SSCP : System Security Certified Practitioner (SSCP) : Part 35

  1. There are parallels between the trust models in Kerberos and Public Key Infrastructure (PKI). When we compare them side by side, Kerberos tickets correspond most closely to which of the following?

    • public keys
    • private keys
    • public-key certificates
    • private-key certificates

    Explanation:

    A Kerberos ticket is issued by a trusted third party, the Key Distribution Center (KDC). It is an encrypted data structure, sealed with the target service's long-term key, that carries the client's identity, a validity period and the session key the client and the service will share. In that sense it plays the role a public-key certificate plays in a PKI: a credential vouched for by a trusted issuer that binds an identity to a key. The ticket itself is not the key, however.

    The following answers are incorrect:

    public keys. Kerberos tickets are not shared out publicly, so they are not like a PKI public key.
    private keys. Although a Kerberos ticket is not shared publicly, it is not a private key. Private keys belong to asymmetric cryptosystems, which the core Kerberos protocol does not use: tickets and authenticators are protected with symmetric cryptography only (the PKINIT extension adds public-key pre-authentication, but the tickets themselves remain symmetric).
    private key certificates. This is a distractor. There is no such thing as a private key certificate.
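    The relationship described above (trusted issuer, sealed structure, session key inside, ticket not readable by the client) is easy to see in a toy model. The following Python is an added illustration, not code from the page or from any Kerberos implementation; the principal name and the cipher are constructed stand-ins (an HMAC-SHA256 keystream with an HMAC tag replaces the real RFC 3961 encryption types and must not be used for real traffic).

```python
"""Toy model of why a Kerberos ticket resembles a certificate: a trusted third
party (the KDC) seals a structure, with the service's long-term key, that binds a
client identity to a session key and a validity period. Added illustration; the
toy cipher (HMAC-SHA256 keystream plus HMAC tag) stands in for the RFC 3961
encryption types and must not be used for real traffic."""
import hashlib
import hmac
import json
import os
import secrets


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object under a symmetric key (toy AEAD)."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> dict:
    """Check the tag, then decrypt. Raises ValueError on a wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)


# Constructed long-term keys. The KDC knows both; the service knows only its own;
# the client knows only its own. Neither client nor service ever sees the other's key.
K_SERVICE = secrets.token_bytes(32)
K_CLIENT = secrets.token_bytes(32)
SERVICE = "host/fileserver.example"  # assumed principal name


def kdc_issue(client: str, now: int, lifetime: int = 300) -> bytes:
    """The trusted third party mints a fresh session key, seals the ticket for the
    service, and returns the session key plus the opaque ticket sealed for the client."""
    session_key = secrets.token_bytes(32)
    ticket = seal(K_SERVICE, {"client": client, "service": SERVICE,
                              "session_key": session_key.hex(),
                              "expires": now + lifetime})
    return seal(K_CLIENT, {"session_key": session_key.hex(), "ticket": ticket.hex()})


def client_present(kdc_reply: bytes, claimed_name: str, now: int):
    """Client recovers the session key and builds an authenticator proving it holds
    that key. It cannot read or edit the ticket; it only forwards it."""
    reply = open_sealed(K_CLIENT, kdc_reply)
    session_key = bytes.fromhex(reply["session_key"])
    authenticator = seal(session_key, {"client": claimed_name, "timestamp": now})
    return bytes.fromhex(reply["ticket"]), authenticator


def service_accept(ticket: bytes, authenticator: bytes, now: int, skew: int = 300):
    """Service opens the ticket with its own long-term key, takes the session key
    from inside it, and accepts only if the authenticator is fresh and names the
    same client the KDC put in the ticket. Returns the client name or None."""
    t = open_sealed(K_SERVICE, ticket)
    if t["service"] != SERVICE or now > t["expires"]:
        return None
    a = open_sealed(bytes.fromhex(t["session_key"]), authenticator)
    if a["client"] != t["client"] or abs(now - a["timestamp"]) > skew:
        return None
    return t["client"]


if __name__ == "__main__":
    now = 1_700_000_000
    reply = kdc_issue("alice", now)
    ticket, auth = client_present(reply, "alice", now + 5)
    print("service accepts:", service_accept(ticket, auth, now + 10))
```

    The point to take from the model is where the trust lives: the service never talks to the KDC, it simply trusts anything it can open with its own key, exactly as a relying party trusts anything signed by its CA. A client that renames itself in the authenticator is rejected because the name inside the sealed ticket disagrees, and a client that edits the ticket breaks the integrity tag.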

  2. The Orange Book is founded upon which security policy model?

    • The Biba Model
    • The Bell LaPadula Model
    • Clark-Wilson Model
    • TEMPEST
    Explanation:
    From the glossary of Computer Security Basics:
    The Bell-LaPadula model is the security policy model on which the Orange Book requirements are based. From the Orange Book definition, “A formal state transition model of computer security policy that describes a set of access control rules. In this formal model, the entities in a computer system are divided into abstract sets of subjects and objects. The notion of secure state is defined and it is proven that each state transition preserves security by moving from secure state to secure state; thus, inductively proving the system is secure. A system state is defined to be ‘secure’ if the only permitted access modes of subjects to objects are in accordance with a specific security policy. In order to determine whether or not a specific access mode is allowed, the clearance of a subject is compared to the classification of the object and a determination is made as to whether the subject is authorized for the specific access mode.”
    The Biba Model is an integrity model of computer security policy that describes a set of rules. In this model, a subject may not depend on any object or other subject that is less trusted than itself.
    The Clark-Wilson Model is an integrity model for computer security policy designed for a commercial environment. It addresses such concepts as nondiscretionary access control, separation of duties, and least privilege.
    TEMPEST is not a security policy model at all; it is a government program that prevents the compromising electrical and electromagnetic signals that emanate from computers and related equipment from being intercepted and deciphered.
    Source: RUSSELL, Deborah & GANGEMI, G.T. Sr., Computer Security Basics, O'Reilly, 1991.
    Also: U.S. Department of Defense, Trusted Computer System Evaluation Criteria (Orange Book), DOD 5200.28-STD, December 1985.
  3. Which of the following is true of two-factor authentication?

    • It uses the RSA public-key signature based on integers with large prime factors.
    • It requires two measurements of hand geometry.
    • It does not use single sign-on technology.
    • It relies on two independent proofs of identity.
    Explanation:

    The Answer: It relies on two independent proofs of identity. Two-factor authentication refers to using two independent proofs of identity drawn from different categories, such as something the user has (e.g. a token card) and something the user knows (a password). Two-factor authentication may be used with single sign-on.

    The following answers are incorrect:

    It requires two measurements of hand geometry. Measuring hand geometry twice yields two samples of the same factor (something the user is), not two independent proofs.

    It uses the RSA public-key signature based on integers with large prime factors. An RSA modulus is the product of two large primes, but the word "factor" in "two-factor authentication" has nothing to do with integer factoring.

    It does not use single sign-on technology. This is a distractor: two-factor authentication and single sign-on are independent, and an SSO system can require two factors at the initial login.

    The following reference(s) were/was used to create this question:
    Shon Harris AIO v.3 p.129
    ISC2 OIG, 2007 p. 126

  4. Which of the following is NOT a technique used to perform a penetration test?

    • traffic padding
    • scanning and probing
    • war dialing
    • sniffing
    Explanation:

    Traffic padding is a countermeasure to traffic analysis.

    Even if perfect cryptographic routines are used, the attacker can gain knowledge of the amount of traffic that was generated. The attacker might not know what Alice and Bob were talking about, but can know that they were talking and how much they talked. In certain circumstances this can be very bad. Consider for example when a military is organising a secret attack against another nation: it may suffice to alert the other nation for them to know merely that there is a lot of secret activity going on.

    As another example, when encrypting Voice Over IP streams that use variable bit rate encoding, the number of bits per unit of time is not obscured, and this can be exploited to guess spoken phrases.

    Padding messages is a way to make it harder to do traffic analysis. Normally, a number of random bits is appended to the end of the message, with an indication at the end of how much random data was added. The pad length should range from a minimum of 0 to a maximum of N with an even distribution between the two extremes. Note that raising the minimum above 0 does not help; only increasing N helps, though that also means that a lower percentage of the channel will be used to transmit real data. Also note that, since the cryptographic routine is assumed to be uncrackable (otherwise the padding length itself is crackable), it does not help to put the padding anywhere else, e.g. at the beginning, in the middle, or in a sporadic manner.

    The other answers are all techniques used to do Penetration Testing.

    References:

    KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, pages 233, 238.

    and
    https://secure.wikimedia.org/wikipedia/en/wiki/Padding_%28cryptography%29#Traffic_analysis

  5. In which of the following models are subjects and objects identified and the permissions for each subject/object combination specified? Such a model can be used to quickly summarize what permissions a subject has for various system objects.

    • Access Control Matrix model
    • Take-Grant model
    • Bell-LaPadula model
    • Biba model
    Explanation:

    An access control matrix is a table of subjects and objects indicating what actions individual subjects can take upon individual objects. Matrices are data structures that programmers implement as table lookups that will be used and enforced by the operating system.

    This type of access control is usually an attribute of DAC models. The access rights can be assigned directly to the subjects (capabilities) or to the objects (ACLs).

    Capability Table
    A capability table specifies the access rights a certain subject possesses pertaining to specific objects. A capability table is different from an ACL because the subject is bound to the capability table, whereas the object is bound to the ACL.

    Access control lists (ACLs)
    ACLs are used in several operating systems, applications, and router configurations. They are lists of subjects that are authorized to access a specific object, and they define what level of authorization is granted. Authorization can be specific to an individual, group, or role. ACLs map values from the access control matrix to the object.

    Whereas a capability corresponds to a row in the access control matrix, the ACL corresponds to a column of the matrix.
    NOTE: Ensure you are familiar with the terms Capability and ACLs for the purpose of the exam.
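    The row/column relationship is easiest to remember by building it. The following Python is an added example, not code from the page or from the cited books; the subjects, objects and rights in the matrix are constructed for illustration.

```python
"""Access control matrix: rows are subjects, columns are objects, each cell is the
set of rights. Capabilities are the rows (kept with the subject); ACLs are the
columns (kept with the object). Added example; subjects, objects and rights below
are constructed for illustration."""
from collections import defaultdict

MATRIX = {
    "alice": {"payroll.xlsx": {"read", "write"}, "/etc/passwd": {"read"}},
    "bob":   {"payroll.xlsx": {"read"}, "backup.sh": {"read", "execute"}},
    "root":  {"payroll.xlsx": {"read", "write", "own"},
              "/etc/passwd": {"read", "write"},
              "backup.sh": {"read", "write", "execute"}},
}


def capability_list(matrix, subject):
    """One row of the matrix: every object this subject may touch, and how."""
    return {obj: set(rights) for obj, rights in matrix.get(subject, {}).items()}


def acl(matrix, obj):
    """One column of the matrix: every subject allowed on this object, and how."""
    return {subj: set(row[obj]) for subj, row in matrix.items() if obj in row}


def matrix_from_acls(acls):
    """Rebuild the whole matrix from per-object ACLs; shows that the two views
    carry the same information, just indexed differently."""
    rebuilt = defaultdict(dict)
    for obj, entries in acls.items():
        for subj, rights in entries.items():
            rebuilt[subj][obj] = set(rights)
    return dict(rebuilt)


def is_allowed(matrix, subject, obj, right):
    """Reference-monitor style check: exact lookup, default deny for unknown
    subjects, objects or rights."""
    return right in matrix.get(subject, {}).get(obj, set())


def summarize(matrix, subject):
    """What the question calls "quickly summarize": one entry per object."""
    return {obj: ",".join(sorted(r)) for obj, r in capability_list(matrix, subject).items()}


if __name__ == "__main__":
    for subj in MATRIX:
        print(subj, summarize(MATRIX, subj))
    print("ACL for payroll.xlsx:", acl(MATRIX, "payroll.xlsx"))
```

    Note that `is_allowed` denies by default: a subject, object or right missing from the matrix yields no access. That is the behaviour an operating system's reference monitor must have, and it is the reason an ACL entry or capability must be explicitly granted rather than inferred.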

    Resource(s) used for this question:

    Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 5264-5267). McGraw-Hill. Kindle Edition.
    or
    Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition, Page 229
    and
    Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 1923-1925). Auerbach Publications. Kindle Edition.

  6. Which of the following is NOT a system-sensing wireless proximity card?

    • magnetically striped card
    • passive device
    • field-powered device
    • transponder
    Explanation:

    A magnetic-stripe card carries its data on a passive strip that must be swiped through a contact reader; it has no electronics that a reader can sense at a distance, so it is not a proximity card. Passive devices, field-powered devices and transponders are the three kinds of system-sensing proximity cards described by Krutz and Vines: a passive device alters the reader's field, a field-powered device draws its operating power from the reader's field, and a transponder carries its own power source and transmits when interrogated.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, page 342.
  7. Which of the following is NOT a type of motion detector?

    • Photoelectric sensor
    • Passive infrared sensors
    • Microwave Sensor.
    • Ultrasonic Sensor.
    Explanation:

    A photoelectric sensor does not directly sense motion: it projects a narrow beam, and the sensor does not trigger unless the beam is broken. Photoelectric sensors, along with dry contact switches, are a type of perimeter intrusion detector.

    All of the other answers are valid types of motion detectors.
    The content below on the different types of sensors is from Wikipedia:
    Indoor Sensors

    These types of sensors are designed for indoor use. Outdoor use would not be advised due to false alarm vulnerability and weather durability.


    Passive Infrared Sensor
    The passive infrared detector (PIR) is one of the most common detectors found in household and small business environments because it offers affordable and reliable functionality. The term passive means the detector is able to function without the need to generate and radiate its own energy (unlike ultrasonic and microwave volumetric intrusion detectors that are “active” in operation). PIRs are able to distinguish if an infrared emitting object is present by first learning the ambient temperature of the monitored space and then detecting a change in the temperature caused by the presence of an object. Using the principle of differentiation, which is a check of presence or nonpresence, PIRs verify if an intruder or object is actually there. Creating individual zones of detection where each zone comprises one or more layers can achieve differentiation. Between the zones there are areas of no sensitivity (dead zones) that are used by the sensor for comparison.

    Ultrasonic detectors
    Using frequencies between 15 kHz and 75 kHz, these active detectors transmit ultrasonic sound waves that are inaudible to humans. The Doppler shift principle is the underlying method of operation, in which a change in frequency is detected due to object motion. This is caused when a moving object changes the frequency of sound waves around it. Two conditions must occur to successfully detect a Doppler shift event:

    There must be motion of an object either towards or away from the receiver.
    The motion of the object must cause a change in the ultrasonic frequency to the receiver relative to the transmitting frequency.

    The ultrasonic detector operates by the transmitter emitting an ultrasonic signal into the area to be protected. The sound waves are reflected by solid objects (such as the surrounding floor, walls and ceiling) and then detected by the receiver. Because ultrasonic waves are transmitted through air, then hard-surfaced objects tend to reflect most of the ultrasonic energy, while soft surfaces tend to absorb most energy.

    When the surfaces are stationary, the frequency of the waves detected by the receiver will be equal to the transmitted frequency. However, a change in frequency will occur as a result of the Doppler principle, when a person or object is moving towards or away from the detector. Such an event initiates an alarm signal. This technology is considered obsolete by many alarm professionals, and is not actively installed.
    Microwave detectors
    This device emits microwaves from a transmitter and detects any reflected microwaves or reduction in beam intensity using a receiver. The transmitter and receiver are usually combined inside a single housing (monostatic) for indoor applications, and separate housings (bistatic) for outdoor applications. To reduce false alarms this type of detector is usually combined with a passive infrared detector or “Dualtec” alarm.

    Microwave detectors respond to a Doppler shift in the frequency of the reflected energy, by a phase shift, or by a sudden reduction of the level of received energy. Any of these effects may indicate motion of an intruder.
    Photo-electric beams
    Photoelectric beam systems detect the presence of an intruder by transmitting visible or infrared light beams across an area, where these beams may be obstructed. To improve the detection surface area, the beams are often employed in stacks of two or more. However, if an intruder is aware of the technology’s presence, it can be avoided. The technology can be an effective long-range detection system, if installed in stacks of three or more where the transmitters and receivers are staggered to create a fence-like barrier. Systems are available for both internal and external applications. To prevent a clandestine attack using a secondary light source being used to hold the detector in a ‘sealed’ condition whilst an intruder passes through, most systems use and detect a modulated light source.

    Glass break detectors
    The glass break detector may be used for internal perimeter building protection. When glass breaks it generates sound in a wide band of frequencies. These can range from infrasonic, which is below 20 hertz (Hz) and can not be heard by the human ear, through the audio band from 20 Hz to 20 kHz which humans can hear, right up to ultrasonic, which is above 20 kHz and again cannot be heard. Glass break acoustic detectors are mounted in close proximity to the glass panes and listen for sound frequencies associated with glass breaking. Seismic glass break detectors are different in that they are installed on the glass pane. When glass breaks it produces specific shock frequencies which travel through the glass and often through the window frame and the surrounding walls and ceiling. Typically, the most intense frequencies generated are between 3 and 5 kHz, depending on the type of glass and the presence of a plastic interlayer. Seismic glass break detectors “feel” these shock frequencies and in turn generate an alarm condition.

    The more primitive detection method involves gluing a thin strip of conducting foil on the inside of the glass and putting low-power electrical current through it. Breaking the glass is practically guaranteed to tear the foil and break the circuit.
    Smoke, heat, and carbon monoxide detectors

    Heat Detection System
    Most systems may also be equipped with smoke, heat, and/or carbon monoxide detectors. These are also known as 24 hour zones (which are on at all times). Smoke detectors and heat detectors protect from the risk of fire and carbon monoxide detectors protect from the risk of carbon monoxide. Although an intruder alarm panel may also have these detectors connected, it may not meet all the local fire code requirements of a fire alarm system.

    Other types of volumetric sensors could be:

    Active Infrared
    Passive Infrared/Microwave combined
    Radar
    Acoustical Sensor/Audio
    Vibration Sensor (seismic)
    Air Turbulence

  8. What is the primary role of smartcards in a PKI?

    • Transparent renewal of user keys
    • Easy distribution of the certificates between the users
    • Fast hardware encryption of the raw data
    • Tamper resistant, mobile storage and application of private keys of the users
    Explanation:

    A smart card keeps the user's private key inside a tamper-resistant chip and performs the private-key operations (signing, decryption) on the card itself, so the key can travel with the user without ever leaving the device. That portable, tamper-resistant storage and use of private keys is the card's primary role in a PKI. Key renewal and certificate distribution are functions of the PKI's certificate authority and directory services, not of the card, and a smart card's processor is far too slow to serve as a bulk hardware encryptor of raw data.

    Reference: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 2001, McGraw-Hill/Osborne, page 139;

    SNYDER, J., What is a SMART CARD?.

    Wikipedia has a nice definition at: http://en.wikipedia.org/wiki/Tamper_resistance
    Security

    Tamper-resistant microprocessors are used to store and process private or sensitive information, such as private keys or electronic money credit. To prevent an attacker from retrieving or modifying the information, the chips are designed so that the information is not accessible through external means and can be accessed only by the embedded software, which should contain the appropriate security measures.

    Examples of tamper-resistant chips include all secure cryptoprocessors, such as the IBM 4758 and chips used in smartcards, as well as the Clipper chip.
    It has been argued that it is very difficult to make simple electronic devices secure against tampering, because numerous attacks are possible, including:

    physical attack of various forms (microprobing, drills, files, solvents, etc.)
    freezing the device
    applying out-of-spec voltages or power surges
    applying unusual clock signals
    inducing software errors using radiation
    measuring the precise time and power requirements of certain operations (see power analysis)

    Tamper-resistant chips may be designed to zeroise their sensitive data (especially cryptographic keys) if they detect penetration of their security encapsulation or out-of-specification environmental parameters. A chip may even be rated for “cold zeroisation”, the ability to zeroise itself even after its power supply has been crippled.

    Nevertheless, the fact that an attacker may have the device in his possession for as long as he likes, and perhaps obtain numerous other samples for testing and practice, means that it is practically impossible to totally eliminate tampering by a sufficiently motivated opponent. Because of this, one of the most important elements in protecting a system is overall system design. In particular, tamper-resistant systems should “fail gracefully” by ensuring that compromise of one device does not compromise the entire system. In this manner, the attacker can be practically restricted to attacks that cost less than the expected return from compromising a single device (plus, perhaps, a little more for kudos). Since the most sophisticated attacks have been estimated to cost several hundred thousand dollars to carry out, carefully designed systems may be invulnerable in practice.

  9. In Rule-Based Access Control (RuBAC), access is determined by rules. Such rules fit within what category of access control?

    • Discretionary Access Control (DAC)
    • Mandatory Access control (MAC)
    • Non-Discretionary Access Control (NDAC)
    • Lattice-based Access control
    Explanation:

    Rule-based access control is a type of non-discretionary access control because access is determined by rules that the subject does not set; the rules are uniformly applied to ALL users or subjects.

    In general, all access control policies other than DAC are grouped in the category of non-discretionary access control (NDAC). As the name implies, policies in this category have rules that are not established at the discretion of the user. Non-discretionary policies establish controls that cannot be changed by users, but only through administrative action.

    Both Role Based Access Control (RBAC) and Rule Based Access Control (RuBAC) fall within Non Discretionary Access Control (NDAC). If it is not DAC or MAC then it is most likely NDAC.

    IT IS NOT ALWAYS BLACK OR WHITE
    The different access control models are not totally exclusive of each other. MAC also makes use of rules to be implemented. However, MAC has requirements above and beyond simple access rules: the subject must have formal approval from management, the subject must hold the proper security clearance, and objects must have labels (sensitivity levels and categories) attached to them. If all of this is in place then you have MAC.

    BELOW YOU HAVE A DESCRIPTION OF THE DIFFERENT CATEGORIES:

    MAC = Mandatory Access Control
    Under a mandatory access control environment, the system or security administrator defines what permissions subjects have on objects. The administrator does not dictate users' access but simply configures the proper level of access as dictated by the Data Owner.

    The MAC system looks at the security clearance of the subject and compares it with the object's sensitivity level or classification level. This is what is called the dominance relationship.

    The subject must DOMINATE the object's label, which means that the subject must have a security clearance equal to or higher than the object's classification and must hold every category attached to the object.

    MAC also introduces the concept of labels. Every object has a label attached to it indicating the classification of the object as well as categories that are used to impose the need-to-know (NTK) principle. Even though a user has a security clearance of Secret, it does not mean he would be able to access every Secret document within the system. He would be allowed to access only Secret documents for which he has a need to know and formal approval, that is, objects whose categories are all among the categories the user is cleared for.

    If there is no clearance and no labels then IT IS NOT Mandatory Access Control.

    Many of the other models can mimic MAC but none of them have labels and a dominance relationship so they are NOT in the MAC category.

    NISTIR 7316 says:
    Usually a labeling mechanism and a set of interfaces are used to determine access based on the MAC policy; for example, a user who is running a process at the Secret classification should not be allowed to read a file with a label of Top Secret. This is known as the “simple security rule,” or “no read up.” Conversely, a user who is running a process with a label of Secret should not be allowed to write to a file with a label of Confidential. This rule is called the “*-property” (pronounced “star property”) or “no write down.” The *-property is required to maintain system security in an automated environment. A variation on this rule called the “strict *-property” requires that information can be written at, but not above, the subject’s clearance level. Multilevel security models such as the Bell-La Padula Confidentiality and Biba Integrity models are used to formally specify this kind of MAC policy.

    DAC = Discretionary Access Control

    DAC is also known as: Identity Based access control system.
    The owner of an object is defined as the person who created the object. As such, the owner has the discretion to grant access to other users on the network. Access is granted based solely on the identity of those users.

    Such a system is suitable only for low levels of security. One of the major problems is the fact that a user who has access to someone else's file can further share the file with other users without the knowledge or permission of the owner of the file. Very quickly this can become the wild west, as there is no control on the dissemination of the information.

    RBAC = Role Based Access Control

    RBAC is a form of Non-Discretionary access control.
    Role Based access control usually maps directly to the different types of jobs performed by employees within a company.

    For example, there might be 5 security administrators within your company. Instead of creating each of their profiles one by one, you would simply create a role and assign the administrators to the role. Once an administrator has been assigned to a role, he will IMPLICITLY inherit the permissions of that role.

    RBAC is a great tool for environments where there is a large rotation of employees on a daily basis, such as a very large help desk.

    RuBAC = Rule Based Access Control
    RuBAC is a form of Non-Discretionary access control.

    A good example of a Rule Based access control device would be a firewall. A single set of rules is imposed on all users attempting to connect through the firewall.

    NOTE FROM CLEMENT:
    A lot of people tend to confuse MAC and Rule Based Access Control.

    Mandatory Access Control must make use of LABELS. If there are only rules and no labels, it cannot be Mandatory Access Control. This is why they call it Non Discretionary Access Control (NDAC).

    There are even books out there that are WRONG on this subject. Books are sometimes opinionated and not strictly based on facts.

    In MAC subjects must have clearance to access sensitive objects. Objects have labels that contain the classification to indicate the sensitivity of the object and the label also has categories to enforce the need to know.

    Today the best example of rule based access control would be a firewall. All rules are imposed globally to any user attempting to connect through the device. This is NOT the case with MAC.

    I strongly recommend you read carefully the following document:

    NISTIR-7316 at http://csrc.nist.gov/publications/nistir/7316/NISTIR-7316.pdf

    It is one of the best Access Control Study document to prepare for the exam. Usually I tell people not to worry about the hundreds of NIST documents and other reference. This document is an exception. Take some time to read it.

    Reference(s) used for this question:
    KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33.
    and
    NISTIR-7316 at http://csrc.nist.gov/publications/nistir/7316/NISTIR-7316.pdf
    and
    Conrad, Eric; Misenar, Seth; Feldman, Joshua (2012-09-01). CISSP Study Guide (Kindle Locations 651-652). Elsevier Science (reference). Kindle Edition.

  10. The type of discretionary access control (DAC) that is based on an individual’s identity is also called:

    • Identity-based Access control
    • Rule-based Access control
    • Non-Discretionary Access Control
    • Lattice-based Access control
    Explanation:

    An identity-based access control is a type of Discretionary Access Control (DAC) that is based on an individual’s identity.

    DAC is good for low level security environment. The owner of the file decides who has access to the file.

    If a user creates a file, he is the owner of that file. An identifier for this user is placed in the file header and/or in an access control matrix within the operating system.

    Ownership might also be granted to a specific individual. For example, a manager for a certain department might be made the owner of the files and resources within her department. A system that uses discretionary access control (DAC) enables the owner of the resource to specify which subjects can access specific resources.

    This model is called discretionary because the control of access is based on the discretion of the owner. Many times department managers, or business unit managers, are the owners of the data within their specific department. Being the owner, they can specify who should have access and who should not.

    Reference(s) used for this question:
    Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 220). McGraw-Hill . Kindle Edition.

  11. Controls like guards and general steps to maintain building security, securing of server rooms or laptops, the protection of cables, and usage of magnetic switches on doors and windows are some of the examples of:

    • Administrative controls
    • Logical controls
    • Technical controls
    • Physical controls
    Explanation:

    Controls like guards and general steps to maintain building security, securing of server rooms or laptops, the protection of cables, and usage of magnetic switches on doors and windows are all examples of Physical Security.

    Reference(s) used for this question:

    KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33.

  12. To control access by a subject (an active entity such as individual or process) to an object (a passive entity such as a file) involves setting up:

    • Access Rules
    • Access Matrix
    • Identification controls
    • Access terminal
    Explanation:

    Controlling access by a subject (an active entity such as individual or process) to an object (a passive entity such as a file) involves setting up access rules.

    These rules can be classified into three access control models: Mandatory, Discretionary, and Non-Discretionary.

    An access matrix is one of the means used to implement access control.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33.

  13. Which of the following control pairing places emphasis on “soft” mechanisms that support the access control objectives?

    • Preventive/Technical Pairing
    • Preventive/Administrative Pairing
    • Preventive/Physical Pairing
    • Detective/Administrative Pairing
    Explanation:

    Soft Control is another way of referring to Administrative control.

    Technical and Physical controls are NOT soft control, so any choice listing them was not the best answer.

    Preventive/Technical is incorrect because although access control can be a technical control, it is not commonly referred to as a "soft" control.

    Preventive/Administrative is correct because access controls are preventive in nature. It is always best to prevent a negative event; however, there are times where controls might fail and you cannot prevent everything. Administrative controls are roles, responsibilities, policies, etc., which are usually paper based. In the administrative category you would also find audit, monitoring, and security awareness.

    Preventive/Physical pairing is incorrect because access controls with an emphasis on "soft" mechanisms conflict with the basic concept of physical controls; physical controls are usually tangible objects such as fences, gates, door locks, sensors, etc.

    Detective/Administrative Pairing is incorrect because access control is a preventive control used to control access, not to detect violations of access.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 34.

  14. Which of the following control pairings include: organizational policies and procedures, pre-employment background checks, strict hiring practices, employment agreements, employee termination procedures, vacation scheduling, labeling of sensitive materials, increased supervision, security awareness training, behavior awareness, and sign-up procedures to obtain access to information systems and networks?

    • Preventive/Administrative Pairing
    • Preventive/Technical Pairing
    • Preventive/Physical Pairing
    • Detective/Administrative Pairing
    Explanation:
    The Answer: Preventive/Administrative Pairing: These mechanisms include organizational policies and procedures, pre-employment background checks, strict hiring practices, employment agreements, friendly and unfriendly employee termination procedures, vacation scheduling, labeling of sensitive materials, increased supervision, security awareness training, behavior awareness, and sign-up procedures to obtain access to information systems and networks.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 34.
  15. Which access control type has a central authority that determines which objects the subjects have access to, based on role or on the organizational security policy?

    • Mandatory Access Control
    • Discretionary Access Control
    • Non-Discretionary Access Control
    • Rule-based Access control
    Explanation:

    Non-Discretionary Access Control (NDAC) includes Role-Based Access Control (RBAC) and Rule-Based Access Control (RBAC or RuBAC). RBAC being a subset of NDAC, it was easy to eliminate RBAC as it was covered under NDAC already.

    Some people think that RBAC is synonymous with NDAC, but RuBAC would also fall into this category.

    Discretionary Access Control is for environments with a very low level of security. There is no control on the dissemination of the information: a user who has access to a file can copy the file or further share it with other users.

    Rule-Based Access Control is when you have ONE set of rules applied uniformly to all users. A good example would be a firewall at the edge of your network: a single rule base is applied against any packets received from the internet.

    Mandatory Access Control is a very rigid type of access control. The subject must dominate the object, and the subject must have a Need To Know to access the information. Objects have labels that indicate the sensitivity (classification), and there are also categories to enforce the Need To Know (NTK).

    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33.

  16. What is the type of access control called in which there are pairs of elements that have a least upper bound of values and a greatest lower bound of values?

    • Mandatory model
    • Discretionary model
    • Lattice model
    • Rule model
    Explanation:

    In a lattice model, every pair of elements has a least upper bound of values and a greatest lower bound of values.

    Reference(s) used for this question:
    KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 34.
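    The following is an added illustration (not from the source page or its references) of the ideas behind questions 15 and 16: a security label is a (classification level, categories) pair, a subject dominates an object when its level is at least the object's level and its categories cover the object's (the Need To Know check), and any two labels have a least upper bound and a greatest lower bound, even when neither dominates the other. The level names and categories are constructed sample values.

```python
"""Lattice of MAC security labels: dominance, least upper bound, greatest lower bound."""
from dataclasses import dataclass
from typing import FrozenSet

# Constructed total order of sensitivity levels (lowest first); an assumption for the example.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]


@dataclass(frozen=True)
class Label:
    level: str                   # classification / clearance level
    categories: FrozenSet[str]   # compartments enforcing Need To Know

    def dominates(self, other: "Label") -> bool:
        """Partial order of the lattice: level at least as high AND categories a superset."""
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.categories >= other.categories)


def lub(a: Label, b: Label) -> Label:
    """Least upper bound: the highest level of the two, union of the categories."""
    return Label(max(a.level, b.level, key=LEVELS.index), a.categories | b.categories)


def glb(a: Label, b: Label) -> Label:
    """Greatest lower bound: the lowest level of the two, intersection of the categories."""
    return Label(min(a.level, b.level, key=LEVELS.index), a.categories & b.categories)


def can_read(subject: Label, obj: Label) -> bool:
    """MAC read check: the subject's clearance label must dominate the object's label."""
    return subject.dominates(obj)


if __name__ == "__main__":
    # Constructed sample labels: neither dominates the other, yet a LUB and GLB exist.
    analyst = Label("SECRET", frozenset({"CRYPTO"}))
    report = Label("CONFIDENTIAL", frozenset({"CRYPTO", "NUCLEAR"}))
    print(can_read(analyst, report))   # False: level suffices, but NUCLEAR is not in the clearance
    print(lub(analyst, report))        # SECRET, {CRYPTO, NUCLEAR}
    print(glb(analyst, report))        # CONFIDENTIAL, {CRYPTO}
```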

  17. Crime Prevention Through Environmental Design (CPTED) is a discipline that:

    • Outlines how the proper design of a physical environment can reduce crime by directly affecting human behavior.
    • Outlines how the proper design of the logical environment can reduce crime by directly affecting human behavior.
    • Outlines how the proper design of the detective control environment can reduce crime by directly affecting human behavior.
    • Outlines how the proper design of the administrative control environment can reduce crime by directly affecting human behavior.
    Explanation:

    Crime Prevention Through Environmental Design (CPTED) is a discipline that outlines how the proper design of a physical environment can reduce crime by directly affecting human behavior. It provides guidance about loss and crime prevention through proper facility construction and environmental components and procedures.

    CPTED concepts were developed in the 1960s. They have been expanded upon and have matured as our environments and crime types have evolved. CPTED has been used not just to develop corporate physical security programs, but also for large-scale activities such as the development of neighborhoods, towns, and cities. It addresses landscaping, entrances, facility and neighborhood layouts, lighting, road placement, and traffic circulation patterns. It looks at microenvironments, such as offices and restrooms, and macroenvironments, like campuses and cities.

    Reference(s) used for this question:

    Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 435). McGraw-Hill. Kindle Edition.
    and
    CPTED Guide Book

  18. The following is NOT a security characteristic we need to consider while choosing a biometric identification system:

    • data acquisition process
    • cost
    • enrollment process
    • speed and user interface
    Explanation:

    Cost is a factor when considering biometrics, but it is not a security characteristic.

    All the other answers are incorrect because they are security characteristics related to Biometrics.

    The data acquisition process can cause a security concern because if the process is not fast and efficient it can discourage individuals from using the process.

    The enrollment process can cause a security concern because the enrollment process has to be quick and efficient. This process captures the data used for authentication.

    Speed and user interface can cause a security concern because they also impact the users’ acceptance rate of biometrics. If users are not comfortable with the interface and speed, they might sabotage the devices or otherwise attempt to circumvent them.

    References:
    OIG Access Control (Biometrics) (pgs 165-167)

    From: TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 1, Pages 5-6.
    in process of correction

  19. What kind of certificate is used to validate a user identity?

    • Public key certificate
    • Attribute certificate
    • Root certificate
    • Code signing certificate
    Explanation:

    In cryptography, a public key certificate (or identity certificate) is an electronic document which incorporates a digital signature to bind together a public key with an identity — information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual.

    In a typical public key infrastructure (PKI) scheme, the signature will be of a certificate authority (CA). In a web of trust scheme, the signature is of either the user (a self-signed certificate) or other users (“endorsements”). In either case, the signatures on a certificate are attestations by the certificate signer that the identity information and the public key belong together.

    In computer security, an authorization certificate (also known as an attribute certificate) is a digital document that describes a written permission from the issuer to use a service or a resource that the issuer controls or has access to use. The permission can be delegated.

    Some people constantly confuse PKCs and ACs. An analogy may make the distinction clear. A PKC can be considered to be like a passport: it identifies the holder, tends to last for a long time, and should not be trivial to obtain. An AC is more like an entry visa: it is typically issued by a different authority and does not last for as long a time. As acquiring an entry visa typically requires presenting a passport, getting a visa can be a simpler process.

    A real-life example of this can be found in the mobile software deployments by large service providers, typically applied to platforms such as Microsoft Smartphone (and related), Symbian OS, J2ME, and others.

    In each of these systems a mobile communications service provider may customize the mobile terminal client distribution (i.e., the mobile phone operating system or application environment) to include one or more root certificates, each associated with a set of capabilities or permissions such as “update firmware”, “access address book”, “use radio interface”, and the most basic one, “install and execute”. When a developer wishes to enable distribution and execution in one of these controlled environments, they must acquire a certificate from an appropriate CA, typically a large commercial CA, and in the process they usually have their identity verified using out-of-band mechanisms such as a combination of phone call, validation of their legal entity through government and commercial databases, etc., similar to the high-assurance SSL certificate vetting process, though often there are additional specific requirements imposed on would-be developers/publishers.

    Once the identity has been validated, they are issued an identity certificate they can use to sign their software. Generally the software signed by the developer’s or publisher’s identity certificate is not distributed directly; rather, it is submitted to a processor to possibly test or profile the content before generating an authorization certificate which is unique to the particular software release. That certificate is then used with an ephemeral asymmetric key pair to sign the software as the last step of preparation for distribution. There are many advantages to separating the identity and authorization certificates, especially relating to risk mitigation of new content being accepted into the system, key management, and recovery from errant software which could be used as an attack vector.

    References:

    HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 2001, McGraw-Hill/Osborne, page 540.
    http://en.wikipedia.org/wiki/Attribute_certificate
    http://en.wikipedia.org/wiki/Public_key_certificate

  20. Which of the following is not a physical control for physical security?

    • lighting
    • fences
    • training
    • facility construction materials
    Explanation:

    Some physical controls include fences, lights, locks, and facility construction materials. Some administrative controls include facility selection and construction, facility management, personnel controls, training, and emergency response and procedures.

    From: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 3rd. Ed., Chapter 6, page 403.
