CCT 169: Practice CISSP Questions - Understanding Role, Rule, Mandatory, and Attribute Based Controls (Domain 5.4)

Aug 22, 2024

Can quantum computing break your encryption overnight? Discover the profound impact of this emerging technology on cybersecurity as we decode the recently introduced FIPS 203, 204, and 205 standards. Join me, Sean Gerber, on this week's electrifying episode of the CISSP Cyber Training Podcast to understand how the US government is preemptively tackling "harvest now, decrypt later" threats. Learn why these standards are crucial for federal entities and contractors and why mandatory adoption by 2035 is a game-changer for cybersecurity professionals, especially those engaging with the Cybersecurity Maturity Model Certification (CMMC).

Unlock the secrets to mastering access control models essential for fortified cybersecurity. We'll explore the nuanced features and ideal applications for Attribute-Based Access Control (ABAC), Discretionary Access Control (DAC), Role-Based Access Control (RBAC), and Mandatory Access Control (MAC), as well as the fine-grained Rule-Based Access Control (RBAC). Beyond the technical knowledge, we dive into the critical mindset required for true CISSP mastery—one that transcends the exam and empowers real-world application. Plus, your participation supports adoptive families, making our journey together even more impactful. Tune in and transform your cybersecurity strategy today!

Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and signing up to join the team for free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join Today!

TRANSCRIPT

Speaker 1:  

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Let's go. Cybersecurity knowledge.

Speaker 2:  

All right, let's get started. Hey, I'm Sean Gerber with CISSP Cyber Training, and I hope you all are having a blessed day today. Today is the awesome day that we follow up every single Thursday, from the Mondays. And what is that? Yes, it's CISSP Question Thursday. So today we're going to be getting into CISSP questions related to the podcast that occurred on Monday, which is discretionary access controls, attributed access controls, mandatory access controls. So, yes, set your Tesla on autopilot and let's go, but before we do, before we do, we wanted to get into.

Speaker 2:  

I saw an article that just came out that's relatable to what you're dealing with the CISSP, and it's something that you should know, as it relates to the quantum computing capabilities that are on the precipice. They're there, they're almost there, but they're not quite, and so the US government came out with a NIST standard for encryption standards that are specifically going to be focused on quantum computing, and these are the FIPS standards of 203, 204, and 205. Now, if you go to TechRepublic, there's a really good article in there about what are the new standards that are coming out. Now, if you've talked about encryption with the CISSP, you know that the FIPS standards for 140 and so forth deal with great encryption as it relates to what you're using with mobile devices and any sort of hardware type activities. But as the FIPS 140-1, 2 and 3, they give you different standards all around encryption. But, as we all know, the quantum is coming. It is actually going to really quickly blow that out of the water once that does come to a head at that point. So NIST, working with various other agencies in the United States government, came up with a standard to deal with quantum computing, and this is the FIPS 203, 204, and 205.

Speaker 2:  

Now the purpose of this is the fact is that today's RSA isn't actually going to be able to compete with what's going to happen with the quantum computing, and we know that. We've been talking about this for years and I know it's been slowly coming to a head. But we all also understand that within the next five years, quantum computing is going to be much more attainable for businesses to be able to utilize it in a way that's helpful. Well, if it's going to be available for businesses, it will also be available for the bad guys and girls to help themselves with our data, and so the standard was to come out to kind of, one, get ahead of that. So it gives you time to be able to get in place, and I know the US government has already said that they are going to require all US government agencies to be at these standards by 2035. So what's that? Roughly about nine years, I guess, yeah, about nine years, that they're going to have to be in that position where they'll be audible to make the move to the new FIPS standards.

