CertBus 2021 Real ISC CISSP ISC Certification Exam VCE and PDF Dumps for Free Download!
☆ CISSP ISC Certification Exam PDF and VCE Dumps : 1094QAs Instant Download: https://www.certbus.com/CISSP.html [100% CISSP Exam Pass Guaranteed or Money Refund!!]
☆ Free view online pdf on CertBus free test CISSP PDF: https://www.certbus.com/online-pdf/CISSP.pdf
☆ CertBus 2021 Real CISSP ISC Certification exam Question PDF Free Download from Google Drive Share: https://drive.google.com/file/d/0B_3QX8HGRR1mVXBDYy0tYmNFSHM/view?usp=sharing
Following CISSP 1094QAs are all new published by ISC Official Exam Center
100% candidates have passed the ISC Certification Newest CISSP vce dumps exam by the help of CertBus pass guaranteed ISC Certification Latest CISSP exam questions preparation materials. The CertBus ISC PDF and VCEs are the latest and cover every knowledge points of ISC Certification Hotest CISSP exam questions Certified Information Systems Security Professional certifications. You can try the Q and As for an undeniable success in Aug 21,2021 Latest CISSP free download exam.
CertBus 100% real CISSP certification exam questions and answers. easily pass with a high score. get CISSP certification with CertBus study materials and practice tests. CISSP certification – CISSP certifications. get your CISSP certification easily. CertBus expert team is ready to help you. latest CISSP exam dumps. get your certification easily- CertBus.
We CertBus has our own expert team. They selected and published the latest CISSP preparation materials from ISC Official Exam-Center: https://www.certbus.com/CISSP.html
In Mandatory Access Control, sensitivity labels attached to object contain what information?
A. The item\’s classification
B. The item\’s classification and category set
C. The item\’s category
D. The items\’s need to know
Correct Answer: B
Explanation: The following is the correct answer: the item\’s classification and category set.
A Sensitivity label must contain at least one classification and one category set.
Category set and Compartment set are synonyms, they mean the same thing. The sensitivity label must contain at least one Classification and at least one Category. It is common in some environments for a single item to belong to multiple
categories. The list of all the categories to which an item belongs is called a compartment set or category set.
The following answers are incorrect:
The item\’s classification. Is incorrect because you need a category set as well.
The item\’s category. Is incorrect because category set and classification would be both be required.
The item\’s need to know. Is incorrect because there is no such thing. The need to know is indicated by the catergories the object belongs to. This is NOT the best answer.
Reference(s) used for this question:
OIG CBK, Access Control (pages 186 – 188)
AIO, 3rd Edition, Access Control (pages 162 – 163)
AIO, 4th Edition, Access Control, pp 212-214
Wikipedia – http://en.wikipedia.org/wiki/Mandatory_Access_Control
Technical controls such as encryption and access control can be built into the operating system, be software applications, or can be supplemental hardware/software units. Such controls, also known as logical controls, represent which pairing?
A. Preventive/Administrative Pairing
B. Preventive/Technical Pairing
C. Preventive/Physical Pairing
D. Detective/Technical Pairing
Correct Answer: B
Explanation: Preventive/Technical controls are also known as logical controls and can be built into the operating system, be software applications, or can be supplemental hardware/software units. Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley and Sons, Page 34
Which of the following is required in order to provide accountability?
D. Audit trails
Correct Answer: D
Explanation: Accountability can actually be seen in two different ways:
1) Although audit trails are also needed for accountability, no user can be accountable for their actions unless properly authenticated.
2) Accountability is another facet of access control. Individuals on a system are responsible for their actions. This accountability property enables system activities to be traced to the proper individuals. Accountability is supported by audit trails
that record events on the system and network. Audit trails can be used for intrusion detection and for the reconstruction of past events. Monitoring individual activities, such as keystroke monitoring, should be accomplished in accordance with
the company policy and appropriate laws. Banners at the log-on time should notify the user of any monitoring that is being conducted. The point is that unless you employ an appropriate auditing mechanism, you don\’t have accountability.
Authorization only gives a user certain permissions on the network. Accountability is far more complex because it also includes intrusion detection, unauthorized actions by both unauthorized users and authorized users, and system faults.
The audit trail provides the proof that unauthorized modifications by both authorized and unauthorized users took place. No proof, No accountability.
Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Page 50
The Shon Harris AIO book, 4th Edition, on Page 243 also states:
Auditing Capabilities ensures users are accountable for their actions, verify that the secutiy policies are enforced,
and can be used as investigation tools. Accountability is tracked by recording user, system, and application activities.
This recording is done through auditing functions and mechanisms within an operating sytem or application.
Audit trail contain information about operating System activities, application events, and user actions.
Which of the following statements pertaining to Kerberos is true?
A. Kerberos uses public key cryptography.
B. Kerberos uses X.509 certificates.
C. Kerberos is a credential-based authentication system.
D. Kerberos was developed by Microsoft.
Correct Answer: C
Explanation: Kerberos is a trusted, credential-based, third-party authentication protocol that was developed at MIT and that uses symmetric (secret) key cryptography to authenticate clients to other entities on a network for access to services. It does not use X.509 certificates, which are used in public key cryptography. Source: KRUTZ, Ronald L. and VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley and Sons, 2001, Chapter 2: Access control systems (page 40).
The three classic ways of authenticating yourself to the computer security software are: something you know, something you have, and something:
A. you need.
B. you read.
C. you are.
D. you do.
Correct Answer: C
Explanation: Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.
What kind of certificate is used to validate a user identity?
A. Public key certificate
B. Attribute certificate
C. Root certificate
D. Code signing certificate
Correct Answer: A
Explanation: In cryptography, a public key certificate (or identity certificate) is an electronic document which incorporates a digital signature to bind together a public key with an identity — information such as the name of a person or an
organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual.
In a typical public key infrastructure (PKI) scheme, the signature will be of a certificate authority (CA). In a web of trust scheme, the signature is of either the user (a self-signed certificate) or other users (“endorsements”). In either case, the
signatures on a certificate are attestations by the certificate signer that the identity information and the public key belong together.
In computer security, an authorization certificate (also known as an attribute certificate) is a digital document that describes a written permission from the issuer to use a service or a resource that the issuer controls or has access to use. The
permission can be delegated.
Some people constantly confuse PKCs and ACs. An analogy may make the distinction clear. A PKC can be considered to be like a passport: it identifies the holder, tends to last for a long time, and should not be trivial to obtain. An AC is more
like an entry visa: it is typically issued by a different authority and does not last for as long a time. As acquiring an entry visa typically requires presenting a passport, getting a visa can be a simpler process.
A real life example of this can be found in the mobile software deployments by large service providers and are typically applied to platforms such as Microsoft Smartphone (and related), Symbian OS, J2ME, and others.
In each of these systems a mobile communications service provider may customize the mobile terminal client distribution (ie. the mobile phone operating system or application environment) to include one or more root certificates each
associated with a set of capabilities or permissions such as “update firmware”, “access address book”, “use radio interface”, and the most basic one, “install and execute”. When a developer wishes to enable distribution and execution in one
of these controlled environments they must acquire a certificate from an appropriate CA, typically a large commercial CA, and in the process they usually have their identity verified using out-of-band mechanisms such as a combination of
phone call, validation of their legal entity through government and commercial databases, etc., similar to the high assurance SSL certificate vetting process, though often there are additional specific requirements imposed on would-be
Once the identity has been validated they are issued an identity certificate they can use to sign their software; generally the software signed by the developer or publisher\’s identity certificate is not distributed but rather it is submitted to
processor to possibly test or profile the content before generating an authorization certificate which is unique to the particular software release. That certificate is then used with an ephemeral asymmetric key-pair to sign the software as the
last step of preparation for distribution. There are many advantages to separating the identity and authorization certificates especially relating to risk mitigation of new content being accepted into the system and key management as well as
recovery from errant software which can be used as attack vectors.
HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 2001, McGraw-Hill/Osborne, page 540
Which of the following answers best describes the type of penetration testing where the analyst has full knowledge of the network on which he is going to perform his test?
A. White-Box Penetration Testing
B. Black-Box Pen Testing
C. Penetration Testing
D. Gray-Box Pen Testing
Correct Answer: A
Explanation: In general there are three ways a pen tester can test a target system.
White-Box: The tester has full access and is testing from inside the system.
Gray-Box: The tester has some knowledge of the system he\’s testing.
Black-Box: The tester has no knowledge of the system. Each of these forms of testing has different benefits and can test different aspects of the system from different approaches.
The following answers are incorrect:
Black-Box Pen Testing: This is where no prior knowledge is given about the target network. Only a domain name or business name may be given to the analyst.
