SSCP : System Security Certified Practitioner (SSCP) : Part 51

  1. Preservation of confidentiality within information systems requires that the information is not disclosed to:

    • Authorized person
    • Unauthorized persons or processes.
    • Unauthorized persons.
    • Authorized persons and processes

    Explanation:

    Confidentiality assures that the information is not disclosed to unauthorized persons or processes.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 31.

  2. Which of the following addresses a portion of the primary memory by specifying the actual address of the memory location?

    • direct addressing
    • Indirect addressing
    • implied addressing
    • indexed addressing
    Explanation:

    Absolute/Direct

    +------+-----+---------+
    | load | reg | address |
    +------+-----+---------+

    (Effective address = address as given in instruction)

    This requires space in an instruction for quite a large address. It is often available on CISC machines which have variable-length instructions, such as x86.

    Some RISC machines have a special Load Upper Literal instruction which places a 16-bit constant in the top half of a register. An OR literal instruction can be used to insert a 16-bit constant in the lower half of that register, so that a full 32-bit address can then be used via the register-indirect addressing mode, which itself is provided as “base-plus-offset” with an offset of 0.
    http://en.wikipedia.org/wiki/Addressing_mode (Very good coverage of the subject)

    also see:
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, page 186.
    also see:
    http://www.comsci.us/ic/notes/am.html

  3. Which of the following is NOT true concerning Application Control?

    • It limits end users' use of applications in such a way that only particular screens are visible.
    • Only specific records can be requested through the application controls
    • Particular usage of the application can be recorded for audit purposes
    • It is non-transparent to the endpoint applications so changes are needed to the applications and databases involved
    Explanation:
    Source: TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 2, Auerbach.
  4. Which of the following would be best suited to oversee the development of an information security policy?

    • System Administrators
    • End User
    • Security Officers
    • Security administrators
    Explanation:

    The security officer would be the best person to oversee the development of such policies.

    Security officers and their teams have typically been charged with the responsibility of creating the security policies. The policies must be written and communicated appropriately to ensure that they can be understood by the end users. Policies that are poorly written, or written at too high of an education level (common industry practice is to focus the content for general users at the sixth- to eighth-grade reading level), will not be understood.

    Implementing security policies and the items that support them shows due care by the company and its management staff. Informing employees of what is expected of them and the consequences of noncompliance can come down to a liability issue.

    While security officers may be responsible for the development of the security policies, the effort should be collaborative to ensure that the business issues are addressed.

    The security officers will get better corporate support by including other areas in policy development. This helps build buy-in by these areas as they take on a greater ownership of the final product. Consider including areas such as HR, legal, compliance, various IT areas and specific business area representatives who represent critical business units.

    When policies are developed solely within the IT department and then distributed without business input, they are likely to miss important business considerations. Once policy documents have been created, the basis for ensuring compliance is established. Depending on the organization, additional documentation may be necessary to support policy. This support may come in the form of additional controls described in standards, baselines, or procedures to help personnel with compliance. An important step after documentation is to make the most current version of the documents readily accessible to those who are expected to follow them. Many organizations place the documents on their intranets or in shared file folders to facilitate their accessibility. Such placement of these documents plus checklists, forms, and sample documents can make awareness more effective.

    For your exam you should know the information below:

    End User – The end user is responsible for protecting information assets on a daily basis through adherence to the security policies that have been communicated.

    Executive Management/Senior Management – Executive management maintains the overall responsibility for protection of the information assets. The business operations are dependent upon information being available, accurate, and protected from individuals without a need to know.

    Security Officer – The security officer directs, coordinates, plans, and organizes information security activities throughout the organization. The security officer works with many different individuals, such as executive management, management of the business units, technical staff, business partners, auditors, and third parties such as vendors. The security officer and his or her team are responsible for the design, implementation, management, and review of the organization’s security policies, standards, procedures, baselines, and guidelines.

    Information Systems Security Professional- Drafting of security policies, standards and supporting guidelines, procedures, and baselines is coordinated through these individuals. Guidance is provided for technical security issues, and emerging threats are considered for the adoption of new policies. Activities such as interpretation of government regulations and industry trends and analysis of vendor solutions to include in the security architecture that advances the security of the organization are performed in this role.

