CASP Flashcards
What is ISO 31000
A risk management framework.
What type of risk can you not eliminate?
Residual risk
What is residual risk?
Risk you cannot eliminate.
What are two ways to measure risk?
Qualitative and quantitative.
Which risk response is also included when risk mitigation is performed?
Acceptance
What describes the probability of a threat being realized?
Likelihood
What describes the amount of loss during a one year timespan?
ALE
What is risk appetite?
An assessment of what level of residual risk is tolerable.
What describes the amount of residual risk that is tolerable to the organization?
Risk appetite.
What are the core functions of the NIST CSF?
NIST Cybersecurity Framework
Identify Protect Detect Respond Recover
What are the required steps of the NIST RMF?
NIST Risk Management Framework Steps:
Prepare Categorize Select Implement Assess Authorize Monitor
What are the steps of the risk management life cycle?
Risk Management Lifecycle:
Identify
Assess
Control
Review
What is risk tolerance?
The thresholds that separate different levels of risk.
Identify a popular risk framework.
NIST 800-37
COBIT
COSO
ISO 31000
What phase of the risk management life cycle identifies effective means by which identified risks can be reduce?
Control
What phase of the risk management life cycle identifies risk items?
Identify
What phase of the risk management life cycle determines associated risk levels?
Assess
What phase of the risk management life cycle determines if a risk level has changed?
Review
What should include detailed descriptions of the necessary steps to complete a task?
Process
What function of NIST CSF defines capabilities needed for the timely discovery of security incidents?
Detect
What’s a formal mechanism for measuring performance of a program against desired goals?
KPI
What program demonstrates a cloud service providers adherence to security?
CSA STAR
Cloud Security Alliance, Security Trust and Risk
What standards were established by the AICPA to evaluate controls designed to protect technology and finance?
SOC
What is the cybersecurity standards developed by the DoD?
CMMC
Cybersecurity Maturity Model Certification
Which cloud represents the lowest amount of responsibility for the customer?
SaaS
What describes when a customer is completely dependent upon a vendor for products or services?
Vendor lock in
What describes when a copy of vendor-developed code is provided to a trusted third party?
Source code escrow
What describes all of the suppliers, vendors, and partners needed to deliver a final product?
Supply chain
What type of data sanitization involves multiple block level overwrites?
Clear
What type of data sanitization is proof against all recovery techniques?
Purge
What does “clearing” data do?
Multiple block level overwrites?
What does “purging” data do?
Best recovery, even against cleanroom and material analysis.
What is an attestation of compliance?
set of policies, contracts, and standards identified as essential in the agreement between two parties
What is a set of policies, contracts, and standards identified as essential in the agreement between two parties?
Attestation of compliance
What are the five levels of the CMMI?
Initial Managed Defined Quantitatively Managed Optimizing
What’s a non regulatory agency in the US that establishes standards and best practices?
NIST
Describe the relationship between regulations and standards?
Regulations are lawful mandates that state a standard must be followed, while standards are a set of practices that can be implemented to fulfill a regulation
What regulation enforces rules for organizations related to the European Union?
GDPR
Which US Federal law is designed to protect the privacy of children?
COPPA
Which process is designed to provide assurance that information systems are compliant with federal standards?
Certification and Accreditation
What describes the actions taken to ensure that a system continues to operate in a compliant way?
Continuous monitoring.
What is authority to operate?
A formal letter of accreditation by a Certifying Authority upon successful review of an independent audit.
What are the phases of the certification and accreditation process?
Initiation and planning
Certification
Accreditation
Continuous monitoring
What is often referred to as the prudent man rule?
Due Care
What is due care?
Prudent man rule
The reasonable and expected protections put in place to protect an asset.
What is due diligence?
The ongoing and documented effort to continuously evaluate and improve asset protection.
What is an MSA?
Master service agreement
Establishes an agreement between two entities to conduct business during a defined term.
What is an NDA?
Non disclosure agreement.
What is an MOU?
Memorandum of understanding
A contract that can establish ROE between two parties.
Difficult to enforce
Formal means to define roles and expectations
What is an ISA?
Interconnection security agreement
Rules for two entities to connect and share data
What is an OLA?
