Smarter, faster prep for the SSCP exam
The (ISC)2 SSCP Official Practice Tests, 2nd Edition is the only (ISC)2-endorsed set of practice questions for the Systems Security Certified Practitioner (SSCP). This book's first seven chapters cover each of the seven domains on the SSCP exam with sixty or more questions per domain, so you can focus your study efforts exactly where you need more review. When you feel well prepared, use the two complete practice exams from Sybex's online interactive learning environment as time trials to assess your readiness to take the exam.
Coverage of all exam objectives, including:
SSCP certification demonstrates you have the advanced technical skills and knowledge to implement, monitor and administer IT infrastructure using security best practices, policies and procedures. It's ideal for students pursuing cybersecurity degrees as well as those in the field looking to take their careers to the next level.
Page count: 480
Year of publication: 2021
Cover
Title Page
Copyright
Acknowledgments
About the Authors
About the Technical Editor
Introduction
SSCP Certification
Taking the SSCP Exam
Work Experience Requirement
Recertification Requirements
Using This Book to Practice
Using the Online Practice Tests
Chapter 1: Security Operations and Administration (Domain 1)
Chapter 2: Access Controls (Domain 2)
Chapter 3: Risk Identification, Monitoring, and Analysis (Domain 3)
Chapter 4: Incident Response and Recovery (Domain 4)
Chapter 5: Cryptography (Domain 5)
Chapter 6: Network and Communications Security (Domain 6)
Chapter 7: Systems and Application Security (Domain 7)
Chapter 8: Practice Test 1
Chapter 9: Practice Test 2
Appendix Answers to Review Questions
Chapter 1: Security Operations and Administration (Domain 1)
Chapter 2: Access Controls (Domain 2)
Chapter 3: Risk Identification, Monitoring, and Analysis (Domain 3)
Chapter 4: Incident Response and Recovery (Domain 4)
Chapter 5: Cryptography (Domain 5)
Chapter 6: Network and Communications Security (Domain 6)
Chapter 7: Systems and Application Security (Domain 7)
Chapter 8: Practice Test 1
Chapter 9: Practice Test 2
Index
End User License Agreement
Second Edition
Mike Chapple, David Seidl
Copyright © 2022 by John Wiley & Sons, Inc. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.
ISBN: 978-1-119-85207-0; 978-1-119-85208-7 (ebk.); 978-1-119-85209-4 (ebk.)
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permission.
Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Website is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Website may provide or recommendations it may make. Further, readers should be aware the Internet Websites listed in this work may have changed or disappeared between when this work was written and when it is read.
For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.
Library of Congress Control Number: 2021947164
Trademarks: WILEY, the Wiley logo, Sybex, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. (ISC)2 and SSCP are trademarks or registered certification marks of (ISC)2, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.
Cover Image: ©Getty Images Inc./Jeremy Woodhouse
Cover Design: Wiley
The authors would like to thank the many people who made this book possible. First, Ricky Chapple and Matthew Chapple provided crucial assistance in formatting and laying out the chapters for this book. Without their help, we would never have completed this project on schedule.
We also owe our thanks to a large supporting team from the publishing world. Jim Minatel at Wiley Publishing helped us extend the Sybex security certification franchise to include this new title and gain important support from the International Information Systems Security Consortium (ISC)2. Carole Jelen, our agent, worked on a myriad of logistic details and handled the business side of the book with her usual grace and commitment to excellence. Ben Malisow, our technical editor, continues to provide wonderful input and suggestions that keep us on our toes and help us produce a high-quality final product. Lily Miller served as the project editor and managed the project smoothly.
Mike Chapple, Ph.D., Security+, CISSP, CISA, PenTest+, CySA+, is teaching professor of IT, analytics, and operations at the University of Notre Dame. He is also academic director of the university’s master’s program in business analytics.
Mike is a cybersecurity professional with more than 20 years of experience in the field. Prior to his current role, Mike served as the senior director for IT service delivery at Notre Dame, where he oversaw the university’s cybersecurity program, cloud computing efforts, and other areas. Mike also previously served as chief information officer of Brand Institute and an information security researcher with the National Security Agency and the U.S. Air Force.
Mike is a frequent contributor to several magazines and websites and is the author or coauthor of more than 25 books including CISSP Official (ISC)2 Study Guide, CISSP Official (ISC)2 Practice Tests, CompTIA CySA+ Study Guide, and CompTIA CySA+ Practice Tests, all from Wiley, and Cyberwarfare: Information Operations in a Connected World from Jones and Bartlett.
Mike offers free study groups for the PenTest+, CySA+, Security+, CISSP, and SSCP certifications at his website, certmike.com.
David Seidl is the Vice President for Information Technology and CIO at Miami University of Ohio. During his more than 23 years in information technology, he has served in a variety of leadership, technical, and information security roles, including leading the University of Notre Dame’s Campus Technology Services operations and infrastructure division as well as heading up Notre Dame’s information security team as Notre Dame’s director of information security.
He has written books on security certification and cyberwarfare, including co-authoring CompTIA CySA+ Study Guide: Exam CS0-002, CompTIA CySA+ Practice Tests: Exam CS0-002, CISSP Official (ISC)2 Practice Tests, CompTIA Security+ Study Guide: Exam SY0-601, and CompTIA Security+ Practice Tests: Exam SY0-601, all from Wiley, and Cyberwarfare: Information Operations in a Connected World from Jones and Bartlett.
