SSCP : System Security Certified Practitioner (SSCP) : Part 48

  1. Which of the following is an advantage of prototyping?

    • Prototype systems can provide significant time and cost savings.
    • Change control is often less complicated with prototype systems.
    • It ensures that functions or extras are not added to the intended system.
    • Strong internal controls are easier to implement.

    Explanation:

    Prototype systems can provide significant time and cost savings; however, they also have several disadvantages. They often have poor internal controls, change control becomes much more complicated, and they often lead to functions or extras being added to the system that were not originally intended.
    Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 306).

  2. Which of the following is a CHARACTERISTIC of a decision support system (DSS) with regard to Threats and Risks Analysis?

    • DSS is aimed at solving highly structured problems.
    • DSS emphasizes flexibility in the decision making approach of users.
    • DSS supports only structured decision-making tasks.
    • DSS combines the use of models with non-traditional data access and retrieval functions.

    Explanation:

    DSS emphasizes flexibility in the decision-making approach of users. It is aimed at solving less structured problems, combines the use of models and analytic techniques with traditional data access and retrieval functions and supports semi-structured decision-making tasks.

    DSS is sometimes referred to as the Delphi Method or Delphi Technique:
    The Delphi technique is a group decision method used to ensure that each member gives an honest opinion of what he or she thinks the result of a particular threat will be. This avoids a group of individuals feeling pressured to go along with others’ thought processes and enables them to participate in an independent and anonymous way. Each member of the group provides his or her opinion of a certain threat and turns it in to the team that is performing the analysis. The results are compiled and distributed to the group members, who then write down their comments anonymously and return them to the analysis group. The comments are compiled and redistributed for more comments until a consensus is formed. This method is used to obtain an agreement on cost, loss values, and probabilities of occurrence without individuals having to agree verbally.

    Here is the ISC2 book coverage of the subject:
    One of the methods that uses consensus relative to valuation of information is the consensus/modified Delphi method. Participants in the valuation exercise are asked to comment anonymously on the task being discussed. This information is collected and disseminated to a participant other than the original author. This participant comments upon the observations of the original author. The information gathered is discussed in a public forum and the best course is agreed upon by the group (consensus).

    EXAM TIP:
    The DSS is what some of the books are referring to as the Delphi Method or Delphi Technique. Be familiar with both terms for the purpose of the exam.

    The other answers are incorrect:

    ‘DSS is aimed at solving highly structured problems’ is incorrect because it is aimed at solving less structured problems.

    ‘DSS supports only structured decision-making tasks’ is also incorrect as it supports semi-structured decision-making tasks.

    ‘DSS combines the use of models with non-traditional data access and retrieval functions’ is also incorrect as it combines the use of models and analytic techniques with traditional data access and retrieval functions.

    Reference(s) used for this question:

    Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (p. 91). McGraw-Hill. Kindle Edition.
    and
    Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition : Information Security Governance and Risk Management ((ISC)2 Press) (Kindle Locations 1424-1426). Auerbach Publications. Kindle Edition.

  3. Which of the following BEST explains why computerized information systems frequently fail to meet the needs of users?

    • Inadequate quality assurance (QA) tools.
    • Constantly changing user needs.
    • Inadequate user participation in defining the system’s requirements.
    • Inadequate project management.

    Explanation:

    Inadequate user participation in defining the system’s requirements. Most projects fail to meet the needs of the users because there was inadequate input in the initial steps of the project from the user community and what their needs really are.

    The other answers, while potentially valid, are incorrect because they do not represent the most common problem associated with information systems failing to meet the needs of users.

    Reference: All in One, p. 834

    Only users can define what their needs are and, therefore, what the system should accomplish. Lack of adequate user involvement, especially in the systems requirements phase, will usually result in a system that doesn’t fully or adequately address the needs of the user.
    Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 296).

  4. Which of the following would be the MOST serious risk where a systems development life cycle methodology is inadequate?

    • The project will be completed late.
    • The project will exceed the cost estimates.
    • The project will be incompatible with existing systems.
    • The project will fail to meet business and user needs.

    Explanation:

    This is the most serious risk of an inadequate systems development life cycle methodology.

    The following answers are incorrect because :

    The project will be completed late is incorrect as it is not as devastating as the above answer.

    The project will exceed the cost estimates is also incorrect when compared to the above correct answer.

