CISSP Exam Collection - Part 1

QUESTION 109 Which access control model is also called Non Discretionary Access Control (NDAC)? A. Lattice based access control B. Mandatory access control C. Role-based access control D. Label-based access control

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: RBAC is sometimes also called non-discretionary access control (NDAC) (as Ferraiolo says "to distinguish it from the policy-based specifics of MAC"). Another model that fits within the NDAC category is Rule-Based Access Control (RuBAC or RBAC). Most of the CISSP books use the same acronym for both models but NIST tend to use a lowercase "u" in between R and B to differentiate the two models. You can certainly mimic MAC using RBAC but true MAC makes use of Labels which contains the sensitivity of the objects and the categories they belong to. No labels means MAC is not being used. One of the most fundamental data access control decisions an organization must make is the amount of control it will give system and data owners to specify the level of access users of that data will have. In every organization there is a balancing point between the access controls enforced by organization and system policy and the ability for information owners to determine who can have access based on specific business requirements. The process of translating that balance into a workable access control model can be defined by three general access frameworks: Discretionary access control Mandatory access control Nondiscretionary access control A role-based access control (RBAC) model bases the access control authorizations on the roles (or functions) that the user is assigned within an organization. The determination of what roles have access to a resource can be governed by the owner of the data, as with DACs, or applied based on policy, as with MACs. Access control decisions are based on job function, previously defined and governed by policy, and each role (job function) will have its own access capabilities. Objects associated with a role will inherit privileges assigned to that role. This is also true for groups of users, allowing administrators to simplify access control strategies by assigning users to groups and groups to roles. There are several approaches to RBAC. As with many system controls, there are variations on how they can be applied within a computer system. There are four basic RBAC architectures: 1 Non-RBAC: Non-RBAC is simply a user-granted access to data or an application by traditional mapping, such as with ACLs. There are no formal "roles" associated with the mappings, other than any identified by the particular user. 2 Limited RBAC: Limited RBAC is achieved when users are mapped to roles within a single application rather than through an organization-wide role structure. Users in a limited RBAC system are also able to access non-RBAC-based applications or data. For example, a user may be assigned to multiple roles within several applications and, in addition, have direct access to another application or system independent of his or her assigned role. The key attribute of limited RBAC is that the role for that user is defined within an application and not necessarily based on the user's organizational job function. 3 Hybrid RBAC: Hybrid RBAC introduces the use of a role that is applied to multiple applications or systems based on a user's specific role within the organization. That role is then applied to applications or systems that subscribe to the organization's role-based model. However, as the term "hybrid" suggests, there are instances where the subject may also be assigned to roles defined solely within specific applications, complimenting (or, perhaps, contradicting) the larger, more encompassing organizational role used by other systems. 4 Full RBAC: Full RBAC systems are controlled by roles defined by the organization's policy and access control infrastructure and then applied to applications and systems across the enterprise. The applications, systems, and associated data apply permissions based on that enterprise definition, and not one defined by a specific application or system. Be careful not to try to make MAC and DAC opposites of each other -- they are two different access control strategies with RBAC being a third strategy that was defined later to address some of the limitations of MAC and DAC. The other answers are not correct because: Mandatory access control is incorrect because though it is by definition not discretionary, it is not called "non-discretionary access control." MAC makes use of label to indicate the sensitivity of the object and it also makes use of categories to implement the need to know. Label-based access control is incorrect because this is not a name for a type of access control but simply a bogus detractor. Lattice based access control is not adequate either. A lattice is a series of levels and a subject will be granted an upper and lower bound within the series of levels. These levels could be sensitivity levels or they could be confidentiality levels or they could be integrity levels.Reference(s) used for this question: All in One, third edition, page 165 Ferraiolo, D., Kuhn, D. & Chandramouli, R. (2003). Role-Based Access Control, p. 18 Ferraiolo, D., Kuhn, D. (1992). Role-Based Access Controls. http://csrc.nist.gov/rbac/Role_Based_Access_Control-1992html Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition : Access Control ((ISC)2 Press) (Kindle Locations 1557-1584). Auerbach Publications. Kindle Edition. Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition : Access Control ((ISC)2 Press) (Kindle Locations 1474-1477). Auerbach Publications. Kindle Edition.

QUESTION 142 Which of the following is an example of discretionary access control? A. Identity-based access control B. Task-based access control C. Role-based access control D. Rule-based access control

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: An identity-based access control is an example of discretionary access control that is based on an individual's identity. Identity-based access control (IBAC) is access control based on the identity of the user (typically relayed as a characteristic of the process acting on behalf of that user) where access authorizations to specific objects are assigned based on user identity. Rule Based Access Control (RuBAC) and Role Based Access Control (RBAC) are examples of non- discretionary access controls. Rule-based access control is a type of non-discretionary access control because this access is determined by rules and the subject does not decide what those rules will be, the rules are uniformly applied to ALL of the users or subjects. In general, all access control policies other than DAC are grouped in the category of non- discretionary access control (NDAC). As the name implies, policies in this category have rules that are not established at the discretion of the user. Non-discretionary policies establish controls that cannot be changed by users, but only through administrative action. Both Role Based Access Control (RBAC) and Rule Based Access Control (RuBAC) fall within Non Discretionary Access Control (NDAC). If it is not DAC or MAC then it is most likely NDAC. BELOW YOU HAVE A DESCRIPTION OF THE DIFFERENT CATEGORIES: MAC = Mandatory Access Control Under a mandatory access control environment, the system or security administrator will define what permissions subjects have on objects. The administrator does not dictate user's access but simply configure the proper level of access as dictated by the Data Owner. The MAC system will look at the Security Clearance of the subject and compare it with the object sensitivity level or classification level. This is what is called the dominance relationship. The subject must DOMINATE the object sensitivity level. Which means that the subject must have a security clearance equal or higher than the object he is attempting to access. MAC also introduce the concept of labels. Every objects will have a label attached to them indicating the classification of the object as well as categories that are used to impose the need to know (NTK) principle. Even thou a user has a security clearance of Secret it does not mean he would be able to access any Secret documents within the system. He would be allowed to access only Secret document for which he has a Need To Know, formal approval, and object where the user belong to one of the categories attached to the object. If there is no clearance and no labels then IT IS NOT Mandatory Access Control. Many of the other models can mimic MAC but none of them have labels and a dominance relationship so they are NOT in the MAC category. DAC = Discretionary Access Control DAC is also known as: Identity Based access control system. The owner of an object is define as the person who created the object. As such the owner has the discretion to grant access to other users on the network. Access will be granted based solely on the identity of those users.Such system is good for low level of security. One of the major problem is the fact that a user who has access to someone's else file can further share the file with other users without the knowledge or permission of the owner of the file. Very quickly this could become the wild wild west as there is no control on the dissimination of the information. RBAC = Role Based Access Control RBAC is a form of Non-Discretionary access control. Role Based access control usually maps directly with the different types of jobs performed by employees within a company. For example there might be 5 security administrator within your company. Instead of creating each of their profile one by one, you would simply create a role and assign the administrators to the role. Once an administrator has been assigned to a role, he will IMPLICITLY inherit the permissions of that role. RBAC is great tool for environment where there is a a large rotation of employees on a daily basis such as a very large help desk for example. RBAC or RuBAC = Rule Based Access Control RuBAC is a form of Non-Discretionary access control. A good example of a Rule Based access control device would be a Firewall. A single set of rules is imposed to all users attempting to connect through the firewall. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33 and NISTIR-7316 at http://csrc.nist.gov/publications/nistir/7316/NISTIR-7316pdf and http://itlaw.wikia.com/wiki/Identity-based_access_control

QUESTION 89 Which of the following is an issue with signature-based intrusion detection systems? A. Only previously identified attack signatures are detected. B. Signature databases must be augmented with inferential elements. C. It runs only on the windows operating system D. Hackers can circumvent signature evaluations.

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: An issue with signature-based ID is that only attack signatures that are stored in their database are detected. New attacks without a signature would not be reported. They do require constant updates in order to maintain their effectiveness. Reference used for this question: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 49

QUESTION 26 In which of the following security models is the subject's clearance compared to the object's classification such that specific rules can be applied to control how the subject-to-object interactions take place? A. Bell-LaPadula model B. Biba model C. Access Matrix model D. Take-Grant model

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: Details: The Answer: Bell-LaPadula model The Bell-LAPadula model is also called a multilevel security system because users with different clearances use the system and the system processes data with different classifications. Developed by the US Military in the 1970s. A security model maps the abstract goals of the policy to information system terms by specifying explicit data structures and techniques necessary to enforce the security policy. A security model is usually represented in mathematics and analytical ideas, which are mapped to system specifications and then developed by programmers through programming code. So we have a policy that encompasses security goals, such as "each subject must be authenticated and authorized before accessing an object." The security model takes this requirement and provides the necessary mathematical formulas, relationships, and logic structure to be followed to accomplish this goal. A system that employs the Bell-LaPadula model is called a multilevel security system because users with different clearances use the system, and the system processes data at different classification levels. The level at which information is classified determines the handling procedures that should be used. The Bell- LaPadula model is a state machine model that enforces the confidentiality aspects of access control. A matrix and security levels are used to determine if subjects can access different objects. The subject's clearance is compared to the object's classification and then specific rules are applied to control how subject-to-object subject-to-object interactions can take place. Reference(s) used for this question: Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (p. 369). McGraw-Hill. Kindle Edition.

QUESTION 141 Which access control model would a lattice-based access control model be an example of? A. Mandatory access control. B. Discretionary access control. C. Non-discretionary access control. D. Rule-based access control.

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: In a lattice model, there are pairs of elements that have the least upper bound of values and greatest lower bound of values. In a Mandatory Access Control (MAC) model, users and data owners do not have as much freedom to determine who can access files. FIRST: The Lattice A lattice is simply an access control tool usually used to implement Mandatory Access Control (MAC) and it could also be used to implement RBAC but this is not as common. The lattice model can be used for Integrity level or file permissions as well. The lattice has a least upper bound and greatest lower bound. It makes use of pair of elements such as the subject security clearance pairing with the object sensitivity label. SECOND: DAC (Discretionary Access Control) Let's get into Discretionary Access Control: It is an access control method where the owner (read the creator of the object) will decide who has access at his own discretion. As we all know, users are sometimes insane. They will share their files with other users based on their identity but nothing prevent the user from further sharing it with other users on the network. Very quickly you loose control on the flow of information and who has access to what. It is used in small and friendly environment where a low level of security is all that is required. THIRD: MAC (Mandatory Access Control)All of the following are forms of Mandatory Access Control: Mandatory Access control (MAC) (Implemented using the lattice) You must remember that MAC makes use of Security Clearance for the subject and also Labels will be assigned to the objects. The clearance of the Subject must dominate (be equal or higher) the clearance of the Object being accessed. The label attached to the object will indicate the sensitivity leval and the categories the object belongs to. The categories are used to implement the Need to Know. All of the following are forms of Non Discretionary Access Control: Role Based Access Control (RBAC) Rule Based Access Control (Think Firewall in this case) The official ISC2 book says that RBAC (synonymous with Non Discretionary Access Control) is a form of DAC but they are simply wrong. RBAC is a form of Non Discretionary Access Control. Non Discretionary DOES NOT equal mandatory access control as there is no labels and clearance involved. I hope this clarifies the whole drama related to what is what in the world of access control. In the same line of taught, you should be familiar with the difference between Explicit permission (the user has his own profile) versus Implicit (the user inherit permissions by being a member of a role for example). The following answers are incorrect: Discretionary access control. Is incorrect because in a Discretionary Access Control (DAC) model, access is restricted based on the authorization granted to the users. It is identity based access control only. It does not make use of a lattice. Non-discretionary access control. Is incorrect because Non-discretionary Access Control (NDAC) uses the role-based access control method to determine access rights and permissions. It is often times used as a synonym to RBAC which is Role Based Access Control. The user inherit permission from the role when they are assigned into the role. This type of access could make use of a lattice but could also be implemented without the use of a lattice in some case. Mandatory Access Control was a better choice than this one, but RBAC could also make use of a lattice. The BEST answer was MAC. Rule-based access control. Is incorrect because it is an example of a Non-discretionary Access Control (NDAC) access control mode. You have rules that are globally applied to all users. There is no such thing as a lattice being use in Rule-Based Access Control. References: AIOv3 Access Control (pages 161 - 168) AIOv3 Security Models and Architecture (pages 291 - 293)

QUESTION 30 What kind of certificate is used to validate a user identity? A. Public key certificate B. Attribute certificate C. Root certificate D. Code signing certificate

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: In cryptography, a public key certificate (or identity certificate) is an electronic document which incorporates a digital signature to bind together a public key with an identity -- information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual. In a typical public key infrastructure (PKI) scheme, the signature will be of a certificate authority (CA). In a web of trust scheme, the signature is of either the user (a self-signed certificate) or other users ("endorsements"). In either case, the signatures on a certificate are attestations by the certificate signer that the identity information and the public key belong together. In computer security, an authorization certificate (also known as an attribute certificate) is a digital document that describes a written permission from the issuer touse a service or a resource that the issuer controls or has access to use. The permission can be delegated. Some people constantly confuse PKCs and ACs. An analogy may make the distinction clear. A PKC can be considered to be like a passport: it identifies the holder, tends to last for a long time, and should not be trivial to obtain. An AC is more like an entry visa: it is typically issued by a different authority and does not last for as long a time. As acquiring an entry visa typically requires presenting a passport, getting a visa can be a simpler process. A real life example of this can be found in the mobile software deployments by large service providers and are typically applied to platforms such as Microsoft Smartphone (and related), Symbian OS, J2ME, and others. In each of these systems a mobile communications service provider may customize the mobile terminal client distribution (ie. the mobile phone operating system or application environment) to include one or more root certificates each associated with a set of capabilities or permissions such as "update firmware", "access address book", "use radio interface", and the most basic one, "install and execute". When a developer wishes to enable distribution and execution in one of these controlled environments they must acquire a certificate from an appropriate CA, typically a large commercial CA, and in the process they usually have their identity verified using out-of-band mechanisms such as a combination of phone call, validation of their legal entity through government and commercial databases, etc., similar to the high assurance SSL certificate vetting process, though often there are additional specific requirements imposed on would-be developers/publishers. Once the identity has been validated they are issued an identity certificate they can use to sign their software; generally the software signed by the developer or publisher's identity certificate is not distributed but rather it is submitted to processor to possibly test or profile the content before generating an authorization certificate which is unique to the particular software release. That certificate is then used with an ephemeral asymmetric key-pair to sign the software as the last step of preparation for distribution. There are many advantages to separating the identity and authorization certificates especially relating to risk mitigation of new content being accepted into the system and key management as well as recovery from errant software which can be used as attack vectors. HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 2001, McGraw-Hill/Osborne, page 540 http://en.wikipedia.org/wiki/Attribute_certificate http://en.wikipedia.org/wiki/Public_key_certificate

QUESTION 90 Which of the following is an IDS that acquires data and defines a "normal" usage profile for the network or host? A. Statistical Anomaly-Based ID B. Signature-Based ID C. dynamical anomaly-based ID D. inferential anomaly-based ID

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: Statistical Anomaly-Based ID - With this method, an IDS acquires data and defines a "normal" usage profile for the network or host that is being monitored. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 49

QUESTION 119 Which of the following issues is not addressed by Kerberos? A. Availability B. Confidentiality C. Integrity D. Authentication

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: The KDC (Kerberos Distribution Center) can be a single point of failure. Confidentiality is incorrect. Kerberos does ensure confidentiality, keeping communications private between systems over a network. Integrity is incorrect. Kerberos does ensure integrity. Authentication is incorrect. Kerberos does provide authentication. References: CBK pp 181-194

QUESTION 130 Which of the following statements pertaining to Kerberos is TRUE? A. Kerberos does not address availability B. Kerberos does not address integrity C. Kerberos does not make use of Symmetric Keys D. Kerberos cannot address confidentiality of information

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: The question was asking for a TRUE statement and the only correct statement is "Kerberos does not address availability". Kerberos addresses the confidentiality and integrity of information. It does not directly address availability. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 42).

QUESTION 72 The authenticator within Kerberos provides a requested service to the client after validating which of the following? A. timestamp B. client public key C. client private key D. server public key

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: The server also checks the authenticator and, if that timestamp is valid, it provides the requested service to the client. Even if the user principal is present in a ticket and only the application server can extract and possibly manage such information (since the ticket is encrypted with the secret key of the service), this is not enough to guarantee the authenticity of the client. An impostor could capture (remember the hypothesis of an open and insecure network) the ticket when it is sent by a legitimate client to the application server, and at an opportune time, send it to illegitimately obtain the service. On the other hand, including the IP addresses of the machine from where it is possible to use it is not very useful: it is known that in an open and insecure network addresses are easily falsified. To solve the problem, one has to exploit the fact that the client and server, at least during a session have the session key in common that only they know (also the KDC knows it since it generated it, but it is trusted by definition!!!). Thus the following strategy is applied: along with the request containing the ticket, the client adds another packet (the authenticator) where the user principal and time stamp (its at that time) are included and encrypts it with the session key; the server which must offer the service, upon receiving this request, unpacks the first ticket, extracts the session key and, if the user is actually who he/she says, the server is able to unencrypt the authenticator extracting the timestamp. If the latter differs from the server time by less than 2 minutes (but the tolerance can be configured) then the authentication is successful. This underlines the criticality of synchronization between machines belonging to the same realm. The Replay Attack A replay attack occurs when an intruder steals the packet and presents it to the service as if the intruder were the user. The user's credentials are there -- everything needed to access a resource. This is mitigated by the features of the "Authenticator," which is illustrated in the picture below. The Authenticator is created for the AS_REQ or the TGS_REQ and sends additional data, such as an encrypted IP list, the client's timestamp and the ticket lifetime. If a packet is replayed, the timestamp is checked. If the timestamp is earlier or the same as a previous authenticator, the packet is rejected because it's a replay. In addition, the time stamp in the Authenticator is compared to the server time. It must be within five minutes (by default in Windows). Kerberos Authenticator to prevent replay attacks The Authenticator mitigates the Possibility of a replay attack. If the time skew is greater than five minutes the packet is rejected. This limits the number of possible replay attacks. While it is technically possible to steal the packet and present it to the server before the valid packet gets there, it is very difficult to do. It's fairly well known that all computers in a Windows domain must have system times within five minutes of each other. This is due to the Kerberos requirement. Reference(s) used for this question: Redmond Magazine and http://kerberos.org/software/tutorial.html and KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 42

QUESTION 104 Which of the following is the WEAKEST authentication mechanism? A. Passphrases B. Passwords C. One-time passwords D. Token devices

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Most of the time users usually choose passwords which can be guessed , hence passwords is the BEST answer out of the choices listed above. The following answers are incorrect because : Passphrases is incorrect as it is more secure than a password because it is longer.One-time passwords is incorrect as the name states , it is good for only once and cannot be reused. Token devices is incorrect as this is also a password generator and is an one time password mechanism. Reference : Shon Harris AIO v3 , Chapter-4 : Access Control , Page : 139 , 142

QUESTION 61 In Synchronous dynamic password tokens: A. The token generates a new password value at fixed time intervals (this password could be based on the time of day encrypted with a secret key). B. The token generates a new non-unique password value at fixed time intervals (this password could be based on the time of day encrypted with a secret key). C.The unique password is not entered into a system or workstation along with an owner's PIN. D. The authentication entity in a system or workstation knows an owner's secret key and PIN, and the entity verifies that the entered password is invalid and that it was entered during the invalid time window.

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Synchronous dynamic password tokens: The token generates a new password value at fixed time intervals (this password could be the time of day encrypted with a secret key). The unique password is entered into a system or workstation along with an owner's PIN. The authentication entity in a system or workstation knows an owner's secret key and PIN, and the entity verifies that the entered password is valid and that it was entered during the valid time window. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 37

QUESTION 100 Which of the following is the FIRST step in protecting data's confidentiality? A. Install a firewall B. Implement encryption C. Identify which information is sensitive D. Review all user access rights

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: In order to protect the confidentiality of the data. The following answers are incorrect because : Install a firewall is incorrect as this would come after the information has been identified for sensitivity levels. Implement encryption is also incorrect as this is one of the mechanisms to protect the data once it has been identified. Review all user access rights is also incorrect as this is also a protection mechanism for the identified information. Reference : Shon Harris AIO v3 , Chapter-4 : Access Control , Page : 126

QUESTION 140 Which of the following statements pertaining to using Kerberos without any extension is false? A. A client can be impersonated by password-guessing. B. Kerberos is mostly a third-party authentication protocol. C. Kerberos uses public key cryptography. D. Kerberos provides robust authentication.

