[2024年11月14日]SSCPサンプルには正確で更新された問題
SSCP試験情報と無料練習テスト
SSCP認定はIT業界で高く評価され、システムセキュリティのポジションに必要とされることがあります。この認定は、専門知識やスキルを検証し、プロフェッショナルな成長にコミットすることを証明する素晴らしい方法です。また、この認定はISCが提供する「Certified Information Systems Security Professional (CISSP)」認定などの高度な認定につながる足がかりにもなります。全体的に、SSCP認定はシステムセキュリティのキャリアを進めたいIT専門家にとって貴重な資産です。
SSCP 認定試験は、情報セキュリティのキャリアを追求したり、既存の知識とスキルを向上させたい人に最適です。また、セキュリティオペレーション、リスク管理、アクセス制御などの分野で知識と専門知識を拡大したい IT 専門家にも適しています。この認定は情報セキュリティにおける堅固な基盤を提供し、候補者の重要な情報資産を保護する能力を検証します。
質問 # 207
Which protocol is used to send email?
- A. Post Office Protocol (POP).
- B. Simple Mail Transfer Protocol (SMTP).
- C. Network File System (NFS).
- D. File Transfer Protocol (FTP).
正解:B
解説:
Section: Network and Telecommunications
Explanation/Reference:
Simple Mail Transfer Protocol (SMTP) is a protocol for sending e-mail messages between servers. POP is a protocol used to retrieve e-mail from a mail server. NFS is a TCP/IP client/server application developed by Sun that enables different types of file systems to interoperate regardless of operating system or network architecture. FTP is the protocol that is used to facilitate file transfer between two machines.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 88.
質問 # 208
How is Annualized Loss Expectancy (ALE) derived from a threat?
- A. SLE/EF
- B. ARO x (SLE - EF)
- C. AV x EF
- D. SLE x ARO
正解:D
解説:
Section: Risk, Response and Recovery
Explanation/Reference:
Three steps are undertaken in a quantitative risk assessment:
Initial management approval
Construction of a risk assessment team, and
The review of information currently available within the organization.
There are a few formulas that you MUST understand for the exam. See them below:
SLE (Single Loss Expectancy)
Single loss expectancy (SLE) must be calculated to provide an estimate of loss. SLE is defined as the difference between the original value and the remaining value of an asset after a single exploit.
The formula for calculating SLE is as follows: SLE = asset value (in $) × exposure factor (loss due to successful threat exploit, as a %) Losses can include lack of availability of data assets due to data loss, theft, alteration, or denial of service (perhaps due to business continuity or security issues).
ALE (Annualized Loss Expectancy)
Next, the organization would calculate the annualized rate of occurrence (ARO).
This is done to provide an accurate calculation of annualized loss expectancy (ALE).
ARO is an estimate of how often a threat will be successful in exploiting a vulnerability over the period of a year.
When this is completed, the organization calculates the annualized loss expectancy (ALE).
The ALE is a product of the yearly estimate for the exploit (ARO) and the loss in value of an asset after an SLE.
The calculation follows ALE = SLE x ARO
Note that this calculation can be adjusted for geographical distances using the local annual frequency estimate (LAFE) or the standard annual frequency estimate (SAFE). Given that there is now a value for SLE, it is possible to determine what the organization should spend, if anything, to apply a countermeasure for the risk in question.
Remember that no countermeasure should be greater in cost than the risk it mitigates, transfers, or avoids.
Countermeasure cost per year is easy and straightforward to calculate. It is simply the cost of the countermeasure divided by the years of its life (i.e., use within the organization). Finally, the organization is able to compare the cost of the risk versus the cost of the countermeasure and make some objective decisions regarding its countermeasure selection.
The following were incorrect answers:
All of the other choices were incorrect.
The following reference(s) were used for this quesiton:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 10048-10069). Auerbach Publications. Kindle Edition.
質問 # 209
Which of the following is an IP address that is private (i.e. reserved for internal networks, and not a valid address to use on the Internet)?
- A. 172.140.42.5
- B. 172.31.42.5
- C. 172.15.42.5
- D. 172.12.42.5
正解:B
解説:
Section: Network and Telecommunications
Explanation/Reference:
This is a valid Class B reserved address. For Class B networks, the reserved addresses are 172.16.0.0 -
172.31.255.255.
The private IP address ranges are defined within RFC 1918:
RFC 1918 private ip address range
The following answers are incorrect:
172.12.42.5 Is incorrect because it is not a Class B reserved address.
172.140.42.5 Is incorrect because it is not a Class B reserved address.
172.15.42.5 Is incorrect because it is not a Class B reserved address.
質問 # 210
Which of the following statements pertaining to biometrics is FALSE?
