{"id":168,"date":"2021-01-17T05:28:38","date_gmt":"2021-01-16T17:55:02","guid":{"rendered":"https:\/\/exampracticetests.com\/ISC\/SSCP\/systems-security-certified-practitioner-sscp-question0160\/"},"modified":"2021-01-17T05:43:53","modified_gmt":"2021-01-17T05:43:53","slug":"systems-security-certified-practitioner-sscp-question0160","status":"publish","type":"post","link":"https:\/\/exampracticetests.com\/ISC\/SSCP\/systems-security-certified-practitioner-sscp-question0160\/","title":{"rendered":"Systems Security Certified Practitioner &#8211; SSCP &#8211; Question0160"},"content":{"rendered":"<div class=\"question\">Which of the following would be used to implement Mandatory Access Control (MAC)? <br \/><strong><br \/>A.<\/strong> Clark-Wilson Access Control <br \/><strong>B.<\/strong> Role-based access control <br \/><strong>C.<\/strong> Lattice-based access control <br \/><strong>D.<\/strong> User dictated access control<\/div>\n<p><\/p>\n<style> .hidden-div{ display:none } <\/style>\n<p>\t\t\t\t\t\t\t<button onclick=\"getElementById('hidden-div').style.display = 'block'\"> Show Answer <\/button> <button onclick=\"getElementById('hidden-div').style.display = 'none'\">Hide Answer<\/button><\/p>\n<div class=\"hidden-div\" id=\"hidden-div\"><span style=\"\"><\/p>\n<div class=\"answer\">Correct Answer: <strong>C<\/strong><\/div>\n<p><strong>Explanation:<\/strong> <\/p>\n<div class=\"explanation\">\nThe lattice is a mechanism used to implement Mandatory Access Control (MAC).<br \/>\nUnder Mandatory Access Control (MAC) you have: Mandatory Access Control<br \/>\nUnder Non Discretionary Access Control (NDAC) you have: Rule-Based Access Control, Role-Based Access Control<br \/>\nUnder Discretionary Access Control (DAC) you have: Discretionary Access Control<br \/>\nLattice Based Access Control is a type of access control used to implement other access control methods. A lattice is an ordered list of elements that has a least upper bound and a greatest lower bound. 
The lattice can be used for MAC, DAC, integrity levels, file permissions, and more.<br \/>\nFor example, in the case of MAC, if we look at common government classifications, we have the following:<br \/>\nTOP SECRET<br \/>\nSECRET &#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;I am the user at secret<br \/>\nCONFIDENTIAL<br \/>\nSENSITIVE BUT UNCLASSIFIED<br \/>\nUNCLASSIFIED<br \/>\nIf you look at the diagram above, where I am a user at SECRET, it means that I can access documents at lower classifications but not documents at TOP SECRET. The lattice is a list of ORDERED ELEMENTS; in this case the ordered elements are classification levels. My least upper bound is SECRET and my greatest lower bound is UNCLASSIFIED.<br \/>\nHowever, the lattice could also be used for integrity levels such as:<br \/>\nVERY HIGH<br \/>\nHIGH<br \/>\nMEDIUM &#8212;&#8212;&#8212;-I am a user, process, application at the medium level<br \/>\nLOW<br \/>\nVERY LOW<br \/>\nIn the case of integrity levels you have to think about TRUST. Of course, if I take for example the VISTA operating system, which is based on Biba, then integrity levels would be used. As a user having access to the system I cannot tell a process running with administrative privilege what to do. Otherwise any user on the system could take control of the system by getting a highly privileged process to do things on their behalf. So no read down would be allowed in this case, and this is an example of the Biba model.<br \/>\nLast but not least, the lattice could be used for file permissions:<br \/>\nRWX<br \/>\nRW &#8212;&#8212;&#8212;User at this level<br \/>\nR<br \/>\nIf I am a user with READ and WRITE (RW) access privilege then I cannot execute the file because I do not have execute permission, which is the X under Linux and UNIX.<br \/>\nMany people confuse the Lattice Model, and many books say MAC = LATTICE; however, the lattice can be used for other purposes.<br \/>\nThere is also Role Based Access Control (RBAC) that exists out there. 
It COULD be used to simulate MAC but it is not MAC, as it does not make use of labels on objects indicating sensitivity and categories. MAC also requires a clearance that dominates the object.<br \/>\nYou can get more info about RBAC at: <a href=\"http:\/\/csrc.nist.gov\/groups\/SNS\/rbac\/faq.html#03\" title=\"External link\" rel=\"nofollow noopener\" target=\"_blank\">http:\/\/csrc.nist.gov\/groups\/SNS\/rbac\/faq.html#03<\/a><br \/>\nAlso note that many books use the same acronym, RBAC, for both Role Based Access Control and Rule Based Access Control; this can be confusing.<br \/>\nThe proper way of writing the acronym for Rule Based Access Control is RuBAC; unfortunately it is not commonly used.<br \/>\nReferences: There is a great article on TechNet that talks about the lattice in VISTA: <a href=\"http:\/\/blogs.technet.com\/b\/steriley\/archive\/2006\/07\/21\/442870.aspx\" title=\"External link\" rel=\"nofollow noopener\" target=\"_blank\">http:\/\/blogs.technet.com\/b\/steriley\/archive\/2006\/07\/21\/442870.aspx<\/a> also see: KRUTZ, Ronald L. &#038; VINES, Russell D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley &#038; Sons, 2001, Chapter 2: Access control systems (page 33), and <a href=\"http:\/\/www.microsoft-watch.com\/content\/vista\/gaging_vistas_integrity.html\" title=\"External link\" rel=\"nofollow noopener\" target=\"_blank\">http:\/\/www.microsoft-watch.com\/content\/vista\/gaging_vistas_integrit&#8230;<\/a><\/div>\n<p><\/strong><\/span> <\/div>\n","protected":false},"excerpt":{"rendered":"<p>Which of the following would be used to implement Mandatory Access Control (MAC)? A. Clark-Wilson Access Control B. Role-based access control C. Lattice-based access control D. 
User dictated access control Show Answer Hide Answer Correct Answer: C Explanation: The lattice is a mechanism used to implement Mandatory Access Control (MAC) Under Mandatory Access Control (MAC) [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[1078,163,3],"class_list":["post-168","post","type-post","status-publish","format-standard","hentry","category-systems-security-certified-practitioner-sscp","tag-choices","tag-question-0160","tag-systems-security-certified-practitioner-sscp"],"_links":{"self":[{"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/posts\/168","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/comments?post=168"}],"version-history":[{"count":1,"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/posts\/168\/revisions"}],"predecessor-version":[{"id":1244,"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/posts\/168\/revisions\/1244"}],"wp:attachment":[{"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/media?parent=168"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/categories?post=168"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/tags?post=168"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}