
SSCP日本語のPDF問題集で2024年12月25日試験問題 有効なSSCP日本語問題集
究極のSSCP日本語準備ガイドで無料最新のISC練習テスト問題集
質問 # 620
アプリケーション層ファイアウォールのバリエーションは、次のように呼ばれます。
- A. 現在のレベルのファイアウォール。
- B. キャッシュ レベル ファイアウォール。
- C. セッション レベル ファイアウォール。
- D. サーキット レベルのファイアウォール。
正解:D
解説:
Terminology can be confusing between the different souces as both CBK and AIO3 call an application layer firewall a proxy and proxy servers are generally classified as either circuit-level proxies or application level proxies.
The distinction is that a circuit level proxy creates a conduit through which a trusted host can communicate with an untrusted one and doesn't really look at the application contents of the packet (as an application level proxy does). SOCKS is one of the better known circuit-level proxies.
Firewalls Packet Filtering Firewall - First Generation
n Screening Router n Operates at Network and Transport level n Examines Source and Destination IP Address n Can deny based on ACLs n Can specify Port Application Level Firewall - Second Generation n Proxy Server n Copies each packet from one network to the other n Masks the origin of the data n Operates at layer 7 (Application Layer) n Reduces Network performance since it has do analyze each packet and decide what to do with it.
n Also Called Application Layer Gateway Stateful Inspection Firewalls - Third Generation n Packets Analyzed at all OSI layers n Queued at the network level n Faster than Application level Gateway Dynamic Packet Filtering Firewalls - Fourth Generation n Allows modification of security rules n Mostly used for UDP n Remembers all of the UDP packets that have crossed the network's perimeter, and it decides whether to enable packets to pass through the firewall. Kernel Proxy - Fifth Generation n Runs in NT Kernel n Uses dynamic and custom TCP/IP-based stacks to inspect the network packets and to enforce security policies.
"Current level firewall" is incorrect. This is an amost-right-sounding distractor to confuse the unwary.
"Cache level firewall" is incorrect. This too is a distractor.
"Session level firewall" is incorrect. This too is a distractor.
References
CBK, p. 466 - 467
AIO3, pp. 486 - 490 CISSP Study Notes from Exam Prep Guide
質問 # 621
センサーやカメラからの入力を評価して実際の脅威が存在するかどうかを判断するために人間が通常必要とするコントロールは、次のものに関連付けられています。
- A. 探偵/行政
- B. 予防/物理
- C. 探偵/物理
- D. 探偵/技術者
正解:C
解説:
Detective/physical controls usually require a human to evaluate the input from sensors or cameras to determine if a real threat exists.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36.
質問 # 622
ネットワーク ファイル システム (NFS) が使用されるのはなぜですか?
- A. 2 種類のファイル システムで IP/IPX を使用できるようにします。
- B. 2 つの異なるタイプのファイル システムを相互運用できるようにします。
- C. 2 つの異なるタイプのファイル システムが Sun アプリケーションを共有できるようにします。
- D. 2 つの異なるタイプのファイル システムを相互にエミュレートできるようにします。
正解:B
解説:
Network File System (NFS) is a TCP/IP client/server application developed by Sun that enables different types of file systems to interoperate regardless of operating system or network architecture. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 88.
質問 # 623
危機管理計画の実施における最初のステップは、以下を実行することです。
- A. ファームウェアのバックアップ
- B. アプリケーション ソフトウェアのバックアップ
- C. オペレーティング システム ソフトウェアのバックアップ
- D. データのバックアップ
正解:D
解説:
A data backup is the first step in contingency planning.
Without data, there is nothing to process. "No backup, no recovery".
Backup for hardware should be taken care of next.
Formal arrangements must be made for alternate processing capability in case the need should arise.
Operating systems and application software should be taken care of afterwards.
Source: VALLABHANENI, S. Rao, CISSP Examination Textbooks, Volume 2: Practice, SRV Professional Publications, 2002, Chapter 8, Business Continuity Planning & Disaster Recovery Planning (page 506).
質問 # 624
既知の MAC アドレスから IP アドレスを取得するためにローカル エリア ネットワーク (LAN) で使用されるプロトコルは何ですか?
- A. 逆アドレス解決プロトコル (RARP)
- B. データリンク層
- C. ネットワークアドレス変換 (NAT)
- D. アドレス解決プロトコル (ARP)
正解:A
解説:
The reverse address resolution protocol (RARP) sends out a packet including a MAC address and a request to be informed of the IP address that should be assigned to that MAC.
