In Mandatory Access Control, sensitivity labels attached to object contain what information?
Correct Answer: B
Explanation:
A Sensitivity label must contain at least one classification and one category set. Category
set and Compartment set are synonyms, they mean the same thing. The sensitivity label must contain
at least one Classification and at least one Category. It is common in some environments for a single
item to belong to multiple categories. The list of all the categories to which an item belongs is called a
compartment set or category set. The following answers are incorrect: the item's classification. Is
incorrect because you need a category set as well. the item's category. Is incorrect because category
set and classification would be both be required. The item's need to know. Is incorrect because there is
no such thing. The need to know is indicated by the catergories the object belongs to. This is NOT the
best answer. Reference(s) used for this question; OIG CBK , Access Control (pages 186 - 188) AIO, 3rd
Edition, Access Control (pages 162 - 163) AIO, 4th Edittion, Access Control, pp 212-214. Wikipedia
http://en.wikipedia.org/wiki/Mandatory_Access_Control
Question 2
What are the components of an object's sensitivity label?
Correct Answer: D
Explanation:
Both are the components of a sensitivity label. The following are incorrect: A Classification Set and a single Compartment. Is incorrect because the nomenclature "Classification Set" is incorrect, there only one classifcation and it is not a "single compartment" but a Compartment Set. A single classification and a single compartment. Is incorrect because while there only is one classifcation, it is not a "single compartment" but a Compartment Set. A Classification Set and user credentials. Is incorrect because the nomenclature "Classification Set" is incorrect, there only one classifcation and it is not "user credential" but a Compartment Set. The user would have their own sensitivity label.
Question 3
What does it mean to say that sensitivity labels are "incomparable"?
Correct Answer: D
Explanation:
If a category does not exist then you cannot compare it. Incomparable is when you have two disjointed sensitivity labels, that is a category in one of the labels is not in the other label. "Because neither label contains all the categories of the other, the labels can't be compared. They're said to be incomparable" COMPARABILITY: The label: TOP SECRET [VENUS ALPHA] is "higher" than either of the labels: SECRET [VENUS ALPHA] TOP SECRET [VENUS] But you can't really say that the label: TOP SECRET [VENUS] is higher than the label: SECRET [ALPHA] Because neither label contains all the categories of the other, the labels can't be compared. They're said to be incomparable. In a mandatory access control system, you won't be allowed access to a file whose label is incomparable to your clearance. The Multilevel Security policy uses an ordering relationship between labels known as the dominance relationship. Intuitively, we think of a label that dominates another as being "higher" than the other. Similarly, we think of a label that is dominated by another as being "lower" than the other. The dominance relationship is used to determine permitted operations and information flows. DOMINANCE The dominance relationship is determined by the ordering of the Sensitivity/Clearance component of the label and the intersection of the set of Compartments. Sample Sensitivity/Clearance ordering are: Top Secret > Secret > Confidential > Unclassified s3 > s2 > s1 > s0 Formally, for label one to dominate label 2 both of the following must be true: The sensitivity/clearance of label one must be greater than or equal to the sensitivity/clearance of label two. The intersection of the compartments of label one and label two must equal the compartments of label two. Additionally: Two labels are said to be equal if their sensitivity/clearance and set of compartments are exactly equal. Note that dominance includes equality. One label is said to strictly dominate the other if it dominates the other but is not equal to the other. Two labels are said to be incomparable if each label has at least one compartment that is not included in the other's set of compartments. The dominance relationship will produce a partial ordering over all possible MLS labels, resulting in what is known as the MLS Security Lattice. The following answers are incorrect: The number of classification in the two labels is different. Is incorrect because the categories are what is being compared, not the classifications. Neither label contains all the classifications of the other. Is incorrect because the categories are what is being compared, not the classifications. the number of categories in the two labels is different. Is incorrect because it is possibe a category exists more than once in one sensitivity label and does exist in the other so they would be comparable. Reference(s) used for this question; OReilly - Computer Systems and Access Control (Chapter 3) http://www.oreilly.com/catalog/csb/chapter/ch03.html and http://rubix.com/cms/mls_dom
Question 4
Which of the following is true about Kerberos?
Correct Answer: C
Explanation:
Kerberos depends on secret keys (symmetric ciphers). Kerberos is a third party authentication protocol. It was designed and developed in the mid 1980's by MIT. It is considered open source but is copyrighted and owned by MIT. It relies on the user's secret keys. The password is used to encrypt and decrypt the keys. The following answers are incorrect: It utilizes public key cryptography. Is incorrect because Kerberos depends on secret keys (symmetric ciphers). It encrypts data after a ticket is granted, but passwords are exchanged in plain text. Is incorrect because the passwords are not exchanged but used for encryption and decryption of the keys. It is a second party authentication system. Is incorrect because Kerberos is a third party authentication system, you authenticate to the third party (Kerberos) and not the system you are accessing. References: MIT http://web.mit.edu/kerberos/ Wikipedi http://en.wikipedia.org/wiki/Kerberos_%28protocol%29 OIG CBK Access Control (pages 181 - 184) AIOv3 Access Control (pages 151 - 155)
Question 5
Which of the following is needed for System Accountability?
Correct Answer: A
Explanation:
Is a means of being able to track user actions. Through the use of audit logs and other tools the user
actions are recorded and can be used at a later date to verify what actions were performed.
Accountability is the ability to identify users and to be able to track user actions.
The following answers are incorrect:
Documented design as laid out in the Common Criteria. Is incorrect because the Common Criteria is
an international standard to evaluate trust and would not be a factor in System Accountability.
Authorization. Is incorrect because Authorization is granting access to subjects, just because you
have authorization does not hold the subject accountable for their actions.
Formal verification of system design. Is incorrect because all you have done is to verify the system
design and have not taken any steps toward system accountability.
References:
OIG CBK Glossary (page 778)
Demo Practice Mode
You are viewing only the questions marked as Demo.