CISSP Cert Library Topic 8

What is a security policy? A. High level statements on management's expectations that must be met in regards to security B. A policy that defines authentication to the network. C. A policy that focuses on ensuring a secure posture and expresses management approval. It explains in detail how to implement the requirements. D. A statement that focuses on the authorization process for a system

Answer : A Explanation: A statement on the expectations that must be met to be considered compliant. This is because a policy is a broad statement that management has approved of and stands behind to express the security expectations for the organization. The following answers are incorrect: A statement that focuses on the authorization process for a system is incorrect because although authorization might be an important element for meeting security policies, it is not the only focus. A policy that defines authentication to the network is incorrect because authentication to the network is only one aspect of an entire security concern. The policy must also focus on more than the network and more than on authentication. A policy that focuses on ensuring a secure posture and expresses management approval. It explains in detail how to implement the requirements is incorrect due to the "explain in detail" portion. A policy is a statement, it does not deal with specifics. The following reference(s) were/was used to create this question: Shon Harris, Latest All in Once CISSP Exam Prep p227; also ISC2 Official Guide to the CISSP Exam, p82 NEXT QUESTION

What is used to protect programs from all unauthorized modification or executional interference? A. A protection domain p B. A security perimeter C. Security labels D. Abstraction

Answer : A Explanation: A protection domain consists of the execution and memory space assigned to each process. The purpose of establishing a protection domain is to protect programs from all unauthorized modification or executional interference. The security perimeter is the boundary that separates the Trusted Computing Base (TCB) from the remainder of the system. Security labels are assigned to resources to denote a type of classification. Abstraction is a way to protect resources in the fact that it involves viewing system components at a high level and ignoring its specific details, thus performing information hiding. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security Architecture and Models (page 193). NEXT QUESTION

What is a trusted shell? A. It means that someone who is working in that shell cannot "bust out of it", and other processes cannot "bust into it". B. It means that it is a communications channel between the user, or program, and the kernel. C. It means that someone working in that shell can communicate with someone else in another trusted shell. D. It means that it won't let processes overwrite other processes' data.

Answer : A Explanation: A trusted shell means that someone who is working in that shell cannot "bust out of it", and other processes cannot "bust into it". The following reference(s) were/was used to create this question: Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw- Hill/Osborne, 2008, chapter 5: Security Architecture and Design (page 323). NEXT QUESTION

Which of the following Confidentiality, Integrity, Availability (CIA) attribute supports the principle of least privilege by providing access to information only to authorized and intended users? A. Confidentiality B. Integrity C. Availability D. Accuracy

Answer : A Explanation: Confidentiality supports the principle of least privilege by providing that only authorized individuals, processes, or systems should have access to information on a need-to-know basis. The level of access that an authorized individual should have is at the level necessary for them to do their job. In recent years, much press has been dedicated to the privacy of information and the need to protect it from individuals, who may be able to commit crimes by viewing the information. Identity theft is the act of assuming ones identity through knowledge of confidential information obtained from various sources. An important measure to ensure confidentiality of information is data classification. This helps to determine who should have access to the information (public, internal use only, or confidential). Identification, authentication, and authorization through access controls are practices that support maintaining the confidentiality of information. A sample control for protecting confidentiality is to encrypt information. Encryption of information limits the usability of the information in the event it is accessible to an unauthorized person. For your exam you should know the information below: Integrity Integrity is the principle that information should be protected from intentional, unauthorized, or accidental changes. Information stored in files, databases, systems, and networks must be relied upon to accurately process transactions and provide accurate information for business decision making. Controls are put in place to ensure that information is modified through accepted practices. Sample controls include management controls such as segregation of duties, approval checkpoints in the systems development life cycle, and implementation of testing practices that assist in providing information integrity. Well-formed transactions and security of the update programs provide consistent methods of applying changes to systems. Limiting update access to those individuals with a need to access limits the exposure to intentional and unintentional modification. Availability Availability is the principle that ensures that information is available and accessible to users when needed. The two primary areas affecting the availability of systems are: 1. Denial-of-Service attacks and 2. Loss of service due to a disaster, which could be man-made (e.g., poor capacity planning resulting in system crash, outdated hardware, and poor testing resulting in system crash after upgrade) or natural (e.g., earthquake, tornado, blackout, hurricane, fire, and flood). In either case, the end user does not have access to information needed to conduct business. The criticality of the system to the user and its importance to the survival of the organization will determine how significant the impact of the extended downtime becomes. The lack of appropriate security controls can increase the risk of viruses, destruction of data, external penetrations, or denial-of-servi NEXT QUESTION

Memory management in TCSEC levels B3 and A1 operating systems may utilize "data hiding". What does this mean? g A. System functions are layered, and none of the functions in a given layer can access data outside that layer. B. Auditing processes and their memory addresses cannot be accessed by user processes. C. Only security processes are allowed to write to ring zero memory. D. It is a form of strong encryption cipher.

Answer : A Explanation: Data Hiding is protecting data so that it is only available to higher levels this is done and is also performed by layering, when the software in each layer maintains its own global data and does not directly reference data outside its layers. The following answers are incorrect: Auditing processes and their memory addresses cannot be accessed by user processes. Is incorrect because this does not offer data hiding. Only security processes are allowed to write to ring zero memory. This is incorrect, the security kernel would be responsible for this. It is a form of strong encryption cipher. Is incorrect because this does not conform to the definition of data hiding. NEXT QUESTION

Which of the following control is intended to discourage a potential attacker? A. Deterrent B. Preventive C. Corrective D. Recovery

Answer : A Explanation: Deterrent Control are intended to discourage a potential attacker For your exam you should know below information about different security controls Deterrent Controls Deterrent Controls are intended to discourage a potential attacker. Access controls act as a deterrent to threats and attacks by the simple fact that the existence of the control is enough to keep some potential attackers from attempting to circumvent the control. This is often because the effort required to circumvent the control is far greater than the potential reward if the attacker is successful, or, conversely, the negative implications of a failed attack (or getting caught) outweigh the benefits of success. For example, by forcing the identification and authentication of a user, service, or application, and all that it implies, the potential for incidents associated with the system is significantly reduced because an attacker will fear association with the incident. If there are no controls for a given access path, the number of incidents and the potential impact become infinite. Controls inherently reduce exposure to risk by applying oversight for a process. This oversight acts as a p p y p y pp y g g p g deterrent, curbing an attackers appetite in the face of probable repercussions. The best example of a deterrent control is demonstrated by employees and their propensity to intentionally perform unauthorized functions, leading to unwanted events. When users begin to understand that by authenticating into a system to perform a function, their activities are logged and monitored, and it reduces the likelihood they will attempt such an action. Many threats are based on the anonymity of the threat agent, and any potential for identification and association with their actions is avoided at all costs. It is this fundamental reason why access controls are the key target of circumvention by attackers. Deterrents also take the form of potential punishment if users do something unauthorized. For example, if the organization policy specifies that an employee installing an unauthorized wireless access point will be fired, that will determine most employees from installing wireless access points. Preventative Controls Preventive controls are intended to avoid an incident from occurring. Preventative access controls keep a user from performing some activity or function. Preventative controls differ from deterrent controls in that the control is not optional and cannot (easily) be bypassed. Deterrent controls work on the theory that it is easier to obey the control rather than to risk the consequences of bypassing the control. In other words, the power for action resides with the user (or the attacker). Preventative controls place the power of action with the system, obeying the control is not optional. The only way to bypass the control is to find a flaw in the controls implementation. Compensating Controls Compensating controls are introduced when the existing capabilities of a system do not supp NEXT QUESTION

Why does compiled code pose more of a security risk than interpreted code? A. Because malicious code can be embedded in compiled code and be difficult to detect. B. If the executed compiled code fails, there is a chance it will fail insecurely. C. Because compilers are not reliable. D. There is no risk difference between interpreted code and compiled code.

Answer : A Explanation: From a security standpoint, a compiled program is less desirable than an interpreted one because malicious code can be resident somewhere in the compiled code, and it is difficult to detect in a very large program. NEXT QUESTION

Which of the following is not classified as a "Security and Audit Frameworks and Methodologies" A. Bell LaPadula B. Committee of Sponsoring Organizations of the Treadway Commission (COSO) C. IT Infrastructure Library (ITIL) D. Control Objectives for Information and related Technology (COBIT)

Answer : A Explanation: From the official Guide, second edition: Bell LaPadula is a Security Model. "In general, most security models will focus on defining allowed interactions between subjects (active parties) and objects (passive parties) at a particular moment in time." The remaining three listed would all be classifed as frameworks. "Multiple frameworks and methodologies have been created to support security, auditing, and risk assessment of implemented security controls. These resources are valuable to assist in the design and testing of a security program. The following frameworks and methodologies have each gained a degree of acceptance within the auditing or information security community and assist with information security and auditing. Although the origins of several of them were not specifically designed to support information security, many of the processes within these practices help security professionals identify and implement controls in support of confidentiality, integrity, and availability." The following reference(s) were/was used to create this question: Tipton, Harold F. (2010-04-20). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) Chapter 3, Information Security Governance and Risk Management, Pages 514-516 NEXT QUESTION

Which International Organization for Standardization standard is commonly referred to as the 'common criteria'? A. 15408 B. 27001 C. 14000 D. 22002

Answer : A Explanation: From the official guide: "The publication of the Common Criteria as the ISO/IEC 15408 standard provided the first truly international product evaluation criteria. It has largely superseded all other criteria, although there continue to be products in general use that were certified under TCSEC, ITSEC and other criteria. It takes a very similar approach to ITSEC by providing a flexible set of functional and assurance requirements, and like ITSEC, it is not very proscriptive as TCSEC had been. Instead, it is focused on standardizing the general approach to product evaluation and providing mutual recognition of such evaluations all over the world." The following answers are incorrect: - 27001 ISO/IEC 27000 is part of a growing family of ISO/IEC Information Security Management Systems (ISMS) standards, the 'ISO/IEC 27000 series'. ISO/IEC 27000 is an international standard entitled: Information technology Security techniques Information security management systems Overview and vocabulary. - 14000 ISO 14000 is a family of standards related to environmental management that exists to help organizations (a) minimize how their operations (processes etc.) negatively affect the environment (i.e. cause adverse changes to air, water, or land); (b) comply with applicable laws, regulations, and other environmentally oriented requirements, and (c) continually improve in the above. ISO 14000 is similar to ISO 9000 quality management in that both pertain to the process of how a product is produced, rather than to the product itself. As with ISO 9000, certification is performed by third-party organizations rather than being awarded by ISO directly. The ISO 19011 audit standard applies when auditing for both 9000 and 14000 compliance at once. The requirements of ISO 14000 are an integral part of the European Unions environmental management scheme EMAS. EMASs structure and material requirements are more demanding, foremost concerning performance improvement, legal compliance and reporting duties. - 22002 ISO/TS 22002- Prerequisite programmes on food safetyPart 1: Food manufacturing The following reference(s) were/was used to create this question: Tipton, Harold F. (2010-04-20). Official (ISC)2 Guide to the CISSP CBK, Second Edition ((ISC)2 Press), Chapter 9, Security Architecture and Design and https://en.wikipedia.org/wiki/ISO_14000 and https://en.wikipedia.org/wiki/ISO/IEC_27000 and https://en.wikipedia.org/wiki/ISO_22000 NEXT QUESTION

An Architecture where there are more than two execution domains or privilege levels is called: A. Ring Architecture. B. Ring Layering C. Network Environment. D. Security Models

Answer : A Explanation: In computer science, hierarchical protection domains, often called protection rings, are a mechanism to protect data and functionality from faults (fault tolerance) and malicious behavior (computer security). This approach is diametrically opposite to that of capability-based security. Computer operating systems provide different levels of access to resources. A protection ring is one of two or more hierarchical levels or layers of privilege within the architecture of a computer system. This is generally hardware-enforced by some CPU architectures that provide different CPU modes at the hardware or microcode level. Rings are arranged in a hierarchy from most privileged (most trusted, usually numbered zero) to least privileged (least trusted, usually with the highest ring number). On most operating systems, Ring 0 is the level with the most privileges and interacts most directly with the physical hardware such as the CPU and memory. Special gates between rings are provided to allow an outer ring to access an inner ring's resources in a predefined manner, as opposed to allowing arbitrary usage. Correctly gating access between rings can improve security by preventing programs from one ring or privilege level from misusing resources intended for programs in another. For example, spyware running as a user program in Ring 3 should be prevented from turning on a web camera without informing the user, since hardware access should be a Ring 1 function reserved for device drivers. Programs such as web browsers running in higher numbered rings must request access to the network, a resource restricted to a lower numbered ring. Ring Architecture All of the other answers are incorrect because they are detractors. References: OIG CBK Security Architecture and Models (page 311) and https://en.wikipedia.org/wiki/Ring_%28computer_security%29 NEXT QUESTION

The Orange Book describes four hierarchical levels to categorize security systems. Which of the following levels require mandatory protection? A. A and B B. B and C C. A, B, and C D. B and D

Answer : A Explanation: Level B is the first to require Mandatory Protection. Because the higher levels also inherit the requirements of all lower levels, level A also requires Mandatory Protection. The following answers are incorrect: B and C. Is incorrect because Mandatory Protection is not required until level B, Level C is a lower level. A, B, and C. Is incorrect because Mandatory Protection is not required until level B, Level C is a lower level. B and D. Is incorrect because Mandatory Protection is not required until level B, Level D is a lower level. One of the first accpted evaluation standards was the Trusted Computer Security Evaluation Criteria or TCSEC. The Orange Book was part of this standard that defines four security divisions consisting of seven different classes for security ratings. The lowest class offering the least protection is D - Minimal protection. The highest classification would be A1 offering the most secure environment. As you go to the next division and class you inherit the requirements of the lower levels. So, for example C2 would also incorporate the requirements for C1 and D. The divisions and classes are: D Minimal protection C Discretionary protection C1 Discretionary Security Protection C2 Controlled Access Protection B Mandatory Protection B1 Labeled Security B2 Structured Protection B3 Security Domains A Verified Protection A1 Verified Design Wikipedia: "TCSEC was replaced with the development of the Common Criteria international standard originally published in 2005." References: OIG CBK, Security Architecture and Design (pages 329 - 330) AIO, 3rd Edition, Security Models and Architecture (pages 302 - 306) AIO, 4th Edition, Security Architecture and Design, pp357-361. Wikipedia - http://en.wikipedia.org/wiki/TCSEC#Divisions_and_Classes DOD TCSEC - http://www.cerberussystems.com/INFOSEC/stds/d520028.htm NSI reference for Orange book: http://nsi.org/Library/Compsec/orangebo.txt NEXT QUESTION

Which of the following ensures that a TCB is designed, developed, and maintained with formally controlled standards that enforces protection at each stage in the system's life cycle? A. life cycle assurance B. operational assurance C. covert timing assurance D. covert storage assurance

Answer : A Explanation: Life-cycle Assurance - Requirements specified in the Orange Book are: security testing, design specification and testing, configuration management, and trusted distribution. Operational Assurance - Concentrates on the product's architecture, embedded features, and functionality that enable a customer to continually obtain the necessary level of protection when using the product. Reference(s) used for this question: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, page 219. Also check out: HARRIS, Shon, All-In-One CISSP Certification Exam Guide 3rd Edition, McGraw- Hill/Osborne, 2005 (pages 904, 961). NEXT QUESTION

Which of the following would best classify as a management control? A. Review of security controls B. Personnel security C. Physical and environmental protection D. Documentation

Answer : A Explanation: Management controls focus on the management of the IT security system and the management of risk for a system. They are techniques and concerns that are normally addressed by management. Routine evaluations and response to identified vulnerabilities are important elements of managing the risk of a system, thus considered management controls. SECURITY CONTROLS: The management, operational, and technical controls (i.e.,safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. SECURITY CONTROL BASELINE: The set of minimum security controls defined for a low- impact, moderate-impact,or high-impact information system. The following are incorrect answers: Personnel security, physical and environmental protection and documentation are forms of operational controls. Reference(s) used for this question: http://csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf and FIPS PUB 200 at http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf NEXT QUESTION

John is the product manager for an information system. His product has undergone under security review by an IS auditor. John has decided to apply appropriate security controls to reduce the security risks suggested by an IS auditor. Which of the following technique is used by John to treat the identified risk provided by an IS auditor? A. Risk Mitigation B. Risk Acceptance C. Risk Avoidance D. Risk transfer

