Smarter, faster prep for the SSCP exam. The (ISC)² SSCP Official Practice Tests is the only (ISC)²-endorsed set of practice questions for the Systems Security Certified Practitioner (SSCP). This book's first seven chapters cover each of the seven domains on the SSCP exam with sixty or more questions per domain, so you can focus your study efforts exactly where you need more review. When you feel well prepared, use the two complete practice exams from Sybex's online interactive learning environment as time trials to assess your readiness to take the exam.

Coverage of all exam objectives, including:

* Access Controls
* Security Operations and Administration
* Risk Identification, Monitoring, and Analysis
* Incident Response and Recovery
* Cryptography
* Network and Communications Security
* Systems and Application Security

SSCP certification demonstrates you have the advanced technical skills and knowledge to implement, monitor and administer IT infrastructure using security best practices, policies and procedures. It's ideal for students pursuing cybersecurity degrees as well as those in the field looking to take their careers to the next level.
Page count: 450
Year of publication: 2018
Mike Chapple
David Seidl
Technical Editor: Scott Pike
Production Manager: Kathleen Wisor
Copy Editor: Kim Wimpsett
Editorial Manager: Pete Gaughan
Associate Publisher: Jim Minatel
Book Designer: Judy Fung and Bill Gibson
Proofreader: Nancy Carrasco
Indexer: Johnna VanHoose Dinse
Project Coordinator, Cover: Brent Savage
Cover Designer: Wiley
Cover Image: ©Jeremy Woodhouse/Getty Images, Inc.
Copyright © 2019 by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-1-119-54305-3
ISBN: 978-1-119-54299-5 (ebk.)
ISBN: 978-1-119-54309-1 (ebk.)
Manufactured in the United States of America
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.
For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.
Library of Congress Control Number: 2018957472
TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. (ISC)² is a registered trademark and SSCP is a registered certification mark of International Information Systems Security Certificate Consortium, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.
The authors would like to thank the many people who made this book possible. First, Ricky Chapple and Matthew Chapple provided crucial assistance in formatting and laying out the chapters for this book. Without their help, we would never have completed this project on schedule.
We also owe our thanks to a large supporting team from the publishing world. Jim Minatel at Wiley Publishing helped us extend the Sybex security certification franchise to include this new title and gain important support from the International Information Systems Security Consortium (ISC)2. Carole Jelen, our agent, worked on a myriad of logistic details and handled the business side of the book with her usual grace and commitment to excellence. Scott Pike, our technical editor, pointed out many opportunities to improve our work and deliver a high-quality final product. Benji served as the project editor and managed the project smoothly. Many other people we’ll never meet worked behind the scenes to make this book a success.
Mike Chapple, Ph.D., Security+, CISSP, CISA, PenTest+, CySA+, is associate teaching professor of IT, analytics, and operations at the University of Notre Dame. He is also academic director of the university’s master’s program in business analytics.
Mike is a cybersecurity professional with more than 20 years of experience in the field. Prior to his current role, Mike served as the senior director for IT service delivery at Notre Dame, where he oversaw the university’s cybersecurity program, cloud computing efforts, and other areas. Mike also previously served as chief information officer of Brand Institute and an information security researcher with the National Security Agency and the U.S. Air Force.
Mike is a frequent contributor to several magazines and websites and is the author or coauthor of more than 25 books including CISSP Official (ISC)2 Study Guide, CISSP Official (ISC)2 Practice Tests, CompTIA CySA+ Study Guide, and CompTIA CySA+ Practice Tests, all from Wiley, and Cyberwarfare: Information Operations in a Connected World from Jones and Bartlett.
Mike offers free study groups for the PenTest+, CySA+, Security+, CISSP, and SSCP certifications at his website, certmike.com.
David Seidl is the Vice President for Information Technology and CIO at Miami University of Ohio. During his more than 23 years in information technology, he has served in a variety of leadership, technical, and information security roles, including leading the University of Notre Dame’s Campus Technology Services operations and infrastructure division as well as heading up Notre Dame’s information security team as Notre Dame’s director of information security.
He has written books on security certification and cyberwarfare, including co-authoring CompTIA CySA+ Study Guide: Exam CS0-001, CompTIA CySA+ Practice Tests: Exam CS0-001, and CISSP Official (ISC)2 Practice Tests, all from Wiley, and Cyberwarfare: Information Operations in a Connected World from Jones and Bartlett.
David holds a bachelor’s degree in communication technology and a master’s degree in information security from Eastern Michigan University, as well as CISSP, GPEN, GCIH, CySA+, and PenTest+ certifications.
Introduction
SSCP Certification
Taking the SSCP Exam
Work Experience Requirement
Recertification Requirements
Using This Book to Practice
Using the Online Practice Tests
Chapter 1 Access Controls (Domain 1)
Chapter 2 Security Operations and Administration (Domain 2)
Chapter 3 Risk Identification, Monitoring, and Analysis (Domain 3)
Chapter 4 Incident Response and Recovery (Domain 4)
Chapter 5 Cryptography (Domain 5)
Chapter 6 Network and Communications Security (Domain 6)
Chapter 7 Systems and Application Security (Domain 7)
Chapter 8 Practice Test 1
Chapter 9 Practice Test 2
Appendix Answers to Review Questions
Chapter 1: Access Controls (Domain 1)
Chapter 2: Security Operations and Administration (Domain 2)
Chapter 3: Risk Identification, Monitoring, and Analysis (Domain 3)
Chapter 4: Incident Response and Recovery (Domain 4)
Chapter 5: Cryptography (Domain 5)
Chapter 6: Network and Communications Security (Domain 6)
Chapter 7: Systems and Application Security (Domain 7)
Chapter 8: Practice Test 1
Chapter 9: Practice Test 2
Index
Advert
End User License Agreement
SSCP Official (ISC)2 Practice Tests is a companion volume to the SSCP (ISC)2 Systems Security Certified Practitioner Official Study Guide. If you’re looking to test your knowledge before you take the SSCP exam, this book will help you by providing a combination of practice questions that cover the SSCP Common Body of Knowledge and easy-to-understand explanations of both right and wrong answers.
If you’re just starting to prepare for the SSCP exam, we highly recommend that you use the SSCP (ISC)2 Certified Information Systems Security Professional Official Study Guide to help you learn about each of the domains covered by the SSCP exam. Once you’re ready to test your knowledge, use this book to help find places where you may need to study more, or to practice for the exam itself.
Since this is a companion to the SSCP Study Guide, this book is designed to be similar to taking the SSCP exam. It contains multipart scenarios as well as standard multiple-choice questions similar to those you may encounter in the certification exam itself. The book itself is broken up into 9 chapters: 7 domain-centric chapters covering each domain, and 2 chapters that contain full-length practice tests to simulate taking the exam itself.
The SSCP certification is offered by the International Information System Security Certification Consortium, or (ISC)2, a global nonprofit. The mission of (ISC)2 is to support and provide members and constituents with credentials, resources, and leadership to address cyber, information, software, and infrastructure security to deliver value to society. They achieve this mission by delivering the world’s leading information security certification program. The SSCP is the entry-level credential in this series and is accompanied by several other (ISC)2 programs:
Certified Information Systems Security Professional (CISSP)
Certified Authorization Professional (CAP)
Certified Secure Software Lifecycle Professional (CSSLP)
Certified Cyber Forensic Professional (CCFP)
HealthCare Information Security Privacy Practitioner (HCISPP)
