CISSP Notes Flashcards
Type of malware which can change or update a system’s kernel
Rootkit
Best practice when it comes to taking measures against a rootkit
Reinstall operating system
Type of self-sufficient malware
Worm
Malware which requires host-to-host transmission to work
Virus
Firewall rule placed at the top of the rulebase to drop direct connections to the firewall
Stealth rule
Attribute-based access control allows authorization through this type of condition
Environmental
Examples of environmental attributes in ABAC
Time of day, geolocation, network type
Subjects access _________
objects
Signing a document with your private key provides
Nonrepudiation
HMAC is associated with this high-level and fundamental security concept
Integrity
Users are allowed access to resources through a pre-determined template
Role-based access control
Firewall policies reflect this type of access control
Rule-based access control
Every object must have an owner
Discretionary Access Control
A more in-depth, granular, detailed, and fully tested evaluation provides ________
assurance
Determines the functionality of a product
Certification
Determining why to create the software and for what purpose
First phase of SDLC
Implementing proper disposal methods for software
Last phase of SDLC
A portion of software which is left unprotected and could provide a means for an attacker
Attack surface
How well the components of software work together per design specifications
Integration testing
Making sure the users verify the product operates as it should
User acceptance testing
Enter safe mode, recover files, validate operations
What to do after a system crash
Only allowing systems administrators to shut down critical systems
Reduce the possibility of denial of service
When processes should not be interrupted from receiving input to providing output
Atomic transactions
Type of codes which maintain the integrity of files
Message authentication code
Even if a report has no data, it should still say “no data to report”.
Input/output control
The default state of wiring closet doors.
Closed
When doors are opened during emergencies
Fail-safe
The estimated amount of time a device is meant to work reliably.
Mean time between failures
This should be implemented if the mean time to repair is too high on a device
Redundancy measures
The decision engine in this access control method is controlled by the operating system in highly classified computers
Mandatory Access Control
ACLs provide this type of RBAC, with no formal roles other than by the user themselves
Non-RBAC
An access control system fully defined by organizational roles, policies, and permissions for subjects to objects
Full RBAC
Attack from flaws in IP packet reassembly
Teardrop attack
10.1.2.0/23 and 10.1.3.248/30
RFC 1918 Overlapping subnets
A product which provides IDS/IPS, DLP, firewall, antimalware, antispam services
Unified Threat Management
First thing to establish before any security control or project
The business need
Transferring workers to another organization’s workplace to use their infrastructure as a recovery agreement
Reciprocal agreement
Type of recovery site necessary for an MTD of 1 hour
Hot site
Type of recovery site necessary for an MTD of 12 hours
Warm site
Permissions and authorization rights are this type of control
Administrative
NIST 800-34
Contingency Guide Planning (good read for exam)
Who can declare an emergency?
Anyone
Who can declare a disaster?
BCP Coordinator
Read Shon Harris 7th Edition once, Sybex 3 times, Official CBK once
Study Tips
The best way to memorize something for the exam. It creates a visual placeholder in your brain.
Handwritten notes
Don’t let your dreams be dreams, achieve them with goals. Achieve them with three methods.
Discipline, dedication, consistency.
People taking the exam usually think they are going to fail. But they pass.
Just like you will.