Answer : A Explanation: Risk mitigation is the practice of the elimination of, or the significant decrease in the level of risk presented. For your exam you should know below information about risk assessment and treatment: A risk assessment, which is a tool for risk management, is a method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls. A risk assessment is carried out, and the results are analyzed. Risk analysis is used to ensure that security is cost-effective, relevant, timely, and responsive to threats. Security can be quite complex, even for well-versed security professionals, and it is easy to apply too much security, not enough security, or the wrong security controls, and to spend too much money in the process without attaining the necessary objectives. Risk analysis helps companies prioritize their risks and shows management the amount of resources that should be applied to protecting against those risks in a sensible manner. A risk analysis has four main goals: Identify assets and their value to the organization. Identify vulnerabilities and threats. Quantify the probability and business impact of these potential threats. Provide an economic balance between the impact of the threat and the cost of the countermeasure. Treating Risk Risk Mitigation Risk mitigation is the practice of the elimination of, or the significant decrease in the level of risk presented. Examples of risk mitigation can be seen in everyday life and are readily apparent in the information technology world. Risk Mitigation involves applying appropriate control to reduce risk. For example, to lessen the risk of exposing personal and financial information that is highly sensitive and confidential organizations put countermeasures in place, such as firewalls, intrusion detection/prevention systems, and other mechanisms, to deter malicious outsiders from accessing this highly sensitive information. In the underage driver example, risk mitigation could take the form of driver education for the youth or establishing a policy not allowing the young driver to use a cell phone while driving, or not letting youth of a certain age have more than one friend in the car as a passenger at any given time. Risk Transfer Risk transfer is the practice of passing on the risk in question to another entity, such as an insurance company. Let us look at one of the examples that were presented above in a different way. The family is evaluating whether to permit an underage driver to use the family car. The family decides that it is important for the youth to be mobile, so it transfers the financial risk of a youth being in an accident to the insurance company, which provides the family with auto insurance. It is important to note that the transfer of risk may be accompanied by a cost. This is certainly true for the insurance example presented earlier, and can be seen in other insurance instances, such as liability insu NEXT QUESTION

Sensitivity labels are an example of what application control type? A. Preventive security controls B. Detective security controls C. Compensating administrative controls D. Preventive accuracy controls

Answer : A Explanation: Sensitivity labels are a preventive security application controls, such as are firewalls, reference monitors, traffic padding, encryption, data classification, one-time passwords, contingency planning, separation of development, application and test environments. The incorrect answers are: Detective security controls - Intrusion detection systems (IDS), monitoring activities, and audit trails. Compensating administrative controls - There no such application control. Preventive accuracy controls - data checks, forms, custom screens, validity checks, contingency planning, and backups. Sources: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 7: Applications and Systems Development (page 264). KRUTZ, Ronald & VINES, Russel, The CISSP Prep Guide: Gold Edition, Wiley Publishing Inc., 2003, Chapter 7: Application Controls, Figure 7.1 (page 360). NEXT QUESTION

Which of the following is NOT a basic component of security architecture? A. Motherboard B. Central Processing Unit (CPU C. Storage Devices D. Peripherals (input/output devices)

Answer : A Explanation: The CPU, storage devices and peripherals each have specialized roles in the security archecture. The CPU, or microprocessor, is the brains behind a computer system and performs calculations as it solves problemes and performs system tasks. Storage devices provide both long- and short-term stoarge of information that the CPU has either processed or may process. Peripherals (scanners, printers, modems, etc) are devices that either input datra or receive the data output by the CPU. The motherboard is the main circuit board of a microcomputer and contains the connectors for attaching additional boards. Typically, the motherboard contains the p g yp y, CPU, BIOS, memory, mass storage interfaces, serial and parallel ports, expansion slots, and all the controllers required to control standard peripheral devices. Reference(s) used for this question: TIPTON, Harold F., The Official (ISC)2 Guide to the CISSP CBK (2007), page 308. NEXT QUESTION

CobiT was developed from the COSO framework. Which of the choices below best describe the COSO's main objectives and purpose? A. COSO main purpose is to help ensure fraudulent financial reporting cannot take place in an organization B. COSO main purpose is to define a sound risk management approach within financial companies. C. COSO addresses corporate culture and policy development. D. COSO is risk management system used for the protection of federal systems.

Answer : A Explanation: The Committee of Sponsoring Organizations of the Treadway Commission (COSO)2 was formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, which studied factors that lead to fraudulent financial reporting and produced recommendations for public companies, their auditors, the Securities Exchange Commission, and other regulators. COSO identifies five areas of internal control necessary to meet the financial reporting and disclosure objectives. These include: (1) control environment, (2) risk assessment, (3) control activities, (4) information and communication, and (5) monitoring. The COSO internal control model has been adopted as a framework by some organizations working toward SarbanesOxley Section 404 compliance. COSO deals more at the strategic level, while CobiT focuses more at the operational level. CobiT is a way to meet many of the COSO objectives, but only from the IT perspective. COSO deals with non-IT items also, as in company culture, financial accounting principles, board of director responsibility, and internal communication structures. Its main purpose is to help ensure fraudulent financial reporting cannot take place in an organization. COBIT Control Objectives for Information and related Technology (COBIT)4 is published by the IT Governance Institute and integrates the following IT and risk frameworks: CobiT 4.1 Val IT 2.0 Risk IT IT Assurance Framework (ITAF) Business Model for Information Security (BMIS) The COBIT framework examines the effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability aspects of the high-level control objectives. The framework provides an overall structure for information technology control and includes control objectives that can be utilized to determine effective security control objectives that are driven from the business needs. The Information Systems Audit and Control Association (ISACA) dedicates numerous resources to the support and understanding of COBIT. The following answers are incorrect: COSO main purpose if to define a sound risk management approach within financial companies. COSO addresses corporate culture and policy development. COSO is risk management system used for the protection of federal systems. The following reference(s) were/was used to create this question: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 9791-9800). Auerbach Publications. Kindle Edition. NEXT QUESTION

Which of the following security controls might force an operator into collusion with personnel assigned organizationally within a different function in order to gain access to unauthorized data? A. Limiting the local access of operations personnel B. Job rotation of operations personnel C. Management monitoring of audit logs D. Enforcing regular password changes

Answer : A Explanation: The questions specifically said: "within a different function" which eliminate Job Rotation as a choice. Management monitoring of audit logs is a detective control and it would not prevent collusion. Changing passwords regularly would not prevent such attack. This question validates if you understand the concept of separation of duties and least privilege. By having operators that have only the minimum access level they need and only what they need to do their duties within a company, the operations personnel would be force to use collusion to defeat those security mechanism. Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation. NEXT QUESTION

The Reference Validation Mechanism that ensures the authorized access relationships between subjects and objects is implementing which of the following concept: A. The reference monitor. B. Discretionary Access Control. C. The Security Kernel. D. Mandatory Access Control.

Answer : A Explanation: The reference monitor concept is an abstract machine that ensures that all subjects have the necessary access rights before accessing objects. Therefore, the kernel will mediates all accesses to objects by subjects and will do so by validating through the reference monitor concept. The kernel does not decide whether or not the access will be granted, it will be the Reference Monitor which is a subset of the kernel that will say YES or NO. All access requests will be intercepted by the Kernel, validated through the reference monitor, and then access will either be denied or granted according to the request and the subject privileges within the system. 1. The reference monitor must be small enough to be full tested and valided 2. The Kernel must MEDIATE all access request from subjects to objects 3. The processes implementing the reference monitor must be protected 4. The reference monitor must be tamperproof The following answers are incorrect: The security kernel is the mechanism that actually enforces the rules of the reference monitor concept. The other answers are distractors. Shon Harris, All In One, 5th Edition, Security Architecture and Design, Page 330 also see http://en.wikipedia.org/wiki/Reference_monitor NEXT QUESTION

What can be defined as an abstract machine that mediates all access to objects by subjects to ensure that subjects have the necessary access rights and to protect objects j j from unauthorized access? y g p j A. The Reference Monitor B. The Security Kernel C. The Trusted Computing Base D. The Security Domain

Answer : A Explanation: The reference monitor refers to abstract machine that mediates all access to objects by subjects. This question is asking for the concept that governs access by subjects to objects, thus the reference monitor is the best answer. While the security kernel is similar in nature, it is what actually enforces the concepts outlined in the reference monitor. In operating systems architecture a reference monitor concept defines a set of design requirements on a reference validation mechanism, which enforces an access control policy over subjects' (e.g., processes and users) ability to perform operations (e.g., read and write) on objects (e.g., files and sockets) on a system. The properties of a reference monitor are: The reference validation mechanism must always be invoked (complete mediation). Without this property, it is possible for an attacker to bypass the mechanism and violate the security policy. The reference validation mechanism must be tamperproof (tamperproof). Without this property, an attacker can undermine the mechanism itself so that the security policy is not correctly enforced. The reference validation mechanism must be small enough to be subject to analysis and tests, the completeness of which can be assured (verifiable). Without this property, the mechanism might be flawed in such a way that the policy is not enforced. For example, Windows 3.x and 9x operating systems were not built with a reference monitor, whereas the Windows NT line, which also includes Windows 2000 and Windows XP, was designed to contain a reference monitor, although it is not clear that its properties (tamperproof, etc.) have ever been independently verified, or what level of computer security it was intended to provide. The claim is that a reference validation mechanism that satisfies the reference monitor concept will correctly enforce a system's access control policy, as it must be invoked to mediate all security-sensitive operations, must not be tampered, and has undergone complete analysis and testing to verify correctness. The abstract model of a reference monitor has been widely applied to any type of system that needs to enforce access control, and is considered to express the necessary and sufficient properties for any system making this security claim. According to Ross Anderson, the reference monitor concept was introduced by James Anderson in an influential 1972 paper. Systems evaluated at B3 and above by the Trusted Computer System Evaluation Criteria (TCSEC) must enforce the reference monitor concept. The reference monitor, as defined in AIO V5 (Harris) is: "an access control concept that refers to an abstract machine that mediates all access to objects by subjects." The security kernel, as defined in AIO V5 (Harris) is: "the hardware, firmware, and software elements of a trusted computing based (TCB) that implement the reference monitor concept. The kernel must mediate all access between subjects and objects, be protected from modifica NEXT QUESTION

What does the simple security (ss) property mean in the Bell-LaPadula model? A. No read up B. No write down C. No read down D. No write up

Answer : A Explanation: The ss (simple security) property of the Bell-LaPadula access control model states that reading of information by a subject at a lower sensitivity level from an object at a higher sensitivity level is not permitted (no read up). Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security Architectures and Models (page 202). NEXT QUESTION

Pervasive Computing and Mobile Computing Devices have to sacrifice certain functions. Which statement concerning those devices is false. g A. In many cases, security services has been enhanced due to the lack of services available. B. These devices share common security concerns with other resource-constrained devices. C. In many cases, security services have been sacrificed to provide richer user interaction when processing power is very limited. D. Their mobility has made them a prime vector for data loss since they can be used to transmit and store information in ways that may be difficult to control.

Answer : A Explanation: This is a detailed oriented question to test if you are paying attention to both the question and answer. While the answer sounds legitimate, it is not truly the case in these types of devices. Just remember, even if you have one service running, that does not mean you are secure if the service itself has not been secured. From the official guide: "The number of small mobile devices has grown considerably in the past four or five years. Products vary from sophisticated mobile phones, such as third-generation (3G) handsets, to full-featured netbooks and personal digital assistants (PDAs). These devices share common security concerns with other resource-constrained devices. In many cases, security services have been sacrificed to provide richer user interaction when processing power is very limited. Also, their mobility has made them a prime vector for data loss since they can be used to transmit and store information in ways that may be difficult to control." The following answers are incorrect: - These devices share common security concerns with other resource-constrained devices. - In many cases, security services have been sacrificed to provide richer user interaction when processing power is very limited. - Their mobility has made them a prime vector for data loss since they can be used to transmit and store information in ways that may be difficult to control. The following reference(s) were/was used to create this question: Tipton, Harold F. (2010-04-20). Official (ISC)2 Guide to the CISSP CBK, Second Edition ((ISC)2 Press), Chapter 9, Security Architecture and Design NEXT QUESTION

What security problem is most likely to exist if an operating system permits objects to be used sequentially by multiple users without forcing a refresh of the objects? A. Disclosure of residual data. B. Unauthorized obtaining of a privileged execution state. C. Denial of service through a deadly embrace. D. Data leakage through covert channels.

Answer : A Explanation: This question is asking you to consider the effects of object reuse. Object reuse is "reassigning to subject media that previously contained information. Object reuse is a security concern because if insufficient measures were taken to erase the information on the media, the information may be disclosed to unauthorized personnel." This concept relates to Security Architecture and Design, because it is in level C2: Controlled Access Protection, of the Orange Book, where "The object reuse concept must be invoked, meaning that any medium holding data must not contain any remnants of information after it is release for another subject to use." REFERENCE: AIO Version 5 (Shon Harris), page 360 and TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation. NEXT QUESTION

What does the Clark-Wilson security model focus on? A. Confidentiality B. Integrity C. Accountability D. Availability

Answer : B }{ Answer : B Explanation: The Clark-Wilson model addresses integrity. It incorporates mechanisms to enforce internal and external consistency, a separation of duty, and a mandatory integrity policy. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security Architectures and Models (page 205). NEXT QUESTION

What is the main purpose of Corporate Security Policy? A. To transfer the responsibility for the information security to all users of the organization B. To communicate management's intentions in regards to information security C. To provide detailed steps for performing specific actions D. To provide a common framework for all development activities

Answer : B Explanation: A Corporate Security Policy is a high level document that indicates what are management`s intentions in regard to Information Security within the organization. It is high level in purpose, it does not give you details about specific products that would be use, specific steps, etc.. The organizations requirements for access control should be defined and documented in its security policies. Access rules and rights for each user or group of users should be clearly stated in an access policy statement. The access control policy should minimally consider: Statements of general security principles and their applicability to the organization Security requirements of individual enterprise applications, systems, and services Consistency between the access control and information classification policies of different systems and networks Contractual obligations or regulatory compliance regarding protection of assets Standards defining user access profiles for organizational roles Details regarding the management of the access control system As a Certified Information System Security Professional (CISSP) you would be involved directly in the drafting and coordination of security policies, standards and supporting guidelines, procedures, and baselines. Guidance provided by the CISSP for technical security issues, and emerging threats are considered for the adoption of new policies. Activities such as interpretation of government regulations and industry trends and analysis of vendor solutions to include in the security architecture that advances the security of the organization are performed by the CISSP as well. The following are incorrect answers: To transfer the responsibility for the information security to all users of the organization is bogus. You CANNOT transfer responsibility, you can only tranfer authority. Responsibility will also sit with upper management. The keyworks ALL and USERS is also an indication that it is the wrong choice. To provide detailed steps for performing specific actions is also a bogus detractor. A step by step document is referred to as a procedure. It details how to accomplish a specific task. To provide a common framework for all development activities is also an invalid choice. Security Policies are not restricted only to development activities. Reference Used for this question: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 1551-1565). Auerbach Publications. Kindle Edition. and Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 9109-9112). Auerbach Publications. Kindle Edition. NEXT QUESTION

NO: 87 What can best be described as a domain of trust that shares a single security policy and single management? A. The reference monitor B. A security domain C. The security kernel D. The security perimeter

Answer : B Explanation: A security domain is a domain of trust that shares a single security policy and single management. The term security domain just builds upon the definition of domain by adding the fact that resources within this logical structure (domain) are working under the same security policy and managed by the same group. So, a network administrator may put all of the accounting personnel, computers, and network resources in Domain 1 and all of the management personnel, computers, and network resources in Domain 2. These items fall into these individual containers because they not only carry out similar types of business functions, but also, and more importantly, have the same type of trust level. It is this common trust level that allows entities to be managed by one single security policy. The different domains are separated by logical boundaries, such as firewalls with ACLs, directory services making access decisions, and objects that have their own ACLs indicating which individuals and groups can carry out operations on them. All of these security mechanisms are examples of components that enforce the security policy for each domain. Domains can be architected in a hierarchical manner that dictates the relationship between the different domains and the ways in which subjects within the different domains can communicate. Subjects can access resources in domains of equal or lower trust levels. The following are incorrect answers: The reference monitor is an abstract machine which must mediate all access to subjects to objects, be protected from modification, be verifiable as correct, and is always invoked. Concept that defines a set of design requirements of a reference validation mechanism (security kernel), which enforces an access control policy over subjects (processes, users) ability to perform operations (read, write, execute) on objects (files, resources) on a system. The reference monitor components must be small enough to test properly and be tamperproof. The security kernel is the hardware, firmware and software elements of a trusted computing base that implement the reference monitor concept. The security perimeter includes the security kernel as well as other security-related system functions that are within the boundary of the trusted computing base. System elements that are outside of the security perimeter need not be trusted. not every process and resource falls within the TCB, so some of these components fall outside of an imaginary boundary referred to as the security perimeter. A security perimeter is a boundary that divides the trusted from the untrusted. For the system to stay in a secure and trusted state, precise communication standards must be developed to ensure that when a component within the TCB needs to communicate with a component outside the TCB, the communication cannot expose the system to unexpected security compromises. This type of communication is handled and controlled through interfaces. Reference(s) use NEXT QUESTION

How should a doorway of a manned facility with automatic locks be configured? A. It should be configured to be fail-secure. B. It should be configured to be fail-safe. C. It should have a door delay cipher lock. D. It should not allow piggybacking.

