SSCP : System Security Certified Practitioner (SSCP) : Part 26

  1. Which of the following security-focused protocols has confidentiality services operating at a layer different from the others?

    • Secure HTTP (S-HTTP)
    • FTP Secure (FTPS)
    • Secure socket layer (SSL)
    • Sequenced Packet Exchange (SPX)

    Explanation:

    All the previous protocols operate at the transport layer except for Secure HTTP (S-HTTP), which operates at the application layer. S-HTTP has been replaced by SSL and TLS.

    As it is very well explained in the Shon Harris book:

    The transport layer receives data from many different applications and assembles the data into a stream to be properly transmitted over the network. The main protocols that work at this layer are TCP, UDP, Secure Sockets Layer (SSL), and Sequenced Packet Exchange (SPX).

    NOTE:
    Different references can place specific protocols at different layers. For example, many references place the SSL protocol in the session layer, while other references place it in the transport layer. It is not that one is right or wrong. The OSI model tries to draw boxes around reality, but some protocols straddle the different layers. SSL is made up of two protocols— one works in the lower portion of the session layer and the other works in the transport layer.
    For purposes of the CISSP exam, SSL resides in the transport layer.

    Reference(s) used for this question:
    Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 526). McGraw-Hill. Kindle Edition.

  2. Which of the following is an advantage that UDP has over TCP?

    • UDP is connection-oriented whereas TCP is not.
    • UDP is more reliable than TCP.
    • UDP is faster than TCP.
    • UDP makes a better effort to deliver packets.
    Explanation:
    UDP is a scaled-down version of TCP. It is used like TCP, but only offers a “best effort” delivery. It is connectionless, does not offer error correction, does not sequence the packet segments, and is less reliable than TCP, but because of its lower overhead it provides a faster transmission than TCP.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 86).
  3. What protocol is used to match an IP address to the appropriate hardware address of the packet’s destination so it can be sent?

    • Routing tables
    • Address resolution protocol (ARP)
    • Reverse address resolution protocol (RARP)
    • Internet Control Message Protocol (ICMP)
    Explanation:

    The Address Resolution Protocol (ARP) is used to match an IP address to an Ethernet address so the packet can be sent to the appropriate node.

    Shon Harris in her book says:
    MAC and IP addresses must be properly mapped so they can be correctly resolved. This happens through the Address Resolution Protocol (ARP). When the data link layer receives a frame, the network layer has already attached the destination IP address to it, but the data link layer cannot understand the IP address and thus invokes ARP for help.

    ARP broadcasts a frame requesting the MAC address that corresponds with the destination IP address. Each computer on the subnet receives this broadcast frame, and all but the computer that has the requested IP address ignore it.

    The computer that has the destination IP address responds with its MAC address. Now ARP knows what hardware address corresponds with that specific IP address. The data link layer takes the frame, adds the hardware address to it, and passes it on to the physical layer, which enables the frame to hit the wire and go to the destination computer.

    ARP maps the hardware address and associated IP address and stores this mapping in its table for a predefined amount of time. This caching is done so that when another frame destined for the same IP address needs to hit the wire, ARP does not need to broadcast its request again. It just looks in its table for this information.

    Man-In-The-Middle attack
    Because ARP does not require authentication, an attacker could place bogus entries into the ARP cache of a remote host (gratuitous ARP replies) to carry out attacks, such as man-in-the-middle attacks. This attack is called ARP poisoning.

    The following answers were incorrect:

    RARP is used to match an Ethernet address to an IP address.
    ICMP is a management protocol whose function is to send messages between network devices.
    Routing tables are used by routers to choose the appropriate interface to route packets.

    Reference(s) used for this question:
    Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition, Chapter 6 Telecommunications and Network Security, Pages 580-581 or on the Kindle edition look around Locations 12298-12306. McGraw-Hill. Kindle Edition.
    and
    Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition: Telecommunications and Network Security, Page 342.
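The explanation above notes that ARP replies carry no authentication and that hosts cache whatever mapping they receive. The following added example (not taken from the cited books) parses the 28-byte Ethernet/IPv4 ARP payload and flags the two symptoms a monitoring sensor can see: a reply nobody asked for, and an IP address whose MAC binding changes. The `ArpMonitor` class, the `request_window` value and the sample trace are assumptions constructed for illustration.

```python
import struct
from collections import namedtuple

ARP_REQUEST, ARP_REPLY = 1, 2
Arp = namedtuple("Arp", "op sender_mac sender_ip target_mac target_ip")

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def _ip(b):
    return ".".join(str(x) for x in b)

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build an ARP payload as bytes; used only to construct sample data."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                       mac(sender_mac), ip(sender_ip),
                       mac(target_mac), ip(target_ip))

def parse_arp(payload):
    """Parse an Ethernet/IPv4 ARP payload. Note: no field authenticates the sender."""
    if len(payload) < 28:
        raise ValueError("short ARP payload")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return Arp(op, _mac(sha), _ip(spa), _mac(tha), _ip(tpa))

class ArpMonitor:
    """Hypothetical passive sensor that watches ARP traffic on one subnet."""

    def __init__(self, request_window=2.0):
        self.bindings = {}   # ip -> first MAC seen for it
        self.pending = {}    # ip being asked for -> time of the request
        self.request_window = request_window  # assumed max reply delay (s)

    def observe(self, ts, payload):
        pkt = parse_arp(payload)
        alerts = []
        if pkt.op == ARP_REQUEST:
            self.pending[pkt.target_ip] = ts
        elif pkt.op == ARP_REPLY:
            asked = self.pending.pop(pkt.sender_ip, None)
            if asked is None or ts - asked > self.request_window:
                alerts.append(f"unsolicited reply for {pkt.sender_ip} "
                              f"from {pkt.sender_mac}")
        known = self.bindings.get(pkt.sender_ip)
        if known is None:
            self.bindings[pkt.sender_ip] = pkt.sender_mac
        elif known != pkt.sender_mac:
            alerts.append(f"binding change {pkt.sender_ip}: "
                          f"{known} -> {pkt.sender_mac}")
        return alerts

# Constructed sample trace: a normal request/reply pair, then a later
# reply that rebinds the gateway's IP to a different MAC.
GATEWAY = ("10.0.0.1", "02:00:00:00:00:01")
HOST = ("10.0.0.5", "02:00:00:00:00:05")
OTHER_MAC = "02:00:00:00:00:66"
SAMPLE_TRACE = [
    (0.0, build_arp(ARP_REQUEST, HOST[1], HOST[0],
                    "00:00:00:00:00:00", GATEWAY[0])),
    (0.1, build_arp(ARP_REPLY, GATEWAY[1], GATEWAY[0], HOST[1], HOST[0])),
    (30.0, build_arp(ARP_REPLY, OTHER_MAC, GATEWAY[0], HOST[1], HOST[0])),
]

def run_demo():
    monitor = ArpMonitor()
    return [monitor.observe(ts, raw) for ts, raw in SAMPLE_TRACE]

if __name__ == "__main__":
    for (ts, _), alerts in zip(SAMPLE_TRACE, run_demo()):
        print(ts, alerts or "ok")
```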

  4. Which cable technology refers to the CAT3 and CAT5 categories?

    • Coaxial cables
    • Fiber Optic cables
    • Axial cables
    • Twisted Pair cables
    Explanation:
    Twisted Pair cables currently have two categories in common usage: CAT3 and CAT5.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 72.
  5. Similar to Secure Shell (SSH-2), Secure Sockets Layer (SSL) uses symmetric encryption for encrypting the bulk of the data being sent over the session and it uses asymmetric or public key cryptography for:

    • Peer Authentication
    • Peer Identification
    • Server Authentication
    • Name Resolution
    Explanation:

    SSL provides for Peer Authentication. Though peer authentication is possible, authentication of the client is seldom used in practice when connecting to public e-commerce web sites. Once authentication is complete, confidentiality is assured over the session by the use of symmetric encryption in the interests of better performance.

    The following answers were all incorrect:

    “Peer identification” is incorrect. The desired attribute is assurance of the identity of the communicating parties provided by authentication and NOT identification. Identification is only who you claim to be. Authentication is proving who you claim to be.

    “Server authentication” is incorrect. While server authentication only is common practice, the protocol provides for peer authentication (i.e., authentication of both client and server). This answer was not complete.

    “Name resolution” is incorrect. Name resolution is commonly provided by the Domain Name System (DNS) not SSL.

    Reference(s) used for this question:
    CBK, pp. 496 – 497.

  6. What can a packet filtering firewall also be called?

    • a scanning router
    • a shielding router
    • a sniffing router
    • a screening router
    Explanation:

    While neither CBK nor AIO3 use the term “screening router,” they both discuss how the packet filtering capabilities of a router can be used to block traffic much like a packet filtering firewall. Krutz and Vines use this term on p. 90.

    “A scanning router” is incorrect. This is a nonsense term to distract you.
    “A shielding router” is incorrect. This is a nonsense term to distract you.
    “A sniffing router” is incorrect. This is a nonsense term to distract you.

    References:
    CBK, p. 433
    AIO3, pp. 484 – 485

  7. Secure Shell (SSH-2) provides all the following services except:

    • secure remote login
    • command execution
    • port forwarding
    • user authentication
    Explanation:

    This is one of the tricky negative questions. You have to pay close attention to the word EXCEPT within the question.

    The SSH transport layer is a secure, low level transport protocol. It provides strong encryption, cryptographic host authentication, and integrity protection.

    Authentication in this protocol level is host-based; this protocol does not perform user authentication. A higher level protocol for user authentication can be designed on top of this protocol.

    The protocol has been designed to be simple and flexible to allow parameter negotiation, and to minimize the number of round-trips. The key exchange method, public key algorithm, symmetric encryption algorithm, message authentication algorithm, and hash algorithm are all negotiated. It is expected that in most environments, only 2 round-trips will be needed for full key exchange, server authentication, service request, and acceptance notification of service request. The worst case is 3 round-trips.

    The following are incorrect answers:

    “Remote log-on” is incorrect. SSH does provide remote log-on.
    “Command execution” is incorrect. SSH does provide command execution.

    “Port forwarding” is incorrect. SSH does provide port forwarding. SSH also has a wonderful feature called SSH Port Forwarding, sometimes called SSH Tunneling, which allows you to establish a secure SSH session and then tunnel arbitrary TCP connections through it. Tunnels can be created at any time, with almost no effort and no programming, which makes them very appealing. See the article below in the reference to take a look at SSH Port Forwarding in detail, as it is a very useful but often misunderstood technology. SSH Port Forwarding can be used for secure communications in a myriad of different ways.

    You can see a nice tutorial on the PuTTY web site on how to use PuTTY to do port forwarding at:
    http://www.cs.uu.nl/technical/services/ssh/putty/puttyfw.html

    Reference(s) used for this question:
    RFC 4253 at https://www.ietf.org/rfc/rfc4253.txt
    and
    SSH Port Forwarding by Symantec

  8. Transport Layer Security (TLS) is a two-layered socket layer security protocol that contains the TLS Record Protocol and the:
    • Transport Layer Security (TLS) Internet Protocol.
    • Transport Layer Security (TLS) Data Protocol.
    • Transport Layer Security (TLS) Link Protocol.
    • Transport Layer Security (TLS) Handshake Protocol.
  9. A Packet Filtering Firewall system is considered a:

    • first generation firewall.
    • second generation firewall.
    • third generation firewall.
    • fourth generation firewall.
    Explanation:

    The first types of firewalls were packet filtering firewalls. It is the most basic firewall, making access decisions based on ACLs. It will filter traffic based on source IP and port as well as destination IP and port. It does not understand the context of the communication and inspects every single packet one by one without understanding the context of the connection.

    “Second generation firewall” is incorrect. The second generation of firewalls were proxy-based firewalls. Under proxy-based firewalls you have the Application-Level Proxy and also the Circuit-Level Proxy firewall. The Application-Level Proxy is very smart and understands the inner structure of the protocol itself. The Circuit-Level Proxy is a generic proxy that allows you to proxy protocols for which you do not have an Application-Level Proxy. This is better than allowing a direct connection to the net. Today a great example of this would be the SOCKS protocol.

    “Third generation firewall” is incorrect. The third generation firewall is the Stateful Inspection firewall. This type of firewall makes use of a state table to maintain the context of connections being established.

    “Fourth generation firewall” is incorrect. The fourth generation firewall is the dynamic packet filtering firewall.

    References:
    CBK, p. 464
    AIO3, pp. 482 – 484

    Neither CBK nor AIO3 uses the generation terminology for firewall types, but you will encounter it frequently as a practicing security professional. See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/centri4/user/scf4ch3.htm for a general discussion of the different generations.

  10. Proxies work by transferring a copy of each accepted data packet from one network to another, thereby masking the:

    • data’s payload
    • data’s details
    • data’s owner
    • data’s origin
    Explanation:

    The application firewall (proxy) relays the traffic from a trusted host running a specific application to an untrusted server. It will appear to the untrusted server as if the request originated from the proxy server.

    “Data’s payload” is incorrect. Only the origin is changed.
    “Data’s details” is incorrect. Only the origin is changed.
    “Data’s owner” is incorrect. Only the origin is changed.

    References:
    CBK, p. 467
    AIO3, pp. 486 – 490

  11. Packet Filtering Firewalls examine both the source and destination address of the:

    • incoming and outgoing data packets
    • outgoing data packets only
    • Incoming Data packets only
    • user data packet
    Explanation:

    Packet filtering firewalls are devices that enforce administrative security policies by filtering incoming traffic as well as outgoing traffic based on rules that can include the source and/or destination addresses.

    “Outgoing data packets” is incorrect. Firewalls filter incoming as well as outgoing traffic. This is sometimes called Egress and Ingress filtering.

    “Incoming data packets only” is incorrect. (See the previous explanation.)

    “User data packet” is incorrect. A packet filtering firewall does not typically look into the data portion of the packet.

    References
    CBK, p. 464
    AIO3, pp. 482 – 484

  12. Packet Filtering Firewalls can also enable access for:

    • only authorized application port or service numbers.
    • only unauthorized application port or service numbers.
    • only authorized application port or ex-service numbers.
    • only authorized application port or service integers.
    Explanation:

    Firewall rules can be used to enable access for traffic to specific ports or services. “Service numbers” is rather stilted English but you may encounter these types of wordings on the actual exam — don’t let them confuse you.

    “Only unauthorized application port or service numbers” is incorrect. Unauthorized ports/services would be blocked in a properly installed firewall rather than permitting access.

    “Only authorized application port or ex-service numbers” is incorrect. “Ex-service” numbers is a nonsense term meant to distract you.

    “Only authorized application port or service integers.” While service numbers are in fact integers, the more usual (and therefore better) answer is either service or “service number.”

    References
    CBK, p. 464
    AIO3, pp. 482 – 484
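Questions 9, 11 and 12 describe a packet filter as an ordered ACL over source and destination address and port, applied to incoming and outgoing packets, with no knowledge of connection context. The following added example (not from CBK or AIO3) implements such a filter and sets it beside a minimal state table of the kind question 9 attributes to stateful inspection. The rule set, the addresses (documentation ranges) and all class and function names are assumptions constructed for illustration.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

class Packet(NamedTuple):
    direction: str   # "in" or "out" relative to the protected network
    src: str
    sport: int
    dst: str
    dport: int

class Rule(NamedTuple):
    direction: str
    src_net: str
    dst_net: str
    sport: Optional[range]   # None matches any port
    dport: Optional[range]
    action: str              # "permit" or "deny"

INSIDE, ANY = "192.0.2.0/24", "0.0.0.0/0"
HTTPS, EPHEMERAL = range(443, 444), range(1024, 65536)

ACL = [
    # Ingress: the one authorized public service.
    Rule("in", ANY, "192.0.2.10/32", None, HTTPS, "permit"),
    # Egress: inside clients may reach HTTPS servers.
    Rule("out", INSIDE, ANY, EPHEMERAL, HTTPS, "permit"),
    # Static rule a stateless filter needs so replies can come back.
    Rule("in", ANY, INSIDE, HTTPS, EPHEMERAL, "permit"),
]

def _matches(rule, pkt):
    return (rule.direction == pkt.direction
            and ip_address(pkt.src) in ip_network(rule.src_net)
            and ip_address(pkt.dst) in ip_network(rule.dst_net)
            and (rule.sport is None or pkt.sport in rule.sport)
            and (rule.dport is None or pkt.dport in rule.dport))

def packet_filter(pkt, acl=ACL):
    """First-generation behaviour: each packet is judged alone, first match wins."""
    for rule in acl:
        if _matches(rule, pkt):
            return rule.action
    return "deny"  # implicit deny for anything not authorized

class StatefulFilter:
    """Third-generation behaviour: replies are matched against a state table."""

    def __init__(self, acl):
        self.acl = acl
        self.state = set()  # flows that were permitted by the ACL

    def check(self, pkt):
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.state:
            return "permit"          # reply to a flow already allowed
        action = packet_filter(pkt, self.acl)
        if action == "permit":
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return action

# Constructed sample packets.
OUT_REQ = Packet("out", "192.0.2.50", 50000, "198.51.100.7", 443)
REPLY = Packet("in", "198.51.100.7", 443, "192.0.2.50", 50000)
NO_CONTEXT = Packet("in", "203.0.113.9", 443, "192.0.2.60", 40000)
TO_SERVER = Packet("in", "203.0.113.9", 51000, "192.0.2.10", 443)
TELNET = Packet("in", "203.0.113.9", 51000, "192.0.2.10", 23)

def compare():
    """Return (stateless, stateful) verdicts for the same packet sequence."""
    seq = [OUT_REQ, REPLY, NO_CONTEXT, TO_SERVER, TELNET]
    stateful = StatefulFilter(ACL[:2])   # no static reply rule needed
    return ([packet_filter(p) for p in seq],
            [stateful.check(p) for p in seq])

if __name__ == "__main__":
    for name, verdicts in zip(("stateless", "stateful"), compare()):
        print(name, verdicts)
```

The two filters differ only on the third packet: the stateless filter cannot tell it from a reply because it matches the static return rule, while the stateful filter finds no matching outbound flow and denies it.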

  13. Which of the following countermeasures would be the most appropriate to prevent possible intrusion or damage from wardialing attacks?

    • Monitoring and auditing for such activity
    • Require user authentication
    • Making sure only necessary phone numbers are made public
    • Using completely different numbers for voice and data accesses
    Explanation:

    Knowledge of modem numbers is a poor access control method as an attacker can discover modem numbers by dialing all numbers in a range. Requiring user authentication before remote access is granted will help in avoiding unauthorized access over a modem line.

    “Monitoring and auditing for such activity” is incorrect. While monitoring and auditing can assist in detecting a wardialing attack, they do not defend against a successful wardialing attack.

    “Making sure that only necessary phone numbers are made public” is incorrect. Since a wardialing attack blindly calls all numbers in a range, whether certain numbers in the range are public or not is irrelevant.

    “Using completely different numbers for voice and data accesses” is incorrect. Using different number ranges for voice and data access might help prevent an attacker from stumbling across the data lines while wardialing the public voice number range but this is not an adequate countermeasure.

    References:
    CBK, p. 214
    AIO3, p. 534-535

  14. What is the maximum length of cable that can be used for a twisted-pair, Category 5 10Base-T cable?

    • 80 meters
    • 100 meters
    • 185 meters
    • 500 meters
    Explanation:

    As a signal travels through a medium, it attenuates (loses strength) and at some point will become indistinguishable from noise. To assure trouble-free communication, maximum cable lengths are set between nodes to assure that attenuation will not cause a problem. The maximum CAT-5 UTP cable length between two nodes for 10BASE-T is 100 meters.

    The following answers are incorrect:

    80 meters. It is only a distracter.
    185 meters is incorrect because it is the maximum length for 10Base-2.
    500 meters is incorrect because it is the maximum length for 10Base-5.

  15. Which of the following are WELL KNOWN PORTS assigned by the IANA?

    • Ports 0 to 255
    • Ports 0 to 1024
    • Ports 0 to 1023
    • Ports 0 to 127
    Explanation:

    The port numbers are divided into three ranges: the Well Known Ports, the Registered Ports, and the Dynamic and/or Private Ports. The range for assigned “Well Known” ports managed by the IANA (Internet Assigned Numbers Authority) is 0-1023.

    Source: iana.org: port assignments.

  16. Which of the following are REGISTERED PORTS as defined by IANA?

    • Ports 128 to 255
    • Ports 1024 to 49151
    • Ports 1025 to 65535
    • Ports 1024 to 32767
    Explanation:

    Ports 1024 to 49151 have been defined as REGISTERED PORTS by IANA.

    A registered port is a network port (a sub-address defined within the Internet Protocol, in the range 1–65535) assigned by the Internet Assigned Numbers Authority (IANA) (or by Internet Corporation for Assigned Names and Numbers (ICANN) before March 21, 2001) for use with a certain protocol or application.

    Ports with numbers lower than those of the registered ports are called well known ports; ports with numbers greater than those of the registered ports are called dynamic and/or private ports.

    Ports 0-1023 – well known ports
    Ports 1024-49151 – Registered port: vendors use for applications
    Ports >49151 – dynamic / private ports

    The other answers are not correct.

    Reference(s) used for this question:
    http://en.wikipedia.org/wiki/Registered_port

  17. Secure Shell (SSH) is a strong method of performing:

    • client authentication
    • server authentication
    • host authentication
    • guest authentication
    Explanation:

    Secure shell (SSH) was designed as an alternative to some of the insecure protocols and allows users to securely access resources on remote computers over an encrypted tunnel. The Secure Shell Protocol (SSH) is a protocol for secure remote login and other secure network services over an insecure network. The SSH authentication protocol runs on top of the SSH transport layer protocol and provides a single authenticated tunnel for the SSH connection protocol.

    SSH’s services include remote log-on, file transfer, and command execution. It also supports port forwarding, which redirects other protocols through an encrypted SSH tunnel. Many users protect less secure traffic of protocols, such as X Windows and VNC (virtual network computing), by forwarding them through a SSH tunnel.

    The SSH tunnel protects the integrity of communication, preventing session hijacking and other man-in-the-middle attacks. Another advantage of SSH over its predecessors is that it supports strong authentication. There are several alternatives for SSH clients to authenticate to a SSH server, including passwords and digital certificates.

    Keep in mind that authenticating with a password is still a significant improvement over the other protocols because the password is transmitted encrypted.

    There are two incompatible versions of the protocol, SSH-1 and SSH-2, though many servers support both. SSH-2 has improved integrity checks (SSH-1 is vulnerable to an insertion attack due to weak CRC-32 integrity checking) and supports local extensions and additional types of digital certificates such as Open PGP. SSH was originally designed for UNIX, but there are now implementations for other operating systems, including Windows, Macintosh, and OpenVMS.

    Is SSH 3.0 the same as SSH3?
    The short answer is: NO. SSH 3.0 refers to version 3 of SSH Communications’ SSH2 protocol implementation, and it could also refer to OpenSSH version 3.0 of its SSH2 software. The “3” refers to the software release version, not the protocol version. As of this writing (July 2013), there is no SSH3 protocol.

    “Server authentication” is incorrect. Though many SSH clients allow pre-caching of server/host keys, this is a minimal form of server/host authentication.

    “Host authentication” is incorrect. Though many SSH clients allow pre-caching of server/host keys, this is a minimal form of server/host authentication.

    “Guest authentication” is incorrect. The general idea of “guest” is that it is unauthenticated access.

    Reference(s) used for this question:

    http://www.ietf.org/rfc/rfc4252.txt
    Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 7080-7088). Auerbach Publications. Kindle Edition.

  18. Secure Shell (SSH-2) supports authentication, compression, confidentiality, and integrity. SSH is commonly used as a secure alternative to all of the following protocols below except:

    • telnet
    • rlogin
    • RSH
    • HTTPS
    Explanation:

    HTTPS is used for secure web transactions and is not commonly replaced by SSH.

    Users often want to log on to a remote computer. Unfortunately, most early implementations to meet that need were designed for a trusted network. Protocols/programs, such as TELNET, RSH, and rlogin, transmit unencrypted over the network, which allows traffic to be easily intercepted. Secure shell (SSH) was designed as an alternative to the above insecure protocols and allows users to securely access resources on remote computers over an encrypted tunnel. SSH’s services include remote log-on, file transfer, and command execution. It also supports port forwarding, which redirects other protocols through an encrypted SSH tunnel. Many users protect less secure traffic of protocols, such as X Windows and VNC (virtual network computing), by forwarding them through a SSH tunnel. The SSH tunnel protects the integrity of communication, preventing session hijacking and other man-in-the-middle attacks. Another advantage of SSH over its predecessors is that it supports strong authentication. There are several alternatives for SSH clients to authenticate to a SSH server, including passwords and digital certificates. Keep in mind that authenticating with a password is still a significant improvement over the other protocols because the password is transmitted encrypted.

    The following were wrong answers:

    telnet is an incorrect choice. SSH is commonly used as a more secure alternative to telnet. In fact, Telnet should no longer be used today.
    rlogin is an incorrect choice. SSH is commonly used as a more secure alternative to rlogin.
    RSH is an incorrect choice. SSH is commonly used as a more secure alternative to RSH.

    Reference(s) used for this question:
    Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 7077-7088). Auerbach Publications. Kindle Edition.

  19. What type of cable is used with 100Base-TX Fast Ethernet?

    • Fiber-optic cable
    • Category 3 or 4 unshielded twisted-pair (UTP).
    • Category 5 unshielded twisted-pair (UTP).
    • RG-58 cable.
    Explanation:

    This is the type of cabling recommended for 100Base-TX networks.

    Fiber-optic cable is incorrect. Incorrect media type for 100Base-TX — 100Base-FX would denote fiber optic cabling.

    “Category 3 or 4 unshielded twisted-pair (UTP)” is incorrect. These types are not recommended for 100Mbps operation.

    RG-58 cable is incorrect. Incorrect media type for 100Base-TX.

    References
    CBK, p. 428
    AIO3, p. 455

  20. Secure Sockets Layer (SSL) is very heavily used for protecting which of the following?

    • Web transactions.
    • EDI transactions.
    • Telnet transactions.
    • Electronic Payment transactions.
    Explanation:

    SSL was developed by Netscape Communications Corporation to improve security and privacy of HTTP transactions.

    SSL is one of the most common protocols used to protect Internet traffic.
    It encrypts the messages using symmetric algorithms, such as IDEA, DES, 3DES, and Fortezza, and also calculates the MAC for the message using MD5 or SHA-1. The MAC is appended to the message and encrypted along with the message data.

    The exchange of the symmetric keys is accomplished through various versions of Diffie–Hellman or RSA. TLS is the Internet standard based on SSLv3. TLSv1 is backward compatible with SSLv3. It uses the same algorithms as SSLv3; however, it computes an HMAC instead of a MAC along with other enhancements to improve security.

    The following are incorrect answers:

    “EDI transactions” is incorrect. Electronic Data Interchange (EDI) is not the best answer to this question though SSL could play a part in some EDI transactions.

    “Telnet transactions” is incorrect. Telnet is a character mode protocol and is more likely to be secured by Secure Telnet or replaced by the Secure Shell (SSH) protocols.

    “Electronic payment transactions” is incorrect. Electronic payment is not the best answer to this question though SSL could play a part in some electronic payment transactions.

    Reference(s) used for this question:

    Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 16615-16619). Auerbach Publications. Kindle Edition.
    and
    http://en.wikipedia.org/wiki/Transport_Layer_Security
