Domain 3: (Security Architecture and Engineering) Flashcards

1
Q

What treats user identity as the control plane and assumes compromise/breach in verifying every request?

A

Zero Trust Security

2
Q

What represents a default config that reflects a restrictive and conservative enforcement of security policy?

A

Secure Defaults

3
Q

What indicates that components should fail in a state that denies rather than grants access?

A

Fail Securely

4
Q

What are the secure design principles?

A

Secure Defaults
Fail Securely
Zero Trust Security
Keep it Simple

5
Q

What was created by the IAPP and represents making privacy an integral part of every system, technology, policy, and design process?

A

Privacy by Design

6
Q

What are the seven principles of privacy by design by IAPP?

A

Proactive
Privacy as the default setting
Privacy must be embedded in the design
Privacy should be a positive-sum approach
End to end full lifecycle data protection
Visibility and transparency
Keep privacy user-centric

7
Q

What represents a cloud provider concept in which security is provided to an org through or by an online entity?

A

Security-as-a-Service

8
Q

What represents a class of devices connected to the internet in order to provide automation, remote control, or AI processing in a home or business setting?

A

Internet of Things

9
Q

What represents mobile devices that offer customization options, typically through installing apps and may use on-device or in-the-cloud AI processing?

A

Smart Devices

10
Q

What represents a system that collects data from other sources on the network, provides real-time monitoring, traffic analysis & notification of potential attacks?

A

SIEM
Security Information and Event Management

11
Q

What represents a centralized alert and response automation with threat-specific playbooks?

A

SOAR
Security Orchestration, Automation, & Response

12
Q

What is the creation of discrete services that may be accessed by users in a black box fashion?

A

SOA
Service-Oriented Architecture

13
Q

What are fine-grained services with a discrete function and are a modern adaptation of SOA to cloud computing?

A

Microservices

14
Q

What should be identified early in the development lifecycle?

A

Code-level vulnerabilities

15
Q

What techniques should be incorporated early in the CI/CD process to identify deficiencies before release?

A

Static code analysis
Dynamic testing

16
Q

What represents a lightweight, granular, and portable way to package apps for multiple platforms and doesn’t have its own operating system?

A

Containerization

17
Q

What reduces overhead of server virtualization by enabling containerized apps to run on a shared OS kernel?

A

Containerization

18
Q

What is a set of exposed interfaces that allow programmatic interaction between services?

A

APIs

19
Q

What uses the HTTPS protocol for web communications to offer API end points?

A

REST

20
Q

What must be done prior to storing, distributing, and transmitting access keys?

A

Encryption

21
Q

What is an embedded system?

A

The technology component of an IoT device

A full computer system embedded inside of another larger system

22
Q

What are examples of embedded systems?

A

Printers, GPS, drones, semi-autonomous vehicles

23
Q

What must you consider when dealing with embedded devices to ensure they meet security best practices?

A

Authentication practices

24
Q

What represents an alternative to the client-server computing model for compute-intensive operations w/ large data sets?

