[Free] New Updated (October) ISC SSCP Real Exam 61-70


 

QUESTION 61

Which of the following protects a password from eavesdroppers and supports the encryption of communication?

 

A.

Challenge Handshake Authentication Protocol (CHAP)

B.

Challenge Handshake Identification Protocol (CHIP)

C.

Challenge Handshake Encryption Protocol (CHEP)

D.

Challenge Handshake Substitution Protocol (CHSP)

 

Correct Answer: A

Explanation:

CHAP: A protocol that uses a three-way handshake. The server sends the client a challenge that includes a random value (a nonce) to thwart replay attacks. The client responds with the MD5 hash of the nonce and the password.

 

The authentication is successful if the client’s response is the one that the server expected.

 

Reference: Page 450, OIG 2007.

 

CHAP protects the password from eavesdroppers and supports the encryption of communication.

 

Reference:

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 44.
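To make the challenge/response concrete, here is an added Python model of the CHAP exchange described above (example code, not from the page or any cited reference). It uses the MD5 input layout of RFC 1994, Identifier || Secret || Challenge, which is an assumption beyond the page's wording, and shows why a response captured by an eavesdropper is useless against a fresh challenge.

```python
import hashlib
import hmac
import os

# Secret shared out of band between the peer (client) and the authenticator
# (server). Constructed sample value for the demo only.
SHARED_SECRET = b"example-chap-secret"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side. Assumption: RFC 1994 layout, MD5(Identifier || Secret || Challenge).
    The secret itself never crosses the wire, only this digest does."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def new_challenge(size: int = 16) -> bytes:
    """Authenticator side: a fresh random nonce for every authentication attempt."""
    return os.urandom(size)


def verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator recomputes the expected digest from its own copy of the
    secret and compares in constant time (Success/Failure step of the handshake)."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def run_exchange(secret_at_peer: bytes, secret_at_server: bytes = SHARED_SECRET):
    """One full three-way exchange: Challenge -> Response -> Success/Failure.
    Returns (challenge, response, accepted) so the caller can inspect each step."""
    identifier = 1
    challenge = new_challenge()
    response = chap_response(identifier, secret_at_peer, challenge)
    return challenge, response, verify(identifier, secret_at_server, challenge, response)


def replay_blocked(captured_response: bytes) -> bool:
    """An eavesdropper replays a response captured from an earlier exchange.
    The server has issued a new nonce, so the old digest no longer matches."""
    fresh_challenge = new_challenge()
    return not verify(1, SHARED_SECRET, fresh_challenge, captured_response)


if __name__ == "__main__":
    challenge, response, accepted = run_exchange(SHARED_SECRET)
    print("legitimate peer accepted:", accepted)
    print("replayed response rejected:", replay_blocked(response))
```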

 

 

QUESTION 62

Which security model introduces access to objects only through programs?

 

A.

The Biba model

B.

The Bell-LaPadula model

C.

The Clark-Wilson model

D.

The information flow model

 

Correct Answer: C

Explanation:

In the Clark-Wilson model, the subject no longer has direct access to objects but instead must access them through programs (well-formed transactions). The Clark-Wilson integrity model provides a foundation for specifying and analyzing an integrity policy for a computing system.

 

The model is primarily concerned with formalizing the notion of information integrity. Information integrity is maintained by preventing corruption of data items in a system due to either error or malicious intent. An integrity policy describes how the data items in the system should be kept valid from one state of the system to the next and specifies the capabilities of various principals in the system. The model defines enforcement rules and certification rules.

 

Clark-Wilson is more clearly applicable to business and industry processes in which the integrity of the information content is paramount at any level of classification.

 

Integrity goals of Clark-Wilson model:

 

Prevent unauthorized users from making modification (Only this one is addressed by the Biba model).

 

Separation of duties prevents authorized users from making improper modifications. Well-formed transactions maintain internal and external consistency: a well-formed transaction is a series of operations that carries the data from one consistent state to another.

 

The following are incorrect answers:

 

The Biba model is incorrect. The Biba model is concerned with integrity and controls access to objects based on a comparison of the security level of the subject to that of the object.

 

The Bell-LaPadula model is incorrect. The Bell-LaPadula model is concerned with confidentiality and controls access to objects based on a comparison of the clearance level of the subject to the classification level of the object.

 

The information flow model is incorrect. The information flow model uses a lattice where objects are labelled with security classes and information can flow either upward or at the same level. It is similar in framework to the Bell-LaPadula model.

 

References:

ISC2 Official Study Guide, Pages 325 – 327

AIO3, pp. 284 – 287

AIOv4 Security Architecture and Design (pages 338 – 342)

AIOv5 Security Architecture and Design (pages 341 – 344)

Wikipedia at: https://en.wikipedia.org/wiki/Clark-Wilson_model

 

 

QUESTION 63

Which of the following is addressed by Kerberos?

 

A.

Confidentiality and Integrity

B.

Authentication and Availability

C.

Validation and Integrity

D.

Auditability and Integrity

 

Correct Answer: A

Explanation:

Kerberos addresses the confidentiality and integrity of information. Its primary purpose is authentication; it does not directly address availability.

 

Reference(s) used for this question:

 

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 42.

https://www.ietf.org/rfc/rfc4120.txt

http://learn-networking.com/network-security/how-kerberos-authentication-works

 

 

QUESTION 64

Kerberos is vulnerable to replay in which of the following circumstances?

 

A.

When a private key is compromised within an allotted time window.

B.

When a public key is compromised within an allotted time window.

C.

When a ticket is compromised within an allotted time window.

D.

When the KDC is compromised within an allotted time window.

 

Correct Answer: C

Explanation:

Replay can be accomplished on Kerberos if the compromised tickets are used within an allotted time window.

 

The security depends on careful implementation: enforcing limited lifetimes for authentication credentials minimizes the threat of replayed credentials, the KDC must be physically secured, and it should be hardened, not permitting any non-Kerberos activities.

 

Reference:

Official ISC2 Guide to the CISSP, 2007 Edition, page 184

 

also see:

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 42.

 

 

QUESTION 65

Which access control model enables the OWNER of the resource to specify what subjects can access specific resources based on their identity?

 

A.

Discretionary Access Control

B.

Mandatory Access Control

C.

Sensitive Access Control

D.

Role-based Access Control

Correct Answer: A

Explanation:

Data owners decide who has access to resources based only on the identity of the person accessing the resource.

 

The following answers are incorrect:

 

Mandatory Access Control: users and data owners do not have as much freedom to determine who can access files. The operating system makes the final decision and can override the users’ wishes and access decisions are based on security labels.

Sensitive Access Control: There is no such access control in the context of the above question.

Role-based Access Control: uses a centrally administered set of controls to determine how subjects and objects interact; also called non-discretionary access control.

 

In a mandatory access control (MAC) model, users and data owners do not have as much freedom to determine who can access files. The operating system makes the final decision and can override the users’ wishes. This model is much more structured and strict and is based on a security label system. Users are given a security clearance (secret, top secret, confidential, and so on), and data is classified in the same way. The clearance and classification data is stored in the security labels, which are bound to the specific subjects and objects. When the system makes a decision about fulfilling a request to access an object, it is based on the clearance of the subject, the classification of the object, and the security policy of the system. The rules for how subjects access objects are made by the security officer, configured by the administrator, enforced by the operating system, and supported by security technologies.

 

Reference:

Shon Harris, AIO v3, Chapter 4: Access Control, Pages 163-165

 

 

QUESTION 66

Which security model ensures that actions that take place at a higher security level do not affect actions that take place at a lower level?

 

A.

The Bell-LaPadula model

B.

The information flow model

C.

The noninterference model

D.

The Clark-Wilson model

 

Correct Answer: C

Explanation:

The goal of a noninterference model is to strictly separate differing security levels to assure that higher-level actions do not determine what lower-level users can see. This is in contrast to other security models that control information flows between differing levels of users. By maintaining strict separation of security levels, a noninterference model minimizes leakages that might happen through a covert channel.

 

The model ensures that any actions that take place at a higher security level do not affect, or interfere with, actions that take place at a lower level. It is not concerned with the flow of data, but rather with what a subject knows about the state of the system. So if an entity at a higher security level performs an action, it cannot change the state for the entity at the lower level. The model also addresses the inference attack that occurs when someone has access to some type of information and can infer (guess) something that he does not have the clearance level or authority to know.

 

The following are incorrect answers:

The Bell-LaPadula model is incorrect. The Bell-LaPadula model is concerned only with confidentiality and bases access control decisions on the classification of objects and the clearances of subjects.

 

The information flow model is incorrect. The information flow models have a similar framework to the Bell-LaPadula model and control how information may flow between objects based on security classes. Information will be allowed to flow only in accordance with the security policy.

 

The Clark-Wilson model is incorrect. The Clark-Wilson model is concerned with change control and assuring that all modifications to objects preserve integrity by means of well-formed transactions and usage of an access triple (subject – interface – object).

 

References:

CBK, pp 325 – 326

AIO3, pp. 290 – 291

AIOv4 Security Architecture and Design (page 345)

AIOv5 Security Architecture and Design (pages 347 – 348)

https://en.wikibooks.org/wiki/Security_Architecture_and_Design/Security_Models#Noninterference_Models

 

 

QUESTION 67

Which of the following is the LEAST user accepted biometric device?

 

A.

Fingerprint

B.

Iris scan

C.

Retina scan

D.

Voice verification

 

Correct Answer: C

Explanation:

The biometric device that is least user accepted is the retina scan, where a system scans the blood-vessel pattern on the back of the eyeball. When using this device, an individual has to place their eye up to a device, and a puff of air may be blown into the eye. The iris scan only requires the individual to glance at a camera that could be placed above a door.

Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter 4: Access Control (page 131).

 

 

QUESTION 68

Crime Prevention Through Environmental Design (CPTED) is a discipline that:

 

A.

Outlines how the proper design of a physical environment can reduce crime by directly affecting human behavior.

B.

Outlines how the proper design of the logical environment can reduce crime by directly affecting human behavior.

C.

Outlines how the proper design of the detective control environment can reduce crime by directly affecting human behavior.

D.

Outlines how the proper design of the administrative control environment can reduce crime by directly affecting human behavior.

 

Correct Answer: A

Explanation:

Crime Prevention Through Environmental Design (CPTED) is a discipline that outlines how the proper design of a physical environment can reduce crime by directly affecting human behavior. It provides guidance about loss and crime prevention through proper facility construction and environmental components and procedures.

 

CPTED concepts were developed in the 1960s. They have been expanded upon and have matured as our environments and crime types have evolved. CPTED has been used not just to develop corporate physical security programs, but also for large-scale activities such as development of neighborhoods, towns, and cities. It addresses landscaping, entrances, facility and neighborhood layouts, lighting, road placement, and traffic circulation patterns. It looks at microenvironments, such as offices and restrooms, and macroenvironments, like campuses and cities.

 

Reference(s) used for this question:

 

Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 435). McGraw-Hill. Kindle Edition.

CPTED Guide Book

 

 

QUESTION 69

Another type of access control is lattice-based access control. In this type of control a lattice model is applied. How is this type of access control concept applied?

 

A.

The pair of elements is the subject and object, and the subject has an upper bound equal or higher than the upper bound of the object being accessed.

B.

The pair of elements is the subject and object, and the subject has an upper bound lower than the upper bound of the object being accessed.

C.

The pair of elements is the subject and object, and the subject has no special upper or lower bound needed within the lattice.

D.

The pair of elements is the subject and object, and the subject has no access rights in relation to an object.

 

Correct Answer: A

Explanation:

To apply this concept to access control, the pair of elements is the subject and object, and the subject has to have an upper bound equal or higher than the object being accessed.

 

WIKIPEDIA has a great explanation as well:

 

In computer security, lattice-based access control (LBAC) is a complex access control based on the interaction between any combination of objects (such as resources, computers, and applications) and subjects (such as individuals, groups or organizations). In this type of label-based mandatory access control model, a lattice is used to define the levels of security that an object may have and that a subject may have access to. The subject is only allowed to access an object if the security level of the subject is greater than or equal to that of the object.

 

Reference(s) used for this question:

 

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 34.

http://en.wikipedia.org/wiki/Lattice-based_access_control
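The dominance rule above is easy to get wrong when labels carry compartments as well as a level, so here is an added Python model of a security lattice (example code, not from the page or the cited references). Labels are (level, set of compartments); a subject may read an object only when its label dominates the object's label. The `can_write` function goes one step beyond the question and assumes the Bell-LaPadula *-property, which limits writes to objects at or above the subject's label.

```python
from dataclasses import dataclass

# Constructed sample ordering of levels; compartments form the second axis.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset

    def __post_init__(self):
        if self.level not in LEVELS:
            raise ValueError(f"unknown level: {self.level}")


def dominates(a: Label, b: Label) -> bool:
    """a >= b in the lattice: level at least as high AND a superset of compartments.
    Two labels may be incomparable (neither dominates), which is what makes
    this a lattice rather than a simple ladder of levels."""
    return LEVELS[a.level] >= LEVELS[b.level] and a.compartments >= b.compartments


def join(a: Label, b: Label) -> Label:
    """Least upper bound: the lowest label that dominates both inputs, e.g. the
    label a document combining both sources must carry."""
    top = a if LEVELS[a.level] >= LEVELS[b.level] else b
    return Label(top.level, a.compartments | b.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Rule from the question: the subject's upper bound must be equal to or
    higher than the object's (the simple security property)."""
    return dominates(subject, obj)


def can_write(subject: Label, obj: Label) -> bool:
    """Assumed extension (Bell-LaPadula *-property): write only to objects that
    dominate the subject, so information cannot be copied downward."""
    return dominates(obj, subject)


if __name__ == "__main__":
    analyst = Label("SECRET", frozenset({"CRYPTO"}))
    report = Label("CONFIDENTIAL", frozenset({"CRYPTO"}))
    nuclear = Label("SECRET", frozenset({"NUCLEAR"}))
    print("analyst reads CRYPTO report:", can_read(analyst, report))       # True
    print("analyst reads NUCLEAR file:", can_read(analyst, nuclear))       # False
    print("combined label:", join(report, nuclear))
```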

 

 

 

 

 

QUESTION 70

Sensitivity labels are an example of what application control type?

 

A.

Preventive security controls

B.

Detective security controls

C.

Compensating administrative controls

D.

Preventive accuracy controls

 

Correct Answer: A

Explanation:

Sensitivity labels are preventive security application controls, as are firewalls, reference monitors, traffic padding, encryption, data classification, one-time passwords, contingency planning, and separation of development, application and test environments.

 

The incorrect answers are:

 

Detective security controls – Intrusion detection systems (IDS), monitoring activities, and audit trails.

 

Compensating administrative controls – There is no such application control.

 

Preventive accuracy controls – data checks, forms, custom screens, validity checks, contingency planning, and backups.

 

Sources:

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 7: Applications and Systems Development (page 264).

KRUTZ, Ronald & VINES, Russel, The CISSP Prep Guide: Gold Edition, Wiley Publishing Inc., 2003, Chapter 7: Application Controls, Figure 7.1 (page 360).