David holds a bachelor’s degree in communication technology and a master’s degree in information security from Eastern Michigan University, as well as CISSP, GPEN, GCIH, CySA+, and PenTest+ certifications.
Ben Malisow is a consultant and writer with more than 25 years of experience in the fields of information, security, and information security. He teaches SSCP, CISSP, and CCSP preparation courses for (ISC)2 and has written the Official (ISC)2 CCSP Study Guide and the Official (ISC)2 Practice Tests books, among other titles; his latest works include CCSP Practice Tests and Exposed: How Revealing Your Data and Eliminating Privacy Increases Trust and Liberates Humanity. He and his partner, Robin Cabe, host the weekly podcast “The Sensuous Sounds of INFOSEC,” from his website, www.securityzed.com.
(ISC)2 SSCP Systems Security Certified Practitioner Official Practice Tests, 2nd Edition is a companion volume to the SSCP (ISC)2 Systems Security Certified Practitioner Official Study Guide, 3rd Edition. If you’re looking to test your knowledge before you take the SSCP exam, this book will help you by providing a combination of practice questions that cover the SSCP Common Body of Knowledge and easy-to-understand explanations of both right and wrong answers. This book as well as the 3rd edition of the Study Guide are updated according to the Exam Outline effective November 2021.
If you’re just starting to prepare for the SSCP exam, we highly recommend that you use the SSCP (ISC)2 Certified Information Systems Security Professional Official Study Guide, 3rd Edition to help you learn about each of the domains covered by the SSCP exam. Once you’re ready to test your knowledge, use this book to help find places where you may need to study more, or to practice for the exam itself.
Since this is a companion to the SSCP Study Guide, this book is designed to be similar to taking the SSCP exam. It contains multipart scenarios as well as standard multiple-choice questions similar to those you may encounter in the certification exam itself. The book itself is broken up into 9 chapters: 7 domain-centric chapters covering each domain, and 2 chapters that contain full-length practice tests to simulate taking the exam itself.
The SSCP certification is offered by the International Information System Security Certification Consortium, or (ISC)2, a global nonprofit. The mission of (ISC)2 is to support and provide members and constituents with credentials, resources, and leadership to address cyber, information, software, and infrastructure security to deliver value to society. They achieve this mission by delivering the world’s leading information security certification program. The SSCP is the entry-level credential in this series and is accompanied by several other (ISC)2 programs:
Certified Information Systems Security Professional (CISSP)
Certified Authorization Professional (CAP)
Certified Secure Software Lifecycle Professional (CSSLP)
Certified Cyber Forensic Professional (CCFP)
HealthCare Information Security Privacy Practitioner (HCISPP)
Certified Cloud Security Professional (CCSP)
There are also three advanced CISSP certifications for those who wish to move on from the base credential to demonstrate advanced expertise in a domain of information security:
Information Systems Security Architecture Professional (CISSP-ISSAP)
Information Systems Security Engineering Professional (CISSP-ISSEP)
Information Systems Security Management Professional (CISSP-ISSMP)
The SSCP certification covers seven domains of information security knowledge. These domains are meant to serve as the broad knowledge foundation required to succeed in the information security profession. They include:
Access Controls
Security Operations and Administration
Risk Identification, Monitoring, and Analysis
Incident Response and Recovery
Cryptography
Network and Communications Security
Systems and Application Security
Complete details on the SSCP Common Body of Knowledge (CBK) are contained in the Candidate Information Bulletin (CIB). The CIB, which includes a full outline of exam topics, can be found on the ISC2 website at www.isc2.org.
The SSCP exam is a 3-hour exam that consists of 125 questions covering the seven domains. Passing requires achieving a score of at least 700 out of 1,000 points. It’s important to understand that this is a scaled score, meaning that not every question is worth the same number of points. Questions of differing difficulty may factor into your score more or less heavily. That said, as you work through these practice exams, you might want to use 70 percent as a yardstick to help you get a sense of whether you’re ready to sit for the actual exam. When you’re ready, you can schedule an exam via links provided on the (ISC)2 website—tests are offered in locations throughout the world.
The questions on the SSCP exam are all multiple-choice questions with four answer options. You will be asked to select the one correct answer for each question. Watch out for questions that ask you to exercise judgement—these are commonly used on (ISC)2 exams. You might be asked to identify the “best” option or select the “least” expensive approach. These questions require that you use professional judgement to come to the correct answer.
Almost all SSCP exams are now administered in a computer-based testing (CBT) format. You’ll register for the exam through the Pearson Vue website and may take the exam in the language of your choice. It is offered in English, Japanese, and Brazilian Portuguese.
You’ll take the exam in a computer-based testing center located near your home or office. The centers administer many different exams, so you may find yourself sitting in the same room as a student taking a school entrance examination and a healthcare professional earning a medical certification. If you’d like to become more familiar with the testing environment, the Pearson Vue website offers a virtual tour of a testing center: https://home.pearsonvue.com/test-taker/Pearson-Professional-Center-Tour.aspx.
When you sit down to take the exam, you’ll be seated at a computer that has the exam software already loaded and running. It’s a pretty straightforward interface that allows you to navigate through the exam. You can download a practice exam and tutorial from Pearson at: http://www.vue.com/athena/athena.asp.
