必ず合格できるISC SSCP試験の正確な1338問題と解答あります [Q111-Q133]

Share

必ず合格できるISC SSCP試験の正確な1338問題と解答あります

最新 [2025年03月20日]2025年最新の実際にある検証済みのSSCP問題集


SSCP試験は、アクセス制御、ネットワークセキュリティ、暗号化、リスク管理、およびインシデント対応など、システムセキュリティに関連する幅広いトピックをカバーしています。試験は、125問の多肢選択問題で構成され、3時間以内に完了する必要があります。受験者は、試験に合格するために少なくとも1000点中700点以上のスコアを獲得する必要があります。SSCP認定は3年間有効であり、その後、システムセキュリティの分野において引き続き知識とスキルを示すことにより再認証する必要があります。全体的に、ISC SSCP試験は、情報セキュリティの分野でキャリアを進めたい専門家にとって重要な認定資格です。

 

質問 # 111
What is called the percentage at which the False Rejection Rate equals the False Acceptance Rate?

  • A. False Rejection Rate (FRR) or Type I Error
  • B. Crossover Error Rate (CER)
  • C. False Acceptance Rate (FAR) or Type II Error
  • D. Failure to enroll rate (FTE or FER)

正解:B

解説:
Explanation/Reference:
The percentage at which the False Rejection Rate equals the False Acceptance Rate is called the Crossover Error Rate (CER). Another name for the CER is the Equal Error Rate (EER), any of the two terms could be used.
Equal error rate or crossover error rate (EER or CER)
It is the rate at which both accept and reject errors are equal. The EER is a quick way to compare the accuracy of devices with different ROC curves. In general, the device with the lowest EER is most accurate.
The other choices were all wrong answers:
The following are used as performance metrics for biometric systems:
false accept rate or false match rate (FAR or FMR): the probability that the system incorrectly matches the input pattern to a non-matching template in the database. It measures the percent of invalid inputs which are incorrectly accepted. This is when an impostor would be accepted by the system.
False reject rate or false non-match rate (FRR or FNMR): the probability that the system fails to detect a match between the input pattern and a matching template in the database. It measures the percent of valid inputs which are incorrectly rejected. This is when a valid company employee would be rejected by the system.
Failure to enroll rate (FTE or FER): the rate at which attempts to create a template from an input is unsuccessful. This is most commonly caused by low quality inputs.
Reference(s) used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 38.
and
https://en.wikipedia.org/wiki/Biometrics


質問 # 112
Asynchronous Communication transfers data by sending:

  • A. bits of data in sync with a heartbeat or clock
  • B. bits of data sequentially in irregular timing patterns
  • C. bits of data simultaneously
  • D. bits of data sequentially