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: Kerberos is a trusted, credential-based, third-party authentication protocol that uses symmetric (secret) key cryptography to provide robust authentication to clients accessing services on a network. Because a client's password is used in the initiation of the Kerberos request for the service protocol, password guessing can be used to impersonate a client. Here is a nice overview of HOW Kerberos is implement as described in RFC 4556: 1 Introduction The Kerberos V5 protocol [RFC4120] involves use of a trusted third party known as the Key Distribution Center (KDC) to negotiate shared session keys between clients and services and provide mutual authentication between them. The corner-stones of Kerberos V5 are the Ticket and the Authenticator. A Ticket encapsulates a symmetric key (the ticket session key) in an envelope (a public message) intended for a specific service. The contents of the Ticket are encrypted with a symmetric key shared between the service principal and the issuing KDC. The encrypted part of the Ticket contains the client principal name, among other items. An Authenticator is a record that can be shown to have been recently generated using the ticket session key in the associated Ticket. The ticket session key is known by the client who requested the ticket. The contents of the Authenticator are encrypted with the associated ticket session key. The encrypted part of an Authenticator contains a timestamp and the client principal name, among other items. As shown in Figure 1, below, the Kerberos V5 protocol consists of the following message exchanges between the client and the KDC, and the client and the application service: - The Authentication Service (AS) Exchange The client obtains an "initial" ticket from the Kerberos authentication server (AS), typically a Ticket Granting Ticket (TGT). The AS-REQ message and the AS-REP message are the request and the reply message, respectively, between the client and the AS. - The Ticket Granting Service (TGS) Exchange The client subsequently uses the TGT to authenticate and request a service ticket for a particular service, from the Kerberos ticket-granting server (TGS). The TGS-REQ message and the TGS-REP message are the request and the reply message respectively between the client and the TGS. - The Client/Server Authentication Protocol (AP) Exchange The client then makes a request with an AP-REQ message, consisting of a service ticket and an authenticator that certifies the client's possession of the ticket session key. The server may optionally reply with an AP-REP message. AP exchanges typically negotiate session-specific symmetric keys. Usually, the AS and TGS are integrated in a single device also knownas the KDC. +--------------+ +--------->| KDC | AS-REQ / +-------| | / / +--------------+ / / ^ | / |AS-REP / | | | / TGS-REQ + TGS-REP | | / / | | / / | | / +---------+ | | / / | | / / | | / / | v / v ++-------+------+ +-----------------+ | Client +------------>| Application | | | AP-REQ | Server | | |<------------| | +---------------+ AP-REP +-----------------+ Figure 1: The Message Exchanges in the Kerberos V5 Protocol In the AS exchange, the KDC reply contains the ticket session key, among other items, that is encrypted using a key (the AS reply key) shared between the client and the KDC. The AS reply key is typically derived from the client's password for human users. Therefore, for human users, the attack resistance strength of the Kerberos protocol is no stronger than the strength of their passwords. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 40). And HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 4: Access Control (pages 147-151). and http://www.ietf.org/rfc/rfc4556txt

QUESTION 143 Which of the following would be used to implement Mandatory Access Control (MAC)? A. Clark-Wilson Access Control B. Role-based access control C. Lattice-based access control D. User dictated access control

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: The lattice is a mechanism use to implement Mandatory Access Control (MAC) Under Mandatory Access Control (MAC) you have: Mandatory Access Control Under-Non Discretionary Access Control (NDAC) you have: Rule-Based Access Control Role-Based Access Control Under Discretionary Access Control (DAC) you have: Discretionary Access Control The Lattice Based Access Control is a type of access control used to implement other access control method. A lattice is an ordered list of elements that has a least upper bound and a most lower bound. The lattice can be used for MAC, DAC, Integrity level, File Permission, and more For example in the case of MAC, if we look at common government classifications, we have the following: TOP SECRET SECRET -----------------------I am the user at secret CONFIDENTIAL SENSITIVE BUT UNCLASSIFIED UNCLASSIFIED If you look at the diagram above where I am a user at SECRET it means that I can access document at lower classification but not document at TOP SECRET. The lattice is a list of ORDERED ELEMENT, in this case the ordered elements are classification levels. My least upper bound is SECRET and my most lower bound is UNCLASSIFIED. However the lattice could also be used for Integrity Levels such as: VERY HIGH HIGH MEDIUM ----------I am a user, process, application at the medium level LOW VERY LOW In the case of Integrity levels you have to think about TRUST. Of course if I take for example the VISTA operating system which is based on Biba then Integrity Levels would be used. As a user having access to the system I cannot tell a process running with administrative privilege what to do. Else any users on the system could take control of the system by getting highly privilege process to do things on their behalf. So no read down would be allowed in this case and this is an example of the Biba model. Last but not least the lattice could be use for file permissions:RWX RW ---------User at this level R If I am a user with READ and WRITE (RW) access privilege then I cannot execute the file because I do not have execute permission which is the X under Linux and UNIX. Many people confuse the Lattice Model and many books says MAC = LATTICE, however the lattice can be use for other purposes. There is also Role Based Access Control (RBAC) that exists out there. It COULD be used to simulate MAC but it is not MAC as it does not make use of Label on objects indicating sensitivity and categories. MAC also require a clearance that dominates the object. You can get more info about RBAC at:http://csrc.nist.gov/groups/SNS/rbac/faq.html#03 Also note that many book uses the same acronym for Role Based Access Control and Rule Based Access Control which is RBAC, this can be confusing. The proper way of writing the acronym for Rule Based Access Control is RuBAC, unfortunately it is not commonly used. References: There is a great article on technet that talks about the lattice in VISTA: http://blogs.technet.com/b/steriley/archive/2006/07/21/442870aspx also see: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 33). and http://www.microsoft-watch.com/content/vista/gaging_vistas_integrity.html

QUESTION 79 A database view is the results of which of the following operations? A. Join and Select. B. Join, Insert, and Project. C. Join, Project, and Create. D. Join, Project, and Select.

Correct Answer: D Section: Identity and Access Management Explanation Explanation/Reference: 1 The formal description of how a relational database operates. 2 The mathematics which underpin SQL operations. A number of operations can be performed in relational algebra to build relations and operate on the data. Five operations are primitives (Select, Project, Union, Difference and Product) and the other operations can be defined in terms of those five. A View is defined from the operations of Join, Project, and Select. For the purpose of the exam you must remember the following terms from relational algebra and their SQL equivalent: Tuple = Row, Entry Attribute = Column Relation or Based relation = Table See the extract below from the ISC2 book: Each table, or relation, in the relational model consists of a set of attributes and a set of tuples (rows) or entries in the table. Attributes correspond to a column in a table. Attributes are unordered left to right, and thus are referenced by name and not by position. All data values in the relational model are atomic. Atomic values mean that at every row/column position in every table there is always exactly one data value and never a set of values. There are no links or pointers connecting tables; thus, the representation of relationships is contained as data in another table. A tuple of a table corresponds to a row in the table. Tuples are unordered top to bottom because a relation is a mathematical set and not a list. Also, because tuples are based on tables that are mathematical sets, there are no duplicate tuples in a table (sets in mathematics by definition do not include duplicate elements). The primary key is an attribute or set of attributes that uniquely identifies a specific instance of an entity. Each table in a database must have a primary key that is unique to that table. It is a subset of the candidate key. Reference used for this question: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 12262-12269). Auerbach Publications. Kindle Edition. and KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 46 and http://db.grussell.org/slides/rel%20algebra%201ppt NOTE: SQL offers three classes of operators: select, project, and join. The select operator serves to shrink the table vertically by eliminating unwanted rows (tuples). The project operator serves to shrink the table horizontally by removing unwanted columns (attributes). And the join operator allows the dynamic linking of two tables that share a common column value. The join operation is achieved by stating the selection criteria for two tables and equating them with their common columns. Most commercial implementations of SQL do not support a project operation, instead projections are achieved by specifying the columns desired in the output. This is why the Project operator is not well known as it is fading away from most databases.

QUESTION 135 Which of the following access control models introduces user security clearance and data classification? A. Role-based access control B. Discretionary access control C. Non-discretionary access control D. Mandatory access control

Correct Answer: D Section: Identity and Access Management Explanation Explanation/Reference: The mandatory access control model is based on a security label system. Users are given a security clearance and data is classified. The classification is stored in the security labels of the resources. Classification labels specify the level of trust a user must have to access a certain file. Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter 4: Access Control (Page 154).

QUESTION 52 What is called the act of a user professing an identity to a system, usually in the form of a log-on ID? A. Authentication B. Identification C. Authorization D. Confidentiality

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Identification is the act of a user professing an identity to a system, usually in the form of a log- on ID to the system. Identification is nothing more than claiming you are somebody. You identify yourself when you speak to someone on the phone that you don't know, and they ask you who they're speaking to. When you say, "I'm Jason.", you've just identified yourself. In the information security world, this is analogous to entering a username. It's not analogous to entering a password. Entering a password is a method for verifying that you are who you identified yourself as. NOTE: The word "professing" used above means: "to say that you are, do, or feel something when other people doubt what you say". This is exactly what happen when you provide your identifier (identification), you claim to be someone but the system cannot take your word for it, you must further Authenticate to the system to prove who you claim to be. The following are incorrect answers: Authentication: is how one proves that they are who they say they are. When you claim to be Jane Smith by logging into a computer system as "jsmith", it's most likely going to ask you for a password. You've claimed to be that person by entering the name into the username field (that's the identification part), but now you have to prove that you are really that person. Many systems use a password for this, which is based on "something you know", i.e. a secret between you and the system. Another form of authentication is presenting something you have, such as a driver's license, an RSA token, or a smart card. You can also authenticate via something you are. This is the foundation for biometrics. When you do this, you first identify yourself and then submit a thumb print, a retina scan, or another form of bio-based authentication. Once you've successfully authenticated, you have now done two things: you've claimed to be someone, and you've proven that you are that person. The only thing that's left is for the system to determine what you're allowed to do. Authorization: is what takes place after a person has been both identified and authenticated; it's the step determines what a person can then do on the system. An example in people terms would be someone knocking on your door at night. You say, "Who is it?", and wait for a response. They say, "It's John." in order to identify themselves. You ask them to back up into the light so you can see them through the peephole. They do so, and you authenticate them based on what they look like (biometric). At that point you decide they can come inside the house. If they had said they were someone you didn't want in your house (identification), and you then verified that it was that person (authentication), the authorization phase would not include access to the inside of the house. Confidentiality: Is one part of the CIA triad. It prevents sensitive information from reaching the wrong people, while making sure that the right people can in fact get it. A good example is a credit card number while shopping online, the merchant needs it to clear the transaction but you do not want your informaiton exposed over the network, you would use a secure link such as SSL, TLS, or some tunneling tool to protect the information from prying eyes between point A and point B. Data encryption is a common method of ensuring confidentiality. The other parts of the CIA triad are listed below: Integrity involves maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle. Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered by unauthorized people (for example, in a breach of confidentiality). In addition, some means must be in place to detect any changes in data that might occur as a result of non-human-caused events such as an electromagnetic pulse (EMP) or server crash. If an unexpected change occurs, a backup copy must be available to restore the affected data to its correct state. Availability is best ensured by rigorously maintaining all hardware, performing hardware repairs immediately when needed, providing a certain measure of redundancy and failover, providing adequate communications bandwidth and preventing the occurrence of bottlenecks, implementing emergency backup power systems, keeping current with all necessary system upgrades, and guarding against malicious actions such as denial-of-service (DoS) attacks. Reference used for this question: http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA http://www.danielmiessler.com/blog/security-identification-authentication-and- authorization http://www.merriam-webster.com/dictionary/profess KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36

QUESTION 131 Database views are NOT used to: A. Implement referential integrity B. Implement least privilege C. To implement content-dependent access restrictions D. Implement need-to-know

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: A view is considered as a virtual table that is derived from other tables. It can be used to restrict access to certain information within the database, to hide attributes, and to implement content- dependent access restrictions. It does not implement referential integrity. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 46).

QUESTION 132 What IDS approach relies on a database of known attacks? A. Signature-based intrusion detection B. Statistical anomaly-based intrusion detection C. Behavior-based intrusion detection D. Network-based intrusion detection

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: A weakness of the signature-based (or knowledge-based) intrusion detection approach is that only attack signatures that are stored in a database are detected. Network-based intrusion detection can either be signature-based or statistical anomaly-based (also called behavior- based). Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 49).

QUESTION 107 Which access control model enables the OWNER of the resource to specify what subjects can access specific resources based on their identity? A. Discretionary Access Control B. Mandatory Access Control C. Sensitive Access Control D. Role-based Access Control

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: Data owners decide who has access to resources based only on the identity of the person accessing the resource. The following answers are incorrect : Mandatory Access Control : users and data owners do not have as much freedom to determine who can access files. The operating system makes the final decision and can override the users' wishes and access decisions are based on security labels. Sensitive Access Control : There is no such access control in the context of the above question. Role-based Access Control : uses a centrally administered set of controls to determine how subjects and objects interact , also called as non discretionary access control. In a mandatory access control (MAC) model, users and data owners do not have as much freedom to determine who can access files. The operating system makes the final decision and can override the users' wishes. This model is much more structured and strict and is based on a security label system. Users are given a security clearance (secret, top secret, confidential, and so on), and data is classified in the same way. The clearance and classification data is stored in the security labels, which are bound to the specific subjects and objects. When the system makes a decision about fulfilling a request to access an object, it is based on the clearance of the subject, the classification of the object, and the security policy of the system. The rules for how subjects access objects are made by the security officer, configured by the administrator, enforced by the operating system, and supported by security technologies Reference : Shon Harris , AIO v3 , Chapter-4 : Access Control , Page : 163-165

QUESTION 110 Which access model is most appropriate for companies with a high employee turnover? A. Role-based access control B. Mandatory access control C. Lattice-based access control D. Discretionary access control

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: The underlying problem for a company with a lot of turnover is assuring that new employees are assigned the correct access permissions and that those permissions are removed when they leave the company. Selecting the best answer requires one to think about the access control options in the context of a company with a lot of flux in the employee population. RBAC simplifies the task of assigning permissions because the permissions are assigned to roles which do not change based on who belongs to them. As employees join the company, it is simply a matter of assigning them to the appropriate roles and their permissions derive from their assigned role. They will implicitely inherit the permissions of the role or roles they have been assigned to. When they leave the company or change jobs, their role assignment is revoked/changed appropriately. Mandatory access control is incorrect. While controlling access based on the clearence level of employees and the sensitivity of obects is a better choice than some of the other incorrect answers, it is not the best choice when RBAC is an option and you are looking for the best solution for a high number of employees constantly leaving or joining the company. Lattice-based access control is incorrect. The lattice is really a mathematical concept that is used in formally modeling information flow (Bell-Lapadula, Biba, etc). In the context of the question, an abstract model of information flow is not an appropriate choice. CBK, pp. 324-325 Discretionary access control is incorrect. When an employee joins or leaves the company, the object owner must grant or revoke access for that employee on all the objects they own. Problems would also arise when the owner of an object leaves the company. The complexity of assuring that the permissions are added and removed correctly makes this the least desirable solution in this situation. References: Alll in One, third edition page 165 RBAC is discussed on pp. 189 through 191 of the ISC(2) guide.

QUESTION 105 Which of the following statements pertaining to access control is false? A. Users should only access data on a need-to-know basis. B. If access is not explicitly denied, it should be implicitly allowed. C. Access rights should be granted based on the level of trust a company has on a subject. Access rights should be granted based on the level of trust a company has on a subject. D. Roles can be an efficient way to assign rights to a type of user who performs certain tasks.

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Access control mechanisms should default to no access to provide the necessary level of security and ensure that no security holes go unnoticed. If access is not explicitly allowed, it should be implicitly denied. Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter 4: Access Control (page 143).

QUESTION 150 Which type of control is concerned with restoring controls? A. Compensating controls B. Corrective controls C. Detective controls D. Preventive controls

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Corrective controls are concerned with remedying circumstances and restoring controls. Detective controls are concerned with investigating what happen after the fact such as logs and video surveillance tapes for example. Compensating controls are alternative controls, used to compensate weaknesses in other controls. Preventive controls are concerned with avoiding occurrences of risks. Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

QUESTION 115 Which access control model is best suited in an environment where a high security level is required and where it is desired that only the administrator grants access control? A. DAC B. MAC C. Access control matrix D. TACACS

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: MAC provides high security by regulating access based on the clearance of individual users and sensitivity labels for each object. Clearance levels and sensitivity levels cannot be modified by individual users -- for example, user Joe (SECRET clearance) cannot reclassify the "Presidential Doughnut Recipe" from "SECRET" to "CONFIDENTIAL" so that his friend Jane (CONFIDENTIAL clearance) can read it. The administrator is ultimately responsible for configuring this protection in accordance with security policy and directives from the Data Owner. DAC is incorrect. In DAC, the data owner is responsible for controlling access to the object. Access control matrix is incorrect. The access control matrix is a way of thinking about the access control needed by a population of subjects to a population of objects. This access control can be applied using rules, ACL's, capability tables, etc. TACACS is incorrect. TACACS is a tool for performing user authentication. References: CBK, p. 187, Domain 2: Access Control. AIO3, Chapter 4, Access Control.

QUESTION 123 An Intrusion Detection System (IDS) is what type of control? A. A preventive control. B. A detective control. C. A recovery control. D. A directive control.

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: These controls can be used to investigate what happen after the fact. Your IDS may collect information on where the attack came from, what port was use, and other details that could be used in the investigation steps. "Preventative control" is incorrect. Preventative controls preclude events or actions that might compromise a system or cause a policy violation. An intrusion prevention system would be an example of a preventative control. "Recovery control" is incorrect. Recover controls include processes used to return the system to a secure state after the occurrence of a security incident. Backups and redundant components are examples of recovery controls. "Directive controls" is incorrect. Directive controls are administrative instruments such as policies, procedures, guidelines, and aggreements. An acceptable use policy is an example of a directive control. References: CBK, pp. 646 647

QUESTION 128 Which type of password token involves time synchronization? A. Static password tokens B. Synchronous dynamic password tokens C. Asynchronous dynamic password tokens D. Challenge-response tokens

Correct Answer: B Section: Identity and Access ManagementExplanation Explanation/Reference: Synchronous dynamic password tokens generate a new unique password value at fixed time intervals, so the server and token need to be synchronized for the password to be accepted. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 37). Also check out: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 4: Access Control (page 136).

QUESTION 125 What ensures that the control mechanisms correctly implement the security policy for the entire life cycle of an information system? A. Accountability controls B. Mandatory access controls C. Assurance procedures D. Administrative controls

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: Controls provide accountability for individuals accessing information. Assurance procedures ensure that access control mechanisms correctly implement the security policy for the entire life cycle of an information system. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 33).

QUESTION 102 Which of the following statements pertaining to biometrics is FALSE? A. User can be authenticated based on behavior. B. User can be authenticated based on unique physical attributes. C. User can be authenticated by what he knows. D. A biometric system's accuracy is determined by its crossover error rate (CER).

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: As this is not a characteristic of Biometrics this is the rigth choice for this question. This is one of the three basic way authentication can be performed and it is not related to Biometrics. Example of something you know would be a password or PIN for example. Please make a note of the negative 'FALSE' within the question. This question may seem tricky to some of you but you would be amazed at how many people cannot deal with negative questions. There will be a few negative questions within the real exam, just like this one the keyword NOT or FALSE will be in Uppercase to clearly indicate that it is negative. Biometrics verifies an individual's identity by analyzing a unique personal attribute or behavior, which is one of the most effective and accurate methods of performing authentication (one to one matching) or identification (a one to many matching). A biometric system scans an attribute or behavior of a person and compares it to a template store within an authentication server datbase, such template would be created in an earlier enrollment process. Because this system inspects the grooves of a person's fingerprint, the pattern of someone's retina, or the pitches of someone's voice, it has to be extremely sensitive. The system must perform accurate and repeatable measurements of anatomical or physiological characteristics. This type of sensitivity can easily cause false positives or false negatives. The system must be calibrated so that these false positives and false negatives occur infrequently and the results are as accurate as possible. There are two types of failures in biometric identification: False Rejection also called False Rejection Rate (FRR) -- The system fail to recognize a legitimate user. While it could be argued that this has the effect of keeping the protected area extra secure, it is an intolerable frustration to legitimate users who are refused access because the scanner does not recognize them. False Acceptance or False Acceptance Rate (FAR) -- This is an erroneous recognition, either by confusing one user with another or by accepting an imposter as a legitimate user. Physiological Examples:Unique Physical Attributes: Fingerprint (Most commonly accepted) Hand Geometry Retina Scan (Most accurate but most intrusive) Iris Scan Vascular Scan Behavioral Examples: Repeated Actions Keystroke Dynamics (Dwell time (the time a key is pressed) and Flight time (the time between "key up" and the next "key down"). Signature Dynamics (Stroke and pressure points) EXAM TIP: Retina scan devices are the most accurate but also the most invasive biometrics system available today. The continuity of the retinal pattern throughout life and the difficulty in fooling such a device also make it a great long-term, high-security option. Unfortunately, the cost of the proprietary hardware as well the stigma of users thinking it is potentially harmful to the eye makes retinal scanning a bad fit for most situations. Remember for the exam that fingerprints are the most commonly accepted type of biometrics system. The other answers are incorrect: 'Users can be authenticated based on behavior.' is incorrect as this choice is TRUE as it pertains to BIOMETRICS. Biometrics systems makes use of unique physical characteristics or behavior of users. 'User can be authenticated based on unique physical attributes.' is also incorrect as this choice is also TRUE as it pertains to BIOMETRICS. Biometrics systems makes use of unique physical characteristics or behavior of users. 'A biometric system's accuracy is determined by its crossover error rate (CER)' is also incorrect as this is TRUE as it also pertains to BIOMETRICS. The CER is the point at which the false rejection rates and the false acceptance rates are equal. The smaller the value of the CER, the more accurate the system. Reference(s) used for this question: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 25353-25356). Auerbach Publications. Kindle Edition. and Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 25297-25303). Auerbach Publications. Kindle Edition.

QUESTION 139 Which of the following statements pertaining to Kerberos is true? A. Kerberos uses public key cryptography. B. Kerberos uses X.509 certificates. C. Kerberos is a credential-based authentication system. D. Kerberos was developed by Microsoft.

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: Kerberos is a trusted, credential-based, third-party authentication protocol that was developed at MIT and that uses symmetric (secret) key cryptography to authenticate clients to other entities on a network for access to services. It does not use X.509 certificates, which are used in public key cryptography. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 40).