A Cisco ASA firewall failing after 213 days of uptime
Example of mean time between failure
The more complex a device, program, or component
The less reliability
Data written across all drives increases write performance
Striping
Applying controls to better “suit” an environment beyond the recommended baseline
Tailoring
Eliminating unnecessary controls for an environment recommended by a baseline
Scoping
Applying minimum security controls as a reference point in an organization
Baseline
Pre-employment administrative detective control to gauge employee suitability
Background investigation
Most important action before applying updates or patches to a system in production
Backup
Type of knowledge that is a must for the CISSP exam
Inter-domain
The most stressful moments of the CISSP exam
First 10-15 minutes/questions
Port for SMTP
25
Practice CISSP questions most similar to the CISSP exam
CISSP Practice Questions, Fourth Edition, Shon Harris
A more secure way to remotely connect to servers instead of Telnet (Port 23)
SSH (Port 22)
Standards enforce a _________ environment
homogeneous
Form of API security to mitigate DOS
Rate-limiting
Those who direct the business and security efforts of an organization
Senior management
Structure to properly direct organizational business and security efforts
Security governance
Cost to support, repair, replace, manage, and administer an asset
Asset valuation
Framework which provides steps to match business goals with IT resources
COBIT
Access control method which uses classifications and utilized in government systems
Mandatory Access Control
Standard which rewards clean desk policies, proper documentation, security protocols and processes for information security management systems
ISO 27001
Security model which upholds integrity through the use of data items and well-formed transactions
Clark-Wilson
Access control method in which each object must absolutely have an owner
Discretionary Access Control
Inventors of one of the first mathematical security models
David Elliot Bell and Leonard J. LaPadula
Risk mitigation should be considered at which stages of the system development life-cycle?
Every stage
Administrative control which aims to teach users about potential social engineering techniques and other types of risks
Security awareness training
Access control method which uses a set with least upper bound and greatest lower bound
Lattice-based access control
A backup site to a backup site
Tertiary site
Renting a database program
Software as a Service
Renting an operating system
Platform as a Service
Renting a virtual firewall
Infrastructure as a Service
The use of shared resources among thousands of servers in thousands of data centers
Cloud computing
Document which outlines an appropriate level of service between a provider and a customer
Service Level Agreement (SLA)
Uptime, downtime, peak, average and failover times.
Common issues addressed in SLAs
Establishing a contract with a cloud service provider
Due care
Verifying controls are in place when forming a contract with a cloud service provider
Due diligence
Reports capable of verifying the controls used by vendors to ensure service delivery
Service Organization Control (SOC)
Virtualization spurned the invention of this technology
Cloud computing
Customer’s responsibility in Software as a Service
Data Security
Customer’s responsibility in Platform as a Service
Data classification
Customer’s responsibility in an Infrastructure as a Service
Access Control
Cloud service provider’s responsibility in a Software as a Service
Application Security
Cloud service provider’s responsibility in a Platform as a Service
Infrastructure Security
Cloud service provider’s responsibility in an Infrastructure as a Service
Physical Security
Companies or users who utilize the services offered by the cloud
Tenants
AWS and Microsoft Azure
Cloud service providers
Cloud service model which dedicates all services to one tenant
Private cloud
Type of cloud where multiple tenants use the same service
Community cloud
Type of cloud service which will allow you to throttle server CPU utilization if necessary
Infrastructure as a Service
Best way to secure data flowing from your organization and the cloud
Encryption
Sort of like policies
Directives
Takes over when primary controls have failed
Compensating controls
Controls which discourage those trying to subvert directives
Deterrent controls
Pours water out immediately after the suppression mechanism is triggered
Wet Pipe
Pipe system filled with compressed air
Dry pipe system
Bigger pipes, more water
Deluge system
Best type of water suppression system for computers and other electronics
Preaction system
Combination of a dry pipe/wet pipe system
Preaction system
Vulnerability which was the death of SSL
POODLE
Component of ABAC which makes it a unique type of access control method
Environmental attributes
Data state which can be secured by hard disk encryption
Data at rest
Data state which can be secured by TLS
Data in motion
Data state which can be secured by a proper software development life cycle
