[Free] New Updated (October) ISC SSCP Real Exam 161-170

Ensurepass

QUESTION 161

In the context of biometric authentication, what is a quick way to compare the accuracy of devices? In general, the device that has the lowest value would be the most accurate. Which of the following would be used to compare the accuracy of devices?

A. the CER is used
B. the FRR is used
C. the FAR is used
D. the FER is used

Correct Answer: A

Explanation:

Equal error rate or crossover error rate (EER or CER): the rate at which accept errors and reject errors are equal. The value of the EER can be obtained easily from the ROC curve. The EER is a quick way to compare the accuracy of devices with different ROC curves. In general, the device with the lowest EER is the most accurate.

In the context of biometric authentication, almost all types of detection permit a system’s sensitivity to be increased or decreased during the inspection process. If the system’s sensitivity is increased, as in an airport metal detector, the system becomes increasingly selective and has a higher False Reject Rate (FRR).

Conversely, if the sensitivity is decreased, the False Acceptance Rate (FAR) will increase. Thus, to have a valid measure of system performance, the Crossover Error Rate (CER) is used.

The following are used as performance metrics for biometric systems:

False accept rate or false match rate (FAR or FMR): the probability that the system incorrectly matches the input pattern to a non-matching template in the database. It measures the percentage of invalid inputs that are incorrectly accepted. On a similarity scale, if the person is in fact an impostor but the matching score is higher than the threshold, the person is treated as genuine, which increases the FAR; performance therefore also depends on the choice of threshold value.

False reject rate or false non-match rate (FRR or FNMR): the probability that the system fails to detect a match between the input pattern and a matching template in the database. It measures the percentage of valid inputs that are incorrectly rejected.

Failure to enroll rate (FTE or FER): the rate at which attempts to create a template from an input are unsuccessful. This is most commonly caused by low-quality inputs.

Failure to capture rate (FTC): within automatic systems, the probability that the system fails to detect a biometric input when it is presented correctly.

Template capacity: the maximum number of sets of data that can be stored in the system.

Reference(s) used for this question:

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 37.

Wikipedia at: https://en.wikipedia.org/wiki/Biometrics
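As an added example (not part of the exam page or its references), the following Python script sweeps a decision threshold over constructed match scores for two hypothetical devices, computes FAR and FRR at each threshold, and reports the CER at the point where the two rates cross; the device names, the score samples and the accept-when-score-at-or-above-threshold rule are assumptions.

```python
"""Added example: estimating FAR, FRR and the crossover error rate (CER/EER)
of a biometric matcher from match scores. Assumption: the matcher emits a
similarity score in [0, 100] and accepts when score >= threshold."""

# Constructed sample scores for two hypothetical devices (not real data).
DEVICE_A = {
    "genuine":  [88, 92, 79, 95, 70, 84, 90, 66, 87, 93],
    "impostor": [30, 45, 52, 61, 38, 72, 49, 55, 41, 64],
}
DEVICE_B = {
    "genuine":  [75, 68, 82, 90, 61, 77, 85, 58, 79, 88],
    "impostor": [40, 66, 71, 58, 63, 74, 52, 69, 60, 77],
}


def far(impostor, threshold):
    """False accept rate: share of impostor scores that clear the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(genuine, threshold):
    """False reject rate: share of genuine scores that fall below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def crossover_error_rate(device):
    """Sweep every integer threshold and return (threshold, CER).
    The CER is taken where |FAR - FRR| is smallest (raising the threshold
    pushes FRR up and FAR down); the rate reported is their mean there."""
    best = None
    for t in range(0, 101):
        a, r = far(device["impostor"], t), frr(device["genuine"], t)
        gap = abs(a - r)
        if best is None or gap < best[0]:
            best = (gap, t, (a + r) / 2)
    _, threshold, cer = best
    return threshold, cer


def more_accurate(devices):
    """Rank devices by CER, lowest first: the lowest CER is the most accurate."""
    return sorted(devices, key=lambda name: crossover_error_rate(devices[name])[1])


if __name__ == "__main__":
    for name, dev in (("A", DEVICE_A), ("B", DEVICE_B)):
        t, cer = crossover_error_rate(dev)
        print(f"device {name}: CER {cer:.2f} at threshold {t}")
    print("most accurate first:", more_accurate({"A": DEVICE_A, "B": DEVICE_B}))
```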

 

 

QUESTION 162

An alternative to using passwords for authentication in logical or technical access control is:

A. manage without passwords
B. biometrics
C. not there
D. use of them for physical access control

Correct Answer: B

Explanation:

An alternative to using passwords for authentication in logical or technical access control is biometrics. Biometrics are based on the Type 3 authentication mechanism: something you are.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 37.

QUESTION 163

What is the most critical characteristic of a biometric identifying system?

A. Perceived intrusiveness
B. Storage requirements
C. Accuracy
D. Scalability

Correct Answer: C

Explanation:

Accuracy is the most critical characteristic of a biometric identifying verification system.

Accuracy is measured in terms of the false rejection rate (FRR, or Type I errors) and the false acceptance rate (FAR, or Type II errors).

The Crossover Error Rate (CER) is the point at which the FRR equals the FAR, and it has become the most important measure of biometric system accuracy.

Source: TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th edition (volume 1), 2000, CRC Press, Chapter 1, Biometric Identification (page 9).

QUESTION 164

Which of the following is NOT part of the Kerberos authentication protocol?

A. Symmetric key cryptography
B. Authentication service (AS)
C. Principals
D. Public Key

Correct Answer: D

Explanation:

There is no such component in a Kerberos environment. Kerberos uses only symmetric encryption and does not make use of any public key component.

The other answers are incorrect because:

Symmetric key cryptography is part of Kerberos, as the KDC holds all the users’ and services’ secret keys.

Authentication service (AS): the KDC (Key Distribution Center) provides an authentication service.

Principals: the Key Distribution Center provides services to principals, which can be users, applications or network services.

References: Shon Harris, AIO v3, Chapter 4: Access Control, Pages 152-155.

QUESTION 165

Which of the following would be used to implement Mandatory Access Control (MAC)?

A. Clark-Wilson Access Control
B. Role-based access control
C. Lattice-based access control
D. User dictated access control

Correct Answer: C

Explanation:

The lattice is a mechanism used to implement Mandatory Access Control (MAC).

Under Mandatory Access Control (MAC) you have:
Mandatory Access Control

Under Non-Discretionary Access Control (NDAC) you have:
Rule-Based Access Control
Role-Based Access Control

Under Discretionary Access Control (DAC) you have:
Discretionary Access Control

Lattice-Based Access Control is a type of access control used to implement other access control methods. A lattice is an ordered set of elements that has a least upper bound and a greatest lower bound. The lattice can be used for MAC, DAC, integrity levels, file permissions, and more.

 

For example, in the case of MAC, if we look at common government classifications, we have the following:

TOP SECRET
SECRET ----------- I am the user at SECRET
CONFIDENTIAL
SENSITIVE BUT UNCLASSIFIED
UNCLASSIFIED

If you look at the diagram above, where I am a user at SECRET, it means that I can access documents at lower classifications but not documents at TOP SECRET. The lattice is a list of ORDERED ELEMENTS; in this case the ordered elements are classification levels. My least upper bound is SECRET and my greatest lower bound is UNCLASSIFIED.

 

However, the lattice could also be used for integrity levels, such as:

VERY HIGH
HIGH
MEDIUM ---------- I am a user, process or application at the MEDIUM level
LOW
VERY LOW

In the case of integrity levels you have to think about TRUST. If I take for example the VISTA operating system, which is based on Biba, then integrity levels would be used. As a user having access to the system I cannot tell a process running with administrative privilege what to do. Otherwise any user on the system could take control of the system by getting a highly privileged process to do things on their behalf. So no read down would be allowed in this case, and this is an example of the Biba model.

 

Last but not least, the lattice could be used for file permissions:

RWX
RW ---------- User at this level
R

If I am a user with READ and WRITE (RW) access privileges then I cannot execute the file, because I do not have execute permission, which is the X under Linux and UNIX.

 

Many people confuse the lattice model, and many books say MAC = LATTICE; however, the lattice can be used for other purposes.

There is also Role Based Access Control (RBAC). It COULD be used to simulate MAC, but it is not MAC, as it does not make use of labels on objects indicating sensitivity and categories. MAC also requires a clearance that dominates the object.

You can get more info about RBAC at: http://csrc.nist.gov/groups/SNS/rbac/faq.html#03

Also note that many books use the same acronym, RBAC, for Role Based Access Control and Rule Based Access Control, which can be confusing.

The proper way of writing the acronym for Rule Based Access Control is RuBAC; unfortunately it is not commonly used.

 

References:

There is a great article on TechNet that talks about the lattice in VISTA:
http://blogs.technet.com/b/steriley/archive/2006/07/21/442870.aspx

Also see:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 33).
http://www.microsoft-watch.com/content/vista/gaging_vistas_integrity.html

QUESTION 166

What does it mean to say that sensitivity labels are “incomparable”?

A. The number of classifications in the two labels is different.
B. Neither label contains all the classifications of the other.
C. The number of categories in the two labels is different.
D. Neither label contains all the categories of the other.

Correct Answer: D

Explanation:

If a category does not exist then you cannot compare it. Incomparable is when you have two disjoint sensitivity labels, that is, a category in one of the labels is not in the other label. “Because neither label contains all the categories of the other, the labels can’t be compared. They’re said to be incomparable.”

COMPARABILITY:

The label:

TOP SECRET [VENUS ALPHA]

is “higher” than either of the labels:

SECRET [VENUS ALPHA]
TOP SECRET [VENUS]

But you can’t really say that the label:

TOP SECRET [VENUS]

is higher than the label:

SECRET [ALPHA]

Because neither label contains all the categories of the other, the labels can’t be compared. They’re said to be incomparable. In a mandatory access control system, you won’t be allowed access to a file whose label is incomparable to your clearance.

 

The Multilevel Security policy uses an ordering relationship between labels known as the dominance relationship. Intuitively, we think of a label that dominates another as being “higher” than the other. Similarly, we think of a label that is dominated by another as being “lower” than the other. The dominance relationship is used to determine permitted operations and information flows.

DOMINANCE

The dominance relationship is determined by the ordering of the Sensitivity/Clearance component of the label and the intersection of the sets of Compartments.

Sample Sensitivity/Clearance orderings are:

Top Secret > Secret > Confidential > Unclassified
s3 > s2 > s1 > s0

Formally, for label one to dominate label two, both of the following must be true:

The sensitivity/clearance of label one must be greater than or equal to the sensitivity/clearance of label two.
The intersection of the compartments of label one and label two must equal the compartments of label two.

Additionally:

Two labels are said to be equal if their sensitivity/clearance and set of compartments are exactly equal. Note that dominance includes equality. One label is said to strictly dominate the other if it dominates the other but is not equal to the other.

Two labels are said to be incomparable if each label has at least one compartment that is not included in the other’s set of compartments.

The dominance relationship produces a partial ordering over all possible MLS labels, resulting in what is known as the MLS Security Lattice.

 

The following answers are incorrect:

The number of classifications in the two labels is different: incorrect because the categories are what is being compared, not the classifications.

Neither label contains all the classifications of the other: incorrect because the categories are what is being compared, not the classifications.

The number of categories in the two labels is different: incorrect because it is possible that a category exists more than once in one sensitivity label and does exist in the other, so the labels would be comparable.

 

Reference(s) used for this question:

O’Reilly, Computer Systems and Access Control (Chapter 3)
http://www.oreilly.com/catalog/csb/chapter/ch03.html
http://rubix.com/cms/mls_dom
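The lattice ordering of question 165 and the dominance rules of question 166, as an added Python example that is not part of the exam page or its references: labels are parsed from the page’s own notation (classification plus bracketed compartments), dominance is checked with the two formal conditions above, and a mandatory read check denies any object whose label the clearance does not dominate. The level ranks, the parsing format and the `may_read` name are assumptions; “incomparable” is implemented in the partial-order sense (neither label dominates the other).

```python
"""Added example: MLS label dominance, incomparability and a mandatory
read check. Level ranks and the 'LEVEL [COMP COMP]' text format are assumed."""

# Sensitivity/clearance ordering: Top Secret > Secret > Confidential > Unclassified.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


def label(text):
    """Parse 'TOP SECRET [VENUS ALPHA]' into (level_rank, frozenset(compartments))."""
    name, _, rest = text.partition("[")
    comps = rest.rstrip("]").split() if rest else []
    return LEVELS[name.strip()], frozenset(comps)


def dominates(a, b):
    """a dominates b when a's level >= b's level and the intersection of the
    two compartment sets equals b's compartments (a holds all of b's)."""
    (la, ca), (lb, cb) = a, b
    return la >= lb and (ca & cb) == cb


def compare(a, b):
    """Classify the relationship between two labels under the dominance order."""
    if a == b:
        return "equal"
    if dominates(a, b):
        return "dominates"       # a strictly dominates b
    if dominates(b, a):
        return "dominated"       # b strictly dominates a
    return "incomparable"        # neither holds all of the other's compartments


def may_read(clearance, object_label):
    """Mandatory read check: the subject's clearance must dominate the object's
    label, so an incomparable label is denied, as the explanation states."""
    return dominates(clearance, object_label)


if __name__ == "__main__":
    ts_va = label("TOP SECRET [VENUS ALPHA]")
    print(compare(ts_va, label("SECRET [VENUS ALPHA]")))                  # dominates
    print(compare(ts_va, label("TOP SECRET [VENUS]")))                    # dominates
    print(compare(label("TOP SECRET [VENUS]"), label("SECRET [ALPHA]")))  # incomparable
    print(may_read(label("SECRET"), label("CONFIDENTIAL")))               # True: read down
    print(may_read(label("SECRET"), label("TOP SECRET")))                 # False: no read up
```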

 

 

QUESTION 167

Which of the following logical access exposures INVOLVES CHANGING data before, or as, it is entered into the computer?

A. Data diddling
B. Salami techniques
C. Trojan horses
D. Viruses

Correct Answer: A

Explanation:

Data diddling involves changing data before, or as, it is entered into the computer; in other words, it refers to the alteration of existing data.

The other answers are incorrect because:

Salami techniques: a salami attack is one in which an attacker commits several small crimes in the hope that the overall larger crime will go unnoticed.

Trojan horses: a Trojan horse is a program that is disguised as another program.

Viruses: a virus is a small application, or a string of code, that infects applications.

 

Reference:

Shon Harris, AIO v3
Chapter 11: Application and System Development, Pages 875-880
Chapter 10: Law, Investigation and Ethics, Pages 758-759

QUESTION 168

Which of the following is not a physical control for physical security?

A. lighting
B. fences
C. training
D. facility construction materials

Correct Answer: C

Explanation:

Some physical controls include fences, lights, locks, and facility construction materials. Some administrative controls include facility selection and construction, facility management, personnel controls, training, and emergency response and procedures.

From: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 3rd ed., Chapter 6, page 403.

QUESTION 169

In biometrics, a “one-to-many” search against a database of stored biometric images is done in:

A. Authentication
B. Identification
C. Identities
D. Identity-based access control

Correct Answer: B

Explanation:

In biometrics, identification is a “one-to-many” search of an individual’s characteristics against a database of stored images.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 38.

QUESTION 170

What is called the percentage of valid subjects that are falsely rejected by a Biometric Authentication system?

A. False Rejection Rate (FRR) or Type I Error
B. False Acceptance Rate (FAR) or Type II Error
C. Crossover Error Rate (CER)
D. True Rejection Rate (TRR) or Type III Error

Correct Answer: A

Explanation:

The percentage of valid subjects that are falsely rejected is called the False Rejection Rate (FRR) or Type I Error.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 38.

 

 

 
