究極のガイド準備SSCP認証試験ISC Certificationは2024年更新
リアルSSCP問題集でISC正確なアンサーは最新問題は2024年更新
SSCP 認定試験は、情報セキュリティの専門家がその知識と専門知識を証明したい場合に有用な資格です。情報セキュリティの概念、原則、およびベストプラクティスの理解を試験するよう設計された、グローバルに認知された認定資格です。この認定資格を取得することで、候補者はキャリアの展望を向上させ、重要な情報資産の機密性、完全性、可用性を確保することへの取り組みを証明できます。
ISC SSCP 認定試験は、サイバーセキュリティの分野で専門家を訓練し認定する非営利団体であるInternational Information System Security Certification Consortium (ISC)²によって実施されます。SSCP認定は、サイバーセキュリティの分野で最も求められる認定資格の1つであり、米国国防総省などの主要な組織に認められています。
質問 # 433
What are the three most important functions that Digital Signatures perform?
- A. Authorization, Authentication and Nonrepudiation
- B. Integrity, Confidentiality and Authorization
- C. Integrity, Authentication and Nonrepudiation
- D. Authorization, Detection and Accountability
正解:C
解説:
Explanation/Reference:
Reference: TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 2.
質問 # 434
Proxies works by transferring a copy of each accepted data packet from one network to another, thereby masking the:
- A. data's owner
- B. data's payload
- C. data's details
- D. data's origin
正解:D
解説:
Section: Network and Telecommunications
Explanation/Reference:
The application firewall (proxy) relays the traffic from a trusted host running a specific application to an untrusted server. It will appear to the untrusted server as if the request originated from the proxy server.
"Data's payload" is incorrect. Only the origin is changed.
"Data's details" is incorrect. Only the origin is changed.
"Data's owner" is incorrect. Only the origin is changed.
References:
CBK, p. 467
AIO3, pp. 486 - 490
質問 # 435
Which of the following is most affected by denial-of-service (DOS) attacks?
- A. Integrity
- B. Accountability
- C. Availability
- D. Confidentiality
正解:C
解説:
Explanation/Reference:
Denial of service attacks obviously affect availability of targeted systems.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page
61).
質問 # 436
Which of the following statements pertaining to the Bell-LaPadula is TRUE if you are NOT making use of the strong star property?
- A. It allows "write up."
- B. It allows "read up."
- C. It addresses management of access controls.
- D. It addresses covert channels.
正解:A
解説:
Explanation/Reference:
Bell-LaPadula Confidentiality Model10 The Bell-LaPadula model is perhaps the most well-known and significant security model, in addition to being one of the oldest models used in the creation of modern secure computing systems. Like the Trusted Computer System Evaluation Criteria (or TCSEC), it was inspired by early U.S. Department of Defense security policies and the need to prove that confidentiality could be maintained. In other words, its primary goal is to prevent disclosure as the model system moves from one state (one point in time) to another.
When the strong star property is not being used it means that both the property and the Simple Security Property rules would be applied.
The Star (*) property rule of the Bell-LaPadula model says that subjects cannot write down, this would compromise the confidentiality of the information if someone at the secret layer would write the object down to a confidential container for example.
The Simple Security Property rule states that the subject cannot read up which means that a subject at the secret layer would not be able to access objects at Top Secret for example.
You must remember: The model tells you about are NOT allowed to do. Anything else would be allowed.
For example within the Bell LaPadula model you would be allowed to write up as it does not compromise the security of the information. In fact it would upgrade it to the point that you could lock yourself out of your own information if you have only a secret security clearance.
The following are incorrect answers because they are all FALSE:
"It allows read up" is incorrect. The "simple security" property forbids read up.
"It addresses covert channels" is incorrect. Covert channels are not addressed by the Bell-LaPadula model.
"It addresses management of access controls" is incorrect. Management of access controls are beyond the scope of the Bell-LaPadula model.
Reference(s) used for this question:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 17595-17600). Auerbach Publications. Kindle Edition.
質問 # 437
In telephony different types of connections are being used. The connection from the phone company's branch office to local customers is referred to as which of the following choices?
