CISSP terminology Flashcards

1
Q

Availability terms:

MTD
RPO
RTO

A

Maximum Tolerable Downtime
Recovery Point Objective
Recovery Time Objective

2
Q

Disaster vs Catastrophe?

A

todo check handerhan video

3
Q

IAAAA

A

Identification: User should be uniquely Identified
Authentication: Validation of an entity’s identity claim
Authorization: Confirms that an authenticated entity has the privileges and permissions
necessary.
Auditing: Any activity in the application/system should be audited (identify technical issues/breaches)
Accountability: Tracing an action to a subject

4
Q

Strategic vs Tactical?

A

Strategic - Longer (5 years)

Tactical - Mid/Short (6 months to 1 year)

Operational - Shortest (Days to weeks)

5
Q

US Government data classifications

A

Top Secret (Classified - grave damage to national security if disclosed)
Secret (Classified - critical/serious damage to national security if disclosed)
Confidential (Classified - serious/actual damage to national security if disclosed)
Sensitive But Unclassified
For Official Use Only
Unclassified

Note: for CISSP, sensitive typically means “neither public nor unclassified”

6
Q

Security Roles

A
  1. Senior Manager - Management (Ultimately responsible)
  2. Security Professional - Information Security team
  3. Data Owner - Classifies the data
  4. Data Custodian - Takes care of day to day activity (performing backups)
  5. User - End user
  6. Auditor - Responsible for reviewing the data
7
Q

STRIDE

A

S - Spoofing (authentication)
T - Tampering (integrity)
R - Repudiation (digital signatures)
I - Information Disclosure (encryption/confidentiality)
D - Denial of Service (availability, fault tolerance/redundancy)
E - Escalation of privilege (authorisation)

8
Q

DREAD

A

D - Damage potential (How severe the damage likely to be if the threat is realized)
R - Reproducibility (How complicated it is for the attacker to reproduce the exploit)
E - Exploitability (How hard it is to perform the attack)
A - Affected users (How many users are likely to be affected)
D - Discoverability (How hard it is for an attacker to discover the weakness)

9
Q

Asset, Threat, Vulnerability, Exploit, Control

A

Asset Valuation - Value of an asset
Risk: Likelihood that a threat will exploit a vulnerability in an asset.
Threat: Has the potential to harm an asset.
Vulnerability: A weakness; a lack of safeguard
Exploit: Instance of compromise
Controls: Protective mechanisms to secure vulnerabilities
• Safeguards: Proactive
• Countermeasure: Reactive mechanism

10
Q

AV, EF, SLE, ARO, ALE?

A
AV = asset value
EF = exposure factor = proportion of asset value lost in single event

SLE = AV * EF = single loss expectancy (expected loss from single event)

ARO = annualised rate of occurrence

ALE = SLE * ARO = annualised loss expectancy (expected loss each year)

11
Q

Risk treatments

A
M - Mitigate (Reduce likelihood and/or impact)
A - Accept
A - Avoid
T - Transfer/Assign
D - Deter

R - Reject (not a real option)

12
Q

Categories of law

A
  1. Criminal law: Law enforcement is involved (Murder) - reasonable doubt
  2. Civil Law: Designed to provide an orderly society & govern matters which are not criminal. {United States Code} (Lawsuits, defamation cases) - preponderance of evidence
  3. Administrative Law: Covers topics such as procedures to be used within a federal agency. - balance of evidence ?
13
Q

Goals of cryptography

A

P - Privacy (Confidentiality)
A - Authentication
I - Integrity

N - Non-Repudiation - depends on Authentication and Integrity

Integrity depends on Authentication and vv? check Handerhan video

14
Q

Zero Knowledge proof (eg for authentication)

A

Proof of knowledge without sharing that knowledge, eg challenge-response

15
Q

Stream vs Block ciphers

A

Stream: RC-4 on exam; also Salsa/ChaCha (DJB)
Block: generally more secure than stream but typically slower?

