Security Architecture and Models Flashcards Preview

CISSP > Security Architecture and Models > Flashcards

Flashcards in Security Architecture and Models Deck (137)
Loading flashcards...
1
Q
What is it called when a computer uses more than one CPU in parallel to execute instructions? 
A. Multiprocessing 
B. Multitasking 
C. Multithreading 
D. Parallel running
A

Answer: A
Explanation:

2
Q

What is the main purpose of undertaking a parallel run of a new system?

A. Resolve any errors in the program and file interfaces B. Verify that the system provides required business functionality
C. Validate the operation of the new system against its predecessor
D. Provide a backup of the old system

A

Answer: B
Explanation:

3
Q
Which of the following provide network redundancy in a local network environment?  
A. Mirroring 
B. Shadowing 
C. Dual backbones 
D. Duplexing
A

Answer: C
Explanation:

4
Q
A server farm is an example of:
A. Server clustering 
B. Redundant servers 
C. Multiple servers 
D. Server fault tolerance
A

Answer: A

Explanation

5
Q
In which state must a computer system operate to process input/output instructions?    
A. User mode 
B. Stateful inspection 
C. Interprocess communication 
D. Supervisor mode
A

Answer: D
Explanation: A computer is in a supervisory state when it is executing these privileged instructions. (privileged instructions are executed by the system administrator or by an individual who is authorized to use those instructions.) . -Ronald Krutz The CISSP PREP Guide (gold edition) pg 254-255

6
Q

What should be the size of a Trusted Computer Base?
A. Small – in order to permit it to be implemented in all critical system components without using excessive resources.
B. Small – in order to facilitate the detailed analysis necessary to prove that it meets design requirements.
C. Large – in order to accommodate the implementation of future updates without incurring the time and expense of recertification.
D. Large – in order to enable it to protect the potentially large number of resources in a typical commercial system environment.

A

Answer: B
Explanation: “It must be small enough to be able to be tested and verified in a complete and comprehensive manner.” Shon Harris All-In-One CISSP Certification Guide pg. 232-233.

7
Q

Which one of the following are examples of security and controls that would be found in a “trusted” application system?
A. Data validation and reliability
B. Correction routines and reliability
C. File integrity routines and audit trail
D. Reconciliation routines and data labels

A

Answer: C
Explanation: I have no specific reference for this question but the major resources hammer that there needs to be methods to check the data for correctness.

8
Q
Which of the following is an operating system security architecture that provides flexible support for security policies?    
A. OSKit 
B. LOMAC 
C. SE Linux 
D. Flask
A

Answer: D
Explanation: Flask is an operating system security architecture that provides flexible support for security policies. The architecture was prototyped in the Fluke research operating system. Several of the Flask interfaces and components were then ported from the Fluke prototype to the OSKit. The Flask architecture is now being implemented in the Linux operating system (Security-Enhanced Linux) to transfer the technology to a larger developer and user community.

9
Q

Which of the following statements pertaining to the security kernel is incorrect?
A. It is made up of mechanisms that fall under the TCB and implements and enforces the reference monitor concept.
B. It must provide isolation for the processes carrying out the reference monitor concept and they must be tamperproof
C. It must be small enough to be able to be tested and verified in a complete and comprehensive manner
D. Is an access control concept, not an actual physical component

A

Answer: D
Explanation:

10
Q

What is a PRIMARY reason for designing the security kernel to be as small as possible?
A. The operating system cannot be easily penetrated by users.
B. Changes to the kernel are not required as frequently.
C. Due to its compactness, the kernel is easier to formally verify.
D. System performance and execution are enhanced.

A

Answer: C
Explanation: I disagree with the original answer which was B (changes to the kernel) and think it is C (Due to its compactness). However, use your best judgment based on knowledge and experience. Below is why I think it is C. “There are three main requirements of the security kernel: It must provide isolation for the processes carrying out the reference monitor concept and they must be tamperproof. The reference monitor must be invoked for every access attempt and must be impossible to circumvent. Thus the reference monitor must be implemented in a complete and foolproof way. It must be small enough to be able to be tested and verified in a complete and comprehensive manner.” - Shon Harris All-in-one CISSP Certification Guide pg 232-233

11
Q
Which of the following implements the authorized access relationship between subjects and objects of a system?    
A. Security model 
B. Reference kernel 
C. Security kernel 
D. Information flow model
A

Answer: C
Explanation:

12
Q
The concept that all accesses must be meditated, protected from modification, and verifiable as correct is the concept of    
A. Secure model 
B. Security locking 
C. Security kernel 
D. Secure state
A

Answer: C
Explanation: A security kernel is defined as the hardware, firmware, and software elements of a trusted computing base that implements the reference monitor concept. A reference monitor is a system component that enforces access controls on an object. Therefore, the reference monitor concept is an abstract machine that mediates all access of subjects to objects. The Security Kernel must: Mediate all accesses Be protected from modification Be verified as correct. -Ronald Krutz The CISSP PREP Guide (gold edition) pg 262

13
Q
What is an error called that causes a system to be vulnerable because of the environment in which it is installed?  
A. Configuration error 
B. Environmental error 
C. Access validation error
D. Exceptional condition handling error
A

Answer: B
Explanation:

14
Q
Which of the following ensures that security is not breached when a system crash or other system failure occurs?  
A. trusted recovery 
B. hot swappable 
C. redundancy 
D. secure boot
A

Answer: A Explanation: “Trusted Recovery When an operating system or application crashes or freezes, it should not put the sytem in any time of secure state.” Pg 762 Shon Harris: All-In-One CISSP Certification Exam Guide

15
Q
What type of subsystem is an application program that operates outside the operating system and carries out functions for a group of users, maintains some common data for all users in the group, and protects the data from improper access by users in the group?    
A. Prevented subsystem 
B. Protected subsystem 
C. File subsystem 
D. Directory subsystem
A

Answer: B
Explanation:

16
Q

A ‘Pseudo flaw’ is which of the following?
A. An apparent loophole deliberately implanted in an operating system
B. An omission when generating Pseudo-code
C. Used for testing for bounds violations in application programming
D. A Normally generated page fault causing the system halt

A

Answer: A
Explanation:

17
Q
Which of the following yellow-book defined types of system recovery happens after a system fails in an uncrontrolled manner in response to a TCB or media failure and the system cannot be brought to a consistent state? 
A. Recovery restart 
B. System reboot 
C. Emergency system restart 
D. System Cold start
A

Answer: C
Reference: “Emergency system restart is done after a system fails in an uncontrolled manner in response to a TCB or media failure. In such cases, TCB and user objects on nonvolatile storage belonging to processes active at the time of TCB or media failure may be left in an inconsistent state. The system enters maintenance mode, recovery is performed automatically, and the system restarts with no user processes in progress after bringing up the system in a consistent state.”

18
Q

Which one of the following describes a reference monitor?
A. Access control concept that refers to an abstract machine that mediates all accesses to objects by subjects.
B. Audit concept that refers to monitoring and recording of all accesses to objects by subjects.
C. Identification concept that refers to the comparison of material supplied by a user with its reference profile.
D. Network control concept that distributes the authorization of subject accesses to objects

A

Answer: A
Explanation: A reference monitor is a system component that enforces access controls on an object. Therefore, the reference monitor concept is an abstract machine that mediates all access of subjects to objects -Ronald Krutz The CISSP PREP Guide (gold edition) pg 262

19
Q
What can best be described as an abstract machine which must mediate all access to subjects to objects?  
A security domain
B. The reference monitor 
C. The security kernel 
D. The security perimeter
A

Answer: B
Reference: pg 882 Shon Harris: All-in-One CISSP Certification

20
Q
What is the PRIMARY component of a Trusted Computer Base?    
A. The computer hardware 
B. The security subsystem 
C. The operating system software 
D. The reference monitor
A

Answer: D
Explanation: “The security kernel is made up of hardware, software, and firmware components that fall within the TCB and implements and enforces the reference monitor concept. The security kernel mediates all access and functions between subjects and objects. The security kernel is the core of the TCB and is the most commonly used approach to building trusted computing systems. There are three main requirements of the security kernel: • It must provide isolation for the processes carrying out the reference monitor concept, and the processes must be tamperproof. • It must be invoked for every access attempt and must be impossible to circumvent. Thus, the security kernel must be implemented in a complete and foolproof way. • It must be small enough to be able to be tested and verified in a complete and comprehensive manner. These are the requirements of the reference monitor; therefore, they are the requirements of the components that provide and enforce the reference monitor concept—the security kernel.” – Shon Harris, “CISSP All-in-One Exam Guide”, 3rd Ed, p

21
Q

Which of the following is best defined as a mode of system termination that automatically leaves
system processes and components in a secure state when a failure occurs or is detected in the system?
A. Fail proof
B. Fail soft
C. Fail safe
D. Fail resilient

A

Answer: C
Explanation:

22
Q

LOMAC uses what Access Control method to protect the integrity of processes and data?
A. Linux based EFS.
B. Low Water-Mark Mandatory Access Control.
C. Linux based NFS.
D. High Water-Mark Mandatory Access Control.