A

HPC
High Performance Computing

25
For problems that require the use of extremely large data sets and large-scale parallel processing what type of system should you use?
High Performance Computing system
26
What employs a centralized controller that makes computing assignments to grid members?
Grid Computing
27
What do you use when you need to process data locally and far from the cloud?
Edge Computing
28
What is common in various internet-of-things scenarios, like agricultural, science/space, and military?
Edge Computing
29
What places gateway devices in the field to collect and correlate data centrally at the edge?
Fog Computing
30
What are some key considerations when dealing with large network-connected device counts in various locations?
Data Encryption
Spoofing Protection
Authentication
31
What cloud service provides the building blocks of support for networking, storage, compute, and datacenters?
IaaS Infrastructure as a service
32
What cloud service is where the customer is responsible for deployment and management of apps, while the cloud service provider manages provisioning, config, hardware, and OS?
PaaS Platform as a service
33
What cloud service is where the customer only configures features while the cloud service provider supports everything else?
SaaS Software as a service
34
What cloud service model allows scalability, agility, pay as you go, no maintenance, and low skills?
Public cloud
35
What cloud service model is managed by the organization and allows for legacy support, control, and compliance?
Private cloud
36
What cloud service model supports public and private clouds, runs apps in the right location, and allows for flexibility in legacy support, compliance, and scalability scenarios?
Hybrid cloud
37
What is a security policy enforcement solution that may be installed on premises or in the cloud?
CASB Cloud access security broker
38
What key algorithm is quantum resistant, and enables better resistance against quantum computing attacks?
Lattice
39
What encrypts each plaintext digit one at a time with the corresponding digit of the keystream?
Symmetric stream cipher
40
What method encrypts a block of data rather than one bit at a time?
Block cipher
41
What uses the encryption algorithm to replace each character or bit of the plaintext message with a different character?
Substitution cipher / Caesar cipher
42
What uses an encryption algorithm to rearrange the letters of a plaintext message?
Transposition cipher
43
What is a random bit string that is XORed with the message and is normally the same length as the block size of the cipher?
Initialization vector IV
44
Which cipher uses a key length of one?
Caesar
45
Which cipher uses a longer key usually a word or sentence?
Vigenere
46
Which cipher uses a key that is as long as the message itself?
One-time pad
47
What criteria must be met for a one-time pad to be successful?
Generated randomly
Protected against physical disclosure
Used only one time
48
What enables someone to prove knowledge of a fact to another individual without revealing the fact itself?
Zero-knowledge proof
49
What describes the concept that the information or privilege required to perform an operation is divided among multiple users?
Split knowledge
50
What is a way to measure the strength of a cryptography system by measuring the effort in terms of cost and/or time to decrypt messages?
Work function or Work factor
51
What relies on the use of a shared secret key, lacks support for scalability, easy key distribution, and nonrepudiation, and is faster?
Symmetric Key
52
What uses public-private key pairs for communication between parties, supports scalability, easy key distribution, and nonrepudiation, and is stronger?
Asymmetric Key
53
What is the least secure mode that processes 64-bit blocks, and produces the same encrypted block if it encounters the same block multiple times?
ECB Electronic Codebook Mode
54
What XORs each block of unencrypted text with the block of ciphertext immediately preceding it, with the decryption process decrypting the ciphertext and reversing the XOR operation?
CBC Cipher Block Chaining
55
What is the streaming version of CBC and works on data in real time, using memory buffers of the same block size, and uses chaining so errors propagate?
CFB Cipher Feedback
56
What operates similarly to CFB, but XORs the plain text with a seed value, and has no chaining function, so errors do not propagate?
OFB Output Feedback
57
What uses an incrementing counter instead of a seed and errors do not propagate?
CTR Counter
58
What is a weakness in cryptography where a plain text message generates identical ciphertext messages using the same algorithm but using different keys?
Key Clustering
59
When you encrypt a message what asymmetric key do you use?
The recipient's public key
60
When decrypting a message what asymmetric key do you use?
Your private key
61
When signing a message what asymmetric key do you use?
Your private key
62
When validating a signature, what asymmetric key do you use?
The sender's public key
63
What are the five requirements for good hash functions?
Allow input of any length
Provide fixed-length output
Easy to compute the hash function for any input
Provide one-way functionality
Collision free
64
What can you add to passwords before hashing them to reduce the effectiveness of rainbow table attacks?
Salts
65
What uses the SHA-1, SHA-2, and SHA-3 message digest functions, and works in conjunction with one of the three encryption algorithms (DSA, RSA, ECDSA)?
DSS Digital Signature Standard
66
What generates digital certificates containing the public keys of system users, which certificate recipients verify using the CA's public key?
Certificate Authorities
67
What are the standards for encrypted messages for email?
S/MIME and PGP
68
What is a security architecture framework that supports secure communication over IP, can be used for direct communication between cpus or over a VPN connection and uses two protocols (AH & ESP)?
