
SSCP問題集PDFで100%合格保証付き
SSCPブレーン問題集でリアル試験最新問題2022年10月30日には1074問題
質問 327
Which of the following backup methods is most appropriate for off-site archiving?
- A. Differential backup method
- B. Full backup method
- C. Off-site backup method
- D. Incremental backup method
正解: B
解説:
Explanation/Reference:
The full backup makes a complete backup of every file on the system every time it is run. Since a single backup set is needed to perform a full restore, it is appropriate for off-site archiving.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page
69).
質問 328
When packets are captured and converted to hexadecimal, _______ represents the ICMP protocol in the IP header.
- A. 0
- B. All of the above
- C. 1
- D. 2
- E. 06
- F. 01
正解: F
質問 329
Brute force attacks against encryption keys have increased in potency because of increased computing power. Which of the following is often considered a good protection against the brute force cryptography attack?
- A. The use of session keys.
- B. The use of good key generators.
- C. Nothing can defend you against a brute force crypto key attack.
- D. Algorithms that are immune to brute force key attacks.
正解: A
解説:
If we assume a crytpo-system with a large key (and therefore a large key space) a brute force attack will likely take a good deal of time - anywhere from several hours to several years depending on a number of variables. If you use a session key for each message you encrypt, then the brute force attack provides the attacker with only the key for that one message. So, if you are encrypting 10 messages a day, each with a different session key, but it takes me a month to break each session key then I am fighting a loosing battle.
The other answers are not correct because:
"The use of good key generators" is not correct because a brute force key attack will
eventually run through all possible combinations of key. Therefore, any key will eventually
be broken in this manner given enough time.
"Nothing can defend you against a brute force crypto key attack" is incorrect, and not the
best answer listed. While it is technically true that any key will eventually be broken by a
brute force attack, the question remains "how long will it take?". In other words, if you
encrypt something today but I can't read it for 10,000 years, will you still care? If the key is
changed every session does it matter if it can be broken after the session has ended? Of
the answers listed here, session keys are "often considered a good protection against the
brute force cryptography attack" as the question asks.
"Algorithms that are immune to brute force key attacks" is incorrect because there currently
are no such algorithms.
References:
Official ISC2 Guide page: 259
All in One Third Edition page: 623
質問 330
After a company is out of an emergency state, what should be moved back to the original site first?
- A. IT support staff
- B. Least critical components
- C. Most critical components
- D. Executives
正解: B
解説:
Explanation/Reference:
This will expose any weaknesses in the plan and ensure the primary site has been properly repaired before moving back. Moving critical assets first may induce a second disaster if the primary site has not been repaired properly.
The first group to go back would test items such as connectivity, HVAC, power, water, improper procedures, and/or steps that has been overlooked or not done properly. By moving these first, and fixing any problems identified, the critical operations of the company are not negatively affected.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter
9: Disaster Recovery and Business continuity (page 621).
質問 331
The viewing of recorded events after the fact using a closed-circuit TV camera is considered a
- A. Preventative control.
- B. Detective control
- C. Compensating control
- D. Corrective control
正解: B
解説:
Detective security controls are like a burglar alarm. They detect and report
an unauthorized or undesired event (or an attempted undesired event). Detective security
controls are invoked after the undesirable event has occurred. Example detective security
controls are log monitoring and review, system audit, file integrity checkers, and motion
detection.
Visual surveillance or recording devices such as closed circuit television are used in
conjunction with guards in order to enhance their surveillance ability and to record events
for future analysis or prosecution.
When events are monitored, it is considered preventative whereas recording of events is
considered detective in nature.
Below you have explanations of other types of security controls from a nice guide produce
by James Purcell (see reference below):
Preventive security controls are put into place to prevent intentional or unintentional
disclosure, alteration, or destruction (D.A.D.) of sensitive information. Some example
preventive controls follow:
Policy - Unauthorized network connections are prohibited.
Firewall - Blocks unauthorized network connections.
Locked wiring closet - Prevents unauthorized equipment from being physically plugged into
a network switch.
