CISSP

Vendor: ISC

Exam Code: CISSP

Exam Name: Certified Information Systems Security Professional

Version: Demo
Question Set 1

QUESTION 1
A potential problem related to the physical installation of the Iris Scanner in regards to the usage of the iris
pattern within a biometric system is:

A. Concern that the laser beam may cause eye damage.
B. The iris pattern changes as a person grows older.
C. There is a relatively high rate of false accepts.
D. The optical unit must be positioned so that the sun does not shine into the aperture.

Correct Answer: D
Explanation

Explanation/Reference:
Because the optical unit uses a camera and infrared light to create the images, sunlight can affect the
aperture, so the unit must not be positioned in direct light of any type. Because the subject does not need
to have direct contact with the optical reader, direct light can impact the reader. Iris recognition is a form of
biometrics that is based on the uniqueness of a subject's iris. A camera-like device records the patterns of
the iris, creating what is known as Iriscode. It is the unique patterns of the iris that allow it to be one of the
most accurate forms of biometric identification of an individual. Unlike other types of biometrics, the iris
rarely changes over time. Fingerprints can change over time due to scarring and manual labor, voice
patterns can change due to a variety of causes, and hand geometry can change as well. But barring
surgery or an accident it is not usual for an iris to change. The subject has a high-resolution image taken
of their iris and this is then converted to Iriscode. The current standard for the Iriscode was developed by
John Daugman. When the subject attempts to be authenticated, an infrared light is used to capture the iris
image and this image is then compared to the Iriscode. If there is a match the subject's identity is
confirmed. The subject does not need to have direct contact with the optical reader, so it is a less invasive
means of authentication than retinal scanning would be.

Reference(s) used for this question:


AIO, 3rd edition, Access Control, p 134
AIO, 4th edition, Access Control, p 182
Wikipedia - http://en.wikipedia.org/wiki/Iris_recognition

The following answers are incorrect:


Concern that the laser beam may cause eye damage. The optical readers do not use laser so, concern
that the laser beam may cause eye damage is not an issue.

The iris pattern changes as a person grows older. The question asked about the physical installation of the
scanner, so this was not the best answer. If the question had been about long-term problems then
it could have been the best choice. Recent research has shown that irises actually do change over time:
http://www.nature.com/news/ageing-eyes-hinder-biometric-scans-110722

There is a relatively high rate of false accepts. Since the advent of the Iriscode there is a very low rate of
false accepts; in fact, the algorithm used has never had a false match. This all depends on the quality of the
equipment used, but because of the uniqueness of the iris, iris patterns are unique even when comparing
identical twins.

QUESTION 2
In Mandatory Access Control, sensitivity labels attached to an object contain what information?

A. The item's classification
B. The item's classification and category set
C. The item's category
D. The item's need to know

Correct Answer: B
Explanation

Explanation/Reference:
The following is the correct answer: the item's classification and category set.

A Sensitivity label must contain at least one classification and one category set.

Category set and Compartment set are synonyms, they mean the same thing. The sensitivity label must
contain at least one Classification and at least one Category. It is common in some environments for a
single item to belong to multiple categories. The list of all the categories to which an item belongs is called
a compartment set or category set.

The following answers are incorrect:


The item's classification. Is incorrect because you need a category set as well.

The item's category. Is incorrect because both the category set and the classification would be required.

The item's need to know. Is incorrect because there is no such thing. The need to know is indicated by the
categories the object belongs to. This is NOT the best answer.

Reference(s) used for this question:


OIG CBK, Access Control (pages 186 - 188)
AIO, 3rd Edition, Access Control (pages 162 - 163)
AIO, 4th Edition, Access Control, pp 212-214
Wikipedia - http://en.wikipedia.org/wiki/Mandatory_Access_Control
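As an added illustration of what a sensitivity label carries and how it is used (example code written for this page, not material from the cited references): a label is a classification plus a category set, and a subject's clearance covers an object's label only when its classification is at least as high and its category set is a superset of the object's. The level names and category names below are constructed, and the example goes one step beyond the question by adding the Bell-LaPadula read and write rules that are built on this dominance check.

```python
"""MAC sensitivity labels as (classification, category set) and the dominance
check used to compare a subject's clearance with an object's label.
Added example: the hierarchy and category names are constructed."""
from dataclasses import dataclass

# Ordered classification hierarchy (constructed); higher index = more sensitive.
CLASSIFICATIONS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]


@dataclass(frozen=True)
class Label:
    classification: str
    categories: frozenset  # the category set (a.k.a. compartment set)

    def __post_init__(self):
        if self.classification not in CLASSIFICATIONS:
            raise ValueError(f"unknown classification: {self.classification}")

    @property
    def level(self) -> int:
        return CLASSIFICATIONS.index(self.classification)


def parse_label(text: str) -> Label:
    """Parse 'SECRET: NUCLEAR, CRYPTO' into a Label (constructed text format)."""
    cls, _, cats = text.partition(":")
    return Label(cls.strip().upper(),
                 frozenset(c.strip().upper() for c in cats.split(",") if c.strip()))


def dominates(a: Label, b: Label) -> bool:
    """a dominates b when a's classification is at least b's AND a's category
    set contains every category of b. Categories are not ordered: holding a
    higher classification does not substitute for a missing category."""
    return a.level >= b.level and a.categories >= b.categories


def can_read(subject: Label, obj: Label) -> bool:
    """Bell-LaPadula simple security property: no read up."""
    return dominates(subject, obj)


def can_write(subject: Label, obj: Label) -> bool:
    """Bell-LaPadula *-property: no write down (the object must dominate the subject)."""
    return dominates(obj, subject)


if __name__ == "__main__":
    clearance = parse_label("SECRET: NUCLEAR")
    for obj in ("CONFIDENTIAL: NUCLEAR", "SECRET: NUCLEAR, CRYPTO", "TOP SECRET: NUCLEAR"):
        label = parse_label(obj)
        print(f"{obj:28} read={can_read(clearance, label)} write={can_write(clearance, label)}")
```

The second object in the usage block is the case the question is really about: the subject's classification matches, but the object belongs to a compartment the subject does not hold, so the read is denied on the category set alone.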

QUESTION 3
Which of the following is true about Kerberos?

A. It utilizes public key cryptography.
B. It encrypts data after a ticket is granted, but passwords are exchanged in plain text.
C. It depends upon symmetric ciphers.
D. It is a second party authentication system.

Correct Answer: C
Explanation

Explanation/Reference:
Kerberos depends on secret keys (symmetric ciphers). Kerberos is a third party authentication protocol. It
was designed and developed in the mid-1980s by MIT. It is considered open source but is copyrighted and
owned by MIT. It relies on the user's secret keys. The password is used to encrypt and decrypt the keys.

The following answers are incorrect:


It utilizes public key cryptography. Is incorrect because Kerberos depends on secret keys (symmetric
ciphers).

It encrypts data after a ticket is granted, but passwords are exchanged in plain text. Is incorrect because
the passwords are not exchanged but used for encryption and decryption of the keys.

It is a second party authentication system. Is incorrect because Kerberos is a third party authentication
system, you authenticate to the third party (Kerberos) and not the system you are accessing.

References:
MIT http://web.mit.edu/kerberos/
Wikipedia http://en.wikipedia.org/wiki/Kerberos_%28protocol%29
OIG CBK Access Control (pages 181 - 184)
AIOv3 Access Control (pages 151 - 155)

QUESTION 4
Which of the following is needed for System Accountability?

A. Audit mechanisms.
B. Documented design as laid out in the Common Criteria.
C. Authorization.
D. Formal verification of system design.

Correct Answer: A
Explanation

Explanation/Reference:
Accountability is a means of being able to track user actions. Through the use of audit logs and other tools,
user actions are recorded and can be used at a later date to verify what actions were performed.

Accountability is the ability to identify users and to be able to track user actions.

The following answers are incorrect:


Documented design as laid out in the Common Criteria. Is incorrect because the Common Criteria is an
international standard to evaluate trust and would not be a factor in System Accountability.

Authorization. Is incorrect because Authorization is granting access to subjects, just because you have
authorization does not hold the subject accountable for their actions.

Formal verification of system design. Is incorrect because all you have done is to verify the system design
and have not taken any steps toward system accountability.

References:
OIG CBK Glossary (page 778)

QUESTION 5
What is Kerberos?

A. A three-headed dog from Egyptian mythology.
B. A trusted third-party authentication protocol.
C. A security model.
D. A remote authentication dial in user server.

Correct Answer: B
Explanation

Explanation/Reference:
Is correct because that is exactly what Kerberos is.

The following answers are incorrect:


A three-headed dog from Egyptian mythology. Is incorrect because we are dealing with information
security, and in any case the three-headed dog comes from Greek mythology, not Egyptian mythology.

A security model. Is incorrect because Kerberos is an authentication protocol and not just a security model.

A remote authentication dial in user server. Is incorrect because Kerberos is not a remote authentication
dial in user server; that would be called RADIUS.

QUESTION 6
Kerberos depends upon what encryption method?

A. Public Key cryptography.
B. Secret Key cryptography.
C. El Gamal cryptography.
D. Blowfish cryptography.

Correct Answer: B
Explanation

Explanation/Reference:
Kerberos depends on Secret Keys or Symmetric Key cryptography.

Kerberos is a third party authentication protocol. It was designed and developed in the mid-1980s by MIT. It
is considered open source but is copyrighted and owned by MIT. It relies on the user's secret keys. The
password is used to encrypt and decrypt the keys.

This question asked specifically about encryption methods. Encryption methods can be SYMMETRIC (or
secret key) in which encryption and decryption keys are the same, or ASYMMETRIC (aka 'Public Key') in
which encryption and decryption keys differ.

'Public Key' methods must be asymmetric, to the extent that the decryption key CANNOT be easily derived
from the encryption key. Symmetric keys, however, usually encrypt more efficiently, so they lend
themselves to encrypting large amounts of data. Asymmetric encryption is often limited to ONLY
encrypting a symmetric key and other information that is needed in order to decrypt a data stream, and the
remainder of the encrypted data uses the symmetric key method for performance reasons. This does not in
any way diminish the security nor the ability to use a public key to encrypt the data, since the symmetric
key method is likely to be even MORE secure than the asymmetric method.
For symmetric key ciphers, there are basically two types: BLOCK CIPHERS, in which a fixed length block
is encrypted, and STREAM CIPHERS, in which the data is encrypted one 'data unit' (typically 1 byte) at a
time, in the same order it was received in.

The following answers are incorrect:

Public Key cryptography. Is incorrect because Kerberos depends on Secret Keys or Symmetric Key
cryptography and not Public Key or Asymmetric Key cryptography.

El Gamal cryptography. Is incorrect because El Gamal is an Asymmetric Key encryption algorithm.

Blowfish cryptography. Is incorrect because Blowfish is a Symmetric Key encryption algorithm.

References:
OIG CBK Access Control (pages 181 - 184)
AIOv3 Access Control (pages 151 - 155)
Wikipedia http://en.wikipedia.org/wiki/Blowfish_%28cipher%29 ; http://en.wikipedia.org/wiki/El_Gamal
http://www.mrp3com/encrypt.html

QUESTION 7
A confidential number used as an authentication factor to verify a user's identity is called a:

A. PIN
B. User ID
C. Password
D. Challenge

Correct Answer: A
Explanation

Explanation/Reference:
PIN stands for Personal Identification Number; as the name states, it is a combination of numbers.

The following answers are incorrect:


User ID. This is incorrect because a User ID is not required to be a number, and a User ID is only used to
establish identity, not verify it.

Password. This is incorrect because a password is not required to be a number; it could be any
combination of characters.

Challenge. This is incorrect because a challenge is not defined as a number; it could be anything.

QUESTION 8
Individual accountability does not include which of the following?

A. unique identifiers
B. policies & procedures
C. access rules
D. audit trails

Correct Answer: B
Explanation

Explanation/Reference:
Accountability would not include policies & procedures because, while important in an effective security
program, they cannot be used in determining accountability.

The following answers are incorrect:

Unique identifiers. Is incorrect because Accountability would include unique identifiers so that you can
identify the individual.

Access rules. Is incorrect because Accountability would include access rules to define access violations.

Audit trails. Is incorrect because Accountability would include audit trails to be able to trace violations or
attempted violations.

QUESTION 9
Which of the following exemplifies proper separation of duties?

A. Operators are not permitted to modify the system time.
B. Programmers are permitted to use the system console.
C. Console operators are permitted to mount tapes and disks.
D. Tape operators are permitted to use the system console.

Correct Answer: A
Explanation

Explanation/Reference:
This is an example of Separation of Duties because operators are prevented from modifying the system
time, which could lead to fraud. Tasks of this nature should be performed by the system administrators.
AIO defines Separation of Duties as a security principle that splits up a critical task among two or more
individuals to ensure that one person cannot complete a risky task by himself.

The following answers are incorrect:

Programmers are permitted to use the system console. Is incorrect because programmers should not be
permitted to use the system console; this task should be performed by operators. Allowing programmers
access to the system console could allow fraud to occur, so this is not an example of Separation of Duties.

Console operators are permitted to mount tapes and disks. Is incorrect because operators should be able
to mount tapes and disks so this is not an example of Separation of Duties.

Tape operators are permitted to use the system console. Is incorrect because operators should be able to
use the system console so this is not an example of Separation of Duties.

References:
OIG CBK Access Control (page 98 - 101)
AIOv3 Access Control (page 182)

QUESTION 10
An access control policy for a bank teller is an example of the implementation of which of the following?

A. Rule-based policy
B. Identity-based policy
C. User-based policy
D. Role-based policy

Correct Answer: D
Explanation

Explanation/Reference:
The position of a bank teller is a specific role within the bank, so you would implement a role-based policy.

The following answers are incorrect:

Rule-based policy. Is incorrect because this is based on rules and not the role of a bank teller, so it
would not be applicable for a specific role within an organization.

Identity-based policy. Is incorrect because this is based on the identity of an individual and not the role of a
bank teller, so it would not be applicable for a specific role within an organization.

User-based policy. Is incorrect because this would be based on the user and not the role of a bank teller,
so it would not be applicable for a specific role within an organization.
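The bank teller case as an added example in Python (not from the page or its references): in a role-based policy the permissions are attached to the role, users are assigned roles, and moving a person to a new job means changing their role assignment rather than editing a per-user rule. The role, permission and user names are constructed.

```python
"""Minimal role-based access control: permissions hang off roles, users are
assigned roles, and an access decision never names an individual.
Added example; roles, permissions and users are constructed."""
from collections import defaultdict


class RBAC:
    def __init__(self):
        self.role_perms = defaultdict(set)   # role -> set of permissions
        self.user_roles = defaultdict(set)   # user -> set of roles

    def grant(self, role, *perms):
        """Attach permissions to a role (the policy is edited here, not per user)."""
        self.role_perms[role].update(perms)

    def assign(self, user, role):
        """Put a user into a role; refuse roles the policy has not defined."""
        if role not in self.role_perms:
            raise KeyError(f"undefined role: {role}")
        self.user_roles[user].add(role)

    def revoke(self, user, role):
        self.user_roles[user].discard(role)

    def permissions_of(self, user):
        """Effective permissions = union over every role the user holds."""
        return set().union(*(self.role_perms[r] for r in self.user_roles[user]))

    def is_allowed(self, user, perm):
        return perm in self.permissions_of(user)


def bank_policy():
    """Constructed bank policy: a teller role and a loan officer role."""
    policy = RBAC()
    policy.grant("teller", "account:view_balance", "cash:deposit", "cash:withdraw")
    policy.grant("loan_officer", "account:view_balance", "loan:approve")
    policy.assign("alice", "teller")
    return policy


if __name__ == "__main__":
    p = bank_policy()
    print("alice as teller:", sorted(p.permissions_of("alice")))
    # Alice is promoted: swap the role, nothing written about Alice herself changes.
    p.revoke("alice", "teller")
    p.assign("alice", "loan_officer")
    print("alice as loan officer:", sorted(p.permissions_of("alice")))
```

The contrast with an identity-based or user-based policy is in `assign` and `revoke`: the promotion touches only the user-to-role mapping, so the teller's old cash permissions disappear without anyone auditing a per-user rule, which is also how such a policy avoids the authorization creep discussed under least privilege later in this set.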

QUESTION 11
Which one of the following authentication mechanisms creates a problem for mobile users?

A. Mechanisms based on IP addresses
B. Mechanism with reusable passwords
C. One-time password mechanism.
D. Challenge response mechanism.

Correct Answer: A
Explanation

Explanation/Reference:
Anything based on a fixed IP address would be a problem for mobile users because their location and its
associated IP address can change from one time to the next. Many providers will assign a new IP every
time the device is restarted. For example, consider an insurance adjuster using a laptop to file claims online:
he goes to a different client each time and the address changes every time he connects to the ISP.

NOTE FROM CLEMENT:

The term MOBILE in this case is synonymous with Road Warriors, where a user is constantly traveling and
changing location. With smartphones today that may not be an issue, but it would be an issue for laptops or
WIFI tablets. Within a carrier network the IP will tend to be the same and would change rarely. So this
question is more applicable to devices that are not cellular devices, but in some cases this issue could
affect cellular devices as well.

The following answers are incorrect:


Mechanism with reusable passwords. This is incorrect because a reusable password mechanism would not
present a problem for mobile users. They are the least secure and change only at specific intervals.

One-time password mechanism. This is incorrect because a one-time password mechanism would not present a
problem for mobile users. Many are based on a clock and not on the IP address of the user.

Challenge response mechanism. This is incorrect because a challenge response mechanism would not present a
problem for mobile users.

QUESTION 12
Organizations should consider which of the following first before allowing external access to their LANs via
the Internet?

A. Plan for implementing workstation locking mechanisms.
B. Plan for protecting the modem pool.
C. Plan for providing the user with his account usage information.
D. Plan for considering proper authentication options.

Correct Answer: D
Explanation

Explanation/Reference:
Before a LAN is connected to the Internet, you need to determine which access control mechanisms
are to be used; this would include how you are going to authenticate individuals that may access your
network externally.

The following answers are incorrect:

Plan for implementing workstation locking mechanisms. This is incorrect because locking the workstations
has no impact on the LAN or Internet access.

Plan for protecting the modem pool. This is incorrect because protecting the modem pool has no impact on
the LAN or Internet access, it just protects the modem.

Plan for providing the user with his account usage information. This is incorrect because the question asks
what should be done first. While important your primary concern should be focused on security.

QUESTION 13
Kerberos can prevent which one of the following attacks?

A. Tunneling attack.
B. Playback (replay) attack.
C. Destructive attack.
D. Process attack.

Correct Answer: B
Explanation

Explanation/Reference:
Each ticket in Kerberos has a timestamp and is subject to time expiration to help prevent these types of
attacks.

The following answers are incorrect:

Tunneling attack. This is incorrect because a tunneling attack is an attempt to bypass security and access
low-level systems. Kerberos cannot totally prevent these types of attacks.

Destructive attack. This is incorrect because, depending on the type of destructive attack, Kerberos cannot
prevent someone from physically destroying a server.

Process attack. This is incorrect because Kerberos cannot prevent authorized individuals from
running processes.
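An added example, not from the page, of the timestamp check behind this answer: a service that receives a Kerberos-style authenticator rejects it if its timestamp is outside the permitted clock skew, and keeps a replay cache of the authenticators accepted inside that window so the same one cannot be accepted a second time. The 300-second skew, the in-memory cache and the field layout are assumptions made for this example; the two error names are the ones RFC 4120 defines for these conditions.

```python
"""Replay protection on the service side of a Kerberos-style exchange.
Added example: skew value, cache design and authenticator fields are assumed."""
from dataclasses import dataclass

MAX_SKEW = 300  # seconds; assumed default for the allowed clock difference


@dataclass(frozen=True)
class Authenticator:
    client: str      # principal presenting the ticket
    timestamp: int   # client's clock, seconds since epoch
    seq: int = 0     # stands in for the microsecond/sequence field


class ReplayCache:
    """Remembers accepted authenticators for as long as they could still pass the skew check."""

    def __init__(self, max_skew: int = MAX_SKEW):
        self.max_skew = max_skew
        self.seen = {}   # (client, timestamp, seq) -> authenticator timestamp

    def _evict(self, now: int) -> None:
        # An entry older than the skew window can be dropped: if it were
        # presented again the skew check would already reject it.
        cutoff = now - self.max_skew
        self.seen = {k: ts for k, ts in self.seen.items() if ts >= cutoff}

    def check(self, auth: Authenticator, now: int):
        """Return (accepted, reason) for an authenticator arriving at server time `now`."""
        if abs(now - auth.timestamp) > self.max_skew:
            return False, "KRB_AP_ERR_SKEW"      # RFC 4120: clock skew too great
        self._evict(now)
        key = (auth.client, auth.timestamp, auth.seq)
        if key in self.seen:
            return False, "KRB_AP_ERR_REPEAT"    # RFC 4120: request is a replay
        self.seen[key] = auth.timestamp
        return True, "OK"


if __name__ == "__main__":
    cache = ReplayCache()
    first = Authenticator("alice", 1000)
    print("first presentation:", cache.check(first, 1010))
    print("same authenticator again:", cache.check(first, 1011))
    print("stale authenticator:", cache.check(Authenticator("bob", 1000), 1400))
```

Both checks are needed: the skew check alone would let a captured authenticator be reused within the window, and the cache alone would have to grow without bound. The timestamp bounds the cache, the cache closes the window.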

QUESTION 14
In discretionary access environments, which of the following entities is authorized to grant information
access to other people?

A. Manager
B. Group Leader
C. Security Manager
D. Data Owner

Correct Answer: D
Explanation

Explanation/Reference:
In Discretionary Access Control (DAC) environments, the user who creates a file is also considered the
owner and has full control over the file including the ability to set permissions for that file.

The following answers are incorrect:

Manager. Is incorrect because in Discretionary Access Control (DAC) environments it is the owner/user that
is authorized to grant information access to other people.

Group Leader. Is incorrect because in Discretionary Access Control (DAC) environments it is the owner/user
that is authorized to grant information access to other people.

Security Manager. Is incorrect because in Discretionary Access Control (DAC) environments it is the
owner/user that is authorized to grant information access to other people.

IMPORTANT NOTE:

The term Data Owner is also used within Classifications as well. Under the subject of classification the
Data Owner is a person from management who has been entrusted with a data set that belongs to the
company. For example it could be the Chief Financial Officer (CFO) who is entrusted with all of the
financial data for a company. As such the CFO would determine the classification of the financial data and
who can access it as well. The Data Owner would then tell the Data Custodian (a technical person) what the
classification and need to know is on the specific set of data.

The term Data Owner under DAC simply means whoever created the file; as the creator of the file, the
owner has full access and can grant access to other subjects based on their identity.

QUESTION 15
What is the main concern with single sign-on?

A. Maximum unauthorized access would be possible if a password is disclosed.
B. The security administrator's workload would increase.
C. The users' password would be too hard to remember.
D. User access rights would be increased.

Correct Answer: A
Explanation

Explanation/Reference:
A major concern with Single Sign-On (SSO) is that if a user's ID and password are compromised, the
intruder would have access to all the systems that the user was authorized for.

The following answers are incorrect:

The security administrator's workload would increase. Is incorrect because the security administrator's
workload would decrease and not increase. The admin would not be responsible for maintaining multiple
user accounts just the one.

The users' password would be too hard to remember. Is incorrect because the users would have fewer
passwords to remember.

User access rights would be increased. Is incorrect because the user access rights would not be any
different than if they had to log into systems manually.

QUESTION 16
Who developed one of the first mathematical models of a multilevel-security computer system?

A. Diffie and Hellman.
B. Clark and Wilson.
C. Bell and LaPadula.
D. Gasser and Lipner.

Correct Answer: C
Explanation

Explanation/Reference:
In 1973 Bell and LaPadula created the first mathematical model of a multi-level security system.

The following answers are incorrect:


Diffie and Hellman. This is incorrect because Diffie and Hellman were involved with cryptography.

Clark and Wilson. This is incorrect because Bell and LaPadula was the first model. The Clark-Wilson
model came later, in 1987.

Gasser and Lipner. This is incorrect; it is a distractor. Bell and LaPadula was the first model.

QUESTION 17
Which of the following attacks could capture network user passwords?

A. Data diddling
B. Sniffing
C. IP Spoofing
D. Smurfing

Correct Answer: B
Explanation

Explanation/Reference:
A network sniffer captures a copy of every packet that traverses the network segment the sniffer is connected
to.
Sniffers are typically devices that can collect information from a communication medium, such as a
network. These devices can range from specialized equipment to basic workstations with customized
software.

A sniffer can collect information about most, if not all, attributes of the communication. The most common
method of sniffing is to plug a sniffer into an existing network device like a hub or switch. A hub (which is
designed to relay all traffic passing through it to all of its ports) will automatically begin sending all the
traffic on that network segment to the sniffing device. On the other hand, a switch (which is designed to
limit what traffic gets sent to which port) will have to be specially configured to send all traffic to the port
where the sniffer is plugged in.

Another method for sniffing is to use a network tap--a device that literally splits a network transmission into
two identical streams; one going to the original network destination and the other going to the sniffing
device. Each of these methods has its advantages and disadvantages, including cost, feasibility, and the
desire to maintain the secrecy of the sniffing activity.

The packets captured by the sniffer are decoded and then displayed by the sniffer. Therefore, if the username/
password are contained in a packet or packets traversing the segment the sniffer is connected to, it will
capture and display that information (and any other information on that segment it can see).

Of course, if the information is encrypted via a VPN, SSL, TLS, or similar technology, the information is still
captured and displayed, but it is in an unreadable format.
The following answers are incorrect:

Data diddling involves changing data before or as it is entered into a computer, or after it is extracted.

Spoofing is forging an address and inserting it into a packet to disguise the origin of the communication - or
causing a system to respond to the wrong address.

Smurfing would refer to the smurf attack, where an attacker sends spoofed packets to the broadcast
address on a gateway in order to cause a denial of service.

The following reference(s) were/was used to create this question:

CISA Review Manual 2014, page 321
Official ISC2 Guide to the CISSP, 3rd edition, page 153

QUESTION 18
Which of the following would constitute the best example of a password to use for access to a system by a
network administrator?

A. holiday
B. Christmas12
C. Jenny
D. GyN19Za!

Correct Answer: D
Explanation

Explanation/Reference:
GyN19Za! would be the best answer because it contains a mixture of upper and lower case characters,
alphabetic and numeric characters, and a special character making it less vulnerable to password attacks.
All of the other answers are incorrect because they are vulnerable to brute force or dictionary attacks.
Passwords should not be common words or names. The addition of a number to the end of a common
word only marginally strengthens it because a common password attack would also check combinations of
words:
Christmas23
Christmas123 etc...
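An added example (not from the page) of the checks a password policy would run over these four candidates: a dictionary lookup that strips leading and trailing digits and symbols before comparing, so "Christmas12" is still caught as a common word with a suffix, plus length and character-class requirements. The word list and the thresholds are constructed stand-ins; a real policy would consult a large dictionary and breached-password list.

```python
"""Password policy checks mirroring the reasoning in the explanation above.
Added example; the word list and thresholds are constructed."""
import string

# Constructed mini word list standing in for a dictionary and common-name list.
WORDLIST = {"holiday", "christmas", "jenny", "password", "welcome", "admin"}

# Character classes a password is expected to mix (fixed order for stable output).
CLASS_TESTS = (
    ("upper", str.isupper),
    ("lower", str.islower),
    ("digit", str.isdigit),
    ("symbol", lambda c: c in string.punctuation),
)


def missing_classes(pw: str) -> list:
    """Names of the character classes that do not appear anywhere in pw."""
    return [name for name, test in CLASS_TESTS if not any(test(c) for c in pw)]


def base_word(pw: str) -> str:
    """Strip digits/punctuation from both ends and lowercase: 'Christmas12' -> 'christmas'.
    This is what defeats the 'common word plus a number' habit."""
    return pw.strip(string.digits + string.punctuation).lower()


def assess(pw: str, wordlist=WORDLIST, min_len: int = 8) -> list:
    """Return a list of findings; an empty list means the password passed every check."""
    findings = []
    if len(pw) < min_len:
        findings.append("too short")
    core = base_word(pw)
    if core in wordlist:
        if core == pw.lower():
            findings.append("dictionary word")
        else:
            findings.append("dictionary word with digits or symbols added")
    missing = missing_classes(pw)
    if missing:
        findings.append("missing character classes: " + ", ".join(missing))
    return findings


if __name__ == "__main__":
    for candidate in ("holiday", "Christmas12", "Jenny", "GyN19Za!"):
        print(f"{candidate:12} -> {assess(candidate) or ['OK']}")
```

Only the last candidate comes back clean; "Christmas12" fails even though it is long enough, because the normalisation step reduces it to a word in the list.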

QUESTION 19
What physical characteristic does a retinal scan biometric device measure?

A. The amount of light reaching the retina
B. The amount of light reflected by the retina
C. The pattern of light receptors at the back of the eye
D. The pattern of blood vessels at the back of the eye

Correct Answer: D
Explanation

Explanation/Reference:
The retina, a thin nerve (1/50th of an inch) on the back of the eye, is the part of the eye which senses light
and transmits impulses through the optic nerve to the brain - the equivalent of film in a camera. Blood
vessels used for biometric identification are located along the neural retina, the outermost of the retina's four
cell layers.

The following answers are incorrect:


The amount of light reaching the retina. The amount of light reaching the retina is not used in the biometric scan of the retina.

The amount of light reflected by the retina. The amount of light reflected by the retina is not used in the biometric scan of the retina.

The pattern of light receptors at the back of the eye. This is a distractor.

The following reference(s) were/was used to create this question:
Reference: Retina Scan Technology.
ISC2 Official Guide to the CBK, 2007 (Page 161)

QUESTION 20
The Computer Security Policy Model the Orange Book is based on is which of the following?

A. Bell-LaPadula
B. Data Encryption Standard
C. Kerberos
D. Tempest

Correct Answer: A
Explanation

Explanation/Reference:
The Computer Security Policy Model the Orange Book is based on is the Bell-LaPadula Model (Orange Book
Glossary).
The Data Encryption Standard (DES) is a cryptographic algorithm (National Information Security Glossary).
TEMPEST is related to limiting the electromagnetic emanations from electronic equipment.
Reference: U.S. Department of Defense, Trusted Computer System Evaluation Criteria (Orange Book), DOD 520028-STD,
December 1985.

QUESTION 21
The end result of implementing the principle of least privilege means which of the following?

A. Users would get access to only the info for which they have a need to know
B. Users can access all systems.
C. Users get new privileges added when they change positions.
D. Authorization creep.

Correct Answer: A
Explanation

Explanation/Reference:
The principle of least privilege refers to allowing users to have only the access they need and not anything
more. Thus, certain users may have no need to access any of the files on specific systems.

The following answers are incorrect:

Users can access all systems. Although the principle of least privilege limits what access and systems
users have authorization to, not all users would have a need to know to access all of the systems. The best
answer is still Users would get access to only the info for which they have a need to know as some of the
users may not have a need to access a system.

Users get new privileges when they change positions. Although true that a user may indeed require new
privileges, this is not a given fact and in actuality a user may require less privileges for a new position. The
principle of least privilege would require that the rights required for the position be closely evaluated and
where possible rights revoked.

Authorization creep. Authorization creep occurs when users are given additional rights with new positions
and responsibilities. The principle of least privilege should actually prevent authorization creep.

The following reference(s) were/was used to create this question:

ISC2 OIG 2007 p.101,123

Shon Harris AIO v3 p148, 902-903

QUESTION 22
Which of the following is the most reliable authentication method for remote access?

A. Variable callback system
B. Synchronous token
C. Fixed callback system
D. Combination of callback and caller ID

Correct Answer: B
Explanation

Explanation/Reference:
A Synchronous token generates a one-time password that is only valid for a short period of time. Once the
password is used it is no longer valid, and it expires if not entered in the acceptable time frame.

The following answers are incorrect:


Variable callback system. Although variable callback systems are more flexible than fixed callback
systems, the system assumes the identity of the individual unless two-factor authentication is also
implemented. By itself, this method might allow an attacker access as a trusted user.

Fixed callback system. Authentication provides assurance that someone or something is who or what he/it
is supposed to be. Callback systems authenticate a person, but anyone can pretend to be that person.
They are tied to a specific place and phone number, which can be spoofed by implementing call-forwarding.

Combination of callback and Caller ID. The caller ID and callback functionality provides greater confidence
and auditability of the caller's identity. By disconnecting and calling back only authorized phone numbers,
the system has a greater confidence in the location of the call. However, unless combined with strong
authentication, any individual at the location could obtain access.

The following reference(s) were/was used to create this question:


Shon Harris AIO v3 p. 140, 548
ISC2 OIG 2007 p. 152-153, 126-127

QUESTION 23
Which of the following is true of two-factor authentication?

A. It uses the RSA public-key signature based on integers with large prime factors.
B. It requires two measurements of hand geometry.
C. It does not use single sign-on technology.
D. It relies on two independent proofs of identity.

Correct Answer: D
Explanation

Explanation/Reference:
It relies on two independent proofs of identity. Two-factor authentication refers to using two independent
proofs of identity, such as something the user has (e.g. a token card) and something the user knows (a
password). Two-factor authentication may be used with single sign-on.

The following answers are incorrect:

It requires two measurements of hand geometry. Measuring hand geometry twice does not yield
two independent proofs.

It uses the RSA public-key signature based on integers with large prime factors. RSA encryption uses
integers with exactly two prime factors, but the term "two-factor authentication" is not used in that context.

It does not use single sign-on technology. This is a detractor.

The following reference(s) were/was used to create this question:

Shon Harris AIO v.3 p.129

ISC2 OIG, 2007 p. 126

QUESTION 24
The primary service provided by Kerberos is which of the following?

A. non-repudiation
B. confidentiality
C. authentication
D. authorization

Correct Answer: C
Explanation

Explanation/Reference:
The following answers are incorrect:

non-repudiation. Since Kerberos deals primarily with symmetric cryptography, it does not help with
non-repudiation.

confidentiality. Once the client is authenticated by Kerberos and obtains its session key and ticket, it may
use them to assure confidentiality of its communication with a server; however, that is not a Kerberos
service as such.

authorization. Although Kerberos tickets may include some authorization information, the meaning of the
authorization fields is not standardized in the Kerberos specifications, and authorization is not a primary
Kerberos service.

The following reference(s) were/was used to create this question:

ISC2 OIG,2007 p. 179-184

Shon Harris AIO v.3 152-155

QUESTION 25
There are parallels between the trust models in Kerberos and Public Key Infrastructure (PKI). When we
compare them side by side, Kerberos tickets correspond most closely to which of the following?

A. public keys
B. private keys
C. public-key certificates
D. private-key certificates

Correct Answer: C
Explanation

Explanation/Reference:
A Kerberos ticket is issued by a trusted third party. It is an encrypted data structure that includes the
service encryption key. In that sense it is similar to a public-key certificate. However, the ticket is not the
key.

The following answers are incorrect:

public keys. Kerberos tickets are not shared out publicly, so they are not like a PKI public key.

private keys. Although a Kerberos ticket is not shared publicly, it is not a private key. Private keys are
associated with Asymmetric crypto system which is not used by Kerberos. Kerberos uses only the
Symmetric crypto system.

private key certificates. This is a detractor. There is no such thing as a private key certificate.

QUESTION 26
In which of the following security models is the subject's clearance compared to the object's classification
such that specific rules can be applied to control how the subject-to-object interactions take place?

A. Bell-LaPadula model
B. Biba model
C. Access Matrix model
D. Take-Grant model

Correct Answer: A
Explanation

Explanation/Reference:
Details:
The Answer: Bell-LaPadula model
The Bell-LaPadula model is also called a multilevel security system because users with different
clearances use the system and the system processes data with different classifications. It was
developed by the US Military in the 1970s.

A security model maps the abstract goals of the policy to information system terms by specifying explicit
data structures and techniques necessary to enforce the security policy. A security model is usually
represented in mathematics and analytical ideas, which are mapped to system specifications and then
developed by programmers through programming code. So we have a policy that encompasses security
goals, such as "each subject must be authenticated and authorized before accessing an object." The
security model takes this requirement and provides the necessary mathematical formulas, relationships,
and logic structure to be followed to accomplish this goal.

A system that employs the Bell-LaPadula model is called a multilevel security system because users with
different clearances use the system, and the system processes data at different classification levels. The
level at which information is classified determines the handling procedures that should be used. The Bell-
LaPadula model is a state machine model that enforces the confidentiality aspects of access control. A
matrix and security levels are used to determine if subjects can access different objects. The subject's
clearance is compared to the object's classification and then specific rules are applied to control how
subject-to-object interactions can take place.

Reference(s) used for this question:

Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (p. 369). McGraw-Hill.
Kindle Edition.

QUESTION 27
Which of the following was developed to address some of the weaknesses in Kerberos and uses public
key cryptography for the distribution of secret keys and provides additional access control support?

A. SESAME
B. RADIUS
C. KryptoKnight
D. TACACS+

Correct Answer: A
Explanation

Explanation/Reference:
Secure European System for Applications in a Multi-vendor Environment (SESAME) was developed to
address some of the weaknesses in Kerberos and uses public key cryptography for the distribution of
secret keys and provides additional access control support.
Reference:

TIPTON, Harold, Official (ISC)2 Guide to the CISSP CBK (2007), page 184

ISC OIG Second Edition, Access Controls, Page 111

QUESTION 28
Single Sign-on (SSO) is characterized by which of the following advantages?

A. Convenience
B. Convenience and centralized administration
C. Convenience and centralized data administration
D. Convenience and centralized network administration

Correct Answer: B
Explanation

Explanation/Reference:
Convenience -Using single sign-on users have to type their passwords only once when they first log in to
access all the network resources; and Centralized Administration as some single sign-on systems are built
around a unified server administration system. This allows a single administrator to add and delete
accounts across the entire network from one user interface.

The following answers are incorrect:

Convenience - alone this is not the correct answer.

Centralized Data or Network Administration - these are thrown in to mislead the student. Neither are a
benefit to SSO, as these specifically should not be allowed with just an SSO.

References: TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th
Edition, Volume 1, page 35

TIPTON, Harold F. & HENRY, Kevin, Official (ISC)2 Guide to the CISSP CBK, 2007, page 180

QUESTION 29
What is the primary role of smartcards in a PKI?

A. Transparent renewal of user keys
B. Easy distribution of the certificates between the users
C. Fast hardware encryption of the raw data
D. Tamper resistant, mobile storage and application of private keys of the users

Correct Answer: D
Explanation

Explanation/Reference:
Reference: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 2001, McGraw-Hill/Osborne,
page 139;

SNYDER, J., What is a SMART CARD?.

Wikipedia has a nice definition at: http://en.wikipedia.org/wiki/Tamper_resistance

Tamper-resistant microprocessors are used to store and process private or sensitive information, such as
private keys or electronic money credit. To prevent an attacker from retrieving or modifying the information,
the chips are designed so that the information is not accessible through external means and can be
accessed only by the embedded software, which should contain the appropriate security measures.

Examples of tamper-resistant chips include all secure cryptoprocessors, such as the IBM 4758 and chips
used in smartcards, as well as the Clipper chip.

It has been argued that it is very difficult to make simple electronic devices secure against tampering,
because numerous attacks are possible, including:
· physical attack of various forms (microprobing, drills, files, solvents, etc.)
· freezing the device
· applying out-of-spec voltages or power surges
· applying unusual clock signals
· inducing software errors using radiation
· measuring the precise time and power requirements of certain operations (see power analysis)

Tamper-resistant chips may be designed to zeroise their sensitive data (especially cryptographic keys) if
they detect penetration of their security encapsulation or out-of-specification environmental parameters. A
chip may even be rated for "cold zeroisation", the ability to zeroise itself even after its power supply has
been crippled.

Nevertheless, the fact that an attacker may have the device in his possession for as long as he likes, and
perhaps obtain numerous other samples for testing and practice, means that it is practically impossible to
totally eliminate tampering by a sufficiently motivated opponent. Because of this, one of the most important
elements in protecting a system is overall system design. In particular, tamper-resistant systems should
"fail gracefully" by ensuring that compromise of one device does not compromise the entire system. In this
manner, the attacker can be practically restricted to attacks that cost less than the expected return from
compromising a single device (plus, perhaps, a little more for kudos). Since the most sophisticated attacks
have been estimated to cost several hundred thousand dollars to carry out, carefully designed systems
may be invulnerable in practice.

QUESTION 30
What kind of certificate is used to validate a user identity?

A. Public key certificate
B. Attribute certificate
C. Root certificate
D. Code signing certificate

Correct Answer: A
Explanation

Explanation/Reference:
In cryptography, a public key certificate (or identity certificate) is an electronic document which
incorporates a digital signature to bind together a public key with an identity -- information such as the
name of a person or an organization, their address, and so forth. The certificate can be used to verify that
a public key belongs to an individual.
In a typical public key infrastructure (PKI) scheme, the signature will be of a certificate authority (CA). In a
web of trust scheme, the signature is of either the user (a self-signed certificate) or other users
("endorsements"). In either case, the signatures on a certificate are attestations by the certificate signer
that the identity information and the public key belong together.

In computer security, an authorization certificate (also known as an attribute certificate) is a digital
document that describes a written permission from the issuer to use a service or a resource that the issuer
controls or has access to use. The permission can be delegated.

Some people constantly confuse PKCs and ACs. An analogy may make the distinction clear. A PKC can
be considered to be like a passport: it identifies the holder, tends to last for a long time, and should not be
trivial to obtain. An AC is more like an entry visa: it is typically issued by a different authority and does not
last for as long a time. As acquiring an entry visa typically requires presenting a passport, getting a visa
can be a simpler process.

A real life example of this can be found in the mobile software deployments by large service providers and
are typically applied to platforms such as Microsoft Smartphone (and related), Symbian OS, J2ME, and
others.
In each of these systems a mobile communications service provider may customize the mobile terminal
client distribution (i.e. the mobile phone operating system or application environment) to include one or
more root certificates each associated with a set of capabilities or permissions such as "update firmware",
"access address book", "use radio interface", and the most basic one, "install and execute". When a
developer wishes to enable distribution and execution in one of these controlled environments they must
acquire a certificate from an appropriate CA, typically a large commercial CA, and in the process they
usually have their identity verified using out-of-band mechanisms such as a combination of phone call,
validation of their legal entity through government and commercial databases, etc., similar to the high
assurance SSL certificate vetting process, though often there are additional specific requirements imposed
on would-be developers/publishers.

Once the identity has been validated they are issued an identity certificate they can use to sign their
software; generally the software signed by the developer or publisher's identity certificate is not distributed
but rather it is submitted to a processor to possibly test or profile the content before generating an
authorization certificate which is unique to the particular software release. That certificate is then used with
an ephemeral asymmetric key-pair to sign the software as the last step of preparation for distribution.
There are many advantages to separating the identity and authorization certificates, especially relating to
risk mitigation of new content being accepted into the system, key management, and recovery
from errant software, which can be used as an attack vector.

HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 2001, McGraw-Hill/Osborne, page 540

http://en.wikipedia.org/wiki/Attribute_certificate
http://en.wikipedia.org/wiki/Public_key_certificate

QUESTION 31
The following is NOT a security characteristic we need to consider while choosing a biometric identification
system:

A. data acquisition process
B. cost
C. enrollment process
D. speed and user interface

Correct Answer: B
Explanation

Explanation/Reference:
Cost is a factor when considering Biometrics but it is not a security characteristic. All the other answers are
incorrect because they are security characteristics related to Biometrics.

Data acquisition process can cause a security concern because if the process is not fast and efficient it
can discourage individuals from using the process.

Enrollment process can cause a security concern because the enrollment process has to be quick and
efficient. This process captures data for authentication.

Speed and user interface can cause a security concern because this also impacts users' acceptance
rate of biometrics. If they are not comfortable with the interface and speed they might sabotage the devices
or otherwise attempt to circumvent them.

References:

OIG Access Control (Biometrics) (pgs 165-167)

From: TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition,
Volume 1, Pages 5-6


QUESTION 32
In the early days of biometric identification systems, it soon became apparent that truly positive identification
could only be based on physical attributes of a person. This raised the necessity of answering two
questions:

A. what was the sex of a person and his age
B. what part of body to be used and how to accomplish identification that is viable
C. what was the age of a person and his income level
D. what was the tone of the voice of a person and his habits

Correct Answer: B
Explanation

Explanation/Reference:
Today, implementation of fast, accurate, reliable, and user-acceptable biometric identification systems is
already taking place. Unique physical attributes or behavior of a person are used for that purpose.
From: TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition,
Volume 1, Page 7

QUESTION 33
In biometric identification systems, the parts of the body conveniently available for identification are:

A. neck and mouth
B. hands, face, and eyes
C. feet and hair
D. voice and neck

Correct Answer: B
Explanation

Explanation/Reference:
Today, implementation of fast, accurate, reliable, and user-acceptable biometric identification systems is
already under way. Because most identity authentication takes place when people are fully clothed (neck
to feet and wrists), the parts of the body conveniently available for this purpose are hands, face, and eyes.

From: TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition,
Volume 1, Page 7

QUESTION 34
Controlling access to information systems and associated networks is necessary for the preservation of
their:

A. Authenticity, confidentiality and availability
B. Confidentiality, integrity, and availability
C. Integrity and availability
D. Authenticity, confidentiality, integrity and availability

Correct Answer: B
Explanation

Explanation/Reference:
Controlling access to information systems and associated networks is necessary for the preservation of
their confidentiality, integrity and availability.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 31

QUESTION 35
To control access by a subject (an active entity such as an individual or process) to an object (a passive
entity such as a file) involves setting up:

A. Access Rules
B. Access Matrix
C. Identification controls
D. Access terminal

Correct Answer: A
Explanation

Explanation/Reference:
Controlling access by a subject (an active entity such as an individual or process) to an object (a passive
entity such as a file) involves setting up access rules.

These rules can be classified into three access control models: Mandatory, Discretionary, and Non-
Discretionary.

An access matrix is one of the means used to implement access control.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 33


QUESTION 36
Rule-Based Access Control (RuBAC) access is determined by rules. Such rules would fit within what
category of access control?

A. Discretionary Access Control (DAC)
B. Mandatory Access control (MAC)
C. Non-Discretionary Access Control (NDAC)
D. Lattice-based Access control

Correct Answer: C
Explanation

Explanation/Reference:
Rule-based access control is a type of non-discretionary access control because access is determined
by rules and the subject does not decide what those rules will be; the rules are uniformly applied to ALL of
the users or subjects.

In general, all access control policies other than DAC are grouped in the category of non-discretionary
access control (NDAC). As the name implies, policies in this category have rules that are not established at
the discretion of the user. Non-discretionary policies establish controls that cannot be changed by users,
but only through administrative action.

Both Role Based Access Control (RBAC) and Rule Based Access Control (RuBAC) fall within Non
Discretionary Access Control (NDAC). If it is not DAC or MAC then it is most likely NDAC.
IT IS NOT ALWAYS BLACK OR WHITE

The different access control models are not totally exclusive of each other. MAC makes use of rules to
be implemented. However, with MAC you have requirements above and beyond having simple access
rules: the subject must get formal approval from management, the subject must have the proper security
clearance, and objects must have labels/sensitivity levels attached to them. If all of this is in place then
you have MAC.

BELOW YOU HAVE A DESCRIPTION OF THE DIFFERENT CATEGORIES:

MAC = Mandatory Access Control

Under a mandatory access control environment, the system or security administrator will define what
permissions subjects have on objects. The administrator does not dictate users' access but simply
configures the proper level of access as dictated by the Data Owner.

The MAC system will look at the Security Clearance of the subject and compare it with the object
sensitivity level or classification level. This is what is called the dominance relationship.

The subject must DOMINATE the object sensitivity level, which means that the subject must have a
security clearance equal to or higher than that of the object he is attempting to access.

MAC also introduces the concept of labels. Every object will have a label attached to it indicating the
classification of the object as well as categories that are used to impose the need to know (NTK) principle.
Even though a user has a security clearance of Secret, it does not mean he would be able to access any
Secret document within the system. He would be allowed to access only Secret documents for which he
has a Need To Know and formal approval, and only objects where the user belongs to one of the categories
attached to the object.

If there is no clearance and no labels then IT IS NOT Mandatory Access Control.

Many of the other models can mimic MAC but none of them have labels and a dominance relationship so
they are NOT in the MAC category.

NISTIR-7316 says:

Usually a labeling mechanism and a set of interfaces are used to determine access based on the MAC
policy; for example, a user who is running a process at the Secret classification should not be allowed to
read a file with a label of Top Secret. This is known as the "simple security rule," or "no read up."
Conversely, a user who is running a process with a label of Secret should not be allowed to write to a file
with a label of Confidential. This rule is called the "*-property" (pronounced "star property") or "no write
down." The *-property is required to maintain system security in an automated environment. A variation on
this rule called the "strict *-property" requires that information can be written at, but not above, the subject's
clearance level. Multilevel security models such as the Bell-La Padula Confidentiality and Biba Integrity
models are used to formally specify this kind of MAC policy.
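The dominance relationship and the two rules quoted above from NISTIR-7316 (the same Bell-LaPadula rules asked about in QUESTION 26) can be written as a small decision function. This is an added example, not code from the page or its references; the level names, the compartment names and the strict *-property interpretation are constructed for illustration.

```python
"""Bell-LaPadula style MAC decisions: labels, dominance, no read up, no write down.
Added example; not from the page's references."""
from dataclasses import dataclass
from typing import FrozenSet

# Ordered classification levels, lowest first (constructed; the same levels
# the NISTIR-7316 excerpt above uses).
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    """A MAC label: a classification level plus need-to-know categories."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        if self.level not in LEVELS:
            raise ValueError(f"unknown classification level: {self.level}")

    def dominates(self, other: "Label") -> bool:
        """Dominance: this level is at least as high as the other's AND this
        label holds every category (compartment) the other label carries."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security rule ("no read up"): the subject must dominate the object."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label, strict: bool = False) -> bool:
    """*-property ("no write down"): the object must dominate the subject, so
    information only flows upward in the lattice. With strict=True (strict
    *-property) the subject may write only at its own level; requiring identical
    categories as well is this example's assumption, not a statement from the page."""
    if strict:
        return obj.level == subject.level and obj.categories == subject.categories
    return obj.dominates(subject)


def decide(subject: Label, obj: Label, op: str, strict: bool = False) -> dict:
    """Evaluate one access request and name the rule that decided it, so the
    outcome (especially a denial) can be written to an audit log."""
    if op == "read":
        allowed, rule = can_read(subject, obj), "simple security rule"
    elif op == "write":
        allowed = can_write(subject, obj, strict)
        rule = "strict *-property" if strict else "*-property"
    else:
        raise ValueError(f"unsupported operation: {op}")
    return {"op": op, "subject": subject, "object": obj,
            "allowed": allowed, "rule": rule}


if __name__ == "__main__":
    # Constructed subject: a Secret-cleared user with the NUCLEAR compartment.
    user = Label("Secret", frozenset({"NUCLEAR"}))
    requests = [
        (Label("Confidential"), "read"),                         # read down: allowed
        (Label("Top Secret"), "read"),                           # read up: denied
        (Label("Secret", frozenset({"CRYPTO"})), "read"),        # same level, no NTK: denied
        (Label("Confidential"), "write"),                        # write down: denied
        (Label("Top Secret", frozenset({"NUCLEAR"})), "write"),  # write up: allowed
    ]
    for obj, op in requests:
        d = decide(user, obj, op)
        print(f"{op:5} {obj.level:12} {sorted(obj.categories)} -> "
              f"{'ALLOW' if d['allowed'] else 'DENY'} ({d['rule']})")
```

Note that a Secret/NUCLEAR subject cannot even read a Secret/CRYPTO document: the level matches but the category check (need to know) fails, which is exactly why labels carry categories in addition to a classification.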

DAC = Discretionary Access Control

DAC is also known as an Identity Based access control system.

The owner of an object is defined as the person who created the object. As such, the owner has the
discretion to grant access to other users on the network. Access will be granted based solely on the
identity of those users.

Such a system is good for a low level of security. One of the major problems is the fact that a user who
has access to someone else's file can further share the file with other users without the knowledge or
permission of the owner of the file. Very quickly this could become the wild west as there is no control on
the dissemination of the information.

RBAC = Role Based Access Control

RBAC is a form of Non-Discretionary access control.

Role Based access control usually maps directly to the different types of jobs performed by employees
within a company.

For example, there might be 5 security administrators within your company. Instead of creating each of
their profiles one by one, you would simply create a role and assign the administrators to the role. Once an
administrator has been assigned to a role, he will IMPLICITLY inherit the permissions of that role.

RBAC is a great tool for environments where there is a large rotation of employees on a daily basis, such as
a very large help desk.

RBAC or RuBAC = Rule Based Access Control

RuBAC is a form of Non-Discretionary access control.

A good example of a Rule Based access control device would be a firewall. A single set of rules is
imposed on all users attempting to connect through the firewall.

NOTE FROM CLEMENT:

A lot of people tend to confuse MAC and Rule Based Access Control.

Mandatory Access Control must make use of LABELS. If there is only rules and no label, it cannot be
Mandatory Access Control. This is why they call it Non Discretionary Access control (NDAC).

There are even books out there that are WRONG on this subject. Books are sometimes opinionated and not
strictly based on facts.

In MAC subjects must have clearance to access sensitive objects. Objects have labels that contain the
classification to indicate the sensitivity of the object and the label also has categories to enforce the need
to know.

Today the best example of rule based access control would be a firewall. All rules are imposed globally to
any user attempting to connect through the device. This is NOT the case with MAC.

I strongly recommend you read carefully the following document:

NISTIR-7316 at http://csrc.nist.gov/publications/nistir/7316/NISTIR-7316pdf

It is one of the best access control study documents to prepare for the exam. Usually I tell people not to
worry about the hundreds of NIST documents and other references. This document is an exception. Take
some time to read it.

Reference(s) used for this question:

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 33

And

NISTIR-7316 at http://csrc.nist.gov/publications/nistir/7316/NISTIR-7316pdf

And

Conrad, Eric; Misenar, Seth; Feldman, Joshua (2012-09-01). CISSP Study Guide (Kindle Locations 651-
652). Elsevier Science (reference). Kindle Edition.

QUESTION 37
The type of discretionary access control (DAC) that is based on an individual's identity is also called:

A. Identity-based Access control
B. Rule-based Access control
C. Non-Discretionary Access Control
D. Lattice-based Access control

Correct Answer: A
Explanation

Explanation/Reference:
An identity-based access control is a type of Discretionary Access Control (DAC) that is based on an
individual's identity.

DAC is good for low level security environment. The owner of the file decides who has access to the file.

If a user creates a file, he is the owner of that file. An identifier for this user is placed in the file header and/
or in an access control matrix within the operating system.

Ownership might also be granted to a specific individual. For example, a manager for a certain department
might be made the owner of the files and resources within her department. A system that uses
discretionary access control (DAC) enables the owner of the resource to specify which subjects can
access specific resources.

This model is called discretionary because the control of access is based on the discretion of the owner.
Many times department managers, or business unit managers, are the owners of the data within their
specific department. Being the owner, they can specify who should have access and who should not.

Reference(s) used for this question:

Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 220). McGraw-Hill.
Kindle Edition.

QUESTION 38
Which access control type has a central authority that determines what objects the subjects have access
to, based on role or on the organizational security policy?

A. Mandatory Access Control
B. Discretionary Access Control
C. Non-Discretionary Access Control
D. Rule-based Access control

Correct Answer: C
Explanation

Explanation/Reference:
Non Discretionary Access Control includes Role Based Access Control (RBAC) and Rule Based Access
Control (RBAC or RuBAC). RBAC being a subset of NDAC, it was easy to eliminate RBAC as it was
covered under NDAC already.

Some people think that RBAC is synonymous with NDAC but RuBAC would also fall into this category.

Discretionary Access Control is for environments with a very low level of security. There is no control on
the dissemination of the information. A user who has access to a file can copy the file or further share it with
other users.

Rule Based Access Control is when you have ONE set of rules applied uniformly to all users. A good
example would be a firewall at the edge of your network. A single rule base is applied against any
packets received from the internet.

Mandatory Access Control is a very rigid type of access control. The subject must dominate the object and
the subject must have a Need To Know to access the information. Objects have labels that indicate the
sensitivity (classification) and there are also categories to enforce the Need To Know (NTK).

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 33

QUESTION 39
Which of the following control pairings include: organizational policies and procedures, pre-employment
background checks, strict hiring practices, employment agreements, employee termination procedures,
vacation scheduling, labeling of sensitive materials, increased supervision, security awareness training,
behavior awareness, and sign-up procedures to obtain access to information systems and networks?

A. Preventive/Administrative Pairing
B. Preventive/Technical Pairing
C. Preventive/Physical Pairing
D. Detective/Administrative Pairing

Correct Answer: A
Explanation

Explanation/Reference:
Preventive/Administrative controls include organizational policies and procedures, pre-employment
background checks, strict hiring practices, employment agreements, friendly and unfriendly employee
termination procedures, vacation scheduling, labeling of sensitive materials, increased supervision,
security awareness training, behavior awareness, and sign-up procedures to obtain access to information
systems and networks.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 34

QUESTION 40
Technical controls such as encryption and access control can be built into the operating system, be
software applications, or can be supplemental hardware/software units. Such controls, also known as
logical controls, represent which pairing?

A. Preventive/Administrative Pairing
B. Preventive/Technical Pairing
C. Preventive/Physical Pairing
D. Detective/Technical Pairing

Correct Answer: B
Explanation

Explanation/Reference:
Preventive/Technical controls are also known as logical controls and can be built into the operating
system, be software applications, or can be supplemental hardware/software units.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 34

QUESTION 41
What is called the use of technologies such as fingerprint, retina, and iris scans to authenticate the
individuals requesting access to resources?

A. Micrometrics
B. Macrometrics
C. Biometrics
D. MicroBiometrics

Correct Answer: C
Explanation

Explanation/Reference:
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 35

QUESTION 42
What is called the access protection system that limits connections by calling back the number of a
previously authorized location?

A. Sendback systems
B. Callback forward systems
C. Callback systems
D. Sendback forward systems

Correct Answer: C
Explanation

Explanation/Reference:
The Answer: Callback Systems. Callback systems provide access protection by calling back the number
of a previously authorized location, but this control can be compromised by call forwarding.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 35

QUESTION 43
What are called user interfaces that limit the functions that can be selected by a user?

A. Constrained user interfaces
B. Limited user interfaces
C. Mini user interfaces
D. Unlimited user interfaces

Correct Answer: A
Explanation

Explanation/Reference:
Another method for controlling access is by restricting users to specific functions based on their role in the
system. This is typically implemented by limiting available menus, data views, encryption, or by physically
constraining the user interfaces.

This is common on devices such as an automated teller machine (ATM). The advantage of a constrained
user interface is that it limits potential avenues of attack and system failure by restricting the processing
options that are available to the user.

On an ATM machine, if a user does not have a checking account with the bank he or she will not be shown
the "Withdraw money from checking" option. Likewise, an information system might have an "Add/Remove
Users" menu option for administrators, but if a normal, non-administrative user logs in he or she will not
even see that menu option. By not even identifying potential options for non-qualifying users, the system
limits the potentially harmful execution of unauthorized system or application commands.
Many database management systems have the concept of "views." A database view is an extract of the
data stored in the database that is filtered based on predefined user or system criteria. This permits
multiple users to access the same database while only having the ability to access data they need (or are
allowed to have) and not data for another user. The use of database views is another example of a
constrained user interface.
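
As an added example (not from the page or the (ISC)2 guide), the following Python program builds the two
constrained-interface mechanisms described above on an in-memory SQLite database: a database view that
only ever returns the rows belonging to the current session user, and a menu that is assembled from what
that view exposes plus the caller's role, so that options the user cannot use are never shown. The accounts,
users, role names and the `session` table used to carry the caller's identity into the view are all constructed
assumptions for this illustration.

```python
import sqlite3

# Constructed sample data (not from the page): one accounts table shared by every customer.
ACCOUNTS = [
    (1, "alice", "checking", 1200.00),
    (2, "alice", "savings", 5000.00),
    (3, "bob", "savings", 300.00),
]

# Menu entries keyed by what the user actually holds; anything not listed is never offered.
ACCOUNT_MENU = {
    "checking": "Withdraw money from checking",
    "savings": "Withdraw money from savings",
}
ROLE_MENU = {
    "admin": ["Add/Remove Users"],
    "user": [],
}


def build_db():
    """Create the shared table plus a view filtered on the current session user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts(id INTEGER PRIMARY KEY, owner TEXT, kind TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?)", ACCOUNTS)
    # The session table carries the caller's identity into the view (a hypothetical
    # mechanism for this example; production databases use row-level security or
    # per-user views for the same purpose).
    conn.execute("CREATE TABLE session(owner TEXT)")
    conn.execute(
        "CREATE VIEW my_accounts AS "
        "SELECT id, kind, balance FROM accounts "
        "WHERE owner = (SELECT owner FROM session)"
    )
    conn.commit()
    return conn


def set_session_user(conn, user):
    conn.execute("DELETE FROM session")
    conn.execute("INSERT INTO session VALUES (?)", (user,))
    conn.commit()


def accounts_for(conn, user):
    """Rows the user can see: the view hides every other customer's data."""
    set_session_user(conn, user)
    return conn.execute("SELECT id, kind, balance FROM my_accounts ORDER BY id").fetchall()


def menu_for(conn, user, role):
    """Constrained menu: only options backed by data or a role the user holds are listed."""
    kinds = {kind for _, kind, _ in accounts_for(conn, user)}
    options = [ACCOUNT_MENU[k] for k in sorted(kinds) if k in ACCOUNT_MENU]
    return options + ROLE_MENU.get(role, [])


def select_option(conn, user, role, option):
    """Reject any option that was not offered, even if the caller names it directly."""
    if option not in menu_for(conn, user, role):
        raise PermissionError(f"{user!r} may not invoke {option!r}")
    return option


if __name__ == "__main__":
    db = build_db()
    print(menu_for(db, "bob", "user"))
    print(menu_for(db, "alice", "admin"))
```

Note that `select_option` re-checks the menu on every request: hiding an option is only useful if the server
also refuses it when a client submits it anyway.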

The following were incorrect answers:

All of the other choices presented were bogus answers.

The following reference(s) were used for this question:

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2
Press) (Kindle Locations 1989-2002). Auerbach Publications. Kindle Edition.

QUESTION 44
Controls such as job rotation, the sharing of responsibilities, and reviews of audit records are associated
with:

A. Preventive/physical
B. Detective/technical
C. Detective/physical
D. Detective/administrative

Correct Answer: D
Explanation

Explanation/Reference:
Additional detective/administrative controls are job rotation, the sharing of responsibilities, and reviews of
audit records.

Reference(s) used for this question:

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 35

QUESTION 45
The control measures that are intended to reveal the violations of security policy using software and
hardware are associated with:

A. Preventive/physical
B. Detective/technical
C. Detective/physical
D. Detective/administrative

Correct Answer: B
Explanation

Explanation/Reference:
The detective/technical control measures are intended to reveal the violations of security policy using
technical means.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 35

QUESTION 46
The controls that usually require a human to evaluate the input from sensors or cameras to determine if a
real threat exists are associated with:

A. Preventive/physical
B. Detective/technical
C. Detective/physical
D. Detective/administrative

Correct Answer: C
Explanation

Explanation/Reference:
Detective/physical controls usually require a human to evaluate the input from sensors or cameras to
determine if a real threat exists.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 36

QUESTION 47
External consistency ensures that the data stored in the database is:

A. inconsistent with the real world.
B. remains consistent when sent from one system to another.
C. consistent with the logical world.
D. consistent with the real world.

Correct Answer: D
Explanation

Explanation/Reference:
External consistency ensures that the data stored in the database is consistent with the real world.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, page 33

QUESTION 48
A central authority determines what subjects can have access to certain objects based on the
organizational security policy is called:

A. Mandatory Access Control
B. Discretionary Access Control
C. Non-Discretionary Access Control
D. Rule-based Access control

Correct Answer: C
Explanation

Explanation/Reference:
A central authority determines what subjects can have access to certain objects based on the
organizational security policy.

The key focal point of this question is the 'central authority' that determines access rights.

Cecilia, one of the quiz users, has sent me feedback informing me that NIST defines MAC as:
"MAC Policy means that Access Control Policy Decisions are made by a CENTRAL AUTHORITY." This
seems to indicate there could be two good answers to this question.

However, if you read the NISTIR document mentioned in the references below, it is also mentioned that
MAC is the most mentioned NDAC policy. So MAC is a form of NDAC policy.

Within the same document it is also mentioned: "In general, all access control policies other than DAC are
grouped in the category of non-discretionary access control (NDAC). As the name implies, policies in this
category have rules that are not established at the discretion of the user. Non-discretionary policies
establish controls that cannot be changed by users, but only through administrative action."

Under NDAC you have two choices: Rule-Based Access Control and Role-Based Access Control.

MAC is implemented using RULES, which makes it fall under Rule-Based Access Control (RuBAC), which is
itself a form of NDAC. MAC is therefore a subset of NDAC.

This question is representative of what you can expect on the real exam, where you have more than one
choice that seems to be right. However, you have to look closely at whether one of the choices is a higher-level
category, or whether one of the choices falls under another choice. In this case NDAC is the better choice
because MAC falls under NDAC through the use of Rule-Based Access Control.

The following are incorrect answers:

MANDATORY ACCESS CONTROL

In Mandatory Access Control the label of the object and the clearance of the subject determine access
rights, not a central authority. Although a central authority (better known as the Data Owner) assigns the
label to the object, the system makes the access decision automatically by comparing the object label with
the subject clearance. The subject clearance MUST dominate (be equal to or higher than) the label of the
object being accessed.

The need for a MAC mechanism arises when the security policy of a system dictates that:
1. Protection decisions must not be decided by the object owner.
2. The system must enforce the protection decisions (i.e., the system enforces the security policy over the
wishes or intentions of the object owner).

Usually a labeling mechanism and a set of interfaces are used to determine access based on the MAC
policy; for example, a user who is running a process at the Secret classification should not be allowed to
read a file with a label of Top Secret. This is known as the "simple security rule," or "no read up."

Conversely, a user who is running a process with a label of Secret should not be allowed to write to a file
with a label of Confidential. This rule is called the "*-property" (pronounced "star property") or "no write
down." The *-property is required to maintain system security in an automated environment.
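
The two rules just described, as an added example in Python that is not part of the page or of the NIST
document it cites. A label is a classification level plus a set of need-to-know compartments (the compartment
part goes slightly beyond the page, which only discusses levels, and the level names below Confidential are
assumptions); `mac_decision` makes the read/write decision purely from the two labels, and `MacStore`
shows that the data owner can choose an object's label but cannot influence the decision the system derives
from it.

```python
# Ordered classification levels (constructed for this example; the page itself
# only names Confidential, Secret and Top Secret).
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


def label(level, *compartments):
    """A security label: a classification level plus a set of need-to-know compartments."""
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}")
    return (level, frozenset(compartments))


def dominates(a, b):
    """a dominates b when a's level is at least b's and a carries every compartment of b."""
    (level_a, comps_a), (level_b, comps_b) = a, b
    return LEVELS[level_a] >= LEVELS[level_b] and comps_a >= comps_b


def mac_decision(subject_clearance, object_label, operation):
    """Bell-LaPadula style decision made only from labels; no owner is consulted.

    read  -> simple security rule ("no read up"):  subject must dominate the object
    write -> *-property ("no write down"):         object must dominate the subject
    """
    if operation == "read":
        return dominates(subject_clearance, object_label)
    if operation == "write":
        return dominates(object_label, subject_clearance)
    raise ValueError(f"unknown operation {operation!r}")


class MacStore:
    """Objects carry labels assigned by the data owner; the system enforces every access."""

    def __init__(self):
        self.labels = {}

    def assign_label(self, name, obj_label):
        # The data owner chooses the label...
        self.labels[name] = obj_label

    def access(self, subject_clearance, name, operation):
        # ...but cannot override the decision, which is derived from the labels alone.
        return mac_decision(subject_clearance, self.labels[name], operation)


if __name__ == "__main__":
    store = MacStore()
    store.assign_label("plans.txt", label("Top Secret"))
    print(store.access(label("Secret"), "plans.txt", "read"))   # False: no read up
    print(store.access(label("Secret"), "plans.txt", "write"))  # True: writing upward is allowed
```

The write-up case is worth noticing: the *-property stops a Secret process from writing into a Confidential
file, but does not stop it writing into a Top Secret one, because that direction cannot leak information
downward.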

DISCRETIONARY ACCESS CONTROL

In Discretionary Access Control the rights are determined by many different entities: each person who
creates a file is the owner of that file and controls access to it, rather than one central authority.

DAC leaves a certain amount of access control to the discretion of the object's owner or anyone else who
is authorized to control the object's access. For example, it is generally used to limit a user's access to a
file; it is the owner of the file who controls other users' accesses to the file. Only those users specified by
the owner may have some combination of read, write, execute, and other permissions to the file.

DAC policy tends to be very flexible and is widely used in the commercial and government sectors.
However, DAC is known to be inherently weak for two reasons:

First, granting read access is transitive; for example, when Ann grants Bob read access to a file, nothing
stops Bob from copying the contents of Ann's file to an object that Bob controls. Bob may now grant any
other user access to the copy of Ann's file without Ann's knowledge. Second, DAC policy is vulnerable to
Trojan horse attacks. Because programs inherit the identity of the invoking user, Bob may, for example,
write a program for Ann that, on the surface, performs some useful function, while at the same time
destroys the contents of Ann's files. When investigating the problem, the audit files would indicate that Ann
destroyed her own files.

Thus, formally, the drawbacks of DAC are as follows:
· Information can be copied from one object to another; therefore, there is no real assurance on the flow
of information in a system.
· No restrictions apply to the usage of information when the user has received it.
· The privileges for accessing objects are decided by the owner of the object, rather than through a
system-wide policy that reflects the organization's security requirements.

ACLs and owner/group/other access control mechanisms are by far the most common mechanism for
implementing DAC policies. Other mechanisms, even though not designed with DAC in mind, may have
the capabilities to implement a DAC policy.
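
The two DAC weaknesses above, reproduced as an added Python example (not code from the page or from
NIST): a minimal owner-controlled ACL store in which Ann's grant to Bob lets the data end up in an object Ann
no longer governs, and in which a program run by Ann acts, and is logged, as Ann. The user names and
object names are the page's illustration; the store, its methods and the audit format are assumptions made
for this example.

```python
class DacStore:
    """Discretionary access control: each object's owner maintains its own ACL."""

    def __init__(self):
        self.objects = {}   # name -> {"owner", "content", "acl": {user: {perms}}}
        self.audit = []     # (acting_user, action, object) records

    def create(self, owner, name, content):
        self.objects[name] = {"owner": owner, "content": content,
                              "acl": {owner: {"read", "write"}}}
        self.audit.append((owner, "create", name))

    def grant(self, grantor, name, user, perm):
        obj = self.objects[name]
        if grantor != obj["owner"]:
            raise PermissionError(f"{grantor} does not own {name}")
        obj["acl"].setdefault(user, set()).add(perm)
        self.audit.append((grantor, f"grant:{perm}:{user}", name))

    def can(self, user, name, perm):
        return perm in self.objects[name]["acl"].get(user, set())

    def read(self, user, name):
        if not self.can(user, name, "read"):
            raise PermissionError(f"{user} may not read {name}")
        self.audit.append((user, "read", name))
        return self.objects[name]["content"]

    def write(self, user, name, content):
        if not self.can(user, name, "write"):
            raise PermissionError(f"{user} may not write {name}")
        self.objects[name]["content"] = content
        self.audit.append((user, "write", name))

    def run_as(self, user, program):
        """Programs inherit the identity of the user who invokes them."""
        program(self, user)


def demonstrate_transitive_flow():
    """Weakness 1: read access is transitive. A copy escapes the owner's control."""
    store = DacStore()
    store.create("ann", "ann_file", "payroll figures")        # constructed content
    store.grant("ann", "ann_file", "bob", "read")
    # Bob copies the content into an object he owns; Ann's ACL no longer applies to it.
    store.create("bob", "bob_copy", store.read("bob", "ann_file"))
    store.grant("bob", "bob_copy", "carol", "read")            # Ann is never consulted
    return {
        "carol_reads_original": store.can("carol", "ann_file", "read"),
        "carol_reads_copy": store.can("carol", "bob_copy", "read"),
        "copy_matches_original": store.read("carol", "bob_copy") == store.objects["ann_file"]["content"],
    }


def demonstrate_inherited_identity():
    """Weakness 2: a program supplied by Bob but run by Ann acts with Ann's rights."""
    store = DacStore()
    store.create("ann", "ann_file", "quarterly report")

    def useful_looking_program(s, invoking_user):
        s.write(invoking_user, "ann_file", "")                  # runs under Ann's identity

    store.run_as("ann", useful_looking_program)
    # The audit trail attributes the write to Ann, not to the program's author.
    return [entry for entry in store.audit if entry[1] == "write"]


if __name__ == "__main__":
    print(demonstrate_transitive_flow())
    print(demonstrate_inherited_identity())
```

From a defender's point of view the second result is the more important one: audit records produced under a
DAC policy show who invoked a program, not who wrote it, so investigating such an event requires looking at
the program's provenance as well as the log.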

RULE BASED ACCESS CONTROL

In Rule-based Access Control a central authority could in fact determine what subjects can have access
when assigning the rules for access. However, the rules actually determine the access and so this is not
the most correct answer.

RuBAC (as opposed to RBAC, role-based access control) allows users to access systems and information
based on predetermined and configured rules. It is important to note that there is no commonly
understood definition or formally defined standard for rule-based access control as there is for DAC, MAC,
and RBAC. "Rule-based access" is a generic term applied to systems that allow some form of
organization-defined rules, and therefore rule-based access control encompasses a broad range of
systems. RuBAC may in fact be combined with other models, particularly RBAC or DAC. A RuBAC system
intercepts every access request and compares the rules with the rights of the user to make an access
decision. Most rule-based access control relies on a security label system, which dynamically
composes a set of rules defined by a security policy. Security labels are attached to all objects, including
files, directories, and devices. Sometimes roles are assigned to subjects (based on their attributes) as well.

RuBAC meets the business needs as well as the technical needs of controlling service access. It allows
business rules to be applied to access control; for example, customers who have overdue balances may
be denied service access. As a mechanism for MAC, the rules of RuBAC cannot be changed by users. The
rules can be established by any attributes of a system related to the users, such as domain, host, protocol,
network, or IP addresses. For example, suppose that a user wants to access an object in another network
on the other side of a router. The router employs RuBAC with a rule composed of the network
addresses, domain, and protocol to decide whether or not the user can be granted access. If employees
change their roles within the organization, their existing authentication credentials remain in effect and do
not need to be reconfigured.

Using rules in conjunction with roles adds greater flexibility because rules can be applied to people as well
as to devices. Rule-based access control can be combined with role-based access control, such that the
role of a user is one of the attributes in rule setting. Some access control systems have rule-based policy
engines in addition to a role-based policy engine and certain implemented dynamic policies [Des03]. For
example, suppose that two of the primary types of software users are product engineers and quality
engineers. Both groups usually have access to the same data, but they have different roles to perform in
relation to the data and the application's function. In addition, individuals within each group have different
job responsibilities that may be identified using several types of attributes such as developing programs
and testing areas. Thus, the access decisions can be made in real time by a scripted policy that regulates
the access between the groups of product engineers and quality engineers, and each individual within
these groups. Rules can either replace or complement role-based access control. However, the creation of
rules and security policies is also a complex process, so each organization will need to strike the
appropriate balance.
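
The rule engine described above, as an added Python example that is not the page's or NIST's own code: each
rule is a set of conditions over request attributes (source network, protocol, domain, role, action, overdue
balance) with an allow or deny effect; deny rules are evaluated first, the first match wins, and anything that
matches no rule is denied. The three rules, the attribute names and the sample requests are constructed for
this illustration and combine the page's router example, its overdue-balance example and its role-as-attribute
example in one policy.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    effect: str                      # "allow" or "deny"
    conditions: dict = field(default_factory=dict)

    def matches(self, request):
        """Every condition must hold; a missing attribute never satisfies a condition."""
        for attr, expected in self.conditions.items():
            actual = request.get(attr)
            if attr == "src_ip":
                # network membership rather than string equality
                if actual is None or ip_address(actual) not in ip_network(expected):
                    return False
            elif callable(expected):
                # predicate conditions, e.g. a threshold on a balance
                if not expected(actual):
                    return False
            elif actual != expected:
                return False
        return True


# Constructed policy: maintained by administrators, never editable by the users it governs.
POLICY = [
    Rule("block-overdue", "deny",
         {"overdue_balance": lambda v: v is not None and v > 0}),
    Rule("engineering-lan-ssh", "allow",
         {"src_ip": "10.20.0.0/16", "protocol": "ssh", "domain": "eng.example.test"}),
    Rule("qa-role-read", "allow",
         {"role": "quality_engineer", "action": "read"}),
]


def decide(policy, request):
    """Deny rules first, then allow rules; first match wins; default deny."""
    ordered = sorted(policy, key=lambda r: r.effect != "deny")   # stable: deny -> front
    for rule in ordered:
        if rule.matches(request):
            return rule.effect, rule.name
    return "deny", "default"


if __name__ == "__main__":
    # Constructed sample requests
    print(decide(POLICY, {"src_ip": "10.20.5.7", "protocol": "ssh",
                          "domain": "eng.example.test", "action": "exec", "overdue_balance": 0}))
    print(decide(POLICY, {"src_ip": "192.168.1.4", "protocol": "ssh",
                          "domain": "eng.example.test", "action": "exec"}))
    print(decide(POLICY, {"role": "quality_engineer", "action": "read", "overdue_balance": 12.5}))
```

Putting deny rules ahead of allow rules and defaulting to deny is a design choice, not something the page
prescribes; it keeps a forgotten or mis-ordered allow rule from overriding a business restriction such as the
overdue-balance block.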

References used for this question:

http://csrc.nist.gov/publications/nistir/7316/NISTIR-7316.pdf

And

AIO v3 p162-167 and OIG (2007) p.186-191

Also

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 33

QUESTION 49
What is called the act of a user professing an identity to a system, usually in the form of a log-on ID?

A. Authentication
B. Identification
C. Authorization
D. Confidentiality

Correct Answer: B
Explanation

Explanation/Reference:
Identification is the act of a user professing an identity to a system, usually in the form of a log-on ID to the
system.

Identification is nothing more than claiming you are somebody. You identify yourself when you speak to
someone on the phone that you don't know, and they ask you who they're speaking to. When you say, "I'm
Jason.", you've just identified yourself.

In the information security world, this is analogous to entering a username. It's not analogous to entering a
password. Entering a password is a method for verifying that you are who you identified yourself as.

NOTE: The word "professing" used above means: "to say that you are, do, or feel something when other
people doubt what you say". This is exactly what happens when you provide your identifier (identification):
you claim to be someone, but the system cannot take your word for it; you must further authenticate to the
system to prove who you claim to be.

The following are incorrect answers:

Authentication: is how one proves that they are who they say they are. When you claim to be Jane Smith
by logging into a computer system as "jsmith", it's most likely going to ask you for a password. You've
claimed to be that person by entering the name into the username field (that's the identification part), but
now you have to prove that you are really that person.

Many systems use a password for this, which is based on "something you know", i.e. a secret between you
and the system.

Another form of authentication is presenting something you have, such as a driver's license, an RSA token,
or a smart card.

You can also authenticate via something you are. This is the foundation for biometrics. When you do this,
you first identify yourself and then submit a thumb print, a retina scan, or another form of bio-based
authentication.

Once you've successfully authenticated, you have now done two things: you've claimed to be someone,
and you've proven that you are that person. The only thing that's left is for the system to determine what
you're allowed to do.

Authorization: is what takes place after a person has been both identified and authenticated; it's the step
that determines what a person can then do on the system.

An example in people terms would be someone knocking on your door at night. You say, "Who is it?", and
wait for a response. They say, "It's John." in order to identify themselves. You ask them to back up into the
light so you can see them through the peephole. They do so, and you authenticate them based on what
they look like (biometric). At that point you decide they can come inside the house.

If they had said they were someone you didn't want in your house (identification), and you then verified that
it was that person (authentication), the authorization phase would not include access to the inside of the
house.

Confidentiality: Is one part of the CIA triad. It prevents sensitive information from reaching the wrong
people, while making sure that the right people can in fact get it. A good example is a credit card number
used while shopping online: the merchant needs it to clear the transaction, but you do not want your
information exposed over the network, so you would use a secure link such as SSL, TLS, or some
tunneling tool to protect the information from prying eyes between point A and point B. Data encryption is a
common method of ensuring confidentiality.

The other parts of the CIA triad are listed below:

Integrity involves maintaining the consistency, accuracy, and trustworthiness of data over its entire life
cycle. Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered
by unauthorized people (for example, in a breach of confidentiality). In addition, some means must be in
place to detect any changes in data that might occur as a result of non-human-caused events such as an
electromagnetic pulse (EMP) or server crash. If an unexpected change occurs, a backup copy must be
available to restore the affected data to its correct state.

Availability is best ensured by rigorously maintaining all hardware, performing hardware repairs
immediately when needed, providing a certain measure of redundancy and failover, providing adequate
communications bandwidth and preventing the occurrence of bottlenecks, implementing emergency
backup power systems, keeping current with all necessary system upgrades, and guarding against
malicious actions such as denial-of-service (DoS) attacks.

Reference used for this question:

http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA
http://www.danielmiessler.com/blog/security-identification-authentication-and-authorization
http://www.merriam-webster.com/dictionary/profess

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 36
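
The identification, authentication and authorization sequence from the explanation above, as an added Python
example (not from the page or from the referenced sources). `identify` only records the claimed log-on ID,
`authenticate` checks it against a salted PBKDF2 password hash ("something you know"), and `authorize`
is consulted only once both earlier steps have succeeded. The user store, the passwords, the permission
names and the 100,000-iteration parameter are constructed assumptions for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000          # PBKDF2 work factor (assumption for this example)
_DUMMY_SALT = os.urandom(16)  # used so unknown users cost the same time as known ones


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user(password, permissions):
    """Store a per-user salt and the derived hash, never the password itself."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _derive(password, salt), "permissions": frozenset(permissions)}


# Constructed user store (not from the page).
USERS = {
    "jsmith": make_user("correct horse battery staple", {"read_reports"}),
    "admin": make_user("another constructed secret", {"read_reports", "manage_users"}),
}


def identify(claimed_username):
    """Identification: normalise and record the claim. Nothing is verified here."""
    return claimed_username.strip().lower()


def authenticate(store, username, password):
    """Authentication: verify the claim with 'something you know'."""
    record = store.get(username)
    if record is None:
        # Do the same amount of work for an unknown user so response time does
        # not reveal which log-on IDs exist.
        _derive(password, _DUMMY_SALT)
        return False
    return hmac.compare_digest(_derive(password, record["salt"]), record["hash"])


def authorize(store, username, action):
    """Authorization: decided only for a user who has already been authenticated."""
    return action in store[username]["permissions"]


def login_and_act(store, claimed_username, password, action):
    """Run the three steps in order and report where the request stopped."""
    username = identify(claimed_username)
    if not authenticate(store, username, password):
        # One message for both "no such user" and "wrong password".
        return "authentication failed"
    if not authorize(store, username, action):
        return "not authorized"
    return "ok"


if __name__ == "__main__":
    print(login_and_act(USERS, "jsmith", "correct horse battery staple", "read_reports"))
    print(login_and_act(USERS, "jsmith", "correct horse battery staple", "manage_users"))
    print(login_and_act(USERS, "nobody", "anything", "read_reports"))
```

The single failure message and the dummy derivation for unknown users are deliberate: the identification step
tells the system who you claim to be, and the system should not confirm or deny that claim until the
authentication step has been completed.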

QUESTION 50
Which one of the following factors is NOT one on which Authentication is based?

A. Type 1 Something you know, such as a PIN or password
B. Type 2 Something you have, such as an ATM card or smart card
C. Type 3 Something you are (based upon one or more intrinsic physical or behavioral traits), such as a
fingerprint or retina scan
D. Type 4 Something you are, such as a system administrator or security administrator

Correct Answer: D
Explanation

Explanation/Reference:
Authentication is based on the following three factor types:
Type 1 Something you know, such as a PIN or password
Type 2 Something you have, such as an ATM card or smart card
Type 3 Something you are (unique physical characteristic), such as a fingerprint or retina scan
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 36

Also: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 4:
Access Control (pages 132-133).

QUESTION 53
What is called the verification that the user's claimed identity is valid and is usually implemented through a
user password at log-on time?

A. Authentication
B. Identification
C. Integrity
D. Confidentiality

Correct Answer: A
Explanation

Explanation/Reference:
Authentication is verification that the user's claimed identity is valid and is usually implemented through a
user password at log-on time.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 36

QUESTION 54
Which one of the following factors is NOT one on which Authentication is based?

A. Type 1 Something you know, such as a PIN or password
B. Type 2 Something you have, such as an ATM card or smart card
C. Type 3 Something you are (based upon one or more intrinsic physical or behavioral traits), such as a
fingerprint or retina scan
D. Type 4 Something you are, such as a system administrator or security administrator

Correct Answer: D
Explanation

Explanation/Reference:
Authentication is based on the following three factor types:
Type 1. Something you know, such as a PIN or password
Type 2. Something you have, such as an ATM card or smart card
Type 3. Something you are (unique physical characteristic), such as a fingerprint or retina scan

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 36. Also: HARRIS, Shon, All-In-One CISSP
Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 4: Access Control (pages 132-133).

QUESTION 55
The act of requiring two of the three factors to be used in the authentication process refers to:

A. Two-Factor Authentication
B. One-Factor Authentication
C. Bi-Factor Authentication
D. Double Authentication

Correct Answer: A
Explanation

Explanation/Reference:
Two-Factor Authentication refers to the act of requiring two of the three factors to be used in the
authentication process.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 36

QUESTION 56
Which type of password provides maximum security because a new password is required for each new
log-on?

A. One-time or dynamic password
B. Cognitive password
C. Static password
D. Passphrase

Correct Answer: A
Explanation

Explanation/Reference:
"One-time password" provides maximum security because a new password is required for each new log-
on.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 36

QUESTION 57
What is called a password that is the same for each log-on session?

A. "one-time password"
B. "two-time password"
C. static password
D. dynamic password

Correct Answer: C
Explanation

Explanation/Reference:
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 36

QUESTION 58
What is called a sequence of characters that is usually longer than the allotted number for a password?

A. passphrase
B. cognitive phrase
C. anticipated phrase
D. Real phrase

Correct Answer: A
Explanation

Explanation/Reference:
A passphrase is a sequence of characters that is usually longer than the allotted number for a password.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, page 37

QUESTION 59
Which best describes a tool (i.e. keyfob, calculator, memory card or smart card) used to supply dynamic
passwords?

A. Tickets
B. Tokens
C. Token passing networks
D. Coupons

Correct Answer: B
Explanation

Explanation/Reference:
Tokens; Tokens in the form of credit card-size memory cards or smart cards, or those resembling small
calculators, are used to supply static and dynamic passwords.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 37

QUESTION 60
Which of the following would be true about Static password tokens?

A. The owner identity is authenticated by the token
B. The owner will never be authenticated by the token.
C. The owner will authenticate himself to the system.
D. The token does not authenticate the token owner but the system.

Correct Answer: A
Explanation

Explanation/Reference:
Tokens are electronic devices or cards that supply a user's password for them. A token system can be
used to supply either a static or a dynamic password. There is a big difference between the static and
dynamic systems: a static system will normally log a user in, but with a dynamic system the user will often
have to log themselves in.

Static Password Tokens:

The owner identity is authenticated by the token. This is done by the person who issues the token to the
owner (normally the employer). The owner of the token is now authenticated by "something you have". The
token authenticates the identity of the owner to the information system. An example of this occurring is
when an employee swipes his or her smart card over an electronic lock to gain access to a store room.

Synchronous Dynamic Password Tokens:

This system is a lot more complex than the static password token. Synchronous dynamic password
tokens generate new passwords at certain time intervals that are synchronized with the main system. The
password is generated on a small device similar to a pager or a calculator that can often be attached to the
user's key ring. Each password is only valid for a certain time period; typing in a password outside its
time period will invalidate the authentication. The time factor can also be the system's downfall. If the
clock on the system or on the password token device becomes out of sync, a user can have trouble
authenticating themselves to the system.

Asynchronous Dynamic Password Tokens:

The clock synchronization problem is eliminated with asynchronous dynamic password tokens. This system
works on the same principle as the synchronous one but it does not have a time frame. A lot of big
companies use this system, especially for employees who may work from home on the company's VPN
(Virtual Private Network).

Challenge Response Tokens:

This is an interesting system. A user will be sent special "challenge" strings at either random or timed
intervals. The user inputs this challenge string into their token device and the device will respond by
generating a challenge response. The user then types this response into the system and if it is correct they
are authenticated.

Reference(s) used for this question:

http://www.informit.com/guides/content.aspx?g=security&seqNum=146

and

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 37

QUESTION 61
In Synchronous dynamic password tokens:

A. The token generates a new password value at fixed time intervals (this password could be based on
the time of day encrypted with a secret key).
B. The token generates a new non-unique password value at fixed time intervals (this password could be
based on the time of day encrypted with a secret key).
C. The unique password is not entered into a system or workstation along with an owner's PIN.
D. The authentication entity in a system or workstation knows an owner's secret key and PIN, and the
entity verifies that the entered password is invalid and that it was entered during the invalid time
window.

Correct Answer: B
Explanation

Explanation/Reference:
Synchronous dynamic password tokens:
The token generates a new password value at fixed time intervals (this password could be the time of day
encrypted with a secret key).
The unique password is entered into a system or workstation along with an owner's PIN. The
authentication entity in a system or workstation knows an owner's secret key and PIN, and the entity
verifies that the entered password is valid and that it was entered during the valid time window.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 37
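
The synchronous and asynchronous token behaviour described in Questions 60 and 61 above, as an added Python
example that is not from the Prep Guide or from any vendor's token: the token side derives a password from the
current time window with an HMAC (the "time of day encrypted with a secret key" idea, using RFC 4226-style
truncation), the server side accepts it together with the owner's PIN only inside a configurable clock-skew
tolerance, and a challenge-response function shows the asynchronous variant that has no clock dependency. The
user record, secret, PIN, time step and clock values are constructed for the example.

```python
import hashlib
import hmac
import struct

TIME_STEP = 60  # seconds per password window (the "fixed time interval")

# Constructed user record known to both the token issuer and the authentication server.
# Assumption for the example: one secret per token, provisioned when the token is issued.
USERS = {
    "alice": {"secret": b"constructed-token-secret-alice", "pin": "4831"},
}


def _hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-time value from an HMAC over a counter (RFC 4226-style dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def token_display(secret: bytes, token_clock: float) -> str:
    """Token side: the synchronous token shows the value for its own current window."""
    return _hotp(secret, int(token_clock // TIME_STEP))


def verify_synchronous(secret: bytes, entered: str, server_clock: float,
                       skew_windows: int = 1) -> bool:
    """Server side: accept only if the value matches the current window or one within
    +/- skew_windows of it (the administrator's clock tolerance). A correct value typed
    outside that range is rejected, which is the out-of-sync failure the page describes."""
    current = int(server_clock // TIME_STEP)
    return any(hmac.compare_digest(_hotp(secret, w), entered)
               for w in range(current - skew_windows, current + skew_windows + 1))


def authenticate(user: str, pin: str, otp: str, server_clock: float) -> bool:
    """The 'password entered along with the owner's PIN' check: both must be right."""
    record = USERS.get(user)
    if record is None:
        return False
    pin_ok = hmac.compare_digest(record["pin"], pin)
    otp_ok = verify_synchronous(record["secret"], otp, server_clock)
    return pin_ok and otp_ok


def challenge_response(secret: bytes, challenge: bytes) -> str:
    """Asynchronous token: the response depends on the server's challenge, not on a clock."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()[:8]


def verify_challenge_response(secret: bytes, challenge: bytes, response: str) -> bool:
    return hmac.compare_digest(challenge_response(secret, challenge), response)


if __name__ == "__main__":
    secret = USERS["alice"]["secret"]
    t0 = 1_000_000.0                      # constructed epoch time for the demo
    shown = token_display(secret, t0)
    print("token in sync:      ", authenticate("alice", "4831", shown, t0))
    print("server 1 min ahead: ", authenticate("alice", "4831", shown, t0 + 60))   # inside tolerance
    print("server 3 min ahead: ", authenticate("alice", "4831", shown, t0 + 180))  # out of sync
    ch = b"constructed-challenge-7f3a"
    print("challenge-response: ", verify_challenge_response(secret, ch, challenge_response(secret, ch)))
```

The skew window is the only knob that trades convenience against exposure: every extra window the server accepts
is one more value an observer could reuse, so keep it as small as the fleet's clocks allow and alert on repeated
out-of-window failures, which usually mean a drifted token rather than an attack.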

QUESTION 62
In biometrics, "one-to-many" search against database of stored biometric images is done in:

A. Authentication
B. Identification
C. Identities
D. Identity-based access control

Correct Answer: B
Explanation

Explanation/Reference:
In biometrics, identification is a "one-to-many" search of an individual's characteristics from a database of
stored images.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 38

QUESTION 63
Which of the following is true of biometrics?

A. It is used for identification in physical controls and it is not used in logical controls.
B. It is used for authentication in physical controls and for identification in logical controls.
C. It is used for identification in physical controls and for authentication in logical controls.
D. Biometrics has not role in logical controls.

Correct Answer: C
Explanation

Explanation/Reference:
When used in physical controls, biometric identification is performed by doing a one-to-many match. When
you submit your biometric template, a search is done through a database of templates until the matching
one is found. At that point your identity is revealed and, if you are a valid employee, access is granted.

When used in logical controls, the biometric template is used to either confirm or deny someone's identity.
For example, if I access a system and I claim to be user Nathalie, then I would provide my biometric
template to confirm that I really am who I claim to be. Biometrics is one of the three authentication factors
(something you are) that can be used. The other two are something you know and something you have.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 38

QUESTION 64
What is called the percentage of valid subjects that are falsely rejected by a Biometric Authentication
system?

A. False Rejection Rate (FRR) or Type I Error
B. False Acceptance Rate (FAR) or Type II Error
C. Crossover Error Rate (CER)
D. True Rejection Rate (TRR) or Type III Error

Correct Answer: A
Explanation

Explanation/Reference:
The percentage of valid subjects that are falsely rejected is called the False Rejection Rate (FRR) or Type
I Error.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 38

QUESTION 65
What is called the percentage of invalid subjects that are falsely accepted by a Biometric authentication
system?

A. False Rejection Rate (FRR) or Type I Error
B. False Acceptance Rate (FAR) or Type II Error
C. Crossover Error Rate (CER)
D. True Acceptance Rate (TAR) or Type III Error

Correct Answer: B
Explanation

Explanation/Reference:
The percentage of invalid subjects that are falsely accepted is called the False Acceptance Rate (FAR) or
Type II Error.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 38 And: HARRIS, Shon, All-In-One CISSP
Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 4: Access Control (pages 127-128).

QUESTION 66
What is called the percentage at which the False Rejection Rate equals the False Acceptance Rate?

A. False Rejection Rate (FRR) or Type I Error
B. False Acceptance Rate (FAR) or Type II Error
C. Crossover Error Rate (CER)
D. Failure to enroll rate (FTE or FER)

Correct Answer: C
Explanation

Explanation/Reference:
The percentage at which the False Rejection Rate equals the False Acceptance Rate is called the
Crossover Error Rate (CER). Another name for the CER is the Equal Error Rate (EER), any of the two
terms could be used.

Equal error rate or crossover error rate (EER or CER)

It is the rate at which both accept and reject errors are equal. The EER is a quick way to compare the
accuracy of devices with different ROC curves. In general, the device with the lowest EER is most
accurate.

The other choices were all wrong answers:

The following are used as performance metrics for biometric systems:


False accept rate or false match rate (FAR or FMR): the probability that the system incorrectly matches the
input pattern to a non-matching template in the database. It measures the percent of invalid inputs which
are incorrectly accepted. This is when an impostor would be accepted by the system.

False reject rate or false non-match rate (FRR or FNMR): the probability that the system fails to detect a
match between the input pattern and a matching template in the database. It measures the percent of valid
inputs which are incorrectly rejected. This is when a valid company employee would be rejected by the
system.

Failure to enroll rate (FTE or FER): the rate at which attempts to create a template from an input are
unsuccessful. This is most commonly caused by low-quality inputs.

Reference(s) used for this question:

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 38
And
https://en.wikipedia.org/wiki/Biometrics
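
The FAR, FRR, CER and FTE metrics of Questions 64 to 66, as an added Python example that is not from the Prep
Guide or from any biometric product: it sweeps the acceptance threshold over constructed matcher scores for
genuine and impostor attempts, returns both error rates per threshold (the data behind a ROC curve) and locates
the crossover point. The score lists and the quality values are constructed, not measured on a real device.

```python
from typing import List, Tuple

# Constructed matcher similarity scores on a 0..100 scale (higher = closer match).
# Genuine attempts: a valid subject compared with his or her own stored template.
GENUINE_SCORES: List[int] = [88, 92, 75, 81, 95, 67, 90, 84, 79, 93]
# Impostor attempts: an invalid subject compared with someone else's template.
IMPOSTOR_SCORES: List[int] = [40, 55, 62, 30, 71, 48, 58, 66, 35, 52]


def far_frr(genuine: List[int], impostor: List[int], threshold: int) -> Tuple[float, float]:
    """Decision rule: accept when score >= threshold.
    FAR (Type II error): impostors wrongly accepted / impostor attempts.
    FRR (Type I error):  valid subjects wrongly rejected / genuine attempts."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def error_curve(genuine: List[int], impostor: List[int], lo: int = 0, hi: int = 100):
    """(threshold, FAR, FRR) for every threshold: raising the threshold lowers FAR and raises FRR."""
    return [(t, *far_frr(genuine, impostor, t)) for t in range(lo, hi + 1)]


def crossover_error_rate(genuine: List[int], impostor: List[int]) -> Tuple[int, float]:
    """CER/EER: the threshold where FAR and FRR are (closest to) equal, and the rate there.
    With discrete scores the curves may not meet exactly, so the smallest gap is taken."""
    t, far, frr = min(error_curve(genuine, impostor), key=lambda row: abs(row[1] - row[2]))
    return t, (far + frr) / 2


def failure_to_enroll_rate(sample_qualities: List[int], min_quality: int) -> float:
    """FTE/FER: enrolment attempts whose input is too poor to build a template / attempts."""
    failed = sum(1 for q in sample_qualities if q < min_quality)
    return failed / len(sample_qualities)


if __name__ == "__main__":
    for t in (50, 68, 80):
        far, frr = far_frr(GENUINE_SCORES, IMPOSTOR_SCORES, t)
        print(f"threshold {t:3d}: FAR={far:.1f} FRR={frr:.1f}")
    print("crossover:", crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("FTE:", failure_to_enroll_rate([90, 85, 20, 70, 15], min_quality=40))
```

The CER is the figure to compare between devices, but the threshold actually deployed is a policy choice: a
data-centre door is tuned to the left of the crossover (lower FAR, more false rejections for staff), a
convenience lock to the right of it.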

QUESTION 67
Considerations of privacy, invasiveness, and psychological and physical comfort when using the system
are important elements for which of the following?

A. Accountability of biometrics systems
B. Acceptability of biometrics systems
C. Availability of biometrics systems
D. Adaptability of biometrics systems

Correct Answer: B
Explanation

Explanation/Reference:
Acceptability refers to considerations of privacy, invasiveness, and psychological and physical comfort
when using the system.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 39

QUESTION 68
Which of the following offers advantages such as the ability to use stronger passwords, easier password
administration, one set of credential, and faster resource access?

A. Smart cards
B. Single Sign-On (SSO)
C. Symmetric Ciphers
D. Public Key Infrastructure (PKI)

Correct Answer: B
Explanation

Explanation/Reference:
The advantages of SSO include having the ability to use stronger passwords, easier administration as far
as changing or deleting the passwords, minimize the risks of orphan accounts, and requiring less time to
access resources. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 39

QUESTION 69
Which of the following describes the major disadvantage of many Single Sign-On (SSO) implementations?

A. Once an individual obtains access to the system through the initial log-on, they have access to all
resources within the environment that the account has access to.
B. The initial logon process is cumbersome to discourage potential intruders.
C. Once a user obtains access to the system through the initial log-on, they only need to logon to some
applications.
D. Once a user obtains access to the system through the initial log-on, he has to logout from all other
systems

Correct Answer: A
Explanation
Explanation/Reference:
Single Sign-On is a distributed Access Control methodology where an individual only has to authenticate
once and would then have access to all primary and secondary network domains. The individual would not be
required to re-authenticate when they needed additional resources. The security issue that this creates is
that if a fraudster is able to compromise those credentials, they too would have access to all the resources
that account has access to. All the other answers are incorrect as they are distractors.

QUESTION 70
Which of the following is implemented through scripts or smart agents that replay the user's multiple log-
ins against authentication servers to verify a user's identity and permit access to system services?

A. Single Sign-On
B. Dynamic Sign-On
C. Smart cards
D. Kerberos

Correct Answer: A
Explanation

Explanation/Reference:
SSO can be implemented by using scripts that replay the user's multiple log-ins against authentication
servers to verify a user's identity and to permit access to system services. Single Sign-On was the best
answer in this case because it would include Kerberos. When you have two good answers within the four
choices presented you must select the BEST one. The high-level choice is always the best: when one
choice would include the other one, that choice is the best as well.

Reference(s) used for this question:


KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 40

QUESTION 71
Which of the following is NOT true of the Kerberos protocol?

A. Only a single login is required per session.
B. The initial authentication steps are done using a public key algorithm.
C. The KDC is aware of all systems in the network and is trusted by all of them
D. It performs mutual authentication

Correct Answer: B
Explanation

Explanation/Reference:
Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/
server applications by using secret-key cryptography. It has the following characteristics:

It is secure: it never sends a password unless it is encrypted.

Only a single login is required per session. Credentials defined at login are then passed between
resources without the need for additional logins.

The concept depends on a trusted third party, a Key Distribution Center (KDC). The KDC is aware of
all systems in the network and is trusted by all of them.

It performs mutual authentication, where a client proves its identity to a server and a server proves its
identity to the client.

Kerberos introduces the concept of a Ticket-Granting Server/Service (TGS). A client that wishes to use a
service has to receive a ticket from the TGS; a ticket is a time-limited cryptographic message giving it
access to the server. Kerberos also requires an Authentication Server (AS) to verify clients. The two
servers combined make up a KDC.
Within the Windows environment, Active Directory performs the functions of the KDC. The following figure
shows the sequence of events required for a client to gain access to a service using Kerberos
authentication. Each step is shown with the Kerberos message associated with it, as defined in RFC 4120,
"The Kerberos Network Authentication Service (V5)".
Kerberos Authentication Step by Step

Step 1: The user logs on to the workstation and requests service on the host. The workstation sends a
message to the Authentication Server requesting a ticket granting ticket (TGT).

Step 2: The Authentication Server verifies the user's access rights in the user database and creates a
TGT and session key. The Authentication Server encrypts the results using a key derived from the user's
password and sends a message back to the user workstation.

The workstation prompts the user for a password and uses the password to decrypt the incoming
message. When decryption succeeds, the user will be able to use the TGT to request a service ticket.

Step 3: When the user wants access to a service, the workstation client application sends a request to
the Ticket Granting Service containing the client name, realm name and a timestamp. The user proves
his identity by sending an authenticator encrypted with the session key received in Step 2

Step 4: The TGS decrypts the ticket and authenticator, verifies the request, and creates a ticket for the
requested server. The ticket contains the client name and optionally the client IP address. It also
contains the realm name and ticket lifespan. The TGS returns the ticket to the user workstation. The
returned message contains two copies of a server session key: one encrypted with the client password,
and one encrypted by the service password.

Step 5: The client application now sends a service request to the server containing the ticket received
in Step 4 and an authenticator. The service authenticates the request by decrypting the session key.
The server verifies that the ticket and authenticator match, and then grants access to the service. This
step as described does not include the authorization performed by the Intel AMT device, as described
later.

Step 6: If mutual authentication is required, then the server will reply with a server authentication
message.

The Kerberos server knows "secrets" (encrypted passwords) for all clients and servers under its control, or
it is in contact with other secure servers that have this information. These "secrets" are used to encrypt all
of the messages shown in the figure above.

To prevent "replay attacks," Kerberos uses timestamps as part of its protocol definition. For timestamps to
work properly, the clocks of the client and the server need to be in synch as much as possible. In other
words, both computers need to be set to the same time and date. Since the clocks of two computers are
often out of synch, administrators can establish a policy to establish the maximum acceptable difference to
Kerberos between a client's clock and server's clock. If the difference between a client's clock and the
server's clock is less than the maximum time difference specified in this policy, any timestamp used in a
session between the two computers will be considered authentic. The maximum difference is usually set to
five minutes.

Note that if a client application wishes to use a service that is "Kerberized" (the service is configured to
perform Kerberos authentication), the client must also be Kerberized so that it expects to support the
necessary message responses.
For more information about Kerberos, see http://web.mit.edu/kerberos/www/.

References:
Introduction to Kerberos Authentication from Intel
and
http://www.zeroshell.net/eng/kerberos/Kerberos-definitions/#1353 and
http://www.ietf.org/rfc/rfc4120.txt

QUESTION 72
The authenticator within Kerberos provides a requested service to the client after validating which of the
following?
A. timestamp
B. client public key
C. client private key
D. server public key

Correct Answer: A
Explanation

Explanation/Reference:
The server also checks the authenticator and, if that timestamp is valid, it provides the requested service to
the client.

Even if the user principal is present in a ticket and only the application server can extract and possibly
manage such information (since the ticket is encrypted with the secret key of the service), this is not
enough to guarantee the authenticity of the client.

An impostor could capture (remember the hypothesis of an open and insecure network) the ticket when it
is sent by a legitimate client to the application server, and at an opportune time, send it to illegitimately
obtain the service.
On the other hand, including the IP addresses of the machine from where it is possible to use it is not very
useful: it is known that in an open and insecure network addresses are easily falsified. To solve the
problem, one has to exploit the fact that the client and server, at least during a session have the session
key in common that only they know (also the KDC knows it since it generated it, but it is trusted by
definition!!!).

Thus the following strategy is applied: along with the request containing the ticket, the client adds another
packet (the authenticator) where the user principal and a timestamp (the client's time at that moment) are
included, and encrypts it with the session key; the server which must offer the service, upon receiving this
request, unpacks the first ticket, extracts the session key and, if the user is actually who he/she says, the
server is able to decrypt the authenticator, extracting the timestamp.

If the latter differs from the server time by less than 2 minutes (but the tolerance can be configured) then
the authentication is successful. This underlines the criticality of synchronization between machines
belonging to the same realm.

The Replay Attack


A replay attack occurs when an intruder steals the packet and presents it to the service as if the intruder
were the user. The user's credentials are there -- everything needed to access a resource. This is
mitigated by the features of the "Authenticator," which is illustrated in the picture below.

The Authenticator is created for the AS_REQ or the TGS_REQ and sends additional data, such as an
encrypted IP list, the client's timestamp and the ticket lifetime. If a packet is replayed, the timestamp is
checked. If the timestamp is earlier or the same as a previous authenticator, the packet is rejected
because it's a replay. In addition, the time stamp in the Authenticator is compared to the server time. It
must be within five minutes (by default in Windows).
Kerberos Authenticator to prevent replay attacks

The Authenticator mitigates the possibility of a replay attack.

If the time skew is greater than five minutes the packet is rejected. This limits the number of possible
replay attacks. While it is technically possible to steal the packet and present it to the server before the
valid packet gets there, it is very difficult to do.

It's fairly well known that all computers in a Windows domain must have system times within five minutes of
each other. This is due to the Kerberos requirement.

Reference(s) used for this question:


Redmond Magazine
and
http://kerberos.org/software/tutorial.html
and
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 42
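
The server-side authenticator check described in this question (and in Steps 5 and 6 of the Kerberos sequence
under Question 71), as an added Python example that is not the page's code and not MIT Kerberos or Windows
code: the application server confirms that the authenticator was produced with the session key, that the
principal inside it matches the ticket, that the client timestamp lies within the five-minute skew tolerance,
and that the timestamp is newer than the last one accepted from that client, so a captured packet presented
again is refused. Because the example runs on the standard library only, an HMAC tag stands in for the
encryption Kerberos applies to the authenticator; the session key, principal names and clock values are
constructed.

```python
import hashlib
import hmac
import json
from typing import Dict, Tuple

MAX_SKEW_SECONDS = 300   # five-minute tolerance, the Windows default quoted above


def seal(session_key: bytes, body: Dict) -> Dict:
    """Stand-in for Kerberos's encryption of the authenticator under the session key.
    Assumption for this example: an HMAC tag proves the sender held the session key;
    real Kerberos encrypts the whole authenticator (RFC 4120 EncryptedData)."""
    payload = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "tag": hmac.new(session_key, payload, hashlib.sha256).hexdigest()}


def make_authenticator(session_key: bytes, client_principal: str, client_clock: int) -> Dict:
    """Client side (Step 5): principal plus the client's own timestamp, bound to the session key."""
    return seal(session_key, {"cname": client_principal, "ctime": client_clock})


class KerberizedService:
    """Application server side: the checks from Question 72 applied to every incoming request."""

    def __init__(self, session_key: bytes, principal_in_ticket: str):
        # In real Kerberos both values are recovered by decrypting the service ticket.
        self.session_key = session_key
        self.principal_in_ticket = principal_in_ticket
        self.last_ctime: Dict[str, int] = {}      # newest accepted timestamp per client

    def validate(self, authenticator: Dict, server_clock: int) -> Tuple[bool, str]:
        expected_tag = seal(self.session_key, authenticator["body"])["tag"]
        if not hmac.compare_digest(expected_tag, authenticator["tag"]):
            return False, "authenticator was not produced with the session key"
        body = authenticator["body"]
        if body["cname"] != self.principal_in_ticket:
            return False, "principal in authenticator differs from the ticket"
        if abs(server_clock - body["ctime"]) > MAX_SKEW_SECONDS:
            return False, "timestamp outside the clock-skew tolerance"
        # Replay rule from the page: a timestamp earlier than or equal to the previous
        # authenticator from this client means the packet has been seen before.
        if body["ctime"] <= self.last_ctime.get(body["cname"], float("-inf")):
            return False, "replayed authenticator (timestamp not newer than last accepted)"
        self.last_ctime[body["cname"]] = body["ctime"]
        return True, "access granted"


if __name__ == "__main__":
    key = b"constructed-session-key"
    svc = KerberizedService(key, "alice@EXAMPLE.COM")
    first = make_authenticator(key, "alice@EXAMPLE.COM", 1_000_000)
    print("fresh request:   ", svc.validate(first, 1_000_005))
    print("same packet again:", svc.validate(first, 1_000_020))
    late = make_authenticator(key, "alice@EXAMPLE.COM", 1_000_700)
    print("clock 10 min off: ", svc.validate(late, 1_000_100))
```

The skew bound is what keeps the replay state small: anything older than five minutes is rejected by the clock
check alone, so a real server only has to remember authenticators from inside that window. The same bound is
why the clock synchronisation of every host in the realm is a security requirement, not just an operational
nicety.
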
QUESTION 73
Which of the following is addressed by Kerberos?

A. Confidentiality and Integrity
B. Authentication and Availability
C. Validation and Integrity
D. Auditability and Integrity

Correct Answer: A
Explanation

Explanation/Reference:
Kerberos addresses the confidentiality and integrity of information. It also addresses primarily
authentication but does not directly address availability.

Reference(s) used for this question:


KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 42
and
https://www.ietf.org/rfc/rfc4120.txt
and
http://learn-networking.com/network-security/how-kerberos-authentication-works

QUESTION 74
Kerberos is vulnerable to replay in which of the following circumstances?

A. When a private key is compromised within an allotted time window.
B. When a public key is compromised within an allotted time window.
C. When a ticket is compromised within an allotted time window.
D. When the KDC is compromised within an allotted time window.

Correct Answer: C
Explanation

Explanation/Reference:
Replay can be accomplished on Kerberos if the compromised tickets are used within an allotted time
window.
The security depends on careful implementation: enforcing limited lifetimes for authentication credentials
minimizes the threat of replayed credentials, the KDC must be physically secured, and it should be
hardened, not permitting any non-Kerberos activities.

Reference:
Official ISC2 Guide to the CISSP, 2007 Edition, page 184 also see:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 42

QUESTION 75
Like the Kerberos protocol, SESAME is also subject to which of the following?

A. timeslot replay
B. password guessing
C. symmetric key guessing
D. asymmetric key guessing

Correct Answer: B
Explanation

Explanation/Reference:
SESAME is an authentication and access control protocol that also supports communication confidentiality
and integrity. It provides public key based authentication along with the Kerberos-style authentication that
uses symmetric key cryptography. SESAME supports the Kerberos protocol and adds some security
extensions like public key based authentication and an ECMA-style Privilege Attribute Service.

The users under SESAME can authenticate using either symmetric encryption as in Kerberos or public
key authentication. When using symmetric key authentication as in Kerberos, SESAME is also vulnerable
to password guessing just like Kerberos would be. The symmetric key being used is based on the
password used by the user when he logged on to the system. If the user has a simple password it could be
guessed or compromised. Even though Kerberos or SESAME may be used, there is still a need to have strong
password discipline.

The basic mechanism in SESAME for strong authentication is as follows:

The user sends a request for authentication to the Authentication Server as in Kerberos, except that
SESAME makes use of public key cryptography for authentication, where the client will present his
digital certificate and the request will be signed using a digital signature. The signature is communicated to
the authentication server through the preauthentication fields. Upon receipt of this request, the
authentication server verifies the certificate, then validates the signature, and if all is fine the AS will
issue a ticket granting ticket (TGT) as in Kerberos. This TGT will be used to communicate with the privilege
attribute server (PAS) when access to a resource is needed.

Users may authenticate using either a public key pair or a conventional (symmetric) key. If public key
cryptography is used, public key data is transported in preauthentication data fields to help establish
identity.
Kerberos uses tickets for authenticating subjects to objects and SESAME uses Privileged Attribute
Certificates (PAC), which contain the subject's identity, access capabilities for the object, access time
period, and lifetime of the PAC. The PAC is digitally signed so that the object can validate that it came from
the trusted authentication server, which is referred to as the privilege attribute server (PAS). The PAS
holds a similar role as the KDC within Kerberos. After a user successfully authenticates to the
authentication service (AS), he is presented with a token to give to the PAS. The PAS then creates a PAC
for the user to present to the resource he is trying to access.

Reference(s) used for this question:


http://srg.cs.uiuc.edu/Security/nephilim/Internal/SESAME.txt and
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 43

QUESTION 76
RADIUS incorporates which of the following services?

A. Authentication server and PIN codes.
B. Authentication of clients and static passwords generation.
C. Authentication of clients and dynamic passwords generation.
D. Authentication server as well as support for Static and Dynamic passwords.

Correct Answer: D
Explanation

Explanation/Reference:
According to RFC 2865:

A Network Access Server (NAS) operates as a client of RADIUS. The client is responsible for passing user
information to designated RADIUS servers, and then acting on the response which is returned.

RADIUS servers are responsible for receiving user connection requests, authenticating the user, and then
returning all configuration information necessary for the client to deliver service to the user.

RADIUS authentication is based on the provision of simple username/password credentials. These
credentials are encrypted by the client using a shared secret between the client and the RADIUS server
(more precisely, the User-Password attribute is XORed with an MD5 keystream derived from the shared
secret and the per-request Request Authenticator; it is not protected by a modern cipher).
OIG 2007, Page

RADIUS incorporates an authentication server and can make use of both dynamic and static passwords.
Since it carries the PAP and CHAP protocols, it also includes static passwords.

RADIUS is an Internet protocol. RADIUS carries authentication, authorization, and configuration
information between a Network Access Server and a shared Authentication Server. RADIUS features and
functions are described primarily in the IETF (Internet Engineering Task Force) document RFC 2138,
since superseded by RFC 2865.

The term "RADIUS" is an acronym which stands for Remote Authentication Dial In User Service.

The main advantage to using a RADIUS approach to authentication is that it can provide a stronger form of
authentication. RADIUS is capable of using a strong, two-factor form of authentication, in which users need
to possess both a user ID and a hardware or software token to gain access.

Token-based schemes use dynamic passwords. Every minute or so, the token generates a unique 4-, 6- or
8-digit access number that is synchronized with the security server. To gain entry into the system, the user
must generate both this one-time number and provide his or her user ID and password.

Although protocols such as RADIUS cannot protect against theft of an authenticated session via some
real-time attacks, such as wiretapping, using unique, unpredictable authentication requests can protect
against a wide range of active attacks.
RADIUS: Key Features and Benefits (Stratus Technology Product Brief)

Feature: RADIUS supports dynamic passwords and challenge/response passwords.
Benefit: Improved system security, because passwords are not static. It is much more difficult for a
bogus host to spoof users into giving up their passwords or password-generation algorithms.

Feature: RADIUS allows the user to have a single user ID and password for all computers in a network.
Benefit: Improved usability, because the user has to remember only one login combination.

Feature: RADIUS is able to prevent RADIUS users from logging in via login (or ftp); require them to log
in via login (or ftp); require them to log in to a specific network access server (NAS); and control
access by time of day.
Benefit: Very granular control over the types of logins allowed, on a per-user basis.

Feature: The time-out interval for failing over from an unresponsive primary RADIUS server to a backup
RADIUS server is site-configurable.
Benefit: Gives the system administrator more flexibility in managing which users can log in from which
hosts or devices.

Source: Stratus Technology Product Brief, http://www.stratus.com/products/vos/openvos/radius.htm

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Pages 43, 44

Also check: MILLER, Lawrence & GREGORY, Peter, CISSP for Dummies, 2002, Wiley Publishing, Inc.,
pages 45-46
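
The password hiding that RFC 2865 describes, as an added example that is not part of the CISSP guide or of the RFC text quoted above. It implements User-Password hiding (RFC 2865 section 5.2), a chained MD5 keystream keyed by the shared secret and the 16-byte Request Authenticator, and the Response Authenticator (RFC 2865 section 3) that lets the NAS verify the server's reply. The shared secret, password, identifier and the empty attribute list are constructed values. Two caveats the code makes visible: a fresh Request Authenticator per request is what keeps the keystream from repeating, and nothing here authenticates the Access-Request itself (that needs the Message-Authenticator attribute of RFC 2869). Together with MD5 over a guessable shared secret, this is why RADIUS is normally carried inside IPsec or RadSec (RADIUS over TLS, RFC 6614).

```python
"""Added example (not part of the CISSP guide or RFC text above): RADIUS
User-Password hiding (RFC 2865 section 5.2) and the Response Authenticator
(RFC 2865 section 3) that lets the NAS check the server's reply. The shared
secret, password, identifier and empty attribute list are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous block); the first block is keyed with the
    16-byte Request Authenticator instead of a previous block."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block            # chaining: next keystream depends on this block
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side inverse; the null padding is stripped afterwards."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): proves the
    reply came from a holder of the shared secret and binds it to the request."""
    length = 20 + len(attrs)             # 20-byte header plus attributes
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def server_handle(hidden_pw, secret, request_auth, ident, stored_pw, attrs=b""):
    """RADIUS server: recover the password, compare, sign the reply."""
    recovered = unhide_password(hidden_pw, secret, request_auth)
    code = ACCESS_ACCEPT if recovered == stored_pw else ACCESS_REJECT
    return code, response_authenticator(code, ident, attrs, request_auth, secret)


def client_verify(code, ident, attrs, request_auth, secret, resp_auth) -> bool:
    """NAS: reject spoofed replies that do not carry a valid authenticator."""
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(expected, resp_auth)


def exchange(password: bytes, stored_pw: bytes, secret: bytes = b"s3cr3t-shared",
             ident: int = 7):
    """One Access-Request / reply round trip; returns (reply code, reply valid)."""
    request_auth = os.urandom(16)        # fresh per request: keystream never repeats
    hidden = hide_password(password, secret, request_auth)
    code, resp_auth = server_handle(hidden, secret, request_auth, ident, stored_pw)
    return code, client_verify(code, ident, b"", request_auth, secret, resp_auth)
```

Calling exchange(b"pw", b"pw") yields an Access-Accept whose authenticator the NAS accepts; a wrong password yields an Access-Reject that still verifies, because the authenticator proves origin, not outcome.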

QUESTION 77
Which of the following protects a password from eavesdroppers and supports the encryption of
communication?

A. Challenge Handshake Authentication Protocol (CHAP)
B. Challenge Handshake Identification Protocol (CHIP)
C. Challenge Handshake Encryption Protocol (CHEP)
D. Challenge Handshake Substitution Protocol (CHSP)

Correct Answer: A
Explanation

Explanation/Reference:
CHAP: A protocol that uses a three-way handshake. The server sends the client a challenge which
includes a random value (a nonce) to thwart replay attacks. The client responds with the MD5 hash of the
challenge identifier, the shared secret (password) and the nonce; the secret itself never crosses the link.

The authentication is successful if the client's response is the one that the server expected.

Reference: Page 450, OIG 2007

CHAP protects the password from eavesdroppers and supports the encryption of communication. Note that
CHAP by itself does not encrypt the traffic that follows authentication; a captured challenge/response pair
can be attacked offline with a dictionary, so the secret must be strong, and the server must hold the secret
in recoverable (plaintext) form in order to compute the expected response.

Reference: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 44
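
The handshake described above, as an added example that is not part of the CISSP guide: the RFC 1994 three-way exchange with an MD5 response, the replay protection the nonce provides, and the offline dictionary attack an eavesdropper can still run against a captured challenge/response pair. User names, secrets, identifiers and the word list are constructed for illustration.

```python
"""Added example (not from the CISSP guide): the CHAP handshake of RFC 1994
with an MD5 response, the replay protection the nonce gives, and the offline
dictionary attack an eavesdropper can still run on a captured pair.
User names, secrets, identifiers and the word list are constructed."""
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


class ChapServer:
    """Authenticator. CHAP needs the secret in recoverable form, so the store
    is plaintext, not a one-way hash as a password file would hold."""

    def __init__(self, secrets: dict):
        self.secrets = secrets
        self.outstanding = {}            # identifier -> challenge still unanswered

    def challenge(self, ident: int) -> bytes:
        nonce = os.urandom(16)           # unpredictable, so old responses are useless
        self.outstanding[ident] = nonce
        return nonce

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        nonce = self.outstanding.pop(ident, None)   # each challenge answers once
        if nonce is None or name not in self.secrets:
            return False
        expected = chap_response(ident, self.secrets[name], nonce)
        return hmac.compare_digest(expected, response)


def chap_client(ident: int, name: str, secret: bytes, challenge: bytes):
    """Peer: answer the challenge without ever sending the secret."""
    return name, chap_response(ident, secret, challenge)


def handshake(server: ChapServer, name: str, secret: bytes, ident: int):
    """The three messages: Challenge, Response, Success/Failure.
    Returns (authenticated, challenge, response) so the capture can be reused."""
    challenge = server.challenge(ident)
    sent_name, response = chap_client(ident, name, secret, challenge)
    return server.verify(ident, sent_name, response), challenge, response


def replay(server: ChapServer, ident: int, name: str, response: bytes) -> bool:
    """An eavesdropper resending a captured response: the nonce was consumed."""
    return server.verify(ident, name, response)


def offline_guess(ident: int, challenge: bytes, response: bytes, wordlist):
    """What the eavesdropper can do instead: try candidate secrets offline.
    No interaction with the server, so no lockout or rate limit applies."""
    for candidate in wordlist:
        if chap_response(ident, candidate, challenge) == response:
            return candidate
    return None
```

The replay() call fails because the server discards each challenge after one use, while offline_guess() succeeds against a weak secret with nothing more than the captured pair: the nonce stops replay, not guessing.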

QUESTION 78
Which of the following represents the columns of the table in a relational database?

A. attributes
B. relation
C. record retention
D. records or tuples

Correct Answer: A
Explanation

Explanation/Reference:
The rows of the table represent records or tuples and the columns of the table represent the attributes.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 45

QUESTION 79
A database view is the results of which of the following operations?

A. Join and Select.
B. Join, Insert, and Project.
C. Join, Project, and Create.
D. Join, Project, and Select.

Correct Answer: D
Explanation

Explanation/Reference:
Relational algebra is (1) the formal description of how a relational database operates and (2) the
mathematics which underpin SQL operations.
A number of operations can be performed in relational algebra to build relations and operate on the data.

Five operations are primitives (Select, Project, Union, Difference and Product) and the other operations
can be defined in terms of those five. A View is defined from the operations of Join, Project, and Select.

For the purpose of the exam you must remember the following terms from relational algebra and their SQL
equivalent:

Tuple = Row, Entry

Attribute = Column

Relation or Base relation = Table


See the extract below from the ISC2 book:
Each table, or relation, in the relational model consists of a set of attributes and a set of tuples (rows) or
entries in the table. Attributes correspond to a column in a table. Attributes are unordered left to right, and
thus are referenced by name and not by position. All data values in the relational model are atomic. Atomic
values mean that at every row/column position in every table there is always exactly one data value and
never a set of values. There are no links or pointers connecting tables; thus, the representation of
relationships is contained as data in another table.

A tuple of a table corresponds to a row in the table. Tuples are unordered top to bottom because a relation
is a mathematical set and not a list. Also, because tuples are based on tables that are mathematical sets,
there are no duplicate tuples in a table (sets in mathematics by definition do not include duplicate
elements).

The primary key is an attribute or set of attributes that uniquely identifies a specific instance of an entity.
Each table in a database must have a primary key that is unique to that table. It is a subset of the
candidate key.

Reference used for this question:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2
Press) (Kindle Locations 12262-12269). Auerbach Publications. Kindle Edition.
and
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 46
and
http://db.grussell.org/slides/rel%20algebra%201ppt

NOTE:
SQL offers three classes of operators: select, project, and join. The select operator (the WHERE clause
in SQL) serves to shrink the table vertically by eliminating unwanted rows (tuples). The project operator
(the column list after the SQL keyword SELECT) serves to shrink the table horizontally by removing
unwanted columns (attributes).

The join operator allows the dynamic linking of two tables that share a common column value. The join
operation is achieved by stating the selection criteria for two tables and equating them on their common
columns.

Commercial implementations of SQL have no separate PROJECT keyword; a projection is expressed by
naming the desired columns in the output. This is why the project operator is little known outside
relational algebra.
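
The relational algebra the explanation describes, as an added example that is not from the CISSP guide or its sources: the five primitives (select, project, union, difference, product) on tables held as Python sets, with join and intersection derived from them exactly as the text says they can be, and the page's view (Join, Project, Select) built on top. Table contents are constructed; the attribute names follow the personal_info and disciplinary_action tables used later on this page.

```python
"""Added example (not from the CISSP guide or its sources): the five
relational-algebra primitives from the explanation (select, project, union,
difference, product) on tables held as Python sets, with join and
intersection derived from them and the page's view (Join, Project, Select)
built on top. Table contents are constructed; attribute names follow the
personal_info / disciplinary_action tables used later on this page."""
from typing import Callable, Iterable


class Relation:
    """A relation is a set of tuples over named attributes: no duplicates and
    no order, exactly as the model described in the question demands."""

    def __init__(self, name: str, attrs: Iterable[str], rows: Iterable[tuple]):
        self.name = name
        self.attrs = tuple(attrs)
        self.rows = frozenset(tuple(r) for r in rows)   # set: duplicates collapse
        if any(len(r) != len(self.attrs) for r in self.rows):
            raise ValueError("every tuple must have one value per attribute")

    def _dicts(self):
        return (dict(zip(self.attrs, r)) for r in self.rows)

    # --- the five primitives ---------------------------------------------
    def select(self, pred: Callable[[dict], bool]) -> "Relation":
        """Keep the tuples satisfying pred (shrinks the table vertically)."""
        return Relation(self.name, self.attrs,
                        (tuple(d[a] for a in self.attrs) for d in self._dicts() if pred(d)))

    def project(self, *keep: str) -> "Relation":
        """Keep only the named attributes (shrinks horizontally)."""
        return Relation(self.name, keep, (tuple(d[a] for a in keep) for d in self._dicts()))

    def union(self, other: "Relation") -> "Relation":
        self._same_heading(other)
        return Relation(self.name, self.attrs, self.rows | other.rows)

    def difference(self, other: "Relation") -> "Relation":
        self._same_heading(other)
        return Relation(self.name, self.attrs, self.rows - other.rows)

    def product(self, other: "Relation") -> "Relation":
        """Cartesian product; attributes are qualified table.column as in SQL."""
        attrs = [f"{self.name}.{a}" for a in self.attrs] + [f"{other.name}.{a}" for a in other.attrs]
        return Relation(f"{self.name}_x_{other.name}", attrs,
                        (a + b for a in self.rows for b in other.rows))

    # --- operations defined in terms of the primitives -------------------
    def join(self, other: "Relation", on: str) -> "Relation":
        """Equi-join = product followed by a select on the common column."""
        left, right = f"{self.name}.{on}", f"{other.name}.{on}"
        return self.product(other).select(lambda t: t[left] == t[right])

    def intersect(self, other: "Relation") -> "Relation":
        """A and B = A - (A - B)."""
        return self.difference(self.difference(other))

    def _same_heading(self, other):
        if self.attrs != other.attrs:
            raise ValueError("union/difference need identical headings")


# Constructed sample data.
PERSONAL_INFO = Relation("personal_info", ("first_name", "last_name", "employee_id", "salary"), [
    ("bart", "simpson", 12345, 45000),
    ("lisa", "simpson", 12346, 38000),
    ("homer", "simpson", 12347, 52000),
])
DISCIPLINARY_ACTION = Relation("disciplinary_action", ("action_id", "employee_id", "comments"), [
    (1, 12345, "prank call"),
    (2, 12346, "late filing"),
    (3, 12347, "asleep at console"),
    (4, 12345, "skateboard in hall"),
])


def disciplinary_report(people: Relation, actions: Relation, min_salary: int) -> Relation:
    """The view as Join, Select, Project; the SQL equivalent is
    SELECT p.first_name, p.last_name, d.comments FROM p, d
     WHERE p.employee_id = d.employee_id AND p.salary > min_salary."""
    return (people.join(actions, on="employee_id")
                  .select(lambda t: t["personal_info.salary"] > min_salary)
                  .project("personal_info.first_name", "personal_info.last_name",
                           "disciplinary_action.comments"))
```

Projecting PERSONAL_INFO onto last_name alone yields a single tuple, which is the set semantics the (ISC)2 extract describes: duplicate tuples cannot exist in a relation.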

QUESTION 80
Which of the following is used to create and modify the structure of your tables and other objects in the
database?

A. SQL Data Definition Language (DDL)
B. SQL Data Manipulation Language (DML)
C. SQL Data Relational Language (DRL)
D. SQL Data Identification Language (DIL)

Correct Answer: A
Explanation

Explanation/Reference:
The SQL Data Definition Language (DDL) is used to create, modify, and delete views and relations
(tables).
Data Definition Language

The Data Definition Language (DDL) is used to create and destroy databases and database objects.
These commands will primarily be used by database administrators during the setup and removal phases
of a database project. Let's take a look at the structure and usage of four basic DDL commands:

CREATE
Installing a database management system (DBMS) on a computer allows you to create and manage many
independent databases. For example, you may want to maintain a database of customer contacts for your
sales department and a personnel database for your HR department.

The CREATE command can be used to establish each of these databases on your platform. For example,
the command:

CREATE DATABASE employees

creates an empty database named "employees" on your DBMS. After creating the database, your next
step is to create tables that will contain data. (If this doesn't make sense, you might want to read the article
Microsoft Access Fundamentals for an overview of tables and databases.) Another variant of the CREATE
command can be used for this purpose. The command:

CREATE TABLE personal_info (first_name char(20) not null, last_name char(20) not null, employee_id int
not null)

establishes a table titled "personal_info" in the current database. In our example, the table contains three
attributes: first_name, last_name and employee_id. Don't worry about the other information included in the
command -- we'll cover that in a future article.

USE
The USE command allows you to specify the database you wish to work with within your DBMS. For
example, if we're currently working in the sales database and want to issue some commands that will
affect the employees database, we would preface them with the following SQL command:

USE employees

It's important to always be conscious of the database you are working in before issuing SQL commands
that manipulate data.

ALTER
Once you've created a table within a database, you may wish to modify the definition of it. The ALTER
command allows you to make changes to the structure of a table without deleting and recreating it. Take a
look at the following command:

ALTER TABLE personal_info
ADD salary money null

This example adds a new attribute to the personal_info table -- an employee's salary. The "money"
argument specifies that an employee's salary will be stored using a dollars and cents format. Finally, the
"null" keyword tells the database that it's OK for this field to contain no value for any given employee.

DROP
The final command of the Data Definition Language, DROP, allows us to remove entire database objects
from our DBMS. For example, if we want to permanently remove the personal_info table that we created,
we'd use the following command:

DROP TABLE personal_info


Similarly, the command below would be used to remove the entire employees database:

DROP DATABASE employees

Use this command with care! Remember that the DROP command removes entire data structures from
your database. If you want to remove individual records, use the DELETE command of the Data
Manipulation Language.

That's the Data Definition Language in a nutshell.


Data Manipulation Language

The Data Manipulation Language (DML) is used to retrieve, insert and modify database information. These
commands will be used by all database users during the routine operation of the database. Let's take a
brief look at the basic DML commands:

INSERT
The INSERT command in SQL is used to add records to an existing table. Returning to the personal_info
example from the previous section, let's imagine that our HR department needs to add a new employee to
their database. They could use a command similar to the one shown below:

INSERT INTO personal_info
values('bart','simpson',12345,$45000)

Note that there are four values specified for the record. These correspond to the table attributes in the
order they were defined: first_name, last_name, employee_id, and salary.
SELECT
The SELECT command is the most commonly used command in SQL. It allows database users to retrieve
the specific information they desire from an operational database. Let's take a look at a few examples,
again using the personal_info table from our employees database.

The command shown below retrieves all of the information contained within the personal_info table. Note
that the asterisk is used as a wildcard in SQL. This literally means "Select everything from the
personal_info table."

SELECT *
FROM personal_info

Alternatively, users may want to limit the attributes that are retrieved from the database. For example, the
Human Resources department may require a list of the last names of all employees in the company. The
following SQL command would retrieve only that information:

SELECT last_name
FROM personal_info

Finally, the WHERE clause can be used to limit the records that are retrieved to those that meet specified
criteria. The CEO might be interested in reviewing the personnel records of all highly paid employees. The
following command retrieves all of the data contained within personal_info for records that have a salary
value greater than $50,000:

SELECT *
FROM personal_info
WHERE salary > $50000

UPDATE
The UPDATE command can be used to modify information contained within a table, either in bulk or
individually. Each year, our company gives all employees a 3% cost-of-living increase in their salary. The
following SQL command could be used to quickly apply this to all of the employees stored in the database:

UPDATE personal_info
SET salary = salary * 1.03

On the other hand, our new employee Bart Simpson has demonstrated performance above and beyond
the call of duty. Management wishes to recognize his stellar accomplishments with a $5,000 raise. The
WHERE clause could be used to single out Bart for this raise:
UPDATE personal_info
SET salary = salary + $5000
WHERE employee_id = 12345

DELETE

Finally, let's take a look at the DELETE command. You'll find that the syntax of this command is similar to
that of the other DML commands. Unfortunately, our latest corporate earnings report didn't quite meet
expectations and poor Bart has been laid off. The DELETE command with a WHERE clause can be used
to remove his record from the personal_info table:

DELETE FROM personal_info
WHERE employee_id = 12345

JOIN Statements
Now that you've learned the basics of SQL, it's time to move on to one of the most powerful concepts the
language has to offer: the JOIN statement. Quite simply, these statements allow you to combine data in
multiple tables to quickly and efficiently process large quantities of data. These statements are where the
true power of a database resides.

We'll first explore the use of a basic JOIN operation to combine data from two tables. In future installments,
we'll explore the use of outer and inner joins to achieve added power.

We'll continue with our example using the PERSONAL_INFO table, but first we'll need to add an additional
table to the mix. Let's assume we have a table called DISCIPLINARY_ACTION that was created with the
following statement:

CREATE TABLE disciplinary_action (action_id int not null, employee_id int not null, comments char(500))

This table contains the results of disciplinary actions on company employees. You'll notice that it doesn't
contain any information about the employee other than the employee number. It's then easy to imagine
many scenarios where we might want to combine information from the DISCIPLINARY_ACTION and
PERSONAL_INFO tables.

Assume we've been tasked with creating a report that lists the disciplinary actions taken against all
employees with a salary greater than $40,000. The use of a JOIN operation in this case is quite
straightforward. We can retrieve this information using the following command:

SELECT personal_info.first_name, personal_info.last_name, disciplinary_action.comments
FROM personal_info, disciplinary_action
WHERE personal_info.employee_id = disciplinary_action.employee_id AND personal_info.salary > 40000

As you can see, we simply specified the two tables that we wished to join in the FROM clause and then
included a statement in the WHERE clause to limit the results to records that had matching employee IDs
and met our criteria of a salary greater than $40,000.

Another term you must be familiar with as a security mechanism in Databases is: VIEW

What is a view?

In database theory, a view is a virtual or logical table composed of the result set of a query. Unlike ordinary
tables (base tables) in a relational database, a view is not part of the physical schema: it is a dynamic,
virtual table computed or collated from data in the database. Changing the data in a table alters the data
shown in the view.

Only the definition of a view is stored; its rows are computed from the base tables each time it is queried,
just as the result of an ordinary query is. (A materialized view, which does store its result set and must
be refreshed, is the exception.)

Views can provide advantages over tables:

They can subset the data contained in a table.
They can join and simplify multiple tables into a single virtual table.
Views can act as aggregated tables, where aggregated data (sum, average etc.) are calculated and
presented as part of the data.
Views can hide the complexity of data; for example a view could appear as Sales2000 or Sales2001,
transparently partitioning the actual underlying table.
Views take very little space to store; only the definition is stored, not a copy of all the data they present.
Depending on the SQL engine used, views can provide extra security by limiting the exposure of a table
or tables to the outside world.

Just like functions (in programming) provide abstraction, views can be used to create abstraction. Also, just
like functions, views can be nested, thus one view can aggregate data from other views. Without the use of
views it would be much harder to normalise databases above second normal form. Views can make it
easier to create lossless join decomposition.

Rows available through a view are not sorted. A view is a relational table, and the relational model states
that a table is a set of rows. Since sets are not sorted - per definition - the rows in a view are not ordered
either. Therefore, an ORDER BY clause in the view definition is meaningless and the SQL standard
(SQL:2003) does not allow this for the subselect in a CREATE VIEW statement.
The following reference(s) were used for this question:

The text above is from About.Com at: http://databases.about.com/

The definition of views above is from: http://en.wikipedia.org/wiki/View_%28database%29

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 47

http://www.tomjewett.com/dbdesign/dbdesign.php?page=ddldml.php
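
The DDL and DML walked through above, as an added example that is not from the CISSP guide or the About.com text: the two tables, the view, and the INSERT/UPDATE/DELETE commands run against SQLite through Python's standard sqlite3 module, with the view exercised as the security mechanism the explanation calls it. Data are constructed. SQLite has no money type, so salary is stored as INTEGER cents; SQLite has no GRANT either, so the view's access limit is shown by attempting to read a column the view omits. The 3% raise is written with a correct multiplier, and SQLite's optional foreign-key enforcement is switched on to show why DELETE order matters.

```python
"""Added example (not from the CISSP guide or the About.com text above): the
DDL and DML from the explanation run against SQLite through Python's
standard sqlite3 module, and the view used as a security boundary. Data are
constructed. SQLite has no 'money' type, so salary is stored as INTEGER
cents, and the 3% raise is written as a correct multiplier."""
import sqlite3

DDL = """
CREATE TABLE personal_info (
    first_name  TEXT    NOT NULL,
    last_name   TEXT    NOT NULL,
    employee_id INTEGER NOT NULL PRIMARY KEY,
    salary      INTEGER                  -- cents; NULL allowed, as in the ALTER example
);
CREATE TABLE disciplinary_action (
    action_id   INTEGER NOT NULL PRIMARY KEY,
    employee_id INTEGER NOT NULL REFERENCES personal_info(employee_id),
    comments    TEXT
);
-- The view stores only this definition; rows are computed at query time.
CREATE VIEW hr_report AS
    SELECT p.first_name, p.last_name, d.comments
      FROM personal_info p JOIN disciplinary_action d
        ON p.employee_id = d.employee_id
     WHERE p.salary > 4000000;
"""


def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")   # off by default in SQLite
    con.executescript(DDL)
    con.executemany("INSERT INTO personal_info VALUES (?, ?, ?, ?)", [
        ("bart", "simpson", 12345, 4500000),
        ("lisa", "simpson", 12346, 3800000),
    ])
    con.executemany("INSERT INTO disciplinary_action VALUES (?, ?, ?)", [
        (1, 12345, "prank call"),
        (2, 12346, "late filing"),
    ])
    con.commit()
    return con


def report(con) -> list:
    return con.execute("SELECT * FROM hr_report ORDER BY first_name").fetchall()


def view_hides_salary(con) -> bool:
    """A principal allowed only the view cannot reach columns it omits."""
    try:
        con.execute("SELECT salary FROM hr_report")
        return False
    except sqlite3.OperationalError:     # no such column: salary
        return True


def give_raise(con, employee_id: int, cents: int) -> list:
    """Changing the base table changes what the view shows (it is not a copy)."""
    con.execute("UPDATE personal_info SET salary = salary + ? WHERE employee_id = ?",
                (cents, employee_id))
    return report(con)


def cost_of_living(con, percent: int) -> int:
    """The bulk UPDATE from the text with the multiplier written correctly."""
    con.execute("UPDATE personal_info SET salary = salary * (100 + ?) / 100", (percent,))
    return con.execute("SELECT salary FROM personal_info WHERE employee_id = 12345").fetchone()[0]


def delete_parent_first(con, employee_id: int) -> bool:
    """With foreign keys enforced, removing a referenced row is refused."""
    try:
        con.execute("DELETE FROM personal_info WHERE employee_id = ?", (employee_id,))
        return True
    except sqlite3.IntegrityError:
        return False


def lay_off(con, employee_id: int) -> int:
    """DELETE (DML, rows) rather than DROP (DDL, the whole object): children
    first, parent second, in one transaction. Returns remaining headcount."""
    with con:
        con.execute("DELETE FROM disciplinary_action WHERE employee_id = ?", (employee_id,))
        con.execute("DELETE FROM personal_info WHERE employee_id = ?", (employee_id,))
    return con.execute("SELECT COUNT(*) FROM personal_info").fetchone()[0]
```

Every statement that takes user-supplied values uses a bound parameter (the ? placeholders) rather than string concatenation, which is the form the page's literal examples should take once the values come from outside the program.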

QUESTION 81
Which of the following is used to monitor network traffic or to monitor host audit logs in real time to
determine violations of system security policy that have taken place?

A. Intrusion Detection System
B. Compliance Validation System
C. Intrusion Management System (IMS)
D. Compliance Monitoring System

Correct Answer: A
Explanation

Explanation/Reference:
An Intrusion Detection System (IDS) is a system that is used to monitor network traffic or to monitor host
audit logs in order to determine if any violations of an organization's system security policy have taken
place.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 48

QUESTION 82
Which of the following monitors network traffic in real time?

A. network-based IDS
B. host-based IDS
C. application-based IDS
D. firewall-based IDS

Correct Answer: A
Explanation

Explanation/Reference:
This type of IDS is called a network-based IDS because it monitors network traffic in real time.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 48

QUESTION 83
A host-based IDS is resident on which of the following?

A. On each of the critical hosts
B. decentralized hosts
C. central hosts
D. bastion hosts

Correct Answer: A
Explanation

Explanation/Reference:
A host-based IDS is resident on a host and reviews the system and event logs in order to detect an attack
on the host and to determine if the attack was successful. All critical servers should have a Host-Based
Intrusion Detection System (HIDS) installed. As you are well aware, a network-based IDS cannot make
sense of or detect patterns of attack within encrypted traffic. A HIDS might be able to detect such an
attack after the traffic has been decrypted on the host. This is why critical servers should have both NIDS
and HIDS.

FROM WIKIPEDIA:

A HIDS will monitor all or part of the dynamic behavior and of the state of a computer system. Much as a
NIDS will dynamically inspect network packets, a HIDS might detect which program accesses what
resources and assure that (say) a word-processor hasn't suddenly and inexplicably started modifying the
system password-database. Similarly a HIDS might look at the state of a system, its stored information,
whether in RAM, in the file-system, or elsewhere; and check that the contents of these appear as
expected.

One can think of a HIDS as an agent that monitors whether anything/anyone - internal or external - has
circumvented the security policy that the operating system tries to enforce.
http://en.wikipedia.org/wiki/Host-based_intrusion_detection_system

QUESTION 84
Which of the following usually provides reliable, real-time information without consuming network or host
resources?

A. network-based IDS
B. host-based IDS
C. application-based IDS
D. firewall-based IDS

Correct Answer: A
Explanation

Explanation/Reference:
A network-based IDS usually provides reliable, real-time information without consuming network or host
resources.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 48

QUESTION 85
The fact that a network-based IDS reviews packets payload and headers enable which of the following?

A. Detection of denial of service
B. Detection of all viruses
C. Detection of data corruption
D. Detection of all password guessing attacks

Correct Answer: A
Explanation

Explanation/Reference:
Because a network-based IDS reviews packet payloads and headers, denial of service attacks can also be
detected.

This question is easy if you go through the process of elimination. When you see an answer containing
the keyword ALL, it is something of a giveaway that it is not the proper answer. On the real exam you
may encounter a few questions where the use of the word ALL renders the choice invalid. Pay close
attention to such keywords.

The following are incorrect answers:

Even though most IDSs can detect some viruses and some password guessing attacks, they cannot detect
ALL viruses or ALL password guessing attacks. Therefore these two answers are only distractors.
Unless the IDS knows the valid values for a certain dataset, it can NOT detect data corruption.

Reference used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 48

QUESTION 86
Which of the following reviews system and event logs to detect attacks on the host and determine if the
attack was successful?

A. host-based IDS
B. firewall-based IDS
C. bastion-based IDS
D. server-based IDS

Correct Answer: A
Explanation

Explanation/Reference:
A host-based IDS can review the system and event logs in order to detect an attack on the host and to
determine if the attack was successful.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 48

QUESTION 87
What would be considered the biggest drawback of Host-based Intrusion Detection systems (HIDS)?

A. It can be very invasive to the host operating system
B. Monitors all processes and activities on the host system only
C. Virtually eliminates limits associated with encryption
D. They have an increased level of visibility and control compared to NIDS

Correct Answer: A
Explanation

Explanation/Reference:
The biggest drawback of HIDS, and the reason many organizations resist its use, is that it can be very
invasive to the host operating system. HIDS must have the capability to monitor all processes and activities
on the host system and this can sometimes interfere with normal system processing.

HIDS versus NIDS

A host-based IDS (HIDS) can be installed on individual workstations and/ or servers to watch for
inappropriate or anomalous activity. HIDSs are usually used to make sure users do not delete system files,
reconfigure important settings, or put the system at risk in any other way. So, whereas the NIDS
understands and monitors the network traffic, a HIDS's universe is limited to the computer itself. A HIDS
does not understand or review network traffic, and a NIDS does not "look in" and monitor a system's
activity. Each has its own job and stays out of the other's way.

The ISC2 official study book defines an IDS as:


An intrusion detection system (IDS) is a technology that alerts organizations to adverse or unwanted
activity. An IDS can be implemented as part of a network device, such as a router, switch, or firewall, or it
can be a dedicated IDS device monitoring traffic as it traverses the network. When used in this way, it is
referred to as a network IDS, or NIDS. IDS can also be used on individual host systems to monitor and
report on file, disk, and process activity on that host. When used in this way it is referred to as a host-
based IDS, or HIDS.

An IDS is informative by nature and provides real-time information when suspicious activities are identified.
It is primarily a detective device and, acting in this traditional role, is not used to directly prevent the
suspected attack.
What about IPS?

In contrast, an intrusion prevention system (IPS), is a technology that monitors activity like an IDS but will
automatically take proactive preventative action if it detects unacceptable activity. An IPS permits a
predetermined set of functions and actions to occur on a network or system; anything that is not permitted
is considered unwanted activity and blocked. IPS is engineered specifically to respond in real time to an
event at the system or network layer. By proactively enforcing policy, IPS can thwart not only attackers, but
also authorized users attempting to perform an action that is not within policy. Fundamentally, IPS is
considered an access control and policy enforcement technology, whereas IDS is considered network
monitoring and audit technology.

The following answers were incorrect:

All of the other answers were advantages, not drawbacks, of using HIDS.

TIP FOR THE EXAM:

Be familiar with the differences that exist between a HIDS, NIDS, and IPS. Know that IDSs are mostly
detective but IPSs are preventive. IPSs are considered an access control and policy enforcement
technology, whereas IDSs are considered network monitoring and audit technology.

Reference(s) used for this question:
Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 5817-5822).
McGraw-Hill. Kindle Edition.
and
Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition: Access Control
((ISC)2 Press), Domain 1, Page 180-188 or on the Kindle version look for Kindle Locations 3199-3203.
Auerbach Publications.

QUESTION 88
Attributes that characterize an attack are stored for reference using which of the following Intrusion
Detection System (IDS)?

A. signature-based IDS
B. statistical anomaly-based IDS
C. event-based IDS
D. inferent-based IDS

Correct Answer: A
Explanation

Explanation/Reference:
A signature-based IDS stores the attributes that characterize known attacks (their signatures) and
compares observed network traffic or host events against that stored set.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 49

QUESTION 89
Which of the following is an issue with signature-based intrusion detection systems?

A. Only previously identified attack signatures are detected.
B. Signature databases must be augmented with inferential elements.
C. It runs only on the windows operating system
D. Hackers can circumvent signature evaluations.

Correct Answer: A
Explanation

Explanation/Reference:
An issue with signature-based ID is that only attack signatures that are stored in their database are
detected.
New attacks without a signature would not be reported. They do require constant updates in order to
maintain their effectiveness.
Reference used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 49

QUESTION 90
Which of the following is an IDS that acquires data and defines a "normal" usage profile for the network or
host?

A. Statistical Anomaly-Based ID
B. Signature-Based ID
C. dynamical anomaly-based ID
D. inferential anomaly-based ID

Correct Answer: A
Explanation

Explanation/Reference:
Statistical Anomaly-Based ID - With this method, an IDS acquires data and defines a "normal" usage
profile for the network or host that is being monitored. Source: KRUTZ, Ronald L. & VINES, Russel D., The
CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 49
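
The two detection methods of questions 88 to 90 side by side, as an added example that is not from the CISSP guide: a toy host-based IDS run over constructed auth-log lines. Signature-based detection matches stored attributes of known attacks and therefore misses anything the database has never seen; statistical anomaly-based detection learns a "normal" profile (failed logins per minute) from a baseline and alerts on deviation, catching the unknown burst but not a single stealthy attempt. The log format, rules, addresses and the 3-sigma threshold are assumptions.

```python
"""Added example (not from the CISSP guide): a toy host-based IDS run over
constructed auth-log lines to contrast the two methods in questions 88-90.
Signature-based detection matches stored attributes of known attacks;
statistical anomaly-based detection learns a "normal" profile (failed logins
per minute) and alerts on deviation. Log format, rules, addresses and the
3-sigma threshold are assumptions."""
import re
import statistics

# Stored attack attributes: this is the "signature database".
SIGNATURES = {
    "root password guessing": re.compile(r"Failed password for root from \S+"),
    "SQL injection probe": re.compile(r"(?i)(' or 1=1|union select)"),
}

# Constructed baseline: five ordinary minutes (HH:MM:SS prefix).
BASELINE_LOG = [
    "10:00:05 sshd: Failed password for alice from 192.0.2.7",
    "10:00:09 sshd: Accepted password for alice from 192.0.2.7",
    "10:01:12 sshd: Failed password for carol from 192.0.2.8",
    "10:01:40 sshd: Failed password for carol from 192.0.2.8",
    "10:02:03 sshd: Failed password for dave from 192.0.2.9",
    "10:03:20 sshd: Accepted password for alice from 192.0.2.7",
    "10:04:11 sshd: Failed password for bob from 192.0.2.10",
    "10:04:50 sshd: Failed password for bob from 192.0.2.10",
]

# Constructed live traffic: a burst against an ordinary account (no signature
# exists for it), then one root attempt and one web probe (signatures exist).
LIVE_LOG = [f"10:05:{s:02d} sshd: Failed password for bob from 198.51.100.9" for s in range(1, 9)] + [
    "10:06:10 sshd: Failed password for root from 203.0.113.5",
    "10:06:30 httpd: GET /login?user=admin' OR 1=1--",
    "10:06:45 sshd: Accepted password for alice from 192.0.2.7",
]


def signature_detect(lines):
    """Report every line matching a stored signature: precise, but blind to
    anything the database has not seen (question 89)."""
    return [(name, line) for line in lines
            for name, rx in SIGNATURES.items() if rx.search(line)]


def failures_per_minute(lines):
    """Count failed logins per minute; minutes with traffic but no failures count 0."""
    counts = {}
    for line in lines:
        minute = line[:5]
        counts.setdefault(minute, 0)
        if "Failed password" in line:
            counts[minute] += 1
    return counts


class AnomalyDetector:
    """Statistical anomaly-based ID: learn mean and spread of the baseline,
    then flag minutes beyond mean + k standard deviations (question 90)."""

    def __init__(self, k: float = 3.0):
        self.k = k
        self.threshold = None

    def train(self, baseline_lines):
        values = list(failures_per_minute(baseline_lines).values())
        if len(values) < 2:
            raise ValueError("need at least two minutes of baseline")
        self.threshold = statistics.mean(values) + self.k * statistics.stdev(values)
        return self.threshold

    def detect(self, lines):
        """Return (minute, count) for minutes whose failures exceed the threshold."""
        if self.threshold is None:
            raise RuntimeError("train() before detect()")
        return [(m, c) for m, c in sorted(failures_per_minute(lines).items())
                if c > self.threshold]
```

Run over LIVE_LOG, signature_detect() fires on the root attempt and the injection probe but says nothing about the eight failures against bob, while the trained AnomalyDetector flags minute 10:05 and stays silent on 10:06. The baseline must be trained on clean data: an attacker present during training raises the profile and hides under it afterwards.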

QUESTION 91
Which of the following is most relevant to determining the maximum effective cost of access control?

A. the value of information that is protected.
B. management's perceptions regarding data importance.
C. budget planning related to base versus incremental spending.
D. the cost to replace lost data.

Correct Answer: A
Explanation

Explanation/Reference:
The cost of access control must be commensurate with the value of the information that is being protected.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 49

QUESTION 92
Which of the following is NOT a factor related to Access Control?

A. integrity
B. authenticity
C. confidentiality
D. availability

Correct Answer: B
Explanation

Explanation/Reference:
These factors cover the integrity, confidentiality, and availability components of information system
security.

Integrity is important in access control as it relates to ensuring only authorized subjects can make changes
to objects.

Authenticity is different from authentication. Authenticity pertains to something being authentic (genuine)
and has no direct correlation to access control.

Confidentiality is pertinent to access control in that access to sensitive information is controlled to
protect confidentiality.

Availability is protected by access controls in that if an attacker attempts to disrupt availability they would
first need access.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 49

QUESTION 93
Which of the following is most appropriate to notify an external user that session monitoring is being
conducted?

A. Logon Banners
B. Wall poster
C. Employee Handbook
D. Written agreement

Correct Answer: A
Explanation

Explanation/Reference:
Banners at log-on time should be used to notify external users of any monitoring that is being
conducted. A good banner gives you stronger legal standing and also makes it obvious that the user was
warned about who may access the system, so an unauthorized user is fully aware that they are
trespassing.

This is a tricky question, the keyword in the question is External user.

There are two possible answers based on how the question is presented, this question could either apply
to internal users or ANY anonymous user.

Internal users should always have a written agreement first, then logon banners serve as a constant
reminder.
Anonymous users, such as those logging into a web site, ftp server or even a mail server; their only
notification system is the use of a logon banner.

References used for this question:


KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 50

and
Shon Harris, CISSP All-in-one, 5th edition, pg 873

QUESTION 94
Which of the following pairings uses technology to enforce access control policies?

A. Preventive/Administrative
B. Preventive/Technical
C. Preventive/Physical
D. Detective/Administrative

Correct Answer: B
Explanation

Explanation/Reference:
The preventive/technical pairing uses technology to enforce access control policies.

TECHNICAL CONTROLS

Technical security involves the use of safeguards incorporated in computer hardware, operations or
applications software, communications hardware and software, and related devices. Technical controls are
sometimes referred to as logical controls.
Preventive Technical Controls

Preventive technical controls are used to prevent unauthorized personnel or programs from gaining remote
access to computing resources. Examples of these controls include:

Access control software.


Antivirus software.
Library control systems.
Passwords.
Smart cards.
Encryption.
Dial-up access control and callback systems.

Preventive Physical Controls

Preventive physical controls are employed to prevent unauthorized personnel from entering computing
facilities (i.e., locations housing computing resources, supporting utilities, computer hard copy, and input
data media) and to help protect against natural disasters. Examples of these controls include:
Backup files and documentation.
Fences.
Security guards.
Badge systems.
Double door systems.
Locks and keys.
Backup power.
Biometric access controls.
Site selection.
Fire extinguishers.

Preventive Administrative Controls

Preventive administrative controls are personnel-oriented techniques for controlling people's behavior to
ensure the confidentiality, integrity, and availability of computing data and programs. Examples of
preventive administrative controls include:
Security awareness and technical training.
Separation of duties.
Procedures for recruiting and terminating employees.
Security policies and procedures.
Supervision.
Disaster recovery, contingency, and emergency plans.
User registration for computer access.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 34

QUESTION 95
In the course of responding to and handling an incident, you work on determining the root cause of the
incident. Which step are you in?

A. Recovery
B. Containment
C. Triage
D. Analysis and tracking

Correct Answer: D
Explanation

Explanation/Reference:
In this step, your main objective is to examine and analyze what has occurred and focus on determining
the root cause of the incident.

Recovery is incorrect, as recovery is about resuming operations or bringing affected systems back into
production.
Containment is incorrect, as containment is about reducing the potential impact of an incident.
Triage is incorrect, as triage is about determining the seriousness of the incident and filtering out false
positives.

Reference:
Official Guide to the CISSP CBK, pages 700-704

QUESTION 96
Access control is the collection of mechanisms that permits managers of a system to exercise a directing
or restraining influence over the behavior, use, and content of a system. It does not permit management to:

A. specify what users can do


B. specify which resources they can access
C. specify how to restrain hackers
D. specify what operations they can perform on a system.

Correct Answer: C
Explanation

Explanation/Reference:
Access control is the collection of mechanisms that permits managers of a system to exercise a directing
or restraining influence over the behavior, use, and content of a system. It permits management to specify
what users can do, which resources they can access, and what operations they can perform on a system.
Specifying HOW to restrain hackers is not directly linked to access control.
Source: DUPUIS, Clement, Access Control Systems and Methodology, Version 1, May 2002, CISSP Open
Study Group Study Guide for Domain 1, Page 12

QUESTION 97
Access Control techniques do not include which of the following choices?

A. Relevant Access Controls


B. Discretionary Access Control
C. Mandatory Access Control
D. Lattice Based Access Control

Correct Answer: A
Explanation

Explanation/Reference:
Access Control Techniques
Discretionary Access Control
Mandatory Access Control
Lattice Based Access Control
Rule-Based Access Control
Role-Based Access Control
Source: DUPUIS, Clement, Access Control Systems and Methodology, Version 1, May 2002, CISSP Open
Study Group Study Guide for Domain 1, Page 13

QUESTION 98
Which of the following statements relating to the Bell-LaPadula security model is FALSE (assuming the
Strong Star property is not being used)?

A. A subject is not allowed to read up.


B. The *- property restriction can be escaped by temporarily downgrading a high level subject.
C. A subject is not allowed to read down.
D. It is restricted to confidentiality.

Correct Answer: C
Explanation
Explanation/Reference:
The simple security property forbids reading up, but it permits reading down: a subject cleared at SECRET
may read UNCLASSIFIED objects. "A subject is not allowed to read down" is therefore not a property of the
Bell-LaPadula model, and it is the FALSE statement.
The other answers are incorrect because:
A subject is not allowed to read up is the 'simple security property' of the Bell-LaPadula model.

The *-property (no write down) can be escaped by temporarily downgrading a high level subject, or by
identifying a set of trusted subjects which are permitted to violate the *-property, as long as the subject
is not in the middle of an operation. (The strong star property, which the question excludes, removes this
escape by allowing a subject to write only at its own level.)
It is restricted to confidentiality, as it is a state machine model that enforces only the confidentiality
aspects of access control; integrity is addressed by other models such as Biba.
Reference: Shon Harris AIO v3 , Chapter-5 : Security Models and Architecture , Page:279-282

QUESTION 99
When a biometric system is used, which error type deals with the possibility of GRANTING access to
impostors who should be REJECTED?

A. Type I error
B. Type II error
C. Type III error
D. Crossover error

Correct Answer: B
Explanation

Explanation/Reference:
When the biometric system accepts impostors who should have been rejected , it is called a Type II error
or False Acceptance Rate or False Accept Rate.

Biometrics verifies an individual's identity by analyzing a unique personal attribute or behavior, which is
one of the most effective and accurate methods of verifying identification.

Biometrics is a very sophisticated technology; thus, it is much more expensive and complex than the other
types of identity verification processes. A biometric system can make authentication decisions based on an
individual's behavior, as in signature dynamics, but these can change over time and possibly be forged.

Biometric systems that base authentication decisions on physical attributes (iris, retina, fingerprint) provide
more accuracy, because physical attributes typically don't change much, absent some disfiguring injury,
and are harder to impersonate.

When a biometric system rejects an authorized individual, it is called a Type I error (False Rejection Rate
(FRR) or False Reject Rate (FRR)).

When the system accepts impostors who should be rejected, it is called a Type II error (False Acceptance
Rate (FAR) or False Accept Rate (FAR)). Type II errors are the most dangerous and thus the most
important to avoid.

The goal is to obtain low numbers for each type of error, but When comparing different biometric systems,
many different variables are used, but one of the most important metrics is the crossover error rate (CER).

The accuracy of any biometric method is measured in terms of False Acceptance Rate (FAR) and False
Rejection Rate (FRR). Both are expressed as percentages. The FAR is the rate at which attempts by
unauthorized users are incorrectly accepted as valid. The FRR is just the opposite. It measures the rate at
which authorized users are denied access. The relationship between FRR (Type I) and FAR (Type II) is
depicted in the graphic below . As one rate increases, the other decreases. The Cross-over Error Rate
(CER) is sometimes considered a good indicator of the overall accuracy of a biometric system. This is the
point at which the FRR and the FAR have the same value. Solutions with a lower CER are typically more
accurate.

[Graphic from Biometria, "Cross Over Error Rate": FRR and FAR plotted against the acceptance threshold;
the point where the two curves meet is the CER.] The Cross-over Error Rate (CER) is also called the Equal
Error Rate (EER); the two are synonymous.

The other answers are incorrect:
Type I error is also called the False Rejection Rate, where a valid user is rejected by the system. Type III
error: there is no such error type in a biometric system. Crossover error rate, stated as a percentage,
represents the point at which the false rejection rate equals the false acceptance rate.

Reference(s) used for this question:


http://www.biometria.sk/en/principles-of-biometrics.html and Shon Harris, CISSP All In One (AIO), 6th
Edition , Chapter 3, Access Control, Page 188-189 and Tech Republic, Reduce Multi_Factor
Authentication Cost
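The FAR/FRR trade-off and the CER are easier to reason about when computed from matcher scores. The following is an added example (not from the exam dump, Biometria or the Harris text) that sweeps an acceptance threshold over two constructed score sets, one from genuine users and one from impostors, and finds the threshold at which the two error rates meet. The scores are invented for illustration and the 0-100 scale is an assumption.

```python
# Constructed matcher scores (0-100; higher = better match). Not from any real
# device: ten genuine attempts and ten impostor attempts against one template.
GENUINE  = [82, 88, 91, 75, 95, 70, 85, 90, 60, 93]
IMPOSTOR = [20, 35, 45, 62, 30, 55, 40, 72, 25, 50]

def error_rates(genuine, impostor, threshold):
    """Accept a sample when its score >= threshold.
    Type I  (FRR): genuine users rejected  -> genuine scores below the threshold.
    Type II (FAR): impostors accepted      -> impostor scores at/above the threshold."""
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far

def sweep(genuine, impostor, thresholds=range(0, 101)):
    """(threshold, FRR, FAR) for every candidate threshold."""
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]

def crossover(genuine, impostor):
    """Threshold at which FRR and FAR are (closest to) equal, and that rate: the CER/EER.
    Ties are broken toward the lowest threshold."""
    t, frr, far = min(sweep(genuine, impostor), key=lambda r: (abs(r[1] - r[2]), r[0]))
    return t, (frr + far) / 2

if __name__ == "__main__":
    for t, frr, far in sweep(GENUINE, IMPOSTOR, range(50, 81, 5)):
        print(f"threshold={t:3d}  FRR(Type I)={frr:.2f}  FAR(Type II)={far:.2f}")
    t, cer = crossover(GENUINE, IMPOSTOR)
    print(f"CER={cer:.2f} at threshold {t}")
    # A high-security deployment sets the threshold above the CER point, accepting
    # more Type I errors (annoyed users) to drive the Type II rate toward zero.
```

Raising the threshold moves every genuine score below it into the FRR column and every impostor score above it out of the FAR column, which is the inverse relationship the graphic describes; the CER is only the balance point, not necessarily the operating point you want.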

QUESTION 100
Which of the following is the FIRST step in protecting data's confidentiality?

A. Install a firewall
B. Implement encryption
C. Identify which information is sensitive
D. Review all user access rights

Correct Answer: C
Explanation

Explanation/Reference:
The information must first be identified and classified by sensitivity; only then can controls that are
commensurate with its value be chosen to protect its confidentiality.

The following answers are incorrect because :


Install a firewall is incorrect as this would come after the information has been identified for sensitivity
levels.
Implement encryption is also incorrect as this is one of the mechanisms to protect the data once it has
been identified.
Review all user access rights is also incorrect as this is also a protection mechanism for the identified
information.
Reference : Shon Harris AIO v3 , Chapter-4 : Access Control , Page : 126

QUESTION 101
Which of the following best ensures accountability of users for the actions taken within a system or
domain?

A. Identification
B. Authentication
C. Authorization
D. Credentials

Correct Answer: B
Explanation

Explanation/Reference:
The only way to ensure accountability is if the subject is uniquely identified and authenticated. Identification
alone does not provide proof the user is who they claim to be. After showing proper credentials, a user is
authorized access to resources.

References:
HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter 4:
Access Control (page 126).

QUESTION 102
Which of the following statements pertaining to biometrics is FALSE?

A. User can be authenticated based on behavior.


B. User can be authenticated based on unique physical attributes.
C. User can be authenticated by what he knows.
D. A biometric system's accuracy is determined by its crossover error rate (CER).

Correct Answer: C
Explanation

Explanation/Reference:
As this is not a characteristic of biometrics, it is the right choice for this question. Something you know is
one of the three basic ways authentication can be performed and it is not related to biometrics. Examples
of something you know are a password or a PIN.

Please make a note of the negative 'FALSE' within the question. This question may seem tricky to some of
you but you would be amazed at how many people cannot deal with negative questions. There will be a
few negative questions within the real exam, just like this one the keyword NOT or FALSE will be in
Uppercase to clearly indicate that it is negative. Biometrics verifies an individual's identity by analyzing a
unique personal attribute or behavior, which is one of the most effective and accurate methods of
performing authentication (one to one matching) or identification (a one to many matching).

A biometric system scans an attribute or behavior of a person and compares it to a template stored within
an authentication server database; that template would have been created in an earlier enrollment process.
Because this system inspects the grooves of a person's fingerprint, the pattern of someone's retina, or the
pitches of someone's voice, it has to be extremely sensitive.

The system must perform accurate and repeatable measurements of anatomical or physiological
characteristics. This type of sensitivity can easily cause false positives or false negatives. The system must
be calibrated so that these false positives and false negatives occur infrequently and the results are as
accurate as possible.

There are two types of failures in biometric identification:


False Rejection, also called False Rejection Rate (FRR) -- The system fails to recognize a legitimate user.
While it could be argued that this has the effect of keeping the protected area extra secure, it is an
intolerable frustration to legitimate users who are refused access because the scanner does not recognize
them.
False Acceptance or False Acceptance Rate (FAR) -- This is an erroneous recognition, either by confusing
one user with another or by accepting an imposter as a legitimate user.

Physiological Examples:
Unique Physical Attributes:
Fingerprint (Most commonly accepted)
Hand Geometry
Retina Scan (Most accurate but most intrusive)
Iris Scan
Vascular Scan

Behavioral Examples:
Repeated Actions
Keystroke Dynamics
(Dwell time (the time a key is pressed) and Flight time (the time between "key up" and the next "key
down").
Signature Dynamics
(Stroke and pressure points)

EXAM TIP:
Retina scan devices are the most accurate but also the most invasive biometrics system available today.
The continuity of the retinal pattern throughout life and the difficulty in fooling such a device also make it a
great long-term, high-security option. Unfortunately, the cost of the proprietary hardware as well the stigma
of users thinking it is potentially harmful to the eye makes retinal scanning a bad fit for most situations.

Remember for the exam that fingerprints are the most commonly accepted type of biometrics system.

The other answers are incorrect:


'Users can be authenticated based on behavior.' is incorrect as this choice is TRUE as it pertains to
BIOMETRICS.
Biometrics systems makes use of unique physical characteristics or behavior of users. 'User can be
authenticated based on unique physical attributes.' is also incorrect as this choice is also TRUE as it
pertains to BIOMETRICS. Biometrics systems makes use of unique physical characteristics or behavior of
users.
'A biometric system's accuracy is determined by its crossover error rate (CER)' is also incorrect as this is
TRUE as it also pertains to BIOMETRICS. The CER is the point at which the false rejection rates and the
false acceptance rates are equal. The smaller the value of the CER, the more accurate the system.

Reference(s) used for this question:


Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2
Press) (Kindle Locations 25353-25356). Auerbach Publications. Kindle Edition.
and
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2
Press) (Kindle Locations 25297-25303). Auerbach Publications. Kindle Edition.

QUESTION 103
Which of the following biometric devices offers the LOWEST CER?

A. Keystroke dynamics
B. Voice verification
C. Iris scan
D. Fingerprint

Correct Answer: C
Explanation

Explanation/Reference:
From most effective (lowest CER) to least effective (highest CER) are:

Iris scan, fingerprint, voice verification, keystroke dynamics.

Reference: Shon Harris AIO v3, Chapter-4: Access Control, Page: 131
Also see: http://www.sans.org/reading_room/whitepapers/authentication/biometric-selection-body-parts-online_139

QUESTION 104
Which of the following is the WEAKEST authentication mechanism?

A. Passphrases
B. Passwords
C. One-time passwords
D. Token devices

Correct Answer: B
Explanation

Explanation/Reference:
Most of the time users choose passwords that can be guessed, hence passwords is the BEST answer out of
the choices listed above.

The following answers are incorrect because:

Passphrases is incorrect, as a passphrase is more secure than a password because it is longer. One-time
passwords is incorrect, as the name states: each value is good for only one use and cannot be replayed.
Token devices is incorrect, as a token is also a password generator and is a one-time password mechanism.
Reference : Shon Harris AIO v3 , Chapter-4 : Access Control , Page : 139 , 142
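Why a one-time password beats a static one is clearest in code. Below is an added example (not from the exam dump or the Harris text) implementing HOTP as specified in RFC 4226 (HMAC-SHA1 over a counter, with dynamic truncation) next to a static-password check, so that replaying a captured value can be tried against both. The server-side verifier, its look-ahead window of 5, and the static password are constructed for illustration; the test secret is the one published in RFC 4226 Appendix D.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class HotpVerifier:
    """Server side (constructed design): remembers the last accepted counter so a
    captured code is useless afterwards. The look-ahead window tolerates a token
    that was pressed a few times without the code being submitted."""
    def __init__(self, secret: bytes, window: int = 5):
        self.secret, self.window, self.last = secret, window, -1

    def verify(self, code: str) -> bool:
        for c in range(self.last + 1, self.last + 1 + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last = c            # this counter and all below it are now burned
                return True
        return False

STATIC_PASSWORD = "Winter2024!"           # constructed: the reusable secret

def static_verify(submitted: str) -> bool:
    """A static password is accepted every time it is replayed."""
    return hmac.compare_digest(submitted, STATIC_PASSWORD)

if __name__ == "__main__":
    secret = b"12345678901234567890"      # RFC 4226 Appendix D test secret
    print([hotp(secret, c) for c in range(4)])   # 755224 287082 359152 969429
    v = HotpVerifier(secret)
    print("OTP first use:", v.verify("755224"), " OTP replay:", v.verify("755224"))
    print("password first use:", static_verify(STATIC_PASSWORD),
          " password replay:", static_verify(STATIC_PASSWORD))
```

The verifier advances `last` on success, so an attacker who shoulder-surfs or sniffs one code gets nothing; the static password is accepted indefinitely. Note the comparison uses `hmac.compare_digest` in both paths, so neither check leaks timing information about how many leading characters matched.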

QUESTION 105
Which of the following statements pertaining to access control is false?

A. Users should only access data on a need-to-know basis.


B. If access is not explicitly denied, it should be implicitly allowed.
C. Access rights should be granted based on the level of trust a company has on a subject.
D. Roles can be an efficient way to assign rights to a type of user who performs certain tasks.
Correct Answer: B
Explanation

Explanation/Reference:
Access control mechanisms should default to no access to provide the necessary level of security and
ensure that no security holes go unnoticed. If access is not explicitly allowed, it should be implicitly denied.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter
4: Access Control (page 143).
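The default-deny rule from Question 105, and the ACL-versus-capability distinction the dump returns to in Question 112, can both be shown from one access control matrix. The following is an added example (not from the exam dump or the Harris text): the matrix, the subjects, objects and rights are constructed, and the "deny list" design is included only as the wrong way to do it.

```python
# Constructed access control matrix for a small file share. Rows are subjects,
# columns are objects, cells are rights. Not taken from any real system.
MATRIX = {
    "alice": {"payroll.xlsx": {"read", "write"}, "handbook.pdf": {"read"}},
    "bob":   {"handbook.pdf": {"read"}},
    "carol": {},                      # registered, but granted nothing yet
}

def to_acls(matrix):
    """ACL view: bound to the object. Each object lists the subjects and their rights."""
    acls = {}
    for subject, grants in matrix.items():
        for obj, rights in grants.items():
            acls.setdefault(obj, {})[subject] = set(rights)
    return acls

def to_capabilities(matrix):
    """Capability view: bound to the subject. Each subject carries its own list."""
    return {s: {o: set(r) for o, r in grants.items()} for s, grants in matrix.items()}

def check_default_deny(acls, subject, obj, right):
    """Correct: no entry means no access. An unknown subject, an unknown object,
    or a missing right all fall through to False."""
    return right in acls.get(obj, {}).get(subject, set())

DENY_LIST = {"payroll.xlsx": {"bob"}}   # constructed 'blacklist' for the wrong design

def check_default_allow(deny, subject, obj, right):
    """Wrong: access unless explicitly denied. Anyone not on the list (carol, or a
    brand-new account) walks straight in, which is the hole the question warns about."""
    return subject not in deny.get(obj, set())

if __name__ == "__main__":
    acls = to_acls(MATRIX)
    for who in ("alice", "bob", "carol", "mallory"):
        print(f"{who:8} default-deny={check_default_deny(acls, who, 'payroll.xlsx', 'read')!s:5}"
              f" default-allow={check_default_allow(DENY_LIST, who, 'payroll.xlsx', 'read')}")
    print("bob's capability list:", to_capabilities(MATRIX)["bob"])
```

Both views are transposes of the same matrix, which is why the matrix itself is a description of policy rather than an enforcement mechanism. The ACL is the natural structure when the question is "who may touch this object"; the capability list is the natural structure when the question is "what may this subject touch", and it is what a Kerberos service ticket effectively is.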

QUESTION 106
Which of the following is NOT part of the Kerberos authentication protocol?

A. Symmetric key cryptography


B. Authentication service (AS)
C. Principals
D. Public Key

Correct Answer: D
Explanation

Explanation/Reference:
There is no such component within a Kerberos environment. Kerberos, as described in the CISSP material,
uses only symmetric encryption and does not make use of any public key component. (The later PKINIT
extension, RFC 4556, adds public-key pre-authentication to the AS exchange, but the base protocol's
tickets and session keys remain entirely symmetric.)

The other answers are incorrect because :


Symmetric key cryptography is a part of Kerberos as the KDC holds all the users' and services' secret
keys.
Authentication service (AS) : KDC (Key Distribution Center) provides an authentication service

Principals : Key Distribution Center provides services to principals , which can be users , applications or
network services.
References : Shon Harris , AIO v3 , Chapter - 4: Access Control , Pages : 152-155
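To show how a purely symmetric design distributes keys, here is an added example (not from the exam dump or the Harris text) of the AS and TGS exchanges with a KDC that holds every principal's secret key. The encryption primitive is a toy (SHA-256 keystream plus an HMAC tag) standing in for Kerberos' real encryption types, the message layouts are simplified, and the lifetimes and names are constructed; it is illustrative only and not usable as a Kerberos implementation.

```python
import hashlib
import hmac
import json
import os
import time

# --- toy authenticated encryption (assumption: stands in for Kerberos' real
# encryption types such as AES-CTS; NOT for production use) -----------------
def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, obj) -> bytes:
    """nonce || ciphertext || HMAC tag. Without `key` one can neither read nor forge."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

# --- KDC = Authentication Service (AS) + Ticket Granting Service (TGS) ------
class KDC:
    """Holds every principal's long-term secret key. No public keys anywhere."""
    def __init__(self):
        self.keys = {"krbtgt": os.urandom(32)}   # the TGS's own key

    def register(self, principal: str) -> bytes:
        self.keys[principal] = os.urandom(32)
        return self.keys[principal]

    def as_exchange(self, client: str) -> bytes:
        """AS_REP: a client/TGS session key sealed for the client, plus a TGT sealed
        for the TGS. The client carries the TGT but cannot open it."""
        session = os.urandom(32).hex()
        tgt = encrypt(self.keys["krbtgt"],
                      {"client": client, "key": session, "exp": time.time() + 600})
        return encrypt(self.keys[client], {"key": session, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str) -> bytes:
        """TGS_REP: open the TGT with the TGS key, check the authenticator under the
        session key found inside it, then issue a ticket sealed for the service."""
        t = decrypt(self.keys["krbtgt"], tgt)
        if t["exp"] < time.time():
            raise ValueError("TGT expired")
        session = bytes.fromhex(t["key"])
        auth = decrypt(session, authenticator)
        if auth["client"] != t["client"] or abs(auth["ts"] - time.time()) > 300:
            raise ValueError("authenticator does not match TGT or is stale")
        svc_key = os.urandom(32).hex()
        ticket = encrypt(self.keys[service], {"client": t["client"], "key": svc_key})
        return encrypt(session, {"key": svc_key, "ticket": ticket.hex()})

# --- client and service side ------------------------------------------------
def as_login(kdc: KDC, client: str, client_key: bytes):
    rep = decrypt(client_key, kdc.as_exchange(client))
    return bytes.fromhex(rep["key"]), bytes.fromhex(rep["tgt"])

def make_authenticator(session: bytes, client: str) -> bytes:
    """Proves possession of the session key and binds the request to a time."""
    return encrypt(session, {"client": client, "ts": time.time()})

def get_service_ticket(kdc: KDC, client: str, session: bytes, tgt: bytes, service: str):
    rep = decrypt(session, kdc.tgs_exchange(tgt, make_authenticator(session, client), service))
    return bytes.fromhex(rep["key"]), bytes.fromhex(rep["ticket"])

def service_accepts(service_key: bytes, ticket: bytes) -> str:
    """The service opens the ticket with its own long-term key and learns the client name."""
    return decrypt(service_key, ticket)["client"]

if __name__ == "__main__":
    kdc = KDC()
    alice_key, fs_key = kdc.register("alice"), kdc.register("fileserver")
    session, tgt = as_login(kdc, "alice", alice_key)
    _, ticket = get_service_ticket(kdc, "alice", session, tgt, "fileserver")
    print("fileserver sees principal:", service_accepts(fs_key, ticket))
```

Everything a principal receives is sealed under a key it already shares with the KDC or under a session key delivered that way; the client never learns the TGS or service keys, and the service never learns the client's key. That is also the protocol's weak spot: the KDC is a single repository of every secret, so its compromise is total, and any principal key derived from a guessable password is exposed to offline attack on the AS reply.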

QUESTION 107
Which access control model enables the OWNER of the resource to specify what subjects can access
specific resources based on their identity?

A. Discretionary Access Control


B. Mandatory Access Control
C. Sensitive Access Control
D. Role-based Access Control

Correct Answer: A
Explanation

Explanation/Reference:
Data owners decide who has access to resources based only on the identity of the person accessing the
resource.

The following answers are incorrect :

Mandatory Access Control : users and data owners do not have as much freedom to determine who can
access files. The operating system makes the final decision and can override the users' wishes and access
decisions are based on security labels. Sensitive Access Control : There is no such access control in the
context of the above question.

Role-based Access Control : uses a centrally administered set of controls to determine how subjects and
objects interact , also called as non discretionary access control.

In a mandatory access control (MAC) model, users and data owners do not have as much freedom to
determine who can access files. The operating system makes the final decision and can override the
users' wishes. This model is much more structured and strict and is based on a security label system.
Users are given a security clearance (secret, top secret, confidential, and so on), and data is classified in
the same way. The clearance and classification data is stored in the security labels, which are bound to the
specific subjects and objects. When the system makes a decision about fulfilling a request to access an
object, it is based on the clearance of the subject, the classification of the object, and the security policy of
the system. The rules for how subjects access objects are made by the security officer, configured by the
administrator, enforced by the operating system, and supported by security technologies Reference : Shon
Harris , AIO v3 , Chapter-4 : Access Control , Page : 163-165

QUESTION 108
Which of the following access control models is based on sensitivity labels?

A. Discretionary access control


B. Mandatory access control
C. Rule-based access control
D. Role-based access control

Correct Answer: B
Explanation

Explanation/Reference:
Access decisions are made based on the clearance of the subject and the sensitivity label of the object.

Example: Eve has a "Secret" security clearance and is able to access the "Mugwump Missile Design
Profile" because its sensitivity label is "Secret." She is denied access to the "Presidential Toilet Tissue
Formula" because its sensitivity label is "Top Secret."

The other answers are not correct because:


Discretionary Access Control is incorrect because in DAC access to data is determined by the data owner.
For example, Joe owns the "Secret Chili Recipe" and grants read access to Charles. Role Based Access
Control is incorrect because in RBAC access decsions are made based on the role held by the user. For
example, Jane has the role "Auditor" and that role includes read permission on the "System Audit Log."
Rule Based Access Control is incorrect because it is a form of MAC. A good example would be a Firewall
where rules are defined and apply to anyone connecting through the firewall.

References:
All in One third edition, page 164
Official ISC2 Guide page 187
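The label comparison behind MAC (this question) and the read/write rules of Bell-LaPadula (Question 98) are the same dominance check applied in two directions. The following is an added example (not from the exam dump, the Harris text or the ISC2 guide) that encodes sensitivity labels as a level plus need-to-know categories and evaluates Eve's requests from the explanation above. The level names, the categories and the object names are constructed; the "trusted subject" escape is deliberately left out.

```python
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

class Label:
    """Sensitivity label: a hierarchical level plus a set of need-to-know categories."""
    def __init__(self, level, categories=()):
        self.level, self.categories = LEVELS[level], frozenset(categories)

    def dominates(self, other):
        """L1 dominates L2 when its level is at least as high AND it holds every category of L2."""
        return self.level >= other.level and self.categories >= other.categories

def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property ('no read up'): the subject must dominate the object."""
    return subject.dominates(obj)

def can_write(subject: Label, obj: Label) -> bool:
    """*-property ('no write down'): the object must dominate the subject, so a SECRET
    subject may append to SECRET or TOP SECRET objects but cannot leak into UNCLASSIFIED."""
    return obj.dominates(subject)

def decide(subject: Label, obj: Label, op: str) -> bool:
    """Reference-monitor style check. Read down IS allowed, which is why 'a subject is
    not allowed to read down' is the FALSE statement in Question 98."""
    return {"read": can_read, "write": can_write}[op](subject, obj)

if __name__ == "__main__":
    eve = Label("SECRET", {"MISSILES"})
    objects = {
        "missile_profile": Label("SECRET", {"MISSILES"}),
        "toilet_formula":  Label("TOP SECRET"),
        "public_memo":     Label("UNCLASSIFIED"),
        "crypto_doc":      Label("SECRET", {"CRYPTO"}),   # same level, other compartment
    }
    for name, obj in objects.items():
        print(f"{name:16} read={decide(eve, obj, 'read')!s:5} write={decide(eve, obj, 'write')}")
```

The categories are what turn a plain lattice of levels into need-to-know: Eve's SECRET clearance does not reach `crypto_doc` because she lacks the CRYPTO compartment, even though the level matches. The same `dominates` test, run over subjects and objects with no labels, degenerates to "always true", which is the point the explanation makes: no labels means MAC is not being used.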

QUESTION 109
Which access control model is also called Non Discretionary Access Control (NDAC)?

A. Lattice based access control


B. Mandatory access control
C. Role-based access control
D. Label-based access control

Correct Answer: C
Explanation

Explanation/Reference:
RBAC is sometimes also called non-discretionary access control (NDAC) (as Ferraiolo says "to distinguish
it from the policy-based specifics of MAC"). Another model that fits within the NDAC category is Rule-
Based Access Control (RuBAC or RBAC). Most of the CISSP books use the same acronym for both
models but NIST tend to use a lowercase "u" in between R and B to differentiate the two models.

You can certainly mimic MAC using RBAC but true MAC makes use of Labels which contains the
sensitivity of the objects and the categories they belong to. No labels means MAC is not being used.

One of the most fundamental data access control decisions an organization must make is the amount of
control it will give system and data owners to specify the level of access users of that data will have. In
every organization there is a balancing point between the access controls enforced by organization and
system policy and the ability for information owners to determine who can have access based on specific
business requirements. The process of translating that balance into a workable access control model can
be defined by three general access frameworks:
Discretionary access control
Mandatory access control
Nondiscretionary access control

A role-based access control (RBAC) model bases the access control authorizations on the roles (or
functions) that the user is assigned within an organization. The determination of what roles have access to
a resource can be governed by the owner of the data, as with DACs, or applied based on policy, as with
MACs.

Access control decisions are based on job function, previously defined and governed by policy, and each
role (job function) will have its own access capabilities. Objects associated with a role will inherit privileges
assigned to that role. This is also true for groups of users, allowing administrators to simplify access
control strategies by assigning users to groups and groups to roles.

There are several approaches to RBAC. As with many system controls, there are variations on how they
can be applied within a computer system.

There are four basic RBAC architectures:


1 Non-RBAC: Non-RBAC is simply a user-granted access to data or an application by traditional mapping,
such as with ACLs. There are no formal "roles" associated with the mappings, other than any identified by
the particular user.

2 Limited RBAC: Limited RBAC is achieved when users are mapped to roles within a single application
rather than through an organization-wide role structure. Users in a limited RBAC system are also able to
access non-RBAC-based applications or data. For example, a user may be assigned to multiple roles
within several applications and, in addition, have direct access to another application or system
independent of his or her assigned role. The key attribute of limited RBAC is that the role for that user is
defined within an application and not necessarily based on the user's organizational job function.

3 Hybrid RBAC: Hybrid RBAC introduces the use of a role that is applied to multiple applications or
systems based on a user's specific role within the organization. That role is then applied to applications or
systems that subscribe to the organization's role-based model. However, as the term "hybrid" suggests,
there are instances where the subject may also be assigned to roles defined solely within specific
applications, complementing (or, perhaps, contradicting) the larger, more encompassing organizational role
used by other systems.

4 Full RBAC: Full RBAC systems are controlled by roles defined by the organization's policy and access
control infrastructure and then applied to applications and systems across the enterprise. The applications,
systems, and associated data apply permissions based on that enterprise definition, and not one defined
by a specific application or system.

Be careful not to try to make MAC and DAC opposites of each other -- they are two different access control
strategies with RBAC being a third strategy that was defined later to address some of the limitations of
MAC and DAC.

The other answers are not correct because:


Mandatory access control is incorrect because though it is by definition not discretionary, it is not called
"non-discretionary access control." MAC makes use of label to indicate the sensitivity of the object and it
also makes use of categories to implement the need to know.

Label-based access control is incorrect because this is not a name for a type of access control but simply
a bogus detractor.

Lattice based access control is not adequate either. A lattice is a series of levels and a subject will be
granted an upper and lower bound within the series of levels. These levels could be sensitivity levels or
they could be confidentiality levels or they could be integrity levels.

Reference(s) used for this question:

All in One, third edition, page 165


Ferraiolo, D., Kuhn, D. & Chandramouli, R. (2003). Role-Based Access Control, p. 18

Ferraiolo, D., Kuhn, D. (1992). Role-Based Access Controls. http://csrc.nist.gov/rbac/


Role_Based_Access_Control-1992html

Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition :
Access Control ((ISC)2 Press) (Kindle Locations 1557-1584). Auerbach Publications. Kindle Edition.

Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition :
Access Control ((ISC)2 Press) (Kindle Locations 1474-1477). Auerbach Publications. Kindle Edition.

QUESTION 110
Which access model is most appropriate for companies with a high employee turnover?

A. Role-based access control


B. Mandatory access control
C. Lattice-based access control
D. Discretionary access control

Correct Answer: A
Explanation

Explanation/Reference:
The underlying problem for a company with a lot of turnover is assuring that new employees are assigned
the correct access permissions and that those permissions are removed when they leave the company.
Selecting the best answer requires one to think about the access control options in the context of a
company with a lot of flux in the employee population. RBAC simplifies the task of assigning permissions
because the permissions are assigned to roles which do not change based on who belongs to them. As
employees join the company, it is simply a matter of assigning them to the appropriate roles and their
permissions derive from their assigned role. They will implicitly inherit the permissions of the role or roles
they have been assigned to. When they leave the company or change jobs, their role assignment is
revoked/changed appropriately.

Mandatory access control is incorrect. While controlling access based on the clearance level of employees
and the sensitivity of objects is a better choice than some of the other incorrect answers, it is not the best
choice when RBAC is an option and you are looking for the best solution for a high number of employees
constantly leaving or joining the company.

Lattice-based access control is incorrect. The lattice is really a mathematical concept that is used in
formally modeling information flow (Bell-Lapadula, Biba, etc). In the context of the question, an abstract
model of information flow is not an appropriate choice. CBK, pp. 324-325

Discretionary access control is incorrect. When an employee joins or leaves the company, the object
owner must grant or revoke access for that employee on all the objects they own. Problems would also
arise when the owner of an object leaves the company. The complexity of assuring that the permissions
are added and removed correctly makes this the least desirable solution in this situation.

References:
All in One, third edition page 165
RBAC is discussed on pp. 189 through 191 of the ISC(2) guide.
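The joiner/mover/leaver argument above is worth seeing as code. Below is an added example (not from the exam dump, the Harris text or the ISC2 guide) of a small RBAC engine in which permissions attach to roles and users attach to roles, so onboarding is one assignment and offboarding is one removal. The roles, permissions, user names and the "replace, don't accumulate" rule for job changes are constructed for illustration.

```python
# Constructed role structure for a small finance team. Not from any real directory.
ROLE_PERMISSIONS = {
    "ap_clerk":   {("invoices", "read"), ("invoices", "write")},
    "auditor":    {("invoices", "read"), ("audit_log", "read")},
    "ap_manager": {("invoices", "read"), ("invoices", "approve")},
}

class Rbac:
    def __init__(self, role_permissions):
        self.roles = {r: set(p) for r, p in role_permissions.items()}
        self.members = {}          # user -> set of role names

    def onboard(self, user, *roles):
        """Joiner: one assignment; every permission follows from the role."""
        unknown = set(roles) - self.roles.keys()
        if unknown:
            raise KeyError(f"undefined roles: {sorted(unknown)}")
        self.members[user] = set(roles)

    def transfer(self, user, *roles):
        """Mover: replace rather than accumulate, so old-job access does not linger
        (accumulation is the 'privilege creep' that DAC makes hard to avoid)."""
        self.onboard(user, *roles)

    def offboard(self, user):
        """Leaver: drop the membership and every permission goes with it, with no
        per-object cleanup by individual data owners."""
        self.members.pop(user, None)

    def permitted(self, user, obj, action):
        return any((obj, action) in self.roles[r] for r in self.members.get(user, ()))

    def permissions(self, user):
        return set().union(*(self.roles[r] for r in self.members.get(user, ())))

if __name__ == "__main__":
    rbac = Rbac(ROLE_PERMISSIONS)
    rbac.onboard("dana", "ap_clerk")
    print("joiner:", sorted(rbac.permissions("dana")))
    rbac.transfer("dana", "auditor")           # job change: clerk rights must vanish
    print("mover: write invoices =", rbac.permitted("dana", "invoices", "write"),
          " read audit_log =", rbac.permitted("dana", "audit_log", "read"))
    rbac.offboard("dana")
    print("leaver:", rbac.permissions("dana"))
```

Contrast this with the DAC case the explanation describes: there, Dana's departure would require every owner of every object she could touch to find and revoke her entry, and objects she owned would need a new owner before anyone else could administer them.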

QUESTION 111
In a security context what are database views used for?

A. To ensure referential integrity


B. To allow easier access to data in a database
C. To restrict user access to data in a database
D. To provide audit trails

Correct Answer: C
Explanation
Explanation/Reference:
The use of a database view allows sensitive information to be hidden from unauthorized users. For
example, the employee table might contain employee name, address, office extension and sensitive
information such as social security number, etc. A view of the table could be constructed and assigned to
the switchboard operator that only included the name and office extension.

To ensure referential integrity is incorrect. Referential integrity states that for each foreign key value in a
database table, there must be another table that contains a record with that value as its primary key (CBK,
p. 607). For example, consider a record in the line-items table of an order management database -- this
table contains a foreign key of part-number from the parts-master table. Referential integrity states that for
each part-number value in the line-items table, there must be a matching record with that same value in
the parts-master table. Referential integrity helps avoid consistency problems that could occur when, for
example, a part-number was deleted from parts-master that still appeared on records in the line-items
table.

To allow easier access to the database is incorrect. While views can be used for this purpose by, for
example, combining information from several tables in a single view, this is not the best answer for the use
of views in a security context.

To provide audit trails is incorrect. Since a view only affects what columns of a table are shown, this has
nothing to do with providing an audit trail.

References:
CBK, p. 632
AIOv3, p.168

QUESTION 112
What can be defined as a list of subjects along with their access rights that are authorized to access a
specific object?

A. A capability table
B. An access control list
C. An access control matrix
D. A role-based matrix

Correct Answer: B
Explanation

Explanation/Reference:
"It [ACL] specifies a list of users [subjects] who are allowed access to each object" CBK, p. 188

A capability table is incorrect. "Capability tables are used to track, manage and apply controls based on the
object and rights, or capabilities of a subject. For example, a table identifies the object, specifies access
rights allowed for a subject, and permits access based on the user's possession of a capability (or ticket) for
the object." CBK, pp. 191-192 The distinction that makes this an incorrect choice is that access is based
on possession of a capability by the subject. To put it another way, as noted in AIO3 on p. 169, "A capability
table is different from an ACL because the subject is bound to the capability table, whereas the object is
bound to the ACL."

An access control matrix is incorrect. The access control matrix is a way of describing the rules for an
access control strategy. The matrix lists the users, groups and roles down the left side and the resources
and functions across the top. The cells of the matrix can either indicate that access is allowed or indicate
the type of access. CBK pp 317 - 318

AIO3, p. 169 describes it as a table of subjects and objects specifying the access rights a certain subject
possesses pertaining to specific objects.

In either case, the matrix is a way of analyzing the access control needed by a population of subjects to a
population of objects. This access control can be applied using rules, ACL's, capability tables, etc.

A role-based matrix is incorrect. Again, a matrix of roles vs objects could be used as a tool for thinking
about the access control to be applied to a set of objects. The results of the analysis could then be
implemented using RBAC.

References:
CBK, Domain 2: Access Control.
AIO3, Chapter 4: Access Control

QUESTION 113
What is the difference between Access Control Lists (ACLs) and Capability Tables?

A. Access control lists are related/attached to a subject whereas capability tables are related/attached to
an object.
B. Access control lists are related/attached to an object whereas capability tables are related/attached to a
subject.
C. Capability tables are used for objects whereas access control lists are used for users.
D. They are basically the same.

Correct Answer: B
Explanation

Explanation/Reference:
Capability tables are used to track, manage and apply controls based on the object and rights, or
capabilities of a subject. For example, a table identifies the object, specifies access rights allowed for a
subject, and permits access based on the user's possession of a capability (or ticket) for the object. It is a
row within the matrix.
To put it another way, a capability table is different from an ACL because the subject is bound to the
capability table, whereas the object is bound to the ACL.

CLEMENT NOTE:

If we wish to express this very simply:

Capabilities are attached to a subject and describe what access the subject has to each of the objects on
the row that matches the subject within the matrix. It is a row within the matrix.

ACLs are attached to objects and describe who has access to the object and what type of access they have.
It is a column within the matrix.

The following are incorrect answers:

"Access control lists are subject-based whereas capability tables are object-based" is incorrect. "Capability
tables are used for objects whereas access control lists are used for users" is incorrect.

"They are basically the same" is incorrect.

References used for this question:

CBK, pp. 191 - 192
AIO3 p. 169

QUESTION 114
What can be defined as a table of subjects and objects indicating what actions individual subjects can take
upon individual objects?

A. A capacity table
B. An access control list
C. An access control matrix
D. A capability table

Correct Answer: C
Explanation

Explanation/Reference:
The matrix lists the users, groups and roles down the left side and the resources and functions across the
top. The cells of the matrix can either indicate that access is allowed or indicate the type of access. CBK
pp 317 - 318

AIO3, p. 169 describes it as a table of subjects and objects specifying the access rights a certain subject
possesses pertaining to specific objects.
In either case, the matrix is a way of analyzing the access control needed by a population of subjects to a
population of objects. This access control can be applied using rules, ACL's, capability tables, etc.

"A capacity table" is incorrect. This answer is a trap for the unwary -- it sounds a little like "capability
table" but is just there to distract you.

"An access control list" is incorrect. "It [ACL] specifies a list of users [subjects] who are allowed access to
each object" CBK, p. 188 Access control lists (ACL) could be used to implement the rules identified by an
access control matrix but are different from the matrix itself.

"A capability table" is incorrect. "Capability tables are used to track, manage and apply controls based on
the object and rights, or capabilities of a subject. For example, a table identifies the object, specifies access
rights allowed for a subject, and permits access based on the user's possession of a capability (or ticket) for
the object." CBK, pp. 191-192 To put it another way, as noted in AIO3 on p. 169, "A capability table is
different from an ACL because the subject is bound to the capability table, whereas the object is bound to
the ACL." Again, a capability table could be used to implement the rules identified by an access control
matrix but is different from the matrix itself.

References:
CBK pp. 191-192, 317-318
AIO3, p. 169
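
The row/column distinction drawn in Questions 112 to 114, as an added example in C that is not from the CBK, the AIO book or this question bank: a small access control matrix over a constructed set of subjects and objects, with one function that extracts an object's ACL (a column) and one that extracts a subject's capability list (a row).

```c
#include <stdio.h>
#include <string.h>

/* Rights as bit flags; each cell of the matrix holds a combination of these. */
enum { R_READ = 1, R_WRITE = 2, R_EXEC = 4 };

#define NSUBJ 3
#define NOBJ 3

/* Constructed sample population (an assumption, not from the question bank). */
static const char *subjects[NSUBJ] = { "alice", "bob", "carol" };
static const char *objects[NOBJ]   = { "payroll.db", "report.doc", "backup.sh" };

/* The access control matrix: one row per subject, one column per object. */
static const unsigned matrix[NSUBJ][NOBJ] = {
    /* payroll.db          report.doc          backup.sh        */
    { R_READ | R_WRITE,    R_READ,             0               }, /* alice */
    { 0,                   R_READ | R_WRITE,   R_EXEC          }, /* bob   */
    { R_READ,              0,                  R_READ | R_EXEC }, /* carol */
};

static int subject_index(const char *name) {
    for (int i = 0; i < NSUBJ; i++)
        if (strcmp(subjects[i], name) == 0) return i;
    return -1;
}

static int object_index(const char *name) {
    for (int j = 0; j < NOBJ; j++)
        if (strcmp(objects[j], name) == 0) return j;
    return -1;
}

/* Look up one cell: does the subject hold every requested right on the object? */
int access_allowed(const char *subject, const char *object, unsigned right) {
    int i = subject_index(subject), j = object_index(object);
    if (i < 0 || j < 0) return 0;            /* unknown subject or object: deny */
    return (matrix[i][j] & right) == right;
}

/* ACL view: one COLUMN of the matrix, bound to the object. Fills out[] with the
   subjects holding any right on the object and returns how many there are. */
int acl_for_object(const char *object, const char *out[], int max) {
    int j = object_index(object), n = 0;
    if (j < 0) return 0;
    for (int i = 0; i < NSUBJ && n < max; i++)
        if (matrix[i][j]) out[n++] = subjects[i];
    return n;
}

/* Capability view: one ROW of the matrix, bound to the subject. Fills out[] with
   the objects the subject holds any right on (its "tickets") and returns the count. */
int capabilities_for_subject(const char *subject, const char *out[], int max) {
    int i = subject_index(subject), n = 0;
    if (i < 0) return 0;
    for (int j = 0; j < NOBJ && n < max; j++)
        if (matrix[i][j]) out[n++] = objects[j];
    return n;
}

int main(void) {
    const char *names[NSUBJ > NOBJ ? NSUBJ : NOBJ];
    int n = acl_for_object("payroll.db", names, NSUBJ);
    printf("ACL for payroll.db (%d entries):", n);
    for (int k = 0; k < n; k++) printf(" %s", names[k]);
    printf("\n");

    n = capabilities_for_subject("bob", names, NOBJ);
    printf("capabilities of bob (%d entries):", n);
    for (int k = 0; k < n; k++) printf(" %s", names[k]);
    printf("\n");

    printf("carol may write payroll.db? %s\n",
           access_allowed("carol", "payroll.db", R_WRITE) ? "yes" : "no");
    return 0;
}
```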

QUESTION 115
Which access control model is best suited in an environment where a high security level is required and
where it is desired that only the administrator grants access control?

A. DAC
B. MAC
C. Access control matrix
D. TACACS

Correct Answer: B
Explanation

Explanation/Reference:
MAC provides high security by regulating access based on the clearance of individual users and sensitivity
labels for each object. Clearance levels and sensitivity levels cannot be modified by individual users -- for
example, user Joe (SECRET clearance) cannot reclassify the "Presidential Doughnut Recipe" from
"SECRET" to "CONFIDENTIAL" so that his friend Jane (CONFIDENTIAL clearance) can read it. The
administrator is ultimately responsible for configuring this protection in accordance with security policy and
directives from the Data Owner.

DAC is incorrect. In DAC, the data owner is responsible for controlling access to the object. Access control
matrix is incorrect. The access control matrix is a way of thinking about the access control needed by a
population of subjects to a population of objects. This access control can be applied using rules, ACL's,
capability tables, etc. TACACS is incorrect. TACACS is a tool for performing user authentication.

References:
CBK, p. 187, Domain 2: Access Control.
AIO3, Chapter 4, Access Control.

QUESTION 116
What is the primary goal of setting up a honey pot?

A. To lure hackers into attacking unused systems
B. To entrap and track down possible hackers
C. To set up a sacrificial lamb on the network
D. To know when certain types of attacks are in progress and to learn about attack techniques so the
network can be fortified.

Correct Answer: D
Explanation

Explanation/Reference:
The primary purpose of a honeypot is to study the attack methods of an attacker for the purposes of
understanding their methods and improving defenses.

"To lure hackers into attacking unused systems" is incorrect. Honeypots can serve as decoys but their
primary purpose is to study the behaviors of attackers.

"To entrap and track down possible hackers" is incorrect. There are a host of legal issues around
enticement vs entrapment but a good general rule is that entrapment is generally prohibited and evidence
gathered in a scenario that could be considered as "entrapping" an attacker would not be admissible in a
court of law.
"To set up a sacrificial lamb on the network" is incorrect. While a honeypot is a sort of sacrificial lamb and
may attract attacks that might have been directed against production systems, its real purpose is to study
the methods of attackers with the goals of better understanding and improving network defenses.
References:
AIO3, p. 213

QUESTION 117
Which of the following countermeasures would be the most appropriate to prevent possible intrusion or
damage from wardialing attacks?

A. Monitoring and auditing for such activity
B. Require user authentication
C. Making sure only necessary phone numbers are made public
D. Using completely different numbers for voice and data accesses

Correct Answer: B
Explanation

Explanation/Reference:
Knowledge of modem numbers is a poor access control method as an attacker can discover modem
numbers by dialing all numbers in a range. Requiring user authentication before remote access is granted
will help in avoiding unauthorized access over a modem line.

"Monitoring and auditing for such activity" is incorrect. While monitoring and auditing can assist in detecting
a wardialing attack, they do not defend against a successful wardialing attack.

"Making sure that only necessary phone numbers are made public" is incorrect. Since a wardialing attack
blindly calls all numbers in a range, whether certain numbers in the range are public or not is irrelevant.

"Using completely different numbers for voice and data accesses" is incorrect. Using different number
ranges for voice and data access might help prevent an attacker from stumbling across the data lines while
wardialing the public voice number range but this is not an adequate countermeasure.

References:
CBK, p. 214
AIO3, p. 534-535

QUESTION 118
Which access control model provides upper and lower bounds of access capabilities for a subject?

A. Role-based access control
B. Lattice-based access control
C. Biba access control
D. Content-dependent access control

Correct Answer: B
Explanation

Explanation/Reference:
In the lattice model, users are assigned security clearances and the data is classified. Access decisions
are made based on the clearance of the user and the classification of the object. Lattice-based access
control is an essential ingredient of formal security models such as Bell-LaPadula, Biba, Chinese Wall,
etc.

The bounds concept comes from the formal definition of a lattice as a "partially ordered set for which every
pair of elements has a greatest lower bound and a least upper bound." To see the application, consider a
file classified as "SECRET" and a user Joe with a security clearance of "TOP SECRET." Under Bell-
LaPadula, Joe's "least upper bound" access to the file is "READ" and his least lower bound is "NO WRITE"
(star property).

Role-based access control is incorrect. Under RBAC, the access is controlled by the permissions assigned
to a role and the specific role assigned to the user.

Biba access control is incorrect. The Biba integrity model is based on a lattice structure but the context of
the question disqualifies it as the best answer.

Content-dependent access control is incorrect. In content-dependent access control, the actual content of
the information determines access as enforced by the arbiter.

References:
CBK, pp. 324-325
AIO3, pp. 291-293 See particularly Figure 5-19 on p. 293 for an illustration of bounds in action.

QUESTION 119
How are memory cards and smart cards different?

A. Memory cards normally hold more memory than smart cards
B. Smart cards provide a two-factor authentication whereas memory cards don't
C. Memory cards have no processing power
D. Only smart cards can be used for ATM cards

Correct Answer: C
Explanation

Explanation/Reference:
The main difference between memory cards and smart cards is their capacity to process information. A
memory card holds information but cannot process information. A smart card holds information and has the
necessary hardware and software to actually process that information.
A memory card holds a user's authentication information, so that this user needs only type in a user ID or
PIN and presents the memory card to the system. If the entered information and the stored information
match and are approved by an authentication service, the user is successfully authenticated.
A common example of a memory card is a swipe card used to provide entry to a building. The user enters
a PIN and swipes the memory card through a card reader. If this is the correct combination, the reader
flashes green and the individual can open the door and enter the building.
Memory cards can also be used with computers, but they require a reader to process the information. The
reader adds cost to the process, especially when one is needed for every computer. Additionally, the
overhead of PIN and card generation adds additional overhead and complexity to the whole authentication
process. However, a memory card provides a more secure authentication method than using only a
password because the attacker would need to obtain the card and know the correct PIN.
Administrators and management need to weigh the costs and benefits of a memory card implementation
as well as the security needs of the organization to determine if it is the right authentication mechanism for
their environment.
One of the most prevalent weaknesses of memory cards is that data stored on the card are not protected.
Unencrypted data on the card (or stored on the magnetic strip) can be extracted or copied. Unlike a smart
card, where security controls and logic are embedded in the integrated circuit, memory cards do not
employ an inherent mechanism to protect the data from exposure. Very little trust can be associated with
confidentiality and integrity of information on the memory cards.

The following answers are incorrect:

"Smart cards provide two-factor authentication whereas memory cards don't" is incorrect. This is not
necessarily true. A memory card can be combined with a PIN or password to offer two-factor
authentication, where something you have and something you know are used as the factors.

"Memory cards normally hold more memory than smart cards" is incorrect. While a memory card may or may
not have more memory than a smart card, this is certainly not the best answer to the question.

"Only smart cards can be used for ATM cards" is incorrect. This depends on the decisions made by the
particular institution and is not the best answer to the question.

Reference(s) used for this question:

Shon Harris, CISSP All In One, 6th edition, Access Control, Page 199 (for people using the Kindle edition of
the book, Locations 4647-4650).
Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition: Access Control
((ISC)2 Press) (Kindle Locations 2124-2139). Auerbach Publications. Kindle Edition.

QUESTION 120
Which of the following issues is not addressed by Kerberos?

A. Availability
B. Confidentiality
C. Integrity
D. Authentication

Correct Answer: A
Explanation

Explanation/Reference:
The KDC (Kerberos Distribution Center) can be a single point of failure. Confidentiality is incorrect.
Kerberos does ensure confidentiality, keeping communications private between systems over a network.
Integrity is incorrect. Kerberos does ensure integrity. Authentication is incorrect. Kerberos does provide
authentication.

References:
CBK pp 181-194

QUESTION 121
Why do buffer overflows happen? What is the main cause?

A. Because buffers can only hold so much data
B. Because of improper parameter checking within the application
C. Because they are an easy weakness to exploit
D. Because of insufficient system memory

Correct Answer: B
Explanation

Explanation/Reference:
A buffer overflow attack takes advantage of improper parameter checking within the application. This is the
classic form of buffer overflow and occurs because the programmer accepts whatever input the user
supplies without checking to make sure that the length of the input is less than the size of the buffer in the
program.

The buffer overflow problem is one of the oldest and most common problems in software development and
programming, dating back to the introduction of interactive computing. It can result when a program fills up
the assigned buffer of memory with more data than its buffer can hold. When the program begins to write
beyond the end of the buffer, the program's execution path can be changed, or data can be written into
areas used by the operating system itself. This can lead to the insertion of malicious code that can be used
to gain administrative privileges on the program or system.

As explained by Gaurab, it can become very complex. Even if you are checking the length of the input at
the time of input, it has to be checked against the size of the buffer it is copied into. Consider a case where
the data is stored in Buffer1 of Application1 and then copied to Buffer2 within Application2 later on; if you
are just checking the length of the data against Buffer1, that will not ensure that it does not cause a buffer
overflow in Buffer2 of Application2.

A bit of reassurance from the ISC2 book about level of Coding Knowledge needed for the exam:
It should be noted that the CISSP is not required to be an expert programmer or know the inner workings
of developing application software code, like the FORTRAN programming language, or how to develop
Web applet code using Java. It is not even necessary that the CISSP know detailed security-specific
coding practices such as the major divisions of buffer overflow exploits or the reason for preferring str(n)cpy
to strcpy in the C language (although all such knowledge is, of course, helpful). Because the CISSP
may be the person responsible for ensuring that security is included in such developments, the CISSP
should know the basic procedures and concepts involved during the design and development of software
programming. That is, in order for the CISSP to monitor the software development process and verify that
security is included, the CISSP must understand the fundamental concepts of programming developments
and the security strengths and weaknesses of various application development processes.

The following are incorrect answers:

"Because buffers can only hold so much data" is incorrect. This is certainly true but is not the best answer
because the finite size of the buffer is not the problem -- the problem is that the programmer did not check
the size of the input before moving it into the buffer.

"Because they are an easy weakness to exploit" is incorrect. This answer is sometimes true but is not the
best answer because the root cause of the buffer overflow is that the programmer did not check the size of
the user input.

"Because of insufficient system memory" is incorrect. This is irrelevant to the occurrence of a buffer
overflow.

Reference(s) used for this question:

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2
Press) (Kindle Locations 13319-13323). Auerbach Publications. Kindle Edition.
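
The two-buffer scenario in the explanation above, as an added C example that is not from the cited book: the classic length check sized to Buffer1 passes input that the smaller Buffer2 cannot hold, while a copy routine that checks against the destination size at every hop refuses it. The buffer sizes and the sample inputs are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Sizes of the two buffers in the explanation's scenario (constructed values). */
#define BUFFER1_SIZE 64   /* Application1's input buffer                       */
#define BUFFER2_SIZE 16   /* Application2's buffer the data is copied into later */

/* The "classic" check: validate the input against the size of the buffer it is
   first stored in. Returns 1 if text (plus its NUL) fits in buffer_size bytes. */
int fits_in(const char *text, size_t buffer_size) {
    return strlen(text) < buffer_size;   /* strictly less: one byte for the NUL */
}

/* The pattern the explanation warns about: a copy with no bound at all. strcpy()
   writes strlen(src)+1 bytes into dst regardless of how big dst is, so input
   longer than the destination corrupts whatever follows it in memory. Shown for
   contrast only; nothing below calls it with oversized input. */
void unbounded_copy(char *dst, const char *src) {
    strcpy(dst, src);
}

/* Hardened copy: the check is made against the DESTINATION size at every hop,
   not against the size of the buffer the data happened to arrive in.
   Returns 0 on success, -1 if the data would not fit (dst is left empty). */
int bounded_copy(char *dst, size_t dst_size, const char *src) {
    if (dst_size == 0) return -1;
    if (!fits_in(src, dst_size)) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, strlen(src) + 1);
    return 0;
}

/* Walks the two-application scenario: input is accepted into Buffer1, then
   copied into the smaller Buffer2. Returns the number of hops that succeeded
   (2: data reached Buffer2 safely; 1: Buffer2 refused it; 0: Buffer1 refused it). */
int two_hop_copy(const char *input, char *buffer2, size_t buffer2_size) {
    char buffer1[BUFFER1_SIZE];
    if (bounded_copy(buffer1, sizeof buffer1, input) != 0) return 0;
    if (bounded_copy(buffer2, buffer2_size, buffer1) != 0) return 1;
    return 2;
}

int main(void) {
    /* Constructed inputs: 12 bytes fits both buffers, 40 bytes fits only Buffer1. */
    const char *short_input = "hello, world";
    const char *long_input  = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    char buffer2[BUFFER2_SIZE];

    printf("long input passes the Buffer1 check: %d\n", fits_in(long_input, BUFFER1_SIZE));
    printf("long input passes the Buffer2 check: %d\n", fits_in(long_input, BUFFER2_SIZE));
    printf("hops completed for short input: %d\n", two_hop_copy(short_input, buffer2, sizeof buffer2));
    printf("hops completed for long input:  %d\n", two_hop_copy(long_input, buffer2, sizeof buffer2));
    return 0;
}
```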

QUESTION 122
What is the main focus of the Bell-LaPadula security model?

A. Accountability
B. Integrity
C. Confidentiality
D. Availability

Correct Answer: C
Explanation

Explanation/Reference:
The Bell-LaPadula model is a formal model dealing with confidentiality. The Bell-LaPadula Model
(abbreviated BLP) is a state machine model used for enforcing access control in government and military
applications. It was developed by David Elliott Bell and Leonard J. LaPadula, subsequent to strong
guidance from Roger R. Schell to formalize the U.S. Department of Defense (DoD) multilevel security
(MLS) policy. The model is a formal state transition model of computer security policy that describes a set
of access control rules which use security labels on objects and clearances for subjects. Security labels
range from the most sensitive (e.g., "Top Secret"), down to the least sensitive (e.g., "Unclassified" or
"Public"). The Bell-LaPadula model focuses on data confidentiality and controlled access to classified
information, in contrast to the Biba Integrity Model which describes rules for the protection of data integrity.
In this formal model, the entities in an information system are divided into subjects and objects.
The notion of a "secure state" is defined, and it is proven that each state transition preserves security by
moving from secure state to secure state, thereby inductively proving that the system satisfies the security
objectives of the model. The Bell-LaPadula model is built on the concept of a state machine with a set of
allowable states in a computer network system. The transition from one state to another state is defined by
transition functions.

A system state is defined to be "secure" if the only permitted access modes of subjects to objects are in
accordance with a security policy. To determine whether a specific access mode is allowed, the clearance
of a subject is compared to the classification of the object (more precisely, to the combination of
classification and set of compartments, making up the security level) to determine if the subject is
authorized for the specific access mode. The clearance/classification scheme is expressed in terms of a
lattice. The model defines two mandatory access control (MAC) rules and one discretionary access control
(DAC) rule with three security properties:

The Simple Security Property - a subject at a given security level may not read an object at a higher
security level (no read-up).
The *-property (read "star"-property) - a subject at a given security level must not write to any object at a
lower security level (no write-down). The *-property is also known as the Confinement property.
The Discretionary Security Property - use of an access matrix to specify the discretionary access control.

The following are incorrect answers:

Accountability is incorrect. Accountability requires that actions be traceable to the user that performed
them and is not addressed by the Bell-LaPadula model.

Integrity is incorrect. Integrity is addressed in the Biba model rather than Bell-LaPadula.

Availability is incorrect. Availability is concerned with assuring that data/services are available to
authorized users as specified in service level objectives and is not addressed by the Bell-LaPadula model.

References:
CBK, pp. 325-326
AIO3, pp. 279 - 284
AIOv4 Security Architecture and Design (pages 333 - 336)
AIOv5 Security Architecture and Design (pages 336 - 338)
Wikipedia at https://en.wikipedia.org/wiki/Bell-La_Padula_model

QUESTION 123
Which of the following statements pertaining to the Bell-LaPadula is TRUE if you are NOT making use of
the strong star property?

A. It allows "read up."
B. It addresses covert channels.
C. It addresses management of access controls.
D. It allows "write up."

Correct Answer: A
Explanation

Explanation/Reference:
Bell-LaPadula Confidentiality Model. The Bell-LaPadula model is perhaps the most well-known and
significant security model, in addition to being one of the oldest models used in the creation of modern
secure computing systems. Like the Trusted Computer System Evaluation Criteria (or TCSEC), it was
inspired by early U.S. Department of Defense security policies and the need to prove that confidentiality
could be maintained. In other words, its primary goal is to prevent disclosure as the model system moves
from one state (one point in time) to another. When the strong star property is not being used it means that
both the * property and the Simple Security Property rules would be applied.

The Star (*) property rule of the Bell-LaPadula model says that subjects cannot write down; this would
compromise the confidentiality of the information if someone at the secret layer were to write the object
down to a confidential container, for example. The Simple Security Property rule states that the subject
cannot read up, which means that a subject at the secret layer would not be able to access objects at Top
Secret, for example. You must remember: the model tells you what you are NOT allowed to do. Anything
else would be allowed. For example, within the Bell-LaPadula model you would be allowed to write up as it
does not compromise the security of the information. In fact it would upgrade it to the point that you could
lock yourself out of your own information if you have only a secret security clearance.

The following are incorrect answers because they are all FALSE:

"It allows read up" is incorrect. The "simple security" property forbids read up.

"It addresses covert channels" is incorrect. Covert channels are not addressed by the Bell-LaPadula model.

"It addresses management of access controls" is incorrect. Management of access controls is beyond
the scope of the Bell-LaPadula model.

Reference(s) used for this question:

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2
Press) (Kindle Locations 17595-17600). Auerbach Publications. Kindle Edition.
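
The lattice bounds of Question 118 and the Bell-LaPadula properties of Questions 122 and 123, as an added C example that is not from the cited references: a label is a level plus a constructed set of compartments, the dominance relation gives the lattice its least upper and greatest lower bounds, and the read/write checks implement the simple security property, the *-property and the strong star property.

```c
#include <stdio.h>

/* Hierarchical classification levels, ordered from low to high. */
enum level { UNCLASSIFIED = 0, CONFIDENTIAL = 1, SECRET = 2, TOP_SECRET = 3 };

/* Constructed need-to-know compartments as bit flags (an assumption for the example). */
enum { C_NUCLEAR = 1u << 0, C_CRYPTO = 1u << 1 };

/* A security label = level + set of compartments. The same struct is used for a
   subject's clearance and for an object's classification. */
struct label {
    enum level level;
    unsigned compartments;
};

/* The partial order of the lattice: a dominates b when its level is at least b's
   AND its compartment set contains b's. Two labels with disjoint compartments
   dominate each other in neither direction (they are incomparable). */
int dominates(struct label a, struct label b) {
    return a.level >= b.level &&
           (a.compartments & b.compartments) == b.compartments;
}

/* Least upper bound: the smallest label that dominates both a and b. */
struct label lub(struct label a, struct label b) {
    struct label r = { a.level > b.level ? a.level : b.level,
                       a.compartments | b.compartments };
    return r;
}

/* Greatest lower bound: the largest label dominated by both a and b. */
struct label glb(struct label a, struct label b) {
    struct label r = { a.level < b.level ? a.level : b.level,
                       a.compartments & b.compartments };
    return r;
}

/* Simple Security Property (no read-up): the subject's clearance must dominate
   the object's classification. */
int can_read(struct label subject, struct label object) {
    return dominates(subject, object);
}

/* *-property (no write-down): the object's classification must dominate the
   subject's clearance, so writing up is allowed. Under the strong star property
   the two labels must be equal, confining writes to the subject's own level. */
int can_write(struct label subject, struct label object, int strong_star) {
    if (strong_star)
        return dominates(subject, object) && dominates(object, subject);
    return dominates(object, subject);
}

int main(void) {
    struct label joe  = { TOP_SECRET, C_NUCLEAR | C_CRYPTO }; /* TOP SECRET clearance */
    struct label file = { SECRET, C_NUCLEAR };                /* SECRET file          */
    struct label jane = { CONFIDENTIAL, 0 };                  /* CONFIDENTIAL clearance */

    printf("Joe reads the SECRET file:   %d (read-down allowed)\n", can_read(joe, file));
    printf("Joe writes the SECRET file:  %d (write-down denied)\n", can_write(joe, file, 0));
    printf("Jane reads the SECRET file:  %d (read-up denied)\n", can_read(jane, file));
    printf("Jane writes the SECRET file: %d (write-up allowed)\n", can_write(jane, file, 0));
    printf("Jane writes it under strong star: %d (only her own level)\n",
           can_write(jane, file, 1));

    struct label bound = lub(file, jane);
    printf("lub(SECRET{NUCLEAR}, CONFIDENTIAL{}) = level %d, compartments %u\n",
           (int)bound.level, bound.compartments);
    return 0;
}
```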

QUESTION 124
Which security model introduces access to objects only through programs?

A. The Biba model
B. The Bell-LaPadula model
C. The Clark-Wilson model
D. The information flow model

Correct Answer: C
Explanation

Explanation/Reference:
In the Clark-Wilson model, the subject no longer has direct access to objects but instead must access
them through programs (well-formed transactions). The Clark-Wilson integrity model provides a foundation
for specifying and analyzing an integrity policy for a computing system.

The model is primarily concerned with formalizing the notion of information integrity. Information integrity is
maintained by preventing corruption of data items in a system due to either error or malicious intent. An
integrity policy describes how the data items in the system should be kept valid from one state of the
system to the next and specifies the capabilities of various principals in the system. The model defines
enforcement rules and certification rules. Clark-Wilson is more clearly applicable to business and industry
processes in which the integrity of the information content is paramount at any level of classification.

Integrity goals of the Clark-Wilson model:

Prevent unauthorized users from making modifications (only this one is addressed by the Biba model).
Separation of duties prevents authorized users from making improper modifications.
Well-formed transactions maintain internal and external consistency, i.e. a well-formed transaction is a
series of operations that are carried out to transfer the data from one consistent state to the other.

The following are incorrect answers:

The Biba model is incorrect. The Biba model is concerned with integrity and controls access to objects
based on a comparison of the security level of the subject to that of the object.

The Bell-LaPadula model is incorrect. The Bell-LaPadula model is concerned with confidentiality and
controls access to objects based on a comparison of the clearance level of the subject to the classification
level of the object.

The information flow model is incorrect. The information flow model uses a lattice where objects are
labelled with security classes and information can flow either upward or at the same level. It is similar in
framework to the Bell-LaPadula model.

References:
ISC2 Official Study Guide, Pages 325 - 327
AIO3, pp. 284 - 287
AIOv4 Security Architecture and Design (pages 338 - 342) AIOv5 Security Architecture and Design (pages
341 - 344)

Wikipedia at: https://en.wikipedia.org/wiki/Clark-Wilson_model

QUESTION 125
An Intrusion Detection System (IDS) is what type of control?

A. A preventive control.
B. A detective control.
C. A recovery control.
D. A directive control.

Correct Answer: B
Explanation

Explanation/Reference:
These controls can be used to investigate what happened after the fact. Your IDS may collect information
on where the attack came from, what port was used, and other details that could be used in the
investigation steps.

"Preventative control" is incorrect. Preventative controls preclude events or actions that might compromise
a system or cause a policy violation. An intrusion prevention system would be an example of a
preventative control.

"Recovery control" is incorrect. Recovery controls include processes used to return the system to a secure
state after the occurrence of a security incident. Backups and redundant components are examples of
recovery controls.

"Directive controls" is incorrect. Directive controls are administrative instruments such as policies,
procedures, guidelines, and agreements. An acceptable use policy is an example of a directive control.

References:
CBK, pp. 646-647

QUESTION 126
Smart cards are an example of which type of control?

A. Detective control
B. Administrative control
C. Technical control
D. Physical control

Correct Answer: C
Explanation

Explanation/Reference:
Logical or technical controls involve the restriction of access to systems and the protection of information.
Smart cards and encryption are examples of these types of control.

Controls are put into place to reduce the risk an organization faces, and they come in three main flavors:
administrative, technical, and physical. Administrative controls are commonly referred to as "soft controls"
because they are more management-oriented. Examples of administrative controls are security
documentation, risk management, personnel security, and training. Technical controls (also called logical
controls) are software or hardware components, as in firewalls, IDS, encryption, identification and
authentication mechanisms. And physical controls are items put into place to protect facility, personnel,
and resources. Examples of physical controls are security guards, locks, fencing, and lighting. Many types
of technical controls enable a user to access a system and the resources within that system. A technical
control may be a username and password combination, a Kerberos implementation, biometrics, public key
infrastructure (PKI), RADIUS, TACACS+, or authentication using a smart card through a reader connected
to a system. These technologies verify the user is who he says he is by using different types of
authentication methods. Once a user is properly authenticated, he can be authorized and allowed access
to network resources.

Reference(s) used for this question:

Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (p. 245). McGraw-Hill.
Kindle Edition.
and
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 32).

QUESTION 127
What ensures that the control mechanisms correctly implement the security policy for the entire life cycle of
an information system?

A. Accountability controls
B. Mandatory access controls
C. Assurance procedures
D. Administrative controls

Correct Answer: C
Explanation

Explanation/Reference:
Controls provide accountability for individuals accessing information. Assurance procedures ensure that
access control mechanisms correctly implement the security policy for the entire life cycle of an information
system.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 33).

QUESTION 128
What security model is dependent on security labels?

A. Discretionary access control
B. Label-based access control
C. Mandatory access control
D. Non-discretionary access control

Correct Answer: C
Explanation

Explanation/Reference:
With mandatory access control (MAC), the authorization of a subject's access to an object is dependent
upon labels, which indicate the subject's clearance and the classification or sensitivity of the object.
"Label-based access control" is not a defined model.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 33).

QUESTION 129
What security model implies a central authority that defines rules, and sometimes global rules, dictating
what subjects can have access to what objects?

A. Flow Model
B. Discretionary access control
C. Mandatory access control
D. Non-discretionary access control

Correct Answer: D
Explanation

Explanation/Reference:
As a security administrator you might configure user profiles so that users cannot change the system's
time, alter system configuration files, access a command prompt, or install unapproved applications. This
type of access control is referred to as nondiscretionary, meaning that access decisions are not made at
the discretion of the user. Nondiscretionary access controls are put into place by an authoritative entity
(usually a security administrator) with the goal of protecting the organization's most critical assets.

Non-discretionary access control is when a central authority determines what subjects can have access to
what objects based on the organizational security policy. "Centralized access control" is not an existing
security model.
Both Rule Based Access Control (RuBAC or RBAC) and Role Based Access Control (RBAC) fall into
this category.

Reference(s) used for this question:

Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 221). McGraw-Hill.
Kindle Edition.
and
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 33).

QUESTION 130
Which type of password token involves time synchronization?

A. Static password tokens
B. Synchronous dynamic password tokens
C. Asynchronous dynamic password tokens
D. Challenge-response tokens

Correct Answer: B
Explanation

Explanation/Reference:
Synchronous dynamic password tokens generate a new unique password value at fixed time intervals, so
the server and token need to be synchronized for the password to be accepted. Source: KRUTZ, Ronald L.
& VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John
Wiley & Sons, 2001, Chapter 2: Access control systems (page 37).
Also check out: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw- Hill/Osborne, 2002,
chapter 4: Access Control (page 136).
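As an added example (not from the Krutz or Harris texts), the following Python implements the synchronous scheme described above: RFC 4226 HOTP as the core, RFC 6238 TOTP deriving the moving counter from the clock, and the server-side skew window that keeps token and server "synchronized" in practice. The last function shows the asynchronous (challenge-response) alternative, which feeds a server-supplied challenge into the same core instead of the time. The 20-byte ASCII seed is the RFC test-vector secret, used here only so the values are checkable; a real token holds a random seed provisioned at enrollment.

```python
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 4226 / RFC 6238 test vectors (constructed for the
# example; never use a fixed seed in a real deployment).
SECRET = b"12345678901234567890"
TIME_STEP = 30      # seconds per password interval (RFC 6238 default)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def time_counter(unix_time: float, step: int = TIME_STEP) -> int:
    """RFC 6238: the moving factor is the number of whole steps since the epoch."""
    return int(unix_time) // step


def totp(secret: bytes, unix_time: float) -> str:
    """Synchronous dynamic password: same seed + same time step => same code,
    so the token and the server each compute it independently."""
    return hotp(secret, time_counter(unix_time))


def verify_totp(secret: bytes, code: str, unix_time: float, skew_steps: int = 1) -> bool:
    """Server-side check. Token and server clocks drift, so the server accepts
    the current step plus or minus `skew_steps`. A wider window makes a
    guessed code more likely to land; RFC 6238 recommends at most one step."""
    current = time_counter(unix_time)
    return any(
        hmac.compare_digest(hotp(secret, current + delta), code)
        for delta in range(-skew_steps, skew_steps + 1)
    )


def challenge_response(secret: bytes, challenge: int) -> str:
    """Asynchronous variant: the server sends a nonce instead of relying on
    time; the token answers with HOTP over that nonce. No clock sync needed."""
    return hotp(secret, challenge)


if __name__ == "__main__":
    now = time.time()
    code = totp(SECRET, now)
    print("token shows:", code)
    print("server accepts now:", verify_totp(SECRET, code, now))
    print("server accepts two steps later:", verify_totp(SECRET, code, now + 2 * TIME_STEP))
```

Check the implementation against the published vectors: counter 1 yields 287082, and T=59 seconds falls in step 1, so `totp(SECRET, 59)` gives the same six digits as the RFC 6238 SHA-1 vector 94287082.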

QUESTION 131
Which of the following statements pertaining to biometrics is false?

A. Increased system sensitivity can cause a higher false rejection rate
B. The crossover error rate is the point at which false rejection rate equals the false acceptance rate.
C. False acceptance rate is also known as Type II error.
D. Biometrics are based on the Type 2 authentication mechanism.

Correct Answer: D
Explanation

Explanation/Reference:
Authentication is based on three factor types: type 1 is something you know, type 2 is something you have
and type 3 is something you are. Biometrics are based on the Type 3 authentication mechanism.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 37).

QUESTION 132
Which of the following statements pertaining to Kerberos is TRUE?

A. Kerberos does not address availability
B. Kerberos does not address integrity
C. Kerberos does not make use of Symmetric Keys
D. Kerberos cannot address confidentiality of information

Correct Answer: A
Explanation

Explanation/Reference:
The question was asking for a TRUE statement and the only correct statement is "Kerberos does not
address availability".
Kerberos addresses the confidentiality and integrity of information. It does not directly address availability.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 42).

QUESTION 133
Database views are NOT used to:

A. Implement referential integrity
B. Implement least privilege
C. To implement content-dependent access restrictions
D. Implement need-to-know

Correct Answer: A
Explanation

Explanation/Reference:
A view is considered a virtual table that is derived from other tables. It can be used to restrict access to
certain information within the database, to hide attributes, and to implement content-dependent access
restrictions. It does not implement referential integrity; that is the job of primary and foreign key constraints.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 46).
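An added example (not from the Prep Guide) using Python's built-in sqlite3 module: the view hides two sensitive attributes and filters rows to one department, which is least privilege, need-to-know and content-dependent restriction in one object, while the orphan insert at the end is rejected by the FOREIGN KEY constraint and not by the view. The schema, table names and rows are constructed for the example. SQLite has no GRANT statement; in a server DBMS you would grant SELECT on the view only and nothing on the base table.

```python
import sqlite3


def build_db():
    """Constructed sample schema: employees reference departments through a
    foreign key, and a view exposes a restricted slice of the employee table."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")   # referential integrity is enforced here
    con.executescript("""
        CREATE TABLE department (
            dept_id INTEGER PRIMARY KEY,
            name    TEXT NOT NULL
        );
        CREATE TABLE employee (
            emp_id  INTEGER PRIMARY KEY,
            name    TEXT NOT NULL,
            ssn     TEXT NOT NULL,          -- sensitive attribute
            salary  INTEGER NOT NULL,       -- sensitive attribute
            dept_id INTEGER NOT NULL REFERENCES department(dept_id)
        );
        INSERT INTO department VALUES (10, 'Engineering'), (20, 'Finance');
        INSERT INTO employee VALUES
            (1, 'Alice', '111-11-1111', 150000, 10),
            (2, 'Bob',   '222-22-2222',  90000, 10),
            (3, 'Carol', '333-33-3333', 120000, 20);
        -- Need-to-know view for the Engineering help desk: drops ssn and salary
        -- (attribute hiding) and returns Engineering rows only
        -- (content-dependent restriction).
        CREATE VIEW eng_directory AS
            SELECT emp_id, name, dept_id FROM employee WHERE dept_id = 10;
    """)
    return con


def view_columns(con):
    """Columns a user of the view can see: no ssn, no salary."""
    return [d[0] for d in con.execute("SELECT * FROM eng_directory").description]


def directory_rows(con):
    """Rows a user of the view can see: Engineering only."""
    return con.execute("SELECT * FROM eng_directory ORDER BY emp_id").fetchall()


def insert_orphan(con):
    """Reference a department that does not exist. The view plays no part:
    the FOREIGN KEY constraint on the base table is what rejects the row."""
    try:
        con.execute("INSERT INTO employee VALUES (4, 'Dave', '444-44-4444', 1, 99)")
        return "accepted"
    except sqlite3.IntegrityError as e:
        return f"rejected: {e}"


if __name__ == "__main__":
    db = build_db()
    print(view_columns(db))
    print(directory_rows(db))
    print(insert_orphan(db))
```

Run it and the three prints show the view's reduced column list, Alice and Bob only, and `rejected: FOREIGN KEY constraint failed`; drop the `PRAGMA foreign_keys = ON` line and the orphan row is accepted, which is the point: the view never protected integrity in the first place.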

QUESTION 134
What IDS approach relies on a database of known attacks?

A. Signature-based intrusion detection
B. Statistical anomaly-based intrusion detection
C. Behavior-based intrusion detection
D. Network-based intrusion detection

Correct Answer: A
Explanation

Explanation/Reference:
A weakness of the signature-based (or knowledge-based) intrusion detection approach is that only attack
signatures that are stored in a database are detected. Network-based intrusion detection can either be
signature-based or statistical anomaly-based (also called behavior-based). Source: KRUTZ, Ronald L. &
VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley
& Sons, 2001, Chapter 2: Access control systems (page 49).
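Added example, not from the source text: a minimal signature-based matcher and a statistical anomaly detector run over a constructed access log. The log lines, client addresses and signatures are made up for the illustration. Note what each misses: the URL-encoded script probe has no signature and passes the knowledge-based detector untouched, and the login flood has no signature either but stands out statistically.

```python
import re
import statistics
from collections import Counter

# Constructed access log (not real traffic). Each line: client address, method, path.
LOG_LINES = [
    "10.0.0.5 GET /index.html",
    "10.0.0.5 GET /about.html",
    "10.0.0.7 GET /index.html",
    "10.0.0.8 GET /products?id=7",
    "10.0.0.9 GET /products?id=7' OR '1'='1",          # known SQL injection probe
    "10.0.0.7 GET /cgi-bin/../../../../etc/passwd",    # known path traversal
    "10.0.0.12 GET /search?q=%3Cscript%3E",            # probe with no signature below
] + ["10.0.0.11 GET /login"] * 8                       # one client hammering /login

# Knowledge base of known attacks. Only what is written here can ever fire;
# a new attack without a signature passes silently.
SIGNATURES = {
    "sql-injection-tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
    "path-traversal": re.compile(r"(\.\./){2,}"),
}


def signature_detect(lines):
    """Knowledge-based IDS: match every line against every known signature
    and report (client, signature name) for each hit."""
    hits = []
    for line in lines:
        client = line.split()[0]
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                hits.append((client, name))
    return hits


def anomaly_detect(lines, z_threshold=2.0):
    """Statistical anomaly (behavior-based) IDS: baseline requests per client,
    then flag any client more than z_threshold standard deviations above the
    mean. It needs no attack knowledge, so it catches the flood the signatures
    miss, but it cannot name the attack and will also flag a legitimately
    busy client."""
    per_client = Counter(line.split()[0] for line in lines)
    counts = list(per_client.values())
    if len(counts) < 2:
        return []
    mean, stdev = statistics.mean(counts), statistics.pstdev(counts)
    if stdev == 0:
        return []
    return [c for c, n in per_client.items() if (n - mean) / stdev > z_threshold]


def clients_seen_only_by(lines):
    """Which detector saw what; the disjoint sets are the argument for running both."""
    sig = {c for c, _ in signature_detect(lines)}
    ano = set(anomaly_detect(lines))
    return {"signature_only": sig - ano, "anomaly_only": ano - sig}


if __name__ == "__main__":
    print("signature hits:", signature_detect(LOG_LINES))
    print("anomalous clients:", anomaly_detect(LOG_LINES))
    print(clients_seen_only_by(LOG_LINES))
```

With this sample the two detectors see disjoint sets of clients: signatures name the SQL injection and traversal probes, the anomaly baseline flags the flooding client, and nobody flags 10.0.0.12.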

QUESTION 135
What refers to legitimate users accessing networked services that would normally be restricted to them?

A. Spoofing
B. Piggybacking
C. Eavesdropping
D. Logon abuse

Correct Answer: D
Explanation

Explanation/Reference:
Unauthorized access of restricted network services by the circumvention of security access controls is
known as logon abuse. This type of abuse refers to users who may be internal to the network but access
resources they would not normally be allowed. Source: KRUTZ, Ronald L. & VINES, Russel D., The
CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter
3: Telecommunications and Network Security (page 74).

QUESTION 136
Which of the following is not a two-factor authentication mechanism?

A. Something you have and something you know.
B. Something you do and a password.
C. A smartcard and something you are.
D. Something you know and a password.

Correct Answer: D
Explanation

Explanation/Reference:
"Something you know and a password" fits within only one of the three ways authentication can be done. A
password is an example of something you know, so "something you know and a password" does not
constitute two-factor authentication, as both are in the same category of factors.
Two-factor (strong) authentication relies on two different kinds of authentication factors out of three
possible choices:
something you know (e.g. a PIN or password),
something you have (e.g. a smart card, token, magnetic card),
something you are, which is mostly biometrics (e.g. a fingerprint) or something you do (e.g. signature dynamics).

TIP FROM CLEMENT:

On the real exam you can expect to see synonyms and sometimes sub-categories under the main
categories. People are familiar with PIN, passphrase, and password as subsets of Something you know.
However, when people see choices such as Something you do or Something you are they immediately get
confused and do not think of them as subsets of biometrics, where you have biometric implementations
based on behavioral and physiological attributes. So Something you do falls under the Something you are
category as a subset. Something you do would be signing your name or typing text on your keyboard, for
example. Strong authentication is simply when you make use of two factors that are within two different
categories.

Reference(s) used for this question:

Shon Harris, CISSP All In One, Fifth Edition, pages 158-159

QUESTION 137
Which of the following access control models introduces user security clearance and data classification?

A. Role-based access control
B. Discretionary access control
C. Non-discretionary access control
D. Mandatory access control

Correct Answer: D
Explanation

Explanation/Reference:
The mandatory access control model is based on a security label system. Users are given a security
clearance and data is classified. The classification is stored in the security labels of the resources.
Classification labels specify the level of trust a user must have to access a certain file. Source: HARRIS,
Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter 4: Access Control
(Page 154).

QUESTION 138
Password management falls into which control category?

A. Compensating
B. Detective
C. Preventive
D. Technical

Correct Answer: C
Explanation

Explanation/Reference:
Password management is an example of a preventive control. Proper passwords prevent unauthorized users
from accessing a system. There are literally hundreds of different access approaches, control methods,
and technologies, both in the physical world and in the virtual electronic world. Each method addresses a
different type of access control or a specific access need.
For example, access control solutions may incorporate identification and authentication mechanisms,
filters, rules, rights, logging and monitoring, policy, and a plethora of other controls. However, despite the
diversity of access control methods, all access control systems can be categorized into seven primary
categories.

The seven main categories of access control are:

1. Directive: Controls designed to specify acceptable rules of behavior within an organization
2. Deterrent: Controls designed to discourage people from violating security directives
3. Preventive: Controls implemented to prevent a security incident or information breach
4. Compensating: Controls implemented to substitute for the loss of primary controls and mitigate risk down to an acceptable level
5. Detective: Controls designed to signal a warning when a security control has been breached
6. Corrective: Controls implemented to remedy circumstances, mitigate damage, or restore controls
7. Recovery: Controls implemented to restore conditions to normal after a security incident

Reference(s) used for this question:

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2
Press) (Kindle Locations 1156-1176). Auerbach Publications. Kindle Edition.

QUESTION 139
Which of the following access control models requires security clearance for subjects?

A. Identity-based access control
B. Role-based access control
C. Discretionary access control
D. Mandatory access control

Correct Answer: D
Explanation

Explanation/Reference:
With mandatory access control (MAC), the authorization of a subject's access to an object is dependent
upon labels, which indicate the subject's clearance. Identity-based access control is a type of discretionary
access control. Role-based access control is a type of non-discretionary access control.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 33).

QUESTION 140
Which of the following describes the type of biometric error referred to as the false rejection rate?

A. Type I error
B. Type II error
C. Type III error
D. CER error

Correct Answer: A
Explanation

Explanation/Reference:
When a biometric system rejects an authorized individual, it is called a Type I error (false rejection). When
a system accepts an impostor who should be rejected (a false positive), it is called a Type II error (false
acceptance).

The Crossover Error Rate (CER), stated as a percentage, represents the point at which the false rejection
(Type I) rate equals the false acceptance (Type II) rate. "Type III error" is not defined and is simply a
distracter in this case. Some people get tricked on this one because they are thinking about authentication
factors, where biometrics is a Type 3 authentication factor.
Beware not to mix up authentication factors with biometric errors. The 3 authentication factors are:

Type 1: Something you know
Type 2: Something you have
Type 3: Something you are

Reference(s) used for this question:

HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 4:
Access Control (page 128).
and
https://pciguru.wordpress.com/2010/05/01/one-two-and-three-factor-authentication/
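The Type I and Type II error rates of Question 131 and Question 140 can be computed from matcher scores. As an added example (not from the cited references), the following Python sweeps the decision threshold over constructed genuine and impostor score samples, reports the false rejection rate (FRR, Type I) and false acceptance rate (FAR, Type II) at each setting, and finds the crossover (CER). Raising the threshold, the "increased sensitivity" of Question 131, raises FRR and lowers FAR, which is the trade-off both questions describe. The scores are made up for the example.

```python
# Constructed matcher scores on a 0..100 similarity scale (not from any real
# sensor): genuine attempts should score high, impostor attempts low, with
# some overlap so that no threshold is error-free.
GENUINE_SCORES = [91, 88, 85, 83, 80, 78, 76, 74, 72, 70,
                  69, 67, 65, 64, 61, 59, 55, 52, 48, 45]
IMPOSTOR_SCORES = [20, 25, 28, 30, 33, 35, 38, 40, 42, 45,
                   47, 49, 51, 53, 56, 60, 63, 66, 72, 75]


def frr(genuine, threshold):
    """False rejection rate (Type I): enrolled users whose score falls below
    the threshold and who are therefore turned away."""
    return sum(s < threshold for s in genuine) / len(genuine)


def far(impostor, threshold):
    """False acceptance rate (Type II): impostors whose score reaches the
    threshold and who are therefore let in."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def error_curve(genuine, impostor, thresholds):
    """(threshold, FRR, FAR) for every candidate setting."""
    return [(t, frr(genuine, t), far(impostor, t)) for t in thresholds]


def crossover(genuine, impostor, thresholds):
    """Crossover Error Rate: the setting where FRR and FAR are closest
    (equal, when the sample allows it). A lower CER means a more accurate system."""
    return min(error_curve(genuine, impostor, thresholds),
               key=lambda row: abs(row[1] - row[2]))


def threshold_for_far(impostor, max_far, thresholds):
    """Tune for a security budget: the lowest threshold whose FAR does not
    exceed max_far. Raising it further only adds false rejections."""
    for t in thresholds:
        if far(impostor, t) <= max_far:
            return t
    return None


if __name__ == "__main__":
    for t in (50, 60, 70):
        print(f"threshold {t}: FRR={frr(GENUINE_SCORES, t):.2f} FAR={far(IMPOSTOR_SCORES, t):.2f}")
    t, a, b = crossover(GENUINE_SCORES, IMPOSTOR_SCORES, range(101))
    print(f"CER at threshold {t}: FRR={a:.2f} FAR={b:.2f}")
    print("lowest threshold with FAR <= 5%:", threshold_for_far(IMPOSTOR_SCORES, 0.05, range(101)))
```

On this sample the curves cross at threshold 60 with a CER of 25%; tightening to threshold 70 cuts FAR to 10% but pushes FRR to 50%, and a 5% FAR budget needs threshold 73, at which 60% of legitimate users are rejected. That is the sensitivity trade-off in numbers.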

QUESTION 141
Which of the following access control models requires defining classification for objects?

A. Role-based access control
B. Discretionary access control
C. Identity-based access control
D. Mandatory access control

Correct Answer: D
Explanation

Explanation/Reference:
With mandatory access control (MAC), the authorization of a subject's access to an object is dependent
upon labels, which indicate the subject's clearance and the classification of objects.

The following answers were incorrect:

Identity-based Access Control is a type of Discretionary Access Control (DAC); they are synonymous.
Role Based Access Control (RBAC) and Rule Based Access Control (RuBAC or RBAC) are types of
Non-Discretionary Access Control (NDAC).
Tip:
When you have two answers that are synonymous, they are not the right choice for sure.

There is only one access control model that makes use of labels, clearances, and categories: Mandatory
Access Control. None of the others makes use of those items.

Reference(s) used for this question:

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 33).

QUESTION 142
In the context of access control, locks, gates, guards are examples of which of the following?

A. Administrative controls
B. Technical controls
C. Physical controls
D. Logical controls

Correct Answer: C
Explanation

Explanation/Reference:
Administrative, technical and physical controls are categories of access control mechanisms. Logical and
technical controls are synonymous, so both of them can be eliminated as possible choices.
Physical Controls: These are controls to protect the organization's people and physical environment, such
as locks, gates, and guards. Physical controls are sometimes called "operational controls" in some risk
management frameworks.
Physical security covers a broad spectrum of controls to protect the physical assets (primarily the people)
in an organization. These controls range from doors, locks, and windows to environmental controls,
construction standards, and guards. Typically, physical security is based on the notion of establishing
security zones or concentric areas within a facility that require increased security as you get closer to the
valuable assets inside the facility. Security zones are the physical representation of the defense-in-depth
principle. Typically, security zones are associated with rooms, offices, floors, or smaller elements, such as
a cabinet or storage locker. The design of the physical security controls within the facility must take into
account the protection of the asset as well as the individuals working in that area.

Reference(s) used for this question:

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2
Press) (Kindle Locations 1301-1303). Auerbach Publications. Kindle Edition.
and
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2
Press) (Kindle Locations 1312-1318). Auerbach Publications. Kindle Edition.

QUESTION 143
Which of the following statements pertaining to Kerberos is true?

A. Kerberos uses public key cryptography.
B. Kerberos uses X.509 certificates.
C. Kerberos is a credential-based authentication system.
D. Kerberos was developed by Microsoft.

Correct Answer: C
Explanation

Explanation/Reference:
Kerberos is a trusted, credential-based, third-party authentication protocol that was developed at MIT and
that uses symmetric (secret) key cryptography to authenticate clients to other entities on a network for
access to services. It does not use X.509 certificates, which are used in public key cryptography.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 40).

QUESTION 144
Which of the following statements pertaining to using Kerberos without any extension is false?

A. A client can be impersonated by password-guessing.
B. Kerberos is mostly a third-party authentication protocol.
C. Kerberos uses public key cryptography.
D. Kerberos provides robust authentication.

Correct Answer: C
Explanation

Explanation/Reference:
Kerberos is a trusted, credential-based, third-party authentication protocol that uses symmetric (secret) key
cryptography to provide robust authentication to clients accessing services on a network.
Because a client's password is used in the initiation of the Kerberos request for the service protocol,
password guessing can be used to impersonate a client.

Here is an overview of how Kerberos is implemented, as described in RFC 4556:

1 Introduction
The Kerberos V5 protocol [RFC4120] involves use of a trusted third party known as the Key Distribution
Center (KDC) to negotiate shared session keys between clients and services and provide mutual
authentication between them.

The corner-stones of Kerberos V5 are the Ticket and the Authenticator. A Ticket encapsulates a symmetric
key (the ticket session key) in an envelope (a public message) intended for a specific service. The
contents of the Ticket are encrypted with a symmetric key shared between the service principal and the
issuing KDC. The encrypted part of the Ticket contains the client principal name, among other items. An
Authenticator is a record that can be shown to have been recently generated using the ticket session key
in the associated Ticket. The ticket session key is known by the client who requested the ticket. The
contents of the Authenticator are encrypted with the associated ticket session key. The encrypted part of
an Authenticator contains a timestamp and the client principal name, among other items.

As shown in Figure 1, below, the Kerberos V5 protocol consists of the following message exchanges
between the client and the KDC, and the client and the application service:

- The Authentication Service (AS) Exchange

The client obtains an "initial" ticket from the Kerberos authentication server (AS), typically a Ticket Granting
Ticket (TGT). The AS-REQ message and the AS-REP message are the request and the reply message,
respectively, between the client and the AS.

- The Ticket Granting Service (TGS) Exchange

The client subsequently uses the TGT to authenticate and request a service ticket for a particular service,
from the Kerberos ticket-granting server (TGS). The TGS-REQ message and the TGS-REP message are
the request and the reply message respectively between the client and the TGS.

- The Client/Server Authentication Protocol (AP) Exchange The client then makes a request with an AP-
REQ message, consisting of a service ticket and an authenticator that certifies the client's possession of
the ticket session key. The server may optionally reply with an AP-REP message. AP exchanges typically
negotiate session-specific symmetric keys.

Usually, the AS and TGS are integrated in a single device also known as the KDC.

  Client                        KDC (AS + TGS)                 Application Server
    |                                  |                                |
    |---------- AS-REQ --------------->|                                |
    |<--------- AS-REP (TGT) ----------|                                |
    |                                  |                                |
    |---------- TGS-REQ (TGT) -------->|                                |
    |<--------- TGS-REP (svc ticket) --|                                |
    |                                  |                                |
    |---------- AP-REQ (svc ticket + authenticator) ------------------->|
    |<--------- AP-REP (optional; mutual authentication) --------------|

Figure 1: The Message Exchanges in the Kerberos V5 Protocol

In the AS exchange, the KDC reply contains the ticket session key, among other items, that is encrypted
using a key (the AS reply key) shared between the client and the KDC. The AS reply key is typically
derived from the client's password for human users. Therefore, for human users, the attack resistance
strength of the Kerberos protocol is no stronger than the strength of their passwords.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 40).

And

HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 4:
Access Control (pages 147-151).
and
http://www.ietf.org/rfc/rfc4556.txt
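Added example (not from the RFC or the Prep Guide): a Python simulation of the three exchanges above, with the KDC, the client and the application server written as functions, followed by the offline password-guessing attack the question refers to. The "encryption" is a toy keystream-plus-HMAC construction standing in for a Kerberos etype, the realm and principal names are assumptions, and messages are JSON rather than ASN.1; the structure otherwise follows RFC 4120: the AS-REP enc-part is sealed under a key derived from the user's password, authenticators carry a timestamp checked against a five-minute skew, and tickets are sealed under the service's long-term key. In real deployments pre-authentication (PA-ENC-TIMESTAMP in RFC 4120) stops the unauthenticated AS-REQ this attack relies on, and PKINIT (RFC 4556, the extension the question excludes) replaces the password-derived reply key with public key cryptography.

```python
import hashlib
import hmac
import json
import os

REALM = "EXAMPLE.COM"       # assumed realm name
CLOCK_SKEW = 300            # seconds of authenticator timestamp tolerance (RFC 4120 default)

# Toy authenticated encryption standing in for a Kerberos etype. NOT real
# cryptography; it only has to fail cleanly (return None) under the wrong key.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, obj: dict) -> bytes:
    nonce, pt = os.urandom(12), json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        return None                                   # wrong key or tampered
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def string2key(password: str, principal: str) -> bytes:
    """Long-term key derived from the password: this is the 'AS reply key'."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 4096)

class KDC:
    """Authentication Service (AS) and Ticket-Granting Service (TGS) in one box."""
    def __init__(self):
        self.keys = {"krbtgt": os.urandom(32)}       # TGS key; never leaves the KDC

    def add_user(self, name: str, password: str) -> None:
        self.keys[name] = string2key(password, name)

    def add_service(self, name: str) -> bytes:
        self.keys[name] = os.urandom(32)
        return self.keys[name]                        # shared with the service host

    def as_exchange(self, cname: str, now: int):
        """AS-REQ carries only a name, no proof of the password. AS-REP is a TGT
        under krbtgt's key plus an enc-part under the client's password key."""
        sk, exp = os.urandom(32).hex(), now + 8 * 3600
        tgt = seal(self.keys["krbtgt"], {"cname": cname, "key": sk, "exp": exp})
        return tgt, seal(self.keys[cname], {"key": sk, "sname": "krbtgt", "exp": exp})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, sname: str, now: int):
        """TGS-REQ = TGT + authenticator (fresh timestamp under the TGT session key)."""
        t = unseal(self.keys["krbtgt"], tgt)
        if t is None or t["exp"] < now:
            raise PermissionError("bad or expired TGT")
        a = unseal(bytes.fromhex(t["key"]), authenticator)
        if a is None or a["cname"] != t["cname"] or abs(a["ts"] - now) > CLOCK_SKEW:
            raise PermissionError("bad authenticator")
        ssk = os.urandom(32).hex()
        ticket = seal(self.keys[sname], {"cname": t["cname"], "key": ssk, "exp": now + 3600})
        return ticket, seal(bytes.fromhex(t["key"]), {"key": ssk, "sname": sname})

def ap_exchange(service_key: bytes, ticket: bytes, authenticator: bytes, now: int) -> bytes:
    """Application server side of AP-REQ. The AP-REP echoes the client's
    timestamp under the session key, proving the server knew it too."""
    t = unseal(service_key, ticket)
    if t is None or t["exp"] < now:
        raise PermissionError("bad or expired service ticket")
    sk = bytes.fromhex(t["key"])
    a = unseal(sk, authenticator)
    if a is None or a["cname"] != t["cname"] or abs(a["ts"] - now) > CLOCK_SKEW:
        raise PermissionError("bad authenticator")
    return seal(sk, {"ts": a["ts"]})

def client_login(kdc: KDC, cname: str, password: str, service_key: bytes, sname: str, now: int) -> bool:
    """The whole flow from the client's side: AS, then TGS, then AP."""
    tgt, enc = kdc.as_exchange(cname, now)
    part = unseal(string2key(password, cname), enc)
    if part is None:
        return False                                  # wrong password: TGT unusable
    tgs_sk = bytes.fromhex(part["key"])
    ticket, enc2 = kdc.tgs_exchange(tgt, seal(tgs_sk, {"cname": cname, "ts": now}), sname, now)
    svc_sk = bytes.fromhex(unseal(tgs_sk, enc2)["key"])
    ap_rep = ap_exchange(service_key, ticket, seal(svc_sk, {"cname": cname, "ts": now}), now)
    return unseal(svc_sk, ap_rep) == {"ts": now}

def offline_guess(as_rep_enc: bytes, cname: str, wordlist):
    """Impersonation by password guessing: request an AS-REP for the victim, then
    try passwords offline until the enc-part opens. No lockout fires because
    nothing is sent to the KDC per guess."""
    for guess in wordlist:
        if unseal(string2key(guess, cname), as_rep_enc) is not None:
            return guess
    return None
```

Register a user and a service on a `KDC`, call `client_login` with the right and the wrong password, then hand the AS-REP enc-part to `offline_guess` with a small wordlist: the guess succeeds exactly when the password is in the list, which is the sense in which the protocol is "no stronger than the strength of their passwords".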

QUESTION 145
Which access control model would a lattice-based access control model be an example of?

A. Mandatory access control.
B. Discretionary access control.
C. Non-discretionary access control.
D. Rule-based access control.

Correct Answer: A
Explanation

Explanation/Reference:
In a lattice model, pairs of elements have a least upper bound and a greatest lower bound. In a Mandatory
Access Control (MAC) model, users and data owners do not have much freedom to determine who can access files.

FIRST: The Lattice

A lattice is simply an access control tool, usually used to implement Mandatory Access Control (MAC); it
could also be used to implement RBAC, but this is not as common. The lattice model can be used for
integrity levels or file permissions as well. The lattice has a least upper bound and a greatest lower
bound. It makes use of pairs of elements, such as the subject's security clearance paired with the object's
sensitivity label.

SECOND: DAC (Discretionary Access Control)

Discretionary Access Control is an access control method where the owner (read: the creator of the object)
decides who has access, at his own discretion. Users will share their files with other users based on
identity, but nothing prevents those users from further sharing the files with other users on the network.
Very quickly you lose control of the flow of information and of who has access to what. DAC is used in
small, friendly environments where a low level of security is all that is required.

THIRD: MAC (Mandatory Access Control)

The following is the form of Mandatory Access Control:

Mandatory Access Control (MAC), implemented using the lattice. You must remember that MAC makes use of a
security clearance for the subject, and labels are assigned to the objects. The clearance of the subject must
dominate (be equal to or higher than) the classification of the object being accessed. The label attached to
the object indicates the sensitivity level and the categories the object belongs to. The categories are used
to implement need to know.

The following are forms of Non-Discretionary Access Control:

Role Based Access Control (RBAC)
Rule Based Access Control (think of a firewall in this case)

The official ISC2 book says that RBAC (synonymous with Non-Discretionary Access Control) is a form of DAC,
but that is wrong: RBAC is a form of Non-Discretionary Access Control. Non-Discretionary DOES NOT equal
Mandatory Access Control, as there are no labels and clearances involved.

I hope this clarifies the whole drama related to what is what in the world of access control.

In the same line of thought, you should be familiar with the difference between explicit permission (the
user has his own profile) and implicit permission (the user inherits permissions by being a member of a
role, for example).

The following answers are incorrect:

Discretionary access control. Incorrect because in a Discretionary Access Control (DAC) model, access is
restricted based on the authorization granted to the users. It is identity-based access control only. It does
not make use of a lattice.

Non-discretionary access control. Incorrect because Non-Discretionary Access Control (NDAC) uses the
role-based access control method to determine access rights and permissions. It is often used as a synonym
for RBAC (Role Based Access Control). The user inherits permissions from the role when assigned to it. This
type of access control could make use of a lattice but can also be implemented without one. Mandatory
Access Control is a better choice than this one, although RBAC could also make use of a lattice. The BEST
answer is MAC.

Rule-based access control. Incorrect because it is an example of a Non-Discretionary Access Control
(NDAC) mode. Rules are applied globally to all users. A lattice is not used in Rule-Based Access Control.

References:
AIOv3 Access Control (pages 161 - 168)
AIOv3 Security Models and Architecture (pages 291 - 293)

QUESTION 146
Which of the following is an example of discretionary access control?

A. Identity-based access control
B. Task-based access control
C. Role-based access control
D. Rule-based access control

Correct Answer: A
Explanation

Explanation/Reference:
An identity-based access control is an example of discretionary access control that is based on an
individual's identity. Identity-based access control (IBAC) is access control based on the identity of the user
(typically relayed as a characteristic of the process acting on behalf of that user) where access
authorizations to specific objects are assigned based on user identity.

Rule Based Access Control (RuBAC) and Role Based Access Control (RBAC) are examples of non-discretionary
access controls.

Rule-based access control is a type of non-discretionary access control because access is determined
by rules, and the subject does not decide what those rules will be; the rules are uniformly applied to ALL of
the users or subjects.
In general, all access control policies other than DAC are grouped in the category of non-discretionary
access control (NDAC). As the name implies, policies in this category have rules that are not established at
the discretion of the user. Non-discretionary policies establish controls that cannot be changed by users,
but only through administrative action. Both Role Based Access Control (RBAC) and Rule Based Access
Control (RuBAC) fall within Non-Discretionary Access Control (NDAC). If it is not DAC or MAC then it is
most likely NDAC.

BELOW YOU HAVE A DESCRIPTION OF THE DIFFERENT CATEGORIES:

MAC = Mandatory Access Control

Under a mandatory access control environment, the system or security administrator defines what
permissions subjects have on objects. The administrator does not dictate users' access but simply
configures the proper level of access as dictated by the Data Owner. The MAC system looks at the
security clearance of the subject and compares it with the object's sensitivity (classification) level. This
is what is called the dominance relationship: the subject must DOMINATE the object's sensitivity level,
which means the subject must have a security clearance equal to or higher than that of the object he is
attempting to access. MAC also introduces the concept of labels. Every object has a label attached to it
indicating its classification as well as the categories that are used to impose the need-to-know (NTK)
principle. Even though a user has a security clearance of Secret, it does not mean he can access any Secret
document within the system. He is allowed to access only Secret documents for which he has a need to know,
formal approval, and where the user belongs to one of the categories attached to the object.

If there is no clearance and no labels, then IT IS NOT Mandatory Access Control.

Many of the other models can mimic MAC, but none of them have labels and a dominance relationship, so
they are NOT in the MAC category.

DAC = Discretionary Access Control

DAC is also known as an identity-based access control system.

The owner of an object is defined as the person who created the object. As such, the owner has the
discretion to grant access to other users on the network. Access is granted based solely on the identity of
those users.
Such a system is good for low levels of security. One of the major problems is that a user who has
access to someone else's file can further share the file with other users without the knowledge or
permission of the owner of the file. Very quickly this becomes the wild wild west, as there is no control
over the dissemination of the information.

RBAC = Role Based Access Control

RBAC is a form of Non-Discretionary access control.

Role Based Access Control usually maps directly to the different types of jobs performed by employees
within a company.
For example, there might be 5 security administrators within your company. Instead of creating each of their
profiles one by one, you would simply create a role and assign the administrators to the role. Once an
administrator has been assigned to a role, he IMPLICITLY inherits the permissions of that role.
RBAC is a great tool for environments where there is a large rotation of employees on a daily basis, such as
a very large help desk.

RBAC or RuBAC = Rule Based Access Control

RuBAC is a form of Non-Discretionary access control.

A good example of a Rule Based access control device is a firewall. A single set of rules is imposed on all
users attempting to connect through the firewall.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 33

and
NISTIR-7316 at http://csrc.nist.gov/publications/nistir/7316/NISTIR-7316.pdf and
http://itlaw.wikia.com/wiki/Identity-based_access_control

QUESTION 147
Which of the following would be used to implement Mandatory Access Control (MAC)?

A. Clark-Wilson Access Control
B. Role-based access control
C. Lattice-based access control
D. User dictated access control

Correct Answer: C
Explanation

Explanation/Reference:
The lattice is a mechanism used to implement Mandatory Access Control (MAC).

Under Mandatory Access Control (MAC) you have:

Mandatory Access Control

Under Non-Discretionary Access Control (NDAC) you have:

Rule-Based Access Control
Role-Based Access Control

Under Discretionary Access Control (DAC) you have:

Discretionary Access Control

Lattice-Based Access Control is a type of access control used to implement other access control methods. A
lattice is an ordered set of elements that has a least upper bound and a greatest lower bound. The lattice
can be used for MAC, DAC, integrity levels, file permissions, and more.

For example, in the case of MAC, if we look at common government classifications, we have the following:

TOP SECRET
SECRET -----------------------I am the user at secret
CONFIDENTIAL
SENSITIVE BUT UNCLASSIFIED
UNCLASSIFIED

If you look at the diagram above where I am a user at SECRET, it means that I can access documents at
lower classifications but not documents at TOP SECRET. The lattice is a list of ORDERED ELEMENTS; in this
case the ordered elements are classification levels. My least upper bound is SECRET and my greatest lower
bound is UNCLASSIFIED.

However, the lattice could also be used for integrity levels such as:

VERY HIGH
HIGH
MEDIUM ----------I am a user, process, application at the medium level
LOW
VERY LOW

In the case of integrity levels you have to think about TRUST. If I take, for example, the Windows Vista
operating system, whose Mandatory Integrity Control is based on Biba, then integrity levels would be used.
As a user running at medium integrity I cannot tell a process running with administrative (high integrity)
privilege what to do; otherwise any user on the system could take control of the system by getting a highly
privileged process to do things on their behalf. So no write up is allowed in this case (Biba's * integrity
axiom), and a trusted process must not rely on data from a lower integrity level either (no read down,
Biba's simple integrity axiom). This is an example of the Biba model in use.

Last but not least, the lattice could be used for file permissions:

RWX
RW ---------User at this level
R

If I am a user with READ and WRITE (RW) access privileges then I cannot execute the file because I do not
have execute permission, which is the X under Linux and UNIX. Many people confuse the lattice model with
MAC, and many books say MAC = LATTICE; however, the lattice can be used for other purposes.
There is also Role Based Access Control (RBAC). It COULD be used to simulate MAC but it is not MAC, as it
does not make use of labels on objects indicating sensitivity and categories. MAC also requires that the
subject's clearance dominate the label of the object.

You can get more info about RBAC at:http://csrc.nist.gov/groups/SNS/rbac/faq.html#03

Also note that many books use the same acronym, RBAC, for both Role Based Access Control and Rule Based
Access Control, which can be confusing.
The proper way of writing the acronym for Rule Based Access Control is RuBAC; unfortunately it is not
commonly used.

References:

There is a great article on technet that talks about the lattice in VISTA:
http://blogs.technet.com/b/steriley/archive/2006/07/21/442870aspx

also see:

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 33).
and
http://www.microsoft-watch.com/content/vista/gaging_vistas_integrity.html

QUESTION 148
What does the Clark-Wilson security model focus on?

A. Confidentiality
B. Integrity
C. Accountability
D. Availability

Correct Answer: B
Explanation

Explanation/Reference:
The Clark-Wilson model addresses integrity. It incorporates mechanisms to enforce internal and external
consistency, a separation of duty, and a mandatory integrity policy. Source: KRUTZ, Ronald L. & VINES,
Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons,
2001, Chapter 5: Security Architectures and Models (page 205).

QUESTION 149
What does the simple security (ss) property mean in the Bell-LaPadula model?

A. No read up
B. No write down
C. No read down
D. No write up

Correct Answer: A
Explanation

Explanation/Reference:
The ss (simple security) property of the Bell-LaPadula access control model states that reading of
information by a subject at a lower sensitivity level from an object at a higher sensitivity level is not
permitted (no read up).

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, John Wiley & Sons, 2001, Chapter 5: Security Architectures and Models (page 202).

QUESTION 150
What does the * (star) property mean in the Bell-LaPadula model?

A. No write up
B. No read up
C. No write down
D. No read down

Correct Answer: C
Explanation

Explanation/Reference:
The *- (star) property of the Bell-LaPadula access control model states that writing of information by a
subject at a higher level of sensitivity to an object at a lower level of sensitivity is not permitted (no write
down).

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, John Wiley & Sons, 2001, Chapter 5: Security Architectures and Models (page 202).
Also check out: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw- Hill/Osborne, 2002,
Chapter 5: Security Models and Architecture (page 242, 243).

QUESTION 151
What does the * (star) integrity axiom mean in the Biba model?

A. No read up
B. No write down
C. No read down
D. No write up

Correct Answer: D
Explanation

Explanation/Reference:
The *- (star) integrity axiom of the Biba access control model states that a subject at one level of integrity
is not permitted to modify (write to) an object at a higher level of integrity (no write up).

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, John Wiley & Sons, 2001, Chapter 5: Security Architectures and Models (page 205).

QUESTION 152
What is the Biba security model concerned with?

A. Confidentiality
B. Reliability
C. Availability
D. Integrity

Correct Answer: D
Explanation

Explanation/Reference:
The Biba security model addresses the integrity of data being threatened when subjects at lower security
levels are able to write to objects at higher security levels and when subjects can read data at lower levels.

Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter
5: Security Models and Architecture (Page 244).

QUESTION 153
Which security model uses division of operations into different parts and requires different users to perform
each part?

A. Bell-LaPadula model
B. Biba model
C. Clark-Wilson model
D. Non-interference model

Correct Answer: C
Explanation

Explanation/Reference:
The Clark-Wilson model uses separation of duties, which divides an operation into different parts and
requires different users to perform each part. This prevents authorized users from making unauthorized
modifications to data, thereby protecting its integrity.

The Clark-Wilson integrity model provides a foundation for specifying and analyzing an integrity policy for a
computing system.
The model is primarily concerned with formalizing the notion of information integrity. Information integrity is
maintained by preventing corruption of data items in a system due to either error or malicious intent. An
integrity policy describes how the data items in the system should be kept valid from one state of the
system to the next and specifies the capabilities of various principals in the system. The model defines
enforcement rules and certification rules. The model's enforcement and certification rules define data items
and processes that provide the basis for an integrity policy. The core of the model is based on the notion of
a transaction.

A well-formed transaction is a series of operations that transition a system from one consistent state to
another consistent state.
In this model the integrity policy addresses the integrity of the transactions. The principle of separation of
duty requires that the certifier of a transaction and the implementer be different entities.
The model contains a number of basic constructs that represent both data items and processes that
operate on those data items. The key data type in the Clark-Wilson model is a Constrained Data Item
(CDI). An Integrity Verification Procedure (IVP) ensures that all CDIs in the system are valid at a certain
state. Transactions that enforce the integrity policy are represented by Transformation Procedures (TPs). A
TP takes as input a CDI or Unconstrained Data Item (UDI) and produces a CDI. A TP must transition the
system from one valid state to another valid state. UDIs represent system input (such as that provided by a
user or adversary). A TP must guarantee (via certification) that it transforms all possible values of a UDI to
a "safe" CDI.

In general, preservation of data integrity has three goals:

Prevent data modification by unauthorized parties
Prevent unauthorized data modification by authorized parties
Maintain internal and external consistency (i.e. data reflects the real world)

Clark-Wilson addresses all three goals, but Biba addresses only the first goal of integrity.
References:

HARRIS, Shon, All-In-One CISSP Certification Fifth Edition, McGraw-Hill/Osborne, Chapter 5:
Security Architecture and Design (Page 341-344).
and
http://en.wikipedia.org/wiki/Clark-Wilson_model

QUESTION 154
Which type of control is concerned with avoiding occurrences of risks?

A. Deterrent controls
B. Detective controls
C. Preventive controls
D. Compensating controls

Correct Answer: C
Explanation

Explanation/Reference:
Preventive controls are concerned with avoiding occurrences of risks, while deterrent controls are
concerned with discouraging violations. Detective controls identify occurrences, and compensating controls
are alternative controls used to compensate for weaknesses in other controls.
Supervision is an example of a compensating control.
Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

QUESTION 155
Which type of control is concerned with restoring controls?

A. Compensating controls
B. Corrective controls
C. Detective controls
D. Preventive controls

Correct Answer: B
Explanation

Explanation/Reference:
Corrective controls are concerned with remedying circumstances and restoring controls. Detective controls
are concerned with investigating what happened after the fact, such as logs and video surveillance tapes for
example.
Compensating controls are alternative controls used to compensate for weaknesses in other controls.
Preventive controls are concerned with avoiding occurrences of risks.
Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

QUESTION 156
Which of the following biometric parameters are better suited for authentication use over a long period of
time?

A. Iris pattern
B. Voice pattern
C. Signature dynamics
D. Retina pattern

Correct Answer: A
Explanation

Explanation/Reference:
The iris pattern is considered lifelong. Unique features of the iris are: freckles, rings, rifts, pits, striations,
fibers, filaments, furrows, vasculature and coronas. Voice, signature and retina patterns are more likely to
change over time, thus are not as suitable for authentication over a long period of time without needing re-
enrollment.
Source: FERREL, Robert G, Questions and Answers for the CISSP Exam, domain 1 (derived from the
Information Security Management Handbook, 4th Ed., by Tipton & Krause).

QUESTION 157
Which of the following is required in order to provide accountability?

A. Authentication
B. Integrity
C. Confidentiality
D. Audit trails

Correct Answer: D
Explanation

Explanation/Reference:
Accountability can actually be seen in two different ways:

1) Although audit trails are also needed for accountability, no user can be accountable for their actions
unless properly authenticated.

2) Accountability is another facet of access control. Individuals on a system are responsible for their
actions. This accountability property enables system activities to be traced to the proper individuals.
Accountability is supported by audit trails that record events on the system and network. Audit trails can be
used for intrusion detection and for the reconstruction of past events. Monitoring individual activities, such
as keystroke monitoring, should be accomplished in accordance with the company policy and appropriate
laws. Banners at the log-on time should notify the user of any monitoring that is being conducted. The point
is that unless you employ an appropriate auditing mechanism, you don't have accountability. Authorization
only gives a user certain permissions on the network. Accountability is far more complex because it also
includes intrusion detection, unauthorized actions by both unauthorized users and authorized users, and
system faults. The audit trail provides the proof that unauthorized modifications by both authorized and
unauthorized users took place. No proof, No accountability.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, John Wiley & Sons, 2001, Page 50

The Shon Harris AIO book, 4th Edition, on Page 243 also states:
Auditing capabilities ensure users are accountable for their actions, verify that the security policies are
enforced, and can be used as investigation tools. Accountability is tracked by recording user, system, and
application activities.
This recording is done through auditing functions and mechanisms within an operating system or
application.
Audit trails contain information about operating system activities, application events, and user actions.

QUESTION 158
Which of the following access control techniques best gives the security officers the ability to specify and
enforce enterprise-specific security policies in a way that maps naturally to an organization's structure?

A. Access control lists
B. Discretionary access control
C. Role-based access control
D. Non-mandatory access control

Correct Answer: C
Explanation

Explanation/Reference:
Role-based access control (RBAC) gives the security officers the ability to specify and enforce enterprise-
specific security policies in a way that maps naturally to an organization's structure. Each user is assigned
one or more roles, and each role is assigned one or more privileges that are given to users in that role. An
access control list (ACL) is a table that tells a system which access rights each user has to a particular
system object. With discretionary access control, administration is decentralized and owners of resources
control other users' access. Non-mandatory access control is not a defined access control technique.
Source: ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 2: Access Control Systems and
Methodology (page 9).

QUESTION 159
Which access control model was proposed for enforcing access control in government and military
applications?

A. Bell-LaPadula model
B. Biba model
C. Sutherland model
D. Brewer-Nash model

Correct Answer: A
Explanation

Explanation/Reference:
The Bell-LaPadula model, mostly concerned with confidentiality, was proposed for enforcing access
control in government and military applications. It supports mandatory access control by determining the
access rights from the security levels associated with subjects and objects. It also supports discretionary
access control by checking access rights from an access matrix. The Biba model, introduced in 1977, and
the Sutherland model, published in 1986, are concerned with integrity; the Brewer-Nash (Chinese Wall)
model, published in 1989, addresses conflicts of interest. Source: ANDRESS, Mandy, Exam Cram CISSP,
Coriolis, 2001, Chapter 2: Access Control Systems and Methodology (page 11).

QUESTION 160
Which access control model achieves data integrity through well-formed transactions and separation of
duties?

A. Clark-Wilson model
B. Biba model
C. Non-interference model
D. Sutherland model

Correct Answer: A
Explanation

Explanation/Reference:
The Clark-Wilson model differs from other models that are subject- and object-oriented by introducing a
third access element, programs, resulting in what is called an access triple, which prevents unauthorized
users from modifying data or programs. The Biba model uses objects and subjects and addresses integrity
based on a hierarchical lattice of integrity levels. The non-interference model is related to the information
flow model with restrictions on the information flow. The Sutherland model approaches integrity by focusing
on the problem of inference. Source: ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 2:
Access Control Systems and Methodology (page 12).

And: KRAUSE, Micki & TIPTON, Harold F., Handbook of Information Security Management, CRC Press,
1997, Domain 1: Access Control.
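
The Clark-Wilson constructs described under QUESTION 153 and QUESTION 160 (CDIs, UDIs, TPs, the IVP,
the access triple and separation of duty) can be exercised in code. The following is an added example
written for this page; it is not code from the exam guide or from any cited source. The accounts, users and
amounts are made up, and the "integrity policy" (no negative balance, ledger total equals the sum of the
accounts) is an assumption chosen to keep the IVP small.

```python
# Added example, not from the exam guide: a toy Clark-Wilson enforcement engine.
# CDIs are account balances plus a ledger total, the IVP checks the books balance,
# TPs are the only code allowed to change CDIs, access triples bind
# (user, TP, CDI), and separation of duty keeps whoever certified a TP from being
# granted the right to run it. Users, accounts and amounts are made up.
from copy import deepcopy


class IntegrityViolation(Exception):
    pass


class ClarkWilsonSystem:
    def __init__(self, cdis: dict):
        self.cdis = cdis               # constrained data items
        self.certified_tps = {}        # tp name -> (function, certifier)
        self.triples = set()           # (user, tp name, cdi name)
        self.audit_log = []            # every TP run is recorded (certification rule C4)

    def ivp(self) -> bool:
        """Integrity verification procedure: no negative balance, and the ledger total
        equals the sum of the accounts."""
        accounts = {k: v for k, v in self.cdis.items() if k != "ledger_total"}
        return (all(v >= 0 for v in accounts.values())
                and sum(accounts.values()) == self.cdis["ledger_total"])

    def certify_tp(self, name: str, func, certifier: str) -> None:
        self.certified_tps[name] = (func, certifier)

    def allow(self, user: str, tp: str, cdi: str) -> None:
        """Create an access triple. Separation of duty: the certifier of a TP may never
        also be authorised to execute it."""
        _, certifier = self.certified_tps[tp]
        if user == certifier:
            raise IntegrityViolation(f"separation of duty: {user} certified {tp} and cannot run it")
        self.triples.add((user, tp, cdi))

    def execute(self, user: str, tp: str, cdi: str, *args) -> bool:
        """Run a TP as a well-formed transaction: only certified TPs (E1), only through a
        triple (E2), and the result must pass the IVP or the change is rolled back."""
        if tp not in self.certified_tps:
            raise IntegrityViolation(f"{tp} is not a certified TP")
        if (user, tp, cdi) not in self.triples:
            raise IntegrityViolation(f"no access triple for ({user}, {tp}, {cdi})")
        func, _ = self.certified_tps[tp]
        before = deepcopy(self.cdis)
        try:
            func(self.cdis, cdi, *args)
            if not self.ivp():
                raise IntegrityViolation("transaction would leave the CDIs in an invalid state")
        except Exception:
            self.cdis = before           # never leave an inconsistent state behind
            self.audit_log.append((user, tp, cdi, args, "ROLLED BACK"))
            raise
        self.audit_log.append((user, tp, cdi, args, "OK"))
        return True


# Transformation procedures. deposit() takes a UDI (the raw amount string typed by a
# user) and validates it before it touches a CDI (certification rule C5).
def deposit(cdis: dict, account: str, amount_udi: str) -> None:
    amount = int(amount_udi)
    if amount <= 0:
        raise IntegrityViolation("deposit amount must be a positive integer")
    cdis[account] += amount
    cdis["ledger_total"] += amount


def transfer(cdis: dict, account: str, dest: str, amount: int) -> None:
    cdis[account] -= amount
    cdis[dest] += amount               # an overdraft is caught by the IVP, not here
```

Note that transfer() deliberately contains no overdraft check: the point of the model is that the IVP, run
after every TP, catches the invalid state and the transaction is rolled back, so a buggy or malicious TP
cannot leave the CDIs inconsistent. The audit log is what later lets the certifier verify that only certified
TPs touched the data.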

QUESTION 161
This is a common security issue that is extremely hard to control in large environments. It occurs when a
user has more computer rights, permissions, and access than what is required for the tasks the user needs
to fulfill. What best describes this scenario?

A. Excessive Rights
B. Excessive Access
C. Excessive Permissions
D. Excessive Privileges

Correct Answer: D
Explanation

Explanation/Reference:
Even though all four terms are very close to each other, the best choice is Excessive Privileges, which
would include the other three choices presented.

Reference(s) used for this question:

HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2001, Page 645

QUESTION 162
Which of the following are additional access control objectives?

A. Consistency and utility
B. Reliability and utility
C. Usefulness and utility
D. Convenience and utility

Correct Answer: B
Explanation

Explanation/Reference:
Availability assures that a system's authorized users have timely and uninterrupted access to the
information in the system. The additional access control objectives are reliability and utility. These and
other related objectives flow from the organizational security policy. This policy is a high-level statement of
management intent regarding the control of access to information and the personnel who are authorized to
receive that information. Three things that must be considered for the planning and implementation of
access control mechanisms are the threats to the system, the system's vulnerability to these threats, and
the risk that the threat may materialize

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 32

QUESTION 163
Controls are implemented to:

A. eliminate risk and reduce the potential for loss
B. mitigate risk and eliminate the potential for loss
C. mitigate risk and reduce the potential for loss
D. eliminate risk and eliminate the potential for loss

Correct Answer: C
Explanation

Explanation/Reference:
Controls are implemented to mitigate risk and reduce the potential for loss. Preventive controls are put in
place to inhibit harmful occurrences; detective controls are established to discover harmful occurrences;
corrective controls are used to restore systems that are victims of harmful attacks.
It is not feasible to eliminate all risk and all potential for loss, as risks and threats are constantly
changing.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 32

QUESTION 164
Logical or technical controls involve the restriction of access to systems and the protection of information.
Which of the following statements pertaining to these types of controls is correct?

A. Examples of these types of controls include policies and procedures, security awareness training,
background checks, work habit checks but do not include a review of vacation history, and also do not
include increased supervision.
B. Examples of these types of controls do not include encryption, smart cards, access lists, and
transmission protocols.
C. Examples of these types of controls are encryption, smart cards, access lists, and transmission
protocols.
D. Examples of these types of controls include policies and procedures, security awareness training,
background checks, work habit checks, a review of vacation history, and increased supervision.

Correct Answer: C
Explanation

Explanation/Reference:
Logical or technical controls involve the restriction of access to systems and the protection of information.
Examples of these types of controls are encryption, smart cards, access lists, and transmission protocols.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 33

QUESTION 165
Controls provide accountability for individuals who are accessing sensitive information. This accountability
is accomplished:

A. through access control mechanisms that require identification and authentication and through the audit
function.
B. through logical or technical controls involving the restriction of access to systems and the protection of
information.
C. through logical or technical controls but not involving the restriction of access to systems and the
protection of information.
D. through access control mechanisms that do not require identification and authentication and do not
operate through the audit function.

Correct Answer: A
Explanation

Explanation/Reference:
Controls provide accountability for individuals who are accessing sensitive information. This accountability
is accomplished through access control mechanisms that require identification and authentication and
through the audit function. These controls must be in accordance with and accurately represent the
organization's security policy. Assurance procedures ensure that the control mechanisms correctly
implement the security policy for the entire life cycle of an information system.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 33

QUESTION 166
In non-discretionary access control using Role Based Access Control (RBAC), a central authority
determines what subjects can have access to certain objects based on the organizational security policy.
The access controls may be based on:

A. The societies role in the organization
B. The individual's role in the organization
C. The group-dynamics as they relate to the individual's role in the organization
D. The group-dynamics as they relate to the master-slave role in the organization

Correct Answer: B
Explanation

Explanation/Reference:
In Non-Discretionary Access Control, when Role Based Access Control is being used, a central authority
determines what subjects can have access to certain objects based on the organizational security policy.
The access controls may be based on the individual's role in the organization.

Reference(s) used for this question:

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 33

QUESTION 167
In an organization where there are frequent personnel changes, non-discretionary access control using
Role Based Access Control (RBAC) is useful because:

A. people need not use discretion
B. the access controls are based on the individual's role or title within the organization.
C. the access controls are not based on the individual's role or title within the organization
D. the access controls are often based on the individual's role or title within the organization

Correct Answer: B
Explanation

Explanation/Reference:
In an organization where there are frequent personnel changes, non-discretionary access control (also
called Role Based Access Control) is useful because the access controls are based on the individual's role
or title within the organization. You can easily configure a new employee's access by assigning the user to
a role that has been predefined. The user will implicitly inherit the permissions of the role by being a
member of that role. These access permissions defined within the role do not need to be changed whenever
a new person takes over the role.
Another type of non-discretionary access control model is Rule Based Access Control (RBAC or RuBAC),
where a global set of rules is uniformly applied to all subjects accessing the resources. A good example of
RuBAC would be a firewall. This question is a sneaky one: one of the choices has only one added word in
it, which is "often". Reading questions and their choices very carefully is a must for the real exam.
Reading them twice if needed is recommended.

Shon Harris in her book lists the following ways in which role-based access control can be managed:

Non-RBAC Users are mapped directly to applications and no roles are used. (No roles being used)

Limited RBAC Users are mapped to multiple roles and mapped directly to other types of applications
that do not have role-based access functionality. (A mix of roles for applications that supports roles and
explicit access control would be used for applications that do not support roles)

Hybrid RBAC Users are mapped to multiapplication roles with only selected rights assigned to those
roles.

Full RBAC Users are mapped to enterprise roles. (Roles are used for all access being granted)

NIST defines RBAC as:

Security administration can be costly and prone to error because administrators usually specify access
control lists for each user on the system individually. With RBAC, security is managed at a level that
corresponds closely to the organization's structure. Each user is assigned one or more roles, and each
role is assigned one or more privileges that are permitted to users in that role. Security administration with
RBAC consists of determining the operations that must be executed by persons in particular jobs, and
assigning employees to the proper roles. Complexities introduced by mutually exclusive roles or role
hierarchies are handled by the RBAC software, making security administration easier.

Reference(s) used for this question:

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 32
and
Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition McGraw-Hill.
and
http://csrc.nist.gov/groups/SNS/rbac/
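
The RBAC mechanics described in the explanations of QUESTION 158, QUESTION 166 and QUESTION 167 (users
mapped to roles, roles to privileges, a role hierarchy, mutually exclusive roles, and the onboarding /
offboarding benefit for a high-turnover help desk) are shown below as an added example written for this
page. It is not code from the exam guide, from NIST, or from any cited source; the role names, users and
permissions are made up for the illustration.

```python
# Added example, not from the exam guide: a small NIST-style RBAC engine with a role
# hierarchy (a senior role inherits the permissions of its junior roles) and static
# separation of duty (mutually exclusive roles). The roles, users and permissions are
# made up for the illustration.


class RBAC:
    def __init__(self):
        self.role_perms = {}      # role -> set of (operation, object) pairs
        self.juniors = {}         # role -> roles it inherits from
        self.user_roles = {}      # user -> roles assigned directly
        self.exclusive = set()    # frozenset({a, b}): a user may never hold both

    def add_role(self, role, perms=(), inherits=()):
        self.role_perms[role] = set(perms)
        self.juniors[role] = set(inherits)

    def add_exclusive(self, a, b):
        """Static separation of duty constraint, e.g. the person who closes tickets
        must not also be the one who audits ticket handling."""
        self.exclusive.add(frozenset({a, b}))

    def assign(self, user, role):
        """Onboarding is one assignment; the role's permissions are inherited implicitly."""
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role}")
        held = self.user_roles.setdefault(user, set())
        for other in held:
            if frozenset({role, other}) in self.exclusive:
                raise ValueError(f"{user}: roles {role} and {other} are mutually exclusive")
        held.add(role)

    def revoke(self, user, role):
        """Offboarding or a job change: drop the assignment, the role itself is untouched."""
        self.user_roles.get(user, set()).discard(role)

    def effective_roles(self, user):
        """Directly assigned roles plus every role reachable down the hierarchy."""
        todo, seen = list(self.user_roles.get(user, ())), set()
        while todo:
            r = todo.pop()
            if r not in seen:
                seen.add(r)
                todo.extend(self.juniors.get(r, ()))
        return seen

    def permissions(self, user):
        return set().union(*(self.role_perms[r] for r in self.effective_roles(user)))

    def check(self, user, operation, obj):
        """The access decision: no per-user ACL entries anywhere, only role membership."""
        return (operation, obj) in self.permissions(user)


def build_helpdesk() -> RBAC:
    """A made-up help-desk setup: tier-1 agents, a lead who inherits tier-1, and an
    auditor who must never also be a lead."""
    r = RBAC()
    r.add_role("helpdesk", {("reset_password", "user_accounts"), ("read", "tickets")})
    r.add_role("helpdesk_lead", {("close", "tickets")}, inherits=["helpdesk"])
    r.add_role("auditor", {("read", "audit_log")})
    r.add_exclusive("helpdesk_lead", "auditor")
    return r


if __name__ == "__main__":
    rbac = build_helpdesk()
    rbac.assign("dana", "helpdesk_lead")
    print(sorted(rbac.permissions("dana")))
```

The security-relevant detail is in assign(): the mutually exclusive pair is checked at assignment time, so
the separation-of-duty rule cannot be bypassed by accumulating roles over several tickets, and revoke()
is the entire offboarding step; no object ACL anywhere has to be edited.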

QUESTION 168
Another type of access control is lattice-based access control. In this type of control a lattice model is
applied. How is this type of access control concept applied?

A. The pair of elements is the subject and object, and the subject has an upper bound equal or higher
than the upper bound of the object being accessed.
B. The pair of elements is the subject and object, and the subject has an upper bound lower then the
upper bound of the object being accessed.
C. The pair of elements is the subject and object, and the subject has no special upper or lower bound
needed within the lattice.
D. The pair of elements is the subject and object, and the subject has no access rights in relation to an
object.

Correct Answer: A
Explanation

Explanation/Reference:
In this type of control, a lattice model is applied.
To apply this concept to access control, the pair of elements is the subject and object, and the subject has
to have an upper bound equal or higher than the object being accessed.

WIKIPEDIA has a great explanation as well:

In computer security, lattice-based access control (LBAC) is a complex access control based on the
interaction between any combination of objects (such as resources, computers, and applications) and
subjects (such as individuals, groups or organizations). In this type of label-based mandatory access
control model, a lattice is used to define the levels of security that an object may have and that a subject
may have access to. The subject is only allowed to access an object if the security level of the subject is
greater than or equal to that of the object.

Reference(s) used for this question:


KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 34
and
http://en.wikipedia.org/wiki/Lattice-based_access_control
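
The lattice and dominance relation explained under QUESTION 147 and QUESTION 168, and the Bell-LaPadula
and Biba rules asked about in QUESTION 149, QUESTION 150 and QUESTION 151, are put together in one piece
of code below. This is an added example written for this page, not code from the exam guide or from any
cited source. The level names follow the lists in those explanations; the category names (NATO, CRYPTO)
are made up.

```python
# Added example, not from the exam guide: a label lattice of (classification level,
# set of categories) with the dominance relation MAC relies on, plus the
# Bell-LaPadula and Biba rules expressed on top of it. Level names follow the
# lists in the explanation above; category names are made up.
from dataclasses import dataclass
from typing import FrozenSet

# Ordered confidentiality levels, lowest first; list position is the lattice order.
LEVELS = ["UNCLASSIFIED", "SENSITIVE BUT UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
# Ordered integrity levels for Biba, lowest first.
INTEGRITY = ["VERY LOW", "LOW", "MEDIUM", "HIGH", "VERY HIGH"]


@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other: level at least as high AND every category of other is present.
        This is the 'clearance dominates the object label' test of MAC."""
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.categories >= other.categories)


def join(a: Label, b: Label) -> Label:
    """Least upper bound: the lowest label dominating both (the label a document
    built from two sources must carry)."""
    return Label(max(a.level, b.level, key=LEVELS.index), a.categories | b.categories)


def meet(a: Label, b: Label) -> Label:
    """Greatest lower bound: the highest label that both of them dominate."""
    return Label(min(a.level, b.level, key=LEVELS.index), a.categories & b.categories)


# Bell-LaPadula (confidentiality): ss-property = no read up, *-property = no write down.
def blp_can_read(subject: Label, obj: Label) -> bool:
    return subject.dominates(obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    return obj.dominates(subject)


# Biba (integrity): simple integrity axiom = no read down, * integrity axiom = no write up.
def biba_can_read(subject_level: str, obj_level: str) -> bool:
    return INTEGRITY.index(obj_level) >= INTEGRITY.index(subject_level)


def biba_can_write(subject_level: str, obj_level: str) -> bool:
    return INTEGRITY.index(subject_level) >= INTEGRITY.index(obj_level)


if __name__ == "__main__":
    me = Label("SECRET", frozenset({"NATO"}))
    for doc in (Label("CONFIDENTIAL"), Label("SECRET"), Label("TOP SECRET", frozenset({"NATO"}))):
        print(doc, "read:", blp_can_read(me, doc), "write:", blp_can_write(me, doc))
```

Two points the prose alone does not make obvious: a SECRET subject without the NATO category cannot read a
SECRET/NATO object (categories are part of dominance, not an afterthought), and under the *-property a
SECRET/NATO subject cannot write to a plain SECRET object either, because the object's label does not
dominate the subject's.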

QUESTION 169
Detective/Technical measures:

A. include intrusion detection systems and automatically-generated violation reports from audit trail
information.
B. do not include intrusion detection systems and automatically-generated violation reports from audit trail
information.
C. include intrusion detection systems but do not include automatically-generated violation reports from
audit trail information.
D. include intrusion detection systems and customised-generated violation reports from audit trail
information.

Correct Answer: A
Explanation

Explanation/Reference:
Detective/Technical measures include intrusion detection systems and automatically-generated violation
reports from audit trail information. These reports can indicate variations from "normal" operation or detect
known signatures of unauthorized access episodes. In order to limit the amount of audit information
flagged and reported by automated violation analysis and reporting mechanisms, clipping levels can be
set.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 35
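
The accountability point of QUESTION 157 (no audit trail, no accountability) and the detective/technical
measure of QUESTION 169 (automatically generated violation reports with a clipping level) are shown
together below. This is an added example written for this page, not code from the exam guide or any cited
source; the log lines are constructed for the illustration and only imitate the Linux sshd syslog format,
and the clipping level of three failures is an assumed policy value.

```python
# Added example, not from the exam guide: an automatically generated violation report
# from audit-trail records, with a clipping level so that a couple of typos are not
# reported but a burst of failures is. The log lines are constructed and mimic the
# Linux sshd syslog format; the default clipping level is an assumed policy value.
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
Mar  3 09:00:01 bastion sshd[4101]: Accepted publickey for alice from 10.0.0.5 port 51000 ssh2
Mar  3 09:00:14 bastion sshd[4102]: Failed password for bob from 10.0.0.9 port 51010 ssh2
Mar  3 09:00:15 bastion sshd[4102]: Failed password for bob from 10.0.0.9 port 51010 ssh2
Mar  3 09:00:16 bastion sshd[4102]: Failed password for bob from 10.0.0.9 port 51010 ssh2
Mar  3 09:00:17 bastion sshd[4102]: Failed password for bob from 10.0.0.9 port 51010 ssh2
Mar  3 09:00:18 bastion sshd[4102]: Failed password for bob from 10.0.0.9 port 51010 ssh2
Mar  3 09:00:19 bastion sshd[4102]: Accepted password for bob from 10.0.0.9 port 51010 ssh2
Mar  3 09:01:02 bastion sshd[4110]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
Mar  3 09:01:03 bastion sshd[4111]: Failed password for invalid user root from 203.0.113.7 port 40002 ssh2
Mar  3 09:01:04 bastion sshd[4112]: Failed password for invalid user oracle from 203.0.113.7 port 40003 ssh2
Mar  3 09:02:30 bastion sshd[4120]: Failed password for carol from 10.0.0.12 port 52000 ssh2
Mar  3 09:02:45 bastion sshd[4121]: Accepted password for carol from 10.0.0.12 port 52001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")


def parse(log_text):
    """Turn raw audit-trail lines into records; lines that do not match are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def violation_report(events, clipping_level=3):
    """Report users and source addresses whose failed logons exceed the clipping level,
    plus any success that immediately followed such a burst (a possibly guessed password)."""
    fails_by_user = Counter(e["user"] for e in events if e["result"] == "Failed")
    fails_by_src = Counter(e["src"] for e in events if e["result"] == "Failed")
    report = {
        "users": {u: n for u, n in fails_by_user.items() if n > clipping_level},
        "sources": {s: n for s, n in fails_by_src.items() if n > clipping_level},
        "success_after_failures": [],
    }
    streak = defaultdict(int)          # consecutive failures per user, reset on success
    for e in events:
        if e["result"] == "Failed":
            streak[e["user"]] += 1
        else:
            if streak[e["user"]] > clipping_level:
                report["success_after_failures"].append((e["user"], e["src"], streak[e["user"]]))
            streak[e["user"]] = 0
    return report


if __name__ == "__main__":
    print(violation_report(parse(SAMPLE_LOG)))
```

With the clipping level at three, carol's single typo is not reported, the three probes from 203.0.113.7
against non-existent accounts sit exactly at the threshold and are not reported either, while bob's five
failures followed by a success are, which is the kind of event an analyst wants to see first. Lowering the
clipping level to two surfaces the external probe as well; the trade-off is the volume of reports, which is
exactly what the clipping level exists to control.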

QUESTION 170
Passwords can be required to change monthly, quarterly, or at other intervals:

A. depending on the criticality of the information needing protection
B. depending on the criticality of the information needing protection and the password's frequency of use.
C. depending on the password's frequency of use.
D. not depending on the criticality of the information needing protection but depending on the password's
frequency of use.

Correct Answer: B
Explanation

Explanation/Reference:
Passwords can be compromised and must be protected. In the ideal case, a password should only be
used once. The changing of passwords can also fall between these two extremes. Passwords can be
required to change monthly, quarterly, or at other intervals, depending on the criticality of the information
needing protection and the password's frequency of use. Obviously, the more times a password is used,
the more chance there is of it being compromised. Source: KRUTZ, Ronald L. & VINES, Russel D., The
CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36
& 37

QUESTION 171
When submitting a passphrase for authentication, the passphrase is converted into ...

A. a virtual password by the system.
B. a new passphrase by the system.
C. a new passphrase by the encryption technology
D. a real password by the system which can be used forever.

Correct Answer: A
Explanation

Explanation/Reference:
Passwords can be compromised and must be protected. It is recommended to use a passphrase instead of a
password, as a passphrase is longer and therefore more resistant to guessing attacks. The passphrase is
converted into a virtual password by the system. Often the passphrase will exceed the maximum password
length supported by the system, so it must be reduced (hashed, or in older systems simply truncated) into a
virtual password of the length the system supports.

Reference(s) used for this question:


http://www.itl.nist.gov/fipspubs/fip112htm
and
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 36 & 37
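
The difference between truncating a passphrase and deriving a virtual password from all of it, which the
explanation above only hints at, is shown below as an added example written for this page; it is not code
from the exam guide or from FIPS 112. The 8-character limit (the historical limit of DES-based Unix crypt),
the salt value and the PBKDF2 work factor are assumptions for the illustration.

```python
# Added example, not from the exam guide: two ways a system can turn a long
# passphrase into a fixed-length virtual password. Plain truncation (the historical
# 8-character limit of DES-based Unix crypt) discards everything past the limit, so
# passphrases that differ only later collide; a salted key-derivation function folds
# the whole passphrase into a fixed-size value. The limit and the salt are assumed.
import hashlib
import hmac

MAX_LEN = 8                     # assumed maximum password length of the legacy system
ITERATIONS = 100_000            # PBKDF2 work factor; raise it for production use


def truncated_virtual_password(passphrase: str) -> str:
    """What a naive system does: keep only the first MAX_LEN characters."""
    return passphrase[:MAX_LEN]


def hashed_virtual_password(passphrase: str, salt: bytes) -> bytes:
    """Derive a 32-byte virtual password from the entire passphrase. The salt keeps
    identical passphrases on different accounts from yielding identical values."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, ITERATIONS, dklen=32)


def verify(stored: bytes, salt: bytes, attempt: str) -> bool:
    """Constant-time comparison so the check itself does not leak how many bytes matched."""
    return hmac.compare_digest(stored, hashed_virtual_password(attempt, salt))
```

The truncating variant is what makes "a passphrase is more resistant to attacks" untrue on a legacy system:
everything the user typed after the limit contributes nothing, and an attacker only has to guess the first
eight characters.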

QUESTION 172
In the context of biometric authentication, what is a quick way to compare the accuracy of devices? In
general, the device that has the lowest value would be the most accurate. Which of the following would
be used to compare the accuracy of devices?

A. the CER is used.
B. the FRR is used
C. the FAR is used
D. The FER is used

Correct Answer: A
Explanation

Explanation/Reference:
equal error rate or crossover error rate (EER or CER): the rate at which both accept and reject errors are
equal. The value of the EER can be easily obtained from the ROC curve. The EER is a quick way to
compare the accuracy of devices with different ROC curves. In general, the device with the lowest EER is
most accurate.
In the context of Biometric Authentication almost all types of detection permit a system's sensitivity to be
increased or decreased during an inspection process. If the system's sensitivity is increased, such as in an
airport metal detector, the system becomes increasingly selective and has a higher False Reject Rate
(FRR).
Conversely, if the sensitivity is decreased, the False Acceptance Rate (FAR) will increase. Thus, to have a
valid measure of the system performance, the CrossOver Error Rate (CER) is used.

The following are used as performance metrics for biometric systems:

false accept rate or false match rate (FAR or FMR): the probability that the system incorrectly matches the
input pattern to a non-matching template in the database. It measures the percentage of invalid inputs
which are incorrectly accepted. On a similarity scale, if the person is really an impostor but the matching
score is higher than the threshold, the person is treated as genuine, which increases the FAR; performance
therefore also depends on the choice of threshold value.

false reject rate or false non-match rate (FRR or FNMR): the probability that the system fails to detect a
match between the input pattern and a matching template in the database. It measures the percentage of
valid inputs which are incorrectly rejected.

failure to enroll rate (FTE or FER): the rate at which attempts to create a template from an input are
unsuccessful. This is most commonly caused by low-quality inputs.

failure to capture rate (FTC): within automatic systems, the probability that the system fails to detect a
biometric input when presented correctly.

template capacity: the maximum number of sets of data which can be stored in the system.
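How FAR, FRR and the crossover point fall out of a score threshold, as an added example (not code from the page or from any biometric vendor). The genuine and impostor matching scores are constructed numbers on a 0..1 similarity scale; the threshold sweep, the EER search and the "tune for a FAR bound" helper are the general procedure, which the text describes only in words. The last helper goes slightly beyond the text: it shows the FRR price of forcing FAR to zero, the trade-off behind the later question on which error type an access-control deployment should avoid.

```python
from typing import List, Tuple

# Constructed matching scores on a 0..1 similarity scale (higher means a
# closer match). These are illustrative numbers, not measurements from the page.
GENUINE_SCORES = [0.92, 0.88, 0.85, 0.81, 0.79, 0.77, 0.74, 0.70, 0.66, 0.61]
IMPOSTOR_SCORES = [0.12, 0.20, 0.31, 0.38, 0.44, 0.52, 0.58, 0.63, 0.68, 0.73]


def far_frr(threshold: float, genuine: List[float], impostor: List[float]) -> Tuple[float, float]:
    """Return (FAR, FRR) when a score >= threshold is accepted.

    FAR: fraction of impostor scores accepted (type II errors).
    FRR: fraction of genuine scores rejected (type I errors).
    """
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def error_curve(genuine: List[float], impostor: List[float], steps: int = 101) -> List[Tuple[float, float, float]]:
    """Sweep the decision threshold from 0 to 1 and record (threshold, FAR, FRR)."""
    return [(i / (steps - 1), *far_frr(i / (steps - 1), genuine, impostor)) for i in range(steps)]


def equal_error_rate(genuine: List[float], impostor: List[float], steps: int = 101) -> Tuple[float, float]:
    """Find the threshold where FAR and FRR are closest; the EER/CER is their mean there."""
    threshold, far, frr = min(error_curve(genuine, impostor, steps), key=lambda r: abs(r[1] - r[2]))
    return threshold, (far + frr) / 2


def threshold_for_max_far(genuine: List[float], impostor: List[float], max_far: float,
                          steps: int = 101) -> Tuple[float, float, float]:
    """Lowest threshold that keeps FAR at or below max_far (access-control tuning).

    Returns (threshold, FAR, FRR); the FRR shows the usability price paid.
    """
    for threshold, far, frr in error_curve(genuine, impostor, steps):
        if far <= max_far:
            return threshold, far, frr
    raise ValueError("no threshold satisfies the FAR bound")


if __name__ == "__main__":
    for t in (0.5, 0.67, 0.8):
        far, frr = far_frr(t, GENUINE_SCORES, IMPOSTOR_SCORES)
        print(f"threshold {t:.2f}: FAR={far:.2f} FRR={frr:.2f}")
    t, eer = equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"EER/CER = {eer:.2f} at threshold {t:.2f}")
    t, far, frr = threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, max_far=0.0)
    print(f"FAR=0 requires threshold {t:.2f}, costing FRR={frr:.2f}")
```

Raising the threshold lowers FAR and raises FRR, which is the "sensitivity" knob the explanation describes; the EER is the single number at the crossing, and with real data you would compute it on many thousands of scores rather than ten.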
Reference(s) used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 37
and
Wikipedia at: https://en.wikipedia.org/wiki/Biometrics

QUESTION 173
The throughput rate is the rate at which individuals, once enrolled, can be processed and identified or
authenticated by a biometric system. Acceptable throughput rates are in the range of:

A. 100 subjects per minute.
B. 25 subjects per minute.
C. 10 subjects per minute.
D. 50 subjects per minute.

Correct Answer: C
Explanation

Explanation/Reference:
The throughput rate is the rate at which individuals, once enrolled, can be processed and identified or
authenticated by a biometric system.
Acceptable throughput rates are in the range of 10 subjects per minute. Other practical concerns apply to
some types of biometric systems. With retina scanning systems, one concern is the exchange of body
fluids on the eyepiece. Another is that the retinal pattern could reveal changes in a person's health, such
as diabetes or high blood pressure.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 38

QUESTION 174
Which of the following biometric devices has the lowest user acceptance level?

A. Retina Scan
B. Fingerprint scan
C. Hand geometry
D. Signature recognition

Correct Answer: A
Explanation
Explanation/Reference:
According to the cited reference, of the given options, the retina scan has the lowest user acceptance
level, as the user must bring the eye close to a device; it is not user friendly and is very intrusive.

However, the retina scan is the most precise, with about one error per 10 million uses. See the two tables
referenced below, available at
https://sites.google.com/site/biometricsecuritysolutions/crossover-accuracy .

Biometric Comparison Chart (table not reproduced here)

Biometric Aspect Descriptions (table not reproduced here)

Reference(s) used for this question:


RHODES, Keith A., Chief Technologist, United States General Accounting Office, National Preparedness,
Technologies to Secure Federal Buildings, April 2002 (page 10).
and
https://sites.google.com/site/biometricsecuritysolutions/crossover-accuracy

QUESTION 175
Which of the following would be an example of the best password?

A. golf001
B. Elizabeth
C. T1me4g0lF
D. password

Correct Answer: C
Explanation

Explanation/Reference:
The best passwords are those that are both easy to remember and hard to crack using a dictionary attack.
The best way to create passwords that fulfil both criteria is to use two small unrelated words or phonemes,
ideally with upper and lower case characters, a special character, and/or a number. The following should
not be used: common names, dates of birth, spouse names, phone numbers, words found in dictionaries,
or system defaults.
Source: ROTHKE, Ben, CISSP CBK Review presentation on domain 1

QUESTION 176
Which of the following tools is least likely to be used by a hacker?

A. l0phtcrack
B. Tripwire
C. OphCrack
D. John the Ripper

Correct Answer: B
Explanation

Explanation/Reference:
Tripwire is an integrity checking product, triggering alarms when important files (e.g. system or
configuration files) are modified.
This is a tool that is not likely to be used by hackers, other than for studying its workings in order to
circumvent it.
Other programs are password-cracking programs and are likely to be used by security administrators as
well as by hackers. More info regarding Tripwire available on the Tripwire, Inc. Web Site.

NOTE:
The biggest competitor to the commercial version of Tripwire is the freeware version of Tripwire. You can
get the Open Source version of Tripwire at the following URL:
http://sourceforge.net/projects/tripwire/
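What an integrity checker of the kind described above actually does, as an added example; this is not Tripwire's code nor any part of the Open Source Tripwire project, only a minimal checker in the same spirit. The monitored files, their contents and the baseline-signing key are constructed for the example, and the key name BASELINE_KEY is an assumption; the baseline is authenticated with an HMAC so that an intruder who edits the monitored file cannot simply re-bless it by editing the baseline too.

```python
import hashlib
import hmac
import json
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# Hypothetical key used to authenticate the baseline database itself, so an
# intruder who can edit the baseline cannot silently re-bless a modified file.
# In a real deployment it would live offline or on read-only media.
BASELINE_KEY = b"example-baseline-signing-key"


def describe(path: str) -> Dict[str, object]:
    """Collect the attributes the checker watches: content hash, size and mode bits."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(paths: List[str]) -> Dict[str, Dict[str, object]]:
    """Snapshot every monitored file into a baseline database."""
    return {p: describe(p) for p in paths}


def sign_baseline(baseline: Dict[str, Dict[str, object]], key: bytes = BASELINE_KEY) -> str:
    """HMAC over a canonical JSON encoding of the baseline."""
    canonical = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def baseline_intact(baseline: Dict[str, Dict[str, object]], signature: str,
                    key: bytes = BASELINE_KEY) -> bool:
    """Detect tampering with the baseline database itself."""
    return hmac.compare_digest(sign_baseline(baseline, key), signature)


def verify_files(baseline: Dict[str, Dict[str, object]]) -> List[str]:
    """Compare the live file system against the baseline and return alarm strings."""
    alarms = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            alarms.append(f"MISSING {path}")
            continue
        actual = describe(path)
        changed = [k for k in expected if expected[k] != actual[k]]
        if changed:
            alarms.append(f"MODIFIED {path} ({', '.join(changed)})")
    return alarms


def demo() -> Tuple[List[str], bool]:
    """Run the checker against constructed files in a temporary directory.

    Returns (alarms after an unauthorised edit, whether baseline tampering was caught).
    """
    with tempfile.TemporaryDirectory() as tmp:
        passwd = os.path.join(tmp, "passwd")
        sshd_config = os.path.join(tmp, "sshd_config")
        with open(passwd, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(sshd_config, "w") as f:
            f.write("PermitRootLogin no\n")

        baseline = build_baseline([passwd, sshd_config])
        signature = sign_baseline(baseline)
        assert verify_files(baseline) == []          # clean run: no alarms

        # An intruder adds a back-door account to the monitored passwd file.
        with open(passwd, "a") as f:
            f.write("backdoor:x:0:0::/root:/bin/bash\n")
        alarms = verify_files(baseline)

        # The intruder then rewrites the baseline entry to hide the change;
        # the HMAC over the baseline no longer verifies.
        baseline[passwd] = describe(passwd)
        tampering_caught = not baseline_intact(baseline, signature)
        return alarms, tampering_caught


if __name__ == "__main__":
    found, caught = demo()
    for a in found:
        print("ALARM:", a)
    print("baseline tampering caught:", caught)
```

This is also why the explanation says an attacker's only interest in such a tool is studying how to circumvent it: the obvious circumvention is to edit the baseline, which the signature defeats as long as the key is not on the compromised host.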

QUESTION 177
What is an error called that causes a system to be vulnerable because of the environment in which it is
installed?

A. Configuration error
B. Environmental error
C. Access validation error
D. Exceptional condition handling error

Correct Answer: B
Explanation

Explanation/Reference:
In an environmental error, the environment in which a system is installed somehow causes the system to
be vulnerable. This may be due, for example, to an unexpected interaction between an application and the
operating system or between two applications on the same host. A configuration error occurs when user
controllable settings in a system are set such that the system is vulnerable. In an access validation error,
the system is vulnerable because the access control mechanism is faulty. In an exceptional condition
handling error, the system somehow becomes vulnerable due to an exceptional condition that has arisen.
Source: DUPUIS, Clement, Access Control Systems and Methodology CISSP Open Study Guide, version
10, march 2002 (page 106).

QUESTION 178
A network-based vulnerability assessment is a type of test also referred to as:

A. An active vulnerability assessment.
B. A routing vulnerability assessment.
C. A host-based vulnerability assessment.
D. A passive vulnerability assessment.

Correct Answer: A
Explanation

Explanation/Reference:
A network-based vulnerability assessment tool/system either re-enacts system attacks, noting and
recording responses to the attacks, or probes different targets to infer weaknesses from their responses.
Since the assessment is actively attacking or scanning targeted systems, network-based vulnerability
assessment systems are also called active vulnerability systems.

There are two main types of test:

PASSIVE: You don't send any packets to, or otherwise interact with, the remote target. You make use of
public databases and other techniques to gather information about your target.

ACTIVE: You do send packets to your target, attempting to stimulate responses that help you gather
information about hosts that are alive, services running, port state, and more.

See examples below of both types of attacks:

Eavesdropping and sniffing data as it passes over a network are considered passive attacks because the
attacker is not affecting the protocol, algorithm, key, message, or any parts of the encryption system.
Passive attacks are hard to detect, so in most cases methods are put in place to try to prevent them rather
than to detect and stop them. Altering messages, modifying system files, and masquerading as another
individual are acts that are considered active attacks because the attacker is actually doing something
instead of sitting back and gathering data. Passive attacks are usually used to gain information prior to
carrying out an active attack.

IMPORTANT NOTE:
Commercial vendors will sometimes use different names for different types of scans. However, the exam
is product agnostic: it uses general terms, not vendor terms. Experience could trick you into selecting the
wrong choice sometimes. See feedback from Jason below:
"I am a system security analyst. It is my daily duty to perform system vulnerability analysis. We use Nessus
and Retina (among other tools) to perform our network-based vulnerability scanning. Both commercially
available tools refer to a network-based vulnerability scan as a "credentialed" scan. Without credentials,
the scan tool cannot log in to the system being scanned, and as such will only receive a port scan to see
what ports are open and exploitable."

Reference(s) used for this question:


Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 865). McGraw-Hill.
Kindle Edition.
and
DUPUIS, Clement, Access Control Systems and Methodology CISSP Open Study Guide, version 10,
march 2002 (page 97).

QUESTION 179
Why would anomaly detection IDSs often generate a large number of false positives?

A. Because they can only identify correctly attacks they already know about.
B. Because they are application-based and are more subject to attacks.
C. Because they can't identify abnormal behavior.
D. Because normal patterns of user and system behavior can vary wildly.

Correct Answer: D
Explanation

Explanation/Reference:
Unfortunately, anomaly detectors and the Intrusion Detection Systems (IDS) based on them often produce
a large number of false alarms, as normal patterns of user and system behavior can vary wildly. Being only
able to identify correctly attacks they already know about is a characteristic of misuse detection (signature-
based) IDSs. Application-based IDSs are a special subset of host- based IDSs that analyze the events
transpiring within a software application. They are more vulnerable to attacks than host-based IDSs. Not
being able to identify abnormal behavior would not cause false positives, since they are not identified.
Source: DUPUIS, Clément, Access Control Systems and Methodology CISSP Open Study Guide, version
10, march 2002 (page 92).
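The false-positive mechanism described above, as an added example (not code from the page or the cited study guide). The per-user daily login counts are constructed data; one user is steady and one is legitimately erratic. A detector that ignores how much a baseline normally varies raises alarms on the erratic user's ordinary days, while a variance-aware threshold does not, and both still catch an obvious burst. The mitigation goes one step beyond the text, which only states the cause.

```python
import statistics
from typing import Callable, Dict, List

# Constructed training data: logins per day for each user over one week.
# alice is steady; bob is an on-call engineer whose legitimate activity swings
# wildly from day to day. These are illustrative numbers, not data from the page.
TRAINING = {
    "alice": [3, 3, 4, 3, 3, 4, 3],
    "bob": [0, 12, 1, 9, 0, 15, 2],
}

Detector = Callable[[List[float], float], bool]


def naive_is_anomalous(history: List[float], observed: float, factor: float = 2.0) -> bool:
    """Alert when today's count exceeds a fixed multiple of the historical mean.

    This ignores how much the baseline normally varies, which is the classic
    source of anomaly-IDS false positives.
    """
    return observed > factor * statistics.mean(history)


def zscore_is_anomalous(history: List[float], observed: float, z_limit: float = 3.0) -> bool:
    """Alert when today's count is more than z_limit standard deviations above the mean.

    The spread of the baseline is part of the model, so an erratic but
    legitimate user needs a far larger excursion before an alarm fires.
    """
    mean = statistics.mean(history)
    spread = statistics.pstdev(history) or 1.0   # avoid division by zero for constant histories
    return (observed - mean) / spread > z_limit


def false_positive_rate(history: List[float], detector: Detector) -> float:
    """Leave-one-out replay: treat each legitimate day as 'today' against the other days.

    Every alarm raised is a false positive, since all training days are known-good.
    """
    alarms = 0
    for i, day in enumerate(history):
        others = history[:i] + history[i + 1:]
        if detector(others, day):
            alarms += 1
    return alarms / len(history)


def report(training: Dict[str, List[float]]) -> Dict[str, Dict[str, float]]:
    """False-positive rate per user for both detectors."""
    return {
        user: {
            "naive": false_positive_rate(days, naive_is_anomalous),
            "zscore": false_positive_rate(days, zscore_is_anomalous),
        }
        for user, days in training.items()
    }


if __name__ == "__main__":
    for user, rates in report(TRAINING).items():
        print(f"{user}: naive FPR={rates['naive']:.2f}  z-score FPR={rates['zscore']:.2f}")
    # A credential-stuffing burst of 60 logins against bob's account is still caught by both.
    print("attack flagged:", naive_is_anomalous(TRAINING["bob"], 60), zscore_is_anomalous(TRAINING["bob"], 60))
```

Two of bob's seven ordinary days trip the naive detector, none trip the z-score detector, and the 60-login burst trips both; the lesson for a SOC is that the baseline's spread, not just its mean, must be modelled, and even then users whose behaviour changes with their job will keep producing alarms.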

QUESTION 180
Ensuring least privilege does not require:

A. Identifying what the user's job is.
B. Ensuring that the user alone does not have sufficient rights to subvert an important process.
C. Determining the minimum set of privileges required for a user to perform their duties.
D. Restricting the user to required privileges and nothing more.

Correct Answer: B
Explanation

Explanation/Reference:
Ensuring that the user alone does not have sufficient rights to subvert an important process is a concern of
the separation of duties principle and it does not concern the least privilege principle. Source: DUPUIS,
Clément, Access Control Systems and Methodology CISSP Open Study Guide, version 10, march 2002
(page 33).

QUESTION 181
Which of the following is NOT a form of detective technical control?

A. Audit trails
B. Access control software
C. Honeypot
D. Intrusion detection system

Correct Answer: B
Explanation

Explanation/Reference:
Detective technical controls warn of technical access control violations. Access control software is rather
an example of a preventive technical control. The other choices represent detective technical controls.
Source: DUPUIS, Clément, Access Control Systems and Methodology CISSP Open Study Guide, version
10 (march 2002).

QUESTION 182
Which of the following does not apply to system-generated passwords?

A. Passwords are harder to remember for users.
B. If the password-generating algorithm gets to be known, the entire system is in jeopardy.
C. Passwords are more vulnerable to brute force and dictionary attacks.
D. Passwords are harder to guess for attackers.

Correct Answer: C
Explanation

Explanation/Reference:
Users tend to choose easier to remember passwords. System-generated passwords can provide stronger,
harder to guess passwords. Since they are based on rules provided by the administrator, they can include
combinations of uppercase/lowercase letters, numbers and special characters, making them less
vulnerable to brute force and dictionary attacks. One danger is that they are also harder to remember for
users, who will tend to write them down, making them more vulnerable to anyone having access to the
user's desk. Another danger with system-generated passwords is that if the password-generating algorithm
gets to be known, the entire system is in jeopardy.
Source: RUSSEL, Deborah & GANGEMI, G.T. Sr., Computer Security Basics, O'Reilly, July 1992 (page
64).

QUESTION 183
Which of the following is not a preventive login control?

A. Last login message
B. Password aging
C. Minimum password length
D. Account expiration

Correct Answer: A
Explanation

Explanation/Reference:
The last login message displays the last login date and time, allowing a user to discover if their account
was used by someone else. Hence, this is rather a detective control. Source: RUSSEL, Deborah &
GANGEMI, G.T. Sr., Computer Security Basics, O'Reilly, July 1992 (page 63).

QUESTION 184
What is the most critical characteristic of a biometric identifying system?

A. Perceived intrusiveness
B. Storage requirements
C. Accuracy
D. Scalability

Correct Answer: C
Explanation

Explanation/Reference:
Accuracy is the most critical characteristic of a biometric identifying verification system. Accuracy is
measured in terms of false rejection rate (FRR, or type I errors) and false acceptance rate (FAR or type II
errors).
The Crossover Error Rate (CER) is the point at which the FRR equals the FAR and has become the most
important measure of biometric system accuracy. Source: TIPTON, Harold F. & KRAUSE, Micki,
Information Security Management Handbook, 4th edition (volume 1), 2000, CRC Press, Chapter 1,
Biometric Identification (page 9).

QUESTION 185
What is considered the most important type of error to avoid for a biometric access control system?

A. Type I Error
B. Type II Error
C. Combined Error Rate
D. Crossover Error Rate

Correct Answer: B
Explanation

Explanation/Reference:
When a biometric system is used for access control, the most important error to avoid is the false accept
(false acceptance rate, or Type II error), where the system would accept an impostor. A Type I error is
known as the false reject (false rejection rate) and is not as important in the security context as a Type II
error. A Type I error is when a valid company employee is rejected by the system and cannot get access
even though it is a valid user. The Crossover Error Rate (CER) is the point at which the false rejection rate
equals the false acceptance rate if you were to graph Type I and Type II errors. The lower the CER, the
better the device.
The Combined Error Rate is a distracter and does not exist.

Source: TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th edition
(volume 1), 2000, CRC Press, Chapter 1, Biometric Identification (page 10).

QUESTION 186
How can an individual/person best be identified or authenticated to prevent local masquerading attacks?

A. User Id and password
B. Smart card and PIN code
C. Two-factor authentication
D. Biometrics

Correct Answer: D
Explanation

Explanation/Reference:
The only way to be truly positive in authenticating identity for access is to base the authentication on the
physical attributes of the persons themselves (i.e., biometric identification). Physical attributes cannot be
shared, borrowed, or duplicated. They ensure that you do identify the person; however, they are not perfect
and would have to be supplemented by another factor.
Some people are thrown off by the term masquerade. In general, a masquerade is a disguise. In terms of
communications security issues, a masquerade is a type of attack where the attacker pretends to be an
authorized user of a system in order to gain access to it or to gain greater privileges than they are
authorized for. A masquerade may be attempted through the use of stolen logon IDs and passwords,
through finding security gaps in programs, or through bypassing the authentication mechanism. Spoofing
is another term used to describe this type of attack.
A user ID only provides for identification.
A password is a weak authentication mechanism, since passwords can be disclosed, shared, written down,
and more.
A smart card can be stolen and its corresponding PIN code can be guessed by an intruder. A smart card
can be borrowed by a friend of yours, and you would have no clue as to who is really logging in using that
smart card.
Any form of two-factor authentication not involving biometrics cannot be as reliable as a biometric system
to identify the person.
See an extract below from the HISM book, volume 1:
Biometric identifying verification systems control people. If the person with the correct hand, eye, face,
signature, or voice is not present, the identification and verification cannot take place and the desired
action (i.e., portal passage, data, or resource access) does not occur.
As has been demonstrated many times, adversaries and criminals obtain and successfully use access
cards, even those that require the addition of a PIN. This is because these systems control only pieces of
plastic (and sometimes information), rather than people. Real asset and resource protection can only be
accomplished by people, not cards and information, because unauthorized persons can (and do) obtain
the cards and information. Further, life-cycle costs are significantly reduced because no card or PIN
administration system or personnel are required. The authorized person does not lose physical
characteristics (i.e., hands, face, eyes, signature, or voice), but cards and PINs are continuously lost,
stolen, or forgotten. This is why card access systems require systems and people to administer, control,
record, and issue (new) cards and PINs. Moreover, the cards are an expensive and recurring cost.

NOTE FROM CLEMENT:

This question has been generating lots of interest. The keyword in the question is: Individual (the person)
and also the authenticated portion as well.
I totally agree with you that Two-Factor or Strong Authentication would be the strongest means of
authentication. However, the question is not asking what is the strongest means of authentication; it is
asking what is the best way to identify the user (individual) behind the technology. When answering
questions, do not make assumptions about facts not presented in the question or answers.
Nothing can beat biometrics in such a case. You cannot lend your fingerprint and PIN to someone else; you
cannot borrow one of my eyeballs to defeat the iris or retina scan. This is why it is the best method to
authenticate the user.
I think the reference is playing with semantics and that makes it a bit confusing. I have improved the
question to make it a lot clearer and I have also improved the explanations attached to the question.
The reference mentioned above refers to authenticating the identity for access. So the distinction is being
made that there is identity and there is authentication. In the case of physical security, the enrollment
process is where the identity of the user would be validated, and then the biometric features provided by
the user would authenticate the user on a one-to-one matching basis (for authentication) against the
reference contained in the database of biometric templates. In the case of system access, the user might
have to provide a username, a PIN, a passphrase, a smart card, and then provide his biometric attributes.
Biometrics can also be used for identification purposes, where you do a one-to-many match. You take a
facial scan of someone within an airport and you attempt to match it against a large database of known
criminals and terrorists. This is how you could use biometrics for identification.

There are always THREE means of authentication, they are:

Something you know (Type 1)
Something you have (Type 2)
Something you are (Type 3)

Reference(s) used for this question:


TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th edition (volume 1)
, 2000, CRC Press, Chapter 1, Biometric Identification (page 7).
and
Search Security at http://searchsecurity.techtarget.com/definition/masquerade

QUESTION 187
Which authentication technique best protects against hijacking?

A. Static authentication
B. Continuous authentication
C. Robust authentication
D. Strong authentication

Correct Answer: B
Explanation

Explanation/Reference:
A continuous authentication provides protection against impostors who can see, alter, and insert
information passed between the claimant and verifier even after the claimant/verifier authentication is
complete. This is the best protection against hijacking. Static authentication is the type of authentication
provided by traditional password schemes and the strength of the authentication is highly dependent on
the difficulty of guessing passwords. The robust authentication mechanism relies on dynamic
authentication data that changes with each authenticated session between a claimant and a verifier, and it
does not protect against hijacking. Strong authentication refers to a two-factor authentication (like
something a user knows and something a user is).
Source: TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th edition
(volume 1), 2000, CRC Press, Chapter 3: Secured Connections to External Networks (page 51).
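What "continuous authentication" looks like on the wire, as an added example (not code from the page or the cited handbook). After the login exchange, both sides hold a session key (here assumed to be agreed already and simply drawn at random); every subsequent message carries a sequence number and an HMAC over it, so an attacker sitting between claimant and verifier cannot alter, replay or insert messages even though the login itself has long completed. The messages and the attacker's actions are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Message:
    seq: int        # monotonically increasing sequence number
    body: bytes     # application payload
    tag: bytes      # HMAC over seq || body


def _tag(key: bytes, seq: int, body: bytes) -> bytes:
    return hmac.new(key, seq.to_bytes(8, "big") + body, hashlib.sha256).digest()


class Claimant:
    """Holds the session key agreed at login and tags every message it sends."""

    def __init__(self, session_key: bytes) -> None:
        self._key = session_key
        self._seq = 0

    def send(self, body: bytes) -> Message:
        msg = Message(self._seq, body, _tag(self._key, self._seq, body))
        self._seq += 1
        return msg


class Verifier:
    """Re-authenticates every message instead of trusting the session after login."""

    def __init__(self, session_key: bytes) -> None:
        self._key = session_key
        self._expected_seq = 0

    def accept(self, msg: Message) -> bool:
        # Sequence check defeats replay and reordering; tag check defeats
        # alteration and injection by anyone without the session key.
        if msg.seq != self._expected_seq:
            return False
        if not hmac.compare_digest(_tag(self._key, msg.seq, msg.body), msg.tag):
            return False
        self._expected_seq += 1
        return True


def demo() -> Dict[str, bool]:
    """Run one session with an active attacker in the path; return each outcome."""
    session_key = os.urandom(32)           # assumed to come from the login exchange
    alice, server = Claimant(session_key), Verifier(session_key)
    results = {}

    first = alice.send(b"GET /balance")
    results["legit_first"] = server.accept(first)

    second = alice.send(b"TRANSFER 10 to bob")
    evil_body = b"TRANSFER 10000 to mallory"
    # Attacker alters the body but cannot recompute the tag.
    altered = Message(second.seq, evil_body, second.tag)
    results["altered"] = server.accept(altered)
    # Attacker replays the already-accepted first message.
    results["replayed"] = server.accept(first)
    # Attacker injects a message of their own under a guessed key.
    forged = Message(second.seq, evil_body, _tag(os.urandom(32), second.seq, evil_body))
    results["injected"] = server.accept(forged)
    # The genuine message still goes through afterwards.
    results["legit_second"] = server.accept(second)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:13s}: {'accepted' if ok else 'rejected'}")
```

A static password scheme gives the verifier nothing to check after login, which is exactly the window a session hijacker uses; in practice the per-message protection is supplied by a transport such as TLS or SSH rather than hand-rolled as here.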

QUESTION 188
Which of the following is not a security goal for remote access?

A. Reliable authentication of users and systems
B. Protection of confidential data
C. Easy to manage access control to systems and network resources
D. Automated login for remote users

Correct Answer: D
Explanation

Explanation/Reference:
An automated login function for remote users would imply a weak authentication, thus certainly not a
security goal.
Source: TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th edition,
volume 2, 2001, CRC Press, Chapter 5: An Introduction to Secure Remote Access (page 100).

QUESTION 189
Which of the following is most concerned with personnel security?

A. Management controls
B. Operational controls
C. Technical controls
D. Human resources controls

Correct Answer: B
Explanation

Explanation/Reference:
Many important issues in computer security involve human users, designers, implementers, and
managers.
A broad range of security issues relates to how these individuals interact with computers and the access
and authorities they need to do their jobs. Since operational controls address security methods focusing on
mechanisms primarily implemented and executed by people (as opposed to systems), personnel security
is considered a form of operational control. Operational controls are put in place to improve security of a
particular system (or group of systems). They often require specialized expertise and often rely upon
management activities as well as technical controls. Implementing dual control and making sure that you
have more than one person who can perform a task would fall into this category as well. Management
controls focus on the management of the IT security system and the management of risk for a system.
They are techniques and concerns that are normally addressed by management. Technical controls focus
on security controls that the computer system executes. The controls can provide automated protection
against unauthorized access or misuse, facilitate detection of security violations, and support security
requirements for applications and data.

Reference used for this question:

NIST SP 800-53 Revision 4, http://dx.doi.org/10.6028/NIST.SP.800-53r4

NIST SP 800-53 Revision 4 has superseded the document below:

SWANSON, Marianne, NIST Special Publication 800-26, Security Self-Assessment Guide for Information
Technology Systems, November 2001 (Page A-18).

QUESTION 190
Which of the following questions is less likely to help in assessing identification and authentication
controls?

A. Is a current list maintained and approved of authorized users and their access?
B. Are passwords changed at least every ninety days or earlier if needed?
C. Are inactive user identifications disabled after a specified period of time?
D. Is there a process for reporting incidents?

Correct Answer: D
Explanation

Explanation/Reference:
Identification and authentication is a technical measure that prevents unauthorized people (or unauthorized
processes) from entering an IT system. Access control usually requires that the system be able to identify
and differentiate among users. Reporting incidents is more related to incident response capability
(operational control) than to identification and authentication (technical control).
Source: SWANSON, Marianne, NIST Special Publication 800-26, Security Self-Assessment Guide for
Information Technology Systems, November 2001 (Pages A-30 to A-32).

QUESTION 191
How would nonrepudiation be best classified as?

A. A preventive control
B. A logical control
C. A corrective control
D. A compensating control

Correct Answer: A
Explanation

Explanation/Reference:
Systems accountability depends on the ability to ensure that senders cannot deny sending information and
that receivers cannot deny receiving it. Because the mechanisms implemented in nonrepudiation prevent
the ability to successfully repudiate an action, it can be considered as a preventive control.
Source: STONEBURNER, Gary, NIST Special Publication 800-33: Underlying Technical Models for
Information Technology Security, National Institute of Standards and Technology, December 2001, page 7

QUESTION 192
What are cognitive passwords?

A. Passwords that can be used only once.
B. Fact or opinion-based information used to verify an individual's identity.
C. Password generators that use a challenge response scheme.
D. Passphrases.

Correct Answer: B
Explanation

Explanation/Reference:
Cognitive passwords are fact or opinion-based information used to verify an individual's identity.
Passwords that can be used only once are one-time or dynamic passwords. Password generators that use
a challenge response scheme refer to token devices. A passphrase is a sequence of characters that is
longer than a password and is transformed into a virtual password.
Source: WALLHOFF, John, CISSP Summary 2002, April 2002, CBK#1 Access Control System &
Methodology (page 2), /Documents/CISSP_Summary_2002/index.html.

QUESTION 193
Which of the following Kerberos components holds all users' and services' cryptographic keys?

A. The Key Distribution Service
B. The Authentication Service
C. The Key Distribution Center
D. The Key Granting Service

Correct Answer: C
Explanation

Explanation/Reference:
The Key Distribution Center (KDC) holds all users' and services' cryptographic keys. It provides
authentication services, as well as key distribution functionality. The Authentication Service is the part of
the KDC that authenticates a principal. The Key Distribution Service and Key Granting Service are
distracters and are not defined Kerberos components. Source: WALLHOFF, John, CISSP Summary 2002,
April 2002, CBK#1 Access Control System & Methodology (page 3), /Documents/CISSP_Summary_2002/
index.html.
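The role of the KDC as the holder of every principal's key, as an added example (not code from the page, from MIT Kerberos or from any other implementation). It models only the Authentication Service exchange: the KDC hands the client a session key readable with the client's own key, plus a ticket readable only by the service, and the client proves itself to the service with an authenticator under that session key. The principals and keys are constructed; the ticket-granting step, timestamps checks and realm handling of real Kerberos are omitted, and the authenticated encryption is a toy built from HMAC-SHA256 in counter mode so the example runs with the standard library alone (real Kerberos uses AES-based encryption types).

```python
import hashlib
import hmac
import json
import os
import time
from typing import Dict, Tuple


# --- toy authenticated encryption -------------------------------------------
# HMAC-SHA256 in counter mode produces a keystream; a second HMAC authenticates
# the ciphertext. This stands in for Kerberos' real encryption types purely so
# the example runs without extra libraries; do not reuse it in production.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ciphertext, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


# --- the KDC and the two parties --------------------------------------------

class KDC:
    """Holds every principal's long-term key and issues tickets (AS exchange only)."""

    def __init__(self, keys: Dict[str, bytes]) -> None:
        self._keys = keys          # the secret database the question refers to

    def authentication_service(self, client: str, service: str) -> Tuple[bytes, bytes]:
        session_key = os.urandom(32)
        # Part for the client: readable only with the client's own key.
        for_client = encrypt(self._keys[client],
                             json.dumps({"service": service, "session_key": session_key.hex()}).encode())
        # Ticket for the service: readable only with the service's key, opaque to the client.
        ticket = encrypt(self._keys[service],
                         json.dumps({"client": client, "session_key": session_key.hex()}).encode())
        return for_client, ticket


def run_exchange(kdc: KDC, client: str, client_key: bytes, service: str, service_key: bytes) -> bool:
    """Client obtains a ticket and presents it with an authenticator; returns whether the service accepts."""
    for_client, ticket = kdc.authentication_service(client, service)
    try:
        session_key = bytes.fromhex(json.loads(decrypt(client_key, for_client))["session_key"])
    except ValueError:
        return False                       # the claimed client does not know its own key
    authenticator = encrypt(session_key, json.dumps({"client": client, "time": time.time()}).encode())

    # Service side: open the ticket with its own key, then the authenticator with the session key.
    try:
        ticket_body = json.loads(decrypt(service_key, ticket))
        auth_body = json.loads(decrypt(bytes.fromhex(ticket_body["session_key"]), authenticator))
    except ValueError:
        return False
    return auth_body["client"] == ticket_body["client"] == client


def demo() -> Tuple[bool, bool]:
    """Constructed principals: a user and a file service registered with the KDC."""
    keys = {"alice": os.urandom(32), "fileserver": os.urandom(32)}
    kdc = KDC(keys)
    genuine = run_exchange(kdc, "alice", keys["alice"], "fileserver", keys["fileserver"])
    impostor = run_exchange(kdc, "alice", os.urandom(32), "fileserver", keys["fileserver"])
    return genuine, impostor


if __name__ == "__main__":
    print("genuine client accepted:", demo()[0])
    print("impostor accepted:      ", demo()[1])
```

The service never talks to the KDC during the exchange and never learns the client's key; everything it needs is inside the ticket, which is why compromise of the KDC's key database compromises every principal at once.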

QUESTION 194
Most access violations are:

A. Accidental
B. Caused by internal hackers
C. Caused by external hackers
D. Related to Internet

Correct Answer: A
Explanation

Explanation/Reference:
The most likely source of exposure is from the uninformed, accidental or unknowing person, although the
greatest impact may be from those with malicious or fraudulent intent. Source: Information Systems Audit
and Control Association, Certified Information Systems Auditor 2002 review manual, Chapter 4: Protection
of Information Assets (page 192).

QUESTION 195
Which of the following biometrics devices has the highest Crossover Error Rate (CER)?

A. Iris scan
B. Hand geometry
C. Voice pattern
D. Fingerprints

Correct Answer: C
Explanation

Explanation/Reference:
The Crossover Error Rate (CER) is the point where the false rejection rate (type I error) equals the false
acceptance rate (type II error). The lower the CER, the better the accuracy of the device. At the time of this
writing, response times and accuracy of some devices are:

System type      Response time   Accuracy (CER)
Fingerprints     5-7 secs.       5%
Hand geometry    3-5 secs.       2%
Voice pattern    10-14 secs.     10%
Retina scan      4-7 secs.       1.5%
Iris scan        2.5-4 secs.     0.5%

The term EER, which means Equal Error Rate, is sometimes used instead of the term CER. It has the same
meaning.
Source: Chris Hare's CISSP Study Notes on Physical Security, based on ISC2 CBK document.
Available at http://www.ccure.org.

QUESTION 196
Which of the following is not a service provided by AAA servers (Radius, TACACS and DIAMETER)?

A. Authentication
B. Administration
C. Accounting
D. Authorization

Correct Answer: B
Explanation

Explanation/Reference:
Radius, TACACS and DIAMETER are classified as authentication, authorization, and accounting (AAA)
servers.
Source: TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition,
Volume 2, 2001, CRC Press, NY, Page 33
also see:
The term "AAA" is often used, describing cornerstone concepts [of the AIC triad] Authentication,
Authorization, and Accountability. Left out of the AAA acronym is Identification which is required before the
three "A's" can follow. Identity is a claim, Authentication proves an identity, Authorization describes the
action you can perform on a system once you have been identified and authenticated, and accountability
holds users accountable for their actions.
Reference: CISSP Study Guide, Conrad Misenar, Feldman p. 10-11, (c) 2010 Elsevier.

QUESTION 197
Which of the following protocols was used by the INITIAL version of the Terminal Access Controller Access
Control System (TACACS) for communication between clients and servers?

A. TCP
B. SSL
C. UDP
D. SSH

Correct Answer: C
Explanation

Explanation/Reference:
The original TACACS, developed in the early ARPANET days, had very limited functionality and used the
UDP transport. In the early 1990s, the protocol was extended to include additional functionality and the
transport changed to TCP.
TACACS is defined in RFC 1492 and uses (either TCP or UDP) port 49 by default. TACACS allows a
client to accept a username and password and send a query to a TACACS authentication server,
sometimes called a TACACS daemon or simply TACACSD. TACACSD uses TCP and usually runs on port
49. It determines whether to accept or deny the authentication request and sends a response back.

TACACS+
TACACS+ and RADIUS have generally replaced TACACS and XTACACS in more recently built or
updated networks. TACACS+ is an entirely new protocol and is not compatible with TACACS or
XTACACS. TACACS+ uses the Transmission Control Protocol (TCP) and RADIUS uses the User
Datagram Protocol (UDP). Since TCP is a connection-oriented protocol, TACACS+ does not have to
implement transmission control. RADIUS, however, does have to detect and correct transmission errors
such as packet loss and timeouts, since it rides on UDP, which is connectionless.
RADIUS encrypts only the user's password as it travels from the RADIUS client to the RADIUS server. All
other information, such as the username, authorization and accounting data, is transmitted in clear text.
Therefore it is vulnerable to different types of attacks. TACACS+ encrypts the whole packet body,
including all the information mentioned above, and therefore does not have the vulnerabilities present in
the RADIUS protocol.
RADIUS and TACACS+ are client/server protocols, which means the server portion cannot send
unsolicited commands to the client portion. The server portion can only speak when spoken to. Diameter is
a peer-based protocol that allows either end to initiate communication. This functionality allows the
Diameter server to send a message to the access server to request that the user provide another
authentication credential if she is attempting to access a secure resource.

Reference(s) used for this question:

http://en.wikipedia.org/wiki/TACACS
and
Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 239). McGraw-Hill.
Kindle Edition.
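The explanation above contrasts RADIUS, which hides only the password, with TACACS+, which hides the whole packet body. The following Python code is an added example and is not part of the exam guide or the references it cites. It implements the two RFC-defined obfuscation schemes, RADIUS User-Password hiding (RFC 2865, section 5.2) and TACACS+ body obfuscation (RFC 8907, section 4.5), on constructed sample data, so the difference in what stays readable on the wire can be checked directly. The shared secret, usernames, passwords, Request Authenticator and TACACS+ session id are constructed values, and the attribute and body layouts are simplified to what the comparison needs.

```python
import hashlib
import struct


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def radius_hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding.

    c1 = p1 XOR MD5(secret + RequestAuthenticator), cN = pN XOR MD5(secret + c(N-1)).
    Only this one attribute is transformed; everything else in the packet is sent as-is.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)   # pad to 16-byte blocks
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block
    return hidden


def radius_reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of radius_hide_password, as the RADIUS server performs it."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        clear += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def build_radius_attributes(secret: bytes, authenticator: bytes,
                            username: bytes, password: bytes) -> bytes:
    """User-Name (type 1) and User-Password (type 2) attributes in type/length/value form."""
    def attr(t: int, v: bytes) -> bytes:
        return bytes([t, len(v) + 2]) + v
    return attr(1, username) + attr(2, radius_hide_password(secret, authenticator, password))


def tacacs_plus_pad(secret: bytes, session_id: int, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5 pseudo_pad: a chained MD5 stream keyed by the shared secret
    and the packet header fields (session_id, version, seq_no), cut to the body length."""
    header = struct.pack("!I", session_id) + secret + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(header + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_plus_obfuscate(secret: bytes, session_id: int, version: int, seq_no: int, body: bytes) -> bytes:
    """Body XOR pseudo_pad; the same call de-obfuscates. The whole body, not just
    the password, is covered, which is the property the explanation contrasts."""
    return _xor(body, tacacs_plus_pad(secret, session_id, version, seq_no, len(body)))


def compare_on_the_wire() -> dict:
    """Constructed sample exchange; reports what an observer of the bytes can read."""
    secret = b"constructed-shared-secret"
    authenticator = bytes(range(16))          # constructed; a real RA is 16 random bytes
    username, password = b"alice", b"correct horse battery staple"
    radius_bytes = build_radius_attributes(secret, authenticator, username, password)
    tacacs_body = b"user=alice\x00passwd=" + password           # constructed authen body
    tacacs_bytes = tacacs_plus_obfuscate(secret, 0x1234ABCD, 0xC0, 1, tacacs_body)
    return {
        "radius_username_visible": username in radius_bytes,   # True: User-Name is clear text
        "radius_password_visible": password in radius_bytes,   # False: User-Password is hidden
        "tacacs_username_visible": username in tacacs_bytes,   # False: entire body is hidden
        "tacacs_round_trip": tacacs_plus_obfuscate(secret, 0x1234ABCD, 0xC0, 1, tacacs_bytes) == tacacs_body,
    }
```

Note that both schemes are MD5-based obfuscation rather than modern authenticated encryption; the point the code makes is only about coverage (one attribute versus the whole body), which is why a TACACS+ deployment still relies on the network path and the shared secret's strength.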

QUESTION 198
Which of the following can best eliminate dial-up access through a Remote Access Server as a hacking
vector?

A. Using a TACACS+ server.
B. Installing the Remote Access Server outside the firewall and forcing legitimate users to authenticate to
the firewall.
C. Setting modem ring count to at least 5
D. Only attaching modems to non-networked hosts.

Correct Answer: B
Explanation

Explanation/Reference:
Containing the dial-up problem is conceptually easy: by installing the Remote Access Server outside the
firewall and forcing legitimate users to authenticate to the firewall, any access to internal resources through
the RAS can be filtered as would any other connection coming from the Internet.
The use of a TACACS+ server by itself cannot eliminate hacking. Setting a modem ring count to 5 may
help in defeating war-dialing hackers who look for modems by dialing long series of numbers.
Attaching modems only to non-networked hosts is not practical and would not prevent these hosts from
being hacked.
Source: STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 2:
Hackers.

QUESTION 199
In the Bell-LaPadula model, the Star-property is also called:

A. The simple security property
B. The confidentiality property
C. The confinement property
D. The tranquility property

Correct Answer: C
Explanation

Explanation/Reference:
The Bell-LaPadula model focuses on data confidentiality and access to classified information, in contrast to
the Biba Integrity Model which describes rules for the protection of data integrity. In this formal model, the
entities in an information system are divided into subjects and objects. The notion of a "secure state" is
defined, and it is proven that each state transition preserves security by moving from secure state to
secure state, thereby proving that the system satisfies the security objectives of the model.
The Bell-LaPadula model is built on the concept of a state machine with a set of allowable states in a
system. The transition from one state to another state is defined by transition functions. A system state is
defined to be "secure" if the only permitted access modes of subjects to objects are in accordance with a
security policy.
To determine whether a specific access mode is allowed, the clearance of a subject is compared to the
classification of the object (more precisely, to the combination of classification and set of compartments,
making up the security level) to determine if the subject is authorized for the specific access mode.
The clearance/classification scheme is expressed in terms of a lattice. The model defines two mandatory
access control (MAC) rules and one discretionary access control (DAC) rule with three security properties:
The Simple Security Property - a subject at a given security level may not read an object at a higher
security level (no read-up).
The *-property (read "star"-property) - a subject at a given security level must not write to any object at a
lower security level (no write-down). The *-property is also known as the Confinement property.
The Discretionary Security Property - use an access control matrix to specify the discretionary access
control.
The transfer of information from a high-sensitivity document to a lower-sensitivity document may happen in
the Bell-LaPadula model via the concept of trusted subjects. Trusted Subjects are not restricted by the
*-property. Untrusted subjects are. Trusted Subjects must be shown to be trustworthy with regard to the
security policy. This security model is directed toward access control and is characterized by the phrase:
"no read up, no write down." Compare the Biba model, the Clark-Wilson model and the Chinese Wall.

With Bell-LaPadula, users can create content only at or above their own security level (i.e. secret
researchers can create secret or top-secret files but may not create public files; no write-down).
Conversely, users can view content only at or below their own security level (i.e. secret researchers can
view public or secret files, but may not view top-secret files; no read-up).
Strong * Property
The Strong * Property is an alternative to the *-Property in which subjects may write only to objects with a
matching security level. Thus, the write-up operation permitted in the usual *-Property is not present, only
a write-to-same-level operation. The Strong * Property is usually discussed in the context of multilevel
database management systems and is motivated by integrity concerns.
Tranquility principle
The tranquility principle of the Bell-LaPadula model states that the classification of a subject or object does
not change while it is being referenced. There are two forms to the tranquility principle: the "principle of
strong tranquility" states that security levels do not change during the normal operation of the system and
the "principle of weak tranquility" states that security levels do not change in a way that violates the rules of
a given security policy. Another interpretation of the tranquility principles is that they both apply only to the
period of time during which an operation involving an object or subject is occurring. That is, the strong
tranquility principle means that an object's security level/label will not change during an operation (such as
read or write); the weak tranquility principle means that an object's security level/label may change in a
way that does not violate the security policy during an operation.
Reference(s) used for this question:
http://en.wikipedia.org/wiki/Biba_Model
http://en.wikipedia.org/wiki/Mandatory_access_control
http://en.wikipedia.org/wiki/Discretionary_access_control
http://en.wikipedia.org/wiki/Clark-Wilson_model
http://en.wikipedia.org/wiki/Brewer_and_Nash_model
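The two mandatory rules, the Strong * variant and the trusted-subject exception described in the explanation above, as an added Python example that is not part of the exam guide or its references. A security level is modelled the way the explanation defines it, as a classification plus a set of compartments ordered as a lattice, and the access decision is made the way a reference monitor would make it. The level names, subjects and objects are constructed; the "secret researcher" cases reproduce the explanation's own examples and the compartment case goes one step beyond them.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Constructed lattice of classification levels (higher number dominates lower).
LEVELS = {"PUBLIC": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A security level: classification plus the set of compartments (need-to-know)."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order: level at least as high AND compartments a superset.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Label
    trusted: bool = False   # trusted subjects are exempt from the *-property


@dataclass(frozen=True)
class Obj:
    name: str
    classification: Label


def may_read(s: Subject, o: Obj) -> bool:
    """Simple Security Property: no read-up. The subject's clearance must
    dominate the object's classification."""
    return s.clearance.dominates(o.classification)


def may_write(s: Subject, o: Obj, strong_star: bool = False) -> bool:
    """*-property: no write-down. The object's classification must dominate the
    subject's clearance, so write-up is allowed. With strong_star=True only a
    write at exactly the subject's own label passes. Trusted subjects are not
    restricted by either form, as the explanation notes."""
    if s.trusted:
        return True
    if strong_star:
        return o.classification == s.clearance
    return o.classification.dominates(s.clearance)


def decide(s: Subject, o: Obj, mode: str, strong_star: bool = False) -> bool:
    """Reference-monitor entry point: True if the access mode is permitted."""
    if mode == "read":
        return may_read(s, o)
    if mode == "write":
        return may_write(s, o, strong_star)
    if mode == "read-write":   # both rules at once, which forces equal labels
        return may_read(s, o) and may_write(s, o, strong_star)
    raise ValueError(f"unknown access mode {mode!r}")


def example_decisions() -> dict:
    """The explanation's 'secret researcher' cases, plus a compartment case."""
    public = Obj("press-release", Label("PUBLIC"))
    secret = Obj("design-notes", Label("SECRET"))
    top_secret = Obj("war-plan", Label("TOP_SECRET"))
    secret_nuclear = Obj("reactor-spec", Label("SECRET", frozenset({"NUCLEAR"})))
    researcher = Subject("researcher", Label("SECRET"))
    guard = Subject("downgrade-guard", Label("SECRET"), trusted=True)
    return {
        "researcher reads public": decide(researcher, public, "read"),           # True
        "researcher reads top secret": decide(researcher, top_secret, "read"),   # False: no read-up
        "researcher writes top secret": decide(researcher, top_secret, "write"), # True: write-up allowed
        "researcher writes public": decide(researcher, public, "write"),         # False: no write-down
        "strong *: researcher writes top secret": decide(researcher, top_secret, "write", True),  # False
        "strong *: researcher writes secret": decide(researcher, secret, "write", True),          # True
        "trusted guard writes public": decide(guard, public, "write"),           # True: exempt
        "researcher reads SECRET//NUCLEAR": decide(researcher, secret_nuclear, "read"),  # False
        "researcher read-writes secret": decide(researcher, secret, "read-write"),      # True
    }
```

The compartment case shows why the explanation says the comparison is made against "the combination of classification and set of compartments": a SECRET clearance without the NUCLEAR compartment does not dominate a SECRET//NUCLEAR object, so the read is denied even though the levels match.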

QUESTION 200
An attack initiated by an entity that is authorized to access system resources but uses them in a way not
approved by those who granted the authorization is known as a(n):

A. active attack.
B. outside attack.
C. inside attack.
D. passive attack.

Correct Answer: C
Explanation

Explanation/Reference:
An inside attack is an attack initiated by an entity inside the security perimeter, an entity that is authorized
to access system resources but uses them in a way not approved by those who granted the authorization
whereas an outside attack is initiated from outside the perimeter, by an unauthorized or illegitimate user of
the system. An active attack attempts to alter system resources to affect their operation and a passive
attack attempts to learn or make use of the information from the system but does not affect system
resources. Source: SHIREY, Robert W., RFC 2828: Internet Security Glossary, May 2000

QUESTION 201
Which of the following can be defined as a framework that supports multiple, optional authentication
mechanisms for PPP, including cleartext passwords, challenge-response, and arbitrary dialog sequences?

A. Extensible Authentication Protocol
B. Challenge Handshake Authentication Protocol
C. Remote Authentication Dial-In User Service
D. Multilevel Authentication Protocol

Correct Answer: A
Explanation

Explanation/Reference:
RFC 2828 (Internet Security Glossary) defines the Extensible Authentication Protocol as a framework that
supports multiple, optional authentication mechanisms for PPP, including cleartext passwords,
challenge-response, and arbitrary dialog sequences. It is intended for use primarily by a host or router that
connects to a PPP network server via switched circuits or dial-up lines. The Remote Authentication Dial-In
User Service (RADIUS) is defined as an Internet protocol for carrying dial-in users' authentication
information and configuration information between a shared, centralized authentication server and a
network access server that needs to authenticate the users of its network access ports. The other option
is a distractor.
Source: SHIREY, Robert W., RFC 2828: Internet Security Glossary, May 2000

QUESTION 202
What is the name of the first mathematical model of a multi-level security policy used to define the concept
of a secure state, the modes of access, and rules for granting access?

A. Clark and Wilson Model
B. Harrison-Ruzzo-Ullman Model
C. Rivest and Shamir Model
D. Bell-LaPadula Model

Correct Answer: D
Explanation

Explanation/Reference:
Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

QUESTION 203
What is the PRIMARY use of a password?

A. Allow access to files.
B. Identify the user.
C. Authenticate the user.
D. Segregate various users' accesses.

Correct Answer: C
Explanation

Explanation/Reference:
Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

QUESTION 204
The three classic ways of authenticating yourself to the computer security software are:
something you know, something you have, and something:

A. you need.
B. you read.
C. you are.
D. you do.

Correct Answer: C
Explanation

Explanation/Reference:
Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

QUESTION 205
An access system that grants users only those rights necessary for them to perform their work is operating
on which security principle?

A. Discretionary Access
B. Least Privilege
C. Mandatory Access
D. Separation of Duties

Correct Answer: B
Explanation

Explanation/Reference:
Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

QUESTION 206
PINs, passwords, passphrases, tokens, smart cards, and biometric devices are all items that can be used
for authentication. When one of the items listed above is used in conjunction with a second factor to validate
authentication, it provides robust authentication of the individual by practicing which of the following?

A. Multi-party authentication
B. Two-factor authentication
C. Mandatory authentication
D. Discretionary authentication

Correct Answer: B
Explanation

Explanation/Reference:
Once an identity is established it must be authenticated. There exist numerous technologies and
implementations of authentication methods; however, they almost all fall under three major areas.

There are three fundamental types of authentication:

Authentication by knowledge--something a person knows
Authentication by possession--something a person has
Authentication by characteristic--something a person is

Logical controls related to these types are called "factors." Something you know can be a password or PIN,
something you have can be a token fob or smart card, and something you are is usually some form of
biometrics. Single-factor authentication is the employment of one of these factors, two-factor authentication
is using two of the three factors, and three-factor authentication is the combination of all three factors.
The general term for the use of more than one factor during authentication is multifactor authentication or
strong authentication.

Reference(s) used for this question:

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2
Press) (Kindle Locations 2367-2379). Auerbach Publications. Kindle Edition.

QUESTION 207
What would you call a network security control deployed in line that detects, alerts, and takes action when a
possible intrusion is detected?

A. Application Based Intrusion Detection System (AIDS)
B. Network Based Intrusion Detection System (NIDS)
C. Intrusion Prevention System (IPS)
D. Host Based Intrusion Detection System (HIDS)

Correct Answer: C
Explanation

Explanation/Reference:
IPS is a preventive and proactive mechanism whereas an IDS is detective and after the fact technology.

The following answers are incorrect:

HIDS, NIDS and AIDS are all types of Intrusion Detection Systems.
HIDS: Host Based Intrusion Detection System
HIDS is a software cluster that consists of an auditor for the file system, log file analyzers, an operating
system monitor, and a monitor for software changes. HIDS are used to supplement NIDS. NIDS cannot
make sense of encrypted traffic, but the HIDS might be able to detect that suspicious activities are taking
place after the decryption took place.
NIDS: Network Based Intrusion Detection System
NIDS software is used mostly for analyzing network activities. The NIDS will analyze ALL the traffic to
identify any pattern that might indicate that an attack is being attempted.
AIDS: Application Based Intrusion Detection System
The most popular non-commercial AIDS tools are honeypots. A honeypot is network services emulation
software that allows system administrators to monitor an intruder's actions. For Web applications,
mod_security, an open source intrusion detection and prevention engine, is very popular AIDS software.
Operating as an Apache Web server module, mod_security examines HTTP queries to protect Web
applications from known and sometimes unknown attacks.

The following reference(s) were/was used to create this question:

Shon Harris AIO 4th Edition page 260 from Access Control.

QUESTION 208
What is a security policy?

A. High level statements on management's expectations that must be met in regards to security
B. A policy that defines authentication to the network.
C. A policy that focuses on ensuring a secure posture and expresses management approval. It explains in
detail how to implement the requirements.
D. A statement that focuses on the authorization process for a system

Correct Answer: A
Explanation

Explanation/Reference:
A statement on the expectations that must be met to be considered compliant. This is because a policy is a
broad statement that management has approved of and stands behind to express the security
expectations for the organization.

The following answers are incorrect:

A statement that focuses on the authorization process for a system is incorrect because although
authorization might be an important element for meeting security policies, it is not the only focus.
A policy that defines authentication to the network is incorrect because authentication to the network is
only one aspect of an entire security concern. The policy must also focus on more than the network and
more than on authentication.
A policy that focuses on ensuring a secure posture and expresses management approval. It explains in
detail how to implement the requirements is incorrect due to the "explain in detail" portion. A policy is a
statement; it does not deal with specifics.

The following reference(s) were/was used to create this question:

Shon Harris, Latest All in One CISSP Exam Prep p227; also ISC2 Official Guide to the CISSP Exam, p82

QUESTION 209
Legacy single sign on (SSO) is:

A. Technology to allow users to authenticate to every application by entering the same user ID and
password each time, thus having to remember only a single password.
B. Technology to manage passwords consistently across multiple platforms, enforcing policies such as
password change intervals.
C. A mechanism where users can authenticate themselves once, and then a central repository of their
credentials is used to launch various legacy applications.
D. Another way of referring to SESAME and KryptoKnight, now that Kerberos is the de-facto industry
standard single sign on mechanism.

Correct Answer: C
Explanation
Explanation/Reference:
A mechanism where users can authenticate themselves once, and then a central repository of their
credentials is used to launch various legacy applications.

The following answers are incorrect:

Technology to allow users to authenticate to every application by entering the same user ID and password
each time, thus having to remember only a single password. This is a distractor. Note that it is not even a
description of SSO, because the user is entering a user ID and password for EACH access attempt.
Technology to manage passwords consistently across multiple platforms, enforcing policies such as
password change intervals. This is a good description of an Identity Management password management
system, but not of Legacy SSO.
Another way of referring to SESAME and KryptoKnight, now that Kerberos is the de-facto industry
standard single sign on mechanism. This is a distractor.

The following reference(s) were/was used to create this question:

Official (ISC)2 Guide to the CISSP CBK 2007, pg 176:
"many legacy systems do not support an external means to identify and authenticate users. Therefore, it is
possible to store the credentials outside of the various applications and have them automatically entered
on behalf of the user when an application is launched."

QUESTION 210
Identity Management solutions include such technologies as Directory services, Single Sign-On and Web
Access Management. There are many reasons for management to choose an identity management
solution.

Which of the following is a key management challenge regarding identity management solutions?

A. Increasing the number of points of failure.
B. Users will no longer be able to "recycle" their password for different applications.
C. Costs increase as identity management technologies require significant resources.
D. It must be able to scale to support high volumes of data and peak transaction rates.

Correct Answer: D
Explanation

Explanation/Reference:
Any identity management system used in an environment where there are tens of thousands of users must
be able to scale to support the volumes of data and peak transaction rates.

The following answers are incorrect:

Increasing the number of points of failure.
This is actually a potential negative impact of not implementing an identity management solution. Identity
management is meant to decrease the cost and inefficiencies that organizations struggle with so that failures
can be managed more efficiently.

Users will no longer be able to "recycle" their password for different applications. This is actually a function
of an effective password management system. Consistency and efficiency are maintained by minimizing
unique user authentication requirements.
Costs increase as identity management technologies require significant resources. On the contrary, "When
users access multiple systems, they may be presented with multiple log-in IDs, multiple passwords, and
multiple sign-on screens. This complexity is burdensome to users, who consequently have problems
accessing systems and incur productivity and support costs"

The following reference(s) were/was used to create this question:

ISC2 Official Guide to the CISSP CBK 2007, pg 173
"Key management challenges regarding identity management solutions are:" [consistency, efficiency,
usability, reliability and scalability.] "Scalability: Enterprises manage user profile data for large numbers of
people. There are typically tens of thousands of internal users, and hundreds or thousands of partners or
clients."

QUESTION 211
Which of the following describes the sequence of steps required for a Kerberos session to be established
between a user (Principal P1), and an application server (Principal P2)?

A. Principals P1 and P2 authenticate to the Key Distribution Center (KDC), Principal P1 receives a Ticket
Granting Ticket (TGT), and then Principal P2 requests a service ticket from the KDC.
B. Principal P1 authenticates to the Key Distribution Center (KDC), Principal P1 requests a Ticket Granting
Ticket (TGT) from the authentication server, and then Principal P1 requests a service ticket from the
application server P2.
C. Principal P1 authenticates to the Key Distribution Center (KDC), Principal P1 receives a Ticket Granting
Ticket (TGT), and Principal P1 requests a service ticket from the Ticket Granting Service (TGS) in
order to access the application server P2.
D. Principals P1 and P2 authenticate to the Key Distribution Center (KDC), Principal P1 requests a Ticket
Granting Ticket (TGT) from the authentication server, and application server P2 requests a service
ticket from P1.

Correct Answer: C
Explanation

Explanation/Reference:
"Principals P1 and P2 authenticate to the Key Distribution Center (KDC), Principal P1 receives a Ticket
Granting Ticket (TGT), and Principal P2 requests a service ticket from the KDC" is incorrect: Principal P2
does not request a service ticket. P1 would request a service ticket.
"Principals P1 and P2 authenticate to the Key Distribution Center (KDC), Principal P1 requests a Ticket
Granting Ticket (TGT) from the authentication server, and application server P2 requests a service ticket
from P1" is incorrect: a request by P1 to access P2 will fail without a service ticket, but this is not the best
answer.
"Principal P1 authenticates to the Key Distribution Center (KDC), Principal P1 requests a Ticket Granting
Ticket (TGT) from the authentication server, and Principal P1 requests a service ticket from the application
server P2" is incorrect: the request for a service ticket is made to the KDC, not to P2. P2 does not proxy
authentication requests for Principal P1.

The following reference(s) were/was used to create this question:

Sybex CISSP Study Guide, Third Edition. pg 21
Kerberos logon process: the user types in a username and password, a symmetric key is derived from the
password, and the user sends a Kerberos Authentication request to the KDC, which returns a TGT showing
the user was identified.

"1) The client sends its TGT back to Ticket Granting Service (TGS) on the KDC with request for access to
a server or service"
"3) A service ticket (ST) is granted and sent to the client. The service ticket includes a session key
encrypted with the client symmetric key and also encrypted with the service or server symmetric key"
"4) The client sends the ST to the server or service host."

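The Kerberos sequence the question tests (P1 authenticates to the KDC and receives a TGT, presents the TGT to the TGS for a service ticket, then presents that ticket to P2, which never contacts the KDC), as an added Python simulation that is neither the exam guide's nor the Sybex text's code. The realm, principals and passwords are constructed; enc/dec is a toy HMAC-SHA256 keystream cipher with an integrity tag standing in for the AES modes a real KDC uses, derive_key stands in for the Kerberos string-to-key function, and the message fields are simplified. The wrong-password path shows where the "symmetric key derived from the password" step fails.

```python
import hashlib
import hmac
import json
import os
import time


def derive_key(password: str, salt: str) -> bytes:
    """Stand-in for Kerberos string-to-key: the principal's long-term key comes from
    its password (assumption: PBKDF2-SHA256; real Kerberos has its own KDFs)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                    for i in range(n // 32 + 1))


def enc(key: bytes, fields: dict) -> bytes:
    """Toy authenticated encryption (HMAC keystream + HMAC tag), a stand-in for the
    AES modes a real KDC uses. Output layout: nonce || ciphertext || tag."""
    data = json.dumps(fields).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def dec(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Authentication Service (AS) and Ticket Granting Service (TGS) in one box."""

    def __init__(self, realm: str):
        self.realm = realm
        self.keys = {"krbtgt": os.urandom(32)}   # constructed principal database

    def register(self, principal: str, password: str) -> None:
        self.keys[principal] = derive_key(password, self.realm + principal)

    def as_exchange(self, client: str):
        """Steps 1-2: AS-REQ / AS-REP. The TGT is sealed under the TGS key so only
        the KDC can read it; the session key copy is sealed under the client's
        long-term key, so only a client who knows the password can use the TGT."""
        session_key = os.urandom(32)
        tgt = enc(self.keys["krbtgt"], {"client": client, "sk": session_key.hex(),
                                        "expires": time.time() + 600})
        return tgt, enc(self.keys[client], {"sk": session_key.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        """Steps 3-4: the client presents the TGT plus an authenticator under the
        TGT session key; the TGS answers with a service ticket (ST) sealed under
        the service's long-term key, plus a service session key for the client."""
        t = dec(self.keys["krbtgt"], tgt)
        a = dec(bytes.fromhex(t["sk"]), authenticator)
        if a["client"] != t["client"] or time.time() > t["expires"]:
            raise PermissionError("authenticator does not match TGT, or TGT expired")
        svc_key = os.urandom(32)
        st = enc(self.keys[service], {"client": t["client"], "sk": svc_key.hex()})
        return st, enc(bytes.fromhex(t["sk"]), {"sk": svc_key.hex(), "service": service})


def client_logon(kdc: KDC, user: str, password: str, service: str):
    """P1's side: derive the key from the password, obtain a TGT, then ask the TGS
    (not P2) for a service ticket. A wrong password fails when AS-REP cannot be opened."""
    key = derive_key(password, kdc.realm + user)
    tgt, as_rep = kdc.as_exchange(user)
    sk = bytes.fromhex(dec(key, as_rep)["sk"])
    st, tgs_rep = kdc.tgs_exchange(tgt, enc(sk, {"client": user, "ts": time.time()}), service)
    return st, bytes.fromhex(dec(sk, tgs_rep)["sk"])


def service_accept(service_key: bytes, st: bytes, authenticator: bytes) -> bool:
    """Step 5 (P2's side): open the ST with its own long-term key and check the
    authenticator under the enclosed session key; P2 never contacts the KDC."""
    t = dec(service_key, st)
    a = dec(bytes.fromhex(t["sk"]), authenticator)
    return a["client"] == t["client"]


def run_exchange() -> dict:
    """Constructed realm and principals; returns the outcome of each path."""
    kdc = KDC("EXAMPLE.TEST")
    kdc.register("p1", "constructed-user-password")
    kdc.register("p2", "constructed-service-password")
    st, svc_sk = client_logon(kdc, "p1", "constructed-user-password", "p2")
    p2_key = derive_key("constructed-service-password", kdc.realm + "p2")
    accepted = service_accept(p2_key, st, enc(svc_sk, {"client": "p1", "ts": time.time()}))
    try:
        client_logon(kdc, "p1", "wrong-password", "p2")
        wrong_pw_rejected = False
    except ValueError:
        wrong_pw_rejected = True
    return {"p2_accepts_ticket": accepted, "wrong_password_rejected": wrong_pw_rejected}
```

The simulation makes the answer to the question concrete: the only party that ever sees P2's long-term key besides P2 is the KDC, so a service ticket for P2 can only come from the TGS; P2 itself just opens the ticket it is handed.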
QUESTION 212
Which type of security control is also known as "Logical" control?

A. Physical
B. Technical
C. Administrative
D. Risk

Correct Answer: B
Explanation

Explanation/Reference:
Physical: This is a type of security control, but does not have an alternate name.
Administrative: This is a type of security control, but does not have an alternate name.
Risk: This is not a type of security control.

The following reference(s) were/was used to create this question:
Shon Harris AIO 4th Edition, Chapter 3, Page 57

QUESTION 213
Which of the following terms best describes a weakness that could potentially be exploited?

A. Vulnerability
B. Risk
C. Threat
D. Target of evaluation (TOE)

Correct Answer: A
Explanation

Explanation/Reference:
A vulnerability is mostly a weakness; it could be a weakness in a piece of software, it could be a weakness
in your physical security, it could take many forms. It is a weakness that could be exploited by a threat.
For example an open firewall port, a password that is never changed, or a flammable carpet. A missing
control is also considered to be a vulnerability.

The following answers are incorrect:

Risk:
It is the combination of a threat exploiting some vulnerability that could cause harm to some asset.
Management is concerned with many types of risk. Information Technology (IT) security risk management
addresses risks that arise from an organization's use of information technology. Usually a threat agent will
give rise to the threat, which will attempt to take advantage of one of your vulnerabilities.
Risk is a function of the likelihood that a threat scenario will materialize, its resulting impact
(consequences) and the existence/effectiveness of safeguards. If the evaluation of the risk meets the risk
deemed acceptable by management, nothing needs to be done. Situations where the evaluation of the risk
exceeds the accepted risk (target risk) will necessitate a risk management decision such as implementing
a safeguard to bring the risk down to an acceptable level.
Threat:
The possibility that a vulnerability may be exploited to cause harm to a system, environment, or personnel;
any potential danger. The risk level associated with a threat is evaluated by looking at the likelihood (which
is how often it could happen) and the impact (which is how much exposure or loss you would suffer) it
would have on the asset. A low impact threat that repeats itself multiple times would have to be addressed.
A high impact threat that happens infrequently would have to be addressed as well.

Target of evaluation:
The term Target of Evaluation is used under the Common Criteria evaluation scheme. It defines the
product being evaluated. It was only a distractor in this case and is not directly related to risk
management.

Risk management info

Risk Management is an iterative process, which ensures that reasonable and cost-effective steps are
taken to protect the:
Confidentiality of information stored, processed, or transmitted electronically
Integrity of the information and related processes
Availability of the information, systems and services against accidental and deliberate threats
Value of the asset and the cost of its replacement if it is compromised

You can manage risk by:

Confirming the appropriateness of minimum standards
Supplementing the standards when necessary
Eliminating unnecessary expenditures and administrative barriers

Managing risk therefore means defining:

What is at risk
Magnitude of the risk
Causal factors
What to do about the risk

The following reference(s) were/was used to create this question:

http://www.cse-cst.gc.ca/tutorials/english/section2/m2/index_e.htm and
The official CEH courseware Version 6 Module 1

QUESTION 214
Which of the following best describes an exploit?

A. An intentional hidden message or feature in an object such as a piece of software or a movie.
B. A chunk of data, or sequence of commands that take advantage of a bug, glitch or vulnerability in order
to cause unintended or unanticipated behavior to occur on computer software
C. An anomalous condition where a process attempts to store data beyond the boundaries of a
fixed-length buffer
D. A condition where a program (either an application or part of the operating system) stops performing its
expected function and also stops responding to other parts of the system

Correct Answer: B
Explanation

Explanation/Reference:
The following answers are incorrect:
An intentional hidden message or feature in an object such as a piece of software or a movie. This is the
definition of an "Easter Egg", which is code within code. A good example of this was a small flight simulator
that was hidden within Microsoft Excel. If you knew which cell to go to on your spreadsheet and the special
code to type in that cell, you were able to run the flight simulator.
An anomalous condition where a process attempts to store data beyond the boundaries of a fixed-length
buffer. This is the definition of a "Buffer Overflow". Many pieces of exploit code may contain some buffer
overflow code, but considering all the choices presented this was not the best choice. It is one of the
vulnerabilities that an exploit would take advantage of if no data input validation is taking place within the
software being targeted.
A condition where a program (either an application or part of the operating system) stops performing its
expected function and also stops responding to other parts of the system. This is the definition of a "System
Crash". Such behavior might be the result of exploit code being launched against the target.

The following reference(s) were/was used to create this question:

http://en.wikipedia.org/wiki/Main_Page
and
The official CEH courseware Version 6 Module 1
The Official CEH Courseware Version 7 Module 1

QUESTION 215
A smart card that has two chips with the capability of utilizing both contact and contactless formats is
called:

A. Contact Smart Cards
B. Contactless Smart Cards
C. Hybrid Cards
D. Combi Cards

Correct Answer: C
Explanation

Explanation/Reference:
This is a contactless smart card that has two chips with the capability of utilizing both contact and
contactless formats.
Two additional categories of cards are dual-interface cards and hybrid cards, as mentioned above.
Hybrid Card
A hybrid card has two chips, one with a contact interface and one with a contactless interface.
The two chips are not interconnected.

Dual-Interface card
Do not confuse this card with the Hybrid Card. This one has only one chip. A dual-interface card has a
single chip with both contact and contactless interfaces. With dual-interface cards, it is possible to access
the same chip using either a contact or contactless interface with a very high level of security.

Inner working of the cards

The chips used in all of these cards fall into two categories as well: microcontroller chips and memory
chips. A memory chip is like a small floppy disk with optional security. Memory chips are less expensive
than microcontrollers but with a corresponding decrease in data management security. Cards that use
memory chips depend on the security of the card reader for processing and are ideal for situations that
require low or medium security. A microcontroller chip can add, delete, and otherwise manipulate
information in its memory. A microcontroller is like a miniature computer, with an input/output port,
operating system, and hard disk. Smart cards with an embedded microcontroller have the unique ability to
store large amounts of data, carry out their own on-card functions (e.g., encryption and digital signatures)
and interact intelligently with a smart card reader.

The selection of a particular card technology is driven by a variety of issues, including:

Application dynamics
Prevailing market infrastructure
Economics of the business model
Strategy for shared application cards

Smart cards are used in many applications worldwide, including:

Secure identity applications - employee ID badges, citizen ID documents, electronic passports, driver's
licenses, online authentication devices
Healthcare applications - citizen health ID cards, physician ID cards, portable medical records cards
Payment applications - contact and contactless credit/debit cards, transit payment cards
Telecommunications applications - GSM Subscriber Identity Modules, pay telephone payment cards

The following answers are incorrect:

Contact Smart Cards

A contact smart card must be inserted into a smart card reader with a direct connection to a conductive
contact plate on the surface of the card (typically gold plated). Transmission of commands, data, and card
status takes place over these physical contact points.

Contactless Smart Cards

A contactless card requires only close proximity to a reader. Both the reader and the card have antennae,
and the two communicate using radio frequencies (RF) over this contactless link. Most contactless cards
also derive power for the internal chip from this electromagnetic signal. The range is typically one-half to
three inches for non-battery-powered cards, ideal for applications such as building entry and payment that
require a very fast card interface.

Combi Card
Combi cards are similar to hybrid cards, only they contain only one set of circuitry as opposed to two.

The following reference(s) were/was used to create this question:

Smart Card Primer at: http://www.smartcardalliance.org/pages/smart-cards-intro-primer

QUESTION 216
An employee ensures all cables are shielded, builds concrete walls that extend from the true floor to the
true ceiling and installs a white noise generator. What attack is the employee trying to protect against?

A. Emanation Attacks
B. Social Engineering
C. Object reuse
D. Wiretapping

Correct Answer: A
Explanation

Explanation/Reference:
Emanation attacks intercept the electromagnetic signals that radiate from computing equipment (cables,
monitors, keyboards) and reconstruct the data being processed. Countermeasures include shielded cabling,
white noise generators, control zones (enough physical separation that the signal cannot be captured from
outside the controlled area) and TEMPEST-rated equipment, which is shielded, often by enclosing it in a
Faraday cage.

The following answers were incorrect:


Social Engineering: social engineering does not involve hardware. A person makes use of his or her social
skills to trick someone into revealing information they should not disclose.

Object Reuse: this relates to the reuse of storage media. One must ensure that the media has been
sanitized properly before it is reused for another purpose. This is very important when computer
equipment is discarded or donated to a local charity. Ensure there is no sensitive data left by degaussing
the device or overwriting it multiple times.

Wiretapping: legally or illegally tapping into someone else's phone line to eavesdrop on their
communication.

The following reference(s) were/was used to create this question:


Shon Harris AIO 4th Edition

QUESTION 217
The best technique to authenticate to a system is to:

A. Establish biometric access through a secured server or Web site.


B. Ensure the person is authenticated by something he knows and something he has.
C. Maintain correct and accurate ACLs (access control lists) to allow access to applications.
D. Allow access only through user ID and password.

Correct Answer: B
Explanation

Explanation/Reference:
Something you know combined with something you have uses two authentication factors, which is stronger
than any single factor on its own. Strong authentication, or two-factor authentication, is widely accepted
as best practice for authentication.

There are three types of authentication factors:

Type 1 - Something you know (password, PIN)
Type 2 - Something you have (token, smart card, magnetic card)
Type 3 - Something you are (biometrics)

Whenever two of the three types of factors are used together, this is called strong authentication or
two-factor authentication.

The following answers are incorrect:


Establish biometric access through a secured server or Web site:

This is single-factor authentication and in most cases it is weaker than two factors. Biometric devices can
be tricked or circumvented in some cases, which is why they should be supplemented with a second factor
of authentication; multiple attacks have been demonstrated against different types of biometric devices.
Two factors is always the better choice for authenticating a user.

Maintain correct and accurate ACLs (access control lists) to allow access to applications:

ACLs are attached to objects. They are used within the access control matrix to define what level of access
each subject has on the object; an ACL is a column of the access control matrix. This is related to
authorization, not authentication.

Allow access only through user ID and password:


This is once again a single factor of authentication, because both the user ID and the password are
something the person knows.

QUESTION 218
Business Impact Analysis (BIA) is about

A. Technology
B. Supporting the mission of the organization
C. Due Care
D. Risk Assessment
Correct Answer: B
Explanation

Explanation/Reference:
Business impact analysis is not about technology; it is about supporting the mission of the organization.

The following answers are incorrect:


Technology
Due Care
Risk Assessment

The following reference(s) were/was used to create this question:


Information Security Management Handbook, Sixth Edition, by Tipton et al., page 321

QUESTION 219
You wish to make use of "port knocking" technologies. How can you BEST explain this?

A. Port knocking is where the client will attempt to connect to a predefined set of ports to identify him as
an authorized client.
B. Port knocking is where the user calls the server operator to have him start the service he wants to
connect to.
C. This is where all the ports are open on the server and the connecting client scans the open port to
which he wants to connect to see if it's open and running.
D. Port knocking is where the port sequence is encrypted with 3DES and only the server has the other key
to decrypt the port sequence.

Correct Answer: A
Explanation

Explanation/Reference:
With port knocking, the real service port (for example SSH) is kept closed by the firewall. The client sends
connection attempts to a pre-arranged sequence of closed ports; a daemon watching the firewall log
recognizes the sequence and temporarily opens the service port for that client's source address. The
sequence is a shared secret, so it identifies the client as authorized only as long as an attacker cannot
observe it: a plain knock sequence can be sniffed and replayed, which is why port knocking hides a service
rather than replacing its authentication.
The other answers are incorrect.
The following reference(s) were/was used to create this question:
http://www.portknocking.org/
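The server side of the mechanism described in answer A, as an added example for this page (not code from portknocking.org or from the exam material): a small state machine that consumes connection attempts to closed ports, tracks each source's progress through the secret sequence, and opens the protected port for that source once the whole sequence arrives in order and in time. The sequence, ports, timeouts and the firewall-log lines are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Hypothetical configuration for the example (not from the original page):
KNOCK_SEQUENCE = (7000, 8000, 9000)   # secret sequence of closed ports, in order
PROTECTED_PORT = 22                   # the service the knock unlocks
KNOCK_WINDOW = 10.0                   # seconds allowed to complete the whole sequence
OPEN_DURATION = 30.0                  # seconds the port stays open for a successful knocker


@dataclass
class KnockState:
    progress: int = 0       # how many ports of the sequence this source has hit, in order
    last_seen: float = 0.0


class PortKnockDaemon:
    """Server-side state machine: watches SYNs to closed ports (normally read from the
    firewall log) and opens PROTECTED_PORT for a source that sends the right sequence."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW, open_for=OPEN_DURATION):
        self.sequence = sequence
        self.window = window
        self.open_for = open_for
        self.states = {}     # src_ip -> KnockState
        self.allowed = {}    # src_ip -> time until which PROTECTED_PORT is open

    def observe(self, src_ip: str, dst_port: int, ts: float) -> bool:
        """Feed one connection attempt. Returns True when this attempt completes the
        sequence and the protected port is opened for src_ip."""
        st = self.states.setdefault(src_ip, KnockState())
        if st.progress and ts - st.last_seen > self.window:
            st.progress = 0                       # too slow: start over
        if dst_port == self.sequence[st.progress]:
            st.progress += 1
        else:
            # A wrong port resets the sequence; a hit on the first port counts as a restart
            st.progress = 1 if dst_port == self.sequence[0] else 0
        st.last_seen = ts
        if st.progress == len(self.sequence):
            self.allowed[src_ip] = ts + self.open_for
            st.progress = 0
            return True
        return False

    def is_allowed(self, src_ip: str, dst_port: int, ts: float) -> bool:
        """Would the firewall now accept a connection from src_ip to dst_port?"""
        if dst_port != PROTECTED_PORT:
            return False
        expiry = self.allowed.get(src_ip)
        return expiry is not None and ts <= expiry


# Constructed firewall-log format for the example: "<epoch> DROP SRC=<ip> ... DPT=<port>"
LOG_LINE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) .*SRC=(?P<src>[\d.]+) .*DPT=(?P<dpt>\d+)")

SAMPLE_LOG = [
    "100.0 DROP SRC=203.0.113.7 DST=198.51.100.1 PROTO=TCP DPT=7000",
    "101.0 DROP SRC=203.0.113.7 DST=198.51.100.1 PROTO=TCP DPT=8000",
    "101.5 DROP SRC=198.51.100.9 DST=198.51.100.1 PROTO=TCP DPT=8000",   # out of order: no knock
    "102.0 DROP SRC=203.0.113.7 DST=198.51.100.1 PROTO=TCP DPT=9000",
]


def replay_log(lines):
    """Drive the daemon from log lines; return the sources that completed the
    sequence (in order) and the daemon for further queries."""
    daemon = PortKnockDaemon()
    opened = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        if daemon.observe(m["src"], int(m["dpt"]), float(m["ts"])):
            opened.append(m["src"])
    return opened, daemon


if __name__ == "__main__":
    opened, d = replay_log(SAMPLE_LOG)
    print("opened for:", opened)
    print("203.0.113.7 may reach port 22 at t=110:", d.is_allowed("203.0.113.7", 22, 110.0))
    print("203.0.113.7 may reach port 22 at t=140:", d.is_allowed("203.0.113.7", 22, 140.0))
```

Note that anyone who can sniff the three SYNs learns the sequence, which is the limitation mentioned above; the daemon only decides who gets to talk to the service, and the service must still authenticate the client itself.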

QUESTION 220
Tim is a network administrator at Acme Inc. He is responsible for configuring the network devices. John, the
new security manager, reviews the configuration of the firewall configured by Tim and identifies an issue.
This specific firewall is configured in failover mode with another firewall. A sniffer on a PC connected to the
same switch as the firewalls can decipher the credentials used by Tim while configuring the firewalls.
Which of the following should be used by Tim to ensure that no one can eavesdrop on the
communication?

A. SSH
B. SFTP
C. SCP
D. RSH

Correct Answer: A
Explanation

Explanation/Reference:
The SSH protocol provides an encrypted terminal session to the remote firewalls. By encrypting the data, it
prevents sniffing attacks using a protocol analyzer also called a sniffer. With more and more computers
installed in networked environments, it often becomes necessary to access hosts from a remote location.
This normally means that a user sends login and password strings for authentication purposes. As long as
these strings are transmitted as plain text, they could be intercepted and misused to gain access to that
user account without the authorized user even knowing about it.
Apart from the fact that this would open all the user's files to an attacker, the illegal account could be used
to obtain administrator or root access or to penetrate other systems. In the past, remote connections were
established with telnet, which offers no guards against eavesdropping in the form of encryption or other
security mechanisms. There are other unprotected communication channels, like the traditional FTP
protocol and some remote copying programs. The SSH suite provides the necessary protection by
encrypting the authentication strings (usually a login name and a password) and all the other data
exchanged between the hosts. With SSH, the data flow could still be recorded by a third party, but the
contents are encrypted and cannot be reverted to plain text unless the encryption key is known. So SSH
enables secure communications over insecure networks such as the Internet.

The following answers are incorrect:


SCP and SFTP
Both transfer files over SSH rather than providing the interactive terminal session that configuring the
firewalls requires. SCP runs on port 22 and is based on the BSD RCP protocol tunneled through the Secure
Shell (SSH) protocol to provide encryption and authentication. SCP might not even be considered a
protocol in its own right, but merely a combination of RCP and SSH: RCP performs the file transfer and
SSH performs authentication and encryption. SCP protects the authenticity and confidentiality of the data in
transit and hinders packet sniffers from extracting usable information from the packets.
SCP has been superseded by the more comprehensive SFTP protocol, which is also based on SSH.

RSH
RSH allows a user to execute commands on a remote system without logging in to it interactively. For
example, RSH can be used to remotely examine the status of a number of access servers without
connecting to each communication server, executing the command, and then disconnecting from the
communication server.
Like rlogin, the rsh protocol is not secure for network use, because it sends information unencrypted over
the network, among other things. Some implementations also authenticate by sending unencrypted
passwords over the network. rsh has largely been replaced by the very similar SSH (secure shell) program
on untrusted networks such as the Internet. As an example of RSH use, the following executes the
command mkdir testdir as user remoteuser on the host remotecomputer:
rsh -l remoteuser remotecomputer "mkdir testdir"

After the command has finished, RSH terminates. If no command is specified, rsh logs in on the remote
system using rlogin.
The following reference(s) were/was used to create this question:
http://www.novell.com/documentation/suse91/suselinux-adminguide/html/ch19s02html and
http://en.wikipedia.org/wiki/Remote_Shell
and
http://en.wikipedia.org/wiki/Secure_copy

QUESTION 221
Tim's day to day responsibilities include monitoring health of devices on the network. He uses a Network
Monitoring System supporting SNMP to monitor the devices for any anomalies or high traffic passing
through the interfaces. Which of the protocols would be BEST to use if some of the requirements are to
prevent easy disclosure of the SNMP strings and authentication of the source of the packets?

A. UDP
B. SNMP V1
C. SNMP V3
D. SNMP V2

Correct Answer: C
Explanation

Explanation/Reference:
Simple Network Management Protocol (SNMP) is an Internet-standard protocol for managing devices on
IP networks. Devices that typically support SNMP include routers, switches, servers, workstations, printers,
modem racks, and more. It is used mostly in network management systems to monitor network-attached
devices for conditions that warrant administrative attention. SNMP is a component of the Internet Protocol
Suite as defined by the Internet Engineering Task Force (IETF).

SNMP V3
Although SNMPv3 makes no changes to the protocol aside from the addition of cryptographic security, it
looks much different due to new textual conventions, concepts, and terminology. SNMPv3 primarily added
security and remote configuration enhancements to SNMP. Security has been the biggest weakness of
SNMP since the beginning. Authentication in SNMP Versions 1 and 2 amounts to nothing more than a
password (community string) sent in clear text between a manager and agent. Each SNMPv3 message
contains security parameters which are encoded as an octet string. The meaning of these security
parameters depends on the security model being used.

SNMPv3 provides important security features:


Confidentiality - encryption of packets to prevent snooping by an unauthorized source.
Integrity - message integrity to ensure that a packet has not been tampered with in transit, including an
optional packet replay protection mechanism.
Authentication - to verify that the message is from a valid source.

The following answers are incorrect:

UDP
SNMP can run over the User Datagram Protocol (UDP), but UDP by itself is a transport protocol, not a
network monitoring protocol, and it adds no protection to the community strings.

SNMP V1
SNMP version 1 (SNMPv1) is the initial implementation of the SNMP protocol. SNMPv1 operates over
protocols such as User Datagram Protocol (UDP), Internet Protocol (IP), OSI Connectionless Network
Service (CLNS), AppleTalk Datagram-Delivery Protocol (DDP), and Novell Internet Packet Exchange
(IPX). SNMPv1 is widely used and is the de facto network- management protocol in the Internet
community.

SNMP V2
SNMPv2 (RFC 1441 through RFC 1452) revises version 1 and includes improvements in the areas of
performance, security, confidentiality, and manager-to-manager communications. It introduced
GetBulkRequest, an alternative to iterative GetNextRequests for retrieving large amounts of management
data in a single request. However, the new party-based security system in SNMPv2, viewed by many as
overly complex, was not widely accepted; the widely deployed SNMPv2c variant kept the cleartext
community string of version 1.

The following reference(s) were/was used to create this question:


http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol
Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 587). McGraw-Hill. Kindle
Edition.
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2
Press) (Kindle Locations 7434-7436). Auerbach Publications. Kindle Edition.

QUESTION 222
You have been approached by one of your clients. They are interested in doing some security
re-engineering. The client is looking at various information security models. It is a highly secure environment
where data at high classifications cannot be leaked to subjects at lower classifications. Of primary concern
to them is the identification of potential covert channels. As an Information Security Professional, which
model would you recommend to the client?

A. Information Flow Model combined with Bell Lapadula


B. Bell Lapadula
C. Biba
D. Information Flow Model

Correct Answer: A
Explanation

Explanation/Reference:
Securing the data manipulated by computing systems has been a challenge in the past years. Several
methods to limit the information disclosure exist today, such as access control lists, firewalls, and
cryptography. However, although these methods do impose limits on the information that is released by a
system, they provide no guarantees about information propagation. For example, access control lists of file
systems prevent unauthorized file access, but they do not control how the data is used afterwards.
Similarly, cryptography provides a means to exchange information privately across a non-secure channel,
but no guarantees about the confidentiality of the data are given once it is decrypted. In low level
information flow analysis, each variable is usually assigned a security level. The basic model comprises
two distinct levels: low and high, meaning, respectively, publicly observable information, and secret
information. To ensure confidentiality, flowing information from high to low variables should not be allowed.
On the other hand, to ensure integrity, flows to high variables should be restricted.
More generally, the security levels can be viewed as a lattice with information flowing only upwards in the
lattice.

Noninterference Models
This could have been another good answer as it would help in minimizing the damage from covert
channels.
The goal of a noninterference model is to help ensure that high-level actions (inputs) do not determine
what low-level users can see (outputs). Most of the security models presented are secured by permitting
restricted flows between high- and low-level users. The noninterference model keeps activities at
different security levels separate from each other. In this way, it minimizes leakage through covert
channels, because there is complete separation (noninterference) between security levels. Because a user
at a higher security level has no way to interfere with the activities at a lower level, the lower-level user
cannot get any information from the higher level.

The following answers are incorrect:


Bell Lapadula
The Bell-LaPadula Model (abbreviated BLP) is a state machine model used for enforcing access control in
government and military applications. It was developed by David Elliott Bell and Leonard J. LaPadula,
subsequent to strong guidance from Roger R. Schell to formalize the U.S. Department of Defense (DoD)
multilevel security (MLS) policy. The model is a formal state transition model of computer security policy
that describes a set of access control rules which use security labels on objects and clearances for
subjects. Security labels range from the most sensitive (e.g."Top Secret"), down to the least sensitive (e.g.,
"Unclassified" or "Public"). The Bell-LaPadula model focuses on data confidentiality and controlled access
to classified information, in contrast to the Biba Integrity Model which describes rules for the protection of
data integrity. In this formal model, the entities in an information system are divided into subjects and
objects. The notion of a "secure state" is defined, and it is proven that each state transition preserves
security by moving from secure state to secure state, thereby inductively proving that the system satisfies
the security objectives of the model. The BellLaPadula model is built on the concept of a state machine
with a set of allowable states in a computer network system. The transition from one state to another state
is defined by transition functions. A system state is defined to be "secure" if the only permitted access
modes of subjects to objects are in accordance with a security policy. To determine whether a specific
access mode is allowed, the clearance of a subject is compared to the classification of the object (more
precisely, to the combination of classification and set of compartments, making up the security level) to
determine if the subject is authorized for the specific access mode. The clearance/classification scheme is
expressed in terms of a lattice. The model defines two mandatory access control (MAC) rules and one
discretionary access control (DAC) rule with three security properties:
The Simple Security Property - a subject at a given security level may not read an object at a higher
security level (no read-up).
The *-property (read "star"-property) - a subject at a given security level must not write to any object at a
lower security level (no write-down). The *-property is also known as the confinement property.
The Discretionary Security Property - use of an access matrix to specify the discretionary access control.
The transfer of information from a high-sensitivity document to a lower-sensitivity document may happen in
the Bell-LaPadula model via the concept of trusted subjects. Trusted subjects are not restricted by the
*-property; untrusted subjects are. Trusted subjects must be shown to be trustworthy with regard to the
security policy. This security model is directed toward access control and is characterized by the phrase:
"no read up, no write down." With Bell-LaPadula, users can create content only at or above their own
security level (i.e. secret researchers can create secret or top-secret files but may not create public files;
no write-down). Conversely, users can view content only at or below their own security level (i.e. secret
researchers can view public or secret files, but may not view top-secret files; no read-up).

The Bell-LaPadula model explicitly defined its scope. It did not treat the following extensively:
Covert channels - passing information via pre-arranged actions was described only briefly.
Networks of systems - later modeling work did address this topic.
Policies outside multilevel security - work in the early 1990s showed that MLS is one version of boolean
policies, as are all other published policies.

Biba
The Biba Model or Biba Integrity Model developed by Kenneth J. Biba in 1977, is a formal state transition
system of computer security policy that describes a set of access control rules designed to ensure data
integrity. Data and subjects are grouped into ordered levels of integrity. The model is designed so that
subjects may not corrupt objects in a level ranked higher than the subject, or be corrupted by objects from
a lower level than the subject. In general the model was developed to circumvent a weakness in the Bell-
LaPadula model which only addresses data confidentiality.
In general, preservation of data integrity has three goals:
Prevent data modification by unauthorized parties
Prevent unauthorized data modification by authorized parties
Maintain internal and external consistency (i.e. data reflects the real world)

Note: Biba address only the first goal of integrity while Clark-Wilson addresses all three

This security model is directed toward data integrity (rather than confidentiality) and is characterized by the
phrase: "no read down, no write up". This is in contrast to the Bell-LaPadula model which is characterized
by the phrase "no write down, no read up". In the Biba model, users can only create content at or below
their own integrity level (a monk may write a prayer book that can be read by commoners, but not one to
be read by a high priest). Conversely, users can only view content at or above their own integrity level (a
monk may read a book written by the high priest, but may not read a pamphlet written by a lowly
commoner). Another analogy to consider is that of the military chain of command. A General may write
orders to a Colonel, who can issue these orders to a Major. In this fashion, the General's original orders
are kept intact and the mission of the military is protected (thus, "no read down" integrity). Conversely, a
Private can never issue orders to his Sergeant, who may never issue orders to a Lieutenant, also
protecting the integrity of the mission ("no write up").

The Biba model defines a set of security rules similar to the Bell-LaPadula model. These rules are the
reverse of the Bell-LaPadula rules:
The Simple Integrity Axiom states that a subject at a given level of integrity must not read an object at a
lower integrity level (no read down).
The * (star) Integrity Axiom states that a subject at a given level of integrity must not write to any object at a
higher level of integrity (no write up).

Lattice Model
In computer security, lattice-based access control (LBAC) is a complex access control model based on the
interaction between any combination of objects (such as resources, computers, and applications) and
subjects (such as individuals, groups or organizations).

In this type of label-based mandatory access control model, a lattice is used to define the levels of security
that an object may have and that a subject may have access to. The subject is only allowed to access an
object if the security level of the subject is greater than or equal to that of the object.
Mathematically, the security level access may also be expressed in terms of the lattice (a partial order set)
where each object and subject have a greatest lower bound (meet) and least upper bound (join) of access
rights. For example, if two subjects A and B need access to an object, the security level is defined as the
meet of the levels of A and B. In another example, if two objects X and Y are combined, they form another
object Z, which is assigned the security level formed by the join of the levels of X and Y.

The following reference(s) were/was used to create this question:


ISC2 Review Seminar Student Manual V800, page 255 (Dorothy Denning developed the information flow
model to address covert channels)
and
The ISC2 Official Study Guide, Second Edition, pages 683-685 and
https://secure.wikimedia.org/wikipedia/en/wiki/Biba_security_model and
https://secure.wikimedia.org/wikipedia/en/wiki/Bell%E2%80%93LaPadula_model and
https://secure.wikimedia.org/wikipedia/en/wiki/Lattice-based_access_control
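The lattice, the information flow rule, and the Bell-LaPadula and Biba access rules described above, as an added worked example (Python written for this page, not code from any of the references): labels are a classification plus a compartment set, dominance is "higher-or-equal level and a superset of compartments", and meet and join are computed exactly as the lattice section describes. The classification names and compartments are hypothetical. The example also shows that Bell-LaPadula's write rule is the information flow rule restated, and that Biba is the same lattice with the rules reversed.

```python
from dataclasses import dataclass

# Hypothetical classification hierarchy for the example (ordered lowest to highest).
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    """A security level: classification plus a set of compartments (need-to-know).
    Two labels are comparable only when one dominates the other."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def join(a: Label, b: Label) -> Label:
    """Least upper bound: the label an object Z gets when objects X and Y are combined."""
    level = a.level if LEVELS[a.level] >= LEVELS[b.level] else b.level
    return Label(level, a.compartments | b.compartments)


def meet(a: Label, b: Label) -> Label:
    """Greatest lower bound: the highest label subjects A and B can both still reach."""
    level = a.level if LEVELS[a.level] <= LEVELS[b.level] else b.level
    return Label(level, a.compartments & b.compartments)


# Information flow model: information may flow from src to dst only upward in the lattice.
def flow_allowed(src: Label, dst: Label) -> bool:
    return dst.dominates(src)


# Bell-LaPadula (confidentiality): no read up, no write down.
def blp_can_read(subject: Label, obj: Label) -> bool:
    return subject.dominates(obj)          # simple security property


def blp_can_write(subject: Label, obj: Label) -> bool:
    return flow_allowed(subject, obj)      # *-property: the object must dominate the subject


# Biba (integrity): the same lattice with the rules reversed: no read down, no write up.
def biba_can_read(subject: Label, obj: Label) -> bool:
    return obj.dominates(subject)          # simple integrity axiom


def biba_can_write(subject: Label, obj: Label) -> bool:
    return subject.dominates(obj)          # * integrity axiom


if __name__ == "__main__":
    analyst = Label("Secret", frozenset({"NUCLEAR"}))
    report = Label("Top Secret", frozenset({"NUCLEAR"}))
    memo = Label("Confidential")
    print("BLP: analyst reads TS report?", blp_can_read(analyst, report))     # no read up
    print("BLP: analyst writes to memo?", blp_can_write(analyst, memo))       # no write down
    print("Biba: analyst reads memo?", biba_can_read(analyst, memo))          # no read down
    x = Label("Secret", frozenset({"A"}))
    y = Label("Confidential", frozenset({"B"}))
    print("join(x, y) =", join(x, y), " meet(x, y) =", meet(x, y))
    print("x and y comparable?", x.dominates(y) or y.dominates(x))
```

The two labels `x` and `y` at the end are incomparable: neither dominates the other, so neither Bell-LaPadula rule permits any access between them, yet their join is a well-defined label for a document that combines both. That is what "the security levels can be viewed as a lattice" buys over a simple total ordering.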

QUESTION 223
Which of the following is a reasonable response from the Intrusion Detection System (IDS) when it detects
Internet Protocol (IP) packets where the IP source address and port is the same as the destination IP
address and port?

A. Allow the packet to be processed by the network and record the event
B. Record selected information about the packets and drop the packets
C. Resolve the destination address and process the packet
D. Translate the source address and resend the packet

Correct Answer: B
Explanation

Explanation/Reference:
This question refers specifically to the LAND attack. It tests your ability to recognize common attacks such
as the LAND attack and also your understanding of what would be an acceptable action for your Intrusion
Detection System to take.

You must remember what a LAND attack is for the purpose of the exam. You must also remember that
an IDS is not only a passive device. In the context of the exam it is considered an active device that is
MOSTLY passive. It can take some blocking actions, such as changing a rule on a router or firewall, for
example.
In the case of the LAND attack and this specific question, it must be understood that most operating
system TCP/IP stacks today are not vulnerable to such an attack. Many common firewalls could also drop
any traffic with the same source IP/port as the destination IP/port. So there are multiple layers where such
an attack could be stopped. The downside of an IDS compared with an IPS is that it usually reacts after
the packets have been sent over the network. A single-packet attack such as the LAND attack could be
detected but would still complete and affect the destination target. This is where an IPS could come into
play and stop the attack before it completes.

TechTarget's SearchSecurity website has the following definition for this type of attack:
A land attack is a remote denial-of-service (DoS) attack caused by sending a packet to a machine with the
source host/port the same as the destination host/port. This is a rather old attack and current patches
should stop it on most systems. This is one of the attacks you are expected to know within the CBK.
This question asks specifically what the reaction of the IDS would be. The choices presented and the
question itself DO NOT talk about IPS, WIDS, or other monitoring tools. It only mentions IDS. Restrict
yourself to the context of the question.

MISCONCEPTIONS
Many people have the misconception that an IDS can only record events and has no ability to take active
response. This is NOT true. An IDS could reset a connection when an attack is detected. An IDS could
change a rule on the firewall to block the attacker. An IDS could change a rule on a router to block
offending traffic. IDS do have the ability to take active response and this is not reserved only for IPS.
The second misconception is that within the ISC2 CBK an IDS is always a passive only system and does
not take any blocking actions, this is not true. The IDS is a lot more limited than IPS as we are mentioning
below but they do have the ability to block some of the attacks or traffic.

Here is a quote from the latest ISC2 on this subject:


Intrusion detection and prevention systems are used to identify and respond to suspected security-related
events in real-time or near-real-time. Intrusion Detection Systems (IDS) will use available information to
determine if an attack is underway, send alerts, and provide limited response capabilities. Intrusion
Prevention Systems (IPS) will use available information to determine if an attack is underway, send alerts
but also block the attack from reaching its intended target.

SANS GIAC HAS A GREAT PAPER ON THIS TOPIC


What does limited response mean? It usually means active response in the context of an IDS. There is a
nice paper in the SANS library on this topic; you can find it at
http://www.sans.org/security-resources/idfaq/active.php

See a small extract below:


Active Response is a mechanism in intrusion detection systems (IDS) that provides the IDS with the
capability to respond to an attack when it has been detected. There are two methods the IDS can use to
circumvent an attack: the first is session disruption, and the second is filter rule manipulation. The specific
feature varies with each IDS product, and each countermeasure method possesses its own strengths and
weaknesses. (See the paper above for more details of these techniques.)
See the references below for more information if you are into this type of material; otherwise keep it simple,
as described below.

Do not get too deep into this topic


The discussion about what is an IDS and what is an IPS has been ongoing for the past decade at least.
Just do a quick Google search of "IDS versus IPS" and you will see what I mean. Old timers like me will
remember doing blocking with their IDS when such tools first came out. At that time the term IPS did not
even exist.
For the purpose of the exam, keep it simple. If the intrusion detection system is inline and blocks attacks,
it is an IPS. If the intrusion detection system only monitors traffic and activity without blocking, it is an IDS.
An IPS could be configured to act like an IDS, where it will not block anything if the administrator of the
device did not configure any blocking rules on the IPS. However, the opposite is not true: you cannot
configure an IDS to act as an IPS, as it does not have the capabilities that an IPS would have.
IPS are usually deployed inline and IDS are not deployed inline.

The following answers are incorrect:


Allow the packet to be processed by the network and record the event
A spoofed packet is almost sure to be malicious and should be dropped. Note that some students may
argue that an IDS itself does not drop the packets, but it could terminate the connection by sending Reset
(RST) packets to the sender while pretending to be the target. The IDS could also change an ACL or rule
on the router or firewall to block connections from the source IP.

Resolve the destination address and process the packet
The 'correct' destination address could not be determined by the IDS.

Translate the source address and resend the packet
The 'correct' source address could not be reliably determined by the IDS.

The following reference(s) were/was used to create this question:


Official (ISC)2 Guide to the CISSP CBK, Second Edition, Network Intrusion Detection
and
Corporate; (Isc)² (2010-04-20). Official (ISC)2 Guide to the CISSP CBK, Second Edition ((ISC)2 Press)
(Kindle Locations 12545-12548). Taylor & Francis. Kindle Edition.
and
Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition: Security
Operations (Kindle Locations 704-707). Kindle Edition.
and
http://searchsecurity.techtarget.com/answer/What-is-a-land-attack and
http://www.symantec.com/connect/articles/understanding-ids-active-response-mechanisms and
http://www.sans.org/security-resources/idfaq/active.php
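The detection step behind answer B, as an added example (Python written for this page, not code from any IDS product or from the references above): a minimal IPv4/TCP header parser that honours the IHL field, the LAND signature check (source address and port equal to destination address and port), and a handler that records selected fields and drops the packet. The packets are constructed in the block itself; their checksums are left at zero, which a real sensor would validate before anything else.

```python
import socket
import struct

IPPROTO_TCP = 6


def build_ipv4_tcp_syn(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bytes:
    """Construct a minimal 40-byte IPv4 + TCP SYN for the example. IP and TCP checksums
    are left at zero here; a real capture carries valid ones."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          src_port, dst_port, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return ip_hdr + tcp_hdr


def parse_ipv4_tcp(frame: bytes):
    """Return (src_ip, src_port, dst_ip, dst_port) from a raw IPv4/TCP packet, using the
    IHL field so that IP options do not shift where the TCP ports are read from."""
    if frame[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != IPPROTO_TCP:
        raise ValueError("not TCP")
    src_ip = socket.inet_ntoa(frame[12:16])
    dst_ip = socket.inet_ntoa(frame[16:20])
    src_port, dst_port = struct.unpack("!HH", frame[ihl:ihl + 4])
    return src_ip, src_port, dst_ip, dst_port


def is_land_packet(frame: bytes) -> bool:
    """LAND signature: source address and port identical to destination address and port."""
    src_ip, src_port, dst_ip, dst_port = parse_ipv4_tcp(frame)
    return src_ip == dst_ip and src_port == dst_port


def ids_handle(frame: bytes, event_log: list):
    """Answer B in code: record selected fields about the packet and drop it (return None).
    Any other packet is passed through unchanged."""
    src_ip, src_port, dst_ip, dst_port = parse_ipv4_tcp(frame)
    if src_ip == dst_ip and src_port == dst_port:
        event_log.append(
            f"LAND attack: {src_ip}:{src_port} -> {dst_ip}:{dst_port} len={len(frame)} dropped")
        return None
    return frame


if __name__ == "__main__":
    # Constructed traffic: one LAND packet aimed at a hypothetical host, one normal SYN.
    land = build_ipv4_tcp_syn("198.51.100.10", 139, "198.51.100.10", 139)
    normal = build_ipv4_tcp_syn("203.0.113.5", 40000, "198.51.100.10", 139)
    log = []
    for pkt in (land, normal):
        verdict = ids_handle(pkt, log)
        print("dropped" if verdict is None else "passed", parse_ipv4_tcp(pkt))
    print("\n".join(log))
```

A single comparison like this is cheap enough to run on every packet, which is why it sits in both IDS signatures and firewall anti-spoofing rules; note that the parser must use the IHL-derived offset, or a packet with IP options would have its ports read from the wrong bytes and slip past the check.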

QUESTION 224
What is the BEST definition of SQL injection?

A. SQL injection is a database problem.


B. SQL injection is a web Server problem.
C. SQL injection is a windows and Linux website problem that could be corrected by applying a website
vendors patch.
D. SQL injection is an input validation problem.

Correct Answer: D
Explanation

Explanation/Reference:
SQL injection is the execution of unexpected SQL in the database as a result of unsanitized user input being
accepted and used in the application code to form the SQL statement. It is a coding problem which affects
in-house, open source and commercial software alike.

The following answers are incorrect:


SQL injection is a database problem.
SQL injection is a web Server problem.
SQL injection is a windows and Linux website problem that could be corrected by applying a website
vendors patch.

The following reference(s) were/was used to create this question:


https://security.berkeley.edu/sites/default/files/uploads/SQLi_Prevention.pdf (page 9 and 10)

QUESTION 225
You are a security consultant who is required to perform penetration testing on a client's network. During
penetration testing, you are required to use a compromised system to attack other systems on the network
to avoid network restrictions like firewalls. Which method would you use in this scenario:

A. Black box Method


B. Pivoting method
C. White Box Method.
D. Grey Box Method
Correct Answer: B
Explanation

Explanation/Reference:
Pivoting refers to a method used by penetration testers in which a compromised system is used to attack
other systems on the same network, bypassing restrictions such as firewall configurations that may
prohibit direct access to all machines. For example, once an attacker compromises a web server on a
corporate network, the attacker can use that web server to attack other systems on the network. These
types of attacks are often called multi-layered attacks. Pivoting is also known as island hopping.

Pivoting can further be distinguished into proxy pivoting and VPN pivoting:
Proxy pivoting generally describes the practice of channeling traffic through a compromised target using a
proxy payload on the machine and launching attacks from this computer. This type of pivoting is
restricted to certain TCP and UDP ports that are supported by the proxy. VPN pivoting enables the
attacker to create an encrypted layer 2 tunnel into the compromised machine to route any network traffic
through that target machine, for example to run a vulnerability scan on the internal network through the
compromised machine, effectively giving the attacker full network access as if they were behind the
firewall.

Typically, the proxy or VPN applications enabling pivoting are executed on the target computer as the
payload (software) of an exploit.

The following answers are incorrect:


Black Box Method
Black-box testing is a method of software testing that tests the functionality of an application as opposed to
its internal structures or workings (see white-box testing). Specific knowledge of the application's code/
internal structure and programming knowledge in general is not required. The tester is only aware of what
the software is supposed to do, but not how; i.e., when he enters a certain input, he gets a certain output,
without being aware of how the output was produced in the first place. Test cases are built around
specifications and requirements, i.e., what the application is supposed to do. It uses external descriptions
of the software, including specifications, requirements, and designs to derive test cases. These tests can
be functional or non-functional, though usually functional. The test designer selects valid and invalid inputs
and determines the correct output. There is no knowledge of the test object's internal structure. For
penetration testing it means that you have no knowledge of the target. You may only get an IP address or
a domain name, and from that very limited amount of knowledge you must attempt to find all that you can.
White Box Method
In penetration testing, white-box testing refers to a methodology where a white hat hacker has full
knowledge of the system being attacked. The goal of a white-box penetration test is to simulate a malicious
insider who has some knowledge and possibly basic credentials to the target system.

Grey Box Method
Gray-box testing is a combination of white-box testing and black-box testing. The aim of this testing is to
search for defects, if any, due to improper structure or improper usage of applications. In the context of the
CEH this also means an internal test of company networks.

The following reference(s) were/was used to create this question:


https://en.wikipedia.org/wiki/Exploit_%28computer_security%29#Pivoting
https://en.wikipedia.org/wiki/Black-box_testing
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2
Press) (Kindle Locations 4656-4657). Auerbach Publications. Kindle Edition.

QUESTION 226
Which answer best describes a computer software attack that takes advantage of a previously unpublished
vulnerability?

A. Zero-Day Attack
B. Exploit Attack
C. Vulnerability Attack
D. Software Crack

Correct Answer: A
Explanation
Explanation/Reference:
A zero-day (or zero-hour, or 0day, or day zero) attack or threat is a computer threat that tries to exploit
computer application vulnerabilities that are unknown to others or the software developer. Zero-day
exploits (actual software that uses a security hole to carry out an attack) are used or shared by attackers
before the developer of the target software knows about the vulnerability.
The term derives from the age of the exploit. A "zero day" attack occurs on or before the first or "zeroth"
day of developer awareness, meaning the developer has not had any opportunity to distribute a security fix
to users of the software.
Zero-day attacks occur during the vulnerability window that exists in the time between when a vulnerability
is first exploited and when software developers start to develop a counter to that threat.
For viruses, Trojans and other zero-day attacks, the vulnerability window follows this time line:

- The developer creates software containing an unknown vulnerability.
- The attacker finds the vulnerability before the developer does.
- The attacker writes and distributes an exploit while the vulnerability is not known to the developer.
- The developer becomes aware of the vulnerability and starts developing a fix.

The following answers are incorrect:

Exploit Attack
An exploit (from the verb to exploit, in the meaning of using something to one's own advantage) is a piece
of software, a chunk of data, or sequence of commands that takes advantage of a bug, glitch or
vulnerability in order to cause unintended or unanticipated behavior to occur on computer software,
hardware, or something electronic (usually computerised). This frequently includes such things as gaining
control of a computer system or allowing privilege escalation or a denial-of-service attack.

Vulnerability Attack
There is no such thing as the term Vulnerability Attack. However, a vulnerability is synonymous with a
weakness; it could be bad quality of software, a weakness within your physical security, or a weakness in
your policies and procedures. An attacker will take advantage of a weakness and usually use an exploit to
gain access to your systems without proper authorization or privilege.

Software Crack
Software cracking is the modification of software to remove or disable features which are considered
undesirable by the person cracking the software, usually related to protection methods: copy protection,
trial/demo version, serial number, hardware key, date checks, CD check or software annoyances like nag
screens and adware.

A crack is the software tool used to remove the need to insert a serial number or activation key.

The following reference(s) were/was used to create this question:


2011, Ethical Hacking and Countermeasures, EC-Council Official Curriculum, Book 1, Page 9
https://en.wikipedia.org/wiki/Zero_day_attack
https://en.wikipedia.org/wiki/Exploit_%28computer_security%29
https://en.wikipedia.org/wiki/Software_cracking

QUESTION 227
Data which is properly secured and can be described with terms like genuine or not corrupted from the
original refers to data that has a high level of what?

A. Authenticity
B. Authorization
C. Availability
D. Non-Repudiation

Correct Answer: A
Explanation

Explanation/Reference:
Authenticity refers to the characteristic of a communication, document or any data that ensures the quality
of being genuine or not corrupted from the original.

The following answers are incorrect:


Authorization is wrong because this refers to a user's ability to access data based upon a set of credentials.
Availability is wrong because this refers to whether the systems that deliver data are accessible when and
where required by users.
Non-Repudiation is wrong because this is where a user cannot deny their actions on data they processed.
Classic example is a legal document you signed either manually with a pen or digitally with a signing
certificate. If it is signed then you cannot proclaim you did not send the document or do a transaction.

The following reference(s) were/was used to create this question:


2011 EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, Volume 1, Module 1,
Page. 11

QUESTION 228
Which of the following is most appropriate to notify an internal user that session monitoring is being
conducted?

A. Logon Banners
B. Wall poster
C. Employee Handbook
D. Written agreement

Correct Answer: D
Explanation

Explanation/Reference:
This is a tricky question; the keyword in the question is Internal users. There are two possible answers
based on how the question is presented: this question could either apply to internal users or to ANY
anonymous/external users. Internal users should always have a written agreement first; then logon
banners serve as a constant reminder.
Banners at the log-on time should be used to notify external users of any monitoring that is being
conducted. A good banner will give you a better legal stand and also makes it obvious the user was
warned about who should access the system, who is authorized and unauthorized, and if it is an
unauthorized user then he is fully aware of trespassing. Anonymous/External users, such as those logging
into a web site, ftp server or even a mail server; their only notification system is the use of a logon banner.

References used for this question:


KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 50
and
Shon Harris, CISSP All-in-one, 5th edition, pg 873

QUESTION 229
A Differential backup process will:

A. Backs up data labeled with archive bit 1 and leaves the data labeled as archive bit 1
B. Backs up data labeled with archive bit 1 and changes the data label to archive bit 0
C. Backs up data labeled with archive bit 0 and leaves the data labeled as archive bit 0
D. Backs up data labeled with archive bit 0 and changes the data label to archive bit 1

Correct Answer: A
Explanation

Explanation/Reference:
Archive bit 1 = On (the archive bit is set).
Archive bit 0 = Off (the archive bit is NOT set).
When the archive bit is set to ON, it indicates a file that has changed and needs to be backed up.
Differential backups back up all files changed since the last full backup. To do this, they don't change the
archive bit value when they back up a file. Instead the differential lets the full backup make that change. An
incremental only backs up data changed since the last incremental backup. Thus it does change the archive
bit from 1 (On) to 0 (Off).

The following answers are incorrect:


Backs up data labeled with archive bit 1 and changes the data label to archive bit 0 - This is the behavior of
an incremental backup, not a differential backup.
Backs up data labeled with archive bit 0 and leaves the data labeled as archive bit 0 - If the archive bit is set
to 0 (Off), it will only be backed up via a Full backup. Everything else will ignore it.
Backs up data labeled with archive bit 0 and changes the data label to archive bit 1 - If the archive bit is set
to 0 (Off), it will only be backed up via a Full backup. Everything else will ignore it.

The following reference(s) were/was used to create this question:


https://en.wikipedia.org/wiki/Archive_bit
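As an added example (not from the exam dump), a small simulation of how full, incremental and differential backups read and clear the archive bit as the explanation above describes; the file names and the sequence of edits are constructed, and the chain mixes differential and incremental runs only to show both behaviours side by side.

```python
"""Added example (not from the exam dump): simulate the archive-bit handling of
full, incremental and differential backups. Files and edits are constructed."""
from dataclasses import dataclass, field


@dataclass
class File:
    name: str
    archive_bit: bool = True   # 1 (On): changed since last backup, needs backing up


@dataclass
class Volume:
    files: dict = field(default_factory=dict)

    def write(self, name: str) -> None:
        """Creating or modifying a file sets its archive bit to 1 (On)."""
        self.files.setdefault(name, File(name)).archive_bit = True


def full_backup(vol: Volume) -> list:
    """Copy every file regardless of the bit, then clear all bits to 0 (Off)."""
    copied = sorted(vol.files)
    for f in vol.files.values():
        f.archive_bit = False
    return copied


def incremental_backup(vol: Volume) -> list:
    """Copy files with bit 1 and clear the bit, so the next incremental only
    sees changes made after this run."""
    copied = sorted(n for n, f in vol.files.items() if f.archive_bit)
    for n in copied:
        vol.files[n].archive_bit = False
    return copied


def differential_backup(vol: Volume) -> list:
    """Copy files with bit 1 but leave the bit set (answer A above), so each
    differential captures everything changed since the last full backup."""
    return sorted(n for n, f in vol.files.items() if f.archive_bit)


def run_week() -> dict:
    """Constructed scenario: a full backup, then edits interleaved with two
    differentials and two incrementals, recording what each run copies."""
    vol = Volume()
    for name in ("a.doc", "b.xls", "c.txt"):
        vol.write(name)
    out = {"full": full_backup(vol)}          # all three, bits cleared
    vol.write("a.doc")
    out["diff1"] = differential_backup(vol)   # a.doc; bit stays set
    vol.write("b.xls")
    out["diff2"] = differential_backup(vol)   # a.doc again plus b.xls
    out["inc1"] = incremental_backup(vol)     # both, and now their bits clear
    vol.write("c.txt")
    out["inc2"] = incremental_backup(vol)     # only c.txt
    return out


if __name__ == "__main__":
    for run, copied in run_week().items():
        print(f"{run:6s} copied {copied}")
```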

QUESTION 230
When considering all the reasons that buffer overflow vulnerabilities exist what is the real reason?

A. Human error
B. The Windows Operating system
C. Insecure programming languages
D. Insecure Transport Protocols

Correct Answer: A
Explanation

Explanation/Reference:
Discussion: Since computer program code is written by humans, and there are proper and improper ways
of writing software code, it is clear that human errors create the conditions for buffer overflows to exist.
Unfortunately, however secure an operating system is, it becomes insecure when people install insecure
code that can host buffer overflow attacks, so it is human error that really causes these vulnerabilities.

Mitigation: The best mitigation against buffer overflow attacks is to:

- Be sure you keep your software updated with any patches released by the vendors.
- Have sensible configurations for your software (e.g., lock it down).
- Control access to your sensitive systems with network traffic normalizing systems like a filtering firewall or
other devices that drop inappropriate network packets.
- If you don't need the software or service on a system, remove it. If it is useless it can only be a threat.

The following answers are incorrect:


The Windows Operating system: This isn't the intended answer.
Insecure programming languages: This isn't correct. Modern programming languages are capable of being
used securely. It's only when humans make mistakes that any programming language becomes a threat.
Insecure Transport Protocols: This is partially correct. If you send logon IDs and passwords over the
network in clear text, no programming language will protect you from sniffers.

The following reference(s) were/was used to create this question:
2011 EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v71, Module 17, Page 806

QUESTION 231
Layer 2 of the OSI model has two sublayers. What are those sublayers, and what are two IEEE standards
that describe technologies at that layer?

A. LCL and MAC; IEEE 802.2 and 802.3
B. LCL and MAC; IEEE 802.1 and 802.3
C. Network and MAC; IEEE 802.1 and 802.3

Correct Answer: A
Explanation

Explanation/Reference:
The data link layer, or Layer 2, of the OSI model is responsible for adding a header and a trailer to a
packet to prepare the packet for the local area network or wide area network technology binary format for
proper line transmission.
Layer 2 is divided into two functional sublayers.

The upper sublayer is the Logical Link Control (LLC) and is defined in the IEEE 802.2 specification. It
communicates with the network layer, which is immediately above the data link layer.
Below the LLC is the Media Access Control (MAC) sublayer, which specifies the interface with the protocol
requirements of the physical layer.

Thus, the specification for this layer depends on the technology of the physical layer. The IEEE MAC
specification for Ethernet is 802.3, Token Ring is 802.5, wireless LAN is 802.11, and so on. When you see a
reference to an IEEE standard, such as 802.11 or 802.16, it refers to the protocol working at the MAC
sublayer of the data link layer of the protocol stack.

The following answers are incorrect:


LCL and MAC; IEEE 802.2 and 802.3 is incorrect because LCL is a distracter. The correct acronym for the
upper sublayer of the data link layer is LLC. It stands for the Logical Link Control. By providing multiplexing
and flow control mechanisms, the LLC enables the coexistence of network protocols within a multipoint
network and their transportation over the same network media.
LCL and MAC; IEEE 802.1 and 802.3 is incorrect because LCL is a distracter. The sublayers of the data link
layer are the Logical Link Control (LLC) and the Media Access Control (MAC). Furthermore, the LLC is
defined in the IEEE 802.2 specification, not 802.1. The IEEE 802.1 specifications are concerned with protocol
layers above the MAC and LLC layers. They address LAN/MAN architecture, network management,
internetworking between LANs and WANs, and link security, etc.
Network and MAC; IEEE 802.1 and 802.3 is incorrect because network is not a sublayer of the data link
layer. The sublayers of the data link layer are the Logical Link Control (LLC) and the Media Access Control
(MAC). The LLC sits between the network layer (the layer immediately above the data link layer) and the
MAC sublayer. Also, the LLC is defined in the IEEE 802.2 specification, not IEEE 802.1. As just explained,
802.1 standards address areas of LAN/MAN architecture, network management, internetworking between
LANs and WANs, and link security. The IEEE 802.1 group's four active task groups are Internetworking,
Security, Audio/Video Bridging, and Data Center Bridging.

The following reference(s) were/was used to create this question:


http://en.wikipedia.org/wiki/OSI_model
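As an added example (not from the exam dump), a Layer 2 header parser that applies the length-versus-EtherType rule to tell an Ethernet II frame apart from an IEEE 802.3 frame carrying the IEEE 802.2 LLC header, i.e. the two sublayers described above; both sample frames are constructed by hand.

```python
"""Added example (not from the exam dump): parse the MAC sublayer header of an
Ethernet frame and, for IEEE 802.3 frames, the IEEE 802.2 LLC header above it.
The two sample frames below are constructed for the demonstration."""
import struct

ETHERTYPE_MIN = 0x0600    # 1536 and above: the field is an EtherType (Ethernet II)
MAX_8023_LENGTH = 1500    # 1500 and below: the field is an IEEE 802.3 length


def mac_str(raw: bytes) -> str:
    """Render six MAC-address bytes as colon-separated hex."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_l2(frame: bytes) -> dict:
    """Return the MAC sublayer fields plus, for 802.3 frames, the 802.2 LLC
    fields (DSAP, SSAP, Control) that sit between MAC and the network layer."""
    if len(frame) < 14:
        raise ValueError("truncated MAC header")
    dst, src, type_or_len = struct.unpack("!6s6sH", frame[:14])
    hdr = {"dst": mac_str(dst), "src": mac_str(src)}
    if type_or_len >= ETHERTYPE_MIN:
        # Ethernet II (DIX): the upper-layer protocol is named directly.
        hdr["encap"] = "Ethernet II"
        hdr["ethertype"] = type_or_len
        hdr["payload"] = frame[14:]
    elif type_or_len <= MAX_8023_LENGTH:
        # IEEE 802.3: the field is a length and an 802.2 LLC header follows.
        if len(frame) < 17:
            raise ValueError("truncated LLC header")
        hdr["encap"] = "IEEE 802.3 + 802.2 LLC"
        hdr["length"] = type_or_len
        hdr["dsap"], hdr["ssap"], hdr["control"] = frame[14], frame[15], frame[16]
        hdr["payload"] = frame[17:14 + type_or_len]   # LLC bytes count toward length
    else:
        # 1501..1535 is defined by neither standard; reject rather than guess.
        raise ValueError(f"ambiguous type/length value {type_or_len:#06x}")
    return hdr


# Constructed sample 1: broadcast Ethernet II frame, EtherType 0x0800 (IPv4),
# with a dummy 20-byte payload.
IPV4_FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
              + struct.pack("!H", 0x0800) + bytes(20))

# Constructed sample 2: 802.3 frame to the bridge-group address carrying an
# 802.2 LLC header (DSAP/SSAP 0x42, Control 0x03 = Unnumbered Information)
# and a dummy 5-byte payload, so the 802.3 length field is 3 + 5 = 8.
LLC_FRAME = (bytes.fromhex("0180c2000000") + bytes.fromhex("001122334455")
             + struct.pack("!H", 8) + bytes([0x42, 0x42, 0x03]) + bytes(5))


if __name__ == "__main__":
    for frame in (IPV4_FRAME, LLC_FRAME):
        print(parse_l2(frame))
```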

QUESTION 232
Which of the following is NOT part of user provisioning?

A. Creation and deactivation of user accounts
B. Business process implementation
C. Maintenance and deactivation of user objects and attributes
D. Delegating user administration

Correct Answer: B
Explanation

Explanation/Reference:
User provisioning refers to the creation, maintenance, and deactivation of user objects and attributes as
they exist in one or more systems, directories, or applications, in response to business processes.
User provisioning software may include one or more of the following components: change propagation,
self-service workflow, consolidated user administration, delegated user administration, and federated
change control.
User objects may represent employees, contractors, vendors, partners, customers, or other recipients of a
service.
Services may include electronic mail, access to a database, access to a file server or mainframe, and so
on.

The following answers are all incorrect answers:


Creation and deactivation of user accounts
Maintenance and deactivation of user objects and attributes
Delegating user administration

The following reference(s) were/was used to create this question:


Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 179). McGraw-Hill .
Kindle Edition.

QUESTION 233
Which of the following answers best describes the type of penetration testing where the analyst has full
knowledge of the network on which he is going to perform his test?

A. White-Box Penetration Testing
B. Black-Box Pen Testing
C. Penetration Testing
D. Gray-Box Pen Testing

Correct Answer: A
Explanation

Explanation/Reference:
In general there are three ways a pen tester can test a target system.
- White-Box: The tester has full access and is testing from inside the system.
- Gray-Box: The tester has some knowledge of the system he's testing.
- Black-Box: The tester has no knowledge of the system.
Each of these forms of testing has different benefits and can test different aspects of the system from
different approaches.

The following answers are incorrect:


- Black-Box Pen Testing: This is where no prior knowledge is given about the target network. Only a
domain name or business name may be given to the analyst.
- Penetration Testing: This is half correct but more specifically it is white-box testing because the tester has
full access.
- Gray-Box Pen Testing: This answer is not right because Gray-Box testing you are given a little
information about the target network.

The following reference(s) was used to create this question:


2013 Official Security+ Curriculum.
and
tester is provided no information about the target's network or environment. The tester is simply left to his
abilities
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2
Press) (Kindle Locations 4742-4743). Auerbach Publications. Kindle Edition.

QUESTION 234
Which access control method allows the data owner (the person who created the file) to control access to
the information they own?

A. DAC - Discretionary Access Control
B. MAC - Mandatory Access Control
C. RBAC - Role-Based Access Control
D. NDAC - Non-Discretionary Access Control

Correct Answer: A
Explanation

Explanation/Reference:
DAC - Discretionary Access Control is where the user controls access to the data they create or manage.

It is the least secure method of access control because of a few factors:


- Employee changeover can lead to confusion of data ownership or abandoned data.
- Employees are not traditionally experienced enough to manage data permissions and maintain them in a
reliable fashion.
- People in general are the least reliable component of any organization

The following answers are incorrect:


- MAC - Mandatory Access Control: This is incorrect because in the MAC model of access control, labels
are used to identify the level of sensitivity of the data. If the user does not have privileges to such data he
or she is denied access.
- RBAC - Role-Based Access Control: Sorry, RBAC is Role-Based Access Control where the users' Role
determines the access level to data they are given.
- NDAC - Non-Discretionary Access Control: Sorry, this isn't a common term associated with access
control methodologies.
The following reference(s) was used to create this question:
2013 Official Security+ Curriculum.

QUESTION 235
Suppose you are a domain administrator and are choosing an employee to carry out backups. Which
access control method do you think would be best for this scenario?

A. RBAC - Role-Based Access Control
B. MAC - Mandatory Access Control
C. DAC - Discretionary Access Control
D. RBAC - Rule-Based Access Control

Correct Answer: A
Explanation

Explanation/Reference:
RBAC - Role-Based Access Control permissions would fit best for a backup job for the employee because
the permissions correlate tightly with permissions granted to a backup operator.
A role-based access control (RBAC) model bases the access control authorizations on the roles (or
functions) that the user is assigned within an organization. The determination of what roles have access to
a resource can be governed by the owner of the data, as with DAC, or applied based on policy, as with
MAC. Access control decisions are based on job function, previously defined and governed by policy, and
each role (job function) will have its own access capabilities. Objects associated with a role will inherit
privileges assigned to that role. This is also true for groups of users, allowing administrators to simplify
access control strategies by assigning users to groups and groups to roles.
Specifically, in the Microsoft Windows world there is a security group called "Backup Operators" in which
you can place the users to carry out the duties. This way you could assign the backup privilege without the
need to grant the Restore privilege. This would prevent errors or a malicious person from overwriting the
current data with an old copy for example.

The following answers are incorrect:

- MAC - Mandatory Access Control: This isn't the right answer. The role of Backup administrator fits
perfectly with the access control Role-Based access control.
- DAC - Discretionary Access Control: This isn't the correct answer because DAC relies on data owner/
creators to determine who has access to information.
- RBAC - Rule-Based Access Control: If you got this wrong it may be because you didn't read past the
RBAC part. Be very careful to read the entire question and answers before proceeding.

The following reference(s) was used to create this question:


2013 Official Security+ Curriculum.
and
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2
Press) (Kindle Locations 1936-1943). Auerbach Publications. Kindle Edition.
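As an added example (not from the exam dump) covering both the DAC question and the backup-operator question above: a small role-based model in which permissions attach to roles and a separation-of-duties rule keeps one user from holding backup and restore together, with an owner-based (DAC) check beside it for contrast. The "Backup Operators" group name comes from the text; the other roles, users, files and permission names are constructed.

```python
"""Added example (not from the exam dump): RBAC for the backup-operator
scenario, with a DAC owner check for contrast. "Backup Operators" is named in
the text; every other role, user, file and permission here is constructed."""

# RBAC: permissions attach to roles, and users get roles by job function.
ROLE_PERMISSIONS = {
    "Backup Operators": {"backup"},            # copy data out, never write it back
    "Restore Operators": {"restore"},          # constructed role for the contrast
    "Domain Admins": {"backup", "restore", "manage_roles"},
}
USER_ROLES = {"bob": {"Backup Operators"}, "dana": {"Domain Admins"}}

# Static separation of duties: role sets one user must never hold together, so
# a single backup operator cannot overwrite live data with an old copy.
EXCLUSIVE_ROLE_SETS = [{"Backup Operators", "Restore Operators"}]


def rbac_allowed(user: str, action: str) -> bool:
    """Allowed when any role the user holds carries the permission."""
    roles = USER_ROLES.get(user, set())
    return any(action in ROLE_PERMISSIONS.get(r, set()) for r in roles)


def assign_role(admin: str, user: str, role: str) -> bool:
    """Policy-driven assignment: only a role manager may assign, the role must
    exist, and the result must not violate an exclusive role set."""
    if not rbac_allowed(admin, "manage_roles") or role not in ROLE_PERMISSIONS:
        return False
    held = USER_ROLES.setdefault(user, set())
    for exclusive in EXCLUSIVE_ROLE_SETS:
        if role in exclusive and held & (exclusive - {role}):
            return False
    held.add(role)
    return True


# DAC for contrast: the object's owner, not organisational policy, decides.
FILE_ACL = {"payroll.xlsx": {"owner": "erin", "read": {"erin"}, "write": {"erin"}}}


def dac_allowed(user: str, filename: str, action: str) -> bool:
    """The owner always has access; others need an explicit ACL entry."""
    acl = FILE_ACL[filename]
    return user == acl["owner"] or user in acl.get(action, set())


def dac_grant(grantor: str, filename: str, grantee: str, action: str) -> bool:
    """Any owner can hand out access at their own discretion, which is why DAC
    rests on the owner's judgement rather than on policy (the weakness above)."""
    acl = FILE_ACL[filename]
    if grantor != acl["owner"]:
        return False
    acl.setdefault(action, set()).add(grantee)
    return True


if __name__ == "__main__":
    print("bob backup:", rbac_allowed("bob", "backup"))      # True
    print("bob restore:", rbac_allowed("bob", "restore"))    # False
    print("SoD blocks:", not assign_role("dana", "bob", "Restore Operators"))
```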

QUESTION 236
Of the seven types of Access Control Categories, which is described as such?

Designed to specify rules of acceptable behavior in the organization. Example: Policy stating that
employees may not spend time on social media websites

A. Directive Access Control
B. Deterrent Access Control
C. Preventive Access Control
D. Detective Access Control

Correct Answer: A
Explanation

Explanation/Reference:
There are seven access control categories. Below you have the Access Control Types and Categories.

Access Control Types:
- Administrative
  - Policies, data classification and labeling, and security awareness training
- Technical
  - Hardware - MAC filtering or perimeter devices like
  - Software controls like account logons and encryption, file permissions
- Physical
  - Guards, fences and locks

Access Control Categories:
- Directive: specify rules of acceptable behavior
  - Example: Policy stating users may not use Facebook
- Deterrent: designed to discourage people from violating security directives
  - Example: Logon banner reminding users about being subject to monitoring
- Preventive: implemented to prevent a security incident or information breach
  - Example: A fence or file permissions
- Detective: used to mitigate the loss
  - Example: Logging, IDS with a firewall
- Compensating: to substitute for the loss of a primary control or add additional mitigation
  - Example: Logging, IDS inline with firewall
- Corrective: to remedy circumstances, mitigate damage or restore control
  - Example: Fire extinguisher, firing an employee
- Recovery: to restore conditions to normal after a security incident
  - Example: Restore files from backup

All these are designed to shape employee behavior to better maintain an environment that supports the
business objectives and protects corporate assets.
The following answers are incorrect:
- Deterrent Access Control: This is not right because a deterrent access control discourages people from
violating security directives.
- Preventive Access Control: This is incorrect because a preventive access control category is used to
simply stop or block unwanted behavior. Users don't have a choice about whether to violate the behavior
rules.
- Detective Access Control: Sorry, this isn't an access control category.

The following reference(s) was used to create this question:


2013 Official Security+ Curriculum.
and
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2
Press) (Kindle Location 1162). Auerbach Publications. Kindle Edition.

QUESTION 237
Which of the following is NOT a disadvantage of Single Sign On (SSO)?

A. Support for all major operating system environments is difficult
B. The cost associated with SSO development can be significant
C. SSO could be a single point of failure and total compromise of an organization asset
D. SSO improves an administrator's ability to manage user's account and authorization to all associated
system

Correct Answer: D
Explanation

Explanation/Reference:
Single sign-on (SSO) is a session/user authentication process that permits a user to enter one name and
password in order to access multiple applications. The process authenticates the user for all the
applications they have been given rights to and eliminates further prompts when they switch applications
during a particular session.
SSO Advantages include
- Multiple passwords are no longer required
- It improves an administrator's ability to manage user's accounts and authorization to all associated
systems
- It reduces administrative overhead in resetting forgotten password over multiple platforms and
applications
- It reduces time taken by users to logon into multiple application and platform

SSO Disadvantages include

- Support for all major operating systems is difficult
- The cost associated with SSO development can be significant when considering the nature and extent of
interface development and maintenance that may be necessary
- The centralized nature of SSO presents the possibility of a single point of failure and total compromise of
an organization's information asset.

The following reference(s) were/was used to create this question:


CISA review manual 2014 Page number 332

QUESTION 238
You are a manager for a large international bank and periodically move employees between positions in
your department. What is this process called?

A. Job Rotation
B. Separation of Duties
C. Mandatory Rotations
D. Dual Control

Correct Answer: A
Explanation

Explanation/Reference:
Discussion: If a single employee were permitted to stay in one critical position for an extended period of
time without close oversight he or she could carry out fraud undetected. For this reason it is important to
rotate employees between jobs. Another good reason is to get employees experienced on their colleagues'
jobs. This way, if an employee were for some reason unavailable to work, their position could be covered.

The following answers are incorrect:


Separation of Duties: This is similar to Job Rotation because critical functions are divided up between
employees to avoid and detect fraud. It is incorrect because with Job Rotation, people move between
positions to detect fraud or even get better at each position to provide some resiliency for the organization.
Separation of Duties is more a preventative measure.
Mandatory Rotations: This is incorrect because of the terminology. There are terms called Mandatory
Vacations and Job Rotation but not mandatory rotations. Be familiar with these terms before trying to pass
the exam.
Dual Control: This term describes how a manager would require employees to work together (two or more)
on critical actions so that no single employee can cause catastrophic damage. This isn't the correct answer
but it is very similar to Job Rotation where an employee rotates between job duties. Dual Control requires
employees to work together on critical tasks in hopes of limiting collusion to commit fraud.

The following reference(s) was used to create this question:


Gregg, Michael; Haines, Billy (2012-02-16). CASP: CompTIA Advanced Security Practitioner Study Guide
Authorized Courseware: Exam CAS-001 (p. 245). Wiley. Kindle Edition.

QUESTION 239
Which of the following control is intended to discourage a potential attacker?

A. Deterrent
B. Preventive
C. Corrective
D. Recovery
Correct Answer: A
Explanation

Explanation/Reference:
Deterrent controls are intended to discourage a potential attacker. For your exam you should know the
information below about different security controls.

Deterrent Controls
Deterrent Controls are intended to discourage a potential attacker. Access controls act as a deterrent to
threats and attacks by the simple fact that the existence of the control is enough to keep some potential
attackers from attempting to circumvent the control. This is often because the effort required to circumvent
the control is far greater than the potential reward if the attacker is successful, or, conversely, the negative
implications of a failed attack (or getting caught) outweigh the benefits of success. For example, by forcing
the identification and authentication of a user, service, or application, and all that it implies, the potential for
incidents associated with the system is significantly reduced because an attacker will fear association with
the incident. If there are no controls for a given access path, the number of incidents and the potential
impact become infinite. Controls inherently reduce exposure to risk by applying oversight for a process.
This oversight acts as a deterrent, curbing an attacker's appetite in the face of probable repercussions.
The best example of a deterrent control is demonstrated by employees and their propensity to intentionally
perform unauthorized functions, leading to unwanted events. When users begin to understand that by
authenticating into a system to perform a function, their activities are logged and monitored, and it reduces
the likelihood they will attempt such an action. Many threats are based on the anonymity of the threat
agent, and any potential for identification and association with their actions is avoided at all costs. It is this
fundamental reason why access controls are the key target of circumvention by attackers. Deterrents also
take the form of potential punishment if users do something unauthorized. For example, if the organization
policy specifies that an employee installing an unauthorized wireless access point will be fired, that will
deter most employees from installing wireless access points.

Preventative Controls
Preventive controls are intended to avoid an incident from occurring. Preventative access controls keep a
user from performing some activity or function. Preventative controls differ from deterrent controls in that
the control is not optional and cannot (easily) be bypassed. Deterrent controls work on the theory that it is
easier to obey the control rather than to risk the consequences of bypassing the control. In other words,
the power for action resides with the user (or the attacker). Preventative controls place the power of action
with the system, obeying the control is not optional. The only way to bypass the control is to find a flaw in
the control's implementation.

Compensating Controls
Compensating controls are introduced when the existing capabilities of a system do not support the
requirement of a policy. Compensating controls can be technical, procedural, or managerial. Although an
existing system may not support the required controls, there may exist other technology or processes that
can supplement the existing environment, closing the gap in controls, meeting policy requirements, and
reducing overall risk. For example, the access control policy may state that the authentication process
must be encrypted when performed over the Internet. Adjusting an application to natively support
encryption for authentication purposes may be too costly. Secure Sockets Layer (SSL), an encryption
protocol, can be employed and layered on top of the authentication process to support the policy
statement.
Other examples include a separation of duties environment, which offers the capability to isolate certain
tasks to compensate for technical limitations in the system and ensure the security of transactions. In
addition, management processes, such as authorization, supervision, and administration, can be used to
compensate for gaps in the access control environment.

Detective Controls
Detective controls warn when something has happened, and are the earliest point in the post-incident
timeline. Access controls are a deterrent to threats and can be aggressively utilized to prevent harmful
incidents through the application of least privilege. However, the detective nature of access controls can
provide significant visibility into the access environment and help organizations manage their access
strategy and related security risk. As mentioned previously, strongly managed access privileges provided
to an authenticated user offer the ability to reduce the risk exposure of the enterprise's assets by limiting
the capabilities that authenticated user has. However, there are few options to control what a user can
perform once privileges are provided. For example, if a user is provided write access to a file and that file is
damaged, altered, or otherwise negatively impacted (either deliberately or unintentionally), the use of
applied access controls will offer visibility into the transaction. The control environment can be established
to log activity regarding the identification, authentication, authorization, and use of privileges on a system.
This can be used to detect the occurrence of errors, the attempts to perform an unauthorized action, or to
validate when provided credentials were exercised. The logging system as a detective device provides
evidence of actions (both successful and unsuccessful) and tasks that were executed by authorized users.

Corrective Controls
When a security incident occurs, elements within the security infrastructure may require corrective actions.
Corrective controls are actions that seek to alter the security posture of an environment to correct any
deficiencies and return the environment to a secure state. A security incident signals the failure of one or
more directive, deterrent, preventative, or compensating controls. The detective controls may have
triggered an alarm or notification, but now the corrective controls must work to stop the incident in its
tracks. Corrective controls can take many forms, all depending on the particular situation at hand or the
particular security failure that needs to be dealt with.

Recovery Controls
Any changes to the access control environment, whether in the face of a security incident or to offer
temporary compensating controls, need to be accurately reinstated and returned to normal operations.
There are several situations that may affect access controls, their applicability, status, or management.
Events can include system outages, attacks, project changes, technical demands, administrative gaps,
and full-blown disaster situations. For example, if an application is not correctly installed or deployed, it
may adversely affect controls placed on system files or even have default administrative accounts
unknowingly implemented upon install. Additionally, an employee may be transferred, quit, or be on
temporary leave that may affect policy requirements regarding separation of duties. An attack on systems
may have resulted in the implantation of a Trojan horse program, potentially exposing private user
information, such as credit card information and financial data. In all of these cases, an undesirable
situation must be rectified as quickly as possible and controls returned to normal operations.

The following answers are incorrect:

Preventive - Preventive controls are intended to avoid an incident from occurring

Corrective - Corrective control fixes components or systems after an incident has occurred

Recovery - Recovery controls are intended to bring the environment back to regular operations

The following reference(s) were/was used to create this question:

CISA Review Manual 2014 Page number 44
and
Official ISC2 CISSP guide 3rd edition Page number 50 and 51

QUESTION 240
Which of the following security control is intended to avoid an incident from occurring?

A. Deterrent
B. Preventive
C. Corrective
D. Recovery

Correct Answer: B
Explanation

Explanation/Reference:
Preventive controls are intended to avoid an incident from occurring. For your exam you should know the
following information about different security controls.

Deterrent Controls
Deterrent Controls are intended to discourage a potential attacker. Access controls act as a deterrent to
threats and attacks by the simple fact that the existence of the control is enough to keep some potential
attackers from attempting to circumvent the control. This is often because the effort required to circumvent
the control is far greater than the potential reward if the attacker is successful, or, conversely, the negative
implications of a failed attack (or getting caught) outweigh the benefits of success. For example, by forcing
the identification and authentication of a user, service, or application, and all that it implies, the potential for
incidents associated with the system is significantly reduced because an attacker will fear association with
the incident. If there are no controls for a given access path, the number of incidents and the potential
impact become infinite. Controls inherently reduce exposure to risk by applying oversight for a process.
This oversight acts as a deterrent, curbing an attacker's appetite in the face of probable repercussions.
The best example of a deterrent control is demonstrated by employees and their propensity to intentionally
perform unauthorized functions, leading to unwanted events. When users begin to understand that by
authenticating into a system to perform a function, their activities are logged and monitored, and it reduces
the likelihood they will attempt such an action. Many threats are based on the anonymity of the threat
agent, and any potential for identification and association with their actions is avoided at all costs. It is this
fundamental reason why access controls are the key target of circumvention by attackers. Deterrents also
take the form of potential punishment if users do something unauthorized. For example, if the organization
policy specifies that an employee installing an unauthorized wireless access point will be fired, that will
deter most employees from installing wireless access points.

Preventative Controls
Preventive controls are intended to avoid an incident from occurring. Preventative access controls keep a
user from performing some activity or function. Preventative controls differ from deterrent controls in that
the control is not optional and cannot (easily) be bypassed. Deterrent controls work on the theory that it is
easier to obey the control rather than to risk the consequences of bypassing the control. In other words,
the power for action resides with the user (or the attacker). Preventative controls place the power of action
with the system, obeying the control is not optional. The only way to bypass the control is to find a flaw in
the control's implementation.

Compensating Controls
Compensating controls are introduced when the existing capabilities of a system do not support the
requirement of a policy. Compensating controls can be technical, procedural, or managerial. Although an
existing system may not support the required controls, there may exist other technology or processes that
can supplement the existing environment, closing the gap in controls, meeting policy requirements, and
reducing overall risk. For example, the access control policy may state that the authentication process
must be encrypted when performed over the Internet. Adjusting an application to natively support
encryption for authentication purposes may be too costly. Secure Sockets Layer (SSL), an encryption
protocol, can be employed and layered on top of the authentication process to support the policy
statement.
Other examples include a separation of duties environment, which offers the capability to isolate certain
tasks to compensate for technical limitations in the system and ensure the security of transactions. In
addition, management processes, such as authorization, supervision, and administration, can be used to
compensate for gaps in the access control environment.

Detective Controls
Detective controls warn when something has happened, and are the earliest point in the post-incident
timeline. Access controls are a deterrent to threats and can be aggressively utilized to prevent harmful
incidents through the application of least privilege. However, the detective nature of access controls can
provide significant visibility into the access environment and help organizations manage their access
strategy and related security risk. As mentioned previously, strongly managed access privileges provided
to an authenticated user offer the ability to reduce the risk exposure of the enterprise's assets by limiting
the capabilities that authenticated user has. However, there are few options to control what a user can
perform once privileges are provided. For example, if a user is provided write access to a file and that file is
damaged, altered, or otherwise negatively impacted (either deliberately or unintentionally), the use of
applied access controls will offer visibility into the transaction. The control environment can be established
to log activity regarding the identification, authentication, authorization, and use of privileges on a system.
This can be used to detect the occurrence of errors, the attempts to perform an unauthorized action, or to
validate when provided credentials were exercised. The logging system as a detective device provides
evidence of actions (both successful and unsuccessful) and tasks that were executed by authorized users.

Corrective Controls
When a security incident occurs, elements within the security infrastructure may require corrective actions.
Corrective controls are actions that seek to alter the security posture of an environment to correct any
deficiencies and return the environment to a secure state. A security incident signals the failure of one or
more directive, deterrent, preventative, or compensating controls. The detective controls may have
triggered an alarm or notification, but now the corrective controls must work to stop the incident in its
tracks. Corrective controls can take many forms, all depending on the particular situation at hand or the
particular security failure that needs to be dealt with.

Recovery Controls
Any changes to the access control environment, whether in the face of a security incident or to offer
temporary compensating controls, need to be accurately reinstated and returned to normal operations.
There are several situations that may affect access controls, their applicability, status, or management.
Events can include system outages, attacks, project changes, technical demands, administrative gaps,
and full-blown disaster situations. For example, if an application is not correctly installed or deployed, it
may adversely affect controls placed on system files or even have default administrative accounts
unknowingly implemented upon install. Additionally, an employee may be transferred, quit, or be on
temporary leave that may affect policy requirements regarding separation of duties. An attack on systems
may have resulted in the implantation of a Trojan horse program, potentially exposing private user
information, such as credit card information and financial data. In all of these cases, an undesirable
situation must be rectified as quickly as possible and controls returned to normal operations.

The following answers are incorrect:

Deterrent - Deterrent controls are intended to discourage a potential attacker

Corrective - Corrective control fixes components or systems after an incident has occurred

Recovery - Recovery controls are intended to bring the environment back to regular operations

The following reference(s) were/was used to create this question:

CISA Review Manual 2014 Page number 44
and
Official ISC2 CISSP guide 3rd edition Page number 50 and 51

QUESTION 241
Which of the following control helps to identify an incident's activities and potentially an intruder?

A. Deterrent
B. Preventive
C. Detective
D. Compensating

Correct Answer: C
Explanation

Explanation/Reference:
A detective control helps identify an incident's activities and potentially an intruder. For your exam you
should know the following information about different security controls.

Deterrent Controls
Deterrent Controls are intended to discourage a potential attacker. Access controls act as a deterrent to
threats and attacks by the simple fact that the existence of the control is enough to keep some potential
attackers from attempting to circumvent the control. This is often because the effort required to circumvent
the control is far greater than the potential reward if the attacker is successful, or, conversely, the negative
implications of a failed attack (or getting caught) outweigh the benefits of success. For example, by forcing
the identification and authentication of a user, service, or application, and all that it implies, the potential for
incidents associated with the system is significantly reduced because an attacker will fear association with
the incident. If there are no controls for a given access path, the number of incidents and the potential
impact become infinite. Controls inherently reduce exposure to risk by applying oversight for a process.
This oversight acts as a deterrent, curbing an attacker's appetite in the face of probable repercussions.
The best example of a deterrent control is demonstrated by employees and their propensity to intentionally
perform unauthorized functions, leading to unwanted events. When users begin to understand that by
authenticating into a system to perform a function, their activities are logged and monitored, and it reduces
the likelihood they will attempt such an action. Many threats are based on the anonymity of the threat
agent, and any potential for identification and association with their actions is avoided at all costs. It is this
fundamental reason why access controls are the key target of circumvention by attackers. Deterrents also
take the form of potential punishment if users do something unauthorized. For example, if the organization
policy specifies that an employee installing an unauthorized wireless access point will be fired, that will
deter most employees from installing wireless access points.

Preventative Controls
Preventive controls are intended to avoid an incident from occurring. Preventative access controls keep a
user from performing some activity or function. Preventative controls differ from deterrent controls in that
the control is not optional and cannot (easily) be bypassed. Deterrent controls work on the theory that it is
easier to obey the control rather than to risk the consequences of bypassing the control. In other words,
the power for action resides with the user (or the attacker). Preventative controls place the power of action
with the system, obeying the control is not optional. The only way to bypass the control is to find a flaw in
the control's implementation.

Compensating Controls
Compensating controls are introduced when the existing capabilities of a system do not support the
requirement of a policy. Compensating controls can be technical, procedural, or managerial. Although an
existing system may not support the required controls, there may exist other technology or processes that
can supplement the existing environment, closing the gap in controls, meeting policy requirements, and
reducing overall risk. For example, the access control policy may state that the authentication process
must be encrypted when performed over the Internet. Adjusting an application to natively support
encryption for authentication purposes may be too costly. Secure Sockets Layer (SSL), an encryption
protocol, can be employed and layered on top of the authentication process to support the policy
statement.
Other examples include a separation of duties environment, which offers the capability to isolate certain
tasks to compensate for technical limitations in the system and ensure the security of transactions. In
addition, management processes, such as authorization, supervision, and administration, can be used to
compensate for gaps in the access control environment.

Detective Controls
Detective controls warn when something has happened, and are the earliest point in the post-incident
timeline. Access controls are a deterrent to threats and can be aggressively utilized to prevent harmful
incidents through the application of least privilege. However, the detective nature of access controls can
provide significant visibility into the access environment and help organizations manage their access
strategy and related security risk. As mentioned previously, strongly managed access privileges provided
to an authenticated user offer the ability to reduce the risk exposure of the enterprise's assets by limiting
the capabilities that authenticated user has. However, there are few options to control what a user can
perform once privileges are provided. For example, if a user is provided write access to a file and that file is
damaged, altered, or otherwise negatively impacted (either deliberately or unintentionally), the use of
applied access controls will offer visibility into the transaction. The control environment can be established
to log activity regarding the identification, authentication, authorization, and use of privileges on a system.
This can be used to detect the occurrence of errors, the attempts to perform an unauthorized action, or to
validate when provided credentials were exercised. The logging system as a detective device provides
evidence of actions (both successful and unsuccessful) and tasks that were executed by authorized users.
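The logging described for detective controls, as an added example that is not from the question bank or the cited references: a small Python script parses a constructed audit trail (the record format is an assumption made here) and reports the three things the text says such a log is for, namely errors, attempts to perform an unauthorized action, and evidence of when supplied credentials were exercised, plus the per-file trail that gives visibility when a file has been altered.

```python
"""Detective control over an audit trail (added example; log format is assumed)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample audit trail. Assumed record format:
#   <timestamp> <user> <kind> <detail> <outcome>
# kind is AUTH (authentication), AUTHZ (authorization decision) or PRIV (privilege use);
# detail is the credential type for AUTH, otherwise action:resource.
SAMPLE_LOG = """\
2024-05-01T09:00:01 alice AUTH password SUCCESS
2024-05-01T09:00:05 alice AUTHZ read:/finance/ledger.xlsx ALLOW
2024-05-01T09:01:10 alice PRIV write:/finance/ledger.xlsx USED
2024-05-01T09:02:00 bob AUTH password FAIL
2024-05-01T09:02:04 bob AUTH password FAIL
2024-05-01T09:02:09 bob AUTH password FAIL
2024-05-01T09:02:15 bob AUTH password SUCCESS
2024-05-01T09:03:00 bob AUTHZ write:/finance/ledger.xlsx DENY
2024-05-01T09:03:30 bob AUTHZ read:/hr/salaries.csv DENY
2024-05-01T09:05:00 svc-backup AUTH apikey SUCCESS
2024-05-01T09:05:02 svc-backup PRIV read:/finance/ledger.xlsx ERROR
2024-05-01T09:06:00 carol AUTH password SUCCESS
"""

KINDS = {"AUTH", "AUTHZ", "PRIV"}


@dataclass(frozen=True)
class AuditEvent:
    ts: str
    user: str
    kind: str
    detail: str
    outcome: str

    def resource(self):
        """Resource part of an action:resource detail (None for AUTH records)."""
        return self.detail.split(":", 1)[1] if self.kind != "AUTH" else None


def parse_log(text):
    """Parse the assumed audit format, rejecting malformed records instead of skipping them."""
    events = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 5 or parts[2] not in KINDS:
            raise ValueError(f"line {n}: malformed audit record")
        events.append(AuditEvent(*parts))
    return events


def detect_unauthorized_attempts(events):
    """Authorization denials: attempts to perform an action the user is not permitted."""
    return [(e.ts, e.user, e.detail) for e in events
            if e.kind == "AUTHZ" and e.outcome == "DENY"]


def detect_auth_failure_bursts(events, threshold=3):
    """Users with `threshold` or more consecutive failed authentications (guessing, or a broken client)."""
    streak = defaultdict(int)
    flagged = {}
    for e in events:
        if e.kind != "AUTH":
            continue
        if e.outcome == "FAIL":
            streak[e.user] += 1
        else:
            if streak[e.user] >= threshold:
                flagged[e.user] = streak[e.user]
            streak[e.user] = 0
    # A user who fails repeatedly and never succeeds is still worth flagging.
    for user, count in streak.items():
        if count >= threshold:
            flagged[user] = count
    return flagged


def detect_errors(events):
    """Privilege exercises that errored: the 'occurrence of errors' the text mentions."""
    return [(e.ts, e.user, e.detail) for e in events if e.outcome == "ERROR"]


def credential_usage(events):
    """Evidence of when each identity's credentials were successfully exercised."""
    usage = defaultdict(list)
    for e in events:
        if e.kind == "AUTH" and e.outcome == "SUCCESS":
            usage[e.user].append((e.ts, e.detail))
    return dict(usage)


def privilege_trail(events, resource):
    """Every authorization decision and privilege use touching one resource, in order."""
    return [(e.ts, e.user, e.kind, e.detail, e.outcome) for e in events
            if e.kind in ("AUTHZ", "PRIV") and e.resource() == resource]


def detective_report(text):
    events = parse_log(text)
    return {
        "unauthorized_attempts": detect_unauthorized_attempts(events),
        "auth_failure_bursts": detect_auth_failure_bursts(events),
        "errors": detect_errors(events),
        "credential_usage": credential_usage(events),
    }


if __name__ == "__main__":
    for section, rows in detective_report(SAMPLE_LOG).items():
        print(section, rows)
    print("ledger trail", privilege_trail(parse_log(SAMPLE_LOG), "/finance/ledger.xlsx"))
```

Note that the log only gives visibility after the fact: bob's denied write still had to be prevented by the authorization check itself, which is the preventive control the detective one reports on.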

Corrective Controls
When a security incident occurs, elements within the security infrastructure may require corrective actions.
Corrective controls are actions that seek to alter the security posture of an environment to correct any
deficiencies and return the environment to a secure state. A security incident signals the failure of one or
more directive, deterrent, preventative, or compensating controls. The detective controls may have
triggered an alarm or notification, but now the corrective controls must work to stop the incident in its
tracks. Corrective controls can take many forms, all depending on the particular situation at hand or the
particular security failure that needs to be dealt with.

Recovery Controls
Any changes to the access control environment, whether in the face of a security incident or to offer
temporary compensating controls, need to be accurately reinstated and returned to normal operations.
There are several situations that may affect access controls, their applicability, status, or management.
Events can include system outages, attacks, project changes, technical demands, administrative gaps,
and full-blown disaster situations. For example, if an application is not correctly installed or deployed, it
may adversely affect controls placed on system files or even have default administrative accounts
unknowingly implemented upon install. Additionally, an employee may be transferred, quit, or be on
temporary leave that may affect policy requirements regarding separation of duties. An attack on systems
may have resulted in the implantation of a Trojan horse program, potentially exposing private user
information, such as credit card information and financial data. In all of these cases, an undesirable
situation must be rectified as quickly as possible and controls returned to normal operations.

The following answers are incorrect:

Deterrent - Deterrent controls are intended to discourage a potential attacker

Preventive - Preventive controls are intended to avoid an incident from occurring

Compensating - Compensating Controls provide an alternative measure of control

The following reference(s) were/was used to create this question:

CISA Review Manual 2014 Page number 44
and
Official ISC2 CISSP guide 3rd edition Page number 50 and 51

QUESTION 242
Which of the following is NOT an example of preventive control?

A. Physical access controls such as locks and doors
B. A user login screen which allows only authorized users to access the website
C. Encrypting the data so that only authorized users can view it
D. Duplicate checking of a calculation

Correct Answer: D
Explanation

Explanation/Reference:
The word NOT is used as a keyword in the question. You need to find the security control among the given
options which is not preventive. Duplicate checking of a calculation is a detective control, not a preventive
control.
For your exam you should know the following information about different security controls.

Deterrent Controls
Deterrent Controls are intended to discourage a potential attacker. Access controls act as a deterrent to
threats and attacks by the simple fact that the existence of the control is enough to keep some potential
attackers from attempting to circumvent the control. This is often because the effort required to circumvent
the control is far greater than the potential reward if the attacker is successful, or, conversely, the negative
implications of a failed attack (or getting caught) outweigh the benefits of success. For example, by forcing
the identification and authentication of a user, service, or application, and all that it implies, the potential for
incidents associated with the system is significantly reduced because an attacker will fear association with
the incident. If there are no controls for a given access path, the number of incidents and the potential
impact become infinite. Controls inherently reduce exposure to risk by applying oversight for a process.
This oversight acts as a deterrent, curbing an attacker's appetite in the face of probable repercussions.
The best example of a deterrent control is demonstrated by employees and their propensity to intentionally
perform unauthorized functions, leading to unwanted events. When users begin to understand that by
authenticating into a system to perform a function, their activities are logged and monitored, and it reduces
the likelihood they will attempt such an action. Many threats are based on the anonymity of the threat
agent, and any potential for identification and association with their actions is avoided at all costs. It is this
fundamental reason why access controls are the key target of circumvention by attackers. Deterrents also
take the form of potential punishment if users do something unauthorized. For example, if the organization
policy specifies that an employee installing an unauthorized wireless access point will be fired, that will
deter most employees from installing wireless access points.

Preventative Controls
Preventive controls are intended to avoid an incident from occurring. Preventative access controls keep a
user from performing some activity or function. Preventative controls differ from deterrent controls in that
the control is not optional and cannot (easily) be bypassed. Deterrent controls work on the theory that it is
easier to obey the control rather than to risk the consequences of bypassing the control. In other words,
the power for action resides with the user (or the attacker). Preventative controls place the power of action
with the system, obeying the control is not optional. The only way to bypass the control is to find a flaw in
the control's implementation.

Compensating Controls
Compensating controls are introduced when the existing capabilities of a system do not support the
requirement of a policy. Compensating controls can be technical, procedural, or managerial. Although an
existing system may not support the required controls, there may exist other technology or processes that
can supplement the existing environment, closing the gap in controls, meeting policy requirements, and
reducing overall risk. For example, the access control policy may state that the authentication process
must be encrypted when performed over the Internet. Adjusting an application to natively support
encryption for authentication purposes may be too costly. Secure Sockets Layer (SSL), an encryption
protocol, can be employed and layered on top of the authentication process to support the policy
statement. Other examples include a separation of duties environment, which offers the capability to
isolate certain tasks to compensate for technical limitations in the system and ensure the security of
transactions. In addition, management processes, such as authorization, supervision, and administration,
can be used to compensate for gaps in the access control environment.

Detective Controls
Detective controls warn when something has happened, and are the earliest point in the post-incident
timeline. Access controls are a deterrent to threats and can be aggressively utilized to prevent harmful
incidents through the application of least privilege. However, the detective nature of access controls can
provide significant visibility into the access environment and help organizations manage their access
strategy and related security risk. As mentioned previously, strongly managed access privileges provided
to an authenticated user offer the ability to reduce the risk exposure of the enterprise's assets by limiting
the capabilities that authenticated user has. However, there are few options to control what a user can
perform once privileges are provided. For example, if a user is provided write access to a file and that file is
damaged, altered, or otherwise negatively impacted (either deliberately or unintentionally), the use of
applied access controls will offer visibility into the transaction. The control environment can be established
to log activity regarding the identification, authentication, authorization, and use of privileges on a system.
This can be used to detect the occurrence of errors, the attempts to perform an unauthorized action, or to
validate when provided credentials were exercised. The logging system as a detective device provides
evidence of actions (both successful and unsuccessful) and tasks that were executed by authorized users.

Corrective Controls
When a security incident occurs, elements within the security infrastructure may require corrective actions.
Corrective controls are actions that seek to alter the security posture of an environment to correct any
deficiencies and return the environment to a secure state. A security incident signals the failure of one or
more directive, deterrent, preventative, or compensating controls. The detective controls may have
triggered an alarm or notification, but now the corrective controls must work to stop the incident in its
tracks. Corrective controls can take many forms, all depending on the particular situation at hand or the
particular security failure that needs to be dealt with.

Recovery Controls
Any changes to the access control environment, whether in the face of a security incident or to offer
temporary compensating controls, need to be accurately reinstated and returned to normal operations.
There are several situations that may affect access controls, their applicability, status, or management.
Events can include system outages, attacks, project changes, technical demands, administrative gaps,
and full-blown disaster situations. For example, if an application is not correctly installed or deployed, it
may adversely affect controls placed on system files or even have default administrative accounts
unknowingly implemented upon install. Additionally, an employee may be transferred, quit, or be on
temporary leave that may affect policy requirements regarding separation of duties. An attack on systems
may have resulted in the implantation of a Trojan horse program, potentially exposing private user
information, such as credit card information and financial data. In all of these cases, an undesirable
situation must be rectified as quickly as possible and controls returned to normal operations.

For your exam you should know below information about different security controls

Deterrent Controls
Deterrent Controls are intended to discourage a potential attacker. Access controls act as a deterrent to
threats and attacks by the simple fact that the existence of the control is enough to keep some potential
attackers from attempting to circumvent the control. This is often because the effort required to circumvent
the control is far greater than the potential reward if the attacker is successful, or, conversely, the negative
implications of a failed attack (or getting caught) outweigh the benefits of success. For example, by forcing
the identification and authentication of a user, service, or application, and all that it implies, the potential for
incidents associated with the system is significantly reduced because an attacker will fear association with
the incident. If there are no controls for a given access path, the number of incidents and the potential
impact become infinite. Controls inherently reduce exposure to risk by applying oversight for a process.
This oversight acts as a deterrent, curbing an attacker's appetite in the face of probable repercussions.

The best example of a deterrent control is demonstrated by employees and their propensity to intentionally
perform unauthorized functions, leading to unwanted events. When users begin to understand that by
authenticating into a system to perform a function, their activities are logged and monitored, and it reduces
the likelihood they will attempt such an action. Many threats are based on the anonymity of the threat
agent, and any potential for identification and association with their actions is avoided at all costs. It is this
fundamental reason why access controls are the key target of circumvention by attackers. Deterrents also
take the form of potential punishment if users do something unauthorized. For example, if the organization
policy specifies that an employee installing an unauthorized wireless access point will be fired, that will
determine most employees from installing wireless access points.
Preventative Controls
Preventive controls are intended to avoid an incident from occurring. Preventative access controls keep a
user from performing some activity or function. Preventative controls differ from deterrent controls in that
the control is not optional and cannot (easily) be bypassed. Deterrent controls work on the theory that it is
easier to obey the control rather than to risk the consequences of bypassing the control. In other words,
the power for action resides with the user (or the attacker). Preventative controls place the power of action
with the system, obeying the control is not optional. The only way to bypass the control is to find a flaw in
the control's implementation.
Compensating Controls
Compensating controls are introduced when the existing capabilities of a system do not support the
requirement of a policy. Compensating controls can be technical, procedural, or managerial. Although an
existing system may not support the required controls, there may exist other technology or processes that
can supplement the existing environment, closing the gap in controls, meeting policy requirements, and
reducing overall risk.

For example, the access control policy may state that the authentication process must be encrypted when
performed over the Internet. Adjusting an application to natively support encryption for authentication
purposes may be too costly. Secure Socket Layer (SSL), an encryption protocol, can be employed and
layered on top of the authentication process to support the policy statement.

Other examples include a separation of duties environment, which offers the capability to isolate certain
tasks to compensate for technical limitations in the system and ensure the security of transactions. In
addition, management processes, such as authorization, supervision, and administration, can be used to
compensate for gaps in the access control environment.

Detective Controls
Detective controls warn when something has happened, and are the earliest point in the post-incident
timeline. Access controls are a deterrent to threats and can be aggressively utilized to prevent harmful
incidents through the application of least privilege. However, the detective nature of access controls can
provide significant visibility into the access environment and help organizations manage their access
strategy and related security risk. As mentioned previously, strongly managed access privileges provided
to an authenticated user offer the ability to reduce the risk exposure of the enterprise's assets by limiting
the capabilities that authenticated user has. However, there are few options to control what a user can
perform once privileges are provided. For example, if a user is provided write access to a file and that file is
damaged, altered, or otherwise negatively impacted (either deliberately or unintentionally), the use of
applied access controls will offer visibility into the transaction. The control environment can be established
to log activity regarding the identification, authentication, authorization, and use of privileges on a system.
This can be used to detect the occurrence of errors, the attempts to perform an unauthorized action, or to
validate when provided credentials were exercised. The logging system as a detective device provides
evidence of actions (both successful and unsuccessful) and tasks that were executed by authorized users.

Corrective Controls
When a security incident occurs, elements within the security infrastructure may require corrective actions.
Corrective controls are actions that seek to alter the security posture of an environment to correct any
deficiencies and return the environment to a secure state. A security incident signals the failure of one or
more directive, deterrent, preventative, or compensating controls. The detective controls may have
triggered an alarm or notification, but now the corrective controls must work to stop the incident in its
tracks. Corrective controls can take many forms, all depending on the particular situation at hand or the
particular security failure that needs to be dealt with.

Recovery Controls
Any changes to the access control environment, whether in the face of a security incident or to offer
temporary compensating controls, need to be accurately reinstated and returned to normal operations.
There are several situations that may affect access controls, their applicability, status, or management.
Events can include system outages, attacks, project changes, technical demands, administrative gaps,
and full-blown disaster situations. For example, if an application is not correctly installed or deployed, it
may adversely affect controls placed on system files or even have default administrative accounts
unknowingly implemented upon install. Additionally, an employee may be transferred, quit, or be on
temporary leave that may affect policy requirements regarding separation of duties. An attack on systems
may have resulted in the implantation of a Trojan horse program, potentially exposing private user
information, such as credit card information and financial data. In all of these cases, an undesirable
situation must be rectified as quickly as possible and controls returned to normal operations.
The following answers are incorrect:
The other examples belong to preventive control.

The following reference(s) were/was used to create this question:

CISA Review Manual 2014 Page number 44
and
Official ISC2 CISSP guide 3rd edition Page number 50 and 51

QUESTION 243
Which of the following is NOT an example of corrective control?

A. OS Upgrade
B. Backup and restore
C. Contingency planning
D. System Monitoring

Correct Answer: D
Explanation

Explanation/Reference:
The word NOT is used as a keyword in the question. You need to identify, from the given options, the
security control that is not a corrective control. System Monitoring is a detective control, not a corrective
control.
For your exam you should know the following information about the different security controls:

Deterrent Controls
Deterrent Controls are intended to discourage a potential attacker. Access controls act as a deterrent to
threats and attacks by the simple fact that the existence of the control is enough to keep some potential
attackers from attempting to circumvent the control. This is often because the effort required to circumvent
the control is far greater than the potential reward if the attacker is successful, or, conversely, the negative
implications of a failed attack (or getting caught) outweigh the benefits of success. For example, by forcing
the identification and authentication of a user, service, or application, and all that it implies, the potential for
incidents associated with the system is significantly reduced because an attacker will fear association with
the incident. If there are no controls for a given access path, the number of incidents and the potential
impact become infinite. Controls inherently reduce exposure to risk by applying oversight for a process.
This oversight acts as a deterrent, curbing an attacker's appetite in the face of probable repercussions.
The best example of a deterrent control is demonstrated by employees and their propensity to intentionally
perform unauthorized functions, leading to unwanted events. When users begin to understand that by
authenticating into a system to perform a function their activities are logged and monitored, it reduces
the likelihood they will attempt such an action. Many threats are based on the anonymity of the threat
agent, and any potential for identification and association with their actions is avoided at all costs. It is this
fundamental reason why access controls are the key target of circumvention by attackers. Deterrents also
take the form of potential punishment if users do something unauthorized. For example, if the organization
policy specifies that an employee installing an unauthorized wireless access point will be fired, that will
deter most employees from installing wireless access points.

Preventative Controls
Preventive controls are intended to avoid an incident from occurring. Preventative access controls keep a
user from performing some activity or function. Preventative controls differ from deterrent controls in that
the control is not optional and cannot (easily) be bypassed. Deterrent controls work on the theory that it is
easier to obey the control rather than to risk the consequences of bypassing the control. In other words,
the power for action resides with the user (or the attacker). Preventative controls place the power of action
with the system; obeying the control is not optional. The only way to bypass the control is to find a flaw in
the control's implementation.
Compensating Controls
Compensating controls are introduced when the existing capabilities of a system do not support the
requirement of a policy. Compensating controls can be technical, procedural, or managerial. Although an
existing system may not support the required controls, there may exist other technology or processes that
can supplement the existing environment, closing the gap in controls, meeting policy requirements, and
reducing overall risk. For example, the access control policy may state that the authentication process
must be encrypted when performed over the Internet. Adjusting an application to natively support
encryption for authentication purposes may be too costly. Secure Socket Layer (SSL), an encryption
protocol, can be employed and layered on top of the authentication process to support the policy
statement. Other examples include a separation of duties environment, which offers the capability to
isolate certain tasks to compensate for technical limitations in the system and ensure the security of
transactions. In addition, management processes, such as authorization, supervision, and administration,
can be used to compensate for gaps in the access control environment.

Detective Controls
Detective controls warn when something has happened, and are the earliest point in the post-incident
timeline. Access controls are a deterrent to threats and can be aggressively utilized to prevent harmful
incidents through the application of least privilege. However, the detective nature of access controls can
provide significant visibility into the access environment and help organizations manage their access
strategy and related security risk. As mentioned previously, strongly managed access privileges provided
to an authenticated user offer the ability to reduce the risk exposure of the enterprise's assets by limiting
the capabilities that authenticated user has. However, there are few options to control what a user can
perform once privileges are provided. For example, if a user is provided write access to a file and that file is
damaged, altered, or otherwise negatively impacted (either deliberately or unintentionally), the use of
applied access controls will offer visibility into the transaction. The control environment can be established
to log activity regarding the identification, authentication, authorization, and use of privileges on a system.
This can be used to detect the occurrence of errors, the attempts to perform an unauthorized action, or to
validate when provided credentials were exercised. The logging system as a detective device provides
evidence of actions (both successful and unsuccessful) and tasks that were executed by authorized users.

Corrective Controls
When a security incident occurs, elements within the security infrastructure may require corrective actions.
Corrective controls are actions that seek to alter the security posture of an environment to correct any
deficiencies and return the environment to a secure state. A security incident signals the failure of one or
more directive, deterrent, preventative, or compensating controls. The detective controls may have
triggered an alarm or notification, but now the corrective controls must work to stop the incident in its
tracks. Corrective controls can take many forms, all depending on the particular situation at hand or the
particular security failure that needs to be dealt with.

Recovery Controls
Any changes to the access control environment, whether in the face of a security incident or to offer
temporary compensating controls, need to be accurately reinstated and returned to normal operations.
There are several situations that may affect access controls, their applicability, status, or management.
Events can include system outages, attacks, project changes, technical demands, administrative gaps,
and full-blown disaster situations. For example, if an application is not correctly installed or deployed, it
may adversely affect controls placed on system files or even have default administrative accounts
unknowingly implemented upon install. Additionally, an employee may be transferred, quit, or be on
temporary leave that may affect policy requirements regarding separation of duties. An attack on systems
may have resulted in the implantation of a Trojan horse program, potentially exposing private user
information, such as credit card information and financial data. In all of these cases, an undesirable
situation must be rectified as quickly as possible and controls returned to normal operations.


The following answers are incorrect:
The other examples belong to corrective control.

The following reference(s) were/was used to create this question:

CISA Review Manual 2014 Page number 44
and
Official ISC2 CISSP guide 3rd edition Page number 50 and 51

QUESTION 244
Which of the following is NOT an example of a detective control?

A. System Monitor
B. IDS
C. Monitor detector
D. Backup data restore

Correct Answer: D
Explanation

Explanation/Reference:
The word NOT is used as a keyword in the question. You need to identify, from the given options, the
security control that is not a detective control. Backup data restore is a corrective control, not a detective
control.
For your exam you should know the following information about the different security controls:

Deterrent Controls
Deterrent Controls are intended to discourage a potential attacker. Access controls act as a deterrent to
threats and attacks by the simple fact that the existence of the control is enough to keep some potential
attackers from attempting to circumvent the control. This is often because the effort required to circumvent
the control is far greater than the potential reward if the attacker is successful, or, conversely, the negative
implications of a failed attack (or getting caught) outweigh the benefits of success. For example, by forcing
the identification and authentication of a user, service, or application, and all that it implies, the potential for
incidents associated with the system is significantly reduced because an attacker will fear association with
the incident. If there are no controls for a given access path, the number of incidents and the potential
impact become infinite. Controls inherently reduce exposure to risk by applying oversight for a process.
This oversight acts as a deterrent, curbing an attacker's appetite in the face of probable repercussions.
The best example of a deterrent control is demonstrated by employees and their propensity to intentionally
perform unauthorized functions, leading to unwanted events. When users begin to understand that by
authenticating into a system to perform a function their activities are logged and monitored, it reduces
the likelihood they will attempt such an action. Many threats are based on the anonymity of the threat
agent, and any potential for identification and association with their actions is avoided at all costs. It is this
fundamental reason why access controls are the key target of circumvention by attackers. Deterrents also
take the form of potential punishment if users do something unauthorized. For example, if the organization
policy specifies that an employee installing an unauthorized wireless access point will be fired, that will
deter most employees from installing wireless access points.

Preventative Controls
Preventive controls are intended to avoid an incident from occurring. Preventative access controls keep a
user from performing some activity or function. Preventative controls differ from deterrent controls in that
the control is not optional and cannot (easily) be bypassed. Deterrent controls work on the theory that it is
easier to obey the control rather than to risk the consequences of bypassing the control. In other words,
the power for action resides with the user (or the attacker). Preventative controls place the power of action
with the system; obeying the control is not optional. The only way to bypass the control is to find a flaw in
the control's implementation.

Compensating Controls
Compensating controls are introduced when the existing capabilities of a system do not support the
requirement of a policy. Compensating controls can be technical, procedural, or managerial. Although an
existing system may not support the required controls, there may exist other technology or processes that
can supplement the existing environment, closing the gap in controls, meeting policy requirements, and
reducing overall risk. For example, the access control policy may state that the authentication process
must be encrypted when performed over the Internet. Adjusting an application to natively support
encryption for authentication purposes may be too costly. Secure Socket Layer (SSL), an encryption
protocol, can be employed and layered on top of the authentication process to support the policy
statement. Other examples include a separation of duties environment, which offers the capability to
isolate certain tasks to compensate for technical limitations in the system and ensure the security of
transactions. In addition, management processes, such as authorization, supervision, and administration,
can be used to compensate for gaps in the access control environment.

Detective Controls
Detective controls warn when something has happened, and are the earliest point in the post-incident
timeline. Access controls are a deterrent to threats and can be aggressively utilized to prevent harmful
incidents through the application of least privilege. However, the detective nature of access controls can
provide significant visibility into the access environment and help organizations manage their access
strategy and related security risk. As mentioned previously, strongly managed access privileges provided
to an authenticated user offer the ability to reduce the risk exposure of the enterprise's assets by limiting
the capabilities that authenticated user has. However, there are few options to control what a user can
perform once privileges are provided. For example, if a user is provided write access to a file and that file is
damaged, altered, or otherwise negatively impacted (either deliberately or unintentionally), the use of
applied access controls will offer visibility into the transaction. The control environment can be established
to log activity regarding the identification, authentication, authorization, and use of privileges on a system.
This can be used to detect the occurrence of errors, the attempts to perform an unauthorized action, or to
validate when provided credentials were exercised. The logging system as a detective device provides
evidence of actions (both successful and unsuccessful) and tasks that were executed by authorized users.
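The Detective Controls paragraphs above (in the explanations for both QUESTION 243 and QUESTION 244) describe the logging system as a detective device: it records identification, authentication, authorization and privilege use, and that record is reviewed to detect errors, attempts at unauthorized actions, and when credentials were exercised. The following is an added example of that review step, not code from the question bank or from the cited ISC2 and CISA texts. The audit log format, the event names (AUTH, AUTHZ, PRIV_USE), the sample log lines and the failure threshold are all constructed assumptions for this illustration; a real deployment would adapt the parser to its own audit format.

```python
"""Detective control: reviewing an audit log for errors, unauthorized attempts
and credential use.  Added example; log format and thresholds are assumed."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample audit lines.  Assumed format:
#   <timestamp> <user> <AUTH|AUTHZ|PRIV_USE> <outcome> [key=value ...]
SAMPLE_LOG = """\
2024-03-01T08:00:01Z alice AUTH success src=10.0.0.5
2024-03-01T08:00:15Z alice AUTHZ granted priv=read resource=/finance/q1.xlsx
2024-03-01T08:00:16Z alice PRIV_USE success priv=read resource=/finance/q1.xlsx
2024-03-01T08:05:40Z bob AUTH failure src=10.0.0.9
2024-03-01T08:05:44Z bob AUTH failure src=10.0.0.9
2024-03-01T08:05:49Z bob AUTH failure src=10.0.0.9
2024-03-01T08:05:53Z bob AUTH failure src=10.0.0.9
2024-03-01T08:06:10Z bob AUTH success src=10.0.0.9
2024-03-01T08:06:30Z bob PRIV_USE success priv=write resource=/finance/q1.xlsx
2024-03-01T09:12:00Z carol AUTH success src=10.0.0.7
2024-03-01T09:12:05Z carol AUTHZ denied priv=admin resource=/finance/payroll.db
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<event>AUTH|AUTHZ|PRIV_USE) "
    r"(?P<outcome>\S+)(?: (?P<detail>.*))?$"
)

FAILURE_THRESHOLD = 3  # assumed: this many failed logins for one account is a finding


def parse_line(line):
    """Parse one audit line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    # Fold the trailing key=value pairs (src, priv, resource) into the record.
    detail = rec.pop("detail") or ""
    rec.update(kv.split("=", 1) for kv in detail.split() if "=" in kv)
    return rec


def review_audit_log(text, failure_threshold=FAILURE_THRESHOLD):
    """Walk the log once and produce the three kinds of evidence the detective
    control is meant to surface:
      * repeated_auth_failures      - errors / credential guessing on one account
      * unauthorized_attempt        - an authorization request that was denied
      * privilege_use_without_grant - a privilege exercised with no matching grant
    plus the last time each account's credentials were successfully exercised."""
    records = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    failures = Counter()
    granted = defaultdict(set)   # user -> {(priv, resource), ...}
    last_use = {}                # user -> timestamp of last successful AUTH
    findings = []
    for r in records:
        user = r["user"]
        if r["event"] == "AUTH":
            if r["outcome"] == "failure":
                failures[user] += 1
            else:
                last_use[user] = r["ts"]
        elif r["event"] == "AUTHZ":
            if r["outcome"] == "granted":
                granted[user].add((r["priv"], r["resource"]))
            else:
                findings.append(("unauthorized_attempt", user, r["priv"], r["resource"]))
        elif r["event"] == "PRIV_USE":
            # Detective check: the privilege was used, but was it ever authorized?
            if (r["priv"], r["resource"]) not in granted[user]:
                findings.append(("privilege_use_without_grant", user, r["priv"], r["resource"]))
    for user, n in failures.items():
        if n >= failure_threshold:
            findings.append(("repeated_auth_failures", user, n))
    return {"findings": findings, "last_credential_use": last_use}


if __name__ == "__main__":
    report = review_audit_log(SAMPLE_LOG)
    for f in report["findings"]:
        print("FINDING", *f)
    for user, ts in sorted(report["last_credential_use"].items()):
        print("LAST CREDENTIAL USE", user, ts.isoformat())
```

Run against the constructed log, the review reports bob's four failed logins, bob's write to the finance file with no recorded grant, and carol's denied request for admin privilege, while the last-use table shows when each account's credentials were exercised. Nothing here stops the actions; as the paragraph says, the control is detective, providing visibility after the fact so that corrective controls can be applied.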

Corrective Controls
When a security incident occurs, elements within the security infrastructure may require corrective actions.
Corrective controls are actions that seek to alter the security posture of an environment to correct any
deficiencies and return the environment to a secure state. A security incident signals the failure of one or
more directive, deterrent, preventative, or compensating controls. The detective controls may have
triggered an alarm or notification, but now the corrective controls must work to stop the incident in its
tracks. Corrective controls can take many forms, all depending on the particular situation at hand or the
particular security failure that needs to be dealt with.

Recovery Controls
Any changes to the access control environment, whether in the face of a security incident or to offer
temporary compensating controls, need to be accurately reinstated and returned to normal operations.
There are several situations that may affect access controls, their applicability, status, or management.
Events can include system outages, attacks, project changes, technical demands, administrative gaps,
and full-blown disaster situations. For example, if an application is not correctly installed or deployed, it
may adversely affect controls placed on system files or even have default administrative accounts
unknowingly implemented upon install. Additionally, an employee may be transferred, quit, or be on
temporary leave that may affect policy requirements regarding separation of duties. An attack on systems
may have resulted in the implantation of a Trojan horse program, potentially exposing private user
information, such as credit card information and financial data. In all of these cases, an undesirable
situation must be rectified as quickly as possible and controls returned to normal operations.

For your exam you should know the following information about the different security controls:

Deterrent Controls
Deterrent Controls are intended to discourage a potential attacker. Access controls act as a deterrent to
threats and attacks by the simple fact that the existence of the control is enough to keep some potential
attackers from attempting to circumvent the control. This is often because the effort required to circumvent
the control is far greater than the potential reward if the attacker is successful, or, conversely, the negative
implications of a failed attack (or getting caught) outweigh the benefits of success. For example, by forcing
the identification and authentication of a user, service, or application, and all that it implies, the potential for
incidents associated with the system is significantly reduced because an attacker will fear association with
the incident. If there are no controls for a given access path, the number of incidents and the potential
impact become infinite. Controls inherently reduce exposure to risk by applying oversight for a process.
This oversight acts as a deterrent, curbing an attacker's appetite in the face of probable repercussions.

The best example of a deterrent control is demonstrated by employees and their propensity to intentionally
perform unauthorized functions, leading to unwanted events.
When users begin to understand that by authenticating into a system to perform a function their activities
are logged and monitored, it reduces the likelihood they will attempt such an action. Many threats are
based on the anonymity of the threat agent, and any potential for identification and association with their
actions is avoided at all costs. It is this fundamental reason why access controls are the key target of
circumvention by attackers. Deterrents also take the form of potential punishment if users do something
unauthorized. For example, if the organization policy specifies that an employee installing an unauthorized
wireless access point will be fired, that will deter most employees from installing wireless access
points.

Preventative Controls
Preventive controls are intended to avoid an incident from occurring. Preventative access controls keep a
user from performing some activity or function. Preventative controls differ from deterrent controls in that
the control is not optional and cannot (easily) be bypassed. Deterrent controls work on the theory that it is
easier to obey the control rather than to risk the consequences of bypassing the control. In other words,
the power for action resides with the user (or the attacker). Preventative controls place the power of action
with the system; obeying the control is not optional. The only way to bypass the control is to find a flaw in
the control's implementation.

Compensating Controls
Compensating controls are introduced when the existing capabilities of a system do not support the
requirement of a policy. Compensating controls can be technical, procedural, or managerial. Although an
existing system may not support the required controls, there may exist other technology or processes that
can supplement the existing environment, closing the gap in controls, meeting policy requirements, and
reducing overall risk. For example, the access control policy may state that the authentication process
must be encrypted when performed over the Internet. Adjusting an application to natively support
encryption for authentication purposes may be too costly. Secure Socket Layer (SSL), an encryption
protocol, can be employed and layered on top of the authentication process to support the policy
statement.
Other examples include a separation of duties environment, which offers the capability to isolate certain
tasks to compensate for technical limitations in the system and ensure the security of transactions. In
addition, management processes, such as authorization, supervision, and administration, can be used to
compensate for gaps in the access control environment.

Detective Controls
Detective controls warn when something has happened, and are the earliest point in the post-incident
timeline. Access controls are a deterrent to threats and can be aggressively utilized to prevent harmful
incidents through the application of least privilege. However, the detective nature of access controls can
provide significant visibility into the access environment and help organizations manage their access
strategy and related security risk. As mentioned previously, strongly managed access privileges provided
to an authenticated user offer the ability to reduce the risk exposure of the enterprise's assets by limiting
the capabilities that authenticated user has. However, there are few options to control what a user can
perform once privileges are provided. For example, if a user is provided write access to a file and that file is
damaged, altered, or otherwise negatively impacted (either deliberately or unintentionally), the use of
applied access controls will offer visibility into the transaction. The control environment can be established
to log activity regarding the identification, authentication, authorization, and use of privileges on a system.
This can be used to detect the occurrence of errors, the attempts to perform an unauthorized action, or to
validate when provided credentials were exercised. The logging system as a detective device provides
evidence of actions (both successful and unsuccessful) and tasks that were executed by authorized users.
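The logging described above, worked as an added example (this code is not from the original page or from any of the referenced books): a small script that parses constructed audit-log lines and surfaces repeated failed logins, refused authorizations, and who actually exercised write privileges on a resource. The log line format, the field names and the failure threshold are assumptions made for the example.

```python
"""Added example: a small detective control that reads identification,
authentication and authorization events from an audit log and reports what
a reviewer would want to see. The log format (assumed) is
    <timestamp> <AUTH|AUTHZ> key=value ...
The threshold and the sample lines are constructed for this illustration."""
from collections import Counter, defaultdict

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2024-01-10T08:00:01 AUTH user=alice src=10.0.0.5 result=ok
2024-01-10T08:00:05 AUTHZ user=alice src=10.0.0.5 resource=/finance/q4.xlsx action=write result=ok
2024-01-10T08:01:10 AUTH user=bob src=10.0.0.9 result=fail
2024-01-10T08:01:14 AUTH user=bob src=10.0.0.9 result=fail
2024-01-10T08:01:19 AUTH user=bob src=10.0.0.9 result=fail
2024-01-10T08:01:25 AUTH user=bob src=10.0.0.9 result=fail
2024-01-10T08:02:00 AUTH user=carol src=10.0.0.7 result=ok
2024-01-10T08:02:30 AUTHZ user=carol src=10.0.0.7 resource=/hr/salaries.db action=write result=fail
2024-01-10T08:03:00 AUTHZ user=carol src=10.0.0.7 resource=/hr/salaries.db action=read result=fail
"""

FAILED_AUTH_THRESHOLD = 3  # assumed tuning value for this example


def parse_line(line):
    """Turn one log line into a dict of fields; returns None for malformed lines."""
    parts = line.split()
    if len(parts) < 3:
        return None
    event = {"ts": parts[0], "type": parts[1]}
    for kv in parts[2:]:
        if "=" not in kv:
            return None
        key, value = kv.split("=", 1)
        event[key] = value
    return event


def analyse(log_text):
    """Return (repeated_failed_logins, denied_authorizations, who_wrote).

    repeated_failed_logins: user -> count, for users at or above the threshold
    denied_authorizations:  list of (user, resource, action) that were refused
    who_wrote:              resource -> users whose write was permitted
    """
    failed = Counter()
    denied = []
    who_wrote = defaultdict(list)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue  # a real control would count malformed lines too
        if ev["type"] == "AUTH" and ev.get("result") == "fail":
            failed[ev["user"]] += 1
        elif ev["type"] == "AUTHZ":
            if ev.get("result") == "fail":
                denied.append((ev["user"], ev["resource"], ev["action"]))
            elif ev.get("action") == "write":
                who_wrote[ev["resource"]].append(ev["user"])
    repeated = {u: n for u, n in failed.items() if n >= FAILED_AUTH_THRESHOLD}
    return repeated, denied, dict(who_wrote)


if __name__ == "__main__":
    repeated, denied, who_wrote = analyse(SAMPLE_LOG)
    print("repeated failed logins:", repeated)
    print("denied authorizations: ", denied)
    print("permitted writes:      ", who_wrote)
```

The third result is the point the paragraph makes about a damaged file: once a write has been permitted, the log is the only thing that says which authenticated user exercised that privilege.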

Corrective Controls
When a security incident occurs, elements within the security infrastructure may require corrective actions.
Corrective controls are actions that seek to alter the security posture of an environment to correct any
deficiencies and return the environment to a secure state. A security incident signals the failure of one or
more directive, deterrent, preventative, or compensating controls. The detective controls may have
triggered an alarm or notification, but now the corrective controls must work to stop the incident in its
tracks. Corrective controls can take many forms, all depending on the particular situation at hand or the
particular security failure that needs to be dealt with.

Recovery Controls
Any changes to the access control environment, whether in the face of a security incident or to offer
temporary compensating controls, need to be accurately reinstated and returned to normal operations.
There are several situations that may affect access controls, their applicability, status, or management.
Events can include system outages, attacks, project changes, technical demands, administrative gaps,
and full-blown disaster situations. For example, if an application is not correctly installed or deployed, it
may adversely affect controls placed on system files or even have default administrative accounts
unknowingly implemented upon install. Additionally, an employee may be transferred, quit, or be on
temporary leave that may affect policy requirements regarding separation of duties. An attack on systems
may have resulted in the implantation of a Trojan horse program, potentially exposing private user
information, such as credit card information and financial data. In all of these cases, an undesirable
situation must be rectified as quickly as possible and controls returned to normal operations.

The following answers are incorrect:

The other options are examples of detective controls.

The following reference(s) were/was used to create this question:


CISA Review Manual 2014 Page number 44
and
Official ISC2 CISSP guide 3rd edition Page number 50 and 51

QUESTION 245
During an IS audit, the auditor has observed that the authentication and authorization steps are split into
two functions and that it is possible to force the authorization step to be completed before the
authentication step. Which of the following techniques could an attacker use to force the authorization step
before the authentication step?

A. Eavesdropping
B. Traffic analysis
C. Masquerading
D. Race Condition

Correct Answer: D
Explanation

Explanation/Reference:
A race condition occurs when two or more processes use a shared resource, such as data within a variable,
and the order in which they act on it is not enforced. It is important that the processes carry out their
functionality in the correct sequence: if process 2 carries out its task on the data before process 1, the
result can be very different than if process 1 had acted first. In software, when the authentication and
authorization steps are split into two functions, there is a possibility an attacker could use a race
condition to force the authorization step to be completed before the authentication step. This is a flaw in
the software that the attacker has figured out how to exploit: because the sequence of steps can be carried
out in an improper order, the authorization decision is made before the authentication check has run, and
the attacker gains unauthorized access to a resource. This class of flaw is also known as a
time-of-check/time-of-use (TOC/TOU, or TOCTOU) vulnerability.
The following answers are incorrect:
Eavesdropping - is the act of secretly listening to the private conversation of others without their consent,
as defined by Black's Law Dictionary. This is commonly thought to be unethical and there is an old adage
that "eavesdroppers seldom hear anything good of themselves...eavesdroppers always try to listen to
matters that concern them."

Traffic analysis - is the process of intercepting and examining messages in order to deduce information
from patterns in communication. It can be performed even when the messages are encrypted and cannot
be decrypted. In general, the greater the number of messages observed, or even intercepted and stored,
the more can be inferred from the traffic. Traffic analysis can be performed in the context of military
intelligence, counter-intelligence, or pattern-of-life analysis, and is a concern in computer security.

Masquerading - A masquerade attack is an attack that uses a fake identity, such as a network identity, to
gain unauthorized access to personal computer information through legitimate access identification. If an
authorization process is not fully protected, it can become extremely vulnerable to a masquerade attack.
Masquerade attacks can be perpetrated using stolen passwords and logons, by locating gaps in programs,
or by finding a way around the authentication process. The attack can be triggered either by someone
within the organization or by an outsider if the organization is connected to a public network. The amount
of access masquerade attackers get depends on the level of authorization they've managed to attain. As
such, masquerade attackers can have a full smorgasbord of cyber crime opportunities if they've gained the
highest access authority to a business organization. Personal attacks, although less common, can also be
harmful.
Following reference(s) were/was used to create this question:

CISA review manual 2014 Page number 324


Official ISC2 guide to CISSP CBK 3rd Edition Page number 66
CISSP All-In-One Exam guide 6th Edition Page number 161

QUESTION 246
Which of the following attacks is also known as a Time of Check/Time of Use (TOC/TOU) attack?

A. Eavesdropping
B. Traffic analysis
C. Masquerading
D. Race Condition

Correct Answer: D
Explanation

Explanation/Reference:
A race condition attack is also known as a Time of Check/Time of Use (TOC/TOU, or TOCTOU) attack: the
state of a resource is checked at one moment and used at a later one, and an attacker changes it in
between. A race condition occurs when two or more processes use a shared resource, such as data within a
variable, and the order in which they act on it is not enforced. It is important that the processes carry
out their functionality in the correct sequence: if process 2 carries out its task on the data before
process 1, the result can be very different than if process 1 had acted first. In software, when the
authentication and authorization steps are split into two functions, there is a possibility an attacker
could use a race condition to force the authorization step to be completed before the authentication step.
This is a flaw in the software that the attacker has figured out how to exploit: because the sequence of
steps can be carried out in an improper order, the authorization decision is made before the authentication
check has run, and the attacker gains unauthorized access to a resource.

The following answers are incorrect:


Eavesdropping - is the act of secretly listening to the private conversation of others without their consent,
as defined by Black's Law Dictionary. This is commonly thought to be unethical and there is an old adage
that "eavesdroppers seldom hear anything good of themselves...eavesdroppers always try to listen to
matters that concern them."

Traffic analysis - is the process of intercepting and examining messages in order to deduce information
from patterns in communication. It can be performed even when the messages are encrypted and cannot
be decrypted. In general, the greater the number of messages observed, or even intercepted and stored,
the more can be inferred from the traffic. Traffic analysis can be performed in the context of military
intelligence, counter-intelligence, or pattern-of-life analysis, and is a concern in computer security.

Masquerading - A masquerade attack is an attack that uses a fake identity, such as a network identity, to
gain unauthorized access to personal computer information through legitimate access identification. If an
authorization process is not fully protected, it can become extremely vulnerable to a masquerade attack.
Masquerade attacks can be perpetrated using stolen passwords and logons, by locating gaps in programs,
or by finding a way around the authentication process. The attack can be triggered either by someone
within the organization or by an outsider if the organization is connected to a public network. The amount
of access masquerade attackers get depends on the level of authorization they've managed to attain. As
such, masquerade attackers can have a full smorgasbord of cyber crime opportunities if they've gained the
highest access authority to a business organization. Personal attacks, although less common, can also be
harmful.

Following reference(s) were/was used to create this question:


CISA review manual 2014 Page number 324
Official ISC2 guide to CISSP CBK 3rd Edition Page number 66
CISSP All-In-One Exam guide 6th Edition Page number 161
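A worked example of the race condition discussed in questions 245 and 246, added here and not part of the original page or its references: a check-then-use (TOC/TOU) file read in which the check is done on the path name and the use re-resolves that name, beside a version that performs the check on the file descriptor it has already opened. The between_check_and_use hook is a stand-in for a concurrent attacker process and is an assumption of the example; the file names are constructed.

```python
"""Added example (not from the original page): a deliberately vulnerable
check-then-use (TOC/TOU) file read next to a version that closes the window.
The 'between_check_and_use' hook simulates a concurrent process that swaps
the file between the check and the use; in a real attack the swap is raced
against the victim rather than called by it."""
import os
import shutil
import stat
import tempfile


def read_if_regular_vulnerable(path, between_check_and_use=None):
    """VULNERABLE: checks the *name* with lstat(), then opens the *name* again.
    Whatever the name points to at the second call is what gets read."""
    if stat.S_ISLNK(os.lstat(path).st_mode):
        raise PermissionError("symlinks are not allowed")
    if between_check_and_use:
        between_check_and_use()          # the race window
    with open(path, "rb") as f:          # re-resolves the path; follows a new symlink
        return f.read()


def read_if_regular_fixed(path, between_check_and_use=None):
    """FIXED: open first without following symlinks, then inspect the object
    actually opened. Check and use both refer to the same descriptor, so a
    change to the name after open() cannot redirect the read."""
    # O_NOFOLLOW is assumed available (Linux/BSD/macOS); open() fails with
    # ELOOP if the path is a symlink. The fallback to 0 keeps the code
    # importable elsewhere but weakens the guarantee there.
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags)
    try:
        if between_check_and_use:
            between_check_and_use()      # swapping the name now changes nothing
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError("not a regular file")
        f = os.fdopen(fd, "rb")
        fd = -1                          # ownership passed to the file object
        with f:
            return f.read()
    finally:
        if fd != -1:
            os.close(fd)


def demo():
    """Run both versions against a symlink swap; returns
    (bytes the vulnerable version leaked, bytes the fixed version read,
     whether the fixed version refuses a symlink that is already in place)."""
    workdir = tempfile.mkdtemp()
    try:
        target = os.path.join(workdir, "public.txt")   # constructed file names
        secret = os.path.join(workdir, "secret.txt")
        with open(target, "wb") as f:
            f.write(b"public")
        with open(secret, "wb") as f:
            f.write(b"SECRET")

        def swap():  # simulated attacker: replace the checked name with a symlink
            os.unlink(target)
            os.symlink(secret, target)

        leaked = read_if_regular_vulnerable(target, swap)

        os.unlink(target)                 # reset to a regular file
        with open(target, "wb") as f:
            f.write(b"public")
        safe = read_if_regular_fixed(target, swap)

        # swap() has left 'target' as a symlink: the fixed version refuses it outright.
        try:
            read_if_regular_fixed(target)
            rejected = False
        except OSError:                   # ELOOP from O_NOFOLLOW, or PermissionError
            rejected = True
        return leaked, safe, rejected
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())
```

The same principle applies to the authentication/authorization split in the question: the authorization decision must be bound to the authenticated principal it was made for (for example by carrying the authenticated identity in the same session object the authorization check reads), not to a name or flag that can change between the two steps.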

QUESTION 247
Which of the following biometrics methods provides the HIGHEST accuracy and is LEAST accepted by
users?
A. Palm Scan
B. Hand Geometry
C. Fingerprint
D. Retina scan

Correct Answer: D
Explanation

Explanation/Reference:
Retina-based biometrics involve analyzing the layer of blood vessels situated at the back of the eye.
An established technology, this technique uses a low-intensity light source through an optical coupler to
scan the unique patterns of the retina. Retinal scanning can be quite accurate but does require the user to
look into a receptacle and focus on a given point. This is not particularly convenient if you wear glasses
or are concerned about having close contact with the reading device. For these reasons, retinal scanning is
not warmly accepted by all users, even though the technology itself can work well.

For your exam you should know the information below:

Biometrics
Biometrics verifies an individual's identity by analyzing a unique personal attribute or behavior. It is one
of the most effective and accurate methods of verifying identity, but it is not always well received by
users. Biometrics is a very sophisticated technology; thus, it is much more expensive and complex than the
other types of identity verification processes. A biometric system can make authentication decisions based
on an individual's behavior, as in signature dynamics, but these can change over time and possibly be
forged. Biometric systems that base authentication decisions on physical attributes (such as iris, retina,
or fingerprint) provide more accuracy because physical attributes typically don't change, absent some
disfiguring injury, and are harder to impersonate.

Biometrics is typically broken up into two different categories. The first is physiological: traits that
are physical attributes unique to a specific individual. Fingerprints are a common example of a
physiological trait used in biometric systems. The second category is behavioral, which bases the decision
on a characteristic of how an individual acts; signature dynamics is an example. Behavioral traits can also
be measured continuously throughout a session (continuous authentication), which helps detect session
hijacking, since a hijacker's typing or interaction pattern will not match the legitimate user's.
Physiological is "what you are" and behavioral is "what you do."

When a biometric system rejects an authorized individual, it is called a Type I error (false rejection
rate, FRR). When the system accepts impostors who should be rejected, it is called a Type II error (false
acceptance rate, FAR). The goal is to obtain low numbers for each type of error, but Type II errors are the
most dangerous and thus the most important to avoid. When comparing different biometric systems, many
different variables are used, but one of the most important metrics is the crossover error rate (CER). This
rating is stated as a percentage and represents the point at which the false rejection rate equals the false
acceptance rate: raising the match threshold lowers the FAR but raises the FRR, and the CER is where the two
curves cross. This rating is the most important measurement when determining the system's accuracy. A
biometric system that delivers a CER of 3 will be more accurate than a system that delivers a CER of 4.
Crossover error rate (CER) is also called equal error rate (EER). Throughput describes how quickly the
system can process an authentication attempt (how many users it can authenticate per minute); this is also
referred to as the biometric system response time. The primary considerations that should be put into the
purchasing and implementation of biometric access control are user acceptance, accuracy and processing
speed.
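An added example (not from the original page or its references) of how the Type I, Type II and crossover error rates described above are actually derived from a system's match scores. The genuine and impostor score lists are constructed for the illustration; a real evaluation would use scores collected during enrolment and testing.

```python
"""Added example (not from the original page): compute the false rejection
rate (Type I), false acceptance rate (Type II) and the crossover / equal
error rate (CER/EER) from similarity scores. Scores are constructed."""

# Constructed match scores on a 0..100 scale. 'Genuine' are attempts by the
# enrolled user, 'impostor' are attempts by someone else. The overlap between
# the two lists is deliberate: that overlap is what produces errors.
GENUINE = [62, 70, 74, 77, 80, 82, 85, 88, 90, 93, 95, 97]
IMPOSTOR = [20, 31, 40, 48, 55, 60, 64, 68, 71, 73, 76, 79]


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """The system accepts when score >= threshold.
    FRR (Type I)  = genuine attempts rejected  / genuine attempts
    FAR (Type II) = impostor attempts accepted / impostor attempts"""
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def crossover(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep every integer threshold and return (threshold, cer) at the point
    where FRR and FAR are closest, i.e. the crossover / equal error rate."""
    best = None
    for t in range(0, 101):
        frr, far = error_rates(t, genuine, impostor)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    _, t, cer = best
    return t, cer


def more_accurate(cer_a, cer_b):
    """Lower CER means a more accurate system: returns 'A', 'B' or 'equal'."""
    if cer_a < cer_b:
        return "A"
    if cer_b < cer_a:
        return "B"
    return "equal"


if __name__ == "__main__":
    print("threshold  FRR(TypeI)  FAR(TypeII)")
    for t in (60, 70, 74, 80, 90):
        frr, far = error_rates(t)
        print(f"{t:9d}  {frr:10.3f}  {far:11.3f}")
    t, cer = crossover()
    print(f"crossover at threshold {t}: CER = {cer:.3f} ({cer * 100:.1f}%)")
```

Moving the threshold up trades Type II errors for Type I errors; a deployment that must keep impostors out (the more dangerous error) sets the threshold above the crossover and accepts more false rejections in return.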

Biometric Considerations
In addition to the access control elements of a biometric system, there are several other considerations
that are important to the integrity of the control environment. These are:
Resistance to counterfeiting
Data storage requirements
User acceptance
Reliability
Target user and approach

Fingerprint
Fingerprints are made up of ridge endings and bifurcations exhibited by friction ridges and other detailed
characteristics called minutiae. It is the distinctiveness of these minutiae that gives each individual a
unique fingerprint. An individual places his finger on a device that reads the details of the fingerprint and
compares this to a reference file. If the two match, the individual's identity has been verified.

Palm Scan
The palm holds a wealth of information and has many aspects that are used to identify an individual. The
palm has creases, ridges, and grooves throughout that are unique to a specific person. The palm scan
also includes the fingerprints of each finger. An individual places his hand on the biometric device, which
scans and captures this information. This information is compared to a reference file, and the identity is
either verified or rejected.

Hand Geometry
The shape of a person's hand (the shape, length, and width of the hand and fingers) defines hand
geometry. This trait differs significantly between people and is used in some biometric systems to verify
identity. A person places her hand on a device that has grooves for each finger. The system compares the
geometry of each finger, and the hand as a whole, to the information in a reference file to verify that
person's identity.

Retina Scan
A system that reads a person's retina scans the blood-vessel pattern of the retina on the backside of the
eyeball. This pattern has shown to be extremely unique between different people. A camera is used to
project a beam inside the eye and capture the pattern and compare it to a reference file recorded
previously.

Iris Scan
An iris scan is a passive biometric control: the subject does not need to touch the reader.
The iris is the colored portion of the eye that surrounds the pupil. The iris has unique patterns, rifts,
colors, rings, coronas, and furrows. The uniqueness of each of these characteristics within the iris is
captured by a camera and compared with the information gathered during the enrollment phase.
When using an iris-pattern biometric system, the optical unit must be positioned so that the sun does not
shine into the aperture; proper placement within the facility is therefore part of the implementation.

Signature Dynamics
When a person signs a signature, usually they do so in the same manner and speed each time. Signing a
signature produces electrical signals that can be captured by a biometric system. The physical motions
performed when someone is signing a document create these electrical signals. The signals provide
unique characteristics that can be used to distinguish one individual from another. Signature dynamics
provides more information than a static signature, so there are more variables to verify when confirming an
individual's identity and more assurance that this person is who he claims to be.

Keystroke Dynamics
Whereas signature dynamics is a method that captures the electrical signals when a person signs a name,
keystroke dynamics captures electrical signals when a person types a certain phrase. As a person types a
specified phrase, the biometric system captures the speed and motions of this action. Each individual has
a certain style and speed, which translate into unique signals. This type of authentication is more effective
than typing in a password, because a password is easily obtainable. It is much harder to repeat a person's
typing style than it is to acquire a password.

Voice Print
People's speech sounds and patterns have many subtle distinguishing differences. A biometric system that
is programmed to capture a voice print and compare it to the information held in a reference file can
differentiate one individual from another. During the enrollment process, an individual is asked to say
several different words.

Facial Scan
A system that scans a person's face takes many attributes and characteristics into account. People have
different bone structures, nose ridges, eye widths, forehead sizes, and chin shapes. These are all captured
during a facial scan and compared to an earlier captured scan held within a reference record. If the
information is a match, the person is positively identified.

Hand Topography
Whereas hand geometry looks at the size and width of an individual's hand and fingers, hand topology
looks at the different peaks and valleys of the hand, along with its overall shape and curvature. When an
individual wants to be authenticated, she places her hand on the system. Off to one side of the system, a
camera snaps a side-view picture of the hand from a different view and angle than that of systems that
target hand geometry, and thus captures different data. This attribute is not unique enough to authenticate
individuals by itself and is commonly used in conjunction with hand geometry.

Vascular Scan
A vascular scan uses the pattern of blood vessels under the first layer of skin (for example, in the finger
or palm).

The following answers are incorrect:

Fingerprint - Fingerprints are made up of ridge endings and bifurcations exhibited by friction ridges and
other detailed characteristics called minutiae. It is the distinctiveness of these minutiae that gives each
individual a unique fingerprint. An individual places his finger on a device that reads the details of the
fingerprint and compares this to a reference file. If the two match, the individual's identity has been verified.

Hand Geometry - The shape of a person's hand (the shape, length, and width of the hand and fingers)
defines hand geometry. This trait differs significantly between people and is used in some biometric
systems to verify identity. A person places her hand on a device that has grooves for each finger. The
system compares the geometry of each finger, and the hand as a whole, to the information in a reference
file to verify that person's identity.

Palm Scan - The palm holds a wealth of information and has many aspects that are used to identify an
individual. The palm has creases, ridges, and grooves throughout that are unique to a specific person. The
palm scan also includes the fingerprints of each finger. An individual places his hand on the biometric
device, which scans and captures this information. This information is compared to a reference file, and the
identity is either verified or rejected.

Following reference(s) were/was used to create this question:


CISA review manual 2014 Page number 330 and 331
Official ISC2 guide to CISSP CBK 3rd Edition Page number 924

QUESTION 248
During an IS audit, one of your auditors has observed that some of the critical servers in your organization
can be accessed ONLY by using a shared/common user name and password. What should be the auditor's
PRIMARY concern with this approach?

A. Password sharing
B. Accountability
C. Shared account management
D. Difficulty in auditing shared account

Correct Answer: B
Explanation

Explanation/Reference:
The keyword PRIMARY is used in the question. Accountability should be the primary concern if critical
servers can be accessed only with a shared user ID and password: with a single shared credential, it is
very difficult to attribute changes made on a critical server to the individual employee who made them.
For your exam you should know the information below:

Accountability
Ultimately one of the drivers behind strong identification, authentication, auditing and session management
is accountability. Accountability is fundamentally about being able to determine who or what is responsible
for an action and can be held responsible. A closely related information assurance topic is non-repudiation.
Repudiation is the ability to deny an action, event, impact or result. Non-repudiation is the process of
ensuring a user may not deny an action. Accountability relies heavily on non-repudiation to ensure users,
processes and actions may be held responsible for impacts.

The following contribute to ensuring accountability of actions:


Strong identification
Strong authentication
User training and awareness
Comprehensive, timely and thorough monitoring
Accurate and consistent audit logs
Independent audits
Policies enforcing accountability
Organizational behaviour supporting accountability

The following answers are incorrect:


The other options are also valid concerns, but the primary concern should be accountability.

Following reference(s) were/was used to create this question:


CISA review manual 2014 Page number 328 and 329
Official ISC2 guide to CISSP CBK 3rd Edition Page number 114

QUESTION 249
Which of the following testing methods examines the functionality of an application without peering into
its internal structure or knowing the details of its internals?

A. Black-box testing
B. Parallel Test
C. Regression Testing
D. Pilot Testing

Correct Answer: A
Explanation

Explanation/Reference:
Black-box testing is a method of software testing that examines the functionality of an application (e.g.
what the software does) without peering into its internal structures or workings (see white-box testing). This
method of test can be applied to virtually every level of software testing: unit, integration, system and
acceptance. It typically comprises most if not all higher level testing, but can also dominate unit testing as
well.

For your exam you should know the information below:


Alpha and Beta Testing - An alpha version is an early version of the application system submitted to
internal users for testing. The alpha version may not contain all the features planned for the final
version. Typically software goes through two stages of testing before it is considered finished. The first
stage, alpha testing, is often performed only by users within the organization developing the software.
The second stage, beta testing, is a form of user acceptance testing and generally involves a limited
number of external users. Beta testing is the last stage of testing and normally involves real-world
exposure, sending the beta version of the product to independent beta test sites or offering it free to
interested users.

Pilot Testing - A preliminary test that focuses on specific and predefined aspects of a system. It is not
meant to replace other testing methods, but rather to provide a limited evaluation of the system. Proofs
of concept are early pilot tests, usually run on an interim platform and with only basic functionality.

White Box Testing - Assesses the effectiveness of a software program's logic. Specifically, test data are
used in determining procedural accuracy or conditions of a program's specific logic paths. However, testing
every possible logic path in a large information system is not feasible and would be cost prohibitive, and
therefore this is done on a selective basis only.

Black Box Testing - An integrity-based form of testing associated with testing components of an information
system's "functional" operating effectiveness without regard to any specific internal program structure.
Applicable to integration and user acceptance testing.

Function/Validation Testing - Similar to system testing, but often used to test the functionality of the
system against the detailed requirements to ensure that the software that has been built is traceable to
customer requirements.

Regression Testing - The process of rerunning a portion of a test scenario or test plan to ensure that
changes or corrections have not introduced new errors. The data used in regression testing should be the
same as the original data.

Parallel Testing - The process of feeding test data into two systems, the modified system and an
alternative system, and comparing the results.

Sociability Testing - The purpose of these tests is to confirm that a new or modified system can operate in
its target environment without adversely impacting existing systems. This should cover not only the
platform that will perform primary application processing and interface with other systems but, in
client-server and web development, changes to the desktop environment. Multiple applications may run on
the user's desktop, potentially simultaneously, so it is important to test the impact of installing new
dynamic link libraries (DLLs), making operating system registry or configuration file modifications, and
possibly extra memory utilization.

The following answers are incorrect:


Parallel Testing - The process of feeding test data into two systems, the modified system and an
alternative system, and comparing the results.

Regression Testing - The process of rerunning a portion of a test scenario or test plan to ensure that
changes or corrections have not introduced new errors. The data used in regression testing should be the
same as the original data.

Pilot Testing - A preliminary test that focuses on specific and predefined aspects of a system. It is not
meant to replace other testing methods, but rather to provide a limited evaluation of the system. Proofs
of concept are early pilot tests, usually run on an interim platform and with only basic functionality.
The following reference(s) were/was used to create this question:
CISA review manual 2014 Page number 167
Official ISC2 guide to CISSP CBK 3rd Edition Page number 176

QUESTION 250
Which of the following testing methods examines the internal structure or workings of an application?

A. White-box testing
B. Parallel Test
C. Regression Testing
D. Pilot Testing

Correct Answer: A
Explanation

Explanation/Reference:
White-box testing (also known as clear box testing, glass box testing, transparent box testing, and
structural testing) is a method of testing software that tests internal structures or workings of an application,
as opposed to its functionality (i.e. black-box testing). In white-box testing an internal perspective of the
system, as well as programming skills, are used to design test cases. The tester chooses inputs to
exercise paths through the code and determine the appropriate outputs. This is analogous to testing nodes
in a circuit, e.g. in-circuit testing (ICT). White-box testing can be applied at the unit, integration and system
levels of the software testing process. Although traditional testers tended to think of white-box testing as
being done at the unit level, it is used for integration and system testing more frequently today. It can test
paths within a unit, paths between units during integration, and between subsystems during a system-level
test. Though this method of test design can uncover many errors or problems, it has the potential to miss
unimplemented parts of the specification or missing requirements: a test derived from the code cannot
exercise a path the code never contains.

For your exam you should know the information below:


Alpha and Beta Testing - An alpha version is an early version of the application system submitted to
internal users for testing. The alpha version may not contain all the features planned for the final
version. Typically software goes through two stages of testing before it is considered finished. The first
stage, alpha testing, is often performed only by users within the organization developing the software.
The second stage, beta testing, is a form of user acceptance testing and generally involves a limited
number of external users. Beta testing is the last stage of testing and normally involves real-world
exposure, sending the beta version of the product to independent beta test sites or offering it free to
interested users.

Pilot Testing - A preliminary test that focuses on specific and predefined aspects of a system. It is not
meant to replace other testing methods, but rather to provide a limited evaluation of the system. Proofs
of concept are early pilot tests, usually run on an interim platform and with only basic functionality.

White Box Testing - Assesses the effectiveness of a software program's logic. Specifically, test data are
used in determining procedural accuracy or conditions of a program's specific logic paths. However, testing
every possible logic path in a large information system is not feasible and would be cost prohibitive, and
therefore this is done on a selective basis only.

Black Box Testing - An integrity-based form of testing associated with testing components of an information
system's "functional" operating effectiveness without regard to any specific internal program structure.
Applicable to integration and user acceptance testing.

Function/Validation Testing - Similar to system testing, but often used to test the functionality of the
system against the detailed requirements to ensure that the software that has been built is traceable to
customer requirements.

Regression Testing - The process of rerunning a portion of a test scenario or test plan to ensure that
changes or corrections have not introduced new errors. The data used in regression testing should be the
same as the original data.

Parallel Testing - The process of feeding test data into two systems, the modified system and an
alternative system, and comparing the results.

Sociability Testing - The purpose of these tests is to confirm that a new or modified system can operate in
its target environment without adversely impacting existing systems. This should cover not only the
platform that will perform primary application processing and interface with other systems but, in
client-server and web development, changes to the desktop environment. Multiple applications may run on
the user's desktop, potentially simultaneously, so it is important to test the impact of installing new
dynamic link libraries (DLLs), making operating system registry or configuration file modifications, and
possibly extra memory utilization.

The following answers are incorrect:

Parallel Testing - The process of feeding test data into two systems, the modified system and an
alternative system, and comparing the results.

Regression Testing - The process of rerunning a portion of a test scenario or test plan to ensure that
changes or corrections have not introduced new errors. The data used in regression testing should be the
same as the original data.

Pilot Testing - A preliminary test that focuses on specific, predefined aspects of a system. It is not meant
to replace other testing methods, but rather to provide a limited evaluation of the system. Proofs of concept
are early pilot tests, usually run on an interim platform with only basic functionality.

The following reference(s) were/was used to create this question:

CISA Review Manual 2014, page 167
Official (ISC)2 Guide to the CISSP CBK, 3rd Edition, page 176

Question Set 1

QUESTION 1
Which of the following type of traffic can easily be filtered with a stateful packet filter by enforcing the
context or state of the request?

A. ICMP
B. TCP
C. UDP
D. IP

Correct Answer: B
Explanation

Explanation/Reference:
The question is explicit in asking *easily*. With TCP connection establishment there is a distinct state or
sequence that can be expected: the three-way handshake of SYN, SYN/ACK and ACK. Consult the
references for further details.

ICMP, IP and UDP have no concept of a session; each packet or datagram is handled individually, with no
reference to the contents of the previous one. With no sessions, these protocols usually cannot be filtered
on the state of the session.

Some newer firewalls, however, simulate the concept of state for these protocols, and filter out unexpected
packets based upon normal usage. Although these are commonly treated like normal stateful filters, they
are more complex to program, and hence more prone to errors.

A stateful packet filter (stateful inspection) inspects each packet and only allows known connection states
through. So, if a SYN/ACK packet is received and there was no prior SYN packet sent, the filter drops that
packet and does not let it in. The correct sequence of steps is known, and if the sequence or state is
incorrect the packet is dropped.

The incorrect answers are:


ICMP. ICMP is basically stateless, so you could not *easily* filter it based on state or sequence.

UDP. UDP has no real state, so you could only partially filter it based on state or sequence. The question
was explicit in asking *easily*. While it is possible, UDP is not the best answer.

IP. IP refers to the Internet Protocol and as such is stateless, so you would not be able to filter it *easily*.

The following reference(s) were used for this question:

http://www.nwo.net/ipf/ipf-howto.pdf
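The handshake tracking described above, as an added example that is not part of the original question bank: a small Python model of a stateful filter that builds a connection table from outbound SYNs and admits inbound TCP packets only when they match the state that entry expects. The Packet class, the inside/outside orientation and the verdict strings are assumptions made for the illustration; the UDP and ICMP branch shows why those protocols cannot be filtered the same way and need separate stateless or pseudo-stateful rules.

```python
# Added example, not from the original question bank: a minimal stateful
# packet filter for TCP.  Outbound SYNs from the protected side create a
# connection entry; inbound packets are admitted only when they match the
# state that entry expects.  Packet/verdict names are assumptions.
from dataclasses import dataclass
from typing import Dict, Tuple

SYN = 0x02   # TCP flag bits as laid out in the TCP header
ACK = 0x10
RST = 0x04


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp" (IP protocol 6, 17, 1)
    src: str
    sport: int
    dst: str
    dport: int
    flags: int = 0        # TCP flags; meaningless for udp/icmp
    inbound: bool = True  # True when the packet arrives from the outside


# Connection key: (inside_ip, inside_port, outside_ip, outside_port)
Key = Tuple[str, int, str, int]


class StatefulFilter:
    def __init__(self) -> None:
        self.table: Dict[Key, str] = {}   # "SYN_SENT" or "ESTABLISHED"

    def _key(self, p: Packet) -> Key:
        # Normalise both directions of a flow onto the same key.
        if p.inbound:
            return (p.dst, p.dport, p.src, p.sport)
        return (p.src, p.sport, p.dst, p.dport)

    def filter(self, p: Packet) -> str:
        if p.proto != "tcp":
            # No handshake to track: UDP and ICMP need stateless rules or
            # the "simulated state" some firewalls add for reply matching.
            return "DROP (no connection state for %s)" % p.proto
        key = self._key(p)
        state = self.table.get(key)
        syn_only = bool(p.flags & SYN) and not (p.flags & ACK)
        syn_ack = bool(p.flags & SYN) and bool(p.flags & ACK)

        if not p.inbound and syn_only:
            # Inside host opens a connection: remember that a SYN/ACK is due.
            self.table[key] = "SYN_SENT"
            return "ALLOW"
        if p.inbound and syn_ack:
            # A SYN/ACK is legitimate only as the reply to a SYN we saw.
            if state == "SYN_SENT":
                self.table[key] = "ESTABLISHED"
                return "ALLOW"
            return "DROP (unsolicited SYN/ACK)"
        if p.flags & RST and state is not None:
            # Either side tearing the connection down: forget it.
            del self.table[key]
            return "ALLOW"
        if state == "ESTABLISHED":
            return "ALLOW"
        # Covers inbound SYNs (new connections from outside) and any packet
        # for which no handshake has been observed.
        return "DROP (no matching connection)"
```

The table is keyed on the four-tuple only, so a real filter would also check sequence numbers and age out entries; the point here is that the decision for each inbound packet depends on what was seen before, which is exactly what a stateless protocol gives the filter nothing to work with.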

QUESTION 2
When referring to the data structures of a packet, the term Protocol Data Unit (PDU) is used, what is the
proper term to refer to a single unit of TCP data at the transport layer?

A. TCP segment.
B. TCP datagram.
C. TCP frame.
D. TCP packet.

Correct Answer: A
Explanation

Explanation/Reference:
A TCP segment is the unit of TCP data transmitted at the Transport Layer; TCP is a segment-based
transport protocol. The message is handed to the transport layer, where TCP adds its header to the data;
the resulting bundle is a segment. If the message is being transmitted over TCP, it is referred to as a
"segment."

[Figure omitted: Protocol Data Unit names by layer]

The following answers are incorrect:


TCP datagram. Is incorrect because a TCP datagram is only a distractor; IP datagram would be the proper
terminology. TCP is a segment-based transport protocol.

TCP frame. Is incorrect because a TCP frame is only a distractor; Ethernet frame would be the proper
terminology. TCP is a segment-based transport protocol.

TCP packet. Is incorrect because a TCP packet is only a distractor; the layer-3 unit is an IP packet, while
TCP's unit is a segment.

Reference(s) used for this question:

Wikipedia http://en.wikipedia.org/wiki/Transport_layer
Wikipedia http://en.wikipedia.org/wiki/Transmission_Control_Protocol#TCP_segment_structure
TCP/IP Illustrated, Volume 1: The Protocols, Addison-Wesley, 1994, ISBN 0-201-63346-9.
http://www.infocellar.com/networks/osi-model.htm

QUESTION 3
How do you distinguish between a bridge and a router?

A. A bridge simply connects multiple networks, a router examines each packet to determine which
network to forward it to.
B. "Bridge" and "router" are synonyms for equipment used to join two networks.
C. The bridge is a specific type of router used to connect a LAN to the global Internet.
D. The bridge connects multiple networks at the data link layer, while router connects multiple networks at
the network layer.

Correct Answer: D
Explanation

Explanation/Reference:
A bridge forwards frames between network segments based on MAC addresses at the Data Link layer
(Layer 2); a router forwards packets between networks based on logical (IP) addresses at the Network
layer (Layer 3).

The following answers are incorrect:

A bridge simply connects multiple networks, a router examines each packet to determine which network to
forward it to. Is incorrect because both devices examine traffic and forward it, so this is not distinctive
enough.

"Bridge" and "router" are synonyms for equipment used to join two networks. Is incorrect because the two
are distinct devices that operate at different layers of the OSI model.

The bridge is a specific type of router used to connect a LAN to the global Internet. Is incorrect because a
bridge does not connect a LAN to the global Internet; it connects network segments together to form a
LAN.

QUESTION 4
ICMP and IGMP belong to which layer of the OSI model?

A. Datagram Layer.
B. Network Layer.
C. Transport Layer.
D. Data Link Layer.

Correct Answer: B
Explanation

Explanation/Reference:
The network layer contains the Internet Protocol (IP), the Internet Control Message Protocol (ICMP), and
the Internet Group Management Protocol (IGMP)

The following answers are incorrect:


Datagram Layer. Is incorrect; it is a distractor, as there is no Datagram Layer.

Transport Layer. Is incorrect because it is used to move data between applications and uses the TCP and
UDP protocols.

Data Link Layer. Is incorrect because this layer deals with hardware (MAC) addressing.

QUESTION 5
What is a limitation of TCP Wrappers?

A. It cannot control access to running UDP services.
B. It stops packets before they reach the application layer, thus confusing some proxy servers.
C. The hosts.* access control system requires a complicated directory tree.
D. They are too expensive.

Correct Answer: A
Explanation

Explanation/Reference:
TCP Wrappers (tcpd) makes its access decision when a request arrives at the service. For a UDP service
started on demand by inetd it can only check the first datagram, the one that causes the server to be
started. Once the UDP server is running it receives further datagrams directly, and since UDP has no
connection there is nothing for the wrapper to intercept afterwards.

The following answers are incorrect:


It stops packets before they reach the application layer, thus confusing some proxy servers. Is incorrect
because TCP Wrappers acts as an access control list for the service: connections that are denied never
reach the service, which does not confuse proxy servers, so this is not a limitation.

The hosts.* access control system requires a complicated directory tree. Is incorrect because the access
rules live in two simple files, /etc/hosts.allow and /etc/hosts.deny; no directory tree is involved.

They are too expensive. Is incorrect because TCP Wrappers is open source software distributed under a
BSD-style license.

QUESTION 6
The IP header contains a protocol field. If this field contains the value of 1, what type of data is contained
within the IP datagram?

A. TCP.
B. ICMP.
C. UDP.
D. IGMP.

Correct Answer: B
Explanation

Explanation/Reference:
If the protocol field has a value of 1 then it would indicate it was ICMP.

The following answers are incorrect:


TCP. Is incorrect because the protocol field value for TCP is 6.
UDP. Is incorrect because the protocol field value for UDP is 17.
IGMP. Is incorrect because the protocol field value for IGMP is 2.

QUESTION 7
The IP header contains a protocol field. If this field contains the value of 2, what type of data is contained
within the IP datagram?

A. TCP.
B. ICMP.
C. UDP.
D. IGMP.

Correct Answer: D
Explanation

Explanation/Reference:
If the protocol field has a value of 2 then it would indicate it was IGMP.
The following answers are incorrect:

TCP. Is incorrect because the protocol field value for TCP is 6.
UDP. Is incorrect because the protocol field value for UDP is 17.
ICMP. Is incorrect because the protocol field value for ICMP is 1.
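The Protocol field that the two preceding questions ask about, as an added example that is not part of the original question bank: Python code that builds a minimal IPv4 header, verifies its checksum and reads byte 9 back as one of the IANA protocol numbers (1 ICMP, 2 IGMP, 6 TCP, 17 UDP). The function names and the constructed header values (identification, TTL) are assumptions made for the illustration.

```python
# Added example, not from the original question bank: build and parse a
# minimal IPv4 header so that the Protocol field (byte 9) can be read and
# mapped to the IANA-assigned numbers the questions refer to.
import socket
import struct
from typing import Dict

# IANA protocol numbers for the values the questions ask about.
PROTO_NAMES: Dict[int, str] = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}

# version/IHL, TOS, total length, ID, flags/fragment offset,
# TTL, protocol, header checksum, source, destination (20 bytes)
IPV4_HDR = "!BBHHHBBH4s4s"


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum: complemented ones'-complement sum of data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(proto: int, src: str, dst: str, payload_len: int = 0) -> bytes:
    """Construct a 20-byte IPv4 header (no options) with a valid checksum.
    Constructed test data: the identification (0x1234) and TTL (64) are arbitrary."""
    hdr = struct.pack(IPV4_HDR, (4 << 4) | 5, 0, 20 + payload_len, 0x1234,
                      0, 64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    csum = ones_complement_sum(hdr)          # computed with the checksum field zeroed
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def parse_ipv4_header(pkt: bytes) -> Dict[str, object]:
    """Decode the fixed part of an IPv4 header; reject truncated or corrupt input."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack(IPV4_HDR, pkt[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError("not an IPv4 packet (version %d)" % version)
    hdr_len = ihl * 4
    if hdr_len < 20 or len(pkt) < hdr_len:
        raise ValueError("bad IHL %d" % ihl)
    # A valid header sums to 0xFFFF, so the complemented sum over it must be zero.
    if ones_complement_sum(pkt[:hdr_len]) != 0:
        raise ValueError("bad header checksum")
    return {
        "protocol": proto,
        "protocol_name": PROTO_NAMES.get(proto, "unknown(%d)" % proto),
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "ttl": ttl,
        "header_len": hdr_len,
        "total_len": total_len,
    }


def payload_type(pkt: bytes) -> str:
    """What kind of data does this datagram carry? (the questions' query)"""
    return parse_ipv4_header(pkt)["protocol_name"]
```

Checking the checksum before trusting the Protocol field matters for detection code: a filter that dispatches on byte 9 without validating the header can be steered by a crafted packet that the receiving stack will discard anyway.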

QUESTION 8
What is the proper term to refer to a single unit of IP data?

A. IP segment.
B. IP datagram.
C. IP frame.
D. IP fragment.

Correct Answer: B
Explanation

Explanation/Reference:
IP is a datagram-based technology.

DIFFERENCE BETWEEN PACKETS AND DATAGRAMS

As specified at: http://en.wikipedia.org/wiki/Packet_(information_technology)

In general, the term packet applies to any message formatted as a packet, while the term datagram is
generally reserved for packets of an "unreliable" service.

A "reliable" service is one that notifies the user if delivery fails, while an "unreliable" one does not notify the
user if delivery fails. For example, IP provides an unreliable service.

Together, TCP and IP provide a reliable service, whereas UDP and IP provide an unreliable one. All these
protocols use packets, but UDP packets are generally called datagrams.

If a network does not guarantee packet delivery, then it becomes the host's responsibility to provide
reliability by detecting and retransmitting lost packets. Subsequent experience on the ARPANET indicated
that the network itself could not reliably detect all packet delivery failures, and this pushed responsibility for
error detection onto the sending host in any case. This led to the development of the end-to-end principle,
which is one of the Internet's fundamental design assumptions.

The following answers are incorrect:

IP segment. Is incorrect because IP segment is a distractor; the correct terminology is TCP segment. IP is
a datagram-based technology.

IP frame. Is incorrect because IP frame is a distractor; the correct terminology is Ethernet frame. IP is a
datagram-based technology.

IP fragment. Is incorrect because an IP fragment is only a piece of a datagram that has been split to fit a
link's maximum transmission unit, not the basic unit of IP data.

References:

Wikipedia http://en.wikipedia.org/wiki/Internet_Protocol

QUESTION 9
A packet containing a long string of NOP's followed by a command is usually indicative of what?

A. A syn scan.
B. A half-port scan.
C. A buffer overflow attack.
D. A packet destined for the network's broadcast address.

Correct Answer: C
Explanation
Explanation/Reference:
A long run of the same byte value embedded in a packet payload, typically the x86 NOP opcode 0x90, is
the signature of a NOP sled: the attacker pads the front of the injected code with no-operation instructions
so that a corrupted return address landing anywhere in the sled slides execution into the shellcode that
follows. A NOP is an instruction which does nothing (No Operation); its x86 hexadecimal encoding is 0x90.

The following answers are incorrect:


A syn scan. This is incorrect because a SYN scan sends a SYN packet to a specific port and analyzes the
response; it carries no NOP padding.

A half-port scan. This is incorrect because in a half-open scan the scanner sends a SYN packet; if the
target port is open, it responds with a SYN/ACK, and the scanner then replies with a RST, closing the
connection before the handshake is completed. It is also known as a half-open port scan.

A packet destined for the network's broadcast address. This is incorrect because such a packet would not
normally contain a long string of NOP characters.
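The detection logic behind the answer above, as an added example that is not part of the original question bank: payload inspection that reports the longest run of NOP bytes, where it starts and what follows it, with an optional wider check for the single-byte x86 instructions attackers substitute for 0x90 to dodge a strict match. The threshold, the substitute-byte list and both sample payloads are constructed for the illustration and are not captured traffic.

```python
# Added example, not from the original question bank: payload inspection
# that flags the long NOP run a buffer-overflow exploit typically carries.
# Thresholds and the sample payloads below are constructed for illustration.
from typing import Dict, Iterable

X86_NOP = 0x90
# Single-byte 32-bit x86 instructions (inc/dec of a register) that are used
# as NOP substitutes so a sled is not made solely of 0x90 bytes.  Assumption:
# this short list is illustrative, not exhaustive.
NOP_EQUIVALENTS = {0x90, 0x40, 0x41, 0x42, 0x43, 0x47, 0x48, 0x4A}


def longest_run(payload: bytes, accepted: Iterable[int]) -> Dict[str, int]:
    """Length and start offset of the longest run of bytes drawn from `accepted`."""
    accepted = set(accepted)
    best_len = best_start = cur_len = 0
    for i, b in enumerate(payload):
        if b in accepted:
            cur_len += 1
            if cur_len > best_len:
                best_len, best_start = cur_len, i - cur_len + 1
        else:
            cur_len = 0
    return {"length": best_len, "offset": best_start}


def inspect_payload(payload: bytes, threshold: int = 32,
                    allow_equivalents: bool = False) -> Dict[str, object]:
    """Flag a payload whose longest NOP-like run meets the threshold and report
    what follows the sled (the first bytes of the suspected shellcode)."""
    accepted = NOP_EQUIVALENTS if allow_equivalents else {X86_NOP}
    run = longest_run(payload, accepted)
    end = run["offset"] + run["length"]
    return {
        "suspicious": run["length"] >= threshold,
        "longest_run": run["length"],
        "sled_offset": run["offset"],
        "after_sled": payload[end:end + 8],
    }


# Constructed samples (not captured traffic): a request whose body carries a
# sled of 120 NOPs followed by 0xCC (int3) bytes standing in for shellcode,
# and a benign binary blob that happens to contain isolated 0x90 bytes.
SUSPICIOUS_PAYLOAD = b"GET /index.html " + b"\x90" * 120 + b"\xcc" * 8
BENIGN_PAYLOAD = bytes(range(256)) * 2
```

The benign blob shows why the check is on run length rather than on the presence of 0x90: the byte occurs naturally in binary data, and a signature that fires on a single occurrence would drown the analyst in false positives.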

QUESTION 10
In the days before CIDR (Classless Inter-Domain Routing), networks were commonly organized by
classes. Which of the following would have been true of a Class C network?

A. The first bit of the IP address would be set to zero.
B. The first bit of the IP address would be set to one and the second bit set to zero.
C. The first two bits of the IP address would be set to one, and the third bit set to zero.
D. The first three bits of the IP address would be set to one.

Correct Answer: C
Explanation

Explanation/Reference:
Each Class C network address has a 24-bit network prefix, with the three highest-order bits set to 1-1-0.

The following answers are incorrect:


The first bit of the IP address would be set to zero. Is incorrect because this would be a Class A network
address.

The first bit of the IP address would be set to one and the second bit set to zero. Is incorrect because this
would be a Class B network address.

The first three bits of the IP address would be set to one. Is incorrect because this is a distractor. Classes
D and E both have the first three bits set to 1; for Class D the fourth bit is 0 and for Class E the fourth bit
is 1.

Classful address ranges (before Classless Inter-Domain Routing, CIDR)

The high-order bits that identify each class are the leading bits of the first octet shown below.

For Class A, the addresses are 0.0.0.0 - 127.255.255.255. The lowest Class A address is represented in
binary as 00000000.00000000.00000000.00000000

For Class B networks, the addresses are 128.0.0.0 - 191.255.255.255. The lowest Class B address is
represented in binary as 10000000.00000000.00000000.00000000

For Class C, the addresses are 192.0.0.0 - 223.255.255.255. The lowest Class C address is represented in
binary as 11000000.00000000.00000000.00000000

For Class D, the addresses are 224.0.0.0 - 239.255.255.255 (Multicast). The lowest Class D address is
represented in binary as 11100000.00000000.00000000.00000000

For Class E, the addresses are 240.0.0.0 - 255.255.255.255 (Reserved for future usage). The lowest Class
E address is represented in binary as 11110000.00000000.00000000.00000000

[Figure omitted: Classful IP address format]

References:

3Com http://www.3com.com/other/pdfs/infra/corpinfo/en_US/501302.pdf
AIOv3 Telecommunications and Networking Security (page 438)
QUESTION 11
Which of the following is an IP address that is private (i.e. reserved for internal networks, and not a valid
address to use on the Internet)?

A. 192.168.42.5
B. 192.166.42.5
C. 192.175.42.5
D. 192.1.42.5

Correct Answer: A
Explanation

Explanation/Reference:
192.168.42.5 falls within 192.168.0.0 - 192.168.255.255 (192.168.0.0/16), the block that RFC 1918
reserved for private use out of the former Class C space. The private IP address ranges defined within
RFC 1918 are:

10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
192.168.0.0 - 192.168.255.255 (192.168.0.0/16)

The following answers are incorrect:


192.166.42.5 Is incorrect because it is a Class C address but not within the RFC 1918 reserved range.

192.175.42.5 Is incorrect because it is a Class C address but not within the RFC 1918 reserved range.

192.1.42.5 Is incorrect because it is a Class C address but not within the RFC 1918 reserved range.

QUESTION 12
In the days before CIDR (Classless Inter-Domain Routing), networks were commonly organized by
classes. Which of the following would have been true of a Class A network?

A. The first bit of the IP address would be set to zero.
B. The first bit of the IP address would be set to one and the second bit set to zero.
C. The first two bits of the IP address would be set to one, and the third bit set to zero.
D. The first three bits of the IP address would be set to one.

Correct Answer: A
Explanation

Explanation/Reference:
Each Class A network address has an 8-bit network prefix, with the first bit of the IP address set to zero,
which gives the range 0.0.0.0 - 127.255.255.255.

The following answers are incorrect:

The first bit of the IP address would be set to one and the second bit set to zero. Is incorrect because this
would be a Class B network address.

The first two bits of the IP address would be set to one, and the third bit set to zero. Is incorrect because
this would be a Class C network address.

The first three bits of the IP address would be set to one. Is incorrect because this is a distractor. Classes
D and E both have the first three bits set to 1; for Class D the fourth bit is 0 and for Class E the fourth bit
is 1.

[Figure omitted: Classful IP addressing format, from the 3Com tutorial on IP addressing referenced below]

Classless Inter-Domain Routing (CIDR)

Classless Inter-Domain Routing (CIDR) is a method for allocating IP addresses and routing Internet
Protocol packets. The Internet Engineering Task Force introduced CIDR in 1993 to replace the previous
addressing architecture of classful network design in the Internet. Their goal was to slow the growth of
routing tables on routers across the Internet, and to help slow the rapid exhaustion of IPv4 addresses.

For Class A, the addresses are 0.0.0.0 - 127.255.255.255.
For Class B networks, the addresses are 128.0.0.0 - 191.255.255.255.
For Class C, the addresses are 192.0.0.0 - 223.255.255.255.
For Class D, the addresses are 224.0.0.0 - 239.255.255.255.
For Class E, the addresses are 240.0.0.0 - 255.255.255.255.

References:

3Com http://www.3com.com/other/pdfs/infra/corpinfo/en_US/501302.pdf
AIOv3 Telecommunications and Networking Security (page 438)
https://secure.wikimedia.org/wikipedia/en/wiki/Classless_Inter-Domain_Routing

QUESTION 13
Which of the following is an IP address that is private (i.e. reserved for internal networks, and not a valid
address to use on the Internet)?

A. 10.0.42.5
B. 11.0.42.5
C. 12.0.42.5
D. 13.0.42.5

Correct Answer: A
Explanation

Explanation/Reference:
10.0.42.5 falls within 10.0.0.0 - 10.255.255.255 (10.0.0.0/8), the block that RFC 1918 reserved for private
use out of the former Class A space.

The following answers are incorrect:


11.0.42.5 Is incorrect because it is a Class A address but not within the RFC 1918 reserved range.

12.0.42.5 Is incorrect because it is a Class A address but not within the RFC 1918 reserved range.

13.0.42.5 Is incorrect because it is a Class A address but not within the RFC 1918 reserved range.

The private IP address ranges are defined within RFC 1918:

10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
192.168.0.0 - 192.168.255.255 (192.168.0.0/16)

References:

3Com http://www.3com.com/other/pdfs/infra/corpinfo/en_US/501302.pdf
AIOv3 Telecommunications and Networking Security (page 438)
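The classful high-order-bit test and the RFC 1918 check used across the four preceding questions, as one added example that is not part of the original question bank: Python code that classifies an IPv4 address from the leading bits of its first octet and tests it against all three RFC 1918 private blocks. The function names are assumptions; the class boundaries and private ranges are those given in the explanations above.

```python
# Added example, not from the original question bank: classify an IPv4
# address by its high-order bits (the pre-CIDR classful scheme) and test it
# against the RFC 1918 private ranges.  Function names are assumptions.
import ipaddress
from typing import Dict, Optional

# RFC 1918 private address space, one block from each former class.
RFC1918_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classful_class(addr: str) -> str:
    """Return 'A'..'E' from the leading bits of the first octet."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet & 0x80 == 0x00:      # 0xxxxxxx  ->   0 - 127
        return "A"
    if first_octet & 0xC0 == 0x80:      # 10xxxxxx  -> 128 - 191
        return "B"
    if first_octet & 0xE0 == 0xC0:      # 110xxxxx  -> 192 - 223
        return "C"
    if first_octet & 0xF0 == 0xE0:      # 1110xxxx  -> 224 - 239 (multicast)
        return "D"
    return "E"                          # 1111xxxx  -> 240 - 255 (reserved)


def high_order_bits(cls: str) -> str:
    """The fixed leading bit pattern that defines each class."""
    return {"A": "0", "B": "10", "C": "110", "D": "1110", "E": "1111"}[cls]


def classful_prefix_len(cls: str) -> Optional[int]:
    """Network prefix length implied by the class; D and E have none."""
    return {"A": 8, "B": 16, "C": 24}.get(cls)


def is_rfc1918(addr: str) -> bool:
    """True when the address lies in any of the three RFC 1918 private blocks."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in RFC1918_NETS)


def describe(addr: str) -> Dict[str, object]:
    """Everything the questions ask about one address, in one place."""
    cls = classful_class(addr)
    plen = classful_prefix_len(cls)
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    classful_net = None
    if plen is not None:
        # strict=False zeroes the host bits so "192.168.42.5/24" -> 192.168.42.0/24
        classful_net = str(ipaddress.ip_network("%s/%d" % (addr, plen), strict=False))
    return {
        "address": addr,
        "first_octet_binary": format(first_octet, "08b"),
        "class": cls,
        "high_order_bits": high_order_bits(cls),
        "classful_network": classful_net,
        "private_rfc1918": is_rfc1918(addr),
    }
```

Note that 172.16.0.0/12 does not line up with a classful boundary (it spans sixteen former Class B networks, 172.16 through 172.31), which is why a membership test against the network object is safer than comparing octets by hand.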

QUESTION 14
Which one of the following authentication mechanisms creates a problem for mobile users?

A. Mechanisms based on IP addresses
B. Mechanism with reusable passwords
C. one-time password mechanism.
D. challenge response mechanism.

Correct Answer: A
Explanation

Explanation/Reference:
Anything based on a fixed IP address would be a problem for mobile users because their location and its
associated IP address can change from one session to the next. Many providers assign a new IP address
every time the device is restarted or reconnects. For example, an insurance adjuster using a laptop to file
claims online goes to a different client each time, and the address changes every time he connects to the
ISP.

NOTE FROM CLEMENT:

The term MOBILE in this case is synonymous with Road Warriors, where a user is constantly traveling and
changing location. With smartphones today that may not be an issue, but it would be an issue for laptops or
WiFi tablets. Within a carrier network the IP will tend to be the same and would change rarely. So this
question is more applicable to devices that are not cellular devices, but in some cases this issue could
affect cellular devices as well.

The following answers are incorrect:


mechanism with reusable passwords. This is incorrect because a reusable password mechanism would
not present a problem for mobile users; passwords are the least secure option and change only at specific
intervals, but they do not depend on the user's location.

one-time password mechanism. This is incorrect because a one-time password mechanism would not
present a problem for mobile users; many are based on a clock or a counter and not on the IP address of
the user.

challenge response mechanism. This is incorrect because a challenge response mechanism would not
present a problem for mobile users; the challenge is answered by the user or token regardless of where the
client connects from.

QUESTION 15
Which of the following media is MOST resistant to tapping?

A. microwave.
B. twisted pair.
C. coaxial cable.
D. fiber optic.

Correct Answer: D
Explanation

Explanation/Reference:
Fiber optic is the most resistant to tapping because it carries the signal as light inside a glass core and
emits no electromagnetic signal that can be picked up inductively. While there are some techniques that
allow the line to be monitored passively, tapping a fiber usually requires bending or splicing it, which
introduces a measurable loss of signal, so this technology would be the MOST resistant to tapping.

The following answers are incorrect:

microwave. Is incorrect because microwave transmissions can be intercepted, without detection, by anyone
in the path of the broadcast.

twisted pair. Is incorrect because it is easy to tap into a twisted pair line.

coaxial cable. Is incorrect because it is easy to tap into a coaxial cable line.

QUESTION 16
Which of the following is a tool often used to reduce the risk to a local area network (LAN) that has external
connections by filtering Ingress and Egress traffic?

A. a firewall.
B. dial-up.
C. passwords.
D. fiber optics.

Correct Answer: A
Explanation

Explanation/Reference:
The use of a firewall is a requirement to protect a local area network (LAN) that has external connections;
without one there is no enforcement point filtering ingress and egress traffic, and therefore no real
protection from outside attackers.

The following answers are incorrect:

dial-up. This is incorrect because this offers little protection once the connection has been established.

passwords. This is incorrect because there are tools to crack passwords, and once a user has been
authenticated and connects to the external connections, passwords do not offer protection against
incoming TCP packets.

fiber optics. This is incorrect because this offers no protection from the external connection.

QUESTION 17
Which one of the following is usually not a benefit resulting from the use of firewalls?
A. reduces the risks of external threats from malicious hackers.
B. prevents the spread of viruses.
C. reduces the threat level on internal system.
D. allows centralized management and control of services.

Correct Answer: B
Explanation

Explanation/Reference:
This is not a benefit of a firewall. Most firewalls are limited when it comes to preventing the spread of
viruses.

This question is testing your knowledge of malware and firewalls. The keywords within the question are
"usually" and "virus". Once again, to come up with the correct answer you must stay within the context of
the question and ask yourself which of the four choices is NOT usually done by a firewall.

Some of the latest appliances, such as Unified Threat Management (UTM) devices, do have the ability to
do virus scanning, but most first- and second-generation firewalls would not have such ability. Remember,
the question is not asking about all possible scenarios that could exist, but only about which of the four
choices presented is the BEST.

For the exam you must know your general classes of Malware. There are generally four major classes of
malicious code that fall under the general definition of malware:

1. Virus: Parasitic code that requires human action or insertion, or which attaches itself to another program
to facilitate replication and distribution. Virus-infected containers can range from e-mail, documents, and
data file macros to boot sectors, partitions, and memory fobs. Viruses were the first iteration of malware
and were typically transferred by floppy disks (also known as "sneakernet") and injected into memory when
the disk was accessed or infected files were transferred from system to system.

2. Worm: Self-propagating code that exploits system or application vulnerabilities to replicate. Once on a
system, it may execute embedded routines to alter, destroy, or monitor the system on which it is running,
then move on to the next system. A worm is effectively a virus that does not require human interaction or
other programs to infect systems.
3. Trojan Horse: Named after the Trojan horse of Greek mythology (and serving a very similar function), a
Trojan horse is a general term referring to programs that appear desirable, but actually contain something
harmful. A Trojan horse purports to do one thing that the user wants while secretly performing other
potentially malicious actions. For example, a user may download a game file, install it, and begin playing
the game. Unbeknownst to the user, the application may also install a virus, launch a worm, or install a
utility allowing an attacker to gain unauthorized access to the system remotely, all without the user's
knowledge.

4. Spyware: Prior to its use in malicious activity, spyware was typically a hidden application injected
through poor browser security by companies seeking to gain more information about a user's Internet
activity. Today, those methods are used to deploy other malware, collect private data, send advertising or
commercial messages to a system, or monitor system input, such as keystrokes or mouse clicks.

The following answers are incorrect:


reduces the risks of external threats from malicious hackers. This is incorrect because a firewall can
reduce the risks of external threats from malicious hackers.

reduces the threat level on internal systems. This is incorrect because a firewall can reduce the threat level
on internal systems.

allows centralized management and control of services. This is incorrect because a firewall can allow
centralized management and control of services.

Reference(s) used for this question:


Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2
Press) (Kindle Locations 3989-4009). Auerbach Publications. Kindle Edition.

QUESTION 18
Which of the following DoD Model layer provides non-repudiation services?

A. network layer.
B. application layer.
C. transport layer.
D. data link layer.

Correct Answer: B
Explanation

Explanation/Reference:
The Application Layer determines the identity of the communication partners, and this is where the
non-repudiation service would be provided as well. The DoD (TCP/IP) model has four layers: Application,
Host-to-Host (Transport), Internet, and Link (Network Access).

[Figure omitted: DoD model layers]

The following answers are incorrect:

network layer. Is incorrect because the Network Layer mostly has routing protocols, ICMP, IP, and IPsec.
It is not a layer in the DoD model; the corresponding DoD layer is called the Internet Layer.

transport layer. Is incorrect because the Transport layer provides transparent transfer of data between end
systems. This is called Host-to-Host in the DoD model, although some books call it Transport on the DoD
model as well.

data link layer. Is incorrect because the Data Link Layer defines the protocols that computers must follow
to access the network for transmitting and receiving messages. It is part of the OSI model. It does not exist
on the DoD model, where the equivalent is called the Link (Network Access) Layer.

QUESTION 19
What is the 802.11 standard related to?

A. Public Key Infrastructure (PKI)
B. Wireless network communications
C. Packet-switching technology
D. The OSI/ISO model

Correct Answer: B
Explanation

Explanation/Reference:
The 802.11 standard outlines how wireless clients and APs communicate, lays out the specifications of
their interfaces, dictates how signal transmission should take place, and describes how authentication,
association, and security should be implemented.

The following answers are incorrect:


Public Key Infrastructure (PKI). Public Key Infrastructure is a supporting infrastructure to manage public
keys. It is not part of the IEEE 802 Working Group standards.

Packet-switching technology. Packet switching is not the subject of the IEEE 802.11 standard. It is a
technology in which messages are broken up into packets, which may then travel along different routes to
the destination.

The OSI/ISO model. The Open Systems Interconnection model is a seven-layer model defined as an
international standard describing network communications.

The following reference(s) were/was used to create this question:


Source: Shon Harris, "All-in-One CISSP Exam Guide", Fourth Edition; Chapter 7 - Telecommunications
and Network Security: pg. 624.

802.11 refers to a family of specifications developed by the IEEE for wireless LAN technology. 802.11
specifies an over-the-air interface between a wireless client and a base station or between two wireless
clients. The IEEE accepted the specification in 1997. There are several specifications in the 802.11 family:

802.11 - applies to wireless LANs and provides 1 or 2 Mbps transmission in the 2.4 GHz band using either
frequency hopping spread spectrum (FHSS) or direct sequence spread spectrum (DSSS).

802.11a - an extension to 802.11 that applies to wireless LANs and provides up to 54 Mbps in the 5 GHz
band. 802.11a uses an orthogonal frequency division multiplexing (OFDM) encoding scheme rather than
FHSS or DSSS.

802.11b (also referred to as 802.11 High Rate or Wi-Fi) - an extension to 802.11 that applies to wireless
LANs and provides 11 Mbps transmission (with a fallback to 5.5, 2 and 1 Mbps) in the 2.4 GHz band.
802.11b uses only DSSS. 802.11b was a 1999 ratification to the original 802.11 standard, allowing
wireless functionality comparable to Ethernet.

802.11g - applies to wireless LANs and provides 20+ Mbps in the 2.4 GHz band.

Source: 802.11 Planet's web site.

QUESTION 20
Remote Procedure Call (RPC) is a protocol that one program can use to request a service from a program
located in another computer in a network. Within which OSI/ISO layer is RPC implemented?

A. Session layer
B. Transport layer
C. Data link layer
D. Network layer

Correct Answer: A
Explanation

Explanation/Reference:
The Remote Procedure Call (RPC) protocol is implemented at the Session layer, which establishes,
maintains and manages sessions as well as synchronization of the data flow.

The following answers are incorrect:

Transport layer: The Transport layer handles computer-to-computer communications, rather than
application-to-application communications like RPC.

Data Link layer: The Data Link layer protocols can be divided into the Logical Link Control (LLC) and
Media Access Control (MAC) sublayers. Protocols like SLIP, PPP, RARP and L2TP are at this layer. An
application-to-application protocol like RPC would not be addressed at this layer.

Network layer: The Network Layer is mostly concerned with routing and addressing of information, not
application-to-application communication calls such as an RPC call.

The following reference(s) were/was used to create this question:

Jason Robinett's CISSP Cram Sheet: domain2.
Shon Harris AIO v3 pg. 423

QUESTION 21
Frame relay and X.25 networks are part of which of the following?

A. Circuit-switched services
B. Cell-switched services
C. Packet-switched services
D. Dedicated digital services

Correct Answer: C
Explanation

Explanation/Reference:
Frame relay and X.25 are both examples of packet-switching technologies. In packet-switched networks
there are no dedicated connections between endpoints, and data is divided into packets and reassembled
on the receiving end.

Frame Relay is an example of a packet-switched technology. Packet-switched networks enable end
stations to dynamically share the network medium and the available bandwidth. The following two
techniques are used in packet-switching technology:

Variable-length packets
Statistical multiplexing

Variable-length packets are used for more efficient and flexible data transfers. These packets are switched
between the various segments in the network until the destination is reached.

Statistical multiplexing techniques control network access in a packet-switched network. The advantage of
this technique is that it accommodates more flexibility and more efficient use of bandwidth. Most of today's
popular LANs, such as Ethernet and Token Ring, are packet-switched networks.

Frame Relay is often described as a streamlined version of X.25, offering fewer of the robust capabilities,
such as windowing and retransmission of lost data, that are offered in X.25. This is because Frame Relay
typically operates over WAN facilities that offer more reliable connection services and a higher degree of
reliability than the facilities available during the late 1970s and early 1980s that served as the common
platforms for X.25 WANs. As mentioned earlier, Frame Relay is strictly a Layer 2 protocol suite, whereas
X.25 provides services at Layer 3 (the network layer) as well. This enables Frame Relay to offer higher
performance and greater transmission efficiency than X.25, and makes Frame Relay suitable for current
WAN applications, such as LAN interconnection.

The following answers are incorrect:

Circuit-switched services. An example of a circuit-switched service is Integrated Services Digital Network
(ISDN), over which a data link protocol such as Point-to-Point Protocol (PPP) is typically run once the call is
set up. Frame Relay and X.25 do not use circuit-switching technology.

Cell-switched services. This is a distractor.

Dedicated digital services. A packet-switched network is commonly carried over digital facilities, but it is not
dedicated. Dedicated digital services are point-to-point leased lines such as T1/E1 or T3/E3 circuits, whose
bandwidth is reserved for a single customer. Frame Relay and X.25 instead share the carrier's network
among many customers through virtual circuits (PVCs and SVCs), so they are not dedicated services.

The following reference(s) were/was used to create this question:


The CISCO Wiki on Frame Relay

QUESTION 22
Within the OSI model, at what layer are some of the SLIP, CSLIP, PPP control functions provided?

A. Data Link
B. Transport
C. Presentation
D. Application

Correct Answer: A
Explanation

Explanation/Reference:
RFC 1661, The Point-to-Point Protocol (PPP), specifies that PPP provides a standard method for
transporting multi-protocol datagrams over point-to-point links.
PPP is comprised of three main components:

1. A method for encapsulating multi-protocol datagrams.
2. A Link Control Protocol (LCP) for establishing, configuring, and testing the data-link connection.
3. A family of Network Control Protocols (NCPs) for establishing and configuring different network-layer
protocols.

SLIP (RFC 1055) and its header-compressing variant CSLIP (RFC 1144) likewise frame IP datagrams for
serial links, so all three sit at the Data Link layer (Layer 2) of the OSI model.

QUESTION 23
In the Open Systems Interconnect (OSI) Reference Model, at what level are TCP and UDP provided?

A. Transport
B. Network
C. Presentation
D. Application

Correct Answer: A
Explanation
Explanation/Reference:
TCP and UDP are Layer 4 (Transport layer) protocols. They provide end-to-end delivery between
processes, which they identify by port numbers, on top of the host-to-host service that IP provides at the
Network layer. TCP adds connection setup, sequencing and retransmission; UDP adds only ports and a
checksum.

The following answers are incorrect:

Network. The Network layer moves information between hosts that are not physically connected. It deals
with routing of information. IP is a protocol that is used in Network Layer. TCP and UDP do not reside at
the Layer 3 Network Layer in the OSI Reference Model.

Presentation. The Presentation Layer is concerned with the formatting of data into a standard presentation
such as ASCII. TCP and UDP do not reside at the Layer 6 Presentation Layer in the OSI Reference Model.

Application. The Application Layer is a service for applications and Operating Systems data transmission,
for example HTTP, FTP and SMTP. TCP and UDP do not reside at the Layer 7 Application Layer in the
OSI Reference Model.

The following reference(s) were/was used to create this question:

ISC2 OIG, 2007 p. 411

Shon Harris AIO v.3 p. 424

QUESTION 24
Which of the following is TRUE regarding Transmission Control Protocol (TCP) and User Datagram
Protocol (UDP)?

A. TCP is connection-oriented, UDP is not.
B. UDP provides for Error Correction, TCP does not.
C. UDP is useful for longer messages, rather than TCP.
D. TCP does not guarantee delivery of data, while UDP does guarantee data delivery.

Correct Answer: A
Explanation

Explanation/Reference:
TCP is a reliable, connection-oriented transport that guarantees delivery of data.

Protocols are the rules that two entities must share in order to exchange data. Internet transport
protocols send and receive packets in either a connectionless or a connection-oriented fashion. In a
connection-oriented protocol the sender receives acknowledgements from the receiver confirming what has
arrived, retransmits what has not, and delivers the bytes in order. TCP is such a protocol; it opens the
connection with a three-way handshake (SYN, SYN-ACK, ACK) before any application data flows.
UDP, the User Datagram Protocol, is the connectionless type: there is no handshake and no feedback to the
sender about whether a datagram arrived. Delivery is therefore not guaranteed, but the absence of the
handshake, acknowledgements and retransmissions makes UDP faster and lighter than TCP, which is why
it is used for DNS queries, streaming media and other traffic that tolerates some loss.

The following answers are incorrect:

UDP provides for Error Correction, TCP does not: UDP does not provide error correction. Both protocols
carry a checksum for error detection, but only TCP recovers from errors by retransmitting lost or corrupted
segments.

UDP is useful for longer messages, rather than TCP: UDP suits short, single-datagram exchanges; a long
message that must arrive complete and in order is exactly what TCP's connection provides.

TCP does not guarantee delivery of data, while UDP does guarantee data delivery: The opposite is true.

References Used for this question:

http://www.cyberciti.biz/faq/key-differences-between-tcp-and-udp-protocols/
http://www.skullbox.net/tcpudp.php

James's TCP-IP FAQ - Understanding Port Numbers.
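As an added illustration (example code written for this edit, not taken from any of the references above), the following Go program parses constructed TCP and UDP headers and checks that three TCP segments form a valid SYN, SYN-ACK, ACK handshake. The header layouts follow RFC 793 and RFC 768; the ports, sequence numbers and sample bytes are made up for the example. It makes the point above concrete: sequence and acknowledgement numbers and the control flags exist only in TCP, and a UDP header carries nothing a receiver could use to acknowledge or reorder anything.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// TCP flag bits from the 13th header byte (RFC 793).
const (
	flagFIN = 0x01
	flagSYN = 0x02
	flagRST = 0x04
	flagACK = 0x10
)

// TCPHeader holds the fields UDP has no equivalent of: sequence and
// acknowledgement numbers, and the control flags that drive the handshake.
type TCPHeader struct {
	SrcPort, DstPort uint16
	Seq, Ack         uint32
	DataOffset       int // header length in bytes
	Flags            uint8
}

// UDPHeader is all UDP carries: ports, length and a checksum. No state.
type UDPHeader struct {
	SrcPort, DstPort uint16
	Length, Checksum uint16
}

// ParseTCP decodes the fixed 20-byte TCP header (options are not decoded).
func ParseTCP(b []byte) (TCPHeader, error) {
	if len(b) < 20 {
		return TCPHeader{}, errors.New("tcp: header truncated")
	}
	h := TCPHeader{
		SrcPort:    binary.BigEndian.Uint16(b[0:2]),
		DstPort:    binary.BigEndian.Uint16(b[2:4]),
		Seq:        binary.BigEndian.Uint32(b[4:8]),
		Ack:        binary.BigEndian.Uint32(b[8:12]),
		DataOffset: int(b[12]>>4) * 4,
		Flags:      b[13],
	}
	if h.DataOffset < 20 || h.DataOffset > len(b) {
		return TCPHeader{}, errors.New("tcp: bad data offset")
	}
	return h, nil
}

// ParseUDP decodes the 8-byte UDP header.
func ParseUDP(b []byte) (UDPHeader, error) {
	if len(b) < 8 {
		return UDPHeader{}, errors.New("udp: header truncated")
	}
	return UDPHeader{
		SrcPort:  binary.BigEndian.Uint16(b[0:2]),
		DstPort:  binary.BigEndian.Uint16(b[2:4]),
		Length:   binary.BigEndian.Uint16(b[4:6]),
		Checksum: binary.BigEndian.Uint16(b[6:8]),
	}, nil
}

// IsHandshake checks that three segments form a valid three-way handshake:
// SYN; SYN-ACK acknowledging seq+1; ACK acknowledging the server's seq+1.
func IsHandshake(s1, s2, s3 TCPHeader) bool {
	if s1.Flags&(flagSYN|flagACK) != flagSYN {
		return false
	}
	if (s2.Flags&(flagSYN|flagACK)) != (flagSYN|flagACK) || s2.Ack != s1.Seq+1 {
		return false
	}
	if (s3.Flags&(flagSYN|flagACK)) != flagACK || s3.Ack != s2.Seq+1 || s3.Seq != s1.Seq+1 {
		return false
	}
	return true
}

// buildTCP is a constructed-sample helper: it encodes a 20-byte header.
func buildTCP(src, dst uint16, seq, ack uint32, flags uint8) []byte {
	b := make([]byte, 20)
	binary.BigEndian.PutUint16(b[0:2], src)
	binary.BigEndian.PutUint16(b[2:4], dst)
	binary.BigEndian.PutUint32(b[4:8], seq)
	binary.BigEndian.PutUint32(b[8:12], ack)
	b[12] = 5 << 4 // data offset: 5 words = 20 bytes, no options
	b[13] = flags
	binary.BigEndian.PutUint16(b[14:16], 65535) // window
	return b
}

func main() {
	// Constructed handshake: client port 40000 -> server port 80.
	syn, _ := ParseTCP(buildTCP(40000, 80, 1000, 0, flagSYN))
	synAck, _ := ParseTCP(buildTCP(80, 40000, 5000, 1001, flagSYN|flagACK))
	ack, _ := ParseTCP(buildTCP(40000, 80, 1001, 5001, flagACK))
	fmt.Println("valid handshake:", IsHandshake(syn, synAck, ack))

	// Constructed UDP header: a DNS query, 8-byte header plus 29 bytes of payload.
	udp, _ := ParseUDP([]byte{0x9c, 0x40, 0x00, 0x35, 0x00, 0x25, 0x12, 0x34})
	fmt.Printf("udp %d -> %d len=%d (no seq/ack/flags to parse)\n", udp.SrcPort, udp.DstPort, udp.Length)
}
```

The handshake check is deliberately strict about the acknowledgement numbers: a segment that carries the ACK flag but acknowledges the wrong value is rejected, which is the same reasoning a stateful firewall applies when it refuses to create a connection entry for a stray ACK.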


QUESTION 25
The standard server port number for HTTP is which of the following?

A. 81
B. 80
C. 8080
D. 8180

Correct Answer: B
Explanation

Explanation/Reference:
HTTP's standard (IANA-assigned) server port is TCP 80. Port 8080 is a common alternative for proxies and
development servers, but it is not the standard port.
Reference: MAIWALD, Eric, Network Security: A Beginner's Guide, McGraw-Hill/Osborne Media, 2001,
page 135.

QUESTION 26
Looking at the choices below, which ones would be the most suitable protocols/tools for securing e-mail?

A. PGP and S/MIME
B. IPsec and IKE
C. TLS and SSL
D. SSH

Correct Answer: A
Explanation

Explanation/Reference:
Both PGP and S/MIME are protocols/tools used to secure Internet e-mail. Today the de facto standard built
into e-mail clients is S/MIME; around 1999 PGP was the more common choice for securing e-mail.

PGP was developed by Phil Zimmermann as a free product for noncommercial use that would enable all
people to have access to state-of-the-art cryptographic algorithms to protect their privacy. PGP is also
available as a commercial product that has received widespread acceptance by many organizations
looking for a user-friendly, simple system for encrypting files, documents and e-mail, and for wiping old
files by overwriting them so that the old data cannot be recovered. PGP also compresses data to save on
bandwidth and storage needs.
The Secure/Multipurpose Internet Mail Extension (S/MIME) is the security enhancement for the MIME
Internet e-mail standard format. S/MIME provides several features, including signed and encrypted mail
messages. As a hybrid cryptographic application, S/MIME, like IPsec and SSL/TLS, uses hash functions
together with symmetric and asymmetric cryptography. A variety of bulk (symmetric) encryption algorithms
are defined, the most popular being AES. Asymmetric algorithms such as RSA are used for digital
signatures and for encrypting the per-message session key. Secure hash algorithms, such as SHA-1
historically and SHA-256 today, provide data integrity of the message body and message attributes.

The following are incorrect answers:


IPsec, TLS, SSL and SSH all secure a transport session or tunnel between two hosts. They can protect
mail traffic over a public network hop by hop, but they were not built to provide e-mail security: the
message is exposed in clear text on every intermediate mail server and in the mailbox at rest. PGP and
S/MIME protect the message itself, end to end, regardless of the path it takes.

IKE is a key exchange mechanism, not an e-mail encryption tool.

Reference(s) used for this question:


Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2
Press) (Kindle Location 16663). Auerbach Publications. Kindle Edition.

OPPLIGER, Rolf, Secure Messaging with PGP and S/MIME, 2000, Artech House; The international PGP
homepage, online at http://www.pgpi.org

IETF S/MIME working group, online at http://www.ietf.org/html.charters/smime-charter.html


HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 2001, McGraw-Hill/Osborne, page 563;
SMITH, Richard E., Internet Cryptography, 1997, Addison-Wesley Pub Co.

QUESTION 27
Which of the following are suitable protocols for securing VPN connections at the lower layers of the OSI
model?

A. S/MIME and SSH
B. TLS and SSL
C. IPsec and L2TP
D. PKCS#10 and X.509

Correct Answer: C
Explanation

Explanation/Reference:
IPsec operates at the Network layer (Layer 3) and L2TP at the Data Link layer (Layer 2). L2TP itself
provides tunnelling but no confidentiality or integrity, which is why it is normally paired with IPsec
(L2TP/IPsec). TLS/SSL and SSH operate above the Transport layer, S/MIME is an application-layer e-mail
format, and PKCS#10 and X.509 are certificate request and certificate formats, not tunnelling protocols.

Reference: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 2001, McGraw-Hill/Osborne,
page 467; SMITH, Richard E., Internet Cryptography, 1997, Addison-Wesley Pub Co.

QUESTION 28
What is the role of IKE within the IPsec protocol?

A. peer authentication and key exchange
B. data encryption
C. data signature
D. enforcing quality of service

Correct Answer: A
Explanation

Explanation/Reference:
IKE negotiates the Security Associations (SAs) that IPsec uses: it authenticates the peers (with a pre-shared
key, certificates or public keys) and runs a Diffie-Hellman exchange from which the session keys are
derived. The actual encryption and integrity protection of data is done by the ESP and AH protocols, not
by IKE, and IKE has no role in enforcing quality of service.

Reference: RFC 2409: The Internet Key Exchange (IKE); DORASWAMY, Naganand & HARKINS, Dan,
IPsec: The New Security Standard for the Internet, Intranets, and Virtual Private Networks, 1999, Prentice
Hall PTR; SMITH, Richard E., Internet Cryptography, 1997, Addison-Wesley Pub Co.

QUESTION 29
What is NOT an authentication method within IKE and IPSec?

A. CHAP
B. Pre shared key
C. certificate based authentication
D. Public key authentication

Correct Answer: A
Explanation

Explanation/Reference:
CHAP is not used within IPsec or IKE. CHAP (RFC 1994) is an authentication scheme used by Point-to-Point
Protocol (PPP) servers to validate the identity of remote clients. CHAP periodically verifies the identity of
the client by using a three-way handshake. This happens when the link is first established (after LCP
completes), and may happen again at any time afterwards. The verification is based on a shared secret
(such as the client user's password), which is never itself sent over the link:
1. After the link establishment phase, the authenticator sends a "challenge" message (a random value
together with an identifier) to the peer.
2. The peer responds with a value calculated using a one-way hash function (MD5 in RFC 1994) over the
identifier, the secret and the challenge combined.
3. The authenticator checks the response against its own calculation of the expected hash value. If the
values match, the authenticator acknowledges the authentication; otherwise it should terminate the
connection.
At random intervals the authenticator sends a new challenge to the peer and repeats steps 1 through 3.
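To make the three steps concrete, here is an added Go example (written for this edit, not code from RFC 1994 or from any vendor's PPP stack) of a CHAP authenticator and peer. The peer name and shared secret are constructed values; the response is MD5 over identifier, secret and challenge as RFC 1994 specifies. It also shows why the challenge must be random and single-use: a captured response replayed against a later challenge is rejected.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// chapResponse computes the RFC 1994 CHAP response value:
// MD5(Identifier || shared secret || Challenge). The secret itself never
// crosses the link; only this digest does.
func chapResponse(id byte, secret, challenge []byte) []byte {
	h := md5.New()
	h.Write([]byte{id})
	h.Write(secret)
	h.Write(challenge)
	return h.Sum(nil)
}

// Authenticator is the PPP server side. It keeps the challenge currently in
// flight for each identifier, so a response can only answer a fresh challenge.
type Authenticator struct {
	secrets     map[string][]byte // peer name -> shared secret (assumed local store)
	outstanding map[byte][]byte   // identifier -> challenge awaiting a response
	nextID      byte
}

func NewAuthenticator(secrets map[string][]byte) *Authenticator {
	return &Authenticator{secrets: secrets, outstanding: map[byte][]byte{}}
}

// Challenge is step 1: issue a fresh random challenge under a new identifier.
func (a *Authenticator) Challenge() (id byte, challenge []byte) {
	a.nextID++
	challenge = make([]byte, 16)
	if _, err := rand.Read(challenge); err != nil {
		panic(err)
	}
	a.outstanding[a.nextID] = challenge
	return a.nextID, challenge
}

// Verify is step 3: recompute the expected digest and compare it in constant
// time. The challenge is retired whether or not the response matches, so a
// captured response cannot be replayed.
func (a *Authenticator) Verify(id byte, name string, response []byte) bool {
	challenge, ok := a.outstanding[id]
	if !ok {
		return false // unknown or already-used identifier
	}
	delete(a.outstanding, id)
	secret, ok := a.secrets[name]
	if !ok {
		return false
	}
	expected := chapResponse(id, secret, challenge)
	return subtle.ConstantTimeCompare(expected, response) == 1
}

func main() {
	// Constructed shared secret, assumed to have been provisioned out of band.
	secret := []byte("s3cret-pass")
	auth := NewAuthenticator(map[string][]byte{"alice": secret})

	// Step 2 happens on the peer: it answers the challenge with the digest.
	id, ch := auth.Challenge()
	resp := chapResponse(id, secret, ch)
	fmt.Println("fresh response accepted:", auth.Verify(id, "alice", resp))

	// Replay: the captured response against a later challenge is rejected.
	id2, _ := auth.Challenge()
	fmt.Println("replayed response accepted:", auth.Verify(id2, "alice", resp))
}
```

Note what CHAP does not protect against: the authenticator must hold the secret in a recoverable form (not as a salted hash), and an attacker who captures a challenge/response pair can run an offline dictionary attack against MD5, which is one reason EAP methods with stronger key derivation replaced CHAP for access authentication.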

The following were incorrect answers:


Pre Shared Keys
In cryptography, a pre-shared key or PSK is a shared secret which was previously shared between the two
parties using some secure channel before it needs to be used. To build a key from shared secret, the key
derivation function should be used. Such systems almost always use symmetric key cryptographic
algorithms. The term PSK is used in WiFi encryption such as WEP or WPA, where both the wireless
access points (AP) and all clients share the same key. The characteristics of this secret or key are
determined by the system which uses it; some system designs require that such keys be in a particular
format. It can be a password like 'bret13i', a passphrase like 'Idaho hung gear id gene', or a hexadecimal
string like '65E4 E556 8622 EEE1'. The secret is used by all systems involved in the cryptographic
processes used to secure the traffic between the systems.
Certificate Based Authentication
The most common form of trusted authentication between parties in the wide world of Web commerce is
the exchange of certificates. A certificate is a digital document that at a minimum includes a Distinguished
Name (DN) and an associated public key. The certificate is digitally signed by a trusted third party known
as the Certificate Authority (CA). The CA vouches for the authenticity of the certificate holder. Each
principal in the transaction presents its certificate as its credentials. The recipient then validates the
certificate's signature against its cache of known and trusted CA certificates. A "personal certificate"
identifies an end user in a transaction; a "server certificate" identifies the service provider.
Generally, certificate formats follow the X.509 Version 3 standard. X.509 is part of the Open Systems
Interconnect (OSI) X.500 specification.

Public Key Authentication
Public key authentication is an alternative means of identifying yourself to a login server, instead of typing
a password. It is more secure and more flexible, but more difficult to set up. In conventional password
authentication, you prove you are who you claim to be by proving that you know the correct password. The
only way to prove you know the password is to tell the server what you think the password is. This means
that if the server has been hacked or spoofed, an attacker can learn your password.
Public key authentication solves this problem. You generate a key pair, consisting of a public key (which
everybody is allowed to know) and a private key (which you keep secret and do not give to anybody). The
private key is able to generate signatures. A signature created using your private key cannot be forged by
anybody who does not have a copy of that private key; but anybody who has your public key can verify that
a particular signature is genuine. So you generate a key pair on your own computer, and you copy the
public key to the server. Then, when the server asks you to prove who you are, you can generate a
signature using your private key. The server can verify that signature (since it has your public key) and
allow you to log in. Now if the server is hacked or spoofed, the attacker does not gain your private key or
password; they only gain one signature. And signatures cannot be re-used, so they have gained nothing.
There is a problem with this: if your private key is stored unprotected on your own computer, then anybody
who gains access to your computer will be able to generate signatures as if they were you. So they will be
able to log in to your server under your account. For this reason, your private key is usually encrypted
when it is stored on your local machine, using a passphrase of your choice. In order to generate a
signature, you must decrypt the key, so you have to type your passphrase.
References:

RFC 2409: The Internet Key Exchange (IKE); DORASWAMY, Naganand & HARKINS, Dan, IPsec: The
New Security Standard for the Internet, Intranets, and Virtual Private Networks, 1999, Prentice Hall PTR;
SMITH, Richard E., Internet Cryptography, 1997, Addison-Wesley Pub Co.; HARRIS, Shon, All-In-One
CISSP Certification Exam Guide, 2001, McGraw-Hill/Osborne, page 467.

http://en.wikipedia.org/wiki/Pre-shared_key

http://www.home.umk.pl/~mgw/LDAP/RS.C4.JUN.97.pdf

http://the.earth.li/~sgtatham/putty/0.55/htmldoc/Chapter8.html#S8.1

QUESTION 30
What is NOT true with pre shared key authentication within IKE / IPsec protocol?

A. Pre shared key authentication is normally based on simple passwords
B. Needs a Public Key Infrastructure (PKI) to work
C. IKE is used to setup Security Associations
D. IKE builds upon the Oakley protocol and the ISAKMP protocol.

Correct Answer: B
Explanation

Explanation/Reference:
Internet Key Exchange (IKEv1, RFC 2409, or IKEv2, RFC 7296) is the protocol used to set up a security
association (SA) in the IPsec protocol suite. IKE builds upon the Oakley protocol and ISAKMP. IKE
authenticates the peers with pre-shared keys, X.509 certificates or raw public keys (which may be
distributed using DNS, preferably with DNSSEC), and uses a Diffie-Hellman key exchange to set up a
shared session secret from which cryptographic keys are derived. A PKI is needed only for certificate-based
authentication; with a pre-shared key the two peers simply need the same secret configured in advance,
which is why answer B is the statement that is NOT true.
Internet key exchange allows communicating partners to prove their identity to each other and establish a
secure communication channel, and is applied as an authentication component of IPsec.
IKE uses two phases:
Phase 1: The partners authenticate with each other, using one of the following:
Shared secret: a key that is exchanged by humans via telephone, fax, encrypted e-mail, etc.
Public key encryption: digital certificates are exchanged.
Revised mode of public key encryption: to reduce the overhead of public key encryption, a nonce (a number
or bit string used only once) is encrypted with the communicating partner's public key, and the peer's
identity is encrypted with symmetric encryption using the nonce as the key.
Next, IKE establishes a temporary security association and secure tunnel to protect the rest of the key
exchange.
Phase 2: The peers' IPsec security associations are established, using the secure tunnel and temporary SA
created at the end of phase 1.
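As an added example (illustrative code written for this edit; it is not an IKE implementation and is not wire-compatible with RFC 2409), the following Go program models the pre-shared-key flavour of phase 1. An ephemeral ECDH exchange over P-256 stands in for the IKE Diffie-Hellman group, SKEYID is derived as prf(PSK, Ni | Nr) with HMAC-SHA256 as the prf, and each side proves possession of the PSK with a hash over the exchanged values. The PSK strings and the simplified hash inputs are assumptions of the example. It shows the point behind the question: the PSK authenticates the exchange, the Diffie-Hellman secret supplies the keying material, and no certificate or PKI is involved.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// prf is the pseudo-random function; IKEv1 with PSK keys it with the PSK.
func prf(key []byte, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

// Peer is one side of the simplified phase 1 exchange.
type Peer struct {
	psk   []byte
	priv  *ecdh.PrivateKey // ephemeral DH private value (g^x)
	nonce []byte           // Ni or Nr
}

func NewPeer(psk []byte) *Peer {
	priv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return &Peer{psk: psk, priv: priv, nonce: nonce}
}

// Public returns what goes on the wire: the DH public value and the nonce.
func (p *Peer) Public() (dhPub, nonce []byte) { return p.priv.PublicKey().Bytes(), p.nonce }

// Keys derives SKEYID = prf(PSK, Ni | Nr) and a session key from the DH
// secret g^xy. The initiator flag fixes the Ni | Nr order on both sides.
func (p *Peer) Keys(peerPub, peerNonce []byte, initiator bool) (skeyid, sessionKey []byte, err error) {
	pub, err := ecdh.P256().NewPublicKey(peerPub)
	if err != nil {
		return nil, nil, err
	}
	gxy, err := p.priv.ECDH(pub)
	if err != nil {
		return nil, nil, err
	}
	ni, nr := p.nonce, peerNonce
	if !initiator {
		ni, nr = peerNonce, p.nonce
	}
	skeyid = prf(p.psk, ni, nr)
	sessionKey = prf(skeyid, gxy, ni, nr) // simplified SKEYID_d derivation
	return skeyid, sessionKey, nil
}

// AuthHash is the phase 1 authenticator (a simplified HASH_I / HASH_R):
// prf(SKEYID, g^xi | g^xr | Ni | Nr). Only a holder of the PSK can produce it,
// which is what authenticates the otherwise anonymous DH exchange.
func AuthHash(skeyid, gxi, gxr, ni, nr []byte) []byte { return prf(skeyid, gxi, gxr, ni, nr) }

// Handshake runs both sides locally and reports whether they authenticated
// each other and whether they agree on the session key.
func Handshake(initiator, responder *Peer) (authenticated, keysMatch bool) {
	gxi, ni := initiator.Public()
	gxr, nr := responder.Public()

	skI, keyI, err := initiator.Keys(gxr, nr, true)
	if err != nil {
		return false, false
	}
	skR, keyR, err := responder.Keys(gxi, ni, false)
	if err != nil {
		return false, false
	}

	// Each side sends its hash; the other recomputes it with its own SKEYID.
	hashI := AuthHash(skI, gxi, gxr, ni, nr)
	hashR := AuthHash(skR, gxi, gxr, ni, nr)
	authenticated = hmac.Equal(hashI, AuthHash(skR, gxi, gxr, ni, nr)) &&
		hmac.Equal(hashR, AuthHash(skI, gxi, gxr, ni, nr))
	keysMatch = hmac.Equal(keyI, keyR)
	return authenticated, keysMatch
}

func main() {
	// Constructed PSKs; a real deployment would provision these out of band.
	ok, same := Handshake(NewPeer([]byte("corp-vpn-psk")), NewPeer([]byte("corp-vpn-psk")))
	fmt.Println("matching PSK: authenticated =", ok, "keys agree =", same)
	ok, same = Handshake(NewPeer([]byte("corp-vpn-psk")), NewPeer([]byte("wrong-psk")))
	fmt.Println("mismatched PSK: authenticated =", ok, "keys agree =", same)
}
```

The Diffie-Hellman values agree on both sides whatever the PSK is; it is SKEYID, and everything derived from it, that differs when the secrets differ, which is why a simple password as the PSK is the weak point (offline guessing against captured aggressive-mode hashes) even though the key exchange itself is sound.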

The following reference(s) were used for this question:


Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2
Press) (Kindle Locations 7032-7048). Auerbach Publications. Kindle Edition.
and
RFC 2409 at http://tools.ietf.org/html/rfc2409
and
http://en.wikipedia.org/wiki/Internet_Key_Exchange

QUESTION 31
In SSL/TLS protocol, what kind of authentication is supported when you establish a secure session
between a client and a server?

A. Peer-to-peer authentication
B. Only server authentication (optional)
C. Server authentication (mandatory) and client authentication (optional)
D. Role based authentication scheme

Correct Answer: C
Explanation

Explanation/Reference:
In SSL/TLS the server is authenticated to the client with its certificate in every normal handshake
(anonymous cipher suites exist but are not used in practice), so server authentication is effectively
mandatory. Client authentication is optional: it happens only when the server sends a CertificateRequest
and the client presents its own certificate, a configuration often called mutual TLS.

Reference:
RESCORLA, Eric, SSL and TLS: Designing and Building Secure Systems, 2000, Addison Wesley
Professional; SMITH, Richard E., Internet Cryptography, 1997, Addison-Wesley Pub Co.

QUESTION 32
What kind of encryption is realized in the S/MIME-standard?

A. Asymmetric encryption scheme
B. Password based encryption scheme
C. Public key based, hybrid encryption scheme
D. Elliptic curve based encryption

Correct Answer: C
Explanation

Explanation/Reference:
S/MIME (for Secure MIME, or Secure Multipurpose Mail Extension) is a security process used for e-mail
exchanges that makes it possible to guarantee the confidentiality and non-repudiation of electronic
messages.
S/MIME is based on the MIME standard, the goal of which is to let users attach files other than ASCII text
files to electronic messages. The MIME standard therefore makes it possible to attach all types of files to
e-mails.
S/MIME was originally developed by the company RSA Data Security. Ratified in July 1999 by the IETF, S/
MIME has become a standard, whose specifications are contained in RFCs 2630 to 2633.
How S/MIME works
The S/MIME standard is based on the principle of public-key encryption. S/MIME therefore makes it
possible to encrypt the content of messages, but it does not encrypt the communication channel.

The various sections of an electronic message, encoded according to the MIME standard, are each
encrypted using a random symmetric session key.

The session key is inserted in each section's header, encrypted using the recipient's public key. Only the
recipient can recover the session key, using his private key, and thereby open the message's body, which
guarantees the confidentiality of the received message. In addition, a digest of the message is signed with
the sender's private key. Anyone intercepting the communication can see the signature, but it assures the
recipient of the sender's identity and of the message's integrity, since only the holder of the private key can
produce a signature that verifies with the corresponding public key.
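The hybrid scheme described here, and in the PGP/S/MIME question earlier, is shown below as an added Go example written for this edit (it is not the S/MIME or CMS encoding itself, and not code from any of the cited references). It is a sign-then-encrypt envelope: RSA-PSS signature over the body, AES-256-GCM with a one-time session key for the body, and RSA-OAEP to wrap the session key for the recipient. The two key pairs are generated inside the example in place of the parties' certificates, and the message text is made up. The signature is kept outside the encrypted envelope, as the text above describes; real S/MIME clients normally sign first and then encrypt the signed message so that the signature is hidden too.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the hybrid-encrypted message: the body is encrypted with a
// one-time symmetric session key, the session key is wrapped with the
// recipient's RSA public key, and a signature by the sender covers the body.
type Envelope struct {
	WrappedKey []byte // session key encrypted with recipient's public key (RSA-OAEP)
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM(body), includes the authentication tag
	Signature  []byte // RSA-PSS over SHA-256(body), made with sender's private key
}

// Seal signs the plaintext with the sender's key and encrypts it for the recipient.
func Seal(body []byte, sender *rsa.PrivateKey, recipient *rsa.PublicKey) (*Envelope, error) {
	// 1. Sign the message content with the sender's private key.
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	// 2. Fresh random session key; bulk encryption with AES-256-GCM.
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, body, nil)
	// 3. Wrap the session key so only the recipient's private key can recover it.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct, Signature: sig}, nil
}

// Open unwraps the session key with the recipient's private key, decrypts the
// body, then verifies the sender's signature with the sender's public key.
func Open(env *Envelope, recipient *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("not the intended recipient: cannot unwrap session key")
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	body, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext tampered or wrong key")
	}
	digest := sha256.Sum256(body)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, errors.New("signature does not verify: sender not authentic")
	}
	return body, nil
}

func main() {
	// Constructed key pairs standing in for the parties' S/MIME certificates.
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)

	env, err := Seal([]byte("Wire transfer approved: 1,000 EUR"), alice, &bob.PublicKey)
	if err != nil {
		panic(err)
	}
	body, err := Open(env, bob, &alice.PublicKey)
	fmt.Printf("bob reads: %q, err=%v\n", body, err)
	_, err = Open(env, alice, &alice.PublicKey) // alice is not the recipient
	fmt.Println("alice opening:", err)
}
```

Two properties of the hybrid design are visible in the code: the public-key operations touch only a 32-byte session key and a 32-byte digest, whatever the size of the body, and a message encrypted to several recipients would need only one extra OAEP wrap per recipient, not a second encryption of the body.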

Reference(s) used for this question:

http://en.kioskea.net/contents/139-cryptography-s-mime
RFC 2630: Cryptographic Message Syntax;
OPPLIGER, Rolf, Secure Messaging with PGP and S/MIME, 2000, Artech House;
HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 2001, McGraw-Hill/Osborne, page 570;
SMITH, Richard E., Internet Cryptography, 1997, Addison-Wesley Pub Co.

QUESTION 33
Which of the following is true of network security?

A. A firewall is not a necessity in today's connected world.
B. A firewall is a necessity in today's connected world.
C. A whitewall is a necessity in today's connected world.
D. A black firewall is a necessity in today's connected world.

Correct Answer: B
Explanation

Explanation/Reference:
Commercial firewalls are a dime a dozen in today's world. "Black firewall" and "whitewall" are just
distractors, and option A is simply the negation of the correct statement. A firewall alone is not sufficient
protection, but a firewall enforcing least-privilege network access is a baseline control for any connected
network.

QUESTION 34
Which of the following best describes signature-based detection?

A. Compare source code, looking for events or sets of events that could cause damage to a system or
network.
B. Compare system activity for the behaviour patterns of new attacks.
C. Compare system activity, looking for events or sets of events that match a predefined pattern of events
that describe a known attack.
D. Compare network nodes looking for objects or sets of objects that match a predefined pattern of
objects that may describe a known attack.

Correct Answer: C
Explanation

Explanation/Reference:
Misuse detectors compare system activity, looking for events or sets of events that match a predefined
pattern of events that describe a known attack. As the patterns corresponding to known attacks are called
signatures, misuse detection is sometimes called "signature-based detection."
The most common form of misuse detection used in commercial products specifies each pattern of events
corresponding to an attack as a separate signature. However, there are more sophisticated approaches to
doing misuse detection (called "state-based" analysis techniques) that can leverage a single signature to
detect groups of attacks.
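As an added example (constructed for this edit, not code from NIST SP 800-31 or SP 800-94), the following Go program runs both kinds of signature over a handful of made-up log lines: single-event regular-expression signatures, one per known attack, and a state-based signature that keeps per-source state and fires when several failed SSH logins are followed by a success from the same address. The log lines, IP addresses, rule texts and the threshold are all constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Signature is a single-event pattern: one known attack, one regular expression.
type Signature struct {
	Name    string
	Pattern *regexp.Regexp
}

// Constructed signatures; in a real IDS these come from a maintained rule set.
var signatures = []Signature{
	{"web: path traversal", regexp.MustCompile(`(?i)GET\s+\S*(\.\./){2,}`)},
	{"web: sqli tautology", regexp.MustCompile(`(?i)('|%27)\s*or\s+1\s*=\s*1`)},
	{"ssh: invalid user", regexp.MustCompile(`sshd.*Invalid user`)},
}

// Alert is what the detector emits: the rule that fired and the line that fired it.
type Alert struct {
	Rule, Line string
}

// MatchEvents applies each single-event signature to each line (misuse detection
// in its simplest form: one signature per attack).
func MatchEvents(lines []string) []Alert {
	var out []Alert
	for _, l := range lines {
		for _, s := range signatures {
			if s.Pattern.MatchString(l) {
				out = append(out, Alert{s.Name, l})
			}
		}
	}
	return out
}

// Parsers for the sshd events the state-based rule tracks; capture group 1 is the source IP.
var (
	reFail = regexp.MustCompile(`sshd.*Failed password for \S+ from (\S+)`)
	reOK   = regexp.MustCompile(`sshd.*Accepted password for \S+ from (\S+)`)
)

// StateSignature is a multi-event pattern: at least threshold failures and then a
// success from the same source. One rule covers any brute force that eventually
// succeeds, whatever user name or tool is used, which is what a state-based
// signature buys over one regular expression per attack.
func StateSignature(lines []string, threshold int) []Alert {
	failures := map[string]int{}
	var out []Alert
	for _, l := range lines {
		if m := reFail.FindStringSubmatch(l); m != nil {
			failures[m[1]]++
			continue
		}
		if m := reOK.FindStringSubmatch(l); m != nil {
			if failures[m[1]] >= threshold {
				out = append(out, Alert{
					fmt.Sprintf("ssh: brute force succeeded from %s after %d failures", m[1], failures[m[1]]), l})
			}
			failures[m[1]] = 0 // a successful login resets the per-source state
		}
	}
	return out
}

func main() {
	// Constructed sample log lines (not taken from any real system).
	logs := []string{
		`Jan 10 10:00:01 web01 nginx: 203.0.113.7 "GET /../../../etc/passwd HTTP/1.1" 404`,
		`Jan 10 10:00:02 web01 nginx: 203.0.113.7 "GET /login?user=a' OR 1=1-- HTTP/1.1" 200`,
		`Jan 10 10:00:03 bastion sshd[811]: Invalid user admin from 198.51.100.9 port 5123`,
		`Jan 10 10:00:04 bastion sshd[812]: Failed password for root from 198.51.100.9 port 5124 ssh2`,
		`Jan 10 10:00:05 bastion sshd[813]: Failed password for root from 198.51.100.9 port 5125 ssh2`,
		`Jan 10 10:00:06 bastion sshd[814]: Failed password for root from 198.51.100.9 port 5126 ssh2`,
		`Jan 10 10:00:07 bastion sshd[815]: Accepted password for root from 198.51.100.9 port 5127 ssh2`,
		`Jan 10 10:00:08 bastion sshd[816]: Accepted password for ops from 192.0.2.5 port 4001 ssh2`,
	}
	for _, a := range append(MatchEvents(logs), StateSignature(logs, 3)...) {
		fmt.Printf("[%s] %s\n", a.Rule, strings.TrimSpace(a.Line))
	}
}
```

The single-event rules fire on the three attack lines and the state-based rule fires once, for 198.51.100.9; the ordinary login from 192.0.2.5 produces nothing. The limitation the text goes on to describe applies to both: a traversal encoded as `%2e%2e/` or a password spray that never succeeds matches no signature here, which is the gap anomaly-based detection is meant to cover.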

Reference:
Old document: BACE, Rebecca & MELL, Peter, NIST Special Publication 800-31 on Intrusion Detection
Systems, page 16.
The publication above has been replaced by NIST SP 800-94 (page 2-4). The updated URL is:
http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf

QUESTION 35
Which layer deals with Media Access Control (MAC) addresses?

A. Data link layer
B. Physical layer
C. Transport layer
D. Network layer

Correct Answer: A
Explanation

Explanation/Reference:
Layer 2 (Data Link layer) transfers information to the other end of the physical link. It handles physical
addressing, network topology, error notification, delivery of frames and flow control.

QUESTION 36
What is a decrease in amplitude as a signal propagates along a transmission medium best known as?

A. Crosstalk
B. Noise
C. Delay distortion
D. Attenuation

Correct Answer: D
Explanation

Explanation/Reference:
Attenuation is the loss of signal strength as a signal travels along a medium. The longer a cable, the more
attenuation occurs, which causes the signal carrying the data to deteriorate. This is why standards include
suggested cable-run lengths: if a networking cable is too long, the signal may attenuate below what the
receiver can decode. In a copper wire the data are carried as electrical energy, and the resistance of the
conductor dissipates that energy as the distance grows; after a certain distance the signal weakens and its
encoding loses its shape, and if it degrades too far the receiving system can no longer interpret it. If a
network administrator needs to run a cable longer than its recommended segment length, she needs to
insert a repeater or some other device that regenerates the signal and ensures it gets to its destination in
the right encoding format. Attenuation can also be caused by cable breaks and malfunctions, which is why
cables should be tested: if a cable is suspected of attenuation problems, cable testers can inject signals
into the cable and read the results at the far end.

The following answers are incorrect:


Crosstalk - Crosstalk is one example of noise where unwanted electrical coupling between adjacent lines
causes the signal in one wire to be picked up by the signal in an adjacent wire.

Noise - Noise is also a signal degradation, but it refers to a large amount of electrical fluctuation that can
interfere with the interpretation of the signal by the receiver.

Delay distortion - Delay distortion can result in a misinterpretation of a signal that results from transmitting
a digital signal with varying frequency components. The various components arrive at the receiver with
varying delays.

Following reference(s) were/was used to create this question:
CISA review manual 2014 Page number 265
Official ISC2 guide to CISSP CBK 3rd Edition Page number 229 & CISSP All-In-One Exam guide 6th
Edition Page Number 561

QUESTION 37
Which device acting as a translator is used to connect two networks or applications from layer 4 up to layer
7 of the ISO/OSI Model?

A. Bridge
B. Repeater
C. Router
D. Gateway

Correct Answer: D
Explanation

Explanation/Reference:
A gateway is used to connect two networks using dissimilar protocols at the lower layers or it could also be
at the highest level of the protocol stack.

Important Note:
For the purpose of the exam, remember that a gateway is not synonymous with the term firewall. The
second thing to remember is that a gateway acts as a translation device. It could be used to translate from
IPX to TCP/IP, for example, or to convert between different application protocols and allow them to
communicate. A gateway could operate at any of the OSI layers but usually tends to be higher up in the
stack.

For your exam you should know the information below:

Repeaters
A repeater provides the simplest type of connectivity, because it only repeats electrical signals between
cable segments, which enables it to extend a network. Repeaters work at the physical layer and are add-
on devices for extending a network connection over a greater distance. The device amplifies signals
because signals attenuate the farther they have to travel. Repeaters can also work as line conditioners by
actually cleaning up the signals. This works much better when amplifying digital signals than when
amplifying analog signals, because digital signals are discrete units, which makes extraction of background
noise from them much easier for the amplifier. If the device is amplifying analog signals, any
accompanying noise often is amplified as well, which may further distort the signal. A hub is a multi-port
repeater. A hub is often referred to as a concentrator because it is the physical communication device that
allows several computers and devices to communicate with each other. A hub does not understand or
work with IP or MAC addresses. When one system sends a signal to go to another system connected to it,
the signal is broadcast to all the ports, and thus to all the systems connected to the concentrator.

Repeater
Image Reference- http://www.erg.abdn.ac.uk/~gorry/course/images/repeater.gif

Bridges
A bridge is a LAN device used to connect LAN segments. It works at the data link layer and therefore
works with MAC addresses. A repeater does not work with addresses; it just forwards all signals it
receives. When a frame arrives at a bridge, the bridge determines whether or not the MAC address is on
the local network segment. If the MAC address is not on the local network segment, the bridge forwards
the frame to the necessary network segment.

Bridge
Image Reference- http://www.oreillynet.com/network/2001/01/30/graphics/bridge.jpg

Routers
Routers are layer 3, or network layer, devices that are used to connect similar or different networks. (For
example, they can connect two Ethernet LANs or an Ethernet LAN to a Token Ring LAN.) A router is a
device that has two or more interfaces and a routing table so it knows how to get packets to their
destinations. It can filter traffic based on access control lists (ACLs), and it fragments packets when
necessary. Because routers have more network-level knowledge, they can perform higher-level functions,
such as calculating the shortest and most economical path between the sending and receiving hosts.

Router and Switch


Image Reference- http://www.computer-networking-success.com/images/router-switch.jpg

Switches
Switches combine the functionality of a repeater and the functionality of a bridge. A switch amplifies the
electrical signal, like a repeater, and has the built-in circuitry and intelligence of a bridge. It is a multi-port
connection device that provides connections for individual computers or other hubs and switches.

Gateways
Gateway is a general term for software running on a device that connects two different environments and
that many times acts as a translator for them or somehow restricts their interactions. Usually a gateway is
needed when one environment speaks a different language, meaning it uses a certain protocol that the
other environment does not understand. The gateway can translate Internetwork Packet Exchange (IPX)
protocol packets to IP packets, accept mail from one type of mail server and format it so another type of
mail server can accept and understand it, or connect and translate different data link technologies such as
FDDI to Ethernet.

Gateway Server
Image Reference-
http://static.howtoforge.com/images/screenshots/556af08d5e43aa768260f9e589dc547f-3024.jpg

The following answers are incorrect:


Repeater - A repeater provides the simplest type of connectivity, because it only repeats electrical signals
between cable segments, which enables it to extend a network. Repeaters work at the physical layer and
are add-on devices for extending a network connection over a greater distance. The device amplifies
signals because signals attenuate the farther they have to travel.

Bridges - A bridge is a LAN device used to connect LAN segments. It works at the data link layer and
therefore works with MAC addresses. A repeater does not work with addresses; it just forwards all signals
it receives. When a frame arrives at a bridge, the bridge determines whether or not the MAC address is on
the local network segment. If the MAC address is not on the local network segment, the bridge forwards
the frame to the necessary network segment.

Routers - Routers are layer 3, or network layer, devices that are used to connect similar or different
networks. (For example, they can connect two Ethernet LANs or an Ethernet LAN to a Token Ring LAN.) A
router is a device that has two or more interfaces and a routing table so it knows how to get packets to
their destinations. It can filter traffic based on access control lists (ACLs), and it fragments packets when
necessary.

Following reference(s) were/was used to create this question:


CISA review manual 2014 Page number 263
Official ISC2 guide to CISSP CBK 3rd Edition Page number 229 and 230

QUESTION 38
In which layer of the OSI Model are connection-oriented protocols located in the TCP/IP suite of protocols?

A. Transport layer
B. Application layer
C. Physical layer
D. Network layer

Correct Answer: A
Explanation

Explanation/Reference:
Connection-oriented protocols such as TCP provide reliability. It is the responsibility of such protocols in
the transport layer to ensure every byte is accounted for. The network layer does not provide reliability; it
only provides the best route to get the traffic to the final destination address.

For your exam you should know the information below about OSI model:
The Open Systems Interconnection model (OSI) is a conceptual model that characterizes and
standardizes the internal functions of a communication system by partitioning it into abstraction layers. The
model is a product of the Open Systems Interconnection project at the International Organization for
Standardization (ISO) and is published as ISO/IEC 7498-1.

The model groups communication functions into seven logical layers. A layer serves the layer above it and
is served by the layer below it. For example, a layer that provides error-free communications across a
network provides the path needed by applications above it, while it calls the next lower layer to send and
receive the packets that make up the contents of that path. Two instances at the same layer on different
systems are connected by a horizontal (peer) protocol.
OSI Model
Image source: http://www.petri.co.il/images/osi_model.JPG

PHYSICAL LAYER
The physical layer, the lowest layer of the OSI model, is concerned with the transmission and reception of
the unstructured raw bit stream over a physical medium. It describes the electrical/optical, mechanical, and
functional interfaces to the physical medium, and carries the signals for all of the higher layers. It provides:
Data encoding: modifies the simple digital signal pattern (1s and 0s) used by the PC to better
accommodate the characteristics of the physical medium, and to aid in bit and frame synchronization. It
determines:

What signal state represents a binary 1


How the receiving station knows when a "bit-time" starts How the receiving station delimits a frame
DATA LINK LAYER
The data link layer provides error-free transfer of data frames from one node to another over the physical
layer, allowing layers above it to assume virtually error-free transmission over the link.
To do this, the data link layer provides:

Link establishment and termination: establishes and terminates the logical link between two nodes.
Frame traffic control: tells the transmitting node to "back-off" when no frame buffers are available.
Frame sequencing: transmits/receives frames sequentially.
Frame acknowledgment: provides/expects frame acknowledgments. Detects and recovers from errors that
occur in the physical layer by retransmitting non-acknowledged frames and handling duplicate frame receipt.
Frame delimiting: creates and recognizes frame boundaries.
Frame error checking: checks received frames for integrity.
Media access management: determines when the node "has the right" to use the physical medium.

NETWORK LAYER
The network layer controls the operation of the subnet, deciding which physical path the data should take
based on network conditions, priority of service, and other factors. It provides:

Routing: routes packets among networks (the network layer's unit of data is the packet; frames belong to
the data link layer).
Subnet traffic control: routers (network layer intermediate systems) can instruct a sending station to
"throttle back" its transmission when the router's buffer fills up.
Packet fragmentation: if it determines that a downstream router's maximum transmission unit (MTU) size is
less than the packet size, a router can fragment a packet for transmission and re-assembly at the
destination station.
Logical-physical address mapping: translates logical addresses, or names, into physical addresses.
Subnet usage accounting: has accounting functions to keep track of packets forwarded by subnet
intermediate systems, to produce billing information.

Communications Subnet
The network layer software must build headers so that the network layer software residing in the subnet
intermediate systems can recognize them and use them to route data to the destination address.

This layer relieves the upper layers of the need to know anything about the data transmission and
intermediate switching technologies used to connect systems. It establishes, maintains and terminates
connections across the intervening communications facility (one or several intermediate systems in the
communication subnet).

In the network layer and the layers below, peer protocols exist between a node and its immediate
neighbor, but the neighbor may be a node through which data is routed, not the destination station. The
source and destination stations may be separated by many intermediate systems.

TRANSPORT LAYER
The transport layer ensures that messages are delivered error-free, in sequence, and with no losses or
duplications. It relieves the higher layer protocols from any concern with the transfer of data between them
and their peers.

The size and complexity of a transport protocol depends on the type of service it can get from the network
layer. For a reliable network layer with virtual circuit capability, a minimal transport layer is required. If the
network layer is unreliable and/or only supports datagrams, the transport protocol should include extensive
error detection and recovery.

The transport layer provides:


Message segmentation: accepts a message from the (session) layer above it, splits the message into
smaller units (if not already small enough), and passes the smaller units down to the network layer. The
transport layer at the destination station reassembles the message.
Message acknowledgment: provides reliable end-to-end message delivery with acknowledgments.
Message traffic control: tells the transmitting station to "back-off" when no message buffers are available.
Session multiplexing: multiplexes several message streams, or sessions, onto one logical link and keeps
track of which messages belong to which sessions (see session layer).

Typically, the transport layer can accept relatively large messages, but there are strict message size limits
imposed by the network (or lower) layer. Consequently, the transport layer must break up the messages
into smaller units, called segments, prepending a header to each segment.

The transport layer header information must then include control information, such as message start and
message end flags, to enable the transport layer on the other end to recognize message boundaries. In
addition, if the lower layers do not maintain sequence, the transport header must contain sequence
information to enable the transport layer on the receiving end to get the pieces back together in the right
order before handing the received message up to the layer above.

End-to-end layers
Unlike the lower "subnet" layers whose protocol is between immediately adjacent nodes, the transport
layer and the layers above are true "source to destination" or end-to-end layers, and are not concerned
with the details of the underlying communications facility. Transport layer software (and software above it)
on the source station carries on a conversation with similar software on the destination station by using
message headers and control messages.

SESSION LAYER
The session layer allows session establishment between processes running on different stations.
It provides:

Session establishment, maintenance and termination: allows two application processes on different
machines to establish, use and terminate a connection, called a session.
Session support: performs the functions that allow these processes to communicate over the network,
performing security, name recognition, logging, and so on.

PRESENTATION LAYER
The presentation layer formats the data to be presented to the application layer. It can be viewed as the
translator for the network. This layer may translate data from a format used by the application layer into a
common format at the sending station, then translate the common format to a format known to the
application layer at the receiving station.
The presentation layer provides:

Character code translation: for example, ASCII to EBCDIC.
Data conversion: bit order, CR-CR/LF, integer-floating point, and so on.
Data compression: reduces the number of bits that need to be transmitted on the network.
Data encryption: encrypts data for security purposes. For example, password encryption.

APPLICATION LAYER
The application layer serves as the window for users and application processes to access network
services. This layer contains a variety of commonly needed functions:

Resource sharing and device redirection
Remote file access
Remote printer access
Inter-process communication
Network management
Directory services
Electronic messaging (such as mail)
Network virtual terminals
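The encapsulation described in the layer summaries above, shown as an added Python example (it is not
code from the exam guide or from any of the cited sources): an application payload is given a UDP header
at the transport layer, an IPv4 header at the network layer, and an Ethernet header at the data link layer,
and the receiver peels the headers off again in the reverse order. The IP addresses, ports and MAC
addresses are made up. The IPv4 header checksum is computed and verified as RFC 791 specifies, which
illustrates the hop-by-hop header integrity the network layer provides, as distinct from the end-to-end
byte accounting that only a transport protocol such as TCP gives you:

```python
import struct


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791). Run over a header whose checksum
    field is already filled in, the result is 0 if the header arrived intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold the end-around carry
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(payload: bytes, src_ip="10.0.0.1", dst_ip="10.0.0.2",
                src_port=40000, dst_port=53) -> bytes:
    """Layer 7 payload -> layer 4 UDP -> layer 3 IPv4 -> layer 2 Ethernet (all values made up)."""
    # Layer 4: UDP. Length covers header + payload; a zero checksum is permitted over IPv4.
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    # Layer 3: IPv4. 0x45 = version 4, IHL 5 (20 bytes); DF flag set; TTL 64; protocol 17 = UDP.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64, 17, 0,
                     ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]   # fill the checksum field
    # Layer 2: Ethernet II, EtherType 0x0800 = IPv4. Locally administered, invented MACs.
    eth = struct.pack("!6s6sH", bytes.fromhex("020000000002"),
                      bytes.fromhex("020000000001"), 0x0800)
    return eth + ip + udp


def parse_frame(frame: bytes) -> dict:
    """Decapsulate layer by layer, verifying the IPv4 header checksum on the way up."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4                 # header length in bytes
    ip_hdr = frame[14:14 + ihl]
    (_, _, total_len, _, _, ttl, proto, _, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip_hdr[:20])
    if proto != 17:
        raise ValueError("not a UDP packet")
    udp_start = 14 + ihl
    sport, dport, udp_len, _ = struct.unpack("!HHHH", frame[udp_start:udp_start + 8])
    payload = frame[udp_start + 8:udp_start + udp_len]
    return {
        "ethernet": {"src": src_mac.hex(":"), "dst": dst_mac.hex(":")},
        "ip": {"src": bytes_to_ip(src), "dst": bytes_to_ip(dst), "ttl": ttl,
               "total_len": total_len, "checksum_ok": ipv4_checksum(ip_hdr) == 0},
        "udp": {"sport": sport, "dport": dport},
        "payload": payload,
    }


if __name__ == "__main__":
    frame = build_frame(b"hello")
    print(len(frame), "bytes on the wire")
    print(parse_frame(frame))
```

Flipping any bit in the IPv4 header (the TTL byte, for instance) makes `checksum_ok` false, which is what
a router does on every hop; note that the checksum says nothing about the UDP payload, and nothing at all
about packets that were lost or reordered, which is the transport layer's problem.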

The following were incorrect answers:


Application Layer - The application layer serves as the window for users and application processes to
access network services.
Network layer - The network layer controls the operation of the subnet, deciding which physical path the
data should take based on network conditions, priority of service, and other factors.
Physical Layer - The physical layer, the lowest layer of the OSI model, is concerned with the transmission
and reception of the unstructured raw bit stream over a physical medium. It describes the electrical/optical,
mechanical, and functional interfaces to the physical medium, and carries the signals for all of the higher
layers.

The following reference(s) were/was used to create this question:

CISA review manual 2014, page 260
Official ISC2 guide to CISSP CBK 3rd Edition, page 287
http://en.wikipedia.org/wiki/Tcp_protocol

QUESTION 39
Which of the following transmission media would NOT be affected by cross talk or interference?

A. Copper cable
B. Radio System
C. Satellite radiolink
D. Fiber optic cables

Correct Answer: D
Explanation

Explanation/Reference:
Of the listed media, only fiber optic cable carries light rather than an electrical or radio signal, so it is not
affected by crosstalk or electromagnetic interference.

For your exam you should know the information about transmission media:
Copper Cable

Copper cable is very simple to install and easy to tap. It is used mostly for short distance and supports
voice and data.
Copper has been used in electric wiring since the invention of the electromagnet and the telegraph in the
1820s.The invention of the telephone in 1876 created further demand for copper wire as an electrical
conductor.
Copper is the electrical conductor in many categories of electrical wiring. Copper wire is used in power
generation, power transmission, power distribution, telecommunications, electronics circuitry, and
countless types of electrical equipment. Copper and its alloys are also used to make electrical contacts.
Electrical wiring in buildings is the most important market for the copper industry. Roughly half of all copper
mined is used to manufacture electrical wire and cable conductors.
Copper Cable
Image Source - http://i00.i.aliimg.com/photo/v0/570456138/FRLS_HR_PVC_Copper_Cable.jpg

Coaxial cable
Coaxial cable, or coax (pronounced 'ko.aks), is a type of cable that has an inner conductor surrounded by
a tubular insulating layer, surrounded by a tubular conducting shield. Many coaxial cables also have an
insulating outer sheath or jacket. The term coaxial comes from the inner conductor and the outer shield
sharing a geometric axis. Coaxial cable was invented by English engineer and mathematician Oliver
Heaviside, who patented the design in 1880.Coaxial cable differs from other shielded cable used for
carrying lower-frequency signals, such as audio signals, in that the dimensions of the cable are controlled
to give a precise, constant conductor spacing, which is needed for it to function efficiently as a radio
frequency transmission line.

Coaxial cable is more expensive than twisted pair and is rarely used for LANs today. It supports data and video.
Coaxial Cable
Image Source - http://www.tlc-direct.co.uk/Images/Products/size_3/CARG59.JPG

Fiber optics
An optical fiber cable is a cable containing one or more optical fibers that are used to carry light. The
optical fiber elements are typically individually coated with plastic layers and contained in a protective tube
suitable for the environment where the cable will be deployed. Different types of cable are used for
different applications, for example long distance telecommunication, or providing a high-speed data
connection between different parts of a building. Fiber optic cable is used for long distances, is hard to
splice, is not vulnerable to crosstalk or electromagnetic interference (the signal is light, not current), and is
difficult to tap. It supports voice, data, image and video.
Radio System
Radio systems are used for short distances, are cheap, and are easy to tap. Radio is the radiation (wireless
transmission) of electromagnetic signals through the atmosphere or free space.
Information, such as sound, is carried by systematically changing (modulating) some property of the
radiated waves, such as their amplitude, frequency, phase, or pulse width. When radio waves strike an
electrical conductor, the oscillating fields induce an alternating current in the conductor. The information in
the waves can be extracted and transformed back into its original form.

Fiber Optics
Image Source - http://aboveinfranet.com/wp-content/uploads/2014/04/fiber-optic-cables-above- infranet-
solutions.jpg

Microwave radio system


Microwave transmission refers to the technology of transmitting information or energy by the use of radio
waves whose wavelengths are conveniently measured in small numbers of centimetre; these are called
microwaves.
Microwaves are widely used for point-to-point communications because their small wavelength allows
conveniently-sized antennas to direct them in narrow beams, which can be pointed directly at the receiving
antenna. This allows nearby microwave equipment to use the same frequencies without interfering with
each other, as lower frequency radio waves do. Another advantage is that the high frequency of
microwaves gives the microwave band a very large information-carrying capacity; the microwave band has
a bandwidth 30 times that of all the rest of the radio spectrum below it. A disadvantage is that microwaves
are limited to line of sight propagation; they cannot pass around hills or mountains as lower frequency
radio waves can.

Microwave radio transmission is commonly used in point-to-point communication systems on the surface
of the Earth, in satellite communications, and in deep space radio communications. Other parts of the
microwave radio band are used for radars, radio navigation systems, sensor systems, and radio
astronomy.
Microwave radio systems carry voice and data signals, are cheap, and are easy to tap by anyone who can
place a receiver in the beam path.

Microwave Radio System


Image Source - http://www.valiantcom.com/images/applications/e1_digital_microwave_radio.gif

Satellite Radio Link

A satellite radio link relays a signal through a transponder on the satellite, which receives the uplink and
rebroadcasts it on the downlink over a footprint far wider than any terrestrial station covers. Because the
downlink can be received by any suitably pointed antenna inside that footprint, a satellite link is easy to tap.

The following answers are incorrect:

Copper Cable - Copper cable is very simple to install and easy to tap. It is used mostly for short distances
and supports voice and data.
Radio System - Radio systems are used for short distances, are cheap, and are easy to tap.
Satellite Radio Link - A satellite radio link uses a transponder to relay information and is easy to tap.

The following reference(s) were/was used to create this question:

CISA review manual 2014, page 265
Official ISC2 guide to CISSP CBK 3rd Edition, page 233

QUESTION 40
What is called an attack where the attacker spoofs the source IP address in an ICMP ECHO broadcast
packet so it seems to have originated at the victim's system, in order to flood it with REPLY packets?
A. SYN Flood attack
B. Smurf attack
C. Ping of Death attack
D. Denial of Service (DOS) attack

Correct Answer: B
Explanation

Explanation/Reference:
Although it may cause a denial of service to the victim's system, this type of attack is a Smurf attack. A
SYN Flood attack uses up all of a system's resources by setting up a number of bogus communication
sockets on the victim's system. A Ping of Death attack is done by sending IP packets that exceed the
maximum legal length (65535 octets). Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide,
McGraw-Hill/Osborne, 2002, chapter 11: Application and System Development (page 789).
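The two sides of the Smurf attack described above, as an added Python example (it is not from the exam
guide or from the cited Harris text). The packet records are constructed for the example and stand in for
what a flow collector or packet capture would give you: the attacker forges the victim's address as the
source of an echo request to the directed-broadcast address of an amplifier network, and every host on
that network answers the victim. The first check belongs on the amplifier side (are echo requests arriving
for one of our broadcast addresses?), the second on the victim side (are echo replies arriving that nobody
here asked for, from many different hosts?). Addresses are from the documentation ranges:

```python
import ipaddress
from collections import defaultdict

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8

# Constructed sample, one record per ICMP packet seen at the border of 192.0.2.0/24.
# Record 1 is the spoofed request (source forged as the victim 203.0.113.5); records 2-5
# are the amplified replies; the last two records are an ordinary, legitimate ping.
SAMPLE_PACKETS = [
    {"src": "203.0.113.5", "dst": "192.0.2.255", "icmp_type": ICMP_ECHO_REQUEST},
    {"src": "192.0.2.10", "dst": "203.0.113.5", "icmp_type": ICMP_ECHO_REPLY},
    {"src": "192.0.2.11", "dst": "203.0.113.5", "icmp_type": ICMP_ECHO_REPLY},
    {"src": "192.0.2.12", "dst": "203.0.113.5", "icmp_type": ICMP_ECHO_REPLY},
    {"src": "192.0.2.13", "dst": "203.0.113.5", "icmp_type": ICMP_ECHO_REPLY},
    {"src": "198.51.100.7", "dst": "192.0.2.10", "icmp_type": ICMP_ECHO_REQUEST},
    {"src": "192.0.2.10", "dst": "198.51.100.7", "icmp_type": ICMP_ECHO_REPLY},
]


def find_broadcast_echo_requests(packets, local_nets):
    """Amplifier-side check: echo requests addressed to the directed-broadcast address of one
    of our subnets. A border router that forwards these is an open Smurf amplifier."""
    broadcasts = {ipaddress.ip_network(n).broadcast_address for n in local_nets}
    return [p for p in packets
            if p["icmp_type"] == ICMP_ECHO_REQUEST
            and ipaddress.ip_address(p["dst"]) in broadcasts]


def find_unsolicited_reply_floods(packets, min_sources):
    """Victim-side check: echo replies for which the destination never sent a matching request,
    grouped by destination. Many distinct repliers to one host means that host's address is
    being spoofed in requests sent to an amplifier."""
    requests = {(p["src"], p["dst"]) for p in packets if p["icmp_type"] == ICMP_ECHO_REQUEST}
    repliers = defaultdict(set)
    for p in packets:
        if p["icmp_type"] == ICMP_ECHO_REPLY and (p["dst"], p["src"]) not in requests:
            repliers[p["dst"]].add(p["src"])
    return {victim: sorted(srcs) for victim, srcs in repliers.items()
            if len(srcs) >= min_sources}


if __name__ == "__main__":
    print("requests to a directed broadcast:",
          find_broadcast_echo_requests(SAMPLE_PACKETS, ["192.0.2.0/24"]))
    print("hosts receiving unsolicited replies:",
          find_unsolicited_reply_floods(SAMPLE_PACKETS, min_sources=3))
```

The legitimate ping at the end is not flagged by either check, because its reply matches a request that
was actually sent. The amplifier-side fix is to stop forwarding directed broadcasts at the router (on Cisco
IOS that is `no ip directed-broadcast` on the interface) and to filter packets leaving the network whose
source address is not one of its own, so the spoofed request cannot be sent from inside it either.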

QUESTION 41
Why are coaxial cables called "coaxial"?

A. it includes two physical channels that carries the signal surrounded (after a layer of insulation) by
another concentric physical channel, both running along the same axis.
B. it includes one physical channel that carries the signal surrounded (after a layer of insulation) by
another concentric physical channel, both running along the same axis
C. it includes two physical channels that carries the signal surrounded (after a layer of insulation) by
another two concentric physical channels, both running along the same axis.
D. it includes one physical channel that carries the signal surrounded (after a layer of insulation) by
another concentric physical channel, both running perpendicular and along the different axis

Correct Answer: B
Explanation

Explanation/Reference:
Coaxial cable is called "coaxial" because it includes one physical channel that carries the signal
surrounded (after a layer of insulation) by another concentric physical channel, both running along the
same axis.
The outer channel serves as a ground. Many of these cables or pairs of coaxial tubes can be placed in a
single outer sheathing and, with repeaters, can carry information for a great distance. Source: STEINER,
Kurt, Telecommunications and Network Security, Version 1, May 2002, CISSP Open Study Group (Domain
Leader: skottikus), Page 14.

QUESTION 42
The International Organization for Standardization / Open Systems Interconnection (ISO/OSI) Layer 7
does NOT include which of the following?

A. SMTP (Simple Mail Transfer Protocol)


B. TCP (Transmission Control Protocol )
C. SNMP (Simple Network Management Protocol
D. HTTP (Hypertext Transfer Protocol)

Correct Answer: B
Explanation

Explanation/Reference:
Layer 7, the Application Layer, provides specific services for applications such as:
FTP (File Transfer Protocol)
TFTP (Trivial File Transfer Protocol): used by some X-Terminal systems
HTTP (Hypertext Transfer Protocol)
SNMP (Simple Network Management Protocol): helps network managers locate and correct problems in a
TCP/IP network; used to gain information from network devices such as count of packets received and
routing tables
SMTP (Simple Mail Transfer Protocol): used by many email applications
TCP (Transmission Control Protocol) is a Layer 4 (transport layer) protocol, not a Layer 7 protocol.
Source: STEINER, Kurt, Telecommunications and Network Security, Version 1, May 2002, CISSP Open Study
Group (Domain Leader: skottikus), Page 12.

QUESTION 43
The International Standards Organization / Open Systems Interconnection (ISO/OSI) Layers does NOT
have which of the following characteristics?

A. Standard model for network communications


B. Used to gain information from network devices such as count of packets received and routing tables
C. Enables dissimilar networks to communicate
D. Defines 7 protocol layers (a.k.a. protocol stack)

Correct Answer: B
Explanation

Explanation/Reference:
The International Standards Organization / Open Systems Interconnection (ISO/OSI) layers have the
following characteristics:
Standard model for network communications
Enables dissimilar networks to communicate
Defines 7 protocol layers (a.k.a. protocol stack)
Each layer on one workstation communicates with its respective layer on another workstation using
protocols (i.e. agreed-upon communication formats)
"Mapping" each protocol to the model is useful for comparing protocols.
Gaining information from network devices such as count of packets received and routing tables is a
function of SNMP, an application layer protocol, not a characteristic of the model itself.
Mnemonics: Please Do Not Throw Sausage Pizza Away (bottom to top layer); All People Seem To Need
Data Processing (top to bottom layer). Source: STEINER, Kurt, Telecommunications and Network
Security, Version 1, May 2002, CISSP Open Study Group (Domain Leader: skottikus), Page 12.

QUESTION 44
The International Standards Organization / Open Systems Interconnection (ISO/OSI) Layers 6 is which of
the following?

A. Application Layer
B. Presentation Layer
C. Data Link Layer
D. Network Layer

Correct Answer: B
Explanation

Explanation/Reference:
International Standards Organization / Open Systems Interconnection (ISO/OSI) Layers and
Characteristics:

Layers:

1. Physical Layer
2. Data Link Layer
3. Network Layer
4. Transport Layer
5. Session Layer
6. Presentation Layer
7. Applications Layer

Here's a great mnemonic for the OSI model (bottom to top): "Please Do Not Throw Sausage Pizza Away". Source:
STEINER, Kurt, Telecommunications and Network Security, Version 1, May 2002, CISSP Open Study
Group (Domain Leader: skottikus), Page 12.

QUESTION 45
In telephony different types of connections are being used. The connection from the phone company's
branch office to local customers is referred to as which of the following choices?

A. new loop
B. local loop
C. loopback
D. indigenous loop

Correct Answer: B
Explanation

Explanation/Reference:
Transmission on fiber optic wire requires repeating at distance intervals. The glass fiber requires more
protection within an outer cable than copper. For these reasons and because the installation of any new
wiring is labor-intensive, few communities yet have fiber optic wires or cables from the phone company's
branch office to local customers (local loop). In telephony, a local loop is the wired connection from a
telephone company's central office in a locality to its customers' telephones at homes and businesses. This
connection is usually on a pair of copper wires called twisted pair. The system was originally designed for
voice transmission only using analog transmission technology on a single voice channel. Today, your
computer's modem makes the conversion between analog signals and digital signals. With Integrated
Services Digital Network (ISDN) or Digital Subscriber Line (DSL), the local loop can carry digital signals
directly and at a much higher bandwidth than they do for voice only.
Local Loop diagram
Image from: http://www.thenetworkencyclopedia.com/entry/local-loop/

The following are incorrect answers:

New loop: this is only a distractor and does not exist.
Loopback: in telephone systems, a loopback is a test signal sent to a network destination that is returned
as received to the originator. The returned signal may help diagnose a problem.
Indigenous loop: this is only a distractor and does not exist.

Reference(s) used for this question:


http://searchnetworking.techtarget.com/definition/local-loop and
STEINER, Kurt, Telecommunications and Network Security, Version 1, May 2002, CISSP Open Study
Group (Domain Leader: skottikus), Page 14.

QUESTION 46
Communications and network security relates to transmission of which of the following?

A. voice
B. voice and multimedia
C. data and multimedia
D. voice, data and multimedia

Correct Answer: D
Explanation

Explanation/Reference:
From the published (ISC)2 goals for the Certified Information Systems Security Professional candidate:
The CISSP candidate should be familiar to communications and network security as it relates to voice,
data, multimedia, and facsimile transmissions in terms of local area, wide area, and remote access.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 57.

QUESTION 47
One of the following assertions is NOT a characteristic of Internet Protocol Security (IPsec)

A. Data cannot be read by unauthorized parties


B. The identity of all IPsec endpoints are confirmed by other endpoints
C. Data is delivered in the exact order in which it is sent
D. The number of packets being exchanged can be counted.

Correct Answer: C
Explanation
Explanation/Reference:
IPsec provides replay protection, which ensures that data is not delivered multiple times; however, IPsec
does not ensure that data is delivered in the exact order in which it is sent. IPsec operates at the network
layer (ESP and AH are carried directly inside IP packets, not over TCP), so packets may be delivered out
of order to the receiving side depending on which route each packet took, and the anti-replay window is
designed to tolerate that.
Internet Protocol Security (IPsec) has emerged as the most commonly used network layer security control
for protecting communications. IPsec is a framework of open standards for ensuring private
communications over IP networks. Depending on how IPsec is implemented and configured, it can provide
any combination of the following types of protection:

Confidentiality. IPsec can ensure that data cannot be read by unauthorized parties. This is accomplished
by encrypting data using a cryptographic algorithm and a secret key, a value known only to the two parties
exchanging data. The data can only be decrypted by someone who has the secret key.
Integrity. IPsec can determine if data has been changed (intentionally or unintentionally) during transit. The
integrity of data can be assured by generating a message authentication code (MAC) value, which is a
cryptographic checksum of the data. If the data is altered and the MAC is recalculated, the old and new
MACs will differ.
Peer Authentication. Each IPsec endpoint confirms the identity of the other IPsec endpoint with which it
wishes to communicate, ensuring that the network traffic and data is being sent from the expected host.
Replay Protection. The same data is not delivered multiple times, and data is not delivered grossly out of
order. However, IPsec does not ensure that data is delivered in the exact order in which it is sent.
Traffic Analysis Protection. A person monitoring network traffic does not know which parties are
communicating, how often communications are occurring, or how much data is being exchanged.
However, the number of packets being exchanged can be counted.
Access Control. IPsec endpoints can perform filtering to ensure that only authorized IPsec users can
access particular network resources. IPsec endpoints can also allow or block certain types of network
traffic, such as allowing Web server access but denying file sharing.

The following are incorrect answers because they are all features provided by IPsec:
"Data cannot be read by unauthorized parties" is wrong because IPsec provides confidentiality through the
Encapsulating Security Payload (ESP) protocol; once encrypted, the data cannot be read by unauthorized
parties because they have access only to the ciphertext. This is accomplished by encrypting data using a
cryptographic algorithm and a session key, a value known only to the two parties exchanging data. The
data can only be decrypted by someone who has a copy of the session key.
"The identity of all IPsec endpoints are confirmed by other endpoints" is wrong because IPsec provides
peer authentication: Each IPsec endpoint confirms the identity of the other IPsec endpoint with which it
wishes to communicate, ensuring that the network traffic and data is being sent from the expected host.
"The number of packets being exchanged can be counted" is wrong because although IPsec provides
traffic protection where a person monitoring network traffic does not know which parties are
communicating, how often communications are occurring, or how much data is being exchanged, the
number of packets being exchanged still can be counted.
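The replay-protection behaviour described above, "not delivered multiple times, and not delivered grossly
out of order, but no guarantee of exact order", is exactly what the receiver's anti-replay window gives you.
The following is an added Python model of that window (it is not code from the exam guide or from NIST
SP 800-77, and it omits the integrity check that a real ESP receiver performs before updating the window);
the window size and the sequence of arrivals are constructed for the example. A late packet that still falls
inside the window is accepted, a packet already seen is rejected as a replay, and a packet older than the
window is dropped even though it was never seen:

```python
class AntiReplayWindow:
    """Receiver-side anti-replay check modelled on the ESP sliding window (RFC 4303,
    section 3.4.3). A bitmap anchored at the highest sequence number seen records which
    of the most recent `size` sequence numbers have already been accepted."""

    def __init__(self, size: int = 64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32 packets")
        self.size = size
        self.mask = (1 << size) - 1
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence number (highest - i) was received

    def accept(self, seq: int) -> bool:
        """Return True and record seq if it is new and inside the window, else False.
        (A real receiver verifies the packet's ICV before recording it; omitted here.)"""
        if seq == 0:                           # ESP sequence numbers start at 1
            return False
        if seq > self.highest:                 # newer than anything seen: slide the window
            shift = seq - self.highest
            self.bitmap = (self.bitmap << shift) & self.mask if shift < self.size else 0
            self.bitmap |= 1                   # bit 0 is the new highest
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:                # older than the window: drop, even if unseen
            return False
        if self.bitmap & (1 << offset):        # already received: replay
            return False
        self.bitmap |= 1 << offset             # late but unseen: accept out of order
        return True


def replay_demo():
    """Feed a constructed arrival order through a 64-packet window; return (seq, accepted)."""
    window = AntiReplayWindow(64)
    arrivals = (1, 3, 2, 2, 200, 100, 150, 150)
    return [(seq, window.accept(seq)) for seq in arrivals]


if __name__ == "__main__":
    for seq, ok in replay_demo():
        print(f"seq {seq:>4}: {'accepted' if ok else 'rejected'}")
```

Sequence 2 arriving after 3 is accepted (out of order, inside the window); the second copy of 2 is a replay;
100 arriving after 200 is rejected because it is 100 behind the highest and the window only covers 64; 150
is accepted because it is 50 behind. Nothing here reorders packets, which is why IPsec cannot promise
in-order delivery: that is left to TCP or the application running inside the tunnel.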

Reference(s) used for this question:


NIST 800-77 Guide to IPsec VPNs . Pages 2-3 to 2-4

QUESTION 48
One of these statements about the key elements of a good configuration process is NOT true

A. Accommodate the reuse of proven standards and best practices


B. Ensure that all requirements remain clear, concise, and valid
C. Control modifications to system hardware in order to prevent resource changes
D. Ensure changes, standards, and requirements are communicated promptly and precisely

Correct Answer: C
Explanation

Explanation/Reference:
Configuration management isn't about preventing change but ensuring the integrity of IT resources by
preventing unauthorised or improper changes. According to the Official ISC2 guide to the CISSP exam, a
good CM process is one that can:

(1) accommodate change;
(2) accommodate the reuse of proven standards and best practices;
(3) ensure that all requirements remain clear, concise, and valid;
(4) ensure changes, standards, and requirements are communicated promptly and precisely; and
(5) ensure that the results conform to each instance of the product.
Configuration management
Configuration management (CM) is the detailed recording and updating of information that describes an
enterprise's computer systems and networks, including all hardware and software components. Such
information typically includes the versions and updates that have been applied to installed software
packages and the locations and network addresses of hardware devices. Special configuration
management software is available. When a system needs a hardware or software upgrade, a computer
technician can access the configuration management program and database to see what is currently
installed. The technician can then make a more informed decision about the upgrade needed.
An advantage of a configuration management application is that the entire collection of systems can be
reviewed to make sure any changes made to one system do not adversely affect any of the other systems
Configuration management is also used in software development, where it is called Unified Configuration
Management (UCM). Using UCM, developers can keep track of the source code, documentation,
problems, changes requested, and changes made.
Change management
In a computer system environment, change management refers to a systematic approach to keeping track
of the details of the system (for example, what operating system release is running on each computer and
which fixes have been applied).

QUESTION 49
One of the following statements about the differences between PPTP and L2TP is NOT true

A. PPTP can run only on top of IP networks.


B. PPTP is an encryption protocol and L2TP is not.
C. L2TP works well with all firewalls and network devices that perform NAT.
D. L2TP supports AAA servers

Correct Answer: C
Explanation

Explanation/Reference:
L2TP, and the IPsec that normally protects it, is affected by packet header modification, so an L2TP tunnel
does not work with every firewall or network device that performs NAT; the statement in C is therefore
the false one.
"PPTP can run only on top of IP networks." is correct: PPTP encapsulates PPP frames in GRE packets
carried over IP, which allows PPTP to tunnel many network protocols across an IP network.
"PPTP is an encryption protocol and L2TP is not." is correct in the sense the exam intends: when PPTP is
used, the PPP payload is encrypted with Microsoft Point-to-Point Encryption (MPPE), keyed from MS-CHAP
or EAP-TLS authentication, whereas L2TP provides no encryption of its own and relies on IPsec for it.
"L2TP supports AAA servers" is correct, as L2TP supports TACACS+ and RADIUS.

NOTE:
L2TP over IPsec can work through NAT by using IPsec NAT Traversal (NAT-T), which wraps every ESP
packet in a UDP packet; UDP port 4500 is used for this purpose. No equivalent exists for PPTP, and even
with NAT-T it is not true that L2TP works well with all firewalls and NAT devices.

References:
All in One Third Edition page 545
Official Guide to the CISSP Exam page 124-126

QUESTION 50
You have been tasked to develop an effective information classification program. Which one of the
following steps should be performed first?

A. Establish procedures for periodically reviewing the classification and ownership


B. Specify the security controls required for each classification level
C. Identify the data custodian who will be responsible for maintaining the security level of data
D. Specify the criteria that will determine how data is classified

Correct Answer: D
Explanation

Explanation/Reference:
According to the AIO 3rd edition, these are the necessary steps for a proper classification program:
1. Define classification levels.
2. Specify the criteria that will determine how data is classified.
3. Have the data owner indicate the classification of the data she is responsible for.
4. Identify the data custodian who will be responsible for maintaining data and its security level.
5. Indicate the security controls, or protection mechanisms, that are required for each classification level.
6. Document any exceptions to the previous classification issues.
7. Indicate the methods that can be used to transfer custody of the information to a different data owner.
8. Create a procedure to periodically review the classification and ownership. Communicate any changes
to the data custodian.
9. Indicate termination procedures for declassifying the data.
10. Integrate these issues into the security-awareness program so that all employees understand how to
handle data at different classification levels.

Domain: Information security and risk management


Reference: AIO 3rd edition page 50

QUESTION 51
In the course of responding to and handling an incident, you work on determining the root cause of the
incident. Which step are you in?

A. Recovery
B. Containment
C. Triage
D. Analysis and tracking

Correct Answer: D
Explanation

Explanation/Reference:
In this step, your main objective is to examine and analyze what has occurred and focus on determining
the root cause of the incident.
Recovery is incorrect, as recovery is about resuming operations or bringing affected systems back into
production.
Containment is incorrect, as containment is about reducing the potential impact of an incident.
Triage is incorrect, as triage is about determining the seriousness of the incident and filtering out false
positives.

Reference:
Official Guide to the CISSP CBK, pages 700-704

QUESTION 52
Which of the following assertions is NOT true about pattern matching and anomaly detection in intrusion
detection?

A. Anomaly detection tends to produce more data
B. A pattern matching IDS can only identify known attacks
C. Stateful matching scans for attack signatures by analyzing individual packets instead of traffic streams
D. An anomaly-based engine develops baselines of normal traffic activity and throughput, and alerts on
deviations from these baselines

Correct Answer: C
Explanation

Explanation/Reference:
Option C is the false statement, which makes it the correct choice. Stateful matching scans for attack
signatures by analyzing traffic streams rather than individual packets; it takes pattern matching to the next
level by keeping state across packets so that the separate steps of a multi-packet attack can be tied
together. As networks become faster there is an emerging need for security analysis techniques that can
keep up with the increased network throughput. Existing network-based intrusion detection sensors can
barely keep up with bandwidths of a few hundred Mbps, and the analysis tools that can deal with higher
throughput are either unable to maintain state between the different steps of an attack or are limited to the
analysis of packet headers.
The following answers are all incorrect:
"Anomaly detection tends to produce more data" is true, as an anomaly-based IDS produces a lot of data:
any activity outside of expected behavior is recorded.
"A pattern matching IDS can only identify known attacks" is true, as a pattern matching IDS works by
comparing traffic streams against signatures, and these signatures are created for known attacks.
"An anomaly-based engine develops baselines of normal traffic activity and throughput, and alerts on
deviations from these baselines" is true, as this is the defining characteristic of a statistical anomaly-based
IDS.

Reference:
Official guide to the CISSP CBK. Pages 198 to 201
http://cs.ucsb.edu/~vigna/publications/2003_vigna_robertson_kher_kemmerer_ACSAC03.pdf
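A minimal illustration of the two engine types this question compares, added here as an example (it is not from the CISSP guide): a signature engine that can only match patterns it already knows, and a statistical engine that alerts on deviation from a per-host request-rate baseline. The log lines, the three signatures, the baseline figures and the z-score threshold are all constructed for the example. Note that each engine misses what the other catches: the request flood from one host is invisible to the signatures, and the single injection attempts never move the volume statistics.

```python
"""Signature (pattern) matching versus statistical anomaly detection.

Added example, not from the CISSP guide. The log, the signatures, the baseline
and the threshold below are constructed for illustration only."""
import re
import statistics
from collections import Counter

# Constructed sample log: (client_ip, request_line)
SAMPLE_LOG = [
    ("10.0.0.5", "GET /index.html"),
    ("10.0.0.5", "GET /about.html"),
    ("10.0.0.7", "GET /login?user=admin' OR '1'='1"),          # known SQLi pattern
    ("10.0.0.9", "GET /search?q=<script>alert(1)</script>"),   # known XSS pattern
    ("10.0.0.7", "GET /files?path=../../etc/passwd"),          # known traversal pattern
    ("10.0.0.8", "GET /new-endpoint?x=1"),                     # unknown, looks benign
] + [("10.0.0.42", f"GET /page{i}.html") for i in range(60)]  # one very busy host

# Signature engine: it can only flag what is already in its pattern list.
SIGNATURES = {
    "sqli": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
    "xss": re.compile(r"<script\b", re.IGNORECASE),
    "traversal": re.compile(r"\.\./"),
}

def signature_alerts(log):
    """Return [(ip, signature_name)] for every request matching a known signature."""
    hits = []
    for ip, req in log:
        for name, pattern in SIGNATURES.items():
            if pattern.search(req):
                hits.append((ip, name))
    return hits

# Anomaly engine: a baseline of requests-per-host, alerting on large deviations.
# Constructed baseline: requests per host observed during a quiet period.
BASELINE = [3, 4, 2, 5, 3, 4, 6, 2, 3, 4]

def anomaly_alerts(log, baseline_counts, z_threshold=3.0):
    """Flag hosts whose request count lies more than z_threshold standard
    deviations above the baseline mean. Returns [(ip, count)]."""
    mean = statistics.mean(baseline_counts)
    stdev = statistics.pstdev(baseline_counts) or 1.0  # avoid division by zero on a flat baseline
    counts = Counter(ip for ip, _ in log)
    return [(ip, n) for ip, n in counts.items() if (n - mean) / stdev > z_threshold]
```

Running both engines over SAMPLE_LOG gives three signature hits (all from 10.0.0.7 and 10.0.0.9) and one anomaly alert for 10.0.0.42, which made 60 requests against a baseline mean of 3.6; the request to the unknown endpoint triggers neither, which is the blind spot of both approaches.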

QUESTION 53
Which of the following is NOT a characteristic of a host-based intrusion detection system?

A. A HIDS does not consume large amounts of system resources
B. A HIDS can analyse system logs, processes and resources
C. A HIDS looks for unauthorized changes to the system
D. A HIDS can notify system administrators when unusual events are identified

Correct Answer: A
Explanation

Explanation/Reference:
"A HIDS does not consume large amounts of system resources" is the correct choice because it is false: a
HIDS can consume inordinate amounts of CPU and system resources in order to function effectively,
especially during an event.
All the other answers are characteristics of a HIDS.

A HIDS can:
- scrutinize event logs, critical system files, and other auditable system resources;
- look for unauthorized changes or suspicious patterns of behavior or activity;
- send alerts when unusual events are discovered.

Reference:
Official guide to the CISSP CBK. Pages 197 to 198.

QUESTION 54
Which of the following is NOT a correct notation for an IPv6 address?

A. 2001:0db8:0:0:0:0:1428:57ab
B. ABCD:EF01:2345:6789:
C. ABCD:EF01:2345:6789::1
D. 2001:DB8::8:800::417A

Correct Answer: D
Explanation

Explanation/Reference:
This is not a correct notation for an IPv6 address because "::" can appear only once in an address. "::" is a
shortcut notation that stands for one or more consecutive groups of 16 zero bits; if it were allowed twice,
the number of groups each occurrence represents would be ambiguous. ::1 is the loopback address written
with this notation. Note that option B is not a valid address either (a single trailing colon and only four
groups); the answer the question intends is D, whose double "::" is the textbook error.
Reference: IP Version 6 Addressing Architecture
http://tools.ietf.org/html/rfc4291#section-2.1
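A checker for the notation rules the explanation cites, added here as an example (it is not part of the exam guide). It implements the textual-representation rules of RFC 4291 section 2.2 for the plain hexadecimal form only: eight groups of one to four hex digits, and "::" at most once and standing for at least one all-zero group. Embedded IPv4 forms and zone identifiers are deliberately left out. The four candidate strings are the options from the question, and the result is cross-checked against Python's ipaddress module.

```python
"""RFC 4291 textual-notation check for IPv6 addresses (added example, not from
the exam guide). Handles the plain hex form only: no embedded IPv4, no %zone."""
import ipaddress

HEX = set("0123456789abcdefABCDEF")

def _groups_ok(part):
    """Every colon-separated group is 1 to 4 hex digits. An empty part is fine:
    it is what remains on one side of "::" when "::" starts or ends the address."""
    if part == "":
        return True
    return all(1 <= len(g) <= 4 and set(g) <= HEX for g in part.split(":"))

def is_valid_ipv6_text(addr):
    """True if addr is a valid RFC 4291 textual IPv6 address (plain hex form)."""
    if addr.count("::") > 1:
        return False                      # "::" is permitted only once
    if "::" in addr:
        left, right = addr.split("::")
        if not (_groups_ok(left) and _groups_ok(right)):
            return False
        written = (len(left.split(":")) if left else 0) + (len(right.split(":")) if right else 0)
        return written <= 7               # "::" must stand for at least one group
    return _groups_ok(addr) and len(addr.split(":")) == 8

# The four options from the question above.
OPTIONS = {
    "A": "2001:0db8:0:0:0:0:1428:57ab",
    "B": "ABCD:EF01:2345:6789:",
    "C": "ABCD:EF01:2345:6789::1",
    "D": "2001:DB8::8:800::417A",
}

def classify_options():
    """Map each option letter to whether it is a valid notation."""
    return {letter: is_valid_ipv6_text(addr) for letter, addr in OPTIONS.items()}

def agrees_with_stdlib(addr):
    """Cross-check: does the standard library reach the same verdict?"""
    try:
        ipaddress.IPv6Address(addr)
        std_valid = True
    except ipaddress.AddressValueError:
        std_valid = False
    return std_valid == is_valid_ipv6_text(addr)
```

classify_options() returns A and C as valid and B and D as invalid, and agrees_with_stdlib() holds for all four; the last check also covers the subtler case "1:2:3:4:5:6:7::8", where "::" appears once but would have to stand for zero groups.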

QUESTION 55
Another example of Computer Incident Response Team (CIRT) activities is:

A. Management of the netware logs, including collection, retention, review, and analysis of data
B. Management of the network logs, including collection and analysis of data
C. Management of the network logs, including review and analysis of data
D. Management of the network logs, including collection, retention, review, and analysis of data

Correct Answer: D
Explanation

Explanation/Reference:
Additional examples of CIRT activities are:
- Management of the network logs, including collection, retention, review, and analysis of data
- Management of the resolution of an incident, management of the remediation of a vulnerability, and post-
event reporting to the appropriate parties.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 64.

QUESTION 56
An area of the Telecommunications and Network Security domain that directly affects the Information
Systems Security tenet of Availability can be defined as:

A. Netware availability
B. Network availability
C. Network acceptability
D. Network accountability

Correct Answer: B
Explanation

Explanation/Reference:
Network availability can be defined as an area of the Telecommunications and Network Security domain
that directly affects the Information Systems Security tenet of Availability. "Netware availability" is a
distracter: NetWare is a Novell product name, not an area of the domain. Source: KRUTZ, Ronald L. &
VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John
Wiley & Sons, Page 64.

QUESTION 57
Which of the following is the correct set of assurance requirements for EAL 5?

A. Semiformally verified design and tested
B. Semiformally tested and checked
C. Semiformally designed and tested
D. Semiformally verified tested and checked

Correct Answer: C
Explanation

Explanation/Reference:
Under the Common Criteria model, an evaluation is carried out on a product and is assigned an Evaluation
Assurance Level (EAL). The testing becomes more thorough and stringent, with more detail-oriented tasks,
as the assurance levels increase. The Common Criteria has seven assurance levels. The range is from EAL1,
where functionality testing takes place, to EAL7, where thorough testing is performed and the system
design is verified. The Orange Book and the Rainbow Series provide evaluation schemes that are too rigid
and narrowly defined for the business world. ITSEC attempted to provide a more flexible approach by
separating the functionality and assurance attributes and considering the evaluation of entire systems.
However, this flexibility added complexity because evaluators could mix and match functionality and
assurance ratings, which resulted in too many classifications to keep straight. Because we are a species
that continues to try to get it right, the next attempt for an effective and usable evaluation criteria was the
Common Criteria. In 1990, the International Organization for Standardization (ISO) identified the need for
international standard evaluation criteria to be used globally. The Common Criteria project started in 1993
when several organizations came together to combine and align existing and emerging evaluation criteria
(TCSEC, ITSEC, Canadian Trusted Computer Product Evaluation Criteria [CTCPEC], and the Federal
Criteria). The Common Criteria was developed through a collaboration among national security standards
organizations within the United States, Canada, France, Germany, the United Kingdom, and the
Netherlands. The benefit of having a globally recognized and accepted set of criteria is that it helps
consumers by reducing the complexity of the ratings and eliminating the need to understand the definition
and meaning of different ratings within various evaluation schemes. This also helps vendors, because now
they can build to one specific set of requirements if they want to sell their products internationally, instead
of having to meet several different ratings with varying rules and requirements.

The full list of assurance requirements for the Evaluation Assurance Levels is provided below:

EAL 1: The product is functionally tested; this is sought when some assurance in accurate operation is
necessary, but the threats to security are not seen as serious.

EAL 2: Structurally tested; this is sought when developers or users need a low to moderate level of
independently guaranteed security.

EAL 3: Methodically tested and checked; this is sought when there is a need for a moderate level of
independently ensured security.

EAL 4: Methodically designed, tested, and reviewed; this is sought when developers or users require a
moderate to high level of independently ensured security.

EAL 5: Semiformally designed and tested; this is sought when the requirement is for a high level of
independently ensured security.

EAL 6: Semiformally verified, designed, and tested; this is sought when developing specialized TOEs for
high-risk situations.

EAL 7: Formally verified, designed, and tested; this is sought when developing a security TOE for
application in extremely high-risk situations.

EALs are frequently misunderstood to provide a simple means to compare security products with similar
levels. In fact, products may be very different even if they are assigned the same EAL level, since
functionality may have little in common.

Reference(s) used for this question:
Corporate; (Isc)² (2010-04-20). Official (ISC)2 Guide to the CISSP CBK, Second Edition ((ISC)2 Press)
(Kindle Locations 15157-15169). Taylor & Francis. Kindle Edition.
and
Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 8730-8742).
McGraw-Hill. Kindle Edition.

QUESTION 58
Which of the following defines when RAID separates the data into multiple units and stores it on multiple
disks?

A. striping
B. scanning
C. screening
D. shadowing

Correct Answer: A
Explanation

Explanation/Reference:
Basically, RAID separates the data into multiple units and stores it on multiple disks by using a process
called "striping".
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 65.

QUESTION 59
What is the process that RAID Level 0 uses as it creates one large disk by using several disks?
A. striping
B. mirroring
C. integrating
D. clustering

Correct Answer: A
Explanation

Explanation/Reference:
RAID Level 0 creates one large disk by using several disks. This process is called striping. Source:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 65.

QUESTION 60
RAID Level 1 mirrors the data from one disk or set of disks using which of the following techniques?

A. duplicating the data onto another disk or set of disks.
B. moving the data onto another disk or set of disks.
C. establishing dual connectivity to another disk or set of disks.
D. establishing dual addressing to another disk or set of disks.

Correct Answer: A
Explanation

Explanation/Reference:
RAID Level 1 mirrors the data from one disk or set of disks by duplicating the data onto another disk or set
of disks.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 65.

QUESTION 61
Which of the following stripes the data and the parity information at the block level across all the drives in
the set?

A. RAID Level 5
B. RAID Level 0
C. RAID Level 2
D. RAID Level 1

Correct Answer: A
Explanation

Explanation/Reference:
RAID Level 5 stripes the data and the parity information at the block level across all the drives in the set.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 66.

QUESTION 62
A group of independent servers, which are managed as a single system, that provides higher availability,
easier manageability, and greater scalability is:

A. server cluster.
B. client cluster.
C. guest cluster.
D. host cluster.

Correct Answer: A
Explanation
Explanation/Reference:
A server cluster is a group of independent servers, which are managed as a single system, that provides
higher availability, easier manageability, and greater scalability. Source: KRUTZ, Ronald L. & VINES,
Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley &
Sons, Page 67.

QUESTION 63
If any server in the cluster crashes, processing continues transparently, however, the cluster suffers some
performance degradation. This implementation is sometimes called a:

A. server farm
B. client farm
C. cluster farm
D. host farm

Correct Answer: A
Explanation

Explanation/Reference:
If any server in the cluster crashes, processing continues transparently, however, the cluster suffers some
performance degradation. This implementation is sometimes called a "server farm." Source: KRUTZ,
Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
2001, John Wiley & Sons, Page 67.

QUESTION 64
Which of the following backup methods is primarily run when time and tape space permits, and is used for
the system archive or baselined tape sets?

A. full backup method.
B. incremental backup method.
C. differential backup method.
D. tape backup method.

Correct Answer: A
Explanation

Explanation/Reference:
The Full Backup Method is primarily run when time and tape space permits, and is used for the system
archive or baselined tape sets.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 69.

QUESTION 65
Which backup method is used if backup time is critical and tape space is at an extreme premium?

A. Incremental backup method.
B. Differential backup method.
C. Full backup method.
D. Tape backup method.

Correct Answer: A
Explanation

Explanation/Reference:
Full Backup/Archival Backup: a complete backup of every selected file on the system, regardless of
whether it has been backed up recently. This is the slowest of the backup methods since it copies all the
data, but the fastest to restore from, since a single set holds everything.
Incremental Backup: only the files that have been modified since the last backup of any kind (full or
incremental) are backed up. The archive attribute is cleared on each file as it is copied, marking it as
backed up. This is the fastest of the backup methods and uses the least tape space, but the slowest to
restore from, because the last full backup and every incremental taken since then must be applied in order.
Differential Backup: all files that have been modified since the last full backup are backed up. The archive
bit is used to find the changed files but is not cleared, so the differential set grows each day until the next
full backup clears the attributes. A restore needs only the last full backup plus the last differential, which
makes this the middle ground: not as fast to back up as incremental, not as fast to restore as full.

An easy way to remember the properties of each backup type:

Method         Backup speed   Restore speed
Full           3              1
Differential   2              2
Incremental    1              3

Legend: 1 = fastest, 2 = faster, 3 = slowest

Source:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 69.
and
http://www.proprofs.com/mwiki/index.php/Full_Backup,_Incremental_%26_Differential_Backup

QUESTION 66
Hierarchical Storage Management (HSM) is commonly employed in:

A. very large data retrieval systems.
B. very small data retrieval systems.
C. shorter data retrieval systems.
D. most data retrieval systems.

Correct Answer: A
Explanation

Explanation/Reference:
Hierarchical Storage Management (HSM) is commonly employed in very large data retrieval systems.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 71.
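The three methods compared in the table under Question 65, simulated with an archive bit over a working week. This is an added example, not from the Prep Guide. The volume, its three files, their sizes and the schedule of modifications are constructed for the illustration, and file deletions are not modelled. It shows why restoring from an incremental chain needs every set since the full backup while a differential needs only the last one.

```python
"""Full, differential and incremental backups driven by the archive bit.
Added example, not from the Prep Guide; files, sizes and schedule are constructed."""

class Volume:
    """A toy filesystem: name -> [size, archive_bit]. A new or modified file has its bit set."""
    def __init__(self, files):
        self.files = {name: [size, True] for name, size in files.items()}

    def modify(self, name, size):
        self.files[name] = [size, True]

    def snapshot(self):
        return {name: size for name, (size, _) in self.files.items()}

def full_backup(vol):
    """Copy every file and clear every archive bit."""
    copied = vol.snapshot()
    for entry in vol.files.values():
        entry[1] = False
    return copied

def incremental_backup(vol):
    """Copy files changed since the last backup of ANY kind, then clear their bits."""
    copied = {name: size for name, (size, flagged) in vol.files.items() if flagged}
    for entry in vol.files.values():
        entry[1] = False
    return copied

def differential_backup(vol):
    """Copy files changed since the last FULL backup; bits stay set, so the set keeps growing."""
    return {name: size for name, (size, flagged) in vol.files.items() if flagged}

def restore(full_set, later_sets):
    """Apply the full set, then the later sets in order; the last copy of a file wins."""
    state = dict(full_set)
    for backup_set in later_sets:
        state.update(backup_set)
    return state

def run_week(strategy):
    """Monday full backup, then one backup per day with `strategy` after each change.
    Returns the bytes copied each day and whether two restore approaches reproduce the volume."""
    vol = Volume({"db.sqlite": 500, "app.log": 20, "notes.txt": 5})  # constructed
    full_set = full_backup(vol)
    sets = []
    for name, size in [("app.log", 30), ("notes.txt", 6), ("app.log", 40), ("db.sqlite", 520)]:
        vol.modify(name, size)
        sets.append(strategy(vol))
    return {
        "daily_sizes": [sum(s.values()) for s in sets],
        "restore_all_sets_ok": restore(full_set, sets) == vol.snapshot(),
        "restore_last_set_only_ok": restore(full_set, sets[-1:]) == vol.snapshot(),
    }
```

run_week(incremental_backup) copies 30, 6, 40 and 520 bytes on the four days and restores correctly only when all four sets are replayed; run_week(differential_backup) copies 30, 36, 46 and 566 bytes, growing daily, but the last set alone is enough; run_week(full_backup) copies the whole volume every day. That is the trade-off the table encodes.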

QUESTION 66
Which of the following is immune to the effects of electromagnetic interference (EMI) and therefore has a
much longer effective usable length?

A. Fiber Optic cable
B. Coaxial cable
C. Twisted Pair cable
D. Axial cable

Correct Answer: A
Explanation

Explanation/Reference:
Fiber Optic cable is immune to the effects of electromagnetic interference (EMI) and therefore has a much
longer effective usable length (up to two kilometers in some cases). Source: KRUTZ, Ronald L. & VINES,
Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley &
Sons, Page 72.

QUESTION 67
Which of the following methods of providing telecommunications continuity involves the use of an
alternative media?

A. Alternative routing
B. Diverse routing
C. Long haul network diversity
D. Last mile circuit protection

Correct Answer: A
Explanation
Explanation/Reference:
Alternative routing is a method of routing information via an alternate medium such as copper cable or fiber
optics. This involves use of different networks, circuits or end points should the normal network be
unavailable. Diverse routing routes traffic through split cable facilities or duplicate cable facilities. This can
be accomplished with different and/or duplicate cable sheaths. If different cable sheaths are used, the
cable may be in the same conduit and therefore subject to the same interruptions as the cable it is backing
up. The communication service subscriber can duplicate the facilities by having alternate routes, although
the entrance to and from the customer premises may be in the same conduit. The subscriber can obtain
diverse routing and alternate routing from the local carrier, including dual entrance facilities. This type of
access is time-consuming and costly. Long haul network diversity is a diverse long-distance network
utilizing T1 circuits among the major long-distance carriers. It ensures long-distance access should any
one carrier experience a network failure. Last mile circuit protection is a redundant combination of local
carrier T1s microwave and/or coaxial cable access to the local communications loop. This enables the
facility to have access during a local carrier communication disaster. Alternate local carrier routing is also
utilized.
Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002
review manual, chapter 5: Disaster Recovery and Business Continuity (page 259).

QUESTION 68
Which SERVICE usually runs on port 25?

A. File Transfer Protocol (FTP)
B. Telnet
C. Simple Mail Transfer Protocol (SMTP)
D. Domain Name Service (DNS)

Correct Answer: C
Explanation

Explanation/Reference:
FTP - Port 21
Telnet - Port 23
SMTP - Port 25
DNS - Port 53

The port numbers are divided into three ranges: the Well Known Ports, the Registered Ports, and the
Dynamic and/or Private Ports.

The Well Known Ports are those from 0 through 1023.


The Registered Ports are those from 1024 through 49151. The Dynamic and/or Private Ports are those
from 49152 through 65535.

Reference: http://www.iana.org/assignments/port-numbers

For the purpose of the exam you DO NOT need to know all of the 65,535 ports, but you must know the ones
that are very commonly used.

QUESTION 69
Which port does the Post Office Protocol Version 3 (POP3) make use of?

A. 110
B. 109
C. 139
D. 119

Correct Answer: A
Explanation

Explanation/Reference:
The other answers are not correct; the protocol/port matrix is:

Post Office Protocol version 2 (POP2)       109
Network News Transfer Protocol (NNTP)       119
NetBIOS Session Service                     139

QUESTION 70
Which of the following are WELL KNOWN PORTS assigned by the IANA?

A. Ports 0 to 255
B. Ports 0 to 1024
C. Ports 0 to 1023
D. Ports 0 to 127

Correct Answer: C
Explanation

Explanation/Reference:
The port numbers are divided into three ranges: the Well Known Ports, the Registered Ports, and the
Dynamic and/or Private Ports. The range for assigned "Well Known" ports managed by the IANA (Internet
Assigned Numbers Authority) is 0-1023.
Source: iana.org: port assignments.

QUESTION 71
What is the maximum length of cable that can be used for a twisted-pair, Category 5 10Base-T cable?

A. 80 meters
B. 100 meters
C. 185 meters
D. 500 meters

Correct Answer: B
Explanation

Explanation/Reference:
As a signal travels through a medium, it attenuates (loses strength) and at some point becomes
indistinguishable from noise. To assure trouble-free communication, maximum cable lengths are set
between nodes so that attenuation will not cause a problem. The maximum CAT-5 UTP cable length
between two nodes for 10BASE-T is 100 meters.

The following answers are incorrect:
80 meters: only a distracter.
185 meters: the maximum segment length for 10Base-2 (thin coaxial).
500 meters: the maximum segment length for 10Base-5 (thick coaxial).

QUESTION 72
Secure Sockets Layer (SSL) is very heavily used for protecting which of the following?

A. Web transactions.
B. EDI transactions.
C. Telnet transactions.
D. Electronic Payment transactions.

Correct Answer: A
Explanation

Explanation/Reference:
SSL was developed by Netscape Communications Corporation to improve the security and privacy of HTTP
transactions.
SSL is one of the most common protocols used to protect Internet traffic. It encrypts messages using
symmetric algorithms such as IDEA, DES, 3DES and Fortezza, and calculates a MAC for each message
using MD5 or SHA-1. The MAC is appended to the message and encrypted along with the message data.
The symmetric keys are exchanged through various versions of Diffie-Hellman or RSA. TLS is the Internet
standard based on SSLv3. TLSv1 is backward compatible with SSLv3 and uses the same algorithms;
however, it computes an HMAC instead of the SSLv3 MAC, along with other enhancements to improve
security. Note that every version of SSL has since been deprecated (SSLv3 by RFC 7568), so in practice
"SSL" now means TLS, and TLS 1.2 and 1.3 are the versions that should be enabled.

The following are incorrect answers:
"EDI transactions" is incorrect. Electronic Data Interchange (EDI) is not the best answer to this question,
though SSL could play a part in some EDI transactions.
"Telnet transactions" is incorrect. Telnet is a character-mode protocol and is more likely to be secured by
Secure Telnet or replaced by the Secure Shell (SSH) protocols.
"Electronic payment transactions" is incorrect. Electronic payment is not the best answer to this question,
though SSL could play a part in some electronic payment transactions.

Reference(s) used for this question:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2
Press) (Kindle Locations 16615-16619). Auerbach Publications. Kindle Edition.
and
http://en.wikipedia.org/wiki/Transport_Layer_Security

QUESTION 73
Transport Layer Security (TLS) is a two-layered socket layer security protocol that contains the TLS
Record Protocol and the::

A. Transport Layer Security (TLS) Internet Protocol.
B. Transport Layer Security (TLS) Data Protocol.
C. Transport Layer Security (TLS) Link Protocol.
D. Transport Layer Security (TLS) Handshake Protocol.

Correct Answer: D
Explanation

Explanation/Reference:
The TLS Handshake Protocol is the second of the two layers. It negotiates the protocol version and cipher
suite, authenticates the peers (the server with a certificate, the client optionally) and establishes the
session keys; the TLS Record Protocol then fragments, optionally compresses, MACs and encrypts
application data with those keys.
"Transport Layer Security (TLS) Internet Protocol" is incorrect. There is no such protocol.
"Transport Layer Security (TLS) Data Protocol" is incorrect. There is no such protocol.
"Transport Layer Security (TLS) Link Protocol" is incorrect. There is no such protocol.

References
CBK, pp. 496 - 497

QUESTION 74
Similar to Secure Shell (SSH-2), Secure Sockets Layer (SSL) uses symmetric encryption for encrypting the
bulk of the data being sent over the session and it uses asymmetric or public key cryptography for:

A. Peer Authentication
B. Peer Identification
C. Server Authentication
D. Name Resolution

Correct Answer: A
Explanation

Explanation/Reference:
SSL provides for Peer Authentication. Though peer authentication is possible, authentication of the client is
seldom used in practice when connecting to public e-commerce web sites. Once authentication is
complete, confidentiality is assured over the session by the use of symmetric encryption in the interests of
better performance.

The following answers were all incorrect:
"Peer identification" is incorrect. The desired attribute is assurance of the identity of the communicating
parties, provided by authentication and NOT identification. Identification is only who you claim to be;
authentication is proving who you claim to be.
"Server authentication" is incorrect. While server-only authentication is common practice, the protocol
provides for peer authentication (i.e., authentication of both client and server), so this answer is
incomplete.
"Name resolution" is incorrect. Name resolution is commonly provided by the Domain Name System (DNS),
not SSL.

Reference(s) used for this question:
CBK, pp. 496 - 497.

QUESTION 75
Secure Sockets Layer (SSL) uses a Message Authentication Code (MAC) for what purpose?

A. message non-repudiation.
B. message confidentiality.
C. message interleave checking.
D. message integrity.

Correct Answer: D
Explanation

Explanation/Reference:
A keyed hash also called a MAC (message authentication code) is used for integrity protection and
authenticity.
In cryptography, a message authentication code (MAC) is a generated value used to authenticate a
message. A MAC can be generated by HMAC or CBC-MAC methods. The MAC protects both a
message's integrity (by ensuring that a different MAC will be produced if the message has changed) as
well as its authenticity, because only someone who knows the secret key could have modified the
message.
MACs differ from digital signatures as MAC values are both generated and verified using the same secret
key. This implies that the sender and receiver of a message must agree on the same key before initiating
communications, as is the case with symmetric encryption. For the same reason, MACs do not provide the
property of non-repudiation offered by signatures specifically in the case of a network-wide shared secret
key: any user who can verify a MAC is also capable of generating MACs for other messages.

HMAC
When using HMAC, the shared symmetric key is combined with the message and the result is put through a
hashing algorithm; the output is the MAC value. (In the actual construction the key, padded to the hash
block size, is XORed with an inner and an outer pad and placed in front of the message, giving
H((K xor opad) || H((K xor ipad) || M)); the key is not simply appended to the message.) This MAC value is
then appended to the message being sent. If an enemy were to intercept and modify the message, he would
not have the symmetric key needed to create a valid MAC value, and the receiver would detect the
tampering because the received MAC would not match the one recomputed on the receiving side.

CBC-MAC
If a CBC-MAC is being used, the message is encrypted with a symmetric block cipher in CBC mode, and
the output of the final block of ciphertext is used as the MAC. The sender does not send the encrypted
version of the message, but instead sends the plaintext version and the MAC attached to the message.
The receiver receives the plaintext message and encrypts it with the same symmetric block cipher in CBC
mode and calculates an independent MAC value. The receiver compares the new MAC value with the
MAC value sent with the message. This method does not use a hashing algorithm as does HMAC.

Cipher-Based Message Authentication Code (CMAC)
Some security issues with CBC-MAC were found and they created Cipher-Based Message Authentication
Code (CMAC) as a replacement. CMAC provides the same type of data origin authentication and integrity
as CBC-MAC, but is more secure mathematically. CMAC is a variation of CBC-MAC. It is approved to work
with AES and Triple DES. HMAC, CBC-MAC, and CMAC work higher in the network stack and can identify
not only transmission errors (accidental), but also more nefarious modifications, as in an attacker messing
with a message for her own benefit. This means all of these technologies can identify intentional,
unauthorized modifications and accidental changes-- three in one.

The following are all incorrect answers:
"Message non-repudiation" is incorrect.
Nonrepudiation is the assurance that someone cannot deny something. Typically, nonrepudiation refers to
the ability to ensure that a party to a contract or a communication cannot deny the authenticity of their
signature on a document or the sending of a message that they originated. To repudiate means to deny.
For many years, authorities have sought to make repudiation impossible in some situations. You might