(ISC)2 SSCP Systems Security Certified Practitioner Official Practice Tests
By Mike Chapple and David Seidl
About this ebook
Smarter, faster prep for the SSCP exam
The (ISC)² SSCP Official Practice Tests is the only (ISC)²-endorsed set of practice questions for the Systems Security Certified Practitioner (SSCP). This book’s first seven chapters cover each of the seven domains on the SSCP exam with sixty or more questions per domain, so you can focus your study efforts exactly where you need more review. When you feel well prepared, use the two complete practice exams from Sybex’s online interactive learning environment as time trials to assess your readiness to take the exam.
Coverage of all exam objectives, including:
• Access Controls
• Security Operations and Administration
• Risk Identification, Monitoring, and Analysis
• Incident Response and Recovery
• Cryptography
• Network and Communications Security
• Systems and Application Security
SSCP certification demonstrates you have the advanced technical skills and knowledge to implement, monitor and administer IT infrastructure using security best practices, policies and procedures. It’s ideal for students pursuing cybersecurity degrees as well as those in the field looking to take their careers to the next level.
(ISC)²®
SSCP Systems Security
Certified Practitioner
Official Practice Tests
Mike Chapple
David Seidl
Technical Editor: Scott Pike
Production Manager: Kathleen Wisor
Copy Editor: Kim Wimpsett
Editorial Manager: Pete Gaughan
Associate Publisher: Jim Minatel
Book Designer: Judy Fung and Bill Gibson
Proofreader: Nancy Carrasco
Indexer: Johnna VanHoose Dinse
Project Coordinator, Cover: Brent Savage
Cover Designer: Wiley
Cover Image: ©Jeremy Woodhouse/Getty Images, Inc.
Copyright © 2019 by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-1-119-54305-3
ISBN: 978-1-119-54299-5 (ebk.)
ISBN: 978-1-119-54309-1 (ebk.)
Manufactured in the United States of America
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.
For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.
Library of Congress Control Number: 2018957472
TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. (ISC)² is a registered trademark and SSCP is a registered certification mark of International Information Systems Security Certificate Consortium, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.
Acknowledgments
The authors would like to thank the many people who made this book possible. First, Ricky Chapple and Matthew Chapple provided crucial assistance in formatting and laying out the chapters for this book. Without their help, we would never have completed this project on schedule.
We also owe our thanks to a large supporting team from the publishing world. Jim Minatel at Wiley Publishing helped us extend the Sybex security certification franchise to include this new title and gain important support from the International Information Systems Security Consortium (ISC)². Carole Jelen, our agent, worked on a myriad of logistic details and handled the business side of the book with her usual grace and commitment to excellence. Scott Pike, our technical editor, pointed out many opportunities to improve our work and deliver a high-quality final product. Benji served as the project editor and managed the project smoothly. Many other people we’ll never meet worked behind the scenes to make this book a success.
About the Authors
Mike Chapple, Ph.D., Security+, CISSP, CISA, PenTest+, CySA+, is associate teaching professor of IT, analytics, and operations at the University of Notre Dame. He is also academic director of the university’s master’s program in business analytics.
Mike is a cybersecurity professional with more than 20 years of experience in the field. Prior to his current role, Mike served as the senior director for IT service delivery at Notre Dame, where he oversaw the university’s cybersecurity program, cloud computing efforts, and other areas. Mike also previously served as chief information officer of Brand Institute and an information security researcher with the National Security Agency and the U.S. Air Force.
Mike is a frequent contributor to several magazines and websites and is the author or coauthor of more than 25 books including CISSP Official (ISC)² Study Guide, CISSP Official (ISC)² Practice Tests, CompTIA CySA+ Study Guide, and CompTIA CySA+ Practice Tests, all from Wiley, and Cyberwarfare: Information Operations in a Connected World from Jones and Bartlett.
Mike offers free study groups for the PenTest+, CySA+, Security+, CISSP, and SSCP certifications at his website, certmike.com.
David Seidl is the Vice President for Information Technology and CIO at Miami University of Ohio. During his more than 23 years in information technology, he has served in a variety of leadership, technical, and information security roles, including leading the University of Notre Dame’s Campus Technology Services operations and infrastructure division as well as heading up Notre Dame’s information security team as Notre Dame’s director of information security.
