SSCP : System Security Certified Practitioner (SSCP) : Part 18

  1. Why is traffic across a packet switched network difficult to monitor?

    • Packets are link encrypted by the carrier
    • Government regulations forbid monitoring
    • Packets can take multiple paths when transmitted
    • The network factor is too high

    Explanation:

    With a packet switched network, packets are difficult to monitor because they can be transmitted using different paths.

    A packet-switched network is a digital communications network that groups all transmitted data, irrespective of content, type, or structure into suitably sized blocks, called packets. The network over which packets are transmitted is a shared network which routes each packet independently from all others and allocates transmission resources as needed.

    The principal goals of packet switching are to optimize utilization of available link capacity, minimize response times and increase the robustness of communication. When traversing network adapters, switches and other network nodes, packets are buffered and queued, resulting in variable delay and throughput, depending on the traffic load in the network.

    Most modern Wide Area Network (WAN) protocols, including TCP/IP, X.25, and Frame Relay, are based on packet-switching technologies. In contrast, normal telephone service is based on a circuit-switching technology, in which a dedicated line is allocated for transmission between two parties. Circuit-switching is ideal when data must be transmitted quickly and must arrive in the same order in which it’s sent. This is the case with most real-time data, such as live audio and video. Packet switching is more efficient and robust for data that can withstand some delays in transmission, such as e-mail messages and Web pages.

    All of the other answers are wrong.

    Reference(s) used for this question:
    TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.
    and
    https://en.wikipedia.org/wiki/Packet-switched_network
    and
    http://www.webopedia.com/TERM/P/packet_switching.html

  2. Which one of the following is used to provide authentication and confidentiality for e-mail messages?

    • Digital signature
    • PGP
    • IPSEC AH
    • MD4

    Explanation:

    Instead of using a Certificate Authority, PGP uses a “Web of Trust”, where users can certify each other in a mesh model, which is best applied to smaller groups.

    In cryptography, a web of trust is a concept used in PGP, GnuPG, and other OpenPGP compatible systems to establish the authenticity of the binding between a public key and its owner. Its decentralized trust model is an alternative to the centralized trust model of a public key infrastructure (PKI), which relies exclusively on a certificate authority (or a hierarchy of such). The web of trust concept was first put forth by PGP creator Phil Zimmermann in 1992 in the manual for PGP version 2.0.

    Pretty Good Privacy (PGP) is a data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication. PGP is often used for signing, encrypting and decrypting texts, E-mails, files, directories and whole disk partitions to increase the security of e-mail communications. It was created by Phil Zimmermann in 1991.

    As per Shon Harris’s book:
    Pretty Good Privacy (PGP) was designed by Phil Zimmermann as a freeware e-mail security program and was released in 1991. It was the first widespread public key encryption program. PGP is a complete cryptosystem that uses cryptographic protection to protect e-mail and files. It can use RSA public key encryption for key management and the IDEA symmetric cipher for bulk encryption of data, although the user has the option of picking different algorithms for these functions. PGP can provide confidentiality by using the IDEA encryption algorithm, integrity by using the MD5 hashing algorithm, authentication by using public key certificates, and nonrepudiation by using cryptographically signed messages. PGP initially used its own type of digital certificates rather than what is used in PKI, but they both have similar purposes. Today PGP supports X.509 v3 digital certificates.

    Reference(s) used for this question:
    KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 4: Cryptography (page 169).

    Shon Harris, CISSP All in One book
    https://en.wikipedia.org/wiki/Pretty_Good_Privacy
    TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

  3. Layer 4 of the OSI stack is known as:

    • the data link layer
    • the transport layer
    • the network layer
    • the presentation layer

    Explanation:
    Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

  4. Another name for a VPN is a:

    • tunnel
    • one-time password
    • pipeline
    • bypass

    Explanation:
    Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

  5. Which of the following was developed as a simple mechanism for allowing simple network terminals to load their operating system from a server over the LAN?

    • DHCP
    • BootP
    • DNS
    • ARP

    Explanation:
    BootP was developed as a simple mechanism for allowing simple network terminals to load their operating system from a server over the LAN. Over time, it has expanded to allow centralized configuration of many aspects of a host’s identity and behavior on the network. Note that DHCP, which is more complex, has replaced BootP over time.
    Source: STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 4: Sockets and Services from a Security Viewpoint.

  6. What is the greatest danger from DHCP?

    • An intruder on the network impersonating a DHCP server and thereby misconfiguring the DHCP clients.
    • Having multiple clients on the same LAN having the same IP address.
    • Having the wrong router used as the default gateway.
    • Having the organization’s mail server unreachable.

