CISSP Domain 3 Flashcards
What are the techniques for ensuring CIA for processes?
1. Confinement: Process is assigned only the required resources (memory, run time)
2. Bound: Process is authorised for interactions (user, kernel)
3. Isolation: Enforcement of bound and implementation of confinement
What are trust and assurance?
Trust: Presence of security mechanism
Assurance: Degree of confidence in satisfaction of security needs
What is a security model?
Maps abstract statements into a security policy for designers
What is the TCB and its components?
Enforcement of security policy through:
- Security perimeter: Separates trusted from untrusted
- Reference monitor: Restricts access; it is a theoretical concept
- Security kernel: Implements the above RM
What is the state machine model?
Takes a snapshot of a system at a given time
It should always be in a “secure state”
When the state changes, it is called a transition state, and it should happen in a secure transition state
What is the information flow model?
Multilevel security
Dictates information flow from subject to object to prevent unauthorised, restricted, or insecure flow, often between different security levels
What are the elements of evaluation criteria?
Protection profile and Security Target
Non Interference
Actions of subject at a higher level should not take advantage of the lower level
Take grant model
Access rights can be passed on from an object to a different object
Access control matrix
Capability list and access control matrix
Bell-LaPadula
Protect confidentiality
Simple security property (no read up) and star security property (no write down)
Discretionary security property
Biba model
Integrity
No read down (simple integrity rule)
No write up (star integrity rule)
Clark-Wilson model
Provide integrity
Access triplet (subject, program and object)
Subjects cannot access objects directly but only through TP
CDI - constrained data item to protect integrity using security model
UDI - not restricted
Transformation Procedure - Will use TP for subject to access object
Brewer and Nash model
Provides confidentiality
Chinese Wall model, or to avoid conflict of interest
Goguen-Meseguer model
Integrity
Foundation of the non-interference model
Sutherland model
Prevention of interference + integrity
Graham-Denning model
Creation and deletion of both subjects and objects
Harrison-Ruzzo-Ullman model
Assignment of object access rights and resilience of assigned rights
Secure design principles
Secure default
Fail securely: physical - digital
Fail open (people, availability)
Fail safe (people, CI)
Fail closed and secure (assets, CI)
KISS
Zero trust: microsegmentation, assume there is a data breach, trust but verify
Privacy by design (proactive, default setting, positive sum, data protection, visibility and transparency, user centric)
Trust but verify - now zero trust
Shared Responsibility
Organizations do not operate in isolation; in an interconnected world you can have internal and external suppliers
Process and execution types
Brain of computer
- Ready : to be executed after fetching info from memory
- Running: Execution
- Waiting: Has 2 but need to fetch other data from memory in order to complete execution
- Supervisory
- Stopped
Problem state based on low privilege access
CPU and processing types
Brain of computer
1. Multitasking: Multiple tasks on a single core
2. Multiprocessing: Multiple processes and multiple threads executed by processor
3. Multicore: Many-core CPU
4. Multithreading: Many threads executed for a single process
5. Multiprogramming: similar to multitasking
Fetch execute decode
Protection mechanism of OS
Ring 0: kernel
Ring 1: OS components
Ring 2: drivers and protocols
Ring 3: I/O devices
What is the goal of memory protection and how can it be achieved (2 methods)?
A computing device is likely running multiple applications and services simultaneously, each occupying a segment of memory. The goal of memory protection is to prevent one application or service from impacting another. There are two primary memory protection methods:
Process isolation: OS provides separate memory spaces for each process's instructions and data, and prevents one process from impacting another
Hardware segmentation: forces separation via physical hardware controls rather than logical processes; in this type of segmentation, the operating system maps processes to dedicated memory locations
Virtualization and types
technology used to host one or more operating systems within the memory of a single host, or to run applications that are not compatible with the host OS. The goal is to protect the hypervisor and ensure that compromising one VM doesn’t affect others on that host
Type 1 hypervisor: Hypervisor installed directly on bare-metal server hardware; mainly used for servers
Type 2: applications are managed through the hypervisor
Hardware
Hypervisor
OS
ROM
ROM: only reads
It’s volatile in nature and contents are burned into chips and can’t be changed
PROM: Users burn the content into chips
EEPROM and UVPROM: contents can be erased
Flash memory: USB kind of EEPROM
RAM and types
Can be read and written
Real memory
Secondary memory: SSD
Cache memory: Repetitive tasks
Virtual memory: secondary memory to expand memory space - page file
Memory addressing
Ways by which cpu accesses memory
Register addressing
Immediate addressing
Direct addressing
Indirect addressing
Base+offset addressing
Data storage devices
Primary vs secondary
Volatile vs non volatile
Random vs sequential
Emanation security and how to reduce it
Related to emanating signals, voltage
TEMPEST technology can reduce it
Faraday cage
Control Zoning
White noise
Firmware
Mini OS which does very limited function of OS. ROM or EEPROM chip
BIOS and UEFI (same as BIOS but additional support)