Answer : B Explanation: Access controls are meant to protect facilities and computers as well as people. In some situations, the objectives of physical access controls and the protection of people's lives may come into conflict. In theses situations, a person's life always takes precedence. Many physical security controls make entry into and out of a facility hard, if not impossible. However, special consideration needs to be taken when this could affect lives. In an information processing facility, different types of locks can be used and piggybacking should be prevented, but the issue here with automatic locks is that they can either be configured as fail-safe or fail-secure. Since there should only be one access door to an information processing facility, the automatic lock to the only door to a man-operated room must be configured to allow people out in case of emergency, hence to be fail-safe (sometimes called fail-open), meaning that upon fire alarm activation or electric power failure, the locking device unlocks. This is because the solenoid that maintains power to the lock to keep it in a locked state fails and thus opens or unlocks the electronic lock. Fail Secure works just the other way. The lock device is in a locked or secure state with no power applied. Upon authorized entry, a solinoid unlocks the lock temporarily. Thus in a Fail Secure lock, loss of power of fire alarm activation causes the lock to remain in a secure mode. Reference(s) used for this question: Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 451). McGraw- Hill. Kindle Edition. and Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 20249-20251). Auerbach Publications. Kindle Edition. NEXT QUESTION

What mechanism does a system use to compare the security labels of a subject and an object? A. Validation Module. B. Reference Monitor. C. Clearance Check. D. Security Module. y

Answer : B Explanation: Because the Reference Monitor is responsible for access control to the objects by the subjects it compares the security labels of a subject and an object. According to the OIG: The reference monitor is an access control concept referring to an abstract machine that mediates all accesses to objects by subjects based on information in an access control database. The reference monitor must mediate all access, be protected from modification, be verifiable as correct, and must always be invoked. The reference monitor, in accordance with the security policy, controls the checks that are made in the access control database. The following are incorrect: Validation Module. A Validation Module is typically found in application source code and is used to validate data being inputted. Clearance Check. Is a distractor, there is no such thing other than what someone would do when checking if someone is authorized to access a secure facility. Security Module. Is typically a general purpose module that prerforms a variety of security related functions. References: OIG CBK, Security Architecture and Design (page 324) AIO, 4th Edition, Security Architecture and Design, pp 328-328. Wikipedia - http://en.wikipedia.org/wiki/Reference_monitor NEXT QUESTION

The viewing of recorded events after the fact using a closed-circuit TV camera is considered a A. Preventative control. B. Detective control C. Compensating control D. Corrective control

Answer : B Explanation: Detective security controls are like a burglar alarm. They detect and report an unauthorized or undesired event (or an attempted undesired event). Detective security controls are invoked after the undesirable event has occurred. Example detective security controls are log monitoring and review, system audit, file integrity checkers, and motion detection. Visual surveillance or recording devices such as closed circuit television are used in conjunction with guards in order to enhance their surveillance ability and to record events for future analysis or prosecution. When events are monitored, it is considered preventative whereas recording of events is considered detective in nature. Below you have explanations of other types of security controls from a nice guide produce by James Purcell (see reference below): Preventive security controls are put into place to prevent intentional or unintentional disclosure, alteration, or destruction (D.A.D.) of sensitive information. Some example preventive controls follow: Policy Unauthorized network connections are prohibited. Firewall Blocks unauthorized network connections. Locked wiring closet Prevents unauthorized equipment from being physically plugged into a network switch. Notice in the preceding examples that preventive controls crossed administrative, technical, and physical categories discussed previously. The same is true for any of the controls discussed in this section. Corrective security controls are used to respond to and fix a security incident. Corrective security controls also limit or reduce further damage from an attack. Examples follow: Procedure to clean a virus from an infected system A guard checking and locking a door left unlocked by a careless employee Updating firewall rules to block an attacking IP address Note that in many cases the corrective security control is triggered by a detective security control. Recovery security controls are those controls that put a system back into y y gg y y y y p y production after an incident. Most Disaster Recovery activities fall into this category. For example, after a disk failure, data is restored from a backup tape. Directive security controls are the equivalent of administrative controls. Directive controls direct that some action be taken to protect sensitive organizational information. The directive can be in the form of a policy, procedure, or guideline. Deterrent security controls are controls that discourage security violations. For instance, Unauthorized Access Prohibited signage may deter a trespasser from entering an area. The presence of security cameras might deter an employee from stealing equipment. A policy that states access to servers is monitored could deter unauthorized access. Compensating security controls are controls that provide an alternative to normal controls that cannot be used for some reason. For instance, a certain server cannot have antivirus software installed because it interferes with a critical applicat NEXT QUESTION

Which of the following Operation Security controls is intended to prevent unauthorized intruders from internally or externally accessing the system, and to lower the amount and y y g y , impact of unintentional errors that are entering the system? A. Detective Controls B. Preventative Controls C. Corrective Controls D. Directive Controls

Answer : B Explanation: In the Operations Security domain, Preventative Controls are designed to prevent unauthorized intruders from internally or externally accessing the system, and to lower the amount and impact of unintentional errors that are entering the system. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 217. NEXT QUESTION

Which of the following is most concerned with personnel security? A. Management controls B. Operational controls C. Technical controls D. Human resources controls

Answer : B Explanation: Many important issues in computer security involve human users, designers, implementers, and managers. A broad range of security issues relates to how these individuals interact with computers and the access and authorities they need to do their jobs. Since operational controls address security methods focusing on mechanisms primarily implemented and executed by people (as opposed to systems), personnel security is considered a form of operational control. Operational controls are put in place to improve security of a particular system (or group of systems). They often require specialized expertise and often rely upon management activities as well as technical controls. Implementing dual control and making sure that you have more than one person that can perform a task would fall into this category as well. Management controls focus on the management of the IT security system and the management of risk for a system. They are techniques and concerns that are normally addressed by management. Technical controls focus on security controls that the computer system executes. The controls can provide automated protection for unauthorized access of misuse, facilitate detection of security violations, and support security requirements for applications and data. Reference use for this question: NIST SP 800-53 Revision 4 http://dx.doi.org/106028/NIST.SP.800-53r4 You can get it as a word document by clicking HERE NIST SP 800-53 Revision 4 has superseded the document below: SWANSON, Marianne, NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems, November 2001 (Page A-18). NEXT QUESTION

Which type of security control is also known as "Logical" control? yp y g A. Physical B. Technical C. Administrative D. Risk

Answer : B Explanation: Physcial: This is a type of security control, but does not have an alternate name. Administrative: This is a type of security control, but doe not have an alternate name. Risk:This is not a type of security control. The following reference(s) were/was used to create this question: Shon Harris AIO 4th Edition, Chapter 3, Page 57 NEXT QUESTION

Who should measure the effectiveness of Information System security related controls in an organization? A. The local security specialist B. The business manager C. The systems auditor D. The central security manager

Answer : C Explanation: It is the systems auditor that should lead the effort to ensure that the security controls are in place and effective. The audit would verify that the controls p y y p y comply with polices, procedures, laws, and regulations where applicable. The findings would provide these to senior management. The following answers are incorrect: the local security specialist. Is incorrect because an independent review should take place by a third party. The security specialist might offer mitigation strategies but it is the auditor that would ensure the effectiveness of the controls the business manager. Is incorrect because the business manager would be responsible that the controls are in place, but it is the auditor that would ensure the effectiveness of the controls the central security manager. Is incorrect because the central security manager would be responsible for implementing the controls, but it is the auditor that is responsibe for ensuring their effectiveness. NEXT QUESTION

Which of the following security control is intended to avoid an incident from occurring? A. Deterrent B. Preventive C. Corrective D. Recovery

Answer : B Explanation: Preventive controls are intended to avoid an incident from occurring For your exam you should know below information about different security controls Deterrent Controls Deterrent Controls are intended to discourage a potential attacker. Access controls act as a deterrent to threats and attacks by the simple fact that the existence of the control is enough to keep some potential attackers from attempting to circumvent the control. This is often because the effort required to circumvent the control is far greater than the potential reward if the attacker is successful, or, conversely, the negative implications of a failed attack (or getting caught) outweigh the benefits of success. For example, by forcing the identification and authentication of a user, service, or application, and all that it implies, the potential for incidents associated with the system is significantly reduced because an attacker will fear association with the incident. If there are no controls for a given access path, the number of incidents and the potential impact become infinite. Controls inherently reduce exposure to risk by applying oversight for a process. This oversight acts as a deterrent, curbing an attackers appetite in the face of probable repercussions. The best example of a deterrent control is demonstrated by employees and their propensity to intentionally perform unauthorized functions, leading to unwanted events. When users begin to understand that by authenticating into a system to perform a function, their activities are logged and monitored, and it reduces the likelihood they will attempt such an action. Many threats are based on the anonymity of the threat agent, and any potential for identification and association with their actions is avoided at all costs. It is this fundamental reason why access controls are the key target of circumvention by attackers. Deterrents also take the form of potential punishment if users do something unauthorized. For example, if the organization policy specifies that an employee installing an unauthorized wireless access point will be fired, that will determine most employees from installing wireless access points. Preventative Controls Preventive controls are intended to avoid an incident from occurring. Preventative access controls keep a user from performing some activity or function. Preventative controls differ from deterrent controls in that the control is not optional and cannot (easily) be bypassed. Deterrent controls work on the theory that it is easier to obey the control rather than to risk the consequences of bypassing the control. In other words, the power for action resides with the user (or the attacker). Preventative controls place the power of action with the system, obeying the control is not optional. The only way to bypass the control is to find a flaw in the controls implementation. Compensating Controls Compensating controls are introduced when the existing capabilities of a system do not s NEXT QUESTION

Sam is the security Manager of an financial institute. Senior management has requested he performs a risk analysis on all critical vulnerabilities reported by an IS auditor. After completing the risk analysis, Sam has observed that for a few of the risks, the cost benefit analysis shows that risk mitigation cost (countermeasures, controls, or safeguard) is more than the potential lost that could be incurred. What kind of a strategy should Sam recommend to the senior management to treat these risks? A. Risk Mitigation B. Risk Acceptance C. Risk Avoidance D. Risk transfer

Answer : B Explanation: Risk acceptance is the practice of accepting certain risk(s), typically based on a business decision that may also weigh the cost versus the benefit of dealing with the risk in another way. For your exam you should know below information about risk assessment and treatment: A risk assessment, which is a tool for risk management, is a method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls. A risk assessment is carried out, and the results are analyzed. Risk analysis is used to ensure that security is cost-effective, relevant, timely, and responsive to threats. Security can be quite complex, even for well-versed security professionals, and it is easy to apply too much security, not enough security, or the wrong security controls, and to spend too much money in the process without attaining the necessary objectives. Risk analysis helps companies prioritize their risks and shows management the amount of resources that should be applied to protecting against those risks in a sensible manner. A risk analysis has four main goals: Identify assets and their value to the organization. Identify vulnerabilities and threats. Quantify the probability and business impact of these potential threats. Provide an economic balance between the impact of the threat and the cost of the countermeasure. Treating Risk Risk Mitigation Risk mitigation is the practice of the elimination of, or the significant decrease in the level of risk presented. Examples of risk mitigation can be seen in everyday life and are readily apparent in the information technology world. Risk Mitigation involves applying appropriate control to reduce risk. For example, to lessen the risk of exposing personal and financial information that is highly sensitive and confidential organizations put countermeasures in place, such as firewalls, intrusion detection/prevention systems, and other mechanisms, to deter malicious outsiders from accessing this highly sensitive information. In the underage driver example, risk mitigation could take the form of driver education for the youth or establishing a policy not allowing the young driver to use a cell phone while driving, or not letting youth of a certain age have more than one friend in the car as a passenger at any given time. Risk Transfer Risk transfer is the practice of passing on the risk in question to another entity, such as an insurance company. Let us look at one of the examples that were presented above in a different way. The family is evaluating whether to permit an underage driver to use the family car. The family decides that it is important for the youth to be mobile, so it transfers the financial risk of a youth being in an accident to the insurance company, which provides the family with auto insurance. It is important to note that the transfer of risk may be accompanied by a cost. This is certainly true for the insurance example presented ea NEXT QUESTION

Which of the following test makes sure the modified or new system includes appropriate access controls and does not introduce any security holes that might compromise other systems? A. Recovery testing B. Security testing C. Stress/volume testing g D. Interface testing

Answer : B Explanation: Security testing makes sure the modified or new system includes appropriate access controls and does not introduce any security holes that might compromise other systems. Recovery testing checks the system's ability to recover after a software or hardware failure. Stress/volume testing involves testing an application with large quantities of data in order to evaluate performance during peak hours. Interface testing evaluates the connection of two or more components that pass information from one area to another. Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, Chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 300). NEXT QUESTION

What does the Clark-Wilson security model focus on? A. Confidentiality B. Integrity C. Accountability D. Availability

Answer : B Explanation: The Clark-Wilson model addresses integrity. It incorporates mechanisms to enforce internal and external consistency, a separation of duty, and a mandatory integrity policy. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security Architectures and Models (page 205). NEXT QUESTION

What is the appropriate role of the security analyst in the application system development or acquisition project? A. policeman B. control evaluator & consultant C. data owner D. application user

Answer : B Explanation: The correct answer is "control evaluator & consultant". During any system development or acquisition, the security staff should evaluate security controls and advise (or consult) on the strengths and weaknesses with those responsible for making the final decisions on the project. The other answers are not correct because: policeman - It is never a good idea for the security staff to be placed into this type of role (though it is sometimes unavoidable). During system development or acquisition, there should be no need of anyone filling the role of policeman. Data owner - In this case, the data owner would be the person asking for the new system to manage, control, and secure information they are responsible for. While it is possible the security staff could also be the data owner for such a project if they happen to have responsibility for the information, it is also possible someone else would fill this role. Therefore, the best answer remains "control evaluator & consultant" application user - Again, it is possible this could be the security staff, but it could also be many other people or groups. So this is not the best answer. Reference: Official ISC2 Guide page: 555 - 560 All in One Third Edition page: 832 846 NEXT QUESTION

Who can best decide what are the adequate technical security controls in a computer- based application system in regards to the protection of the data being used, the criticality of the data, and it's sensitivity level? A. System Auditor B. Data or Information Owner C. System Manager D. Data or Information user

Answer : B Explanation: The data or information owner also referred to as "Data Owner" would be the best person. That is the individual or officer who is ultimately responsible for the protection of the information and can therefore decide what are the adequate security controls according to the data sensitivity and data criticality. The auditor would be the best person to determine the adequacy of controls and whether or not they are working as expected by the owner. The function of the auditor is to come around periodically and make sure you are doing what you are supposed to be doing. They ensure the correct controls are in place and are being maintained securely. The goal of the auditor is to make sure the organization complies with its own policies and the applicable laws and regulations. Organizations can have internal auditors and/ or external auditors. The external auditors commonly work on behalf of a regulatory body to make sure compliance is being met. For example CobiT, which is a model that most information security auditors follow when evaluating a security program. While many security professionals fear and dread auditors, they can be valuable tools in ensuring the overall security of the organization. Their goal is to find the things you have missed and help you understand how to fix the problem. The Official ISC2 Guide (OIG) says: IT auditors determine whether users, owners, custodians, systems, and networks are in compliance with the security policies, procedures, standards, baselines, designs, architectures, management direction, and other requirements placed on systems. The auditors provide independent assurance to the management on the appropriateness of the security controls. The auditor examines the information systems and determines whether they are designed, configured, implemented, operated, and managed in a way ensuring that the organizational objectives are being achieved. The auditors provide top company management with an independent view of the controls and their effectiveness. Example: Bob is the head of payroll. He is therefore the individual with primary responsibility over the payroll database, and is therefore the information/data owner of the payroll database. In Bob's department, he has Sally and Richard working for him. Sally is responsible for making changes to the payroll database, for example if someone is hired or gets a raise. Richard is only responsible for printing paychecks. Given those roles, Sally requires both read and write access to the payroll database, but Richard requires only read access to it. Bob communicates these requirements to the system administrators (the "information/data custodians") and they set the file permissions for Sally's and Richard's user accounts so that Sally has read/write access, while Richard has only read access. So in short Bob will determine what controls are required, what is the sensitivily and criticality of the Data. Bob will communicate this to the custodians who will im NEXT QUESTION

