[Free] New Updated (October) ISC SSCP Real Exam 1-10

Ensurepass

QUESTION 1

Which access control model is also called Non Discretionary Access Control (NDAC)?

 

A. Lattice based access control
B. Mandatory access control
C. Role-based access control
D. Label-based access control

 

Correct Answer: C

Explanation:

RBAC is sometimes also called non-discretionary access control (NDAC) (as Ferraiolo says “to distinguish it from the policy-based specifics of MAC”). Another model that fits within the NDAC category is Rule-Based Access Control (RuBAC or RBAC). Most of the CISSP books use the same acronym for both models, but NIST tends to use a lowercase “u” between R and B to differentiate the two models.

 

You can certainly mimic MAC using RBAC but true MAC makes use of Labels which contains the sensitivity of the objects and the categories they belong to. No labels means MAC is not being used.

 

One of the most fundamental data access control decisions an organization must make is the amount of control it will give system and data owners to specify the level of access users of that data will have. In every organization there is a balancing point between the access controls enforced by organization and system policy and the ability for information owners to determine who can have access based on specific business requirements. The process of translating that balance into a workable access control model can be defined by three general access frameworks:

 

Discretionary access control

Mandatory access control

Nondiscretionary access control

 

A role-based access control (RBAC) model bases the access control authorizations on the roles (or functions) that the user is assigned within an organization. The determination of what roles have access to a resource can be governed by the owner of the data, as with DACs, or applied based on policy, as with MACs.

 

Access control decisions are based on job function, previously defined and governed by policy, and each role (job function) will have its own access capabilities. Objects associated with a role will inherit privileges assigned to that role. This is also true for groups of users, allowing administrators to simplify access control strategies by assigning users to groups and groups to roles.

There are several approaches to RBAC. As with many system controls, there are variations on how they can be applied within a computer system.

 

There are four basic RBAC architectures:

 

1. Non-RBAC: Non-RBAC is simply a user-granted access to data or an application by traditional mapping, such as with ACLs. There are no formal “roles” associated with the mappings, other than any identified by the particular user.

 

2. Limited RBAC: Limited RBAC is achieved when users are mapped to roles within a single application rather than through an organization-wide role structure. Users in a limited RBAC system are also able to access non-RBAC-based applications or data. For example, a user may be assigned to multiple roles within several applications and, in addition, have direct access to another application or system independent of his or her assigned role. The key attribute of limited RBAC is that the role for that user is defined within an application and not necessarily based on the user’s organizational job function.

 

3. Hybrid RBAC: Hybrid RBAC introduces the use of a role that is applied to multiple applications or systems based on a user’s specific role within the organization. That role is then applied to applications or systems that subscribe to the organization’s role-based model. However, as the term “hybrid” suggests, there are instances where the subject may also be assigned to roles defined solely within specific applications, complementing (or, perhaps, contradicting) the larger, more encompassing organizational role used by other systems.

 

4. Full RBAC: Full RBAC systems are controlled by roles defined by the organization’s policy and access control infrastructure and then applied to applications and systems across the enterprise. The applications, systems, and associated data apply permissions based on that enterprise definition, and not one defined by a specific application or system. Be careful not to try to make MAC and DAC opposites of each other — they are two different access control strategies with RBAC being a third strategy that was defined later to address some of the limitations of MAC and DAC.
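The user-to-group, group-to-role and enterprise-wide role definitions described above, worked as an added Python example that is not part of the exam source or of any cited reference. The roles, groups, users and objects (payroll_clerk, auditor, finance-team, audit-team, alice, bob, payroll_db, audit_log) are constructed for illustration:

```python
"""Added example (not from the exam source): a small role-based access control
model in the 'Full RBAC' style. Roles and their permissions are defined once at
the organisation level; users reach roles directly or through groups, and an
application consults that enterprise definition instead of its own ACL."""

from dataclasses import dataclass, field


@dataclass
class RbacPolicy:
    # role -> set of (object, operation) permissions granted by organisational policy
    role_perms: dict = field(default_factory=dict)
    # group -> set of roles; a group inherits the privileges of its roles
    group_roles: dict = field(default_factory=dict)
    # user -> set of roles assigned directly
    user_roles: dict = field(default_factory=dict)
    # user -> set of groups the user belongs to
    user_groups: dict = field(default_factory=dict)

    def grant(self, role, obj, op):
        self.role_perms.setdefault(role, set()).add((obj, op))

    def roles_of(self, user):
        """Effective roles: direct assignments plus those inherited via groups."""
        roles = set(self.user_roles.get(user, ()))
        for group in self.user_groups.get(user, ()):
            roles |= self.group_roles.get(group, set())
        return roles

    def permissions_of(self, user):
        perms = set()
        for role in self.roles_of(user):
            perms |= self.role_perms.get(role, set())
        return perms

    def is_allowed(self, user, obj, op):
        # The decision is made from the role, never from the user identity itself.
        return (obj, op) in self.permissions_of(user)


def build_demo_policy():
    """Constructed enterprise policy: two job functions, two groups, two users."""
    p = RbacPolicy()
    p.grant("payroll_clerk", "payroll_db", "read")
    p.grant("payroll_clerk", "payroll_db", "write")
    p.grant("auditor", "payroll_db", "read")
    p.grant("auditor", "audit_log", "read")
    p.group_roles["finance-team"] = {"payroll_clerk"}
    p.group_roles["audit-team"] = {"auditor"}
    p.user_groups["alice"] = {"finance-team"}
    p.user_roles["bob"] = {"auditor"}
    return p


def change_job(policy, user, old_group, new_group):
    """A job change is a single group reassignment; no per-object ACL edits are needed."""
    groups = policy.user_groups.setdefault(user, set())
    groups.discard(old_group)
    groups.add(new_group)


if __name__ == "__main__":
    policy = build_demo_policy()
    checks = [("alice", "payroll_db", "write"), ("bob", "payroll_db", "write"), ("bob", "audit_log", "read")]
    for user, obj, op in checks:
        print(user, obj, op, "->", "ALLOW" if policy.is_allowed(user, obj, op) else "DENY")
    change_job(policy, "alice", "finance-team", "audit-team")
    print("after job change, alice write payroll_db ->", policy.is_allowed("alice", "payroll_db", "write"))
```

Because the application asks is_allowed() against the organisation's role definitions rather than its own access list, moving a user to a new job is one group change and the old privileges disappear with it, which is the property the Full RBAC description above relies on.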

 

The other answers are not correct because:

 

Mandatory access control is incorrect because, though it is by definition not discretionary, it is not called “non-discretionary access control.” MAC makes use of labels to indicate the sensitivity of the object, and it also makes use of categories to implement need to know.

 

Label-based access control is incorrect because this is not a name for a type of access control but simply a bogus detractor.

Lattice based access control is not adequate either. A lattice is a series of levels and a subject will be granted an upper and lower bound within the series of levels. These levels could be sensitivity levels or they could be confidentiality levels or they could be integrity levels.

 

Reference(s) used for this question:

 

All in One, third edition, page 165.

Ferraiolo, D., Kuhn, D. & Chandramouli, R. (2003). Role-Based Access Control, p. 18.

Ferraiolo, D., Kuhn, D. (1992). Role-Based Access Controls. http://csrc.nist.gov/rbac/Role_Based_Access_Control-1992.html

Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition: Access Control ((ISC)2 Press) (Kindle Locations 1557-1584). Auerbach Publications. Kindle Edition.

Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition: Access Control ((ISC)2 Press) (Kindle Locations 1474-1477). Auerbach Publications. Kindle Edition.

 

 

QUESTION 2

Which of the following statements pertaining to biometrics is FALSE?

 

A. User can be authenticated based on behavior.
B. User can be authenticated based on unique physical attributes.
C. User can be authenticated by what he knows.
D. A biometric system’s accuracy is determined by its crossover error rate (CER).

 

Correct Answer: C

Explanation:

As this is not a characteristic of biometrics, this is the right choice for this question. This is one of the three basic ways authentication can be performed, and it is not related to biometrics. An example of something you know would be a password or PIN.

 

Please make a note of the negative ‘FALSE’ within the question. This question may seem tricky to some of you, but you would be amazed at how many people cannot deal with negative questions. There will be a few negative questions within the real exam; just like this one, the keyword NOT or FALSE will be in uppercase to clearly indicate that it is negative.

 

Biometrics verifies an individual’s identity by analyzing a unique personal attribute or behavior, which is one of the most effective and accurate methods of performing authentication (one to one matching) or identification (a one to many matching).

 

A biometric system scans an attribute or behavior of a person and compares it to a template stored within an authentication server database; such a template would have been created in an earlier enrollment process. Because this system inspects the grooves of a person’s fingerprint, the pattern of someone’s retina, or the pitches of someone’s voice, it has to be extremely sensitive.

 

The system must perform accurate and repeatable measurements of anatomical or physiological characteristics. This type of sensitivity can easily cause false positives or false negatives. The system must be calibrated so that these false positives and false negatives occur infrequently and the results are as accurate as possible.

 

There are two types of failures in biometric identification:

 

False Rejection, also called False Rejection Rate (FRR) — The system fails to recognize a legitimate user. While it could be argued that this has the effect of keeping the protected area extra secure, it is an intolerable frustration to legitimate users who are refused access because the scanner does not recognize them.

 

False Acceptance or False Acceptance Rate (FAR) — This is an erroneous recognition, either by confusing one user with another or by accepting an imposter as a legitimate user.

 

Physiological Examples:

 

Unique Physical Attributes:

 

Fingerprint (Most commonly accepted)

Hand Geometry

Retina Scan (Most accurate but most intrusive)

Iris Scan

Vascular Scan

 

Behavioral Examples:

 

Repeated Actions

Keystroke Dynamics (dwell time, the time a key is pressed, and flight time, the time between “key up” and the next “key down”)

Signature Dynamics (stroke and pressure points)

 

EXAM TIP:

Retina scan devices are the most accurate but also the most invasive biometrics system available today. The continuity of the retinal pattern throughout life and the difficulty in fooling such a device also make it a great long-term, high-security option. Unfortunately, the cost of the proprietary hardware as well the stigma of users thinking it is potentially harmful to the eye makes retinal scanning a bad fit for most situations.

 

Remember for the exam that fingerprints are the most commonly accepted type of biometrics system.

 

The other answers are incorrect:

‘Users can be authenticated based on behavior.’ is incorrect as this choice is TRUE as it pertains to BIOMETRICS. Biometric systems make use of unique physical characteristics or behavior of users.

‘User can be authenticated based on unique physical attributes.’ is also incorrect as this choice is also TRUE as it pertains to BIOMETRICS. Biometric systems make use of unique physical characteristics or behavior of users.

 

‘A biometric system’s accuracy is determined by its crossover error rate (CER)’ is also incorrect as this is TRUE as it also pertains to BIOMETRICS. The CER is the point at which the false rejection rates and the false acceptance rates are equal. The smaller the value of the CER, the more accurate the system.
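The FRR, FAR and crossover relationship described above, worked as an added Python example that is not from the exam source. The genuine and impostor match scores for the two systems, and the 0 to 100 score scale, are constructed; the accept rule (a match is accepted when its score reaches the threshold) is an assumption of the example:

```python
"""Added example (not from the exam source): computing FRR, FAR and the
crossover error rate (CER) from constructed match scores. A matcher returns a
similarity score; the system accepts when the score reaches a decision
threshold. Raising the threshold lowers FAR and raises FRR; the CER is the
operating point where the two rates are equal."""


def error_rates(genuine, impostor, threshold):
    """Return (FRR, FAR) for one acceptance threshold."""
    # FRR: legitimate users whose score falls below the threshold are rejected
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    # FAR: impostors whose score reaches the threshold are accepted
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def crossover(genuine, impostor, thresholds=range(0, 101)):
    """Return (threshold, CER): the lowest threshold where |FAR - FRR| is minimal."""
    best = None  # (gap, threshold, cer)
    for t in thresholds:
        frr, far = error_rates(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    return best[1], best[2]


# Constructed match scores (0 = no similarity, 100 = identical) for two hypothetical systems.
SYSTEM_A = {"genuine": [62, 70, 75, 80, 85, 88, 90, 92, 95, 97],
            "impostor": [10, 20, 30, 35, 40, 45, 50, 55, 60, 72]}
SYSTEM_B = {"genuine": [40, 50, 55, 60, 65, 70, 75, 80, 85, 90],
            "impostor": [20, 30, 45, 52, 58, 62, 68, 72, 76, 80]}


def more_accurate(systems):
    """Rank systems by CER, lowest first: the smaller the CER, the more accurate the system."""
    return sorted(systems, key=lambda name: crossover(**systems[name])[1])


if __name__ == "__main__":
    for name, scores in (("A", SYSTEM_A), ("B", SYSTEM_B)):
        for t in (50, 60, 63, 70):
            frr, far = error_rates(scores["genuine"], scores["impostor"], t)
            print(f"system {name} threshold {t}: FRR={frr:.1f} FAR={far:.1f}")
        print(f"system {name} crossover (threshold, CER):", crossover(**scores))
    print("ranking by CER:", more_accurate({"A": SYSTEM_A, "B": SYSTEM_B}))
```

Sweeping the threshold makes the trade-off visible: each step up removes impostor acceptances and adds legitimate rejections, the point where the two rates meet is what the CER reports, and comparing CERs (0.1 against 0.4 for the two constructed systems) ranks them, which is why the exam treats a smaller CER as the more accurate system.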

 

Reference(s) used for this question:

 

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 25353-25356). Auerbach Publications. Kindle Edition.

and

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 25297-25303). Auerbach Publications. Kindle Edition.

 

 

QUESTION 3

Which of the following biometric parameters are better suited for authentication use over a long period of time?

 

A. Iris pattern
B. Voice pattern
C. Signature dynamics
D. Retina pattern

 

Correct Answer: A

Explanation:

The iris pattern is considered lifelong. Unique features of the iris are: freckles, rings, rifts, pits, striations, fibers, filaments, furrows, vasculature and coronas. Voice, signature and retina patterns are more likely to change over time, thus are not as suitable for authentication over a long period of time without needing re-enrollment.

Source: FERREL, Robert G, Questions and Answers for the CISSP Exam, domain 1 (derived from the Information Security Management Handbook, 4th Ed., by Tipton & Krause).


QUESTION 4

In addition to the accuracy of the biometric systems, there are other factors that must also be considered:

 

A. These factors include the enrollment time and the throughput rate, but not acceptability.
B. These factors do not include the enrollment time, the throughput rate, and acceptability.
C. These factors include the enrollment time, the throughput rate, and acceptability.
D. These factors include the enrollment time, but not the throughput rate, neither the acceptability.

 

Correct Answer: C

Explanation:

In addition to the accuracy of the biometric systems, there are other factors that must also be considered.

 

These factors include the enrollment time, the throughput rate, and acceptability.

 

Enrollment time is the time it takes to initially “register” with a system by providing samples of the biometric characteristic to be evaluated. An acceptable enrollment time is around two minutes.

 

For example, in fingerprint systems, the actual fingerprint is stored and requires approximately 250kb per finger for a high quality image. This level of information is required for one-to-many searches in forensics applications on very large databases.

 

In finger-scan technology, a full fingerprint is not stored; the features extracted from this fingerprint are stored using a small template that requires approximately 500 to 1000 bytes of storage. The original fingerprint cannot be reconstructed from this template.

 

Updates of the enrollment information may be required because some biometric characteristics, such as voice and signature, may change with time.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 37 & 38.

 

 

QUESTION 5

Why should batch files and scripts be stored in a protected area?

 

A. Because of the least privilege concept.
B. Because they cannot be accessed by operators.
C. Because they may contain credentials.
D. Because of the need-to-know concept.

 

Correct Answer: C

Explanation:

Because scripts contain credentials, they must be stored in a protected area and the transmission of the scripts must be dealt with carefully. Operators might need access to batch files and scripts. The least privilege concept requires that each subject in a system be granted the most restrictive set of privileges needed for the performance of authorized tasks. The need-to-know principle requires a user having necessity for access to, knowledge of, or possession of specific information required to perform official tasks or services.
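As an added example that is not from the exam source, a small Python scanner that flags the kind of embedded credentials the explanation warns about, run over two constructed batch scripts: one with secrets written into it and one that takes them from the environment or a protected file at run time. The script contents, host names, account names and pattern set are all constructed and illustrative; a real scanner would use a broader rule set.

```python
"""Added example (not from the exam source): find credentials embedded in
scripts and check that a script file is not world-readable. Every script,
host, account and secret value below is constructed for illustration."""

import re
import stat
from collections import namedtuple

# Constructed batch script with credentials embedded in it (illustrative values only).
HARDCODED_SCRIPT = r"""@echo off
REM nightly backup job (constructed example)
set BACKUP_DIR=D:\backups
net use Z: \\fileserver\backups /user:CORP\svc_backup Sup3rS3cret!
sqlcmd -S dbhost -U sa -P "Pa55w0rd" -Q "BACKUP DATABASE payroll TO DISK='Z:\payroll.bak'"
curl -s https://deploy:hunter2@repo.example.internal/artifact.zip -o %BACKUP_DIR%\artifact.zip
echo done"""

# The same job rewritten so secrets arrive through the environment or a protected file.
HARDENED_SCRIPT = r"""@echo off
REM nightly backup job, credentials supplied at run time (constructed example)
set BACKUP_DIR=D:\backups
net use Z: \\fileserver\backups /user:CORP\svc_backup %SVC_BACKUP_PW%
sqlcmd -S dbhost -E -Q "BACKUP DATABASE payroll TO DISK='Z:\payroll.bak'"
curl -s --netrc-file %SECRETS_DIR%\netrc https://repo.example.internal/artifact.zip -o %BACKUP_DIR%\artifact.zip
echo done"""

Finding = namedtuple("Finding", "line_no kind line")

# Each pattern captures the candidate secret value in group 1.
PATTERNS = [
    ("assignment", re.compile(r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*(\S+)")),
    ("net use", re.compile(r"(?i)/user:\S+\s+(\S+)")),          # password after the account
    ("cli flag", re.compile(r"\s-P\s*\"?([^\s\"]+)")),          # sqlcmd-style -P password
    ("url", re.compile(r"://[^\s/:@]+:([^\s/@]+)@")),           # user:password@ in a URL
]


def is_runtime_reference(value):
    """%VAR% (cmd) or $VAR (sh) is resolved at run time, so nothing is stored in the file."""
    return value.startswith("%") or value.startswith("$")


def scan_script(text):
    """Return one Finding per (line, pattern) where a literal secret appears."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().upper().startswith("REM"):
            continue  # comment lines are skipped
        for kind, pattern in PATTERNS:
            m = pattern.search(line)
            if m and not is_runtime_reference(m.group(1)):
                findings.append(Finding(line_no, kind, line))
    return findings


def is_world_readable(mode):
    """True when a POSIX mode grants read to 'other'; a script holding credentials must not."""
    return bool(mode & stat.S_IROTH)


if __name__ == "__main__":
    for name, text in (("hardcoded", HARDCODED_SCRIPT), ("hardened", HARDENED_SCRIPT)):
        hits = scan_script(text)
        print(f"{name}: {len(hits)} finding(s)")
        for f in hits:
            print(f"  line {f.line_no} [{f.kind}]: {f.line.strip()}")
    print("mode 0644 world-readable:", is_world_readable(0o644))
```

The hardened script still needs the protected storage the question asks about (the netrc file and the environment it is launched from now hold the secret), but the scanner's empty result for it shows the difference between a script that carries credentials and one that only refers to them.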

Source: WALLHOFF, John, CISSP Summary 2002, April 2002, CBK#1 Access Control System & Methodology (page 3)

 

 

 

 

QUESTION 6

Which of the following questions is less likely to help in assessing physical access controls?

 

A. Does management regularly review the list of persons with physical access to sensitive facilities?
B. Is the operating system configured to prevent circumvention of the security software and application controls?
C. Are keys or other access devices needed to enter the computer room and media library?
D. Are visitors to sensitive areas signed in and escorted?

 

Correct Answer: B

Explanation:

Physical security and environmental security are part of operational controls, and are measures taken to protect systems, buildings, and related supporting infrastructures against threats associated with their physical environment. All the questions above are useful in assessing physical access controls except for the one regarding operating system configuration, which is a logical access control.

Source: SWANSON, Marianne, NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems, November 2001 (Pages A-21 to A-24).

 

 

QUESTION 7

Which of the following is NOT a compensating measure for access violations?

 

A. Backups
B. Business continuity planning
C. Insurance
D. Security awareness

 

Correct Answer: D

Explanation:

Security awareness is a preventive measure, not a compensating measure for access violations.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 50).

 

 

QUESTION 8

Considerations of privacy, invasiveness, and psychological and physical comfort when using the system are important elements for which of the following?

 

A. Accountability of biometrics systems
B. Acceptability of biometrics systems
C. Availability of biometrics systems
D. Adaptability of biometrics systems

 

Correct Answer: B

Explanation:

Acceptability refers to considerations of privacy, invasiveness, and psychological and physical comfort when using the system.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 39.

 

 

 

QUESTION 9

Which type of control is concerned with restoring controls?

 

A. Compensating controls
B. Corrective controls
C. Detective controls
D. Preventive controls

 

Correct Answer: B

Explanation:

Corrective controls are concerned with remedying circumstances and restoring controls.

 

Detective controls are concerned with investigating what happened after the fact, such as logs and video surveillance tapes, for example.

 

Compensating controls are alternative controls, used to compensate weaknesses in other controls.

Preventive controls are concerned with avoiding occurrences of risks.

Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

 

 

QUESTION 10

What is called the type of access control where there are pairs of elements that have the least upper bound of values and greatest lower bound of values?

 

A. Mandatory model
B. Discretionary model
C. Lattice model
D. Rule model

 

Correct Answer: C

Explanation:

In a lattice model, there are pairs of elements that have the least upper bound of values and greatest lower bound of values.
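The least upper bound and greatest lower bound described above, worked as an added Python example that is not from the exam source. It uses the kind of label that question 1 describes for true MAC, a sensitivity level plus a set of categories, so the same block also illustrates why labels (and not just levels) are what make MAC work. The level names and category names are constructed; the read rule (a subject may read an object only when the subject's label dominates the object's) is an assumption of the example:

```python
"""Added example (not from the exam source): a lattice of MAC-style labels.
A label is a sensitivity level plus a set of categories (need-to-know
compartments). Labels are partially ordered by dominance, and every pair has
a least upper bound (join) and a greatest lower bound (meet), which is what
makes the set of labels a lattice. Level names are constructed."""

from dataclasses import dataclass

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: int
    cats: frozenset

    @staticmethod
    def of(level_name, *cats):
        return Label(LEVELS[level_name], frozenset(cats))

    def dominates(self, other):
        # Partial order: at least the other's level AND a superset of its categories.
        return self.level >= other.level and self.cats >= other.cats


def join(a, b):
    """Least upper bound: the lowest label that dominates both a and b."""
    return Label(max(a.level, b.level), a.cats | b.cats)


def meet(a, b):
    """Greatest lower bound: the highest label dominated by both a and b."""
    return Label(min(a.level, b.level), a.cats & b.cats)


def comparable(a, b):
    """False when neither dominates the other (different category sets)."""
    return a.dominates(b) or b.dominates(a)


def can_read(subject, obj):
    """Assumed read rule: the subject's clearance must dominate the object's label."""
    return subject.dominates(obj)


def clearance_needed(objects):
    """Smallest clearance that can read every object: the join over all their labels."""
    lub = Label(min(LEVELS.values()), frozenset())  # bottom of the lattice
    for o in objects:
        lub = join(lub, o)
    return lub


if __name__ == "__main__":
    crypto = Label.of("SECRET", "CRYPTO")
    nuclear = Label.of("CONFIDENTIAL", "NUCLEAR")
    print("join:", join(crypto, nuclear))
    print("meet:", meet(crypto, nuclear))
    print("comparable:", comparable(crypto, nuclear))
    print("TS/CRYPTO reads nuclear doc:", can_read(Label.of("TOP_SECRET", "CRYPTO"), nuclear))
    print("clearance for both:", clearance_needed([crypto, nuclear]))
```

The pair (SECRET, {CRYPTO}) and (CONFIDENTIAL, {NUCLEAR}) is the case the exam wording points at: neither label dominates the other, yet the lattice still gives them a least upper bound (SECRET, {CRYPTO, NUCLEAR}) and a greatest lower bound (CONFIDENTIAL, {}), and a TOP_SECRET clearance without the NUCLEAR category still cannot read the NUCLEAR object, which is the category (need-to-know) half of a MAC label at work.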

 

Reference(s) used for this question:

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 34.