QUESTION 122 Which security model introduces access to objects only through programs? A. The Biba model B. The Bell-LaPadula model C. The Clark-Wilson model D. The information flow model

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: In the Clark-Wilson model, the subject no longer has direct access to objects but instead must access them through programs (well -formed transactions). The ClarkWilson integrity model provides a foundation for specifying and analyzing an integrity policy for a computing system.The model is primarily concerned with formalizing the notion of information integrity. Information integrity is maintained by preventing corruption of data items in a system due to either error or malicious intent. An integrity policy describes how the data items in the system should be kept valid from one state of the system to the next and specifies the capabilities of various principals in the system. The model defines enforcement rules and certification rules. ClarkWilson is more clearly applicable to business and industry processes in which the integrity of the information content is paramount at any level of classification. Integrity goals of ClarkWilson model: Prevent unauthorized users from making modification (Only this one is addressed by the Biba model). Separation of duties prevents authorized users from making improper modifications. Well formed transactions: maintain internal and external consistency i.e. it is a series of operations that are carried out to transfer the data from one consistent state to the other. The following are incorrect answers: The Biba model is incorrect. The Biba model is concerned with integrity and controls access to objects based on a comparison of the security level of the subject to that of the object. The Bell-LaPdaula model is incorrect. The Bell-LaPaula model is concerned with confidentiality and controls access to objects based on a comparison of the clearence level of the subject to the classification level of the object. The information flow model is incorrect. The information flow model uses a lattice where objects are labelled with security classes and information can flow either upward or at the same level. It is similar in framework to the Bell-LaPadula model. References: ISC2 Official Study Guide, Pages 325 - 327 AIO3, pp. 284 - 287 AIOv4 Security Architecture and Design (pages 338 - 342) AIOv5 Security Architecture and Design (pages 341 - 344) Wikipedia at: https://en.wikipedia.org/wiki/Clark-Wilson_model

QUESTION 149 Which type of control is concerned with avoiding occurrences of risks? A. Deterrent controls B. Detective controls C. Preventive controls D. Compensating controls

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: Preventive controls are concerned with avoiding occurrences of risks while deterrent controls are concerned with discouraging violations. Detecting controls identify occurrences and compensating controls are alternative controls, used to compensate weaknesses in other controls. Supervision is an example of compensatingcontrol. Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

QUESTION 145 What does the * (star) property mean in the Bell-LaPadula model? A. No write up B. No read up C. No write down D. No read down

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: The *- (star) property of the Bell-LaPadula access control model states that writing of information by a subject at a higher level of sensitivity to an object at a lower level of sensitivity is not permitted (no write down). Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security Architectures and Models (page 202). Also check out: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter 5: Security Models and Architecture (page 242, 243).

QUESTION 148 Which security model uses division of operations into different parts and requires different users to perform each part? A. Bell-LaPadula model B. Biba model C. Clark-Wilson model D. Non-interference model

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: The Clark-Wilson model uses separation of duties, which divides an operation into different parts and requires different users to perform each part. This prevents authorized users from making unauthorized modifications to data, thereby protecting its integrity. The Clark-Wilson integrity model provides a foundation for specifying and analyzing an integrity policy for a computing system. The model is primarily concerned with formalizing the notion of information integrity. Information integrity is maintained by preventing corruption of data items in a system due to either error or malicious intent. An integrity policy describes how the data items in the system should be kept valid from one state of the system to the next and specifies the capabilities of various principals in the system. The model defines enforcement rules and certification rules. The model's enforcement and certification rules define data items and processes that provide the basis for an integrity policy. The core of the model is based on the notion of a transaction. A well-formed transaction is a series of operations that transition a system from one consistent state to another consistent state. In this model the integrity policy addresses the integrity of the transactions. The principle of separation of duty requires that the certifier of a transaction and the implementer be different entities. The model contains a number of basic constructs that represent both data items and processes that operate on those data items. The key data type in the Clark- Wilson model is a Constrained Data Item (CDI). An Integrity Verification Procedure (IVP) ensures that all CDIs in the system are valid at a certain state. Transactions that enforce the integrity policy are represented by Transformation Procedures (TPs). A TP takes as input a CDI or Unconstrained Data Item (UDI) and produces a CDI. A TP must transition the system from one valid state to another valid state. UDIs represent system input (such as that provided by a user or adversary). A TP must guarantee (via certification) that it transforms all possible values of a UDI to a "safe" CDI. In general, preservation of data integrity has three goals: Prevent data modification by unauthorized parties Prevent unauthorized data modification by authorized parties Maintain internal and external consistency (i.e. data reflects the real world) Clark-Wilson addresses all three rules but BIBA addresses only the first rule of intergrity. References: HARRIS, Shon, All-In-One CISSP Certification Fifth Edition, McGraw-Hill/Osborne, Chapter 5: Security Architecture and Design (Page 341-344). and http://en.wikipedia.org/wiki/Clark-Wilson_model

QUESTION 116 What is the primary goal of setting up a honey pot? A. To lure hackers into attacking unused systems B. To entrap and track down possible hackers C. To set up a sacrificial lamb on the network D. To know when certain types of attacks are in progress and to learn about attack techniques so the network can be fortified.

Correct Answer: D Section: Identity and Access Management Explanation Explanation/Reference: The primary purpose of a honeypot is to study the attack methods of an attacker for the purposes of understanding their methods and improving defenses. "To lure hackers into attacking unused systems" is incorrect. Honeypots can serve as decoys but their primary purpose is to study the behaviors of attackers. "To entrap and track down possible hackers" is incorrect. There are a host of legal issues around enticement vs entrapment but a good general rule is that entrapment is generally prohibited and evidence gathered in a scenario that could be considered as "entrapping" an attacker would not be admissible in a court of law. "To set up a sacrificial lamb on the network" is incorrect. While a honeypot is a sort of sacrificial lamb and may attract attacks that might have been directed against production systems, its real purpose is to study the methods of attackers with the goals of better understanding and improving network defenses. References: AIO3, p. 213

QUESTION 106 Which of the following is NOT part of the Kerberos authentication protocol? A. Symmetric key cryptography B. Authentication service (AS) C. Principals D. Public Key

Correct Answer: D Section: Identity and Access Management Explanation Explanation/Reference: There is no such component within kerberos environment. Kerberos uses only symmetric encryption and does not make use of any public key component. The other answers are incorrect because : Symmetric key cryptography is a part of Kerberos as the KDC holds all the users' and services' secret keys. Authentication service (AS) : KDC (Key Distribution Center) provides an authentication service Principals : Key Distribution Center provides services to principals , which can be users , applications or network services. References : Shon Harris , AIO v3 , Chapter - 4: Access Control , Pages : 152-155

QUESTION 136 Which of the following access control models requires security clearance for subjects? A. Identity-based access control B. Role-based access control C. Discretionary access control D. Mandatory access control

Correct Answer: D Section: Identity and Access Management Explanation Explanation/Reference: With mandatory access control (MAC), the authorization of a subject's access to an object is dependant upon labels, which indicate the subject's clearance. Identity-based access control is a type of discretionary access control. A role-based access control is a type of non-discretionary access control. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2:Access control systems (page 33).

QUESTION 56 Which type of password provides maximum security because a new password is required for each new log-on? A. One-time or dynamic password B. Congnitive password C. Static password D. Passphrase

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: "One-time password" provides maximum security because a new password is required for each new log-on. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36

QUESTION 15 What is the main concern with single sign-on? A. Maximum unauthorized access would be possible if a password is disclosed. B. The security administrator's workload would increase. C. The users' password would be too hard to remember. D. User access rights would be increased.

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: A major concern with Single Sign-On (SSO) is that if a user's ID and password are compromised, the intruder would have access to all the systems that the user was authorized for. The following answers are incorrect: The security administrator's workload would increase. Is incorrect because the security administrator's workload would decrease and not increase. The admin would not be responsible for maintaining multiple user accounts just the one. The users' password would be too hard to remember. Is incorrect because the users would have less passwords to remember. User access rights would be increased. Is incorrect because the user access rights would not be any different than if they had to log into systems manually.

QUESTION 53 What is called the verification that the user's claimed identity is valid and is usually implemented through a user password at log-on time? A. Authentication B. Identification C. Integrity D. Confidentiality

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: Authentication is verification that the user's claimed identity is valid and is usually implemented through a user password at log-on time. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36

QUESTION 35 To control access by a subject (an active entity such as individual or process) to an object (a passive entity such as a file) involves setting up: A. Access Rules B. Access Matrix C. Identification controls D. Access terminal

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: Controlling access by a subject (an active entity such as individual or process) to an object (a passive entity such as a file) involves setting up access rules. These rules can be classified into three access control models: Mandatory, Discretionary, and Non-Discretionary. An access matrix is one of the means used to implement access control. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33 Answer:

QUESTION 34 Controlling access to information systems and associated networks is necessary for the preservation of their: A. Authenticity, confidentiality and availability B. Confidentiality, integrity, and availability. C. integrity and availability. D. authenticity,confidentiality, integrity and availability.

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Controlling access to information systems and associated networks is necessary for the preservation of their confidentiality, integrity and availability. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 31

QUESTION 49 What is called the act of a user professing an identity to a system, usually in the form of a log-on ID? A. Authentication B. Identification C. Authorization D. Confidentiality

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Identification is the act of a user professing an identity to a system, usually in the form of a log- on ID to the system. Identification is nothing more than claiming you are somebody. You identify yourself when you speak to someone on the phone that you don't know, and they ask you who they're speaking to. When you say, "I'm Jason.", you've just identified yourself. In the information security world, this is analogous to entering a username. It's not analogous to entering a password. Entering a password is a method for verifying that you are who you identified yourself as. NOTE: The word "professing" used above means: "to say that you are, do, or feel something when other people doubt what you say". This is exactly what happen when you provide your identifier (identification), you claim to be someone but the system cannot take your word for it, you must further Authenticate to the system to prove who you claim to be. The following are incorrect answers: Authentication: is how one proves that they are who they say they are. When you claim to be Jane Smith by logging into a computer system as "jsmith", it's most likely going to ask you for a password. You've claimed to be that person by entering the name into the username field (that's the identification part), but now you have to prove that you are really that person.Many systems use a password for this, which is based on "something you know", i.e. a secret between you and the system. Another form of authentication is presenting something you have, such as a driver's license, an RSA token, or a smart card. You can also authenticate via something you are. This is the foundation for biometrics. When you do this, you first identify yourself and then submit a thumb print, a retina scan, or another form of bio-based authentication. Once you've successfully authenticated, you have now done two things: you've claimed to be someone, and you've proven that you are that person. The only thing that's left is for the system to determine what you're allowed to do. Authorization: is what takes place after a person has been both identified and authenticated; it's the step determines what a person can then do on the system. An example in people terms would be someone knocking on your door at night. You say, "Who is it?", and wait for a response. They say, "It's John." in order to identify themselves. You ask them to back up into the light so you can see them through the peephole. They do so, and you authenticate them based on what they look like (biometric). At that point you decide they can come inside the house. If they had said they were someone you didn't want in your house (identification), and you then verified that it was that person (authentication), the authorization phase would not include access to the inside of the house. Confidentiality: Is one part of the CIA triad. It prevents sensitive information from reaching the wrong people, while making sure that the right people can in fact get it. A good example is a credit card number while shopping online, the merchant needs it to clear the transaction but you do not want your information exposed over the network, you would use a secure link such as SSL, TLS, or some tunneling tool to protect the information from prying eyes between point A and point B. Data encryption is a common method of ensuring confidentiality. The other parts of the CIA triad are listed below: Integrity involves maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle. Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered by unauthorized people (for example, in a breach of confidentiality). In addition, some means must be in place to detect any changes in data that might occur as a result of non-human-caused events such as an electromagnetic pulse (EMP) or server crash. If an unexpected change occurs, a backup copy must be available to restore the affected data to its correct state. Availability is best ensured by rigorously maintaining all hardware, performing hardware repairs immediately when needed, providing a certain measure of redundancy and failover, providing adequate communications bandwidth and preventing the occurrence of bottlenecks, implementing emergency backup power systems, keeping current with all necessary system upgrades, and guarding against malicious actions such as denial-of-service (DoS) attacks. Reference used for this question: http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA http://www.danielmiessler.com/blog/security-identification-authentication-and-authorization http://www.merriam-webster.com/dictionary/profess KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36

QUESTION 68 Which of the following offers advantages such as the ability to use stronger passwords, easier password administration, one set of credential, and faster resource access? A. Smart cards B. Single Sign-On (SSO) C. Symmetric Ciphers D. Public Key Infrastructure (PKI)

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: The advantages of SSO include having the ability to use stronger passwords, easier administration as far as changing or deleting the passwords, minimize the risks of orphan accounts, and requiring less time to access resources. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 39

QUESTION 45 The control measures that are intended to reveal the violations of security policy using software and hardware are associated with: A. Preventive/physical B. Detective/technical C. Detective/physical D. Detective/administrative

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: The detective/technical control measures are intended to reveal the violations of security policy using technical means. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 35

QUESTION 32 In biometric identification systems, at the beginning, it was soon apparent that truly positive identification could only be based on physical attributes of a person. This raised the necessity of answering 2 questions : A. what was the sex of a person and his age B. what part of body to be used and how to accomplish identification that is viable C. what was the age of a person and his income level D. what was the tone of the voice of a person and his habits

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Today implementation of fast, accurate reliable and user-acceptable biometric identification systems is already taking place. Unique physical attributes or behavior of a person are used for that purpose. From: TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 1, Page 7

QUESTION 94 Which of the following pairings uses technology to enforce access control policies? A. Preventive/Administrative B. Preventive/Technical C. Preventive/Physical D. Detective/Administrative

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: The preventive/technical pairing uses technology to enforce access control policies. TECHNICAL CONTROLS Technical security involves the use of safeguards incorporated in computer hardware, operations or applications software, communications hardware and software, and related devices. Technical controls are sometimes referred to as logical controls. Preventive Technical Controls Preventive technical controls are used to prevent unauthorized personnel or programs from gaining remote access to computing resources. Examples of these controls include: Access control software. Antivirus software. Library control systems. Passwords. Smart cards. Encryption. Dial-up access control and callback systems. Preventive Physical Controls Preventive physical controls are employed to prevent unauthorized personnel from entering computing facilities (i.e., locations housing computing resources, supporting utilities, computer hard copy, and input data media) and to help protect against natural disasters. Examples of these controls include: Backup files and documentation. Fences.Security guards. Badge systems. Double door systems. Locks and keys. Backup power. Biometric access controls. Site selection. Fire extinguishers. Preventive Administrative Controls Preventive administrative controls are personnel-oriented techniques for controlling people's behavior to ensure the confidentiality, integrity, and availability of computing data and programs. Examples of preventive administrative controls include: Security awareness and technical training. Separation of duties. Procedures for recruiting and terminating employees. Security policies and procedures. Supervision. Disaster recovery, contingency, and emergency plans. User registration for computer access. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 34

QUESTION 25 There are parallels between the trust models in Kerberos and Public Key Infrastructure (PKI). When we compare them side by side, Kerberos tickets correspond most closely to which of the following? A. public keys B. private keys C. public-key certificates D. private-key certificates

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: A Kerberos ticket is issued by a trusted third party. It is an encrypted data structure that includes the service encryption key. In that sense it is similar to a public-key certificate. However, the ticket is not the key. The following answers are incorrect: public keys. Kerberos tickets are not shared out publicly, so they are not like a PKI public key. private keys. Although a Kerberos ticket is not shared publicly, it is not a private key. Private keys are associated with Asymmetric crypto system which is not used by Kerberos. Kerberos uses only the Symmetric crypto system. private key certificates. This is a detractor. There is no such thing as a private key certificate.

QUESTION 16 Who developed one of the first mathematical models of a multilevel-security computer system? A. Diffie and Hellman. B. Clark and Wilson. C. Bell and LaPadula. D. Gasser and Lipner.

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: In 1973 Bell and LaPadula created the first mathematical model of a multi-level security system. The following answers are incorrect: Diffie and Hellman. This is incorrect because Diffie and Hellman was involved with cryptography. Clark and Wilson. This is incorrect because Bell and LaPadula was the first model. The Clark- Wilson model came later, 1987 Gasser and Lipner. This is incorrect, it is a distractor. Bell and LaPadula was the first model

QUESTION 36 Rule-Based Access Control (RuBAC) access is determined by rules. Such rules would fit within what category of access control? A. Discretionary Access Control (DAC) B. Mandatory Access control (MAC) C. Non-Discretionary Access Control (NDAC) D. Lattice-based Access control

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: Rule-based access control is a type of non-discretionary access control because this access is determined by rules and the subject does not decide what those rules will be, the rules are uniformly applied to ALL of the users or subjects. In general, all access control policies other than DAC are grouped in the category of non- discretionary access control (NDAC). As the name implies, policies in this category have rules that are not established at the discretion of the user. Non-discretionary policies establish controls that cannot be changed by users, but only through administrative action. Both Role Based Access Control (RBAC) and Rule Based Access Control (RuBAC) fall within Non Discretionary Access Control (NDAC). If it is not DAC or MAC then it is most likely NDAC. IT IS NOT ALWAYS BLACK OR WHITE The different access control models are not totally exclusive of each others. MAC is making use of Rules to be implemented. However with MAC you have requirements above and beyond having simple access rules. The subject would get formal approval from management, the subject must have the proper security clearance, objects must have labels/sensitivity levels attached to them, subjects must have the proper security clearance. If all of this is in place then you have MAC. BELOW YOU HAVE A DESCRIPTION OF THE DIFFERENT CATEGORIES: MAC = Mandatory Access Control Under a mandatory access control environment, the system or security administrator will define what permissions subjects have on objects. The administrator does not dictate user's access but simply configure the proper level of access as dictated by the Data Owner. The MAC system will look at the Security Clearance of the subject and compare it with the object sensitivity level or classification level. This is what is called the dominance relationship. The subject must DOMINATE the object sensitivity level. Which means that the subject must have a security clearance equal or higher than the object he is attempting to access. MAC also introduce the concept of labels. Every objects will have a label attached to them indicating the classification of the object as well as categories that are used to impose the need to know (NTK) principle. Even thou a user has a security clearance of Secret it does not mean he would be able to access any Secret documents within the system. He would be allowed to access only Secret document for which he has a Need To Know, formal approval, and object where the user belong to one of the categories attached to the object.If there is no clearance and no labels then IT IS NOT Mandatory Access Control. Many of the other models can mimic MAC but none of them have labels and a dominance relationship so they are NOT in the MAC category. NISTR-7316 Says: Usually a labeling mechanism and a set of interfaces are used to determine access based on the MAC policy; for example, a user who is running a process at the Secret classification should not be allowed to read a file with a label of Top Secret. This is known as the "simple security rule," or "no read up." Conversely, a user who is running a process with a label of Secret should not be allowed to write to a file with a label of Confidential. This rule is called the "*-property" (pronounced "star property") or "no write down." The *-property is required to maintain system security in an automated environment. A variation on this rule called the "strict *- property" requires that information can be written at, but not above, the subject's clearance level. Multilevel security models such as the Bell-La Padula Confidentiality and Biba Integrity models are used to formally specify this kind of MAC policy. DAC = Discretionary Access Control DAC is also known as: Identity Based access control system. The owner of an object is define as the person who created the object. As such the owner has the discretion to grant access to other users on the network. Access will be granted based solely on the identity of those users. Such system is good for low level of security. One of the major problem is the fact that a user who has access to someone's else file can further share the file with other users without the knowledge or permission of the owner of the file. Very quickly this could become the wild west as there is no control on the dissemination of the information. RBAC = Role Based Access Control RBAC is a form of Non-Discretionary access control. Role Based access control usually maps directly with the different types of jobs performed by employees within a company. For example there might be 5 security administrator within your company. Instead of creating each of their profile one by one, you would simply create a role and assign the administrators to the role. Once an administrator has been assigned to a role, he will IMPLICITLY inherit the permissions of that role. RBAC is great tool for environment where there is a a large rotation of employees on a daily basis such as a very large help desk for example. RBAC or RuBAC = Rule Based Access Control RuBAC is a form of Non-Discretionary access control. A good example of a Rule Based access control device would be a Firewall. A single set of rules is imposed to all users attempting to connect through the firewall. NOTE FROM CLEMENT: Lot of people tend to confuse MAC and Rule Based Access Control. Mandatory Access Control must make use of LABELS. If there is only rules and no label, it cannot be Mandatory Access Control. This is why they call it Non Discretionary Access control (NDAC). There are even books out there that are WRONG on this subject. Books are sometimes opiniated and not strictly based on facts. In MAC subjects must have clearance to access sensitive objects. Objects have labels that contain the classification to indicate the sensitivity of the object and the label also has categories to enforce the need to know. Today the best example of rule based access control would be a firewall. All rules are imposed globally to any user attempting to connect through the device. This is NOT the case with MAC. I strongly recommend you read carefully the following document: NISTIR-7316 at http://csrc.nist.gov/publications/nistir/7316/NISTIR-7316pdf It is one of the best Access Control Study document to prepare for the exam. Usually I tell people not to worry about the hundreds of NIST documents and other reference. This document is an exception. Take some time to read it. Reference(s) used for this question: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33 And NISTIR-7316 at http://csrc.nist.gov/publications/nistir/7316/NISTIR-7316pdf And Conrad, Eric; Misenar, Seth; Feldman, Joshua (2012-09-01). CISSP Study Guide (Kindle Locations 651-652). Elsevier Science (reference). Kindle Edition.

QUESTION 63 Which of the following is true of biometrics? A. It is used for identification in physical controls and it is not used in logical controls. B. It is used for authentication in physical controls and for identification in logical controls. C. It is used for identification in physical controls and for authentication in logical controls. D. Biometrics has not role in logical controls.