Data in use
Used to assess the quality of software, but not the vendor which makes the software
Common Criteria
Used to assess the quality of a software vendor, but not the software the vendor makes
Capability Maturity Model Integration
A form of non-discretionary based access control
Mandatory Access Control
Can be used on top of role-based access control
Rule-based access control
Evaluation method which preceded the Common Criteria
TCSEC (Trusted Computer System Evaluation Criteria)
A set of categorized basic security requirements to evaluate a specific type of system
Protection Profile
Documentation and paperwork to prove the functionality and assurance of a system
Security Target
The product of a Common Criteria security evaluation
Target of Evaluation
Hiding an invention such as custom encryption and thinking attackers won’t ever break it
Security through obscurity
The theory that transistors on a microchip will grow exponentially making old encryption algorithms breakable
Moore’s Law
Encrypting data on a hard drive instead of deleting it
Crypto erase
Overwriting sectors on a hard drive
Overwriting
Media which cannot be degaussed
Solid state drives
Method of calculating the different ways a system can experience faults and lower reliability and safety
Fault-tree analysis
Technology used to control physical components of industrial environments
Industrial control systems
Trusting your friend and your friend’s friend with data
Transitive trust
Trusting your friend and only your friend with data
Non-transitive trust
FTPS and SMTPS
Protocols which use Transport Layer Security
What to do the night before the exam
Get at least 8 hours of sleep
Bundle of functional and assurance requirements
Common Criteria EALs
Software, encryption algorithms, key management, applications, TPMs
A cryptosystem
Encryption cipher which uses the natural world and the elements within it for the key
Running key cipher
Less mathematical computations than public key cryptography
Symmetric encryption
Probably the only stream cipher you need to know for the CISSP exam
RC4
Random values used at the beginning of a keystream or algorithm
Initialization Vectors
Signing a document with a private key provides nonrepudiation and also this
Authentication
A symmetric key used one time to secure the communication channel for data
Session key
Supports 14 rounds of encryption if both the key and block sizes are 256 bits
Rijndael 256
Cryptographic keys should never be in cleartext outside the system’s trusted memory location
Key management principle
Unique private key within a TPM and a public key to authenticate the TPM
Endorsement Key
The toughest cryptographic attack
Ciphertext-Only Attacks
You can view Known-Plaintext Attack in this movie
The Imitation Game
Locks, bollards, fences, barriers
Physical detective controls which only serve to slow down an attacker, not prevent
Emergency 911 service, water sprinklers, Army National Guard
Physical responses to security incidents
Results obtained from custom measurements of information which are becoming more important in organizations
Metrics
Manipulating the natural environment to reduce crime around a facility
Crime Prevention Through Environmental Design (CPTED)
WAN technology which dedicates a single virtual connection between two systems, not multiple paths
Circuit-switched
Multitasking, multicore, multiprocessing, multithreading
They all do not mean the same thing, should know the difference
Type of system security mode which provides the least amount of risk as compared to a multilevel security mode
Dedicated mode
If you don’t want the predicted path of synthetic transactions, use this instead
Real User Monitoring (RUM)
Your mindset and role when taking the CISSP exam
Risk advisor, security consultant, CISO, senior management
Type of solutions to pick when taking the CISSP exam
High-level answers which guide the organization without taking direct hands-on action
Every choice picked on the real CISSP exam must revolve around this
Risk management and cost-benefit analysis. Identifying and valuating assets. CIA Triad.
Input validation, message digests, preventing unauthorized modifications
Integrity protections
Availability metrics
MTD/RTO/RPO/SLA/MTBF/MTTR
What comes after identification but before authorization
Authentication
Operational plans are within days or weeks, tactical plans are within months, and strategic plans are within
years
Why do we have data classification
For implementing proper security controls
The activities which promote due care
Due diligence
The amount of time for which an organization will face risk
FOREVER
Risk Treatment: MART
Mitigate, Accept, Reject, Transfer
What are the exact BCP/DRP steps to know for the CISSP exam?
There are no official steps. Just know the general steps. Policy, BIA, Recovery Strategies, Maintenance
What do you probably NOT have to memorize or know for the exam?
TCSEC, US Laws
The right to be forgotten and having your personal information deleted is part of which regulation?
