SSCP日本語試験問題集を使って一日でISC Certification試験合格目指す(最新の1076解答) [Q212-Q236]

Share

SSCP日本語試験問題集を使って一日でISC Certification試験合格目指す(最新の1076解答)

SSCP日本語試験正確な問題集、学習ノートと理論

質問 212
同期動的パスワード トークン:

  • A. トークンは、一定の時間間隔で新しいパスワード値を生成します (このパスワードは、秘密鍵で暗号化された時刻に基づく場合があります)。
  • B. システムまたはワークステーションの認証エンティティは、所有者の秘密鍵と PIN を知っており、エンティティは、入力されたパスワードが無効であること、および無効な時間帯に入力されたことを確認します。
  • C. 一意のパスワードは、所有者の PIN と共にシステムまたはワークステーションに入力されません。
  • D. トークンは、一定の時間間隔で一意ではない新しいパスワード値を生成します (このパスワードは、秘密鍵で暗号化された時刻に基づく場合があります)。

正解: A

解説:
Synchronous dynamic password tokens:
-The token generates a new password value at fixed time intervals (this password could be the time of day encrypted with a secret key).
-the unique password is entered into a system or workstation along with an owner's PIN.
-The authentication entity in a system or workstation knows an owner's secret key and PIN, and the entity verifies that the entered password is valid and that it was entered during the valid time window.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 37.

 

質問 213
1 サイクルから数秒までの瞬間的な低電圧は、次のとおりです。

  • A. フォルト
  • B. たるみ
  • C. スパイク
  • D. 停電

正解: B

解説:
A momentary low voltage is a sag. A synonym would be a dip.
Risks to electrical power supply:
POWER FAILURE
Blackout: complete loss of electrical power Fault: momentary power outage POWER DEGRADATION Brownout: an intentional reduction of voltage by the power company. Sag/dip: a short period of low voltage POWER EXCESS Surge: Prolonged rise in voltage Spike: Momentary High Voltage In-rush current: the initial surge of current required by a load before it reaches normal operation.
- Transient: line noise or disturbance is superimposed on the supply circuit and can cause fluctuations in electrical power Refence(s) used for this question:
Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (p. 462). McGraw- Hill. Kindle Edition.

 

質問 214
瞬間的な低電圧とは何を定義できますか?

  • A. ブラウンアウト
  • B. フォルト
  • C. たるみ
  • D. スパイク

正解: C

解説:
A sag is a momentary low voltage. A spike is a momentary high voltage. A fault is a momentary power out and a brownout is a prolonged power supply that is below normal voltage. Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 6: Physical security (page 299)

 

質問 215
危機管理計画の実施における最初のステップは、以下を実行することです。

  • A. アプリケーション ソフトウェアのバックアップ
  • B. オペレーティング システム ソフトウェアのバックアップ
  • C. ファームウェアのバックアップ
  • D. データのバックアップ

正解: D

解説:
A data backup is the first step in contingency planning.
Without data, there is nothing to process. "No backup, no recovery".
Backup for hardware should be taken care of next.
Formal arrangements must be made for alternate processing capability in case the need should arise.
Operating systems and application software should be taken care of afterwards.
Source: VALLABHANENI, S. Rao, CISSP Examination Textbooks, Volume 2: Practice, SRV Professional Publications, 2002, Chapter 8, Business Continuity Planning & Disaster Recovery Planning (page 506).

 

質問 216
システム開発ライフ サイクルのどの基本フェーズで、セキュリティ要件が正式化されますか?

