SSCP Topic 3
Question #: 82
Topic #: 2
Which of the following statements pertaining to protection rings is false?
A. They provide strict boundaries and definitions on what the processes that work within each ring can access.
B. Programs operating in inner rings are usually referred to as existing in a privileged mode.
C. They support the CIA triad requirements of multitasking operating systems.
D. They provide users with direct access to peripherals
Suggested Answer: D
Selected Answer: D
Question #: 84
Topic #: 1
What is called an automated means of identifying or authenticating the identity of a living person based on physiological or behavioral characteristics?
A. Biometrics
B. Micrometrics
C. Macrometrics
D. MicroBiometrics
Selected Answer: A
Question #: 85
Topic #: 6
In stateful inspection firewalls, packets are:
A. Inspected at only one layer of the Open System Interconnection (OSI) model
B. Inspected at all Open System Interconnection (OSI) layers
C. Decapsulated at all Open Systems Interconnect (OSI) layers.
D. Encapsulated at all Open Systems Interconnect (OSI) layers.
Selected Answer: B
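What makes a firewall "stateful" is a connection table: a packet is judged against the flow it belongs to, not only against its own header fields. The following is an added example (not part of the exam item or any vendor's code) with constructed traffic: a simplified state table alongside a classic stateless "allow inbound if ACK is set" rule, so that an ACK-scan probe that the packet filter waves through is dropped by the stateful check because no flow exists for it. Addresses and the inside network are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/8")  # constructed: the protected network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST"}


class StatefulFirewall:
    """Allows connections initiated from INSIDE and only the packets that match a
    flow already recorded in the state table (simplified stateful inspection)."""

    def __init__(self):
        self.table = {}  # (src, sport, dst, dport) -> state

    @staticmethod
    def _key(p):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> str:
        key, rev = self._key(p), self._reverse(p)
        if key in self.table or rev in self.table:
            owner = key if key in self.table else rev
            if "RST" in p.flags or "FIN" in p.flags:
                self.table.pop(owner)  # tear down on close (no half-close handling)
            else:
                self.table[owner] = "ESTABLISHED"
            return "ALLOW"
        # No matching state: only a fresh SYN from the inside may open a flow.
        if p.flags == frozenset({"SYN"}) and ip_address(p.src) in INSIDE:
            self.table[key] = "SYN_SENT"
            return "ALLOW"
        return "DROP"


def stateless_filter(p: Packet) -> str:
    """Classic packet-filter rule set: allow anything from inside, and allow inbound
    packets with ACK or RST set on the assumption that they belong to a reply."""
    if ip_address(p.src) in INSIDE:
        return "ALLOW"
    if "ACK" in p.flags or "RST" in p.flags:
        return "ALLOW"
    return "DROP"


# Constructed traffic: a legitimate HTTPS fetch, an unsolicited inbound SYN, and an
# ACK-scan probe that carries no SYN and matches no existing flow.
TRAFFIC = [
    ("client SYN", Packet("10.1.2.3", 51000, "203.0.113.5", 443, frozenset({"SYN"}))),
    ("server SYN-ACK", Packet("203.0.113.5", 443, "10.1.2.3", 51000, frozenset({"SYN", "ACK"}))),
    ("client ACK", Packet("10.1.2.3", 51000, "203.0.113.5", 443, frozenset({"ACK"}))),
    ("unsolicited SYN", Packet("198.51.100.9", 40000, "10.1.2.3", 22, frozenset({"SYN"}))),
    ("ACK scan probe", Packet("198.51.100.9", 40001, "10.1.2.3", 22, frozenset({"ACK"}))),
]


def run(traffic=TRAFFIC) -> dict:
    """Returns name -> (stateful decision, stateless decision) for each packet."""
    fw = StatefulFirewall()
    return {name: (fw.filter(p), stateless_filter(p)) for name, p in traffic}
```

The state table here keys on the layer 3/4 tuple only; a production stateful inspection engine also validates sequence numbers and, for protocols such as FTP, parses the application payload to open the related data connection.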
Question #: 87
Topic #: 1
What is called the percentage of valid subjects that are falsely rejected by a Biometric Authentication system?
A. False Rejection Rate (FRR) or Type I Error
B. False Acceptance Rate (FAR) or Type II Error
C. Crossover Error Rate (CER)
D. True Rejection Rate (TRR) or Type III Error
Suggested Answer: A
Selected Answer: A
Question #: 90
Topic #: 4
An Intrusion Detection System (IDS) is what type of control?
A. A preventive control.
B. A detective control.
C. A recovery control.
D. A directive control.
Selected Answer: B
Question #: 91
Topic #: 4
To protect and/or restore lost, corrupted, or deleted information, thereby preserving data integrity and availability, is the purpose of:
A. Remote journaling.
B. Database shadowing.
C. A tape backup method.
D. Mirroring.
Selected Answer: B
Question #: 91
Topic #: 1
Which of the following offers advantages such as the ability to use stronger passwords, easier password administration, one set of credentials, and faster resource access?
A. Smart cards
B. Single Sign-On (SSO)
C. Symmetric Ciphers
D. Public Key Infrastructure (PKI)
Selected Answer: B
Question #: 93
Topic #: 2
Which of the following is not a component of an Operations Security “triples”?
A. Asset
B. Threat
C. Vulnerability
D. Risk
Selected Answer: D
Question #: 93
Topic #: 1
Which of the following is implemented through scripts or smart agents that replay the user’s multiple log-ins against authentication servers to verify the user’s identity and permit access to system services?
A. Single Sign-On
B. Dynamic Sign-On
C. Smart cards
D. Kerberos
Selected Answer: D
Question #: 94
Topic #: 6
Which of the following elements of telecommunications is not used in assuring confidentiality?
A. Network security protocols
B. Network authentication services
C. Data encryption services
D. Passwords
Suggested Answer: D
Selected Answer: B
Question #: 94
Topic #: 1
Which of the following is a trusted, third party authentication protocol that was developed under Project Athena at MIT?
A. Kerberos
B. SESAME
C. KryptoKnight
D. NetSP
Selected Answer: C
Question #: 96
Topic #: 1
Which of the following is addressed by Kerberos?
A. Confidentiality and Integrity
B. Authentication and Availability
C. Validation and Integrity
D. Auditability and Integrity
Selected Answer: A
Question #: 98
Topic #: 1
Like the Kerberos protocol, SESAME is also subject to which of the following?
A. timeslot replay
B. password guessing
C. symmetric key guessing
D. asymmetric key guessing
Selected Answer: C
Question #: 99
Topic #: 4
Which of the following is an example of an active attack?
A. Traffic analysis
B. Scanning
C. Eavesdropping
D. Wiretapping
Selected Answer: B
Question #: 100
Topic #: 1
Which of the following protects a password from eavesdroppers and supports the encryption of communication?
A. Challenge Handshake Authentication Protocol (CHAP)
B. Challenge Handshake Identification Protocol (CHIP)
C. Challenge Handshake Encryption Protocol (CHEP)
D. Challenge Handshake Substitution Protocol (CHSP)
Suggested Answer: A
Selected Answer: A
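CHAP keeps the password off the wire by sending a hash of a fresh challenge instead of the secret. Added example (my own code, not from the exam or from any PPP implementation) of the CHAP-MD5 exchange from RFC 1994: the authenticator issues an unpredictable challenge, the peer answers with MD5(Identifier || secret || Challenge), and the authenticator recomputes it. The shared secret is a constructed value; the demo also shows that a captured response does not work against a later challenge.

```python
import hashlib
import os
import secrets

# Shared secret provisioned on both peers out of band (constructed for this example).
SHARED_SECRET = b"correct horse battery staple"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP-MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Server side: issues a fresh challenge per attempt and verifies the response."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.identifier = 0
        self.outstanding = {}  # identifier -> challenge still awaiting a response

    def challenge(self) -> tuple:
        self.identifier = (self.identifier + 1) % 256
        chal = os.urandom(16)  # unpredictable, so an old response cannot be replayed
        self.outstanding[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier: int, response: bytes) -> bool:
        chal = self.outstanding.pop(identifier, None)  # one response per challenge
        if chal is None:
            return False
        expected = chap_response(identifier, self.secret, chal)
        return secrets.compare_digest(expected, response)


def run_handshake(auth: Authenticator, peer_secret: bytes) -> tuple:
    """Peer answers one challenge; returns (accepted, bytes an eavesdropper would see)."""
    ident, chal = auth.challenge()
    resp = chap_response(ident, peer_secret, chal)
    wire = bytes([ident]) + chal + resp  # 1 + 16 + 16 octets
    return auth.verify(ident, resp), wire


def demo() -> dict:
    auth = Authenticator(SHARED_SECRET)
    ok, wire = run_handshake(auth, SHARED_SECRET)
    bad, _ = run_handshake(auth, b"wrong secret")
    # Replay: the eavesdropper resends the captured response to a *new* challenge.
    ident, _ = auth.challenge()
    replayed = auth.verify(ident, wire[17:])
    return {
        "valid_peer": ok,
        "wrong_secret": bad,
        "secret_on_wire": SHARED_SECRET in wire,
        "replay_accepted": replayed,
    }
```

Note the trade-off the protocol makes: because the authenticator must recompute the hash, it has to store the secret in a recoverable form, so the CHAP database itself needs protecting. MD5 here is what the RFC specifies, not a recommendation for new designs.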
Question #: 109
Topic #: 2
Which of the following security modes of operation involves the highest risk?
A. Compartmented Security Mode
B. Multilevel Security Mode
C. System-High Security Mode
D. Dedicated Security Mode
Selected Answer: D
Question #: 115
Topic #: 1
Which of the following biometric devices offers the LOWEST CER?
A. Keystroke dynamics
B. Voice verification
C. Iris scan
D. Fingerprint
Selected Answer: C
Question #: 115
Topic #: 5
Cryptography does not concern itself with which of the following choices?
A. Availability
B. Integrity
C. Confidentiality
D. Validation
Selected Answer: A
Question #: 118
Topic #: 1
Which of the following statements pertaining to access control is false?
A. Users should only access data on a need-to-know basis.
B. If access is not explicitly denied, it should be implicitly allowed.
C. Access rights should be granted based on the level of trust a company has in a subject.
D. Roles can be an efficient way to assign rights to a type of user who performs certain tasks.
Selected Answer: B
Question #: 122
Topic #: 1
Which access control model is also called Non Discretionary Access Control (NDAC)?
A. Lattice based access control
B. Mandatory access control
C. Role-based access control
D. Label-based access control
Selected Answer: B
Question #: 124
Topic #: 1
What can be defined as a list of subjects along with their access rights that are authorized to access a specific object?
A. A capability table
B. An access control list
C. An access control matrix
D. A role-based matrix
Selected Answer: C
Question #: 124
Topic #: 5
Which of the following binds a subject name to a public key value?
A. A public-key certificate
B. A public key infrastructure
C. A secret key infrastructure
D. A private key certificate
Suggested Answer: A
Selected Answer: A
Question #: 125
Topic #: 4
A copy of evidence, or an oral description of its contents, that is not as reliable as best evidence is what type of evidence?
A. Direct evidence
B. Circumstantial evidence
C. Hearsay evidence
D. Secondary evidence
Selected Answer: C
Question #: 125
Topic #: 5
What can be defined as a digital certificate that binds a set of descriptive data items, other than a public key, either directly to a subject name or to the identifier of another certificate that is a public-key certificate?
A. A public-key certificate
B. An attribute certificate
C. A digital certificate
D. A descriptive certificate
Suggested Answer: B
Selected Answer: B
Question #: 125
Topic #: 1
What is the difference between Access Control Lists (ACLs) and Capability Tables?
A. Access control lists are related/attached to a subject whereas capability tables are related/attached to an object.
B. Access control lists are related/attached to an object whereas capability tables are related/attached to a subject.
C. Capability tables are used for objects whereas access control lists are used for users.
D. They are basically the same.
Selected Answer: B
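The three access-control questions above (Q118, Q124 and this one) come down to one structure: an access control matrix whose columns, read per object, are ACLs and whose rows, read per subject, are capability tables. Added example (my own code, not from the exam) with a constructed matrix: both views are built from it, every decision is shown to agree, a lookup that finds no entry is denied (explicit grant, never implicit allow), and revoking all access to one object is a single step with ACLs but a walk over every subject with capabilities.

```python
# Constructed access control matrix: subject -> object -> set of rights.
MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "hr_policy.pdf": {"read"}},
    "bob": {"hr_policy.pdf": {"read"}, "backup.tar": {"read", "write"}},
    "carol": {"payroll.db": {"read"}},
}


def acl_view(matrix) -> dict:
    """Slice the matrix by column: each object carries the subjects and their
    rights (an ACL is attached to the object)."""
    acls = {}
    for subject, objs in matrix.items():
        for obj, rights in objs.items():
            acls.setdefault(obj, {})[subject] = set(rights)
    return acls


def capability_view(matrix) -> dict:
    """Slice the matrix by row: each subject carries the objects it may touch and
    how (a capability table is attached to the subject)."""
    return {s: {o: set(r) for o, r in objs.items()} for s, objs in matrix.items()}


def check_acl(acls, subject, obj, right) -> bool:
    # Absent entry -> denied: access must be explicitly granted, never implicitly allowed.
    return right in acls.get(obj, {}).get(subject, set())


def check_capability(caps, subject, obj, right) -> bool:
    return right in caps.get(subject, {}).get(obj, set())


def views_agree(matrix, rights=("read", "write", "execute")) -> bool:
    """Both views are projections of the same matrix, so every decision must match."""
    acls, caps = acl_view(matrix), capability_view(matrix)
    subjects = list(matrix)
    objects = {o for objs in matrix.values() for o in objs}
    return all(
        check_acl(acls, s, o, r) == check_capability(caps, s, o, r)
        for s in subjects for o in objects for r in rights
    )


def revoke_object(acls, obj) -> int:
    """Object-centric revocation is one lookup with an ACL; returns entries removed."""
    return len(acls.pop(obj, {}))


def revoke_object_from_capabilities(caps, obj) -> int:
    """The same revocation must visit every subject's capability list."""
    return sum(1 for c in caps.values() if c.pop(obj, None) is not None)
```

The asymmetry runs the other way for "what can this user reach?": that is one lookup in a capability table and a scan of every ACL. Which one a system keeps determines which review and revocation is cheap.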
Question #: 128
Topic #: 2
Which of the following should NOT be performed by an operator?
A. Implementing the initial program load
B. Monitoring execution of the system
C. Data entry
D. Controlling job flow
Selected Answer: A
Question #: 129
Topic #: 6
Which of the following mechanisms was created to overcome the problem of collisions that occur on wired networks when traffic is simultaneously transmitted from different nodes?
A. Carrier sense multiple access with collision avoidance (CSMA/CA)
B. Carrier sense multiple access with collision detection (CSMA/CD)
C. Polling
D. Token-passing
Selected Answer: A
Question #: 129
Topic #: 1
How are memory cards and smart cards different?
A. Memory cards normally hold more memory than smart cards
B. Smart cards provide a two-factor authentication whereas memory cards don’t
C. Memory cards have no processing power
D. Only smart cards can be used for ATM cards
Selected Answer: D
Question #: 131
Topic #: 1
What is the main focus of the Bell-LaPadula security model?
A. Accountability
B. Integrity
C. Confidentiality
D. Availability
Selected Answer: C
Question #: 132
Topic #: 2
Which of the following choices is NOT normally part of the questions that would be asked regarding an organization’s information security policy?
A. Who is involved in establishing the security policy?
B. Where is the organization’s security policy defined?
C. What are the actions that need to be performed in case of a disaster?
D. Who is responsible for monitoring compliance to the organization’s security policy?
Suggested Answer: C
Selected Answer: C
Question #: 136
Topic #: 1
What Orange Book security rating is reserved for systems that have been evaluated but fail to meet the criteria and requirements of the higher divisions?
A. A
B. D
C. E
D. F
Selected Answer: B
Question #: 136
Topic #: 4
The MOST common threat that impacts a business’s ability to function normally is:
A. Power Outage
B. Water Damage
C. Severe Weather
D. Labor Strike
Suggested Answer: A
Selected Answer: A
Question #: 137
Topic #: 6
How would an IP spoofing attack be best classified?
A. Session hijacking attack
B. Passive attack
C. Fragmentation attack
D. Sniffing attack
Suggested Answer: A
Selected Answer: A
Question #: 139
Topic #: 1
Smart cards are an example of which type of control?
A. Detective control
B. Administrative control
C. Technical control
D. Physical control
Selected Answer: C
Question #: 140
Topic #: 2
Which of the following statements pertaining to software testing approaches is correct?
A. A bottom-up approach allows interface errors to be detected earlier.
B. A top-down approach allows errors in critical modules to be detected earlier.
C. The test plan and results should be retained as part of the system’s permanent documentation.
D. Black box testing is predicated on a close examination of procedural detail.
Selected Answer: B
Question #: 141
Topic #: 1
What security model implies a central authority that defines rules, and sometimes global rules, dictating what subjects can have access to what objects?
A. Flow Model
B. Discretionary access control
C. Mandatory access control
D. Non-discretionary access control
Selected Answer: C
Question #: 142
Topic #: 4
Why would a memory dump be admissible as evidence in court?
A. Because it is used to demonstrate the truth of the contents.
B. Because it is used to identify the state of the system.
C. Because the state of the memory cannot be used as evidence.
D. Because of the exclusionary rule.
Selected Answer: A
Question #: 143
Topic #: 2
Which of the following phases of a software development life cycle normally incorporates the security specifications, determines access controls, and evaluates encryption options?
A. Detailed design
B. Implementation
C. Product design
D. Software plans and requirements
Selected Answer: A
Question #: 143
Topic #: 1
Which of the following statements pertaining to biometrics is false?
A. Increased system sensitivity can cause a higher false rejection rate
B. The crossover error rate is the point at which false rejection rate equals the false acceptance rate.
C. False acceptance rate is also known as Type II error.
D. Biometrics are based on the Type 2 authentication mechanism.
Selected Answer: D
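The biometric items on this page (Q87, Q115 and this one) all hinge on how FRR, FAR and CER relate to the decision threshold. Added example (my own code, not from the exam) over two constructed score distributions, genuine and impostor: FRR (Type I) and FAR (Type II) are computed at every threshold, the crossover is located where they are equal, raising sensitivity is shown to raise FRR while lowering FAR, and a second device with better-separated scores is shown to have the lower CER. Score values are made up for illustration; biometrics remain a Type 3 (something you are) factor regardless of the numbers.

```python
from fractions import Fraction

# Constructed match scores (0-100, higher = more similar to the enrolled template).
# GENUINE: the legitimate user against their own template; IMPOSTOR: other people's
# samples against that template.
GENUINE = [55, 60, 63, 65, 68, 70, 72, 75, 78, 80, 82, 85, 88, 90, 95]
IMPOSTOR = [10, 15, 20, 25, 30, 35, 40, 45, 50, 55, 58, 60, 62, 65, 70]


def frr(threshold: int, genuine=GENUINE) -> Fraction:
    """False Rejection Rate (Type I error): valid subjects scoring below the threshold."""
    return Fraction(sum(s < threshold for s in genuine), len(genuine))


def far(threshold: int, impostor=IMPOSTOR) -> Fraction:
    """False Acceptance Rate (Type II error): impostors scoring at or above the threshold."""
    return Fraction(sum(s >= threshold for s in impostor), len(impostor))


def sweep(genuine=GENUINE, impostor=IMPOSTOR, thresholds=range(0, 101)) -> list:
    """Error rates at every candidate threshold. Raising the threshold (more
    sensitivity) makes FRR climb and FAR fall; lowering it does the opposite."""
    return [(t, frr(t, genuine), far(t, impostor)) for t in thresholds]


def crossover(genuine=GENUINE, impostor=IMPOSTOR, thresholds=range(0, 101)) -> tuple:
    """Crossover Error Rate: the threshold where FRR and FAR are closest (equal here)
    and the error rate at that point. A lower CER means a more accurate device."""
    best = min(thresholds, key=lambda t: (abs(frr(t, genuine) - far(t, impostor)), t))
    return best, (frr(best, genuine) + far(best, impostor)) / 2


def compare_devices() -> dict:
    """Two constructed devices: the second separates genuine from impostor scores
    more cleanly, which is exactly what 'lowest CER' ranks."""
    better_genuine = [min(s + 15, 100) for s in GENUINE]  # genuine scores pushed up
    return {"device1": crossover(), "device2": crossover(better_genuine, IMPOSTOR)}
```

In practice the operating threshold is rarely set at the CER: a door to a server room is tuned toward low FAR and accepts more false rejections, while a convenience login is tuned the other way.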
Question #: 144
Topic #: 2
Which of the following is least likely to be included in the change control sub-phase of the maintenance phase of a software product?
A. Estimating the cost of the changes requested
B. Recreating and analyzing the problem
C. Determining the interface that is presented to the user
D. Establishing the priorities of requests
Selected Answer: A
Question #: 144
Topic #: 6
Which of the following IEEE standards defines the token ring media access method?
A. 802.3
B. 802.11
C. 802.5
D. 802.2
Selected Answer: C
Question #: 144
Topic #: 1
Which of the following statements pertaining to Kerberos is TRUE?
A. Kerberos does not address availability
B. Kerberos does not address integrity
C. Kerberos does not make use of Symmetric Keys
D. Kerberos cannot address confidentiality of information
Selected Answer: B
Question #: 145
Topic #: 1
Which of the following centralized access control mechanisms is the least appropriate for mobile workers accessing the corporate network over analog lines?
A. TACACS
B. Call-back
C. CHAP
D. RADIUS
Selected Answer: A
Question #: 146
Topic #: 4
When a possible intrusion into your organization’s information system has been detected, which of the following actions should be performed first?
A. Eliminate all means of intruder access.
B. Contain the intrusion.
C. Determine to what extent systems and data are compromised.
D. Communicate with relevant parties.
Selected Answer: C
Question #: 147
Topic #: 4
When first analyzing an intrusion that has just been detected and confirming that it is a true positive, which of the following actions should be done as a first step if you wish to prosecute the attacker in court?
A. Back up the compromised systems.
B. Identify the attacks used to gain access.
C. Capture and record system information.
D. Isolate the compromised systems.
Selected Answer: B
Question #: 148
Topic #: 1
What refers to legitimate users accessing networked services that would normally be restricted to them?
A. Spoofing
B. Piggybacking
C. Eavesdropping
D. Logon abuse
Suggested Answer: D
Selected Answer: D
Question #: 150
Topic #: 1
Which of the following is not a two-factor authentication mechanism?
A. Something you have and something you know.
B. Something you do and a password.
C. A smartcard and something you are.
D. Something you know and a password.
Selected Answer: D
Question #: 154
Topic #: 2
Which of the following rules is least likely to support the concept of least privilege?
A. The number of administrative accounts should be kept to a minimum.
B. Administrators should use regular accounts when performing routine operations like reading mail.
C. Permissions on tools that are likely to be used by hackers should be as restrictive as possible.
D. Only data to and from critical systems and applications should be allowed through the firewall.
Selected Answer: B
Question #: 154
Topic #: 1
Which of the following access control models requires defining classification for objects?
A. Role-based access control
B. Discretionary access control
C. Identity-based access control
D. Mandatory access control
Selected Answer: D
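Mandatory access control (Q122, Q131, Q141 and this item) needs every object to carry a classification because the decision is a lattice comparison between the subject's clearance and the object's label, made by a central reference monitor rather than by the owner. Added example (my own code, not from the exam) of Bell-LaPadula over constructed labels: dominance on level plus compartments, the simple security property (no read up), the *-property (no write down), the lattice join, and a refusal to mediate any object the central authority has not labelled.

```python
from dataclasses import dataclass

# Ordered sensitivity levels (constructed; a real system uses its own scheme).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice order: higher-or-equal level AND a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

    def join(self, other: "Label") -> "Label":
        """Least upper bound: the label a document that combines two inputs must carry."""
        top = max(self.level, other.level, key=LEVELS.__getitem__)
        return Label(top, self.compartments | other.compartments)


class ReferenceMonitor:
    """Bell-LaPadula decisions. Every object must have been labelled by the central
    authority first; an unlabelled object cannot be mediated and is refused."""

    def __init__(self, subjects: dict, objects: dict):
        self.subjects, self.objects = subjects, objects

    def _pair(self, subject, obj):
        if obj not in self.objects:
            raise KeyError(f"object {obj!r} has no classification label")
        return self.subjects[subject], self.objects[obj]

    def can_read(self, subject, obj) -> bool:
        s, o = self._pair(subject, obj)
        return s.dominates(o)  # simple security property: no read up

    def can_write(self, subject, obj) -> bool:
        s, o = self._pair(subject, obj)
        return o.dominates(s)  # *-property: no write down


# Constructed clearances and classifications.
SUBJECTS = {
    "analyst": Label("SECRET", frozenset({"NUCLEAR"})),
    "clerk": Label("CONFIDENTIAL"),
}
OBJECTS = {
    "weather.txt": Label("UNCLASSIFIED"),
    "reactor.doc": Label("SECRET", frozenset({"NUCLEAR"})),
    "cipher.doc": Label("SECRET", frozenset({"CRYPTO"})),
    "budget.xls": Label("TOP SECRET", frozenset({"NUCLEAR"})),
}
RM = ReferenceMonitor(SUBJECTS, OBJECTS)


def decisions(rm=RM) -> dict:
    return {
        "analyst reads weather.txt": rm.can_read("analyst", "weather.txt"),    # read down: ok
        "analyst reads cipher.doc": rm.can_read("analyst", "cipher.doc"),      # missing compartment
        "analyst writes budget.xls": rm.can_write("analyst", "budget.xls"),    # write up: ok
        "analyst writes weather.txt": rm.can_write("analyst", "weather.txt"),  # write down: denied
        "clerk reads reactor.doc": rm.can_read("clerk", "reactor.doc"),        # read up: denied
    }
```

The "write up is allowed" outcome is what makes BLP a confidentiality model only: a low-cleared subject may overwrite a TOP SECRET file it cannot read, so integrity needs a separate model (Biba) or trusted subjects.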
Question #: 156
Topic #: 1
Which of the following statements pertaining to using Kerberos without any extension is false?
A. A client can be impersonated by password-guessing.
B. Kerberos is mostly a third-party authentication protocol.
C. Kerberos uses public key cryptography.
D. Kerberos provides robust authentication.
Selected Answer: C
Question #: 157
Topic #: 6
Which of the following remote access authentication systems is the most robust?
A. TACACS+
B. RADIUS
C. PAP
D. TACACS
Selected Answer: A
Question #: 157
Topic #: 1
Which of the following statements pertaining to Kerberos is false?
A. The Key Distribution Center represents a single point of failure.
B. Kerberos manages access permissions.
C. Kerberos uses a database to keep a copy of all users’ public keys.
D. Kerberos uses symmetric key cryptography.
Selected Answer: C
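The Kerberos items on this page (Q93, Q94, Q96, Q98, Q144, Q156 and this one) keep returning to the same facts: Kerberos is a trusted third-party protocol built on symmetric keys derived from passwords, the KDC holds every key and is therefore a single point of failure, it authenticates rather than manages permissions, and a client can be impersonated by guessing the password. Added example (my own code, not from the exam, MIT Kerberos or any KDC) of a reduced AS exchange: the KDC returns a TGT under the TGS key and an enc-part under the client's password-derived key, the client recovers the session key, and an attacker who captured the enc-part guesses the password offline. The key derivation and the authenticated encryption are constructed stand-ins for the real enctypes, chosen so the block runs with the standard library only.

```python
import hashlib
import hmac
import json
import os
import time
from typing import Optional


def string_to_key(password: str, salt: bytes) -> bytes:
    """Long-term key from the principal's password, shared with the KDC (symmetric).
    Constructed stand-in for Kerberos string-to-key; real enctypes use PBKDF2 etc."""
    return hashlib.sha256(salt + password.encode()).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range(0, length, 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption (XOR keystream + HMAC tag), stand-in for an enctype."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """Authentication Server + Ticket Granting Server in one. It holds every
    principal's long-term key, which is why it is a single point of failure."""

    def __init__(self, passwords: dict):
        self.keys = {name: string_to_key(pw, name.encode()) for name, pw in passwords.items()}
        self.tgs_key = os.urandom(32)

    def as_exchange(self, client: str, nonce: int) -> tuple:
        """AS-REQ/AS-REP: returns (TGT under the TGS key, enc-part under the client key).
        The KDC asserts identity only; what the client may then do is the service's call."""
        session = os.urandom(16).hex()
        tgt = encrypt(self.tgs_key, json.dumps(
            {"client": client, "session": session, "expires": int(time.time()) + 600}).encode())
        enc_part = encrypt(self.keys[client], json.dumps(
            {"session": session, "nonce": nonce}).encode())
        return tgt, enc_part


def client_login(name: str, password: str, enc_part: bytes, nonce: int) -> str:
    """Client recovers the session key; the password itself never crosses the wire."""
    data = json.loads(decrypt(string_to_key(password, name.encode()), enc_part))
    if data["nonce"] != nonce:
        raise ValueError("replayed AS-REP")
    return data["session"]


def tgs_check(kdc: KDC, tgt: bytes) -> dict:
    """The TGS opens the TGT with its own key; the client can neither read nor forge it."""
    return json.loads(decrypt(kdc.tgs_key, tgt))


def guess_password(name: str, enc_part: bytes, wordlist) -> Optional[str]:
    """Offline attack on a captured AS-REP: a correct guess decrypts the enc-part, so
    no further interaction with the KDC is needed (the 'password guessing' of Q98/Q156)."""
    for candidate in wordlist:
        try:
            decrypt(string_to_key(candidate, name.encode()), enc_part)
            return candidate
        except ValueError:
            continue
    return None
```

This is why pre-authentication and strong, long passwords (or keys not derived from passwords at all, as with PKINIT) matter: without them anyone can request an AS-REP for a principal and crack it at leisure, and even with pre-authentication a captured exchange is still guessable offline.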
Question #: 159
Topic #: 2
Which of the following best defines add-on security?
A. Physical security complementing logical security measures.
B. Protection mechanisms implemented as an integral part of an information system.
C. Layer security.
D. Protection mechanisms implemented after an information system has become operational.
Selected Answer: D
Question #: 159
Topic #: 1
Which of the following is an example of discretionary access control?
A. Identity-based access control
B. Task-based access control
C. Role-based access control
D. Rule-based access control
Selected Answer: A
Question #: 162
Topic #: 1
Which of the following is NOT an advantage that TACACS+ has over TACACS?
A. Event logging
B. Use of two-factor password authentication
C. User has the ability to change his password
D. Ability for security tokens to be resynchronized
Selected Answer: C
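The RADIUS versus TACACS+ comparison behind Q157 and this item is concrete at the packet level: RADIUS hides only the User-Password attribute, while TACACS+ obfuscates the whole packet body, so the user name and the rest of the session are exposed on a RADIUS link but not on a TACACS+ one. Added example (my own code, not from the exam or from any RADIUS/TACACS+ implementation) of both algorithms as specified in RFC 2865 section 5.2 and RFC 8907 section 4.5, run over constructed packets to show what an eavesdropper on the NAS-to-server link can read. Secrets, session id and the Request Authenticator are made-up constants.

```python
import hashlib


def radius_hide_password(secret: bytes, request_authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: pad to a 16-octet multiple, then XOR
    each block with MD5(secret || previous block), the first 'previous block' being
    the 16-octet Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block  # chaining uses the ciphertext block
    return hidden


def radius_reveal_password(secret: bytes, request_authenticator: bytes, hidden: bytes) -> bytes:
    plain, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5 pseudo-pad: MD5_1 = MD5(session_id || key || version || seq_no),
    MD5_n = MD5(session_id || key || version || seq_no || MD5_{n-1}), concatenated."""
    prefix = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(session_id: int, key: bytes, version: int, seq_no: int, body: bytes) -> bytes:
    """Body XOR pseudo-pad; XOR is its own inverse, so the same call de-obfuscates."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def compare(username: bytes = b"alice", password: bytes = b"hunter2") -> dict:
    """Constructed packets: which fields an eavesdropper can read in each protocol."""
    secret = b"radius-shared-secret"
    ra = bytes(range(16))  # constructed Request Authenticator (random in practice)
    radius_bytes = (b"User-Name=" + username + b"\x00User-Password="
                    + radius_hide_password(secret, ra, password))

    tac_key, sid, version, seq = b"tacacs-shared-secret", 0x1A2B3C4D, 0xC0, 1
    tacacs_body = b"user=" + username + b"\x00pass=" + password
    tacacs_bytes = tacacs_obfuscate(sid, tac_key, version, seq, tacacs_body)

    return {
        "radius_username_visible": username in radius_bytes,
        "radius_password_visible": password in radius_bytes,
        "tacacs_username_visible": username in tacacs_bytes,
        "tacacs_password_visible": password in tacacs_bytes,
        "radius_roundtrip": radius_reveal_password(secret, ra, radius_hide_password(secret, ra, password)) == password,
        "tacacs_roundtrip": tacacs_obfuscate(sid, tac_key, version, seq, tacacs_bytes) == tacacs_body,
    }
```

Neither scheme is modern encryption: both are MD5-based stream masks keyed by a shared secret, and the TACACS+ header (including the session id the pad depends on) travels in the clear. Both RFCs expect the transport to be protected (IPsec, or TLS for TACACS+) on untrusted networks.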
Question #: 163
Topic #: 2
One purpose of a security awareness program is to modify:
A. employees’ attitudes and behaviors towards the enterprise’s security posture
B. management’s approach towards the enterprise’s security posture
C. attitudes of employees with sensitive data
D. corporate attitudes about safeguarding data
Selected Answer: A