AES, RC-2, RC-5/6, DES/3DES, Blowfish, IDEA (PGP) are all block based

16
Q

Hybrid cryptography

A

Encrypt the message with a symmetric algorithm (faster) and then encrypt the symmetric key using asymmetric crypto (public key).

used in eg SSL/TLS and PGP

17
Q

Security by Design

A
  • Principle of Least Privilege: Access to the system should always be limited based on least privilege.
  • Separation of Duties: Ensuring no single person is able to complete a critical task alone.
  • Trust but verify: It’s okay to trust your users, but always verify, to avoid any unauthorized impact on CIA.
  • Principle of Defense in Depth: Never rely on one security control. Always implement layered security.
  • Fail Securely: There are many reasons a system might fail; when it fails, do not let any user/process gain more privileges.
  • Secure defaults: Establishing secure defaults means there should be strong security rules for how user registrations are handled, how often passwords must be updated, how complex passwords should be and so on.
  • Privacy by design: It’s equally important to consider privacy at the design phase. Since the system will be processing PII data, it’s important to design the controls to protect it.
  • Keep it simple: The more complex the design of the system, the harder it is to protect.
  • Minimize attack surface: Always perform the threat model to know your potential threats.
  • Asset classification: It’s important to know what to protect. Without classification, controls cannot be implemented.

18
Q

Security model composition theories

A

Composition Theories:

  1. Cascading: Output of System A is input of System B
  2. Feedback: Output of System A is input of System B and vice versa
  3. Hookup: Output of System A is input of System B and other System C
19
Q

Security models

A

Bell-LaPadula (prevent leak to lower level)
BIBA (prevent corruption from lower level)
Clark Wilson (untrusted accesses trusted through constrained interfaces)
Brewer-Nash (Chinese wall?)

20
Q

Bell-LaPadula and Biba rules

A
Simple = read related
Star/* = write related

Bell-LaPadula:

Simple: no read up
Star/*: no write down

Biba:

Simple: no read down
Star/*: no write up

Strong star/*: ???

21
Q

Security Evaluation Models

A

TCSEC “Orange book” - Trusted Computer System Evaluation Criteria
(Rainbow series, US Federal)

A / B1/2/3 / C1/2 / D

ITSEC - Information Technology Security Evaluation Criteria
(European alternative to TCSEC)

levels todo!!

Common Criteria ISO-15408

assurance levels EAL1..7
EAL4 is most common target - tested and reviewed but no formal methods

22
Q

Security Evaluation - certification vs accreditation

A

Certification: Technical Evaluation. Internal verification trusted by your (ie the supplier’s) internal organization.

Accreditation: Formal Acceptance by the management. Performed by third party and accepted by everyone.
*Exam tip: When

23
Q

Cloud computing key elements

A

Virtualisation
Elasticity
Resource pooling

Service provided by third party

24
Q

SCADA

A

Supervisory Control And Data Acquisition

Control system for Industrial Control System (ICS).

Stuxnet was a rootkit for SCADA systems

25
Q

OWASP top 10

A

Code injection - mitigate with input validation (or proper escaping/encapsulation!)

Broken authentication / Session management

Sensitive data exposure - mitigate with encryption

XML external entities

Broken access control

Security misconfiguration

XSS Cross-site Scripting - input validation or proper escaping/encapsulation

Insecure deserialisation

Using known vulnerable components

Insufficient logging and monitoring

CSRF dropped off in 2017?

Others include: buffer overflow, race conditions, side-channel attacks, file based attacks

26
Q

Primary responsibility of OS

A

To keep the computing environment stable and to maintain process isolation

27
Q

TEMPEST

A

Faraday cage around system.
+
White noise injected to mask signals

28
Q

First and last lines of defence

A

Physical security is first line of defence

People are the last line of defence

29
Q

Physical boundary security

A

Fence

  • 3-4 foot - casual trespass
  • 6-7 foot - most intruders
  • 8+ foot - determined intruders

Gate
Turnstile - prevents tailgating
Man trap - prevents piggybacking

Security guards - expensive, unreliable, can use judgement
Dogs - expensive, liability

30
Q

OSI and TCP/IP models

A

todo - picture/table

31
Q

Ping based attacks

A

Loki (covert channel)

ping of death (oversized packet)

Ping flood

Smurf

layer 3 attacks using ICMP

whereas SYN flood (TCP) and Fraggle (UDP echo/chargen) are layer 4

Smurf and Fraggle are both reflection/amplification attacks

32
Q

RBAC, DAC, MAC, RuBAC etc

A

todo

33
Q

Firewall types

A

Packet Filter - layer 3(/4), src/dest IP address, port, protocol (TCP vs UDP)

Application level Proxy/Firewall - layer 7, inspect content of data stream, performance overhead