Certified Cloud Security Professional (CCSP)
There are also three advanced CISSP certifications for those who wish to move on from the base credential to demonstrate advanced expertise in a domain of information security:
Information Systems Security Architecture Professional (CISSP-ISSAP)
Information Systems Security Engineering Professional (CISSP-ISSEP)
Information Systems Security Management Professional (CISSP-ISSMP)
The SSCP certification covers seven domains of information security knowledge. These domains are meant to serve as the broad knowledge foundation required to succeed in the information security profession. They include:
Access Controls
Security Operations and Administration
Risk Identification, Monitoring, and Analysis
Incident Response and Recovery
Cryptography
Network and Communications Security
Systems and Application Security
Complete details on the SSCP Common Body of Knowledge (CBK) are contained in the Candidate Information Bulletin (CIB). The CIB, which includes a full outline of exam topics, can be found on the ISC2 website at www.isc2.org.
The SSCP exam is a 3-hour exam that consists of 125 questions covering the seven domains. Passing requires achieving a score of at least 700 out of 1,000 points. It’s important to understand that this is a scaled score, meaning that not every question is worth the same number of points. Questions of differing difficulty may factor into your score more or less heavily. That said, as you work through these practice exams, you might want to use 70 percent as a yardstick to help you get a sense of whether you’re ready to sit for the actual exam. When you’re ready, you can schedule an exam via links provided on the (ISC)2 website—tests are offered in locations throughout the world.
The questions on the SSCP exam are all multiple-choice questions with four answer options. You will be asked to select the one correct answer for each question. Watch out for questions that ask you to exercise judgement—these are commonly used on (ISC)2 exams. You might be asked to identify the “best” option or select the “least” expensive approach. These questions require that you use professional judgement to come to the correct answer.
Almost all SSCP exams are now administered in a computer-based testing (CBT) format. You’ll register for the exam through the Pearson Vue website and may take the exam in the language of your choice. It is offered in English, Japanese, and Brazilian Portuguese.
You’ll take the exam in a computer-based testing center located near your home or office. The centers administer many different exams, so you may find yourself sitting in the same room as a student taking a school entrance examination and a healthcare professional earning a medical certification. If you’d like to become more familiar with the testing environment, the Pearson Vue website offers a virtual tour of a testing center: https://home.pearsonvue.com/test-taker/Pearson-Professional-Center-Tour.aspx.
When you sit down to take the exam, you’ll be seated at a computer that has the exam software already loaded and running. It’s a pretty straightforward interface that allows you to navigate through the exam. You can download a practice exam and tutorial from Pearson at: http://www.vue.com/athena/athena.asp.
If you don’t pass the SSCP exam, you shouldn’t panic. Many individuals don’t reach the bar on their first attempt but gain valuable experience that helps them succeed the second time around. When you retake the exam, you’ll have the benefit of familiarity with the CBT environment and SSCP exam format. You’ll also have time to study up on the areas where you felt less confident.
After your first exam attempt, you must wait 30 days before retaking the computer-based exam. If you’re not successful on that attempt, you must then wait 90 days before your third attempt and 180 days before your fourth attempt. You may not take the exam more than three times in a single calendar year.
Candidates who wish to earn the SSCP credential must not only pass the exam but also demonstrate that they have at least one year of work experience in the information security field. Your work experience must cover activities in at least one of the seven domains of the SSCP program and must be paid employment.
You may be eligible to waive the work experience requirement based on your educational achievements. If you hold a bachelor’s or master’s degree in cybersecurity, you may be eligible for a degree waiver that covers one of those years. For more information see https://www.isc2.org/Certifications/SSCP/experience-requirements#.
If you haven’t yet completed your work experience requirement, you may still attempt the SSCP exam. Individuals who pass the exam are designated Associates of (ISC)2 and have two years to complete the work experience requirement.
Once you’ve earned your SSCP credential, you’ll need to maintain your certification by paying maintenance fees and participating in continuing professional education (CPE). As long as you maintain your certification in good standing, you will not need to retake the SSCP exam. Currently, the annual maintenance fees for the SSCP credential are $85 per year.
The SSCP CPE requirement mandates earning at least 20 CPE credits each year toward the 60-credit three-year requirement. (ISC)2 provides an online portal where certificants may submit CPE completion for review and approval. The portal also tracks annual maintenance fee payments and progress toward recertification.
This book is composed of 9 chapters. Each of the first seven chapters covers a domain, with a variety of questions that can help you test your knowledge of real-world, scenario, and best practices–based security knowledge. The final two chapters are complete practice exams that can serve as timed practice tests to help determine if you’re ready for the SSCP exam.
We recommend taking the first practice exam to help identify where you may need to spend more study time, and then using the domain-specific chapters to test your domain knowledge where it is weak. Once you’re ready, take the second practice exam to make sure you’ve covered all of the material and are ready to attempt the SSCP exam.
All of the questions in this book are also available in Sybex’s online practice test tool. To get access to this online format, go to www.wiley.com/go/sybextestprep and start by registering your book. You’ll receive a pin code and instructions on where to create an online test bank account. Once you have access, you can use the online version to create your own sets of practice tests from the book questions and practice in a timed and graded setting.
Do you need more? If you are not seeing passing grades on these practice tests, look for the all-new (ISC)2 SSCP Systems Security Certified Practitioner Official Study Guide, 2nd Edition by Michael S. Wills and Wesley E. Phillips, Jr. (ISBN: 978-1-119-54294-0), available early 2019. That study guide is an excellent resource for mastering any SSCP topics causing problems. It maps every official exam objective to the corresponding chapter to help you track exam prep objective by objective, includes challenging review questions in each chapter to prepare you for exam day, and comes with online test prep materials, including flashcards and additional practice tests.
THIS CHAPTER COVERS THE FOLLOWING SSCP EXAM OBJECTIVES:
1.1 Implement and maintain authentication methods
Single/multifactor authentication
Single sign-on
Device authentication
Federated access
1.2 Support internetwork trust architectures
Trust relationships (e.g., 1-way, 2-way, transitive)
Extranet
Third-party connections
1.3 Participate in the identity management lifecycle
Authorization
Proofing
Provisioning/de-provisioning
Maintenance
Entitlement
Identity and access management (IAM) systems
1.4 Implement access controls
Mandatory
Non-discretionary
Discretionary
Role-based
Attribute-based
Subject-based
Object-based
1. Greg is the network administrator for a large stadium that hosts many events throughout the course of the year. They equip ushers with handheld scanners to verify tickets. Ushers turn over frequently and are often hired at the last minute. Scanners are handed out to ushers before each event, but different ushers may use different scanners. Scanners are secured in a locked safe when not in use. What network access control approach would be most effective for this scenario?
A. Multifactor authentication
B. Device authentication
C. Password authentication
D. No authentication