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: When used in physical control biometric Identification is performed by doing a one to many match. When you submit your biometric template a search is done through a database of templates until the matching one is found. At that point your identity is revealed and if you are a valid employee access is granted. When used in logical controls the biometric template is used to either confirm or deny someone identity. For example if I access a system and I pretend to be user Nathalie then I would provide my biometric template to confirm that I really am who I pretend to be. Biometric is one of the three authentication factor (somethin you are) that can be use. The other two are something you know and something you have. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 38

QUESTION 66 What is called the percentage at which the False Rejection Rate equals the False Acceptance Rate? A. False Rejection Rate (FRR) or Type I Error B. False Acceptance Rate (FAR) or Type II Error C. Crossover Error Rate (CER) D. Failure to enroll rate (FTE or FER)

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: The percentage at which the False Rejection Rate equals the False Acceptance Rate is called the Crossover Error Rate (CER). Another name for the CER is the Equal Error Rate (EER), any of the two terms could be used.Equal error rate or crossover error rate (EER or CER) It is the rate at which both accept and reject errors are equal. The EER is a quick way to compare the accuracy of devices with different ROC curves. In general, the device with the lowest EER is most accurate. The other choices were all wrong answers: The following are used as performance metrics for biometric systems: False accept rate or false match rate (FAR or FMR): the probability that the system incorrectly matches the input pattern to a non-matching template in the database. It measures the percent of invalid inputs which are incorrectly accepted. This is when an impostor would be accepted by the system false reject rate or false non-match rate (FRR or FNMR): the probability that the system fails to detect a match between the input pattern and a matching template in the database. It measures the percent of valid inputs which are incorrectly rejected. This is when a valid company employee would be rejected by the system Failure to enroll rate (FTE or FER): the rate at which attempts to create a template from an input is unsuccessful. This is most commonly caused by low quality inputs. Reference(s) used for this question: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 38 And https://en.wikipedia.org/wiki/Biometrics

QUESTION 47 External consistency ensures that the data stored in the database is: A. in-consistent with the real world. B. remains consistant when sent from one system to another. C. consistent with the logical world. D. consistent with the real world.

Correct Answer: D Section: Identity and Access Management Explanation Explanation/Reference: External consistency ensures that the data stored in the database is consistent with the real world. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, page 33

QUESTION 112 What can be defined as a list of subjects along with their access rights that are authorized to access a specific object? A. A capability table B. An access control list C. An access control matrix D. A role-based matrixCorrect

Answer: B Section: Identity and Access Management Explanation Explanation/Reference: "It [ACL] specifies a list of users [subjects] who are allowed access to each object" CBK, p. 188 A capability table is incorrect. "Capability tables are used to track, manage and apply controls based on the object and rights, or capabilities of a subject. For example, a table identifies the object, specifies access rights allowed for a subject, and permits access based on the user's posession of a capability (or ticket) for the object." CBK, pp. 191-192 The distinction that makes this an incorrect choice is that access is based on posession of a capability by the subject. To put it another way, as noted in AIO3 on p. 169, "A capabiltiy table is different from an ACL because the subject is bound to the capability table, whereas the object is bound to the ACL." An access control matrix is incorrect. The access control matrix is a way of describing the rules for an access control strategy. The matrix lists the users, groups and roles down the left side and the resources and functions across the top. The cells of the matrix can either indicate that access is allowed or indicate the type of access. CBK pp 317 - 318 AIO3, p. 169 describes it as a table if subjects and objects specifying the access rights a certain subject possesses pertaining to specific objects. In either case, the matrix is a way of analyzing the access control needed by a population of subjects to a population of objects. This access control can be applied using rules, ACL's, capability tables, etc. A role-based matrix is incorrect. Again, a matrix of roles vs objects could be used as a tool for thinking about the access control to be applied to a set of objects. The results of the analysis could then be implemented using RBAC. References: CBK, Domain 2: Access Control. AIO3, Chapter 4: Access Control

QUESTION 99 When a biometric system is used, which error type deals with the possibility of GRANTING access to impostors who should be REJECTED? A. Type I error B. Type II error C. Type III error D. Crossover error

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: When the biometric system accepts impostors who should have been rejected , it is called a Type II error or False Acceptance Rate or False Accept Rate. Biometrics verifies an individual's identity by analyzing a unique personal attribute or behavior, which is one of the most effective and accurate methods of verifying identification. Biometrics is a very sophisticated technology; thus, it is much more expensive and complex than the other types of identity verification processes. A biometric system can make authentication decisions based on an individual's behavior, as in signature dynamics, but these can change over time and possibly be forged. Biometric systems that base authentication decisions on physical attributes (iris, retina, fingerprint) provide more accuracy, because physical attributes typically don't change much, absent some disfiguring injury, and are harder to impersonate. When a biometric system rejects an authorized individual, it is called a Type I error (False Rejection Rate (FRR) or False Reject Rate (FRR)). When the system accepts impostors who should be rejected, it is called a Type II error (False Acceptance Rate (FAR) or False Accept Rate (FAR)). Type II errors are the most dangerous and thus the most important to avoid. The goal is to obtain low numbers for each type of error, but When comparing different biometric systems, many different variables are used, but one of the most important metrics is the crossover error rate (CER). The accuracy of any biometric method is measured in terms of Failed Acceptance Rate (FAR) and Failed Rejection Rate (FRR). Both are expressed as percentages. The FAR is the rate at which attempts by unauthorized users are incorrectly accepted as valid. The FRR is just the opposite. It measures the rate at which authorized users are denied access. The relationship between FRR (Type I) and FAR (Type II) is depicted in the graphic below . As one rate increases, the other decreases. The Cross-over Error Rate (CER) is sometimes considered a good indicator of the overall accuracy of a biometric system. This is the point at which the FRR and the FAR have the same value. Solutions with a lower CER are typically more accurate. See graphic below from Biometria showing this relationship. The Cross-over Error Rate (CER) is also called the Equal Error Rate (EER), the two are synonymous. Cross Over Error Rate The other answers are incorrect: Type I error is also called as False Rejection Rate where a valid user is rejected by the system. Type III error : there is no such error type in biometric system. Crossover error rate stated in percentage , represents the point at which false rejection equals the false acceptance rate.Reference(s) used for this question: http://www.biometria.sk/en/principles-of-biometrics.html and Shon Harris, CISSP All In One (AIO), 6th Edition , Chapter 3, Access Control, Page 188-189 and Tech Republic, Reduce Multi_Factor Authentication Cost

QUESTION 82 Which of the following monitors network traffic in real time? A. network-based IDS B. host-based IDS C. application-based IDS D. firewall-based IDS

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: This type of IDS is called a network-based IDS because monitors network traffic in real time. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 48

QUESTION 86 Which of the following reviews system and event logs to detect attacks on the host and determine if the attack was successful? A. host-based IDS B. firewall-based IDS C. bastion-based IDS D. server-based IDS

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: A host-based IDS can review the system and event logs in order to detect an attack on the host and to determine if the attack was successful. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 48

QUESTION 7 A confidential number used as an authentication factor to verify a user's identity is called a: A. PIN B. User ID C. Password D. Challenge

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: PIN Stands for Personal Identification Number, as the name states it is a combination of numbers. The following answers are incorrect: User ID This is incorrect because a Userid is not required to be a number and a Userid is only used to establish identity not verify it. Password. This is incorrect because a password is not required to be a number, it could be any combination of characters. Challenge. This is incorrect because a challenge is not defined as a number, it could be anything.

QUESTION 83 A host-based IDS is resident on which of the following? A. On each of the critical hosts B. decentralized hosts C. central hosts D. bastion hosts

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: A host-based IDS is resident on a host and reviews the system and event logs in order to detect an attack on the host and to determine if the attack was successful. All critical serves should have a Host Based Intrusion Detection System (HIDS) installed. As you are well aware, network based IDS cannot make sense or detect pattern of attacks within encrypted traffic. A HIDS might be able to detect such attack after the traffic has been decrypted on the host. This is why critical servers should have both NIDS and HIDS. FROM WIKIPEDIA: A HIDS will monitor all or part of the dynamic behavior and of the state of a computer system. Much as a NIDS will dynamically inspect network packets, a HIDS might detect which program accesses what resources and assure that (say) a word-processor hasn\'t suddenly and inexplicably started modifying the system password-database. Similarly a HIDS might look at the state of a system, its stored information, whether in RAM, in the file-system, or elsewhere; and check that the contents of these appear as expected. One can think of a HIDS as an agent that monitors whether anything/anyone - internal or external - has circumvented the security policy that the operating system tries to enforce. http://en.wikipedia.org/wiki/Host-based_intrusion_detection_system

QUESTION 84 Which of the following usually provides reliable, real-time information without consuming network or host resources? A. network-based IDS B. host-based IDS C. application-based IDS D. firewall-based IDS

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: A network-based IDS usually provides reliable, real-time information without consuming network or host resources. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 48

QUESTION 58 What is called a sequence of characters that is usually longer than the allotted number for a password? A. passphrase B.cognitive phrase C. anticipated phrase D. Real phrase

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: A passphrase is a sequence of characters that is usually longer than the allotted number for a password. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, page 37

QUESTION 81 Which of the following is used to monitor network traffic or to monitor host audit logs in real time to determine violations of system security policy that have taken place? A. Intrusion Detection System B. Compliance Validation System C. Intrusion Management System (IMS) D. Compliance Monitoring System

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: An Intrusion Detection System (IDS) is a system that is used to monitor network traffic or to monitor host audit logs in order to determine if any violations of an organization's system security policy have taken place. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 48

QUESTION 37 The type of discretionary access control (DAC) that is based on an individual's identity is also called: A. Identity-based Access control B. Rule-based Access control C. Non-Discretionary Access Control D. Lattice-based Access control

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: An identity-based access control is a type of Discretionary Access Control (DAC) that is based on an individual's identity. DAC is good for low level security environment. The owner of the file decides who has access to the file. If a user creates a file, he is the owner of that file. An identifier for this user is placed in the file header and/or in an access control matrix within the operating system. Ownership might also be granted to a specific individual. For example, a manager for a certain department might be made the owner of the files and resources within her department. A system that uses discretionary access control (DAC) enables the owner of the resource to specify which subjects can access specific resources. This model is called discretionary because the control of access is based on the discretion of the owner. Many times department managers, or business unitmanagers , are the owners of the data within their specific department. Being the owner, they can specify who should have access and who should not. Reference(s) used for this question: Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 220). McGraw-Hill . Kindle Edition.

QUESTION 43 What are called user interfaces that limit the functions that can be selected by a user? A. Constrained user interfaces B. Limited user interfaces C. Mini user interfaces D. Unlimited user interfaces

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: Another method for controlling access is by restricting users to specific functions based on their role in the system. This is typically implemented by limiting available menus, data views, encryption, or by physically constraining the user interfaces. This is common on devices such as an automated teller machine (ATM). The advantage of a constrained user interface is that it limits potential avenues of attack and system failure by restricting the processing options that are available to the user. On an ATM machine, if a user does not have a checking account with the bank he or she will not be shown the "Withdraw money from checking" option. Likewise, an information system might have an "Add/Remove Users" menu option for administrators, but if a normal, non- administrative user logs in he or she will not even see that menu option. By not even identifying potential options for non-qualifying users, the system limits the potentially harmful execution of unauthorized system or application commands. Many database management systems have the concept of "views." A database view is an extract of the data stored in the database that is filtered based on predefined user or system criteria. This permits multiple users to access the same database while only having the ability to access data they need (or are allowed to have) and not data for another user. The use of database views is another example of a constrained user interface. The following were incorrect answers: All of the other choices presented were bogus answers. The following reference(s) were used for this question: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 1989-2002). Auerbach Publications. Kindle Edition.

QUESTION 27 Which of the following was developed to address some of the weaknesses in Kerberos and uses public key cryptography for the distribution of secret keys and provides additional access control support? A. SESAME B. RADIUS C. KryptoKnight D. TACACS+

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: Secure European System for Applications in a Multi-vendor Environment (SESAME) was developed to address some of the weaknesses in Kerberos and uses public key cryptography for the distribution of secret keys and provides additional access control support. Reference: TIPTON, Harold, Official (ISC)2 Guide to the CISSP CBK (2007), page 184 ISC OIG Second Edition, Access Controls, Page 111

QUESTION 11 Which one of the following authentication mechanisms creates a problem for mobile users? A. Mechanisms based on IP addresses B. Mechanism with reusable passwords C. One-time password mechanism. D. Challenge response mechanism.

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: Anything based on a fixed IP address would be a problem for mobile users because their location and its associated IP address can change from one time to the next. Many providers will assign a new IP every time the device would be restarted. For example an insurance adjuster using a laptop to file claims online. He goes to a different client each time and the address changes every time he connects to the ISP. NOTE FROM CLEMENT: The term MOBILE in this case is synonymous with Road Warriors where a user is constantly traveling and changing location. With smartphone today that may not be an issue but it would be an issue for laptops or WIFI tablets. Within a carrier network the IP will tend to be the same and would change rarely. So this question is more applicable to devices that are not cellular devices but in some cases this issue could affect cellular devices as well. The following answers are incorrect: Mechanism with reusable password. This is incorrect because reusable password mechanism would not present a problem for mobile users. They are the least secure and change only at specific interval one-time password mechanism. This is incorrect because a one-time password mechanism would not present a problem for mobile users. Many are based on a clock and not on the IP address of the user Challenge response mechanism. This is incorrect because challenge response mechanism would not present a problem for mobile users.

QUESTION 93 Which of the following is most appropriate to notify an external user that session monitoring is being conducted? A. Logon Banners B. Wall poster C. Employee Handbook D. Written agreement

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: Banners at the log-on time should be used to notify external users of any monitoring that is being conducted. A good banner will give you a better legal stand and also makes it obvious the user was warned about who should access the system and if it is an unauthorized user then he is fully aware of trespassing. This is a tricky question, the keyword in the question is External user. There are two possible answers based on how the question is presented, this question could either apply to internal users or ANY anonymous user. Internal users should always have a written agreement first, then logon banners serve as a constant reminder. Anonymous users, such as those logging into a web site, ftp server or even a mail server; their only notification system is the use of a logon banner. References used for this question: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 50 and Shon Harris, CISSP All-in-one, 5th edition, pg 873

QUESTION 85 The fact that a network-based IDS reviews packets payload and headers enable which of the following? A. Detection of denial of service B. Detection of all viruses C. Detection of data corruption D. Detection of all password guessing attacks

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: Because a network-based IDS reviews packets and headers, denial of service attacks can also be detected. This question is an easy question if you go through the process of elimination. When you see an answer containing the keyword: ALL It is something a give away that it is not the proper answer. On the real exam you may encounter a few question where the use of the work ALL renders the choice invalid. Pay close attention to such keyword. The following are incorrect answers: Even though most IDSs can detect some viruses and some password guessing attacks, they cannot detect ALL viruses or ALL password guessing attacks. Therefore these two answers are only detractors. Unless the IDS knows the valid values for a certain dataset, it can NOT detect data corruption. Reference used for this question: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 48

QUESTION 77 Which of the following protects a password from eavesdroppers and supports the encryption of communication? A. Challenge Handshake Authentication Protocol (CHAP) B. Challenge Handshake Identification Protocol (CHIP) C. Challenge Handshake Encryption Protocol (CHEP) D. Challenge Handshake Substitution Protocol (CHSP)

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: CHAP: A protocol that uses a three way hanbdshake The server sends the client a challenge which includes a random value(a nonce) to thwart replay attacks. The client responds with the MD5 hash of the nonce and the password. The authentication is successful if the client's response is the one that the server expected. Reference: Page 450, OIG 2007 CHAP protects the password from eavesdroppers and supports the encryption of communication. Reference: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 44

QUESTION 4 Which of the following is needed for System Accountability? A. Audit mechanisms. B. Documented design as laid out in the Common Criteria. C. Authorization. D. Formal verification of system design.

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: Is a means of being able to track user actions. Through the use of audit logs and other tools the user actions are recorded and can be used at a later date to verify what actions were performed. Accountability is the ability to identify users and to be able to track user actions. The following answers are incorrect: Documented design as laid out in the Common Criteria. Is incorrect because the Common Criteria is an international standard to evaluate trust and would not be a factor in System Accountability. Authorization. Is incorrect because Authorization is granting access to subjects, just because you have authorization does not hold the subject accountable for their actions. Formal verification of system design. Is incorrect because all you have done is to verify the system design and have not taken any steps toward system accountability. References: OIG CBK Glossary (page 778)

QUESTION 73 Which of the following is addressed by Kerberos? A. Confidentiality and Integrity B. Authentication and Availability C. Validation and Integrity D. Auditability and Integrity

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: Kerberos addresses the confidentiality and integrity of information. It also addresses primarily authentication but does not directly address availability. Reference(s) used for this question: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 42 and https://www.ietf.org/rfc/rfc4120txt and http://learn-networking.com/network-security/how-kerberos-authentication-works

QUESTION 69 Which of the following describes the major disadvantage of many Single Sign-On (SSO) implementations? A. Once an individual obtains access to the system through the initial log-on, they have access to all resources within the environment that the account has access to. B. The initial logon process is cumbersome to discourage potential intruders. C. Once a user obtains access to the system through the initial log-on, they only need to logon to some applications. D. Once a user obtains access to the system through the initial log-on, he has to logout from all other systems

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: Single Sign-On is a distrubuted Access Control methodology where an individual only has to authenticate once and would have access to all primary and secondary network domains. The individual would not be required to re-authenticate when they needed additional resources. The security issue that this creates is if a fraudster is able to compromise those credential they too would have access to all the resources that account has access to. All the other answers are incorrect as they are distractors.

QUESTION 88 Attributes that characterize an attack are stored for reference using which of the following Intrusion Detection System (IDS)? A. signature-based IDS B. statistical anomaly-based IDS C. event-based IDS D. inferent-based IDS

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 49

QUESTION 20 The Computer Security Policy Model the Orange Book is based on is which of the following? A. Bell-LaPadula B Data Encryption Standard. C. Kerberos D. Tempest

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: The Computer Security Policy Model Orange Book is based is the Bell-LaPadula Model. Orange Book Glossary. The Data Encryption Standard (DES) is a cryptographic algorithm. National Information Security Glossary. TEMPEST is related to limiting the electromagnetic emanations from electronic equipment. Reference: U.S. Department of Defense, Trusted Computer System Evaluation Criteria (Orange Book), DOD 520028-STD. December 1985 (also available here).

