Self Test

A Quick Answer Key follows the Self Test questions. For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.

1. 

A potential customer has called you into their office to discuss some access control issues they are having. They tell you that their developers have traditionally had access to administrator accounts on operational systems and that some other users with no system administrator responsibilities also have administrator access. The customer would like to limit the access each employee has to the system to only the access needed to accomplish the employee's job function. Your customer has just described what security concept?

  A. Least privilege

  B. Authentication

  C. Auditing

  D. Integrity

2. 

Your company is having problems with users taking sensitive information home on disposable media such as floppy disks or CD-ROMs. Your boss tells you he is concerned about the possibility of sensitive corporate information falling into the wrong hands. From your security experience, you realize that your company has issues with which one of the following security fundamentals?

  A. Integrity

  B. Availability

  C. Non-repudiation

  D. Confidentiality

3. 

You have been contracted by a large e-commerce company to help mitigate issues they are having with DDoS attacks. They tell you that at least once a week they get hit by DDoS attacks that take down their Web site, which is the primary point of origin for customer orders. Your customer has just described a problem with which concept?

  A. Confidentiality

  B. Accountability

  C. Availability

  D. Integrity

4. 

Cheryl tells you that she has created the database file you will need for your new customer. She explains that you should be able to log in to the server and download the file from her home directory because she has changed the permissions on the file. You log in and download the file exactly as you expected. Cheryl has just demonstrated what method of access control?

  A. MAC

  B. DAC

  C. RBAC

  D. None of the above

5. 

You have just been hired as the new security manager at Corporation X. The company hired some contractors last year to help improve the company's security posture. They are now the proud new owners of a firewall. Your new manager seems concerned that the firewall might not actually fix all the security problems within the organization. You tell him that security is not a one-step fix but instead is:

  A. A process based on the life cycle of information security that is composed of analysis, improvement and feedback that is constantly improving the security of the organization.

  B. A two-step process where you install not only a firewall, but also implement a good security policy.

  C. A step-by-step process outlined by the firewall vendor that includes firewall updates and the validity checking of firewall rules.

  D. Possible only through the use of a comprehensive security policy and enforced by a sizeable legal team.

6. 

Company Z uses an iterative process for implementing information security. An analysis of the current system is conducted to determine the current security needs of the system. A security plan is drawn up that defines the implementation of new solutions to address the needs. The plan is then implemented and the implementation is tested to ensure that it performs as expected. A feedback process then takes place to provide input on the process and solutions implemented. At this point, the process begins again. What process is Company Z using for security?

  A. The life cycle of information security

  B. Risk assessment process

  C. Change management process

  D. Quality assurance

7. 

You work for a large product development company that is currently engineering a product for a government agency. As part of this process, your manager has asked you to do an in-depth evaluation of the product to ensure it meets all functional and security requirements. This process is known as what?

  A. Accreditation

  B. Assurance

  C. Certification

  D. Acceptance

8. 

Your friend works on a government project where she has been developing a mission-specific security tool. She tells you about the system and how it was designed to promote trust in the system through the use of system controls, security characteristics, and secure architecture. Your friend has just described which security term?

  A. Assurance

  B. Accreditation

  C. Certification

  D. Acceptance

9. 

Your manager has decided that it makes sense to have security and quality assurance involved in the development process from the very beginning. The developers, however, are hesitant to relent because they say it will dramatically slow down the development process. Which of the following statements are justifications for security involvement in the development process?

  A. It ensures that all policies, laws, and contractual obligations are met by the product.

  B. Security requirements can be defined at the beginning of the development process and tracked through to completion.

  C. Security and quality assurance practices help test and ensure processing integrity with the product. This helps avoid unintentional functionality that could sacrifice security.

  D. All of the above.

10. 

Your customer is beginning a quality assurance component within their organization. Their goal is to create a system that will ensure that all obligations are met in the course of normal operations. They ask you to define areas that need to be considered during the quality assurance process. Which of the following most fits their goals for the quality assurance process?

  A. Contractual obligations, organizational policies, and employee availability

  B. Regulations and laws, organizational policies, and contractual obligations

  C. Employee availability, regulations and laws, and contractual obligations

  D. Contractual obligations, organizational policies, and digital signatures

11. 

You work on the internal security team for a company that has been trying to improve their security posture. Over the last year you have had the opportunity to recommend solutions to security issues and implement fixes for the issues. Your manager now tells you it is time to test the security posture of the organization. Who is the appropriate entity for performing this testing?

  A. You should perform the security testing because your team has the most intimate knowledge of the system and the security solutions you have implemented.

  B. Any third-party entity with the appropriate security experience and background to perform security assessments. This provides an objective third-party opinion on the security within the organization that is not hampered by tunnel vision.

  C. Whatever vendor supplied the firewall or intrusion detection solutions for the company should also provide this assessment activity.

  D. No real assessment is necessary at this point because the security concerns have been resolved through the implementation of various security solutions. What is really needed is a review of where the process is at in the information security life cycle.

