What is the main problem of the renewal of a root CA certificate?
Correct Answer: B
The main task here is the authentic distribution of the new root CA certificate as new trust anchor to all the PKI participants (e.g. the users). In some of the rollover-scenarios there is no automatic way, often explicit assignment of trust from each user is needed, which could be very costly. Other methods make use of the old root CA certificate for automatic trust establishment (see PKIX-reference), but these solutions works only well for scenarios with currently valid root CA certificates (and not for emergency cases e.g. compromise of the current root CA certificate). The rollover of the root CA certificate is a specific and delicate problem and therefore are often ignored during PKI deployment. Reference: Camphausen, I.; Petersen, H.; Stark, C.: Konzepte zum Root CA Zertifikatswechsel, conference Enterprise Security 2002, March 26-27, 2002, Paderborn; RFC 2459 : Internet X.509 Public Key Infrastructure Certificate and CRL Profile.
Question 898
Which of the following NAT firewall translation modes offers no protection from hacking attacks to an internal host using this functionality?
Correct Answer: D
Static translation (also called port forwarding), assigns a fixed address to a specific internal network resource (usually a server). Static NAT is required to make internal hosts available for connection from external hosts. It merely replaces port information on a one-to-one basis. This affords no protection to statistically translated hosts: hacking attacks will be just as efficiently translated as any other valid connection attempt. NOTE FROM CLEMENT: Hiding Nat or Overloaded Nat is when you have a group of users behind a unique public IP address. This will provide you with some security through obscurity where an attacker scanning your network would see the unique IP address on the outside of the gateway but could not tell if there is one user, ten users, or hundreds of users behind that IP. NAT was NEVER built as a security mechanism. In the case of Static NAT used for some of your servers for example, your web server private IP is map to a valid external public IP on a one on one basis, your SMTP server private IP is mapped to a static public IP, and so on. If an attacker scan the IP address range on the external side of the gateway he would discover every single one of your servers or any other hosts using static natting. Ports that are open, services that are listening, and all of this info could be gathered just as if the server was in fact using a public IP. It does not provide this security through obscurity mentioned above. All of the other answer are incorrect. Reference used for this question: STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 7: Network Address Translation.
Question 899
Which method of password cracking takes the most time and effort?
Correct Answer: B
Question 900
As a result of a risk assessment, your security manager has determined that your organization needs to implement an intrusion detection system that can detect unknown attacks and can watch for unusual traffic behavior, such as a new service appearing on the network. What type of intrusion detection system would you select?
Correct Answer: D
Traffic anomaly-based is the correct choice. An anomaly based IDS can detect unknown attacks. A traffic anomaly based IDS identifies any unacceptable deviation from expected behavior based on network traffic. Protocol anomaly based is not the best choice as while a protocol anomaly based IDS can identify unknown attacks, this type of system is more suited to identifying deviations from established protocol standards such as HTTP. This type of IDS faces problems in analyzing complex or custom protocols. Pattern matching is not the best choice as a pattern matching IDS cannot identify unknown attacks. This type of system can only compare packets against signatures of known attacks. Stateful matching is not the best choice as a statful matching IDS cannot identify unknown attacks. This type of system works by scanning traffic streams for patterns or signatures of attacks. Reference: Official guide to the CISSP CBK. pages 198 to 201
Question 901
Which of the following statements pertaining to the Bell-LaPadula is TRUE if you are NOT making use of the strong star property?
Correct Answer: D
Section: Access Control Explanation/Reference: Bell-LaPadula Confidentiality Model10 The Bell-LaPadula model is perhaps the most well-known and significant security model, in addition to being one of the oldest models used in the creation of modern secure computing systems. Like the Trusted Computer System Evaluation Criteria (or TCSEC), it was inspired by early U.S. Department of Defense security policies and the need to prove that confidentiality could be maintained. In other words, its primary goal is to prevent disclosure as the model system moves from one state (one point in time) to another. When the strong star property is not being used it means that both the property and the Simple Security Property rules would be applied. The Star (*) property rule of the Bell-LaPadula model says that subjects cannot write down, this would compromise the confidentiality of the information if someone at the secret layer would write the object down to a confidential container for example. The Simple Security Property rule states that the subject cannot read up which means that a subject at the secret layer would not be able to access objects at Top Secret for example. You must remember: The model tells you about are NOT allowed to do. Anything else would be allowed. For example within the Bell LaPadula model you would be allowed to write up as it does not compromise the security of the information. In fact it would upgrade it to the point that you could lock yourself out of your own information if you have only a secret security clearance. The following are incorrect answers because they are all FALSE: "It allows read up" is incorrect. The "simple security" property forbids read up. "It addresses covert channels" is incorrect. Covert channels are not addressed by the Bell-LaPadula model. "It addresses management of access controls" is incorrect. Management of access controls are beyond the scope of the Bell-LaPadula model. Reference(s) used for this question: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 17595-17600). Auerbach Publications. Kindle Edition.