Which type of security control is also known as "Logical" control? A. Physical B. Technical C. Administrative D. Risk

Answer : B Explanation: The following answers are incorrect: Physcial: This is a type of security control, but does not have an alternate name. Administrative: This is a type of security control, but doe not have an alternate name. Risk:This is not a type of security control. The following reference(s) were/was used to create this question: Shon Harris AIO 4th Edition, Chapter 3, Page 57 NEXT QUESTION

What does the simple integrity axiom mean in the Biba model? A. No write down B. No read down C. No read up D. No write up

Answer : B Explanation: The simple integrity axiom of the Biba access control model states that a subject at one level of integrity is not permitted to observe an object of a lower integrity (no read down). Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security Architectures and Models (page 205). NEXT QUESTION

Risk mitigation and risk reduction controls for providing information security are classified within three main categories, which of the following are being used? A. preventive, corrective, and administrative B. detective, corrective, and physical C. Physical, technical, and administrative D. Administrative, operational, and logical

Answer : C Explanation: Security is generally defined as the freedom from danger or as the condition of safety. Computer security, specifically, is the protection of data in a system against unauthorized disclosure, modification, or destruction and protection of the computer system itself against unauthorized use, modification, or denial of service. Because certain computer security controls inhibit productivity, security is typically a compromise toward which security practitioners, system users, and system operations and administrative personnel work to achieve a satisfactory balance between security and productivity. Controls for providing information security can be physical, technical, or administrative. These three categories of controls can be further classified as either preventive or detective. Preventive controls attempt to avoid the occurrence of unwanted events, whereas detective controls attempt to identify unwanted events after they have occurred. Preventive controls inhibit the free use of computing resources and therefore can be applied only to the degree that the users are willing to accept. Effective security awareness programs can help increase users level of tolerance for preventive controls by helping them understand how such controls enable them to trust their computing systems. Common detective controls include audit trails, intrusion detection methods, and checksums. Three other types of controls supplement preventive and detective controls. They are usually described as deterrent, corrective, and recovery. Deterrent controls are intended to discourage individuals from intentionally violating information security policies or procedures. These usually take the form of constraints that make it difficult or undesirable to perform unauthorized activities or threats of consequences that influence a potential intruder to not violate security (e.g., threats ranging from embarrassment to severe punishment). Corrective controls either remedy the circumstances that allowed the unauthorized activity or return conditions to what they were before the violation. Execution of corrective controls could result in changes to existing physical, technical, and administrative controls. Recovery controls restore lost computing resources or capabilities and help the organization recover monetary losses caused by a security violation. Deterrent, corrective, and recovery controls are considered to be special cases within the major categories of physical, technical, and administrative controls; they do not clearly belong in either preventive or detective categories. For example, it could be argued that deterrence is a form of prevention because it can cause an intruder to turn away; however, deterrence also involves detecting violations, which may be what the intruder fears most. Corrective controls, on the other hand, are not preventive or detective, but they are clearly linked with technical controls when antiviral software eradicates a virus or with admini NEXT QUESTION

What would BEST define a covert channel? A. An undocumented backdoor that has been left by a programmer in an operating system B. An open system port that should be closed. C. A communication channel that allows transfer of information in a manner that violates the system's security policy. D. A trojan horse.

Answer : C Explanation: A covert channel is a way for an entity to receive information in an unauthorized manner. It is an information flow that is not controlled by a security mechanism. This type of information path was not developed for communication; thus, the system does not properly protect this path, because the developers never envisioned information being passed in this way. Receiving information in this manner clearly violates the systems security policy. The channel to transfer this unauthorized data is the result of one of the following conditions: Oversight in the development of the product Improper implementation of access controls Existence of a shared resource between the two entities Installation of a Trojan horse The following answers are incorrect: An undocumented backdoor that has been left by a programmer in an operating system is incorrect because it is not a means by which unauthorized transfer of information takes place. Such backdoor is usually referred to as a Maintenance Hook. An open system port that should be closed is incorrect as it does not define a covert channel. A trojan horse is incorrect because it is a program that looks like a useful program but when you install it it would include a bonus such as a Worm, Backdoor, or some other malware without the installer knowing about it. Reference(s) used for this question: Shon Harris AIO v3 , Chapter-5 : Security Models & Architecture AIOv4 Security Architecture and Design (pages 343 - 344) AIOv5 Security Architecture and Design (pages 345 - 346) NEXT QUESTION

What is called a system that is capable of detecting that a fault has occurred and has the ability to correct the fault or operate around it? A. A fail safe system B. A fail soft system C. A fault-tolerant system D. A failover system

Answer : C Explanation: A fault-tolerant system is capable of detecting that a fault has occurred and has the ability to correct the fault or operate around it. In a fail-safe system, program execution is terminated, and the system is protected from being compromised when a hardware or software failure occurs and is detected. In a fail-soft system, when a hardware or software failure occurs and is detected, selected, non-critical processing is terminated. The term failover refers to switching to a duplicate "hot" backup component in real-time when a hardware or software failure occurs, enabling processing to continue. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security Architecture and Models (page 196). NEXT QUESTION

What is defined as the hardware, firmware and software elements of a trusted computing base that implement the reference monitor concept? A. The reference monitor B. Protection rings C. A security kernel D. A protection domain

Answer : C Explanation: A security kernel is defined as the hardware, firmware and software elements of a trusted computing base that implement the reference monitor concept. A reference monitor is a system component that enforces access controls on an object. A protection domain consists of the execution and memory space assigned to each process. The use of protection rings is a scheme that supports multiple protection domains. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security Architecture and Models (page 194). NEXT QUESTION

Which of the following phases of a system development life-cycle is most concerned with establishing a good security policy as the foundation for design? A. Development/acquisition B. Implementation C. Initiation D. Maintenance

Answer : C Explanation: A security policy is an important document to develop while designing an information system. The security policy begins with the organization's basic commitment to information security formulated as a general policy statement. The policy is then applied to all aspects of the system design or security solution. The policy identifies security goals (e.g., confidentiality, integrity, availability, accountability, and assurance) the system should support, and these goals guide the procedures, standards and controls used in the IT security architecture design. The policy also should require definition of critical assets, the perceived threat, and security-related roles and responsibilities. Source: STONEBURNER, Gary & al, National Institute of Standards and Technology (NIST), NIST Special Publication 800- 27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security), June 2001 (page 6). NEXT QUESTION

In computing what is the name of a non-self-replicating type of malware program containing malicious code that appears to have some useful purpose but also contains code that has a malicious or harmful purpose imbedded in it, when executed, carries out actions that are unknown to the person installing it, typically causing loss or theft of data, and possible system harm. A. virus. B. worm. C. Trojan horse. D. trapdoor.

Answer : C Explanation: A trojan horse is any code that appears to have some useful purpose but also contains code that has a malicious or harmful purpose imbedded in it. A Trojan often also includes a trapdoor as a means to gain access to a computer system bypassing security controls. Wikipedia defines it as: A Trojan horse, or Trojan, in computing is a non-self-replicating type of malware program containing malicious code that, when executed, carries out actions determined by the nature of the Trojan, typically causing loss or theft of data, and possible system harm. The term is derived from the story of the wooden horse used to trick defenders of Troy into taking concealed warriors into their city in ancient Greece, because computer Trojans often employ a form of social engineering, presenting themselves as routine, useful, or interesting in order to persuade victims to install them on their computers. The following answers are incorrect: virus. Is incorrect because a Virus is a malicious program and is does not appear to be harmless, it's sole purpose is malicious intent often doing damage to a system. A computer virus is a type of malware that, when executed, replicates by inserting copies of itself (possibly modified) into other computer programs, data files, or the boot sector of the hard drive; when this replication succeeds, the affected areas are then said to be "infected". worm. Is incorrect because a Worm is similiar to a Virus but does not require user intervention to execute. Rather than doing damage to the system, worms tend to self- propagate and devour the resources of a system. A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it. Unlike a computer virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer. trapdoor. Is incorrect because a trapdoor is a means to bypass security by hiding an entry point into a system. Trojan Horses often have a trapdoor imbedded in them. References: http://en.wikipedia.org/wiki/Trojan_horse_%28computing%29 and http://en.wikipedia.org/wiki/Computer_virus and http://en.wikipedia.org/wiki/Computer_worm and http://en.wikipedia.org/wiki/Backdoor_%28computing%29 NEXT QUESTION

What is called the formal acceptance of the adequacy of a system's overall security by the management? A. Certification B. Acceptance C. Accreditation D. Evaluation

Answer : C Explanation: Accreditation is the authorization by management to implement software or systems in a production environment. This authorization may be either provisional or full. The following are incorrect answers: Certification is incorrect. Certification is the process of evaluating the security stance of the software or system against a selected set of standards or policies. Certification is the technical evaluation of a product. This may precede accreditation but is not a required precursor. Acceptance is incorrect. This term is sometimes used as the recognition that a piece of software or system has met a set of functional or service level criteria (the new payroll system has passed its acceptance test). Certification is the better tem in this context. Evaluation is incorrect. Evaluation is certainly a part of the certification process but it is not the best answer to the question. Reference(s) used for this question: The Official Study Guide to the CBK from ISC2, pages 559-560 AIO3, pp. 314 - 317 AIOv4 Security Architecture and Design (pages 369 - 372) AIOv5 Security Architecture and Design (pages 370 - 372) NEXT QUESTION

In the context of access control, locks, gates, guards are examples of which of the following? A. Administrative controls B. Technical controls C. Physical controls D. Logical controls

Answer : C Explanation: Administrative, technical and physical controls are categories of access control mechanisms. Logical and Technical controls are synonymous. So both of them could be eliminated as possible choices. Physical Controls: These are controls to protect the organizations people and physical environment, such as locks, gates, and guards. Physical controls may be called operational controls in some contexts. Physical security covers a broad spectrum of controls to protect the physical assets (primarily the people) in an organization. Physical Controls are sometimes referred to as operational controls in some risk management frameworks. These controls range from doors, locks, and windows to environment controls, construction standards, and guards. Typically, physical security is based on the notion of establishing security zones or concentric areas within a facility that require increased security as you get closer to the valuable assets inside the facility. Security zones are the physical representation of the defense-in-depth principle discussed earlier in this chapter. Typically, security zones are associated with rooms, offices, floors, or smaller elements, such as a cabinet or storage locker. The design of the physical security controls within the facility must take into account the protection of the asset as well as the individuals working in that area. Reference(s) used for this question: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 1301-1303). Auerbach Publications. Kindle Edition. and Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 1312-1318). Auerbach Publications. Kindle Edition. NEXT QUESTION

Which of the following computer design approaches is based on the fact that in earlier technologies, the instruction fetch was the longest part of the cycle? A. Pipelining B. Reduced Instruction Set Computers (RISC) C. Complex Instruction Set Computers (CISC) D. Scalar processors

Answer : C Explanation: Complex Instruction Set Computer (CISC) uses instructions that perform many operations per instruction. It was based on the fact that in earlier technologies, the instruction fetch was the longest part of the cycle. Therefore, by packing more operations into an instruction, the number of fetches could be reduced. Pipelining involves overlapping the steps of different instructions to increase the performance in a computer. Reduced Instruction Set Computers (RISC) involve simpler instructions that require fewer clock cycles to execute. Scalar processors are processors that execute one instruction at a time. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security Architectures and Models (page 188). NEXT QUESTION

Which of the following control helps to identify an incidents activities and potentially an intruder? A. Deterrent B. Preventive C. Detective D. Compensating

Answer : C Explanation: Detective control helps identify an incidents activities and potentially an intruder For your exam you should know below information about different security controls Deterrent Controls Deterrent Controls are intended to discourage a potential attacker. Access controls act as a deterrent to threats and attacks by the simple fact that the existence of the control is enough to keep some potential attackers from attempting to circumvent the control. This is often because the effort required to circumvent the control is far greater than the potential reward if the attacker is successful, or, conversely, the negative implications of a failed attack (or getting caught) outweigh the benefits of success. For example, by forcing the identification and authentication of a user, service, or application, and all that it implies, the potential for incidents associated with the system is significantly reduced because an attacker will fear association with the incident. If there are no controls for a given access path, the number of incidents and the potential impact become infinite. Controls inherently reduce exposure to risk by applying oversight for a process. This oversight acts as a deterrent, curbing an attackers appetite in the face of probable repercussions. The best example of a deterrent control is demonstrated by employees and their propensity to intentionally perform unauthorized functions, leading to unwanted events. When users begin to understand that by authenticating into a system to perform a function, their activities are logged and monitored, and it reduces the likelihood they will attempt such an action. Many threats are based on the anonymity of the threat agent, and any potential for identification and association with their actions is avoided at all costs. It is this fundamental reason why access controls are the key target of circumvention by attackers. Deterrents also take the form of potential punishment if users do something unauthorized. For example, if the organization policy specifies that an employee installing an unauthorized wireless access point will be fired, that will determine most employees from installing wireless access points. Preventative Controls Preventive controls are intended to avoid an incident from occurring. Preventative access controls keep a user from performing some activity or function. Preventative controls differ from deterrent controls in that the control is not optional and cannot (easily) be bypassed. Deterrent controls work on the theory that it is easier to obey the control rather than to risk the consequences of bypassing the control. In other words, the power for action resides with the user (or the attacker). Preventative controls place the power of action with the system, obeying the control is not optional. The only way to bypass the control is to find a flaw in the controls implementation. Compensating Controls Compensating controls are introduced when the existing capabilities of a NEXT QUESTION

One of the following assertions is NOT a characteristic of Internet Protocol Security (IPsec) A. Data cannot be read by unauthorized parties B. The identity of all IPsec endpoints are confirmed by other endpoints C. Data is delivered in the exact order in which it is sent D. The number of packets being exchanged can be counted.

Answer : C Explanation: IPSec provide replay protection that ensures data is not delivered multiple times, however IPsec does not ensure that data is delivered in the exact order in which it is sent. IPSEC uses TCP and packets may be delivered out of order to the receiving side depending which route was taken by the packet. Internet Protocol Security (IPsec) has emerged as the most commonly used network layer security control for protecting communications. IPsec is a framework of open standards for ensuring private communications over IP networks. Depending on how IPsec is implemented and configured, it can provide any combination of the following types of protection: Confidentiality. IPsec can ensure that data cannot be read by unauthorized parties. This is accomplished by encrypting data using a cryptographic algorithm and a secret key a value known only to the two parties exchanging data. The data can only be decrypted by someone who has the secret key. Integrity. IPsec can determine if data has been changed (intentionally or unintentionally) during transit. The integrity of data can be assured by generating a message authentication code (MAC) value, which is a cryptographic checksum of the data. If the data is altered and the MAC is recalculated, the old and new MACs will differ. Peer Authentication. Each IPsec endpoint confirms the identity of the other IPsec endpoint with which it wishes to communicate, ensuring that the network traffic and data is being sent from the expected host. Replay Protection. The same data is not delivered multiple times, and data is not delivered grossly out of order. However, IPsec does not ensure that data is delivered in the exact order in which it is sent. Traffic Analysis Protection. A person monitoring network traffic does not know which parties are communicating, how often communications are occurring, or how much data is being exchanged. However, the number of packets being exchanged can be counted. Access Control. IPsec endpoints can perform filtering to ensure that only authorized IPsec users can access particular network resources. IPsec endpoints can also allow or block certain types of network traffic, such as allowing Web server access but denying file sharing. The following are incorrect answers because they are all features provided by IPSEC: "Data cannot be read by unauthorized parties" is wrong because IPsec provides confidentiality through the usage of the Encapsulating Security Protocol (ESP), once encrypted the data cannot be read by unauthorized parties because they have access only to the ciphertext. This is accomplished by encrypting data using a cryptographic algorithm and a session key, a value known only to the two parties exchanging data. The data can only be decrypted by someone who has a copy of the session key. "The identity of all IPsec endpoints are confirmed by other endpoints" is wrong because IPsec provides peer authentication: Each IPsec endpoint confirms the identity of the other IPsec e NEXT QUESTION

Which security model introduces access to objects only through programs? A. The Biba model B. The Bell-LaPadula model C. The Clark-Wilson model D. The information flow model

Answer : C Explanation: In the Clark-Wilson model, the subject no longer has direct access to objects but instead must access them through programs (well -formed transactions). The ClarkWilson integrity model provides a foundation for specifying and analyzing an integrity policy for a computing system. The model is primarily concerned with formalizing the notion of information integrity. Information integrity is maintained by preventing corruption of data items in a system due to either error or malicious intent. An integrity policy describes how the data items in the system should be kept valid from one state of the system to the next and specifies the capabilities of various principals in the system. The model defines enforcement rules and certification rules. ClarkWilson is more clearly applicable to business and industry processes in which the integrity of the information content is paramount at any level of classification. Integrity goals of ClarkWilson model: Prevent unauthorized users from making modification (Only this one is addressed by the Biba model). Separation of duties prevents authorized users from making improper modifications. Well formed transactions: maintain internal and external consistency i.e. it is a series of operations that are carried out to transfer the data from one consistent state to the other. The following are incorrect answers: The Biba model is incorrect. The Biba model is concerned with integrity and controls access to objects based on a comparison of the security level of the subject to that of the object. The Bell-LaPdaula model is incorrect. The Bell-LaPaula model is concerned with confidentiality and controls access to objects based on a comparison of the clearence level of the subject to the classification level of the object. The information flow model is incorrect. The information flow model uses a lattice where objects are labelled with security classes and information can flow either upward or at the same level. It is similar in framework to the Bell-LaPadula model. References: ISC2 Official Study Guide, Pages 325 - 327 AIO3, pp. 284 - 287 AIOv4 Security Architecture and Design (pages 338 - 342) AIOv5 Security Architecture and Design (pages 341 - 344) Wikipedia at: https://en.wikipedia.org/wiki/Clark-Wilson_model NEXT QUESTION

If an internal database holds a number of printers in every department and this equals the total number of printers for the whole organization recorded elsewhere in the database, it is an example of: A. External consistency of the information system. B. Differential consistency of the information system. y y C. Internal consistency of the information system. D. Referential consistency of the information system.

