[Jan-2024] ISC SSCP Official Cert Guide PDF [Q256-Q274]


Exam SSCP: System Security Certified Practitioner (SSCP) - Pass4guide


The SSCP certification is an excellent choice for IT professionals who are looking to specialize in network and systems security. The program is designed to provide a comprehensive understanding of the key concepts and best practices in information security, and it is recognized globally as a valuable credential. System Security Certified Practitioner (SSCP) certification is ideal for professionals working in roles such as network security engineer, systems administrator, security analyst, and security consultant.


ISC SSCP (System Security Certified Practitioner) Exam is a professional certification exam offered by the International Information System Security Certification Consortium (ISC). SSCP exam aims to test the knowledge and skills of individuals in the area of system security. The SSCP certification is recognized globally and is considered an important credential for professionals working in the field of information security.

 

NEW QUESTION # 256
Which of the following choices describes challenge-response token generation?

  • A. A workstation or system that generates a random login id that the user enters when prompted along with the proper PIN.
  • B. The authentication mechanism in the workstation or system does not determine if the owner should be authenticated.
  • C. A special hardware device that is used to generate random text in a cryptography system.
  • D. A workstation or system that generates a random challenge string that the user enters into the token when prompted along with the proper PIN.

Answer: D

Explanation:
Section: Access Control
Explanation/Reference:
Challenge-response tokens are:
- A workstation or system generates a random challenge string and the owner enters the string into the token along with the proper PIN.
- The token generates a response that is then entered into the workstation or system.
- The authentication mechanism in the workstation or system then determines if the owner should be authenticated.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 37.
Also: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 4:
Access Control (pages 136-137).
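The three steps above as a small working protocol in Python. This is an added illustration, not code from the explanation or its cited sources; the token secret, the owner's PIN and the challenge strings are constructed values. The PIN only unlocks the token locally, and the response is an HMAC over the challenge, so a response captured during one login is useless against the next (fresh) challenge, which is the reason the challenge must be random.

```python
import hashlib
import hmac
import secrets

# Constructed values for this example: the secret provisioned into the token at
# enrollment (the server keeps a copy for verification) and the owner's PIN.
# A real hardware token keeps its secret in tamper-resistant storage.
TOKEN_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
OWNER_PIN = "4821"
RESPONSE_DIGITS = 8  # truncated so the response is short enough to type back in


def generate_challenge() -> str:
    """Step 1: the workstation generates a random challenge string and displays it."""
    return secrets.token_hex(8)


def expected_response(challenge: str, secret: bytes = TOKEN_SECRET) -> str:
    """Response = HMAC-SHA256(secret, challenge), truncated; both sides compute this."""
    mac = hmac.new(secret, challenge.encode(), hashlib.sha256).hexdigest()
    return mac[:RESPONSE_DIGITS]


def token_response(challenge: str, pin: str, owner_pin: str = OWNER_PIN):
    """Step 2: the owner keys the challenge and PIN into the token.
    The PIN only unlocks the token; a wrong PIN yields no response at all."""
    if not hmac.compare_digest(pin.encode(), owner_pin.encode()):
        return None
    return expected_response(challenge)


def server_accepts(challenge: str, response) -> bool:
    """Step 3: the authentication mechanism recomputes the response for the
    challenge it issued and decides whether the owner is authenticated."""
    if response is None:
        return False
    return hmac.compare_digest(expected_response(challenge), response)


if __name__ == "__main__":
    challenge = generate_challenge()
    print("challenge:", challenge)
    print("accepted:", server_accepts(challenge, token_response(challenge, OWNER_PIN)))
```

The server only ever stores the token secret and the challenge it issued; nothing reusable is typed over the keyboard, which is what distinguishes this from a static password.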


NEW QUESTION # 257
Which of the following statements pertaining to key management is incorrect?

  • A. Keys should be backed up or escrowed in case of emergencies.
  • B. A key's lifetime should correspond with the sensitivity of the data it is protecting.
  • C. When not using the full keyspace, the key should be extremely random.
  • D. The more a key is used, the shorter its lifetime should be.

Answer: C

Explanation:
Section: Cryptography
Explanation/Reference:
A key should always use the full keyspace and be extremely random. The other statements are correct.
Source: WALLHOFF, John, CBK#5 Cryptography (CISSP Study Guide), April 2002 (page 6).


NEW QUESTION # 258
Why is Network File System (NFS) used?

  • A. It enables two different types of file systems to interoperate.
  • B. It enables two different types of file systems to emulate each other.
  • C. It enables two different types of file systems to share Sun applications.
  • D. It enables two different types of file systems to use IP/IPX.

Answer: A

Explanation:
Explanation/Reference:
Network File System (NFS) is a TCP/IP client/server application developed by Sun that enables different types of file systems to interoperate regardless of operating system or network architecture.
Source: KRUTZ, Ronald L & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 88.


NEW QUESTION # 259
A virus is considered to be "in the ______ " if it has been reported as replicating and causing harm to computers.

  • A. Jungle
  • B. Cage
  • C. Zoo
  • D. Fire
  • E. Wild

Answer: E


NEW QUESTION # 260
The property of a system or a system resource being accessible and usable upon demand by an authorized system entity, according to performance specifications for the system is referred to as?

  • A. Reliability
  • B. Availability
  • C. Integrity
  • D. Confidentiality

Answer: B

Explanation:
Section: Security Operation Administration
Explanation/Reference:
A company security program must:
1) assure that systems and applications operate effectively and provide appropriate confidentiality, integrity, and availability;
2) protect information commensurate with the level of risk and magnitude of harm resulting from loss, misuse, unauthorized access, or modification.
Availability is the property of a system or a system resource being accessible and usable upon demand by an authorized system entity, according to performance specifications for the system; i.e., a system is available if it provides services according to the system design whenever users request them.
The following are incorrect answers:
Confidentiality - The information requires protection from unauthorized disclosure and only the INTENDED recipient should have access to the meaning of the data either in storage or in transit.
Integrity - The information must be protected from unauthorized, unanticipated, or unintentional modification.
This includes, but is not limited to:
Authenticity - A third party must be able to verify that the content of a message has not been changed in transit.
Non-repudiation - The origin or the receipt of a specific message must be verifiable by a third party.
Accountability - A security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.
Reference used for this question:
RFC 2828
and
SWANSON, Marianne, NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems, November 2001 (page 5).


NEW QUESTION # 261
How are memory cards and smart cards different?

  • A. Memory cards have no processing power
  • B. Smart cards provide a two-factor authentication whereas memory cards don't
  • C. Only smart cards can be used for ATM cards
  • D. Memory cards normally hold more memory than smart cards

Answer: A

Explanation:
Explanation/Reference:
The main difference between memory cards and smart cards is their capacity to process information. A memory card holds information but cannot process information. A smart card holds information and has the necessary hardware and software to actually process that information.
A memory card holds a user's authentication information, so that this user needs only type in a user ID or PIN and presents the memory card to the system. If the entered information and the stored information match and are approved by an authentication service, the user is successfully authenticated.
A common example of a memory card is a swipe card used to provide entry to a building. The user enters a PIN and swipes the memory card through a card reader. If this is the correct combination, the reader flashes green and the individual can open the door and enter the building.
Memory cards can also be used with computers, but they require a reader to process the information. The reader adds cost to the process, especially when one is needed for every computer. Additionally, the overhead of PIN and card generation adds additional overhead and complexity to the whole authentication process. However, a memory card provides a more secure authentication method than using only a password because the attacker would need to obtain the card and know the correct PIN.
Administrators and management need to weigh the costs and benefits of a memory card implementation as well as the security needs of the organization to determine if it is the right authentication mechanism for their environment.
One of the most prevalent weaknesses of memory cards is that data stored on the card are not protected.
Unencrypted data on the card (or stored on the magnetic strip) can be extracted or copied. Unlike a smart card, where security controls and logic are embedded in the integrated circuit, memory cards do not employ an inherent mechanism to protect the data from exposure.
Very little trust can be associated with confidentiality and integrity of information on the memory cards.
The following answers are incorrect:
"Smart cards provide two-factor authentication whereas memory cards don't" is incorrect. This is not necessarily true. A memory card can be combined with a PIN or password to offer two-factor authentication, where something you have and something you know are the two factors.
"Memory cards normally hold more memory than smart cards" is incorrect. While a memory card may or may not have more memory than a smart card, this is certainly not the best answer to the question.
"Only smart cards can be used for ATM cards" is incorrect. This depends on the decisions made by the particular institution and is not the best answer to the question.
Reference(s) used for this question:
Shon Harris, CISSP All In One, 6th edition, Access Control, Page 199; for people using the Kindle edition of the book you can look at Locations 4647-4650.
Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition : Access Control ((ISC)2 Press) (Kindle Locations 2124-2139). Auerbach Publications. Kindle Edition.


NEW QUESTION # 262
Whose role is it to assign classification level to information?

  • A. Security Administrator
  • B. Auditor
  • C. User
  • D. Owner

Answer: D

Explanation:
The Data/Information Owner is ultimately responsible for the protection of the data. It is the Data/Information Owner who decides upon the classification of the data they are responsible for.
The data owner decides upon the classification of the data he is responsible for and alters that classification if the business need arises.
The following answers are incorrect:
Security Administrator. Is incorrect because this individual is responsible for ensuring that the access rights granted are correct and support the policies and directives that the Data/Information Owner defines.
User. Is incorrect because the user uses/accesses the data according to how the Data/Information Owner defined their access.
Auditor. Is incorrect because the Auditor is responsible for ensuring that the access levels are appropriate. The Auditor would verify that the Owner classified the data properly.
References:
CISSP All In One Third Edition, Shon Harris, Page 121


NEW QUESTION # 263
What is the appropriate role of the security analyst in the application system development or acquisition project?

  • A. policeman
  • B. control evaluator & consultant
  • C. data owner
  • D. application user

Answer: B

Explanation:
Section: Security Operation Administration
Explanation/Reference:
The correct answer is "control evaluator & consultant". During any system development or acquisition, the security staff should evaluate security controls and advise (or consult) on the strengths and weaknesses with those responsible for making the final decisions on the project.
The other answers are not correct because:
policeman - It is never a good idea for the security staff to be placed into this type of role (though it is sometimes unavoidable). During system development or acquisition, there should be no need of anyone filling the role of policeman.
data owner - In this case, the data owner would be the person asking for the new system to manage, control, and secure information they are responsible for. While it is possible the security staff could also be the data owner for such a project if they happen to have responsibility for the information, it is also possible someone else would fill this role. Therefore, the best answer remains "control evaluator & consultant".
application user - Again, it is possible this could be the security staff, but it could also be many other people or groups. So this is not the best answer.
Reference:
Official ISC2 Guide page: 555 - 560
All in One Third Edition page: 832 - 846


NEW QUESTION # 264
Complete the blanks. When using PKI, I digitally sign a message using my ______ key. The recipient verifies my signature using my ______ key.

  • A. Private / Symmetric
  • B. Symmetric / Asymmetric
  • C. Public / Private
  • D. Private / Public

Answer: D

Explanation:
When we encrypt a message using our private key, which is available only to us, anyone who wants to read and decrypt it needs only our public key to do so.
The whole point of PKI is to assure message integrity, authentication of the source, and to provide secrecy with digital encryption.
See below a nice walkthrough of digital signature creation and verification from the Comodo web site:
Digital Signatures apply the same functionality to an e-mail message or data file that a handwritten signature does for a paper-based document. The Digital Signature vouches for the origin and integrity of a message, document or other data file.
How do we create a Digital Signature?
The creation of a Digital Signature is a complex mathematical process. However, as the complexities of the process are computed by the computer, applying a Digital Signature is no more difficult than creating a handwritten one!
The following text illustrates in general terms the processes behind the generation of a Digital Signature:
1. Alice clicks 'sign' in her email application or selects which file is to be signed.
2. Alice's computer calculates the 'hash' (the message is applied to a publicly known mathematical hashing function that converts the message into a long number referred to as the hash).
3. The hash is encrypted with Alice's Private Key (in this case it is known as the Signing Key) to create the Digital Signature.
4. The original message and its Digital Signature are transmitted to Bob.
5. Bob receives the signed message. It is identified as being signed, so his email application knows which actions need to be performed to verify it.
6. Bob's computer decrypts the Digital Signature using Alice's Public Key.
7. Bob's computer also calculates the hash of the original message (remember - the mathematical function used by Alice to do this is publicly known).
8. Bob's computer compares the hash it has computed from the received message with the now decrypted hash received with Alice's message.
[Figure: digital signature creation and verification]

If the message has remained integral during its transit (i.e. it has not been tampered with), the two hashes will be identical when compared.
However, if the two hashes differ when compared, then the integrity of the original message has been compromised. If the original message is tampered with, Bob's computer will calculate a different hash value. If a different hash value is created, then the original message has been altered. As a result the verification of the Digital Signature will fail and Bob will be informed.
Origin, Integrity, Non-Repudiation, and Preventing Man-In-The-Middle (MITM) attacks
Eve, who wants to impersonate Alice, cannot generate the same signature as Alice because she does not have Alice's Private Key (needed to sign the message digest). If instead Eve decides to alter the content of the message while in transit, the tampered message will create a different message digest from the original message, and Bob's computer will be able to detect that. Additionally, Alice cannot deny sending the message as it has been signed using her Private Key, thus ensuring non-repudiation.
[Figure: creating and validating a digital signature]

Due to the recent Global adoption of Digital Signature law, Alice may now sign a transaction, message or piece of digital data, and so long as it is verified successfully it is a legally permissible means of proof that Alice has made the transaction or written the message.
The following answers are incorrect:
-Public / Private: This is the opposite of the right answer.
-Symmetric / Asymmetric: Not quite. Sorry. This form of crypto is asymmetric so you were almost on target.
-Private / Symmetric: Well, you got half of it right but Symmetric is wrong.
The following reference(s) were used to create this question:
The CCCure Holistic Security+ CBT, you can subscribe at: http://www.cccure.tv
and
http://www.comodo.com/resources/small-business/digital-certificates3.php


NEW QUESTION # 265
Logical or technical controls involve the restriction of access to systems and the protection of information.
Which of the following statements pertaining to these types of controls is correct?

  • A. Examples of these types of controls do not include encryption, smart cards, access lists, and transmission protocols.
  • B. Examples of these types of controls are encryption, smart cards, access lists, and transmission protocols.
  • C. Examples of these types of controls include policies and procedures, security awareness training, background checks, work habit checks but do not include a review of vacation history, and also do not include increased supervision.
  • D. Examples of these types of controls include policies and procedures, security awareness training, background checks, work habit checks, a review of vacation history, and increased supervision.

Answer: B

Explanation:
Section: Access Control
Explanation/Reference:
Logical or technical controls involve the restriction of access to systems and the protection of information.
Examples of these types of controls are encryption, smart cards, access lists, and transmission protocols.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33.


NEW QUESTION # 266
A Packet Filtering Firewall system is considered a:

  • A. second generation firewall.
  • B. first generation firewall.
  • C. third generation firewall.
  • D. fourth generation firewall.

Answer: B

Explanation:
Section: Network and Telecommunications
Explanation/Reference:
The first type of firewall was the packet filtering firewall. It is the most basic firewall, making access decisions based on ACLs. It filters traffic based on source IP and port as well as destination IP and port. It does not understand the context of the communication and inspects every single packet one by one without understanding the context of the connection.
"Second generation firewall" is incorrect. The second generation of firewalls were proxy-based firewalls. Under proxy-based firewalls you have the Application-Level Proxy and also the Circuit-Level Proxy firewall. The application-level proxy is very smart and understands the inner structure of the protocol itself. The Circuit-Level Proxy is a generic proxy that allows you to proxy protocols for which you do not have an Application-Level Proxy. This is better than allowing a direct connection to the net. Today a great example of this would be the SOCKS protocol.
"Third generation firewall" is incorrect. The third generation firewall is the Stateful Inspection firewall. This type of firewall makes use of a state table to maintain the context of connections being established.
"Fourth generation firewall" is incorrect. The fourth generation firewall is the dynamic packet filtering firewall.
References:
CBK, p. 464
AIO3, pp. 482 - 484
Neither CBK nor AIO3 uses the generation terminology for firewall types, but you will encounter it frequently as a practicing security professional. See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/centri4/user/scf4ch3.htm for a general discussion of the different generations.
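The difference between a first-generation packet filter and a third-generation stateful inspection firewall, shown as an added Python example (not code from the explanation or the references). The ACL, the internal network 10.0.0.0/24 and the packet headers are constructed. Because a packet filter sees only header fields, the only way it can let replies back in is a rule such as "anything from source port 443", so an unsolicited inbound packet that merely claims source port 443 is also permitted; the stateful version accepts inbound traffic only when it answers a connection already recorded in its state table.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source network in CIDR form
    sport: Optional[int]   # None matches any port
    dst: str
    dport: Optional[int]


INSIDE = ip_network("10.0.0.0/24")  # constructed internal network

# Constructed ACL in the style of a first-generation packet filter: let inside hosts
# reach HTTPS anywhere, and let "replies" back in. Without connection state, the
# only way to express the reply rule is "anything from source port 443".
ACL = [
    Rule("permit", "tcp", "10.0.0.0/24", None, "0.0.0.0/0", 443),
    Rule("permit", "tcp", "0.0.0.0/0", 443, "10.0.0.0/24", None),
    Rule("deny", "any", "0.0.0.0/0", None, "0.0.0.0/0", None),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    return (
        rule.proto in ("any", pkt.proto)
        and ip_address(pkt.src) in ip_network(rule.src)
        and ip_address(pkt.dst) in ip_network(rule.dst)
        and rule.sport in (None, pkt.sport)
        and rule.dport in (None, pkt.dport)
    )


def packet_filter(pkt: Packet, acl=ACL) -> str:
    """First generation: every packet is judged on its own header fields, top-down."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"


def stateful_filter(pkt: Packet, state: set, acl=ACL) -> str:
    """Third generation: a permitted outbound packet records its connection in a state
    table; inbound packets are accepted only when they answer a recorded connection."""
    if ip_address(pkt.src) in INSIDE:
        verdict = packet_filter(pkt, acl)
        if verdict == "permit":
            state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return verdict
    reply_of = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
    return "permit" if reply_of in state else "deny"


def run_stateful(packets, acl=ACL):
    """Feed a packet sequence through the stateful filter with a fresh state table."""
    state = set()
    return [stateful_filter(p, state, acl) for p in packets]


if __name__ == "__main__":
    unsolicited = Packet("tcp", "198.51.100.9", 443, "10.0.0.7", 22)
    print("packet filter :", packet_filter(unsolicited))
    print("stateful      :", run_stateful([unsolicited]))
```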


NEW QUESTION # 267
Which of the following statements pertaining to biometrics is FALSE?

  • A. User can be authenticated based on unique physical attributes.
  • B. A biometric system's accuracy is determined by its crossover error rate (CER).
  • C. User can be authenticated based on behavior.
  • D. User can be authenticated by what he knows.

Answer: D

Explanation:
Explanation/Reference:
As this is not a characteristic of biometrics, this is the right choice for this question. This is one of the three basic ways authentication can be performed and it is not related to biometrics. An example of something you know would be a password or PIN.
Please make a note of the negative 'FALSE' within the question. This question may seem tricky to some of you but you would be amazed at how many people cannot deal with negative questions. There will be a few negative questions within the real exam, just like this one the keyword NOT or FALSE will be in Uppercase to clearly indicate that it is negative.
Biometrics verifies an individual's identity by analyzing a unique personal attribute or behavior, which is one of the most effective and accurate methods of performing authentication (one to one matching) or identification (a one to many matching).
A biometric system scans an attribute or behavior of a person and compares it to a template stored within an authentication server database; such a template would be created in an earlier enrollment process.
Because this system inspects the grooves of a person's fingerprint, the pattern of someone's retina, or the pitches of someone's voice, it has to be extremely sensitive.
The system must perform accurate and repeatable measurements of anatomical or physiological characteristics. This type of sensitivity can easily cause false positives or false negatives. The system must be calibrated so that these false positives and false negatives occur infrequently and the results are as accurate as possible.
There are two types of failures in biometric identification:
False Rejection, also called False Rejection Rate (FRR) - The system fails to recognize a legitimate user.
While it could be argued that this has the effect of keeping the protected area extra secure, it is an intolerable frustration to legitimate users who are refused access because the scanner does not recognize them.
False Acceptance or False Acceptance Rate (FAR) - This is an erroneous recognition, either by confusing one user with another or by accepting an imposter as a legitimate user.
Physiological Examples:
Unique Physical Attributes:
Fingerprint (Most commonly accepted)
Hand Geometry
Retina Scan (Most accurate but most intrusive)
Iris Scan
Vascular Scan
Behavioral Examples:
Repeated Actions
Keystroke Dynamics
(Dwell time: the time a key is pressed; flight time: the time between "key up" and the next "key down")
Signature Dynamics
(Stroke and pressure points)
EXAM TIP:
Retina scan devices are the most accurate but also the most invasive biometrics system available today.
The continuity of the retinal pattern throughout life and the difficulty in fooling such a device also make it a great long-term, high-security option. Unfortunately, the cost of the proprietary hardware as well the stigma of users thinking it is potentially harmful to the eye makes retinal scanning a bad fit for most situations.
Remember for the exam that fingerprints are the most commonly accepted type of biometrics system.
The other answers are incorrect:
'Users can be authenticated based on behavior.' is incorrect as this choice is TRUE as it pertains to BIOMETRICS.
Biometric systems make use of unique physical characteristics or behavior of users.
'User can be authenticated based on unique physical attributes.' is also incorrect as this choice is also TRUE as it pertains to BIOMETRICS. Biometric systems make use of unique physical characteristics or behavior of users.
'A biometric system's accuracy is determined by its crossover error rate (CER)' is also incorrect as this is TRUE as it also pertains to BIOMETRICS. The CER is the point at which the false rejection rates and the false acceptance rates are equal. The smaller the value of the CER, the more accurate the system.
Reference(s) used for this question:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 25353-25356). Auerbach Publications. Kindle Edition.
and
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 25297-25303). Auerbach Publications. Kindle Edition.
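How FRR, FAR and the crossover error rate (CER) relate to the acceptance threshold, as an added Python example (not from the explanation or its references). The match scores are constructed: each genuine score is a legitimate user matched against their own template, each impostor score is a different person matched against that template. Raising the threshold drives FAR down and FRR up; the CER is the point where the two curves meet, and the lower it is, the more accurate the system.

```python
# Constructed match scores (0-100) from an enrolment trial: each genuine score is a
# legitimate user against their own template, each impostor score is someone else
# against that template. Real systems collect thousands of each; the method is the same.
GENUINE = [95, 90, 88, 85, 80, 72, 65, 60, 55, 40]
IMPOSTOR = [70, 62, 58, 50, 45, 38, 30, 25, 20, 10]


def error_rates(threshold: int, genuine=GENUINE, impostor=IMPOSTOR):
    """A score at or above the threshold is accepted. FRR counts legitimate users
    rejected; FAR counts impostors accepted. Returns (FAR, FRR)."""
    frr = sum(score < threshold for score in genuine) / len(genuine)
    far = sum(score >= threshold for score in impostor) / len(impostor)
    return far, frr


def crossover(genuine=GENUINE, impostor=IMPOSTOR) -> dict:
    """Sweep every threshold and find where FAR and FRR meet: the crossover error
    rate (CER). The first threshold with the smallest FAR/FRR gap is reported."""
    best = None
    for threshold in range(0, 101):
        far, frr = error_rates(threshold, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best["gap"]:
            best = {"gap": gap, "threshold": threshold, "far": far, "frr": frr,
                    "cer": (far + frr) / 2}
    return best


if __name__ == "__main__":
    for t in (30, 59, 80):
        far, frr = error_rates(t)
        print(f"threshold {t:3d}: FAR={far:.1f} FRR={frr:.1f}")
    print("crossover:", crossover())
```

A deployment that must keep impostors out (a server room) would pick a threshold above the CER and accept more false rejections; one where user frustration matters more (a cafeteria turnstile) would pick one below it.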


NEW QUESTION # 268
The Diffie-Hellman algorithm is primarily used to provide which of the following?

  • A. Key Agreement
  • B. Integrity
  • C. Confidentiality
  • D. Non-repudiation

Answer: A

Explanation:
Section: Cryptography
Explanation/Reference:
Diffie and Hellman describe a means for two parties to agree upon a shared secret in such a way that the secret will be unavailable to eavesdroppers. This secret may then be converted into cryptographic keying material for other (symmetric) algorithms. A large number of minor variants of this process exist. See RFC 2631, Diffie-Hellman Key Agreement Method, for more details.
In 1976, Diffie and Hellman were the first to introduce the notion of public key cryptography, requiring a system allowing the exchange of secret keys over non-secure channels. The Diffie-Hellman algorithm is used for key exchange between two parties communicating with each other; it cannot be used for encrypting and decrypting messages, or for digital signatures.
Diffie and Hellman sought to address the issue of having to exchange keys via courier and other unsecure means. Their effort was the FIRST asymmetric key agreement algorithm. Since the Diffie-Hellman algorithm cannot be used for encrypting and decrypting, it cannot provide confidentiality or integrity. This algorithm also does not provide digital signature functionality, and thus non-repudiation is not a choice.
NOTE: The DH algorithm is susceptible to man-in-the-middle attacks.
KEY AGREEMENT VERSUS KEY EXCHANGE
A key exchange can be done multiple ways. It can be done in person, or I can generate a key and then encrypt it with your public key to get it securely to you. A key agreement protocol is done over a public medium such as the internet, using a mathematical formula to come out with a common value on both sides of the communication link, without the enemy being able to know what the common agreement is.
The following answers were incorrect:
All of the other choices were not correct choices
Reference(s) used for this question:
Shon Harris, CISSP All In One (AIO), 6th edition . Chapter 7, Cryptography, Page 812.
http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
http://www.google.com/patents?vid=4200770
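The key agreement itself, as an added Python example (not from the explanation or its references): each side keeps a private exponent, publishes only g^x mod p, and both arrive at the same g^(ab) mod p, which is then turned into symmetric keying material with a hash, as the explanation describes. The group parameters are a constructed toy set: p = 2**127 - 1 is prime but far too small for real use, and g = 3 is not a verified generator of a large subgroup; deployed systems use the RFC 3526 / RFC 7919 MODP groups or elliptic-curve Diffie-Hellman. The public-value check rejects the degenerate values 0, 1 and p-1 that an implementation should never accept from a peer.

```python
import hashlib
import secrets

# Toy group constructed for this example (see the lead-in); not for real use.
P = 2**127 - 1
G = 3


def keypair():
    """Each side picks a private exponent x and publishes g^x mod p."""
    private = secrets.randbelow(P - 2) + 1        # 1 <= x <= p-2
    return private, pow(G, private, P)


def check_public_value(y: int) -> int:
    """Reject degenerate public values (0, 1, p-1) before using them."""
    if not 1 < y < P - 1:
        raise ValueError("invalid Diffie-Hellman public value")
    return y


def shared_secret(my_private: int, their_public: int) -> int:
    """(g^b)^a = (g^a)^b = g^(ab) mod p: the same number on both sides."""
    return pow(check_public_value(their_public), my_private, P)


def derive_key(secret: int, label: bytes = b"example session key") -> bytes:
    """The agreed number is converted into keying material for a symmetric cipher."""
    return hashlib.sha256(label + secret.to_bytes(16, "big")).digest()


def agree():
    """Run the full exchange; only alice_pub and bob_pub would cross the network."""
    alice_priv, alice_pub = keypair()
    bob_priv, bob_pub = keypair()
    key_alice = derive_key(shared_secret(alice_priv, bob_pub))
    key_bob = derive_key(shared_secret(bob_priv, alice_pub))
    return key_alice, key_bob


def keys_match() -> bool:
    """True when both sides derived the same 256-bit key from the exchange."""
    key_alice, key_bob = agree()
    return key_alice == key_bob and len(key_alice) == 32


if __name__ == "__main__":
    print("both sides agree:", keys_match())
```

Nothing in the exchange proves who sent alice_pub or bob_pub, which is the man-in-the-middle weakness the NOTE above refers to; in practice the public values are authenticated by signatures or certificates (as in TLS), which is why Diffie-Hellman by itself provides key agreement and nothing else.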


NEW QUESTION # 269
What is used to bind a document to its creation at a particular time?

  • A. Network Time Protocol (NTP)
  • B. Certification Authority (CA)
  • C. Digital Signature
  • D. Digital Timestamp

Answer: D

Explanation:
While a digital signature binds a document to the possessor of a particular key, a digital timestamp binds a document to its creation at a particular time.
Trusted timestamping is the process of securely keeping track of the creation and modification time of a document. Security here means that no one - not even the owner of the document - should be able to change it once it has been recorded provided that the timestamper's integrity is never compromised.
The administrative aspect involves setting up a publicly available, trusted timestamp management infrastructure to collect, process and renew timestamps or to make use of a commercially available time stamping service.
A modern example of using a Digital Timestamp is the case of an industrial research organization that may later need to prove, for patent purposes, that they made a particular discovery on a particular date; since magnetic media can be altered easily, this may be a nontrivial issue. One possible solution is for a researcher to compute and record in a hardcopy laboratory notebook a cryptographic hash of the relevant data file. In the future, should there be a need to prove the version of this file retrieved from a backup tape has not been altered, the hash function could be recomputed and compared with the hash value recorded in that paper notebook.
According to the RFC 3161 standard, a trusted timestamp is a timestamp issued by a trusted third party (TTP) acting as a Time Stamping Authority (TSA). It is used to prove the existence of certain data before a certain point (e.g. contracts, research data, medical records,...) without the possibility that the owner can backdate the timestamps. Multiple TSAs can be used to increase reliability and reduce vulnerability.
The newer ANSI ASC X9.95 Standard for trusted timestamps augments the RFC 3161 standard with data-level security requirements to ensure data integrity against a reliable time source that is provable to any third party. This standard has been applied to authenticating digitally signed data for regulatory compliance, financial transactions, and legal evidence.

[Figure: Digital Timestamp]
The following are incorrect answers:
Network Time Protocol (NTP) is used to achieve high accuracy time synchronization for computers across a network.
A Certification Authority (CA) is the entity responsible for the issuance of digital certificates.
A Digital Signature provides integrity and authentication but does not bind a document to a specific time it was created.
Reference used for this question:
http://en.m.wikipedia.org/wiki/File:Trusted_timestamping.gif
and
http://en.wikipedia.org/wiki/Trusted_timestamping
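An added Python example (not from either question's explanation or references) that carries the eight signing and verification steps of question 264 through in code and then builds the RFC 3161-style trusted timestamp of question 269 on top of them. The key pairs are textbook RSA with small constructed primes so the numbers stay readable; real signatures use 2048-bit or larger keys and a padding scheme such as RSASSA-PSS, but the flow (hash, sign with the private key, verify with the public key) is identical. For the timestamp, the requester sends only the hash of the document, and the TSA returns the hash, the time it saw it, and its own signature over both; anyone can later recompute the hash and check the TSA's signature, and the owner cannot backdate the token because changing the time invalidates that signature.

```python
import hashlib


def make_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA with toy primes, constructed for this example only (see lead-in)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (e, n), (d, n)  # (public key, private / signing key)


ALICE_PUBLIC, ALICE_PRIVATE = make_keypair(104729, 1299709)
TSA_PUBLIC, TSA_PRIVATE = make_keypair(999983, 1000003)


def digest(data: bytes, n: int) -> int:
    """Step 2: apply the publicly known hash function. The result is reduced mod n
    only because the toy modulus is far smaller than a SHA-256 output."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, private_key) -> int:
    """Step 3: the hash is 'encrypted' with the signer's private (signing) key."""
    d, n = private_key
    return pow(digest(data, n), d, n)


def verify(data: bytes, signature: int, public_key) -> bool:
    """Steps 6-8: 'decrypt' the signature with the public key, recompute the hash of
    the received data, and compare the two."""
    e, n = public_key
    return pow(signature, e, n) == digest(data, n)


# Trusted timestamping in the RFC 3161 style: the TSA signs (document hash, time).
def tsa_issue(doc_hash: bytes, now: int, tsa_private=TSA_PRIVATE) -> dict:
    body = doc_hash + now.to_bytes(8, "big")
    return {"hash": doc_hash, "time": now, "sig": sign(body, tsa_private)}


def timestamp_document(document: bytes, now: int) -> dict:
    """The requester hashes locally; the document itself never leaves the owner."""
    return tsa_issue(hashlib.sha256(document).digest(), now)


def verify_timestamp(document: bytes, token: dict, tsa_public=TSA_PUBLIC) -> bool:
    """Any third party can check later that the document still hashes to the value
    the TSA signed and that the TSA's signature over (hash, time) is valid."""
    if hashlib.sha256(document).digest() != token["hash"]:
        return False
    body = token["hash"] + token["time"].to_bytes(8, "big")
    return verify(body, token["sig"], tsa_public)


if __name__ == "__main__":
    message = b"Pay Bob 10 EUR"
    sig = sign(message, ALICE_PRIVATE)
    print("Alice's signature verifies:", verify(message, sig, ALICE_PUBLIC))
    print("tampered message verifies :", verify(b"Pay Bob 100 EUR", sig, ALICE_PUBLIC))
    token = timestamp_document(b"lab notebook v1", 1700000000)
    print("timestamp verifies        :", verify_timestamp(b"lab notebook v1", token))
```

The same verify() serves both uses: Bob checks Alice's signature with Alice's public key, and a patent examiner checks the TSA's signature with the TSA's public key, which is the "provable to any third party" property the explanation attributes to trusted timestamps.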


NEW QUESTION # 270
Which of the following is not a logical control when implementing logical access security?

  • A. userids.
  • B. passwords.
  • C. access profiles.
  • D. employee badges.

Answer: D

Explanation:
Explanation/Reference:
Employee badges are considered Physical so would not be a logical control.
The following answers are incorrect:
userids. Is incorrect because userids are a type of logical control.
access profiles. Is incorrect because access profiles are a type of logical control.
passwords. Is incorrect because passwords are a type of logical control.


NEW QUESTION # 271
Which of the following is NOT a technical control?

  • A. Intrusion Detection Systems
  • B. Monitoring for physical intrusion
  • C. Password and resource management
  • D. Identification and authentication methods

Answer: B

Explanation:
It is considered to be a 'Physical Control'.
There are three broad categories of access control: administrative, technical, and physical. Each category has different access control mechanisms that can be carried out manually or automatically. All of these access control mechanisms should work in concert with each other to protect an infrastructure and its data.
Each category of access control has several components that fall within it; a partial list is shown here. Not all controls fall into a single category: many controls will be in two or more categories. Below you have an example with backups, which appear in all three categories:
Administrative Controls:
- Policy and procedures (a backup policy would be in place)
- Personnel controls
- Supervisory structure
- Security-awareness training
- Testing
Physical Controls:
- Network segregation
- Perimeter security
- Computer controls
- Work area separation
- Data backups (actual storage of the media, i.e. an offsite storage facility)
- Cabling
Technical Controls:
- System access
- Network architecture
- Network access
- Encryption and protocols
- Control zone
- Auditing
- Backup (the actual software doing the backups)
The following answers are incorrect :
Password and resource management is considered to be a logical or technical control.
Identification and authentication methods is considered to be a logical or technical control.
Intrusion Detection Systems is considered to be a logical or technical control.
Reference: Shon Harris, AIO v3, Chapter 4: Access Control, Pages 180-185


NEW QUESTION # 272
Which of the following would be used to implement Mandatory Access Control (MAC)?

  • A. Role-based access control
  • B. User dictated access control
  • C. Lattice-based access control
  • D. Clark-Wilson Access Control

Answer: C

Explanation:
Explanation/Reference:
The lattice is a mechanism used to implement Mandatory Access Control (MAC). Under Mandatory Access Control (MAC) you have:
Mandatory Access Control
Under Non Discretionary Access Control (NDAC) you have:
Rule-Based Access Control
Role-Based Access Control
Under Discretionary Access Control (DAC) you have:
Discretionary Access Control
Lattice Based Access Control is a type of access control used to implement other access control methods. A lattice is an ordered list of elements that has a least upper bound and a greatest lower bound.
The lattice can be used for MAC, DAC, integrity levels, file permissions, and more. For example, in the case of MAC, if we look at common government classifications, we have the following:
TOP SECRET
SECRET -----------------------I am the user at secret
CONFIDENTIAL
SENSITIVE BUT UNCLASSIFIED
UNCLASSIFIED
If you look at the diagram above, where I am a user at SECRET, it means that I can access documents at lower classifications but not documents at TOP SECRET. The lattice is a list of ORDERED ELEMENTS; in this case the ordered elements are classification levels. My least upper bound is SECRET and my greatest lower bound is UNCLASSIFIED.
However, the lattice could also be used for integrity levels such as:
VERY HIGH
HIGH
MEDIUM ----------I am a user, process, application at the medium level
LOW
VERY LOW
In the case of integrity levels you have to think about TRUST. For example, if I take the VISTA operating system, which is based on Biba, then integrity levels would be used. As a user having access to the system, I cannot tell a process running with administrative privilege what to do; otherwise any user on the system could take control of the system by getting a highly privileged process to do things on their behalf. So no read down would be allowed in this case, and this is an example of the Biba model.
Last but not least, the lattice could be used for file permissions:
RWX
RW ---------User at this level
R
If I am a user with READ and WRITE (RW) access privilege then I cannot execute the file, because I do not have the execute permission, which is the X under Linux and UNIX.
Many people confuse the lattice model, and many books say MAC = LATTICE; however, the lattice can be used for other purposes.
There is also Role Based Access Control (RBAC) that exists out there. It COULD be used to simulate MAC, but it is not MAC, as it does not make use of labels on objects indicating sensitivity and categories.
MAC also requires a clearance that dominates the object.
You can get more info about RBAC at: http://csrc.nist.gov/groups/SNS/rbac/faq.html#03
Also note that many books use the same acronym, RBAC, for both Role Based Access Control and Rule Based Access Control, which can be confusing.
The proper way of writing the acronym for Rule Based Access Control is RuBAC; unfortunately it is not commonly used.
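The dominance check described above, as an added example that is not from the exam guide or any of the referenced books: the classification levels and integrity levels quoted in the explanation are placed in ordered lattices, labels carry categories as well as a level, and the confidentiality rule (the clearance must dominate the object, so no read up) is shown beside the Biba integrity rule (no read down). The compartment names NUCLEAR and CRYPTO are constructed sample values.

```python
from dataclasses import dataclass, field

# Ordered list of elements: index 0 is the greatest lower bound of the
# lattice (UNCLASSIFIED), the last entry its least upper bound (TOP SECRET).
CONF_LEVELS = ["UNCLASSIFIED", "SENSITIVE BUT UNCLASSIFIED",
               "CONFIDENTIAL", "SECRET", "TOP SECRET"]
# Biba integrity levels, ordered from lowest trust to highest.
INTEG_LEVELS = ["VERY LOW", "LOW", "MEDIUM", "HIGH", "VERY HIGH"]


@dataclass(frozen=True)
class Label:
    """A MAC label: a sensitivity level plus a set of categories (compartments)."""
    level: str
    categories: frozenset = field(default_factory=frozenset)


def dominates(a: Label, b: Label, order: list) -> bool:
    """True if label a dominates label b in the given lattice: a's level is
    at least b's level AND a's categories are a superset of b's."""
    return (order.index(a.level) >= order.index(b.level)
            and a.categories >= b.categories)


def mac_can_read(clearance: Label, obj: Label) -> bool:
    """Confidentiality (Bell-LaPadula simple security): no read up.
    The subject's clearance must dominate the object's label."""
    return dominates(clearance, obj, CONF_LEVELS)


def biba_can_read(subject: Label, obj: Label) -> bool:
    """Integrity (Biba simple integrity): no read down.
    The object's integrity level must dominate the subject's."""
    return dominates(obj, subject, INTEG_LEVELS)


if __name__ == "__main__":
    # Constructed sample: a user cleared SECRET for the NUCLEAR compartment.
    user = Label("SECRET", frozenset({"NUCLEAR"}))
    print(mac_can_read(user, Label("CONFIDENTIAL")))                   # True, read down
    print(mac_can_read(user, Label("TOP SECRET")))                     # False, read up
    print(mac_can_read(user, Label("SECRET", frozenset({"CRYPTO"}))))  # False, category missing
    # Biba: a MEDIUM-integrity process may read HIGH data but not LOW data.
    proc = Label("MEDIUM")
    print(biba_can_read(proc, Label("HIGH")), biba_can_read(proc, Label("LOW")))
```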
References:
There is a great article on technet that talks about the lattice in VISTA:
http://blogs.technet.com/b/steriley/archive/2006/07/21/442870.aspx
also see:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 33).
and
http://www.microsoft-watch.com/content/vista/gaging_vistas_integrity.html


NEW QUESTION # 273
Which of the following statements pertaining to IPSec is incorrect?

  • A. IPSec protects against man-in-the-middle attacks.
  • B. IPSec provides confidentiality and integrity to information transferred over IP networks through transport layer encryption and authentication.
  • C. IPSec can help in protecting networks from some of the IP network attacks.
  • D. IPSec protects against spoofing.

Answer: B

Explanation:
Explanation/Reference:
IPSec provides confidentiality and integrity to information transferred over IP networks through network (not transport) layer encryption and authentication. All other statements are correct.
Source: TIPTON, Harold F & KRAUSE, Micki, Information Security Management Handbook, 4th edition (volume 1), 2000, CRC Press, Chapter 6, Extranet Access Control Issues (page 110).


NEW QUESTION # 274
......


Duration of Time

The total time available for the SSCP exam is 03 Hours, within which candidates have to attempt all the given questions.


Free SSCP Exam Dumps to Improve Exam Score: https://prepcram.pass4guide.com/SSCP-dumps-questions.html