SSCP : System Security Certified Practitioner (SSCP) : Part 34

  1. Which of the following statements pertaining to RADIUS is incorrect?

    • A RADIUS server can act as a proxy server, forwarding client requests to other authentication domains.
    • Most RADIUS clients have the capability to query secondary RADIUS servers for redundancy.
    • Most RADIUS servers have built-in database connectivity for billing and reporting purposes.
    • Most RADIUS servers can work with DIAMETER servers.

    Explanation:

    The statement that most RADIUS servers can work with DIAMETER servers is the correct answer because it is FALSE.

    Diameter is an AAA (authentication, authorization and accounting) protocol for computer networks, and it is a successor to RADIUS.

    The name is a pun on the RADIUS protocol, which is the predecessor (a diameter is twice the radius).

    The main differences are as follows:

    Reliable transport protocols (TCP or SCTP, not UDP)
    The IETF is in the process of standardizing TCP Transport for RADIUS
    Network or transport layer security (IPsec or TLS)
    The IETF is in the process of standardizing Transport Layer Security for RADIUS
    Transition support for RADIUS, although Diameter is not fully compatible with RADIUS
    Larger address space for attribute-value pairs (AVPs) and identifiers (32 bits instead of 8 bits)
    Client–server protocol, with the exception of supporting some server-initiated messages as well
    Both stateful and stateless models can be used
    Dynamic discovery of peers (using DNS SRV and NAPTR)
    Capability negotiation
    Supports application layer acknowledgements, defines failover methods and state machines (RFC 3539)
    Error notification
    Better roaming support
    More easily extended; new commands and attributes can be defined
    Aligned on 32-bit boundaries
    Basic support for user-sessions and accounting

    A Diameter Application is not a software application, but a protocol based on the Diameter base protocol (defined in RFC 3588). Each application is defined by an application identifier and can add new command codes and/or new mandatory AVPs. Adding a new optional AVP does not require a new application.

    Examples of Diameter applications:

    Diameter Mobile IPv4 Application (MobileIP, RFC 4004)
    Diameter Network Access Server Application (NASREQ, RFC 4005)
    Diameter Extensible Authentication Protocol (EAP) Application (RFC 4072)
    Diameter Credit-Control Application (DCCA, RFC 4006)
    Diameter Session Initiation Protocol Application (RFC 4740)
    Various applications in the 3GPP IP Multimedia Subsystem

    All of the other choices presented are true. So Diameter is backward compatible with RADIUS (to some extent), but the opposite is false.

    Reference(s) used for this question:

    TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 2, 2001, CRC Press, NY, Page 38.
    and
    https://secure.wikimedia.org/wikipedia/en/wiki/Diameter_%28protocol%29
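The "larger address space for AVPs (32 bits instead of 8 bits)" and "aligned on 32-bit boundaries" differences above are easiest to see by encoding the same attribute in both wire formats. The following is an added example (not code from the page or from any RADIUS/Diameter implementation) that encodes a RADIUS attribute (8-bit Type, 8-bit Length) next to a Diameter AVP (32-bit Code, 8-bit Flags, 24-bit Length, optional Vendor-ID, 32-bit padding) and parses the AVP back; the sample values are constructed.

```python
import struct
from typing import Optional, Tuple

# Constructed demo values; attribute/AVP code 1 is User-Name in both
# RFC 2865 (RADIUS) and RFC 3588 (Diameter). Other codes below are made up.
RADIUS_VALUE_MAX = 253          # 8-bit Length also counts the 2 header octets
DIAMETER_FLAG_V = 0x80          # Vendor-Specific bit in the AVP Flags octet
DIAMETER_FLAG_M = 0x40          # Mandatory bit in the AVP Flags octet


def radius_can_carry(attr_type: int, value: bytes) -> bool:
    """True if (type, value) fits the RADIUS attribute format:
    8-bit Type, 8-bit Length (header + value), Value of at most 253 octets."""
    return 0 <= attr_type <= 0xFF and len(value) <= RADIUS_VALUE_MAX


def radius_attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type | Length | Value."""
    if not radius_can_carry(attr_type, value):
        raise ValueError("type or value does not fit an 8-bit RADIUS attribute")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def diameter_avp(code: int, value: bytes, flags: int = DIAMETER_FLAG_M,
                 vendor_id: Optional[int] = None) -> bytes:
    """Encode one Diameter AVP: 32-bit Code, 8-bit Flags, 24-bit Length,
    optional 32-bit Vendor-ID, Data, then zero padding to a 32-bit boundary.
    AVP Length counts the header and data but not the padding."""
    if not 0 <= code <= 0xFFFFFFFF:
        raise ValueError("AVP code must fit in 32 bits")
    vendor = b"" if vendor_id is None else struct.pack("!I", vendor_id)
    if vendor:
        flags |= DIAMETER_FLAG_V
    length = 8 + len(vendor) + len(value)   # fixed header (8) + Vendor-ID + data
    if length > 0xFFFFFF:
        raise ValueError("AVP length must fit in 24 bits")
    header = struct.pack("!IB", code, flags) + length.to_bytes(3, "big") + vendor
    padding = b"\x00" * (-length % 4)       # keep the next AVP 32-bit aligned
    return header + value + padding


def parse_diameter_avp(buf: bytes) -> Tuple[int, int, Optional[int], bytes, int]:
    """Decode the first AVP in buf; return (code, flags, vendor_id, data,
    octets consumed including padding) so a caller can walk a whole message."""
    if len(buf) < 8:
        raise ValueError("truncated AVP header")
    code, flags = struct.unpack("!IB", buf[:5])
    length = int.from_bytes(buf[5:8], "big")
    offset = 8
    vendor_id = None
    if flags & DIAMETER_FLAG_V:
        vendor_id = struct.unpack("!I", buf[8:12])[0]
        offset = 12
    if length < offset or length > len(buf):
        raise ValueError("AVP length field inconsistent with buffer")
    consumed = length + (-length % 4)
    return code, flags, vendor_id, buf[offset:length], consumed


if __name__ == "__main__":
    print(radius_attribute(1, b"alice").hex())
    avp = diameter_avp(1, b"alice")
    print(avp.hex(), parse_diameter_avp(avp))
    # A 300-octet value or an attribute code above 255 fits only Diameter.
    print(radius_can_carry(300, b"x"), radius_can_carry(1, b"x" * 300))
```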

  2. How should a doorway of a manned facility with automatic locks be configured?

    • It should be configured to be fail-secure.
    • It should be configured to be fail-safe.
    • It should have a door delay cipher lock.
    • It should not allow piggybacking.
    Explanation:

    Access controls are meant to protect facilities and computers as well as people.

    In some situations, the objectives of physical access controls and the protection of people’s lives may come into conflict. In these situations, a person’s life always takes precedence.

    Many physical security controls make entry into and out of a facility hard, if not impossible. However, special consideration needs to be taken when this could affect lives. In an information processing facility, different types of locks can be used and piggybacking should be prevented, but the issue here with automatic locks is that they can either be configured as fail-safe or fail-secure.

    Since there should only be one access door to an information processing facility, the automatic lock on the only door to a manned room must be configured to allow people out in case of emergency, hence to be fail-safe (sometimes called fail-open), meaning that upon fire alarm activation or electric power failure, the locking device unlocks. This is because the solenoid that is held powered to keep the lock in a locked state loses power and thus opens or unlocks the electronic lock.

    Fail-secure works just the other way. The lock device is in a locked or secure state with no power applied. Upon authorized entry, a solenoid unlocks the lock temporarily. Thus in a fail-secure lock, loss of power or fire alarm activation causes the lock to remain in a secure mode.

    Reference(s) used for this question:

    Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 451). McGraw-Hill. Kindle Edition.
    and
    Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 20249-20251). Auerbach Publications. Kindle Edition.

  3. Which of the following is not a service provided by AAA servers (RADIUS, TACACS and DIAMETER)?

    • Authentication
    • Administration
    • Accounting
    • Authorization
    Explanation:

    Radius, TACACS and DIAMETER are classified as authentication, authorization, and accounting (AAA) servers.
    Source: TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 2, 2001, CRC Press, NY, Page 33.

    also see:
    The term “AAA” is often used, describing cornerstone concepts [of the AIC triad] Authentication, Authorization, and Accountability. Left out of the AAA acronym is Identification which is required before the three “A’s” can follow. Identity is a claim, Authentication proves an identity, Authorization describes the action you can perform on a system once you have been identified and authenticated, and accountability holds users accountable for their actions.
    Reference: CISSP Study Guide, Conrad Misenar, Feldman p. 10-11, (c) 2010 Elsevier.

  4. Which authentication technique best protects against hijacking?

    • Static authentication
    • Continuous authentication
    • Robust authentication
    • Strong authentication
    Explanation:
    A continuous authentication provides protection against impostors who can see, alter, and insert information passed between the claimant and verifier even after the claimant/verifier authentication is complete. This is the best protection against hijacking. Static authentication is the type of authentication provided by traditional password schemes and the strength of the authentication is highly dependent on the difficulty of guessing passwords. The robust authentication mechanism relies on dynamic authentication data that changes with each authenticated session between a claimant and a verifier, and it does not protect against hijacking. Strong authentication refers to a two-factor authentication (like something a user knows and something a user is).
    Source: TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th edition (volume 1), 2000, CRC Press, Chapter 3: Secured Connections to External Networks (page 51).
  5. Which of the following is not a security goal for remote access?

    • Reliable authentication of users and systems
    • Protection of confidential data
    • Easy to manage access control to systems and network resources
    • Automated login for remote users
    Explanation:
    An automated login function for remote users would imply a weak authentication, thus certainly not a security goal.
    Source: TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th edition, volume 2, 2001, CRC Press, Chapter 5: An Introduction to Secure Remote Access (page 100).
  6. What is considered the most important type of error to avoid for a biometric access control system?

    • Type I Error
    • Type II Error
    • Combined Error Rate
    • Crossover Error Rate
    Explanation:

    When a biometric system is used for access control, the most important error is the false accept or false acceptance rate, or Type II error, where the system would accept an impostor.

    A Type I error is known as the false reject or false rejection rate and is not as important in the security context as a Type II error rate. A Type I error is when a valid company employee is rejected by the system and cannot get access even though they are a valid user.

    The Crossover Error Rate (CER) is the point at which the false rejection rate equals the false acceptance rate if you were to plot the Type I and Type II errors on a graph. The lower the CER, the better the device.

    The Combined Error Rate is a distracter and does not exist.
    Source: TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th edition (volume 1), 2000, CRC Press, Chapter 1, Biometric Identification (page 10).
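To make the Type I / Type II / CER distinction concrete, here is an added example (not from the page or its references) that sweeps a biometric matcher's decision threshold over constructed genuine and impostor match scores, computes FRR (Type I) and FAR (Type II) at each threshold, locates the crossover point, and then picks the stricter threshold an access-control deployment would use to cap FAR; the score lists are made up for the demo.

```python
from typing import List, Tuple

# Constructed match scores (0-100) for the demo, not real biometric data.
# Higher means a closer match to the enrolled template.
GENUINE_SCORES: List[int] = [92, 88, 85, 81, 79, 76, 74, 71,
                             69, 66, 63, 60, 57, 55, 52, 48]
IMPOSTOR_SCORES: List[int] = [58, 55, 51, 49, 47, 45, 44, 42,
                              40, 38, 36, 34, 31, 29, 25, 20]


def error_rates(threshold: int, genuine: List[int],
                impostor: List[int]) -> Tuple[float, float]:
    """Return (FAR, FRR) for a given acceptance threshold.
    Type II / FAR: impostors scoring at or above threshold are accepted.
    Type I  / FRR: genuine users scoring below threshold are rejected."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def crossover_error_rate(genuine: List[int],
                         impostor: List[int]) -> Tuple[int, float]:
    """Sweep every threshold and return (threshold, CER) at the point where
    FAR and FRR are closest; the first such threshold wins on ties."""
    best_gap, best_t, best_cer = None, 0, 0.0
    for t in range(0, 101):
        far, frr = error_rates(t, genuine, impostor)
        gap = abs(far - frr)
        if best_gap is None or gap < best_gap:
            best_gap, best_t, best_cer = gap, t, (far + frr) / 2
    return best_t, best_cer


def threshold_for_max_far(max_far: float, genuine: List[int],
                          impostor: List[int]) -> Tuple[int, float, float]:
    """Lowest threshold whose FAR is at most max_far. For access control the
    Type II error is the one to avoid, so we accept the higher FRR this costs.
    Returns (threshold, far, frr)."""
    for t in range(0, 101):
        far, frr = error_rates(t, genuine, impostor)
        if far <= max_far:
            return t, far, frr
    return 101, 0.0, 1.0   # reject everything if no threshold satisfies it


if __name__ == "__main__":
    t, cer = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"CER {cer:.3f} at threshold {t}")
    t, far, frr = threshold_for_max_far(0.0, GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"zero-FAR threshold {t}: FAR {far:.3f}, FRR {frr:.3f}")
```

Moving the threshold up from the CER drives the false-accept rate to zero at the price of turning away more legitimate users, which is the trade the question is asking about.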

  7. How can an individual/person best be identified or authenticated to prevent local masquerading attacks?

    • UserId and password
    • Smart card and PIN code
    • Two-factor authentication
    • Biometrics
    Explanation:

    The only way to be truly positive in authenticating identity for access is to base the authentication on the physical attributes of the persons themselves (i.e., biometric identification). Physical attributes cannot be shared, borrowed, or duplicated. They ensure that you do identify the person, however they are not perfect and they would have to be supplemented by another factor.

    Some people are getting thrown off by the term masquerade. In general, a masquerade is a disguise. In terms of communications security issues, a masquerade is a type of attack where the attacker pretends to be an authorized user of a system in order to gain access to it or to gain greater privileges than they are authorized for. A masquerade may be attempted through the use of stolen logon IDs and passwords, through finding security gaps in programs, or through bypassing the authentication mechanism. Spoofing is another term used to describe this type of attack as well.

    A UserId only provides for identification.

    A password is a weak authentication mechanism since passwords can be disclosed, shared, written down, and more.

    A smart card can be stolen and its corresponding PIN code can be guessed by an intruder. A smartcard can be borrowed by a friend of yours and you would have no clue as to who is really logging in using that smart card.

    Any form of two-factor authentication not involving biometrics cannot be as reliable as a biometric system to identify the person.

    Biometric identifying verification systems control people. If the person with the correct hand, eye, face, signature, or voice is not present, the identification and verification cannot take place and the desired action (i.e., portal passage, data, or resource access) does not occur.

    As has been demonstrated many times, adversaries and criminals obtain and successfully use access cards, even those that require the addition of a PIN. This is because these systems control only pieces of plastic (and sometimes information), rather than people. Real asset and resource protection can only be accomplished by people, not cards and information, because unauthorized persons can (and do) obtain the cards and information.

    Further, life-cycle costs are significantly reduced because no card or PIN administration system or personnel are required. The authorized person does not lose physical characteristics (i.e., hands, face, eyes, signature, or voice), but cards and PINs are continuously lost, stolen, or forgotten. This is why card access systems require systems and people to administer, control, record, and issue (new) cards and PINs. Moreover, the cards are an expensive and recurring cost.

    NOTE FROM CLEMENT:
    This question has been generating lots of interest. The keyword in the question is: Individual (the person) and also the authenticated portion as well.

    I totally agree with you that Two Factor or Strong Authentication would be the strongest means of authentication. However, the question is not asking what is the strongest means of authentication; it is asking what is the best way to identify the user (individual) behind the technology. When answering questions, do not make assumptions about facts not presented in the question or answers.

    Nothing can beat Biometrics in such a case. You cannot lend your fingerprint and PIN to someone else, and you cannot borrow one of my eyeballs to defeat the Iris or Retina scan. This is why it is the best method to authenticate the user.

    I think the reference is playing with semantics and that makes it a bit confusing. I have improved the question to make it a lot clearer and I have also improved the explanations attached to the question.

    The reference mentioned above refers to authenticating the identity for access. So the distinction is being made that there is identity and there is authentication. In the case of physical security the enrollment process is where the identity of the user would be validated and then the biometrics features provided by the user would authenticate the user on a one to one matching basis (for authentication) with the reference contained in the database of biometrics templates. In the case of system access, the user might have to provide a username, a pin, a passphrase, a smart card, and then provide his biometric attributes.

    Biometrics can also be used for identification purposes, where you do a one-to-many match. You take a facial scan of someone within an airport and you attempt to match it with a large database of known criminals and terrorists. This is how you could use biometrics for identification.

    There are always THREE means of authentication; they are:

    Something you know (Type 1)
    Something you have (Type 2)
    Something you are (Type 3)

    Reference(s) used for this question:
    TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th edition (volume 1) , 2000, CRC Press, Chapter 1, Biometric Identification (page 7).
    and
    Search Security at http://searchsecurity.techtarget.com/definition/masquerade

  8. Which of the following questions is less likely to help in assessing physical and environmental protection?

    • Are entry codes changed periodically?
    • Are appropriate fire suppression and prevention devices installed and working?
    • Are there processes to ensure that unauthorized individuals cannot read, copy, alter, or steal printed or electronic information?
    • Is physical access to data transmission lines controlled?
    Explanation:
    Physical security and environmental security are part of operational controls, and are measures taken to protect systems, buildings, and related supporting infrastructures against threats associated with their physical environment. All the questions above are useful in assessing physical and environmental protection except for the one regarding processes ensuring that unauthorized individuals cannot access information, which is more of a production control.
    Source: SWANSON, Marianne, NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems, November 2001 (Pages A-21 to A-24).
  9. How would nonrepudiation best be classified?

    • A preventive control
    • A logical control
    • A corrective control
    • A compensating control
    Explanation:
    Systems accountability depends on the ability to ensure that senders cannot deny sending information and that receivers cannot deny receiving it. Because the mechanisms implemented in nonrepudiation prevent the ability to successfully repudiate an action, it can be considered as a preventive control.
    Source: STONEBURNER, Gary, NIST Special Publication 800-33: Underlying Technical Models for Information Technology Security, National Institute of Standards and Technology, December 2001, page 7.
  10. Which of the following questions is less likely to help in assessing identification and authentication controls?

    • Is a current list maintained and approved of authorized users and their access?
    • Are passwords changed at least every ninety days or earlier if needed?
    • Are inactive user identifications disabled after a specified period of time?
    • Is there a process for reporting incidents?
    Explanation:
    Identification and authentication is a technical measure that prevents unauthorized people (or unauthorized processes) from entering an IT system. Access control usually requires that the system be able to identify and differentiate among users. Reporting incidents is more related to incident response capability (operational control) than to identification and authentication (technical control).
    Source: SWANSON, Marianne, NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems, November 2001 (Pages A-30 to A-32).
  11. Which of the following questions is less likely to help in assessing physical access controls?

    • Does management regularly review the list of persons with physical access to sensitive facilities?
    • Is the operating system configured to prevent circumvention of the security software and application controls?
    • Are keys or other access devices needed to enter the computer room and media library?
    • Are visitors to sensitive areas signed in and escorted?
    Explanation:
    Physical security and environmental security are part of operational controls, and are measures taken to protect systems, buildings, and related supporting infrastructures against threats associated with their physical environment. All the questions above are useful in assessing physical access controls except for the one regarding operating system configuration, which is a logical access control.
    Source: SWANSON, Marianne, NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems, November 2001 (Pages A-21 to A-24).
  12. Which of the following classes is defined in the TCSEC (Orange Book) as discretionary protection?

    • C
    • B
    • A
    • D
    Explanation:
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, page 197.
    Also: THE source for all TCSEC “level” questions: http://csrc.nist.gov/publications/secpubs/rainbow/std001.txt
  13. Which of the following divisions is defined in the TCSEC (Orange Book) as minimal protection?

    • Division D
    • Division C
    • Division B
    • Division A
    Explanation:

    The criteria are divided into four divisions: D, C, B, and A ordered in a hierarchical manner with the highest division (A) being reserved for systems providing the most comprehensive security.

    Each division represents a major improvement in the overall confidence one can place in the system for the protection of sensitive information.

    Within divisions C and B there are a number of subdivisions known as classes. The classes are also ordered in a hierarchical manner with systems representative of division C and lower classes of division B being characterized by the set of computer security mechanisms that they possess.

    Assurance of correct and complete design and implementation for these systems is gained mostly through testing of the security-relevant portions of the system. The security-relevant portions of a system are referred to throughout this document as the Trusted Computing Base (TCB).

    Systems representative of higher classes in division B and division A derive their security attributes more from their design and implementation structure. Increased assurance that the required features are operative, correct, and tamperproof under all circumstances is gained through progressively more rigorous analysis during the design process.

    TCSEC provides a classification system that is divided into hierarchical divisions of assurance levels:

    Division D – minimal security
    Division C – discretionary protection
    Division B – mandatory protection
    Division A – verified protection

    Reference: page 358 AIO V.5 Shon Harris

    also
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, page 197.
    Also:
    THE source for all TCSEC “level” questions: http://csrc.nist.gov/publications/secpubs/rainbow/std001.txt

  14. In which of the following security models is the subject’s clearance compared to the object’s classification such that specific rules can be applied to control how the subject-to-object interactions take place?

    • Bell-LaPadula model
    • Biba model
    • Access Matrix model
    • Take-Grant model
    Explanation:

    The Bell-LaPadula model is also called a multilevel security system because users with different clearances use the system and the system processes data with different classifications. It was developed by the US military in the 1970s.

    A security model maps the abstract goals of the policy to information system terms by specifying explicit data structures and techniques necessary to enforce the security policy. A security model is usually represented in mathematics and analytical ideas, which are mapped to system specifications and then developed by programmers through programming code. So we have a policy that encompasses security goals, such as “each subject must be authenticated and authorized before accessing an object.” The security model takes this requirement and provides the necessary mathematical formulas, relationships, and logic structure to be followed to accomplish this goal.

    A system that employs the Bell-LaPadula model is called a multilevel security system because users with different clearances use the system, and the system processes data at different classification levels. The level at which information is classified determines the handling procedures that should be used. The Bell-LaPadula model is a state machine model that enforces the confidentiality aspects of access control. A matrix and security levels are used to determine if subjects can access different objects. The subject’s clearance is compared to the object’s classification and then specific rules are applied to control how subject-to-object interactions can take place.

    Reference(s) used for this question:
    Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (p. 369). McGraw-Hill. Kindle Edition.
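The clearance-versus-classification comparison and the rules applied to it can be shown as a small reference monitor. The following is an added example (not code from the page or from Harris) that models Bell-LaPadula labels as a level plus need-to-know categories, applies the simple security property (no read up) and the *-property (no write down) to each request, and records granted accesses as state; the lattice, subject and objects are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Ordered sensitivity levels (constructed lattice for the demo).
LEVELS: Dict[str, int] = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1,
                          "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A security level: hierarchical level plus need-to-know categories.
    Subjects carry one as a clearance, objects as a classification."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # The comparison the question refers to: at least as high a level
        # AND a superset of the other label's categories.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.categories <= self.categories)


def can_read(clearance: Label, classification: Label) -> bool:
    """Simple security property ("no read up"): the subject's clearance
    must dominate the object's classification."""
    return clearance.dominates(classification)


def can_write(clearance: Label, classification: Label) -> bool:
    """*-property ("no write down"): the object's classification must
    dominate the subject's clearance, so data cannot flow downward."""
    return classification.dominates(clearance)


class ReferenceMonitor:
    """State-machine view: every request is checked against the rules and
    only permitted requests change the recorded state."""

    def __init__(self) -> None:
        self.subjects: Dict[str, Label] = {}
        self.objects: Dict[str, Label] = {}
        self.granted: List[Tuple[str, str, str]] = []   # audit trail

    def add_subject(self, name: str, clearance: Label) -> None:
        self.subjects[name] = clearance

    def add_object(self, name: str, classification: Label) -> None:
        self.objects[name] = classification

    def request(self, subject: str, obj: str, mode: str) -> bool:
        rule = {"read": can_read, "write": can_write}[mode]
        ok = rule(self.subjects[subject], self.objects[obj])
        if ok:
            self.granted.append((subject, obj, mode))
        return ok


def demo() -> Dict[str, bool]:
    """Constructed scenario: an analyst cleared SECRET with the NATO
    category against objects at several classifications."""
    rm = ReferenceMonitor()
    rm.add_subject("analyst", Label("SECRET", frozenset({"NATO"})))
    rm.add_object("memo", Label("CONFIDENTIAL"))
    rm.add_object("plan", Label("SECRET", frozenset({"NATO"})))
    rm.add_object("vault", Label("TOP SECRET", frozenset({"NATO"})))
    rm.add_object("nuclear", Label("SECRET", frozenset({"NUCLEAR"})))
    return {
        "read memo": rm.request("analyst", "memo", "read"),        # True
        "read plan": rm.request("analyst", "plan", "read"),        # True
        "read vault": rm.request("analyst", "vault", "read"),      # False: read up
        "read nuclear": rm.request("analyst", "nuclear", "read"),  # False: category
        "write memo": rm.request("analyst", "memo", "write"),      # False: write down
        "write plan": rm.request("analyst", "plan", "write"),      # True
        "write vault": rm.request("analyst", "vault", "write"),    # True: write up
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:13s} -> {'granted' if allowed else 'denied'}")
```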

  15. Which of the following classes is the first (lowest) level defined in the TCSEC (Orange Book) as mandatory protection?

    • B
    • A
    • C
    • D
    Explanation:

    Division B is the first level defined as mandatory protection.

    First published in 1983 and updated in 1985, the TCSEC, frequently referred to as the Orange Book, was a United States Government Department of Defense (DoD) standard that set basic standards for the implementation of security protections in computing systems. Primarily intended to help the DoD find products that met those basic standards, TCSEC was used to evaluate, classify, and select computer systems being considered for the processing, storage, and retrieval of sensitive or classified information on military and government systems. As such, it was strongly focused on enforcing confidentiality with no focus on other aspects of security such as integrity or availability. Although it has since been superseded by the Common Criteria, it influenced the development of other product evaluation criteria, and some of its basic approach and terminology continues to be used.

    Reference used for this question:

    Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 17920-17926). Auerbach Publications. Kindle Edition.
    and
    THE source for all TCSEC “level” questions: http://csrc.nist.gov/publications/secpubs/rainbow/std001.txt (paragraph 3 for this one)

  16. Single Sign-on (SSO) is characterized by which of the following advantages?

    • Convenience
    • Convenience and centralized administration
    • Convenience and centralized data administration
    • Convenience and centralized network administration
    Explanation:

    Convenience: using single sign-on, users have to type their passwords only once, when they first log in, to access all the network resources. Centralized administration: some single sign-on systems are built around a unified server administration system, which allows a single administrator to add and delete accounts across the entire network from one user interface.

    The following answers are incorrect:

    Convenience – alone this is not the correct answer.

    Centralized Data or Network Administration – these are thrown in to mislead the student. Neither is a benefit of SSO, as these specifically should not be allowed with just an SSO.

    References: TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 1, page 35.
    TIPTON, Harold F. & HENRY, Kevin, Official (ISC)2 Guide to the CISSP CBK, 2007, page 180.

  17. The “vulnerability of a facility” to damage or attack may be assessed by all of the following except:

    • Inspection
    • History of losses
    • Security controls
    • Security budget
    Explanation:
    Source: The CISSP Examination Textbook- Volume 2: Practice by S. Rao Vallabhaneni.
  18. Which of the following was developed by the National Computer Security Center (NCSC) for the US Department of Defense?

    • TCSEC
    • ITSEC
    • DIACAP
    • NIACAP
    Explanation:

    The answer is TCSEC. The TCSEC, frequently referred to as the Orange Book, is the centerpiece of the DoD Rainbow Series publications.

    Initially issued by the National Computer Security Center (NCSC), an arm of the National Security Agency, in 1983 and then updated in 1985, TCSEC was replaced with the development of the Common Criteria international standard, originally published in 2005.

    References:
    KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, pages 197-199.

    Wikipedia
    http://en.wikipedia.org/wiki/TCSEC

  19. Which of the following was developed to address some of the weaknesses in Kerberos and uses public key cryptography for the distribution of secret keys and provides additional access control support?

    • SESAME
    • RADIUS
    • KryptoKnight
    • TACACS+
    Explanation:

    Secure European System for Applications in a Multi-vendor Environment (SESAME) was developed to address some of the weaknesses in Kerberos and uses public key cryptography for the distribution of secret keys and provides additional access control support.
    Reference:

    TIPTON, Harold, Official (ISC)2 Guide to the CISSP CBK (2007), page 184.
    ISC OIG Second Edition, Access Controls, Page 111

  20. The primary service provided by Kerberos is which of the following?

    • non-repudiation
    • confidentiality
    • authentication
    • authorization
    Explanation:

    The answer is authentication. Kerberos is an authentication service. It can use single-factor or multi-factor authentication methods.

    The following answers are incorrect:

    non-repudiation. Since Kerberos deals primarily with symmetric cryptography, it does not help with non-repudiation.
    confidentiality. Once the client is authenticated by Kerberos and obtains its session key and ticket, it may use them to assure confidentiality of its communication with a server; however, that is not a Kerberos service as such.
    authorization. Although Kerberos tickets may include some authorization information, the meaning of the authorization fields is not standardized in the Kerberos specifications, and authorization is not a primary Kerberos service.

    The following reference(s) were used to create this question:

    ISC2 OIG,2007 p. 179-184
    Shon Harris AIO v.3 152-155
