Which of the following access control models requires security clearance for subjects?
Answer(s): D
With mandatory access control (MAC), the authorization of a subject's access to an object is dependent upon labels, which indicate the subject's clearance. Identity-based access control is a type of discretionary access control. Role-based access control is a type of non-discretionary access control.
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 33).
Which of the following access control models requires defining classification for objects?
With mandatory access control (MAC), the authorization of a subject's access to an object is dependent upon labels, which indicate the subject's clearance and the classification of the object.

The following answers were incorrect:
Identity-based Access Control is a type of Discretionary Access Control (DAC); the two terms are synonymous.
Role Based Access Control (RBAC) and Rule Based Access Control (RuBAC or RBAC) are types of Non-Discretionary Access Control (NDAC).

Tip: When two answers are synonymous, neither of them can be the right choice. Only one access control model makes use of labels, clearances and categories, and that is Mandatory Access Control; none of the other models uses those items.
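The distinction the two questions above turn on, as an added example that is not part of the page or of the cited CISSP guides: the same request decided under MAC, DAC and RBAC. Only the MAC decision consults a subject clearance and an object classification; the DAC decision depends on the subject's identity (owner or ACL entry) and the RBAC decision on role membership. The levels, categories, users, roles and file are constructed sample data, and the MAC rule used is the Bell-LaPadula no-read-up / no-write-down form (an assumption; the page only says that labels carry clearance and classification).

```python
"""Added example: one access request under MAC, DAC and RBAC.
Not code from the page or the cited books; all data below is constructed."""
from dataclasses import dataclass, field

# Hierarchical sensitivity levels; categories are the non-hierarchical part of a label.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A MAC label: a level plus a set of categories (compartments)."""
    level: str
    categories: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """Lattice order: level at least as high AND a superset of categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def mac_allows(clearance: Label, classification: Label, op: str) -> bool:
    """MAC: read needs the clearance to dominate the classification (no read up);
    write needs the classification to dominate the clearance (no write down).
    The subject's identity plays no part; only the two labels are compared."""
    if op == "read":
        return clearance.dominates(classification)
    if op == "write":
        return classification.dominates(clearance)
    raise ValueError(f"unknown operation {op!r}")


def dac_allows(acl: dict, owner: str, subject: str, op: str) -> bool:
    """DAC (identity-based): the owner decides, and the ACL is keyed by identity."""
    return subject == owner or op in acl.get(subject, set())


def rbac_allows(user_roles: dict, role_perms: dict, subject: str, op: str) -> bool:
    """RBAC (non-discretionary): permissions attach to roles, roles to users."""
    return any(op in role_perms.get(r, set()) for r in user_roles.get(subject, ()))


def decide(subject: str, op: str) -> dict:
    """Decide `subject` doing `op` on one SECRET/NUCLEAR file under all three models."""
    clearances = {"alice": Label("TOP SECRET", frozenset({"NUCLEAR"})),
                  "bob": Label("CONFIDENTIAL")}            # bob has no clearance for SECRET
    file_label = Label("SECRET", frozenset({"NUCLEAR"}))   # object classification
    acl, owner = {"bob": {"read"}}, "alice"                # owner alice granted bob read
    user_roles = {"alice": {"analyst"}, "bob": {"intern"}}
    role_perms = {"analyst": {"read", "write"}, "intern": {"read"}}
    return {"MAC": mac_allows(clearances[subject], file_label, op),
            "DAC": dac_allows(acl, owner, subject, op),
            "RBAC": rbac_allows(user_roles, role_perms, subject, op)}


if __name__ == "__main__":
    print(decide("bob", "read"))    # DAC and RBAC say yes; MAC says no: bob lacks clearance
    print(decide("alice", "write")) # MAC says no: a TOP SECRET subject may not write down
```

The interesting row is bob: the file's owner granted him read under DAC, and his role permits read under RBAC, yet MAC refuses because his clearance does not dominate the object's classification. That is what "requires security clearance for subjects" and "requires defining classification for objects" mean in practice.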
In the context of access control, locks, gates, guards are examples of which of the following?
Answer(s): C
Administrative, technical and physical controls are categories of access control mechanisms. Logical and technical controls are synonymous, so both of them could be eliminated as possible choices.

Physical Controls: These are controls to protect the organization's people and physical environment, such as locks, gates, and guards. Physical controls may be called "operational controls" in some contexts.

Physical security covers a broad spectrum of controls to protect the physical assets (primarily the people) in an organization. Physical controls are sometimes referred to as "operational" controls in some risk management frameworks. These controls range from doors, locks, and windows to environment controls, construction standards, and guards. Typically, physical security is based on the notion of establishing security zones or concentric areas within a facility that require increased security as you get closer to the valuable assets inside the facility. Security zones are the physical representation of the defense-in-depth principle discussed earlier in this chapter. Typically, security zones are associated with rooms, offices, floors, or smaller elements, such as a cabinet or storage locker. The design of the physical security controls within the facility must take into account the protection of the asset as well as the individuals working in that area.
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 1301-1303). Auerbach Publications. Kindle Edition.
and
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 1312-1318). Auerbach Publications. Kindle Edition.
Which of the following statements pertaining to using Kerberos without any extension is false?
Kerberos is a trusted, credential-based, third-party authentication protocol that uses symmetric (secret) key cryptography to provide robust authentication to clients accessing services on a network.

Because the client's password is used to derive the key that protects the initial Kerberos reply, password guessing can be used to impersonate a client.

Here is an overview of how Kerberos works, as described in the introduction of RFC 4556:

1. Introduction

The Kerberos V5 protocol [RFC4120] involves use of a trusted third party known as the Key Distribution Center (KDC) to negotiate shared session keys between clients and services and provide mutual authentication between them.

The cornerstones of Kerberos V5 are the Ticket and the Authenticator. A Ticket encapsulates a symmetric key (the ticket session key) in an envelope (a public message) intended for a specific service. The contents of the Ticket are encrypted with a symmetric key shared between the service principal and the issuing KDC. The encrypted part of the Ticket contains the client principal name, among other items. An Authenticator is a record that can be shown to have been recently generated using the ticket session key in the associated Ticket. The ticket session key is known by the client who requested the ticket. The contents of the Authenticator are encrypted with the associated ticket session key. The encrypted part of an Authenticator contains a timestamp and the client principal name, among other items.

As shown in Figure 1, below, the Kerberos V5 protocol consists of the following message exchanges between the client and the KDC, and the client and the application service:

The Authentication Service (AS) Exchange
The client obtains an "initial" ticket from the Kerberos authentication server (AS), typically a Ticket Granting Ticket (TGT). The AS-REQ message and the AS-REP message are the request and the reply message, respectively, between the client and the AS.

The Ticket Granting Service (TGS) Exchange
The client subsequently uses the TGT to authenticate and request a service ticket for a particular service from the Kerberos ticket-granting server (TGS). The TGS-REQ message and the TGS-REP message are the request and the reply message, respectively, between the client and the TGS.

The Client/Server Authentication Protocol (AP) Exchange
The client then makes a request with an AP-REQ message, consisting of a service ticket and an authenticator that certifies the client's possession of the ticket session key. The server may optionally reply with an AP-REP message. AP exchanges typically negotiate session-specific symmetric keys.

Usually, the AS and TGS are integrated in a single device also known as the KDC.

[Figure 1: The Message Exchanges in the Kerberos V5 Protocol. The ASCII diagram did not survive extraction; it shows the client exchanging AS-REQ/AS-REP and then TGS-REQ/TGS-REP with the KDC, and then AP-REQ/AP-REP with the Application Server.]

In the AS exchange, the KDC reply contains the ticket session key, among other items, that is encrypted using a key (the AS reply key) shared between the client and the KDC. The AS reply key is typically derived from the client's password for human users. Therefore, for human users, the attack resistance strength of the Kerberos protocol is no stronger than the strength of their passwords.
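The three exchanges above, and the password weakness the question is built on, as an added example that is not code from the page, the cited books or RFC 4556. It runs both sides of the AS, TGS and AP exchanges in Python with a KDC that holds every principal's key, then shows the attack: an AS-REP captured off the wire can be attacked offline, because its encrypted part is sealed only with a key derived from the user's password (the base protocol as modelled here has no pre-authentication, so anyone can ask for alice's AS-REP). The cipher, the string-to-key function, the message layout, the realm, the principal names and the wordlist are all simplified stand-ins and constructed data, not real Kerberos enctypes or ASN.1 messages.

```python
"""Toy Kerberos V5 AS/TGS/AP exchanges and offline guessing against an AS-REP.
Added example, not from the page, the cited books or RFC 4556; the cipher, KDF,
message layout and every name are simplified stand-ins (assumptions)."""
import hashlib
import hmac
import json
import os

SKEW, LIFE = 300, 36000  # Authenticator clock-skew tolerance and ticket lifetime (s)

def string_to_key(password, salt):
    """AS reply key of a human principal: derived from the password alone
    (toy stand-in for Kerberos string-to-key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 1000)

def _keystream(key, nonce, n):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256)
                    .digest() for i in range(n // 32 + 1))

def encrypt(key, obj):
    """Toy authenticated encryption: HMAC-derived keystream plus an HMAC tag."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}

def decrypt(key, blob):
    """Raises ValueError under a wrong key; that failure is the guesser's oracle."""
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, bytes.fromhex(blob["tag"])):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def _check(ticket, auth, now):
    # Ticket/Authenticator validation: same client name, fresh timestamp, not expired.
    if auth["cname"] != ticket["cname"] or abs(now - auth["ts"]) > SKEW or now > ticket["exp"]:
        raise PermissionError("bad Authenticator or expired ticket")

def authenticator(cname, session_key, now):
    return encrypt(session_key, {"cname": cname, "ts": now})

class KDC:
    """AS and TGS in one box, holding every principal's long-term key."""
    def __init__(self, realm, users, services):
        self.realm = realm
        self.keys = {u: string_to_key(pw, realm + u) for u, pw in users.items()}
        self.keys["krbtgt"] = os.urandom(32)            # the TGS's own key
        self.keys.update({s: os.urandom(32) for s in services})

    def as_exchange(self, client, now):
        """AS-REQ/AS-REP with no pre-authentication: anyone naming the client gets
        a reply whose enc_part is sealed only with the password-derived key."""
        sk = os.urandom(32)
        tgt = encrypt(self.keys["krbtgt"], {"cname": client, "key": sk.hex(), "exp": now + LIFE})
        return {"ticket": tgt, "enc_part": encrypt(self.keys[client], {"key": sk.hex()})}

    def tgs_exchange(self, tgt, auth, service, now):
        """TGS-REQ/TGS-REP: the Authenticator proves possession of the TGT session key."""
        t = decrypt(self.keys["krbtgt"], tgt)
        sk = bytes.fromhex(t["key"])
        _check(t, decrypt(sk, auth), now)
        svc_sk = os.urandom(32)
        ticket = encrypt(self.keys[service], {"cname": t["cname"], "key": svc_sk.hex(), "exp": now + LIFE})
        return {"ticket": ticket, "enc_part": encrypt(sk, {"key": svc_sk.hex()})}

def client_login(kdc, user, password, now):
    """Client side of the AS exchange; a wrong password cannot open enc_part."""
    rep = kdc.as_exchange(user, now)
    sk = decrypt(string_to_key(password, kdc.realm + user), rep["enc_part"])["key"]
    return rep["ticket"], bytes.fromhex(sk)

def ap_exchange(service_key, ticket, auth, now):
    """Service side of AP-REQ: checked with the service's own key, no KDC round trip."""
    t = decrypt(service_key, ticket)
    _check(t, decrypt(bytes.fromhex(t["key"]), auth), now)
    return t["cname"]

def guess_password(realm, user, as_rep, wordlist):
    """Offline attack on a captured AS-REP: every guess is tested locally, so no
    KDC lockout or audit log ever sees it.  Returns the password or None."""
    for pw in wordlist:
        try:
            decrypt(string_to_key(pw, realm + user), as_rep["enc_part"])
            return pw
        except ValueError:
            pass
    return None

def demo(now=1_700_000_000):
    """A full login, then the attack on an AS-REP captured off the wire."""
    kdc = KDC("EXAMPLE.COM", {"alice": "Winter2024"}, ["http/web"])  # constructed data
    tgt, tgt_key = client_login(kdc, "alice", "Winter2024", now)
    rep = kdc.tgs_exchange(tgt, authenticator("alice", tgt_key, now), "http/web", now)
    svc_key = bytes.fromhex(decrypt(tgt_key, rep["enc_part"])["key"])
    who = ap_exchange(kdc.keys["http/web"], rep["ticket"], authenticator("alice", svc_key, now), now)
    captured = kdc.as_exchange("alice", now)          # what a sniffer sees on the wire
    return who, guess_password(kdc.realm, "alice", captured, ["password", "Summer2023", "Winter2024"])
```

`demo()` returns `("alice", "Winter2024")`: the service authenticated alice without ever contacting the KDC, and the guesser recovered her password from nothing but the AS-REP. The Authenticator timestamp check in `_check` is what stops a replayed AP-REQ or TGS-REQ from the past; the lesson of the question is that nothing in the base protocol stops the offline guess, which is why real deployments require pre-authentication, strong passwords and, for services, random keys.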
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 40).
and
HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter 4: Access Control (pages 147-151).
and
http://www.ietf.org/rfc/rfc4556.txt
Which of the following statements pertaining to Kerberos is false?
Kerberos is a trusted, credential-based, third-party authentication protocol that uses symmetric (secret) key cryptography to provide robust authentication to clients accessing services on a network.

One weakness of Kerberos is its Key Distribution Center (KDC), which represents a single point of failure. The KDC contains a database that holds a copy of all of the symmetric/secret keys for the principals.
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 40).
Share your comments on the ISC SSCP exam with other users:
i really like the support team in this website. they are fast in communication and very helpful.
a good contemporary exam review
q23, it's an array, isn't it? It starts with [ and ends with ]. It's an array of objects, not an object.
cool, very helpful
i just passed. this exam dump is the same one from prepaway and examcollection. it has all the real test questions.
is this a valid prince2 practitioner dumps?
all are relatable questions
might help me to prepare for the exam
just paid and downloaded the 2 exams using the 50% sale discount. so far i was able to download the pdf and the test engine. all looks good.
i think it should be A, C. option D goes against the principle of building anything custom unless there are no workarounds available
very legible
is this exam accurate or helpful?
please upload dump, i have exam in 2 days
this is useful
question 232 answer should be perimeter, not network layer. wrong answer selected
nice questions
hi team, could you please provide this dump ?
very helpful to clear the exam and understand the concept.
i think it is great that you are helping people when they need it. thanks.
cannot evaluate yet
a laptop's wireless antenna is most likely located in the bezel of the lid
good example to learn the basics
this is useful information
looks useful
question 81 should be c.
question 18: isn't the response A?
please add questions
are the dumps still valid?
thanks for this
please upload questions
please upload the question dump for professional machine learning
question 4 answer is C. this site shows the correct answer as B. "adopt a consumption model" is clearly a cost optimization design principle. looks like I'm done using this site to study!!!
number 52 answer is D
just started preparing for my exam, and this site is so much help