CISSP Domain 3: Assess and Mitigate Vulnerabilities of Sec Arch, designs and Solution Elements

Question 1

What are the security challenges of IoT devices?

Answer 1

• Device Proliferation
  
  • sheer number of IoT devices, ranging from consumer gadgets to industrial sensors, creates a challenge in ensuring consistent security across the ecosystem
• Weak or Default Configurations
• Limited Computing Resources
• Lack of Standardized Security Protocols
• Data Privacy and Protection
• Inadequate Update and Patching Mechanisms
• Complex Ecosystems
• Supply Chain Risks
• Physical Security

Question 2

What are common threats and attacks against IoT devices?

Answer 2

• Botnet Attacks
• Malware Infections
• Unauthorized Access
• Data Breaches
• Device Tampering
• Supply Chain Attacks
• Denial-of-Service (DoS) Attacks
• Man-in-the-Middle (MitM) Attacks
• Physical Attacks
• Firmware and Software Exploits

Question 3

What’s Service Oriented Architecture?

Answer 3

• architectural approach that involves designing software systems by decomposing them into smaller, self-contained units called services
• services encapsulate specific functionalities or business processes

Question 4

What does it mean if a user accesses an application in a black-box fashion?

Answer 4

• users interact with the services without needing to know the inner workings or complexities of the service implementation
• users are only concerned with the inputs, outputs, and functionality provided by the service, treating it as a self-contained unit without needing to understand its internal details

Question 5

What superseded SOA?

Answer 5

Microservices

Question 6

What’s Microservices?

Answer 6

architectural style that structures an application as a collection of small, independent, and loosely coupled services

Question 7

What is the role of each microservice?

Answer 7

each service focuses on a specific business functionality, such as user authentication, inventory management, or payment processing

Question 8

What’s the benefit of microservices in terms of Scalability and Performance?

Answer 8

• microservices architecture allows for horizontal scaling, where individual services can be scaled independently based on demand
• improves performance and resource utilization, as only the necessary services are scaled, rather than the entire application

Question 9

What are the benefits of microservices in terms of Technology Diversity?

Answer 9

• microservices allow for the use of different technologies and frameworks for each service based on its specific requirements
• the flexibility enables the use of the most suitable technology stack for each service, promoting innovation and adaptation to evolving technology trends

Question 10

What are the security considerations of microservices?

Answer 10

• Authentication and Authorization
  
  • proper authentication and authorization mechanisms should be implemented for each microservice to ensure secure access and protect sensitive data
• Secure Communication
  
  • microservices should communicate over secure channels, such as HTTPS, and enforce encryption for sensitive data transmission
• Input Validation and Sanitization
  
  • each microservice should validate and sanitize incoming data to prevent common security vulnerabilities, such as injection attacks or cross-site scripting (XSS)
• Secure Configuration and Secrets Management
  
  • microservices should be securely configured, including proper handling of sensitive configuration parameters and secrets, such as API keys or database credentials
• Logging and Monitoring

Question 11

How do microservices communicate with each other?

Answer 11

through well-defined APIs, typically using lightweight protocols such as REST or messaging queues

Question 12

What’s the advantage of microservices in terms of Fault Isolation and Resilience?

Answer 12

microservices architecture enhances fault isolation, as failures or issues within one microservice do not necessarily impact the entire system

Question 13

What’s containerization?

Answer 13

technique in software development and deployment that involves encapsulating applications and their dependencies into self-contained units called containers

Question 14

What’s a Container?

Answer 14

• lightweight and portable unit that packages an application and all its dependencies, including libraries, frameworks, and runtime environments
• provides a consistent and isolated environment for the application to run, regardless of the underlying infrastructure

Question 15

What’s a Container Engine?

Answer 15

• containerization is facilitated by container engines or runtimes like Docker, Kubernetes, or containerd
• the engines provide the necessary tools and libraries to create, manage, and run containers

Question 16

What are the security considerations of containerization?

Answer 16

• Container Isolation
• Secure Image Management
• Container Runtime Security
• Vulnerability Management
• Access Controls
• Network Security
  
  • containers communicate with each other and external systems over networks
• Container Orchestration Security
• Logging and Monitoring
• Compliance and Auditing

Question 17

Explain Container Isolation

Answer 17

• while containers provide isolation between applications, it’s essential to ensure that the isolation is robust and secure
• weak container isolation can lead to container escapes or unauthorized access to sensitive resources
• implementing proper container isolation mechanisms, such as strong Linux kernel features like namespaces and cgroups, helps mitigate these risks

Question 18

Explain Container Secure Image Management

Answer 18

• container images serve as the basis for creating containers
• crucial to ensure the integrity and security of container images by using trusted sources, regularly updating images, and scanning them for vulnerabilities
• employing image signing and verification techniques can also enhance image security

Question 19

Explain Container Runtime Security

Answer 19

• keeping the runtime up to date with the latest security patches and configurations is vital
• enabling appropriate security features, like secure kernel options and runtime policies, helps mitigate security risks

Question 20

Explain Container Orchestration Security

Answer 20

• using container orchestration platforms like Kubernetes, securing the orchestration infrastructure becomes critical
• properly configuring access controls, securing API endpoints, and managing secrets and sensitive data within the orchestration platform are crucial to prevent unauthorized access and data breaches

Question 21

What’s the main advantage of containerization over virtualization?

