- (Topic 3)
As a result of a risk assessment, your security manager has determined that your organization needs to implement an intrusion detection system that can detect unknown attacks and can watch for unusual traffic behavior, such as a new service appearing on the network. What type of intrusion detection system would you select?

1. A. Protocol anomaly based
2. B. Pattern matching
3. C. Stateful matching
4. D. Traffic anomaly-based

Correct Answer: D
Traffic anomaly-based is the correct choice. An anomaly based IDS can detect unknown attacks. A traffic anomaly based IDS identifies any unacceptable deviation from expected behavior based on network traffic.
Protocol anomaly based is not the best choice as while a protocol anomaly based IDS can identify unknown attacks, this type of system is more suited to identifying deviations from established protocol standards such as HTTP. This type of IDS faces problems in analyzing complex or custom protocols.
Pattern matching is not the best choice as a pattern matching IDS cannot identify unknown attacks. This type of system can only compare packets against signatures of known attacks.
Stateful matching is not the best choice as a statful matching IDS cannot identify unknown attacks. This type of system works by scanning traffic streams for patterns or signatures of attacks.
Reference:
Official guide to the CISSP CBK. pages 198 to 201

- (Topic 1)
Which of the following statements pertaining to RADIUS is incorrect:

1. A. A RADIUS server can act as a proxy server, forwarding client requests to other authentication domains.
2. B. Most of RADIUS clients have a capability to query secondary RADIUS servers for redundancy.
3. C. Most RADIUS servers have built-in database connectivity for billing and reportingpurposes.
4. D. Most RADIUS servers can work with DIAMETER servers.

Correct Answer: D
This is the correct answer because it is FALSE.
Diameter is an AAA protocol, AAA stands for authentication, authorization and accounting protocol for computer networks, and it is a successor to RADIUS.
The name is a pun on the RADIUS protocol, which is the predecessor (a diameter is twice the radius).
The main differences are as follows:
Reliable transport protocols (TCP or SCTP, not UDP)
The IETF is in the process of standardizing TCP Transport for RADIUS Network or transport layer security (IPsec or TLS)
The IETF is in the process of standardizing Transport Layer Security for RADIUS Transition support for RADIUS, although Diameter is not fully compatible with RADIUS Larger address space for attribute-value pairs (AVPs) and identifiers (32 bits instead of 8 bits)
Client–server protocol, with exception of supporting some server-initiated messages as well Both stateful and stateless models can be used
Dynamic discovery of peers (using DNS SRV and NAPTR) Capability negotiation
Supports application layer acknowledgements, defines failover methods and state machines (RFC 3539)
Error notification Better roaming support
More easily extended; new commands and attributes can be defined Aligned on 32-bit boundaries
Basic support for user-sessions and accounting
A Diameter Application is not a software application, but a protocol based on the Diameter base protocol (defined in RFC 3588). Each application is defined by an application identifier and can add new command codes and/or new mandatory AVPs. Adding a new optional AVP does not require a new application.
Examples of Diameter applications:
Diameter Mobile IPv4 Application (MobileIP, RFC 4004)
Diameter Network Access Server Application (NASREQ, RFC 4005) Diameter Extensible Authentication Protocol (EAP) Application (RFC 4072) Diameter Credit-Control Application (DCCA, RFC 4006)
Diameter Session Initiation Protocol Application (RFC 4740) Various applications in the 3GPP IP Multimedia Subsystem
All of the other choices presented are true. So Diameter is backwork compatible with Radius (to some extent) but the opposite is false.
Reference(s) used for this question:
TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 2, 2001, CRC Press, NY, Page 38.
and https://secure.wikimedia.org/wikipedia/en/wiki/Diameter_%28protocol%29

- (Topic 1)
In discretionary access environments, which of the following entities is authorized to grant information access to other people?

1. A. Manager
2. B. Group Leader
3. C. Security Manager
4. D. Data Owner

Correct Answer: D
In Discretionary Access Control (DAC) environments, the user who creates a file is also considered the owner and has full control over the file including the ability to set permissions for that file.
The following answers are incorrect:
manager. Is incorrect because in Discretionary Access Control (DAC) environments it is the owner/user that is authorized to grant information access to other people.
group leader. Is incorrect because in Discretionary Access Control (DAC) environments it is the owner/user that is authorized to grant information access to other people.
security manager. Is incorrect because in Discretionary Access Control (DAC) environments it is the owner/user that is authorized to grant information access to other people.
IMPORTANT NOTE:
The term Data Owner is also used within Classifications as well. Under the subject of classification the Data Owner is a person from management who has been entrusted with a data set that belongs to the company. For example it could be the Chief Financial Officer (CFO) who is entrusted with all of the financial data for a company. As such the CFO would determine the classification of the financial data and who can access as well. The Data Owner would then tell the Data Custodian (a technical person) what the classification and need to know is on the specific set of data.
The term Data Owner under DAC simply means whoever created the file and as the creator of the file the owner has full access and can grant access to other subjects based
on their identity.

- (Topic 1)
The "vulnerability of a facility" to damage or attack may be assessed by all of the following except:

1. A. Inspection
2. B. History of losses
3. C. Security controls
4. D. security budget

Correct Answer: D
Source: The CISSP Examination Textbook- Volume 2: Practice by S. Rao Vallabhaneni.

- (Topic 5)
Which of the following was not designed to be a proprietary encryption algorithm?

1. A. RC2
2. B. RC4
3. C. Blowfish
4. D. Skipjack

Correct Answer: C
Blowfish is a symmetric block cipher with variable-length key (32 to 448 bits) designed in 1993 by Bruce Schneier as an unpatented, license-free, royalty-free replacement for DES or IDEA. See attributes below:
Block cipher: 64-bit block
Variable key length: 32 bits to 448 bits Designed by Bruce Schneier
Much faster than DES and IDEA Unpatented and royalty-free
No license required
Free source code available
Rivest Cipher #2 (RC2) is a proprietary, variable-key-length block cipher invented by Ron Rivest for RSA Data Security, Inc.
Rivest Cipher #4 (RC4) is a proprietary, variable-key-length stream cipher invented by Ron Rivest for RSA Data Security, Inc.
The Skipjack algorithm is a Type II block cipher [NIST] with a block size of 64 bits and a key size of 80 bits that was developed by NSA and formerly classified at the U.S. Department of Defense "Secret" level. The NSA announced on June 23, 1998, that Skipjack had been declassified.
References:
RSA Laboratories http://www.rsa.com/rsalabs/node.asp?id=2250
RFC 2828 - Internet Security Glossary http://www.faqs.org/rfcs/rfc2828.html