Domain 1 Flashcards

1
Q

Mindset of the CISSP Exam

A

1) Think like a CEO - an ethical CEO. On the exam, the answer is policies.
2) Safety is the most important concept - no loss of data is worth risking loss of life; safety is always a good choice.
3) Ethics are critical:
- Protect society, the common good, necessary public trust and confidence, and the infrastructure
- Act honorably, honestly, justly, responsibly, and legally
- Provide diligent and competent service to principals
- Advance and protect the profession
4) Business continuity: protect the organization
5) Increase profits by reducing the risk of financial loss

2
Q

Information Security is:

A

The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity and availability (CIA triad)

Opposites:
Confidentiality – Disclosure
Integrity – Alteration
Availability – Destruction

3
Q

____ provides a weak and unproven claim of identity

A

Identification - providing a username

4
Q

____ serves as proof that a user's identity claim was legitimate

A

Authentication - e.g., a password. Stronger authentication implies higher integrity (e.g., multifactor authentication).

Something you know
Something you have
Something you are
Someplace you are (such as GPS)

Two or more of these factors is two-factor or multifactor authentication.

5
Q

____ proceeds after successful authentication and determines what an authenticated user can do

A

Authorization - roles and access in a system: which users or groups of users should have access to what group of information. Need to know.

6
Q

____ details the interactions performed by individuals. Makes you responsible for your actions.

A

Accountability / accounting - audit logs can be generated, which can be used to hold users accountable for their actions. However, this is not enough: someone must actually review the logs and identify violations.

7
Q

____ is the confidentiality and protection of personally identifiable information

A

privacy

8
Q

____ is acting as any reasonable person would

A

Due Care - an important concept in the legal matter of negligence and, therefore, potential liability. Sometimes referred to as the Prudent Man Rule.

Base level of protection

9
Q

____ are practices or processes that ensure the decided-upon standard of care is maintained

A

Due Diligence - followed to ensure that an organization is exercising its duty of care

10
Q

Access Control Measures: What are the major types of controls and how are they implemented?

A

Major types of controls:

  • Preventive - the most important and cost-effective
  • Detective - assumes an attack has begun and detects it after the attack occurs (e.g., IDS, rotating duties, background checks, cameras)
  • Corrective - reacts to an attack and takes corrective action for data recovery (e.g., run an anti-spyware scan and fix the issue)
  • Deterrent - discourages security violations (e.g., a "beware of dog" sign)
  • Recovery - restores the operating state back to normal after an attack or system failure; mitigates more severe impacts than corrective controls (e.g., reimaging a system to remove an infection)
  • Compensating - provides alternatives to other controls

Implemented via:
  • Administrative (directive)
    - Background checks
    - Policies and procedures
  • Physical
    - Locks
    - Securing laptops
    - Securing magnetic media
    - Protection of cabling
  • Technical
    - Encryption
    - Smart cards

Defense in depth is critical

11
Q

Definition of risk and the formula is

A

Risk = threat x vulnerability

To mitigate risks we must understand both threats and vulnerabilities, as well as their interaction.

Risk analysis is the process of applying the risk formula.

Must also:

  • Understand threats and their motivations
  • Understand particular vulnerabilities and the likelihood of exploitation
  • Understand CIA impacts if exploited
  • Understand controls that could limit impact or decrease likelihood
  • Perform this calculation for each particular vulnerability on each system
  • Aggregate the scores and determine overall risk
12
Q

A ____ is anything that can cause harm to an information system or the potential for a threat-agent to cause harm by exploiting a particular vulnerability

A

Threat

  • Threat-agents or threat-sources are what is behind a particular threat (e.g., organized crime). They are considered as part of the "likelihood" component, based on the motivation and capabilities of the threat source.
  • Understanding the motivation and capabilities of threat sources is important.
13
Q

A ____ is a weakness in a system that could potentially be exploited

A

Vulnerability

  • Without an applicable vulnerability, threats cannot introduce risk
  • There is no risk, even if there are numerous motivated threat agents, if there is no vulnerability.
14
Q

A ____ is a vulnerability that is not publicly known and there is no patch that currently exists.

A

Zero-day vulnerability

15
Q

____ is the process of a threat taking advantage of a vulnerability or the means by which a threat exercises a vulnerability.