GDPR (Global Data Protection Regulation)
Term which describes destroying media to the point of being unrecoverable
Sanitization
Science of cryptography and cryptanalysis
Cryptology
Sharing proof of a part of the knowledge without knowing the actual knowledge
Zero Knowledge Proof
The work factor to break a cryptosystem depends on this
Key strength
Do you need to know “n(n-1)/2” ?
You most likely will not need to calculate total number of symmetric keys required
Streaming cipher version of cipher block chaining
Cipher Feedback Mode
The most important phase/step of the BCP/DRP process to know for the CISSP exam
Business Impact Analysis
Temporary location for holding initial memory instructions on a CPU
Registers
A countermeasure to inference
Polyinstantiation
Java, C++, Python, or other languages all have to be broken down to this by the processor
Binary format
After passing the CISSP, what can you focus on for a prosperous future?
Cloud computing or technical certs. You already have the best high-level cert.
Method of accessing a secure and separate channel outside the realm of the existing system
Out-of-band
Reckless programming leads to vulnerabilities which lead to this
Exploits
A bug in this protocol can lead hackers to compromising single sign-on services to websites
SAML
The approach to bridge different organizational teams to prevent conflicting priorities
DevOps
System which makes decisions based on the perceived thought process of humans
Neural Network
Cost is not a factor when classifying data.
Cost is a factor when implementing the security controls on classified data.
Concerned with preventing information from lower security levels to flow to higher security levels
Biba Model
Columns are ACLs, and rows are capability tables
Access Matrix
Model which uses integrity verification procedures to confirm data integrity
Clark-Wilson Model
Subjects take over rights of an object, subjects grant rights to an object
Take-Grant Model
Any organization with a BYOD Policy must try to enforce this first step with the user.
Device registration
When the introduction of a new company-wide application or system has been formally approved
Accreditation
Metadata repository
Data dictionary
Legal way to obtain other people’s confidential information
Dumpster diving
encryption=ontinyeprc
Message reordering process associated with the terms transposition or permutation
Report which covers the security, integrity, privacy, confidentiality and availability controls shared by an NDA with management and regulators
SOC2
Report on the internal financial reporting controls used by auditors and controller offices
SOC1
Report which covers the security, integrity, privacy, confidentiality and availability controls publicly available for all to view
SOC3
When you quickly go through a door you are not supposed to go through while it is closing
Piggybacking
Type of evidence which has not been tampered with at all and aligns with the facts presented
Reliable evidence
Device which can function like an IDS if the primary feature is disabled
Intrusion Prevention System
Most conservative form of system failure in terms of information security (but may cost human life)
Fail close/fail secure
The two most important things to maintain the integrity of audit trails
Date and time stamps
Windows failure in which the system is in a full secure state
Blue Screen of Death
If this is obtained from a victim, the attacker will be able to login to web services with their identity
API Key or SAML token
On-site inspection. Review how they exchange documents and data. Check out their policies, incident handling, guaranteed uptime, procedures, standards. Perform an audit by an external third-party company.
Risk management concepts for the supply chain
They used to be hired to lower costs, but slowly they are being hired for the value they would add.
Third-party vendors
Assurance that multiple vendors and partners have followed a sufficient level of quality, performance, and security controls for a finished product to a customer.
Supply chain security
Limited visibility into partner or supplier risk. Limited information to improve supplier vulnerabilities. Limited standardized platforms.
Supply chain risk management challenges
Evaluation of a vendor’s internal policies, procedures, and controls as it directly relates to the CIA Triad and the service organization.
Service Organization Control 2 (SOC2)
There is never any true security in the cloud, so it’s best to keep your data on your own. Or, the cloud provider has proper security controls to take care of data better than you ever could.
Two common attitudes toward putting data in the cloud. The solution is to find a balance.
Verify vendor security policies, contractors who may have access to the data, where the data is actually stored, any business relationships with parties who will also handle the data.
Cloud security due care practices by the data owner.
The best way to make sure your third-party cloud vendors properly handle your data and are held accountable.
Establishing a third-party risk management program.
