SSCP : System Security Certified Practitioner (SSCP) : Part 27

  1. A proxy can control which services (FTP and so on) are used by a workstation, and also aids in protecting the network from outsiders who may be trying to get information about the:

    • network’s design
    • user base
    • operating system design
    • net BIOS’ design

    Explanation:

    To the untrusted host, all traffic seems to originate from the proxy server and addresses on the trusted network are not revealed.

    “User base” is incorrect. The proxy hides the origin of the request from the untrusted host.

    “Operating system design” is incorrect. The proxy hides the origin of the request from the untrusted host.

    “Net BIOS’ design” is incorrect. The proxy hides the origin of the request from the untrusted host.

    References:
    CBK, p. 467
    AIO3, pp. 486 – 490

  2. Good security is built on which of the following concepts?

    • The concept of a pass-through device that only allows certain traffic in and out
    • The Concept of defense in depth
    • The Concept of Preventative controls
    • The Concept of Defensive Controls
    Explanation:

    This is the best of the four answers, as a defense that depends on multiple layers is superior to one where all protection is embedded in a single layer (e.g., a firewall). Defense in depth would include all categories of controls.

    The Following answers are incorrect:

    “Concept of a pass through device that only allows certain traffic in and out” is incorrect. This is one definition of a firewall which can be a component of a defense in depth strategy in combination with other measures.

    “Concept of preventative controls” is incorrect. This is a component of a defense in depth strategy but the core concept is that there must be multiple layers of defenses.

    “Concept of defensive controls” is incorrect. This is a component of a defense in depth strategy but the core concept is that there must be multiple layers of defenses.

    References:
    http://en.wikipedia.org/wiki/Defense_in_depth_(computing)
    http://www.nsa.gov/snac/support/defenseindepth.pdf

  3. A DMZ is also known as a

    • screened subnet
    • three legged firewall
    • a place to attract hackers
    • bastion host
    Explanation:

    This is another name for the demilitarized zone (DMZ) of a network.

    “Three legged firewall” is incorrect. While a DMZ can be implemented on one leg of such a device, this is not the best answer.

    “A place to attract hackers” is incorrect. The DMZ is a way to provide limited public access to an organization’s internal resources (DNS, email, public web, etc.), not an attractant for hackers.

    “Bastion host” is incorrect. A bastion host serves as a gateway between trusted and untrusted networks.

    References:
    CBK, p. 434
    AIO3, pp. 495 – 496

  4. The general philosophy for DMZs is that:

    • any system on the DMZ can be compromised because it’s accessible from the Internet.
    • any system on the DMZ cannot be compromised because it’s not accessible from the Internet.
    • some systems on the DMZ can be compromised because they are accessible from the Internet.
    • any system on the DMZ cannot be compromised because it’s by definition 100 percent safe and not accessible from the Internet.
    Explanation:

    Because the DMZ systems are accessible from the Internet, they are more at risk for attack and compromise and must be hardened appropriately.

    “Any system on the DMZ cannot be compromised because it’s not accessible from the Internet” is incorrect. The reason a system is placed in the DMZ is so it can be accessible from the Internet.

    “Some systems on the DMZ can be compromised because they are accessible from the Internet” is incorrect. All systems in the DMZ face an increased risk of attack and compromise because they are accessible from the Internet.

    “Any system on the DMZ cannot be compromised because it’s by definition 100 percent safe and not accessible from the Internet” is incorrect. Again, a system is placed in the DMZ because it must be accessible from the Internet.

    References:
    CBK, p. 434
    AIO3, p. 483

  5. A DMZ is located:

    • right behind your first Internet facing firewall
    • right in front of your first Internet facing firewall
    • right behind your first network active firewall
    • right behind your first network passive Internet http firewall
    Explanation:

    While the purpose of systems in the DMZ is to allow public access to certain internal network resources (EMAIL, DNS, Web), it is a good practice to restrict that access to the minimum necessary to provide those services through use of a firewall.

    In computer security, a DMZ or Demilitarized Zone (sometimes referred to as a perimeter network) is a physical or logical subnetwork that contains and exposes an organization’s external-facing services to a larger and untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization’s local area network (LAN); an external attacker only has direct access to equipment in the DMZ, rather than any other part of the network. The name is derived from the term “demilitarized zone”, an area between nation states in which military operation is not permitted.

    The following are incorrect answers:

    “Right in front of your first Internet facing firewall” is incorrect. While the purpose of systems in the DMZ is to allow public access to certain internal network resources (EMAIL, DNS, Web), it is a good practice to restrict that access to the minimum necessary to provide those services through use of a firewall.

    “Right behind your first network active firewall” is incorrect. This is an almost-right-sounding answer meant to distract the unwary.

    “Right behind your first network passive Internet http firewall” is incorrect. This is an almost-right-sounding answer meant to distract the unwary.