Penetration Testing: This is half correct but more specifically it is white-box testing because the tester has full access.
Gray-Box Pen Testing: This answer is not right because Gray-Box testing you are given a little information about the target network.
The following reference(s) was used to create this question:
2013 Official Security Curriculum.
tester is provided no information about the target\’s network or environment. The tester is simply left to his abilities
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 4742-4743). Auerbach Publications. Kindle Edition.
Access control is the collection of mechanisms that permits managers of a system to exercise a directing or restraining influence over the behavior, use, and content of a system. It does not permit management to:
A. specify what users can do
B. specify which resources they can access
C. specify how to restrain hackers
D. specify what operations they can perform on a system.
Correct Answer: C
Explanation: Access control is the collection of mechanisms that permits managers of a system to exercise a directing or restraining influence over the behavior, use, and content of a system. It permits management to specify what users can do, which resources they can access, and what operations they can perform on a system. Specifying HOW to restrain hackers is not directly linked to access control. Source: DUPUIS, Clement, Access Control Systems and Methodology, Version 1, May 2002, CISSP Open Study Group Study Guide for Domain 1, Page 12
Which of the following would be an example of the best password?
Correct Answer: C
Explanation: The best passwords are those that are both easy to remember and hard to crack using a dictionary attack. The best way to create passwords that fulfil both criteria is to use two small unrelated words or phonemes, ideally with upper and lower case characters, a special character, and/or a number. Shouldn\’t be used: common names, DOB, spouse, phone numbers, words found in dictionaries or system defaults.
Source: ROTHKE, Ben, CISSP CBK Review presentation on domain 1
What can be defined as a list of subjects along with their access rights that are authorized to access a specific object?
A. A capability table
B. An access control list
C. An access control matrix
D. A role-based matrix
Correct Answer: B
Explanation: “It [ACL] specifies a list of users [subjects] who are allowed access to each object” CBK, p. 188
A capability table is incorrect. “Capability tables are used to track, manage and apply controls based on the object and rights, or capabilities of a subject. For example, a table identifies the object, specifies access rights allowed for a subject,
and permits access based on the user\’s posession of a capability (or ticket) for the object.” CBK, pp. 191-192 The distinction that makes this an incorrect choice is that access is based on posession of a capability by the subject.
To put it another way, as noted in AIO3 on p. 169, “A capabiltiy table is different from an ACL because the subject is bound to the capability table, whereas the object is bound to the ACL.”
An access control matrix is incorrect. The access control matrix is a way of describing the rules for an access control strategy. The matrix lists the users, groups and roles down the left side and the resources and functions across the top. The
cells of the matrix can either indicate that access is allowed or indicate the type of access. CBK pp 317 – 318
AIO3, p. 169 describes it as a table if subjects and objects specifying the access rights a certain subject possesses pertaining to specific objects. In either case, the matrix is a way of analyzing the access control needed by a population of
subjects to a population of objects. This access control can be applied using rules, ACL\’s, capability tables, etc.
A role-based matrix is incorrect. Again, a matrix of roles vs objects could be used as a tool for thinking about the access control to be applied to a set of objects. The results of the analysis could then be implemented using RBAC.
CBK, Domain 2: Access Control.
AIO3, Chapter 4: Access Control
CertBus exam braindumps are pass guaranteed. We guarantee your pass for the CISSP exam successfully with our ISC materials. CertBus Certified Information Systems Security Professional exam PDF and VCE are the latest and most accurate. We have the best ISC in our team to make sure CertBus Certified Information Systems Security Professional exam questions and answers are the most valid. CertBus exam Certified Information Systems Security Professional exam dumps will help you to be the ISC specialist, clear your CISSP exam and get the final success.
CISSP Latest questions and answers on Google Drive(100% Free Download): https://drive.google.com/file/d/0B_3QX8HGRR1mVXBDYy0tYmNFSHM/view?usp=sharing
CISSP ISC exam dumps (100% Pass Guaranteed) from CertBus: https://www.certbus.com/CISSP.html [100% Exam Pass Guaranteed]
Why select/choose CertBus?
Millions of interested professionals can touch the destination of success in exams by certbus.com. products which would be available, affordable, updated and of really best quality to overcome the difficulties of any course outlines. Questions and Answers material is updated in highly outclass manner on regular basis and material is released periodically and is available in testing centers with whom we are maintaining our relationship to get latest material.