A

Answer: B
Explanation: LOMAC is a security enhancement for Linux that uses Low Water-Mark Mandatory Access Control to protect the integrity of processes and data from viruses, Trojan horses, malicious remote users and compromised root daemons. LOMAC is implemented as a loadable kernel module - no kernel recompilations or changes to existing applications are required. Although not all the planned features are currently implemented, it presently provides sufficient protection to thwart script-kiddies, and is stable enough for everyday use.

23
Q
On Linux, LOMAC is implemented as: 
A. Virtual addresses 
B. Registers 
C. Kernel built in functions 
D. Loadable kernel module
A

Answer: D
Explanation: LOMAC is a security enhancement for Linux that uses Low Water-Mark Mandatory Access Control to protect the integrity of processes and data from viruses, Trojan horses, malicious remote users and compromised root daemons. LOMAC is implemented as a loadable kernel module - no kernel recompilations or changes to existing applications are required. Although not all the planned features are currently implemented, it presently provides sufficient protection to thwart script-kiddies, and is stable enough for everyday use.
“Security Kernel - The hardware, firmware, and software elements of a trusted computing base (TCB) that implements the reference monitor concept. It must mediate all accesses between subjects and objects, be protected from modification, and be verifiable as correct.” - Shon Harris All-in-one CISSP Certification Guide pg 355

24
Q

LOMAC is a security enhancement for what operating system?
A. Linux
B. Netware
C. Solaris

A

Answer: A
Explanation: LOMAC is a security enhancement for Linux that uses Low Water-Mark Mandatory Access Control to protect the integrity of processes and data from viruses, Trojan horses, malicious remote users and compromised root daemons. LOMAC is implemented as a loadable kernel module - no kernel recompilations or changes to existing applications are required. Although not all the planned features are currently implemented, it presently provides sufficient protection to thwart script-kiddies, and is stable enough for everyday use.
ISC

25
Q
What was introduced for circumventing difficulties in classic approaches to computer security by limiting damages produced by malicious programs?    
A. Integrity-preserving 
B. Reference Monitor 
C. Integrity-monitoring 
D. Non-Interference
A

Answer: B
Explanation: “reference monitor … mediates all access subjects have to objects … protect the objects from unauthorized access and destructive modification” , Ibid p 273 Reference monitor is part of the TCB concept
Not D: “noninterference … is implemented to ensure that any actions that take place at a higher security level do not affect … actions that take place at a lower level”, Harris, 3rd Ed, p 290. It is part of the information flow model.

26
Q
A feature deliberately implemented in an operating system as a trap for intruders is called a:   
A. Trap door 
B. Trojan horse 
C. Pseudo flaw 
D. Logic bomb
A

Answer: C
Explanation:
“An apparent loophole deliberately implanted in an operating system program as a trap for intruders.” As defined by the Aqua Book NCSC-TG-004 a pseudo-flaw is an apparent loophole deliberately implanted in an operating system program as a trap for intruders. Answer from http://www.cccure.org

27
Q
Fault tolerance countermeasures are designed to combat threats to  
A. an uninterruptible power supply 
B. backup and retention capability 
C. design reliability 
D. data integrity
A

Answer: C
Explanation:

28
Q

A ‘Psuedo flaw’ is which of the following?
A. An apparent loophole deliberately implanted in an operating system program as a trap for intruders
B. An omission when generating Psuedo-code
C. Used for testing for bounds violations in application programming
D. A normally generated page fault causing the system to halt

A

Answer: A
Explanation:

29
Q
QUESTION NO: 126  
What Distributed Computing Environment (DCE) component provides a mechanism to ensure that services are made available only to properly designated parties? 
A. Directory Service 
B. Remote Procedure Call Service 
C. Distributed File Service 
D. Authentication and Control Service
A

Answer: A
Explanation: A directory service has a hierarchical database of users, computers, printers, resources, and attributes of each. The directory is mainly used for lookup operations, which enable users to track down resources and other users…The administrator can then develop access control, security, and auditing policies that dictate who can access these objects, how the objects can be accessed, and audit each of these actions. - Shon Harris All-in-one CISSP Certification Guide pg 436-437

30
Q
What can be accomplished by storing on each subject a list of rights the subject has for every object?   
A. Object 
B. Capabilities 
C. Key ring 
D. Rights
A

Answer: B
Explanation: Capabilities are accomplished by storing on each subject a list of rights the subject has for every object. This effectively gives each user a key ring. To remove access to a particular object, every user (subject) that has access to it must be “touched”. A touch is an examination of a user’s rights to that object and potentially removal of rights. This brings back the problem of sweeping changes in access rights.

31
Q
In the Information Flow Model, what relates two versions of the same object? 
A. Flow 
B. State 
C. Transformation 
D. Successive points
A

Answer: A
Explanation: A flow is a type of dependency that relates two versions of the same object, and thus the transformation of one state of that object into another, at successive points in time.

32
Q
What is a security requirement that is unique to Compartmented Mode Workstations (CMW)?  
A. Sensitivity Labels 
B. Object Labels 
C. Information Labels 
D. Reference Monitors
A

Answer: C
Explanation:

33
Q

The Common Criteria (CC) represents requirements for IT security of a product or system under which distinct categories?
A. Functional and assurance
B. Protocol Profile (PP) and Security Target (ST)
C. Targets of Evaluation (TOE) and Protection Profile (PP)
D. Integrity and control

A

Answer: A
Explanation: “Like other evaluation criteria before it, Common Criteria works to answer two basic and general questions about products being evaluated: what does it do (functionality), and how sure are you of that (assurance)?” pg 232 Shon Harris CISSP All-In-One Certification Exam Guide

34
Q

What are the assurance designators used in the Common Criteria (CC)?
A. EAL 1, EAL 2, EAL 3, EAL 4, EAL 5, EAL 6, and EAL 7
B. A1, B1, B2, B3, C2, C1, and D
C. E0, E1, E2, E3, E4, E5, and E6
D. AD0, AD1, AD2, AD3, AD4, AD5, and AD6

A

Answer: A
Explanation: Original Answer was C. This is wrong in my view as the original answer confused ITSEC with the CC per the following The Common criteria terminology for the degree of examination of the product to be tested is the Evaluation Assurance level (EAL). EALs range from EA1 (functional testing to EA7 (detailed testing and formal design verification). -Ronald Krutz The CISSP PREP Guide (gold edition) pg 266-267 Note that Shon Harris All-in-one CISSP Certification Guide uses EAL (not just EA). EALs are combinations of assurance components. They also can be conveniently compared to TSCEC and ITSEC. Like these security evaluation criteria, EALs are scaled with from EAL1 through EAL7. Other EALs exist, but EAL 7 is the highest with international recognition. - Roberta Bragg Cissp Certification Training Guide (que) pg 368 ITSEC separately evaluates functionality and assurance, and it includes 10 functionality classes (f), eight assurance levels (q), seven levels of correctness (e), and eight basic security functions in its criteria. ). -Ronald Krutz The CISSP PREP Guide (gold edition) pg 266

35
Q

Which of the following uses protection profiles and security targets?

A. ITSEC
B. TCSEC
C. CTCPEC
D. International Standard 15408

A

Answer: D
Explanation: “For historical and continuity purposes, ISO has accepted the continued use of the term “Common Criteria” (CC) within this document, while recognizing the official ISO name for the new IS 15408 is “Evaluation Criteria for Information Technology Security.” Pg. 552 Krutz: The CISSP Prep Guide: Gold Edition
“The Common Criteria define a Protection Profile (PP), which is an implementation-independent specification of the security requirements and protections of a product that could be built. The Common Criteria terminology for the degree of examination of the product to be tested is the Evaluation Assurance Level (EAL). EALs range from EA1 (functional testing) to EA7 (detailed testing and formal design verification). The Common Criteria TOE refers to the product to be tested. A Security Target (ST) is a listing of the security claims for a particular IT security product. Also, the Common Criteria describe an intermediate grouping of security requirement components as a package.” Pg. 266-267 Krutz: The CISSP Prep Guide: Gold Edition

36
Q

According to Common Criteria, what can be described as an intermediate combination of security requirement components?

