Читать книгу (ISC)2 SSCP Systems Security Certified Practitioner Official Practice Tests - Mike Chapple - Страница 11

THE SSCP EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:

 Domain 3.0: Risk Identification, Monitoring, and Analysis3.1 Understand the risk management processRisk visibility and reporting (e.g., risk register, sharing threat intelligence/Indicators of Compromise (IOC), Common Vulnerability Scoring System (CVSS))Risk management concepts (e.g., impact assessments, threat modeling)Risk management frameworks (e.g., International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST))Risk tolerance (e.g., appetite)Risk treatment (e.g., accept, transfer, mitigate, avoid, ignore)3.2 Understand legal and regulatory concerns (e.g., jurisdiction, limitations, privacy)3.3 Participate in security assessment and vulnerability management activitiesSecurity testingRisk review (e.g., internal, supplier, architecture)Vulnerability management lifecycle3.4 Operate and monitor security platforms (e.g., continuous monitoring)Source systems (e.g., applications, security appliances, network devices and hosts)Events of interest (e.g., anomalies, intrusions, unauthorized changes, compliance monitoring)Log managementEvent aggregation and correlation3.5 Analyze monitoring resultsSecurity baselines and anomaliesVisualizations, metrics, and trends (e.g., notifications, dashboards, timelines)Event data analysisDocument and communicate findings (e.g., escalation)

1 HAL Systems recently decided to stop offering public NTP services because of a fear that its NTP servers would be used in amplification DDoS attacks. What type of risk management strategy did HAL pursue with respect to its NTP services?Risk mitigationRisk acceptanceRisk transferenceRisk avoidance

2 Tom is responding to a recent security incident and is seeking information on the approval process for a recent modification to a system’s security settings. Where would he most likely find this information?Change logSystem logSecurity logApplication log

3 Alex wants to use an automated tool to fill web application forms to test for format string vulnerabilities. What type of tool should he use?A black boxA brute-force toolA fuzzerA static analysis tool

For questions 4–6, please refer to the following scenario.

Henry is the risk manager for Atwood Landing, a resort community in the midwestern United States. The resort’s main data center is located in northern Indiana in an area that is prone to tornados. Henry recently undertook a replacement cost analysis and determined that rebuilding and reconfiguring the data center would cost $10 million.

Henry consulted with tornado experts, data center specialists, and structural engineers. Together, they determined that a typical tornado would cause approximately $5 million of damage to the facility. The meteorologists determined that Atwood’s facility lies in an area where they are likely to experience a tornado once every 200 years.

1 Based upon the information in this scenario, what is the exposure factor for the effect of a tornado on Atwood Landing’s data center?10 percent25 percent50 percent75 percent

2 Based upon the information in this scenario, what is the annualized rate of occurrence for a tornado at Atwood Landing’s data center?0.00250.0050.010.015

3 Based upon the information in this scenario, what is the annualized loss expectancy for a tornado at Atwood Landing’s data center?$25,000$50,000$250,000$500,000

4 Earlier this year, the information security team at Jim’s employer identified a vulnerability in the web server that Jim is responsible for maintaining. He immediately applied the patch and is sure that it installed properly, but the vulnerability scanner has continued to incorrectly flag the system as vulnerable because of the version number it is finding even though Jim is sure the patch is installed. Which of the following options is Jim’s best choice to deal with the issue?Uninstall and reinstall the patch.Ask the information security team to flag the system as patched and not vulnerable.Update the version information in the web server’s configuration.Review the vulnerability report and use alternate remediation options.

5 Which NIST special publication covers the assessment of security and privacy controls?800-12800-53A800-34800-86

6 Selah’s team is working to persuade their management that their network has extensive vulnerabilities that attackers could exploit. If she wants to conduct a realistic attack as part of a penetration test, what type of penetration test should she conduct?Full knowledgePartial knowledgeZero knowledgeSpecific knowledge

7 Tom enables an application firewall provided by his cloud infrastructure as a service provider that is designed to block many types of application attacks. When viewed from a risk management perspective, what metric is Tom attempting to lower?ImpactRPOMTOLikelihood

8 Jim uses a tool that scans a system for available services and then connects to them to collect banner information to determine what version of the service is running. It then provides a report detailing what it gathers, basing results on service fingerprinting, banner information, and similar details it gathers combined with CVE information. What type of tool is Jim using?A port scannerA service validatorA vulnerability scannerA patch management tool

9 What term describes software testing that is intended to uncover new bugs introduced by patches or configuration changes?Nonregression testingEvolution testingSmoke testingRegression testing

10 Mike recently implemented an intrusion prevention system designed to block common network attacks from affecting his organization. What type of risk management strategy is Mike pursuing?Risk acceptanceRisk avoidanceRisk mitigationRisk transference

11 During a port scan, Lauren found TCP port 443 open on a system. Which tool is best suited to scanning the service that is most likely running on that port?zzufNiktoMetasploitsqlmap

12 When developing a business impact analysis, the team should first create a list of assets. What should happen next?Identify vulnerabilities in each asset.Determine the risks facing the asset.Develop a value for each asset.Identify threats facing each asset.