Be aware that the testing software will not let you move back to questions that you previously saw. Each time a question is presented to you, you must provide your answer before moving on to the next question. Be sure to read each question carefully and thoroughly before advancing because you will not have any other opportunity to check your work.
If you don’t pass the SSCP exam, you shouldn’t panic. Many individuals don’t reach the bar on their first attempt but gain valuable experience that helps them succeed the second time around. When you retake the exam, you’ll have the benefit of familiarity with the CBT environment and SSCP exam format. You’ll also have time to study up on the areas where you felt less confident.
After your first exam attempt, you must wait 30 days before retaking the computer-based exam. If you’re not successful on that attempt, you must then wait 60 more days before your third attempt and 90 more days before any additional attempt. You may only attempt the SSCP exam four times within any 12-month period. For more information on the Retake Policy, see https://www.isc2.org/Exams/After-Your-Exam.
(ISC)2 exam policies are subject to change. Please be sure to check www.isc2.org for the current policies before you register and take the exam.
Candidates who wish to earn the SSCP credential must not only pass the exam but also demonstrate that they have at least one year of work experience in the information security field. Your work experience must cover activities in at least one of the seven domains of the SSCP program and must be paid employment.
You may be eligible to waive the work experience requirement based on your educational achievements. If you hold a bachelor’s or master’s degree in cybersecurity, you may be eligible for a degree waiver that covers one of those years. For more information see https://www.isc2.org/Certifications/SSCP/experience-requirements.
If you haven’t yet completed your work experience requirement, you may still attempt the SSCP exam. Individuals who pass the exam are designated Associates of (ISC)2 and have two years to complete the work experience requirement.
Once you’ve earned your SSCP credential, you’ll need to maintain your certification by paying maintenance fees and participating in continuing professional education (CPE). As long as you maintain your certification in good standing, you will not need to retake the SSCP exam. Currently, the annual maintenance fees for the SSCP credential are $125 per year.
To maintain your SSCP certification, you must earn at least 60 CPE credits during each three-year renewal period. (ISC)2 provides an online portal where members may submit CPE completion for review and approval. The portal also tracks annual maintenance fee payments and progress toward recertification.
This book is composed of 9 chapters. Each of the first seven chapters covers a domain, with a variety of questions that can help you test your knowledge of real-world, scenario, and best practices–based security knowledge. The final two chapters are complete practice exams that can serve as timed practice tests to help determine if you’re ready for the SSCP exam.
We recommend taking the first practice exam to help identify where you may need to spend more study time, and then using the domain-specific chapters to test your domain knowledge where it is weak. Once you’re ready, take the second practice exam to make sure you’ve covered all of the material and are ready to attempt the SSCP exam.
All of the questions in this book are also available in Sybex’s online practice test tool. To get access to this online format, go to www.wiley.com/go/sybextestprep and start by registering your book. You’ll receive a pin code and instructions on where to create an online test bank account. Once you have access, you can use the online version to create your own sets of practice tests from the book questions and practice in a timed and graded setting.
Do you need more? If you are not seeing passing grades on these practice tests, look for the all-new (ISC)2 SSCP Systems Security Certified Practitioner Official Study Guide, Third Edition by Michael S. Wills (ISBN: 978-1-119-85498-2). That book is an excellent resource for mastering any SSCP topics causing you problems. It maps every official exam objective to the corresponding chapter so you can track your exam prep objective by objective, includes challenging review questions in each chapter to prepare you for exam day, and provides online test prep materials with flashcards and additional practice tests.
THE SSCP EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:
Domain 1.0: Security Operations and Administration
1.1 Comply with codes of ethics
(ISC)2 Code of Ethics
Organizational code of ethics
1.2 Understand security concepts
Confidentiality
Integrity
Availability
Accountability
Privacy
Non-repudiation
Least privilege
Segregation of duties (SoD)
1.3 Identify and implement security controls
Technical controls (e.g., session timeout, password aging)
Physical controls (e.g., mantraps, cameras, locks)
Administrative controls (e.g., security policies, standards, procedures, baselines)
Assessing compliance
Periodic audit and review
1.4 Document and maintain functional security controls
Deterrent controls
Preventative controls
Detective controls
Corrective controls
Compensating controls
1.5 Participate in asset management lifecycle (hardware, software, and data)
Process, planning, design, and initiation
Development/Acquisition
Inventory and licensing
Implementation/Assessment
Operation/Maintenance
Archiving and retention requirements
Disposal and destruction
1.6 Participate in change management lifecycle
Change management (e.g., roles, responsibilities, processes)
Security impact analysis
Configuration management (CM)
1.7 Participate in implementing security awareness and training (e.g., social engineering/phishing)
1.8 Collaborate with physical security operations (e.g., data center assessment, badging)
Maddox is conducting an information audit for his organization. Which one of the following elements that he discovered is least likely to be classified as PII when used in isolation?
Street addresses
Item codes
Mobile phone numbers
Social Security numbers
Carl recently assisted in the implementation of a new set of security controls designed to comply with legal requirements. He is concerned about the long-term maintenance of those controls. Which one of the following is a good way for Carl to ease his concerns?
Firewall rules
Policy documents
Security standards
Periodic audits
Darlene was recently offered a consulting opportunity as a side job. She is concerned that the opportunity might constitute a conflict of interest. Which one of the following sources is most likely to provide her with appropriate guidance?
