CISSP Domain 8

Question 1

Aggregate Vs Inference

Answer 1

Aggregate requires multiple small pieces

Inference requires a single data point

Question 2

Waterfall method

Answer 2

Very linear, each phase leads

Once phase done can’t go back

Sequential steps

Can be improved by adding validation and verification

Question 3

Type of program language

Answer 3

Machine language

Assembly language

High level language

Question 4

Machine language

Answer 4

Man had to manually calculate and allot memory address

Complete binary

Question 5

Assembly language

Answer 5

Users mnemonic like ADD, PUSH, POP instead of binary codes

Uses assemblers to convert assembly codes to binary codes

Question 6

High level language

Answer 6

Uses abstract statements like Excel IF - Then- ELSE function

It’s processor independent

Code written in high level language can be converted to machine language using compiler and interpreters

Question 7

4 Gen - Very high level language

Answer 7

More abstraction

Question 8

Natural language

Answer 8

Eliminate need of programming expertise like AI

Question 9

Assemblers Vs Compilers Vs Interpreters

Answer 9

No matter what language is used institutions and data have to end up in binary for processor to understand

Interpreter - Convert high level to machine level code

Question 10

What is libraries used for?

Answer 10

Software libraries contains reusable code

Question 11

Integrated development environment

Answer 11

Environment where they can write their code, write it, test it, debug it and compile it

Question 12

What happens in OOP ? And how does it work?

Answer 12

Devloper doesn’t develop each and every object

Works with class, subject and objects

Class - Set of attributes associated with it, when an object is generated, it inherits these attributes example: Furniture

From security pov provides a black box

Question 13

Polymorphism

Answer 13

Characteristic of an object that allows is to respond with different behaviours to same message or method because of change in external conditions

Question 14

Properties of OOP

Answer 14

Encapsulation

Messaging - Communication between objects

Reusability

Abstraction

Question 15

Cohesion

Answer 15

How many different types of tasks a module carry out

Should high in nature

Question 16

Coupling

Answer 16

How much interaction one module requires to carry out it’s tasks

Should be low in nature

Question 17

Steps in OOP ( FYI)

Answer 17

Devloper creates a class which outlines specifications

Object is initiated it inherits these attributes

User inputs in a software - Addition

Objects is initiated

Object A interacts with B using API

Question 18

Input validation - Limit check and Escaping input

Answer 18

Remove risky inputs

Always occurs on the server side

Question 19

Properties of session management

Answer 19

Cookies to be secure

Expire after a certain time and user to authenticate again

Identifiers to be long and randomly generated

Question 20

Error handling

Answer 20

Devloper love long detailed error messages but those might contain sensitive info hence disable it

Question 21

SDLC steps

Answer 21

Conceptual definition

Functional requirements determination

Control specifications devlopment

Design review

Coding

Code Review walk through

System test review

Maintanence and change management

Question 22

Conceptual definition

Answer 22

Project charter - Top level understanding

Designers identity classification of data to be processed

Question 23

Functional requirements determination

Answer 23

How parts of system interoperate

Characteristics:

Input

Behaviour

Output

Question 24

Control specifications determination

Answer 24

Analyse system from security perspective

1. Access control
2. Confidentiality using data encryption
3. Audit trail - Accountability
4. Availability and fault tolerance

Question 25

Design review

Answer 25

Once functional and control is completed let system designers do their thing

Question 26

Code Review walk through

Answer 26

Devloper starts writing code

Question 27

Testing

Answer 27

System testing

Regression testing

UAT

Then deployed

Question 28

Maintanence and change management

Answer 28

Maintanence tasks

Question 29

Spiral model

Answer 29

prototype and incremental model

Determine objectives

Evaluate alternatives, identify and resolve risks

Devlop and verify next level product

Plan next phases

Question 30

Agile software development - 12 principle

Answer 30

Satisfying customer

Welcome change

Devlop working software, couple of weeks

Have face to face conversation

Working software primary measure of progress

Question 31

Agile methodology

Answer 31

Scrum

Kanban

RAD

AUP

XP

Question 32

Scrum

Answer 32

Daily team meetings

Scrum master

Sprint: Organize work into shorter sprints of activity

Short term objectives that contribute to broader goals of the project

Question 33

CMMI

Answer 33

Initial - Chaotic

Repeatable - Reuse of code

Defined- Operate what is documented

Managed - Quantitative Process management

Optomizing - Continuous improvement

Question 34

Software Assurance Maturity model business functions

Answer 34

Governance - Stratergy and metrics , policy and compliance, education and guidance