正解:B

解説:
Section: Network and Telecommunications
Explanation/Reference:
Asynchronous Communication transfers data by sending bits of data in irregular timing patterns.
In asynchronous transmission each character is transmitted separately, that is one character at a time. The character is preceded by a start bit, which tells the receiving end where the character coding begins, and is followed by a stop bit, which tells the receiver where the character coding ends. There will be intervals of ideal time on the channel shown as gaps. Thus there can be gaps between two adjacent characters in the asynchronous communication scheme. In this scheme, the bits within the character frame (including start, parity and stop bits) are sent at the baud rate.
The START BIT and STOP BIT including gaps allow the receiving and sending computers to synchronise the data transmission. Asynchronous communication is used when slow speed peripherals communicate with the computer. The main disadvantage of asynchronous communication is slow speed transmission. Asynchronous communication however, does not require the complex and costly hardware equipments as is required for synchronous transmission.
Asynchronous communication is transmission of data without the use of an external clock signal. Any timing required to recover data from the communication symbols is encoded within the symbols. The most significant aspect of asynchronous communications is variable bit rate, or that the transmitter and receiver clock generators do not have to be exactly synchronized.
The asynchronous communication technique is a physical layer transmission technique which is most widely used for personal computers providing connectivity to printers, modems, fax machines, etc.
An asynchronous link communicates data as a series of characters of fixed size and format. Each character is preceded by a start bit and followed by 1-2 stop bits.
Parity is often added to provide some limited protection against errors occurring on the link.
The use of independent transmit and receive clocks constrains transmission to relatively short characters (<8 bits) and moderate data rates (< 64 kbps, but typically lower).
The asynchronous transmitter delimits each character by a start sequence and a stop sequence. The start bit (0), data (usually 8 bits plus parity) and stop bit(s) (1) are transmitted using a shift register clocked at the nominal data rate.
When asynchronous transmission is used to support packet data links (e.g. IP), then special characters have to be used ("framing") to indicate the start and end of each frame transmitted.
One character (none as an escape character) is reserved to mark any occurrence of the special characters within the frame. In this way the receiver is able to identify which characters are part of the frame and which are part of the "framing".
Packet communication over asynchronous links is used by some users to get access to a network using a modem.
Most Wide Area Networks use synchronous links and a more sophisticated link protocol Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 100.
and
http://en.wikipedia.org/wiki/Asynchronous_communication
and
http://www.erg.abdn.ac.uk/users/gorry/course/phy-pages/async.html
and
http://www.ligaturesoft.com/data_communications/async-data-transmission.html


質問 # 113
Which of the following algorithms is a stream cipher?

  • A. RC2
  • B. RC4
  • C. RC6
  • D. RC5

正解:B

解説:
Section: Cryptography
Explanation/Reference:
RC2, RC4, RC5 and RC6 were developed by Ronal Rivest from RSA Security.
In the RC family only RC4 is a stream cipher.
RC4 allows a variable key length.
RC2 works with 64-bit blocks and variable key lengths,
RC5 has variable block sizes, key length and number of processing rounds.
RC6 was designed to fix a flaw in RC5.
Source: ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 6: Cryptography (page 103).


質問 # 114
CORRECT TEXT
NIPC stands for _____ _____ _____ ______ and is a government organization designed to help protect our nation's vital information resources.

正解:

解説:
Infrastructure Protection Center


質問 # 115
An area of the Telecommunications and Network Security domain that directly affects the Information Systems Security tenet of Availability can be defined as:

  • A. Network accountability
  • B. Netware availability
  • C. Network acceptability
  • D. Network availability

正解:D

解説:
Network availability can be defined as an area of the Telecommunications and Network Security domain that directly affects the Information Systems Security tenet of Availability. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 64.


質問 # 116
What IDS approach relies on a database of known attacks?

  • A. Network-based intrusion detection
  • B. Statistical anomaly-based intrusion detection
  • C. Behavior-based intrusion detection
  • D. Signature-based intrusion detection

正解:D

解説:
Explanation/Reference:
A weakness of the signature-based (or knowledge-based) intrusion detection approach is that only attack signatures that are stored in a database are detected. Network-based intrusion detection can either be signature-based or statistical anomaly-based (also called behavior-based).
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 49).


質問 # 117
Which security model introduces access to objects only through programs?

  • A. The Biba model
  • B. The Clark-Wilson model
  • C. The Bell-LaPadula model
  • D. The information flow model

