Flydumps ISC CISSP exam questions and answers in PDF are prepared by our expert, Moreover,they are based on the recommended syllabus covering all the ISC CISSP exam objectives.You will find them to be very helpful and precise in the subject matter since all the ISC https://www.lead4pass.com/cissp.html exam content is regularly updated and has been checked for accuracy by our team of Microsoft expert professionals.
In which of the following security models is the subject’s clearance compared to the object’s classification such that specific rules can be applied to control how the subject-to-object interactions take place?
A. Bell-LaPadula model
B. Biba model
C. Access Matrix model
D. Take-Grant model
Correct Answer: A Explanation
The Answer: Bell-LaPadula model
The Bell-LAPadula model is also called a multilevel security system because users with different
clearances use the system and the system processes data with different classifications.
Developed by the US Military in the 1970s.
A security model maps the abstract goals of the policy to information system terms by specifying explicit
data structures and techniques necessary to enforce the security policy. A security model is usually
represented in mathematics and analytical ideas, which are mapped to system specifications and then
developed by programmers through programming code. So we have a policy that encompasses security
goals, such as “each subject must be authenticated and authorized before accessing an object.” The
security model takes this requirement and provides the necessary mathematical formulas, relationships,
and logic structure to be followed to accomplish this goal.
A system that employs the Bell-LaPadula model is called a multilevel security system because users with
different clearances use the system, and the system processes data at different classification levels. The
level at which information is classified determines the handling procedures that should be used. The Bell-
LaPadula model is a state machine model that enforces the confidentiality aspects of access control. A
matrix and security levels are used to determine if subjects can access different objects. The subject’s
clearance is compared to the object’s classification and then specific rules are applied to control how
subject-to-object subject-to- object interactions can take place.
Reference(s) used for this question:
Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (p. 369). McGraw-Hill. Kindle Edition.
Which of the following was developed to address some of the weaknesses in Kerberos and uses public key cryptography for the distribution of secret keys and provides additional access control support?
D. TACACS+ Correct Answer: A
Secure European System for Applications in a Multi-vendor Environment (SESAME) was developed to
address some of the weaknesses in Kerberos and uses public key cryptography for the distribution of
secret keys and provides additional access control support.
TIPTON, Harold, Official (ISC)2 Guide to the CISSP CBK (2007), page 184
ISC OIG Second Edition, Access Controls, Page 111
Single Sign-on (SSO) is characterized by which of the following advantages?
B. Convenience and centralized administration
C. Convenience and centralized data administration
D. Convenience and centralized network administration Correct Answer: B
Convenience -Using single sign-on users have to type their passwords only once when they first log in to access all the network resources; and Centralized Administration as some single sign-on systems are built around a unified server administration system. This allows a single administrator to add and delete accounts across the entire network from one user interface.
The following answers are incorrect:
Convenience – alone this is not the correct answer.
Centralized Data or Network Administration – these are thrown in to mislead the student. Neither are a benefit to SSO, as these specifically should not be allowed with just an SSO.
References: TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 1, page 35
TIPTON, Harold F. & HENRY, Kevin, Official (ISC)2 Guide to the CISSP CBK, 2007, page 180
What is the primary role of smartcards in a PKI?
A. Transparent renewal of user keys
B. Easy distribution of the certificates between the users
C. Fast hardware encryption of the raw data
D. Tamper resistant, mobile storage and application of private keys of the users
Correct Answer: D Explanation
Reference: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 2001, McGraw- Hill/Osborne, page 139;
SNYDER, J., What is a SMART CARD?.
Wikipedia has a nice definition at: http://en.wikipedia.org/wiki/Tamper_resistance Security
Tamper-resistant microprocessors are used to store and process private or sensitive information, such as private keys or electronic money credit. To prevent an attacker from retrieving or modifying the information, the chips are designed so that the information is not accessible through external means and can be accessed only by the embedded software, which should contain the appropriate security measures.
Examples of tamper-resistant chips include all secure cryptoprocessors, such as the IBM 4758 and chips used in smartcards, as well as the Clipper chip.
