SSCP

Back to exams page.

Take our SSCP training course here.

1. Who developed one of the first mathematical models of a multilevel-security computer system?

a) Diffie and Hellman

b) Clark and Wilson

c) Bell and LaPadula

d) Gasser and Lipner

Question 1 of 50

2. Which of the following attacks could capture network user passwords?

a) Data diddling

b) Sniffing

c) IP Spoofing

d) Smurfing

Question 2 of 50

3. Examples of types of physical access controls include all EXCEPT which of the following?

a) Badges

b) Locks

c) Guards

d) Passwords

Question 3 of 50

4. Which is the last line of defense in a physical security sense?

a) People

b) Interior barriers

c) Exterior barriers

d) Perimeter barriers

Question 4 of 50

5. The end result of implementing the principle of least privilege means which of the following?

a) Users would get access to only the info for which they have a need to know

b) Users can access all systems

c) Users get new privileges added when they change positions

d) Authorization creep

Question 5 of 50

6. Which of the following is the most reliable, secure means of removing data from magnetic storage media such as a magnetic tape, or a cassette?

a) Degaussing

b) Parity Bit Manipulation

c) Zeroization

d) Buffer overflow

Question 6 of 50

7. Which of the following is true of two-factor authentication?

a) It uses the RSA public-key signature based on integers with large prime factors

b) It requires two measurements of hand geometry

c) It does not use single sign-on technology

d) It relies on two independent proofs of identity

Question 7 of 50

8. The primary service provided by Kerberos is which of the following?

a) Non-repudiation

b) Confidentiality

c) Authentication

d) Authorization

Question 8 of 50

9. In which of the following model are Subjects and Objects identified and the permissions applied to each subject/object combination are specified? Such a model can be used to quickly summarize what permissions a subject has for various system objects.

a) Access Control Matrix model

b) Take-Grant model

c) Bell-LaPadula model

d) Biba model

Question 9 of 50

10. Which of the following was developed to address some of the weaknesses in Kerberos and uses public key cryptography for the distribution of secret keys and provides additional access control support?

a) SESAME

b) RADIUS

c) KryptoKnight

d) TACACS+

Question 10 of 50

11. Single Sign-on (SSO) is characterized by which of the following advantages?

a) Convenience

b) Convenience and centralized administration

c) Convenience and centralized data administration

d) Convenience and centralized network administration

Question 11 of 50

12. What kind of certificate is used to validate a user identity?

a) Public key certificate

b) Attribute certificate

c) Root certificate

d) Code signing certificate

Question 12 of 50

13. Which of the following is not a physical control for physical security?

a) Lighting

b) Fences

c) Training

d) Facility construction materials

Question 13 of 50

14. Controlling access to information systems and associated networks is necessary for the preservation of their:

a) Authenticity, confidentiality and availability

b) Authenticity, confidentiality and availability

c) Integrity and availability

d) Authenticity,confidentiality, integrity and availability

Question 14 of 50

15. Controls like guards and general steps to maintain building security, securing of server rooms or laptops, the protection of cables, and usage of magnetic switches on doors and windows are some of the examples of:

a) Administrative controls

b) Logical controls

c) Technical controls

d) Physical controls

Question 15 of 50

16. To control access by a subject (an active entity such as individual or process) to an object (a passive entity such as a file) involves setting up:

a) Access Rules

b) Access Matrix

c) Identification controls

d) Access terminal

Question 16 of 50

17. Which access control type has a central authority that determine to what objects the subjects have access to and it is based on role or on the organizational security policy?

a) Mandatory Access Control

b) Discretionary Access Control

c) Non-Discretionary Access Control

d) Rule-based Access control

Question 17 of 50

18. What is called the type of access control where there are pairs of elements that have the least upper bound of values and greatest lower bound of values?

a) Mandatory model

b) Discretionary model

c) Lattice model

d) Rule model

Question 18 of 50

19. Technical controls such as encryption and access control can be built into the operating system, be software applications, or can be supplemental hardware/ software units. Such controls, also known as logical controls, represent which pairing?

a) Preventive/Administrative Pairing

b) Preventive/Technical Pairing

c) Preventive/Physical Pairing

d) Detective/Technical Pairing

Question 19 of 50

20. What is called the use of technologies such as fingerprint, retina, and iris scans to authenticate the individuals requesting access to resources?

a) Micrometrics

b) Macrometrics

c) Biometrics

d) MicroBiometrics

Question 20 of 50

21. What are called user interfaces that limit the functions that can be selected by a user?

a) Constrained user interfaces

b) Limited user interfaces

c) Mini user interfaces

d) Unlimited user interfaces

Question 21 of 50

22. The control measures that are intended to reveal the violations of security policy using software and hardware are associated with:

a) The control measures that are intended to reveal the violations of security policy using software and hardware are associated with:

b) Detective/technical

c) Detective/physical

d) Detective/administrative

Question 22 of 50

23. The controls that usually require a human to evaluate the input from sensors or cameras to determine if a real threat exists are associated with:

a) Preventive/physical

b) Detective/technical

c) Detective/physical

d) Detective/administrative

Question 23 of 50

24. What is called the act of a user professing an identity to a system, usually in the form of a log-on ID?

a) Authentication

b) Identification

c) Authorization

d) Confidentiality

Question 24 of 50

25. What is called the verification that the user's claimed identity is valid and is usually implemented through a user password at log-on time?

a) Authentication

b) Identification

c) Integrity

d) Confidentiality

Question 25 of 50

26. Which one of the following factors is NOT one on which Authentication is based?

a) Type 1. Something you know, such as a PIN or password

b) Type 2. Something you have, such as an ATM card or smart card

c) Type 3. Something you are (based upon one or more intrinsic physical or behavioral traits), such as a fingerprint or retina scan

d) Type 4. Something you are, such as a system administrator or security administrator

