SSCP : System Security Certified Practitioner (SSCP) : Part 54

  1. When considering an IT System Development Life-cycle, security should be:

    • Mostly considered during the initiation phase.
    • Mostly considered during the development phase.
    • Treated as an integral part of the overall system design.
    • Added once the design is completed.

    Explanation:

    Security must be considered in information system design. Experience has shown it is very difficult to implement security measures properly and successfully after a system has been developed, so it should be integrated fully into the system life-cycle process. This includes establishing security policies, understanding the resulting security requirements, participating in the evaluation of security products, and finally in the engineering, design, implementation, and disposal of the system.

    Source: STONEBURNER, Gary & al, National Institute of Standards and Technology (NIST), NIST Special Publication 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security), June 2001 (page 7).

  2. Risk reduction in a system development life-cycle should be applied:

    • Mostly to the initiation phase.
    • Mostly to the development phase.
    • Mostly to the disposal phase.
    • Equally to all phases.
    Explanation:

    Risk is defined as the combination of the probability that a particular threat source will exploit, or trigger, a particular information system vulnerability and the resulting mission impact should this occur. Previously, risk avoidance was a common IT security goal. That changed as the nature of the risk became better understood. Today, it is recognized that elimination of all risk is not cost-effective. A cost-benefit analysis should be conducted for each proposed control. In some cases, the benefits of a more secure system may not justify the direct and indirect costs. Benefits include more than just prevention of monetary loss; for example, controls may be essential for maintaining public trust and confidence. Direct costs include the cost of purchasing and installing a given technology; indirect costs include decreased system performance and additional training. The goal is to enhance mission/business capabilities by managing mission/business risk to an acceptable level.

    Source: STONEBURNER, Gary & al, National Institute of Standards and Technology (NIST), NIST Special Publication 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security), June 2001 (page 8).

  3. Which of the following security mode of operation does NOT require all users to have the clearance for all information processed on the system?

    • Compartmented security mode
    • Multilevel security mode
    • System-high security mode
    • Dedicated security mode
    Explanation:

    The multilevel security mode permits two or more classification levels of information to be processed at the same time when not all users have the clearance or formal approval to access all the information being processed by the system.

    In dedicated security mode, all users have the clearance or authorization and need-to-know to all data processed within the system.

    In system-high security mode, all users have a security clearance or authorization to access the information but not necessarily a need-to-know for all the information processed on the system (only some of the data).

    In compartmented security mode, all users have the clearance to access all the information processed by the system, but might not have the need-to-know and formal access approval.

    Generally, security modes refer to information systems security modes of operation used in mandatory access control (MAC) systems. Often, these systems contain information at various levels of security classification.

    The mode of operation is determined by:

    • The type of users who will be directly or indirectly accessing the system.
    • The type of data, including classification levels, compartments, and categories, that are processed on the system.
    • The levels of users, their need to know, and the formal access approvals that the users will have.

    Dedicated security mode
    In this mode of operation, all users must have:

    • Signed NDA for ALL information on the system.
    • Proper clearance for ALL information on the system.
    • Formal access approval for ALL information on the system.
    • A valid need to know for ALL information on the system.

    All users can access ALL data.

    System-high security mode
    In this mode of operation, all users must have:

    • Signed NDA for ALL information on the system.
    • Proper clearance for ALL information on the system.
    • Formal access approval for ALL information on the system.
    • A valid need to know for SOME information on the system.

    All users can access SOME data, based on their need to know.

    Compartmented security mode
    In this mode of operation, all users must have:

    • Signed NDA for ALL information on the system.
    • Proper clearance for ALL information on the system.
    • Formal access approval for SOME information they will access on the system.
    • A valid need to know for SOME information on the system.

    All users can access SOME data, based on their need to know and formal access approval.

    Multilevel security mode
    In this mode of operation, all users must have:

    • Signed NDA for ALL information on the system.
    • Proper clearance for SOME information on the system.
    • Formal access approval for SOME information on the system.
    • A valid need to know for SOME information on the system.

    All users can access SOME data, based on their need to know, clearance and formal access approval.

    REFERENCES:

    WALLHOFF, John, CBK#6 Security Architecture and Models (CISSP Study Guide), April 2002 (page 6).
    and
    http://en.wikipedia.org/wiki/Security_Modes

  4. What prevents a process from accessing another process’ data?

    • Memory segmentation
    • Process isolation
    • The reference monitor
    • Data hiding
    Explanation:

    Process isolation is where each process has its own distinct address space for its application code and data. In this way, it is possible to prevent each process from accessing another process’ data. This prevents data leakage, or modification of the data while it is in memory. Memory segmentation is a virtual memory management mechanism. The reference monitor is an abstract machine that mediates all accesses to objects by subjects. Data hiding, also known as information hiding, is a mechanism that ensures information available at one processing level is not available at another level.

    Source: HARE, Chris, Security Architecture and Models, Area 6 CISSP Open Study Guide, January 2002.

  5. Which of the following statements pertaining to the security kernel is incorrect?

    • The security kernel is made up of mechanisms that fall under the TCB and implements and enforces the reference monitor concept.
    • The security kernel must provide isolation for the processes carrying out the reference monitor concept and they must be tamperproof.
    • The security kernel must be small enough to be able to be tested and verified in a complete and comprehensive manner.
    • The security kernel is an access control concept, not an actual physical component.
    Explanation:

    The reference monitor, not the security kernel, is an access control concept.

    The security kernel is made up of software and firmware components that fall within the TCB and implement and enforce the reference monitor concept. The security kernel mediates all access and functions between subjects and objects. The security kernel is the core of the TCB and is the most commonly used approach to building trusted computing systems.

    There are three main requirements of the security kernel:

    • It must provide isolation for the processes carrying out the reference monitor concept, and the processes must be tamperproof.
    • It must be invoked for every access attempt and must be impossible to circumvent. Thus, the security kernel must be implemented in a complete and foolproof way.
    • It must be small enough to be able to be tested and verified in a complete and comprehensive manner.

    The following answers are incorrect:

    "The security kernel is made up of mechanisms that fall under the TCB and implements and enforces the reference monitor concept" is incorrect because this is the definition of the security kernel.

    "The security kernel must provide isolation for the processes carrying out the reference monitor concept and they must be tamperproof" is incorrect because this is one of the three requirements of the security kernel.

    "The security kernel must be small enough to be able to be tested and verified in a complete and comprehensive manner" is incorrect because this is one of the three requirements of the security kernel.

  6. Which of the following best corresponds to the type of memory addressing where the address location that is specified in the program instruction contains the address of the final desired location?

    • Direct addressing
    • Indirect addressing
    • Indexed addressing
    • Program addressing
    Explanation:

    Indirect addressing is when the address location that is specified in the program instruction contains the address of the final desired location. Direct addressing is when a portion of primary memory is accessed by specifying the actual address of the memory location. Indexed addressing is when the contents of the address defined in the program’s instruction is added to that of an index register. Program addressing is not a defined memory addressing mode.

    Source: WALLHOFF, John, CBK#6 Security Architecture and Models (CISSP Study Guide), April 2002 (page 2).

  7. In an organization, an Information Technology security function should:

    • Be a function within the information systems function of an organization.
    • Report directly to a specialized business unit such as legal, corporate security or insurance.
    • Be led by a Chief Security Officer and report directly to the CEO.
    • Be independent but report to the Information Systems function.
    Explanation:

    In order to offer more independence and get more attention from management, an IT security function should be independent from IT and report directly to the CEO. Having it report to a specialized business unit (e.g. legal) is not recommended as it promotes a low-technology view of the function and leads people to believe that it is someone else’s problem.

    Source: HARE, Chris, Security Management Practices CISSP Open Study Guide, version 1.0, April 1999.

  8. IT security measures should:

    • Be complex
    • Be tailored to meet organizational security goals.
    • Make sure that every asset of the organization is well protected.
    • Not be developed in a layered fashion.
    Explanation:

    In general, IT security measures are tailored according to an organization’s unique needs. While numerous factors, such as the overriding mission requirements and guidance, are to be considered, the fundamental issue is the protection of the mission or business from negative, IT security-related impacts. Because IT security needs are not uniform, system designers and security practitioners should consider the level of trust when connecting to other external networks and internal sub-domains. Recognizing the uniqueness of each system allows a layered security strategy to be used: implementing lower assurance solutions with lower costs to protect less critical systems and higher assurance solutions only at the most critical areas.

    The more complex the mechanism, the more likely it may possess exploitable flaws. Simple mechanisms tend to have fewer exploitable flaws and require less maintenance. Further, because configuration management issues are simplified, updating or replacing a simple mechanism becomes a less intensive process.

    Security designs should consider a layered approach to address or protect against a specific threat or to reduce a vulnerability. For example, the use of a packet-filtering router in conjunction with an application gateway and an intrusion detection system combines to increase the work factor an attacker must expend to successfully attack the system. Adding good password controls and adequate user training improves the system’s security posture even more.

    The need for layered protections is especially important when commercial-off-the-shelf (COTS) products are used. Practical experience has shown that the current state-of-the-art for security quality in COTS products does not provide a high degree of protection against sophisticated attacks. It is possible to help mitigate this situation by placing several controls in series, requiring additional work by attackers to accomplish their goals.

    Source: STONEBURNER, Gary & al, National Institute of Standards and Technology (NIST), NIST Special Publication 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security), June 2001 (pages 9-10).

  9. Who is responsible for initiating corrective measures and capabilities used when there are security violations?

    • Information systems auditor
    • Security administrator
    • Management
    • Data owners
    Explanation:

    Management is responsible for protecting all assets that are directly or indirectly under their control.

    They must ensure that employees understand their obligations to protect the company’s assets, and implement security in accordance with the company policy. Finally, management is responsible for initiating corrective actions when there are security violations.
    Source: HARE, Chris, Security Management Practices CISSP Open Study Guide, version 1.0, April 1999.

  10. What can best be defined as high-level statements, beliefs, goals and objectives?

    • Standards
    • Policies
    • Guidelines
    • Procedures
    Explanation:

    Policies are high-level statements, beliefs, goals and objectives and the general means for their attainment for a specific subject area. Standards are mandatory activities, actions, rules or regulations designed to provide policies with the support structure and specific direction they require to be effective. Guidelines are more general statements of how to achieve the policy’s objectives by providing a framework within which to implement procedures. Procedures spell out the specific steps of how the policy, its supporting standards and the guidelines will be implemented.

    Source: HARE, Chris, Security Management Practices CISSP Open Study Guide, version 1.0, April 1999.

  11. During which phase of an IT system life cycle are security requirements developed?

    • Operation
    • Initiation
    • Functional design analysis and Planning
    • Implementation
    Explanation:

    The software development life cycle (SDLC) (sometimes referred to as the System Development Life Cycle) is the process of creating or altering software systems, and the models and methodologies that people use to develop these systems.

    The NIST SP 800-64 revision 2 has within the description section of para 3.2.1:

    This section addresses security considerations unique to the second SDLC phase. Key security activities for this phase include:

    • Conduct the risk assessment and use the results to supplement the baseline security controls;
    • Analyze security requirements;
    • Perform functional and security testing;
    • Prepare initial documents for system certification and accreditation; and
    • Design security architecture.

    Reviewing this publication, you may want to pick development/acquisition. Although initiation would be a decent choice, it is correct to say that during this phase you would only brainstorm the idea of security requirements. Once you start to develop and acquire hardware/software components, then you would also develop the security controls for these. The Shon Harris reference below is correct as well.

    Shon Harris’ Book (All-in-One CISSP Certification Exam Guide) divides the SDLC differently:

    Project initiation
    Functional design analysis and planning
    System design specifications
    Software development
    Installation
    Maintenance support
    Revision and replacement

    According to the author (Shon Harris), security requirements should be developed during the functional design analysis and planning phase.
    [Figure: SDLC positioning from NIST 800-64]

    SDLC Positioning in the enterprise
    Information system security processes and activities provide valuable input into managing IT systems and their development, enabling risk identification, planning and mitigation. A risk management approach involves continually balancing the protection of agency information and assets with the cost of security controls and mitigation strategies throughout the complete information system development life cycle (see Figure 2-1 above). The most effective way to implement risk management is to identify critical assets and operations, as well as systemic vulnerabilities across the agency. Risks are shared and not bound by organization, revenue source, or topologies. Identification and verification of critical assets and operations and their interconnections can be achieved through the system security planning process, as well as through the compilation of information from the Capital Planning and Investment Control (CPIC) and Enterprise Architecture (EA) processes to establish insight into the agency’s vital business operations, their supporting assets, and existing interdependencies and relationships.

    With critical assets and operations identified, the organization can and should perform a business impact analysis (BIA). The purpose of the BIA is to relate systems and assets with the critical services they provide and assess the consequences of their disruption. By identifying these systems, an agency can manage security effectively by establishing priorities. This positions the security office to facilitate the IT program’s cost-effective performance as well as articulate its business impact and value to the agency.

    [Figure: SDLC overview from NIST 800-64 Revision 2]

    NIST 800-64 Revision 2 is one publication within the NIST standards that I would recommend you look at for more details about the SDLC. It describes in great detail what activities would take place and has a nice diagram for each of the phases of the SDLC. You will find a copy at:

    http://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-Revision2.pdf

    DISCUSSION:
    Different sources present slightly different information as far as the phase names are concerned.

    People sometimes get confused by some of the NIST standards. For example, NIST 800-64 Security Considerations in the Information System Development Life Cycle has slightly different names, but the activities mostly remain the same.

    NIST clearly specifies that security requirements would be considered throughout ALL of the phases. The keyword here is considered; if a question is about which phase they would be developed in, then Functional Design Analysis would be the correct choice.

    Within the NIST standard they use different phase names; however, under the second phase you will see that they talk specifically about security functional requirements analysis, which confirms it is not at the initiation stage, so it becomes easier to come up with the answer to this question. Here is what is stated:

    The security functional requirements analysis considers the system security environment, including the enterprise information security policy and the enterprise security architecture. The analysis should address all requirements for confidentiality, integrity, and availability of information, and should include a review of all legal, functional, and other security requirements contained in applicable laws, regulations, and guidance.

    At the initiation step you would NOT have enough detail yet to produce the security requirements. You are mostly brainstorming on all of the issues listed, but you do not develop them all at that stage.

    By considering security early in the information system development life cycle (SDLC), you may be able to avoid higher costs later on and develop a more secure system from the start.

    NIST says:
    NIST’s Information Technology Laboratory recently issued Special Publication (SP) 800-64, Security Considerations in the Information System Development Life Cycle, by Tim Grance, Joan Hash, and Marc Stevens, to help organizations include security requirements in their planning for every phase of the system life cycle, and to select, acquire, and use appropriate and cost-effective security controls.

    I must admit this is all very tricky but reading skills and paying attention to KEY WORDS is a must for this exam.

    References:

    HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, Fifth Edition, Page 956
    and
    NIST SP 800-64 Revision 2 at http://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-Revision2.pdf
    and
    http://www.mks.com/resources/resource-pages/software-development-life-cycle-sdlc-system-development

  12. Which of the following phases of a system development life-cycle is most concerned with establishing a good security policy as the foundation for design?

    • Development/acquisition
    • Implementation
    • Initiation
    • Maintenance
    Explanation:

    A security policy is an important document to develop while designing an information system. The security policy begins with the organization’s basic commitment to information security formulated as a general policy statement.

    The policy is then applied to all aspects of the system design or security solution. The policy identifies security goals (e.g., confidentiality, integrity, availability, accountability, and assurance) the system should support, and these goals guide the procedures, standards and controls used in the IT security architecture design.

    The policy also should require definition of critical assets, the perceived threat, and security-related roles and responsibilities.

    Source: STONEBURNER, Gary & al, National Institute of Standards and Technology (NIST), NIST Special Publication 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security), June 2001 (page 6).

  13. Which of the following does not address Database Management Systems (DBMS) Security?

    • Perturbation
    • Cell suppression
    • Padded cells
    • Partitioning
    Explanation:

    Padded cells complement Intrusion Detection Systems (IDSs) and are not related to DBMS security. Padded cells are simulated environments to which IDSs seamlessly transfer detected attackers and are designed to convince an attacker that the attack is going according to the plan. Cell suppression is a technique used against inference attacks by not revealing information in the case where a statistical query produces a very small result set. Perturbation also addresses inference attacks but involves making minor modifications to the results to a query. Partitioning involves splitting a database into two or more physical or logical parts; especially relevant for multilevel secure databases.

    Source: LaROSA, Jeanette (domain leader), Application and System Development Security CISSP Open Study Guide, version 3.0, January 2002.

  14. Which of the following security modes of operation involves the highest risk?

    • Compartmented Security Mode
    • Multilevel Security Mode
    • System-High Security Mode
    • Dedicated Security Mode
    Explanation:

    In multilevel mode, two or more classification levels of data exist, and some people are not cleared for all the data on the system.

    Risk is higher because sensitive data could be made available to someone not validated as being capable of maintaining secrecy of that data (i.e., not cleared for it).

    In other security modes, all users have the necessary clearance for all data on the system.
    Source: LaROSA, Jeanette (domain leader), Application and System Development Security CISSP Open Study Guide, version 3.0, January 2002.
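
As an added example that is not part of the original study guide, the following Python models the four security modes from the explanation to Q3 and the risk point in Q14: the attributes a mode does not require of ALL users are exactly the ones the system must check on every access, and only multilevel mode places users on the same system as data above their clearance. User names, objects, levels and compartments are constructed for illustration.

```python
"""Constructed model of the four security modes of operation."""
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    DEDICATED = "dedicated"
    SYSTEM_HIGH = "system-high"
    COMPARTMENTED = "compartmented"
    MULTILEVEL = "multilevel"


LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Obj:
    name: str
    level: str
    compartments: frozenset  # formal-approval compartments; empty if none


@dataclass(frozen=True)
class User:
    name: str
    clearance: str
    approvals: frozenset     # formal access approvals (compartments) held
    need_to_know: frozenset  # object names this user has a valid need to know
    signed_nda: bool = True


def mode_requirements_met(mode: Mode, users, objects) -> bool:
    """Personnel preconditions from the Q3 table: what EVERY user must hold
    for ALL information on the system before that mode may be used."""
    system_high = max(LEVELS[o.level] for o in objects)
    all_comps = frozenset().union(*(o.compartments for o in objects))
    all_names = {o.name for o in objects}
    for u in users:
        if not u.signed_nda:                                   # NDA: every mode
            return False
        if mode is not Mode.MULTILEVEL and LEVELS[u.clearance] < system_high:
            return False                                       # clearance for ALL
        if mode in (Mode.DEDICATED, Mode.SYSTEM_HIGH) and not all_comps <= u.approvals:
            return False                                       # approval for ALL
        if mode is Mode.DEDICATED and not all_names <= u.need_to_know:
            return False                                       # need to know for ALL
    return True


def may_access(mode: Mode, user: User, obj: Obj) -> bool:
    """Per-access decision the system itself must enforce in each mode."""
    if not user.signed_nda:
        return False
    if mode is Mode.DEDICATED:
        return True                        # everyone was vetted for everything
    if obj.name not in user.need_to_know:
        return False                       # system-high, compartmented, multilevel
    if mode is Mode.SYSTEM_HIGH:
        return True
    if not obj.compartments <= user.approvals:
        return False                       # compartmented, multilevel
    if mode is Mode.COMPARTMENTED:
        return True
    return LEVELS[user.clearance] >= LEVELS[obj.level]   # multilevel: MAC check


def uncleared_pairs(mode: Mode, users, objects):
    """(user, object) pairs where a user shares the system with data above
    their clearance: the exposure that makes multilevel mode the highest risk.
    Always empty in the other modes once mode_requirements_met() holds."""
    if not mode_requirements_met(mode, users, objects):
        raise ValueError("users do not satisfy the preconditions of this mode")
    return {(u.name, o.name) for u in users for o in objects
            if LEVELS[u.clearance] < LEVELS[o.level]}


# Constructed sample data
OPS_PLAN = Obj("ops-plan", "SECRET", frozenset())
CRYPTO_KEYS = Obj("crypto-keys", "TOP SECRET", frozenset({"CRYPTO"}))
OBJECTS = [OPS_PLAN, CRYPTO_KEYS]
ALICE = User("alice", "TOP SECRET", frozenset({"CRYPTO"}), frozenset({"ops-plan", "crypto-keys"}))
CAROL = User("carol", "TOP SECRET", frozenset(), frozenset({"ops-plan", "crypto-keys"}))
BOB = User("bob", "SECRET", frozenset(), frozenset({"ops-plan"}))
```

Running `uncleared_pairs(Mode.MULTILEVEL, [ALICE, BOB], OBJECTS)` yields `{("bob", "crypto-keys")}`, while the same users fail the preconditions of every other mode.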
