Which of the following would be an example of the best password?
Answer(s): C
The best passwords are those that are both easy to remember and hard to crack using a dictionary attack. The best way to create passwords that fulfil both criteria is to use two small unrelated words or phonemes, ideally with upper and lower case characters, a special character, and/or a number. The following should not be used: common names, dates of birth, a spouse's name, phone numbers, words found in dictionaries, or system defaults.
ROTHKE, Ben, CISSP CBK Review presentation on domain 1.
A network-based vulnerability assessment is a type of test also referred to as:
Answer(s): A
A network-based vulnerability assessment tool/system either re-enacts system attacks, noting and recording responses to the attacks, or probes different targets to infer weaknesses from their responses. Since the assessment is actively attacking or scanning targeted systems, network-based vulnerability assessment systems are also called active vulnerability systems.

There are two main types of test:

PASSIVE: You don't send any packets or interact with the remote target. You make use of public databases and other techniques to gather information about your target.

ACTIVE: You do send packets to your target; you attempt to stimulate responses that will help you in gathering information about which hosts are alive, which services are running, port state, and more.

See the examples below of both types of attack:

Eavesdropping and sniffing data as it passes over a network are considered passive attacks because the attacker is not affecting the protocol, algorithm, key, message, or any other part of the encryption system. Passive attacks are hard to detect, so in most cases methods are put in place to try to prevent them rather than to detect and stop them.

Altering messages, modifying system files, and masquerading as another individual are acts that are considered active attacks because the attacker is actually doing something instead of sitting back and gathering data. Passive attacks are usually used to gain information prior to carrying out an active attack.

IMPORTANT NOTE: Commercial vendors will sometimes use different names for different types of scans. However, the exam is product agnostic: it uses general terms, not vendor terms. Experience can sometimes trick you into selecting the wrong choice. See the feedback from Jason below:

"I am a system security analyst. It is my daily duty to perform system vulnerability analysis. We use Nessus and Retina (among other tools) to perform our network-based vulnerability scanning. Both commercially available tools refer to a network-based vulnerability scan as a "credentialed" scan. Without credentials, the scan tool cannot log in to the system being scanned, and as such will only receive a port scan to see what ports are open and exploitable."
Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 865). McGraw-Hill. Kindle Edition.
and
DUPUIS, Clément, Access Control Systems and Methodology CISSP Open Study Guide, version 1.0, March 2002 (page 97).
Which of the following is NOT a form of detective administrative control?
Detective administrative controls warn of administrative control violations. Rotation of duties, required vacations, and security reviews and audits are forms of detective administrative controls. Separation of duties is the practice of dividing the steps in a system function among different individuals, so as to keep a single individual from subverting the process; it is therefore a preventive control rather than a detective control.
DUPUIS, Clément, Access Control Systems and Methodology CISSP Open Study Guide, version 1.0 (March 2002).
Which TCSEC level is labeled Controlled Access Protection?
Answer(s): B
C2 is labeled Controlled Access Protection.

The TCSEC defines four divisions: D, C, B and A, where division A has the highest security. Each division represents a significant difference in the trust an individual or organization can place on the evaluated system. Additionally, divisions C, B and A are broken into a series of hierarchical subdivisions called classes: C1, C2, B1, B2, B3 and A1. Each division and class expands or modifies, as indicated, the requirements of the immediately prior division or class.

D -- Minimal protection
Reserved for those systems that have been evaluated but that fail to meet the requirements for a higher division.

C -- Discretionary protection

C1 -- Discretionary Security Protection
- Identification and authentication
- Separation of users and data
- Discretionary Access Control (DAC) capable of enforcing access limitations on an individual basis
- Required system documentation and user manuals

C2 -- Controlled Access Protection
- More finely grained DAC
- Individual accountability through login procedures
- Audit trails
- Object reuse
- Resource isolation

B -- Mandatory protection

B1 -- Labeled Security Protection
- Informal statement of the security policy model
- Data sensitivity labels
- Mandatory Access Control (MAC) over selected subjects and objects
- Label exportation capabilities
- All discovered flaws must be removed or otherwise mitigated
- Design specifications and verification

B2 -- Structured Protection
- Security policy model clearly defined and formally documented
- DAC and MAC enforcement extended to all subjects and objects
- Covert storage channels are analyzed for occurrence and bandwidth
- Carefully structured into protection-critical and non-protection-critical elements
- Design and implementation enable more comprehensive testing and review
- Authentication mechanisms are strengthened
- Trusted facility management is provided, with administrator and operator segregation
- Strict configuration management controls are imposed

B3 -- Security Domains
- Satisfies reference monitor requirements
- Structured to exclude code not essential to security policy enforcement
- Significant system engineering directed toward minimizing complexity
- Security administrator role defined
- Audit of security-relevant events
- Automated imminent intrusion detection, notification, and response
- Trusted system recovery procedures
- Covert timing channels are analyzed for occurrence and bandwidth
- An example of such a system is the XTS-300, a precursor to the XTS-400

A -- Verified protection

A1 -- Verified Design
- Functionally identical to B3
- Formal design and verification techniques, including a formal top-level specification
- Formal management and distribution procedures
- An example of such a system is Honeywell's Secure Communications Processor (SCOMP), a precursor to the XTS-400

Beyond A1
- System Architecture demonstrates that the requirements of self-protection and completeness for reference monitors have been implemented in the Trusted Computing Base (TCB).
- Security Testing automatically generates test cases from the formal top-level specification or formal lower-level specifications.
- Formal Specification and Verification is where the TCB is verified down to the source code level, using formal verification methods where feasible.
- Trusted Design Environment is where the TCB is designed in a trusted facility with only trusted (cleared) personnel.

The following are incorrect answers:
C1 is Discretionary Security Protection.
C3 does not exist; it is only a distractor.
B1 is called Labeled Security Protection.
HARE, Chris, Security Management Practices CISSP Open Study Guide, version 1.0, April 1999.
and
AIOv4 Security Architecture and Design (pages 357-361); AIOv5 Security Architecture and Design (pages 358-362).
Which security model is based on the military classification of data and people with clearances?
The Bell-LaPadula model is a confidentiality model for information security based on the military classification of data: data carries a classification or sensitivity level, and people hold clearances against those levels. The Biba, Clark-Wilson and Brewer-Nash models are concerned with integrity.
HARE, Chris, Security Architecture and Models, Area 6 CISSP Open Study Guide, January 2002.