    The project will be incompatible with existing systems is also incorrect when compared to the above correct answer.

    Reference: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 290).

  5. What would BEST define a covert channel?

    • An undocumented backdoor that has been left by a programmer in an operating system
    • An open system port that should be closed.
    • A communication channel that allows transfer of information in a manner that violates the system’s security policy.
    • A trojan horse.

    Explanation:

    The Answer: A communication channel that allows transfer of information in a manner that violates the system’s security policy.

    A covert channel is a way for an entity to receive information in an unauthorized manner. It is an information flow that is not controlled by a security mechanism. This type of information path was not developed for communication; thus, the system does not properly protect this path, because the developers never envisioned information being passed in this way.

    Receiving information in this manner clearly violates the system’s security policy. The channel to transfer this unauthorized data is the result of one of the following conditions:

    • Oversight in the development of the product
    • Improper implementation of access controls
    • Existence of a shared resource between the two entities
    • Installation of a Trojan horse

    The following answers are incorrect:

    An undocumented backdoor that has been left by a programmer in an operating system is incorrect because it is not a means by which unauthorized transfer of information takes place. Such a backdoor is usually referred to as a Maintenance Hook.

    An open system port that should be closed is incorrect as it does not define a covert channel.

    A trojan horse is incorrect because it is a program that looks like a useful program but, when you install it, it includes a bonus such as a Worm, Backdoor, or some other malware without the installer knowing about it.

    Reference(s) used for this question:

    Shon Harris AIO v3, Chapter 5: Security Models & Architecture
    AIOv4 Security Architecture and Design (pages 343 – 344)
    AIOv5 Security Architecture and Design (pages 345 – 346)

  6. Which of the following is NOT an administrative control?

    • Logical access control mechanisms
    • Screening of personnel
    • Development of policies, standards, procedures and guidelines
    • Change control procedures

    Explanation:

    It is considered to be a technical control.

    Logical is synonymous with Technical Control. That was the easy answer.

    There are three broad categories of access control: Administrative, Technical, and Physical.

    Each category has different access control mechanisms that can be carried out manually or automatically. All of these access control mechanisms should work in concert with each other to protect an infrastructure and its data.

    Each category of access control has several components that fall within it, as shown here:

    Administrative Controls

    • Policy and procedures
    • Personnel controls
    • Supervisory structure
    • Security-awareness training
    • Testing

    Physical Controls

    • Network segregation
    • Perimeter security
    • Computer controls
    • Work area separation
    • Data backups

    Technical Controls

    • System access
    • Network architecture
    • Network access
    • Encryption and protocols
    • Control zone
    • Auditing

    The following answers are incorrect :

    Screening of personnel is considered to be an administrative control.

    Development of policies, standards, procedures and guidelines is considered to be an administrative control.

    Change control procedures are considered to be an administrative control.

    Reference: Shon Harris AIO v3, Chapter 3: Security Management Practices, pages 52-54

  7. Which of the following is an advantage in using a bottom-up versus a top-down approach to software testing?

    • Interface errors are detected earlier.
    • Errors in critical modules are detected earlier.
    • Confidence in the system is achieved earlier.
    • Major functions and processing are tested earlier.

    Explanation:

    The bottom-up approach to software testing begins with the testing of atomic units, such as programs and modules, and works upwards until complete system testing has taken place. The advantages of using a bottom-up approach to software testing are that there is no need for stubs or drivers and that errors in critical modules are found earlier. The other choices refer to advantages of a top-down approach, which follows the opposite path.

    Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 299).

  8. Which of the following would be the best reason for separating the test and development environments?

    • To restrict access to systems under test.
    • To control the stability of the test environment.
    • To segregate user and development staff.
    • To secure access to systems under development.

    Explanation:

    The test environment must be controlled and stable in order to ensure that development projects are tested in a realistic environment which, as far as possible, mirrors the live environment.

    Reference(s) used for this question:
    Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 309).

  9. Which of the following would MOST likely ensure that a system development project meets business objectives?

    • Development and tests are run by different individuals
    • User involvement in system specification and acceptance
    • Development of a project plan identifying all development activities
    • Strict deadlines and budgets

    Explanation:

    Effective user involvement is the most critical factor in ensuring that the application meets business objectives.

