SSCP Topic 1
Question #: 1
Topic #: 1
A potential problem related to the physical installation of the Iris Scanner with regard to the usage of the iris pattern within a biometric system is:
A. concern that the laser beam may cause eye damage
B. the iris pattern changes as a person grows older.
C. there is a relatively high rate of false accepts.
D. the optical unit must be positioned so that the sun does not shine into the aperture.
Selected Answer: C
Question #: 2
Topic #: 1
In Mandatory Access Control, sensitivity labels attached to an object contain what information?
A. The item’s classification
B. The item’s classification and category set
C. The item’s category
D. The item’s need to know
Selected Answer: D
Question #: 3
Topic #: 1
What are the components of an object’s sensitivity label?
A. A Classification Set and a single Compartment.
B. A single classification and a single compartment.
C. A Classification Set and user credentials.
D. A single classification and a Compartment Set.
Selected Answer: A
Question #: 4
Topic #: 1
What does it mean to say that sensitivity labels are “incomparable”?
A. The number of classifications in the two labels is different.
B. Neither label contains all the classifications of the other.
C. The number of categories in the two labels is different.
D. Neither label contains all the categories of the other.
Selected Answer: C
Question #: 5
Topic #: 1
Which of the following is true about Kerberos?
A. It utilizes public key cryptography.
B. It encrypts data after a ticket is granted, but passwords are exchanged in plain text.
C. It depends upon symmetric ciphers.
D. It is a second party authentication system.
Selected Answer: A
Question #: 6
Topic #: 4
Which of the following recovery plan test results would be most useful to management?
A. elapsed time to perform various activities.
B. list of successful and unsuccessful activities.
C. amount of work completed.
D. description of each activity.
Selected Answer: A
Question #: 6
Topic #: 1
Which of the following is needed for System Accountability?
A. Audit mechanisms.
B. Documented design as laid out in the Common Criteria.
C. Authorization.
D. Formal verification of system design.
Selected Answer: B
Question #: 7
Topic #: 3
Attributable data should be:
A. always traced to individuals responsible for observing and recording the data
B. sometimes traced to individuals responsible for observing and recording the data
C. never traced to individuals responsible for observing and recording the data
D. often traced to individuals responsible for observing and recording the data
Selected Answer: D
Question #: 7
Topic #: 1
What is Kerberos?
A. A three-headed dog from Egyptian mythology.
B. A trusted third-party authentication protocol.
C. A security model.
D. A remote authentication dial in user server.
Selected Answer: B
Question #: 8
Topic #: 5
Where parties do not have a shared secret and large quantities of sensitive information must be passed, the most efficient means of transferring information is to use Hybrid Encryption Methods. What does this mean?
A. Use of public key encryption to secure a secret key, and message encryption using the secret key.
B. Use of the recipient’s public key for encryption and decryption based on the recipient’s private key.
C. Use of software encryption assisted by a hardware encryption accelerator.
D. Use of elliptic curve encryption.
Selected Answer: A
Question #: 8
Topic #: 1
The three classic ways of authenticating yourself to the computer security software are by something you know, by something you have, and by something:
A. you need.
B. non-trivial
C. you are.
D. you can get.
Selected Answer: D
Question #: 9
Topic #: 1
A timely review of system access audit records would be an example of which of the basic security functions?
A. avoidance.
B. deterrence.
C. prevention.
D. detection.
Selected Answer: B
Question #: 10
Topic #: 1
A confidential number used as an authentication factor to verify a user’s identity is called a:
A. PIN
B. User ID
C. Password
D. Challenge
Selected Answer: D
Question #: 12
Topic #: 3
Which of the following usually provides reliable, real-time information without consuming network or host resources?
A. network-based IDS
B. host-based IDS
C. application-based IDS
D. firewall-based IDS
Selected Answer: B
Question #: 15
Topic #: 5
Brute force attacks against encryption keys have increased in potency because of increased computing power. Which of the following is often considered a good protection against the brute force cryptography attack?
A. The use of good key generators.
B. The use of session keys.
C. Nothing can defend you against a brute force crypto key attack.
D. Algorithms that are immune to brute force key attacks.
Selected Answer: A
Question #: 16
Topic #: 3
Attributes that characterize an attack are stored for reference using which of the following Intrusion Detection Systems (IDS)?
A. signature-based IDS
B. statistical anomaly-based IDS
C. event-based IDS
D. inference-based IDS
Selected Answer: A
Question #: 16
Topic #: 6
In the days before CIDR (Classless Internet Domain Routing), networks were commonly organized by classes. Which of the following would have been true of a Class B network?
A. The first bit of the IP address would be set to zero.
B. The first bit of the IP address would be set to one and the second bit set to zero.
C. The first two bits of the IP address would be set to one, and the third bit set to zero.
D. The first three bits of the IP address would be set to one.
Selected Answer: A
Question #: 20
Topic #: 2
A security evaluation report and an accreditation statement are produced in which of the following phases of the system development life cycle?