Answer : C Explanation: Internal consistency ensures that internal data is consistent, the subtotals match the total number of units in the data base. Internal Consistency, External Consistency, Well formed transactions are all terms related to the Clark-Wilson Model. The Clark-Wilson model was developed after Biba and takes some different approaches to protecting the integrity of information. This model uses the following elements: Users Active agents Transformation procedures (TPs) Programmed abstract operations, such as read, write, and modify Constrained data items (CDIs) Can be manipulated only by TPs Unconstrained data items (UDIs) Can be manipulated by users via primitive read and write operations Integrity verification procedures (IVPs) Check the consistency of CDIs with external reality Although this list may look overwhelming, it is really quite straightforward. When an application uses the Clark-Wilson model, it separates data into one subset that needs to be highly protected, which is referred to as a constrained data item (CDI), and another subset that does not require a high level of protection, which is called an unconstrained data item (UDI). Users cannot modify critical data (CDI) directly. Instead, the subject (user) must be authenticated to a piece of software, and the software procedures (TPs) will carry out the operations on behalf of the user. For example, when Kathy needs to update information held within her companys database, she will not be allowed to do so without a piece of software controlling these activities. First, Kathy must authenticate to a program, which is acting as a front end for the database, and then the program will control what Kathy can and cannot do to the information in the database. This is referred to as access triple: subject (user), program (TP), and object (CDI). A user cannot modify CDI without using a TP. Well Formed Transactions A well-formed transaction is a series of operations that are carried out to transfer the data from one consistent state to the other. If Kathy transfers money from her checking account to her savings account, this transaction is made up of two operations: subtract money from one account and add it to a different account. By making sure the new values in her checking and savings accounts are accurate and their integrity is intact, the IVP maintains internal and external consistency. The Clark-Wilson model also outlines how to incorporate separation of duties into the architecture of an application. If we follow our same example of banking software, if a customer needs to withdraw over $ 10,000, the application may require a supervisor to log in and authenticate this transaction. This is a countermeasure against potential fraudulent activities. The model provides the rules that the developers must follow to properly implement and enforce separation of duties through software procedures. The following answers are incorrect: External consistency of the information system. Extern NEXT QUESTION

What is the purpose of Trusted Distribution? A. To ensure that messages sent from a central office to remote locations are free from tampering. B. To prevent the sniffing of data as it travels through an untrusted network enroute to a trusted network. C. To ensure that the Trusted Computing Base is not tampered with during shipment or installation. D. To ensure that messages received at the Trusted Computing Base are not old messages being resent as part of a replay attack.

Answer : C Explanation: One of the first accepted evaluation standards was the Trusted Computer Security Evaluation Criteria or TCSEC. The Orange Book was part of this standard that defines four security divisions consisting of seven different classes for security ratings. The lowest class offering the least protection is D - Minimal protection. The highest classification would be A1 offering the most secure environment. As you go to the next division and class you inherit the requirements of the lower levels. So, for example C2 would also incorporate the requirements for C1 and D. Design specification and verification is a formal model of the security policy supported through the life-cycle of the system. Trusted Distribution is ensuring nothing has been tampered with not even the documentation, this is part of the Life- Cycle Assurance Requirements (See below) Life-cycle Assurance Requirments - Security Testing - Design Specification and verification - Configuration Management - Trusted system distribution The following answers are incorrect: To ensure that messages sent from a central office to remote locations are free from tampering. This is incorrect because it does not deal with the Trusted Computing Base. To prevent the sniffing of data as it travels through an untrusted network enroute to a trusted network. This is incorrect because it does not deal with the Trusted Computing Base. To ensure that messages received at the Trusted Computing Base are not old messages being resent as part of a replay attack. This is incorrect because it does not deal with ensuring the Trusted Computing Base has not been tampered with. References: NIST http://csrc.nist.gov/publications/secpubs/rainbow/std001.txt NEXT QUESTION

Password management falls into which control category? A. Compensating B. Detective C. Preventive D. Technical

Answer : C Explanation: Password management is an example of preventive control. Proper passwords prevent unauthorized users from accessing a system. There are literally hundreds of different access approaches, control methods, and technologies, both in the physical world and in the virtual electronic world. Each method addresses a different type of access control or a specific access need. For example, access control solutions may incorporate identification and authentication mechanisms, filters, rules, rights, logging and monitoring, policy, and a plethora of other controls. However, despite the diversity of access control methods, all access control systems can be categorized into seven primary categories. The seven main categories of access control are: 1 Directive: Controls designed to specify acceptable rules of behavior within an organization 2 Deterrent: Controls designed to discourage people from violating security directives 3 Preventive: Controls implemented to prevent a security incident or information breach 4 Compensating: Controls implemented to substitute for the loss of primary controls and mitigate risk down to an acceptable level 5 Detective: Controls designed to signal a warning when a security control has been breached 6 Corrective: Controls implemented to remedy circumstance, mitigate damage, or restore controls 7 Recovery: Controls implemented to restore conditions to normal after a security incident Reference(s) used for this question: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 1156-1176). Auerbach Publications. Kindle Edition. NEXT QUESTION

Which of the following embodies all the detailed actions that personnel are required to follow? A. Standards B. Guidelines C. Procedures D. Baselines

Answer : C Explanation: Procedures are step-by-step instructions in support of of the policies, standards, guidelines and baselines. The procedure indicates how the policy will be implemented and who does what to accomplish the tasks." Standards is incorrect. Standards are a "Mandatory statement of minimum requirements that support some part of a policy, the standards in this case is your own company standards and not standards such as the ISO standards" Guidelines is incorrect. "Guidelines are discretionary or optional controls used to enable individuals to make judgments with respect to security actions." Baselines is incorrect. Baselines "are a minimum acceptable level of security. This minimum is implemented using specific rules necessary to implement the security controls in support of the policy and standards." For example, requiring a password of at leat 8 character would be an example. Requiring all users to have a minimum of an antivirus, a personal firewall, and an anti spyware tool could be another example. References: CBK, pp. 12 - 16. Note especially the discussion of the "hammer policy" on pp. 16-17 for the differences between policy, standard, guideline and procedure. AIO3, pp. 88-93. NEXT QUESTION

Which of the following risk handling technique involves the practice of being proactive so that the risk in question is not realized? A. Risk Mitigation B. Risk Acceptance C. Risk Avoidance D. Risk transfer

Answer : C Explanation: Risk avoidance is the practice of coming up with alternatives so that the risk in question is not realized. For your exam you should know below information about risk assessment and treatment: A risk assessment, which is a tool for risk management, is a method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls. A risk assessment is carried out, and the results are analyzed. Risk analysis is used to ensure that security is cost-effective, relevant, timely, and responsive to threats. Security can be quite complex, even for well-versed security professionals, and it is easy to apply too much security, not enough security, or the wrong security controls, and to spend too much money in the process without attaining the necessary objectives. Risk analysis helps companies prioritize their risks and shows management the amount of resources that should be applied to protecting against those risks in a sensible manner. A risk analysis has four main goals: Identify assets and their value to the organization. Identify vulnerabilities and threats. Quantify the probability and business impact of these potential threats. Provide an economic balance between the impact of the threat and the cost of the countermeasure. Treating Risk Risk Mitigation Risk mitigation is the practice of the elimination of, or the significant decrease in the level of risk presented. Examples of risk mitigation can be seen in everyday life and are readily apparent in the information technology world. Risk Mitigation involves applying appropriate control to reduce risk. For example, to lessen the risk of exposing personal and financial information that is highly sensitive and confidential organizations put countermeasures in place, such as firewalls, intrusion detection/prevention systems, and other mechanisms, to deter malicious outsiders from accessing this highly sensitive information. In the underage driver example, risk mitigation could take the form of driver education for the youth or establishing a policy not allowing the young driver to use a cell phone while driving, or not letting youth of a certain age have more than one friend in the car as a passenger at any given time. Risk Transfer Risk transfer is the practice of passing on the risk in question to another entity, such as an insurance company. Let us look at one of the examples that were presented above in a different way. The family is evaluating whether to permit an underage driver to use the family car. The family decides that it is important for the youth to be mobile, so it transfers the financial risk of a youth being in an accident to the insurance company, which provides the family with auto insurance. It is important to note that the transfer of risk may be accompanied by a cost. This is certainly true for the insurance example presented earlier, and can be seen in other insurance instances, such as liability insurance f NEXT QUESTION

What kind of encryption is realized in the S/MIME-standard? A. Asymmetric encryption scheme B. Password based encryption scheme C. Public key based, hybrid encryption scheme D. Elliptic curve based encryption

Answer : C Explanation: S/MIME (for Secure MIME, or Secure Multipurpose Mail Extension) is a security process used for e-mail exchanges that makes it possible to guarantee the confidentiality and non-repudiation of electronic messages. S/MIME is based on the MIME standard, the goal of which is to let users attach files other than ASCII text files to electronic messages. The MIME standard therefore makes it possible to attach all types of files to e-mails. S/MIME was originally developed by the company RSA Data Security. Ratified in July 1999 by the IETF, S/MIME has become a standard, whose specifications are contained in RFCs 2630 to 2633. How S/MIME works The S/MIME standard is based on the principle of public-key encryption. S/MIME therefore makes it possible to encrypt the content of messages but does not encrypt the communication. The various sections of an electronic message, encoded according to the MIME standard, are each encrypted using a session key. The session key is inserted in each section's header, and is encrypted using the recipient's public key. Only the recipient can open the message's body, using his private key, which guarantees the confidentiality and integrity of the received message. In addition, the message's signature is encrypted with the sender's private key. Anyone intercepting the communication can read the content of the message's signature, but this ensures the recipient of the sender's identity, since only the sender is capable of encrypting a message (with his private key) that can be decrypted with his public key. Reference(s) used for this question: http://en.kioskea.net/contents/139- cryptography-s-mime RFC 2630: Cryptographic Message Syntax; OPPLIGER, Rolf, Secure Messaging with PGP and S/MIME, 2000, Artech House; HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 2001, McGraw-Hill/Osborne, page 570; SMITH, Richard E., Internet Cryptography, 1997, Addison-Wesley Pub Co. NEXT QUESTION

What kind of encryption is realized in the S/MIME-standard? A. Asymmetric encryption scheme B. Password based encryption scheme C. Public key based, hybrid encryption scheme D. Elliptic curve based encryption

Answer : C Explanation: S/MIME (for Secure MIME, or Secure Multipurpose Mail Extension) is a security process used for e-mail exchanges that makes it possible to guarantee the confidentiality and non-repudiation of electronic messages. S/MIME is based on the MIME standard, the goal of which is to let users attach files other than ASCII text files to electronic messages. The MIME standard therefore makes it possible to attach all types of files to e-mails. S/MIME was originally developed by the company RSA Data Security. Ratified in July 1999 by the IETF, S/MIME has become a standard, whose specifications are contained in RFCs 2630 to 2633. How S/MIME works The S/MIME standard is based on the principle of public-key encryption. S/MIME therefore makes it possible to encrypt the content of messages but does not encrypt the communication. The various sections of an electronic message, encoded according to the MIME standard, are each encrypted using a session key. The session key is inserted in each section's header, and is encrypted using the recipient's public key. Only the recipient can open the message's body, using his private key, which guarantees the confidentiality and integrity of the received message. In addition, the message's signature is encrypted with the sender's private key. Anyone intercepting the communication can read the content of the message's signature, but this ensures the recipient of the sender's identity, since only the sender is capable of encrypting a message (with his private key) that can be decrypted with his public key. Reference(s) used for this question: http://en.kioskea.net/contents/139- cryptography-s-mime RFC 2630: Cryptographic Message Syntax; OPPLIGER, Rolf, Secure Messaging with PGP and S/MIME, 2000, Artech House; HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 2001, McGraw-Hill/Osborne, page 570; SMITH, Richard E., Internet Cryptography, 1997, Addison-Wesley Pub Co. Topic 9, Mix Questions Set 1 NEXT QUESTION

Which of the following are required for Life-Cycle Assurance? A. System Architecture and Design specification. B. Security Testing and Covert Channel Analysis. C. Security Testing and Trusted distribution. D. Configuration Management and Trusted Facility Management.

Answer : C Explanation: Security testing and trusted distribution are required for Life-Cycle Assurance. The following answers are incorrect: System Architecture and Design specification. Is incorrect because System Architecture is not requried for Life-Cycle Assurance. Security Testing and Covert Channel Analysis. Is incorrect because Covert Channel Analysis is not requried for Life-Cycle Assurance. Configuration Management and Trusted Facility Management. Is incorrect because Trusted Facility Management. is not requried for Life-Cycle Assurance. NEXT QUESTION

What does the * (star) property mean in the Bell-LaPadula model? A. No write up p B. No read up C. No write down D. No read down

Answer : C Explanation: The *- (star) property of the Bell-LaPadula access control model states that writing of information by a subject at a higher level of sensitivity to an object at a lower level of sensitivity is not permitted (no write down). Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security Architectures and Models (page 202). Also check out: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw- Hill/Osborne, 2002, Chapter 5: Security Models and Architecture (page 242, 243). NEXT QUESTION

What does the * (star) property mean in the Bell-LaPadula model? A. No write up B. No read up C. No write down D. No read down

Answer : C Explanation: The *- (star) property of the Bell-LaPadula access control model states that writing of information by a subject at a higher level of sensitivity to an object at a lower level of sensitivity is not permitted (no write down). Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security Architectures and Models (page 202). Also check out: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw- Hill/Osborne, 2002, Chapter 5: Security Models and Architecture (page 242, 243). NEXT QUESTION

What is the main focus of the Bell-LaPadula security model? A. Accountability B. Integrity C. Confidentiality D. Availability

Answer : C Explanation: The Bell-LaPadula model is a formal model dealing with confidentiality. The BellLaPadula Model (abbreviated BLP) is a state machine model used for enforcing access control in government and military applications. It was developed by David Elliott Bell and Leonard J. LaPadula, subsequent to strong guidance from Roger R. Schell to formalize the U.S. Department of Defense (DoD) multilevel security (MLS) policy. The model is a formal state transition model of computer security policy that describes a set of access control rules which use security labels on objects and clearances for subjects. Security labels range from the most sensitive (e.g."Top Secret"), down to the least sensitive (e.g., "Unclassified" or "Public"). The BellLaPadula model focuses on data confidentiality and controlled access to classified information, in contrast to the Biba Integrity Model which describes rules for the protection of data integrity. In this formal model, the entities in an information system are divided into subjects and objects. The notion of a "secure state" is defined, and it is proven that each state transition preserves security by moving from secure state to secure state, thereby inductively proving that the system satisfies the security objectives of the model. The BellLaPadula model is built on the concept of a state machine with a set of allowable states in a computer network system. The transition from one state to another state is defined by transition functions. A system state is defined to be "secure" if the only permitted access modes of subjects to objects are in accordance with a security policy. To determine whether a specific access mode is allowed, the clearance of a subject is compared to the classification of the object (more precisely, to the combination of classification and set of compartments, making up the security level) to determine if the subject is authorized for the specific access mode. The clearance/classification scheme is expressed in terms of a lattice. The model defines two mandatory access control (MAC) rules and one discretionary access control (DAC) rule with three security properties: The Simple Security Property - a subject at a given security level may not read an object at a higher security level (no read-up). The -property (read "star"- property) - a subject at a given security level must not write to any object at a lower security level (no write-down). The -property is also known as the Confinement property. The Discretionary Security Property - use of an access matrix to specify the discretionary access control. The following are incorrect answers: Accountability is incorrect. Accountability requires that actions be traceable to the user that performed them and is not addressed by the Bell-LaPadula model. Integrity is incorrect. Integrity is addressed in the Biba model rather than Bell-Lapadula. Availability is incorrect. Availability is concerned with assuring that data/services are available to authori NEXT QUESTION

