additional cards Flashcards
Credential Service Provider levels, what each level means, what each level provides in terms of confidence
Identity Assurance Level 1 (IAL1) – self assertion, lowest
Identity Assurance Level 2 (IAL2) – proof is required, medium
Identity Assurance Level 3 (IAL3) – requires in-person verification, highest
AAL1 – provides some confidence. …
AAL2 – provides high confidence. …
AAL3 – provides very high confidence.
HAVAL, invented by 3 people, when
HAVAL was invented by Yuliang Zheng, Josef Pieprzyk, and Jennifer Seberry in 1992.
4th amendment
search and seizure
CVSS scoring, numbers for low, medium, high and critical
CVSS Score Qualitative Rating
0.1 – 3.9 Low
4.0 – 6.9 Medium
7.0 – 8.9 High
9.0 – 10.0 Critical
shimmer attack
aka skimmer, credit card reader device that collects credit card information
most common cause of false positives
improper configuration
enumerate RAM with speed and integrity
static vs dynamic
Static RAM (SRAM),
doesn’t need to refresh and is typically faster, 10 ns, 100x more expensive, used in consumer electronics, CPUs, HD cache, network cache, scientific devices, automotive devices, keeps memory after power is gone, uses less power, lower capacity, longer data life, lower density, uses transistors, each memory cell stores 1 bit
Dynamic RAM (DRAM)
Synchronous Dynamic RAM (SDRAM)
Single Data Rate Synchronous Dynamic RAM (SDR SDRAM)
Double Data Rate Synchronous Dynamic RAM (DDR SDRAM, DDR2, DDR3, DDR4)
normal RAM for computers, slower, uses capacitors, requires power on for memory to be preserved, volatile and requires refreshing, larger capacity, more power, shorter data life, higher density
main security control of secure password
complexity
when deciding on open vs closed source software what is primary concern
potential for misuse of the software by malicious actors
most important factor to consider when implementing new security protocol
level of security provided
FIRST step that should be taken to address tampering of a company’s critical systems
disconnect affected systems to prevent further damage
What is the difference between a risk assessment and a threat assessment
A risk assessment is a proactive measure that identifies potential vulnerabilities and the risks associated with them,
threat assessment is a process that identifies and analyzes the current threats to an organization.
For an effective risk assessment, which activity would be most critical
accurate identification and cataloging of all assets
Who would decide our organization’s risk appetite?
Risk Management Team
database integrity errors, 4 types
RUDE
Referential integrity - the logical dependency of a foreign key on a primary key
User-defined integrity - acts as a way to catch errors which domain, referential and entity integrity do not
Domain integrity - series of processes that guarantee the accuracy of pieces of data within a domain
Entity integrity - each row of a table has a unique and non-null primary key value
the MOST effective measure for physical security
Implementing strict access control policies
the MOST commonly used logical addressing scheme
IP address
the PRIMARY benefit of virtualization
Increased flexibility
the BEST way to ensure privacy in online transactions
using a VPN
an attacker is using a digraph attack, what is the attacker looking for
A specific pattern in the system’s password structure
the LEAST essential step in the data lifecycle management process
data backup
When considering a transition to SESAME, what should be your primary concern
resistance to change because Kerberos is native to most OSes
the PRIMARY indicator that a cryptographic failure has occurred
the appearance of unusual error messages during communication sessions
fastest way to securely access cloud data
A private connection over a dedicated line
the most important thing to consider when planning for data portability when moving data for a merger
Conducting a thorough data audit to identify any potential vulnerabilities
the MOST important requirement for companies to adhere to in order to comply with the EU-US Privacy Shield framework
Providing individuals with clear and concise privacy notices
the difference between a root certificate and a self-signed certificate
A root certificate is used to sign other certificates, while a self-signed certificate is used to secure a single website
chaos engineering
aka fault injection, or engineering to protect from fault injection
data uptime tiers
Tier, name, uptime per year, downtime per year
Tier I, Basic Capacity, 99.671%, <28.8 hours
Tier II, Redundant Capacity Components, 99.741%, <22 hours
Tier III, Concurrently Maintainable, 99.982%, <1.6 hours
Tier IV, Fault Tolerant, 99.995%, <26.3 minutes
BEST indicator to use for monitoring key risk areas in an organization
most comprehensive security policy in place
PRIMARY indicator of a successful information repository
comprehensive data coverage
HIGHEST level of risk for an organization
Reputational damage
key differences between a security risk assessment and a security threat assessment
primary focus of security risk assessment - the vulnerabilities
primary focus of threat assessment - the likelihood
A security risk assessment focuses on vulnerabilities and potential impact, while a security threat assessment focuses on likelihood and potential impact
A security risk assessment is a process that involves identifying, evaluating, and prioritizing potential vulnerabilities (i.e., weaknesses that could be exploited) in a system. This is done to gauge the potential impact these vulnerabilities could have if they were exploited.
