
SSCP Practice Test


Page 3 out of 210 Pages

Topic 1: Access Control

What can be defined as a list of subjects along with their access rights that are authorized
to access a specific object?


A. A capability table
B. An access control list
C. An access control matrix
D. A role-based matrix

Answer: B. An access control list



"It [ACL] specifies a list of users [subjects] who are allowed access to each
object" CBK, p. 188

A capability table is incorrect. "Capability tables are used to track, manage and apply
controls based on the object and rights, or capabilities of a subject. For example, a table
identifies the object, specifies access rights allowed for a subject, and permits access
based on the user's possession of a capability (or ticket) for the object." CBK, pp. 191-192.
The distinction that makes this an incorrect choice is that access is based on possession of a capability by the subject.
To put it another way, as noted in AIO3 on p. 169, "A capability table is different from an
ACL because the subject is bound to the capability table, whereas the object is bound to
the ACL."

An access control matrix is incorrect. The access control matrix is a way of describing the
rules for an access control strategy. The matrix lists the users, groups and roles down the
left side and the resources and functions across the top. The cells of the matrix can either indicate that access is allowed or indicate the type of access. CBK, pp. 317-318.
AIO3, p. 169 describes it as a table of subjects and objects specifying the access rights a
certain subject possesses pertaining to specific objects.
In either case, the matrix is a way of analyzing the access control needed by a population
of subjects to a population of objects. This access control can be applied using rules,
ACLs, capability tables, etc.

A role-based matrix is incorrect. Again, a matrix of roles vs objects could be used as a tool
for thinking about the access control to be applied to a set of objects. The results of the
analysis could then be implemented using RBAC.

References:
CBK, Domain 2: Access Control.
AIO3, Chapter 4: Access Control

The control measures that are intended to reveal the violations of security policy using
software and hardware are associated with:


A. Preventive/physical
B. Detective/technical
C. Detective/physical
D. Detective/administrative

Answer: B. Detective/technical



The detective/technical control measures are intended to reveal the
violations of security policy using technical means.
Source: KRUTZ, Ronald L. & VINES, Russell D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 35.

What is a common problem when using vibration detection devices for perimeter control?


A. They are vulnerable to non-adversarial disturbances.
B. They can be defeated by electronic means.
C. Signal amplitude is affected by weather conditions.
D. They must be buried below the frost line.

Answer: A. They are vulnerable to non-adversarial disturbances.





Vibration sensors are similar and are also implemented to detect forced
entry. Financial institutions may choose to implement these types of sensors on exterior
walls, where bank robbers may attempt to drive a vehicle through. They are also commonly
used around the ceiling and flooring of vaults to detect someone trying to make an
unauthorized bank withdrawal.
Such sensors are prone to false positives. A large truck with heavy equipment
driving by may trigger the sensor. Likewise, a storm with thunder and lightning may
trigger the alarm even though there is no adversarial threat or disturbance.
The following are incorrect answers:
All of the other choices are incorrect.

Reference used for this question:
Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (pp. 495-496).
McGraw-Hill. Kindle Edition.

What kind of certificate is used to validate a user identity?