    Data/Information/Business/System Owners – A business executive or manager is typically responsible for an information asset. These are the individuals that assign the appropriate classification to information assets. They ensure that the business information is protected with appropriate controls. Periodically, the information asset owners need to review the classification and access rights associated with information assets. The owners, or their delegates, may be required to approve access to the information. Owners also need to determine the criticality, sensitivity, retention, backups, and safeguards for the information. Owners or their delegates are responsible for understanding the risks that exist with regards to the information that they control.

    Data/Information Custodian/Steward – A data custodian is an individual or function that takes care of the information on behalf of the owner. These individuals ensure that the information is available to the end users and is backed up to enable recovery in the event of data loss or corruption. Information may be stored in files, databases, or systems whose technical infrastructure must be managed, by systems administrators. This group administers access rights to the information assets.

    Information Systems Auditor- IT auditors determine whether users, owners, custodians, systems, and networks are in compliance with the security policies, procedures, standards, baselines, designs, architectures, management direction, and other requirements placed on systems. The auditors provide independent assurance to the management on the appropriateness of the security controls. The auditor examines the information systems and determines whether they are designed, configured, implemented, operated, and managed in a way ensuring that the organizational objectives are being achieved. The auditors provide top company management with an independent view of the controls and their effectiveness.

    Business Continuity Planner – Business continuity planners develop contingency plans to prepare for any occurrence that could have the ability to impact the company’s objectives negatively. Threats may include earthquakes, tornadoes, hurricanes, blackouts, changes in the economic/political climate, terrorist activities, fire, or other major actions potentially causing significant harm. The business continuity planner ensures that business processes can continue through the disaster and coordinates those activities with the business areas and information technology personnel responsible for disaster recovery.

    Information Systems/ Technology Professionals- These personnel are responsible for designing security controls into information systems, testing the controls, and implementing the systems in production environments through agreed upon operating policies and procedures. The information systems professionals work with the business owners and the security professionals to ensure that the designed solution provides security controls commensurate with the acceptable criticality, sensitivity, and availability requirements of the application.

    Security Administrator – A security administrator manages the user access request process and ensures that privileges are provided to those individuals who have been authorized for access by application/system/data owners. This individual has elevated privileges and creates and deletes accounts and access permissions. The security administrator also terminates access privileges when individuals leave their jobs or transfer between company divisions. The security administrator maintains records of access request approvals and produces reports of access rights for the auditor during testing in an access controls audit to demonstrate compliance with the policies.

    Network/Systems Administrator – A systems administrator (sysadmin/netadmin) configures network and server hardware and the operating systems to ensure that the information can be available and accessible. The administrator maintains the computing infrastructure using tools and utilities such as patch management and software distribution mechanisms to install updates and test patches on organization computers. The administrator tests and implements system upgrades to ensure the continued reliability of the servers and network devices. The administrator provides vulnerability management through either commercial off the shelf (COTS) and/or non-COTS solutions to test the computing environment and mitigate vulnerabilities appropriately.

    Physical Security – The individuals assigned to the physical security role establish relationships with external law enforcement, such as the local police agencies, state police, or the Federal Bureau of Investigation (FBI) to assist in investigations. Physical security personnel manage the installation, maintenance, and ongoing operation of the closed circuit television (CCTV) surveillance systems, burglar alarm systems, and card reader access control systems. Guards are placed where necessary as a deterrent to unauthorized access and to provide safety for the company employees. Physical security personnel interface with systems security, human resources, facilities, and legal and business areas to ensure that the practices are integrated.

    Security Analyst – The security analyst role works at a higher, more strategic level than the previously described roles and helps develop policies, standards, and guidelines, as well as set various baselines. Whereas the previous roles are “in the weeds” and focus on pieces and parts of the security program, a security analyst helps define the security program elements and follows through to ensure the elements are being carried out and practiced properly. This person works more at a design level than at an implementation level.

    Administrative Assistants/Secretaries – This role can be very important to information security; in many companies of smaller size, this may be the individual who greets visitors, signs packages in and out, recognizes individuals who desire to enter the offices, and serves as the phone screener for executives. These individuals may be subject to social engineering attacks, whereby the potential intruder attempts to solicit confidential information that may be used for a subsequent attack. Social engineers prey on the goodwill of the helpful individual to gain entry. A properly trained assistant will minimize the risk of divulging useful company information or of providing unauthorized entry.