Phlashing and boot attestation or secure boot, measured boot
Malicious code embedded into bios
Protection of local OS
Optional feature of UEFI which does hashing
TPM
cryptographic chip that is sometimes included with a client computer or server. A TPM enhances the capabilities of a computer by offering hardware-based cryptographic operations. Many security products and encryption solutions require a TPM
TPM is both a specification for a cryptoprocessor chip on a motherboard and the general name for implementation of the specification
A TPM is an example of a hardware security module (HSM)
An HSM is a cryptoprocessor used to manage and store digital encryption keys, accelerate crypto operations, support faster digital signatures, and improve authentication
Client and server based systems
Client based: Applet (Adobe in Chrome)
Server based:
Data Flow Control: movement of data between processes, between devices, across a network, or over a communications channel
Management of data flow seeks to minimize latency/delays, keep traffic confidential (i.e. using encryption), not overload traffic (i.e. load balancer), and can be provided by network devices/applications & services
While attackers may initially target client computers, servers are often the goal
Mitigation: regular patching, deploying hardened server OS images for builds, and use host-based firewalls
DCE
collection of individual systems that work together to support a resource or provide a service
DCEs are designed to support communication and coordination among their members in order to achieve a common function, goal, or operation
Most DCEs have duplicate or concurrent components, are asynchronous, and allow for fail-soft or independent failure of components
DCE is AKA concurrent computing, parallel computing, and distributed computing
DCE solutions are implemented as client-server, three-tier, multi-tier, and peer-to-peer
Securing distributed systems:
in distributed systems, integrity is sometimes a concern because data and software are spread across various systems, often in different locations
Microservices
A component of a web application and a derivative of SOA; instead of developers building all the services of the software, they can integrate microservices, which can be called upon using an API
Containers vs virtualization
Instead of using the complete OS, it will create and use only whatever is required
AKA OS virtualization; based on the concept of eliminating the duplication of OS elements in a virtual machine; instead each application is placed into a container that includes only the actual resources needed to support the enclosed application, and the common or shared OS elements are then part of the hypervisor
Containerization is able to provide 10 to 100 x more application density per physical server compared to traditional virtualization
Vendors often have security benchmarks and hardening guidelines to follow to enhance container security
Securing containers:
container challenges include the lack of isolation compared to a traditional infrastructure of physical servers and VMs
scan container images to reveal software with vulnerabilities
secure your registries: use access controls to limit who can publish images, or even access the registry; require images to be signed
harden container deployment including the OS of the underlying host, using firewalls, and VPC rules, and use limited access accounts
reduce the attack surface by minimizing the number of components in each container, and update and scan them frequently
Virtualization: System, host OS, hypervisor, guest OS, bin and lib, apps
Containers: System, host OS, bin and lib, apps
Serverless architecture
Serverless architecture (AKA function as a service (FaaS)): a cloud computing concept where code is managed by the customer and the platform (i.e. supporting hardware and software) or servers are managed by the CSP
Applications developed on serverless architecture are similar to microservices, and each function is created to operate independently and autonomously
A serverless model, as in other CSP models, is a shared security model, and your organization and the CSP share security responsibility
Embedded systems
form of computing component added to an existing mechanical or electrical system for the purpose of providing automation, remote control, and/or monitoring; usually including a limited set of specific functions
Example: microcontroller
HPC and its three main elements
High-performance computing (HPC) systems: platforms designed to perform complex calculations/data manipulation at extremely high speeds (e.g. supercomputers or MPP); often used by large orgs, universities, or gov agencies
An HPC solution is composed of three main elements:
compute resources
network capabilities
storage capacity
HPCs often implement real-time OS (RTOS)
HPC systems are often rented, leased or shared, which can limit the effectiveness of firewalls and invalidate air gap solutions
Securing HPC systems:
deploy head nodes and route all outside traffic through them, isolating parts of a system
“fingerprint” HPC systems to understand use, and detect anomalous behavior
Edge and fog computing
philosophy of network design where data and compute resources are located as close as possible, at or near the network edge, to optimize bandwidth use while minimizing latency
Securing edge computing:
this technology creates additional network edges that result in increased levels of complexity
visibility, control, and correlation require a Zero Trust access-based approach to address security on the LAN edge, WAN edge and cloud edge, as well as network management
IoT devices collect data and transfer it to a central location for processing
VM escape and VM sprawl
VM escape: occurs when software within a guest OS is able to breach the isolation protection provided by the hypervisor