Notice in the preceding examples that preventive controls crossed administrative, technical,
and physical categories discussed previously. The same is true for any of the controls
discussed in this section.
Corrective security controls are used to respond to and fix a security incident. Corrective
security controls also limit or reduce further damage from an attack. Examples follow:
Procedure to clean a virus from an infected system
A guard checking and locking a door left unlocked by a careless employee
Updating firewall rules to block an attacking IP address
Note that in many cases the corrective security control is triggered by a detective security
control.
Recovery security controls are those controls that put a system back into production after
an incident. Most Disaster Recovery activities fall into this category. For example, after a
disk failure, data is restored from a backup tape.
Directive security controls are the equivalent of administrative controls. Directive controls direct that some action be taken to protect sensitive organizational information. The directive can be in the form of a policy, procedure, or guideline.
Deterrent security controls are controls that discourage security violations. For instance, "Unauthorized Access Prohibited" signage may deter a trespasser from entering an area. The presence of security cameras might deter an employee from stealing equipment. A policy that states access to servers is monitored could deter unauthorized access.
Compensating security controls are controls that provide an alternative to normal controls that cannot be used for some reason. For instance, a certain server cannot have antivirus software installed because it interferes with a critical application. A compensating control would be to increase monitoring of that server or isolate that server on its own network segment.
Note that there is a third popular taxonomy developed by NIST and described in NIST Special Publication 800-53, "Recommended Security Controls for Federal Information Systems." NIST categorizes security controls into 3 classes and then further categorizes the controls within the classes into 17 families. Within each security control family are dozens of specific controls. The NIST taxonomy is not covered on the CISSP exam but is one the CISSP should be aware of if you are employed within the US federal workforce.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 10: Physical security (page 340). and CISSP Study Guide By Eric Conrad, Seth Misenar, Joshua Feldman, page 50-52 and Security Control Types and Operational Security, James E. Purcell, http://www.giac.org/cissp-papers/207.pdf
質問 332
During the testing of the business continuity plan (BCP), which of the following methods of results analysis provides the BEST assurance that the plan is workable?
- A. Quantitatively measuring the results of the test
- B. Elapsed time for completion of critical tasks
- C. Evaluation of the observed test results
- D. Measurement of accuracy
正解: A
解説:
Section: Risk, Response and Recovery
Explanation/Reference:
It is important to have ways to measure the success of the plan and tests against the stated objectives.
Therefore, results must be quantitatively gauged as opposed to an evaluation based only on observation.
Quantitatively measuring the results of the test involves a generic statement measuring all the activities performed during BCP, which gives the best assurance of an effective plan. Although choices A and B are also quantitative, they relate to specific areas, or an analysis of results from one viewpoint, namely the accuracy of the results and the elapsed time.
Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, Chapter 5: Disaster Recovery and Business Continuity (page 269).
質問 333
Which of the following is used in database information security to hide information?
- A. Inheritance
- B. Delegation
- C. Polymorphism
- D. Polyinstantiation
正解: D
解説:
Section: Security Operation Adimnistration
Explanation/Reference:
Polyinstantiation enables a relation to contain multiple tuples with the same primary keys with each instance distinguished by a security level. When this information is inserted into a database, lower-level subjects need to be restricted from this information. Instead of just restricting access, another set of data is created to fool the lower-level subjects into thinking that the information actually means something else.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 11:
Application and System Development (page 727).
質問 334
When should a post-mortem review meeting be held after an intrusion has been properly taken care of?
- A. Within the first week after prosecution of intruders have taken place, whether successful or not.
- B. Within the first week of completing the investigation of the intrusion.
- C. Within the first three months after the investigation of the intrusion is completed.
- D. Within the first month after the investigation of the intrusion is completed.
正解: B
解説:
Explanation/Reference:
A post-mortem review meeting should be held with all involved parties within three to five working days of completing the investigation of the intrusion. Otherwise, participants are likely to forget critical information.
Even if it enabled an organization to validate the correctness of its chain of custody of evidence, it would not make sense to wait until prosecution is complete because it would take too much time and many cases of intrusion never get to court anyway.