    Help Desk Administrator – As the name implies, the help desk is there to field questions from users that report system problems. Problems may include poor response time, potential virus infections, unauthorized access, inability to access system resources, or questions on the use of a program. The help desk is also often where the first indications of security issues and incidents will be seen. A help desk individual would contact the computer security incident response team (CIRT) when a situation meets the criteria developed by the team. The help desk resets passwords, resynchronizes/reinitializes tokens and smart cards, and resolves other problems with access control.

    Supervisor – The supervisor role, also called user manager, is ultimately responsible for all user activity and any assets created and owned by these users. For example, suppose Kathy is the supervisor of ten employees. Her responsibilities would include ensuring that these employees understand their responsibilities with respect to security; making sure the employees’ account information is up-to-date; and informing the security administrator when an employee is fired, suspended, or transferred. Any change that pertains to an employee’s role within the company usually affects what access rights they should and should not have, so the user manager must inform the security administrator of these changes immediately.

    Change Control Analyst – Since the only thing that is constant is change, someone must make sure changes happen securely. The change control analyst is responsible for approving or rejecting requests to make changes to the network, systems, or software. This role must make certain that the change will not introduce any vulnerabilities, that it has been properly tested, and that it is properly rolled out. The change control analyst needs to understand how various changes can affect security, interoperability, performance, and productivity. Or, a company can choose to just roll out the change and see what happens.

    The following answers are incorrect:

    Systems Administrator – A systems administrator (sysadmin/netadmin) configures network and server hardware and the operating systems to ensure that the information can be available and accessible. The administrator maintains the computing infrastructure using tools and utilities such as patch management and software distribution mechanisms to install updates and test patches on organization computers. The administrator tests and implements system upgrades to ensure the continued reliability of the servers and network devices. The administrator provides vulnerability management through either commercial off the shelf (COTS) and/or non-COTS solutions to test the computing environment and mitigate vulnerabilities appropriately.

    End User – The end user is responsible for protecting information assets on a daily basis through adherence to the security policies that have been communicated.

    Security Administrator – A security administrator manages the user access request process and ensures that privileges are provided to those individuals who have been authorized for access by application/system/data owners. This individual has elevated privileges and creates and deletes accounts and access permissions. The security administrator also terminates access privileges when individuals leave their jobs or transfer between company divisions. The security administrator maintains records of access request approvals and produces reports of access rights for the auditor during testing in an access controls audit to demonstrate compliance with the policies.

    Following reference(s) were/was used to create this question:
    CISA review manual 2014 Page number 109
    Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 108). McGraw-Hill. Kindle Edition.

  5. Which of the following is the MOST important aspect relating to employee termination?

    • The details of employee have been removed from active payroll files.
    • Company property provided to the employee has been returned.
    • User ID and passwords of the employee have been deleted.
    • The appropriate company staff are notified about the termination.
    Explanation:

    Even though logical access to information by a terminated employee is possible if the ID and password of the terminated employee have not been deleted, this is only one part of the termination procedures. If the user ID is not disabled or deleted, it could be possible for the employee, even without physical access, to connect to the company's networks remotely and gain access to the information.

    Please note that this can also be seen in a different way: the most important thing to do could also be to inform others of the person's termination, because even if user IDs and passwords are deleted, a terminated individual could simply socially engineer their way back in by calling an individual he/she used to work with and asking them for access. He could intrude on the facility or use other weaknesses to gain access to information after he has been terminated.

    By notifying the appropriate company staff about the termination, they would in turn initiate account termination, ask the employee to return company property, and withdraw all credentials for the individual concerned. This answer is more complete than simply disabling the account.

    It seems harsh and cold when this actually takes place, but too many companies have been hurt by vengeful employees who have lashed out at the company when their positions were revoked for one reason or another. If an employee is disgruntled in any way, or the termination is unfriendly, that employee's accounts should be disabled right away, and all passwords on all systems changed.

    For your exam you should know the information below:

    Employee Termination Processes
    Employees join and leave organizations every day. The reasons vary widely, due to retirement, reduction in force, layoffs, termination with or without cause, relocation to another city, career opportunities with other employers, or involuntary transfers. Terminations may be friendly or unfriendly and will need different levels of care as a result.

