
[2025年04月最新リリース]SSCP問題集でISC Certification認証
最新の完璧なSSCP問題集問題と解答で100%パスさせます
質問 # 445
An attack initiated by an entity that is authorized to access system resources but uses them in a way not approved by those who granted the authorization is known as a(n):
- A. active attack
- B. passive attack
- C. outside attack
- D. inside attack
正解:D
解説:
Section: Access Control
Explanation/Reference:
An inside attack is an attack initiated by an entity inside the security perimeter, an entity that is authorized to access system resources but uses them in a way not approved by those who granted the authorization whereas an outside attack is initiated from outside the perimeter, by an unauthorized or illegitimate user of the system. An active attack attempts to alter system resources to affect their operation and a passive attack attempts to learn or make use of the information from the system but does not affect system resources.
Source: SHIREY, Robert W., RFC2828: Internet Security Glossary, may 2000.
質問 # 446
Overloading or congesting a system's resources so that it is unable to provide required services is referred to as:
- A. A passive attack
- B. Swamping
- C. Bandwidth displacement
- D. Denial of Service
- E. ICMP redirect
正解:D
質問 # 447
Which backup method is used if backup time is critical and tape space is at an extreme premium?
- A. Differential backup method.
- B. Incremental backup method.
- C. Full backup method.
- D. Tape backup method.
正解:B
解説:
Section: Risk, Response and Recovery
Explanation/Reference:
Full Backup/Archival Backup - Complete/Full backup of every selected file on the system regardless of whether it has been backup recently.. This is the slowest of the backup methods since it backups all the data. It's however the fastest for restoring data.
Incremental Backup - Any backup in which only the files that have been modified since last full back up are backed up. The archive attribute should be updated while backing up only modified files, which indicates that the file has been backed up. This is the fastest of the backup methods, but the slowest of the restore methods.
Differential Backup - The backup of all data files that have been modified since the last incremental backup or archival/full backup. Uses the archive bit to determine what files have changed since last incremental backup or full backup. The files grows each day until the next full backup is performed clearing the archive attributes.
This enables the user to restore all files changed since the last full backup in one pass. This is a more neutral method of backing up data since it's not faster nor slower than the other two Easy Way To Remember each of the backup type properties:
Backup Speed Restore Speed
Full 3 1
Differential 2 2
Incremental 1 3
Legend: 1 = Fastest 2 = Faster 3 = Slowest
Source:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 69.
and
http://www.proprofs.com/mwiki/index.php/Full_Backup,_Incremental_%26_Differential_Backup
質問 # 448
Passfilt.dll enforces which of the following? (Choose all that apply)
- A. 90 day password change
- B. 8 character minimum password length
- C. 6 character minimum password length
- D. Each password must have a combination of upper case, lower case, numbers and special characters
正解:C、D
質問 # 449
Which of the following statements pertaining to disaster recovery is incorrect?
- A. The disaster recovery plan should include how the company will return from the alternate site to the primary site.
- B. A salvage team's task is to ensure that the primary site returns to normal processing conditions.
- C. When returning to the primary site, the most critical applications should be brought back first.
- D. A recovery team's primary task is to get the pre-defined critical business functions at the alternate backup processing site.
正解:C
解説:
Section: Risk, Response and Recovery
Explanation/Reference:
It's interesting to note that the steps to resume normal processing operations will be different than the steps in the recovery plan; that is, the least critical work should be brought back first to the primary site.
My explanation:
at the point where the primary site is ready to receive operations again, less critical systems should be brought back first because one has to make sure that everything will be running smoothly at the primary site before returning critical systems, which are already operating normally at the recovery site.
This will limit the possible interruption of processing to a minimum for most critical systems, thus making it the best option.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 291).
質問 # 450
Which of the following is NOT a common integrity goal?
- A. Prevent unauthorized users from making modifications.
- B. Maintain internal and external consistency.
- C. Prevent authorized users from making improper modifications.
- D. Prevent paths that could lead to inappropriate disclosure.
正解:D
解説:
Section: Security Operation Adimnistration
Explanation/Reference:
Inappropriate disclosure is a confidentiality, not an integrity goal.
All of the other choices above are integrity goals addressed by the Clark-Wilson integrity model.
The Clark-Wilson model is an integrity model that addresses all three integrity goals:
1. prevent unauthorized users from making modifications,
2. prevent authorized users from making improper modifications, and
3. maintain internal and external consistency through auditing.
NOTE: Biba address only the first goal of integrity above
Reference(s) used for this question:
Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 1384). McGraw-Hill. Kindle Edition.
質問 # 451
Which of the following tape formats can be used to backup data systems in addition to its original intended audio uses?
- A. Digital Voice Tape (DVT).