    A great way of getting early input from the user community is by using Prototyping. The prototyping method was formally introduced in the early 1980s to combat the perceived weaknesses of the waterfall model with regard to the speed of development. The objective is to build a simplified version (prototype) of the application, release it for review, and use the feedback from the users’ review to build a second, better version.

    This is repeated until the users are satisfied with the product. It is a four-step process:

    • initial concept,
    • design and implement initial prototype,
    • refine prototype until acceptable, and
    • complete and release final version.

    There is also the Modified Prototype Model (MPM). This is a form of prototyping that is ideal for Web application development. It allows for the basic functionality of a desired system or component to be formally deployed in a quick time frame. The maintenance phase is set to begin after the deployment. The goal is to have the process be flexible enough that the application is not based on the state of the organization at any given time. As the organization grows and the environment changes, the application evolves with it, rather than being frozen in time.

    Reference(s) used for this question:

    Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 12101-12108 and 12099-12101). Auerbach Publications. Kindle Edition.
    and
    Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 296).

  10. What is RAD?

    • A development methodology
    • A project management technique
    • A measure of system complexity
    • Risk-assessment diagramming

    Explanation:

    RAD stands for Rapid Application Development.

    RAD is a methodology that enables organizations to develop strategically important systems faster while reducing development costs and maintaining quality.

    RAD is a programming system that enables programmers to quickly build working programs.

    In general, RAD systems provide a number of tools to help build graphical user interfaces that would normally take a large development effort.

    Two of the most popular RAD systems for Windows are Visual Basic and Delphi. Historically, RAD systems have tended to emphasize reducing development time, sometimes at the expense of generating inefficient executable code. Nowadays, though, many RAD systems produce much faster, optimized code.

    Conversely, many traditional programming environments now come with a number of visual tools to aid development. Therefore, the line between RAD systems and other development environments has become blurred.

    Reference:
    Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 307)

  11. An area of the Telecommunications and Network Security domain that directly affects the Information Systems Security tenet of Availability can be defined as:

    • Netware availability
    • Network availability
    • Network acceptability
    • Network accountability

    Explanation:

    Network availability can be defined as an area of the Telecommunications and Network Security domain that directly affects the Information Systems Security tenet of Availability.

    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 64.

  12. Risk analysis is MOST useful when applied during which phase of the system development process?

    • Project initiation and Planning
    • Functional Requirements definition
    • System Design Specification
    • Development and Implementation

    Explanation:

    In most projects the conditions for failure are established at the beginning of the project. Thus risk management should be established at the commencement of the project with a risk assessment during project initiation.

    As it is clearly stated in the ISC2 book: Security should be included at the first phase of development and throughout all of the phases of the system development life cycle. This is a key concept to understand for the purpose of the exam.

    The most useful time is to undertake it at project initiation, although it is often valuable to update the current risk analysis at later stages.

    Attempting to retrofit security after the SDLC is completed would cost a lot more money and might be impossible in some cases. Look at the family of browsers we use today: for the past 8 years each release has been claimed to be the most secure version yet, and within days vulnerabilities are found.

    Risks should be monitored throughout the SDLC of the project and reassessed when appropriate.

    The phases of the SDLC can vary from one source to another. It could be as simple as Concept, Design, and Implementation. It could also be expanded to include more phases, such as this list proposed within the ISC2 Official Study book:

    Project Initiation and Planning
    Functional Requirements Definition
    System Design Specification
    Development and Implementation
    Documentations and Common Program Controls
    Testing and Evaluation Control, certification and accreditation (C&A)
    Transition to production (Implementation)

    And there are two phases that will extend beyond the SDLC, they are:

    Operation and Maintenance Support (O&M)
    Revisions and System Replacement (Disposal)

    Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 291).
    and
    The Official ISC2 Guide to the CISSP CBK , Second Edition, Page 182-185

  13. Which of the following is not a preventive control?

    • Deny programmer access to production data.
    • Require change requests to include information about dates, descriptions, cost analysis and anticipated effects.
    • Run a source comparison program between control and current source periodically.
    • Establish procedures for emergency changes.

    Explanation:

    Running the source comparison program between control and current source periodically allows detection, not prevention, of unauthorized changes in the production environment. The other options are preventive controls.

    Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 309).

  14. Which of the following would provide the BEST stress testing environment taking under consideration and avoiding possible data exposure and leaks of sensitive data?

