Which of the following was developed to address some of the weaknesses in Kerberos and uses public key cryptography for the distribution of secret keys and provides additional access control support?
Answer(s): A
Secure European System for Applications in a Multi-vendor Environment (SESAME) was developed to address some of the weaknesses in Kerberos; it uses public key cryptography for the distribution of secret keys and provides additional access control support.
TIPTON, Harold, Official (ISC)2 Guide to the CISSP CBK (2007), page 184. ISC OIG Second Edition, Access Controls, page 111.
Single Sign-on (SSO) is characterized by which of the following advantages?
Answer(s): B
Convenience - using single sign-on, users have to type their passwords only once, when they first log in, to access all the network resources; and Centralized Administration - some single sign-on systems are built around a unified server administration system, which allows a single administrator to add and delete accounts across the entire network from one user interface.

The following answers are incorrect:
Convenience - alone, this is not the correct answer.
Centralized Data or Network Administration - these are thrown in to mislead the student. Neither is a benefit of SSO, as these specifically should not be allowed with just an SSO.
TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th Edition, Volume 1, page 35. TIPTON, Harold F. & HENRY, Kevin, Official (ISC)2 Guide to the CISSP CBK, 2007, page 180.
The "vulnerability of a facility" to damage or attack may be assessed by all of the following except:
Answer(s): D
The CISSP Examination Textbook - Volume 2: Practice, by S. Rao Vallabhaneni.
What is the primary role of smartcards in a PKI?
HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 2001, McGraw-Hill/Osborne, page 139; SNYDER, J., What is a SMART CARD?. Wikipedia has a nice definition at: http://en.wikipedia.org/wiki/Tamper_resistance

Tamper-resistant microprocessors are used to store and process private or sensitive information, such as private keys or electronic money credit. To prevent an attacker from retrieving or modifying the information, the chips are designed so that the information is not accessible through external means and can be accessed only by the embedded software, which should contain the appropriate security measures. Examples of tamper-resistant chips include all secure cryptoprocessors, such as the IBM 4758 and chips used in smartcards, as well as the Clipper chip.

It has been argued that it is very difficult to make simple electronic devices secure against tampering, because numerous attacks are possible, including:
- physical attack of various forms (microprobing, drills, files, solvents, etc.)
- freezing the device
- applying out-of-spec voltages or power surges
- applying unusual clock signals
- inducing software errors using radiation
- measuring the precise time and power requirements of certain operations (see power analysis)

Tamper-resistant chips may be designed to zeroise their sensitive data (especially cryptographic keys) if they detect penetration of their security encapsulation or out-of-specification environmental parameters. A chip may even be rated for "cold zeroisation", the ability to zeroise itself even after its power supply has been crippled. Nevertheless, the fact that an attacker may have the device in his possession for as long as he likes, and perhaps obtain numerous other samples for testing and practice, means that it is practically impossible to totally eliminate tampering by a sufficiently motivated opponent. Because of this, one of the most important elements in protecting a system is overall system design.

In particular, tamper-resistant systems should "fail gracefully" by ensuring that compromise of one device does not compromise the entire system. In this manner, the attacker can be practically restricted to attacks that cost less than the expected return from compromising a single device (plus, perhaps, a little more for kudos). Since the most sophisticated attacks have been estimated to cost several hundred thousand dollars to carry out, carefully designed systems may be invulnerable in practice.
What kind of certificate is used to validate a user identity?
In cryptography, a public key certificate (or identity certificate) is an electronic document which incorporates a digital signature to bind together a public key with an identity: information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual. In a typical public key infrastructure (PKI) scheme, the signature will be that of a certificate authority (CA). In a web of trust scheme, the signature is of either the user (a self-signed certificate) or other users ("endorsements"). In either case, the signatures on a certificate are attestations by the certificate signer that the identity information and the public key belong together.

In computer security, an authorization certificate (also known as an attribute certificate) is a digital document that describes a written permission from the issuer to use a service or a resource that the issuer controls or has access to use. The permission can be delegated.

Some people constantly confuse PKCs and ACs. An analogy may make the distinction clear. A PKC can be considered to be like a passport: it identifies the holder, tends to last for a long time, and should not be trivial to obtain. An AC is more like an entry visa: it is typically issued by a different authority and does not last for as long a time. As acquiring an entry visa typically requires presenting a passport, getting a visa can be a simpler process.

A real-life example of this can be found in the mobile software deployments by large service providers, typically applied to platforms such as Microsoft Smartphone (and related), Symbian OS, J2ME, and others. In each of these systems a mobile communications service provider may customize the mobile terminal client distribution (i.e. the mobile phone operating system or application environment) to include one or more root certificates, each associated with a set of capabilities or permissions such as "update firmware", "access address book", "use radio interface", and the most basic one, "install and execute". When a developer wishes to enable distribution and execution in one of these controlled environments, they must acquire a certificate from an appropriate CA, typically a large commercial CA, and in the process they usually have their identity verified using out-of-band mechanisms such as a combination of a phone call, validation of their legal entity through government and commercial databases, etc., similar to the high-assurance SSL certificate vetting process, though often there are additional specific requirements imposed on would-be developers/publishers.

Once the identity has been validated, they are issued an identity certificate they can use to sign their software. Generally, the software signed by the developer's or publisher's identity certificate is not distributed; rather, it is submitted to a processor to possibly test or profile the content before generating an authorization certificate which is unique to the particular software release. That certificate is then used with an ephemeral asymmetric key pair to sign the software as the last step of preparation for distribution. There are many advantages to separating the identity and authorization certificates, especially relating to risk mitigation of new content being accepted into the system, key management, and recovery from errant software which can be used as an attack vector.
HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 2001, McGraw-Hill/Osborne, page 540. http://en.wikipedia.org/wiki/Attribute_certificate http://en.wikipedia.org/wiki/Public_key_certificate
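As an added example of the identity binding described above (this is not part of the question bank or of its cited sources), the following Go program builds a throwaway root CA, has it issue an identity certificate for the constructed subject "Alice Example", and shows a relying party accepting that certificate only because the trusted CA's signature attests that the name and the public key belong together. It then shows that a certificate for the same name issued by an unrelated CA is rejected, because no trust anchor vouches for it. The CA name, the subject name and all keys are generated for the example; only Go's standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert signs a certificate template with the signer's private key and
// returns the parsed certificate. When parent == tmpl the certificate is
// self-signed, which is how the hypothetical root CA is created.
func newCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildPKI creates a fresh root CA and issues an identity certificate that
// binds the constructed name "Alice Example" to a newly generated key.
// Every key and name here is generated for the example; none is real.
func BuildPKI() (*x509.Certificate, *x509.Certificate, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	ca, err := newCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}

	aliceKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	aliceTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "Alice Example"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	// The CA's signature over this template is the attestation that the
	// subject name and Alice's public key belong together.
	alice, err := newCert(aliceTmpl, ca, &aliceKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	return ca, alice, nil
}

// VerifyIdentity accepts cert only if it chains to the trusted CA, is within
// its validity period and is usable for client authentication. On success it
// returns the identity the CA vouched for.
func VerifyIdentity(trustedCA, cert *x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

func main() {
	ca, alice, err := BuildPKI()
	if err != nil {
		panic(err)
	}
	name, err := VerifyIdentity(ca, alice)
	fmt.Println("certificate from trusted CA:", name, err)

	// A second, independent CA also issues a certificate for "Alice Example".
	// The relying party rejects it: the name is the same, but no trust anchor
	// it knows has attested to that name/key binding.
	_, impostor, err := BuildPKI()
	if err != nil {
		panic(err)
	}
	_, err = VerifyIdentity(ca, impostor)
	fmt.Println("certificate from untrusted CA:", err)
}
```

The point the passage makes is visible in VerifyIdentity: the relying party never trusts the name printed in a certificate on its own; it trusts the signature of a CA it already holds as a root, and the name is meaningful only after that chain check succeeds.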