A. Protection profile (PP)
B. Security target (ST)
C. Package
D. The Target of Evaluation (TOE)

A

Answer: C
Explanation: “The Common Criteria define a Protection Profile (PP), which is an implementation independent specification of the security requirements and protections of a product that should be built. The Common Criteria terminology for the degree of examination of the product to be tested is the Evaluation Assurance Level (EAL.) EALs range from EA1 (functional testing() to EA7 (detailed testing and formal design verification). The Common Criteria TOE refers to the product to be tested. A Security Target (ST) is a listing of the security claims for a particular IT security product. Also, the Common Criteria describe an intermedicate grouping of security requirement components as a package.”
Pg. 266- 267 Krutz: The CISSP Prep Guide: Gold Edition

37
Q

The Common Criteria construct which allows prospective consumers or developers to create standardized sets of security requirements to meet there needs is

A. a Protection Profile (PP).
B. a Security Target (ST).
C. an evaluation Assurance Level (EAL).
D. a Security Functionality Component Catalog (SFCC).

A

Answer: A
Explanation: Protection Profiles: The Common Criteria uses protection profiles to evaluate products. The protection profile contains the set of security requirements, their meaning and reasoning, and the corresponding EAL rating. The profile describes the environmental assumptions, the objectives, and functional and assurance level expectations. Each relevant threat is listed along with how it is to be controlled by specific objectives. It also justifies the assurance level and requirements for the strength of each protection mechanism. The protection profile provides a means for the consumer, or others, to identify specific security needs;p this is the security problem to be conquered.
EAL: An evaluation is carried out on a product and is assigned an evaluation assurance level (EAL) The thoroughness and stringent testing increases in detailed-oriented tasks as the levels increase. The Common Criteria has seven aassurance levels. The ranges go from EAL1, where the functionality testing takes place, to EAL7,where thorough testing is performed and the system is verified.
All-In-One CISSP Certification Exam Guide by Shon Harris pg. 262
Note:”The Common Criteria defines a Protection Profile (PP), which is an implementationindependent specification of the security requirements and protections of a product that could be built. The Common Criteria terminology for the degree of examination of the product to be tested is the Evaluation Assurance Level (EAL). EALs range from EA1 (functional testing) to EA7 (detailed testing and formal design verification). The Common Criteria TOE [target of evaluation] refers to the product to be tested. A Security Target (ST) is a listing of the security claims for a particular IT security product.” -Ronald Krutz The CISSP PREP Guide (gold edition) pg 266-267

38
Q
The Information Technology Security Evaluation Criteria (ITSEC) was written to address which of the following that the Orange Book did not address?  
A. integrity and confidentiality 
B. confidentiality and availability 
C. integrity and availability 
D. none of the above
A

Answer: C
Explanation: “ITSECTCSEC (Orange Book) E0D F1+E1C1 F2+E2C2 F3+E3B1 F4+E4B2 F5+E5B3 F5+E6A1 F6=Systems that provide high integrity F7=Systems that provide high availability F8=Systems that provide data integrity during communication F9=Systems that provide high confidentiality F10=Networks with high demands on confidentiality and integrity”
Pg. 230 Shon Harris: All-in-One CISSP Certification

39
Q

Which of the following was developed by the National Computer Security Center (NCSC)?

A. TCSEC
B. ITSEC
C. DITSCAP
D. NIACAP

A

Answer: A
Reference: pg 129 Hansche: Official (ISC)2 Guide to the CISSP Exam

40
Q

The Trusted Computer Security Evaluation Criteria (TBSEC) provides
A. a basis for assessing the effectiveness of security controls built into automatic data-processing system products
B. a system analysis and penetration technique where specifications and document for the system are analyzed.
C. a formal static transition model of computer security policy that describes a set of access control rules.
D. a means of restricting access to objects based on the identity of subjects and groups to which they belong.

A

Answer: A
Explanation: TBSEC provides guidelines to be used with evaluating a security product. The TBSEC guidelines address basic security functionality and allow evaluators to measure and rate the functionality of a system and how trustworthy it is. Functionality and assurance are combined and not separated, as in criteria developed later. TCSEC guidelines can be used for evaluating vendor products or by vendors to design necessary functionality into new products. CISSP Study Guide by Tittel pg. 413.

41
Q
Which Orange Book evaluation level is described as “Verified Design”?  
A. A1 
B. B3 
C. B2 
D. B1
A

Answer: A
Explanation:

42
Q
Which of the following classes is defined in the TCSEC (Orange Book) as mandatory protection?  
A. B 
B. A 
C. C 
D. D
A

Answer: A
Explanation:

43
Q
Which Orange Book security rating requires that formal techniques are used to prove the equivalence between the TCB specifications and the security policy model?  
A. B2 
B. B3 
C. A1 
D. A2
A

Answer: C
Reference: Pg 226 Shon Harris: All-in-One CISSP Certification

44
Q
According to the Orange Book, which security level is the first to require trusted recovery?  
A. A1 
B. B2 
C. B3 
D. B1
A

Answer: C
Explanation: “Trusted recovery is required only for B3 and A1 level systems.” Pg 305 Krutz: CISSP Prep Guide: Gold Edition

45
Q
According to the Orange Book, which security level is the first to require a system to protect against covert timing channels?  
A. A1 
B. B3 
C. B2 
D. B1
A

Answer: C
Explanation: http://en.wikipedia.org/wiki/Trusted_Computer_System_Evaluation_Criteria

46
Q
Which of the following is not an Orange Book-defined operational assurance requirement?  
A. System architecture
B. Trusted facility management 
C. Configuration management 
D. Covert channel analysis
A

Answer: C
Explanation: Systems Integrity is a part of operational assurance opposed to life cycle assurance.
“The operational assurance requirements specified in the Orange Book are as follows: System Architecture System integrity Covert channel analysis Trusted facility management Trusted recovery
The life cycle assurance requirements specified in the Orange Book are as follows: Security testing Design specification and testing Configuration Management Trusted Distribution”
Pg. 301 Krutz: The CISSP Prep Guide: Gold Edition.

47
Q
Which of the following is least likely to be found in the Orange Book?  
A. Security policy 
B. Documentation 
C. Accountability 
D. Networks and network components
A

Answer: D
Explanation:

48
Q
According to the Orange Book, which security level is the first to require a system to support separate operator and system administrator rules?  
A. A1 
B. B1 
C. B2 
D. B3
A

Answer: C
Explanation:

49
Q
Which of the following is not an Orange book-defined life cycle assurance requirement?  
A. Security testing 
Design specification and testing 
C. Trusted distribution 
D. System integrity
A

Answer: D
Explanation: Systems Integrity is a part of operational assurance opposed to life cycle assurance.
“The operational assurance requirements specified in the Orange Book are as follows: System Architecture System integrity Covert channel analysis Trusted facility management Trusted recovery
The life cycle assurance requirements specified in the Orange Book are as follows: Security testing Design specification and testing Configuration Management Trusted Distribution”
Pg. 301 Krutz: The CISSP Prep Guide: Gold Edition.

50
Q
At what Trusted Computer Security Evaluation Criteria (TCSEC) or Information Technology Security Evaluation Criteria (ITSEC) security level are database elements FIRST required to have security labels?    
A. A1/E6 
B. B1/E3 
C. B2/E4 
D. C2/E2
A

Answer: B
Explanation: “B1: Labeled Security Each data object must contain a classification label and each subject must have a clearance label. When a subject attempts to access an object, the system must compare the subject and object’s security labels to ensure the requested actions are acceptable. Data leaving the system must also contain an accurate security label. The security policy is based on an informal statement and the design specifications are reviewed and verified. It is intended for environments that require systems to handle
classified data.”
“ pg. 224-226 Shon Harris: All-In-One CISSP Certification Exam Guide

51
Q

Which of the following statements pertaining to the Trusted Computer System Evaluation Criteria (TCSEC) is incorrect?
A. With TCSEC, functionality and assurance are evaluated separately.
B. TCSEC provides a means to evaluate the trustworthiness of an information system
C. The Orange Book does not cover networks and communications
D. Database management systems are not covered by the TCSEC

A

Answer: A
Explanation:

52
Q
Which of the following is the lowest TCSEC class wherein the systems must support separate operator and system administrator roles?  
A. B2 
B. B1 
C. A1 
D. A2
A

Answer: A Reference: pg 129 Hansche: Official (ISC)2 Guide to the CISSP Exam

53
Q

Which TCSEC (Orange Book) level requires the system to clearly identify functions of security administrator to perform security-related functions?

