[CCCure CISSP] Some cccure Quiz question doubts


[CCCure CISSP] Some cccure Quiz question doubts

Amlan Deb
 
Hi guys,
 
I have some doubts regarding some cccure Quiz questions and concepts mentioned and described in the attached document. Would really appreciate it if you could take out some time and help me with them.
 
Thanks,
Amlan

_______________________________________________
You can find the list archive at:
http://cissp-study.3965.n7.nabble.com/

CISSPstudy mailing list
[hidden email]

To UNSUBSCRIBE, SUBSCRIBE, or MANAGE your account visit the link below:
http://cccure.org/mailman/listinfo/cisspstudy_cccure.org

Attachment: Some doubts 11-Apr-13.doc (769K)

Re: [CCCure CISSP] Some cccure Quiz question doubts

Doug Spindler

What are your questions?

 

 

From: CISSPstudy [mailto:[hidden email]] On Behalf Of Amlan Deb
Sent: Saturday, April 13, 2013 6:38 AM
To: [hidden email]
Subject: [CCCure CISSP] Some cccure Quiz question doubts

 

 


Re: [CCCure CISSP] Some cccure Quiz question doubts

LaurelM
In reply to this post by Amlan Deb
Q118.
"My doubt: I'm curious to know what would have happened if we had tried to insert a record of the same sensitivity level in the database as that of FIGCO, i.e. Top Secret? Would that operation fail as it would create a conflict with the existing record?"

The question doesn't say that APFEL stole credentials; merely that they inserted a new unclassified record. [I don't see how APFEL could write an unclassified record about another company's shipping; you would think that only IISSCC would be able to write records about what was shipping.] However, if APFEL had stolen credentials--either for IISSCC or FIGCO, they would be able to read FIGCO's records and wouldn't have to worry about inserting records. I think that in order to create a classified top secret record, they would have to have IISSCC credentials, and then [if there wasn't some other type of control, such as a time/date stamp--that information isn't in the question], if everything lined up, there would be a conflict.

However, be careful about reading more into a question than what is there.

Q105.
"My doubt: the concepts of aggregation and inference are so similar, how do we differentiate between them? Why isn't inference a good answer for this question? Or do we just have to cram the definition provided by Ronald Krutz?"

Aggregation is gathering data.

Inference is making a logical conclusion or a judgment based on the data gathered. You have to aggregate the data before you can infer something about it.

Maybe this might help http://ftp.sunet.se/pub/security/docs/nistpubs/800-8.txt; it explains inference, aggregation and polymorphism on page 3

Q100 & 102 seem to be memorization to me. I believe that both questions are referring to a modified Waterfall model. I guess one way to think about it is that Detailed Design [designing access controls] would build on Product Design [determining access controls], so Detailed Design would be more granular. Detailed Design would start filling in the details that were specified in Product Design.

#7 I'm not sure what your question is, so I'm guessing that you don't understand the differences between the answers. At first glance, the answers seem confusing and very similar, but they are different. Again, maybe another reference would help. http://en.wikipedia.org/wiki/Security_modes

[CCCure CISSP] Q1April-13 Some cccure Quiz question doubts

Amlan Deb
In reply to this post by Amlan Deb
 
Hi guys,
 
I have some doubts regarding some cccure Quiz questions and concepts mentioned below. Would really appreciate it if you could take out some time and help me with them.
 
Thanks,
Amlan
 

Doubt#1
========
Question: 1944 | Difficulty: 3/5 | Relevancy: 3/3

For competitive reasons, the customers of a large shipping company called the "Integrated International Secure Shipping Containers Corporation" (IISSCC) like to keep private the various cargos that they ship. IISSCC uses a secure database system based on the Bell-LaPadula access control model to keep this information private. Different information in this database is classified at different levels. For example, the time and date a ship departs is labeled Unclassified, so customers can estimate when their cargos will arrive, but the contents of all shipping containers on the ship are labeled Top Secret to keep different shippers from viewing each other's cargos.
An unscrupulous fruit shipper, the "Association of Private Fruit Exporters, Limited" (APFEL) wants to learn whether or not a competitor, the "Fruit Is Good Corporation" (FIGCO), is shipping pineapples on the ship "S.S. Cruise Pacific" (S.S. CP). APFEL can't simply read the top secret contents in the IISSCC database because of the access model. A smart APFEL worker, however, attempts to insert a false, unclassified record in the database that says that FIGCO is shipping pineapples on the S.S. CP, reasoning that if there is already a FIGCO-pineapple-SSCP record then the insertion attempt will fail. But the attempt does not fail, so APFEL can't be sure whether or not FIGCO is shipping pineapples on the S.S. CP.
What is the name of the access control model property that prevented APFEL from reading FIGCO's cargo information? What is a secure database technique that could explain why, when the insertion attempt succeeded, APFEL was still unsure whether or not FIGCO was shipping pineapples?
 
- *-Property and Polymorphism
- Strong *-Property and Polyinstantiation
- Simple Security Property and Polymorphism
- Simple Security Property and Polyinstantiation

The correct answer is:
Simple Security Property and Polyinstantiation
The Simple Security Property states that a subject at a given clearance may not read an object at a higher classification, so unclassified APFEL could not read FIGCO's top secret cargo information.
Polyinstantiation permits a database to have two records that are identical except for their classifications (i.e., the primary key includes the classification). Thus, APFEL's new unclassified record did not collide with the real, top secret record, so APFEL was not able to learn about FIGCO's pineapples.
The following answers are incorrect:
*-Property and Polymorphism
The *-property states that a subject at a given clearance must not write to any object at a lower classification, which is irrelevant here because APFEL was trying to read data with a higher classification.
Polymorphism is a term that can refer to, among other things, viruses that can change their code to better hide from anti-virus programs or to objects of different types in an object-oriented program that are related by a common superclass and can, therefore, respond to a common set of methods in different ways. That's also irrelevant to this question.
Strong *-Property and Polyinstantiation
Half-right. The strong *-property limits a subject of a given clearance to writing only to objects with a matching classification. APFEL's attempt to insert an unclassified record was consistent with this property, but that has nothing to do with preventing APFEL from reading top secret information.
Simple Security Property and Polymorphism
Also half-right. See above for why Polymorphism is wrong.

The following reference(s) were/was used to create this question:
HARRIS, Shon, CISSP All-in-one Exam Guide, Third Edition, McGraw-Hill/Osborne, 2005
    Chapter 5: Security Models and Architecture (page 280)
    Chapter 11: Application and System Development (page 828)
Question contributed by: Mark Heckman
Email or CCCure Nickname of question author:mrheckman
Question reviewed by: Clement Dupuis
Question comment submitted by:
Comment:
You could see wordy scenario questions like this on the CISSP exam. They require reasoning, application of general security concepts to a specific situation, and the ability to filter out extraneous information. The keys to this question are as follows:
1) That Bell-LaPadula is the access control model and that a low-clearance subject could not read a high-classification object. That leaves only Simple Security Property as an option.
2) That an insertion of a low-classification record in a database did not conflict with a record at a high classification. The only concept that describes this situation is Polyinstantiation.
 
========================
My doubt: I'm curious to know what would have happened if we had tried to insert a record of the same sensitivity level in the database as that of FIGCO, i.e. Top Secret? Would that operation fail as it would create a conflict with the existing record?
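A toy model of the scenario in question 1944, added here as an example that is not part of the quiz or of this thread: reads are filtered by the simple security property, and the primary key includes the classification (polyinstantiation), so the unclassified probe insert succeeds while a second Top Secret copy of the same record collides. The level ordering, the table layout and the records are constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical level ordering for the toy model (constructed, not from the quiz).
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

@dataclass(frozen=True)
class CargoRecord:
    ship: str
    shipper: str
    cargo: str
    classification: str

class ShippingDB:
    def __init__(self):
        self._rows = {}  # primary key -> CargoRecord

    @staticmethod
    def _key(rec):
        # Polyinstantiation: classification is part of the primary key, so the same
        # (ship, shipper, cargo) may legitimately exist at several levels.
        return (rec.ship, rec.shipper, rec.cargo, rec.classification)

    def insert(self, clearance, rec):
        # Strong *-property, as the quiz phrases it: write only at the subject's own level.
        if LEVELS[clearance] != LEVELS[rec.classification]:
            raise PermissionError("write level must equal subject clearance")
        key = self._key(rec)
        if key in self._rows:
            raise KeyError("duplicate primary key")  # collides only at the same level
        self._rows[key] = rec
        return True

    def read(self, clearance, ship, shipper):
        # Simple security property: no read up; rows above the clearance are invisible.
        return [r for r in self._rows.values() if (r.ship, r.shipper) == (ship, shipper)
                and LEVELS[r.classification] <= LEVELS[clearance]]

def scenario():
    # Replay the APFEL probe from the quiz and report what each party observes.
    db = ShippingDB()
    real = CargoRecord("S.S. Cruise Pacific", "FIGCO", "pineapples", "Top Secret")
    db.insert("Top Secret", real)  # IISSCC (cleared) stores the real cargo record
    seen_low = db.read("Unclassified", "S.S. Cruise Pacific", "FIGCO")
    probe = CargoRecord("S.S. Cruise Pacific", "FIGCO", "pineapples", "Unclassified")
    probe_ok = db.insert("Unclassified", probe)  # succeeds: distinct primary key
    try:  # the same row at Top Secret needs a TS subject, and then it does collide
        db.insert("Top Secret", real)
        ts_conflict = False
    except KeyError:
        ts_conflict = True
    seen_high = db.read("Top Secret", "S.S. Cruise Pacific", "FIGCO")
    return len(seen_low), probe_ok, ts_conflict, len(seen_high)
```

The last tuple element shows the other side of polyinstantiation: a Top Secret reader sees both rows and must reconcile them, which is the cover-story problem multilevel databases accept in exchange for closing the inference channel.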
 


Re: [CCCure CISSP] Some cccure Quiz question doubts

Amlan Deb
In reply to this post by LaurelM
 
Hi Laurel / Team,
 
Thanks for taking out time and replying on this :). I'm sorry for a late response as I somehow missed this mail earlier.
 
The doubt that I have in Qs.7 is regarding the classification of the data in the different Security Modes. Let me elaborate on the same:
 
1. Is my understanding correct that the System High Security mode can consist of data which can be of different classification levels, but for allowing access the user must have clearance = the highest classification level?
 
2. Is my understanding correct that the same rule (as point #1) is also followed for the Compartmented Security mode? The additional difference being that in Compartmented mode some of the users may not have formal approval for access?
 
3. Is my understanding correct that the Dedicated Security mode consists of data which are all of the same classification level?
 
4. Is my understanding correct that the Compartmented Security and Multi Level Security modes can consist of data which can be of different classification levels?
 
Thanks,
Amlan
 
 

--- On Tue, 4/16/13, LaurelM <[hidden email]> wrote:

From: LaurelM <[hidden email]>
Subject: Re: [CCCure CISSP] Some cccure Quiz question doubts
To: [hidden email]
Date: Tuesday, April 16, 2013, 11:44 AM
