are collected at or near the time of occurrence of the act being investigated to generate automated reports.
    • You can prove no one could have changed the records/data/logs that were collected.
    Explanation:

    Hearsay evidence is not normally admissible in court unless there is firsthand evidence that can be used to prove the evidence's accuracy, trustworthiness, and reliability, such as a business person who generated the computer logs and collected them.

    It is important that this person generates and collects logs as a normal part of their business and not just this one time for court. It has to be a documented process that is carried out daily.

    The value of evidence depends upon the genuineness and competence of the source; therefore, since record collection is not an activity likely to be performed by senior or executive management, records collected by senior or executive management are not likely to be admissible in court.

    Hearsay evidence is usually not admissible in court unless it meets the Business Records Exemption rule to the Hearsay evidence.

    • In certain instances computer records fall outside of the hearsay rule (e.g., business records exemption)
    • Information relates to regular business activities
    • Automatically computer generated data
    • No human intervention
    • Prove system was operating correctly
    • Prove no one changed the data

    If you have a documented business process and you make use of intrusion detection tools, log analysis tools, and you produce daily reports of activities, then the computer generated data might be admissible in court and would not be considered Hearsay Evidence.

    Reference(s) used for this question:
    HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 10: Law, Investigation, and Ethics (page 676).
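    The bullet list above ends with "Prove system was operating correctly" and "Prove no one changed the data". One concrete way an organization supports the second point for its audit trails is a hash-chained log, where every entry commits to the digest of the entry before it, so any later edit or deletion is detectable. The following is an added Python example written for this page; it is not from Harris or any other reference cited here, and the log lines it uses are constructed for illustration.

```python
"""Tamper-evident (hash-chained) audit log.

Added illustration for the "prove no one changed the data" criterion.
The log lines below are constructed sample data, not real records.
"""
import hashlib
from typing import Dict, List

# Digest used as the "previous hash" of the very first entry.
GENESIS = "0" * 64


def entry_digest(prev_hash: str, line: str) -> str:
    """SHA-256 over the previous entry's digest and this entry's text."""
    return hashlib.sha256((prev_hash + "\n" + line).encode("utf-8")).hexdigest()


def append_entry(chain: List[Dict[str, str]], line: str) -> Dict[str, str]:
    """Append one log line, linking it to the current chain head."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"line": line, "prev": prev, "hash": entry_digest(prev, line)}
    chain.append(entry)
    return entry


def verify_chain(chain: List[Dict[str, str]]) -> int:
    """Return the index of the first broken entry, or -1 if the chain is intact.

    An entry is broken if its stored previous-hash does not match the real
    predecessor, or if its own digest no longer matches its text.
    """
    prev = GENESIS
    for index, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != entry_digest(prev, entry["line"]):
            return index
        prev = entry["hash"]
    return -1


def build_sample_chain() -> List[Dict[str, str]]:
    """Build a chain from constructed audit lines (hypothetical sample data)."""
    sample_lines = [
        "2024-01-15T08:00:01Z auth LOGIN SUCCESS user=alice src=10.0.0.5",
        "2024-01-15T08:02:17Z auth LOGIN FAILED user=bob src=10.0.0.9",
        "2024-01-15T08:02:45Z auth LOGIN FAILED user=bob src=10.0.0.9",
        "2024-01-15T08:05:00Z review DAILY_LOG_REVIEW reviewer=secops",
    ]
    chain: List[Dict[str, str]] = []
    for line in sample_lines:
        append_entry(chain, line)
    return chain


def modified_entry_demo() -> int:
    """Edit one line after the fact and report where verification fails."""
    chain = build_sample_chain()
    chain[1]["line"] = chain[1]["line"].replace("FAILED", "SUCCESS")
    return verify_chain(chain)


def deleted_entry_demo() -> int:
    """Delete one line after the fact and report where verification fails."""
    chain = build_sample_chain()
    del chain[1]
    return verify_chain(chain)


if __name__ == "__main__":
    print("intact chain   ->", verify_chain(build_sample_chain()))
    print("modified entry ->", modified_entry_demo())
    print("deleted entry  ->", deleted_entry_demo())
```

A chain like this only proves that the records have not changed since they were written; the "system was operating correctly" criterion still has to be shown by the documented review process and the custodian's testimony, as the explanation above describes.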

  18. Of the following, which is NOT a specific loss criteria that should be considered while developing a BIA?

    • Loss of skilled workers' knowledge
    • Loss in revenue
    • Loss in profits
    • Loss in reputation
    Explanation:
    Although a loss of skilled workers' knowledge would cause the company a great loss, it is not identified as a specific loss criterion. It would fall under one of the three other criteria listed as distracters.
    Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 9: Disaster Recovery and Business continuity (page 598).
  19. Which of the following encryption methods is known to be unbreakable?

    • Symmetric ciphers.
    • DES codebooks.
    • One-time pads.
    • Elliptic Curve Cryptography.
    Explanation:

    A One-Time Pad uses a keystream of bits that is generated completely at random and is used only once. Because the random key is used only once, it is considered unbreakable.

    The following answers are incorrect:
    Symmetric ciphers. This is incorrect because a Symmetric Cipher is created by substitution and transposition. They can be and have been broken.

    DES codebooks. This is incorrect because Data Encryption Standard (DES) has been broken, it was replaced by Advanced Encryption Standard (AES).

    Elliptic Curve Cryptography. This is incorrect because Elliptic Curve Cryptography (ECC) is typically used on wireless devices such as cellular phones that have small processors. Because of the lack of processing power, the keys used are often small. The smaller the key, the easier it is considered to be to break. Also, the technology has not been around long enough or been tested thoroughly enough to be considered truly unbreakable.
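    The explanation above rests on two conditions: the key is truly random and it is used only once. The following added Python example (written for this page, not taken from any of the cited references) shows both sides of that: XOR with a fresh random key of the message's length round-trips correctly, while reusing the same key for a second message lets the key cancel out, so the XOR of the two ciphertexts equals the XOR of the two plaintexts. The messages and the fixed key in the demo function are constructed for illustration.

```python
"""One-time pad: correct use versus key reuse.

Added example for the "unbreakable" claim: the guarantee holds only for a
random key, at least as long as the message, that is never reused.
"""
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings of equal length."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_keygen(length: int) -> bytes:
    """Generate `length` random key bytes from the OS CSPRNG."""
    return os.urandom(length)


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """ciphertext = plaintext XOR key; the key must cover the whole message."""
    if len(key) < len(plaintext):
        raise ValueError("one-time pad key must be at least as long as the plaintext")
    return xor_bytes(plaintext, key[: len(plaintext)])


def otp_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """XOR is its own inverse, so decryption is the same operation."""
    return otp_encrypt(ciphertext, key)


def key_reuse_leak(ciphertext1: bytes, ciphertext2: bytes) -> bytes:
    """What an observer learns when one key encrypts two messages.

    (p1 XOR k) XOR (p2 XOR k) == p1 XOR p2: the key cancels, and the result
    depends only on the two plaintexts. This is why the pad is "one-time".
    """
    return xor_bytes(ciphertext1, ciphertext2)


def demo() -> dict:
    """Round-trip with a fresh key, then show the leak from reuse (constructed data)."""
    message1 = b"attack at dawn!!"  # 16 bytes, constructed sample
    message2 = b"meet me at noon."  # 16 bytes, constructed sample

    fresh_key = otp_keygen(len(message1))
    round_trip_ok = otp_decrypt(otp_encrypt(message1, fresh_key), fresh_key) == message1

    reused_key = otp_keygen(len(message1))  # same key used twice below: the mistake
    c1 = otp_encrypt(message1, reused_key)
    c2 = otp_encrypt(message2, reused_key)
    leak_equals_plaintext_xor = key_reuse_leak(c1, c2) == xor_bytes(message1, message2)

    return {"round_trip_ok": round_trip_ok, "reuse_leaks": leak_equals_plaintext_xor}


if __name__ == "__main__":
    print(demo())
```

The `demo()` result shows both facts at once: decryption with the right key is exact, and with a reused key the two ciphertexts together reveal `message1 XOR message2` regardless of which random key was chosen.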

  20. What algorithm was DES derived from?

    • Twofish.
    • Skipjack.
    • Brooks-Aldeman.
    • Lucifer.
    Explanation:

    NSA took the 128-bit algorithm Lucifer that IBM developed, reduced the key size to 64 bits and with that developed DES.

    The following answers are incorrect:

    Twofish. This is incorrect because Twofish is related to Blowfish as a possible replacement for DES.
    Skipjack. This is incorrect; Skipjack was developed after DES by the NSA.
    Brooks-Aldeman. This is incorrect because this is a distractor, no algorithm exists with this name.
