CCT 071: Decoding Security Models - CISSP Practice Questions Domain 3

Ever wonder how safe your passwords really are? Brace yourself as we unravel the shocking details of the LastPass breach from August 2020, where countless customer credentials were stolen. We'll expose the vulnerabilities that allowed this to happen and advise on the necessary steps to preserve your digital security. You'll gain insights into reliable security measures, like the Harrison-Ruzel-Ohlmann model and Trusted Computing Base, and grasp how they can prevent data degradation. 

Prepare to step into the intriguing world of unauthorized information flows. Our discussion aims to spotlight these silent threats and arm you with the knowledge to prevent them. We'll navigate through the complex maze of the Bell Laploula, BIBA, HRU, and Noninterference models, helping you understand their role in securing information. And if you're studying for the CISSP exam, you'll find our coverage of 20 questions on these topics an invaluable resource. Don't forget to check out CISSPcybertraining.com for more free CISSP questions, videos, and audio files. Join us for an episode that is more than just a conversation - it's a comprehensive guide to cybersecurity.

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and sign-up to join the team for Free. 

Content

Transcript

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Hey, all of you, sean Gerber with CISSP Cyber Training, and I hope you all are having a wonderful day today. Well, today is CISSP Question Thursday, but before we have the CISSP questions for this week, we are going to go over just real quickly an article I saw in Infosec Industry and it was from Krebs on Security around the last pass breach. Now, I'm not sure if you're connected with the last pass breach that occurred. It occurred in August of last year, so basically about a year goes when it actually happened. And this is where they had an issue where they felt that the software development environment that the individuals had at last pass had been stolen. The source code had been stolen and, as a result, everything that was tied into the overall development environment was taken out. Well, unfortunately, what ended up happening in that regard is that there were many of the customers last pass credentials had been stolen along with that breach. So if you have a last pass currently in your environment and we've talked about this on CISSP Cyber Training it is highly recommended that you get away from that environment and move to somebody else. It's also highly recommended that if you had any passwords within last pass, you go through and you clean them out. You actually go through and you ensure that you have gotten new ones in there. But what they did back in February or November when this all occurred when the August breach occurred they had then disclosed that the criminal hackers had compromised the encrypted copies of some of the password vaults, and what we've come to find out is that there's more than just some. There was actually a large number of the password vaults that have been compromised. Then, come February, they basically figured out how that they targeted. A DevOps engineer was one of the only four last pass employees with access to the vault and they were able to get information from this individual as well. So it has been an absolute situation that has gone on way too much and unfortunately they did not have a lot of good security mechanisms such as FMFA, and they also had a Plex server that was sitting in there that employees were running their home networks on, so there's lots of things that was going on when you're dealing with last pass. It's actually quite sad and the fact is that they thought it so flippantly that they would have these kind of things in place, especially for a password company. But again, that's what you deal with. So when you're dealing with a PAM solution, which is your password, which is your Privilege Ident Access Management Company, you want to make sure that they are doing what they should be doing to protect your data. Okay, so again, you'll see that link. That link will be available. Again, it's Krebs on security and it is around the overall last pass breach that this came out September 5th 2023. Okay, so if you go to CISP Cyber Training and you go to the domain exam questions, you go to domain three. This is under group three. There's about 20 questions and these are all tied with today's podcast. All right, so we're going to start off and see what you get. Question one an organization needs a security model that focuses primarily on preventing information at higher levels from affecting information at lower levels. Which model should they implement? Again, the organization is focusing primarily on preventing information at higher levels from affecting information at lower levels, and the response is non-interference. The non-interference model is designed to ensure that actions at high security levels do not interfere with actions at low security levels. Question number two in a system using HRU model, which of the following is considered undecidable? Okay, so we didn't really talk about this in the podcast, but this is something for you to understand. In the system where we're using HRU model, which of the following is considered undecidable? A is integrity, b is safety, c is confidentiality, d is availability. So in a system where the HRU model which the following is considered undecidable, and it is B in the Harrison-Ruzel-Ohlmann model, safety analysis is generally undecidable, meaning its computationality is infeasible to check the safety of all possible states. The question comes in on that one is that if you didn't really know, you would know CIA triad. You're like ah yeah, what would it be of these three? Probably none of them, so I would focus on safety. In a trusted computing base, what component is responsible for enforcing mandatory access control policies? A operating system kernel, b security kernel, c hardware or D firewall. And the answer is B. The TCB, the security kernel, enforces mandatory access control policies over all subjects and objects. Again, that's a trusted computing base. What is responsible for enforcing mandatory access control policies? We talked about that in the podcast. It is the security kernel. Question four which security model utilizes a state machine model for its formal foundation? A is BIBA, b is Clark Wilson, three is Tate Grant or D is Bell Laploula. Which security model utilizes a state machine model key term there state machine model for its formal foundation? And the answer is D the Bell Laploula model uses the state machine model as its formal foundation to ensure transitions between the system states are secure. Again, the state machine model Bell Laploula. Question five what your organization wants to implement a security model that prevents data degradation from the least trustworthy objects or subjects. Which model would you suggest? So, again, your organization wants to implement a security model that prevents data degradation from a less trustworthy subject. A Bell Laploula, b BIBA, c HRU or D noninterference. The answer is B BIBA. Biba is the integrity model. Focuses on maintaining data integrity and prevents data from being degraded by less trustworthy objects. Again, that is the BIBA model. C. Question six see that in reference monitor, which attribute ensures it cannot be modified or