Security Architecture and Models

Question 1

QUESTION NO: 98 What is it called when a computer uses more than one CPU in parallel to execute instructions? A. Multiprocessing B. Multitasking C. Multithreading D. Parallel running

Answer 1

Answer: A

Question 2

QUESTION NO: 99 What is the main purpose of undertaking a parallel run of a new system? A. Resolve any errors in the program and file interfaces B. Verify that the system provides required business functionality C. Validate the operation of the new system against its predecessor D. Provide a backup of the old system

Answer 2

Answer: B

Question 3

QUESTION NO: 100 Which of the following provide network redundancy in a local network environment? A. Mirroring B. Shadowing C. Dual backbones D. Duplexing

Answer 3

Answer: C

Question 4

QUESTION NO: 101 A server farm is an example of: A. Server clustering B. Redundant servers C. Multiple servers D. Server fault tolerance

Answer 4

Answer: A

Question 5

QUESTION NO: 102 In which state must a computer system operate to process input/output instructions? A. User mode B. Stateful inspection C. Interprocess communication D. Supervisor mode

Answer 5

Answer: D Explanation: A computer is in a supervisory state when it is executing these privileged instructions. (privileged instructions are executed by the system administrator or by an individual who is authorized to use those instructions.)

Question 6

QUESTION NO: 103 What should be the size of a Trusted Computer Base? A. Small – in order to permit it to be implemented in all critical system components without using excessive resources. B. Small – in order to facilitate the detailed analysis necessary to prove that it meets design requirements. C. Large – in order to accommodate the implementation of future updates without incurring the time and expense of recertification. D. Large – in order to enable it to protect the potentially large number of resources in a typical commercial system environment.

Answer 6

Answer: B Explanation: “It must be small enough to be able to be tested and verified in a complete and comprehensive manner.”

Question 7

QUESTION NO: 104 Which one of the following are examples of security and controls that would be found in a “trusted” application system? A. Data validation and reliability B. Correction routines and reliability C. File integrity routines and audit trail D. Reconciliation routines and data labels

Answer 7

Answer: C Explanation: I have no specific reference for this question but the major resources hammer that there needs to be methods to check the data for correctness.

Question 8

QUESTION NO: 105 Which of the following is an operating system security architecture that provides flexible support for security policies? A. OSKit B. LOMAC C. SE Linux D. Flask

Answer 8

Answer: D Explanation: Flask is an operating system security architecture that provides flexible support for security policies. The architecture was prototyped in the Fluke research operating system. Several of the Flask interfaces and components were then ported from the Fluke prototype to the OSKit. The Flask architecture is now being implemented in the Linux operating system (Security-Enhanced Linux) to transfer the technology to a larger developer and user community.

Question 9

QUESTION NO: 106 Which of the following statements pertaining to the security kernel is incorrect? A. It is made up of mechanisms that fall under the TCB and implements and enforces the reference monitor concept. B. It must provide isolation for the processes carrying out the reference monitor concept and they must be tamperproof C. It must be small enough to be able to be tested and verified in a complete and comprehensive manner D. Is an access control concept, not an actual physical component

Answer 9

Answer: D

Question 10

QUESTION NO: 107 What is a PRIMARY reason for designing the security kernel to be as small as possible? A. The operating system cannot be easily penetrated by users. B. Changes to the kernel are not required as frequently. C. Due to its compactness, the kernel is easier to formally verify. D. System performance and execution are enhanced.

Answer 10

Answer: C Explanation: I disagree with the original answer which was B (changes to the kernel) and think it is C (Due to its compactness). However, use your best judgment based on knowledge and experience. Below is why I think it is C. “There are three main requirements of the security kernel:It must provide isolation for the processes carrying out the reference monitor concept and they must be tamperproof. The reference monitor must be invoked for every access attempt and must be impossible to circumvent. Thus the reference monitor must be implemented in a complete and foolproof way. It must be small enough to be able to be tested and verified in a complete and comprehensive manner.”

Question 11

QUESTION NO: 108 Which of the following implements the authorized access relationship between subjects and objects of a system? A. Security model B. Reference kernel C. Security kernel D. Information flow model

Answer 11

Answer: C

Question 12

QUESTION NO: 109 The concept that all accesses must be meditated, protected from modification, and verifiable as correct is the concept of A. Secure model B. Security locking C. Security kernel D. Secure state

Answer 12

Answer: C Explanation: A security kernel is defined as the hardware, firmware, and software elements of a trusted computing base that implements the reference monitor concept. A reference monitor is a system component that enforces access controls on an object. Therefore, the reference monitor concept is an abstract machine that mediates all access of subjects to objects. The Security Kernel must: Mediate all accesses Be protected from modification Be verified as correct.

Question 13

QUESTION NO: 110 What is an error called that causes a system to be vulnerable because of the environment in which it is installed? A. Configuration error B. Environmental error C. Access validation error D. Exceptional condition handling error

Answer 13

Answer: B

Question 14

QUESTION NO: 111 Which of the following ensures that security is not breached when a system crash or other system failure occurs? A. trusted recovery B. hot swappable C. redundancy D. secure boot

Answer 14

Answer: A Explanation: “Trusted Recovery When an operating system or application crashes or freezes, it should not put the sytem in any time of secure state.”

Question 15

QUESTION NO: 112 What type of subsystem is an application program that operates outside the operating system and carries out functions for a group of users, maintains some common data for all users in the group, and protects the data from improper access by users in the group? A. Prevented subsystem B. Protected subsystem C. File subsystem D. Directory subsystem

Answer 15

Answer: B

Question 16

QUESTION NO: 113 A ‘Pseudo flaw’ is which of the following? A. An apparent loophole deliberately implanted in an operating system B. An omission when generating Pseudo-code C. Used for testing for bounds violations in application programming D. A Normally generated page fault causing the system halt

Answer 16

Answer: A

Question 17

QUESTION NO: 114 Which of the following yellow-book defined types of system recovery happens after a system fails in an uncrontrolled manner in response to a TCB or media failure and the system cannot be brought to a consistent state? A. Recovery restart B. System reboot C. Emergency system restart D. System Cold start

Answer 17

Answer: C Reference: “Emergency system restart is done after a system fails in an uncontrolled manner in response to a TCB or media failure. In such cases, TCB and user objects on nonvolatile storage belonging to processes active at the time of TCB or media failure may be left in an inconsistent state. The system enters maintenance mode, recovery is performed automatically, and the system restarts with no user processes in progress after bringing up the system in a consistent state.”

Question 18

QUESTION NO: 115 Which one of the following describes a reference monitor? A. Access control concept that refers to an abstract machine that mediates all accesses to objects by subjects. B. Audit concept that refers to monitoring and recording of all accesses to objects by subjects. C. Identification concept that refers to the comparison of material supplied by a user with its reference profile. D. Network control concept that distributes the authorization of subject accesses to objects.

Answer 18

Answer: A Explanation: A reference monitor is a system component that enforces access controls on an object. Therefore, the reference monitor concept is an abstract machine that mediates all access of subjects to objects

Question 19

QUESTION NO: 116 What can best be described as an abstract machine which must mediate all access to subjects to objects? A. A security domain B. The reference monitor C. The security kernel D. The security perimeter

Answer 19

Answer: B

Question 20

QUESTION NO: 117 What is the PRIMARY component of a Trusted Computer Base? A. The computer hardware B. The security subsystem C. The operating system software D. The reference monitor

Answer 20

Answer: D Explanation: “The security kernel is made up of hardware, software, and firmware components that fall within the TCB and implements and enforces the reference monitor concept. The security kernel mediates all access and functions between subjects and objects. The security kernel is the core of the TCB and is the most commonly used approach to building trusted computing systems. There are three main requirements of the security kernel: • It must provide isolation for the processes carrying out the reference monitor concept, and the processes must be tamperproof. • It must be invoked for every access attempt and must be impossible to circumvent. Thus, the security kernel must be implemented in a complete and foolproof way. • It must be small enough to be able to be tested and verified in a complete and comprehensive manner. These are the requirements of the reference monitor; therefore, they are the requirements of the components that provide and enforce the reference monitor concept—the security kernel.”