Stateful firewall - layer 3+4, tracks connection state and blocks unsolicited replies

Deep Packet Inspection - looks inside packets for specific threats

34
Q

AIPA

A

Private IP ranges defined in RFC1918

  • 10.x.x.x (Class A)
  • 172.16.x.x - 172.31.x.x (Class B)
  • 192.168.x.x (Class C)
35
Q

Protocol Data Units for each layer

A

todo

36
Q

wifi standards

A
  • 802.11 family
  • 802.11 a : 54 Mbps / 5 GHz / 8 channels
  • 802.11 b : 11 Mbps / 2.4 GHz (same as home network)
  • 802.11 g : 54 Mbps / 2.4 GHz
  • 802.11 n : 200+ Mbps / 2.4 GHz or 5 GHz
  • 802.11 ac : 1 Gbps / 5 GHz

b/g/n all same freq and backwards compatible

37
Q

Bluetooth attacks

A

Blue Jacking –> Sending SPAM

Blue Snarfing –> Copies information of the remote device

Blue Bugging –> More serious. Allows full use of the phone: make calls and eavesdrop on calls.

38
Q

wireless security

A
  1. Wired Equivalent Protocol (WEP)
    a. Shared Authentication Passwords
    b. Weak Initialization Vector (24 bits)
    c. IV transmitted in clear text
    d. RC4 (Stream Cipher)
    e. Easily crackable
    f. Only option for 802.11 b
  2. Wi-Fi Protected Access (WPA)
    a. Stronger IV
    b. Introduced Temporal Key Integrity Protocol (TKIP)
    c. Still uses RC4 (to make upgrade from WEP easier)
  3. WPA 2
    a. AES (Block Cipher)
    b. CCMP (Counter Mode Cipher Block Chaining Message Authentication Code Protocol)
    c. Not backward compatible
    Uses 802.1X/EAP authentication to have individual passwords for individual users.
39
Q

Dial up/WAN link authentication

A

PAP - Password Authentication Protocol - password sent in clear

CHAP - Challenge Handshake Authentication Protocol (also MS-CHAP, MS-CHAPv2)

EAP - Extensible Authentication Protocol - to support non-password authentication e.g. biometrics

EAP variations eg PEAP, LEAP

Protected EAP: EAP itself doesn’t provide any security, so PEAP encapsulates EAP in a TLS tunnel.
Lightweight EAP: Cisco proprietary; broken by the ASLEAP attack.

40
Q

VPN protocols

A

PPP - Point-to-Point Protocol (still in use eg PPPoE) - no encryption
PPTP - Point-to-Point Tunnelling Protocol - no encryption
L2TP - Layer 2 Tunnelling Protocol - no encryption so often run over IPSec
IPSec - limited to IP protocols - run L2TP over IPSec to tunnel non-IP protocols

41
Q

Authentication factor types

A

Type1: Something you know (password, pin)

Type2: Something you have (smart card, token)

Type3: Something you are (biometric)

Type4: Somewhere you are (location, IP address?)

(Type5: Something you do e.g. typing cadence, walking gait)

42
Q

(Biometric/Behavioural) Authentication failure modes/rates

A

Type1 error: False Rejection Rate (FRR)

Type2 error: False Acceptance Rate (FAR)

Cross over error rate (CER): It’s the meeting point of FAR and FRR

43
Q

Identity Assurance Level

A

IAL 1: If any are self-asserted or should be treated as self-asserted.

IAL 2: Either remote or in person identity proofing is required. It requires identity proofing to have been verified in person or remotely.

IAL 3: In person identity proofing is required. Identifying attributes must be verified by the authorized Credential Service Provider (CSP) representative through examination of physical documentation.

44
Q

Kerberos

A

Todo

45
Q

SSO protocols

A

SAML: Based on XML and used to exchange authentication & authorization between federated organizations.
SPML: Based on XML, specifically designed for exchanging user information for federated identity single sign-on purposes.
XACML: Extensible Access Control Markup Language is used to define access control policies in an XML format and commonly implements RBAC.

Others

SESAME: Secure European System for Applications in a Multivendor Environment, implemented to overcome the weaknesses of Kerberos. Superseded by newer versions of Kerberos.
KryptoKnight: Time-based authentication system by IBM

Open ID and OAuth: OpenID is used for authentication and OAuth is used for authorization (though OAuth2 also used for identity and authentication)

Typically SAML for enterprise, OAuth/OpenID for commercial and B2C - though starting to change.

