ISC2 sscp practice test

Systems Security Certified Practitioner Exam

Question 1

Which of the following technologies is a target of XSS or CSS (Cross-Site Scripting) attacks?

  • A. Web Applications
  • B. Intrusion Detection Systems
  • C. Firewalls
  • D. DNS Servers


XSS or Cross-Site Scripting is a threat to web applications where malicious code is placed on a
website that attacks the use using their existing authenticated session status.
Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected
into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an
attacker uses a web application to send malicious code, generally in the form of a browser side
script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and
occur anywhere a web application uses input from a user in the output it generates without
validating or encoding it.
An attacker can use XSS to send a malicious script to an unsuspecting user. The end users browser
has no way to know that the script should not be trusted, and will execute the script. Because it
thinks the script came from a trusted source, the malicious script can access any cookies, session
tokens, or other sensitive information retained by your browser and used with that site. These scripts
can even rewrite the content of the HTML page.
Configure your IPS - Intrusion Prevention System to detect and suppress this traffic.
Input Validation on the web application to normalize inputted data.
Set web apps to bind session cookies to the IP Address of the legitimate user and only permit that IP
Address to use that cookie.
See the XSS (Cross Site Scripting) Prevention Cheat Sheet
See the Abridged XSS Prevention Cheat Sheet
See the DOM based XSS Prevention Cheat Sheet
See the OWASP Development Guide article on Phishing.
See the OWASP Development Guide article on Data Validation.
The following answers are incorrect:
Intrusion Detection Systems: Sorry. IDS Systems aren't usually the target of XSS attacks but a
properly-configured IDS/IPS can "detect and report on malicious string and suppress the TCP
connection in an attempt to mitigate the threat.
Firewalls: Sorry. Firewalls aren't usually the target of XSS attacks.
DNS Servers: Same as above, DNS Servers aren't usually targeted in XSS attacks but they play a key
role in the domain name resolution in the XSS attack process.
The following reference(s) was used to create this question;
CCCure Holistic Security+ CBT and Curriculum
Questions & Answers PDF


Question 2

What is malware that can spread itself over open network connections?

  • A. Worm 725/728 Questions & Answers PDF P-
  • B. Rootkit
  • C. Adware
  • D. Logic Bomb


Computer worms are also known as Network Mobile Code, or a virus-like bit of code that can
replicate itself over a network, infecting adjacent computers.
A computer worm is a standalone malware computer program that replicates itself in order to spread
to other computers. Often, it uses a computer network to spread itself, relying on security failures on
the target computer to access it. Unlike a computer virus, it does not need to attach itself to an
existing program. Worms almost always cause at least some harm to the network, even if only by
consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted
A notable example is the SQL Slammer computer worm that spread globally in ten minutes on
January 25, 2003. I myself came to work that day as a software tester and found all my SQL servers
infected and actively trying to infect other computers on the test network.
A patch had been released a year prior by Microsoft and if systems were not patched and exposed to
a 376 byte UDP packet from an infected host then system would become compromised.
Ordinarily, infected computers are not to be trusted and must be rebuilt from scratch but the
vulnerability could be mitigated by replacing a single vulnerable dll called sqlsort.dll.
Replacing that with the patched version completely disabled the worm which really illustrates to us
the importance of actively patching our systems against such network mobile code.
The following answers are incorrect:
- Rootkit: Sorry, this isn't correct because a rootkit isn't ordinarily classified as network mobile code
like a worm is. This isn't to say that a rootkit couldn't be included in a worm, just that a rootkit isn't
usually classified like a worm. A rootkit is a stealthy type of software, typically malicious, designed to
hide the existence of certain processes or programs from normal methods of detection and enable
continued privileged access to a computer. The term rootkit is a concatenation of "root" (the
traditional name of the privileged account on Unix operating systems) and the word "kit" (which
refers to the software components that implement the tool). The term "rootkit" has negative
connotations through its association with malware.
- Adware: Incorrect answer. Sorry but adware isn't usually classified as a worm. Adware, or
advertising-supported software, is any software package which automatically renders
advertisements in order to generate revenue for its author. The advertisements may be in the user
interface of the software or on a screen presented to the user during the installation process. The
functions may be designed to analyze which Internet sites the user visits and to present advertising
pertinent to the types of goods or services featured there. The term is sometimes used to refer to
software that displays unwanted advertisements.
- Logic Bomb: Logic bombs like adware or rootkits could be spread by worms if they exploit the right
service and gain root or admin access on a computer.
The following reference(s) was used to create this question;
The CCCure
CompTIA Holistic Security+ Tutorial and CBT
Questions & Answers PDF


Question 3

Java is not:

  • A. Object-oriented.
  • B. Distributed.
  • C. Architecture Specific.
  • D. Multithreaded.


JAVA was developed so that the same program could be executed on multiple hardware and
operating system platforms, it is not Architecture Specific.
The following answers are incorrect:
Object-oriented. Is not correct because JAVA is object-oriented. It should use the object-oriented
programming methodology.
Distributed. Is incorrect because JAVA was developed to be able to be distrubuted, run on multiple
computer systems over a network.
Multithreaded. Is incorrect because JAVA is multi-threaded that is calls to subroutines as is the case
with object-oriented programming.
A virus is a program that can replicate itself on a system but not necessarily spread itself by network


Question 4

What best describes a scenario when an employee has been shaving off pennies from multiple
accounts and depositing the funds into his own bank account?