Question 21

QUESTION NO: 118 Which of the following is best defined as a mode of system termination that automatically leaves system processes and components in a secure state when a failure occurs or is detected in the system? A. Fail proof B. Fail soft C. Fail safe D. Fail resilient

Answer 21

Answer: C

Question 22

QUESTION NO: 119 LOMAC uses what Access Control method to protect the integrity of processes and data? A. Linux based EFS. B. Low Water-Mark Mandatory Access Control. C. Linux based NFS. D. High Water-Mark Mandatory Access Control.

Answer 22

Answer: B Explanation: LOMAC is a security enhancement for Linux that uses Low Water-Mark Mandatory Access Control to protect the integrity of processes and data from viruses, Trojan horses, malicious remote users and compromised root daemons. LOMAC is implemented as a loadable kernel module - no kernel recompilations or changes to existing applications are required. Although not all the planned features are currently implemented, it presently provides sufficient protection to thwart script-kiddies, and is stable enough for everyday use.

Question 23

QUESTION NO: 120 On Linux, LOMAC is implemented as: A. Virtual addresses B. Registers C. Kernel built in functions D. Loadable kernel module

Answer 23

Answer: D Explanation: LOMAC is a security enhancement for Linux that uses Low Water-Mark Mandatory Access Control to protect the integrity of processes and data from viruses, Trojan horses, malicious remote users and compromised root daemons. LOMAC is implemented as a loadable kernel module - no kernel recompilations or changes to existing applications are required. Although not all the planned features are currently implemented, it presently provides sufficient protection to thwart script-kiddies, and is stable enough for everyday use. “Security Kernel - The hardware, firmware, and software elements of a trusted computing base (TCB) that implements the reference monitor concept. It must mediate all accesses between subjects and objects, be protected from modification, and be verifiable as correct.”

Question 24

QUESTION NO: 121 LOMAC is a security enhancement for what operating system? A. Linux B. Netware C. Solaris

Answer 24

Answer: A Explanation: LOMAC is a security enhancement for Linux that uses Low Water-Mark Mandatory Access Control to protect the integrity of processes and data from viruses, Trojan horses, malicious remote users and compromised root daemons. LOMAC is implemented as a loadable kernel module - no kernel recompilations or changes to existing applications are required. Although not all the planned features are currently implemented, it presently provides sufficient protection to thwart script-kiddies, and is stable enough for everyday use.

Question 25

QUESTION NO: 122 What was introduced for circumventing difficulties in classic approaches to computer security by limiting damages produced by malicious programs? A. Integrity-preserving B. Reference Monitor C. Integrity-monitoring D. Non-Interference

Answer 25

Answer: B Explanation: “reference monitor … mediates all access subjects have to objects … protect the objects from unauthorized access and destructive modification” , Ibid p 273 Reference monitor is part of the TCB concept Not D: “noninterference … is implemented to ensure that any actions that take place at a higher security level do not affect … actions that take place at a lower level”, Harris, 3rd Ed, p 290. It is part of the information flow model.

Question 26

QUESTION NO: 123 A feature deliberately implemented in an operating system as a trap for intruders is called a: A. Trap door B. Trojan horse C. Pseudo flaw D. Logic bomb

Answer 26

Answer: C Explanation: “An apparent loophole deliberately implanted in an operating system program as a trap for intruders.” As defined by the Aqua Book NCSC-TG-004 a pseudo-flaw is an apparent loophole deliberately implanted in an operating system program as a trap for intruders.

Question 27

QUESTION NO: 124 Fault tolerance countermeasures are designed to combat threats to A. an uninterruptible power supply B. backup and retention capability C. design reliability D. data integrity

Answer 27

Answer: C

Question 28

QUESTION NO: 125 A ‘Psuedo flaw’ is which of the following? A. An apparent loophole deliberately implanted in an operating system program as a trap for intruders B. An omission when generating Psuedo-code C. Used for testing for bounds violations in application programming D. A normally generated page fault causing the system to halt

Answer 28

Answer: A

Question 29

QUESTION NO: 126 What Distributed Computing Environment (DCE) component provides a mechanism to ensure that services are made available only to properly designated parties? A. Directory Service B. Remote Procedure Call Service C. Distributed File Service D. Authentication and Control Service

Answer 29

Answer: A Explanation: A directory service has a hierarchical database of users, computers, printers, resources, and attributes of each. The directory is mainly used for lookup operations, which enable users to track down resources and other users…The administrator can then develop access control, security, and auditing policies that dictate who can access these objects, how the objects can be accessed, and audit each of these actions.

Question 30

QUESTION NO: 127 What can be accomplished by storing on each subject a list of rights the subject has for every object? A. Object B. Capabilities C. Key ring D. Rights

Answer 30

Answer: B Explanation: Capabilities are accomplished by storing on each subject a list of rights the subject has for every object. This effectively gives each user a key ring. To remove access to a particular object, every user (subject) that has access to it must be “touched”. A touch is an examination of a user’s rights to that object and potentially removal of rights. This brings back the problem of sweeping changes in access rights.

Question 31

QUESTION NO: 128 In the Information Flow Model, what relates two versions of the same object? A. Flow B. State C. Transformation D. Successive points

Answer 31

Answer: A Explanation: A flow is a type of dependency that relates two versions of the same object, and thus the transformation of one state of that object into another, at successive points in time.

Question 32

QUESTION NO: 129 What is a security requirement that is unique to Compartmented Mode Workstations (CMW)? A. Sensitivity Labels B. Object Labels C. Information Labels D. Reference Monitors

Answer 32

Answer: C

Question 33

QUESTION NO: 130 The Common Criteria (CC) represents requirements for IT security of a product or system under which distinct categories? A. Functional and assurance B. Protocol Profile (PP) and Security Target (ST) C. Targets of Evaluation (TOE) and Protection Profile (PP) D. Integrity and control

Answer 33

Answer: A Explanation: “Like other evaluation criteria before it, Common Criteria works to answer two basic and general questions about products being evaluated: what does it do (functionality), and how sure are you of that (assurance)?”

Question 34

QUESTION NO: 131 What are the assurance designators used in the Common Criteria (CC)? A. EAL 1, EAL 2, EAL 3, EAL 4, EAL 5, EAL 6, and EAL 7 B. A1, B1, B2, B3, C2, C1, and D C. E0, E1, E2, E3, E4, E5, and E6 D. AD0, AD1, AD2, AD3, AD4, AD5, and AD6

Answer 34

Answer: A Explanation: Original Answer was C. This is wrong in my view as the original answer confused ITSEC with the CC per the following The Common criteria terminology for the degree of examination of the product to be tested is the Evaluation Assurance level (EAL). EALs range from EA1 (functional testing to EA7 (detailed testing and formal design verification). -Ronald Krutz The CISSP PREP Guide (gold edition) pg 266-267 Note that Shon Harris All-in-one CISSP Certification Guide uses EAL (not just EA). EALs are combinations of assurance components. They also can be conveniently compared to TSCEC and ITSEC. Like these security evaluation criteria, EALs are scaled with from EAL1 through EAL7. Other EALs exist, but EAL 7 is the highest with international recognition. - Roberta Bragg Cissp Certification Training Guide (que) pg 368 ITSEC separately evaluates functionality and assurance, and it includes 10 functionality classes (f), eight assurance levels (q), seven levels of correctness (e), and eight basic security functions in its criteria. ). -Ronald Krutz The CISSP PREP Guide (gold edition) pg 266

Question 35

QUESTION NO: 132 Which of the following uses protection profiles and security targets? A. ITSEC B. TCSEC C. CTCPEC D. International Standard 15408

Answer 35

Answer: D Explanation: “For historical and continuity purposes, ISO has accepted the continued use of the term “Common Criteria” (CC) within this document, while recognizing the official ISO name for the new IS 15408 is “Evaluation Criteria for Information Technology Security.” “The Common Criteria define a Protection Profile (PP), which is an implementation-independent specification of the security requirements and protections of a product that could be built. The Common Criteria terminology for the degree of examination of the product to be tested is the Evaluation Assurance Level (EAL). EALs range from EA1 (functional testing) to EA7 (detailed testing and formal design verification). The Common Criteria TOE refers to the product to be tested. A Security Target (ST) is a listing of the security claims for a particular IT security product. Also, the Common Criteria describe an intermediate grouping of security requirement components as a package.”