IPsec
69
What are some common cryptographic attacks?
Brute-force
Meet-in-the-middle
Man-in-the-middle
Birthday
Replay
70
What attack attempts to randomly find the correct cryptographic key?
Brute-force attack
71
What attack exploits protocols that use two rounds of encryption?
Meet-in-the-middle attacks
72
What attack fools both parties into communicating with the attacker instead of directly with each other?
Man-in-the-middle attack
73
What attack attempts to find collisions in hash functions?
Birthday attack
74
What attack attempts to reuse authentication requests?
Replay attacks
75
What allows content owners to enforce restrictions on the use of their content by others, and commonly protects entertainment content, such as music, movies, and e-books?
DRM Digital Rights Management
76
What symmetric algorithms are 64-bits in block size?
Blowfish
Skipjack
DES
3DES
IDEA
RC2
77
What symmetric algorithms are 128-bits in block size?
AES
Twofish
RC5
78
What symmetric algorithms are streaming bits in block size?
RC4
79
What hash algorithms have a hash value length of 128?
MD2
MD4
MD5
80
What are the hash value lengths of the SHA family that is still in use?
SHA-224
SHA-256
SHA-384
SHA-512
81
What SHA algorithm is not in use anymore and has a hash value length of 160?
SHA-1
82
What are the three major public key cryptosystems?
RSA
El Gamal
Elliptic Curve
83
What is the most popular public key cryptosystem, developed by Rivest, Shamir, and Adleman in 1977, and depends on the difficulty of factoring the product of prime numbers?
RSA
84
What is an extension of the Diffie-Hellman key exchange algorithm that depends on modular arithmetic and is less common?
El Gamal
85
What algorithm provides more security than other algorithms when both are used with keys of the same length?
Elliptic Curve
86
What encryption algorithm is currently approved based on FIPS 186-4?
DSA Digital Signature Algorithm
87
What encryption algorithm is currently approved for use based on ANSI X9.31?
RSA
88
What encryption algorithm is currently approved for use based on ANSI X9.62?
ECDSA Elliptic Curve Digital Signature Algorithm
89
What describes a system that is always secure no matter what state it is in, is based on the finite state machine, and is a snapshot of a system at a specific moment in time?
State machine model
90
What is it called when each possible state transition results in another secure state?
Secure state machine
91
What model focuses on the flow of information and is based on the state machine model?
Information flow model
92
What are two information flow models?
Biba
Bell-LaPadula
93
What information flow model focuses on preventing information flow from a high security level to a low security level?
Bell-LaPadula
94
What information flow model focuses on the flow of information from a low to high security level?
Biba
95
What is loosely based on the information flow model, ensures that the actions of different objects and subjects are not seen by other objects and subjects on the same system, and is concerned with how actions of a subj of a high security level affect the system state or the actions of a subj at a lower security level?
Non-Interference model
96
What model is used to define the levels of security that an obj may have and that a subject may have access to?
Lattice-based models
97
What state machine model enforces confidentiality, uses mandatory access control to enforce DOD multilevel security policy, and has "no read up" and "no write down" properties?
Bell-LaPadula
98
What is a lattice-based model developed to address concerns of integrity, has a "no read down" and "no write up" properties, and prohibits a subject at one level of integrity from invoking a subject at a higher level of integrity?
Biba
99
What uses security labels to grant access to objects?
Clark-Wilson
100
What describes any data item whose integrity is protected by the security model?
Constrained Data Item CDI
101
What describes any data item that is not controlled by the security model?
Unconstrained Data Item UDI
102
What describes a procedure that scans data items and confirms their integrity?
Integrity Verification Procedure IVP
103
What are the only procedures that are allowed to modify a CDI?
Transformation Procedures TP
104
What is a confidentiality-based model that supports four basic operations: take, grant, create, and revoke?
Take Grant Model
105
What is a confidentiality-based model, also called the "Chinese Wall model" that was developed to prevent conflict of interest problems?
Brewer and Nash Model
106
What model uses a formal set of protection rules for which each object has an owner and a controller, focuses on secure creation and deletion of both subjects and objects, and has a collection of eight primary protection rules that define the boundaries of certain secure actions?
Graham-Denning Model
107
What security mode permits access to all info processed by the sys, approval for all info processed by the sys, and valid need-to-know for all info processed by the sys through security clearance?
Dedicated Mode
108
What security mode can process info at different levels even when all sys users don't have the required security clearance to access all info processed by the sys?
Multilevel Mode
109
What security mode requires users to have a valid security clearance, access approval for ALL info, and a valid need-to-know for at least SOME info on the sys?
System High Mode
110
What security mode requires each user to have a valid security clearance, access approval for ALL info processed by the sys, but requires valid need-to-know for ALL info they will have access to on the sys?
Compartmented Mode
111
What is the logical part of the trusted computing base that confirms whether a subject has the right to use a resource prior to granting access and enforces access control?