A. C2
B. B1
C. B2
D. B3

A

Answer: D
Explanation: B1: Labeled Security Each data object must contain a classification label and each subject must have a clearance label. When a subject attempts to access an object, the system must compare the subject and object’s security labels to ensure the requested actions are acceptable. Data leaving the system must also contain an accurate security label. The security policy is based on an informal statement and the design specifications are reviewed and verified. It is intended for environments that require systems to handle classified data.
B2: Structured Protection The security policy is clearly defined and documented, and the system design and implementation are subjected to more thorough review and testing procedures. This class requires more stringent authentication mechanisms and well-defined interfaces among layers. Subjects and devices require labels, and the system must not allow covert channels. A trusted path for logon and authentication processes must be in place, which means there are no trapdoors. A trusted path means that the subject is communicating directly with the application or operating system. There is no way to circumvent or compromise this communication channel. There is a separation of operator and administration functions within the system to provide more trusted and protected operational functionality. Distinct address spaces must be provided to isolate processes, and a covert channel analysis is conducted. This class adds assurance by adding requirements to the design of the system. The environment that would require B2 systems could process sensitive data that require a higher degree of security. This environment would require systems that are relatively resistant to penetration and compromise. (A trusted path means that the user can be sure that he is talking to a genuine copy of the operating system.)
B3: Security Domains In this class, more granularity is provided in each protection mechanism, and the programming code that is not necessary to support the security policy is exclude. The design and implementation should not provide too much complexity because as the complexity of a system increases, the ability of the individuals who need to test, maintain, and configure it reduces; thus, the overall security can be threatened. The reference monitor components must be small enough to test properly and be tamperproof. The security administrator role is clearly defined, and the system must be able to recover from failures without it security level being compromised. When the system starts up and loads it operating system and components, it must be done in an initial secure state to ensure that any weakness of the system cannot be taken advantage of in this slice of time. “ pg. 226 Shon Harris: All-In-One CISSP Certification Exam Guide
ISC

54
Q

Which of the following statements pertaining to the trusted computing base (TCB) is false?
A. It addresses the level of security a system provides
B. It originates from the Orange Book
C. It includes hardware, firmware, and software
D. A higher TCB rating will require that details of their testing procedures and documentation be reviewed with more granularity

A

Answer: A
Explanation:

55
Q
Which of the following is not an Orange book-defined operational assurance requirement?  
A. System architecture 
B. Trusted facility management 
C. Configuration management 
D. Covert channel analysis
A

Answer: C
Explanation: Configuration management is a part of life cycle assurance opposed to operational assurance.
“The operational assurance requirements specified in the Orange Book are as follows: System Architecture System integrity Covert channel analysis Trusted facility management Trusted recovery
The life cycle assurance requirements specified in the Orange Book are as follows: Security testing
Design specification and testing Configuration Management Trusted Distribution”
Pg. 301 Krutz: The CISSP Prep Guide: Gold Edition.

56
Q
Which of the following focuses on the basic features and architecture of a system?  
A. operational assurance 
B. life cycle assurance 
C. covert channel assurance 
D. level A1
A

Answer: A
Explanation: “The operational assurance requirements specified in the Orange Book are as follows:
System Architecture System integrity Covert channel analysis Trusted facility management Trusted recovery”
Pg. 301 Krutz: The CISSP Prep Guide: Gold Edition

57
Q
Which level(s) must protect against both covert storage and covert timing channels?  
A. B3 and A1 
B. B2, B3 and A1 
C. A1 
D. B1, B2, B3 and A1
A

Answer: A
Reference: pg 302 Krutz: CISSP Prep Guide: Gold Edition

58
Q
According to the Orange Book, trusted facility management is not required for which of the following security levels?  
A. B1 
B. B2 
C. B3 
D. A1
A

Answer: A
Explanation: B1 does not provide trusted facility management, the next highest level that does is B2.
“Trusted facility management is defined as the assignment of a specific individual to administer the security-related functions of a system. Although trusted facility management is an assurance requirement only for highly secure systems (B2, B3, and A1), many systems evaluated at lower security levels re structured to try to meet this requirement.” Pg. 302 Krutz: The CISSP Prep Guide: Gold Edition

59
Q
Which factor is critical in all systems to protect data integrity?    
A. Data classification 
B. Information ownership 
C. Change control 
D. System design
A

Answer: A Explanation: A Integrity is dependent on confidentiality, which relies on data classification. Also Biba integrity model relies on data classification. “There are numerous countermeasures to ensure confidentiality against possible threats. These include the use of encryption, network traffic padding, strict access control, rigorous authentication procedures, data classification, and extensive personnel training.
Confidentiality and integrity are dependent upon each other. Without object integrity, confidentiality cannon be maintained. Other concepts, conditions, and aspects of confidentiality include sensitivity, discretion, criticality, concealment, secrecy, privacy, seclusion, and isolation.” Pg 145 Tittel: CISSP Study Guide.

“Biba Integrity Model
Integrity is usually characterized by the three following goals: 1.)The data is protected from modification by unauthorized users. 2.)The data is protected from unauthorized modification by authorized users. 3.)The data is internally and externally consistent; the data held in a database must balance internally and correspond to the external, real world situation.”
Pg. 277 Krutz: The CISSP Prep Guide: Gold Edition.

60
Q

Which of the following is not a common integrity goal?
A. Prevent unauthorized users from making modifications
B. Maintain internal and external consistency
C. Prevent authorized users from making improper modifications
D. Prevent paths that could lead to inappropriate disclosure

A

Answer: D
Explanation:

61
Q
Which security model introduces access to objects only through programs?
A. The Biba model 
B. The Bell-LaPadula model 
C. The Clark-Wilson model 
D. The information flow model
A

Answer: C
Explanation: “The Clark-Wilson model is also an integrity-protecting model. The Clark-Wilson model was developed after Biba and approaches integrity protection from a different perspective. Rather than employing a lattice structure, it uses a three-part relationship of subject/program/object known as a triple. Subjects do not have direct access to objects. Objects can be access only through programs.” Pg 347 Tittel: CISSP Study Guide

62
Q

To ensure that integrity is attainted through the Clark and Wilson model, certain rules are needed.These rules are:
A. Processing rules and enforcement rules.
B. Integrity-bouncing rules.
C. Certification rules and enforcement rules.
D. Certification rules and general rules.

A

Answer: C
Explanation: To ensure that integrity is attained and preserved, Clark and Wilson assert, certain integrity-monitoring and integrity-preserving rules are needed. Integrity-monitoring rules are called certification rules, and integrity-preserving rules are called enforcement rules.

63
Q
What can be defined as a formal security model for the integrity of subjects and objects in a system? 
A. Biba 
B. Bell LaPadula Lattice 
C. Lattice 
D. Info Flow
A

Answer: A
Explanation: The Handbook of Information System Management, 1999 Edition, ISBN: 0849399742 presents the following definition: In studying the two properties of the Bell-LaPadula model, Biba discovered a plausible notion of integrity, which he defined as prevention of unauthorized modification. The resulting Biba integrity model states that maintenance of integrity requires that data not flow from a receptacle of given integrity to a receptacle of higher integrity. For example, if a process can write above its security level, trustworthy data could be contaminated by the addition of less trustworthy data. SANS glossary at http://www.sans.org/newlook/resources/glossary.htm define it as: Formal security model for the integrity of subjects and objects in a system.

