Which of the following would be an example of the best password?
Answer(s): C
The best passwords are those that are both easy to remember and hard to crack using a dictionary attack. The best way to create passwords that fulfil both criteria is to use two small unrelated words or phonemes, ideally with upper and lower case characters, a special character, and/or a number. Shouldn't be used: common names, DOB, spouse, phone numbers, words found in dictionaries or system defaults.
ROTHKE, Ben, CISSP CBK Review presentation on domain 1.
A network-based vulnerability assessment is a type of test also referred to as:
Answer(s): A
A network-based vulnerability assessment tool/system either re-enacts system attacks, noting and recording responses to the attacks, or probes different targets to infer weaknesses from their responses.Since the assessment is actively attacking or scanning targeted systems, network-based vulnerability assessment systems are also called active vulnerability systems.There are mostly two main types of test:PASSIVE: You don't send any packet or interact with the remote target. You make use of public database and other techniques to gather information about your target.ACTIVE: You do send packets to your target, you attempt to stimulate response which will help you in gathering information about hosts that are alive, services runnings, port state, and more.See example below of both types of attacks:Eavesdropping and sniffing data as it passes over a network are considered passive attacks because the attacker is not affecting the protocol, algorithm, key, message, or any parts of the encryption system. Passive attacks are hard to detect, so in most cases methods are put in place to try to prevent them rather than to detect and stop them.Altering messages , modifying system files, and masquerading as another individual are acts that are considered active attacks because the attacker is actually doing something instead of sitting back and gathering datA. Passive attacks are usually used to gain information prior to carrying out an active attack.IMPORTANT NOTE:On the commercial vendors will sometimes use different names for different types of scans. However, the exam is product agnostic. They do not use vendor terms but general terms. Experience could trick you into selecting the wrong choice sometimes. See feedback from Jason below:"I am a system security analyst. It is my daily duty to perform system vulnerability analysis. We use Nessus and Retina (among other tools) to perform our network based vulnerability scanning. Both commercially available tools refer to a network based vulnerability scan as a "credentialed" scan. Without credentials, the scan tool cannot login to the system being scanned, and as such will only receive a port scan to see what ports are open and exploitable"
Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 865). McGraw-Hill.Kindle Edition.andDUPUIS, Clement, Access Control Systems and Methodology CISSP Open Study Guide, version 1.0, march 2002 (page 97).
Which of the following is NOT a form of detective administrative control?
Detective administrative controls warn of administrative control violations. Rotation of duties, required vacations and security reviews and audits are forms of detective administrative controls. Separation of duties is the practice of dividing the steps in a system function among different individuals, so as to keep a single individual from subverting the process, thus a preventive control rather than a detective control.
DUPUIS, Cl?ment, Access Control Systems and Methodology CISSP Open Study Guide, version 1.0 (march 2002).
Which TCSEC level is labeled Controlled Access Protection?
Answer(s): B
C2 is labeled Controlled Access Protection.The TCSEC defines four divisions: D, C, B and A where division A has the highest security.Each division represents a significant difference in the trust an individual or organization can place on the evaluated system. Additionally divisions C, B and A are broken into a series of hierarchical subdivisions called classes: C1, C2, B1, B2, B3 and A1.Each division and class expands or modifies as indicated the requirements of the immediately prior division or class.D -- Minimal protectionReserved for those systems that have been evaluated but that fail to meet the requirements for a higher divisionC -- Discretionary protectionC1 -- Discretionary Security ProtectionIdentification and authenticationSeparation of users and dataDiscretionary Access Control (DAC) capable of enforcing access limitations on an individual basis Required System Documentation and user manualsC2 -- Controlled Access ProtectionMore finely grained DACIndividual accountability through login proceduresAudit trailsObject reuseResource isolationB -- Mandatory protectionB1 -- Labeled Security ProtectionInformal statement of the security policy modelData sensitivity labelsMandatory Access Control (MAC) over selected subjects and objects Label exportation capabilitiesAll discovered flaws must be removed or otherwise mitigated Design specifications and verificationB2 -- Structured ProtectionSecurity policy model clearly defined and formally documented DAC and MAC enforcement extended to all subjects and objects Covert storage channels are analyzed for occurrence and bandwidth Carefully structured into protection-critical and non-protection-critical elements Design and implementation enable more comprehensive testing and reviewAuthentication mechanisms are strengthenedTrusted facility management is provided with administrator and operator segregation Strict configuration management controls are imposedB3 -- Security DomainsSatisfies reference monitor requirementsStructured to exclude code not essential to security policy enforcement Significant system engineering directed toward minimizing complexity Security administrator role definedAudit security-relevant eventsAutomated imminent intrusion detection, notification, and response Trusted system recovery proceduresCovert timing channels are analyzed for occurrence and bandwidth An example of such a system is the XTS-300, a precursor to the XTS-400A -- Verified protectionA1 -- Verified DesignFunctionally identical to B3Formal design and verification techniques including a formal top-level specification Formal management and distribution proceduresAn example of such a system is Honeywell's Secure Communications Processor SCOMP, a precursor to the XTS-400Beyond A1System Architecture demonstrates that the requirements of self-protection and completeness for reference monitors have been implemented in the Trusted Computing Base (TCB). Security Testing automatically generates test-case from the formal top-level specification or formal lower-level specifications.Formal Specification and Verification is where the TCB is verified down to the source code level, using formal verification methods where feasible.Trusted Design Environment is where the TCB is designed in a trusted facility with only trusted (cleared) personnel.The following are incorrect answers:C1 is Discretionary securityC3 does not exists, it is only a detractorB1 is called Labeled Security Protection.
HARE, Chris, Security management Practices CISSP Open Study Guide, version 1.0, april 1999.andAIOv4 Security Architecture and Design (pages 357 - 361) AIOv5 Security Architecture and Design (pages 358 - 362)
Which security model is based on the military classification of data and people with clearances?
The Bell-LaPadula model is a confidentiality model for information security based on the military classification of data, on people with clearances and data with a classification or sensitivity model. The Biba, Clark-Wilson and Brewer-Nash models are concerned with integrity.
HARE, Chris, Security Architecture and Models, Area 6 CISSP Open Study Guide, January 2002.
Share your comments for ISC SSCP exam with other users:
I have to say this is really close to real exam. Passed my exam with this.
good analytics question
this looks accurate
question 46, the answer should be data "virtualization" (not visualization).
its useful.
Pass this exam 3 days ago. The PDF version and the Xengine App is quite useful.
informative for me.
question 134s answer shoule be "dlp"
in 72 the answer must be [sys_user_has_role] table.
i appreciated the mix of multiple-choice and short answer questions. i passed my exam this morning.
great to find this website, thanks
examination questions seem to be relevant.
planning to take psm test
please allow to download
please provide dumps
is the answer to question 15 correct ? i feel like the answer should be b
its getting more technical
i think these questions are what i need.
helpful assessment
i am confused about the answers to the questions. do you know if the answers are correct?
hi, please make the dumps available for my upcoming examination.
good practice
so far it is really informative
hi i want it please please upload it
am preparing for exam ,just nice questions
please upload c_tadm_23 exam
can we get tdvan4 vantage data engineering pdf?
want to clear the exam.
could you please upload the dumps of sap c_sac_2302
asm management configuration is about storage
kool thumb up
just passed the az-500 exam this last friday. most of the questions in this exam dumps are in the exam. i bought the full version and noticed some of the questions which were answered wrong in the free version are all corrected in the full version. this site is good but i wish the had it in an interactive version like a test engine simulator.
i can practice for exam
please i need this exam.