Organizational code of ethics
(ISC)2 code of ethics
Organizational security policy
(ISC)2 security policy
Which one of the following is an administrative control that can protect the confidentiality of information?
Encryption
Nondisclosure agreement
Firewall
Fault tolerance
Chris is worried that the laptops that his organization has recently acquired were modified by a third party to include keyloggers before they were delivered. Where should he focus his efforts to prevent this?
His supply chain
His vendor contracts
His post-purchase build process
The original equipment manufacturer (OEM)
The (ISC)2 code of ethics applies to all SSCP holders. Which of the following is not one of the four mandatory canons of the code?
Protect society, the common good, the necessary public trust and confidence, and the infrastructure.
Disclose breaches of privacy, trust, and ethics.
Provide diligent and competent service to the principals.
Advance and protect the profession.
Which one of the following control categories does not accurately describe a fence around a facility?
Physical
Detective
Deterrent
Preventive
Which one of the following actions might be taken as part of a business continuity plan?
Restoring from backup tapes
Implementing RAID
Relocating to a cold site
Restarting business operations
Which one of the following is an example of physical infrastructure hardening?
Antivirus software
Hardware-based network firewall
Two-factor authentication
Fire suppression system
Mary is helping a computer user who sees the following message appear on his computer screen. What type of attack has occurred?
Availability
Confidentiality
Disclosure
Distributed
The Acme Widgets Company is putting new controls in place for its accounting department. Management is concerned that a rogue accountant may be able to create a new false vendor and then issue checks to that vendor as payment for services that were never rendered. What security control can best help prevent this situation?
Mandatory vacation
Separation of duties
Defense in depth
Job rotation
Beth is the security administrator for a public school district. She is implementing a new student information system and is testing the code to ensure that students are not able to alter their own grades. What principle of information security is Beth enforcing?
Integrity
Availability
Confidentiality
Denial
For questions 13–15, please refer to the following scenario.
Juniper Content is a web content development company with 40 employees located in two offices: one in New York and a smaller office in the San Francisco Bay Area. Each office has a local area network protected by a perimeter firewall. The local area network (LAN) contains modern switch equipment connected to both wired and wireless networks.
Each office has its own file server, and the information technology (IT) team runs software every hour to synchronize files between the two servers, distributing content between the offices. These servers are primarily used to store images and other files related to web content developed by the company. The team also uses a SaaS-based email and document collaboration solution for much of their work.
You are the newly appointed IT manager for Juniper Content, and you are working to augment existing security controls to improve the organization’s security.
Users in the two offices would like to access each other’s file servers over the Internet. What control would provide confidentiality for those communications?
Digital signatures
Virtual private network
Virtual LAN
Digital content management
You are also concerned about the availability of data stored on each office’s server. You would like to add technology that would enable continued access to files located on the server even if a hard drive in a server fails. What integrity control allows you to add robustness without adding additional servers?
Server clustering
Load balancing
RAID
Scheduled backups
Finally, there are historical records stored on the server that are extremely important to the business and should never be modified. You would like to add an integrity control that allows you to verify on a periodic basis that the files were not modified. What control can you add?
Hashing
ACLs
Read-only attributes
Firewalls
An accounting employee at Doolittle Industries was recently arrested for participation in an embezzlement scheme. The employee transferred money to a personal account and then shifted funds around between other accounts every day to disguise the fraud for months. Which one of the following controls might have best allowed the earlier detection of this fraud?
Separation of duties
Least privilege
Defense in depth
Mandatory vacation
Yolanda is writing a document that will provide configuration information regarding the minimum level of security that every system in the organization must meet. What type of document is she preparing?
Policy
Baseline
Guideline
Procedure
Frank discovers a keylogger hidden on the laptop of his company’s chief executive officer. What information security principle is the keylogger most likely designed to disrupt?
Confidentiality
Integrity
Availability
Denial
Susan is working with the management team in her company to classify data in an attempt to apply extra security controls that will limit the likelihood of a data breach. What principle of information security is Susan trying to enforce?
Availability
Denial
Confidentiality
Integrity
Gary is implementing a new website architecture that uses multiple small web servers behind a load balancer. What principle of information security is Gary seeking to enforce?
Denial
Confidentiality
Integrity
Availability
Which one of the following is not an example of a technical control?
Session timeout
Password aging
Encryption
Data classification
For questions 22–25, please refer to the following scenario.
Jasper Diamonds is a jewelry manufacturer that markets and sells custom jewelry through their website. Bethany is the manager of Jasper’s software development organization, and she is working to bring the company into line with industry standard practices. She is developing a new change management process for the organization and wants to follow commonly accepted approaches.
Jasper would like to establish a governing body for the organization’s change management efforts. What individual or group within an organization is typically responsible for reviewing the impact of proposed changes?
Chief information officer
Senior leadership team
Change control board
Software developer
During what phase of the change management process does the organization conduct peer review of the change for accuracy and completeness?
Recording
Analysis/Impact Assessment
Approval
Decision Making and Prioritization
Who should the organization appoint to manage the policies and procedures surrounding change management?
Project manager
Change manager
System security officer
Architect
Which one of the following elements is not a crucial component of a change request?
Description of the change
Implementation plan
Backout plan
Incident response plan
Ben is designing a messaging system for a bank and would like to include a feature that allows the recipient of a message to prove to a third party that the message did indeed come from the purported originator. What goal is Ben trying to achieve?