QUESTION 80 Which of the following is used to create and modify the structure of your tables and other objects in the database? A. SQL Data Definition Language (DDL) B. SQL Data Manipulation Language (DML) C. SQL Data Relational Language (DRL) D. SQL Data Identification Language (DIL)

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: The SQL Data Definition Language (DDL) is used to create, modify, and delete views and relations (tables). Data Definition Language The Data Definition Language (DDL) is used to create and destroy databases and database objects. These commands will primarily be used by database administrators during the setup and removal phases of a database project. Let's take a look at the structure and usage of four basic DDL commands: CREATE Installing a database management system (DBMS) on a computer allows you to create and manage many independent databases. For example, you may want to maintain a database of customer contacts for your sales department and a personnel database for your HR department.The CREATE command can be used to establish each of these databases on your platform. For example, the command: CREATE DATABASE employees creates an empty database named "employees" on your DBMS. After creating the database, your next step is to create tables that will contain data. (If this doesn't make sense, you might want to read the article Microsoft Access Fundamentals for an overview of tables and databases.) Another variant of the CREATE command can be used for this purpose. The command: CREATE TABLE personal_info (first_name char(20) not null, last_name char(20) not null, employee_id int not null) establishes a table titled "personal_info" in the current database. In our example, the table contains three attributes: first_name, last_name and employee_id. Don't worry about the other information included in the command -- we'll cover that in a future article. USE The USE command allows you to specify the database you wish to work with within your DBMS. For example, if we're currently working in the sales database and want to issue some commands that will affect the employees database, we would preface them with the following SQL command: USE employees It's important to always be conscious of the database you are working in before issuing SQL commands that manipulate data. ALTER Once you've created a table within a database, you may wish to modify the definition of it. The ALTER command allows you to make changes to the structure of a table without deleting and recreating it. Take a look at the following command: ALTER TABLE personal_info ADD salary money null This example adds a new attribute to the personal_info table -- an employee's salary. The "money" argument specifies that an employee's salary will be stored using a dollars and cents format. Finally, the "null" keyword tells the database that it's OK for this field to contain no value for any given employee. DROP The final command of the Data Definition Language, DROP, allows us to remove entire database objects from our DBMS. For example, if we want to permanently remove the personal_info table that we created, we'd use the following command: DROP TABLE personal_info Similarly, the command below would be used to remove the entire employees database: DROP DATABASE employees Use this command with care! Remember that the DROP command removes entire data structures from your database. If you want to remove individual records, use the DELETE command of the Data Manipulation Language. That's the Data Definition Language in a nutshell. Data Manipulation Language The Data Manipulation Language (DML) is used to retrieve, insert and modify database information. These commands will be used by all database users during the routine operation of the database. Let's take a brief look at the basic DML commands: The Data Manipulation Language (DML) is used to retrieve, insert and modify database information. These commands will be used by all database users during the routine operation of the database. Let's take a brief look at the basic DML commands: INSERT The INSERT command in SQL is used to add records to an existing table. Returning to the personal_info example from the previous section, let's imagine that our HR department needs to add a new employee to their database. They could use a command similar to the one shown below: INSERT INTO personal_info values('bart','simpson',12345,$45000) Note that there are four values specified for the record. These correspond to the table attributes in the order they were defined: first_name, last_name, employee_id, and salary. SELECT The SELECT command is the most commonly used command in SQL. It allows database users to retrieve the specific information they desire from an operational database. Let's take a look at a few examples, again using the personal_info table from our employees database. The command shown below retrieves all of the information contained within the personal_info table. Note that the asterisk is used as a wildcard in SQL. This literally means "Select everything from the personal_info table." SELECT * FROM personal_info Alternatively, users may want to limit the attributes that are retrieved from the database. For example, the Human Resources department may require a list of the last names of all employees in the company. The following SQL command would retrieve only that information: SELECT last_name FROM personal_info Finally, the WHERE clause can be used to limit the records that are retrieved to those that meet specified criteria. The CEO might be interested in reviewing the personnel records of all highly paid employees. The following command retrieves all of the data contained within personal_info for records that have a salary value greater than $50,000: SELECT * FROM personal_info WHERE salary > $50000UPDATE The UPDATE command can be used to modify information contained within a table, either in bulk or individually. Each year, our company gives all employees a 3% cost-of-living increase in their salary. The following SQL command could be used to quickly apply this to all of the employees stored in the database: UPDATE personal_info SET salary = salary * 103 On the other hand, our new employee Bart Simpson has demonstrated performance above and beyond the call of duty. Management wishes to recognize his stellar accomplishments with a $5,000 raise. The WHERE clause could be used to single out Bart for this raise: UPDATE personal_info SET salary = salary + $5000 WHERE employee_id = 12345 DELETE Finally, let's take a look at the DELETE command. You'll find that the syntax of this command is similar to that of the other DML commands. Unfortunately, our latest corporate earnings report didn't quite meet expectations and poor Bart has been laid off. The DELETE command with a WHERE clause can be used to remove his record from the personal_info table: DELETE FROM personal_info WHERE employee_id = 12345 JOIN Statements Now that you've learned the basics of SQL, it's time to move on to one of the most powerful concepts the language has to offer the JOIN statement. Quite simply, these statements allow you to combine data in multiple tables to quickly and efficiently process large quantities of data. These statements are where the true power of a database resides. We'll first explore the use of a basic JOIN operation to combine data from two tables. In future installments, we'll explore the use of outer and inner joins to achieve added power. We'll continue with our example using the PERSONAL_INFO table, but first we'll need to add an additional table to the mix. Let's assume we have a table called DISCIPLINARY_ACTION that was created with the following statement: CREATE TABLE disciplinary_action (action_id int not null, employee_id int not null, comments char(500)) This table contains the results of disciplinary actions on company employees. You'll notice that it doesn't contain any information about the employee other than the employee number. It's then easy to imagine many scenarios where we might want to combine information from the DISCIPLINARY_ACTION and PERSONAL_INFO tables. Assume we've been tasked with creating a report that lists the disciplinary actions taken against all employees with a salary greater than $40,000 The use of a JOIN operation in this case is quite straightforward. We can retrieve this information using the following command: SELECT personal_info.first_name, personal_info.last_name, disciplinary_action.comments FROM personal_info, disciplinary_action WHERE personal_info.employee_id = disciplinary_action.employee_id AND personal_info.salary > 40000 As you can see, we simply specified the two tables that we wished to join in the FROM clause and then included a statement in the WHERE clause to limit the results to records that had matching employee IDs and met our criteria of a salary greater than $40,000 Another term you must be familiar with as a security mechanism in Databases is: VIEW What is a view? In database theory, a view is a virtual or logical table composed of the result set of a query. Unlike ordinary tables (base tables) in a relational database, a view is not part of the physical schema: it is a dynamic, virtual table computed or collated from data in the database. Changing the data in a table alters the data shown in the view. The result of a view is stored in a permanent table whereas the result of a query is displayed in a temporary table. Views can provide advantages over tables; They can subset the data contained in a table They can join and simplify multiple tables into a single virtual table Views can act as aggregated tables, where aggregated data (sum, average etc.) are calculated and presented as part of the data Views can hide the complexity of data, for example a view could appear as Sales2000 or Sales2001, transparently partitioning the actual underlying table Views take very little space to store; only the definition is stored, not a copy of all the data they present Depending on the SQL engine used, views can provide extra security. Limit the exposure to which a table or tables are exposed to outer world Just like functions (in programming) provide abstraction, views can be used to create abstraction. Also, just like functions, views can be nested, thus one view can aggregate data from other views. Without the use of views it would be much harder to normalise databases above second normal form. Views can make it easier to create lossless join decomposition. Rows available through a view are not sorted. A view is a relational table, and the relational model states that a table is a set of rows. Since sets are not sorted - per definition - the rows in a view are not ordered either. Therefore, an ORDER BY clause in the view definition is meaningless and the SQL standard (SQL:2003) does not allow this for the subselect in a CREATE VIEW statement. The following reference(s) were used for this question: The text above is from About.Com at: http://databases.about.com/ The definition of views above is from: http://en.wikipedia.org/wiki/View_%28database%29KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 47 http://www.tomjewett.com/dbdesign/dbdesign.php?page=ddldml.php

QUESTION 87 What would be considered the biggest drawback of Host-based Intrusion Detection systems (HIDS)? A. It can be very invasive to the host operating system B. Monitors all processes and activities on the host system only C. Virtually eliminates limits associated with encryption D. They have an increased level of visibility and control compared to NIDS

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: The biggest drawback of HIDS, and the reason many organizations resist its use, is that it can be very invasive to the host operating system. HIDS must have the capability to monitor all processes and activities on the host system and this can sometimes interfere with normal system processing. HIDS versus NIDS A host-based IDS (HIDS) can be installed on individual workstations and/ or servers to watch for inappropriate or anomalous activity. HIDSs are usually used to make sure users do not delete system files, reconfigure important settings, or put the system at risk in any other way. So, whereas the NIDS understands and monitors the network traffic, a HIDS's universe is limited to the computer itself. A HIDS does not understand or review network traffic, and a NIDS does not "look in" and monitor a system's activity. Each has its own job and stays out of the other's way. The ISC2 official study book defines an IDS as: An intrusion detection system (IDS) is a technology that alerts organizations to adverse or unwanted activity. An IDS can be implemented as part of a network device, such as a router, switch, or firewall, or it can be a dedicated IDS device monitoring traffic as it traverses the network. When used in this way, it is referred to as a network IDS, or NIDS. IDS can also be used on individual host systems to monitor and report on file, disk, and process activity on that host. When used in this way it is referred to as a host-based IDS, or HIDS. An IDS is informative by nature and provides real-time information when suspicious activities are identified. It is primarily a detective device and, acting in this traditional role, is not used to directly prevent the suspected attack. What about IPS? In contrast, an intrusion prevention system (IPS), is a technology that monitors activity like an IDS but will automatically take proactive preventative action if it detects unacceptable activity. An IPS permits a predetermined set of functions and actions to occur on a network or system; anything that is not permitted is considered unwanted activity and blocked. IPS is engineered specifically to respond in real time to an event at the system or network layer. By proactively enforcing policy, IPS can thwart not only attackers, but also authorized users attempting to perform an action that is not within policy. Fundamentally, IPS is considered an access control and policy enforcement technology, whereas IDS is considered network monitoring and audit technology. The following answers were incorrect: All of the other answer were advantages and not drawback of using HIDS TIP FOR THE EXAM: Be familiar with the differences that exists between an HIDS, NIDS, and IPS. Know that IDS's are mostly detective but IPS are preventive. IPS's are considered anaccess control and policy enforcement technology, whereas IDS's are considered network monitoring and audit technology. Reference(s) used for this question: Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 5817- 5822). McGraw-Hill. Kindle Edition. and Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition : Access Control ((ISC)2 Press), Domain1, Page 180-188 or on the kindle version look for Kindle Locations 3199-3203 Auerbach Publications.

QUESTION 91 Which of the following is most relevant to determining the maximum effective cost of access control? A. the value of information that is protected. B. management's perceptions regarding data importance. C.budget planning related to base versus incremental spending. D. the cost to replace lost data.

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: The cost of access control must be commensurate with the value of the information that is being protected. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 49

QUESTION 64 What is called the percentage of valid subjects that are falsely rejected by a Biometric Authentication system? A. False Rejection Rate (FRR) or Type I Error B. False Acceptance Rate (FAR) or Type II Error C. Crossover Error Rate (CER) D. True Rejection Rate (TRR) or Type III Error

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: The percentage of valid subjects that are falsely rejected is called the False Rejection Rate (FRR) or Type I Error. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 38

QUESTION 21 The end result of implementing the principle of least privilege means which of the following? A. Users would get access to only the info for which they have a need to know B. Users can access all systems. C. Users get new privileges added when they change positions. D. Authorization creep.

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: The principle of least privilege refers to allowing users to have only the access they need and not anything more. Thus, certain users may have no need to access any of the files on specific systems. The following answers are incorrect: Users can access all systems. Although the principle of least privilege limits what access and systems users have authorization to, not all users would have a need to know to access all of the systems. The best answer is still Users would get access to only the info for which they have a need to know as some of the users may not have a need to access a system. Users get new privileges when they change positions. Although true that a user may indeed require new privileges, this is not a given fact and in actuality a user may require less privileges for a new position. The principle of least privilege would require that the rights required for the position be closely evaluated and where possible rights revoked. Authorization creep. Authorization creep occurs when users are given additional rights with new positions and responsibilities. The principle of least privilege should actually prevent authorization creep. The following reference(s) were/was used to create this question: ISC2 OIG 2007 p.101,123 Shon Harris AIO v3 p148, 902-903

QUESTION 78 Which of the following represents the columns of the table in a relational database? A. attributes B. relation C. record retention D. records or tuples

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: The rows of the table represent records or tuples and the columns of the table represent the attributes.Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 45

QUESTION 144 What does the simple security (ss) property mean in the Bell-LaPadula model? A. No read up B. No write down C. No read down D. No write up

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: The ss (simple security) property of the Bell-LaPadula access control model states that reading of information by a subject at a lower sensitivity level from an object at a higher sensitivity level is not permitted (no read up). Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security Architectures and Models (page 202).

QUESTION 60 Which of the following would be true about Static password tokens? A. The owner identity is authenticated by the token B. The owner will never be authenticated by the token. C.The owner will authenticate himself to the system. D. The token does not authenticates the token owner but the system.

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: Tokens are electronic devices or cards that supply a user's password for them. A token system can be used to supply either a static or a dynamic password. There is a big difference between the static and dynamic systems, a static system will normally log a user in but a dynamic system the user will often have to log themselves in. Static Password Tokens: The owner identity is authenticated by the token. This is done by the person who issues the token to the owner (normally the employer). The owner of the token is now authenticated by "something you have". The token authenticates the identity of the owner to the information system. An example of this occurring is when an employee swipes his or her smart card over an electronic lock to gain access to a store room. Synchronous Dynamic Password Tokens: This system is a lot more complex then the static token password. The synchronous dynamic password tokens generate new passwords at certain time intervals that are synched with the main system. The password is generated on a small device similar to a pager or a calculator that can often be attached to the user's key ring. Each password is only valid for a certain time period, typing in the wrong password in the wrong time period will invalidate the authentication. The time factor can also be the systems downfall. If a clock on the system or the password token device becomes out of synch, a user can have troubles authenticating themselves to the system. Asynchronous Dynamic Password Tokens: The clock synching problem is eliminated with asynchronous dynamic password tokens. This system works on the same principal as the synchronous one but it does not have a time frame. A lot of big companies use this system especially for employee's who may work from home on the companies VPN (Virtual private Network). Challenge Response Tokens: This is an interesting system. A user will be sent special "challenge" strings at either random or timed intervals. The user inputs this challenge string into their token device and the device will respond by generating a challenge response. The user then types this response into the system and if it is correct they are authenticated. Reference(s) used for this question: http://www.informit.com/guides/content.aspx?g=security&seqNum=146 and KRUTZ, Ronald L. & VINES, Russel D The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 37

QUESTION 55 The act of requiring two of the three factors to be used in the authentication process refers to: A. Two-Factor Authentication B. One-Factor Authentication C. Bi-Factor Authentication D. Double Authentication

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: Two-Factor Authentication refers to the act of requiring two of the three factors to be used in the authentication process. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36

QUESTION 137 Which of the following would describe a type of biometric error refers to as false rejection rate? A. Type I error B. Type II error C. Type III error D. CER error

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: When a biometric system rejects an authorized individual, it is called a Type I error. When a system accepts impostors who should be rejected (false positive), it is called a Type II error. The Crossover Error Rate (CER), stated in a percentage, represents the point at which false rejection (Type I) rate equals the false acceptance (Type II) rate. Type III error is not defined and simply a distracter in this case. Some people get trick on this one because they are thinking about Authentication Factors where Biometric is a type III authentication factor. Beware not to mix authentication factor with biometric errors. The 3 authentication factors are: Type 1 Something you know Type 2 Something you have Type 3 Something you are Reference(s) used for this question: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 4: Access Control (page 128). and https://pciguru.wordpress.com/2010/05/01/one-two-and-three-factor-authentication/

QUESTION 39 Which of the following control pairings include: organizational policies and procedures, pre- employment background checks, strict hiring practices, employment agreements, employee termination procedures, vacation scheduling, labeling of sensitive materials, increased supervision, security awareness training, behavior awareness, and sign-up procedures to obtain access to information systems and networks? A. Preventive/Administrative Pairing B. Preventive/Technical Pairing C. Preventive/Physical Pairing D. Detective/Administrative Pairing

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: organizational policies and procedures, pre-employment background checks, strict hiring practices, employment agreements, friendly and unfriendly employee termination procedures, vacation scheduling, labeling of sensitive materials, increased supervision, security awareness training, behavior awareness, and sign-up procedures to obtain access to information systems and networks. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 34

QUESTION 70 Which of the following is implemented through scripts or smart agents that replays the users multiple log-ins against authentication servers to verify a user's identity which permit access to system services? A. Single Sign-On B. Dynamic Sign-On C. Smart cards D. Kerberos

Correct Answer: A Section: Identity and Access Management ExplanationExplanation/Reference: SSO can be implemented by using scripts that replay the users multiple log-ins against authentication servers to verify a user's identity and to permit access to system services. Single Sign on was the best answer in this case because it would include Kerberos. When you have two good answers within the 4 choices presented you must select the BEST one. The high level choice is always the best. When one choice would include the other one that would be the best as well. Reference(s) used for this question: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 40

QUESTION 97 Access Control techniques do not include which of the following choices? A. Relevant Access Controls B. Discretionary Access Control C. Mandatory Access Control D. Lattice Based Access Control

Correct Answer: A Section: Identity and Access ManagementExplanation Explanation/Reference: Access Control Techniques Discretionary Access Control Mandatory Access Control Lattice Based Access Control Rule-Based Access Control Role-Based Access Control Source: DUPUIS, Clement, Access Control Systems and Methodology, Version 1, May 2002, CISSP Open Study Group Study Guide for Domain 1, Page 13

QUESTION 8 Individual accountability does not include which of the following? A. unique identifiers B. policies & procedures C. access rules D. audit trails

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Accountability would not include policies & procedures because while important on an effective security program they cannot be used in determing accountability. The following answers are incorrect: Unique identifiers. Is incorrect because Accountability would include unique identifiers so that you can identify the individual. Access rules. Is incorrect because Accountability would include access rules to define access violations. Audit trails. Is incorrect because Accountability would include audit trails to be able to trace violations or attempted violations.

QUESTION 9 Which of the following exemplifies proper separation of duties? A. Operators are not permitted modify the system time. B. Programmers are permitted to use the system console. C. Console operators are permitted to mount tapes and disks. D. Tape operators are permitted to use the system console.

Correct Answer: ASection: Identity and Access Management Explanation Explanation/Reference: This is an example of Separation of Duties because operators are prevented from modifying the system time which could lead to fraud. Tasks of this nature should be performed by they system administrators. AIO defines Separation of Duties as a security principle that splits up a critical task among two or more individuals to ensure that one person cannot complete a risky task by himself. The following answers are incorrect: Programmers are permitted to use the system console. Is incorrect because programmers should not be permitted to use the system console, this task should be performed by operators. Allowing programmers access to the system console could allow fraud to occur so this is not an example of Separation of Duties.. Console operators are permitted to mount tapes and disks. Is incorrect because operators should be able to mount tapes and disks so this is not an example of Separation of Duties. Tape operators are permitted to use the system console. Is incorrect because operators should be able to use the system console so this is not an example of Separation of Duties. References: OIG CBK Access Control (page 98 - 101) AIOv3 Access Control (page 182)

QUESTION 22 Which of the following is the most reliable authentication method for remote access? A. Variable callback system B. Synchronous token C. Fixed callback system D. Combination of callback and caller ID

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: A Synchronous token generates a one-time password that is only valid for a short period of time. Once the password is used it is no longer valid, and it expires if not entered in the acceptable time frame. The following answers are incorrect: Variable callback system. Although variable callback systems are more flexible than fixed callback systems, the system assumes the identity of the individual unless two-factor authentication is also implemented. By itself, this method might allow an attacker access as a trusted user. Fixed callback system. Authentication provides assurance that someone or something is who or what he/it is supposed to be. Callback systems authenticate a person, but anyone can pretend to be that person. They are tied to a specific place and phone number, which can be spoofed by implementing call-forwarding. Combination of callback and Caller ID. The caller ID and callback functionality provides greater confidence and auditability of the caller's identity. By disconnecting and calling back only authorized phone numbers, the system has a greater confidence in the location of the call. However, unless combined with strong authentication, any individual at the location could obtain access. The following reference(s) were/was used to create this question: Shon Harris AIO v3 p. 140, 548 ISC2 OIG 2007 p. 152-153, 126-127

QUESTION 17 Which of the following attacks could capture network user passwords? A. Data diddling B. Sniffing C. IP Spoofing D. Smurfing

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: A network sniffer captures a copy every packet that traverses the network segment the sniffer is connect to. Sniffers are typically devices that can collect information from a communication medium, such as a network. These devices can range from specialized equipment to basic workstations with customized software. A sniffer can collect information about most, if not all, attributes of the communication. The most common method of sniffing is to plug a sniffer into an existing network device like a hub or switch. A hub (which is designed to relay all traffic passing through it to all of its ports) will automatically begin sending all the traffic on that network segment to the sniffing device. On the other hand, a switch (which is designed to limit what traffic gets sent to which port) will have to be specially configured to send all traffic to the port where the sniffer is plugged in. Another method for sniffing is to use a network tap--a device that literally splits a network transmission into two identical streams; one going to the original network destination and the other going to the sniffing device. Each of these methods has its advantages and disadvantages, including cost, feasibility, and the desire to maintain the secrecy of the sniffing activity. The packets captured by sniffer are decoded and then displayed by the sniffer. Therfore, if the username/password are contained in a packet or packets traversing the segment the sniffer is connected to, it will capture and display that information (and any other information on that segment it can see). Of course, if the information is encrypted via a VPN, SSL, TLS, or similar technology, the information is still captured and displayed, but it is in an unreadable format. The following answers are incorrect: Data diddling involves changing data before, as it is enterred into a computer, or after it is extracted. Spoofing is forging an address and inserting it into a packet to disguise the origin of the communication - or causing a system to respond to the wrong address. Smurfing would refer to the smurf attack, where an attacker sends spoofed packets to the broadcast address on a gateway in order to cause a denial of service. The following reference(s) were/was used to create this question: CISA Review manual 2014 Page number 321 Official ISC2 Guide to the CISSP 3rd edition Page Number 153

QUESTION 67 Considerations of privacy, invasiveness, and psychological and physical comfort when using the system are important elements for which of the following? A. Accountability of biometrics systems B. Acceptability of biometrics systems C. Availability of biometrics systems D. Adaptability of biometrics systems

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Acceptability refers to considerations of privacy, invasiveness, and psychological and physical comfort when using the system. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 39

QUESTION 108 Which of the following access control models is based on sensitivity labels? A. Discretionary access control B. Mandatory access control C. Rule-based access control D. Role-based access control

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Access decisions are made based on the clearance of the subject and the sensitivity label of the object. Example: Eve has a "Secret" security clearance and is able to access the "Mugwump Missile Design Profile" because its sensitivity label is "Secret." She is denied access to the "Presidential Toilet Tissue Formula" because its sensitivity label is "Top Secret." The other answers are not correct because: Discretionary Access Control is incorrect because in DAC access to data is determined by the data owner. For example, Joe owns the "Secret Chili Recipe" and grants read access to Charles. Role Based Access Control is incorrect because in RBAC access decsions are made based on the role held by the user. For example, Jane has the role "Auditor" and that role includes read permission on the "System Audit Log." Rule Based Access Control is incorrect because it is a form of MAC. A good example would be a Firewall where rules are defined and apply to anyone connecting through the firewall. References: All in One third edition, page 164 Official ISC2 Guide page 187

QUESTION 120 Why do buffer overflows happen? What is the main cause? A. Because buffers can only hold so much data B. Because of improper parameter checking within the application C. Because they are an easy weakness to exploit D. Because of insufficient system memory

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Buffer Overflow attack takes advantage of improper parameter checking within the application. This is the classic form of buffer overflow and occurs because theprogrammer accepts whatever input the user supplies without checking to make sure that the length of the input is less than the size of the buffer in the program. The buffer overflow problem is one of the oldest and most common problems in software development and programming, dating back to the introduction of interactive computing. It can result when a program fills up the assigned buffer of memory with more data than its buffer can hold. When the program begins to write beyond the end of the buffer, the program's execution path can be changed, or data can be written into areas used by the operating system itself. This can lead to the insertion of malicious code that can be used to gain administrative privileges on the program or system. As explained by Gaurab, it can become very complex. At the time of input even if you are checking the length of the input, it has to be check against the buffer size. Consider a case where entry point of data is stored in Buffer1 of Application1 and then you copy it to Buffer2 within Application2 later on, if you are just checking the length of data against Buffer1, it will not ensure that it will not cause a buffer overflow in Buffer2 of Application2 A bit of reassurance from the ISC2 book about level of Coding Knowledge needed for the exam: It should be noted that the CISSP is not required to be an expert programmer or know the inner workings of developing application software code, like the FORTRAN programming language, or how to develop Web applet code using Java. It is not even necessary that the CISSP know detailed security-specific coding practices such as the major divisions of buffer overflow exploits or the reason for preferring str(n)cpy to strcpy in the C language (although all such knowledge is, of course, helpful). Because the CISSP may be the person responsible for ensuring that security is included in such developments, the CISSP should know the basic procedures and concepts involved during the design and development of software programming. That is, in order for the CISSP to monitor the software development process and verify that security is included, the CISSP must understand the fundamental concepts of programming developments and the security strengths and weaknesses of various application development processes. The following are incorrect answers: "Because buffers can only hold so much data" is incorrect. This is certainly true but is not the best answer because the finite size of the buffer is not the problem -- the problem is that the programmer did not check the size of the input before moving it into the buffer. "Because they are an easy weakness to exploit" is incorrect. This answer is sometimes true but is not the best answer because the root cause of the buffer overflow is that the programmer did not check the size of the user input. "Because of insufficient system memory" is incorrect. This is irrelevant to the occurrence of a buffer overflow. Reference(s) used for this question: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 13319-13323). Auerbach Publications. Kindle Edition.