Operational level agreement
Internal documents established to define the essential operational needs for it to meet its SLAs
What is a PLA?
Privacy level agreement
SLA but for data protection requirements
What describes the identification of applicable laws depending upon the location of the organization, data, or customer/subject?
Legal Jurisdiction
What describes when an organization’s legal team receives notification to preserve electronic information?
Lit hold
What type of agreement is often an umbrella contract that establishes the agreement between two entities to conduct business?
Master Service Agreement
MSA
What agreement governs services that are both measurable and repeatable?
SLA
What are the steps of the NIST 800-34 for business continuity planning?
Develop the continuity planning policy statement
conduct the business impact analysis
identify preventive measures
create contingency strategies
develop an information systems contingency plan
ensure plan testing, training, and exercises
ensure plan maintenance
What is the relationship between disaster recovery and business continuity plans?
Disaster recovery plans are focused on the immediate needs of a disaster and is a part of the business continuity plan which is broader and covers a longer time frame.
What is the last step in a business continuity plan?
Plan maintenance
What can be described as an analysis of a system’s requirements, functions, and interdependence used to characterize system contingency requirements an dpriorities in the event of a disruption?
BIA
What generally defines the amount of data that can be lost without irreparable harm?
RPO
Recovery Point Objective
Which type of assessment seeks to identify specific types of sensitive data?
PIA
Privacy impact assessmetnt
Using other locations to manage a disaster response is known as what?
Alternate site
What type of DR site has the lowest operating expense and complexity?
Cold site
Which site is one that can be activated and used within minutes?
Hot site
Which NIST publication has to do with incident response?
NIST 800-61
What is NIST 800-61?
Incident Handling Guide
What are the types of DR tests?
Checklist Walkthrough Tabletop Parallel Full Interruption
Which type of DR test is the most disruptive?
Full interruption
Which type of DR test is a meeting to review the plans and analyze their effectiveness against various scenarios?
Walk through
Which type of DR test is used to determine whether all parties involved in the response know what to do and how to work together?
Tabletop
What is a UTM?
Unified threat management - device or virtual appliance that provides multiple security services in a single solution.
What types of services does a UTM typically offer?
Content filtering DLP SPAM Antivirus Web filtering firewall
Describe non-transparent vs transparent proxy.
Non-transparent requires clients to be manually configured with the proxy server as a target.
Transparent intercepts client traffic without the client having to be reconfigured.
What is a resource record set?
A package of resource records created by the authoritative DNS server signed by a zone signing key.
In DNS what is the difference between a zone signing key and a key signing key?
The zone signing key signs the resource record set, the key signing key signs the zone signing key so it can be easily revoked and re-established in case of compromise.
What is an API gateway?
a mechanism allowing software interfaces to be detached from the main application
What is an XML gateway?
An interface gateway that does not allow the extensibility as an API gateway but allows processing and firewall like inspection. More secure.
What can be used to protect against DNS spoofing and DNS poisoning?
DNSSEC
What is the difference in NetFlow and sFlow?
Netflow packets in a transmission are aggregated into a flow and then exported for processing and analysis. sFlow is a sampling of packets and not a true aggregate of flows.
What are the typical capabilities of a SIEM?
Aggregation Correlation Alerting Visibility Compliance Data Retention
What are the two main components of a VPN?
The creation of a network tunnel between endpoints and the protection of the data within.
What is the difference in L2TP and IPSec?
L2TP (layer two tunneling protocol) is the establishment of a vpn tunnel while IPSec is the encryption of the data within.
What is a solution designed to validate an endpoint’s security before it gets onto the network?
Network access control
What is a passive technology used to provide visibility into network traffic on a switch?
TAP
Test access port
What version of SNMP should be used?
v3
Why is a TAP preferable over a SPAN?
TAPs do not cause negative performance on the switch.
What type of networking is called east-west and is based upon policies established through SDN to limit traffic between workloads?
Microsegmentation
Which NIST SP talks about Zero Trust?
NIST SP 800-207
What is NIST 800-207?
Zero Trust Architecture
What are the planes in an SDN?
Control
Data
Management
Which SDN plane controls where traffic should be switched?