A

Exploitation / exploit

  • Actions triggered by the exploit are called the payload
  • An attacker (threat agent or threat source) exploits a vulnerability.
16
Q

____ is source or binary code that eases the ability for an attacker to exploit a vulnerability

A

Exploit code

The existence of publicly available exploit code is one item that can increase a vulnerability’s overall score

17
Q

The ____ is what action the attacker wants to carry out as a result of the exploitation

A

Payload

  • Actions triggered by the exploit are called the payload
18
Q

In order to perform risk assessments, you must also understand the ___ and ____ of an attack.

A

Likelihood - how likely it is that the threat will exercise the vulnerability

Impact - what the outcome of successful exploitation would be

19
Q

What are the two primary approaches to Risk Analysis?

A

Quantitative (tied to dollar amounts) and Qualitative risk analysis

Risk analysis is the application process of the risk formula (risk = threat x vulnerability)

20
Q

What are some factors of Quantitative Risk Analysis

A
  • More desirable and more likely to sway stakeholders
  • Tied to dollars - attempts to provide a precise numerical value to risk statements, but honest calculation can be cumbersome
  • Not as subjective
  • Established practices and calculations
  • Single Loss Expectancy (SLE) = AV x EF
  • Annualized Rate of Occurrence (ARO) - frequency of the threat occurrence per year
  • Annualized Loss Expectancy (ALE) = SLE x ARO
  • Total Cost of Ownership (TCO)
  • Return on Investment (ROI)
  • Cost/Benefit Analysis
21
Q

What are the Quantitative Risk Analysis / Management Key Formulas?

A
  • Asset Value (AV) = Value of the Asset
  • Exposure Factor (EF) = % of asset value at risk due to a threat
  • Annualized Rate of Occurrence (ARO) = Frequency of threat occurrence per year
  • Single Loss Expectancy (SLE) = AV x EF
  • Annualized Loss Expectancy (ALE) = SLE x ARO
22
Q

What are some factors of Qualitative Risk Analysis

A
  • Not as tied to the dollar amounts associated with potential losses
  • Easier to calculate
  • May not be considered as valuable because of the lack of explicit dollar amounts
  • Useful for prioritization of the risks to be addressed
  • Strong starting point

Risk Matrix - a common approach for qualitative analysis. Plots the likelihood and impact associated with a threat/vulnerability pair (high, medium, and low rankings).

23
Q

____ means that the level of risk is unacceptable to the decision makers

A

Excessive Risk - does not necessarily mean a lot of risk, only past the acceptable levels

If risk exceeds acceptable levels, the organization must determine how to proceed and what the response will be.

24
Q

How do you respond to excess risk?

A

1) Risk Mitigation - reduce the risk to an acceptable level by taking actions to decrease the risk
- Most common approach to responding to excessive risk
- Mitigation comes in many flavors:
  - Threat-oriented - focused on reducing the motivation of threat agents (e.g., increased fines)
  - Vulnerability-oriented - reducing the vulnerabilities a threat can exploit (e.g., patching)
  - Impact-oriented - reducing the overall impact that an exploitation entails
  - Likelihood-oriented - reducing the likelihood that the threat can exploit the vulnerability
- Must identify currently existing controls before identifying additional controls

2) Risk Avoidance - deciding not to move forward with a project that introduces a risk, or decommissioning a system (maybe deciding to do nothing, or choosing a different project)

3) Transferring Risk - aka risk sharing; involves a third party to help address the excess risk
- e.g., insurance, outsourcing a risky system to a third party

4) Accepting Risk - there will always be residual risk, and some risk ultimately needs to be accepted

25
Q

Control Assessments are used to:

A

Determine both the cost of the control or countermeasure and its efficacy at reducing risk. Effectively, you must perform a cost/benefit analysis to determine which countermeasures to employ, or whether they should be adopted at all. Metrics used to determine this are:
- Total Cost of Ownership (TCO) - attempts to capture the true cost of adopting something beyond merely the capital expense (includes run and resource costs)
- Return on Investment (ROI) - attempts to determine how financially worthwhile something is based on how much money will be made (or future losses prevented) relative to the money spent

First, identify the current controls in place. Once you determine that those are not sufficient, identify countermeasures and controls. Then perform a control assessment.

26
Q

A ____ is used to determine providers' / suppliers' capabilities and allows for questions and tuning. It is made to gather information about the available providers of the item or service being procured.

A

Request for Information (RFI) - also used to identify who will be included in or excluded from a subsequent RFP/RFQ.