Which integrity model defines a constrained data item, an integrity verification procedure and a transformation procedure? A. The Take-Grant model B. The Biba integrity model C. The Clark Wilson integrity model D. The Bell-LaPadula integrity model

Answer : C Explanation: The Clark Wilson integrity model addresses the three following integrity goals: 1) data is protected from modification by unauthorized users; 2) data is protected from unauthorized modification by authorized users; and 3) data is internally and externally consistent. It also defines a Constrained Data Item (CDI), an Integrity Verification Procedure (IVP), a Transformation Procedure (TP) and an Unconstrained Data item. The Bell-LaPadula and Take-Grant models are not integrity models. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security Architecture and Models (page 205). NEXT QUESTION

Which security model uses division of operations into different parts and requires different users to perform each part? A. Bell-LaPadula model B. Biba model C. Clark-Wilson model D. Non-interference model

Answer : C Explanation: The Clark-Wilson model uses separation of duties, which divides an operation into different parts and requires different users to perform each part. This p p , p p q p p prevents authorized users from making unauthorized modifications to data, thereby protecting its integrity. The Clark-Wilson integrity model provides a foundation for specifying and analyzing an integrity policy for a computing system. The model is primarily concerned with formalizing the notion of information integrity. Information integrity is maintained by preventing corruption of data items in a system due to either error or malicious intent. An integrity policy describes how the data items in the system should be kept valid from one state of the system to the next and specifies the capabilities of various principals in the system. The model defines enforcement rules and certification rules. The models enforcement and certification rules define data items and processes that provide the basis for an integrity policy. The core of the model is based on the notion of a transaction. A well-formed transaction is a series of operations that transition a system from one consistent state to another consistent state. In this model the integrity policy addresses the integrity of the transactions. The principle of separation of duty requires that the certifier of a transaction and the implementer be different entities. The model contains a number of basic constructs that represent both data items and processes that operate on those data items. The key data type in the Clark-Wilson model is a Constrained Data Item (CDI). An Integrity Verification Procedure (IVP) ensures that all CDIs in the system are valid at a certain state. Transactions that enforce the integrity policy are represented by Transformation Procedures (TPs). A TP takes as input a CDI or Unconstrained Data Item (UDI) and produces a CDI. A TP must transition the system from one valid state to another valid state. UDIs represent system input (such as that provided by a user or adversary). A TP must guarantee (via certification) that it transforms all possible values of a UDI to a safe CDI. In general, preservation of data integrity has three goals: Prevent data modification by unauthorized parties Prevent unauthorized data modification by authorized parties Maintain internal and external consistency (i.e. data reflects the real world) Clark-Wilson addresses all three rules but BIBA addresses only the first rule of intergrity. References: HARRIS, Shon, All-In-One CISSP Certification Fifth Edition, McGraw-Hill/Osborne, Chapter 5: Security Architecture and Design (Page 341-344). and http://en.wikipedia.org/wiki/Clark-Wilson_model NEXT QUESTION

Which security model uses division of operations into different parts and requires different users to perform each part? A. Bell-LaPadula model B. Biba model C. Clark-Wilson model D. Non-interference model

Answer : C Explanation: The Clark-Wilson model uses separation of duties, which divides an operation into different parts and requires different users to perform each part. This prevents authorized users from making unauthorized modifications to data, thereby protecting its integrity. The Clark-Wilson integrity model provides a foundation for specifying and analyzing an integrity policy for a computing system. The model is primarily concerned with formalizing the notion of information integrity. Information integrity is maintained by preventing corruption of data items in a system due to either error or malicious intent. An integrity policy describes how the data items in the system should be kept valid from one state of the system to the next and specifies the capabilities of various principals in the system. The model defines enforcement rules and certification rules. The models enforcement and certification rules define data items and processes that provide the basis for an integrity policy. The core of the model is based on the notion of a transaction. A well-formed transaction is a series of operations that transition a system from one consistent state to another consistent state. In this model the integrity policy addresses the integrity of the transactions. The principle of separation of duty requires that the certifier of a transaction and the implementer be different entities. The model contains a number of basic constructs that represent both data items and processes that operate on those data items. The key data type in the Clark-Wilson model is a Constrained Data Item (CDI). An Integrity Verification Procedure (IVP) ensures that all CDIs in the system are valid at a certain state. Transactions that enforce the integrity policy are represented by Transformation Procedures (TPs). A TP takes as input a CDI or Unconstrained Data Item (UDI) and produces a CDI. A TP must transition the system from one valid state to another valid state. UDIs represent system input (such as that provided by a user or adversary). A TP must guarantee (via certification) that it transforms all possible values of a UDI to a safe CDI. In general, preservation of data integrity has three goals: Prevent data modification by unauthorized parties Prevent unauthorized data modification by authorized parties Maintain internal and external consistency (i.e. data reflects the real world) Clark-Wilson addresses all three rules but BIBA addresses only the first rule of intergrity. References: HARRIS, Shon, All-In-One CISSP Certification Fifth Edition, McGraw-Hill/Osborne, Chapter 5: Security Architecture and Design (Page 341-344). and http://en.wikipedia.org/wiki/Clark-Wilson_model NEXT QUESTION

The environment that must be protected includes all personnel, equipment, data, communication devices, power supply and wiring. The necessary level of protection depends on the value of the data, the computer systems, and the company assets within the facility. The value of these items can be determined by what type of analysis? A. Critical-channel analysis B. Covert channel analysis C. Critical-path analysis D. Critical-conduit analysis

Answer : C Explanation: The effectiveness of security controls is measured by the probability of detection at the point where there is enough time for a response team to interrupt an adversary. The critical path is the adversary path with the lowest probability of interruption. An adversary path is an ordered sequence of actions against an asset that could result in it being compromised. Adversaries could normally be expected to take the easiest and most direct route. Early detection of unauthorised access enables a quicker response. Ideally interception should occur before access to the asset, but this depends on the asset and the security objectives. Interruption may not be required if tamper evidence is the objective for protecting the asset. See example below: Critical Path Analysis Physical Security THE CISSP EXAM AND PHYSICAL SECURITY Information security depends on the security and management of the physical space in which computer systems operate. The CISSP exam's Common Body of Knowledge addresses the challenges of securing the physical space, its systems and the people who work within it by use of administrative, technical and physical controls. The following topics are covered: Facilities management: The administrative processes that govern the maintenance and protection of the physical operations space, from site selection through emergency response. Risks, issues and protection strategies: Risk identification and the selection of security protection components. Perimeter security: Typical physical protection controls. Facilities management Facilities management is a complex component of corporate security that ranges from the planning of a secure physical site to the management of the physical information system environment. Facilities management responsibilities include site selection and physical security planning (i.e. facility construction, design and layout, fire and water damage protection, antitheft mechanisms, intrusion detection and security procedures.) Protections must extend to both people and assets. The necessary level of protection depends on the value of the assets and data. As an exam candidate your must learn the concept of critical-path analysis as a means of determining a component's business function criticality relative to the cost of operation and replacement. Furthermore, students need to gain an understanding of the optimal location and physical attributes of a secure facility. Among the topics covered in this domain are site inspection, location, accessibility and obscurity, considering the area crime rate, and the likelihood of natural hazards such as floods or earthquakes. EXAM TIP: This topic could be either from a Physical Security perspective or from a Logical Security Perspective. From a logical perspective it is define as: An analysis that defines relationships between mission critical applications. This type of analysis is performed to show what must happen to stay in business. Reference(s) used for this questi NEXT QUESTION

Which security model ensures that actions that take place at a higher security level do not affect actions that take place at a lower level? A. The Bell-LaPadula model B. The information flow model C. The noninterference model D. The Clark-Wilson model

Answer : C Explanation: The goal of a noninterference model is to strictly separate differing security levels to assure that higher-level actions do not determine what lower-level users can see. This is in contrast to other security models that control information flows between differing levels of users, By maintaining strict separation of security levels, a noninterference model minimizes leakages that might happen through a covert channel. The model ensures that any actions that take place at a higher security level do not affect, or interfere with, actions that take place at a lower level. It is not concerned with the flow of data, but rather with what a subject knows about the state of the system. So if an entity at a higher security level performs an action, it can not change the state for the entity at the lower level. The model also addresses the inference attack that occurs when some one has access to some type of information and can infer(guess) something that he does not have the clearance level or authority to know. The following are incorrect answers: The Bell-LaPadula model is incorrect. The Bell-LaPadula model is concerned only with confidentiality and bases access control decisions on the classfication of objects and the clearences of subjects. The information flow model is incorrect. The information flow models have a similar framework to the Bell-LaPadula model and control how information may flow between objects based on security classes. Information will be allowed to flow only in accordance with the security policy. The Clark-Wilson model is incorrect. The Clark-Wilson model is concerned with change control and assuring that all modifications to objects preserve integrity by means of well- formed transactions and usage of an access triple (subjet - interface - object). References: CBK, pp 325 - 326 AIO3, pp. 290 - 291 AIOv4 Security Architecture and Design (page 345) AIOv5 Security Architecture and Design (pages 347 - 348) https://en.wikibooks.org/wiki/Security_Architecture_and_Design/Security_Models#Noninterf erence_Models NEXT QUESTION

How are memory cards and smart cards different? A. Memory cards normally hold more memory than smart cards B. Smart cards provide a two-factor authentication whereas memory cards don't C. Memory cards have no processing power D. Only smart cards can be used for ATM cards

Answer : C Explanation: The main difference between memory cards and smart cards is their capacity to process information. A memory card holds information but cannot process information. A smart card holds information and has the necessary hardware and software to actually process that information. A memory card holds a users authentication information, so that this user needs only type in a user ID or PIN and presents the memory card to the system. If the entered information and the stored information match and are approved by an authentication service, the user is successfully authenticated. A common example of a memory card is a swipe card used to provide entry to a building. The user enters a PIN and swipes the memory card through a card reader. If this is the correct combination, the reader flashes green and the individual can open the door and enter the building. Memory cards can also be used with computers, but they require a reader to process the information. The reader adds cost to the process, especially when one is needed for every computer. Additionally, the overhead of PIN and card generation adds additional overhead and complexity to the whole authentication process. However, a memory card provides a more secure authentication method than using only a password because the attacker would need to obtain the card and know the correct PIN. Administrators and management need to weigh the costs and benefits of a memory card implementation as well as the security needs of the organization to determine if it is the right authentication mechanism for their environment. One of the most prevalent weaknesses of memory cards is that data stored on the card are not protected. Unencrypted data on the card (or stored on the magnetic strip) can be extracted or copied. Unlike a smart card, where security controls and logic are embedded in the integrated circuit, memory cards do not employ an inherent mechanism to protect the data from exposure. Very little trust can be associated with confidentiality and integrity of information on the memory cards. The following answers are incorrect: "Smart cards provide two-factor authentication whereas memory cards don't" is incorrect. This is not necessarily true. A memory card can be combined with a pin or password to offer two factors authentication where something you have and something you know are used for factors. "Memory cards normally hold more memory than smart cards" is incorrect. While a memory card may or may not have more memory than a smart card, this is certainly not the best answer to the question. "Only smart cards can be used for ATM cards" is incorrect. This depends on the decisions made by the particular institution and is not the best answer to the question. Reference(s) used for this question: Shon Harris, CISSP All In One, 6th edition , Access Control, Page 199 and also for people using the Kindle edition of the book you can look at Locations 4647-4650 Schneiter, Andrew (2013-04-15). Official (ISC)2 NEXT QUESTION

In order to enable users to perform tasks and duties without having to go through extra steps it is important that the security controls and mechanisms that are in place have a degree of? A. Complexity B. Non-transparency C. Transparency D. Simplicity

Answer : C Explanation: The security controls and mechanisms that are in place must have a degree of transparency. This enables the user to perform tasks and duties without having to go through extra steps because of the presence of the security controls. Transparency also does not let the user know too much about the controls, which helps prevent him from figuring out how to circumvent them. If the controls are too obvious, an attacker can figure out how to compromise them more easily. Security (more specifically, the implementation of most security controls) has long been a sore point with users who are subject to security controls. Historically, security controls have been very intrusive to users, forcing them to interrupt their work flow and remember arcane codes or processes (like long passwords or access codes), and have generally been seen as an obstacle to getting work done. In recent years, much work has been done to remove that stigma of security controls as a detractor from the work process adding nothing but time and money. When developing access control, the system must be as transparent as possible to the end user. The users should be required to interact with the system as little as possible, and the process around using the control should be engineered so as to involve little effort on the part of the user. For example, requiring a user to swipe an access card through a reader is an effective way to ensure a person is authorized to enter a room. However, implementing a technology (such as RFID) that will automatically scan the badge as the user approaches the door is more transparent to the user and will do less to impede the movement of personnel in a busy area. In another example, asking a user to understand what applications and data sets will be required when requesting a system ID and then specifically requesting access to those resources may allow for a great deal of granularity when provisioning access, but it can hardly be seen as transparent. A more transparent process would be for the access provisioning system to have a role-based structure, where the user would simply specify the role he or she has in the organization and the system would know the specific resources that user needs to access based on that role. This requires less work and interaction on the part of the user and will lead to more accurate and secure access control decisions because access will be based on predefined need, not user preference. When developing and implementing an access control system special care should be taken to ensure that the control is as transparent to the end user as possible and interrupts his work flow as little as possible. The following answers were incorrect: All of the other detractors were incorrect. Reference(s) used for this question: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 6th edition. Operations Security, Page 1239-1240 Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 25278-25 NEXT QUESTION

Which of the following would be best suited to oversee the development of an information security policy? A. System Administrators B. End User C. Security Officers D. Security administrators

Answer : C Explanation: The security officer would be the best person to oversea the development of such policies. Security officers and their teams have typically been charged with the responsibility of creating the security policies. The policies must be written and communicated appropriately to ensure that they can be understood by the end users. Policies that are poorly written, or written at too high of an education level (common industry practice is to focus the content for general users at the sixth- to eighth-grade reading level), will not be understood. Implementing security policies and the items that support them shows due care by the company and its management staff. Informing employees of what is expected of them and the consequences of noncompliance can come down to a liability issue. While security officers may be responsible for the development of the security policies, the effort should be collaborative to ensure that the business issues are addressed. The security officers will get better corporate support by including other areas in policy development. This helps build buy-in by these areas as they take on a greater ownership of the final product. Consider including areas such as HR, legal, compliance, various IT areas and specific business area representatives who represent critical business units. When policies are developed solely within the IT department and then distributed without business input, they are likely to miss important business considerations. Once policy documents have been created, the basis for ensuring compliance is established. Depending on the organization, additional documentation may be necessary to support policy. This support may come in the form of additional controls described in standards, baselines, or procedures to help personnel with compliance. An important step after documentation is to make the most current version of the documents readily accessible to those who are expected to follow them. Many organizations place the documents on their intranets or in shared file folders to facilitate their accessibility. Such placement of these documents plus checklists, forms, and sample documents can make awareness more effective. For your exam you should know the information below: End User - The end user is responsible for protecting information assets on a daily basis through adherence to the security policies that have been communicated. Executive Management/Senior Management - Executive management maintains the overall responsibility for protection of the information assets. The business operations are dependent upon information being available, accurate, and protected from individuals without a need to know. Security Officer - The security officer directs, coordinates, plans, and organizes information security activities throughout the organization. The security officer works with many different individuals, such as executive management, management of the business units, technical staff, business partners, a NEXT QUESTION

During which phase of an IT system life cycle are security requirements developed? A. Operation B. Initiation C. Functional design analysis and Planning D. Implementation