    Explanation:
    The greatest danger from BootP or DHCP (Dynamic Host Control Protocol) is from an intruder on the network impersonating a DHCP server and thereby misconfiguring the DHCP clients. Other choices are possible consequences of DHCP impersonation.
    Source: STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 4: Sockets and Services from a Security Viewpoint.

  7. Before the advent of classless addressing, the address 128.192.168.16 would have been considered part of:

    • a class A network.
    • a class B network.
    • a class C network.
    • a class D network.

    Explanation:
    Before the advent of classless addressing, one could tell the size of a network by the first few bits of an IP address. If the first bit was set to zero (the first byte being from 0 to 127), the address was a class A network. Values from 128 to 191 were used for class B networks whereas values between 192 and 223 were used for class C networks. Class D, with values from 224 to 239 (the first three bits set to one and the fourth to zero), was reserved for IP multicast.
    Source: STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 3: TCP/IP from a Security Viewpoint.

  8. What is an IP routing table?

    • A list of IP addresses and corresponding MAC addresses.
    • A list of station and network addresses with corresponding gateway IP address.
    • A list of host names and corresponding IP addresses.
    • A list of current network interfaces on which IP routing is enabled.

    Explanation:
    A routing table is used when a destination IP address is not located on the current LAN segment. It consists of a list of station and network addresses and a corresponding gateway IP address further along the path to which routing equipment should send packets that match that station or network address. A list of IP addresses and corresponding MAC addresses is an ARP table. DNS is used to match host names to corresponding IP addresses. The last choice is a distractor.
    Source: STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 3: TCP/IP from a Security Viewpoint.

  9. Which of the following can be defined as an Internet protocol by which a client workstation can dynamically access a mailbox on a server host to manipulate and retrieve mail messages that the server has received and is holding for the client?

    • IMAP4
    • SMTP
    • MIME
    • PEM

    Explanation:

    RFC 2828 (Internet Security Glossary) defines the Internet Message Access Protocol, version 4 (IMAP4) as an Internet protocol by which a client workstation can dynamically access a mailbox on a server host to manipulate and retrieve mail messages that the server has received and is holding for the client.

    IMAP4 has mechanisms for optionally authenticating a client to a server and providing other security services.

    MIME is the MultiPurpose Internet Mail Extension. MIME extends the format of Internet mail to allow non-US-ASCII textual messages, non-textual messages, multipart message bodies, and non-US-ASCII information in message headers.

    Simple Mail Transfer Protocol (SMTP) is a TCP-based, application-layer, Internet Standard protocol for moving electronic mail messages from one computer to another.

    Privacy Enhanced Mail (PEM) is an Internet protocol to provide data confidentiality, data integrity, and data origin authentication for electronic mail.

    Source: SHIREY, Robert W., RFC2828: Internet Security Glossary, May 2000.

  10. Which of the following NAT firewall translation modes offers no protection from hacking attacks to an internal host using this functionality?

    • Network redundancy translation
    • Load balancing translation
    • Dynamic translation
    • Static translation

    Explanation:

    Static translation (also called port forwarding), assigns a fixed address to a specific internal network resource (usually a server).

    Static NAT is required to make internal hosts available for connection from external hosts.

    It merely replaces address and port information on a one-to-one basis. This affords no protection to statically translated hosts: hacking attacks will be just as efficiently translated as any other valid connection attempt.

    NOTE FROM CLEMENT:
    Hiding NAT or Overloaded NAT is when you have a group of users behind a unique public IP address. This will provide you with some security through obscurity, where an attacker scanning your network would see the unique IP address on the outside of the gateway but could not tell if there is one user, ten users, or hundreds of users behind that IP.

    NAT was NEVER built as a security mechanism.
    In the case of Static NAT used for some of your servers, for example, your web server’s private IP is mapped to a valid external public IP on a one-to-one basis, your SMTP server’s private IP is mapped to a static public IP, and so on.

    If an attacker scans the IP address range on the external side of the gateway, he would discover every single one of your servers or any other hosts using static NAT. Ports that are open, services that are listening, and all of this info could be gathered just as if the server was in fact using a public IP. It does not provide the security through obscurity mentioned above.

    All of the other answers are incorrect.

    Reference used for this question:
    STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 7: Network Address Translation.

  11. Which of the following should NOT normally be allowed through a firewall?

    • SNMP
    • SMTP
    • HTTP
    • SSH

    Explanation:

    The Simple Network Management Protocol (SNMP) is a useful tool for remotely managing network devices.