    References:
    CBK, p. 434
    and
    AIO3, p. 483
    and
    http://en.wikipedia.org/wiki/DMZ_%28computing%29

  6. The Telecommunications Security Domain of information security is also concerned with the prevention and detection of the misuse or abuse of systems, which poses a threat to the tenets of:

    • Confidentiality, Integrity, and Entity (C.I.E.).
    • Confidentiality, Integrity, and Authenticity (C.I.A.).
    • Confidentiality, Integrity, and Availability (C.I.A.).
    • Confidentiality, Integrity, and Liability (C.I.L.).
    Explanation:

    The CIA acronym stands for Confidentiality, Integrity and Availability.

    “Confidentiality, Integrity and Entity (CIE)” is incorrect. “Entity” is not part of the telecommunications domain definition.

    “Confidentiality, Integrity and Authenticity (CIA)” is incorrect. While authenticity is included in the telecommunications domain, CIA is the acronym for confidentiality, integrity and availability.

    “Confidentiality, Integrity, and Liability (CIL)” is incorrect. Liability is not part of the telecommunications domain definition.

    References:
    CBK, pp. 407 – 408

  7. Which of the following elements of telecommunications is not used in assuring confidentiality?

    • Network security protocols
    • Network authentication services
    • Data encryption services
    • Passwords
    Explanation:

    Passwords are one of the multiple ways to authenticate (prove who you claim to be) an identity, which allows confidentiality controls to be enforced so that the identity can only access the information for which it is authorized. It is the authentication that assists in assuring confidentiality, not the passwords themselves.

    “Network security protocols” is incorrect. Network security protocols are quite useful in assuring confidentiality in network communications.

    “Network authentication services” is incorrect. Confidentiality is concerned with allowing only authorized users to access information. An important part of determining authorization is authenticating an identity and this service is supplied by network authentication services.

    “Data encryption services” is incorrect. Data encryption services are quite useful in protecting the confidentiality of information.

    Reference(s) used for this question:
    Official ISC2 Guide to the CISSP CBK, pp. 407 – 520
    AIO 3rd Edition, pp. 415 – 580

  8. Which of the following would be used to detect and correct errors so that integrity and confidentiality of transactions over networks may be maintained while preventing unauthorized interception of the traffic?

    • Information security
    • Server security
    • Client security
    • Communications security
    Explanation:

    Communications security is the discipline of preventing unauthorized interceptors from accessing telecommunications in an intelligible form, while still delivering content to the intended recipients. In the United States Department of Defense culture, it is often referred to by the abbreviation COMSEC. The field includes cryptosecurity, transmission security, emission security, traffic-flow security and physical security of COMSEC equipment.

    The other answers are incorrect:

    Information security
    Information security would be the overall program but communications security is the more specific and better answer. Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.

    The terms information security, computer security and information assurance are frequently, and incorrectly, used interchangeably. These fields are often interrelated and share the common goals of protecting the confidentiality, integrity and availability of information; however, there are some subtle differences between them.

    These differences lie primarily in the approach to the subject, the methodologies used, and the areas of concentration. Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms. Computer security can focus on ensuring the availability and correct operation of a computer system without concern for the information stored or processed by the computer.

    Server security
    While server security plays a part in the overall information security program, communications security is a better answer when talking about data over the network and preventing interception. See publication 800-123 listed in the reference below to learn more.

    Client security
    While client security plays a part in the overall information security program, communications security is a better answer. Securing the client would not prevent interception or capture of data over the network. Today people refer to this as endpoint security.

    References:
    http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf
    and
    https://en.wikipedia.org/wiki/Information_security
    and
    https://en.wikipedia.org/wiki/Communications_security

  9. Which of the following prevents, detects, and corrects errors so that the integrity, availability, and confidentiality of transactions over networks may be maintained?

    • Communications security management and techniques
    • Information security management and techniques
    • Client security management and techniques
    • Server security management and techniques
    Explanation:

    Communications security management and techniques are the best area for addressing this objective.

    “Information security management and techniques” is incorrect. While the overall information security program would include this objective, communications security is the more specific and better answer.

    “Client security management and techniques” is incorrect. While client security plays a part in this overall objective, communications security is the more specific and better answer.

    “Server security management and techniques” is incorrect. While server security plays a part in this overall objective, communications security is the more specific and better answer.

    References:
    CBK, p. 408

  10. Application Layer Firewalls operate at the:

    • OSI protocol Layer seven, the Application Layer.
    • OSI protocol Layer six, the Presentation Layer.
    • OSI protocol Layer five, the Session Layer.
    • OSI protocol Layer four, the Transport Layer.
    Explanation:

    Since the application layer firewall makes decisions based on application-layer information in the packet, it operates at the application layer of the OSI stack.