QUESTION 113 What is the difference between Access Control Lists (ACLs) and Capability Tables? A. Access control lists are related/attached to a subject whereas capability tables are related/attached to an object. B. Access control lists are related/attached to an object whereas capability tables are related/attached to a subject. C. Capability tables are used for objects whereas access control lists are used for users. D. They are basically the same.

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Capability tables are used to track, manage and apply controls based on the object and rights, or capabilities of a subject. For example, a table identifies the object, specifies access rights allowed for a subject, and permits access based on the user's posession of a capability (or ticket) for the object. It is a row within the matrix. To put it another way, A capabiltiy table is different from an ACL because the subject is bound to the capability table, whereas the object is bound to the ACL. CLEMENT NOTE: If we wish to express this very simply: Capabilities are attached to a subject and it describe what access the subject has to each of the objects on the row that matches with the subject within the matrix. It is a row within the matrix. ACL's are attached to objects, it describe who has access to the object and what type of access they have. It is a column within the matrix. The following are incorrect answers: "Access control lists are subject-based whereas capability tables are object-based" is incorrect. "Capability tables are used for objects whereas access control lists are used for users" is incorrect. "They are basically the same" is incorrect. References used for this question: CBK, pp. 191 - 192 AIO3 p. 169

QUESTION 28 Single Sign-on (SSO) is characterized by which of the following advantages? A. Convenience B. Convenience and centralized administration C. Convenience and centralized data administration D. Convenience and centralized network administration

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Convenience -Using single sign-on users have to type their passwords only once when they first log in to access all the network resources; and Centralized Administration as some single sign-on systems are built around a unified server administration system. This allows a single administrator to add and delete accounts across the entire network from one user interface. The following answers are incorrect: Convenience - alone this is not the correct answer. Centralized Data or Network Administration - these are thrown in to mislead the student. Neither are a benefit to SSO, as these specifically should not be allowed with just an SSO. References: TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 1, page 35 TIPTON, Harold F. & HENRY, Kevin, Official (ISC)2 Guide to the CISSP CBK, 2007, page 180

QUESTION 31 The following is NOT a security characteristic we need to consider while choosing a biometric identification systems: A. data acquisition process B. cost C. enrollment process D. speed and user interface

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Cost is a factor when considering Biometrics but it is not a security characteristic. All the other answers are incorrect because they are security characteristics related to Biometrics. Data acquisition process can cause a security concern because if the process is not fast and efficient it can discourage individuals from using the process. Enrollment process can cause a security concern because the enrollment process has to be quick and efficient. This process captures data for authentication. Speed and user interface can cause a security concern because this also impacts the users acceptance rate of biometrics. If they are not comfortable with the interface and speed they might sabotage the devices or otherwise attempt to circumvent them. References: OIG Access Control (Biometrics) (pgs 165-167) From: TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 1, Pages 5-6 ** in process of correction **

QUESTION 13 Kerberos can prevent which one of the following attacks? A. Tunneling attack. B. Playback (replay) attack. C. Destructive attack. D. Process attack.

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Each ticket in Kerberos has a timestamp and are subject to time expiration to help prevent these types of attacks. The following answers are incorrect: Tunneling attack. This is incorrect because a tunneling attack is an attempt to bypass security and access low-level systems. Kerberos cannot totally prevent these types of attacks. Destructive attack. This is incorrect because depending on the type of destructive attack, Kerberos cannot prevent someone from physically destroying a server. Process attack. This is incorrect because with Kerberos cannot prevent an authorized individuals from running processes

QUESTION 62 In biometrics, "one-to-many" search against database of stored biometric images is done in: A. Authentication B. Identification C. Identities D. Identity-based access control

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: In biometrics, identification is a "one-to-many" search of an individual's characteristics from a database of stored images. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 38

QUESTION 118 Which access control model provides upper and lower bounds of access capabilities for a subject? A. Role-based access control B. Lattice-based access control C. Biba access control D. Content-dependent access control

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: In the lattice model, users are assigned security clearences and the data is classified. Access decisions are made based on the clearence of the user and the classification of the object. Lattice-based access control is an essential ingredient of formal security models such as Bell- LaPadula, Biba, Chinese Wall, etc. The bounds concept comes from the formal definition of a lattice as a "partially ordered set for which every pair of elements has a greatest lower bound and a least upper bound." To see the application, consider a file classified as "SECRET" and a user Joe with a security clearence of "TOP SECRET." Under Bell-LaPadula, Joe's "least upper bound" access to the file is "READ" and his least lower bound is "NO WRITE" (star property). Role-based access control is incorrect. Under RBAC, the access is controlled by the permissions assigned to a role and the specific role assigned to the user. Biba access control is incorrect. The Biba integrity model is based on a lattice structure but the context of the question disqualiifes it as the best answer. Content-dependent access control is incorrect. In content dependent access control, the actual content of the information determines access as enforced by the arbiter. References: CBK, pp. 324-325 AIO3, pp. 291-293 See aprticularly Figure 5-19 on p. 293 for an illustration of bounds in action.

QUESTION 5 What is Kerberos? A. A three-headed dog from the egyptian mythology. B. A trusted third-party authentication protocol. C. A security model. D. A remote authentication dial in user server.

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Is correct because that is exactly what Kerberos is. The following answers are incorrect: A three-headed dog from Egyptian mythology. Is incorrect because we are dealing with Information Security and not the Egyptian mythology but the Greek Mythology. A security model. Is incorrect because Kerberos is an authentication protocol and not just a security model. A remote authentication dial in user server. Is incorrect because Kerberos is not a remote authentication dial in user server that would be called RADIUS.

QUESTION 71 Which of the following is NOT true of the Kerberos protocol? A. Only a single login is required per session. B. The initial authentication steps are done using public key algorithm. C. The KDC is aware of all systems in the network and is trusted by all of them D. It performs mutual authentication

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. It has the following characteristics: It is secure: it never sends a password unless it is encrypted. Only a single login is required per session. Credentials defined at login are then passed between resources without the need for additional logins. The concept depends on a trusted third party a Key Distribution Center (KDC). The KDC is aware of all systems in the network and is trusted by all of them. It performs mutual authentication, where a client proves its identity to a server and a server proves its identity to the client. Kerberos introduces the concept of a Ticket-Granting Server/Service (TGS). A client that wishes to use a service has to receive a ticket from the TGS a ticket is a time-limited cryptographic message giving it access to the server. Kerberos also requires an Authentication Server (AS) to verify clients. The two servers combined make up a KDC. Within the Windows environment, Active Directory performs the functions of the KDC. The following figure shows the sequence of events required for a client to gain access to a service using Kerberos authentication. Each step is shown with the Kerberos message associated with it, as defined in RFC 4120 "The Kerberos Network Authorization Service (V5)". Kerberos Authentication Step by Step Step 1: The user logs on to the workstation and requests service on the host. The workstation sends a message to the Authorization Server requesting a ticket granting ticket (TGT). Step 2: The Authorization Server verifies the user's access rights in the user database and creates a TGT and session key. The Authorization Sever encrypts the results using a key derived from the user's password and sends a message back to the user workstation. The workstation prompts the user for a password and uses the password to decrypt the incoming message. When decryption succeeds, the user will be able to use the TGT to request a service ticket. · Step 3: When the user wants access to a service, the workstation client application sends a request to the Ticket Granting Service containing the client name, realm name and a timestamp. The user proves his identity by sending an authenticator encrypted with the session key received in Step 2 · Step 4: The TGS decrypts the ticket and authenticator, verifies the request, and creates a ticket for the requested server. The ticket contains the client name and optionally the client IP address. It also contains the realm name and ticket lifespan. The TGS returns the ticket to the user workstation. The returned message contains two copies of a server session key one encrypted with the client password, and one encrypted by the service password. · Step 5: The client application now sends a service request to the server containing the ticket received in Step 4 and an authenticator. The service authenticates the request by decrypting the session key. The server verifies that the ticket and authenticator match, and then grants access to the service. This step as described does not include the authorization performed by the Intel AMT device, as described later. · Step 6: If mutual authentication is required, then the server will reply with a server authentication message. The Kerberos server knows "secrets" (encrypted passwords) for all clients and servers under its control, or it is in contact with other secure servers that have this information. These "secrets" are used to encrypt all of the messages shown in the figure above. To prevent "replay attacks," Kerberos uses timestamps as part of its protocol definition. For timestamps to work properly, the clocks of the client and the server need to be in synch as much as possible. In other words, both computers need to be set to the same time and date. Since the clocks of two computers are often out of synch, administrators can establish a policy to establish the maximum acceptable difference to Kerberos between a client's clock and server's clock. If the difference between a client's clock and the server's clock is less than the maximum time difference specified in this policy, any timestamp used in a session between the two computers will be considered authentic. The maximum difference is usually set to five minutes. Note that if a client application wishes to use a service that is "Kerberized" (the service is configured to perform Kerberos authentication), the client must also be Kerberized so that it expects to support the necessary message responses. For more information about Kerberos, see http://web.mit.edu/kerberos/www/. References: Introduction to Kerberos Authentication from Intel and http://www.zeroshell.net/eng/kerberos/Kerberos-definitions/#1353 and http://www.ietf.org/rfc/rfc4120txt

QUESTION 40 Technical controls such as encryption and access control can be built into the operating system, be software applications, or can be supplemental hardware/ software units. Such controls, also known as logical controls, represent which pairing? A. Preventive/Administrative Pairing B. Preventive/Technical Pairing C. Preventive/Physical Pairing D. Detective/Technical Pairing

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Preventive/Technical controls are also known as logical controls and can be built into the operating system, be software applications, or can be supplemental hardware/software units. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 34

QUESTION 75 Like the Kerberos protocol, SESAME is also subject to which of the following? A. timeslot replay B. password guessing C. symmetric key guessing D. asymmetric key guessing

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Sesame is an authentication and access control protocol, that also supports communication confidentiality and integrity. It provides public key based authentication along with the Kerberos style authentication, that uses symmetric key cryptography. Sesame supports the Kerberos protocol and adds some security extensions like public key based authentication and an ECMA- style Privilege Attribute Service. The users under SESAME can authenticate using either symmetric encryption as in Kerberos or Public Key authentication. When using Symmetric Key authentication as in Kerberos, SESAME is also vulnerable to password guessing just like Kerberos would be. The Symmetric key being used is based on the password used by the user when he logged on the system. If the user has a simple password it could be guessed or compromise. Even thou Kerberos or SESAME may be use, there is still a need to have strong password discipline. The Basic Mechanism in Sesame for strong authentication is as follow: The user sends a request for authentication to the Authentication Server as in Kerberos, except that SESAME is making use of public key cryptography for authentication where the client will present his digital certificate and the request will be signed using a digital signature. The signature is communicated to the authentication server through the preauthentication fields. Upon receipt of this request, the authentication server will verifies the certificate, then validate the signature, and if all is fine the AS will issue a ticket granting ticket (TGT) as in Kerberos. This TGT will be use to communicate with the privilage attribute server (PAS) when access to a resource is needed. Users may authenticate using either a public key pair or a conventional (symmetric) key. If public key cryptography is used, public key data is transported in preauthentication data fields to help establish identity. Kerberos uses tickets for authenticating subjects to objects and SESAME uses Privileged Attribute Certificates (PAC), which contain the subject's identity, access capabilities for the object, access time period, and lifetime of the PAC. The PAC is digitally signed so that the object can validate that it came from the trusted authentication server, which is referred to as the privilege attribute server (PAS). The PAS holds a similar role as the KDC within Kerberos. After a user successfully authenticates to the authentication service (AS), he is presented with a token to give to the PAS. The PAS then creates a PAC for the user to present to the resource he is trying to access. Reference(s) used for this question: http://srg.cs.uiuc.edu/Security/nephilim/Internal/SESAME.txt and KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 43

QUESTION 2 In Mandatory Access Control, sensitivity labels attached to object contain what information? A. The item's classification B. The item's classification and category set C. The item's category D. The items's need to know

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: The following is the correct answer: the item's classification and category set. A Sensitivity label must contain at least one classification and one category set. Category set and Compartment set are synonyms, they mean the same thing. The sensitivity label must contain at least one Classification and at least one Category. It is common in some environments for a single item to belong to multiple categories. The list of all the categories to which an item belongs is called a compartment set or category set. The following answers are incorrect: The item's classification. Is incorrect because you need a category set as well. The item's category. Is incorrect because category set and classification would be both be required. The item's need to know. Is incorrect because there is no such thing. The need to know is indicated by the catergories the object belongs to. This is NOT the best answer. Reference(s) used for this question: OIG CBK, Access Control (pages 186 - 188) AIO, 3rd Edition, Access Control (pages 162 - 163) AIO, 4th Edition, Access Control, pp 212-214 Wikipedia - http://en.wikipedia.org/wiki/Mandatory_Access_Control

QUESTION 101 Which of the following best ensures accountability of users for the actions taken within a system or domain? A. Identification B. Authentication C. Authorization D. Credentials

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: The only way to ensure accountability is if the subject is uniquely identified and authenticated. Identification alone does not provide proof the user is who they claim to be. After showing proper credentials, a user is authorized access to resources. References: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter 4: Access Control (page 126).

QUESTION 65 What is called the percentage of invalid subjects that are falsely accepted by a Biometric authentication system? A. False Rejection Rate (FRR) or Type I Error B. False Acceptance Rate (FAR) or Type II Error C. Crossover Error Rate (CER) D. True Acceptance Rate (TAR) or Type III Error

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: The percentage of invalid subjects that are falsely accepted is called the False Acceptance Rate (FAR) or Type II Error. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 38 And: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 4: Access Control (pages 127-128).

QUESTION 59 Which best describes a tool (i.e. keyfob, calculator, memory card or smart card) used to supply dynamic passwords? A. Tickets B. Tokens C. Token passing networks D. Coupons

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Tokens; Tokens in the form of credit card-size memory cards or smart cards, or those resembling small calculators, are used to supply static and dynamic passwords. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 37

QUESTION 33 In biometric identification systems, the parts of the body conveniently available for identification are: A. neck and mouth B. hands, face, and eyes C. feet and hair D. voice and neck

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference:Today implementation of fast, accurate, reliable, and user-acceptable biometric identification systems are already under way. Because most identity authentication takes place when a people are fully clothed (neck to feet and wrists), the parts of the body conveniently available for this purpose are hands, face, and eyes. From: TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 1, Page 7

QUESTION 117 Which of the following countermeasures would be the most appropriate to prevent possible intrusion or damage from wardialing attacks? A. Monitoring and auditing for such activity B. Require user authentication C. Making sure only necessary phone numbers are made public D. Using completely different numbers for voice and data accesses

Correct Answer: B Section: Identity and Access Management ExplanationExplanation/Reference: Knowlege of modem numbers is a poor access control method as an attacker can discover modem numbers by dialing all numbers in a range. Requiring user authentication before remote access is granted will help in avoiding unauthorized access over a modem line. "Monitoring and auditing for such activity" is incorrect. While monitoring and auditing can assist in detecting a wardialing attack, they do not defend against a successful wardialing attack. "Making sure that only necessary phone numbers are made public" is incorrect. Since a wardialing attack blindly calls all numbers in a range, whether certain numbers in the range are public or not is irrelevant. "Using completely different numbers for voice and data accesses" is incorrect. Using different number ranges for voice and data access might help prevent an attacker from stumbling across the data lines while wardialing the public voice number range but this is not an adequate countermeaure. References: CBK, p. 214 AIO3, p. 534-535

QUESTION 92 Which of the following is NOT a factor related to Access Control? A. integrity B. authenticity C. confidentiality D. availability

Correct Answer: B Section: Identity and Access ManagementExplanation Explanation/Reference: These factors cover the integrity, confidentiality, and availability components of information system security. Integrity is important in access control as it relates to ensuring only authorized subjects can make changes to objects. Authenticity is different from authentication. Authenticity pertains to something being authentic, not necessarily having a direct correlation to access control. Confidentiality is pertinent to access control in that the access to sensitive information is controlled to protect confidentiality. vailability is protected by access controls in that if an attacket attempts to disrupt availability they would first need access. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 49

QUESTION 6 Kerberos depends upon what encryption method? A. Public Key cryptography. B. Secret Key cryptography. C. El Gamal cryptography. D. Blowfish cryptography.

Correct Answer: BSection: Identity and Access Management Explanation Explanation/Reference: Kerberos depends on Secret Keys or Symmetric Key cryptography. Kerberos a third party authentication protocol. It was designed and developed in the mid 1980's by MIT. It is considered open source but is copyrighted and owned by MIT. It relies on the user's secret keys. The password is used to encrypt and decrypt the keys. This question asked specifically about encryption methods. Encryption methods can be SYMMETRIC (or secret key) in which encryption and decryption keys are the same, or ASYMMETRIC (aka 'Public Key') in which encryption and decryption keys differ. 'Public Key' methods must be asymmetric, to the extent that the decryption key CANNOT be easily derived from the encryption key. Symmetric keys, however, usually encrypt more efficiently, so they lend themselves to encrypting large amounts of data. Asymmetric encryption is often limited to ONLY encrypting a symmetric key and other information that is needed in order to decrypt a data stream, and the remainder of the encrypted data uses the symmetric key method for performance reasons. This does not in any way diminish the security nor the ability to use a public key to encrypt the data, since the symmetric key method is likely to be even MORE secure than the asymmetric method. For symmetric key ciphers, there are basically two types: BLOCK CIPHERS, in which a fixed length block is encrypted, and STREAM CIPHERS, in which the data is encrypted one 'data unit' (typically 1 byte) at a time, in the same order it was received in. The following answers are incorrect: Public Key cryptography. Is incorrect because Kerberos depends on Secret Keys or Symmetric Key cryptography and not Public Key or Asymmetric Key cryptography. El Gamal cryptography. Is incorrect because El Gamal is an Asymmetric Key encryption algorithm. Blowfish cryptography. Is incorrect because Blowfish is a Symmetric Key encryption algorithm. References: OIG CBK Access Control (pages 181 - 184) AIOv3 Access Control (pages 151 - 155) Wikipedia http://en.wikipedia.org/wiki/Blowfish_%28cipher%29 ; http://en.wikipedia.org/wiki/El_Gamal http://www.mrp3com/encrypt.html

QUESTION 51 A central authority determines what subjects can have access to certain objects based on the organizational security policy is called: A Mandatory Access Control. B. Discretionary Access Control C. Non-Discretionary Access Control D. Rule-based Access control