To effectively manage cloud vendor information security risks, this type of monitoring should be encouraged from each cloud actor.
Near real-time monitoring.
Cloud actors and their individual businesses, processes, functions, missions, and supporting information security systems.
Cloud ecosystem.
SAML, OpenID, Kerberos.
Some standard protocols for cloud subscriber users to authenticate themselves.
The process of representing private data elements with a non-private and meaningless value.
Tokenization.
Other than the cloud vendor, this entity also has the responsibility of on-going monitoring and risk evaluation.
You.
Responsible for external vendor rules on an organization as a whole. Responsible for imposing internal rules on external vendors.
Responsibilities of a Compliance Officer.
A clear communicator, a strong constitution, intelligent, proactive, fair, modest, disciplined, fair principles, and held to the highest standard of ethics.
Qualities of a Compliance Officer.
Consists of a policy decision point, a policy enforcement point, and a supportive policy.
Main mechanisms of an Identity Provider for the cloud.
Amazon EC2, IBM Blue Mix, Microsoft Azure, Google Cloud, Dream Host.
Real time cloud providers.
An alternative open standard form of cloud authentication in which access is granted to a website/application without sharing passwords from another authenticated website/application.
OAuth.
Trade and professional organizations.
Sources of independent impartial auditors
Requires government agencies to have information security programs which provide assurance for networks, facilities, and systems.
Federal Information Security Management Act of 2002
Do this before prioritizing risk management of third-parties, cloud vendors, business partners, or the supply chain.
Prioritize the data and assets of your own organization first
Doveryai, no proveryai - Russian proverb describing clients first doing their own neutral third-party assessment before signing on with the vendor.
Trust, but verify
Know who you’re trusting, anticipate problems, include vendor in your security discussions, constantly verify vendor’s security.
Risk management best practices
Identify interdependencies and any risk inheritance between the cloud vendor and the consumer.
Cloud vendor risk treatment
Real-time monitoring of cloud provider’s security controls, operations, and posture
Cloud vendor risk control
An early malicious form of cloud computing with cost reduction, dynamically provisioned computers, redundancy, and security.
These are the same characteristics as botnets.
Stage at which cost, security, privacy, and the effectiveness of cloud systems and vendors must be implemented for maximum effectiveness.
The first stage, and every other stage after that.
Addresses the customized concerns, data ownership, exit rights, breach notifications, tenant isolation, employee vetting, and compliance with laws and regulations.
Negotiable agreements with cloud provider
Defines the terms of use, conditions of access, period of service, and the termination or disposal of data with a cloud service provider.
Specifications of a cloud service provider
Predefined non-negotiable and negotiable.
Types of cloud service agreements.
Everything requires risk management, especially with third-party cloud providers or any other type of unfamiliar vendor.
The theme of these flashcards.
Cloud service agreement crafted completely by the cloud service provider. They serve as the general basis for a cloud vendor’s economies of scale for cloud tenants. Can only be amended at the vendor’s discretion.
Non-negotiable service agreement.
Promotes better automation of configuration control, vulnerability testing, audits, patching, and replacing platform components.
Cloud system homogeneity
Entity which determines alone, or jointly, the purpose for which data or personal information is processed.
Data controller
Entity which handles and processes the data as dictated by the data controller.
Data processor
Direct or indirect identification to whom personal information relates.
Data subject
Legally collected data and limited to the consent and scope of the data subject.
Data collection limitation
Relevant and kept in accurate form with integrity.
Data quality
Unauthorized secondary usage of PII, uncertainty of data disposal, questionable data retention policies, determination if a breach has occurred.
Cloud computing privacy issues
Cloud service model which is cost-effective but raises the most concern for the privacy of data.
Public cloud
Access, transparency, control over data lifecycle, changing providers
Limitation or lack of user control over cloud vendors
Technique to lessen the impact of decisions which impact the privacy of user data.
Training and expertise
Unauthorized sale of detailed customer sales data to competitors or advertisers.
