Gary was recently hired as the first chief information security officer (CISO) for a local government agency. The agency recently suffered a security breach and is attempting to build a new information security program. Gary would like to apply some best practices for security operations as he is designing this program.
1. As Gary decides what access permissions he should grant to each user, what principle should guide his decisions about default permissions?
   A. Separation of duties
   B. Least privilege
   C. Aggregation
   D. Separation of privileges

2. As Gary designs the program, he uses the matrix shown here. What principle of information security does this matrix most directly help enforce?
   A. Segregation of duties
   B. Aggregation
   C. Two-person control
   D. Defense in depth

3. Lydia is processing access control requests for her organization. She comes across a request where the user does have the required security clearance, but there is no business justification for the access. Lydia denies this request. What security principle is she following?
   A. Need to know
   B. Least privilege
   C. Separation of duties
   D. Two-person control

4. Helen is implementing a new security mechanism for granting employees administrative privileges in the accounting system. She designs the process so that both the employee's manager and the accounting manager must approve the request before the access is granted. What information security principle is Helen enforcing?
   A. Least privilege
   B. Two-person control
   C. Job rotation
   D. Separation of duties

5. Which of the following is not true about the (ISC)2 code of ethics?
   A. Adherence to the code is a condition of certification.
   B. Failure to comply with the code may result in revocation of certification.
   C. The code applies to all members of the information security profession.
   D. Members who observe a breach of the code are required to report the possible violation.
6. Javier is verifying that only IT system administrators have the ability to log on to servers used for administrative purposes. What principle of information security is he enforcing?
   A. Need to know
   B. Least privilege
   C. Two-person control
   D. Transitive trust

7. Connor's company recently experienced a denial-of-service attack that Connor believes came from an inside source. If true, what type of event has the company experienced?
   A. Espionage
   B. Confidentiality breach
   C. Sabotage
   D. Integrity breach

8. Which one of the following is not a canon of the (ISC)2 code of ethics?
   A. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
   B. Promptly report security vulnerabilities to relevant authorities.
   C. Act honorably, honestly, justly, responsibly, and legally.
   D. Provide diligent and competent service to principals.

9. When designing an access control scheme, Hilda set up roles so that the same person does not have the ability to provision a new user account and assign superuser privileges to an account. What information security principle is Hilda following?
   A. Least privilege
   B. Separation of duties
   C. Job rotation
   D. Security through obscurity

10. Which one of the following tools helps system administrators by providing a standard, secure template of configuration settings for operating systems and applications?
   A. Security guidelines
   B. Security policy
   C. Baseline configuration
   D. Running configuration

11. Tracy is preparing to apply a patch to her organization's enterprise resource planning system. She is concerned that the patch may introduce flaws that did not exist in prior versions, so she plans to conduct a test that will compare previous responses to input with those produced by the newly patched application. What type of testing is Tracy planning?
   A. Unit testing
   B. Acceptance testing
   C. Regression testing
   D. Vulnerability testing
12. Which one of the following security practices suggests that an organization should deploy multiple, overlapping security controls to meet security objectives?
   A. Defense in depth
   B. Security through obscurity
   C. Least privilege
   D. Separation of duties

13. What technology asset management practice would an organization use to ensure that systems meet baseline security standards?
   A. Change management
   B. Patch management
   C. Configuration management
   D. Identity management

14. The large business that Jack works for has been using noncentralized logging for years. They have recently started to implement centralized logging, however, and as they reviewed logs, they discovered a breach that appeared to have involved a malicious insider. How can Jack best ensure accountability for actions taken on systems in his environment?
   A. Review the logs and require digital signatures for each log.
   B. Require authentication for all actions taken and capture logs centrally.
   C. Log the use of administrative credentials and encrypt log data in transit.
   D. Require authorization and capture logs centrally.

15. Veronica is responsible for her organization's asset management program. During what stage of the process would she select the controls that will be used to protect assets from theft?
   A. Implementation/assessment
   B. Operation/maintenance
   C. Inventory and licensing
   D. Process, planning, design, and initiation

16. Under what type of software license does the recipient of software have an unlimited right to copy, modify, distribute, or resell a software package?
   A. GNU General Public License (GPL)
   B. Freeware
   C. Open source
   D. Public domain

17. When an attacker called an organization's help desk and persuaded them to reset a password due to the help desk employee's trust and willingness to help, what type of attack succeeded?
   A. Trojan horse
   B. Social engineering
   C. Phishing
   D. Whaling
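Questions 2 (the segregation-of-duties matrix) and 9 (Hilda's rule that no one person may both provision accounts and grant superuser rights) describe the same control. The script below is an added example, not part of the exam text or any (ISC)2 material: it encodes a small role-conflict matrix and refuses role assignments that would put both halves of a conflicting pair in one person's hands. The role and permission names are constructed for illustration.

```python
"""Separation-of-duties (SoD) enforcement over a role-conflict matrix.

Added example; not from the exam text. Role and permission names below are
constructed assumptions for illustration.
"""
from itertools import combinations

# Constructed role -> permission mapping (an assumption for this example).
# By design no single role carries both halves of a conflicting pair.
ROLE_PERMISSIONS = {
    "helpdesk":         {"reset_password"},
    "user_provisioner": {"create_user", "disable_user"},
    "privilege_admin":  {"grant_superuser", "revoke_superuser"},
    "ap_clerk":         {"create_invoice"},
    "ap_approver":      {"approve_invoice"},
}

# Permission pairs that must never be held by the same person.
SOD_CONFLICTS = {
    frozenset({"create_user", "grant_superuser"}),
    frozenset({"create_invoice", "approve_invoice"}),
}


def effective_permissions(roles):
    """Union of the permissions granted by a set of roles; unknown roles are an error."""
    perms = set()
    for role in roles:
        if role not in ROLE_PERMISSIONS:
            raise KeyError(f"unknown role: {role}")
        perms |= ROLE_PERMISSIONS[role]
    return perms


def sod_violations(roles):
    """Conflicting permission pairs that this set of roles would combine."""
    perms = effective_permissions(roles)
    return {pair for pair in SOD_CONFLICTS if pair <= perms}


def validate_role_definitions():
    """Roles that are toxic on their own: maps role -> conflicts it contains."""
    toxic = {}
    for role in ROLE_PERMISSIONS:
        found = sod_violations({role})
        if found:
            toxic[role] = found
    return toxic


def conflict_matrix():
    """Role-vs-role matrix: True where two roles may not be co-assigned."""
    matrix = {}
    for a, b in combinations(sorted(ROLE_PERMISSIONS), 2):
        conflict = bool(sod_violations({a, b}))
        matrix[(a, b)] = matrix[(b, a)] = conflict
    return matrix


def can_assign(current_roles, new_role):
    """Decide whether adding new_role keeps the user free of SoD conflicts.

    Returns (allowed, violations). A provisioning system should refuse the
    grant and log the violations whenever allowed is False.
    """
    violations = sod_violations(set(current_roles) | {new_role})
    return (not violations, violations)


if __name__ == "__main__":
    print("toxic roles:", validate_role_definitions())
    print("helpdesk for a provisioner:", can_assign({"user_provisioner"}, "helpdesk"))
    print("privilege_admin for a provisioner:",
          can_assign({"user_provisioner"}, "privilege_admin"))
```

The check runs at assignment time, which is where SoD actually bites: the role definitions can be clean individually while a careless grant of two roles to the same account recreates the conflict. `validate_role_definitions()` catches the first failure mode, `can_assign()` the second.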
Chapter 2 Access Controls (Domain 2)
THE SSCP EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:
Domain 2.0: Access Controls

2.1 Implement and maintain authentication methods
   - Single/multi-factor authentication (MFA)
   - Single sign-on (SSO) (e.g., Active Directory Federation Services (ADFS), OpenID Connect)
   - Device authentication
   - Federated access (e.g., Open Authorization 2 (OAuth2), Security Assertion Markup Language (SAML))

2.2 Support internetwork trust architectures
   - Trust relationships (e.g., 1-way, 2-way, transitive, zero)
   - Internet, intranet, and extranet
   - Third-party connections

2.3 Participate in the identity management lifecycle
   - Authorization
   - Proofing
   - Provisioning/de-provisioning
   - Maintenance
   - Entitlement
   - Identity and access management (IAM) systems

2.4 Understand and apply access controls
   - Mandatory
   - Discretionary
   - Role-based (e.g., attribute-, subject-, object-based)
   - Rule-based
1. Greg is the network administrator for a large stadium that hosts many events throughout the course of the year. They equip ushers with handheld scanners to verify tickets. Ushers turn over frequently and are often hired at the last minute. Scanners are handed out to ushers before each event, but different ushers may use different scanners. Scanners are secured in a locked safe when not in use. What network access control approach would be most effective for this scenario?
   A. Multifactor authentication
   B. Device authentication
   C. Password authentication
   D. No authentication

2. Norma is helping her organization create a specialized third-party network connection for a set of vendors needing to connect to Norma's organization's network to process invoices and upload inventory. This network should be segmented from the rest of the corporate network but have a much higher degree of access than the general public. What type of network is Norma building?
   A. Internet
   B. Intranet
   C. Outranet
   D. Extranet

3. Which one of the following is an example of a nondiscretionary access control system?
   A. File ACLs
   B. MAC
   C. DAC
   D. Visitor list

4. Wanda is configuring device-based authentication for systems on her network. Which one of the following approaches offers the strongest way to authenticate devices?
   A. IP address
   B. MAC address
   C. Digital certificate
   D. Password

5. Kaiden is creating an extranet for his organization and is concerned about unauthorized eavesdropping on network communications. Which one of the following technologies can he use to mitigate this risk?
   A. VPN
   B. Firewall
   C. Content filter
   D. Proxy server

6. When Ben lists the files on a Linux system, he sees the set of attributes shown here. The letters rwx indicate different levels of what?
   A. Identification
   B. Authorization
   C. Authentication
   D. Accountability

7. Which one of the following tools is most often used for identification purposes and is not suitable for use as an authenticator?
   A. Password
   B. Retinal scan
   C. Username
   D. Token

8. Gary is preparing to create an account for a new user and assign privileges to the HR database. What two elements of information must Gary verify before granting this access?
   A. Credentials and need to know
   B. Clearance and need to know
   C. Password and clearance
   D. Password and biometric
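Question 6 turns on what the rwx letters in an `ls -l` listing express: they are the permissions the system will enforce once a subject has already been identified and authenticated, and an access decision is made by matching the subject against the owner, group and other classes. The script below is an added example, not part of the exam text: it parses mode strings from a constructed listing and evaluates a request in the order Linux discretionary access control uses. The listing, user names and group names are constructed for illustration.

```python
"""Interpreting rwx mode bits as an authorization decision.

Added example; not from the exam text. The listing, users and groups below
are constructed for illustration, not taken from a real system.
"""
import re

# Constructed `ls -l` output (assumption for this example).
LISTING = """\
-rwxr-x--- 1 ben  devs   8192 Mar  3 10:12 deploy.sh
-rw-r--r-- 1 root root    742 Mar  1 09:00 notes.txt
----rwx--- 1 ben  devs    100 Mar  4 11:00 locked.txt
drwx------ 2 ben  devs   4096 Mar  2 08:30 private
"""

# type, then owner / group / other triplets; s,S,t,T are setuid/setgid/sticky variants.
MODE_RE = re.compile(r"^([-dlbcps])([-r][-w][-xsS])([-r][-w][-xsS])([-r][-w][-xtT])$")


def parse_mode(mode_str):
    """Split a 10-character mode string into (type, (owner, group, other)) permission sets."""
    m = MODE_RE.match(mode_str)
    if not m:
        raise ValueError(f"not a mode string: {mode_str!r}")
    ftype, *triplets = m.groups()
    classes = []
    for trip in triplets:
        perms = set()
        if trip[0] == "r":
            perms.add("r")
        if trip[1] == "w":
            perms.add("w")
        # 's' and 't' mean setuid/setgid/sticky *with* execute; 'S' and 'T' without it.
        if trip[2] in "xst":
            perms.add("x")
        classes.append(frozenset(perms))
    return ftype, tuple(classes)


def parse_listing(text):
    """Parse `ls -l` lines into a dict keyed by file name."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(None, 8)  # name is the 9th field and may contain spaces
        if len(fields) < 9:
            raise ValueError(f"unexpected ls -l line: {line!r}")
        mode, _links, owner, group, _size, _mon, _day, _time, name = fields
        ftype, (u, g, o) = parse_mode(mode)
        entries[name] = {
            "type": ftype, "owner": owner, "group": group,
            "perms": {"owner": u, "group": g, "other": o},
        }
    return entries


def authorized(entry, user, groups, action):
    """Classic UNIX DAC: the first matching class (owner, group, other) decides.

    The owner class is checked first and applies exclusively, so an owner with
    fewer bits than the group is denied even when a member of that group.
    """
    if action not in ("r", "w", "x"):
        raise ValueError(f"unknown action: {action!r}")
    perms = entry["perms"]
    if user == "root":
        # root bypasses read/write DAC; executing a regular file still needs some x bit.
        return action != "x" or entry["type"] == "d" or any("x" in c for c in perms.values())
    if user == entry["owner"]:
        cls = perms["owner"]
    elif entry["group"] in groups:
        cls = perms["group"]
    else:
        cls = perms["other"]
    return action in cls


if __name__ == "__main__":
    files = parse_listing(LISTING)
    for name, user, groups, action in [
        ("deploy.sh", "ben", {"devs"}, "x"),
        ("deploy.sh", "alice", {"devs"}, "w"),
        ("locked.txt", "ben", {"devs"}, "r"),
        ("locked.txt", "alice", {"devs"}, "r"),
    ]:
        print(f"{user} {action} {name}: {authorized(files[name], user, groups, action)}")
```

The `locked.txt` line is the case worth remembering: the mode bits are an authorization policy, not a description of the owner's capabilities, and the owner class is selected before the group class regardless of which grants more.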