Which division of the Orange Book deals with discretionary protection (need-to-know)?
Correct Answer: B
Explanation/Reference: Explanation: The U.S. Department of Defense developed the Trusted Computer System Evaluation Criteria (TCSEC), which was used to evaluate operating systems, applications, and different products. These evaluation criteria are published in a book known as the Orange Book. TCSEC provides a classification system that is divided into hierarchical divisions of assurance levels: A. Verified protection B. Mandatory protection C. Discretionary protection D. Minimal security C1: Discretionary Security Protection: Discretionary access control is based on individuals and/or groups. It requires a separation of users and information, and identification and authentication of individual entities. Some type of access control is necessary so users can ensure their data will not be accessed and corrupted by others. The system architecture must supply a protected execution domain so privileged system processes are not adversely affected by lower-privileged processes. There must be specific ways of validating the system's operational integrity. The documentation requirements include design documentation, which shows that the system was built to include protection mechanisms, test documentation (test plan and results), a facility manual (so companies know how to install and configure the system correctly), and user manuals. Incorrect Answers: A: Division C, not D deals with discretionary protection. C: Division C, not B deals with discretionary protection. D: Division C, not A deals with discretionary protection. References: Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, pp. 392-394
Question 97
What is the BEST first step for determining if the appropriate security controls are in place for protecting data at rest?
Correct Answer: C
Question 98
The scope and focus of the Business continuity plan development depends most on:
Correct Answer: B
Explanation/Reference: Explanation: A BIA is performed at the beginning of business continuity planning to identify the areas that would suffer the greatest financial or operational loss in the event of a disaster or disruption. It identifies the company's critical systems needed for survival and estimates the outage time that can be tolerated by the company as a result of a disaster or disruption. Incorrect Answers: A: The Business continuity plan depends on the BIA, not on directives from Senior Management. C: The Business continuity plan depends on the BIA, not on Scope and Plan Initiation. D: The Business continuity plan depends on the BIA, not on Skills of BCP committee. References: Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, p. 909
Question 99
After following the processes defined within the change management plan, a super user has upgraded a device within an Information system. What step would be taken to ensure that the upgrade did NOT affect the network security posture?
Correct Answer: C
Question 100
What is NOT true with pre shared key authentication within IKE / IPsec protocol?
Correct Answer: B
Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a security association (SA) in the IPsec protocol suite. IKE builds upon the Oakley protocol and ISAKMP. IKE uses X.509 certificates for authentication which are either pre-shared or distributed using DNS (preferably with DNSSEC) and a Diffie-Hellman key exchange to set up a shared session secret from which cryptographic keys are derived. Internet Key Exchange (IKE) Internet key exchange allows communicating partners to prove their identity to each other and establish a secure communication channel, and is applied as an authentication component of IPSec. IKE uses two phases: Phase 1: In this phase, the partners authenticate with each other, using one of the following: Shared Secret: A key that is exchanged by humans via telephone, fax, encrypted e-mail, etc. Public Key Encryption: Digital certificates are exchanged. Revised mode of Public Key Encryption: To reduce the overhead of public key encryption, a nonce (a Cryptographic function that refers to a number or bit string used only once, in security engineering) is encrypted with the communicating partner's public key, and the peer's identity is encrypted with symmetric encryption using the nonce as the key. Next, IKE establishes a temporary security association and secure tunnel to protect the rest of the key exchange. Phase 2: The peers' security associations are established, using the secure tunnel and temporary SA created at the end of phase 1. The following reference(s) were used for this question: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 7032-7048). Auerbach Publications. Kindle Edition. and RFC 2409 at http://tools.ietf.org/html/rfc2409 and http://en.wikipedia.org/wiki/Internet_Key_Exchange