CCCure Flashcards
Which backup method usually resets the archive bit on the files after they have been backed up?
Incremental
Government agencies create standards, which are usually applied to companies and individuals within those companies. What category of law deals with regulatory standards that regulate performance and conduct?
Administrative / regulatory law
The copyright law (“original works of authorship”) protects the right of the owner in all of the following except?
- The public distribution of the idea
- Reproduction of the idea
- The idea itself
- Display of the idea
- The idea itself
A copyright covers the expression of ideas rather than the ideas themselves; it usually protects artistic property such as writing, recordings, databases, and computer programs. In most countries, once the work or property is completed or is in a tangible form, the copyright protection is automatically assumed.
Copyright protection is weaker than patent protection, but the duration of protection is considerably longer (e.g., a minimum of 50 years after the creator’s death or 70 years under U.S. copyright protection).
Although individual countries may have slight variations in their domestic copyright laws, as long as the country is a member of the international Berne Convention, the protection afforded will be at least at the minimum level dictated by the convention; unfortunately, not all countries are members.
In the United States, copyright law protects the right of an author to control the public distribution, reproduction, display, and adaptation of his original work. The law covers many categories of work: pictorial, graphic, musical, dramatic, literary, pantomime, motion picture, sculptural, sound recording, and architectural. Copyright law does not cover the specific resource, as does trade secret law. It protects the expression of the idea of the resource instead of the resource itself. A copyright is usually used to protect an author’s writings, an artist’s drawings, a programmer’s source code, or specific rhythms and structures of a musician’s creation. Computer programs and manuals are just two examples of items protected under the Federal Copyright Act. The item is covered under copyright law once the program or manual has been written. Although including a warning and the copyright symbol (©) is not required, doing so is encouraged so others cannot claim innocence after copying another’s work. The protection does not extend to any method of operations, process, concept, or procedure, but it does protect against unauthorized copying and distribution of a protected work. It protects the form of expression rather than the subject matter.
The following reference(s) were used to create this question:
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 1663
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 22391-22397). Auerbach Publications. Kindle Edition.
and
Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (p. 1000). McGraw-Hill. Kindle Edition.
Which of the following was designed to support multiple network types over the same serial link?
- Ethernet
- PPTP
- SLIP
- PPP
PPP
The Point-to-Point Protocol (PPP) was designed to support multiple network types over the same serial link, just as Ethernet supports multiple network types over the same LAN. PPP replaces the earlier Serial Line Internet Protocol (SLIP), which supports only IP over a serial link. PPTP is a tunneling protocol.
The following reference(s) were used to create this question:
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14952
STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 3: TCP/IP from a Security Viewpoint.
Which of the following is a true statement pertaining to memory addressing?
- The CPU uses absolute addresses. Applications use logical addresses. Relative addresses are based on a known address and an offset value.
- The CPU uses logical addresses. Applications use absolute addresses. Relative addresses are based on a known address and an offset value.
- The CPU uses absolute addresses. Applications use relative addresses. Logical addresses are based on a known address and an offset value.
- The CPU uses absolute addresses. Applications use logical addresses. Absolute addresses are based on a known address and an offset value.
The CPU uses absolute addresses. Applications use logical addresses. Relative addresses are based on a known address and an offset value.
The physical memory addresses that the CPU uses are called absolute addresses. The indexed memory addresses that software uses are referred to as logical addresses. A relative address is a logical address which incorporates the correct offset value.
The following reference(s) were used to create this question:
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 7605
Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 330). McGraw-Hill. Kindle Edition.
There are many known weaknesses within a behavior-based Intrusion Detection System (IDS). Which of the following is NOT a limitation of a behavior-based IDS?
- Detect Zero day attack
- Backdoor into application
- Application level vulnerability.
- Weakness in the identification and authentication scheme.
The correct answer is: Detect Zero day attack
Detecting zero-day attacks is an advantage of an IDS that makes use of behavior-based or heuristic detection.