46
Q

AAA protocols

A

RADIUS: IP only, uses UDP. Encrypts only the password between RADIUS client & server; user ID and session data are sent in clear text, and it is vulnerable to replay attack.

TACACS+: Uses TCP. Encrypts everything. Supports IP and non-IP (eg AppleTalk, IPX/SPX)

Diameter (“twice as good as RADIUS”): Uses TCP on port 3868 (Stream Control Transmission Protocol, SCTP). Supports IPSec and TLS. EAP (“Diameter-EAP”) authentication. Not backward compatible.

47
Q

Authorisation

A

Need to know: Access granted only to the data/resources needed to perform the task. (Permission)

Least Privilege: Access granted to the privileges necessary to perform an assigned task. (Security clearance)

Separation of Duties: No single person is allowed to perform end to end critical task alone. (Preventive control)

Separation of duties is said to “prevent collusion” but really it “forces attackers to collude” (making an attack harder to do and easier to detect)

Constrained Interface: Access control on interface. E.g. Access to modify would be visible, however, it would be greyed out if not authorized.

Content Dependent: Database Views. Depends on the content of the Object

Context Dependent: Require specific activity before granting access. E.g. Payment needs to be made before downloading online media.

Job rotation and Mandatory Vacation act as detective controls. (As well as having skills transfer benefits)

48
Q

Access Control Models

A

Access Control Models:
1. Discretionary Access Control: Owner, creator or custodian define access to the objects.
Uses Access control list (known as Identity based access control)
2. Non-Discretionary Access Control: Centrally managed by administrators. (Hint: any model which is not DAC can be called Non-DAC)
3. Role Based Access Control: Access is defined based on the role in an organization and subjects are granted access based on their roles. Normally implemented in organizations with high employee turnover.
4. Rule Based Access Control: There is a set of rules, e.g. a firewall. Global rules are applied to all users equally.
5. Mandatory Access Control (Lattice Based): Implemented in high-security organizations such as the military. It is compartment based.
   a. Hierarchical - Clearance of Top Secret gives access to Top Secret as well as Secret
   b. Compartmentalized - Each domain represents a separate isolated compartment.
   c. Hybrid - Combination of both
6. Attribute Based Access Control: Rules that can include multiple attributes. e.g. working hours, place of work, type of connection etc.

49
Q

Types of Phishing attack

A

Spear Phishing: When a specific person or group of users is targeted.

Whaling: When the target is a CXO or someone who belongs to higher management.

Vishing: Tricking the user over a voice call.

Smishing: When a phishing attempt is done via SMS.

50
Q

Common ports

A
FTP – 21
SSH – 22
Telnet - 23
SMTP – 25
DNS – 53
HTTP – 80
POP3 – 110
NTP – 123 
HTTPS – 443
MS SQL – 1433
Oracle – 1521
H.323 – 1720
PPTP – 1723
RDP – 3389
51
Q

Forensics Investigation Process steps

A

Identification (of evidence)
Preservation (start chain of custody, forensic hashes)

Collection (work within your knowledge, minimise handling, keep logs, take an accurate image, ensure it is repeatable, work fast starting with the most volatile eg registers/cache/RAM, take photos, label evidence)

Examination (attack signatures, logs, recover hidden data)

Analysis (on bit-level working copy of image, also hashed and write-protected)

Presentation (of findings, eg expert testimony)

Decision

IPCEAPD - order is testable

52
Q

5 rules of digital evidence

A
Authentic
Accurate
Complete
Convincing
Admissible
53
Q

Forensic Hashes

A
Hash of original drive
(take a bit-level copy of drive)
Hash the copy
(analyse the copy)
Hash the copy again

all 3 hashes must match

54
Q

Fourth amendment protections against search/seizure unless…

A

Done by private citizens (not law enforcement)

or

subpoena
search warrant
consent
exigent circumstances (e.g. about to be destroyed if not seized)

55
Q

Evidence lifecycle

A
Identification and Collection
Analysis
Storage/Preservation, Transportation 
Presentation 
Return to owner

must maintain integrity through lifecycle

56
Q

Evidence types

A

Direct Evidence - proves a fact by itself - information provided based on the 5 senses of a reliable witness

Real/Physical Evidence - the objects used in the crime

Best Evidence - original copy of a document eg a signed contract.

copies need to be demonstrated to match original - typically using hashes

Secondary Evidence - supports other evidence; includes expert opinion

Corroborative - additional support to back up claim

Circumstantial - proves one fact which can then be used to reasonably suggest another. not enough on its own.