He has written books on security certification and cyberwarfare, including co-authoring CompTIA CySA+ Study Guide: Exam CS0-001, CompTIA CySA+ Practice Tests: Exam CS0-001, and CISSP Official (ISC)² Practice Tests, all from Wiley, and Cyberwarfare: Information Operations in a Connected World from Jones and Bartlett.
David holds a bachelor’s degree in communication technology and a master’s degree in information security from Eastern Michigan University, as well as CISSP, GPEN, GCIH, CySA+, and PenTest+ certifications.
CONTENTS
Introduction
SSCP Certification
Taking the SSCP Exam
Work Experience Requirement
Recertification Requirements
Using This Book to Practice
Using the Online Practice Tests
Chapter 1 Access Controls (Domain 1)
Chapter 2 Security Operations and Administration (Domain 2)
Chapter 3 Risk Identification, Monitoring, and Analysis (Domain 3)
Chapter 4 Incident Response and Recovery (Domain 4)
Chapter 5 Cryptography (Domain 5)
Chapter 6 Network and Communications Security (Domain 6)
Chapter 7 Systems and Application Security (Domain 7)
Chapter 8 Practice Test 1
Chapter 9 Practice Test 2
Appendix Answers to Review Questions
Chapter 1: Access Controls (Domain 1)
Chapter 2: Security Operations and Administration (Domain 2)
Chapter 3: Risk Identification, Monitoring, and Analysis (Domain 3)
Chapter 4: Incident Response and Recovery (Domain 4)
Chapter 5: Cryptography (Domain 5)
Chapter 6: Network and Communications Security (Domain 6)
Chapter 7: Systems and Application Security (Domain 7)
Chapter 8: Practice Test 1
Chapter 9: Practice Test 2
Index
Advert
End User License Agreement
Introduction
SSCP Official (ISC)² Practice Tests is a companion volume to the SSCP (ISC)² Systems Security Certified Practitioner Official Study Guide. If you’re looking to test your knowledge before you take the SSCP exam, this book will help you by providing a combination of practice questions that cover the SSCP Common Body of Knowledge and easy-to-understand explanations of both right and wrong answers.
If you’re just starting to prepare for the SSCP exam, we highly recommend that you use the SSCP (ISC)² Certified Information Systems Security Professional Official Study Guide to help you learn about each of the domains covered by the SSCP exam. Once you’re ready to test your knowledge, use this book to help find places where you may need to study more, or to practice for the exam itself.
Since this is a companion to the SSCP Study Guide, this book is designed to be similar to taking the SSCP exam. It contains multipart scenarios as well as standard multiple-choice questions similar to those you may encounter in the certification exam itself. The book itself is broken up into 9 chapters: 7 domain-centric chapters covering each domain, and 2 chapters that contain full-length practice tests to simulate taking the exam itself.
SSCP Certification
The SSCP certification is offered by the International Information System Security Certification Consortium, or (ISC)², a global nonprofit. The mission of (ISC)² is to support and provide members and constituents with credentials, resources, and leadership to address cyber, information, software, and infrastructure security to deliver value to society. They achieve this mission by delivering the world’s leading information security certification program. The SSCP is the entry-level credential in this series and is accompanied by several other (ISC)² programs:
Certified Information Systems Security Professional (CISSP)
Certified Authorization Professional (CAP)
Certified Secure Software Lifecycle Professional (CSSLP)
Certified Cyber Forensic Professional (CCFP)
HealthCare Information Security Privacy Practitioner (HCISPP)
Certified Cloud Security Professional (CCSP)
There are also three advanced CISSP certifications for those who wish to move on from the base credential to demonstrate advanced expertise in a domain of information security:
Information Systems Security Architecture Professional (CISSP-ISSAP)
Information Systems Security Engineering Professional (CISSP-ISSEP)
Information Systems Security Management Professional (CISSP-ISSMP)
The SSCP certification covers seven domains of information security knowledge. These domains are meant to serve as the broad knowledge foundation required to succeed in the information security profession. They include:
Access Controls
Security Operations and Administration
Risk Identification, Monitoring, and Analysis
Incident Response and Recovery
Cryptography
Network and Communications Security
Systems and Application Security
Complete details on the SSCP Common Body of Knowledge (CBK) are contained in the Candidate Information Bulletin (CIB). The CIB, which includes a full outline of exam topics, can be found on the (ISC)² website at www.isc2.org.