- B. Digital Analog Tape (DAT).
- C. Digital Video Tape (DVT).
- D. Digital Audio Tape (DAT).
正解:D
解説:
Section: Risk, Response and Recovery
Explanation/Reference:
Digital Audio Tape (DAT) can be used to backup data systems in addition to its original intended audio uses.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 70.
質問 # 452
What does "System Integrity" mean?
- A. Users can't tamper with processes they do not own.
- B. Design specifications have been verified against the formal top-level specification.
- C. Hardware and firmware have undergone periodic testing to verify that they are functioning properly.
- D. The software of the system has been implemented as designed.
正解:C
解説:
Section: Security Operation Adimnistration
Explanation
Explanation/Reference:
System Integrity means that all components of the system cannot be tampered with by unauthorized personnel and can be verified that they work properly.
The following answers are incorrect:
The software of the system has been implemented as designed. Is incorrect because this would fall under Trusted system distribution.
Users can't tamper with processes they do not own. Is incorrect because this would fall under Configuration Management.
Design specifications have been verified against the formal top-level specification. Is incorrect because this would fall under Specification and verification.
References:
AIOv3 Security Models and Architecture (pages 302 - 306)
DOD TCSEC - http://www.cerberussystems.com/INFOSEC/stds/d520028.htm
質問 # 453
What are the components of an object's sensitivity label?
- A. A single classification and a single compartment.
- B. A single classification and a Compartment Set.
- C. A Classification Set and user credentials.
- D. A Classification Set and a single Compartment.
正解:B
解説:
Section: Access Control
Explanation/Reference:
Both are the components of a sensitivity label.
The following are incorrect:
A Classification Set and a single Compartment. Is incorrect because the nomenclature "Classification Set" is incorrect, there only one classifcation and it is not a "single compartment" but a Compartment Set.
A single classification and a single compartment. Is incorrect because while there only is one classifcation, it is not a "single compartment" but a Compartment Set.
A Classification Set and user credentials. Is incorrect because the nomenclature "Classification Set" is incorrect, there only one classifcation and it is not "user credential" but a Compartment Set. The user would have their own sensitivity label.
質問 # 454
Which of the following is immune to the effects of electromagnetic interference (EMI) and therefore has a much longer effective usable length?
- A. Fiber Optic cable
- B. Axial cable
- C. Coaxial cable
- D. Twisted Pair cable
正解:A
解説:
Fiber Optic cable is immune to the effects of electromagnetic interference (EMI) and therefore has a much longer effective usable length (up to two kilometers in some cases).
質問 # 455
What term describes the amount of risk that remains after the countermeasures have been deployed and the vulnerabilities classified?
- A. Imminent risk
- B. Terminal risk
- C. Residual risk
- D. Infinite risk
正解:C
質問 # 456
In which phase of Internet Key Exchange (IKE) protocol is peer authentication performed?
- A. Phase 2
- B. Phase 1
- C. Pre Initialization Phase
- D. No peer authentication is performed
正解:B
解説:
Section: Cryptography
Explanation/Reference:
The Internet Key Exchange (IKE) protocol is a key management protocol standard that is used in conjunction with the IPSec standard. IKE enhances IPSec by providing additional features, flexibility, and ease of configuration for the IPSec standard. IPSec can however, be configured without IKE by manually configuring the gateways communicating with each other for example.
A security association (SA) is a relationship between two or more entities that describes how the entities will use security services to communicate securely.
In phase 1 of this process, IKE creates an authenticated, secure channel between the two IKE peers, called the IKE security association. The Diffie-Hellman key agreement is always performed in this phase.
In phase 2 IKE negotiates the IPSec security associations and generates the required key material for IPSec.
The sender offers one or more transform sets that are used to specify an allowed combination of transforms with their respective settings.
Benefits provided by IKE include:
Eliminates the need to manually specify all the IPSec security parameters in the crypto maps at both peers.
Allows you to specify a lifetime for the IPSec security association.
Allows encryption keys to change during IPSec sessions.
Allows IPSec to provide anti-replay services.
Permits Certification Authority (CA) support for a manageable, scalable IPSec implementation.
Allows dynamic authentication of peers.
References:
RFC 2409: The Internet Key Exchange (IKE);
DORASWAMY, Naganand & HARKINS, Dan, Ipsec: The New Security Standard for the Internet, Intranets, and Virtual Private Networks, 1999, Prentice Hall PTR; SMITH, Richard E., Internet Cryptography, 1997, Addison-Wesley Pub Co.
Reference: http://www.ciscopress.com/articles/article.asp?p=25474
質問 # 457
Which of the following protocols that provide integrity and authentication for IPSec, can also provide non- repudiation in IPSec?