Hearsay - usually not admissible. Includes unauthenticated copies of documents

57
Q

Enticement vs Entrapment

A

Enticement - tempting a potential criminal. Legal and ethical. Example: Honeypot

Entrapment - tricking a person into a crime. Illegal and unethical. Example: providing a link to a site and then saying it is trespass to click on the link

58
Q

Redundant site models

A

DR site - active/standby or active/active

Hot site - todo

Warm site - kit in place; hours/days to recover

Cold site - no kit in place, may not have connectivity; takes weeks/more to recover

59
Q

Backup types

A

Full - everything, archive bit reset

Incremental - new/changed, archive bit reset. Recover from full+N increments

Differential - new/changed, archive bit not reset. Recover from full + 1 differential

Unscheduled/copy backups - as full but don’t reset archive bit (to avoid affecting next full/incremental/differential)

60
Q

Backup media rotation

A

Grandfather Father Son

Tower of Hanoi: tape 1 used every other day, tape 2 every 4th day, tape 3 every 8th day, etc. N tapes allows 2^(N-1) backups before the last tape is recycled

61
Q

Secure Development Principles

A

Reduce attack surface

Good enough security
Economy of mechanism
Psychological acceptability

Least privilege
Need to know
Separation of duties

Defence in depth
Layered defence

Complete mediation of flaws

Fail safe (vs fail secure)

Weakest link
Single point of failure
Redundancy

Threat modelling (STRIDE, data flow diagrams, use/mis-use cases, DREAD)

Controls evaluation (efficacy, economy/simplicity/performance, cost/benefit, user impacts/psychology)

62
Q

Security flaw vs bug

A

flaw is an inherent fault in the design (eg bad choice of algorithm, not doing input validation at all)

bug is an implementation defect

secure design is intended to avoid flaws but bugs are still possible

63
Q

Software Development Lifecycles

A

Waterfall
Prototyping
Spiral
Agile

64
Q

Cloud security responsibilities

A

todo

65
Q

Organisational Normative Framework (for secure software development)

A
Business Context
Regulatory Context
Technical Context
Specifications
Roles
Processes
Application Security Control library

ONF is for whole org. Application Normative Framework for each application.

(ISO 27034 - not testable)

66
Q

Validation vs Verification

A

Verification - does it meet the spec/requirements?

(and Certification that it has been verified)

Validation - are the requirements right? does it solve the real-world problem? (Acceptability)

(and Accreditation by customer - acceptance by management of the product to go into production)

67
Q

Object oriented

A

On test - “modular and reusable” usually means object oriented is part of the answer

68
Q

Database design and security

A

Hierarchical (eg Active Directory, DNS)
Relational
Distributed (eg DNS)

Threats:

Aggregation & Inference:
Polyinstantiation - give alternate description of same fact depending on security clearance (eg ship destination is “training exercise” for uncleared)

Code injection: Input validation

ACID is testable too

69
Q

Malware

A

Adware
Virus - spreads via files on its own
Worm - spreads through network on its own
Trojan - masquerades as harmless program/file
Spyware
Rootkit
Back door

70
Q

6 steps of developing ICS security program?

A

BTS PFT

BUSINESS case
Create cross functional TEAM
Define charter and SCOPE
Define specific ICS POLICIES and PROCEDURES
Implement an ICS Security Risk Management FRAMEWORK
Provide TRAINING and raise security awareness for ICS staff

71
Q

GDPR privacy principles

A

todo

State reason for gathering data at point of collection
Cannot use for purposes other than those stated
Data that is not needed should not be collected
Data should only be retained while it is needed for a specific task
Only individuals who are required to perform a stated task should be given access to the data
Individuals responsible for securely storing data should not allow it to be leaked

72
Q

Maximum Tolerable Downtime ratings

A

todo

Important - 72 hrs ?