2. Norma is helping her organization create a specialized network designed for vendors that need to connect to Norma’s organization’s network to process invoices and upload inventory. This network should be segmented from the rest of the corporate network but have a much higher degree of access than the general public. What type of network is Norma building?
A. Internet
B. Intranet
C. Outranet
D. Extranet

3. Which one of the following is an example of a nondiscretionary access control system?
A. File ACLs
B. MAC
C. DAC
D. Visitor list

4. Wanda is configuring device-based authentication for systems on her network. Which one of the following approaches offers the strongest way to authenticate devices?
A. IP address
B. MAC address
C. Digital certificate
D. Password

5. Kaiden is creating an extranet for his organization and is concerned about unauthorized eavesdropping on network communications. Which one of the following technologies can he use to mitigate this risk?
A. VPN
B. Firewall
C. Content filter
D. Proxy server

6. When Ben lists the files on a Linux system, he sees the set of attributes shown here. The letters rwx indicate different levels of what?
A. Identification
B. Authorization
C. Authentication
D. Accountability

7. Which one of the following tools is most often used for identification purposes and is not suitable for use as an authenticator?
A. Password
B. Retinal scan
C. Username
D. Token

8. Gary is preparing to create an account for a new user and assign privileges to the HR database. What two elements of information must Gary verify before granting this access?
A. Credentials and need to know
B. Clearance and need to know
C. Password and clearance
D. Password and biometric scan

Ben’s organization is adopting biometric authentication for its high-security building’s access control system. Use the following chart to answer questions 9–11 about the organization’s adoption of the technology.
9. Ben’s company is considering configuring its systems to work at the level shown by point A on the diagram. To what level is it setting the sensitivity?
A. The FRR crossover
B. The FAR point
C. The CER
D. The CFR

10. At point B, what problem is likely to occur?
A. False acceptance will be very high.
B. False rejection will be very high.
C. False rejection will be very low.
D. False acceptance will be very low.