It is important to read the question carefully. The word "NOT" was the key word.
Intrusion Detection Systems are somewhat limited in scope; they do not address the following:
- Weakness in the policy definition
- Application-level vulnerability
- Backdoor within application
- Weakness in identification and authentication schemes
Also, you should know the information below for your CISA exam:
An IDS works in conjunction with routers and firewalls by monitoring network usage anomalies.
Broad categories of IDS include:
- Network Based IDS
- Host Based IDS
Network Based IDS
They identify attack within the monitored network and issue a warning to the operator.
If a network based IDS is placed between the Internet and the firewall, it will detect all the attack attempts whether or not they enter the firewall.
Network Based IDS are blinded when dealing with encrypted traffic.
Host Based IDS
They are configured for a specific environment and will monitor various internal resources of the operating system to warn of a possible attack.
They can detect the modification of executable programs, detect the deletion of files, and issue a warning when an attempt is made to use a privileged account.
They can monitor traffic after it is decrypted and they supplement the Network Based IDS.
Types of IDS include:
Statistical Based IDS – These systems need a comprehensive definition of the known and expected behavior of the system.
Neural Network – An IDS with this feature monitors the general patterns of activity and traffic on the network and creates a database. This is similar to the statistical model but with added self-learning functionality.
Signature Based IDS – These systems protect against known intrusion patterns. The intrusive patterns they can identify are stored in the form of signatures.
In Rule-Based Access Control (RuBAC), access is determined by rules. Such rules would fit within what category of access control?
Discretionary Access Control (DAC)
Mandatory Access control (MAC)
Lattice-based Access control
Non-Discretionary Access Control (NDAC)
The correct answer is: Non-Discretionary Access Control (NDAC)
Rule-based access control is a type of non-discretionary access control because access is determined by rules and the subject does not decide what those rules will be; the rules are uniformly applied to ALL of the users or subjects.
In general, all access control policies other than DAC are grouped in the category of non-discretionary access control (NDAC). As the name implies, policies in this category have rules that are not established at the discretion of the user. Non-discretionary policies establish controls that cannot be changed by users, but only through administrative action.
Both Role Based Access Control (RBAC) and Rule Based Access Control (RuBAC) fall within Non Discretionary Access Control (NDAC). If it is not DAC or MAC then it is most likely NDAC.
IT IS NOT ALWAYS BLACK OR WHITE
The different access control models are not totally exclusive of each other. MAC makes use of rules in its implementation. However, with MAC you have requirements above and beyond simple access rules: the subject must get formal approval from management, the subject must have the proper security clearance, and objects must have labels/sensitivity levels attached to them. If all of this is in place, then you have MAC.
BELOW YOU HAVE A DESCRIPTION OF THE DIFFERENT CATEGORIES:
MAC = Mandatory Access Control
Under a mandatory access control environment, the system or security administrator will define what permissions subjects have on objects. The administrator does not dictate a user's access but simply configures the proper level of access as dictated by the Data Owner.
The MAC system will look at the Security Clearance of the subject and compare it with the object sensitivity level or classification level. This is what is called the dominance relationship.
The subject must DOMINATE the object sensitivity level, which means that the subject must have a security clearance equal to or higher than that of the object he is attempting to access.
MAC also introduces the concept of labels. Every object will have a label attached to it indicating the classification of the object as well as categories that are used to impose the need-to-know (NTK) principle. Even though a user has a security clearance of Secret, it does not mean he would be able to access any Secret document within the system. He would be allowed to access only Secret documents for which he has a need to know and formal approval, and only objects where the user belongs to one of the categories attached to the object.
If there is no clearance and no labels then IT IS NOT Mandatory Access Control.
Many of the other models can mimic MAC but none of them have labels and a dominance relationship so they are NOT in the MAC category.