正解:B

解説:
Section: Access Control
Explanation/Reference:
In the Clark-Wilson model, the subject no longer has direct access to objects but instead must access them through programs (well -formed transactions).
The Clark-Wilson integrity model provides a foundation for specifying and analyzing an integrity policy for a computing system.
The model is primarily concerned with formalizing the notion of information integrity. Information integrity is maintained by preventing corruption of data items in a system due to either error or malicious intent. An integrity policy describes how the data items in the system should be kept valid from one state of the system to the next and specifies the capabilities of various principals in the system. The model defines enforcement rules and certification rules.
Clark-Wilson is more clearly applicable to business and industry processes in which the integrity of the information content is paramount at any level of classification.
Integrity goals of Clark-Wilson model:
Prevent unauthorized users from making modification (Only this one is addressed by the Biba model).
Separation of duties prevents authorized users from making improper modifications.
Well formed transactions: maintain internal and external consistency i.e. it is a series of operations that are carried out to transfer the data from one consistent state to the other.
The following are incorrect answers:
The Biba model is incorrect. The Biba model is concerned with integrity and controls access to objects based on a comparison of the security level of the subject to that of the object.
The Bell-LaPdaula model is incorrect. The Bell-LaPaula model is concerned with confidentiality and controls access to objects based on a comparison of the clearence level of the subject to the classification level of the object.
The information flow model is incorrect. The information flow model uses a lattice where objects are labelled with security classes and information can flow either upward or at the same level. It is similar in framework to the Bell-LaPadula model.
References:
ISC2 Official Study Guide, Pages 325 - 327
AIO3, pp. 284 - 287
AIOv4 Security Architecture and Design (pages 338 - 342)
AIOv5 Security Architecture and Design (pages 341 - 344)
Wikipedia at: https://en.wikipedia.org/wiki/Clark-Wilson_model


質問 # 118
Related to information security, the guarantee that the message sent is the message received with the assurance that the message was not intentionally or unintentionally altered is an example of which of the following?

  • A. identity
  • B. availability
  • C. confidentiality
  • D. integrity

正解:D

解説:
Integrity is the guarantee that the message sent is the message received, and that the message was not intentionally or unintentionally altered.


質問 # 119
The Telecommunications Security Domain of information security is also concerned with the prevention and detection of the misuse or abuse of systems, which poses a threat to the tenets of:

  • A. Confidentiality, Integrity, and Authenticity (C.I.A.).
  • B. Confidentiality, Integrity, and Liability (C.I.L.).
  • C. Confidentiality, Integrity, and Availability (C.I.A.).
  • D. Confidentiality, Integrity, and Entity (C.I.E.).

正解:C

解説:
Explanation/Reference:
The CIA acronym stands for Confidentiality, Integrity and Availability.
"Confidentiality, Integrity and Entity (CIE)" is incorrect. "Entity" is not part of the telecommunications domain definition.
"Confidentiality, Integrity and Authenticity (CIA)" is incorrect. While authenticity is included in the telecommunications domain, CIA is the acronym for confidentiality, integrity and availability.
"Confidentiality, Integrity, and Liability (CIL)" is incorrect. Liability is not part of the telecommunications domain definition.
References:
CBK, pp. 407 - 408


質問 # 120
How can an individual/person best be identified or authenticated to prevent local masquarading attacks?

  • A. Biometrics
  • B. UserId and password
  • C. Smart card and PIN code
  • D. Two-factor authentication