12. 

Company X is considering having a risk assessment performed against their organization. You have been called in as a potential contractor to perform the work. Upper management has a vague understanding of what a risk assessment consists of, but asks you to tell them more about the first general step in your risk assessment process. Which of the following procedures will you begin describing to them?

  A. Recommend solutions to mitigate assessment findings and improve the organization's security posture.

  B. Identify risks to the critical systems based on your prior security experience.

  C. Identify the critical information types within the organization and the critical systems that store, process, and transmit that information.

  D. Identify the costs associated with possible solutions to security problems within the organization.

13. 

Company X decided to let you perform the risk assessment and now you have arrived at the point in the process where you must recommend suitable solutions. The customer seems intent on spending large sums of money to prevent any loss in the system. In some cases, they are willing to spend more than the asset may be worth to the organization. What concept do you discuss with the customer?

  A. The customer needs to understand that there is an acceptable level of loss for each information asset within the organization. The level of acceptable loss needs to be determined by the customer. Beyond that, the organization should not spend more to protect an asset than the asset is actually worth.

  B. The pick and spend concept should be explained so that the customer understands that the more money and resources expended in the protection of an asset, the more secure that asset will remain.

  C. Information resources can never be fully protected so the customer does not need to spend much money in order to give the maximum amount of protection. Consider the least expensive product line to save budget dollars and still get the job done.

  D. You should only give input to the customer when requested by the customer. The customer knows their system better than you and can better come up with quality security solutions.

14. 

The concept of secure architecture is intended to protect processes and data within a system from other processes and data in the system. One of the primary components is actually a virtual machine within the system that controls access to every object within the system. This ensures that system objects, processes, files, memory segments, and peripherals are protected. What is the name of this component?

  A. Reference monitor

  B. Hardware segmentation

  C. High security mode

  D. Data hiding

15. 

A colleague from another branch in the same company calls you up and starts explaining how his department is implementing certain access security into their system. The idea is to limit the amount of information each individual is responsible for or is allowed to have access to within the processing cycle. He believes this will help secure the organization because no single person will know everything about the processes in the system and hence, cannot reveal that information. Your colleague has just explained what security concept?

  A. Separation of duties

  B. Least privilege

  C. Change control

  D. Account tracking

Answers

1. 

☑ Answer A is correct. Least privilege is the concept of only giving an individual the amount of access required for them to meet their job responsibilities. No excess access is permitted simply because it is not required.

☒ Answer B is incorrect because authentication is a method for verifying an individual's identity through the use of several different mechanisms, including passwords, biometrics, and tokens. Answer C is incorrect because auditing is the process of tracking actions on a system, including logins, logouts, commands executed, and transition to administrative level system accounts. Answer D is incorrect because integrity deals specifically with maintaining the validity of information in a system.

2. 

☑ Answer D is correct. Confidentiality is the security principle that deals specifically with keeping sensitive information private and away from the hands of unauthorized individuals.

☒ Answer A is incorrect because integrity deals specifically with maintaining the validity of information in a system. Answer B is incorrect because availability is the concept of keeping information and data available for use when it is needed to perform mission functions. Answer C is incorrect because non-repudiation means that actions taken on the system can be proven, beyond doubt, to have been performed by a specific person.

3. 

☑ Answer C is correct. Availability is having information available for use when it is needed in order to accomplish the organization's mission. Since the company Web site is the primary point of customer orders, any downtime of the Web resources means lost revenue for the customer.

☒ Answer A is incorrect because confidentiality is the security principle that deals specifically with keeping sensitive information private and away from the hands of unauthorized individuals. Answer B is incorrect because accountability is the concept of ensuring users of an IT system are held responsible for their actions on the system. Answer D is incorrect because integrity deals specifically with maintaining the validity of information in a system.

4. 

☑ Answer B is correct. DAC allows users of an IT system to set specific permissions for each file or object they own or have control over. Cheryl changed the permissions for the database file she created to allow you to download the file.

☒ Answer A is incorrect because MAC is hard-coded into the operating system and cannot be altered. Answer C is incorrect because RBAC governs access permissions given to individuals based on their role in the system or the role of the group that individual belongs to.

5. 

☑ Answer A is correct. Improvement in security posture is seen through the use of a life cycle model where improvements are made for observed weaknesses and feedback is given for each solution.

☒ Answer B is only partially correct since the implementation of a good firewall and a security policy will help an organization's security posture, but does not lend itself to consistent improvement. Answer C is incorrect because a single product (such as a firewall) cannot solve all the security issues at any organization. Answer D is incorrect because legal means are only sought after a security incident has occurred.

6. 

☑ Answer A is correct. The life cycle of information security is an ongoing, iterative process that strives to improve security at the organization over a stretch of time.

☒ Answer B is incorrect because the risk assessment process is the evaluation of a system to determine need. Although it addresses one step in the life cycle process, it fails to address the remaining steps. Answer C is incorrect because the change management process is concerned with ensuring that operational systems are not impacted by changes to the system. It is not directly relevant to the life cycle process. Answer D is incorrect because quality assurance ensures that all organizational obligations are met when performing duties or services.