27
Q

A ____ is used to determine which providers will bid for a project and what the project will look like.

A

Request for Proposal (RFP) - might include an RFI and RFQ as part of it. Will include who will bid, what their proposal looks like, and commonly how much it will cost.

28
Q

A ____ is focused on determining the cost a supplier would charge.

A

Request for Quote (RFQ) - can be included as part of an RFP but can also be standalone, typically for less complex solutions.

29
Q

A ____ is used when a business operates legally as a partnership.

A

Business Partnership Agreement (BPA) - addresses things like ownership, profits/losses, and partner contributions. A formal written BPA is not required.

30
Q

A ____ is used when two organizations interconnect information systems / networks.

A

Memorandum of Understanding / Agreement (MOU / MOA) - the goal is to establish basic roles, responsibilities, and requirements for the interconnection. It refers to the Interconnection Security Agreement (ISA).

31
Q

____ dictates the technical security requirements associated with two organizations connecting information systems/networks and supports the MOU/MOA.

A

Interconnection Security Agreement (ISA) - a formal ISA document is most commonly found in government. See NIST 800-47: Security Guide for Interconnecting Information Technology Systems. The ISA supports the MOU/MOA.

32
Q

____ details the expectations a customer has for their service provider and is used to force service providers to agree to provide an acceptable level of security.

A

Service Level Agreement (SLA) - used to determine breaches of contract.

33
Q

____ is an internal agreement that supports the SLA and is between internal groups (e.g., IT and HR).

A

Operating Level Agreement (OLA) - if internal groups cannot be aligned, we will not be able to ensure that the service provider can honor its SLA. An OLA is like an internal SLA.

34
Q

____ governs how an organization that licenses a large volume of software is allowed to use that software.

A

Enterprise Level Agreement (ELA) - the BSA (Software Alliance) watchdogs license violations and the use of pirated or unlicensed software. Virtualization can make this difficult to identify.

35
Q

Third-party governance includes:

A

1) On-site assessment
2) Document exchange and review
3) Process/policy review

36
Q

What are important steps in assessing the security of third-party products?

A

1) Gather requirements before reviewing products
2) Perform a bake-off to compare products that already meet requirements
3) Look for integration with existing infrastructure
4) Consider the TCO of the product, not just the capital expense and annual maintenance (e.g., additional user provisioning and operating expenses, not just capex)

37
Q

___ is similar to risk analysis but is more closely associated with software or application development (SDLC), to achieve a more securely designed application.

A

Threat modeling - seeks to understand threats and consider how they might negatively impact security. Requires identification of the various threats that could exercise vulnerabilities. Threat identification involves:
- understanding the various threat sources
- appreciating threat source motivations and estimating their capabilities
- recognizing actions taken by threat sources

38
Q

____ are the methods attackers use to touch or exercise vulnerabilities.

A

Threat vectors - eliminating or limiting vectors is a way of reducing risk, even if a vulnerability exists. The mere presence of a threat and a vulnerability does not mean that there is a way for the threat to exploit the vulnerability; there must be a means for the threat to exercise the vulnerability in order for there to be a risk.

39
Q

____ represents all of the ways in which an attacker could attempt to introduce data to exploit a vulnerability.

A

Attack Surface - reducing this is another way to limit risk (e.g., disabling unneeded services or not listening on unnecessary ports).

40
Q

Two types of vulnerability scoring systems are:

A

1) Common Vulnerability Scoring System (CVSS) - standardizes scores while also allowing organizational customization. Based on three groups of metrics: Base (access vector, access complexity, authentication, CIA impacts), Temporal (changes over time), and Environmental. Base metrics give the standard score; temporal and environmental metrics add precision.
2) OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) - a less commonly employed method.

Note that likelihood and impact should always be considered.

41
Q

A ____ occurs when a programmer fails to perform bounds checking and a user or an attacker overwrites adjacent memory on the stack with arbitrary data, including machine code (malicious code).

A

Buffer Overflow - e.g., there is a 20-byte limit but it is not enforced. Anything written beyond 20 bytes spills onto the stack and can overwrite executable code, replacing it with malicious code. The malicious code can cause disruption or crashing, or even take over the computer and extract data.

42
Q

A ____ exploits the gap between a security check and the execution of code (aka time of check / time of use (TOC/TOU)).