Diskless workstations do not have a full operating system but have just enough code to know how to boot up and broadcast for an IP address, and they may have a pointer to the server that holds the operating system. The diskless workstation knows its hardware address, so it broadcasts this information so that a listening server can assign it the correct IP address.
As with ARP, Reverse Address Resolution Protocol (RARP) frames go to all systems on the subnet, but only the RARP server responds. Once the RARP server receives this request, it looks in its table to see which IP address matches the broadcast hardware address. The server then sends a message that contains its IP address back to the requesting computer. The system now has an IP address and can function on the network.
The Bootstrap Protocol (BOOTP) was created after RARP to enhance the functionality that RARP provides for diskless workstations. The diskless workstation can receive its IP address, the name server address for future name resolutions, and the default gateway address from the BOOTP server. BOOTP usually provides more functionality to diskless workstations than does RARP.
The evolution of this protocol has unfolded as follows: RARP evolved into BOOTP, which evolved into DHCP.
The following are incorrect answers:
NAT is a tool that is used for masking true IP addresses by employing internal addresses. ARP does the opposite of RARP, it finds the MAC address that maps with an existing IP address. Data Link layer The Data Link layer is not a protocol; it is represented at layer 2 of the OSI model. In the TCP/IP model, the Data Link and Physical layers are combined into the Network Access layer, which is sometimes called the Link layer or the Network Interface layer.
Reference(s) used for this question:
Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition, Telecommunications and Network Security, Page 584-585 and also 598. For Kindle users see Kindle Locations 12348-12357. McGraw-Hill. and KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 87).
質問 # 625
ほとんどのアクセス違反は次のとおりです。
- A. インターネット関連
- B. 外部のハッカーが原因
- C. 内部ハッカーが原因
- D. 偶然
正解:D
解説:
The most likely source of exposure is from the uninformed, accidental or unknowing person, although the greatest impact may be from those with malicious or fraudulent intent. Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, Chapter 4: Protection of Information Assets (page 192).
質問 # 626
証明書失効情報を配布するのに適切でない方法はどれですか?
- A. CA失効メーリングリスト
- B. OCSP (オンライン証明書ステータス プロトコル)
- C. 配布ポイント CRL
- D. デルタ CRL
正解:D
解説:
SSL use public-key cryptography to secure session key, while the session key (secret key) is used to secure the whole session taking place between both parties communicating with each other.
The SSL protocol was originally developed by Netscape. Version 1.0 was never publicly released; version 2.0 was released in February 1995 but "contained a number of security flaws which ultimately led to the design of SSL version 3.0." SSL version 3.0, released in 1996, was a complete redesign of the protocol produced by Paul Kocher working with Netscape engineers Phil Karlton and Alan Freier.
All of the other answers are incorrect
質問 # 627
次の ASYMMETRIC 暗号化アルゴリズムのうち、大きな数を因数分解することの難しさに基づいているのはどれですか?
- A. 国際データ暗号化アルゴリズム (IDEA)
- B. エル・ガマル
- C. RSA
- D. 楕円曲線暗号システム (ECC)
正解:C
解説:
Named after its inventors Ron Rivest , Adi Shamir and Leonard Adleman is based on the difficulty of factoring large prime numbers.
Factoring a number means representing it as the product of prime numbers. Prime numbers, such as 2, 3, 5, 7, 11, and 13, are those numbers that are not evenly divisible by any smaller number, except 1. A non-prime, or composite number, can be written as the product of smaller primes, known as its prime factors. 665, for example is the product of the primes 5, 7, and 19. A number is said to be factored when all of its prime factors are identified. As the size of the number increases, the difficulty of factoring increases rapidly.
The other answers are incorrect because:
El Gamal is based on the discrete logarithms in a finite field.
Elliptic Curve Cryptosystems (ECCs) computes discrete logarithms of elliptic curves.
International Data Encryption Algorithm (IDEA) is a block cipher and operates on 64 bit blocks of data and is a SYMMETRIC algorithm.
Reference : Shon Harris , AIO v3 , Chapter-8 : Cryptography , Page : 638
質問 # 628
リモート プロシージャ コール (RPC) は、あるプログラムがネットワーク内の別のコンピューターにあるプログラムからサービスを要求するために使用できるプロトコルです。RPC が実装されている OSI/ISO レイヤーはどれですか?