Authentication
Authorization
Integrity
Nonrepudiation
What principle of information security states that an organization should implement overlapping security controls whenever possible?
Least privilege
Separation of duties
Defense in depth
Security through obscurity
Which one of the following is not a goal of a formal change management program?
Implement change in an orderly fashion.
Test changes prior to implementation.
Provide rollback plans for changes.
Inform stakeholders of changes after they occur.
Ben is assessing the compliance of his organization with credit card security requirements. He finds payment card information stored in a database. Policy directs that he remove the information from the database, but he cannot do this for operational reasons. He obtained an exception to policy and is seeking an appropriate compensating control to mitigate the risk. What would be his best option?
Purchasing insurance
Encrypting the database contents
Removing the data
Objecting to the exception
You discover that a user on your network has been using the Wireshark tool, as shown here. Further investigation revealed that he was using it for illicit purposes. What pillar of information security has most likely been violated?
Integrity
Denial
Availability
Confidentiality
Which one of the following is the first step in developing an organization’s vital records program?
Identifying vital records
Locating vital records
Archiving vital records
Preserving vital records
Which one of the following security programs is designed to provide employees with the knowledge they need to perform their specific work tasks?
Awareness
Training
Education
Indoctrination
Which one of the following security programs is designed to establish a minimum standard common denominator of security understanding?
Training
Education
Indoctrination
Awareness
Chris is responsible for workstations throughout his company and knows that some of the company’s workstations are used to handle proprietary information. Which option best describes what should happen at the end of their lifecycle for workstations he is responsible for?
Erasing
Clearing
Sanitization
Destruction
What term is used to describe a set of common security configurations, often provided by a third party?
Security policy
Baseline
DSS
NIST SP 800-53
Which one of the following administrative processes assists organizations in assigning appropriate levels of security control to sensitive information?
Information classification
Remanence
Transmitting data
Clearing
Ben is following the National Institute of Standards and Technology (NIST) Special Publication 800-88 guidelines for sanitization and disposition as shown here. He is handling information that his organization classified as sensitive, which is a moderate security categorization in the NIST model. If the media is going to be sold as surplus, what process does Ben need to follow?
Source: NIST SP 800-88
Destroy, validate, document
Clear, purge, document
Purge, document, validate
Purge, validate, document
Ben has been tasked with identifying security controls for systems covered by his organization’s information classification system. Why might Ben choose to use a security baseline?
It applies in all circumstances, allowing consistent security controls.
They are approved by industry standards bodies, preventing liability.
They provide a good starting point that can be tailored to organizational needs.
They ensure that systems are always in a secure state.
Retaining and maintaining information for as long as it is needed is known as what?
Data storage policy
Data storage
Asset maintenance
Record retention
Referring to the figure shown here, what is the earliest stage of a fire where it is possible to use detection technology to identify it?
Image reprinted from CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, 7th Edition © John Wiley & Sons 2015, reprinted with permission.
Incipient
Smoke
Flame
Heat
What type of fire suppression system fills with water when the initial stages of a fire are detected and then requires a sprinkler head heat activation before dispensing water?
Wet pipe
Dry pipe
Deluge
Preaction
Ralph is designing a physical security infrastructure for a new computing facility that will remain largely unstaffed. He plans to implement motion detectors in the facility but would also like to include a secondary verification control for physical presence. Which one of the following would best meet his needs?
CCTV
IPS
Turnstiles
Faraday cages
Referring to the figure shown here, what is the name of the security control indicated by the arrow?
Image reprinted from CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, 7th Edition © John Wiley & Sons 2015, reprinted with permission.
Mantrap
Turnstile
Intrusion prevention system
Portal
Which one of the following does not describe a standard physical security requirement for wiring closets?
Place only in areas monitored by security guards.
Do not store flammable items in the closet.
Use sensors on doors to log entries.
Perform regular inspections of the closet.
Betty is concerned about the use of buffer overflow attacks against a custom application developed for use in her organization. What security control would provide the strongest defense against these attacks?
Firewall
Intrusion detection system
Parameter checking
Vulnerability scanning
Juan is retrofitting an existing door to his facility to include a lock with automation capabilities. Which one of the following types of lock is easiest to install as a retrofit to the existing door?
Mantrap
Electric lock
Magnetic lock
Turnstile
Rhonda is considering the use of new identification cards for physical access control in her organization. She comes across a military system that uses the card shown here. What type of card is this?
Smart card
Proximity card
Magnetic stripe card
Phase three card
Which one of the following facilities would have the highest level of physical security requirements?
Data center
Network closet
SCIF
Cubicle work areas
Glenda is investigating a potential privacy violation within her organization. The organization notified users that it was collecting data for product research that would last for six months and then disposed of the data at the end of that period. During the time that they had the data, they also used it to target a marketing campaign. Which principle of data privacy was most directly violated?
Data minimization
Accuracy
Storage limitations
Purpose limitations
What type of access control is composed of policies and procedures that support regulations, requirements, and the organization’s own policies?
Corrective
Logical
Compensating
Administrative
Match each of the numbered security controls listed with exactly one of the lettered categories shown. Choose the category that best describes each control. You may use each control category once, more than once, or not at all.
