Episodes

  • Description: Shon Gerber from CISSPCyberTraining.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career. Shon utilizes his expansive knowledge in cybersecurity from being a Red Team Squadron Commander; Chief Information Security Officer (CISO); and Adjunct Professor providing superior training from his years of experience in educating people in cybersecurity.

    In this episode, Shon will talk about the following items that are included within Domain 3 (Security Architecture and Engineering) of the CISSP Exam:

    · CISSP / Cybersecurity Integration – Trusted Computing Base (TCB)
    · CISSP Training – Manage Engineering Processes Using Secure Design
    · CISSP Exam Question – CIA / TPM

    BTW - Get access to all my Training Courses here at: https://www.cisspcybertraining.com

    Want to find Shon Gerber / CISSP Cyber Training elsewhere on the internet?

    LinkedIn – www.linkedin.com/in/shongerber

    CISSPCyberTraining.com - https://www.cisspcybertraining.com/

    Facebook - https://www.facebook.com/CyberRiskReduced/

  • Description: Shon Gerber from CISSPCyberTraining.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career. Shon utilizes his expansive knowledge in cybersecurity from being a Red Team Squadron Commander; Chief Information Security Officer (CISO); and Adjunct Professor providing superior training from his years of experience in educating people in cybersecurity.

    In this episode, Shon will talk about the following items that are included within Domain 4 (Communication and Network Security) of the CISSP Exam:

    · CISSP / Cybersecurity Integration – Data Communications
    · CISSP Training – Implement Secure Communication Channels
    · CISSP Exam Question – Point to Point / OSI Layers

    BTW - Get access to all my Training Courses here at: https://www.cisspcybertraining.com

    Want to find Shon Gerber / CISSP Cyber Training elsewhere on the internet?

    LinkedIn – www.linkedin.com/in/shongerber

    CISSPCyberTraining.com - https://www.cisspcybertraining.com/

    Facebook - https://www.facebook.com/CyberRiskReduced/

    LINKS:

    • ISC2 Training Study Guide
      ○ https://www.isc2.org/Training/Self-Study-Resources
    • Quizlet
      ○ https://quizlet.com/87472460/official-isc-cissp-domain-1-security-and-risk-management-flash-cards/
    • Infosec Institute
      ○ https://resources.infosecinstitute.com/category/certifications-training/cissp/domains/communications-and-network-security/secure-communications-channels/#gref
    • Wikipedia
      ○ https://en.wikipedia.org/wiki/Trusted_computing_base
      ○ https://en.wikipedia.org/wiki/SwIPe_(protocol)
      ○ https://en.wikipedia.org/wiki/Transport_Layer_Security
      ○ https://en.wikipedia.org/wiki/Secure_Electronic_Transaction


  • Description: Shon Gerber from CISSPCyberTraining.com provides you with the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career. Shon utilizes his expansive knowledge in cybersecurity from being a Red Team Squadron Commander; Chief Information Security Officer (CISO); and Adjunct Professor providing superior training from his years of experience in educating people in cybersecurity.

    In this episode, Shon will talk about the following items that are included within Domain 5 (Identity and Access Management) of the CISSP Exam:

    · CISSP / Cybersecurity Integration – Identity Governance
    · CISSP Training – Manage the identity and access provisioning lifecycle (Domain 5)
    · CISSP Exam Question – Username-Password / Preventative Controls

    BTW - Get access to all my Training Courses here at: https://www.cisspcybertraining.com

    Want to find Shon Gerber / CISSP Cyber Training elsewhere on the internet?

    LinkedIn – www.linkedin.com/in/shongerber

    CISSPCyberTraining.com - https://www.cisspcybertraining.com/

    Facebook - https://www.facebook.com/CyberRiskReduced/

    LINKS:

    • ISC2 Training Study Guide
      ○ https://www.isc2.org/Training/Self-Study-Resources
    • Quizlet
      ○ https://quizlet.com/87472460/official-isc-cissp-domain-1-security-and-risk-management-flash-cards/
    • Infosec Institute
      ○ https://resources.infosecinstitute.com/category/certifications-training/cissp/domains/identity-and-access-management/#gref
    • Wikipedia
      ○ https://en.wikipedia.org/wiki/Identity_Governance_Framework

  • Description: Shon Gerber from CISSPCyberTraining.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career. Shon utilizes his expansive knowledge in cybersecurity from being a Red Team Squadron Commander; Chief Information Security Officer (CISO); and Adjunct Professor providing superior training from his years of experience in educating people in cybersecurity.

