Page 1548 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
12. C. Mandatory Access Control (MAC) models rely on the use of labels for subjects and objects. Discretionary Access Control (DAC) models allow an owner of an object to control access to the object. Nondiscretionary access controls have centralized management, such as a rule-based access control model deployed on a firewall. Role Based Access Control (RBAC) models define a subject's access based on job-related roles.
13. D. The Mandatory Access Control (MAC) model is prohibitive, and it uses an implicit-deny philosophy (not an explicit-deny philosophy). It is not permissive, and it uses labels rather than rules.
14. D. A compliance-based access control model is not a valid type of access control model. The other answers list valid access control models.
15. C. A vulnerability analysis identifies weaknesses and can include periodic vulnerability scans and penetration tests. Asset valuation determines the value of assets, not weaknesses. Threat modeling attempts to identify threats, but threat modeling doesn't identify weaknesses. An access review audits account management and object access practices.
16. B. An account lockout policy will lock an account after a user has entered an incorrect password too many times, and this blocks an online brute-force attack. Attackers use rainbow tables in offline password attacks. Password salts reduce the effectiveness of rainbow tables. Encrypting the password protects the stored password but isn't effective against a brute-force attack without an account lockout.
17. B. Using both a salt and pepper when hashing passwords provides strong protection against rainbow table attacks. MD5 is no longer considered secure, so it isn't a good choice for hashing passwords. Account lockout helps thwart online password brute-force attacks, but a rainbow table attack is an offline attack. Role Based Access Control (RBAC) is an access control model and unrelated to password attacks.