13 In this image, what issue may occur because of the log handling settings?Log data may be lost when the log is archived.Log data may be overwritten.Log data may not include needed information.Log data may fill the system disk.

14 What message logging standard is commonly used by network devices, Linux and Unix systems, and many other enterprise devices?SyslogNetlogEventlogRemote Log Protocol (RLP)

15 Ryan is a security risk analyst for an insurance company. He is currently examining a scenario in which a malicious hacker might use a SQL injection attack to deface a web server because of a missing patch in the company’s web application. In this scenario, what is the threat?Unpatched web applicationWeb defacementMalicious hackerOperating system

16 Chris is responsible for his organization’s security standards and has guided the selection and implementation of a security baseline for Windows PCs in his organization. How can Chris most effectively make sure that the workstations he is responsible for are being checked for compliance and that settings are being applied as necessary?Assign users to spot-check baseline compliance.Use Microsoft Group Policy.Create startup scripts to apply policy at system start.Periodically review the baselines with the data owner and system owners.

For questions 20–22, please refer to the following scenario.

The company that Jennifer works for has implemented a central logging infrastructure, as shown in the following image. Use this diagram and your knowledge of logging systems to answer the following questions.

1 Jennifer needs to ensure that all Windows systems provide identical logging information to the SIEM. How can she best ensure that all Windows desktops have the same log settings?Perform periodic configuration audits.Use Group Policy.Use Local Policy.Deploy a Windows syslog client.

2 During normal operations, Jennifer’s team uses the SIEM appliance to monitor for exceptions received via syslog. What system shown does not natively have support for syslog events?Enterprise wireless access pointsWindows desktop systemsLinux web serversEnterprise firewall devices

3 What technology should an organization use for each of the devices shown in the diagram to ensure that logs can be time sequenced across the entire infrastructure?SyslogNTPLogsyncSNAP

4 Susan needs to predict high-risk areas for her organization and wants to use metrics to assess risk trends as they occur. What should she do to handle this?Perform yearly risk assessments.Hire a penetration testing company to regularly test organizational security.Identify and track key risk indicators.Monitor logs and events using a SIEM device.

5 Tom is considering locating a business in the downtown area of Miami, Florida. He consults the FEMA flood plain map for the region, shown here, and determines that the area he is considering lies within a 100-year flood plain.What is the ARO of a flood in this area?10010.10.01

6 Which of the following strategies is not a reasonable approach for remediating a vulnerability identified by a vulnerability scanner?Install a patch.Use a workaround fix.Update the banner or version number.Use an application layer firewall or IPS to prevent attacks against the identified vulnerability.

7 Bruce is seeing quite a bit of suspicious activity on his network. It appears that an outside entity is attempting to connect to all of his systems using a TCP connection on port 22. What type of scanning is the outsider likely engaging in?FTP scanningTelnet scanningSSH scanningHTTP scanning

8 Jim would like to identify compromised systems on his network that may be participating in a botnet. He plans to do this by watching for connections made to known command-and-control servers. Which one of the following techniques would be most likely to provide this information if Jim has access to a list of known servers?Netflow recordsIDS logsAuthentication logsRFC logs

9 Susan needs to scan a system for vulnerabilities, and she wants to use an open source tool to test the system remotely. Which of the following tools will meet her requirements and allow vulnerability scanning?NmapOpenVASMBSANessus

10 Jim is designing his organization’s log management systems and knows that he needs to carefully plan to handle the organization’s log data. Which of the following is not a factor that Jim should be concerned with?The volume of log dataA lack of sufficient log sourcesData storage security requirementsNetwork bandwidth

Kara used nmap to perform a scan of a system under her control and received the results shown here. Refer to these results to answer questions 30 and 31.