Question 36

QUESTION NO: 133 According to Common Criteria, what can be described as an intermediate combination of security requirement components? A. Protection profile (PP) B. Security target (ST) C. Package D. The Target of Evaluation (TOE)

Answer 36

Answer: C Explanation: “The Common Criteria define a Protection Profile (PP), which is an implementationindependent specification of the security requirements and protections of a product that should be built. The Common Criteria terminology for the degree of examination of the product to be tested is the Evaluation Assurance Level (EAL.) EALs range from EA1 (functional testing() to EA7 (detailed testing and formal design verification). The Common Criteria TOE refers to the product to be tested. A Security Target (ST) is a listing of the security claims for a particular IT security product. Also, the Common Criteria

Question 37

QUESTION NO: 134 The Common Criteria construct which allows prospective consumers or developers to create standardized sets of security requirements to meet there needs is A. a Protection Profile (PP). B. a Security Target (ST). C. an evaluation Assurance Level (EAL). D. a Security Functionality Component Catalog (SFCC).

Answer 37

Answer: A Explanation: Protection Profiles: The Common Criteria uses protection profiles to evaluate products. The protection profile contains the set of security requirements, their meaning and reasoning, and the corresponding EAL rating. The profile describes the environmental assumptions, the objectives, and functional and assurance level expectations. Each relevant threat is listed along with how it is to be controlled by specific objectives. It also justifies the assurance level and requirements for the strength of each protection mechanism. The protection profile provides a means for the consumer, or others, to identify specific security needs;p this is the security problem to be conquered. EAL: An evaluation is carried out on a product and is assigned an evaluation assurance level (EAL) The thoroughness and stringent testing increases in detailed-oriented tasks as the levels increase. The Common Criteria has seven aassurance levels. The ranges go from EAL1, where the functionality testing takes place, to EAL7,where thorough testing is performed and the system is verified. Note:”The Common Criteria defines a Protection Profile (PP), which is an implementationindependent specification of the security requirements and protections of a product that could be built. The Common Criteria terminology for the degree of examination of the product to be tested is the Evaluation Assurance Level (EAL). EALs range from EA1 (functional testing) to EA7 (detailed testing and formal design verification). The Common Criteria TOE [target of evaluation] refers to the product to be tested. A Security Target (ST) is a listing of the security claims for a particular IT security product.”

Question 38

QUESTION NO: 135 The Information Technology Security Evaluation Criteria (ITSEC) was written to address which of the following that the Orange Book did not address? A. integrity and confidentiality B. confidentiality and availability C. integrity and availability D. none of the above

Answer 38

Answer: C Explanation: “ITSECTCSEC (Orange Book) E0D F1+E1C1 F2+E2C2 F3+E3B1 F4+E4B2 F5+E5B3 F5+E6A1 F6=Systems that provide high integrity F7=Systems that provide high availability F8=Systems that provide data integrity during communication F9=Systems that provide high confidentiality F10=Networks with high demands on confidentiality and integrity”

Question 39

QUESTION NO: 136 Which of the following was developed by the National Computer Security Center (NCSC)? A. TCSEC B. ITSEC C. DITSCAP D. NIACAP

Answer 39

Answer: A

Question 40

QUESTION NO: 137 The Trusted Computer Security Evaluation Criteria (TBSEC) provides A. a basis for assessing the effectiveness of security controls built into automatic data-processing system products B. a system analysis and penetration technique where specifications and document for the system are analyzed. C. a formal static transition model of computer security policy that describes a set of access control rules. D. a means of restricting access to objects based on the identity of subjects and groups to which they belong.

Answer 40

Answer: A Explanation: TBSEC provides guidelines to be used with evaluating a security product. The TBSEC guidelines address basic security functionality and allow evaluators to measure and rate the functionality of a system and how trustworthy it is. Functionality and assurance are combined and not separated, as in criteria developed later. TCSEC guidelines can be used for evaluating vendor products or by vendors to design necessary functionality into new products.

Question 41

QUESTION NO: 138 Which Orange Book evaluation level is described as “Verified Design”? A. A1 B. B3 C. B2 D. B1

Answer 41

Answer: A

Question 42

QUESTION NO: 139 Which of the following classes is defined in the TCSEC (Orange Book) as mandatory protection? A. B B. A C. C D. D

Answer 42

Answer: A

Question 43

QUESTION NO: 140 Which Orange Book security rating requires that formal techniques are used to prove the equivalence between the TCB specifications and the security policy model? A. B2 B. B3 C. A1 D. A2

Answer 43

Answer: C

Question 44

QUESTION NO: 141 According to the Orange Book, which security level is the first to require trusted recovery? A. A1 B. B2 C. B3 D. B1

Answer 44

Answer: C Explanation: “Trusted recovery is required only for B3 and A1 level systems.”

Question 45

QUESTION NO: 142 According to the Orange Book, which security level is the first to require a system to protect against covert timing channels? A. A1 B. B3 C. B2 D. B1

Answer 45

Answer: C

Question 46

QUESTION NO: 143 Which of the following is not an Orange Book-defined operational assurance requirement? A. System architecture B. Trusted facility management C. Configuration management D. Covert channel analysis

Answer 46

Answer: C Explanation: Systems Integrity is a part of operational assurance opposed to life cycle assurance. “The operational assurance requirements specified in the Orange Book are as follows: System Architecture System integrity Covert channel analysis Trusted facility management Trusted recovery The life cycle assurance requirements specified in the Orange Book are as follows: Security testing Design specification and testing Configuration Management Trusted Distribution”

Question 47

QUESTION NO: 144 Which of the following is least likely to be found in the Orange Book? A. Security policy B. Documentation C. Accountability D. Networks and network components

Answer 47

Answer: D

Question 48

QUESTION NO: 145 According to the Orange Book, which security level is the first to require a system to support separate operator and system administrator rules? A. A1 B. B1 C. B2 D. B3

Answer 48

Answer: C

Question 49

QUESTION NO: 146 Which of the following is not an Orange book-defined life cycle assurance requirement? A. Security testing B. Design specification and testing C. Trusted distribution D. System integrity

Answer 49

Answer: D Explanation: Systems Integrity is a part of operational assurance opposed to life cycle assurance. “The operational assurance requirements specified in the Orange Book are as follows: System Architecture System integrity Covert channel analysis Trusted facility management Trusted recovery The life cycle assurance requirements specified in the Orange Book are as follows: Security testing Design specification and testing Configuration Management Trusted Distribution”

Question 50

QUESTION NO: 147 At what Trusted Computer Security Evaluation Criteria (TCSEC) or Information Technology Security Evaluation Criteria (ITSEC) security level are database elements FIRST required to have security labels? A. A1/E6 B. B1/E3 C. B2/E4 D. C2/E2

Answer 50

Answer: B Explanation: “B1: Labeled Security Each data object must contain a classification label and each subject must have a clearance label. When a subject attempts to access an object, the system must compare the subject and object’s security labels to ensure the requested actions are acceptable. Data leaving the system must also contain an accurate security label. The security policy is based on an informal statement and the design specifications are reviewed and verified. It is intended for environments that require systems to handle classified data.”

