Chapter 3 - CISSP Flashcards

(103 cards)

1
Q

State Machine Model

A

Evaluates every state of a system, showing all possible interactions between subjects (users) and objects. If every state is secure, the system is secure.

2
Q

Bell-LaPadula Model

A

Maintains CONFIDENTIALITY
Simple Security Property = No Read Up
* Security Property (Star Property) = No Write Down

Keeps things secure by not letting a peon see more than he’s allowed and not letting a boss tell peons anything.

3
Q

Lattice-Based Access Control

A

Defines a Least Upper Bound (LUB) and a Greatest Lower Bound (GLB) of access for each subject. Creates distinct levels of access.

4
Q

Biba Model

A

Maintains INTEGRITY
Simple Integrity Axiom = No Read Down
* Integrity Axiom (Star Integrity Axiom) = No Write Up

Preserves information integrity so that a higher classification doesn’t read low-level bullshit and think it’s real. Doesn’t let an amateur write up to a top-secret holder.

5
Q

Clark Wilson

A
Because the computer is restricted to certain actions, the user is restricted too.
- Limits the abilities of the subject

Two concepts:
1) Well-Formed Transactions
2) Separation of Duties
6
Q

Clark Wilson: Well Formed Transactions

A

Composed of the “access control triple.”

  • Transformation Procedure (TP) - A well formed transaction
  • Constrained Data Item (CDI) - Data that requires integrity
  • Unconstrained Data Items (UDI) - Data that does not require integrity

For each TP, an audit log is kept. This provides both detective and recovery controls.

7
Q

Clark Wilson: Separation of Duties

A

Means that within this system two people are required for two related duties, like AP/AR. One person can’t be doing both.

8
Q

Clark Wilson: General

A

Users must be authorized.
All transactions must be reconstructible.
Must meet the requirements of separation of duties.

9
Q

Chinese Wall (aka Brewer Nash)

A

Consultants must disclose Conflict of Interest (COI) categories so that, if they work for another company, they can’t access sensitive information that is in direct conflict between the two companies.

10
Q

Noninterference Model

A

Means that data from one security level can’t cross over into other security domains. It’s impossible!

11
Q

Take-Grant Model

A

Complex rules that govern interaction between subjects, objects and permissions.

Rules Include: Take, Grant, Create and Remove.

Subjects and objects represented on a graph.

12
Q

Access Control Matrix

A

Table that describes users (subjects) and their access rights to items (objects).

Subject   Somedumbfile1.txt   Somedumbfile2.txt
Daniel    Read                Read/Write
Kye       None                Write
Jack      Read/Write          Read

13
Q

Zachman Framework for Enterprise Architecture

A

Provides six perspectives for describing information security, asking what, how, where, who, when and why, and maps those perspectives across roles including planner, owner, designer, builder, programmer and user. These perspectives and roles are mapped to a matrix (table).

14
Q

Graham Denning Model

A

The Graham-Denning Model has three parts: objects, subjects and rules. It provides a more granular approach for interaction between subjects and objects. There are eight rules.

R1: Transfer Access
R2: Grant Access
R3: Delete Access
R4: Read Object
R5: Create Object
R6: Destroy Object
R7: Create Subject
R8: Destroy Subject
15
Q

Harrison-Ruzzo-Ullman Model

A

The HRU model maps subjects, objects and access rights to an access matrix. It is considered a variation of the Graham-Denning Model. It has six primitive operations and considers subjects to be objects.

Create Object
Create Subject
Destroy Subject
Destroy Object
Enter right into access matrix
Delete right from access matrix
16
Q

Modes of Operation

A

Classifies a system based on the security classification of the files on it.

There are four:

Dedicated - All items are at the same security level. You must have that level of access or higher to get in. e.g. all files are “Secret” and you have “Top Secret” access: bingo, you are in. Or you have “Secret” access: bingo, you are in.
- Note: you need Formal Access Approval and Need to Know for all files on the system.

System High - Files of various security levels, but you need access at the same level or higher to get in.

Compartmentalized - Files of various security levels, and you need specific access to each file.

