Most Up to Date Version of ISC CISSP Exam Dumps in CertBus for Free

CertBus 2021 Hottest ISC CISSP ISC Certification Exam VCE and PDF Dumps for Free Download!


Question 1:

Which of the following monitors network traffic in real time?

A. network-based IDS

B. host-based IDS

C. application-based IDS

D. firewall-based IDS

Correct Answer: A

Explanation: A network-based IDS (NIDS) is so named because it captures and inspects network traffic in real time as it crosses a monitored segment. A host-based IDS instead inspects activity and logs on the host it runs on, and an application-based IDS monitors the events of a single application; neither sees raw network traffic.

Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 48

Question 2:

Which of the following statements pertaining to access control is false?

A. Users should only access data on a need-to-know basis.

B. If access is not explicitly denied, it should be implicitly allowed.

C. Access rights should be granted based on the level of trust a company has in a subject.

D. Roles can be an efficient way to assign rights to a type of user who performs certain tasks.

Correct Answer: B

Explanation: Access control mechanisms should default to no access to provide the necessary level of security and ensure that no security holes go unnoticed. If access is not explicitly allowed, it should be implicitly denied. Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw- Hill/Osborne, 2002, Chapter 4: Access Control (page 143).

Question 3:

Which of the following is not a security goal for remote access?

A. Reliable authentication of users and systems

B. Protection of confidential data

C. Easy to manage access control to systems and network resources

D. Automated login for remote users

Correct Answer: D

Explanation: An automated login function for remote users would imply weak (or absent) authentication, so it is certainly not a security goal. Source: TIPTON, Harold F. and KRAUSE, Micki, Information Security Management Handbook, 4th edition, volume 2, 2001, CRC Press, Chapter 5: An Introduction to Secure Remote Access (page 100).

Question 4:

Suppose you are a domain administrator and are choosing an employee to carry out backups. Which access control method do you think would be best for this scenario?

A. RBAC – Role-Based Access Control

B. MAC – Mandatory Access Control

C. DAC – Discretionary Access Control

D. RBAC – Rule-Based Access Control

Correct Answer: A

Explanation: RBAC – Role-Based Access Control fits a backup job best, because the permissions the employee needs correlate tightly with the permissions granted to a backup operator role.

A role-based access control (RBAC) model bases access control authorizations on the roles (or functions) that the user is assigned within an organization. The determination of which roles have access to a resource can be governed by the owner of the data, as with DAC, or applied based on policy, as with MAC. Access control decisions are based on job function, previously defined and governed by policy, and each role (job function) has its own access capabilities.

Objects associated with a role inherit the privileges assigned to that role. This is also true for groups of users, allowing administrators to simplify access control strategies by assigning users to groups and groups to roles. Specifically, in the Microsoft Windows world there is a built-in security group called “Backup Operators” in which you can place the users who carry out the duties. Note that membership in Backup Operators grants both the “Back up files and directories” and the “Restore files and directories” user rights by default; if the backup right is to be assigned without the restore right, it has to be granted separately through the user rights assignment policy (for example to a custom group) rather than through Backup Operators. Keeping restore separate prevents errors, or a malicious person, from overwriting the current data with an old copy.

The following answers are incorrect:

MAC – Mandatory Access Control: This isn't the right answer. The role of backup administrator fits perfectly with Role-Based Access Control.

DAC – Discretionary Access Control: This isn't the correct answer because DAC relies on data owners/creators to determine who has access to information.

RBAC – Rule-Based Access Control: If you got this wrong it may be because you didn't read past the “RBAC” part. Be very careful to read the entire question and answers before proceeding.

The following references were used to create this question:

2013 Official Security Curriculum.

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 1936-1943). Auerbach Publications. Kindle Edition.
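The following is an added example, not code from this page or from any of the guides it cites, that puts the points of Question 2 and Question 4 into working Python: an access decision that defaults to deny (anything not explicitly granted is refused, and a lookup miss can never become an allow), a backup role that carries the backup right but not the restore right, and a small audit that finds users holding both. The role names, permission names, users and policy are all constructed for illustration, and the "allowed unless denied" function exists only to show why statement B of Question 2 is the false one.

```python
"""Added example (not from the cited sources): default-deny RBAC with a
backup role that cannot restore.  All names and the policy are constructed."""
from typing import Dict, FrozenSet, List, Set, Tuple

# Role -> permissions it grants.  Constructed policy.  The backup_operator
# role deliberately lacks restore:write_all, so a backup operator cannot
# overwrite live data with an old copy (the Question 4 rationale).
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "backup_operator": frozenset({"backup:read_all"}),
    "restore_operator": frozenset({"restore:write_all"}),
    "domain_admin": frozenset({"backup:read_all", "restore:write_all", "user:manage"}),
}

# User -> roles.  Constructed sample users.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"domain_admin"},
    "bob": {"backup_operator"},
    "carol": set(),          # account exists but has no role yet
}


def permissions_for(user: str) -> FrozenSet[str]:
    """Union of the permissions of every role the user holds.

    An unknown user or an unknown role contributes nothing: a lookup miss
    must never turn into an allow."""
    perms: Set[str] = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return frozenset(perms)


def is_allowed(user: str, permission: str) -> bool:
    """Default-deny decision: access is granted only if some role the user
    holds explicitly carries the permission."""
    return permission in permissions_for(user)


def is_allowed_if_not_denied(user: str, permission: str, denied: FrozenSet[str]) -> bool:
    """Statement B of Question 2 implemented literally ("if access is not
    explicitly denied, it is implicitly allowed").  Kept only to show the
    hole: every permission nobody thought to deny is granted to everyone,
    including users the system has never heard of."""
    return permission not in denied


def separation_of_duties_violations(conflict: Tuple[str, str]) -> List[str]:
    """Audit helper: users who hold both of two permissions that should sit
    with different people, e.g. backup and restore."""
    first, second = conflict
    return sorted(
        user for user in USER_ROLES
        if first in permissions_for(user) and second in permissions_for(user)
    )


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "mallory"):
        print(user, sorted(permissions_for(user)))
    print("backup and restore held together by:",
          separation_of_duties_violations(("backup:read_all", "restore:write_all")))
```

Run as a script it lists each user's effective permissions and reports that only the domain administrator holds both backup and restore; the audit is the check you would run after any role change to confirm the separation the question is about still holds.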

Question 5:

Which of the following is most appropriate to notify an internal user that session monitoring is being conducted?

A. Logon Banners

B. Wall poster

C. Employee Handbook

D. Written agreement

Correct Answer: D

Explanation: This is a tricky question; the keyword in the question is “internal user”. There are two possible answers depending on how the question is framed: it could apply to internal users or to anonymous/external users.

Internal users should always have a written agreement first; logon banners then serve as a constant reminder.

Banners at logon time should be used to notify external users of any monitoring that is being conducted. A good banner gives you a better legal standing and also makes it obvious that the user was warned about who may access the system and who is authorized and unauthorized, so that an unauthorized user is fully aware that he is trespassing. For anonymous/external users, such as those logging into a web site, an FTP server or even a mail server, the only notification mechanism available is the logon banner.

References used for this question:

KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 50 and

Shon Harris, CISSP All-in-one, 5th edition, pg 873


Question 6:

RADIUS incorporates which of the following services?

A. Authentication server and PIN codes.

B. Authentication of clients and static passwords generation.

C. Authentication of clients and dynamic passwords generation.

D. Authentication server as well as support for Static and Dynamic passwords.

Correct Answer: D

Explanation: According to RFC 2865:

A Network Access Server (NAS) operates as a client of RADIUS. The client is responsible for passing user information to designated RADIUS servers, and then acting on the response which is returned.

RADIUS servers are responsible for receiving user connection requests, authenticating the user, and then returning all configuration information necessary for the client to deliver service to the user.

RADIUS authentication is based on the provision of simple username/password credentials. The User-Password attribute is hidden by the client using a shared secret between the client and the RADIUS server: RFC 2865 XORs the password with an MD5 keystream derived from the shared secret and the 16-byte Request Authenticator. This is obfuscation keyed on the secret rather than strong encryption, which is why RADIUS traffic should be carried over a protected transport such as IPsec or RADIUS over TLS (RFC 6614) and why weak shared secrets are dangerous. OIG 2007, Page 513

RADIUS incorporates an authentication server and can make use of both dynamic and static passwords. Since it uses the PAP and CHAP protocols, it also includes static passwords.

RADIUS is an Internet protocol. RADIUS carries authentication, authorization, and configuration information between a Network Access Server and a shared Authentication Server. RADIUS features and functions were originally described in the IETF (Internet Engineering Task Force) document RFC 2138, since obsoleted by RFC 2865.

The term “RADIUS” is an acronym which stands for Remote Authentication Dial In User Service.

The main advantage of using a RADIUS approach to authentication is that it can provide a stronger form of authentication. RADIUS is capable of using a strong, two-factor form of authentication, in which users need to possess both a user ID and a hardware or software token to gain access.

Token-based schemes use dynamic passwords. Every minute or so, the token generates a unique 4-, 6- or 8-digit access number that is synchronized with the security server. To gain entry into the system, the user must generate this one-time number and provide his or her user ID and password.

Although protocols such as RADIUS cannot protect against theft of an authenticated session via some real-time attacks, such as wiretapping, using unique, unpredictable authentication requests can protect against a wide range of active

RADIUS: Key Features and Benefits

Feature: RADIUS supports dynamic passwords and challenge/response passwords.
Benefit: Improved system security due to the fact that passwords are not static. It is much more difficult for a bogus host to spoof users into giving up their passwords or password-generation algorithms.

Feature: RADIUS allows the user to have a single user ID and password for all computers in a network.
Benefit: Improved usability due to the fact that the user has to remember only one login combination.

Feature: RADIUS is able to prevent RADIUS users from logging in via login (or ftp), require them to log in via login (or ftp), require them to log in to a specific network access server (NAS), and control access by time of day.
Benefit: Provides very granular control over the types of logins allowed, on a per-user basis.

Feature: The time-out interval for failing over from an unresponsive primary RADIUS server to a backup RADIUS server is site-configurable.
Benefit: RADIUS gives the system administrator more flexibility in managing which users can log in from which hosts or devices. (Stratus Technology Product Brief)

Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Pages 43, 44. Also check: MILLER, Lawrence and GREGORY, Peter, CISSP for Dummies, 2002, Wiley Publishing, Inc., pages 45-46.
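As an added example, not code from this page, from RFC 2865 or from the cited books, the following Python shows the part of RADIUS the explanation describes in one sentence: how the NAS hides the User-Password under the shared secret and the Request Authenticator, how the server recovers it, and how the Response Authenticator ties an Accept/Reject back to the request so a forged reply is detected. It goes slightly beyond the page by including a toy server and client so the whole Access-Request/Access-Accept exchange runs offline; the shared secret, user database and packet contents are constructed, and the function names are my own rather than any library's.

```python
"""Added example (not from RFC 2865 or the cited books): RFC 2865
User-Password hiding and the Response Authenticator in pure Python.
The secret, user database and packets below are constructed."""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16,
    then XOR each 16-byte block with MD5(secret + previous block); the
    'previous block' for the first block is the Request Authenticator."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block          # chaining: next keystream depends on this ciphertext block
    return bytes(hidden)


def reveal_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same transform.  Anyone holding the shared secret
    (or able to brute-force a weak one from a capture) recovers the password:
    this is obfuscation keyed on the secret, not strong encryption."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    plain, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(plain).rstrip(b"\x00")  # padding is NUL, so trailing NULs in a password are lost


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the 2-byte header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data: bytes) -> Dict[int, bytes]:
    attrs: Dict[int, bytes] = {}
    while data:
        attr_type, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[2:length]
        data = data[length:]
    return attrs


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, request_auth: Optional[bytes] = None) -> bytes:
    """NAS side: Access-Request with a fresh random Request Authenticator."""
    request_auth = request_auth or os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username) + \
        attribute(ATTR_USER_PASSWORD, hide_user_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + request_auth + attrs


def response_authenticator(code: int, identifier: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def server_handle(packet: bytes, secret: bytes, users: Dict[bytes, bytes]) -> bytes:
    """Toy RADIUS server: unhide the password, check it against the constructed
    user table, and answer Accept/Reject with a bound Response Authenticator."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < HEADER_LEN:
        raise ValueError("not a well-formed Access-Request")
    request_auth, attrs = packet[4:20], parse_attributes(packet[20:length])
    user = attrs.get(ATTR_USER_NAME, b"")
    password = reveal_user_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    ok = user in users and hmac.compare_digest(users[user], password)
    reply_code, reply_attrs = (ACCESS_ACCEPT if ok else ACCESS_REJECT), b""
    auth = response_authenticator(reply_code, identifier, reply_attrs, request_auth, secret)
    return struct.pack("!BBH", reply_code, identifier, HEADER_LEN + len(reply_attrs)) + auth + reply_attrs


def client_verify_response(response: bytes, request_auth: bytes, secret: bytes) -> Optional[int]:
    """NAS side: trust the reply only if its Response Authenticator matches the
    request it answers; returns the reply code, or None if forged/tampered."""
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or length < HEADER_LEN:
        return None
    expected = response_authenticator(code, identifier, response[20:length], request_auth, secret)
    return code if hmac.compare_digest(response[4:20], expected) else None
```

The two checks worth noticing are the ones the explanation hints at but does not show: the Request Authenticator must be fresh per request (reusing it with the same secret leaks keystream, which is why it is random in the NAS), and a reply whose code has been flipped from Reject to Accept fails the Response Authenticator check, so an on-path attacker without the secret cannot forge an Accept.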

Question 7:

Identity Management solutions include such technologies as Directories services, Single Sign-On and Web Access management. There are many reasons for management to choose an identity management solution. Which of the following is a key management challenge regarding identity management solutions?

A. Increasing the number of points of failures.

B. Users will no longer be able to “recycle” their password for different applications.

C. Costs increase as identity management technologies require significant resources.

D. It must be able to scale to support high volumes of data and peak transaction rates.

Correct Answer: D

Explanation: Any identity management system used in an environment where there are tens of thousands of users must be able to scale to support the volumes of data and peak transaction rates.

The following answers are incorrect:

Increasing the number of points of failure. This is actually a potential negative impact of not implementing an identity management solution. Identity management is meant to decrease the cost and inefficiencies that organizations struggle with so that failures can be managed more

Users will no longer be able to “recycle” their password for different applications. This is actually a function of an effective password management system. Consistency and efficiency are maintained by minimizing unique user authentication requirements.

Costs increase as identity management technologies require significant resources. On the contrary: “When users access multiple systems, they may be presented with multiple log-in IDs, multiple passwords, and multiple sign-on screens. This complexity is burdensome to users, who consequently have problems accessing systems and incur productivity and support costs.”

The following references were used to create this question:

ISC2 Official Guide to the CISSP CBK 2007, pg 173

“Key management challenges regarding identity management solutions are:” [consistency, efficiency, usability, reliability and scalability.] “Scalability: Enterprises manage user profile data for large numbers of people. There are typically tens of thousands of internal users, and hundreds or thousands of partners or clients.”

Question 8:

Which of the following is the most reliable authentication method for remote access?

A. Variable callback system

B. Synchronous token

C. Fixed callback system

D. Combination of callback and caller ID

Correct Answer: B

Explanation: A synchronous token generates a one-time password that is only valid for a short period of time. Once the password is used it is no longer valid, and it expires if not entered within the acceptable time frame.

The following answers are incorrect:

Variable callback system. Although variable callback systems are more flexible than fixed callback systems, the system assumes the identity of the individual unless two-factor authentication is also implemented. By itself, this method might allow an attacker access as a trusted user.

Fixed callback system. Authentication provides assurance that someone or something is who or what he/it is supposed to be. Callback systems authenticate a phone number rather than a person, so anyone at that number can pretend to be that person. They are tied to a specific place and phone number, which can be spoofed by implementing call forwarding.

Combination of callback and caller ID. The caller ID and callback functionality provides greater confidence in, and auditability of, the caller's identity. By disconnecting and calling back only authorized phone numbers, the system has greater confidence in the location of the call. However, unless combined with strong authentication, any individual at the location could obtain access.

The following references were used to create this question:

Shon Harris AIO v3 p. 140, 548

ISC2 OIG 2007 p. 152-153, 126-127
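The following is an added example, not code from this page or the cited books, showing what "synchronous token" means in practice: a time-based one-time password per RFC 4226 (HOTP) and RFC 6238 (TOTP), plus the server-side verifier that gives the two properties the explanation names, a code that expires after its time window and a code that cannot be used twice. The secret is the published RFC test-vector secret; the verifier class and its drift/replay policy are my own design, not any product's.

```python
"""Added example (not from the cited books): a synchronous (time-based)
token per RFC 4226 (HOTP) and RFC 6238 (TOTP) with a verifier that
tolerates small clock drift and refuses a code that was already used.
The secret is the RFC 6238 Appendix B test secret."""
import hashlib
import hmac
import struct
import time
from typing import Optional

TEST_SECRET = b"12345678901234567890"   # RFC 4226 / RFC 6238 (SHA-1) test-vector secret


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """HMAC-based OTP (RFC 4226): HMAC(secret, counter), dynamic truncation
    to 31 bits, reduce mod 10^digits, zero-pad."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """Time-based OTP (RFC 6238): HOTP over the number of time steps elapsed.
    Token and server each compute this from their own clock, hence 'synchronous'."""
    return hotp(secret, unix_time // step, digits, algorithm)


class SynchronousTokenVerifier:
    """Server-side check for a synchronous token.

    'skew' is how many steps of clock drift are tolerated in either direction.
    'last_counter' enforces one-time use: once a code for step N is accepted,
    codes for step N and earlier are refused even if they are still inside the
    drift window.  That rule is what makes the password one-time rather than
    merely short-lived."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6,
                 skew: int = 1, algorithm: str = "sha1") -> None:
        self.secret, self.step, self.digits = secret, step, digits
        self.skew, self.algorithm = skew, algorithm
        self.last_counter = -1

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        counter = now // self.step
        for candidate in range(counter - self.skew, counter + self.skew + 1):
            if candidate <= self.last_counter:
                continue                      # already used, or older than a used one
            expected = hotp(self.secret, candidate, self.digits, self.algorithm)
            if hmac.compare_digest(expected, code):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    verifier = SynchronousTokenVerifier(TEST_SECRET)
    code = totp(TEST_SECRET, now)
    print("code", code, "first use:", verifier.verify(code, now),
          "replay:", verifier.verify(code, now))
```

The drift window is the practical caveat: a server that only checks "is the code valid for the current step" still accepts a code captured and replayed a few seconds later, which is why the verifier remembers the last accepted step instead of relying on expiry alone.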

Question 9:

When considering all the reasons that buffer overflow vulnerabilities exist what is the real reason?

A. Human error

B. The Windows Operating system

C. Insecure programming languages

D. Insecure Transport Protocols

Correct Answer: A

Explanation: Discussion: Since computer program code is written by humans, and there are proper and improper ways of writing software code, it is clear that human errors create the conditions for buffer overflows to exist. As secure as an operating system may be, it becomes insecure when people install insecure code that can host buffer overflow attacks, so it is human error that really causes these vulnerabilities. At the code level the defect is always the same: data is copied into a fixed-size buffer without checking that it fits. The corrective action is therefore bounds checking on every such copy, backed by compiler and platform protections (stack canaries, non-executable memory such as DEP/NX, and address space layout randomization) that make any remaining overflow harder to exploit.

Mitigation: The best mitigation against buffer overflow attacks is to:

Be sure you keep your software updated with any patches released by the vendors.

Have sensible configurations for your software (e.g., lock it down).

Control access to your sensitive systems with network traffic normalizing systems like a filtering firewall or other devices that drop inappropriate network packets.

If you don't need the software or service on a system, remove it. If it is useless it can only be a threat.

The following answers are incorrect:

The Windows Operating system: This isn't the intended answer; buffer overflows occur on every platform.

Insecure programming languages: This isn't correct. Modern programming languages are capable of being used securely. It's only when humans make mistakes that any programming language becomes a threat.

Insecure Transport Protocols: This is partially correct. If you send logon IDs and passwords over the network in clear text, no programming language will protect you from sniffers, but that is a different class of weakness from a buffer overflow.

The following references were used to create this question:

2011 EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v71, Module 17, Page 806

Question 10:

Which of the following is NOT true of the Kerberos protocol?

A. Only a single login is required per session.

B. The initial authentication steps are done using public key algorithm.

C. The KDC is aware of all systems in the network and is trusted by all of them

D. It performs mutual authentication

Correct Answer: B

Explanation: Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key (symmetric) cryptography. It has the following characteristics:

• It is secure: the user's password is never sent across the network; it is used only locally, to derive the key that decrypts the KDC's reply.

• Only a single login is required per session. Credentials obtained at login are then presented to resources without the need for additional logins.

• The concept depends on a trusted third party, a Key Distribution Center (KDC). The KDC is aware of all systems in the network and is trusted by all of them.

• It performs mutual authentication, where a client proves its identity to a server and a server proves its identity to the client.

Answer B is therefore the false statement: the base protocol uses symmetric keys throughout. Public-key cryptography enters only through the optional PKINIT pre-authentication extension (RFC 4556), which is not part of the core exchange described here.

Kerberos introduces the concept of a Ticket-Granting Server/Service (TGS). A client that wishes to use a service has to receive a ticket from the TGS; a ticket is a time-limited cryptographic message giving it access to the server. Kerberos also requires an Authentication Server (AS) to verify clients. The two servers combined make up a KDC.

Within the Windows environment, Active Directory domain controllers perform the functions of the KDC. The following steps describe the sequence of events required for a client to gain access to a service using Kerberos authentication, with the Kerberos message associated with each step as defined in RFC 4120, “The Kerberos Network Authentication Service (V5)”.

Kerberos Authentication Step by Step

• Step 1: The user logs on to the workstation and requests service on the host. The workstation sends a message (AS-REQ) to the Authentication Server requesting a ticket-granting ticket (TGT).

• Step 2: The Authentication Server verifies the user's access rights in the user database and creates a TGT and a session key. The Authentication Server encrypts the session key using a key derived from the user's password and sends the reply (AS-REP) back to the user workstation. The workstation prompts the user for a password and uses the password-derived key to decrypt the incoming message. When decryption succeeds, the user is able to use the TGT to request a service ticket.

• Step 3: When the user wants access to a service, the workstation client application sends a request (TGS-REQ) to the Ticket Granting Service containing the TGT, the client name, the realm name and a timestamp. The user proves his identity by sending an authenticator encrypted with the session key received in Step 2.

• Step 4: The TGS decrypts the TGT and the authenticator, verifies the request, and creates a ticket for the requested server. The ticket contains the client name and optionally the client IP address. It also contains the realm name and ticket lifespan. The TGS returns the ticket to the user workstation (TGS-REP). The returned message contains two copies of a new server session key: one encrypted with the session key the client shares with the TGS, and one inside the service ticket, encrypted with the service's own long-term key.

• Step 5: The client application now sends a service request (AP-REQ) to the server containing the ticket received in Step 4 and a fresh authenticator. The service decrypts the ticket with its own key to recover the session key, then decrypts the authenticator with that session key. The server verifies that the ticket and authenticator match and that the timestamp is fresh, and then grants access to the service.

• Step 6: If mutual authentication is required, the server replies with a server authentication message (AP-REP) encrypted under the session key, proving that it too holds the key.

The Kerberos server knows the long-term keys (derived from passwords) of all clients and servers under its control, or it is in contact with other secure servers that have this information. These keys are used to encrypt the messages in the steps above.

To prevent replay attacks, Kerberos uses timestamps as part of its protocol definition. For timestamps to work properly, the clocks of the client and the server need to be in sync as much as possible. In other words, both computers need to be set to the same time and date. Since the clocks of two computers are often out of sync, administrators can establish a policy defining the maximum acceptable difference between a client's clock and the server's clock. If the difference is less than the maximum specified in this policy, any timestamp used in a session between the two computers will be considered authentic. The maximum difference is usually set to five minutes. Because that window is wide enough to replay a captured AP-REQ within seconds, servers should also keep a short-lived replay cache of authenticators already seen inside the window.

Note that if a client application wishes to use a service that is “Kerberized” (the service is configured to perform Kerberos authentication), the client must also be Kerberized so that it supports the necessary message exchanges. For more information about Kerberos, see Introduction to Kerberos Authentication from Intel.
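The six steps above, as an added example that is not part of the original explanation or of any Kerberos implementation: a pure-Python simulation of the AS, TGS and application-server exchanges, including the checks the text describes (password-derived key, session keys carried in two sealed copies, five-minute clock skew, replay cache, and the AP-REP that gives mutual authentication). seal()/unseal() is a toy authenticated-encryption stand-in for the real Kerberos encryption types, string_to_key() stands in for the real string-to-key function, and every principal, password and key is constructed; the function and class names are my own.

```python
"""Added example (not from RFC 4120 or the cited text): the six Kerberos
steps simulated in pure Python.  seal()/unseal() is a toy authenticated
encryption stand-in for real Kerberos enctypes; every principal, password
and key below is constructed."""
import hashlib, hmac, json, os

MAX_SKEW = 300                 # seconds: the "usually five minutes" policy
TICKET_LIFETIME = 8 * 3600


def string_to_key(principal, password):
    """Toy stand-in for Kerberos string-to-key; the password itself never leaves the host."""
    return hashlib.sha256(f"{principal}:{password}".encode()).digest()


def _stream(key, nonce, n):
    out = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                   for i in range(n // 32 + 1))
    return out[:n]


def seal(key, msg):
    """Encrypt-then-MAC under a hash-derived keystream (toy, not an RFC 3961 enctype)."""
    pt, nonce = json.dumps(msg, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))


def _check(ticket, authenticator, session_key, now):
    """Ticket/authenticator validation shared by the TGS (step 4) and the service (step 5)."""
    if now > ticket["exp"]:
        raise ValueError("ticket expired")
    auth = unseal(session_key, authenticator)
    if auth["cname"] != ticket["cname"]:
        raise ValueError("authenticator does not match ticket")
    if abs(now - auth["ts"]) > MAX_SKEW:
        raise ValueError("clock skew too great")
    return auth


class KDC:
    """Authentication Server (AS) and Ticket-Granting Server (TGS) in one."""
    def __init__(self, keys):
        self.keys = keys                       # principal -> long-term key

    def as_exchange(self, cname, pa_enc_timestamp, now):
        """Steps 1-2: a sealed timestamp proves possession of the client's key."""
        if abs(now - unseal(self.keys[cname], pa_enc_timestamp)["ts"]) > MAX_SKEW:
            raise ValueError("clock skew too great")
        skey, exp = os.urandom(32).hex(), now + TICKET_LIFETIME
        tgt = seal(self.keys["krbtgt"], {"cname": cname, "key": skey, "exp": exp})
        return tgt, seal(self.keys[cname], {"key": skey, "exp": exp})   # AS-REP

    def tgs_exchange(self, tgt, authenticator, sname, now):
        """Steps 3-4: service ticket under the service key, plus the client's copy
        of the new session key under the TGS session key."""
        t = unseal(self.keys["krbtgt"], tgt)
        _check(t, authenticator, bytes.fromhex(t["key"]), now)
        svc_key, exp = os.urandom(32).hex(), now + TICKET_LIFETIME
        ticket = seal(self.keys[sname], {"cname": t["cname"], "key": svc_key, "exp": exp})
        return ticket, seal(bytes.fromhex(t["key"]), {"key": svc_key, "sname": sname})


class Service:
    def __init__(self, name, key):
        self.name, self.key, self.replay_cache = name, key, set()

    def ap_exchange(self, ticket, authenticator, now):
        """Steps 5-6: validate, refuse replays inside the skew window, prove own identity."""
        t = unseal(self.key, ticket)
        auth = _check(t, authenticator, bytes.fromhex(t["key"]), now)
        if (auth["cname"], auth["ts"]) in self.replay_cache:   # real Kerberos also keys on usec
            raise ValueError("replayed authenticator")
        self.replay_cache.add((auth["cname"], auth["ts"]))
        return seal(bytes.fromhex(t["key"]), {"ts": auth["ts"], "sname": self.name})  # AP-REP


class Client:
    def __init__(self, name, password):
        self.name, self.key = name, string_to_key(name, password)

    def login(self, kdc, now):
        tgt, enc = kdc.as_exchange(self.name, seal(self.key, {"ts": now}), now)
        self.tgt, self.tgs_session = tgt, bytes.fromhex(unseal(self.key, enc)["key"])

    def access(self, kdc, service, now):
        """Returns what crossed the wire to the service: (ticket, authenticator)."""
        auth = seal(self.tgs_session, {"cname": self.name, "ts": now})
        ticket, enc = kdc.tgs_exchange(self.tgt, auth, service.name, now)
        session = bytes.fromhex(unseal(self.tgs_session, enc)["key"])
        ap_auth = seal(session, {"cname": self.name, "ts": now})
        ap_rep = unseal(session, service.ap_exchange(ticket, ap_auth, now))
        if ap_rep["ts"] != now:                       # mutual authentication
            raise ValueError("server failed to prove its identity")
        return ticket, ap_auth


def _fails(fn):
    try:
        fn()
    except ValueError:
        return True
    return False


def run_scenario():
    """Constructed realm with one user and one service; returns which checks held."""
    keys = {"krbtgt": os.urandom(32), "host/files": os.urandom(32),
            "alice": string_to_key("alice", "constructed-pw")}
    kdc, files, now = KDC(keys), Service("host/files", keys["host/files"]), 1_700_000_000
    alice = Client("alice", "constructed-pw")
    alice.login(kdc, now)
    ticket, ap_auth = alice.access(kdc, files, now + 1)
    return {
        "second_access_without_relogin": alice.access(kdc, files, now + 2)[0] is not None,
        "wrong_password_rejected": _fails(lambda: Client("alice", "wrong").login(kdc, now)),
        "clock_skew_rejected": _fails(lambda: kdc.as_exchange(
            "alice", seal(keys["alice"], {"ts": now + MAX_SKEW + 1}), now)),
        "replay_rejected": _fails(lambda: files.ap_exchange(ticket, ap_auth, now + 1)),
        "expired_ticket_rejected": _fails(lambda: files.ap_exchange(
            ticket, ap_auth, now + TICKET_LIFETIME + 2)),
    }
```

run_scenario() exercises each property in turn: a second access reuses the TGT with no new login, a wrong password fails at step 2 because the AS-REP cannot be unsealed, a client clock more than five minutes off is refused, the captured (ticket, authenticator) pair is rejected on replay even though it is still inside the skew window, and a ticket past its lifespan is refused before anything else is checked.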
