SSCP (questions with 100% correct answers rated A+)

Exam (elaborations), 36 pages, September 21, 2024
Course: SSCP - Systems Security Certified Practitioner
Seller: Sakayobako30

SSCP

CIANA Security Paradigm - correct answer ✔✔1. Confidentiality

2. Integrity

3. Authorization

4. Nonrepudiation

5. Authentication



Confidentiality - correct answer ✔✔violated if any process or person can read, copy, redistribute, or
make use of data we deem private or of competitive advantage worthy of protection as trade secrets,
proprietary, or restricted information ; the first of the CIANA security paradigm ; sharing secrets ; legal
and ethical concept about privileged communications or privileged information ; how much we can trust
that the information we're about to use to make a decision has not been seen by unauthorized people



Integrity - correct answer ✔✔lost if any person or process can modify data or metadata, or execute
processes out of sequence or with bad input data ; the second of the CIANA security paradigm ;
something is whole and complete and its parts are smoothly joined together



Authorization - correct answer ✔✔Granting of permission to use data - cannot make sense if there's no
way to validate to whom or what we are granting that permission ; the third of the CIANA security
paradigm ; requires a two-step process and is the 2nd step of the triple A of identity management and
access control

1. Assigning privileges during provisioning (which permissions or privileges to grant to an identity and
whether additional constraints or conditions apply to those permissions)

2. Authorizing a specific access request - determine whether the specifics of the access request are allowed
by the permissions set in the access control tables



Nonrepudiation - correct answer ✔✔Can't exist if we can't validate or prove that the person or process
in question is in fact who they claim to be and that their identity hasn't been spoofed by a man-in-the-
middle kind of attacker ; the fourth of the CIANA security paradigm ; use of public key infrastructure and
its use of asymmetric encryption

Availability - correct answer ✔✔Rapidly dwindles to zero if nothing stops data or metadata from
unauthorized modification or deletion ; the fifth of the CIANA security paradigm



Process of Identifying a Subject - correct answer ✔✔1. Ask (or device offers) a claim as to who or what it
is

2. Claimant offers further supporting information that attests to the truth of that claim

3. Verify the believability (credibility or trustworthiness) of that supporting information

4. Ask for additional supporting information or ask a trusted 3rd party to AUTHENTICATE that
information

5. Conclude subject is whom or what it claims to be



Identity Management Lifecycle - correct answer ✔✔Describes the series of steps in which a subject's identity
is initially created, initialized for use, modified as needs and circumstances change, and finally retired
from authorized use in a particular information system ; provisioning -> review -> revocation



Provisioning - correct answer ✔✔Starts with initial claim of identity and a request to create a set of
credentials for that identity and distributes it throughout the organization's identity and access control
systems and data structures, starting with management's review and approval of the access request,
identifying information to be used, and privileges requested ; key to this step is IDENTITY PROOFING ;
push of this can take minutes, hours, or even a day or more; an urgent push can force a near-real-time
update if management deems necessary ; 1st step of identity management lifecycle



Review - correct answer ✔✔Ongoing process that checks whether the set of access privileges granted to
a subject is still required or whether any should be modified or removed ; be careful of PRIVILEGE CREEP
during this ; 2nd step of identity management lifecycle



Revocation - correct answer ✔✔Formal process of terminating access privileges for a specific identity in
a system ; 3rd and final step of identity management lifecycle



Identity Proofing - correct answer ✔✔Separately validates that the evidence of identity as submitted by
the applicant is truthful, authoritative, and current ; a key step of provisioning in the Identity
Management Lifecycle

Privilege Creep - correct answer ✔✔Duties have changed and yet privileges that are no longer actually
needed remain in effect for a given user ; be careful of this during the REVIEW step in the Identity
Management Lifecycle ; the only weakness of role-based access control



Revoking - correct answer ✔✔Blocks identity from further access but changes no other data pertaining
to that identity, no matter where it might be stored in your systems



Deleting - correct answer ✔✔Catastrophic loss of information



Triple A of Identity Management And Access Control - correct answer ✔✔Authenticate, Authorize, and
Accounting



Authentication - correct answer ✔✔Where everything must start ; act of examining or testing the
identity credentials provided by a subject that is requesting access, and based on information in the
access control list, either GRANTING (accepts) access, DENYING it, or REQUESTING ADDITIONAL
credential information before making an access determination ; 1st step of triple A of identity
management and access control ; provided by identity management and access control



Accounting - correct answer ✔✔Trust but verify ; gathers data from within the access control process to
monitor the lifecycle of an access, from its initial request and permissions being granted through the
interactions by the subject with the object, to capturing the manner in which the access is terminated ;
3rd step of triple A of identity management and access control



Subject - correct answer ✔✔Tries to perform an action upon an object (i.e. reading, changing, executing,
or doing anything) ; can be anything requesting access to or attempting to access anything in our system,
whether data or metadata, people, devices or another process ; can be people, software processes,
devices, or services being provided by other web-based systems ; an access control concept



Object - correct answer ✔✔Gatekeeper of information ; thing that has access ; an access control concept



Example of Subject - correct answer ✔✔Example: as a user of your company's systems you have in your
possession knowledge of your user ID, password, and the proper ways to log on and access certain
information or assets. You log on as what when you access that information?

Example of Object (attacker) and Subject (user) - correct answer ✔✔Example: as a user of your company's
systems, an attacker tries to get you to disclose your user ID and password. In this example the attacker
is the _____ while you are the _____



TLP: RED - correct answer ✔✔US-Cert Traffic Light Protocol - when information cannot be effectively
acted upon by additional parties and could lead to impact on a party's privacy, reputation, or operations ;
may not be shared with any parties outside the specific exchange, and information is limited to those
present in the meeting ; should be exchanged verbally or in person



How TLP:RED May Be Shared - correct answer ✔✔US-Cert Traffic Light Protocol that should be
exchanged verbally or in person ; not for disclosure and restricted to participants only



TLP: Amber - correct answer ✔✔US-Cert Traffic Light Protocol - when information requires support to be
effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the
organizations involved ; recipients may only share information with members of their OWN ORG or with
CLIENTS OR CUSTOMERS WHO NEED TO KNOW ; sources are at liberty to specify additional intended
limits of the sharing



How TLP:Amber May be Shared - correct answer ✔✔US-Cert Traffic Light Protocol - Limited disclosure,
restricted to participants' organization - sources are at liberty to specify additional intended limits of the
sharing: these must be adhered to



TLP: Green - correct answer ✔✔US-Cert Traffic Light Protocol - useful for awareness of all participating
organizations as well as with peers within broader community or sector ; may share within sector or
community but NOT via publicly accessible channels ; information can be circulated widely within a
particular community and may NOT be released outside of the community



How TLP:Green May Be Shared - correct answer ✔✔US-Cert Traffic Light Protocol in which sharing
includes within sector or community but NOT via publicly accessible channels ; limited disclosure and
restricted to the community ; may not be released outside of the community



TLP:White - correct answer ✔✔US-Cert Traffic Light Protocol - information carries minimal or no
foreseeable risk of misuse, in accordance with applicable rules and procedures for public release ; may
be distributed without restriction