Question 51

QUESTION NO: 148 Which of the following statements pertaining to the Trusted Computer System Evaluation Criteria (TCSEC) is incorrect? A. With TCSEC, functionality and assurance are evaluated separately. B. TCSEC provides a means to evaluate the trustworthiness of an information system C. The Orange Book does not cover networks and communications D. Database management systems are not covered by the TCSEC

Answer 51

Answer: A

Question 52

QUESTION NO: 149 Which of the following is the lowest TCSEC class wherein the systems must support separate operator and system administrator roles? A. B2 B. B1 C. A1 D. A2

Answer 52

Answer: A

Question 53

QUESTION NO: 150 Which TCSEC (Orange Book) level requires the system to clearly identify functions of security administrator to perform security-related functions? A. C2 B. B1 C. B2 D. B3

Answer 53

Answer: D Explanation: B1: Labeled Security Each data object must contain a classification label and each subject must have a clearance label. When a subject attempts to access an object, the system must compare the subject and object’s security labels to ensure the requested actions are acceptable. Data leaving the system must also contain an accurate security label. The security policy is based on an informal statement and the design specifications are reviewed and verified. It is intended for environments that require systems to handle classified data. B2: Structured Protection The security policy is clearly defined and documented, and the system design and implementation are subjected to more thorough review and testing procedures. This class requires more stringent authentication mechanisms and well-defined interfaces among layers. Subjects and devices require labels, and the system must not allow covert channels. A trusted path for logon and authentication processes must be in place, which means there are no trapdoors. A trusted path means that the subject is communicating directly with the application or operating system. There is no way to circumvent or compromise this communication channel. There is a separation of operator and administration functions within the system to provide more trusted and protected operational functionality. Distinct address spaces must be provided to isolate processes, and a covert channel analysis is conducted. This class adds assurance by adding requirements to the design of the system. The environment that would require B2 systems could process sensitive data that require a higher degree of security. This environment would require systems that are relatively resistant to penetration and compromise. (A trusted path means that the user can be sure that he is talking to a genuine copy of the operating system.) B3: Security Domains In this class, more granularity is provided in each protection mechanism, and the programming code that is not necessary to support the security policy is exclude. The design and implementation should not provide too much complexity because as the complexity of a system increases, the ability of the individuals who need to test, maintain, and configure it reduces; thus, the overall security can be threatened. The reference monitor components must be small enough to test properly and be tamperproof. The security administrator role is clearly defined, and the system must be able to recover from failures without it security level being compromised. When the system starts up and loads it operating system and components, it must be done in an initial secure state to ensure that any weakness of the system cannot be taken advantage of in this slice of time. “

Question 54

QUESTION NO: 151 Which of the following statements pertaining to the trusted computing base (TCB) is false? A. It addresses the level of security a system provides B. It originates from the Orange Book C. It includes hardware, firmware, and software D. A higher TCB rating will require that details of their testing procedures and documentation be reviewed with more granularity

Answer 54

Answer: A

Question 55

QUESTION NO: 152 Which of the following is not an Orange book-defined operational assurance requirement? A. System architecture B. Trusted facility management C. Configuration management D. Covert channel analysis

Answer 55

Answer: C Explanation: Configuration management is a part of life cycle assurance opposed to operational assurance. “The operational assurance requirements specified in the Orange Book are as follows: System Architecture System integrity Covert channel analysis Trusted facility management Trusted recovery The life cycle assurance requirements specified in the Orange Book are as follows: Security testing Design specification and testing Configuration Management Trusted Distribution”

Question 56

QUESTION NO: 153 Which of the following focuses on the basic features and architecture of a system? A. operational assurance B. life cycle assurance C. covert channel assurance D. level A1

Answer 56

Answer: A Explanation: “The operational assurance requirements specified in the Orange Book are as follows: System Architecture System integrity Covert channel analysis Trusted facility management Trusted recovery”

Question 57

QUESTION NO: 154 Which level(s) must protect against both covert storage and covert timing channels? A. B3 and A1 B. B2, B3 and A1 C. A1 D. B1, B2, B3 and A1

Answer 57

Answer: A

Question 58

QUESTION NO: 155 According to the Orange Book, trusted facility management is not required for which of the following security levels? A. B1 B. B2 C. B3 D. A1

Answer 58

Answer: A Explanation: B1 does not provide trusted facility management, the next highest level that does is B2. “Trusted facility management is defined as the assignment of a specific individual to administer the security-related functions of a system. Although trusted facility management is an assurance requirement only for highly secure systems (B2, B3, and A1), many systems evaluated at lower security levels re structured to try to meet this requirement.”

Question 59

QUESTION NO: 156 Which factor is critical in all systems to protect data integrity? A. Data classification B. Information ownership C. Change control D. System design

Answer 59

Answer: A Explanation: A Integrity is dependent on confidentiality, which relies on data classification. Also Biba integrity model relies on data classification. “There are numerous countermeasures to ensure confidentiality against possible threats. These include the use of encryption, network traffic padding, strict access control, rigorous authentication procedures, data classification, and extensive personnel training. Confidentiality and integrity are dependent upon each other. Without object integrity, confidentiality cannon be maintained. Other concepts, conditions, and aspects of confidentiality include sensitivity, discretion, criticality, concealment, secrecy, privacy, seclusion, and isolation.” Pg 145 Tittel: CISSP Study Guide. “Biba Integrity Model Integrity is usually characterized by the three following goals: 1.)The data is protected from modification by unauthorized users. 2.)The data is protected from unauthorized modification by authorized users. 3.)The data is internally and externally consistent; the data held in a database must balance internally and correspond to the external, real world situation.”

Question 60

QUESTION NO: 157 Which of the following is not a common integrity goal? A. Prevent unauthorized users from making modifications B. Maintain internal and external consistency C. Prevent authorized users from making improper modifications D. Prevent paths that could lead to inappropriate disclosure

Answer 60

Answer: D

Question 61

QUESTION NO: 158 Which security model introduces access to objects only through programs? A. The Biba model B. The Bell-LaPadula model C. The Clark-Wilson model D. The information flow model

Answer 61

Answer: C Explanation: “The Clark-Wilson model is also an integrity-protecting model. The Clark-Wilson model was developed after Biba and approaches integrity protection from a different perspective. Rather than employing a lattice structure, it uses a three-part relationship of subject/program/object known as a triple. Subjects do not have direct access to objects. Objects can be access only through programs.”

Question 62

QUESTION NO: 159 To ensure that integrity is attainted through the Clark and Wilson model, certain rules are needed.These rules are: A. Processing rules and enforcement rules. B. Integrity-bouncing rules. C. Certification rules and enforcement rules. D. Certification rules and general rules.

Answer 62

Answer: C Explanation: To ensure that integrity is attained and preserved, Clark and Wilson assert, certain integrity-monitoring and integrity-preserving rules are needed. Integrity-monitoring rules are called certification rules, and integrity-preserving rules are called enforcement rules.

Question 63

QUESTION NO: 160 What can be defined as a formal security model for the integrity of subjects and objects in a system? A. Biba B. Bell LaPadulaLattice C. Lattice D. Info Flow

Answer 63

Answer: A Explanation: The Handbook of Information System Management, 1999 Edition, ISBN: 0849399742 presents the following definition: In studying the two properties of the Bell-LaPadula model, Biba discovered a plausible notion of integrity, which he defined as prevention of unauthorized modification. The resulting Biba integrity model states that maintenance of integrity requires that data not flow from a receptacle of given integrity to a receptacle of higher integrity. For example, if a process can write above its security level, trustworthy data could be contaminated by the addition of less trustworthy data. SANS glossary at http://www.sans.org/newlook/resources/glossary.htm define it as: Formal security model for the integrity of subjects and objects in a system.

Question 64

QUESTION NO: 161 The Clark Wilson model has its emphasis on: A. Security B. Integrity C. Accountability D. Confidentiality

Answer 64

Answer: B Explanation: This model attempts to capture security requirements of commercial applications. ‘Military’ and ‘Commercial’ are shorthand for different ways of using computers. This model has emphasis on integrity: Internal consistency: properties of the internal state of a system External consistency: relation of the internal state of a system to the outside world

Question 65

QUESTION NO: 162 What does * (star) integrity axiom mean in the Biba model? A. No read up B. No write down C. No read down D. No write up

Answer 65

Answer: D Explanation: “Biba has two integrity axioms:

Question 66

QUESTION NO: 163 Which access control model states that for integrity to be maintained data must not flow from a receptacle of given integrity to a receptacle of higher integrity? A. Lattice Model B. Bell-LaPadula Model C. Biba Model D. Take-Grant Model

Answer 66

Answer: C Explanation: If implemented and enforced properly, the Biba model prevents data from any integrity level from flowing to a higher integrity level.