Speaker 2:  

The other part that is interesting is this is designed to help offset this, what they call "harvest now, decrypt later" capability, where attackers would go in and they would just hoover, they would take the vacuum cleaner and suck up all of these wonderful passwords and all this encrypted data and then decrypt it later once they have the ability to throw it through the quantum machine. Now I will tell you that people have said, wow, that's not going to happen. I've heard people say, yes, it's definitely going to happen. I'll give you an example of where you can kind of think about that. I know the NSA has developed, they've got big, humongous warehouses that have got gobs and gobs of computing power that are more or less storage capabilities out east or out west, and that's the. Everybody knows about it, they all know it exists. I don't actually know where they are out west, but they have done it. Well, you can assume that if the US government is doing something like this, well, what is Russia doing? What is China doing? What are other countries doing? So, yes, the harvest now, crack later, is definitely a factor. It'd be interesting just to see how much of an input that, how much of a change or factor that's going to add into these different countries' plans in the future.

Speaker 2:  

So again, the US federal government has mandated adoption of these standards by 2035 for federal entities, businesses working with the government, and they will need to know and they'll need to follow suit. Now, so if you are working on your CISSP, obviously you are in a position where you are, one, have to do it because you want to, or two, you might be. I got a lot of people that listen to this podcast that are folks that know they have to do it. They're mandatory that they have to have it done. So therefore, just to kind of help keep their skills up, if you work with the government, you're going to be dealing with CMMC. Now, CMMC is the Cybersecurity Maturity, Maturation Certification, something like that. But basically, if you work with the federal government, you have to meet a CMMC standard. Well, it's going to be forcing you to view this crypto for this specific standard to meet this by 2035. So if you're a business working with the federal government, yeah, you're going to have to deal with it. So, if you're listening to the CISSP, you got this something you're going to have to focus on. You got nine years. Giddy up, you got time, but the ultimate goal is that they want to make these systems much more secure for the event that there's going to be individuals trying to steal this data.

Speaker 2:  

Okay, so let's get started. Let's roll into the questions for this week. Okay, you can get all these questions at CISSPcybertraining.com. Again, you sign up for my program and you'll be able to get access to all of these questions, ones that I've had, that I've been creating over the years, as well as the ones that are the most current. So, again, go to CISSPcybertraining.com, sign up with me. You can actually get a lot of my free questions, but these questions are part of the paid product that we have. But again, like I've mentioned multiple times on the podcast, the paid product is all going to charity. None of this is coming back to me, and so therefore, hey, you have a reason to spend the money. There's definitely a reason to spend the money. Help people, right? That's what you want.

Speaker 2:  

Okay, question one: which access control model is primarily based on the need-to-know principle and is often used in government and military environments? Now, as we go through these questions, you're going to go, oh, you said that once before in a different way. You're right, the ultimate goal is we're focusing on the different types of controls and we want to get it through your head to kind of understand, so that when you see this on the exam, it makes more sense. Now again, these questions, as I'm kind of backtracking just a little bit, these questions are not questions that are being pulled specifically from the CISSP. Now, could you see some of these in a different form? It's possible, yeah, but these are questions that kind of help get your brain juices thinking, so that when you do see the question that comes up on the exam, you're like, ah, I've heard of that before. May not be exactly the same, but I've heard of it.

Speaker 2:  

So, question one again: which access control model is primarily based on a need-to-know principle and is often used in government and military environments? A, rule-based access controls; B, role-based access controls; C, discretionary access controls; or D, mandatory access controls. Okay, we talked about the US government, one to remember about, and that is mandatory access controls. It is D. Mandatory access controls are characterized by the need-to-know principle. You'll need to know that, haha, quote pun, whatever you want to call it. You need to know that, and this is where access is determined by security labels assigned to subjects and to objects. Okay, this is mostly used in very highly secure environments, but it can be used outside of the US government. It's just that's typically where it is being used.