    Friendly Terminations
    Regular termination is when there is little or no evidence or reason to believe that the termination is not agreeable to both the company and the employee. A standard set of procedures, typically maintained by the human resources department, governs the dismissal of the terminated employee to ensure that company property is returned, and all access is removed. These procedures may include exit interviews and return of keys, identification cards, badges, tokens, and cryptographic keys. Other property, such as laptops, cable locks, credit cards, and phone cards, are also collected. The user manager notifies the security department of the termination to ensure that access is revoked for all platforms and facilities. Some facilities choose to immediately delete the accounts, while others choose to disable the accounts for a policy defined period, for example, 30 days, to account for changes or extensions in the final termination date. The termination process should include a conversation with the departing associate about their continued responsibility for confidentiality of information.

    Unfriendly Terminations
    Unfriendly terminations may occur when the individual is fired, involuntarily transferred, laid off, or when the organization has reason to believe that the individual has the means and intention to potentially cause harm to the system. Individuals with technical skills and higher levels of access, such as the systems administrators, computer programmers, database administrators, or any individual with elevated privileges, may present higher risk to the environment. These individuals could alter files, plant logic bombs to create system file damage at a future date, or remove sensitive information. Other disgruntled users could enter erroneous data into the system that may not be discovered for several months. In these situations, immediate termination of systems access is warranted at the time of termination or prior to notifying the employee of the termination. Managing the people aspect of security, from pre-employment to post-employment, is critical to ensure that trustworthy, competent resources are employed to further the business objectives that will protect company information. Each of these actions contributes to preventive, detective, or corrective personnel controls.

    The following answers are incorrect:
    The other options are less important.

    Following reference(s) were/was used to create this question:
    CISA review manual 2014 Page number 99
    Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 129). McGraw-Hill. Kindle Edition.

  6. Which of the following is not one of the three goals of Integrity addressed by the Clark-Wilson model?

    • Prevention of the modification of information by unauthorized users.
    • Prevention of the unauthorized or unintentional modification of information by authorized users.
    • Preservation of the internal and external consistency.
    • Prevention of the modification of information by authorized users.
    Explanation:

    There is no need to prevent modification by authorized users. They are authorized and allowed to make the changes. On top of this, it is also NOT one of the goals of integrity within Clark-Wilson.

    As it turns out, the Biba model addresses only the first of the three integrity goals which is Prevention of the modification of information by unauthorized users. Clark-Wilson addresses all three goals of integrity.

    The Clark–Wilson model improves on Biba by focusing on integrity at the transaction level and addressing three major goals of integrity in a commercial environment. In addition to preventing changes by unauthorized subjects, Clark and Wilson realized that high-integrity systems would also have to prevent undesirable changes by authorized subjects and to ensure that the system continued to behave consistently. It also recognized that it would need to ensure that there is constant mediation between every subject and every object if such integrity was going to be maintained.

    Integrity is addressed through the following three goals:

    1. Prevention of the modification of information by unauthorized users.
    2. Prevention of the unauthorized or unintentional modification of information by authorized users.
    3. Preservation of the internal and external consistency.

    The following reference(s) were used for this question:

    Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 17689-17694). Auerbach Publications. Kindle Edition.
    and
    KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 31.

  7. External consistency ensures that the data stored in the database is:

    • inconsistent with the real world.
    • remains consistent when sent from one system to another.
    • consistent with the logical world.
    • consistent with the real world.
    Explanation:
    External consistency ensures that the data stored in the database is consistent with the real world.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, page 33.
  8. An effective information security policy should not have which of the following characteristics?

    • Include separation of duties
    • Be designed with a short- to mid-term focus
    • Be understandable and supported by all stakeholders
    • Specify areas of responsibility and authority
    Explanation:
    An effective information security policy should be designed with a long-term focus. All other characteristics apply.
    Source: ALLEN, Julia H., The CERT Guide to System and Network Security Practices, Addison-Wesley, 2001, Appendix B, Practice-Level Policy Considerations (page 397).
  9. Which of the following choices is NOT normally part of the questions that would be asked in regards to an organization's information security policy?

    • Who is involved in establishing the security policy?
    • Where is the organization’s security policy defined?
    • What are the actions that need to be performed in case of a disaster?
    • Who is responsible for monitoring compliance to the organization’s security policy?
    Explanation:

    Actions to be performed in case of a disaster are not normally part of an information security policy but part of a Disaster Recovery Plan (DRP).