Question 67

QUESTION NO: 164 Which one of the following is a KEY responsibility for the “Custodian of Data”? A. Data content and backup B. Integrity and security of data C. Authentication of user access D. Classification of data elements

Answer 67

Answer: B Explanation: Custodian - Preserves the information’s CIA (chart)

Question 68

QUESTION NO: 165 Which one of the following is true about information that is designated with the highest of confidentiality in a private sector organization? A. It is limited to named individuals and creates an audit trail. B. It is restricted to those in the department of origin for the information. C. It is available to anyone in the organization whose work relates to the subject and requires authorization for each access. D. It is classified only by the information security officer and restricted to those who have made formal requests for access.

Answer 68

Answer: C

Question 69

QUESTION NO: 166 Related to information security, confidentiality is the opposite of which of the following? A. closure B. disclosure C. disposal D. disaster

Answer 69

Answer: B

Question 70

QUESTION NO: 167 What is the main concern of the Bell-LaPadula security model? A. Accountability B. Integrity C. Confidentiality D. Availability

Answer 70

Answer: C Explanation: “An important thing to note is that the Bell-LaPadula model was developed to make sure secrets stay secret; thus, it provides and addresses confidentiality only. This model does not address integrity of the data the system maintains – only who can and cannot access the data.”

Question 71

QUESTION NO: 168 Which of the following are the limitations of the Bell-LaPadula model? A. No policies for changing access data control. B. All of the choices. C. Contains covert channels. D. Static in nature.

Answer 71

Answer: B Explanation: Limitations of the BLP model: Have no policies for changing access data control Intended for systems with static security levels Contains covert channels: a low subject can detect the existence of a high object when it is denied access. Sometimes it is not enough to hide the content of an object; also their existence may have to be hidden. Restricted to confidentiality

Question 72

QUESTION NO: 169 Which of the following is a state machine model capturing confidentiality aspects of access control? A. Clarke Wilson B. Bell-LaPadula C. Chinese Wall D. Lattice

Answer 72

Answer: B Explanation: Bell-LaPadula is a state machine model capturing confidentiality aspects of access control. Access permissions are defined through an Access Control matrix and through a partial ordering of security levels. Security policies prevent information flowing downwards from a high security level to a low security level. BLP only considers the information flow that occurs when a subject observes or alters an object.

Question 73

QUESTION NO: 170 With the BLP model, access permissions are defined through: A. Filter rules B. Security labels C. Access

Answer 73

Answer: C Explanation: Bell-LaPadula is a state machine model capturing confidentiality aspects of access control. Access permissions are defined through an Access Control matrix and through a partial ordering of security levels. Security policies prevent information flowing downwards from a high security level to a low security level. BLP only considers the information flow that occurs when a subject observes or alters an object.

Question 74

QUESTION NO: 171 With the BLP model, security policies prevent information flowing downwards from a: A. Low security level B. High security level C. Medium security level D. Neutral security level

Answer 74

Answer: B Explanation: Bell-LaPadula is a state machine model capturing confidentiality aspects of access control. Access permissions are defined through an Access Control matrix and through a partial ordering of security levels. Security policies prevent information flowing downwards from a high security level to a low security level. BLP only considers the information flow that occurs when a subject observes or alters an object.

Question 75

QUESTION NO: 172 When will BLP consider the information flow that occurs? A. When a subject alters on object. B. When a subject accesses an object. C. When a subject observer an object. D. All of the choices.

Answer 75

Answer: D Explanation: Bell-LaPadula is a state machine model capturing confidentiality aspects of access control. Access permissions are defined through an Access Control matrix and through a partial ordering of security levels. Security policies prevent information flowing downwards from a high security level to a low security level. BLP only considers the information flow that occurs when a subject observes or alters an object.

Question 76

QUESTION NO: 173 In the Bell-LaPadula model, the Star-property is also called: A. The simple security property B. The confidentiality property C. The confinement property D. The tranquility property

Answer 76

Answer: C

Question 77

QUESTION NO: 174 The Lattice Based Access Control model was developed MAINLY to deal with: A. Affinity B. None of the choices. C. Confidentiality D. Integrity

Answer 77

Answer: C Explanation: Page 349 of Harris’ 5th edition references Bell-LaPadula model in the Lattice Based example. Bell-LaPadula is Confidentiality focused, not integrity focused.

Question 78

QUESTION NO: 175 With the Lattice Based Access Control model, a security class is also called a: A. Control factor B. Security label C. Mandatory number D. Serial ID

Answer 78

Answer: B Explanation: The Lattice Based Access Control model was developed to deal mainly with information flow in computer systems. Information flow is clearly central to confidentiality but to some extent it also applies to integrity. The basic work in this area was done around 1970 and was driven mostly by the defense sector. Information flow in computer systems is concerned with flow from one security class (also called security label) to another. These controls are applied to objects. An object is a container of information, and an object can be a directory or file.

Question 79

QUESTION NO: 176 Under the Lattice Based Access Control model, a container of information is a(n): A. Object B. Model C. Label

Answer 79

Answer: A Explanation: The Lattice Based Access Control model was developed to deal mainly with information flow in computer systems. Information flow is clearly central to confidentiality but to some extent it also applies to integrity. The basic work in this area was done around 1970 and was driven mostly by the defense sector. Information flow in computer systems is concerned with flow from one security class (also called security label) to another. These controls are applied to objects. An object is a container of information, and an object can be a directory or file.

Question 80

QUESTION NO: 177 What Access Control model was developed to deal mainly with information flow in computer systems? A. Lattice Based B. Integrity Based C. Flow Based D. Area Based

Answer 80

Answer: A Explanation: The Lattice Based Access Control model was developed to deal mainly with information flow in computer systems. Information flow is clearly central to confidentiality but to some extent it also applies to integrity. The basic work in this area was done around 1970 and was driven mostly by the defense sector. Information flow in computer systems is concerned with flow from one security class (also called security label) to another. These controls are applied to objects. An object is a container of information, and an object can be a directory or file.

Question 81

QUESTION NO: 178 The Lattice Based Access Control model was developed to deal mainly with ___________ in computer systems. A. Access control B. Information flow C. Message routes D. Encryption

Answer 81

Answer: B Explanation: Information flow is clearly central to confidentiality but to some extent it also applies to integrity. The basic work in this area was done around 1970 and was driven mostly by the defense sector. Information flow in computer systems is concerned with flow from one security class (also called security label) to another. These controls are applied to objects. An object is a container of information, and an object can be a directory or file.

Question 82

QUESTION NO: 179 In the Lattice Based Access Control model, controls are applied to: A. Scripts B. Objects C. Models D. Factors

Answer 82

Answer: B Explanation: Information flow is clearly central to confidentiality but to some extent it also applies to integrity. The basic work in this area was done around 1970 and was driven mostly by the defense sector. Information flow in computer systems is concerned with flow from one security class (also called security label) to another. These controls are applied to objects. An object is a container of information, and an object can be a directory or file.

Question 83

QUESTION NO: 180 Access control techniques do not include: A. Rule-Based Access Controls B. Role-Based Access Controls C. Mandatory Access Controls D. Random Number Based Access Control

Answer 83

Answer: D

Question 84

QUESTION NO: 181 An access control policy for a bank teller is an example of the implementation of which of the following? A. rule-based policy B. identity-based policy C. user-based policy D. role-based policy

Answer 84

Answer: D

Question 85

QUESTION NO: 182 Access control techniques do not include which of the following choices? A. Relevant Access Controls B. Discretionary Access Controls C. Mandatory Access Controls D. Lattice Based Access Controls

Answer 85

Answer: A Explanation: “Mandatory Access Control. The authorization of a subject’s access to an object depends upon labels, which indicate the subject’s clearance, and the classification or sensitivity of the object.” “Rule-based access control is a type of mandatory access control because rules determine this access, rather than the identity of the subjects and objects alone.” “Discretionary Access Control. The subject has authority, within certain limitations, to specify what objects are accessible.” “When a user with certain limitations has the right to alter the access control to certain objects, this is termed as user-directed discretionary access control.” “An identity-based access control is a type of a discretionary access control based on an individual’s identity.” “In some instances, a hybrid approach is used, which combines the features of user-based and identity-based discretionary access control.” “Non-discretionary Access Control. A Central authority determines what subjects can have access to certain objects based on the organizational security policy.” “The access controls might be based on the individuals role in the organization (role-based) or the subject’s responsibilities and duties (task-based).” “[Lattice-based] In this type of control, a lattice model is applied. “Access control can be characterized as context-dependent or content dependent.”