  • A. 廃棄
  • B. 機能要件定義
  • C. 開発と実装
  • D. システム設計仕様

正解: B

解説:
During the Functional Requirements Definition the project management and systems development teams will conduct a comprehensive analysis of current and possible future functional requirements to ensure that the new system will meet end-user needs. The teams also review the documents from the project initiation phase and make any revisions or updates as needed. For smaller projects, this phase is often subsumed in the project initiation phase. At this point security requirements should be formalized.
The Development Life Cycle is a project management tool that can be used to plan, execute, and control a software development project usually called the Systems Development Life Cycle (SDLC).
The SDLC is a process that includes systems analysts, software engineers, programmers, and end users in the project design and development. Because there is no industry-wide SDLC, an organization can use any one, or a combination of SDLC methods.
The SDLC simply provides a framework for the phases of a software development project from defining the functional requirements to implementation. Regardless of the method used, the SDLC outlines the essential phases, which can be shown together or as separate elements. The model chosen should be based on the project.
For example, some models work better with long-term, complex projects, while others are more suited for short-term projects. The key element is that a formalized SDLC is utilized.
The number of phases can range from three basic phases (concept, design, and implement) on up.
The basic phases of SDLC are:
Project initiation and planning Functional requirements definition System design specifications Development and implementation Documentation and common program controls Testing and evaluation control, (certification and accreditation) Transition to production (implementation) The system life cycle (SLC) extends beyond the SDLC to include two additional phases:
Operations and maintenance support (post-installation) Revisions and system replacement System Design Specifications This phase includes all activities related to designing the system and software. In this phase, the system architecture, system outputs, and system interfaces are designed. Data input, data flow, and output requirements are established and security features are designed, generally based on the overall security architecture for the company.
Development and Implementation During this phase, the source code is generated, test scenarios and test cases are developed, unit and integration testing is conducted, and the program and system are documented for maintenance and for turnover to acceptance testing and production. As well as general care for software quality, reliability, and consistency of operation, particular care should be taken to ensure that the code is analyzed to eliminate common vulnerabilities that might lead to security exploits and other risks.
Documentation and Common Program Controls These are controls used when editing the data within the program, the types of logging the program should be doing, and how the program versions should be stored. A large number of such controls may be needed, see the reference below for a full list of controls.
Acceptance In the acceptance phase, preferably an independent group develops test data and tests the code to ensure that it will function within the organization's environment and that it meets all the functional and security requirements. It is essential that an independent group test the code during all applicable stages of development to prevent a separation of duties issue. The goal of security testing is to ensure that the application meets its security requirements and specifications. The security testing should uncover all design and implementation flaws that would allow a user to violate the software security policy and requirements. To ensure test validity, the application should be tested in an environment that simulates the production environment. This should include a security certification package and any user documentation.
Certification and Accreditation (Security Authorization) Certification is the process of evaluating the security stance of the software or system against a predetermined set of security standards or policies. Certification also examines how well the system performs its intended functional requirements. The certification or evaluation document should contain an analysis of the technical and nontechnical security features and countermeasures and the extent to which the software or system meets the security requirements for its mission and operational environment.
Transition to Production (Implementation) During this phase, the new system is transitioned from the acceptance phase into the live production environment. Activities during this phase include obtaining security accreditation; training the new users according to the implementation and training schedules; implementing the system, including installation and data conversions; and, if necessary, conducting any parallel operations.
Revisions and System Replacement As systems are in production mode, the hardware and software baselines should be subject to periodic evaluations and audits. In some instances, problems with the application may not be defects or flaws, but rather additional functions not currently developed in the application. Any changes to the application must follow the same SDLC and be recorded in a change management system. Revision reviews should include security planning and procedures to avoid future problems. Periodic application audits should be conducted and include documenting security incidents when problems occur. Documenting system failures is a valuable resource for justifying future system enhancements.
Below you have the phases used by NIST in it's 800-63 Revision 2 document As noted above, the phases will vary from one document to another one. For the purpose of the exam use the list provided in the official ISC2 Study book which is presented in short form above. Refer to the book for a more detailed description of activities at each of the phases of the SDLC.
However, all references have very similar steps being used. As mentioned in the official book, it could be as simple as three phases in it's most basic version (concept, design, and implement) or a lot more in more detailed versions of the SDLC.
The key thing is to make use of an SDLC.

SDLC phases
Reference(s) used for this question:
NIST SP 800-64 Revision 2 at http://csrc.nist.gov/publications/nistpubs/800-64Rev2/SP800-64-Revision2.pdf and Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition: Software Development Security ((ISC)2 Press) (Kindle Locations 134-157). Auerbach Publications. Kindle Edition.

 

質問 217
オレンジ ブックはどのセキュリティ ポリシー モデルに基づいていますか?