  • A. Data fiddling
  • B. Data diddling
  • C. Salami techniques
  • D. Trojan horses


Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2001, Page


Question 5

Crackers today are MOST often motivated by their desire to:

  • A. Help the community in securing their networks.
  • B. Seeing how far their skills will take them.
  • C. Getting recognition for their actions.
  • D. Gaining Money or Financial Gains.


A few years ago the best choice for this question would have been seeing how far their skills can take
them. Today this has changed greatly, most crimes committed are financially motivated.
Profit is the most widespread motive behind all cybercrimes and, indeed, most crimes- everyone
wants to make money. Hacking for money or for free services includes a smorgasbord of crimes such
as embezzlement, corporate espionage and being a hacker for hire. Scams are easier to undertake
but the likelihood of success is much lower. Money-seekers come from any lifestyle but those with
persuasive skills make better con artists in the same way as those who are exceptionally tech-savvy
make better hacks for hire.
"White hats" are the security specialists (as opposed to Black Hats) interested in helping the
community in securing their networks. They will test systems and network with the owner
A Black Hat is someone who uses his skills for offensive purpose. They do not seek authorization
before they attempt to comprise the security mechanisms in place.
"Grey Hats" are people who sometimes work as a White hat and other times they will work as a
"Black Hat", they have not made up their mind yet as to which side they prefer to be.
The following are incorrect answers:
All the other choices could be possible reasons but the best one today is really for financial gains.
References used for this question;
Questions & Answers PDF


Question 6

What do the ILOVEYOU and Melissa virus attacks have in common?

  • A. They are both denial-of-service (DOS) attacks.
  • B. They have nothing in common.
  • C. They are both masquerading attacks.
  • D. They are both social engineering attacks. 723/728 Questions & Answers PDF P-


While a masquerading attack can be considered a type of social engineering, the Melissa and
ILOVEYOU viruses are examples of masquerading attacks, even if it may cause some kind of denial of
service due to the web server being flooded with messages. In this case, the receiver confidently
opens a message coming from a trusted individual, only to find that the message was sent using the
trusted party's identity.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002,
Chapter 10: Law, Investigation, and Ethics (page 650).


Question 7

Which of the following computer crime is MORE often associated with INSIDERS?

  • A. IP spoofing
  • B. Password sniffing
  • C. Data diddling
  • D. Denial of service (DOS)


It refers to the alteration of the existing data , most often seen before it is entered into an
application.This type of crime is extremely common and can be prevented by using appropriate
access controls and proper segregation of duties. It will more likely be perpetrated by insiders, who
have access to data before it is processed.
The other answers are incorrect because :
IP Spoofing is not correct as the questions asks about the crime associated with the insiders. Spoofing
is generally accomplished from the outside.
Password sniffing is also not the BEST answer as it requires a lot of technical knowledge in
understanding the encryption and decryption process.
Denial of service (DOS) is also incorrect as most Denial of service attacks occur over the internet.
Reference : Shon Harris , AIO v3 , Chapter-10 : Law , Investigation & Ethics , Page : 758-760.


Question 8

The high availability of multiple all-inclusive, easy-to-use hacking tools that do NOT require much
technical knowledge has brought a growth in the number of which type of attackers?

  • A. Black hats 722/728 Questions & Answers PDF P-
  • B. White hats
  • C. Script kiddies
  • D. Phreakers


As script kiddies are low to moderately skilled hackers using available scripts and tools to easily
launch attacks against victims.
The other answers are incorrect because :
Black hats is incorrect as they are malicious , skilled hackers.
White hats is incorrect as they are security professionals.
Phreakers is incorrect as they are telephone/PBX (private branch exchange) hackers.
Reference : Shon Harris AIO v3 , Chapter 12: Operations security , Page : 830


Question 9

Which virus category has the capability of changing its own code, making it harder to detect by anti-
virus software?

  • A. Stealth viruses
  • B. Polymorphic viruses
  • C. Trojan horses
  • D. Logic bombs


A polymorphic virus has the capability of changing its own code, enabling it to have many different
variants, making it harder to detect by anti-virus software. The particularity of a stealth virus is that it
tries to hide its presence after infecting a system. A Trojan horse is a set of unauthorized instructions
that are added to or replacing a legitimate program. A logic bomb is a set of instructions that is
initiated when a specific event occurs.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002,
chapter 11: Application and System Development (page 786).


Question 10

Virus scanning and content inspection of SMIME encrypted e-mail without doing any further
processing is:

  • A. Not possible
  • B. Only possible with key recovery scheme of all user keys
  • C. It is possible only if X509 Version 3 certificates are used
  • D. It is possible only by "brute force" decryption


Content security measures presumes that the content is available in cleartext on the central mail
Encrypted emails have to be decrypted before it can be filtered (e.g. to detect viruses), so you need
the decryption key on the central "crypto mail server".
There are several ways for such key management, e.g. by message or key recovery methods.
However, that would certainly require further processing in order to achieve such goal.

To page 2