    This is the first episode of CISSP Cyber Training.com. In this episode, Shon will talk about his background and how he has been successful in cybersecurity.

    BTW - Get access to all my Training Courses here at: https://www.cisspcybertraining.com

    Want to find Shon Gerber / CISSP Cyber Training elsewhere on the internet?

    LinkedIn – www.linkedin.com/in/shongerber

    CISSPCyberTraining.com - https://www.cisspcybertraining.com/

    Facebook - https://www.facebook.com/CyberRiskReduced/


  • Description: Shon Gerber from CISSPCyberTraining.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career. Shon utilizes his expansive knowledge in cybersecurity from being a Red Team Squadron Commander; Chief Information Security Officer (CISO); and Adjunct Professor providing superior training from his years of experience in educating people in cybersecurity.

    In this episode, Shon will talk about the following items that are included within Domain 1 (Security and Risk Management) of the CISSP Exam:

    · CISSP / Cybersecurity Integration – HITECH
    · CISSP Training – Compliance Requirements
    · CISSP Exam Question – Preventive Controls / CIA Triangle

    BTW - Get access to all my Training Courses here at: https://www.cisspcybertraining.com

    Want to find Shon Gerber / CISSP Cyber Training elsewhere on the internet?

    LinkedIn – www.linkedin.com/in/shongerber

    CISSPCyberTraining.com - https://www.cisspcybertraining.com/

    Facebook - https://www.facebook.com/CyberRiskReduced/


  • Description: Shon Gerber from CISSPCyberTraining.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career. Shon utilizes his expansive knowledge in cybersecurity from being a Red Team Squadron Commander; Chief Information Security Officer (CISO); and Adjunct Professor providing superior training from his years of experience in educating people in cybersecurity.

    In this episode, Shon will talk about the following items that are included within Domain 2 (Asset Security) of the CISSP Exam:

    · CISSP / Cybersecurity Integration – Data Remanence - Rainbow Series
    · CISSP Training – Protecting Privacy
    · CISSP Exam Question – Sensitive Data / Destroying Hard Drive

    BTW - Get access to all my Training Courses here at: https://www.cisspcybertraining.com

    Want to find Shon Gerber / CISSP Cyber Training elsewhere on the internet?

    LinkedIn – www.linkedin.com/in/shongerber

    CISSPCyberTraining.com - https://www.cisspcybertraining.com/

    Facebook - https://www.facebook.com/CyberRiskReduced/

  • Subscribe: iTunes | Google Play | Stitcher Radio | RSS

    Description:

    Shon Gerber from ShonGerber.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career.  Shon utilizes his expansive knowledge while providing superior training from his years of training people in cybersecurity. 

    Shon will provide CISSP training and study around the tools you need to better understand what you need to know to be better prepared for the CISSP Exam Questions.  His knowledge will provide the skills needed to pass the CISSP Exam.

    BTW - Get access to all my Free Content and CISSP Training Courses here at:  https://shongerber.com/

     

    Available Courses: 

    CISSP Training Course - https://www.shongerber.com/offers/zYsL6MCB

    CISO Training Course - https://www.shongerber.com/offers/zd2RbL6o

     

    CISSP Exam Questions

    Question:  165

    Steve has found out that the software product that his team submitted for evaluation did not achieve the actual rating they were hoping for. He was confused about this issue since the software passed the necessary certification and accreditation processes before being deployed. Steve was told that the system allows for unauthorized device drivers to be loaded and that there was a key sequence that could be used to bypass the software access control protection mechanisms. Some feedback Steve received from the product testers is that it should implement address space layout randomization and data execution protection.

    Which of the following best describes an item the software development team needs to address to ensure that drivers cannot be loaded in an unauthorized manner?
    A. Improved security kernel processes
    B. Improved security perimeter processes
    C. Improved application programming interface processes
    D. Improved garbage collection processes

    If device drivers can be loaded improperly, then either the access control rules outlined within the reference monitor need to be improved upon or the current rules need to be better enforced through the security kernel processes. Only authorized subjects should be able to install sensitive software components that run within ring 0 of a system.

    https://www.brainscape.com/subjects/cissp-domains

    ------------------------------------

    Question:  166

    Steve has found out that the software product that his team submitted for evaluation did not achieve the actual rating they were hoping for. He was confused about this issue since the software passed the necessary certification and accreditation processes before being deployed. Steve was told that the system allows for unauthorized device drivers to be loaded and that there was a key sequence that could be used to bypass the software access control protection mechanisms. Some feedback Steve received from the product testers is that it should implement address space layout randomization and data execution protection.