NISTIR 7316 says:
Usually a labeling mechanism and a set of interfaces are used to determine access based on the MAC policy; for example, a user who is running a process at the Secret classification should not be allowed to read a file with a label of Top Secret. This is known as the "simple security rule," or "no read up." Conversely, a user who is running a process with a label of Secret should not be allowed to write to a file with a label of Confidential. This rule is called the "*-property" (pronounced "star property") or "no write down." The *-property is required to maintain system security in an automated environment. A variation on this rule called the "strict *-property" requires that information can be written at, but not above, the subject's clearance level. Multilevel security models such as the Bell-La Padula Confidentiality and Biba Integrity models are used to formally specify this kind of MAC policy.
DAC = Discretionary Access Control
DAC is also known as: Identity Based access control system.
The owner of an object is defined as the person who created the object. As such, the owner has the discretion to grant access to other users on the network. Access will be granted based solely on the identity of those users.
Such a system is good for a low level of security. One of the major problems is the fact that a user who has access to someone else's file can further share the file with other users without the knowledge or permission of the owner of the file. Very quickly this could become the wild wild west, as there is no control on the dissemination of the information.
RBAC = Role Based Access Control
RBAC is a form of Non-Discretionary access control.
Role Based access control usually maps directly with the different types of jobs performed by employees within a company.
For example, there might be 5 security administrators within your company. Instead of creating each of their profiles one by one, you would simply create a role and assign the administrators to the role. Once an administrator has been assigned to a role, he will IMPLICITLY inherit the permissions of that role.
RBAC is a great tool for environments where there is a large rotation of employees on a daily basis, such as a very large help desk.
RBAC or RuBAC = Rule Based Access Control
RuBAC is a form of Non-Discretionary access control.
A good example of a Rule Based access control device would be a firewall. A single set of rules is imposed on all users attempting to connect through the firewall.
The following reference(s) were used to create this question:
SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh Edition Page 598 & 599 or Kindle Location 15990.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 18381
The following answers are incorrect:
Discretionary Access Control (DAC)
Mandatory Access control (MAC)
Lattice-based Access control
Which access control model has a central authority that determines which objects the subjects have access to, based on role or on the organizational security policy?
Discretionary Access
Rule Based Access Control
Non-Discretionary Access Control
Mandatory Access Control
Non-Discretionary Access Control
Non Discretionary Access Control includes Role Based Access Control (RBAC) and Rule Based Access Control (RBAC or RuBAC). RBAC being a subset of NDAC, it was easy to eliminate RBAC as it was covered under NDAC already.
Nondiscretionary access control is also based on the assignment of permissions to read, write, and execute files on a system. However, unlike discretionary access control, which allows the file owner to specify those permissions, nondiscretionary access control requires the administrator of a system to define and tightly control the access rules for files in the system.
Some people think that RBAC is synonymous with NDAC but RuBAC would also fall into this category.
For your exam you should know the information below:
Discretionary and Mandatory Access Controls
One of the most fundamental data access control decisions an organization must make is the amount of control it will give system and data owners to specify the level of access users of that data will have. In every organization there is a balancing point between the access controls enforced by organization and system policy and the ability for information owners to determine who can have access based on specific business requirements. The process of translating that balance into a workable access control model can be defined by three general access frameworks:
Discretionary access control
Mandatory access control
Nondiscretionary access control
Discretionary Access Controls (DACs)
Controls placed on data by the owner of the data. The owner determines who has access to the data and what privileges they have. Discretionary controls represent a very early form of access control and were widely employed in VAX, VMS, UNIX, and other minicomputers in universities and other organizations prior to the evolution of personal computers. Today, DACs are widely employed to allow users to manage their own data and the security of that information, and nearly every mainstream operating system, from Microsoft and Apple to mobile operating systems and Linux, supports DAC. The advantage of a DAC-based system is that it is primarily user-centric. The data owner has the power to determine who can (and cannot) access that data based on the business requirements and constraints affecting that owner. While the owner never has the ability to ignore or contradict the organization's access control policies, he or she has the ability to interpret those policies to fit the specific needs of his or her system and his or her users.