11. What should Ben do if the FAR and FRR shown in this diagram do not provide an acceptable performance level for his organization’s needs?
A. Adjust the sensitivity of the biometric devices.
B. Assess other biometric systems to compare them.
C. Move the CER.
D. Adjust the FRR settings in software.

12. When a subject claims an identity, what process is occurring?
A. Login
B. Identification
C. Authorization
D. Token presentation

13. Files, databases, computers, programs, processes, devices, and media are all examples of what?
A. Subjects
B. Objects
C. File stores
D. Users

14. MAC models use three types of environments. Which of the following is not a mandatory access control design?
A. Hierarchical
B. Bracketed
C. Compartmentalized
D. Hybrid

15. Ryan would like to implement an access control technology that is likely to both improve security and increase user satisfaction. Which one of the following technologies meets this requirement?
A. Mandatory access controls
B. Single sign-on
C. Multifactor authentication
D. Automated deprovisioning

16. The leadership at Susan’s company has asked her to implement an access control system that can support rule declarations like “Only allow access to salespeople from managed devices on the wireless network between 8 a.m. and 6 p.m.” What type of access control system would be Susan’s best choice?
A. ABAC
B. Rule-based access control (RBAC)
C. DAC
D. MAC

17. What is the primary advantage of decentralized access control?
A. It provides better redundancy.
B. It provides control of access to people closer to the resources.
C. It is less expensive.
D. It provides more granular control of access.

18. Which of the following is best described as an access control model that focuses on subjects and identifies the objects that each subject can access?
A. An access control list
B. An implicit denial list
C. A capability table
D. A rights management matrix

19. Match each of the numbered authentication techniques with the appropriate lettered category. Each technique should be matched with exactly one category. Each category may be used once, more than once, or not at all.

Authentication technique:
1. Password
2. ID card
3. Retinal scan
4. Smartphone token
5. Fingerprint analysis

Category:
A. Something you have
B. Something you know
C. Something you are

20. Susan wants to integrate her website to allow users to use accounts from sites like Google. What technology should she adopt?
A. Kerberos
B. LDAP
C. OpenID
D. SESAME

21. Ben uses a software-based token that changes its code every minute. What type of token is he using?
A. Asynchronous
B. Smart card
C. Synchronous
D. Static

22. How does single sign-on increase security?
A. It decreases the number of accounts required for a subject.
B. It helps decrease the likelihood that users will write down their passwords.
C. It provides logging for each system that it is connected to.
D. It provides better encryption for authentication data.

23. Which of the following multifactor authentication technologies provides both low management overhead and flexibility?
A. Biometrics
B. Software tokens
C. Synchronous hardware tokens
D. Asynchronous hardware tokens

24. Tom is planning to terminate an employee this afternoon for fraud and expects that the meeting will be somewhat hostile. He is coordinating the meeting with human resources and wants to protect the company against damage. Which one of the following steps is most important to coordinate in time with the termination meeting?
A. Informing other employees of the termination
B. Retrieving the employee’s photo ID
C. Calculating the final paycheck
D. Revoking electronic access rights

25. Jim wants to allow a partner organization’s Active Directory forest (B) to access the resources of his own forest (A) but doesn’t want to allow users in his domain to access B’s resources. He also does not want the trust to flow upward through the domain tree as it is formed. What should he do?
A. Set up a two-way transitive trust.
B. Set up a one-way transitive trust.
C. Set up a one-way nontransitive trust.
D. Set up a two-way nontransitive trust.

26. The financial services company that Susan works for provides a web portal for its users. When users need to verify their identity, the company uses information from third-party sources to ask questions based on their past credit reports, such as “Which of the following streets did you live on in 2007?” What process is Susan’s organization using?
A. Identity proofing
B. Password verification
C. Authenticating with Type 2 authentication factor
D. Out-of-band identity proofing

27. Lauren’s team of system administrators each deal with hundreds of systems with varying levels of security requirements and find it difficult to handle the multitude of usernames and passwords they each have. What type of solution should she recommend to ensure that passwords are properly handled and that features such as logging and password rotation occur?
A. A credential management system
B. A strong password policy
C. Separation of duties
D. Single sign-on

28. What type of trust relationship extends beyond the two domains participating in the trust to one or more of their subdomains?
A. Transitive trust
B. Inheritable trust
C. Nontransitive trust
D. Noninheritable trust

29. Adam is accessing a standalone file server using a username and password provided to him by the server administrator. Which one of the following entities is guaranteed to have information necessary to complete the authorization process?
A. Adam
B. File server
C. Server administrator
D. Adam’s supervisor

30. After 10 years working in her organization, Cassandra is moving into her fourth role, this time as a manager in the accounting department. What issue is likely to show up during an account review if her organization does not have strong account maintenance practices?
A. An issue with least privilege
B. Privilege creep
C. Account creep
D. Account termination

31. Adam recently configured permissions on an NTFS filesystem to describe the access that different users may have to a file by listing each user individually. What did Adam create?
A. An access control list
B. An access control entry
C. Role-based access control
D. Mandatory access control

32. Questions like “What is your pet’s name?” are examples of what type of identity proofing?
A. Knowledge-based authentication
B. Dynamic knowledge-based authentication
C. Out-of-band identity proofing
D. A Type 3 authentication factor