Control Plane
Which SDN plane handles the actual switching and security?
Data Plane
Which SDN plane monitors traffic and network status?
Management Plane
Which type of environment is characterized by having hosts and networks available for use by visitors?
Guest
What is a specially configured, highly hardened system for performing administrative tasks?
Jump box
What type of network segmentation differs from a traditional approach to provide higher security, granularity, and flexibility?
Microsegmentation
What network implementation creates an SDN by utilizing existing physical equipment?
SDN Overlay
What is vertical vs horizontal scaling?
Vertical scaling adds more power to an existing server, horizontal adds more servers.
What is type 1 virtualization?
“bare metal” - installed directly to the hardware, esxi, hyperv
What is type 2 virtualization?
Installed to the OS - vmware player, virtual box
What describes improving performance by adding additional resources to an individual system?
Vertical scaling
What describes improving performance by adding additional systems to distribute load?
Horizontal scaling
What leverages the global footprint of cloud platforms by distributing and replicating the components of a service?
CDN
Content delivery network
What design strategy often conflicts with IT approaches that look to consolidate platforms and reduce product portfolios?
Diversity
Which type of virtualization allows the client to either access an application hosted on a server or stream the application from the server to the client for local processing?
Application virtualization
What is the set of automated tasks to be performed as part of a cloud deployment?
Bootstrapping
Describe the three main types of VDI
Hosted - provided by a third party that manages the entire infrastructure.
Centralized - all VDI instances are hosted within the enterprise, when an instance is requested a new one is created
Synchronized - lets work continue in a disconnected state with a local copy of the VDI that is then synchronized back up
What is the difference in application virtualization and VDI?
VDI is a virtualization of the entire desktop or endpoint experience. Application virtualization is limited to just one application and may be referred to as “clientless”.
What are the extensions of service oriented architecture?
People
Process
Platform
Practice
What are some functions that can be performed via a Container API?
List logs generated by an instance
issue commands to the running container
create, update, and delete containers
list capabilities
What environment is used to merge code from multiple developers to a single master copy?
Test
What describes middleware software designed to enable integration and communication between a wide variety of applications throughout an enterprise?
Enterprise service bus
What is shadow IT?
IT systems deployed without the approval of centralized IT to work around shortcomings, requirements, or bottlenecks.
What are the steps of the SDLC?
Planning Solution design Coding Testing Release/ Deployment
What is regression testing?
Evaluating whether changes in code have caused unintended bugs.
What type of testing is to find issues where changes in code have caused previously working functions to fail?
Regression testing
What type of testing involves pass/fail for one block of code?
Unit Test
Which type of testing verifies that individual components of a system work together?
Integration testing
Which development model includes phases that cascade with each phase only starting when the last finishes?
Waterfall
What development model incorporates security as code and infrastructure as code?
SecDevOps
What is the director services standard?
X.500
How does kerberos work?
Clients request services from an application server, and both rely on an intermediary - the key distribution center.
User authenticates and is given a ticket granting ticket from the ticket granting server
This ticket granting ticket is used to request a ticket granting service
What port does TACACS use?
49
What is the certificate standard?
X.509v3
What does OAuth provide?
Authorization, not authentication
What is the port based network access control standard?
802.1x
What is the device requesting access in network access control called?
Supplicant
What is an HOTP?
HMAC based one time password. This is often what mfa fobs or smartphone authenticator apps use. They do not however have to expire.
What is TOTP?
Time based one time password - a refinement of HOTP that forces each token to expire.
In REST, what is a method to transfer claims between two parties?
JSON Web tokens which are signed and protected with a Message Authentication code, or encrypted
When storing passwords, what method should not be used?
Encryption
What is the term used to describe when credentials created and stored at an external provider are trusted for identification and authentication?
Federation
Which access control is a modern, fine grained type of access control that uses XACML?
ABAC
Attribute based access control
What authentication protocol is comparable to radius and used in Cisco devices
TACACS
What authentication scheme uses an HMAC built from a shared secret plus a value derived from a device and server’s local timestamps?
TOTP
Time based one time password
What is hardware root of trust?
Trust Anchor
Secure susbsystem that is able to provide attestation that the system hasn’t been changed.