Question 86

QUESTION NO: 183 What is called a type of access control where a central authority determines what subjects can have access to certain objects, based on the organizational security policy? A. Mandatory Access Control B. Discretionary Access Control C. Non-discretionary Access Control D. Rule-based access control

Answer 86

Answer: C Explanation: Non-Discretionary Access Control. A central authority determines what subjects can have access to certain objects based on organizational security policy. The access controls may be based on the individual’s role in the organization (role-based) or the subject’s responsibilities and duties (task-based).

Question 87

QUESTION NO: 184 In non-discretionary access control, a central authority determines what subjects can have access to certain objects based on the organizational security policy. The access controls may be based on: A. the society’s role in the organization B. the individual’s role in the organization C. the group-dynamics as they relate to the individual’s role in the organization D. the group-dynamics as they relate to the master-slave role in the organization

Answer 87

Answer: B Explanation: Non-Discretionary Access Control. A central authority determines what subjects can have access to certain objects based on organizational security policy. The access controls may be based on the individual’s role in the organization (role-based) or the subject’s responsibilities and duties (task-based).

Question 88

QUESTION NO: 185 This is a common security issue that is extremely hard to control in large environments. It occurs when a user has more computer rights, permissions, and privileges than what is required for the tasks the user needs to fulfill. What best describes this scenario? A. Excessive Rights B. Excessive Access C. Excessive Permissions D. Excessive Privileges

Answer 88

Answer: D

Question 89

QUESTION NO: 186 The default level of security established for access controls should be A. All access B. Update access C. Read access D. No access

Answer 89

Answer: D Explanation: “Need to Know and the Principle of Least Privilege are two standard axioms of highsecurity environments. A user must have a need-to-know to gain access to data or resources. Even if that ser has an equal or greater security classification than the requested information, if they do not have a need-to-know, they are denied access. A need-to-know is the requirement to have access to, knowledge about, or possession of data or a resource to perform specific work tasks. The principle of least privilege is the notion that users should be granted the least amount of access to the secure environment as possible for them to be able to complete their work tasks.”

Question 90

QUESTION NO: 187 Access Control techniques do not include which of the following choices? A. Relevant Access Controls B. Discretionary Access Control C. Mandatory Access Control D. Lattice Based Access Controls

Answer 90

Answer: A

Question 91

QUESTION NO: 188 Which of the following is a type of mandatory access control? A. Rule-based access control B. Role-based access control C. User-directed access control D. Lattice-based access control

Answer 91

Answer: A

Question 92

QUESTION NO: 189 A central authority determines what subjects can have access to certain objects based on the organizational security policy is called: A. Mandatory Access Control B. Discretionary Access Control C. Non-Discretionary Access Control D. Rule-based Access Control

Answer 92

Answer: C

Question 93

QUESTION NO: 190 What can be defined as a table of subjects and objects indicating what actions individual subjects can take upon individual objects? A. A capacity table B. An access control list C. An access control matrix D. A capability table

Answer 93

Answer: C

Question 94

QUESTION NO: 191 What access control methodology facilitates frequent changes to data permissions? A. Rule-based B. List-based C. Role-based D. Ticket-based

Answer 94

Answer: A Explanation: RBAC - This type of model provides access to resources based on the role the users holds within the company or the tasks that user has been assigned. - Shon Harris All-in-one CISSP Certification Guide pg 937 Rule-based access control is a type of mandatory access control because rules determine this access (such as the correspondence of clearances labels to classification labels), rather than the identity of the subjects and objects alone.

Question 95

QUESTION NO: 192 Which of the following is a means of restricting access to objects based on the identity of the subject to which they belong? A. Mandatory access control B. Group access control C. Discretionary access control D. User access control

Answer 95

Answer: C Explanation: The question does not ask about the identity of the accessing subject, the question refers to the subject to which the object belongs (ie the owner). The owner setting the access rights is the definition of DAC. “DAC systems grant or deny access based on the identity of the subject.

Question 96

QUESTION NO: 193 What is the method of coordinating access to resources based on the listening of permitted IP addresses? A. MAC B. ACL C. DAC D. None of the choices.

Answer 96

Answer: B Explanation: The definition of ACL: A method of coordinating access to resources based on the listing of permitted (or denied) users, network addresses or groups for each resource.

Question 97

QUESTION NO: 194 What control is based on a specific profile for each user? A. Lattice based access control. B. Directory based access control. C. Rule based access control. D. ID based access control.

Answer 97

Answer: D Explanation: The correct answer should be ID based access control. Rule based isn’t necessarily identity based.

Question 98

QUESTION NO: 195 In a very large environment, which of the following is an administrative burden? A. Rule based access control. B. Directory based access control. C. Lattice based access control D. ID bases access control

Answer 98

Answer: D

Question 99

QUESTION NO: 196 Which of the following is a feature of the Rule based access control? A. The use of profile. B. The use of information flow label. C. The use of data flow diagram. D. The use of token.

Answer 99

Answer: A Explanation: Rule based access control is based on a specific profile for each user. Information can be easily changed for only one user but this scheme may become a burden in a very large environment. A rule-based access control unit will intercept every request to the server and compare the source specific access conditions with the rights of the user in order to make an access decision. A good example could be a firewall. Here a set of rules defined by the network administrator is recorded in a file. Every time a connection is attempted (incoming or outgoing), the firewall software checks the rules file to see if the connection is allowed. If it is not, the firewall closes the connection.

Question 100

QUESTION NO: 197 What is an access control model? A. A formal description of access control ID specification. B. A formal description of security policy. C. A formal description of a sensibility label. D. None of the choices.

Answer 100

Answer: B Explanation: What is an access control model? It is a formal description of a security policy. What is a security policy? A security policy captures the security requirements of an enterprise or describes the steps that have to be taken to achieve security. Security models are used in security evaluation, sometimes as proofs of security.

Question 101

QUESTION NO: 198 Which of the following is true about MAC? A. It is more flexible than DAC. B. It is more secure than DAC. C. It is less secure than DAC. D. It is more scalable than DAC.

Answer 101

Answer: B Explanation: Mandatory controls are access controls that are based on a policy that the user, and more importantly the processes running with that user’s privileges, is not allowed to violate. An example of this is “Top Secret” data is configured so that regardless of what the user does, the data cannot be transmitted to someone who does not have “Top Secret” status. Thus no “trojan horse” program could ever do what the user is not allowed to do anyway. The restrictions of mandatory controls are (at least in normal mode) also applied to the user who in a discretionary system would be “root”, or the superuser.

Question 102

QUESTION NO: 199 Which of the following is true regarding a secure access model? A. Secure information cannot flow to a more secure user. B. Secure information cannot flow to a less secure user. C. Secure information can flow to a less secure user. D. None of the choices.

Answer 102

Answer: B Explanation: Access restrictions such as access control lists and capabilities sometimes are not enough. In some cases, information needs to be tightened further, sometimes by an authority higher than the owner of the information. For example, the owner of a top-secret document in a government office might deem the information available to many users, but his manager might know the information should be restricted further than that. In this case, the flow of information needs to be controlled – secure information cannot flow to a less secure user.

Question 103

QUESTION NO: 200 In the Information Flow Model, what acts as a type of dependency? A. State B. Successive points C. Transformation D. Flow

Answer 103

Answer: D Explanation: A flow is a type of dependency that relates two versions of the same object, and thus the transformation of one state of that object into another, at successive points in time.