  • A. ベル ラパデュラ モデル
  • B. Clark-Wilson モデル
  • C. テンペスト
  • D. ビバ モデル

正解: A

解説:
From the glossary of Computer Security Basics: The Bell-LaPadula model is the security policy model on which the Orange Book requirements are based. From the Orange Book definition, "A formal state transition model of computer security policy that describes a set of access control rules. In this formal model, the entities in a computer system are divided into abstract sets of subjects and objects. The notion of secure state is defined and it is proven that each state transition preserves security by moving from secure state to secure state; thus, inductively proving the system is secure. A system state is defined to be 'secure' if the only permitted access modes of subjects to objects are in accordance with a specific security policy. In order to determine whether or not a specific access mode is allowed, the clearance of a subject is compared to the classification of the object and a determination is made as to whether the subject is authorized for the specific access mode." The Biba Model is an integrity model of computer security policy that describes a set of rules. In this model, a subject may not depend on any object or other subject that is less trusted than itself. The Clark Wilson Model is an integrity model for computer security policy designed for a commercial environment. It addresses such concepts as nondiscretionary access control, privilege separation, and least privilege. TEMPEST is a government program that prevents the compromising electrical and electromagnetic signals that emanate from computers and related equipment from being intercepted and deciphered. Source: RUSSEL, Deborah & GANGEMI, G.T. Sr., Computer Security Basics, O'Reilly, 1991. Also: U.S. Department of Defense, Trusted Computer System Evaluation Criteria (Orange Book), DOD 5200.28-STD. December 1985 (also available here).

 

質問 218
日常的に最も高速な一般的なバックアップ方法はどれですか?

  • A. 差分バックアップ方式
  • B. 増分バックアップ方式
  • C. 高速バックアップ方法
  • D. フルバックアップ方式

正解: B

解説:
The incremental backup method only copies files that have been recently changed or added. Only files with their archive bit set are backed up. This method is fast and uses less tape space but has some inherent vulnerabilities, one being that all incremental backups need to be available and restored from the date of the last full backup to the desired date should a restore be needed. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 69).

 

質問 219
組織の内部ネットワークとインターネットの間に設置されたファイアウォールに見られる次のファイアウォール ルールのうち、内部ネットワークに最大の危険をもたらすものはどれですか?

  • A. ローカル ホスト間のすべてのトラフィックを許可します。
  • B. すべてのインバウンド ssh トラフィックを許可します。
  • C. log-server.abc.org へのすべての syslog トラフィックを許可します。
  • D. すべてのインバウンド tcp 接続を許可します。

正解: D

解説:
Any opening of an internal network to the Internet is susceptible of creating a new vulnerability.
Of the given rules, the one that permits all inbound tcp connections is the less likely to be used since it amounts to almost having no firewall at all, tcp being widely used on the Internet.
Reference(s) used for this question:
ALLEN, Julia H., The CERT Guide to System and Network Security Practices, Addison-Wesley, 2001, Appendix B, Practice-Level Policy Considerations (page 409).

 

質問 220
Rijndael 暗号化アルゴリズムの最大許容鍵サイズは?

  • A. 192 ビット
  • B. 256 ビット
  • C. 512 ビット
  • D. 128 ビット

正解: B

解説:
The Rijndael algorithm, chosen as the Advanced Encryption Standard (AES) to replace DES, can be categorized as an iterated block cipher with a variable block length and key length that can be independently chosen as 128, 192 or 256 bits.
Below you have a summary of the differences between AES and Rijndael.
AES is the advanced encryption standard defined by FIPS 197. It is implemented differently than Rijndael:
FIPS-197 specifies that the block size must always be 128 bits in AES, and that the key size may be either 128, 192, or 256 bits. Therefore AES-128, AES-192, and AES-256 are actually:
Key Size (bits) Number of rounds
Block Size (bits)
AES-128
128 10 Rounds
128 AES-192
192 12 Rounds
128 AES-256
256 14 Rounds
128
Some book will say "up to 9 rounds will be done with a 128 bits keys". Really it is 10 rounds because you must include round zero which is the first round. By contrast, the Rijndael specification per se is specified with block and key sizes that may be any multiple of 32 bits, both with a minimum of 128 and a maximum of 256 bits. Reference(s) used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 4: Cryptography (page 153).
and FIPS 197 and https://en.wikipedia.org/wiki/Advanced_Encryption_Standard