- A. loopback
- B. indigenous loop
- C. local loop
- D. new loop
正解:C
解説:
Explanation/Reference:
Transmission on fiber optic wire requires repeating at distance intervals. The glass fiber requires more protection within an outer cable than copper. For these reasons and because the installation of any new wiring is labor-intensive, few communities yet have fiber optic wires or cables from the phone company's branch office to local customers (local loop).
In telephony, a local loop is the wired connection from a telephone company's central office in a locality to its customers' telephones at homes and businesses. This connection is usually on a pair of copper wires called twisted pair. The system was originally designed for voice transmission only using analog transmission technology on a single voice channel. Today, your computer's modem makes the conversion between analog signals and digital signals. With Integrated Services Digital Network (ISDN) or Digital Subscriber Line (DSL), the local loop can carry digital signals directly and at a much higher bandwidth than they do for voice only.
Local Loop diagram
Image from: http://www.thenetworkencyclopedia.com/entry/local-loop/
The following are incorrect answers:
New loop This is only a detractor and does not exist
Loopback In telephone systems, a loopback is a test signal sent to a network destination that is returned as received to the originator. The returned signal may help diagnose a problem.
Ingenious loop This is only a detractor and does not exist
Reference(s) used for this question:
http://searchnetworking.techtarget.com/definition/local-loop
and
STEINER, Kurt, Telecommunications and Network Security, Version 1, May 2002, CISSP Open Study Group (Domain Leader: skottikus), Page 14.
質問 # 438
The IDEA algorithm (used in PGP) is _______ bits long.
- A. 0
- B. 1
- C. 2
- D. 3
正解:B
質問 # 439
Remote Procedure Call (RPC) is a protocol that one program can use to request a service from a program located in another computer in a network. Within which OSI/ISO layer is RPC implemented?
- A. Data link layer
- B. Transport layer
- C. Session layer
- D. Network layer
正解:C
解説:
Explanation/Reference:
Session layer, which establishes, maintains and manages sessions and synchronization of data flow. Session layer protocols control application-to-application communications, which is what an RPC call is.
The following answers are incorrect:
Transport layer: The Transport layer handles computer-to computer communications, rather than application-to-application communications like RPC.
Data link Layer: The Data Link layer protocols can be divided into either Logical Link Control (LLC) or Media Access Control (MAC) sublayers. Protocols like SLIP, PPP, RARP and L2TP are at this layer. An application-to-application protocol like RPC would not be addressed at this layer.
Network layer: The Network Layer is mostly concerned with routing and addressing of information, not application-to-application communication calls such as an RPC call.
The following reference(s) were/was used to create this question:
The Remote Procedure Call (RPC) protocol is implemented at the Session layer, which establishes, maintains and manages sessions as well as synchronization of the data flow.
Source: Jason Robinett's CISSP Cram Sheet: domain2.
Source: Shon Harris AIO v3 pg. 423
質問 # 440
Password management falls into which control category?
- A. Preventive
- B. Compensating
- C. Technical
- D. Detective
正解:A
解説:
Password management is an example of preventive control. Proper passwords prevent unauthorized users from accessing a system.
There are literally hundreds of different access approaches, control methods, and technologies, both in the physical world and in the virtual electronic world. Each method addresses a different type of access control or a specific access need.
For example, access control solutions may incorporate identification and authentication mechanisms, filters, rules, rights, logging and monitoring, policy, and a plethora of other controls.
However, despite the diversity of access control methods, all access control systems can be categorized into seven primary categories.
The seven main categories of access control are:
1. Directive: Controls designed to specify acceptable rules of behavior within an organization
2. Deterrent: Controls designed to discourage people from violating security directives
3. Preventive: Controls implemented to prevent a security incident or information breach
4. Compensating: Controls implemented to substitute for the loss of primary controls and mitigate risk down to an acceptable level
5. Detective: Controls designed to signal a warning when a security control has been breached
6. Corrective: Controls implemented to remedy circumstance, mitigate damage, or restore controls
7. Recovery: Controls implemented to restore conditions to normal after a security incident
質問 # 441
In the process of gathering evidence from a computer attack, a system administrator took a series of actions which are listed below. Can you identify which one of these actions has compromised the whole evidence collection process?