33. What access management concept defines what rights or privileges a user has?
A. Identification
B. Accountability
C. Authorization
D. Authentication

34. Susan has been asked to recommend whether her organization should use a MAC scheme or a DAC scheme. If flexibility and scalability are important requirements for implementing access controls, which scheme should she recommend and why?
A. MAC, because it provides greater scalability and flexibility because you can simply add more labels as needed
B. DAC, because allowing individual administrators to make choices about the objects they control provides scalability and flexibility
C. MAC, because compartmentalization is well suited to flexibility and adding compartments will allow it to scale well
D. DAC, because a central decision process allows quick responses and will provide scalability by reducing the number of decisions required and flexibility by moving those decisions to a central authority

35. Which of the following tools is not typically used to verify that a provisioning process was followed in a way that ensures that the organization’s security policy is being followed?
A. Log review
B. Manual review of permissions
C. Signature-based detection
D. Review the audit trail

36. Joe is the security administrator for an ERP system. He is preparing to create accounts for several new employees. What default access should he give to all of the new employees as he creates the accounts?
A. Read only
B. Editor
C. Administrator
D. No access

37. A new customer at a bank that uses fingerprint scanners to authenticate its users is surprised when he scans his fingerprint and is logged in to another customer’s account. What type of biometric factor error occurred?
A. A registration error
B. A Type 1 error
C. A Type 2 error
D. A time-of-use, method-of-use error

38. Laura is in the process of logging into a system and she just entered her password. What term best describes this activity?
A. Authentication
B. Authorization
C. Accounting
D. Identification

39. Kelly is adjusting her organization’s password requirements to make them consistent with best practice guidance from NIST. What should she choose as the most appropriate time period for password expiration?
A. 30 days
B. 90 days
C. 180 days
D. No expiration

40. Ben is working on integrating a federated identity management system and needs to exchange authentication and authorization information for browser-based single sign-on. What technology is his best option?
A. HTML
B. XACML
C. SAML
D. SPML

41. What access control scheme labels subjects and objects and allows subjects to access objects when the labels match?
A. DAC
B. MAC
C. Rule-based access control (RBAC)
D. Role-based access control (RBAC)

42. Mandatory access control is based on what type of model?
A. Discretionary
B. Group-based
C. Lattice-based
D. Rule-based

43. Ricky would like to access a remote file server through a VPN connection. He begins this process by connecting to the VPN and attempting to log in. Applying the subject/object model to this request, what is the subject of Ricky’s login attempt?
A. Ricky
B. VPN
C. Remote file server
D. Files contained on the remote server

44. What type of access control is typically used by firewalls?
A. Discretionary access controls
B. Rule-based access controls
C. Task-based access control
D. Mandatory access controls

45. Gabe is concerned about the security of passwords used as a cornerstone of his organization’s information security program. Which one of the following controls would provide the greatest improvement in Gabe’s ability to authenticate users?
A. More complex passwords
B. User education against social engineering
C. Multifactor authentication
D. Addition of security questions based on personal knowledge

46. During a review of support incidents, Ben’s organization discovered that password changes accounted for more than a quarter of its help desk’s cases. Which of the following options would be most likely to decrease that number significantly?
A. Two-factor authentication
B. Biometric authentication
C. Self-service password reset
D. Passphrases

47. Jim wants to allow cloud-based applications to act on his behalf to access information from other sites. Which of the following tools can allow that?
A. Kerberos
B. OAuth
C. OpenID
D. LDAP

48. Which one of the following activities is an example of an authorization process?
A. User providing a password
B. User passing a facial recognition check
C. System logging user activity
D. System consulting an access control list

49. Raul is creating a trust relationship between his company and a vendor. He is implementing the system so that it will allow users from the vendor’s organization to access his accounts payable system using the accounts created for them by the vendor. What type of authentication is Raul implementing?
A. Federated authentication
B. Transitive trust
C. Multifactor authentication
D. Single sign-on

50. In Luke’s company, users change job positions on a regular basis. Luke would like the company’s access control system to make it easy for administrators to adjust permissions when these changes occur. Which model of access control is best suited for Luke’s needs?
A. Mandatory access control
B. Discretionary access control
C. Rule-based access control
D. Role-based access control

