Which security model introduces access to objects only through programs?
Answer(s): C
In the Clark-Wilson model, the subject no longer has direct access to objects but instead must access them through programs (well -formed transactions). The ClarkWilson integrity model provides a foundation for specifying and analyzing an integrity policy for a computing system.The model is primarily concerned with formalizing the notion of information integrity. Informationintegrity is maintained by preventing corruption of data items in a system due to either error or malicious intent. An integrity policy describes how the data items in the system should be kept valid from one state of the system to the next and specifies the capabilities of various principals in the system. The model defines enforcement rules and certification rules.ClarkWilson is more clearly applicable to business and industry processes in which the integrity of the information content is paramount at any level of classification.Integrity goals of ClarkWilson model:Prevent unauthorized users from making modification (Only this one is addressed by the Biba model).Separation of duties prevents authorized users from making improper modifications. Well formed transactions: maintain internal and external consistency i.e. it is a series of operations that are carried out to transfer the data from one consistent state to the other.The following are incorrect answers:The Biba model is incorrect. The Biba model is concerned with integrity and controls access to objects based on a comparison of the security level of the subject to that of the object.The Bell-LaPdaula model is incorrect. The Bell-LaPaula model is concerned with confidentiality and controls access to objects based on a comparison of the clearence level of the subject to the classification level of the object.The information flow model is incorrect. The information flow model uses a lattice where objects are labelled with security classes and information can flow either upward or at the same level. It is similar in framework to the Bell-LaPadula model.
ISC2 Official Study Guide, Pages 325 - 327AIO3, pp. 284 - 287AIOv4 Security Architecture and Design (pages 338 - 342) AIOv5 Security Architecture and Design (pages 341 - 344) Wikipedia at: https://en.wikipedia.org/wiki/Clark-Wilson_model
Which security model ensures that actions that take place at a higher security level do not affect actions that take place at a lower level?
The goal of a noninterference model is to strictly separate differing security levels to assure that higher-level actions do not determine what lower-level users can see. This is in contrast to other security models that control information flows between differing levels of users, By maintaining strict separation of security levels, a noninterference model minimizes leakages that might happen through a covert channel.The model ensures that any actions that take place at a higher security level do not affect, or interfere with, actions that take place at a lower level. It is not concerned with the flow of data, but rather with what a subject knows about the state of the system. So if an entity at a higher security level performs an action, it can not change the state for the entity at the lower level.The model also addresses the inference attack that occurs when some one has access to some type of information and can infer(guess) something that he does not have the clearance level or authority to know.The following are incorrect answers:The Bell-LaPadula model is incorrect. The Bell-LaPadula model is concerned only with confidentiality and bases access control decisions on the classfication of objects and the clearences of subjects.The information flow model is incorrect. The information flow models have a similar framework to the Bell-LaPadula model and control how information may flow between objects based on security classes. Information will be allowed to flow only in accordance with the security policy.The Clark-Wilson model is incorrect. The Clark-Wilson model is concerned with change control and assuring that all modifications to objects preserve integrity by means of well-formed transactions and usage of an access triple (subjet - interface - object).
CBK, pp 325 - 326AIO3, pp. 290 - 291AIOv4 Security Architecture and Design (page 345)AIOv5 Security Architecture and Design (pages 347 - 348) https://en.wikibooks.org/wiki/Security_Architecture_and_Design/Security_Models#Noninterference _Models
Which of the following security models does NOT concern itself with the flow of data?
Answer(s): D
The goal of a noninterference model is to strictly separate differing security levels to assure that higher-level actions do not determine what lower-level users can see. This is in contrast to other security models that control information flows between differing levels of users, By maintaining strict separation of security levels, a noninterference model minimizes leakages that might happen through a covert channel.The Bell-LaPadula model is incorrect. The Bell-LaPadula model is concerned with confidentiality and bases access control decsions on the classfication of objects and the clearences of subjects.The information flow model is incorrect. The information flow models have a similar framework to the Bell-LaPadula model and control how information may flow between objects based on security classes.The Biba model is incorrect. The Biba model is concerned with integrity and is a complement to the Bell-LaPadula model in that higher levels of integrity are more trusted than lower levels. Access control us based on these integrity levels to assure that read/write operations do not decrease an object's integrity.
CBK, pp 325 - 326AIO3, pp. 290 - 291
What Orange Book security rating is reserved for systems that have been evaluated but fail to meet the criteria and requirements of the higher divisions?
Answer(s): B
D or "minimal protection" is reserved for systems that were evaluated under the TCSEC but did not meet the requirements for a higher trust level.A is incorrect. A or "Verified Protectection" is the highest trust level under the TCSEC. E is incorrect. The trust levels are A - D so "E" is not a valid trust level. F is incorrect. The trust levels are A - D so "F" is not a valid trust level.CBK, pp. 329 - 330AIO3, pp. 302 - 306
Which division of the Orange Book deals with discretionary protection (need-to-know)?
C deals with discretionary protection. See matric below:TCSEC MatricThe following are incorrect answers:D is incorrect. D deals with minimal security.B is incorrect. B deals with mandatory protection.A is incorrect. A deals with verified protection.
CBK, p. 329 330andShon Harris, CISSP All In One (AIO), 6th Edition , page 392-393
Share your comments for ISC SSCP exam with other users:
just started to view all questions for the exam
helpful material
hope for the best
will post exam has finished
really correct and good analyze!
excellent thanks a lot
will post once pass the cka exam
good content
q:32 answer has to be option c
nice questions
i really like the support team in this website. they are fast in communication and very helpful.
a good contemporary exam review
q23, its an array, isnt it? starts with [ and end with ]. its an array of objects, not object.
cool very helpfull
i just passed. this exam dumps is the same one from prepaway and examcollection. it has all the real test questions.
is this a valid prince2 practitioner dumps?
all are relatable questions
might help me to prepare for the exam
just paid and downlaod the 2 exams using the 50% sale discount. so far i was able to download the pdf and the test engine. all looks good.
i think it should be a,c. option d goes against the principle of building anything custom unless there are no work arounds available
very legible
is this exam accurate or helpful?
please upload dump, i have exam in 2 days
this is useful
question 232 answer should be perimeter not netowrk layer. wrong answer selected
hi team, could you please provide this dump ?
very helpful to clear the exam and understand the concept.
i think it is great that you are helping people when they need it. thanks.
cannot evaluate yet
a laptops wireless antenna is most likely located in the bezel of the lid
good examplae to learn basic
this is useful information
looks usefull