    Since it can be used to reconfigure devices, SNMP traffic should be blocked at the organization’s firewall.

    Using a VPN with encryption or some type of Tunneling software would be highly recommended in this case.

    Source: STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 4: Sockets and Services from a Security Viewpoint.

  12. What can best be defined as a strongly protected computer that is in a network protected by a firewall (or is part of a firewall) and is the only host (or one of only a few hosts) in the network that can be directly accessed from networks on the other side of the firewall?

    • A bastion host
    • A screened subnet
    • A dual-homed host
    • A proxy server

    Explanation:
    The Internet Security Glossary (RFC2828) defines a bastion host as a strongly protected computer that is in a network protected by a firewall (or is part of a firewall) and is the only host (or one of only a few hosts) in the network that can be directly accessed from networks on the other side of the firewall.
    Source: SHIREY, Robert W., RFC2828: Internet Security Glossary, May 2000.

  13. What is a packet sniffer?

    • It tracks network connections to off-site locations.
    • It monitors network traffic for illegal packets.
    • It scans network segments for cabling faults.
    • It captures network traffic for later analysis.

    Explanation:
    Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

  14. What do the ILOVEYOU and Melissa virus attacks have in common?

    • They are both denial-of-service (DOS) attacks.
    • They have nothing in common.
    • They are both masquerading attacks.
    • They are both social engineering attacks.

    Explanation:
    While a masquerading attack can be considered a type of social engineering, the Melissa and ILOVEYOU viruses are examples of masquerading attacks, even though they may also cause some kind of denial of service due to the web server being flooded with messages. In this case, the receiver confidently opens a message coming from a trusted individual, only to find that the message was sent using the trusted party’s identity.
    Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter 10: Law, Investigation, and Ethics (page 650).

  15. Crackers today are MOST often motivated by their desire to:

    • Help the community in securing their networks.
    • Seeing how far their skills will take them.
    • Getting recognition for their actions.
    • Gaining Money or Financial Gains.

    Explanation:

    A few years ago the best choice for this question would have been seeing how far their skills can take them. Today this has changed greatly: most crimes committed are financially motivated.

    Profit is the most widespread motive behind all cybercrimes and, indeed, most crimes: everyone wants to make money. Hacking for money or for free services includes a smorgasbord of crimes such as embezzlement, corporate espionage and being a “hacker for hire”. Scams are easier to undertake but the likelihood of success is much lower. Money-seekers come from any lifestyle, but those with persuasive skills make better con artists in the same way as those who are exceptionally tech-savvy make better “hacks for hire”.

    “White hats” are the security specialists (as opposed to Black Hats) interested in helping the community in securing their networks. They test systems and networks with the owner’s authorization.

    A Black Hat is someone who uses his skills for offensive purposes. They do not seek authorization before they attempt to compromise the security mechanisms in place.

    “Grey Hats” are people who sometimes work as a White Hat and other times as a “Black Hat”; they have not made up their mind yet as to which side they prefer to be on.

    The following are incorrect answers:

    All the other choices could be possible reasons but the best one today is really for financial gains.

    References used for this question:
    http://library.thinkquest.org/04oct/00460/crimeMotives.html
    and
    http://www.informit.com/articles/article.aspx?p=1160835
    and
    http://www.aic.gov.au/documents/1/B/A/%7B1BA0F612-613A-494D-B6C5-06938FE8BB53%7Dhtcb006.pdf

  16. The high availability of multiple all-inclusive, easy-to-use hacking tools that do NOT require much technical knowledge has brought a growth in the number of which type of attackers?

    • Black hats
    • White hats
    • Script kiddies
    • Phreakers

    Explanation:

    Script kiddies are low- to moderately-skilled attackers who use readily available scripts and tools to launch attacks against victims.

    The other answers are incorrect because:

    Black hats is incorrect as they are malicious, skilled hackers.
    White hats is incorrect as they are security professionals.
    Phreakers is incorrect as they are telephone/PBX (private branch exchange) hackers.
    Reference: Shon Harris AIO v3, Chapter 12: Operations security, Page: 830

  17. Which of the following computer crime is MORE often associated with INSIDERS?

    • IP spoofing
    • Password sniffing
    • Data diddling
    • Denial of service (DOS)

    Explanation:

    Data diddling refers to the alteration of existing data, most often before it is entered into an application. This type of crime is extremely common and can be prevented by using appropriate access controls and proper segregation of duties. It is more likely to be perpetrated by insiders, who have access to data before it is processed.

    The other answers are incorrect because:

    IP Spoofing is not correct as the question asks about the crime associated with insiders. Spoofing is generally accomplished from the outside.

