[Free] New Updated (October) ISC SSCP Real Exam 121-130

Ensurepass

 

QUESTION 121

When submitting a passphrase for authentication, the passphrase is converted into …

 

A. a virtual password by the system

B. a new passphrase by the system

C. a new passphrase by the encryption technology

D. a real password by the system which can be used forever

 

Correct Answer: A

Explanation:

Passwords can be compromised and must be protected. In the ideal case, a password is used only once; at the other extreme, it is never changed. How often passwords are changed can fall anywhere between these two extremes.

 

Passwords can be required to change monthly, quarterly, or at other intervals, depending on the criticality of the information needing protection and the password’s frequency of use.

 

Obviously, the more times a password is used, the more chance there is of it being compromised.

 

It is recommended to use a passphrase instead of a password, because a passphrase is more resistant to attacks. The passphrase is converted into a virtual password by the system. Often the passphrase will exceed the maximum length supported by the system, and it must then be truncated into a virtual password.
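The explanation above says the system reduces a long passphrase to a fixed-length virtual password, and that this may be done by truncation. The example below, added here and not part of the exam source, contrasts that naive truncation with a one-way transform of the whole passphrase. The field length, the passphrases and the use of SHA-256 are constructed for illustration; a stored password verifier would use a slow, salted KDF rather than a bare hash.

```python
import hashlib
import hmac

# Fixed length (bytes) that the hypothetical system can store per account.
# Constructed value for the example.
VIRTUAL_PASSWORD_LEN = 8


def truncate_virtual_password(passphrase: str) -> bytes:
    """Naive reduction: keep only the first VIRTUAL_PASSWORD_LEN bytes.

    Everything typed beyond that point has no effect, so two long passphrases
    that share a prefix are the same credential as far as the system knows.
    """
    return passphrase.encode("utf-8")[:VIRTUAL_PASSWORD_LEN]


def hashed_virtual_password(passphrase: str) -> bytes:
    """One-way reduction: hash the whole passphrase, then cut to the field length.

    Every character contributes to the result; the cut happens after mixing,
    not before, so the extra length of the passphrase is not thrown away.
    """
    digest = hashlib.sha256(passphrase.encode("utf-8")).digest()
    return digest[:VIRTUAL_PASSWORD_LEN]


def same_virtual_password(derive, a: str, b: str) -> bool:
    """Would the system treat passphrases a and b as the same credential?"""
    return hmac.compare_digest(derive(a), derive(b))


# Constructed passphrases that differ only after the eighth byte.
P1 = "correct horse battery staple"
P2 = "correct horse battery stapler"

if __name__ == "__main__":
    for name, derive in (("truncation", truncate_virtual_password),
                         ("hashing", hashed_virtual_password)):
        collide = same_virtual_password(derive, P1, P2)
        print(f"{name:10s}: {derive(P1).hex()} vs {derive(P2).hex()} "
              f"-> {'SAME credential' if collide else 'distinct'}")
```

Under truncation both passphrases become the same eight bytes, so the difference the user relied on is lost; under the hash-based derivation they stay distinct even though the stored value is just as short.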

 

Reference(s) used for this question:

 

http://www.itl.nist.gov/fipspubs/fip112.htm

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36 & 37.


QUESTION 122

What does the (star) property mean in the Bell-LaPadula model?

 

A. No write up

B. No read up

C. No write down

D. No read down

 

Correct Answer: C

Explanation:

The star property (written *-property) of the Bell-LaPadula access control model states that a subject at a higher level of sensitivity is not permitted to write information to an object at a lower level of sensitivity (no write down).

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security Architectures and Models (page 202).

Also check out: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter 5: Security Models and Architecture (page 242, 243).

 

 

QUESTION 123

What does the simple integrity axiom mean in the Biba model?

A. No write down

B. No read down

C. No read up

D. No write up

 

Correct Answer: B

Explanation:

The simple integrity axiom of the Biba access control model states that a subject at one level of integrity is not permitted to observe an object of a lower integrity (no read down).

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security Architectures and Models (page 205).
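Questions 122 and 123 each ask about one rule of the two lattice models; the four rules together are easiest to keep straight when written as a small reference monitor. The following example is added here and is not from the exam source or its references. The level names, the subject "joe" and the three objects are constructed; Biba's star integrity axiom and Bell-LaPadula's simple security property, which the questions do not spell out, are included so the duality between the models is visible.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Constructed lattice; a higher value means more sensitive (BLP) or more trusted (Biba)."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Level   # Bell-LaPadula confidentiality clearance
    integrity: Level   # Biba integrity level


@dataclass(frozen=True)
class Obj:
    name: str
    classification: Level  # Bell-LaPadula sensitivity label
    integrity: Level       # Biba integrity label


def blp_allows(subject: Subject, obj: Obj, op: str) -> bool:
    """Bell-LaPadula confidentiality rules.

    read  : simple security property, no read up   (clearance >= classification)
    write : star property,            no write down (clearance <= classification)
    """
    if op == "read":
        return subject.clearance >= obj.classification
    if op == "write":
        return subject.clearance <= obj.classification
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Subject, obj: Obj, op: str) -> bool:
    """Biba integrity rules, the dual of Bell-LaPadula.

    read  : simple integrity axiom, no read down (subject integrity <= object integrity)
    write : star integrity axiom,   no write up  (subject integrity >= object integrity)
    """
    if op == "read":
        return subject.integrity <= obj.integrity
    if op == "write":
        return subject.integrity >= obj.integrity
    raise ValueError(f"unknown operation {op!r}")


def decision_table(subject, objects, rule):
    """Evaluate every (object, operation) pair under one model -> {(name, op): allowed}."""
    return {(o.name, op): rule(subject, o, op)
            for o in objects for op in ("read", "write")}


# Constructed subject and objects; "joe" holds SECRET in both lattices.
JOE = Subject("joe", clearance=Level.SECRET, integrity=Level.SECRET)
OBJECTS = [
    Obj("recipe", classification=Level.SECRET, integrity=Level.SECRET),
    Obj("memo", classification=Level.CONFIDENTIAL, integrity=Level.CONFIDENTIAL),
    Obj("plan", classification=Level.TOP_SECRET, integrity=Level.TOP_SECRET),
]

if __name__ == "__main__":
    for model, rule in (("Bell-LaPadula", blp_allows), ("Biba", biba_allows)):
        print(model)
        for (name, op), ok in decision_table(JOE, OBJECTS, rule).items():
            print(f"  {JOE.name} {op:5s} {name:7s} -> {'allow' if ok else 'deny'}")
```

Running it shows the two models disagreeing on exactly the cases the questions test: Bell-LaPadula lets joe read the CONFIDENTIAL memo but denies writing to it (no write down), while Biba denies reading the lower-integrity memo (no read down) but allows writing to it.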

 

 

QUESTION 124

Which of the following pairings uses technology to enforce access control policies?

 

A. Preventive/Administrative

B. Preventive/Technical

C. Preventive/Physical

D. Detective/Administrative

 

Correct Answer: B

Explanation:

The preventive/technical pairing uses technology to enforce access control policies.

 

TECHNICAL CONTROLS

Technical security involves the use of safeguards incorporated in computer hardware, operations or applications software, communications hardware and software, and related devices. Technical controls are sometimes referred to as logical controls.

 

Preventive Technical Controls

Preventive technical controls are used to prevent unauthorized personnel or programs from gaining remote access to computing resources. Examples of these controls include:

 

Access control software.

Antivirus software.

Library control systems.

Passwords.

Smart cards.

Encryption.

Dial-up access control and callback systems.

 

Preventive Physical Controls

Preventive physical controls are employed to prevent unauthorized personnel from entering computing facilities (i.e., locations housing computing resources, supporting utilities, computer hard copy, and input data media) and to help protect against natural disasters.

Examples of these controls include:

Backup files and documentation.

Fences.

Security guards.

Badge systems.

Double door systems.

Locks and keys.

Backup power.

Biometric access controls.

Site selection.

Fire extinguishers.

 

Preventive Administrative Controls

Preventive administrative controls are personnel-oriented techniques for controlling people’s behavior to ensure the confidentiality, integrity, and availability of computing data and programs. Examples of preventive administrative controls include:

Security awareness and technical training.

Separation of duties.

Procedures for recruiting and terminating employees.

Security policies and procedures.

Supervision.

Disaster recovery, contingency, and emergency plans.

User registration for computer access.

 

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 34.

 

 

QUESTION 125

In an organization where there are frequent personnel changes, non-discretionary access control using Role Based Access Control (RBAC) is useful because:

 

A. people need not use discretion

B. the access controls are based on the individual’s role or title within the organization.

C. the access controls are not based on the individual’s role or title within the organization

D. the access controls are often based on the individual’s role or title within the organization

 

Correct Answer: B

Explanation:

In an organization where there are frequent personnel changes, non-discretionary access control (also called Role Based Access Control) is useful because the access controls are based on the individual’s role or title within the organization. A new employee’s access can be configured simply by assigning the user to a predefined role. The user implicitly inherits the permissions of the role by being a member of it.

 

These access permissions defined within the role do not need to be changed whenever a new person takes over the role.

 

Another type of non-discretionary access control model is Rule Based Access Control (RBAC or RuBAC), where a global set of rules is uniformly applied to all subjects accessing the resources. A good example of RuBAC would be a firewall.

 

This question is a sneaky one: one of the choices differs from the correct answer by a single added word, “often”. Reading questions and their choices very carefully is a must for the real exam; reading them twice if needed is recommended.

 

Shon Harris, in her book, lists the following ways of managing RBAC:

 

Role-based access control can be managed in the following ways:

 

Non-RBAC: Users are mapped directly to applications and no roles are used. (No roles being used.)

 

Limited RBAC: Users are mapped to multiple roles and mapped directly to other types of applications that do not have role-based access functionality. (A mix: roles are used for applications that support them, and explicit access control is used for applications that do not.)

 

Hybrid RBAC: Users are mapped to multi-application roles with only selected rights assigned to those roles.

 

Full RBAC: Users are mapped to enterprise roles. (Roles are used for all access being granted.)

 

NIST defines RBAC as:

Security administration can be costly and prone to error because administrators usually specify access control lists for each user on the system individually. With RBAC, security is managed at a level that corresponds closely to the organization’s structure. Each user is assigned one or more roles, and each role is assigned one or more privileges that are permitted to users in that role. Security administration with RBAC consists of determining the operations that must be executed by persons in particular jobs, and assigning employees to the proper roles. Complexities introduced by mutually exclusive roles or role hierarchies are handled by the RBAC software, making security administration easier.
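The explanation and the NIST passage above describe three things an RBAC implementation has to provide: permissions attached to roles rather than to users (so a personnel change is a membership change only), role hierarchies, and mutually exclusive roles. The example below is added here and is not the exam source's or NIST's code; the organisation (a clerk role, an approver role that inherits it, an auditor role declared exclusive with approver, and the users alice, bob and carol) is constructed.

```python
class RoleConflict(Exception):
    """Raised when a user would hold two roles declared mutually exclusive."""


class RBAC:
    """Minimal role-based access control store (constructed example).

    Permissions are (operation, resource) pairs attached to roles; a role may
    inherit the permissions of junior roles; pairs of roles can be declared
    mutually exclusive (static separation of duty).
    """

    def __init__(self):
        self.role_perms = {}    # role -> set of (op, resource)
        self.role_parents = {}  # role -> set of junior roles it inherits from
        self.user_roles = {}    # user -> set of directly assigned roles
        self.exclusive = set()  # frozenset({role_a, role_b}) pairs

    def add_role(self, role, perms=(), inherits=()):
        self.role_perms[role] = set(perms)
        self.role_parents[role] = set(inherits)

    def declare_exclusive(self, role_a, role_b):
        self.exclusive.add(frozenset((role_a, role_b)))

    def assign(self, user, role):
        """Add a role to a user, refusing if it conflicts with a role already held."""
        held = self.user_roles.setdefault(user, set())
        for other in held:
            if frozenset((other, role)) in self.exclusive:
                raise RoleConflict(f"{user}: {role} conflicts with {other}")
        held.add(role)

    def revoke(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def effective_roles(self, user):
        """Directly assigned roles plus everything reachable through the hierarchy."""
        seen, stack = set(), list(self.user_roles.get(user, ()))
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(self.role_parents.get(role, ()))
        return seen

    def permissions(self, user):
        """Union of the permissions of every effective role; empty set for unknown users."""
        return set().union(*(self.role_perms[r] for r in self.effective_roles(user)))

    def check(self, user, op, resource):
        return (op, resource) in self.permissions(user)


def build_demo():
    """Constructed organisation used by the example."""
    rbac = RBAC()
    rbac.add_role("clerk", {("read", "ledger"), ("write", "ledger")})
    rbac.add_role("approver", {("approve", "payment")}, inherits={"clerk"})
    rbac.add_role("auditor", {("read", "ledger"), ("read", "audit-log")})
    rbac.declare_exclusive("approver", "auditor")   # one person may not do both
    rbac.assign("alice", "approver")
    rbac.assign("bob", "auditor")
    return rbac


def handover(rbac, leaving, joining, role):
    """Personnel change: the role keeps its permissions, only the membership changes."""
    rbac.revoke(leaving, role)
    rbac.assign(joining, role)
    return rbac.permissions(joining)


def assign_or_conflict(rbac, user, role):
    """True if the assignment succeeded, False if separation of duty refused it."""
    try:
        rbac.assign(user, role)
        return True
    except RoleConflict:
        return False
```

Nothing about the approver role changes when alice leaves and carol takes over: `handover` moves the membership and carol ends up with exactly the permission set alice had, including the ledger rights inherited from the clerk role. The auditor bob cannot additionally be made an approver because the two roles were declared mutually exclusive.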

 

Reference(s) used for this question:

 

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 32.

Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition McGraw-Hill.

http://csrc.nist.gov/groups/SNS/rbac/


QUESTION 126

Which of the following offers advantages such as the ability to use stronger passwords, easier password administration, one set of credentials, and faster resource access?

 

A. Smart cards

B. Single Sign-On (SSO)

C. Symmetric Ciphers

D. Public Key Infrastructure (PKI)

 

Correct Answer: B

Explanation:

The advantages of SSO include the ability to use stronger passwords, easier administration when changing or deleting passwords, a reduced risk of orphan accounts, and less time needed to access resources.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 39.

 

 

QUESTION 127

Which one of the following authentication mechanisms creates a problem for mobile users?

 

A. Mechanisms based on IP addresses

B. Mechanism with reusable passwords

C. one-time password mechanism.

D. challenge response mechanism.

 

Correct Answer: A

Explanation:

Anything based on a fixed IP address would be a problem for mobile users because their location, and with it their IP address, can change from one session to the next. Many providers assign a new IP address every time the device is restarted. Consider, for example, an insurance adjuster who uses a laptop to file claims online: he visits a different client each time, and his address changes every time he connects to the ISP.

 

NOTE FROM CLEMENT:

The term MOBILE in this case is synonymous with Road Warriors, where a user is constantly traveling and changing location. With smartphones today that may not be an issue, but it would be an issue for laptops or WIFI tablets. Within a carrier network the IP will tend to be the same and would change rarely. So this question is more applicable to devices that are not cellular devices, but in some cases this issue could affect cellular devices as well.

 

The following answers are incorrect:

 

Mechanism with reusable passwords. This is incorrect because a reusable password mechanism would not present a problem for mobile users. Reusable passwords are the least secure and change only at specific intervals.

 

One-time password mechanism. This is incorrect because a one-time password mechanism would not present a problem for mobile users. Many are based on a clock and not on the IP address of the user.

 

Challenge response mechanism. This is incorrect because a challenge response mechanism would not present a problem for mobile users.

 

 

QUESTION 128

Which of the following is the most reliable, secure means of removing data from magnetic storage media such as a magnetic tape, or a cassette?

 

A. Degaussing

B. Parity Bit Manipulation

C. Zeroization

D. Buffer overflow

 

Correct Answer: A

Explanation:

A degausser (otherwise known as a bulk eraser) has the main function of reducing to near zero the magnetic flux stored in the magnetized medium. Flux density is measured in Gauss or Tesla. The operation is faster than overwriting and is done in one short step. This is achieved by subjecting the medium in bulk to a series of magnetic fields of alternating polarity and gradually decreasing strength.

 

The following answers are incorrect:

 

Parity Bit Manipulation. Parity has to do with disk error detection, not data removal. A parity bit is a bit or series of bits appended to a character or block of characters to ensure that the information received is the same as the information that was sent.

 

Zeroization. Zeroization involves overwriting data to sanitize it. It is time-consuming and not foolproof; the potential for restoration of data does exist with this method.

 

Buffer overflow. This is a distractor. Although many operating systems use a disk buffer to temporarily hold data read from disk, its primary purpose has no connection to data removal. An overflow goes outside the constraints defined for the buffer and is a method used by an attacker to attempt access to a system.

 

The following reference(s) were/was used to create this question:

 

Shon Harris AIO v3. pg 908

Reference: What is degaussing.

 

 

QUESTION 129

Which access control model is best suited in an environment where a high security level is required and where it is desired that only the administrator grants access control?

 

A. DAC

B. MAC

C. Access control matrix

D. TACACS

 

Correct Answer: B

Explanation:

MAC provides high security by regulating access based on the clearance of individual users and sensitivity labels for each object. Clearance levels and sensitivity levels cannot be modified by individual users — for example, user Joe (SECRET clearance) cannot reclassify the “Presidential Doughnut Recipe” from “SECRET” to “CONFIDENTIAL” so that his friend Jane (CONFIDENTIAL clearance) can read it. The administrator is ultimately responsible for configuring this protection in accordance with security policy and directives from the Data Owner.

 

DAC is incorrect. In DAC, the data owner is responsible for controlling access to the object.

 

Access control matrix is incorrect. The access control matrix is a way of thinking about the access control needed by a population of subjects to a population of objects. This access control can be applied using rules, ACLs, capability tables, etc.

 

TACACS is incorrect. TACACS is a tool for performing user authentication.

 

References:

CBK, p. 187, Domain 2: Access Control.

AIO3, Chapter 4, Access Control.

 

 

QUESTION 130

Which security model is based on the military classification of data and people with clearances?

 

A. Brewer-Nash model

B. Clark-Wilson model

C. Bell-LaPadula model

D. Biba model

 

Correct Answer: C

Explanation:

The Bell-LaPadula model is a confidentiality model for information security based on the military classification of data and on people with clearances: subjects hold clearances and data carries a classification or sensitivity label. The Biba, Clark-Wilson and Brewer-Nash models are concerned with integrity.

Source: HARE, Chris, Security Architecture and Models, Area 6 CISSP Open Study Guide, January 2002.