73
Q

Twisted pair category cables

A

todo

74
Q

TCP
UDP
ICMP

A

Transmission Control Protocol
Unreliable Datagram Protocol ??
Internet Control Message Protocol

75
Q

SW-CMM phases

A

todo

76
Q

Security model compositions

A

todo

77
Q

Business Impact Assessment steps

A

todo

78
Q

Confidentiality terms

A

Sensitivity - extent to which disclosure may cause harm
Criticality - importance of the information to the mission
Discretion - act of decision by operator which may impact disclosure
Concealment - security through obscurity may have value sometimes
Secrecy - preventing disclosure
Privacy - secrecy of personal data
Seclusion - keep in an “out of the way” location
Isolation - keep separate from other information

Sensitivity refers to the quality of information, which could cause harm or damage if disclosed. Maintaining confidentiality of sensitive information helps to prevent harm or damage.

Discretion is an act of decision where an operator can influence or control disclosure in order to minimize harm or damage.

Criticality: The level to which information is mission critical is its measure of criticality. The higher the level of criticality, the more likely the need to maintain the confidentiality of the information. High levels of criticality are essential to the operation or function of an organization.

Concealment is the act of hiding or preventing disclosure. Often concealment is viewed as a means of cover, obfuscation, or distraction. A related concept to concealment is security through obscurity, which is the concept of attempting to gain protection through hiding, silence, or secrecy. While security through obscurity is typically not considered a valid security measure, it may still have value in some cases.

Secrecy is the act of keeping something a secret or preventing the disclosure of information.

Privacy refers to keeping information confidential that is personally identifiable or that might cause harm, embarrassment, or disgrace to someone if revealed.

Seclusion involves storing something in an out-of-the-way location. This location can also provide strict access controls. Seclusion can help enforcement of confidentiality protections.

Isolation is the act of keeping something separated from others. Isolation can be used to prevent commingling of information or disclosure of information.

79
Q

Integrity concepts

A

Accuracy: Being correct and precise
Truthfulness: Being a true reflection of reality
Authenticity: Being authentic or genuine
Validity: Being factually or logically sound

Nonrepudiation: Not being able to deny having performed an action or activity or being able to verify the origin of a communication or event
Accountability: Being responsible or obligated for actions and results
Responsibility: Being in charge or having control over something or someone

Completeness: Having all needed and necessary components or parts
Comprehensiveness: Being complete in scope; the full inclusion of all needed elements

80
Q

Availability includes

A

Accessibility
Usability
Timeliness / Performance

81
Q

Data classification steps

A
  1. Identify the CUSTODIAN, and define their responsibilities.
  2. Specify the evaluation CRITERIA of how the information will be classified and labeled.
  3. CLASSIFY and label each resource. (The owner conducts this step, but a supervisor should review it.)
  4. Document any EXCEPTIONS to the classification policy that are discovered, and integrate them into the evaluation criteria.
  5. Select the SECURITY CONTROLS that will be applied to each classification level to provide the necessary level of protection.
  6. Specify the PROCEDURES for declassifying resources and the procedures for transferring custody of a resource to an external entity.
  7. Create an enterprise-wide AWARENESS program to instruct all personnel about the classification system.
82
Q

Private sector security classification

A

Confidential - significant negative impact for organisation if disclosed
Private - significant negative impact for organisation or individuals if disclosed
Sensitive - negative impact if disclosed
Public

83
Q

COBIT 5 principles

A

Principle 1: Meeting Stakeholder Needs
Principle 2: Covering the Enterprise End-to-End
Principle 3: Applying a Single, Integrated Framework
Principle 4: Enabling a Holistic Approach
Principle 5: Separating Governance From Management

84
Q

Elements of security governance

A
Policies - regulatory, advisory, informational
Standards
Baselines
Guidelines
Procedures
85
Q

Reactive threat modelling techniques

A

pen test / ethical hacking
source code review
fuzz testing

86
Q

PASTA stages

A

Process for Attack Simulation and Threat Analysis

Stage I: Definition of the Objectives (DO) for the Analysis of Risks
Stage II: Definition of the Technical Scope (DTS)
Stage III: Application Decomposition and Analysis (ADA)
Stage IV: Threat Analysis (TA)
Stage V: Weakness and Vulnerability Analysis (WVA)
Stage VI: Attack Modeling & Simulation (AMS)
Stage VII: Risk Analysis & Management (RAM)

87
Q

6 security roles

A
Senior Management
Security Professional (Information Security Officer)
Data Owner 
Data Custodian
User
Auditor
88
Q