On the other hand, a security threat assessment focuses on evaluating the likelihood of threats (i.e., potential sources of harm) and the potential impact they could have if they materialized. While both types of assessments consider potential impacts, they differ in their primary focuses: vulnerabilities (for risk assessments) versus threat likelihood (for threat assessments).
FIRST step in implementing a pseudorandom number generator?
Selecting the algorithm to use
MOST effective physical perimeter security control
Security guards
MOST effective way to prevent man-in-the-middle attacks in an IPsec implementation
Digital certificates for authentication
zero-day vulnerability
a security flaw in a software or system that is unknown to the software developer or manufacturer and is being exploited by malicious actors before the developer has a chance to create and distribute a patch
LEAST effective method for identifying individuals in a network
Knowledge-based authentication
the MOST common type of false positive in security systems?
Misinterpreted user behavior
most effective in reducing the attack surface of the company’s network
Conducting regular security assessments and patching vulnerabilities
MOST common cause of security misconfigurations in web applications
Inadequate access controls
security framework was initially crafted by a government for domestic use but is now an international standard, which is a set of recommended best practices for optimization of IT services to support business growth, transformation, and change; which focuses on understanding how IT and security need to be integrated with and aligned to the objectives of an organization; and which is often used as a starting point for the crafting of a customized IT security solution within an established infrastructure
ITIL
due diligence vs due care
Due diligence is establishing a plan, policy, and process to protect the interests of an organization.
Due care is practicing the individual activities that maintain the security effort.
The possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset and the severity of damage that could result.
Risk
Being susceptible to asset loss because of a threat; there is the possibility that a vulnerability can or will be exploited.
Exposure
phase of the RMF that focuses on determining whether to authorize system or common controls, based on a determination that the risk to organizational operations and assets, individuals, other organizations, and the nation is reasonable
Authorize
BIS, what is it, what does it do in regards to data security
The Bureau of Industry and Security within the Department of Commerce sets regulations on the export of encryption products outside of the United States.
COPPA, cut off age
Federal Law - The Children’s Online Privacy Protection Act (COPPA) provides severe penalties for companies that collect information from young children without parental consent. COPPA states that this consent must be obtained from the parents of children younger than the age of 13 before any information is collected (other than basic information required to obtain that consent).
Term of a Patent
U.S. patent law provides for an exclusivity period of 20 years beginning at the time a utility patent application is submitted to the Patent and Trademark Office.
Confusion occurs when
the relationship between the plaintext and the key is so complicated that an attacker can’t merely continue altering the plaintext and analyzing the resulting ciphertext to determine the key
Diffusion occurs when
a change in the plaintext results in multiple changes spread throughout the ciphertext
security model has a feature that in theory has one name or label but, when implemented into a solution, takes on the name or label of the security kernel
Trusted Computing Base
security models built on machine state
Bell LaPadula
Biba
implied meaning of a property of a security model
the opposite of the property, e.g. no read down means read up
RTOS
Real Time Operating System, used for embedded devices, minimize latency and delay, storing code in ROM, and optimizing for mission-critical operations
goals of NAC (6)
I CRUZE
use Identities to perform access control
confirm Compliance
detect/block Rogue devices,
Updates and security settings,
prevent or reduce Zero-day attacks,
Enforce security policy throughout the network
RFC 1087
Ethical use of the internet
referenced specific abuses, i.e. any activity that:
(a) seeks to gain unauthorized access to the resources of the Internet,
(b) disrupts the intended use of the Internet,
(c) wastes resources (people, capacity, computer) through such actions,
(d) destroys the integrity of computer-based information, and/or
(e) compromises the privacy of users.
Configuration control (change management) ensures that changes to software … are made in accordance with the … and … management …
ensures that changes to software versions are made in accordance with the change and configuration management policies
Boyce–Codd
normal form (or BCNF or 3.5NF) is a normal form used in database normalization. It is a slightly stronger version of the third normal form (3NF).
MDR, what does it mean, combines … capabilities with a … service that reduces the … on the IT team
managed detection and response (MDR) combines antimalware capabilities with a managed service that reduces the burden on the IT team
escaping meta characters, how is it done, prevents what type of attacks
To match the metacharacters literally, i.e. to remove their special meaning, prefix those characters with a \ (backslash) character
used to prevent XSS attacks
Most important characteristic for IAM scheme.
Understandable, comprehensible
Best group for performing risk analysis.
