CISSP Flashcards

1
Q

What is the relationship between our Business Continuity Plan (BCP) and our Disaster Recovery Plan (DRP)?

A

The DRP is a sub-plan of the BCP.

BCP (Business Continuity Plan)
- DRP - Disaster Recovery Plan
- COOP - Continuity Of Operations Plan
- CCP - Crisis Communication Plan
- CIPP - Critical Infrastructure Protection Plan
- CIRP - Cyber Incident Response Plan
- ISCP - Information System Contingency Plan
- OEP - Occupant Emergency Plan

2
Q

What does “scoping” mean?

A

Scoping: picking which parts of a standard or framework apply to our organization and leaving out the parts that do not (for example, a control for card-processing systems when a system never touches card data). The related step, tailoring, then adjusts the selected controls to fit the environment.

3
Q

In a “White Box” test, what information would we have?

A

the software
source code
data structures
variables

4
Q

What is the extranet?

A

Connected private intranets often between business partners or parent/child companies.

5
Q

Quantitative Risk Analysis

A

Cost of a risk expressed in money:
AV (Asset Value) - the monetary value of the asset
EF (Exposure Factor) - the percentage of the asset's value lost in a single incident
ARO (Annual Rate of Occurrence) - how many times per year the incident is expected to occur
SLE (Single Loss Expectancy) = AV x EF, the loss from one incident
ALE (Annualized Loss Expectancy) = SLE x ARO, the expected loss per year; a control is cost-justified when the ALE it removes is greater than its own annual cost
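
The formulas above carried through in code, as an added example that is not part of the flashcards. The asset value, exposure factor, rates and the scrubbing-service cost are constructed sample figures; the point is the last step, comparing the ALE a control removes against what the control costs per year.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One quantified risk scenario: AV in money, EF as a fraction, ARO as a yearly rate."""
    asset_value: float      # AV: monetary value of the asset
    exposure_factor: float  # EF: share of AV lost in one incident, 0.0 to 1.0
    aro: float              # ARO: expected incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy: what one incident costs."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: expected cost per year."""
        return self.sle() * self.aro


def control_value(before: Risk, after: Risk, annual_control_cost: float) -> float:
    """Net yearly value of a control: the ALE it removes minus what it costs.
    Positive means it pays for itself; negative means accept or transfer the risk instead."""
    return before.ale() - after.ale() - annual_control_cost


# Constructed example: a 200k web server; a DDoS takes out 25% of its value per hit and is
# expected twice a year. A scrubbing service (assumed 15k/year) should cut the ARO to 0.1.
WEB_SERVER_BEFORE = Risk(asset_value=200_000, exposure_factor=0.25, aro=2.0)
WEB_SERVER_AFTER = Risk(asset_value=200_000, exposure_factor=0.25, aro=0.1)
SCRUBBING_COST = 15_000

if __name__ == "__main__":
    print(f"SLE before control: {WEB_SERVER_BEFORE.sle():>10,.0f}")
    print(f"ALE before control: {WEB_SERVER_BEFORE.ale():>10,.0f}")
    print(f"ALE after control:  {WEB_SERVER_AFTER.ale():>10,.0f}")
    net = control_value(WEB_SERVER_BEFORE, WEB_SERVER_AFTER, SCRUBBING_COST)
    print(f"Net control value:  {net:>10,.0f}")
```

With these figures the SLE is 50,000, the ALE 100,000, and the control cuts the ALE to 5,000 for 15,000 a year, so it is worth roughly 80,000 a year net. Swap in your own AV, EF and ARO estimates; the comparison is the part the exam and real budgeting both care about.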

6
Q

What is the PRIMARY reason we would choose to use hash functions?

A

Integrity. Hash functions are one-way functions.
A variable-length plaintext is hashed into a fixed-length value, the hash or MD (Message Digest). It is used to prove that the data has not changed: changing even a single comma in a 1000-page document produces a completely different hash. A bare hash only proves integrity if the digest itself is protected, for example delivered over a trusted channel, digitally signed, or computed as an HMAC with a shared key; otherwise an attacker who alters the data can simply recompute the hash to match.

7
Q

We want to mitigate injection attacks (OWASP A1) on our web servers. What can we implement to help with that?

A

A1 Injection: attacker-supplied data in a form field is interpreted as code or commands by an interpreter behind the application; SQL and LDAP injection are the most common. It is possible because the application builds queries by concatenating user input and does not enforce input validation, data-type restrictions or length limits on its fields. The primary fix is to keep data and code separate: use parameterized queries (prepared statements) or a safe API so input is never spliced into the query text. On top of that, allow-list validation: only letters in name fields, only digits in phone numbers, dropdowns for country and state (if applicable), a maximum length per field, and a database account with only the privileges the application needs, so a successful injection does as little damage as possible.
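
The vulnerable lookup next to the fixed one, as an added example that is not part of the flashcards. The SQLite table, the two accounts and the username allow-list are constructed for the demo; passwords are stored in plaintext only to keep it short, a real system stores salted, slow hashes.

```python
import re
import sqlite3

USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")  # assumed allow-list for usernames


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed accounts (plaintext passwords for brevity only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "correct-horse", "admin"), ("bob", "battery-staple", "user")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The bug: input is spliced into the SQL text, so a quote in the input rewrites the query.
    password = "' OR '1'='1" turns the WHERE clause into ... AND password = '' OR '1'='1',
    which is true for every row, so the login succeeds without a valid credential."""
    sql = (f"SELECT role FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized query: the driver passes input as bound values, never as SQL text.
    The allow-list check enforces the data-type and length rule as defence in depth."""
    if not USERNAME_RE.fullmatch(username):
        return False
    row = conn.execute("SELECT role FROM users WHERE username = ? AND password = ?",
                       (username, password)).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable, bypass payload:", login_vulnerable(db, "nobody", payload))  # True
    print("safe, same payload:       ", login_safe(db, "nobody", payload))        # False
    print("safe, real credential:    ", login_safe(db, "alice", "correct-horse"))  # True
```

The regex alone would not have stopped the payload here, because it was sent in the password field, which legitimately may contain quotes; that is why parameterization is the primary control and validation the secondary one.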

8
Q

How long are copyrighted materials protected after the creator’s death?

A

Copyright © applies to books, art, music, software and much more. It is granted automatically when the work is created. In the US it lasts 70 years after the creator's death; for works made by or for corporations (works for hire) it lasts 95 years from publication or 120 years from creation, whichever is shorter.

9
Q

If we want to implement a type of encryption that uses discrete logarithms, which of these could we choose?

A

Elliptic Curve Cryptography (ECC). ECC relies on the discrete logarithm problem over elliptic curves, which is much harder per bit of key than the discrete logarithm in ordinary modular arithmetic, so ECC keys are far shorter for the same strength (a 256-bit curve is roughly equivalent to 3072-bit RSA or Diffie-Hellman). Diffie-Hellman, ElGamal and DSA also rely on discrete logarithms, in modular arithmetic rather than on a curve.

10
Q

Which type of networking circuits would we use to ensure the traffic ALWAYS uses the same path?

A

Circuit switching: expensive, but the path is guaranteed; less common today. A dedicated communications channel is set up through the network before any data flows, and all traffic for that connection follows it, with the full bandwidth reserved, as if the nodes were physically connected by a cable. Packet switching, by contrast, may route each packet along a different path.

11
Q

Which generation of programming languages often uses a graphical user interface and drag and drop to generate the actual code?

A

4th Generation languages (4GL): often use a GUI and drag and drop, and then generate the code; commonly used for websites, databases and reports.

12
Q

We are adding hashing to our passwords. Which of these is a hashing function we could consider?

A

RIPEMD: developed by European academics, outside of defense, to avoid government backdoors. Variants produce 128, 160, 256 and 320-bit hashes. Not widely used; the original 128-bit RIPEMD is broken, and RIPEMD-160, while not broken, is not recommended for new designs. Caveat for password storage: no general-purpose hash, RIPEMD or SHA-2 included, should be applied directly to passwords. Use a salted, deliberately slow construction (PBKDF2, bcrypt, scrypt or Argon2) so that each guess costs the attacker real work.

13
Q

We have decided to change the type of hashing we use to a newer version that is collision resistant. What happens when a hash collision occurs?

A

When two different inputs produce the same hash value, that is a collision. Because the input space is far larger than the fixed-size output, collisions must exist, but for a secure hash finding one should be computationally infeasible. Practical collisions have been demonstrated for MD5 and SHA-1, which is why both are retired for digital signatures and certificates in favour of SHA-2 and SHA-3.

14
Q

Key Benefit of QoS

A

QoS (Quality of Service) gives specific traffic priority over other traffic, most commonly VoIP (Voice over IP) or other UDP traffic that needs close to real-time delivery. Other, non-real-time traffic is de-prioritized; a 0.25-second delay on a file download or an email is not noticed.

15
Q

We want to find the right mix of confidentiality, integrity and availability. Which of these is NOT one of the opposites of the CIA triad?

A

Aggregation.
The CIA (Confidentiality, Integrity, Availability) Triad: Confidentiality - we keep our data and secrets secret. Integrity - we ensure the data has not been altered. Availability - we ensure authorized people can access the data they need, when they need it. The opposites are the DAD triad: Disclosure, Alteration, Destruction. Aggregation (combining individually harmless pieces of data into something sensitive) is a threat to confidentiality, not one of the three opposites.

16
Q

Which type of authentication is the WORST to have compromised, because we are unable to reissue it?

A

Something you are - Type 3 Authentication (Biometrics): lost passwords and ID cards can be replaced with new, different ones. Biometrics can't. You can't change your fingerprints; once compromised they are compromised for life. That is one reason biometrics are best used as one factor alongside something you know or something you have, rather than on their own.

17
Q

If we are looking for information on a specific systems hardware, which of our plans could we find that in?

A

DRP (Disaster Recovery Plan): often the "how" and system specific, while the BCP is more the "what" and non-system specific. This is the process of creating the short-term plans, policies, procedures and tools to enable the recovery or continuation of vital IT systems in a disaster. It focuses on the IT systems supporting critical business functions and how we get those back up after a disaster; because of that it is where the hardware, software and configuration details of specific systems live. DRP is a subset of our BCP. We look at what we would do if we get hit with a Distributed Denial of Service (DDoS) attack, if a server gets compromised, if we experience a power outage, etc.

18
Q

Which of these types of memory keeps the data they store, as long as they have power and the data is NOT overwritten?

A

SRAM (Static RAM): fast and expensive. Uses latches (flip-flops) to store bits, so it does not need refreshing; it keeps its data until power is lost or it is overwritten. Often embedded on the CPU as cache. DRAM, by contrast, stores each bit as charge on a capacitor and must be refreshed constantly to keep it.

19
Q

Health care systems in the US must be HIPAA compliant. What is HIPAA an abbreviation of?

A

HIPAA is the Health Insurance Portability and Accountability Act.

20
Q

Which of these countermeasures would be effective against rainbow tables?

A

Salt (salting): random data added as an extra input to the one-way function that hashes a password or passphrase, and stored alongside the resulting hash. Because every user gets a different salt, identical passwords produce different hashes and each hash has to be attacked separately, so a table precomputed for unsalted hashes is useless. Rainbow tables: precomputed tables (a time-memory trade-off) linking plaintexts to their hashes, typically passwords and matching hashes; a table can cover millions of pairs. Salting does not by itself slow down a brute-force attack on one account; for that the hash must also be deliberately slow (PBKDF2, bcrypt, scrypt or Argon2).
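
One block covering cards 6, 12, 13 and 20, as an added example that is not part of the flashcards: a digest that changes completely when one comma is removed (integrity), salted and deliberately slow password hashing that defeats precomputed tables (salting, and why a bare hash such as RIPEMD or SHA-256 is not enough for passwords), and a birthday search on a deliberately truncated digest to show concretely what a collision is. The iteration count is an assumed work factor; the sample document and passwords are constructed.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune so one hash takes ~100 ms on your servers


def sha256_hex(data: bytes) -> str:
    """Fixed-length digest of variable-length input (the MD on card 6)."""
    return hashlib.sha256(data).hexdigest()


def integrity_changed(original: bytes, received: bytes) -> bool:
    """True if the received copy no longer matches the original's digest."""
    return sha256_hex(original) != sha256_hex(received)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow hash in a self-describing record: algo$iterations$salt$hash (hex)."""
    salt = salt if salt is not None else os.urandom(16)   # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), hash_hex)


def truncated_digest(msg: bytes, n_bits: int) -> bytes:
    """First n_bits of SHA-256, so collisions become findable on a laptop (n_bits % 8 == 0)."""
    if n_bits % 8 or not 8 <= n_bits <= 256:
        raise ValueError("n_bits must be a multiple of 8 between 8 and 256")
    return hashlib.sha256(msg).digest()[: n_bits // 8]


def find_collision(n_bits: int, max_tries: int = 1_000_000) -> Optional[Tuple[bytes, bytes]]:
    """Birthday search: after roughly 2**(n_bits/2) random inputs, two share a digest.
    With n_bits=16 that is a few hundred tries; with the full 256 bits it is ~2**128, infeasible."""
    seen = {}
    for _ in range(max_tries):
        msg = secrets.token_bytes(8)
        tag = truncated_digest(msg, n_bits)
        if tag in seen and seen[tag] != msg:
            return seen[tag], msg
        seen[tag] = msg
    return None


if __name__ == "__main__":
    doc = b"Revenue rose 12%, costs fell."          # constructed 'document'
    print("comma removed, digest changed:", integrity_changed(doc, doc.replace(b",", b"")))
    record = hash_password("Winter2017")
    print("same password, two users, two hashes:", record != hash_password("Winter2017"))
    print("verify correct / wrong:", verify_password("Winter2017", record),
          verify_password("Winter2018", record))
    a, b = find_collision(16)
    print("16-bit collision:", a.hex(), b.hex(), truncated_digest(a, 16).hex())
```

Storing the iteration count in the record lets you raise the work factor later and re-hash users on their next successful login, which is how real deployments migrate away from weak hashes.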

21
Q

At the quarterly leadership conference, you are talking about threats to our environments and one of the participants asks you to define what a threat is. Which of these could be your answer?

A

Threat – A potentially harmful incident (Tsunami, Earthquake, Virus, etc.)

22
Q

In a Business Impact Analysis (BIA) assessment, which of these statements would be acceptable?

A

MTD (Maximum Tolerable Downtime) ≥ RTO (Recovery Time Objective) + WRT (Work Recovery Time): the time to rebuild the system (RTO) plus the time to verify it, reload data and reinsert it into production (WRT) must be less than or equal to our MTD.

23
Q

Which of these, is NOT a phase of our Disaster Recovery Planning (DRP) lifecycle?

A

DRP has a lifecycle of Mitigation, Preparation, Response and Recovery. Mitigation: reduce the impact and likelihood of a disaster. Preparation: build the programs, procedures and tools for our response. Response: how we react in a disaster, following the procedures. Recovery: re-establish basic functionality and get back to full production.

24
Q

What is the difference between freeware and shareware?

A

Freeware: actually free software; it is free of charge to use. Shareware: fully functional proprietary software that is initially free to use, often as a trial to test the software; after the trial period (commonly 30 days) you have to pay to continue using it.

25
Q

Which of these is NOT related to security misconfigurations (OWASP A5)?

A

Using deprecated objects or code is a security issue, but it belongs under OWASP A9, Using Components with Known Vulnerabilities. A5 Security Misconfiguration covers databases configured incorrectly; not removing out-of-the-box default access and settings; keeping default usernames and passwords; OS, web server, DBMS, applications, etc. not patched and up to date; and unnecessary features enabled or installed, such as open ports, services, pages, accounts and privileges.

26
Q

The NSA wanted the Clipper chip embedded in telephones and other communication devices. Which encryption algorithm did the chip use?

A

The Clipper chip was a chipset developed and promoted by the United States National Security Agency (NSA) as an encryption device that secured "voice and data messages" with a built-in backdoor: each device's key was escrowed with the government so that law enforcement could decrypt traffic. It used Skipjack, an 80-bit-key block cipher that was classified at the time and declassified in 1998.

27
Q

In our best practice password policy, which of these would be allowed?

A

Passwords should never contain: the name of a pet, child, family member or significant other; anniversary dates, birthdays, birthplace, favorite holiday; something related to a favorite sports team; or the word "password". Winter2017 is not a good password, even if it does fulfill the password requirements. Older official recommendations by the U.S. Department of Defense and Microsoft: password history set to remember 24 passwords; maximum password age 90 days; minimum password age 2 days (to prevent users from cycling through 24 passwords to return to their favorite one); minimum password length 8 characters; passwords must meet complexity requirements; store passwords using reversible encryption disabled. Note that current guidance has moved on: NIST SP 800-63B and Microsoft's present baseline no longer recommend forced periodic expiry or composition rules, favouring longer passwords, screening against lists of breached or common passwords, rate limiting and multi-factor authentication, with a change required only when compromise is suspected.

28
Q

Which of these backup types would NOT clear the archive bit on Windows systems?

A

Full and incremental backups clear the archive bit; differential backups (and copy backups) do not, since they do not reset the marker that says "changed since the last full backup". "Weekly" describes a schedule rather than a backup type, so it cannot be the right answer.

29
Q

When we design our defense in depth, we use multiple overlapping controls. Which of these is a type of preventative access control?

A

Preventive access controls stop an action from happening: least privilege, pre-employment drug tests, IPS, firewalls, encryption.

30
Q

If we use Redundant Array of Independent Disks (RAID) 0 on a server, what does that tell us about the disk configuration?

A

Striping without parity.
RAID 0: striping without mirroring or parity; no fault tolerance, a single disk failure loses all the data; only provides faster read/write speed; requires at least 2 disks.

31
Q

We are using DAC (Discretionary Access Control) in our organization. What is DAC based on?

A

The discretion of the object owner.
DAC (Discretionary Access Control): often used when availability is most important. Access to an object is assigned at the discretion of the object owner, who can add and remove rights. Used by most operating systems. Uses DACLs (Discretionary Access Control Lists) based on user identity.

32
Q

With newer CPUs (Central Processing Units) we can use pipelining, where each processor cycle does multiple tasks. Which of these are functions the CPU performs?

A

Fetch, Decode, Store
The CPU (Central Processing Unit) instruction cycle is Fetch, Decode, Execute, Store. Fetch - gets the next instruction from memory into the processor. Decode - works out what the instruction asks for and which registers or operands it uses. Execute - performs the operation (for example an add or subtract) on the values in the registers. Store - writes the result back to a register or memory (retiring the instruction). Pipelining - overlapping the stages so that in one clock cycle one instruction is being fetched while another is decoded, a third executed and a fourth stored; the stages are not merged, they run side by side on different instructions.

33
Q

When an attacker can guess a URL they do not know about from another, similar, logically named URL, what is that called?

A

Insecure direct object reference.
OWASP 2013 A4, Insecure Direct Object Reference: users can access resources they should not, by guessing the URL or path, which is easy when names follow a logical pattern. If you have access to a report named financials_may2017.pdf on your organization's network, you can try guessing other file names you should not have access to, such as financials_August.pdf or financials_2017.pdf. Mitigated by enforcing access control on every request against the object itself (not trusting the name the client supplied), using non-sequential or indirect references, and monitoring file usage.
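
The guessable-name lookup next to two fixes, as an added example that is not part of the flashcards. The report names, user groups and contents are constructed; the token map stands in for per-session state in a real application.

```python
import secrets

# Constructed sample data: report name -> (group that may read it, contents)
REPORTS = {
    "financials_may2017.pdf": ("finance", b"May figures"),
    "financials_june2017.pdf": ("finance", b"June figures"),
    "hr_salaries_2017.pdf": ("hr", b"Salary bands"),
}
# Constructed: which groups each user belongs to
USER_GROUPS = {"alice": {"finance"}, "bob": {"hr"}}


def fetch_report_vulnerable(requested_name: str) -> bytes:
    """Serves whatever the URL names. A finance user who guesses
    'hr_salaries_2017.pdf' from 'financials_may2017.pdf' simply gets it."""
    return REPORTS[requested_name][1]


def fetch_report_safe(user: str, requested_name: str) -> bytes:
    """Fix 1: authorize against the object's own owner group, on every request,
    rather than trusting the name the client sent."""
    group, contents = REPORTS[requested_name]
    if group not in USER_GROUPS.get(user, set()):
        raise PermissionError(f"{user} is not allowed to read {requested_name}")
    return contents


_HANDLES = {}  # token -> (user it was issued to, real name); per session in a real app


def issue_handle(user: str, name: str) -> str:
    """Fix 2 (indirect reference): hand the client a random token instead of the real,
    guessable name, and only after the access check passes."""
    fetch_report_safe(user, name)                  # raises PermissionError if not allowed
    token = secrets.token_urlsafe(16)
    _HANDLES[token] = (user, name)
    return token


def fetch_by_handle(user: str, token: str) -> bytes:
    """Resolve the token back to the object and re-check access for this user;
    a neighbouring report cannot be reached by editing the token."""
    owner, name = _HANDLES[token]                  # KeyError for a forged or guessed token
    if owner != user:
        raise PermissionError("handle was issued to a different user")
    return fetch_report_safe(user, name)


if __name__ == "__main__":
    print(fetch_report_vulnerable("hr_salaries_2017.pdf"))        # leaks to anyone
    token = issue_handle("alice", "financials_may2017.pdf")
    print(token, fetch_by_handle("alice", token))
    try:
        fetch_report_safe("alice", "hr_salaries_2017.pdf")
    except PermissionError as exc:
        print("blocked:", exc)
```

Indirect references on their own are not a substitute for the ownership check: a token can leak or be replayed, which is why fetch_by_handle re-checks the user before serving the object.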

34
Q

For us to ensure CONTINUAL clean power in our data center, which of these would we use?

A

Uninterruptible Power Supply (UPS)
A UPS contains a large battery bank that takes over instantly in a power outage, and it also conditions the power and provides surge protection. The batteries typically last minutes, not hours, so for longer outages the UPS bridges the gap until a generator starts.

35
Q

Without using anything to trick our systems, an unauthorized individual is allowed access using our biometric authentication. This is an example of what?

A

FAR
FAR (False Acceptance Rate), a Type II error: an unauthorized user is granted access. This is the serious error for a biometric system, as opposed to FRR (False Rejection Rate, Type I error), where an authorized user is wrongly denied.

36
Q

6 months ago, we had an attacker trying to gain access to one of our servers. The attack was not successful, and the authorities were able to find the attacker using our forensics. In court, the attacker claims we used entrapment. Which of these options describes entrapment?

A

A solid legal defense strategy for the attacker; entrapment is illegal and unethical.
Entrapment (illegal and unethical): when someone is persuaded to commit a crime they had no intention of committing and is then charged with it, for example openly advertising sensitive data and then charging people when they access it. Entrapment is a solid legal defense. Contrast with enticement, which is legal: a honeypot that an attacker chooses to attack does not create the intent, it only provides the opportunity.

37
Q

What would be a reason to do misuse case testing on our software?

A

Because attackers do not act like normal users, we need to test against that.
Misuse Case Testing: executing malicious actions against a system. Attackers won't do what normal users do, so we test the ways the application can be misused to ensure it stays safe under abuse, not just under expected use.

38
Q

In which type of access control do subjects have clearances and objects have labels?

A

Mandatory Access Control (MAC)
MAC (Mandatory Access Control): Often used when confidentiality is most important. Access to an object is determined by labels and clearance. This is often used in the military or in organizations where confidentiality is very important.

39
Q

Looking at the governance of our organization, we can use policies, standards, procedures, or other frameworks. Which of these characteristics would BEST describe our policies?

A

Non-specific, but can contain patches, updates, strong encryption.
Policies – Mandatory: High level, non-specific. They can contain “Patches, Updates, strong encryption”, they will not be specific to “OS, Encryption type, Vendor Technology”

40
Q

Which of these would be part of our Disaster Recovery Plan (DRP)?

A

Which teams and roles do what in an incident.
Our DRP (Disaster Recovery Plan) should answer at least three basic questions: What is the objective and purpose. Who will be the people or teams who will be responsible in case any disruptions happen. What will these people do (our procedures) when the disaster hits.

41
Q

In which of these protocols, is IPSEC built into and NOT added on later?

A

IPv6
IPsec (Internet Protocol Security): a set of protocols that provide a cryptographic layer (authentication and encryption) for IP traffic. For IPv4 it is bolted on; for IPv6 it was designed into the protocol and originally mandatory for every implementation, although RFC 6434 later relaxed that requirement to a SHOULD, so do not assume an IPv6 stack implements it.

42
Q

We have just signed a contract with a vendor for a Software as a Service (SaaS) implementation. Where does our responsibility start, and the vendor’s responsibility stop?

A

After the application.
In Software as a Service (SaaS), the vendor provides everything up to and including the application itself. We remain responsible for our data, for who gets accounts and what access they have, and for configuring the application securely.

43
Q

In our fuzz testing, we analyze data and change the fuzz input iteratively. What is this called?

A

Mutation fuzzing.
Fuzzing (fuzz testing): testing that feeds the application a large number of unexpected inputs to try to cause unauthorized access, an unpredictable state, or a crash. If the program crashes or hangs, the fuzzer has found a bug. The fuzzer can use purely random inputs, pre-compiled specific values, or, in mutation fuzzing, take real valid inputs and modify them iteratively.

44
Q

We are implementing new networking infrastructure in our organization. The new infrastructure is using Carrier-sense multiple access with collision detection (CSMA/CD). What are we implementing?

A

Ethernet
CSMA/CD (Carrier Sense Multiple Access with Collision Detection): the medium-access method of classic shared-medium (half-duplex) Ethernet, where stations share one cable or hub and only one can transmit at a time. Clients listen to see if the line is idle; if it is, they send, and if it is in use they wait. If two clients both hear silence and transmit at the same moment their frames collide; CD handles that case. While transmitting, a station keeps monitoring the line, and if it detects a signal other than its own it knows another station is also transmitting, so it sends a jam signal to tell all nodes to stop and then waits a random back-off time (milliseconds) before retransmitting. Modern switched, full-duplex Ethernet gives each link its own collision-free channel, so CSMA/CD is not used there; wireless (802.11) uses CSMA/CA instead, because a radio cannot detect collisions and has to avoid them.

45
Q

In a new data center implementation we want to use IPv6 addresses. Which of these statements are TRUE about IPv6 addresses? (Select all that apply.)

A

They are 128-bit binary.
They use the fe80::/10 prefix for link-local addresses.
They can embed a 48-bit MAC address as the interface identifier by inserting ff:fe in the middle (modified EUI-64).

IPv6 addresses are 128-bit binary, written as eight groups of hexadecimal digits (0-9 and a-f). Link-local addresses use the fe80::/10 prefix (in practice fe80::/64). With stateless address autoconfiguration the 64-bit interface identifier can be derived from the 48-bit MAC (EUI-48): insert ff:fe between the two halves of the MAC to reach 64 bits, and flip the universal/local bit (bit 7 of the first octet) to form the modified EUI-64. Because that exposes the hardware address, most operating systems now default to randomized or privacy interface identifiers (RFC 7217, RFC 8981) instead.
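
The modified EUI-64 construction carried through in both directions, as an added example that is not part of the flashcards. The MAC address is a constructed sample; only the standard library is used.

```python
import ipaddress

LINK_LOCAL_PREFIX = b"\xfe\x80" + bytes(6)   # fe80::/64, the first 8 bytes of the address


def mac_to_modified_eui64(mac: str) -> bytes:
    """48-bit MAC -> 64-bit interface identifier: split the MAC in half, insert ff:fe,
    and flip the universal/local bit (bit 7, value 0x02, of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC such as 00:1a:2b:3c:4d:5e")
    first = octets[0] ^ 0x02
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def mac_to_link_local(mac: str) -> ipaddress.IPv6Address:
    """Stateless autoconfiguration result: fe80:: prefix + modified EUI-64 interface ID."""
    return ipaddress.IPv6Address(LINK_LOCAL_PREFIX + mac_to_modified_eui64(mac))


def link_local_to_mac(address: str) -> str:
    """Reverse mapping, useful when reading logs or neighbour tables. Only meaningful when
    the interface ID really is EUI-64 based; privacy addresses fail the ff:fe check."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        raise ValueError("interface identifier is not modified EUI-64")
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"                       # constructed sample MAC
    addr = mac_to_link_local(mac)
    print(mac, "->", addr)                          # fe80::21a:2bff:fe3c:4d5e
    print(addr, "->", link_local_to_mac(str(addr)))
    print("link-local:", addr.is_link_local)
```

The leading 02 in 21a comes from the flipped universal/local bit; forgetting that flip is the most common mistake when people do this by hand on the exam or when matching addresses to hardware in a capture.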

46
Q

What is the PRIMARY reason we would implement clipping levels?

A

To prevent administrative overhead.
Clipping levels: in place to prevent administrative overhead. A clipping level lets authorized users who forget or mistype their password have a few extra tries before anything happens, while still stopping password guessing by locking the account after the threshold is crossed, for a set time (an hour, say) or until an administrator unlocks it. Caveat: because a lockout can be triggered deliberately, an attacker who knows usernames can lock people out; pair the clipping level with rate limiting by source, a short automatic unlock, and alerting on lockout spikes.
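
The lockout logic behind a clipping level, as an added example that is not part of the flashcards. The threshold, window and lockout duration are assumed values, and time is passed in explicitly so the behaviour is deterministic.

```python
from collections import defaultdict, deque


class ClippingLevel:
    """Lock an account after `threshold` failures inside `window_s` seconds, for `lockout_s` seconds.
    Failures older than the window are forgotten, so occasional typos never add up to a lockout."""

    def __init__(self, threshold: int = 5, window_s: int = 900, lockout_s: int = 3600):
        self.threshold = threshold          # assumed: 5 bad passwords
        self.window_s = window_s            # assumed: within 15 minutes
        self.lockout_s = lockout_s          # assumed: locks for 1 hour
        self._failures = defaultdict(deque)  # user -> timestamps of recent failures
        self._locked_until = {}              # user -> time the lock expires

    def is_locked(self, user: str, now: float) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:                     # lock expired: clear state, allow attempts again
            del self._locked_until[user]
            self._failures[user].clear()
            return False
        return True

    def record_failure(self, user: str, now: float) -> bool:
        """Register a bad password. Returns True if the account is locked after this attempt."""
        if self.is_locked(user, now):
            return True
        recent = self._failures[user]
        recent.append(now)
        while recent and now - recent[0] > self.window_s:   # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.threshold:
            self._locked_until[user] = now + self.lockout_s
            return True
        return False

    def record_success(self, user: str) -> None:
        """A correct password resets the counter; the level is for mistakes, not for attackers."""
        self._failures[user].clear()

    def attempt(self, user: str, password: str, now: float, credentials: dict) -> str:
        """Full login decision: 'locked', 'ok' or 'failed'. `credentials` is a constructed
        user -> password map standing in for the real verifier."""
        if self.is_locked(user, now):
            return "locked"
        if credentials.get(user) == password:
            self.record_success(user)
            return "ok"
        return "locked" if self.record_failure(user, now) else "failed"


if __name__ == "__main__":
    creds = {"alice": "correct-horse"}               # constructed
    cl = ClippingLevel(threshold=3, window_s=600, lockout_s=3600)
    for t, pw in [(0, "x"), (10, "y"), (20, "z"), (30, "correct-horse"), (3700, "correct-horse")]:
        print(t, cl.attempt("alice", pw, t, creds))  # failed, failed, locked, locked, ok
```

Note that the lock is checked before the password, so a locked account gives the same answer for right and wrong passwords; otherwise an attacker could keep guessing through the lock and tell a hit from a miss.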

47
Q

All of these are examples of Distributed Denial of Service (DDoS) attacks, except one. Which of these is NOT a Distributed Denial of Service (DDoS) attack?

A

IPSec flood.
There are many types of Distributed Denial of Service (DDoS) attack, but "IPsec flood" is not a recognized one. UDP floods, SYN floods and MAC floods are all attacks in the denial-of-service family.

48
Q

When is it appropriate to install and use backdoors and maintenance hooks?

A

When the code is still in development.
Maintenance hooks are developer shortcuts that bypass normal authentication to speed up testing; they are only acceptable while the code is in development and must be removed before release, because any hook left in production is a backdoor waiting to be found. Backdoors: often installed by attackers during an attack to retain access after the initial compromise, to keep exfiltrating data over time, or to come back and compromise other systems. They bypass normal authentication or encryption in a computer system, a product or an embedded device, and are used to secure covert remote access or to obtain plaintext in cryptographic systems.

49
Q

Which type of access control could we use to limit access outside of regular work hours?

A

Context-based access control.
Context-based access control: Access to an object is controlled based on certain contextual parameters, such as location, time, sequence of responses, access history.

50
Q

We are using the OSI model to categorize attacks and threats. Which of these are COMMON layer 2 threats?

A

ARP spoofing.
ARP spoofing is an attack where an attacker sends fake ARP (Address Resolution Protocol) messages over a local area network, associating the attacker's MAC address with the IP address of an authorized computer or server on our network so that traffic for that host is delivered to the attacker. Other common layer 2 threats are MAC flooding and VLAN hopping.

51
Q

We are using RAID 5 (Redundant Array of Independent Disks) on one of our servers. At least how many disks does that use?

A

3
RAID 5: block-level striping with distributed parity; requires at least 3 disks. Combines speed with redundancy: any one disk can fail and the data is rebuilt from the parity, but a second failure before the rebuild completes loses data.
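
Striping with rotating parity, and a rebuild after one disk fails, as an added example that is not part of the flashcards. The disk count, block size and data are constructed values; real arrays do this in the controller with much larger blocks, but the XOR relationship is the same.

```python
from typing import List, Optional


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length blocks together; this is all RAID 5 parity is."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def parity_disk_for(stripe: int, n_disks: int) -> int:
    """Distributed parity: the parity block moves one disk to the left each stripe,
    so no single disk becomes the parity bottleneck (unlike RAID 4)."""
    return (n_disks - 1 - stripe) % n_disks


def raid5_write(data: bytes, n_disks: int, block_size: int) -> List[List[bytes]]:
    """Lay data out across n_disks: each stripe holds n_disks-1 data blocks and one parity block."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least 3 disks")
    data_per_stripe = block_size * (n_disks - 1)
    padded = data + b"\x00" * (-len(data) % data_per_stripe)
    disks: List[List[bytes]] = [[] for _ in range(n_disks)]
    for stripe, off in enumerate(range(0, len(padded), data_per_stripe)):
        chunk = padded[off:off + data_per_stripe]
        blocks = [chunk[i:i + block_size] for i in range(0, data_per_stripe, block_size)]
        parity = xor_blocks(blocks)
        pd = parity_disk_for(stripe, n_disks)
        data_iter = iter(blocks)
        for d in range(n_disks):
            disks[d].append(parity if d == pd else next(data_iter))
    return disks


def raid5_read(disks: List[List[bytes]], length: int) -> bytes:
    """Reassemble the data by skipping each stripe's parity block."""
    n_disks = len(disks)
    out = bytearray()
    for stripe in range(len(disks[0])):
        pd = parity_disk_for(stripe, n_disks)
        for d in range(n_disks):
            if d != pd:
                out += disks[d][stripe]
    return bytes(out[:length])


def rebuild_disk(disks: List[Optional[List[bytes]]], failed: int) -> List[bytes]:
    """Every block on the failed disk, data or parity, is the XOR of the other disks'
    blocks in that stripe. Two failed disks leave an unsolvable equation."""
    n_disks = len(disks)
    survivor = (failed + 1) % n_disks
    return [xor_blocks([disks[d][stripe] for d in range(n_disks) if d != failed])
            for stripe in range(len(disks[survivor]))]


if __name__ == "__main__":
    data = b"RAID 5: block-level striping with distributed parity"   # constructed
    disks = raid5_write(data, n_disks=3, block_size=4)
    lost = disks[1]
    disks[1] = None                                  # disk 1 fails
    disks[1] = rebuild_disk(disks, failed=1)
    print("rebuilt matches original:", disks[1] == lost)
    print("data intact:", raid5_read(disks, len(data)) == data)
```

Capacity follows from the layout: with n disks of size s you get (n-1)*s of usable space, and every write costs a parity recalculation, which is why RAID 5 reads fast but writes slower than RAID 0 or RAID 10.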