1 If Kara’s primary concern is preventing eavesdropping attacks, which port should she block?22804431433

2 If Kara’s primary concern is preventing administrative connections to the server, which port should she block?22804431433

3 During a port scan, Susan discovers a system running services on TCP and UDP 137-139 and TCP 445, as well as TCP 1433. What type of system is she likely to find if she connects to the machine?A Linux email serverA Windows SQL serverA Linux file serverA Windows workstation

4 After conducting a qualitative risk assessment of her organization, Sally recommends purchasing cybersecurity breach insurance. What type of risk response behavior is she recommending?AcceptTransferReduceReject

5 What is the best way to provide accountability for the use of identities?LoggingAuthorizationDigital signaturesType 1 authentication

6 Robin recently conducted a vulnerability scan and found a critical vulnerability on a server that handles sensitive information. What should Robin do next?PatchingReportingRemediationValidation

7 Rolando is a risk manager with a large-scale enterprise. The firm recently evaluated the risk of California mudslides on its operations in the region and determined that the cost of responding outweighed the benefits of any controls it could implement. The company chose to take no action at this time. What risk management strategy did Rolando’s organization pursue?Risk avoidanceRisk mitigationRisk transferenceRisk acceptance

8 During a log review, Danielle discovers a series of logs that show login failures.Jan 31 11:39:12 ip-10-0-0-2 sshd[29092]: Invalid user admin from remotehost passwd=aaaaaaaa Jan 31 11:39:20 ip-10-0-0-2 sshd[29098]: Invalid user admin from remotehost passwd=aaaaaaab Jan 31 11:39:23 ip-10-0-0-2 sshd[29100]: Invalid user admin from remotehost passwd=aaaaaaac Jan 31 11:39:31 ip-10-0-0-2 sshd[29106]: Invalid user admin from remotehost passwd=aaaaaaad Jan 31 20:40:53 ip-10-0-0-254 sshd[30520]: Invalid user admin from remotehost passwd=aaaaaaaeWhat type of attack has Danielle discovered?A pass-the-hash attackA brute-force attackA man-in-the-middle attackA dictionary attack

9 During a third-party audit, Jim’s company receives a finding that states, “The administrator should review backup success and failure logs on a daily basis, and take action in a timely manner to resolve reported exceptions.” What is the biggest issue that is likely to result if Jim’s IT staff need to restore from a backup?They will not know if the backups succeeded or failed.The backups may not be properly logged.The backups may not be usable.The backup logs may not be properly reviewed.

For questions 39–41, please refer to the following scenario.

Ben’s organization has begun to use STRIDE to assess its software and has identified threat agents and the business impacts that these threats could have. Now they are working to identify appropriate controls for the issues they have identified.

1 Ben’s development team needs to address an authorization issue, resulting in an elevation of privilege threat. Which of the following controls is most appropriate to this type of issue?Auditing and logging are enabled.Role-based access control is used for specific operations.Data type and format checks are enabled.User input is tested against a whitelist.

2 Ben’s team is attempting to categorize a transaction identification issue that is caused by use of a symmetric key shared by multiple servers. What STRIDE category should this fall into?Information disclosureDenial of serviceTamperingRepudiation

3 Ben wants to prevent or detect tampering with data. Which of the following is not an appropriate solution?HashesDigital signaturesFilteringAuthorization controls

4 During a port scan of his network, Alex finds that a number of hosts respond on TCP ports 80, 443, 515, and 9100 in offices throughout his organization. What type of devices is Alex likely discovering?Web serversFile serversWireless access pointsPrinters

5 Alan is performing threat modeling and decides that it would be useful to decompose the system into the key elements shown here. What tool is he using?Image reprinted from CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, 7th Edition © John Wiley & Sons 2015, reprinted with permission.Vulnerability assessmentFuzzingReduction analysisData modeling

6 Which of the following is not a hazard associated with penetration testing?Application crashesDenial of serviceExploitation of vulnerabilitiesData corruption

7 Nmap is an example of what type of tool?Vulnerability scannerWeb application fuzzerNetwork design and layoutPort scanner

8 Which of the following is a method used to design new software tests and to ensure the quality of tests?Code auditingStatic code analysisRegression testingMutation testing

9 When a Windows system is rebooted, what type of log is generated?ErrorWarningInformationFailure audit

10 What is the first step that should occur before a penetration test is performed?Data gatheringPort scanningGetting permissionPlanning

11 Bobbi is investigating a security incident and discovers that an attacker began with a normal user account but managed to exploit a system vulnerability to provide that account with administrative rights. What type of attack took place under the STRIDE threat model?SpoofingRepudiationTamperingElevation of privilege

For questions 50–53, please refer to the following scenario.

Ann is a security professional for a midsize business and typically handles log analysis and security monitoring tasks for her organization. One of her roles is to monitor alerts originating from the organization’s intrusion detection system. The system typically generates several dozen alerts each day, and many of those alerts turn out to be false alarms after her investigation.