Multi Level - Research this one

17
Q

The Orange Book

A

Part of NIST (National Institute of Standards and Technology) with help from the NSA:

  • Trusted Computer System Evaluation Criteria (TCSEC), aka The Orange Book
  • First attempt to define differing security levels and access control implementations within an IT system.
  • No longer used except as a reference.
18
Q

The Orange Book: Classes

A

From Worst to Best . . .

D. Minimal Protection (does not meet requirements)
C. Discretionary Protection (Linux/Windows, etc)
B. Mandatory Protection (Top secret, secret etc)
A. Verified Protection

19
Q

The Red Book

A

Brings Orange Book concepts to networks.

20
Q

The Orange Book: Classes In Detail

A

Level   Items to Remember
A1      Built, installed, and delivered in a secure manner
B1      Security labels (MAC)
B2      Security labels and verification of no covert channels (MAC)
B3      Security labels, verification of no covert channels, and must stay secure during startup (MAC)
C1      Weak protection mechanisms (DAC)
C2      Strict login procedures (DAC)
D1      Failed or was not tested

22
Q

European Information Technology Security Evaluation Criteria (ITSEC)

A

European Information Technology Security Evaluation Criteria (ITSEC). It refers to the TCSEC (Orange Book) levels but separates functionality from assurance. There are two types of assurance: effectiveness (Q) and correctness (E). Assurance ratings range from E0 (inadequate) to E6 (formal model of security policy); functionality ratings include TCSEC-equivalent ratings (F-C1, F-C2, etc.). The equivalent ITSEC/TCSEC ratings are:

E0: D
F-C1,E1: C1
F-C2,E2: C2
F-B1,E3: B1
F-B2,E4: B2
F-B3,E5: B3
F-B3,E6: A1

Additional functionality ratings include:

F-IN: High integrity requirements
F-AV: High availability requirements
F-DI: High integrity requirements for networks
F-DC: High confidentiality requirements for networks
F-DX: High integrity and confidentiality requirements for networks

23
Q

The International Common Criteria

A

An internationally agreed upon standard for describing and testing the security of IT products.

  • For governments and the private sector
24
Q

Common Criteria Items

A

Target of Evaluation (ToE): What is being evaluated?
Security Target (ST): Documentation describing ToE and security requirements
Protection Profile (PP): Independent set of security requirements for a specific category of objects
Evaluation Assurance Level (EAL): the evaluation score of the tested product

25
EALs
EAL1: Functionally tested
EAL2: Structurally tested
EAL3: Methodically tested and checked
EAL4: Methodically designed, tested and reviewed
EAL5: Semi-formally designed and tested
EAL6: Semi-formally verified, designed and tested
EAL7: Formally verified, designed and tested
26
Layering
Separates hardware and software functionality into four tiers. Doing something in one layer won't affect the other layers.
27
Layering Tiers
1) Hardware
2) Kernel and Device Drivers
3) Operating System
4) Applications
28
Abstraction
Means the computer hides the underlying complexity from the users. All the crazy computer stuff that happens when you open an .mp3 is hidden. Managing complexity makes the computer more secure.
29
Security Domains
A security domain is the list of objects a subject is allowed to access. Ex. Confidential, Secret and Top Secret are security domains used by the DoD. Ex. In a modern OS, kernel mode and user mode are separate domains; user interactions in user mode should not affect processes in kernel mode.
30
Kernel Mode
Most trusted part of the OS: Allows low level access to the memory, CPU, Disk, etc. - Most trusted and powerful part of the system.
31
Ring Model
The ring model is a form of CPU hardware layering that separates and protects domains (such as Kernel mode and user mode) from each other.
32
Rings of the Ring Model
Ring 0: Kernel
Ring 1: Other OS components that do not fit into Ring 0
Ring 2: Device Drivers
Ring 3: User Applications

