Let's See How Well You Did on This Test

Let's see how well you did on this test ...

1.  What does it mean to say that sensitivity labels are "incomparable"?

Answer: Neither label contains all the categories of the other

Sorry - you had a wrong answer, please review details below.

Source: RUSSEL, Deborah & GANGEMI, G.T. Sr., Computer Security Basics, O'Reilly, 1991, pg. 77.

2.  Which of the following classes is defined in the TCSEC (Orange Book) as discretionary protection?

Answer: C

Sorry - you had a wrong answer, please review details below.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, page 197.
Also: U.S. Department of Defense, Trusted Computer System Evaluation Criteria (Orange Book), DOD 5200.28-STD. December 1985 (also available here).

Thanks to Eric Yandell for providing this question.

3.  What can be defined as an abstract machine that mediates all access to objects by subjects to ensure that subjects have the necessary access rights and to protect objects from unauthorized access?

Answer: The reference monitor

Sorry - you had a wrong answer, please review details below.

The reference monitor is an abstract machine that mediates all access to objects by subjects to ensure that subjects have the necessary access rights. It also protects objects from unauthorized access and destructive modifications. The security kernel is made up of mechanisms that fall under the TCB and enforces the reference monitor concept. A security domain defines which objects are available to a subject.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter 5: Security Models and Architecture (page 232).

Thanks to Christian Vezina for providing this question.

4.  What is the purpose of Trusted Distribution?

Answer: To ensure that the Trusted Computing Base is not tampered with during shipment or installation.

Sorry - you had a wrong answer, please review details below.

Source: RUSSEL, Deborah & GANGEMI, G.T. Sr., Computer Security Basics, O'Reilly, 1991, pg. 147.

5.  Which TCSEC class specifies discretionary protection?

Answer: C1

Sorry - you had a wrong answer, please review details below.

C1 involves discretionary protection, C2 involves controlled access protection, B1 involves labeled security protection and B2 involves structured protection.
Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation. Available at http://www.cccure.org.

Thanks to Christian Vezina for providing this question.

6.  Configuration Management controls what?

Answer: Auditing and controlling any changes to the Trusted Computing Base

Sorry - you had a wrong answer, please review details below.

"Configuration management involves identifying, controlling, accounting for, and auditing all changes made to the baseline TCB, including hardware, firmware, and software...as well as all documentation, test plans, and other security-related system tools and facilities."(Computer Security Basics, pg. 145) This source code control systems such as CVS and RCS can partially fulfill this requirement.
Source: RUSSEL, Deborah & GANGEMI, G.T. Sr., Computer Security Basics, O'Reilly, 1991, pg. 145.

7.  Which of the following is a UNIX utility to supplement UNIX filesystem integrity?

Answer: Tripwire

Sorry - you had a wrong answer, please review details below.

Although there are many ways to supplement UNIX filesystem integrity, one method has become so popular that it deserves to be mentioned here. Developed by Gene Kim and Gene Spafford of Purdue University, Tripwire is an add-on utility that provides additional filesystem integrity by creating a signature or message digest for each file to be monitored. Tripwire allows administrators to specify what files or directories to monitor, which attributes of an object to monitor, and which message digest algorithm (e.g. MD5, SHA, etc.) to use in generating signatures. When executed, Tripwire reports on changed, added, or deleted files. Thus, not only can Tripwire detect Trojan horses, but it can also detect changes that violate organizational policy.
The UNIX fsck command checks filesystems for inconsistencies and tries to repair them.
Chmod or change mode commands permit users to change modes or permissions of a file.
Lastcomm commands print a log of all executed commands.
Source: TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 2, Auerbach, NY, NY 2001, Chapter 21, Introduction to Unix Security for Security Practitioners, J. Lowder, pp. 444 - 445.
More info regarding Tripwire available on the Tripwire, Inc. Web Site.

8.  What does the * (star) integrity axiom mean in the Biba model?

Answer: No write up

Sorry - you had a wrong answer, please review details below.

The *- (star) integrity axiom of the Biba access control model states that an object at one level of integrity is not permitted to modify an object of a higher level of integrity (no write up).
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security Architectures and Models (page 205).

Thanks to Christian Vezina for providing this question.

9.  Which of the following establishes the minimal national standards for certifying and accrediting national security systems?

Answer: NIACAP

Sorry - you had a wrong answer, please review details below.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, page 199.

Thanks to Eric Yandell for providing this question.

10.  Which of the following increases the performance in a computer by overlapping the steps of different instructions?

Answer: pipelining

Sorry - you had a wrong answer, please review details below.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, pages 188-189.

Thanks to Eric Yandell for providing this question.

11.  Which of the following is not a common integrity goal?

Answer: Prevent paths that could lead to inappropriate disclosure.

Sorry - you had a wrong answer, please review details below.

Inappropriate disclosure is a confidentiality, not an integrity goal. Others are integrity goals and are addressed by the Clark-Wilson integrity model.
Source: ROTHKE, Ben, CISSP CBK Review presentation on domain 6. Available at http://www.cccure.org.

Thanks to Christian Vezina for providing this question and to Brian Kang for reviewing it.

12.  Device labels are required for which of the following Orange Book ratings?

Answer: B2

Sorry - you had a wrong answer, please review details below.