Source: ALLEN, Julia H., The CERT Guide to System and Network Security Practices, Addison-Wesley,
2001, Chapter 7: Responding to Intrusions (page 297).
質問 335
Which of the following is not a preventive login control?
- A. Minimum password length
- B. Account expiration
- C. Last login message
- D. Password aging
正解: C
解説:
Section: Access Control
Explanation/Reference:
The last login message displays the last login date and time, allowing a user to discover if their account was used by someone else. Hence, this is rather a detective control.
Source: RUSSEL, Deborah & GANGEMI, G.T. Sr., Computer Security Basics, O'Reilly, July 1992 (page 63).
質問 336
Of the protocols list, which one is connection oriented?
- A. UDP
- B. TCP
- C. IP
- D. DNS
- E. All protocols listed are connection oriented
正解: B
質問 337
Which access control model is best suited in an environment where a high security level is required and where it is desired that only the administrator grants access control?
- A. DAC
- B. TACACS
- C. Access control matrix
- D. MAC
正解: D
解説:
MAC provides high security by regulating access based on the clearance of individual users and sensitivity labels for each object. Clearance levels and sensitivity levels cannot be modified by individual users -- for example, user Joe (SECRET clearance) cannot reclassify the "Presidential Doughnut Recipe" from "SECRET" to "CONFIDENTIAL" so that his friend Jane (CONFIDENTIAL clearance) can read it. The administrator is
ultimately responsible for configuring this protection in accordance with security policy and
directives from the Data Owner.
DAC is incorrect. In DAC, the data owner is responsible for controlling access to the object.
Access control matrix is incorrect. The access control matrix is a way of thinking about the
access control needed by a population of subjects to a population of objects. This access
control can be applied using rules, ACL's, capability tables, etc.
TACACS is incorrect. TACACS is a tool for performing user authentication.
References:
CBK, p. 187, Domain 2: Access Control.
AIO3, Chapter 4, Access Control.
質問 338
In the Open Systems Interconnect (OSI) Reference Model, at what level are TCP and UDP provided?
- A. Application
- B. Presentation
- C. Network
- D. Transport
正解: D
解説:
Transport. The Layer 4 Transport layer supports the TCP and UDP protocols in the OSI Reference Model. This layer creates an end-to-end transportation between peer hosts. The transmission can be connectionless and unreliable such as UDP, or connection-oriented and ensure error-free delivery such as TCP.
The following answers are incorrect: Network. The Network layer moves information between hosts that are not physically connected. It deals with routing of information. IP is a protocol that is used in Network Layer. TCP and UDP do not reside at the Layer 3 Network Layer in the OSI Reference Model.
Presentation. The Presentation Layer is concerned with the formatting of data into a standard presentation such as ASCII. TCP and UDP do not reside at the Layer 6 Presentation Layer in the OSI Reference Model.
Application. The Application Layer is a service for applications and Operating Systems data transmission, for example HTTP, FTP and SMTP. TCP and UDP do not reside at the Layer 7 Application Layer in the OSI Reference Model.
The following reference(s) were/was used to create this question:
ISC2 OIG, 2007 p. 411 Shon Harris AIO v.3 p. 424
質問 339
Which of the following is NOT true about IPSec Tunnel mode?
- A. Works at the Transport layer of the OSI model
- B. Fundamentally an IP tunnel with encryption and authentication
- C. Have two sets of IP headers
- D. Established for gateway service
正解: A
解説:
Explanation/Reference:
IPSec can be run in either tunnel mode or transport mode. Each of these modes has its own particular uses and care should be taken to ensure that the correct one is selected for the solution:
Tunnel mode is most commonly used between gateways, or at an end-station to a gateway, the gateway acting as a proxy for the hosts behind it.
Transport mode is used between end-stations or between an end-station and a gateway, if the gateway is being treated as a host-for example, an encrypted Telnet session from a workstation to a router, in which the router is the actual destination.
As Figure 1 shows, basically transport mode should be used for end-to-end sessions and tunnel mode should be used for everything else. (Refer to the figure for the following discussion.) Figure 1 Tunnel and transport modes in IPSec.