Processes communicate between the rings via system calls, which allow processes to communicate with the kernel and provide a window between the rings. While x86 CPUs have four rings, the full usage is theoretical: Linux and Windows use rings 0 and 3 only, opting for simplicity and speed. A newer mode called hypervisor mode (informally called “ring -1”) allows virtual guests to operate in ring 0, controlled by the hypervisor one ring below.
33
Open and Closed Systems
An "open" system uses hardware from various sources, like an IBM-compatible PC. A "closed" system uses hardware from only proprietary sources, like a Mac.
34
The System Unit and Motherboard
The System Unit is the case that holds everything, the motherboard, disk drives, power supply. The Motherboard contains CPU, memory slots, firmware, etc.
35
Computer BUS
Primary point of communication on a computer between the CPU and memory, display, keyboard, CD, etc.
36
Northbridge and Southbridge
A computer architecture that uses two buses. Northbridge (faster): connects the CPU to RAM and video memory. Southbridge: connects the hard disk, USB, CD, etc. to the Northbridge.
37
CPU
The central processing unit (CPU) is the brains of the computer: it performs mathematical calculations and logical operations, accesses memory locations by address, etc.
38
Arithmetic Logic and Control Unit
The ALU performs mathematical calculations (“it computes”). It is fed instructions by the control unit (CU), which acts as a traffic cop sending instructions to the ALU.
39
Fetch & Execute
Fetches machine language instructions and executes them in four steps:
1) Fetch
2) Decode
3) Execute
4) Write
NB: These four steps take one clock cycle to complete.
40
Pipelining
Pipelining combines multiple steps into one combined process, allowing simultaneous fetch, decode, execute and write steps for different instructions, increasing throughput.
41
Interrupt
An interrupt indicates that an asynchronous event has occurred. CPU interrupts are a form of hardware interrupt that cause the CPU to stop processing its current task, save its state and begin processing a new request. When the new task is complete the CPU resumes the prior task.
42
Process
Process – Executable program and its associated data loaded and running in memory. States include:
New – A process being created
Ready – Process waiting to be executed by the CPU
Running – Process being executed by the CPU
Blocked – Waiting for I/O
Terminated – A completed process
Zombie – A child process whose parent has terminated
43
Heavyweight Process (HWP)
Is called a "task." Can spawn Lightweight Processes (LWP).
44
Lightweight Processes (LWP)
The child process called a "thread." Can share memory resulting in lower overhead.
45
Multitasking
Allows multiple tasks (heavyweight processes) to run simultaneously on one CPU.
46
Multiprocessing
Runs multiple processes on multiple CPUs.
47
Watchdog Timer
Designed to recover a system by rebooting after a critical process hangs or crashes. It reboots the system when the timer reaches 0; critical operating system processes continually reset the timer so it never reaches 0. If a critical process hangs or crashes it no longer resets the timer, which reaches 0, and the system reboots.
48
CISC and RISC
Two forms of CPU design
49
CISC
Complex Instruction Set Computer, i.e. x86 - Uses a large set of complex machine language instructions - Mainly PCs
50
RISC
Reduced Instruction Set Computer, i.e. ARM - Uses a smaller set of simpler instructions - Mostly on cell phones, PDAs, etc.
51
Memory Addressing
Where memory is stored on the computer. RAM, registers, etc.
52
Memory Addressing Modes
Memory can be addressed directly or indirectly:
Direct - Goes right to the location in RAM (Go to RAM-1)
Indirect – Goes to a location in RAM that refers to another location (Go to RAM-1, but RAM-1 points to RAM-12)
Register direct – Goes right to a CPU register (Go to Register 5)
Register indirect – A CPU register points to another location (Go to Register 5, but it points to Register 7)
53
Memory Protection
Memory protection prevents one process from affecting the CIA of another. This is a requirement for secure multiuser and multitasking systems.
54
Process Isolation
Logical control: Means that one process cannot interfere with another. This is common in modern OS such as Windows and Linux. MSDOS does not have this feature. Techniques include virtual memory, object encapsulation and time multiplexing.
55
Hardware Segmentation
Maps processes to memory locations and keeps them separate.
56
Virtual Memory
Virtual memory provides address mapping between applications and hardware memory. Virtual memory provides many functions, including multitasking, allowing multiple processes to access the same shared library in memory, swapping and others.
57
Swapping and Paging
Read this: http://www.differencebetween.com/difference-between-paging-and-vs-swapping/

