[Newest Version] Free CertBus ISC CISSP PDF and Exam Questions Download 100% Pass Exam

CertBus 2021 Newest ISC CISSP ISC Certification Exam VCE and PDF Dumps for Free Download!

CISSP ISC Certification Exam PDF and VCE Dumps : 970QAs Instant Download: https://www.certbus.com/CISSP.html [100% CISSP Exam Pass Guaranteed or Money Refund!!]
☆ Free view online pdf on CertBus free test CISSP PDF: https://www.certbus.com/online-pdf/CISSP.pdf
☆ CertBus 2021 Newest CISSP ISC Certification exam Question PDF Free Download from Google Drive Share: https://drive.google.com/file/d/0B_3QX8HGRR1mVXBDYy0tYmNFSHM/view?usp=sharing

Following CISSP 970QAs are all new published by ISC Official Exam Center

There is no doubt that the ISC Certification CISSP exam is a tough task to accomplish, but you should not be discouraged by the difficulties. CertBus provides the latest version of the CISSP Certified Information Systems Security Professional VCE dumps, free to download. Get a complete hold on the ISC Certification CISSP exam syllabus (updated Jan 13, 2021) through CertBus and boost your skills. Besides, the ISC dumps are the latest, and they will be a great help for your ISC Certification CISSP Certified Information Systems Security Professional exam.

CertBus – clear all your CISSP certification exams with the CertBus study guide: 100% pass rate and money back guarantee. CertBus – CISSP certification exams – original questions and answers – success guaranteed. CertBus – the hottest CISSP certification practice questions and answers, helping candidates get well prepared for their CISSP certification exams.

We at CertBus have our own expert team. They selected and published the latest CISSP preparation materials from the ISC Official Exam Center: https://www.certbus.com/CISSP.html

Question 1:

How can an individual/person best be identified or authenticated to prevent local masquerading attacks?

A. User Id and password

B. Smart card and PIN code

C. Two-factor authentication

D. Biometrics

Correct Answer: D

Explanation: The only way to be truly positive in authenticating identity for access is to base the authentication on the physical attributes of the persons themselves (i.e., biometric identification). Physical attributes cannot be shared, borrowed, or duplicated. They ensure that you do identify the person; however, they are not perfect and would have to be supplemented by another factor.

Some people are thrown off by the term masquerade. In general, a masquerade is a disguise. In terms of communications security, a masquerade is a type of attack where the attacker pretends to be an authorized user of a system in order to gain access to it or to gain greater privileges than they are authorized for. A masquerade may be attempted through the use of stolen logon IDs and passwords, through finding security gaps in programs, or through bypassing the authentication mechanism. Spoofing is another term used to describe this type of attack.

A UserId only provides for identification.

A password is a weak authentication mechanism since passwords can be disclosed, shared, written down, and more.

A smart card can be stolen and its corresponding PIN code can be guessed by an intruder. A smartcard can be borrowed by a friend of yours and you would have no clue as to who is really logging in using that smart card.

Any form of two-factor authentication not involving biometrics cannot be as reliable as a biometric system to identify the person.

See the extract below from the HISM book, volume 1:

Biometric identifying verification systems control people. If the person with the correct hand, eye, face, signature, or voice is not present, the identification and verification cannot take place and the desired action (i.e., portal passage, data, or resource access) does not occur. As has been demonstrated many times, adversaries and criminals obtain and successfully use access cards, even those that require the addition of a PIN. This is because these systems control only pieces of plastic (and sometimes information), rather than people. Real asset and resource protection can only be accomplished by people, not cards and information, because unauthorized persons can (and do) obtain the cards and information. Further, life-cycle costs are significantly reduced because no card or PIN administration system or personnel are required. The authorized person does not lose physical characteristics (i.e., hands, face, eyes, signature, or voice), but cards and PINs are continuously lost, stolen, or forgotten. This is why card access systems require systems and people to administer, control, record, and issue (new) cards and PINs. Moreover, the cards are an expensive and recurring cost.

NOTE FROM CLEMENT:

This question has been generating lots of interest. The keywords in the question are:

Individual (the person) and also the authenticated portion as well. I totally agree with you that Two Factor or Strong Authentication would be the strongest means of authentication. However, the question is not asking what is the strongest means of authentication; it is asking what is the best way to identify the user (individual) behind the technology. When answering questions, do not make assumptions about facts not presented in the question or answers.

Nothing can beat biometrics in such a case. You cannot lend your fingerprint and PIN to someone else; you cannot borrow one of my eyeballs to defeat the iris or retina scan. This is why it is the best method to authenticate the user. I think the reference is playing with semantics and that makes it a bit confusing. I have improved the question to make it a lot clearer and I have also improved the explanations attached to the question.

The reference mentioned above refers to authenticating the identity for access. So the distinction is being made that there is identity and there is authentication. In the case of physical security, the enrollment process is where the identity of the user would be validated, and then the biometric features provided by the user would authenticate the user on a one-to-one matching basis (for authentication) against the reference contained in the database of biometric templates. In the case of system access, the user might have to provide a username, a PIN, a passphrase, a smart card, and then provide his biometric attributes. Biometrics can also be used for identification purposes, where you do a one-to-many match. You take a facial scan of someone within an airport and you attempt to match it against a large database of known criminals and terrorists. This is how you could use biometrics for identification.

There are always THREE means of authentication, they are:

Something you know (Type 1)

Something you have (Type 2)

Something you are (Type 3)

Reference(s) used for this question:

TIPTON, Harold F. and KRAUSE, Micki, Information Security Management Handbook, 4th edition (volume 1) , 2000, CRC Press, Chapter 1, Biometric Identification (page 7).

and

Search Security at http://searchsecurity.techtarget.com/definition/masquerade


Question 2:

In a security context what are database views used for?

A. To ensure referential integrity

B. To allow easier access to data in a database

C. To restrict user access to data in a database

D. To provide audit trails

Correct Answer: C

Explanation: The use of a database view allows sensitive information to be hidden from unauthorized users. For example, the employee table might contain employee name, address, office extension and sensitive information such as social security number, etc. A view of the table could be constructed and assigned to the switchboard operator that only included the name and office extension.

To ensure referential integrity is incorrect. Referential integrity states that for each foreign key value in a database table, there must be another table that contains a record with that value as its primary key (CBK, p. 607). For example, consider a record in the line-items table of an order management database — this table contains a foreign key of part-number from the parts-master table. Referential integrity states that for each part-number value in the line-items table, there must be a matching record with that same value in the parts-master table. Referential integrity helps avoid consistency problems that could occur when, for example, a part-number was deleted from parts-master that still appeared on records in the line-items table.

To allow easier access to the database is incorrect. While views can be used for this purpose by, for example, combining information from several tables in a single view, this is not the best answer for the use of views in a security context.

To provide audit trails is incorrect. Since a view only affects what columns of a table are shown, this has nothing to do with providing an audit trail.

Reference(s) used for this question: CBK, p. 632; AIOv3, p. 168
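The switchboard-operator view from the explanation, as an added example (not from the page or any named source), built on SQLite; the table, columns and sample rows are constructed:

```python
import sqlite3

# Constructed sample rows; the SSNs are made up.
EMPLOYEES = [
    ("Alice Adams", "1 Main St", "1001", "000-00-0001"),
    ("Bob Brown", "2 Oak Ave", "1002", "000-00-0002"),
]


def build_db():
    """Base table with sensitive columns plus the restricted view for the switchboard."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employee ("
        " id INTEGER PRIMARY KEY, name TEXT, address TEXT, extension TEXT, ssn TEXT)"
    )
    conn.executemany(
        "INSERT INTO employee (name, address, extension, ssn) VALUES (?, ?, ?, ?)",
        EMPLOYEES,
    )
    # The operator's view exposes only what is needed to route a call:
    # name and extension. Address and SSN are simply not part of it.
    conn.execute(
        "CREATE VIEW switchboard_directory AS SELECT name, extension FROM employee"
    )
    return conn


def view_columns(conn):
    """Columns visible through the view (PRAGMA table_info also works on views)."""
    return [row[1] for row in conn.execute("PRAGMA table_info(switchboard_directory)")]


def operator_lookup(conn, name):
    """What the switchboard operator can retrieve for a given employee."""
    return conn.execute(
        "SELECT name, extension FROM switchboard_directory WHERE name = ?", (name,)
    ).fetchall()


def ssn_reachable_via_view(conn):
    """True if the SSN can be selected through the view; a hidden column raises an error."""
    try:
        conn.execute("SELECT ssn FROM switchboard_directory").fetchall()
        return True
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    db = build_db()
    print("view columns:", view_columns(db))
    print("operator lookup:", operator_lookup(db, "Alice Adams"))
    print("ssn reachable via view:", ssn_reachable_via_view(db))
```

In a production DBMS the operator's account is granted SELECT on the view only, with no privilege on the employee table; SQLite has no GRANT, so the example shows only the column restriction the view itself provides.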


Question 3:

Layer 2 of the OSI model has two sublayers. What are those sublayers, and what are two IEEE standards that describe technologies at that layer?

A. LCL and MAC; IEEE 802.2 and 802.3

B. LCL and MAC; IEEE 802.1 and 802.3

C. Network and MAC; IEEE 802.1 and 802.3

Correct Answer: A

Explanation: The data link layer, or Layer 2, of the OSI model is responsible for adding a header and a trailer to a packet to prepare the packet for the local area network or wide area network technology binary format for proper line transmission.

Layer 2 is divided into two functional sublayers.

The upper sublayer is the Logical Link Control (LLC) and is defined in the IEEE 802.2 specification. It communicates with the network layer, which is immediately above the data link layer.

Below the LLC is the Media Access Control (MAC) sublayer, which specifies the interface with the protocol requirements of the physical layer.

Thus, the specification for this layer depends on the technology of the physical layer. The IEEE MAC specification for Ethernet is 802.3, Token Ring is 802.5, wireless LAN is 802.11, and so on. When you see a reference to an IEEE standard, such as 802.11 or 802.16, it refers to the protocol working at the MAC sublayer of the data link layer of the protocol stack.

The following answers are incorrect:

LCL and MAC; IEEE 802.2 and 802.3 is incorrect because LCL is a distractor. The correct acronym for the upper sublayer of the data link layer is LLC. It stands for the Logical Link Control. By providing multiplexing and flow control mechanisms, the LLC enables the coexistence of network protocols within a multipoint network and their transportation over the same network media.

LCL and MAC; IEEE 802.1 and 802.3 is incorrect because LCL is a distractor. The sublayers of the data link layer are the Logical Link Control (LLC) and the Media Access Control (MAC). Furthermore, the LLC is defined in the IEEE 802.2 specification, not 802.1. The IEEE 802.1 specifications are concerned with protocol layers above the MAC and LLC layers. They address LAN/MAN architecture, network management, internetworking between LANs and WANs, link security, etc.

Network and MAC; IEEE 802.1 and 802.3 is incorrect because network is not a sublayer of the data link layer. The sublayers of the data link layer are the Logical Link Control (LLC) and the Media Access Control (MAC). The LLC sits between the network layer (the layer immediately above the data link layer) and the MAC sublayer. Also, the LLC is defined in the IEEE 802.2 specification, not IEEE 802.1. As just explained, 802.1 standards address areas of LAN/MAN architecture, network management, internetworking between LANs and WANs, and link security. The IEEE 802.1 group’s four active task groups are Internetworking, Security, Audio/Video Bridging, and Data Center Bridging.

The following reference(s) were/was used to create this question:

http://en.wikipedia.org/wiki/OSI_model


Question 4:

Which of the following access control models requires defining classification for objects?

A. Role-based access control

B. Discretionary access control

C. Identity-based access control

D. Mandatory access control

Correct Answer: D

Explanation: With mandatory access control (MAC), the authorization of a subject’s access to an object is dependent upon labels, which indicate the subject’s clearance, and the classification of objects.

The Following answers were incorrect:

Identity-based Access Control is a type of Discretionary Access Control (DAC); the two are synonymous.

Role Based Access Control (RBAC) and Rule Based Access Control (RuBAC or RBAC) are types of Non Discretionary Access Control (NDAC).

Tip:

When you have two answers that are synonymous they are not the right choice for sure.

There is only one access control model that makes use of labels, clearances, and categories: Mandatory Access Control. None of the other models makes use of those items.

Reference(s) used for this question:

KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 2: Access control systems (page 33).


Question 5:

Which access control method allows the data owner (the person who created the file) to control access to the information they own?

A. DAC – Discretionary Access Control

B. MAC – Mandatory Access Control

C. RBAC – Role-Based Access Control

D. NDAC – Non-Discretionary Access Control

Correct Answer: A

Explanation: DAC – Discretionary Access Control is where the user controls access to the data they create or manage.

It is the least secure method of access control because of a few factors:

– Employee changeover can lead to confusion of data ownership or abandoned data.

– Employees are not traditionally experienced enough to manage data permissions and maintain them in a reliable fashion.

– People in general are the least reliable component of any organization.

The following answers are incorrect:

– MAC – Mandatory Access Control: This is incorrect because in the MAC model of access control, labels are used to identify the level of sensitivity of the data. If the user does not have privileges to such data, he or she is denied access.

– RBAC – Role-Based Access Control: Sorry, RBAC is Role-Based Access Control, where the user’s role determines the access level to data they are given.

– NDAC – Non-Discretionary Access Control: Sorry, this isn’t a common term associated with access control methodologies.

The following reference(s) was used to create this question: 2013 Official Security Curriculum.



Question 6:

Which of the following would constitute the best example of a password to use for access to a system by a network administrator?

A. holiday

B. Christmas12

C. Jenny

D. GyN19Za!

Correct Answer: D

Explanation: GyN19Za! would be the best answer because it contains a mixture of upper and lower case characters, alphabetic and numeric characters, and a special character making it less vulnerable to password attacks.

All of the other answers are incorrect because they are vulnerable to brute force or dictionary attacks. Passwords should not be common words or names. The addition of a number to the end of a common word only marginally strengthens it, because a common password attack would also check combinations of words and numbers:

Christmas23

Christmas123 etc…


Question 7:

In the Bell-LaPadula model, the Star-property is also called:

A. The simple security property

B. The confidentiality property

C. The confinement property

D. The tranquility property

Correct Answer: C

Explanation: The Bell-LaPadula model focuses on data confidentiality and access to classified information, in contrast to the Biba Integrity Model which describes rules for the protection of data integrity.

In this formal model, the entities in an information system are divided into subjects and objects.

The notion of a “secure state” is defined, and it is proven that each state transition preserves security by moving from secure state to secure state, thereby proving that the system satisfies the security objectives of the model. The Bell-LaPadula model is built on the concept of a state machine with a set of allowable states in a system. The transition from one state to another state is defined by transition functions.

A system state is defined to be “secure” if the only permitted access modes of subjects to objects are in accordance with a security policy.

To determine whether a specific access mode is allowed, the clearance of a subject is compared to the classification of the object (more precisely, to the combination of classification and set of compartments, making up the security level) to determine if the subject is authorized for the specific access mode. The clearance/classification scheme is expressed in terms of a lattice. The model defines two mandatory access control (MAC) rules and one discretionary access control (DAC) rule with three security properties:

The Simple Security Property – a subject at a given security level may not read an object at a higher security level (no read-up).

The *-property (read “star”-property) – a subject at a given security level must not write to any object at a lower security level (no write-down). The *-property is also known as the Confinement property.

The Discretionary Security Property – use an access control matrix to specify the discretionary access control.

The transfer of information from a high-sensitivity document to a lower-sensitivity document may happen in the Bell-LaPadula model via the concept of trusted subjects. Trusted Subjects are not restricted by the *-property. Untrusted subjects are. Trusted Subjects must be shown to be trustworthy with regard to the security policy. This security model is directed toward access control and is characterized by the phrase: “no read up, no write down.” Compare the Biba model, the Clark-Wilson model and the Chinese Wall.

With Bell-LaPadula, users can create content only at or above their own security level (i.e. secret researchers can create secret or top-secret files but may not create public files; no write-down). Conversely, users can view content only at or below their own security level (i.e. secret researchers can view public or secret files, but may not view top-secret files; no read-up).

Strong * Property

The Strong * Property is an alternative to the *-Property in which subjects may write to objects with only a matching security level. Thus, the write-up operation permitted in the usual *-Property is not present, only a write-to-same-level operation. The Strong * Property is usually discussed in the context of multilevel database management systems and is motivated by integrity concerns.

Tranquility principle

The tranquility principle of the Bell-LaPadula model states that the classification of a subject or object does not change while it is being referenced. There are two forms to the tranquility principle: the “principle of strong tranquility” states that security levels do not change during the normal operation of the system, and the “principle of weak tranquility” states that security levels do not change in a way that violates the rules of a given security policy.

Another interpretation of the tranquility principles is that they both apply only to the period of time during which an operation involving an object or subject is occurring. That is, the strong tranquility principle means that an object’s security level/label will not change during an operation (such as read or write); the weak tranquility principle means that an object’s security level/label may change in a way that does not violate the security policy during an operation.

Reference(s) used for this question:

http://en.wikipedia.org/wiki/Biba_Model

http://en.wikipedia.org/wiki/Mandatory_access_control

http://en.wikipedia.org/wiki/Discretionary_access_control

http://en.wikipedia.org/wiki/Clark-Wilson_model

http://en.wikipedia.org/wiki/Brewer_and_Nash_model
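The lattice comparison and the three properties described above (simple security, *-property with its strong variant and trusted-subject exemption, and the discretionary matrix), as an added example that is not from the page or any reference it cites; the classification order, compartment names, subjects and matrix entries are constructed:

```python
from dataclasses import dataclass

# Linear ordering of classifications (constructed; any total order works).
LEVELS = {"public": 0, "secret": 1, "top-secret": 2}


@dataclass(frozen=True)
class Label:
    """A security level: a classification plus a set of compartments (categories)."""
    classification: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """Lattice order: self >= other iff its classification is at least as high
        and its compartment set is a superset of the other's. Two labels with
        different compartments can be incomparable, so neither dominates."""
        return (LEVELS[self.classification] >= LEVELS[other.classification]
                and self.compartments >= other.compartments)


def simple_security(subject, obj):
    """Simple Security Property: no read-up; the subject's level must dominate the object's."""
    return subject.dominates(obj)


def star_property(subject, obj, trusted=False, strong=False):
    """*-property (confinement): no write-down; the object's level must dominate the subject's.
    strong=True applies the Strong * Property (write only to exactly the same level).
    trusted=True marks a trusted subject, which the page says is exempt from the *-property."""
    if trusted:
        return True
    if strong:
        return subject == obj
    return obj.dominates(subject)


def discretionary(matrix, subject_name, object_name, mode):
    """Discretionary Security Property: the access control matrix must also grant the mode."""
    return mode in matrix.get((subject_name, object_name), set())


def access_allowed(matrix, subject_name, subject, object_name, obj, mode, **kwargs):
    """A request is allowed only if the MAC rule for the mode AND the DAC matrix permit it."""
    if mode == "read":
        mac_ok = simple_security(subject, obj)
    elif mode == "write":
        mac_ok = star_property(subject, obj, **kwargs)
    else:
        raise ValueError(f"unknown access mode {mode!r}")
    return mac_ok and discretionary(matrix, subject_name, object_name, mode)


# Constructed demo: a secret researcher cleared for the "nuclear" compartment.
RESEARCHER = Label("secret", frozenset({"nuclear"}))
PUBLIC_DOC = Label("public")
SECRET_DOC = Label("secret", frozenset({"nuclear"}))
TOP_SECRET_DOC = Label("top-secret", frozenset({"nuclear"}))
OTHER_COMPARTMENT_DOC = Label("secret", frozenset({"crypto"}))
# Constructed access control matrix for the DAC rule (alice is the researcher).
MATRIX = {
    ("alice", "public_doc"): {"read", "write"},
    ("alice", "secret_doc"): {"read", "write"},
    ("alice", "top_secret_doc"): {"read", "write"},
    ("alice", "other_doc"): {"read"},
}


def demo():
    """Evaluate the textbook cases; returns a dict of decisions."""
    s = RESEARCHER
    return {
        "read public (read-down)": access_allowed(MATRIX, "alice", s, "public_doc", PUBLIC_DOC, "read"),
        "read top secret (read-up)": access_allowed(MATRIX, "alice", s, "top_secret_doc", TOP_SECRET_DOC, "read"),
        "read other compartment": access_allowed(MATRIX, "alice", s, "other_doc", OTHER_COMPARTMENT_DOC, "read"),
        "write public (write-down)": access_allowed(MATRIX, "alice", s, "public_doc", PUBLIC_DOC, "write"),
        "write top secret (write-up)": access_allowed(MATRIX, "alice", s, "top_secret_doc", TOP_SECRET_DOC, "write"),
        "write top secret, strong *": access_allowed(MATRIX, "alice", s, "top_secret_doc", TOP_SECRET_DOC, "write", strong=True),
        "write same level, strong *": access_allowed(MATRIX, "alice", s, "secret_doc", SECRET_DOC, "write", strong=True),
        "write public as trusted subject": access_allowed(MATRIX, "alice", s, "public_doc", PUBLIC_DOC, "write", trusted=True),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:32} -> {'allowed' if decision else 'denied'}")
```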


Question 8:

Why do buffer overflows happen? What is the main cause?

A. Because buffers can only hold so much data

B. Because of improper parameter checking within the application

C. Because they are an easy weakness to exploit

D. Because of insufficient system memory

Correct Answer: B

Explanation: A buffer overflow attack takes advantage of improper parameter checking within the application. This is the classic form of buffer overflow and occurs because the programmer accepts whatever input the user supplies without checking to make sure that the length of the input is less than the size of the buffer in the program. The buffer overflow problem is one of the oldest and most common problems in software development and programming, dating back to the introduction of interactive computing. It can result when a program fills up the assigned buffer of memory with more data than its buffer can hold. When the program begins to write beyond the end of the buffer, the program’s execution path can be changed, or data can be written into areas used by the operating system itself. This can lead to the insertion of malicious code that can be used to gain administrative privileges on the program or system. As explained by Gaurab, it can become very complex. Even if you are checking the length of the input at the time of input, it has to be checked against the size of the buffer it is copied into. Consider a case where the data enters in Buffer1 of Application1 and is later copied to Buffer2 within Application2: if you are only checking the length of the data against Buffer1, that does not ensure it will not cause a buffer overflow in Buffer2 of Application2.

A bit of reassurance from the ISC2 book about level of Coding Knowledge needed for the exam:

It should be noted that the CISSP is not required to be an expert programmer or know the inner workings of developing application software code, like the FORTRAN programming language, or how to develop Web applet code using Java. It is not even necessary that the CISSP know detailed security-specific coding practices such as the major divisions of buffer overflow exploits or the reason for preferring str(n)cpy to strcpy in the C language (although all such knowledge is, of course, helpful). Because the CISSP may be the person responsible for ensuring that security is included in such developments, the CISSP should know the basic procedures and concepts involved during the design and development of software programming. That is, in order for the CISSP to monitor the software development process and verify that security is included, the CISSP must understand the fundamental concepts of programming developments and the security strengths and weaknesses of various application development processes.

The following are incorrect answers:

“Because buffers can only hold so much data” is incorrect. This is certainly true but is not the best answer because the finite size of the buffer is not the problem — the problem is that the programmer did not check the size of the input before moving it into the buffer.

“Because they are an easy weakness to exploit” is incorrect. This answer is sometimes true but is not the best answer because the root cause of the buffer overflow is that the programmer did not check the size of the user input.

“Because of insufficient system memory” is incorrect. This is irrelevant to the occurrence of a buffer overflow.

Reference(s) used for this question:

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 13319-13323). Auerbach Publications. Kindle Edition.


Question 9:

Which of the following biometric devices offers the LOWEST CER?

A. Keystroke dynamics

B. Voice verification

C. Iris scan

D. Fingerprint

Correct Answer: C

Explanation: From most effective (lowest CER) to least effective (highest CER) are:

Iris scan, fingerprint, voice verification, keystroke dynamics.

Reference: Shon Harris AIO v3, Chapter 4: Access Control, page 131.

Also see: http://www.sans.org/reading_room/whitepapers/authentication/biometric- selection-body-partsonline_139


Question 10:

Which of the following is NOT true of the Kerberos protocol?

A. Only a single login is required per session.

B. The initial authentication steps are done using public key algorithm.

C. The KDC is aware of all systems in the network and is trusted by all of them

D. It performs mutual authentication

Correct Answer: B

Explanation: Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. It has the following characteristics:

- It is secure: it never sends a password unless it is encrypted.

- Only a single login is required per session. Credentials defined at login are then passed between resources without the need for additional logins.

- The concept depends on a trusted third party, a Key Distribution Center (KDC). The KDC is aware of all systems in the network and is trusted by all of them.

- It performs mutual authentication, where a client proves its identity to a server and a server proves its identity to the client.

Kerberos introduces the concept of a Ticket-Granting Server/Service (TGS). A client that wishes to use a service has to receive a ticket from the TGS; a ticket is a time-limited cryptographic message giving it access to the server. Kerberos also requires an Authentication Server (AS) to verify clients. The two servers combined make up a KDC.

Within the Windows environment, Active Directory performs the functions of the KDC. The following steps show the sequence of events required for a client to gain access to a service using Kerberos authentication. Each step corresponds to a Kerberos message as defined in RFC 4120, “The Kerberos Network Authentication Service (V5)”.

Kerberos Authentication Step by Step

Step 1: The user logs on to the workstation and requests service on the host. The workstation sends a message to the Authentication Server requesting a ticket granting ticket (TGT).

Step 2: The Authentication Server verifies the user’s access rights in the user database and creates a TGT and session key. The Authentication Server encrypts the results using a key derived from the user’s password and sends a message back to the user workstation.

The workstation prompts the user for a password and uses the password to decrypt the incoming message. When decryption succeeds, the user will be able to use the TGT to request a service ticket.

Step 3: When the user wants access to a service, the workstation client application sends a request to the Ticket Granting Service containing the client name, realm name and a timestamp. The user proves his identity by sending an authenticator encrypted with the session key received in Step 2.

Step 4: The TGS decrypts the ticket and authenticator, verifies the request, and creates a ticket for the requested server. The ticket contains the client name and optionally the client IP address. It also contains the realm name and ticket lifespan. The TGS returns the ticket to the user workstation. The returned message contains two copies of a server session key: one encrypted with the client password, and one encrypted by the service password.

Step 5: The client application now sends a service request to the server containing the ticket received in Step 4 and an authenticator. The service authenticates the request by decrypting the session key. The server verifies that the ticket and authenticator match, and then grants access to the service. This step as described does not include the authorization performed by the Intel AMT device, as described later.

Step 6: If mutual authentication is required, then the server will reply with a server authentication message.

The Kerberos server knows “secrets” (encrypted passwords) for all clients and servers under its control, or it is in contact with other secure servers that have this information. These “secrets” are used to encrypt all of the messages shown in the figure above.

To prevent “replay attacks,” Kerberos uses timestamps as part of its protocol definition. For timestamps to work properly, the clocks of the client and the server need to be in sync as much as possible. In other words, both computers need to be set to the same time and date. Since the clocks of two computers are often out of sync, administrators can establish a policy that sets the maximum difference Kerberos will accept between a client’s clock and a server’s clock. If the difference between a client’s clock and the server’s clock is less than the maximum time difference specified in this policy, any timestamp used in a session between the two computers will be considered authentic. The maximum difference is usually set to five minutes.

Note that if a client application wishes to use a service that is “Kerberized” (the service is configured to perform Kerberos authentication), the client must also be Kerberized so that it expects to support the necessary message responses. For more information about Kerberos, see http://web.mit.edu/kerberos/www/, the Introduction to Kerberos Authentication from Intel, http://www.zeroshell.net/eng/kerberos/Kerberos-definitions/#1353 and http://www.ietf.org/rfc/rfc4120.txt
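Steps 4 to 6 above plus the five-minute clock-skew rule, as an added example that is not from the page, RFC 4120 or any Kerberos implementation: a keyed MAC stands in for Kerberos encryption (it proves who sealed a message but does not hide it), and the realm, principal names and keys are constructed.

```python
import datetime as dt
import hashlib
import hmac
import json

MAX_CLOCK_SKEW = dt.timedelta(minutes=5)   # the usual five-minute policy


def _seal(key, fields):
    """Stand-in for Kerberos encryption (constructed simplification): serialise the
    fields and attach an HMAC under `key`. Real Kerberos also hides the contents."""
    body = json.dumps(fields, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def _open(key, message):
    """Check the MAC and return the fields, or None if not sealed with `key`."""
    expected = hmac.new(key, message["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message["tag"]):
        return None
    return json.loads(message["body"])


def tgs_issue_ticket(service_key, client, realm, session_key, now,
                     lifetime=dt.timedelta(hours=8)):
    """Step 4: the TGS seals a service ticket with the service's own key."""
    return _seal(service_key, {
        "client": client, "realm": realm,
        "session_key": session_key.hex(),
        "expires": (now + lifetime).isoformat(),
    })


def client_authenticator(session_key, client, now):
    """Step 5, client side: client name plus a fresh timestamp, sealed with the session key."""
    return _seal(session_key, {"client": client, "ts": now.isoformat()})


class KerberizedService:
    """Step 5, server side: validates ticket and authenticator, enforces the skew window
    and a replay cache, then (step 6) proves its own identity to the client."""

    def __init__(self, service_key):
        self.service_key = service_key
        self.replay_cache = {}   # (client, timestamp) -> when the entry may be dropped

    def handle_request(self, ticket, authenticator, now):
        """Returns (status, reply); reply is the step-6 message only when status == 'ok'."""
        t = _open(self.service_key, ticket)
        if t is None:
            return "bad ticket", None
        if dt.datetime.fromisoformat(t["expires"]) <= now:
            return "ticket expired", None
        session_key = bytes.fromhex(t["session_key"])
        a = _open(session_key, authenticator)
        if a is None or a["client"] != t["client"]:
            return "bad authenticator", None
        ts = dt.datetime.fromisoformat(a["ts"])
        if abs(now - ts) > MAX_CLOCK_SKEW:
            return "clock skew", None
        # Entries older than the skew window can never be replayed successfully, so drop them.
        self.replay_cache = {k: v for k, v in self.replay_cache.items() if v > now}
        key = (a["client"], a["ts"])
        if key in self.replay_cache:
            return "replay", None
        self.replay_cache[key] = ts + MAX_CLOCK_SKEW
        # Step 6: echo the client's timestamp under the session key (mutual authentication).
        return "ok", _seal(session_key, {"ts": a["ts"]})


def client_verify_server(session_key, reply, sent_ts):
    """Client side of step 6: only a holder of the session key could have produced this."""
    r = _open(session_key, reply)
    return r is not None and r["ts"] == sent_ts.isoformat()


if __name__ == "__main__":
    svc_key, sess = b"constructed-service-key", b"constructed-session-key"
    now = dt.datetime(2021, 1, 13, 12, 0, 0)
    ticket = tgs_issue_ticket(svc_key, "alice", "EXAMPLE.COM", sess, now)
    auth = client_authenticator(sess, "alice", now)
    service = KerberizedService(svc_key)
    status, reply = service.handle_request(ticket, auth, now + dt.timedelta(seconds=30))
    print(status, client_verify_server(sess, reply, now))
    print(service.handle_request(ticket, auth, now + dt.timedelta(seconds=31))[0])
```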


CertBus exam braindumps are pass guaranteed. We guarantee your pass of the CISSP exam with our ISC materials. The CertBus Certified Information Systems Security Professional exam PDF and VCE are the latest and most accurate. We have the best ISC experts in our team to make sure the CertBus Certified Information Systems Security Professional exam questions and answers are the most valid. The CertBus Certified Information Systems Security Professional exam dumps will help you become an ISC specialist, clear your CISSP exam and get the final success.


Why select/choose CertBus?

Millions of interested professionals can reach the destination of success in their exams with certbus.com products, which are available, affordable, updated and of the best quality to overcome the difficulties of any course outline. The questions and answers material is updated in an outstanding manner on a regular basis; material is released periodically and is available in the testing centers with which we maintain a relationship to obtain the latest material.

Brand: Certbus | Testking | Pass4sure | Actualtests | Others
Price: $45.99 | $124.99 | $125.99 | $189 | $69.99-99.99
Features compared: Up-to-Date Dumps, Free 365 Days Update, Real Questions, Printable PDF, Test Engine, One Time Purchase, Instant Download, Unlimited Install, 100% Pass Guarantee, 100% Money Back, Secure Payment, Privacy Protection

Author: CertBus