CISSP Cert Library Topic 7
environment that runs on top of the IT network. Platform as a Service (PaaS) is an outgrowth of Software as a Service (SaaS), a software distribution model in which host

Which of the following describes a computer processing architecture in which a language compiler or pre-processor breaks program instructions down into basic operations that can be performed by the processor at the same time? A. Very-Long Instruction-Word Processor (VLIW) B. Complex-Instruction-Set-Computer (CISC) C. Reduced-Instruction-Set-Computer (RISC) D. Super Scalar Processor Architecture (SCPA)
Answer : A Explanation: Very long instruction word (VLIW) describes a computer processing architecture in which a language compiler or pre-processor breaks program instructions down into basic operations that can be performed by the processor in parallel (that is, at the same time). These operations are put into a very long instruction word which the processor can then take apart without further analysis, handing each operation to an appropriate functional unit.

The following answers are incorrect: The term "CISC" (complex instruction set computer or computing) refers to computers designed with a full set of computer instructions that were intended to provide needed capabilities in the most efficient way. Later, it was discovered that, by reducing the full set to only the most frequently used instructions, the computer would get more work done in a shorter amount of time for most applications. Intel's Pentium microprocessors are CISC microprocessors. The PowerPC microprocessor, used in IBM's RISC System/6000 workstation and Macintosh computers, is a RISC microprocessor. RISC takes each of the longer, more complex instructions from a CISC design and reduces it to multiple instructions that are shorter and faster to process. RISC technology has been a staple of mobile devices for decades, but it is now poised to take on a serious role in data center servers and server virtualization. The latest RISC processors support virtualization and will change the way computing resources scale to meet workload demands. A superscalar CPU architecture implements a form of parallelism called instruction-level parallelism within a single processor. It therefore allows faster CPU throughput than would otherwise be possible at a given clock rate. A superscalar processor executes more than one instruction during a clock cycle by simultaneously dispatching multiple instructions to redundant functional units on the processor. Each functional unit is not a separate CPU core but an execution resource within a single CPU such as an arithmetic logic unit, a bit shifter, or a multiplier.

Reference(s) used for this question: http://whatis.techtarget.com/definition/0,,sid9_gci214395,00.html and http://searchcio-midmarket.techtarget.com/definition/CISC and http://en.wikipedia.org/wiki/Superscalar
What Orange Book security rating is reserved for systems that have been evaluated but fail to meet the criteria and requirements of the higher divisions? A. A B. D C. E D. F
Answer : B Explanation: D or "minimal protection" is reserved for systems that were evaluated under the TCSEC but did not meet the requirements for a higher trust level. A is incorrect. A or "Verified Protection" is the highest trust level under the TCSEC. E is incorrect. The trust levels are A - D, so "E" is not a valid trust level. F is incorrect. The trust levels are A - D, so "F" is not a valid trust level. CBK, pp. 329 - 330 AIO3, pp. 302 - 306
Why do buffer overflows happen? What is the main cause? A. Because buffers can only hold so much data B. Because of improper parameter checking within the application C. Because they are an easy weakness to exploit D. Because of insufficient system memory
Answer : B Explanation: A buffer overflow attack takes advantage of improper parameter checking within the application. This is the classic form of buffer overflow and occurs because the programmer accepts whatever input the user supplies without checking to make sure that the length of the input is less than the size of the buffer in the program. The buffer overflow problem is one of the oldest and most common problems in software development and programming, dating back to the introduction of interactive computing. It can result when a program fills up the assigned buffer of memory with more data than the buffer can hold. When the program begins to write beyond the end of the buffer, the program's execution path can be changed, or data can be written into areas used by the operating system itself. This can lead to the insertion of malicious code that can be used to gain administrative privileges on the program or system.

As explained by Gaurab, it can become very complex. Even if you are checking the length of the input at the time of input, it has to be checked against the size of the buffer it is copied into. Consider a case where the entry point of data is stored in Buffer1 of Application1 and you later copy it to Buffer2 within Application2: if you are only checking the length of the data against Buffer1, that check does not ensure that it will not cause a buffer overflow in Buffer2 of Application2.

A bit of reassurance from the ISC2 book about the level of coding knowledge needed for the exam: It should be noted that the CISSP is not required to be an expert programmer or know the inner workings of developing application software code, like the FORTRAN programming language, or how to develop Web applet code using Java. It is not even necessary that the CISSP know detailed security-specific coding practices such as the major divisions of buffer overflow exploits or the reason for preferring str(n)cpy to strcpy in the C language (although all such knowledge is, of course, helpful). Because the CISSP may be the person responsible for ensuring that security is included in such developments, the CISSP should know the basic procedures and concepts involved during the design and development of software programming. That is, in order for the CISSP to monitor the software development process and verify that security is included, the CISSP must understand the fundamental concepts of programming developments and the security strengths and weaknesses of various application development processes.

The following are incorrect answers: "Because buffers can only hold so much data" is incorrect. This is certainly true but is not the best answer because the finite size of the buffer is not the problem -- the problem is that the programmer did not check the size of the input before moving it into the buffer. "Because they are an easy weakness to exploit" is incorrect. This answer is sometimes true but is not the best answer because the root cause of the buffer overflow is that the programmer did not check the s
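As an added example (not part of the original question bank), the two-stage copy the explanation describes, written in C. The buffer sizes, function names and sample inputs are assumptions chosen for the demonstration: the vulnerable version checks the input length against Buffer1 only and then copies into the smaller Buffer2 with strcpy, while the hardened version checks every copy against the size of the buffer it actually writes into and rejects anything that would not fit.

```c
#include <stdio.h>
#include <string.h>

/* Buffer sizes are assumptions chosen for the demonstration. */
#define BUF1_SIZE 64   /* "Buffer1" in "Application1": where the input lands */
#define BUF2_SIZE 16   /* "Buffer2" in "Application2": a smaller copy target */

/* VULNERABLE form (the pattern the text warns about): the input length is
 * checked only against Buffer1, then copied with strcpy into the smaller
 * Buffer2. Any input of 16 to 63 bytes passes the check and still overruns
 * buf2. Never call this on untrusted data; it is here only for contrast. */
int vulnerable_two_stage(const char *input)
{
    char buf1[BUF1_SIZE];
    char buf2[BUF2_SIZE];

    if (strlen(input) >= BUF1_SIZE)  /* checks the wrong buffer's size */
        return -1;
    strcpy(buf1, input);             /* fits buf1 by construction */
    strcpy(buf2, buf1);              /* overflow if strlen(input) >= 16 */
    return 0;
}

/* Bounded copy: the check is made against the size of the buffer being
 * written, and the result is always NUL-terminated. Returns 0 on success,
 * -1 if the string plus its terminator would not fit. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);

    if (dst == NULL || dst_size == 0 || n >= dst_size)
        return -1;
    memcpy(dst, src, n + 1);         /* n bytes plus the NUL */
    return 0;
}

/* HARDENED form: each stage checks against its own destination, so the
 * second copy rejects what Buffer2 cannot hold instead of overflowing.
 * Returns 0 if accepted, -1 if rejected at stage 1, -2 at stage 2. */
int safe_two_stage(const char *input)
{
    char buf1[BUF1_SIZE];
    char buf2[BUF2_SIZE];

    if (copy_bounded(buf1, sizeof buf1, input) != 0)
        return -1;
    if (copy_bounded(buf2, sizeof buf2, buf1) != 0)
        return -2;
    return 0;
}

/* Reports, without running it, whether an input of this length would pass
 * the vulnerable function's check and still overrun Buffer2. */
int vulnerable_would_overflow(size_t input_len)
{
    return input_len < BUF1_SIZE && input_len >= BUF2_SIZE;
}

int main(void)
{
    /* Constructed sample inputs of 9, 20 and 70 bytes. */
    const char *ok  = "pineapple";
    const char *mid = "AAAAAAAAAAAAAAAAAAAA";
    const char *big = "BBBBBBBBBB" "BBBBBBBBBB" "BBBBBBBBBB" "BBBBBBBBBB"
                      "BBBBBBBBBB" "BBBBBBBBBB" "BBBBBBBBBB";

    printf("9 bytes:  safe=%d  vulnerable would overflow=%d\n",
           safe_two_stage(ok), vulnerable_would_overflow(strlen(ok)));
    printf("20 bytes: safe=%d  vulnerable would overflow=%d\n",
           safe_two_stage(mid), vulnerable_would_overflow(strlen(mid)));
    printf("70 bytes: safe=%d  vulnerable would overflow=%d\n",
           safe_two_stage(big), vulnerable_would_overflow(strlen(big)));
    return 0;
}
```

The 20-byte input is the interesting case: it is well under Buffer1's 64 bytes, so the vulnerable check passes, yet it overruns the 16-byte Buffer2; the hardened path rejects it at the second stage.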
Which division of the Orange Book deals with discretionary protection (need-to-know)? A. D B. C C. B D. A
Answer : B Explanation: C deals with discretionary protection. See the TCSEC metric below: TCSEC Metric The following are incorrect answers: D is incorrect. D deals with minimal security. B is incorrect. B deals with mandatory protection. A is incorrect. A deals with verified protection. Reference(s) used for this question: CBK, p. 329 - 330 and Shon Harris, CISSP All-in-One (AIO), 6th Edition, page 392-393

Question 1148 (Topic 7) For competitive reasons, the customers of a large shipping company called the "Integrated International Secure Shipping Containers Corporation" (IISSCC) like to keep private the various cargos that they ship. IISSCC uses a secure database system based on the Bell-LaPadula access control model to keep this information private. Different information in this database is classified at different levels. For example, the time and date a ship departs is labeled Unclassified, so customers can estimate when their cargos will arrive, but the contents of all shipping containers on the ship are labeled Top Secret to keep different shippers from viewing each other's cargos. An unscrupulous fruit shipper, the "Association of Private Fruit Exporters, Limited" (APFEL) wants to learn whether or not a competitor, the "Fruit Is Good Corporation" (FIGCO), is shipping pineapples on the ship "S.S. Cruise Pacific" (S.S. CP). APFEL can't simply read the top secret contents in the IISSCC database because of the access model. A smart APFEL worker, however, attempts to insert a false, unclassified record in the database that says that FIGCO is shipping pineapples on the S.S. CP, reasoning that if there is already a FIGCO-pineapple-SSCP record then the insertion attempt will fail. But the attempt does not fail, so APFEL can't be sure whether or not FIGCO is shipping pineapples on the S.S. CP. What is the name of the access control model property that prevented APFEL from reading FIGCO's cargo information? What is a secure database technique that could explain why, when the insertion attempt succeeded, APFEL was still unsure whether or not FIGCO was shipping pineapples? A. *-Property and Polymorphism B. Strong *-Property and Polyinstantiation C. Simple Security Property and Polymorphism D. Simple Security Property and Polyinstantiation

Answer : D Explanation: The Simple Security Property states that a subject at a given clearance may not read an object at a higher classification, so unclassified APFEL could not read FIGCO's top secret cargo information. Polyinstantiation permits a database to have two records that are identical except for their classifications (i.e., the primary key includes the classification). Thus, APFEL's new unclassified record did not collide with the real, top secret record, so APFEL was not able to learn about FIGCO's pineapples.

The following answers are incorrect: *-Property and Polymorphism. The *-property states that a subject at a given clearance must not write to any object at a lower classification, which is irrelevant here because APFEL was trying to read data with a higher classification. Polymorphism is a term that can refer to, among other things, viruses that can change their code to better hide from anti-virus programs, or to objects of different types in an object-oriented program that are related by a common superclass and can, therefore, respond to a common set of methods in different ways. That is also irrelevant to this question. Strong *-Property and Polyinstantiation. Half-right. The strong *-property limits a subject of a given clearance to writing only to objects with a matching classification. APFEL's attempt to insert an unclassified record was consistent with this property, but that has nothing to do with preventing APFEL from reading top secret information. Simple Security Property and Polymorphism. Also half-right. See above for why Polymorphism is wrong.
The following reference(s) were/was used to create this question: HARRIS, Shon, CISSP All-in-one Exam Guide, Third Edition, McGraw-Hill/Osborne, 2005 Chapter 5: Security Models and Architecture (page 280) Chapter 11: Application and System Development (page 828)
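Added example, not from the original question: a toy C implementation of the IISSCC table that replays APFEL's probe with and without polyinstantiation. The table layout, the strong *-property check on inserts (a subject writes only at its own level, as the explanation describes it), the no-read-up filter on queries, and the row contents are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>

enum level { UNCLASSIFIED = 0, CONFIDENTIAL = 1, SECRET = 2, TOP_SECRET = 3 };

#define MAX_ROWS 16

/* One cargo record; the classification label is stored with the row. */
struct row {
    char ship[32];
    char shipper[32];
    char cargo[32];
    enum level lvl;
};

struct table {
    struct row rows[MAX_ROWS];
    int count;
    int polyinstantiated;   /* 1: the label is part of the primary key */
};

/* Primary-key comparison; the label is included only when polyinstantiated. */
static int same_key(const struct row *a, const struct row *b, int include_label)
{
    return strcmp(a->ship, b->ship) == 0 &&
           strcmp(a->shipper, b->shipper) == 0 &&
           strcmp(a->cargo, b->cargo) == 0 &&
           (!include_label || a->lvl == b->lvl);
}

/* Insert on behalf of a subject cleared at `subj`. Returns 0 on success,
 * -1 on a primary-key collision (in the non-polyinstantiated table that
 * collision is exactly the inference channel APFEL was probing), -2 if the
 * row is not labeled at the subject's own level (strong *-property),
 * -3 if the table is full. */
int insert_row(struct table *t, const struct row *r, enum level subj)
{
    int i;
    if (r->lvl != subj)
        return -2;
    for (i = 0; i < t->count; i++)
        if (same_key(&t->rows[i], r, t->polyinstantiated))
            return -1;
    if (t->count >= MAX_ROWS)
        return -3;
    t->rows[t->count++] = *r;
    return 0;
}

/* Count the rows matching `key` that a reader cleared at `subj` may see:
 * simple security property, no read up. */
int count_visible(const struct table *t, const struct row *key, enum level subj)
{
    int i, n = 0;
    for (i = 0; i < t->count; i++)
        if (t->rows[i].lvl <= subj && same_key(&t->rows[i], key, 0))
            n++;
    return n;
}

/* Replays the scenario: IISSCC holds FIGCO's real Top Secret record, then
 * APFEL (Unclassified) inserts the same key labeled Unclassified.
 * Returns the result of APFEL's insert. */
int build_scenario(struct table *t, int polyinstantiated)
{
    struct row figco_real  = { "S.S. Cruise Pacific", "FIGCO", "pineapples", TOP_SECRET };
    struct row apfel_guess = { "S.S. Cruise Pacific", "FIGCO", "pineapples", UNCLASSIFIED };

    memset(t, 0, sizeof *t);
    t->polyinstantiated = polyinstantiated;
    if (insert_row(t, &figco_real, TOP_SECRET) != 0)
        return -99;                     /* cannot happen on an empty table */
    return insert_row(t, &apfel_guess, UNCLASSIFIED);
}

/* -1 (collision, leaks the secret) without polyinstantiation; 0 with it. */
int apfel_probe(int polyinstantiated)
{
    struct table t;
    return build_scenario(&t, polyinstantiated);
}

/* How many FIGCO/pineapples/S.S. CP rows a reader at `reader` sees afterwards. */
int rows_seen(int polyinstantiated, enum level reader)
{
    struct table t;
    struct row key = { "S.S. Cruise Pacific", "FIGCO", "pineapples", UNCLASSIFIED };
    build_scenario(&t, polyinstantiated);
    return count_visible(&t, &key, reader);
}

int main(void)
{
    printf("no polyinstantiation: APFEL insert -> %d (collision reveals the TS row)\n",
           apfel_probe(0));
    printf("polyinstantiation:    APFEL insert -> %d, rows visible to U=%d, TS=%d\n",
           apfel_probe(1), rows_seen(1, UNCLASSIFIED), rows_seen(1, TOP_SECRET));
    return 0;
}
```

Without polyinstantiation the Unclassified insert collides, and the failure itself tells APFEL that a Top Secret FIGCO-pineapple record exists even though APFEL can read nothing. With the label in the key, the insert succeeds, APFEL sees only its own row, and a Top Secret reader sees both.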
What does the * (star) property mean in the Bell-LaPadula model? A. No write up B. No read up C. No write down D. No read down
Answer : C Explanation: The *- (star) property of the Bell-LaPadula access control model states that writing of information by a subject at a higher level of sensitivity to an object at a lower level of sensitivity is not permitted (no write down). Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security Architectures and Models (page 202). Also check out: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter 5: Security Models and Architecture (page 242, 243).
The Orange Book states that "Hardware and software features shall be provided that can be used to periodically validate the correct operation of the on-site hardware and firmware elements of the TCB [Trusted Computing Base]." This statement is the formal requirement for: A. Security Testing. B. Design Verification. C. System Integrity. D. System Architecture Specification.
Answer : C Explanation: This is a requirement starting as low as C1 within the TCSEC rating. The Orange Book requires the following for System Integrity: Hardware and/or software features shall be provided that can be used to periodically validate the correct operation of the on-site hardware and firmware elements of the TCB.

NOTE FROM CLEMENT: This is a question that confuses a lot of people because most people take for granted that the Orange Book, with its associated Bell-LaPadula model, has nothing to do with integrity. However, you have to be careful about the context in which the word integrity is being used. You can have Data Integrity and you can have System Integrity, which are two completely different things. Yes, the Orange Book does not specifically address data integrity requirements; however, it has to run on top of systems that must meet some integrity requirements. This is part of what they call operational assurance, which is defined as a level of confidence that a trusted system's architecture and implementation enforce the system's security policy. It includes: System architecture; Covert channel analysis; System integrity; Trusted recovery.

DATA INTEGRITY: Data Integrity is very different from System Integrity. When you have integrity of the data, there are three goals: 1. Prevent unauthorized users from making modifications 2. Prevent authorized users from making unauthorized (improper) modifications 3. Maintain internal and external consistency of the data. Bell-LaPadula, the model on which the Orange Book is based, does not address integrity; it addresses only confidentiality. Biba addresses only the first goal of integrity. Clark-Wilson addresses all three goals of integrity. In the case of this question, there is a system integrity requirement within the TCB. As mentioned above, here is an extract of the requirements: Hardware and/or software features shall be provided that can be used to periodically validate the correct operation of the on-site hardware and firmware elements of the TCB.

The following answers are incorrect: Security Testing. Is incorrect because the quoted statement is the System Integrity requirement; the Orange Book's Security Testing requirement (part of Life-Cycle Assurance) concerns testing that the security mechanisms work as claimed, not validating the TCB hardware and firmware. Design Verification. Is incorrect because the Orange Book's requirements for Design Verification include: A formal model of the security policy must be clearly identified and documented, including a mathematical proof that the model is consistent with its axioms and is sufficient to support the security policy. System Architecture Specification. Is incorrect because there are no requirements for System Architecture Specification in the Orange Book.

The following reference(s) were used for this question: Trusted Computer Security Evaluation Criteria (TCSEC), DoD 5200.28-STD, page 15, 18, 25, 31, 40, 50. Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition, Security Architecture and Design, Page 392-397, for users with the Kindle Version see Kindle Locations 28504-28505. and DOD TCSEC - http://www.cerberussystems.com/INFOSEC/
Which of the following classes is defined in the TCSEC (Orange Book) as discretionary protection? A. C B. B C. A D. D
Answer : A Explanation: Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, page 197. Also: THE source for all TCSEC "level" questions: http://csrc.nist.gov/publications/secpubs/rainbow/std001.txt
Which Orange Book evaluation level is described as "Structured Protection"? A. A1 B. B3 C. B2 D. B1
Answer : C Explanation: Level B2 is described as Structured Protection. The following answers are incorrect: A1. This is incorrect because level A1 is described as Verified Design. B3. This is incorrect because level B3 is described as Security Domains. B1. This is incorrect because level B1 is described as Labeled Security.
Which of the following is best defined as a mode of system termination that automatically leaves system processes and components in a secure state when a failure occurs or is detected in a system? A. Fail proof B. Fail soft C. Fail safe D. Fail Over
Answer : C Explanation: NOTE: This question refers to a system which is Logical/Technical, so it is in the context of a system that you must choose the right answer. It is very important to read the question carefully and to identify the context, whether it is in the Physical world or in the Technical/Logical world. RFC 2828 (Internet Security Glossary) defines fail safe as a mode of system termination that automatically leaves system processes and components in a secure state when a failure occurs or is detected in the system. A secure state means, in the Logical/Technical world, that no access would be granted or no packets would be allowed to flow through the system inspecting the packets, such as a firewall for example. If the question had made reference to a building or something specific to the Physical world, then the answer would have been different. In the Physical world everything becomes open and full access would be granted. See the valid choices below for the Physical context. Fail-safe in the physical security world is when doors are unlocked automatically in case of emergency. It is used in environments where humans work, as human safety is the prime concern during a fire or other hazard.

The following were all wrong choices: Fail-secure in the physical security world is when doors are locked automatically in case of emergency. It can be used in an area like a cash locker room, provided there is an alternative manually operated exit door in case of emergency. Fail soft is selective termination of affected non-essential system functions and processes when a failure occurs or is detected in the system. Fail Over is a redundancy mechanism and does not apply to this question.

According to the Official ISC2 Study Guide (OIG): Fault Tolerance is defined as the built-in capability of a system to provide continued correct execution in the presence of a limited number of hardware or software faults. It means a system can operate in the presence of hardware component failures. A single component failure in a fault-tolerant system will not cause a system interruption because the alternate component will take over the task transparently. As the cost of components continues to drop, and the demand for system availability increases, many non-fault-tolerant systems have redundancy built in at the subsystem level. As a result, many non-fault-tolerant systems can tolerate hardware faults; consequently, the line between a fault-tolerant system and a non-fault-tolerant system becomes increasingly blurred. According to Common Criteria: Fail Secure - Failure with preservation of secure state, which requires that the TSF (TOE security functions) preserve a secure state in the face of the identified failures. According to The CISSP Prep Guide, Gold Ed.: Fail over - When one system/application fails, operations will automatically switch to the backup system. Fail safe - Pertaining to the automatic protection of programs and/or processing systems to maintain safety when a hard
Which Orange book security rating introduces the object reuse protection? A. C1 B. C2 C. B1 D. B2
Answer : B Explanation: Object reuse is first required at class C2 (Controlled Access Protection) of the TCSEC; C1 has no object reuse requirement, and the B classes carry the requirement forward from C2. Reference: Trusted Computer Security Evaluation Criteria (TCSEC), DoD 5200.28-STD, class C2 requirements.
In which of the following models are subjects and objects identified, and the permissions applied to each subject/object combination specified? Such a model can be used to quickly summarize what permissions a subject has for various system objects. A. Access Control Matrix model B. Take-Grant model C. Bell-LaPadula model D. Biba model
Answer : A Explanation: An access control matrix is a table of subjects and objects indicating what actions individual subjects can take upon individual objects. Matrices are data structures that programmers implement as table lookups that will be used and enforced by the operating system. This type of access control is usually an attribute of DAC models. The access rights can be assigned directly to the subjects (capabilities) or to the objects (ACLs).

Capability Table: A capability table specifies the access rights a certain subject possesses pertaining to specific objects. A capability table is different from an ACL because the subject is bound to the capability table, whereas the object is bound to the ACL.

Access control lists (ACLs): ACLs are used in several operating systems, applications, and router configurations. They are lists of subjects that are authorized to access a specific object, and they define what level of authorization is granted. Authorization can be specific to an individual, group, or role. ACLs map values from the access control matrix to the object. Whereas a capability corresponds to a row in the access control matrix, the ACL corresponds to a column of the matrix.

NOTE: Ensure you are familiar with the terms Capability and ACLs for the purpose of the exam. Resource(s) used for this question: Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 5264-5267). McGraw-Hill. Kindle Edition. or Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition, Page 229 and Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 1923-1925). Auerbach Publications. Kindle Edition.
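Added example, not from the source: an access control matrix in C, with the capability list read off as a row (bound to the subject) and the ACL as a column (bound to the object), plus a reference-monitor style check that fails closed for unknown names. The subjects, objects and rights in the matrix are constructed sample data.

```c
#include <stdio.h>
#include <string.h>

enum { READ = 1, WRITE = 2, EXECUTE = 4 };

#define N_SUBJECTS 3
#define N_OBJECTS  3

/* Constructed sample subjects and objects. */
static const char *subjects[N_SUBJECTS] = { "alice", "bob", "backup-svc" };
static const char *objects[N_OBJECTS]   = { "payroll.db", "web.log", "deploy.sh" };

/* The access control matrix: matrix[subject][object] is a bitmask of the
 * rights that subject holds on that object. */
static const unsigned char matrix[N_SUBJECTS][N_OBJECTS] = {
    /* payroll.db      web.log        deploy.sh      */
    {  READ | WRITE,   READ,          0              },   /* alice      */
    {  0,              READ | WRITE,  READ | EXECUTE },   /* bob        */
    {  READ,           READ,          0              },   /* backup-svc */
};

static int index_of(const char *const *names, int n, const char *name)
{
    for (int i = 0; i < n; i++)
        if (strcmp(names[i], name) == 0)
            return i;
    return -1;
}

/* Reference-monitor style check: does `subject` hold every right in
 * `wanted` on `object`? Unknown subjects or objects fail closed. */
int check_access(const char *subject, const char *object, unsigned char wanted)
{
    int s = index_of(subjects, N_SUBJECTS, subject);
    int o = index_of(objects, N_OBJECTS, object);
    if (s < 0 || o < 0)
        return 0;
    return (matrix[s][o] & wanted) == wanted;
}

/* Capability list: one ROW of the matrix, bound to the subject. If `out`
 * is non-NULL it receives the rights on each object (N_OBJECTS entries);
 * the return value is the number of objects on which the subject holds
 * any right at all. */
int capability_list(const char *subject, unsigned char *out)
{
    int s = index_of(subjects, N_SUBJECTS, subject), n = 0;
    for (int o = 0; o < N_OBJECTS; o++) {
        unsigned char rights = (s < 0) ? 0 : matrix[s][o];
        if (out) out[o] = rights;
        if (rights) n++;
    }
    return n;
}

/* ACL: one COLUMN of the matrix, bound to the object. Same convention,
 * with N_SUBJECTS entries. */
int acl(const char *object, unsigned char *out)
{
    int o = index_of(objects, N_OBJECTS, object), n = 0;
    for (int s = 0; s < N_SUBJECTS; s++) {
        unsigned char rights = (o < 0) ? 0 : matrix[s][o];
        if (out) out[s] = rights;
        if (rights) n++;
    }
    return n;
}

static void print_rights(unsigned char r)
{
    printf("%c%c%c", (r & READ) ? 'r' : '-', (r & WRITE) ? 'w' : '-',
           (r & EXECUTE) ? 'x' : '-');
}

int main(void)
{
    unsigned char row[N_OBJECTS], col[N_SUBJECTS];

    capability_list("bob", row);            /* row of the matrix */
    printf("capabilities of bob:");
    for (int o = 0; o < N_OBJECTS; o++) { printf(" %s=", objects[o]); print_rights(row[o]); }
    printf("\n");

    acl("payroll.db", col);                 /* column of the matrix */
    printf("ACL of payroll.db:");
    for (int s = 0; s < N_SUBJECTS; s++) { printf(" %s=", subjects[s]); print_rights(col[s]); }
    printf("\n");

    printf("bob may write deploy.sh? %d\n", check_access("bob", "deploy.sh", WRITE));
    printf("mallory may read payroll.db? %d\n", check_access("mallory", "payroll.db", READ));
    return 0;
}
```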
In access control terms, the word "dominate" refers to which of the following? A. Higher or equal to access class B. Rights are superseded C. Valid need-to-know with read privileges D. A higher clearance level than other users
Answer : A Explanation: Higher or equal to access class. The term "dominates" refers to a subject being authorized to perform an operation if the access class of the subject is higher than or equal to (dominates) the access class of the object requested. This is the best answer for the term "dominates" in access control. If a subject wishes to access an object, its security clearance must be equal to or higher than that of the object it is accessing.

The following answers are incorrect: "Rights are superseded" is incorrect as it is not actually a valid condition. "Valid need-to-know with read privileges" is too specific to be dominates, and is usually what a user's label indicates. "A higher clearance level than other users." Although having a higher clearance level might be important to obtain access to the higher levels of data, it is not what the definition of "dominates" refers to in access control.

The following reference(s) were/was used to create this question: Shon Harris latest "All in One CISSP Exam Prep" page 280.

Topic 8, Security Assessment and Testing

Question 1180 (Topic 8) What would you call a network security control deployed in line that detects, alerts on, and takes action when a possible intrusion is detected? A. Application Based Intrusion Detection System (AIDS) B. Network Based Intrusion Detection System (NIDS) C. Intrusion Prevention System (IPS) D. Host Based Intrusion Detection System (HIDS)

Answer : C Explanation: An IPS is a preventive and proactive mechanism, whereas an IDS is a detective, after-the-fact technology. The following answers are incorrect: HIDS, NIDS and AIDS are all types of Intrusion Detection Systems. HIDS: Host Based Intrusion Detection System. A HIDS is a software cluster that consists of an auditor for the file system, log file analyzers, an operating system monitor, and a monitor for software changes. HIDS are used to supplement NIDS. A NIDS cannot make sense of encrypted traffic, but the HIDS might be able to detect that suspicious activities are taking place after decryption took place. NIDS: Network Based Intrusion Detection System. NIDS software is used mostly for analyzing network activities. The NIDS will analyze ALL the traffic to identify any pattern that might indicate that an attack is being attempted. AIDS: Application Based Intrusion Detection System. The most popular non-commercial AIDS tools are honeypots. A honeypot is network services emulation software that allows system administrators to monitor an intruder's actions. For Web applications, mod_security, an open source intrusion detection and prevention engine, is very popular AIDS software. Operating as an Apache Web server module, mod_security examines HTTP queries to protect Web applications from known and sometimes unknown attacks. The following reference(s) were/was used to create this question: Shon Harris AIO 4th Edition page 260 from Access Control.
Who first described the DoD multilevel military security policy in abstract, formal terms? A. David Bell and Leonard LaPadula B. Rivest, Shamir and Adleman C. Whitfield Diffie and Martin Hellman D. David Clark and David Wilson
Answer : A Explanation: It was David Bell and Leonard LaPadula who, in 1973, first described the DoD multilevel military security policy in abstract, formal terms. Bell-LaPadula is a Mandatory Access Control (MAC) model concerned with confidentiality. Rivest, Shamir and Adleman (RSA) developed the RSA encryption algorithm. Whitfield Diffie and Martin Hellman published the Diffie-Hellman key agreement algorithm in 1976. David Clark and David Wilson developed the Clark-Wilson integrity model, more appropriate for security in commercial activities. Source: RUSSEL, Deborah & GANGEMI, G.T. Sr., Computer Security Basics, O'Reilly, July 1992 (pages 78,109).
Which of the following answers BEST describes the Bell-LaPadula model of storage and access control of classified information? A. No read up and No write down B. No write up, no read down C. No read over and no write up D. No reading from higher classification levels
Answer : A Explanation: The Bell-LaPadula model is perhaps the most well-known and significant security model, in addition to being one of the oldest models used in the creation of modern secure computing systems. Like the Trusted Computer System Evaluation Criteria (or TCSEC), it was inspired by early U.S. Department of Defense security policies and the need to prove that confidentiality could be maintained. In other words, its primary goal is to prevent disclosure as the model system moves from one state (one point in time) to another.

In the world of information access controls there are multiple models; some of them are listed below: - Bell-LaPadula Model: Works to restrict users from reading data from a higher classification to protect that data. This model is concerned with confidentiality. - Biba Model: This model means that a user can't write information TO a higher integrity level. - Clark-Wilson Model: This model requires that all data access occur through controlled access programs. - Information Flow Model: This is concerned with the properties of information flow in both directions, not only in one direction. It requires that each piece of information has unique properties. - Noninterference Model: This model is intended to ensure that higher-level security functions don't interfere with lower-level operations, in an attempt to isolate one from the other. Each is different and suited to different information processing environments.

The following answers are incorrect: - No write up, no read down: This defines the Biba model of information integrity. - No read over, no write up: This is an incorrect answer. - No reading from higher classification levels: This is incorrect; it is only half correct in that it captures the simple security property (no read up) but omits the *-property, under which data may not be written DOWN to a lower level of classification because it would create something called a spillage, where data is leaked out of a more secure area into a less secure one.

The following reference(s) were used to create this question: 2013 Official Security+ Curriculum and Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 17597-17600). Auerbach Publications. Kindle Edition.
Which of the following is NOT a basic component of security architecture? A. Motherboard B. Central Processing Unit (CPU) C. Storage Devices D. Peripherals (input/output devices)
Answer : A Explanation: The CPU, storage devices and peripherals each have specialized roles in the security architecture. The CPU, or microprocessor, is the brains behind a computer system and performs calculations as it solves problems and performs system tasks. Storage devices provide both long- and short-term storage of information that the CPU has either processed or may process. Peripherals (scanners, printers, modems, etc.) are devices that either input data or receive the data output by the CPU. The motherboard is the main circuit board of a microcomputer and contains the connectors for attaching additional boards. Typically, the motherboard contains the CPU, BIOS, memory, mass storage interfaces, serial and parallel ports, expansion slots, and all the controllers required to control standard peripheral devices. Reference(s) used for this question: TIPTON, Harold F., The Official (ISC)2 Guide to the CISSP CBK (2007), page 308.
Which of the following security models introduced the idea of mutual exclusivity which generates dynamically changing permissions? A. Biba B. Brewer & Nash C. Graham-Denning D. Clark-Wilson
Answer : B Explanation: The Brewer and Nash model was constructed to provide information security access controls that can change dynamically. This security model, also known as the Chinese wall model, was designed to provide controls that mitigate conflict of interest in commercial organizations, and is built upon an information flow model. In the Brewer and Nash model no information can flow between the subjects and objects in a way that would create a conflict of interest. The following answers are incorrect: Graham-Denning https://en.wikipedia.org/wiki/Graham-Denning_model Biba https://en.wikipedia.org/wiki/Biba_model Clark-Wilson https://en.wikipedia.org/wiki/Clark-Wilson_model The following reference(s) were/was used to create this question: ISC2 Review V 8.00. Mutual exclusivity is another way of saying prevent conflicts of interest. and https://en.wikipedia.org/wiki/Brewer_and_Nash_model
Which of the following statements relating to the Bell-LaPadula security model is FALSE (assuming the Strong Star property is not being used)? A. A subject is not allowed to read up. B. The *- property restriction can be escaped by temporarily downgrading a high level subject. C. A subject is not allowed to read down. D. It is restricted to confidentiality.
Answer : C Explanation: "A subject is not allowed to read down" is not a property of the Bell-LaPadula model; reading an object at a lower (or equal) level is permitted. The other answers are incorrect because: "A subject is not allowed to read up" is the simple security rule of the Bell-LaPadula model. The *-property restriction can be escaped by temporarily downgrading a high level subject, or by identifying a set of trusted subjects which are permitted to violate the *-property as long as it is not in the middle of an operation. It is restricted to confidentiality, as it is a state machine model that enforces the confidentiality aspects of access control. Reference: Shon Harris AIO v3, Chapter 5: Security Models and Architecture, Page: 279-
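Added example (not from the page) that serves the Bell-LaPadula and "dominates" questions above together: a label carries a level and a set of need-to-know categories, "dominates" is the lattice ordering over both, and the simple security property, the *-property and the strong *-property are decided from it, along with the trusted-subject temporary downgrade this explanation mentions. The category names and the trusted flag are assumptions made for the demonstration.

```c
#include <stdio.h>

enum level { UNCLASSIFIED = 0, CONFIDENTIAL = 1, SECRET = 2, TOP_SECRET = 3 };

/* Need-to-know categories as a bitmask (constructed names). */
enum { CAT_NUCLEAR = 1, CAT_CRYPTO = 2, CAT_HR = 4 };

struct label {
    enum level lvl;
    unsigned cats;
};

struct label mk(enum level lvl, unsigned cats)
{
    struct label l = { lvl, cats };
    return l;
}

/* "a dominates b": a's level is higher than or equal to b's AND a's
 * category set contains all of b's. This is the lattice ordering behind
 * the word "dominates" in the access control question above. */
int dominates(struct label a, struct label b)
{
    return a.lvl >= b.lvl && (b.cats & ~a.cats) == 0;
}

/* Simple security property (no read up): read iff subject dominates object. */
int may_read(struct label subj, struct label obj)
{
    return dominates(subj, obj);
}

/* *-property (no write down): write iff object dominates subject. */
int may_write(struct label subj, struct label obj)
{
    return dominates(obj, subj);
}

/* Strong *-property: write only at exactly the subject's own label. */
int may_write_strong(struct label subj, struct label obj)
{
    return dominates(subj, obj) && dominates(obj, subj);
}

/* The escape from the *-property the explanation mentions: a trusted
 * subject is temporarily downgraded to the object's label for this one
 * operation, after which the ordinary rule permits the write. Untrusted
 * subjects get no such relief. */
int write_via_downgrade(struct label subj, struct label obj, int trusted)
{
    if (may_write(subj, obj))
        return 1;
    if (!trusted)
        return 0;
    return may_write(obj, obj);   /* effective label == object's label */
}

static const char *names[] = { "Unclassified", "Confidential", "Secret", "Top Secret" };

int main(void)
{
    struct label ts_nuc = mk(TOP_SECRET, CAT_NUCLEAR);
    struct label s_nuc  = mk(SECRET, CAT_NUCLEAR);
    struct label s_nuc_crypto = mk(SECRET, CAT_NUCLEAR | CAT_CRYPTO);

    printf("%s{nuclear} reads  %s{nuclear}: %d (read down is allowed)\n",
           names[ts_nuc.lvl], names[s_nuc.lvl], may_read(ts_nuc, s_nuc));
    printf("%s{nuclear} writes %s{nuclear}: %d (no write down)\n",
           names[ts_nuc.lvl], names[s_nuc.lvl], may_write(ts_nuc, s_nuc));
    printf("%s{nuclear} reads  %s{nuclear,crypto}: %d (same level, missing category)\n",
           names[s_nuc.lvl], names[s_nuc_crypto.lvl], may_read(s_nuc, s_nuc_crypto));
    printf("%s{nuclear} writes %s{nuclear}: plain=%d strong=%d\n",
           names[s_nuc.lvl], names[ts_nuc.lvl], may_write(s_nuc, ts_nuc),
           may_write_strong(s_nuc, ts_nuc));
    printf("write down via downgrade: trusted=%d untrusted=%d\n",
           write_via_downgrade(ts_nuc, s_nuc, 1), write_via_downgrade(ts_nuc, s_nuc, 0));
    return 0;
}
```

The third case is the need-to-know half of "dominates": two Secret labels do not dominate each other when one carries a category the other lacks, so the read is refused even though the levels are equal.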
Which of the following are required for Life-Cycle Assurance? A. System Architecture and Design specification. B. Security Testing and Covert Channel Analysis. C. Security Testing and Trusted distribution. D. Configuration Management and Trusted Facility Management.
Answer : C Explanation: Security testing and trusted distribution are required for Life-Cycle Assurance. The following answers are incorrect: System Architecture and Design specification. Is incorrect because System Architecture is not required for Life-Cycle Assurance. Security Testing and Covert Channel Analysis. Is incorrect because Covert Channel Analysis is not required for Life-Cycle Assurance. Configuration Management and Trusted Facility Management. Is incorrect because Trusted Facility Management is not required for Life-Cycle Assurance.
The biggest difference between System High Security Mode and Dedicated Security Mode is: A. The clearance required B. Object classification C. Subjects cannot access all objects D. Need-to-know
Answer : D Explanation: "Need to know" is correct. In Dedicated Security Mode every subject must have a "need to know" for ALL the information contained within the system. In System High Security Mode every subject must still hold a clearance for all information on the system, but needs a "need to know" only for the information they are actually trying to access. The following answers are incorrect: "The clearance required" It is incorrect because in both modes every subject must have a clearance for all the data on the system, so this does not distinguish them. "Object classification" It is incorrect because in both modes all the data on the system may be at the same classification level. Although the need-to-know is part of the object's label, this is not the best answer. "Subjects cannot access all objects" It is incorrect because the more correct answer is need to know. Although, because of need to know, certain subjects cannot access all objects, the best answer is need to know. The following reference(s) were/was used to create this question: ISC2 OIG p.841 and p.995 Shon Harris AIO, 4th Edition, p. 297 http://www.fas.org/irp/nsa/rainbow/tg004.htm NEXT QUESTION
Which of the following choices describe a condition when RAM and Secondary storage are used together? A. Primary storage B. Secondary storage C. Virtual storage D. Real storage
Answer : C Explanation: Virtual storage is a service provided by the operating system where it uses a combination of RAM and disk storage to simulate a much larger address space than is actually present. Infrequently used portions of memory are paged out by being written to secondary storage and paged back in when required by a running program. Most OSs have the ability to simulate having more main memory than is physically available in the system. This is done by storing part of the data on secondary storage, such as a disk. This can be considered a virtual page. If the data requested by the system is not currently in main memory, a page fault is taken. This condition triggers the OS handler. If the virtual address is a valid one, the OS will locate the physical page, put the right information in that page, update the translation table, and then try the request again. Some other page might be swapped out to make room. Each process may have its own separate virtual address space along with its own mappings and protections. The following are incorrect answers: Primary storage is incorrect. Primary storage refers to the combination of RAM, cache and the processor registers. Primary Storage: while data waits for processing by the processors, it sits in a staging area called primary storage. Whether implemented as memory, cache, or registers (part of the CPU), and regardless of its location, primary storage stores data that has a high probability of being requested by the CPU, so it is usually faster than long-term, secondary storage. The location where data is stored is denoted by its physical memory address. This memory register identifier remains constant and is independent of the value stored there. Some examples of primary storage devices include random-access memory (RAM), synchronous dynamic random-access memory (SDRAM), and read-only memory (ROM). 
RAM is volatile, that is, when the system shuts down, it flushes the data in RAM, although recent research has shown that data may still be retrievable for a short time after power-off. Secondary storage is incorrect. Secondary storage holds data not currently being used by the CPU and is used when data must be stored for an extended period of time using high-capacity, nonvolatile storage. Secondary storage includes disk, floppies, CD's, tape, etc. While secondary storage includes basically anything different from primary storage, virtual memory's use of secondary storage is usually confined to high-speed disk storage. Real storage is incorrect. Real storage is another word for primary storage and distinguishes physical memory from virtual memory. Reference(s) used for this question: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 17164-17171). Auerbach Publications. Kindle Edition. Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 17196-17201). Auerbach Publications. Kindle Edition. NEXT QUESTION
Which of the following can be used as a covert channel? A. Storage and timing. B. Storage and low bits. C. Storage and permissions. D. Storage and classification.
Answer : A Explanation: The Orange Book requires protection against two types of covert channels, timing and storage. A covert storage channel signals by writing to a shared system attribute (free disk space, a file name, a lock) that another process at a level not allowed to receive the information can observe; a covert timing channel signals by modulating the use of a shared resource (CPU, I/O) so that the receiver can measure the variation in response time. The following answers are incorrect: Storage and low bits. Is incorrect because, low bits would not be considered a covert channel. Storage and permissions. Is incorrect because, permissions would not be considered a covert channel. Storage and classification. Is incorrect because, classification would not be considered a covert channel. NEXT QUESTION
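To make the storage-channel definition concrete, here is an added example written for this page (not code from the CISSP guide or any referenced source). A reference monitor stops a LOW subject from reading HIGH's files, yet free space on the volume is visible to everyone, as statvfs() would be on a real system. HIGH signals one bit per step by creating or removing a filler file and LOW decodes the bit from the free-space reading. The volume is an in-memory stand-in so the example runs offline; the file names, sizes and the coarse-reporting mitigation are hypothetical.

```python
"""Storage covert channel over a shared resource attribute.

Added example, not from the CISSP text. The reference monitor stops a LOW
subject from reading HIGH's files, but free space on the volume is visible
to everyone (as statvfs() would be). HIGH signals one bit per step by
creating or removing a filler file; LOW decodes the bit from the free-space
reading. The volume is an in-memory stand-in so this runs offline; the
file names, sizes and the 'coarse' mitigation are hypothetical.
"""

CAPACITY = 1000    # bytes on the (simulated) volume
FILLER = 100       # size of HIGH's signalling file
GRANULARITY = 500  # mitigation: report free space only in coarse steps


class Volume:
    def __init__(self, coarse=False):
        self.files = {}       # name -> (owner_level, size)
        self.coarse = coarse

    def write(self, owner, name, size):
        self.files[name] = (owner, size)

    def delete(self, name):
        self.files.pop(name, None)

    def read(self, subject_level, name):
        """Mandatory rule: LOW may not read up into HIGH's data."""
        owner, size = self.files[name]
        if owner == "HIGH" and subject_level == "LOW":
            raise PermissionError("no read up")
        return size

    def free_space(self):
        """Legitimately visible to every subject; the leak lives here."""
        free = CAPACITY - sum(size for _, size in self.files.values())
        return free - free % GRANULARITY if self.coarse else free


def high_send_bit(vol, bit):
    if bit:
        vol.write("HIGH", ".filler", FILLER)
    else:
        vol.delete(".filler")


def low_receive_bit(vol, baseline):
    return 1 if vol.free_space() < baseline else 0


def exfiltrate(vol, secret):
    """Push every bit of secret through the channel; return what LOW got."""
    baseline = vol.free_space()           # LOW samples once with no filler
    bits = []
    for byte in secret:
        for i in range(7, -1, -1):
            high_send_bit(vol, (byte >> i) & 1)
            bits.append(low_receive_bit(vol, baseline))
    vol.delete(".filler")
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


def demo(coarse=False):
    """Return (direct read denied?, bytes LOW recovered via the channel)."""
    vol = Volume(coarse=coarse)
    vol.write("HIGH", "secret.txt", 42)
    try:
        vol.read("LOW", "secret.txt")
        denied = False
    except PermissionError:
        denied = True
    return denied, exfiltrate(vol, b"k3y")


if __name__ == "__main__":
    print(demo())             # (True, b'k3y'): access control held, data leaked
    print(demo(coarse=True))  # (True, b'\x00\x00\x00'): channel no longer decodes
```

The access control never fails, which is exactly why covert channels are treated as a separate assurance problem. Coarsening the shared attribute does not close the channel, it only lowers its bandwidth (a filler of GRANULARITY bytes would signal again), which is why the Orange Book approach combines bandwidth reduction with auditing of the channel's use.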
What does the Clark-Wilson security model focus on? A. Confidentiality B. Integrity C. Accountability D. Availability
Answer : B Explanation: The Clark-Wilson model addresses integrity. It incorporates mechanisms to enforce internal and external consistency, a separation of duty, and a mandatory integrity policy. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security Architectures and Models (page 205). NEXT QUESTION
Which of the following addresses a portion of the primary memory by specifying the actual address of the memory location? A. direct addressing B. Indirect addressing C. implied addressing D. indexed addressing
Answer : A Explanation: In direct addressing the instruction itself carries the absolute address of the operand, so the effective address is exactly the address field of the instruction: +------+-----+--------------------------------------+ | load | reg | address | +------+-----+--------------------------------------+ (Effective address = address as given in instruction) This requires space in an instruction for quite a large address. It is often available on CISC machines which have variable-length instructions, such as x86. Some RISC machines have a special Load Upper Literal instruction which places a 16-bit constant in the top half of a register. An OR literal instruction can be used to insert a 16-bit constant in the lower half of that register, so that a full 32-bit address can then be used via the register-indirect addressing mode, which itself is provided as "base-plus-offset" with an offset of 0. Indirect addressing instead names a location that holds the operand's address, implied addressing names no operand at all (it is fixed by the opcode), and indexed addressing adds an index register to the address field. http://en.wikipedia.org/wiki/Addressing_mode (Very good coverage of the subject) also see: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, page 186. also see: http://www.comsci.us/ic/notes/am.html NEXT QUESTION
What Cloud Deployment model consist of a cloud infrastructure provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units)? Such deployment model may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises. A. Private Cloud B. Public Cloud C. Hybrid Cloud D. Community Cloud
Answer : A Explanation: A Private cloud. The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises. Other Cloud Deployment Models are: Community cloud. The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises. Public cloud. The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider. Hybrid cloud. The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds). The following reference(s) were/was used to create this question: NIST Special Publication 800-145 The NIST definition of Cloud Computing and also see NIST Special Publication 800-146 The Cloud Computing Synopsis and Recommendations NEXT QUESTION
What is used to protect programs from all unauthorized modification or executional interference? A. A protection domain B. A security perimeter C. Security labels D. Abstraction
Answer : A Explanation: A protection domain consists of the execution and memory space assigned to each process. The purpose of establishing a protection domain is to protect programs from all unauthorized modification or executional interference. The security perimeter is the boundary that separates the Trusted Computing Base (TCB) from the remainder of the system. Security labels are assigned to resources to denote a type of classification. Abstraction is a way to protect resources in the fact that it involves viewing system components at a high level and ignoring its specific details, thus performing information hiding. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security Architecture and Models (page 193). NEXT QUESTION
What is it called when a computer uses more than one CPU in parallel to execute instructions? A. Multiprocessing B. Multitasking C. Multithreading D. Parallel running
Answer : A Explanation: A system with multiple processors is called a multiprocessing system. Multitasking is incorrect. Multitasking involves sharing the processor among all ready processes. Though it appears to the user that multiple processes are executing at the same time, only one process is running at any point in time. Multithreading is incorrect. The developer can structure a program as a collection of independent threads to achieve better concurrency. For example, one thread of a program might be performing a calculation while another is waiting for additional input from the user. "Parallel running" is incorrect. This is not a real term and is just a distraction. References CBK, pp. 315-316 AIO3, pp. 234-239 NEXT QUESTION
What is a trusted shell? A. It means that someone who is working in that shell cannot "bust out of it", and other processes cannot "bust into it". B. It means that it is a communications channel between the user, or program, and the kernel. C. It means that someone working in that shell can communicate with someone else in another trusted shell. D. It means that it won't let processes overwrite other processes' data.
Answer : A Explanation: A trusted shell means that someone who is working in that shell cannot "bust out of it", and other processes cannot "bust into it". The following reference(s) were/was used to create this question: Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw- Hill/Osborne, 2008, chapter 5: Security Architecture and Design (page 323). NEXT QUESTION
If an operating system permits shared resources such as memory to be used sequentially by multiple users/application or subjects without a refresh of the objects/memory area, what security problem is MOST likely to exist? A. Disclosure of residual data. B. Unauthorized obtaining of a privileged execution state. C. Data leakage through covert channels. D. Denial of service through a deadly embrace.
Answer : A Explanation: Allowing objects to be used sequentially by multiple users without a refresh of the objects can lead to disclosure of residual data. It is important that steps be taken to eliminate the chance for the disclosure of residual data. Object reuse refers to the allocation or reallocation of system resources to a user or, more appropriately, to an application or process. Applications and services on a computer system may create or use objects in memory and in storage to perform programmatic functions. In some cases, it is necessary to share these resources between various system applications. However, some objects may be employed by an application to perform privileged tasks on behalf of an authorized user or upstream application. If object usage is not controlled or the data in those objects is not erased after use, they may become available to unauthorized users or processes. Disclosure of residual data and unauthorized obtaining of a privileged execution state are both possible consequences of shared memory and resources. Not clearing the heap/stack leaves residual data and may also allow a user to step into somebody else's session if a security token or identity was maintained in that space; that second outcome requires deliberate exploitation rather than chance, and is far less common. The MOST likely issue is therefore disclosure of residual data. The following answers are incorrect: Unauthorized obtaining of a privileged execution state. Is incorrect because it is not the most likely result of object reuse; residual data is exposed whenever the object is reallocated, while privilege escalation needs an attacker to find and use a credential left in it. Data leakage through covert channels. Is incorrect because it is not the best answer. A covert channel is a communication path. Data leakage would not be a problem created by Object Reuse. In computer security, a covert channel is a type of computer security attack that creates a capability to transfer information objects between processes that are not supposed to be allowed to communicate by the computer security policy. 
The term, originated in 1973 by Lampson, is defined as "(channels) not intended for information transfer at all, such as the service program's effect on system load." to distinguish it from legitimate channels that are subjected to access controls by COMPUSEC. Denial of service through a deadly embrace. Is incorrect because it is only a detractor; a deadly embrace is a deadlock between processes waiting on each other's resources and has nothing to do with object reuse. References: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 4174-4179). Auerbach Publications. Kindle Edition. and https://www.fas.org/irp/nsa/rainbow/tg018.htm and http://en.wikipedia.org/wiki/Covert_channel NEXT QUESTION
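The object-reuse failure described above, as an added example written for this page (not code from the CISSP guide or any referenced source). A buffer pool hands the same bytearray to successive tenants, the way an allocator, a connection pool or a freed page does; without a refresh the second tenant reads what the first left behind, and the hardened pool zeroes the object before reallocation. The tenant names and the token value are hypothetical.

```python
"""Object reuse: residual data in a recycled buffer.

Added example, not from the CISSP text. A buffer pool hands the same
bytearray to successive tenants, as an allocator or connection pool does.
Without a refresh, tenant B can read what tenant A left; the hardened pool
zeroes the object before reallocation (an object-reuse control).
"""


class BufferPool:
    def __init__(self, size, clear_on_release=False):
        self.size = size
        self.clear_on_release = clear_on_release
        self.free = []  # recycled buffers, handed out most-recent first

    def acquire(self):
        """Return a recycled buffer if one exists, else a fresh zeroed one."""
        return self.free.pop() if self.free else bytearray(self.size)

    def release(self, buf):
        if self.clear_on_release:
            buf[:] = bytes(len(buf))   # refresh: overwrite before reuse
        self.free.append(buf)


def tenant_a_writes_secret(pool, secret):
    """Tenant A uses a buffer for a credential and hands it back untouched."""
    buf = pool.acquire()
    buf[:len(secret)] = secret
    pool.release(buf)


def tenant_b_reads_leftovers(pool):
    """Tenant B never writes; it only reads whatever the pool gives it."""
    buf = pool.acquire()
    leftover = bytes(buf).rstrip(b"\x00")
    pool.release(buf)
    return leftover


def leak(pool_clears):
    """Return the bytes tenant B sees after tenant A's use of the pool."""
    pool = BufferPool(32, clear_on_release=pool_clears)
    tenant_a_writes_secret(pool, b"session-token-7f3a")  # constructed value
    return tenant_b_reads_leftovers(pool)


if __name__ == "__main__":
    print("no refresh  :", leak(False))   # b'session-token-7f3a'
    print("with refresh:", leak(True))    # b''
```

Nothing here violates an access-control rule: tenant B only asked for a buffer. That is why the Orange Book treats object reuse as a separate requirement (C2 and above) and why kernels zero pages before handing them to a new process; the same discipline applies to application-level pools, which allocators and garbage collectors do not clear for you.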
Attributable data should be: A. always traced to individuals responsible for observing and recording the data B. sometimes traced to individuals responsible for observing and recording the data C. never traced to individuals responsible for observing and recording the data D. often traced to individuals responsible for observing and recording the data
Answer : A Explanation: As per FDA data should be attributable, original, accurate, contemporaneous and legible. In an automated system attributability could be achieved by a computer system designed to identify individuals responsible for any input. Source: U.S. Department of Health and Human Services, Food and Drug Administration, Guidance for Industry - Computerized Systems Used in Clinical Trials, April 1999, page 1. NEXT QUESTION
When referring to the Cloud Computing Service models. What would you call a service model where the consumer does not manage or control the underlying cloud infrastructure including networks, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment? A. Code as a Service (CaaS) B. Platform as a Service (PaaS) C. Software as a Service (SaaS) D. Infrastructure as a Service (IaaS)
Answer : B Explanation: The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including networks, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment. Platform-as-a-Service (PaaS) is a model of service delivery whereby the computing platform is provided as an on-demand service upon which applications can be developed and deployed. Its main purpose is to reduce the cost and complexity of buying, housing, and managing the underlying hardware and software components of the platform, including any needed program and database development tools. The development environment is typically special purpose, determined by the cloud provider and tailored to the design and architecture of its platform. The cloud consumer has control over applications and application environment settings of the platform. Security provisions are split between the cloud provider and the cloud consumer. The following answers are incorrect: Software-as-a-Service. Software-as-a-Service (SaaS) is a model of service delivery whereby one or more applications and the computational resources to run them are provided for use on demand as a turnkey service. Its main purpose is to reduce the total cost of hardware and software development, maintenance, and operations. Security provisions are carried out mainly by the cloud provider. The cloud consumer does not manage or control the underlying cloud infrastructure or individual applications, except for preference selections and limited administrative application settings. Infrastructure-as-a-Service. 
Infrastructure-as-a-Service (IaaS) is a model of service delivery whereby the basic computing infrastructure of servers, software, and network equipment is provided as an on-demand service upon which a platform to develop and execute applications can be established. Its main purpose is to avoid purchasing, housing, and managing the basic hardware and software infrastructure components, and instead obtain those resources as virtualized objects controllable via a service interface. The cloud consumer generally has broad freedom to choose the operating system and development environment to be hosted. Security provisions beyond the basic infrastructure are carried out mainly by the cloud consumer. Code as a Service (CaaS). CaaS does not exist and is only a detractor. There is no such service model. Cloud Deployment Models NOTE: WHAT IS A CLOUD INFRASTRUCTURE? A cloud infrastructure is the collection of hardware and software that enables the five essential characteristics of cloud computing. The cloud infrastructure can be viewed as containing both a physical layer and an abstracti NEXT QUESTION
Which of the following classes is the first level (lower) defined in the TCSEC (Orange Book) as mandatory protection? A. B B. A C. C D. D
Answer : A Explanation: Division B is the first (lowest) division that requires mandatory protection: sensitivity labels and mandatory access control appear at B1, while division C provides only discretionary protection and division D is minimal protection. Division A adds formal verification on top of the B3 requirements rather than new access-control features. First published in 1983 and updated in 1985, the TCSEC, frequently referred to as the Orange Book, was a United States Government Department of Defense (DoD) standard that sets basic standards for the implementation of security protections in computing systems. Primarily intended to help the DoD find products that met those basic standards, TCSEC was used to evaluate, classify, and select computer systems being considered for the processing, storage, and retrieval of sensitive or classified information on military and government systems. As such, it was strongly focused on enforcing confidentiality with no focus on other aspects of security such as integrity or availability. Although it has since been superseded by the Common Criteria, it influenced the development of other product evaluation criteria, and some of its basic approach and terminology continues to be used. Reference used for this question: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 17920-17926). Auerbach Publications. Kindle Edition. and THE source for all TCSEC "level" questions: http://csrc.nist.gov/publications/secpubs/rainbow/std001.txt (paragraph 3 for this one) NEXT QUESTION
Memory management in TCSEC levels B3 and A1 operating systems may utilize "data hiding". What does this mean? A. System functions are layered, and none of the functions in a given layer can access data outside that layer. B. Auditing processes and their memory addresses cannot be accessed by user processes. C. Only security processes are allowed to write to ring zero memory. D. It is a form of strong encryption cipher.
Answer : A Explanation: Data hiding is protecting data so that it is available only to the layer that owns it. It is performed by layering: the software in each layer maintains its own global data and does not directly reference data outside its layer, so functions in one layer cannot reach the data structures of another. The following answers are incorrect: Auditing processes and their memory addresses cannot be accessed by user processes. Is incorrect because this does not describe data hiding. Only security processes are allowed to write to ring zero memory. This is incorrect; the security kernel would be responsible for ring zero, and this is not what data hiding means. It is a form of strong encryption cipher. Is incorrect because this does not conform to the definition of data hiding. NEXT QUESTION
Which of the following is the lowest TCSEC class wherein the systems must support separate operator and system administrator roles? A. B2 B. B1 C. A1 D. A2
Answer : A Explanation: B2 is the lowest class at which the TCSEC requires the TCB to support separate operator and administrator functions (part of the Trusted Facility Management requirement introduced at B2); B3 then adds a distinct security administrator role. For the purpose of the exam you must know what is being introduced at each of the TCSEC ratings. There is a fantastic one page guide that shows clearly what is being introduced at each of the layers. You can download a copy of the guide at: https://www.freepracticetests.org/documents/tcsec.pdf You can also download a nice document that covers the modes of operations at: https://www.freepracticetests.org/documents/modesofoperation.pdf References: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, page 220. and http://csrc.nist.gov/publications/secpubs/rainbow/std001.txt (paragraph 3.2) NEXT QUESTION
Which International Organization for Standardization standard is commonly referred to as the 'common criteria'? A. 15408 B. 27001 C. 14000 D. 22002
Answer : A Explanation: From the official guide: "The publication of the Common Criteria as the ISO/IEC 15408 standard provided the first truly international product evaluation criteria. It has largely superseded all other criteria, although there continue to be products in general use that were certified under TCSEC, ITSEC and other criteria. It takes a very similar approach to ITSEC by providing a flexible set of functional and assurance requirements, and like ITSEC, it is not very proscriptive as TCSEC had been. Instead, it is focused on standardizing the general approach to product evaluation and providing mutual recognition of such evaluations all over the world." The following answers are incorrect: - 27001 ISO/IEC 27000 is part of a growing family of ISO/IEC Information Security Management Systems (ISMS) standards, the 'ISO/IEC 27000 series'. ISO/IEC 27000 is an international standard entitled: Information technology - Security techniques - Information security management systems - Overview and vocabulary. - 14000 ISO 14000 is a family of standards related to environmental management that exists to help organizations (a) minimize how their operations (processes etc.) negatively affect the environment (i.e. cause adverse changes to air, water, or land); (b) comply with applicable laws, regulations, and other environmentally oriented requirements, and (c) continually improve in the above. ISO 14000 is similar to ISO 9000 quality management in that both pertain to the process of how a product is produced, rather than to the product itself. As with ISO 9000, certification is performed by third-party organizations rather than being awarded by ISO directly. The ISO 19011 audit standard applies when auditing for both 9000 and 14000 compliance at once. The requirements of ISO 14000 are an integral part of the European Union's environmental management scheme EMAS. 
EMAS's structure and material requirements are more demanding, foremost concerning performance improvement, legal compliance and reporting duties. - 22002 ISO/TS 22002-1, Prerequisite programmes on food safety, Part 1: Food manufacturing. The following reference(s) were/was used to create this question: Tipton, Harold F. (2010-04-20). Official (ISC)2 Guide to the CISSP CBK, Second Edition ((ISC)2 Press), Chapter 9, Security Architecture and Design and https://en.wikipedia.org/wiki/ISO_14000 and https://en.wikipedia.org/wiki/ISO/IEC_27000 and https://en.wikipedia.org/wiki/ISO_22000 NEXT QUESTION
Which of the following cloud deployment model operates solely for an organization? A. Private Cloud B. Community Cloud C. Public Cloud D. Hybrid Cloud
Answer : A Explanation: In Private cloud, the cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises. For your exam you should know below information about Cloud Computing deployment models: Private cloud The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises. Private Cloud Image Reference - http://www.inflectionpoint.co.uk/Portals/5/VMware-vCloud.jpg Community Cloud The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises. Community Cloud Image Reference - http://cloudcomputingksu.files.wordpress.com community- [8] Public Cloud The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider. 
Public Cloud [8] Hybrid cloud The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds). Hybrid Cloud Image Reference - http://www.virtualizationpractice.com/wp-content/uploads Hybrid-Cloud-Computing-Solution1.jpg The following answers are incorrect: Community cloud - The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises. Public cloud - The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider. Hybrid cloud - The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private NEXT QUESTION
What does the simple integrity axiom mean in the Biba model? A. No write down B. No read down C. No read up D. No write up
Answer : B Explanation: The simple integrity axiom of the Biba access control model states that a subject at one level of integrity is not permitted to observe an object of a lower integrity (no read down). Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security Architectures and Models (page 205). NEXT QUESTION
Which of the following was the first mathematical model of a multilevel security policy used to define the concepts of a security state and mode of access, and to outline rules of access? A. Biba B. Bell-LaPadula C. Clark-Wilson D. State machine
Answer : B Explanation: This is a formal definition of the Bell-LaPadula model, which was created and implemented to protect confidential government and military information. In the 1970s, the U.S. military used time-sharing mainframe systems and was concerned about the security of these systems and leakage of classified information. The Bell-LaPadula model was developed to address these concerns. It was the first mathematical model of a multilevel security policy used to define the concept of a secure state machine and modes of access, and outlined rules of access. Its development was funded by the U.S. government to provide a framework for computer systems that would be used to store and process sensitive information. The model's main goal was to prevent secret information from being accessed in an unauthorized manner. A system that employs the Bell-LaPadula model is called a multilevel security system because users with different clearances use the system, and the system processes data at different classification levels. The level at which information is classified determines the handling procedures that should be used. The Bell-LaPadula model is a state machine model that enforces the confidentiality aspects of access control. A matrix and security levels are used to determine if subjects can access different objects. The subject's clearance is compared to the object's classification and then specific rules are applied to control how subject-to-object interactions can take place. The following answers are incorrect: Biba - The Biba model was developed after the Bell-LaPadula model. It is a state machine model similar to the Bell-LaPadula model. Biba addresses the integrity of data within applications. The Bell-LaPadula model uses a lattice of security levels (top secret, secret, sensitive, and so on). These security levels were developed mainly to ensure that sensitive data were only available to authorized individuals. 
The Biba model is not concerned with security levels and confidentiality, so it does not base access decisions upon this type of lattice. Instead, the Biba model uses a lattice of integrity levels. Clark-Wilson - When an application uses the Clark-Wilson model, it separates data into one subset that needs to be highly protected, which is referred to as a constrained data item (CDI), and another subset that does not require a high level of protection, which is called an unconstrained data item (UDI). Users cannot modify critical data (CDI) directly. Instead, the subject (user) must be authenticated to a piece of software, and the software procedures (TPs) will carry out the operations on behalf of the user. For example, when Kathy needs to update information held within her company's database, she will not be allowed to do so without a piece of software controlling these activities. First, Kathy must authenticate to a program, which is acting as a front end for the database, and then the program will control what Kathy can and cannot do t NEXT QUESTION
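The Bell-LaPadula rules (simple security, *-property, strong *-property) and the Biba rules (simple integrity, *-integrity) that this question and the two earlier Bell-LaPadula and Biba questions describe all reduce to one dominance relation on a lattice, evaluated in opposite directions. The block below is an added example written for this page, not code from the CISSP guide or any referenced source. A label is a hierarchical level plus a set of categories (compartments); label A dominates label B when A's level is at least B's and A's categories include B's. Level numbers and category names are hypothetical.

```python
"""Bell-LaPadula and Biba decisions on a security lattice.

Added example, not from the CISSP text. A label is a hierarchical level plus a
set of categories (compartments); label A dominates label B when A's level is
at least B's and A's categories include B's. The same dominance relation
drives BLP (confidentiality) and Biba (integrity); only the direction of each
rule differs. Level numbers and category names are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    level: int                     # e.g. 0=U, 1=C, 2=S, 3=TS
    cats: frozenset = frozenset()  # need-to-know compartments

    def dominates(self, other):
        """Lattice order: higher-or-equal level AND a superset of categories."""
        return self.level >= other.level and self.cats >= other.cats


# Bell-LaPadula: confidentiality
def blp_read(subject, obj):
    """Simple security property: no read up."""
    return subject.dominates(obj)


def blp_write(subject, obj, strong_star=False):
    """*-property: no write down. With the strong *-property a subject may
    write only at exactly its own label (neither up nor down)."""
    if strong_star:
        return subject == obj
    return obj.dominates(subject)


# Biba: integrity (the mirror image)
def biba_read(subject, obj):
    """Simple integrity axiom: no read down."""
    return obj.dominates(subject)


def biba_write(subject, obj):
    """*-integrity axiom: no write up."""
    return subject.dominates(obj)


def decisions(subject, objects):
    """Evaluate all four rules for one subject against several objects."""
    return {name: {"blp_read": blp_read(subject, o),
                   "blp_write": blp_write(subject, o),
                   "biba_read": biba_read(subject, o),
                   "biba_write": biba_write(subject, o)}
            for name, o in objects.items()}


def demo():
    """A Secret/{nuclear} subject against four objects, including one whose
    label is incomparable with the subject's (same level, other category)."""
    subj = Label(2, frozenset({"nuclear"}))
    objs = {
        "C/{}":         Label(1),
        "S/{nuclear}":  Label(2, frozenset({"nuclear"})),
        "S/{crypto}":   Label(2, frozenset({"crypto"})),   # incomparable
        "TS/{nuclear}": Label(3, frozenset({"nuclear"})),
    }
    return decisions(subj, objs)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
    s = Label(2, frozenset({"nuclear"}))
    print(blp_write(s, Label(3, frozenset({"nuclear"})), strong_star=True))  # False
```

Two things the exam answers gloss over show up directly: a subject can neither read nor write an incomparable object (S/{crypto}) under either model, because neither label dominates the other, and every Biba decision is the Bell-LaPadula decision with subject and object swapped, which is why the two models are so easily confused on paper.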
An Architecture where there are more than two execution domains or privilege levels is called: A. Ring Architecture. B. Ring Layering C. Network Environment. D. Security Models
Answer : A Explanation: In computer science, hierarchical protection domains, often called protection rings, are a mechanism to protect data and functionality from faults (fault tolerance) and malicious behavior (computer security). This approach is diametrically opposite to that of capability-based security. Computer operating systems provide different levels of access to resources. A protection ring is one of two or more hierarchical levels or layers of privilege within the architecture of a computer system. This is generally hardware-enforced by some CPU architectures that provide different CPU modes at the hardware or microcode level. Rings are arranged in a hierarchy from most privileged (most trusted, usually numbered zero) to least privileged (least trusted, usually with the highest ring number). On most operating systems, Ring 0 is the level with the most privileges and interacts most directly with the physical hardware such as the CPU and memory. Special gates between rings are provided to allow an outer ring to access an inner ring's resources in a predefined manner, as opposed to allowing arbitrary usage. Correctly gating access between rings can improve security by preventing programs from one ring or privilege level from misusing resources intended for programs in another. For example, spyware running as a user program in Ring 3 should be prevented from turning on a web camera without informing the user, since hardware access should be a Ring 1 function reserved for device drivers. Programs such as web browsers running in higher numbered rings must request access to the network, a resource restricted to a lower numbered ring. This is the Ring Architecture. All of the other answers are incorrect because they are distractors. References: OIG CBK Security Architecture and Models (page 311) and https://en.wikipedia.org/wiki/Ring_%28computer_security%29 NEXT QUESTION
Which of the following was developed by the National Computer Security Center (NCSC) for the US Department of Defense? A. TCSEC B. ITSEC C. DIACAP D. NIACAP
Answer : A Explanation: Initially issued by the National Computer Security Center (NCSC), an arm of the National Security Agency, in 1983 and then updated in 1985, TCSEC was replaced with the development of the Common Criteria international standard originally published in 2005. References: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, pages 197-199. Wikipedia http://en.wikipedia.org/wiki/TCSEC NEXT QUESTION
Which Orange Book evaluation level is described as "Verified Design"? A. A1. B. B3. C. B2. D. B1.
Answer : A Explanation: Level A1 is described as Verified Design. The following answers are incorrect: B3. This is incorrect because level B3 is described as Security Domains. B2. This is incorrect because level B2 is described as Structured Protection. B1. This is incorrect because level B1 is described as Labeled Security. NEXT QUESTION
The Orange Book describes four hierarchical levels to categorize security systems. Which of the following levels require mandatory protection? A. A and B. B. B and C. C. A, B, and C. D. B and D.
Answer : A Explanation: Level B is the first to require Mandatory Protection. Because the higher levels also inherit the requirements of all lower levels, level A also requires Mandatory Protection. The following answers are incorrect: B and C. Is incorrect because Mandatory Protection is not required until level B; level C is a lower level. A, B, and C. Is incorrect because Mandatory Protection is not required until level B; level C is a lower level. B and D. Is incorrect because Mandatory Protection is not required until level B; level D is a lower level. One of the first accepted evaluation standards was the Trusted Computer Security Evaluation Criteria or TCSEC. The Orange Book was part of this standard that defines four security divisions consisting of seven different classes for security ratings. The lowest class offering the least protection is D - Minimal protection. The highest classification would be A1, offering the most secure environment. As you go to the next division and class you inherit the requirements of the lower levels. So, for example, C2 would also incorporate the requirements for C1 and D. The divisions and classes are: D - Minimal protection; C - Discretionary protection: C1 Discretionary Security Protection, C2 Controlled Access Protection; B - Mandatory Protection: B1 Labeled Security, B2 Structured Protection, B3 Security Domains; A - Verified Protection: A1 Verified Design. Wikipedia: "TCSEC was replaced with the development of the Common Criteria international standard originally published in 2005." References: OIG CBK, Security Architecture and Design (pages 329 - 330) AIO, 3rd Edition, Security Models and Architecture (pages 302 - 306) AIO, 4th Edition, Security Architecture and Design, pp357-361. Wikipedia - http://en.wikipedia.org/wiki/TCSEC#Divisions_and_Classes DOD TCSEC - http://www.cerberussystems.com/INFOSEC/stds/d520028.htm NSI reference for Orange book: http://nsi.org/Library/Compsec/orangebo.txt NEXT QUESTION
Which of the following is a set of data processing elements that increases the performance in a computer by overlapping the steps of different instructions? A. pipelining B. complex-instruction-set-computer (CISC) C. reduced-instruction-set-computer (RISC) D. multitasking
Answer : A Explanation: Pipelining is a natural concept in everyday life, e.g. on an assembly line. Consider the assembly of a car: assume that certain steps in the assembly line are to install the engine, install the hood, and install the wheels (in that order, with arbitrary interstitial steps). A car on the assembly line can have only one of the three steps done at once. After the car has its engine installed, it moves on to having its hood installed, leaving the engine installation facilities available for the next car. The first car then moves on to wheel installation, the second car to hood installation, and a third car begins to have its engine installed. If engine installation takes 20 minutes, hood installation takes 5 minutes, and wheel installation takes 10 minutes, then finishing all three cars when only one car can be assembled at once would take 105 minutes. On the other hand, using the assembly line, the total time to complete all three is 75 minutes. At this point, additional cars will come off the assembly line at 20 minute increments. In computing, a pipeline is a set of data processing elements connected in series, so that the output of one element is the input of the next one. The elements of a pipeline are often executed in parallel or in time-sliced fashion; in that case, some amount of buffer storage is often inserted between elements. Pipelining is used in processors to allow overlapping execution of multiple instructions within the same circuitry. The circuitry is usually divided into stages, including instruction decoding, arithmetic, and register fetching stages, wherein each stage processes one instruction at a time. The following were not correct answers: CISC: is a CPU design where single instructions execute several low-level operations (such as a load from memory, an arithmetic operation, and a memory store) within a single instruction. 
RISC: is a CPU design based on simplified instructions that can provide higher performance as the simplicity enables much faster execution of each instruction. Multitasking: is a method where multiple tasks share common processing resources, such as a CPU, through a method of fast scheduling that gives the appearance of parallelism, but in reality only one task is being performed at any one time. Reference: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, pages 188-189. Also see http://en.wikipedia.org/wiki/Pipeline_(computing) NEXT QUESTION
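The assembly-line arithmetic in the explanation above (105 minutes sequentially versus 75 minutes pipelined, then one car every 20 minutes) can be reproduced by a small scheduler. The code below is an added example, not part of the original question bank; it assumes that each stage handles one item at a time and that an item stays in its current stage until the next stage is free, which is also what makes the slowest stage the bottleneck. It goes slightly beyond the text by handling a bottleneck in the middle of the pipeline, where an item blocks the stage behind it.

```python
"""Pipeline timing simulator (added example, not from the original text).

Each stage processes one item at a time.  An item may advance only when
the next stage is free, so it keeps occupying its current stage while it
waits.  Items are fed in order and are all available at time 0.
"""
from typing import List


def sequential_time(stage_times: List[int], n_items: int) -> int:
    """Total time when only one item can be worked on at a time."""
    return sum(stage_times) * n_items


def completion_times(stage_times: List[int], n_items: int) -> List[int]:
    """Finish time of each item when the stages overlap (pipelined)."""
    # stage_free[s] is the time at which stage s next becomes available
    stage_free = [0] * len(stage_times)
    done = []
    for _ in range(n_items):
        ready = 0            # item is available for the first stage at t=0
        starts = []
        for s, dur in enumerate(stage_times):
            start = max(ready, stage_free[s])   # wait for the stage to free up
            starts.append(start)
            ready = start + dur                 # work done; may still wait to move on
        # A stage stays busy until its item enters the next stage; the
        # final stage is busy until the item is finished.
        for s in range(len(stage_times) - 1):
            stage_free[s] = starts[s + 1]
        stage_free[-1] = ready
        done.append(ready)
    return done


def pipelined_time(stage_times: List[int], n_items: int) -> int:
    """Total time to finish all items with the pipeline."""
    return completion_times(stage_times, n_items)[-1] if n_items else 0


if __name__ == "__main__":
    # Constructed figures from the car example: engine 20, hood 5, wheels 10
    stages = [20, 5, 10]
    print(sequential_time(stages, 3), pipelined_time(stages, 3))   # 105 75
    print(completion_times(stages, 4))                             # [35, 55, 75, 95]
```

After the pipeline fills, items complete at the interval of the slowest stage, which is why the text says additional cars arrive every 20 minutes; with the bottleneck in the middle (for instance stages of 5, 20 and 5 minutes) the first stage is blocked behind it and throughput is still one item per 20 minutes.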
You have been approached by one of your clients. They are interested in doing some security re-engineering. The client is looking at various information security models. It is a highly secure environment where data at high classifications cannot be leaked to subjects at lower classifications. Of primary concern to them is the identification of potential covert channels. As an Information Security Professional, which model would you recommend to the client? A. Information Flow Model combined with Bell Lapadula B. Bell Lapadula C. Biba D. Information Flow Model
Answer : A Explanation: Securing the data manipulated by computing systems has been a challenge in the past years. Several methods to limit the information disclosure exist today, such as access control lists, firewalls, and cryptography. However, although these methods do impose limits on the information that is released by a system, they provide no guarantees about information propagation. For example, access control lists of file systems prevent unauthorized file access, but they do not control how the data is used afterwards. Similarly, cryptography provides a means to exchange information privately across a non-secure channel, but no guarantees about the confidentiality of the data are given once it is decrypted. In low level information flow analysis, each variable is usually assigned a security level. The basic model comprises two distinct levels: low and high, meaning, respectively, publicly observable information and secret information. To ensure confidentiality, flowing information from high to low variables should not be allowed. On the other hand, to ensure integrity, flows to high variables should be restricted. More generally, the security levels can be viewed as a lattice with information flowing only upwards in the lattice. Noninterference Models This could have been another good answer as it would help in minimizing the damage from covert channels. The goal of a noninterference model is to help ensure that high-level actions (inputs) do not determine what low-level users can see (outputs). Most of the security models presented are secured by permitting restricted flows between high- and low-level users. The noninterference model maintains activities at different security levels to separate these levels from each other. In this way, it minimizes leakages that may happen through covert channels, because there is complete separation (noninterference) between security levels.
Because a user at a higher security level has no way to interfere with the activities at a lower level, the lower-level user cannot get any information from the higher level. The following answers are incorrect: Bell Lapadula The Bell-LaPadula Model (abbreviated BLP) is a state machine model used for enforcing access control in government and military applications. It was developed by David Elliott Bell and Leonard J. LaPadula, subsequent to strong guidance from Roger R. Schell, to formalize the U.S. Department of Defense (DoD) multilevel security (MLS) policy. The model is a formal state transition model of computer security policy that describes a set of access control rules which use security labels on objects and clearances for subjects. Security labels range from the most sensitive (e.g., "Top Secret") down to the least sensitive (e.g., "Unclassified" or "Public"). The Bell-LaPadula model focuses on data confidentiality and controlled access to classified information, in contrast to the Biba Integrity Model which describes rules for the protection of data integrity. In NEXT QUESTION
Which of the following models does NOT include data integrity or conflict of interest? A. Biba B. Clark-Wilson C. Bell-LaPadula D. Brewer-Nash
Answer : C Explanation: Bell LaPadula model (Bell 1975): The granularity of objects and subjects is not predefined, but the model prescribes simple access rights. Based on simple access restrictions the Bell LaPadula model enforces a discretionary access control policy enhanced with mandatory rules. Applications with rigid confidentiality requirements and without strong integrity requirements may properly be modeled. These simple rights combined with the mandatory rules of the policy considerably restrict the spectrum of applications which can be appropriately modeled. Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation. Also check: Proceedings of the IFIP TC11 12th International Conference on Information Security, Samos (Greece), May 1996, On Security Models. NEXT QUESTION
In which of the following cloud computing service models are applications hosted by the service provider and made available to the customers over a network? A. Software as a service B. Data as a service C. Platform as a service D. Infrastructure as a service
Answer : A Explanation: Software as a Service (SaaS) is a software distribution model in which applications are hosted by a vendor or service provider and made available to customers over a network, typically the Internet. SaaS is closely related to the ASP (application service provider) and on demand computing software delivery models. For your exam you should know the below information about Cloud Computing: Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models. Cloud Computing Image Reference http://osarena.net/wp-content/uploadscloud-computing3.jpg Cloud computing service models Image Reference http://www.esri.com/news/arcwatch/0110/graphics/feature2.jpg Software as a Service (SaaS) Software as a Service (SaaS) is a software distribution model in which applications are hosted by a vendor or service provider and made available to customers over a network, typically the Internet. SaaS is closely related to the ASP (application service provider) and on demand computing software delivery models. IDC identifies two slightly different delivery models for SaaS. The hosted application management (hosted AM) model is similar to ASP: a provider hosts commercially available software for customers and delivers it over the Web. In the software on demand model, the provider gives customers network-based access to a single copy of an application created specifically for SaaS distribution. The provider gives users access to specific application software (CRM, e-mail, games).
The provider gives the customers network based access to a single copy of an application created specifically for SaaS distribution and use. Benefits of the SaaS model include: easier administration; automatic updates and patch management; compatibility: all users will have the same version of software; easier collaboration, for the same reason; global accessibility. Platform as a Service (PaaS) Platform as a Service (PaaS) is a way to rent hardware, operating systems, storage and network capacity over the Internet. The service delivery model allows the customer to rent virtualized servers and associated services for running existing applications or developing and testing new ones. Cloud providers deliver a computing platform, which can include an operating system, database, and web server as a holistic execution environment. Where IaaS is the raw IT network, PaaS is the software environment that runs on top of the IT network. Platform as a Service (PaaS) is an outgrowth of Software as a Service (SaaS), a NEXT QUESTION
Which of the following places the Orange Book classifications in order from most secure to least secure? A. A, B, C, D B. D, C, B, A C. D, B, A, C D. C, D, B, A
Answer : A Explanation: Source: RUSSEL, Deborah & GANGEMI, G.T. Sr., Computer Security Basics, O'Reilly, 1991, pg. 289. Also: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 5: Security Models and Architecture (pages 251-255). And: U.S. Department of Defense, Trusted Computer System Evaluation Criteria (Orange Book), DOD 5200.28-STD. December 1985 (also available here). NEXT QUESTION
In which of the following security models is the subject's clearance compared to the object's classification such that specific rules can be applied to control how the subject-to-object interactions take place? A. Bell-LaPadula model B. Biba model C. Access Matrix model D. Take-Grant model
Answer : A Explanation: The Bell-LaPadula model is also called a multilevel security system because users with different clearances use the system and the system processes data with different classifications. It was developed by the US Military in the 1970s. A security model maps the abstract goals of the policy to information system terms by specifying explicit data structures and techniques necessary to enforce the security policy. A security model is usually represented in mathematics and analytical ideas, which are mapped to system specifications and then developed by programmers through programming code. So we have a policy that encompasses security goals, such as each subject must be authenticated and authorized before accessing an object. The security model takes this requirement and provides the necessary mathematical formulas, relationships, and logic structure to be followed to accomplish this goal. A system that employs the Bell-LaPadula model is called a multilevel security system because users with different clearances use the system, and the system processes data at different classification levels. The level at which information is classified determines the handling procedures that should be used. The Bell-LaPadula model is a state machine model that enforces the confidentiality aspects of access control. A matrix and security levels are used to determine if subjects can access different objects. The subject's clearance is compared to the object's classification and then specific rules are applied to control how subject-to-object interactions can take place. Reference(s) used for this question: Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (p. 369). McGraw-Hill. Kindle Edition. NEXT QUESTION
Which of the following statements pertaining to the trusted computing base (TCB) is false? A. Its enforcement of security policy is independent of parameters supplied by system administrators. B. It is defined in the Orange Book. C. It includes hardware, firmware and software. D. A higher TCB rating will require that details of their testing procedures and documentation be reviewed with more granularity.
Answer : A Explanation: The ability of a TCB to correctly enforce a security policy depends solely on the mechanisms within it and the correct input by system administrative personnel of parameters related to security policy. For example, if Jane only has a "CONFIDENTIAL" clearance, a system administrator could foil the correct operation of a TCB by providing input to the system that gave her a "SECRET" clearance. "It is defined in the Orange Book" is an incorrect choice. The TCB is defined in the Orange Book (TCSEC or Trusted Computer System Evaluation Criteria). "It includes hardware, firmware and software" is incorrect. The TCB does include the combination of all hardware, firmware and software responsible for enforcing the security policy. "A higher TCB rating will require that details of their testing procedures and documentation be reviewed with more granularity" is incorrect. As the level of trust increases (D through A), the level of scrutiny required during evaluation increases as well. References: CBK, pp. 323 - 324, 329 - 330 AIO3, pp. 269 - 272, NEXT QUESTION
Which of the following divisions is defined in the TCSEC (Orange Book) as minimal protection? A. Division D B. Division C C. Division B D. Division A
Answer : A Explanation: The criteria are divided into four divisions: D, C, B, and A, ordered in a hierarchical manner with the highest division (A) being reserved for systems providing the most comprehensive security. Each division represents a major improvement in the overall confidence one can place in the system for the protection of sensitive information. Within divisions C and B there are a number of subdivisions known as classes. The classes are also ordered in a hierarchical manner, with systems representative of division C and lower classes of division B being characterized by the set of computer security mechanisms that they possess. Assurance of correct and complete design and implementation for these systems is gained mostly through testing of the security-relevant portions of the system. The security-relevant portions of a system are referred to throughout this document as the Trusted Computing Base (TCB). Systems representative of higher classes in division B and division A derive their security attributes more from their design and implementation structure. Increased assurance that the required features are operative, correct, and tamperproof under all circumstances is gained through progressively more rigorous analysis during the design process. TCSEC provides a classification system that is divided into hierarchical divisions of assurance levels: Division D - minimal security; Division C - discretionary protection; Division B - mandatory protection; Division A - verified protection. Reference: page 358 AIO V.5 Shon Harris also Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, page 197. Also: THE source for all TCSEC "level" questions: http://csrc.nist.gov/publications/secpubs/rainbow/std001.txt NEXT QUESTION
Which of the following is a true statement pertaining to memory addressing? A. The CPU uses absolute addresses. Applications use logical addresses. Relative addresses are based on a known address and an offset value. B. The CPU uses logical addresses. Applications use absolute addresses. Relative addresses are based on a known address and an offset value. C. The CPU uses absolute addresses. Applications use relative addresses. Logical addresses are based on a known address and an offset value. D. The CPU uses absolute addresses. Applications use logical addresses. Absolute addresses are based on a known address and an offset value.
Answer : A Explanation: The physical memory addresses that the CPU uses are called absolute addresses. The indexed memory addresses that software uses are referred to as logical addresses. A relative address is a logical address which incorporates the correct offset value. The following answers are incorrect: The CPU uses logical addresses. Applications use absolute addresses. Relative addresses are based on a known address and an offset value. The CPU uses absolute addresses. Applications use relative addresses. Logical addresses are based on a known address and an offset value. The CPU uses absolute addresses. Applications use logical addresses. Absolute addresses are based on a known address and an offset value. The following reference(s) were/was used to create this question: Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 330). McGraw- Hill . Kindle Edition. NEXT QUESTION
The Reference Validation Mechanism that ensures the authorized access relationships between subjects and objects is implementing which of the following concept: A. The reference monitor. B. Discretionary Access Control. C. The Security Kernel. D. Mandatory Access Control.
Answer : A Explanation: The reference monitor concept is an abstract machine that ensures that all subjects have the necessary access rights before accessing objects. Therefore, the kernel mediates all accesses to objects by subjects and does so by validating them through the reference monitor concept. The kernel does not decide whether or not the access will be granted; it is the Reference Monitor, a subset of the kernel, that says YES or NO. All access requests will be intercepted by the Kernel, validated through the reference monitor, and then access will either be denied or granted according to the request and the subject's privileges within the system. 1. The reference monitor must be small enough to be fully tested and validated. 2. The Kernel must MEDIATE all access requests from subjects to objects. 3. The processes implementing the reference monitor must be protected. 4. The reference monitor must be tamperproof. The following answers are incorrect: The security kernel is the mechanism that actually enforces the rules of the reference monitor concept. The other answers are distractors. Shon Harris, All In One, 5th Edition, Security Architecture and Design, Page 330 also see http://en.wikipedia.org/wiki/Reference_monitor NEXT QUESTION
What can be defined as an abstract machine that mediates all access to objects by subjects to ensure that subjects have the necessary access rights and to protect objects from unauthorized access? A. The Reference Monitor B. The Security Kernel C. The Trusted Computing Base D. The Security Domain
Answer : A Explanation: The reference monitor refers to an abstract machine that mediates all access to objects by subjects. This question is asking for the concept that governs access by subjects to objects, thus the reference monitor is the best answer. While the security kernel is similar in nature, it is what actually enforces the concepts outlined in the reference monitor. In operating systems architecture a reference monitor concept defines a set of design requirements on a reference validation mechanism, which enforces an access control policy over subjects' (e.g., processes and users) ability to perform operations (e.g., read and write) on objects (e.g., files and sockets) on a system. The properties of a reference monitor are: The reference validation mechanism must always be invoked (complete mediation). Without this property, it is possible for an attacker to bypass the mechanism and violate the security policy. The reference validation mechanism must be tamperproof. Without this property, an attacker can undermine the mechanism itself so that the security policy is not correctly enforced. The reference validation mechanism must be small enough to be subject to analysis and tests, the completeness of which can be assured (verifiable). Without this property, the mechanism might be flawed in such a way that the policy is not enforced. For example, Windows 3.x and 9x operating systems were not built with a reference monitor, whereas the Windows NT line, which also includes Windows 2000 and Windows XP, was designed to contain a reference monitor, although it is not clear that its properties (tamperproof, etc.) have ever been independently verified, or what level of computer security it was intended to provide.
The claim is that a reference validation mechanism that satisfies the reference monitor concept will correctly enforce a system's access control policy, as it must be invoked to mediate all security-sensitive operations, must not be tampered, and has undergone complete analysis and testing to verify correctness. The abstract model of a reference monitor has been widely applied to any type of system that needs to enforce access control, and is considered to express the necessary and sufficient properties for any system making this security claim. According to Ross Anderson, the reference monitor concept was introduced by James Anderson in an influential 1972 paper. Systems evaluated at B3 and above by the Trusted Computer System Evaluation Criteria (TCSEC) must enforce the reference monitor concept. The reference monitor, as defined in AIO V5 (Harris) is: "an access control concept that refers to an abstract machine that mediates all access to objects by subjects." The security kernel, as defined in AIO V5 (Harris) is: "the hardware, firmware, and software elements of a trusted computing based (TCB) that implement the reference monitor concept. The kernel must mediate all access between subjects and objects, be protected from modifica NEXT QUESTION
What does the simple security (ss) property mean in the Bell-LaPadula model? A. No read up B. No write down C. No read down D. No write up
Answer : A Explanation: The ss (simple security) property of the Bell-LaPadula access control model states that reading of information by a subject at a lower sensitivity level from an object at a higher sensitivity level is not permitted (no read up). Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security Architectures and Models (page 202). NEXT QUESTION
Pervasive Computing and Mobile Computing Devices have to sacrifice certain functions. Which statement concerning those devices is false? A. In many cases, security services have been enhanced due to the lack of services available. B. These devices share common security concerns with other resource-constrained devices. C. In many cases, security services have been sacrificed to provide richer user interaction when processing power is very limited. D. Their mobility has made them a prime vector for data loss since they can be used to transmit and store information in ways that may be difficult to control.
Answer : A Explanation: This is a detail-oriented question to test if you are paying attention to both the question and answer. While the answer sounds legitimate, it is not truly the case in these types of devices. Just remember, even if you have only one service running, that does not mean you are secure if the service itself has not been secured. From the official guide: "The number of small mobile devices has grown considerably in the past four or five years. Products vary from sophisticated mobile phones, such as third-generation (3G) handsets, to full-featured netbooks and personal digital assistants (PDAs). These devices share common security concerns with other resource-constrained devices. In many cases, security services have been sacrificed to provide richer user interaction when processing power is very limited. Also, their mobility has made them a prime vector for data loss since they can be used to transmit and store information in ways that may be difficult to control." The following answers are incorrect: - These devices share common security concerns with other resource-constrained devices. - In many cases, security services have been sacrificed to provide richer user interaction when processing power is very limited. - Their mobility has made them a prime vector for data loss since they can be used to transmit and store information in ways that may be difficult to control. The following reference(s) were/was used to create this question: Tipton, Harold F. (2010-04-20). Official (ISC)2 Guide to the CISSP CBK, Second Edition ((ISC)2 Press), Chapter 9, Security Architecture and Design NEXT QUESTION
What security problem is most likely to exist if an operating system permits objects to be used sequentially by multiple users without forcing a refresh of the objects? A. Disclosure of residual data. B. Unauthorized obtaining of a privileged execution state. C. Denial of service through a deadly embrace. D. Data leakage through covert channels.
Answer : A Explanation: This question is asking you to consider the effects of object reuse. Object reuse is "reassigning to subject media that previously contained information. Object reuse is a security concern because if insufficient measures were taken to erase the information on the media, the information may be disclosed to unauthorized personnel." This concept relates to Security Architecture and Design, because it is in level C2: Controlled Access Protection, of the Orange Book, where "The object reuse concept must be invoked, meaning that any medium holding data must not contain any remnants of information after it is released for another subject to use." REFERENCE: AIO Version 5 (Shon Harris), page 360 and TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation. NEXT QUESTION
In Mandatory Access Control, sensitivity labels attached to objects contain what information? A. The item's classification B. The item's classification and category set C. The item's category D. The item's need to know
Answer : B Explanation: A sensitivity label must contain at least one classification and one category set. Category set and compartment set are synonyms; they mean the same thing. The sensitivity label must contain at least one classification and at least one category. It is common in some environments for a single item to belong to multiple categories. The list of all the categories to which an item belongs is called a compartment set or category set. The following answers are incorrect: The item's classification is incorrect because you need a category set as well. The item's category is incorrect because the category set and the classification would both be required. The item's need to know is incorrect because there is no such thing; the need to know is indicated by the categories the object belongs to. This is NOT the best answer. Reference(s) used for this question: OIG CBK, Access Control (pages 186 - 188) AIO, 3rd Edition, Access Control (pages 162 - 163) AIO, 4th Edition, Access Control, pp 212-214. Wikipedia - http://en.wikipedia.org/wiki/Mandatory_Access_Control NEXT QUESTION
What can best be described as a domain of trust that shares a single security policy and single management? A. The reference monitor B. A security domain C. The security kernel D. The security perimeter
Answer : B Explanation: A security domain is a domain of trust that shares a single security policy and single management. The term security domain builds upon the definition of domain by adding the fact that resources within this logical structure (domain) are working under the same security policy and managed by the same group. So, a network administrator may put all of the accounting personnel, computers, and network resources in Domain 1 and all of the management personnel, computers, and network resources in Domain 2. These items fall into these individual containers because they not only carry out similar types of business functions, but also, and more importantly, have the same type of trust level. It is this common trust level that allows entities to be managed by one single security policy. The different domains are separated by logical boundaries, such as firewalls with ACLs, directory services making access decisions, and objects that have their own ACLs indicating which individuals and groups can carry out operations on them. All of these security mechanisms are examples of components that enforce the security policy for each domain. Domains can be architected in a hierarchical manner that dictates the relationship between the different domains and the ways in which subjects within the different domains can communicate. Subjects can access resources in domains of equal or lower trust levels. The following are incorrect answers: The reference monitor is an abstract machine which must mediate all access of subjects to objects, be protected from modification, be verifiable as correct, and always be invoked. It is a concept that defines a set of design requirements of a reference validation mechanism (security kernel), which enforces an access control policy over the ability of subjects (processes, users) to perform operations (read, write, execute) on objects (files, resources) on a system. 
The reference monitor components must be small enough to test properly and be tamperproof. The security kernel is the hardware, firmware and software elements of a trusted computing base that implement the reference monitor concept. The security perimeter includes the security kernel as well as other security-related system functions that are within the boundary of the trusted computing base. System elements that are outside of the security perimeter need not be trusted. Not every process and resource falls within the TCB, so some of these components fall outside of an imaginary boundary referred to as the security perimeter. A security perimeter is a boundary that divides the trusted from the untrusted. For the system to stay in a secure and trusted state, precise communication standards must be developed to ensure that when a component within the TCB needs to communicate with a component outside the TCB, the communication cannot expose the system to unexpected security compromises. This type of communication is handled and controlled through interfaces. Reference(s) use NEXT QUESTION
The Orange Book requires auditing mechanisms for any systems evaluated at which of the following levels? A. C1 and above. B. C2 and above. C. B1 and above. D. B2 and above.
Answer : B Explanation: All levels from C2 and above require Auditing mechanisms. C2: Controlled Access Protection: Identify individuals, auditing (especially of security related events which must be protected), object reuse concept, strict logon, decision making capability when subjects access objects. The following answers are incorrect: C1 and above. Is incorrect because auditing is not a requirement until level C2. C1 is a lower level. B1 and above. Is incorrect because auditing is a requirement of level C2. B1 is a higher level so would not address level C2. B2 and above. Is incorrect because auditing is a requirement of level C2. B2 is a higher level so would not address level C2. NEXT QUESTION
A channel within a computer system or network that is designed for the authorized transfer of information is identified as a(n)? A. Covert channel B. Overt channel C. Opened channel D. Closed channel
Answer : B Explanation: An overt channel is a path within a computer system or network that is designed for the authorized transfer of data. The opposite would be a covert channel, which is an unauthorized path. A covert channel is a way for an entity to receive information in an unauthorized manner. It is an information flow that is not controlled by a security mechanism. This type of information path was not developed for communication; thus, the system does not properly protect this path, because the developers never envisioned information being passed in this way. Receiving information in this manner clearly violates the system's security policy. All of the other choices are bogus distractors. Reference(s) used for this question: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 219. and Shon Harris, CISSP All In One (AIO), 6th Edition, page 380 and Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (p. 378). McGraw-Hill. Kindle Edition. NEXT QUESTION
According to the Orange Book, which security level is the first to require a system to protect against covert timing channels? A. A1 B. B3 C. B2 D. B1
Answer : B Explanation: B1 does not address covert channels. B2 requires a system to protect against covert storage channels but does not address covert timing channels. B3 and A1 both address covert storage channels and covert timing channels and must perform a covert channel analysis for both types. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 6: Operations Security (page 220). Also: U.S. Department of Defense, Trusted Computer System Evaluation Criteria (Orange Book), DOD 5200.28-STD. December 1985 (also available here). NEXT QUESTION
Which Orange book security rating introduces security labels? A. C2 B. B1 C. B2 D. B3
Answer : B Explanation: B1 is also called "Labeled Security": each data object must have a classification label and each subject a clearance label. On each access attempt, the classification and clearance are checked to verify that the access is permissible. C2 is incorrect. C2 is also called "Controlled Access Protection" and only requires that subjects be individually identified and that security-related events are auditable. B2 is incorrect. B2 is also called "Structured Protection" and imposes additional controls on security policy and a more thorough review of system design and implementation. B3 is incorrect. B3 is also called "Security Domains" and imposes more granularity in each protection mechanism. References: CBK, pp. 329 - 330 AIO3 pp.302 - 307 NEXT QUESTION
What mechanism does a system use to compare the security labels of a subject and an object? A. Validation Module. B. Reference Monitor. C. Clearance Check. D. Security Module.
Answer : B Explanation: Because the Reference Monitor is responsible for access control to objects by subjects, it compares the security labels of a subject and an object. According to the OIG: The reference monitor is an access control concept referring to an abstract machine that mediates all accesses to objects by subjects based on information in an access control database. The reference monitor must mediate all access, be protected from modification, be verifiable as correct, and must always be invoked. The reference monitor, in accordance with the security policy, controls the checks that are made in the access control database. The following are incorrect: Validation Module. A validation module is typically found in application source code and is used to validate input data. Clearance Check. This is a distractor; there is no such thing other than what someone would do when checking if someone is authorized to access a secure facility. Security Module. This is typically a general purpose module that performs a variety of security related functions. References: OIG CBK, Security Architecture and Design (page 324) AIO, 4th Edition, Security Architecture and Design, pp 328-328. Wikipedia - http://en.wikipedia.org/wiki/Reference_monitor NEXT QUESTION
Which of the following establishes the minimal national standards for certifying and accrediting national security systems? A. NIACAP B. DIACAP C. HIPAA D. TCSEC
Answer : B Explanation: DIACAP: DITSCAP has been replaced by DIACAP (DoD Information Assurance Certification and Accreditation Process) effective Nov 2007 for C&A within the Department of Defense. The DoD Information Assurance Certification and Accreditation Process (DIACAP) is the United States Department of Defense (DoD) process to ensure that risk management is applied on information systems (IS). DIACAP defines a DoD-wide formal and standard set of activities, general tasks and a management structure process for the certification and accreditation (C&A) of a DoD IS that will maintain the information assurance (IA) posture throughout the system's life cycle. An interim version of the DIACAP was signed July 6, 2006 and superseded DITSCAP. The final version is titled Department of Defense Instruction 8510.01 and was signed on November 28, 2007. It supersedes the Interim DIACAP Guidance. NIACAP: The National Information Assurance Certification and Accreditation Process (NIACAP) establishes the minimum national standards for certifying and accrediting national security systems. This process provides a standard set of activities, general tasks, and a management structure to certify and accredit systems that will maintain the Information Assurance (IA) and security posture of a system or site. HIPAA: The HIPAA legislation had four primary objectives: (1) Assure health insurance portability by eliminating job-lock due to pre-existing medical conditions, (2) Reduce healthcare fraud and abuse, (3) Enforce standards for health information and (4) Guarantee security and privacy of health information. TCSEC: The TCSEC defines a hierarchy of various levels of security functionality and assurance criteria. Progression up the hierarchy involves the addition of security functionality and more stringent assurance criteria to enable users to place progressively more trust in the higher rated systems. REFERENCES: Source: KRUTZ, Ronald L. 
& VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, page 199. Additional references: National Security Telecommunications and Information Systems Security Committee, National Information Assurance Certification and Accreditation Process (NIACAP). And: U.S. Department of Defense, Defense Information Technology Security Certification and Accreditation Process (DITSCAP). And: FAGIN, Daniel (SANS Institute), HIPAA Security Standards v1.2d. And: IBM's Security Solutions Glossary. NEXT QUESTION
Which of the following is not a method to protect objects and the data within the objects? A. Layering B. Data mining C. Abstraction D. Data hiding
Answer : B Explanation: Data mining is used to reveal hidden relationships, patterns and trends by running queries on large data stores. Data mining is the act of collecting and analyzing large quantities of information to determine patterns of use or behavior and using those patterns to form conclusions about past, current, or future behavior. Data mining is typically used by large organizations with large databases of customer or consumer behavior. Retail and credit companies will use data mining to identify buying patterns or trends in geographies, age groups, products, or services. Data mining is essentially the statistical analysis of general information in the absence of specific data. The following are incorrect answers: They are incorrect as they all apply to protecting objects and the data within them. Layering, abstraction and data hiding are related concepts that can work together to produce modular software that implements an organization's security policies and is more reliable in operation. Layering is incorrect. Layering assigns specific functions to each layer, and communication between layers is only possible through well-defined interfaces. This helps preclude tampering in violation of security policy. In computer programming, layering is the organization of programming into separate functional components that interact in some sequential and hierarchical way, with each layer usually having an interface only to the layer above it and the layer below it. Abstraction is incorrect. Abstraction "hides" the particulars of how an object functions or stores information and requires the object to be manipulated through well-defined interfaces that can be designed to enforce security policy. Abstraction involves the removal of characteristics from an entity in order to easily represent its essential properties. Data hiding is incorrect. 
Data hiding conceals the details of information storage and manipulation within an object by only exposing well-defined interfaces to the information rather than the information itself. For example, the details of how passwords are stored could be hidden inside a password object with exposed interfaces such as check_password, set_password, etc. When a password needs to be verified, the test password is passed to the check_password method and a boolean (true/false) result is returned to indicate whether the password is correct, without revealing any details of how or where the real passwords are stored. Data hiding maintains activities at different security levels to separate these levels from each other. The following reference(s) were used for this question: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 27535-27540). Auerbach Publications. Kindle Edition. and Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 4269-4273). Auerbach Publications. Kindle Edition. NEXT QUESTION
Common Criteria has assurance levels from EAL 1 to EAL 7 regarding the depth of design and testing. Which of the following assures that the Target of Evaluation (or TOE) is methodically designed, tested and reviewed? A. EAL 3 B. EAL 4 C. EAL 5 D. EAL 6
Answer : B Explanation: EAL 1: functionally tested; EAL 2: structurally tested; EAL 3: methodically tested and checked; EAL 4: methodically designed, tested and reviewed; EAL 5: semiformally designed and tested; EAL 6: semiformally verified design and tested; EAL 7: formally verified design and tested. Source: Common Criteria Version 2.1, Part 2 page 53 through 67. Additional source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 3rd Edition, McGraw-Hill/Osborne, 2005, page 312. NEXT QUESTION
Which of the following organizations PRODUCES and PUBLISHES the Federal Information Processing Standards (FIPS)? A. The National Computer Security Center (NCSC) B. The National Institute of Standards and Technology (NIST) C. The National Security Agency (NSA) D. The American National Standards Institute (ANSI)
Answer : B Explanation: FIPS publications are issued by NIST after approval by the Secretary of Commerce pursuant to Section 5131 of the Information Technology Reform Act of 1996, Public Law 104-106, and the FISMA Act of 2002. The following answers are incorrect: The National Computer Security Center (NCSC) was established in 1981 within NSA to help support and drive NSA's DoD computer security responsibilities. The National Security Agency (NSA) is incorrect because NSA does not publish FIPS; it is the agency officially responsible for security within the US government. The American National Standards Institute (ANSI) is also incorrect as ANSI does not publish FIPS; it is an organization that defines coding standards and signaling schemes in the United States and represents the United States in ISO and the International Telecommunication Union (ITU). Reference : Shon Harris AIO v3 , Appendix B : Who's Who NEXT QUESTION
The Orange Book is founded upon which security policy model? A. The Biba Model B. The Bell LaPadula Model C. Clark-Wilson Model D. TEMPEST
Answer : B Explanation: From the glossary of Computer Security Basics: The Bell-LaPadula model is the security policy model on which the Orange Book requirements are based. From the Orange Book definition, "A formal state transition model of computer security policy that describes a set of access control rules. In this formal model, the entities in a computer system are divided into abstract sets of subjects and objects. The notion of secure state is defined and it is proven that each state transition preserves security by moving from secure state to secure state; thus, inductively proving the system is secure. A system state is defined to be 'secure' if the only permitted access modes of subjects to objects are in accordance with a specific security policy. In order to determine whether or not a specific access mode is allowed, the clearance of a subject is compared to the classification of the object and a determination is made as to whether the subject is authorized for the specific access mode." The Biba Model is an integrity model of computer security policy that describes a set of rules. In this model, a subject may not depend on any object or other subject that is less trusted than itself. The Clark-Wilson Model is an integrity model for computer security policy designed for a commercial environment. It addresses such concepts as nondiscretionary access control, privilege separation, and least privilege. TEMPEST is a government program that prevents the compromising electrical and electromagnetic signals that emanate from computers and related equipment from being intercepted and deciphered. Source: RUSSEL, Deborah & GANGEMI, G.T. Sr., Computer Security Basics, O'Reilly, 1991. Also: U.S. Department of Defense, Trusted Computer System Evaluation Criteria (Orange Book), DOD 5200.28-STD. December 1985 (also available here). NEXT QUESTION
Which of the following cloud deployment models can be shared by several organizations? A. Private Cloud B. Community Cloud C. Public Cloud D. Hybrid Cloud
Answer : B Explanation: In a Community cloud, the cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises. For your exam you should know the following information about Cloud Computing deployment models: Private cloud The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises. Private Cloud Image Reference - http://www.inflectionpoint.co.uk/Portals/5/VMware-vCloud.jpg Community Cloud The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises. Community Cloud Image Reference - http://cloudcomputingksu.files.wordpress.comcommunity- [8] Public Cloud The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider. 
Public Cloud [8] Hybrid cloud The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds). Hybrid Cloud Image Reference - http://www.virtualizationpractice.com/wp-content/uploadsHybrid-Cloud-Computing-Solution1.jpg The following answers are incorrect: Private cloud - The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises. Public cloud - The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider. Hybrid cloud - The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability. NEXT QUESTION
The Information Technology Security Evaluation Criteria (ITSEC) was written to address which of the following that the Orange Book did not address? A. integrity and confidentiality. B. confidentiality and availability. C. integrity and availability. D. none of the above.
Answer : C Explanation: TCSEC focused on confidentiality, while ITSEC added integrity and availability as security goals. The following answers are incorrect: Integrity and confidentiality is incorrect because TCSEC already addressed confidentiality. Confidentiality and availability is incorrect because TCSEC already addressed confidentiality. None of the above is incorrect because ITSEC added integrity and availability as security goals. NEXT QUESTION
Which of the following describes a logical form of separation used by secure computing systems? A. Processes use different levels of security for input and output devices. B. Processes are constrained so that each cannot access objects outside its permitted domain. C. Processes conceal data and computations to inhibit access by outside processes. D. Processes are granted access based on granularity of controlled objects.
Answer : B Explanation: Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation. NEXT QUESTION
Which of the following Orange Book ratings represents the highest level of trust? A. B1 B. B2 C. F6 D. C2
Answer : B Explanation: Trusted Computer System Evaluation Criteria First published in 1983 and updated in 1985, the TCSEC, frequently referred to as the Orange Book, was a United States Government Department of Defense (DoD) standard that sets basic standards for the implementation of security protections in computing systems. Primarily intended to help the DoD find products that met those basic standards, TCSEC was used to evaluate, classify, and select computer systems being considered for the processing, storage, and retrieval of sensitive or classified information on military and government systems. As such, it was strongly focused on enforcing confidentiality with no focus on other aspects of security such as integrity or availability. Although it has since been superseded by the Common Criteria, it influenced the development of other product evaluation criteria, and some of its basic approach and terminology continues to be used. The trust levels run from D (lowest) to A (highest). Within each level, a number can indicate differing requirements, with higher numbers indicating a higher level of trust. The order from the least secure to the most secure is: D, C1, C2, B1, B2, B3, A1. See the one page resume at the link provided below. B1 is incorrect. The trust levels run from D (lowest) to A (highest). Within each level, a number can indicate differing requirements, with higher numbers indicating a higher level of trust; B2 is therefore more trusted than B1. F6 is incorrect. The Orange Book only defines levels A - D and there is no level F. C2 is incorrect. The trust levels run from D (lowest) to A (highest). Within each level, a number can indicate differing requirements, with higher numbers indicating a higher level of trust; C2 is below every B level. See our one page diagram on the TCSEC at: Reference(s) used for this question: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 17919-17925). Auerbach Publications. Kindle Edition. NEXT QUESTION
What would BEST define a covert channel? A. An undocumented backdoor that has been left by a programmer in an operating system B. An open system port that should be closed. C. A communication channel that allows transfer of information in a manner that violates the system's security policy. D. A trojan horse.
Answer : C Explanation: A covert channel is a way for an entity to receive information in an unauthorized manner. It is an information flow that is not controlled by a security mechanism. This type of information path was not developed for communication; thus, the system does not properly protect this path, because the developers never envisioned information being passed in this way. Receiving information in this manner clearly violates the system's security policy. The channel to transfer this unauthorized data is the result of one of the following conditions: oversight in the development of the product; improper implementation of access controls; existence of a shared resource between the two entities; installation of a Trojan horse. The following answers are incorrect: An undocumented backdoor that has been left by a programmer in an operating system is incorrect because it is not a means by which unauthorized transfer of information takes place. Such a backdoor is usually referred to as a Maintenance Hook. An open system port that should be closed is incorrect as it does not define a covert channel. A trojan horse is incorrect because it is a program that looks like a useful program but, when you install it, includes a bonus such as a Worm, Backdoor, or some other malware without the installer knowing about it. Reference(s) used for this question: Shon Harris AIO v3 , Chapter-5 : Security Models & Architecture AIOv4 Security Architecture and Design (pages 343 - 344) AIOv5 Security Architecture and Design (pages 345 - 346) NEXT QUESTION
What is called a system that is capable of detecting that a fault has occurred and has the ability to correct the fault or operate around it? A. A fail safe system B. A fail soft system C. A fault-tolerant system D. A failover system
Answer : C Explanation: A fault-tolerant system is capable of detecting that a fault has occurred and has the ability to correct the fault or operate around it. In a fail-safe system, program execution is terminated, and the system is protected from being compromised when a hardware or software failure occurs and is detected. In a fail-soft system, when a hardware or software failure occurs and is detected, selected, non-critical processing is terminated. The term failover refers to switching to a duplicate "hot" backup component in real-time when a hardware or software failure occurs, enabling processing to continue. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security Architecture and Models (page 196). NEXT QUESTION
What is defined as the hardware, firmware and software elements of a trusted computing base that implement the reference monitor concept? A. The reference monitor B. Protection rings C. A security kernel D. A protection domain
Answer : C Explanation: A security kernel is defined as the hardware, firmware and software elements of a trusted computing base that implement the reference monitor concept. A reference monitor is a system component that enforces access controls on an object. A protection domain consists of the execution and memory space assigned to each process. The use of protection rings is a scheme that supports multiple protection domains. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security Architecture and Models (page 194). NEXT QUESTION
What is called the formal acceptance of the adequacy of a system's overall security by the management? A. Certification B. Acceptance C. Accreditation D. Evaluation
Answer : C Explanation: Accreditation is the authorization by management to implement software or systems in a production environment. This authorization may be either provisional or full. The following are incorrect answers: Certification is incorrect. Certification is the process of evaluating the security stance of the software or system against a selected set of standards or policies. Certification is the technical evaluation of a product. This may precede accreditation but is not a required precursor. Acceptance is incorrect. This term is sometimes used as the recognition that a piece of software or system has met a set of functional or service level criteria (the new payroll system has passed its acceptance test). Certification is the better term in this context. Evaluation is incorrect. Evaluation is certainly a part of the certification process but it is not the best answer to the question. Reference(s) used for this question: The Official Study Guide to the CBK from ISC2, pages 559-560 AIO3, pp. 314 - 317 AIOv4 Security Architecture and Design (pages 369 - 372) AIOv5 Security Architecture and Design (pages 370 - 372) NEXT QUESTION
According to the Orange Book, which security level is the first to require a system to support separate operator and system administrator roles? A. A1 B. B1 C. B2 D. B3
Answer : C Explanation: B2 security level requires that systems must support separate operator and system administrator roles. At B3 and A1, systems must clearly identify the functions of the security administrator to perform the security-related functions. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 6: Operations Security (page 220). Also: U.S. Department of Defense, Trusted Computer System Evaluation Criteria (Orange Book), DOD 5200.28-STD. December 1985 (also available here). NEXT QUESTION
Which of the following computer design approaches is based on the fact that in earlier technologies, the instruction fetch was the longest part of the cycle? A. Pipelining B. Reduced Instruction Set Computers (RISC) C. Complex Instruction Set Computers (CISC) D. Scalar processors
Answer : C Explanation: A Complex Instruction Set Computer (CISC) uses instructions that perform many operations per instruction. The approach was based on the fact that in earlier technologies, the instruction fetch was the longest part of the cycle; therefore, by packing more operations into an instruction, the number of fetches could be reduced. Pipelining involves overlapping the steps of different instructions to increase the performance of a computer. Reduced Instruction Set Computers (RISC) use simpler instructions that require fewer clock cycles to execute. Scalar processors are processors that execute one instruction at a time. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security Architectures and Models (page 188).
Who developed one of the first mathematical models of a multilevel-security computer system? A. Diffie and Hellman. B. Clark and Wilson. C. Bell and LaPadula. D. Gasser and Lipner.
Answer : C Explanation: In 1973 Bell and LaPadula created the first mathematical model of a multilevel security system. The following answers are incorrect: Diffie and Hellman. This is incorrect because Diffie and Hellman were involved with cryptography. Clark and Wilson. This is incorrect because Bell-LaPadula was the first model; the Clark-Wilson model came later, in 1987. Gasser and Lipner. This is incorrect; it is a distractor. Bell-LaPadula was the first model.
Which of the following cloud deployment models is provisioned for open use by the general public? A. Private Cloud B. Community Cloud C. Public Cloud D. Hybrid Cloud
Answer : C Explanation: In a public cloud, the cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider. For your exam you should know the following information about cloud computing deployment models:

Private cloud: The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.

Community cloud: The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.

Public cloud: The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.

Hybrid cloud: The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

The following answers are incorrect: Private cloud - The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises. Community cloud - The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises. Hybrid cloud - The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability.
What is called the type of access control where there are pairs of elements that have the least upper bound of values and greatest lower bound of values? A. Mandatory model B. Discretionary model C. Lattice model D. Rule model
Answer : C Explanation: In a lattice model, there are pairs of elements that have a least upper bound of values and a greatest lower bound of values. Reference(s) used for this question: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 34.
Which security model introduces access to objects only through programs? A. The Biba model B. The Bell-LaPadula model C. The Clark-Wilson model D. The information flow model
Answer : C Explanation: In the Clark-Wilson model, the subject no longer has direct access to objects but instead must access them through programs (well-formed transactions). The Clark-Wilson integrity model provides a foundation for specifying and analyzing an integrity policy for a computing system. The model is primarily concerned with formalizing the notion of information integrity. Information integrity is maintained by preventing corruption of data items in a system due to either error or malicious intent. An integrity policy describes how the data items in the system should be kept valid from one state of the system to the next and specifies the capabilities of various principals in the system. The model defines enforcement rules and certification rules. Clark-Wilson is more clearly applicable to business and industry processes in which the integrity of the information content is paramount at any level of classification. Integrity goals of the Clark-Wilson model: (1) prevent unauthorized users from making modifications (only this goal is addressed by the Biba model); (2) separation of duties prevents authorized users from making improper modifications; (3) well-formed transactions maintain internal and external consistency, i.e. a series of operations that are carried out to transfer the data from one consistent state to another. The following are incorrect answers: The Biba model is incorrect. The Biba model is concerned with integrity and controls access to objects based on a comparison of the security level of the subject to that of the object. The Bell-LaPadula model is incorrect. The Bell-LaPadula model is concerned with confidentiality and controls access to objects based on a comparison of the clearance level of the subject to the classification level of the object. The information flow model is incorrect. The information flow model uses a lattice where objects are labelled with security classes and information can flow either upward or at the same level. It is similar in framework to the Bell-LaPadula model. References: ISC2 Official Study Guide, Pages 325-327; AIO3, pp. 284-287; AIOv4 Security Architecture and Design (pages 338-342); AIOv5 Security Architecture and Design (pages 341-344); Wikipedia at: https://en.wikipedia.org/wiki/Clark-Wilson_model
If an internal database holds a number of printers in every department and this equals the total number of printers for the whole organization recorded elsewhere in the database, it is an example of: A. External consistency of the information system. B. Differential consistency of the information system. C. Internal consistency of the information system. D. Referential consistency of the information system.
Answer : C Explanation: Internal consistency ensures that internal data is consistent: the subtotals match the total number of units in the database. Internal consistency, external consistency and well-formed transactions are all terms related to the Clark-Wilson model. The Clark-Wilson model was developed after Biba and takes some different approaches to protecting the integrity of information. This model uses the following elements:

- Users: active agents.
- Transformation procedures (TPs): programmed abstract operations, such as read, write, and modify.
- Constrained data items (CDIs): can be manipulated only by TPs.
- Unconstrained data items (UDIs): can be manipulated by users via primitive read and write operations.
- Integrity verification procedures (IVPs): check the consistency of CDIs with external reality.

Although this list may look overwhelming, it is really quite straightforward. When an application uses the Clark-Wilson model, it separates data into one subset that needs to be highly protected, which is referred to as a constrained data item (CDI), and another subset that does not require a high level of protection, which is called an unconstrained data item (UDI). Users cannot modify critical data (CDI) directly. Instead, the subject (user) must be authenticated to a piece of software, and the software procedures (TPs) will carry out the operations on behalf of the user. For example, when Kathy needs to update information held within her company's database, she will not be allowed to do so without a piece of software controlling these activities. First, Kathy must authenticate to a program, which is acting as a front end for the database, and then the program will control what Kathy can and cannot do to the information in the database. This is referred to as the access triple: subject (user), program (TP), and object (CDI). A user cannot modify a CDI without using a TP.

Well-formed transactions: A well-formed transaction is a series of operations that are carried out to transfer the data from one consistent state to another. If Kathy transfers money from her checking account to her savings account, this transaction is made up of two operations: subtract money from one account and add it to a different account. By making sure the new values in her checking and savings accounts are accurate and their integrity is intact, the IVP maintains internal and external consistency. The Clark-Wilson model also outlines how to incorporate separation of duties into the architecture of an application. Following the same banking software example, if a customer needs to withdraw over $10,000, the application may require a supervisor to log in and authenticate this transaction. This is a countermeasure against potential fraudulent activities. The model provides the rules that developers must follow to properly implement and enforce separation of duties through software procedures. The following answers are incorrect: External consistency of the information system. External
At what Orange Book evaluation levels are design specification and verification first required? A. C1 and above. B. C2 and above. C. B1 and above. D. B2 and above.
Answer : C Explanation: Level B1 is the first to require design specification and verification, and this is also a requirement for all higher levels. The following answers are incorrect: C1 and above is incorrect because design specification and verification is not a requirement until level B1; C1 is a lower level. C2 and above is incorrect because design specification and verification is not a requirement until level B1; C2 is a lower level. B2 and above is incorrect because design specification and verification is already a requirement at level B1; B2 is a higher level, so it would not address level B1.
Which integrity model defines a constrained data item, an integrity verification procedure and a transformation procedure? A. The Take-Grant model B. The Biba integrity model C. The Clark Wilson integrity model D. The Bell-LaPadula integrity model
Answer : C Explanation: The Clark-Wilson integrity model addresses the three following integrity goals: 1) data is protected from modification by unauthorized users; 2) data is protected from unauthorized modification by authorized users; and 3) data is internally and externally consistent. It also defines a Constrained Data Item (CDI), an Integrity Verification Procedure (IVP), a Transformation Procedure (TP) and an Unconstrained Data Item (UDI). The Bell-LaPadula and Take-Grant models are not integrity models. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security Architecture and Models (page 205).
What is the purpose of Trusted Distribution? A. To ensure that messages sent from a central office to remote locations are free from tampering. B. To prevent the sniffing of data as it travels through an untrusted network en route to a trusted network. C. To ensure that the Trusted Computing Base is not tampered with during shipment or installation. D. To ensure that messages received at the Trusted Computing Base are not old messages being resent as part of a replay attack.
Answer : C Explanation: One of the first accepted evaluation standards was the Trusted Computer Security Evaluation Criteria, or TCSEC. The Orange Book was part of this standard and defines four security divisions consisting of seven different classes for security ratings. The lowest class, offering the least protection, is D - Minimal Protection. The highest classification is A1, offering the most secure environment. As you go to the next division and class you inherit the requirements of the lower levels; so, for example, C2 also incorporates the requirements for C1 and D. Design specification and verification is a formal model of the security policy supported through the life cycle of the system. Trusted Distribution ensures that nothing has been tampered with, not even the documentation; this is part of the Life-Cycle Assurance Requirements, which consist of: Security Testing; Design Specification and Verification; Configuration Management; and Trusted System Distribution. The following answers are incorrect: To ensure that messages sent from a central office to remote locations are free from tampering. This is incorrect because it does not deal with the Trusted Computing Base. To prevent the sniffing of data as it travels through an untrusted network en route to a trusted network. This is incorrect because it does not deal with the Trusted Computing Base. To ensure that messages received at the Trusted Computing Base are not old messages being resent as part of a replay attack. This is incorrect because it does not deal with ensuring the Trusted Computing Base has not been tampered with. References: NIST http://csrc.nist.gov/publications/secpubs/rainbow/std001.txt
Which of the following cloud computing service models provides a way to rent operating systems, storage and network capacity over the Internet? A. Software as a service B. Data as a service C. Platform as a service D. Infrastructure as a service
Answer : C Explanation: Platform as a Service (PaaS) is a way to rent operating systems, storage and network capacity over the Internet. The service delivery model allows the customer to rent virtualized servers and associated services for running existing applications or developing and testing new ones. For your exam you should know the following information about cloud computing: Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.

Cloud computing service models:

Software as a Service (SaaS): Software as a Service (SaaS) is a software distribution model in which applications are hosted by a vendor or service provider and made available to customers over a network, typically the Internet. SaaS is closely related to the ASP (application service provider) and on-demand computing software delivery models. IDC identifies two slightly different delivery models for SaaS. The hosted application management (hosted AM) model is similar to ASP: a provider hosts commercially available software for customers and delivers it over the Web. In the software on demand model, the provider gives customers network-based access to a single copy of an application created specifically for SaaS distribution. The provider gives users access to specific application software (CRM, e-mail, games). The provider gives the customers network-based access to a single copy of an application created specifically for SaaS distribution and use. Benefits of the SaaS model include:

- easier administration;
- automatic updates and patch management;
- compatibility: all users will have the same version of software;
- easier collaboration, for the same reason;
- global accessibility.

Platform as a Service (PaaS): Platform as a Service (PaaS) is a way to rent operating systems, storage and network capacity over the Internet. The service delivery model allows the customer to rent virtualized servers and associated services for running existing applications or developing and testing new ones. Cloud providers deliver a computing platform, which can include an operating system, database, and web server as a holistic execution environment. Where IaaS is the raw IT network, PaaS is the software
In the Bell-LaPadula model, the Star-property is also called: A. The simple security property B. The confidentiality property C. The confinement property D. The tranquility property
Answer : C Explanation: The Bell-LaPadula model focuses on data confidentiality and access to classified information, in contrast to the Biba Integrity Model, which describes rules for the protection of data integrity. In this formal model, the entities in an information system are divided into subjects and objects. The notion of a "secure state" is defined, and it is proven that each state transition preserves security by moving from secure state to secure state, thereby proving that the system satisfies the security objectives of the model. The Bell-LaPadula model is built on the concept of a state machine with a set of allowable states in a system. The transition from one state to another state is defined by transition functions. A system state is defined to be "secure" if the only permitted access modes of subjects to objects are in accordance with a security policy. To determine whether a specific access mode is allowed, the clearance of a subject is compared to the classification of the object (more precisely, to the combination of classification and set of compartments, making up the security level) to determine if the subject is authorized for the specific access mode. The clearance/classification scheme is expressed in terms of a lattice. The model defines two mandatory access control (MAC) rules and one discretionary access control (DAC) rule with three security properties: The Simple Security Property - a subject at a given security level may not read an object at a higher security level (no read-up). The *-property (read "star"-property) - a subject at a given security level must not write to any object at a lower security level (no write-down). The *-property is also known as the Confinement property. The Discretionary Security Property - use an access control matrix to specify the discretionary access control.

The transfer of information from a high-sensitivity document to a lower-sensitivity document may happen in the Bell-LaPadula model via the concept of trusted subjects. Trusted subjects are not restricted by the *-property; untrusted subjects are. Trusted subjects must be shown to be trustworthy with regard to the security policy. This security model is directed toward access control and is characterized by the phrase "no read up, no write down." Compare the Biba model, the Clark-Wilson model and the Chinese Wall. With Bell-LaPadula, users can create content only at or above their own security level (i.e. secret researchers can create secret or top-secret files but may not create public files; no write-down). Conversely, users can view content only at or below their own security level (i.e. secret researchers can view public or secret files, but may not view top-secret files; no read-up). Strong * Property: The Strong * Property is an alternative to the *-Property in which subjects may write to objects with only a matching security level. Thus, the write-up operation permitted in the usual *-Property is not present, only a write-to-same level
What is the main focus of the Bell-LaPadula security model? A. Accountability B. Integrity C. Confidentiality D. Availability
Answer : C Explanation: The Bell-LaPadula model is a formal model dealing with confidentiality. The Bell-LaPadula Model (abbreviated BLP) is a state machine model used for enforcing access control in government and military applications. It was developed by David Elliott Bell and Leonard J. LaPadula, subsequent to strong guidance from Roger R. Schell, to formalize the U.S. Department of Defense (DoD) multilevel security (MLS) policy. The model is a formal state transition model of computer security policy that describes a set of access control rules which use security labels on objects and clearances for subjects. Security labels range from the most sensitive (e.g., "Top Secret") down to the least sensitive (e.g., "Unclassified" or "Public"). The Bell-LaPadula model focuses on data confidentiality and controlled access to classified information, in contrast to the Biba Integrity Model, which describes rules for the protection of data integrity. In this formal model, the entities in an information system are divided into subjects and objects. The notion of a "secure state" is defined, and it is proven that each state transition preserves security by moving from secure state to secure state, thereby inductively proving that the system satisfies the security objectives of the model. The Bell-LaPadula model is built on the concept of a state machine with a set of allowable states in a computer network system. The transition from one state to another state is defined by transition functions. A system state is defined to be "secure" if the only permitted access modes of subjects to objects are in accordance with a security policy. To determine whether a specific access mode is allowed, the clearance of a subject is compared to the classification of the object (more precisely, to the combination of classification and set of compartments, making up the security level) to determine if the subject is authorized for the specific access mode.

The clearance/classification scheme is expressed in terms of a lattice. The model defines two mandatory access control (MAC) rules and one discretionary access control (DAC) rule with three security properties: The Simple Security Property - a subject at a given security level may not read an object at a higher security level (no read-up). The *-property (read "star"-property) - a subject at a given security level must not write to any object at a lower security level (no write-down). The *-property is also known as the Confinement property. The Discretionary Security Property - use of an access matrix to specify the discretionary access control. The following are incorrect answers: Accountability is incorrect. Accountability requires that actions be traceable to the user that performed them and is not addressed by the Bell-LaPadula model. Integrity is incorrect. Integrity is addressed in the Biba model rather than Bell-LaPadula. Availability is incorrect. Availability is concerned with assuring that data/services are available to authorized
What does the * (star) integrity axiom mean in the Biba model? A. No read up B. No write down C. No read down D. No write up
Answer : D Explanation: The * (star) integrity axiom of the Biba access control model states that a subject at one level of integrity is not permitted to modify an object of a higher level of integrity (no write up). Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security Architectures and Models (page 205).
Which security model uses division of operations into different parts and requires different users to perform each part? A. Bell-LaPadula model B. Biba model C. Clark-Wilson model D. Non-interference model
Answer : C Explanation: The Clark-Wilson model uses separation of duties, which divides an operation into different parts and requires different users to perform each part. This prevents authorized users from making unauthorized modifications to data, thereby protecting its integrity. The Clark-Wilson integrity model provides a foundation for specifying and analyzing an integrity policy for a computing system. The model is primarily concerned with formalizing the notion of information integrity. Information integrity is maintained by preventing corruption of data items in a system due to either error or malicious intent. An integrity policy describes how the data items in the system should be kept valid from one state of the system to the next and specifies the capabilities of various principals in the system. The model defines enforcement rules and certification rules. The model's enforcement and certification rules define data items and processes that provide the basis for an integrity policy. The core of the model is based on the notion of a transaction. A well-formed transaction is a series of operations that transition a system from one consistent state to another consistent state. In this model the integrity policy addresses the integrity of the transactions. The principle of separation of duty requires that the certifier of a transaction and the implementer be different entities. The model contains a number of basic constructs that represent both data items and processes that operate on those data items. The key data type in the Clark-Wilson model is a Constrained Data Item (CDI). An Integrity Verification Procedure (IVP) ensures that all CDIs in the system are valid at a certain state. Transactions that enforce the integrity policy are represented by Transformation Procedures (TPs). A TP takes as input a CDI or Unconstrained Data Item (UDI) and produces a CDI. A TP must transition the system from one valid state to another valid state.

UDIs represent system input (such as that provided by a user or adversary). A TP must guarantee (via certification) that it transforms all possible values of a UDI to a safe CDI. In general, preservation of data integrity has three goals:

- prevent data modification by unauthorized parties;
- prevent unauthorized data modification by authorized parties;
- maintain internal and external consistency (i.e. data reflects the real world).

Clark-Wilson addresses all three goals, but Biba addresses only the first goal of integrity. References: HARRIS, Shon, All-In-One CISSP Certification Fifth Edition, McGraw-Hill/Osborne, Chapter 5: Security Architecture and Design (Page 341-344), and http://en.wikipedia.org/wiki/Clark-Wilson_model
Covert Channel Analysis is first introduced at what level of the TCSEC rating? A. C2 and above. B. B1 and above. C. B2 and above. D. B3 and above.
Answer : C Explanation: The Orange Book first introduces a requirement for Covert Channel Analysis at level B2, and all levels above B2 also require it. The AIO defines a covert channel as a communications path that enables a process to transmit information in a way that violates the system's security policy. It is a communication channel that allows two cooperating processes to transfer information in such a way that it violates the system's security policy. Even though there are protection mechanisms in place, if unauthorized information can be transferred using a signaling mechanism via entities or objects not normally considered to be able to communicate, then a covert channel may exist. The following answers are incorrect: C2 and above is incorrect because the Orange Book requires Covert Channel Analysis only starting at level B2 and above; level C2 is lower than B2 and does not require covert channel analysis. B1 and above is incorrect because the Orange Book requires Covert Channel Analysis only at level B2 and above; level B1 is lower than B2 and does not require covert channel analysis. B3 and above is incorrect because the Orange Book first requires Covert Channel Analysis at level B2. Reference(s) used for this question: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 13347-13350). Auerbach Publications. Kindle Edition. And NIST http://csrc.nist.gov/publications/secpubs/rainbow/std001.txt
Which security model uses an access control triple and also requires separation of duty? A. DAC B. Lattice C. Clark-Wilson D. Bell-LaPadula
Answer : C Explanation: The following answers are incorrect: DAC, Bell-LaPadula, Lattice. The following reference was used to create this question: Separation of duty is necessarily determined by conditions external to the computer system. The Clark-Wilson scheme includes as a requirement maintenance of separation of duty as expressed in the access control triples. Enforcement is on a per-user basis, using the user ID from the access control triple.
Which security model ensures that actions that take place at a higher security level do not affect actions that take place at a lower level? A. The Bell-LaPadula model B. The information flow model C. The noninterference model D. The Clark-Wilson model
Answer : C Explanation: The goal of a noninterference model is to strictly separate differing security levels to assure that higher-level actions do not determine what lower-level users can see. This is in contrast to other security models that control information flows between differing levels of users. By maintaining strict separation of security levels, a noninterference model minimizes leakages that might happen through a covert channel. The model ensures that any actions that take place at a higher security level do not affect, or interfere with, actions that take place at a lower level. It is not concerned with the flow of data, but rather with what a subject knows about the state of the system. So if an entity at a higher security level performs an action, it cannot change the state for the entity at the lower level. The model also addresses the inference attack that occurs when someone has access to some type of information and can infer (guess) something that he does not have the clearance level or authority to know. The following are incorrect answers: The Bell-LaPadula model is incorrect. The Bell-LaPadula model is concerned only with confidentiality and bases access control decisions on the classification of objects and the clearances of subjects. The information flow model is incorrect. Information flow models have a similar framework to the Bell-LaPadula model and control how information may flow between objects based on security classes. Information will be allowed to flow only in accordance with the security policy. The Clark-Wilson model is incorrect. The Clark-Wilson model is concerned with change control and assuring that all modifications to objects preserve integrity by means of well-formed transactions and usage of an access triple (subject - interface - object). References: CBK, pp 325-326; AIO3, pp. 290-291; AIOv4 Security Architecture and Design (page 345); AIOv5 Security Architecture and Design (pages 347-348); https://en.wikibooks.org/wiki/Security_Architecture_and_Design/Security_Models#Noninterference_Models
Which of the following components are considered part of the Trusted Computing Base? A. trusted hardware and firmware B. trusted hardware and software C. trusted hardware, software and firmware D. trusted computer operators and system managers
Answer : C Explanation: The trusted computing base (TCB) is the collection of all the hardware, software, and firmware components within a system that provide some type of security and enforce the system's security policy. The TCB does not address only operating system components, because a computer system is not made up of only an operating system. Hardware, software components, and firmware components can affect the system in a negative or positive manner, and each has a responsibility to support and enforce the security policy of that particular system. Some components and mechanisms have direct responsibilities in supporting the security policy, such as firmware that will not let a user boot a computer from a USB drive, or the memory manager that will not let processes overwrite other processes' data. Then there are components that do not enforce the security policy but must behave properly and not violate the trust of a system. Examples of the ways in which a component could violate the system's security policy include an application that is allowed to make a direct call to a piece of hardware instead of using the proper system calls through the operating system, a process that is allowed to read data outside of its approved memory space, or a piece of software that does not properly release resources after use. To assist with the evaluation of secure products, TCSEC introduced the idea of the Trusted Computing Base (TCB) into product evaluation. In essence, TCSEC starts with the principle that there are some functions that simply must be working correctly for security to be possible and consistently enforced in a computing system. For example, the ability to define subjects and objects and the ability to distinguish between them is so fundamental that no system could be secure without it. The TCB, then, is the set of these fundamental controls implemented in a given system, whether in hardware, software, or firmware.
Each of the TCSEC levels describes a different set of fundamental functions that must be in place to be certified to that level. The link below leads to a one-page document that describes the high-level requirements that any TCB would need to meet to achieve each division or class (essentially a subdivision) of the TCSEC rating. See details at: https://www.freepracticetests.org/documents/TCB.pdf
Reference(s) used for this question: Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (pp. 359-360). McGraw-Hill. Kindle Edition; and Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 17936-17943). Auerbach Publications. Kindle Edition.
Which Orange book security rating is the FIRST to be concerned with covert channels? A. A1 B. B3 C. B2 D. B1
Answer : C Explanation: This class (B2, "Structured Protection") requires more stringent authentication mechanisms and well-defined interfaces between layers. Subjects and devices require labels and the system must not allow covert channels. A1 is incorrect. A1 is also called "Verified Design" and requires formal verification of the design and specifications. B3 is incorrect. B3 is also called "Security Domains" and imposes more granularity in each protection mechanism. B1 is incorrect. B1 is also called "Labeled Security": each data object must have a classification label and each subject a clearance label. On each access attempt, the classification and clearance are checked to verify that the access is permissible.
EXAM TIP: The CBK only discusses the TCSEC in a very minimal fashion; the details are presented much more completely in the Shon Harris All In One book. Folk wisdom has it that this reflects the CBK/security industry migration away from the TCSEC to the CC, but the wise candidate will develop at least some familiarity with the TCSEC. There are still questions on TCSEC showing up randomly on the exam.
NOTE FROM CLEMENT: As of today (April 2014) subjects such as the TCSEC are still proclaimed to be on the exam. Do make sure that you take some time to review the TCSEC ratings. You can download a nice one-page resume of the TCSEC rating at the following link: https://www.freepracticetests.org/documents/tcsec.pdf Do study this one-page document and get familiar with what is being introduced at each of the TCSEC levels. Good questions might be, for example: 1. At what level are labels introduced? 2. At what level is the Security Administrator role defined? 3. At what level are covert channels first introduced? 4. At what level do you use formal methods?
References: The Official ISC2 CBK study guide, pages 329 - 330. AIO3, pp. 302 - 306. AIOv4 Security Architecture and Design (pages 357 - 361). AIOv5 Security Architecture and Design (pages 358 - 362).
The steps of an access control model should follow which logical flow: A. Authorization, Identification, authentication B. Identification, accountability, authorization C. Identification, authentication, authorization D. Authentication, Authorization, Identification
Answer : C Reference: HARRIS, Shon, CISSP All In One Exam Guide. Chapter 4, pages 126-127. An excellent discussion on this topic stating the steps and explaining the processes of those steps is paraphrased (hopefully coherently) here: A user identifies themselves with a user ID or account number. To be authenticated, the user usually provides a second piece of the credential set, like a password, passphrase, cryptographic key, anatomical attribute, a token or a Personal Identification Number (PIN). Once the user has provided credentials and is properly identified and authenticated, the system needs to determine if the user has the necessary rights and privileges to perform the requested action. If the user DOES have those rights and privileges, he is authorized access.
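As an added illustration of the identification, authentication, authorization order described above (example code written for this page, not taken from the Harris text), the following Python runs the three steps in sequence over a constructed in-memory account store. The account names, passwords and privilege strings are made up for the example; the password verifier uses PBKDF2 from hashlib and a constant-time comparison.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Set

# Constructed for this example: a tiny in-memory account store.
PBKDF2_ROUNDS = 50_000
_DUMMY_SALT = os.urandom(16)   # keeps unknown-user lookups doing the same work as real ones


def _derive(password: str, salt: bytes) -> bytes:
    """Derive a password verifier; the stored value is never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_account(password: str, privileges: Set[str]) -> Dict:
    salt = os.urandom(16)
    return {"salt": salt, "verifier": _derive(password, salt), "privileges": set(privileges)}


ACCOUNTS: Dict[str, Dict] = {
    "alice": make_account("correct horse battery staple", {"report:read"}),
    "bob": make_account("hunter2-is-not-a-good-password", {"report:read", "report:write"}),
}


def identify(user_id: str) -> Optional[Dict]:
    """Step 1, identification: the claimed identity is looked up; nothing is verified yet."""
    return ACCOUNTS.get(user_id)


def authenticate(account: Optional[Dict], password: str) -> bool:
    """Step 2, authentication: prove the claim with the second credential (a password here).
    The constant-time comparison and the dummy derivation for unknown users avoid
    revealing through timing whether the identity exists."""
    if account is None:
        _derive(password, _DUMMY_SALT)
        return False
    return hmac.compare_digest(_derive(password, account["salt"]), account["verifier"])


def authorize(account: Dict, privilege: str) -> bool:
    """Step 3, authorization: only an authenticated subject is checked for rights."""
    return privilege in account["privileges"]


def access(user_id: str, password: str, privilege: str) -> str:
    """Run the three steps in order and report how far the request got."""
    account = identify(user_id)
    if not authenticate(account, password):
        return "denied: identification or authentication failed"
    if not authorize(account, privilege):
        return "denied: not authorized"
    return "authorized"
```

Each step depends on the one before it: authorization is consulted only after authentication succeeds, and an unknown identity still performs a password derivation so that response time does not reveal which accounts exist. For the same reason `access` returns one message for an unknown user and for a wrong password.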
Which of the following is best defined as an administrative declaration by a designated authority that an information system is approved to operate in a particular security configuration with a prescribed set of safeguards? A. Certification B. Declaration C. Audit D. Accreditation
Answer : D Explanation: Accreditation is an administrative declaration by a designated authority that an information system is approved to operate in a particular security configuration with a prescribed set of safeguards. It is usually based on a technical certification of the system's security mechanisms. Certification is a technical evaluation (usually made in support of an accreditation action) of an information system's security features and other safeguards to establish the extent to which the system's design and implementation meet specified security requirements. Source: SHIREY, Robert W., RFC 2828: Internet Security Glossary, May 2000.
Configuration Management controls what? A. Auditing of changes to the Trusted Computing Base. B. Control of changes to the Trusted Computing Base. C. Changes in the configuration access to the Trusted Computing Base. D. Auditing and controlling any changes to the Trusted Computing Base.
Answer : D Explanation: Configuration Management covers both the auditing and the control of changes to the Trusted Computing Base. The following answers are incorrect: "Auditing of changes to the Trusted Computing Base" is incorrect because it refers only to auditing the changes, but nothing about controlling them. "Control of changes to the Trusted Computing Base" is incorrect because it refers only to controlling the changes, but nothing about ensuring the changes will not lead to a weakness or fault in the system. "Changes in the configuration access to the Trusted Computing Base" is incorrect because this does not refer to controlling the changes or ensuring the changes will not lead to a weakness or fault in the system.
As per the Orange Book, what are two types of system assurance? A. Operational Assurance and Architectural Assurance. B. Design Assurance and Implementation Assurance. C. Architectural Assurance and Implementation Assurance. D. Operational Assurance and Life-Cycle Assurance.
Answer : D Explanation: Operational Assurance and Life-Cycle Assurance are the two types of assurance mentioned in the Orange Book. The following answers are incorrect: "Operational Assurance and Architectural Assurance" is incorrect because Architectural Assurance is not a type of assurance mentioned in the Orange Book. "Design Assurance and Implementation Assurance" is incorrect because neither is a type of assurance mentioned in the Orange Book. "Architectural Assurance and Implementation Assurance" is incorrect because neither is a type of assurance mentioned in the Orange Book.
Which of the following statements pertaining to the Bell-LaPadula is TRUE if you are NOT making use of the strong star property? A. It allows "read up." B. It addresses covert channels. C. It addresses management of access controls. D. It allows "write up."
Answer : D Explanation: Bell-LaPadula Confidentiality Model. The Bell-LaPadula model is perhaps the most well-known and significant security model, in addition to being one of the oldest models used in the creation of modern secure computing systems. Like the Trusted Computer System Evaluation Criteria (TCSEC), it was inspired by early U.S. Department of Defense security policies and the need to prove that confidentiality could be maintained. In other words, its primary goal is to prevent disclosure as the model system moves from one state (one point in time) to another. When the strong star property is not being used, both the * property and the Simple Security Property rules are applied. The Star (*) property rule of the Bell-LaPadula model says that subjects cannot write down; this would compromise the confidentiality of the information if, for example, someone at the Secret level wrote the object down to a Confidential container. The Simple Security Property rule states that the subject cannot read up, which means that a subject at the Secret level would not be able to access objects at Top Secret, for example. You must remember: the model tells you what you are NOT allowed to do. Anything else is allowed. For example, within the Bell-LaPadula model you are allowed to write up, as it does not compromise the security of the information. In fact it would upgrade the information, to the point that you could lock yourself out of your own information if you only have a Secret security clearance.
The following are incorrect answers because they are all FALSE: "It allows read up" is incorrect. The "simple security" property forbids read up. "It addresses covert channels" is incorrect. Covert channels are not addressed by the Bell-LaPadula model. "It addresses management of access controls" is incorrect. Management of access controls is beyond the scope of the Bell-LaPadula model.
Reference(s) used for this question: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 17595-17600). Auerbach Publications. Kindle Edition.
What are the components of an object's sensitivity label? A. A Classification Set and a single Compartment. B. A single classification and a single compartment. C. A Classification Set and user credentials. D. A single classification and a Compartment Set.
Answer : D Explanation: A single classification and a Compartment Set are the components of a sensitivity label. The following are incorrect: "A Classification Set and a single Compartment" is incorrect because the nomenclature "Classification Set" is wrong (there is only one classification), and it is not a "single compartment" but a Compartment Set. "A single classification and a single compartment" is incorrect because, while there is only one classification, it is not a "single compartment" but a Compartment Set. "A Classification Set and user credentials" is incorrect because the nomenclature "Classification Set" is wrong (there is only one classification), and it is not "user credentials" but a Compartment Set. The user would have their own sensitivity label.
What does it mean to say that sensitivity labels are "incomparable"? A. The number of classification in the two labels is different. B. Neither label contains all the classifications of the other. C. the number of categories in the two labels are different. D. Neither label contains all the categories of the other.
Answer : D Explanation: If a category does not exist in both labels, then you cannot compare them. Two sensitivity labels are incomparable when they are disjoint in this sense: a category in one of the labels is not in the other label. "Because neither label contains all the categories of the other, the labels can't be compared. They're said to be incomparable."
COMPARABILITY: The label TOP SECRET [VENUS ALPHA] is "higher" than either of the labels SECRET [VENUS ALPHA] and TOP SECRET [VENUS]. But you can't really say that the label TOP SECRET [VENUS] is higher than the label SECRET [ALPHA]. Because neither label contains all the categories of the other, the labels can't be compared. They're said to be incomparable. In a mandatory access control system, you won't be allowed access to a file whose label is incomparable to your clearance.
The Multilevel Security policy uses an ordering relationship between labels known as the dominance relationship. Intuitively, we think of a label that dominates another as being "higher" than the other. Similarly, we think of a label that is dominated by another as being "lower" than the other. The dominance relationship is used to determine permitted operations and information flows.
DOMINANCE: The dominance relationship is determined by the ordering of the Sensitivity/Clearance component of the label and the intersection of the sets of Compartments. A sample Sensitivity/Clearance ordering is: Top Secret > Secret > Confidential > Unclassified, i.e. s3 > s2 > s1 > s0. Formally, for label one to dominate label two, both of the following must be true: first, the sensitivity/clearance of label one must be greater than or equal to the sensitivity/clearance of label two; second, the intersection of the compartments of label one and label two must equal the compartments of label two. Additionally: two labels are said to be equal if their sensitivity/clearance and set of compartments are exactly equal. Note that dominance includes equality. One label is said to strictly dominate the other if it dominates the other but is not equal to the other. Two labels are said to be incomparable if each label has at least one compartment that is not included in the other's set of compartments. The dominance relationship produces a partial ordering over all possible MLS labels, resulting in what is known as the MLS Security Lattice.
The following answers are incorrect: "The number of classifications in the two labels is different" is incorrect because the categories are what is being compared, not the classifications. "Neither label contains all the classifications of the other" is incorrect because the categories are what is being compared, not the classifications. "The number of categories in the two labels is different" is incorrect because it is possible that a category exists more than once in one sensitivity label and does exist in the other, so they would be comparable.
Reference(s) used for this question: O'Reilly - Computer Systems and Access Control (Chapter 3) http://www.oreilly.com/catalog/csb/c
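The dominance rules stated above can be implemented directly. The following Python is an added example, not part of the O'Reilly text or of this question bank; the `Label` class and the `parse_label`, `dominates`, `strictly_dominates`, `incomparable` and `mac_read_allowed` names are assumptions of this example, and the sensitivity ranks follow the page's s0 < s1 < s2 < s3 ordering. `incomparable` uses the partial-order form (neither label dominates the other), which agrees with the compartment-based wording above for the page's examples, and `join` goes slightly beyond the text by computing the least upper bound that makes the set of labels a lattice.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet

# Sensitivity ordering from the explanation: Top Secret > Secret > Confidential > Unclassified
# (s3 > s2 > s1 > s0).
SENSITIVITY_RANK = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

# Page notation: a sensitivity word, optionally followed by compartments in square brackets.
_LABEL_RE = re.compile(r"^\s*([A-Z][A-Z ]*?)\s*(?:\[([^\]]*)\])?\s*$")


@dataclass(frozen=True)
class Label:
    sensitivity: str
    compartments: FrozenSet[str] = frozenset()

    @property
    def rank(self) -> int:
        return SENSITIVITY_RANK[self.sensitivity]

    def __str__(self) -> str:
        comps = " ".join(sorted(self.compartments))
        return f"{self.sensitivity} [{comps}]" if comps else self.sensitivity


def parse_label(text: str) -> Label:
    """Parse labels written as in the text, e.g. 'TOP SECRET [VENUS ALPHA]' or 'SECRET'."""
    m = _LABEL_RE.match(text.upper())
    if not m or m.group(1).strip() not in SENSITIVITY_RANK:
        raise ValueError(f"malformed label: {text!r}")
    comps = frozenset(m.group(2).split()) if m.group(2) else frozenset()
    return Label(m.group(1).strip(), comps)


def dominates(a: Label, b: Label) -> bool:
    """a dominates b when rank(a) >= rank(b) and comps(a) & comps(b) == comps(b),
    i.e. every compartment of b is also in a. Dominance includes equality."""
    return a.rank >= b.rank and (a.compartments & b.compartments) == b.compartments


def strictly_dominates(a: Label, b: Label) -> bool:
    return dominates(a, b) and a != b


def incomparable(a: Label, b: Label) -> bool:
    """Neither label dominates the other, so no ordering exists between them."""
    return not dominates(a, b) and not dominates(b, a)


def mac_read_allowed(clearance: Label, object_label: Label) -> bool:
    """Mandatory access control read check: the clearance must dominate the object's
    label, so an object whose label is incomparable to the clearance is refused."""
    return dominates(clearance, object_label)


def join(a: Label, b: Label) -> Label:
    """Least upper bound in the MLS lattice: the lowest label that dominates both
    inputs (the higher rank, the union of the compartments)."""
    top = a if a.rank >= b.rank else b
    return Label(top.sensitivity, a.compartments | b.compartments)
```

Running the text's own example through these functions: TOP SECRET [VENUS ALPHA] strictly dominates both SECRET [VENUS ALPHA] and TOP SECRET [VENUS], while TOP SECRET [VENUS] and SECRET [ALPHA] are incomparable, so a subject cleared to TOP SECRET [VENUS] is refused a SECRET [ALPHA] object even though its sensitivity is higher.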
Which of the following cloud deployment models is formed by the composition of two or more cloud deployment models? A. Private Cloud B. Community Cloud C. Public Cloud D. Hybrid Cloud
Answer : D Explanation: In a hybrid cloud, the cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds). For your exam you should know the following information about Cloud Computing deployment models:
Private cloud: The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises. (Private Cloud image reference: http://www.inflectionpoint.co.uk/Portals/5/VMware-vCloud.jpg)
Community cloud: The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises. (Community Cloud image reference: http://cloudcomputingksu.files.wordpress.comcommunity-)
Public cloud: The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.
Hybrid cloud: The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds). (Hybrid cloud image reference: http://www.virtualizationpractice.com/wp-content/uploadsHybrid-Cloud-Computing-Solution1.jpg)
The following answers are incorrect: Private cloud, Community cloud and Public cloud are each a single deployment model, as defined above, rather than a composition of two or more.
Which of the following statements pertaining to protection rings is false? A. They provide strict boundaries and definitions on what the processes that work within each ring can access. B. Programs operating in inner rings are usually referred to as existing in a privileged mode. C. They support the CIA triad requirements of multitasking operating systems. D. They provide users with direct access to peripherals
Answer : D Explanation: In computer science, hierarchical protection domains, often called protection rings, are mechanisms to protect data and functionality from faults (fault tolerance) and malicious behaviour (computer security). This approach is diametrically opposite to that of capability-based security. Computer operating systems provide different levels of access to resources. A protection ring is one of two or more hierarchical levels or layers of privilege within the architecture of a computer system. This is generally hardware-enforced by some CPU architectures that provide different CPU modes at the hardware or microcode level. Rings are arranged in a hierarchy from most privileged (most trusted, usually numbered zero) to least privileged (least trusted, usually with the highest ring number). On most operating systems, Ring 0 is the level with the most privileges and interacts most directly with the physical hardware such as the CPU and memory. Special gates between rings are provided to allow an outer ring to access an inner ring's resources in a predefined manner, as opposed to allowing arbitrary usage. Correctly gating access between rings can improve security by preventing programs from one ring or privilege level from misusing resources intended for programs in another. For example, spyware running as a user program in Ring 3 should be prevented from turning on a web camera without informing the user, since hardware access should be a Ring 1 function reserved for device drivers. Programs such as web browsers running in higher numbered rings must request access to the network, a resource restricted to a lower numbered ring. Users therefore do not get direct access to peripherals; every such access passes through a gate.
The following answers are incorrect because each is a true characteristic of a ring protection system, not the false statement asked for: "They provide strict boundaries and definitions on what the processes that work within each ring can access." "Programs operating in inner rings are usually referred to as existing in a privileged mode." "They support the CIA triad requirements of multitasking operating systems."
Reference(s) used for this question: CBK, pp. 310-311; AIO3, pp. 253-256; AIOv4 Security Architecture and Design (pages 308 - 310); AIOv5 Security Architecture and Design (pages 309 - 312).
Which of the following cloud computing service models is a provisioning model in which an organization outsources the equipment used to support operations, including storage, hardware, servers and networking components? A. Software as a service B. Data as a service C. Platform as a service D. Infrastructure as a service
Answer : D Explanation: Infrastructure as a Service is a provisioning model in which an organization outsources the equipment used to support operations, including storage, hardware, servers and networking components. The service provider owns the equipment and is responsible for housing, running and maintaining it. The client typically pays on a per-use basis. For your exam you should know the following information about Cloud Computing: Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models. (Cloud Computing image reference: http://osarena.net/wp-content/uploadscloud-computing3.jpg; Cloud computing service models image reference: http://www.esri.com/news/arcwatch/0110/graphics/feature2.jpg)
Software as a Service (SaaS): Software as a Service is a software distribution model in which applications are hosted by a vendor or service provider and made available to customers over a network, typically the Internet. SaaS is closely related to the ASP (application service provider) and on-demand computing software delivery models. IDC identifies two slightly different delivery models for SaaS. The hosted application management (hosted AM) model is similar to ASP: a provider hosts commercially available software for customers and delivers it over the Web. In the software on demand model, the provider gives customers network-based access to a single copy of an application created specifically for SaaS distribution and use. The provider gives users access to specific application software (CRM, e-mail, games). Benefits of the SaaS model include: easier administration; automatic updates and patch management; compatibility (all users will have the same version of software); easier collaboration, for the same reason; global accessibility.
Platform as a Service (PaaS): Platform as a Service is a way to rent hardware, operating systems, storage and network capacity over the Internet. The service delivery model allows the customer to rent virtualized servers and associated services for running existing applications or developing and testing new ones. Cloud providers deliver a computing platform, which can include an operating system, database, and web server as a holistic execution environment. Where IaaS is the raw IT network, PaaS is the software environment that runs on top of the IT network. Platform as a Service (PaaS) is an outgrowth of Software as a Service (SaaS).
Which of the following describes a technique in which a number of processor units are employed in a single computer system to increase the performance of the system in its application environment above the performance of a single processor of the same kind? A. Multitasking B. Multiprogramming C. Pipelining D. Multiprocessing
Answer : D Explanation: Multiprocessing is an organizational technique in which a number of processor units are employed in a single computer system to increase the performance of the system in its application environment above the performance of a single processor of the same kind. In order to cooperate on a single application or class of applications, the processors share a common resource. Usually this resource is primary memory, and the multiprocessor is called a primary memory multiprocessor. A system in which each processor has a private (local) main memory and shares secondary (global) memory with the others is a secondary memory multiprocessor, sometimes called a multicomputer system because of the looser coupling between processors. The more common multiprocessor systems incorporate only processors of the same type and performance and thus are called homogeneous multiprocessors; however, heterogeneous multiprocessors are also employed. A special case is the attached processor, in which a second processor module is attached to a first processor in a closely coupled fashion so that the first can perform input/output and operating system functions, enabling the attached processor to concentrate on the application workload.
The following were incorrect answers: Multiprogramming: The interleaved execution of two or more programs by a computer, in which the central processing unit executes a few instructions from each program in succession. Multitasking: The concurrent operation by one central processing unit of two or more processes. Pipelining: A procedure for processing instructions in a computer program more rapidly, in which each instruction is divided into numerous small stages, and a population of instructions are in various stages at any given time. One instruction does not have to wait for the previous one to complete all of the stages before it gets into the pipeline. It is similar to an assembly line in the real world.
References: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation. http://www.answers.com/topic/multiprocessing?cat=technology http://www.answers.com/multitasking?cat=biz-fin http://www.answers.com/pipelining?cat=technology
At which of the Orange Book evaluation levels is configuration management required? A. C1 and above. B. C2 and above. C. B1 and above. D. B2 and above.
Answer : D Explanation: Level B2 is the first level to require configuration management, and it is also a requirement for all higher levels. The following answers are incorrect: "C1 and above" is incorrect because configuration management is not a requirement until level B2; C1 is a lower level. "C2 and above" is incorrect because configuration management is not a requirement until level B2; C2 is a lower level. "B1 and above" is incorrect because configuration management is not a requirement until level B2; B1 is a lower level.
What is the name of the first mathematical model of a multi-level security policy used to define the concept of a secure state, the modes of access, and rules for granting access? A. Clark and Wilson Model B. Harrison-Ruzzo-Ullman Model C. Rivest and Shamir Model D. Bell-LaPadula Model
Answer : D Explanation: Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.
Which of the following statements relating to the Biba security model is FALSE? A. It is a state machine model. B. A subject is not allowed to write up. C. Integrity levels are assigned to subjects and objects. D. Programs serve as an intermediate layer between subjects and objects.
Answer : D Explanation: The Biba model was developed after the Bell-LaPadula model. It is a state machine model and is very similar to the Bell-LaPadula model, but the rules are 100% the opposite of Bell-LaPadula. Biba addresses the integrity of data within applications. The Bell-LaPadula model uses a lattice of security levels (top secret, secret, sensitive, and so on). These security levels were developed mainly to ensure that sensitive data was only available to authorized individuals. The Biba model is not concerned with security levels and confidentiality, so it does not base access decisions upon this type of lattice. The Biba model uses a lattice of integrity levels instead of a lattice of confidentiality levels like Bell-LaPadula. If implemented and enforced properly, the Biba model prevents data from any integrity level from flowing to a higher integrity level. Biba has two main rules to provide this type of protection: the *-integrity axiom, under which a subject cannot write data to an object at a higher integrity level (referred to as "no write up"); and the simple integrity axiom, under which a subject cannot read data from a lower integrity level (referred to as "no read down").
Extra information on the Clark-Wilson model, to understand the concepts: The Clark-Wilson model was developed after Biba and takes some different approaches to protecting the integrity of information. This model uses the following elements: Users (active agents); Transformation procedures (TPs), programmed abstract operations such as read, write, and modify; Constrained data items (CDIs), which can be manipulated only by TPs; Unconstrained data items (UDIs), which can be manipulated by users via primitive read and write operations; Integrity verification procedures (IVPs), which run periodically to check the consistency of CDIs with external reality.
The other answers are incorrect: "It is a state machine model": the Biba model is a state machine model and addresses the integrity of data within applications. "A subject is not allowed to write up" is the *-integrity axiom of the Biba model. "Integrity levels are assigned to subjects and objects" is also a characteristic of the Biba model, as it addresses integrity.
Reference(s) used for this question: Shon Harris, AIO v3, Chapter 5: Security Models and Architecture, pages 282 - 284; AIOv4 Security Architecture and Design (pages 338 - 342); AIOv5 Security Architecture and Design (pages 341 - 344).
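To make the "rules are the opposite" relationship between Biba and Bell-LaPadula concrete, together with the write-up behaviour discussed in the earlier strong star property question, here is an added Python example; it is not from the Harris text or the CBK. Levels are plain integers (higher means more sensitive for Bell-LaPadula, more trustworthy for Biba), and `Op`, `blp_allows`, `biba_allows`, `biba_mirrors_blp` and `write_up_then_read_back` are names chosen for this example.

```python
from enum import Enum
from itertools import product
from typing import Iterable, Tuple


class Op(Enum):
    READ = "read"
    WRITE = "write"


def blp_allows(subject_level: int, object_level: int, op: Op, strong_star: bool = False) -> bool:
    """Bell-LaPadula (confidentiality). Levels are integers, higher = more sensitive.
    Simple security property: no read up.
    *-property: no write down (writing up is allowed).
    Strong * property: a subject may write only at its own level."""
    if op is Op.READ:
        return subject_level >= object_level
    if strong_star:
        return subject_level == object_level
    return object_level >= subject_level


def biba_allows(subject_level: int, object_level: int, op: Op) -> bool:
    """Biba (integrity). Levels are integers, higher = more trustworthy.
    Simple integrity axiom: no read down.
    *-integrity axiom: no write up."""
    if op is Op.READ:
        return object_level >= subject_level
    return subject_level >= object_level


def biba_mirrors_blp(levels: Iterable[int] = range(4)) -> bool:
    """Check the 'rules are the opposite' claim exhaustively: Biba's decision for
    (subject, object) equals Bell-LaPadula's decision with the two levels swapped,
    for every pair of levels and both operations."""
    lv = list(levels)
    return all(
        biba_allows(s, o, op) == blp_allows(o, s, op)
        for s, o, op in product(lv, lv, Op)
    )


def write_up_then_read_back(subject_level: int, target_level: int) -> Tuple[bool, bool]:
    """Bell-LaPadula without the strong * property: a subject may write an object up to a
    higher level, but then can no longer read it (the 'lock yourself out' case)."""
    return (blp_allows(subject_level, target_level, Op.WRITE),
            blp_allows(subject_level, target_level, Op.READ))
```

With levels 0..3 standing for Unclassified..Top Secret, `write_up_then_read_back(2, 3)` returns `(True, False)`: the Secret subject's write to Top Secret is permitted by the * property, and the same subject's read of that object is refused by the simple security property. Enabling `strong_star` refuses the write as well.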
What is the Biba security model concerned with? A. Confidentiality B. Reliability C. Availability D. Integrity
Answer : D Explanation: The Biba security model addresses the integrity of data, which is threatened when subjects at lower security levels are able to write to objects at higher security levels and when subjects can read data at lower levels. Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter 5: Security Models and Architecture (Page 244).
Which of the following security models does NOT concern itself with the flow of data? A. The information flow model B. The Biba model C. The Bell-LaPadula model D. The noninterference model
Answer : D Explanation: The goal of a noninterference model is to strictly separate differing security levels to assure that higher-level actions do not determine what lower-level users can see. This is in contrast to other security models that control information flows between differing levels of users. By maintaining strict separation of security levels, a noninterference model minimizes leakages that might happen through a covert channel. The Bell-LaPadula model is incorrect. The Bell-LaPadula model is concerned with confidentiality and bases access control decisions on the classification of objects and the clearances of subjects. The information flow model is incorrect. The information flow models have a similar framework to the Bell-LaPadula model and control how information may flow between objects based on security classes. The Biba model is incorrect. The Biba model is concerned with integrity and is a complement to the Bell-LaPadula model in that higher levels of integrity are more trusted than lower levels. Access control is based on these integrity levels to assure that read/write operations do not decrease an object's integrity. References: CBK, pp. 325 - 326; AIO3, pp. 290 - 291.
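Noninterference, as described in this answer and in the earlier noninterference question, can be checked mechanically on a small system: the low user's observations of a trace must equal its observations of the same trace with every high-domain event purged. The following Python is an added example, not from the CBK or AIO references; the two-counter machine, the `high`/`low` domains, and the `run`, `purge_high`, `find_interference` and `noninterfering` names are constructed for it. The `leaky_low_read` variant shows what a covert channel from high to low looks like to the check.

```python
from itertools import product
from typing import Callable, Dict, Iterable, List, Optional, Sequence, Tuple

Event = Tuple[str, str]          # (domain, action); domain is "high" or "low"
LowRead = Callable[[Dict[str, int]], int]

# Constructed event alphabet: each domain can increment its own counter, low can read.
ALPHABET: List[Event] = [("high", "inc"), ("low", "inc"), ("low", "read")]


def run(events: Sequence[Event], low_read: LowRead) -> List[int]:
    """Execute a trace on a two-counter machine and return only what the low user
    observes: the values returned by its 'read' actions."""
    state = {"high": 0, "low": 0}
    low_view: List[int] = []
    for domain, action in events:
        if action == "inc":
            state[domain] += 1
        elif action == "read" and domain == "low":
            low_view.append(low_read(state))
    return low_view


def purge_high(events: Sequence[Event]) -> List[Event]:
    """Remove every high-domain event from the trace."""
    return [e for e in events if e[0] != "high"]


def isolated_low_read(state: Dict[str, int]) -> int:
    """Low sees only the low counter; high actions cannot influence this value."""
    return state["low"]


def leaky_low_read(state: Dict[str, int]) -> int:
    """Low output depends on the high counter: a covert channel from high to low."""
    return state["low"] + state["high"]


def traces(max_len: int) -> Iterable[Tuple[Event, ...]]:
    """Every trace over ALPHABET up to the given length, shortest first."""
    for n in range(max_len + 1):
        yield from product(ALPHABET, repeat=n)


def find_interference(low_read: LowRead, max_len: int = 4) -> Optional[Tuple[Event, ...]]:
    """Return the first trace whose low view changes when high events are purged,
    or None if the system is noninterfering over all traces up to max_len."""
    for t in traces(max_len):
        if run(t, low_read) != run(purge_high(t), low_read):
            return t
    return None


def noninterfering(low_read: LowRead, max_len: int = 4) -> bool:
    return find_interference(low_read, max_len) is None
```

For the isolated machine no trace up to length 4 distinguishes the purged run from the original, so the check passes. For the leaky machine the shortest witness is a high increment followed by a low read: low sees 1 in the original trace and 0 once the high event is purged, which is exactly the kind of high-to-low influence the noninterference model forbids and a covert-channel analysis would flag.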