正解:A

解説:
The only way to be truly positive in authenticating identity for access is to base the authentication on the physical attributes of the persons themselves (i.e., biometric identification). Physical attributes cannot be shared, borrowed, or duplicated. They ensure that you do identify the person, however they are not perfect and they would have to be supplemented by another factor.
Some people are getting thrown off by the term Masquarade. In general, a masquerade is a disguise. In terms of communications security issues, a masquerade is a type of attack where the attacker pretends to be an authorized user of a system in order to gain access to it or to gain greater privileges than they are authorized for. A masquerade may be attempted through the use of stolen logon IDs and passwords, through finding security gaps in programs, or through bypassing the authentication mechanism. Spoofing is another term used to describe this type of attack as well.
A UserId only provides for identification.
A password is a weak authentication mechanism since passwords can be disclosed, shared, written down, and more.
A smart card can be stolen and its corresponding PIN code can be guessed by an intruder. A smartcard can be borrowed by a friend of yours and you would have no clue as to who is really logging in using that smart card.
Any form of two-factor authentication not involving biometrics cannot be as reliable as a biometric system to identify the person.
Biometric identifying verification systems control people. If the person with the correct hand, eye, face, signature, or voice is not present, the identification and verification cannot take place and the desired action (i.e., portal passage, data, or resource access) does not occur.
As has been demonstrated many times, adversaries and criminals obtain and successfully use access cards, even those that require the addition of a PIN. This is because these systems control only pieces of plastic (and sometimes information), rather than people. Real asset and resource protection can only be accomplished by people, not cards and
information, because unauthorized persons can (and do) obtain the cards and information.
Further, life-cycle costs are significantly reduced because no card or PIN administration
system or personnel are required. The authorized person does not lose physical
characteristics (i.e., hands, face, eyes, signature, or voice), but cards and PINs are
continuously lost, stolen, or forgotten. This is why card access systems require systems
and people to administer, control, record, and issue (new) cards and PINs. Moreover, the
cards are an expensive and recurring cost.
NOTE FROM CLEMENT:
This question has been generating lots of interest. The keyword in the question is:
Individual (the person) and also the authenticated portion as well.
I totally agree with you that Two Factors or Strong Authentication would be the strongest
means of authentication. However the question is not asking what is the strongest mean of
authentication, it is asking what is the best way to identify the user (individual) behind the
technology. When answering questions do not make assumptions to facts not presented in
the question or answers.
Nothing can beat Biometrics in such case. You cannot lend your fingerprint and pin to
someone else, you cannot borrow one of my eye balls to defeat the Iris or Retina scan.
This is why it is the best method to authenticate the user.
I think the reference is playing with semantics and that makes it a bit confusing. I have
improved the question to make it a lot clearer and I have also improve the explanations
attached with the question.
The reference mentioned above refers to authenticating the identity for access. So the
distinction is being made that there is identity and there is authentication. In the case of
physical security the enrollment process is where the identity of the user would be validated
and then the biometrics features provided by the user would authenticate the user on a one
to one matching basis (for authentication) with the reference contained in the database of
biometrics templates. In the case of system access, the user might have to provide a
username, a pin, a passphrase, a smart card, and then provide his biometric attributes.
Biometric can also be used for Identification purpose where you do a one to many match.
You take a facial scan of someone within an airport and you attempt to match it with a large
database of known criminal and terrorists. This is how you could use biometric for
Identification.
There are always THREE means of authentication, they are:
Something you know (Type 1) Something you have (Type 2) Something you are (Type 3)
Reference(s) used for this question:
TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th edition (volume 1) , 2000, CRC Press, Chapter 1, Biometric Identification (page 7). and Search Security at http://searchsecurity.techtarget.com/definition/masquerade


質問 # 121
Which of the following was not designed to be a proprietary encryption algorithm?

  • A. RC4
  • B. RC2
  • C. Blowfish
  • D. Skipjack

正解:C

解説:
Blowfish is a symmetric block cipher with variable-length key (32 to 448 bits)
designed in 1993 by Bruce Schneier as an unpatented, license-free, royalty-free
replacement for DES or IDEA. See attributes below:
Block cipher: 64-bit block
Variable key length: 32 bits to 448 bits
Designed by Bruce Schneier
Much faster than DES and IDEA
Unpatented and royalty-free
No license required
Free source code available
Rivest Cipher #2 (RC2) is a proprietary, variable-key-length block cipher invented by Ron
Rivest for RSA Data Security, Inc.
Rivest Cipher #4 (RC4) is a proprietary, variable-key-length stream cipher invented by Ron
Rivest for RSA Data Security, Inc.
The Skipjack algorithm is a Type II block cipher [NIST] with a block size of 64 bits and a
key size of 80 bits that was developed by NSA and formerly classified at the U.S.
Department of Defense "Secret" level. The NSA announced on June 23, 1998, that
Skipjack had been declassified.
References:
RSA Laboratories
http://www.rsa.com/rsalabs/node.asp?id=2250
RFC 2828 - Internet Security Glossary
http://www.faqs.org/rfcs/rfc2828.html


質問 # 122
Which element must computer evidence have to be admissible in court?

