Systems Security Certified Practitioner – SSCP – Question0144

Which of the following statements pertaining to Kerberos is TRUE?

A. Kerberos does not address availability
B. Kerberos does not address integrity
C. Kerberos does not make use of Symmetric Keys
D. Kerberos cannot address confidentiality of information

Correct Answer: A

Explanation:

The question was asking for a TRUE statement and the only correct statement is “Kerberos does not address availability”.
Kerberos addresses the confidentiality and integrity of information. It does not directly address availability. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 42).

Systems Security Certified Practitioner – SSCP – Question0143

Which of the following statements pertaining to biometrics is false?

A. Increased system sensitivity can cause a higher false rejection rate
B. The crossover error rate is the point at which false rejection rate equals the false acceptance rate.
C. False acceptance rate is also known as Type II error.
D. Biometrics are based on the Type 2 authentication mechanism.

Correct Answer: D

Explanation:

Authentication is based on three factor types: type 1 is something you know, type 2 is something you have and type 3 is something you are. Biometrics are based on the Type 3 authentication mechanism. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 37).

Systems Security Certified Practitioner – SSCP – Question0142

Which type of password token involves time synchronization?

A. Static password tokens
B. Synchronous dynamic password tokens
C. Asynchronous dynamic password tokens
D. Challenge-response tokens

Correct Answer: B

Explanation:

Synchronous dynamic password tokens generate a new unique password value at fixed time intervals, so the server and token need to be synchronized for the password to be accepted. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 37). Also check out: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 4: Access Control (page 136).

Systems Security Certified Practitioner – SSCP – Question0141

What security model implies a central authority that defines rules, and sometimes global rules, dictating what subjects can have access to what objects?

A. Flow Model
B. Discretionary access control
C. Mandatory access control
D. Non-discretionary access control

Correct Answer: D

Explanation:

As a security administrator you might configure user profiles so that users cannot change the system’s time, alter system configuration files, access a command prompt, or install unapproved applications. This type of access control is referred to as nondiscretionary, meaning that access decisions are not made at the discretion of the user. Nondiscretionary access controls are put into place by an authoritative entity (usually a security administrator) with the goal of protecting the organization’s most critical assets.
Non-discretionary access control is when a central authority determines what subjects can have access to what objects based on the organizational security policy. Centralized access control is not an existing security model. Both Rule-Based Access Control (RuBAC or RBAC) and Role-Based Access Control (RBAC) fall into this category.
Reference(s) used for this question:
Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 221). McGraw-Hill. Kindle Edition. and KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 33).

Systems Security Certified Practitioner – SSCP – Question0140

What security model is dependent on security labels?

A. Discretionary access control
B. Label-based access control
C. Mandatory access control
D. Non-discretionary access control

Correct Answer: C

Explanation:

With mandatory access control (MAC), the authorization of a subject’s access to an object is dependent upon labels, which indicate the subject’s clearance and the classification or sensitivity of the object. Label-based access control is not a defined model. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 33).

Systems Security Certified Practitioner – SSCP – Question0139

Smart cards are an example of which type of control?

A. Detective control
B. Administrative control
C. Technical control
D. Physical control

Correct Answer: C

Explanation:

Logical or technical controls involve the restriction of access to systems and the protection of information. Smart cards and encryption are examples of these types of control.
Controls are put into place to reduce the risk an organization faces, and they come in three main flavors: administrative, technical, and physical. Administrative controls are commonly referred to as “soft controls” because they are more management-oriented. Examples of administrative controls are security documentation, risk management, personnel security, and training. Technical controls (also called logical controls) are software or hardware components, as in firewalls, IDS, encryption, identification and authentication mechanisms. And physical controls are items put into place to protect facility, personnel, and resources. Examples of physical controls are security guards, locks, fencing, and lighting.
Many types of technical controls enable a user to access a system and the resources within that system. A technical control may be a username and password combination, a Kerberos implementation, biometrics, public key infrastructure (PKI), RADIUS, TACACS+, or authentication using a smart card through a reader connected to a system. These technologies verify that the user is who he says he is by using different types of authentication methods. Once a user is properly authenticated, he can be authorized and allowed access to network resources.
Reference(s) used for this question:
Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (p. 245). McGraw-Hill. Kindle Edition. and KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 32).

Systems Security Certified Practitioner – SSCP – Question0138

Which of the following are not Remote Access concerns?

A. Justification for remote access
B. Auditing of activities
C. Regular review of access privileges
D. Access badges

Correct Answer: D

Explanation:

Access badges are more relevant to physical security rather than remote access.
“Justification for remote access” is incorrect. Justification for remote access is a relevant concern.
“Auditing of activities” is incorrect. Auditing of activities is an important aspect of assuring that malicious or unauthorized activities are not occurring.
“Regular review of access privileges” is incorrect. Regular review of remote access privileges is an important management responsibility.
References: AIO3, pp. 547-548

Systems Security Certified Practitioner – SSCP – Question0137

Which division of the Orange Book deals with discretionary protection (need-to-know)?

A. D
B. C
C. B
D. A

Correct Answer: B

Explanation:

C deals with discretionary protection. See the TCSEC matrix below:

TCSEC matrix (figure not reproduced here)
The following are incorrect answers:
D is incorrect. D deals with minimal security. B is incorrect. B deals with mandatory protection. A is incorrect. A deals with verified protection. Reference(s) used for this question: CBK, pp. 329-330 and Shon Harris, CISSP All In One (AIO), 6th Edition, pages 392-393

Systems Security Certified Practitioner – SSCP – Question0136

What Orange Book security rating is reserved for systems that have been evaluated but fail to meet the criteria and requirements of the higher divisions?

A. A
B. D
C. E
D. F

Correct Answer: B

Explanation:

D or “minimal protection” is reserved for systems that were evaluated under the TCSEC but did not meet the requirements for a higher trust level.
A is incorrect. A or “Verified Protection” is the highest trust level under the TCSEC. E is incorrect. The trust levels are A-D, so “E” is not a valid trust level. F is incorrect. The trust levels are A-D, so “F” is not a valid trust level.
References: CBK, pp. 329-330; AIO3, pp. 302-306

Systems Security Certified Practitioner – SSCP – Question0135

Which of the following security models does NOT concern itself with the flow of data?

A. The information flow model
B. The Biba model
C. The Bell-LaPadula model
D. The noninterference model

Correct Answer: D

Explanation:

The goal of a noninterference model is to strictly separate differing security levels to assure that higher-level actions do not determine what lower-level users can see. This is in contrast to other security models that control information flows between differing levels of users. By maintaining strict separation of security levels, a noninterference model minimizes leakages that might happen through a covert channel.
The Bell-LaPadula model is incorrect. The Bell-LaPadula model is concerned with confidentiality and bases access control decisions on the classification of objects and the clearances of subjects.
The information flow model is incorrect. The information flow models have a similar framework to the Bell-LaPadula model and control how information may flow between objects based on security classes.
The Biba model is incorrect. The Biba model is concerned with integrity and is a complement to the Bell-LaPadula model in that higher levels of integrity are more trusted than lower levels. Access control is based on these integrity levels to assure that read/write operations do not decrease an object’s integrity.
References:
CBK, pp. 325-326; AIO3, pp. 290-291