Privacy Laws

A

HIPAA - Health Insurance Portability and Accountability Act
SOX - Sarbanes-Oxley
FERPA -Family Educational Rights and Privacy Act
GDPR
PCI-DSS

89
Q

Qualitative risk analysis

A
Scenarios
NIST 800-30 1..10 ratings of threats, vulnerability, etc
Brainstorming
Delphi technique
Storyboarding
Focus groups
Surveys
Questionnaires
Checklists
One-on-one meetings
Interviews
90
Q

6 Types of Security Control

A
Detective
Preventative
Deterrent
Corrective (incl Recovery)
Directive (policy etc)
Compensating (replacing/substitute for another control)
91
Q

NIST RMF (Risk Management Framework) steps

A
Categorise the system
Select controls
Implement controls
Assess controls
Authorise system for use
Monitor controls in use
92
Q

3 Classes of Security Control

A

Logical / Technical
Administrative
Physical

93
Q

Awareness, Training, Education

A

Awareness aimed at changing behaviour and making people receptive to training

Training to do specific job role

Education to learn more eg for promotion

94
Q

Employee Termination process

A

Disable access
Notify employee
Witness
Collect company credentials and property
Exit interview - reinforce NDA obligations

95
Q

Delphi estimation technique (for risk analysis)

A

Panel each anonymously provides estimate
Panel discusses each estimate
Repeat until consensus achieved

96
Q

BCP Steps

A

Project Scoping and Planning

  • Organisation Analysis
  • Create BCP Team
  • Identify Resource Requirements (incl for scope/plan and for invocation)

Business Impact Assessment

  • Prioritise business processes
  • AV, MTD/MTO, RTO
  • Risk Identification (incl supplier risks)
  • SOC2/3 from supplier
  • Likelihood Assessment (ARO)
  • Impact Assessment (EF, SLE, ALE)
  • Resource Prioritisation

Continuity Planning

  • Strategy development - determine risks to be mitigated
  • Provisions and processes - design mitigations

Approval and Implementation

  • Plan approval
  • Plan implementation
  • Training and education
97
Q

BCP Team representation

A

Each core business department
Each functional area identified in org analysis
IT SMEs
Cybersecurity SMEs
Physical security and facilities management
Legal
HR
PR / media and communications
Senior management able to set vision, define priorities and allocate resources

98
Q

SOC Reports

A

Type I SOC1 - financial controls - needed by customers if eg outsource includes payment processing
Type II SOC1 - also assesses effectiveness of controls over a particular period

Type I SOC2 - for management, customers, customers’ auditors
Must cover Security (aka Common Criteria)
May also cover Processing Integrity, Availability, Confidentiality, Privacy

Type II SOC2 - also assesses effectiveness of controls over a particular period

SOC3 - for general consumption, less detail than SOC2
No Type II variant

99
Q

BCP Training plan

A

Plan overview for everyone in org
Training on BCP responsibilities for all with direct involvement
Training for backup personnel too

100
Q

USA relevant legislation

A

CFAA - Computer Fraud and Abuse Act (last amended 1986)

  • covers any computer of “federal interest” including those used by US govt or any financial institution, or any used to commit an offence across state lines

Computer Abuse Amendments Act (1994)

  • adds any computer used in interstate commerce
  • outlaws creation of any type of malicious code
  • includes prison sentences under strict liability
  • provides for civil action for injunctive relief and damages
  • Often criticised as over-broad - eg may make breaching website ToS a crime

National Information Infrastructure Protection Act 1996

  • more amendments to CFAA
  • includes systems used in international commerce (not just inter-state)
  • also includes railroads, power grids, telecoms etc

Federal Sentencing Guidelines:

  • Prudent Man rule
  • Due Diligence as a defence / reduce punishment
  • Negligence finding based on failure to comply with recognised standards where there is a causal link to damages and the negligent person had a legal obligation of care

Federal Information Security Management Act 2002 (and Modernisation Act, 2014)

  • made NIST responsible for developing implementation guidelines for federal agencies

Cybersecurity Enhancement Act 2014:

  • charges NIST with coordination of nationwide work on voluntary cybersecurity standards
  • NIST Special Publications eg SP800-53, -171

Privacy Act 1974: like the 4th amendment, constrains government agencies only

Electronic Communications Privacy Act 1986: no interception of wired or mobile comms; constrains individuals and companies, not just government