- A. Authentication Header (AH)
- B. Secure Sockets Layer (SSL)
- C. Encapsulating Security Payload (ESP)
- D. Secure Shell (SSH-2)
正解:A
解説:
Explanation/Reference:
As per the RFC in reference, the Authentication Header (AH) protocol is a mechanism for providing strong integrity and authentication for IP datagrams. It might also provide non-repudiation, depending on which cryptographic algorithm is used and how keying is performed. For example, use of an asymmetric digital signature algorithm, such as RSA, could provide non-repudiation.
from a cryptography point of view, so we will cover it from a VPN point of view here. IPSec is a suite of protocols that was developed to specifically protect IP traffic. IPv4 does not have any integrated security, so IPSec was developed to bolt onto IP and secure the data the protocol transmits. Where PPTP and L2TP work at the data link layer, IPSec works at the network layer of the OSI model. The main protocols that make up the IPSec suite and their basic functionality are as follows: A. Authentication Header (AH) provides data integrity, data origin authentication, and protection from replay attacks. B. Encapsulating Security Payload (ESP) provides confidentiality, data-origin authentication, and data integrity. C. Internet Security Association and Key Management Protocol (ISAKMP) provides a framework for security association creation and key exchange. D. Internet Key Exchange (IKE) provides authenticated keying material for use with ISAKMP.
The following are incorrect answers:
ESP is a mechanism for providing integrity and confidentiality to IP datagrams. It may also provide authentication, depending on which lgorithm and algorithm mode are used. Non-repudiation and protection from traffic analysis are not provided by ESP (RFC 1827).
SSL is a secure protocol used for transmitting private information over the Internet. It works by using a public key to encrypt data that is transferred of the SSL connection. OIG 2007, page 976 SSH-2 is a secure, efficient, and portable version of SSH (Secure Shell) which is a secure replacement for telnet.
Reference(s) used for this question:
Shon Harris, CISSP All In One, 6th Edition , Page 705
and
RFC 1826, http://tools.ietf.org/html/rfc1826, paragraph 1.
質問 # 458
Which of the following elements of telecommunications is not used in assuring confidentiality?
- A. Data encryption services
- B. Network authentication services
- C. Passwords
- D. Network security protocols
正解:C
解説:
Passwords are one of the multiple ways to authenticate (prove who you claim to be) an identity which allows confidentiality controls to be enforced to assure the identity can only access the information for which it is authorized. It is the authentication that assists assurance of confidentiality not the passwords.
"Network security protocols" is incorrect. Network security protocols are quite useful in assuring confidentiality in network communications.
"Network authentication services" is incorrect. Confidentiality is concerned with allowing only authorized users to access information. An important part of determining authorization is authenticating an identity and this service is supplied by network authentication services.
"Data encryption services" is incorrect. Data encryption services are quite useful in protecting the confidentiality of information.
Reference(s) used for this question:
Official ISC2 Guide to the CISSP CBK, pp. 407 - 520 AIO 3rd Edition, pp. 415 - 580
質問 # 459
How should a doorway of a manned facility with automatic locks be configured?
- A. It should not allow piggybacking.
- B. It should have a door delay cipher lock.
- C. It should be configured to be fail-safe.
- D. It should be configured to be fail-secure.
正解:C
解説:
Section: Access Control
Explanation/Reference:
Access controls are meant to protect facilities and computers as well as people.
In some situations, the objectives of physical access controls and the protection of people's lives may come into conflict. In theses situations, a person's life always takes precedence.
Many physical security controls make entry into and out of a facility hard, if not impossible. However, special consideration needs to be taken when this could affect lives. In an information processing facility, different types of locks can be used and piggybacking should be prevented, but the issue here with automatic locks is that they can either be configured as fail-safe or fail-secure.
Since there should only be one access door to an information processing facility, the automatic lock to the only door to a man-operated room must be configured to allow people out in case of emergency, hence to be fail- safe (sometimes called fail-open), meaning that upon fire alarm activation or electric power failure, the locking device unlocks. This is because the solenoid that maintains power to the lock to keep it in a locked state fails and thus opens or unlocks the electronic lock.
Fail Secure works just the other way. The lock device is in a locked or secure state with no power applied.
Upon authorized entry, a solinoid unlocks the lock temporarily. Thus in a Fail Secure lock, loss of power of fire alarm activation causes the lock to remain in a secure mode.
Reference(s) used for this question:
Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 451). McGraw-Hill. Kindle Edition.
and
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 20249-20251). Auerbach Publications. Kindle Edition.
質問 # 460
......
最新のSSCP試験問題集でISC試験トレーニング:https://jp.fast2test.com/SSCP-premium-file.html