Mike Chapple - (ISC)2 SSCP Systems Security Certified Practitioner Official Practice Tests

(ISC)2 SSCP Systems Security Certified Practitioner Official Practice Tests: summary and description

Smarter, faster prep for the SSCP exam
(ISC)² SSCP Official Practice Tests, 2nd Edition

(ISC)2 SSCP Systems Security Certified Practitioner Official Practice Tests: excerpt

49. When Alex sets the permissions shown in the following image as one of many users on a Linux server, what type of access control model is he leveraging?
   A. Role-based access control
   B. Rule-based access control
   C. Mandatory access control (MAC)
   D. Discretionary access control (DAC)

50. The U.S. government CAC is an example of what form of Type 2 authentication factor?
   A. A token
   B. A biometric identifier
   C. A smart card
   D. A PIV

51. Donna is conducting an ongoing review of her organization's identity and access management system and identifies a problem. She finds that when users change jobs, they never have the access rights associated with their old jobs removed. What term best describes this issue?
   A. Rights management
   B. Privilege creep
   C. Two-person control
   D. Least privilege

52. Which objects and subjects have a label in a MAC model?
   A. Objects and subjects that are classified as Confidential, Secret, or Top Secret have a label.
   B. All objects have a label, and all subjects have a compartment.
   C. All objects and subjects have a label.
   D. All subjects have a label and all objects have a compartment.

53. Jack's organization is a government agency that handles very sensitive information. They need to implement an access control system that allows administrators to set access rights but does not allow the delegation of those rights to other users. What is the best type of access control design for Jack's organization?
   A. Discretionary access control
   B. Mandatory access control
   C. Decentralized access control
   D. Rule-based access control

54. Kathleen works for a data center hosting facility that provides physical data center space for individuals and organizations. Until recently, each client was given a magnetic-strip-based keycard to access the section of the facility where their servers are located, and they were also given a key to access the cage or rack where their servers reside. In the past month, several servers have been stolen, but the logs for the pass cards show only valid IDs. What is Kathleen's best option to make sure that the users of the pass cards are who they are supposed to be?
   A. Add a reader that requires a PIN for passcard users.
   B. Add a camera system to the facility to observe who is accessing servers.
   C. Add a biometric factor.
   D. Replace the magnetic stripe keycards with smartcards.

55. What term is used to describe the default set of privileges assigned to a user when a new account is created?
   A. Aggregation
   B. Transitivity
   C. Baseline
   D. Entitlement

56. Kathleen is implementing an access control system for her organization and builds the following array:
   Reviewers: update files, delete files
   Submitters: upload files
   Editors: upload files, update files
   Archivists: delete files
   What type of access control system has Kathleen implemented?
   A. Role-based access control
   B. Task-based access control
   C. Rule-based access control
   D. Discretionary access control

57. When a user attempts to log into their online account, Google sends a text message with a code to their cell phone. What type of verification is this?
   A. Knowledge-based authentication
   B. Dynamic knowledge-based authentication
   C. Out-of-band identity proofing
   D. Risk-based identity proofing

58. In a zero-trust network architecture, what criterion is used to make trust decisions?
   A. Identity of a user or device
   B. IP address
   C. Network segment
   D. VLAN membership

Chapter 3 Risk Identification, Monitoring, and Analysis (Domain 3)

THE SSCP EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:

Domain 3.0: Risk Identification, Monitoring, and Analysis

3.1 Understand the risk management process
   Risk visibility and reporting (e.g., risk register, sharing threat intelligence/Indicators of Compromise (IOC), Common Vulnerability Scoring System (CVSS))
   Risk management concepts (e.g., impact assessments, threat modeling)
   Risk management frameworks (e.g., International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST))
   Risk tolerance (e.g., appetite)
   Risk treatment (e.g., accept, transfer, mitigate, avoid, ignore)

3.2 Understand legal and regulatory concerns (e.g., jurisdiction, limitations, privacy)

3.3 Participate in security assessment and vulnerability management activities
   Security testing
   Risk review (e.g., internal, supplier, architecture)
   Vulnerability management lifecycle

3.4 Operate and monitor security platforms (e.g., continuous monitoring)
   Source systems (e.g., applications, security appliances, network devices and hosts)
   Events of interest (e.g., anomalies, intrusions, unauthorized changes, compliance monitoring)
   Log management
   Event aggregation and correlation

3.5 Analyze monitoring results
   Security baselines and anomalies
   Visualizations, metrics, and trends (e.g., notifications, dashboards, timelines)
   Event data analysis
   Document and communicate findings (e.g., escalation)

1. HAL Systems recently decided to stop offering public NTP services because of a fear that its NTP servers would be used in amplification DDoS attacks. What type of risk management strategy did HAL pursue with respect to its NTP services?
   A. Risk mitigation
   B. Risk acceptance
   C. Risk transference
   D. Risk avoidance

2. Tom is responding to a recent security incident and is seeking information on the approval process for a recent modification to a system's security settings. Where would he most likely find this information?
   A. Change log
   B. System log
   C. Security log
   D. Application log

3. Alex wants to use an automated tool to fill web application forms to test for format string vulnerabilities. What type of tool should he use?
   A. A black box
   B. A brute-force tool
   C. A fuzzer
   D. A static analysis tool

For questions 4–6, please refer to the following scenario.

Henry is the risk manager for Atwood Landing, a resort community in the midwestern United States. The resort's main data center is located in northern Indiana in an area that is prone to tornadoes. Henry recently undertook a replacement cost analysis and determined that rebuilding and reconfiguring the data center would cost $10 million.

Henry consulted with tornado experts, data center specialists, and structural engineers. Together, they determined that a typical tornado would cause approximately $5 million of damage to the facility. The meteorologists determined that Atwood’s facility lies in an area where they are likely to experience a tornado once every 200 years.

4. Based upon the information in this scenario, what is the exposure factor for the effect of a tornado on Atwood Landing's data center?
   A. 10 percent
   B. 25 percent
   C. 50 percent
   D. 75 percent

5. Based upon the information in this scenario, what is the annualized rate of occurrence for a tornado at Atwood Landing's data center?
   A. 0.0025
   B. 0.005
   C. 0.01
   D. 0.015

6. Based upon the information in this scenario, what is the annualized loss expectancy for a tornado at Atwood Landing's data center?
   A. $25,000
   B. $50,000
   C. $250,000
   D. $500,000

7. Earlier this year, the information security team at Jim's employer identified a vulnerability in the web server that Jim is responsible for maintaining. He immediately applied the patch and is sure that it installed properly, but the vulnerability scanner has continued to incorrectly flag the system as vulnerable because of the version number it is finding, even though Jim is sure the patch is installed. Which of the following options is Jim's best choice to deal with the issue?
   A. Uninstall and reinstall the patch.
   B. Ask the information security team to flag the system as patched and not vulnerable.
   C. Update the version information in the web server's configuration.
   D. Review the vulnerability report and use alternate remediation options.

8. Which NIST special publication covers the assessment of security and privacy controls?
   A. 800-12
   B. 800-53A
   C. 800-34
   D. 800-86

9. Selah's team is working to persuade their management that their network has extensive vulnerabilities that attackers could exploit. If she wants to conduct a realistic attack as part of a penetration test, what type of penetration test should she conduct?
   A. Full knowledge
   B. Partial knowledge
   C. Zero knowledge
   D. Specific knowledge
