SSCP Free Practice Test

- (Topic 6)
Which of the following is immune to the effects of electromagnetic interference (EMI) and therefore has a much longer effective usable length?

1. A. Fiber Optic cable
2. B. Coaxial cable
3. C. Twisted Pair cable
4. D. Axial cable

Correct Answer: A
Fiber Optic cable is immune to the effects of electromagnetic interference
(EMI) and therefore has a much longer effective usable length (up to two kilometers in some cases).
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 72.

- (Topic 2)
Why does compiled code pose more of a security risk than interpreted code?

1. A. Because malicious code can be embedded in compiled code and be difficult to detect.
2. B. If the executed compiled code fails, there is a chance it will fail insecurely.
3. C. Because compilers are not reliable.
4. D. There is no risk difference between interpreted code and compiled code.

Correct Answer: A
From a security standpoint, a compiled program is less desirable than an interpreted one because malicious code can be
resident somewhere in the compiled code, and it is difficult to detect in a very large program.

- (Topic 1)
Which of the following statements pertaining to the Bell-LaPadula is TRUE if you are NOT making use of the strong star property?

1. A. It allows "read up."
2. B. It addresses covert channels.
3. C. It addresses management of access controls.
4. D. It allows "write up."

Correct Answer: D
Bell–LaPadula Confidentiality Model10 The Bell–LaPadula model is perhaps the most well-known and significant security model, in addition to being one of the oldest models used in the creation of modern secure computing systems. Like the Trusted Computer System Evaluation Criteria (or TCSEC), it was inspired by early U.S. Department of Defense security policies and the need to prove that confidentiality could be maintained. In other words, its primary goal is to prevent disclosure as the model system moves from one state (one point in time) to another.
When the strong star property is not being used it means that both the property and the
Simple Security Property rules would be applied.
The Star (*) property rule of the Bell-LaPadula model says that subjects cannot write down, this would compromise the confidentiality of the information if someone at the secret layer would write the object down to a confidential container for example.
The Simple Security Property rule states that the subject cannot read up which means that a subject at the secret layer would not be able to access objects at Top Secret for example.
You must remember: The model tells you about are NOT allowed to do. Anything else would be allowed. For example within the Bell LaPadula model you would be allowed to write up as it does not compromise the security of the information. In fact it would upgrade it to the point that you could lock yourself out of your own information if you have only a secret security clearance.
The following are incorrect answers because they are all FALSE:
"It allows read up" is incorrect. The "simple security" property forbids read up.
"It addresses covert channels" is incorrect. Covert channels are not addressed by the Bell- LaPadula model.
"It addresses management of access controls" is incorrect. Management of access controls are beyond the scope of the Bell-LaPadula model.
Reference(s) used for this question:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 17595-17600). Auerbach Publications. Kindle Edition.

- (Topic 6)
One of the following statements about the differences between PPTP and L2TP is NOT true

1. A. PPTP can run only on top of IP networks.
2. B. PPTP is an encryption protocol and L2TP is not.
3. C. L2TP works well with all firewalls and network devices that perform NAT.
4. D. L2TP supports AAA servers

Correct Answer: C
L2TP is affected by packet header modification and cannot cope with firewalls and network devices that perform NAT.
"PPTP can run only on top of IP networks." is correct as PPTP encapsulates datagrams into an IP packet, allowing PPTP to route many network protocols across an IP network.
"PPTP is an encryption protocol and L2TP is not." is correct. When using PPTP, the PPP payload is encrypted with Microsoft Point-to-Point Encryption (MPPE) using MSCHAP or EAP-TLS.
"L2TP supports AAA servers" is correct as L2TP supports TACACS+ and RADIUS. NOTE:
L2TP does work over NAT. It is possible to use a tunneled mode that wraps every packet
into a UDP packet. Port 4500 is used for this purpose. However this is not true of PPTP and it is not true as well that it works well with all firewalls and NAT devices.
References:
All in One Third Edition page 545
Official Guide to the CISSP Exam page 124-126

- (Topic 4)
In which of the following phases of system development life cycle (SDLC) is contingency planning most important?

1. A. Initiation
2. B. Development/acquisition
3. C. Implementation
4. D. Operation/maintenance

Correct Answer: A
Contingency planning requirements should be considered at every phase of SDLC, but most importantly when a new IT system is being conceived. In the initiation phase, system requirements are identified and matched to their related operational processes, allowing determination of the system's appropriate recovery priority.
Source: SWANSON, Marianne, & al., National Institute of Standards and Technology (NIST), NIST Special Publication 800-34, Contingency Planning Guide for Information Technology Systems, December 2001 (page 12).
and
The Official ISC2 Guide to the CBK, Second Edition, Application Security, page 180-185