  • A. It must contain source code.
  • B. It must be relevant.
  • C. It must be printed.
  • D. It must be annotated.

正解:B


質問 # 123
The Information Technology Security Evaluation Criteria (ITSEC) was written to address which of the following that the Orange Book did not address?

  • A. none of the above.
  • B. integrity and confidentiality.
  • C. confidentiality and availability.
  • D. integrity and availability.

正解:D

解説:
TCSEC focused on confidentiality while ITSEC added integrity and availability as security goals.
The following answers are incorrect:
integrity and confidentiality. Is incorrect because TCSEC addressed confidentiality. confidentiality and availability. Is incorrect because TCSEC addressed confidentiality. none of the above. Is incorrect because ITSEC added integrity and availability as security goals.


質問 # 124
Valuable paper insurance coverage does not cover damage to which of the following?

  • A. Manuscripts
  • B. Inscribed, printed and Written documents
  • C. Money and Securities
  • D. Records

正解:C

解説:
Explanation/Reference:
All businesses are driven by records. Even in today's electronic society businesses generate mountains of critical documents everyday. Invoices, client lists, calendars, contracts, files, medical records, and innumerable other records are generated every day.
Stop and ask yourself what happens if your business lost those documents today.
Valuable papers business insurance coverage provides coverage to your business in case of a loss of vital records. Over the years policy language has evolved to include a number of different types of records.
Generally, the policy will cover "written, printed, or otherwise inscribed documents and records, including books, maps, films, drawings, abstracts, deeds, mortgages, and manuscripts." But, read the policy coverage carefully. The policy language typically "does not mean "money" or "securities," converted data,programs or instructions used in your data processing operations, including the materials on which the data is recorded."
The coverage is often included as a part of property insurance or as part of a small business owner policy.
For example, a small business owner policy includes in many cases valuable papers coverage up to
$25,000.
It is important to realize what the coverage actually entails and, even more critical, to analyze your business to determine what it would cost to replace records.
The coverage pays for the loss of vital papers and the cost to replace the records up to the limit of the insurance and after application of any deductible. For example, the insurer will pay to have waterlogged papers dried and reproduced (remember, fires are put out by water and the fire department does not stop to remove your book keeping records). The insurer may cover temporary storage or the cost of moving records to avoid a loss.
For some businesses, losing customer lists, some business records, and contracts, can mean the expense and trouble of having to recreate those documents, but is relatively easy and a low level risk and loss.
Larger businesses and especially professionals (lawyers, accountants, doctors) are in an entirely separate category and the cost of replacement of documents is much higher. Consider, in analyzing your business and potential risk, what it would actually cost to reproduce your critical business records. Would you need to hire temporary personnel? How many hours of productivity would go into replacing the records? Would you need to obtain originals? Would original work need to be recreated (for example, home inspectors, surveyors, cartographers)?
Often when a business owner considers the actual cost related to the reproduction of records, the owner quickly realizes that their business insurance policy limits for valuable papers coverage is woefully inadequate.
Insurers (and your insurance professional)will often suggest higher coverages for valuable papers. The extra premium is often worth the cost and should be considered.
Finally, most policies will require records to be protected. You need to review your declarations pages and speak with your insurer to determine what is required. Some insurers may offer discounted coverage if there is a document retention and back up plan in place and followed. There are professional organizations that can assist your business in designing a records management policy to lower the risk (and your premiums). For example, ARMA International has been around since 1955 and its members consist of some of the top document retention and storage companies.
Reference(s) used for this question:
http://businessinsure.about.com/od/propertyinsurance/f/vpcov.htm


質問 # 125
Which of the following BEST explains why computerized information systems frequently fail to meet the needs of users?

  • A. Inadequate user participation in defining the system's requirements.
  • B. Constantly changing user needs.
  • C. Inadequate quality assurance (QA) tools.
  • D. Inadequate project management.