Controls
1. Password
2. Account reviews
3. Badge readers
4. MFA
5. IDP
Categories
A. Administrative
B. Technical
C. Physical
Which of the following access control categories would not include a door lock?
Physical
Corrective
Preventative
Deterrent
For questions 53–54, please refer to the following scenario.
Gary was recently hired as the first chief information security officer (CISO) for a local government agency. The agency recently suffered a security breach and is attempting to build a new information security program. Gary would like to apply some best practices for security operations as he is designing this program.
As Gary decides what access permissions he should grant to each user, what principle should guide his decisions about default permissions?
Separation of duties
Least privilege
Aggregation
Separation of privileges
As Gary designs the program, he uses the matrix shown here. What principle of information security does this matrix most directly help enforce?
Segregation of duties
Aggregation
Two-person control
Defense in depth
Lydia is processing access control requests for her organization. She comes across a request where the user does have the required security clearance, but there is no business justification for the access. Lydia denies this request. What security principle is she following?
Need to know
Least privilege
Separation of duties
Two-person control
Helen is implementing a new security mechanism for granting employees administrative privileges in the accounting system. She designs the process so that both the employee’s manager and the accounting manager must approve the request before the access is granted. What information security principle is Helen enforcing?
Least privilege
Two-person control
Job rotation
Separation of duties
Which of the following is not true about the (ISC)2 code of ethics?
Adherence to the code is a condition of certification.
Failure to comply with the code may result in revocation of certification.
The code applies to all members of the information security profession.
Members who observe a breach of the code are required to report the possible violation.
Javier is verifying that only IT system administrators have the ability to log on to servers used for administrative purposes. What principle of information security is he enforcing?
Need to know
Least privilege
Two-person control
Transitive trust
Connor’s company recently experienced a denial-of-service attack that Connor believes came from an inside source. If true, what type of event has the company experienced?
Espionage
Confidentiality breach
Sabotage
Integrity breach
Which one of the following is not a canon of the (ISC)2 code of ethics?
Protect society, the common good, necessary public trust and confidence, and the infrastructure.
Promptly report security vulnerabilities to relevant authorities.
Act honorably, honestly, justly, responsibly, and legally.
Provide diligent and competent service to principals.
When designing an access control scheme, Hilda set up roles so that the same person does not have the ability to provision a new user account and assign superuser privileges to an account. What information security principle is Hilda following?
Least privilege
Separation of duties
Job rotation
Security through obscurity
Which one of the following tools helps system administrators by providing a standard, secure template of configuration settings for operating systems and applications?
Security guidelines
Security policy
Baseline configuration
Running configuration
Tracy is preparing to apply a patch to her organization’s enterprise resource planning system. She is concerned that the patch may introduce flaws that did not exist in prior versions, so she plans to conduct a test that will compare previous responses to input with those produced by the newly patched application. What type of testing is Tracy planning?
Unit testing
Acceptance testing
Regression testing
Vulnerability testing
Which one of the following security practices suggests that an organization should deploy multiple, overlapping security controls to meet security objectives?
Defense in depth
Security through obscurity
Least privilege
Separation of duties
What technology asset management practice would an organization use to ensure that systems meet baseline security standards?
Change management
Patch management
Configuration management
Identity management
The large business that Jack works for used noncentralized logging for years. It has recently started to implement centralized logging, and as the team reviewed the logs, they discovered a breach that appeared to involve a malicious insider. How can Jack best ensure accountability for actions taken on systems in his environment?
Review the logs and require digital signatures for each log.
Require authentication for all actions taken and capture logs centrally.
Log the use of administrative credentials and encrypt log data in transit.
Require authorization and capture logs centrally.
Veronica is responsible for her organization’s asset management program. During what stage of the process would she select the controls that will be used to protect assets from theft?
Implementation/assessment
Operation/maintenance
Inventory and licensing
Process, planning, design, and initiation
Under what type of software license does the recipient of software have an unlimited right to copy, modify, distribute, or resell a software package?
GNU Public License
Freeware
Open source
Public domain
When an attacker called an organization’s help desk and persuaded them to reset a password due to the help desk employee’s trust and willingness to help, what type of attack succeeded?
Trojan horse
Social engineering
Phishing
Whaling
THE SSCP EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:
Domain 2.0: Access Controls
2.1 Implement and maintain authentication methods
Single/multi-factor authentication (MFA)
Single sign-on (SSO) (e.g., Active Directory Federation Services (ADFS), OpenID Connect)
Device authentication
Federated access (e.g., Open Authorization 2 (OAuth2), Security Assertion Markup Language (SAML))
2.2 Support internetwork trust architectures
Trust relationships (e.g., 1-way, 2-way, transitive, zero)
Internet, intranet, and extranet
Third-party connections
2.3 Participate in the identity management lifecycle
Authorization
Proofing
Provisioning/de-provisioning
Maintenance
Entitlement
Identity and access management (IAM) systems
2.4 Understand and apply access controls
Mandatory
Discretionary
Role-based (e.g., attribute-, subject-, object-based)
Rule-based
Greg is the network administrator for a large stadium that hosts many events throughout the course of the year. They equip ushers with handheld scanners to verify tickets. Ushers turn over frequently and are often hired at the last minute. Scanners are handed out to ushers before each event, but different ushers may use different scanners. Scanners are secured in a locked safe when not in use. What network access control approach would be most effective for this scenario?