Design - Threat assessment , security requirements and security architecture

Implementation - Secure build, Secure deployment, Defect management

Verification - Architecture analysis, Req driven testing, security testing

Operations - Incident management, environment management, operational management

Question 35

IDEAL model

Answer 35

Initiation

Diagnosis: Current state of org and make general recommendation of change

Establishing

Acting: Walk the talk

Learning

Question 36

Change management process and 3 basic components

Answer 36

Request change

Change control: test and analyse

Release control: Only approved changes into prod

Also include acceptance testing

Question 37

Software configuration management

Answer 37

Control the version of the software used throughout an organisation and to formally track and control changes to software configuration

Configuration identification

Configuration control: Changes to software in accordance with change control and configuration management policies. Updates

Configuration status accounting - Formalized procedures to keep track of all authorised Changes they takes place

Configuration audit - Periodic audit

Question 38

Devops model Vs CI/CD model

Answer 38

Software development+ QA+ Operations

Often deploy code several times per day

Code roll out dozens or several times per day: - Security also should move

1.High degree of automation
2. Code repositories
3. SCM process
4. Movement of code between development, testing and prod environments

Question 39

API’s and what a devloper needs to consider ?

Answer 39

Bypass traditional web pages and interact directly with underlying service through function calls

Secure authentication and Authorization to make specific call

Question 40

Software testing when is best time ? And types of test

Answer 40

Aa models are designed

Reasonableness check: Inputs gives desired output

Misuse case test: Code will perform under normal activity and when subjected to extreme conditions

Question 41

White box, Grey box and Black box testing

Answer 41

Access to source code, logical structures of program, inner workings of program

Have access to source code+ analyse inputs and outputs

Do not have access to source code

Question 42

Code repositories

Answer 42

Central storage point for developers

Version control

Bug tracking

Web hosting

Release management

Used to manage and distribute code libraries

Question 43

Third party software acquisition

Answer 43

COTS - On premise of IaaS

Open software (OSS) - freely available for anyone to download and use

Question 44

Type of DBMS

Answer 44

Hierarchical

Relational

Question 45

Hierarchical DBMS

Answer 45

Each employee has one manager but one manager has one or more employees

DNS

Distributed database

Question 46

Relational DBMS

Answer 46

Row ( Turple) and column ( fields/attributes)

Cardinality - Number of rows

Degree - Number of columns

Question 47

Candidates key in RDBMS

Answer 47

Uniquely identify any record in a table

Question 48

Primary key

Answer 48

Enforces uniqueness is primary key

Each table has only one primary key

Question 49

Alternate keys

Answer 49

Any key not selected as primary key is alternate key

Question 50

Foreign key

Answer 50

Enforces relationship between two tables, aka referential integrity

Question 51

What is SQL primary security feature?

Answer 51

Granularity of authorisation
It’s very detailed

Question 52

Db normalisation

Answer 52

Process of bringing a Db table into compliance with normal forms is known as normalisation

Developers want well organised and efficient db

Question 53

4 Required characteristics of Relational DB

Answer 53

A- All or nothing

Consistency

Isolation

Durability - Once committed they must be preserved

Question 54

What is multilevel Db and what is challenge?

Answer 54

Data(IC) and security should be separate it leads to data contamination

Can be implemented using restricted access with views

Question 55

Concurrency in DB and what if they fail to implement?

Answer 55

Edit control

Certain Information stored in Db is always correct at least has integrity and availability protected

Lost updates - Two people update at same time data is lost

Dirty Reads - Transaction that did not commit because of crash

Question 56

Aggregation

Answer 56

Multiple low level security data points combine them to produce useful info

Question 57

Inference

Answer 57

Using a single info gain access to confidential info

Question 58

Time stamps, Content dependent access control, context dependent, Db partitioning

Answer 58

Data integrity and availability

Contents or payload

Cell suppression - Concept of hiding individual db fields

Context - Big picture of ACL

Db partitioning - Subvert inference and aggregation

Question 59

Polyinstation in DB

Answer 59

When 2 or more rows in same DB have same primary keys but different data for use at different data classification levels

Question 60

Noise and perturbation

Answer 60

Can insert false or misleading data

Question 61

OBDC

Answer 61

To communicate with different db kind of interface

Question 62

No SQL and types

Answer 62

Uses models other than relational to store data

Key/ Value

Graph db

Document

Question 63

Key/ Value pairs

Answer 63

Store info in key value pairs

Question 64

Graph Db

Answer 64

Stores data in graph format

Question 65

Document

Answer 65

Stores data in document like JSON or XML

Question 66

Covert channel

Answer 66

Storage threat
Allow transmission of sensitive data between classification levels through direct or indirect manipulation of shared storage media

Question 67

Types of knowledge based systems

Answer 67

AI

Expert systems and neural systems

Question 68

Expert systems and 2 components

Answer 68

Accumulation of knowledge of experts

Knowledge system and inference engine - Prediction based on historic data

Question 69

ML core approach and 2 categories:

Answer 69

Computer to analyse directly from data

Supervised learning - Uses labelled data for training

Unsupervised learning - Algorithm devlop model independently

Question 70

Neural network

Answer 70

Extension of ML aka deep learning

Computational decision+ Series of rules stored in KB

Has many layers of summation - Weighting information to reflect - Delta rule

Question 71

Script kiddies

Answer 71

Ready to use scripts from internet use them to launch attack

Question 72

APT malware

Answer 72

Small adversaries they have zero days

Question 73

2 main functions of computer viruses

Answer 73

Propagation and payload execution

Question 74

Virus technologies

Answer 74

Multiparte

Stealth

Polymorphic

Encrypted

Question 75

Multiparte

Answer 75

More than one propagation techniques in order to penetrate systems

Question 76

Stealth virus

Answer 76

Hide themselves by actually tampering with the OS to fool AV package to thinking everything is working fine

Question 77

Polymorphic virus

Answer 77

Modify their own code as they travel

Question 78

Encrypted virus

Answer 78

Uses virus decryption routine

Question 79

Logic bomb

Answer 79

Perform certain action at particular time. - A condition

Question 80

Trojan horses

Answer 80

Appears loving but carries a malicious behind the scene payload

Question 81

Remote access Trojans

Answer 81

Opens backdoor in system to grant attacker remote admin control of infected system

Question 82

Worms

Answer 82

They propagate themselves without human intervention

Question 83

Spyware and adware

Answer 83

They are potentially unwanted programs

Monitoring your actions

Display advertisement

Question 84

Malicious scripts

Answer 84

Commonly found in fileless malware

Question 85

Zero day vulnerability and reasons

Answer 85

Delay in patches

Slowness in applying patches

Question 86

Antimalware Software and 3 things it does

Answer 86

Signature based system or heuristic based

S/w can eradicate the virus, restore the machine to safe condition

Quarantine until admin can examine

Predefined danger threshold- Delete

Question 87

EDR and UEBA

Answer 87

Analysis of end points
Isolation possible malicious activity
Integration with threat intelligence to get info into malicious behaviour

UEBA- build a profile of user

Question 88

Buffer overflow

Answer 88

Devloper doesn’t validate user inputs leading to memory segment buffer to overwrite

Question 89

TOC TOU

Answer 89

Process executes access permissions before too far in advance of a resource request

Question 90

Backdoor

Answer 90

Bypass normal access restrictions

Used in devlopment and debugging

Question 91

Prevlige escalation - Rootkits

Answer 91

Freely available on internet

Question 92

XSS and persistence XSS

Answer 92

Occur when web apps allow attacker to perform injection into a web page

Allows reflected input

Malicious scripts are injected into trusted websites

Remains even when attacker isn’t actively waging an attack

Question 93

SQL injection

Answer 93

Unexpected input to gain unauthorised access to an underlying db

Question 94

Network reconciance techniques

Answer 94

IP probes

Port scans

Vulnerability scans

Question 95

SDLC Life cycle

Answer 95

Real devlopers ideas take effort

Requirement gathering

Design

Implementation

Testing

Evolution

Question 96

Insecure direct object reference

Answer 96

If app doesn’t perform Authorization checks user may be permitted to view info that exceeds their authority

Question 97

Directory transversal

Answer 97

Web server suffers from misconfiguration that allows attackers to navigate directory structure and access file that should remain secure

Question 98

File inclusion

Answer 98

Simply retrieving a file from local OS and displaying it to attacker, FI actually execute code

Question 99

XSRF - Cross site request forgery

Answer 99

XSS attack exploit the trust the user has in website to execute code in users system

Question 100

SSRF

Answer 100

Instead of tricking users browser into visiting URL, trick server into visiting a URL based on user imput

Question 101

Session hijacking

Answer 101

Malicious person intercepts between authorised user and resource

1. Capture details of client identity
2. Tricking client into thinking attacker system is server
3. Accessing web app using a cookie data of user who didn’t close connection

Question 102

Most effective input validation

Answer 102

Input whitelisting inputs which is defined by devloper for user to input

Input blacklist - To control user imput

Question 103

Db security - parameterised queries and stored procedure

Answer 103

Techniques to protect against injection attacks doesn’t allow insertion of codes

Question 104

Db admins to reduce data exposure

Answer 104

Obsfuscation and camaflogue

Data minimisation

Tokenization : Random token replacement of actual data

Question 105

Application resilience

Answer 105

Scalability - Scale up

Elasticity - scale up and down

Question 106

Resource exhaustion in memory management

Answer 106

Memory leaks memory needs to released if not in use