Ace Your CISSP ISC 2 Credentials Exam

According to the CISSP Official (ISC)2 Practice Tests, the property that is prioritized by a Mandatory Access Control (MAC) model for implementation is confidentiality. Confidentiality is the property that ensures that the data or information is only accessible or disclosed to the authorized parties, and is protected from unauthorized or unintended access or disclosure. A MAC model is a type of access control model that grants or denies access to an object based on the security labels of the subject and the object, and the security policy enforced by the system. A security label is a tag or a marker that indicates the classification, sensitivity, or clearance of the subject or the object, such as top secret, secret, or confidential. A security policy is a set of rules or criteria that defines how the access decisions are made based on the security labels, such as the Bell-LaPadula model or the Biba model. A MAC model prioritizes confidentiality, as it ensures that the data or information is only accessible or disclosed to the subjects that have the appropriate security labels and clearance, and that the data or information is not leaked or compromised by the subjects that have lower security labels or clearance. Integrity is not the property that is prioritized by a MAC model for implementation, although it may be a property that is supported or enhanced by a MAC model. Integrity is the property that ensures that the data or information is accurate, complete, and consistent, and is protected from unauthorized or unintended modification or corruption. A MAC model may support or enhance integrity, as it ensures that the data or information is only modified or corrupted by the subjects that have the appropriate security labels and clearance, and that the data or information is not altered or damaged by the subjects that have lower security labels or clearance. However, a MAC model does not prioritize integrity, as it does not prevent or detect the modification or corruption of the data or information by the subjects that have the same or higher security labels or clearance, or by the external factors or events, such as errors, failures, or accidents. Availability is not the property that is prioritized by a MAC model for implementation, although it may be a property that is supported or enhanced by a MAC model. Availability is the property that ensures that the data or information is accessible and usable by the authorized parties, and is protected from unauthorized or unintended denial or disruption of access or use. A MAC model may support or enhance availability, as it ensures that the data or information is accessible and usable by the subjects that have the appropriate security labels and clearance, and that the data or information is not denied or disrupted by the subjects that have lower security labels or clearance. However, a MAC model does not prioritize availability, as it does not prevent or detect the denial or disruption of access or use of the data or information by the subjects that have the same or higher security labels or clearance, or by the external factors or events, such as attacks, failures, or disasters. Accessibility is not the property that is prioritized by a MAC model for implementation, as it is not a security property, but a usability property. Accessibility is the property that ensures that the data or information is accessible and usable by the users with different abilities, needs, or preferences, such as the users with disabilities, impairments, or limitations. Accessibility is not a security property, as it does not protect the data or information from unauthorized or unintended access, disclosure, modification, corruption, denial, or disruption. Accessibility is a usability property, as it enhances the user experience and satisfaction of the data or information. 

Baseline configuration information is the set of data that describes the state of a computer system at a specific point in time. It is used to monitor and control changes to the system, as well as to assess its compliance with security standards and policies. Baseline configuration information must include the operating system and version, patch level, applications running, and versions, because these are the essential components that define the functionality and security of the system. These components can also affect the compatibility and interoperability of the system with other systems and networks. Therefore, it is important to maintain accurate and up-to-date records of these components for each computer system123. References:

• Create configuration baselines - Configuration Manager, Section: Configuration baselines
• About Configuration Baselines - Configuration Manager, Section: Configuration Baseline Rules
• About Configuration Baselines and Items - Configuration Manager, Section: Configuration Baselines

According to the CISSP All-in-One Exam Guide2, when designing a vulnerability test, mapping tools are likely to give the best indication of what components currently operate on the network. Mapping tools are software applications that scan and discover the network topology, devices, services, and protocols. They can provide a graphical representation of the network structure and components, as well as detailed information about each node and connection. Mapping tools can help identify potential vulnerabilities and weaknesses in the network configuration and architecture, as well as the exposure and attack surface of the network. Topology diagrams are not likely to give the best indication of what components currently operate on the network, as they may be outdated, inaccurate, or incomplete. Topology diagrams are static and abstract representations of the network layout and design, but they may not reflect the actual and dynamic state of the network. Asset register is not likely to give the best indication of what components currently operate on the network, as it may be outdated, inaccurate, or incomplete. Asset register is a document that lists and categorizes the assets owned by an organization, such as hardware, software, data, and personnel. However, it may not capture the current status, configuration, and interconnection of the assets, as well as the changes and updates that occur over time. Ping testing is not likely to give the best indication of what components currently operate on the network, as it is a simple and limited technique that only checks the availability and response time of a host. Ping testing is a network utility that sends an echo request packet to a target host and waits for an echo reply packet. It can measure the connectivity and latency of the host, but it cannot provide detailed information about the host’s characteristics, services, and vulnerabilities. References: 2

The most efficient way to secure a production program and its data is to harden the application and encrypt the data. Hardening the application means applying the security best practices and standards to the development, testing, deployment, and maintenance of the application, such as input validation, output encoding, error handling, logging, patching, and configuration. Encrypting the data means applying the cryptographic techniques and algorithms to the data at rest and in transit, such as symmetric encryption, asymmetric encryption, hashing, and digital signatures. These two measures can provide a comprehensive and effective protection for the application and its data against various threats and attacks.

• A. Disable default accounts and implement access control lists (ACL) is not the most efficient way to secure a production program and its data, because it only addresses one aspect of security, which is access control. Disabling default accounts and implementing ACLs can prevent unauthorized or inappropriate access to the application and its data, but it does not protect the application and its data from other vulnerabilities or risks, such as injection, cross-site scripting, denial-of-service, or data leakage.
• C. Disable unused services and implement tunneling is not the most efficient way to secure a production program and its data, because it only addresses one aspect of security, which is network security. Disabling unused services and implementing tunneling can reduce the attack surface and enhance the confidentiality and integrity of the data in transit, but it does not protect the application and its data from other vulnerabilities or risks, such as logic flaws, broken authentication, insecure storage, or data tampering.
• D. Harden the servers and backup the data is not the most efficient way to secure a production program and its data, because it only addresses one aspect of security, which is system security. Hardening the servers and backing up the data can improve the performance and availability of the application and its data, but it does not protect the application and its data from other vulnerabilities or risks, such as code injection, session hijacking, privilege escalation, or data disclosure.

References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 8, page 481; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 8, page 437