Mandatory Access Controls (MACs)
Controls determined by the system and based primarily on organization policy. The system applies controls based on the clearance of a user and the classification of an object or data. With DACs the user is free to apply controls at their discretion, not based on the overall value or classification of the data. In contrast, MAC requires the system itself to manage access controls in accordance with the organization's security policies. MACs are typically used for systems and data that are highly sensitive and where system owners do not want to allow users to potentially contradict or bypass organizationally mandated access controls. Assigning the security controls of an object based on its classification and the clearance of subjects provides for a secure system that accommodates multilayered information processing.
MAC is based on cooperative interaction between the system and the information owner. The system's decision controls access and the owner provides the need-to-know control. Not everyone who is cleared should have access, only those cleared and with a need to know. Even if the owner determines a user has the need to know, the system must ascertain that the user is cleared or no access will be allowed. To accomplish this, data need to be labeled as to their classification, allowing specific controls to be applied based on that classification.
As demonstrated in Figure 1.8, access permissions are applied to an object based on the level of clearance given to a subject. The example provided represents only a few of the possible permissions that can be assigned to an object. For example, list is a permission seen in common operating systems that permits users to only list the files in a directory, not read, delete, modify, or execute those files.
The following answers are incorrect:
Discretionary Access Control is for environments with a very low level of security. There is no control on the dissemination of the information. A user who has access to a file can copy the file or further share it with other users.
Rule Based Access Control is when you have ONE set of rules applied uniformly to all users. A good example would be a firewall at the edge of your network. A single rule base is applied against any packets received from the internet.
Mandatory Access Control is a very rigid type of access control. The subject must dominate the object and the subject must have a Need To Know to access the information. Objects have labels that indicate the sensitivity (classification), and there are also categories to enforce the Need To Know (NTK).
What is the name of the type of access control in which there are pairs of elements that have a least upper bound of values and a greatest lower bound of values?
Lattice Model
Rule Based model
Discretionary model
Rule model
lattice model.
In a lattice model, there are pairs of elements that have the least upper bound of values and greatest lower bound of values.
The following reference(s) were used to create this question:
SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh Edition Page 602 or Kindle Location 16073.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 7942
If risk is defined as “the potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets” then risk has all of the following elements EXCEPT?
Probabilities of the threats
Controls addressing the threats
Threats to and vulnerabilities of processes and/or assets
An impact on assets based on threats and vulnerabilities
Controls addressing the threats
Threats, impact and probabilities are all elements of risk. Controls are developed to address the risk and hence are not, of themselves, an element of risk.
For your exam you should know the information below:
A vulnerability is a lack of a countermeasure or a weakness in a countermeasure that is in place. It can be a software, hardware, procedural, or human weakness that can be exploited. A vulnerability may be a service running on a server, unpatched applications or operating systems, an unrestricted wireless access point, an open port on a firewall, lax physical security that allows anyone to enter a server room, or unenforced password management on servers and workstations.
A threat is any potential danger that is associated with the exploitation of a vulnerability. The threat is that someone, or something, will identify a specific vulnerability and use it against the company or individual. The entity that takes advantage of a vulnerability is referred to as a threat agent. A threat agent could be an intruder accessing the network through a port on the firewall, a process accessing data in a way that violates the security policy, a tornado wiping out a facility, or an employee making an unintentional mistake that could expose confidential information.
A risk is the likelihood of a threat agent exploiting a vulnerability and the corresponding business impact. If a firewall has several ports open, there is a higher likelihood that an intruder will use one to access the network in an unauthorized method. If users are not educated on processes and procedures, there is a higher likelihood that an employee will make an unintentional mistake that may destroy data. If an intrusion detection system (IDS) is not implemented on a network, there is a higher likelihood an attack will go unnoticed until it is too late. Risk ties the vulnerability, threat, and likelihood of exploitation to the resulting business impact.
