SSCP Notes

Question 0

What is AIC security triad?

Answer 0

Availability, Integrity, and Confidentiality

Question 1

Three primary goals of Information Security?

Answer 1

• Preventing loss of availability
• The loss of integrity
• The loss of confidentiality for systems and data

Question 2

Organization protect against loss of availability using?

Answer 2

• Backups
• Redundant disks
• Redundant servers
• Redundant connections
• redundant sites

Question 3

Redundant sites are know as:

Answer 3

• Hot site - Ready at a moments notice
• Cold site - An empty building with electricity, and running water
• Warm site - a cross between a cold site and hot site.

Question 4

Fault-tolerant and redundant technologies ensure

Answer 4

that availability is not lost even if a system suffers a failure.

Question 5

Integrity

Answer 5

Prevents any unauthorized or unwanted modification of data. It ensures that data is correct and current.

Question 6

A hash

Answer 6

is simply a number created by performing a mathematical algorithm against a file or message. As long as the the file or message stay the same, the hash (the number) will always be the same.

Question 7

Message Digest version 5 (MD5)

Answer 7

Is a commonly used hashing algorithm. It creates a fixed-size 128-bit number (represented as 32 hexadecimal characters) from any message or file.

Question 8

An audit log

Answer 8

Tracks changes to a resource, including what was changed, who changed it, and when. This creates an audit trail.

Question 9

You protect against the loss of confidentiality by

Answer 9

Ensuring that data is not disclosed to unauthorized users.

Question 10

Access controls

Answer 10

Are implemented to control or restrict access to resources.

Question 11

Encryption

Answer 11

Provides another layer of protection for confidentiality.

Question 12

Confidentiality

Answer 12

Works when secure encryption algorithms are implemented and sound security practice are followed.

Question 13

Security controls

Answer 13

Attempt to reduce risk by either reducing vulnerabilities or the impact of a threat.

Question 14

One benefit of of a defense-in-depth strategy

Answer 14

That even if a single control fails, other controls still provided protection.

Question 15

A defense-in depth strategy

Answer 15

Provides a layered approached to security.

Question 16

The AAA of security

Answer 16

Authentication - system verifies the credentials.

Authorization - Based on who the user is, authorization is granted to different resources.

Accounting Logging tracks activity of a user through monitoring. Audit logs create an audit trail.

Question 17

If a system can identify individual users, track their actions, and monitor their behavior, It provides

Answer 17

Accountability.

Question 18

Nonrepudiation

Answer 18

Ensures that a party cannot believably deny (or repudiate) taking an action. Nonrepudiation is enforced through audit logging and with digital signatures.

Question 19

The principle of least privilege

Answer 19

This means that you grant users access to what they need to perform their job, and no more.

Question 20

Separation of duties

Answer 20

It ensures that no single person has complete control over a process. It significantly reduces the risk of fraud within an organization.

Question 21

Many companies also use ________ and __________ to reduce the risk of collusion.

Answer 21

Job rotation and Mandatory vacations.

Question 22

Due Diligence

Answer 22

Refers to the investigative steps that an organization takes prior to taking on something new, such as signing a contract or making a major purchase. An organization has an obligation to exercise due diligence to discover risks associated with large purchases.

Question 23

Due Care

Answer 23

is the practice of implementing security policies and practices to protect resources. It ensures that a certain level of protection is applied to protect against losses from known risks.

Question 24

Management decides what risks to mitigate, and the risk that remain is

Answer 24

Residual risk.

Question 25

Organizations have a requirement to exercise due care to protect

Answer 25

PII.

Question 26

Identifcation

Answer 26

Occurs when a user professes, or claim, an identity by presenting the identity to a system.

Question 27

Authentication

Answer 27

Is the process of a user proving an identity that he or she has claimed.

Question 28

Identification and Authentication

Answer 28

Are the two primary controls used by most access control systems.

Question 29

Three Factors of Authentication

Answer 29

• Something you know
• Something you have
• something you are

Question 30

Something you know

Answer 30

This includes knowledge, such as passwords, personal Identification numbers (PINs), your mother’s maiden name, or even personal information such as the name of your first pet.

Question 31

Something you have

Answer 31

This includes items such as proximity cards, smart cards, hardware tokens, and identification badges.

Question 32

Something you are

Answer 32

This includes the use of biometrics to authenticate an individual based on fingerprints, retina scans, and other facial characteristics, keystroke dynamics, and hadwriting.

Question 33

A password Audit

Answer 33

Ensures that passwords are strong (never blank), are of a minimum length, and have been changed within a given period of time. (such as 90 days).

