SSCP : System Security Certified Practitioner (SSCP) : Part 14

  1. Which type of attack would a competitive intelligence attack best be classified as?

    • Business attack
    • Intelligence attack
    • Financial attack
    • Grudge attack

    Explanation:

    Business attacks concern information loss through competitive intelligence gathering and computer-related attacks. These attacks can be very costly due to the loss of trade secrets and reputation.

    Intelligence attacks are aimed at sensitive military and law enforcement files containing military data and investigation reports.

    Financial attacks are concerned with frauds to banks and large corporations.

    Grudge attacks are targeted at individuals and companies who have done something that the attacker doesn’t like.

    The CISSP for Dummies book has good coverage of the different types of attacks; here is an extract:

    Terrorism attacks

    Terrorism exists at many levels on the Internet. In April 2001, during a period of tense relations between China and the U.S. (resulting from the crash landing of a U.S. Navy reconnaissance plane on Hainan Island), Chinese hackers (cyberterrorists) launched a major effort to disrupt critical U.S. infrastructure, which included U.S. government and military systems.

    Following the terrorist attacks against the U.S. on September 11, 2001, the general public became painfully aware of the extent of terrorism on the Internet. Terrorist organizations and cells are using online capabilities to coordinate attacks, transfer funds, harm international commerce, disrupt critical systems, disseminate propaganda, and gain useful information about developing techniques and instruments of terror, including nuclear, biological, and chemical weapons.

    Military and intelligence attacks

    Military and intelligence attacks are perpetrated by criminals, traitors, or foreign intelligence agents seeking classified law enforcement or military information. Such attacks may also be carried out by governments during times of war and conflict.

    Financial attacks

    Banks, large corporations, and e-commerce sites are the targets of financial attacks, all of which are motivated by greed. Financial attacks may seek to steal or embezzle funds, gain access to online financial information, extort individuals or businesses, or obtain the personal credit card numbers of customers.

    Business attacks

    Businesses are becoming the targets of more and more computer and Internet attacks. These attacks include competitive intelligence gathering, denial of service, and other computer-related attacks. Businesses are often targeted for several reasons, including:

    Lack of expertise: Despite heightened security awareness, a shortage of qualified security professionals still exists, particularly in private enterprise.
    Lack of resources: Businesses often lack the resources to prevent, or even detect, attacks against their systems.
    Lack of reporting or prosecution: Because of public relations concerns and the inability to prosecute computer criminals due to either a lack of evidence or a lack of properly handled evidence, the majority of business attacks still go unreported.

    The cost to businesses can be significant, including loss of trade secrets or proprietary information, loss of revenue, and loss of reputation.

    Grudge attacks

    Grudge attacks are targeted at individuals or businesses and are motivated by a desire to take revenge against a person or organization. A disgruntled employee, for example, may steal trade secrets, delete valuable data, or plant a logic bomb in a critical system or application.

    Fortunately, these attacks (at least in the case of a disgruntled employee) can be easier to prevent or prosecute than many other types of attacks because:

    The attacker is often known to the victim.
    The attack has a visible impact that produces a viable evidence trail.
    Most businesses (already sensitive to the possibility of wrongful termination suits) have well-established termination procedures.

    “Fun” attacks

    “Fun” attacks are perpetrated by thrill seekers and script kiddies who are motivated by curiosity or excitement. Although these attackers may not intend to do any harm or use any of the information that they access, they’re still dangerous and their activities are still illegal.

    These attacks can also be relatively easy to detect and prosecute. Because the perpetrators are often script kiddies or otherwise inexperienced hackers, they may not know how to cover their tracks effectively.

    Also, because no real harm is normally done nor intended against the system, it may be tempting (although ill advised) for a business to prosecute the individual and put a positive public relations spin on the incident. You’ve seen the film at 11: “We quickly detected the attack, prevented any harm to our network, and prosecuted the responsible individual; our security is unbreakable!” Such action, however, will likely motivate others to launch a more serious and concerted grudge attack against the business.

    Many computer criminals in this category only seek notoriety. Although it’s one thing to brag to a small circle of friends about defacing a public Web site, the wily hacker who appears on CNN reaches the next level of hacker celebrity-dom. These twisted individuals want to be caught to revel in their 15 minutes of fame.

    References:
    ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 10: Law, Investigation, and Ethics (page 187)
    and
    CISSP Professional Study Guide by James Michael Stewart, Ed Tittel, Mike Chapple, page 607-609
    and
    CISSP for Dummies, Miller L. H. and Gregory P. H. ISBN: 0470537914, page 309-311

  2. Which of the following is an advantage of a qualitative over a quantitative risk analysis?

    • It prioritizes the risks and identifies areas for immediate improvement in addressing the vulnerabilities.
    • It provides specific quantifiable measurements of the magnitude of the impacts.
    • It makes a cost-benefit analysis of recommended controls easier.
    • It can easily be automated.
    Explanation:

    The main advantage of a qualitative impact analysis is that it prioritizes the risks and identifies areas for immediate improvement in addressing the vulnerabilities. It does not provide specific quantifiable measurements of the magnitude of the impacts, which makes a cost-benefit analysis of any recommended controls difficult. Since it relies on a consensus of experts and some informed guesswork based on the experience of Subject Matter Experts (SMEs), it cannot easily be automated.

    Reference used for this question:
    STONEBURNER, Gary et al., NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems, 2001 (page 23).

  3. Which of the following would best describe secondary evidence?

    • Oral testimony by a non-expert witness
    • Oral testimony by an expert witness
    • A copy of a piece of evidence
    • Evidence that proves a specific act
    Explanation:

    Secondary evidence is defined as a copy of evidence or an oral description of its contents. It is not considered as reliable as best evidence. Evidence that proves or disproves a specific act through oral testimony based on information gathered through the witness’s five senses is considered direct evidence. The fact that testimony is given by an expert only affects the witness’s ability to offer an opinion instead of only testifying to the facts.

    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 9: Law, Investigation, and Ethics (page 310).

  4. Why would a memory dump be admissible as evidence in court?

    • Because it is used to demonstrate the truth of the contents.
    • Because it is used to identify the state of the system.
    • Because the state of the memory cannot be used as evidence.
    • Because of the exclusionary rule.
    Explanation:

    A memory dump can be admitted as evidence if it acts merely as a statement of fact. A system dump is not considered hearsay because it is used to identify the state of the system, not to prove the truth of its contents. The exclusionary rule says that evidence must be gathered legally or it cannot be used; that choice is a distractor.

    Source: ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 10: Law, Investigation, and Ethics (page 187).

  5. When first analyzing an intrusion that has just been detected and confirming that it is a true positive, which of the following actions should be done as a first step if you wish to prosecute the attacker in court?

    • Back up the compromised systems.
    • Identify the attacks used to gain access.
    • Capture and record system information.
    • Isolate the compromised systems.
    Explanation:

    When an intrusion has been detected and confirmed, if you wish to prosecute the attacker in court, the following actions should be performed in the following order:

    Capture and record system information and evidence that may be lost, modified, or not captured during the execution of a backup procedure. Start with the most volatile memory areas first.
    Make at least two full backups of the compromised systems, using hardware-write-protectable or write-once media. A first backup may be used to re-install the compromised system for further analysis and the second one should be preserved in a secure location to preserve the chain of custody of evidence.
    Isolate the compromised systems.
    Search for signs of intrusions on other systems.
    Examine logs in order to gather more information and better identify other systems to which the intruder might have gained access.
    Search through logs of compromised systems for information that would reveal the kind of attacks used to gain access.
    Identify what the intruder did, for example by analyzing various log files, comparing checksums of known, trusted files to those on the compromised machine and by using other intrusion analysis tools.

    Regardless of the exact steps being followed, if you wish to prosecute in a court of law it means you MUST capture the evidence as a first step before it could be lost or contaminated. You always start with the most volatile evidence first.

    NOTE:
    I have received feedback saying that some other steps may be done, such as disconnecting the system from the network or shutting down the system. This is true. However, those are not among the four choices attached to this question, and you MUST avoid changing the question. You must stick to the four choices presented and pick which one is the best of the four.

    In real life, forensics is not always black or white. There are many shades of grey. In real life you would have to consult your system policy (if you have one), get your computer incident response team involved, talk to your forensic expert, and then decide what is the best course of action.

    Reference(s) Used for this question:
    http://www.newyorkcomputerforensics.com/learn/forensics_process.php
    and
    ALLEN, Julia H., The CERT Guide to System and Network Security Practices, Addison-Wesley, 2001, Chapter 7: Responding to Intrusions (pages 273-277).

  6. In order to be able to successfully prosecute an intruder:

    • A point of contact should be designated to be responsible for communicating with law enforcement and other external agencies.
    • A proper chain of custody of evidence has to be preserved.
    • Collection of evidence has to be done following predefined procedures.
    • Whenever possible, analyze a replica of the compromised resource, not the original, thereby avoiding inadvertently tampering with evidence.
    Explanation:

    If you intend to prosecute an intruder, evidence has to be collected in a lawful manner and, most importantly, protected through a secure chain-of-custody procedure that tracks who has handled the evidence and where it has been stored. The other choices are all important points, but not the best answer, since no prosecution is possible without a proper, provable chain of custody of evidence.

    Source: ALLEN, Julia H., The CERT Guide to System and Network Security Practices, Addison-Wesley, 2001, Chapter 7: Responding to Intrusions (pages 282-285).
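
    The capture order from question 5 (most volatile first) and the chain-of-custody requirement from question 6, as an added example that is not part of the original page or of the CERT guide it cites. The artifact contents, the volatility ranking, the collector names and the timestamps are all constructed for illustration; on a real system each artifact would be the output of a capture tool written to write-once media, and the hash taken at capture is what later proves the copy was not altered.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed volatility ranking: lower rank = more volatile = capture first.
VOLATILITY_RANK = {
    "memory": 0,               # CPU registers, cache, RAM
    "process_list": 1,         # running processes, open files
    "network_connections": 2,  # sockets, ARP cache
    "routing_table": 3,
    "temp_files": 4,
    "disk_image": 5,           # full-disk image
    "backup_media": 6,         # off-line backups
}


@dataclass
class CustodyRecord:
    """One evidence item and the history of who handled it."""
    artifact: str
    sha256: str
    collector: str
    history: list = field(default_factory=list)  # (action, party, when)


def capture_plan(names):
    """Order artifact names most-volatile-first; unknown names are an error."""
    unknown = [n for n in names if n not in VOLATILITY_RANK]
    if unknown:
        raise ValueError(f"no volatility rank for {unknown}")
    return sorted(names, key=VOLATILITY_RANK.__getitem__)


def capture(artifacts, collector, when):
    """Hash each artifact at the moment of capture, most volatile first.

    artifacts maps name -> bytes. Returns CustodyRecords in capture order.
    """
    records = []
    for name in capture_plan(list(artifacts)):
        digest = hashlib.sha256(artifacts[name]).hexdigest()
        rec = CustodyRecord(name, digest, collector)
        rec.history.append(("captured", collector, when))
        records.append(rec)
    return records


def hand_over(rec, from_party, to_party, when):
    """Append a transfer to the custody history (earlier entries are never rewritten)."""
    rec.history.append(("transferred", f"{from_party}->{to_party}", when))


def verify(rec, data):
    """True only if the data still matches the hash taken at capture time."""
    return hashlib.sha256(data).hexdigest() == rec.sha256


# Constructed stand-ins for what capture tools would produce.
SAMPLE_ARTIFACTS = {
    "disk_image": b"<constructed: dd image of /dev/sda>",
    "memory": b"<constructed: physical memory capture>",
    "network_connections": b"<constructed: ss -tanp output>",
    "process_list": b"<constructed: ps auxww output>",
}

if __name__ == "__main__":
    recs = capture(SAMPLE_ARTIFACTS, "analyst-1", "2024-01-01T00:00:00Z")
    hand_over(recs[0], "analyst-1", "evidence-locker", "2024-01-01T01:00:00Z")
    for rec in recs:
        print(rec.artifact, rec.sha256[:16], rec.history)
```

    Note that the custody log is append-only by construction: a transfer adds an entry, and a mismatch in verify() tells you the copy in hand is not the one that was captured, which is exactly what opposing counsel will probe.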

  7. Which of the following questions is less likely to help in assessing an organization’s contingency planning controls?

    • Is damaged media stored and/or destroyed?
    • Are the backup storage site and alternate site geographically far enough from the primary site?
    • Is there an up-to-date copy of the plan stored securely off-site?
    • Is the location of stored backups identified?
    Explanation:

    Contingency planning involves more than planning for a move offsite after a disaster destroys a facility.

    It also addresses how to keep an organization’s critical functions operating in the event of disruptions, large and small.

    Handling of damaged media is an operational task related to regular production and is not specific to contingency planning.
    Source: SWANSON, Marianne, NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems, November 2001 (Pages A-27 to A-28).

  8. When a possible intrusion into your organization’s information system has been detected, which of the following actions should be performed first?

    • Eliminate all means of intruder access.
    • Contain the intrusion.
    • Determine to what extent systems and data are compromised.
    • Communicate with relevant parties.
    Explanation:

    Once an intrusion into your organization’s information system has been detected, the first action that needs to be performed is determining to what extent systems and data are compromised (if they really are), and then take action.

    This is the good old saying: “Do not cry wolf until you know there is a wolf for sure.” Sometimes it smells like a wolf and looks like a wolf, but it may not be a wolf. Technical problems or bad hardware might cause symptoms that look like an intrusion even though they are not. You must make sure that a crime has in fact been committed before implementing your reaction plan.

    Information, as collected and interpreted through analysis, is key to your decisions and actions while executing response procedures. This first analysis will provide information such as what attacks were used, what systems and data were accessed by the intruder, what the intruder did after obtaining access and what the intruder is currently doing (if the intrusion has not been contained).

    The next step is to communicate with relevant parties who need to be made aware of the intrusion in a timely manner so they can fulfil their responsibilities.

    Step three is concerned with collecting and protecting all information about the compromised systems and causes of the intrusion. It must be carefully collected, labelled, catalogued, and securely stored.

    Containing the intrusion, where tactical actions are performed to stop the intruder’s access, limit the extent of the intrusion, and prevent the intruder from causing further damage, comes next.

    Since it is more a long-term goal, eliminating all means of intruder access can only be achieved last, by implementing an ongoing security improvement process.

    Reference used for this question:
    ALLEN, Julia H., The CERT Guide to System and Network Security Practices, Addison-Wesley, 2001, Chapter 7: Responding to Intrusions (pages 271-289).

  9. When we encrypt or decrypt data there is a basic operation involving ones and zeros where they are compared in a process that looks something like this:

    0101 0001 Plain text
    0111 0011 Key stream
    0010 0010 Output

    What is this cryptographic operation called?

    • Exclusive-OR
    • Bit Swapping
    • Logical-NOR
    • Decryption
    Explanation:

    When we encrypt data we are basically taking the plaintext information and applying some key material or keystream and conducting something called an XOR or Exclusive-OR operation.

    The symbol used for XOR is ⊕. A cipher that XORs the plaintext bit by bit with a keystream is known as a stream cipher.

    The operation looks like this:
    0101 0001 Plain text
    0111 0011 Key stream
    0010 0010 Output (ciphertext)

    As you can see, it is not simple addition: the XOR operation is defined by a truth table, which is why 0+1=1 and 1+1=0.

    The rule is simple: if both bits are the same, the result is zero; if the bits differ, the result is one.

    The following answers are incorrect:

    – Bit Swapping: Incorrect. This is not a known cryptographic operation.

    – Logical NOR: Incorrect. NOR produces 1 only when both inputs are 0 (0 NOR 0 = 1); all other combinations (1 and 1, 1 and 0, 0 and 1) produce 0.

    – Decryption: Incorrect. Decryption is the opposite of encryption, the process of applying the keystream to the plaintext to get the resulting ciphertext. With a stream cipher, decryption uses the same XOR operation, but the question asks for the name of the bitwise operation itself.

    The following reference(s) was used to create this question:

    For more details on XOR and other cryptography questions, see the Security+ CBT tutorial at http://www.cccure.tv
    and
    http://en.wikipedia.org/wiki/Exclusive-or
    and
    http://en.wikipedia.org/wiki/Stream_cipher
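
    The XOR operation from the question, the XOR and NOR truth tables, and the stream-cipher property that applying the same keystream twice restores the plaintext, as an added example that is not part of the original page. It goes one step beyond the question by showing the failure mode a practitioner cares about: if a keystream is reused for two messages, XORing the two ciphertexts cancels the keystream and leaks the XOR of the plaintexts. The 16-byte keystream and the messages are constructed for the demonstration and are not a real key.

```python
def xor_bits(a, b):
    """XOR two equal-length bit strings written like '0101 0001'."""
    a, b = a.replace(" ", ""), b.replace(" ", "")
    if len(a) != len(b) or set(a + b) - {"0", "1"}:
        raise ValueError("operands must be equal-length bit strings")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def truth_table(op):
    """{(a, b): op(a, b)} for the four one-bit input combinations."""
    return {(a, b): op(a, b) for a in (0, 1) for b in (0, 1)}


def xor_op(a, b):
    return a ^ b


def nor_op(a, b):
    return int(not (a or b))


def xor_bytes(data, keystream):
    """Stream-cipher core: apply the keystream byte by byte.

    The same call both encrypts and decrypts, because x ^ k ^ k == x.
    """
    if len(keystream) < len(data):
        raise ValueError("keystream shorter than data; never wrap or reuse it")
    return bytes(d ^ k for d, k in zip(data, keystream))


def keystream_reuse_leak(c1, c2):
    """Two ciphertexts under the same keystream: c1 ^ c2 == p1 ^ p2.

    The keystream cancels out, so an attacker learns the XOR of the two
    plaintexts without knowing the key (the 'two-time pad' failure).
    """
    return bytes(x ^ y for x, y in zip(c1, c2))


if __name__ == "__main__":
    print(xor_bits("0101 0001", "0111 0011"))   # the question's example
    print(truth_table(xor_op), truth_table(nor_op))
    ks = bytes(range(16))                       # constructed, NOT a real keystream
    c = xor_bytes(b"0101 0001 plain!", ks)
    print(xor_bytes(c, ks))                     # round trip restores the plaintext
```

    The length check in xor_bytes() is the security-relevant line: a keystream that is wrapped or reused turns a sound stream cipher into the two-time pad that keystream_reuse_leak() exploits.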

  10. What works as an E-mail message transfer agent?

    • SMTP
    • SNMP
    • S-RPC
    • S/MIME
    Explanation:

    SMTP (Simple Mail Transfer Protocol) works as a message transfer agent. Strictly speaking, SMTP is the protocol that message transfer agents (MTAs) use to relay mail between servers; SNMP is for network management, S-RPC is secure remote procedure call, and S/MIME protects the content of a message rather than transferring it.

    Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2001, Page 821.

  11. What is the main characteristic of a multi-homed host?

    • It is placed between two routers or firewalls.
    • It allows IP routing.
    • It has multiple network interfaces, each connected to separate networks.
    • It operates at multiple layers.
    Explanation:

    The main characteristic of a multi-homed host is that it has multiple network interfaces, each connected to a logically and physically separate network. IP forwarding (routing) should be disabled so that the host, typically acting as a dual-homed firewall, cannot route packets directly from one interface to the other.

    Source: FERREL, Robert G, Questions and Answers for the CISSP Exam, domain 2 (derived from the Information Security Management Handbook, 4th Ed., by Tipton & Krause).
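
    A check for the two properties above, as an added example that is not part of the original page: the host really does sit on two distinct networks, and kernel IP forwarding is off. The sysctl and interface listings are constructed in the shape of Linux `sysctl` and `ip -o -4 addr` output, not captured from a real host; the key names net.ipv4.ip_forward and net.ipv4.conf.*.forwarding are the real Linux ones.

```python
import ipaddress

# Constructed outputs in the shape of `sysctl -a | grep forward` and
# `ip -o -4 addr` on a Linux host; not captured from a real machine.
SAMPLE_SYSCTL = """\
net.ipv4.ip_forward = 1
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth1.forwarding = 0
net.ipv6.conf.all.forwarding = 0
"""

SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0  inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
3: eth1  inet 198.51.100.10/24 brd 198.51.100.255 scope global eth1
"""


def parse_sysctl(text):
    """'key = value' lines -> dict."""
    settings = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def forwarding_findings(settings):
    """Keys that turn kernel IP forwarding on; each one is a finding."""
    return sorted(k for k, v in settings.items()
                  if k.endswith(("ip_forward", ".forwarding")) and v == "1")


def interface_networks(text):
    """Non-loopback interface -> the network its IPv4 address belongs to."""
    nets = {}
    for line in text.splitlines():
        cols = line.split()
        if "inet" not in cols or cols[1] == "lo":
            continue
        cidr = cols[cols.index("inet") + 1]
        nets[cols[1]] = str(ipaddress.ip_interface(cidr).network)
    return nets


def is_multihomed(nets):
    """True when the interfaces sit on at least two distinct networks."""
    return len(set(nets.values())) >= 2


if __name__ == "__main__":
    nets = interface_networks(SAMPLE_IP_ADDR)
    print("multi-homed:", is_multihomed(nets), nets)
    for key in forwarding_findings(parse_sysctl(SAMPLE_SYSCTL)):
        # Remediation on Linux: sysctl -w <key>=0, then persist it in sysctl.conf
        print("FINDING: forwarding enabled via", key)
```

    In the constructed sample the host is multi-homed but forwarding is on for IPv4, so packets can cross from eth0 to eth1 without ever touching the firewall software; the three findings are the settings to turn off.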

  12. In the UTP category rating, the tighter the wind:

    • the higher the rating and its resistance against interference and crosstalk.
    • the slower the rating and its resistance against interference and attenuation.
    • the shorter the rating and its resistance against interference and attenuation.
    • the longer the rating and its resistance against interference and attenuation.
    Explanation:

    The category rating is based on how tightly the copper pairs are twisted within the cable jacket: the tighter the twist, the higher the rating and its resistance against interference and crosstalk.

    Twisted pair copper cabling is a form of wiring in which two conductors are wound together for the purposes of canceling out electromagnetic interference (EMI) from external sources and crosstalk from neighboring wires. Twisting wires decreases interference because the loop area between the wires (which determines the magnetic coupling into the signal) is reduced. In balanced pair operation, the two wires typically carry equal and opposite signals (differential mode) which are combined by subtraction at the destination. The noise from the two wires cancel each other in this subtraction because the two wires have been exposed to similar EMI.

    The twist rate (usually defined in twists per metre) makes up part of the specification for a given type of cable. The greater the number of twists, the greater the attenuation of crosstalk. Where pairs are not twisted, as in most residential interior telephone wiring, one member of the pair may be closer to the source than the other, and thus exposed to slightly different induced EMF.

    Reference:
    KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 101.
    and
    http://www.consultants-online.co.za/pub/itap_101/html/ch04s05.html

  13. In this type of attack, the intruder re-routes data traffic from a network device to a personal machine. This diversion allows an attacker to gain access to critical resources and user credentials, such as passwords, and to gain unauthorized access to critical systems of an organization. Pick the best choice below.

    • Network Address Translation
    • Network Address Hijacking
    • Network Address Supernetting
    • Network Address Sniffing
    Explanation:

    Network address hijacking allows an attacker to reroute data traffic from a network device to a personal computer.

    Also referred to as session hijacking, network address hijacking enables an attacker to capture and analyze the data addressed to a target system. This allows an attacker to gain access to critical resources and user credentials, such as passwords, and to gain unauthorized access to critical systems of an organization.

    Session hijacking involves assuming control of an existing connection after the user has successfully created an authenticated session. Session hijacking is the act of unauthorized insertion of packets into a data stream. It is normally based on sequence number attacks, where sequence numbers are either guessed or intercepted.

    The following are incorrect answers:
    Network address translation (NAT) is a method of modifying network address information in Internet Protocol (IP) packet headers while they are in transit across a routing device, for the purpose of remapping one IP address space into another. See RFC 3022 (Traditional NAT) for details; RFC 1918 defines the private address ranges that are commonly placed behind a NAT device.

    Network Address Supernetting: There is no such thing as network address supernetting. However, a supernetwork, or supernet, is an Internet Protocol (IP) network that is formed from the combination of two or more networks (or subnets) with a common Classless Inter-Domain Routing (CIDR) prefix. The new routing prefix for the combined network aggregates the prefixes of the constituent networks.

    Network Address Sniffing: This is another bogus choice that sounds good but does not exist. However, sniffing is a common attack used to capture cleartext passwords and other information sent unencrypted over the network. Sniffing is accomplished using a sniffer, also called a protocol analyzer. A network sniffer monitors data flowing over computer network links. It can be a self-contained software program or a hardware device with the appropriate software or firmware. Also sometimes called “network probes” or “snoops,” sniffers examine network traffic, making a copy of the data without redirecting or altering it.

    The following reference(s) were used for this question:
    Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press ) (Kindle Locations 8641-8642). Auerbach Publications. Kindle Edition.
    http://compnetworking.about.com/od/networksecurityprivacy/g/bldef_sniffer.htm
    http://wiki.answers.com/Q/What_is_network_address_hijacking
    KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 239.
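
    A minimal model of why session hijacking turns on sequence numbers, as an added example that is not part of the original page or of the references above. A TCP receiver accepts a segment only if its sequence number falls inside the current receive window, so an attacker who has sniffed the numbers (on the path, as in the network-address-hijacking scenario) can inject a command into the authenticated session, while an attacker who must guess blindly almost never lands in the window. The connection state, window size, payload and trial count are constructed; the model deliberately ignores the 4-tuple, ACK and checksum checks that real TCP also applies, and it assumes the attacker can spoof the peer's source address.

```python
import random

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap


class Receiver:
    """One end of an established connection, reduced to the sequence check."""

    def __init__(self, rcv_nxt, window=65535):
        self.rcv_nxt = rcv_nxt % MOD   # next byte the receiver expects
        self.window = window
        self.accepted = []

    def in_window(self, seq):
        """Wrap-safe test for rcv_nxt <= seq < rcv_nxt + window."""
        return (seq - self.rcv_nxt) % MOD < self.window

    def deliver(self, seq, payload):
        """Return True if the segment is accepted into the receive window."""
        if not self.in_window(seq):
            return False                       # dropped: outside the window
        if seq == self.rcv_nxt:                # in order: consumed now
            self.accepted.append(payload)
            self.rcv_nxt = (self.rcv_nxt + len(payload)) % MOD
        return True                            # in window but out of order: buffered


def inject_with_sniffed_seq(rx, sniffed_seq, payload):
    """Attacker on the path replays the exact sequence number observed."""
    return rx.deliver(sniffed_seq, payload)


def blind_injection_successes(rx, payload, trials, seed=1):
    """Attacker off the path has to guess; count segments that land in window."""
    rng = random.Random(seed)   # seeded so the demonstration is repeatable
    return sum(rx.deliver(rng.randrange(MOD), payload) for _ in range(trials))


if __name__ == "__main__":
    victim = Receiver(rcv_nxt=1000)
    print("sniffed:", inject_with_sniffed_seq(victim, 1000, b"id\n"), victim.accepted)
    print("blind hits out of 1000:",
          blind_injection_successes(Receiver(1000), b"id\n", 1000))
```

    With a 64 KiB window out of a 2^32 sequence space, a blind guess lands in the window roughly 1.5 times in 100,000 tries, which is why sequence numbers that an attacker can observe or predict are the enabling condition for this attack, and why unpredictable initial sequence numbers and encrypted sessions are the standard defences.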

  14. All hosts on an IP network have a logical ID called a(n):

    • IP address.
    • MAC address.
    • TCP address.
    • Datagram address.
    Explanation:

    All hosts on a network have a logical ID called an IP address. An IP address is a numeric identifier assigned to each machine on an IP network; it designates the location of a device on the network. A MAC address is typically called a hardware address because it is “burned” into the NIC. “TCP address” and “Datagram address” are distractors.

    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 87.

  15. Each data packet is assigned the IP address of the sender and the IP address of the:

    • recipient.
    • host.
    • node.
    • network.
    Explanation:

    Each data packet is assigned the IP address of the sender and the IP address of the recipient. The term network refers to the part of the IP address that identifies each network; host and node refer to the part of the IP address that identifies a specific machine on that network.

    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 87.
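
    The network/host split described in questions 14 and 15, carried through with the standard library, as an added example that is not part of the original page. It also shows the supernet (CIDR aggregation) mentioned under question 13, combining two adjacent /24 networks into one /23. All addresses are from the RFC 5737 documentation ranges; the function names are this example's own.

```python
import ipaddress


def split_address(addr_with_prefix):
    """Return (network part, host part, network) for an address like 192.0.2.130/25."""
    iface = ipaddress.ip_interface(addr_with_prefix)
    net = iface.network
    host_part = int(iface.ip) & int(net.hostmask)   # the bits below the prefix
    return str(net.network_address), host_part, str(net)


def usable_hosts(network):
    """Addresses left for hosts after the network and broadcast addresses."""
    net = ipaddress.ip_network(network)
    return max(net.num_addresses - 2, 0)


def supernet_of(networks):
    """Smallest single prefix that covers every given network."""
    nets = [ipaddress.ip_network(n) for n in networks]
    result = nets[0]
    while not all(n.subnet_of(result) for n in nets):
        if result.prefixlen == 0:
            break
        result = result.supernet()   # drop one prefix bit at a time
    return str(result)


def aggregate(networks):
    """Collapse adjacent or overlapping prefixes into the minimal equivalent set."""
    nets = [ipaddress.ip_network(n) for n in networks]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    print(split_address("192.0.2.130/25"))
    print(usable_hosts("192.0.2.128/25"))
    print(supernet_of(["198.51.100.0/24", "198.51.101.0/24"]))
    print(aggregate(["198.51.100.0/24", "198.51.101.0/24", "203.0.113.0/24"]))
```

    The difference between supernet_of() and aggregate() matters when writing firewall rules: the first always returns one prefix and may therefore cover addresses you did not list, while the second only merges prefixes that are genuinely adjacent, so it never widens the scope of a rule.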

  16. What is the main characteristic of a bastion host?

    • It is located on the internal network.
    • It is a hardened computer implementation
    • It is a firewall.
    • It does packet filtering.
    Explanation:

    A bastion host is a special purpose computer on a network specifically designed and configured to withstand attack. The computer hosts a single application, for example a proxy server, and all other services are removed or limited to reduce the threat to the computer. It is hardened in this manner primarily due to its location and purpose, which is either on the outside of the firewall or in the DMZ and usually involves access from untrusted networks or computers.

    References:
    http://en.wikipedia.org/wiki/Bastion_host
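
    The hardening property above (one application, everything else removed) turned into a check, as an added example that is not part of the original page: list every listening TCP socket and flag any that is not on the allow-list. The socket listing is constructed in the shape of Linux `ss -ltnp` output and is not captured from a real host; the allow-list (a squid proxy plus management SSH) is likewise an assumption for the demonstration.

```python
import re

# Constructed output in the shape of `ss -ltnp` on a Linux bastion running a
# proxy; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port   Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*           users:(("sshd",pid=812,fd=3))
LISTEN  0       4096    0.0.0.0:3128         0.0.0.0:*           users:(("squid",pid=990,fd=12))
LISTEN  0       128     127.0.0.1:25         0.0.0.0:*           users:(("master",pid=1001,fd=13))
LISTEN  0       128     [::]:22              [::]:*              users:(("sshd",pid=812,fd=4))
"""


def parse_listeners(text):
    """(port, process) for every LISTEN line; the header is skipped."""
    listeners = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        port = cols[3].rsplit(":", 1)[1]          # works for 0.0.0.0:22 and [::]:22
        match = re.search(r'\(\("([^"]+)"', line)  # first process name in users:(...)
        listeners.append((port, match.group(1) if match else "?"))
    return listeners


def unexpected_listeners(text, allowed):
    """Listeners outside the allow-list; on a bastion every one is a finding."""
    return sorted(set(parse_listeners(text)) - set(allowed))


if __name__ == "__main__":
    # Constructed allow-list: the proxy the bastion exists for, plus management SSH.
    allowed = {("3128", "squid"), ("22", "sshd")}
    for port, proc in unexpected_listeners(SAMPLE_SS_OUTPUT, allowed):
        print(f"FINDING: unexpected service {proc} listening on port {port}")
```

    The loopback-only mail listener in the sample is still reported: on a bastion exposed to untrusted networks the rule is to remove services that are not needed, not merely to bind them locally, because a compromise of the one exposed application can reach anything listening on the host.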

  17. Which of the following statements pertaining to packet switching is incorrect?

    • Most data sent today uses digital signals over network employing packet switching.
    • Messages are divided into packets.
    • All packets from a message travel through the same route.
    • Each network node or point examines each packet for routing.
    Explanation:

    When using packet switching, messages are broken down into packets. Source and destination addresses are added to each packet so that, when it passes through a network node, it can be examined and, if necessary, rerouted along a different path as conditions change. The packets of one message may travel different paths and may not arrive in the order in which they were sent, so they must be collected and reassembled into the original message at the destination.

    Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

  18. Which communication method is characterized by very high speed transmission rates that are governed by electronic clock timing signals?

    • Asynchronous Communication.
    • Synchronous Communication.
    • Automatic Communication.
    • Full duplex Communication.
    Explanation:

    Synchronous communication is characterized by very high speed transmission rates that are governed by electronic clock timing signals.

    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 100.

  19. Domain Name Service is a distributed database system that is used to map:

    • Domain Name to IP addresses.
    • MAC addresses to domain names.
    • MAC Address to IP addresses.
    • IP addresses to MAC Addresses.
    Explanation:

    The Domain Name Service is a distributed database system that is used to map domain names to IP addresses and IP addresses to domain names.

    The Domain Name System is maintained by a distributed database system, which uses the client-server model. The nodes of this database are the name servers. Each domain has at least one authoritative DNS server that publishes information about that domain and the name servers of any domains subordinate to it. The top of the hierarchy is served by the root nameservers, the servers to query when looking up (resolving) a TLD.

    Reference(s) used for this question:
    KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 100.
    and
    https://en.wikipedia.org/wiki/Domain_Name_System

  20. Communications devices must operate:

    • at different speeds to communicate.
    • at the same speed to communicate.
    • at varying speeds to interact.
    • at high speed to interact.
    Explanation:

    Communications devices must operate at the same speed to communicate.

    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 100.