A. project initiation and planning phase
B. system design specification phase
C. development & documentation phase
D. acceptance phase
Selected Answer: D
Question #: 21
Topic #: 1
A department manager has read access to the salaries of the employees in his/her department but not to the salaries of employees in other departments. A database security mechanism that enforces this policy would typically be said to provide which of the following?
A. Content-dependent access control
B. Context-dependent access control
C. Least privileges access control
D. Ownership-based access control
Selected Answer: A
Question #: 23
Topic #: 4
Within the realm of IT security, which of the following combinations best defines risk?
A. Threat coupled with a breach
B. Threat coupled with a vulnerability
C. Vulnerability coupled with an attack
D. Threat coupled with a breach of security
Selected Answer: B
Question #: 23
Topic #: 1
Which of the following would constitute the best example of a password to use for access to a system by a network administrator?
A. holiday
B. Christmas12
C. Jenny
D. GyN19Za!
Selected Answer: D
Question #: 23
Topic #: 2
The information security staff’s participation in which of the following system development life cycle phases provides maximum benefit to the organization?
A. project initiation and planning phase
B. system design specifications phase
C. development and documentation phase
D. in parallel with every phase throughout the project
Selected Answer: D
Question #: 24
Topic #: 3
Which one of the following statements about the advantages and disadvantages of network-based Intrusion Detection Systems is true?
A. Network-based IDSs are not vulnerable to attacks.
B. Network-based IDSs are well suited for modern switch-based networks.
C. Most network-based IDSs can automatically indicate whether or not an attack was successful.
D. The deployment of network-based IDSs has little impact upon an existing network.
Selected Answer: D
Question #: 24
Topic #: 1
The number of violations that will be accepted or forgiven before a violation record is produced is called which of the following?
A. clipping level
B. acceptance level
C. forgiveness level
D. logging level
Selected Answer: D
Question #: 25
Topic #: 4
Which of the following is NOT a transaction redundancy implementation?
A. on-site mirroring
B. Electronic Vaulting
C. Remote Journaling
D. Database Shadowing
Selected Answer: B
Question #: 26
Topic #: 1
The number of violations that will be accepted or forgiven before a violation record is produced is called which of the following?
A. clipping level
B. acceptance level
C. forgiveness level
D. logging level
Selected Answer: A
Question #: 27
Topic #: 1
Examples of types of physical access controls include all EXCEPT which of the following?
A. badges
B. locks
C. guards
D. passwords
Selected Answer: B
Question #: 28
Topic #: 1
Guards are appropriate whenever the function required by the security program involves which of the following?
A. The use of discriminating judgment
B. The use of physical force
C. The operation of access control devices
D. The need to detect unauthorized access
Selected Answer: C
Question #: 28
Topic #: 6
Remote Procedure Call (RPC) is a protocol that one program can use to request a service from a program located in another computer in a network. Within which OSI/ISO layer is RPC implemented?
A. Session layer
B. Transport layer
C. Data link layer
D. Network layer
Selected Answer: B
Question #: 32
Topic #: 2
Which of the following is the act of performing tests and evaluations to test a system’s security level to see if it complies with the design specifications and security requirements?
A. Validation
B. Verification
C. Assessment
D. Accuracy
Selected Answer: C
Question #: 36
Topic #: 1
Which of the following is true of two-factor authentication?
A. It uses the RSA public-key signature based on integers with large prime factors.
B. It requires two measurements of hand geometry.
C. It does not use single sign-on technology.
D. It relies on two independent proofs of identity.
Selected Answer: D
Question #: 37
Topic #: 5
In a hierarchical PKI, the highest CA is regularly called the Root CA; it is also referred to by which one of the following terms?
A. Subordinate CA
B. Top Level CA
C. Big CA
D. Master CA
Selected Answer: B
Question #: 37
Topic #: 1
The primary service provided by Kerberos is which of the following?
A. non-repudiation
B. confidentiality
C. authentication
D. authorization
Selected Answer: C
Question #: 38
Topic #: 2
Which of the following is NOT true concerning Application Control?
A. It limits end users’ use of applications in such a way that only particular screens are visible.
B. Only specific records can be requested through the application controls
C. Particular usage of the application can be recorded for audit purposes
D. It is non-transparent to the endpoint applications so changes are needed to the applications and databases involved
Selected Answer: A
Question #: 39
Topic #: 2
Which of the following is NOT a countermeasure to traffic analysis?
A. Padding messages.
B. Eavesdropping.
C. Sending noise.
D. Faraday Cage
Selected Answer: B
Question #: 40
Topic #: 1
Which of the following is NOT a type of motion detector?
A. Photoelectric sensor
B. Passive infrared sensor
C. Microwave sensor
D. Ultrasonic sensor
Selected Answer: C