Unauthorized secondary usage of data in the cloud.
Deployed applications, virtual machine monitors, guest virtual machines, data storage, supporting middleware, backplane services, utilization metering and quota monitoring.
Cloud computing system complexities
Emails coming into data center servers are redirected to the cloud for further analysis to check for spam, malware, or phishing.
Data center oriented cloud service
The ability to reduce company capital investment and increase computational needs through operations expenses.
An advantage of cloud computing
Best way to counter a sprawling, widespread, unknown and unmanageable mix of insecure cloud services.
Proper organizational security governance
An organization’s responsibility to conduct agreements in line with laws, regulations, standards, and meeting specifications.
Compliance
One of the most important and common issues facing an organization whether in-house or in the cloud.
Data location
Goes beyond that of current or previous employees and includes contractors, affiliates or other third-parties.
Insider access/threat
Oftentimes equated to just vulnerability assessment and pen testing, it also covers people, machines, and processes. It covers the entire information ecosystem.
A systematic assessment, otherwise known as a security audit.
Two crucial first steps to take before performing a security audit. If these two steps are not undertaken, it creates more work and costs more down the line.
It is important to establish the goals for the audit and to remain within scope.
The use of technology to protect an asset.
Technical control
Regulatory requirements, an unbiased view, or meeting internal benchmarks of assets, would bring this entity in for an audit.
Third-party
A blind test of the system. Similar to recreating the approach of a real attacker. Provides insight into otherwise unknown attack vectors.
Black box testing
Full-knowledge test specifically targeted at known internal security controls and systems. Good for understanding the internal threat, but not the external one.
White box testing
A good balance of knowns and unknowns of a tested environment. Tester does not have full scale knowledge, allowing for discovering unknown issues.
Gray box testing
Written proof that a hacker can compromise a system. Permission is obtained, scope is defined, test is performed, compromised systems are reported.
Penetration testing.
Provides identification of operating systems, active hosts, non-essential ports or insecure ports or system misconfigurations
Vulnerability scanning
The lawful compromise of technical, physical, and administrative controls.
Penetration testing
Search engine results, primary or secondary domain nameserver identification, WHOIS or IP Lookup results, and input from user machines
The general first step of the penetration testing process, otherwise known as “Discovery” stage (Shon Harris 7th edition, page 872).
Spellchecking, formatting, encrypting, and then sending a report to the top level executives of an organization
Last step of the penetration testing process, otherwise known as “Report to Management” stage (Shon Harris 7th Edition, page 872).
An adversary that compromises this core part of the system allows them to gain the most control
Kernel
The amount of time, money, and personnel a company is willing to spend defending its network or infrastructure
Risk appetite
Disruption to this UDP protocol can affect the timestamps of multiple applications, services, and processes
Network Time Protocol (NTP)
This strategy for logs keeps them out of reach of attackers or at least adds an additional step before compromise
Storing logs on a remote device
Technical control similar to cipher block chaining which ensures the integrity of multiple hashed messages
Hash chaining
Application which correlates alerts from multiple devices and provides an overview to determine if action is required or if it’s a false positive
Security Incident Event Management (SIEM)
Associated with Unified Modeling Language, this type of testing takes the inverse of proper use-case testing
Misuse case testing
The strongest method to prevent password guessing attacks
2-factor authentication
A state of mind in which opportunities for compromise must constantly be reviewed when reviewing code
Defensive programming
One of the first operating systems to implement a ring system and also inspire the term “Unix”.