    Password sniffing is also not the BEST answer as it requires a lot of technical knowledge in understanding the encryption and decryption process.

    Denial of service (DOS) is also incorrect as most Denial of service attacks occur over the Internet.

    Reference: Shon Harris, AIO v3, Chapter 10: Law, Investigation & Ethics, Pages 758-760.

  18. What is malware that can spread itself over open network connections?

    • Worm
    • Rootkit
    • Adware
    • Logic Bomb

    Explanation:

    Computer worms are also known as Network Mobile Code, or a virus-like bit of code that can replicate itself over a network, infecting adjacent computers.

    A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it. Unlike a computer virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.

    A notable example is the SQL Slammer computer worm that spread globally in ten minutes on January 25, 2003. I myself came to work that day as a software tester and found all my SQL servers infected and actively trying to infect other computers on the test network.

    A patch had been released a year prior by Microsoft, and if systems were not patched and were exposed to a 376-byte UDP packet from an infected host, then the system would become compromised.

    Ordinarily, infected computers are not to be trusted and must be rebuilt from scratch, but the vulnerability could be mitigated by replacing a single vulnerable DLL called sqlsort.dll.

    Replacing it with the patched version completely disabled the worm, which really illustrates the importance of actively patching our systems against such network mobile code.

    The following answers are incorrect:

    – Rootkit: Sorry, this isn’t correct because a rootkit isn’t ordinarily classified as network mobile code like a worm is. This isn’t to say that a rootkit couldn’t be included in a worm, just that a rootkit isn’t usually classified like a worm. A rootkit is a stealthy type of software, typically malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer. The term rootkit is a concatenation of “root” (the traditional name of the privileged account on Unix operating systems) and the word “kit” (which refers to the software components that implement the tool). The term “rootkit” has negative connotations through its association with malware.

    – Adware: Incorrect answer. Sorry but adware isn’t usually classified as a worm. Adware, or advertising-supported software, is any software package which automatically renders advertisements in order to generate revenue for its author. The advertisements may be in the user interface of the software or on a screen presented to the user during the installation process. The functions may be designed to analyze which Internet sites the user visits and to present advertising pertinent to the types of goods or services featured there. The term is sometimes used to refer to software that displays unwanted advertisements.

    – Logic Bomb: Logic bombs like adware or rootkits could be spread by worms if they exploit the right service and gain root or admin access on a computer.

    The following reference(s) were used to create this question:

    The CCCure CompTIA Holistic Security+ Tutorial and CBT
    and
    http://en.wikipedia.org/wiki/Rootkit
    and
    http://en.wikipedia.org/wiki/Computer_worm
    and
    http://en.wikipedia.org/wiki/Adware

  19. Which of the following technologies is a target of XSS or CSS (Cross-Site Scripting) attacks?

    • Web Applications
    • Intrusion Detection Systems
    • Firewalls
    • DNS Servers

    Explanation:

    XSS or Cross-Site Scripting is a threat to web applications where malicious code is placed on a website that attacks the user by abusing their existing authenticated session.

    Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.

    An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site. These scripts can even rewrite the content of the HTML page.

    Mitigation:

    • Configure your IPS – Intrusion Prevention System to detect and suppress this traffic.
    • Input validation on the web application to normalize inputted data.
    • Set web apps to bind session cookies to the IP address of the legitimate user and only permit that IP address to use that cookie.

    See also:

    • The XSS (Cross Site Scripting) Prevention Cheat Sheet
    • The Abridged XSS Prevention Cheat Sheet
    • The DOM based XSS Prevention Cheat Sheet
    • The OWASP Development Guide article on Phishing
    • The OWASP Development Guide article on Data Validation

    The following answers are incorrect:

    Intrusion Detection Systems: Sorry. IDS systems aren’t usually the target of XSS attacks, but a properly-configured IDS/IPS can “detect and report on malicious strings and suppress the TCP connection in an attempt to mitigate the threat.”

    Firewalls: Sorry. Firewalls aren’t usually the target of XSS attacks.

    DNS Servers: Same as above, DNS Servers aren’t usually targeted in XSS attacks but they play a key role in the domain name resolution in the XSS attack process.

    The following reference(s) were used to create this question:
    CCCure Holistic Security+ CBT and Curriculum
    and
    https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29

  20. What best describes a scenario when an employee has been shaving off pennies from multiple accounts and depositing the funds into his own bank account?

    • Data fiddling
    • Data diddling
    • Salami techniques
    • Trojan horses

    Explanation:
    Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2001, Page 644.