VM sprawl: org deploys numerous VMs without IT management
Explain 3 types of key exchange
Three main methods are used to exchange secret keys:
offline distribution
public key encryption, and
the Diffie-Hellman key exchange algorithm
Key escrow
Key escrow: process or entity that can recover lost or corrupted cryptographic keys
multiparty key recovery: when two or more entities are required to reconstruct or recover a key
m of n control: you designate a group of (n) people as recovery agents, but only need subset (m) of them for key recovery
split custody: enables two or more people to share access to a key (e.g. two people each hold half the password to the key)
Key rotation: rotate keys (retire old keys, implement new) to reduce the risks of a compromised key having access
Ciphertext only attack
attack where you only have the encrypted ciphertext message at your disposal (not the plaintext)
If you have enough ciphertext samples, the idea is that you can decrypt the target ciphertext based on the ciphertext samples
One technique that proves helpful against simple ciphers is frequency analysis (counting the number of times each letter appears in the ciphertext)
Known plaintext
in this attack, the attacker has a copy of the encrypted message along with the plaintext message used to generate the ciphertext (the copy); this knowledge greatly assists the attacker in breaking weaker codes
Frequency analysis
attack where the characteristics of a language are used to defeat substitution ciphers
For example, in English the letter “E” is the most common, so the most common letter in an encrypted ciphertext could be a substitution for “E”
Other examples might include letters that appear twice in sequence, as well as the most common words used in a language
Chosen ciphertext and differential analysis
chosen ciphertext attack: the attacker has access to one or more ciphertexts and their plaintexts; i.e. the attacker has the ability to decrypt chosen portions of the ciphertext message, and use the decrypted portion to discover the key
differential analysis: a type of chosen plaintext attack; a general form of cryptanalysis applicable primarily to block ciphers, but also to stream ciphers and cryptographic hash functions; in the broadest sense, it is the study of how differences in information input can affect the resultant difference at the output; advanced methods such as differential cryptanalysis are types of chosen plaintext attacks
as an example, an attacker may try to get the receiver to decrypt modified ciphertext, looking for that modification to cause a predictable change to the plaintext
Large scale parallel data system and types
Computation system designed to break large tasks into smaller ones by the OS
Symmetric multiprocessing: common OS shared by processors
Asymmetric multiprocessing: processors operating independently of each other, dedicated data bus and memory
Grid computing
Members of the grid can join and leave the grid, where multiple processors group to work on a specific processing goal
P2P
Distributed application solutions that share tasks among peers
ICS and its components
DCS: Used where the need to gather data and implement control over a single location is essential; state driven and process focused; interconnects several PLCs
PLC: Single purpose or focused purpose to manage computers
SCADA (HMI): to manage a large-scale physical area and monitor a wide range of PLCs and DCS
Distributed systems
Collection of systems to provide a service
Think DoS attack
Blockchain
Collection of ledgers of records, transactions, and timestamps working in a distributed environment; each time there is a change in records, the ledger is updated and hashed in all the distributed systems
Static system
No updates once built, like an ATM or gaming console
Infrastructure as code
Hardware management to be treated the same as software code with proper version control, testing etc
Immutable architecture
Pet versus cattle
Elasticity and scalability in cloud computing
H/W characteristics: Expansion or contraction of resources to meet needs
S/W characteristics: Handle more tasks or workload
VDI and types
Reduce security risk by hosting desktop and workstation OS
Persistent: customisable for user
Non persistent: if user makes changes it rolls back to default state
MDM and UEM
To centrally manage mobile devices
To control mobile, IoT
Context aware authentication
Geo-tagging, unrecognisable browser, like logging into Google from a cafe
Geolocation, geotagging, geofencing
Location services, automatic implementation of features
Rooting in mobile devices
Break DRM and operate the mobile device with full privilege
Mobile key management
Good key selection is based on RNGs
Best option is microSD HSM or TPM
BYOD, CYOD, COMS, COPE
COPE: User can use for work and activities
CYOD: list of approved devices and policy to be implemented
COMS: company purchases and supports their security policy
Covert channel and types
Method of data transfer not designed for
Passing info on the path that’s not normally used for communication hence can’t be protected
Timing channel: modifying resources timing
Storage channel: Writing data to an area where another process can read it
Rootkits
Embeds within the OS or gains full control over a system with a combination of lateral movement and remaining undetected
Data diddling, salami attack and incremental attacks
Modify transactions or make minor changes or delete files incrementally, or slicing each time
Secure facility
Risk analysis
Critical path analysis: critical process and operations
Secure facility plan: outlines the security needs of your organization and emphasizes methods or mechanisms to employ to provide security, developed through risk assessment and critical path analysis
