SSCP : System Security Certified Practitioner (SSCP) : Part 30

  1. Which of the following are not Remote Access concerns?

    • Justification for remote access
    • Auditing of activities
    • Regular review of access privileges
    • Access badges

    Explanation:

    Access badges are more relevant to physical security rather than remote access.

    “Justification for remote access” is incorrect. Justification for remote access is a relevant concern.

“Auditing of activities” is incorrect. Auditing of activities is an important aspect to assure that malicious or unauthorized activities are not occurring.

“Regular review of access privileges” is incorrect. Regular review of remote access privileges is an important management responsibility.

    References:
    AIO3, pp. 547 – 548

  2. Which of the following security models does NOT concern itself with the flow of data?

    • The information flow model
    • The Biba model
    • The Bell-LaPadula model
    • The noninterference model
    Explanation:

The goal of a noninterference model is to strictly separate differing security levels to assure that higher-level actions do not determine what lower-level users can see. This contrasts with the other models listed, which control information flows between differing levels of users. By maintaining strict separation of security levels, a noninterference model minimizes leakage that might happen through a covert channel.

The Bell-LaPadula model is incorrect. The Bell-LaPadula model is concerned with confidentiality and bases access control decisions on the classification of objects and the clearances of subjects.

    The information flow model is incorrect. The information flow models have a similar framework to the Bell-LaPadula model and control how information may flow between objects based on security classes.

The Biba model is incorrect. The Biba model is concerned with integrity and is a complement to the Bell-LaPadula model in that higher levels of integrity are more trusted than lower levels. Access control is based on these integrity levels to assure that read/write operations do not decrease an object’s integrity.

    References:

    CBK, pp 325 – 326
    AIO3, pp. 290 – 291

  3. What Orange Book security rating is reserved for systems that have been evaluated but fail to meet the criteria and requirements of the higher divisions?

    • A
    • D
    • E
    • F
    Explanation:

    D or “minimal protection” is reserved for systems that were evaluated under the TCSEC but did not meet the requirements for a higher trust level.

A is incorrect. A or “Verified Protection” is the highest trust level under the TCSEC.
    E is incorrect. The trust levels are A – D so “E” is not a valid trust level.
    F is incorrect. The trust levels are A – D so “F” is not a valid trust level.

    CBK, pp. 329 – 330
    AIO3, pp. 302 – 306

  4. What security model implies a central authority that defines rules, and sometimes global rules, dictating what subjects can have access to what objects?

    • Flow Model
    • Discretionary access control
    • Mandatory access control
    • Non-discretionary access control
    Explanation:

    As a security administrator you might configure user profiles so that users cannot change the system’s time, alter system configuration files, access a command prompt, or install unapproved applications. This type of access control is referred to as nondiscretionary, meaning that access decisions are not made at the discretion of the user. Nondiscretionary access controls are put into place by an authoritative entity (usually a security administrator) with the goal of protecting the organization’s most critical assets.

    Non-discretionary access control is when a central authority determines what subjects can have access to what objects based on the organizational security policy. Centralized access control is not an existing security model.
    Both Rule Based Access Control (RuBAC, often also abbreviated RBAC) and Role Based Access Control (RBAC) fall into this category.

    Reference(s) used for this question:

    Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 221). McGraw-Hill. Kindle Edition.
    and
    KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 33).

  5. Which type of password token involves time synchronization?

    • Static password tokens
    • Synchronous dynamic password tokens
    • Asynchronous dynamic password tokens
    • Challenge-response tokens
    Explanation:
    Synchronous dynamic password tokens generate a new unique password value at fixed time intervals, so the server and token need to be synchronized for the password to be accepted.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 37).
    Also check out: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 4: Access Control (page 136).
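
    As an added example (not code from the page or the cited books), the following Python implements the synchronous dynamic password token described above: an RFC 6238 TOTP code derived from a shared secret and the current 30-second time step, together with the server-side check that tolerates a small clock skew and rejects reuse of a code it has already accepted. The secret is the RFC 4226/6238 test-vector key; the skew window and the replay bookkeeping are design choices of this example, not something the page specifies. The skew window is also what Question 9 below calls token resynchronization.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is the number of `step`-second intervals since the Unix epoch.
    Token and server each compute this from their own clock, which is why they must stay in sync."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server side of the exchange (constructed for this example).

    Accepts a code if it matches any step within +/- `skew` steps of the server clock
    (small drift is tolerated; larger drift needs an explicit resynchronization), and
    remembers the highest step already consumed so a sniffed code cannot be replayed.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.secret, self.step, self.digits, self.skew = secret, step, digits, skew
        self.last_step_used = -1

    def verify(self, code: str, now: int) -> bool:
        server_step = now // self.step
        for candidate in range(server_step - self.skew, server_step + self.skew + 1):
            if candidate <= self.last_step_used:
                continue  # this step (or an older one) was already used: treat as replay
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_step_used = candidate
                return True
        return False


# RFC 4226 / RFC 6238 shared test-vector secret (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    now = int(time.time())
    print("current 6-digit TOTP:", totp(TEST_SECRET, now))
    v = TotpVerifier(TEST_SECRET, digits=8)
    print("fresh code accepted:", v.verify(totp(TEST_SECRET, 59, digits=8), now=59))
    print("same code replayed:", v.verify(totp(TEST_SECRET, 59, digits=8), now=59))
```

    Running it against the RFC test vectors (`totp(TEST_SECRET, 59, digits=8)` is `94287082`) shows that a token whose clock is one step ahead is still accepted, while one that has drifted two or more steps is refused until resynchronized, and that a replayed code is rejected even inside the window.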
  6. Smart cards are an example of which type of control?

    • Detective control
    • Administrative control
    • Technical control
    • Physical control
    Explanation:

    Logical or technical controls involve the restriction of access to systems and the protection of information. Smart cards and encryption are examples of these types of control.

    Controls are put into place to reduce the risk an organization faces, and they come in three main flavors: administrative, technical, and physical. Administrative controls are commonly referred to as “soft controls” because they are more management-oriented. Examples of administrative controls are security documentation, risk management, personnel security, and training. Technical controls (also called logical controls) are software or hardware components, as in firewalls, IDS, encryption, identification and authentication mechanisms. And physical controls are items put into place to protect facility, personnel, and resources. Examples of physical controls are security guards, locks, fencing, and lighting.

    Many types of technical controls enable a user to access a system and the resources within that system. A technical control may be a username and password combination, a Kerberos implementation, biometrics, public key infrastructure (PKI), RADIUS, TACACS +, or authentication using a smart card through a reader connected to a system. These technologies verify the user is who he says he is by using different types of authentication methods. Once a user is properly authenticated, he can be authorized and allowed access to network resources.

    Reference(s) used for this question:

    Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (p. 245). McGraw-Hill. Kindle Edition.
    and
    KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 32).

  7. What security model is dependent on security labels?

    • Discretionary access control
    • Label-based access control
    • Mandatory access control
    • Non-discretionary access control
    Explanation:
    With mandatory access control (MAC), the authorization of a subject’s access to an object is dependent upon labels, which indicate the subject’s clearance and the classification or sensitivity of the object. “Label-based access control” is not a defined model.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 33).
  8. Which of the following access control models introduces user security clearance and data classification?

    • Role-based access control
    • Discretionary access control
    • Non-discretionary access control
    • Mandatory access control
    Explanation:

    The mandatory access control model is based on a security label system. Users are given a security clearance and data is classified. The classification is stored in the security labels of the resources. Classification labels specify the level of trust a user must have to access a certain file.

    Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter 4: Access Control (Page 154).

  9. Which of the following is NOT an advantage that TACACS+ has over TACACS?

    • Event logging
    • Use of two-factor password authentication
    • User has the ability to change his password
    • Ability for security tokens to be resynchronized
    Explanation:
    Although TACACS+ provides better audit trails, event logging is a service that is provided with TACACS.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 121).
  10. Which of the following remote access authentication systems is the most robust?

    • TACACS+
    • RADIUS
    • PAP
    • TACACS
    Explanation:
    TACACS+ is a proprietary Cisco enhancement to TACACS and is more robust than RADIUS: it runs over TCP, encrypts the entire packet body rather than only the password, and separates authentication, authorization and accounting. PAP (Password Authentication Protocol) is not a remote access authentication system but a remote node security protocol; it sends the password in cleartext and offers no protection against eavesdropping.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 122).
  11. Which of the following would be used to implement Mandatory Access Control (MAC)?

    • Clark-Wilson Access Control
    • Role-based access control
    • Lattice-based access control
    • User dictated access control
    Explanation:

    The lattice is a mechanism used to implement Mandatory Access Control (MAC).

    Under Mandatory Access Control (MAC) you have:
    Mandatory Access Control

    Under Non Discretionary Access Control (NDAC) you have:
    Rule-Based Access Control
    Role-Based Access Control

    Under Discretionary Access Control (DAC) you have:
    Discretionary Access Control

    Lattice Based Access Control is a type of access control used to implement other access control methods. A lattice is a partially ordered set of elements in which every pair of elements has a least upper bound and a greatest lower bound. The lattice can be used for MAC, DAC, integrity levels, file permissions, and more.

    For example in the case of MAC, if we look at common government classifications, we have the following:

    TOP SECRET
    SECRET ———————–I am the user at secret
    CONFIDENTIAL
    SENSITIVE BUT UNCLASSIFIED
    UNCLASSIFIED

    If you look at the diagram above where I am a user at SECRET, it means that I can access documents at lower classifications but not documents at TOP SECRET. The lattice is a set of ORDERED ELEMENTS; in this case the ordered elements are classification levels. Everything from UNCLASSIFIED up to SECRET is dominated by my clearance; TOP SECRET is not.

    However the lattice could also be used for Integrity Levels such as:

    VERY HIGH
    HIGH
    MEDIUM ———-I am a user, process, application at the medium level
    LOW
    VERY LOW
    In the case of integrity levels you have to think about TRUST. If I take for example the Vista operating system, whose Mandatory Integrity Control is based on Biba, then integrity levels would be used. As a user having access to the system I cannot tell a process running with administrative privilege what to do; otherwise any user on the system could take control of the system by getting a highly privileged process to do things on their behalf. That is Biba’s no-write-up rule (a lower-integrity subject may not modify or direct a higher-integrity object); the companion rule, no read down, stops a higher-integrity subject from consuming lower-integrity input. Both are part of the Biba model.

    Last but not least the lattice could be use for file permissions:

    RWX
    RW ———User at this level
    R

    If I am a user with READ and WRITE (RW) access privilege then I cannot execute the file because I do not have execute permission, which is the X under Linux and UNIX.

    Many people confuse the lattice model with MAC, and many books say MAC = LATTICE; however the lattice can be used for other purposes.

    There is also Role Based Access Control (RBAC). It COULD be used to simulate MAC but it is not MAC, as it does not make use of labels on objects indicating sensitivity and categories. MAC also requires that the subject’s clearance dominate the object’s label (same or higher level, and a superset of its categories).

    You can get more info about RBAC at:http://csrc.nist.gov/groups/SNS/rbac/faq.html#03

    Also note that many books use the same acronym, RBAC, for both Role Based Access Control and Rule Based Access Control, which can be confusing.

    The proper way of writing the acronym for Rule Based Access Control is RuBAC; unfortunately it is not commonly used.

    References:
    There is a great article on technet that talks about the lattice in VISTA:
    http://blogs.technet.com/b/steriley/archive/2006/07/21/442870.aspx

    also see:
    KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 33).
    and
    http://www.microsoft-watch.com/content/vista/gaging_vistas_integrity.html

  12. Which type of attack involves impersonating a user or a system?

    • Smurfing attack
    • Spoofing attack
    • Spamming attack
    • Sniffing attack
    Explanation:
    A spoofing attack is when an attempt is made to gain access to a computer system by posing as an authorized user or system. Spamming refers to sending out or posting junk advertising and unsolicited mail. A smurf attack is a type of denial-of-service attack using PING and a spoofed address. Sniffing refers to observing packets passing on a network.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 77).
  13. What does the simple security (ss) property mean in the Bell-LaPadula model?

    • No read up
    • No write down
    • No read down
    • No write up
    Explanation:
    The ss (simple security) property of the Bell-LaPadula access control model states that reading of information by a subject at a lower sensitivity level from an object at a higher sensitivity level is not permitted (no read up).
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security Architectures and Models (page 202).
  14. What does the (star) property mean in the Bell-LaPadula model?

    • No write up
    • No read up
    • No write down
    • No read down
    Explanation:
    The (star) property of the Bell-LaPadula access control model states that writing of information by a subject at a higher level of sensitivity to an object at a lower level of sensitivity is not permitted (no write down).
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security Architectures and Models (page 202).
    Also check out: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter 5: Security Models and Architecture (page 242, 243).
  15. Which of the following is an example of a passive attack?

    • Denying services to legitimate users
    • Shoulder surfing
    • Brute-force password cracking
    • Smurfing
    Explanation:
    Shoulder surfing is a form of passive attack involving stealing passwords, personal identification numbers or other confidential information by looking over someone’s shoulder. All the other options are active attacks, in which a threat actor makes a modification to the system in an attempt to take advantage of a vulnerability.
    Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 3: Security Management Practices (page 63).
  16. What does the Clark-Wilson security model focus on?

    • Confidentiality
    • Integrity
    • Accountability
    • Availability
    Explanation:
    The Clark-Wilson model addresses integrity. It incorporates mechanisms to enforce internal and external consistency, a separation of duty, and a mandatory integrity policy.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security Architectures and Models (page 205).
  17. Which of the following access control models requires defining classification for objects?

    • Role-based access control
    • Discretionary access control
    • Identity-based access control
    • Mandatory access control
    Explanation:

    With mandatory access control (MAC), the authorization of a subject’s access to an object is dependent upon labels, which indicate the subject’s clearance and the classification of objects.

    The Following answers were incorrect:

    Identity-based Access Control is a type of Discretionary Access Control (DAC), they are synonymous.
    Role Based Access Control (RBAC) and Rule Based Access Control (RuBAC or RBAC) are types of Non Discretionary Access Control (NDAC).

    Tip:
    When you have two answers that are synonymous they are not the right choice for sure.

    There is only one access control model that makes use of labels, clearances, and categories: Mandatory Access Control. None of the others makes use of those items.

    Reference(s) used for this question:
    KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 33).

  18. In the context of access control, locks, gates, guards are examples of which of the following?

    • Administrative controls
    • Technical controls
    • Physical controls
    • Logical controls
    Explanation:

    Administrative, technical and physical controls are categories of access control mechanisms.

    Logical and technical controls are synonymous, so both of them can be eliminated as possible choices.

    Physical Controls: These are controls to protect the organization’s people and physical environment, such as locks, gates, and guards. Physical controls may be called “operational controls” in some contexts.

    Physical security covers a broad spectrum of controls to protect the physical assets (primarily the people) in an organization. Physical Controls are sometimes referred to as “operational” controls in some risk management frameworks. These controls range from doors, locks, and windows to environment controls, construction standards, and guards. Typically, physical security is based on the notion of establishing security zones or concentric areas within a facility that require increased security as you get closer to the valuable assets inside the facility. Security zones are the physical representation of the defense-in-depth principle discussed earlier in this chapter. Typically, security zones are associated with rooms, offices, floors, or smaller elements, such as a cabinet or storage locker. The design of the physical security controls within the facility must take into account the protection of the asset as well as the individuals working in that area.

    Reference(s) used for this question:

    Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 1301-1303). Auerbach Publications. Kindle Edition.
    and
    Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 1312-1318). Auerbach Publications. Kindle Edition.

  19. Password management falls into which control category?

    • Compensating
    • Detective
    • Preventive
    • Technical
    Explanation:

    Password management is an example of preventive control.
    Proper passwords prevent unauthorized users from accessing a system.

    There are literally hundreds of different access approaches, control methods, and technologies, both in the physical world and in the virtual electronic world. Each method addresses a different type of access control or a specific access need.

    For example, access control solutions may incorporate identification and authentication mechanisms, filters, rules, rights, logging and monitoring, policy, and a plethora of other controls. However, despite the diversity of access control methods, all access control systems can be categorized into seven primary categories.

    The seven main categories of access control are:

    1. Directive: Controls designed to specify acceptable rules of behavior within an organization
    2. Deterrent: Controls designed to discourage people from violating security directives
    3. Preventive: Controls implemented to prevent a security incident or information breach
    4. Compensating: Controls implemented to substitute for the loss of primary controls and mitigate risk down to an acceptable level
    5. Detective: Controls designed to signal a warning when a security control has been breached
    6. Corrective: Controls implemented to remedy circumstance, mitigate damage, or restore controls
    7. Recovery: Controls implemented to restore conditions to normal after a security incident

    Reference(s) used for this question:
    Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 1156-1176). Auerbach Publications. Kindle Edition.

  20. Which of the following access control models requires security clearance for subjects?

    • Identity-based access control
    • Role-based access control
    • Discretionary access control
    • Mandatory access control
    Explanation:

    With mandatory access control (MAC), the authorization of a subject’s access to an object is dependent upon labels, which indicate the subject’s clearance. Identity-based access control is a type of discretionary access control. Role-based access control is a type of non-discretionary access control.

    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 33).