A

Race Condition - affects multi-user and multi-tasking systems. A race condition attack happens when a computing system that is designed to handle tasks in a specific sequence is forced to perform two or more operations simultaneously. This technique takes advantage of the time gap between the moment a service is initiated and the moment a security control takes effect. Setuid (set user ID upon execution) programs are prime targets.

```
Example program logic:
- Is my config file secure? (TOC)
  ** Attacker changes the config file here, between TOC and TOU **
  - If no, abort
  - If yes, read the file and execute its contents (TOU)
```

At TOC the system checks the config file and confirms it is secure. At that moment the attacker changes the config file so that it is no longer secure. The system, however, has already checked and confirmed it was secure, so it will not check again. When it executes (TOU), it runs the new, insecure config that was swapped in during the small gap between TOC and TOU. The system was already committed to action.

43
Q

___ are used to share information that should not be shared, using normal system resources to signal the information.

A

Covert Channels - there are two kinds in a system:
1) Timing Channel - uses the timing of a shared resource such as network bandwidth utilization or CPU usage. Someone else can see how much CPU you are using: tell them that if you burst CPU every 5 seconds it means X, and if they see a burst every 1 second it means Y.
2) Storage Channel - uses shared storage such as a hard drive. You cannot see my files or file names, but you can see my storage quota. If I use 50% of the quota that means X, and if I use 75% of the quota that means Y.

44
Q

What is a man-in-the-middle attack and what are the types?

A

Man-in-the-middle attacks involve a suitably positioned adversary coming between two communicating endpoints. The attacker injects themselves into the middle of the communication and sees (and possibly manipulates) all traffic going across the wire.

Types are:
1) Replay Attack - simply sniffing traffic could allow for playing back recorded traffic at a later point in time
2) Spoofing - impersonation of one endpoint to another
3) Session Hijacking - allows for full-session hijacking
4) Masquerading

45
Q

Types of DOS attacks include:

A

1) Crafted packet attacks
2) Resource exhaustion
3) Traditional flooding (e.g., SYN flood)
4) Fork bomb

46
Q

A ____ DOS exploits TCP/IP stack implementations or poor network configuration to achieve DOS.

A

Crafted Packet Attack. Types:
1) Ping of Death - send a packet larger than what can be handled (Maximum Transmission Unit (MTU) - how large a packet can be, e.g., 1,500 bytes)
2) LAND Attack - spoofed packet attack with the source IP and source port matching the destination IP and port of the victim
3) Teardrop - fragmented packet attack that employs large overlapping fragments that could cause a DOS on reassembly

47
Q

A ____ DOS targets availability, may be able to force systems to "fail open", and seeks to exhaust computer or network resources (e.g., bandwidth, memory, CPU, disk, swap, etc.).

A

Resource Exhaustion. Example: CAM flood - the attacker attempts to fill the switch's CAM table. Once the table is filled, some switches will fail open and act as a hub, sending all frames to all switch ports. This allows an attacker to sniff all traffic and also simplifies man-in-the-middle attacks.

48
Q

A ____ is malware that requires a carrier, such as being carried from one computer to another via removable flash media.

A

Virus - a form of malware that requires a carrier to spread. Viruses typically infect mobile media such as floppy disks or USB flash media, which may then be carried by a human to another system where the infection may spread.

49
Q

A ____ is malware that self-propagates. It infects one host and then attempts to spread automatically.

A

Worm - spreads independently. It infects one system and then pivots via that system to infect others.

50
Q

A ____ is software that has two functions and is a related form of malware. The two functions are overt and covert.

A

Trojan
- Overt function - benign-appearing and usually innocuous, such as a greeting card or game
- Covert function - hidden and typically malicious, such as a keystroke logger

51
Q

Server/service-side vs. client-side attack is:

A

Server-side attack: initiated by the attacker; the attacker tries to come into the system.
Client-side attack: the victim initiates the attack by downloading malicious content.

52
Q

Types of phishing attacks include:

A

1) Regular, generic phishing
2) Spear phishing - more targeted attempts at social engineering
3) Whaling - targeted phishing attempts against executives or senior members
4) Business email compromise (BEC) - CEO impersonation with the goal of convincing an employee to inappropriately make a wire transfer

53
Q

Emanations are:

A

Every time a CPU does something it broadcasts it electromagnetically - this is called EMI (electromagnetic interference). Electromagnetic information leaves the system; this has been protected against with TEMPEST, which involves shielding. If you can read this EMI, you can read the CPU remotely and break encryption. Put things in a Faraday cage (metal container) which the EMI cannot pass through.