critical path analysis (CPA): a systematic effort to identify relationships between mission-critical applications, processes, and operations and all the necessary supporting components
During CPA, evaluate potential technology convergence: the tendency for various technologies, solutions, utilities, and systems to evolve and merge over time, which can result in a single point of failure
A secure facility plan is based on a layered defense model
Industrial camouflage
Make it look like a food retailer
CPTED
Crime Prevention Through Environmental Design (CPTED): a well-established school of thought on “secure architecture”
core principle of CPTED is that the design of the physical environment can be managed/manipulated, and crafted with intention in order to create behavioral effects or changes in people present in those areas that result in reduction of crime as well as a reduction of the fear of crime
CPTED stresses three main principles:
Natural surveillance
Natural access control
Natural territorial reinforcement
Power problem types
Commercial power problem types:
fault: momentary loss of power
blackout: complete loss of power
sag: momentary low voltage
brownout: prolonged low voltage
spike: momentary high voltage
surge: prolonged high voltage
inrush: initial surge of power associated with connecting to a power source
Fire stages:
Stage 1: incipient stage: at this stage, there is only air ionization and no smoke
Stage 2: smoke stage: smoke is visible from the point of ignition
Stage 3: flame stage: this is when a flame can be seen with the naked eye
Stage 4: heat stage: at stage 4, there is an intense heat buildup and everything in the area burns
Fire extinguisher class
Fire extinguisher classes:
Class A: common combustibles
Class B: liquids
Class C: electrical
Class D: metal
Class K: cooking material (oil/grease)
4 main types of suppression system
Four main types of suppression:
wet pipe system (AKA closed head system): is always filled with water; water discharges immediately when suppression is triggered
dry pipe system: contains compressed inert gas
preaction system: a variation of the dry pipe system that uses a two-stage detection and release mechanism
deluge system: uses larger pipes and delivers larger volume of water
Zero trust components which need to be protected
Verify identity
Manage devices
Manage apps
Protect data
SOAR
Centralised alert and response automation with threat-specific playbooks (response automation), whereas SIEM is monitoring automation
MTTF, MTTR and MTBF
MTTF is the time taken for the equipment to fail
MTTR is the time taken to repair after a fault occurs
MTBF is the time taken to fail after a subsequent failure
Proximity devices
- Passive proximity device
- Field powered proximity device: EM
- Transponder: opens at the press of a button
Intrusion alarm
Deterrent
Repellent
Notification alarm
Power considerations
Surge protectors
Power conditioner
UPS - Double conversion and line interactive - voltage regulators and surge protectors
Generator
Battery backup
Properties of the reference monitor concept
Isolation
Verifiable
Completeness
2 methods of process isolation
Memory segmentation
Time division multiplexing
Difference between SIEM and SOAR
SIEM is notification vs SOAR is response analysis
Grid computing vs fog computing
Centralised vs gateway devices to collect data
CASB
Security policy enforcement
Shadow IT prevention
Key clustering
2 keys using same algorithm to give same result
Same as collision
Meet in the middle
Attacker needs 2 rounds of encryption
3 major PK cryptography systems
RSA - Factoring
ElGamal - less common than RSA
Elliptic curve - discrete logarithm; provides more security than other algorithms when both are used with keys of the same length
Functional order of security controls
Deter
Deny
Detect
Delay
Determine
Decide
3 ways ciphers convert plaintext to ciphertext?
Ciphers convert messages from plaintext to ciphertext on a bit basis (that is, a single digit of a binary code), character basis (that is, a single character of an ASCII message), or block basis (that is, a fixed-length segment of a message, usually expressed in number of bits).
Does a digital signature provide confidentiality? If yes or no, how does it provide it?
No, it does not; it only provides AIN, and if you want to provide confidentiality then the message has to be encrypted using the receiver's public key
In PKI, why and how can CAs protect their own private keys?
Certificate authorities must carefully protect their own private keys to preserve their trust relationships. To do this, they often use an offline CA to protect their root certificate, the top-level certificate for their entire PKI. This offline CA is disconnected from networks and powered down until it is needed. The offline CA uses the root certificate to create subordinate intermediate CAs that serve as the online CAs used to issue certificates on a routine basis.
What is certificate chaining?
In the CA trust model, the use of a series of intermediate CAs is known as certificate chaining. To validate a certificate, the browser verifies the identity of the intermediate CA(s) first and then traces the path of trust back to a known root CA, verifying the identity of each link in the chain of trust
What is the difference between allow listing and deny listing in firewalls etc.?
Application allow listing (previously known as whitelisting) is a security option that prohibits unauthorized software from being able to execute. Allow listing is also known as deny by default or implicit deny.
This is a significant departure from the typical device-security stance, which is to allow by default and deny by exception (also known as deny listing or block listing, previously known as blacklisting)