What is Paging?
Paging is a memory management method used by operating systems. Paging allows the main memory to use data that is residing on a secondary storage device. These data are stored in the secondary storage device as blocks of the same size called pages. Paging allows the operating system to use data that will not fit into the main memory. When a program tries to access a page, first the page table is checked to see whether that page is in the main memory. The page table holds details about where the pages are stored. If it is not in the main memory, it is called a page fault. The operating system is responsible for handling page faults without showing them to the program. The operating system first finds where that particular page is stored in the secondary storage and then brings it into an empty page frame in the main memory. Then it updates the page table to indicate that the new data is in the main memory and returns control back to the program that initially requested the page.

What is Swapping?
Swapping is the process of moving all the segments belonging to a process between the main memory and a secondary storage device. Swapping occurs under heavier workloads. The operating system kernel moves all the memory segments belonging to a process into an area called the swap area. When selecting a process for swapping, the operating system will select a process that will not become active for a while. When the main memory has enough space to hold the process, it will be transferred back into the main memory from the swap space so that its execution can be continued.

What is the difference between Paging and Swapping?
In paging, blocks of equal size (called pages) are transferred between the main memory and a secondary storage device, while in swapping, all the segments belonging to a process are moved back and forth between the main memory and a secondary storage device. Since paging moves pages (which could be part of the address space of a process), it is more flexible than swapping. Since paging only moves pages (unlike swapping, which moves a whole process), paging allows more processes to reside in the main memory at the same time compared with a swapping system. Swapping is more suitable when running heavier workloads.
58
BIOS
Contains code in firmware that is executed when the system is powered on, including the POST (power-on self test). Once POST completes, it locates the boot sector, from which the OS kernel is loaded and executed to boot the OS.
59
WORM Storage
Write Once Read Many storage can only be written once and read many times. CD-R, DVD-R and some DLT drives support WORM. - Often used for legal reasons as long-term backups.
60
Trusted Platform Module (TPM)
Piece of hardware attached to the computer.
- Security functions can leverage the TPM chip for random number generation, symmetric/asymmetric and hashing algorithms, and secure storage of cryptographic keys and message digests.
- Provides a hardware root of trust
- Used for boot integrity
- Stores the keys that provide full disk encryption
61
Data Execution Prevention (DEP)
Enabled in hardware or software, DEP attempts to ensure that memory locations not pre-defined to contain executable content cannot have code executed from them.
62
Address Space Layout Randomization (ASLR)
Decreases the likelihood of successful exploitation by making the memory addresses used by the system less predictable.
63
The Kernel
Heart of the OS. - In Ring 0 - Provides interface between hardware and rest of OS.
64
Kernel Modes
Monolithic Kernel - Compiled into one static executable, and the entire kernel runs in supervisor mode. All functionality is precompiled. If additional drivers are needed, a recompile is necessary.
Microkernel - Modular; functionality can be added via loadable kernel modules, which can run in user mode (ring 3). - Means you can add a driver or device while the computer is running.
65
Reference Monitor
A core function of the kernel is running the reference monitor, which mediates access between subjects and objects.
66
NTFS Permissions
Microsoft New Technology File System - More options than Unix - Includes Modify and Full Control
67
Privileged Programs
Programs that can be run by a user with less than root permissions but that access deep-level functionality. Setuid programs like passwd are programs a lower-level user can run that make root-level changes. - The integrity of such programs is key; attackers will try to attack them.
68
Virtualization: Two Kinds
Transparent Virtualization – Runs stock operating systems as virtual guests, such as Windows 10 or Ubuntu.
Paravirtualization – Runs specifically modified operating systems with modified kernel system calls. - More efficient, but means changing the OS, which may not be possible.
69
Hypervisor: Both Kinds
Type 1: Runs on the metal | Type 2: Needs an OS to host it
70
Virtualization Benefits
Lower overall hardware costs, hardware consolidation, lower power and cooling needs. Snapshots allow administrators to create OS images that can be restored with a click of a mouse, making backup and recovery simple and fast, testing new OS, applications and patches can be quite simple. Clustering simplified.