What is a TPM?
Trusted platform module
Hardware based storage of encryption keys, passwords, and other identification information.
What is EAP?
extensible authentication protocol
provides a framework for deploying multiple types of authentication protocols and technologies
What are the parts of OAuth.
Provider - the site that owns the data and the user account, such as Facebook or Google.
Resource Owner - the user with an account with a provider that can allow a client access to some part of their account.
Client - the site that wants to use some resource of the provider by getting permission and authorization from said provider. The client must be registered with the authorization server.
What does SAML use for communication?
XML
What does OAuth use for communication?
JSON
What is the data lifecycle?
Create Store Use Archive Destroy
In which stage of the data life cycle is data shared using various mechanism such as email?
Use
What are the parts of data management?
Inventory, mapping, and integrity management.
What data obfuscation method replaces sensitive data with an irreversible value?
Tokenization
What data obfuscation method is designed to protect PII so that it can be shared?
Anonymization
What are the types of data obfuscation methods?
Encryption Format Conversion (encoding) Tokenization Scrubbing Anonymization
Which type of virtualization platform supports micro services and serverless architecture?
Containerization
What is assigned to cloud resources through the use of tags?
Metadata
Which type of cloud service model can be described as virtual machines and software running on a shared platform to save costs??
Multi-tenant
What are four types of cloud storage models?
Object
File based
Block
Blob
Which storage model typically supports cloud based applications needs to access documents, video, or image files?
Object
Which storage model typically uses a traditional hierarchical system to store files by a path?
File-based
Which storage model typically supports high performance, transactional applications such as databases?
Block
Which storage model typically supports the storage of large amounts of unstructured data?
Blob
What is blockchain?
An expanding list of transactional records which are secured using cryptography. Each block is hashed and the hash value of the previous block in the chain is included int he hash calculation of the next block which links them.
The ledger is distributed across a peer to peer network.
Every node has the ability to view every transaction.
What is a system whereby multiple groups can calculate a function, but the function itself is only known by a single party?
Secure multi-party computation
MPC/SMPC
Which technology is a ledger distributed across a p2p network?
blockchain
What emulates a real life environment through computer generated sites and sounds?
Virtual reality
What term describes computer generated images of a person that appear real?
deep fake
What type of processing deconstructs knowledge into a series of smaller, simpler parts that can be interpreted?
Deep learning
What type of computing uses information represented by spin properties and momentum of matter?
Quantum
What kind of cert is used to identify a devices within an organization?
Trust certificate
What is the current wifi standard to use?
WPA3
What type of encryption does WPA2 use?
AES-CCMP
What type of encryption does WPA3 use?
AES-GCMP
What type of communication does NFC use?
RFID
What is DoH?
DNS over HTTPS
Offers privacy between the user and the DNS server by encrypting the DNS requests
What is sideloading?
Installing an apk file to android that’s not from the app store.
What is a popular android unauthorized app store?
F-Droid
What are two types of certificates commonly used to implement access controls for mobile devices?
Trust certificates, personal certificates
Which standard is associated with Simultaneous authentication of equals?
WPA3
Which device attack allows complete control of a device without the target being paired?
Blueborn attack
What is the process of determining which additional software or scripts may be installed or run on a host beyond it baseline?
execution control
What do BIOS and UEFI use?
BIOS uses the master boot record (MBR)
UEFI uses GUID partition table (GPT)
What is secure boot?
secure boot is designed to prevent a computer from being hijacked by a malicious OS via digital certificates from valid OS vendors.
What is measured boot?
uses platform configuration registers (PCRs) in the TPM at each stage in the boot process to check critical areas for change
What modules does the secure boot attestation services?
NV-RAM which stores the OEMs secure boot info
signature database (db)
revoked signature database (dbx)
Key enrollment key (kek) database
What is a hardware security module?
An HSM is a network appliance designed to perform centralized PKI for a network of devices. Can also be a plugin pcie card or usb connected.
Supposedly better than TPM.
Which types of attacks on Android can bypass the protections of mandatory access control?
Interapp communication attacks
Which control is designed to prevent a computer from being hijacked by a malicious OS?