7. 

☑ Answer C is correct. Certification is the process of evaluating a system to ensure it meets all security and functional requirements.

☒ Answer A is incorrect because accreditation is the designation of a system as "safe to use" based on a set of security guidelines that have been met. Answer B is incorrect because assurance is a term used to define the level of confidence in a system. System controls, security characteristics, and the actual architecture and design of the system are all pieces of assurance. Answer D is incorrect because acceptance designates that a system has met all security and performance requirements that were set for the project. Performance standards have been met and technical guidelines were followed correctly.

8. 

☑ Answer A is correct. Assurance defines the levels of trust or confidence a system has by its users based on the implementation of security components, system controls, and secure architectural design.

☒ Answer B is incorrect because accreditation is the designation of a system as "safe to use" based on a set of security guidelines that have been met. Answer C is incorrect because certification is the result of a process of in-depth evaluation (technical and non-technical) to determine if a system meets all required security guidelines. Answer D is incorrect because acceptance designates that a system has met all security and performance requirements that were set for the project. Performance standards have been met and technical guidelines were followed correctly.

9. 

☑ Answer D is correct. The involvement of security and quality assurance helps ensure that obligations, such as legal and contractual, are met in the final product. Security requirements can be defined along with all the other functional requirements to ensure that all the pieces work well together. Processing integrity can also be better performed with the involvement of the security team to look for unexpected functionality or unseen security issues.

☒ Each answer by itself is correct, but all of them are reasonable justification for the involvement of security and quality assurance in the development process.

10. 

☑ Answer B is correct. The quality assurance process ensures that all regulations and laws are respected and adhered to, organizational policies are followed, and all contractual obligations, such as SLAs or QoS agreements, are met.

☒ Answers A, C, and D are all missing one important piece of the quality assurance puzzle: employee availability does not make a difference to the quality assurance process, nor does the use of digital signatures.

11. 

☑ Answer B is correct. An objective third party with no connections to the organization could potentially provide better insight into solutions and problems within the organization.

☒ Answer A is incorrect because there is often a conflict of interest when the internal security team provides testing of their own security solutions. Answer C is incorrect because many vendors who sell and implement security devices may or may not have the adequate experience to perform the necessary testing. Answer D is incorrect because the security testing must occur, even though reviews of the information security life cycle may also occur simultaneously.

12. 

☑ Answer C is correct. Each risk assessment begins with an understanding of those information resources that are critical for an organization to complete its mission.

☒ Answers A, B, and D are incorrect because even though they are all parts of the risk assessment process, they are not the first step. Each one depends on an understanding of how the organization completes its mission and what information types are critical to that process. Once you understand these critical information types and the systems associated with them, you can better identify risks to that information and make reasonable recommendations for mitigation of those risks.

13. 

☑ Answer A is correct. The acceptable level of loss sets customer expectations about how much damage to the system is acceptable before a mitigating solution should kick in. This also helps determine the amount of financial resources that must be spent to protect each asset. No asset should have protective measures in place that cost more than the asset is worth to the organization.

☒ Answer B is incorrect because you cannot necessarily spend more money to buy the ultimate security solution. Answer C is only partially correct because there is no such thing as 100 percent security. But settling on the least expensive security solution does not mean the customer will be protected at all. Answer D is incorrect because it suggests that you should defer all decisions to the customer because this is their information system and they know it better than you. Although it may be true that they have a better understanding of the system, they will not normally have your level of security expertise. They have hired you for your knowledge and you should provide them with information that enables the customer to make wise security solution decisions.

14. 

☑ Answer A is correct. The reference monitor is a virtual machine within a system that controls access to every object on the system every time access is requested. It will allow access to an object only if it determines that the subject (individual, process, and so on) trying to access the object is allowed.

☒ Answer B is incorrect because, although it is also a component of secure architecture, it deals primarily with the protection of each memory allocation within the system. Answer C is incorrect because high security mode is also a component of a secure architecture, but it ensures that processes at different levels of sensitivity or classification do not interact or contaminate each other. Answer D is incorrect because data hiding is the process of keeping sensitive data used by system processes away from processes run by less privileged users of the system.

15. 

☑ Answer A is correct. Separation of duties deals specifically with limiting the amount of information about an entire process chain that any individual knows or has access to. This prevents the unauthorized disclosure of information about the entire processing chain or the data contained within.

☒ Answer B is incorrect because least privilege states that each individual should only have as much system access as they require to perform their job duties. Answer C is incorrect because change control helps ensure that system changes do not impact operational systems or other components. Answer D is incorrect because account tracking is used to ensure that all accounts issued on the system are correct and that they are removed once the employee leaves the organization.



SSCP Systems Security Certified Practitioner Study Guide
SSCP Study Guide and DVD Training System
ISBN: 1931836809
Year: 2003
Pages: 135