54
Q

____ governs individual conduct as it pertains to laws, both federal and state, that were designed to protect the public.

A

Criminal law/proceedings. Examples: unauthorized use of a system, DOS attack, website defacement. Violation can result in monetary penalties and/or imprisonment. The victim is society, and law enforcement must take the case; an individual or company cannot bring criminal charges against someone. Criminal law is the only kind of law under which someone can get jail time.
Burden of proof: to find someone guilty, you have to prove beyond a reasonable doubt that they committed the crime.

55
Q

____ refers to an action against a company that causes damage or financial loss.

A

Civil law. Examples: worm attacks, DOS, or any other attack that affects the availability of a system. Violation can result in punitive or compensatory damages (monetary); no jail time. Damages are the primary outcome for defendants found liable. Deals with civil actions initiated by individuals or organizations; mostly associated with torts, contracts, and property, and the associated loss experienced by an individual or business.
Burden of proof: preponderance of the evidence (greater than 50% chance the claim is true).

56
Q

____ deals with the governing regulations of a particular country and is especially important for government workers or computer professionals in highly regulated environments, such as banking, finance, healthcare, and pharma.

A

Administrative / Regulatory law. Example: HIPAA

57
Q

____ protects inventions and is the grant of a property right to the inventor, issued by the ____ and Trademark Office.

A

Patent - issued by the US Patent and Trademark Office. The term of a new patent is 20 years from the date on which the application for the patent was filed in the US. US patent grants are only effective in the US. Gives you the right to exclude others from making, using, offering for sale, selling, or importing the invention.

58
Q

____ is a form of protection provided to the authors of original works of authorship, including literary, dramatic, musical, artistic, and certain other intellectual works, both published and unpublished.

A

Copyright - gives the owner the exclusive right to reproduce the copyrighted work, to prepare derivative works, to distribute copies or phonorecords, to perform the copyrighted work publicly, or to display the copyrighted work publicly. Copyright protects the form of expression rather than the subject matter of the writing. Term: author's life + 70 or so years. E.g., a song by the Beatles, a Mickey Mouse cartoon. Watch out for piracy.

59
Q

A ____ is a word, name, symbol, or device that is used in trade with goods to indicate the source of the goods and to distinguish them from the goods of others.

A

Trademark - e.g., the word Velcro or Xerox, or the red triangle for Bass Ale. "Mark" is also used to describe a trademark. A servicemark is the same as a trademark, but it identifies and distinguishes the source of a service rather than a product. Watch out for counterfeiting and dilution.

60
Q

____ consists of information and can include a formula, pattern, compilation, program, device, method, technique, or process. It protects critical intellectual property that is not publicly available.

A

Trade Secret - you do not file for a trade secret, but you must show due care in keeping the asset protected and secret in order to claim the item as a trade secret. You are expected to exert overt protection and control of trade secrets, and they are normally covered by an NDA or other contracts. E.g., the Coca-Cola recipe.

61
Q

___ is software with limited functionality (the software company wants to let people try out a piece of software, but in order to entice them to buy it, gives them only limited functionality).

A

Crippleware

62
Q

___ is when you download the software but only pay for it if you use it.

A

Shareware

63
Q

Privacy Acts in the US:

A

US Privacy Act of 1974 - covers federal government collection, use, and transmission of citizen data, and allows citizens to gain access to most data held about them.

FTC Fair Information Practice Principles (FIPPs), based on the OECD guidelines:
- Notice / Awareness
- Choice / Consent
- Access / Participation
- Integrity / Security
- Enforcement / Redress

Private-sector guidance is considered lax by international standards - e.g., HIPAA/HITECH.

64
Q

International Privacy Acts:

A

OECD (Organization for Economic Co-operation and Development) - an information security body that develops non-binding guidance (member countries do not have to implement the recommendations); not a standard but a collection of countries; develops highly regarded security guidance.

European Union Data Protection Directive - member states were required to translate it into individual national law (binding); represents stringent privacy requirements that must be adhered to.

General Data Protection Regulation (GDPR) - supersedes the EU Data Protection Directive; requires appointment of a data protection officer; extremely high sanctions for non-compliance.