- A. Using a write blocker
- B. Created a message digest for log files
- C. Made a full-disk image
- D. Displayed the contents of a folder
正解:D
解説:
Explanation/Reference:
Displaying the directory contents of a folder can alter the last access time on each listed file.
Using a write blocker is wrong because using a write blocker ensure that you cannot modify the data on the host and it prevent the host from writing to its hard drives.
Made a full-disk image is wrong because making a full-disk image can preserve all data on a hard disk, including deleted files and file fragments.
Created a message digest for log files is wrong because creating a message digest for log files. A message digest is a cryptographic checksum that can demonstrate that the integrity of a file has not been compromised (e.g. changes to the content of a log file)
Domain: LEGAL, REGULATIONS, COMPLIANCE AND INVESTIGATIONS
References:
AIO 3rd Edition, page 783-784
NIST 800-61 Computer Security Incident Handling guide page 3-18 to 3-20
質問 # 442
There are ______ available service ports
- A. 0
- B. 1
- C. 1024 D. 1-1024
- D. Unlimited
正解:B
質問 # 443
What attribute is included in a X.509-certificate?
- A. Distinguished name of the subject
- B. Telephone number of the department
- C. secret key of the issuing CA
- D. the key pair of the certificate holder
正解:A
解説:
Section: Cryptography
Explanation/Reference:
RFC 2459 : Internet X.509 Public Key Infrastructure Certificate and CRL Profile; GUTMANN, P., X.509 style guide; SMITH, Richard E., Internet Cryptography, 1997, Addison-Wesley Pub Co.
質問 # 444
Which of the following forms of authentication would most likely apply a digital signature algorithm to every bit of data that is sent from the claimant to the verifier?
- A. Encrypted authentication
- B. Dynamic authentication
- C. Robust authentication
- D. Continuous authentication
正解:D
解説:
Continuous authentication is a type of authentication that provides protection against impostors who can see, alter, and insert information passed between the claimant and verifier even after the claimant/verifier authentication is complete. These are typically referred to as active attacks, since they assume that the imposter can actively influence the connection between claimant and verifier. One way to provide this form of authentication is to apply a digital signature algorithm to every bit of data that is sent from the claimant to the verifier. There are other combinations of cryptography that can provide this form of authentication but current strategies rely on applying some type of cryptography to every bit of data sent. Otherwise, any unprotected bit would be suspect. Robust authentication relies on dynamic authentication data that changes with each authenticated session between a claimant and a verifier, but does not provide protection against active attacks. Encrypted authentication is a distracter. Source: GUTTMAN, Barbara & BAGWILL, Robert, NIST Special Publication 800-xx, Internet Security Policy: A Technical Guide, Draft Version, May 25, 2000 (page 34).
質問 # 445
What would BEST define risk management?
- A. The process of assessing the risks
- B. The process of transferring risk
- C. The process of reducing risk to an acceptable level
- D. The process of eliminating the risk
正解:C
解説:
Explanation/Reference:
This is the basic process of risk management.
Risk is the possibility of damage happening and the ramifications of such damage should it occur.
Information risk management (IRM) is the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level. There is no such thing as a 100 percent secure environment. Every environment has vulnerabilities and threats to a certain degree.
The skill is in identifying these threats, assessing the probability of them actually occurring and the damage they could cause, and then taking the right steps to reduce the overall level of risk in the environment to what the organization identifies as acceptable.
Proper risk management requires a strong commitment from senior management, a documented process that supports the organization's mission, an information risk management (IRM) policy and a delegated IRM team. Once you've identified your company's acceptable level of risk, you need to develop an information risk management policy.
The IRM policy should be a subset of the organization's overall risk management policy (risks to a company include more than just information security issues) and should be mapped to the organizational security policies, which lay out the acceptable risk and the role of security as a whole in the organization.