    Only personnel implicated in the plan should have a copy of the Disaster Recovery Plan whereas everyone should be aware of the contents of the organization’s information security policy.
    Source: ALLEN, Julia H., The CERT Guide to System and Network Security Practices, Addison-Wesley, 2001, Appendix B, Practice-Level Policy Considerations (page 398).

  10. Which of the following is not appropriate in addressing object reuse?

    • Degaussing magnetic tapes when they’re no longer needed.
    • Deleting files on disk before reusing the space.
    • Clearing memory blocks before they are allocated to a program or data.
    • Clearing buffered pages, documents, or screens from the local memory of a terminal or printer.
    Explanation:

    Object reuse requirements, applying to systems rated TCSEC C2 and above, are used to protect files, memory, and other objects in a trusted system from being accidentally accessed by users who are not authorized to access them. Deleting files on disk merely erases file headers in a directory structure. It does not clear data from the disk surface, thus making files still recoverable. All other options involve clearing used space, preventing any unauthorized access.

    Source: RUSSEL, Deborah & GANGEMI, G.T. Sr., Computer Security Basics, O’Reilly, July 1992 (page 119).

  11. Who of the following is responsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of IT systems and data?

    • Business and functional managers
    • IT Security practitioners
    • System and information owners
    • Chief information officer
    Explanation:
    The system and information owners are responsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of the IT systems and data they own. IT security practitioners are responsible for proper implementation of security requirements in their IT systems.
    Source: STONEBURNER, Gary et al., NIST Special publication 800-30, Risk management Guide for Information Technology Systems, 2001 (page 6).
  12. Which of the following would best classify as a management control?

    • Review of security controls
    • Personnel security
    • Physical and environmental protection
    • Documentation
    Explanation:
    Management controls focus on the management of the IT security system and the management of risk for a system.
    They are techniques and concerns that are normally addressed by management.
    Routine evaluations and response to identified vulnerabilities are important elements of managing the risk of a system, thus considered management controls.
    SECURITY CONTROLS: The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.
    SECURITY CONTROL BASELINE: The set of minimum security controls defined for a low-impact, moderate-impact, or high-impact information system.
    The following are incorrect answers:
    Personnel security, physical and environmental protection and documentation are forms of operational controls.
    Reference(s) used for this question:
    http://csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf
    and
    FIPS PUB 200 at http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf
  13. Which of the following is not a form of passive attack?

    • Scavenging
    • Data diddling
    • Shoulder surfing
    • Sniffing
    Explanation:
    Data diddling involves alteration of existing data and is extremely common. It is one of the easiest types of crimes to prevent by using access and accounting controls, supervision, auditing, separation of duties, and authorization limits. It is a form of active attack. All other choices are examples of passive attacks, only affecting confidentiality.
    Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter 10: Law, Investigation, and Ethics (page 645).
  14. The property of a system or a system resource being accessible and usable upon demand by an authorized system entity, according to performance specifications for the system is referred to as?

    • Confidentiality
    • Availability
    • Integrity
    • Reliability
    Explanation:

    A company security program must:

    1) assure that systems and applications operate effectively and provide appropriate confidentiality, integrity, and availability;

    2) protect information commensurate with the level of risk and magnitude of harm resulting from loss, misuse, unauthorized access, or modification.

    The property of a system or a system resource being accessible and usable upon demand by an authorized system entity, according to performance specifications for the system; i.e., a system is available if it provides services according to the system design whenever users request them.

    The following are incorrect answers:

    Confidentiality – The information requires protection from unauthorized disclosure and only the INTENDED recipient should have access to the meaning of the data either in storage or in transit.

    Integrity – The information must be protected from unauthorized, unanticipated, or unintentional modification. This includes, but is not limited to:

    Authenticity – A third party must be able to verify that the content of a message has not been changed in transit.

    Non-repudiation – The origin or the receipt of a specific message must be verifiable by a third party.

    Accountability – A security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.

    Reference used for this question:

    RFC 2828
    and
    SWANSON, Marianne, NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems, November 2001 (page 5).

  15. Which of the following is most concerned with personnel security?

    • Management controls
    • Operational controls
    • Technical controls
    • Human resources controls
    Explanation:

    Many important issues in computer security involve human users, designers, implementers, and managers.

