CISSP ch 9 Flashcards

1
Q

AIS

A

Automated indicator sharing, initiative by the Department of Homeland Security (DHS) to facilitate the open and free exchange of indicators of compromise (IoCs) and other cyberthreat information between US federal government and the private sector in an automated and timely manner (“machine speed”)

2
Q

IoC

A

indicators of compromise

Indicator = observable and a hypothesis about a threat

Observable = identified fact of occurrence, such as the presence of a malicious file, usually accompanied by a hash

3
Q

STIX

A

Structured Threat Information eXpression = standardized language/format (JSON in STIX 2.x) for describing threat indicators and their context; used in AIS to share threat indicators

4
Q

TAXII

A

Trusted Automated eXchange of Indicator Information = HTTPS-based transport protocol used in AIS to exchange STIX-formatted threat indicators
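Worked example for the IoC, STIX and TAXII cards above: building a minimal STIX 2.1 indicator bundle of the kind an AIS/TAXII client would publish, and pulling the hash back out as a consumer would before loading it into a watchlist. This is an added illustration, not code from the flashcards or from DHS/CISA; the SHA-256 value and timestamp are constructed placeholders, and only the standard library is used so it runs offline.

```python
"""Added example: minimal STIX 2.1 bundle with one indicator (constructed data)."""
from __future__ import annotations

import json
import re
import uuid

# Constructed placeholders: not a real malware hash or observation time.
SAMPLE_SHA256 = "a" * 64
CREATED = "2024-01-01T00:00:00.000Z"   # STIX timestamps: RFC 3339, UTC, millisecond precision


def stix_id(obj_type: str) -> str:
    """STIX 2.1 identifiers have the form '<type>--<UUIDv4>'."""
    return f"{obj_type}--{uuid.uuid4()}"


def make_indicator(sha256: str, name: str, created: str = CREATED) -> dict:
    """Indicator = detection pattern (the observable) + context (the hypothesis).

    The pattern carries the file hash; the other fields say what we believe the
    hash means (indicator_types) and from when the claim is valid.
    """
    if len(sha256) != 64 or any(c not in "0123456789abcdef" for c in sha256.lower()):
        raise ValueError("SHA-256 must be 64 hex characters")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": stix_id("indicator"),
        "created": created,
        "modified": created,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern_type": "stix",
        "pattern": f"[file:hashes.'SHA-256' = '{sha256.lower()}']",
        "valid_from": created,
    }


def make_bundle(*objects: dict) -> dict:
    """A bundle is the container object exchanged over TAXII."""
    return {"type": "bundle", "id": stix_id("bundle"), "objects": list(objects)}


def indicator_hashes(bundle: dict) -> list[str]:
    """Consumer side: extract SHA-256 values from every indicator pattern.

    The regex only handles the single-hash pattern form produced above; real
    STIX patterns can be compound and need a proper pattern parser.
    """
    found = []
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator":
            continue
        m = re.search(r"file:hashes\.'SHA-256'\s*=\s*'([0-9a-f]{64})'", obj["pattern"])
        if m:
            found.append(m.group(1))
    return found


if __name__ == "__main__":
    bundle = make_bundle(make_indicator(SAMPLE_SHA256, "Constructed example: dropper hash"))
    print(json.dumps(bundle, indent=2))
    print("hashes to watch:", indicator_hashes(bundle))
```

In a real deployment the JSON would be POSTed to a TAXII 2.1 collection's `objects` endpoint; the point of the pattern-plus-context split is that the consumer can act on the observable (block the hash) while keeping the hypothesis (why it is bad, since when) for triage.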

5
Q

NCCIC

A

National Cybersecurity and Communications Integration Center

6
Q

Multiprogramming

A

= Pseudo-simultaneous execution of two tasks on a single processor coordinated by the OS as a way to increase operational efficiency
= Batching or serializing multiple processes so that when one process stops to wait on a peripheral, its state is saved and the next process in line begins to process
= Causes delays for a single program, but total time to complete all tasks in a batch is reduced

7
Q

Multitasking

A

= Handling two or more tasks simultaneously
= Cannot truly be performed by a single-core CPU; on a single core the OS only simulates it by rapidly switching between tasks (time slicing)

8
Q

Multicore

A

= CPU is a chip containing multiple independent execution cores that can operate simultaneously and/or independently

9
Q

Multiprocessing

A

= System that harnesses the power of more than one processor to complete the execution of a multithreaded application

10
Q

Affinity

A

= When a multiprocessor system assigns or dedicates a process or execution thread to a specific CPU or core

11
Q

Multithreading

A

= Permits multiple concurrent tasks to be performed within a single process

12
Q

Thread

A

= a self-contained sequence of instructions that can execute in parallel with other threads that are of the same parent process
= switching between threads is more efficient than switching between multiple active processes/contexts

13
Q

Ring 0

A

= OS Kernel/Memory
= Resident components
= Highest level of privilege, can access any resource, file or memory location
= Can preempt code running at any other ring

14
Q

Ring 1

A

= Other OS components

15
Q

Ring 2

A

= Where input-output (I/O) drivers and system utilities reside
= Able to access peripheral devices, special files and other resources that application and other programs cannot access directly

16
Q

Ring 3

A

= User-level programs and applications

17
Q

Rings for supervisory, kernel or privileged mode

A

= Rings 0 – 2 run in supervisory, kernel or privileged mode
 Designed to give the OS access to the full range of instructions supported by the CPU
 Only processes that are components of the OS itself are allowed to execute in this mode, for both security and system integrity purposes

18
Q

Rings for user mode

A

= Ring 3 runs in user mode
 Basic mode used by the CPU when executing user applications
 CPU allows execution of only a portion of its full instruction set

19
Q

System call

A

= When a process running in a higher-numbered ring asks a handler/driver in a lower-numbered ring for services they need
= Mediated-access model

20
Q

Process / operating states

A

Ready, running, waiting, supervisory, stopped

Ready state
= Process is ready to resume or begin processing as soon as it is scheduled for execution
= Moves to running state

Running state / Problem state
= Process executes on the CPU and keeps going until it finishes, its time slice expires, or it is blocked for some reason
= Moves to ready state, waiting state or stopped state

Waiting state
= Process is ready for continued execution but is waiting for I/O to be serviced before it can continue processing
= Moves to ready state

Supervisory state
= Process must perform an action that requires privileges that are greater than the problem state’s set of privileges
 E.g., modifying system configuration, installing device drivers, modifying security settings
 Any function not occurring in the user mode or problem state
= Replaces running state when a process is run with higher-level privileges

Stopped
= When a process finishes or must be terminated
 E.g., an error occurs, a required resource is not available or a resource request can’t be met
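Worked example for the process-state card above: a toy round-robin scheduler that moves constructed processes through ready, running, waiting and stopped, recording every transition so the state diagram can be checked rather than memorized. This is an added illustration, not code from the flashcards or from any real OS; the workload, the two-tick quantum and the step format ("cpu", n) / ("io", n) are all assumptions made for the example.

```python
"""Added example: toy round-robin scheduler driving the ready/running/waiting/stopped states."""
from collections import deque
from dataclasses import dataclass, field

READY, RUNNING, WAITING, STOPPED = "ready", "running", "waiting", "stopped"


@dataclass
class Process:
    name: str
    steps: list                       # [("cpu", ticks) | ("io", ticks)], consumed as it runs
    state: str = READY
    io_left: int = 0
    history: list = field(default_factory=list)   # [(from_state, to_state)]

    def set_state(self, new: str) -> None:
        self.history.append((self.state, new))
        self.state = new


def run(procs, quantum: int = 2, max_ticks: int = 1000) -> int:
    """Drive every process to the stopped state; return the ticks consumed."""
    ready = deque(procs)
    waiting = []
    current = None
    used = 0
    tick = 0
    while (ready or waiting or current is not None) and tick < max_ticks:
        tick += 1
        # 1. Peripherals progress every tick regardless of who holds the CPU.
        for p in list(waiting):
            p.io_left -= 1
            if p.io_left == 0:
                waiting.remove(p)
                if p.steps:
                    p.set_state(READY)        # waiting -> ready
                    ready.append(p)
                else:
                    p.set_state(STOPPED)      # the I/O was its last step
        # 2. Dispatch if the CPU is free.
        if current is None and ready:
            current = ready.popleft()
            current.set_state(RUNNING)        # ready -> running
            used = 0
        if current is None:
            continue                          # idle tick: everyone is blocked on I/O
        # 3. Execute one tick of the running process.
        kind, n = current.steps[0]
        if kind == "io":
            current.steps.pop(0)
            current.io_left = n
            current.set_state(WAITING)        # running -> waiting (blocked on a peripheral)
            waiting.append(current)
            current = None
            continue
        used += 1
        if n - 1 == 0:
            current.steps.pop(0)
        else:
            current.steps[0] = (kind, n - 1)
        if not current.steps:
            current.set_state(STOPPED)        # running -> stopped (finished)
            current = None
        elif used == quantum:
            current.set_state(READY)          # running -> ready (time slice expired)
            ready.append(current)
            current = None
    return tick


def demo():
    """Constructed workload: one CPU-bound and one I/O-bound process."""
    cpu_bound = Process("cpu_bound", [("cpu", 3)])
    io_bound = Process("io_bound", [("cpu", 1), ("io", 2), ("cpu", 1)])
    ticks = run([cpu_bound, io_bound], quantum=2)
    return ticks, cpu_bound.history, io_bound.history


if __name__ == "__main__":
    ticks, h1, h2 = demo()
    print("ticks:", ticks)
    print("cpu_bound:", " -> ".join(s for _, s in h1))
    print("io_bound: ", " -> ".join(s for _, s in h2))
```

The CPU-bound process shows the running -> ready path (its slice expires), the I/O-bound one shows running -> waiting -> ready; neither can move from waiting straight to running, which is the transition the card's diagram rules out. The supervisory state is not modelled: a system call would be a ring transition inside a running tick, not a separate queue.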

21
Q

Problem state (OS mode)

A

= Associated with user mode, where privileges are low and all access requests must be checked against credentials for authorization before they are granted/denied

22
Q

ROM

A

read-only memory = memory the system can read but can’t change (no writing)

23
Q

POST

A

power-on self-test = hardware check run by the bootstrap firmware (BIOS/UEFI) before the OS is loaded

24
Q

PROM

A

programmable read-only memory = chip’s contents aren’t burned in at the factory, and can instead be burned in by an end user. Once data is written to a PROM chip, no further changes are possible

25
Q

EPROM

A

Erasable programmable read-only memory

26
Q

UVEPROM

A

Ultraviolet Erasable programmable read-only memory = chips with a small window that, when illuminated with a special ultraviolet light, causes the contents of the chip to be erased, allowing end users to burn new information into the UVEPROM as if it had never been programmed before

27
Q

EEPROM

A

Electrically erasable programmable read-only memory = uses electric voltage delivered to the pins of the chip to force erasure = e.g., flash memory

28
Q

RAM

A

random access memory = readable and writable memory that contains information a computer uses during processing = only retains its contents when power is continuously supplied to it, can only be used for temporary storage

29
Q

Real memory / Main memory / Primary memory

A

= The largest RAM storage resources available to a computer
= Composed of a number of dynamic RAM chips, and must therefore be refreshed by the CPU on a periodic basis

30
Q

Cache RAM

A

= Caches that improve performance by taking data from slower devices and temporarily storing it in faster devices when repeated use is likely
= Processor normally contains an onboard cache of extremely fast memory used to hold data on which it will operate, referred to L1, L2, L3 and L4 cache (L = level). L1 and L2 dedicated to a single processor core, L3 may be a shared cache between cores, some CPUs have L4, which may be located on the mainboard/motherboard or on the GPU

31
Q

Dynamic RAM

A

= Uses series of capacitors, tiny electrical devices that hold a charge
= Because capacitors naturally lose their charge over time, CPU must spend time refreshing the contents of dynamic RAM to ensure that 1 bits don’t unintentionally change to 0 bits
= Cheaper and runs slower

32
Q

Static RAM

A

= Uses a logical device known as a flip-flop, i.e., an on/off switch that must be moved from one position to another to change a 0 to a 1 or vice versa
= Maintains its contents unaltered as long as power is supplied and imposes no CPU overhead for periodic refresh operations
= More expensive and runs much faster

33
Q

HDD

A

Hard disk drives

34
Q

Register

A

Limited amount of onboard memory of a CPU directly accessible by the arithmetic logical unit when performing calculation or processing instructions = often 32 or 64 bits in size = part of the ALU itself and operates in lockstep with the CPU at typical CPU speeds

35
Q

ALU

A

arithmetic logical unit = the brain of the CPU

36
Q

Register addressing

A

= When the CPU needs information from one of its registers to complete an operation, uses a register address (e.g., register 1) to access its contents

37
Q

Immediate addressing

A

= Way of referring to data that is supplied to the CPU as part of an instruction
= E.g. “Add 2 to the value in register 1”
 Adding value 2 without need to retrieve that value from a memory location is immediate addressing

38
Q

Direct addressing

A

= CPU is provided with an actual address of the memory location to access
= Address must be located on the same memory page as the instruction being executed
= More flexible than immediate addressing, since the contents of the memory location can be changed more readily than reprogramming the immediate addressing’s hard-coded data

39
Q

Indirect addressing

A

= Memory address supplied to the CPU as part of the instruction doesn’t contain the actual value that the CPU is to use, but instead contains another memory address
= CPU reads the indirect address to learn the address where the desired data resides and then retrieves the actual operand (object) from that address

40
Q

Base+Offset addressing

A

= Uses a value stored in one of the CPU’s registers or pointers as the base location from which to begin counting; the offset carried in the instruction is added to that base to form the effective address

41
Q

Pointer

A

= A basic element or object used to store a memory address
= Holds the address of something stored in memory so that when the program reads the pointer, it is pointing to the location of the data actually needed by the application

42
Q

Dereferencing

A

= Act of following a pointer to read (or write) the memory location it refers to

43
Q

Race condition

A

= When a system or device tries to perform two or more operations at the same time
= Can cause a null pointer error, in which an application dereferences a pointer that it expects to be valid but that is really null (or corrupted), resulting in a crash
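Worked example for the addressing-mode, pointer, dereferencing and null-pointer cards above: a toy CPU whose operand resolver has one branch per addressing mode (register, immediate, direct, indirect, base+offset), with every memory dereference passing through a null check so that a pointer left at 0 faults instead of silently reading address 0. This is an added illustration, not code from the flashcards or any real ISA; the instruction format, register count and the convention that address 0 is the null pointer are assumptions made for the example.

```python
"""Added example: toy CPU exercising the five addressing modes and a null-pointer fault."""


class NullPointerFault(Exception):
    """Raised when an instruction dereferences address 0 (the null pointer)."""


class ToyCPU:
    def __init__(self, mem_size: int = 64, nregs: int = 4):
        self.regs = [0] * nregs
        self.mem = [0] * mem_size          # word-addressed; address 0 is reserved as null

    # ---- every memory access goes through these two checks
    def load(self, addr: int) -> int:
        if addr == 0:
            raise NullPointerFault("dereference of null (address 0)")
        if not 0 < addr < len(self.mem):
            raise IndexError(f"address {addr} out of range")
        return self.mem[addr]

    def store(self, addr: int, value: int) -> None:
        if addr == 0:
            raise NullPointerFault("write through null (address 0)")
        if not 0 < addr < len(self.mem):
            raise IndexError(f"address {addr} out of range")
        self.mem[addr] = value

    # ---- operand resolution: one branch per addressing mode
    def fetch(self, operand) -> int:
        mode = operand[0]
        if mode == "reg":                   # register addressing: value lives in a register
            return self.regs[operand[1]]
        if mode == "imm":                   # immediate: the value is part of the instruction
            return operand[1]
        if mode == "dir":                   # direct: instruction carries the data address
            return self.load(operand[1])
        if mode == "ind":                   # indirect: instruction carries a pointer's address
            pointer = self.load(operand[1])    # first read fetches the pointer
            return self.load(pointer)          # second read dereferences it
        if mode == "base":                  # base+offset: register holds the base address
            _, r, offset = operand
            return self.load(self.regs[r] + offset)
        raise ValueError(f"unknown addressing mode {mode!r}")

    def execute(self, program):
        """Run ("MOV"|"ADD", dest_reg, operand) instructions; return final registers."""
        for op, dest, operand in program:
            value = self.fetch(operand)
            if op == "MOV":
                self.regs[dest] = value
            elif op == "ADD":
                self.regs[dest] += value
            else:
                raise ValueError(f"unknown opcode {op!r}")
        return list(self.regs)


def demo() -> list:
    """Constructed program touching each addressing mode once."""
    cpu = ToyCPU()
    cpu.mem[10] = 7                  # a plain data word
    cpu.mem[20] = 10                 # a pointer: address 20 holds the address 10
    cpu.mem[32:35] = [1, 2, 3]       # a small array starting at address 32
    program = [
        ("MOV", 0, ("imm", 2)),       # r0 = 2                 immediate
        ("ADD", 0, ("dir", 10)),      # r0 += mem[10]          direct       -> 9
        ("ADD", 0, ("ind", 20)),      # r0 += mem[mem[20]]     indirect     -> 16
        ("MOV", 1, ("imm", 32)),      # r1 = array base
        ("ADD", 0, ("base", 1, 2)),   # r0 += mem[r1 + 2]      base+offset  -> 19
        ("MOV", 2, ("reg", 0)),       # r2 = r0                register     -> 19
    ]
    return cpu.execute(program)


def null_deref() -> str:
    """A pointer slot that was never initialised still holds 0: dereferencing it faults."""
    cpu = ToyCPU()
    try:
        cpu.fetch(("ind", 5))        # mem[5] == 0, so the second read hits address 0
    except NullPointerFault as e:
        return str(e)
    return "no fault"


if __name__ == "__main__":
    print("registers after demo:", demo())
    print("indirect through uninitialised pointer:", null_deref())
```

The indirect branch is the pointer model: two reads, the first of which yields an address. The race-condition failure the card describes is the case where that first read happens before another thread has filled the slot in, which is why real allocators and drivers check the pointer before following it rather than trusting that initialisation already ran.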

44
Q

Secondary memory

A

Secondary memory = magnetic, optical or flash-based media or other storage devices that contain data not immediately available to the CPU. For the CPU to access data in secondary memory, data must first be read by the OS and stored in real memory

= All the long-term storage devices
= E.g., HDDs, SSDs, flash drives, magnetic tapes, CDs, DVDs and flash memory cards

45
Q

Virtual memory

A

= Special type of secondary memory that is used to expand the addressable space of real memory
= Most common type is pagefile or swapfile that most OSs manage as part of their memory management functions
= Contains data previously stored in real memory but not recently used
= When OS needs to access addresses stored in the pagefile, it checks to see whether the page is memory-resident (can be accessed immediately) or whether it has been swapped to disk (must read data from disk back into real memory, called paging)
= Primary drawback is that paging operations that occur when data is exchanged between primary and secondary memory are relatively slow. Need for virtual memory is reduced with larger banks of actual physical RAM, and performance can be improved by using a flashcard or an SSD to host the virtual memory paging file

46
Q

pagefile

A

example of virtual memory

47
Q

swapfile

A

example of virtual memory

48
Q

cold boot attack

A

memory compromise that freezes memory chips to delay the decay of resident data when the system is turned off or the RAM is pulled out of the motherboard

49
Q

TEMPEST

A

type of countermeasures and safeguards used to protect against emanation attacks = originally a government research study aimed at protecting electronic equipment from electromagnetic pulse (EMP) emitted during nuclear explosions

50
Q

Van Eck phreaking

A

reading electromagnetic emanations (Van Eck radiation) from a distance = TEMPEST eavesdropping

51
Q

Control zone

A

= Implementation of both a Faraday cage and a white noise generation to protect a specific area in an environment

52
Q

STP (wire)

A

shielded twisted pair = type of wire manufactured to block emanation

53
Q

CRT (monitor)

A

legacy cathode ray tube monitors = more prone to radiate significantly

54
Q

MFP

A

multifunction printer = include fax capabilities and are network attached

55
Q

PSTN

A

public switched telephone network = the phone line that modems, fax modems and fax machines (including fax-capable MFPs) attach to; an attacker who dials in can abuse the ancient AT modem command set these devices still support to take control of the attached computer system

56
Q

BIOS

A

BIOS = basic input/output system = legacy low-level firmware embedded in a motherboard’s EEPROM or flash chip, contains the OS-independent primitive instructions that a computer needs to start up and load the OS from disk = identifies and initializes the basic system hardware components, such as the hard drive, optical drive and video card

57
Q

UEFI

A

unified extensible firmware interface = modern BIOS replacement, with support for larger hard drives, faster boot times, enhanced security features and the ability to use a mouse when making system changes, a CPU-independent architecture, a flexible pre-OS environment with networking support, measured boot, boot attestation/secure boot, and backward and forward compatibility

58
Q

Flashing

A

process of updating the UEFI, BIOS or firmware

59
Q

Phlashing

A

attack in which a malicious variation of official firmware is installed that introduces remote control or other malicious features into a device

60
Q

Boot attestation = secure boot

A

a feature of UEFI that aims to protect the local OS by preventing the loading or installing of device drivers or an OS that is not signed by a preapproved digital certificate= protects systems against a range of low-level or boot-level malware, such as certain rootkits and backdoors

61
Q

Measured boot

A

optional feature of UEFI that takes a hash calculation of every element involved in the booting process, hashes are performed by and stored in the Trusted Platform Module (TPM) = if foul play is detected during booting, the hashes of the most recent boot can be accessed and compared against known-good values to determine which (if any) of the boot components have been compromised = only records, does not interrupt or stop the process of booting
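Worked example for the measured boot card above: the TPM extend operation that folds each boot component's hash into a PCR, the event-log replay a verifier uses to check that the log matches the PCR, and the baseline comparison that names the first component whose hash changed. This is an added illustration, not code from the flashcards, a TPM or any firmware; the boot components, their contents and the "golden" baseline are constructed, and the extend formula (SHA-256 of old PCR concatenated with the new digest, starting from 32 zero bytes) is the one TPM 2.0 uses for the SHA-256 bank.

```python
"""Added example: PCR extend chain, event-log replay and known-good comparison (constructed data)."""
import hashlib

PCR_INITIAL = bytes(32)   # PCRs start at all-zero on reset (SHA-256 bank: 32 bytes)


def measure(component: bytes) -> bytes:
    """Hash one boot component exactly as the loader would before handing control to it."""
    return hashlib.sha256(component).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """PCR_new = H(PCR_old || digest). The TPM never stores the digest itself, only
    this running value, so both the content and the order of measurements are captured."""
    return hashlib.sha256(pcr + digest).digest()


def boot_chain(components):
    """Simulate a boot: measure each (name, blob) in order. Returns (final_pcr, event_log)."""
    pcr = PCR_INITIAL
    log = []
    for name, blob in components:
        d = measure(blob)
        log.append((name, d))          # the event log is what gets handed to a verifier
        pcr = extend(pcr, d)           # the PCR is what the TPM can attest (quote) to
    return pcr, log


def replay(log) -> bytes:
    """Recompute the PCR from an event log. If this differs from the quoted PCR,
    the log has been edited and cannot be trusted for root-cause analysis."""
    pcr = PCR_INITIAL
    for _, d in log:
        pcr = extend(pcr, d)
    return pcr


def first_divergence(log, known_good):
    """Return the first component whose digest differs from the baseline
    (known_good: name -> expected digest), or None if all match."""
    for name, d in log:
        if known_good.get(name) != d:
            return name
    return None


# Constructed golden boot: the values an administrator recorded on a trusted build.
GOLDEN = [
    ("firmware", b"constructed firmware image v1"),
    ("bootloader", b"constructed bootloader v1"),
    ("kernel", b"constructed kernel v1"),
]


def demo() -> dict:
    golden_pcr, golden_log = boot_chain(GOLDEN)
    baseline = dict(golden_log)
    # Constructed tampering: the bootloader was replaced, everything else is intact.
    tampered = [GOLDEN[0], ("bootloader", b"constructed bootloader with implant"), GOLDEN[2]]
    pcr, log = boot_chain(tampered)
    return {
        "pcr_matches_golden": pcr == golden_pcr,
        "log_replays_to_pcr": replay(log) == pcr,
        "first_divergence": first_divergence(log, baseline),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note what the code does not do: `boot_chain` keeps going after measuring the implanted bootloader. That is the card's point: measured boot only records, and the detection happens later when the PCR (or a TPM quote over it) is compared against the known-good value and the log is walked to find the component that changed. Secure boot is the feature that would have refused to run the unsigned bootloader in the first place.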

62
Q

Client-side attack

A

any attack that is able to harm a client, as opposed to targeting a server or server-side component = e.g., malicious website that transfers malicious mobile code (such as an applet) to a vulnerable browser running on the client

63
Q

Applets

A

code objects sent from a server to a client to perform some action = self-contained miniature programs that execute independently of the server that sent them = use of applets was more common in early 2010s = Historical examples:

Java applets
o Java = platform-independent programming language developed by Sun Microsystems (now owned by Oracle)

ActiveX controls
o Microsoft’s answer to Sun’s Java applets
o Now a legacy technology, both EOL (end of life) and EOS (end of support)

64
Q

BHO

A

BHOs = browser helper objects = browser add-ons/extensions, e.g., used as a JavaScript safeguard
 E.g., NoScript for Mozilla Firefox and uBlock Origin for Chrome and Edge

65
Q

Same-origin policy

A

= prohibits JavaScript code loaded from one origin from accessing content from another origin = an origin is the combination of scheme (protocol), host and port
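Worked example for the same-origin card above: the origin comparison itself, including the two details that trip people up in practice (a missing port means the scheme's default port, and host comparison is case-insensitive while paths are ignored). This is an added illustration, not code from the flashcards or from any browser; the URLs are constructed, and the check models only the scheme/host/port tuple, not browser special cases such as opaque origins or `document.domain`.

```python
"""Added example: same-origin comparison on (scheme, host, effective port)."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def origin(url: str):
    """Return the (scheme, host, port) tuple the same-origin policy compares."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if not scheme or parts.hostname is None:
        raise ValueError(f"not an absolute URL with a host: {url!r}")
    # urlsplit lower-cases hostname already; an explicit port wins over the default.
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, parts.hostname, port)


def same_origin(a: str, b: str) -> bool:
    return origin(a) == origin(b)


def blocked_reads(page: str, targets) -> list:
    """Which of `targets` a script running on `page` may NOT read responses from.

    Cross-origin requests can usually still be *sent*; what the policy blocks is
    reading the response, unless the target opts in via CORS.
    """
    return [t for t in targets if not same_origin(page, t)]


if __name__ == "__main__":
    # Constructed URLs for the demo.
    page = "https://app.example.com/dashboard"
    targets = [
        "https://app.example.com:443/api/me",   # same origin (explicit default port)
        "http://app.example.com/api/me",        # different scheme
        "https://api.example.com/v1",           # different host
        "https://app.example.com:8443/",        # different port
    ]
    for t in blocked_reads(page, targets):
        print("blocked:", t)
```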

66
Q

Split-response attack

A

example of an exploitation that can cause the client to download content and store it in the cache that was not an intended element of a requested web page

67
Q

SMP

A

symmetric multiprocessing = where a single computer contains multiple processors that are treated equally and controlled by a single OS = processors share a common OS, data bus and memory resources = systems use a large number of processors that work collectively on a single or primary task, code or project

68
Q

AMP

A

asymmetric multiprocessing = processors are often operating independently of one another = each processor has its own OS, task instruction set, data bus and memory resources = processors can be configured to execute only specific code or operate on specific tasks

69
Q

MPP

A

massive parallel processing = variation of AMP = numerous AMP systems are linked together in order to work on a single primary task across multiple processes in multiple linked systems

70
Q

ICS

A

industrial control system = form of computer-management device that controls industrial processes and machines, also known as operational technology (OT)

E.g., PLC, DCS, SCADA

71
Q

PLC

A

= programmable logic controllers
o Single-purpose or focused-purpose digital computers
o Typically deployed for the management and automation of various industrial electromechanical operations, such as controlling systems on an assembly line or a large-scale digital light display (e.g., giant display system in a stadium)
o Used to control a single device in a standalone manner
o E.g., used to control a single transformer

72
Q

DCS

A

= distributed control systems
o Typically found in industrial process plants where the need to gather data and implement control over a large-scale environment from a single location is essential
o Controlling elements are distributed across the monitored environment, such as the manufacturing floor or production line, and the centralized monitoring location sends commands out to those localized controllers while gathering status and performance data
o Focuses on processes and is state driven
o Used to control processes using a network of sensors, controllers, actuators and operator terminals
o Able to carry out advanced process control techniques
o More suited to operating on a limited scale
o Was used to interconnect several PLCs, but within a limited physical range
o E.g., used to manage a power station

73
Q

SCADA

A

= supervisory control and data acquisition = typically operated through an HMI (human-machine interface)
o Focuses on data gathering and is event driven
o Suitable for managing systems over large geographic areas
o E.g., used to oversee a power grid
o Can operate as a standalone device, be networked together with other SCADA systems or be networked with traditional IT systems
o Can expand networks of PLCs to large-scale physical area
o Enables people to better understand, oversee, manage and control complex machine and technology systems
o Used to monitor and control a wide range of industrial processes, but it is not able to carry out advanced process control techniques

74
Q

ISA99 standards development committee

A

= established and is maintaining guidelines for securing ICS, DCS, PLC and SCADA systems
- Their work is integrated into the International Electrotechnical Commission’s (IEC) 62443 series of standards
- NIST SP 800-82
- North American Electric Reliability Corporation (NERC) maintains its own security guides for ICS as part of the Critical Infrastructure Protection (CIP) standards, which are similar to those of the European Reference Network for Critical Infrastructure Protection (ERNCIP)

75
Q

DCE

A

Distributed computing environment = distributed system = concurrent computing, parallel computing or distributed computing = a collection of individual systems that work together to support a resource or provide a service = can be implemented to provide resiliency, reliability, performance and scalability = often employed for scientific and medical research projects, education projects and industrial applications requiring extensive computation resources = can be implemented as:
- client-server architectures
- three-tier architecture (e.g., basic web applications)
- multitiered architectures (e.g., advanced web applications)
- peer-to-peer architectures (e.g., BitTorrent and most cryptocurrency blockchain ledgers)

76
Q

SOA

A

= Service-oriented architecture

77
Q

SDN

A

= Software-defined networking = management of networking as a virtual or software resource even though it technically still occurs over hardware = derivative of IaC and DCE

78
Q

IDL

A

= interface definition language = language used to define the interface between client and server process or objects in a distributed system, enables the creation of interfaces between objects when those objects are in varying locations or are using different programming languages = e.g.,
- RPCs = remote procedure calls
- CORBA = common object request broker architecture
- DCOM = distributed component object model

79
Q

RPC

A

remote procedure calls, type of interface language

80
Q

CORBA

A

common object request broker architecture, type of interface language

81
Q

DCOM

A

distributed component object model, type of interface language

82
Q

HPC

A

High-performance computing systems = computing platforms designed to perform complex calculations or data manipulations at extremely high speeds
- E.g., super computers and MPP solutions
- Used when real-time or near-real-time processing of massive data is necessary for a particular task or application, including scientific studies, industrial research, medical analysis, societal solutions and commercial endeavors
HPC is composed of three main elements:
- Compute resources
- Network capabilities
- Storage capacity

83
Q

RTOS

A

= real time OS = designed to process or handle data as it arrives on the system with minimal latency or delay = often implemented by HPCs for compute capability = stored on ROM and is designed to operate in a hard real-time or a soft real-time condition

84
Q

Three dumb routers

A

= deploying a distinct network for the IoT equipment, separate and isolated from the primary network

85
Q

Microcontroller

A

= similar to but less complex than a system on a chip or SoC (chapter 11) = small computer consisting of a CPU (with one or more cores), memory, various input/output capabilities, RAM and often nonvolatile storage in the form of flash or ROM/PROM/EEPROM = e.g.,

Raspberry Pi
o 64-bit microcontroller or a single-board computer

Arduino
o Open source hardware and software organization that creates single-board 8-bit microcontrollers for building digital devices
o Simpler than a Raspberry Pi
o Programmed in C/C++

FPGA = field-programmable gate array = a flexible computing device intended to be programmed by end user or customer

86
Q

VDI

A

= Virtual Desktop Infrastructure = can used to implement static systems

87
Q

BLE

A

= Bluetooth low energy = special communication protocol for wireless devices

88
Q

ISFW

A

= Internal segmentation firewall = used to create a network division or segment

89
Q

SOA

A

= service oriented architecture = constructs new applications or functions out of existing but separate and distinct software services

90
Q

Microservices

A

= one element, feature, capability, business logic or function of a web application that can be called upon or used by other web applications = emerging feature of web-based solutions and are derivative of SOA = not API, which allows for I/O between multiple microservices as well as to and from other applications, but instead a type of programming or design architecture

91
Q

SDP

A

= service delivery platform = collection of components that provide the architecture for service delivery = used in relation to telecommunications, similar to a content delivery network (CDN)

92
Q

IaC

A

= Infrastructure as code = viewing hardware configuration as just another collection of elements to be managed in the same way that software and code are managed under DevSecOps (security, development and operations) = managing hardware using version control, predeployment testing, custom-crafted test code, reasonableness checks, regression testing, and consistency in a distributed environment = examples of IaC hardware management software:
- AWS CloudFormation
- Terraform
- Puppet

93
Q

VMM

A

= virtual machine monitor/manager = hypervisor = component of virtualization that creates, manages and operates the virtual machines

94
Q

Type I hypervisor

A

= native or bare-metal hypervisor = no host OS, hypervisor installs directly onto the hardware where the host OS would normally reside = often used to support server virtualization, allowing for maximization of hardware resources while eliminating any risks or resource reduction caused by a host OS

95
Q

Type II hypervisor

A

= a hosted hypervisor = a standard regular OS is present on the hardware, and then the hypervisor is installed as another software application = often used in relation to desktop deployments, where the guest OSs offer safe sandbox areas to test new code, allow the execution of legacy applications, support apps from alternate OSs and provide the user with access to the capabilities of a host OS

96
Q

SECaaS

A

= Security as a service = cloud solutions for backup, authentication, authorization, auditing/accounting, antimalware, storage, SIEM, IDS/IPS analysis and monitoring as a service (MaaS) = a managed service provider (MSP) or a managed security service provider (MSSP)

97
Q

SDDC

A

= software-defined data center = virtual data center = VDC = replacing physical IT elements with solutions provided virtually, and often by an external third party, such as a cloud service provider (CSP)

98
Q

PMD / PED / POD

A

= personal mobile device = personal electronic device = portable electronic device = PED = personally owned device = POD

99
Q

SEAndroid

A

= Security-Enhanced Android = framework to integrate elements of Security-Enhanced Linux into Android devices, including support for Mandatory Access Control (MAC) and middleware mandatory access control (MMAC), reducing privileged daemon vulnerabilities, sandboxing and isolating apps, blocking app privilege escalation, enabling app privilege adjustments both during installation and at runtime, and defining a centralized security policy that can be scrutinized

100
Q

MDM

A

= Mobile device management = software solution that manages the myriad mobile devices that employees use to access company resources = can be used to push or remove apps, manage data, and enforce configuration settings both over the air (across a carrier network) and over Wi-Fi connections

101
Q

UEM

A

= Unified endpoint management = software tool that provides a single management platform to control mobile, PC, IoT, wearables, ICS and other devices = replacement for MDM and enterprise mobility management (EMM) products, combining the features of numerous products into one solution

102
Q

WiPS

A

= wireless positioning system = Wi-Fi positioning system = WFPS = using known location of wireless access points/base stations to determine a mobile device’s location

103
Q

MCM system

A

= mobile content management system = used to control company resources and the means by which they are accessed or used on mobile devices

104
Q

CMS

A

= content management system = goal is to maximize performance and work benefit while reducing complexity, confusion and inconvenience = e.g., placing a control such as a firewall or content-filtering service on the network rather than on each device

105
Q

MAM

A

= mobile application management = similar to an MDM, but focuses only on app management rather than managing the entire mobile device

106
Q

BYOD

A

= bring your own device = policy that allows employees to bring their own personal mobile devices to work and may allow them to use those devices to connect to business resources and/or the internet through the company network

107
Q

COPE

A

= corporate-owned, personally enabled = organization purchases devices and provides them to employees

108
Q

CYOD

A

= choose your own device = provides users with a list of approved devices from which to select the device to implement = BYOD and COPE variants, where either employee or organization purchases approved device

109
Q

COMS / COBO

A

= corporate-owned mobile strategy = corporate-owned, business only (COBO) = company purchases the mobile devices that can support security compliance with the security policy, and that are to be used exclusively for company purposes

110
Q

DLL

A

= dynamic-link libraries = shared library files whose integrity (e.g., hashes compared against a known-good baseline) should be verified to detect the presence of a rootkit