    Which of the following best describes Steve’s confusion?
    A. Certification must happen first before the evaluation process can begin.
    B. Accreditation is the acceptance from management, which must take place before the evaluation process.
    C. Evaluation, certification, and accreditation are carried out by different groups with different purposes.
    D. Evaluation requirements include certification and accreditation components.

    Evaluation, certification, and accreditation are carried out by different groups with different purposes. Evaluations are carried out by qualified third parties who use specific evaluation criteria (Orange Book, ITSEC, Common Criteria) to assign an assurance rating to a tested product. A certification process is a technical review commonly carried out internally to an organization, and accreditation is management’s formal acceptance that is carried out after the certification process. A system can be certified internally by a company and not pass an evaluation testing process because they are completely different things.

    https://www.brainscape.com/subjects/cissp-domains

    ------------------------------------

    Question:  167

    Sarah’s team must build a new operating system for her company’s internal functionality requirements. The system must be able to process data at different classification levels and allow users of different clearances to be able to interact with only the data that maps to their profile. She is told that the system must provide data hiding, and her boss suggests that her team implement a hybrid microkernel design. Sarah knows that the resulting system must be able to achieve a rating of EAL 6 once it goes through the Common Criteria evaluation process.

    Which of the following best describes one of the system requirements outlined in this scenario and how it should be implemented?
    A. Data hiding should be implemented through memory deallocation.
    B. Data hiding should be implemented through properly developed interfaces.
    C. Data hiding should be implemented through a monolithic architecture.
    D. Data hiding should be implemented through multiprogramming.

    Data hiding means that certain functionality and/or data is “hidden,” or not available to specific processes. For processes to be able to interact with other processes and system services, they need to be developed with the necessary interfaces that restrict communication flows between processes. Data hiding is a protection mechanism that segregates trusted and untrusted processes from each other through the use of strict software interface design.

    https://www.brainscape.com/subjects/cissp-domains

    Want to find Shon elsewhere on the internet?

    LinkedIn – www.linkedin.com/in/shongerber

    Facebook - https://www.facebook.com/CyberRiskReduced/

    LINKS:

    ISC2 Training Study Guide https://www.isc2.org/Training/Self-Study-Resources
  • Subscribe: iTunes | Google Play | Stitcher Radio | RSS

    Description:

    Shon Gerber from ShonGerber.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career.  Shon utilizes his expansive knowledge while providing superior training from his years of training people in cybersecurity. 

    Shon will provide CISSP training and study around the tools you need to better understand what you need to know to be better prepared for the CISSP Exam Questions.  His knowledge will provide the skills needed to pass the CISSP Exam.

    BTW - Get access to all my Free Content and CISSP Training Courses here at:  https://shongerber.com/

     

    Available Courses: 

    CISSP Training Course - https://www.shongerber.com/offers/zYsL6MCB

    CISO Training Course - https://www.shongerber.com/offers/zd2RbL6o

     

  • Subscribe: iTunes | Google Play | Stitcher Radio | RSS

    Description:

    Shon Gerber from ShonGerber.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career.  Shon utilizes his expansive knowledge while providing superior training from his years of training people in cybersecurity. 

    Shon will provide CISSP study and training for passing the CISSP Exam the first time.

    BTW - Get access to all my Free Content and CISSP Training Courses here at:  https://shongerber.com/

    Available Courses: 

    CISSP Training Course - https://www.shongerber.com/offers/zYsL6MCB

    CISO Training Course - https://www.shongerber.com/offers/zd2RbL6o

     

    CISSP Exam Questions

    Question:  168

    Sarah’s team must build a new operating system for her company’s internal functionality requirements. The system must be able to process data at different classification levels and allow users of different clearances to be able to interact with only the data that maps to their profile. She is told that the system must provide data hiding, and her boss suggests that her team implement a hybrid microkernel design. Sarah knows that the resulting system must be able to achieve a rating of EAL 6 once it goes through the Common Criteria evaluation process.

