CISSP Domain 8 Flashcards
Aggregate Vs Inference
Aggregate requires multiple small pieces
Inference requires a single data point
Waterfall method
Very linear, each phase leads
Once phase done can’t go back
Sequential steps
Can be improved by adding validation and verification
Types of programming language
Machine language
Assembly language
High level language
Machine language
Programmers had to manually calculate and allot memory addresses
Entirely binary
Assembly language
Uses mnemonics like ADD, PUSH, POP instead of binary codes
Uses assemblers to convert assembly codes to binary codes
High level language
Uses abstract statements like Excel's IF-THEN-ELSE function
It's processor independent
Code written in a high level language is converted to machine language using compilers and interpreters
4th Gen - Very high level language
More abstraction
Natural language
Eliminates the need for programming expertise, like AI
Assemblers Vs Compilers Vs Interpreters
No matter what language is used, instructions and data have to end up in binary for the processor to understand
Interpreter - Convert high level to machine level code
What are libraries used for?
Software libraries contain reusable code
Integrated development environment
Environment where developers can write, test, debug and compile their code
What happens in OOP ? And how does it work?
Developer doesn't develop each and every object
Works with classes, subclasses and objects
Class - Has a set of attributes associated with it; when an object is generated, it inherits these attributes. Example: Furniture
From security pov provides a black box
Polymorphism
Characteristic of an object that allows it to respond with different behaviours to the same message or method because of a change in external conditions
Properties of OOP
Encapsulation
Messaging - Communication between objects
Reusability
Abstraction
Cohesion
How many different types of tasks a module carry out
Should be high in nature
Coupling
How much interaction one module requires to carry out its tasks
Should be low in nature
Steps in OOP ( FYI)
Developer creates a class which outlines specifications
Object is instantiated; it inherits these attributes
User inputs in a software - Addition
Object is instantiated
Object A interacts with B using an API
Input validation - Limit check and Escaping input
Remove risky inputs
Always occurs on the server side
Properties of session management
Cookies to be secure
Expire after a certain time and user to authenticate again
Identifiers to be long and randomly generated
Error handling
Developers love long detailed error messages, but those might contain sensitive info, hence disable them
SDLC steps
Conceptual definition
Functional requirements determination
Control specifications development
Design review
Coding
Code Review walk through
System test review
Maintenance and change management
Conceptual definition
Project charter - Top level understanding
Designers identify the classification of data to be processed
Functional requirements determination
How parts of system interoperate
Characteristics:
Input
Behaviour
Output
Control specifications determination
Analyse system from security perspective
- Access control
- Confidentiality using data encryption
- Audit trail - Accountability
- Availability and fault tolerance
Design review
Once functional and control specifications are completed, let the system designers do their thing
Code Review walk through
Developer starts writing code
Testing
System testing
Regression testing
UAT
Then deployed
Maintenance and change management
Maintenance tasks
Spiral model
prototype and incremental model
Determine objectives
Evaluate alternatives, identify and resolve risks
Develop and verify next level product
Plan next phases
Agile software development - 12 principles
Satisfying the customer
Welcome change
Develop working software, every couple of weeks
Have face to face conversation
Working software primary measure of progress
Agile methodology
Scrum
Kanban
RAD
AUP
XP
Scrum
Daily team meetings
Scrum master
Sprint: Organize work into shorter sprints of activity
Short term objectives that contribute to broader goals of the project
CMMI
Initial - Chaotic
Repeatable - Reuse of code
Defined- Operate what is documented
Managed - Quantitative Process management
Optimizing - Continuous improvement
Software Assurance Maturity model business functions
Governance - Strategy and metrics, policy and compliance, education and guidance
Design - Threat assessment , security requirements and security architecture
Implementation - Secure build, Secure deployment, Defect management
Verification - Architecture analysis, Req driven testing, security testing
Operations - Incident management, environment management, operational management
IDEAL model
Initiation
Diagnosis: Current state of org and make general recommendation of change
Establishing
Acting: Walk the talk
Learning
Change management process and 3 basic components
Request change
Change control: test and analyse
Release control: Only approved changes into prod
Also include acceptance testing
Software configuration management
Control the version of the software used throughout an organisation and to formally track and control changes to software configuration
Configuration identification
Configuration control: Changes to software in accordance with change control and configuration management policies. Updates
Configuration status accounting - Formalized procedures to keep track of all authorised changes that take place
Configuration audit - Periodic audit
Devops model Vs CI/CD model
Software development + QA + Operations
Often deploy code several times per day
Code rolls out dozens of times per day; security also should move at that pace
1. High degree of automation
2. Code repositories
3. SCM process
4. Movement of code between development, testing and prod environments
APIs and what a developer needs to consider?
Bypass traditional web pages and interact directly with underlying service through function calls
Secure authentication and Authorization to make specific call
Software testing: when is the best time? And types of tests
As models are designed
Reasonableness check: Inputs give the desired output
Misuse case test: Code will perform under normal activity and when subjected to extreme conditions
White box, Grey box and Black box testing
Access to source code, logical structures of program, inner workings of program
Have access to source code+ analyse inputs and outputs
Do not have access to source code
Code repositories
Central storage point for developers
Version control
Bug tracking
Web hosting
Release management
Used to manage and distribute code libraries
Third party software acquisition
COTS - On premise or IaaS
Open source software (OSS) - freely available for anyone to download and use
Type of DBMS
Hierarchical
Relational
Hierarchical DBMS
Each employee has one manager but one manager has one or more employees
DNS
Distributed database
Relational DBMS
Row (tuple) and column (field/attribute)
Cardinality - Number of rows
Degree - Number of columns
Candidate key in RDBMS
Uniquely identifies any record in a table
Primary key
Enforces uniqueness
Each table has only one primary key
Alternate keys
Any key not selected as primary key is alternate key
Foreign key
Enforces relationship between two tables, aka referential integrity
What is SQL's primary security feature?