Secure boot
Which type of host protection should provide capabilities that directly align to the NIST cybersecurtiy framework core?
EDR
What describes intentionally spreading data across different storage locations?
data dispersion
What is bit splitting?
Aka cryptographic splitting
splitting encrypted data outputs into multiple parts which are subsequently stored in disparate storage locations and then encrypting the outputs a second time
What are some FaaS?
functions as a service
AWS Lambda
Google Cloud Functions
Microsoft Azure functions
What are some security concern with serverless computing?
ensuring that the clients accessing the services have not been compromised
entirely reliant on the service provider
Which cloud computing practice eliminates the use of traditional virtual machines?
Serverless
What is a critical component dictating the implementation of logging capabilities in the cloud?
Regulations
What is an ASIC?
application specific integrated circuit, expensively designed single function system
What is an FPGA?
field programmable gate array
A controller not fully set at the time of manufacture that can be programmed to perform a specific function
What is SCADA vs ICS
ICS is industrial control systems, they provide mechanisms for workflow and process automation with machinery. They have embedded PLCs which are linked by a fieldbus or industrial ethernet. Human Machine interfaces provide access via control panel or software.
SCADA is supervisory control and data acquisition - it takes the place of a control server in large scale, multiple site ICSs. Typically runs as regular software.
What is a PLC?
Programmable logic controller - act as a bridge between the real world and the digital world.
Which component integrates practically all of the components of a traditional chipset?
system on a chip
Which type of industrial computer is typically used to enable automation in assembly lines and is programmed using ladder langauge?
Programmable logic controller
Which type of availability attack are industrial computers most sensitive to?
Denial of service
What are two popular hashing algorithms?
MD5 and SHA
What are SHA1 and SHA256’s output size?
160 bit and 256 bit
What algorithm was designated SHA3?
Keccack
What is RIPEMD?
Hashing algorithm designed at the same time as SHA1
Outputs 128, 160, 256, and 320 bits.
Used within PGP encryption.
What is HMAC?
hash based message authentication code
a way to tell the message hasn’t changed and the sender knows the secret key
requires shared key
sender uses an HMAC function to produce a MAC by feeding it the message and a secret key. the receiver can re-do the HMAC function with the message and shared key and if it matches the MAC sent it’s good
What is Poly1305?
MAC focused on speed that works well on older devices, often combined with Salsa20 and ChaCha
What is a stream cipher?
data is encrypted one bit at a time
good for encrypting items where the length of the message is not known
uses an initializaiton vector to generate a unique keystream, which changes
What is a block cipher
data is encrypted in equal sized blocks, data is padded if too short
What are some stream ciphers and which are good?
RC4 - bad
Salsa20 - good
ChaCha - good, based off Salsa, combined with Poly1305 often
What are some stream ciphers and which are good
3des - bad
AES - the best, can use variable block sizes
What are the modes of cipher blocks and which are good?
Cipher block chaining (cbc) - bad Electronic codebook - bad Galois/Counter Mode (GCM) - good Counter (CTR) - good Output Feedback (OFB) - good
Which MAC method is commonly used with Sals20?
Poly1305
What is S/MIME?
Secure multipurpose internet mail extensions
Mail using digital certificates to encrypt email
What are three signing methods?
RSA - factoring large prime numbers
DSA - digital signature algorithm, faster at generating slower at verifying
ECDSA - elliptic curve digital signature algorithm, utilizes properties of elliptic curves
What are two key agreement methods?
Diffie-helman (DH)
Elliptic curve diffie hellman (ECDH)
What are the parts of a cipher suite?
Key exchange, signature, bulk encryption, message authentication, elliptic curve
What is EAP-TLS?
extensible authentication protocol transport layer security
one of the strongest types of authentication and is widely supported
encrypted tunnel between supplicant and server
both supplication and server are configured with certificates
What is PEAP?
protected extensible authentication protocol
encrypted tunnel between supplicant and auth server
only requires server side public key
must use MS-CHAPv2 or EAP-GTC for its inner authentication method
What is Eap TTLS?
uses server side cert, can use any inner authentication protocol
What is EAP FAST?
eap with flexible authentication via secure tunneling
What is IPSEC?
