SSCP Exam Dumps - ISC 2 Credentials Questions and Answers

This is the most serious risk of inadequate systems development life cycle methodolgy.

The following answers are incorrect because :

The project will be completed late is incorrect as it is not most devastating as the above answer.

The project will exceed the cost estimates is also incorrect when compared to the above correct answer.

The project will be incompatible with existing systems is also incorrect when compared to the above correct answer.

Debugging provides the basis for the programmer to correct the logic errors in a program under development before it goes into production.

Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 298).

The reference monitor concept is an abstract machine that ensures that all subjects have the necessary access rights before accessing objects. Therefore, the kernel will mediates all accesses to objects by subjects and will do so by validating through the reference monitor concept.

The kernel does not decide whether or not the access will be granted, it will be the Reference Monitor which is a subset of the kernel that will say YES or NO.

All access requests will be intercepted by the Kernel, validated through the reference monitor, and then access will either be denied or granted according to the request and the subject privileges within the system.

1. The reference monitor must be small enough to be full tested and valided

2. The Kernel must MEDIATE all access request from subjects to objects

3. The processes implementing the reference monitor must be protected

4. The reference monitor must be tamperproof

The following answers are incorrect:

The security kernel is the mechanism that actually enforces the rules of the reference monitor concept.

The other answers are distractors.

Shon Harris, All In One, 5th Edition, Security Architecture and Design, Page 330

also see

http://en.wikipedia.org/wiki/Reference_monitor

Although it may cause a denial of service to the victim's system, this type of attack is a Smurf attack. A SYN Flood attack uses up all of a system's resources by setting up a number of bogus communication sockets on the victim's system. A Ping of Death attack is done by sending IP packets that exceed the maximum legal length (65535 octets).

Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 11: Application and System Development (page 789).

TCP is a reliable connection-oriented transport for guaranteed delivery of data.

Protocols represent certain rules and regulations that are essential in order to have data communication between two entities. Internet Protocols work in sending and receiving data packets. This type of communication may be either connection-less or connection-oriented.

In a connection-oriented scenario, an acknowledgement is being received by the sender from the receiver in support of a perfect transfer. Transmission Control Protocol or TCP is such a protocol.

On the other hand, UDP or User Datagram Protocol is of the connection-less type where no feedback is being forwarded to the sender after delivery and the data transfer have taken place or not. Though, it's not a guaranteed method, but, once a connection is established, UDP works much faster than TCP as TCP has to rely on a feedback and accordingly, the entire 3-way handshaking takes place.

The following answers are incorrect:

UDP provides for Error Correction, TCP does not: UDP does not provide for error correction, while TCP does.

UDP is useful for longer messages, rather than TCP: UDP is useful for shorter messages due to its connectionless nature.

TCP does not guarantee delivery of data, while UDP does guarantee data delivery: The opposite is true.

References Used for this question:

http://www.cyberciti.biz/faq/key-differences-between-tcp-and-udp-protocols/

http://www.skullbox.net/tcpudp.php

James's TCP-IP FAQ - Understanding Port Numbers.

The following answers are incorrect because:

Accountability, confidentiality and integrity is not the correct answer as Accountability is not one of the fundamental principle of security.

Integrity, availability and accountability is not the correct answer as Accountability is not one of the fundamental principle of security.

Availability, accountability and confidentiality is not the correct answer as Accountability is not one of the fundamental objective of security.

References : Shon Harris AIO v3 , Chapter - 3: Security Management Practices , Pages : 49-52

If there is no support by management to implement, execute, and enforce security policies and procedure, then they won't work. Senior management must be involved in this because they have an obligation to the organization to protect the assests . The requirement here is for management to show “due diligence” in establishing an effective compliance, or security program.

The following answers are incorrect:

The tech support team. Is incorrect because the ultimate responsibility is with management for the security of computer-based information systems.

The Operation Team. Is incorrect because the ultimate responsibility is with management for the security of computer-based information systems.

The Training Team. Is incorrect because the ultimate responsibility is with management for the security of computer-based information systems.

Reference(s) used for this question:

OIG CBK Information Security Management and Risk Management (page 20 - 22)

It is considered to be a technical control.

Logical is synonymous with Technical Control. That was the easy answer.

There are three broad categories of access control: Administrative, Technical, and Physical.

Each category has different access control mechanisms that can be carried out manually or automatically. All of these access control mechanisms should work in concert with each other to protect an infrastructure and its data.

Each category of access control has several components that fall within it, as shown here:

Administrative Controls

• Policy and procedures

• Personnel controls

• Supervisory structure

• Security-awareness training

• Testing

Physical Controls

Network segregation

Perimeter security

Computer controls

Work area separation

Data backups

Technical Controls

System access

Network architecture

Network access

Encryption and protocols

Control zone

Auditing

The following answers are incorrect :

Screening of personnel is considered to be an administrative control

Development of policies, standards, procedures and guidelines is considered to be an administrative control

Change control procedures is considered to be an administrative control.

Reference : Shon Harris AIO v3 , Chapter - 3 : Security Management Practices , Page : 52-54

Procedures are step-by-step instructions in support of of the policies, standards, guidelines and baselines. The procedure indicates how the policy will be implemented and who does what to accomplish the tasks."

Standards is incorrect. Standards are a "Mandatory statement of minimum requirements that support some part of a policy, the standards in this case is your own company standards and not standards such as the ISO standards"

Guidelines is incorrect. "Guidelines are discretionary or optional controls used to enable individuals to make judgments with respect to security actions."

Baselines is incorrect. Baselines "are a minimum acceptable level of security. This minimum is implemented using specific rules necessary to implement the security controls in support of the policy and standards." For example, requiring a password of at leat 8 character would be an example. Requiring all users to have a minimun of an antivirus, a personal firewall, and an anti spyware tool could be another example.

References:

CBK, pp. 12 - 16. Note especially the discussion of the "hammer policy" on pp. 16-17 for the differences between policy, standard, guideline and procedure.

AIO3, pp. 88-93.

Complex Instruction Set Computer (CISC) uses instructions that perform many operations per instruction. It was based on the fact that in earlier technologies, the instruction fetch was the longest part of the cycle. Therefore, by packing more operations into an instruction, the number of fetches could be reduced. Pipelining involves overlapping the steps of different instructions to increase the performance in a computer. Reduced Instruction Set Computers (RISC) involve simpler instructions that require fewer clock cycles to execute. Scalar processors are processors that execute one instruction at a time.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security Architectures and Models (page 188).