circumvented by an unauthorized entity? In a reference monitor, which attribute ensures that it cannot be modified or circumvented by unauthorized entities. A tamper proof B always invoked. C verifiable D mediator Again, if you don't know, just think about this cannot be modified and that would be A tamper proof. A tamper proof attribute ensures that the reference monitor cannot be modified or circumvented by unauthorized entities. Question seven what components of the security perimeter is used as a buffer between an internal network and an external network? Getting into networking? A is firewall, b is air gap, c is DMZ or D is VPN, again, which is a buffer between an internal and external network and it is a DMZ, but it's C. C, the DMZ, the demilitarized zone, acts as a buffer between the internal and external networks to provide an extra layer of security. Question eight what does the TAKEGRAPH model formally represent? A state transitions. B information flow. D or C dynamic behavior of access rights, and D mandatory access controls. The TAKEGRAPH model, what does it formally represent? It represents C dynamic behavior of access rights. The TAKEGRAPH model is used to formally represent the dynamic behavior in the access rights of a system. Question nine which security model is safety analysis computationally infeasible due to a complexity that's a lot of big $10 words there. In which security model is safety analysis computationally infeasible due to its complexity. Now we just kind of talked about this A is bibba, c is the, b is HRU, c is Bellapudda and D is Clark Wilson, it is HRU, the Harrison Ruzulman. Checking the safety of all possible states cannot be done because it's computationally infeasible due to its undecidability. Question 10. In a system using the state machine model, what describes how a system moves from one state to another? A Transition, b Commands, c Labels, d Initial State. Again, focus on what they're actually asking what the state machine model describes where it moves from one state to another. So you're moving, that's transitions. That's A. Okay, transitions describe the rules that dictate how the system moves from one state to another. Question 11. Which security model focuses on data confidentiality and is used is often used in a military applications? A Bellapudda, b Bibba, c HRU or D Non-Interference. We talked about where the military applications are the key factor, and it is the Bellapudda. It is A that focuses on maintaining data confidentiality and is commonly used in government and military applications. 12. Which of the following is not a component of a trusted computing base? A Hardware, b Security Colonel, c Operating System Colonel, or D Firewall. Which of the following is not a component of the TCB, and that would be D the firewall. It's not a core component of the trust's computing base. It's composed, even though the trust, even though firewall, is hardware, it's the TCB is computed or is composed of hardware operating system kernel and the security kernel In the non-interference model. What concept provides logical deduction based on observable behavior at lower levels? A non-interference, b non-dissubility, c integrity or D safety, non-interference model. That's the key part there. Which concept prevents logical deduction based on observed behavior? And that would be B non-dissubility. The concept of non-dissubility is in the non-interference model prevents logical deduction based on the observed behavior at the lower security models or levels, and it's deduced to deduce the higher activities. Question 14, which model aims to provide the framework for analyzing rights amplification? A, biba, b TAKEGRANT, c BELLAPUTA or DHRU? The model that aims to provide framework for analyzing rights amplification and that is DHRU. The Harrison-Ruzzo-Ohman model basically aims to address the issues of rights amplification as a result of dynamically changing permissions. Question 15, the HRU model. What action changes the access matrix? A COMMAND, b TRANSITION, c OPERATION or D LABEL? Which action changes the access matrix? A COMMAND, hru model. The COMMAND is an action that can change the access matrix. Each command consists of preconditions and operations. Question 16, which security model provides a formal way to represent the dynamic behavior of access rights in a system? Okay, the security model. Right formal way to represent the dynamic behavior of access rights A BELLAPUTA, b, biba, c, takegrant or DHRU? And the answer is C. The TAKEGRANT model provides a formal way to represent the dynamic behavior of access rights in the system. So, again, if you're looking around that for behavior of access rights in the system, it is the TAKEGRANT model. Question 17, in the BELLAPUTA model, which component is used to prove or disprove the correctness of a system? Okay, so we're talking BELLAPUTA and we're looking at proving or disproving and the components specifically around that A STATE MACHINE MODEL, b SECURITY LABELS, d REFERENCE MONITOR or actually C REFERENCE MONITOR or D ACCESS CONTROL LIST. Okay, so in the BELLAPUTA model, the PUTA model, we want to prove or disprove the correctness of the system and that is the STATE MACHINE MODEL. The STATE MACHINE MODEL is used in the BELLAPUTA model for formal verification to prove or disprove the correctness of the system. Question 18, which of the following best describes the attribute that ensures a reference monitor is always called upon for access decisions and that A is tampered proof. B always invoked, c Verifiable or D Mediator. Okay, and the best describes the attribute that ensures a reference monitor is always called upon for access decisions, so called upon a monitor. You want to look at what would be called upon. It would be invoked, so always invokes. Attribute is ensures that the reference monitor is always called upon whenever access decisions are required. Question 19, which are the following common application of the HRU model A database security, b encryption algorithms, c physical security or D wireless networks. The answer is A database security. So database security. The HRU model often applied to databases, because we talked about this where the HRU is very complex permissions, and that's probably the really only big use case that you would use the HRU model. Then question 20, the last question which security model is mainly concerned with preventing unauthorized information flows? A Bellapula, b Beba, c information flow model or D the take grant Information flows key words that are in the question. That would be C information flow model. This is the primary design to ensure that no unauthorized information flows will occur within the system. Okay, that is all I have for you today. Hey, go on out to CISSPcybertrainingcom. You can sign up for my free CISSP questions. You'll get 30 free CISSP questions each and every month, and those are available to you. If you sign up with CISSPcybertraining, you can get access to all of my questions, even as I continue to grow them more and more every single week, and you can gain access to these videos, these audio files, as well, as you can get all the videos that will be on YouTube, and my video and audio files will be on my site as well. All this information is for you to help you pass the CISSP. So go out there, check it out, see what you like, and then we can go from there. All right, have a great day and we'll catch you on the flip side, see you.