An exposure is an instance of being exposed to losses. A vulnerability exposes an organization to possible damages. If password management is lax and password rules are not enforced, the company is exposed to the possibility of having users' passwords captured and used in an unauthorized manner. If a company does not have its wiring inspected and does not put proactive fire prevention steps into place, it exposes itself to potentially devastating fires.
A control, or countermeasure, is put into place to mitigate (reduce) the potential risk. A countermeasure may be a software configuration, a hardware device, or a procedure that eliminates a vulnerability or that reduces the likelihood a threat agent will be able to exploit a vulnerability. Examples of countermeasures include strong password management, firewalls, a security guard, access control mechanisms, encryption, and security-awareness training.
The following answers are incorrect:
The other options presented are elements of RISK.
The following reference(s) were used to create this question:
SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh Edition Page 605 or Kindle Location 16163.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 3227
Risk analysis is MOST useful when applied during which phase of the system development process?
Project initiation and planning
Functional Requirements definition
System design specification
Development and implementation
Project initiation and Planning
In most projects the conditions for failure are established at the beginning of the project. Thus risk management should be established at the commencement of the project with a risk assessment during project initiation.
As it is clearly stated in the ISC2 book: Security should be included at the first phase of development and throughout all of the phases of the system development life cycle. This is a key concept to understand for the purpose for the exam.
The most useful time is to undertake it at project initiation, although it is often valuable to update the current risk analysis at later stages.
Attempting to retrofit security after the SDLC is completed would cost a lot more money and might be impossible in some cases. Look at the family of browsers we use today: for the past 8 years they have always claimed that the latest release is the most secure version, and within days vulnerabilities are found.
Risks should be monitored throughout the SDLC of the project and reassessed when appropriate.
The phases of the SDLC can vary from one source to another. It could be as simple as Concept, Design, and Implementation. It could also be expanded to include more phases, such as this list proposed within the ISC2 Official Study book:
Project Initiation and Planning
Functional Requirements Definition
System Design Specification
Development and Implementation
Documentations and Common Program Controls
Testing and Evaluation Control, certification and accreditation (C&A)
Transition to production (Implementation)
And there are two phases that will extend beyond the SDLC, they are:
Operation and Maintenance Support (O&M)
Revisions and System Replacement (Disposal)
The following reference(s) were used to create this question:
SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh Edition Page 844 or Kindle Location 22040.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press)
Which access control model would be the best example of a lattice-based access control model?
Rule-Based Access Control
Non-discretionary access control
Discretionary access control
Mandatory access control
Mandatory access control.
In a lattice model, there are pairs of elements that have the least upper bound of values and greatest lower bound of values. In a Mandatory Access Control (MAC) model, users and data owners do not have as much freedom to determine who can access files.
TIPS FROM CLEMENT
This topic has been greatly discussed in my classes and on the www.cccure.org forums.
Mandatory Access Control is in place whenever you have permissions that are being imposed on the subject and the subject cannot arbitrarily change them. When the subject/owner of the file can change permissions at will, it is discretionary access control.
Here is a breakdown largely based on explanations provided by Doug Landoll (see forum archive on www.cccure.org). I am reproducing below using my own word and not exactly how Doug explained it:
FIRST: The Lattice
A lattice is simply an access control tool usually used to implement Mandatory Access Control (MAC), and it could also be used to implement RBAC, but this is not as common. The lattice model can be used for integrity levels or file permissions as well. The lattice has a least upper bound and a greatest lower bound. It makes use of pairs of elements, such as the subject security clearance paired with the object sensitivity label. The pairing could also be a file and its permissions, or it could be a process and its integrity level, for example.