The IRM policy is focused on risk management while the security policy is very high-level and addresses all aspects of security. The IRM policy should address the following items:
Objectives of IRM team
Level of risk the company will accept and what is considered an acceptable risk (as defined in the previous article)
Formal processes of risk identification
Connection between the IRM policy and the organization's strategic planning processes Responsibilities that fall under IRM and the roles that are to fulfill them Mapping of risk to internal controls
Approach for changing staff behaviors and resource allocation in response to risk analysis Mapping of risks to performance targets and budgets
Key indicators to monitor the effectiveness of controls
Shon Harris provides a 10,000-foot view of the risk management process below:
A big question that companies have to deal with is, "What is enough security?" This can be restated as,
"What is our acceptable risk level?" These two questions have an inverse relationship. You can't know what constitutes enough security unless you know your necessary baseline risk level.
To set an enterprise-wide acceptable risk level for a company, a few things need to be investigated and understood. A company must understand its federal and state legal requirements, its regulatory requirements, its business drivers and objectives, and it must carry out a risk and threat analysis. (I will dig deeper into formalized risk analysis processes in a later article, but for now we will take a broad approach.) The result of these findings is then used to define the company's acceptable risk level, which is then outlined in security policies, standards, guidelines and procedures.
Although there are different methodologies for enterprise risk management, the core components of any risk analysis is made up of the following:
Identify company assets
Assign a value to each asset
Identify each asset's vulnerabilities and associated threats
Calculate the risk for the identified assets
Once these steps are finished, then the risk analysis team can identify the necessary countermeasures to mitigate the calculated risks, carry out cost/benefit analysis for these countermeasures and report to senior management their findings.
When we look at information security, there are several types of risk a corporation needs to be aware of and address properly. The following items touch on the major categories:
Physical damage Fire, water, vandalism, power loss, and natural disasters Human interaction Accidental or intentional action or inaction that can disrupt productivity Equipment malfunction Failure of systems and peripheral devices
Inside and outside attacks Hacking, cracking, and attacking
Misuse of data Sharing trade secrets, fraud, espionage, and theft
Loss of data Intentional or unintentional loss of information through destructive means Application error Computation errors, input errors, and buffer overflows The following answers are incorrect:
The process of eliminating the risk is not the best answer as risk cannot be totally eliminated.
The process of assessing the risks is also not the best answer.
The process of transferring risk is also not the best answer and is one of the ways of handling a risk after a risk analysis has been performed.
References:
Shon Harris , AIO v3 , Chapter 3: Security Management Practices , Page: 66-68 and
http://searchsecurity.techtarget.com/tip/Understanding-risk
質問 # 446
Name three types of firewalls __________, _______________, and _________________ (Choose three)
- A. Microsoft Proxy
- B. Raptor Firewall
- C. Packet Filtering
- D. SonicWall
- E. Application Proxy
- F. Stateful Inspection
正解:C、E、F
質問 # 447
In non-discretionary access control using Role Based Access Control (RBAC), a central authority determines what subjects can have access to certain objects based on the organizational security policy.
The access controls may be based on:
- A. The societies role in the organization
- B. The group-dynamics as they relate to the individual's role in the organization
- C. The individual's role in the organization
- D. The group-dynamics as they relate to the master-slave role in the organization
正解:C
解説:
Explanation/Reference:
In Non-Discretionary Access Control, when Role Based Access Control is being used, a central authority determines what subjects can have access to certain objects based on the organizational security policy.
The access controls may be based on the individual's role in the organization.
Reference(S) used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33.
質問 # 448
Which of the following computer crime is MORE often associated with INSIDERS?
- A. Password sniffing
- B. Data diddling
- C. Denial of service (DOS)
- D. IP spoofing
正解:B
解説:
Explanation/Reference:
It refers to the alteration of the existing data , most often seen before it is entered into an application.This type of crime is extremely common and can be prevented by using appropriate access controls and proper segregation of duties. It will more likely be perpetrated by insiders, who have access to data before it is processed.
The other answers are incorrect because :
IP Spoofing is not correct as the questions asks about the crime associated with the insiders. Spoofing is generally accomplished from the outside.
Password sniffing is also not the BEST answer as it requires a lot of technical knowledge in understanding the encryption and decryption process.