Answer 21

• containerization reduces the overhead of server virtualization by enabling containerized apps to run on a shared OS kernel
• containers don’t have thier own OS

Question 22

What’s embedded system?

Answer 22

• specialized computer systems designed to perform specific functions within larger systems or device
• a full computer system embedded inside of another larger system
  
  • e.g. printers, GPS, drones, semi-automated vehicles

Question 23

What’s High Performance Computing?

Answer 23

• alternative to client-server computing model for compute-intensive operations within large data sets
• used for problems that require the use of extermly large data sets and large-scale parallel processing

Question 24

What’s Grid computing and how does it work?

Answer 24

• high performance computing often seen in business settings
• employs a centralized controller that makes computing assignments to grid members
• the grid controller needs to be secured from takover by bad actor

Question 25

What’s Edge Computing? Where is it used?

Answer 25

• some compute operations require processing activities to occur locally, far from the cloud
• used in various IoT scenarios - agricultural, science, retail, military

Question 26

What’s Fog computing?

Answer 26

• places gateway devices in the filed to collect and correlate data centrally at the edge

Question 27

What system provides GUI to monitor industrial control systems (ICS)?

Answer 27

Supervisory Control and Data Acquisition system (SCADA)

Question 28

What is the type of system that allows to simultaneously handle information classified at the SEcret and Top Secret levels?

Answer 28

multistate

Question 29

Which system assurance process provides an independent third-party evaluation of controls that may be trusted by many different organizations?

Answer 29

verificaion

Question 30

How many protection rings are in modern OSes and how are they marked? Name their role for each.

Answer 30

• Ring 0
  
  • highest level of privilege
  • can access any file, resource or memory location
  • occupied by kernel
• Ring 1
  
  • come and go as tasks are requested, operations performed, processes switched, etc.
• Ring 2
  
  • occupied by I/O drivers and system utilities
  • able to access peripheral devices, special files, etc. that other programs cannot access directly
• Ring 3
  
  • occupied by applications and programs

Question 31

What is the role of protection rings?

Answer 31

organize code and components in an operating system, as well as applications, utilities, or other code that runs under OS’s control

Question 32

What’s the name of part of OS that always reside in memory?

Answer 32

kernel

Question 33

Ben is selecting an encryption algorithm for use in an organization with 10,000 employees. He must facilitate communication between any two employees within the organization. Which type of encryption algorithm should he use?

Answer 33

asymmetric encryption algorithm that requires only two keys for each user; e.g. RSA

Question 34

What’s the formula for determining the number of encryption keys required by a symmetric algorithm?

Answer 34

((n*(n − 1))/2)

Question 35

Which technique can an attacker use to exploit a TOC/TOU vulnerability?

Answer 35

algorithmic complexity

Question 36

What three important items should be considered if you are attempting to control the strength of signal for a wireless network as well as where it is accessible?

Answer 36

Antenna placement, antenna design, and power level control are the three important factors in determining where a signal can be accessed and how usable it is

Question 37

Which component of IPsec provides authentication, integrity, and nonrepudiation?

Answer 37

Authentication Header (AH)

Question 38

Why should be data centers located in the core of a building?

Answer 38

Locating it on lower floors makes it susceptible to flooding and physical break-ins.
Locating it on the top floor makes it vulnerable to wind and roof damage.

Question 39

Describe the corporate-owned mobile device policy

Answer 39

• company purchases mobile devices that can support compliance with the security policy
• devices are to be used exclusively for company purposes, and users should not perform any personal tasks on them
• often requires workers to carry a second device for personal us

Question 40

What is a common security risk when using grid computing solutions that consume available resources from computers over the internet?

Answer 40

• loss of privacy - grid members can access the contents of the distributed work segments or divisions
• grid computing over the internet is not usually the best platform for sensitive operations

Question 41

What is secondary memory?

Answer 41

term used to describe magnetic, optical, or flash media (i.e., typical storage devices like HDD, SSD, CD, DVD, and thumb drives).

Question 42

Which items need to be included and label on a master cabling map as part of crafting the cable plant management policy?

Answer 42

• Entrance facility
• Equipment room
• Backbone distribution system
• Telecommunications room
• Horizontal distribution system

Question 43

What’s Mean time to failure (MTTF)?

Answer 43

expected typical functional lifetime of the device given a specific operating environment

Question 44

What’s Mean time to repair (MTTR)

Answer 44

average length of time required to perform a repair on the device

Question 45

What’s Mean time between failures (MTBF)?

Answer 45

an estimation of the time between the first and any subsequent failures

Question 46

What does Security Model provide?

Answer 46

provides framework to implement a security policy