SECOND: DAC (Discretionary Access Control)
Let's get into Discretionary Access Control: It is an access control method where the owner (read: the creator of the object) will decide who has access at his own discretion. As we all know, users are sometimes insane. They will share their files with other users based on their identity, but nothing prevents the person they share the file with from further sharing it with other users on the network. Very quickly you lose control of the flow of information and who has access to what. It is used in small and friendly environments where a low level of security is all that is required.
THIRD: MAC (Mandatory Access Control)
All of the following are forms of Mandatory Access Control:
Mandatory Access control (MAC) (Implemented using the lattice)
You must remember that MAC makes use of Security Clearance for the subject and also Labels will be assigned to the objects. The clearance of the Subject must dominate (be equal to or higher than) the clearance of the Object being accessed. The label attached to the object will indicate the sensitivity level and the categories the object belongs to. The categories are used to implement the Need to Know.
All of the following are forms of Non Discretionary Access Control:
Role Based Access Control (RBAC)
Rule Based Access Control (Think Firewall in this case)
The official ISC2 book says that RBAC (synonymous with Non Discretionary Access Control) is a form of DAC, but they are simply wrong. RBAC is a form of Non Discretionary Access Control. Non Discretionary DOES NOT equal mandatory access control, as there are no labels and clearances involved.
I hope this clarifies the whole drama related to what is what in the world of access control.
In the same line of thought, you should be familiar with the difference between Explicit permission (the user has his own profile) versus Implicit (the user inherits permissions by being a member of a role, for example).
The following answers are incorrect:
Discretionary access control is incorrect because in a Discretionary Access Control (DAC) model, access is restricted based on the authorization granted to users by the owner of the file, which under DAC is the creator of the file. It is identity-based access control only. It does not make use of a lattice.
Non-discretionary access control is incorrect because Non-discretionary Access Control (NDAC) uses the Role-Based Access Control (RBAC) or Rule-Based Access Control (RuBAC) method to determine access rights and permissions.
Role-Based Access Control (RBAC) is when users inherit permissions from a role when they are assigned to that role. This type of access control could make use of a lattice but could also be implemented without one in some cases. Mandatory Access Control was a better choice than this one, but RBAC could also make use of a lattice. The BEST answer was MAC.
Rule-based access control is incorrect because it is an example of a Non-discretionary Access Control (NDAC) access control mode. You have rules that are globally applied to all users. There is no such thing as a lattice being used in Rule-Based Access Control.
The following reference(s) were used to create this question:
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 18394
CISSP All-in-One Exam Guide, 6th Edition Page number 381
Official (ISC)2 Guide 2013, page 637
Which of the following services is NOT provided by the digital signature standard (DSS)?
Encryption
Authentication
Integrity
Digital signature
Encryption
DSS provides integrity, digital signature, and authentication, but it does not provide encryption.
The following reference(s) were used to create this question:
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 11073
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 4: Cryptography (page 160).
In Discretionary Access Control the subject has authority, within certain limitations,
but he is not permitted to specify what objects can be accessible and so we need to get an independent third party to specify what objects can be accessible.
to specify on an aggregate basis without understanding what objects can be accessible.
to specify in full detail what objects can be accessible.
to specify what objects can be accessible.
to specify what objects can be accessible.
With Discretionary Access Control, the subject has authority, within certain limitations, to specify what objects can be accessible.
For example, access control lists can be used. This type of access control is used in local, dynamic situations where the subjects must have the discretion to specify what resources certain users are permitted to access.
When a user, within certain limitations, has the right to alter the access control to certain objects, this is termed user-directed discretionary access control. In some instances, a hybrid approach is used, which combines the features of user-based and identity-based discretionary access control.
The following reference(s) were used to create this question:
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 18415
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33.
and
HARRIS, Shon, All-In-One CISSP Certification Exam Guide 5th Edition, McGraw-Hill/Osborne, 2010, Chapter 4: Access Control (page 210-211).