64
Q
The Clark Wilson model has its emphasis on:   
A. Security 
B. Integrity 
C. Accountability
D. Confidentiality
A

Answer: B
Explanation: This model attempts to capture security requirements of commercial applications. ‘Military’ and ‘Commercial’ are shorthand for different ways of using computers. This model has emphasis on integrity: Internal consistency: properties of the internal state of a system External consistency: relation of the internal state of a system to the outside world

65
Q
What does * (star) integrity axiom mean in the Biba model?  
A. No read up 
B. No write down 
C. No read down 
D. No write up
A

Answer: D
Explanation: “Biba has two integrity axioms:

66
Q
Which access control model states that for integrity to be maintained data must not flow from a receptacle of given integrity to a receptacle of higher integrity?    
A. Lattice Model 
B. Bell-LaPadula Model 
C. Biba Model 
D. Take-Grant Model
A

Answer: C
Explanation: If implemented and enforced properly, the Biba model prevents data from any integrity level from flowing to a higher integrity level. - Shon Harris All-in-one CISSP Certification Guide pg 244

67
Q
Which one of the following is a KEY responsibility for the “Custodian of Data”? 
A. Data content and backup 
B. Integrity and security of data 
C. Authentication of user access 
D. Classification of data elements
A

Answer: B
Explanation: Custodian - Preserves the information’s CIA (chart) -Ronald Krutz The CISSP PREP Guide (gold edition) pg 15

68
Q

Which one of the following is true about information that is designated with the highest of confidentiality in a private sector organization?
A. It is limited to named individuals and creates an audit trail.
B. It is restricted to those in the department of origin for the information.
C. It is available to anyone in the organization whose work relates to the subject and requires authorization for each access.
D. It is classified only by the information security officer and restricted to those who have made formal requests for access.

A

Answer: C
Explanation:

69
Q
Related to information security, confidentiality is the opposite of which of the following?  
A. closure 
B. disclosure 
C. disposal 
D. disaster
A

Answer: B
Explanation:

70
Q
What is the main concern of the Bell-LaPadula security model?  
A. Accountability 
B. Integrity 
C. Confidentiality 
D. Availability
A

Answer: C
Explanation: “An important thing to note is that the Bell-LaPadula model was developed to make sure secrets stay secret; thus, it provides and addresses confidentiality only. This model does not address integrity of the data the system maintains – only who can and cannot access the data.” Pg 214 Shon Harris: All-in-One CISSP Certification

71
Q

Which of the following are the limitations of the Bell-LaPadula model?
A. No policies for changing access data control.
B. All of the choices.
C. Contains covert channels.
D. Static in nature.

A

Answer: B
Explanation: Limitations of the BLP model: Have no policies for changing access data control Intended for systems with static security levels Contains covert channels: a low subject can detect the existence of a high object when it is denied access. Sometimes it is not enough to hide the content of an object; also their existence may have to be hidden. Restricted to confidentiality

72
Q
Which of the following is a state machine model capturing confidentiality aspects of access control?    
A. Clarke Wilson 
B. Bell-LaPadula 
C. Chinese Wall 
D. Lattice
A

Answer: B
Explanation: Bell-LaPadula is a state machine model capturing confidentiality aspects of access control. Access permissions are defined through an Access Control matrix and through a partial ordering of security levels. Security policies prevent information flowing downwards from a high security level to a low security level. BLP only considers the information flow that occurs when a subject observes or alters an object.

73
Q
With the BLP model, access permissions are defined through:    
A. Filter rules 
B. Security labels 
C. Access Control matrix 
D. Profiles
A

Answer: C
Explanation: Bell-LaPadula is a state machine model capturing confidentiality aspects of access control. Access permissions are defined through an Access Control matrix and through a partial ordering of security levels. Security policies prevent information flowing downwards from a high security level to a low security level. BLP only considers the information flow that occurs when a subject observes or alters an object

74
Q
With the BLP model, security policies prevent information flowing downwards from a:    
A. Low security level 
B. High security level 
C. Medium security level 
D. Neutral security level
A

Answer: B
Explanation: Bell-LaPadula is a state machine model capturing confidentiality aspects of access control. Access permissions are defined through an Access Control matrix and through a partial ordering of security levels. Security policies prevent information flowing downwards from a high security level to a low security level. BLP only considers the information flow that occurs when a subject observes or alters an object.

75
Q
When will BLP consider the information flow that occurs?    
A. When a subject alters on object. 
B. When a subject accesses an object. 
C. When a subject observer an object. 
D. All of the choices.
A

Answer: D
Explanation: Bell-LaPadula is a state machine model capturing confidentiality aspects of access control. Access permissions are defined through an Access Control matrix and through a partial ordering of security levels. Security policies prevent information flowing downwards from a high security level to a low security level. BLP only considers the information flow that occurs when a subject observes or alters an object.

76
Q
In the Bell-LaPadula model, the Star-property is also called:  
A. The simple security property 
B. The confidentiality property 
C. The confinement property 
D. The tranquility property
A

Answer: C
Explanation:

77
Q
The Lattice Based Access Control model was developed MAINLY to deal with:    
A. Affinity 
B. None of the choices. 
C. Confidentiality 
D. Integrity
A

Answer: C
Explanation: Page 349 of Harris’ 5th edition references Bell-LaPadula model in the Lattice Based example. Bell-LaPadula is Confidentiality focused, not integrity focused.

78
Q
With the Lattice Based Access Control model, a security class is also called a: 
A. Control factor 
B. Security label 
C. Mandatory number 
D. Serial ID
A

Answer: B
Explanation: The Lattice Based Access Control model was developed to deal mainly with information flow in computer systems. Information flow is clearly central to confidentiality but to some extent it also applies to integrity. The basic work in this area was done around 1970 and was driven mostly by the defense sector. Information flow in computer systems is concerned with flow from one security class (also called security label) to another. These controls are applied to objects. An object is a container of information, and an object can be a directory or file.

79
Q

Under the Lattice Based Access Control model, a container of information is a(n):
A. Object
B. Model
C. Label

A

Answer:
A Explanation: The Lattice Based Access Control model was developed to deal mainly with information flow in computer systems. Information flow is clearly central to confidentiality but to some extent it also applies to integrity. The basic work in this area was done around 1970 and was driven mostly by the defense sector. Information flow in computer systems is concerned with flow from one security class (also called security label) to another. These controls are applied to objects. An object is a container of information, and an object can be a directory or file.

80
Q
What Access Control model was developed to deal mainly with information flow in computer systems?    
A. Lattice Based 
B. Integrity Based 
C. Flow Based 
D. Area Based
A

Answer: A
Explanation: The Lattice Based Access Control model was developed to deal mainly with information flow in computer systems. Information flow is clearly central to confidentiality but to some extent it also applies to integrity. The basic work in this area was done around 1970 and was driven mostly by the defense sector. Information flow in computer systems is concerned with flow from one security class (also called security label) to another. These controls are applied to objects. An object is a container of information, and an object can be a directory or file.

81
Q
The Lattice Based Access Control model was developed to deal mainly with \_\_\_\_\_\_\_\_\_\_\_ in computer systems.    
A. Access control 
B. Information flow 
C. Message routes 
D. Encryption
A

Answer: B
Explanation: Information flow is clearly central to confidentiality but to some extent it also applies to integrity. The basic work in this area was done around 1970 and was driven mostly by the defense sector. Information flow in computer systems is concerned with flow from one security class (also called security label) to another. These controls are applied to objects. An object is a container of information, and an object can be a directory or file.

82
Q
In the Lattice Based Access Control model, controls are applied to:   
A. Scripts 
B. Objects 
C. Models 
D. Factors
A

Answer: B
Explanation: Information flow is clearly central to confidentiality but to some extent it also applies to integrity. The basic work in this area was done around 1970 and was driven mostly by the defense sector. Information flow in computer systems is concerned with flow from one security class (also called security label) to another. These controls are applied to objects. An object is a container of information, and an object can be a directory or file.