51. When you input a user ID and password, you are performing what important identity and access management activity?
AuthorizationValidationAuthenticationLoginWhich of the following is a ticket-based authentication protocol designed to provide secure communication?
RADIUSOAuthSAMLKerberosWhich of the following Type 3 authenticators is appropriate to use by itself rather than in combination with other biometric factors?
Voice pattern recognitionHand geometryPalm scansHeart/pulse patternsWhat type of token-based authentication system uses a challenge/response process in which the challenge must be entered on the token?
AsynchronousSmart cardSynchronousRFIDAs part of hiring a new employee, Kathleen’s identity management team creates a new user object and ensures that the user object is available in the directories and systems where it is needed. What is this process called?
RegistrationProvisioningPopulationAuthenticator loadingWhat access control system lets owners decide who has access to the objects they own?
Role-based access controlTask-based access controlDiscretionary access controlRule-based access controlWhen Alex sets the permissions shown in the following image as one of many users on a Linux server, what type of access control model is he leveraging?
Role-based access controlRule-based access controlMandatory access control (MAC)Discretionary access control (DAC)The U.S. government CAC is an example of what form of Type 2 authentication factor?
A tokenA biometric identifierA smart cardA PIVWhat term is used to describe the problem that occurs when users change jobs in an organization but never have the access rights associated with their old jobs removed?
Rights managementPrivilege creepTwo-person controlLeast privilegeWhich objects and subjects have a label in a MAC model?
Objects and subjects that are classified as Confidential, Secret, or Top Secret have a label.All objects have a label, and all subjects have a compartment.All objects and subjects have a label.All subjects have a label and all objects have a compartment.Jack’s organization is a government agency that handles very sensitive information. They need to implement an access control system that allows administrators to set access rights but does not allow the delegation of those rights to other users. What is the best type of access control design for Jack’s organization?
Discretionary access controlMandatory access controlDecentralized access controlRule-based access controlKathleen works for a data center hosting facility that provides physical data center space for individuals and organizations. Until recently, each client was given a magnetic-strip-based keycard to access the section of the facility where their servers are located, and they were also given a key to access the cage or rack where their servers reside. In the past month, several servers have been stolen, but the logs for the pass cards show only valid IDs. What is Kathleen’s best option to make sure that the users of the pass cards are who they are supposed to be?
Add a reader that requires a PIN for passcard users.Add a camera system to the facility to observe who is accessing servers.Add a biometric factor.Replace the magnetic stripe keycards with smartcards.What term is used to describe the default set of privileges assigned to a user when a new account is created?
AggregationTransitivityBaselineEntitlementKathleen is implementing an access control system for her organization and builds the following array:
Reviewers: update files, delete filesSubmitters: upload filesEditors: upload files, update filesArchivists: delete filesWhat type of access control system has Kathleen implemented?
Role-based access controlTask-based access controlRule-based access controlDiscretionary access controlWhen a user attempts to log into their online account, Google sends a text message with a code to their cell phone. What type of verification is this?
Knowledge-based authenticationDynamic knowledge-based authenticationOut-of-band identity proofingRisk-based identity proofingTHIS CHAPTER COVERS THE FOLLOWING SSCP EXAM OBJECTIVES:
2.1 Comply with codes of ethics
    (ISC)² Code of Ethics
    Organizational code of ethics
2.2 Understand security concepts
    Confidentiality
    Integrity
    Availability
    Accountability
    Privacy
    Non-repudiation
    Least privilege
    Separation of duties
2.3 Document, implement, and maintain functional security controls
    Deterrent controls
    Preventative controls
    Detective controls
    Corrective controls
    Compensating controls
2.4 Participate in asset management
    Lifecycle (hardware, software, and data)
    Hardware inventory
    Software inventory and licensing
    Data storage
2.5 Implement security controls and assess compliance
    Technical controls (e.g., session timeout, password aging)
    Physical controls (e.g., mantrap, cameras, locks)
    Administrative controls (e.g., security policies and standards, procedures, baselines)
    Periodic audit and review
2.6 Participate in change management
    Execute change management process
    Identify security impact
    Testing/implementing patches, fixes, and updates (e.g., operating system, applications, SDLC)
2.7 Participate in security awareness and training
2.8 Participate in physical security operations (e.g., data center assessment, badging)
1. Maddox is conducting an information audit for his organization. Which one of the following elements that he discovered is least likely to be classified as PII when used in isolation?
A. Street addresses
B. Item codes
C. Mobile phone numbers
D. Social Security numbers

2. Carl recently assisted in the implementation of a new set of security controls designed to comply with legal requirements. He is concerned about the long-term maintenance of those controls. Which one of the following is a good way for Carl to ease his concerns?
A. Firewall rules
B. Policy documents
C. Security standards
D. Periodic audits

3. Darlene was recently offered a consulting opportunity as a side job. She is concerned that the opportunity might constitute a conflict of interest. Which one of the following sources is most likely to provide her with appropriate guidance?
A. Organizational code of ethics
B. (ISC)2 code of ethics
C. Organizational security policy
D. (ISC)2 security policy

4. Which one of the following is an administrative control that can protect the confidentiality of information?
A. Encryption
B. Nondisclosure agreement
C. Firewall
D. Fault tolerance

5. Chris is worried that the laptops that his organization has recently acquired were modified by a third party to include keyloggers before they were delivered. Where should he focus his efforts to prevent this?
A. His supply chain
B. His vendor contracts
C. His post-purchase build process
D. The original equipment manufacturer (OEM)

6. The (ISC)2 code of ethics applies to all SSCP holders. Which of the following is not one of the four mandatory canons of the code?
A. Protect society, the common good, the necessary public trust and confidence, and the infrastructure.
B. Disclose breaches of privacy, trust, and ethics.
C. Provide diligent and competent service to the principals.
D. Advance and protect the profession.

