Which of the following statements pertaining to the trusted computing base (TCB) is false?
Correct Answer: A
Explanation/Reference: Explanation: The definition comes from the Orange Book: the ability of a TCB to correctly enforce a security policy depends solely on the mechanisms within the TCB and on the correct input by system administrative personnel of parameters (such as a user's clearance) related to the security policy. The second half matters in practice: if Jane holds only a CONFIDENTIAL clearance, a system administrator can defeat an otherwise correctly operating TCB by entering a SECRET clearance for her, because the TCB enforces whatever parameters it is given. "It is defined in the Orange Book" is a true statement and therefore not the answer: the TCB is defined in the Orange Book (the TCSEC, Trusted Computer System Evaluation Criteria). "It includes hardware, firmware and software" is true: the TCB is the combination of all hardware, firmware and software responsible for enforcing the security policy. "A higher TCB rating will require that details of testing procedures and documentation be reviewed with more granularity" is true: as the level of trust increases (from D up to A), so does the scrutiny required during evaluation. References: CBK, pp. 323-324, 329-330; AIO3, pp. 269-272.
Question 47
Which of the following is the BEST mitigation from phishing attacks?
Correct Answer: B
Question 48
What does the Clark-Wilson security model focus on?
Correct Answer: B
The Clark-Wilson model addresses integrity. It incorporates mechanisms to enforce internal and external consistency, a separation of duty, and a mandatory integrity policy. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security Architectures and Models (page 205).
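Added example, written for this page rather than taken from Krutz & Vines or any Clark-Wilson reference implementation: a small Python model of the mechanisms the explanation names. A ledger is the constrained data item (CDI); certified transformation procedures (TPs) are the only code allowed to change it; every call must match an access triple (user, TP, CDI); an integrity verification procedure (IVP) re-checks the ledger after each TP and rolls back on failure; and separation of duty is enforced by refusing to let the user who submitted a transfer approve it. The users, accounts, amounts and the invariant total are constructed for the demo.

```python
import copy


class PolicyViolation(Exception):
    """Missing access triple, separation-of-duty breach, or a failed integrity check."""


class ClarkWilsonSystem:
    """Minimal Clark-Wilson enforcement: CDIs change only through certified TPs,
    only for users holding a (user, TP, CDI) access triple, and every change is
    validated by the CDI's IVP before it is committed."""

    def __init__(self):
        self.cdis = {}        # CDI name -> constrained data item
        self.ivps = {}        # CDI name -> integrity verification procedure
        self.tps = {}         # TP name -> certified transformation procedure
        self.triples = set()  # (user, TP name, CDI name) access triples

    def add_cdi(self, name, value, ivp):
        if not ivp(value):
            raise PolicyViolation(f"{name} is not in a valid initial state")
        self.cdis[name], self.ivps[name] = value, ivp

    def certify_tp(self, name, fn):
        self.tps[name] = fn

    def permit(self, user, tp, cdi):
        self.triples.add((user, tp, cdi))

    def run(self, user, tp, cdi, *args):
        """The only path through which a CDI may change."""
        if (user, tp, cdi) not in self.triples:
            raise PolicyViolation(f"{user} may not run {tp} on {cdi}")
        state = self.cdis[cdi]
        snapshot = copy.deepcopy(state)    # kept for rollback if the TP misbehaves
        try:
            result = self.tps[tp](user, state, *args)
            if not self.ivps[cdi](state):  # consistency re-checked after every TP
                raise PolicyViolation(f"{tp} left {cdi} in an inconsistent state")
        except Exception:
            self.cdis[cdi] = snapshot      # discard the partial change
            raise
        return result


TOTAL_CENTS = 100_000  # constructed invariant: money is neither created nor destroyed


def ledger_ivp(ledger):
    """IVP: no overdrafts and the total is conserved."""
    balances = ledger["balances"].values()
    return all(v >= 0 for v in balances) and sum(balances) == TOTAL_CENTS


def tp_submit_transfer(user, ledger, src, dst, cents):
    """Certified TP: a clerk records a transfer request; nothing moves yet."""
    if cents <= 0 or src not in ledger["balances"] or dst not in ledger["balances"]:
        raise PolicyViolation("malformed transfer")
    ledger["pending"].append({"by": user, "src": src, "dst": dst, "cents": cents})
    return len(ledger["pending"]) - 1


def tp_approve_transfer(user, ledger, index):
    """Certified TP: a supervisor applies a pending transfer."""
    t = ledger["pending"].pop(index)
    if t["by"] == user:  # separation of duty: the submitter may not approve
        raise PolicyViolation(f"{user} cannot approve a transfer they submitted")
    ledger["balances"][t["src"]] -= t["cents"]
    ledger["balances"][t["dst"]] += t["cents"]
    ledger["log"].append((t["by"], user, t["src"], t["dst"], t["cents"]))
    return dict(ledger["balances"])


def build_demo_system():
    """Constructed setup: alice is a clerk, bob is a supervisor who may also submit."""
    s = ClarkWilsonSystem()
    s.add_cdi("ledger", {"balances": {"A": 60_000, "B": 40_000},
                         "pending": [], "log": []}, ledger_ivp)
    s.certify_tp("submit", tp_submit_transfer)
    s.certify_tp("approve", tp_approve_transfer)
    s.permit("alice", "submit", "ledger")
    s.permit("bob", "submit", "ledger")
    s.permit("bob", "approve", "ledger")  # bob may approve, but never his own submissions
    return s


def attempt(system, user, tp, cdi, *args):
    """Run a TP and report (ok, result or reason) instead of raising."""
    try:
        return True, system.run(user, tp, cdi, *args)
    except PolicyViolation as e:
        return False, str(e)


if __name__ == "__main__":
    s = build_demo_system()
    print(attempt(s, "alice", "submit", "ledger", "A", "B", 10_000))   # (True, 0)
    print(attempt(s, "mallory", "submit", "ledger", "A", "B", 1))      # no access triple
    print(attempt(s, "bob", "submit", "ledger", "B", "A", 5_000))      # (True, 1)
    print(attempt(s, "bob", "approve", "ledger", 1))                   # separation of duty
    print(attempt(s, "bob", "approve", "ledger", 0))                   # balances move
    print(attempt(s, "alice", "submit", "ledger", "A", "B", 70_000))   # (True, 1)
    print(attempt(s, "bob", "approve", "ledger", 1))                   # IVP fails, rolled back
```

Every write goes through `run`, which is the point of the model: a user with no triple cannot touch the ledger at all, a certified TP that would overdraw an account is rolled back by the IVP, and the submit/approve split keeps one person from both initiating and committing a transaction.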
Question 49
Which of the following is not an example of an operation control?
Correct Answer: C
"Operation controls are the mechanisms and daily procedures that provide protection for systems." "When designing a protection scheme for resources, it is important to keep the following aspects or elements of the IT infrastructure in mind: communication hardware/software, boundary devices, processing equipment, password files, application program libraries, application source code, vendor software, operating system, system utilities, directories and address tables, proprietary packages, main storage, removable storage, sensitive/critical data, system logs/audit trails, violation reports, backup files and media, sensitive forms and printouts, isolated devices such as printers and faxes, and the telephone network." Source: Tittel, CISSP Study Guide, pp. 406-407.
Question 50
In which mode of DES will a block of plaintext and a key always give the same ciphertext?
Correct Answer: A
Explanation/Reference: Explanation: Electronic Code Book (ECB) is the "native" mode of DES: the block cipher is applied directly, one 64-bit block at a time. It operates like a code book. A 64-bit block of plaintext is entered into the algorithm with a key and a 64-bit block of ciphertext comes out, and for a given plaintext block and a given key the same ciphertext block is always produced, wherever that block appears in the message. That determinism is also ECB's weakness: identical plaintext blocks yield identical ciphertext blocks, so repeated structure in the plaintext shows through in the ciphertext. This is why ECB is best suited to small amounts of data and is usually applied to encrypting initialization vectors or keys rather than messages. Incorrect Answers: B: Output Feedback (OFB) turns DES into a stream cipher: a keystream is generated by repeatedly encrypting the IV (each output block is fed back as the next input) and the ciphertext is the plaintext XORed with that keystream, so the same plaintext block gives different ciphertext at different positions. OFB is not the mode described in the question. C: Counter Mode (CTR) is very similar to OFB, but instead of feeding each keystream block back into the cipher it encrypts a nonce/counter value that is incremented for each plaintext block; again the same plaintext block does not give the same ciphertext. CTR is not the mode described in the question. D: Cipher Feedback (CFB) is a stream cipher mode in which the previous ciphertext block is fed back into the cipher to produce the next keystream block, so each ciphertext block depends on everything encrypted before it. CFB is not the mode described in the question. References: Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, p. 803; Krutz, Ronald L. and Russel Dean Vines, The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, New York, 2001, p. 143.
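Added example, written for this page rather than taken from Harris or Krutz & Vines: the five modes implemented over a pluggable 64-bit block transform and run on a message made of four identical blocks. The Python standard library has no DES, so the block transform here is a toy four-round Feistel permutation built on SHA-256 (an assumption of the example: it is a keyed, deterministic, invertible 64-bit permutation like DES, but it is not DES and is not secure). The observations are about the modes, not the cipher. The key, IV and plaintext are constructed, and the code assumes input already padded to a multiple of 8 bytes.

```python
import hashlib

BLOCK = 8  # DES block size: 64 bits


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    # Toy keyed round function standing in for DES's f. Not DES, not secure.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def toy_des(key: bytes, block: bytes) -> bytes:
    """Encrypt one 64-bit block with a 4-round Feistel network (a keyed permutation)."""
    assert len(block) == BLOCK and len(key) == 8
    l, r = block[:4], block[4:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, r, rnd))
    return r + l


def _blocks(data: bytes):
    assert len(data) % BLOCK == 0, "example assumes input already padded to 8-byte blocks"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb(key, pt):
    # Each block encrypted on its own: same key + same block -> same ciphertext block
    return b"".join(toy_des(key, b) for b in _blocks(pt))


def cbc(key, iv, pt):
    out, prev = [], iv
    for b in _blocks(pt):
        prev = toy_des(key, xor(b, prev))  # previous ciphertext block chained in
        out.append(prev)
    return b"".join(out)


def cfb(key, iv, pt):
    out, prev = [], iv
    for b in _blocks(pt):
        c = xor(b, toy_des(key, prev))     # ciphertext fed back to make the next keystream block
        out.append(c)
        prev = c
    return b"".join(out)


def ofb(key, iv, pt):
    out, s = [], iv
    for b in _blocks(pt):
        s = toy_des(key, s)                # keystream depends only on key and IV
        out.append(xor(b, s))
    return b"".join(out)


def ctr(key, nonce, pt):
    out, n0 = [], int.from_bytes(nonce, "big")
    for i, b in enumerate(_blocks(pt)):
        counter = ((n0 + i) % 2**64).to_bytes(BLOCK, "big")  # increments per block
        out.append(xor(b, toy_des(key, counter)))
    return b"".join(out)


def distinct_blocks(ct: bytes) -> int:
    """How many different 64-bit ciphertext blocks appear; ECB leaks repeats as 1."""
    return len(set(_blocks(ct)))


def demo():
    key = b"\x13\x34\x57\x79\x9b\xbc\xdf\xf1"  # constructed 64-bit key
    iv = b"\x00" * 7 + b"\x01"                 # constructed IV / nonce
    pt = b"ATTACK!!" * 4                        # four identical 64-bit plaintext blocks
    return {
        "ECB": distinct_blocks(ecb(key, pt)),
        "CBC": distinct_blocks(cbc(key, iv, pt)),
        "CFB": distinct_blocks(cfb(key, iv, pt)),
        "OFB": distinct_blocks(ofb(key, iv, pt)),
        "CTR": distinct_blocks(ctr(key, iv, pt)),
    }


if __name__ == "__main__":
    for mode, n in demo().items():
        print(f"{mode}: {n} distinct ciphertext block(s) from 4 identical plaintext blocks")
```

Run it and ECB reports a single distinct block while the other four modes report four: only ECB maps a plaintext block to the same ciphertext block regardless of position, which is exactly what the question asks and exactly why ECB is unsuitable for data with repeated structure. Note that CFB, OFB and CTR call the block transform only in the encryption direction, which is what makes them stream-cipher modes.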