83
Q
Access control techniques do not include:  
A. Rule-Based Access Controls 
B. Role-Based Access Controls 
C. Mandatory Access Controls 
D. Random Number Based Access Control
A

Answer: D
Explanation:

84
Q
An access control policy for a bank teller is an example of the implementation of which of the following?  
A. rule-based policy 
B. identity-based policy 
C. user-based policy 
D. role-based policy
A

Answer: D
Explanation:

85
Q
Access control techniques do not include which of the following choices?  
A. Relevant Access Controls 
B. Discretionary Access Controls 
C. Mandatory Access Controls 
D. Lattice Based Access Controls
A

Answer: A
Explanation: “Mandatory Access Control. The authorization of a subject’s access to an object depends upon labels, which indicate the subject’s clearance, and the classification or sensitivity of the object.” “Rule-based access control is a type of mandatory access control because rules determine this access, rather than the identity of the subjects and objects alone.”
“Discretionary Access Control. The subject has authority, within certain limitations, to specify what objects are accessible.” “When a user with certain limitations has the right to alter the access control to certain objects, this is termed as user-directed discretionary access control.” “An identity-based access control is a type of a discretionary access control based on an individual’s identity.” “In some instances, a hybrid approach is used, which combines the features of user-based and identity-based discretionary access control.”
“Non-discretionary Access Control. A Central authority determines what subjects can have access to certain objects based on the organizational security policy.” “The access controls might be based on the individuals role in the organization (role-based) or the subject’s responsibilities and duties (task-based).” “[Lattice-based] In this type of control, a lattice model is applied.
“Access control can be characterized as context-dependent or content dependent.”
Pg. 45-46 Krutz: The CISSP Prep Guide: Gold Edition

86
Q
What is called a type of access control where a central authority determines what subjects can have access to certain objects, based on the organizational security policy?  
A. Mandatory Access Control 
B. Discretionary Access Control 
C. Non-discretionary Access Control 
D. Rule-based access control
A

Answer: C
Explanation: Non-Discretionary Access Control. A central authority determines what subjects can have access to certain objects based on organizational security policy. The access controls may be based on the individual’s role in the organization (role-based) or the subject’s responsibilities and duties (task-based). Pg. 33 Krutz: The CISSP Prep Guide.

87
Q

In non-discretionary access control, a central authority determines what subjects can have access to certain objects based on the organizational security policy. The access controls may be based
A. the society’s role in the organization
B. the individual’s role in the organization
C. the group-dynamics as they relate to the individual’s role in the organization
D. the group-dynamics as they relate to the master-slave role in the organization

A

Answer: B
Explanation: Non-Discretionary Access Control. A central authority determines what subjects can have access to certain objects based on organizational security policy. The access controls may be based on the individual’s role in the organization (role-based) or the subject’s responsibilities and duties (task-based). Pg. 33 Krutz: The CISSP Prep Guide.

88
Q

This is a common security issue that is extremely hard to control in large environments. It occurs when a user has more computer rights, permissions, and privileges than what is required for the tasks the user needs to fulfill. What best describes this scenario?

A. Excessive Rights
B. Excessive Access
C. Excessive Permissions
D. Excessive Privileges

A

Answer: D Ex
planation:

89
Q
The default level of security established for access controls should be    
A. All access 
B. Update access 
C. Read access 
D. No access  
Answer: D
A

Explanation: “Need to Know and the Principle of Least Privilege are two standard axioms of highsecurity environments. A user must have a need-to-know to gain access to data or resources. Even if that ser has an equal or greater security classification than the requested information, if they do not have a need-to-know, they are denied access. A need-to-know is the requirement to have access to, knowledge about, or possession of data or a resource to perform specific work tasks. The principle of least privilege is the notion that users should be granted the least amount of access to the secure environment as possible for them to be able to complete their work tasks.” Pg 399 Tittel: CISSP Study Guide

90
Q
Access Control techniques do not include which of the following choices?  
A. Relevant Access Controls 
B. Discretionary Access Control 
C. Mandatory Access Control 
D. Lattice Based Access Controls
A

Answer: A
Explanation:

91
Q
Which of the following is a type of mandatory access control?  
A. Rule-based access control 
B. Role-based access control 
C. User-directed access control 
D. Lattice-based access control
A

Answer: A
Reference: pg 46 Krutz: CISSP Prep Guide: Gold Edition

92
Q
A central authority determines what subjects can have access to certain objects based on the organizational security policy is called:  
A. Mandatory Access Control 
B. Discretionary Access Control 
C. Non-Discretionary Access Control 
D. Rule-based Access Control
A

Answer: C
Reference: pg 46 Krutz: CISSP Prep Guide: Gold Edition

93
Q
What can be defined as a table of subjects and objects indicating what actions individual subjects can take upon individual objects?  
A. A capacity table 
B. An access control list 
C. An access control matrix 
D. A capability table
A

Answer: C
Explanation:

94
Q
What access control methodology facilitates frequent changes to data permissions?    
A. Rule-based 
B. List-based 
C. Role-based 
D. Ticket-based
A

Answer: A
Explanation: RBAC - This type of model provides access to resources based on the role the users holds within the company or the tasks that user has been assigned. - Shon Harris All-in-one CISSP Certification Guide pg 937 Rule-based access control is a type of mandatory access control because rules determine this access (such as the correspondence of clearances labels to classification labels), rather than the identity of the subjects and objects alone. . -Ronald Krutz The CISSP PREP Guide (gold edition) pg 45-46

95
Q

QUESTION NO: 192
Which of the following is a means of restricting access to objects based on the identity of the subject to which they belong?

A. Mandatory access control
B. Group access control
C. Discretionary access control
D. User access control

A

Answer: C
Explanation: The question does not ask about the identity of the accessing subject, the question refers to the subject to which the object belongs (ie the owner).
The owner setting the access rights is the definition of DAC. “DAC systems grant or deny access based on the identity of the subject. ….” Harris, 3rd Ed, p 163

96
Q

What is the method of coordinating access to resources based on the listening of permitted IP addresses?

A

Answer: B
Explanation: The definition of ACL: A method of coordinating access to resources based on the listing of permitted (or denied) users, network addresses or groups for each resource.

97
Q

What control is based on a specific profile for each user?
A. Lattice based access control.
B. Directory based access control.
C. Rule based access control.
D. ID based access control.
Answer: D
Explanation: The correct answer should be ID based access control. Rule based isn’t necessarily identity based.

A

Answer: D
Explanation: The correct answer should be ID based access control. Rule based isn’t necessarily identity

98
Q
In a very large environment, which of the following is an administrative burden?    
A. Rule based access control. 
. Directory based access control. 
C. Lattice based access control 
D. ID bases access control
A

Answer: D
Explanation:

99
Q
Which of the following is a feature of the Rule based access control?    
A. The use of profile. 
B. The use of information flow label. 
C. The use of data flow diagram. 
D. The use of token.
A

Answer: A
Explanation: Rule based access control is based on a specific profile for each user. Information can be easily changed for only one user but this scheme may become a burden in a very large environment. A rule-based access control unit will intercept every request to the server and compare the source specific access conditions with the rights of the user in order to make an access decision. A good example could be a firewall. Here a set of rules defined by the network administrator is recorded in a file. Every time a connection is attempted (incoming or outgoing), the firewall software checks the rules file to see if the connection is allowed. If it is not, the firewall closes the connection.

100
Q

What is an access control model?
A. A formal description of access control ID specification.
A formal description of security policy.
C. A formal description of a sensibility label.
D. None of the choices.

A

Answer: B
Explanation: What is an access control model? It is a formal description of a security policy. What is a security policy? A security policy captures the security requirements of an enterprise or describes the steps that have to be taken to achieve security. Security models are used in security evaluation, sometimes as proofs of security.

101
Q
Which of the following is true about MAC?    
A. It is more flexible than DAC. 
B. It is more secure than DAC. 
C. It is less secure than DAC. 
D. It is more scalable than DAC.
A

Answer: B
Explanation: Mandatory controls are access controls that are based on a policy that the user, and more importantly the processes running with that user’s privileges, is not allowed to violate. An example of this is “Top Secret” data is configured so that regardless of what the user does, the data cannot be transmitted to someone who does not have “Top Secret” status. Thus no “trojan horse” program could ever do what the user is not allowed to do anyway. The restrictions of mandatory controls are (at least in normal mode) also applied to the user who in a discretionary system would be “root”, or the superuser.

102
Q

Which of the following is true regarding a secure access model?
A. Secure information cannot flow to a more secure user.
B. Secure information cannot flow to a less secure user.
C. Secure information can flow to a less secure user.
D. None of the choices.

A

Answer: B
Explanation: Access restrictions such as access control lists and capabilities sometimes are not enough. In some cases, information needs to be tightened further, sometimes by an authority higher than the owner of the information. For example, the owner of a top-secret document in a government office might deem the information available to many users, but his manager might know the information should be restricted further than that. In this case, the flow of information needs to be controlled – secure information cannot flow to a less secure user.

