CISSP PRACTICE QUESTIONS – 20200929

Effective CISSP Questions

After activating the login window and logging in to your PC, you visit your bank’s website, https://BankOfEffectiveCISSP.com, and transfer funds from one bank account to another. The transaction shall be authenticated and authorized by typing in the authentication code and swiping the ATM card. Which of the following does not happen in this scenario?
A. Side channel 
B. Covert channel
C. Trusted path
D. Trusted channel


Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. Covert channel.

A channel is an information transfer path between two parties. A covert channel is the “transmission channel that may be used to transfer data in a manner that violates security policy.” (ISO/IEC 2382:2015, Information technology — Vocabulary)

  • Activating the login window establishes the trusted path.
  • Visiting your bank’s website through HTTPS creates a trusted channel.
  • Swiping the ATM card is subject to side-channel attacks.
  • Covert channels may occur ubiquitously, but none is specifically described in the question.

Trusted Path

A mechanism by which a user (through an input device) can communicate directly with the security functions of the information system with the necessary confidence to support the system security policy. This mechanism can only be activated by the user or the security functions of the information system and cannot be imitated by untrusted software. (CNSSI 4009-2015)

To build a trusted path, we identify a key on the keyboard (in Windows NT this is the key combination Ctrl-Alt-Delete) and make it special. Whenever this key is pressed, the security kernel gets control and monitors what is typed on the keyboard. There is no way to hijack the key that opens the trusted path. (Schneider)

Trusted Channel

A channel where the endpoints are known and data integrity is protected in transit. Depending on the communications protocol used, data privacy may be protected in transit. Examples include transport layer security (TLS), IP security (IPSec), and secure physical connection. (CNSSI 4009-2015)

Side-Channel Attacks

  • Power Analysis
  • EM Analysis (Electromagnetic emission)
  • Fault Analysis
  • Timing Analysis
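Timing analysis is the easiest of these four to reproduce in software. The example below is an added illustration, not code from the original post: a naive authentication-code check that stops at the first mismatching byte does an amount of work that depends on how much of the secret the supplied value already matches, and that work is observable as elapsed time. The constant-time variant always touches every byte, so its work profile is flat. The six-digit `SECRET_CODE` and the `GUESSES` are constructed sample values; `bytes_inspected` is returned instead of measured time so the leak is visible deterministically.

```python
# Added example (not from the original post): a timing side channel in an
# early-exit comparison, next to a constant-time comparison that closes it.
import hmac


def naive_compare(expected: bytes, supplied: bytes):
    """Byte-by-byte comparison that returns at the first mismatch.
    Returns (equal, bytes_inspected). The count is the work performed,
    which is what an observer sees as elapsed time."""
    if len(expected) != len(supplied):
        return False, 0
    inspected = 0
    for a, b in zip(expected, supplied):
        inspected += 1
        if a != b:
            return False, inspected   # early exit: work depends on the data
    return True, inspected


def constant_time_compare(expected: bytes, supplied: bytes):
    """Comparison whose work does not depend on where the inputs differ.
    Returns (equal, bytes_inspected); the count is always the full length."""
    if len(expected) != len(supplied):
        return False, 0
    inspected = 0
    diff = 0
    for a, b in zip(expected, supplied):
        inspected += 1
        diff |= a ^ b                  # accumulate, never branch on the result
    return diff == 0, inspected


def leak_profile(compare, expected: bytes, guesses):
    """Work done for each guess. A profile that varies with the guess
    is a side channel; a flat profile is not."""
    return [compare(expected, g)[1] for g in guesses]


# Constructed sample data: a 6-digit authentication code held by the server,
# and a few guesses that share progressively longer prefixes with it.
SECRET_CODE = b"492817"
GUESSES = [b"000000", b"400000", b"490000", b"492800"]

if __name__ == "__main__":
    print("naive    :", leak_profile(naive_compare, SECRET_CODE, GUESSES))
    print("constant :", leak_profile(constant_time_compare, SECRET_CODE, GUESSES))
    # In real code use the standard library's constant-time primitive:
    print("stdlib   :", hmac.compare_digest(SECRET_CODE, b"492817"))
```

The naive profile rises with the length of the matching prefix, while the constant-time profile is flat at six. In production code the comparison should be `hmac.compare_digest` (or the equivalent in the language at hand) rather than a hand-rolled loop, and the same reasoning applies to PIN and card-data checks on a terminal.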

References

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

After activating the login window and logging in to your PC, you connect to your bank’s website, https://BankOfEffectiveCISSP.com, and transfer funds from one bank account to another. This transaction must be authenticated and authorized by entering the authentication code and swiping the ATM card. Which of the following does not happen in this scenario?
A. Side channel 
B. Covert channel
C. Trusted path
D. Trusted channel