Multics operating system
Important account management step which eliminates the use of a legitimate account for malicious purposes
Suspending accounts
Allows the ability to improve the BCP/DRP process with not just a pass/fail score, but yielding long-lasting results
Performing exercises, not just testing
CPR, first aid, fire suppression, and equipment training
Physical security training
Gauging the success of a user’s performance on a potential threat validates this security control
Training
A customized, detailed and specifically crafted attack against an adversary
Social engineering
Sending multiple TCP connection synchronization packets but never responding to the acknowledgement
SYN flood
Agreement, cooperation, and adherence of this group of people will determine the success of an information security awareness program
Users
Standard which provides a framework for an organization to make sure management is meeting the needs of customers and stakeholders
ISO 9000
Ernst & Young, Deloitte & Touche, PricewaterhouseCoopers, and KPMG
Big Four companies who provide a high degree of valid audits with an unbiased nature
Naming system to describe security vulnerabilities and referred to when issuing notices.
Common Vulnerabilities and Exposures (CVE)
Type of scanning in which multiple flags are set in a packet
Xmas Scanning
Ports for FTP, SSH, Telnet, SMTP, HTTP, HTTPS
20/21, 22, 23, 25, 80, 443
Software used for testing and executing exploits
Metasploit
Type of scan which opens a half TCP connection instead of a full open connection.
TCP SYN Scanning
Scanning which goes deeper into the presence of vulnerabilities within a system instead of just discovering an open port
Network vulnerability scan, not a discovery scan.
The purpose for the “sqlmap” vulnerability scanner
To discover database vulnerabilities
Associate developers, senior developers or automated tools used to look for code flaws
Code peer review measures
Planning, overview meeting, preparation, inspection, rework and follow-up.
Fagan Inspection steps
Allows the usage of web services to use code modules to interact with each other. Usages amount in the billions worldwide.
Application Programming Interfaces (APIs)
This concept is valued over knowing how to conduct vulnerability assessment and penetration testing
Understanding the importance of vulnerability assessments and penetration testing
Port which allows the secure and remote management of network security devices using SSH
22
To be a well-rounded information security professional, the CISSP and this other type of certification goes well together
Technical certification. Examples include: CCNA, GIAC, or OSCP.
Being 15 minutes late to the testing center, not agreeing to the NDA within 5 minutes, forgetting your ID
Reasons you may be unable to take the exam without a full refund
Asking this question for any high or low-level topic in the CISSP CBK broadens your knowledge and seeks to gain a high-level overall understanding
Why?
What does Wi-fi stand for?
It doesn’t stand for anything. It is a marketing term.
Type of virtual desktop infrastructure which retains the custom settings and desktop environment for a user even after logging off
Persistent virtual desktops
Type of media which would require both on-site and off-site storage
Tape media
Environmental, physical, and infrastructure changes force the annual test of this process
BCP/DRP
Cryptography services provided by digital signatures
Nonrepudiation, authentication, integrity
Cryptography service NOT provided by digital signatures
Confidentiality
Method by which digital signatures provide nonrepudiation and authentication
When sender signs the hash with their private key
How to provide the confidentiality of a digital signature
Encrypted hash and plaintext message must both be encrypted with the receiver’s public key
How exactly does a digital signature provide nonrepudiation and authentication?
When the sender signs the hash with their private key, since only the sender should have their private key
Besides nonrepudiation, digital signatures are also used for these vendor services
Applets, software patches, authentication of code distributions
To digitally sign a message you must use this type of key
Your private key. Signing a message with your private key ensures nonrepudiation and authentication
These are basically an official endorsement of your public key
Digital certificate
Symantec, AWS, DigiCert, Verisign, Entrust, GlobalSign, IdenTrust
Vendors who provide digital certificates
Process involves checking the certificate authority’s public key, as well as CRL or OCSP
Digital certificate verification process
Compromise, loss of private key, erroneous issuance, change in public key details, a change in security association or sponsor
Reasons to revoke a digital certificate
Ticket authentication system which provides identification and authentication for services
Kerberos
Single point of failure in a Kerberos system. Is the trusted third-party for all clients and services in a realm.