Process owners
device metrics most indicative of DDoS
CPU and network utilization
greatest factor that will determine the size of the financial loss from a disaster
Side effects of disaster
what makes risk management most effective
new risk detection
highest impact feature of RIP
hold down timer
specifications are part of what phase of the SDLC
analysis
feasibility study is in what phase
project planning
downtime duration most important metric
RTO
most crucial aspect that your new recruits must comprehend
providing diligent and competent services
threat modeling performed in what phase of sdlc
design
if question doesn’t specifically say something about preventing errors or fraud it’s not … … … and is either … … … or … … security concepts
it’s not segregation of duties and is either need to know or least privilege
if question says something about access to information rather than referencing privileges
it’s need to know
four eyes rule
process or decision must be approved by at least two people, could be independently working
if question doesn’t reference reviewing logs
it’s accountability
most critical action of BIA
Prioritizing systems and components based on the Maximum Tolerable Downtime (MTD)
who to ask about success of incident handling
internal and external users
key characteristic of Clark Wilson model a set of … and … used to ensure the … and … of data
a set of rules and guidelines used to ensure the security and integrity of data
to correct referential integrity issue
Verify data accuracy and completeness
list of security administrator responsibilities (7)
DD STIC M
Defending systems against unauthorized access, modification and/or destruction
Developing and updating business continuity and disaster recovery protocols
Scanning and assessing the network for vulnerabilities
Training fellow employees in security awareness and procedures
Implementing network security policies, application security, access control and corporate data safeguards
Configuring and supporting security tools such as firewalls, anti-virus software and patch management systems
Monitoring network traffic for unusual activity
Best metric of IDS effectiveness
ratio of false positives to false negatives
capability table vs ACL
capability lists (table) show what a subject can access and how
while access control lists show who can access an object and how
common guest machine escape methods (3)
KVS
Using a Kernel vulnerability to gain root access to the host system
Leveraging a VM escape vulnerability in the hypervisor
Using a Software exploit to bypass security controls
Delegated Identity Management (DIM)
site is simply outsourcing its authentication needs to another pre-selected site
Due Care vs Due Diligence vs Prudent Person Rule
Due care: refers to the level of care that an individual would reasonably be expected to exercise in a particular situation
Due diligence: the investigative process conducted to assess a business transaction
Prudent Person Rule: a legal concept that typically applies to the management of another’s affairs, especially in a fiduciary capacity
order of acl’s
most specific to least specific, deny all at end
lines of defense
1st - typically composed of operational managers and staff who are directly responsible for maintaining control over the day-to-day business activities and processes
2nd - typically includes functions that oversee risk management and compliance with external regulations and internal policies
3rd - usually consists of internal audit functions
MOST important indicator of a lack of cloud security architecture and strategy
Unclear roles and responsibilities for security
HSM and answer for question regarding best encryption
probably the right answer, as it is more secure and provides an easy way to store keys
service in regard to domain url’s
probably the lowest level domain qualifier even if a sub domain of the main domain name is used, e.g. ftp.research.ibm.com
program library controls
can be used to enforce separation of duty
best metric to use to assess the results of the Information Security program
evaluating the percentage of control objectives achieved
PAT
must be used with NAT, can’t be used alone
Parkerian Hexad
Confidentiality
Availability
Integrity
Authenticity
Possession or control: a loss of control or possession of information, not involving the breach of confidentiality
Utility: usefulness
seeing a number of deficiencies in cryptographic algorithms
is an indication of a need to upgrade; this would be in the recommendations of a pen tester’s report
most direct way to ensure that security governance principles are shaping the organization’s strategic objectives
policy review process to ensure it matches with security governance principles
zero client
most modern way of using VDI as it reduces attack surface area, taking thin client one step further by also not having an o/s
how to prevent vlan hopping taking advantage of layer 2
restrict traffic between hosts within the same vlan
role based access in regards to differences in access needed for the same organizational roles
can’t subtract or add, need to create new roles for differences
identification of threats is done at what SDLC phase
requirements gathering
advanced threat intelligence services
worth the extra money
removing all errors from data sets
probably cost prohibitive
last step of installing WAPS
verify there are no rogue devices
increasing the capability of a firewall and the number of blocks in a firewall, and its effect on authorized connections
shouldn’t change the authorized connection amount
probability of call loss is expressed as (PSTN)
grade of service
highest level of security for critical business functions
comprehensive security measures
to check for multiple invalid codes
use an edit test
primary purpose of server clustering
allow multiple servers to share workload and improve performance
age of vulnerability
not a factor for cvss severity
first steps after driving mobile DR site to building
Move the network cables from the building’s wiring closet to the network device in the trailer
primary principle of scrum framework
empirical process control - Empirical process control is a way of managing work that is based on observation and experimentation. It is a core principle of scrum, and it is what allows scrum teams to be flexible and adaptive in the face of change. In common terms, empirical process control means learning by doing and making adjustments as needed.