- A. データリンク層
- B. ネットワーク層
- C. セッション層
- D. トランスポート層
正解:C
解説:
The answer: Transport. The Layer 4 Transport layer supports the TCP and UDP protocols in the OSI Reference Model. This layer creates an end-to-end transportation between peer hosts. The transmission can be connectionless and unreliable such as UDP, or connection- oriented and ensure error-free delivery such as TCP.
The following answers are incorrect:
Network. The Network layer moves information between hosts that are not physically connected.
It deals with routing of information. IP is a protocol that is used in Network Layer. TCP and UDP do not reside at the Layer 3 Network Layer in the OSI Reference Model.
Presentation. The Presentation Layer is concerned with the formatting of data into a standard presentation such as ASCII. TCP and UDP do not reside at the Layer 6 Presentation Layer in the OSI Reference Model.
Application. The Application Layer is a service for applications and Operating Systems data transmission, for example HTTP, FTP and SMTP. TCP and UDP do not reside at the Layer 7 Application Layer in the OSI Reference Model.
質問 # 629
ブロック暗号とストリーム暗号の主な違いを選択してください。(該当するものをすべて選択してください)
- A. ストリーム = ビットごと。ブロック = 等しいセクションで暗号化される
- B. ストリーム = ハードウェア駆動。ブロック = ソフトウェア駆動
- C. ブロック = ビットごと = 等しいセクションで暗号化
- D. ブロック = ハードウェア駆動。ストリーム = ソフトウェア主導型
- E. ブロック = 暗号化が遅くなります。ストリーム = 高速暗号化
正解:A、B、E
質問 # 630
法廷でメモリダンプが証拠として認められるのはなぜですか?
- A. 内容の真偽を証明するために使用されるため。
- B. 除外規則のため。
- C. メモリの状態は証拠として使用できないため。
- D. システムの状態を識別するために使用されるため。
正解:A
解説:
The main advantage of the qualitative impact analysis is that it prioritizes the risks and identifies areas for immediate improvement in addressing the vulnerabilities. It does not provide specific quantifiable measurements of the magnitude of the impacts, therefore making a cost-analysis of any recommended controls difficult. Since it involves a consensus of export and some guesswork based on the experience of Subject Matter Experts (SME's), it can not be easily automated.
質問 # 631
リスクの発生を回避することに関係するのは、どのタイプの管理ですか?
- A. 検出コントロール
- B. 予防管理
- C. 補正コントロール
- D. 抑止力コントロール
正解:B
解説:
Preventive controls are concerned with avoiding occurrences of risks while deterrent controls are concerned with discouraging violations. Detecting controls identify occurrences and compensating controls are alternative controls, used to compensate weaknesses in other controls.
Supervision is an example of compensating control.
質問 # 632
次のうち、リモート アクセス サーバーを介したダイヤルアップ アクセスをハッキング ベクトルとして排除するのに最も適しているのはどれですか?
- A. リモート アクセス サーバーをファイアウォールの外側にインストールし、正当なユーザーにファイアウォールへの認証を強制します。
- B. TACACS+ サーバーを使用します。
- C. ネットワーク化されていないホストにのみモデムを接続します。
- D. モデムの呼び出し回数を 5 回以上に設定します。
正解:A
解説:
Containing the dial-up problem is conceptually easy: by installing the Remote Access Server outside the firewall and forcing legitimate users to authenticate to the firewall, any access to internal resources through the RAS can be filtered as would any other connection coming from the Internet.
The use of a TACACS+ Server by itself cannot eliminate hacking.
Setting a modem ring count to 5 may help in defeating war-dialing hackers who look for modem by dialing long series of numbers.
Attaching modems only to non-networked hosts is not practical and would not prevent these hosts from being hacked.
Source: STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 2: Hackers.
質問 # 633
Biba セキュリティ モデルは何に関係していますか?
- A. 可用性
- B. 守秘義務
- C. 整合性
- D. 信頼性
正解:C
解説:
The Biba security model addresses the integrity of data being threatened when subjects at lower security levels are able to write to objects at higher security levels and when subjects can read data at lower levels. Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter 5: Security Models and Architecture (Page 244).
