Which of the following would best describe a Concealment cipher?
Correct Answer: B
When a concealment cipher is used, every X number of words within a text, is a part of the real message. The message is within another message. A concealment cipher is a message within a message. If my other super-secret spy buddy and I decide our key value is every third word, then when I get a message from him, I will pick out every third word and write it down. Suppose he sends me a message that reads, "The saying, 'The time is right' is not cow language, so is now a dead subject." Because my key is every third word, I come up with "The right cow is dead." This again means nothing to me, and I am now turning in my decoder ring. Concealment ciphers include the plaintext within the ciphertext. It is up to the recipient to know which letters or symbols to exclude from the ciphertext in order to yield the plaintext. Here is an example of a concealment cipher: i2l32i5321k34e1245ch456oc12ol234at567e Remove all the numbers, and you'll have i like chocolate. How about this one? Larry even appears very excited. No one worries. The first letter from each word reveals the message leave now. Both are easy, indeed, but many people have crafted more ingenious ways of concealing the messages. By the way, this type of cipher doesn't even need ciphertext, such as that in the above examples. Consider the invisible drying ink that kids use to send secret messages. In a more extreme example, a man named Histiaeus, during 5th century B.C., shaved the head of a trusted slave, then tattooed the message onto his bald head. When the slave's hair grew back, Histiaeus sent the slave to the message's intended recipient, Aristagoros, who shaved the slave's head and read the message instructing him to revolt. The following answers are incorrect: A transposition cipher uses permutations. A substitution cipher replaces bits, characters, or blocks of characters with different bits, characters or blocks. Steganography refers to hiding the very existence of the message. Source: WALLHOFF, John, CBK#5 Cryptography (CISSP Study Guide), April 2002 (page 1). and also see: http://www.go4expert.com/forums/showthread.php?t=415
Question 407
Which security model ensures that actions that take place at a higher security level do not affect actions that take place at a lower level?
Correct Answer: C
The goal of a noninterference model is to strictly separate differing security levels to assure that higher-level actions do not determine what lower-level users can see. This is in contrast to other security models that control information flows between differing levels of users, By maintaining strict separation of security levels, a noninterference model minimizes leakages that might happen through a covert channel. The model ensures that any actions that take place at a higher security level do not affect, or interfere with, actions that take place at a lower level. It is not concerned with the flow of data, but rather with what a subject knows about the state of the system. So if an entity at a higher security level performs an action, it can not change the state for the entity at the lower level. The model also addresses the inference attack that occurs when some one has access to some type of information and can infer(guess) something that he does not have the clearance level or authority to know. The following are incorrect answers: The Bell-LaPadula model is incorrect. The Bell-LaPadula model is concerned only with confidentiality and bases access control decisions on the classfication of objects and the clearences of subjects. The information flow model is incorrect. The information flow models have a similar framework to the Bell-LaPadula model and control how information may flow between objects based on security classes. Information will be allowed to flow only in accordance with the security policy. The Clark-Wilson model is incorrect. The Clark-Wilson model is concerned with change control and assuring that all modifications to objects preserve integrity by means of well-formed transactions and usage of an access triple (subjet - interface - object). References: CBK, pp 325 - 326 AIO3, pp. 290 - 291 AIOv4 Security Architecture and Design (page 345) AIOv5 Security Architecture and Design (pages 347 - 348) https://en.wikibooks.org/wiki/Security_Architecture_and_Design/Security_Models#Noninterference _Models
Question 408
Making sure that the data has not been changed unintentionally, due to an accident or malice is:
Correct Answer: A
Integrity refers to the protection of information from unauthorized modification or deletion. Confidentiality is incorrect. Confidentiality refers to the protection of information from unauthorized disclosure. Availability is incorrect. Availability refers to the assurance that information and services will be available to authorized users in accordance with the service level objective. Auditability is incorrect. Auditability refers to the ability to trace an action to the identity that performed it and identify the date and time at which it occurred. References: CBK, pp. 5 - 6 AIO3, pp. 56 - 57
Question 409
Which of the following is less likely to be used today in creating a Virtual Private Network?
Correct Answer: D
L2F (Layer 2 Forwarding) provides no authentication or encryption. It is a Protocol that supports the creation of secure virtual private dial-up networks over the Internet. At one point L2F was merged with PPTP to produce L2TP to be used on networks and not only on dial up links. IPSec is now considered the best VPN solution for IP environments. Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw- Hill/Osborne, 2002, Chapter 8: Cryptography (page 507).
Question 410
What is the company benefit, in terms of risk, for people taking a vacation of a specified minimum length?
Correct Answer: C
Mandatory vacations are another type of administrative control that may sound a bit odd at first. Chapter 3 touches on reasons to make sure that employees take their vacations; this has to do with being able to identify fraudulent activities and enable job rotation to take place. -Shon Harris All-in-one CISSP Certification Guide pg 810