    Which of the following is a characteristic that this new system will need to implement?
    A. Multiprogramming
    B. Simple integrity axiom
    C. Mandatory access control
    D. Formal verification

     

    Since the new system must achieve a rating of EAL 6, it must implement mandatory access control capabilities. This is an access control model that allows users with different clearances to be able to interact with a system that processes data of different classification levels in a secure manner. The rating of EAL 6 requires semiformally verified design and testing, whereas EAL 7 requires verified design and testing.

    https://www.brainscape.com/subjects/cissp-domains

    ------------------------------------

    Question:  169

    Sarah’s team must build a new operating system for her company’s internal functionality requirements. The system must be able to process data at different classification levels and allow users of different clearances to be able to interact with only the data that maps to their profile. She is told that the system must provide data hiding, and her boss suggests that her team implement a hybrid microkernel design. Sarah knows that the resulting system must be able to achieve a rating of EAL 6 once it goes through the Common Criteria evaluation process.

    Which of the following reasons best describes her boss’s suggestion on the kernel design of the new system?
    A. Hardware layer abstraction for portability capability
    B. Layered functionality structure
    C. Reduced mode transition requirements
    D. Central location of all critical operating system processes

    A hybrid microkernel architecture means that all kernel processes work within kernel mode, which reduces the amount of mode transitions. The reduction of mode transitions reduces performance issues because the CPU does not have to change from user mode to kernel mode as many times during its operation.

    https://www.brainscape.com/subjects/cissp-domains

    ------------------------------------

    Question:  170

    Sarah’s team must build a new operating system for her company’s internal functionality requirements. The system must be able to process data at different classification levels and allow users of different clearances to be able to interact with only the data that maps to their profile. She is told that the system must provide data hiding, and her boss suggests that her team implement a hybrid microkernel design. Sarah knows that the resulting system must be able to achieve a rating of EAL 6 once it goes through the Common Criteria evaluation process.

    Which of the following is a required characteristic of the system Sarah’s team must build?
    A. Multilevel security
    B. Dedicated mode capability
    C. Simple security rule
    D. Clark-Wilson constructs

    A multilevel security system allows for data at different classification levels to be processed and allows users with different clearance levels to interact with the system securely.

    https://www.brainscape.com/subjects/cissp-domains

    Want to find Shon elsewhere on the internet?

    LinkedIn – www.linkedin.com/in/shongerber

    Facebook - https://www.facebook.com/CyberRiskReduced/

    LINKS:

    ISC2 Training Study Guide https://www.isc2.org/Training/Self-Study-Resources

    Online Article https://www.cio.com/article/2381021/best-practices-how-to-create-an-effective-business-continuity-plan.html
  • Subscribe: iTunes | Goggle Play | Stitcher Radio | RSS

    Description:

    Shon Gerber from ShonGerber.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career. Shon utilizes his expansive knowledge while providing superior training from his years of training people in cybersecurity.

    Shon will provide CISSP study and training for passing the CISSP Exam the first time

    BTW - Get access to all my Free Content and CISSP Training Courses here at: https://shongerber.com/

    Available Courses:

    CISSP Training Course - https://www.shongerber.com/offers/zYsL6MCB CISO Training Course - https://www.shongerber.com/offers/zd2RbL6o

    CISSP Exam Questions

    Question: 168

    Sarah’s team must build a new operating system for her company’s internal functionality requirements. The system must be able to process data at different classifications levels and allow users of different clearances to be able to interact with only the data that maps to their profile. She is told that the system must provide data hiding, and her boss suggests that her team implement a hybrid microkernel design. Sarah knows that the resulting system must be able to achieve a rating of EAL 6 once it goes through the Common Criteria evaluation process.

    Which of the following is a characteristic that this new system will need to implement?
    A. Multiprogramming
    B. Simple integrity axiom
    C. Mandatory access control
    D. Formal verification

    Since the new system must achieve a rating of EAL 6, it must implement mandatory access control capabilities. This is an access control model that allows users with different clearances to be able to interact with a system that processes data of different classification levels in a secure manner. The rating of EAL 6 requires semiformally verified design and testing, whereas EAL 7 requires verified design and testing.

    https://www.brainscape.com/subjects/cissp-domains

    ------------------------------------

    Question: 169

    Sarah’s team must build a new operating system for her company’s internal functionality requirements. The system must be able to process data at different classification levels and allow users of different clearances to be able to interact with only the data that maps to their profile. She is told that the system must provide data hiding, and her boss suggests that her team implement a hybrid microkernel design. Sarah knows that the resulting system must be able to achieve a rating of EAL 6 once it goes through the Common Criteria evaluation process.