VPN
works at layer 3
provides both confidentiality and integrity by signing each packet
What are the two modes of IPSEC?
Authentication header - provides integrity but does not encrypt the payload. Includes the IP header
ESP - encapsulation security payload - can be used to encrypt the packet and can provide confidentiality, authentication, and integrity. Excludes the IP header
What is ECC?
Asymmetric encryption, has low overhead.
What are the ECC implementations?
P256 - no longer recommended
P384 - can be used for top secret
What takes a key generated from a user and repeatedly converts it to a longer and more random key?
Key stretching
What are some key strethcing methods?
PBKDF2 - widely used
BCRYPT, adds salt
What is the bulk encryption method used int he following cipher suite: ECDHE-RSA-AES128-GCM-SHA256
AES128-GCM
What is the key exchange method used int he following cipher suite: ECDHE-RSA-AES128-GCM-SHA256
ECDHE
What is the signing method used int he following cipher suite: ECDHE-RSA-AES128-GCM-SHA256
RSA
What is the MAC method used int he following cipher suite: ECDHE-RSA-AES128-GCM-SHA256
SHA256
What device used to provide strong authentication stores a user’s digital certificate, private key, and a PIN?
Smart Card
What are the certificate life cycle management steps?
Generate Provision Discover Inventory Monitor Protect Renew Revoke
What is cert pinning?
techniques to ensure that when a client inspects a certificate, it is inspecting the proper certificate
What is cert stapling?
having a web server periodically obtain a time-stamped ocsp response from the CA and returns this response in lieu of making the client contact OCSP itself
What is HSTS?
HTTP strict transport security - a configuration to force https
What entity is responsible for issuing certificates?
Certificate Authority
What is a term to describe the requirement for both client and server devices to use certificates to verify identity?
Mutual authentication
Describe threat vs adversary emulation.
Threat emulation is emulating known tactics techniques and procedures in a realistic way without emulating a specific threat actor
Adversary is threat emulation but mimicing a specific actor
What is the cyber kill chain?
Developed by Lockheed Martin, steps an adversary must complete to achieve their goals
Reconnaissance Weaponization Delivery Exploitation Installation Command and Control Actions on Objectives
What is a defensive approach that assumes breach?
Threat hunting
What are some types of decoy files?
Honytoken
Canary file
What are some deceptive security technologies?
Decoy files Honeypot Honeynet Simulators Dynamic network configurations
What is a simple to deploy deceptive technology?
Simulator
What is a sandbox application?
A self contained software application which includes all of the necessary components to operate on an immutable system.
What is a self contained software application which includes all of the necessary components to operate on an immutable system.
A sandbox application.
What ways can you fix buffer overflow?
Patching
Secure Coding
Address space layout randomization
Data execution protection
What is data execution protection?
The operating system identifies areas of memory allowed and not allowed to contain executable code and prevents that code from executing out of bounds.
What describes how software can be analyzed for open-source components?
Software composition analysis.
What is the default tcpdump command?
tcpdump -i eth0
What are some types of logs?
Network logs
Access logs
Vulnerability logs
Netflow logs
What is NetFlow also known as?
IP Flow Information Export (IPFIX)
What are the steps of the incident response process?
Preparation Detection and Analysis Containment Eradication and Recovery Post Incident Activity
Alerts generated by IDS are more critical as they go down or up in value?
Down in value, 1 is critical
What uses YARA rules most often?
Anti-virus
What are the four steps of the forensic process?
Identification
Collection
Analysis
Reporting
What are some file carving tools?
Foremost - linux
strings
What are some binary analysis tools?
hexdump Ghidra - written by NSA GNU project debugger OllyDBG - windows debugger readelf objdump strace - interactions between processes and the linux kernel ldd - dependency display file
What can be used to inspect firmware images?
Binwalk
What tool can read and write file metadata?
exiftool
What term describes evidence handling from collection through presentation in court?
chain of custody
What are some live collection tools?
netstat ps vmstat - real time I/O information lsof - listopen files netcat conntrack - interact with connection tracking tcpdump wireshark
What are some hashing utilities?
sha256sum
ssdeep - compare files