Free Access to ISC.SSCP.v2023-01-01.q803 with Valid Practice Test (Page 142)

Question 701

Unclassified, Private, Confidential, Secret, Top Secret, and Internal Use Only are levels of

A.Security Classification
B.Data Classification
C.Object Classification
D.Change Control Classification

Question 702

Which of the following answers is described as a random value used in cryptographic algorithms to ensure that patterns are not created during the encryption process?

A.IV - Initialization Vector
B.Stream Cipher
C.OTP - One Time Pad
D.Ciphertext

Correct Answer: A

Explanation/Reference:
The basic power in cryptography is randomness. This uncertainty is why encrypted data is unusable to someone without the key to decrypt.
Initialization Vectors are a used with encryption keys to add an extra layer of randomness to encrypted data. If no IV is used the attacker can possibly break the keyspace because of patterns resulting in the encryption process. Implementation such as DES in Code Book Mode (CBC) would allow frequency analysis attack to take place.
In cryptography, an initialization vector (IV) or starting variable (SV)is a fixed-size input to a cryptographic primitive that is typically required to be random or pseudorandom. Randomization is crucial for encryption schemes to achieve semantic security, a property whereby repeated usage of the scheme under the same key does not allow an attacker to infer relationships between segments of the encrypted message. For block ciphers, the use of an IV is described by so-called modes of operation. Randomization is also required for other primitives, such as universal hash functions and message authentication codes based thereon.
It is define by TechTarget as:
An initialization vector (IV) is an arbitrary number that can be used along with a secret key for data encryption. This number, also called a nonce, is employed only one time in any session.
The use of an IV prevents repetition in data encryption, making it more difficult for a hacker using a dictionary attack to find patterns and break a cipher. For example, a sequence might appear twice or more within the body of a message. If there are repeated sequences in encrypted data, an attacker could assume that the corresponding sequences in the message were also identical. The IV prevents the appearance of corresponding duplicate character sequences in the ciphertext.
The following answers are incorrect:
- Stream Cipher: This isn't correct. A stream cipher is a symmetric key cipher where plaintext digits are combined with pseudorandom key stream to product cipher text.
- OTP - One Time Pad: This isn't correct but OTP is made up of random values used as key material.
(Encryption key) It is considered by most to be unbreakable but must be changed with a new key after it is used which makes it impractical for common use.
- Ciphertext: Sorry, incorrect answer. Ciphertext is basically text that has been encrypted with key material (Encryption key)
The following reference(s) was used to create this question:
For more details on this TOPIC and other Qs of the Security+ CBK, subscribe to our Holistic Computer Based Tutorial (CBT) at http://www.cccure.tv
and
whatis.techtarget.com/definition/initialization-vector-IV
and
en.wikipedia.org/wiki/Initialization_vector

Question 703

All of the following can be considered essential business functions that should be identified when creating a Business Impact Analysis (BIA) except one. Which of the following would not be considered an essential element of the BIA but an important TOPIC to include within the BCP plan:

A.IT Network Support
B.Accounting
C.Public Relations
D.Purchasing

Question 704

In a SSL session between a client and a server, who is responsible for generating the master secret that will be used as a seed to generate the symmetric keys that will be used during the session?

A.Both client and server
B.The client's browser
C.The web server
D.The merchant's Certificate Server

Question 705

How can an individual/person best be identified or authenticated to prevent local masquarading attacks?

A.UserId and password
B.Smart card and PIN code
C.Two-factor authentication
D.Biometrics

Correct Answer: D

The only way to be truly positive in authenticating identity for access is to base the authentication on the physical attributes of the persons themselves (i.e., biometric identification). Physical attributes cannot be shared, borrowed, or duplicated. They ensure that you do identify the person, however they are not perfect and they would have to be supplemented by another factor.
Some people are getting thrown off by the term Masquarade. In general, a masquerade is a disguise. In terms of communications security issues, a masquerade is a type of attack where the attacker pretends to be an authorized user of a system in order to gain access to it or to gain greater privileges than they are authorized for. A masquerade may be attempted through the use of stolen logon IDs and passwords, through finding security gaps in programs, or through bypassing the authentication mechanism. Spoofing is another term used to describe this type of attack as well.
A UserId only provides for identification.
A password is a weak authentication mechanism since passwords can be disclosed, shared, written down, and more.
A smart card can be stolen and its corresponding PIN code can be guessed by an intruder. A smartcard can be borrowed by a friend of yours and you would have no clue as to who is really logging in using that smart card.
Any form of two-factor authentication not involving biometrics cannot be as reliable as a biometric system to identify the person.
Biometric identifying verification systems control people. If the person with the correct hand, eye, face, signature, or voice is not present, the identification and verification cannot take place and the desired action (i.e., portal passage, data, or resource access) does not occur.
As has been demonstrated many times, adversaries and criminals obtain and successfully use access cards, even those that require the addition of a PIN. This is because these systems control only pieces of plastic (and sometimes information), rather than people. Real asset and resource protection can only be accomplished by people, not cards and
information, because unauthorized persons can (and do) obtain the cards and information.
Further, life-cycle costs are significantly reduced because no card or PIN administration
system or personnel are required. The authorized person does not lose physical
characteristics (i.e., hands, face, eyes, signature, or voice), but cards and PINs are
continuously lost, stolen, or forgotten. This is why card access systems require systems
and people to administer, control, record, and issue (new) cards and PINs. Moreover, the
cards are an expensive and recurring cost.
NOTE FROM CLEMENT:
This question has been generating lots of interest. The keyword in the question is:
Individual (the person) and also the authenticated portion as well.
I totally agree with you that Two Factors or Strong Authentication would be the strongest
means of authentication. However the question is not asking what is the strongest mean of
authentication, it is asking what is the best way to identify the user (individual) behind the
technology. When answering questions do not make assumptions to facts not presented in
the question or answers.
Nothing can beat Biometrics in such case. You cannot lend your fingerprint and pin to
someone else, you cannot borrow one of my eye balls to defeat the Iris or Retina scan.
This is why it is the best method to authenticate the user.
I think the reference is playing with semantics and that makes it a bit confusing. I have
improved the question to make it a lot clearer and I have also improve the explanations
attached with the question.
The reference mentioned above refers to authenticating the identity for access. So the
distinction is being made that there is identity and there is authentication. In the case of
physical security the enrollment process is where the identity of the user would be validated
and then the biometrics features provided by the user would authenticate the user on a one
to one matching basis (for authentication) with the reference contained in the database of
biometrics templates. In the case of system access, the user might have to provide a
username, a pin, a passphrase, a smart card, and then provide his biometric attributes.
Biometric can also be used for Identification purpose where you do a one to many match.
You take a facial scan of someone within an airport and you attempt to match it with a large
database of known criminal and terrorists. This is how you could use biometric for
Identification.
There are always THREE means of authentication, they are:
Something you know (Type 1) Something you have (Type 2) Something you are (Type 3)
Reference(s) used for this question:
TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th edition (volume 1) , 2000, CRC Press, Chapter 1, Biometric Identification (page 7). and Search Security at http://searchsecurity.techtarget.com/definition/masquerade

Question 701

Question 702

Question 703

Question 704

Question 705

Download PDF File