65
Q

ISC2 Code of Ethics - Canon 1 is:

A

1) Protect society, the common good, necessary public trust and confidence, and the infrastructure
- Promote and preserve public trust and confidence in information and systems
- Promote the understanding and acceptance of prudent information security measures
- Preserve and strengthen the integrity of the public infrastructure
- Discourage unsafe practice

66
Q

ISC2 Code of Ethics - Canon 2 is:

A

2) Act honorably, honestly, justly, responsibly, and legally
- Tell the truth; make all stakeholders aware of your actions on a timely basis
- Observe all contracts and agreements, express or implied
- Treat all members fairly. In resolving conflicts, consider public safety and duties to principals, individuals, and the profession, in that order
- Give prudent advice; avoid raising unnecessary alarm or giving unwarranted comfort. Take care to be truthful, objective, cautious, and within your competence
- When resolving differing laws in different jurisdictions, give preference to the laws of the jurisdiction in which you render your service

67
Q

ISC2 Code of Ethics - Canon 3 is:

A

3) Provide diligent and competent service to principals
- Preserve the value of their systems, applications, and information
- Respect their trust and the privileges they grant you
- Avoid conflicts of interest or the appearance thereof
- Render only those services for which you are fully competent and qualified

68
Q

ISC2 Code of Ethics - Canon 4 is:

A

4) Advance and protect the profession
- Sponsor for professional advancement those best qualified. All other things equal, prefer those who are certified and who adhere to these canons. Avoid professional association with those whose practices or reputation might diminish the profession
- Take care not to injure the reputation of other professionals through malice or indifference
- Maintain your competence; keep your skills and knowledge current. Give generously of your time and knowledge in training others

69
Q

What are the attributes of a security policy?

A

Information security policies provide high-level guidance regarding expected conditions, outcomes, and behaviors. The goal is to ensure that well-meaning employees understand organizational expectations. They are fundamentally dependent upon organizational security posture and corporate culture; they cannot just be cut and pasted from a book or website. Policies can exist at different levels (e.g., enterprise-wide, division-wide, local, issue-specific) and must always be in accordance with laws and other regulations. Policies are high level and will likely not change drastically on a regular basis; they can change due to new laws, new technologies, user behavior, or changes to the threat or vulnerability landscape. They provide the what and the why.

Contents include:
1) Purpose
2) Related documents
3) Cancellation
4) Background
5) Scope
6) Policy statement
7) Responsibility
8) Ownership

70
Q

What are the attributes of a security procedure?

A

Security procedures focus on how to achieve what security policies mandate. Procedures allow processes to include security control points and integrate security controls into processes/procedures that can serve as preventive or detective controls. They are much more detailed than policies and provide detailed guidance for carrying out tasks. They support the what and the why by detailing the how. They should be constantly updated or developed anew.

71
Q

What are the attributes of a standard?

A

Standards are applied to the organization as a whole. They are mandatory and provide additional definition to the policies, tailoring them to specific technologies. They do not state what is expected of a user but instead specify a certain way something should be done, or a certain brand or type of equipment that must be used (e.g., all computers must be a certain model from a certain vendor). Standards are organizational, specify uniform use of specific technologies, are compulsory, and refer to specific hardware and software.

72
Q

What are the attributes of a baseline?

A

A baseline definition is essentially a more specific implementation of a standard. It usually gets into the specific technical details of how a system should be configured, from either a software or hardware standpoint. It starts as a guideline until it has been properly modified to meet the needs of the organization. Hardening rules for setting up a new server are an example of something that starts as a guideline and turns into a baseline.

73
Q

What are the attributes of a guideline?

A

These are suggestions, not mandatory. Best practices are examples of guidelines that many organizations try to achieve. A guideline is more of a recommendation of the way that something should be done. It assists users, systems personnel, and others in effectively securing a system.

74
Q

Documentation review and example:

A

Policy: Passwords must be changed every 90 days
Standard: Administrators must use Windows Server 2012 as the base OS
Procedure: Follow these step-by-step instructions to build the server
Baseline: The specific settings for Windows Server 2012 should match those in the CIS security benchmark
Guideline: To create a strong password, use the first letter of every word in a sentence

75
Q

Acceptable Use Policy (AUP) is:

A

A catch-all policy that tries to define user behavior. The primary goal is to help well-meaning employees know what the company requires of computer use and to establish precedent for what types of behaviors are considered unacceptable.