Taking the SSCP Exam
The SSCP exam is a 3-hour exam that consists of 125 questions covering the seven domains. Passing requires achieving a score of at least 700 out of 1,000 points. It’s important to understand that this is a scaled score, meaning that not every question is worth the same number of points. Questions of differing difficulty may factor into your score more or less heavily. That said, as you work through these practice exams, you might want to use 70 percent as a yardstick to help you get a sense of whether you’re ready to sit for the actual exam. When you’re ready, you can schedule an exam via links provided on the (ISC)² website—tests are offered in locations throughout the world.
The questions on the SSCP exam are all multiple-choice questions with four answer options. You will be asked to select the one correct answer for each question. Watch out for questions that ask you to exercise judgement—these are commonly used on (ISC)² exams. You might be asked to identify the best option or select the least expensive approach. These questions require that you use professional judgement to come to the correct answer.
Computer-Based Testing Environment
Almost all SSCP exams are now administered in a computer-based testing (CBT) format. You’ll register for the exam through the Pearson VUE website and may take the exam in the language of your choice. It is offered in English, Japanese, and Brazilian Portuguese.
You’ll take the exam in a computer-based testing center located near your home or office. The centers administer many different exams, so you may find yourself sitting in the same room as a student taking a school entrance examination and a healthcare professional earning a medical certification. If you’d like to become more familiar with the testing environment, the Pearson VUE website offers a virtual tour of a testing center: https://home.pearsonvue.com/test-taker/Pearson-Professional-Center-Tour.aspx.
When you sit down to take the exam, you’ll be seated at a computer that has the exam software already loaded and running. It’s a pretty straightforward interface that allows you to navigate through the exam. You can download a practice exam and tutorial from Pearson at http://www.vue.com/athena/athena.asp.
Exam Retake Policy
If you don’t pass the SSCP exam, you shouldn’t panic. Many individuals don’t reach the bar on their first attempt but gain valuable experience that helps them succeed the second time around. When you retake the exam, you’ll have the benefit of familiarity with the CBT environment and SSCP exam format. You’ll also have time to study up on the areas where you felt less confident.
After your first exam attempt, you must wait 30 days before retaking the computer-based exam. If you’re not successful on that attempt, you must then wait 90 days before your third attempt and 180 days before your fourth attempt. You may not take the exam more than three times in a single calendar year.
Work Experience Requirement
Candidates who wish to earn the SSCP credential must not only pass the exam but also demonstrate that they have at least one year of work experience in the information security field. Your work experience must cover activities in at least one of the seven domains of the SSCP program and must be paid employment.
You may be eligible to waive the work experience requirement based on your educational achievements. If you hold a bachelor’s or master’s degree in cybersecurity, you may be eligible for a degree waiver that covers one of those years. For more information see https://www.isc2.org/Certifications/SSCP/experience-requirements#.
If you haven’t yet completed your work experience requirement, you may still attempt the SSCP exam. Individuals who pass the exam are designated Associates of (ISC)² and have two years to complete the work experience requirement.
Recertification Requirements
Once you’ve earned your SSCP credential, you’ll need to maintain your certification by paying maintenance fees and participating in continuing professional education (CPE). As long as you maintain your certification in good standing, you will not need to retake the SSCP exam. Currently, the annual maintenance fees for the SSCP credential are $85 per year.
The SSCP CPE requirement mandates earning at least 20 CPE credits each year toward the 60-credit three-year requirement. (ISC)² provides an online portal where certificants may submit CPE completion for review and approval. The portal also tracks annual maintenance fee payments and progress toward recertification.
Using This Book to Practice
This book is composed of 9 chapters. Each of the first seven chapters covers a domain, with a variety of questions that test your knowledge of real-world, scenario-based, and best-practice security topics. The final two chapters are complete practice exams that can serve as timed practice tests to help determine if you’re ready for the SSCP exam.