Speaker 2:  

Question two: a security administrator wants to implement an access control model that dynamically assigns permissions based on the user's attributes, such as job title, department, location, etc. Which model would be chosen? A, discretionary access controls; B, attribute access controls; C, role-based access controls; or D, rule-based access controls. Okay, so if you listen to the question and it comes back to a key topic, attribute such as job title, it would be B, attribute. See, I can't say $10 words, attribute-based access controls. And then these are designed specifically to grant or deny access based on the various attributes associated with the user, the resources and the environment. Question three: which access control model is most susceptible to the propagation of excessive permissions due to the ability of the user to grant access to others? So this is granting access to other people and we're talking excessive permissions, the propagation of excessive permissions. A, rule-based access, C or B, role-based access controls; C, discretionary access controls; or D, mandatory access controls? Users granting access, and that would be discretionary access control. We talked about it as one of the pros or one of the cons around it is the fact that somebody can actually grant access to others, leading to potential permission creep and additional security risks.

Speaker 2:  

Question four: a company wants to implement an access control model that defines access based on job function and responsibilities. Which model would be most suitable? Okay, a company wants to implement an access control model that defines access based on job function and responsibilities. A, rule-based; B, role-based; C, discretionary access; or D, mandatory access controls. Again, this is defining it based on job functions and responsibilities, and the answer is B, role-based, right? Role-based access control. This aligns with the job roles, making it more efficient in managing access to your organization.

Speaker 2:  

Question five: which access control model is typically enforced by the operating system and is least flexible in terms of granting exceptions? Again, operating system and least flexible in terms of granting exceptions. Again, operating system and least flexible in granting exceptions. A, mandatory access controls; B, discretionary access controls; D or C, role-based access controls; and D, rule-based access controls. And the answer is A, mandatory access controls, because these are strictly enforced by the system and do not allow for easy overrides or exceptions. Because, again, it comes down to the mandatory piece of this, similar to what we do in the government, but it's very strict, it's very specific, very to the point.

Speaker 2:  

Question six: a security policy states that access to sensitive data should be granted based on the classification level of the data and the clearance level of the user. Which access control model is most appropriate? Okay, clearance levels and classification levels? Okay, what does that sound like? Hmm, ding, ding, ding. Military, maybe. A, discretionary access control; B, mandatory access control; C, rule-based access control; or D, rule-based access controls. And the answer is B. Right, you are correct, mandatory access controls. This aligns with classification and clearance levels. So again you hear those key words. That would be what it is.

Speaker 2:  

Question seven: a company wants to implement an access control model that allows for fine-grained controls over access based on specific conditions and rules. Which model would be the most suitable in this situation? Okay, so, rules, specific, fine-grained, key terms. A, attribute-based controls; B, discretionary access controls; C, rule-based access controls; or D, rule-based access controls. And you got it right. You know, conditions, rules. Ah, it's D, rule-based access controls. They provide granular control through the definition of specific rules and conditions for access.

Speaker 2:  

Question eight: which access control model is best suited for dynamic environments where permissions need to be adjusted frequently based on the changing conditions? A, attribute-based; B, role-based; C, rule-based; or D, mandatory? Again, access control model best suited for dynamic environments where permissions need to be adjusted frequently based on changing conditions, and that would be A, attribute-based. These controls adapt to changes in users' attributes or environmental conditions, making it much more flexible for dynamic environments. They are a little bit more challenging, though, to implement, so keep that in mind. Question nine: which access control model is often used in conjunction with other models to provide additional layers of security? A, attribute-based controls; B, discretionary access controls; C, rule-based; D, role-based. Again, which access control model is often used in conjunction with other models to provide additional layers of security, and the answer is A, attribute-based controls. These can complement other models by adding dynamic or context-aware access control mechanisms. Again, the attribute-based is a good addition to many of these controls.

Speaker 2:  

Question 10: a security administrator wants to implement an access control model that minimizes the risk of privilege escalation. So again, we talk about this is taking the privileges and escalating their ability to go beyond where they're at. So which access control model minimizes the risk of privilege escalation and which model would be most effective in this? A, rule; B, role; C, mandatory; or D, discretionary? Okay, again, which one is it? It is C, mandatory access controls. Again, these are based on labels, reducing the likelihood of users gaining unauthorized privileges.