Question 26 of 50

27. Which type of password provides maximum security because a new password is required for each new log-on?

a) One-time or dynamic password

b) Cognitive password

c) Static password

d) Passphrase

Question 27 of 50

28. What is called a sequence of characters that is usually longer than the allotted number for a password?

a) Passphrase

b) Cognitive phrase

c) Anticipated phrase

d) Real phrase

Question 28 of 50

29. Which of the following choices describe a Challenge-response tokens generation?

a) A workstation or system that generates a random challenge string that the user enters into the token when prompted along with the proper PIN

b) A workstation or system that generates a random login id that the user enters when prompted along with the proper PIN

c) A special hardware device that is used to generate random text in a cryptography system

d) The authentication mechanism in the workstation or system does not determine if the owner should be authenticated

Question 29 of 50

30. What is called the percentage of valid subjects that are falsely rejected by a Biometric Authentication system?

a) False Rejection Rate (FRR) or Type I Error

b) False Acceptance Rate (FAR) or Type II Error

c) Crossover Error Rate (CER)

d) True Rejection Rate (TRR) or Type III Error A

Question 30 of 50

31. Which of the following is a trusted, third party authentication protocol that was developed under Project Athena at MIT?

a) SESAME

b) Kerberos

c) KryptoKnight

d) NetSP

Question 31 of 50

32. Kerberos is vulnerable to replay in which of the following circumstances?

a) When a private key is compromised within an allotted time window

b) When a public key is compromised within an allotted time window

c) When a ticket is compromised within an allotted time window

d) When the KSD is compromised within an allotted time window

Question 32 of 50

33. RADIUS incorporates which of the following services?

a) Authentication server and PIN codes

b) Authentication of clients and static passwords generation

c) Authentication of clients and dynamic passwords generation

d) Authentication server as well as support for Static and Dynamic passwords

Question 33 of 50

34. The Terminal Access Controller Access Control System (TACACS) employs which of the following?

a) A user ID and static password for network access

b) A user ID and dynamic password for network access

c) A user ID and symmetric password for network access

d) A user ID and asymmetric password for network access

Question 34 of 50

35. Which of the following is the FIRST step in protecting data's confidentiality?

a) Install a firewall

b) Implement encryption

c) Identify which information is sensitive

d) Review all user access rights

Question 35 of 50

36. Which of the following is the WEAKEST authentication mechanism?

a) Passphrases

b) Passwords

c) One-time passwords

d) Token devices

Question 36 of 50

37. Which access control model enables the OWNER of the resource to specify what subjects can access specific resources based on their identity?

a) Discretionary Access Control

b) Mandatory Access Control

c) Sensitive Access Control

d) Role-based Access Control

Question 37 of 50

38. Why do buffer overflows happen? What is the main cause?

a) Because buffers can only hold so much data

b) Because of insufficient system memory

c) Because they are an easy weakness to exploit

d) Because of improper parameter checking within the application

Question 38 of 50

39. Which of the following are not Remote Access concerns?

a) Justification for remote access

b) Auditing of activities

c) Regular review of access privileges

d) Access badges

Question 39 of 50

40. Which type of password token involves time synchronization?

a) Static password tokens

b) Synchronous dynamic password tokens

c) Asynchronous dynamic password tokens

d) Challenge-response tokens

Question 40 of 50

41. Which of the following is most affected by denial-of-service (DOS) attacks?

a) Confidentiality

b) Integrity

c) Accountability

d) Availability

Question 41 of 50

42. What refers to legitimate users accessing networked services that would normally be restricted to them?

a) Spoofing

b) Piggybacking

c) Eavesdropping

d) Logon abuse

Question 42 of 50

43. In regards to information classification what is the main responsibility of information (data) owner?

a) Determining the data sensitivity or classification level

b) Running regular data backups

c) Audit the data users

d) Periodically check the validity and accuracy of the data

Question 43 of 50

44. Which of the following is not a two-factor authentication mechanism?

a) Something you have and something you know

b) Something you do and a password

c) A smartcard and something you are

d) Something you know and a password

Question 44 of 50

45. Which of the following would be used to implement Mandatory Access Control (MAC)?

a) Clark-Wilson Access Control

b) Role-based access control

c) Lattice-based access control

d) User dictated access control

Question 45 of 50

46. Which type of attack involves impersonating a user or a system?

a) Smurfing attack

b) Spoofing attack

c) Spamming attack

d) Sniffing attack

Question 46 of 50

47. Which of the following is an example of a passive attack?

a) Denying services to legitimate users

b) Shoulder surfing

c) Brute-force password cracking

d) Smurfing

Question 47 of 50

48. What is the main objective of proper separation of duties?

a) To prevent employees from disclosing sensitive information

b) To ensure access controls are in place

c) To ensure that no single individual can compromise a system

d) To ensure that audit trails are not tampered with

Question 48 of 50

49. In the CIA triad, what does the letter A stand for?

a) Auditability

b) Accountability

c) Availability

d) Authentication

Question 49 of 50

50. Almost all types of detection permit a system's sensitivity to be increased or decreased during an inspection process. If the system's sensitivity is increased, such as in a biometric authentication system, the system becomes increasingly selective and has the possibility of generating:

a) Lower False Rejection Rate (FRR)

b) Higher False Rejection Rate (FRR)

c) Higher False Acceptance Rate (FAR)

d) It will not affect either FAR or FRR

Question 50 of 50

ABOUT US

MOST POPULAR

Members

Newsletter

Secure Site