Topic 1: Access Control
What is the name of the first mathematical model of a multi-level security policy used to
define the concept of a secure state, the modes of access, and rules for granting access?
A.
Clark and Wilson Model
B.
Harrison-Ruzzo-Ullman Model
C.
Rivest and Shamir Model
D.
Bell-LaPadula Model
Bell-LaPadula Model
Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation
What is called the use of technologies such as fingerprint, retina, and iris scans to
authenticate the individuals requesting access to resources?
A.
Micrometrics
B.
Macrometrics
C.
Biometrics
D.
MicroBiometrics
Biometrics
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide:
Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 35.
An attack initiated by an entity that is authorized to access system resources but uses them
in a way not approved by those who granted the authorization is known as a(n):
A.
active attack
B.
outside attack
C.
inside attack
D.
passive attack
inside attack
An inside attack is an attack initiated by an entity inside the security
perimeter, an entity that is authorized to access system resources but uses them in a way
not approved by those who granted the authorization whereas an outside attack is initiated
from outside the perimeter, by an unauthorized or illegitimate user of the system. An active
attack attempts to alter system resources to affect their operation and a passive attack
attempts to learn or make use of the information from the system but does not affect
system resources.
Source: SHIREY, Robert W., RFC2828: Internet Security Glossary, may 2000.
Which of following is not a service provided by AAA servers (Radius, TACACS and
DIAMETER)?
A.
Authentication
B.
Administration
C.
Accounting
D.
Authorization
Administration
Radius, TACACS and DIAMETER are classified as authentication,
authorization, and accounting (AAA) servers.
Source: TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management
Handbook, 4th Edition, Volume 2, 2001, CRC Press, NY, Page 33.
also see:
The term "AAA" is often used, describing cornerstone concepts [of the AIC triad] Authentication, Authorization, and Accountability. Left out of the AAA acronym is
Identification which is required before the three "A's" can follow. Identity is a claim,
Authentication proves an identity, Authorization describes the action you can perform on a
system once you have been identified and authenticated, and accountability holds users
accountable for their actions.
Reference: CISSP Study Guide, Conrad Misenar, Feldman p. 10-11, (c) 2010 Elsevier.
Controls provide accountability for individuals who are accessing sensitive information. This
accountability is accomplished:
A.
through access control mechanisms that require identification and authentication and
through the audit function.
B.
through logical or technical controls involving the restriction of access to systems and
the protection of information.
C.
through logical or technical controls but not involving the restriction of access to systems
and the protection of information.
D.
through access control mechanisms that do not require identification and authentication
and do not operate through the audit function.
through access control mechanisms that require identification and authentication and
through the audit function.
Controls provide accountability for individuals who are accessing sensitive
information. This accountability is accomplished through access control mechanisms that
require identification and authentication and through the audit function. These controls
must be in accordance with and accurately represent the organization's security policy.
Assurance procedures ensure that the control mechanisms correctly implement the
security policy for the entire life cycle of an information system.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33.
Kerberos is vulnerable to replay in which of the following circumstances?
A.
When a private key is compromised within an allotted time window.
B.
When a public key is compromised within an allotted time window.
C.
When a ticket is compromised within an allotted time window.
D.
When the KSD is compromised within an allotted time window.
When a ticket is compromised within an allotted time window.
Replay can be accomplished on Kerberos if the compromised tickets are
used within an allotted time window.
The security depends on careful implementation:enforcing limited lifetimes for
authentication credentials minimizes the threat of of replayed credentials, the KDC must be
physically secured, and it should be hardened, not permitting any non-kerberos activities.
Reference:
Official ISC2 Guide to the CISSP, 2007 Edition, page 184
also see:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten
Domains of Computer Security, 2001, John Wiley & Sons, Page 42.
Which of the following attacks could capture network user passwords?
A.
Data diddling
B.
Sniffing
C.
IP Spoofing
D.
Smurfing
Sniffing
A network sniffer captures a copy every packet that traverses the network
segment the sniffer is connect to.
Sniffers are typically devices that can collect information from a communication medium,
such as a network. These devices can range from specialized equipment to basic
workstations with customized software.
A sniffer can collect information about most, if not all, attributes of the communication. The most common method of sniffing is to plug a sniffer into an existing network device like a
hub or switch. A hub (which is designed to relay all traffic passing through it to all of its
ports) will automatically begin sending all the traffic on that network segment to the sniffing
device. On the other hand, a switch (which is designed to limit what traffic gets sent to
which port) will have to be specially configured to send all traffic to the port where the
sniffer is plugged in.
Another method for sniffing is to use a network tap—a device that literally splits a network
transmission into two identical streams; one going to the original network destination and
the other going to the sniffing device. Each of these methods has its advantages and
disadvantages, including cost, feasibility, and the desire to maintain the secrecy of the
sniffing activity.
The packets captured by sniffer are decoded and then displayed by the sniffer. Therfore, if
the username/password are contained in a packet or packets traversing the segment the
sniffer is connected to, it will capture and display that information (and any other
information on that segment it can see). Of course, if the information is encrypted via a VPN, SSL, TLS, or similar technology, the
information is still captured and displayed, but it is in an unreadable format.