Multifactor authentication
Device authentication
Password authentication
No authentication
Norma is helping her organization create a specialized third-party network connection for a set of vendors needing to connect to Norma’s organization’s network to process invoices and upload inventory. This network should be segmented from the rest of the corporate network but have a much higher degree of access than the general public. What type of network is Norma building?
Internet
Intranet
Outranet
Extranet
Which one of the following is an example of a nondiscretionary access control system?
File ACLs
MAC
DAC
Visitor list
Wanda is configuring device-based authentication for systems on her network. Which one of the following approaches offers the strongest way to authenticate devices?
IP address
MAC address
Digital certificate
Password
Kaiden is creating an extranet for his organization and is concerned about unauthorized eavesdropping on network communications. Which one of the following technologies can he use to mitigate this risk?
VPN
Firewall
Content filter
Proxy server
When Ben lists the files on a Linux system, he sees the set of attributes shown here.
The letters rwx indicate different levels of what?
Identification
Authorization
Authentication
Accountability
Which one of the following tools is most often used for identification purposes and is not suitable for use as an authenticator?
Password
Retinal scan
Username
Token
Gary is preparing to create an account for a new user and assign privileges to the HR database. What two elements of information must Gary verify before granting this access?
Credentials and need to know
Clearance and need to know
Password and clearance
Password and biometric scan
Ben’s organization is adopting biometric authentication for its high-security building’s access control system. Use the following chart to answer questions 9–11 about the organization’s adoption of the technology.
Ben’s company is considering configuring its systems to work at the level shown by point A on the diagram. To what level is it setting the sensitivity?
The FRR crossover
The FAR point
The CER
The CFR
At point B, what problem is likely to occur?
False acceptance will be very high.
False rejection will be very high.
False rejection will be very low.
False acceptance will be very low.
What should Ben do if the FAR and FRR shown in this diagram do not provide an acceptable performance level for his organization’s needs?
Adjust the sensitivity of the biometric devices.
Assess other biometric systems to compare them.
Move the CER.
Adjust the FRR settings in software.
When a subject claims an identity, what process is occurring?
Login
Identification
Authorization
Token presentation
Files, databases, computers, programs, processes, devices, and media are all examples of what?
Subjects
Objects
File stores
Users
MAC models use three types of environments. Which of the following is not a mandatory access control design?
Hierarchical
Bracketed
Compartmentalized
Hybrid
Ryan would like to implement an access control technology that is likely to both improve security and increase user satisfaction. Which one of the following technologies meets this requirement?
Mandatory access controls
Single sign-on
Multifactor authentication
Automated deprovisioning
The leadership at Susan’s company has asked her to implement an access control system that can support rule declarations like “Only allow access to salespeople from managed devices on the wireless network between 8 a.m. and 6 p.m.” What type of access control system would be Susan’s best choice?
ABAC
Rule-based access control (RBAC)
DAC
MAC
What is the primary advantage of decentralized access control?
It provides better redundancy.
It provides control of access to people closer to the resources.
It is less expensive.
It provides more granular control of access.
Which of the following is best described as an access control model that focuses on subjects and identifies the objects that each subject can access?
An access control list
An implicit denial list
A capability table
A rights management matrix
Match each of the numbered authentication techniques with the appropriate lettered category. Each technique should be matched with exactly one category. Each category may be used once, more than once, or not at all.
Authentication technique
1. Password
2. ID card
3. Retinal scan
4. Smartphone token
5. Fingerprint analysis
Category
A. Something you have
B. Something you know
C. Something you are
Susan wants to integrate her website to allow users to use accounts from sites like Google. What technology should she adopt?
Kerberos
LDAP
OpenID
SESAME
Ben uses a software-based token that changes its code every minute. What type of token is he using?
Asynchronous
Smart card
Synchronous
Static
How does single sign-on increase security?
It decreases the number of accounts required for a subject.
It helps decrease the likelihood that users will write down their passwords.
It provides logging for each system that it is connected to.
It provides better encryption for authentication data.
Which of the following multifactor authentication technologies provides both low management overhead and flexibility?
Biometrics
Software tokens
Synchronous hardware tokens
Asynchronous hardware tokens
Tom is planning to terminate an employee this afternoon for fraud and expects that the meeting will be somewhat hostile. He is coordinating the meeting with human resources and wants to protect the company against damage. Which one of the following steps is most important to coordinate in time with the termination meeting?
Informing other employees of the termination
Retrieving the employee’s photo ID
Calculating the final paycheck
Revoking electronic access rights
Jim wants to allow a partner organization’s Active Directory forest (B) to access the resources of his own domain forest (A) but does not want to allow users in his domain to access B’s resources. He also does not want the trust to flow upward through the domain tree as it is formed. What should he do?
Set up a two-way transitive trust.
Set up a one-way transitive trust.
Set up a one-way nontransitive trust.
Set up a two-way nontransitive trust.
The financial services company that Susan works for provides a web portal for its users. When users need to verify their identity, the company uses information from third-party sources to ask questions based on their past credit reports, such as “Which of the following streets did you live on in 2007?” What process is Susan’s organization using?
Identity proofing
Password verification
Authenticating with Type 2 authentication factor
Out-of-band identity proofing
The system administrators on Lauren’s team each deal with hundreds of systems with varying levels of security requirements and find it difficult to handle the multitude of usernames and passwords they each hold. What type of solution should she recommend to ensure that passwords are properly handled and that features such as logging and password rotation occur?