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: A central authority determines what subjects can have access to certain objects based on the organizational security policy. The key focal point of this question is the 'central authority' that determines access rights. Cecilia one of the quiz user has sent me feedback informing me that NIST defines MAC as: "MAC Policy means that Access Control Policy Decisions are made by a CENTRAL AUTHORITY. Which seems to indicate there could be two good answers to this question. However if you read the NISTR document mentioned in the references below, it is also mentioned that: MAC is the most mentioned NDAC policy. So MAC is a form of NDAC policy. Within the same document it is also mentioned: "In general, all access control policies other than DAC are grouped in the category of non- discretionary accesscontrol (NDAC). As the name implies, policies in this category have rules that are not established at the discretion of the user. Non-discretionary policies establish controls that cannot be changed by users, but only through administrative action." Under NDAC you have two choices: Rule Based Access control and Role Base Access Control MAC is implemented using RULES which makes it fall under RBAC which is a form of NDAC. It is a subset of NDAC. This question is representative of what you can expect on the real exam where you have more than once choice that seems to be right. However, you have to look closely if one of the choices would be higher level or if one of the choice falls under one of the other choice. In this case NDAC is a better choice because MAC is falling under NDAC through the use of Rule Based Access Control. The following are incorrect answers: MANDATORY ACCESS CONTROL In Mandatory Access Control the labels of the object and the clearance of the subject determines access rights, not a central authority. Although a central authority (Better known as the Data Owner) assigns the label to the object, the system does the determination of access rights automatically by comparing the Object label with the Subject clearance. The subject clearance MUST dominate (be equal or higher) than the object being accessed. The need for a MAC mechanism arises when the security policy of a system dictates that: 1 Protection decisions must not be decided by the object owner. 2 The system must enforce the protection decisions (i.e., the system enforces the security policy over the wishes or intentions of the object owner). Usually a labeling mechanism and a set of interfaces are used to determine access based on the MAC policy; for example, a user who is running a process at the Secret classification should not be allowed to read a file with a label of Top Secret. This is known as the "simple security rule," or "no read up." Conversely, a user who is running a process with a label of Secret should not be allowed to write to a file with a label of Confidential. This rule is called the "*- property" (pronounced "star property") or "no write down." The *-property is required to maintain system security in an automated environment. DISCRETIONARY ACCESS CONTROL In Discretionary Access Control the rights are determined by many different entities, each of the persons who have created files and they are the owner of that file, not one central authority. DAC leaves a certain amount of access control to the discretion of the object's owner or anyone else who is authorized to control the object's access. For example, it is generally used to limit a user's access to a file; it is the owner of the file who controls other users' accesses to the file. Only those users specified by the owner may have some combination of read, write, execute, and other permissions to the file. DAC policy tends to be very flexible and is widely used in the commercial and government sectors. However, DAC is known to be inherently weak for two reasons: First, granting read access is transitive; for example, when Ann grants Bob read access to a file, nothing stops Bob from copying the contents of Ann's file to an object that Bob controls. Bob may now grant any other user access to the copy of Ann's file without Ann's knowledge. Second, DAC policy is vulnerable to Trojan horse attacks. Because programs inherit the identity of the invoking user, Bob may, for example, write a program for Ann that, on the surface, performs some useful function, while at the same time destroys the contents of Ann's files. When investigating the problem, the audit files would indicate that Ann destroyed her own files. Thus, formally, the drawbacks of DAC are as follows: · Discretionary Access Control (DAC) Information can be copied from one object to another; therefore, there is no real assurance on the flow of information in a system. · No restrictions apply to the usage of information when the user has received it. · The privileges for accessing objects are decided by the owner of the object, rather than through a system-wide policy that reflects the organization's security requirements. ACLs and owner/group/other access control mechanisms are by far the most common mechanism for implementing DAC policies. Other mechanisms, even though not designed with DAC in mind, may have the capabilities to implement a DAC policy. RULE BASED ACCESS CONTROL In Rule-based Access Control a central authority could in fact determine what subjects can have access when assigning the rules for access. However, the rules actually determine the access and so this is not the most correct answer. RuBAC (as opposed to RBAC, role-based access control) allow users to access systems and information based on pre determined and configured rules. It is important to note that there is no commonly understood definition or formally defined standard for rule-based access control as there is for DAC, MAC, and RBAC. "Rule-based access" is a generic term applied to systems that allow some form of organization-defined rules, and therefore rule-based access control encompasses a broad range of systems. RuBAC may in fact be combined with other models, particularly RBAC or DAC. A RuBAC system intercepts every access request and compares the rules with the rights of the user to make an access decision. Most of the rule-based access control relies on a security label system, which dynamically composes a set of rules defined by a security policy. Security labels are attached to all objects, including files, directories, and devices. Sometime roles to subjects (based on their attributes) are assigned as well. RuBAC meets the business needs as well as the technical needs of controlling service access. It allows business rules to be applied to access control--for example, customers who have overdue balances may be denied service access. As a mechanism for MAC, rules of RuBAC cannot be changed by users. The rules can be established by any attributes of a system related to the users such as domain, host, protocol, network, or IP addresses. For example, suppose that a user wants to access an object in another network on the other side of a router. The router employs RuBAC with the rule composed by the network addresses, domain, and protocol to decide whether or not the user can be granted access. If employees change their roles within the organization, their existing authentication credentials remain in effect and do not need to be re configured. Using rules in conjunction with roles adds greater flexibility because rules can be applied to people as well as to devices. Rule-based access control can be combined with role- based access control, such that the role of a user is one of the attributes in rule setting. Some provisions of access control systems have rule- based policy engines in addition to a role-based policy engine and certain implemented dynamic policies [Des03]. For example, suppose that two of the primary types of software users are product engineers and quality engineers. Both groups usually have access to the same data, but they have different roles to perform in relation to the data and the application's function. In addition, individuals within each group have different job responsibilities that may be identified using several types of attributes such as developing programs and testing areas. Thus, the access decisions can be made in real time by a scripted policy that regulates the access between the groups of product engineers and quality engineers, and each individual within these groups. Rules can either replace or complement role-based access control. However, the creation of rules and security policies is also a complex process, so each organization will need to strike the appropriate balance. References used for this question: http://csrc.nist.gov/publications/nistir/7316/NISTIR-7316pdf And AIO v3 p162-167 and OIG (2007) p.186-191 Also KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33

QUESTION 48 A central authority determines what subjects can have access to certain objects based on the organizational security policy is called: A. Mandatory Access Control B. Discretionary Access Control_ C. Non-Discretionary Access Control D. Rule-based Access control

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: A central authority determines what subjects can have access to certain objects based on the organizational security policy. The key focal point of this question is the 'central authority' that determines access rights. Cecilia one of the quiz user has sent me feedback informing me that NIST defines MAC as: "MAC Policy means that Access Control Policy Decisions are made by a CENTRAL AUTHORITY. Which seems to indicate there could be two good answers to this question. However if you read the NISTR document mentioned in the references below, it is also mentioned that: MAC is the most mentioned NDAC policy. So MAC is a form of NDAC policy. Within the same document it is also mentioned: "In general, all access control policies other than DAC are grouped in the category of non- discretionary access control (NDAC). As the name implies, policies in this category have rules that are not established at the discretion of the user. Non-discretionary policies establish controls that cannot be changed by users, but only through administrative action." Under NDAC you have two choices: Rule Based Access control and Role Base Access Control MAC is implemented using RULES which makes it fall under RBAC which is a form of NDAC. It is a subset of NDAC. This question is representative of what you can expect on the real exam where you have more than once choice that seems to be right. However, you have to look closely if one of the choices would be higher level or if one of the choice falls under one of the other choice. In this case NDAC is a better choice because MAC is falling under NDAC through the use of Rule Based Access Control. The following are incorrect answers: MANDATORY ACCESS CONTROL In Mandatory Access Control the labels of the object and the clearance of the subject determines access rights, not a central authority. Although a central authority (Better known as the Data Owner) assigns the label to the object, the system does the determination of access rights automatically by comparing the Object label with the Subject clearance. The subject clearance MUST dominate (be equal or higher) than the object being accessed. The need for a MAC mechanism arises when the security policy of a system dictates that: 1 Protection decisions must not be decided by the object owner. 2 The system must enforce the protection decisions (i.e., the system enforces the security policy over the wishes or intentions of the object owner). Usually a labeling mechanism and a set of interfaces are used to determine access based on the MAC policy; for example, a user who is running a process at the Secret classification should not be allowed to read a file with a label of Top Secret. This is known as the "simple security rule," or "no read up." Conversely, a user who is running a process with a label of Secret should not be allowed to write to a file with a label of Confidential. This rule is called the "*- property" (pronounced "star property") or "no write down." The *-property is required to maintain system security in an automated environment. DISCRETIONARY ACCESS CONTROLIn Discretionary Access Control the rights are determined by many different entities, each of the persons who have created files and they are the owner of that file, not one central authority. DAC leaves a certain amount of access control to the discretion of the object's owner or anyone else who is authorized to control the object's access. For example, it is generally used to limit a user's access to a file; it is the owner of the file who controls other users' accesses to the file. Only those users specified by the owner may have some combination of read, write, execute, and other permissions to the file. DAC policy tends to be very flexible and is widely used in the commercial and government sectors. However, DAC is known to be inherently weak for two reasons: First, granting read access is transitive; for example, when Ann grants Bob read access to a file, nothing stops Bob from copying the contents of Ann's file to an object that Bob controls. Bob may now grant any other user access to the copy of Ann's file without Ann's knowledge. Second, DAC policy is vulnerable to Trojan horse attacks. Because programs inherit the identity of the invoking user, Bob may, for example, write a program for Ann that, on the surface, performs some useful function, while at the same time destroys the contents of Ann's files. When investigating the problem, the audit files would indicate that Ann destroyed her own files. Thus, formally, the drawbacks of DAC are as follows: · Discretionary Access Control (DAC) Information can be copied from one object to another; therefore, there is no real assurance on the flow of information in a system. · No restrictions apply to the usage of information when the user has received it. · The privileges for accessing objects are decided by the owner of the object, rather than through a system-wide policy that reflects the organization's security requirements. ACLs and owner/group/other access control mechanisms are by far the most common mechanism for implementing DAC policies. Other mechanisms, even though not designed with DAC in mind, may have the capabilities to implement a DAC policy. RULE BASED ACCESS CONTROL In Rule-based Access Control a central authority could in fact determine what subjects can have access when assigning the rules for access. However, the rules actually determine the access and so this is not the most correct answer. RuBAC (as opposed to RBAC, role-based access control) allow users to access systems and information based on pre determined and configured rules. It is important to note that there is no commonly understood definition or formally defined standard for rule-based access control as there is for DAC, MAC, and RBAC. "Rule-based access" is a generic term applied to systems that allow some form of organization-defined rules, and therefore rule-based access control encompasses a broad range of systems. RuBAC may in fact be combined with other models, particularly RBAC or DAC. A RuBAC system intercepts every access request and compares the rules with the rights of the user to make an access decision. Most of the rule-based access control relies on a security label system, which dynamically composes a set of rules defined by a security policy. Security labels are attached to all objects, including files, directories, and devices. Sometime roles to subjects (based on their attributes) are assigned as well. RuBAC meets the business needs as well as the technical needs of controlling service access. It allows business rules to be applied to access control--for example, customers who have overdue balances may be denied service access. As a mechanism for MAC, rules of RuBAC cannot be changed by users. The rules can be established by any attributes of a system related to the users such as domain, host, protocol, network, or IP addresses. For example, suppose that a user wants to access an object in another network on the other side of a router. The router employs RuBAC with the rule composed by the network addresses, domain, and protocol to decide whether or not the user can be granted access. If employees change their roles within the organization, their existing authentication credentials remain in effect and do not need to be re configured. Using rules in conjunction with roles adds greater flexibility because rules can be applied to people as well as to devices. Rule-based access control can be combined with role- based access control, such that the role of a user is one of the attributes in rule setting. Some provisions of access control systems have rule- based policy engines in addition to a role-based policy engine and certain implemented dynamic policies [Des03]. For example, suppose that two of the primary types of software users are product engineers and quality engineers. Both groups usually have access to the same data, but they have different roles to perform in relation to the data and the application's function. In addition, individuals within each group have different job responsibilities that may be identified using several types of attributes such as developing programs and testing areas. Thus, the access decisions can be made in real time by a scripted policy that regulates the access between the groups of product engineers and quality engineers, and each individual within these groups. Rules can either replace or complement role-based access control. However, the creation of rules and security policies is also a complex process, so each organization will need to strike the appropriate balance. References used for this question: http://csrc.nist.gov/publications/nistir/7316/NISTIR-7316pdf And AIO v3 p162-167 and OIG (2007) p.186-191 Also KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33

QUESTION 96 Access control is the collection of mechanisms that permits managers of a system to exercise a directing or restraining influence over the behavior, use, and content of a system. It does not permit management to: A. specify what users can do B. specify which resources they can access C. specify how to restrain hackers D. specify what operations they can perform on a system.

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: Access control is the collection of mechanisms that permits managers of a system to exercise a directing or restraining influence over the behavior, use, and content of a system. It permits management to specify what users can do, which resources they can access, and what operations they can perform on a system. Specifying HOW to restrain hackers is not directly linked to access control. Source: DUPUIS, Clement, Access Control Systems and Methodology, Version 1, May 2002, CISSP Open Study Group Study Guide for Domain 1, Page 12

QUESTION 46 The controls that usually require a human to evaluate the input from sensors or cameras to determine if a real threat exists are associated with: A. Preventive/physical B. Detective/technical C. Detective/physical D. Detective/administrative

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: Detective/physical controls usually require a human to evaluate the input from sensors or cameras to determine if a real threat exists. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36

QUESTION 103 Which of the following biometric devices offers the LOWEST CER? A. Keystroke dynamics B. Voice verification C. Iris scan D. Fingerprint

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: From most effective (lowest CER) to least effective (highest CER) are: Iris scan, fingerprint, voice verification, keystroke dynamics. Reference : Shon Harris Aio v3 , Chapter-4 : Access Control , Page : 131 Also see: http://www.sans.org/reading_room/whitepapers/authentication/biometric-selection- body-parts-online_139

QUESTION 98 Which of the following statements relating to the Bell-LaPadula security model is FALSE (assuming the Strong Star property is not being used)? A. A subject is not allowed to read up. B. The *- property restriction can be escaped by temporarily downgrading a high level subject. C. A subject is not allowed to read down. D. It is restricted to confidentiality.

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: It is not a property of Bell LaPadula model. The other answers are incorrect because: A subject is not allowed to read up is a property of the 'simple security rule' of Bell LaPadula model. The *- property restriction can be escaped by temporarily downgrading a high level subject can be escaped by temporarily downgrading a high level subject or by identifying a set of trusted objects which are permitted to violate the *-property as long as it is not in the middle of an operation. It is restricted to confidentiality as it is a state machine model that enforces the confidentiality aspects of access control. Reference: Shon Harris AIO v3 , Chapter-5 : Security Models and Architecture , Page:279-282

QUESTION 3 Which of the following is true about Kerberos? A. It utilizes public key cryptography. B. It encrypts data after a ticket is granted, but passwords are exchanged in plain text. C. It depends upon symmetric ciphers.D. It is a second party authentication system.

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: Kerberos depends on secret keys (symmetric ciphers). Kerberos is a third party authentication protocol. It was designed and developed in the mid 1980's by MIT. It is considered open source but is copyrighted and owned by MIT. It relies on the user's secret keys. The password is used to encrypt and decrypt the keys. The following answers are incorrect: It utilizes public key cryptography. Is incorrect because Kerberos depends on secret keys (symmetric ciphers). It encrypts data after a ticket is granted, but passwords are exchanged in plain text. Is incorrect because the passwords are not exchanged but used for encryption and decryption of the keys. It is a second party authentication system. Is incorrect because Kerberos is a third party authentication system, you authenticate to the third party (Kerberos) and not the system you are accessing. References: MIT http://web.mit.edu/kerberos/ Wikipedi http://en.wikipedia.org/wiki/Kerberos_%28protocol%29 OIG CBK Access Control (pages 181 - 184) AIOv3 Access Control (pages 151 - 155)

QUESTION 124 Smart cards are an example of which type of control? A. Detective control B. Administrative control C. Technical control D. Physical control

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: Logical or technical controls involve the restriction of access to systems and the protection of information. Smart cards and encryption are examples of these types of control. Controls are put into place to reduce the risk an organization faces, and they come in three main flavors: administrative, technical, and physical. Administrative controls are commonly referred to as "soft controls" because they are more management-oriented. Examples of administrative controls are security documentation, risk management, personnel security, and training. Technical controls (also called logical controls) are software or hardware components, as in firewalls, IDS, encryption, identification and authentication mechanisms. And physical controls are items put into place to protect facility, personnel, and resources. Examples of physical controls are security guards, locks, fencing, and lighting. Many types of technical controls enable a user to access a system and the resources within that system. A technical control may be a username and password combination, a Kerberos implementation, biometrics, public key infrastructure (PKI), RADIUS, TACACS +, or authentication using a smart card through a reader connected to a system. These technologies verify the user is who he says he is by using different types of authentication methods. Once a user is properly authenticated, he can be authorized and allowed access to network resources.Reference(s) used for this question: Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (p. 245). McGraw-Hill. Kindle Edition. and KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 32).

QUESTION 38 Which access control type has a central authority that determine to what objects the subjects have access to and it is based on role or on the organizational security policy? A. Mandatory Access Control B. Discretionary Access Control C. Non-Discretionary Access Control D. Rule-based Access control

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: Non Discretionary Access Control include Role Based Access Control (RBAC) and Rule Based Access Control (RBAC or RuBAC). RABC being a subset of NDAC, it was easy to eliminate RBAC as it was covered under NDAC already. Some people think that RBAC is synonymous with NDAC but RuBAC would also fall into this category. Discretionary Access control is for environment with very low level of security. There is no control on the dissemination of the information. A user who has access to a file can copy the file or further share it with other users. Rule Based Access Control is when you have ONE set of rules applied uniformly to all users. A good example would be a firewall at the edge of your network. A single rule based is applied against any packets received from the internet. Mandatory Access Control is a very rigid type of access control. The subject must dominate the object and the subject must have a Need To Know to access the information. Objects have labels that indicate the sensitivity (classification) and there is also categories to enforce the Need To Know (NTK). Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33

QUESTION 74 Kerberos is vulnerable to replay in which of the following circumstances? A. When a private key is compromised within an allotted time window. B. When a public key is compromised within an allotted time window.C. When a ticket is compromised within an allotted time window. D. When the KSD is compromised within an allotted time window.

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: Replay can be accomplished on Kerberos if the compromised tickets are used within an allotted time window. The security depends on careful implementation:enforcing limited lifetimes for authentication credentials minimizes the threat of of replayed credentials, the KDC must be physically secured, and it should be hardened, not permitting any non-kerberos activities. Reference: Official ISC2 Guide to the CISSP, 2007 Edition, page 184 also see: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 42

QUESTION 41 What is called the use of technologies such as fingerprint, retina, and iris scans to authenticate the individuals requesting access to resources? A. Micrometrics B. Macrometrics C. Biometrics D. MicroBiometrics

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 35

QUESTION 57 What is called a password that is the same for each log-on session? A. "one-time password" B. "two-time password" C. static password D. dynamic password

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36

QUESTION 42 What is called the access protection system that limits connections by calling back the number of a previously authorized location? A. Sendback systems B. Callback forward systems C. Callback systems D. Sendback forward systems

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: The Answer: Call back Systems; Callback systems provide access protection by calling back the number of a previously authorized location, but this control can be compromised by call forwarding. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 35

QUESTION 114 What can be defined as a table of subjects and objects indicating what actions individual subjects can take upon individual objects? A. A capacity table B. An access control list C. An access control matrix D. A capability table

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: The matrix lists the users, groups and roles down the left side and the resources and functions across the top. The cells of the matrix can either indicate that access is allowed or indicate the type of access. CBK pp 317 - 318 AIO3, p. 169 describes it as a table if subjects and objects specifying the access rights a certain subject possesses pertaining to specific objects. In either case, the matrix is a way of analyzing the access control needed by a population of subjects to a population of objects. This access control can be applied using rules, ACL's, capability tables, etc. "A capacity table" is incorrect.This answer is a trap for the unwary -- it sounds a little like "capability table" but is just there to distract you. "An access control list" is incorrect. "It [ACL] specifies a list of users [subjects] who are allowed access to each object" CBK, p. 188 Access control lists (ACL) could be used to implement the rules identified by an access control matrix but is different from the matrix itself. "A capability table" is incorrect. "Capability tables are used to track, manage and apply controls based on the object and rights, or capabilities of a subject. For example, a table identifies the object, specifies access rights allowed for a subject, and permits access based on the user's posession of a capability (or ticket) for the object." CBK, pp. 191-192 To put it another way, as noted in AIO3 on p. 169, "A capabiltiy table is different from an ACL because the subject is bound to the capability table, whereas the object is bound to the ACL." Again, a capability table could be used to implement the rules identified by an access control matrix but is different from the matrix itself. References: CBK pp. 191-192, 317-318 AIO3, p. 169

QUESTION 111 In a security context what are database views used for? A. To ensure referential integrity B. To allow easier access to data in a database C. To restrict user access to data in a database D. To provide audit trails

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: The use of a database view allows sensitive information to be hidden from unauthorized users. For example, the employee table might contain employee name, address, office extension and sensitive information such as social security number, etc. A view of the table could be constructed and assigned to the switchboard operator that only included the name and office extension. To ensure referential integrity is incorrect. Referential integrity states that for each foriegn key value in a database table, there must be another table that contains a record with that value as its primary key (CBK, p. 607). For example, consider a record in the line-items table of an order management database -- this table contains a foreign key of part-number from the parts-master table. Referential integrity states that for each part-number value in the line-items table, there must be a matching record with that same value in the parts-master table. Referential integrity helps avoids consistency problems that could occur when, for example, a part-number was deleted from parts-master that still appeared on records in the line-items table. To allow easier access to the database is incorrect. While views can be used for this purpose by, for example, combining information from several tables in a single view, this is not the best answer for the use of views in a security context. To provide audit trails is incorrect. Since a view only affects what columns of a table are shown, this has nothing to do with providing an audit trail. References: CBK, p. 632 AIOv3, p.168

QUESTION 126 What security model is dependent on security labels? A. Discretionary access control B. Label-based access control C. Mandatory access control D. Non-discretionary access control

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: With mandatory access control (MAC), the authorization of a subject's access to an object is dependant upon labels, which indicate the subject's clearance, and the classification or sensitivity of the object. Label-based access control is not defined. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 33).

QUESTION 24 The primary service provided by Kerberos is which of the following? A. non-repudiation B. confidentiality C. authentication D. authorization

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: non-repudiation. Since Kerberos deals primarily with symmetric cryptography, it does not help with non-repudiation. confidentiality. Once the client is authenticated by Kerberos and obtains its session key and ticket, it may use them to assure confidentiality of its communication with a server; however, that is not a Kerberos service as such. authorization. Although Kerberos tickets may include some authorization information, the meaning of the authorization fields is not standardized in the Kerberos specifications, and authorization is not a primary Kerberos service. The following reference(s) were/was used to create this question: ISC2 OIG,2007 p. 179-184 Shon Harris AIO v.3 152-155

QUESTION 1 A potential problem related to the physical installation of the Iris Scanner in regards to the usage of the iris pattern within a biometric system is: A. Concern that the laser beam may cause eye damage. B. The iris pattern changes as a person grows older. C. There is a relatively high rate of false accepts. D. The optical unit must be positioned so that the sun does not shine into the aperture.