正解:A

解説:
Explanation/Reference:
Inadequate user participation in defining the system's requirements. Most projects fail to meet the needs of the users because there was inadequate input in the initial steps of the project from the user community and what their needs really are.
The other answers, while potentially valid, are incorrect because they do not represent the most common problem assosciated with information systems failing to meet the needs of users.
References: All in One pg 834
Only users can define what their needs are and, therefore, what the system should accomplish. Lack of adequate user involvement, especially in the systems requirements phase, will usually result in a system that doesn't fully or adequately address the needs of the user.
Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 296).


質問 # 126
When a biometric system is used, which error type deals with the possibility of GRANTING access to impostors who should be REJECTED?

  • A. Type I error
  • B. Type II error
  • C. Crossover error
  • D. Type III error

正解:B

解説:
When the biometric system accepts impostors who should have been rejected , it is called a Type II error or False Acceptance Rate or False Accept Rate.
Biometrics verifies an individual's identity by analyzing a unique personal attribute or behavior, which is one of the most effective and accurate methods of verifying identification.
Biometrics is a very sophisticated technology; thus, it is much more expensive and complex than the other types of identity verification processes. A biometric system can make authentication decisions based on an individual's behavior, as in signature dynamics, but these can change over time and possibly be forged.
Biometric systems that base authentication decisions on physical attributes (iris, retina, fingerprint) provide more accuracy, because physical attributes typically don't change much, absent some disfiguring injury, and are harder to impersonate.
When a biometric system rejects an authorized individual, it is called a Type I error (False Rejection Rate (FRR) or False Reject Rate (FRR)).
When the system accepts impostors who should be rejected, it is called a Type II error (False Acceptance Rate (FAR) or False Accept Rate (FAR)). Type II errors are the most dangerous and thus the most important to avoid.
The goal is to obtain low numbers for each type of error, but When comparing different biometric systems, many different variables are used, but one of the most important metrics is the crossover error rate (CER).
The accuracy of any biometric method is measured in terms of Failed Acceptance Rate (FAR) and Failed Rejection Rate (FRR). Both are expressed as percentages. The FAR is the rate at which attempts by unauthorized users are incorrectly accepted as valid. The FRR is just the opposite. It measures the rate at which authorized users are denied access.
The relationship between FRR (Type I) and FAR (Type II) is depicted in the graphic below . As one rate increases, the other decreases. The Cross-over Error Rate (CER) is sometimes considered a good indicator of the overall accuracy of a biometric system. This is the point at which the FRR and the FAR have the same value. Solutions with a lower CER are typically more accurate.
See graphic below from Biometria showing this relationship. The Cross-over Error Rate (CER) is also called the Equal Error Rate (EER), the two are synonymous.

Cross Over Error Rate The other answers are incorrect: Type I error is also called as False Rejection Rate where a valid user is rejected by the
system.
Type III error : there is no such error type in biometric system.
Crossover error rate stated in percentage , represents the point at which false rejection equals the false acceptance rate.
Reference(s) used for this question:
http://www.biometria.sk/en/principles-of-biometrics.html and Shon Harris, CISSP All In One (AIO), 6th Edition , Chapter 3, Access Control, Page 188189 and Tech Republic, Reduce Multi_Factor Authentication Cost


質問 # 127
A confidential number used as an authentication factor to verify a user's identity is called a:

  • A. User ID
  • B. Password
  • C. PIN
  • D. Challenge

正解:C

解説:
PIN Stands for Personal Identification Number, as the name states it is a
combination of numbers.
The following answers are incorrect:
User ID This is incorrect because a Userid is not required to be a number and a Userid is
only used to establish identity not verify it.
Password. This is incorrect because a password is not required to be a number, it could be
any combination of characters.
Challenge. This is incorrect because a challenge is not defined as a number, it could be
anything.


質問 # 128
Which of the following issues is not addressed by digital signatures?