The following answers are incorrect:
Data diddling involves changing data before, as it is enterred into a computer, or after it is
extracted.
Spoofing is forging an address and inserting it into a packet to disguise the origin of the
communication - or causing a system to respond to the wrong address.
Smurfing would refer to the smurf attack, where an attacker sends spoofed packets to the
broadcast address on a gateway in order to cause a denial of service.
The following reference(s) were/was used to create this question:CISA Review manual 2014 Page number 321
Official ISC2 Guide to the CISSP 3rd edition Page Number 153
Which access control model would a lattice-based access control model be an example of?
A.
Mandatory access control.
.
B.
Discretionary access control
C.
Non-discretionary access control.
D.
Rule-based access control
Mandatory access control.
.
In a lattice model, there are pairs of elements that have the least upper
bound of values and greatest lower bound of values. In a Mandatory Access Control (MAC)
model, users and data owners do not have as much freedom to determine who can access
files.
TIPS FROM CLEMENT
Mandatory Access Control is in place whenever you have permissions that are being
imposed on the subject and the subject cannot arbitrarily change them. When the
subject/owner of the file can change permissions at will, it is discretionary access control.Here is a breakdown largely based on explanations provided by Doug Landoll. I am
reproducing below using my own word and not exactly how Doug explained it:
FIRST: The Lattice
A lattice is simply an access control tool usually used to implement Mandatory Access
Control (MAC) and it could also be used to implement RBAC but this is not as common.
The lattice model can be used for Integrity level or file permissions as well. The lattice has
a least upper bound and greatest lower bound. It makes use of pair of elements such as
the subject security clearance pairing with the object sensitivity label. SECOND: DAC (Discretionary Access Control)
Let's get into Discretionary Access Control: It is an access control method where the owner
(read the creator of the object) will decide who has access at his own discretion. As we all
know, users are sometimes insane. They will share their files with other users based on
their identity but nothing prevent the user from further sharing it with other users on the
network. Very quickly you loose control on the flow of information and who has access to
what. It is used in small and friendly environment where a low level of security is all that is
required.
THIRD: MAC (Mandatory Access Control) All of the following are forms of Mandatory Access Control:
Mandatory Access control (MAC) (Implemented using the lattice)
You must remember that MAC makes use of Security Clearance for the subject and also
Labels will be assigned to the objects. The clearance of the Subject must dominate (be
equal or higher) the clearance of the Object being accessed. The label attached to the
object will indicate the sensitivity leval and the categories the object belongs to. The
categories are used to implement the Need to Know.
All of the following are forms of Non Discretionary Access Control:
Role Based Access Control (RBAC)
Rule Based Access Control (Think Firewall in this case) The official ISC2 book says that RBAC (synonymous with Non Discretionary Access
Control) is a form of DAC but they are simply wrong. RBAC is a form of Non Discretionary
Access Control. Non Discretionary DOES NOT equal mandatory access control as there is
no labels and clearance involved.
I hope this clarifies the whole drama related to what is what in the world of access control.
In the same line of taught, you should be familiar with the difference between Explicit
permission (the user has his own profile) versus Implicit (the user inherit permissions by
being a member of a role for example).
The following answers are incorrect:
Discretionary access control. Is incorrect because in a Discretionary Access Control (DAC)
model, access is restricted based on the authorization granted to the users. It is identity
based access control only. It does not make use of a lattice. Non-discretionary access control. Is incorrect because Non-discretionary Access Control
(NDAC) uses the role-based access control method to determine access rights and
permissions. It is often times used as a synonym to RBAC which is Role Based Access
Control. The user inherit permission from the role when they are assigned into the role.
This type of access could make use of a lattice but could also be implemented without the
use of a lattice in some case. Mandatory Access Control was a better choice than this one,
but RBAC could also make use of a lattice. The BEST answer was MAC.
Rule-based access control. Is incorrect because it is an example of a Non-discretionary Access Control (NDAC) access control mode. You have rules that are globally applied to all
users. There is no such thing as a lattice being use in Rule-Based Access Control.
References:
AIOv3 Access Control (pages 161 - 168)
AIOv3 Security Models and Architecture (page 291-293
Which of the following is implemented through scripts or smart agents that replays the
users multiple log-ins against authentication servers to verify a user's identity which permit
access to system services?
A.
Single Sign-On
B.
Dynamic Sign-On
C.
Smart cards
D.
Kerberos
Single Sign-On
SSO can be implemented by using scripts that replay the users multiple logins
against authentication servers to verify a user's identity and to permit access to system
services.
Single Sign on was the best answer in this case because it would include Kerberos.
When you have two good answers within the 4 choices presented you must select the
BEST one. The high level choice is always the best. When one choice would include the
other one that would be the best as well.
Reference(s) used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten
Domains of Computer Security, 2001, John Wiley & Sons, Page 40.
In biometrics, "one-to-many" search against database of stored biometric images is done
in:
A.
Authentication
B.
Identification
C.
Identities
D.
Identity-based access control
Identification
In biometrics, identification is a "one-to-many" search of an individual's
characteristics from a database of stored images.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 38.
Page 6 out of 105 Pages |
Previous |