Correct Answer: D Section: Identity and Access Management Explanation Explanation/Reference: Because the optical unit utilizes a camera and infrared light to create the images, sun light can impact the aperture so it must not be positioned in direct light of any type. Because the subject does not need to have direct contact with the optical reader, direct light can impact the reader. An Iris recognition is a form of biometrics that is based on the uniqueness of a subject's iris. A camera like device records the patterns of the iris creating what is known as Iriscode. It is the unique patterns of the iris that allow it to be one of the most accurate forms of biometric identification of an individual. Unlike other types of biometics, the iris rarely changes over time. Fingerprints can change over time due to scaring and manual labor, voice patterns can change due to a variety of causes, hand geometry can also change as well. But barring surgery or an accident it is not usual for an iris to change. The subject has a high-resoulution image taken of their iris and this is then converted to Iriscode. The current standard for the Iriscode was developed by John Daugman. When the subject attempts to be authenticated an infrared light is used to capture the iris image and this image is then compared to the Iriscode. If there is a match the subject's identity is confirmed. The subject does not need to have direct contact with the optical reader so it is a less invasive means of authentication then retinal scanning would be. Reference(s) used for this question: AIO, 3rd edition, Access Control, p 134 AIO, 4th edition, Access Control, p 182 Wikipedia - http://en.wikipedia.org/wiki/Iris_recognition The following answers are incorrect: Concern that the laser beam may cause eye damage. The optical readers do not use laser so, concern that the laser beam may cause eye damage is not an issue. The iris pattern changes as a person grows older. The question asked about the physical installation of the scanner, so this was not the best answer. If the question would have been about long term problems then it could have been the best choice. Recent research has shown that Irises actually do change over time: http:// www.nature.com/news/ageing-eyes-hinder- biometric-scans-110722 There is a relatively high rate of false accepts. Since the advent of the Iriscode there is a very low rate of false accepts, in fact the algorithm used has never had a false match. This all depends on the quality of the equipment used but because of the uniqueness of the iris even when comparing identical twins, iris patterns are unique.

QUESTION 76 RADIUS incorporates which of the following services? A. Authentication server and PIN codes. B. Authentication of clients and static passwords generation. C. Authentication of clients and dynamic passwords generation. D. Authentication server as well as support for Static and Dynamic passwords.

Correct Answer: D Section: Identity and Access Management Explanation Explanation/Reference: According to RFC 2865: A Network Access Server (NAS) operates as a client of RADIUS. The client is responsible for passing user information to designated RADIUS servers, and then acting on the response which is returned. RADIUS servers are responsible for receiving user connection requests, authenticating the user, and then returning all configuration information necessary for the client to deliver service to the user. RADIUS authentication is based on provisions of simple username/password credentials. These credentials are encrypted by the client using a shared secret between the client and the RADIUS server. OIG 2007, Page RADIUS incorporates an authentication server and can make usesof both dynamic and static passwords. Since it uses the PAP and CHAP protocols, it also incluses static passwords. RADIUS is an Internet protocol. RADIUS carries authentication, authorization, and configuration information between a Network Access Server and a shared Authentication Server. RADIUS features and functions are described primarily in the IETF (International Engineering Task Force) document RFC2138 The term " RADIUS" is an acronym which stands for Remote Authentication Dial In User Service. The main advantage to using a RADIUS approach to authentication is that it can provide a stronger form of authentication. RADIUS is capable of using a strong, two-factor form of authentication, in which users need to possess both a user ID and a hardware or software token to gain access. Token-based schemes use dynamic passwords. Every minute or so, the token generates a unique 4-, 6- or 8-digit access number that is synchronized with the security server. To gain entry into the system, the user must generate both this one-time number and provide his or her user ID and password. Although protocols such as RADIUS cannot protect against theft of an authenticated session via some realtime attacks, such as wiretapping, using unique, unpredictable authentication requests can protect against a wide range of active attacks. RADIUS: Key Features and Benefits Features Benefits RADIUS supports dynamic passwords and challenge/response passwords. Improved system security due to the fact that passwords are not static. It is much more difficult for a bogus host to spoof users into giving up their passwords or password-generation algorithms. RADIUS allows the user to have a single user ID and password for all computers in a network. Improved usability due to the fact that the user has to remember only one login combination. RADIUS is able to: Prevent RADIUS users from logging in via login (or ftp). Require them to log in via login (or ftp) Require them to login to a specific network access server (NAS); Control access by time of day. Provides very granular control over the types of logins allowed, on a per-user basis. The time-out interval for failing over from an unresponsive primary RADIUS server to a backup RADIUS server is site-configurable. RADIUS gives System Administrator more flexibility in managing which users can login from which hosts or devices. Stratus Technology Product Brief http://www.stratus.com/products/vos/openvos/radius.htm Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Pages 43, 44 Also check: MILLER, Lawrence & GREGORY, Peter, CISSP for Dummies, 2002, Wiley Publishing, Inc., pages 45-46

QUESTION 44 Controls such as job rotation, the sharing of responsibilities, and reviews of audit records are associated with: A. Preventive/physical B. Detective/technical C. Detective/physical D. Detective/administrative

Correct Answer: D Section: Identity and Access Management Explanation Explanation/Reference: Additional detective/administrative controls are job rotation, the sharing of responsibilities, and reviews of audit records. Reference(s) used for this question: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 35

QUESTION 127 What security model implies a central authority that define rules and sometimes global rules, dictating what subjects can have access to what objects? A. Flow Model B. Discretionary access control C. Mandatory access control D. Non-discretionary access control

Correct Answer: D Section: Identity and Access Management Explanation Explanation/Reference: As a security administrator you might configure user profiles so that users cannot change the system's time, alter system configuration files, access a command prompt, or install unapproved applications. This type of access control is referred to as nondiscretionary, meaning that access decisions are not made at the discretion of the user. Nondiscretionary access controls are put into place by an authoritative entity (usually a security administrator) with the goal of protecting the organization's most critical assets. Non-discretionary access control is when a central authority determines what subjects can have access to what objects based on the organizational security policy. Centralized access control is not an existing security model. Both, Rule Based Access Control (RuBAC or RBAC) and Role Based Access Controls (RBAC) falls into this category. Reference(s) used for this question: Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 221). McGraw-Hill. Kindle Edition. and KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 33).

QUESTION 50 Which one of the following factors is NOT one on which Authentication is based? A. Type 1 Something you know, such as a PIN or password B. Type 2 Something you have, such as an ATM card or smart card C. Type 3 Something you are (based upon one or more intrinsic physical or behavioral traits), such as a fingerprint or retina scan D. Type 4 Something you are, such as a system administrator or security administrator

Correct Answer: D Section: Identity and Access Management Explanation Explanation/Reference: Authentication is based on the following three factor types: Type 1 Something you know, such as a PIN or password Type 2 Something you have, such as an ATM card or smart card Type 3 Something you are (Unique physical characteristic), such as a fingerprint or retina scan Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36 Also: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 4: Access Control (pages 132-133).

QUESTION 54 Which one of the following factors is NOT one on which Authentication is based? A. Type 1 Something you know, such as a PIN or password B. Type 2 Something you have, such as an ATM card or smart card C. Type 3 Something you are (based upon one or more intrinsic physical or behavioral traits), such as a fingerprint or retina scan D. Type 4 Something you are, such as a system administrator or security administrator

Correct Answer: D Section: Identity and Access Management Explanation Explanation/Reference: Authentication is based on the following three factor types: Type 1. Something you know, such as a PIN or password Type 2. Something you have, such as an ATM card or smart card Type 3. Something you are (Unique physical characteristic), such as a fingerprint or retina scan Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36. Also: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 4: Access Control (pages 132-133).

QUESTION 129 Which of the following statements pertaining to biometrics is false? A. Increased system sensitivity can cause a higher false rejection rate B. The crossover error rate is the point at which false rejection rate equals the false acceptance rate. C. False acceptance rate is also known as Type II error. D. Biometrics are based on the Type 2 authentication mechanism.

Correct Answer: D Section: Identity and Access Management Explanation Explanation/Reference: Authentication is based on three factor types: type 1 is something you know, type 2 is something you have and type 3 is something you are. Biometrics are based on the Type 3 authentication mechanism. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 37).

QUESTION 121 Which of the following statements pertaining to the Bell-LaPadula is TRUE if you are NOT making use of the strong star property? A. It allows "read up." B. It addresses covert channels. C. It addresses management of access controls. D. It allows "write up."

Correct Answer: D Section: Identity and Access Management Explanation Explanation/Reference: BellLaPadula Confidentiality Model10 The BellLaPadula model is perhaps the most well- known and significant security model, in addition to being one of the oldest models used in the creation of modern secure computing systems. Like the Trusted Computer System Evaluation Criteria (or TCSEC), it was inspired by early U.S. Department of Defense security policies and the need to prove that confidentiality could be maintained. In other words, its primary goal is to prevent disclosure as the model system moves from one state (one point in time) to another. When the strong star property is not being used it means that both the * property and the Simple Security Property rules would be applied. The Star (*) property rule of the Bell-LaPadula model says that subjects cannot write down, this would compromise the confidentiality of the information if someone at the secret layer would write the object down to a confidential container for example. The Simple Security Property rule states that the subject cannot read up which means that a subject at the secret layer would not be able to access objects at Top Secret for example. You must remember: The model tells you about are NOT allowed to do. Anything else would be allowed. For example within the Bell LaPadula model you would be allowed to write up as it does not compromise the security of the information. In fact it would upgrade it to the point that you could lock yourself out of your own information if you have only a secret security clearance. The following are incorrect answers because they are all FALSE: "It allows read up" is incorrect. The "simple security" property forbids read up. "It addresses covert channels" is incorrect. Covert channels are not addressed by the Bell- LaPadula model. "It addresses management of access controls" is incorrect. Management of access controls are beyond the scope of the Bell-LaPadula model. Reference(s) used for this question: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 17595-17600). Auerbach Publications. Kindle Edition.

QUESTION 147 What is the Biba security model concerned with? A. Confidentiality B. Reliability C. Availability D. Integrity

Correct Answer: D Section: Identity and Access Management Explanation Explanation/Reference: The Biba security model addresses the integrity of data being threatened when subjects at lower security levels are able to write to objects at higher security levels and when subjects can read data at lower levels. Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter 5: Security Models and Architecture (Page 244).

QUESTION 18 Which of the following would constitute the best example of a password to use for access to a system by a network administrator? A. holiday B. Christmas12 C. Jenny D. GyN19Za!

Correct Answer: D Section: Identity and Access Management Explanation Explanation/Reference: GyN19Za! would be the best answer because it contains a mixture of upper and lower case characters, alphabetic and numeric characters, and a special character making it less vulnerable to password attacks. All of the other answers are incorrect because they are vulnerable to brute force or dictionary attacks. Passwords should not be common words or names. The addition of a number to the end of a common word only marginally strengthens it because a common password attack would also check combinations of words: Christmas23 Christmas123 etc...

QUESTION 14 In discretionary access environments, which of the following entities is authorized to grant information access to other people? A. Manager B. Group Leader C. Security Manager D. Data Owner

Correct Answer: D Section: Identity and Access Management Explanation Explanation/Reference: In Discretionary Access Control (DAC) environments, the user who creates a file is also considered the owner and has full control over the file including the ability to set permissions for that file. The following answers are incorrect: Manager is incorrect because in Discretionary Access Control (DAC) environments it is the owner/user that is authorized to grant information access to other people group leader. Is incorrect because in Discretionary Access Control (DAC) environments it is the owner/user that is authorized to grant information access to other people security manager. Is incorrect because in Discretionary Access Control (DAC) environments it is the owner/user that is authorized to grant information access to other people. IMPORTANT NOTE: The term Data Owner is also used within Classifications as well. Under the subject of classification the Data Owner is a person from management who has been entrusted with a data set that belongs to the company. For example it could be the Chief Financial Officer (CFO) who is entrusted with all of the financial data for a company. As such the CFO would determine the classification of the financial data and who can access as well. The Data Owner would then tell the Data Custodian (a technical person) what the classification and need to know is on the specific set of data. The term Data Owner under DAC simply means whoever created the file and as the creator of the file the owner has full access and can grant access to other subjects based on their identity.

QUESTION 95 In the course of responding to and handling an incident, you work on determining the root cause of the incident. In which step are you in? A. Recovery B. Containment C. Triage D. Analysis and tracking

Correct Answer: D Section: Identity and Access Management Explanation Explanation/Reference: In this step, your main objective is to examine and analyze what has occurred and focus on determining the root cause of the incident. Recovery is incorrect as recovery is about resuming operations or bringing affected systems back into production Containment is incorrect as containment is about reducing the potential impact of an incident. Triage is incorrect as triage is about determining the seriousness of the incident and filtering out false positives Reference: Official Guide to the CISSP CBK, pages 700-704

QUESTION 23 Which of the following is true of two-factor authentication? A. It uses the RSA public-key signature based on integers with large prime factors. B. It requires two measurements of hand geometry. C. It does not use single sign-on technology. D. It relies on two independent proofs of identity.

Correct Answer: D Section: Identity and Access Management Explanation Explanation/Reference: It relies on two independent proofs of identity. Two-factor authentication refers to using two independent proofs of identity, such as something the user has (e.g. a token card) and something the user knows (a password). Two-factor authentication may be used with single sign-on. The following answers are incorrect: It requires two measurements of hand geometry. Measuring hand geometry twice does not yield two independent proofs. It uses the RSA public-key signature based on integers with large prime factors. RSA encryption uses integers with exactly two prime factors, but the term "two- factor authentication" is not used in that context. It does not use single sign-on technology. This is a detractor. The following reference(s) were/was used to create this question: Shon Harris AIO v.3 p.129 ISC2 OIG, 2007 p. 126

QUESTION 29 What is the primary role of smartcards in a PKI? A. Transparent renewal of user keys B. Easy distribution of the certificates between the users C. Fast hardware encryption of the raw data D. Tamper resistant, mobile storage and application of private keys of the users

Correct Answer: D Section: Identity and Access Management Explanation Explanation/Reference: Reference: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 2001, McGraw- Hill/Osborne, page 139; SNYDER, J., What is a SMART CARD?. Wikipedia has a nice definition at: http://en.wikipedia.org/wiki/Tamper_resistance Security Tamper-resistant microprocessors are used to store and process private or sensitive information, such as private keys or electronic money credit. To prevent an attacker from retrieving or modifying the information, the chips are designed so that the information is not accessible through external means and can be accessed only by the embedded software, which should contain the appropriate security measures. Examples of tamper-resistant chips include all secure cryptoprocessors, such as the IBM 4758 and chips used in smartcards, as well as the Clipper chip. It has been argued that it is very difficult to make simple electronic devices secure against tampering, because numerous attacks are possible, including: physical attack of various forms (microprobing, drills, files, solvents, etc.) freezing the device applying out-of-spec voltages or power surges applying unusual clock signals inducing software errors using radiation measuring the precise time and power requirements of certain operations (see power analysis) Tamper-resistant chips may be designed to zeroise their sensitive data (especially cryptographic keys) if they detect penetration of their security encapsulation or out-of-specification environmental parameters. A chip may even be rated for "cold zeroisation", the ability to zeroise itself even after its power supply has been crippled. Nevertheless, the fact that an attacker may have the device in his possession for as long as he likes, and perhaps obtain numerous other samples for testing and practice, means that it is practically impossible to totally eliminate tampering by a sufficiently motivated opponent. Because of this, one of the most important elements in protecting a system is overall system design. In particular, tamper-resistant systems should "fail gracefully" by ensuring that compromise of one device does not compromise the entire system. In this manner, the attacker can be practically restricted to attacks that cost less than the expected return from compromising a single device (plus, perhaps, a little more for kudos). Since the most sophisticated attacks have been estimated to cost several hundred thousand dollars to carry out, carefully designed systems may be invulnerable in practice.

QUESTION 134 Which of the following is not a two-factor authentication mechanism? A. Something you have and something you know. B. Something you do and a password. C. A smartcard and something you are. D. Something you know and a password.

Correct Answer: D Section: Identity and Access Management Explanation Explanation/Reference: Something you know and a password fits within only one of the three ways authentication could be done. A password is an example of something you know, thereby something you know and a password does not constitute a two-factor authentication as both are in the same category of factors. A two-factor (strong) authentication relies on two different kinds of authentication factors out of a list of three possible choice: something you know (e.g. a PIN or password), something you have (e.g. a smart card, token, magnetic card), something you are is mostly Biometrics (e.g. a fingerprint) or something you do (e.g. signature dynamics). TIP FROM CLEMENT: On the real exam you can expect to see synonyms and sometimes sub-categories under the main categories. People are familiar with Pin, Passphrase, Password as subset of Something you know. However, when people see choices such as Something you do or Something you are they immediately get confused and they do not think of them as subset of Biometrics where you have Biometric implementation based on behavior and physilogical attributes. So something you do falls under the Something you are category as a subset. Something your do would be signing your name or typing text on your keyboard for example. Strong authentication is simply when you make use of two factors that are within two different categories. Reference(s) used for this question: Shon Harris, CISSP All In One, Fifth Edition, pages 158-159

QUESTION 146 What does the * (star) integrity axiom mean in the Biba model? A. No read up B. No write down C. No read down D. No write up

Correct Answer: D Section: Identity and Access Management Explanation Explanation/Reference: The *- (star) integrity axiom of the Biba access control model states that an object at one level of integrity is not permitted to modify an object of a higher level of integrity (no write up).Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security Architectures and Models (page 205).

QUESTION 10 An access control policy for a bank teller is an example of the implementation of which of the following? A. Rule-based policy B. Identity-based policy C. User-based policy D. Role-based policy

Correct Answer: D Section: Identity and Access Management Explanation Explanation/Reference: The position of a bank teller is a specific role within the bank, so you would implement a role- based policy. The following answers are incorrect: Rule-based policy. Is incorrect because this is based on rules and not the role of a of a bank teller so this would not be applicable for a specific role within an organization. Identity-based policy. Is incorrect because this is based on the identity of an individual and not the role of a bank teller so this would not be applicable for a specific role within an organization. User-based policy. Is incorrect because this would be based on the user and not the role of a bank teller so this would not be not be applicable for a specific role within an organization.

QUESTION 19 What physical characteristic does a retinal scan biometric device measure? A. The amount of light reaching the retina B. The amount of light reflected by the retina C. The pattern of light receptors at the back of the eye D. The pattern of blood vessels at the back of the eye

Correct Answer: D Section: Identity and Access Management Explanation Explanation/Reference: The retina, a thin nerve (1/50th of an inch) on the back of the eye, is the part of the eye which senses light and transmits impulses through the optic nerve to the brain - the equivalent of film in a camera. Blood vessels used for biometric identification are located along the neural retina, the outermost of retina's four cell layers. The following answers are incorrect: The amount of light reaching the retina The amount of light reaching the retina is not used in the biometric scan of the retina. The amount of light reflected by the retina The amount of light reflected by the retina is not used in the biometric scan of the retina. The pattern of light receptors at the back of the eye This is a distractor The following reference(s) were/was used to create this question: Reference: Retina Scan Technology. ISC2 Official Guide to the CBK, 2007 (Page 161)

QUESTION 133 What refers to legitimate users accessing networked services that would normally be restricted to them? A. Spoofing B. Piggybacking C. Eavesdropping D. Logon abuse

Correct Answer: D Section: Identity and Access Management Explanation Explanation/Reference: Unauthorized access of restricted network services by the circumvention of security access controls is known as logon abuse. This type of abuse refers to users who may be internal to the network but access resources they would not normally be allowed. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 74).

QUESTION 138 Which of the following access control models requires defining classification for objects? A. Role-based access control B. Discretionary access control C. Identity-based access control D. Mandatory access control

Correct Answer: D Section: Identity and Access Management Explanation Explanation/Reference: With mandatory access control (MAC), the authorization of a subject's access to an object is dependant upon labels, which indicate the subject's clearance, and classification of objects. The Following answers were incorrect: Identity-based Access Control is a type of Discretionary Access Control (DAC), they are synonymous. Role Based Access Control (RBAC) and Rule Based Access Control (RuBAC or RBAC) are types of Non Discretionary Access Control (NDAC). Tip: When you have two answers that are synonymous they are not the right choice for sure. There is only one access control model that makes use of Label, Clearances, and Categories, it is Mandatory Access Control, none of the other one makes use of those items. Reference(s) used for this question: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 33).

QUESTION 12 Organizations should consider which of the following first before allowing external access to their LANs via the Internet? A. Plan for implementing workstation locking mechanisms. B. Plan for protecting the modem pool. C. Plan for providing the user with his account usage information. D. Plan for considering proper authentication options.

Correct Answer: D Section: Identity and Access Management Explanation Explanation/Reference:Before a LAN is connected to the Internet, you need to determine what the access controls mechanisms are to be used, this would include how you are going to authenticate individuals that may access your network externally through access control. The following answers are incorrect: Plan for implementing workstation locking mechanisms. This is incorrect because locking the workstations have no impact on the LAN or Internet access. Plan for protecting the modem pool. This is incorrect because protecting the modem pool has no impact on the LAN or Internet access, it just protects the modem. Plan for providing the user with his account usage information. This is incorrect because the question asks what should be done first. While important your primary concern should be focused on security.