    Which of the following reasons best describes her boss’s suggestion on the kernel design of the new system?
    A. Hardware layer abstraction for portability capability
    B. Layered functionality structure
    C. Reduced mode transition requirements
    D. Central location of all critical operating system processes

    A hybrid microkernel architecture means that all kernel processes work within kernel mode, which reduces the amount of mode transitions. The reduction of mode transitions reduces performance issues because the CPU does not have to change from user mode to kernel mode as many times during its operation.

    https://www.brainscape.com/subjects/cissp-domains

    ------------------------------------

    Question: 170

    Sarah’s team must build a new operating system for her company’s internal functionality requirements. The system must be able to process data at different classification levels and allow users of different clearances to be able to interact with only the data that maps to their profile. She is told that the system must provide data hiding, and her boss suggests that her team implement a hybrid microkernel design. Sarah knows that the resulting system must be able to achieve a rating of EAL 6 once it goes through the Common Criteria evaluation process.

    Which of the following is a required characteristic of the system Sarah’s team must build?
    A. Multilevel security
    B. Dedicated mode capability
    C. Simple security rule
    D. Clark-Wilson constructs

    A multilevel security system allows for data at different classification levels to be processed and allows users with different clearance levels to interact with the system securely.

    https://www.brainscape.com/subjects/cissp-domains

    Want to find Shon elsewhere on the internet?

    LinkedIn – www.linkedin.com/in/shongerber

    Facebook - https://www.facebook.com/CyberRiskReduced/

    LINKS:

    ISC2 Training Study Guide https://www.isc2.org/Training/Self-Study-Resources
    Online Article https://www.cio.com/article/2381021/best-practices-how-to-create-an-effective-business-continuity-plan.html
  • Subscribe: iTunes | Google Play | Stitcher Radio | RSS

    Description:

    Shon Gerber from ShonGerber.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career. Shon utilizes his expansive knowledge while providing superior training from his years of training people in cybersecurity.

    Shon will provide CISSP training and study around the tools you need to better understand what you need to know to be better prepared for the CISSP Exam Questions. His knowledge will provide the skills needed to pass the CISSP Exam.

    BTW - Get access to all my Free Content and CISSP Training Courses here at: https://shongerber.com/

    Available Courses:

    CISSP Training Course - https://www.shongerber.com/offers/zYsL6MCB
    CISO Training Course - https://www.shongerber.com/offers/zd2RbL6o

    CISSP Exam Questions

    Question: 165

    Steve has found out that the software product that his team submitted for evaluation did not achieve the actual rating they were hoping for. He was confused about this issue since the software passed the necessary certification and accreditation processes before being deployed. Steve was told that the system allows for unauthorized device drivers to be loaded and that there was a key sequence that could be used to bypass the software access control protection mechanisms. Some feedback Steve received from the product testers is that it should implement address space layout randomization and data execution protection.

    Which of the following best describes an item the software development team needs to address to ensure that drivers cannot be loaded in an unauthorized manner?
    A. Improved security kernel processes
    B. Improved security perimeter processes
    C. Improved application programming interface processes
    D. Improved garbage collection processes

    If device drivers can be loaded improperly, then either the access control rules outlined within the reference monitor need to be improved upon or the current rules need to be better enforced through the security kernel processes. Only authorized subjects should be able to install sensitive software components that run within ring 0 of a system.

    https://www.brainscape.com/subjects/cissp-domains

    ------------------------------------

    Question: 166

    Steve has found out that the software product that his team submitted for evaluation did not achieve the actual rating they were hoping for. He was confused about this issue since the software passed the necessary certification and accreditation processes before being deployed. Steve was told that the system allows for unauthorized device drivers to be loaded and that there was a key sequence that could be used to bypass the software access control protection mechanisms. Some feedback Steve received from the product testers is that it should implement address space layout randomization and data execution protection.

    Which of the following best describes Steve’s confusion?
    A. Certification must happen first before the evaluation process can begin.
    B. Accreditation is the acceptance from management, which must take place before the evaluation process.
    C. Evaluation, certification, and accreditation are carried out by different groups with different purposes.
    D. Evaluation requirements include certification and accreditation components.

    Evaluation, certification, and accreditation are carried out by different groups with different purposes. Evaluations are carried out by qualified third parties who use specific evaluation criteria (Orange Book, ITSEC, Common Criteria) to assign an assurance rating to a tested product. A certification process is a technical review commonly carried out internally to an organization, and accreditation is management’s formal acceptance that is carried out after the certification process. A system can be certified internally by a company and not pass an evaluation testing process because they are completely different things.

    https://www.brainscape.com/subjects/cissp-domains

    ------------------------------------

    Question: 167

    Sarah’s team must build a new operating system for her company’s internal functionality requirements. The system must be able to process data at different classification levels and allow users of different clearances to be able to interact with only the data that maps to their profile. She is told that the system must provide data hiding, and her boss suggests that her team implement a hybrid microkernel design. Sarah knows that the resulting system must be able to achieve a rating of EAL 6 once it goes through the Common Criteria evaluation process.