- A. User can be authenticated based on unique physical attributes.
- B. A biometric system's accuracy is determined by its crossover error rate (CER).
- C. User can be authenticated based on behavior.
- D. User can be authenticated by what he knows.
正解:D
解説:
Explanation/Reference:
As this is not a characteristic of Biometrics this is the rigth choice for this question. This is one of the three basic way authentication can be performed and it is not related to Biometrics. Example of something you know would be a password or PIN for example.
Please make a note of the negative 'FALSE' within the question. This question may seem tricky to some of you but you would be amazed at how many people cannot deal with negative questions. There will be a few negative questions within the real exam, just like this one the keyword NOT or FALSE will be in Uppercase to clearly indicate that it is negative.
Biometrics verifies an individual's identity by analyzing a unique personal attribute or behavior, which is one of the most effective and accurate methods of performing authentication (one to one matching) or identification (a one to many matching).
A biometric system scans an attribute or behavior of a person and compares it to a template store within an authentication server datbase, such template would be created in an earlier enrollment process.
Because this system inspects the grooves of a person's fingerprint, the pattern of someone's retina, or the pitches of someone's voice, it has to be extremely sensitive.
The system must perform accurate and repeatable measurements of anatomical or physiological characteristics. This type of sensitivity can easily cause false positives or false negatives. The system must be calibrated so that these false positives and false negatives occur infrequently and the results are as accurate as possible.
There are two types of failures in biometric identification:
False Rejection also called False Rejection Rate (FRR) - The system fail to recognize a legitimate user.
While it could be argued that this has the effect of keeping the protected area extra secure, it is an intolerable frustration to legitimate users who are refused access because the scanner does not recognize them.
False Acceptance or False Acceptance Rate (FAR) - This is an erroneous recognition, either by confusing one user with another or by accepting an imposter as a legitimate user.
Physiological Examples:
Unique Physical Attributes:
Fingerprint (Most commonly accepted)
Hand Geometry
Retina Scan (Most accurate but most intrusive)
Iris Scan
Vascular Scan
Behavioral Examples:
Repeated Actions
Keystroke Dynamics
(Dwell time (the time a key is pressed) and Flight time (the time between "key up" and the next "key down").
Signature Dynamics
(Stroke and pressure points)
EXAM TIP:
Retina scan devices are the most accurate but also the most invasive biometrics system available today.
The continuity of the retinal pattern throughout life and the difficulty in fooling such a device also make it a great long-term, high-security option. Unfortunately, the cost of the proprietary hardware as well the stigma of users thinking it is potentially harmful to the eye makes retinal scanning a bad fit for most situations.
Remember for the exam that fingerprints are the most commonly accepted type of biometrics system.
The other answers are incorrect:
'Users can be authenticated based on behavior.' is incorrect as this choice is TRUE as it pertains to BIOMETRICS.
Biometrics systems makes use of unique physical characteristics or behavior of users.
'User can be authenticated based on unique physical attributes.' is also incorrect as this choice is also TRUE as it pertains to BIOMETRICS. Biometrics systems makes use of unique physical characteristics or behavior of users.
'A biometric system's accuracy is determined by its crossover error rate (CER)' is also incorrect as this is TRUE as it also pertains to BIOMETRICS. The CER is the point at which the false rejection rates and the false acceptance rates are equal. The smaller the value of the CER, the more accurate the system.
Reference(s) used for this question:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 25353-25356). Auerbach Publications. Kindle Edition.
and
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 25297-25303). Auerbach Publications. Kindle Edition.
質問 # 211
Which of the following protocols is not implemented at the Internet layer of the TCP/IP protocol model?
- A. Internet Group Management Protocol (IGMP)
- B. User datagram protocol (UDP)
- C. Internet protocol (IP)
- D. Internet control message protocol (ICMP)
正解:B
解説:
The User Datagram Protocol (UDP) is implemented at the host-to-host transport layer, not at the internet layer.
Protocol at what layer?
Ensure you are familiar with both the OSI model and the DoD TCP/IP model as well. You need to know how to contrast the two side by side and what are the names being used on both side.
Below you have a graphic showing the two and how things maps between the two as well as some of the most common protcolos found at each of the layers:
Protocols at what layers of the DoD TCP/IP model
The following are incorrect answers:
All of the other protocols sit at the Internet Layer of the TCP/IP model.
NOTE:
Some reference are calling the Transport layer on the DoD model Host-to-Host.
質問 # 212
Which layer defines how packets are routed between end systems?