Question 34

A password policy

Answer 34

Often identifies requirements for strong passwords, the minimum amount of time before a password should be changed, and how passwords are audited.

Question 35

A proximity card

Answer 35

includes data electronically embedded within the card.

Question 36

Requiring something you have (the smart card) with somnething you know (the pin)is

Answer 36

Two-factor Authentication (or multifactor authentication) and is more secure than just one or the other.

Question 37

Something you are

Answer 37

Fingerprints, Retinal and iris scans, Face recognition,Voice Recognition, Keystroke dynamics and Handwriting analysis.

Question 38

False Reject Rate (FRR)

Answer 38

Also called type 1 error, refers to the percentage of times a biometric system falsely rejects a known user and instead indicates.

Question 39

False accept Rate (FAR) (also called type 2 error) refers to

Answer 39

the percentage of times a biometric system falsely identifies an unknown user as a know user.

Question 40

Crossover Error Rate (CER)

Answer 40

The CER identifies the point where the FAR and FRR of a biometric system are equal or cross over each on the chart. A lower CER indicates a better-performing biometric system.

Question 41

Systems with Low CERs are more accurate than systems with high

Answer 41

CERs

Question 42

When two factors are require, it’s also called

Answer 42

Two-factor authentication. Multifactor authentication is more secure than any single authentication type used by itself.

Question 43

Single sign-on (SSO)

Answer 43

A user authenticates once and then the system uses the same credentials when the user accesses any resource in the organization. Some example of SSO included Kerberos and federated access system.

Question 44

Kerberos

Answer 44

Is a vendor-neutral authentication protocol. It uses a complex process of issuing tickets to authenticated accounts and then uses the tickets to access resources. Kerberos uses symmetric encryption to protect the confidentiality of the Kerberos transmission.

Question 45

Since the Kerberos server issues different types of tickets used for authentication, it is also known as a

Answer 45

ticket-granting server.

Question 46

Identification

Answer 46

Occurs when a user professes, or claims, an identify, or claims, an identity by presenting the identity to a system

Question 47

Authentication

Answer 47

Is the process of a user proving an identity that he or she has claimed.

Question 48

Identification and authentication

Answer 48

Are the two primary controls use by most access control systems.

Question 49

Kerberos requires a database of accounts and time synchronization for all systems. It uses symmetric encryption to encrypt tickets in a secure format between systems.

Answer 49

The Kerberos Authentication server and ticket granting server can be single server performing two functions or two server.

Question 50

Federated access

Answer 50

Provides SSO to different operating systems or network. A federated databased provides central central SSO authentication.

Question 51

Secure European system for applications in a multivendor Environment (SESAME)

Answer 51

It is used in European countries and is an alternative to Kerberos.

Question 52

KryptoKnight

Answer 52

IBM created KryptoKnight as an alternative to Kerberos. It does not have has a much network overhead as Kerberos.

Question 53

Kerberos, SESAME, and KryptoKnight

Answer 53

Each provide SSO capabilities. With SSO, users only have to log on once and then use the same credentials to access multiple resources.

Question 54

Offline Authentication

Answer 54

Allows users who have logged in to the system at one time to still log in even when they are disconnected from a network.

Question 55

One-time Passwords

Answer 55

are passwords created to be used only once.

Question 56

One-time passwords

Answer 56

Are especially useful when passwords are transmitted across untrusted networks such as the internet.

Question 57

Token-based Passwords

Answer 57

Is an example of a one-time password.

Question 58

Because the token is synchronized with a server based on time

Answer 58

It is a synchronous one-time password.

Question 59

Multifactor authentication

Answer 59

The user must have something and know something.

Question 60

OPIE

Answer 60

Is based on S/Key, one-time password system used on some unix systems. The goal of both OPIE and S/Key

Question 61

OPIE is based on S/Key

Answer 61

A one-time password system used on some unix systems.

Question 62

The goal of of both OPIE and S/Key

Answer 62

Is to generate a password known to both a client and server and used in a single session.

Question 63

Access Control

Answer 63

Provides A mechanism to restrict or control access to Resources.

Question 64

Subject

Answer 64

Access a Resourse

Question 65

Logical Access Control

Answer 65

Are those that are implemented with technologies and often use Access control list (ACL).

Question 66

Security Kernel

Answer 66

Is the central part of the operating systems that controls access to the system’s resources.

Question 67

In the DAC model

Answer 67

Users have ownership of the data and can exercise full control over it, including assigning permissions to others.