SSCP

1. Who developed one of the first mathematical models of a multilevel-security computer system?
a) Diffie and Hellman
b) Clark and Wilson
c) Bell and LaPadula
d) Gasser and Lipner

2. Which of the following attacks could capture network user passwords?
a) Data diddling
b) Sniffing
c) IP spoofing
d) Smurfing

3. Examples of types of physical access controls include all EXCEPT which of the following?
a) Badges
b) Locks
c) Guards
d) Passwords

4. Which is the last line of defense in a physical security sense?
a) People
b) Interior barriers
c) Exterior barriers
d) Perimeter barriers

5. The end result of implementing the principle of least privilege is which of the following?
a) Users get access to only the information for which they have a need to know
b) Users can access all systems
c) Users get new privileges added when they change positions
d) Authorization creep

6. Which of the following is the most reliable, secure means of removing data from magnetic storage media such as a magnetic tape or a cassette?
a) Degaussing
b) Parity bit manipulation
c) Zeroization
d) Buffer overflow

7. Which of the following is true of two-factor authentication?
a) It uses the RSA public-key signature based on integers with large prime factors
b) It requires two measurements of hand geometry
c) It does not use single sign-on technology
d) It relies on two independent proofs of identity

8. The primary service provided by Kerberos is which of the following?
a) Non-repudiation
b) Confidentiality
c) Authentication
d) Authorization

9. In which of the following models are subjects and objects identified and the permissions applied to each subject/object combination specified? Such a model can be used to quickly summarize what permissions a subject has for various system objects.
a) Access Control Matrix model
b) Take-Grant model
c) Bell-LaPadula model
d) Biba model

10. Which of the following was developed to address some of the weaknesses in Kerberos, uses public key cryptography for the distribution of secret keys, and provides additional access control support?
a) SESAME
b) RADIUS
c) KryptoKnight
d) TACACS+

11. Single Sign-On (SSO) is characterized by which of the following advantages?
a) Convenience
b) Convenience and centralized administration
c) Convenience and centralized data administration
d) Convenience and centralized network administration

12. What kind of certificate is used to validate a user identity?
a) Public key certificate
b) Attribute certificate
c) Root certificate
d) Code signing certificate

13. Which of the following is not a physical control for physical security?
a) Lighting
b) Fences
c) Training
d) Facility construction materials

14. Controlling access to information systems and associated networks is necessary for the preservation of their:
a) Authenticity, confidentiality and availability
b) Authenticity, confidentiality and availability
c) Integrity and availability
d) Authenticity, confidentiality, integrity and availability

15. Controls like guards and general steps to maintain building security, securing of server rooms or laptops, the protection of cables, and the use of magnetic switches on doors and windows are examples of:
a) Administrative controls
b) Logical controls
c) Technical controls
d) Physical controls

16. Controlling access by a subject (an active entity such as an individual or process) to an object (a passive entity such as a file) involves setting up:
a) Access rules
b) Access matrix
c) Identification controls
d) Access terminal

17. Which access control type has a central authority that determines to what objects the subjects have access, based on role or on the organizational security policy?
a) Mandatory Access Control
b) Discretionary Access Control
c) Non-Discretionary Access Control
d) Rule-based Access Control

18. What is the type of access control called in which pairs of elements have a least upper bound of values and a greatest lower bound of values?
a) Mandatory model
b) Discretionary model
c) Lattice model
d) Rule model

19. Technical controls such as encryption and access control can be built into the operating system, be software applications, or be supplemental hardware/software units. Such controls, also known as logical controls, represent which pairing?
a) Preventive/Administrative pairing
b) Preventive/Technical pairing
c) Preventive/Physical pairing
d) Detective/Technical pairing

20. What is the use of technologies such as fingerprint, retina, and iris scans to authenticate individuals requesting access to resources called?
a) Micrometrics
b) Macrometrics
c) Biometrics
d) MicroBiometrics

21. What are user interfaces that limit the functions that can be selected by a user called?
a) Constrained user interfaces
b) Limited user interfaces
c) Mini user interfaces
d) Unlimited user interfaces

22. The control measures that are intended to reveal violations of security policy using software and hardware are associated with:
a) The control measures that are intended to reveal the violations of security policy using software and hardware are associated with:
b) Detective/technical
c) Detective/physical
d) Detective/administrative

23. The controls that usually require a human to evaluate the input from sensors or cameras to determine if a real threat exists are associated with:
a) Preventive/physical
b) Detective/technical
c) Detective/physical
d) Detective/administrative

24. What is the act of a user professing an identity to a system, usually in the form of a log-on ID, called?
a) Authentication
b) Identification
c) Authorization
d) Confidentiality

25. What is the verification that the user's claimed identity is valid, usually implemented through a user password at log-on time, called?
a) Authentication
b) Identification
c) Integrity
d) Confidentiality

26. Which one of the following factors is NOT one on which authentication is based?
a) Type 1: Something you know, such as a PIN or password
b) Type 2: Something you have, such as an ATM card or smart card
c) Type 3: Something you are (based upon one or more intrinsic physical or behavioral traits), such as a fingerprint or retina scan
d) Type 4: Something you are, such as a system administrator or security administrator

27. Which type of password provides maximum security because a new password is required for each new log-on?
a) One-time or dynamic password
b) Cognitive password
c) Static password
d) Passphrase

28. What is a sequence of characters that is usually longer than the allotted number for a password called?
a) Passphrase
b) Cognitive phrase
c) Anticipated phrase
d) Real phrase

29. Which of the following choices describes challenge-response token generation?
a) A workstation or system generates a random challenge string that the user enters into the token when prompted, along with the proper PIN
b) A workstation or system generates a random login ID that the user enters when prompted, along with the proper PIN
c) A special hardware device is used to generate random text in a cryptographic system
d) The authentication mechanism in the workstation or system does not determine if the owner should be authenticated

30. What is the percentage of valid subjects that are falsely rejected by a biometric authentication system called?
a) False Rejection Rate (FRR) or Type I Error
b) False Acceptance Rate (FAR) or Type II Error
c) Crossover Error Rate (CER)
d) True Rejection Rate (TRR) or Type III Error

31. Which of the following is a trusted third-party authentication protocol that was developed under Project Athena at MIT?
a) SESAME
b) Kerberos
c) KryptoKnight
d) NetSP

32. Kerberos is vulnerable to replay in which of the following circumstances?
a) When a private key is compromised within an allotted time window
b) When a public key is compromised within an allotted time window
c) When a ticket is compromised within an allotted time window
d) When the KDC is compromised within an allotted time window

33. RADIUS incorporates which of the following services?
a) Authentication server and PIN codes
b) Authentication of clients and static password generation
c) Authentication of clients and dynamic password generation
d) Authentication server as well as support for static and dynamic passwords

34. The Terminal Access Controller Access Control System (TACACS) employs which of the following?
a) A user ID and static password for network access
b) A user ID and dynamic password for network access
c) A user ID and symmetric password for network access
d) A user ID and asymmetric password for network access

35. Which of the following is the FIRST step in protecting data confidentiality?
a) Install a firewall
b) Implement encryption
c) Identify which information is sensitive
d) Review all user access rights

36. Which of the following is the WEAKEST authentication mechanism?
a) Passphrases
b) Passwords
c) One-time passwords
d) Token devices

37. Which access control model enables the OWNER of the resource to specify which subjects can access specific resources based on their identity?
a) Discretionary Access Control
b) Mandatory Access Control
c) Sensitive Access Control
d) Role-based Access Control

38. Why do buffer overflows happen? What is the main cause?
a) Because buffers can only hold so much data
b) Because of insufficient system memory
c) Because they are an easy weakness to exploit
d) Because of improper parameter checking within the application

39. Which of the following is not a remote access concern?
a) Justification for remote access
b) Auditing of activities
c) Regular review of access privileges
d) Access badges

40. Which type of password token involves time synchronization?
a) Static password tokens
b) Synchronous dynamic password tokens
c) Asynchronous dynamic password tokens
d) Challenge-response tokens

41. Which of the following is most affected by denial-of-service (DoS) attacks?
a) Confidentiality
b) Integrity
c) Accountability
d) Availability

42. What refers to legitimate users accessing networked services that would normally be restricted to them?
a) Spoofing
b) Piggybacking
c) Eavesdropping
d) Logon abuse

43. In regard to information classification, what is the main responsibility of the information (data) owner?
a) Determining the data sensitivity or classification level
b) Running regular data backups
c) Auditing the data users
d) Periodically checking the validity and accuracy of the data

44. Which of the following is not a two-factor authentication mechanism?
a) Something you have and something you know
b) Something you do and a password
c) A smartcard and something you are
d) Something you know and a password

45. Which of the following would be used to implement Mandatory Access Control (MAC)?
a) Clark-Wilson access control
b) Role-based access control
c) Lattice-based access control
d) User-dictated access control

46. Which type of attack involves impersonating a user or a system?
a) Smurfing attack
b) Spoofing attack
c) Spamming attack
d) Sniffing attack

47. Which of the following is an example of a passive attack?
a) Denying services to legitimate users
b) Shoulder surfing
c) Brute-force password cracking
d) Smurfing

48. What is the main objective of proper separation of duties?
a) To prevent employees from disclosing sensitive information
b) To ensure access controls are in place
c) To ensure that no single individual can compromise a system
d) To ensure that audit trails are not tampered with

49. In the CIA triad, what does the letter A stand for?
a) Auditability
b) Accountability
c) Availability
d) Authentication

50. Almost all types of detection permit a system's sensitivity to be increased or decreased during an inspection process. If the system's sensitivity is increased, such as in a biometric authentication system, the system becomes increasingly selective and has the possibility of generating:
a) Lower False Rejection Rate (FRR)
b) Higher False Rejection Rate (FRR)
c) Higher False Acceptance Rate (FAR)
d) It will not affect either FAR or FRR
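Questions 1, 18 and 45 all turn on the same idea: a security lattice of labels in which any two labels have a least upper bound and a greatest lower bound, and a Mandatory Access Control policy (Bell-LaPadula style) decides reads and writes by comparing labels on that lattice. The following is an added worked example, not part of the original quiz; the clearance levels, compartment names and the Bell-LaPadula read-down/write-up rules are assumed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Hypothetical hierarchical levels; only their ordering matters for the lattice.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A security label = hierarchical level + a set of non-hierarchical compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Partial order: level is at least as high AND compartments are a superset.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def lub(a: Label, b: Label) -> Label:
    """Least upper bound: the lowest label that dominates both inputs."""
    level = a.level if LEVELS[a.level] >= LEVELS[b.level] else b.level
    return Label(level, frozenset(a.compartments | b.compartments))


def glb(a: Label, b: Label) -> Label:
    """Greatest lower bound: the highest label that both inputs dominate."""
    level = a.level if LEVELS[a.level] <= LEVELS[b.level] else b.level
    return Label(level, frozenset(a.compartments & b.compartments))


def comparable(a: Label, b: Label) -> bool:
    """Two labels may be incomparable; the lattice still gives them a lub and glb."""
    return a.dominates(b) or b.dominates(a)


# Assumed MAC policy: Bell-LaPadula confidentiality rules over the lattice.
def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: read down (subject must dominate the object)."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property: write up (object must dominate the subject), so no downgrade leaks."""
    return obj.dominates(subject)


if __name__ == "__main__":
    s = Label("SECRET", frozenset({"NUC"}))
    c = Label("CONFIDENTIAL", frozenset({"CRYPTO"}))
    print("comparable:", comparable(s, c))   # False: neither dominates the other
    print("lub:", lub(s, c))                 # SECRET {NUC, CRYPTO}
    print("glb:", glb(s, c))                 # CONFIDENTIAL {}
    print("read:", can_read(s, c), "write:", can_write(s, c))
```

The example shows why MAC is lattice-based rather than a simple ladder: a SECRET/NUC subject and a CONFIDENTIAL/CRYPTO object are incomparable, so the subject can neither read nor write the object even though its level is higher, while the lub and glb still exist and are what a system uses to label data derived from both.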
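Questions 30 and 50 define the biometric error rates and ask what happens to them when the matcher is made more selective. The following is an added worked example, not part of the original quiz: it sweeps a decision threshold over constructed match scores (the score values are invented for illustration, not measurements from any real system), computes FRR (Type I) and FAR (Type II) at each threshold, and locates the Crossover Error Rate where the two are equal.

```python
from typing import List, Tuple

# Constructed similarity scores in [0, 1]: higher means a closer match.
# GENUINE are enrolled users matched against their own template;
# IMPOSTOR are other people matched against that template.
GENUINE = [0.91, 0.88, 0.84, 0.79, 0.76, 0.72, 0.69, 0.65, 0.61, 0.55]
IMPOSTOR = [0.58, 0.52, 0.49, 0.45, 0.41, 0.38, 0.35, 0.31, 0.27, 0.20]


def frr(threshold: float, genuine: List[float] = GENUINE) -> float:
    """False Rejection Rate (Type I): valid subjects whose score falls below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def far(threshold: float, impostor: List[float] = IMPOSTOR) -> float:
    """False Acceptance Rate (Type II): impostors whose score reaches the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def error_rates(threshold: float) -> Tuple[float, float]:
    """Both rates at one operating point, (FRR, FAR)."""
    return frr(threshold), far(threshold)


def crossover(steps: int = 100) -> Tuple[float, float, float]:
    """Crossover Error Rate: the threshold where FRR and FAR are closest (ideally equal).

    Returns (threshold, frr, far). Ties resolve to the lowest threshold.
    """
    candidates = []
    for i in range(steps + 1):
        t = i / steps
        r, a = error_rates(t)
        candidates.append((abs(r - a), t, r, a))
    _, t, r, a = min(candidates)
    return t, r, a


if __name__ == "__main__":
    for t in (0.50, 0.60, 0.70):
        r, a = error_rates(t)
        print(f"threshold={t:.2f}  FRR={r:.1f}  FAR={a:.1f}")
    t, r, a = crossover()
    print(f"CER at threshold={t:.2f}: FRR={r:.1f} FAR={a:.1f}")
```

Raising the threshold from 0.50 to 0.70 on the constructed data drives FAR from 0.2 down to 0.0 while FRR climbs from 0.0 to 0.4, which is the trade-off Question 50 describes: a more selective system rejects more legitimate users. The CER is the usual single-number way to compare two biometric products because it fixes that trade-off at the point where both error types are equal.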