Answer : C Explanation: The software development life cycle (SDLC) (sometimes referred to as the System Development Life Cycle) is the process of creating or altering software systems, and the models and methodologies that people use to develop these systems. The NIST SP 800-64 revision 2 has within the description section of para 3.2.1: This section addresses security considerations unique to the second SDLC phase. Key security activities for this phase include: Conduct the risk assessment and use the results to supplement the baseline security controls; Analyze security requirements; Perform functional and security testing; Prepare initial documents for system pp y ; y y q ; y g; p y certification and accreditation; and Design security architecture. Reviewing this publication you may want to pick development/acquisition. Although initiation would be a decent choice, it is correct to say during this phase you would only brainstorm the idea of security requirements. Once you start to develop and acquire hardware/software components then you would also develop the security controls for these. The Shon Harris reference below is correct as well. Shon Harris' Book (All- in-One CISSP Certification Exam Guide) divides the SDLC differently: - Project initiation - Functional design analysis and planning - System design specifications - Software development - Installation - Maintenance support - Revision and replacement According to the author (Shon Harris), security requirements should be developed during the functional design analysis and planning phase. SDLC POSITIONING FROM NIST 800-64 SDLC Positioning in the enterprise Information system security processes and activities provide valuable input into managing IT systems and their development, enabling risk identification, planning and mitigation. A risk management approach involves continually balancing the protection of agency information and assets with the cost of security controls and mitigation strategies throughout the complete information system development life cycle (see Figure 2-1 above). The most effective way to implement risk management is to identify critical assets and operations, as well as systemic vulnerabilities across the agency. Risks are shared and not bound by organization, revenue source, or topologies. Identification and verification of critical assets and operations and their interconnections can be achieved through the system security planning process, as well as through the compilation of information from the Capital Planning and Investment Control (CPIC) and Enterprise Architecture (EA) processes to establish insight into the agencys vital business operations, their supporting assets, and existing interdependencies and relationships. With critical assets and operations identified, the organization can and should perform a business impact analysis (BIA). The purpose of the BIA is to relate systems and assets with the critical services they provide and assess the consequences of their disruption. By identi NEXT QUESTION

Which Orange book security rating is the FIRST to be concerned with covert channels? A. A1 B. B3 C. B2 D. B1

Answer : C Explanation: This class ("Structured Protection") requires more stringent authentication mechanisms and well-defined interfaces between layers. Subjects and devices require labels and the system must not allow covert channels. A1 is incorrect. A1 is also called "Verified Design" and requires formal verification of the design and specifications. B3 is incorrect. B3 is also called "Security Domains" and imposes more granularity in each protection mechanism. B1 is incorrect. B1 is also called "Labeled Security" and each data object must have a classification label and each subject a clearance label. On each access attempt, the classification and clearance are checked to verify that the access is permissible. EXAM TIP: The CBK only discusses the TCSEC in a very minimal fashion and the details are presented in a much more completely in the Shon Harris, All In One book. Folk wisdom has it that this reflects the CBK/security industry migration away from the TCSEC to the CC but the wise candidate will develop at least some familiarity with the TCSEC. There are still questions on TCSEC showing up randomly on the exam. NOTE FROM CLEMENT: As of today (April 2014) subjects such as the TCSEC are still proclaimed to be on the exam. Do make sure that you take some time to review the TCSEC ratings. You can download a nice one page resume of the TCSEC rating at the following link: https://www.freepracticetests.org/documents/tcsec.pdf Do study this one page document and get familiar with what is being introduced at each of the TCSEC levels. Good questions might be for example: 1. At what level are labels introduced? 2. At what level is the Security Administrator role defined? 3. At what level are covert channel first introduced? 4. At what level do you use formal methods? References: The Official ISC2 CBK study guide, pages 329 - 330. AIO3, pp. 302 - 306 AIOv4 Security Architecture and Design (pages 357 - 361) AIOv5 Security Architecture and Design (pages 358 - 362) NEXT QUESTION

The Orange Book states that "Hardware and software features shall be provided that can be used to periodically validate the correct operation of the on-site hardware and firmware elements of the TCB [Trusted Computing Base]." This statement is the formal requirement for: A. Security Testing. B. Design Verification. C. System Integrity. D. System Architecture Specification.

Answer : C Explanation: This is a requirement starting as low as C1 within the TCSEC rating. The Orange book requires the following for System Integrity Hardware and/or software features shall be provided that can be used to periodically validate the correct operation of the on-site hardware and firmware elements of the TCB. NOTE FROM CLEMENT: This is a question that confuses a lot of people because most people take for granted that the orange book with its associated Bell LaPadula model has nothing to do with integrity. However you have to be careful about the context in which the word integrity is being used. You can have Data Integrity and you can have System Integrity which are two completely different things. Yes, the Orange Book does not specifically address the Integrity requirements, however it has to run on top of systems that must meet some integrity requirements. This is part of what they call operational assurance which is defined as a level of confidence of a trusted systems architecture and implementation that enforces the systems security policy. It includes: System architecture Covert channel analysis System integrity Trusted recovery DATA INTEGRITY Data Integrity is very different from System Integrity. When you have integrity of the data, there are three goals: 1. Prevent authorized users from making unauthorized modifications 2. Preven unauthorized users from making modifications 3. Maintaining internal and external consistancy of the data Bell LaPadula which is based on the Orange Book address does not address Integrity, it addresses only Confidentiality. Biba address only the first goal of integrity. Clark-Wilson addresses the three goals of integrity. In the case of this question, there is a system integrity requirement within the TCB. As mentioned above here is an extract of the requirements: Hardware and/or software features shall be provided that can be used to periodically validate the correct operation of the on-site hardware q p p y p and firmware elements of the TCB. The following answers are incorrect: Security Testing. Is incorrect because Security Testing has no set of requirements in the Orange book. Design Verification. Is incorrect because the Orange book's requirements for Design Verification include: A formal model of the security policy must be clearly identified and documented, including a mathematical proof that the model is consistent with its axioms and is sufficient to support the security policy. System Architecture Specification. Is incorrect because there are no requirements for System Architecture Specification in the Orange book. The following reference(s) were used for this question: Trusted Computer Security Evaluation Criteria (TCSEC), DoD 5200.28-STD, page 15, 18, 25, 31, 40, 50. Harris, Shon (2012-10-25). CISSP All- in-One Exam Guide, 6th Edition, Security Architecture and Design, Page 392-397, for users with the Kindle Version see Kindle Locations 28504-28505. and DOD TCSEC - http://www.cerberussystems.com/INFOSEC/ NEXT QUESTION

You have been tasked to develop an effective information classification program. Which one of the following steps should be performed first? A. Establish procedures for periodically reviewing the classification and ownership B. Specify the security controls required for each classification level C. Identify the data custodian who will be responsible for maintaining the security level of data D. Specify the criteria that will determine how data is classified

Answer : D Explanation: According to the AIO 3rd edition, these are the necessary steps for a proper classification program: 1. Define classification levels. 2. Specify the criteria that will determine how data is classified. 3. Have the data owner indicate the classification of the data she is responsible for. 4. Identify the data custodian who will be responsible for maintaining data and its security level. 5. Indicate the security controls, or protection mechanisms, that are required for each classification level. 6. Document any exceptions to the previous classification issues. 7. Indicate the methods that can be used to transfer custody of the information to a different data owner. 8. Create a procedure to periodically review the classification and ownership. Communicate any changes to the data custodian. 9. Indicate termination procedures for declassifying the data. 10. Integrate these issues into the security-awareness program so that all employees understand how to handle data at different classification levels. Domain: Information security and risk management Reference: AIO 3rd edition page 50 NEXT QUESTION

Which of the following is related to physical security and is not considered a technical control? A. Access control Mechanisms B. Intrusion Detection Systems C. Firewalls D. Locks

Answer : D Explanation: All of the above are considered technical controls except for locks, which are physical controls. Administrative, Technical, and Physical Security Controls Administrative security controls are primarily policies and procedures put into place to define and guide employee actions in dealing with the organization's sensitive information. For example, policy might dictate (and procedures indicate how) that human resources conduct background checks on employees with access to sensitive information. Requiring that information be classified and the process to classify and review information classifications is another example of an administrative control. The organization security awareness program is an administrative control used to make employees cognizant of their security roles and responsibilities. Note that administrative security controls in the form of a policy can be enforced or verified with technical or physical security controls. For instance, security policy may state that computers without antivirus software cannot connect to the network, but a technical control, such as network access control software, will check for antivirus software when a computer tries to attach to the network. Technical security controls (also called logical controls) are devices, processes, protocols, and other measures used to protect the C.I.A. of sensitive information. Examples include logical access systems, encryptions systems, antivirus systems, firewalls, and intrusion detection systems. Physical security controls are devices and means to control physical access to sensitive information and to protect the availability of the information. Examples are physical access systems (fences, mantraps, guards), physical intrusion detection systems (motion detector, alarm system), and physical protection systems (sprinklers, backup generator). Administrative and technical controls depend on proper physical security controls being in place. An administrative policy allowing only authorized employees access to the data center do little good without some kind of physical access control. From the GIAC.ORG website NEXT QUESTION

At which of the basic phases of the System Development Life Cycle are security requirements formalized? A. Disposal B. System Design Specifications C. Development and Implementation D. Functional Requirements Definition

Answer : D Explanation: During the Functional Requirements Definition the project management and systems development teams will conduct a comprehensive analysis of current and possible future functional requirements to ensure that the new system will meet end-user needs. The teams also review the documents from the project initiation phase and make any revisions or updates as needed. For smaller projects, this phase is often subsumed in the project initiation phase. At this point security requirements should be formalized. The Development Life Cycle is a project management tool that can be used to plan, execute, and control a software development project usually called the Systems Development Life Cycle (SDLC). The SDLC is a process that includes systems analysts, software engineers, programmers, and end users in the project design and development. Because there is no industry-wide SDLC, an organization can use any one, or a combination of SDLC methods. The SDLC simply provides a framework for the phases of a software development project from defining the functional requirements to implementation. Regardless of the method used, the SDLC outlines the essential phases, which can be shown together or as separate elements. The model chosen should be based on the project. For example, some models work better with long-term, complex projects, while others are more suited for short-term projects. The key element is that a formalized SDLC is utilized. The number of phases can range from three basic phases (concept, design, and implement) on up. The basic phases of SDLC are: Project initiation and planning Functional requirements definition System design specifications Development and implementation Documentation and common program controls Testing and evaluation control, (certification and accreditation) Transition to production (implementation) The system life cycle (SLC) extends beyond the SDLC to include two additional phases: Operations and maintenance support (post-installation) Revisions and system replacement System Design Specifications This phase includes all activities related to designing the system and software. In this phase, the system architecture, system outputs, and system interfaces are designed. Data input, data flow, and output requirements are established and security features are designed, generally based on the overall security architecture for the company. Development and Implementation During this phase, the source code is generated, test scenarios and test cases are developed, unit and integration testing is conducted, and the program and system are documented for maintenance and for turnover to acceptance testing and production. As well as general care for software quality, reliability, and consistency of p g p g q y, y, y operation, particular care should be taken to ensure that the code is analyzed to eliminate common vulnerabilities that might lead to security exploits and other risks. Documentation and Common Program Controls These are controls used wh NEXT QUESTION

NO: 33 Who is responsible for providing reports to the senior management on the effectiveness of the security controls? A. Information systems security professionals B. Data owners C. Data custodians D. Information systems auditors

Answer : D Explanation: IT auditors determine whether systems are in compliance with the security policies, procedures, standards, baselines, designs, architectures, management direction and other requirements" and "provide top company management with an independent view of the controls that have been designed and their effectiveness." "Information systems security professionals" is incorrect. Security professionals develop the security policies and supporting baselines, etc. "Data owners" is incorrect. Data owners have overall responsibility for information assets and assign the appropriate classification for the asset as well as ensure that the asset is protected with the proper controls. "Data custodians" is incorrect. Data custodians care for an information asset on behalf of the data owner. References; CBK, pp. 38 - 42. AIO3. pp. 99 104 NEXT QUESTION

Which of the following statements pertaining to protection rings is false? A. They provide strict boundaries and definitions on what the processes that work within each ring can access. B. Programs operating in inner rings are usually referred to as existing in a privileged mode. C. They support the CIA triad requirements of multitasking operating systems. D. They provide users with a direct access to peripherals

Answer : D Explanation: In computer science, hierarchical protection domains, often called protection rings, are mechanisms to protect data and functionality from faults (fault tolerance) and malicious behaviour (computer security). This approach is diametrically opposite to that of capability-based security. Computer operating systems provide different levels of access to resources. A protection ring is one of two or more hierarchical levels or layers of privilege within the architecture of a computer system. This is generally hardware-enforced by some CPU architectures that provide different CPU modes at the hardware or microcode level. Rings are arranged in a hierarchy from most privileged (most trusted, usually numbered zero) to least privileged (least trusted, usually with the highest ring number). On most operating systems, Ring 0 is the level with the most privileges and interacts most directly with the physical hardware such as the CPU and memory. Special gates between rings are provided to allow an outer ring to access an inner ring's resources in a predefined manner, as opposed to allowing arbitrary usage. Correctly gating access between rings can improve security by preventing programs from one ring or privilege level from misusing resources intended for programs in another. For example, spyware running as a user program in Ring 3 should be prevented from turning on a web camera without informing the user, since hardware access should be a Ring 1 function reserved for device drivers. Programs such as web browsers running in higher numbered rings must request access to the network, a resource restricted to a lower numbered ring. "They provide strict boundaries and definitions on what the processes that work within each ring can access" is incorrect. This is in fact one of the characteristics of a ring protection system. "Programs operating in inner rings are usually referred to as existing in a privileged mode" is incorrect. This is in fact one of the characteristics of a ring protection system. "They support the CIA triad requirements of multitasking operating systems" is incorrect. This is in fact one of the characteristics of a ring protection system. Reference(s) used for this question: CBK, pp. 310-311 AIO3, pp. 253-256 AIOv4 Security Architecture and Design (pages 308 - 310) AIOv5 Security Architecture and Design (pages 309 - 312) NEXT QUESTION

STION NO: 42 Which of the following security control is intended to bring environment back to regular operation? A. Deterrent B. Preventive C. Corrective D. Recovery

Answer : D Explanation: Recovery controls are intended to bring the environment back to regular operations For your exam you should know below information about different security controls Deterrent Controls Deterrent Controls are intended to discourage a potential attacker. Access controls act as a deterrent to threats and attacks by the simple fact that the existence of the control is enough to keep some potential attackers from attempting to circumvent the control. This is often because the effort required to circumvent the control is far greater than the potential reward if the attacker is successful, or, conversely, the negative implications of a failed attack (or getting caught) outweigh the benefits of success. For example, by forcing the identification and authentication of a user, service, or application, and all that it implies, the potential for incidents associated with the system is significantly reduced because an attacker will fear association with the incident. If there are no controls for a given access path, the number of incidents and the potential impact become infinite. Controls inherently reduce exposure to risk by applying oversight for a process. This oversight acts as a deterrent, curbing an attackers appetite in the face of probable repercussions. The best example of a deterrent control is demonstrated by employees and their propensity to intentionally perform unauthorized functions, leading to unwanted events. When users begin to understand that by authenticating into a system to perform a function, their activities are logged and monitored, and it reduces the likelihood they will attempt such an action. Many threats are based on the anonymity of the threat agent, and any potential for identification and association with their actions is avoided at all costs. It is this fundamental reason why access controls are the key target of circumvention by attackers. Deterrents also take the form of potential punishment if users do something unauthorized. For example, if the organization policy specifies that an employee installing an unauthorized wireless access point will be fired, that will determine most employees from installing wireless access points. Preventative Controls Preventive controls are intended to avoid an incident from occurring. Preventative access controls keep a user from performing some activity or function. Preventative controls differ from deterrent controls in that the control is not optional and cannot (easily) be bypassed. Deterrent controls work on the theory that it is easier to obey the control rather than to risk the consequences of bypassing the control. In other words, the power for action resides with the user (or the attacker). Preventative controls place the power of action with the system, obeying the control is not optional. The only way to bypass the control is to find a flaw in the controls implementation. Compensating Controls Compensating controls are introduced when the existing capabilities of a s NEXT QUESTION

Which of the following risk handling technique involves the practice of passing on the risk to another entity, such as an insurance company? A. Risk Mitigation B. Risk Acceptance C. Risk Avoidance D. Risk transfer

Answer : D Explanation: Risk transfer is the practice of passing on the risk in question to another entity, such as an insurance company. Let us look at one of the examples that were presented above in a different way. For your exam you should know below information about risk assessment and treatment: A risk assessment, which is a tool for risk management, is a method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls. A risk assessment is carried out, and the results are analyzed. Risk analysis is used to ensure that security is cost-effective, relevant, timely, and responsive to threats. Security can be quite complex, even for well-versed security professionals, and it is easy to apply too much security, not enough security, or the wrong security controls, and to spend too much money in the process without attaining the necessary objectives. Risk analysis helps companies prioritize their risks and shows management the amount of resources that should be applied to protecting against those risks in a sensible manner. A risk analysis has four main goals: Identify assets and their value to the organization. Identify vulnerabilities and threats. Quantify the probability and business impact of these potential threats. Provide an economic balance between the impact of the threat and the cost of the countermeasure. Treating Risk Risk Mitigation Risk mitigation is the practice of the elimination of, or the significant decrease in the level of risk presented. Examples of risk mitigation can be seen in everyday life and are readily apparent in the information technology world. Risk Mitigation involves applying appropriate control to reduce risk. For example, to lessen the risk of exposing personal and financial information that is highly sensitive and confidential organizations put countermeasures in place, such as firewalls, intrusion detection/prevention systems, and other mechanisms, to deter malicious outsiders from accessing this highly sensitive information. In the underage driver example, risk mitigation could take the form of driver education for the youth or establishing a policy not allowing the young driver to use a cell phone while driving, or not letting youth of a certain age have more than one friend in the car as a passenger at any given time. Risk Transfer Risk transfer is the practice of passing on the risk in question to another entity, such as an insurance company. Let us look at one of the examples that were presented above in a different way. The family is evaluating whether to permit an underage driver to use the family car. The family decides that it is important for the youth to be mobile, so it transfers the financial risk of a youth being in an accident to the insurance company, which provides the family with auto insurance. It is important to note that the transfer of risk may be accompanied by a cost. This is certainly true for the insurance example present NEXT QUESTION