We recommend taking the first practice exam to help identify where you may need to spend more study time, and then using the domain-specific chapters to test your domain knowledge where it is weak. Once you’re ready, take the second practice exam to make sure you’ve covered all of the material and are ready to attempt the SSCP exam.
Using the Online Practice Tests
All of the questions in this book are also available in Sybex’s online practice test tool. To get access to this online format, go to www.wiley.com/go/sybextestprep and start by registering your book. You’ll receive a pin code and instructions on where to create an online test bank account. Once you have access, you can use the online version to create your own sets of practice tests from the book questions and practice in a timed and graded setting.
Do you need more? If you are not seeing passing grades on these practice tests, look for the all-new (ISC)² SSCP Systems Security Certified Practitioner Official Study Guide, 2nd Edition by Michael S. Wills and Wesley E. Phillips, Jr. (ISBN: 978-1-119-54294-0), available early 2019. This book is an excellent resource to master any SSCP topics causing problems. It maps every official exam objective to the corresponding chapter to help you track your exam prep objective by objective, includes challenging review questions in each chapter to prepare you for exam day, and provides online test prep materials with flashcards and additional practice tests.
Chapter 1
Access Controls (Domain 1)
THIS CHAPTER COVERS THE FOLLOWING SSCP EXAM OBJECTIVES:
1.1 Implement and maintain authentication methods
Single/multifactor authentication
Single sign-on
Device authentication
Federated access
1.2 Support internetwork trust architectures
Trust relationships (e.g., 1-way, 2-way, transitive)
Extranet
Third party connections
1.3 Participate in the identity management lifecycle
Authorization
Proofing
Provisioning/de-provisioning
Maintenance
Entitlement
Identity and access management (IAM) systems
1.4 Implement access controls
Mandatory
Non-discretionary
Discretionary
Role-based
Attribute-based
Subject-based
Object-based
Greg is the network administrator for a large stadium that hosts many events throughout the course of the year. They equip ushers with handheld scanners to verify tickets. Ushers turn over frequently and are often hired at the last minute. Scanners are handed out to ushers before each event, but different ushers may use different scanners. Scanners are secured in a locked safe when not in use. What network access control approach would be most effective for this scenario?
Multifactor authentication
Device authentication
Password authentication
No authentication
Norma is helping her organization create a specialized network designed for vendors that need to connect to Norma’s organization’s network to process invoices and upload inventory. This network should be segmented from the rest of the corporate network but have a much higher degree of access than the general public. What type of network is Norma building?
Internet
Intranet
Outranet
Extranet
Which one of the following is an example of a nondiscretionary access control system?
File ACLs
MAC
DAC
Visitor list
Wanda is configuring device-based authentication for systems on her network. Which one of the following approaches offers the strongest way to authenticate devices?
IP address
MAC address
Digital certificate
Password
Kaiden is creating an extranet for his organization and is concerned about unauthorized eavesdropping on network communications. Which one of the following technologies can he use to mitigate this risk?
VPN
Firewall
Content filter
Proxy server
When Ben lists the files on a Linux system, he sees the set of attributes shown here.
[Figure: terminal window showing a file listing command run at the [demo@ip-10-0-0-254 ~] prompt and its output.]
The letters rwx indicate different levels of what?
Identification
Authorization
Authentication
Accountability
Which one of the following tools is most often used for identification purposes and is not suitable for use as an authenticator?
Password
Retinal scan
Username
Token
Gary is preparing to create an account for a new user and assign privileges to the HR database. What two elements of information must Gary verify before granting this access?
Credentials and need to know
Clearance and need to know
Password and clearance
Password and biometric scan
Ben’s organization is adopting biometric authentication for its high-security building’s access control system. Use the following chart to answer questions 9–11 about the organization’s adoption of the technology.
[Figure: graph of sensitivity versus percentage, with one curve labeled FRR increasing and another curve labeled FAR decreasing. Point A marks the intersection of the two curves; Point B lies before the intersection.]
Ben’s company is considering configuring its systems to work at the level shown by point A on the diagram. To what level is it setting the sensitivity?