103
Q
In the Information Flow Model, what acts as a type of dependency?   
A. State 
B. Successive points 
C. Transformation 
D. Flow
A

Answer:
D Explanation: A flow is a type of dependency that relates two versions of the same object, and thus the transformation of one state of that object into another, at successive points in time.

104
Q
A firewall can be classified as a: 
A. Directory based access control. 
B. Rule based access control. 
C. Lattice based access control. 
D. ID based access control.
A

Answer: B
Explanation: Rule based access control is based on a specific profile for each user. Information can be easily changed for only one user but this scheme may become a burden in a very large environment. A rule-based access control unit will intercept every request to the server and compare the source specific access conditions with the rights of the user in order to make an access decision. A good example could be a firewall. Here a set of rules defined by the network administrator is recorded in a file. Every time a connection is attempted (incoming or outgoing), the firewall software checks the rules file to see if the connection is allowed. If it is not, the firewall closes the connection.

105
Q
Which of the following are the two most well known access control models?    
A. Lattice and Biba 
B. Bell LaPadula and Biba 
C. Bell LaPadula and Chinese war
D. Bell LaPadula and Info Flow
A

Answer: B
Explanation: The two most well known models are Bell&LaPadula [1973] and Biba[1977]. Both were designed in and for military environments.

106
Q

What security model implies a central authority that determines what subjects can have access to
A. Centralized access control
B. Discretionary access control
C. Mandatory access control
D. Non-discretionary access control
Answer: D
Explanation: A role-based access control (RBAC) model, also called nondiscretionary access control, uses a centrally administrated set of controls to determine how subjects and objects interact. – Shon Harris, “CISSP All-in-One Exam Guide”, 3rd Ed, p 165.

A

Answer: D
Explanation: A role-based access control (RBAC) model, also called nondiscretionary access control, uses a centrally administrated set of controls to determine how subjects and objects interact. – Shon Harris, “CISSP All-in-One Exam Guide”, 3rd Ed, p 165.

107
Q
Which of the following is best known for capturing security requirements of commercial applications?    
A. Lattice 
B. Biba 
C. Bell LaPadula 
D. Clark and Wilson
A

Answer: D
Explanation: This model attempts to capture security requirements of commercial applications. ‘Military’ and ‘Commercial’ are shorthand for different ways of using computers. This model has emphasis on integrity: Internal consistency: properties of the internal state of a system External consistency: relation of the internal state of a system to the outside world

108
Q

Which of the following is a straightforward approach that provides access rights to subjects for objects

A. Access Matrix model
B. Take-Grant Model
C. Bell-LaPadula Model
D. Biba Model

A

Answer: A
Explanation: “The access matrix is a straightforward approach that provides access rights to subjects for objects. Access rights are of the type read, write, and execute. A subject is an active entity that is seeking rights to a resource or object. A subject can be a person, a program, or a process. An object is a passive entity, such as a file or a storage resource.” Pg 272 Krutz: CISSP Prep Guide: Gold Edition.

109
Q
What is called the type of access control where there are pairs of elements that have the least upper bound of values and greatest lower bound of values?  
A. Mandatory model 
B. Discretionary model 
C. Lattice model 
D. Rule model
A

Answer: C
Explanation: Lattice-based access control provides an upper bound and lower bound of access capabilities for every subject and object relationship. Pg 156 Shon Harris All-In-One CISSP Certification Exam Guide

110
Q
Which access control would a lattice-based access control be an example of?  
A. Mandatory access control 
B. Discretionary access control 
C. Non-discretionary access control 
D. Rule-based access control
A

Answer: A
Explanation:

111
Q
Who developed one of the first mathematical models of a multilevel-security computer system?  
A. Diffie Hillman 
B. Clark and Wilson 
C. Bell and LaPadula 
D. Gasser and Lipner
A

Answer: C
Explanation:

112
Q
Which of the following was the first mathematical model of multilevel security policy?    
A. Biba 
B. Take-Grant 
C. Bell-La Padula 
D. Clark Wilson
A

Answer: C
Explanation: “In the 1970’s, the US military used time-sharing mainframe systems and was concerned about these systems and leakage of classified information. The Bell-LaPadula model was developed to address these concerns. It was the first mathematical model of a multilevel security policy used to define the concept of a secure state machine and modes of access and outline rules of access.” Pg 212 Shon Harris: All-in-One CISSP Certification

113
Q
Which security model allows the data custodian to grant access privileges to other users?    
A. Mandatory 
B. Bell-LaPadula 
C. Discretionary 
D. Clark-Wilson
A

Answer: C
Explanation: “ Discretionary Access Control. The subject has authority, within certain limitations, to specify what objects are accessible.” -Ronald Krutz The CISSP PREP Guide (gold edition) pg 46

114
Q
What is one issue NOT addressed by the Bell-LaPadula model?    
A. Information flow control 
B. Security levels 
C. Covert channels 
D. Access modes
A

Answer: C
Explanation: As with any model, the Bell-LaPadula model has some weaknesses. These are the major ones. The model considers normal channels of the information exchange and does not address covert channels. -Ronald Krutz The CISSP PREP Guide (gold edition) pg 275-276

115
Q
Which one of the following access control models associates every resource and every user of a resource with one of an ordered set of classes?
A. Take-Grant model 
B. Biba model 
C. Lattice model 
D. Clark-Wilson model
A
Answer: C 
Explanation: With a lattice model you first have to define a set of security classes that can be assigned to users or objects...After you have defined set of security classes, you define a set flow operations showing when information can flow from one class to another - Roberta Bragg Cissp Certification Training Guide (que) pg 23
116
Q
What scheme includes the requirement that the system maintain the separation of duty requirement expressed in the access control triples?    
A. Bella 
B. Lattice 
C. Clark-Wilson 
D. Bell-LaPadula
A

Answer: C
Explanation: Separation of duty is necessarily determined by conditions external to the computer system. The Clark-Wilson scheme includes the requirement that the system maintain the separation of duty requirement expressed in the access control triples. Enforcement is on a per-user basis, using the user ID from the access control triple.

117
Q

The access matrix model consists of which of the following parts? (Choose all that apply)
A. A function that returns an objects type.
B. A list of subjects.
C. A list of objects.

A

Answer: A,B,C
Explanation: The access matrix model consists of four major parts: A list of objects A list of subjects A function T that returns an object’s type The matrix itself, with the objects making the columns and the subjects making the rows
Note: This question seems to confuse access control matrix, Harris, 3rd Ed, p 169 with access control types, Ibid, p 188ff
“An access control matrix is a table of subjects and objects indicating what actions … subjects can take upon … objects”, Harris, 3rd Ed, p 169. It would be right if item “A” was “a function that returned an access right”

118
Q

The access matrix model has which of the following common implementations?
A. Access control lists and capabilities.
B. Access control lists.
C. Capabilities.
D. Access control list and availability.

A

Answer: A
Explanation: The two most used implementations are access control lists and capabilities. Access control lists are achieved by placing on each object a list of users and their associated rights to that object.

119
Q

The lattice-based model aims at protecting against:
A. Illegal attributes.
B. None of the choices.
C. Illegal information flow among the entities.
D. Illegal access rights

A
Answer: C 
Explanation:  The lattice-based model aims at protecting against illegal information flow among the entities. One security class is given to each entity in the system. A flow relation among the security classes is defined to denote that information in one class can flow into another class.
120
Q
Which of the following are the components of the Chinese wall model?    
A. Conflict of interest. 
B. All of the choices. 
C. Subject 
D. Company Datasets.
A
Answer: B 
Explanation:  The model has the following component: COMPONENT EXAMPLE Subject Analyst Object Data item for a single client Company Datasets Give for each company its own company dataset Conflict of interest classes Give for each object companies that have a conflict of interest Labels Company dataset + conflict of interest class Sanitized information No access restriction
121
Q
Enforcing minimum privileges for general system users can be easily achieved through the use of: 
A. TSTEC 
B. RBAC 
C. TBAC 
D. IPSEC
A

Answer: B
Explanation: Ensuring least privilege requires identifying what the user’s job is, determining the minimum set of privileges required to perform that job, and restricting the user to a domain with those privileges and nothing more. By denying to subjects transactions that are not necessary for the performance of their duties, those denied privileges couldn’t be used to circumvent the organizational security policy. Although the concept of least privilege currently exists within the context of the TCSEC, requirements restrict those privileges of the system administrator. Through the use of RBAC, enforced minimum privileges for general system users can be easily achieved.