    A broad range of security issues relates to how these individuals interact with computers and the access and authorities they need to do their jobs. Since operational controls address security methods focusing on mechanisms primarily implemented and executed by people (as opposed to systems), personnel security is considered a form of operational control.

    Operational controls are put in place to improve security of a particular system (or group of systems). They often require specialized expertise and often rely upon management activities as well as technical controls. Implementing dual control and making sure that you have more than one person that can perform a task would fall into this category as well.

    Management controls focus on the management of the IT security system and the management of risk for a system. They are techniques and concerns that are normally addressed by management.

    Technical controls focus on security controls that the computer system executes. The controls can provide automated protection against unauthorized access or misuse, facilitate detection of security violations, and support security requirements for applications and data.

    Reference used for this question:

    NIST SP 800-53 Revision 4 http://dx.doi.org/10.6028/NIST.SP.800-53r4
    NIST SP 800-53 Revision 4 has superseded the document below:

    SWANSON, Marianne, NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems, November 2001 (Page A-18).

  16. A Security Kernel is defined as a strict implementation of a reference monitor mechanism responsible for enforcing a security policy. To be secure, the kernel must meet three basic conditions, what are they?

    • Confidentiality, Integrity, and Availability
    • Policy, mechanism, and assurance
    • Isolation, layering, and abstraction
    • Completeness, Isolation, and Verifiability
    Explanation:

    A security kernel is responsible for enforcing a security policy. It is a strict implementation of a reference monitor mechanism. The architecture of a kernel operating system is typically layered, and the kernel should be at the lowest and most primitive level.

    It is a small portion of the operating system through which all references to information and all changes to authorizations must pass. In theory, the kernel implements access control and information flow control between implemented objects according to the security policy.

    To be secure, the kernel must meet three basic conditions:

    completeness (all accesses to information must go through the kernel),
    isolation (the kernel itself must be protected from any type of unauthorized access),
    and verifiability (the kernel must be proven to meet design specifications).

    The reference monitor, as noted previously, is an abstraction, but there may be a reference validator, which usually runs inside the security kernel and is responsible for performing security access checks on objects, manipulating privileges, and generating any resulting security audit messages.

    A term associated with security kernels and the reference monitor is the trusted computing base (TCB). The TCB is the portion of a computer system that contains all elements of the system responsible for supporting the security policy and the isolation of objects. The security capabilities of products for use in the TCB can be verified through various evaluation criteria, such as the earlier Trusted Computer System Evaluation Criteria (TCSEC) and the current Common Criteria standard.

    Many of these security terms—reference monitor, security kernel, TCB—are defined loosely by vendors for purposes of marketing literature. Thus, it is necessary for security professionals to read the small print and between the lines to fully understand what the vendor is offering in regard to security features.

    TIP FOR THE EXAM:
    The terms Security Kernel and Reference monitor are synonymous but at different levels.
    As it was explained by Diego:

    While the Reference monitor is the concept, the Security kernel is the implementation of such concept (via hardware, software and firmware means).

    The two terms are the same thing, but on different levels: one is conceptual, one is “technical”.

    The following are incorrect answers:
    Confidentiality, Integrity, and Availability
    Policy, mechanism, and assurance
    Isolation, layering, and abstraction

    Reference(s) used for this question:
    Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 13858-13875). Auerbach Publications. Kindle Edition.

  17. What can best be defined as the detailed examination and testing of the security features of an IT system or product to ensure that they work correctly and effectively and do not show any logical vulnerabilities, such as evaluation criteria?

    • Acceptance testing
    • Evaluation
    • Certification
    • Accreditation
    Explanation:

    Evaluation as a general term is described as the process of independently assessing a system against a standard of comparison, such as evaluation criteria. Evaluation criteria are defined as a benchmark, standard, or yardstick against which the accomplishment, conformance, performance, and suitability of an individual, hardware, software, product, or plan, as well as its risk-reward ratio, is measured.

    What is computer security evaluation?
    Computer security evaluation is the detailed examination and testing of the security features of an IT system or product to ensure that they work correctly and effectively and do not show any logical vulnerabilities. The Security Target determines the scope of the evaluation. It includes a claimed level of Assurance that determines how rigorous the evaluation is.

    Criteria
    Criteria are the “standards” against which security evaluation is carried out. They define several degrees of rigour for the testing and the levels of assurance that each confers. They also define the formal requirements needed for a product (or system) to meet each Assurance level.

