SSCP Free Practice Test

- (Topic 4)
Which of the following computer recovery sites is the least expensive and the most difficult to test?

1. A. non-mobile hot site
2. B. mobile hot site
3. C. warm site
4. D. cold site

Correct Answer: D
Is the least expensive because it is basically a structure with power and would be the most difficult to test because you would have to install all of the hardware infrastructure in order for it to be operational for the test.
The following answers are incorrect:
non-mobile hot site. Is incorrect because it is more expensive then a cold site and easier to test because all of the infrastructure is in place.
mobile hot site. Is incorrect because it is more expensive then a cold site and easier to test because all of the infrastructure is in place.
warm site. Is incorrect because it is more expensive then a cold site and easier to test because more of the infrastructure is in place.

- (Topic 5)
What can be defined as a digital certificate that binds a set of descriptive data items, other than a public key, either directly to a subject name or to the identifier of another certificate that is a public-key certificate?

1. A. A public-key certificate
2. B. An attribute certificate
3. C. A digital certificate
4. D. A descriptive certificate

Correct Answer: B
The Internet Security Glossary (RFC2828) defines an attribute certificate as a digital certificate that binds a set of descriptive data items, other than a public key, either directly to a subject name or to the identifier of another certificate that is a public-key certificate. A public-key certificate binds a subject name to a public key value, along with information needed to perform certain cryptographic functions. Other attributes of a subject, such as a security clearance, may be certified in a separate kind of digital certificate, called an attribute certificate. A subject may have multiple attribute certificates associated with its name or with each of its public-key certificates.
Source: SHIREY, Robert W., RFC2828: Internet Security Glossary, may 2000.

- (Topic 4)
Which of the following would BEST be defined as an absence or weakness of safeguard that could be exploited?

1. A. A threat
2. B. A vulnerability
3. C. A risk
4. D. An exposure

Correct Answer: B
It is a software , hardware or procedural weakness that may provide an attacker the open door he is looking for to enter a computer or network and have unauthorized access to resources within the environment. A vulnerability characterizes the absence or weakness of a safeguard that could be exploited. This vulnerability may be a service running on a server, unpatched applications or operating system software etc.
The following answers are incorrect because:
Threat: A threat is defined as a potential danger to information or systems. The threat is someone or something will identify a specific vulnerability and use it against the company or individual. The entity that takes advantage of a vulnerability is referred to as a 'Threat Agent'. A threat agent could be an intruder accessing the network through a port on the firewall , a process accessing data that violates the security policy.
Risk:A risk is the likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact. If a firewall has several ports open , there is a higher likelihood that an intruder will use one to access the network in an unauthorized method.
Exposure: An exposure is an instance of being exposed to losses from a threat agent. REFERENCES:
SHON HARRIS , ALL IN ONE THIRD EDITION : Chapter 3 : Security Management
Practices , Pages: 57-59

- (Topic 6)
Which layer of the DoD TCP/IP Model ensures error-free delivery and packet sequencing?

1. A. Internet layer
2. B. Network access layer
3. C. Host-to-host
4. D. Application layer

Correct Answer: C
This layer of the DoD Model is also sometimes called Transport in some books but the proper name is Host-to-Host as per the RFC document.
The host-to-host layer provides for reliable end-to-end communications, ensures the data's error-free delivery, handles the data's packet sequencing, and maintains the data's integrity.
It is comparable to the transport layer of the OSI model. Reference(s) used for this question: http://en.wikipedia.org/wiki/Internet_protocol_suite
and
http://technet.microsoft.com/en-us/library/cc786900(v=ws.10).aspx and
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 85).

- (Topic 2)
The information security staff's participation in which of the following system development life cycle phases provides maximum benefit to the organization?

1. A. project initiation and planning phase
2. B. system design specifications phase
3. C. development and documentation phase
4. D. in parallel with every phase throughout the project

Correct Answer: D
The other answers are not correct because:
You are always looking for the "best" answer. While each of the answers listed here could be considered correct in that each of them require input from the security staff, the best answer is for that input to happen at all phases of the project.
Reference:
Official ISC2 Guide page: 556
All in One Third Edition page: 832 - 833