122
Q

What is necessary for a subject to have write access to an object in a Multi-Level Security Policy?
A. The subject’s sensitivity label must dominate the object’s sensitivity label
B. The subject’s sensitivity label subordinates the object’s sensitivity label
C. The subject’s sensitivity label is subordinated by the object’s sensitivity label
D. The subject’s sensitivity label is dominated by the object’s sensitivity label
Answer: A
Explanation: The correct answer is: The subject’s sensitivity label must dominate the object’s sensitivity label.

A

Answer: A
Explanation: The correct answer is: The subject’s sensitivity label must dominate the object’s sensitivity label. With a Multi-level security policy you have information that has different sensitivity labels. In order to read an object the subject’s sensitivity label must be equal to or greater than that of the object. So it would be considered to dominate it, no read up.
The following answers are incorrect:
The subject’s sensitivity label subordinates the object’s sensitivity label. Is incorrect because if the subject’s sensitivity label subordinates the object’s sensitivity label that would mean it is lower and the subject should not have read access to the object.
The subject’s sensitivity label is subordinated by the object’s sensitivity label. Is incorrect because the this would not allow for read access if the sensitivity lables were equal. So the subject’s sensitivity label is not subordinated by the object’s sensitivity label, the subject’s label must dominate the object’s label. Remember dominate means equal to or greater than where subordinate means less than.
The subject’s sensitivity label is dominated by the object’s sensitivity label. Is incorrect because if the object’s sensitivity label dominates the subject’s sensitivity label then the subject should not have access, it is the subject that must dominate the object and not the other way around. Remember dominate means equal to or greater than so this would mean that the object’s sensitivity label is equal to or greater than the subject.
According to the OIG, Multi-level security is defined as a class of system-containing information with different sensitivities that simultaneously permits access by users with different security clearances and need-to-know, but prevents users from obtaining access to information for which they lack authorization. The Subject’s sensitivity label must be equal to or greater than the object’s sensitivity label in order for the subject to have read access to it, no read up.

123
Q
Which of the following security modes of operation involved the highest risk?  
A. Compartmented Security Mode 
B. Multilevel Security Mode 
C. System-High Security Mode 
D. Dedicated Security Mode
A

Answer: B
Explanation: “Security Modes
In a secure environment, information systems are configured to process information in one of four security modes. These modes are set out by the Department of Defense as follows:
Systems running compartmental security mode may process two or more types of compartmented information. All system users must have an appropriate clearance to access all information processed by the system but do not necessarily have a need to know all of the information in the system. Compartments are subcategories or compartments within the different classification levels and extreme care is taken to preserve the information within the different compartments. The system may be classified at the Secret level but contain five different compartments, all classified Secret. If a user has only the need to know about two of the five different compartments to do their job, that user can access the system but can only access the two compartments. Compartmented systems are usually dedicated systems for each specific compartment to prevent the chance of any errors, because compartmentalization is the most secret of all the secrets.
Systems running in the dedicated security mode are authorized to process only a specific classification level at a time, and all system users must have clearance and a need to know that information.
Systems running in multilevel security mode are authorized to process information at more than one level of security even when all system users do not have appropriate clearances or a need to know for all information processed by the system.
Systems running in system-high security mode are authorized to process only information that all system users are cleared to read and to have a valid need to know. These systems are not trusted to maintain separation between security levels, and all information processed by these systems must be handled as if it were classified at the same level as the most highly classified information processed by the system.”
Pg. 234 Tittel: CISSP Study Guide

124
Q
Controlled Security Mode is also known as:  
A. Multilevel Security Mode 
B. Partitioned Security Mode 
C. Dedicated Security Mode 
D. System-high Security Mode
A

Answer: A
Reference: pg 264 Krutz: CISSP Prep Guide: Gold Edition

125
Q
The unauthorized mixing of data of one sensitivity level and need-to-know with data of a lower sensitivity level, or different need-to-know, is called data   
A. Contamination 
B. Seepage 
C. Aggregation 
D. Commingling
A

Answer: A
Explanation: WOW if you are reading these comments then you know I have disagreed with a bunch of the original answers! Well here is another. The original was Seepage. I think it is Contamination. “The intermixing of data at different sensitivity and need-to-know levels. The lower-level data is said to be contaminated by the higher-level data; thus contaminating (higher-level) data might not receive the required level of protection” -Ronald Krutz The CISSP PREP Guide (gold edition) pg 890

126
Q
Which one of the following should be employed to protect data against undetected corruption?   
A. Non-repudiation 
B. Encryption 
C. Authentication 
D. Integrity
A

Answer: D
Explanation:

127
Q
Which of the following is a communication path that is not protected by the system’s normal security mechanisms?  
A. A trusted path 
B. A protection domain 
C. A covert channel 
D. A maintenance hook
A

Answer: C
Explanation:

128
Q
A channel within a computer system or network that is designed for the authorized transfer of information is identified as a(n)?  
A. Covert channel 
B. Overt channel 
C. Opened channel 
D. Closed channel
A

Answer: B
Explanation: “An overt channel is a channel of communication that was developed specifically for communication purposes. Processes should be communicating through overt channels, not covert channels.” Pg 237 Shon Harris: All-In-One CISSP Certification Guide.

129
Q
Covert channel is a communication channel that can be used for: 
A. Hardening the system. 
B. Violating the security policy. 
C. Protecting the DMZ. 
D. Strengthening the security policy.
A

Answer: B
Explanation: Covert channel is a communication channel that allows transfer of information in a manner that violates the system’s security policy.

130
Q
What is an indirect way to transmit information with no explicit reading of confidential information?    
A. Covert channels 
B. Backdoor 
C. Timing channels 
D. Overt channels
A

Answer: A
Explanation: Covert channels: indirect ways for transmitting information with no explicit reading of confidential information. This kind of difficulties induced some researchers to re-think from scratch the whole problem of guaranteeing security in computer systems

131
Q

Which one of the following describes a covert timing channel?
A. Modulated to carry an unintended information signal that can only be detected by special, sensitive receivers.
B. Used by a supervisor to monitor the productivity of a user without their knowledge.
C. Provides the timing trigger to activate a malicious program disguised as a legitimate function.
D. Allows one process to signal information to another by modulating its own use of system resources.

A

Answer: D
Explanation: A covert channel in which one process signals information to another by modulating its own use of system resources (for example, CPU time) in such a way that this manipulation affects the real response time observed by the second process. - Shon Harris All-in-one CISSP Certification Guide pg 929

132
Q

Covert channel analysis is required for
A. Systems processing Top Secret or classified information.
B. A Trusted Computer Base with a level of trust B2 or above.
C. A system that can be monitored in a supervisor state. D. Systems that use exposed communication links.

A

Answer: B
Explanation: Table 6.6 Standards Comparison B2 Structured Protection (covert channel, device labels, subject sensitivity labels, trusted path, trusted facility management, configuration management) F4+E4 EAL5 - Roberta Bragg CISSP Certification Training Guide (que) pg 370

133
Q
In multi-processing systems, which one of the following lacks mandatory controls and is NORMALLY AVOIDED for communication?    
A. Storage channels 
B. Covert channels 
C. Timing channels 
D. Object channels
A

Answer: B
Explanation: Covert channel - A communication path that enables a process to transmit information in a way that violates the system’s security policy. - Shon Harris All-in-one CISSP Certification Guide pg 929

134
Q

What security risk does a covert channel create?
A. A process can signal information to another process.
B. It bypasses the reference monitor functions.
C. A user can send data to another user.
D. Data can be disclosed by inference.

A

Answer: B
Explanation: The risk is not that a process can signal another process. The risk is that the signaling bypasses the reference monitor functions (ie the communication is not screened by the security kernel that implements the reference monitor).

135
Q
What is the essential difference between a self-audit and an independent audit?  
A. Tools used 
B. Results 
C. Objectivity 
D. Competence
A

Answer: C
Explanation:

136
Q
What is called the formal acceptance of the adequacy of a system’s overall security by the management?  
A. Certification 
B. Acceptance 
C. Accreditation 
D. Evaluation
A

Answer: C
Explanation:

137
Q

FIPS-140 is a standard for the security of:
A. Cryptographic service providers
B. Smartcards
C. Hardware and software cryptographic modules
D. Hardware security modules

A

Answer: C
Explanation: