〇：Graham-Denning Model

The Graham-Denning model addresses how access rights between subjects and objects are defined, developed, and integrated. It defines a basic set of rights in terms of the commands that a particular subject can execute on an object. The model has eight basic protective rights or rules on how to safely perform these types of functions

×：Brewer-Nash Model

It is incorrect because its purpose is to provide access control that can be changed dynamically according to the user’s previous actions. The main purpose is to protect against conflicts of interest due to user access attempts. For example, if a large marketing firm provides marketing promotions and materials for two banks, the employee responsible for the Bank A project should not be able to see information about Bank B, the marketing firm’s other bank customer. A conflict of interest could arise because the banks are competitors. If the project manager of the marketing firm’s Project A can see information about Bank B’s new marketing campaign, he may attempt to execute it rather than promote it to please more direct customers. Marketing firms have a bad reputation when internal employees can act irresponsibly.

×：Clark-Wilson Model

The Clark-Wilson model is incorrect because it is implemented to protect data integrity and ensure that transactions are properly formatted within the application. Subjects can only access objects through authorized programs. Segregation of duties is enforced. Auditing is required. The Clark-Wilson model addresses three integrity goals: preventing changes by unauthorized users, preventing inappropriate changes by unauthorized users, and maintaining internal and external consistency.

×：Bell-LaPadula Model

This model was developed to address concerns about the security of U.S. military systems and the leakage of classified information, and is incorrect. The primary goal of the model is to prevent unauthorized access to classified information. It is a state machine model that enforces the confidentiality aspect of access control. Matrices and security levels are used to determine if a subject has access to different objects. Specific rules are applied to control how objects interact with each other compared to the subject’s object classification.

〇：CA signs certificates.

A Certificate Authority (CA) is a trusted agency (or server) that maintains digital certificates. When a certificate is requested, the Registration Authority (RA) verifies the identity of the individual and passes the certificate request to the CA The CA creates the certificate, signs it, and maintains the certificate over its lifetime.

×：RA creates the certificate and CA signs it.

Incorrect because the RA does not create the certificate; the CA creates it and signs it; the RA performs authentication and registration tasks; establishes the RA, verifies the identity of the individual requesting the certificate, initiates the authentication process to the CA on behalf of the end user, and performs certificate life cycle RAs cannot issue certificates, but can act as a broker between the user and the CA When a user needs a new certificate, they make a request to the RA and the RA goes to the CA to verify all necessary identification before granting the request The RA verifies all necessary identification information before granting the request.

×：RA signs certificates.

The RA signs the certificate, which is incorrect because the RA does not sign the certificate; the CA signs the certificate; the RA verifies the user’s identifying information and then sends the certificate request to the CA.

×：The user signs the certificate.

Incorrect because the user has not signed the certificate; in a PKI environment, the user’s certificate is created and signed by the CA. The CA is a trusted third party that generates the user certificate holding its public key.

〇：* (star) Integrity Property

The Biba model defines a model with completeness as having two axioms. The * (star) Integrity Property is that the subordinate’s document is to be seen and there is no Read Down. The * (star) Integrity Property is that there is no Write Up, that is, no rewriting of the supervisor’s document. If the Simple Integrity Axiom is not followed, the subordinate’s document will be seen and may absorb unclassified and incorrect information at a lower level. If the * (star) Integrity Property is not followed, a supervisor’s document will be rewritten, which will release incorrect information to the supervisor who sees it. Therefore, both are integrity conditions.

×：Simple Integrity Property

The Simple Integrity Property is a constraint on Read Down.

×：Strong Tranquillity Axiom

The Strong Tranquillity Axiom is the constraint not to change permissions while the system is running.

×：Weak Tranquillity Axiom

Weak Tranquillity Axiom means do not change privileges until the attribute is inconsistent.

〇：Conflict condition

A race condition is present when a process performs a task on a shared resource and the sequence could be in the wrong order. 2 or more processes can have a race condition if they use a shared resource, like data in a variable. It is important that processes perform their functions in the correct sequence.

×：Backdoors

Backdoors are incorrect because they are “listening” services on certain ports. Backdoors are implemented by attackers to allow easy access to the system without authenticating as a normal system user.

×：Maintenance Hooks

Maintenance hooks are specific software codes that allow easy and unauthorized access to sensitive parts of a software product. Software programmers use maintenance hooks to allow them to get quick access to the code so that they can make fixes in immediate, but this is dangerous.

×：Data validation errors

Data validation errors are wrong because an attacker cannot operate on the process execution sequence.

〇：Well-Formed Transaction

In the Clark-Wilson model, subjects cannot access objects without going through some type of application or program that controls how this access is done. The subject (usually the user) can access the required object based on access rules within the application software, defined as “Well-Formed Transaction,” in conjunction with the application.

×：Childwall model

This is incorrect because it is another name for the Brewer Nash model created to provide access control that can be dynamically modified according to the user’s previous behavior. It is shaped by access attempts and conflicts of interest and does not allow information to flow between subjects and objects. In this model, a subject can only write to an object if the subject cannot read another object in a different data set.

×：Access tuples

The Clark-Wilson model is incorrect because it uses access triples instead of access tuples. The access triple is the subject program object. This ensures that the subject can only access the object through the authorized program.

×：Write Up and Write Down

The Clark-Wilson model is incorrect because there is no Write Up and Write Down. These rules relate to the Bell-LaPadula and Biba models. The Bell-LaPadula model contains a simple security rule that has not been read and a star property rule that has not been written down. The Biba model contains an unread simple completeness axiom and an unwritten star completeness axiom.

A collision is when the hash value of two different data from one hash function is the same. Hashing is one-way cryptography, which means that the original plaintext is no longer known to be one or the other.

〇：TOC/TOU

Certain attacks can take advantage of the way a system processes requests and performs tasks. A TOC/TOU attack handles a series of steps that the system uses to complete a task. This type of attack takes advantage of the reliance on the timing of events occurring in a multitasking operating system; TOC/TOU is a software vulnerability that allows the use of condition checking (i.e., credential verification) and the results from that condition checking function. In the scenario in this question, the fact that the web application is likely correctly configured indicates that the programming code of this application has this type of vulnerability embedded in the code itself.

×：Buffer overflow

When too much data is accepted as input to a particular process, a buffer overflow occurs. This is incorrect because it does not match the event in the problem statement. A buffer is an allocated segment of memory. A buffer can overflow arbitrarily with too much data, but to be used by an attacker, the code inserted into the buffer must be of a specific length and require a command to be executed by the attacker. These types of attacks are usually exceptional in that the fault is segmented, or sensitive data is provided to the attacker.

×：Blind SQL Injection

Blind SQL injection attacks are wrong because they are a type of SQL injection attack that sends true or false questions to the database. In a basic SQL injection, the attacker sends specific instructions in SQL format to query the associated database. In a blind SQL attack, the attacker is limited to sending a series of true-false questions to the database in order to analyze the database responses and gather sensitive information.

×：Cross Site Request Forgery (CSRF)

Cross Site Request Forgery (CSRF) is incorrect because it is an attack type that attempts to trick the victim into loading a web page containing malicious requests or operations. The attack operation is performed within the context of the victim’s access rights. The request inherits the victim’s identity and performs undesirable functions for the victim. In this type of attack, the attacker can cause the victim’s system to perform unintended actions such as changing account information, retrieving account data, or logging out. This type of attack could be related to the scenario described in this question, but focuses on how the user can bypass the locking mechanism built into the web application. The logic in the programming code is incorrectly developed and the locking function is bypassed because a rigorous series of checks and usage sequences are not performed correctly.

〇：Conduct a risk analysis.

The first step in the procedure described, which is the first step to be taken only to deploy an effective physical security program, is to conduct a risk analysis to identify vulnerabilities and threats and to calculate the business impact of each threat. The team presents the results of the risk analysis to management to define an acceptable risk level for the physical security program. From there, the team evaluates and determines if the baseline is met by implementation. Once the team identifies its responses and implements the measures, performance is continually evaluated. These performances will be compared to the established baselines. If the baseline is maintained on an ongoing basis, the security program is successful because it does not exceed the company’s acceptable risk level.

×：Create a performance metric for the countermeasure.  

The procedure to create a countermeasure performance metric is incorrect because it is not the first step in creating a physical security program. If monitored on a performance basis, it can be used to determine how beneficial and effective the program is. It allows management to make business decisions when investing in physical security protection for the organization. The goal is to improve the performance of the physical security program, leading to a cost-effective way to reduce the company’s risk. You should establish a performance baseline and then continually evaluate performance to ensure that the firm’s protection goals are being met. Examples of possible performance metrics include: number of successful attacks, number of successful attacks, and time taken for attacks.

×：Design program.  

Designing the program is wrong because it should be done after the risk analysis. Once the level of risk is understood, then the design phase can be done to protect against the threats identified in the risk analysis. The design of deterrents, delays, detections, assessments, and responses will incorporate the necessary controls for each category of the program.

×：Implement countermeasures.  

Wrong because implementing countermeasures is one of the last steps in the process of deploying a physical security program.

〇：Brewer-Nash Model

The Chinese Wall Model is a security model that focuses on the flow of information within an organization, such as insider trading. Insider trading occurs when inside information leaks to the outside world. In reality, information can spread to unexpected places as it is passed on orally to unrelated parties. In order to take such information flow into account, access privileges are determined in a simulation-like manner. Therefore, the correct answer is the “Chinese Wall Model (Brewer-Nash Model).

×：Lattice-based Access Control

Lattice-based access control is to assume that a single entity can have multiple access rights and to consider access control as all possible relationships under a certain condition.

×：Biba Model

The Biba model is a security model that indicates that data cannot be changed without permission.

×：Harrison-Ruzzo-Ullman Model

The Harrison-Ruzzo-Ullman model is a model that aggregates the eight rules of the Graham-Denning model into six rules using an access control matrix.

〇：Multiple processes are using the same resources.

The system uses hard drive space (called swap space) that is reserved to expand RAM memory space. When the system fills up volatile memory space, data is written from memory to the hard drive. When a program requests access to this data, it is returned from the hard drive to memory in specific units called page frames. Accessing data stored on hard drive pages takes longer than accessing data stored in memory because it requires read/write access to the physical disk. A security issue with using virtual swap space is that two or more processes can use the same resources and corrupt or damage data.

×：Allowing cookies to remain persistent in memory

This is incorrect because virtual storage is not associated with cookies. Virtual storage uses hard drive space to extend RAM memory space. Cookies are small text files used primarily by web browsers. Cookies can contain credentials for web sites, site preferences, and shopping history. Cookies are also commonly used to maintain web server-based sessions.

×：Side-channel attacks are possible.

Side-channel attacks are incorrect because they are physical attacks. This type of attack gathers information about how a mechanism (e.g., smart card or encryption processor) works from abandoned radiation, time spent processing, power consumed to perform a task, etc. Using the information, reverse engineer the mechanism to reveal how it performs its security task. This is not related to virtual storage.

×：Two processes can perform a denial of service attack.

The biggest threat within a system where resources are shared between processes is that one process can adversely affect the resources of another process, since the operating system requires memory to be shared among all resources. This is especially true in the case of memory. It is possible for two processes to work together to perform a denial of service attack, but this is only one of the attacks that can be performed with or without the use of virtual storage.

〇：Increased Processing Power

The increased processing power of personal computers and servers has increased the probability of successful brute force and cracking attacks against security mechanisms that were not feasible a few years ago. Today’s processors can execute an incredible number of instructions per second. These instructions can be used to break passwords, encryption keys, or direct malicious packets to be sent to the victim’s system.

×：Increased circuitry, cache memory, and multiprogramming

This is incorrect because an increase does not make a particular type of attack more powerful. Multiprogramming means loading multiple programs or processes into memory at the same time. It allows antivirus software, word processors, firewalls, and e-mail clients to run simultaneously. Cache memory is a type of memory used for fast write and read operations. If the system expects that the program logic will need to access certain information many times during processing, the information is stored in cache memory for easy and quick access.

×：Dual-mode computation

The answer is not specific and does not measure conformance to the problem. When examining microprocessor advances, there is no actual dual-mode calculation.

×：Direct Memory Access I/O

Incorrect because this method transfers instructions and data between I/O (input/output) devices and the system’s memory without using the CPU. Direct Memory Access I/O significantly increases data transfer speed.

〇：Known Plaintext Attacks

A known-plaintext attack is a situation in which a decryptor can obtain plaintext indiscriminately. A ciphertext-alone attack is a situation where a decryptor can acquire ciphertext indiscriminately. A known-plaintext attack acquires the plaintext but does not know what ciphertext it is paired with, meaning that decryption is attempted with only two random ciphertexts. In this situation, it is difficult to decrypt. Therefore, the correct answer is “known-plaintext attack.

×：Selective Plaintext Attack

A choice-plaintext attack is a situation in which the decryptor can freely choose the plaintext to acquire and obtain the ciphertext.

×：Adaptive Choice Plaintext Attack

An adaptive choice-plaintext attack is a situation in which the decryptor can freely choose which plaintext to acquire and acquire the ciphertext, and can repeat the acquisition again after seeing the result.

×：None of the above

It is rare for the answer to be “none of the above” when the choice is “most of the above.

〇：OCSP is a protocol developed specifically to check CRLs during the certificate validation process.

A Certificate Authority (CA) is responsible for creating certificates, maintaining and distributing them, and revoking them when necessary. Revocation is handled by the CA and the revoked certificate information is stored in a Certificate Revocation List (CRL). This is a list of all revoked certificates. This list is maintained and updated periodically. A certificate is revoked if the key owner’s private key has been compromised, if the CA has been compromised, or if the certificate is incorrect. If a certificate is revoked for any reason, the CRL is a mechanism for others to inform you of this information. The Online Certificate Status Protocol (OCSP) uses this CRL; when using CRLs, the user’s browser must examine the CRL value to the client to see if the accreditation has been revoked or the CA is constantly checking to make sure they have an updated CRL. If OCSP is implemented, it will do this automatically in the background. It performs real-time verification of the certificate and reports back to the user whether the certificate is valid, invalid, or unknown.

×：CRL was developed as a more efficient approach to OCSP.

CRLs are often incorrect because they are a cumbersome approach; OCSP is used to deal with this tediousness; OCSP does this work in the background when using CRLs; OCSP checks the CRL to see if the certificate has been revoked by Checks.

×：OCSP is a protocol for submitting revoked certificates to CRLs.

OCSP is incorrect because it does not submit revoked certificates to the CRL; the CA is responsible for certificate creation, distribution, and maintenance.

×：CRL provides real-time validation of certificates and reports to OCSP.

Incorrect because CRL does not provide real-time validation of certificates to OCSP.

The Kerckhoffs’s principle is the idea that cryptography should be secure even if everything but the private key is known. When encrypting data, one decides on a private key and how to encrypt it using that private key. Kerckhoffs says that even if it is known how it is encrypted, it should not be deciphered as long as the secret key is not discovered. Encryption has been with the history of human warfare. The main purpose is to communicate a strategy to one’s allies without being discovered by the enemy. In battle, its designs and encryption devices may be stolen by spies. Therefore, the encryption must be such that it cannot be solved without the key, no matter how much is known about how it works.

〇：Keys are generated from a master key.

To generate a composite key, a master key is created and a symmetric key (subkey) is generated. The key derivation function generates the encryption key from the secret value. The secret value can be a master key, passphrase, or password. The key derivation function (KDF) generates a key for symmetric key ciphers from a given password.

×：Session keys are generated from each other.

Session keys are generated from each other, not from the master key, which is incorrect.

×：Asymmetric ciphers are used to encrypt symmetric keys.

It is incorrect because key encryption is not even related to the key derivation function (KDF).

×：The master key is generated from the session key.

Reverse, incorrect. Session keys are generally generated from master keys.

〇：A virtual firewall in bridge mode allows the firewall to monitor individual traffic links, while a firewall integrated into the hypervisor can monitor all activity taking place within the host system.

Virtual firewalls can be bridge-mode products that monitor individual communication links between virtual machines. They can also be integrated within a hypervisor in a virtual environment. The hypervisor is the software component that manages the virtual machines and monitors the execution of guest system software. When a firewall is embedded within the hypervisor, it can monitor all activities that occur within the host system.