Figure 1 displays some examples of when to use tunnel versus transport mode:
Tunnel mode is most commonly used to encrypt traffic between secure IPSec gateways, such as between the Cisco router and PIX Firewall (as shown in example A in Figure 1). The IPSec gateways proxy IPSec for the devices behind them, such as Alice's PC and the HR servers in Figure 1. In example A, Alice connects to the HR servers securely through the IPSec tunnel set up between the gateways.
Tunnel mode is also used to connect an end-station running IPSec software, such as the Cisco Secure VPN Client, to an IPSec gateway, as shown in example B.
In example C, tunnel mode is used to set up an IPSec tunnel between the Cisco router and a server running IPSec software. Note that Cisco IOS software and the PIX Firewall sets tunnel mode as the default IPSec mode.
Transport mode is used between end-stations supporting IPSec, or between an end-station and a gateway, if the gateway is being treated as a host. In example D, transport mode is used to set up an encrypted Telnet session from Alice's PC running Cisco Secure VPN Client software to terminate at the PIX Firewall, enabling Alice to remotely configure the PIX Firewall securely.
AH Tunnel Versus Transport Mode
Figure 2 shows the differences that the IPSec mode makes to AH. In transport mode, AH services protect the external IP header along with the data payload. AH services protect all the fields in the header that don't change in transport. The header goes after the IP header and before the ESP header, if present, and other higher-layer protocols.
In tunnel mode, the entire original header is authenticated, a new IP header is built, and the new IP header is protected in the same way as the IP header in transport mode.
Figure 2 AH tunnel versus transport mode.
AH is incompatible with Network Address Translation (NAT) because NAT changes the source IP address, which breaks the AH header and causes the packets to be rejected by the IPSec peer.
ESP Tunnel Versus Transport Mode
Figure 3 shows the differences that the IPSec mode makes to ESP. In transport mode, the IP payload is encrypted and the original headers are left intact. The ESP header is inserted after the IP header and before the upper-layer protocol header. The upper-layer protocols are encrypted and authenticated along with the ESP header. ESP doesn't authenticate the IP header itself.
NOTE
Higher-layer information is not available because it's part of the encrypted payload.
When ESP is used in tunnel mode, the original IP header is well protected because the entire original IP datagram is encrypted. With an ESP authentication mechanism, the original IP datagram and the ESP header are included; however, the new IP header is not included in the authentication.
When both authentication and encryption are selected, encryption is performed first, before authentication.
One reason for this order of processing is that it facilitates rapid detection and rejection of replayed or bogus packets by the receiving node. Prior to decrypting the packet, the receiver can detect the problem and potentially reduce the impact of denial-of-service attacks.
Figure 3 ESP tunnel versus transport mode.
ESP can also provide packet authentication with an optional field for authentication. Cisco IOS software and the PIX Firewall refer to this service as ESP hashed message authentication code (HMAC).
Authentication is calculated after the encryption is done. The current IPSec standard specifies SHA-1 and MD5 as the mandatory HMAC algorithms.
The main difference between the authentication provided by ESP and AH is the extent of the coverage.
Specifically, ESP doesn't protect any IP header fields unless those fields are encapsulated by ESP (tunnel mode). Figure 4 illustrates the fields protected by ESP HMAC.
Figure 4 ESP encryption with a keyed HMAC.
IPSec Transforms
An IPSec transform specifies a single IPSec security protocol (either AH or ESP) with its corresponding security algorithms and mode. Example transforms include the following:
The AH protocol with the HMAC with MD5 authentication algorithm in tunnel mode is used for authentication.
The ESP protocol with the triple DES (3DES) encryption algorithm in transport mode is used for confidentiality of data.
The ESP protocol with the 56-bit DES encryption algorithm and the HMAC with SHA-1 authentication algorithm in tunnel mode is used for authentication and confidentiality.
