SSCP : System Security Certified Practitioner (SSCP) : Part 12

  1. Kerberos depends upon what encryption method?

    • Public Key cryptography.
    • Secret Key cryptography.
    • El Gamal cryptography.
    • Blowfish cryptography.

    Explanation:

    Kerberos depends on Secret Keys or Symmetric Key cryptography.

Kerberos is a third-party authentication protocol. It was designed and developed in the mid-1980s by MIT. It is considered open source but is copyrighted and owned by MIT. It relies on the user’s secret keys. The password is used to encrypt and decrypt the keys.

    This question asked specifically about encryption methods. Encryption methods can be SYMMETRIC (or secret key) in which encryption and decryption keys are the same, or ASYMMETRIC (aka ‘Public Key’) in which encryption and decryption keys differ.

    ‘Public Key’ methods must be asymmetric, to the extent that the decryption key CANNOT be easily derived from the encryption key. Symmetric keys, however, usually encrypt more efficiently, so they lend themselves to encrypting large amounts of data. Asymmetric encryption is often limited to ONLY encrypting a symmetric key and other information that is needed in order to decrypt a data stream, and the remainder of the encrypted data uses the symmetric key method for performance reasons. This does not in any way diminish the security nor the ability to use a public key to encrypt the data, since the symmetric key method is likely to be even MORE secure than the asymmetric method.

    For symmetric key ciphers, there are basically two types: BLOCK CIPHERS, in which a fixed length block is encrypted, and STREAM CIPHERS, in which the data is encrypted one ‘data unit’ (typically 1 byte) at a time, in the same order it was received in.

    The following answers are incorrect:

    Public Key cryptography. Is incorrect because Kerberos depends on Secret Keys or Symmetric Key cryptography and not Public Key or Asymmetric Key cryptography.

    El Gamal cryptography. Is incorrect because El Gamal is an Asymmetric Key encryption algorithm.
    Blowfish cryptography. Is incorrect because Blowfish is a Symmetric Key encryption algorithm.

    References:
    OIG CBK Access Control (pages 181 – 184)
    AIOv3 Access Control (pages 151 – 155)

    Wikipedia http://en.wikipedia.org/wiki/Blowfish_%28cipher%29 ; http://en.wikipedia.org/wiki/El_Gamal
    http://www.mrp3.com/encrypt.html

  2. The DES algorithm is an example of what type of cryptography?

    • Secret Key
    • Two-key
    • Asymmetric Key
    • Public Key
    Explanation:

    DES is also known as a Symmetric Key or Secret Key algorithm.
    DES is a Symmetric Key algorithm, meaning the same key is used for encryption and decryption.

For the exam, remember that:
The DES key is 8 bytes or 64 bits (8 x 8 = 64 bits).
DES has an effective key length of only 56 bits; 8 of the bits are used for parity purposes only.
DES has a total key length of 64 bits.

    The following answers are incorrect:

    Two-key This is incorrect because DES uses the same key for encryption and decryption.

    Asymmetric Key This is incorrect because DES is a Symmetric Key algorithm using the same key for encryption and decryption and an Asymmetric Key algorithm uses both a Public Key and a Private Key.

Public Key. This is incorrect because a Public Key (Asymmetric Key) algorithm does not use the same key for encryption and decryption.

    References used for this question:
    http://en.wikipedia.org/wiki/Data_Encryption_Standard

  3. Public Key Infrastructure (PKI) uses asymmetric key encryption between parties. The originator encrypts information using the intended recipient’s “public” key in order to get confidentiality of the data being sent. The recipients use their own “private” key to decrypt the information. The “Infrastructure” of this methodology ensures that:

    • The sender and recipient have reached a mutual agreement on the encryption key exchange that they will use.
    • The channels through which the information flows are secure.
    • The recipient’s identity can be positively verified by the sender.
    • The sender of the message is the only other person with access to the recipient’s private key.
    Explanation:

    Through the use of Public Key Infrastructure (PKI) the recipient’s identity can be positively verified by the sender.

The sender of the message knows he is using a Public Key that belongs to a specific user. He can validate through the Certification Authority (CA) that a public key is in fact the valid public key of the receiver and that the receiver is really who he claims to be. By using the public key of the recipient, only the recipient holding the matching private key will be able to decrypt the message. When you wish to achieve confidentiality, you encrypt the message with the recipient’s public key.

If the sender wishes to prove to the recipient that he is really who he claims to be, then the sender applies a digital signature to the message before encrypting it with the public key of the receiver. This provides both Confidentiality and Authenticity of the message.

    A PKI (Public Key Infrastructure) enables users of an insecure public network, such as the Internet, to securely and privately exchange data through the use of public key-pairs that are obtained and shared through a trusted authority, usually referred to as a Certificate Authority.

    The PKI provides for digital certificates that can vouch for the identity of individuals or organizations, and for directory services that can store, and when necessary, revoke those digital certificates. A PKI is the underlying technology that addresses the issue of trust in a normally untrusted environment.

    The following answers are incorrect:
    The sender and recipient have reached a mutual agreement on the encryption key exchange that they will use. Is incorrect because through the use of Public Key Infrastructure (PKI), the parties do not have to have a mutual agreement. They have a trusted 3rd party Certificate Authority to perform the verification of the sender.

    The channels through which the information flows are secure. Is incorrect because the use of Public Key Infrastructure (PKI) does nothing to secure the channels.

The sender of the message is the only other person with access to the recipient’s private key. Is incorrect because the sender does not have access to the recipient’s private key through Public Key Infrastructure (PKI).

    Reference(s) used for this question:
    OIG CBK Cryptography (pages 253 – 254)

  4. Which of the following statements is true about data encryption as a method of protecting data?

    • It should sometimes be used for password files
    • It is usually easily administered
    • It makes few demands on system resources
    • It requires careful key management
    Explanation:

    In cryptography, you always assume the “bad guy” has the encryption algorithm (indeed, many algorithms such as DES, Triple DES, AES, etc. are public domain). What the bad guy lacks is the key used to complete that algorithm and encrypt/decrypt information. Therefore, protection of the key, controlled distribution, scheduled key change, timely destruction, and several other factors require careful consideration. All of these factors are covered under the umbrella term of “key management”.

    Another significant consideration is the case of “data encryption as a method of protecting data” as the question states. If that data is to be stored over a long period of time (such as on backup), you must ensure that your key management scheme stores old keys for as long as they will be needed to decrypt the information they encrypted.

    The other answers are not correct because:

    “It should sometimes be used for password files.” – Encryption is often used to encrypt passwords stored within password files, but it is not typically effective for the password file itself. On most systems, if a user cannot access the contents of a password file, they cannot authenticate. Encrypting the entire file prevents that access.

    “It is usually easily administered.” – Developments over the last several years have made cryptography significantly easier to manage and administer. But it remains a significant challenge. This is not a good answer.

    “It makes few demands on system resources.” – Cryptography is, essentially, a large complex mathematical algorithm. In order to encrypt and decrypt information, the system must perform this algorithm hundreds, thousands, or even millions/billions/trillions of times. This becomes system resource intensive, making this a very bad answer.

    Reference:
    Official ISC2 Guide page: 266 (poor explanation)
    All in One Third Edition page: 657 (excellent explanation)
    Key Management – Page 732, All in One Fourth Edition

  5. What is a characteristic of using the Electronic Code Book mode of DES encryption?

    • A given block of plaintext and a given key will always produce the same ciphertext.
    • Repetitive encryption obscures any repeated patterns that may have been present in the plaintext.
    • Individual characters are encoded by combining output from earlier encryption routines with plaintext.
    • The previous DES output is used as input.
    Explanation:

    A given message and key always produce the same ciphertext.

    The following answers are incorrect:

Repetitive encryption obscures any repeated patterns that may have been present in the plaintext. Is incorrect because with Electronic Code Book a given 64-bit block of plaintext always produces the same ciphertext, so repeated patterns remain visible.

Individual characters are encoded by combining output from earlier encryption routines with plaintext. This is incorrect because Electronic Code Book simply processes each 64-bit block independently until the end of the file is reached. This is a characteristic of Cipher Feedback, in which the ciphertext is run through a key-generating device to create the key for the next block of plaintext.

The previous DES output is used as input. This is incorrect because Electronic Code Book processes each 64-bit block independently until the end of the file is reached. This is a characteristic of Cipher Block Chaining, which uses the output from the previous block to encrypt the next block.
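The ECB property above, as an added example that is not part of the original page: identical 64-bit plaintext blocks under one key give identical ciphertext blocks in ECB, while Cipher Block Chaining hides the repeats. The block cipher is a small Feistel network with an HMAC round function, a stand-in for DES (assumed, so the script needs only the standard library and is not suitable for real data); the ECB and CBC mode logic is the point of the example.

```python
"""Added example (not from the original page): ECB leaks repeated blocks, CBC does not.

The block cipher is a toy 64-bit Feistel network keyed with HMAC-SHA256.
It is NOT DES and exists only so the mode behaviour can be run offline.
"""
import hashlib
import hmac
import os

BLOCK = 8    # 64-bit blocks, the DES block size
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, half: bytes, rnd: int) -> bytes:
    # Keyed pseudo-random round function over one 32-bit half (toy, not DES's f).
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]


def _feistel(key: bytes, block: bytes, round_order) -> bytes:
    # Feistel structure: running the rounds in reverse order inverts it.
    left, right = block[:4], block[4:]
    for r in round_order:
        left, right = right, _xor(left, _round(key, right, r))
    return right + left


def encrypt_block(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, range(ROUNDS))


def decrypt_block(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, reversed(range(ROUNDS)))


def pad(data: bytes) -> bytes:
    # PKCS#7-style padding up to a whole number of 8-byte blocks.
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _blocks(data: bytes):
    return (data[i:i + BLOCK] for i in range(0, len(data), BLOCK))


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # Each block is encrypted on its own: same block + same key -> same output.
    return b"".join(encrypt_block(key, blk) for blk in _blocks(pad(data)))


def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    return unpad(b"".join(decrypt_block(key, blk) for blk in _blocks(ct)))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # Each block is XORed with the previous ciphertext block before encryption.
    out, prev = [], iv
    for blk in _blocks(pad(data)):
        prev = encrypt_block(key, _xor(blk, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for blk in _blocks(ct):
        out.append(_xor(decrypt_block(key, blk), prev))
        prev = blk
    return unpad(b"".join(out))


def distinct_blocks(ct: bytes) -> int:
    """Count distinct 8-byte ciphertext blocks; a low count reveals repeated plaintext."""
    return len(set(_blocks(ct)))


if __name__ == "__main__":
    key = b"k" * 8                 # constructed 64-bit key; use os.urandom(8) for real use
    msg = b"RECORD01" * 4          # constructed plaintext: the same record four times
    ecb_ct = ecb_encrypt(key, msg)
    cbc_ct = cbc_encrypt(key, os.urandom(8), msg)
    print("ECB distinct blocks:", distinct_blocks(ecb_ct))   # 2: one repeated block + padding
    print("CBC distinct blocks:", distinct_blocks(cbc_ct))   # all 5 blocks differ
```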

  6. Where parties do not have a shared secret and large quantities of sensitive information must be passed, the most efficient means of transferring information is to use Hybrid Encryption Methods. What does this mean?

    • Use of public key encryption to secure a secret key, and message encryption using the secret key.
    • Use of the recipient’s public key for encryption and decryption based on the recipient’s private key.
    • Use of software encryption assisted by a hardware encryption accelerator.
    • Use of elliptic curve encryption.
    Explanation:

Public key encryption is an asymmetric algorithm, and use of a secret key is a symmetric algorithm. A hybrid method uses the asymmetric algorithm only to protect the secret key, and the faster symmetric algorithm to encrypt the message itself.

    The following answers are incorrect:

Use of the recipient’s public key for encryption and decryption based on the recipient’s private key. Is incorrect because this would be a purely asymmetric algorithm.
Use of software encryption assisted by a hardware encryption accelerator. This is incorrect; it is a distractor.
Use of Elliptic Curve Encryption. Is incorrect because this would use an asymmetric algorithm.

  7. What is electronic vaulting?

• Information is backed up to tape on an hourly basis and is stored in an on-site vault.
• Information is backed up to tape on a daily basis and is stored in an on-site vault.
    • Transferring electronic journals or transaction logs to an off-site storage facility
    • A transfer of bulk information to a remote central backup facility.
    Explanation:
    Electronic vaulting is defined as “a method of transferring bulk information to off-site facilities for backup purposes”. Remote Journaling is the same concept as electronic vaulting, but has to do with journals and transaction logs, not the actual files.
    Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 9: Disaster Recovery and Business continuity (page 619).
  8. After a company is out of an emergency state, what should be moved back to the original site first?

    • Executives
    • Least critical components
    • IT support staff
    • Most critical components
    Explanation:

The least critical components should be moved back first. This will expose any weaknesses in the plan and ensure the primary site has been properly repaired before moving back. Moving critical assets first may induce a second disaster if the primary site has not been repaired properly.

The first group to go back would test items such as connectivity, HVAC, power, water, improper procedures, and/or steps that have been overlooked or not done properly. By moving these first, and fixing any problems identified, the critical operations of the company are not negatively affected.

    Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 9: Disaster Recovery and Business continuity (page 621).

  9. Of the reasons why a Disaster Recovery plan gets outdated, which of the following is not true?

    • Personnel turnover
    • Large plans can take a lot of work to maintain
• Continuous auditing makes a Disaster Recovery plan irrelevant
    • Infrastructure and environment changes
    Explanation:
Although auditing is a part of corporate security, it in no way supersedes the requirements for a disaster recovery plan. All of the others can be blamed for a plan going out of date.
    Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 9: Disaster Recovery and Business continuity (page 609).
  10. Which backup type run at regular intervals would take the least time to complete?

    • Full Backup
    • Differential Backup
    • Incremental Backup
    • Disk Mirroring
    Explanation:

Incremental backups only back up changed data (and clear the archive bit, so that unchanged data is not backed up again).

Although the incremental backup is the fastest to perform, it is usually more time consuming for the restore process.

    In some cases, the window available for backup may not be long enough to backup all the data on the system during each backup. In that case, differential or incremental backups may be more appropriate.

    In an incremental backup, only the files that changed since the last backup will be backed up.

    In a differential backup, only the files that changed since the last full backup will be backed up.
    In general, differentials require more space than incremental backups while incremental backups are faster to perform. On the other hand, restoring data from incremental backups requires more time than differential backups. To restore from incremental backups, the last full backup and all of the incremental backups performed are combined. In contrast, restoring from a differential backup requires only the last full backup and the latest differential.

    The following are incorrect answers:

Differential backups back up all data changed since the last full backup (and do not reset the archive bit).
Full backups back up all selected data, regardless of the archive bit, and reset the archive bit.
Disk mirroring is not considered a backup type.

    Reference(s) used for this question:
    Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 20385-20390). Auerbach Publications. Kindle Edition.
    and
    HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 9: Disaster Recovery and Business continuity (page 618).
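A runnable model of the archive-bit behaviour and restore cost described above, added here as an example and not taken from the cited references. The file system, the three daily edits and the backup schedule are constructed; the model assumes a chain uses one strategy (incremental or differential) after each full backup.

```python
"""Added example (not from the original page): full, incremental and differential
backups modelled through the archive bit, and what each restore has to read."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class BackupSet:
    kind: str                  # "full", "incremental" or "differential"
    files: Dict[str, bytes]    # copies of the files captured by this run


@dataclass
class FileSystem:
    files: Dict[str, bytes] = field(default_factory=dict)
    archive_bit: Dict[str, bool] = field(default_factory=dict)  # True = changed since last reset

    def write(self, name: str, data: bytes) -> None:
        self.files[name] = data
        self.archive_bit[name] = True        # the OS sets the bit on every modification

    def backup(self, kind: str) -> BackupSet:
        if kind == "full":
            chosen = list(self.files)        # everything, regardless of the archive bit
        else:
            chosen = [n for n, bit in self.archive_bit.items() if bit]
        if kind in ("full", "incremental"):
            for n in chosen:                 # full and incremental reset the bit,
                self.archive_bit[n] = False  # a differential leaves it set
        return BackupSet(kind, {n: self.files[n] for n in chosen})


def restore(history: List[BackupSet]) -> Tuple[Dict[str, bytes], int]:
    """Rebuild the data from the backup history.

    Returns the restored files and how many backup sets had to be read, which is
    the restore-time cost the question contrasts between the two strategies."""
    last_full = max(i for i, b in enumerate(history) if b.kind == "full")
    after = history[last_full + 1:]
    needed = [history[last_full]]
    if after and after[-1].kind == "differential":
        needed.append(after[-1])   # the latest differential holds every change since the full
    else:
        needed.extend(b for b in after if b.kind == "incremental")  # every incremental, in order
    result: Dict[str, bytes] = {}
    for b in needed:
        result.update(b.files)     # later sets overwrite earlier copies
    return result, len(needed)


def run_week(strategy: str) -> Tuple[List[int], int, bool]:
    """Sunday full backup, then three days of edits each followed by one `strategy` backup.

    Returns (files captured per backup, sets read to restore, restore matches live data)."""
    fs = FileSystem()
    for name in ("a.db", "b.db", "c.db"):  # constructed starting data
        fs.write(name, b"v0")
    history = [fs.backup("full")]
    daily_edits = [("a.db", b"v1"), ("b.db", b"v1"), ("a.db", b"v2")]  # constructed
    for name, data in daily_edits:
        fs.write(name, data)
        history.append(fs.backup(strategy))
    restored, sets_read = restore(history)
    return [len(b.files) for b in history], sets_read, restored == fs.files


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        sizes, sets_read, ok = run_week(strategy)
        print(f"{strategy:12s} captured per run={sizes} restore reads {sets_read} sets, ok={ok}")
```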

  11. Which of the following is true about Kerberos?

    • It utilizes public key cryptography.
    • It encrypts data after a ticket is granted, but passwords are exchanged in plain text.
    • It depends upon symmetric ciphers.
    • It is a second party authentication system.
    Explanation:

Kerberos depends on secret keys (symmetric ciphers). Kerberos is a third-party authentication protocol. It was designed and developed in the mid-1980s by MIT. It is considered open source but is copyrighted and owned by MIT. It relies on the user’s secret keys. The password is used to encrypt and decrypt the keys.

    The following answers are incorrect:

    It utilizes public key cryptography. Is incorrect because Kerberos depends on secret keys (symmetric ciphers).

    It encrypts data after a ticket is granted, but passwords are exchanged in plain text. Is incorrect because the passwords are not exchanged but used for encryption and decryption of the keys.

It is a second party authentication system. Is incorrect because Kerberos is a third-party authentication system: you authenticate to the third party (Kerberos) and not to the system you are accessing.

    References:
    MIT http://web.mit.edu/kerberos/
Wikipedia http://en.wikipedia.org/wiki/Kerberos_%28protocol%29
    OIG CBK Access Control (pages 181 – 184)
    AIOv3 Access Control (pages 151 – 155)

  12. The RSA algorithm is an example of what type of cryptography?

    • Asymmetric Key.
    • Symmetric Key.
    • Secret Key.
    • Private Key.
    Explanation:

RSA is a Public Key, or Asymmetric Key, cryptographic system.

The following answers are incorrect:

    Symmetric Key. Is incorrect because RSA is a Public Key or a Asymmetric Key cryptographic system and not a Symmetric Key or a Secret Key cryptographic system.

    Secret Key. Is incorrect because RSA is a Public Key or a Asymmetric Key cryptographic system and not a Secret Key or a Symmetric Key cryptographic system.

Private Key. Is incorrect because a Private Key is just one part of an Asymmetric Key cryptographic system; a Private Key used alone is also called a Symmetric Key cryptographic system.

  13. How often should tests and disaster recovery drills be performed?

    • At least once a quarter
    • At least once every 6 months
    • At least once a year
    • At least once every 2 years
    Explanation:
    Tests and disaster recovery drills should be performed at least once a year. The company should have no confidence in an untested plan. Since systems and processes can change, frequent testing will aid in ensuring a plan will succeed.
    Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 9: Disaster Recovery and Business continuity (page 621).
  14. Business Continuity Planning (BCP) is not defined as a preparation that facilitates:

    • the rapid recovery of mission-critical business operations
    • the continuation of critical business functions
    • the monitoring of threat activity for adjustment of technical controls
    • the reduction of the impact of a disaster
    Explanation:

Although important, the monitoring of threat activity for adjustment of technical controls is not facilitated by Business Continuity Planning.

    The following answers are incorrect:

    All of the other choices are facilitated by a BCP:

    the continuation of critical business functions
    the rapid recovery of mission-critical business operations
    the reduction of the impact of a disaster

  15. What can be defined as a batch process dumping backup data through communications lines to a server at an alternate location?

    • Remote journaling
    • Electronic vaulting
    • Data clustering
    • Database shadowing
    Explanation:

    Electronic vaulting refers to the transfer of backup data to an off-site location. This is primarily a batch process of dumping backup data through communications lines to a server at an alternate location.

    Electronic vaulting is accomplished by backing up system data over a network. The backup location is usually at a separate geographical location known as the vault site. Vaulting can be used as a mirror or a backup mechanism using the standard incremental or differential backup cycle. Changes to the host system are sent to the vault server in real-time when the backup method is implemented as a mirror. If vaulting updates are recorded in real-time, then it will be necessary to perform regular backups at the off-site location to provide recovery services due to inadvertent or malicious alterations to user or system data.

    The following are incorrect answers:
    Remote journaling refers to the parallel processing of transactions to an alternate site (as opposed to a batch dump process). Journaling is a technique used by database management systems to provide redundancy for their transactions. When a transaction is completed, the database management system duplicates the journal entry at a remote location. The journal provides sufficient detail for the transaction to be replayed on the remote system. This provides for database recovery in the event that the database becomes corrupted or unavailable.

    Database shadowing uses the live processing of remote journaling, but creates even more redundancy by duplicating the database sets to multiple servers. There are also additional redundancy options available within application and database software platforms. For example, database shadowing may be used where a database management system updates records in multiple locations. This technique updates an entire copy of the database at a remote location.

    Data clustering refers to the classification of data into groups (clusters). Clustering may also be used, although it should not be confused with redundancy. In clustering, two or more “partners” are joined into the cluster and may all provide service at the same time. For example, in an active–active pair, both systems may provide services at any time. In the case of a failure, the remaining partners may continue to provide service but at a decreased capacity.

    The following resource(s) were used for this question:

    Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 20403-20407 and 20411-20414 and 20375-20377 and 20280-20283). Auerbach Publications. Kindle Edition.

  16. What can be best defined as the examination of threat sources against system vulnerabilities to determine the threats for a particular system in a particular operational environment?

    • Risk management
    • Risk analysis
    • Threat analysis
    • Due diligence
    Explanation:

    Threat analysis is the examination of threat sources against system vulnerabilities to determine the threats for a particular system in a particular operational environment.

    The following answers are incorrect:

    Risk analysis is the process of identifying the risks to system security and determining the probability of occurrence, the resulting impact, and the additional safeguards that mitigate this impact.

Risk analysis is synonymous with risk assessment and is part of risk management, which is the ongoing process of assessing the risk to mission/business as part of a risk-based approach used to determine adequate security for a system by analyzing the threats and vulnerabilities and selecting appropriate, cost-effective controls to achieve and maintain an acceptable level of risk.

    Due Diligence is identifying possible risks that could affect a company based on best practices and standards.

    Reference(s) used for this question:
    STONEBURNER, Gary & al, National Institute of Standards and Technology (NIST), NIST Special Publication 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security), June 2001 (page B-3).

  17. The first step in the implementation of the contingency plan is to perform:

    • A firmware backup
    • A data backup
    • An operating systems software backup
    • An application software backup
    Explanation:

    A data backup is the first step in contingency planning.
    Without data, there is nothing to process. “No backup, no recovery”.
    Backup for hardware should be taken care of next.
    Formal arrangements must be made for alternate processing capability in case the need should arise.
    Operating systems and application software should be taken care of afterwards.

    Source: VALLABHANENI, S. Rao, CISSP Examination Textbooks, Volume 2: Practice, SRV Professional Publications, 2002, Chapter 8, Business Continuity Planning & Disaster Recovery Planning (page 506).

  18. Computer security should be first and foremost which of the following:

    • Cover all identified risks
    • Be cost-effective.
    • Be examined in both monetary and non-monetary terms.
    • Be proportionate to the value of IT systems.
    Explanation:

    Computer security should be first and foremost cost-effective.

As for any organization, there is a need to measure cost-effectiveness, to justify budget usage and to provide supporting arguments for the next budget claim. But organizations often have difficulty accurately measuring the effectiveness and the cost of their information security activities.

    The classical financial approach for ROI calculation is not particularly appropriate for measuring security-related initiatives: Security is not generally an investment that results in a profit. Security is more about loss prevention. In other terms, when you invest in security, you don’t expect benefits; you expect to reduce the risks threatening your assets.

The concept of the ROI calculation applies to every investment. Security is no exception. Executive decision-makers want to know the impact security is having on the bottom line. In order to know how much they should spend on security, they need to know how much the lack of security is costing the business and what the most cost-effective solutions are.

    Applied to security, a Return On Security Investment (ROSI) calculation can provide quantitative answers to essential financial questions:

    Is an organization paying too much for its security?
What financial impact could a lack of security have on productivity?
    When is the security investment enough?
    Is this security product/organisation beneficial?

    The following are other concerns about computer security but not the first and foremost:
    The costs and benefits of security should be carefully examined in both monetary and non-monetary terms to ensure that the cost of controls does not exceed expected benefits.

    Security should be appropriate and proportionate to the value of and degree of reliance on the IT systems and to the severity, probability, and extent of potential harm.

    Requirements for security vary, depending upon the particular IT system. Therefore it does not make sense for computer security to cover all identified risks when the cost of the measures exceeds the value of the systems they are protecting.

    Reference(s) used for this question:
    SWANSON, Marianne & GUTTMAN, Barbara, National Institute of Standards and Technology (NIST), NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, September 1996 (page 6).
    and
    http://www.enisa.europa.eu/activities/cert/other-work/introduction-to-return-on-security-investment

  19. Which of the following best allows risk management results to be used knowledgeably?

    • A vulnerability analysis
    • A likelihood assessment
    • An uncertainty analysis
    • A threat identification
    Explanation:
    Risk management consists of two primary and one underlying activity; risk assessment and risk mitigation are the primary activities and uncertainty analysis is the underlying one. After having performed risk assessment and mitigation, an uncertainty analysis should be performed. Risk management must often rely on speculation, best guesses, incomplete data, and many unproven assumptions. A documented uncertainty analysis allows the risk management results to be used knowledgeably. A vulnerability analysis, likelihood assessment and threat identification are all parts of the collection and analysis of data part of the risk assessment, one of the primary activities of risk management.
    Source: SWANSON, Marianne & GUTTMAN, Barbara, National Institute of Standards and Technology (NIST), NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, September 1996 (pages 19-21).
20. Within the legal domain, what rule is concerned with the legality of how the evidence was gathered?

    • Exclusionary rule
    • Best evidence rule
    • Hearsay rule
    • Investigation rule
    Explanation:

    The exclusionary rule mentions that evidence must be gathered legally or it can’t be used.

It is the principle, based on federal Constitutional Law, that evidence illegally seized by law enforcement officers in violation of a suspect’s right to be free from unreasonable searches and seizures cannot be used against the suspect in a criminal prosecution.
    The exclusionary rule is designed to exclude evidence obtained in violation of a criminal defendant’s Fourth Amendment rights. The Fourth Amendment protects against unreasonable searches and seizures by law enforcement personnel. If the search of a criminal suspect is unreasonable, the evidence obtained in the search will be excluded from trial.

The exclusionary rule is a court-made rule. This means that it was created not in statutes passed by legislative bodies but rather by the U.S. Supreme Court. The exclusionary rule applies in federal courts by virtue of the Fourth Amendment. The Court has ruled that it applies in state courts through the due process clause of the Fourteenth Amendment. (The Bill of Rights, the first ten amendments, applies to actions by the federal government. The Fourteenth Amendment, the Court has held, makes most of the protections in the Bill of Rights applicable to actions by the states.)

    The exclusionary rule has been in existence since the early 1900s. Before the rule was fashioned, any evidence was admissible in a criminal trial if the judge found the evidence to be relevant. The manner in which the evidence had been seized was not an issue. This began to change in 1914, when the U.S. Supreme Court devised a way to enforce the Fourth Amendment. In Weeks v. United States, 232 U.S. 383, 34 S. Ct. 341, 58 L. Ed. 652 (1914), a federal agent had conducted a warrantless search for evidence of gambling at the home of Fremont Weeks. The evidence seized in the search was used at trial, and Weeks was convicted. On appeal, the Court held that the Fourth Amendment barred the use of evidence secured through a warrantless search. Weeks’s conviction was reversed, and thus was born the exclusionary rule.

The best evidence rule concerns limiting the potential for alteration. The best evidence rule is a common law rule of evidence which can be traced back at least as far as the 18th century. In Omychund v Barker (1745) 1 Atk, 21, 49; 26 ER 15, 33, Lord Hardwicke stated that no evidence was admissible unless it was “the best that the nature of the case will allow”. The general rule is that secondary evidence, such as a copy or facsimile, will not be admissible if an original document exists and is not unavailable due to destruction or other circumstances indicating unavailability.

    The rationale for the best evidence rule can be understood from the context in which it arose: in the eighteenth century a copy was usually made by hand by a clerk (or even a litigant). The best evidence rule was predicated on the assumption that, if the original was not produced, there was a significant chance of error or fraud in relying on such a copy.
    The hearsay rule concerns computer-generated evidence, which is considered second-hand evidence.
    Hearsay is information gathered by one person from another concerning some event, condition, or thing of which the first person had no direct experience. When submitted as evidence, such statements are called hearsay evidence. As a legal term, “hearsay” can also have the narrower meaning of the use of such information as evidence to prove the truth of what is asserted. Such use of “hearsay evidence” in court is generally not allowed. This prohibition is called the hearsay rule.

    For example, a witness says “Susan told me Tom was in town”. Since the witness did not see Tom in town, the statement would be hearsay evidence to the fact that Tom was in town, and not admissible. However, it would be admissible as evidence that Susan said Tom was in town, and on the issue of her knowledge of whether he was in town.

Hearsay evidence has many exception rules. For the purpose of the exam you must be familiar with the business records exception to the hearsay rule. Business records created during the ordinary course of business are considered reliable and can usually be brought in under this exception if the proper foundation is laid when the records are introduced into evidence. Depending on which jurisdiction the case is in, either the records custodian or someone with knowledge of the records must lay a foundation for the records. Logs that are collected as part of a documented business process carried out at regular intervals would fall under this exception. They could be presented in court and not be considered hearsay.

Investigation rule is a distractor.

    Source: ROTHKE, Ben, CISSP CBK Review presentation on domain 9.
    and
    The FREE Online Law Dictionary at: http://legal-dictionary.thefreedictionary.com/Exclusionary+Rule
    and
    Wikipedia has a nice article on this subject at: http://en.wikipedia.org/wiki/Exclusionary_rule
    and
    http://en.wikipedia.org/wiki/Hearsay_in_United_States_law#Hearsay_exceptions
