A Wide Area Network (WAN) is basically everything outside of:
Correct Answer: A
Section: Network and Telecommunications Explanation/Reference: A WAN is basically everything outside of a LAN. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 99.
Question 943
Which of the following would be used to implement Mandatory Access Control (MAC)?
Correct Answer: C
Explanation/Reference: The lattice is a mechanism use to implement Mandatory Access Control (MAC) Under Mandatory Access Control (MAC) you have: Mandatory Access Control Under Non Discretionary Access Control (NDAC) you have: Rule-Based Access Control Role-Based Access Control Under Discretionary Access Control (DAC) you have: Discretionary Access Control The Lattice Based Access Control is a type of access control used to implement other access control method. A lattice is an ordered list of elements that has a least upper bound and a most lower bound. The lattice can be used for MAC, DAC, Integrity level, File Permission, and more For example in the case of MAC, if we look at common government classifications, we have the following: TOP SECRET SECRET -----------------------I am the user at secret CONFIDENTIAL SENSITIVE BUT UNCLASSIFIED UNCLASSIFIED If you look at the diagram above where I am a user at SECRET it means that I can access document at lower classification but not document at TOP SECRET. The lattice is a list of ORDERED ELEMENT, in this case the ordered elements are classification levels. My least upper bound is SECRET and my most lower bound is UNCLASSIFIED. However the lattice could also be used for Integrity Levels such as: VERY HIGH HIGH MEDIUM ----------I am a user, process, application at the medium level LOW VERY LOW In the case of of Integrity levels you have to think about TRUST. Of course if I take for example the the VISTA operating system which is based on Biba then Integrity Levels would be used. As a user having access to the system I cannot tell a process running with administrative privilege what to do. Else any users on the system could take control of the system by getting highly privilege process to do things on their behalf. So no read down would be allowed in this case and this is an example of the Biba model. Last but not least the lattice could be use for file permissions: RWX RW ---------User at this level R If I am a user with READ and WRITE (RW) access privilege then I cannot execute the file because I do not have execute permission which is the X under linux and UNIX. Many people confuse the Lattice Model and many books says MAC = LATTICE, however the lattice can be use for other purposes. There is also Role Based Access Control (RBAC) that exists out there. It COULD be used to simulate MAC but it is not MAC as it does not make use of Label on objects indicating sensitivity and categories. MAC also require a clearance that dominates the object. You can get more info about RBAC at:http://csrc.nist.gov/groups/SNS/rbac/faq.html#03 Also note that many book uses the same acronym for Role Based Access Control and Rule Based Access Control which is RBAC, this can be confusing. The proper way of writing the acronym for Rule Based Access Control is RuBAC, unfortunately it is not commonly used. References: There is a great article on technet that talks about the lattice in VISTA: http://blogs.technet.com/b/steriley/archive/2006/07/21/442870.aspx also see: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 33). and http://www.microsoft-watch.com/content/vista/gaging_vistas_integrity.html
Question 944
Which of the following questions is less likely to help in assessing an organization's contingency planning controls?
Correct Answer: A
Section: Risk, Response and Recovery Explanation/Reference: Contingency planning involves more than planning for a move offsite after a disaster destroys a facility. It also addresses how to keep an organization's critical functions operating in the event of disruptions, large and small. Handling of damaged media is an operational task related to regular production and is not specific to contingency planning. Source: SWANSON, Marianne, NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems, November 2001 (Pages A-27 to A-28).
Question 945
When first analyzing an intrusion that has just been detected and confirming that it is a true positive, which of the following actions should be done as a first step if you wish to prosecute the attacker in court?
Correct Answer: C
When an intrusion has been detected and confirmed, if you wish to prosecute the attacker in court, the following actions should be performed in the following order: Capture and record system information and evidence that may be lost, modified, or not captured during the execution of a backup procedure. Start with the most volative memory areas first. Make at least two full backups of the compromised systems, using hardware-write- protectable or write-once media. A first backup may be used to re-install the compromised system for further analysis and the second one should be preserved in a secure location to preserve the chain of custody of evidence. Isolate the compromised systems. Search for signs of intrusions on other systems. Examine logs in order to gather more information and better identify other systems to which the intruder might have gained access. Search through logs of compromised systems for information that would reveal the kind of attacks used to gain access. Identify what the intruder did, for example by analyzing various log files, comparing checksums of known, trusted files to those on the compromised machine and by using other intrusion analysis tools. Regardless of the exact steps being followed, if you wish to prosecute in a court of law it means you MUST capture the evidence as a first step before it could be lost or contaminated. You always start with the most volatile evidence first. NOTE: I have received feedback saying that some other steps may be done such as Disconnecting the system from the network or shutting down the system. This is true. However, those are not choices listed within the 4 choices attached to this question, you MUST avoid changing the question. You must stick to the four choices presented and pick which one is the best out of the four presented. In real life, Forensic is not always black or white. There are many shades of grey. In real life you would have to consult your system policy (if you have one), get your Computer Incident team involved, and talk to your forensic expert and then decide what is the best course of action. Reference(s) Used for this question: http://www.newyorkcomputerforensics.com/learn/forensics_process.php and ALLEN, Julia H., The CERT Guide to System and Network Security Practices, Addison- Wesley, 2001, Chapter 7: Responding to Intrusions (pages 273-277).
Question 946
Which of the following is NOT a technical control?
Correct Answer: C
Explanation/Reference: It is considered to be a 'Physical Control' There are three broad categories of access control: administrative, technical, and physical. Each category has different access control mechanisms that can be carried out manually or automatically. All of these access control mechanisms should work in concert with each other to protect an infrastructure and its data. Each category of access control has several components that fall within it, a partial list is shown here. Not all controls fall into a single category, many of the controls will be in two or more categories. Below you have an example with backups where it is in all three categories: Administrative Controls Policy and procedures - A backup policy would be in place Personnel controls Supervisory structure Security-awareness training Testing Physical Controls Network segregation Perimeter security Computer controls Work area separation Data backups (actual storage of the media, i:e Offsite Storage Facility) Cabling Technical Controls System access Network architecture Network access Encryption and protocols Control zone Auditing Backup (Actual software doing the backups) The following answers are incorrect : Password and resource management is considered to be a logical or technical control. Identification and authentication methods is considered to be a logical or technical control. Intrusion Detection Systems is considered to be a logical or technical control. Reference : Shon Harris , AIO v3 , Chapter - 4 : Access Control , Page : 180 - 185