The Orange book defines four levels of assessment: A,B,C,D. Level A is the highest and Level D is the lowest. The main divisions are the following:
A: Verified Protection
B: Mandatory Protection
C: Discretionary Protection
D: Minimal Security

Each division can have one or more numbered classes and each have a corresponding set of requirements that must be met for a system to achieve that particular rating. Classes are as follows:
A1: Verified Design: like B3, but the system documentation must support everything (formal design).
B3: Security Domains: Protect against covert timing channels; separate SysAdmin and SecAdmin roles.
B2: Structured Protection: Security policy clearly defined; subjects and devices require labels and system must not allow covert (storage) channels; Trusted Facility Management which means a separation of SysAdmin and SysOperator roles.
B1: Labeled Security: each data object has a classification label and each subject has a clearance label; system checks one against the other.
C2: Controlled Access Protection: Identify individuals, auditing (especially of security related events which must be protected), object reuse concept, strict logon, decision making capability when subjects access objects.
C1: Discretionary Security Protection: Users, groups, separation of identity, some access control necessary.
D: Minimal protection: Reserved for systems that have been evaluated but fail to meet the criteria and requirements of the higher divisions.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 5: Security Models and Architecture (pages 251-259).
And: RUSSEL, Deborah & GANGEMI, G.T. Sr., Computer Security Basics, O'Reilly, 1991, pg. 123, 156-159.
The Orange book can be found at www.radium.ncsc.mil/tpep/library/rainbow/5200.28-STD.html or at http://www.cerberussystems.com/INFOSEC/stds/d520028.htm.

Thanks to Don Murdoch for providing an explanation and an extra reference to this question. Also thanks to Scot Hartman, Richard Stephens and Jonathan Guymon for correcting it.

13.  Which of the following security models does not concern itself with the flow of data?

Answer: The noninterference model

Sorry - you had a wrong answer, please review details below.

The concept of noninterference is implemented to ensure that any actions that take place at one security level should not be seen by, or interfere with, subjects or objects a lower level. This type of model does not concern itself with the flow of data, but with what a subject knows about the state of the system. The Bell-LaPadula and Biba models use an information flow model.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter 5: Security Models and Architecture (page 246).

Thanks to Christian Vezina for providing this question.

14.  What is defined as the hardware, firmware and software elements of a trusted computing base that implement the reference monitor concept?

Answer: A security kernel

Sorry - you had a wrong answer, please review details below.

A security kernel is defined as the hardware, firmware and software elements of a trusted computing base that implement the reference monitor concept. A reference monitor is a system component that enforces access controls on an object. A protection domain consists of the execution and memory space assigned to each process. The use of protection rings is a scheme that supports multiple protection domains.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security Architecture and Models (page 194).

Thanks to Christian Vezina for providing this question.

15.  In Mandatory Access Control, sensitivity labels contain what information?

Answer: the item's classification and category set

Sorry - you had a wrong answer, please review details below.

Categories and Compartments are synonyms. The sensitivity label must contain at least one Classification and at least one Categories/Compartment, but it is common in some environments for a single item to belong to multiple categories. The list of all the categories to which an item belongs is called a compartment set.
Source: RUSSEL, Deborah & GANGEMI, G.T. Sr., Computer Security Basics, O'Reilly, 1991, pg. 74.

16.  Which of the following is a processor in which a single instruction specifies more than one concurrent operation?

Answer: Very-Long Instruction-Word Processor (VLIW)

Sorry - you had a wrong answer, please review details below.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, page 189.

Thanks to Eric Yandell for providing this question.

17.  According to the Common Criteria, what can be described as an intermediate combination of security requirement components?

Answer: Package

Sorry - you had a wrong answer, please review details below.

According to the Common Criteria, an intermediate combination of security requirement components is termed a package. The package permits the expression of a set of either functional or assurance requirements that meet some particular need, expressed as a set of security objectives. A package may be used in the construction of more complex packages or Protection Profiles and Security Targets. The seven evaluation assurance levels (EALs) are predefined assurance packages. The TOE is an IT product or system to be evaluated.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Appendix G: The Common Criteria (page 529).

Thanks to Christian Vezina for providing this question.

18.  What does the simple security (ss) property mean in the Bell-LaPadula model?

Answer: No read up

Sorry - you had a wrong answer, please review details below.

The ss (simple security) property of the Bell-LaPadula access control model states that reading of information by a subject at a lower sensitivity level from an object at a higher sensitivity level is not permitted (no write down).
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security Architectures and Models (page 202).

Thanks to Christian Vezina for providing this question.

19.  Which of the following statements pertaining to the ITSEC is false?

Answer: The assurance is rated from E1 to E10.

Sorry - you had a wrong answer, please review details below.

Information Technology Security Evaluation Criteria (ITSEC) is used only in Europe. Whereas TCSEC combines functionality and assurance, ITSEC separates these two attributes and rates them separately. Functionality is rated from F1 to F10 and assurance is rated from E0 (D) to E6 (A1), not E1 to E10.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter 5: Security Models and Architecture (page 259).
Also: U.S. Department of Defense, Trusted Computer System Evaluation Criteria (Orange Book), DOD 5200.28-STD. December 1985 (also available here).

Thanks to Christian Vezina for providing this question.

20.  Which of the following describes a logical form of separation used by secure computing systems?

Answer: Processes are constrained so that each cannot access objects outside its permitted domain.

Sorry - you had a wrong answer, please review details below.

Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation. Available at http://www.cccure.org.

Thanks to Hal Tipton for contributing this question.

21.  What can be described as an imaginary line that separates the trusted components of the TCB from those elements that are not trusted?

Answer: The security perimeter

Sorry - you had a wrong answer, please review details below.

The security perimeter is the imaginary line that separates the trusted components of the kernel and the Trusted Computing Base (TCB) from those elements that are not trusted. The reference monitor is an abstract machine that mediates all accesses to objects by subjects. The security kernel can be software, firmware or hardware components in a trusted system and is the actual instantiation of the reference monitor. The reference perimeter is not defined and is a distracter.
Source: HARE, Chris, Security Architecture and Models, Area 6 CISSP Open Study Guide, January 2002. Available at http://www.cccure.org.