What is the difference between Access Control Lists (ACLs) and Capability Tables?
Correct Answer: B
Capability tables are used to track, manage and apply controls based on the object and the rights, or capabilities, of a subject. For example, a table identifies the object, specifies the access rights allowed for a subject, and permits access based on the user's possession of a capability (or ticket) for the object. It is a row within the matrix. To put it another way, a capability table is different from an ACL because the subject is bound to the capability table, whereas the object is bound to the ACL.

CLEMENT NOTE: If we wish to express this very simply: capabilities are attached to a subject and describe what access the subject has to each of the objects on the row that matches that subject within the matrix. It is a row within the matrix. ACLs are attached to objects and describe who has access to the object and what type of access they have. It is a column within the matrix.

The following are incorrect answers: "Access control lists are subject-based whereas capability tables are object-based" is incorrect. "Capability tables are used for objects whereas access control lists are used for users" is incorrect. "They are basically the same" is incorrect.

References used for this question: CBK, pp. 191 - 192; AIO3 p. 169
SSCP Exam Question 397
The Secure Hash Algorithm (SHA-1) creates:
Correct Answer: C
Section: Cryptography

Explanation/Reference: According to The CISSP Prep Guide, "The Secure Hash Algorithm (SHA-1) computes a fixed length message digest from a variable length input message."

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, page 160. Also see: http://csrc.nist.gov/publications/fips/fips180-2/fips180-2withchangenotice.pdf
SSCP Exam Question 398
Crime Prevention Through Environmental Design (CPTED) is a discipline that:
Correct Answer: A
Explanation/Reference: Crime Prevention Through Environmental Design (CPTED) is a discipline that outlines how the proper design of a physical environment can reduce crime by directly affecting human behavior. It provides guidance about loss and crime prevention through proper facility construction, environmental components, and procedures. CPTED concepts were developed in the 1960s. They have been expanded upon and have matured as our environments and crime types have evolved. CPTED has been used not just to develop corporate physical security programs, but also for large-scale activities such as the development of neighborhoods, towns, and cities. It addresses landscaping, entrances, facility and neighborhood layouts, lighting, road placement, and traffic circulation patterns. It looks at microenvironments, such as offices and restrooms, and macroenvironments, like campuses and cities.

Reference(s) used for this question: Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 435). McGraw-Hill. Kindle Edition. and CPTED Guide Book
SSCP Exam Question 399
What refers to legitimate users accessing networked services that would normally be restricted to them?
Correct Answer: D
Section: Access Control

Explanation/Reference: Unauthorized access of restricted network services by the circumvention of security access controls is known as logon abuse. This type of abuse refers to users who may be internal to the network but access resources they would not normally be allowed to access.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 74).
SSCP Exam Question 400
Which of the following questions is least likely to help in assessing controls covering audit trails?
Correct Answer: B
Audit trails maintain a record of system activity by system or application processes and by user activity. In conjunction with appropriate tools and procedures, audit trails can provide individual accountability, a means to reconstruct events, detect intrusions, and identify problems. Audit trail controls are considered technical controls. Monitoring and tracking of incidents is more an operational control related to incident response capability.

Reference(s) used for this question: SWANSON, Marianne, NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems, November 2001 (Pages A-50 to A-51).

NOTE: NIST SP 800-26 has been superseded by FIPS 200, SP 800-53, and SP 800-53A. You can find the new replacement at: http://csrc.nist.gov/publications/PubsSPs.html However, if you really wish to see the old standard, it is listed as an archived document at: http://csrc.nist.gov/publications/PubsSPArch.html