
In document CISSP (Page 153-173)

A. TCSEC
B. ITSEC
C. DIACAP
D. NIACAP

Correct Answer: A

Section: Security Engineering Explanation

Explanation/Reference:

Explanation:

Trusted Computer System Evaluation Criteria (TCSEC) is a United States Government Department of Defense (DoD) standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system. The TCSEC was used to evaluate, classify and select computer systems being considered for the processing, storage and retrieval of sensitive or classified information.

The TCSEC, frequently referred to as the Orange Book, is the centerpiece of the DoD Rainbow Series publications. It was initially issued in 1983 by the National Computer Security Center (NCSC), an arm of the National Security Agency, and then updated in 1985. TCSEC was replaced by the Common Criteria international standard, originally published in 2005.

Incorrect Answers:

B: The Information Technology Security Evaluation Criteria (ITSEC) was the first attempt by a number of European countries at establishing a single standard for evaluating the security attributes of computer systems and products. This is not what is described in the question.

C: The DoD Information Assurance Certification and Accreditation Process (DIACAP) is a United States Department of Defense (DoD) process intended to ensure that companies and organizations apply risk management to information systems (IS). This is not what is described in the question.

D: The National Information Assurance Certification and Accreditation Process (NIACAP) is the minimum-standard process for the certification and accreditation of computer and telecommunications systems that handle U.S. This is not what is described in the question.

References:

https://en.wikipedia.org/wiki/Trusted_Computer_System_Evaluation_Criteria

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 399

QUESTION 270

The Computer Security Policy Model the Orange Book is based on is which of the following?

A. Bell-LaPadula
B. Data Encryption Standard
C. Kerberos
D. Tempest

Correct Answer: A

Section: Security Engineering Explanation

Explanation/Reference:

Explanation:

The Orange Book used the Bell-LaPadula Computer Security Policy model as a comparative evaluation for all systems.

Incorrect Answers:

B: The Data Encryption Standard (DES) is a cryptographic algorithm, not a Computer Security Policy model.

C: Kerberos is an authentication protocol, not a Computer Security Policy model.

D: TEMPEST is related to limiting the electromagnetic emanations from electronic equipment.

References:

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, pp. 209, 254, 402, 800

QUESTION 271

The Information Technology Security Evaluation Criteria (ITSEC) was written to address which of the following that the Orange Book did not address?

A. integrity and confidentiality
B. confidentiality and availability
C. integrity and availability
D. none of the above

Correct Answer: C

Section: Security Engineering Explanation

Explanation/Reference:

Explanation:

A difference between ITSEC and TCSEC is that TCSEC bundles functionality and assurance into one rating, whereas ITSEC evaluates these two attributes separately. The other differences are that ITSEC was developed to provide more flexibility than TCSEC, and ITSEC addresses integrity, availability, and confidentiality, whereas TCSEC addresses only confidentiality. ITSEC also addresses networked systems, whereas TCSEC deals with stand-alone systems.

Incorrect Answers:

A: Both ITSEC and TCSEC address confidentiality.

B: Both ITSEC and TCSEC address confidentiality.

D: One of the answers given is correct.

References:

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 401

QUESTION 272

Which of the following is NOT a type of motion detector?

A. Photoelectric sensor
B. Passive infrared sensors
C. Microwave sensor
D. Ultrasonic sensor

Correct Answer: A

Section: Security Engineering Explanation

Explanation/Reference:

Explanation:

A photoelectric sensor does not detect motion; it detects a break in a beam of light.

A photoelectric system, or photometric system, detects the change in a light beam. These systems work like photoelectric smoke detectors, which emit a beam that hits the receiver. If this beam of light is interrupted, an alarm sounds. The beams emitted by the photoelectric cell can be cross-sectional and can be invisible or visible beams. Cross-sectional means that one area can have several different light beams extending across it, which is usually carried out by using hidden mirrors to bounce the beam from one place to another until it hits the light receiver.

Incorrect Answers:

B: A passive infrared system (PIR) identifies the changes of heat waves in an area it is configured to monitor. If the particles’ temperature within the air rises, it could be an indication of the presence of an intruder, so an alarm is sounded. A PIR is a type of motion detector. Therefore, this answer is incorrect.

C: Wave-pattern motion detectors differ in the frequency of the waves they monitor. The different frequencies are microwave, ultrasonic, and low frequency. All of these devices generate a wave pattern that is sent over a sensitive area and reflected back to a receiver. If the pattern is returned undisturbed, the device does nothing. If the pattern returns altered because something in the room is moving, an alarm sounds. A Microwave Sensor is a type of motion detector. Therefore, this answer is incorrect.

D: An Ultrasonic Sensor is an example of a wave-pattern motion detector. Therefore, this answer is incorrect.

References:

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, p. 495

QUESTION 273

What is the minimum static charge able to cause disk drive data loss?

A. 550 volts
B. 1000 volts
C. 1500 volts
D. 2000 volts

Correct Answer: C

Section: Security Engineering Explanation

Explanation/Reference:

Explanation:

Low humidity of less than 40 percent increases the static electricity damage potential. A static charge of 4000 volts is possible under normal humidity conditions on a hardwood or vinyl floor, and charges up to 20,000 volts or more are possible under conditions of very low humidity with non-static-free carpeting. Although you cannot control the weather, you certainly can control your relative humidity level in the computer room through your HVAC systems.

The following list shows the damage that static electricity charges of various sizes can do to computer hardware:

40 volts: Sensitive circuits and transistors
1,000 volts: Scramble monitor display
1,500 volts: Disk drive data loss
2,000 volts: System shutdown
4,000 volts: Printer jam
17,000 volts: Permanent chip damage

Incorrect Answers:

A: 550 volts is not enough to cause disk drive data loss. Therefore, this answer is incorrect.

B: 1000 volts is not enough to cause disk drive data loss. Therefore, this answer is incorrect.

D: 1500 volts, not 2000 volts, is the minimum charge that causes disk drive data loss. Therefore, this answer is incorrect.

References:

Krutz, Ronald L. and Russell Dean Vines, The CISSP and CAP Prep Guide: Mastering CISSP and CAP, Wiley Publishing, Indianapolis, 2007, p. 460

QUESTION 274

Which of the following statements relating to the Bell-LaPadula security model is FALSE (assuming the Strong Star property is not being used)?

A. A subject is not allowed to read up.

B. The *-property restriction can be escaped by temporarily downgrading a high level subject.

C. A subject is not allowed to read down.

D. It is restricted to confidentiality.

Correct Answer: C

Section: Security Engineering Explanation

Explanation/Reference:

Explanation:

The statement that a subject is not allowed to read down in the Bell-LaPadula security model is FALSE.

The Bell-LaPadula model was developed to make sure secrets stay secret; thus, it provides and addresses confidentiality only.

The Bell-LaPadula model is a subject-to-object model. An example would be how you (subject) could read a data element (object) from a specific database and write data into that database.

Three main rules are used and enforced in the Bell-LaPadula model: the simple security rule, the *-property (star property) rule, and the strong star property rule. The simple security rule states that a subject at a given security level cannot read data that reside at a higher security level. For example, if Bob is given the security clearance of secret, this rule states he cannot read data classified as top secret. If the organization wanted Bob to be able to read top-secret data, it would have given him that clearance in the first place.

The *-property rule (star property rule) states that a subject in a given security level cannot write information to a lower security level. The simple security rule is referred to as the “no read up” rule, and the *-property rule is referred to as the “no write down” rule. The third rule, the strong star property rule, states that a subject that has read and write capabilities can only perform those functions at the same security level; nothing higher and nothing lower. So, for a subject to be able to read and write to an object, the clearance and classification must be equal.

Incorrect Answers:

A: It is true that a subject is not allowed to read up in the Bell-LaPadula model.

B: It is true that the *-property restriction in the Bell-LaPadula model can be escaped by temporarily downgrading a high level subject.

D: It is true that the Bell-LaPadula model is restricted to confidentiality.

References:

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, pp. 369-372

QUESTION 275

Which of the following is a class A fire?

A. common combustibles
B. liquid
C. electrical
D. Halon

Correct Answer: A

Section: Security Engineering Explanation

Explanation/Reference:

Explanation:

Class A fires involve “common combustibles”; these are ordinary combustible materials, such as cloth, wood, paper, rubber, and many plastics.

Incorrect Answers:

B: A flammable liquid fire (such as gasoline, oil, lacquers) is a Class B fire. Therefore, this answer is incorrect.

C: Electrical fires are Class C fires. Therefore, this answer is incorrect.

D: Halon is not flammable; it is a gas used to suppress fires. Therefore, this answer is incorrect.

References:

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, p. 472

QUESTION 276

Which of the following statements relating to the Biba security model is FALSE?

A. It is a state machine model.

B. A subject is not allowed to write up.

C. Integrity levels are assigned to subjects and objects.

D. Programs serve as an intermediate layer between subjects and objects.

Correct Answer: D

Section: Security Engineering Explanation

Explanation/Reference:

Explanation:

The statement, “Programs serve as an intermediate layer between subjects and objects” in the Biba model is FALSE. The Clark–Wilson model uses programs as an intermediate layer between subjects and objects.

The Biba model was developed after the Bell-LaPadula model. It is a state machine model similar to the Bell-LaPadula model. Biba addresses the integrity of data within applications. The Bell-LaPadula model uses a lattice of security levels (top secret, secret, sensitive, and so on). These security levels were developed mainly to ensure that sensitive data were only available to authorized individuals. The Biba model is not concerned with security levels and confidentiality, so it does not base access decisions upon this type of lattice. Instead, the Biba model uses a lattice of integrity levels.

If implemented and enforced properly, the Biba model prevents data from any integrity level from flowing to a higher integrity level. Biba has three main rules to provide this type of protection:

*-integrity axiom: A subject cannot write data to an object at a higher integrity level (referred to as “no write up”).

Simple integrity axiom: A subject cannot read data from a lower integrity level (referred to as “no read down”).

Invocation property: A subject cannot request service (invoke) of higher integrity.

Incorrect Answers:

A: The Biba model is a state machine model.

B: It is true that a subject is not allowed to write up in the Biba model.

C: It is true that integrity levels are assigned to subjects and objects in the Biba model.

References:

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 372

QUESTION 277

Which of the following organizations PRODUCES and PUBLISHES the Federal Information Processing Standards (FIPS)?

A. The National Computer Security Center (NCSC)
B. The National Institute of Standards and Technology (NIST)
C. The National Security Agency (NSA)
D. The American National Standards Institute (ANSI)

Correct Answer: B

Section: Security Engineering Explanation

Explanation/Reference:

Explanation:

The Federal Information Processing Standards (FIPS) are standards for adoption and use by United States Federal departments and agencies; they are developed within the Information Technology Laboratory and published by the National Institute of Standards and Technology (NIST), a part of the U.S. Department of Commerce. FIPS describe document processing, encryption algorithms and other information technology standards for use within non-military government agencies and by government contractors and vendors who work with those agencies. Each standard covers a specific topic in information technology (IT) and strives to achieve a common level of quality or interoperability.

Incorrect Answers:

A: The National Computer Security Center (NCSC) does not produce or publish the Federal Information Processing Standards (FIPS).

C: The National Security Agency (NSA) does not produce or publish the Federal Information Processing Standards (FIPS).

D: The American National Standards Institute (ANSI) does not produce or publish the Federal Information Processing Standards (FIPS).

References:

http://whatis.techtarget.com/definition/Federal-Information-Processing-Standards-FIPS

QUESTION 278

What is the main focus of the Bell-LaPadula security model?

A. Accountability
B. Integrity
C. Confidentiality
D. Availability

Correct Answer: C

Section: Security Engineering Explanation

Explanation/Reference:

Explanation:

The Bell-LaPadula model was developed to ensure that secrets stay secret. Therefore, it provides and addresses confidentiality only.

Incorrect Answers:

A: The main focus of the Bell-LaPadula security model is confidentiality, not accountability.

B: The main focus of the Bell-LaPadula security model is confidentiality, not integrity. The Biba model is focused on integrity.

D: The main focus of the Bell-LaPadula security model is confidentiality, not availability.

References:

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, pp. 369-373

https://en.wikipedia.org/wiki/Bell-La_Padula_model

QUESTION 279

Which of the following suppresses combustion by disrupting a chemical reaction and, by doing so, kills the fire?

A. Halon
B. CO2
C. water
D. soda acid

Correct Answer: A

Section: Security Engineering Explanation

Explanation/Reference:

Explanation:

Halon is a gas that was widely used in the past to suppress fires because it interferes with the chemical combustion of the elements within a fire. It mixes quickly with the air and does not cause harm to computer systems and other data processing devices. It was used mainly in data centers and server rooms.

It was discovered that halon has chemicals (chlorofluorocarbons) that deplete the ozone and that concentrations greater than 10 percent are dangerous to people. Halon used on extremely hot fires degrades into toxic chemicals, which is even more dangerous to humans.

Halon has not been manufactured since January 1, 1992, by international agreement. The Montreal Protocol banned halon in 1987, and countries were given until 1992 to comply with these directives. The most effective replacement for halon is FM-200, which is similar to halon but does not damage the ozone.

Incorrect Answers:

B: CO2 suppresses fire by starving it of oxygen, not by disrupting a chemical reaction. Therefore, this answer is incorrect.

C: Water suppresses fire by lowering the temperature of the fuel to below its ignition point or by dispersing the fuel, not by disrupting a chemical reaction. Therefore, this answer is incorrect.

D: Soda acid fire extinguishers are CO2-based fire extinguishers. The soda and the acid react to produce CO2. CO2 suppresses fire by starving it of oxygen, not by disrupting a chemical reaction. Therefore, this answer is incorrect.

References:

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, p. 473

QUESTION 280

Which of the following is a class C fire?

A. electrical
B. liquid
C. common combustibles
D. soda acid

Correct Answer: A

Section: Security Engineering Explanation

Explanation/Reference:

Explanation:

Class C fires are electrical fires.

Class C fires are electrical fires, which may occur in electrical equipment or wiring. Class C fire extinguishers use gas, CO2 or dry powders, as these extinguishing agents are non-conductive.

Incorrect Answers:

B: A flammable liquid fire (such as gasoline, oil, lacquers) is a Class B fire. Therefore, this answer is incorrect.

C: A common combustibles fire (such as wood, paper, cloth) is a Class A fire. Therefore, this answer is incorrect.

D: Soda acid is not a type of fire; it’s a type of fire extinguisher. Therefore, this answer is incorrect.

References:

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, p. 472

QUESTION 281

Which of the following statements pertaining to the Bell-LaPadula model is TRUE if you are NOT making use of the strong star property?

A. It allows "read up."

B. It addresses covert channels.

C. It addresses management of access controls.

D. It allows "write up."

Correct Answer: D

Section: Security Engineering Explanation

Explanation/Reference:

Explanation:

Three main rules are used and enforced in the Bell-LaPadula model: the simple security rule, the *-property (star property) rule, and the strong star property rule. The simple security rule states that a subject at a given security level cannot read data that reside at a higher security level.

The *-property rule (star property rule) states that a subject in a given security level cannot write information to a lower security level. The simple security rule is referred to as the “no read up” rule, and the *-property rule is referred to as the “no write down” rule.

The third rule, the strong star property rule, states that a subject that has read and write capabilities can only perform those functions at the same security level; nothing higher and nothing lower. So, for a subject to be able to read and write to an object, the clearance and classification must be equal.

If you are NOT making use of the strong star property, then there is no rule preventing you from writing up.
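To make the three rules concrete, the following is an added Python reference-monitor sketch (not code from the exam guide or from this question bank) that encodes the Bell-LaPadula rules from this explanation and, going one step further, the Biba integrity rules from question 276; the level names, the decision_table helper and the subject Bob are constructed for the demonstration.

```python
# Added example (not from the exam guide): a minimal reference monitor that
# encodes the Bell-LaPadula rules (confidentiality) and the Biba rules
# (integrity) as stated in the explanations. Level names and the subject
# "Bob" are constructed for the demo.
from enum import IntEnum


class Level(IntEnum):
    """Ordered security/integrity levels; a higher number is a higher level."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def blp_allows(action: str, subject: Level, obj: Level, strong_star: bool = False) -> bool:
    """Bell-LaPadula: simple security rule (no read up) and *-property (no write down).

    Without the strong star property nothing forbids writing up, which is why
    "it allows write up" is the TRUE statement. With the strong star property a
    subject may only read and write at exactly its own level.
    """
    if action not in ("read", "write"):
        raise ValueError(f"unknown action {action!r}")
    if strong_star:
        return subject == obj
    if action == "read":
        return subject >= obj  # may read at or below own clearance (read down is fine)
    return subject <= obj      # may write at or above own clearance (write up is fine)


def biba_allows(action: str, subject: Level, obj: Level) -> bool:
    """Biba: simple integrity axiom (no read down), *-integrity axiom (no write up),
    invocation property (no invoking a service of higher integrity)."""
    if action == "read":
        return subject <= obj  # object must be at or above the subject's integrity
    if action in ("write", "invoke"):
        return subject >= obj  # object/service must be at or below the subject's integrity
    raise ValueError(f"unknown action {action!r}")


def decision_table(subject: Level, strong_star: bool = False) -> dict:
    """Every (model, action, object level) decision for one subject under both models."""
    table = {}
    for obj in Level:
        for action in ("read", "write"):
            table[("BLP", action, obj.name)] = blp_allows(action, subject, obj, strong_star)
            table[("Biba", action, obj.name)] = biba_allows(action, subject, obj)
    return table


if __name__ == "__main__":
    bob = Level.SECRET  # constructed: Bob holds a Secret clearance
    for (model, action, level), allowed in sorted(decision_table(bob).items()):
        print(f"{model:4} {action:5} {level:12} -> {'allow' if allowed else 'deny'}")
```

Running it shows Bob (Secret) may write to Top Secret under plain Bell-LaPadula but not once strong_star=True, and may read Confidential under Bell-LaPadula but not under Biba.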

Incorrect Answers:

A: The simple security rule, referred to as the “no read up” rule, will prevent you from reading up.

B: The Bell-LaPadula model does not address covert channels.

C: The Bell-LaPadula model does not address management of access controls.

References:

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, pp. 369-370

QUESTION 282

Which security model ensures that actions that take place at a higher security level do not affect actions that take place at a lower level?

A. The Bell-LaPadula model
B. The information flow model
C. The noninterference model
D. The Clark-Wilson model

Correct Answer: C

Section: Security Engineering Explanation

Explanation/Reference:

Explanation:

Multilevel security properties can be expressed in many ways, one being noninterference. This concept is implemented to ensure any actions that take place at a higher security level do not affect, or interfere with, actions that take place at a lower level. This type of model does not concern itself with the flow of data, but rather with what a subject knows about the state of the system. So if an entity at a higher security level performs an action, it cannot change the state for the entity at the lower level.

If a lower-level entity was aware of a certain activity that took place by an entity at a higher level and the state of the system changed for this lower-level entity, the entity might be able to deduce too much information about the activities of the higher state, which in turn is a way of leaking information. Users at a lower security level should not be aware of the commands executed by users at a higher level and should not be affected by those commands in any way.

Incorrect Answers:

A: The Bell–LaPadula model is a state machine model used for enforcing access control in government and military applications. This is not what is described in the question.

B: The information flow model forms the basis of other models such as Bell–LaPadula or Biba. This is not what is described in the question.

D: The Clark-Wilson model prevents unauthorized users from making modifications, prevents authorized users