- A. Session layer
- B. Data link layer
- C. Network layer
- D. Transport layer
正解:C
解説:
The network layer (layer 3) defines how packets are routed and relayed between end systems on the same network or on interconnected networks. Message routing, error detection and control of node traffic are managed at this level.
質問 # 213
Encapsulating Security Payload (ESP) provides some of the services of Authentication Headers (AH), but it is primarily designed to provide:
- A. Cryptography
- B. Access Control
- C. Digital signatures
- D. Confidentiality
正解:D
解説:
Explanation/Reference:
Source: TIPTON, Harold F & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 2, 2001, CRC Press, NY, page 164.
質問 # 214
Which of the following does not apply to system-generated passwords?
- A. Passwords are harder to guess for attackers.
- B. If the password-generating algorithm gets to be known, the entire system is in jeopardy.
- C. Passwords are harder to remember for users.
- D. Passwords are more vulnerable to brute force and dictionary attacks.
正解:D
解説:
Users tend to choose easier to remember passwords. System-generated passwords can provide stronger, harder to guess passwords. Since they are based on rules provided by the administrator, they can include combinations of uppercase/lowercase letters, numbers and special characters, making them less vulnerable to brute force and dictionary attacks. One danger is that they are also harder to remember for users, who will tend to write them down, making them more vulnerable to anyone having access to the user's desk. Another danger with system-generated passwords is that if the password-generating algorithm gets to be known, the entire system is in jeopardy.
質問 # 215
Which method of password cracking takes the most time and effort?
- A. Dictionary attack
- B. Hybrid
- C. Brute Force
- D. Shoulder Surfing
- E. Guessing
正解:C
質問 # 216
Which of the following are WELL KNOWN PORTS assigned by the IANA?
- A. Ports 0 to 255
- B. Ports 0 to 1024
- C. Ports 0 to 1023
- D. Ports 0 to 127
正解:C
解説:
Explanation/Reference:
The port numbers are divided into three ranges: the Well Known Ports, the Registered Ports, and the Dynamic and/or Private Ports. The range for assigned "Well Known" ports managed by the IANA (Internet Assigned Numbers Authority) is 0-1023.
Source: iana.org: port assignments.
質問 # 217
What works as an E-mail message transfer agent?
- A. S-RPC
- B. SMTP
- C. S/MIME
- D. SNMP
正解:B
解説:
SMTP (Simple Mail Transfer Protocol) works as a message transfer agent. Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2001, Page 821.
質問 # 218
Notifying the appropriate parties to take action in order to determine the extent of the severity of an incident and to remediate the incident's effects is part of:
- A. Incident Evaluation
- B. Incident Recognition
- C. Incident Response
- D. Incident Protection
正解:C
解説:
Section: Risk, Response and Recovery
Explanation/Reference:
These are core functions of the incident response process.
"Incident Evaluation" is incorrect. Evaluation of the extent and cause of the incident is a component of the incident response process.
"Incident Recognition" is incorrect. Recognition that an incident has occurred is the precursor to the initiation of the incident response process.
"Incident Protection" is incorrect. This is an almost-right-sounding nonsense answer to distract the unwary.
References
CBK, pp. 698 - 703
質問 # 219
Related to information security, integrity is the opposite of which of the following?
- A. accreditation
- B. alteration
- C. application
- D. abstraction
正解:B
解説:
Section: Security Operation Adimnistration
Explanation/Reference:
Integrity is the opposite of "alteration."
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 59.
質問 # 220
Which of the following is most appropriate to notify an external user that session monitoring is being conducted?
- A. Employee Handbook
- B. Wall poster
- C. Written agreement
- D. Logon Banners
正解:D
解説:
Explanation/Reference:
Banners at the log-on time should be used to notify external users of any monitoring that is being conducted. A good banner will give you a better legal stand and also makes it obvious the user was warned about who should access the system and if it is an unauthorized user then he is fully aware of trespassing.
This is a tricky question, the keyword in the question is External user.
There are two possible answers based on how the question is presented, this question could either apply to internal users or ANY anonymous user.
Internal users should always have a written agreement first, then logon banners serve as a constant reminder.
Anonymous users, such as those logging into a web site, ftp server or even a mail server; their only notification system is the use of a logon banner.
References used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 50.
and
Shon Harris, CISSP All-in-one, 5th edition, pg 873
質問 # 221
Which of the following is not an example of a block cipher?
- A. Blowfish
- B. IDEA
- C. Skipjack
- D. RC4
正解:D
解説:
RC4 is a proprietary, variable-key-length stream cipher invented by Ron Rivest for RSA Data Security, Inc. Skipjack, IDEA and Blowfish are examples of block ciphers.