Question 104

QUESTION NO: 201 A firewall can be classified as a: A. Directory based access control. B. Rule based access control. C. Lattice based access control. D. ID based access control.

Answer 104

Answer: B Explanation: Rule based access control is based on a specific profile for each user. Information can be easily changed for only one user but this scheme may become a burden in a very large environment. A rule-based access control unit will intercept every request to the server and compare the source specific access conditions with the rights of the user in order to make an access decision. A good example could be a firewall. Here a set of rules defined by the network administrator is recorded in a file. Every time a connection is attempted (incoming or outgoing), the firewall software checks the rules file to see if the connection is allowed. If it is not, the firewall closes the connection.

Question 105

QUESTION NO: 202 Which of the following are the two most well known access control models? A. Lattice and Biba B. Bell LaPadula and Biba C. Bell LaPadula and Chinese war D. Bell LaPadula and Info Flow

Answer 105

Answer: B Explanation: The two most well known models are Bell&LaPadula [1973] and Biba[1977]. Both were designed in and for military environments.

Question 106

QUESTION NO: 203 What security model implies a central authority that determines what subjects can have access to A. Centralized access control B. Discretionary access control C. Mandatory access control D. Non-discretionary access control

Answer 106

Answer: D Explanation: A role-based access control (RBAC) model, also called nondiscretionary access control, uses a centrally administrated set of controls to determine how subjects and objects interact. – Shon Harris, “CISSP All-in-One Exam Guide”, 3rd Ed, p 165.

Question 107

QUESTION NO: 204 Which of the following is best known for capturing security requirements of commercial applications? A. Lattice B. Biba C. Bell LaPadula D. Clark and Wilson

Answer 107

Answer: D Explanation: This model attempts to capture security requirements of commercial applications. ‘Military’ and ‘Commercial’ are shorthand for different ways of using computers. This model has emphasis on integrity: Internal consistency: properties of the internal state of a system External consistency: relation of the internal state of a system to the outside world

Question 108

QUESTION NO: 205 Which of the following is a straightforward approach that provides access rights to subjects for objects? A. Access Matrix model B. Take-Grant Model C. Bell-LaPadula Model D. Biba Model

Answer 108

Answer: A Explanation: “The access matrix is a straightforward approach that provides access rights to subjects for objects. Access rights are of the type read, write, and execute. A subject is an active entity that is seeking rights to a resource or object. A subject can be a person, a program, or a process. An object is a passive entity, such as a file or a storage resource.” Pg 272 Krutz: CISSP Prep Guide: Gold Edition.

Question 109

QUESTION NO: 206 What is called the type of access control where there are pairs of elements that have the least upper bound of values and greatest lower bound of values? A. Mandatory model B. Discretionary model C. Lattice model D. Rule model

Answer 109

Answer: C Explanation: Lattice-based access control provides an upper bound and lower bound of access capabilities for every subject and object relationship.

Question 110

QUESTION NO: 207 Which access control would a lattice-based access control be an example of? A. Mandatory access control B. Discretionary access control C. Non-discretionary access control D. Rule-based access control

Answer 110

Answer: A

Question 111

QUESTION NO: 208 Who developed one of the first mathematical models of a multilevel-security computer system? A. Diffie Hillman B. Clark and Wilson C. Bell and LaPadula D. Gasser and Lipner

Answer 111

Answer: C

Question 112

QUESTION NO: 209 Which of the following was the first mathematical model of multilevel security policy? A. Biba B. Take-Grant C. Bell-La Padula D. Clark Wilson

Answer 112

Answer: C Explanation: “In the 1970’s, the US military used time-sharing mainframe systems and was concerned about these systems and leakage of classified information. The Bell-LaPadula model was developed to address these concerns. It was the first mathematical model of a multilevel security policy used to define the concept of a secure state machine and modes of access and outline rules of access.”

Question 113

QUESTION NO: 210 Which security model allows the data custodian to grant access privileges to other users? A. Mandatory B. Bell-LaPadula C. Discretionary D. Clark-Wilson

Answer 113

Answer: C Explanation: “ Discretionary Access Control. The subject has authority, within certain limitations, to specify what objects are accessible.”

Question 114

QUESTION NO: 211 What is one issue NOT addressed by the Bell-LaPadula model? A. Information flow control B. Security levels C. Covert channels D. Access modes

Answer 114

Answer: C Explanation: As with any model, the Bell-LaPadula model has some weaknesses. These are the major ones. The model considers normal channels of the information exchange and does not address covert channels.

Question 115

QUESTION NO: 212 Which one of the following access control models associates every resource and every user of a resource with one of an ordered set of classes? A. Take-Grant model B. Biba model C. Lattice model D. Clark-Wilson model

Answer 115

Answer: C Explanation: With a lattice model you first have to define a set of security classes that can be assigned to users or objects…After you have defined set of security classes, you define a set flow operations showing when information can flow from one class to another - Roberta Bragg Cissp Certification Training Guide (que) pg 23

Question 116

QUESTION NO: 213 What scheme includes the requirement that the system maintain the separation of duty requirement expressed in the access control triples? A. Bella B. Lattice C. Clark-Wilson D. Bell-LaPadula

Answer 116

Answer: C Explanation: Separation of duty is necessarily determined by conditions external to the computer system. The Clark-Wilson scheme includes the requirement that the system maintain the separation of duty requirement expressed in the access control triples. Enforcement is on a per-user basis, using the user ID from the access control triple.

Question 117

QUESTION NO: 214 The access matrix model consists of which of the following parts? (Choose all that apply) A. A function that returns an objects type. B. A list of subjects. C. A list of objects.

Answer 117

Answer: A,B,C Explanation: The access matrix model consists of four major parts: A list of objects A list of subjects A function T that returns an object’s type The matrix itself, with the objects making the columns and the subjects making the rows Note: This question seems to confuse access control matrix, Harris, 3rd Ed, p 169 with access control types, Ibid, p 188ff “An access control matrix is a table of subjects and objects indicating what actions … subjects can take upon … objects”, Harris, 3rd Ed, p 169. It would be right if item “A” was “a function that returned an access right”

Question 118

QUESTION NO: 215 The access matrix model has which of the following common implementations? A. Access control lists and capabilities. B. Access control lists. C. Capabilities. D. Access control list and availability.

Answer 118

Answer: A Explanation: The two most used implementations are access control lists and capabilities. Access control lists are achieved by placing on each object a list of users and their associated rights to that object.

Question 119

QUESTION NO: 216 The lattice-based model aims at protecting against: A. Illegal attributes. B. None of the choices. C. Illegal information flow among the entities. D. Illegal access rights

Answer 119

Answer: C Explanation: The lattice-based model aims at protecting against illegal information flow among the entities. One security class is given to each entity in the system. A flow relation among the security classes is defined to denote that information in one class can flow into another class.

Question 120

QUESTION NO: 217 Which of the following are the components of the Chinese wall model? A. Conflict of interest. B. All of the choices. C. Subject D. Company Datasets.

Answer 120

Answer: B Explanation: The model has the following component: COMPONENT EXAMPLE Subject Analyst Object Data item for a single client Company Datasets Give for each company its own company dataset Conflict of interest classes Give for each object companies that have a conflict of interest Labels Company dataset + conflict of interest class Sanitized information No access restriction

Question 121

QUESTION NO: 218 Enforcing minimum privileges for general system users can be easily achieved through the use of: A. TSTEC B. RBAC C. TBAC D. IPSEC

Answer 121

Answer: B Explanation: Ensuring least privilege requires identifying what the user’s job is, determining the minimum set of privileges required to perform that job, and restricting the user to a domain with those privileges and nothing more. By denying to subjects transactions that are not necessary for the performance of their duties, those denied privileges couldn’t be used to circumvent the organizational security policy. Although the concept of least privilege currently exists within the context of the TCSEC, requirements restrict those privileges of the system administrator. Through the use of RBAC, enforced minimum privileges for general system users can be easily achieved.