    TCSEC
    The US Department of Defense published the first criteria in 1983 as the Trusted Computer System Evaluation Criteria (TCSEC), more popularly known as the “Orange Book”. The current issue is dated 1985. The US Federal Criteria were drafted in the early 1990s as a possible replacement but were never formally adopted.

    ITSEC
    During the 1980s, the United Kingdom, Germany, France and the Netherlands produced versions of their own national criteria. These were harmonised and published as the Information Technology Security Evaluation Criteria (ITSEC). The current issue, Version 1.2, was published by the European Commission in June 1991. In September 1993, it was followed by the IT Security Evaluation Manual (ITSEM) which specifies the methodology to be followed when carrying out ITSEC evaluations.

    Common Criteria
    The Common Criteria represents the outcome of international efforts to align and develop the existing European and North American criteria. The Common Criteria project harmonises ITSEC, CTCPEC (Canadian Criteria) and US Federal Criteria (FC) into the Common Criteria for Information Technology Security Evaluation (CC) for use in evaluating products and systems and for stating security requirements in a standardised way. Increasingly it is replacing national and regional criteria with a worldwide set accepted by the International Standards Organisation (ISO15408).

    The following answers were not applicable:

    Certification is the process of performing a comprehensive analysis of the security features and safeguards of a system to establish the extent to which the security requirements are satisfied. Shon Harris states in her book that Certification is the comprehensive technical evaluation of the security components and their compliance for the purpose of accreditation.

    Wikipedia describes it as: Certification is a comprehensive evaluation of the technical and non-technical security controls (safeguards) of an information system to support the accreditation process that establishes the extent to which a particular design and implementation meets a set of specified security requirements.

    Accreditation is the official management decision to operate a system. Accreditation is the formal declaration by a senior agency official (Designated Accrediting Authority (DAA) or Principal Accrediting Authority (PAA)) that an information system is approved to operate at an acceptable level of risk, based on the implementation of an approved set of technical, managerial, and procedural security controls (safeguards).

    Acceptance testing refers to user testing of a system before accepting delivery.

    Reference(s) used for this question:

    HARE, Chris, Security Architecture and Models, Area 6 CISSP Open Study Guide, January 2002.
    and
    https://en.wikipedia.org/wiki/Certification_and_Accreditation
    and
    http://www.businessdictionary.com/definition/evaluation-criteria.html
    and
    http://www.cesg.gov.uk/products_services/iacs/cc_and_itsec/secevalcriteria.shtml

  18. A trusted system does NOT involve which of the following?

    • Enforcement of a security policy.
    • Sufficiency and effectiveness of mechanisms to be able to enforce a security policy.
    • Assurance that the security policy can be enforced in an efficient and reliable manner.
    • Independently-verifiable evidence that the security policy-enforcing mechanisms are sufficient and effective.
    Explanation:
    A trusted system is one that meets its intended security requirements. It involves sufficiency and effectiveness, not necessarily efficiency, in enforcing a security policy. Put succinctly, trusted systems have (1) policy, (2) mechanism, and (3) assurance.
    Source: HARE, Chris, Security Architecture and Models, Area 6 CISSP Open Study Guide, January 2002.

  19. What can be described as an imaginary line that separates the trusted components of the TCB from those elements that are NOT trusted?

    • The security kernel
    • The reference monitor
    • The security perimeter
    • The reference perimeter
    Explanation:

    The security perimeter is the imaginary line that separates the trusted components of the kernel and the Trusted Computing Base (TCB) from those elements that are not trusted. The reference monitor is an abstract machine that mediates all accesses to objects by subjects. The security kernel can be software, firmware or hardware components in a trusted system and is the actual instantiation of the reference monitor. The reference perimeter is not defined and is a distracter.

    Source: HARE, Chris, Security Architecture and Models, Area 6 CISSP Open Study Guide, January 2002.

  20. What is the main issue with media reuse?

    • Degaussing
    • Data remanence
    • Media destruction
    • Purging
    Explanation:
    The main issue with media reuse is data remanence, where residual information still resides on a media that has been erased. Degaussing, purging and destruction are ways to handle media that contains data that is no longer needed or used.
    Source: WALLHOFF, John, CBK#10 Physical Security (CISSP Study Guide), April 2002 (page 5).