Get The Important Preparation Guide With CISSP Dumps [Q752-Q770]

In a lattice model, there are pairs of elements that have the least upper bound of values and greatest lower bound of values. In a Mandatory Access Control (MAC) model, users and data owners do not have as much freedom to determine who can access files.
FIRST: The Lattice
A lattice is simply an access control tool usually used to implement Mandatory Access Control (MAC) and it could also be used to implement RBAC but this is not as common. The lattice model can be used for Integrity level or file permissions as well. The lattice has a least upper bound and greatest lower bound. It makes use of pair of elements such as the subject security clearance pairing with the object sensitivity label.
SECOND: DAC (Discretionary Access Control)
Let’s get into Discretionary Access Control: It is an access control method where the owner (read
the creator of the object) will decide who has access at his own discretion. As we all know, users
are sometimes insane. They will share their files with other users based on their identity but
nothing prevent the user from further sharing it with other users on the network. Very quickly you
loose control on the flow of information and who has access to what. It is used in small and
friendly environment where a low level of security is all that is required.
THIRD: MAC (Mandatory Access Control)
All of the following are forms of Mandatory Access Control:
Mandatory Access control (MAC) (Implemented using the lattice)
You must remember that MAC makes use of Security Clearance for the subject and also Labels
will be assigned to the objects. The clearance of the Subject must dominate (be equal or higher)
the clearance of the Object being accessed. The label attached to the object will indicate the
sensitivity leval and the categories the object belongs to. The categories are used to implement
the Need to Know.
All of the following are forms of Non Discretionary Access Control:
Role Based Access Control (RBAC)
Rule Based Access Control (Think Firewall in this case)
The official ISC2 book says that RBAC (synonymous with Non Discretionary Access Control) is a
form of DAC but they are simply wrong. RBAC is a form of Non Discretionary Access Control. Non
Discretionary DOES NOT equal mandatory access control as there is no labels and clearance
involved.
I hope this clarifies the whole drama related to what is what in the world of access control.
In the same line of taught, you should be familiar with the difference between Explicit permission
(the user has his own profile) versus Implicit (the user inherit permissions by being a member of a
role for example).
The following answers are incorrect:
Discretionary access control. Is incorrect because in a Discretionary Access Control (DAC) model,
access is restricted based on the authorization granted to the users. It is identity based access
control only. It does not make use of a lattice.
Non-discretionary access control. Is incorrect because Non-discretionary Access Control (NDAC)
uses the role-based access control method to determine access rights and permissions. It is often
times used as a synonym to RBAC which is Role Based Access Control. The user inherit
permission from the role when they are assigned into the role. This type of access could make use
of a lattice but could also be implemented without the use of a lattice in some case. Mandatory
Access Control was a better choice than this one, but RBAC could also make use of a lattice. The
BEST answer was MAC.
Rule-based access control. Is incorrect because it is an example of a Non-discretionary Access
Control (NDAC) access control mode. You have rules that are globally applied to all users. There
is no such thing as a lattice being use in Rule-Based Access Control.
References:
AIOv3 Access Control (pages 161 – 168)
AIOv3 Security Models and Architecture (pages 291 – 293)

“Preventive-Administrative The following are the soft mechanisms that are put into place to enforce access control and protection for the company as a whole: Policies and procedures Effective hiring practices Pre-employment background checks Controlled termination processes Data classification and labeling Security awareness”
Pg. 157 Shon Harris: All-In-One CISSP Certification Guide.

A tool used to provide the authentication of the sender of a message. It can verify the origin of the message along with the identity of the sender. IT is unique for every transaction and created with a private key. – Shon Harris All-in-one CISSP Certification Guide pg 930
“Secure Multipurpose Internet Mail Extensions (S/MIME) offers authentication and privacy to e-mail through secured attachments. Authentication is provided through X.509 digital certificates. Privacy is provided through the use of Public Key Cryptography Standard (PKCS) Enryption. Two types of messages can be formed using S/MIME: signed messages and enveloped messages. A signed message provides integrity and sender authentication. An enveloped message provides ntegrity, sender authentication, and confidentiality.” Pg 123 Tittle: CISSP Study Guide

The keyword PRIMARY is used in the question. Accountability should be the primary concern if critical servers can be accessed only by using shared user id and password. It would be very difficult to track the changes done by employee on critical server. For your exam you should know the information below:
Accountability Ultimately one of the drivers behind strong identification, authentication, auditing and session management is accountability. Accountability is fundamentally about being able to determine who or what is responsible for an action and can be held responsible. A closely related information assurance topic is non-repudiation. Repudiation is the ability to deny an action, event, impact or result. Non-repudiation is the process of ensuring a user may not deny an action. Accountability relies heavily on non-repudiation to ensure users, processes and actions may be held responsible for impacts.
The following contribute to ensuring accountability of actions: Strong identification Strong authentication User training and awareness Comprehensive, timely and thorough monitoring Accurate and consistent audit logs Independent audits Policies enforcing accountability Organizational behaviour supporting accountability
The following answers are incorrect:
The other options are also valid concern. But the primary concern should be accountability.
Following reference(s) were/was used to create this question:
CISA review manual 2014 Page number 328 and 329
Official ISC2 guide to CISSP CBK 3rd Edition Page number 114

This kind of attack involves altering the raw data just before it is processed by a computer and then changing it back after the processing is completed. This kind of attack was used in the past to steal small quantities of money and transfer them to the attackers account, there are many other uses too. Trojan horses open ports without the user knowledge to permit remote control and a Virus is a malicious piece of code that executed inside your computer.