This morning, the intrusion detection system alerted because the network began to receive an unusually high volume of inbound traffic. Ann received this alert and began looking into the origin of the traffic.

1 At this point in the incident response process, what term best describes what has occurred in Ann’s organization?Security occurrenceSecurity incidentSecurity eventSecurity intrusion

2 Ann continues her investigation and realizes that the traffic generating the alert is abnormally high volumes of inbound UDP traffic on port 53. What service typically uses this port?DNSSSH/SCPSSL/TLSHTTP

3 As Ann analyzes the traffic further, she realizes that the traffic is coming from many different sources and has overwhelmed the network, preventing legitimate uses. The inbound packets are responses to queries that she does not see in outbound traffic. The responses are abnormally large for their type. What type of attack should Ann suspect?ReconnaissanceMalicious codeSystem penetrationDenial of service

4 Now that Ann understands that an attack has taken place that violates her organization’s security policy, what term best describes what has occurred in Ann’s organization?Security occurrenceSecurity incidentSecurity eventSecurity intrusion

5 During a log review, Saria discovers a series of logs that show login failures, as shown here:Jan 31 11:39:12 ip-10-0-0-2 sshd[29092]: Invalid user admin from remotehost passwd=orange Jan 31 11:39:20 ip-10-0-0-2 sshd[29098]: Invalid user admin from remotehost passwd=Orang3 Jan 31 11:39:23 ip-10-0-0-2 sshd[29100]: Invalid user admin from remotehost passwd=Orange93 Jan 31 11:39:31 ip-10-0-0-2 sshd[29106]: Invalid user admin from remotehost passwd=Orangutan1 Jan 31 20:40:53 ip-10-0-0-254 sshd[30520]: Invalid user admin from remotehost passwd=OrangemonkeyWhat type of attack has Saria discovered?A brute-force attackA man-in-the-middle attackA dictionary attackA rainbow table attack

6 Ben is seeking a control objective framework that is widely accepted around the world and focuses specifically on information security controls. Which one of the following frameworks would best meet his needs?ITILISO 27002CMMPMBOK Guide

7 Alex is using nmap to perform port scanning of a system, and he receives three different port status messages in the results. Match each of the numbered status messages with the appropriate lettered description. You should use each item exactly once.Status messageOpenClosedFilteredDescriptionThe port is accessible on the remote system, but no application is accepting connections on that port.The port is not accessible on the remote system.The port is accessible on the remote system, and an application is accepting connections on that port.

8 Tony is developing a business continuity plan and is having difficulty prioritizing resources because of the difficulty of combining information about tangible and intangible assets. What would be the most effective risk assessment approach for him to use?Quantitative risk assessmentQualitative risk assessmentNeither quantitative nor qualitative risk assessmentCombination of quantitative and qualitative risk assessment

9 Angela wants to test a web browser’s handling of unexpected data using an automated tool. What tool should she choose?NmapzzufNessusNikto

10 Saria wants to log and review traffic information between parts of her network. What type of network logging should she enable on her routers to allow her to perform this analysis?Audit loggingFlow loggingTrace loggingRoute logging

11 Jim is working with a penetration testing contractor who proposes using Metasploit as part of her penetration testing effort. What should Jim expect to occur when Metasploit is used?Systems will be scanned for vulnerabilities.Systems will have known vulnerabilities exploited.Services will be probed for buffer overflow and other unknown flaws.Systems will be tested for zero-day exploits.

12 You are completing your business continuity planning effort and have decided that you wish to accept one of the risks. What should you do next?Implement new security controls to reduce the risk level.Design a disaster recovery plan.Repeat the business impact assessment.Document your decision-making process.

For questions 62–64, please refer to the following scenario. During a port scan, Ben uses nmap’s default settings and sees the following results.

1 If Ben is conducting a penetration test, what should his next step be after receiving these results?Connect to the web server using a web browser.Connect via Telnet to test for vulnerable accounts.Identify interesting ports for further scanning.Use sqlmap against the open databases.

2 Based on the scan results, what operating system (OS) was the system that was scanned most likely running?Windows DesktopLinuxNetwork deviceWindows Server

3 Ben’s manager expresses concern about the coverage of his scan. Why might his manager have this concern?Ben did not test UDP services.Ben did not discover ports outside the “well-known ports.”Ben did not perform OS fingerprinting.Ben tested only a limited number of ports.

4 What is the formula used to determine risk?Risk = Threat * VulnerabilityRisk = Threat / VulnerabilityRisk = Asset * ThreatRisk = Asset / Threat

5 A zero-day vulnerability is announced for the popular Apache web server in the middle of a workday. In Jacob’s role as an information security analyst, he needs to quickly scan his network to determine what servers are vulnerable to the issue. What is Jacob’s best route to quickly identify vulnerable systems?Immediately run Nessus against all of the servers to identify which systems are vulnerable.Review the CVE database to find the vulnerability information and patch information.Create a custom IDS or IPS signature.Identify affected versions and check systems for that version number using an automated scanner.