Transform Sets
A transform set is a combination of individual IPSec transforms designed to enact a specific security policy for traffic. During the ISAKMP IPSec security association negotiation that occurs in IKE phase 2 quick mode, the peers agree to use a particular transform set for protecting a particular data flow. Transform sets combine the following IPSec factors:
Mechanism for payload authentication-AH transform
Mechanism for payload encryption-ESP transform
IPSec mode (transport versus tunnel)
Transform sets equal a combination of an AH transform, plus an ESP transform, plus the IPSec mode (either tunnel or transport mode).
This brings us to the end of the second part of this five-part series of articles covering IPSec. Be sure to catch the next installment.
Cisco Press at: http://www.ciscopress.com/articles/printerfriendly.asp?p=25477 and
Source: TIPTON, Harold F & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 2, 2001, CRC Press, NY, Pages 166-167.
質問 340
Which of the following is NOT a common integrity goal?
- A. Prevent unauthorized users from making modifications.
- B. Prevent authorized users from making improper modifications.
- C. Prevent paths that could lead to inappropriate disclosure.
- D. Maintain internal and external consistency.
正解: C
解説:
Section: Security Operation Adimnistration
Explanation/Reference:
Inappropriate disclosure is a confidentiality, not an integrity goal.
All of the other choices above are integrity goals addressed by the Clark-Wilson integrity model.
The Clark-Wilson model is an integrity model that addresses all three integrity goals:
1. prevent unauthorized users from making modifications,
2. prevent authorized users from making improper modifications, and
3. maintain internal and external consistency through auditing.
NOTE: Biba address only the first goal of integrity above
Reference(s) used for this question:
Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 1384). McGraw-Hill. Kindle Edition.
質問 341
In a known plaintext attack, the cryptanalyst has knowledge of which of the following?
- A. both the plaintext and the associated ciphertext of several messages
- B. the plaintext and the secret key
- C. the plaintext and the algorithm
- D. the ciphertext and the key
正解: A
解説:
Section: Cryptography
Explanation/Reference:
In a known plaintext attack, the attacker has the plaintext and ciphertext of one or more messages. The goal is to discover the key used to encrypt the messages so that other messages can be deciphered and read.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 3rd Ed., chapter 8:
Cryptography (page 676). Also check out: Handbook of Applied Cryptography 4th Edition by Alfred J.
Menezes, Paul C. van Oorschot and Scott A. Vanstone.
質問 342
From a security standpoint, the product development life cycle consists of which of the following?
- A. All of the items listed
- B. Certification
- C. System Test Review
- D. Functional Design Review
- E. Accreditation
- F. Code Review
正解: A
質問 343
Which one of the following statements about the advantages and disadvantages of network-based Intrusion detection systems is true
- A. The deployment of network-based IDSs has little impact upon an existing network.
- B. Network-based IDSs are not vulnerable to attacks.
- C. Network-based IDSs are well suited for modern switch-based networks.
- D. Most network-based IDSs can automatically indicate whether or not an attack was successful.
正解: A
解説:
Network-based IDSs are usually passive devices that listen on a network wire without interfering with the normal operation of a network. Thus, it is usually easy to retrofit a network to include network-based IDSs with minimal effort.
Network-based IDSs are not vulnerable to attacks is not true, even thou network-based IDSs can be made very secure against attack and even made invisible to many attackers they still have to read the packets and sometimes a well crafted packet might exploit or kill your capture engine.
Network-based IDSs are well suited for modern switch-based networks is not true as most switches do not provide universal monitoring ports and this limits the monitoring range of a network-based IDS sensor to a single host. Even when switches provide such monitoring ports, often the single port cannot mirror all traffic traversing the switch.
Most network-based IDSs can automatically indicate whether or not an attack was successful is not true as most network-based IDSs cannot tell whether or not an attack was successful; they can only discern that an attack was initiated. This means that after a network-based IDS detects an attack, administrators must manually investigate each attacked host to determine whether it was indeed penetrated.
Reference:
NIST special publication 800-31 Intrusion Detection System pages 15-16
Official guide to the CISSP CBK. Pages 196 to 197
質問 344
......
SSCP問題集には100%厳密検証された問題と解答で合格保証付きもしくは全額返金:https://jp.fast2test.com/SSCP-premium-file.html