Sybex CISSP Official Study Flash Cards w/ Added Cards
Terms in this set (1069)
What are some examples of detective access controls?
Security guards, supervising users, incident investigations, and intrusion detection systems
What are some examples of physical access controls?
Guards, fences, motion detectors, locked doors, sealed windows, lights, backups, cable protection, laptop locks, swipe cards, dogs, CCTV, mantraps, and alarms
What are the three commonly recognized authentication factors?
Something you know, something you have, and something you are
What is a cognitive password?
A series of questions about facts or predefined responses that only the subject should know (for example, what is your birth date? What is your mother's maiden name?)
Name at least eight biometric factors.
Fingerprints, face scans, iris scans, retina scans, palm topography, palm geography, heart/pulse pattern, voice pattern, signature dynamics, keystroke patterns
What are the issues related to user acceptance of biometric enrollment and throughput rate?
Enrollment times longer than 2 minutes are unacceptable; subjects will typically accept a throughput rate of about 6 seconds or faster.
What access control technique employs security labels?
Mandatory access controls. Subjects are labeled as to their level of clearance. Objects are labeled as to their level of classification or sensitivity.
The Bell-LaPadula, Biba, and Clark-Wilson access control models were all designed to protect a single aspect of security. Name the corresponding aspect for each model.
Bell-LaPadula protects confidentiality; Biba and Clark-Wilson protect integrity.
Name the three types of subjects and their roles in a security environment.
The user accesses objects on a system to perform a work task; the owner is liable for protection of data; the data custodian is assigned to classify and protect data.
Explain why the separation of duties and responsibilities is a common security practice.
It prevents any single subject from being able to circumvent or disable security mechanisms.
What is the principle of least privilege?
Subjects should be granted only the amount of access to objects that is required to accomplish their assigned work tasks.
Name the four key principles upon which access control relies.
Identification, authentication, authorization, accountability
How are domains related to decentralized access control?
A domain is a realm of trust that shares a common security policy. This is a form of decentralized access control.
Why is monitoring an important part of a security policy?
Monitoring is used to watch for security policy violations and to detect unauthorized or abnormal activities.
What are the functions of an intrusion detection system (IDS)?
An IDS automates the inspection of audit logs and real-time system events, detects intrusion attempts, and watches for violations of confidentiality, integrity, and availability.
What are the pros and cons of a host-based IDS?
It can pinpoint resources compromised by a malicious user. It can't detect network-only attacks or attacks on other systems, has difficulty detecting DoS attacks, and can be detected by intruders.
What are the pros and cons of a network-based IDS?
It can monitor a large network and can be hardened against attack. It may be unable to handle large data flows, requires a central view of traffic, and can't pinpoint compromised resources.
What are the differences between knowledge-based and behavior-based detection methods used by IDS?
Knowledge-based uses a signature database and tries to match monitored events to that database. Behavior-based learns about the normal activities on your system through watching and learning.
What is a honeynet, and what is it used for?
Honeynets are fake networks used to lure intruders in order to create sufficient audit trails for tracking them down and prosecuting. Honeynets contain no real or sensitive data.
How does penetration testing improve your system's security?
Penetration testing is a good way to accurately judge the security mechanisms deployed by an organization.
What is a denial-of-service attack?
An attack that prevents the system from receiving, processing, or responding to legitimate traffic or requests for resources and objects
What is a spoofing attack?
The attacker pretends to be someone or something other than whom or what they are. They can spoof identities, IP addresses, email addresses, and phone numbers. They often replace the valid source and/or destination IP address and node numbers with false ones.
What are countermeasures to spoofing attacks?
Countermeasures to spoofing attacks include patching the OS and software, enabling source/destination verification on routers, and employing an IDS to detect and block attacks.
What is a man-in-the-middle attack?
An attack in which a malicious user is positioned between the two endpoints of a communication's link
What is a replay or playback attack?
A malicious user records the traffic between a client and a server and then retransmits it to the server with slight variations of the timestamp and source IP address. It is similar to hijacking.
What is a sniffer attack?
Any activity that results in a malicious user obtaining information about a network or the traffic over that network. Data is captured using a sniffer or protocol analyzer.
What is a spamming attack?
Directing floods of messages to a victim's email inbox or other messaging system. Such attacks cause DoS issues by filling up storage space and preventing legitimate messages from being delivered.
What are some countermeasures to common attack methods?
Patching software, reconfiguring security, employing firewalls, updating filters, using IDSs/IPSs, improving security policy, using traffic filters, improving physical access control, using system monitoring/auditing
Name the seven layers of the OSI model by their layer name and layer number.
Application (7), Presentation (6), Session (5), Transport (4), Network (3), Data Link (2), and Physical (1)
List the security features offered by the Network layer of the OSI model.
The Network layer (layer 3) offers confidentiality, authentication, and integrity.
What is the maximum throughput rate and maximum usable distance for 10Base2 cable?
10Base2 cable has a throughput of 10 Mbps and can be run up to distances of 185 meters.
Name the common network topologies.
Ring, bus, star, and mesh
What are the four layers of the TCP/IP protocols, and how do they relate to the OSI model layers?
The four layers of TCP/IP are Application (layers 5-7 of OSI), Transport (layer 4 of OSI), Internet (layer 3 of OSI), and Link (layers 1 and 2 of OSI).
What are the five generation types of firewalls?
Static packet filtering, dynamic packet filtering,
Name at least five networking device types other than firewalls.
Routers, switches, hubs, repeaters, bridges, gateways, proxies
What is a proxy, and what is it used for?
Any system that performs a function or requests a service on behalf of another system. Proxies are most often used to provide clients with Internet access while protecting their identity.
Name at least 10 network and protocol security mechanisms.
IPSec, SKIP, SWIPE, SSL, S/MIME, SET, PEM, PGP, PPP, SLIP, PPTP, L2TP, CHAP, PAP, RADIUS, TACACS, S-RPC
Name at least six protocol services used to connect to LAN and WAN communication technologies.
Frame Relay, SMDS, X.25, ATM, HSSI, SDLC, HDLC, ISDN
How are PVC, SVC, DTE, and DCE used in a Frame Relay network?
Frame Relay requires the use of a DTE and a DCE at each connection point. PVC is always available; SVC is established using the best paths currently available.
What are three remote access authentication mechanisms?
RADIUS, DIAMETER, and TACACS
What is tunneling, and why is it used?
A process that protects the contents of packets by encapsulating them in another protocol. This creates the logical illusion of a communications tunnel through an untrusted intermediary network.
What is a VPN?
A virtual private network (VPN) is a communication tunnel that provides point-to-point transmission of both authentication and data traffic over an intermediary network.
What are the four primary VPN protocols?
PPTP, L2F, L2TP, and IPSec (Note: SSL/TLS is a valid VPN protocol as well, but it's not necessarily recognized on the exam as such.)
What are the two modes available through IPSec, and what do they do?
In transport mode, the IP packet data is encrypted, but the header is not. In tunnel mode, the entire IP packet is encrypted, and a new header is added to govern transmission through the tunnel.
What is NAT?
Network Address Translation (NAT) allows the private IP addresses defined in RFC 1918 to be used in a private network while still being able to communicate with the Internet.
What is transparency?
A characteristic of a service, security control, or access mechanism that ensures it is unseen by users
What are some important aspects to consider when designing email security?
Nonrepudiation, access control, message integrity, source authentication, verified delivery, acceptable use policies, privacy, management, and backup and retention policies
What is the most serious threat of email?
Email is a common delivery mechanism for viruses, worms, Trojan horses, documents with destructive macros, and other malicious code.
What are possible mechanisms for adding security to email?
S/MIME, MOSS, PEM, and PGP
What are elements of effective user training against social-engineering attacks?
Always err on the side of caution whenever communications are odd or unexpected. Always request proof of identity. Identify what information can be conveyed via voice communications by classifying the information. Never change passwords over the phone.
What are the most common threats against communication systems?
Denial of service, eavesdropping, impersonation, replay, and modification
What are some countermeasures to eavesdropping?
Maintaining physical access security, using encryption, employing one-time authentication methods
What is an ARP attack?
The modification of ARP mappings. When ARP mappings are falsified, packets are not sent to their proper destination. ARP mappings can be attacked through spoofing. Spoofing provides false MAC addresses for requested IP addressed systems to redirect traffic to alternate destinations.
What is privacy?
Prevention of unauthorized intrusion, knowledge that information deemed personal or confidential won't be shared with unauthorized entities, freedom from being observed without consent
What are the requirements for accountability?
Identification, authentication, authorization, and auditing
What is nonrepudiation?
Nonrepudiation prevents a subject from claiming not to have sent a message, not to have performed an action, or not to have been the cause of an event.
What is layering?
Layering is the use of multiple controls in a series. The use of a multilayered solution allows for numerous controls to be brought to bear against whatever threats occur.
How is abstraction used?
Abstraction is used to collect similar elements into groups, classes, or roles that are assigned security controls, restrictions, or permissions.
What is data hiding?
Data hiding is preventing data from being known by a subject. Keeping a database from being accessed by unauthorized visitors is a form of data hiding.
What is change control or change management?
A mechanism used to systematically manage change. Typically, it involves extensive logging, auditing, and monitoring of activities related to security controls and security solutions.
What are the goals of change management?
Implementation of changes in an orderly manner, formalized testing, ability to reverse changes, ability to inform users of changes, systematic analysis of changes, minimization of negative impact of changes
What is data classification?
Data classification is the primary means by which data is protected based on categories of secrecy, sensitivity, or confidentiality.
What criteria are used to classify data?
Usefulness, timeliness, value or cost, maturity or age, lifetime or expiration period, disclosure damage assessment, modification damage assessment, national or business security implications, storage
What is the government/military data classification scheme?
Top secret, secret, confidential, sensitive, and unclassified
What is the commercial business/private sector classification scheme?
Confidential, private, sensitive, public
Name at least seven security management concepts and principles.
CIA Triad, confidentiality, integrity, availability, privacy, identification, authentication, authorization, auditing, accountability, and nonrepudiation
What are the elements of a termination procedure policy?
Have at least one witness; escort terminated employee off the premises immediately; collect identification, access, or security devices; perform exit interview; disable network account
What is the function of the data owner security role?
The data owner is responsible for classifying information for protection within the security solution.
What is the data custodian security role?
The data custodian is assigned the tasks of implementing the prescribed protection defined by the security policy and upper management.
What is the function of the auditor security role?
The auditor is responsible for testing and verifying that the security policy is properly implemented and the derived security solutions are adequate.
What should the documents that make up a formalized security structure include?
Policies, standards, baselines, guidelines, and procedures
What is generally involved in the processes of risk management?
Analyzing an environment for risks, evaluating each risk as to its likelihood and damage, assessing the cost of countermeasures, and creating a cost/benefit report to present to upper management
What should be considered when establishing the value of an asset?
Cost of purchase, development, maintenance, acquisition, and protection; value to owners/users/competitors; equity value; market valuation; liability of asset loss; and usefulness
Name at least five possible threats that should be evaluated when performing a risk analysis.
Viruses; buffer overflows; coding errors; user errors; intruders (physical and logical); natural disasters; equipment failure; misuse of data, resources, or services; loss of data; physical theft; denial of service
What is single loss expectancy, and how is it calculated?
The cost associated with a single realized risk against a specific asset. SLE = asset value (AV) * exposure factor (EF). The SLE is expressed in a dollar value.
What is annualized loss expectancy, and how is it calculated?
The possible yearly cost of all instances of a specific realized threat against a specific asset. ALE = single loss expectancy (SLE) * annualized rate of occurrence (ARO).
What are the basic distinctions between qualitative and quantitative risk analysis?
Quantitative risk analysis assigns real dollar figures to the loss of an asset. Qualitative risk analysis assigns subjective and intangible values to the loss of an asset.
What are the four possible responses by upper/senior management to risk?
Reduce/mitigate, assign/transfer, accept, or reject/deny
What is residual risk?
Once countermeasures are implemented, the risk that remains is known as residual risk. Residual risk is the risk that management has chosen to accept rather than mitigate.
What is total risk?
The amount of risk an organization would face if no safeguards were implemented. A formula for total risk is threats * vulnerabilities * asset value = total risk.
What is the controls gap?
The difference between total risk and residual risk. The controls gap is the amount of risk that is reduced by implementing safeguards.
What are the three learning levels of security?
Awareness, training, and education
What are the three types of plans employed in security management planning?
A strategic plan is a long-term plan that is fairly stable. The tactical plan is a midterm plan that provides more details. Operational plans are short term and highly detailed.
How many primary keys may each database table have?
What type of malicious code spreads through the sharing of infected media?
What term is used to describe intelligent code objects that perform actions on behalf of a user?
What term is used to describe code sent by a server to a client for execution on the client machine?
What language developed by Sun Microsystems, owned by Oracle, is often used for applet programming and development?
What type of database key enforces relationships between tables?
What security principle ensures that multiple records are created in a database table for viewing at different security levels?
What process evaluates the technical and nontechnical security features of an IT system?
Certification and accreditation
What type of accreditation evaluates the systems and applications at a specific, self-contained location?
In which phase of the Software Capability Maturity Model do you often find hardworking people charging ahead in a disorganized fashion?
In which layer of the ring protection scheme do user applications reside?
What system mode requires that the system process only one classification level at a time and all system users have clearance and need to know that information?
Dedicated security mode
What is another term for the master boot record?
What type of virus embeds itself in application documents?
What can antivirus programs do when they encounter a virus infection?
Delete the file, disinfect the file, or quarantine the file.
What type of virus modifies itself each time it infects a new system in an attempt to avoid detection?
What type of malicious code launches itself when certain conditions (such as a specific date) are met?
What were the mechanisms of action used by Robert T. Morris's Internet worm of 1988?
The worm exploited vulnerabilities in the Sendmail debug mode and finger daemon, launched password attacks, and exploited trust relationships between systems.
Where are passwords stored in a Unix system?
In the /etc/passwd or /etc/shadow file
What term is used to describe hackers rooting through trash looking for useful information?
What is the cornerstone of computer security?
What are the three phases of the three-way handshake used by TCP/IP?
SYN, SYN/ACK, ACK
How does the teardrop attack operate?
It sends overlapping packet fragments to the victim machine.
What is the term used to describe a secret method used by a programmer to gain access to the system?
Trap door (or back door)
When is the XOR function true?
When only one of the input bits is true
What term describes a mathematical function that easily produces output values for each possible combination of inputs but makes it impossible to retrieve the input values?
True or false? All ciphers are meant to obscure the meaning of a message.
True or false? All codes are meant to obscure the meaning of a message.
What occurs when a change in the plain text results in multiple changes spread throughout the cipher text?
What type of cipher is the Caesar cipher?
True or false? Modern cryptosystems rely on the secrecy of the encryption algorithm.
What is the length of the key used by the standard DES algorithm?
How many rounds of encryption does DES utilize?
True or false? The IDEA algorithm is available free for noncommercial use.
What encryption algorithm was selected for the Advanced Encryption Standard (AES)?
What is the Diffie-Hellman algorithm most commonly used for?
True or false? The Hashed Message Authentication Code (HMAC) provides nonrepudiation.
What are the three encryption algorithms supported by the Digital Signature Standard? What are two other digital signature algorithms?
DSA, RSA, and ECDSA. Schnorr's signature algorithm and Nyberg-Rueppel's signature algorithm.
What ITU standard describes the contents of a digital certificate?
What is the process by which you are issued a digital certificate?
Who issues digital certificates?
Certificate authorities (CAs)
True or false? PEM provides protection against replay attacks.
Privacy Enhanced Mail (PEM) is an email encryption mechanism that provides authentication, integrity, confidentiality, and nonrepudiation. PEM uses RSA, DES, and X.509.
What protocol uses the RSA encryption algorithm to provide encrypted mail support for a number of common commercial email packages?
True or false? S-HTTP secures individual messages between a client and a server.
What cryptographic methods are used by the Secure Electronic Transaction (SET) protocol?
RSA public key cryptography and DES private key cryptography in connection with digital certificates
What are the four components of IPSec?
Authentication Header (AH), Encapsulating Security Payload (ESP), IP Payload Compression protocol (IPComp), and Internet Key Exchange (IKE)
What type of cryptographic attack is used against algorithms that don't incorporate temporal protections?
What are some common reasons a certificate might need to be revoked?
The certificate was compromised, the certificate was erroneously issued, the certificate details changed, the private key was exposed, or there was a change of security association.
What type of cryptography relies on the use of public and private keys?
What technology allows multiple users to make use of the same process without interfering with each other?
What are some of the terms used to describe the CPU mode that gives access to the full range of supported instructions?
System mode, privileged mode, supervisory mode, and kernel mode
What is the greatest security risk to RAM modules?
What addressing scheme supplies the CPU with the actual address of the memory location to be accessed?
Magnetic/optical media devices are classified as what type of memory?
Memory devices designed to retain their data when power is removed are known as ___________________.
What two ways can storage devices be accessed?
Randomly and sequentially
What is the greatest security risk to computer monitors?
What is another term often used for firmware?
Where are the operating system-independent primitive instructions that a computer needs to start and load the operating system stored?
What concept ensures that data existing at one level of security is not visible to processes running at different security levels?
What are the important factors in personnel management?
Hiring practices, ongoing job performance reviews, and termination procedures
What security mechanisms are countermeasures to collusion?
Job rotation, separation of duties, mandatory vacations, workstation change
Why is antivirus protection important?
Viruses are the most common form of security breach in the IT world. Any communications pathway can be and is being exploited as a delivery mechanism for a virus or other malicious code.
What is need to know?
Need to know is the requirement to have access to, knowledge of, or possession of data or a resource in order to perform specific work tasks.
What principle states that users should be granted the minimum amount of access to the secure environment as possible for them to be able to complete their work tasks?
Principle of least privilege
What are due care and due diligence?
Due care is using reasonable care to protect the interest of an organization. Due diligence is practicing the activities that maintain the due care effort.
How are security and illegal activities related?
A secure environment should provide mechanisms to prevent the committal of illegal activities, which are actions that violate a legal restriction, regulation, or requirement.
With what level of security precautions should backup media be treated?
Backup media should be handled with the same security precautions as any other asset with the same data classification.
What are the goals of managing backup media?
Preventing disclosure, destruction, or alteration of data
What are the processes that can be applied to used media in order to prepare the media for reuse in various environments?
Erasing, clearing, and overwriting media that will be used in the same classification environments; purging, sanitizing, and degaussing if media is used in different classification environments
What are the classifications of security control types?
Preventive, deterrent, detective, corrective, recovery, compensation, directive
What is the purpose of auditing?
To ensure compliance with security policy and to detect abnormalities, unauthorized occurrences, or outright crimes
What types of activities are labeled as auditing?
Recording of event/occurrence data, examination of data, data reduction, use of event/occurrence alarm triggers, log analysis, logging, monitoring, using alerts, intrusion detection
What is the purpose of compliance testing?
To ensure that all of the necessary and required elements of a security solution are properly deployed and functioning as expected
How are audit trails used?
To reconstruct an event, to extract information about an incident, to prove or disprove culpability
What types of activities can be used as penetration tests?
War dialing, sniffing, eavesdropping, radiation monitoring, dumpster diving, social engineering, port scanning, ping scanning, vulnerability scanning, and actual compromise activities
What are some ways to keep inappropriate content to a minimum?
Address the issue in the security policy, perform awareness training, use content filtering tools to filter source or word content.
Why is it important to protect against resource waste?
If the storage space, computing power, or networking bandwidth capacity is consumed by inappropriate or non-work-related (non-profit-producing) data, the organization loses money.
Why is it important to protect against privilege abuse?
It can cause the disclosure of sensitive information, violating the principle of confidentiality.
What countermeasures are moderately effective against errors and omissions?
Input validators and user training
How can you protect data against fraud and theft?
The use of access controls (auditing and monitoring, for example) reduces fraud and theft.
What are some safeguards against sabotage?
Intensive auditing, monitoring for abnormal or unauthorized activity, keeping lines of communication open between employees and managers, and compensating and recognizing employees for excellence
Why isn't there an effective direct countermeasure against the threat of malicious hackers or crackers?
Most safeguards and countermeasures protect against one specific threat or another, but it is not possible to protect against all possible threats that a cracker represents.
What is malicious code?
Malicious code is any script or program that performs an unwanted, unauthorized, or unknown activity on a computer system.
True or false? Senior management should be included in the BCP process from the beginning.
What resource is in greatest demand during the BCP testing, training, and maintenance process?
What type of decision making is mainly concerned with metrics such as dollar values and downtime?
What Business Impact Analysis/Assessment variable is used to describe the longest period of time a resource can be unavailable without causing irreparable harm to the business?
Maximum tolerable downtime (MTD)
What is the formula for computing single loss expectancy?
SLE = AV * EF [Single Loss Expectancy = Asset Value * Exposure Factor]
What is the formula for computing annualized loss expectancy?
ALE = SLE * ARO [Annualized Loss Expectancy = Single Loss Expectancy * Annual Rate of Occurrence]
What are some of the qualitative factors that must be taken into account when assessing the cost of a disaster?
Loss of goodwill among client base, loss of employees after prolonged downtime, social/ethical responsibilities to the community, and negative publicity
What is the first thing you should do when a disaster strikes?
Ensure that people are safe.
What are the two possible responses to a risk?
Acceptance and mitigation
Provide two examples of devices that might be used to harden a system.
Computer-safe fire suppression systems and uninterruptible power supplies
What is the goal of business continuity planning (BCP)?
To ensure the continuous operation of a business in the face of an emergency situation
What are some of the elements that should be included in emergency response guidelines?
Immediate response procedures, notification procedures, and secondary response procedures
What are the five steps of the business impact assessment process?
Identification of priorities
What process brings order to the chaotic events surrounding the interruption of an organization's normal activities by an emergency?
Disaster recovery planning (DRP)
Name some common natural disasters.
Earthquakes, floods, storms, tornadoes, and fires
What organization sponsors the National Flood Insurance Program and is a good source of historical flood information?
Federal Emergency Management Agency (FEMA)
What disaster recovery system is often highly dependent on the public water supply?
Fire suppression system
What type of disaster recovery separates recovery sites by business teams?
What are the three major options for alternative processing sites?
Hot sites, warm sites, and cold sites
What type of recovery site is particularly suited to workgroup recovery options?
True or false? Organizations participating in a mutual assistance agreement are typically located in the same geographic region.
True or false? There is an accepted standards document defining the requirements for an electronic vaulting solution.
What is the most common document type used for emergency response plans?
What are the three major types of filesystem backups?
Full backups, incremental backups, and differential backups
What can be used to protect a company against the failure of a developer to provide adequate support?
Software escrow agreements
It is sometimes useful to separate disaster ___________________ tasks from disaster ___________________ tasks.
recovery, restoration (in either order)
True or false? In most circumstances, it is illegal for an employer to monitor an employee's email.
If a witness is not able to uniquely identify an object, how else may it be authenticated in court?
By establishing a chain of evidence
What type of evidence is an authenticated computer log?
What are the three major evidence admissibility requirements?
Evidence must be relevant, material, and competent.
What law created the category of mission-critical computer systems?
Government Information Security Reform Act
What are the two requirements for acceptance of a trademark application?
The trademark must not be confusingly similar to another trademark, and it must not be descriptive.
What are the three requirements for acceptance of a patent application?
The invention must be new, useful, and nonobvious.
How long does trade secret protection last?
What type of license agreements are written on the outside of software packaging and require no action from the user other than opening the package?
What amendment to the US Constitution forms the basis for privacy rights?
What law requires that websites provide parents with the opportunity to review any information collected from their children?
Children's Online Privacy Protection Act
What law grants privacy rights to students enrolled in educational institutions that accept government funding?
Family Educational Rights and Privacy Act
Which type of computer crime attacks an organization's computer system to extract confidential information?
Which type of computer crime would likely be timed to occur simultaneously with a physical attack to reduce the ability to effectively respond to the physical attack?
What term refers to any hardware, software, or data that can be used to prove the identity and actions of an attacker?
What term describes any violation or threatened violation of a security policy?
Which type of incident generally does not cause direct damage to the victim?
Scanning. The purpose of a scanning attack is to collect information. The real damage to the system occurs in later attacks.
How do you protect your system from a malicious code incident?
Make sure your security policy restricts the introduction of untested files to your computer system. Have a good scanner with an up-to-date signature database. Frequently scan all files. Implement whitelisting of applications.
Which two types of incidents are the easiest to stop by dynamically altering filtering rules?
Scanning and denial of service. They can both potentially be stopped by filtering out the offending packets.
What must you do to make sure evidence is kept viable for use in a trial?
You must ensure that the evidence has not changed, and you must be able to validate its integrity.
Where should you begin looking to find information about an incident that occurred in the recent past?
The first place to look is in the system and network log files.
If an incident has occurred that has violated no laws or regulations, how do you determine whether to report it?
The incident reporting guidelines should be in your security policy.
Is adherence to the (ISC)² Code of Ethics recommended, mandatory, or optional for CISSPs?
Adherence to the (ISC)² Code of Ethics is mandatory, and acceptance of the Code of Ethics is a condition of certification.
What is the leading reason many incidents are not reported?
Because they are not recognized as incidents
What are the three main types of physical security controls?
Administrative physical security controls, technical physical security controls, physical controls for physical security
What is the primary purpose of lighting as a physical security device?
To discourage casual intruders, trespassers, prowlers, and would-be thieves
What are the benefits of security guards?
They are able to adapt and react to any condition or situation, are able to learn and recognize attack patterns, can adjust to a changing environment, and are able to make decisions and judgment calls.
What are the disadvantages of security guards?
Not all environments support them; prescreening, bonding, and training are not always effective; they are expensive, subject to illness, take vacations, and are vulnerable to social engineering.
What are the benefits and disadvantages of guard dogs?
They can be deployed as a perimeter security control and as detection and deterrent agents, they are costly and require high maintenance, and their use involves insurance and liability issues.
What are the 11 electrical terms and definitions you should be aware of?
Fault, blackout, sag, brownout, spike, surge, inrush, noise, transient, clean, ground
What are the types of noise or interference and their sources?
Common mode noise is generated by the difference in power between the hot and ground wires. Traverse mode noise is generated by the difference in power between the hot and neutral wires.
What are the typical HVAC requirements for a computer room?
A computer room should be kept at 60 to 75 degrees Fahrenheit (15 to 23 degrees Celsius). Humidity in a computer room should be maintained at between 40 and 60 percent.
What type of damage occurs when static electricity discharges exceed 40 volts?
Destruction of sensitive circuits
What is a Type C fire extinguisher used for, and what is it made of?
A Type C fire extinguisher is for use on electrical devices, so the extinguishing agent must be non-conductive; such extinguishers might use CO₂, halon, or various alternatives.
What are the four types of water-based fire suppression systems?
Wet pipe system, dry pipe system, deluge system, preaction system
What are the alternatives for halon?
FM-200 (HFC-227ea), CEA-410 or CEA 308, NAF-S-III (HCFC Blend A), FE-13 (HCFC-23), Aragon (IG55) or Argonite (IG01), Inergen (IG541), and low-pressure water mists
Which security vulnerability conveys information by altering the performance of a system component or modifying a resource's timing in a predictable manner?
Covert timing channel
What is a separate object that is associated with a resource and describes its security attributes?
In the Clark-Wilson security model, what is a procedure that scans data items and confirms their integrity?
Integrity verification procedure (IVP)
In the Biba integrity model, what is the Simple Integrity Axiom, which states that a subject cannot read an object of a lower integrity, also called?
No read down
Which organization developed the Bell-LaPadula security model?
The US Department of Defense
What is the collection of TCB components that work together to implement the reference monitor functions?
What does ITSEC call the system that is being evaluated?
The target of evaluation (TOE)
What are the TCSEC categories?
Category A: Verified protection. The highest level of security.
Category B: Mandatory protection.
Category C: Discretionary protection.
Category D: Minimal protection. Reserved for systems that have been evaluated but do not meet requirements to belong to any other category.
Which IPSec protocol provides integrity, authentication, and nonrepudiation to the secure message exchange?
Authentication Header (AH)
Which type of controls considers static attributes of the subject and the object to determine the permissibility of an access?
Mandatory access controls
What term is used to refer to the user or process that makes a request to access a resource?
What is the imaginary boundary that separates the TCB from the rest of the system?
What term describes the technical evaluation of each part of a computer system to assess its concordance with security standards?
What is the difference between analog and digital signals?
Analog communications occur with a continuous signal that varies in frequency, amplitude, and so on. Digital communications occur through the use of a state change of on-off pulses.
What is the difference between synchronous and asynchronous communications?
Synchronous communications rely on a timing or clocking mechanism. Asynchronous communications rely on a stop and start delimiter bit to manage transmission of data.
What is the difference between baseband and broadband communications?
Baseband technology uses a direct current to support a single communication channel. Broadband technology uses frequency modulation to support multiple simultaneous signals.
Describe broadcast, multicast, and unicast communications.
A broadcast supports communications to all possible recipients. A multicast supports communications to multiple specific recipients. A unicast supports only a single communication to one recipient.
What is the difference between packet switching and circuit switching?
In circuit switching, a dedicated physical pathway is created between the two parties. Packet switching occurs when the message is broken up into segments and sent across the intermediary network.
What are the characteristics of PPP?
The Point-to-Point Protocol (PPP) is an encapsulation protocol designed to support the transmission of IP traffic over dial-up or point-to-point links. PPP supports CHAP and PAP for authentication.
What are the characteristics of SLIP?
Serial Line Internet Protocol (SLIP) offers no authentication, supports only half-duplex communications, has no error-detection capabilities, and requires manual link establishment and teardown.
What is CORBA?
Common Object Request Broker Architecture (CORBA) is an international standard (sanctioned by the International Organization for Standardization) for distributed computing.
What's the most desirable default setting for access control?
Denial. When access is not specifically granted, it should be denied by default. This is also known as implicit deny.
What type of approach to security is considered better than a fortress mentality approach?
Defense in depth, multiple layers of security, concentric circles of security
What form of password attack consists first of a dictionary attack and then a brute-force attack based on the dictionary list?
A hybrid attack. Sometimes called a one-upped password attack.
What is the most acceptable form of biometrics to end users?
What is the most unacceptable form of biometric control to end users?
What is the stored sample of a biometric factor called?
A reference profile or a reference template
With what other forms of single sign-on can Kerberos be combined?
Any or all of them, including SESAME, KryptoKnight, NetSP, thin clients, directory services, and scripted access
How is the ticket-granting ticket used by Kerberos generated?
The user's password is hashed, and a timestamp is added.
What is a centralized database of resources available to the network?
A directory service
What are examples of rule-based access control?
MAC, RBAC, TBAC
What form of access control can combine levels of security domains with compartments of additional control and isolation?
MAC (specifically, a hybrid MAC environment)
What form of access control is best suited to those organizations with a high rate of employee turnover?
When an intrusion is detected, what should be the first response?
Contain or constrain the intrusion.
Once an intrusion has occurred, what is the most secure process for restoring the environment?
Format and reinstall from scratch.
What form of IDS is easier for an intruder to discover and disable?
What network device works primarily at the Application layer?
What are the most common causes of network failure?
Cable failures and misconfigurations
What type of cabling must be used to comply with building code safety requirements?
How many sockets does TCP have?
65,536 (2^16) sockets (aka ports), numbered from 0 to 65,535
What is the IP header protocol field value for TCP? UDP? ICMP? IGMP?
6, 17, 1, 2
What protocol is used by ping, pathping, and traceroute?
What is the APIPA range?
169.254.0.1 to 169.254.255.254 along with the default Class B subnet mask of 255.255.0.0
What port is used by IMAP?
What port is used by DHCP?
Port 68 for client request broadcast and port 67 for server point-to-point response
Network devices at what layer and above separate collision domains?
Network devices at what layer and above separate broadcast domains?
Which VPN protocol supports multiple simultaneous connections?
What is the primary weakness of satellite communications?
Large terrestrial footprint
What makes the usable throughput of ISDN less than the stated bandwidth?
The D channel is used only for call management, not data.
What type of system is a common target of attackers who want to disseminate email spam?
Open relay SMTP servers
What is the primary method to improve fax security?
Disable automatic printing of received faxes.
What is the form of new system deployment testing called when the new system and the old system are run simultaneously?
When an asset no longer needs or warrants a high security sensitivity label, what should occur?
What is the name of the security management approach in which senior management calls the shots?
What is the cost/benefit analysis equation for countermeasures?
(ALE before safeguard - ALE after implementing the safeguard) - annual cost of safeguard = value of the safeguard to the company
What type of relationships can be established with relational databases? With hierarchical databases? With distributed databases?
One-to-one, one-to-many, and many-to-many
What are the six basic SQL commands?
Select, Update, Delete, Insert, Grant, and Revoke
What is a placeholder for SQL literal values such as numbers or character strings?
What database security feature uses locking to prevent simultaneous write access to cells?
What database security feature can be used to subvert aggregation, inferencing, and contamination vulnerabilities?
What feature of databases allows two or more rows in the same table to appear to have identical primary key elements but contain different data for use at differing classification levels?
What acts as an interface between back-end database systems and user applications?
What attack collects numerous low-level security items or low-value items and combines them to create something of a higher security level or value?
What is more secure than a data warehouse and designed to store metadata?
What type of application analyzes business data and presents it in such a way as to make business decisions easier for users?
Decision support system
What security problem cannot be prevented or compensated for by environmental controls or hardware devices?
What is a valid security response when an application violates OS-imposed security, such as interfering with other processes or accessing hardware directly?
Stopping the environment, a STOP error, a BSOD
What is it called when programmers decompile vendor code in order to understand the intricate details of its functionality?
What is the communication to or input of an object?
What is the internal code that defines the actions an object performs in response to a message?
What are the results or output exhibited by an object based on processing a message through a method?
What is the collection of the common methods from a set of objects that is used to define the behavior of those objects?
What is it called when an object is an example of a class because the object contains a method from that class?
What characteristic describes an object that exhibits different behaviors based on the same message and methods because of variances in external conditions?
Highly __________ objects are not as dependent on other objects.
Lower ___________ provides better software design because objects are more independent.
What is a type of bar chart that shows the interrelationships over time between projects and schedules?
What is a project-scheduling tool that is used to judge the size of a software product in development and calculate the standard deviation for risk assessment?
Program Evaluation Review Technique (PERT)
What form of testing examines the internal logical structures of a program?
What form of testing examines the input and output of a program without focusing on the internal logical structures?
What form of testing examines the extent of the system testing in order to locate untested program logic?
Test data method
Which form of antivirus response not only removes the virus from the system but also repairs any related damage?
What is the name of the assumption that all algorithms should be public but all keys should remain private?
What is the range of valid values of keys for an algorithm called?
What defines the hardware and software requirements of cryptographic modules in use by the federal government?
Federal Information Processing Standards (FIPS-140)
What acts as a placeholder variable in mathematical functions and is used in random number generation?
What is a random bit string (a nonce) that is the same length as the block size that is XORed with the message and adds strength to cryptography systems?
Initialization vector (IV)
What is the most significant bit in a string?
The leftmost bit
What is it called when a plain-text message generates identical cipher-text messages using the same algorithm but different keys?
Clustering or key clustering
What is a concept of communication whereby a specific type of information is exchanged but no real data is exchanged?
What is the basic idea that the information or privilege required to perform an operation is divided among multiple users (it is an application of separation of duties)?
What is an example of split knowledge employed to protect key escrow?
M of N control
What is a way of measuring the strength of a cryptography system by measuring the effort in terms of cost and/or time?
Work function or work factor
What is an example of a polyalphabetic substitution cipher?
What attack is often successful against substitution ciphers?
What attack is often successful against polyalphabetic substitution ciphers?
What form of encryption is used to protect communications that occur in real time?
What form of encryption can provide secure communications between two parties when they have no prior method of communicating securely?
What modes of DES employ an IV?
CBC, CFB, OFB
What are the valid key sizes for RC5?
0 to 2,048 bits
If a message is signed and encrypted, what security services are you providing?
Confidentiality, integrity, authenticity/access control, and nonrepudiation
Who has the responsibility to ensure that communications are secured?
Historically, what custom protocol was used to provide cryptographically secure wireless network access for mobile devices?
Wireless Application Protocol (WAP)
What is the standard that wireless networking technology is based on?
What cryptographic attack attempts to find a weakness in the algorithm?
What cryptographic attack attempts to find a weakness in the software code?
What cryptographic attack attempts to exploit weaknesses in the computer hardware or operating system?
A _________ system is one in which all protection mechanisms work together to process sensitive data for many types of users while maintaining a stable and secure computing environment.
__________ is simply defined as the degree of confidence in satisfaction of security needs.
What are the security requests of a client called under Common Criteria?
What are the security features of a designed system called under Common Criteria?
What method of verifying or establishing a trusted label of system security requires a DAA?
Designated approving authority (DAA)
What is the name of the accreditation process of the Department of Defense?
Defense Information Technology Security Certification and Accreditation Process (DITSCAP)
What are the three forms of accreditation offered by National Information Assurance Certification and Accreditation Process (NIACAP)?
Site, type, system
What are often added to passwords under Linux to make their resultant hash even more secure?
When a disaster strikes but your ability to perform work tasks is only threatened, not actually interrupted, what response should be used?
What is always your top priority when dealing with a disaster of any type or significance?
Safety of personnel
What feature of insurance can improve your ability to replace lost or damaged assets?
Actual Cost Value (ACV)
What is the most common cause of unplanned downtime?
What are some examples of alternate processing facilities that should be considered when designing a DRP?
Hot, warm, and cold sites; mobile sites; service bureaus; multiple sites; and reciprocal agreements
What forms of backup always set the archive bit to 0?
Full and incremental
What backup media may be appropriate for personal backups but not for network backups?
Writable CDs and DVDs
What form of backup, when used to restore data, will always result in some amount of data loss?
What law requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order regardless of the technology in use?
Communications Assistance for Law Enforcement Act (CALEA) of 1994
What law extends the definition of property to include proprietary economic information so that the theft of this information can be considered industrial or corporate espionage?
Economic and Protection of Proprietary Information Act of 1996
__________ controls are your first line of defense, while ________ are your last line of defense.
What is the functional order of controls when deployed for physical security?
Deterrence, then denial, then detection, then delay
What type of lock consists of three elements: an electromagnet, a credential reader, and a door-closed sensor?
Electronic access control (EAC)
Reviewing the recorded images from CCTV is what type of security control?
What is the primary difference between memory cards and smart cards?
At what stage of a fire is a flame visible?
Stage 3: Flame
What is the most common cause of fires in a data center?
Overloaded electrical distribution outlets
Where should fire detectors be placed?
In dropped ceilings, raised floors, server rooms, private offices and public areas, HVAC vents, elevator shafts, the basement, and so on
What is the most common cause of failure of a water-based suppression system?
Name three vector routing protocols.
RIP, IGRP, BGP
Name an example of a link state routing protocol.
At what layer do SSL and TLS function?
Transport layer (OSI layer 4)
Name at least four technologies commonly called wireless.
802.11 networking, Bluetooth (802.15), mobile phones, and cordless phones
What are the three unlicensed frequencies (at least in the United States as designated by the FCC)?
900 MHz, 2.4 GHz, and 5 GHz
Name three wireless frequency access technologies.
FHSS, DSSS, and OFDM
What protocol can be used to enable mobile phone access to Internet resources?
Wireless Application Protocol (WAP)
What is the IEEE standard for Bluetooth?
What is the IEEE standard for WiMax?
What is another name for the area of Bluetooth connectivity?
Personal area network (PAN)
What is the primary security feature of Bluetooth pairing?
A four-digit PIN
What two items are required for infrastructure mode wireless networking?
Wireless access points and wireless clients
What mode is used when a wireless network link is established without the use of an access point?
Ad hoc or peer-to-peer
What is the minimum amount of information needed by a wireless client to connect to a network hosted by a wireless access point?
How many wireless networking channels exist on devices in the United States? In Europe? In Japan?
United States: 11, Europe: 13, Japan: 17
What is the native authentication and encryption scheme of 802.11?
Wired Equivalent Privacy (WEP)
Name two alternatives to WEP for 802.11.
WPA and WPA-2 (802.11i)
What two forms of authentication are supported by 802.11?
Open System Authentication (OSA) and Shared Key Authentication (SKA)
What is the minimum length of a TCP header?
How long is a UDP header?
What are the four TCP header flags that are used in virtual circuit setup and teardown?
SYN, ACK, FIN, and RES (or RST)
What two ICMP type field values are employed in a successful ping activity?
8: echo request, 0: echo reply
What is Control Objectives for Information and Related Technology (COBIT)?
A security concept infrastructure used to organize the complex security solution of companies.
What form of testing examines the internal logical structures of a program from a developer's perspective?
What form of testing examines the input and output of a program without access to the internal logical structures?
What form of testing examines the input and output of a program with access to the internal logical structures?
What kinds of items qualify as access controls?
Any hardware, software, or organizational administrative policy or procedure that maintains confidentiality, integrity, and/or accountability counts as an access control.
What is the proper term for ensuring that information is accessible only to authorized parties?
What is the proper term for the assurance that information and security controls used to protect information are accessible and usable when needed?
What is it called when an authorized party indicates its intention to fulfill some contractual obligation and forgoes its right to dispute that fulfillment after the fact?
Items of information used to establish or prove authorized identities are known as what kind of factors?
What kind of access control enforces access policy determined by the owner of the object to which the control applies?
Discretionary access control (DAC)
What kind of access control is determined by the system in which the object resides rather than its owner?
Mandatory access control (MAC)
Which access control scheme requires organizational roles to be defined along with various task requirements and applicable object permissions?
Role-based access control (RBAC)
Which access control scheme requires administrative rules to be defined along with the various conditions under which they apply as well as applicable object permissions?
Rule-based access control
What is the practice of defense in depth called when it involves a multilayered security infrastructure that includes multiple combined individual applications and processes?
Concentric circle strategy
What is the term for exercising reasonable care in protecting organizational assets and interests, including development of a formalized security structure consisting of policies, procedures, and protocols?
When users are granted only the minimum access necessary to complete some task or process, what principle is involved?
The principle of least privilege
What kinds of processes must be applied when confidential storage media is prepared for reuse in questionably secure environments?
What is the name for the demagnetization process used to erase disk drives or tapes to wipe out all previously stored data?
What kind of control does any security tool provide when it's used to guide the security implementation within an organization?
What kind of control does any mechanism, tool, or practice provide if it deters or mitigates undesirable actions or events?
What kind of control should be used to verify the effectiveness of other security controls?
What kind of check should be applied to ensure that all necessary elements of a security solution are properly deployed and functioning as expected?
What do you call a person who is trained in responsible network security methods, who employs a philosophy of nondestructive and nonintrusive penetration testing, but who may also use underground or black-hat tools?
What is the proper name for a criminal act committed against an organization by a current or former employee who exploits knowledge gained on the job in its perpetration?
What is the proper name for the illegal intent behind obtaining and profiting from sensitive information that belongs to some third party (government, corporation, individual, and so on)?
When a person attempts to deceive an insider within an organization to divulge sensitive information or to perform sensitive actions on their behalf, what might this be called?
When a penetration test team is privy to detailed information about organizational assets, including hardware and software inventory, but not to other information (accounts, users, naming conventions, and so on), how might this team be described?
When a penetration test team is privy only to what it itself can learn about the target organizations for the test, how might this team be described?
Zero-knowledge team (performs black-box testing)
What term identifies the data extraction technique whereby elements of data are extracted from a much larger body of data to construct a meaningful representation of its overall contents?
What governs how long records are kept to substantiate system security assessments and support system analysis?
What does BCP stand for, and what does it mean?
Business continuity planning (BCP) is the preventive practice of establishing and planning for threats to business flow, including natural and unnatural risk and threats to daily operations.
What does DRP stand for, and what does it mean?
Disaster recovery planning (DRP) is the practice of establishing and executing recovery actions as part of an emergency response following a disaster.
What term describes damage from disruptive and irresistible forces of nature (such as earthquakes, floods, storms, and so on)?
What term describes damage resulting from arson, human error, acts of terrorism, or power outages and other utility failures?
What kind of strategy drives defining practices, policies, and procedures to restore a business to normal operation in the wake of some kind of outage or disaster?
What label applies to a partial standby facility for which power and other infrastructure elements are available, but for which no operational computing facilities are supplied in advance of a disaster?
What label applies to a standby facility that is ready to take over for a primary facility as soon as notice is received that the primary facility has gone down?
What label applies to a site that is already provisioned with hardware and software to take over for a primary facility but that needs to obtain and install a backup or image of client-specific data before going online?
How might you describe a site housed in self-contained transportable units with all the control, hardware, and software elements necessary to establish an operational, safe computing environment?
What roles can a service bureau play in disaster recovery?
Service bureaus lease computer time via contractual agreements and can meet an organization's entire IT needs in the event of disaster or catastrophic failure.
What is critical path analysis?
A systematic effort to identify relationships between mission-critical applications, processes, and operations and all of the necessary supporting elements
Name three examples of administrative physical security controls.
Facility construction and selection, site management, personnel controls, security awareness training, emergency response, and procedures
Name three examples of technical physical security controls.
Access controls; intrusion detection; alarm systems; closed-circuit television (CCTV); monitoring systems; heating, ventilation, and air conditioning (HVAC) systems; power supplies; fire detection and suppression systems
Name three physical controls for physical security.
Fencing, lighting, locks, construction materials, mantraps, watchdogs, guards
What term describes the act of gathering information about a system by observing the display or watching an operator at the keyboard?
What term describes the act of using another person's security ID to gain unauthorized entry into a facility?
When one person follows another through a secured gate or doorway without presenting identification or otherwise being authenticated, what is this entry technique called?
What kind of system is designed to detect intrusions, breaches, or attack attempts as they are underway or after the fact?
Intrusion detection system (IDS)
What does UPS stand for, and what does it mean?
An uninterruptible power supply (UPS) is a type of self-charging battery that can be used to supply consistent clean power to sensitive equipment.
What does EMI stand for, and what does it mean?
Electromagnetic interference refers to any noise generated by electric current and can affect any means of data transmission or storage that relies on electromagnetic transport mechanisms.
Describe the models of systems development.
The waterfall model is a sequential development process that results in the development of a finished product. Developers may step back only one phase in the process if errors are discovered. The spiral model uses several iterations of the waterfall model to produce a number of fully specified and tested prototypes. Agile development models place an emphasis on the needs of the customer and quickly developing new functionality that meets those needs in an iterative fashion.
Describe the purpose of software development maturity models.
Maturity models help software organizations improve the maturity and quality of their software processes by implementing an evolutionary path from ad hoc, chaotic processes to mature, disciplined software processes.
What are the important elements of change and configuration management?
The three basic components of change control are request control, change control, and release control.
What is TEMPEST?
TEMPEST is a standard for the study and control of electronic signals produced by various types of electronic hardware, such as computers, televisions, phones, and so on. Its primary goal is to prevent EMI and RFI radiation from leaving a strictly defined area to eliminate the possibility of external radiation monitoring, eavesdropping, and signal sniffing.
What is static software testing?
Static testing evaluates the security of software without running it by analyzing either the source code or the compiled application. Static analysis usually involves the use of automated tools designed to detect common software flaws, such as buffer overflows.
What type of software testing is most appropriate when the tester does not have access to the underlying source code?
What does malicious code often create on an infected system to allow the developers of the malicious code to remotely access the system at a later time?
What name is given to the cryptographic concept of making the relationship between the plain text and the key so complex that an attacker can't use known plain text attacks to determine the key?
What types of organizations need to comply with PCI DSS?
Those that store, process, or transmit credit card account information
What trend makes it especially important to incorporate an assessment of security controls in contracting and procurement reviews?
The increased use of third-party and cloud services
What are the branches of forensic analysis?
Media analysis, network analysis, software analysis, and hardware/embedded device analysis
What is it called when a user has more access, privilege, or permission than their assigned work tasks dictate?
Excessive privileges (also known as the violation of least privilege)
What is it called when a user accumulates privileges over time as their job roles and assigned tasks change but unneeded privileges are not revoked?
Creeping privileges or privilege creep
Which access control scheme requires administrative rules to be defined along with the various conditions under which they apply as well as applicable object permissions?
Rule-based access control
Name three physical controls for physical security.
Fencing, lighting, locks, construction materials, mantraps, watchdogs, guards
What term is used to refer to the user or process that makes a request to access a resource?
What kind of control does any mechanism, tool, or practice provide if it deters or mitigates undesirable actions or events?
What process identifies the actual value of assets so that assets can be prioritized?
What process identifies and categorizes potential threats?
What process is used to identify weaknesses?
When evaluating access control attacks, what are three primary elements that must be identified?
Assets, threats, and vulnerabilities
A group of attackers is sponsored by a government. They are highly motivated, skilled, and patient and focused on a single target to gain and retain access over long periods of time. What is this group called?
Advanced persistent threat (APT)
What are often added to passwords to make their resultant hash secure and resistant to rainbow attacks?
What is a nonstatistical sampling method that only records or alerts on events that exceed a threshold?
What is a group of records from one or more databases or logs that can be used to reconstruct events after an incident?
What is the purpose of an access review and audit?
Check to ensure that users do not have excessive privileges and that accounts are managed appropriately
What can a user entitlement review detect?
Violation of the principle of least privilege policy, such as incidents of excessive privileges or creeping privileges
What types of accounts are focused on during a user entitlement review?
Privileged accounts such as administrator or root user accounts
Who should have access to audit reports?
Only people who have a need to know
What determines how often an audit should be performed?
What policy requires users to spend at least a week away from their jobs on an annual basis to help prevent fraud?
What method will remove all data with assurances that it cannot be recovered using any known methods?
Purging, sanitization, or destruction
What methods can be used to protect mobile devices such as a smartphone?
Encryption, GPS, password-protected screen locks, and remote wipe
What can be used to remove data on a lost smartphone?
What should be done before disposing of a desktop computer at the end of its life cycle?
What is the term that identifies data on a disk after the data has supposedly been erased?
What are the steps of a patch management program?
What can be used to verify patches have been applied?
Vulnerability scanner or a patch management system
What should be done to verify patches have been applied?
Audit patches, or use a vulnerability scanner to verify patches have been applied
What tool can check for weaknesses in systems?
What would be completed to check an entire organization for weaknesses?
What does imaging provide in relation to configuration management?
What helps prevent outages that can occur from unauthorized modifications?
What helps prevent inadvertent weakening of security from unauthorized outages?
What are the five steps in incident response quoted in the CISSP CIB?
Remediation and Review
In which stage of incident response should a root cause analysis be conducted?
Remediation and Review
While containing an incident, what is the next important consideration?
Protection of evidence
An attack has a negative effect on the confidentiality, integrity, or availability of an organization's assets. What is this called?
Computer security incident
What is it called when malware is installed on a user's system after visiting a website?
What three generic elements can help prevent malware infections?
Education, policies, and tools
An attacker has launched an attack using a vulnerability known only to him. What is this called?
What type of attack leverages part of the TCP three-way handshake?
SYN flood attack
What are computers in a botnet commonly called?
What is the best protection against a computer joining a botnet?
Up-to-date antivirus software
What type of IDS detects attacks based on known methods?
Knowledge-based (also called signature-based or pattern-matching)
What type of IDS detects attacks by comparing activity to a baseline?
Behavior-based (also called statistical-intrusion detection or anomaly detection)
After a network is upgraded, what must be done with a behavior-based IDS?
Upgrade the baseline
What is required before starting a penetration test?
Knowledge and consent of management
When a penetration test team is privy to detailed information about organizational assets, including hardware and software inventory, but not to other information (accounts, users, naming conventions, and so on), how might this team be described?
Partial-knowledge team (performs gray-box testing)
A penetration testing team has full knowledge about a target. What is this team called?
Full-knowledge team (performs white-box testing)
What is used to provide fault tolerance for a disk subsystem?
Redundant array of independent disks (RAID)
What is used to provide fault tolerance for a server?
What is used to provide short-term fault tolerance for a power failure?
Uninterruptible power supply (UPS)
What is used to provide long-term fault tolerance for a power failure?
What are three well-known but legacy non-IP protocols?
NetBIOS, IPX/SPX, NetBEUI, and AppleTalk
What are the six flags from the TCP header that we still commonly use and what is their order in the header?
XXUAPRSF. The X represents two flags no longer used, followed by Urgent, Acknowledgment, Push, Reset, Synchronization, and Finish. You can memorize this flag order using the phrase Unskilled Attackers Pester Real Security Folk.
What is VLAN hopping?
An attack using double-encapsulated IEEE 802.1Q VLAN tags to fool a switch into allowing traffic to jump to a different VLAN from which the traffic originated
What is NAC?
Network Access Control (NAC) is a concept of controlling access to an environment through strict adherence to and implementation of security policy. The goals of NAC are to prevent/reduce zero-day attacks, enforce security policy throughout the network, and use identities to perform access control.
What is endpoint security?
The concept that each individual device must maintain local security whether or not its network or telecommunications channels provide or offer security. Sometimes this is expressed as the end device is responsible for its own security.
On an 802.11 wireless network, what contains the regular announcement of the network name by default?
The beacon frame contains the SSID (i.e., network name) by default. This can be stopped using the Disable SSID Broadcast feature of a wireless access point.
What are the three standards-based forms of encryption of 802.11 wireless networks and the cryptography protocols related to each?
WEP (RC4), WPA (RC4, TKIP, LEAP), WPA-2 (AES/CCMP)
What is 802.1x?
Port authentication; basically a mechanism to proxy authentication from the local device to another dedicated authentication service within the network
What is war driving?
A collection of techniques to discover that a wireless network is present at a given location
What is a VLAN?
A hardware-imposed network segmentation created by switches used to manage traffic
What is multimedia collaboration?
The use of various multimedia-supporting communication solutions to enhance distance collaboration. Collaboration occurs when people can work on a project together. Often, collaboration allows workers to work simultaneously as well as across different timeframes.
What are two common attacks against Internet-based IM (instant messaging)?
Packet sniffing and eavesdropping attacks
What is screen scraping?
1) Remote control, remote access, or remote desktop-like services. 2) A technology that can allow an automated tool to interact with a human interface, such as extracting information from web pages.
What is virtualization?
Technology used to host one or more operating systems within the memory of a single host computer. This mechanism allows virtually any OS to operate on any hardware. It also allows multiple operating systems to work simultaneously on the same hardware.
What are the two main forms of DoS?
The first form exploits a vulnerability in hardware or software. It takes advantage of a weakness, error, or standard feature of software to cause a system to hang, freeze, consume all system resources, and so on. The end result is that the victimized computer is unable to process any legitimate tasks. The second form floods the victim's communication pipeline with garbage network traffic. This is sometimes called a traffic generation or flooding attack.
What is security management planning?
Security management planning ensures proper creation, implementation, and enforcement of a security policy. Security management is a responsibility of upper management, not of the IT staff, and is considered a business operations issue rather than an IT administration issue.
What is security governance?
Security governance is the collection of practices related to supporting, defining, and directing the security efforts of an organization. A common goal of organizational governance is to ensure that the organization will continue to exist and will grow or expand over time.
What is third-party governance?
Third-party governance is the system of oversight that may be mandated by law, regulation, industry standards, or licensing requirements. The actual method of governance may vary but generally involves an outside investigator or auditor.
What is documentation review?
Documentation review is the process of not just reading the exchanged materials but verifying them against standards and expectations. The documentation review is typically performed before any on-site inspection is performed.
Define the Goguen-Meseguer model.
The Goguen-Meseguer model is an integrity model based on predetermining the set or domain of objects that a subject can access. This model is based on automation theory and domain separation.
Define the Sutherland model.
The Sutherland model is an integrity model focused on preventing interference in support of integrity. It is based on the idea of defining a set of system states, initial states, and state transitions. By using, and restricting the system to, only these predetermined secure states, integrity is maintained and interference is prohibited.
Define the Graham-Denning model.
The Graham-Denning model is focused on the secure creation and deletion of both subjects and objects. Ultimately, it is a collection of eight primary protection rules or actions that define the boundaries of certain secure actions.
What are some benefits of virtualization?
Being able to launch individual instances of servers or services as needed, real-time scalability, and being able to run the exact needed OS version for the needed application
What is TPM?
Trusted Platform Module (TPM) is a cryptoprocessor chip on a mainboard used to store and process cryptographic keys for the purposes of a hardware-supported or -implemented hard drive encryption system.
What is an HSM?
A hardware security module (HSM) is a cryptoprocessor used to manage/store digital encryption keys, accelerate crypto operations, support faster digital signatures, and improve authentication.
What is cloud computing?
A concept of computing where processing and storage are performed elsewhere over a network connection rather than locally
What are some issues or concerns regarding cloud computing?
Privacy concerns, regulation compliance difficulties, use of open/closed source solutions, adoption of open standards, and whether or not cloud-based data is actually secured (or even securable)
What is PaaS?
Platform as a Service (PaaS) is the concept of providing a computing platform and software solution stack as a virtual or cloud-based service.
What is SaaS?
Software as a Service (SaaS) is a derivative of Platform as a Service (PaaS). Software as a Service provides on-demand online access to specific software applications or suites without the need for local installation (or even local hardware and OS requirements in many cases).
What is IaaS?
Infrastructure as a Service (IaaS) takes the Platform as a Service (PaaS) model another step forward. It provides not just on-demand operating solutions but complete outsourcing options as well. This can include utility or metered computing services, administrative task automation, dynamic scaling, virtualization services, policy implementation and management services, and managed/filtered Internet connectivity.
What is grid computing?
Grid computing is a form of parallel distributed processing that loosely groups a significant number of processing nodes toward the completion of a specific processing goal.
What is technology convergence?
The tendency for various technologies, solutions, utilities, and systems to evolve and merge over time. Often this results in multiple systems performing similar or redundant tasks or one system taking over the features and abilities of another. While in some instances this can result in improved efficiency and cost savings, it can also be an increased single point of failure and can become a more valuable target for hackers and intruders.
Define the aspect of confidentiality known as sensitivity.
Sensitivity refers to the quality of information that could cause harm or damage if disclosed. Maintaining confidentiality of sensitive information helps to prevent harm or damage.
Define the aspect of confidentiality known as discretion.
Discretion is an act of decision whereby an operator can influence or control disclosure in order to minimize harm or damage.
Define the aspect of confidentiality known as criticality.
The level to which information is mission critical is its measure of criticality. The higher the level of criticality, the more likely the need to maintain the confidentiality of the information. High levels of criticality are essential to the operation or function of an organization.
Define the aspect of confidentiality known as concealment.
Concealment is the act of hiding or preventing disclosure. Often concealment is viewed as a means of cover, obfuscation, or distraction.
Define the aspect of confidentiality known as secrecy.
Secrecy is the activity of keeping something a secret or preventing the disclosure of information.
Define the aspect of confidentiality known as privacy.
Privacy refers to keeping information confidential that is personally identifiable or that might cause harm, embarrassment, or disgrace to someone if revealed.
Define the aspect of confidentiality known as seclusion.
Seclusion refers to storing something in an out-of-the-way location. This location can also provide strict access controls. Seclusion can help enforce confidentiality protections.
Define the aspect of confidentiality known as isolation.
Isolation is the act of keeping something separated from others. Isolation can be used to prevent co-mingling of information or disclosure of information.
What is a business case?
A business case is usually a documented argument or stated position in order to define a need to make a decision or take some form of action. To make a business case is to demonstrate a business-specific need to alter an existing process or choose an approach to a business task. A business case is often made to justify the start of a new project, especially a project related to security. It is also important to consider the budget that can be allocated to a business-need-based security project.
What is threat modeling?
Threat modeling is the security process whereby potential threats are identified, categorized, and analyzed. Threat modeling can be performed as a proactive measure during design and development or as a reactive measure once a product has been deployed.
What is SD3+C?
Secure by Design, Secure by Default, Secure in Deployment and Communication
What are the two goals of SD3+C?
To reduce the number of security-related design and coding defects. To reduce the severity of any remaining defects.
Define proactive and reactive threat modeling.
A proactive approach to threat modeling takes place during early stages of systems development, specifically during initial design and specifications establishment. This type of threat modeling is also known as a defensive approach. This method is based on predicting threats and designing in specific defenses during the coding and crafting process rather than relying on post-deployment updates and patches.

A reactive approach to threat modeling takes place after a product has been created and deployed. This deployment could be in a test or laboratory environment or to the general marketplace. This type of threat modeling is also known as the adversarial approach. This technique of threat modeling is the core concept behind ethical hacking, penetration testing, source code review, and fuzz testing.
Name the three common approaches to identifying threats.
Focused on assets, focused on attackers, and focused on software.
What is STRIDE?
Microsoft developed a threat categorization scheme known as STRIDE. STRIDE is often used in relation to assessing threats against applications or operating systems. However, it can also be used in other contexts as well. STRIDE is an acronym standing for Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege.
What is reduction analysis?
Reduction analysis is also known as decomposing the application, system, or environment. The purpose of this task is to gain a greater understanding of the logic of the product as well as its interactions with external elements. Whether an application, a system, or an entire environment, it needs to be divided into smaller containers or compartments.
Name three methods to rank and prioritize threats.
Probability * Damage Potential, high/medium/low, or DREAD.
What is DREAD?
DREAD is a threat rating system designed to provide a flexible rating solution that is based on asking five main questions of each threat:
Damage potential: How severe is the damage likely to be if the threat is realized?
Reproducibility: How complicated is it for attackers to reproduce the exploit?
Exploitability: How hard is it to perform the attack?
Affected users: How many users are likely to be affected by the attack (as a percentage)?
Discoverability: How hard is it for an attacker to discover the weakness?
What is cross-training?
Cross-training is often discussed as an alternative to job rotation. In both cases, workers learn the responsibilities and tasks of multiple job positions. However, in cross-training the workers are just prepared to perform the other job positions; they are not rotated through them on a regular basis. Cross-training enables existing personnel to fill the work gap when the proper employee is unavailable as a type of emergency response procedure.
What is compliance?
Compliance is the act of conforming to or adhering to rules, policies, regulations, standards, or requirements. Compliance is an important concern to security governance.
What is a risk framework?
A risk framework is a guideline or recipe for how risk is to be assessed, resolved, and monitored.
What is FISMA?
The Federal Information Security Management Act (FISMA), passed in 2002, requires that federal agencies implement an information security program that covers the agency's operations. FISMA also requires that government agencies include the activities of contractors in their security management programs.
What is HITECH?
In 2009, Congress amended HIPAA by passing the Health Information Technology for Economic and Clinical Health (HITECH) Act. This law updated many of HIPAA's privacy and security requirements and was implemented through the HIPAA Omnibus Rule in 2013.
What are the parameters of the HITECH data breach notification requirements?
Under the HITECH Breach Notification Rule, HIPAA-covered entities that experience a data breach must notify affected individuals of the breach and must also notify both the Secretary of Health and Human Services and the media when the breach affects more than 500 individuals.
What is an early step in asset security?
Classifying and labeling assets.
What is sensitive data?
Sensitive data is any information that isn't public or unclassified. It can include confidential, proprietary, protected, or any other type of data that an organization needs to protect due to its value to the organization or to comply with existing laws and regulations.
What is PII?
Personally identifiable information (PII) is any information that can identify an individual.
What is PHI?
Protected health information (PHI) is any health-related information that can be related to a specific person. In the US, the Health Insurance Portability and Accountability Act (HIPAA) mandates the protection of PHI.
What is proprietary data?
Proprietary data refers to any data that helps an organization maintain a competitive edge. It could be software code it developed, technical plans for products, internal processes, intellectual property, or trade secrets. If competitors are able to access the proprietary data, it can seriously affect the primary mission of an organization.
What legal protections exist for proprietary data?
Copyrights, patents, and trade secret laws provide protection for proprietary data.
What are the three data states and their definitions?
Data at rest is any data stored on media such as system hard drives, external USB drives, storage area networks (SANs), and backup tapes. Data in transit (sometimes called data in motion) is any data transmitted over a network. This includes data transmitted over an internal network using wired or wireless methods and data transmitted over public networks such as the Internet. Data in use refers to data in temporary storage buffers while an application is using it.
When sensitive data is no longer needed by an organization, what should be done with it?
When an organization no longer needs sensitive data, personnel should destroy it. Proper destruction ensures that it cannot fall into the wrong hands and result in unauthorized disclosure.
What is data remanence?
Data remanence is the data that remains on a hard drive as residual magnetic flux. Using system tools to delete data generally leaves much of the data remaining on the media, and widely available tools can easily undelete it. Even when you use sophisticated tools to overwrite the media, traces of the original data may remain as less-perceptible magnetic fields.
In relation to storage media, what is erasing?
Erasing media is simply performing a delete operation against a file, a selection of files, or the entire media. In most cases, the deletion or removal process removes only the directory or catalog link to the data. The actual data remains on the drive.
In relation to storage media, what is clearing?
Clearing, or overwriting, is a process of preparing media for reuse and assuring that the cleared data cannot be recovered using traditional recovery tools. When media is cleared, unclassified data is written over all addressable locations on the media.
In relation to storage media, what is purging?
Purging is a more intense form of clearing that prepares media for reuse in less-secure environments. It provides a level of assurance that the original data is not recoverable using any known methods. A purging process will repeat the clearing process multiple times and may combine it with another method such as degaussing to completely remove the data. Even though purging is intended to remove all data remnants, it isn't always trusted.
In relation to storage media, what is declassification?
Declassification involves any process that purges media or a system in preparation for reuse in an unclassified environment. Purging can be used to prepare media for declassification, but often the efforts required to securely declassify media are significantly greater than the cost of new media for a less-secure environment.
In relation to storage media, what is sanitization?
Sanitization is a combination of processes that removes data from a system or from media. It ensures that data cannot be recovered by any means.
What is degaussing?
A degausser creates a strong magnetic field that erases data on some media in a process called degaussing. Technicians commonly use degaussing methods to remove data from magnetic tapes with the goal of returning the tape to its original state. While it is possible to degauss hard disks, it is not recommended. Degaussing a hard disk will normally destroy the electronics used to access the data.
What are some methods of storage media destruction?
Destruction is the final stage in the life cycle of media and is the most secure method of sanitizing media. When destroying media it's important to ensure that the media cannot be reused or repaired and that data cannot be extracted from the destroyed media. Methods of destruction include incineration, crushing, shredding, disintegration, and dissolving using caustic or acidic chemicals. Some organizations remove the platters in highly classified disk drives and destroy them separately.
What are scoping and tailoring?
Scoping refers to reviewing baseline security controls and selecting only those controls that apply to the IT system you're trying to protect. Tailoring refers to modifying the list of security controls within a baseline so that they align with the mission of the organization.
In 2012, the committee overseeing the development of SHA-3 made what announcement?
In 2012, the federal government design committee announced the selection of the Keccak algorithm as the SHA-3 standard. However as of mid-2015, the SHA-3 standard remains in draft form and some technical details still require finalization.
What is POODLE?
In 2014, an attack known as the Padding Oracle On Downgraded Legacy Encryption (POODLE) demonstrated a significant flaw in the SSL 3.0 fallback mechanism of TLS. In an effort to remediate this vulnerability, many organizations completely dropped SSL support and now rely solely on TLS security.
What is DRM?
Digital rights management (DRM) software uses encryption to enforce copyright restrictions on digital media.
What is a cryptographic salt and what is it used for?
The cryptographic salt is a random value that is added to the end of the password before the operating system hashes the password. The salt is then stored in the password file along with the hash. It is used to help combat the use of brute-force attacks, including those aided by dictionaries and rainbow tables.
What is transitive trust?
Transitive trust is the concept that if A trusts B and B trusts C, then A inherits trust of C through the transitive property, which works like it would in a mathematical equation: if A = B, and B = C, then A = C. In this example, when A requests data from B, then B requests data from C, the data that A receives is essentially from C. Transitive trust is a serious security concern because it may enable bypassing of restrictions or limitations between A and C.
What is the purpose of memory protection?
Memory protection is used to prevent an active process from interacting with an area of memory that was not specifically assigned or allocated to it. Memory protection is a core security component that must be designed and implemented into an operating system. It must be enforced regardless of the programs executing in the system. Otherwise instability, violation of integrity, denial of service, and disclosure are likely results.
What is flash memory?
Flash memory is a derivative concept from EEPROM. It is a nonvolatile form of storage media that can be electronically erased and rewritten. The primary difference between EEPROM and flash memory is that EEPROM must be fully erased to be rewritten, while flash memory can be erased and written in blocks or pages.
What is UEFI?
UEFI (Unified Extensible Firmware Interface) is a more advanced interface (than BIOS) between hardware and the operating system, which maintains support for legacy BIOS services.
What is a local cache?
A local cache is anything that is temporarily stored on the client for future reuse. There are many local caches on a typical client, including ARP cache, DNS cache, and Internet files cache.
What are two forms of ARP poisoning?
ARP cache poisoning is caused by an attacker responding to ARP broadcast queries in order to send back falsified replies. A second form of ARP cache poisoning is to create static ARP entries.
What are five examples of DNS poisoning?
HOSTS poisoning, authorized DNS server attack, caching DNS server attack, changing a DNS server address, and DNS query spoofing
What is data analytics?
Data analytics is the science of raw data examination with the focus of extracting useful information out of the bulk information set. The results of data analytics could focus on important outliers or exceptions to normal or standard items, a summary of all data items, or some focused extraction and organization of interesting information.
What is big data?
Big data refers to collections of data that have become so large that traditional means of analysis or processing are ineffective, inefficient, and insufficient. Big data involves numerous difficult challenges, including collection, storage, analysis, mining, transfer, distribution, and results presentation.
What are parallel data systems?
Parallel data systems or parallel computing is a computation system designed to perform numerous calculations simultaneously. But parallel data systems often go far beyond basic multiprocessing capabilities. They often include the concept of dividing up a large task into smaller elements, then distributing each subelement to a different processing subsystem for parallel computation. This implementation is based on the idea that some problems can be solved efficiently if they are broken into smaller tasks that can be worked on concurrently.
What is an ICS?
An industrial control system (ICS) is a form of computer-management device that controls industrial processes and machines. ICSs are used across a wide range of industries, including manufacturing, fabrication, electricity generation and distribution, water distribution, sewage processing, and oil refining.
What are three forms of ICS?
There are several forms of ICS, including distributed control systems (DCS), programmable logic controllers (PLC), and supervisory control and data acquisition (SCADA).
Where are DCS systems used and why?
Distributed control systems (DCS) units are typically found in industrial process plants where the need to gather data and implement control over a large-scale environment from a single location is essential. An important aspect of DCS is that the controlling elements are distributed across the monitored environment, such as a manufacturing floor or a production line, while the centralized monitoring location sends commands out to those localized controllers while gathering status and performance data.
What is a PLC?
Programmable logic controller (PLC) units are effectively single-purpose or focused-purpose digital computers. They are typically deployed for the management and automation of various industrial electromechanical operations, such as controlling systems on an assembly line or a large-scale digital light display.
What is SCADA?
Supervisory control and data acquisition (SCADA) systems can operate as a stand-alone device, be networked together with other SCADA systems, or be networked with traditional IT systems. Most SCADA systems are designed with minimal human interfaces. Often, they use mechanical buttons and knobs or simple LCD screen interfaces.
Name five generic terms that refer to mobile phones, tablets, and other similar devices.
A device owned by an individual can be referenced using any of these terms: portable device, mobile device, personal mobile device (PMD), personal electronic device or portable electronic device (PED), and personally owned device (POD).
What is Android (the OS)?
Android is a mobile device OS based on Linux; Google acquired Android in 2005. The Android source code is made open source through the Apache license, but most devices also include proprietary software. Although it's mostly intended for use on phones and tablets, Android is being used on a wide range of devices, including televisions, game consoles, digital cameras, microwaves, watches, e-readers, cordless phones, and ski goggles.
What is iOS?
iOS is the mobile device OS from Apple that is available on the iPhone, iPad, iPod, and Apple TV. iOS isn't licensed for use on any non-Apple hardware. Thus, Apple is in full control of the features and capabilities of iOS.
What is remote wiping?
Remote wipe lets you delete all data and possibly even configuration settings from a device remotely. The wipe process can be triggered over mobile phone service or sometimes over any Internet connection.
What is storage segmentation on a mobile device?
Storage segmentation is used to artificially compartmentalize various types or values of data on a storage medium. On a mobile device, the device manufacturer and/or the service provider may use storage segmentation to isolate the device's OS and preinstalled apps from user-installed apps and user data.
What is MDM?
Mobile device management (MDM) is a software solution to the challenging task of managing the myriad mobile devices that employees use to access company resources. The goals of MDM are to improve security, provide monitoring, enable remote management, and support troubleshooting. Many MDM solutions support a wide range of devices and can operate across many service providers. You can use MDM to push or remove apps, manage data, and enforce configuration settings both over the air (across a carrier network) and over Wi-Fi connections.
What is credential management?
The storage of credentials in a central location is referred to as credential management. Given the wide range of Internet sites and services, each with its own particular logon requirements, it can be a burden to use unique names and passwords. Credential management solutions offer a means to securely store a plethora of credential sets.
What is geo-tagging?
Mobile devices with GPS support enable the embedding of geographical location (geo-tagging) in the form of latitude and longitude as well as date/time information on photos taken with these devices.
What is application whitelisting?
Application whitelisting is a security option that prohibits unauthorized software from being able to execute. Whitelisting is also known as deny by default or implicit deny. In application security, whitelisting prevents any and all software, including malware, from executing unless it's on the preapproved exception list: the whitelist.
What is BYOD?
Bring-your-own-device (BYOD) is a policy that allows employees to bring their own personal mobile devices to work and use those devices to connect to (or through) the company network to business resources and/or the Internet. Although BYOD may improve employee morale and job satisfaction, it increases security risk to the organization.
What is an embedded system?
An embedded system is a computer implemented as part of a larger system. The embedded system is typically designed around a limited set of specific functions in relation to the larger product of which it's a component. It may consist of the same components found in a typical computer system, or it may be a microcontroller (an integrated chip with on-board memory and peripheral ports). Examples of embedded systems include network-attached printers, smart TVs, HVAC controls, smart appliances, smart thermostats, Ford SYNC (a Microsoft embedded system in vehicles), and medical devices.
What is a static system?
A static system or static environment is a set of conditions, events, and surroundings that don't change. In theory, once understood, a static environment doesn't offer new or surprising elements. A static IT environment is any system that is intended to remain unchanged by users and administrators. The goal is to prevent or at least reduce the possibility of a user implementing change that could result in reduced security or functional operation.
What is a cyber-physical system?
Cyber-physical system is a term used to refer to devices that offer a computational means to control something in the physical world. In the past these might have been referred to as embedded systems, but the category of cyber-physical seems to focus more on the physical world results rather than the computational aspects.
What is IoT?
Internet of Things (IoT) is the collection of devices that can communicate over the Internet with each other or with a control console in order to affect and monitor the real world. IoT devices might be labeled as smart devices or smart home equipment.
What is DNP3?
DNP3 (Distributed Network Protocol) is a multilayer protocol primarily used in the electric and water utility and management industries. It is used to support communications between data acquisition systems and the system control equipment. DNP3 is an open and public standard. DNP3 is a multilayer protocol that functions similarly to TCP/IP, in that it has link, transport, and transportation layers. Natively, it has no security.
What are converged protocols?
Converged protocols are the merging of specialty or proprietary protocols with standard protocols, such as those from the TCP/IP suite. The primary benefit of converged protocols is the ability to use existing TCP/IP supporting network infrastructure to host special or proprietary services without the need for unique deployments of alternate networking hardware. Common examples of converged protocols include FCoE, MPLS, iSCSI, and VOIP.
What is FCoE?
Fibre Channel over Ethernet (FCoE) can be used to support Fibre Channel communications over the existing network infrastructure. FCoE is used to encapsulate Fibre Channel communications over Ethernet networks. It typically requires 10 Gbps Ethernet in order to support the Fibre Channel protocol.
What is MPLS?
MPLS (multiprotocol label switching) is a high-throughput, high-performance network technology that directs data across a network based on short path labels rather than longer network addresses.
What is iSCSI?
Internet Small Computer System Interface (iSCSI) is a networking storage standard based on IP. This technology can be used to enable location-independent file storage, transmission, and retrieval over LAN, WAN, or public Internet connections. iSCSI is often viewed as a low-cost alternative to Fibre Channel.
What is VoIP?
Voice over IP (VoIP) is a tunneling mechanism used to transport voice and/or data over a TCP/IP network. VoIP has the potential to replace or supplant PSTN because it's often less expensive and offers a wider variety of options and features.
What is SDN?
Software-defined network (SDN) is a unique approach to network operation, design, and management. SDN aims at separating the infrastructure layer (i.e., hardware and hardware-based settings) from the control layer (i.e., network services of data transmission management). Furthermore, this also removes the traditional networking concepts of IP addressing, subnets, routing, and so on from needing to be programmed into or be deciphered by hosted applications.
What is a captive portal?
A captive portal is an authentication technique that redirects a newly connected wireless web client to a portal access control page. The portal page may require the user to input payment information, provide logon credentials, or input an access code.
What is a site survey?
A site survey is a formal assessment of wireless signal strength, quality, and interference using a RF signal detector. A site survey is performed by placing a wireless base station in a desired location and then collecting signal measurements from the area. The signal measurements are overlaid onto a blueprint of the building to determine whether sufficient signal is present where needed, while minimizing signals outside the desired location.
What is a CDN?
A content-distribution network (CDN) or content delivery network is a collection of resource services deployed in numerous data centers across the Internet in order to provide low-latency, high-performance, high-availability hosting of content.
What is port isolation or private ports in relation to VLANs?
These are private VLANs that are configured to use a dedicated or reserved uplink port. The members of a private VLAN or a port isolated VLAN can only interact with each other and over the predetermined exit port or uplink port. A common implementation of port isolation occurs in hotels.
What is guest OS?
Virtualization technology is used to host one or more operating systems within the memory of a single host computer. This mechanism allows virtually any OS to operate on any hardware. Such an OS is also known as a guest operating system. From the perspective that there is an original or host OS installed directly on the computer hardware, the additional OSes hosted by the hypervisor system are guests.
What is OAuth?
OAuth is an open SSO standard designed to work with HTTP, and it allows users to log on with one account. For example, users can log onto their Google account and use the same account to access Facebook and Twitter pages.
What is OpenID?
OpenID is also an open SSO standard but it is maintained by the OpenID Foundation rather than as an IETF RFC standard. OpenID can be used in conjunction with OAuth or on its own.
What is IDaaS?
Identity as a Service, or Identity and Access as a Service (IDaaS), is a third-party service that provides identity and access management. IDaaS effectively provides SSO for the cloud and is especially useful when internal clients access cloud-based Software as a Service (SaaS) applications.
What is ABAC?
An advanced implementation of a rule-BAC is an attribute-based access control (ABAC) model. ABAC models use policies that include multiple attributes for rules. Many software-defined networking applications use ABAC models.
What is a security test for?
Security tests verify that a control is functioning properly. These tests include automated scans, tool-assisted penetration tests, and manual attempts to undermine security.
What is a security assessment?
Security assessments are comprehensive reviews of the security of a system, application, or other tested environment. During a security assessment, a trained information security professional performs a risk assessment that identifies vulnerabilities in the tested environment that may allow a compromise and makes recommendations for remediation as needed.
What is a security audit?
Security audits use many of the same techniques followed during security assessments but must be performed by independent auditors.
What are vulnerability scans?
Vulnerability scans automatically probe systems, applications, and networks looking for weaknesses that may be exploited by an attacker. The scanning tools used in these tests provide quick, point-and-click tests that perform otherwise tedious tasks without requiring manual intervention.
What is nmap?
The most common tool used for network discovery scanning is an open source tool called nmap. Originally released in 1997, nmap is remarkably still maintained and in general use today. It remains one of the most popular network security tools, and almost every security professional either uses nmap regularly or used it at some point in their career.
What are network vulnerability scans?
Network vulnerability scans go deeper than discovery scans. They don't stop with detecting open ports but continue on to actually probe a targeted system or network for the presence of known vulnerabilities. These tools contain databases of thousands of known vulnerabilities along with tests they can perform to identify whether a system is susceptible to each vulnerability in the system's database.
What is a false positive?
When the scanner tests a system for vulnerabilities, it uses the tests in its database to determine whether a system may contain the vulnerability. In some cases, the scanner may not have enough information to conclusively determine that a vulnerability exists and it reports a vulnerability when there really is no problem. This situation is known as a false positive report and is sometimes seen as a nuisance to system administrators.
What is a false negative?
Far more dangerous than a false positive is when the vulnerability scanner misses a vulnerability and fails to alert the administrator to the presence of a dangerous situation. This error is known as a false negative report.
What are web vulnerability scanners?
Web vulnerability scanners are special-purpose tools that scour web applications for known vulnerabilities. They play an important role in any security testing program because they may discover flaws not visible to network vulnerability scanners. When an administrator runs a web application scan, the tool probes the web application using automated techniques that manipulate inputs and other parameters to identify web vulnerabilities.
What is a penetration test?
The penetration test goes beyond vulnerability testing techniques because it actually attempts to exploit systems. Security professionals performing penetration tests actually try to defeat security controls and break into a targeted system or application to demonstrate the flaw.
What is Nessus?
An example of a vulnerability scanner.
What is Metasploit?
A penetration testing tool used to automatically execute exploits against targeted systems. Metasploit uses a scripting language to allow the automatic execution of common attacks, saving testers (and hackers!) quite a bit of time by eliminating many of the tedious, routine steps involved in executing an attack.
What is code review?
Code review is the foundation of software assessment programs. During a code review, also known as a peer review, developers other than the one who wrote the code review it for defects. Code reviews may result in approval of an application's move into a production environment or they may send the code back to the original developer with recommendations for rework of issues detected during the review.
The Fagan code review process has six steps. Name them.
What is static testing?
Static testing evaluates the security of software without running it by analyzing either the source code or the compiled application. Static analysis usually involves the use of automated tools designed to detect common software flaws, such as buffer overflows.
What is dynamic testing?
Dynamic testing evaluates the security of software in a runtime environment and is often the only option for organizations deploying applications written by someone else. In those cases, testers often do not have access to the underlying source code.
What are synthetic transactions?
Dynamic testing may include the use of synthetic transactions to verify system performance. These are scripted transactions with known expected results. The testers run the synthetic transactions against the tested code and then compare the output of the transactions to the expected state.
What is fuzz testing?
Fuzz testing is a specialized dynamic testing technique that provides many different types of input to software to stress its limits and find previously undetected flaws. Fuzz testing software supplies invalid input to the software, either randomly generated or specially crafted to trigger known software vulnerabilities.
Name two types of fuzz testing.
Mutation (dumb) fuzzing takes previous input values from actual operation of the software and manipulates (or mutates) it to create fuzzed input. It might alter the characters of the content, append strings to the end of the content, or perform other data manipulation techniques.
Generational (intelligent) fuzzing develops data models and creates new fuzzed input based on an understanding of the types of data used by the program.
What is the zzuf tool used for?
The zzuf tool automates the process of mutation fuzzing by manipulating input according to user specifications.
What is interface testing?
Interface testing assesses the performance of modules against the interface specifications to ensure that they will work together properly when all of the development efforts are complete.
What is misuse case testing?
In some applications, there are clear examples of ways that software users might attempt to misuse the application. Software testers use a process known as misuse case testing or abuse case testing to evaluate the vulnerability of their software to these known risks.
What is test coverage analysis?
While testing is an important part of any software development process, it is unfortunately impossible to completely test any piece of software. There are simply too many ways that software might malfunction or undergo attack. Software testing professionals often conduct a test coverage analysis to estimate the degree of testing conducted against the new software.
Security managers should monitor key performance and risk indicators on an ongoing basis. Name some potential examples of metrics that should be monitored.
Number of open vulnerabilities
Time to resolve vulnerabilities
Number of compromised accounts
Number of software flaws detected in preproduction scanning
Repeat audit findings
User attempts to visit known malicious sites
What is entitlement?
Entitlement refers to the amount of privileges granted to users, typically when first provisioning an account.
What is segregation of duties?
Segregation of duties is similar to a separation of duties and responsibilities policy, but it also combines the principle of least privilege. The goal is to ensure that individuals do not have excessive system access that may result in a conflict of interest.
What is two-person control?
Two-person control (often called the two-man rule) is similar to segregation of duties. It requires the approval of two individuals for critical tasks.
What is versioning?
Versioning typically refers to version control used in software configuration management. A labeling or numbering system differentiates between different software sets and configurations across multiple machines or at different points in time on a single machine.
What is CVE?
Vulnerabilities are commonly referred to using the Common Vulnerability and Exposures (CVE) dictionary. The CVE dictionary provides a standard convention used to identify vulnerabilities. MITRE maintains the CVE database, and you can view it at www.cve.mitre.org.
What is DDoS?
A distributed denial of service (DDoS) attack occurs when multiple systems attack a single system at the same time.
What is DRDoS?
A distributed reflective denial of service (DRDoS) attack is a variant of a DoS. It uses a reflected approach to an attack. In other words, it doesn't attack the victim directly but instead manipulates traffic or a network service so that the attacks are reflected back to the victim from other sources.
What is a ping flood?
A ping flood attack floods a victim with ping requests. This can be very effective when launched by zombies within a botnet as a DDoS attack. If tens of thousands of systems simultaneously send ping requests to a system, the system can be overwhelmed trying to answer the ping requests.
What is a drive-by download?
A drive-by download is code downloaded and installed on a user's system without the user's knowledge. Attackers modify the code on a web page, and when the user visits, the code downloads and installs malware on the user's system without the user's knowledge or consent.
What is war dialing?
War dialing means using a modem to search for a system that accepts inbound connection attempts.
What is a honeypot or a honeynet?
A honeypot is an individual computer created as a trap for intruders. A honeynet is two or more networked honeypots used together to simulate a network. They look and act like legitimate systems, but they do not host data of any real value for an attacker.
What is a pseudo flaw?
A pseudo flaw is a false vulnerability or apparent loophole intentionally implanted in a system in an attempt to tempt attackers. They are often used on honeypot systems to emulate well-known operating system vulnerabilities.
What is a padded cell?
A padded cell system is similar to a honeypot, but it performs intrusion isolation using a different approach. When an IDS detects an intruder, that intruder is automatically transferred to a padded cell.
What is sandboxing?
Sandboxing provides a security boundary for applications and prevents the application from interacting with other applications. Anti-malware applications use sandboxing techniques to test unknown applications. If the application displays suspicious characteristics, the sandboxing technique prevents the application from infecting other applications or the operating system.
Many organizations use a centralized application to automate monitoring of systems on a network. Name three terms that refer to these types of systems.
Security Information and Event Management (SIEM), Security Event Management (SEM), and Security Information Management (SIM)
In relation to auditing and monitoring, what is sampling?
Sampling, or data extraction, is the process of extracting specific elements from a large collection of data to construct a meaningful representation or summary of the whole. In other words, sampling is a form of data reduction that allows someone to glean valuable information by looking at only a small sample of data in an audit trail.
What is egress monitoring?
Egress monitoring refers to monitoring outgoing traffic to prevent data exfiltration, which is the unauthorized transfer of data. Some common methods used to prevent data exfiltration are data loss prevention techniques, looking for steganography attempts, and watermarking.
What is DLP?
Data loss prevention (DLP) systems attempt to detect and block data exfiltration attempts. These systems have the capability of scanning data looking for keywords and data patterns.
Name two common types of DLP.
A network-based DLP scans all outgoing data looking for specific data. An endpoint-based DLP can scan files stored on a system and files sent to external devices.
What is steganography?
Steganography is the practice of embedding a message within a file.
What is watermarking?
Watermarking is the practice of embedding an image or pattern in paper that isn't readily perceivable. It is often used with currency to thwart counterfeiting attempts. Similarly, organizations often use watermarking in digital documents and other types of files.
What is system resilience?
System resilience refers to the ability of a system to maintain an acceptable level of service during an adverse event. This could be a hardware fault managed by fault-tolerant components, or it could be an attack managed by other controls such as effective intrusion detection and prevention systems.
What is a failover cluster?
A failover cluster includes two or more servers, and if one of the servers fails, another server in the cluster can take over its load in an automatic process called failover. Failover clusters can include multiple servers (not just two), and they can also provide fault tolerance for multiple services or applications.
Define a fail-secure system.
A fail-secure system will default to a secure state in the event of a failure, blocking all access.
Define a fail-open system.
A fail-open system will fail in an open state, granting all access.
What use is QoS?
Quality of Service (QoS) controls protect the integrity of data networks under load. Many different factors contribute to the quality of the end user experience, and QoS attempts to manage all of those factors to create an experience that meets business requirements.
What does an operational investigation focus on?
An operational investigation examines issues related to the organization's computing infrastructure and has the primary goal of resolving operational issues.
What does a criminal investigation focus on?
A criminal investigation, typically conducted by law enforcement personnel, investigates the alleged violation of criminal law. A criminal investigation may result in charging suspects with a crime and the prosecution of those charges in criminal court.
What does a civil investigation focus on?
A civil investigation typically does not involve law enforcement but rather involves internal employees and outside consultants working on behalf of a legal team. It prepares the evidence necessary to present a case in civil court resolving a dispute between two parties.
What is electronic discovery?
In legal proceedings, each side has a duty to preserve evidence related to the case and, through the discovery process, share information with their adversary in the proceedings. This discovery process applies to both paper records and electronic records, and the electronic discovery (or eDiscovery) process facilitates the processing of electronic information for disclosure.
What is an APT?
Recent years marked the rise of sophisticated attackers known as advanced persistent threats (APTs). These attackers are well funded and have advanced technical skills and resources. They act on behalf of a nation-state, organized crime, terrorist group, or other sponsor and wage highly effective attacks against a very focused target in order to maintain persistent unauthorized access or effect.
What does a business attack focus on?
A business attack focuses on illegally obtaining an organization's confidential information. This could be information that is critical to the operation of the organization, such as a secret recipe, or information that could damage the organization's reputation if disclosed, such as personal information about its employees.
What is industrial espionage?
The gathering of a competitor's confidential information, also called industrial espionage, is not a new phenomenon. Businesses have used illegal means to acquire competitive information for many years. The temptation to steal a competitor's trade secrets and the ease with which a savvy attacker can compromise some computer systems make this type of attack attractive.
What are financial attacks?
Financial attacks are carried out to unlawfully obtain money or services. They are the type of computer crime you most commonly hear about in the news. The goal of a financial attack could be to steal credit card numbers, increase the balance in a bank account, or place free long-distance telephone calls.
What are terrorist attacks?
Terrorist attacks are a reality in modern society. Our increasing reliance on information systems makes them more and more attractive to terrorists. Such attacks differ from military and intelligence attacks. The purpose of a terrorist attack is to disrupt normal life and instill fear, whereas a military or intelligence attack is designed to extract secret information.
What are grudge attacks?
Grudge attacks are attacks that are carried out to damage an organization or a person. The damage could be in the loss of information or information processing capabilities or harm to the organization or a person's reputation.
What are thrill attacks?
Thrill attacks are the attacks launched only for the fun of it.
What are scanning attacks?
Scanning attacks are reconnaissance attacks that usually precede another, more serious attack.
What is the purpose of assurance procedures?
To ensure that the security control mechanisms built into a new application properly implement the security policy throughout the life cycle of the system
What is DevOps?
The word DevOps is a combination of Development and Operations, symbolizing that these functions must merge and cooperate to meet business requirements. The DevOps approach seeks to resolve these issues by bringing the three functions (software development, quality assurance, and technology operations) together in a single operational model.
What is an API?
An application programming interface (API) allows application developers to bypass traditional web pages and interact directly with the underlying service through function calls.
What is a code repository?
It acts as a central storage point for developers to place their source code. It may also provide version control, bug tracking, web hosting, release management, and communications functions that support software development.
What are the stages of Process for Attack Simulation and Threat Analysis (PASTA)?
Stage I: Definition of the Objectives (DO) for the Analysis of Risks
Stage II: Definition of the Technical Scope (DTS)
Stage III: Application Decomposition and Analysis (ADA)
Stage IV: Threat Analysis (TA)
Stage V: Weakness and Vulnerability Analysis (WVA)
Stage VI: Attack Modeling & Simulation (AMS)
Stage VII: Risk Analysis & Management (RAM)
What are the differences between simplex, half-duplex, and full-duplex control modes?
Simplex: One-way communication
Half-Duplex: Two-way communication, but only one direction can send data at a time
Full-Duplex: Two-way communication, in which data can be sent in both directions simultaneously
Which combination of terms defines the operations security triple?
The relationship between assets, vulnerabilities, and threats
What federal agency provides detailed data that can assist with assessing earthquake risk?
USGS. The US Geological Survey provides detailed earthquake risk data for locations in the United States.
What are examples of converged protocols?
iSCSI, VoIP, and FCoE
In a _______________, each level or classification label in the security structure grants a subject access to objects equal to and lower than that level.
Which alternate processing arrangement is rarely implemented?
Mutual assistance agreements (MAA)
Which backup format stores only those files that have been set with the archive bit and have been modified since the last complete backup?
What type of attack occurs when malicious users position themselves between a client and server and then interrupt the session and take it over?
In an Agile software development process, how often should business users be involved in development?
For how long are trademarks issued?
Trademarks are issued for 10-year periods and may be renewed for unlimited successive 10-year periods.
What is the preventive practice of establishing and planning for business-related threats and risk?
Business continuity planning
What is the primary purpose of change management?
To allow management to review all changes
What is the overall goal of change management?
To prevent unwanted reductions to security
In a discussion of high-speed telco links or network carrier services, what does fault tolerance mean?
It means having redundant connections, so that the loss of a single link or carrier does not sever connectivity.
What is the primary function of a gateway as a network device?
What regulation formalizes the prudent man rule, requiring that senior executives of an organization take personal responsibility for ensuring due care?
The Federal Sentencing Guidelines formalized the prudent man rule and applied it to information security.
What is the parol evidence rule?
The parol evidence rule states that when an agreement between parties is put into written form, the written document is assumed to contain all the terms of the agreement, and no verbal agreements may modify the written agreement.
What procedure returns business operations and processes to a working state?
What common vulnerability has no direct countermeasure and few safeguards or validators?
Errors and omissions. Both are difficult to protect against because they have human and circumstantial origins rather than technical ones.
What is a companion virus?
Companion viruses are self-contained executable files with filenames similar to those of existing system/program files but with a modified extension. The virus file is executed when an unsuspecting user types the filename without the extension at the command prompt.
What is the 10 system?
The 10 system is a code used in radio communications for brevity and clarity.
What is the duration of trade secret protection under federal law?
What type of processing enables a system to operate at more than one classification level simultaneously?
What technology can be used to minimize the impact of a server failure immediately before the next backup was scheduled?
Clustering servers adds a degree of fault tolerance, protecting against the impact of a single server failure.
What is a centralized alarm system?
Centralized alarm systems remotely monitor sensors spread around a business facility or campus and trigger on some specified event.
What are the basic requirements for the admissibility of evidence?
The evidence must be relevant to determining a fact.
The fact that the evidence seeks to determine must be material (that is, related) to the case.
The evidence must be competent, meaning it must have been obtained legally. Evidence that results from an illegal search would be inadmissible because it is not competent.
What is a hybrid environment?
Hybrid environments combine both hierarchical and compartmentalized environments so that security levels have subcompartments.
What privacy principle requires mechanisms to protect data against loss?
The principle of security requires proper mechanisms to protect data against loss, misuse, and unauthorized disclosure.
What is the cardinality of a database table?
The cardinality of a table refers to the number of rows in the table, whereas the degree of a table is the number of columns.
Which security model is most often used for general commercial applications?
Biba and Clark-Wilson are most commonly used for commercial applications because both focus on data integrity. Of these two, Clark-Wilson offers more control and does a better job of maintaining integrity, so it's used most often for commercial applications. Bell-LaPadula is used most often for military applications. Brewer and Nash applies only to datasets (usually within database management systems) where conflict-of-interest classes prevent subjects from accessing more than one dataset that might lead to a conflict-of-interest situation.
Christopher recently received word that his application for a trademark was approved by the US Patent and Trademark Office. What symbol should he use next to the name to indicate its protected status?
The ® symbol is reserved for trademarks that have received official registration status by the US Patent and Trademark Office.
When discussing access to objects, what are the three subject levels?
A custodian is someone who has been assigned to or delegated the day-to-day responsibility of proper storage and protection of objects. A user is any subject who accesses objects on a system to perform some action or accomplish a work task. An owner is the person who has final corporate responsibility for the protection and storage of data. When discussing access to objects, three subject labels are used: user, owner, and custodian.
What is electronic vaulting?
Electronic vaulting uses bulk transfers to copy database contents to a remote site on a periodic basis.
What are the layers of the ring protection scheme?
Ring 0: OS kernel/memory
Ring 1: Other OS components
Ring 2: Drivers, protocols, etc.
Ring 3: User-Level programs and applications
(Rings 0-2 run in supervisory mode, Ring 3 runs in user mode)
What is SD3+C?
Microsoft's Security Development Lifecycle (SDL) principles: "Secure by Design, Secure by Default, Secure in Deployment, and Communications"
What is the end goal of disaster recovery planning?
Restoring normal business activity
What is the typical time estimate to activate a warm site from the time a disaster is declared?
Warm sites typically take about 12 hours to activate from the time a disaster is declared. This is compared to the relatively instantaneous activation of a hot site and the lengthy time (at least a week) required to bring a cold site to operational status.
What are the three components of DevOps?
The three elements of the DevOps model are software development, quality assurance, and IT operations.
What type of information is used to form the basis of an expert system's decision-making process?
A series of "if/then" rules codified in a knowledge base
Once a system is compromised, _______________ is deployed to restore it to its previous known-good state.
Recovery access control
A _______________ contains levels with various compartments that are isolated from the rest of the security domain.
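The hierarchical, compartmentalized and hybrid environment cards above describe three different access rules that are easy to confuse. The following is an added Python example, not part of the Sybex cards, that implements each rule as a function and explains why a request was denied; the level ordering and the compartment names are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed hierarchical ordering of classification labels (illustrative only).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    """A security label: a hierarchical level plus a set of compartments."""
    level: str
    compartments: frozenset = frozenset()


def hierarchical_allows(subject: Label, obj: Label) -> bool:
    """Hierarchical environment: a clearance at one level grants access to
    objects labeled at that level and at every level below it."""
    return LEVELS[subject.level] >= LEVELS[obj.level]


def compartmentalized_allows(subject: Label, obj: Label) -> bool:
    """Compartmentalized environment: compartments are isolated from one
    another, so the subject must hold every compartment on the object.
    Levels are not compared at all."""
    return obj.compartments <= subject.compartments


def hybrid_allows(subject: Label, obj: Label) -> bool:
    """Hybrid environment: hierarchical levels whose contents are further
    split into subcompartments. Both rules must hold (the classic
    'dominates' relation of label-based mandatory access control)."""
    return hierarchical_allows(subject, obj) and compartmentalized_allows(subject, obj)


def check_read(mode: str, subject: Label, obj: Label) -> tuple[bool, str]:
    """Evaluate a read request under the given environment and explain the
    decision, which is what an audit record should capture."""
    rules = {
        "hierarchical": hierarchical_allows,
        "compartmentalized": compartmentalized_allows,
        "hybrid": hybrid_allows,
    }
    if rules[mode](subject, obj):
        return True, f"{mode}: {subject.level!r} dominates {obj.level!r}"
    if mode != "compartmentalized" and not hierarchical_allows(subject, obj):
        return False, f"{mode}: level {subject.level!r} is below {obj.level!r}"
    missing = sorted(obj.compartments - subject.compartments)
    return False, f"{mode}: subject lacks compartment(s) {missing}"


if __name__ == "__main__":
    analyst = Label("secret", frozenset({"crypto"}))
    for mode in ("hierarchical", "compartmentalized", "hybrid"):
        for obj in (Label("confidential", frozenset({"crypto"})),
                    Label("confidential", frozenset({"nuclear"})),
                    Label("top secret", frozenset({"crypto"}))):
            print(mode, obj.level, sorted(obj.compartments), check_read(mode, analyst, obj))
```

Note how the same subject and object pair is allowed under one rule and denied under another: a Secret/crypto analyst reads a Confidential/nuclear object in a purely hierarchical environment but is refused in a compartmentalized or hybrid one.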
What is confidentiality dependent on?
Which federal government agency is responsible for ensuring the security of government computer systems that are used to process sensitive and/or classified information?
The ____________ data model has data stored in more than one database, but the data is still logically connected. The user perceives the database as a single entity, even though it comprises numerous parts interconnected over a network.
What is ISAKMP?
The Internet Security Association and Key Management Protocol (ISAKMP) provides background security support services for IPsec by negotiating, establishing, modifying, and deleting security associations.
What are the six TCP header flags to know?
URG (Urgent), ACK (Acknowledgment), PSH (Push), RST (Reset), SYN (Synchronize), FIN (Finish)
What flags are set during a Christmas tree attack?
URG, PSH, and FIN (the combination sent by an Xmas scan, such as nmap -sX)
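The two cards above give the flag names and the Christmas tree combination; detecting it in practice means reading byte 13 of the TCP header. The following is an added Python example, not from the Sybex cards, that builds sample headers, decodes the flag bits, and classifies the scan signatures (Xmas tree, null, SYN+FIN) that a legitimate stack never emits. The sample segments are constructed inline.

```python
import struct

# TCP flag bits in header byte 13 (the two ECN bits, CWR 0x80 / ECE 0x40, are ignored here).
TCP_FLAGS = {0x20: "URG", 0x10: "ACK", 0x08: "PSH", 0x04: "RST", 0x02: "SYN", 0x01: "FIN"}
XMAS = 0x20 | 0x08 | 0x01  # URG + PSH + FIN: the combination named on the card
FLAG_MASK = 0x3F


def build_tcp_header(src_port: int, dst_port: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """Construct a minimal 20-byte TCP header (no options) as sample input."""
    data_offset = 5 << 4  # header length in 32-bit words, reserved bits zero
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset, flags, 65535, 0, 0)


def parse_flags(tcp_header: bytes) -> set[str]:
    """Return the names of the flags set in a raw TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header shorter than the 20-byte minimum")
    flag_byte = tcp_header[13] & FLAG_MASK
    return {name for bit, name in TCP_FLAGS.items() if flag_byte & bit}


def classify(tcp_header: bytes) -> str:
    """Label a segment by its flag combination. URG+PSH+FIN together, an
    empty flag byte, and SYN+FIN are all scanner artefacts, not real traffic."""
    flag_byte = tcp_header[13] & FLAG_MASK
    if flag_byte == 0:
        return "null-scan"
    if flag_byte & XMAS == XMAS:
        return "xmas-tree"
    if flag_byte & (0x02 | 0x01) == 0x03:
        return "syn-fin"
    return "normal"


def find_suspicious(headers: list[bytes]) -> list[tuple[int, str, set[str]]]:
    """Run the classifier over a capture and report every abnormal segment."""
    return [(i, classify(h), parse_flags(h))
            for i, h in enumerate(headers) if classify(h) != "normal"]


if __name__ == "__main__":
    # Constructed sample: a normal handshake surrounded by scan probes.
    sample = [
        build_tcp_header(40000, 80, 0x02),    # SYN
        build_tcp_header(40001, 80, 0x12),    # SYN+ACK
        build_tcp_header(40002, 22, XMAS),    # URG+PSH+FIN
        build_tcp_header(40003, 22, 0x00),    # no flags at all
        build_tcp_header(40004, 443, 0x3F),   # every flag lit
    ]
    for idx, verdict, flags in find_suspicious(sample):
        print(f"segment {idx}: {verdict} {sorted(flags)}")
```

The classifier treats any segment with URG, PSH and FIN all set as a Christmas tree probe, so the "all flags lit" variant is caught by the same rule.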
What are the four main steps of the BCP process?
Project scope and planning,
business impact assessment,
continuity planning,
approval and implementation
What are the four stages for the BCP Project Scope and Planning?
Business organization analysis,
BCP team selection,
resource requirements,
legal and regulatory requirements
What are the five stages for the BCP BIA?
What are the subtasks involved in BCP continuity planning?
provisions and processes,
training and education
What are the major steps or phases in quantitative risk analysis?
1. Assign AV
2. Calculate EF and SLE
3. Assess ARO
4. Derive ALE
5. Research countermeasures for each threat, and then calculate changes to ARO and ALE
6. Perform cost/benefit analysis of countermeasures
What are the two key elements that the Common Criteria is based off of?
Protection profiles (PPs) specify for a product that is to be evaluated (the TOE) the security requirements and protections, which are considered the security desires or the "I want" from a customer.
Security targets (STs) specify the claims of security from the vendor that are built into a TOE.
What are the Common Criteria EAL levels?
EAL1 Functionally tested
EAL2 Structurally tested
EAL3 Methodically tested and checked
EAL4 Methodically designed, tested, and reviewed
EAL5 Semi-formally designed and tested
EAL6 Semi-formally verified, designed, and tested
EAL7 Formally verified, designed, and tested
What is the functional order in which physical controls should be used?
Deter -> Deny -> Detect -> Delay
At what OSI layer are collision domains divided? Broadcast domains?
Collision domains are divided by using any layer 2 or higher device, and broadcast domains are divided by using any layer 3 or higher device.
What is mail bombing?
DoS performed by inundating a system with messages
Define the following database terms: tuple, cardinality, degree, domain
Each customer would have its own record, or tuple, represented by a row in the table. The number of rows in the relation is referred to as cardinality, and the number of columns is the degree. The domain of an attribute is the set of allowable values that the attribute can take.
What are the stages of the SW-CMM?
Compare the four US government security modes
Mode | Clearance | Need to know for all data? | Processes data from multiple classification levels?
Dedicated | Same | Yes | No
System high | Same | No | No
Compartmented | Same | No | Yes
Multilevel | Different | No | Yes
What are the steps of the vulnerability management workflow?
What are the phases for penetration testing?
1. Planning
2. Information gathering and discovery
3. Vulnerability scanning
4. Exploitation
5. Reporting
What is NIST Special Publication 800-53A and what are its components?
Assessing Security and Privacy Controls in Federal Information Systems and Organizations
-Specifications are the documents associated with the system being audited. Specifications generally include policies, procedures, requirements, specifications, and designs.
-Mechanisms are the controls used within an information system to meet the specifications. Mechanisms may be based in hardware, software, or firmware.
-Activities are the actions carried out by people within an information system. These may include performing backups, exporting log files, or reviewing account histories.
-Individuals are the people who implement specifications, mechanisms, and activities.
What are ISO 27001 and 27002?
ISO 27001 describes a standard approach for setting up an information security management system, while ISO 27002 goes into more detail on the specifics of information security controls.
What are the steps for conducting eDiscovery per the Electronic Discovery Reference Model?
Information Governance ensures that information is well organized for future eDiscovery efforts.
Identification locates the information that may be responsive to a discovery request when the organization believes that litigation is likely.
Preservation ensures that potentially discoverable information is protected against alteration or deletion.
Collection gathers the responsive information centrally for use in the eDiscovery process.
Processing screens the collected information to perform a "rough cut" of irrelevant information, reducing the amount of information requiring detailed screening.
Review examines the remaining information to determine what is responsive to the request and removes any information protected by attorney-client privilege.
Analysis performs deeper inspection of the content and context of remaining information.
Production places the information into a format that may be shared with others.
Presentation displays the information to witnesses, the court, and other parties.
What two additional rules apply to documentary evidence?
The best evidence rule states that when a document is used as evidence in a court proceeding, the original document must be introduced. Copies or descriptions of original evidence (known as secondary evidence) will not be accepted as evidence unless certain exceptions to the rule apply.
The parol evidence rule states that when an agreement between parties is put into written form, the written document is assumed to contain all the terms of the agreement and no verbal agreements may modify the written agreement.
What is IOCE?
The International Organization on Computer Evidence (IOCE) outlines six principles to guide digital evidence technicians as they perform media analysis, network analysis, and software analysis in the pursuit of forensically recovered evidence.
Why is database concurrency important?
Concurrency, or edit control, is a preventive security mechanism that endeavors to make certain that the information stored in the database is always correct or at least has its integrity and availability protected.
What are the four key parts of the ISC2 code of ethics?
Protect society, the common good, necessary public trust and confidence, and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally.
Provide diligent and competent service to principals.
Advance and protect the profession.
What are the Computer Ethics Institute's Ten Commandments of Computer Ethics?
Thou shalt not use a computer to harm other people.
Thou shalt not interfere with other people's computer work.
Thou shalt not snoop around in other people's computer files.
Thou shalt not use a computer to steal.
Thou shalt not use a computer to bear false witness.
Thou shalt not copy proprietary software for which you have not paid.
Thou shalt not use other people's computer resources without authorization or proper compensation.
Thou shalt not appropriate other people's intellectual output.
Thou shalt think about the social consequences of the program you are writing or the system you are designing.
Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.
What are some documents that may be included in the DRP?
Executive summary providing a high-level overview of the plan
Technical guides for IT personnel responsible for implementing and maintaining critical backup systems
Checklists for individuals on the disaster recovery team
Full copies of the plan for critical disaster recovery team members
What are the commonly used tape rotation strategies for backups?
The Grandfather-Father-Son (GFS) strategy, the Tower of Hanoi strategy, and the Six Cartridge Weekly Backup strategy
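The card names the GFS rotation but not how media get assigned, which is the part that matters when you have to prove a restore point exists for a given date. The following is an added Python example, not from the Sybex cards, that implements one common GFS schedule and simulates a year of rotation to count the tapes consumed. The schedule parameters (Mon-Thu sons reused weekly, Friday fathers reused monthly, last-Friday grandfathers kept a year, no weekend job) are assumptions.

```python
import calendar
import datetime as dt

DAY_ABBR = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")
MONTH_ABBR = ("", "Jan", "Feb", "Mar", "Apr", "May", "Jun",
              "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")


def last_friday(year: int, month: int) -> dt.date:
    """Date of the last Friday in a month (weekday(): Monday=0 ... Friday=4)."""
    day = dt.date(year, month, calendar.monthrange(year, month)[1])
    while day.weekday() != 4:
        day -= dt.timedelta(days=1)
    return day


def gfs_media_for(day):
    """Return (generation, media label, retention in days) for the backup taken
    on `day` (a date or ISO string), or None when no backup is scheduled.

    Assumed schedule (the card names GFS but fixes no parameters):
      son          Mon-Thu daily backup, tape reused the following week
      father       Friday full backup, tape reused the same week next month
      grandfather  last Friday of the month, tape retained for a year
      weekend      no job
    """
    if isinstance(day, str):
        day = dt.date.fromisoformat(day)
    weekday = day.weekday()
    if weekday >= 5:
        return None
    if weekday <= 3:
        return ("son", f"son-{DAY_ABBR[weekday]}", 7)
    if day == last_friday(day.year, day.month):
        return ("grandfather", f"grandfather-{MONTH_ABBR[day.month]}", 365)
    week_of_month = (day.day - 1) // 7 + 1
    return ("father", f"father-week{week_of_month}", 28)


def rotation_plan(start, days: int) -> dict:
    """Simulate `days` days of rotation from `start` (date or ISO string) and
    report each distinct media label, its generation, retention, and how
    many times it was written, i.e. how often it was overwritten."""
    if isinstance(start, str):
        start = dt.date.fromisoformat(start)
    plan = {}
    for offset in range(days):
        entry = gfs_media_for(start + dt.timedelta(days=offset))
        if entry is None:
            continue
        generation, label, retention = entry
        plan.setdefault(label, {"generation": generation, "uses": 0, "retention_days": retention})
        plan[label]["uses"] += 1
    return plan


def media_count(plan: dict) -> dict:
    """Number of tapes the scheme needs, per generation."""
    counts = {}
    for info in plan.values():
        counts[info["generation"]] = counts.get(info["generation"], 0) + 1
    return counts


if __name__ == "__main__":
    year_plan = rotation_plan("2024-01-01", 366)  # 2024 is a leap year
    print(media_count(year_plan))
    for label, info in sorted(year_plan.items()):
        print(label, info)
```

Running the simulation over 2024 shows the scheme needs 20 tapes (4 sons, 4 fathers, 12 grandfathers); a Friday falling on the 29th to 31st is always the month's last Friday, so no "father-week5" label ever appears.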
What is ITIL and why is it important?
Many of the configuration and change management concepts in use today are derived from ITIL (formerly an acronym for Information Technology Infrastructure Library) documents originally published by the United Kingdom. The ITIL Core includes five publications addressing the overall lifecycle of systems. ITIL focuses on best practices that an organization can adopt to increase overall availability. The Service Transition publication addresses configuration management and change management processes. Even though many of the concepts come from ITIL, organizations don't need to adopt ITIL to implement change and configuration management.
Who maintains the CVE database?
What is the importance of NIST SP 800-115?
NIST SP 800-115, "Technical Guide to Information Security Testing and Assessment," includes a significant amount of information about testing, including penetration testing.
What is the IDEAL model and what are its stages?
The Software Engineering Institute also developed the IDEAL model for software development, which implements many of the SW-CMM attributes. Its five stages are Initiating, Diagnosing, Establishing, Acting, and Learning.
What are the speeds and frequencies for the following IEEE wireless standards?
802.11: 2 Mbps, 2.4 GHz
802.11a: 54 Mbps, 5 GHz
802.11b: 11 Mbps, 2.4 GHz
802.11g: 54 Mbps, 2.4 GHz
802.11n: 200+ Mbps, 2.4 GHz or 5 GHz
802.11ac: 1 Gbps, 5 GHz
What are two examples of link state routing protocols?
Open Shortest Path First (OSPF) and Intermediate System to Intermediate System (IS-IS)
What's the difference between distance vector and link state routing protocols?
Distance vector routing protocols maintain a list of destination networks along with metrics of direction and distance as measured in hops (in other words, the number of routers to cross to reach the destination). Link state routing protocols maintain a topology map of all connected networks and use this map to determine the shortest path to the destination.
Identify the OSI layer for EIA/TIA-232 and EIA/TIA-449
Identify the OSI layer for X.21
Identify the OSI layer for High-Speed Serial Interface (HSSI)
Identify the OSI layer for Synchronous Optical Networking (SONET)
Identify the OSI layer for V.24 and V.35
Identify the OSI layer for Serial Line Internet Protocol (SLIP)
Identify the OSI layer for Point-to-Point Protocol (PPP)
Identify the OSI layer for Address Resolution Protocol (ARP)
Identify the OSI layer for Layer 2 Forwarding (L2F)
Identify the OSI layer for Layer 2 Tunneling Protocol (L2TP)
Identify the OSI layer for Point-to-Point Tunneling Protocol (PPTP)
Identify the OSI layer for Integrated Services Digital Network (ISDN)
Identify the OSI layer for Internet Control Message Protocol (ICMP)
Identify the OSI layer for Routing Information Protocol (RIP)
Identify the OSI layer for Open Shortest Path First (OSPF)
Identify the OSI layer for Border Gateway Protocol (BGP)
Identify the OSI layer for Internet Group Management Protocol (IGMP)
Identify the OSI layer for Internet Protocol (IP)
Identify the OSI layer for Internet Protocol Security (IPSec)
Identify the OSI layer for Internetwork Packet Exchange (IPX)
Identify the OSI layer for Network Address Translation (NAT)
Identify the OSI layer for Simple Key Management for Internet Protocols (SKIP)
Identify the OSI layer for Transmission Control Protocol (TCP)
Identify the OSI layer for User Datagram Protocol (UDP)
Identify the OSI layer for Sequenced Packet Exchange (SPX)
Identify the OSI layer for Secure Sockets Layer (SSL)
Identify the OSI layer for Transport Layer Security (TLS)
Identify the OSI layer for Network File System (NFS)
Identify the OSI layer for Structured Query Language (SQL)
Identify the OSI layer for Remote Procedure Call (RPC)
Identify the OSI layer for American Standard Code for Information Interchange (ASCII)
Identify the OSI layer for Extended Binary-Coded Decimal Interchange Mode (EBCDICM)
Identify the OSI layer for Tagged Image File Format (TIFF)
Identify the OSI layer for Joint Photographic Experts Group (JPEG)
Identify the OSI layer for Moving Picture Experts Group (MPEG)
Identify the OSI layer for Musical Instrument Digital Interface (MIDI)
Identify the OSI layer for Hypertext Transfer Protocol (HTTP)
Identify the OSI layer for File Transfer Protocol (FTP)
Identify the OSI layer for Line Print Daemon (LPD)
Identify the OSI layer for Simple Mail Transfer Protocol (SMTP)
Identify the OSI layer for Telnet
Identify the OSI layer for Trivial File Transfer Protocol (TFTP)
Identify the OSI layer for Electronic Data Interchange (EDI)
Identify the OSI layer for Post Office Protocol version 3 (POP3)
Identify the OSI layer for Internet Message Access Protocol (IMAP)
Identify the OSI layer for Simple Network Management Protocol (SNMP)
Identify the OSI layer for Network News Transport Protocol (NNTP)
Identify the OSI layer for Secure Remote Procedure Call (S-RPC)
Identify the OSI layer for Secure Electronic Transaction (SET)
What are the Well Known Ports?
0 - 1023
What are the Registered Software Ports?
1024 - 49151
What are the Random, Dynamic, or Ephemeral ports?
49152 - 65535
Port 20 and 21 (TCP)
FTP (File Transfer Protocol) - This is a network application that supports an exchange of files that requires anonymous or specific authentication.
Port 22 (TCP)
SSH (Secure Shell) - A client/server program that opens a secure, encrypted command-line shell session for remote logon. Similar to a VPN, SSH uses strong cryptography to protect data, including passwords, binary files, and administrative commands, transmitted between systems on a network. The server proves its identity with a host key and the client authenticates with a password or public key (certificates are an optional extension). SSH replaces or tunnels insecure Telnet and FTP services and is implemented at the Application layer, as opposed to the Network layer where IPsec operates.
Port 23 (TCP)
Telnet (Remote Login Service) - This is a terminal emulation network application that supports remote connectivity for executing commands and running applications but does not support transfer of files.
Port 80 (TCP)
HTTP (Hypertext Transfer Protocol) - This is the protocol used to transmit web page elements from a web server to web browsers.
Port 25 (TCP)
SMTP (Simple Mail Transfer Protocol) - This is a protocol used to transmit email messages from a client to an email server and from one email server to another.
Port 69 (UDP)
TFTP (Trivial File Transfer Protocol) - This is a network application that supports an exchange of files that does not require authentication.
Port 110 (TCP)
POP3 (Post Office Protocol) - This is a protocol used to pull email messages from an inbox on an email server down to an email client.
Port 143 (TCP)
IMAP (Internet Message Access Protocol) - This is a protocol used to pull email messages from an inbox on an email server down to an email client. IMAP is more capable than POP3: it can pull only headers from the email server and can delete messages directly on the server without first downloading them to the local client.
Port 67 and 68 (UDP)
DHCP (Dynamic Host Configuration Protocol) - DHCP servers listen on port 67 for client request broadcasts and reply to clients on port 68. It is used to assign TCP/IP configuration settings to systems upon bootup. DHCP enables centralized control of network addressing.
Port 443 (TCP)
HTTPS/SSL (Secure Sockets Layer for HTTP encryption) - This is a VPN-like security protocol that operates at the Transport layer. SSL was originally designed to support secured web communications (HTTPS) but is capable of securing any Application layer protocol communications. SSL itself is deprecated; its successor, TLS, is what HTTPS uses today.
Port 515 (TCP)
LPD (Line Print Daemon) - This is a network service that is used to spool print jobs and to send print jobs to printers.
Port 6000-6063 (TCP)
X Windows - This is a GUI API for command-line operating
Port 2049 (TCP)
NFS (Network File System) - This is a network service used to support file sharing between dissimilar systems.
Port 161 and 162 (UDP)
SNMP (Simple Network Management Protocol) - This is a network service used to collect network health and status information by polling monitored devices from a central monitoring station. Agents listen on port 161; the management station receives traps on port 162.
ARP (Address Resolution Protocol)
A subprotocol of the TCP/IP protocol suite that operates at the Data Link layer (layer 2). ARP is used to discover the MAC address of a system by polling using its IP address.
Reverse Address Resolution Protocol (RARP)
A subprotocol of the TCP/IP protocol suite that operates at the Data Link layer (layer 2). RARP is used to discover the IP address of a system by polling using its MAC address.
Integrated Services Digital Network (ISDN)
A digital end‐to‐end communications
mechanism. ISDN was developed by telephone companies to support high‐speed digital
communications over the same equipment and infrastructure that is used to carry voice
Point‐to‐Point Tunneling Protocol (PPTP)
An enhancement of PPP that creates encrypted
tunnels between communication endpoints. PPTP is used on VPNs but is often replaced by
What is Serial Line Internet Protocol (SLIP)?
An older technology developed to support TCP/IP communications over asynchronous serial connections, such as serial cables or modem dialup.
What is Network Address Translation (NAT)?
A mechanism for converting the internal private
IP addresses found in packet headers into public IP addresses for transmission over the
Simple Key Management for IP (SKIP)
An encryption tool used to protect sessionless
How many bits does a MAC address have?
48-bits (e.g., MM:MM:MM:SS:SS:SS)
Define multitasking.
In computing, multitasking means handling two or more tasks simultaneously. In the past, most systems did not truly multitask because they relied on the operating system to simulate multitasking by carefully structuring the sequence of commands sent to the CPU for execution. Today, most CPUs are multicore: what was previously a single CPU or microprocessor chip is now a chip containing two, four, eight, or potentially dozens of independent execution cores that can operate simultaneously.
Define multiprocessing. What's the difference between symmetric multiprocessing and massively parallel processing?
In a multiprocessing environment, a multiprocessor computing system (that is, one with more than one CPU) harnesses the power of more than one processor to complete the execution of a multithreaded application.
In symmetric multiprocessing (SMP), a single computer contains multiple processors that are treated equally and controlled by a single operating system. The processors share not only a common operating system but also a common data bus and memory resources.
Massively parallel processing (MPP) serves workloads that need more computational power than a single SMP system can deliver. MPP systems house hundreds or even thousands of processors, each of which has its own operating system and memory/bus resources.
Define multiprogramming. How does it differ from multitasking?
Multiprogramming is similar to multitasking. It involves the pseudosimultaneous execution of two tasks on a single processor coordinated by the operating system as a way to increase operational efficiency.
Multiprogramming takes place on large-scale systems, such as mainframes, and requires specially written software that coordinates its own activities through the OS; multitasking is performed by the operating system itself and is the norm on PC operating systems.
Multithreading permits multiple concurrent tasks to be performed within a single process. Unlike multitasking, where multiple tasks occupy multiple processes, multithreading permits multiple tasks to operate within a single process.
What are the max speed, distance, and susceptibility to EMI for the common network cabling types?
Important characteristics for common network cabling types
Type | Max speed | Distance | Susceptibility to EMI
10Base2 | 10 Mbps | 185 meters | Medium
10Base5 | 10 Mbps | 500 meters | Low
10BaseT (UTP) | 10 Mbps | 100 meters | High
STP | 155 Mbps | 100 meters | Medium
100BaseT/TX | 100 Mbps | 100 meters | High
1000BaseT | 1 Gbps | 100 meters | High
Fiber-optic | 2+ Gbps | 2+ kilometers | None
What is a SCA?
A Security Controls Assessment (SCA) most often refers to a formal U.S. government process for assessing security controls and is often paired with a Security Test and Evaluation (ST&E) process.
What term is used to describe overwriting media to allow for its reuse in an environment operating /at the same sensitivity level?
Identify the OSI layer for FCoE
This 802.11 standard addresses security
The process of associating a user's IP address with a single server.
The process of associating application layer information with a single server.
An expression of how much time it takes for a packet of data to get rom one designated point to another.
The quality of useful work made by the system per unit of time.
A switch that provides connectivity for other switches
Code that performs a function on behalf of an application
What is the current leading multimedia open protocol? It is designed to manage multimedia connections such as VoIP, video calls, and instant messaging over IP.
Session initiation protocol (SIP)
What security mechanisms does SIP provide?
Session initiation protocol (SIP) provides integrity protection, encryption mechanisms, and privacy extensions.
Discuss and describe the CIA Triad.
The CIA Triad is the combination of confidentiality, integrity, and availability. Confidentiality is the concept of the measures used to ensure the protection of the secrecy of data, information, or resources. Integrity is the concept of protecting the reliability and correctness of data. Availability is the concept that authorized subjects are granted timely and uninterrupted access to objects. The term CIA Triad is used to indicate the three key components of a security solution.
What are the requirements to hold a person accountable for the actions of their user account?
The requirements of accountability are identification, authentication, authorization, and auditing. Each of these components needs to be legally supportable to truly hold someone accountable for their actions.
Describe the benefits of change control management.
The benefits of change control management include preventing unwanted security reduction because of uncontrolled change, documenting and tracking of all alterations in the environment, standardization, conforming with security policy, and the ability to roll back changes in the event of an unwanted or unexpected outcome.
What are the seven major steps or phases in the implementation of a classification scheme?
(1) Identify the custodian, and define their responsibilities. (2) Specify the evaluation criteria of how the information will be classified and labeled. (3) Classify and label each resource. Although the owner conducts this step, a supervisor should review it. (4) Document any exceptions to the classification policy that are discovered, and integrate them into the evaluation criteria. (5) Select the security controls that will be applied to each classification level to provide the necessary level of protection. (6) Specify the procedures for declassifying resources and the procedures for transferring custody of a resource to an external entity. (7) Create an enterprise-wide awareness program to instruct all personnel about the classification system.
Name the six primary security roles as defined by (ISC)2 for CISSP.
The six security roles are senior management, IT/security staff, owner, custodian, operator/user, and auditor.
What are the four components of a complete organizational security policy and their basic purpose?
The four components of a security policy are policies, standards, guidelines, and procedures. Policies are broad security statements. Standards are definitions of hardware and software security compliance. Guidelines are used when there is not an appropriate procedure. Procedures are detailed step-by-step instructions for performing work tasks in a secure manner.
Name six different administrative controls used to secure personnel.
Possible answers include job descriptions, principle of least privilege, separation of duties, job responsibilities, job rotation/cross-training, performance reviews, background checks, job action warnings, awareness training, job training, exit interviews/terminations, nondisclosure agreements, noncompete agreements, employment agreements, privacy declaration, and acceptable use policies.
What are the basic formulas used in quantitative risk assessment?
SLE = AV * EF
ARO = expected number of occurrences per year
ALE = SLE * ARO
Cost/benefit of a safeguard = (ALE before safeguard - ALE after safeguard) - annual cost of safeguard (ACS)
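The six quantitative risk analysis steps listed earlier and the formulas on this card are the same procedure; the step that usually goes wrong in practice is the last one, where a control's annual cost is compared against the loss it actually prevents. The following is an added Python example, not from the Sybex cards, that carries the procedure through for one asset and ranks candidate safeguards by net benefit, flagging any that cost more than they save. The asset value, exposure factors, ARO figures and control names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    exposure_factor: float  # EF: fraction of the asset value lost in one occurrence (0.0-1.0)
    aro: float              # ARO: expected occurrences per year


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float      # ACS: purchase, deployment and upkeep amortized per year
    residual_ef: float      # EF once the control is in place
    residual_aro: float     # ARO once the control is in place


def single_loss_expectancy(asset_value: float, ef: float) -> float:
    """Step 2: SLE = AV * EF."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * ef


def annualized_loss_expectancy(asset_value: float, ef: float, aro: float) -> float:
    """Steps 2-4: ALE = SLE * ARO."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss_expectancy(asset_value, ef) * aro


def cost_benefit(asset_value: float, threat: Threat, control: Countermeasure) -> dict:
    """Steps 5-6: ALE before (ALE1) and after (ALE2) the control, and the
    net value of the control, (ALE1 - ALE2) - ACS."""
    ale_before = annualized_loss_expectancy(asset_value, threat.exposure_factor, threat.aro)
    ale_after = annualized_loss_expectancy(asset_value, control.residual_ef, control.residual_aro)
    return {
        "threat": threat.name,
        "control": control.name,
        "ale_before": ale_before,
        "ale_after": ale_after,
        "net_benefit": (ale_before - ale_after) - control.annual_cost,
    }


def rank_controls(asset_value: float, threat: Threat, options: list) -> list:
    """Order candidate controls by net benefit; a negative figure means the
    control costs more per year than the loss it prevents."""
    results = [cost_benefit(asset_value, threat, c) for c in options]
    return sorted(results, key=lambda r: r["net_benefit"], reverse=True)


if __name__ == "__main__":
    # Constructed figures for illustration, not from the cards.
    av = 200_000.0
    ransomware = Threat("ransomware on file server", exposure_factor=0.25, aro=0.5)
    options = [
        # Tested offline backups shrink the loss per event (EF), not how often it happens.
        Countermeasure("offline backups + tested restore", 8_000, residual_ef=0.05, residual_aro=0.5),
        # An EDR/SOC retainer aims at frequency (ARO) but is expensive for this asset.
        Countermeasure("EDR + 24x7 SOC retainer", 30_000, residual_ef=0.25, residual_aro=0.0),
        Countermeasure("accept the risk", 0, residual_ef=0.25, residual_aro=0.5),
    ]
    for r in rank_controls(av, ransomware, options):
        print(f"{r['control']:<34} ALE {r['ale_before']:>9,.0f} -> {r['ale_after']:>9,.0f}"
              f"  net {r['net_benefit']:>+10,.0f}")
```

With these figures the backup control nets about 12,000 per year, while the EDR retainer nets -5,000: it eliminates the ALE but costs more than the 25,000 of annual loss it removes, which is exactly the case the cost/benefit step exists to catch.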
Describe the process or technique used to reach an anonymous consensus during a qualitative risk assessment.
The Delphi technique is an anonymous feedback-and-response process used to enable a group to reach an anonymous consensus. Its primary purpose is to elicit honest and uninfluenced responses from all participants. The participants are usually gathered into a single meeting room. To each request for feedback, each participant writes down their response on paper anonymously. The results are compiled and presented to the group for evaluation. The process is repeated until a consensus is reached.
Discuss the need to perform a balanced risk assessment. What are the techniques that can be used and why is this necessary?
Risk assessment often involves a hybrid approach using both quantitative and qualitative methods. A purely quantitative analysis is not possible. Not all elements and aspects of the analysis can be quantified because some are qualitative, some are subjective, and some are intangible. Since a purely quantitative risk assessment is not possible, balancing the results of a quantitative analysis is essential. The method of combining quantitative and qualitative analysis into a final assessment of organizational risk is known as hybrid assessment or hybrid analysis.
Why is it important to include legal representatives on your business continuity planning team?
Many federal, state, and local laws or regulations require businesses to implement BCP provisions. Including legal representation on your BCP team helps ensure that you remain compliant with laws, regulations, and contractual obligations.
What is wrong with the "seat-of-the-pants" approach to business continuity planning?
The "seat-of-the-pants" approach is an excuse used by individuals who do not want to invest time and money in the proper creation of a BCP. This can lead to catastrophe when a firmly laid plan isn't in place to guide the response during a stressful emergency situation.
What is the difference between quantitative and qualitative risk assessment?
Quantitative risk assessment assigns numeric values (asset value, exposure factor, rate of occurrence) and applies formulas to reach a decision. Qualitative risk assessment relies on expert judgment, scenarios, and rankings such as high/medium/low to weigh factors that resist measurement, such as reputation, investor or consumer confidence, and workforce stability.
What critical components should be included in your business continuity training plan?
The BCP training plan should include a plan overview briefing for all employees and specific training for individuals with direct or indirect involvement. In addition, backup personnel should be trained for each key BCP role.
What are the four main steps of the business continuity planning process?
The four steps of the BCP process are project scope and planning, business impact assessment, continuity planning, and approval/implementation.
What are the key provisions of the Privacy Shield Framework agreement between the United States and the European Union?
Inform individuals about data processing
Provide free and accessible dispute resolution
Cooperate with the Department of Commerce
Maintain data integrity and purpose limitation
Ensure accountability for data transferred to third parties
Maintain transparency related to enforcement actions
Ensure commitments are kept as long as data is held
(Note that the Court of Justice of the European Union invalidated the Privacy Shield in July 2020 in the Schrems II decision; the EU-U.S. Data Privacy Framework, adopted in 2023, replaced it as the transfer mechanism with a similar set of principles.)
What are some common questions that organizations should ask when considering outsourcing information storage, processing, or transmission?
What types of sensitive information are stored, processed, or transmitted by the vendor?
What controls are in place to protect the organization's information?
How is our organization's information segregated from that of other clients?
If encryption is relied on as a security control, what encryption algorithms and key lengths are used? How is key management handled?
What types of security audits does the vendor perform, and what access does the client have to those audits?
Does the vendor rely on any other third parties to store, process, or transmit data? How do the provisions of the contract related to security extend to those third parties?
Where will data storage, processing, and transmission take place? If outside the home country of the client and/or vendor, what implications does that have?
What is the vendor's incident response process and when will clients be notified of a potential security breach?
What provisions are in place to ensure the ongoing integrity and availability of client data?
What are some common steps that employers take to notify employees of system monitoring?
Some common steps that employers take to notify employees of monitoring include clauses in employment contracts that state that the employee should have no expectation of privacy while using corporate equipment, similar written statements in corporate acceptable use and privacy policies, logon banners warning that all communications are subject to monitoring, and labels on computers and telephones warning of monitoring.
Describe PII and PHI.
Personally identifiable information (PII) is any information that can identify an individual. It includes information that can be used to distinguish or trace an individual's identity, such as name, social security number or national ID number, date and place of birth, mother's maiden name, and biometric records. Protected health information (PHI) is any health-related information that can be related to a specific person. PHI doesn't apply only to healthcare providers. Any employer that provides, or supplements, healthcare policies collects and handles PHI.
Describe the best method to sanitize SSDs.
Solid state drives (SSDs) should be destroyed (such as with a disintegrator) to sanitize them. Methods used for magnetic hard drives are not reliable on SSDs: degaussing has no effect because there is no magnetic medium, and overwriting cannot be trusted because wear leveling and over-provisioned blocks mean the drive controller decides which cells a write actually reaches, so old data can survive in areas the host cannot address. Encrypting all data on the drive from first use does not sanitize it, but it provides an extra layer of protection and makes cryptographic erase (destroying the key) an option on drives that support it.
Describe pseudonymization.
Pseudonymization is the process of replacing directly identifying data with pseudonyms, artificial identifiers that do not themselves reveal the individual. The General Data Protection Regulation (GDPR) defines pseudonymisation as processing that prevents data from being attributed to a specific person without additional information that is kept separately, and it recommends the technique to reduce the possibility of data identifying an individual. Pseudonymized data is still personal data under the GDPR, because the mapping back to the individual continues to exist.
Describe the difference between scoping and tailoring.
Scoping refers to reviewing a list of baseline security controls and selecting only those controls that apply to the IT system you're trying to protect. Tailoring refers to modifying the list of selected baseline controls for some systems that have different requirements.
What is the major hurdle preventing the widespread adoption of one-time pad cryptosystems to ensure data confidentiality?
The major obstacle to the widespread adoption of one-time pad cryptosystems is the key: it must be truly random, at least as long as the message, used only once, and delivered to the recipient over a channel at least as secure as the one being protected. Generating and distributing such lengthy keys securely is impractical for most applications, and any shortcut (a pseudorandom pad or a reused pad) forfeits the scheme's perfect secrecy.
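As an added illustration of why the key is the whole problem, the following Python (written for this page, not taken from the flash cards) implements a one-time pad with XOR and shows the classic failure when a pad is reused: XORing two ciphertexts cancels the pad and exposes the second message to anyone who knows the first. The messages are constructed and the code uses only the standard library.

```python
import secrets


def generate_pad(length: int) -> bytes:
    """A pad must be truly random and exactly as long as the message it protects."""
    return secrets.token_bytes(length)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("a one-time pad key must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """Ciphertext = plaintext XOR pad. With a fresh random pad this is unbreakable."""
    return xor_bytes(plaintext, pad)


def decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    """XOR is its own inverse, so decryption is the same operation."""
    return xor_bytes(ciphertext, pad)


def recover_from_reused_pad(c1: bytes, c2: bytes, known_plaintext_1: bytes) -> bytes:
    """The 'two-time pad' failure: if one pad protects two messages,
    c1 XOR c2 == p1 XOR p2 (the pad cancels out), so anyone who knows or can
    guess p1 reads p2 without ever seeing the key."""
    return xor_bytes(xor_bytes(c1, c2), known_plaintext_1)


if __name__ == "__main__":
    message = b"ATTACK AT DAWN"                      # constructed sample messages
    pad = generate_pad(len(message))
    assert decrypt(encrypt(message, pad), pad) == message
    leaked = recover_from_reused_pad(encrypt(message, pad),
                                     encrypt(b"RETREAT TO FOB", pad), message)
    print(leaked)                                    # the second message, recovered without the pad
```

The length check in xor_bytes is the operational constraint the card describes: every byte of traffic needs a byte of fresh, securely delivered key, which is why the scheme is confined to niche uses.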
Explain the process Bob should use if he wants to send a confidential message to Alice using asymmetric cryptography.
Bob should encrypt the message using Alice's public key and then transmit the encrypted message to Alice.
Explain the process Alice would use to decrypt the message Bob sent in question 1.
Alice should decrypt the message using her private key.
Explain the process Bob should use to digitally sign a message to Alice.
Bob should generate a message digest from the plaintext message using a hash function. He should then encrypt the message digest using his own private key to create the digital signature. Finally, he should append the digital signature to the message and transmit it to Alice.
Explain the process Alice should use to verify the digital signature on the message from Bob in question 3.
Alice should decrypt the digital signature in Bob's message using Bob's public key. She should then create a message digest from the plaintext message using the same hashing algorithm Bob used to create the digital signature. Finally, she should compare the two message digests. If they are identical, the signature is authentic.
Name at least seven security models.
Security models include state machine, information flow, noninterference, Take-Grant, access control matrix, Bell-LaPadula, Biba, Clark-Wilson, Brewer and Nash (aka Chinese Wall), Goguen-Meseguer, Sutherland, and Graham-Denning.
Describe the primary components of TCB.
The primary components of the trusted computing base (TCB) are the hardware and software elements used to enforce the security policy (these elements are called the TCB), the security perimeter distinguishing and separating TCB components from non-TCB components, and the reference monitor that serves as an access control device across the security perimeter.
What are the two primary rules or principles of the Bell-LaPadula security model? Also, what are the two rules of Biba?
The two primary rules of Bell-LaPadula are the simple rule of no read-up and the star rule of no write-down. The two rules of Biba are the simple rule of no read-down and the star rule of no write-up.
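The rules fit in a few lines of code. The following Python reference-monitor check is an added example (not from the flash cards) that encodes both models over one set of hierarchical labels and shows what happens when both are enforced at once: a subject can then only read and write objects at its own level. The level names are illustrative.

```python
from enum import IntEnum


class Level(IntEnum):
    """Hierarchical labels. For Bell-LaPadula a higher value means more sensitive;
    for Biba it means more trustworthy (higher integrity)."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def _check_op(op: str) -> None:
    if op not in ("read", "write"):
        raise ValueError(f"unknown operation {op!r}")


def blp_allows(subject: Level, obj: Level, op: str) -> bool:
    """Bell-LaPadula (confidentiality).

    simple security property: no read up   -> read allowed only if subject >= object
    * (star) property:        no write down -> write allowed only if subject <= object
    """
    _check_op(op)
    return subject >= obj if op == "read" else subject <= obj


def biba_allows(subject: Level, obj: Level, op: str) -> bool:
    """Biba (integrity), the dual of Bell-LaPadula.

    simple integrity property:   no read down -> read allowed only if subject <= object
    * (star) integrity property: no write up  -> write allowed only if subject >= object
    """
    _check_op(op)
    return subject <= obj if op == "read" else subject >= obj


def both_allow(subject: Level, obj: Level, op: str) -> bool:
    """Enforcing both models on one set of hierarchical labels confines a subject
    to objects at exactly its own level: the only reads and writes that pass are
    those where subject == object."""
    return blp_allows(subject, obj, op) and biba_allows(subject, obj, op)


def decision_table(model) -> dict:
    """Map (subject, object, op) -> 'permit'/'deny' for every label combination,
    the kind of matrix a reference monitor implementing the model would enforce."""
    return {(s.name, o.name, op): ("permit" if model(s, o, op) else "deny")
            for s in Level for o in Level for op in ("read", "write")}


if __name__ == "__main__":
    for (s, o, op), verdict in decision_table(blp_allows).items():
        if s == "SECRET":
            print(f"BLP  {s:<12} {op:<5} {o:<12} {verdict}")
```

Note that BLP permits a SECRET subject to write into a TOP_SECRET object (a "blind write") and Biba permits it to write down; each model protects one property and is indifferent to the other, which is why real systems pair them with additional controls rather than relying on one alone.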
What is the difference between open and closed systems and open and closed source?
An open system is one with published APIs that allow third parties to develop products to interact with it. A closed system is one that is proprietary with no third-party product support. Open source is a coding stance that allows others to view the source code of a program. Closed source is an opposing coding stance that keeps source code confidential.
Name the three standard cloud-based X as a service options and briefly describe them.
The three standard cloud-based X-as-a-service options are software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS). SaaS provides on-demand online access to specific software applications or suites without local installation; the customer manages only its data and user settings, while the provider runs everything beneath. SaaS can be offered by subscription, pay-as-you-go, or free of charge. PaaS provides a computing platform and solution stack (operating system, runtime, middleware, database) onto which the customer deploys its own applications; the customer controls the applications and their configuration but not the underlying hardware or operating system, and its primary attraction is avoiding the purchase and maintenance of high-end hardware and platform software locally. IaaS provides the fundamental computing resources (virtual machines, storage, networking) on demand, usually metered and dynamically scalable, and leaves the customer to install and manage operating systems and everything above them. IaaS lets an enterprise stand up new services quickly without buying hardware, but it also leaves the largest share of security responsibility with the customer.
What are the four security modes for systems processing classified information?
The four security modes are dedicated, system high, compartmented, and multilevel.
Name the three pairs of aspects or features used to describe storage.
The three pairs of aspects or features used to describe storage are primary vs. secondary, volatile vs. nonvolatile, and random vs. sequential.
Name some vulnerabilities found in distributed architectures.
Some vulnerabilities found in distributed architecture include sensitive data found on desktops/terminals/notebooks, lack of security understanding among users, greater risk of physical component theft, compromise of a client leading to the compromise of the whole network, greater risk from malware because of user-installed software and removable media, and data on clients less likely to be included in backups.
What kind of device helps to define an organization's perimeter and also serves to deter casual trespassing?
A fence is an excellent perimeter safeguard that can help to deter casual trespassing. Moderately secure installations work when the fence is 6 to 8 feet tall and will typically be cyclone (also known as chain link) fencing with the upper surface twisted or barbed to deter casual climbers. More secure installations usually opt for fence heights over 8 feet and often include multiple strands of barbed or razor wire strung above the chain link fabric to further deter climbers.
What is the problem with halon-based fire suppression technology?
Halon degrades into toxic gases at about 900 degrees Fahrenheit. It is also an ozone-depleting substance; its production has been banned in developed countries under the Montreal Protocol since 1994, so only recycled halon is available and most jurisdictions now require or strongly encourage replacing existing systems. Halon is typically replaced by a more ecologically friendly and less toxic medium such as FM-200 (HFC-227ea), Inergen, or low-pressure water mist.
What kinds of potential issues can an emergency visit from the fire department leave in its wake?
Anytime water is used to respond to fire, flame, or smoke, water damage becomes a serious concern, particularly when water is released in areas where electrical equipment is in use. Not only can computers and other electrical gear be damaged or destroyed by water, but also many forms of storage media can become damaged or unusable. Also, when seeking hot spots to put out, firefighters often use axes to break down doors or cut through walls to reach them as quickly as possible. This, too, poses the potential for physical damage to or destruction of devices and/or wiring that may also be in the vicinity.
Name the layers of the OSI model and their numbers from top to bottom.
Application (7), Presentation (6), Session (5), Transport (4), Network (3), Data Link (2), and Physical (1).
Name three problems with cabling and the methods to counteract those issues.
Problems with cabling and their countermeasures include attenuation (use repeaters or don't violate distance recommendations), using the wrong CAT cable (check the cable specifications against throughput requirements, and err on the side of caution), crosstalk (use shielded cables, place cables in separate conduits, or use cables of different twists per inch), cable breaks (avoid running cables in locations where movement occurs), interference (use cable shielding, use cables with higher twists per inch, or switch to fiber-optic cables), and eavesdropping (maintain physical security over all cable runs or switch to fiber-optic cables).
What are the various technologies employed by wireless devices to maximize their use of the available radio frequencies?
Some of the frequency spectrum-use technologies are spread spectrum, Frequency Hopping Spread Spectrum (FHSS), Direct Sequence Spread Spectrum (DSSS), and Orthogonal Frequency-Division Multiplexing (OFDM).
Discuss methods used to secure 802.11 wireless networking.
Methods to secure 802.11 wireless networking include changing the default SSID to something unique, turning on the strongest encryption the equipment supports (WPA2 with AES-CCMP at minimum, or WPA3; WEP and WPA with TKIP are broken and should be treated as no encryption at all), treating wireless as remote access and employing 802.1X with RADIUS or TACACS+ for authentication, separating wireless access points from the LAN with firewalls, monitoring all wireless client activity with an IDS, and considering requiring wireless clients to connect through a VPN to gain LAN access. Disabling SSID broadcast, enabling MAC filtering, and using static IPs or DHCP reservations are also commonly listed, but they are obscurity measures only: the SSID still appears in probe and association frames, and MAC addresses can be sniffed and spoofed, so they must never substitute for strong encryption and authentication.
Name the LAN shared media access technologies and examples of their use, if known.
The LAN shared media access technologies are CSMA, CSMA/CA (used by 802.11 and AppleTalk), CSMA/CD (used by Ethernet), token passing (used by Token Ring and FDDI/CDDI), and polling (used by SDLC, HDLC, and some mainframe systems).
Describe the differences between transport mode and tunnel mode of IPsec.
IPsec's transport mode is used for host-to-host links: ESP encrypts only the payload and leaves the original IP header in the clear, since it is still needed for routing. IPsec's tunnel mode is used for host-to-LAN (remote access) and LAN-to-LAN (gateway-to-gateway) links: the entire original packet, header and payload, is encrypted and encapsulated, and a new outer IP header addressed to the tunnel endpoints is added. In either mode the Authentication Header (AH) provides integrity and origin authentication without encryption, so confidentiality requires ESP.
Discuss the benefits of NAT.
Network Address Translation (NAT) hides the identity and addressing of internal systems from external entities. It is most often used to translate between RFC 1918 private IP addresses and a smaller number of leased public addresses, so that a few public addresses can grant internet connectivity to many internal systems. Because a NAT device keeps a translation table of outbound sessions, unsolicited inbound traffic that matches no table entry has nowhere to go, which gives NAT the effect of a one-way filter that admits only responses to internal requests. That effect is a side benefit, not a substitute for a stateful firewall: port forwarding, misconfiguration, protocols that open inbound sessions, and IPv6 deployments that need no NAT all bypass it.
What are the main differences between circuit switching and packet switching?
Circuit switching is usually associated with physical connections. The link itself is physically established and then dismantled for the communication. Circuit switching offers known fixed delays, supports constant traffic, is connection oriented, is sensitive only to the loss of the connection rather than the communication, and was most often used for voice transmissions. Packet switching is usually associated with logical connections because the link is just a logically defined path among possible paths. Within a packet-switching system, each system or link can be employed simultaneously by other circuits. Packet switching divides the communication into segments, and each segment traverses the circuit to the destination. Packet switching has variable delays because each segment could take a unique path, is usually employed for bursty traffic, is not physically connection oriented but often uses virtual circuits, is sensitive to the loss of data, and is used for any form of communication.
What are some security issues with email and options for safeguarding against them?
Email is inherently insecure because SMTP was designed as a plaintext protocol with no sender authentication and, by default, no transport encryption. This allows email to be easily spoofed, spammed, flooded, eavesdropped on, interfered with, and hijacked. Defenses include domain-level sender authentication (SPF, DKIM, and DMARC, so receivers can reject spoofed origins), opportunistic or enforced TLS between mail servers to protect messages in transit, end-to-end encryption and signing of message content with S/MIME or OpenPGP, and anti-spam and anti-malware filtering at the gateway.
Name at least three access control types.
Access control types include preventive, detective, corrective, deterrent, recovery, directive, and compensating access controls. They are implemented as administrative controls, logical/technical controls, and/or physical controls.
Describe the differences between identification, authentication, authorization, and accountability.
Identification occurs when a subject claims an identity, such as with a username. Authentication occurs when the subject provides information to verify the claimed identity is the subject's identity. For example, a user can provide the correct password matched to the user's name. Authorization is the process of granting the subject rights and permissions based on the subject's proven identity. Accountability is accomplished by logging actions of subjects and is reliable only if the identification and authentication processes are strong and secure.
Describe the three primary authentication factor types.
A Type 1 authentication factor is something you know. A Type 2 authentication factor is something you have. A Type 3 authentication factor is something you are.
Name the method that allows users to log on once and access resources in multiple organizations without authenticating again.
Federated identity management systems allow single sign-on (SSO) to be extended beyond a single organization. SSO allows users to authenticate once and access multiple resources without authenticating again. SAML is a common language used to exchange federated identity information between organizations.
Identify the three primary elements within the identity and access provisioning lifecycle.
The identity and access provisioning lifecycle includes provisioning accounts, periodically reviewing and managing accounts, and disabling or deleting accounts when they are no longer being used.
Describe the primary difference between discretionary and nondiscretionary access control models.
A discretionary access control (DAC) model allows the owner, creator, or data custodian of an object to control and define access. Administrators centrally administer nondiscretionary access controls and can make changes that affect the entire environment.
List three elements to identify when attempting to identify and prevent access control attacks.
Assets, threats, and vulnerabilities should be identified through asset valuation, threat modeling, and vulnerability analysis.
Name at least three types of attacks used to discover passwords.
Brute-force attacks, dictionary attacks, sniffer attacks, rainbow table attacks, and social-engineering attacks are all known methods used to discover passwords.
Identify the differences between a salt and a pepper (used when hashing a password).
A salt is different for every password in a database. A pepper is the same for every password in a database. Salts for passwords are stored in the same database as the hashed passwords. A pepper is stored somewhere external to the database such as in application code or as a configuration setting for a server.
Describe the difference between TCP SYN scanning and TCP connect scanning.
TCP SYN scanning sends a single packet to each scanned port with the SYN flag set, which is a request to open a new connection. If the scanner receives a response with the SYN and ACK flags set, the target has moved to the second step of the three-way TCP handshake and the port is open; the scanner then sends a RST instead of completing the handshake, which is why the technique is also called "half-open" scanning. A RST in reply means the port is closed, and no reply (or an ICMP unreachable) suggests filtering. Because it requires crafting raw packets, SYN scanning needs administrator or root privileges. TCP connect scanning instead uses the operating system's normal connect() call to open a full connection to each port; it is used when the user running the scan lacks the privileges for a half-open scan, and it is more reliable but noisier, since the completed connection is more likely to be logged by the target application.
What are the three port status values returned by the nmap network discovery scanning tool?
Open—The port is open on the remote system and there is an application that is actively accepting connections on that port.
Closed—The port is accessible on the remote system, meaning that the firewall is allowing access, but there is no application accepting connections on that port.
Filtered—Nmap is unable to determine whether a port is open or closed because a firewall is interfering with the connection attempt.
Nmap also reports unfiltered (the port is reachable but the scan type cannot tell whether it is open or closed), open|filtered, and closed|filtered when a particular scan type cannot distinguish two states, so real output may show six states rather than three.
What is the difference between static and dynamic code testing techniques?
Static software testing techniques, such as code reviews, evaluate the security of software without running it by analyzing either the source code or the compiled application. Dynamic testing evaluates the security of software in a runtime environment and is often the only option for organizations deploying applications written by someone else.
What is the difference between mutation fuzzing and generational fuzzing?
Mutation (dumb) fuzzing takes input values captured from actual operation of the software and manipulates (mutates) them to create fuzzed input. It might flip bits, alter characters, append strings to the end of the content, truncate it, or perform other blind data manipulations; it needs no knowledge of the format, but it rarely reaches deep into parsers that reject malformed framing early.
Generational (intelligent) fuzzing develops a data model of the input format and generates new fuzzed input from that understanding of the types, lengths, and structures the program expects, so it can exercise valid-looking inputs that carry malicious values in specific fields.
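To show the two approaches side by side, here is an added Python example (not from the flash cards) with a small constructed record parser that contains a bounds-checking bug. A mutation fuzzer damages a valid sample record at random, and a generational fuzzer builds records from a model of the format; both surface the bug, and the harness distinguishes proper rejections (ValueError) from crashes. The record format and the bug are invented for the demonstration.

```python
import random
from typing import Iterable, List, Tuple


def parse_record(data: bytes) -> dict:
    """Constructed fuzz target, not a real protocol: [type][length][payload].

    Type 0x01 checks the length field against the bytes actually present.
    Type 0x02 trusts the length field and indexes the payload with it, so a
    short or truncated record raises IndexError: the Python stand-in for the
    out-of-bounds read this bug would be in C.
    """
    if len(data) < 2:
        raise ValueError("record too short")
    rtype, length = data[0], data[1]
    payload = data[2:2 + length]
    if rtype == 0x01:
        if len(payload) != length:
            raise ValueError("length field does not match payload")
        return {"type": "text", "value": payload}
    if rtype == 0x02:
        return {"type": "checksum", "value": payload[length - 1]}   # BUG: no bounds check
    raise ValueError("unknown record type")


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Mutation (dumb) fuzzing: start from a real input and damage it blindly."""
    data = bytearray(seed)
    choice = rng.randrange(4)
    if choice == 0:                                   # flip one random bit
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    elif choice == 1:                                 # replace a byte with a boundary value
        data[rng.randrange(len(data))] = rng.choice([0x00, 0x01, 0x7F, 0x80, 0xFF])
    elif choice == 2:                                 # append junk
        data += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    else:                                             # truncate somewhere
        del data[rng.randrange(len(data)):]
    return bytes(data)


def generate_cases() -> Iterable[bytes]:
    """Generational (intelligent) fuzzing: build inputs from a model of the format,
    every known type byte crossed with boundary lengths and payloads that are
    full size, empty, or one byte short."""
    for rtype in (0x00, 0x01, 0x02, 0xFF):
        for length in (0, 1, 0x7F, 0xFF):
            for actual in (length, 0, max(length - 1, 0)):
                yield bytes([rtype, length]) + b"A" * actual


def run_cases(cases: Iterable[bytes]) -> List[Tuple[str, bytes]]:
    """Feed inputs to the target; ValueError is a proper rejection, anything else is a crash."""
    crashes = []
    for case in cases:
        try:
            parse_record(case)
        except ValueError:
            continue
        except Exception as exc:
            crashes.append((type(exc).__name__, case))
    return crashes


def fuzz(seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> List[Tuple[str, bytes]]:
    rng = random.Random(rng_seed)                     # fixed seed so findings reproduce
    return run_cases(mutate(seed, rng) for _ in range(iterations))


if __name__ == "__main__":
    found = fuzz(b"\x02\x03abc")                      # a valid checksum record as the seed
    print(f"mutation fuzzing: {len(found)} crashing inputs, e.g. {found[0] if found else None}")
    print(f"generational fuzzing: {len(run_cases(generate_cases()))} crashing inputs")
```

The generational run needs only 48 inputs to hit the bug because it knows where the length field is; the mutation run finds it too, but by spending most of its iterations on inputs the parser rejects before the vulnerable branch.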
Define the difference between need-to-know and the principle of least privilege.
Need to know focuses on permissions and the ability to access information, whereas the principle of least privilege focuses on privileges. Privileges include both rights and permissions. Both limit the access of users and subjects to only what they need. Following these principles prevents and limits the scope of security incidents.
Name the common methods used to manage sensitive information.
Managing sensitive information includes properly marking, handling, storing, and destroying it based on its classification.
Describe the purpose of monitoring the assignment and usage of special privileges.
Monitoring the assignment of special privileges detects when individuals are granted higher privileges such as when they are added to an administrator account. It can detect when unauthorized entities are granted higher privileges. Monitoring the usage of special privileges detects when entities are using higher privileges, such as creating unauthorized accounts, accessing or deleting logs, and creating automated tasks. This monitoring can detect potential malicious insiders and remote attackers.
List the three primary cloud-based service models and identify the level of maintenance provided by the cloud service provider in each of the models.
The three models are software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS). The cloud service provider (CSP) provides the most maintenance and security services with SaaS, less with PaaS, and the least with IaaS. While NIST SP 800-144 provides these definitions, CSPs sometimes use their own terms and definitions in marketing materials.
How do change management processes help prevent outages?
Change management processes help prevent outages by ensuring that proposed changes are reviewed and tested before being deployed. They also ensure that changes are documented.
List the different phases of incident response identified in the CISSP Security Operations domain.
Incident response steps listed in the CISSP Security Operations domain are detection, response, mitigation, reporting, recovery, remediation, and lessons learned.
Describe the primary types of intrusion detection systems.
Intrusion detection systems can be described as host based or network based, based on their detection methods (knowledge based or behavior based), and based on their responses (passive or active).
Host-based IDSs examine events on individual computers in great detail, including file activities, accesses, and processes. Network-based IDSs examine general network events and anomalies through traffic evaluation.
A knowledge-based IDS uses a database of known attacks to detect intrusions. A behavior-based IDS starts with a baseline of normal activity and measures network activity against the baseline to identify abnormal activity.
A passive response will log the activity and often provide a notification. An active response directly responds to the intrusion to stop or block the attack.
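The knowledge-based versus behavior-based distinction is easiest to see on data. Below is an added Python example (mine, not from the flash cards) that runs a signature check and a statistical baseline check over constructed web-server log lines: the signatures catch a single SQL injection and a path traversal attempt, and the rate baseline catches a scanner whose individual requests look innocent. The log format, addresses and threshold are all invented for the example.

```python
import re
import statistics
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample logs (no real system): 'client - [time] "method path" status'.
BASELINE_LOG = """\
10.0.0.5 - [09:00:01] "GET /index.html" 200
10.0.0.5 - [09:00:09] "GET /about.html" 200
10.0.0.5 - [09:00:40] "GET /contact.html" 200
10.0.0.7 - [09:00:12] "GET /index.html" 200
10.0.0.7 - [09:00:31] "GET /pricing.html" 200
10.0.0.9 - [09:00:15] "GET /index.html" 200
10.0.0.9 - [09:00:44] "POST /login" 302
10.0.0.11 - [09:00:20] "GET /index.html" 200
10.0.0.11 - [09:00:25] "GET /docs/" 200
10.0.0.11 - [09:00:50] "GET /docs/api.html" 200
"""
LIVE_LOG = """\
10.0.0.5 - [09:05:01] "GET /index.html" 200
10.0.0.5 - [09:05:03] "GET /about.html" 200
10.0.0.9 - [09:05:08] "GET /login?user=admin' OR '1'='1" 200
10.0.0.7 - [09:05:10] "GET /../../etc/passwd" 404
10.0.0.9 - [09:05:12] "GET /index.html" 200
""" + "".join(f'10.0.0.66 - [09:05:{20 + i:02d}] "GET /backup{i}.zip" 404\n' for i in range(12))

LINE_RE = re.compile(r'^(\S+) - \[(\d\d:\d\d:\d\d)\] "(\S+) (.*?)" (\d{3})$')

# Knowledge-based detection: a database of known attack patterns.
SIGNATURES = {
    "sql_injection": re.compile(r"(?i)'\s*or\s*'|union\s+select"),
    "path_traversal": re.compile(r"\.\./"),
    "xss": re.compile(r"(?i)<script"),
}


def parse(log: str) -> List[dict]:
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:                              # skip malformed lines instead of crashing the sensor
            ip, ts, method, path, status = m.groups()
            events.append({"ip": ip, "time": ts, "method": method, "path": path, "status": int(status)})
    return events


def knowledge_based(events: List[dict]) -> List[Tuple[str, str]]:
    """Flag every request whose path matches a known signature. Precise, but blind
    to anything not already in the database."""
    return [(e["ip"], name) for e in events
            for name, rx in SIGNATURES.items() if rx.search(e["path"])]


def behavior_based(baseline: List[dict], live: List[dict], k: float = 3.0) -> Dict[str, int]:
    """Learn the normal per-client request count from a clean window, then flag any
    client more than k standard deviations above the mean. Catches the scanner whose
    requests match no signature, at the price of tuning k to limit false positives."""
    normal = list(Counter(e["ip"] for e in baseline).values())
    threshold = statistics.mean(normal) + k * statistics.pstdev(normal)
    current = Counter(e["ip"] for e in live)
    return {ip: n for ip, n in current.items() if n > threshold}


if __name__ == "__main__":
    base, live = parse(BASELINE_LOG), parse(LIVE_LOG)
    print("signature hits:", knowledge_based(live))
    print("anomalous clients:", behavior_based(base, live))
```

Neither detector alone covers the sample: the scanner at 10.0.0.66 never triggers a signature, and the two single-request attacks never exceed the rate baseline, which is why production sensors combine both methods.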
Describe the relationship between auditing and audit trails.
Auditing is a methodical examination or review of an environment and encompasses a wide variety of activities to ensure compliance with regulations and to detect abnormalities, unauthorized occurrences, or outright crimes. Audit trails provide the data that supports such examination or review and essentially are what make auditing and subsequent detection of attacks and misbehavior possible.
What should an organization do to verify that accounts are managed properly?
Organizations should regularly perform access reviews and audits. These can detect when an organization is not following its own policies and procedures related to account management. They can be performed manually or using automation techniques available in some identity and access management (IAM) systems.
What are some of the main concerns businesses have when considering adopting a mutual assistance agreement?
Businesses have three main concerns when considering adopting a mutual assistance agreement. First, the nature of an MAA often necessitates that the businesses be located in close geographical proximity. However, this requirement also increases the risk that the two businesses will fall victim to the same threat. Second, MAAs are difficult to enforce in the middle of a crisis. If one of the organizations is affected by a disaster and the other isn't, the organization not affected could back out at the last minute, leaving the other organization out of luck. Finally, confidentiality concerns (both legal and business related) often prevent businesses from trusting others with their sensitive operational data.
List and explain the five types of disaster recovery tests.
Read-through tests involve the distribution of recovery checklists to disaster recovery personnel for review.
Structured walk-throughs are "tabletop" exercises that involve assembling the disaster recovery team to discuss a disaster scenario.
Simulation tests are more comprehensive and may impact one or more noncritical business units of the organization.
Parallel tests involve relocating personnel to the alternate site and commencing operations there while the primary site continues normal operations.
Full-interruption tests involve relocating personnel to the alternate site and shutting down operations at the primary site.
Explain the differences between the three types of backup strategies discussed in this chapter.
Full backups create a copy of all data stored on a server. Incremental backups create copies of all files modified since the last full or incremental backup. Differential backups create copies of all files modified since the last full backup without regard to any previous differential or incremental backups that may have taken place.
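The three strategies differ in what is copied and in what must be restored. The added Python below (not from the flash cards) simulates a full backup followed by three days of incremental or differential backups over a constructed set of files, then computes how many file copies were written and which backup sets a restore would need; the differential chain is shorter to restore but consumes more media.

```python
from typing import Dict, FrozenSet, List, Set, Tuple

Backup = Tuple[int, str, FrozenSet[str]]   # (day, kind, files copied)

# Constructed scenario: four files, a full backup on day 0, then daily backups.
ALL_FILES = {"db.sql", "payroll.xlsx", "web.conf", "notes.txt"}
CHANGES: Dict[int, Set[str]] = {            # day -> files modified during that day
    1: {"db.sql"},
    2: {"db.sql", "notes.txt"},
    3: {"web.conf"},
}


def plan(strategy: str, all_files: Set[str], changes: Dict[int, Set[str]], last_day: int) -> List[Backup]:
    """Day 0 takes a full backup; each later day takes a backup of the given strategy."""
    if strategy not in ("incremental", "differential"):
        raise ValueError("strategy must be 'incremental' or 'differential'")
    backups: List[Backup] = [(0, "full", frozenset(all_files))]
    modified_since_full: Set[str] = set()
    for day in range(1, last_day + 1):
        changed = changes.get(day, set())
        modified_since_full |= changed
        if strategy == "incremental":
            files = changed               # modified since the last backup of any kind (yesterday's)
        else:
            files = modified_since_full   # modified since the last full, ignoring earlier differentials
        backups.append((day, strategy, frozenset(files)))
    return backups


def restore_chain(backups: List[Backup]) -> List[Backup]:
    """The backup sets that must be applied, in order, to rebuild the latest state."""
    full_index = max(i for i, b in enumerate(backups) if b[1] == "full")
    chain = [backups[full_index]]
    later = backups[full_index + 1:]
    if not later:
        return chain
    if later[-1][1] == "incremental":
        chain.extend(later)             # every incremental since the full, oldest first
    else:
        chain.append(later[-1])         # only the newest differential is needed
    return chain


def copies_written(backups: List[Backup]) -> int:
    """Total file copies stored: a proxy for media consumed and backup window length."""
    return sum(len(b[2]) for b in backups)


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        bk = plan(strategy, ALL_FILES, CHANGES, last_day=3)
        print(strategy, "copies written:", copies_written(bk),
              "sets to restore:", len(restore_chain(bk)))
```

The trade-off the simulation exposes is the one to weigh against the recovery time objective: incremental backups run fastest and use least media, but every set since the full must be present and intact to restore, so the loss of one daily tape breaks the chain.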
What are the major categories of computer crime?
The major categories of computer crime are military/intelligence attacks, business attacks, financial attacks, terrorist attacks, grudge attacks, and thrill attacks.
What is the main motivation behind a thrill attack?
Thrill attacks are motivated by individuals seeking to achieve the "high" associated with successfully breaking into a computer system.
What is the difference between an interview and an interrogation?
Interviews are conducted with the intention of gathering information from individuals to assist with your investigation. Interrogations are conducted with the intent of gathering evidence from suspects to be used in a criminal prosecution.
What are the three basic requirements that evidence must meet in order to be admissible in court?
To be admissible, evidence must be reliable, competent, and material to the case.
What is the main purpose of a primary key in a database table?
The primary key uniquely identifies each row in the table. For example, an employee identification number might be the primary key for a table containing information about employees.
What is polyinstantiation?
Polyinstantiation is a database security technique that appears to permit the insertion of multiple rows sharing the same uniquely identifying information (primary key) but carrying different classification labels. A user at a lower clearance sees only the row at or below their level, which can be a deliberate cover story, and cannot infer that a more sensitive row exists; this defeats inference attacks in multilevel secure databases.
Explain the difference between static and dynamic analysis of application code.
Static analysis assesses the code itself, analyzing the source or compiled instructions for security flaws without executing the program. Dynamic analysis executes the code in a runtime environment (normally a test or staging instance rather than production) and searches for flaws that appear only while it runs.
How far backward does the waterfall model allow developers to travel when a development flaw is discovered?
What is the major difference between a virus and a worm?
Viruses and worms both travel from system to system attempting to deliver their malicious payloads to as many machines as possible. However, viruses require some sort of human intervention, such as sharing a file, network resource, or email message, to propagate. Worms, on the other hand, seek out vulnerabilities and spread from system to system under their own power, thereby greatly magnifying their reproductive capability, especially in a well-connected network.
Explain how an attacker might construct a rainbow table.
To construct a rainbow table, the attacker follows this process:
Obtain or develop a list of commonly used passwords.
Determine the hashing function used by the password mechanism.
Compute the hash value of each password on the commonly used list and store it with the password. The result of this operation is the rainbow table.
Strictly speaking, these steps produce a precomputed hash lookup table; a true rainbow table stores only the endpoints of long hash-reduce chains to trade lookup time for far less storage. Both are defeated the same way, by a per-password salt, which forces the attacker to recompute the table for every salt value.
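As an added example that serves both this card and the earlier salt-and-pepper card, the following Python (written for this page, not taken from the flash cards) builds the precomputed table exactly as the steps describe, cracks an unsalted hash with a single lookup, and then shows how a per-password salt plus a secret pepper defeats the same table. The password list and the pepper value are constructed; a real pepper would be kept outside the database.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional

# Constructed "commonly used passwords" list standing in for a real wordlist.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "admin", "welcome1"]

# Constructed pepper. In practice it lives outside the database, in an HSM, a
# secrets manager, or server configuration, never beside the hashes it protects.
PEPPER = bytes.fromhex("9f3a4c11d2e8b7a60c5f1e2d3b4a5968")


def unsalted_hash(password: str) -> str:
    """What a naive password store keeps: a bare hash of the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(passwords: Iterable[str]) -> Dict[str, str]:
    """The flashcard's procedure: hash each common password once, store hash -> password.

    This is a precomputed lookup table; a true rainbow table compresses it into
    hash-reduce chains, but the attack and the defence are the same."""
    return {unsalted_hash(pw): pw for pw in passwords}


def crack_unsalted(stolen_hash_hex: str, table: Dict[str, str]) -> Optional[str]:
    """One dictionary lookup recovers any unsalted hash that is in the table."""
    return table.get(stolen_hash_hex)


def hash_password(password: str, salt: bytes, pepper: bytes, iterations: int = 100_000) -> bytes:
    """Salted, slow hash (PBKDF2-HMAC-SHA256), then keyed with the pepper.

    The salt is unique per password, so identical passwords hash differently and no
    table can be precomputed. The pepper is one secret for the whole database, so a
    dumped table is useless to an attacker who did not also steal the pepper."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.new(pepper, derived, "sha256").digest()


def create_record(password: str, pepper: bytes = PEPPER) -> Dict[str, bytes]:
    """What gets stored in the user table: the salt in the clear next to the hash."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": hash_password(password, salt, pepper)}


def verify_password(password: str, record: Dict[str, bytes], pepper: bytes = PEPPER) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hash_password(password, record["salt"], pepper)
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted hash cracked to:", crack_unsalted(unsalted_hash("letmein"), table))
    record = create_record("letmein")
    print("salted+peppered hash in table?", record["hash"].hex() in table)
    print("login with correct password:", verify_password("letmein", record))
```

Two users with the same weak password get different records, so the attacker must run the full dictionary against each salt individually; the slow PBKDF2 iteration count makes every one of those attempts expensive, and without the pepper even that effort is wasted.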
What are the actions an antivirus software package might take when it discovers an infected file?
If possible, antivirus software may try to disinfect an infected file, removing the virus's malicious code. If that fails, it might either quarantine the file for manual review or automatically delete it to prevent further infection.
Explain how a data integrity assurance package like Tripwire provides some secondary virus detection capabilities.
Data integrity assurance packages like Tripwire compute hash values for each file stored on a protected system. If a file infector virus strikes the system, this would result in a change in the affected file's hash value and would, therefore, trigger a file integrity alert.
What are the differences between the three SOC reports?
The simplest, a SOC 1 report, covers only a service organization's internal controls over financial reporting. To verify security, availability, processing integrity, confidentiality, or privacy controls (the Trust Services Criteria), you want a SOC 2 or SOC 3 report. SOC 2 is a detailed report with restricted distribution, normally shared with customers under NDA; SOC 3 is a general-use summary suitable for public release. Each is issued as Type I (the design of controls at a point in time) or Type II (design and operating effectiveness over a period, typically 6 to 12 months). The American Institute of Certified Public Accountants (AICPA) sets and maintains the standards surrounding these reports to maintain consistency between auditors from different accounting firms.
Describe reduction analysis.
In reduction analysis, the security professional breaks the system down into five key elements: trust boundaries, data flow paths, input points, privileged operations, and details about security controls.
What are the network devices associated with the OSI layers?
Hubs and Repeaters (Physical);
Bridges, Access Points, Switches (Data Link);
Multilayer Switches, Router, IP Filtering Firewall (Network);
Load Balancer, Port Filtering Firewall (Transport);
Protocol or Data Filtering Firewall (Application)
What are the data types associated with the OSI layers?
Bits (Physical); Frames (Data Link); Packets (Network); Segments (Transport); Data (Application, Presentation, Session)
What is the threshold for malicious damage to a federal computer system that triggers the Computer Fraud and Abuse Act of 1986?
The Computer Fraud and Abuse Act (CFAA) makes it a federal crime to maliciously cause damage in excess of $5,000 to a federal computer system during any one-year period.
What is the threshold for malicious damage to a federal computer system that triggers the Comprehensive Crime Control Act of 1984?
What is NIST SP 800-171?
Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. Compliance with this standard's security controls (which are quite similar to those found in NIST 800-53) is often included as a contractual requirement by government agencies. Federal contractors must often comply with NIST SP 800-171.
What is the NIST Cybersecurity Framework (CSF)?
A set of standards designed to serve as a voluntary risk-based framework for securing information and systems.
What are the six steps for the NIST risk management framework?
What is VAST?
Visual, Agile, and Simple Threat (VAST) is a threat modeling concept based on Agile project management and programming principles. The goal of VAST is to integrate threat and risk management into an Agile programming environment on a scalable basis.
Which law requires that communications service providers cooperate with law enforcement requests?
The Communications Assistance to Law Enforcement Act (CALEA) requires that all communications carriers make wiretaps possible for law enforcement officials who have an appropriate court order.
What is Trike?
Trike is another threat modeling methodology that focuses on a risk-based approach instead of depending upon the aggregated threat model used in STRIDE and DREAD. Trike provides a method of performing a security audit in a reliable and repeatable procedure. It also provides a consistent framework for communication and collaboration among security workers. Trike is used to craft an assessment of an acceptable level of risk for each class of asset that is then used to determine appropriate risk response actions.
What are the throughput speeds and details regarding the different Cat ratings?
Cat 1, voice only: Not suitable for networks but usable by modems
Cat 2, 4 Mbps: Not suitable for most networks; often employed for host-to-terminal connections on mainframes
Cat 3, 10 Mbps: Primarily used in 10BaseT Ethernet networks (offers only 4 Mbps when used on Token Ring networks) and as telephone cables
Cat 4, 16 Mbps: Primarily used in Token Ring networks
Cat 5, 100 Mbps: Used in 100BaseTX, FDDI, and ATM networks
Cat 6, 1 Gbps: Used in high-speed networks
Cat 7, 10 Gbps: Used on 10 gigabit-speed networks
What are five packet switching technologies?
Packet-switching technologies include X.25, Frame Relay, asynchronous transfer mode (ATM), Synchronous Data Link Control (SDLC), and High-Level Data Link Control (HDLC). Packet-switching technologies use virtual circuits instead of dedicated physical circuits. A virtual circuit is created only when needed, which makes for efficient use of the transmission medium and is extremely cost-effective.
What is the 5-4-3 Rule?
The 5-4-3 rule is used whenever Ethernet or other IEEE 802.3 shared-access networks are deployed using hubs and repeaters as network connection devices in a tree topology (in other words, a central trunk with various splitting branches). This rule defines the number of repeaters/concentrators and segments that can be used in a network design. The rule states that between any two nodes (a node can be any type of processing entity, such as a server, client, or router), there can be a maximum of five segments connected by four repeaters/concentrators, and it states that only three of those five segments can be populated (in other words, have additional or other user, server, or networking device connections).
Frequency Hopping Spread Spectrum (FHSS) was an early implementation of the spread spectrum concept. However, instead of sending data in a parallel fashion, it transmits data in a series while constantly changing the frequency in use. The entire range of available frequencies is employed, but only one frequency at a time is used. As the sender changes from one frequency to the next, the receiver has to follow the same hopping pattern to pick up the signal. FHSS was designed to help minimize interference by not using only a single frequency that could be affected. Instead, by constantly shifting frequencies, it minimizes interference.
Direct Sequence Spread Spectrum (DSSS) employs all the available frequencies simultaneously in parallel. This provides a higher rate of data throughput than FHSS. DSSS also uses a special encoding mechanism known as chipping code to allow a receiver to reconstruct data even if parts of the signal were distorted because of interference. This occurs in much the same way that the parity of RAID-5 allows the data on a missing drive to be re-created.
Orthogonal Frequency-Division Multiplexing (OFDM) is yet another variation on frequency use. OFDM employs a digital multicarrier modulation scheme that allows for a more tightly compacted transmission. The modulated signals are perpendicular (orthogonal) and thus do not cause interference with each other. Ultimately, OFDM requires a smaller frequency set (aka channel bands) but can offer greater data throughput.
What are the key provisions/principles of GDPR?
A data breach notification requirement that mandates that companies inform authorities of serious data breaches within 24 hours;
the creation of centralized data protection authorities in each EU member state;
provisions that individuals will have access to their own data;
data portability provisions that will facilitate the transfer of personal information between service providers at the individual's request;
the "right to be forgotten" that allows people to require companies to delete their information if it is no longer needed
What is ASLR?
Address space layout randomization (ASLR) is a memory-protection process for operating systems (OSes) that guards against buffer-overflow attacks by randomizing the location where system executables are loaded into memory.
What are the steps for the Kerberos logon process?
1. The user types a username and password into the client.
2. The client encrypts the username with AES for transmission to the KDC.
3. The KDC verifies the username against a database of known credentials.
4. The KDC generates a symmetric key (client/TGS key) that will be used by the client and the Kerberos server. It encrypts this with a hash of the user's password. The KDC also generates an encrypted time-stamped TGT.
5. The KDC then transmits the encrypted symmetric key and the encrypted time-stamped TGT to the client.
6. The client installs the TGT for use until it expires. The client also decrypts the symmetric key using a hash of the user's password.
What are the steps for the Kerberos process when a client wants to access an object, such as a resource hosted on the network?
1. The client sends its TGT back to the KDC with a request for access to the resource.
2. The KDC verifies that the TGT is valid and checks its access control matrix to verify that the user has sufficient privileges to access the requested resource.
3. The KDC generates a service ticket (client/server ticket) and sends it to the client.
4. The client sends the ticket to the server or service hosting the resource.
5. The server or service hosting the resource verifies the validity of the ticket with the KDC.
6. Once identity and authorization are verified, Kerberos activity is complete. The server or service host then opens a session with the client and begins communications or data transmission.
FHSS, DSSS, and OFDM all use what wireless communication method that occurs over multiple frequencies simultaneously?
What three primary concerns are associated with multilayer protocols?
They can conceal covert channels (and thus covert channels are allowed), filters can be bypassed by traffic concealed in layered protocols, and the logical boundaries put in place by network segments can be bypassed under some circumstances. Multilayer protocols allow encryption at various layers and support a range of protocols at higher layers.
What is FDDI?
FDDI, or Fiber Distributed Data Interface, is a token-passing network that uses a pair of rings with traffic flowing in opposite directions. It can bypass broken segments by dropping the broken point and using the second, unbroken ring to continue to function.
What are capability tables? How are they different from access control lists?
Capability tables list the privileges assigned to subjects and identify the objects that subjects can access. Access control lists are object-focused rather than subject-focused.
What are some weaknesses of Kerberos?
Kerberos encrypts messages using secret keys, providing protection for authentication traffic. The KDC is both a single point of failure and can cause problems if compromised because keys are stored on the KDC that would allow attackers to impersonate any user. Like many authentication methods, Kerberos can be susceptible to password guessing.
What are some SSO implementations?
Kerberos, Active Directory Federation Services (ADFS), and Central Authentication Services (CAS) are all SSO implementations. RADIUS is not a single sign-on implementation, although some vendors use it behind the scenes to provide authentication for proprietary SSO.
Lauren needs to send information about services she is provisioning to a third-party organization. What standards-based markup language should she choose to build the interface?
Service Provisioning Markup Language, or SPML, is an XML-based language designed to allow platforms to generate and respond to provisioning requests. SAML is used to exchange authorization and authentication data, while XACML is used to describe access controls. SOAP, or Simple Object Access Protocol, is a messaging protocol and could be used for any XML messaging but is not a markup language itself.
What are the default ports for LDAP and LDAP-S?
389 and 636
What standards cover Kerberos, provisioning services, biometric authentication systems, and directory services?
The X.500 series of standards covers directory services. Kerberos is described in RFCs; biometric systems are covered by a variety of standards, including ISO standards; and provisioning standards include SCIM, SPML, and others.
What technology is Microsoft's Active Directory Domain Services based on?
Active Directory Domain Services is based on LDAP, the Lightweight Directory Access Protocol. Active Directory also uses Kerberos for authentication.
By default, in what format does OpenLDAP store the value of the userPassword attribute?
By default, OpenLDAP stores the userPassword attribute in the clear. This means that ensuring that the password is provided to OpenLDAP in a secure format is the responsibility of the administrator or programmer who builds its provisioning system.
What type of attack is the creation and exchange of state tokens intended to prevent?
The anti-forgery state token exchanged during OAuth sessions is intended to prevent cross-site request forgery. This makes sure that the unique session token with the authentication response from Google's OAuth service is available to verify that the user, not an attacker, is making a request.
What are the differences between an access control matrix, access control lists, and capability tables?
An access control matrix is a table that lists objects, subjects, and their privileges. Access control lists focus on objects and which subjects can access them. Capability tables list subjects and what objects they can access.
What is the difference between OAuth and OpenID?
OAuth provides the ability to access resources from another service and would meet Jim's needs. OpenID would allow him to use an account from another service with his application.
What are the data transfer rates for T3, T1, ATM, and ISDN?
A T3 (DS-3) line is capable of 44.736 Mbps. This is often referred to as 45 Mbps. A T1 is 1.544 Mbps, ATM is 155 Mbps, and ISDN is often 64 or 128 Kbps.
What type of token-based authentication system uses a challenge/response process in which the challenge has to be entered on the token?
Asynchronous tokens use a challenge/response process in which the system sends a challenge and the user responds with a PIN and a calculated response to the challenge. The server performs the same calculations, and if both match, it authenticates the user. Synchronous tokens use a time-based calculation to generate codes. Smart cards are paired with readers and don't need to have challenges entered.
What LDAP authentication mode can provide secure authentication?
The Simple Authentication and Security Layer (SASL) for LDAP provides support for a range of authentication types, including secure methods. Anonymous authentication does not require or provide security, and simple authentication can be tunneled over SSL or TLS but does not provide security by itself. S-LDAP is not an LDAP protocol.
Which Type 3 authenticator is appropriate to use by itself rather than in combination with other biometric factors?
Palm scans compare the vein patterns in the palm to a database to authenticate a user. Vein patterns are unique, and this method is a better single-factor authentication method than voice pattern recognition, hand geometry, and pulse patterns, each of which can be more difficult to uniquely identify between individuals or can be fooled more easily.
Kerberos, KryptoKnight, and SESAME are all examples of what type of system?
Kerberos, KryptoKnight, and SESAME are all single sign-on, or SSO, systems. PKI systems are public key infrastructure systems, CMS systems are content management systems, and LDAP and other directory servers provide information about services, resources, and individuals.
For what systems are RADIUS, Kerberos, OAuth, and TACACS+ used?
Windows uses Kerberos for authentication. RADIUS is typically used for wireless networks, modems, and network devices, while OAuth is primarily used for web applications. TACACS+ is used for network devices.
Alex configures his LDAP server to provide services on 636 and 3269. What type of LDAP services has he configured based on LDAP's default ports?
Secure LDAP and secure global directory
What is a method used to design new software tests and to ensure the quality of tests?
Mutation testing modifies a program in small ways and then tests that mutant to determine if it behaves as it should or if it fails. This technique is used to design and test software tests through mutation. Static code analysis and regression testing are both means of testing code, whereas code auditing is an analysis of source code rather than a means of designing and testing software tests.
Saria wants to log and review traffic information between parts of her network. What type of network logging should she enable on her routers to allow her to perform this analysis?
Flows, also often called network flows, are captured to provide insight into network traffic for security, troubleshooting, and performance management. Audit logging provides information about events on the routers, route logging is not a common network logging function, and trace logs are used in troubleshooting specific software packages as they perform their functions.
What major difference separates synthetic and passive monitoring?
Passive monitoring only works after issues have occurred because it requires actual traffic. Synthetic monitoring uses simulated or recorded traffic and thus can be used to proactively identify problems. Both synthetic and passive monitoring can be used to detect functionality issues.
What four types of coverage criteria are commonly used when validating the work of a code testing suite?
Code coverage testing most frequently requires that every function has been called, that each statement has been executed, that all branches have been fully explored, and that each condition has been evaluated for all possibilities. API, input, and loop testing are not common types of code coverage testing measures.
What is NIST SP 800-53A?
NIST SP 800-53A is titled "Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans," and covers methods for assessing and measuring controls.
What is NIST 800-12?
NIST 800-12 is an introduction to computer security.
What is NIST 800-34?
800-34 covers contingency planning.
What is NIST 800-86?
800-86 is the "Guide to Integrating Forensic Techniques into Incident Response."
What describes a typical process for building and implementing an Information Security Continuous Monitoring program as described by NIST Special Publication 800-137?
analyze and report,
TCP 515 and 9100
LPD (line printer daemon)
What are the SCAP components?
The Common Platform Enumeration (CPE) component of SCAP provides a consistent way to refer to operating systems and other system components. The Common Vulnerabilities and Exposures (CVE) component provides a consistent way to refer to security vulnerabilities. The Common Weaknesses Enumeration (CWE) component helps describe the root causes of software flaws. The Open Vulnerability and Assessment Language (OVAL) standardizes steps of the vulnerability assessment process.
What are the five types of Windows errors?
Errors, which indicate a significant problem; warnings, which may indicate future problems; information, which describes successful operation; success audits, which record successful security accesses; and failure audits, which record failed security access attempts.
What type of diagram used in application threat modeling includes malicious users as well as descriptions like mitigates and threatens?
Misuse case diagrams use language beyond typical use case diagrams, including threatens and mitigates. Threat trees are used to map threats but don't use specialized languages like threatens and mitigates. STRIDE is a mnemonic and model used in threat modeling, and DREAD is a risk assessment model.
What are the seven principles for the EU-U.S. Privacy Shield Framework?
accountability for onward transfer,
data integrity and purpose limitation,
What is SPML?
Service Provisioning Markup Language (SPML) is used to provision users, resources, and services, not for authentication and authorization.
What is SAML?
Security Assertion Markup Language (SAML) is frequently used to integrate cloud services and provides the ability to make authentication and authorization assertions.
NIST 800-39 four steps
frame risk, assess risk, respond to risk, monitor risk
What term best describes an attack that relies on stolen or falsified authentication credentials to bypass an authentication mechanism?
Masquerading (or impersonation) attacks use stolen or falsified credentials to bypass authentication mechanisms. Spoofing attacks rely on falsifying an identity like an IP address or hostname without credentials. Replay attacks are a more specific type of masquerading attack that relies on captured network traffic to reestablish authorized connections. Modification attacks occur when captured packets are modified and replayed to a system to attempt to perform an action.
Which of the following statements about SSAE-18 is not true?
SSAE-18 does not assert specific controls. Instead, it reviews the use and application of controls in an audited organization. It is an attestation standard, used for external audits, and forms part of the underlying framework for SOC 1, 2, and 3 reports.
What markup language uses the concepts of a Requesting Authority, a Provisioning Service Point, and a Provisioning Service Target to handle its core functionality?
Service Provisioning Markup Language (SPML) uses Requesting Authorities to issue SPML requests to a Provisioning Service Point. Provisioning Service Targets are often user accounts and must allow unique identification of the data in the implementation. SAML is used for security assertions, SAMPL is an algebraic modeling language, and XACML is an access control markup language used to describe and process access control policies in an XML format.
What is the work breakdown structure?
The work breakdown structure (WBS) is an important project management tool that divides the work done for a large project into smaller components.
What are the common types of structural coverage in a code review process?
Common types of structural coverage include statement, branch or decision coverage, loop coverage, path coverage, and data flow coverage.
What does XST allow an attacker to do?
Cross-site tracing (XST) leverages the HTTP TRACE or TRACK methods and could be used to steal a user's cookies via cross-site scripting (XSS).
What are the steps in the cyber kill chain?
reconnaissance, weaponization, delivery, exploitation, installation, command and control (C&C), actions on the objective
When Susan requests a SOC2 report, she receives a SAS70 report. What issue should Susan raise?
SAS 70 was superseded in 2010 by the SSAE 16 standard with three SOC levels for reporting. SAS 70 included Type 2 reports, covered data centers, and used 6-month testing periods for Type 2 reports.
Which technique can an attacker use to exploit a TOC/TOU vulnerability?
Attackers may use algorithmic complexity as a tool to exploit a TOC/TOU race condition. By varying the workload on the CPU, attackers may exploit the amount of time required to process requests and use that variance to effectively schedule the exploit's execution. File locking, exception handling, and concurrency controls are all methods used to defend against TOC/TOU attacks.
Which one of the following computing models allows the execution of multiple processes on a single processor by having the operating system switch between them without requiring modification to the applications?
Multitasking handles multiple processes on a single processor by switching between them using the operating system. Multiprocessing uses multiple processors to perform multiple processes simultaneously. Multiprogramming requires modifications to the underlying applications. Multithreading runs multiple threads within a single process.
As part of hiring a new employee, Kathleen's identity management team creates a new user object and ensures that the user object is available in the directories and systems where it is needed. What is this process called?
Provisioning includes the creation, maintenance, and removal of user objects from applications, systems, and directories. Registration occurs when users are enrolled in a biometric system; population and authenticator loading are not common industry terms.
How long are patents valid?
How long are copyrights valid?
70 years after the death of the author or 75 years if copyrighted by a company
How long are trademarks valid?
In the United States, trademarks are granted for an initial period of 10 years and can be renewed for unlimited successive 10-year periods.
Fred's organization needs to use a non-IP protocol on their VPN. Which of the common VPN protocols should he select to natively handle non-IP protocols?
L2TP is the only one of the four common VPN protocols that can natively support non-IP protocols. PPTP, L2F, and IPsec are all IP-only protocols.
Which ITU-T standard should Alex expect to see in use when he uses his smart card to provide a certificate to an upstream authentication service?
X.509 defines standards for public key certificates like those used with many smart cards. X.500 is a series of standards defining directory services. The Service Provisioning Markup Language (SPML) and the Security Assertion Markup Language (SAML) aren't standards that Alex should expect to see when using a smart card to authenticate.
The type of access granted to an object and the actions that you can take on or with the object are examples of what?
While the differences between rights, permissions, and roles can be confusing, typically permissions include both the access and actions that you can take on an object. Rights usually refer to the ability to take action on an object, and don't include the access to it. Privileges combine rights and permissions, and roles describe sets of privileges based on job tasks or other organizational artifacts.
What is the ECPA?
The Electronic Communications Privacy Act (ECPA) makes it a crime to invade the electronic privacy of an individual. It prohibits the unauthorized monitoring of email and voicemail communications.
What are the three categories of data destruction?
The three categories of data destruction are clear (overwriting with nonsensitive data), purge (removing all data), and destroy (physical destruction of the media).
Fred finds a packet that his protocol analyzer shows with both PSH and URG set. What type of packet is he looking at, and what do the flags mean?
PSH is a TCP flag used to clear the buffer, resulting in immediately sending data, and URG is the TCP urgent flag. These flags are not present in UDP headers.
What are the five COBIT principles?
Meeting stakeholder needs,
covering the enterprise end-to-end,
applying a single integrated framework,
enabling a holistic approach,
separating governance from management
What are the NIST Special Publication 800-53A four types of objects?
Specifications are document-based artifacts like policies or designs. Activities are actions that support an information system that involves people. Mechanisms are the hardware-, software-, or firmware-based controls or systems in an information system, and an individual is one or more people applying specifications, mechanisms, or activities.
What is the difference between due diligence and due care?
The due care principle states that an individual should react in a situation using the same level of care that would be expected from any reasonable person. It is a very broad standard. The due diligence principle is a more specific component of due care that states an individual assigned a responsibility should exercise due care to complete it accurately and in a timely manner.
What LDAP operation includes authentication to the LDAP server?
The LDAP bind operation authenticates and specifies the LDAP protocol version. Auth, StartLDAP, and AuthDN operations do not exist in the LDAP protocol.
What is another term for active monitoring?
Active monitoring is also known as synthetic monitoring and relies on prerecorded or generated traffic to test systems for performance and other issues. Passive monitoring uses span ports, network taps, or similar technologies to capture actual traffic for analysis. Reactive monitoring is not a commonly used industry term.
What are the NIST Special Publication 800-53, revision 4, two measures of assurance?
NIST Special Publication 800-53 describes depth and coverage. Depth is the level of detail, rigor, and formality of artifacts produced during design and development. Coverage is the breadth and scope of the assessment conducted. If you encounter a question like this and are not familiar with the details of a standard like NIST 800-53, or may not remember them, focus on the meanings of each word and the details of the question. We can easily rule out affirmation, which isn't a measure. Suitability is a possibility, but depth fits better than suitability or coverage.
Uptown Records Management recently entered into a contract with a hospital for the secure storage of medical records. The hospital is a HIPAA-covered entity. What type of agreement must the two organizations sign to remain compliant with HIPAA?
HIPAA requires that anyone working with personal health information on behalf of a HIPAA-covered entity be subject to the terms of a business associates agreement (BAA).
What is common mode noise?
Common mode noise is generated by a difference in power between the hot and ground wires of a power source or operating electrical equipment.
What is traverse mode noise?
Traverse mode noise is generated by a difference in power between the hot and neutral wires of a power source or operating electrical equipment.
What are the only procedures that are allowed to modify a constrained data item (CDI) in the Clark-Wilson model?
Transformation procedures (TPs) are the only procedures that are allowed to modify a CDI. The limited access to CDIs through TPs forms the backbone of the Clark-Wilson integrity model.
The Clark-Wilson access model is also called a(n) ___________________ interface model.
The Clark-Wilson model can also be described as a restricted interface model because it uses classification-based restrictions to offer subject-specific functions and information. Subjects at one classification level will see a specific set of data and obtain access to a related set of functions, while another subject at a different classification level will see a different dataset and obtain access to a different set of functions.
What strategy basically consists of multiple layers of antivirus, malware, and spyware protection distributed throughout a given network environment?
A concentric circle security model comprises several mutually independent security applications, processes, or services that operate toward a single common goal.
ISO/IEC 27031:2011 is a set of guidelines for information and communications technology readiness for business continuity. This ISO/IEC standard is a component of the overall ISO/IEC 27000 series.
The ISO/IEC 27799 is a guideline for information security management in health organizations. It deals with how organizations that store and process sensitive medical information should protect it.
Which security mode do high-speed applications, such as IPsec and ATM, use?
What key exchange does S-RPC use?
Secure RPC (S-RPC) employs Diffie-Hellman for key exchange.
Addresses the 7-layer OSI model
In what attack can a user on one VLAN connect to another unauthorized VLAN via Dynamic Trunking Protocol (DTP) link?
802.1Q and Inter-Switch Link Protocol (ISL) Tagging Attack
NIST SP 800-192
Written to address access control systems
NIST SP 800-53
Addresses controls related to US federal systems
Which biometric reader has the most rapid authentication?
What are proper considerations to make when selecting a testing method?
attack surface and application type
Code-based testing is also known as _____
In which cellular service is each call encoded with a unique key?
Code Division Multiple Access (CDMA)
In which cellular service is each call transformed into digital data that is given a channel and a time slot?
Global System for Mobiles (GSM)
What is the purpose of the Capability Maturity Model Integration for Development (CMMI-DEV)?
CMMI-DEV helps organizations improve their development and maintenance processes for both products and services.
One of the most significant differences between the software development lifecycle (SDLC) and the system lifecycle (SLC) is that the SDLC does not include which phases?
Post-development operation and maintenance
Building security into the application begins at the
project initiation phase
What does ElGamal provide that DH does not?
What are the two types of statistical analysis for cryptanalysis?
linear and differential cryptanalysis
What are IEEE 802.11x, 802.15, 802.16?
Wi-Fi, Bluetooth, WiMAX
What OSI layers does MPLS operate on?
2 and 3
What are the OSI layers for VLANs and subnets?
VLANs work like subnets, but keep in mind that they are not actual subnets. VLANs are created by switches at layer 2. Subnets are created by IP address and subnet mask assignments at layer 3.
What are the three layers of SDN, from top to bottom?
application/management, control, data/raw/forwarding/infrastructure
At what plane can you locate routers and switches in a SDN?
What SDN planes is the user in charge of? The ISP/cloud provider?
You: application/management and control;
ISP/cloud provider: control and data/raw/forwarding/infrastructure
What is the correct order of the asset lifecycle phases?
create, store, use, share, archive, destroy
What are the three valid data states?
data in motion, data at rest, data in use
What is the purpose of the Organisation for Economic Co-operation and Development (OECD)?
An international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy
What are the three roles within Security Assertion Markup Language (SAML)?
Name two roles related to Open Authorization (OAuth).
authorization server, resource server
What is the difference between a Type I and Type II SOC report?
Type I is concerned with control design; Type II is concerned with control effectiveness.
The Software Engineering Institute's Capability Maturity Model (CMM) Integration focuses on:
Programmed procedures which ensure that valid transactions are processed accurately are referred to as:
What are the two primary components of CDNs?
origin servers and edge servers
What is the difference between data mining and data warehousing?
Data warehousing is a valuable tool that brings together several databases and compiles the different data into one data warehouse. The data can then be analyzed in different ways, which is called data mining.