Download ISC.SSCP.PracticeTest.2018-10-15.499q.vcex


File Info

Exam: System Security Certified Practitioner (SSCP)
Number: SSCP
File Name: ISC.SSCP.PracticeTest.2018-10-15.499q.vcex
Size: 3 MB
Posted: Oct 15, 2018

How to open VCEX & EXAM Files?

Files with VCEX & EXAM extensions can be opened by ProfExam Simulator.


Demo Questions

Question 1

What can be defined as a table of subjects and objects indicating what actions individual subjects can take upon individual objects?


  1. A capacity table
  2. An access control list
  3. An access control matrix
  4. A capability table
Correct answer: C
Explanation:
The matrix lists the users, groups and roles down the left side and the resources and functions across the top. The cells of the matrix can either indicate that access is allowed or indicate the type of access. CBK pp. 317-318.
AIO3, p. 169 describes it as a table of subjects and objects specifying the access rights a certain subject possesses pertaining to specific objects.
In either case, the matrix is a way of analyzing the access control needed by a population of subjects to a population of objects. This access control can be applied using rules, ACLs, capability tables, etc.
"A capacity table" is incorrect. This answer is a trap for the unwary: it sounds a little like "capability table" but is just there to distract you.
"An access control list" is incorrect. "It [ACL] specifies a list of users [subjects] who are allowed access to each object" (CBK, p. 188). Access control lists (ACLs) could be used to implement the rules identified by an access control matrix but are different from the matrix itself.
"A capability table" is incorrect. "Capability tables are used to track, manage and apply controls based on the object and rights, or capabilities of a subject. For example, a table identifies the object, specifies access rights allowed for a subject, and permits access based on the user's possession of a capability (or ticket) for the object." (CBK, pp. 191-192). To put it another way, as noted in AIO3 on p. 169, "A capability table is different from an ACL because the subject is bound to the capability table, whereas the object is bound to the ACL."
Again, a capability table could be used to implement the rules identified by an access control matrix but is different from the matrix itself.
References:
CBK pp. 191-192, 317-318
AIO3, p. 169
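To make the distinction concrete, here is an added C example (not from the practice test or the CBK/AIO sources it cites) that stores an access control matrix as a two-dimensional table of permission bitmasks and derives both views from it: a column is the ACL bound to an object, a row is the capability list bound to a subject. The subject, object and permission names are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Permitted actions, one bit each, so a cell can hold any combination. */
enum { READ = 1u << 0, WRITE = 1u << 1, EXECUTE = 1u << 2 };

/* Constructed subjects (rows) and objects (columns) for this example. */
enum subject { ALICE, BOB, BACKUP_SVC, N_SUBJECTS };
enum object  { PAYROLL_DB, WEB_LOGS, DEPLOY_SCRIPT, N_OBJECTS };

/* The access control matrix itself: subjects down the side, objects across
 * the top, each cell the set of actions that subject may take on that object. */
static const uint8_t MATRIX[N_SUBJECTS][N_OBJECTS] = {
    /*               PAYROLL_DB     WEB_LOGS       DEPLOY_SCRIPT   */
    [ALICE]      = { READ | WRITE,  READ,          READ | EXECUTE },
    [BOB]        = { 0,             READ | WRITE,  0              },
    [BACKUP_SVC] = { READ,          READ,          READ           },
};

/* Reference-monitor style check: every requested action must be in the cell. */
bool allowed(enum subject s, enum object o, uint8_t actions) {
    return (MATRIX[s][o] & actions) == actions;
}

/* ACL view: one column of the matrix, bound to the object. out[s] receives
 * subject s's rights on object o; returns how many subjects have any access. */
size_t acl_for(enum object o, uint8_t out[N_SUBJECTS]) {
    size_t n = 0;
    for (int s = 0; s < N_SUBJECTS; s++) {
        out[s] = MATRIX[s][o];
        if (out[s] != 0) n++;
    }
    return n;
}

/* Capability view: one row of the matrix, bound to the subject. out[o]
 * receives subject s's rights on object o; returns how many objects it can reach. */
size_t capabilities_for(enum subject s, uint8_t out[N_OBJECTS]) {
    size_t n = 0;
    for (int o = 0; o < N_OBJECTS; o++) {
        out[o] = MATRIX[s][o];
        if (out[o] != 0) n++;
    }
    return n;
}
```

The point the explanation makes is visible in the code: `allowed` consults the matrix directly, while `acl_for` and `capabilities_for` are projections of the same table, so an ACL or a capability table can implement the matrix's rules without being the matrix.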



Question 2

Which access control model is best suited in an environment where a high security level is required and where it is desired that only the administrator grants access control?


  1. DAC
  2. MAC
  3. Access control matrix
  4. TACACS
Correct answer: B
Explanation:
MAC provides high security by regulating access based on the clearance of individual users and sensitivity labels for each object. Clearance levels and sensitivity levels cannot be modified by individual users -- for example, user Joe (SECRET clearance) cannot reclassify the "Presidential Doughnut Recipe" from "SECRET" to "CONFIDENTIAL" so that his friend Jane (CONFIDENTIAL clearance) can read it. The administrator is ultimately responsible for configuring this protection in accordance with security policy and directives from the Data Owner.
DAC is incorrect. In DAC, the data owner is responsible for controlling access to the object.
Access control matrix is incorrect. The access control matrix is a way of thinking about the access control needed by a population of subjects to a population of objects. This access control can be applied using rules, ACLs, capability tables, etc.
TACACS is incorrect. TACACS is a tool for performing user authentication.
References:
CBK, p. 187, Domain 2: Access Control.
AIO3, Chapter 4, Access Control.



Question 3

Which access control model provides upper and lower bounds of access capabilities for a subject?


  1. Role-based access control
  2. Lattice-based access control
  3. Biba access control
  4. Content-dependent access control
Correct answer: B
Explanation:
In the lattice model, users are assigned security clearances and the data is classified. Access decisions are made based on the clearance of the user and the classification of the object. Lattice-based access control is an essential ingredient of formal security models such as Bell-LaPadula, Biba, Chinese Wall, etc.
The bounds concept comes from the formal definition of a lattice as a "partially ordered set for which every pair of elements has a greatest lower bound and a least upper bound." To see the application, consider a file classified as "SECRET" and a user Joe with a security clearance of "TOP SECRET." Under Bell-LaPadula, Joe's "least upper bound" access to the file is "READ" and his least lower bound is "NO WRITE" (star property).
Role-based access control is incorrect. Under RBAC, the access is controlled by the permissions assigned to a role and the specific role assigned to the user.
Biba access control is incorrect. The Biba integrity model is based on a lattice structure but the context of the question disqualifies it as the best answer.
Content-dependent access control is incorrect. In content-dependent access control, the actual content of the information determines access as enforced by the arbiter.
References:
CBK, pp. 324-325.
AIO3, pp. 291-293. See particularly Figure 5-19 on p. 293 for an illustration of bounds in action.



Question 4

How are memory cards and smart cards different?


  1. Memory cards normally hold more memory than smart cards
  2. Smart cards provide a two-factor authentication whereas memory cards don't
  3. Memory cards have no processing power
  4. Only smart cards can be used for ATM cards
Correct answer: C
Explanation:
The main difference between memory cards and smart cards is their capacity to process information. A memory card holds information but cannot process information. A smart card holds information and has the necessary hardware and software to actually process that information.
A memory card holds a user's authentication information, so that this user needs only type in a user ID or PIN and present the memory card to the system. If the entered information and the stored information match and are approved by an authentication service, the user is successfully authenticated.
A common example of a memory card is a swipe card used to provide entry to a building. The user enters a PIN and swipes the memory card through a card reader. If this is the correct combination, the reader flashes green and the individual can open the door and enter the building.
Memory cards can also be used with computers, but they require a reader to process the information. The reader adds cost to the process, especially when one is needed for every computer. Additionally, PIN and card generation adds overhead and complexity to the whole authentication process. However, a memory card provides a more secure authentication method than using only a password because the attacker would need to obtain the card and know the correct PIN.
Administrators and management need to weigh the costs and benefits of a memory card implementation as well as the security needs of the organization to determine if it is the right authentication mechanism for their environment.
One of the most prevalent weaknesses of memory cards is that data stored on the card are not protected. Unencrypted data on the card (or stored on the magnetic strip) can be extracted or copied. Unlike a smart card, where security controls and logic are embedded in the integrated circuit, memory cards do not employ an inherent mechanism to protect the data from exposure.
Very little trust can be associated with confidentiality and integrity of information on the memory cards.
The following answers are incorrect:
"Smart cards provide two-factor authentication whereas memory cards don't" is incorrect. This is not necessarily true. A memory card can be combined with a PIN or password to offer two-factor authentication, where something you have and something you know are the factors.
"Memory cards normally hold more memory than smart cards" is incorrect. While a memory card may or may not have more memory than a smart card, this is certainly not the best answer to the question.
"Only smart cards can be used for ATM cards" is incorrect. This depends on the decisions made by the particular institution and is not the best answer to the question.
Reference(s) used for this question:
Shon Harris, CISSP All In One, 6th edition, Access Control, Page 199; for people using the Kindle edition of the book, see Locations 4647-4650.
Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition: Access Control ((ISC)2 Press) (Kindle Locations 2124-2139). Auerbach Publications. Kindle Edition.



Question 5

Why do buffer overflows happen?  What is the main cause?


  1. Because buffers can only hold so much data
  2. Because of improper parameter checking within the application
  3. Because they are an easy weakness to exploit
  4. Because of insufficient system memory
Correct answer: B
Explanation:
A buffer overflow attack takes advantage of improper parameter checking within the application. This is the classic form of buffer overflow and occurs because the programmer accepts whatever input the user supplies without checking to make sure that the length of the input is less than the size of the buffer in the program.
The buffer overflow problem is one of the oldest and most common problems in software development and programming, dating back to the introduction of interactive computing. It can result when a program fills up the assigned buffer of memory with more data than its buffer can hold. When the program begins to write beyond the end of the buffer, the program's execution path can be changed, or data can be written into areas used by the operating system itself. This can lead to the insertion of malicious code that can be used to gain administrative privileges on the program or system.
As explained by Gaurab, it can become very complex. Even if you check the length of the input at the time of input, it has to be checked against the buffer size. Consider a case where the data enters the system in Buffer1 of Application1 and is later copied to Buffer2 within Application2: if you only check the length of the data against Buffer1, that does not ensure it will not cause a buffer overflow in Buffer2 of Application2.
A bit of reassurance from the ISC2 book about the level of coding knowledge needed for the exam:
It should be noted that the CISSP is not required to be an expert programmer or know the inner workings of developing application software code, like the FORTRAN programming language, or how to develop Web applet code using Java. It is not even necessary that the CISSP know detailed security-specific coding practices such as the major divisions of buffer overflow exploits or the reason for preferring str(n)cpy to strcpy in the C language (although all such knowledge is, of course, helpful). Because the CISSP may be the person responsible for ensuring that security is included in such developments, the CISSP should know the basic procedures and concepts involved during the design and development of software programming. That is, in order for the CISSP to monitor the software development process and verify that security is included, the CISSP must understand the fundamental concepts of programming developments and the security strengths and weaknesses of various application development processes.
The following are incorrect answers:
"Because buffers can only hold so much data" is incorrect. This is certainly true but is not the best answer because the finite size of the buffer is not the problem -- the problem is that the programmer did not check the size of the input before moving it into the buffer.
"Because they are an easy weakness to exploit" is incorrect. This answer is sometimes true but is not the best answer because the root cause of the buffer overflow is that the programmer did not check the size of the user input.
"Because of insufficient system memory" is incorrect. This is irrelevant to the occurrence of a buffer overflow.
Reference(s) used for this question:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 13319-13323). Auerbach Publications. Kindle Edition.
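An added C example (not from the practice test or the CBK it cites) of the defect this explanation describes and of its fix: `checked_copy` compares the input against the size of the buffer it is about to write into, and `two_stage_handoff` repeats that check at every copy, so an input that fits Buffer1 but not the smaller Buffer2 is rejected instead of overflowing. The buffer sizes and the `unchecked_copy` contrast function are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define BUF1_SIZE 64   /* constructed: Application1's entry buffer */
#define BUF2_SIZE 16   /* constructed: Application2's smaller buffer */

/* The defect the question describes: the length of the input is never
 * compared with the size of the buffer it is written into. Kept only for
 * contrast; nothing below calls it. */
void unchecked_copy(char dst[BUF2_SIZE], const char *src) {
    strcpy(dst, src);
}

/* Hardened form: the check is made against the size of the destination.
 * Returns false and leaves dst untouched when src (plus its NUL terminator)
 * does not fit, so the caller decides what to do with an over-long input
 * instead of the program silently writing past the end of the buffer. */
bool checked_copy(char *dst, size_t dst_size, const char *src) {
    size_t len = 0;
    while (len < dst_size && src[len] != '\0') len++;  /* never scan past dst_size */
    if (len >= dst_size) return false;                  /* no room for the terminator */
    memcpy(dst, src, len + 1);
    return true;
}

/* The two-stage case from the explanation: input is accepted into Buffer1 and
 * later copied into Buffer2. Each copy is checked against its own destination;
 * checking only at entry (against BUF1_SIZE) would let a 30-byte input through
 * and overflow the 16-byte Buffer2. */
bool two_stage_handoff(const char *input, char *out, size_t out_size) {
    char buffer1[BUF1_SIZE];
    if (!checked_copy(buffer1, sizeof buffer1, input)) return false;   /* rejected at entry */
    char buffer2[BUF2_SIZE];
    if (!checked_copy(buffer2, sizeof buffer2, buffer1)) return false; /* fit Buffer1, not Buffer2 */
    return checked_copy(out, out_size, buffer2);
}
```

Rejecting rather than truncating is a design choice: a silent `strncpy`-style truncation keeps the write in bounds but can leave an unterminated or altered value downstream, whereas a refused copy surfaces the bad input where it can be logged and handled.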



Question 6

What is the main focus of the Bell-LaPadula security model?


  1. Accountability
  2. Integrity
  3. Confidentiality
  4. Availability
Correct answer: C
Explanation:
The Bell-LaPadula model is a formal model dealing with confidentiality.
The Bell-LaPadula Model (abbreviated BLP) is a state machine model used for enforcing access control in government and military applications. It was developed by David Elliott Bell and Leonard J. LaPadula, subsequent to strong guidance from Roger R. Schell, to formalize the U.S. Department of Defense (DoD) multilevel security (MLS) policy. The model is a formal state transition model of computer security policy that describes a set of access control rules which use security labels on objects and clearances for subjects. Security labels range from the most sensitive (e.g., "Top Secret") down to the least sensitive (e.g., "Unclassified" or "Public").
The Bell-LaPadula model focuses on data confidentiality and controlled access to classified information, in contrast to the Biba Integrity Model, which describes rules for the protection of data integrity. In this formal model, the entities in an information system are divided into subjects and objects.
The notion of a "secure state" is defined, and it is proven that each state transition preserves security by moving from secure state to secure state, thereby inductively proving that the system satisfies the security objectives of the model. The Bell-LaPadula model is built on the concept of a state machine with a set of allowable states in a computer network system. The transition from one state to another state is defined by transition functions.
A system state is defined to be "secure" if the only permitted access modes of subjects to objects are in accordance with a security policy. To determine whether a specific access mode is allowed, the clearance of a subject is compared to the classification of the object (more precisely, to the combination of classification and set of compartments, making up the security level) to determine if the subject is authorized for the specific access mode.
The clearance/classification scheme is expressed in terms of a lattice. The model defines two mandatory access control (MAC) rules and one discretionary access control (DAC) rule with three security properties:
    The Simple Security Property - a subject at a given security level may not read an object at a higher security level (no read-up).
    The *-property (read "star"-property) - a subject at a given security level must not write to any object at a lower security level (no write-down). The *-property is also known as the Confinement property.
    The Discretionary Security Property - use of an access matrix to specify the discretionary access control.
The following are incorrect answers:
Accountability is incorrect. Accountability requires that actions be traceable to the user that performed them and is not addressed by the Bell-LaPadula model.
Integrity is incorrect. Integrity is addressed in the Biba model rather than Bell-LaPadula.
Availability is incorrect. Availability is concerned with assuring that data/services are available to authorized users as specified in service level objectives and is not addressed by the Bell-LaPadula model.
References:
CBK, pp. 325-326
AIO3, pp. 279-284
AIOv4 Security Architecture and Design (pages 333-336)
AIOv5 Security Architecture and Design (pages 336-338)
Wikipedia at https://en.wikipedia.org/wiki/Bell-La_Padula_model



Question 7

Which of the following statements pertaining to the Bell-LaPadula is TRUE if you are NOT making use of the strong star property?


  1. It allows "read up."
  2. It addresses covert channels.
  3. It addresses management of access controls.
  4. It allows "write up."
Correct answer: D
Explanation:
Bell–LaPadula Confidentiality Model
The Bell–LaPadula model is perhaps the most well-known and significant security model, in addition to being one of the oldest models used in the creation of modern secure computing systems. Like the Trusted Computer System Evaluation Criteria (TCSEC), it was inspired by early U.S. Department of Defense security policies and the need to prove that confidentiality could be maintained. In other words, its primary goal is to prevent disclosure as the modeled system moves from one state (one point in time) to another. 
When the strong star property is not being used, the two rules applied are the star (*) property and the simple security property. (When the strong star property is used, it replaces the star property and restricts a subject to writing only at its own level.)
The star (*) property rule of the Bell-LaPadula model says that subjects cannot write down: this would compromise the confidentiality of the information if, for example, someone at the Secret level wrote an object down into a Confidential container. 
The simple security property rule states that a subject cannot read up, which means that a subject at the Secret level would not be able to access objects at Top Secret, for example. 
You must remember: the model tells you what you are NOT allowed to do. Anything else is allowed. For example, within the Bell-LaPadula model you are allowed to write up, as it does not compromise the confidentiality of the information. In fact, writing up places the information at the higher level, to the point that you could lock yourself out of your own information if you hold only a Secret clearance.
The following are incorrect answers because they are all FALSE:
"It allows read up" is incorrect. The simple security property forbids read up. 
"It addresses covert channels" is incorrect. Covert channels are not addressed by the Bell-LaPadula model. 
"It addresses management of access controls" is incorrect. Management of access controls is beyond the scope of the Bell-LaPadula model. 
Reference(s) used for this question:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 17595-17600). Auerbach Publications. Kindle Edition.
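The two rules above, written as a small reference monitor. This is an added example, not code from the (ISC)2 CBK or from this practice test; the level names, the compartments and the helper names are assumptions made for the illustration. It goes slightly beyond the explanation by treating labels as a lattice (level plus compartments), so "dominates" is a partial order rather than a single ladder, and it includes the strong star variant and the "lock yourself out" write-up case.

```python
"""Bell-LaPadula reference monitor: no read up, no write down.

Added illustration, not code from the (ISC)2 CBK or this practice test. The
level names, the compartments and the helper names are assumptions made for
the example. A label dominates another when its level is at least as high
and its compartments are a superset, so comparison is a partial order, not a
single ladder.
"""
from dataclasses import dataclass
from typing import FrozenSet

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: read only if the subject dominates the object
    (no read up)."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label, strong_star: bool = False) -> bool:
    """* (star) property: write only if the object dominates the subject (no
    write down). With the strong * property the labels must be equal, which
    forbids writing up as well."""
    if strong_star:
        return subject == obj
    return obj.dominates(subject)


def decide(subject: Label, obj: Label, mode: str, strong_star: bool = False) -> bool:
    """Mediate one request; mode is 'r', 'w' or 'rw'. Read-write access needs
    both rules, which under plain BLP means the labels are equal."""
    checks = {"r": can_read(subject, obj), "w": can_write(subject, obj, strong_star)}
    return all(checks[m] for m in mode)


def write_up_lockout() -> bool:
    """The lock-out case from the explanation: a SECRET subject may write into
    a TOP SECRET object but can no longer read what it wrote."""
    secret, top = Label("SECRET"), Label("TOP SECRET")
    return can_write(secret, top) and not can_read(secret, top)


if __name__ == "__main__":
    s = Label("SECRET", frozenset({"CRYPTO"}))
    print(can_read(s, Label("CONFIDENTIAL")))                  # True: read down
    print(can_read(s, Label("SECRET", frozenset({"NUKE"}))))  # False: missing compartment
    print(can_write(s, Label("CONFIDENTIAL")))                 # False: write down
    print(write_up_lockout())                                  # True
```

Note that nothing here prevents a Secret subject from writing into a Top Secret object: BLP only forbids what would disclose information, and write up discloses nothing. That is the exam point, and it is also why real systems usually layer the strong star property or an integrity model (Biba, Clark-Wilson) on top.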



Question 8

Which security model introduces access to objects only through programs?


  1. The Biba model
  2. The Bell-LaPadula model
  3. The Clark-Wilson model
  4. The information flow model
Correct answer: C
Explanation:
In the Clark-Wilson model, the subject no longer has direct access to objects but instead must access them through programs (well-formed transactions). 
The Clark–Wilson integrity model provides a foundation for specifying and analyzing an integrity policy for a computing system. 
The model is primarily concerned with formalizing the notion of information integrity. Information integrity is maintained by preventing corruption of data items in a system due to either error or malicious intent. An integrity policy describes how the data items in the system should be kept valid from one state of the system to the next and specifies the capabilities of various principals in the system. The model defines enforcement rules and certification rules. 
Clark–Wilson is more clearly applicable to business and industry processes in which the integrity of the information content is paramount at any level of classification. 
Integrity goals of the Clark–Wilson model:
    Prevent unauthorized users from making modifications (only this goal is addressed by the Biba model). 
    Separation of duties prevents authorized users from making improper modifications. 
    Well-formed transactions maintain internal and external consistency, i.e. a well-formed transaction is a series of operations that carries the data from one consistent state to another.

The following are incorrect answers:
The Biba model is incorrect. The Biba model is concerned with integrity and controls access to objects based on a comparison of the integrity level of the subject to that of the object. 
The Bell-LaPadula model is incorrect. The Bell-LaPadula model is concerned with confidentiality and controls access to objects based on a comparison of the clearance level of the subject to the classification level of the object. 
The information flow model is incorrect. The information flow model uses a lattice where objects are labelled with security classes and information can flow either upward or at the same level. It is similar in framework to the Bell-LaPadula model. 
References:
ISC2 Official Study Guide, pages 325 - 327 
AIO3, pp. 284 - 287 
AIOv4 Security Architecture and Design (pages 338 - 342) 
AIOv5 Security Architecture and Design (pages 341 - 344) 
Wikipedia at: https://en.wikipedia.org/wiki/Clark-Wilson_model
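The "access only through programs" rule and the three integrity goals, as an added example in code. This is not code from the CBK, the AIO or Wikipedia; the ledger, the user names, the TP names and the `is_denied` helper are constructed for the illustration. The subject's only entry point is `Ledger.run_tp`, which checks the certified access triple (user, TP, CDI), runs an integrity verification procedure (IVP) before and after the transformation procedure (TP) so the constrained data items (CDIs) only move between consistent states, appends to an audit log, and enforces separation of duties on certification.

```python
"""Clark-Wilson enforcement: subjects reach CDIs only through certified TPs.

Added illustration, not code from the (ISC)2 CBK, AIO or Wikipedia. The
ledger, user names and TP names are constructed for the example. The
reference monitor (`Ledger.run_tp`) is the only entry point a subject gets:
it checks the access triple (user, TP, CDI), runs the IVP before and after
the TP so the CDIs only move between consistent states, and logs the call.
Separation of duties is enforced on certification: an officer may certify
a triple, but never one that grants access to themselves.
"""
from typing import Callable, Dict, Set, Tuple


class IntegrityViolation(Exception):
    """Raised when the reference monitor refuses or rolls back an access."""


class Ledger:
    CERTIFIERS = {"security_officer"}

    def __init__(self) -> None:
        # constrained data items: two account balances
        self._cdi: Dict[str, int] = {"acct_a": 100, "acct_b": 50}
        self._expected_total = sum(self._cdi.values())
        # certified access triples: (user, tp) -> CDIs that TP may touch
        self._triples: Dict[Tuple[str, str], Set[str]] = {
            ("teller", "transfer"): {"acct_a", "acct_b"},
            ("auditor", "read_balance"): {"acct_a", "acct_b"},
        }
        # transformation procedures (well-formed transactions)
        self._tps: Dict[str, Callable[..., object]] = {
            "transfer": self._tp_transfer,
            "read_balance": self._tp_read_balance,
        }
        self.log: list = []  # append-only audit log of every TP invocation

    # --- IVP: integrity verification procedure -------------------------
    def ivp(self) -> bool:
        """Consistent state: no negative balance and money is conserved."""
        return (all(v >= 0 for v in self._cdi.values())
                and sum(self._cdi.values()) == self._expected_total)

    # --- the only way a subject touches a CDI --------------------------
    def run_tp(self, user: str, tp_name: str, *cdis: str, **kwargs) -> object:
        allowed = self._triples.get((user, tp_name))
        if allowed is None or not set(cdis) <= allowed:
            raise IntegrityViolation(f"no certified triple ({user}, {tp_name}, {cdis})")
        if not self.ivp():
            raise IntegrityViolation("CDIs inconsistent before TP; refusing to run")
        snapshot = dict(self._cdi)
        result = self._tps[tp_name](*cdis, **kwargs)
        if not self.ivp():
            self._cdi = snapshot  # the TP must leave CDIs valid: roll back
            raise IntegrityViolation(f"{tp_name} broke the IVP; rolled back")
        self.log.append((user, tp_name, cdis))
        return result

    # --- certification with separation of duties ------------------------
    def certify_triple(self, certifier: str, user: str, tp_name: str, cdis: Set[str]) -> None:
        if certifier not in self.CERTIFIERS or tp_name not in self._tps:
            raise IntegrityViolation("not a certifier or unknown TP")
        if certifier == user:
            raise IntegrityViolation("separation of duties: cannot certify own access")
        self._triples[(user, tp_name)] = set(cdis)

    # --- TPs: only reachable via run_tp --------------------------------
    def _tp_transfer(self, src: str, dst: str, amount: int) -> None:
        self._cdi[src] -= amount
        self._cdi[dst] += amount

    def _tp_read_balance(self, acct: str) -> int:
        return self._cdi[acct]


def is_denied(ledger: Ledger, user: str, tp_name: str, *cdis: str, **kwargs) -> bool:
    """True if the monitor refuses (or rolls back) the request."""
    try:
        ledger.run_tp(user, tp_name, *cdis, **kwargs)
    except IntegrityViolation:
        return True
    return False


if __name__ == "__main__":
    led = Ledger()
    led.run_tp("teller", "transfer", "acct_a", "acct_b", amount=30)
    print(led.run_tp("auditor", "read_balance", "acct_a"))      # 70
    print(is_denied(led, "teller", "read_balance", "acct_a"))   # True: no triple
    print(is_denied(led, "teller", "transfer", "acct_a", "acct_b", amount=500))  # True: rolled back
```

The overdraft case is the one worth noticing: the TP itself has no balance check, yet the monitor still refuses to leave the system in an invalid state because the IVP runs after every TP and the change is rolled back. That is the difference between Clark-Wilson and Biba: Biba only asks who may write, Clark-Wilson also asks whether the write was a well-formed transaction.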



Question 9

Which security model ensures that actions that take place at a higher security level do not affect actions that take place at a lower level?


  1. The Bell-LaPadula model
  2. The information flow model
  3. The noninterference model
  4. The Clark-Wilson model
Correct answer: C
Explanation:
The goal of a noninterference model is to strictly separate differing security levels to assure that higher-level actions do not determine what lower-level users can see. This is in contrast to other security models that control information flows between differing levels of users. By maintaining strict separation of security levels, a noninterference model minimizes leakages that might happen through a covert channel. 
    The model ensures that any actions that take place at a higher security level do not affect, or interfere with, actions that take place at a lower level. 
    It is not concerned with the flow of data, but rather with what a subject knows about the state of the system. So if an entity at a higher security level performs an action, it cannot change the state as seen by the entity at the lower level. 
    The model also addresses the inference attack, which occurs when someone has access to some type of information and can infer (guess) something that he does not have the clearance level or authority to know. 
The following are incorrect answers:
The Bell-LaPadula model is incorrect. The Bell-LaPadula model is concerned only with confidentiality and bases access control decisions on the classification of objects and the clearances of subjects. 
The information flow model is incorrect. Information flow models have a similar framework to the Bell-LaPadula model and control how information may flow between objects based on security classes. Information will be allowed to flow only in accordance with the security policy. 
The Clark-Wilson model is incorrect. The Clark-Wilson model is concerned with change control and assuring that all modifications to objects preserve integrity by means of well-formed transactions and usage of an access triple (subject - interface - object, i.e. user, transformation procedure and constrained data item). 
References:
CBK, pp 325 - 326 
AIO3, pp. 290 - 291 
AIOv4 Security Architecture and Design (page 345) 
AIOv5 Security Architecture and Design (pages 347 - 348) 
https://en.wikibooks.org/wiki/Security_Architecture_and_Design/Security_Models#Noninterference_Models



Question 10

Which of the following security models does NOT concern itself with the flow of data?


  1. The information flow model
  2. The Biba model
  3. The Bell-LaPadula model
  4. The noninterference model
Correct answer: D
Explanation:
The goal of a noninterference model is to strictly separate differing security levels to assure that higher-level actions do not determine what lower-level users can see. This is in contrast to other security models that control information flows between differing levels of users. By maintaining strict separation of security levels, a noninterference model minimizes leakages that might happen through a covert channel. 
The Bell-LaPadula model is incorrect. The Bell-LaPadula model is concerned with confidentiality and bases access control decisions on the classification of objects and the clearances of subjects. 
The information flow model is incorrect. Information flow models have a similar framework to the Bell-LaPadula model and control how information may flow between objects based on security classes. 
The Biba model is incorrect. The Biba model is concerned with integrity and is a complement to the Bell-LaPadula model in that higher levels of integrity are more trusted than lower levels. Access control is based on these integrity levels to assure that read/write operations do not decrease an object's integrity. 
References:
CBK, pp 325 - 326 
AIO3, pp. 290 - 291
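Questions 9 and 10 both turn on the same idea: noninterference is a statement about what a low-level observer can see of the system state, not about which data flows are permitted. The following added example (not code from the CBK, the AIO or the wikibooks page; both toy machines and their action names are constructed for the illustration) makes that concrete with a bounded check in the Goguen-Meseguer style: a machine is noninterfering for LOW if, for every sequence of actions, LOW's observations equal those from the same sequence with every HIGH action purged. `run_isolated` keeps HIGH's state private; `run_leaky` lets HIGH set a flag LOW can read, which is exactly the storage covert channel the model is meant to rule out.

```python
"""Noninterference check in the Goguen-Meseguer style.

Added illustration, not from the CBK, AIO or the wikibooks page. A machine
is noninterfering for LOW when, for every sequence of actions, LOW's
observations are the same as for the sequence with every HIGH action purged.
Both toy machines and their action names are constructed for the example:
`run_isolated` keeps HIGH's state private; `run_leaky` lets HIGH set a flag
LOW can read, which is a storage covert channel.
"""
from itertools import product
from typing import Callable, List, Optional, Sequence, Tuple

HIGH, LOW = "HIGH", "LOW"
Action = Tuple[str, str]                         # (security domain, action name)
Machine = Callable[[Sequence[Action]], List[int]]

ACTIONS: List[Action] = [
    (HIGH, "h_work"),    # HIGH updates its own counter
    (HIGH, "h_signal"),  # HIGH sets a flag (private in one machine, shared in the other)
    (LOW, "l_incr"),     # LOW updates its own counter
    (LOW, "l_read"),     # LOW observes: the only source of LOW-visible output
]


def purge(seq: Sequence[Action], domain: str) -> List[Action]:
    """Remove every action of `domain` from the sequence."""
    return [a for a in seq if a[0] != domain]


def run_isolated(seq: Sequence[Action]) -> List[int]:
    """HIGH's actions touch only HIGH-owned state; LOW's view depends only on LOW."""
    high, low, flag = 0, 0, 0
    out: List[int] = []
    for _, name in seq:
        if name == "h_work":
            high += 1
        elif name == "h_signal":
            flag = 1              # flag is HIGH-private here
        elif name == "l_incr":
            low += 1
        elif name == "l_read":
            out.append(low)       # reads only LOW-owned state
    return out


def run_leaky(seq: Sequence[Action]) -> List[int]:
    """Same machine, but LOW's read includes a flag HIGH can set: a storage channel."""
    high, low, flag = 0, 0, 0
    out: List[int] = []
    for _, name in seq:
        if name == "h_work":
            high += 1
        elif name == "h_signal":
            flag = 1              # HIGH writes state that LOW can observe
        elif name == "l_incr":
            low += 1
        elif name == "l_read":
            out.append(low + flag)  # one bit of HIGH's activity leaks per read
    return out


def find_interference(machine: Machine, actions: Sequence[Action] = ACTIONS,
                      max_len: int = 4, observer: str = LOW) -> Optional[List[Action]]:
    """Bounded check: enumerate every action sequence up to max_len and return
    the first one whose `observer` output differs from the purged run, or
    None if the machine is noninterfering up to that depth."""
    others = {d for d, _ in actions if d != observer}
    for n in range(1, max_len + 1):
        for seq in product(actions, repeat=n):
            seq = list(seq)
            purged = seq
            for dom in others:
                purged = purge(purged, dom)
            if machine(seq) != machine(purged):
                return seq
    return None


def is_noninterfering(machine: Machine, max_len: int = 4) -> bool:
    return find_interference(machine, max_len=max_len) is None


if __name__ == "__main__":
    print(is_noninterfering(run_isolated))  # True
    print(find_interference(run_leaky))     # [('HIGH', 'h_signal'), ('LOW', 'l_read')]
```

Notice that `run_leaky` never moves a labelled object from HIGH to LOW, so a flow-based model would have nothing to say about it; the leak is visible only by comparing what LOW observes with and without HIGH's actions. The check is bounded (sequences up to `max_len`), so a `None` result means no counterexample up to that depth, not a proof for all sequences.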