A credential management system
A strong password policy
Separation of duties
Single sign-on
What type of trust relationship extends beyond the two domains participating in the trust to one or more of their subdomains?
Transitive trust
Inheritable trust
Nontransitive trust
Noninheritable trust
Adam is accessing a standalone file server using a username and password provided to him by the server administrator. Which one of the following entities is guaranteed to have information necessary to complete the authorization process?
Adam
File server
Server administrator
Adam’s supervisor
After 10 years working in her organization, Cassandra is moving into her fourth role, this time as a manager in the accounting department. What issue is likely to show up during an account review if her organization does not have strong account maintenance practices?
An issue with least privilege
Privilege creep
Account creep
Account termination
Adam recently configured permissions on an NTFS filesystem to describe the access that different users may have to a file by listing each user individually. What did Adam create?
An access control list
An access control entry
Role-based access control
Mandatory access control
Questions like “What is your pet’s name?” are examples of what type of identity proofing?
Knowledge-based authentication
Dynamic knowledge-based authentication
Out-of-band identity proofing
A Type 3 authentication factor
What access management concept defines what rights or privileges a user has?
Identification
Accountability
Authorization
Authentication
Susan has been asked to recommend whether her organization should use a MAC scheme or a DAC scheme. If flexibility and scalability are important requirements for implementing access controls, which scheme should she recommend and why?
MAC, because it provides greater scalability and flexibility because you can simply add more labels as needed
DAC, because allowing individual administrators to make choices about the objects they control provides scalability and flexibility
MAC, because compartmentalization is well suited to flexibility and adding compartments will allow it to scale well
DAC, because a central decision process allows quick responses and will provide scalability by reducing the number of decisions required and flexibility by moving those decisions to a central authority
Which of the following tools is not typically used to verify that a provisioning process was followed in a way that ensures that the organization’s security policy is being followed?
Log review
Manual review of permissions
Signature-based detection
Review the audit trail
Joe is the security administrator for an ERP system. He is preparing to create accounts for several new employees. What default access should he give to all of the new employees as he creates the accounts?
Read only
Editor
Administrator
No access
A new customer at a bank that uses fingerprint scanners to authenticate its users is surprised when he scans his fingerprint and is logged in to another customer’s account. What type of biometric factor error occurred?
A registration error
A Type 1 error
A Type 2 error
A time-of-use, method-of-use error
Laura is in the process of logging into a system and she just entered her password. What term best describes this activity?
Authentication
Authorization
Accounting
Identification
Kelly is adjusting her organization’s password requirements to make them consistent with best practice guidance from NIST. What should she choose as the most appropriate time period for password expiration?
30 days
90 days
180 days
No expiration
Ben is working on integrating a federated identity management system and needs to exchange authentication and authorization information for browser-based single sign-on. What technology is his best option?
HTML
XACML
SAML
SPML
What access control scheme labels subjects and objects and allows subjects to access objects when the labels match?
DAC
MAC
Rule-based access control (RBAC)
Role-based access control (RBAC)
Mandatory access control is based on what type of model?
Discretionary
Group-based
Lattice-based
Rule-based
Ricky would like to access a remote file server through a VPN connection. He begins this process by connecting to the VPN and attempting to log in. Applying the subject/object model to this request, what is the subject of Ricky’s login attempt?
Ricky
VPN
Remote file server
Files contained on the remote server
What type of access control is typically used by firewalls?
Discretionary access controls
Rule-based access controls
Task-based access control
Mandatory access controls
Gabe is concerned about the security of passwords used as a cornerstone of his organization’s information security program. Which one of the following controls would provide the greatest improvement in Gabe’s ability to authenticate users?
More complex passwords
User education against social engineering
Multifactor authentication
Addition of security questions based on personal knowledge
During a review of support incidents, Ben’s organization discovered that password changes accounted for more than a quarter of its help desk’s cases. Which of the following options would be most likely to decrease that number significantly?
Two-factor authentication
Biometric authentication
Self-service password reset
Passphrases
Jim wants to allow cloud-based applications to act on his behalf to access information from other sites. Which of the following tools can allow that?
Kerberos
OAuth
OpenID
LDAP
Which one of the following activities is an example of an authorization process?
User providing a password
User passing a facial recognition check
System logging user activity
System consulting an access control list
Raul is creating a trust relationship between his company and a vendor. He is implementing the system so that it will allow users from the vendor’s organization to access his accounts payable system using the accounts created for them by the vendor. What type of authentication is Raul implementing?
Federated authentication
Transitive trust
Multifactor authentication
Single sign-on
In Luke’s company, users change job positions on a regular basis. Luke would like the company’s access control system to make it easy for administrators to adjust permissions when these changes occur. Which model of access control is best suited for Luke’s needs?
Mandatory access control
Discretionary access control
Rule-based access control
Role-based access control
When you input a user ID and password, you are performing what important identity and access management activity?
Authorization
Validation
Authentication
Login
Which of the following is a ticket-based authentication protocol designed to provide secure communication?
RADIUS
OAuth
SAML
Kerberos
Which of the following authenticators is appropriate to use by itself rather than in combination with other biometric factors?
Voice pattern recognition
Hand geometry
Palm scans
Heart/pulse patterns