 

質問 221
人事異動が頻繁に行われる組織では、次の理由から、役割ベースのアクセス制御 (RBAC) を使用した非任意アクセス制御が役立ちます。

  • A. アクセス制御は、組織内での個人の役割または役職に基づいています。
  • B. アクセス制御は、組織内での個人の役割または役職に基づいていません。
  • C. 裁量権を行使する必要はありません
  • D. アクセス制御は、多くの場合、組織内での個人の役割または役職に基づいています。

正解: A

解説:
In an organization where there are frequent personnel changes, nondiscretionary access control (also called Role Based Access Control) is useful because the access controls are based on the individual's role or title within the organization. You can easily configure a new employee acces by assigning the user to a role that has been predefine. The user will implicitly inherit the permissions of the role by being a member of that role.
These access permissions defined within the role do not need to be changed whenever a new person takes over the role.
Another type of non-discretionary access control model is the Rule Based Access Control (RBAC or RuBAC) where a global set of rule is uniformly applied to all subjects accessing the resources. A good example of RuBAC would be a firewall.
This question is a sneaky one, one of the choice has only one added word to it which is often. Reading questions and their choices very carefully is a must for the real exam. Reading it twice if needed is recommended.
Shon Harris in her book list the following ways of managing RBAC:
Role-based access control can be managed in the following ways:
Non-RBAC Users are mapped directly to applications and no roles are used. (No roles being used) Limited RBAC Users are mapped to multiple roles and mapped directly to other types of applications that do not have role-based access functionality. (A mix of roles for applications that supports roles and explicit access control would be used for applications that do not support roles) Hybrid RBAC Users are mapped to multiapplication roles with only selected rights assigned to those roles.
Full RBAC Users are mapped to enterprise roles. (Roles are used for all access being granted) NIST defines RBAC as: Security administration can be costly and prone to error because administrators usually specify access control lists for each user on the system individually. With RBAC, security is managed at a level that corresponds closely to the organization's structure. Each user is assigned one or more roles, and each role is assigned one or more privileges that are permitted to users in that role. Security administration with RBAC consists of determining the operations that must be executed by persons in particular jobs, and assigning employees to the proper roles. Complexities introduced by mutually exclusive roles or role hierarchies are handled by the RBAC software, making security administration easier.
Reference(s) used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 32.
and
Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition McGraw-Hill.
and
http://csrc.nist.gov/groups/SNS/rbac/

 

質問 222
建物のセキュリティを維持するための警備員や一般的な手順、サーバー ルームやラップトップのセキュリティ、ケーブルの保護、ドアや窓の磁気スイッチの使用などの制御は、次の例の一部です。

  • A. 技術的コントロール
  • B. 管理コントロール
  • C. 論理制御
  • D. 物理的なコントロール

正解: D

解説:
Controls like guards and general steps to maintain building security, securing of server rooms or laptops, the protection of cables, and usage of magnetic switches on doors and windows are all examples of Physical Security.
Reference(s) used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33.

 

質問 223
次のうち、整合性の一般的な目標でないものはどれですか?

  • A. 内部と外部の一貫性を維持します。
  • B. 許可されたユーザーによる不適切な変更を防止します。
  • C. 不適切な開示につながる可能性のあるパスを防止します。
  • D. 権限のないユーザーによる変更を防止します。

正解: C

解説:
Inappropriate disclosure is a confidentiality, not an integrity goal.
All of the other choices above are integrity goals addressed by the Clark-Wilson integrity model.
The Clark-Wilson model is an integrity model that addresses all three integrity goals:
1.prevent unauthorized users from making modifications,
2.prevent authorized users from making improper modifications, and
3.maintain internal and external consistency through auditing.
NOTE: Biba address only the first goal of integrity above
Reference(s) used for this question:
Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 1384). McGraw- Hill. Kindle Edition.

 

質問 224
次のうち、IT システムに対する脅威の一般的なカテゴリ/分類でないものはどれですか?