質問 # 222
In biometrics, "one-to-many" search against database of stored biometric images is done in:
- A. Authentication
- B. Identity-based access control
- C. Identities
- D. Identification
正解:D
解説:
In biometrics, identification is a "one-to-many" search of an individual's characteristics from a database of stored images.
質問 # 223
Which of the following statements pertaining to Secure Sockets Layer (SSL) is false?
- A. SSL can be used with applications such as Telnet, FTP and email protocols.
- B. Web pages using the SSL protocol start with HTTPS
- C. The SSL protocol was developed by Netscape to secure Internet client-server transactions.
- D. The SSL protocol's primary use is to authenticate the client to the server using public key cryptography and digital certificates.
正解:D
解説:
All of these statements pertaining to SSL are true except that it is primary
use is to authenticate the client to the server using public key cryptography and digital
certificates. It is the opposite, Its primary use is to authenticate the server to the client.
The following reference(s) were used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten
Domains of Computer Security, John Wiley & Sons, 2001, Chapter 4: Cryptography (page
170).
質問 # 224
Which of the following is not a one-way hashing algorithm?
- A. SHA-1
- B. RC4
- C. MD2
- D. HAVAL
正解:B
解説:
Section: Cryptography
Explanation/Reference:
RC4 was designed by Ron Rivest of RSA Security in 1987. While it is officially termed "Rivest Cipher 4", the RC acronym is alternatively understood to stand for "Ron's Code" (see also RC2, RC5 and RC6).
RC4 was initially a trade secret, but in September 1994 a description of it was anonymously posted to the Cypherpunks mailing list. It was soon posted on the sci.crypt newsgroup, and from there to many sites on the Internet. The leaked code was confirmed to be genuine as its output was found to match that of proprietary software using licensed RC4. Because the algorithm is known, it is no longer a trade secret. The name RC4 is trademarked, so RC4 is often referred to as ARCFOUR or ARC4 (meaning alleged RC4) to avoid trademark problems. RSA Security has never officially released the algorithm; Rivest has, however, linked to the English Wikipedia article on RC4 in his own course notes. RC4 has become part of some commonly used encryption protocols and standards, including WEP and WPA for wireless cards and TLS.
The main factors in RC4's success over such a wide range of applications are its speed and simplicity: efficient implementations in both software and hardware are very easy to develop.
The following answer were not correct choices:
SHA-1 is a one-way hashing algorithms. SHA-1 is a cryptographic hash function designed by the United States National Security Agency and published by the United States NIST as a U.S. Federal Information Processing Standard. SHA stands for "secure hash algorithm".
The three SHA algorithms are structured differently and are distinguished as SHA-0, SHA-1, and SHA-2. SHA-
1 is very similar to SHA-0, but corrects an error in the original SHA hash specification that led to significant weaknesses. The SHA-0 algorithm was not adopted by many applications. SHA-2 on the other hand significantly differs from the SHA-1 hash function.
SHA-1 is the most widely used of the existing SHA hash functions, and is employed in several widely used security applications and protocols. In 2005, security flaws were identified in SHA-1, namely that a mathematical weakness might exist, indicating that a stronger hash function would be desirable. Although no successful attacks have yet been reported on the SHA-2 variants, they are algorithmically similar to SHA-1 and so efforts are underway to develop improved alternatives. A new hash standard, SHA-3, is currently under development - an ongoing NIST hash function competition is scheduled to end with the selection of a winning function in 2012.
SHA-1 produces a 160-bit message digest based on principles similar to those used by Ronald L. Rivest of MIT in the design of the MD4 and MD5 message digest algorithms, but has a more conservative design.
MD2 is a one-way hashing algorithms. The MD2 Message-Digest Algorithm is a cryptographic hash function developed by Ronald Rivest in 1989. The algorithm is optimized for 8-bit computers. MD2 is specified in RFC
1319. Although MD2 is no longer considered secure, even as of 2010 it remains in use in public key infrastructures as part of certificates generated with MD2 and RSA.
Haval is a one-way hashing algorithms. HAVAL is a cryptographic hash function. Unlike MD5, but like most modern cryptographic hash functions, HAVAL can produce hashes of different lengths. HAVAL can produce hashes in lengths of 128 bits, 160 bits, 192 bits, 224 bits, and 256 bits. HAVAL also allows users to specify the number of rounds (3, 4, or 5) to be used to generate the hash.
The following reference(s) were used for this question:
SHIREY, Robert W., RFC2828: Internet Security Glossary, may 2000.
and
https://en.wikipedia.org/wiki/HAVAL
and
https://en.wikipedia.org/wiki/MD2_%28cryptography%29
and
https://en.wikipedia.org/wiki/SHA-1
質問 # 225
Which of the following is immune to the effects of electromagnetic interference (EMI) and therefore has a much longer effective usable length?