Key Distribution Center (KDC)
Two major components of Kerberos are provided by this entity which is hosted on the Key Distribution Center
Authentication Server
Security, reliability, transparency, scalability
Four basic access control requirements provided by Kerberos
The principal, the application or resource, and the Key Distribution Center
Components of Kerberos
Limited lifetime of tickets, physical security of KDC, turning off non-Kerberos services
Security best practices for Kerberos
Short passwords in Kerberos are susceptible to this type of attack
Brute-force
Long passwords in Kerberos are susceptible to this type of system malfunction
Overload of system services (Longer encryption and decryption time)
The basis and the main element which makes Kerberos possible
Tickets
Entering your memorized password and checking your hard token in your possession follows these authentication factors
Something you know, something you have
Process of mathematically generating a value which represents private data located somewhere else
Tokenization
Local encryption keys must be marked with this in order to prevent them from being sent to another system
Non-exportable mark
Values generated by a soft token should have this lifetime
Less than 2 minutes
A practice of spying which could reveal a user’s soft-token-generated PIN
Shoulder surfing
Traditional cryptography uses complex mathematical calculations; quantum cryptography relies on this branch of science
Physics
Obfuscations, tokenization, and generally altering a message from the original form to something indecipherable upholds this cryptographic service
Confidentiality
A constant state of encrypting and decrypting a message until it reaches its final destination
Link encryption
Controls designed to make sure strong cryptographic technology is not sent to places where it would be used maliciously
International Export Controls
A complementary access control principle to dual control in which two users share knowledge of a single password or secret
Split Knowledge
Technique to allow only specific hardware devices in your household access to the Wi-Fi
MAC filtering
Transportation, industry, healthcare, energy, agriculture, defense, emergency services, building utilities, power grid
Sectors of cyber-physical systems (CPS)
Abstractions, modularity, diagnostics, prognostics, distributed sensing, integration of multi-physics models, autonomy, human interaction
Core technologies needed to maintain the security and viability of cyber-physical systems (CPS)
Industrial Control Systems (ICS)
Single standalone computers which monitor and control industrial and infrastructure systems like cyber-physical systems
A subgroup of Industrial Control Systems widely used to control, monitor, and interconnect cyber-physical systems
Supervisory Control and Data Acquisition (SCADA)
DDoS, unauthorized remote access endpoints, human error, sabotage, technical errors or accidents, unintentional outages, compromise of network hardware
Threats to Industrial Control Systems (ICS)
NISTIR 7628 is a good document to read in order to familiarize yourself with how to secure this type of system.
Cybersecurity for the electric power infrastructure.
Special purpose long-term use key used to protect a session key
Key encrypting key (KEK)
The process of using a key encrypting key to protect a session key
Key wrapping
You will most likely not have to know this formula for the exam, but it is useful to know the purpose of n(n-1)/2
Calculating the number of symmetric keys used for users (n is the number of users)
A central location where private keys are held should be encrypted, signed, and MACed in order to provide these two security services
Integrity and confidentiality
The period of time in which a cryptographic key can be used; a key may even be stored for decades in order to verify signatures and perform decryption
Crypto period
Is there a policy for the governance and usage of private keys? How long will the key be in long-term storage? What is the exposure risk to the data if the key is compromised?
Questions to ask when archiving crypto keys
Key derivation process, the threat factor, open office vs public terminal, data encryption, key production, key protection guidelines, number of copies of a key
Factors affecting risk exposure to crypto keys
Official terms describing a message of any length that goes through a hash function and produces an output of a standard length
Variable-length input, fixed-length output (relate this to hashing algorithms like MD5 or SHA)
Studying the amount of power a device may emit in order to use it in a passive attack to discover the secret key of a cryptographic algorithm
Side-channel attack
Diffie-Hellman uses public/private keys but not for the encryption of the message. The main function is for another crypto service
Secure key exchange
Type of cryptographic attack which works best against a substitution cipher with known plaintext language statistics
Frequency analysis
If I created a file, and I trusted you with it, and only you with it
Non-transitive trust
If I created a file, I trust you with the file, and your friend with the file
Transitive trust