Domain 3: (Security Architecture and Engineering) Flashcards
What model treats identity as the control plane, assumes breach, and explicitly verifies every request?
Zero Trust Security
What principle says the default configuration should reflect a restrictive and conservative enforcement of security policy?
Secure Defaults
What principle indicates that components should fail in a state that denies rather than grants access (fail closed)?
Fail Securely
What are the secure design principles?
Secure Defaults
Fail Securely
Zero Trust Security
Keep it Simple
What framework, developed by Ann Cavoukian and promoted by the IAPP, makes privacy an integral part of every system, technology, policy, and design process?
Privacy by Design
What are the seven foundational principles of Privacy by Design?
Proactive not reactive; preventive not remedial
Privacy as the default setting
Privacy embedded into the design
Full functionality: positive-sum, not zero-sum
End-to-end security: full lifecycle data protection
Visibility and transparency
Respect for user privacy: keep it user-centric
What represents a cloud provider concept in which security is provided to an org through or by an online entity?
Security-as-a-Service
What represents a class of devices connected to the internet in order to provide automation, remote control, or AI processing in a home or business setting?
Internet of Things
What represents mobile devices that offer customization options, typically through installing apps and may use on-device or in-the-cloud AI processing?
Smart Devices
What represents a system that collects data from other sources on the network, provides real-time monitoring, traffic analysis & notification of potential attacks?
SIEM
Security Information and Event Management
What represents a centralized alert and response automation with threat-specific playbooks?
SOAR
Security Orchestration, Automation, and Response
What is the creation of discrete services that may be accessed by users in a black box fashion?
SOA
Service-Oriented Architecture
What are fine-grained services, each with a discrete function, that are a modern adaptation of SOA to cloud computing?
Microservices
What should be identified early in the development lifecycle?
Code-level vulnerabilities
What techniques should be incorporated early in the CI/CD process to identify deficiencies before release?
Static code analysis
Dynamic testing
What is a lightweight, granular, and portable way to package apps for multiple platforms, where the packaged apps do not carry their own operating system?
Containerization
What reduces overhead of server virtualization by enabling containerized apps to run on a shared OS kernel?
Containerization
What is a set of exposed interfaces that allow programmatic interaction between services?
APIs
What API style uses HTTP (normally over TLS, i.e. HTTPS) to expose API endpoints as resources?
REST
What must be done prior to storing, distributing, and transmitting access keys?
Encryption
What is an embedded system?
The technology component of an IoT device
A full computer system embedded inside of another larger system
What are examples of embedded systems?
Printers, GPS, drones, semi-autonomous vehicles
What must you consider when dealing with embedded devices to ensure they meet security best practices?
Authentication practices
What represents an alternative to client-server computing model for computer-intensive operations w/ large data sets?
HPC
High Performance Computing
For problems that require the use of extremely large data sets and large-scale parallel processing what type of system should you use?
High Performance Computing system
What employs a centralized controller that makes computing assignments to grid members?
Grid Computing
What do you use when you need to process data locally and far from the cloud?
Edge Computing
What is common in various internet-of-things scenarios, like agricultural, science/space, and military?
Edge Computing
What places gateway devices in the field to collect and correlate data centrally at the edge?
Fog Computing
What are some key considerations when dealing with large network-connected device counts in various locations?
Data Encryption
Spoofing Protection
Authentication
What cloud service provides the building blocks of support for networking, storage, compute, and datacenters?
IaaS
Infrastructure as a service
What cloud service is where the customer is responsible for deployment and management of apps, while the cloud service provider manages provisioning, config, hardware, and OS?
PaaS
Platform as a service
What cloud service is where the customer only configures features while the cloud service provider supports everything else?
SaaS
Software as a service
What cloud service model allows scalability, agility, pay as you go, no maintenance, and low skills?
Public cloud
What cloud service model is managed by the organization and allows for legacy support, control, and compliance?
Private cloud
What cloud service model supports public and private clouds and run apps in the right location and allows for flexibility in legacy support, compliance, and scalability scenarios?
Hybrid cloud
What is a security policy enforcement solution that may be installed on premises or in the cloud?
CASB
Cloud access security broker
What family of algorithms is considered quantum resistant, offering better resistance against attacks by quantum computers?
Lattice-based cryptography
What encrypts each plaintext digit one at a time with the corresponding digit of the keystream?
Symmetric stream cipher
What method encrypts a fixed-size block of data at a time rather than one bit or digit at a time?
Block cipher
What uses the encryption algorithm to replace each character or bit of the plaintext message with a different character?
Substitution cipher/ Caesar cipher
What uses an encryption algorithm to rearrange the letters of a plaintext message?
Transposition cipher
What is a random bit string that is XORed with the message and is normally the same length as the block size of the cipher?
Initialization vector IV
Which cipher uses a key length of one?
Caesar
Which cipher uses a longer key usually a word or sentence?
Vigenere
Which cipher uses a key that is as long as the message itself?
One-time pad
What criteria must be met for a one-time pad to be unbreakable?
Key generated truly randomly
Key at least as long as the message
Key protected against physical disclosure
Key used only one time
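Worked example for the Caesar, Vigenere and one-time pad cards above (added here; not part of the original flashcard deck). It shows why a single-letter key (Caesar) falls to brute force in 26 tries, how the repeating key of Vigenere generalizes it, and what happens when the "used only one time" rule for a pad is broken: XORing two ciphertexts made with the same pad cancels the pad and leaks the XOR of the plaintexts. The messages and the 16-byte pad are constructed sample values.

```python
"""Classical ciphers from the cards: Vigenere with a one-letter key is the
Caesar cipher, and a reused one-time pad leaks plaintext.  All messages
below are constructed for illustration."""
import string

ALPHABET = string.ascii_uppercase


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Shift each letter by the matching key letter; the key repeats across
    the message.  Caesar is the special case len(key) == 1 (key 'D' is the
    classic shift of 3).  Non-letters pass through and consume no key letter."""
    key = key.upper()
    out, i = [], 0
    for ch in text.upper():
        if ch not in ALPHABET:
            out.append(ch)
            continue
        shift = ALPHABET.index(key[i % len(key)])
        if decrypt:
            shift = -shift
        out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        i += 1
    return "".join(out)


def caesar_brute_force(ciphertext: str) -> dict:
    """With a single-letter key the keyspace is only 26 shifts, so brute
    force is just trying all of them and reading the candidates."""
    return {shift: vigenere(ciphertext, ALPHABET[shift], decrypt=True)
            for shift in range(26)}


def otp(data: bytes, pad: bytes) -> bytes:
    """One-time pad: XOR the message with a pad at least as long as it.
    The same call decrypts, because XOR is its own inverse."""
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the message")
    return bytes(m ^ p for m, p in zip(data, pad))


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """If one pad encrypts two messages, c1 XOR c2 == m1 XOR m2: the pad
    cancels out, and knowing or guessing either plaintext reveals the other."""
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    import os
    ct = vigenere("ATTACK AT DAWN", "D")             # Caesar, shift 3
    print(ct, "->", caesar_brute_force(ct)[3])
    print(vigenere("ATTACKATDAWN", "LEMON"))        # classic Vigenere vector
    pad = os.urandom(16)                            # constructed pad
    m1, m2 = b"TRANSFER 100 USD", b"TRANSFER 900 USD"
    leak = two_time_pad_leak(otp(m1, pad), otp(m2, pad))
    # With m1 known, the attacker recovers m2 without ever seeing the pad.
    print(bytes(a ^ b for a, b in zip(leak, m1)))
```

Note that the pad rule is strict: even two messages under one pad is a complete break, which is why the card lists "used only one time" as a hard requirement rather than a recommendation.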
What enables someone to prove knowledge of a fact to another individual without revealing the fact itself?
Zero-knowledge proof
What term describes the practice in which the information or privilege required to perform an operation is divided among multiple users?
Split knowledge
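Worked example for the split knowledge card (added here; not from the original deck). Shamir's (k, n) threshold secret sharing is the standard way to implement split knowledge for key custodians: any k of the n shares reconstruct the secret, while k-1 shares give no information about it. The field prime (2^127 - 1, a Mersenne prime), the share count and the sample secret are assumptions chosen for illustration.

```python
"""Split knowledge via Shamir's (k, n) threshold secret sharing.
Constructed example; the prime field and sample values are assumptions."""
from __future__ import annotations
import secrets

# Field prime: 2^127 - 1 is a Mersenne prime, so secrets up to 126 bits fit.
PRIME = (1 << 127) - 1


def split_secret(secret: int, k: int, n: int,
                 rand=secrets.randbelow) -> list[tuple[int, int]]:
    """Return n shares (x, y) of a random degree-(k-1) polynomial whose
    constant term is the secret.  `rand` is injectable only so the behaviour
    can be tested deterministically; production code keeps secrets.randbelow."""
    if not 0 < k <= n:
        raise ValueError("need 0 < k <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must fit in the field")
    coeffs = [secret] + [rand(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):          # x = 0 would hand out the secret itself
        y = 0
        for c in reversed(coeffs):     # Horner evaluation modulo PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def recover_secret(shares: list[tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0.  With fewer than k shares the result
    is some other field element, not a 'partial' secret."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


if __name__ == "__main__":
    kek = secrets.randbelow(1 << 126)          # constructed key-encryption key
    custodians = split_secret(kek, k=3, n=5)   # five custodians, any three suffice
    print(recover_secret(custodians[:3]) == kek)
    print(recover_secret(custodians[:2]) == kek)   # False: below the threshold
```

In a key ceremony each custodian receives one (x, y) pair on separate media, and the threshold k is chosen so that no single person (or colluding pair, for k = 3) can reconstruct the key alone.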
What is a way to measure the strength of a cryptography system by measuring the effort in terms of cost and/or time to decrypt messages?
Work function or Work factor
What relies on a shared secret key, lacks scalability, easy key distribution, and nonrepudiation, but is fast?
Symmetric Key
What uses public-private key pairs for communication between parties, supports scalability, easy key distribution, and nonrepudiation, but is slower?
Asymmetric Key
What is the least secure mode, which encrypts each block independently (64-bit blocks for DES, 128-bit for AES) so that identical plaintext blocks always produce identical ciphertext blocks?
ECB
Electronic Codebook Mode
What mode XORs each plaintext block with the ciphertext block immediately preceding it (the first block with the IV) before encryption, and on decryption decrypts each ciphertext block and reverses the XOR?
CBC
Cipher Block Chaining
What is the streaming version of CBC and works on data in real time, using memory buffers of the same block size, and uses chaining so errors propagate?
CFB
Cipher Feedback
What mode operates similarly to CFB but builds its keystream by repeatedly encrypting the IV (seed) independently of the data, so there is no chaining and errors do not propagate?
OFB
Output Feedback
What uses an incrementing counter instead of a seed and errors do not propagate?
CTR
Counter
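Worked example for the ECB/CBC/CFB/OFB/CTR cards and the IV card (added here; not from the original deck). The modes are run over a toy 64-bit Feistel cipher written in a few lines so the whole thing is self-contained; that toy cipher is not secure and exists only to make the modes' behaviour observable: ECB repeats ciphertext for repeated plaintext, CBC and CFB propagate a corrupted ciphertext block into the next one, OFB and CTR do not. Key, IV, nonce and plaintext are constructed sample values; the cipher does no padding, so inputs are whole blocks.

```python
"""Block-cipher modes over a toy 64-bit Feistel cipher (NOT secure; for
demonstrating mode behaviour only).  All inputs are constructed samples."""
from __future__ import annotations
import hashlib

BLOCK = 8  # 64-bit blocks, as in DES, 3DES and Blowfish


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(half: bytes, key: bytes, rnd: int) -> bytes:
    # Round function: keyed hash of the half-block, truncated to 32 bits.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def encrypt_block(block: bytes, key: bytes) -> bytes:
    """Toy 4-round Feistel network on one 8-byte block."""
    left, right = block[:4], block[4:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(right, key, rnd))
    return right + left  # undo the final swap


def decrypt_block(block: bytes, key: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in reversed(range(4)):
        left, right = right, _xor(left, _f(right, key, rnd))
    return right + left


def _blocks(data: bytes) -> list[bytes]:
    if len(data) % BLOCK:
        raise ValueError("whole blocks only; this toy does no padding")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(data: bytes, key: bytes) -> bytes:
    # Each block on its own: equal plaintext blocks -> equal ciphertext blocks.
    return b"".join(encrypt_block(b, key) for b in _blocks(data))


def cbc_encrypt(data: bytes, key: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for b in _blocks(data):
        prev = encrypt_block(_xor(b, prev), key)   # chain with previous ciphertext
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(data: bytes, key: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(data):
        out.append(_xor(decrypt_block(c, key), prev))
        prev = c
    return b"".join(out)


def cfb_crypt(data: bytes, key: bytes, iv: bytes, decrypt: bool = False) -> bytes:
    # Keystream = E(previous ciphertext block); chained like CBC, so a bad
    # ciphertext block damages itself (bit flip) and the next one (garbage).
    out, prev = [], iv
    for b in _blocks(data):
        c = _xor(b, encrypt_block(prev, key))
        out.append(c)
        prev = b if decrypt else c
    return b"".join(out)


def ofb_crypt(data: bytes, key: bytes, iv: bytes) -> bytes:
    # Keystream = E(E(...E(iv))) depends only on key and IV: no chaining.
    out, state = [], iv
    for b in _blocks(data):
        state = encrypt_block(state, key)
        out.append(_xor(b, state))
    return b"".join(out)


def ctr_crypt(data: bytes, key: bytes, nonce: bytes) -> bytes:
    # Keystream block i = E(nonce || i); parallel and no error propagation.
    return b"".join(_xor(b, encrypt_block(nonce + i.to_bytes(4, "big"), key))
                    for i, b in enumerate(_blocks(data)))


def corrupted_blocks(decrypt, ciphertext: bytes, plaintext: bytes, hit: int = 1) -> list[int]:
    """Flip one bit in ciphertext block `hit`, decrypt, and list the plaintext
    blocks that no longer match the original."""
    damaged = bytearray(ciphertext)
    damaged[hit * BLOCK] ^= 0x01
    recovered = decrypt(bytes(damaged))
    return [i for i, (p, r) in enumerate(zip(_blocks(plaintext), _blocks(recovered))) if p != r]


def mode_report(key: bytes, iv: bytes) -> dict:
    pt = b"ATTACK!!" * 4  # four identical plaintext blocks
    return {
        "ecb_repeats": len(set(_blocks(ecb_encrypt(pt, key)))) == 1,
        "cbc_repeats": len(set(_blocks(cbc_encrypt(pt, key, iv)))) == 1,
        "cbc": corrupted_blocks(lambda c: cbc_decrypt(c, key, iv), cbc_encrypt(pt, key, iv), pt),
        "cfb": corrupted_blocks(lambda c: cfb_crypt(c, key, iv, decrypt=True), cfb_crypt(pt, key, iv), pt),
        "ofb": corrupted_blocks(lambda c: ofb_crypt(c, key, iv), ofb_crypt(pt, key, iv), pt),
        "ctr": corrupted_blocks(lambda c: ctr_crypt(c, key, iv[:4]), ctr_crypt(pt, key, iv[:4]), pt),
    }


if __name__ == "__main__":
    print(mode_report(b"\x01" * 8, b"\x02" * 8))
```

The report shows the flashcard claims directly: `ecb_repeats` is true and `cbc_repeats` false; CBC and CFB return `[1, 2]` (the damaged block and the one after it), OFB and CTR return `[1]`. None of these modes authenticates the ciphertext, which is why a bit flip quietly changes the decrypted output instead of being rejected; in practice an authenticated mode such as GCM or an HMAC over the ciphertext is needed.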
What is a weakness in cryptography where a plain text message generates identical ciphertext messages using the same algorithm but using different keys?
Key Clustering
When you encrypt a message what asymmetric key do you use?
The recipient’s public key
When decrypting a message what asymmetric key do you use?
Your private key
When signing a message what asymmetric key do you use?
Your private key
When validating a signature, what asymmetric key do you use?
The sender’s public key
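Worked example for the four "which key do I use" cards above (added here; not from the original deck). It is textbook RSA with no padding, built from four well-known Mersenne primes so it runs stand-alone; the tiny key sizes and the missing OAEP/PSS padding make it a teaching toy, not something to deploy. The message is a constructed sample.

```python
"""Which asymmetric key is used for each operation, shown with textbook RSA.
Toy key sizes, no padding: for illustration only."""
from __future__ import annotations
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int


@dataclass(frozen=True)
class PrivateKey:
    n: int
    d: int


def rsa_keypair(p: int, q: int, e: int = 65537) -> tuple[PublicKey, PrivateKey]:
    """n = p*q; d is the inverse of e modulo phi(n).  Security rests on the
    difficulty of factoring n back into p and q (see the RSA card)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # raises ValueError if gcd(e, phi) != 1
    return PublicKey(n, e), PrivateKey(n, d)


def _hash_int(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def encrypt(message: bytes, recipient_pub: PublicKey) -> int:
    """Encrypt with the RECIPIENT's public key; only their private key decrypts."""
    m = int.from_bytes(message, "big")
    if m >= recipient_pub.n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, recipient_pub.e, recipient_pub.n)


def decrypt(ciphertext: int, my_priv: PrivateKey) -> bytes:
    """Decrypt with YOUR OWN private key."""
    m = pow(ciphertext, my_priv.d, my_priv.n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def sign(message: bytes, my_priv: PrivateKey) -> int:
    """Sign with YOUR OWN private key: hash first, then apply the private exponent."""
    return pow(_hash_int(message, my_priv.n), my_priv.d, my_priv.n)


def verify(message: bytes, signature: int, sender_pub: PublicKey) -> bool:
    """Verify with the SENDER's public key: recover the hash and compare."""
    return pow(signature, sender_pub.e, sender_pub.n) == _hash_int(message, sender_pub.n)


# Mersenne primes 2^31-1, 2^61-1 (Bob) and 2^89-1, 2^107-1 (Alice).  Real keys
# use random primes of 1024+ bits each, never published constants.
BOB_PUB, BOB_PRIV = rsa_keypair((1 << 31) - 1, (1 << 61) - 1)
ALICE_PUB, ALICE_PRIV = rsa_keypair((1 << 89) - 1, (1 << 107) - 1)

if __name__ == "__main__":
    msg = b"SECRET KEY!"                            # 11 bytes < Bob's 92-bit modulus
    c = encrypt(msg, BOB_PUB)                       # Alice encrypts FOR Bob
    print(decrypt(c, BOB_PRIV))                     # Bob decrypts with HIS private key
    sig = sign(msg, ALICE_PRIV)                     # Alice signs with HER private key
    print(verify(msg, sig, ALICE_PUB))              # Bob verifies with ALICE's public key
    print(verify(b"SECRET KEY?", sig, ALICE_PUB))   # tampered message fails
```

The asymmetry of the two key pairs is the whole point: Alice never needs Bob's private key to send him something confidential, and Bob never needs Alice's private key to check that she signed it, which is what makes nonrepudiation possible.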
What are the five requirements for good hash functions?
Allow input of any length
Provide fixed-length output
Easy to compute the hash function for any input
Provide one-way functionality
Collision free
What can you add to passwords before hashing them to reduce the effectiveness of rainbow table attacks?
Salts
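Worked example for the salt card (added here; not from the original deck). It stores passwords with PBKDF2-HMAC-SHA256, a per-user random salt and a high iteration count, and contrasts that with an unsalted SHA-256 digest that a precomputed (rainbow) table breaks instantly. The password list, the iteration count and the storage format are assumptions for illustration.

```python
"""Salted, iterated password hashing next to the unsalted hash a rainbow
table attacks.  Password list and storage format are constructed."""
from __future__ import annotations
import hashlib
import hmac
import os

ITERATIONS = 600_000  # OWASP 2023 guidance for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: bytes | None = None,
                  iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$iterations$salt$hash'.  A fresh random salt per
    user means equal passwords hash differently, so a table precomputed for
    one salt is useless for every other account."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def unsalted_hash(password: str) -> str:
    """The weak scheme: one SHA-256 over the password, same digest everywhere."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Attacker's precomputed table of unsalted digests (constructed word list).
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "Summer2024!"]
RAINBOW = {unsalted_hash(p): p for p in COMMON_PASSWORDS}


def table_lookup(stored: str) -> str | None:
    """Instant break for an unsalted digest; None for the salted format,
    because the table would have to be rebuilt for every distinct salt."""
    digest = stored.split("$")[-1]
    return RAINBOW.get(digest)


if __name__ == "__main__":
    weak = unsalted_hash("letmein")
    strong = hash_password("letmein")
    print(table_lookup(weak), table_lookup(strong))   # letmein  None
    print(verify_password("letmein", strong), verify_password("letmeout", strong))
```

The iteration count is the second half of the defence: the salt defeats precomputation, the cost factor slows the per-guess brute force that remains. Argon2id or scrypt are preferred where available, because they also raise the memory cost of each guess.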
What standard specifies the approved hash functions (SHA-2 and SHA-3; SHA-1 is no longer approved for generating signatures) and the digital signature algorithms (DSA, RSA, ECDSA) used with them?
DSS
Digital Signature Standard (FIPS 186; the 2023 revision, FIPS 186-5, adds EdDSA and no longer approves DSA for generating new signatures)
What generates digital certificates containing the public keys of system users and certificate recipients verify a certificate using the CA’s public key?
Certificate Authorities
What are the standards for encrypted messages for email?
S/MIME and PGP
What security architecture framework supports secure communication over IP, can be used for direct host-to-host communication or over a VPN connection, and uses two protocols (AH & ESP)?
IPsec
What are some common cryptographic attacks?
Brute-force
Meet-in-the-middle
Man-in-the-middle
Birthday
Replay
What attack tries every possible key until it finds the correct cryptographic key?
Brute-force attack
What attack exploits protocols that use two rounds of encryption?
Meet-in-the-middle attacks
What attack fools both parties into communicating with the attacker instead of directly with each other?
Man-in-the-middle attack
What attack attempts to find collisions in hash functions?
Birthday attack
What attack attempts to reuse authentication requests?
Replay attacks
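Worked example for the birthday attack card (added here; not from the original deck). It searches for a collision in SHA-256 truncated to a chosen number of bits and compares the tries needed with the birthday bound of about 1.25 * 2^(bits/2), versus 2^bits for a brute-force search for one specific digest. The truncation and the message counter are illustration choices; real digests are never truncated this way.

```python
"""Birthday attack on a truncated hash: any two colliding inputs will do,
so the work is about 2^(bits/2), not 2^bits.  Constructed example."""
from __future__ import annotations
import hashlib
import math


def truncated_hash(message: bytes, bits: int) -> int:
    """SHA-256 reduced to its top `bits` bits (models a short digest)."""
    full = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return full >> (256 - bits)


def expected_birthday_tries(bits: int) -> float:
    """Mean number of random inputs before the first collision: sqrt(pi/2 * 2^bits)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def birthday_collision(bits: int, prefix: bytes = b"msg-") -> tuple[bytes, bytes, int]:
    """Hash distinct messages until two share a digest; return both messages and
    the number of tries.  Unlike a preimage search, no target digest is chosen."""
    seen: dict[int, bytes] = {}
    tries = 0
    while True:
        tries += 1
        msg = prefix + str(tries).encode()
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, tries
        seen[h] = msg


if __name__ == "__main__":
    m1, m2, tries = birthday_collision(32)
    print(m1, m2, tries, "expected about", round(expected_birthday_tries(32)))
    # Same arithmetic behind the SHA-1 card: a 160-bit digest gives only ~2^80
    # collision resistance, SHA-256 ~2^128.
    print(round(math.log2(expected_birthday_tries(160))),
          round(math.log2(expected_birthday_tries(256))))
```

This is why digest length is judged by half its bits when collisions matter (signatures, certificates), and why a 160-bit SHA-1 is treated as weak while a 128-bit MD5 was broken in practice.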
What allows content owners to enforce restrictions on the use of their content by others, and commonly protects entertainment content, such as music, movies, and e-books?
DRM
Digital Rights Management
What symmetric algorithms are 64-bits in block size?
Blowfish
Skipjack
DES
3DES
IDEA
RC2
What symmetric algorithms are 128-bits in block size?
AES
Twofish
RC5 (variable block size: 32, 64, or 128 bits)
What symmetric algorithm is a stream cipher and therefore has no fixed block size?
RC4
What hash algorithms produce a 128-bit hash value?
MD2
MD4
MD5
Which SHA-2 variants are still in use, and what are their hash value lengths?
SHA-224 (224 bits)
SHA-256 (256 bits)
SHA-384 (384 bits)
SHA-512 (512 bits)
Which SHA algorithm has a 160-bit hash value and is deprecated (practical collisions were demonstrated in 2017; it is no longer approved for digital signatures)?
SHA-1
What are the three major public key cryptosystems?
RSA
El Gamal
Elliptic Curve
What is the most popular public key cryptosystem, developed by Rivest, Shamir, and Adleman in 1977, and depends on the difficulty of factoring the product of prime numbers?
RSA
What is an extension of the Diffie-Hellman key exchange algorithm that depends on modular arithmetic and is less common?
El Gamal
What algorithm provides more security than other algorithms when both are used with keys of the same length?
Elliptic Curve
What digital signature algorithm is approved based on FIPS 186-4?
DSA
Digital Signature Algorithm
What digital signature algorithm is approved for use based on ANSI X9.31?
RSA
What digital signature algorithm is approved for use based on ANSI X9.62?
ECDSA
Elliptic Curve Digital Signature Algorithm
What model describes a system that is always secure no matter what state it is in, is based on the finite state machine (FSM), and treats a state as a snapshot of the system at a specific moment in time?
State machine model
What is it called when each possible state transition results in another secure state?
Secure state machine
What model focuses on the flow of information, is based on the state machine model?
Information flow model
What are two information flow models?
Biba
Bell-LaPadula
What information flow model focuses on preventing information flow from a high security level to a low security level?
Bell-LaPadula
What information flow model focuses on preventing information flow from a low integrity level to a high integrity level?
Biba
What model is loosely based on the information flow model, ensures that the actions of different subjects and objects are not seen by other subjects and objects on the same system, and is concerned with how the actions of a subject at a high security level affect the system state or the actions of a subject at a lower security level?
Non-Interference model
What model is used to define the levels of security that an obj may have and that a subject may have access to?
Lattice-based models
What state machine model enforces confidentiality, uses mandatory access control to enforce the DoD multilevel security policy, and has the “no read up” (simple security) and “no write down” (star) properties?
Bell-LaPadula
What lattice-based model was developed to address integrity, has the “no read down” (simple integrity) and “no write up” (star integrity) properties, and prohibits a subject at one integrity level from invoking a subject at a higher integrity level (invocation property)?
Biba
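Worked example for the Bell-LaPadula and Biba cards, the lattice-based model card and the reference monitor card that follows (added here; not from the original deck). A small reference monitor mediates every request against both models' rules using two label lattices, and denies by default when a label or operation is unknown, which is the "fail securely" principle from the start of the deck. Label names, the subject/object record layout and the audit format are assumptions.

```python
"""Toy reference monitor enforcing Bell-LaPadula (confidentiality) and Biba
(integrity) over label lattices, denying by default.  Labels and record
layout are constructed for illustration."""
from __future__ import annotations

# Lattices: higher number = higher level.
CLASSIFICATION = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}
INTEGRITY = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}


def blp_allows(subject: str, obj: str, op: str) -> bool:
    """Bell-LaPadula: simple security property = no read up;
    *-property = no write down.  Confidentiality only."""
    s, o = CLASSIFICATION[subject], CLASSIFICATION[obj]
    if op == "read":
        return s >= o
    if op == "write":
        return s <= o
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: str, obj: str, op: str) -> bool:
    """Biba: simple integrity = no read down; *-integrity = no write up;
    invocation property = no invoking a subject at a higher integrity level."""
    s, o = INTEGRITY[subject], INTEGRITY[obj]
    if op == "read":
        return s <= o
    if op in ("write", "invoke"):
        return s >= o
    raise ValueError(f"unknown operation {op!r}")


class ReferenceMonitor:
    """Every access passes through check(); nothing else grants access.
    A request must satisfy BOTH the confidentiality and the integrity rule."""

    def __init__(self) -> None:
        self.audit: list[tuple[str, str, str, str]] = []

    def check(self, subject: dict, obj: dict, op: str) -> bool:
        try:
            allowed = biba_allows(subject["integrity"], obj["integrity"], op)
            if op != "invoke":  # invocation is an integrity-only rule
                allowed = allowed and blp_allows(subject["clearance"], obj["classification"], op)
        except (KeyError, ValueError):
            allowed = False  # fail securely: unknown label or op denies, never grants
        self.audit.append((subject.get("name", "?"), obj.get("name", "?"), op,
                           "ALLOW" if allowed else "DENY"))
        return allowed


if __name__ == "__main__":
    rm = ReferenceMonitor()
    analyst = {"name": "analyst", "clearance": "SECRET", "integrity": "MEDIUM"}
    report = {"name": "report", "classification": "CONFIDENTIAL", "integrity": "HIGH"}
    print(rm.check(analyst, report, "read"))    # True: read down (BLP), read up (Biba)
    print(rm.check(analyst, report, "write"))   # False: write down (BLP), write up (Biba)
    print(rm.check(analyst, report, "delete"))  # False: unknown op -> deny
    print(rm.audit)
```

Note how the two models pull in opposite directions: BLP lets a SECRET subject read CONFIDENTIAL data but not write to it, while Biba lets a MEDIUM-integrity subject read HIGH-integrity data but not modify it. Real systems that need both integrity and confidentiality (or the Clark-Wilson approach that follows) are layering exactly these checks.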
What model uses security labels to grant access to objects, but only through transformation procedures and a restricted interface (the subject/program/object access triple)?
Clark-Wilson
What describes any data item whose integrity is protected by the security model?
Constrained Data Item
CDI
What describes any data item that is not controlled by the security model?
Unconstrained Data Item
UDI
What describes a procedure that scans data items and confirms their integrity?
Integrity Verification Procedure
IVP
What are the only procedures that are allowed to modify a CDI?
Transformation Procedures
TP
What is a confidentiality-based model that supports four basic operations: take, grant, create, and remove?
Take Grant Model
What is a confidentiality-based model, also called the “Chinese Wall model” that was developed to prevent conflict of interest problems?
Brewer and Nash Model
What model uses a formal set of protection rules for which each object has an owner and a controller, focuses on secure creation and deletion of both subjects and objects, and has a collection of eight primary protection rules that define the boundaries of certain secure actions?
Graham-Denning Model
What security mode requires every user to have a security clearance, access approval, and a valid need-to-know for ALL info processed by the system?
Dedicated Mode
What security mode can process info at different levels even when all sys users don’t have the required security clearance to access all info processed by the sys?
Multilevel Mode
What security mode requires users to have a valid security clearance and access approval for ALL info processed by the system, but a valid need-to-know only for at least SOME of the info on the system?
System High Mode
What security mode requires each user to have a valid security clearance for ALL info processed by the system, but access approval and a valid need-to-know only for the info they will actually access on the system?
Compartmented Mode
What is the logical part of the trusted computing base that confirms whether a subject has the right to use a resource prior to granting access and enforces access control?
Reference monitor
What enables an objective evaluation to validate that a particular product or sys satisfies a defined set of security requirements?
Common Criteria
What is a structured set of criteria for evaluating computer security within products and systems?
Trusted Computer System Evaluation Criteria
TCSEC
What are the Common Criteria Evaluation Assurance Levels and their labels?
EAL1 - Functionally tested
EAL2 - Structurally tested
EAL3 - Methodically tested and checked
EAL4 - Methodically designed, tested, and reviewed
EAL5 - Semiformally designed and tested
EAL6 - Semiformally verified design and tested
EAL7 - Formally verified design and tested
What are the TCSEC divisions/classes and their labels?
D - Minimal protection
C1 - Discretionary security protection
C2 - Controlled access protection
B1 - Labeled security protection
B2 - Structured protection
B3 - Security domains
A1 - Verified design
What method is used to pass info over a path that is not normally used, and may not be protected by the system’s normal security controls?
Covert channels
What hardware component stores and manages the keys for full disk encryption, releasing them to the OS only on the platform they are bound to, so that a drive removed and attached to another machine cannot be decrypted?
Trusted Platform Module
TPM
What enforces an access policy that is determined by the system not the object owner, relies on classification labels that are representative of security domains and realms?
Mandatory Access Control
MAC
What permits the owner or creator of an obj to control and define its accessibility?
Discretionary Access Control
What enables the enforcement of system-wide restrictions that override object-specific access control?
Non-discretionary Access Control
What defines specific functions for access to requested objects, commonly found in firewall systems?
Rule-based Access Control
What model uses a well-defined collection of named job roles to endow each one w/ specific permissions?
Role-based Access Control
What permits multiple concurrent tasks to be performed within a single process?
Multithreading
What chips have a small window that, when illuminated with a special ultraviolet light, erases their contents?
UVEPROM
What memory type uses electric voltages delivered to the pins of the chip to force erasure and is a more flexible alternative to UVEPROM?
EEPROM
What memory type is nonvolatile and can be electronically erased and rewritten?
Flash memory
What storage type is the same as memory?
Primary storage
What storage type consists of magnetic, flash, and optical media that must be first read into primary memory before the CPU can use the data?
Secondary storage
What storage type can be read at any point by the CPU?
Random access storage
What storage type requires scanning through all the data physically stored before the desired location?
Sequential access storage
What are the three main security issues surrounding secondary storage devices?
Removable media can be used to steal data
Access controls and encryption must be applied to protect data
Data can remain on the media even after file deletion or media formatting
What are the security risks of input and output devices?
Subject to eavesdropping and tapping
Can be used to smuggle data out of an org
Can be used to create unauthorized, insecure points of entry into an org’s systems and networks
What ensures that individual processes can access only their data?
Process isolation
What creates different realms of security within a process and limits communication between them?
Layering
What creates black-box interfaces for programmers to use without requiring knowledge of an algorithms or device’s inner workings?
Abstraction
What prevents info from being read from a different security level?
Data hiding
What is also known as a Virtual machine monitor and is the component of virtualization that creates, manages, and operates the virtual machines?
Hypervisor
What is a native or bare-metal hypervisor where there is no host OS, and instead the hypervisor installs directly onto the hardware where the host OS would normally operate?
Type I hypervisor
What is a hosted hypervisor, where a standard OS is present on the hardware and the hypervisor is installed as another software application?
Type II hypervisor
What is the functional order of security controls?
Deter
Deny
Detect
Delay
Determine
Decide
What type of fires are common combustibles such as wood, paper, etc and should be extinguished with water or soda acid?
Class A (ASH)
What type of fire involves flammable liquids such as alcohol or oil and should be extinguished with a gas (CO2 or a halon substitute) or soda acid?
Class B (BOIL)
What type of fire is an electrical fire, fed by energized equipment, and must be extinguished with a nonconductive agent such as a gas (never water)?
Class C (CONDUCTIVE)
What type of fire involves burning metals and is extinguished with dry powder?
Class D (DILYTHIUM)
What type of fires are kitchen fires, such as burning oil or grease and are extinguished with wet chemicals?
Class K (Kitchen)
What water suppression system (a combination dry/wet system) keeps its pipes charged with compressed air until a fire is detected, then fills them with water and releases it only when heat opens a closed sprinkler head?
Preaction systems
What water suppression sys are filled with water and are activated when a predefined temperature is reached?
Wet pipe systems
What water suppression sys is filled with compressed air and is held back by a valve that remains closed as long as sufficient air pressure remains in the pipes?
Dry pipe systems
What water suppression system is similar to a dry pipe system but uses open sprinkler heads and larger pipes, with the pipes empty at normal air pressure and water held back by a deluge valve?
Deluge system
What suppression systems are usually more effective than water systems but should not be discharged in occupied spaces because they displace or deprive the air of oxygen?
Gas suppression systems (CO2, halon, and halon substitutes)
What type of lock type can be easily picked?
Conventional locks
What are the key elements for site selection?
Visibility
Composition of the surrounding area
Area accessibility
The effects of natural disasters
How should secure work areas be designed and configured?
Not everyone gets equal access to all areas
Valuable and confidential assets are located at the center of protection (the innermost zone)
Centralized server and computer rooms need not be human compatible (they are built for equipment, not for people to work in)
What describes when someone is using another’s security ID to gain entry to a facility?
Masquerading
What are protections for media storage facilities?
Lock cabinets or safes
Use a librarian/custodian
Implement a check-in/check-out process
Use media sanitization
What is used to retain logs, drive images, virtual machine snapshots, and other datasets for recovery, internal investigations, and forensic investigations?
Evidence storage
What are the protections for evidence storage?
Lock cabinets/safes
Have a dedicated/isolated storage facility
Offline storage
Access restrictions and activity tracking
Hash management and encryption
What are useful tools for managing physical access controls?
Audit trails and access logs
What is a type of self-charging battery that can be used to:
Supply consistent, clean power to sensitive equipment
Supply power for minutes or hours in the event of a power failure?
UPS