- A. Axial cable
- B. Twisted Pair cable
- C. Coaxial cable
- D. Fiber Optic cable
正解:D
解説:
Section: Network and Telecommunications
Explanation/Reference:
Fiber Optic cable is immune to the effects of electromagnetic interference (EMI) and therefore has a much longer effective usable length (up to two kilometers in some cases).
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 72.
質問 # 226
What is the primary reason why some sites choose not to implement Trivial File Transfer Protocol (TFTP)?
- A. It cannot support the Lightwight Directory Access Protocol (LDAP)
- B. It is too complex to manage user access restrictions under TFTP
- C. Due to the inherent security risks
- D. It does not offer high level encryption like FTP
正解:C
解説:
Explanation/Reference:
Some sites choose not to implement Trivial File Transfer Protocol (TFTP) due to the inherent security risks.
TFTP is a UDP-based file transfer program that provides no security. There is no user authentication.
Source: KRUTZ, Ronald L & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 88.
質問 # 227
Why do buffer overflows happen? What is the main cause?
- A. Because they are an easy weakness to exploit
- B. Because of insufficient system memory
- C. Because of improper parameter checking within the application
- D. Because buffers can only hold so much data
正解:C
解説:
Section: Access Control
Explanation/Reference:
Buffer Overflow attack takes advantage of improper parameter checking within the application. This is the classic form of buffer overflow and occurs because the programmer accepts whatever input the user supplies without checking to make sure that the length of the input is less than the size of the buffer in the program.
The buffer overflow problem is one of the oldest and most common problems in software development and programming, dating back to the introduction of interactive computing. It can result when a program fills up the assigned buffer of memory with more data than its buffer can hold. When the program begins to write beyond the end of the buffer, the program's execution path can be changed, or data can be written into areas used by the operating system itself. This can lead to the insertion of malicious code that can be used to gain administrative privileges on the program or system.
As explained by Gaurab, it can become very complex. At the time of input even if you are checking the length of the input, it has to be check against the buffer size. Consider a case where entry point of data is stored in Buffer1 of Application1 and then you copy it to Buffer2 within Application2 later on, if you are just checking the length of data against Buffer1, it will not ensure that it will not cause a buffer overflow in Buffer2 of Application2.
A bit of reassurance from the ISC2 book about level of Coding Knowledge needed for the exam:
It should be noted that the CISSP is not required to be an expert programmer or know the inner workings of developing application software code, like the FORTRAN programming language, or how to develop Web applet code using Java. It is not even necessary that the CISSP know detailed security-specific coding practices such as the major divisions of buffer overflow exploits or the reason for preferring str(n)cpy to strcpy in the C language (although all such knowledge is, of course, helpful). Because the CISSP may be the person responsible for ensuring that security is included in such developments, the CISSP should know the basic procedures and concepts involved during the design and development of software programming. That is, in order for the CISSP to monitor the software development process and verify that security is included, the CISSP must understand the fundamental concepts of programming developments and the security strengths and weaknesses of various application development processes.
The following are incorrect answers:
"Because buffers can only hold so much data" is incorrect. This is certainly true but is not the best answer because the finite size of the buffer is not the problem -- the problem is that the programmer did not check the size of the input before moving it into the buffer.
"Because they are an easy weakness to exploit" is incorrect. This answer is sometimes true but is not the best answer because the root cause of the buffer overflow is that the programmer did not check the size of the user input.
"Because of insufficient system memory" is incorrect. This is irrelevant to the occurrence of a buffer overflow.
Reference(s) used for this question:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 13319-13323). Auerbach Publications. Kindle Edition.
質問 # 228
Which of the following is best defined as an administrative declaration by a designated authority that an information system is approved to operate in a particular security configuration with a prescribed set of safeguards?
- A. Certification
- B. Accreditation
- C. Audit
- D. Declaration
正解:B
解説:
Accreditation: is an administrative declaration by a designated authority that an information system is approved to operate in a particular security configuration with a prescribed set of safeguards. It is usually based on a technical certification of the system's security mechanisms.
Certification: Technical evaluation (usually made in support of an accreditation action) of an information system\'s security features and other safeguards to establish the extent to which the system\'s design and implementation meet specified security requirements. Source: SHIREY, Robert W., RFC2828: Internet Security Glossary, may 2000.
質問 # 229
......
合格させるISC SSCPプレミアムお試しセットテストエンジンPDFで無料問題集セット:https://jp.fast2test.com/SSCP-premium-file.html