A. Public key certificate
B. Attribute certificate
C. Root certificate
D. Code signing certificate

Answer: A. Public key certificate





In cryptography, a public key certificate (or identity certificate) is an electronic
document which incorporates a digital signature to bind together a public key with an
identity — information such as the name of a person or an organization, their address, and
so forth. The certificate can be used to verify that a public key belongs to an individual.
In a typical public key infrastructure (PKI) scheme, the signature will be of a certificate
authority (CA). In a web of trust scheme, the signature is of either the user (a self-signed
certificate) or other users ("endorsements"). In either case, the signatures on a certificate
are attestations by the certificate signer that the identity information and the public key
belong together.
In computer security, an authorization certificate (also known as an attribute certificate) is a digital document that describes a written permission from the issuer to use a service or a
resource that the issuer controls or has access to use. The permission can be delegated.
Some people constantly confuse PKCs and ACs. An analogy may make the distinction
clear. A PKC can be considered to be like a passport: it identifies the holder, tends to last
for a long time, and should not be trivial to obtain. An AC is more like an entry visa: it is
typically issued by a different authority and does not last for as long a time. As acquiring an
entry visa typically requires presenting a passport, getting a visa can be a simpler process.
A real-life example of this can be found in the mobile software deployments by large service providers, typically applied to platforms such as Microsoft Smartphone (and
related), Symbian OS, J2ME, and others.
In each of these systems a mobile communications service provider may customize the
mobile terminal client distribution (i.e. the mobile phone operating system or application
environment) to include one or more root certificates each associated with a set of
capabilities or permissions such as "update firmware", "access address book", "use radio
interface", and the most basic one, "install and execute". When a developer wishes to
enable distribution and execution in one of these controlled environments they must
acquire a certificate from an appropriate CA, typically a large commercial CA, and in the
process they usually have their identity verified using out-of-band mechanisms such as a combination of phone call, validation of their legal entity through government and
commercial databases, etc., similar to the high assurance SSL certificate vetting process,
though often there are additional specific requirements imposed on would-be
developers/publishers.
Once the identity has been validated they are issued an identity certificate they can use to sign their software; generally the software signed by the developer or publisher's identity
certificate is not distributed but rather it is submitted to a processor to possibly test or profile
the content before generating an authorization certificate which is unique to the particular
software release. That certificate is then used with an ephemeral asymmetric key-pair to
sign the software as the last step of preparation for distribution. There are many
advantages to separating the identity and authorization certificates especially relating to
risk mitigation of new content being accepted into the system and key management as well
as recovery from errant software which can be used as attack vectors.

References:
HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 2001, McGraw-Hill/Osborne,
page 540.
http://en.wikipedia.org/wiki/Attribute_certificate
http://en.wikipedia.org/wiki/Public_key_certificate

Which security model uses division of operations into different parts and requires different
users to perform each part?


A. Bell-LaPadula model
B. Biba model
C. Clark-Wilson model
D. Non-interference model

Answer: C. Clark-Wilson model



The Clark-Wilson model uses separation of duties, which divides an
operation into different parts and requires different users to perform each part. This
prevents authorized users from making unauthorized modifications to data, thereby
protecting its integrity.
The Clark-Wilson integrity model provides a foundation for specifying and analyzing an
integrity policy for a computing system.
The model is primarily concerned with formalizing the notion of information integrity.
Information integrity is maintained by preventing corruption of data items in a system due to either error or malicious intent. An integrity policy describes how the data items in the
system should be kept valid from one state of the system to the next and specifies the
capabilities of various principals in the system. The model defines enforcement rules and
certification rules.
The model’s enforcement and certification rules define data items and processes that
provide the basis for an integrity policy. The core of the model is based on the notion of a
transaction.
A well-formed transaction is a series of operations that transition a system from one
consistent state to another consistent state.
In this model the integrity policy addresses the integrity of the transactions.
The principle of separation of duty requires that the certifier of a transaction and the
implementer be different entities.
The model contains a number of basic constructs that represent both data items and
processes that operate on those data items. The key data type in the Clark-Wilson model is
a Constrained Data Item (CDI). An Integrity Verification Procedure (IVP) ensures that all
CDIs in the system are valid at a certain state. Transactions that enforce the integrity policy
are represented by Transformation Procedures (TPs). A TP takes as input a CDI or
Unconstrained Data Item (UDI) and produces a CDI. A TP must transition the system from
one valid state to another valid state. UDIs represent system input (such as that provided
by a user or adversary). A TP must guarantee (via certification) that it transforms all
possible values of a UDI to a “safe” CDI.
In general, preservation of data integrity has three goals:
Prevent data modification by unauthorized parties
Prevent unauthorized data modification by authorized parties
Maintain internal and external consistency (i.e. data reflects the real world)
Clark-Wilson addresses all three goals, but Biba addresses only the first goal of integrity.

References:
HARRIS, Shon, All-In-One CISSP Certification Fifth Edition, McGraw-Hill/Osborne, Chapter
5: Security Architecture and Design (Page 341-344).
and
http://en.wikipedia.org/wiki/Clark-Wilson_model