7. Which one of the following control categories does not accurately describe a fence around a facility?
A. Physical
B. Detective
C. Deterrent
D. Preventive

8. Which one of the following actions might be taken as part of a business continuity plan?
A. Restoring from backup tapes
B. Implementing RAID
C. Relocating to a cold site
D. Restarting business operations

9. Which one of the following is an example of physical infrastructure hardening?
A. Antivirus software
B. Hardware-based network firewall
C. Two-factor authentication
D. Fire suppression system

10. Mary is helping a computer user who sees the following message appear on his computer screen. What type of attack has occurred?
A. Availability
B. Confidentiality
C. Disclosure
D. Distributed

11. The Acme Widgets Company is putting new controls in place for its accounting department. Management is concerned that a rogue accountant may be able to create a new false vendor and then issue checks to that vendor as payment for services that were never rendered. What security control can best help prevent this situation?
A. Mandatory vacation
B. Separation of duties
C. Defense in depth
D. Job rotation

12. Beth is the security administrator for a public school district. She is implementing a new student information system and is testing the code to ensure that students are not able to alter their own grades. What principle of information security is Beth enforcing?
A. Integrity
B. Availability
C. Confidentiality
D. Denial

For questions 13–15, please refer to the following scenario.
Juniper Content is a web content development company with 40 employees located in two offices: one in New York and a smaller office in the San Francisco Bay Area. Each office has a local area network protected by a perimeter firewall. The local area network (LAN) contains modern switch equipment connected to both wired and wireless networks.
Each office has its own file server, and the information technology (IT) team runs software every hour to synchronize files between the two servers, distributing content between the offices. These servers are primarily used to store images and other files related to web content developed by the company. The team also uses a SaaS-based email and document collaboration solution for much of their work.
You are the newly appointed IT manager for Juniper Content, and you are working to augment existing security controls to improve the organization’s security.
13. Users in the two offices would like to access each other’s file servers over the Internet. What control would provide confidentiality for those communications?
A. Digital signatures
B. Virtual private network
C. Virtual LAN
D. Digital content management

14. You are also concerned about the availability of data stored on each office’s server. You would like to add technology that would enable continued access to files located on the server even if a hard drive in a server fails. What integrity control allows you to add robustness without adding additional servers?
A. Server clustering
B. Load balancing
C. RAID
D. Scheduled backups

15. Finally, there are historical records stored on the server that are extremely important to the business and should never be modified. You would like to add an integrity control that allows you to verify on a periodic basis that the files were not modified. What control can you add?
A. Hashing
B. ACLs
C. Read-only attributes
D. Firewalls

16. An accounting employee at Doolittle Industries was recently arrested for participation in an embezzlement scheme. The employee transferred money to a personal account and then shifted funds around between other accounts every day to disguise the fraud for months. Which one of the following controls might have best allowed the earlier detection of this fraud?
A. Separation of duties
B. Least privilege
C. Defense in depth
D. Mandatory vacation

17. Yolanda is writing a document that will provide configuration information regarding the minimum level of security that every system in the organization must meet. What type of document is she preparing?
A. Policy
B. Baseline
C. Guideline
D. Procedure

18. Frank discovers a keylogger hidden on the laptop of his company’s chief executive officer. What information security principle is the keylogger most likely designed to disrupt?
A. Confidentiality
B. Integrity
C. Availability
D. Denial

19. Susan is working with the management team in her company to classify data in an attempt to apply extra security controls that will limit the likelihood of a data breach. What principle of information security is Susan trying to enforce?
A. Availability
B. Denial
C. Confidentiality
D. Integrity

20. Gary is implementing a new website architecture that uses multiple small web servers behind a load balancer. What principle of information security is Gary seeking to enforce?
A. Denial
B. Confidentiality
C. Integrity
D. Availability

21. Which one of the following is not an example of a technical control?
A. Router ACL
B. Firewall rule
C. Encryption
D. Data classification

For questions 22–25, please refer to the following scenario.
Jasper Diamonds is a jewelry manufacturer that markets and sells custom jewelry through their website. Bethany is the manager of Jasper’s software development organization, and she is working to bring the company into line with industry standard practices. She is developing a new change management process for the organization and wants to follow commonly accepted approaches.
22. Jasper would like to establish a governing body for the organization’s change management efforts. What individual or group within an organization is typically responsible for reviewing the impact of proposed changes?
A. Chief information officer
B. Senior leadership team
C. Change control board
D. Software developer

23. During what phase of the change management process does the organization conduct peer review of the change for accuracy and completeness?
A. Recording
B. Analysis/Impact Assessment
C. Approval
D. Decision Making and Prioritization

24. Who should the organization appoint to manage the policies and procedures surrounding change management?
A. Project manager
B. Change manager
C. System security officer
D. Architect

25. Which one of the following elements is not a crucial component of a change request?
A. Description of the change
B. Implementation plan
C. Backout plan
D. Incident response plan

26. Ben is designing a messaging system for a bank and would like to include a feature that allows the recipient of a message to prove to a third party that the message did indeed come from the purported originator. What goal is Ben trying to achieve?
A. Authentication
B. Authorization
C. Integrity
D. Nonrepudiation

27. What principle of information security states that an organization should implement overlapping security controls whenever possible?
A. Least privilege
B. Separation of duties
C. Defense in depth
D. Security through obscurity

28. Which one of the following is not a goal of a formal change management program?
A. Implement change in an orderly fashion.
B. Test changes prior to implementation.
C. Provide rollback plans for changes.
D. Inform stakeholders of changes after they occur.