The "vulnerability of a facility" to damage or attack may be assessed by all of the following except: A. Inspection B. History of losses C. Security controls D. security budget

Answer : D Explanation: Source: The CISSP Examination Textbook- Volume 2: Practice by S. Rao Vallabhaneni. NEXT QUESTION

What is NOT included in a data dictionary? A. Data Element Definitions B. Schema Objects C. Reference Keys D. Structured Query Language

Answer : D Explanation: Structured Query Language (SQL) is a standard programming language used to allow clients to interact with a database. Although SQL can be used to p Q y g g ( Q ) p g g g g g Q access the data dictionary, it is NOT a part of the data dictionary. A data dictionary, or metadata repository, as defined in the IBM Dictionary of Computing, is a "centralized repository of information about data such as meaning, relationships to other data, origin, usage, and format." The term may have one of several closely related meanings pertaining to databases and database management systems (DBMS): a document describing a database or collection of databases an integral component of a DBMS that is required to determine its structure a piece of middleware that extends or supplants the native data dictionary of a DBMS METADATA & DATA DICTIONARY In addition to facilitating the effective retrieving of information, metadata can also manage restricted access to information. Metadata can serve as a gatekeeper function to filter access and thus provide security controls. One specialized form of metadata is the data dictionary, a central repository of information regarding the various databases that may be used within an enterprise. The data dictionary does not provide direct control of the databases, or access control functions, but does give the administrator a full picture of the various bodies of information around the company, potentially including the sensitivity and classification of material held in different objects. Therefore, the data dictionary can be used in risk management and direction of protective resources. A data dictionary is a central collection of data element definitions, schema objects, and reference keys. The schema objects can contain tables, views, indexes, procedures, functions, and triggers. A data dictionary can contain the default values for columns, integrity information, the names of users, the privileges and roles for users, and auditing information. It is a tool used to centrally manage parts of a database by controlling data about the data (referred to as metadata) within the database. It provides a cross-reference between groups of data elements and the databases. The database management software creates and reads the data dictionary to ascertain what schema objects exist and checks to see if specific users have the proper access rights to view them The following answers were incorrect: All of the other options were included within the data dictionary, only SQL is NOT part of the Data Dictionary. The following reference(s) were/was used to create this question: Harris, Shon (2012-10-25). CISSP All-in- One Exam Guide, 6th Edition , Software Development, Page 1178. For kindle users see Kindle Locations 23951-23957. Corporate; (Isc) (2010-04-20). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press), Software Development Security, Page 667. For Kindle users see Kindle Locations 5950-5954. http://en.wikipedia.org/wiki/Data_dictionary NEXT QUESTION

What does the * (star) integrity axiom mean in the Biba model? A. No read up p B. No write down C. No read down D. No write up

Answer : D Explanation: The *- (star) integrity axiom of the Biba access control model states that an object at one level of integrity is not permitted to modify an object of a higher level of integrity (no write up). Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security Architectures and Models (page 205). NEXT QUESTION

What does the * (star) integrity axiom mean in the Biba model? A. No read up B. No write down C. No read down D. No write up

Answer : D Explanation: The *- (star) integrity axiom of the Biba access control model states that an object at one level of integrity is not permitted to modify an object of a higher level of integrity (no write up). Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security Architectures and Models (page 205). NEXT QUESTION

Which of the following statements relating to the Biba security model is FALSE? A. It is a state machine model. B. A subject is not allowed to write up. C. Integrity levels are assigned to subjects and objects. D. Programs serve as an intermediate layer between subjects and objects.

Answer : D Explanation: The Biba model was developed after the Bell-LaPadula model. It is a state machine model and is very similar to the Bell-LaPadula model but the rules are 100% the opposite of Bell-LaPadula. Biba addresses the integrity of data within applications. The Bell-LaPadula model uses a lattice of security levels (top secret, secret, sensitive, and so on). These security levels were developed mainly to ensure that sensitive data was only available to authorized individuals. The Biba model is not concerned with security levels and confidentiality, so it does not base access decisions upon this type of lattice. The Biba model uses a lattice of integrity levels instead of a lattice of confidentiality levels like Bel-LaPadula. If implemented and enforced properly, the Biba model prevents data from any integrity level from flowing to a higher integrity level. Biba has two main rules to provide this type of protection: *-integrity axiom A subject cannot write data to an object at a higher integrity level (referred to as "no write up"). Simple integrity axiom A subject cannot read data from a lower integrity level (referred to as "no read down"). Extra Information on clark-wilson model to understand the concepts: The Clark-Wilson model was developed after Biba and takes some different approaches to protecting the integrity of information. This model uses the following elements: Users Active agents Transformation procedures (TPs) Programmed abstract operations, such as read, write, and modify Constrained data items (CDIs) Can be manipulated only by TPs Unconstrained data items (UDIs) Can be manipulated by users via primitive read and write operations Integrity verification procedures (IVPs) Run periodically to check the consistency of CDIs with external reality The other answers are incorrect: It is a state machine model: Biba model is a state machine model and addresses the integrity of data within applications. A subject is not allowed to write up is a part of integrity axiom in the Biba model. Integrity levels are assigned to subjects and objects is also a characteristic of Biba model as it addresses integrity. Reference(s) used g y g y g j j g y () for this question: Shon Harris , AIO v3 , Chapter-5 : Security Models and Architecture , Page : 282 - 284 Reference: AIOv4 Security Architecture and Design (pages 338 - 342) AIOv5 Security Architecture and Design (pages 341 - 344) NEXT QUESTION

Which of the following is NOT an example of corrective control? A. OS Upgrade B. Backup and restore C. Contingency planning D. System Monitoring

Answer : D Explanation: The word NOT is used as a keyword in the question. You need to find out a security control from an given options which in not corrective control. System Monitoring is a detective control and not a corrective control. For your exam you should know below information about different security controls Deterrent Controls Deterrent Controls are intended to discourage a potential attacker. Access controls act as a deterrent to threats and attacks by the simple fact that the existence of the control is enough to keep some potential attackers from attempting to circumvent the control. This is often because the effort required to circumvent the control is far greater than the potential reward if the attacker is successful, or, conversely, the negative implications of a failed attack (or getting caught) outweigh the benefits of success. For example, by forcing the identification and authentication of a user, service, or application, and all that it implies, the potential for incidents associated with the system is significantly reduced because an attacker will fear association with the incident. If there are no controls for a given access path, the number of incidents and the potential impact become infinite. Controls inherently reduce exposure to risk by applying oversight for a process. This oversight acts as a deterrent, curbing an attackers appetite in the face of probable repercussions. The best example of a deterrent control is demonstrated by employees and their propensity to intentionally perform unauthorized functions, leading to unwanted events. When users begin to understand that by authenticating into a system to perform a function, their activities are logged and monitored, and it reduces the likelihood they will attempt such an action. Many threats are based on the anonymity of the threat agent, and any potential for identification and association with their actions is avoided at all costs. It is this fundamental reason why access controls are the key target of circumvention by attackers. Deterrents also take the form of potential punishment if users do something unauthorized. For example, if the organization policy specifies that an employee installing an unauthorized wireless access point will be fired, that will determine most employees from installing wireless access points. Preventative Controls Preventive controls are intended to avoid an incident from occurring. Preventative access controls keep a user from performing some activity or function. Preventative controls differ from deterrent controls in that the control is not optional and cannot (easily) be bypassed. Deterrent controls work on the theory that it is easier to obey the control rather than to risk the consequences of bypassing the control. In other words, the power for action resides with the user (or the attacker). Preventative controls place the power of action with the system, obeying the control is not optional. The only way to bypass the control is to find a NEXT QUESTION

Which of the following is NOT an example of a detective control? A. System Monitor B. IDS C. Monitor detector D. Backup data restore

Answer : D Explanation: The word NOT is used as a keyword in the question. You need to find out a security control from an given options which in not detective control. Backup data restore is a corrective control and not a detective control. For your exam you should know below information about different security controls Deterrent Controls Deterrent Controls are intended to discourage a potential attacker. Access controls act as a deterrent to threats and attacks by the simple fact that the existence of the control is enough to keep some potential attackers from attempting to circumvent the control. This is often because the effort required to circumvent the control is far greater than the potential reward if the attacker is successful, or, conversely, the negative implications of a failed attack (or getting caught) outweigh the benefits of success. For example, by forcing the identification and authentication of a user, service, or application, and all that it implies, the potential for incidents associated with the system is significantly reduced because an attacker will fear association with the incident. If there are no controls for a given access path, the number of incidents and the potential impact become infinite. Controls inherently reduce exposure to risk by applying oversight for a process. This oversight acts as a deterrent, curbing an attackers appetite in the face of probable repercussions. The best example of a deterrent control is demonstrated by employees and their propensity to intentionally perform unauthorized functions, leading to unwanted events. When users begin to understand that by authenticating into a system to perform a function, their activities are logged and monitored, and it reduces the likelihood they will attempt such an action. Many threats are based on the anonymity of the threat agent, and any potential for identification and association with their actions is avoided at all costs. It is this fundamental reason why access controls are the key target of circumvention by attackers. Deterrents also take the form of potential punishment if users do something unauthorized. For example, if the organization policy specifies that an employee installing an unauthorized wireless access point will be fired, that will determine most employees from installing wireless access points. Preventative Controls g p , p y g p Preventive controls are intended to avoid an incident from occurring. Preventative access controls keep a user from performing some activity or function. Preventative controls differ from deterrent controls in that the control is not optional and cannot (easily) be bypassed. Deterrent controls work on the theory that it is easier to obey the control rather than to risk the consequences of bypassing the control. In other words, the power for action resides with the user (or the attacker). Preventative controls place the power of action with the system, obeying the control is not optional. The only way to bypass the control is to find NEXT QUESTION

Which of the following is NOT an example of a detective control? A. System Monitor B. IDS C. Monitor detector D. Backup data restore

Answer : D Explanation: The word NOT is used as a keyword in the question. You need to find out a security control from an given options which in not detective control. Backup data restore is a corrective control and not a detective control. For your exam you should know below information about different security controls Deterrent Controls Deterrent Controls are intended to discourage a potential attacker. Access controls act as a deterrent to threats and attacks by the simple fact that the existence of the control is enough to keep some potential attackers from attempting to circumvent the control. This is often because the effort required to circumvent the control is far greater than the potential reward if the attacker is successful, or, conversely, the negative implications of a failed attack (or getting caught) outweigh the benefits of success. For example, by forcing the identification and authentication of a user, service, or application, and all that it implies, the potential for incidents associated with the system is significantly reduced because an attacker will fear association with the incident. If there are no controls for a given access path, the number of incidents and the potential impact become infinite. Controls inherently reduce exposure to risk by applying oversight for a process. This oversight acts as a deterrent, curbing an attackers appetite in the face of probable repercussions. The best example of a deterrent control is demonstrated by employees and their propensity to intentionally perform unauthorized functions, leading to unwanted events. When users begin to understand that by authenticating into a system to perform a function, their activities are logged and monitored, and it reduces the likelihood they will attempt such an action. Many threats are based on the anonymity of the threat agent, and any potential for identification and association with their actions is avoided at all costs. It is this fundamental reason why access controls are the key target of circumvention by attackers. Deterrents also take the form of potential punishment if users do something unauthorized. For example, if the organization policy specifies that an employee installing an unauthorized wireless access point will be fired, that will determine most employees from installing wireless access points. Preventative Controls Preventive controls are intended to avoid an incident from occurring. Preventative access controls keep a user from performing some activity or function. Preventative controls differ from deterrent controls in that the control is not optional and cannot (easily) be bypassed. Deterrent controls work on the theory that it is easier to obey the control rather than to risk the consequences of bypassing the control. In other words, the power for action resides with the user (or the attacker). Preventative controls place the power of action with the system, obeying the control is not optional. The only way to bypass the control is to find NEXT QUESTION

Which of the following is NOT an example of preventive control? A. Physical access control like locks and door B. User login screen which allows only authorize user to access website C. Encrypt the data so that only authorize user can view the same D. Duplicate checking of a calculations

Answer : D Explanation: The word NOT is used as a keyword in the question. You need to find out a security control from an given options which in not preventive. Duplicate checking of a calculation is a detective control and not a preventive control. For your exam you should know below information about different security controls Deterrent Controls Deterrent Controls are intended to discourage a potential attacker. Access controls act as a deterrent to threats and attacks by the simple fact that the existence of the control is enough to keep some potential attackers from attempting to circumvent the control. This is often because the effort required to circumvent the control is far greater than the potential reward if the attacker is successful, or, conversely, the negative implications of a failed attack (or getting caught) outweigh the benefits of success. For example, by forcing the identification and authentication of a user, service, or application, and all that it implies, the potential for incidents associated with the system is significantly reduced because an attacker will fear association with the incident. If there are no controls for a given access path, the number of incidents and the potential impact become infinite. Controls inherently reduce exposure to risk by applying oversight for a process. This oversight acts as a deterrent, curbing an attackers appetite in the face of probable repercussions. The best example of a deterrent control is demonstrated by employees and their propensity to intentionally perform unauthorized functions, leading to unwanted events. When users begin to understand that by authenticating into a system to perform a function, their activities are logged and monitored, and it reduces the likelihood they will attempt such an action. Many threats are based on the anonymity of the threat agent, and any potential for identification and association with their actions is avoided at all costs. It is this fundamental reason why access controls are the key target of circumvention by attackers. Deterrents also take the form of potential punishment if users do something unauthorized. For example, if the organization policy specifies that an employee installing an unauthorized wireless access point will be fired, that will determine most employees from installing wireless access points. Preventative Controls Preventive controls are intended to avoid an incident from occurring. Preventative access controls keep a user from performing some activity or function. Preventative controls differ from deterrent controls in that the control is not optional and cannot (easily) be bypassed. Deterrent controls work on the theory that it is easier to obey the control rather than to risk the consequences of bypassing the control. In other words, the power for action resides with the user (or the attacker). Preventative controls place the power of action with the system, obeying the control is not optional. The only way to bypass the control is NEXT QUESTION

Which of the following groups represents the leading source of computer crime losses? A. Hackers B. Industrial saboteurs C. Foreign intelligence officers D. Employees

Answer : D Explanation: There are some conflicting figures as to which group is a bigger threat hackers or employees. Employees are still considered to the leading source of computer crime losses. Employees often have an easier time gaining access to systems or source code then ousiders or other means of creating computer crimes. A word of caution is necessary: although the media has tended to portray the threat of cybercrime as existing almost exclusively from the outside, external to a company, reality paints a much different picture. Often the greatest risk of cybercrime comes from the inside, namely, criminal insiders. Information security professionals must be particularly sensitive to the phenomena of the criminal or dangerous insider, as these individuals usually operate under the radar, inside of the primarily outward/external facing security controls, thus significantly increasing the impact of their crimes while leaving few, if any, audit trails to follow and evidence for prosecution. Some of the large scale crimes committed agains bank lately has shown that Internal Threats are the worst and they are more common that one would think. The definition of what a hacker is can vary greatly from one country to another but in some of the states in the USA a hacker is defined as Someone who is using resources in a way that is not authorized. A recent case in Ohio involved an internal employee who was spending most of his day on dating website looking for the love of his life. The employee was taken to court for hacking the company resources. The following answers are incorrect: hackers. Is incorrect because while hackers represent a very large problem and both the frequency of attacks and overall losses have grown hackers are considered to be a small segment of combined computer fraudsters. industrial saboteurs. Is incorrect because industrial saboteurs tend to go after trade secrets. While the loss to the organization can be great, they still fall short when compared to the losses created by employees. Often it is an employee that was involved in industrial sabotage. foreign intelligence officers. Is incorrect because the losses tend to be national secrets. You really can't put t cost on this and the number of frequency and occurances of this is less than that of employee related losses. Reference(s) used for this question: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 22327-22331). Auerbach Publications. Kindle Edition. NEXT QUESTION