    “OSI protocol layer 6, the presentation layer” is incorrect. The application layer firewall must have access to the application layer information in the packet and therefore operates at the application layer.

    “OSI protocol layer 5, the session layer” is incorrect. The application layer firewall must have access to the application layer information in the packet and therefore operates at the application layer.

    “OSI protocol layer 4, the transport layer” is incorrect. The application layer firewall must have access to the application layer information in the packet and therefore operates at the application layer.

    References:
    CBK, p. 467
    AIO3, pp. 488 – 490

  11. A variation of the application layer firewall is called a:

    • Current Level Firewall.
    • Cache Level Firewall.
    • Session Level Firewall.
    • Circuit Level Firewall.
    Explanation:

    Terminology can be confusing between the different sources, as both CBK and AIO3 call an application layer firewall a proxy, and proxy servers are generally classified as either circuit-level proxies or application level proxies.

    The distinction is that a circuit level proxy creates a conduit through which a trusted host can communicate with an untrusted one and doesn’t really look at the application contents of the packet (as an application level proxy does). SOCKS is one of the better known circuit-level proxies.

    Firewalls

    Packet Filtering Firewall – First Generation

    • Screening Router
    • Operates at Network and Transport level
    • Examines Source and Destination IP Address
    • Can deny based on ACLs
    • Can specify Port

    Application Level Firewall – Second Generation

    • Proxy Server
    • Copies each packet from one network to the other
    • Masks the origin of the data
    • Operates at layer 7 (Application Layer)
    • Reduces network performance since it has to analyze each packet and decide what to do with it.
    • Also called Application Layer Gateway

    Stateful Inspection Firewalls – Third Generation

    • Packets analyzed at all OSI layers
    • Queued at the network level
    • Faster than Application Level Gateway

    Dynamic Packet Filtering Firewalls – Fourth Generation

    • Allows modification of security rules
    • Mostly used for UDP
    • Remembers all of the UDP packets that have crossed the network’s perimeter, and decides whether to enable packets to pass through the firewall.

    Kernel Proxy – Fifth Generation

    • Runs in NT Kernel
    • Uses dynamic and custom TCP/IP-based stacks to inspect the network packets and to enforce security policies.

    “Current level firewall” is incorrect. This is an almost-right-sounding distractor to confuse the unwary.

    “Cache level firewall” is incorrect. This too is a distractor.

    “Session level firewall” is incorrect. This too is a distractor.

    References:
    CBK, pp. 466 – 467
    AIO3, pp. 486 – 490
    CISSP Study Notes from Exam Prep Guide

  12. A proxy is considered a:

    • first generation firewall.
    • third generation firewall.
    • second generation firewall.
    • fourth generation firewall.
    Explanation:

    The proxy (application layer firewall, circuit level proxy, or application proxy) is a second generation firewall.

    “First generation firewall” is incorrect. A packet filtering firewall is a first generation firewall.

    “Third generation firewall” is incorrect. Stateful firewalls are considered third generation firewalls.

    “Fourth generation firewall” is incorrect. Dynamic packet filtering firewalls are fourth generation firewalls.

    References:
    CBK, p. 464
    AIO3, pp. 482 – 484

    Neither CBK nor AIO3 uses the generation terminology for firewall types, but you will encounter it frequently as a practicing security professional. See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/centri4/user/scf4ch3.htm for a general discussion of the different generations.

  13. An application layer firewall is also called a:

    • Proxy
    • A Presentation Layer Gateway.
    • A Session Layer Gateway.
    • A Transport Layer Gateway.
    Explanation:

    An application layer firewall can also be called a proxy.

    “A presentation layer gateway” is incorrect. A gateway connects two unlike environments and is usually required to translate between different types of applications or protocols. This is not the function of a firewall.

    “A session layer gateway” is incorrect. A gateway connects two unlike environments and is usually required to translate between different types of applications or protocols. This is not the function of a firewall.

    “A transport layer gateway” is incorrect. A gateway connects two unlike environments and is usually required to translate between different types of applications or protocols. This is not the function of a firewall.

    References:
    CBK, p. 467
    AIO3, pp. 486 – 490, 960

  14. In stateful inspection firewalls, packets are:

    • Inspected at only one layer of the Open System Interconnection (OSI) model
    • Inspected at all Open System Interconnection (OSI) layers
    • Decapsulated at all Open Systems Interconnect (OSI) layers.
    • Encapsulated at all Open Systems Interconnect (OSI) layers.
    Explanation:

    Many times when a connection is opened, the firewall will inspect all layers of the packet. While this inspection is scaled back for subsequent packets to improve performance, this is the best of the four answers.