質問 # 634
情報セキュリティポリシーは__________________であるべきですか? (該当するものをすべて選択してください)
- A. 定期的に監査および改訂されます
- B. 書き留められています
- C. すべてのシステム ユーザーに明確に通知
- D. リストされた選択肢はどれも正しくありません
正解:A、B、C
質問 # 635
事業継続計画を準備する際、タイム クリティカルなシステムの特定と優先順位付けを担当するのは、次のうち誰ですか?
- A. 機能ビジネス ユニット
- B. シニア ビジネス ユニット マネジメント
- C. 経営管理職
- D. BCP委員会
正解:D
解説:
Remember this is a NOT question. Hot sites do not provide a false sense of security since they are the best disaster recovery alternate for backup site that you rent.
A Cold, Warm, and Hot site is always a rental place in the context of the CBK. This is definivily the best choices out of the rental options that exists. It is fully configured and can be activated in a very short period of time.
Cold and Warm sites, not hot sites, provide a false sense of security because you can never fully test your plan.
In reality, using a cold site will most likely make effective recovery impossible or could lead to business closure if it takes more than two weeks for recovery.
質問 # 636
DMZ は、
- A. ハッカーを引き付ける場所
- B. 3 本脚のファイアウォール
- C. 踏み台ホスト
- D. スクリーン サブネット
正解:D
解説:
This is another name for the demilitarized zone (DMZ) of a network.
"Three legged firewall" is incorrect. While a DMZ can be implemented on one leg of such a device, this is not the best answer.
"A place to attract hackers" is incorrect. The DMZ is a way to provide limited public access to an organization's internal resources (DNS, EMAIL, public web, etc) not as an attractant for hackers.
"Bastion host" is incorrect. A bastion host serves as a gateway between trusted and untrusted network.
References:
CBK, p. 434 AIO3, pp. 495 - 496
質問 # 637
侵入検知におけるパターン マッチングと異常検知について、次の主張のうち正しくないものはどれですか?
- A. 異常検出により、より多くのデータが生成される傾向があります
- B. 異常ベースのエンジンは、通常のトラフィック アクティビティとスループットのベースラインを作成し、これらのベースラインからの逸脱を警告します。
- C. パターン マッチング IDS は、既知の攻撃のみを識別できます。
- D. トラフィック ストリームの代わりに個々のパケットを分析することにより、攻撃シグネチャのステートフル マッチング スキャン
正解:D
解説:
This is wrong which makes this the correct choice. This statement is not true as stateful matching scans for attack signatures by analyzing traffic streams rather than individual packets. Stateful matching intrusion detection takes pattern matching to the next level.
As networks become faster there is an emerging need for security analysis techniques that can keep up with the increased network throughput. Existing network-based intrusion detection sensors can barely keep up with bandwidths of a few hundred Mbps. Analysis tools that can deal with higher throughput are unable to maintain state between different steps of an attack or they are limited to the analysis of packet headers.
The following answers are all incorrect:
Anomaly detection tends to produce more data is true as an anomaly-based IDS produces a lot of data as any activity outside of expected behavior is recorded.
A pattern matching IDS can only identify known attacks is true as a pattern matching IDS works by comparing traffic streams against signatures. These signatures are created for known attacks.
An anomaly-based engine develops baselines of normal traffic activity and throughput, and alerts on deviations from these baselines is true as the assertion is a characteristic of a statistical anomaly-based IDS.
Reference:
Official guide to the CISSP CBK. Pages 198 to 201
http://cs.ucsb.edu/~vigna/publications/2003_vigna_robertson_kher_kemmerer_ACSAC03.p df
質問 # 638
バッチ ファイルとスクリプトを保護領域に保存する必要があるのはなぜですか?
- A. 最小権限の概念のため。
- B. 知る必要があるというコンセプトのためです。
- C. 資格情報が含まれている可能性があるためです。
- D. オペレータがアクセスできないためです。
正解:C
解説:
Because scripts contain credentials, they must be stored in a protected area and the transmission of the scripts must be dealt with carefully. Operators might need access to batch files and scripts. The least privilege concept requires that each subject in a system be granted the most restrictive set of privileges needed for the performance of authorized tasks. The need-to-know principle requires a user having necessity for access to, knowledge of, or possession of specific information required to perform official tasks or services. Source: WALLHOFF, John, CISSP Summary 2002, April 2002, CBK#1 Access Control System & Methodology (page 3)
質問 # 639
......
合格率 取得する秘訣はSSCP日本語認定試験エンジンPDF:https://jp.fast2test.com/SSCP-JPN-premium-file.html