  • A. 人間
  • B. 技術
  • C. ハッカー
  • D. ナチュラル

正解: C

解説:
Hackers are classified as a human threat and not a classification by itself.
All the other answers are incorrect. Threats result from a variety of factors, although they are classified in three types: Natural (e.g., hurricane, tornado, flood and fire), human (e.g. operator error, sabotage, malicious code) or technological (e.g. equipment failure, software error, telecommunications network outage, electric power failure).
Reference:
SWANSON, Marianne, & al., National Institute of Standards and Technology (NIST), http://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1_errata-Nov112010.pdf, June 2002 (page 6).

 

質問 225
クラスレス アドレッシングが登場する前は、アドレス 128.192.168.16 は次の一部と見なされていました。

  • A. クラス A ネットワーク。
  • B. クラス D ネットワーク。
  • C. クラス B ネットワーク。
  • D. クラス C ネットワーク。

正解: C

解説:
Before the advent of classless addressing, one could tell the size of a network by the first few bits of an IP address. If the first bit was set to zero (the first byte being from 0 to 127), the address was a class A network. Values from 128 to 191 were used for class B networks whereas values between 192 and 223 were used for class C networks. Class D, with values from 224 to 239 (the first three bits set to one and the fourth to zero), was reserved for IP multicast.
Source: STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 3: TCP/IP from a Security Viewpoint.

 

質問 226
生理学的または行動的特徴に基づいて生きている人の身元を識別または認証する自動化された手段と呼ばれるものは何ですか?

  • A. バイオメトリクス
  • B. マクロメトリクス
  • C. マイクロバイオメトリクス
  • D. マイクロメトリクス

正解: A

解説:
Biometrics; Biometrics are defined as an automated means of identifying or authenticating the identity of a living person based on physiological or behavioral characteristics. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Pages 37,38.

 

質問 227
次のうち、セキュリティ システムで最も弱いリンクと見なされるものはどれですか?

  • A. 人
  • B. 通信
  • C. ソフトウェア
  • D. ハードウェア

正解: A

解説:
People. The other choices can be strengthened and counted on (For the most part) to remain consistent if properly protected. People are fallible and unpredictable. Most security intrusions are caused by employees. People get tired, careless, and greedy. They are not always reliable and may falter in following defined guidelines and best practices. Security professionals must install adequate prevention and detection controls and properly train all systems users Proper hiring and firing practices can eliminate certain risks. Security Awareness training is key to ensuring people are aware of risks and their responsibilities.
The following answers are incorrect:Software. Although software exploits are major threat and cause for concern, people are the weakest point in a security posture. Software can be removed, upgraded or patched to reduce risk.
Communications. Although many attacks from inside and outside an organization use communication methods such as the network infrastructure, this is not the weakest point in a security posture. Communications can be monitored, devices installed or upgraded to reduce risk and react to attack attempts.
Hardware. Hardware components can be a weakness in a security posture, but they are not the weakest link of the choices provided. Access to hardware can be minimized by such measures as installing locks and monitoring access in and out of certain areas.
The following reference(s) were/was used to create this question:
Shon Harris AIO v.3 P.19, 107-109 ISC2 OIG 2007, p.51-55

 

質問 228
TFTP サーバーが最も役立つのは何ですか?

  • A. ネットワーク デバイスとの間で構成を転送しています。
  • B. ファイル サーバーへの端末アクセス。
  • C. Web サーバーにファイルを転送しています。
  • D. ネットワーク デバイスへの端末アクセス。

正解: A

解説:
A Trivial File Transfer Protocol (TFTP) server can be used when configuring network devices to transfer configurations to and from network devices. Many networking devices now support TFTP.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3:
Telecommunications and Network Security (page 73).

 

質問 229
安全な状態の概念、アクセス モード、およびアクセス許可のルールを定義するために使用された、マルチレベル セキュリティ ポリシーの最初の数学的モデルの名前は?

  • A. クラークとウィルソンのモデル
  • B. Bell-LaPadula モデル
  • C. Rivest and Shamir モデル
  • D. Harrison-Ruzzo-Ullman モデル

正解: B

解説:
Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

 

質問 230
RC5 アルゴリズムの最大鍵サイズは?