    • Test environment using test data.
    • Test environment using sanitized live workloads data.
    • Production environment using test data.
    • Production environment using sanitized live workloads data.
    Explanation:

    The best way to properly verify an application or system during a stress test would be to expose it to “live” data that has been sanitized to avoid exposing any sensitive information or Personally Identifiable Information (PII) while in a testing environment. Fabricated test data may not be as varied, complex or computationally demanding as “live” data. A production environment should never be used to test a product, as a production environment is one where the application or system is being put to commercial or operational use. It is a best practice to perform testing in a non-production environment.

    Stress testing is carried out to ensure a system can cope with production workloads, but as it may be tested to destruction, a test environment should always be used to avoid damaging the production environment. Hence, testing should never take place in a production environment. If only test data is used, there is no certainty that the system was adequately stress tested.

    Incorrect answers:

    Test environment using test data. This is incorrect because live data is typically more useful during stress testing.

    Production environment using test data. This is incorrect because the production environment should not be used for testing.

    Production environment using sanitized live workloads data. This is incorrect because the production environment should not be used for testing.

    Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 299).
    And:
    KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 251.

  15. Which of the following best describes the purpose of debugging programs?

    • To generate random data that can be used to test programs before implementing them.
    • To ensure that program coding flaws are detected and corrected.
    • To protect, during the programming phase, valid changes from being overwritten by other changes.
    • To compare source code versions before transferring to the test environment

    Explanation:
    Debugging provides the basis for the programmer to correct the logic errors in a program under development before it goes into production.
    Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 298).

  16. Which of the following would best describe the difference between white-box testing and black-box testing?

    • White-box testing is performed by an independent programmer team.
    • Black-box testing uses the bottom-up approach.
    • White-box testing examines the program internal logical structure.
    • Black-box testing involves the business units

    Explanation:

    Black-box testing observes the system’s external behavior, while white-box testing is a detailed examination of the program’s logical paths, checking the possible conditions.
    Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 299).

  17. Which of the following is NOT a technical control?

    • Password and resource management
    • Identification and authentication methods
    • Monitoring for physical intrusion
    • Intrusion Detection Systems

    Explanation:

    It is considered to be a ‘Physical Control’.

    There are three broad categories of access control: administrative, technical, and physical. Each category has different access control mechanisms that can be carried out manually or automatically. All of these access control mechanisms should work in concert with each other to protect an infrastructure and its data.

    Each category of access control has several components that fall within it; a partial list is shown here. Not all controls fall into a single category: many controls belong to two or more categories. Below, backups are used as an example of a control that appears in all three categories:

    Administrative Controls

    • Policy and procedures (a backup policy would be in place)
    • Personnel controls
    • Supervisory structure
    • Security-awareness training
    • Testing

    Physical Controls

    • Network segregation
    • Perimeter security
    • Computer controls
    • Work area separation
    • Data backups (actual storage of the media, i.e. an offsite storage facility)
    • Cabling

    Technical Controls

    • System access
    • Network architecture
    • Network access
    • Encryption and protocols
    • Control zone
    • Auditing
    • Backup (the actual software doing the backups)

    The following answers are incorrect :

    Password and resource management is considered to be a logical or technical control.

    Identification and authentication methods are considered to be logical or technical controls.

    Intrusion Detection Systems are considered to be logical or technical controls.

    Reference: Shon Harris, AIO v3, Chapter 4: Access Control, pages 180-185

  18. Which of the following choices describe a condition when RAM and Secondary storage are used together?

    • Primary storage
    • Secondary storage
    • Virtual storage
    • Real storage

    Explanation:

    Virtual storage is a service provided by the operating system in which it uses a combination of RAM and disk storage to simulate a much larger address space than is physically present. Infrequently used portions of memory are paged out by being written to secondary storage and paged back in when required by a running program.

    Most OSs have the ability to simulate having more main memory than is physically available in the system. This is done by storing part of the data on secondary storage, such as a disk. This can be considered a virtual page. If the data requested by the system is not currently in main memory, a page fault is taken. This condition triggers the OS handler. If the virtual address is a valid one, the OS will locate the physical page, put the right information in that page, update the translation table, and then try the request again. Some other page might be swapped out to make room. Each process may have its own separate virtual address space along with its own mappings and protections.