  • A. nonrepudiation
  • B. data integrity
  • C. denial-of-service
  • D. authentication

正解:C

解説:
Section: Cryptography
Explanation/Reference:
A digital signature directly addresses both confidentiality and integrity of the CIA triad. It does not directly address availability, which is what denial-of-service attacks.
The other answers are not correct because:
"nonrepudiation" is not correct because a digital signature can provide for nonrepudiation.
"authentication" is not correct because a digital signature can be used as an authentication mechanism
"data integrity" is not correct because a digital signature does verify data integrity (as part of nonrepudiation) References:
Official ISC2 Guide page: 227 & 265
All in One Third Edition page: 648


質問 # 129
Which of the following statements relating to the Bell-LaPadula security model is FALSE (assuming the Strong Star property is not being used) ?

  • A. A subject is not allowed to read down.
  • B. The property restriction can be escaped by temporarily downgrading a high level subject.
  • C. It is restricted to confidentiality.
  • D. A subject is not allowed to read up.

正解:A

解説:
Section: Access Control
Explanation/Reference:
It is not a property of Bell LaPadula model.
The other answers are incorrect because:
A subject is not allowed to read up is a property of the 'simple security rule' of Bell LaPadula model.
The property restriction can be escaped by temporarily downgrading a high level subject can be escaped by temporarily downgrading a high level subject or by identifying a set of trusted objects which are permitted to violate the property as long as it is not in the middle of an operation.
It is restricted to confidentiality as it is a state machine model that enforces the confidentiality aspects of access control.
Reference: Shon Harris AIO v3 , Chapter-5 : Security Models and Architecture , Page:279-282


質問 # 130
A Packet Filtering Firewall system is considered a:

  • A. third generation firewall.
  • B. fourth generation firewall.
  • C. first generation firewall.
  • D. second generation firewall.

正解:C

解説:
The first types of firewalls were packet filtering firewalls. It is the most basic firewall making access decisions based on ACL's. It will filter traffic based on source IP and port as well as destination IP and port. It does not understand the context of the communication and inspects every single packet one by one without understanding the context of the connection.
"Second generation firewall" is incorrect. The second generation of firewall were Proxy based firewalls. Under proxy based firewall you have Application Level Proxy and also the Circuit-level proxy firewall. The application level proxy is very smart and understand the inner structure of the protocol itself. The Circui-Level Proxy is a generic proxy that allow you to proxy protocols for which you do not have an Application Level Proxy. This is better than allowing a direct connection to the net. Today a great example of this would be the SOCKS protocol.
"Third generation firewall" is incorrect. The third generation firewall is the Stateful Inspection firewall. This type of firewall makes use of a state table to maintain the context of connections being established.
"Fourth generation firewall" is incorrect. The fourth generation firewall is the dynamic packet filtering firewall.


質問 # 131
Is the person who is attempting to log on really who they say they are? What form of access control does this questions stem from?

  • A. Kerberos
  • B. Authentication
  • C. Mandatory Access Control
  • D. Authorization

正解:B


質問 # 132
What does "System Integrity" mean?

  • A. Hardware and firmware have undergone periodic testing to verify that they are functioning properly.
  • B. Design specifications have been verified against the formal top-level specification.
  • C. The software of the system has been implemented as designed.
  • D. Users can't tamper with processes they do not own.

正解:A

解説:
System Integrity means that all components of the system cannot be
tampered with by unauthorized personnel and can be verified that they work properly.
The following answers are incorrect:
The software of the system has been implemented as designed. Is incorrect because this
would fall under Trusted system distribution.
Users can't tamper with processes they do not own. Is incorrect because this would fall
under Configuration Management.
Design specifications have been verified against the formal top-level specification. Is
incorrect because this would fall under Specification and verification.
References:
AIOv3 Security Models and Architecture (pages 302 - 306)
DOD TCSEC - http://www.cerberussystems.com/INFOSEC/stds/d520028.htm


質問 # 133
......

無料でゲット!2025年最新のに更新されたISC SSCP試験問題と解答:https://jp.fast2test.com/SSCP-premium-file.html


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어