  • A. 2040 ビット
  • B. 256 ビット
  • C. 1024 ビット
  • D. 128 ビット

正解: A

解説:
RC5 is a fast block cipher created by Ron Rivest and analyzed by RSA Data Security, Inc.
It is a parameterized algorithm with a variable block size, a variable key size, and a variable number of rounds.
Allowable choices for the block size are 32 bits (for experimentation and evaluation purposes only), 64 bits (for use a drop-in replacement for DES), and 128 bits.
The number of rounds can range from 0 to 255, while the key can range from 0 bits to 2040 bits in size. Please note that some sources such as the latest Shon Harris book mentions that RC5 maximum key size is of 2048, not 2040 bits. I would definitively use RSA as the authoritative source which specifies a key of 2040 bits. It is an error in Shon's book.
The OIG book says: RC5 was developed by Ron Rivest of RSA and is deployed in many of RSA's products. It is a very adaptable product useful for many applications, ranging from software to hardware implementations. The key for RC5 can vary from 0 to 2040 bits, the number of rounds it executes can be adjusted from 0 to 255, and the length of the input words can also be chosen from 16-, 32-, and 64-bit lengths.
The following answers were incorrect choices:
All of the other answers were wrong.
Reference(s) used for this question:
Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition : Cryptography (Kindle Locations 1098-1101). . Kindle Edition.
Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 16744-16747). McGraw-Hill. Kindle Edition. http://www.rsa.com/rsalabs/node.asp?id=2251, What are RC5 and RC6, RSA The Security Division of EMC. From Rivest himself, see http://people.csail.mit.edu/rivest/Rivest-rc5rev.pdf Also see the draft IETF IPSEC standard which clearly mention that it is in fact 2040 bits as a MAXIMUM key size: http://www.tools.ietf.org/html/draft-ietf-ipsec-esp-rc5-cbc-00 http://en.wikipedia.org/wiki/RC5, Mention a maximum key size of 2040 as well.

 

質問 231
パスワード ファイル内でユーザー パスワードの一方向ハッシュを使用する主な目的は、次のうちどれですか?

  • A. 権限のない人が 1 回のログオン試行で複数のパスワードを試すことを防止します。
  • B. パスワードの暗号化に使用される処理時間を最小限に抑えます。
  • C. ユーザーのパスワードに必要なストレージの量を最小限に抑えます。
  • D. 権限のない人がパスワードを読み取るのを防ぎます。