Explanation/Reference:
Explanation:
Attenuation is the loss of signal strength (amplitude) as it travels. The longer a cable, the more attenuation occurs, which causes the signal carrying the data to deteriorate. This
Incorrect Answers:
A: Crosstalk is not decrease in amplitude. Crosstalk is a phenomenon that occurs when electrical signals of one wire spill over to the signals of another wire.
B: Loss in signal strength is called attenuation. Noise does not affect signal strength.
C: Delay distortion does not affect signal strength.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 561

Explanation/Reference:
Explanation:
Integrity does not prevent paths that could lead to inappropriate disclosure.
Integrity is upheld when the assurance of the accuracy and reliability of information and systems is provided and any unauthorized modification is prevented. Environments that enforce and provide this attribute of security ensure that attackers, or mistakes by users, do not compromise the integrity of systems or data.
Users usually affect a system or its data’s integrity by mistake (although internal users may also commit malicious deeds). For example, a user may insert incorrect values into a data processing application that ends up charging a customer $3,000 instead of $300.
Incorrect Answers:
A: A goal of integrity is to prevent unauthorized users from making modifications.
B. A goal of integrity is to maintain internal and external consistency.
C. A goal of integrity is to prevent authorized users from making improper modifications.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 23

Explanation/Reference:
Explanation:
Phishing is the attempt to get information such as usernames, passwords, and credit card details commonly through email spoofing and instant messaging that contain links directing the unsuspecting user to enter details at a fake website whose look and feel are almost identical to the legitimate website.
Attempts to deal with phishing include legislation, user training, public awareness, and technical security measures.
Incorrect Answers:
A: A smurf attack is a distributed denial of service (DDoS) attack in which an ICMP ECHO REQUEST packet with the victims spoofed source address is sent to the victim’s network broadcast address. Each system on the victim’s subnet receives an ICMP ECHO REQUEST packet and replies with an ICMP ECHO REPLY packet to the spoof address in the ICMP ECHO REQUEST packet. This floods the victims system, causing it to slow down, freeze, crash, or reboot.
B: A traffic analysis attack is carried out to uncover information by analyzing traffic patterns on a network.
Traffic padding can be used to counter this kind of attack, in which decoy traffic is sent out over the network to disguise patterns and make it more difficult to uncover them.
D: An interrupt or denial of service (DoS) attack occurs when an attacker sends multiple service requests to the victim’s computer until they eventually overwhelm the system, causing it to freeze, reboot, and ultimately not be able to carry out regular tasks.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, pp. 271-273, 587,
1293, 1294
http://en.wikipedia.org/wiki/Phishing

Explanation/Reference:
Explanation:
An object’s sensitivity label contains one classification and multiple categories which represent compartments of information within a system.
When the MAC model is being used, every subject and object must have a sensitivity label, also called a security label. It contains a classification and different categories. The classification indicates the sensitivity level, and the categories enforce need-to-know rules.
The classifications follow a hierarchical structure, with one level being more trusted than another.
However, the categories do not follow a hierarchical scheme, because they represent compartments of information within a system. The categories can correspond to departments (UN, Information Warfare, Treasury), projects (CRM, AirportSecurity, 2011Budget), or management levels. In a military environment, the classifications could be top secret, secret, confidential, and unclassified. Each classification is more trusted than the one below it. A commercial organization might use confidential, proprietary, corporate, and sensitive. The definition of the classification is up to the organization and should make sense for the environment in which it is used.
Incorrect Answers:
A: An object’s sensitivity label contains a single classification, not a classification set and multiple categories (compartments), not a single compartment.
B: An object’s sensitivity label contains multiple categories (compartments), not a single compartment.
C: An object’s sensitivity label contains a single classification, not a classification set. Furthermore, an object’s sensitivity label does not contain user credentials.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 223

A Kerberos ticket is issued by a trusted third party. It is an encrypted data structure that includes the service encryption key. In that sense it is similar to a public-key certificate. However, the ticket is not the key.
The following answers are incorrect:
public keys. Kerberos tickets are not shared out publicly, so they are not like a PKI public key.
private keys. Although a Kerberos ticket is not shared publicly, it is not a private key.
Private keys are associated with Asymmetric crypto system which is not used by Kerberos.
Kerberos uses only the Symmetric crypto system.
private key certificates. This is a detractor. There is no such thing as a private key certificate.