    When packet filtering is used, a packet arrives at the firewall, and it runs through its ACLs to determine whether this packet should be allowed or denied. If the packet is allowed, it is passed on to the destination host, or to another network device, and the packet filtering device forgets about the packet. This is different from stateful inspection, which remembers and keeps track of what packets went where until each particular connection is closed. A stateful firewall is like a nosy neighbor who gets into people’s business and conversations. She keeps track of the suspicious cars that come into the neighborhood, who is out of town for the week, and the postman who stays a little too long at the neighbor lady’s house. This can be annoying until your house is burglarized. Then you and the police will want to talk to the nosy neighbor, because she knows everything going on in the neighborhood and would be the one most likely to know something unusual happened.

    “Inspected at only one Open Systems Interconnection (OSI) layer” is incorrect. To perform stateful packet inspection, the firewall must consider at least the network and transport layers.

    “Decapsulated at all Open Systems Interconnection (OSI) layers” is incorrect. The headers are not stripped (“decapsulated” if there is such a word) and are passed through in their entirety IF the packet is passed.

    “Encapsulated at all Open Systems Interconnect (OSI) layers” is incorrect. Encapsulation refers to the adding of a layer’s header/trailer to the information received from the above level. This is done when the packet is assembled not at the firewall.

    Reference(s) used for this question:
    CBK, p. 466
    Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (pp. 632-633). McGraw-Hill. Kindle Edition.

  15. When an outgoing request is made on a port number greater than 1023, this type of firewall creates an ACL to allow the incoming reply on that port to pass:

    • packet filtering
    • Circuit level proxy
    • Dynamic packet filtering
    • Application level proxy
    Explanation:

    The dynamic packet filtering firewall is able to create ACLs on the fly to allow replies on dynamic ports (higher than 1023).

    “Packet filtering” is incorrect. The packet filtering firewall usually requires that the dynamic ports be left open as a group in order to handle this situation.

    “Circuit level proxy” is incorrect. The circuit level proxy builds a conduit between the trusted and untrusted hosts and does not work by dynamically creating ACLs.

    “Application level proxy” is incorrect. The application level proxy “proxies” for the trusted host in its communications with the untrusted host. It does not dynamically create ACLs to control traffic.

  16. A circuit level proxy is ___________________ when compared to an application level proxy.

    • lower in processing overhead.
    • more difficult to maintain.
    • more secure.
    • slower.
    Explanation:

    Since the circuit level proxy does not analyze the application content of the packet in making its decisions, it has lower overhead than an application level proxy.

    “More difficult to maintain” is incorrect. Circuit level proxies are typically easier to configure and simpler to maintain than an application level proxy.

    “More secure” is incorrect. A circuit level proxy is not necessarily more secure than an application layer proxy.

    “Slower” is incorrect. Because it is lower in overhead, a circuit level proxy is typically faster than an application level proxy.

    References:
    CBK, pp. 466 – 467
    AIO3, pp. 488 – 490

  17. In a stateful inspection firewall, data packets are captured by an inspection engine that is operating at the:

    • Network or Transport Layer.
    • Application Layer.
    • Inspection Layer.
    • Data Link Layer.
    Explanation:

    Most stateful packet inspection firewalls work at the network or transport layers. For the TCP/IP protocol, this allows the firewall to make decisions on IP addresses, protocols, and TCP/UDP port numbers.

    “Application layer” is incorrect. This is too high in the OSI stack for this type of firewall.

    “Inspection layer” is incorrect. There is no such layer in the OSI stack.

    “Data link layer” is incorrect. This is too low in the OSI stack for this type of firewall.

    References:
    CBK, p. 466
    AIO3, pp. 485 – 486

  18. Which of the following biometric parameters are better suited for authentication use over a long period of time?

    • Iris pattern
    • Voice pattern
    • Signature dynamics
    • Retina pattern
    Explanation:

    The iris pattern is considered lifelong. Unique features of the iris are: freckles, rings, rifts, pits, striations, fibers, filaments, furrows, vasculature and coronas. Voice, signature and retina patterns are more likely to change over time, thus are not as suitable for authentication over a long period of time without needing re-enrollment.

    Source: FERREL, Robert G, Questions and Answers for the CISSP Exam, domain 1 (derived from the Information Security Management Handbook, 4th Ed., by Tipton & Krause).

  19. In the CIA triad, what does the letter A stand for?

    • Auditability
    • Accountability
    • Availability
    • Authentication
    Explanation:

    The CIA triad stands for Confidentiality, Integrity and Availability.

  20. Which type of control is concerned with avoiding occurrences of risks?

    • Deterrent controls
    • Detective controls
    • Preventive controls
    • Compensating controls
    Explanation:

    Preventive controls are concerned with avoiding occurrences of risks, while deterrent controls are concerned with discouraging violations. Detective controls identify occurrences, and compensating controls are alternative controls used to compensate for weaknesses in other controls. Supervision is an example of a compensating control.

    Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.