    The following are incorrect answers:
    Primary storage is incorrect. Primary storage refers to the combination of RAM, cache and the processor registers. While data waits for processing by the processors, it sits in a staging area called primary storage. Whether implemented as memory, cache, or registers (part of the CPU), and regardless of its location, primary storage stores data that has a high probability of being requested by the CPU, so it is usually faster than long-term, secondary storage. The location where data is stored is denoted by its physical memory address. This memory register identifier remains constant and is independent of the value stored there. Some examples of primary storage devices include random-access memory (RAM), synchronous dynamic random-access memory (SDRAM), and read-only memory (ROM). RAM is volatile, that is, when the system shuts down, it flushes the data in RAM, although recent research has shown that data may still be retrievable. Contrast this

    Secondary storage is incorrect. Secondary storage holds data not currently being used by the CPU and is used when data must be stored for an extended period of time using high-capacity, nonvolatile storage. Secondary storage includes disks, floppies, CDs, tape, etc. While secondary storage includes basically anything different from primary storage, virtual memory’s use of secondary storage is usually confined to high-speed disk storage.

    Real storage is incorrect. Real storage is another word for primary storage and distinguishes physical memory from virtual memory.

    Reference(s) used for this question:

    Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 17164-17171). Auerbach Publications. Kindle Edition.

    Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 17196-17201). Auerbach Publications. Kindle Edition.

    Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 17186-17187). Auerbach Publications. Kindle Edition.

  19. Which of the following statements pertaining to protection rings is false?

    • They provide strict boundaries and definitions on what the processes that work within each ring can access.
    • Programs operating in inner rings are usually referred to as existing in a privileged mode.
    • They support the CIA triad requirements of multitasking operating systems.
    • They provide users with a direct access to peripherals

    Explanation:

    In computer science, hierarchical protection domains, often called protection rings, are mechanisms to protect data and functionality from faults (fault tolerance) and malicious behaviour (computer security). This approach is diametrically opposite to that of capability-based security.

    Computer operating systems provide different levels of access to resources. A protection ring is one of two or more hierarchical levels or layers of privilege within the architecture of a computer system. This is generally hardware-enforced by some CPU architectures that provide different CPU modes at the hardware or microcode level.

    Rings are arranged in a hierarchy from most privileged (most trusted, usually numbered zero) to least privileged (least trusted, usually with the highest ring number). On most operating systems, Ring 0 is the level with the most privileges and interacts most directly with the physical hardware such as the CPU and memory.

    Special gates between rings are provided to allow an outer ring to access an inner ring’s resources in a predefined manner, as opposed to allowing arbitrary usage. Correctly gating access between rings can improve security by preventing programs from one ring or privilege level from misusing resources intended for programs in another. For example, spyware running as a user program in Ring 3 should be prevented from turning on a web camera without informing the user, since hardware access should be a Ring 1 function reserved for device drivers. Programs such as web browsers running in higher numbered rings must request access to the network, a resource restricted to a lower numbered ring.

    “They provide strict boundaries and definitions on what the processes that work within each ring can access” is incorrect. This is in fact one of the characteristics of a ring protection system.

    “Programs operating in inner rings are usually referred to as existing in a privileged mode” is incorrect. This is in fact one of the characteristics of a ring protection system.

    “They support the CIA triad requirements of multitasking operating systems” is incorrect. This is in fact one of the characteristics of a ring protection system.

    Reference(s) used for this question:

    CBK, pp. 310-311
    AIO3, pp. 253-256
    AIOv4 Security Architecture and Design (pages 308 – 310)
    AIOv5 Security Architecture and Design (pages 309 – 312)

  20. Which of the following is not a responsibility of an information (data) owner?

    • Determine what level of classification the information requires.
    • Periodically review the classification assignments against business needs.
    • Delegate the responsibility of data protection to data custodians.
    • Running regular backups and periodically testing the validity of the backup data.

    Explanation:

    This responsibility would be delegated to a data custodian rather than being performed directly by the information owner.

    “Determine what level of classification the information requires” is incorrect. This is one of the major responsibilities of an information owner.

    “Periodically review the classification assignments against business needs” is incorrect. This is one of the major responsibilities of an information owner.

    “Delegate the responsibility of data protection to data custodians” is incorrect. This is a responsibility of the information owner.

    References:
    CBK p. 105.
    AIO3, p. 53-54, 960