Communications Assistance for Law Enforcement Act 1994 (amends ECPA): wiretaps required when court ordered

Economic Espionage Act 1996: extends theft to include theft of economically valuable information

Health Insurance Portability and Accountability Act 1996 (HIPAA): includes security and privacy regulations relating to medical information about individuals

Health Information Technology for Economic and Clinical Health Act 2009 (HITECH Act): amends HIPAA, adds data breach notification requirements to inform affected individuals

California SB1386 (2002): data breach notification if an individual’s name is combined with SSN/driver’s license/state id/credit/debit card#/bank acct#/medical records/health insurance information

Similar laws passed in all other states except Alabama and South Dakota

Children’s Online Privacy Protection Act 1998: covers information held by online services regarding children

Family Educational Rights and Privacy Act: some privacy rights for students over 18

Gramm-Leach-Bliley Act 1999: enables data sharing by FS firms but requires privacy policies to be published

USA PATRIOT Act 2001: allows blanket wiretapping of contacts of a monitored suspect, allows ISPs to share data with govt voluntarily or under subpoena, plus more severe jail terms for CFAA crimes.

Identity Theft and Assumption Deterrence Act 1998: criminalised identity theft

CalOPPA California Online Privacy Protection Act: requires a privacy notice for any commercial website/online service collecting personal information on California residents

101
Q

Criminal vs Civil vs Administrative Law

A

todo

102
Q

EU Privacy Shield requirements

A

Notice: An organization must inform individuals about the purposes for which it collects and uses information about them.

Choice: An organization must offer individuals the opportunity to opt out.

Accountability for Onward Transfer: Organizations can only transfer data to other organizations that comply with the Notice and Choice principles.

Security: Organizations must take reasonable precautions to protect personal data.

Data Integrity and Purpose Limitation: Organizations should only collect data that is needed for processing purposes identified in the Notice principle. Organizations are also responsible for taking reasonable steps to ensure that personal data is accurate, complete, and current.

Access: Individuals must have access to personal information an organization holds about them. Individuals must also have the ability to correct, amend, or delete information, when it is inaccurate.

Recourse, Enforcement, and Liability: Organizations must implement mechanisms to ensure compliance with the principles and provide mechanisms to handle individual complaints.

Provide free and accessible dispute resolution
Cooperation with Dept of Commerce
Ensure transparency wrt enforcement actions
Ensure commitments kept as long as data held

103
Q

PII

A

Personally Identifiable Information

Defined in NIST SP 800-122 as:

Any information about an individual maintained by an agency, including

(1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and
(2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

104
Q

Hash Algorithms

A

SHA-1 (believed weak, 512b blocks, 160b output)
SHA-2 (-256/-224 use 512b blocks, -512/-384 use 1024b blocks)
SHA-3 (same variants as SHA-2, mandated for FIPS digital signatures)
MD2 (broken - not one way, 16b blocks, 128b output)
MD4 (weak - collisions can be found easily, 512b blocks, 128b output)
MD5 (weak - collisions can be found, 512b blocks, 128b output)
HAVAL (1024b blocks, 128/160/192/224/256b output, MD5 variant)

HMAC (uses shared secret key plus any hash algorithm)

Password hashing:
bcrypt, scrypt, PBKDF2

105
Q

Digital Signature algorithms

A

DSA FIPS 186-4
RSA ANSI X9.31
ECDSA (elliptic curve DSA) ANSI X9.62

Schnorr
Nyberg-Rueppel

106
Q

3 major public key crypto systems

A

RSA
El Gamal (extension of Diffie-Hellman key exchange, doubles length of message)
Elliptic Curve Cryptography (160b ECC equivalent to 1024b RSA)

107
Q

IPsec features

A

Transport mode - only payload encrypted
Tunnel mode - whole packet encrypted

AH Authentication Header provides authentication, access controls and replay protection

ESP Encapsulating Security Payload provides confidentiality, limited authentication, plus replay protection

ISAKMP Internet Security Association and Key Management Protocol (RFC2408)

108
Q

Common Cryptographic Attacks

A
Birthday (collision)
Man in the Middle
Meet in the Middle
Replay
Known plaintext 
Chosen ciphertext
Chosen plaintext
109
Q

TOCTOU (Tock To) vulnerability

A

Time of Check to Time of Use