Granularity of authorisation
It’s very detailed
Db normalisation
Process of bringing a Db table into compliance with normal forms is known as normalisation
Developers want well organised and efficient db
4 Required characteristics of Relational DB
Atomicity - All or nothing
Consistency
Isolation
Durability - Once committed they must be preserved
What is a multilevel DB and what is the challenge?
Data at different classification levels should be kept separate; mixing them leads to data contamination
Can be implemented using restricted access with views
Concurrency in DB, and what happens if it isn't implemented?
Edit control
Ensures information stored in the DB is always correct, or at least has its integrity and availability protected
Lost updates - Two people update at the same time and data is lost
Dirty reads - Reading data from a transaction that did not commit because of a crash
Aggregation
Combining multiple low security level data points to produce useful info
Inference
Using a single piece of info to gain access to confidential info
Time stamps, Content dependent access control, context dependent, Db partitioning
Data integrity and availability
Contents or payload
Cell suppression - Concept of hiding individual db fields
Context - Big picture of ACL
Db partitioning - Subvert inference and aggregation
Polyinstantiation in DB
When 2 or more rows in the same DB have the same primary key but different data for use at different data classification levels
Noise and perturbation
Can insert false or misleading data
ODBC
A kind of interface used to communicate with different DBs
NoSQL and types
Uses models other than relational to store data
Key/ Value
Graph db
Document
Key/ Value pairs
Store info in key value pairs
Graph Db
Stores data in graph format
Document
Stores data in document like JSON or XML
Covert channel
Storage threat
Allow transmission of sensitive data between classification levels through direct or indirect manipulation of shared storage media
Types of knowledge based systems
AI
Expert systems and neural systems
Expert systems and 2 components
Accumulation of knowledge of experts
Knowledge system and inference engine - Prediction based on historic data
ML core approach and 2 categories:
Computer to analyse directly from data
Supervised learning - Uses labelled data for training
Unsupervised learning - Algorithm devlop model independently
Neural network
Extension of ML aka deep learning
Computational decision+ Series of rules stored in KB
Has many layers of summation - Weighting information to reflect - Delta rule
Script kiddies
Use ready-to-use scripts from the internet to launch attacks
APT malware
Skilled adversaries; they have zero-days
2 main functions of computer viruses
Propagation and payload execution
Virus technologies
Multipartite
Stealth
Polymorphic
Encrypted
Multipartite
Uses more than one propagation technique in order to penetrate systems
Stealth virus
Hide themselves by actually tampering with the OS to fool the AV package into thinking everything is working fine
Polymorphic virus
Modify their own code as they travel
Encrypted virus
Uses virus decryption routine
Logic bomb
Performs a certain action at a particular time or when a condition is met
Trojan horses
Appears benign but carries a malicious behind-the-scenes payload
Remote access Trojans
Opens backdoor in system to grant attacker remote admin control of infected system
Worms
They propagate themselves without human intervention
Spyware and adware
They are potentially unwanted programs
Monitoring your actions
Display advertisement
Malicious scripts
Commonly found in fileless malware
Zero day vulnerability and reasons
Delay in patches
Slowness in applying patches
Antimalware Software and 3 things it does
Signature based system or heuristic based
S/w can eradicate the virus, restore the machine to safe condition
Quarantine until admin can examine
Predefined danger threshold- Delete
EDR and UEBA
Analysis of end points
Isolation of possible malicious activity
Integration with threat intelligence to get info on malicious behaviour
UEBA - builds a profile of the user
Buffer overflow
Developer doesn't validate user input, allowing a memory buffer segment to be overwritten
TOC TOU
Process checks access permissions too far in advance of the resource request
Backdoor
Bypass normal access restrictions
Used in development and debugging
Privilege escalation - Rootkits
Freely available on internet
XSS and persistent XSS
Occurs when web apps allow an attacker to perform injection into a web page
Allows reflected input
Malicious scripts are injected into trusted websites
Remains even when attacker isn’t actively waging an attack
SQL injection
Unexpected input to gain unauthorised access to an underlying db
Network reconnaissance techniques
IP probes
Port scans
Vulnerability scans
SDLC Life cycle
Real developers' ideas take effort
Requirement gathering
Design
Implementation
Testing
Evolution
Insecure direct object reference
If the app doesn't perform authorization checks, a user may be permitted to view info that exceeds their authority
Directory traversal
Web server suffers from a misconfiguration that allows attackers to navigate the directory structure and access files that should remain secure
File inclusion
Unlike directory traversal, which simply retrieves a file from the local OS and displays it to the attacker, FI actually executes code
XSRF - Cross site request forgery
XSS attacks exploit the trust the user has in a website to execute code on the user's system
SSRF
Instead of tricking the user's browser into visiting a URL, trick the server into visiting a URL based on user input
Session hijacking
Malicious person intercepts communication between an authorised user and a resource
- Capture details of client identity
- Tricking client into thinking attacker system is server
- Accessing web app using a cookie data of user who didn’t close connection
Most effective input validation
Input whitelisting - Allowed inputs are defined by the developer for the user to enter
Input blacklisting - To control user input
Db security - parameterised queries and stored procedure
Techniques to protect against injection attacks; they don't allow insertion of code
Db admins to reduce data exposure
Obfuscation and camouflage
Data minimisation
Tokenization: Replacement of actual data with a random token
Application resilience
Scalability - Scale up
Elasticity - scale up and down
Resource exhaustion in memory management
Memory leaks: memory needs to be released if no longer in use