71
Virtualization Security Benefits
Complexity is the enemy of security. Never combine guests with different security requirements (such as DMZ and internal) on one host. VM escape allows exploitation of the host OS or another guest from within a guest. Many network-based security tools, such as a NIDS connected to a physical SPAN port or tap, cannot see traffic passing from one guest to another. There’s a shift to virtual network devices going forward.
72
Cloud Computing Types
Public Cloud Computing – Outsources IT infrastructure, storage or applications to a 3rd-party provider.
IaaS – Infrastructure as a Service – Provides an entire virtualized OS, which the customer configures from the OS up.
PaaS – Platform as a Service – Provides a pre-configured OS, and the customer configures the application.
SaaS – Software as a Service – Completely configured from OS to application; the customer simply uses the application.
Private Cloud – Houses data for a single organization and may be operated by a 3rd party or by the organization itself.
Government clouds are designed to keep data and resources geographically contained within the borders of one country.
73
Grid Computing
Grid computing harnesses the computational power of a large number of dissimilar devices. It typically leverages the spare CPU cycles of devices.
74
Large Scale Parallel Data Systems
Large-scale parallel and distributed computer systems assemble computing resources from many different computers that may be at multiple locations to harness their combined power to solve problems and offer services.
75
Peer to Peer
A model in which any system may act as a server, a client or both. P2P networks are often used to download commercial music or movies in violation of intellectual property rights. Later variations such as Gnutella or BitTorrent are decentralized and much more resilient. Maintaining integrity can be a challenge, as users have no assurance they are receiving legitimate data.
76
Thin Clients
Hardware- or software-based systems used to access a centralized server that serves applications and stores the associated data. Benefits include centralizing the security costs of upgrades, patching, data storage, etc.
77
Diskless Workstations
Contain a CPU and memory but no disk, e.g. PCs, routers, embedded devices and others. The kernel and OS are typically loaded over the network via PXE boot, BOOTP and DHCP.
78
Thin Client Applications
Thin client applications normally run on a system with a full OS but use a web browser as a universal client, providing access to robust applications that are downloaded from the thin client server and run in the client’s browser. Advantages: simplifies client/server and network architecture design, improves performance, and lowers cost.
79
Internet of Things IOT
Small internet-connected devices such as baby monitors, cash registers, appliances, light bulbs, smart meters, fitness monitors, cars, etc. that are directly accessible via the internet.
80
Internet of Things Risk
These devices pose significant security risks: default credentials are common, enterprise management tools are lacking, and patching can be difficult. Vendors often release the base OS and patches slowly and end support for devices that are still in widespread use.
81
Emanations
Energy that escapes an electronic system, which may be remotely monitored under certain circumstances (e.g. as electromagnetic interference). Shielding should be used to mitigate such risks.
82
Covert Channels
Any communication channel that violates security policy. The opposite is called an overt channel.
83
Covert Storage Channels
Uses shared storage such as a temporary directory to allow two subjects to signal each other. - Say two people have different levels of access but can both see the same tmp directory. One person can create a 1 MB file as a message that something is happening, or a 0 MB file that means nothing is happening.
84
Covert Timing Channels
Uses the system clock to infer sensitive information. Ex. An insecure system prints “bad username or password” immediately when a user types a bad username/bad password, but there is a small delay when a user types a good username with a bad password. This timing delay allows attackers to infer which usernames are valid.
85
Backdoors
Shortcut in a system that allows a user to bypass security checks to login. Maintenance hooks are a type of backdoor; they are shortcuts installed by the system designers and programmers to allow developers to bypass normal system checks during development.
86
Malware
Computer Viruses
Worms
Trojans
Rootkits
Packers
Logic Bombs
87
Computer Viruses
Malware that does not spread automatically; viruses require a carrier.
Macro virus – A virus written in a macro language that targets word processors or spreadsheets
Boot sector virus – A virus that infects the boot sector, which loads during PC startup
Stealth virus – A virus that hides itself from the OS and other protective software, such as AV