The FRR crossover
The FAR point
The CER
The CFR
At point B, what problem is likely to occur?
False acceptance will be very high.
False rejection will be very high.
False rejection will be very low.
False acceptance will be very low.
What should Ben do if the FAR and FRR shown in this diagram does not provide an acceptable performance level for his organization’s needs?
Adjust the sensitivity of the biometric devices.
Assess other biometric systems to compare them.
Move the CER.
Adjust the FRR settings in software.
When a subject claims an identity, what process is occurring?
Login
Identification
Authorization
Token presentation
Files, databases, computers, programs, processes, devices, and media are all examples of what?
Subjects
Objects
File stores
Users
MAC models use three types of environments. Which of the following is not a mandatory access control design?
Hierarchical
Bracketed
Compartmentalized
Hybrid
Ryan would like to implement an access control technology that is likely to both improve security and increase user satisfaction. Which one of the following technologies meets this requirement?
Mandatory access controls
Single sign-on
Multifactor authentication
Automated deprovisioning
The leadership at Susan’s company has asked her to implement an access control system that can support rule declarations like “Only allow access to salespeople from managed devices on the wireless network between 8 a.m. and 6 p.m.” What type of access control system would be Susan’s best choice?
ABAC
Rule-based access control (RBAC)
DAC
MAC
What is the primary advantage of decentralized access control?
It provides better redundancy.
It provides control of access to people closer to the resources.
It is less expensive.
It provides more granular control of access.
Which of the following is best described as an access control model that focuses on subjects and identifies the objects that each subject can access?
An access control list
An implicit denial list
A capability table
A rights management matrix
Match each of the numbered authentication techniques with the appropriate lettered category. Each technique should be matched with exactly one category. Each category may be used once, more than once, or not at all.
Susan wants to integrate her website to allow users to use accounts from sites like Google. What technology should she adopt?
Kerberos
LDAP
OpenID
SESAME
Ben uses a software-based token that changes its code every minute. What type of token is he using?
Asynchronous
Smart card
Synchronous
Static
How does single sign-on increase security?
It decreases the number of accounts required for a subject.
It helps decrease the likelihood that users will write down their passwords.
It provides logging for each system that it is connected to.
It provides better encryption for authentication data.
Which of the following multifactor authentication technologies provides both low management overhead and flexibility?
Biometrics
Software tokens
Synchronous hardware tokens
Asynchronous hardware tokens
Tom is planning to terminate an employee this afternoon for fraud and expects that the meeting will be somewhat hostile. He is coordinating the meeting with human resources and wants to protect the company against damage. Which one of the following steps is most important to coordinate in time with the termination meeting?
Informing other employees of the termination
Retrieving the employee’s photo ID
Calculating the final paycheck
Revoking electronic access rights
Jim wants to allow a partner organization’s Active Directory forest (B) to access his own forest (A)’s resources but doesn’t want to allow users in his domain to access B’s resources. He also does not want the trust to flow upward through the domain tree as it is formed. What should he do?
Set up a two-way transitive trust.
Set up a one-way transitive trust.
Set up a one-way nontransitive trust.
Set up a two-way nontransitive trust.
The financial services company that Susan works for provides a web portal for its users. When users need to verify their identity, the company uses information from third-party sources to ask questions based on their past credit reports, such as “Which of the following streets did you live on in 2007?”
What process is Susan’s organization using?
Identity proofing
Password verification
Authenticating with a Type 2 authentication factor
Out-of-band identity proofing
The system administrators on Lauren’s team each deal with hundreds of systems with varying levels of security requirements and find it difficult to handle the multitude of usernames and passwords they each have. What type of solution should she recommend to ensure that passwords are properly handled and that features such as logging and password rotation occur?
A credential management system
A strong password policy
Separation of duties
Single sign-on
What type of trust relationship extends beyond the two domains participating in the trust to one or more of their subdomains?
Transitive trust
Inheritable trust
Nontransitive trust
Noninheritable trust
Adam is accessing a standalone file server using a username and password provided to him by the server administrator. Which one of the following entities is guaranteed to have information necessary to complete the authorization process?
Adam
File server
Server administrator
Adam’s supervisor
After 10 years working in her organization, Cassandra is moving