CompTIA
Checkpoint
ISC
HP
Dell
EC-Council
EXIN
Fortinet
ITIL®
Juniper
PMI
Microsoft
VMware
Avaya
Google
Salesforce
Amazon
Palo Alto Networks
Certiport
ISC2
All Vendors
  2. Home
  3. Exams
  4. ISC
  5. SSCP

Free SSCP Exam Braindumps (page: 33)

Page 33 of 269
PDF with 1074 Questions

What is the main focus of the Bell-LaPadula security model?

  1. Accountability
  2. Integrity
  3. Confidentiality
  4. Availability

Answer(s): C

Explanation:

The Bell-LaPadula model is a formal model dealing with confidentiality.
The Bell­LaPadula Model (abbreviated BLP) is a state machine model used for enforcing access control in government and military applications. It was developed by David Elliott Bell and Leonard J. LaPadula, subsequent to strong guidance from Roger R. Schell to formalize the U.S. Department of Defense (DoD) multilevel security (MLS) policy. The model is a formal state transition model of computer security policy that describes a set of access control rules which use security labels on objects and clearances for subjects. Security labels range from the most sensitive (e.g."Top Secret"), down to the least sensitive (e.g., "Unclassified" or "Public").
The Bell­LaPadula model focuses on data confidentiality and controlled access to classified information, in contrast to the Biba Integrity Model which describes rules for the protection of data integrity. In this formal model, the entities in an information system are divided into subjects and objects.
The notion of a "secure state" is defined, and it is proven that each state transition preserves security by moving from secure state to secure state, thereby inductively proving that the system satisfies the security objectives of the model. The Bell­LaPadula model is built on the concept of a state machine with a set of allowable states in a computer network system. The transition from one state to another state is defined by transition functions.
A system state is defined to be "secure" if the only permitted access modes of subjects to objects are in accordance with a security policy. To determine whether a specific access mode is allowed, the clearance of a subject is compared to the classification of the object (more precisely, to the combination of classification and set of compartments, making up the security level) to determine if the subject is authorized for the specific access mode.
The clearance/classification scheme is expressed in terms of a lattice. The model defines two mandatory access control (MAC) rules and one discretionary access control (DAC) rule with three security properties:
The Simple Security Property - a subject at a given security level may not read an object at a higher security level (no read-up).
The -property (read "star"-property) - a subject at a given security level must not write to any object at a lower security level (no write-down). The -property is also known as the Confinement property.
The Discretionary Security Property - use of an access matrix to specify the discretionary access control.
The following are incorrect answers:
Accountability is incorrect. Accountability requires that actions be traceable to the user that
performed them and is not addressed by the Bell-LaPadula model.
Integrity is incorrect. Integrity is addressed in the Biba model rather than Bell-LapadulA. Availability is incorrect. Availability is concerned with assuring that data/services are available to authorized users as specified in service level objectives and is not addressed by the Bell-Lapadula model.


Reference:

CBK, pp. 325-326
AIO3, pp. 279 - 284
AIOv4 Security Architecture and Design (pages 333 - 336) AIOv5 Security Architecture and Design (pages 336 - 338)
Wikipedia at https://en.wikipedia.org/wiki/Bell-La_Padula_model



Which of the following statements pertaining to the Bell-LaPadula is TRUE if you are NOT making use of the strong star property?

  1. It allows "read up."
  2. It addresses covert channels.
  3. It addresses management of access controls.
  4. It allows "write up."

Answer(s): D

Explanation:

Bell­LaPadula Confidentiality Model10 The Bell­LaPadula model is perhaps the most well-known and significant security model, in addition to being one of the oldest models used in the creation of modern secure computing systems. Like the Trusted Computer System Evaluation Criteria (or TCSEC), it was inspired by early U.S. Department of Defense security policies and the need to prove that confidentiality could be maintained. In other words, its primary goal is to prevent disclosure as the model system moves from one state (one point in time) to another.
When the strong star property is not being used it means that both the property and the Simple Security Property rules would be applied.
The Star (*) property rule of the Bell-LaPadula model says that subjects cannot write down, this
would compromise the confidentiality of the information if someone at the secret layer would write the object down to a confidential container for example.
The Simple Security Property rule states that the subject cannot read up which means that a subject at the secret layer would not be able to access objects at Top Secret for example.
You must remember: The model tells you about are NOT allowed to do. Anything else would be allowed. For example within the Bell LaPadula model you would be allowed to write up as it does not compromise the security of the information. In fact it would upgrade it to the point that you could lock yourself out of your own information if you have only a secret security clearance.
The following are incorrect answers because they are all FALSE:
"It allows read up" is incorrect. The "simple security" property forbids read up. "It addresses covert channels" is incorrect. Covert channels are not addressed by the Bell- LaPadula model.
"It addresses management of access controls" is incorrect. Management of access controls are beyond the scope of the Bell-LaPadula model.


Reference:

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 17595-17600). Auerbach Publications. Kindle Edition.



Which security model introduces access to objects only through programs?