正解: D

解説:
The whole idea behind a one-way hash is that it should be just that - one-way. In other words, an attacker should not be able to figure out your password from the hashed version of that password in any mathematically feasible way (or within any reasonable length of time).
Password Hashing and Encryption In most situations , if an attacker sniffs your password from the network wire, she still has some work to do before she actually knows your password value because most systems hash the password with a hashing algorithm, commonly MD4 or MD5, to ensure passwords are not sent in cleartext.
Although some people think the world is run by Microsoft, other types of operating systems are out there, such as Unix and Linux. These systems do not use registries and SAM databases, but contain their user passwords in a file cleverly called "shadow." Now, this shadow file does not contain passwords in cleartext; instead, your password is run through a hashing algorithm, and the resulting value is stored in this file.
Unixtype systems zest things up by using salts in this process. Salts are random values added to the encryption process to add more complexity and randomness. The more randomness entered into the encryption process, the harder it is for the bad guy to decrypt and uncover your password. The use of a salt means that the same password can be encrypted into several thousand different formats. This makes it much more difficult for an attacker to uncover the right format for your system.
Password Cracking tools
Note that the use of one-way hashes for passwords does not prevent password crackers from guessing passwords. A password cracker runs a plain-text string through the same one-way hash algorithm used by the system to generate a hash, then compares that generated has with the one stored on the system. If they match, the password cracker has guessed your password.
This is very much the same process used to authenticate you to a system via a password.
When you type your username and password, the system hashes the password you typed and compares that generated hash against the one stored on the system - if they match, you are authenticated.
Pre-Computed password tables exists today and they allow you to crack passwords on Lan Manager (LM) within a VERY short period of time through the use of Rainbow Tables. A Rainbow Table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. Tables are usually used in recovering a plaintext password up to a certain length consisting of a limited set of characters. It is a practical example of a space/time trade-off also called a Time-Memory trade off, using more computer processing time at the cost of less storage when calculating a hash on every attempt, or less processing time and more storage when compared to a simple lookup table with one entry per hash. Use of a key derivation function that employs a salt makes this attack unfeasible.
You may want to review "Rainbow Tables" at the links:
http://en.wikipedia.org/wiki/Rainbow_table
http://www.antsight.com/zsl/rainbowcrack/
Today's password crackers:
Meet oclHashcat. They are GPGPU-based multi-hash cracker using a brute-force attack (implemented as mask attack), combinator attack, dictionary attack, hybrid attack, mask attack, and rule-based attack.
This GPU cracker is a fusioned version of oclHashcat-plus and oclHashcat-lite, both very well-known suites at that time, but now deprecated. There also existed a now very old oclHashcat GPU cracker that was replaced w/ plus and lite, which - as said - were then merged into oclHashcat 1.00 again.
This cracker can crack Hashes of NTLM Version 2 up to 8 characters in less than a few hours. It is definitively a game changer. It can try hundreds of billions of tries per seconds on a very large cluster of GPU's. It supports up to 128 Video Cards at once.
I am stuck using Password what can I do to better protect myself?
You could look at safer alternative such as Bcrypt, PBKDF2, and Scrypt.
bcrypt is a key derivation function for passwords designed by Niels Provos and David Mazieres, based on the Blowfish cipher, and presented at USENIX in 1999. Besides incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive function:
over time, the iteration count can be increased to make it slower, so it remains resistant to brute-force search attacks even with increasing computation power.
In cryptography, scrypt is a password-based key derivation function created by Colin Percival, originally for the Tarsnap online backup service. The algorithm was specifically designed to make it costly to perform large-scale custom hardware attacks by requiring large amounts of memory. In 2012, the scrypt algorithm was published by the IETF as an Internet Draft, intended to become an informational RFC, which has since expired. A simplified version of scrypt is used as a proof-of-work scheme by a number of cryptocurrencies, such as Litecoin and Dogecoin.
PBKDF2 (Password-Based Key Derivation Function 2) is a key derivation function that is part of RSA Laboratories' Public-Key Cryptography Standards (PKCS) series, specifically PKCS #5 v2.0, also published as Internet Engineering Task Force's RFC 2898. It replaces an earlier standard, PBKDF1, which could only produce derived keys up to 160 bits long.
PBKDF2 applies a pseudorandom function, such as a cryptographic hash, cipher, or HMAC to the input password or passphrase along with a salt value and repeats the process many times to produce a derived key, which can then be used as a cryptographic key in subsequent operations. The added computational work makes password cracking much more difficult, and is known as key stretching. When the standard was written in 2000, the recommended minimum number of iterations was 1000, but the parameter is intended to be increased over time as CPU speeds increase. Having a salt added to the password reduces the ability to use precomputed hashes (rainbow tables) for attacks, and means that multiple passwords have to be tested individually, not all at once. The standard recommends a salt length of at least 64 bits.
The other answers are incorrect:
"It prevents an unauthorized person from trying multiple passwords in one logon attempt." is incorrect because the fact that a password has been hashed does not prevent this type of brute force password guessing attempt.
"It minimizes the amount of storage required for user passwords" is incorrect because hash algorithms always generate the same number of bits, regardless of the length of the input. Therefore, even short passwords will still result in a longer hash and not minimize storage requirements.
"It minimizes the amount of processing time used for encrypting passwords" is incorrect because the processing time to encrypt a password would be basically the same required to produce a one-way has of the same password.
Reference(s) used for this question:
http://en.wikipedia.org/wiki/PBKDF2 http://en.wikipedia.org/wiki/Scrypt http://en.wikipedia.org/wiki/Bcrypt Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 195) . McGraw-Hill. Kindle Edition.

 

質問 232
構成管理は何ですか?

  • A. 信頼できるコンピューティングベースの変更の制御。
  • B. 信頼できるコンピューティングベースの変更の監査。
  • C. 信頼できるコンピューティングベースへの構成アクセスの変更。
  • D. 信頼できるコンピューティングベースの変更を監査および制御します。

正解: D

解説:
All of these are components of Configuration Management.
The following answers are incorrect:
Auditing of changes to the Trusted Computing Base. Is incorrect because it refers only to auditing the changes, but nothing about controlling them.
Control of changes to the Trusted Computing Base. Is incorrect because it refers only to controlling the changes, but nothing about ensuring the changes will not lead to a weakness or fault in the system.
Changes in the configuration access to the Trusted Computing Base. Is incorrect because this does not refer to controlling the changes or ensuring the changes will not lead to a weakness or fault in the system.