Question 122

QUESTION NO: 219 What is necessary for a subject to have write access to an object in a Multi-Level Security Policy? A. The subject’s sensitivity label must dominate the object’s sensitivity label B. The subject’s sensitivity label subordinates the object’s sensitivity label C. The subject’s sensitivity label is subordinated by the object’s sensitivity label D. The subject’s sensitivity label is dominated by the object’s sensitivity label

Answer 122

Answer: A Explanation: The correct answer is: The subject’s sensitivity label must dominate the object’s sensitivity label. With a Multi-level security policy you have information that has different sensitivity labels. In order to read an object the subject’s sensitivity label must be equal to or greater than that of the object. So it would be considered to dominate it, no read up. The following answers are incorrect: The subject’s sensitivity label subordinates the object’s sensitivity label. Is incorrect because if the subject’s sensitivity label subordinates the object’s sensitivity label that would mean it is lower and the subject should not have read access to the object. The subject’s sensitivity label is subordinated by the object’s sensitivity label. Is incorrect because the this would not allow for read access if the sensitivity lables were equal. So the subject’s sensitivity label is not subordinated by the object’s sensitivity label, the subject’s label must dominate the object’s label. Remember dominate means equal to or greater than where subordinate means less than. The subject’s sensitivity label is dominated by the object’s sensitivity label. Is incorrect because if the object’s sensitivity label dominates the subject’s sensitivity label then the subject should not have access, it is the subject that must dominate the object and not the other way around. Remember dominate means equal to or greater than so this would mean that the object’s sensitivity label is equal to or greater than the subject. According to the OIG, Multi-level security is defined as a class of system-containing information with different sensitivities that simultaneously permits access by users with different security clearances and need-to-know, but prevents users from obtaining access to information for which they lack authorization. The Subject’s sensitivity label must be equal to or greater than the object’s sensitivity label in order for the subject to have read access to it, no read up.

Question 123

QUESTION NO: 220 Which of the following security modes of operation involved the highest risk? A. Compartmented Security Mode B. Multilevel Security Mode C. System-High Security Mode D. Dedicated Security Mode

Answer 123

Answer: B Explanation: “Security Modes In a secure environment, information systems are configured to process information in one of four security modes. These modes are set out by the Department of Defense as follows: Systems running compartmental security mode may process two or more types of compartmented information. All system users must have an appropriate clearance to access all information processed by the system but do not necessarily have a need to know all of the information in the system. Compartments are subcategories or compartments within the different classification levels and extreme care is taken to preserve the information within the different compartments. The system may be classified at the Secret level but contain five different compartments, all classified Secret. If a user has only the need to know about two of the five different compartments to do their job, that user can access the system but can only access the two compartments. Compartmented systems are usually dedicated systems for each specific compartment to prevent the chance of any errors, because compartmentalization is the most secret of all the secrets. Systems running in the dedicated security mode are authorized to process only a specific classification level at a time, and all system users must have clearance and a need to know that information. Systems running in multilevel security mode are authorized to process information at more than one level of security even when all system users do not have appropriate clearances or a need to know for all information processed by the system. Systems running in system-high security mode are authorized to process only information that all system users are cleared to read and to have a valid need to know. These systems are not trusted to maintain separation between security levels, and all information processed by these systems must be handled as if it were classified at the same level as the most highly classified information processed by the system.”

Question 124

QUESTION NO: 221 Controlled Security Mode is also known as: A. Multilevel Security Mode B. Partitioned Security Mode C. Dedicated Security Mode D. System-high Security Mode

Answer 124

Answer: A

Question 125

QUESTION NO: 222 The unauthorized mixing of data of one sensitivity level and need-to-know with data of a lower sensitivity level, or different need-to-know, is called data A. Contamination B. Seepage C. Aggregation D. Commingling

Answer 125

Answer: A Explanation: WOW if you are reading these comments then you know I have disagreed with a bunch of the original answers! Well here is another. The original was Seepage. I think it is Contamination. “The intermixing of data at different sensitivity and need-to-know levels. The lower-level data is said to be contaminated by the higher-level data; thus contaminating (higher-level) data might not receive the required level of protection” -Ronald Krutz The CISSP PREP Guide (gold edition) pg 890

Question 126

QUESTION NO: 223 Which one of the following should be employed to protect data against undetected corruption? A. Non-repudiation B. Encryption C. Authentication D. Integrity

Answer 126

Answer: D

Question 127

QUESTION NO: 224 Which of the following is a communication path that is not protected by the system’s normal security mechanisms? A. A trusted path B. A protection domain C. A covert channel D. A maintenance hook

Answer 127

Answer: C

Question 128

QUESTION NO: 225 A channel within a computer system or network that is designed for the authorized transfer of information is identified as a(n)? A. Covert channel B. Overt channel C. Opened channel D. Closed channel

Answer 128

Answer: B Explanation: “An overt channel is a channel of communication that was developed specifically for communication purposes. Processes should be communicating through overt channels, not covert channels.”

Question 129

QUESTION NO: 226 Covert channel is a communication channel that can be used for: A. Hardening the system. B. Violating the security policy. C. Protecting the DMZ. D. Strengthening the security policy.

Answer 129

Answer: B Explanation: Covert channel is a communication channel that allows transfer of information in a manner that violates the system’s security policy.

Question 130

QUESTION NO: 227 What is an indirect way to transmit information with no explicit reading of confidential information? A. Covert channels B. Backdoor C. Timing channels D. Overt channels

Answer 130

Answer: A Explanation: Covert channels: indirect ways for transmitting information with no explicit reading of confidential information. This kind of difficulties induced some researchers to re-think from scratch the whole problem of guaranteeing security in computer systems.

Question 131

QUESTION NO: 228 Which one of the following describes a covert timing channel? A. Modulated to carry an unintended information signal that can only be detected by special, sensitive receivers. B. Used by a supervisor to monitor the productivity of a user without their knowledge. C. Provides the timing trigger to activate a malicious program disguised as a legitimate function. D. Allows one process to signal information to another by modulating its own use of system resources.

Answer 131

Answer: D Explanation: A covert channel in which one process signals information to another by modulating its own use of system resources (for example, CPU time) in such a way that this manipulation affects the real response time observed by the second process. - Shon Harris All-in-one CISSP Certification Guide pg 929

Question 132

QUESTION NO: 229 Covert channel analysis is required for A. Systems processing Top Secret or classified information. B. A Trusted Computer Base with a level of trust B2 or above. C. A system that can be monitored in a supervisor state. D. Systems that use exposed communication links.

Answer 132

Answer: B Explanation: Table 6.6 Standards Comparison B2 Structured Protection (covert channel, device labels, subject sensitivity labels, trusted path, trusted facility management, configuration management) F4+E4 EAL5

Question 133

QUESTION NO: 230 In multi-processing systems, which one of the following lacks mandatory controls and is NORMALLY AVOIDED for communication? A. Storage channels B. Covert channels C. Timing channels D. Object channels

Answer 133

Answer: B Explanation: Covert channel - A communication path that enables a process to transmit information in a way that violates the system’s security policy. - Shon Harris All-in-one CISSP Certification Guide pg 929

Question 134

QUESTION NO: 231 What security risk does a covert channel create? A. A process can signal information to another process. B. It bypasses the reference monitor functions. C. A user can send data to another user. D. Data can be disclosed by inference.

Answer 134

Answer: B Explanation: The risk is not that a process can signal another process. The risk is that the signaling bypasses the reference monitor functions (ie the communication is not screened by the security kernel that implements the reference monitor).

Question 135

QUESTION NO: 232 What is the essential difference between a self-audit and an independent audit? A. Tools used B. Results C. Objectivity D. Competence

Answer 135

Answer: C

Question 136

QUESTION NO: 233 What is called the formal acceptance of the adequacy of a system’s overall security by the management? A. Certification B. Acceptance C. Accreditation D. Evaluation

Answer 136

Answer: C

Question 137

QUESTION NO: 234 FIPS-140 is a standard for the security of: A. Cryptographic service providers B. Smartcards C. Hardware and software cryptographic modules D. Hardware security modules

Answer 137

Answer: C