    Which of the following best describes one of the system requirements outlined in this scenario and how it should be implemented?
    A. Data hiding should be implemented through memory deallocation.
    B. Data hiding should be implemented through properly developed interfaces.
    C. Data hiding should be implemented through a monolithic architecture.
    D. Data hiding should be implemented through multiprogramming.

    Data hiding means that certain functionality and/or data is “hidden,” or not available to specific processes. For processes to be able to interact with other processes and system services, they need to be developed with the necessary interfaces that restrict communication flows between processes. Data hiding is a protection mechanism that segregates trusted and untrusted processes from each other through the use of strict software interface design.

    https://www.brainscape.com/subjects/cissp-domains

    Want to find Shon elsewhere on the internet?

    LinkedIn – www.linkedin.com/in/shongerber

    Facebook - https://www.facebook.com/CyberRiskReduced/

    LINKS:

    ISC2 Training Study Guide https://www.isc2.org/Training/Self-Study-Resources
  • Subscribe: iTunes | Google Play | Stitcher Radio | RSS

    Description:

    Shon Gerber from ShonGerber.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career. Shon utilizes his expansive knowledge while providing superior training from his years of training people in cybersecurity.

    Shon will provide CISSP training and study around the tools you need to better understand what you need to know to be better prepared for the CISSP Exam Questions. His knowledge will provide the skills needed to pass the CISSP Exam.

    BTW - Get access to all my Free Content and CISSP Training Courses here at: https://shongerber.com/

    Available Courses:

    CISSP Training Course - https://www.shongerber.com/offers/zYsL6MCB
    CISO Training Course - https://www.shongerber.com/offers/zd2RbL6o

    CISSP Exam Questions

    Question: 162

    John has been told that one of the applications installed on a web server within the DMZ accepts any length of information that a customer using a web browser inputs into the form the web server provides to collect new customer data. Which of the following describes an issue that John should be aware of pertaining to this type of issue?
    A. Application is written in the C programming language.
    B. Application is not carrying out enforcement of the trusted computing base.
    C. Application is running in ring 3 of a ring-based architecture.
    D. Application is not interacting with the memory manager properly.

    The C language is susceptible to buffer overflow attacks because it allows for direct pointer manipulations to take place. Specific commands can provide access to low-level memory addresses without carrying out bounds checking.

    https://www.brainscape.com/subjects/cissp-domains

    ------------------------------------

    Question: 163

    Steve has found out that the software product that his team submitted for evaluation did not achieve the actual rating they were hoping for. He was confused about this issue since the software passed the necessary certification and accreditation processes before being deployed. Steve was told that the system allows for unauthorized device drivers to be loaded and that there was a key sequence that could be used to bypass the software access control protection mechanisms. Some feedback Steve received from the product testers is that it should implement address space layout randomization and data execution protection.

    A. Non-protected ROM sections
    B. Vulnerabilities that allowed malicious code to execute in protected memory sections
    C. Lack of a predefined and implemented trusted computing base
    D. Lack of a predefined and implemented security kernel

    If testers suggested to the team that address space layout randomization and data execution protection should be integrated, this is most likely because the system allows for malicious code to easily execute in memory sections that would be dangerous to the system. These are both memory protection approaches.

    https://www.brainscape.com/subjects/cissp-domains

    ------------------------------------

    Question: 156

    If a security mechanism offers availability, then it offers a high level of assurance that authorized subjects can _________ the data, objects, and resources.

    A) Control
    B) Audit
    C) Access
    D) Repudiate

    Access

    Accessibility of data, objects, and resources is the goal of availability. If a security mechanism offers availability, then it is highly likely that the data, objects, and resources are accessible to authorized subjects.

    https://www.brainscape.com/subjects/cissp-domains

    ------------------------------------

    Want to find Shon elsewhere on the internet?

    LinkedIn – www.linkedin.com/in/shongerber

    Facebook - https://www.facebook.com/CyberRiskReduced/

    LINKS:

    ISC2 Training Study Guide https://www.isc2.org/Training/Self-Study-Resources