It has been argued that it is very difficult to make simple electronic devices secure against tampering, because numerous attacks are possible, including: · physical attack of various forms (microprobing, drills, files, solvents, etc.) · freezing the device · applying out-of-spec voltages or power surges · applying unusual clock signals · inducing software errors using radiation · measuring the precise time and power requirements of certain operations (see power analysis)
Tamper-resistant chips may be designed to zeroise their sensitive data (especially cryptographic keys) if they detect penetration of their security encapsulation or out-of-specification environmental parameters. A chip may even be rated for “cold zeroisation”, the ability to zeroise itself even after its power supply has been crippled.
Nevertheless, the fact that an attacker may have the device in his possession for as long as he likes, and perhaps obtain numerous other samples for testing and practice, means that it is practically impossible to totally eliminate tampering by a sufficiently motivated opponent. Because of this, one of the most important elements in protecting a system is overall system design. In particular, tamper-resistant systems should “fail gracefully” by ensuring that compromise of one device does not compromise the entire system. In this manner, the attacker can be practically restricted to attacks that cost less than the expected return from compromising a single device (plus, perhaps, a little more for kudos). Since the most sophisticated attacks have been estimated to cost several hundred thousand dollars to carry out, carefully designed systems may be invulnerable in practice.
What kind of certificate is used to validate a user identity?
A. Public key certificate
B. Attribute certificate
C. Root certificate
D. Code signing certificate
Correct Answer: A Explanation
In cryptography, a public key certificate (or identity certificate) is an electronic document which incorporates a digital signature to bind together a public key with an identity — information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual.
In a typical public key infrastructure (PKI) scheme, the signature will be of a certificate authority (CA). In a web of trust scheme, the signature is of either the user (a self-signed certificate) or other users (“endorsements”). In either case, the signatures on a certificate are attestations by the certificate signer that the identity information and the public key belong together.
In computer security, an authorization certificate (also known as an attribute certificate) is a digital document that describes a written permission from the issuer to use a service or a resource that the issuer controls or has access to use. The permission can be delegated.
Some people constantly confuse PKCs and ACs. An analogy may make the distinction clear. A PKC can be considered to be like a passport: it identifies the holder, tends to last for a long time, and should not be trivial to obtain. An AC is more like an entry visa: it is typically issued by a different authority and does not last for as long a time. As acquiring an entry visa typically requires presenting a passport, getting a visa can be a simpler process.
A real life example of this can be found in the mobile software deployments by large service providers and are typically applied to platforms such as Microsoft Smartphone (and related), Symbian OS, J2ME, and others. In each of these systems a mobile communications service provider may customize the mobile terminal client distribution (ie. the mobile phone operating system or application environment) to include one or more root certificates each associated with a set of capabilities or permissions such as “update firmware”, “access address book”, “use radio interface”, and the most basic one, “install and execute”. When a developer wishes to enable distribution and execution in one of these controlled environments they must acquire a certificate from an appropriate CA, typically a large commercial CA, and in the process they usually have their identity verified using out-of- band mechanisms such as a combination of phone call, validation of their legal entity through government and commercial databases, etc., similar to the high assurance SSL certificate vetting process, though often there are additional specific requirements imposed on would-be developers/publishers.
Once the identity has been validated they are issued an identity certificate they can use to sign their software; generally the software signed by the developer or publisher’s identity certificate is not distributed but rather it is submitted to processor to possibly test or profile the content before generating an authorization certificate which is unique to the particular software release. That certificate is then used with an ephemeral asymmetric key-pair to sign the software as the last step of preparation for distribution. There are many advantages to separating the identity and authorization certificates especially relating to risk mitigation of new content being accepted into the system and key management as well as recovery from errant software which can be used as attack vectors.
HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 2001, McGraw-Hill/Osborne, page 540
FLYDUMPS has updated the latest version of ISC CISSP exam, which is a hot exam of Microsoft certification. FLYDUMPS provides you everything that you need to pass your ISC CISSP certification exam. Passcert also provides you the ISC https://www.lead4pass.com/cissp.html exam objectives with there detailed and verified answer relevant to your certification.With our ISC CISSP practice test, you can be rest assured that you will pass your ISC CISSP Exam on Your First Try.