  1. The Biba model
  2. The Bell-LaPadula model
  3. The Clark-Wilson model
  4. The information flow model

Answer(s): C

Explanation:

In the Clark-Wilson model, the subject no longer has direct access to objects but instead must access them through programs (well -formed transactions). The Clark­Wilson integrity model provides a foundation for specifying and analyzing an integrity policy for a computing system.
The model is primarily concerned with formalizing the notion of information integrity. Information
integrity is maintained by preventing corruption of data items in a system due to either error or malicious intent. An integrity policy describes how the data items in the system should be kept valid from one state of the system to the next and specifies the capabilities of various principals in the system. The model defines enforcement rules and certification rules.
Clark­Wilson is more clearly applicable to business and industry processes in which the integrity of the information content is paramount at any level of classification.
Integrity goals of Clark­Wilson model:
Prevent unauthorized users from making modification (Only this one is addressed by the Biba model).
Separation of duties prevents authorized users from making improper modifications. Well formed transactions: maintain internal and external consistency i.e. it is a series of operations that are carried out to transfer the data from one consistent state to the other.
The following are incorrect answers:
The Biba model is incorrect. The Biba model is concerned with integrity and controls access to objects based on a comparison of the security level of the subject to that of the object.
The Bell-LaPdaula model is incorrect. The Bell-LaPaula model is concerned with confidentiality and controls access to objects based on a comparison of the clearence level of the subject to the classification level of the object.
The information flow model is incorrect. The information flow model uses a lattice where objects are labelled with security classes and information can flow either upward or at the same level. It is similar in framework to the Bell-LaPadula model.


Reference:

ISC2 Official Study Guide, Pages 325 - 327
AIO3, pp. 284 - 287
AIOv4 Security Architecture and Design (pages 338 - 342) AIOv5 Security Architecture and Design (pages 341 - 344) Wikipedia at: https://en.wikipedia.org/wiki/Clark-Wilson_model



Which security model ensures that actions that take place at a higher security level do not affect actions that take place at a lower level?

  1. The Bell-LaPadula model
  2. The information flow model
  3. The noninterference model
  4. The Clark-Wilson model

Answer(s): C

Explanation:

The goal of a noninterference model is to strictly separate differing security levels to assure that higher-level actions do not determine what lower-level users can see. This is in contrast to other security models that control information flows between differing levels of users, By maintaining strict separation of security levels, a noninterference model minimizes leakages that might happen through a covert channel.
The model ensures that any actions that take place at a higher security level do not affect, or interfere with, actions that take place at a lower level. It is not concerned with the flow of data, but rather with what a subject knows about the state of the system. So if an entity at a higher security level performs an action, it can not change the state for the entity at the lower level.
The model also addresses the inference attack that occurs when some one has access to some type of information and can infer(guess) something that he does not have the clearance level or authority to know.
The following are incorrect answers:
The Bell-LaPadula model is incorrect. The Bell-LaPadula model is concerned only with confidentiality and bases access control decisions on the classfication of objects and the clearences of subjects.
The information flow model is incorrect. The information flow models have a similar framework to the Bell-LaPadula model and control how information may flow between objects based on security classes. Information will be allowed to flow only in accordance with the security policy.
The Clark-Wilson model is incorrect. The Clark-Wilson model is concerned with change control and assuring that all modifications to objects preserve integrity by means of well-formed transactions and usage of an access triple (subjet - interface - object).


Reference:

CBK, pp 325 - 326
AIO3, pp. 290 - 291
AIOv4 Security Architecture and Design (page 345)
AIOv5 Security Architecture and Design (pages 347 - 348) https://en.wikibooks.org/wiki/Security_Architecture_and_Design/Security_Models#Noninterference _Models



Page 33 of 269



Post your Comments and Discuss ISC SSCP exam with other Community members:

Jack commented on October 03, 2024
are these still legit?
Anonymous
upvote

Anil commented on February 13, 2024
To everyone interested in this exam. I can tell you that questions are 90% accurate. Good enough to pass the exam with a good mark. But you need to study all these questions as you get randomized questions from this question bank. I pass my exam and that is what I could share as part of my study experience. Good luck to you all.
CANADA
upvote

S.H. commented on February 13, 2024
A happy returning customer. Passed one exam now preparing for my second. I hope this one is a accurate as the first exam. My score was 87% in first exam.
France
upvote

Marcus commented on February 04, 2024
Hello @Theguy, I actually used the full version of this exam (they provide the full version in PDF and it comes with an interactive test engine software which is actually pretty good). I managed to study for a month and then booked my exam. I managed to pass my exam. Make sure to practice withe test engine they provide and make sure you get more than 90% passing mark with their test engine. After that you will be ready to book your exam. Best of luck with you studies.
Anonymous
upvote

theguy commented on February 03, 2024
anyone actually used only this recently and can verify that the majority of these questions were on their exam
UNITED STATES
upvote

Niko76 commented on December 05, 2023
I hope it help me on exam
POLAND
upvote

christopher commented on March 14, 2023
The practice questions are Clear and concise, this study guide saved me and helped me pass my exam.
UNITED STATES
upvote

Bie commented on June 14, 2022
I pass today
THAILAND
upvote

Paratik-2000 commented on June 13, 2022
I encurage you to study and understand every single question in this exam dumps. Exam is very ticky but this dump helps a lot. I got to pass mine.
INDIA
upvote

Vicktor commented on October 19, 2021
These exam dumps saved me so much time. With a full-time job, studying those large books is not possible.
UNITED STATES
upvote

Delawar commented on October 20, 2020
Locked down at home due to COVID-19. Best use of my time to get some certifications. I just purchased and downloaded this braindumps PDF package. So far looks good.
CANADA
upvote

BanglaBoi commented on January 11, 2015
1074 Questions, should be fine for mock test, will report back once I take the actual exam.
UNITED KINGDOM
upvote