 

質問 233
既知の MAC アドレスから IP アドレスを取得するためにローカル エリア ネットワーク (LAN) で使用されるプロトコルは何ですか?

  • A. 逆アドレス解決プロトコル (RARP)
  • B. データリンク層
  • C. アドレス解決プロトコル (ARP)
  • D. ネットワークアドレス変換 (NAT)

正解: A

解説:
The reverse address resolution protocol (RARP) sends out a packet including a MAC address and a request to be informed of the IP address that should be assigned to that MAC.
Diskless workstations do not have a full operating system but have just enough code to know how to boot up and broadcast for an IP address, and they may have a pointer to the server that holds the operating system. The diskless workstation knows its hardware address, so it broadcasts this information so that a listening server can assign it the correct IP address.
As with ARP, Reverse Address Resolution Protocol (RARP) frames go to all systems on the subnet, but only the RARP server responds. Once the RARP server receives this request, it looks in its table to see which IP address matches the broadcast hardware address. The server then sends a message that contains its IP address back to the requesting computer. The system now has an IP address and can function on the network.
The Bootstrap Protocol (BOOTP) was created after RARP to enhance the functionality that RARP provides for diskless workstations. The diskless workstation can receive its IP address, the name server address for future name resolutions, and the default gateway address from the BOOTP server. BOOTP usually provides more functionality to diskless workstations than does RARP.
The evolution of this protocol has unfolded as follows: RARP evolved into BOOTP, which evolved into DHCP.
The following are incorrect answers:
NAT is a tool that is used for masking true IP addresses by employing internal addresses. ARP does the opposite of RARP, it finds the MAC address that maps with an existing IP address. Data Link layer The Data Link layer is not a protocol; it is represented at layer 2 of the OSI model. In the TCP/IP model, the Data Link and Physical layers are combined into the Network Access layer, which is sometimes called the Link layer or the Network Interface layer.
Reference(s) used for this question:
Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition, Telecommunications and Network Security, Page 584-585 and also 598. For Kindle users see Kindle Locations 12348-12357. McGraw-Hill. and KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 87).

 

質問 234
次の対策のどれが、ワードアリング攻撃による侵入や損害の可能性を防ぐのに最も適切でしょうか?

  • A. 必要な電話番号だけを公開する
  • B. そのような活動の監視と監査
  • C. ユーザー認証が必要
  • D. 音声アクセスとデータ アクセスでまったく別の番号を使用する

正解: C

解説:
Knowlege of modem numbers is a poor access control method as an attacker can discover modem numbers by dialing all numbers in a range. Requiring user authentication before remote access is granted will help in avoiding unauthorized access over a modem line.
"Monitoring and auditing for such activity" is incorrect. While monitoring and auditing can assist in detecting a wardialing attack, they do not defend against a successful wardialing attack.
"Making sure that only necessary phone numbers are made public" is incorrect. Since a wardialing attack blindly calls all numbers in a range, whether certain numbers in the range are public or not is irrelevant.
"Using completely different numbers for voice and data accesses" is incorrect. Using different number ranges for voice and data access might help prevent an attacker from stumbling across the data lines while wardialing the public voice number range but this is not an adequate countermeaure.
References: CBK, p. 214 AIO3, p. 534-535

 

質問 235
次のうち、予防的管理でないものはどれですか?

  • A. 緊急変更の手順を確立します。
  • B. プログラマーによる本番データへのアクセスを拒否します。
  • C. コントロールと現在のソース間のソース比較プログラムを定期的に実行します。
  • D. 日付、説明、コスト分析、予想される効果に関する情報を変更リクエストに含めるように要求します。

正解: C

解説:
Running the source comparison program between control and current source periodically allows detection, not prevention, of unauthorized changes in the production environment. Other options are preventive controls.
Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 309).

 

質問 236
......

SSCP日本語問題集PDFで最速合格希望SSCP日本語:https://jp.fast2test.com/SSCP-JPN-premium-file.html


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어