Polymorphic virus – A virus that changes its signature upon infection of a new system, attempting to evade signature-based AV software
Multipartite virus – A virus that spreads via multiple vectors, AKA multipart virus
88
Worms
Malware that self-propagates. Worms can cause damage in two ways: first by the malicious code they carry, and second by the loss of network availability due to aggressive self-propagation. Ex. Blaster, Sasser, Conficker.
89
Trojans
Malware that performs two functions: one benign and one malicious.
90
Rootkits
Malware that replaces portions of the kernel and/or OS. A user-mode rootkit operates in ring 3 on most systems, replacing OS components in userland, e.g. OS binaries such as the ls and ps commands on Linux/Unix. A kernel-mode rootkit replaces the kernel or loads malicious loadable kernel modules and operates in ring 0.
91
Packers
Provide runtime compression of executables. Upon execution, the decompressor unpacks the compressed executable machine code and runs it. Often used to evade signature-based malware detection.
92
Logic Bombs
A malicious program that is triggered when a logical condition is met, such as after a number of transactions have been processed or on a specific date (time bomb). Malware such as worms may contain logic bombs, behaving in one manner and then changing tactics on a specific date and time.
93
Antivirus Software
AV is designed to prevent and detect malware infections. Signature-based AV uses signatures of known malware. Heuristic-based AV uses anomaly-based detection to attempt to identify behavioral characteristics of malware, such as altering the boot sector.
94
Server Side Attacks
Server-side attacks (aka service-side attacks) are launched directly from an attacker (the client) to a listening service. The Conficker worm spread via a number of methods, including a service-side attack on TCP port 445 exploiting a weakness in the RPC service. Patching, system hardening, firewalls, and other forms of defense-in-depth mitigate server-side attacks.
95
Client side Attacks
Occur when a user downloads malicious content. The attack is initiated by the victim, who downloads content from the attacker. Client-side attacks are difficult to mitigate for organizations that allow internet access. Clients include word processors, spreadsheets, web browsers and, within them, Flash players, media players, etc. All client-side software must be patched, a challenge many organizations struggle with.
96
Java Applet
Runs in a sandbox, which segregates the code from the operating system. Interpreted by the JVM and available for many OSes. - Malicious applets may be able to compromise the security of the client.
97
Active X Applets
Uses digital certificates instead of a sandbox to provide security. Tied more closely to the OS, allowing functionality such as installing patches via Windows Update, but runs on Windows only. - Malicious applets may be able to compromise the security of the client.
98
OWASP
The Open Web Application Security Project is one of the best application security resources. OWASP provides a number of free resources dedicated to improving an organization’s application security posture. The OWASP Top 10 project provides consensus guidance on what are considered the ten most significant application security risks.
99
Service Oriented Architecture (SOA)
Look this Up
100
Polyinstantiation
Polyinstantiation allows two different objects to have the same name. In databases it means two rows may have the same primary key but different data. Databases normally require that all rows in a table contain a unique primary key, so a normal database would generate an error like “duplicate entry.” - The reason is that in one DB with two different security levels, you shouldn't be tipped off to something by being unable to insert a duplicate key.
101
Inference and Aggregation
Inference and aggregation occur when a user is able to use lower-level access to learn restricted information. Inference requires deduction: there is a mystery to be solved, and lower-level details provide the clues. Aggregation is a mathematical process: a user asks every question, receives every answer, and derives the restricted information. - Inference: guessing that a war will start because you see cars late at night at The Pentagon. - Aggregation: downloading an entire phone book by sequentially incrementing numbers in a query string, without having access to download the entire book in one go.
102
Data Analytics
Improves security by analyzing typical use cases in the database to provide a baseline. This potentially allows an organization to proactively identify abuse from insider threats or compromised accounts.
103
Mobile Device Defense
Administrative controls: restrict use of mobile devices via policy; suspend use of USB thumb drives, CDs, flash media cards, and all other removable media.
Technical controls to mitigate infected drives: disable auto-run via group policy.
Technical controls to mitigate infected mobile computers: require authentication at layer 2 via 802.1X and NAC.
Technical controls to mitigate loss of backups or mobile devices: use full disk encryption and remote wipe.