6 During a review of access logs, Alex notices that Danielle logged into her workstation in New York at 8 a.m. daily but that she was recorded as logging into her department’s main web application shortly after 3 a.m. daily. What common logging issue has Alex likely encountered?Inconsistent log formattingModified logsInconsistent timestampsMultiple log sources

7 What is the final step of a quantitative risk analysis?Determine asset value.Assess the annualized rate of occurrence.Derive the annualized loss expectancy.Conduct a cost/benefit analysis.

8 Carrie is analyzing the application logs for her web-based application and comes across the following string:../../../../../../../../../etc/passwdWhat type of attack was likely attempted against Carrie’s application?Command injectionSession hijackingDirectory traversalBrute force

9 Allie is responsible for reviewing authentication logs on her organization’s network. She does not have the time to review all logs, so she decides to choose only records where there have been four or more invalid authentication attempts. What technique is Allie using to reduce the size of the pool?SamplingRandom selectionClippingStatistical analysis

10 Isaac wants to be able to describe the severity of a vulnerability to his team. What standard could he use to easily describe vulnerabilities using a numerical score?CVSSATT&CKMITRESAML

11 Which type of business impact assessment tool is most appropriate when attempting to evaluate the impact of a failure on customer confidence?QuantitativeQualitativeAnnualized loss expectancyReduction

12 What type of vulnerabilities will not be found by a vulnerability scanner?Local vulnerabilitiesService vulnerabilitiesZero-day vulnerabilitiesVulnerabilities that require authentication

13 Which of the following vulnerabilities is unlikely to be found by a web vulnerability scanner?Path disclosureLocal file inclusionRace conditionBuffer overflow

14 Jim has been contracted to conduct a gray box penetration test, and his clients have provided him with the following information about their networks so that he can scan them:Data center: 10.10.10.0/24Sales: 10.10.11.0/24Billing: 10.10.12.0/24Wireless: 192.168.0.0/16What problem will Jim encounter if he is contracted to conduct a scan from offsite?The IP ranges are too large to scan efficiently.The IP addresses provided cannot be scanned.The IP ranges overlap and will cause scanning issues.The IP addresses provided are RFC 1918 addresses.

15 Naomi wants to put a system in place that will allow her team to aggregate and correlate event information from a variety of systems and devices in her organization. She then wants to automate the investigation process using workflows with the correlated data. What type of system should she put in place?A NASAn IPSA SOARAn MDR

16 Murali wants to determine if SQL injection attacks are being attempted against his web application. Which of the following potential source systems will not be useful when identifying SQL injection?Application logsWAF logsNetwork switch logsDatabase logs

17 Li has completed the discovery of assets across her organization’s network. What is the most likely next step in her vulnerability management lifecycle?Prioritizing the assetsApplying patches to any vulnerable systemsTesting the vulnerabilities using proof-of-concept exploitsIdentifying all vulnerabilities that have not been patched since the last scan

18 Diego’s organization has applied controls to all risks that it has prioritized. It would not be cost effective to remediate or prevent the remaining risks, and he needs to determine what to do with them. What risk response option is most appropriate to this scenario?Transferring the risksIgnoring the risksReviewing for possible new mitigationsAccepting the risks

19 Kathleen’s organization has a mature risk assessment process with strong sponsorship from leadership, but also has very low tolerance for risk. Which of the following is most likely to be true about their process for handling risks?They are likely to accept many risks.They are likely to spend resources to mitigate as many risks as possible.They are likely to ignore as many risks as possible.They are likely to spend as few resources as possible to mitigate risks.

20 Megan is reviewing her organization’s risks and identifies a single point of failure due to the fiber-optic cable connection to a local fiber ring that her organization built and maintains. What type of risk does this describe?An intrinsic riskAn architecture riskA supplier riskA contractual risk

21 Unusual outbound network traffic, irregularities in geographic or time-based login information, privileged users account activity changes, and unexpected traffic on nonstandard ports are all common examples of what?Vulnerability scanning artifactsSQL injection log entriesIndicators of CompromiseKey performance indicators

22 Susan wants to use her SIEM to deliver notifications when events occur. Which of the following should she ensure is set to prevent responders from ignoring the notifications?An automated daily email with dashboard informationA required login when notifications are sentAutomated timeline creation for incident dataAppropriate thresholds for notification