×：A virtual firewall in bridge mode allows the firewall to monitor individual network links, while a firewall integrated into the hypervisor can monitor all activities taking place within the guest system.

A virtual firewall in bridge mode is incorrect because the firewall can monitor individual traffic links between hosts and not network links. Hypervisor integration allows the firewall to monitor all activities taking place within the guest system rather than the host system.

×：A virtual firewall in bridge mode allows the firewall to monitor individual traffic links, while a firewall integrated into the hypervisor can monitor all activities taking place within the guest system.

A virtual firewall in bridge mode is wrong because the firewall can monitor individual traffic links, and the hypervisor integration allows the firewall to monitor all activity taking place within the host system, but not the guest system. The hypervisor is the software component that manages the virtual machines and monitors the execution of the guest system software. A firewall, when embedded within the hypervisor, can monitor all activities taking place within the system.

×：A virtual firewall in bridge mode allows the firewall to monitor individual guest systems, while a firewall integrated into the hypervisor can monitor all activities taking place within the network system.

A virtual firewall in bridge mode allows the firewall to monitor individual traffic between guest systems, and a hypervisor integrated allows the firewall to monitor all activity taking place within the host system, not the network system, so Wrong.

〇：TOGAF

The Open Group Architecture Framework (TOGAF) is a vendor-independent platform for the development and implementation of enterprise architecture. It focuses on the effective management of enterprise data using metamodels and service-oriented architectures (SOA). Proficient implementations of TOGAF aim to reduce fragmentation caused by inconsistencies between traditional IT systems and actual business processes. It also coordinates new changes and functionality so that new changes can be easily integrated into the enterprise platform.

×：Department of Defense Architecture Framework (DoDAF)

In accordance with the guidelines for the organization of the enterprise architecture of the U.S. Department of Defense systems, this is incorrect. It is also suitable for large, complex integrated systems in the military, civilian, and public sectors.

×：Capability Maturity Model Integration (CMMI) during software development.

It is inappropriate because it is a framework for the purpose of designing and further improving software. CMMI provides a standard for software development processes that can measure the maturity of the development process.

×：ISO/IEC 42010

Incorrect because it consists of recommended practices to simplify the design and conception of software-intensive system architectures. This standard provides a kind of language (terminology) to describe the different components of software architecture and how to integrate it into the development life cycle.

〇：Statistically predictable

The two main types of symmetric algorithms are block ciphers and stream ciphers. Block ciphers perform a mathematical function on a block of bits at a time. Stream ciphers do not divide the message into blocks. Instead, a stream cipher treats the message as a stream of bits and performs the mathematical function on each bit individually. If it were statistically predictable, it would not be a practical encryption technique in the first place.

×：Statistically Fair Keystreams

Statistically fair keystreams are an element of good stream ciphers. Therefore, it is incorrect. Another way to say a statistically unbiased keystream is that it is a highly random keystream that is difficult to predict.

×：The repetitive pattern of bit strings treated in a keystream is long.

Another way to say the randomness of a keystream is that it is highly random, with long repetitions = rarely repeated = highly random.

×：The keystream is irrelevant to the key.

A keystream that is not related to a key is an element of a good stream cipher. Therefore, it is incorrect. This is important because the key provides the randomness of the encryption process.

〇：All failed access attempts should be logged and reviewed.

The physical access control system may use software and auditing capabilities to generate an audit trail or access log associated with access attempts. The date and time of the entry point when access was attempted, the user ID used when access was attempted, and any failed access attempts, among others, should be recorded.

×：Failed access attempts are recorded and only security personnel are entitled to review them.

Unless someone actually reviews them, the access logs are as useless as the audit logs generated by the computer. Security guards should review these logs, but security professionals and facility managers should review these logs on a regular basis. The administrator must know the existence and location of entry points into the facility.

×：Only successful access attempts should be logged and reviewed.

Wrong, as unsuccessful access attempts should be logged and reviewed. Audit should be able to alert you to suspicious activity even though you are denying an entity access to a network, computer, or location.

×：Failed access attempts outside of business hours should be logged and reviewed.

Incorrect, as all unauthorized access attempts should be logged and reviewed regardless. Unauthorized access can occur at any time.