CISSP ch 9 Flashcards
AIS
Automated indicator sharing, initiative by the Department of Homeland Security (DHS) to facilitate the open and free exchange of indicators of compromise (IoCs) and other cyberthreat information between US federal government and the private sector in an automated and timely manner (“machine speed”)
IoC
indicators of compromise
Indicator = a pattern of one or more observables plus the hypothesis about the threat they signal (e.g., "a file with this hash means malware X is present")
Observable = an identified fact of occurrence, such as the presence of a malicious file, usually recorded together with its hash
STIX
Structured Threat Information eXpression = the data format (JSON in STIX 2.x) used in AIS to describe indicators, observables, campaigns, TTPs and the relationships between them
TAXII
Trusted Automated eXchange of Intelligence Information (originally "Indicator Information") = the HTTPS-based transport protocol used in AIS to publish STIX content to, and pull it from, collections on a TAXII server; STIX is what is shared, TAXII is how it is shared
NCCIC
National Cybersecurity and Communications Integration Center
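What a STIX indicator looks like and how a consumer would act on it, as an added example that is not part of the flashcards or of any AIS/STIX reference implementation. The file hash, names and object values are constructed; the matcher handles only simple equality comparisons (joined by OR), a small subset of real STIX patterning, and that subset is an assumption of this example.

```python
import hashlib
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample: SHA-256 of a (fake) malicious file seen on an endpoint.
MALICIOUS_SHA256 = hashlib.sha256(b"constructed malicious payload").hexdigest()


def _now() -> str:
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def make_indicator(sha256_hex: str, name: str) -> dict:
    """Minimal STIX 2.1 Indicator object. The 'pattern' is a STIX pattern naming the
    observable (a file with this SHA-256); the indicator as a whole is the hypothesis
    that seeing that observable means malicious activity."""
    now = _now()
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": f"[file:hashes.'SHA-256' = '{sha256_hex}']",
        "pattern_type": "stix",
        "valid_from": now,
    }


def make_bundle(objects: list) -> str:
    """A STIX Bundle (JSON) is the unit a TAXII server hands to a pulling client."""
    bundle = {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}
    return json.dumps(bundle, indent=2)


# Matches one comparison of the form  object:path = 'value'  inside a pattern.
_COMPARISON = re.compile(
    r"(?P<obj>[a-z0-9_-]+):(?P<path>[A-Za-z0-9_.'-]+)\s*=\s*'(?P<val>[^']*)'"
)


def indicator_matches(indicator: dict, observed: dict) -> bool:
    """observed looks like {"file": {"hashes": {"SHA-256": "..."}}}. Returns True if any
    comparison in the pattern equals the observed value (OR semantics only)."""
    pattern = indicator["pattern"].strip()
    if not (pattern.startswith("[") and pattern.endswith("]")):
        raise ValueError("unsupported pattern form")
    for m in _COMPARISON.finditer(pattern[1:-1]):
        node = observed.get(m.group("obj"))
        for key in m.group("path").replace("'", "").split("."):
            if not isinstance(node, dict):
                node = None
                break
            node = node.get(key)
        if node is not None and str(node) == m.group("val"):
            return True
    return False
```

Where the check matters: an endpoint or SIEM pulls the bundle over TAXII, hashes each new file it sees, and calls `indicator_matches` for every indicator that is still within its `valid_from`/`valid_until` window.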
Multiprogramming
= Pseudo-simultaneous execution of two tasks on a single processor coordinated by the OS as a way to increase operational efficiency
= Batching or serializing multiple processes so that when one process stops to wait on a peripheral, its state is saved and the next process in line begins to process
= Causes delays for a single program, but total time to complete all tasks in a batch is reduced
Multitasking
= Handling two or more tasks simultaneously
= Cannot truly be performed by a single-core CPU; such a CPU only simulates it by rapidly time-slicing between the tasks
Multicore
= CPU is a chip containing multiple independent execution cores that can operate simultaneously and/or independently
Multiprocessing
= System that harnesses the power of more than one processor to complete the execution of a multithreaded application
Affinity
= When a multiprocessor system assigns or dedicates a process or execution thread to a specific CPU or core
Multithreading
= Permits multiple concurrent tasks to be performed within a single process
Thread
= a self-contained sequence of instructions that can execute in parallel with other threads that are of the same parent process
= switching between threads is more efficient than switching between multiple active processes/contexts
Ring 0
= OS Kernel/Memory
= Resident components
= Highest level of privilege, can access any resource, file or memory location
= Can preempt code running at any other ring
Ring 1
= Other OS components
Ring 2
= Where input-output (I/O) drivers and system utilities reside
= Able to access peripheral devices, special files and other resources that application and other programs cannot access directly
Ring 3
= User-level programs and applications
Rings for supervisory, kernel or privileged mode
= Rings 0 – 2 run in supervisory, kernel or privileged mode
Designed to give the OS access to the full range of instructions supported by the CPU
Only processes that are components of the OS itself are allowed to execute in this mode, for both security and system integrity purposes
Ring for user mode
= Ring 3 runs in user mode
Basic mode used by the CPU when executing user applications
CPU allows execution of only a portion of its full instruction set
System call
= When a process running in a higher-numbered (less privileged) ring asks a handler/driver in a lower-numbered ring for a service it cannot perform itself; the CPU switches to supervisory mode, the kernel validates the request and its arguments, performs it and returns control to user mode
= Mediated-access model: user code never touches hardware or kernel memory directly
Process / operating states
Ready, running, waiting, supervisory, stopped
Ready state
= Process is ready to resume or begin processing as soon as it is scheduled for execution
= Moves to running state
Running state / Problem state
= Process executes on the CPU and keeps going until it finishes, its time slice expires, or it is blocked for some reason
= Moves to ready state, waiting state or stopped state
Waiting state
= Process is ready for continued execution but is waiting for I/O to be serviced before it can continue processing
= Moves to ready state
Supervisory state
= Process must perform an action that requires privileges that are greater than the problem state’s set of privileges
E.g., modifying system configuration, installing device drivers, modifying security settings
Any function not occurring in the user mode or problem state
= Replaces running state when a process is run with higher-level privileges
Stopped
= When a process finishes or must be terminated
E.g., an error occurs, a required resource is not available or a resource request can’t be met
Problem state (OS mode)
= Associated with user mode, where privileges are low and all access requests must be checked against credentials for authorization before they are granted/denied
ROM
read-only memory = memory the system can read but can’t change (no writing)
POST
power-on self-test, contained in bootstrap
PROM
programmable read-only memory = chip’s contents aren’t burned in at the factory, and can instead be burned in by an end user. Once data is written to a PROM chip, no further changes are possible
EPROM
Erasable programmable read-only memory
UVEPROM
Ultraviolet Erasable programmable read-only memory = chips with a small window that, when illuminated with a special ultraviolet light, causes the contents of the chip to be erased, allowing end users to burn new information into the UVEPROM as if it had never been programmed before
EEPROM
Electronically erasable programmable read-only memory = uses electric voltage delivered to the pins of the chip to force erasure, so the chip can be rewritten in place = e.g., flash memory is a form of EEPROM
RAM
random access memory = readable and writable memory that contains information a computer uses during processing = only retains its contents when power is continuously supplied to it, can only be used for temporary storage
Real memory / Main memory / Primary memory
= The largest RAM storage resources available to a computer
= Composed of a number of dynamic RAM chips, and must therefore be refreshed by the CPU on a periodic basis
Cache RAM
= Caches that improve performance by taking data from slower devices and temporarily storing it in faster devices when repeated use is likely
= Processor normally contains an onboard cache of extremely fast memory used to hold data on which it will operate, referred to as L1, L2, L3 and L4 cache (L = level). L1 and L2 are dedicated to a single processor core, L3 may be a cache shared between cores, and some CPUs have L4, which may be located on the mainboard/motherboard or on the GPU
Dynamic RAM
= Uses series of capacitors, tiny electrical devices that hold a charge
= Because capacitors naturally lose their charge over time, CPU must spend time refreshing the contents of dynamic RAM to ensure that 1 bits don’t unintentionally change to 0 bits
= Cheaper and runs slower
Static RAM
= Uses a logical device known as a flip-flop, i.e., an on/off switch that must be moved from one position to another to change a bit from 0 to 1 or vice versa
= Maintains its contents unaltered as long as power is supplied and imposes no CPU overhead for periodic refresh operations
= More expensive and runs much faster
HDD
Hard disk drives
Register
Limited amount of onboard memory of a CPU directly accessible by the arithmetic logical unit when performing calculation or processing instructions = often 32 or 64 bits in size = part of the ALU itself and operates in lockstep with the CPU at typical CPU speeds
ALU
arithmetic logic unit = the part of the CPU that performs arithmetic and logical operations, often called the brain of the CPU
Register addressing
= When the CPU needs information from one of its registers to complete an operation, uses a register address (e.g., register 1) to access its contents
Immediate addressing
= Way of referring to data that is supplied to the CPU as part of an instruction
= E.g. “Add 2 to the value in register 1”
Adding value 2 without need to retrieve that value from a memory location is immediate addressing
Direct addressing
= CPU is provided with an actual address of the memory location to access
= Address must be located on the same memory page as the instruction being executed
= More flexible than immediate addressing, since the contents of the memory location can be changed more readily than reprogramming the immediate addressing’s hard-coded data
Indirect addressing
= Memory address supplied to the CPU as part of the instruction doesn’t contain the actual value that the CPU is to use, but instead contains another memory address
= CPU reads the indirect address to learn the address where the desired data resides and then retrieves the actual operand (object) from that address
Base+Offset addressing
= Uses a value stored in one of the CPU's registers (or a pointer) as the base location from which to begin counting, and adds the offset supplied in the instruction to reach the operand
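The five addressing modes on the cards above, resolved by a toy CPU. This is an added illustration, not code from the flashcards or from any real processor: the register file, memory layout, page size and instruction format are all assumptions made for the demo. The indirect case is the one with security weight: whoever can overwrite the pointer cell (mem[6] here) chooses where the CPU reads from.

```python
from dataclasses import dataclass, field


@dataclass
class CPU:
    regs: list = field(default_factory=lambda: [0] * 8)   # 8 general registers (assumed)
    mem: list = field(default_factory=lambda: [0] * 64)   # 64 words of memory (assumed)
    page_size: int = 16                                    # direct addressing stays on one page

    def fetch_operand(self, mode: str, value: int, pc: int = 0, base_reg: int = 0) -> int:
        """Return the operand an instruction refers to, according to its addressing mode."""
        if mode == "immediate":            # the value IS the operand ("add 2 to ...")
            return value
        if mode == "register":             # the value names a register
            return self.regs[value]
        if mode == "direct":               # the value is the operand's memory address
            if value // self.page_size != pc // self.page_size:
                raise ValueError("direct address must be on the page of the instruction")
            return self.mem[value]
        if mode == "indirect":             # the value is the address of a pointer to the operand
            ptr = self.mem[value]          # a corrupted pointer here redirects the read anywhere
            return self.mem[ptr]
        if mode == "base+offset":          # operand lives at regs[base_reg] + value
            return self.mem[self.regs[base_reg] + value]
        raise ValueError(f"unknown addressing mode {mode!r}")


def add_to_register(cpu: CPU, reg: int, mode: str, value: int, **kw) -> int:
    """ADD instruction: regs[reg] += operand; returns the new register value."""
    cpu.regs[reg] += cpu.fetch_operand(mode, value, **kw)
    return cpu.regs[reg]


def demo() -> dict:
    """Run one ADD in each mode against a constructed register/memory state."""
    cpu = CPU()
    cpu.regs[1] = 10      # accumulator
    cpu.mem[5] = 7        # a value at address 5 (page 0)
    cpu.mem[6] = 40       # a pointer stored at address 6 that refers to address 40
    cpu.mem[40] = 99      # the value the pointer refers to
    cpu.regs[2] = 32      # base register
    cpu.mem[34] = 3       # base 32 + offset 2
    return {
        "immediate": add_to_register(cpu, 1, "immediate", 2),                 # 10 + 2  = 12
        "register": add_to_register(cpu, 1, "register", 1),                   # 12 + 12 = 24
        "direct": add_to_register(cpu, 1, "direct", 5, pc=0),                 # 24 + 7  = 31
        "indirect": add_to_register(cpu, 1, "indirect", 6),                   # 31 + 99 = 130
        "base+offset": add_to_register(cpu, 1, "base+offset", 2, base_reg=2), # 130 + 3 = 133
    }


def direct_off_page_rejected() -> bool:
    """Direct addressing with the instruction on page 1 and the operand on page 0 is refused."""
    try:
        CPU().fetch_operand("direct", 5, pc=20)
        return False
    except ValueError:
        return True
```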
Pointer
= A basic element or object used to store a memory address
= Holds the address of something stored in memory so that when the program reads the pointer, it is pointing to the location of the data actually needed by the application
Dereferencing
= Act of following a pointer to read (or write) the memory location it refers to
Race condition
= When the outcome of two or more operations that a system or device performs at the same time depends on their timing (classically a check and the use that relies on that check)
= Can cause a null pointer error: one thread checks a pointer, another clears or frees it before the first thread dereferences it, so the pointer the application expects to be valid is really null (or corrupted), resulting in a crash
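The pointer, dereferencing and race-condition cards together, as an added example that is not from the flashcards. Two threads share a pointer-like slot; the interleaving is forced with events so the demo is deterministic, which is an assumption for illustration (a real race needs no such help). In C the null dereference would be a segmentation fault; Python raises AttributeError instead, and the racy reader catches it only so it can report the outcome.

```python
import threading


class Buffer:
    """Stands in for a heap object that a pointer refers to."""
    def __init__(self, data: bytes):
        self.data = data

    def read(self) -> bytes:
        return self.data


class Slot:
    """A shared pointer cell: .ref is a Buffer or None (a null pointer)."""
    def __init__(self, buf: Buffer):
        self.ref = buf
        self.lock = threading.Lock()


def racy_reader(slot: Slot, checked: threading.Event, cleared: threading.Event):
    # BUG: check-then-use on a shared pointer. Between the null check and the
    # dereference, another thread can clear the slot.
    if slot.ref is not None:
        checked.set()          # demo hook: the other thread now gets its turn
        cleared.wait()
        try:
            return slot.ref.read()          # dereferences None
        except AttributeError:
            return "crash: null dereference"
    return "empty"


def safe_reader(slot: Slot, checked: threading.Event, cleared: threading.Event):
    # FIX: copy the pointer under the lock and use only the local copy. The object
    # the copy refers to stays valid no matter what happens to the slot afterwards.
    with slot.lock:
        local = slot.ref
    checked.set()
    cleared.wait()
    if local is None:
        return "empty"
    return local.read()


def releaser(slot: Slot, checked: threading.Event, cleared: threading.Event):
    """The competing thread: waits until the reader has passed its check, then nulls the pointer."""
    checked.wait()
    with slot.lock:
        slot.ref = None
    cleared.set()


def run(reader) -> object:
    """Run one reader against the releaser and return what the reader observed."""
    slot = Slot(Buffer(b"secret"))          # constructed shared object
    checked, cleared = threading.Event(), threading.Event()
    result = {}
    t_reader = threading.Thread(target=lambda: result.setdefault("out", reader(slot, checked, cleared)))
    t_releaser = threading.Thread(target=releaser, args=(slot, checked, cleared))
    t_reader.start()
    t_releaser.start()
    t_reader.join()
    t_releaser.join()
    return result["out"]
```

The fix is not "add a null check"; it is making the check and the use operate on the same snapshot so no window exists between them.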
Secondary memory
Secondary memory = magnetic, optical or flash-based media or other storage devices that contain data not immediately available to the CPU. For the CPU to access data in secondary memory, data must first be read by the OS and stored in real memory
= All the long-term storage devices
= E.g., HDDs, SSDs, flash drives, magnetic tapes, CDs, DVDs and flash memory cards
Virtual memory
= Special type of secondary memory that is used to expand the addressable space of real memory
= Most common type is pagefile or swapfile that most OSs manage as part of their memory management functions
= Contains data previously stored in real memory but not recently used
= When OS needs to access addresses stored in the pagefile, it checks to see whether the page is memory-resident (can be accessed immediately) or whether it has been swapped to disk (must read data from disk back into real memory, called paging)
= Primary drawback is that paging operations that occur when data is exchanged between primary and secondary memory are relatively slow. Need for virtual memory is reduced with larger banks of actual physical RAM, and performance can be improved by using a flashcard or an SSD to host the virtual memory paging file
pagefile
example of virtual memory
swapfile
example of virtual memory
A swap file is a system file that creates temporary storage space on a solid-state drive or hard disk when the system runs low on memory. The file swaps a section of RAM storage from an idle program and frees up memory for other programs.
cold boot attack
memory compromise in which the attacker chills the RAM chips to slow the decay of their contents after power is removed (or the modules are pulled from the motherboard), then reboots into a minimal OS or moves the modules to another machine to dump keys and other secrets still resident in memory
TEMPEST
type of countermeasures and safeguards used to protect against emanation attacks = originally a government research study aimed at protecting electronic equipment from electromagnetic pulse (EMP) emitted during nuclear explosions
Van Eck phreaking
reading electric emanations from a distance = TEMPEST eavesdropping
Control zone
= Implementation of both a Faraday cage and a white noise generation to protect a specific area in an environment
STP (wire)
shielded twisted pair = type of wire manufactured to block emanation
CRT (monitor)
legacy cathode ray tube monitors = more prone to radiate significantly
MFP
multifunction printer = include fax capabilities and are network attached
PSTN
public switched telephone network = the analog voice network; for security it matters as a legacy attack path in which a remote caller reaches a modem, fax modem or fax machine and drives it with the ancient AT command set to take control of the attached computer system
BIOS
BIOS = basic input/output system = legacy low-level firmware (software embedded in a motherboard's EEPROM or flash chip) that contains the OS-independent primitive instructions a computer needs to start up and load the OS from disk = identifies and initializes the basic system hardware components, such as the hard drive, optical drive and video card
UEFI
unified extensible firmware interface = modern BIOS replacement, with support for larger hard drives, faster boot times, enhanced security features and the ability to use a mouse when making system changes, a CPU-independent architecture, a flexible pre-OS environment with networking support, measured boot, boot attestation/secure boot, and backward and forward compatibility
Flashing
process of updating the UEFI, BIOS or firmware
Phlashing
attack in which a malicious variation of official firmware is installed that introduces remote control or other malicious features into a device
Boot attestation = secure boot
a feature of UEFI that aims to protect the local OS by preventing the loading or installing of device drivers or an OS that is not signed by a preapproved digital certificate= protects systems against a range of low-level or boot-level malware, such as certain rootkits and backdoors
Measured boot
optional feature of UEFI that takes a hash calculation of every element involved in the booting process, hashes are performed by and stored in the Trusted Platform Module (TPM) = if foul play is detected during booting, the hashes of the most recent boot can be accessed and compared against known-good values to determine which (if any) of the boot components have been compromised = only records, does not interrupt or stop the process of booting
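The measured-boot card in working form, as an added example that is not from the flashcards and not TPM vendor code: a software model of the TPM PCR extend operation (new PCR = SHA-256(old PCR || measurement)), an event log, and the comparison against known-good values that the card says happens after the fact. The boot components are constructed byte strings standing in for firmware, bootloader and kernel images; using one PCR and SHA-256 for everything is a simplifying assumption.

```python
import hashlib


def sha256(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend. A PCR can only be extended, never written, so its final value
    commits to every measurement fed in and to the order they were fed in."""
    return sha256(pcr + measurement)


def measure_boot(components):
    """components: ordered list of (name, image_bytes). Each stage hashes the next one
    and extends the PCR before handing over control. Returns (final_pcr_hex, event_log)."""
    pcr = b"\x00" * 32                       # PCRs are zero at power-on
    log = []
    for name, image in components:
        digest = sha256(image)
        pcr = pcr_extend(pcr, digest)
        log.append((name, digest.hex()))     # the TPM event log records what was extended
    return pcr.hex(), log


def replay_log(log) -> str:
    """Verifier side: recompute the PCR from the event log alone, to check that the log
    is consistent with the PCR value the TPM reports."""
    pcr = b"\x00" * 32
    for _, digest_hex in log:
        pcr = pcr_extend(pcr, bytes.fromhex(digest_hex))
    return pcr.hex()


def find_tampered(log, known_good_log):
    """Measured boot records but never blocks; detection is this comparison of each
    component's digest with the golden value."""
    return [name for (name, d), (_, good) in zip(log, known_good_log) if d != good]


# Constructed boot chains (stand-ins for real images)
GOOD_CHAIN = [("firmware", b"uefi-image"), ("bootloader", b"grub"), ("kernel", b"vmlinuz")]
TAMPERED_CHAIN = [("firmware", b"uefi-image"), ("bootloader", b"grub+rootkit"), ("kernel", b"vmlinuz")]
```

The contrast with secure boot: secure boot checks a signature before loading each stage and refuses unsigned code; measured boot loads everything and leaves a tamper-evident record, which is only useful if something later compares it (locally, or remotely via attestation).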
Client-side attack
any attack that is able to harm a client, as opposed to targeting a server or server-side component = e.g., malicious website that transfers malicious mobile code (such as an applet) to a vulnerable browser running on the client
Applets
code objects sent from a server to a client to perform some action = self-contained miniature programs that execute independently of the server that sent them = use of applets was more common in early 2010s = Historical examples:
Java applets
o Java = platform-independent programming language developed by Sun Microsystems (now owned by Oracle)
ActiveX controls
o Microsoft’s answer to Sun’s Java applets
o Now a legacy technology, both EOL (end of life) and EOS (end of support)
BHO
BHO = Browser helper object = an add-on module loaded into the browser; security-oriented add-ons act as JavaScript safeguards by blocking scripts from untrusted origins
E.g., NoScript for Mozilla Firefox and uBlock Origin for Chrome and Edge
Same-origin policy
= browser rule that prohibits JavaScript code loaded from one origin (scheme + host + port) from reading content (DOM, cookies, responses) that belongs to another origin; the server must explicitly opt out (e.g., with CORS headers) for a cross-origin read to be permitted
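How a browser decides whether two URLs share an origin, as an added example that is not from the flashcards or from any browser's source: the origin is the (scheme, host, port) triple, with a missing port meaning the scheme's default. The URLs and the default-port table are constructed for the demo, and ignoring CORS (the server-side opt-out) is an assumption of this example.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}   # assumed table for the demo


def origin(url: str):
    """Return the (scheme, host, port) triple; path, query and fragment play no part."""
    p = urlsplit(url)
    if not p.scheme or not p.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")
    port = p.port if p.port is not None else DEFAULT_PORTS.get(p.scheme.lower())
    return (p.scheme.lower(), p.hostname.lower(), port)


def same_origin(a: str, b: str) -> bool:
    return origin(a) == origin(b)


def script_may_read(script_url: str, target_url: str) -> bool:
    """What the same-origin policy alone allows: a script loaded from script_url may read
    the content of target_url only if both map to the same origin."""
    return same_origin(script_url, target_url)
```

Note that a different subdomain, a different scheme or a non-default port each produce a distinct origin, which is why `https://api.bank.example` cannot be read by a script from `https://bank.example` without the API server's explicit consent.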
Split-response attack
example of an exploitation (HTTP response splitting) in which the attacker injects line breaks into a value the server reflects into an HTTP header, so the server emits a second, attacker-crafted response; the client or an intermediary proxy downloads that content and stores it in the cache even though it was not an intended element of the requested web page
SMP
symmetric multiprocessing = where a single computer contains multiple processors that are treated equally and controlled by a single OS = processors share a common OS, data bus and memory resources = systems use a large number of processors that work collectively on a single or primary task, code or project
AMP
asymmetric multiprocessing = processors are often operating independently of one another = each processor has its own OS, task instruction set, data bus and memory resources = processors can be configured to execute only specific code or operate on specific tasks
MPP
massive parallel processing = variation of AMP = numerous AMP systems are linked together in order to work on a single primary task across multiple processes in multiple linked systems
ICS
industrial control system = form of computer-management device that controls industrial processes and machines, also known as operational technology (OT)
E.g., PLC, DCS, SCADA
PLC
= programmable logic controllers
o Single-purpose or focused-purpose digital computers
o Typically deployed for the management and automation of various industrial electromechanical operations, such as controlling systems on an assembly line or a large-scale digital light display (e.g., giant display system in a stadium)
o Used to control a single device in a standalone manner
o E.g., used to control a single transformer
DCS
= distributed control systems
o Typically found in industrial process plants where the need to gather data and implement control over a large-scale environment from a single location is essential
o Controlling elements are distributed across the monitored environment, such as the manufacturing floor or production line, and the centralized monitoring location sends commands out of those localized controllers while gathering status and performance data
o Focuses on processes and is state driven
o Used to control processes using a network of sensors, controllers, actuators and operator terminals
o Able to carry out advanced process control techniques
o More suited to operating on a limited scale
o Was used to interconnect several PLCs, but within a limited physical range
o E.g., used to manage a power station
SCADA
= supervisory control and data acquisition = often referred to by its operator console, the HMI = human-machine interface
o Focuses on data gathering and is event driven
o Suitable for managing systems over large geographic areas
o E.g., used to oversee a power grid
o Can operate as a standalone device, be networked together with other SCADA systems or be networked with traditional IT systems
o Can expand networks of PLCs to large-scale physical area
o Enables people to better understand, oversee, manage and control complex machine and technology systems
o Used to monitor and control a wide range of industrial processes, but it is not able to carry out advanced process control techniques
ISA99 standards development committee
= established and is maintaining guidelines for securing ICS, DCS, PLC and SCADA systems
- Their work is integrated into the International Electrotechnical Commission’s (IEC) 62443 series of standards
- NIST SP 800-82
- North American Electric Reliability Corporation (NERC) maintains its own security guides for ICS as part of the Critical Infrastructure Protection (CIP) standards, which are similar to those of the European Reference Network for Critical Infrastructure Protection (ERNCIP)
DCE
Distributed computing environment = distributed system = concurrent computing, parallel computing or distributed computing = a collection of individual systems that work together to support a resource or provide a service = can be implemented to provide resiliency, reliability, performance and scalability = often employed for scientific and medical research projects, education project and industrial applications requiring extensive computation resources = can be implemented as:
- client-server architectures
- three-tier architecture (e.g., basic web applications)
- multitiered architectures (e.g., advanced web applications)
- peer-to-peer architectures (e.g., BitTorrent and most cryptocurrency blockchain ledgers)
SOA
= Service-oriented architecture
an architectural style that focuses on discrete services instead of a monolithic design.
also applied in the field of software design where services are provided to the other components by application components, through a communication protocol over a network. A service is a discrete unit of functionality that can be accessed remotely and acted upon and updated independently, such as retrieving a credit card statement online. SOA is also intended to be independent of vendors, products and technologies.
SDN
= Software-defined networking = management of networking as a virtual or software resource even though it technically still occurs over hardware = derivative of IaC and DCE
IDL
= interface definition language = language used to define the interface between client and server process or objects in a distributed system, enables the creation of interfaces between objects when those objects are in varying locations or are using different programming languages = e.g.,
- RPCs = remote procedure calls
- CORBA = common object request broker architecture
- DCOM = distributed component object model
RPC
remote procedure calls, type of interface language
In distributed computing, a remote procedure call (RPC) is when a computer program causes a procedure (subroutine) to execute in a different address space (commonly on another computer on a shared computer network), which is written as if it were a normal (local) procedure call, without the programmer explicitly writing the details for the remote interaction.
CORBA
common object request broker architecture, type of interface language
designed to facilitate the communication of systems that are deployed on diverse platforms
DCOM
distributed component object model, type of interface language
Distributed Component Object Model (DCOM) is a proprietary Microsoft technology for communication between software components on networked computers
The extension of COM into Distributed COM was driven by extensive use of DCE/RPC (Distributed Computing Environment/Remote Procedure Calls)
HPC
High-performance computing systems = computing platforms designed to perform complex calculations or data manipulations at extremely high speeds
- E.g., super computers and MPP solutions
- Used when real-time or near-real-time processing of massive data is necessary for a particular task or application, including scientific studies, industrial research, medical analysis, societal solutions and commercial endeavors
HPC is composed of three main elements:
- Compute resources
- Network capabilities
- Storage capacity
RTOS
= real-time OS = designed to process or handle data as it arrives on the system with minimal latency or delay = often used by HPC systems for compute capability = typically stored in ROM and designed to operate under a hard real-time condition (a missed deadline is a failure) or a soft real-time condition (a missed deadline degrades service)
Three dumb routers
= deploying a distinct network for the IoT equipment, separate and isolated from the primary network
Microcontroller
= similar to but less complex than a system on a chip or SoC (chapter 11) = small computer on one chip consisting of a CPU (with one or more cores), RAM, various input/output capabilities and often nonvolatile storage in the form of flash or ROM/PROM/EEPROM = e.g.,
Raspberry Pi
o single-board computer with a 64-bit CPU, loosely classed as a microcontroller
Arduino
o Open source hardware and software organization that creates single-board 8-bit microcontrollers for building digital devices
o Simpler than a Raspberry Pi
o Programmed in a C/C++ dialect through the Arduino IDE
FPGA
= field-programmable gate array = a flexible computing device whose logic is intended to be programmed by the end user or customer after manufacture
VDI
= Virtual Desktop Infrastructure = can be used to implement static systems
BLE
= Bluetooth low energy = special communication protocol for wireless devices
ISFW
= Internal segmentation firewall = used to create a network division or segment
SOA
= service oriented architecture = constructs new applications or functions out of existing but separate and distinct software services
Microservices
= one element, feature, capability, business logic or function of a web application that can be called upon or used by other web applications = emerging feature of web-based solutions and a derivative of SOA = a type of programming or design architecture, not an API; APIs are what provide I/O between microservices and to and from other applications
SDP
= service delivery platform = collection of components that provide the architecture for service delivery = used in relation to telecommunications, similar to a content delivery network (CDN)
IaC
= Infrastructure as code = viewing hardware configuration as just another collection of elements to be managed in the same way that software and code are managed under DevSecOps (security, development and operations) = managing hardware using version control, predeployment testing, custom-crafted test code, reasonableness checks, regression testing, and consistency in a distributed environment = examples of IaC hardware management software:
- AWS CloudFormation
- Terraform
- Puppet
VMM
= virtual machine monitor/manager = hypervisor = component of virtualization that creates, manages and operates the virtual machines
Type I hypervisor
= native or bare-metal hypervisor = no host OS, hypervisor installs directly onto the hardware where the host OS would normally reside = often used to support server virtualization, allowing for maximization of hardware resources while eliminating any risks or resource reduction caused by a host OS
Type II hypervisor
= a hosted hypervisor = a standard regular OS is present on the hardware, and then the hypervisor is installed as another software application = often used in relation to desktop deployments, where the guest OSs offer safe sandbox areas to test new code, allow the execution of legacy applications, support apps from alternate OSs and provide the user with access to the capabilities of a host OS
SECaaS
= Security as a service = cloud-delivered security functions such as backup, authentication, authorization, auditing/accounting, antimalware, storage, SIEM, IDS/IPS analysis and monitoring as a service (MaaS) = typically delivered by a managed service provider (MSP) or a managed security service provider (MSSP)
SDDC
= software-defined data center = virtual data center = VDC = replacing physical IT elements with solutions provided virtually, and often by an external third party, such as a cloud service provider (CSP)
PMD / PED / POD
= personal mobile device = personal electronic device = portable electronic device = PED = personally owned device = POD
SEAndroid
= Security-Enhanced Android = framework to integrate elements of Security-Enhanced Linux into Android devices, including support for Mandatory Access Control (MAC) and middleware mandatory access control (MMAC), reducing privileged daemon vulnerabilities, sandboxing and isolating apps, blocking app privilege escalation, enabling app privilege adjustments both during installation and at runtime, and defining a centralized security policy that can be scrutinized
MDM
= Mobile device management = software solution that manages the myriad mobile devices that employees use to access company resources = can be used to push or remove apps, manage data, and enforce configuration settings both over the air (across a carrier network) and over Wi-Fi connections
UEM
= Unified endpoint management = software tool that provides a single management platform to control mobile, PC, IoT, wearables, ICS and other devices = replacement for MDM and enterprise mobility management (EMM) products, combining the features of numerous products into one solution
WiPS
= wireless positioning system = Wi-Fi positioning system = WFPS = using known location of wireless access points/base stations to determine a mobile device’s location
MCM system
= mobile content management system = used to control company resources and the means by which they are accessed or used on mobile devices
CMS
= content management system = goal is to maximize performance and work benefit while reducing complexity, confusion and inconvenience = e.g., firewall service on the network, rather than being on-device
MAM
= mobile application management = similar to an MDM, but focuses only on app management rather than managing the entire mobile device
BYOD
= bring your own device = policy that allows employees to bring their own personal mobile devices to work and may allow them to use those devices to connect to business resources and/or the internet through the company network
COPE
= corporate-owned, personally enabled = organization purchases devices and provides them to employees
CYOD
= choose your own device = provides users with a list of approved devices from which to select the device to implement = BYOD and COPE variants, where either employee or organization purchases approved device
COMS / COBO
= corporate-owned mobile strategy = corporate-owned, business only (COBO) = company purchases the mobile devices that can support security compliance with the security policy, and that are to be used exclusively for company purposes
DLL
= dynamic-link libraries = shared library files loaded by Windows programs; verifying their hashes or signatures against known-good values is one way to detect the presence of a rootkit, which typically replaces or hooks them