CISSP Notes Flashcards

1
Q

Type of malware which can change or update a system’s kernel

A

Rootkit

2
Q

Best practice when it comes to taking measures against a rootkit

A

Reinstall operating system

3
Q

Type of self-sufficient malware

A

Worm

4
Q

Malware which attaches itself to a host file or program and needs that host (and usually a user action) to spread

A

Virus

5
Q

Firewall rule placed at the top of the rulebase to drop direct connections to the firewall

A

Stealth rule

6
Q

Attribute-based access control allows authorization through this type of condition

A

Environmental

7
Q

Examples of environmental attributes in ABAC

A

Time of day, geolocation, network type

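
The cards above describe ABAC in words only. The following is an added example (not from the flashcards) of a decision function that combines subject, object and environmental attributes. The roles, classification labels, allowed countries and business-hours window are constructed for the demo; a real policy would come from the organization's policy decision point.

```python
from dataclasses import dataclass

# Constructed policy inputs for the example (not from the flashcards).
ALLOWED_COUNTRIES = {"US", "CA", "GB"}
BUSINESS_HOURS = range(8, 18)              # 08:00 up to, but not including, 18:00
CONFIDENTIAL_ROLES = {"engineer", "analyst"}
LEVEL = {"public": 0, "internal": 1, "confidential": 2}

@dataclass(frozen=True)
class Request:
    subject_role: str                      # subject attribute
    subject_clearance: str                 # subject attribute
    object_classification: str             # object attribute
    hour: int                              # environmental: time of day, 0-23
    country: str                           # environmental: geolocation of the client
    network: str                           # environmental: "corp", "vpn" or "public"

def is_permitted(req: Request) -> bool:
    """Return True only when every attribute condition in the policy holds (deny by default)."""
    if req.subject_clearance not in LEVEL or req.object_classification not in LEVEL:
        return False                                    # unknown labels are never granted
    # Subject/object rule: clearance must dominate the object's classification.
    if LEVEL[req.subject_clearance] < LEVEL[req.object_classification]:
        return False
    if req.object_classification == "public":
        return True                                     # no environmental limits on public data
    # Environmental rules apply to anything above "public".
    if req.network == "public":
        return False                                    # sensitive data never over untrusted networks
    if req.country not in ALLOWED_COUNTRIES:
        return False                                    # geolocation condition
    if req.object_classification == "confidential":
        if req.subject_role not in CONFIDENTIAL_ROLES:
            return False                                # role condition on top of clearance
        if req.hour not in BUSINESS_HOURS:
            return False                                # time-of-day condition
    return True

if __name__ == "__main__":
    print(is_permitted(Request("engineer", "confidential", "confidential", 10, "US", "corp")))
    print(is_permitted(Request("engineer", "confidential", "confidential", 2, "US", "corp")))
```

The same subject and object get different answers depending on time, location and network, which is exactly what distinguishes ABAC from role- or label-only models.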
8
Q

Subjects access _________

A

objects

9
Q

Signing a document with your private key provides

A

Nonrepudiation

10
Q

HMAC is associated with this high-level and fundamental security concept

A

Integrity

11
Q

Users are allowed access to resources through a pre-determined template

A

Role-based access control

12
Q

Firewall policies reflect this type of access control

A

Rule-based access control

13
Q

Every object must have an owner

A

Discretionary Access Control

14
Q

A more in-depth, granular, detailed, and fully tested evaluation provides ________

A

assurance

15
Q

Technical evaluation of a product's security functionality and assurance against a set of requirements

A

Certification

16
Q

Determining why to create the software and for what purpose

A

First phase of SDLC

17
Q

Implementing proper disposal methods for software

A

Last phase of SDLC

18
Q

A portion of software which is left unprotected and could provide a means for an attacker

A

Attack surface

19
Q

How well the components of software work together per design specifications

A

Integration testing

20
Q

Making sure the users verify the product operates as it should

A

User acceptance testing

21
Q

Enter safe mode, recover files, validate operations

A

What to do after a system crash

22
Q

Only allowing systems administrators to shut down critical systems

A

Reduce the possibility of denial of service

23
Q

When processes should not be interrupted from receiving input to providing output

A

Atomic transactions

24
Q

Type of codes which maintain the integrity of files

A

Message authentication code

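
Cards 10 and 24 name HMAC and message authentication codes as integrity controls. As an added example (not from the flashcards), this block computes an HMAC-SHA256 tag and verifies it in constant time; the key and messages are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo key; a real key is generated with secrets.token_bytes() and never hard-coded.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"

def make_tag(key: bytes, message: bytes) -> bytes:
    """Compute the MAC over the message with the shared secret key."""
    return hmac.new(key, message, hashlib.sha256).digest()

def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute and compare in constant time so timing does not leak how many bytes matched."""
    return hmac.compare_digest(make_tag(key, message), tag)

def demo() -> tuple:
    """Constructed scenario: a genuine message, a modified message, and a forgery attempt."""
    msg = b"transfer 100 to account 42"
    tag = make_tag(DEMO_KEY, msg)
    genuine = verify_tag(DEMO_KEY, msg, tag)
    tampered = verify_tag(DEMO_KEY, b"transfer 900 to account 42", tag)   # message changed in transit
    wrong_key = verify_tag(b"attacker-key", msg, tag)                     # forged without the key
    return genuine, tampered, wrong_key

if __name__ == "__main__":
    print(demo())
```

Because both sender and receiver hold the same key, an HMAC proves integrity and origin to the other key holder but not to a third party; that is why card 9 credits nonrepudiation to a private-key signature rather than to a MAC.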
25
Even if a report has no data, it should still say "no data to report".
Input/output control
26
The default state of wiring closet doors.
Closed and locked
27
When doors are opened during emergencies
Fail-safe
28
The estimated amount of time a device is meant to work reliably.
Mean time between failures
29
This should be implemented if the mean time to repair is too high on a device
Redundancy measures
30
The decision engine in this access control method is controlled by the operating system in highly classified computers
Mandatory Access Control
31
ACLs provide this type of RBAC, with no formal roles other than by the user themselves
Non-RBAC
32
An access control system fully defined by organizational roles, policies, and permissions for subjects to objects
Full RBAC
33
Attack from flaws in IP packet reassembly
Teardrop attack
34
10.1.2.0/23 and 10.1.3.248/30
Overlapping RFC 1918 (private) subnets: 10.1.3.248/30 lies entirely inside 10.1.2.0/23 (10.1.2.0 to 10.1.3.255)
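
As an added example (not from the flashcards), the following checks the two networks on card 34 for RFC 1918 membership and mutual overlap using the standard library; it generalizes to any list of CIDRs.

```python
import ipaddress
from itertools import combinations

# The three RFC 1918 private address blocks.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(cidr: str) -> bool:
    """True when the whole network sits inside one of the private blocks."""
    net = ipaddress.ip_network(cidr, strict=True)
    return any(net.subnet_of(block) for block in RFC1918)

def overlapping_pairs(cidrs) -> list:
    """Return (a, b) string pairs for every two networks that share at least one address."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]   # strict: reject host bits set
    return [(str(a), str(b)) for a, b in combinations(nets, 2) if a.overlaps(b)]

def describe(cidr: str) -> str:
    net = ipaddress.ip_network(cidr, strict=True)
    return f"{net}: {net[0]}-{net[-1]}, {net.num_addresses} addresses, private={is_rfc1918(cidr)}"

if __name__ == "__main__":
    card = ["10.1.2.0/23", "10.1.3.248/30"]          # the two networks from the card
    for c in card:
        print(describe(c))
    print("overlaps:", overlapping_pairs(card))
```

Overlapping routes are a common source of mis-delivered traffic and of firewall rules that silently match more than intended, so a check like this belongs in any change process for address plans.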
35
A product which provides IDS/IPS, DLP, firewall, antimalware, antispam services
Unified Threat Management
36
First thing to establish before any security control or project
The business need
37
Transferring workers to another organization's workplace to use their infrastructure as a recovery agreement
Reciprocal agreement
38
Type of recovery site necessary for an MTD of 1 hour
Hot site
39
Type of recovery site necessary for an MTD of 12 hours
Warm site
40
Deciding and approving who is granted permissions and authorization rights is this type of control
Administrative (the ACLs that enforce the decision are technical controls)
41
NIST 800-34
Contingency Planning Guide for Federal Information Systems (good read for the exam)
42
Who can declare an emergency?
Anyone
43
Who can declare a disaster?
BCP Coordinator
44
Read Shon Harris 7th Edition once, Sybex 3 times, Official CBK once
Study Tips
45
The best way to memorize something for the exam. It creates a visual placeholder in your brain.
Handwritten notes
46
Don't let your dreams be dreams, achieve them with goals. Achieve them with three methods.
Discipline, dedication, consistency.
47
People taking the exam usually think they are going to fail. But they pass.
Just like you will.
48
A Cisco ASA firewall failing after 213 days of uptime
One observed time to failure; averaging such figures over many units or failures gives the mean time between failures
49
The more complex a device, program, or component
The less reliability
50
Data written across all drives increases write performance
Striping
51
Applying controls to better "suit" an environment beyond the recommended baseline
Tailoring
52
Eliminating unnecessary controls for an environment recommended by a baseline
Scoping
53
Applying minimum security controls as a reference point in an organization
Baseline
54
Pre-employment administrative (preventive) control to gauge employee suitability
Background investigation
55
Most important action before applying updates or patches to a system in production
Backup
56
Type of knowledge that is a must for the CISSP exam
Inter-domain
57
The most stressful moments of the CISSP exam
First 10-15 minutes/questions
58
Port for SMTP
25
59
Practice CISSP questions most similar to the CISSP exam
CISSP Practice Questions, Fourth Edition, Shon Harris
60
A more secure way to remotely connect to servers instead of Telnet (Port 23)
SSH (Port 22)
61
Standards enforce a _________ environment
homogeneous
62
Form of API security to mitigate DOS
Rate-limiting
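
Card 62 names rate limiting as the API control against denial of service. As an added example (not from the flashcards), this block implements a per-client token bucket; the rate, burst size and client names are constructed for the demo, and the clock is injectable so the scenario is reproducible.

```python
import time

class TokenBucket:
    """Allow a burst of `burst` requests, then refill at `rate_per_sec` tokens per second."""
    def __init__(self, rate_per_sec: float, burst: int, clock=time.monotonic):
        self.rate = rate_per_sec
        self.capacity = float(burst)
        self.tokens = float(burst)
        self.clock = clock
        self.last = clock()

    def allow(self, cost: float = 1.0) -> bool:
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False                       # caller should answer 429 Too Many Requests

class RateLimiter:
    """One bucket per client identity so one abusive caller cannot starve the others."""
    def __init__(self, rate_per_sec: float, burst: int, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate_per_sec, burst, clock
        self.buckets = {}

    def allow(self, client_id: str) -> bool:
        bucket = self.buckets.get(client_id)
        if bucket is None:
            bucket = self.buckets[client_id] = TokenBucket(self.rate, self.burst, self.clock)
        return bucket.allow()

class FakeClock:
    """Deterministic clock for the demo; production code uses time.monotonic."""
    def __init__(self):
        self.t = 0.0
    def __call__(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds

def simulate() -> dict:
    """Constructed scenario: 5 req/s with a burst of 10; client A hammers, client B is polite."""
    clock = FakeClock()
    limiter = RateLimiter(rate_per_sec=5, burst=10, clock=clock)
    first_burst = sum(limiter.allow("A") for _ in range(15))     # 10 pass, 5 throttled
    b_during_burst = limiter.allow("B")                          # B unaffected by A's burst
    clock.advance(1.0)                                           # one second refills 5 tokens
    after_refill = sum(limiter.allow("A") for _ in range(15))    # only 5 pass
    return {"first_burst": first_burst, "b_during_burst": b_during_burst, "after_refill": after_refill}

if __name__ == "__main__":
    print(simulate())
```

Key the bucket on something the attacker cannot freely change (an authenticated client ID rather than a spoofable header), and put the limiter in front of the expensive work, not after it.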
63
Those who direct the business and security efforts of an organization
Senior management
64
Structure to properly direct organizational business and security efforts
Security governance
65
Cost to support, repair, replace, manage, and administer an asset
Asset valuation
66
Framework which provides steps to match business goals with IT resources
COBIT
67
Access control method which uses classifications and utilized in government systems
Mandatory Access Control
68
Standard specifying the requirements for an information security management system (ISMS), against which an organization can be certified; its controls cover clean desk policies, proper documentation, security protocols and processes
ISO 27001
69
Security model which upholds integrity through the use of data items and well-formed transactions
Clark-Wilson
70
Access control method in which each object must absolutely have an owner
Discretionary Access Control
71
Inventors of the one of the first mathematical security models
David Elliot Bell and Leonard J. LaPadula
72
Risk mitigation should be considered at which stages of the system development life-cycle?
Every stage
73
Administrative control which aims to teach users about potential social engineering techniques and other types of risks
Security awareness training
74
Access control method which uses a set with a least upper bound and a greatest lower bound
Lattice-based access control
75
A backup site to a backup site
Tertiary site
76
Renting a database program
Software as a Service
77
Renting an operating system
Platform as a Service
78
Renting a virtual firewall
Infrastructure as a Service
79
The use of shared resources among thousands of servers in thousands of data centers
Cloud computing
80
Document which outlines an appropriate level of service between a provider and a customer
Service Level Agreement (SLA)
81
Uptime, downtime, peak, average and failover times.
Common issues addressed in SLAs
82
Establishing a contract with a cloud service provider
Due care
83
Verifying controls are in place when forming a contract with a cloud service provider
Due diligence
84
Reports capable of verifying the controls used by vendors to ensure service delivery
Service Organization Control (SOC)
85
Virtualization spurred the development of this technology
Cloud computing
86
Customer's responsibility in Software as a Service
Data Security
87
Customer's responsibility in Platform as a Service
Data classification
88
Customer's responsibility in an Infrastructure as a Service
Access Control
89
Cloud service provider's responsibility in a Software as a Service
Application Security
90
Cloud service provider's responsibility in a Platform as a Service
Infrastructure Security
91
Cloud service provider's responsibility in an Infrastructure as a Service
Physical Security
92
Companies or users who utilize the services offered by the cloud
Tenants
93
AWS and Microsoft Azure
Cloud service providers
94
Cloud deployment model which dedicates all infrastructure and services to one organization (tenant)
Private cloud
95
Type of cloud shared by several organizations with common requirements (for example, the same regulatory regime)
Community cloud
96
Type of cloud service which will allow you to throttle server CPU utilization if necessary
Infrastructure as a Service
97
Best way to secure data flowing from your organization and the cloud
Encryption
98
Sort of like policies
Directives
99
Takes over when primary controls have failed
Compensating controls
100
Controls which discourage those trying to subvert directives
Deterrent controls
101
Pours water out immediately after the suppression mechanism is triggered
Wet Pipe
102
Pipe system filled with compressed air
Dry pipe system
103
Bigger pipes, more water
Deluge system
104
Best type of water suppression system for computers and other electronics
Preaction system
105
Combination of a dry pipe/wet pipe system
Preaction system
106
Vulnerability which was the death of SSL 3.0
POODLE
107
Component of ABAC which makes it a unique type of access control method
Environmental attributes
108
Data state which can be secured by hard disk encryption
Data at rest
109
Data state which can be secured by TLS
Data in motion
110
Data state which can be secured by a proper a software development life cycle
Data in use
111
Used to assess the quality of software, but not the vendor which makes the software
Common Criteria
112
Used to assess the quality of a software vendor, but not the software the vendor makes
Capability Maturity Model Integration
113
A form of non-discretionary based access control
Mandatory Access Control
114
Can be used on top of role-based access control
Rule-based access control
115
Evaluation method which preceded the Common Criteria
TCSEC (Trusted Computer System Evaluation Criteria)
116
A set of categorized basic security requirements to evaluate a specific type of system
Protection Profile
117
Documentation and paperwork to prove the functionality and assurance of a system
Security Target
118
The product or system being evaluated under the Common Criteria
Target of Evaluation
119
Hiding an invention such as custom encryption and thinking attackers won't ever break it
Security through obscurity
120
The observation that the number of transistors on a microchip doubles roughly every two years, so growing compute power eventually makes older algorithms and key sizes breakable
Moore's Law
121
Destroying the key for data that is already encrypted, so the ciphertext on the drive becomes unrecoverable without overwriting it
Crypto erase
122
Overwriting sectors on a hard drive
Overwriting
123
Media which cannot be degaussed
Solid state drives
124
Method of calculating the different ways a system can experience faults that lower reliability and safety
Fault-tree analysis
125
Technology used to control physical components of industrial environments
Industrial control systems
126
Trusting your friend and your friend's friend with data
Transitive trust
127
Trusting your friend and only your friend with data
Non-transitive trust
128
FTPS and SMTPS
Protocols which use Transport Layer Security
129
What to do the night before the exam
Get at least 8 hours of sleep
130
Predefined package of assurance requirements against which a Target of Evaluation is tested
Common Criteria EALs (EAL1 through EAL7)
131
Software, encryption algorithms, key management, applications, TPMs
A cryptosystem
132
Encryption cipher which uses a long piece of existing text, such as a passage from a book, as the key
Running key cipher
133
Less mathematical computations than public key cryptography
Symmetric encryption
134
Probably the only stream cipher you need to know for the CISSP exam
RC4
135
Random values used at the beginning of a keystream or algorithm
Initialization Vectors
136
Signing a document with a private key provides nonrepudiation and also this
Authentication
137
A symmetric key used one time to secure the communication channel for data
Session key
138
Supports 14 rounds of encryption if both the key and block sizes are 256 bits
Rijndael 256
139
Cryptographic keys should never be in cleartext outside the system's trusted memory location
Key management principle
140
Unique private key within a TPM and a public key to authenticate the TPM
Endorsement Key
141
The toughest cryptographic attack
Ciphertext-Only Attacks
142
You can view Known-Plaintext Attack in this movie
The Imitation Game
143
Locks, bollards, fences, barriers
Physical preventive (delay) controls: they slow an attacker down and buy time for detection and response rather than stopping a determined attacker outright
144
Emergency 911 service, water sprinklers, Army National Guard
Physical responses to security incidents
145
Results obtained from custom measurements of information which are becoming more important in organizations
Metrics
146
Manipulating the natural environment to reduce crime around a facility
Crime Prevention Through Environmental Design (CPTED)
147
WAN technology which dedicates a single virtual connection between two systems, not multiple paths
Circuit-switched
148
Multitasking, multicore, multiprocessing, multithreading
They all do not mean the same thing, should know the difference
149
Type of system security mode which provides the least amount of risk as compared to a multilevel security mode
Dedicated mode
150
If you don't want the predicted path of a synthetic transactions, use this instead
Real User Monitoring (RUM)
151
Your mindset and role when taking the CISSP exam
Risk advisor, security consultant, CISO, senior management
152
Type of solutions to pick when taking the CISSP exam
High-level answers which guide the organization without taking direct hands-on action
153
Every choice picked on the real CISSP exam must revolve around this
Risk management and cost-benefit analysis. Identifying and valuating assets. CIA Triad.
154
Input validation, message digests, preventing unauthorized modifications
Integrity protections
155
Availability metrics
MTD/RTO/RPO/SLA/MTBF/MTTR
156
What comes after identification but before authorization
Authentication
157
Operational plans are within days or weeks, tactical plans are within months, and strategic plans are within
years
158
Why do we have data classification
For implementing proper security controls
159
The activities which promote due care
Due diligence
160
The amount of time for which an organization will face risk
FOREVER
161
Risk Treatment: MART
Mitigate, Accept, Reject, Transfer (rejection, i.e. ignoring a known risk, is listed only to be recognized as an unacceptable choice; avoidance is the valid fourth option)
162
What are the exact BCP/DRP steps to know for the CISSP exam?
There are no official steps. Just know the general steps. Policy, BIA, Recovery Strategies, Maintenance
163
What do you probably NOT have to memorize or know for the exam?
TCSEC, US Laws
164
The right to be forgotten and having your personal information deleted is part of which regulation?
GDPR (General Data Protection Regulation)
165
Term which describes destroying media to the point of being unrecoverable
Sanitization
166
Science of cryptography and cryptanalysis
Cryptology
167
Proving that you know a secret without revealing the secret itself
Zero Knowledge Proof
168
The work factor to break a cryptosystem depends on this
Key strength
169
Do you need to know "n(n-1)/2" ?
You most likely will not need to calculate total number of symmetric keys required
170
Streaming cipher version of cipher block chaining
Cipher Feedback Mode
171
The most important phase/step of the BCP/DRP process to know for the CISSP exam
Business Impact Analysis
172
Temporary location for holding initial memory instructions on a CPU
Registers
173
A countermeasure to inference
Polyinstantiation
174
Java, C++, Python, or other languages all have to be broken down to this by the processor
Machine code (binary)
175
After passing the CISSP, what can you focus on for a prosperous future?
Cloud computing or technical certs. You already have the best high-level cert.
176
Method of accessing a secure and separate channel outside the realm of the existing system
Out-of-band
177
Reckless programming leads to vulnerabilities which lead to this
Exploits
178
A bug in this protocol can lead hackers to compromising single sign-on services to websites
SAML
179
The approach to bridge different organizational teams to prevent conflicting priorities
DevOps
180
System which makes decisions by mimicking how biological neurons connect and learn
Neural Network
181
Cost is not a factor when classifying data.
Cost is a factor when implementing the security controls on classified data.
182
Concerned with preventing information from lower integrity levels from flowing up to higher integrity levels
Biba Model
183
Columns are ACLs, and rows are capability tables
Access Matrix
184
Model which uses integrity verification procedures to confirm data integrity
Clark-Wilson Model
185
Subjects take over rights of an object, subjects grant rights to an object
Take-Grant Model
186
Any organization with a BYOD Policy must try to enforce this first step with the user.
Device registration
187
When the introduction of a new company-wide application or system has been formally approved
Accreditation
188
Metadata repository
Data dictionary
189
Way to obtain other people's discarded confidential information; legal in many jurisdictions once the trash is in a public place
Dumpster diving
190
encryption=ontinyeprc
Message reordering process associated with the terms transposition or permutation
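
Card 190 shows that a transposition only reorders the letters of "encryption". As an added example (not from the flashcards), this block implements a keyed columnar transposition with encryption and decryption; the key "zebra" is a constructed demo key, and the card's own ciphertext was produced with some other, unstated arrangement.

```python
from collections import Counter

def _column_order(key: str) -> list:
    # Read columns in alphabetical order of the key letters; ties broken left to right.
    return sorted(range(len(key)), key=lambda i: (key[i], i))

def transpose_encrypt(plaintext: str, key: str) -> str:
    """Write the text row by row under the key, then read the columns in key order."""
    cols = len(key)
    rows = [plaintext[i:i + cols] for i in range(0, len(plaintext), cols)]
    return "".join(row[c] for c in _column_order(key) for row in rows if c < len(row))

def transpose_decrypt(ciphertext: str, key: str) -> str:
    """Rebuild the columns (handling a ragged last row), then read back row by row."""
    cols = len(key)
    full_rows, rem = divmod(len(ciphertext), cols)
    # Columns to the left of the ragged edge hold one extra character.
    col_len = {c: full_rows + (1 if c < rem else 0) for c in range(cols)}
    columns, pos = {}, 0
    for c in _column_order(key):
        columns[c] = ciphertext[pos:pos + col_len[c]]
        pos += col_len[c]
    n_rows = full_rows + (1 if rem else 0)
    return "".join(columns[c][r] for r in range(n_rows) for c in range(cols) if r < col_len[c])

def same_letters(a: str, b: str) -> bool:
    """Transposition only reorders, so the letter histogram is unchanged (unlike substitution)."""
    return Counter(a) == Counter(b)

if __name__ == "__main__":
    ct = transpose_encrypt("encryption", "zebra")
    print(ct, transpose_decrypt(ct, "zebra"))
    print(same_letters("encryption", "ontinyeprc"))    # the card's pair is a pure reordering
```

The unchanged letter frequencies are also why a transposition alone is weak: an analyst can recognize it from the histogram and attack the column order directly.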
191
Report which covers the security, availability, processing integrity, confidentiality and privacy controls, shared under NDA with management, regulators and customers
SOC2
192
Report on the internal financial reporting controls used by auditors and controller offices
SOC1
193
Report which covers the security, integrity, privacy, confidentiality and availability controls publicly available for all to view
SOC3
194
When you quickly go through a door you are not supposed to go through while it is closing
Piggybacking
195
Type of evidence which has not been tampered with at all and aligns with the facts presented
Reliable evidence
196
Device which can function like an IDS if the primary feature is disabled
Intrusion Prevention System
197
Most conservative form of system failure in terms of information security (but may cost human life)
Fail close/fail secure
198
The two most important things to maintain the integrity of audit trails
Date and time stamps
199
Windows stop error in which the kernel halts the system rather than continue in an inconsistent state (fail-secure behaviour)
Blue Screen of Death
200
If this is obtained from a victim, the attacker will be able to login to web services with their identity
API Key or SAML token
201
On-site inspection. Review how they exchange documents and data. Check out their policies, incident handling, guaranteed uptime, procedures, standards. Perform an audit by an external third-party company.
Risk management concepts for the supply chain
202
They used to be hired to lower costs, but slowly they are being hired for the value they add.
Third-party vendors
203
Assurance that multiple vendors and partners have followed a sufficient level of quality, performance, and security controls for a finished product to a customer.
Supply chain security
204
Limited visibility into partner or supplier risk. Limited information to improve supplier vulnerabilities. Limited standardized platforms.
Supply chain risk management challenges
205
Evaluation of a vendor's internal policies, procedures, and controls as it directly relates to the CIA Triad and the service organization.
Service Organization Control 2 (SOC2)
206
There is never any true security in the cloud, so it's best to keep your data on your own. Or, the cloud provider has proper security controls to take care of data better than you ever could.
Two common attitudes toward putting data in the cloud. The solution is to find a balance.
207
Verify vendor security policies, contractors who may have access to the data, where the data is actually stored, any business relationships with parties who will also handle the data.
Cloud security due care practices by the data owner.
208
The best way to make sure your third-party cloud vendors properly handle your data and are held accountable.
Establishing a third-party risk management program.
209
To effectively manage cloud vendor information security risks, this type of monitoring should be encouraged from each cloud actor.
Near real-time monitoring.
210
Cloud actors and their individual businesses, processes, functions, missions, and supporting information security systems.
Cloud ecosystem.
211
SAML, OpenID, Kerberos.
Some standard protocols for cloud subscriber users to authenticate themselves.
212
The process of representing private data elements with a non-private and meaningless value.
Tokenization.
213
Other than the cloud vendor, this entity also has the responsibility of on-going monitoring and risk evaluation.
You.
214
Responsible for external vendor rules on an organization as a whole. Responsible for imposing internal rules on external vendors.
Responsibilities of a Compliance Officer.
215
A clear communicator, a strong constitution, intelligent, proactive, fair, modest, disciplined, fair principles, and held to the highest standard of ethics.
Qualities of a Compliance Officer.
216
Consists of a policy decision point, a policy enforcement point, and a supportive policy.
Main mechanisms of an Identity Provider for the cloud.
217
Amazon EC2, IBM Blue Mix, Microsoft Azure, Google Cloud, Dream Host.
Real time cloud providers.
218
An alternative open standard form of cloud authentication in which access is granted to a website/application without sharing passwords from another authenticated website/application.
OAuth.
219
Trade and professional organizations.
Sources of independent impartial auditors
220
Requires government agencies to have information security programs which provide assurance for networks, facilities, and systems.
Federal Information Security Management Act of 2002
221
Do this before prioritizing risk management of third-parties, cloud vendors, business partners, or the supply chain.
Prioritize the data and assets of your own organization first
222
Doveryai, no proveryai - Russian proverb describing clients first doing their own neutral third-party assessment before signing on with the vendor.
Trust, but verify
223
Know who you're trusting, anticipate problems, include vendor in your security discussions, constantly verify vendor's security.
Risk management best practices
224
Identify interdependencies and any risk inheritance between the cloud vendor and the consumer.
Cloud vendor risk treatment
225
Real-time monitoring of cloud provider's security controls, operations, and posture
Cloud vendor risk control
226
An early malicious form of cloud computing with cost reduction, dynamically provisioned computers, redundancy, and security.
These are the same characteristics as botnets.
227
Stage at which cost, security, privacy, and the effectiveness of cloud systems and vendors must be implemented for maximum effectiveness.
The first stage, and every other stage after that.
228
Addresses the customized concerns, data ownership, exit rights, breach notifications, tenant isolation, employee vetting, and compliance with laws and regulations.
Negotiable agreements with cloud provider
229
Defines the terms of use, conditions of access, period of service, and the termination or disposal of data with a cloud service provider.
Specifications of a cloud service provider
230
Predefined non-negotiable and negotiable.
Types of cloud service agreements.
231
Everything requires risk management, especially with third-party cloud providers or any other type of unfamiliar vendor.
The theme of these flashcards.
232
Cloud service agreement crafted completely by the cloud service provider. They serve as the general basis for a cloud vendor's economies of scale for cloud tenants. Can only be amended at the vendor's discretion.
Non-negotiable service agreement.
233
Promotes better automation of configuration control, vulnerability testing, audits, patching, and replacing platform components.
Cloud system homogeneity
234
Entity which determines alone, or jointly, the purpose for which data or personal information is processed.
Data controller
235
Entity which handles and processes the data as dictated by the data controller.
Data processor
236
Direct or indirect identification to whom personal information relates.
Data subject
237
Legally collected data and limited to the consent and scope of the data subject.
Data collection limitation
238
Relevance and kept in accurate form with integrity .
Data quality
239
Unauthorized secondary usage of PII, uncertainty of data disposal, questionable data retention policies, determination if a breach has occurred.
Cloud computing privacy issues
240
Cloud service model which is cost-effective but raises the most concern for the privacy of data.
Public cloud
241
Access, transparency, control over data lifecycle, changing providers
Limitation or lack of user control over cloud vendors
242
Technique to lessen the impact of decisions which impact the privacy of user data.
Training and expertise
243
Unauthorized sale of detailed customer sales data to competitors or advertisers.
Unauthorized secondary usage of data in the cloud.
244
Deployed applications, virtual machine monitors, guest virtual machines, data storage, supporting middleware, backplane services, utilization metering and quota monitoring.
Cloud computing system complexities
245
Emails coming into data center servers are redirected to the cloud for further analysis to check for spam, malware, or phishing.
Data center oriented cloud service
246
The ability to reduce company capital investment and increase computational needs through operations expenses.
An advantage of cloud computing
247
Best way to counter a sprawling, widespread, unknown and unmanageable mix of insecure cloud services.
Proper organizational security governance
248
An organization's responsibility to conduct agreements in line with laws, regulations, standards, and meeting specifications.
Compliance
249
One of the most important and common issues facing an organization whether in-house or in the cloud.
Data location
250
Goes beyond that of current or previous employees and includes contractors, affiliates or other third-parties.
Insider access/threat
251
Often times equated to just vulnerability assessment and pen testing, it also covers people, machines, and processes. It covers the entire information ecosystem.
A systematic assessment, otherwise known as a security audit.
252
Two crucial first steps to take before performing a security audit. If these two steps are not undertaken, it creates more work and costs more down the line.
It is important to establish the goals for the audit and to remain within scope.
253
The use of technology to protect an asset.
Technical control
254
Regulatory requirements, an unbiased view, or meeting internal benchmarks of assets, would bring this entity in for an audit.
Third-party
255
A blind test of the system. Similar to recreating the approach of a real attacker. Provides insight into otherwise unknown attack vectors.
Black box testing
256
Full-knowledge test specifically targeted at known internal security controls and systems. Good for understanding the internal threat, but not the external one.
White box testing
257
A good balance of knowns and unknowns of a tested environment. Tester does not have full scale knowledge, allowing for discovering unknown issues.
Gray box testing
258
Written proof that a hacker can compromise a system. Permission is obtained, scope is defined, test is performed, compromised systems are reported.
Penetration testing.
259
Provides identification of operating systems, active hosts, non-essential ports or insecure ports or system misconfigurations
Vulnerability scanning
260
The lawful compromise of technical, physical, and administrative controls.
Penetration testing
261
Search engine results, primary or secondary domain nameserver identification, WHOIS or IP Lookup results, and input from user machines
The general first step of the penetration testing process, otherwise known as "Discovery" stage (Shon Harris 7th edition, page 872).
262
Spellchecking, formatting, encrypting, and then sending a report to the top level executives of an organization
Last step of the penetration testing process, otherwise known as "Report to Management" stage (Shon Harris 7th Edition, page 872).
263
An adversary that compromises this core part of the system allows them to gain the most control
Kernel
264
The amount of time, money, and personnel a company is willing to spend defending its network or infrastructure
Risk appetite
265
Disruption to this UDP protocol can affect the timestamps of multiple applications, services, and processes
Network Time Protocol (NTP)
266
This strategy for logs keeps them out of reach of attackers or at least adds an additional step before compromise
Storing logs on a remote device
267
Technical control similar to cipher block chaining which ensures the integrity of multiple hashed messages
Hash chaining
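
Cards 266 and 267 cover remote log storage and hash chaining. As an added example (not from the flashcards), this block builds an append-only log in which each entry commits to the hash of the previous one, and shows that editing an old entry is detected; the audit records are constructed samples.

```python
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64      # link value for the first entry

def entry_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON so the same record always hashes the same way.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

def append(chain: list, record: dict) -> list:
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "prev": prev, "hash": entry_hash(prev, record)})
    return chain

def first_bad_entry(chain: list) -> Optional[int]:
    """Return the index of the first entry whose link or hash does not check out, else None."""
    expected_prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != expected_prev:
            return i                                    # link to the previous entry broken
        if entry["hash"] != entry_hash(entry["prev"], entry["record"]):
            return i                                    # record changed after hashing
        expected_prev = entry["hash"]
    return None

def build_sample_chain() -> list:
    chain = []
    for rec in ({"ts": "2024-01-01T10:00:00Z", "user": "alice", "event": "login"},     # constructed
                {"ts": "2024-01-01T10:05:00Z", "user": "alice", "event": "sudo"},      # constructed
                {"ts": "2024-01-01T10:06:00Z", "user": "alice", "event": "logout"}):   # constructed
        append(chain, rec)
    return chain

def tamper_demo() -> Optional[int]:
    chain = build_sample_chain()
    chain[1]["record"]["event"] = "read_mail"    # attacker edits an old entry in place
    return first_bad_entry(chain)

if __name__ == "__main__":
    print(first_bad_entry(build_sample_chain()), tamper_demo())
```

A plain hash chain only detects edits if the attacker cannot also recompute every later hash; so either key the chain with an HMAC whose key the log host never sees, or periodically ship the current head hash to the remote log server from card 266 so the two can be compared.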
268
Application which correlates alerts from multiple devices and provides an overview to determine if action is required or if it's a false positive
Security Information and Event Management (SIEM)
269
Associated with Unified Modeling Language, this type of testing takes the inverse of a proper case testing
Misuse case testing
270
The strongest method to prevent password guessing attacks
2-factor authentication
271
A state of mind in which opportunities for compromise must constantly be reviewed when reviewing code
Defensive programming
272
One of the first operating systems to implement a ring system and also inspire the term "Unix".
Multics operating system
273
Important account management step which eliminates the use of a legitimate account for malicious purposes
Suspending accounts
274
Allows the ability to improve the BCP/DRP process with not just a pass/fail score, but yielding long-lasting results
Performing exercises, not just testing
275
CPR, first aid, fire suppression, and equipment training
Physical security training
276
Gauging the success of a user's performance on a potential threat validates this security control
Training
277
A customized, detailed and specifically crafted attack against a particular target
Targeted social engineering (for example, spear phishing)
278
Sending many TCP SYN packets but never completing the handshake (no ACK in reply to the server's SYN-ACK), exhausting the server's half-open connection table
SYN flood
279
Agreement, cooperation, and adherence of this group of people will determine the success of an information security awareness program
Users
280
Standard which provides a framework for an organization to make sure management is meeting the needs of customers and stakeholders
ISO 9000
281
Ernst & Young, Deloitte & Touche, PricewaterhouseCoopers, and KPMG
Big Four companies who provide a high degree of valid audits with an unbiased nature
282
Naming system which assigns a standard identifier to each publicly known security vulnerability and is referenced in advisories and notices
Common Vulnerabilities and Exposures (CVE)
283
Type of scanning in which multiple flags (FIN, PSH and URG) are set in a packet, so the packet is "lit up like a Christmas tree"
Xmas Scanning
284
Ports for FTP, SSH, Telnet, SMTP, HTTP, HTTPS
20/21, 22, 23, 25, 80, 443
285
Software used for testing and executing exploits
Metasploit
286
Type of scan which creates a half-open TCP connection (SYN, then SYN-ACK from the target, then RST from the scanner) instead of completing the three-way handshake
TCP SYN scanning (half-open scanning)
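Added example (not part of the flashcard deck): detection logic that tells apart the three TCP behaviours from cards 278, 283 and 286 (SYN flood, Xmas scan, SYN scan) from a list of client-side packet summaries. The packet records are constructed for illustration; only the client-to-server direction is recorded, since the classification rests on whether the client ever sends the ACK that completes the handshake. The thresholds `min_ports` and `min_half_open` are illustrative values, not standards.

```python
from collections import defaultdict

SERVER = "192.168.1.10"  # constructed target address
XMAS = frozenset({"FIN", "PSH", "URG"})


def pkt(src, dst, dport, *flags):
    return {"src": src, "dst": dst, "dport": dport, "flags": frozenset(flags)}


# Constructed sample traffic (client -> server only), four behaviours mixed together
SAMPLE_PACKETS = (
    # Xmas scan: FIN+PSH+URG probes against several ports
    [pkt("10.0.0.5", SERVER, p, "FIN", "PSH", "URG") for p in (21, 22, 80, 443)]
    # SYN (half-open) scan: bare SYN to many ports, RST instead of ACK afterwards
    + [p for port in (21, 22, 23, 25, 80, 110)
       for p in (pkt("10.0.0.6", SERVER, port, "SYN"),
                 pkt("10.0.0.6", SERVER, port, "RST"))]
    # SYN flood: twelve sources open SYNs to one service and never complete them
    + [pkt(f"10.0.1.{i}", SERVER, 443, "SYN") for i in range(1, 13)]
    # Legitimate client: SYN followed by the completing ACK
    + [pkt("10.0.0.7", SERVER, 443, "SYN"), pkt("10.0.0.7", SERVER, 443, "ACK")]
)


def xmas_sources(packets):
    """Sources that sent packets with FIN, PSH and URG all set (never a valid combination)."""
    return sorted({p["src"] for p in packets if XMAS <= p["flags"]})


def half_open(packets):
    """Map (dst, dport) -> set of sources that sent a bare SYN and never an ACK."""
    syns, acks = defaultdict(set), defaultdict(set)
    for p in packets:
        key = (p["dst"], p["dport"])
        if p["flags"] == frozenset({"SYN"}):
            syns[key].add(p["src"])
        elif "ACK" in p["flags"]:
            acks[key].add(p["src"])
    return {k: v - acks[k] for k, v in syns.items() if v - acks[k]}


def syn_scan_sources(packets, min_ports=5):
    """A SYN scan looks like one source with half-open connections to many ports."""
    ports_by_src = defaultdict(set)
    for (_, dport), srcs in half_open(packets).items():
        for s in srcs:
            ports_by_src[s].add(dport)
    return sorted(s for s, ports in ports_by_src.items() if len(ports) >= min_ports)


def syn_flood_targets(packets, min_half_open=10):
    """A SYN flood looks like one service with half-open connections from many sources."""
    return {k: len(v) for k, v in half_open(packets).items() if len(v) >= min_half_open}


if __name__ == "__main__":
    print("Xmas scan from:", xmas_sources(SAMPLE_PACKETS))
    print("SYN scan from:", syn_scan_sources(SAMPLE_PACKETS))
    print("SYN flood against:", syn_flood_targets(SAMPLE_PACKETS))
```

The same half-open bookkeeping serves both detections: a scan is many ports from one source, a flood is many sources on one port. The legitimate client on 443 drops out of both counts because its ACK arrives.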
287
Scanning which goes deeper into the presence of vulnerabilities within a system instead of just discovering an open port
Network vulnerability scan, not a discovery scan.
288
The purpose of the "sqlmap" tool
To detect and exploit SQL injection flaws in web applications and their back-end databases
289
Associate developers, senior developers or automated tools used to look for code flaws
Code peer review measures
290
Planning, overview meeting, preparation, inspection, rework and follow-up.
Fagan Inspection steps
291
Allow web services and applications to call each other's code modules through defined interfaces; they are used billions of times a day worldwide
Application Programming Interfaces (APIs)
292
For the exam, this is valued over knowing how to actually conduct a vulnerability assessment or penetration test
Understanding the importance of vulnerability assessments and penetration testing
293
Port which allows the secure and remote management of network security devices using SSH
22
294
To be a well-rounded information security professional, the CISSP and this other type of certification goes well together
Technical certification. Examples include: CCNA, GIAC, or OSCP.
295
Being 15 minutes late to the testing center, not agreeing to the NDA within 5 minutes, forgetting your ID
Reasons you may be unable to take the exam without a full refund
296
Asking this question about any high-level or low-level topic in the CISSP CBK broadens your knowledge and builds overall understanding
Why?
297
What does Wi-fi stand for?
It doesn't stand for anything. It is a marketing term.
298
Type of virtual desktop infrastructure which retains the custom settings and desktop environment for a user even after logging off
Persistent virtual desktops
299
Type of media which would require both on-site and off-site storage
Tape media
300
Environmental, physical, and infrastructure changes force the annual test of this process
BCP/DRP
301
Cryptography services provided by digital signatures
Nonrepudiation, authentication, integrity
302
Cryptography service NOT provided by digital signatures
Confidentiality
303
Method to which digital signatures provide nonrepudiation and authentication
When sender signs the hash with their private key
304
How to add confidentiality to a digitally signed message
The signed hash and the plaintext message must both be encrypted for the receiver (with the receiver's public key, or in practice with a symmetric session key that is itself encrypted with the receiver's public key)
305
How exactly does a digital signature provide nonrepudiation and authentication?
When the sender signs the hash with their private key, since only the sender should have their private key
306
Besides nonrepudiation, digital signatures are also used for these vendor services
Applets, software patches, authentication of code distributions
307
To digitally sign a message you must use this type of key
Your private key. Signing a message with your private key ensures nonrepudiation and authentication
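Added worked example for cards 301 through 307 (not part of the flashcard deck): a textbook RSA signature over a SHA-256 digest, built from the Python standard library only. It shows that the private key signs, the public key verifies, a changed message or a different signer fails verification, and the message itself still travels in the clear (no confidentiality). The key size, the absence of a padding scheme and the sample message are illustrative simplifications; production code should use a vetted library with PSS or PKCS#1 v1.5 padding and 2048-bit or larger keys.

```python
import hashlib
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rounds=24):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force size and oddness
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits=512):
    """Return (public_key, private_key) as (e, n) and (d, n). Toy size for speed."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (e, p * q), (d, p * q)


def digest_int(message):
    # Sign the hash, not the message: fixed-length input to the signing operation
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private_key, message):
    # Only the holder of d can produce this value, which is what yields nonrepudiation
    d, n = private_key
    return pow(digest_int(message), d, n)


def verify(public_key, message, signature):
    # Anyone holding the public key can check the signature (digest < n here, so no reduction needed)
    e, n = public_key
    return pow(signature, e, n) == digest_int(message)


def demo():
    alice_pub, alice_priv = generate_keypair()
    _, mallory_priv = generate_keypair()
    msg = b"Transfer 100 EUR to account 1234"  # constructed sample message
    sig = sign(alice_priv, msg)
    return {
        "valid": verify(alice_pub, msg, sig),
        "tampered": verify(alice_pub, b"Transfer 900 EUR to account 1234", sig),
        "wrong_signer": verify(alice_pub, msg, sign(mallory_priv, msg)),
        "message_in_clear": msg,  # the signature adds integrity and origin, not secrecy
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Verification with the signer's public key succeeds only for the exact message that was signed and only for a signature made with the matching private key; the message bytes are visible to everyone on the path, which is why card 304 adds a separate encryption step for confidentiality.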
308
These are basically an official endorsement of your public key
Digital certificate
309
Symantec, AWS, DigiCert, Verisign, Entrust, GlobalSign, IdenTrust
Vendors who provide digital certificates
310
Process involves checking the certificate authority's public key, as well as CRL or OCSP
Digital certificate verification process
311
Compromise, loss of private key, erroneous issuance, change in public key details, a change in security association or sponsor
Reasons to revoke a digital certificate
312
Ticket authentication system which provides identification and authentication for services
Kerberos
313
Single point of failure in a Kerberos system. Is the trusted third-party for all clients and services in a realm.
Key Distribution Center (KDC)
314
The two major services of Kerberos, both hosted on the Key Distribution Center
Authentication Server (AS) and Ticket-Granting Server (TGS)
315
Security, reliability, transparency, scalability
Four basic access control requirements provided by Kerberos
316
The principal, the application or resource, and the Key Distribution Center
Components of Kerberos
317
Limited lifetime of tickets, physical security of KDC, turning off non-Kerberos services
Security best practices for Kerberos
318
Short passwords in Kerberos are susceptible to this type of attack
Brute-force
319
Long passwords in Kerberos are susceptible to this type of system malfunction
Overload of system services (Longer encryption and decryption time)
320
The basis and the main element which makes Kerberos possible
Tickets
321
Entering your memorized password and checking your hard token in your possession follows these authentication factors
Something you know, something you have
322
Process of mathematically generating a value which represents private data located somewhere else
Tokenization
323
Local encryption keys must be marked with this in order to prevent it from being sent to another system
Non-exportable mark
324
Values generated by a soft token should have this lifetime
Less than 2 minutes
325
A practice of spying which could reveal the PIN a user reads off a soft token
Shoulder surfing
326
Traditional cryptography uses complex mathematical calculations, quantum cryptography relies on this branch of science
Physics
327
Obfuscation, tokenization, and generally altering a message from its original form to something indecipherable uphold this cryptographic service
Confidentiality
328
Encryption scheme in which a message is decrypted and re-encrypted at every hop (each link) on the way to its final destination
Link encryption
329
Controls designed to make sure strong cryptographic technology is not sent to places where it would be used maliciously
International Export Controls
330
A complementary access control principle to dual control in which a single password or secret is divided so that each of two (or more) users holds only part of it and no single person knows the whole
Split Knowledge
331
Technique to allow only specific hardware devices in your household to access the Wi-Fi
MAC filtering
332
Transportation, industry, healthcare, energy, agriculture, defense, emergency services, building utilities, power grid
Sectors of cyber-physical systems (CPS)
333
Abstractions, modularity, diagnostics, prognostics, distributed sensing, integration of multi-physics models, autonomy, human-interaction
Core technologies needed to maintain the security and viability of cyber-physical systems (CPS)
334
Industrial Control Systems (ICS)
General term for the computers and devices which monitor and control industrial and infrastructure processes, i.e. cyber-physical systems
335
A subgroup of Industrial Control Systems widely used to control, monitor, and interconnect cyber-physical systems
Supervisory Control and Data Acquisition (SCADA)
336
DDoS, unauthorized remote access endpoints, human error, sabotage, technical errors or accidents, unintentional outages, compromise of network hardware
Threats to Industrial Control Systems (ICS)
337
NISTIR 7628 is a good document to read in order to familiarize yourself with understanding of how to secure this type of system.
Cybersecurity for the electric power infrastructure.
338
Special purpose long-term use key used to protect a session key
Key encrypting key (KEK)
339
The process of using a key encrypting key to protect a session key
Key wrapping
340
You will most likely not have to know this formula for the exam, but it is useful to know the purpose of n(n-1)/2
Calculating the number of symmetric keys needed for n users to each share a unique key with every other user (n is the number of users)
341
A central location where private keys are held should be encrypted, signed, and MACed in order to provide these two security services
Integrity and confidentiality
342
The period of time during which a cryptographic key may be used; the key may then be retained for decades afterwards to verify old signatures or decrypt old data
Crypto period
343
Is there a policy for the governance and usage of private keys? How long will the key be in long-term storage? What is the exposure risk to the data if the key is compromised?
Questions to ask when archiving crypto keys
344
Key derivation process, the threat factor, open office vs public terminal, data encryption, key production, key protection guidelines, number of copies of a key
Factors affecting risk exposure to crypto keys
345
Official terms used to describe a message of mixed length to go through a hash and have the output a standard length
Variable-length input, fixed-length output (relate this to hashing algorithms like MD5 or SHA)
346
Studying the power a device consumes or emits during cryptographic operations, passively, in order to recover the secret key
Side-channel attack
347
Diffie-Hellman uses public/private keys but not for the encryption of the message. The main function is for another crypto service
Secure key exchange
348
Type of cryptographic attack which works best against a substitution cipher with known plaintext language statistics
Frequency analysis
349
If I created a file, and I trusted you with it, and only you with it
Non-transitive trust
350
If I created a file, I trust you with the file, and your friend with the file
Transitive trust