Community Champion

Re: CISSP questions

What is the BEST method of storing user passwords for a system?

a. Password-protected file.
b. File restricted to one individual.
c. One-way encrypted file.
d. Two-way encrypted file.


Answer: c.
Reference: Computer Security Basics; Russell & Gangemi; pg 65-66.


A password-protected file could leave the passwords in the file in clear text, so that anyone with the password could see all users' passwords, making it impossible to hold users accountable for what happens under their ID.
The file restricted to one individual has the same problem as a.
Answer c - One-way encryption means that the password file is never decrypted, therefore, only the user knows the password (and hackers that use a dictionary attack, but nobody's perfect).
What is "two-way encryption"?  As I keep telling you, just because you don't understand it doesn't mean it's the right answer!


............
This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
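A worked illustration of the one-way versus two-way distinction in the answer above. This is an added example, not code from the post or from the cited book; the PBKDF2 parameters, the toy keystream cipher standing in for "two-way encryption", and the sample password and key are all assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune to your hardware

def store_one_way(password: str) -> str:
    """One-way storage: random salt + PBKDF2-HMAC-SHA256. The record can be
    checked against a candidate password but never turned back into it."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_one_way(password: str, record: str) -> bool:
    """Re-derive the digest and compare in constant time. Nothing is decrypted,
    so whoever can read the file still does not learn the password."""
    _, iters, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def _keystream(key: bytes, length: int) -> bytes:
    """Toy keystream (assumption: a stand-in for any reversible cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def store_two_way(password: str, key: bytes) -> bytes:
    """Reversible ('two-way') storage: the password is encrypted under a key."""
    data = password.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

def recover_two_way(record: bytes, key: bytes) -> str:
    """The same key turns the record straight back into the password, so anyone
    holding the file and the key reads every user's password."""
    return bytes(a ^ b for a, b in zip(record, _keystream(key, len(record)))).decode()

def demo() -> dict:
    """Constructed sample password and key, not taken from any real system."""
    pw, key = "correct horse battery staple", b"constructed-file-key"
    one_way, two_way = store_one_way(pw), store_two_way(pw, key)
    return {
        "one_way_verifies": verify_one_way(pw, one_way),
        "one_way_rejects_wrong": not verify_one_way("wrong password", one_way),
        "one_way_record_has_no_plaintext": pw not in one_way,
        "two_way_recovers_plaintext": recover_two_way(two_way, key) == pw,
    }
```

Running `demo()` shows the point of answer c: the one-way record can only confirm or deny a candidate, while the two-way record gives the plaintext back to anyone holding the key.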
Community Champion

Re: CISSP questions

19. What is the purpose of a ticket-oriented security mechanism?


a. Permits the subject’s access to objects
b. Assigns access modes to objects
c. Grants subject’s discretionary control
d. Assures user access accountability


Answer: a.


Reference: Handbook of Information Security Management; Ruthberg & Tipton; pg 538-539.


You could say that this is an example of all the answers being correct.  However, the answer that most completely answers the question asked is the most correct, and therefore the answer that will get you that point.  Answer a may seem a bit broad: after all, that's the purpose of any access control mechanism, and doesn't differentiate a ticket-oriented system from any other.  But that's the most correct.  Since no other answer (that you're given) distinguishes a ticket-oriented system from any other, "ticket-oriented" is irrelevant.


Viewer II

Re: CISSP questions

Thank you @rslade for these questions. For the first time I understand why people fail this exam. I went through quite a few tests and would say that I'm well versed in taking them, but this is going to be really, really difficult for me.

Community Champion

Re: CISSP questions

> Zei1dohr (Viewer) mentioned you in a post! Join the conversation below:

> thank you @rslade for these questions.

Welcome.

> For the first time I understand why
> people fail this exam. I went through quite a few tests and would say that I'm
> well versed in taking them, but this is going to be really really difficult for
> me

Remember, you need breadth of background, and you need to concentrate on the
fundamental concepts. Look at it that way, and it should get easier.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Even while they teach, men learn. - Seneca
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

Community Champion

Re: CISSP questions

21. Which of the following is a rule-based control mechanism?


a. Discretionary Access Control
b. Task-based Access Control
c. Subject-based Access Control
d. Token-based Access Control


Answer: a.


Reference: Handbook of Info. Sys. Sec.; Ruthberg & Tipton; pg 517.


Discussion:

Answer a - some access control systems contain rules that are used to determine whether or not an individual can achieve the access requested. This is particularly true for discretionary access control.  Remember your ACL (Access Control List)?  A list of rules, right?

For those wanting to answer b, c, or d, remember that if you don't know what it is, that doesn't mean it's the right answer.  As far as I know, none of those are actual access control systems (unless some marketing department is out there messing with things again).

