additional cards Flashcards
NIST SP 800-63 (Credential Service Provider) assurance levels, what each level means, what confidence each level provides
Identity Assurance Level 1 (IAL1) – self-asserted attributes, no identity proofing, lowest
Identity Assurance Level 2 (IAL2) – identity proofing (remote or in-person) is required, medium
Identity Assurance Level 3 (IAL3) – requires in-person (or supervised remote) identity proofing, highest
AAL1 – provides some confidence; single-factor authentication is acceptable
AAL2 – provides high confidence; two distinct authentication factors are required
AAL3 – provides very high confidence; hardware-based authenticator with verifier-impersonation resistance
HAVAL, invented by whom (3 people) and when
HAVAL was invented by Yuliang Zheng, Josef Pieprzyk, and Jennifer Seberry in 1992.
4th amendment
search and seizure
CVSS scoring, numbers for none, low, medium, high and critical (v3.x qualitative severity scale)
CVSS Score    Qualitative Rating
0.0           None
0.1 – 3.9     Low
4.0 – 6.9     Medium
7.0 – 8.9     High
9.0 – 10.0    Critical
shimmer attack
a thinner variant of a skimmer: a paper-thin device inserted inside a chip (EMV) card reader slot that captures data from the chip as the card is read, whereas a classic skimmer is an overlay on the reader that copies the magnetic stripe
most common cause of false positives
improper configuration
enumerate RAM with speed and integrity
static vs dynamic
Static RAM (SRAM)
uses a flip-flop of about six transistors per bit, does not need refreshing, typically faster (around 10 ns or less), roughly 100x more expensive per bit, lower density and capacity, lower power at idle, holds data only while powered (still volatile), used for CPU caches, disk and network device caches, scientific and automotive devices
Dynamic RAM (DRAM)
Synchronous Dynamic RAM (SDRAM)
Single Data Rate Synchronous Dynamic RAM (SDR SDRAM)
Double Data Rate Synchronous Dynamic RAM (DDR SDRAM, DDR2, DDR3, DDR4)
normal main memory for computers; one transistor and one capacitor per bit, slower, the capacitor charge leaks so it must be refreshed continuously and is lost at power off (volatile), higher density and larger capacity, cheaper, uses more power under load
main security control of secure password
complexity
when deciding on open vs closed source software what is primary concern
potential for misuse of the software by malicious actors
most important factor to consider when implementing new security protocol
level of security provided
FIRST step that should be taken to address tampering of a company’s critical systems
disconnect affected systems to prevent further damage
What is the difference between a risk assessment and a threat assessment
A risk assessment is a proactive measure that identifies potential vulnerabilities and the risks associated with them,
threat assessment is a process that identifies and analyzes the current threats to an organization.
For an effective risk assessment, which activity would be most critical
accurate identification and cataloging of all assets
Who would decide our organization’s risk appetite?
Risk Management Team
database integrity errors, 4 types
RUDE
Referential integrity - the logical dependency of a foreign key on a primary key
User-defined integrity - acts as a way to catch errors which domain, referential and entity integrity do not
Domain integrity - series of processes that guarantee the accuracy of pieces of data within a domain
Entity integrity - each row of a table has a unique and non-null primary key value
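As an added example (not part of these cards), the SQLite schema below, driven from Python's standard library, expresses each of the four RUDE integrity types as a database constraint and then probes each one with a violating statement to show which layer rejects it. The customer/orders tables and the rows in them are constructed for illustration.

```python
import sqlite3


def build_schema(conn: sqlite3.Connection) -> None:
    """Constructed orders schema showing the four RUDE integrity types."""
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when asked
    conn.executescript(
        """
        -- Entity integrity: every row has a unique, non-null primary key.
        CREATE TABLE customer (
            id    INTEGER PRIMARY KEY,
            email TEXT NOT NULL UNIQUE
        );
        CREATE TABLE orders (
            id          INTEGER PRIMARY KEY,
            customer_id INTEGER NOT NULL,
            -- Domain integrity: values must come from the permitted domain.
            status      TEXT NOT NULL CHECK (status IN ('new', 'paid', 'shipped')),
            amount      INTEGER NOT NULL CHECK (amount >= 0),
            -- Referential integrity: the foreign key must point at an existing
            -- customer, and a customer that still has orders cannot be deleted.
            FOREIGN KEY (customer_id) REFERENCES customer(id) ON DELETE RESTRICT
        );
        -- User-defined integrity: a business rule none of the above can express.
        CREATE TRIGGER no_ship_unpaid
        BEFORE UPDATE OF status ON orders
        WHEN NEW.status = 'shipped' AND OLD.status <> 'paid'
        BEGIN
            SELECT RAISE(ABORT, 'user-defined integrity: cannot ship an unpaid order');
        END;
        """
    )


def violates(conn: sqlite3.Connection, sql: str) -> bool:
    """True if the statement is rejected by an integrity constraint."""
    try:
        conn.execute(sql)
        return False
    except sqlite3.IntegrityError:
        return True


def run_integrity_checks() -> dict:
    """Seed one customer and one order, then try to break each integrity type."""
    conn = sqlite3.connect(":memory:")
    build_schema(conn)
    conn.execute("INSERT INTO customer (id, email) VALUES (1, 'a@example.com')")
    conn.execute("INSERT INTO orders (id, customer_id, status, amount) VALUES (10, 1, 'new', 500)")
    return {
        # duplicate primary key
        "entity": violates(conn, "INSERT INTO customer (id, email) VALUES (1, 'b@example.com')"),
        # foreign key to a customer that does not exist
        "referential": violates(conn, "INSERT INTO orders (id, customer_id, status, amount) VALUES (11, 99, 'new', 1)"),
        # deleting a parent row that is still referenced
        "referential_delete": violates(conn, "DELETE FROM customer WHERE id = 1"),
        # status outside the allowed set
        "domain": violates(conn, "INSERT INTO orders (id, customer_id, status, amount) VALUES (12, 1, 'lost', 1)"),
        # business rule enforced by the trigger
        "user_defined": violates(conn, "UPDATE orders SET status = 'shipped' WHERE id = 10"),
        # a legitimate transition is allowed through
        "valid": violates(conn, "UPDATE orders SET status = 'paid' WHERE id = 10"),
    }


if __name__ == "__main__":
    for check, rejected in run_integrity_checks().items():
        print(f"{check:20s} rejected={rejected}")
```

The RESTRICT foreign key is the piece that matters for the "correct a referential integrity issue" card later in this set: with it on, orphan rows cannot be created in the first place, so the remaining work is verifying the accuracy and completeness of the data that is already there.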
the MOST effective measure for physical security
Implementing strict access control policies
the MOST commonly used logical addressing scheme
IP address
the PRIMARY benefit of virtualization
Increased flexibility
the BEST way to ensure privacy in online transactions
using vpn
an attacker is using a digraph attack, what is the attacker looking for
A specific pattern in the system’s password structure
the LEAST essential step in the data lifecycle management process
data backup
When considering a transition to SESAME, what should be your primary concern
resistance to change because kerberos is native to most o/s’s
the PRIMARY indicator that a cryptographic failure has occurred
the appearance of unusual error messages during communication sessions
fastest way to securely access cloud data
A private connection over a dedicated line
the most important thing to consider when planning for data portability when moving data for a merger
Conducting a thorough data audit to identify any potential vulnerabilities
the MOST important requirement for companies to adhere to in order to comply with the EU-US Privacy Shield framework (invalidated by the CJEU in July 2020; superseded by the EU-US Data Privacy Framework in 2023)
Providing individuals with clear and concise privacy notices
the difference between a root certificate and a self-signed certificate
A root CA certificate is itself self-signed (issuer equals subject) but carries CA:TRUE, is distributed out of band as a trust anchor, and is used to sign other certificates; an ordinary self-signed certificate is a leaf a server issues for itself, is not trusted by default, and is used to secure a single endpoint
chaos engineering
deliberately injecting faults (killed processes, added latency, failed dependencies) into a running system to verify it degrades gracefully; related to fault injection, and a way of engineering resilience against the faults an attacker might inject
data center uptime tiers (Uptime Institute)
Tier                                  Uptime per year   Downtime per year
Tier I   Basic Capacity               99.671%           < 28.8 hours
Tier II  Redundant Capacity Components 99.741%          < 22 hours
Tier III Concurrently Maintainable    99.982%           < 1.6 hours
Tier IV  Fault Tolerant               99.995%           < 26.3 minutes
BEST indicator to use for monitoring key risk areas in an organization
most comprehensive security policy in place
PRIMARY indicator of a successful information repository
comprehensive data coverage
HIGHEST level of risk for an organization
Reputational damage
key differences between a security risk assessment and a security threat assessment
primary focus of security risk assessment - the vulnerabilities
primary focus of threat assessment - the likelihood
A security risk assessment focuses on vulnerabilities and potential impact, while a security threat assessment focuses on likelihood and potential impact
A security risk assessment is a process that involves identifying, evaluating, and prioritizing potential vulnerabilities (i.e., weaknesses that could be exploited) in a system. This is done to gauge the potential impact these vulnerabilities could have if they were exploited.
On the other hand, a security threat assessment focuses on evaluating the likelihood of threats (i.e., potential sources of harm) and the potential impact they could have if they materialized. While both types of assessments consider potential impacts, they differ in their primary focuses: vulnerabilities (for risk assessments) versus threat likelihood (for threat assessments).
FIRST step in implementing a pseudorandom number generator?
Selecting the algorithm to use
MOST effective physical perimeter security control
Security guards
MOST effective way to prevent man-in-the-middle attacks in an IPsec implementation
Digital certificates for authentication
zero-day vulnerability
a security flaw in a software or system that is unknown to the software developer or manufacturer and is being exploited by malicious actors before the developer has a chance to create and distribute a patch
LEAST effective method for identifying individuals in a network
Knowledge-based authentication
the MOST common type of false positive in security systems?
Misinterpreted user behavior
most effective in reducing the attack surface of the company’s network
Conducting regular security assessments and patching vulnerabilities
MOST common cause of security misconfigurations in web applications
Inadequate access controls
security framework was initially crafted by a government for domestic use but is now an international standard, which is a set of recommended best practices for optimization of IT services to support business growth, transformation, and change; which focuses on understanding how IT and security need to be integrated with and aligned to the objectives of an organization; and which is often used as a starting point for the crafting of a customized IT security solution within an established infrastructure
ITIL
due diligence vs due care
Due diligence is establishing a plan, policy, and process to protect the interests of an organization.
Due care is practicing the individual activities that maintain the security effort.
The possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset and the severity of damage that could result.
Risk
Being susceptible to asset loss because of a threat; there is the possibility that a vulnerability can or will be exploited.
Exposure
phase of the RMF in which a senior official decides whether the risk to organizational operations and assets, individuals, other organizations, and the nation from operating the system (or using common controls) is acceptable
Authorize
BIS, what is it, what does it do in regards to data security
The Bureau of Industry and Security within the Department of Commerce sets regulations on the export of encryption products outside of the United States.
COPPA, cut off age
Federal Law - The Children’s Online Privacy Protection Act (COPPA) provides severe penalties for companies that collect information from young children without parental consent. COPPA states that this consent must be obtained from the parents of children younger than the age of 13 before any information is collected (other than basic information required to obtain that consent).
Term of a Patent
U.S. patent law provides for an exclusivity period of 20 years beginning at the time a utility patent application is submitted to the Patent and Trademark Office.
Confusion occurs when
the relationship between the plaintext and the key is so complicated that an attacker can’t merely continue altering the plaintext and analyzing the resulting ciphertext to determine the key
Diffusion occurs when
a change in the plaintext results in multiple changes spread throughout the ciphertext
security model has a feature that in theory has one name or label but, when implemented into a solution, takes on the name or label of the security kernel
Trusted Computing Base
security models built on machine state
Bell LaPadula
Biba
implied meaning of a property of a security model
the direction that is not forbidden is permitted, e.g. Biba's "no read down" implies reading up is allowed, and Bell-LaPadula's "no read up" implies reading down is allowed
RTOS
Real Time Operating System, used for embedded devices, minimize latency and delay, storing code in ROM, and optimizing for mission-critical operations
goals of NAC (6)
I CRUZE
use Identities to perform access control
confirm Compliance
detect/block Rogue devices,
Updates and security settings,
prevent or reduce Zero-day attacks,
Enforce security policy throughout the network
RFC 1087
Ethical use of the internet
referenced specific abuses:
(a) seeks to gain unauthorized access to the resources of the Internet, (b) disrupts the intended use of the Internet, (c) wastes resources (people, capacity, computer) through such actions, (d) destroys the integrity of computer-based information,
and/or
(e) compromises the privacy of users.
Configuration control (change management) ensures that changes to software … are made in accordance with the … and … management …
ensures that changes to software versions are made in accordance with the change and configuration management policies
Boyce–Codd
normal form (or BCNF or 3.5NF) is a normal form used in database normalization. It is a slightly stronger version of the third normal form (3NF).
MDR, what does it mean, combines … capabilities with a … service that reduces the … on the IT team
managed detection and response (MDR) combines antimalware capabilities with a managed service that reduces the burden on the IT team
escaping meta characters, how is it done, prevents what type of attacks
to make a metacharacter literal, remove its special meaning for the interpreter that will consume it: in regular expressions and shells by prefixing it with a \ (backslash), in HTML by encoding it as an entity (&lt; for <, &quot; for "), in SQL by using parameterized queries instead of string building
output encoding for the HTML/JavaScript context is what prevents XSS; a backslash alone does not, because HTML does not treat \ as an escape character
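As an added example (not from these cards), the standard-library Python below escapes the same attacker-controlled string for four different consumers. The point is that the escaping rule is a property of the interpreter that will read the output, so the XSS case uses entity encoding while the regex and shell cases use backslash or quoting. The user-supplied strings are constructed payloads.

```python
import html
import json
import re
import shlex


def escape_for_html_body(value: str) -> str:
    """HTML body or attribute context: entity-encode & < > " ' so the browser
    shows them as text instead of parsing them as markup."""
    return html.escape(value, quote=True)


def escape_for_js_string(value: str) -> str:
    """Inside a JavaScript string literal in a <script> block: JSON-encode the
    value and neutralise '</' so it cannot close the script element early.
    Returns the complete quoted literal."""
    return json.dumps(value).replace("</", "<\\/")


def escape_for_regex(value: str) -> str:
    """Regex context: backslash-escape metacharacters so '.' means a dot."""
    return re.escape(value)


def escape_for_shell(value: str) -> str:
    """POSIX shell context: single-quote the argument so ; | $ etc. are literal."""
    return shlex.quote(value)


def render_greeting(name: str) -> str:
    """Template-style rendering: the untrusted name is encoded for the HTML body."""
    return f"<p>Hello, {escape_for_html_body(name)}</p>"


def render_script_var(name: str) -> str:
    """Same data dropped into a script block needs the JavaScript-string rule instead."""
    return f"<script>var user = {escape_for_js_string(name)};</script>"


def regex_matches_literally(needle: str, haystack: str) -> bool:
    """Search for user-supplied text as a literal, not as a pattern."""
    return re.search(escape_for_regex(needle), haystack) is not None


def backslash_does_not_neutralise_html(payload: str) -> bool:
    """Demonstrates the caveat: prefixing '<' with a backslash leaves the tag intact."""
    escaped_wrongly = payload.replace("<", "\\<")
    return "<script>" in escaped_wrongly


if __name__ == "__main__":
    payload = "<script>alert(1)</script>"  # constructed XSS probe
    print(render_greeting(payload))
    print(render_script_var("</script><script>x()"))
    print(escape_for_shell("foo; rm -rf /"))
    print(backslash_does_not_neutralise_html(payload))
```

For SQL the analogous rule is not an escaping function at all but a parameterized query, which is why it is handled by the database driver rather than by string manipulation.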
Most important characteristic for IAM scheme.
Understandable, comprehensible
Best group for performing risk analysis.
Process owners
device metrics most indicative of DDOS
cpu and network utilization
greatest factor that will determine the size of the financial loss from a disaster
Side effects of disaster
what makes risk management most effective
new risk detection
highest impact feature of RIP
hold down timer
specifications is part of what phase in SDLC
analysis
feasibility study is in what phase
project planning
downtime duration most important metric
RTO
most crucial aspect that your new recruits must comprehend
providing diligent and competent services
threat modeling performed in what phase of sdlc
design
if question doesn’t specifically say something about preventing errors or fraud it’s not … … … and is either … … … or … … security concepts
it’s not segregation of duties and is either need to know or least privilege
if question says something about access to information rather than referencing privileges
it’s need to know
four eyes rule
process or decision must be approved by at least two people, could be independently working
if question doesn’t reference reviewing logs
it’s accountability
most critical action of BIA
Prioritizing systems and components based on the Maximum Tolerable Downtime (MTD)
who to ask about success of incident handling
internal and external users
key characteristic of Clark Wilson model a set of … and … used to ensure the … and … of data
a set of rules and guidelines used to ensure the security and integrity of data
to correct referential integrity issue
Verify data accuracy and completeness
list of security administrator responsibilities (7)
DD STIC M
Defending systems against unauthorized access, modification and/or destruction
Developing and updating business continuity and disaster recovery protocols
Scanning and assessing the network for vulnerabilities
Training fellow employees in security awareness and procedures
Implementing network security policies, application security, access control and corporate data safeguards
Configuring and supporting security tools such as firewalls, anti-virus software and patch management systems
Monitoring network traffic for unusual activity
Best metric of IDS effectiveness
ratio of false positives to false negatives
capability table vs ACL
capability lists (table) show what a subject can access and how
while access control lists show who can access an object and how
common guest machine escape methods (3)
KVS
Using a Kernel vulnerability to gain root access to the host system
Leveraging a VM escape vulnerability in the hypervisor
Using a Software exploit to bypass security controls
Delegated Identity Management (DIM)
site is simply outsourcing its authentication needs to another pre-selected site
Due Care vs Due Diligence vs Prudent Person Rule
Due care: refers to the level of care that an individual would reasonably be expected to exercise in a particular situation
Due diligence: the investigative process conducted to assess a business transaction
Prudent Person Rule: a legal concept that typically applies to the management of another’s affairs, especially in a fiduciary capacity
order of acl’s
most specific to least specific, deny all at end
lines of defense
1st - typically composed of operational managers and staff who are directly responsible for maintaining control over the day-to-day business activities and processes
2nd - typically includes functions that oversee risk management and compliance with external regulations and internal policies
3rd - usually consists of internal audit functions
MOST important indicator of a lack of cloud security architecture and strategy
Unclear roles and responsibilities for security
HSM and the answer for a question regarding best encryption
probably the right answer, as it is more secure: it provides tamper-resistant storage for keys so they are never exposed to the host
service in regard to domain URLs
probably the lowest-level (leftmost) label even when a subdomain of the main domain is used, e.g. "ftp" in ftp.research.ibm.com
program library controls
can be used to enforce separation of duty
best metric to use to assess the results of the Information Security program
evaluating the percentage of control objectives achieved
PAT
port address translation is a form of NAT (also called NAPT or overloading) that translates ports as well as addresses; it is used together with NAT, not on its own
Parkerian Hexad
Confidentiality
Availability
Integrity
Authenticity
Possession or control: a loss of control or possession of information, not involving the breach of confidentiality
Utility: usefulness
seeing a number of deficiencies in cryptographic algorithms
is an indication of a need to upgrade; this would appear in the recommendations section of a pen tester's report
most direct way to ensure that security governance principles are shaping the organization’s strategic objectives
policy review process to ensure it matches with security governance principles
zero client
most modern way of using VDI as it reduces attack surface area, taking thin client one step further by also not having an o/s
how to prevent VLAN hopping that takes advantage of layer 2
disable automatic trunk negotiation (DTP) on access ports, use a dedicated native VLAN on trunks and avoid VLAN 1, and restrict traffic between hosts within the same VLAN (private VLANs)
role based access in regards to differences in access needed for the same organizational roles
can’t subtract or add, need to create new roles for differences
identification of threats is done at what SDLC phase
requirements gathering
advanced threat intelligence services
worth the extra money
removing all errors from data sets
probably cost prohibitive
last step of installing WAPs (wireless access points)
verify there are no rogue devices
increasing the number of rules and blocked connections on a firewall, effect on authorized connections
should not change the number of authorized connections; only unauthorized traffic is affected
probability of call loss is expressed as (PSTN)
grade of service
highest level of security for critical business functions
comprehensive security measures
to check for multiple invalid codes
use an edit test
primary purpose of server clustering
allow multiple servers to share workload and improve performance and availability
age of vulnerability
not a factor for cvss severity
first steps after driving mobile DR site to building
Move the network cables from the building’s wiring closet to the network device in the trailer
primary principle of scrum framework
empirical process control - Empirical process control is a way of managing work that is based on observation and experimentation. It is a core principle of scrum, and it is what allows scrum teams to be flexible and adaptive in the face of change. In common terms, empirical process control means learning by doing and making adjustments as needed.
parallel configuration of security controls
If security controls were implemented in parallel, a threat could pass through a single checkpoint that did not address its particular malicious activity. Serial configurations are very narrow but very deep, whereas parallel configurations are very wide but very shallow
in ipsec, what ip protocol is responsible for detecting integrity problems during transmission
Authentication Header (AH) / #51
IPv6 and PAT
PAT is generally not needed: a single /64 prefix (the smallest normally allocated) provides 2^64, about 18 quintillion, addresses, so every host can have a globally unique address
Ports: 7, 19, 20, 21, 22, 23, 25, 37, 49, 53, 67, 68, 69, 80, 88, 109, 110, 137, 143, 161, 162, 179, 389, 443, 514, 515, 520, 530, 543, 544, 587, 636, 860, 989, 990, 993, 995, 1433, 1434, 1701, 1719, 1720, 1723, 1812, 1813, 2049, 3389, 3868, 5060, 5061, 8080, 8443, 8530, 8531
tcp only unless noted otherwise
7 - echo (both tcp/udp)
19 - chargen (both tcp/udp)
20 - FTP, data xfer
21 - FTP, ftp command
22 - ssh
23 - telnet
25 - smtp
37 - time (not ntp) (both tcp/udp)
49 - TACACS (both tcp/udp) TACACS+ (tcp only)
53 - DNS (both tcp/udp)
67 - Bootp, DHCP (udp only)
68 - Bootp, DHCP (udp only)
69 - TFTP (udp only)
80 - http (both tcp/udp)
88 - kerberos (both tcp/udp)
109 - pop2
110 - pop3
137 - Netbios (both tcp/udp)
143 - imap
161 - snmp (udp only)
162 - snmp (both tcp/udp)
179 - bgp
389 - ldap
443 - https (both tcp/udp)
514 - syslog (udp only)
515 - LPD
520 - rip (udp only)
530 - rpc (both tcp/udp)
543 - klogin (kerberos)
544 - kshell (kerberos)
587 - SMTP message submission (STARTTLS)
636 - ldap over tls
860 - iscsi
989 - ftps over tls (data) (both tcp/udp)
990 - ftps over tls (command) (both tcp/udp)
993 - imap - tls
995 - pop3 - tls
1433 - MSSQL (both tcp/udp)
1434 - MSSQL monitor (both tcp/udp)
1701 - l2f, l2tp (both tcp/udp)(l2tp is udp only)
1719 - H.323 reg (both tcp/udp)
1720 - H.323 call (both tcp/udp)
1723 - PPTP
1812 - RADIUS authentication (both tcp/udp)
1813 - RADIUS accounting (both tcp/udp)
2049 - NFS (both tcp/udp)
3389 - RDP (both tcp/udp)
3868 - diameter
5060 - SIP
5061 - SIP over TLS (both tcp/udp)
8080 - alt http (both tcp/udp)
8443 - alt https
8530 - windows updates (both tcp/udp)
8531 - windows updates (both tcp/udp)
IP protocol numbers, 1,2,6,9,17,41,43,44,50,51,58,89,115,132,143
1 - icmp
2 - igmp
6 - tcp
9 - igp
17 - udp
41 - ipv6 encapsulation
43 - ipv6 routing
44 - ipv6 frag header
50 - ESP (ipsec)
51 - AH (ipsec)
58 - ipv6 icmp
89 - OSPF
115 - l2tp
132 - sctp
143 - ethernet ipv6 segment routing
database normal forms
1st - each field holds a single atomic value; no repeating groups or nested records
2nd - 1NF plus no partial dependency: every non-key attribute depends on the whole of every candidate key, not on part of a composite key
3rd - 2NF plus every non-trivial functional dependency either begins with a superkey or ends with a prime attribute, i.e. no transitive dependency of a non-key attribute on another non-key attribute (the extra tables can reduce performance)
3.5NF (BCNF) - slightly stronger than 3NF: every non-trivial functional dependency begins with a superkey
4th - every non-trivial multivalued dependency begins with a superkey
4.5NF - an intermediate form between 4NF and 5NF, slightly stronger than 4NF
5th - every join dependency has only superkey components
5+ - forms stronger than 5NF (e.g. 6NF, DKNF)
Federated Byzantine Agreement (block chain), created to reach … among a number of … nodes in a … network. Byzantine fault tolerance (BFT) is a concept that aims to … malicious or defective nodes in a network
created to reach agreement among a number of distributed nodes in a decentralized network. Byzantine fault tolerance (BFT) is a concept that aims to tolerate malicious or defective nodes in a network
MOST accurate way to assess the relative risk of a vulnerability within the CWSS
comparing the vulnerability’s base score to the maximum base score of all vulnerabilities within the system
Access control model that minimizes the involvement with access controls
MAC
Echo checking
a communication protocol technique used to ensure that transmitted data is received correctly
the MOST loosely coupled storage type
Object storage
Terminal controllers
used in environments where terminals (basic input/output devices) need to connect to and communicate with a central computer or server
The first action to take after a successful Distributed Denial-Of-Service (DDOS) attack
perform an assessment of our systems to determine their current status
Boundary value analysis
a method of software testing where the extreme boundary values are chosen
Standards definition
documented techniques or methodologies that are established by expert groups or standards organizations and prescribe lists of security controls
At what point is the RTO reached
when the system is back in production
Variance-detection tools
analyze patterns in data and identify occurrences that deviate from established norms, which could indicate critical security events or unusual activity
MOST secure method of implementing ephemeral computing in a cloud environment
Regularly rotating ephemeral computing resources means that the resources are frequently replaced, which reduces the chances of a security breach
ephemeral computing
the practice of creating a virtual computing environment as a need arises and then destroying that environment when the need is met
CDN effect on security posture
may reduce the effectiveness due to a larger attack surface
encryption algorithm with highest work factor
RSA
inspection (programming) formal review process that involves examining and evaluating code against … …, …, and …
formal review process that involves examining and evaluating code against predefined criteria, checklists, and standards
Asynchronous dynamic OTP
challenge-response: the server sends a nonce (challenge), the token computes a response from it and the shared secret; no clock or counter has to stay synchronized
Synchronous dynamic OTP
tokens that rely on a counter or timestamp that is synchronized between the token and the authentication server
S/KEY OTP uses a …and a … function to generate …
a specific one-time password system that uses a seed and a hash function to generate passwords
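As an added example (not from these cards), the standard-library Python below implements the two synchronous dynamic OTP schemes, counter-based HOTP (RFC 4226) and time-based TOTP (RFC 6238), plus the verifier-side logic that the cards only hint at: a look-ahead window that resynchronises a counter token and rejects replays, and a clock-skew window for time tokens. The shared secret is the RFC test-vector key, so the outputs can be checked against the published vectors.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10^digits and zero-pad."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, digestmod).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP where the counter is the number of whole time steps since the epoch."""
    return hotp(secret, unix_time // step, digits, digestmod)


def verify_hotp(secret: bytes, presented: str, server_counter: int, look_ahead: int = 5):
    """Counter-token verifier. Accepts the code if it matches any of the next
    `look_ahead` counters (the token may have been pressed without being used),
    and returns the counter to store next so the same code can never be replayed.
    Returns None on failure."""
    for c in range(server_counter, server_counter + look_ahead):
        if hmac.compare_digest(hotp(secret, c), presented):
            return c + 1
    return None


def verify_totp(secret: bytes, presented: str, unix_time: int, step: int = 30,
                skew: int = 1) -> bool:
    """Time-token verifier allowing +/- `skew` steps of clock drift between
    the token and the authentication server."""
    t0 = unix_time // step
    for w in range(-skew, skew + 1):
        if hmac.compare_digest(hotp(secret, t0 + w), presented):
            return True
    return False


if __name__ == "__main__":
    secret = b"12345678901234567890"            # RFC 4226 / 6238 test-vector key
    print([hotp(secret, c) for c in range(3)])  # counter-based codes
    print(totp(secret, 59, digits=8))           # time-based code at t=59
    print(verify_hotp(secret, hotp(secret, 2), server_counter=0))   # resync to 3
    print(verify_hotp(secret, hotp(secret, 2), server_counter=3))   # replay -> None
```

The `compare_digest` calls keep the comparison constant-time, and the server must persist the returned counter (or the last accepted time step) so an intercepted code cannot be submitted twice.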
selecting a number displayed on a smart phone during MFA is how many factors if you notice the data usage being activated, and how many if not
4, 3
BEST reason to get help from external resources to work on our Information Security program
can be more cost effective and can have expertise we do not internally
highest cost expensive cloud storage
hybrid storage
XML Parser - what is it used for, where is it found
a function built into most browsers (and most language runtimes) that reads XML data and checks that it is well formed
Parsed Character Data (PCDATA), aka, what is it
PC data: text content that the XML parser scans for markup, so entities and tags inside it are interpreted rather than taken literally
Relational Database handling of Parsed Character Data
most relational databases can store PC data, but the bigger problem for the database is that XML documents are hierarchical and not normalized, so they do not map directly onto relational tables
Federated Identity Management vs Delegated Identity Management vs SSO
Federated Identity (Federated ID):
Federated identity allows a user to use the same identification credentials to access multiple applications or systems. This means that a user can use their credentials from one trusted identity provider to access various services from different organizations. An example of federated identity is when a user can use their Google or Facebook credentials to log in to various third-party websites or applications.
Single Sign-On (SSO):
Single Sign-On is a system that enables users to securely authenticate with multiple applications and websites by logging in only once. Once authenticated, the user can access all the connected systems without needing to log in again. An example of SSO is when an employee logs in to their company’s network and can then access their email, project management tool, and other internal systems without having to enter their credentials again.
Delegated Identity (Delegated ID):
Delegated identity allows a user to grant another application or service access to their identity information without sharing their credentials. This is often done through the use of tokens or permissions granted by the user. An example of delegated identity is when a user grants a third-party app access to their social media profile for the purpose of sharing content or accessing their social graph.
Developer access to source code repository
Should be only read and add new code, modify and delete both have the effect of deleting old code (new code should identify the old code it is built on)
what layer does encryption occur
layer 6
XML Features (6)
AU CASE
Adapts technology advancements
XML supports Unicode
Compatibility with other markup language HTML
Allows XML validation
Supports platform transition (data conversion)
Easy and efficient data sharing
java trust store
java key store
trust store: holds the CA certificates this application trusts when verifying the other party (used as a TLS client)
key store: holds the application's own private keys and their certificate chains, i.e. its identity (used as a TLS server or for signing)
microcode and copyright infringement
microcode (a layer of hardware-level instructions) typically does not pertain to copyright infringement issues
primary purpose of CCB
ensure that all IT changes are approved by the appropriate departmental representatives
PRIMARY advantage of using a tightly coupled architecture in storage, and its disadvantages (3)
loosely coupled disadvantages and advantages (3)
tightly coupled advantage:
better performance
tightly coupled disadvantages:
less security
less scalability
higher initial cost and maintenance cost
loosely coupled storage has the opposite advantages / disadvantages
HIPAA compliance should be applied to what
any device that will be used to create, store, transmit or otherwise interact with PHI (protected health information)
reason to not use OSS, conditional reasons to use (3)
code is not tailored to particular requirements (same as COTS)
OSS code available from trusted and reputable sites such as GitHub may very well be warranted, supported, and updated on a regular basis
When SCRUM stops accepting changes
never
best practice to handle terminated employee’s account
expire it, as expired accounts typically must go through more steps than disabled, or locked
CISO should report to
COO or equivalent due to better understanding of business
what makes password policies most effective
security awareness training
FIM, what is it, primary purpose (3 targets), most important factor of effectiveness
File Integrity Monitoring
detect unauthorized changes to critical files, system configurations, and other important data by comparing current hashes and attributes against a known-good baseline
technical capabilities of the system
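As an added example (not from these cards), the standard-library Python below is a minimal file integrity monitor: it records a SHA-256 baseline of every regular file under a root, then re-scans and classifies each difference as added, removed, modified content, or a permission-only change. The demo builds a constructed directory tree in a temporary location, tampers with it the way an intruder might (edits a config, chmods a binary, drops a new file, deletes a file), and reports what the comparison catches.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of the file contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> dict:
    """Map relative POSIX path -> (sha256, permission bits, size) for every
    regular file under root. Symlinks are skipped so a link cannot stand in
    for the real file."""
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            result[p.relative_to(root).as_posix()] = (hash_file(p), st.st_mode & 0o777, st.st_size)
    return result


def compare(old: dict, new: dict) -> dict:
    """Classify differences between two baselines."""
    report = {"added": [], "removed": [], "modified": [], "mode_changed": []}
    for name in new.keys() - old.keys():
        report["added"].append(name)
    for name in old.keys() - new.keys():
        report["removed"].append(name)
    for name in old.keys() & new.keys():
        if old[name][0] != new[name][0]:
            report["modified"].append(name)       # content changed
        elif old[name][1] != new[name][1]:
            report["mode_changed"].append(name)   # same content, permissions changed
    return {k: sorted(v) for k, v in report.items()}


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, compare."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "ssh_config").write_text("PermitRootLogin no\n")
        (root / "bin").mkdir()
        (root / "bin" / "tool").write_bytes(b"\x7fELF...")
        os.chmod(root / "bin" / "tool", 0o755)
        before = baseline(root)

        # Simulated tampering: config edit, permission change, new file, deletion.
        (root / "etc" / "ssh_config").write_text("PermitRootLogin yes\n")
        os.chmod(root / "bin" / "tool", 0o777)
        (root / "bin" / "backdoor").write_bytes(b"\x7fELF...")
        (root / "etc" / "passwd").unlink()

        after = baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind:13s} {names}")
```

In a real deployment the baseline must be stored where the monitored host cannot alter it (signed, or off-box), otherwise an attacker who can change the files can also re-baseline them, which is the "technical capabilities of the system" factor the card refers to.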
Two person rule
ensures one programmer does not act alone; there is another programmer present and watching who will detect if the first programmer errs or attempts to embed spurious commands, will not be independently working
What are each of these methods best suited for:
OCTAVE
PASTA
DREAD
STRIDE
OCTAVE: broad, organization-wide risk assessment driven by the organization's own assets and practices
PASTA: seven-stage, risk-centric application threat modeling framework
DREAD: rating scheme for scoring the severity of identified threats (Damage, Reproducibility, Exploitability, Affected users, Discoverability)
STRIDE: threat classification used when threat modeling software designs (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege)
First step in divestiture
Announce the divestiture to stakeholders
least effective quantitative risk analysis technique
using pen and paper due to the complex calculations involved
Monte Carlo simulation
very effective quantitative risk analysis tool
scenario analysis
effective method for understanding the impact of different risk events. It involves the use of models to estimate the expected value of a portfolio following a given event or series of events. It can handle complex situations, consider multiple variables simultaneously, and assess the interactions among them. While it may not be as comprehensive as Monte Carlo simulations in terms of handling uncertainties, it’s still a very effective tool for risk quantification.
most critical action to ensure that your outsourced data is handled securely
Conducting an annual audit of the third-party firm’s data handling processes
data controller vs data steward
steward: responsible for ensuring the accuracy and quality of data
controller: typically used in the context of data protection laws and refers to the person or entity who determines the purposes and means of processing personal data
self-signed certificate
not signed by a public or private CA; issuer and subject are the same entity
cannot be revoked in the usual sense, because no CA publishes CRL or OCSP status for it; it can only be removed from the trust store
most critical action (process to use and how) to maintain the security of your organization's IT infrastructure
automate the hardening process so every system is configured to the same baseline
DNS-based Authentication of Named Entities (DANE), what is it, biggest security benefit is protection from … attacks
a security protocol that allows domain owners to specify which Transport Layer Security (TLS) certificates should be accepted by applications such as web browsers, email clients, and more. One of the biggest security benefits of DANE is its enhanced protection against man-in-the-middle attacks
ephemeral ports use
used for client side reply and therefore should not need ingress ACL’s on firewalls
IPsec tunnel mode and systems with native IPsec support
tunnel mode (whole packet encapsulated behind a new outer IP header) is what gateways use; hosts with native IPsec support can protect traffic end to end in transport mode, so tunnel mode is not needed for them
IKE and IPsec
IKE negotiates the security associations, i.e. which encryption and hash algorithms to use and the keys for them; ISAKMP defines the framework and message formats that IKE runs over
AH vs ESP
AH only integrity and authentication
ESP adds confidentiality
when moving data to cloud, access controls vs. encryption
access controls trump encryption
BEST security measure we could use to prevent data disclosure and data exfiltration in regards to encryption
Use very strong key storage, encryption is only as strong as the key management
best protocol to use when you need to authenticate at specific time periods
OIDC
SAML used mostly commonly used for…
web-based single sign-on (SSO)
JSON web tokens contain what two fields that can be used to authenticate at specific time periods
Issued At Time (IAT) and Expiry Time (EXP) and can be used to authenticate at specific time periods
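As an added example (not from these cards), the standard-library Python below issues an HS256 JSON Web Token carrying the iat, nbf and exp claims and verifies it the way a relying party should: signature first, with the algorithm pinned rather than read from the token, then the time window with a small leeway for clock skew. The secret, subject and timestamps are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_jwt(secret: bytes, subject: str, issued_at: int, lifetime: int = 300) -> str:
    """HS256 token whose iat/nbf/exp claims bound when it may be accepted."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": issued_at, "nbf": issued_at, "exp": issued_at + lifetime}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(secret: bytes, token: str, now: int, leeway: int = 30) -> dict:
    """Return the claims if signature and time window check out, else raise ValueError."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm: a verifier that honours whatever 'alg' the token
    # claims is open to alg=none and key-confusion attacks.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    # Time window: exp is mandatory here; nbf and iat are checked when present.
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise ValueError("expired")
    if "nbf" in claims and now < claims["nbf"] - leeway:
        raise ValueError("not yet valid")
    if "iat" in claims and claims["iat"] > now + leeway:
        raise ValueError("issued in the future")
    return claims


def is_valid(secret: bytes, token: str, now: int) -> bool:
    """Boolean wrapper around verify_jwt for callers that only need accept/reject."""
    try:
        verify_jwt(secret, token, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    secret = b"constructed-demo-secret"          # constructed, not a real key
    tok = issue_jwt(secret, "alice", issued_at=1_700_000_000, lifetime=300)
    print(tok)
    print(is_valid(secret, tok, 1_700_000_100))  # inside the window
    print(is_valid(secret, tok, 1_700_000_400))  # past exp even with leeway
    print(is_valid(secret, tok, 1_699_999_900))  # before nbf
```

The claims are checked only after the signature passes; checking exp first would let an attacker learn about the token's contents from a forged payload.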
ISO 27002 Assess the … of the …, based on …, which is based on industry … …
Assess the effectiveness of the controls, based on BS7799, based on industry best practices
Audit report delivered to…
Board of Directors
controls to use to ensure that all expected records are processed and that no records are missing
Record counts and hash totals
missing data tests help identify … that are … but are …
help identify fields that are required but are blank
Limit tests
verify that a data value falls within a predetermined range and can be useful for data validation
preparing to handle new incidents does not
prepare for the damage
most important step in change management process
Developing a rollback plan in case the update causes any issues
MOST likely to be used as a C&C (Command and Control) server in a cyber-attack
use cloud-based virtual machines
best metric for measuring the effectiveness of firewalls
number of attacks blocked
first step when a compromise is suspected
Verify there was an incident
most useful logs when measuring the effectiveness and accountability of a computer security incident response capability (CSIRC)
Activity logs
MTD vs AIW
MTD (maximum tolerable downtime) has a wider scope, covering the business process; AIW (allowable interruption window) is focused on system-specific disruptions
CIA triad related to access control models
Confidentiality - MAC
Integrity - RBAC, ABAC
Availability - DAC
RBAC can also (2)
enforce separation of duties
prevent authorization creep
ABAC aka (2), advantages (3) / disadvantage over RBAC
PBAC - policy based
CBAC - claims based
advantages over RBAC - more granular, more secure, more flexible
disadvantage - takes more time to configure
Centralized access control pro’s / con’s
Pro’s:
all systems have same security posture
easier to manage
more secure, only a few people can update
separation of duties
SSO can be used
Con’s:
traffic overhead is greater
response time is greater
updates can take longer
requires more stable infrastructure
Decentralized access control pro’s (4) / con’s (5)
Pro’s:
traffic overhead is reduced
response time is reduced
updates may be quicker
doesn’t require as stable infrastructure
Con’s:
all systems may not have same security posture
more difficult to manage
less secure, more people can update
may lack separation of duties
SSO may not be able to be used
Hybrid access control centrally …, but access lists are … periodically
should ensure … sites follow security …
centrally controlled, but access lists are pushed out to remote sites periodically
should ensure remote sites follow security posture
JIT access control, allows use of … … websites without … new accounts …
third party … with home org
what language used
allows use of third-party websites without manually creating new accounts (the account is provisioned just in time at first login)
the third party confirms the user's identity with the home org's identity provider
SAML
OIDC Authorization
adds … layer to OAuth2 to verify …
can use … or … to log into many websites
adds ID layer to OAuth2 to verify ID
can use google or facebook to log into many websites
Risk Based access control, access decisions based on … …
uses 3 things
access decisions based on risk assessment
uses AI, behavioral and contextual analytics
in database world relation is another name for…
table
forced browsing … … attack searching for … content on a website
brute force attack searching for unlinked content on a website
lexical obfuscation
renaming classes, fields, methods etc. replacing the name with identifiers lacking intuitive meaning
bridge model aka
aka: trusted third party model
processor states relation to isolation
does provide isolation
geotagging vs geolocating
geotagging is embedding location metadata in data (e.g. GPS coordinates in a photo's EXIF), so a device's position can be determined by examining the content it produced
geolocating (aka geopositioning) is determining the position of a device directly, typically using GPS, Wi-Fi or cell-tower data
ISO 27001 origination
British Standard 7799
safest fire suppression for electrical fire
FE-13 (HFC-23)
openID uses what standard as a framework
RFC 6749 (the OAuth 2.0 authorization framework), on which OpenID Connect is layered
CYOD
choose your own device
COPE
corporate owned personally enabled
most cost effective alternate site solution for DRP
mutual assistance agreement (MAA), aka reciprocal agreement
KDC purpose
acting as a trusted third party authentication server
802.11i, specific part
WPA2 is the certification that implements 802.11i; the specific part is CCMP (AES-based) replacing TKIP
security marking, definition, vs. security labeling
reflects applicable laws, directives, policies, regulations and standards, making it more human readable
vs. security labeling - security labeling enables system based enforcement
most crucial log for unlicensed software
network log
dilution (intellectual property law)
entity uses a trademarked item as a generic term, kleenex
most commonly used biometric
fingerprint scan
ip6 address assignment
EUI-64: take the first half of the MAC address, insert FFFE, append the second half, then flip the universal/local bit (the 7th bit of the first octet, i.e. XOR the first byte with 0x02); the result is the 64-bit interface identifier appended to the /64 prefix
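The EUI-64 derivation above, worked through as an added Python example (not part of the flashcards): the MAC is split, FFFE is inserted, the U/L bit is flipped, and the result is attached to the fe80::/64 link-local prefix. The reverse function shows why this is a privacy concern, since the hardware address can be read straight back out of the IPv6 address. The sample MAC is constructed for the demo.

```python
import ipaddress


def mac_to_modified_eui64(mac: str) -> bytes:
    """48-bit MAC -> 64-bit modified EUI-64 interface identifier (RFC 4291, Appendix A).

    Split the MAC in half, insert 0xFFFE between the halves, and flip the
    universal/local bit (bit 0x02 of the first octet).
    """
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    first = octets[0] ^ 0x02
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 prefix followed by the EUI-64 interface identifier."""
    prefix = b"\xfe\x80" + b"\x00" * 6
    return ipaddress.IPv6Address(prefix + mac_to_modified_eui64(mac))


def mac_from_eui64_address(addr: str):
    """Recover the MAC from an EUI-64 derived address, or None if the IID was not built that way.

    This reversibility is the privacy problem that RFC 4941 temporary addresses solve:
    the hardware address (and its vendor OUI) leaks into every address the host uses.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


# Constructed sample MAC for the demo.
DEMO_MAC = "00:1b:63:84:45:e6"

if __name__ == "__main__":
    ll = link_local_from_mac(DEMO_MAC)
    print(ll)                                # fe80::21b:63ff:fe84:45e6
    print(mac_from_eui64_address(str(ll)))   # 00:1b:63:84:45:e6
```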
best reason to have employees acknowledge policies
protect the company
pharming
aka DNS cache poisoning
purpose of WS-SecureConversation Web Services specification
create security … for … … exchanges
create security contexts for faster message exchanges
structured walk-through test aka
table top exercise
OSPF, … the entire network … and does not … … than distance vector protocols
learns the entire network topology (link-state) and converges faster than distance vector protocols
Lipner security architecture model
combines elements of Bell-LaPadula with Biba
antivirus has which types of controls (3)
detective, corrective, preventive
answering questions about types of controls
list out all 7 categories first and determine what each answer does
ARP resolves…
IP address to MAC address
Common Criteria Security Target
documentation for a system to be tested
bluetooth 2.1
offers weak encryption but is not clear text
five rules of evidence
authentic
accurate
complete
convincing
admissible
most difficult passwords to manage
one-time password
transient authentication
something you have
combinatorial testing
black box testing that involves using every possible variation of input data
pairwise testing, aka, what is it
aka: all-pairs testing; a combinatorial (black-box) testing method that chooses test cases so every pair of input parameter values appears together at least once, instead of exercising every combination
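As an added example (not from the flashcards), this Python script generates an all-pairs test set with a greedy algorithm and independently checks that every pair of parameter values is covered. The parameter model for a login endpoint is constructed for the demo; the greedy strategy is one common way to build pairwise suites, not the only one.

```python
from itertools import combinations, product


def all_pairs_tests(params: dict) -> list:
    """Greedy all-pairs (pairwise) test generation.

    params maps a parameter name to its candidate values. The returned list of
    test cases guarantees that every pair of values from any two parameters
    appears together in at least one test, with far fewer tests than the full
    cartesian product. Each round keeps the candidate row that covers the most
    still-uncovered pairs (fine for small models; not guaranteed minimal).
    """
    names = list(params)
    uncovered = set()
    for a, b in combinations(names, 2):
        for va in params[a]:
            for vb in params[b]:
                uncovered.add((a, va, b, vb))

    def covered_by(test, pair):
        a, va, b, vb = pair
        return test[a] == va and test[b] == vb

    tests = []
    while uncovered:
        best, best_gain = None, -1
        for combo in product(*(params[n] for n in names)):
            test = dict(zip(names, combo))
            gain = sum(1 for pair in uncovered if covered_by(test, pair))
            if gain > best_gain:
                best, best_gain = test, gain
        tests.append(best)
        uncovered = {pair for pair in uncovered if not covered_by(best, pair)}
    return tests


def covers_all_pairs(tests: list, params: dict) -> bool:
    """Independent check that a test set really is pairwise-complete."""
    names = list(params)
    for a, b in combinations(names, 2):
        for va in params[a]:
            for vb in params[b]:
                if not any(t[a] == va and t[b] == vb for t in tests):
                    return False
    return True


# Constructed parameter model for a login endpoint (demo values only).
LOGIN_PARAMS = {
    "browser": ["chrome", "firefox", "safari"],
    "os": ["windows", "macos", "linux"],
    "tls": ["1.2", "1.3"],
    "auth": ["password", "mfa"],
}

if __name__ == "__main__":
    suite = all_pairs_tests(LOGIN_PARAMS)
    print(len(suite), "pairwise tests vs", 3 * 3 * 2 * 2, "exhaustive")
    for row in suite:
        print(row)
```

The lower bound on the suite size is the largest product of two parameter sizes (here browser x os = 9), which is why pairwise suites stay small while exhaustive testing grows multiplicatively.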
cryptanalysis most likely to include frequency analysis
ciphertext only
firewall layers:
proxy (circuit-level): 5
application: 7
packet filter: 3/4
stateful: 3/4
algorithms using discrete logarithms
Diffie Hellman
ElGamal
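Both algorithms named above rest on the same hard problem, recovering x from g^x mod p. As an added Python example (not from the flashcards), this shows a Diffie-Hellman exchange with both sides' computations and an ElGamal encrypt/decrypt round trip over one shared group. The group is toy-sized and the message value is constructed for the demo; real deployments use standardized large groups and a KDF over the shared secret.

```python
import secrets

# Toy-sized group for the demo: 2**127 - 1 is a Mersenne prime. Real deployments
# use standardized groups (RFC 3526 MODP, 2048-bit or larger) or elliptic curves.
P = 2**127 - 1
G = 3


def public_value_ok(v: int) -> bool:
    """Reject degenerate public values (0, 1, p-1) that force a trivial shared secret."""
    return 1 < v < P - 1


def keypair():
    """Private exponent x and public value g^x mod p. Security rests on the
    difficulty of recovering x from g^x (the discrete logarithm problem)."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def dh_shared_secret(own_private: int, peer_public: int) -> int:
    if not public_value_ok(peer_public):
        raise ValueError("invalid peer public value")
    return pow(peer_public, own_private, P)


def dh_exchange_demo():
    """Both sides of a Diffie-Hellman exchange; returns (alice_secret, bob_secret).
    Only the public values cross the wire, and both sides end with the same number."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    return dh_shared_secret(a_priv, b_pub), dh_shared_secret(b_priv, a_pub)


def elgamal_encrypt(recipient_public: int, m: int):
    """Textbook ElGamal with a fresh ephemeral k per message: c1 = g^k, c2 = m * y^k."""
    if not 0 < m < P:
        raise ValueError("message must be an integer in (0, p)")
    k = secrets.randbelow(P - 3) + 2
    return pow(G, k, P), (m * pow(recipient_public, k, P)) % P


def elgamal_decrypt(recipient_private: int, c1: int, c2: int) -> int:
    s = pow(c1, recipient_private, P)      # the same y^k the sender computed
    return (c2 * pow(s, -1, P)) % P        # pow(s, -1, p) is the modular inverse (Python 3.8+)


if __name__ == "__main__":
    s_alice, s_bob = dh_exchange_demo()
    print("DH secrets match:", s_alice == s_bob)
    priv, pub = keypair()
    c1, c2 = elgamal_encrypt(pub, 0xC0FFEE)
    print("ElGamal round trip:", elgamal_decrypt(priv, c1, c2) == 0xC0FFEE)
```

Two caveats the flashcard does not cover: unauthenticated DH is vulnerable to an active man-in-the-middle (each party needs to verify the other's public value, e.g. via signatures or certificates), and textbook ElGamal is malleable, so it is used as a building block rather than directly on application data.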
Initialization vectors used in what for what
used in symmetric block cipher chaining modes (e.g. CBC) to randomize the first block, so identical plaintexts encrypted under the same key produce different ciphertexts; an IV must be unpredictable (or at least unique) and never reused with the same key
IPS devices location
usually inline, not on promiscuous port
NIDS devices location
usually on a promiscuous port, not inline
NDR location
SPAN port, uses syslog too
Agent Smith Attack
application replaced by malware that appears legitimate
clickjacking
aka: UI redress attack; the attacker overlays a transparent or invisible frame on a decoy page so the victim's clicks land on a hidden target, sending them to a malicious site or hijacking credentials; mitigated by refusing to be framed (X-Frame-Options, CSP frame-ancestors)
watering hole, what is it, uses what category of attack
attacker targets specific group of users by infecting a specific website (can be infected existing site or a malicious site), typically uses zero day attacks
purpose of key escrow
access sensitive data if need arises
recovery agent
store keys to secure against lost keys
OASIS standards most commonly used by SDN
XACML
X.400
set of message handling (email) standards that has been mostly replaced by SMTP (X.500 is the directory standard)
international security evaluation method influenced by Orange Book
ITSEC (retired)
buffer overflow protection mechanism that forces app to fail immediately if a pointer is freed incorrectly
Heap Metadata Protection
XORs the pointer value with a secret, so a pointer that is overwritten decodes to garbage and the corruption is detected rather than exploited
Pointer Encoding
buffer overflow protection that prevents code from executing from data pages (stack, heap)
DEP
buffer overflow protection that places executables and libraries (and the heap and stack regions) at random memory addresses at load/boot time
ASLR
RollJam
can be used against newer garage doors
keysweeper
sniffs keystrokes from windows wireless keyboards
OpenSesame and Brute Force
can be used against older garage doors
software testing includes walkthroughs, sanity checks, syntax checks and logical code review
static
Network Access Layer (TCP model)
aka: link / physical
attempting to login to a site but are redirected to another site
pharming attack, DNS cache poisoning
jam signal, CSMA/CA vs. CSMA/CD
CSMA/CA: the jam signal signifies an impending transmission; CA also requires receiving devices to send acknowledgements
CSMA/CD: the jam signal indicates a collision, i.e. two devices are sending at the same time
dry pipe vs preaction
dry pipe - pipes are filled with compressed air; when heat opens a sprinkler head the pressure drop opens the valve and water flows; used where pipes could freeze
preaction - pipes stay empty until fire is detected, then the valve lets water fill the pipes; heat must still open a sprinkler head (second stage) before water is released; used to prevent accidental discharge of water
RSA attack vulnerability
chosen cipher text
how to use crl
download the CRL (URL in the certificate's CRL Distribution Point extension) and check whether the certificate's serial number appears in the list of revoked serials
least reliable DRP solution
reciprocal agreement
NIST - to maximize number of vulnerabilities detected
use multiple vendors of scanners
evaluating an asset to ascertain the amount of vulnerability it means for an org
risk assessment
determining cost effectiveness of mitigating potential harm or loss to org
risk mgmt
AH / encryption
not used to encrypt data
attacker sends several large overlapping IP fragments
teardrop
sends ip packet with same destination and source, causes DOS
LAND, local area network denial
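The two packet-shaped attacks above (overlapping fragments for teardrop, src == dst for LAND) can be spotted from header fields alone. As an added Python example (not from the flashcards), this runs both checks over a few constructed IP-header summaries; the packet records, addresses and field names are made up for the demo, and fragment offsets are given in bytes rather than the header's 8-byte units.

```python
from collections import defaultdict

# Constructed IP-header summaries (not a real capture). 'offset' and 'length' are in
# bytes (the real header stores the fragment offset in 8-byte units); 'mf' is the
# More Fragments flag.
PACKETS = [
    {"src": "10.0.0.5", "dst": "10.0.0.9", "id": 1001, "offset": 0,    "length": 1480, "mf": 1},
    {"src": "10.0.0.5", "dst": "10.0.0.9", "id": 1001, "offset": 1480, "length": 520,  "mf": 0},
    {"src": "10.0.0.7", "dst": "10.0.0.9", "id": 2002, "offset": 0,    "length": 1480, "mf": 1},
    {"src": "10.0.0.7", "dst": "10.0.0.9", "id": 2002, "offset": 1000, "length": 1480, "mf": 0},
    {"src": "10.0.0.9", "dst": "10.0.0.9", "id": 3003, "offset": 0,    "length": 40,   "mf": 0},
]


def overlapping_fragment_streams(packets):
    """Teardrop indicator: within one datagram (src, dst, id), a later fragment starts
    before the previous one ends. Returns the (src, dst, id) keys that overlap."""
    groups = defaultdict(list)
    for p in packets:
        if p["mf"] or p["offset"] > 0:          # only fragments participate
            groups[(p["src"], p["dst"], p["id"])].append(p)
    flagged = []
    for key, frags in groups.items():
        frags.sort(key=lambda f: f["offset"])
        end_of_previous = 0
        for f in frags:
            if f["offset"] < end_of_previous:
                flagged.append(key)
                break
            end_of_previous = f["offset"] + f["length"]
    return flagged


def land_packets(packets):
    """LAND indicator: source and destination address are identical, so a host that
    answers would be replying to itself. Returns the matching datagram ids."""
    return [p["id"] for p in packets if p["src"] == p["dst"]]


if __name__ == "__main__":
    print("teardrop:", overlapping_fragment_streams(PACKETS))   # [('10.0.0.7', '10.0.0.9', 2002)]
    print("land:", land_packets(PACKETS))                         # [3003]
```

Modern stacks reassemble overlapping fragments safely, so the value of the first check today is mostly as an anomaly signal: legitimate senders have no reason to emit overlapping offsets.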
boundary testing
specific type of negative testing that sends known out of range data
negative testing
sending invalid information to see how the app reacts
info sec officer reporting
most likely:
CIO
CEO if security is utmost importance
legal if in a strong regulatory environment
least likely:
Audit - conflict of interest
primary objective of physical security
protecting safety of personnel
pseudonymization vs tokenization
tokenization: the token has no meaning of its own but can still be mapped back to the original information through the token vault (e.g. credit card numbers)
pseudonymization: replaces identifying fields with artificial identifiers or aliases (e.g. a patient ID)
cvss scores categories affecting each other
base > temporal > environmental: the base score feeds the temporal score, which in turn feeds the environmental score
testing / certification of digital forensic equipment
NIST CFTT
wireless client isolation mode
prevents clients from communicating with each other
incident response phases mnemonic
dirty rotten mean REPublicans RECruit REMarkable losers: Detection, Response, Mitigation, Reporting, Recovery, Remediation, Lessons learned
3 SAML entities
IdP - vouches for subject
SP - providing resource that the subject wants
subject (principal or agent) - attempting to authenticate
not mitigated by input validation and sanitization, but what 3 attacks are
XSRF (CSRF) is not mitigated by input validation and sanitization
but directory traversal, XML injection and XSS are
framework that exclusively uses business requirements as central point of comparison
TOGAF
internal skimmer
will normally set off tampering alarm
external skimmer
most likely to avoid being thwarted by P2PE