Denial of service (DOS) is also incorrect as most Denial of service attacks occur over the internet.
Reference : Shon Harris , AIO v3 , Chapter-10 : Law , Investigation & Ethics , Page : 758-760.
質問 # 449
Which of the following is NOT a proper component of Media Viability Controls?
- A. Marking
- B. Storage
- C. Handling
- D. Writing
正解:D
解説:
Section: Security Operation Adimnistration
Explanation/Reference:
Media Viability Controls include marking, handling and storage.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 231.
質問 # 450
Which of the following would best describe certificate path validation?
- A. Verification of the validity of all certificates of the certificate chain to the root certificate
- B. Verification of the integrity of the associated root certificate
- C. Verification of the revocation status of the concerned certificate
- D. Verification of the integrity of the concerned private key
正解:A
解説:
With the advent of public key cryptography (PKI), it is now possible to communicate securely with untrusted parties over the Internet without prior arrangement. One of the necessities arising from such communication is the ability to accurately verify someone's identity (i.e. whether the person you are communicating with is indeed the person who he/she claims to be). In order to be able to perform identity check for a given entity, there should be a fool-proof method of "binding" the entity's public key to its unique domain name (DN).
A X.509 digital certificate issued by a well known certificate authority (CA), like Verisign, Entrust, Thawte, etc., provides a way of positively identifying the entity by placing trust on the CA to have performed the necessary verifications. A X.509 certificate is a cryptographically sealed data object that contains the entity's unique DN, public key, serial number, validity period, and possibly other extensions.
The Windows Operating System offers a Certificate Viewer utility which allows you to double-click on any certificate and review its attributes in a human-readable format. For instance, the "General" tab in the Certificate Viewer Window (see below) shows who the certificate was issued to as well as the certificate's issuer, validation period and usage functions.
Certification Path graphic
Certification Path graphic The "Certification Path" tab contains the hierarchy for the chain of certificates. It allows you to select the certificate issuer or a subordinate certificate and then click on "View Certificate" to open the certificate in the Certificate Viewer.
Each end-user certificate is signed by its issuer, a trusted CA, by taking a hash value (MD5 or SHA-1) of ASN.1 DER (Distinguished Encoding Rule) encoded object and then encrypting the resulting hash with the issuer's private key (CA's Private Key) which is a digital signature. The encrypted data is stored in the "signatureValue" attribute of the entity's (CA) public certificate.
Once the certificate is signed by the issuer, a party who wishes to communicate with this
entity can then take the entity's public certificate and find out who the issuer of the
certificate is. Once the issuer's of the certificate (CA) is identified, it would be possible to
decrypt the value of the "signatureValue" attribute in the entity's certificate using the
issuer's public key to retrieve the hash value. This hash value will be compared with the
independently calculated hash on the entity's certificate. If the two hash values match, then
the information contained within the certificate must not have been altered and, therefore,
one must trust that the CA has done enough background check to ensure that all details in
the entity's certificate are accurate.
The process of cryptographically checking the signatures of all certificates in the certificate
chain is called "key chaining". An additional check that is essential to key chaining is
verifying that the value of the "subjectKeyIdentifier" extension in one certificate matches the
same in the subsequent certificate.
Similarly, the process of comparing the subject field of the issuer certificate to the issuer
field of the subordinate certificate is called "name chaining". In this process, these values
must match for each pair of adjacent certificates in the certification path in order to
guarantee that the path represents unbroken chain of entities relating directly to one
another and that it has no missing links.
The two steps above are the steps to validate the Certification Path by ensuring the validity
of all certificates of the certificate chain to the root certificate as described in the two
paragraphs above.
Reference(s) used for this question:
FORD, Warwick & BAUM, Michael S., Secure Electronic Commerce: Building the
Infrastructure for Digital Signatures and Encryption (2nd Edition), 2000, Prentice Hall PTR,
Page 262.
and
https://www.tibcommunity.com/docs/DOC-2197
質問 # 451
......
ISC Certification SSCP試験練習問題集:https://jp.fast2test.com/SSCP-premium-file.html