Speaker 2:  

Question 11: which access control model is most susceptible to the propagation of excessive permissions due to the ability of users granting access to others? So now, if you're watching this video or you are listening, I guess listening, but more you're watching this at CISSP Cyber Training, you will want to go into acronyms, so I'm just changing it up just a little bit, all right? So RBAC, which could be role-based. You'll have to see how that plays out. Could be rule, but in most cases RBAC, the R-B-A-C, is based on role-based. So RBAC; DAC, which is discretionary access controls; MAC; or ABAC, which is attribute-based access controls. And again, most susceptible to propagation of excessive permissions due to the ability of users to grant access to others. It is B, DAC, right. Discretionary access controls is where they have the power to grant access to other individuals.

Speaker 2:  

Question 12: a company wants to implement an access control model that provides fine-grained control over access based on specific conditions and rules. Which model would be most suitable? So a company wants to implement an access control model that provides fine-grained control over access based on specific conditions and rules.

Speaker 2:  

Okay, so this is where the RBAC can get out. Is it RBAC or is it rule-based? What is it, all right? A response: A, RBAC; B, DAC; C, MAC; or D, RBAC. Which one is it? But if you spell it out, rule-based, then it is rule-based access controls, right? So you want to make sure that if you look through this, don't bite off on RBAC. Make sure that you understand that it could be rule or could it be RBAC, which is rule-based, and that's rule-based, right? So rule-based controls. The correct answer around this is because they have specific rules and conditions to govern access. Question 13: which access control model is typically enforced by the operating system and is least flexible in terms of granting exceptions? We talked about this a little bit ago, but now we've got an acronym: ABAC, MAC, DAC or RBAC. What is it? Oh, it is B, MAC, right, mandatory access controls, those are the ones that we talked about. They're strictly adhered to security labels, making it very difficult.

Speaker 2:  

Question 14: which access control model is best suited for environments with a high degree of dynamic changes in the user's roles and responsibilities? Again, roles, responsibilities. A, RBAC; B, ABAC; C, MAC; or D, DAC.

Speaker 2:  

Okay so, which one is it? Roles and responsibilities. It is RBAC, role-based access controls. Again, they're designed for permissions based on job functions. So that's the one to think about. Last question, the last melon, last question 15: the company wants to implement an access control model that provides a strong foundation for protecting classified information and enforcing the principle of least privilege. Which model would be most appropriate? A, ABAC; B, MAC; C, DAC; and D, RBAC? And the answer is MAC. Right, Mandatory Access Controls is tied to the government, which allows you to have the enforcing of least privilege.

Speaker 2:  

It's the ultimate goal. Again, a lot of these you go over. Again, you're like, well, these are over and over and over again. That's the point. We want you to go over them over and over and over so that when you see them on the test, you understand or you at least feel much more confident in your answer for the test. Again, the ultimate goal of CISSP Cyber Training is to give you that leg up to help you with the exam. It's not to help you, not to help you pass the exam through just giving you the answers. No, it's to help you change your mindset and help you be able to understand the questions they're asking so that you can regurgitate them in a way that you are actually going to pass it and understand what you're actually putting down. And that's the goal, right?

Speaker 2:  

The ultimate goal of CISSP Cyber Training is to give you that leg up. It's also going to be the fact that you'll learn with the CISSP. I utilize this knowledge on a daily basis, and so you better learn it because, you know what, you're going to deal with it on a daily basis. All right, enough about that, but you guys have a wonderful day. Go to CISSP Cyber Training again. See what I got out there for you. Again, all purchases made are going to charity. Nothing comes back to me. I'm kind of driving that home because the fact is, I want to grow our charity so that we can give out to adoptive families and be able to have money for them. All right, have a wonderful day and we will catch you guys all on the flip side, see ya.

CISSP Cyber Training Academy Program!

Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification? 

Let CISSP Cyber Training help you pass the CISSP Test the first time!