29. Ben is responsible for the security of payment card information stored in a database. Policy directs that he remove the information from the database, but he cannot do this for operational reasons. He obtained an exception to policy and is seeking an appropriate compensating control to mitigate the risk. What would be his best option?
A. Purchasing insurance
B. Encrypting the database contents
C. Removing the data
D. Objecting to the exception

30. You discover that a user on your network has been using the Wireshark tool, as shown here. Further investigation revealed that he was using it for illicit purposes. What pillar of information security has most likely been violated?
A. Integrity
B. Denial
C. Availability
D. Confidentiality

31. Which one of the following is the first step in developing an organization’s vital records program?
A. Identifying vital records
B. Locating vital records
C. Archiving vital records
D. Preserving vital records

32. Which one of the following security programs is designed to provide employees with the knowledge they need to perform their specific work tasks?
A. Awareness
B. Training
C. Education
D. Indoctrination

33. Which one of the following security programs is designed to establish a minimum standard common denominator of security understanding?
A. Training
B. Education
C. Indoctrination
D. Awareness

34. Chris is responsible for workstations throughout his company and knows that some of the company’s workstations are used to handle proprietary information. Which option best describes what should happen at the end of the lifecycle of the workstations he is responsible for?
A. Erasing
B. Clearing
C. Sanitization
D. Destruction

35. What term is used to describe a set of common security configurations, often provided by a third party?
A. Security policy
B. Baseline
C. DSS
D. NIST SP 800-53

36. Which one of the following administrative processes assists organizations in assigning appropriate levels of security control to sensitive information?
A. Information classification
B. Remanence
C. Transmitting data
D. Clearing

37. Ben is following the National Institute of Standards and Technology (NIST) Special Publication 800-88 guidelines for sanitization and disposition as shown here. He is handling information that his organization classified as sensitive, which is a moderate security categorization in the NIST model. If the media is going to be sold as surplus, what process does Ben need to follow?
Source: NIST SP 800-88
A. Destroy, validate, document
B. Clear, purge, document
C. Purge, document, validate
D. Purge, validate, document

38. Ben has been tasked with identifying security controls for systems covered by his organization’s information classification system. Why might Ben choose to use a security baseline?
A. It applies in all circumstances, allowing consistent security controls.
B. They are approved by industry standards bodies, preventing liability.
C. They provide a good starting point that can be tailored to organizational needs.
D. They ensure that systems are always in a secure state.

39. Retaining and maintaining information for as long as it is needed is known as what?
A. Data storage policy
B. Data storage
C. Asset maintenance
D. Record retention

40. Referring to the figure shown here, what is the earliest stage of a fire where it is possible to use detection technology to identify it?
Image reprinted from CISSP (ISC)² Certified Information Systems Security Professional Official Study Guide, 7th Edition © John Wiley & Sons 2015, reprinted with permission.
A. Incipient
B. Smoke
C. Flame
D. Heat

41. What type of fire suppression system fills with water when the initial stages of a fire are detected and then requires a sprinkler head heat activation before dispensing water?
A. Wet pipe
B. Dry pipe
C. Deluge
D. Preaction

42. Ralph is designing a physical security infrastructure for a new computing facility that will remain largely unstaffed. He plans to implement motion detectors in the facility but would also like to include a secondary verification control for physical presence. Which one of the following would best meet his needs?
A. CCTV
B. IPS
C. Turnstiles
D. Faraday cages

43. Referring to the figure shown here, what is the name of the security control indicated by the arrow?
Image reprinted from CISSP (ISC)² Certified Information Systems Security Professional Official Study Guide, 7th Edition © John Wiley & Sons 2015, reprinted with permission.
A. Mantrap
B. Turnstile
C. Intrusion prevention system
D. Portal

44. Which one of the following does not describe a standard physical security requirement for wiring closets?
A. Place only in areas monitored by security guards.
B. Do not store flammable items in the closet.
C. Use sensors on doors to log entries.
D. Perform regular inspections of the closet.

45. Betty is concerned about the use of buffer overflow attacks against a custom application developed for use in her organization. What security control would provide the strongest defense against these attacks?
A. Firewall
B. Intrusion detection system
C. Parameter checking
D. Vulnerability scanning

46. Juan is retrofitting an existing door to his facility to include a lock with automation capabilities. Which one of the following types of lock is easiest to install as a retrofit to the existing door?
A. Mantrap
B. Electric lock
C. Magnetic lock
D. Turnstile

47. Rhonda is considering the use of new identification cards for physical access control in her organization. She comes across a military system that uses the card shown here. What type of card is this?
A. Smart card
B. Proximity card
C. Magnetic stripe card
D. Phase three card

48. Which one of the following facilities would have the highest level of physical security requirements?
A. Data center
B. Network closet
C. SCIF
D. Cubicle work areas

49. Glenda is investigating a potential privacy violation within her organization. The organization notified users that it was collecting data for product research that would last for six months and then disposed of the data at the end of that period. During the time that they had the data, they also used it to target a marketing campaign. Which principle of data privacy was most directly violated?
A. Data minimization
B. Accuracy
C. Storage limitations
D. Purpose limitations

50. What type of access control is composed of policies and procedures that support regulations, requirements, and the organization’s own policies?
A. Corrective
B. Logical
C. Compensating
D. Administrative

51. Match each of the numbered security controls listed with exactly one of the lettered categories shown. Choose the category that best describes each control. You may use each control category once, more than once, or not at all.
Controls:
1. Password
2. Account reviews
3. Badge readers
4. MFA
5. IDP
Categories:
A. Administrative
B. Technical
C. Physical

52. Which of the following access control categories would not include a door lock?
A. Physical
B. Directive
C. Preventative
D. Deterrent

For questions 53–54, please refer to the following scenario.