Reference monitor
112
What enables an objective evaluation to validate that a particular product or sys satisfies a defined set of security requirements?
Common Criteria
113
What is a structured set of criteria for evaluating computer security within products and systems?
Trusted Computer System Evaluation Criteria TCSEC
114
What are the levels of the Common Criteria and their associated labels?
EAL0, EAL1 - Minimal/no protection
EAL2 - Discretionary security mechanisms
EAL3 - Controlled access protection
EAL4 - Labeled security protection
EAL5 - Structured security protection
EAL6 - Security domains
EAL7 - Verified security design
115
What method is used to pass info over a path that is not normally used, and may not be protected by the system's normal security controls?
Covert channels
116
What is a multipurpose solution, for full disk encryption through key management, by providing the OS w/ access to keys, but prevents drive removal and data access?
Trusted Platform Module TPM
117
What enforces an access policy that is determined by the system not the object owner, relies on classification labels that are representative of security domains and realms?
Mandatory Access Control MAC
118
What permits the owner or creator of an obj to control and define its accessibility?
Discretionary Access Control
119
What enables the enforcement of system-wide restrictions that override object-specific access control?
Non-discretionary Access Control
120
What defines specific functions for access to requested objects, commonly found in firewall systems?
Rule-based Access Control
121
What role uses a well-defined collection of named job roles to endow each one w/ specific permissions?
Role-based Access Control
122
What permits multiple concurrent tasks to be performed within a single process?
Multithreading
123
What are chips that have a small window that, when illuminated with a special ultraviolet light, erases the contents?
UVEPROM
124
What memory type uses electric voltages delivered to the pins of the chip to force erasure and is a more flexible alternative to UVEPROM?
EEPROM
125
What memory type is nonvolatile and can be electronically erased and rewritten?
Flash memory
126
What storage type is the same as memory?
Primary storage
127
What storage type consists of magnetic, flash, and optical media that must be first read into primary memory before the CPU can use the data?
Secondary storage
128
What storage type can be read at any point by the CPU?
Random access storage
129
What storage type requires scanning through all the data physically stored before the desired location?
Sequential access storage
130
What are the three main security issues surrounding secondary storage devices?
Removable media can be used to steal data
Access controls and encryption must be applied to protect data
Data can remain on the media even after file deletion or media formatting
131
What are the security risks of input and output devices?
Subject to eavesdropping and tapping
Can be used to smuggle data out of an org
Can be used to create unauthorized, insecure points of entry into an org's systems and networks
132
What ensures that individual processes can access only their data?
Process isolation
133
What creates different realms of security within a process and limits communication between them?
Layering
134
What creates black-box interfaces for programmers to use without requiring knowledge of an algorithm's or device's inner workings?
Abstraction
135
What prevents info from being read from a different security level?
Data hiding
136
What is also known as a Virtual machine monitor and is the component of virtualization that creates, manages, and operates the virtual machines?
Hypervisor
137
What is a native or bare-metal hypervisor where there is no host OS, and instead the hypervisor installs directly onto the hardware where the host OS would normally operate?
Type I hypervisor
138
What is a hosted hypervisor, where a standard regular OS is present on the hardware, and the hypervisor is then installed as another software application?
Type II hypervisor
139
What is the functional order of security controls?
Deter
Deny
Detect
Delay
Determine
Decide
140
What type of fires are common combustibles such as wood, paper, etc and should be extinguished with water or soda acid?
Class A (ASH)
141
What type of fires are burning alcohol and oil and should be extinguished with gas or soda acid?
Class B (BOIL)
142
What type of fires are electrical fires which are fed by electricity and must be extinguished with any type of gas?
Class C (CONDUCTIVE)
143
What type of fires are burning metals and are extinguished with dry powder?
Class D (DILYTHIUM)
144
What type of fires are kitchen fires, such as burning oil or grease and are extinguished with wet chemicals?
Class K (Kitchen)
145
What water suppression sys uses closed sprinkler heads and the pipe is charged with compressed air instead of water?
Preaction systems
146
What water suppression sys are filled with water and are activated when a predefined temperature is reached?
Wet pipe systems
147
What water suppression sys is filled with compressed air and is held back by a valve that remains closed as long as sufficient air pressure remains in the pipes?
Dry pipe systems
148
What water suppression sys are similar to dry pipes but the sprinkler heads are open and larger than dry pipes and the pipes are empty at normal air pressure and water is held back by a deluge valve?
Deluge system
149
What are usually more effective than water systems but should not be used in environments where people are located because they remove oxygen from the air?
Gas suppression systems
150
What lock type can be easily picked?
Conventional locks
151
What are the key elements for site selection?
Visibility
Composition of the surrounding area
Area accessibility
The effects of natural disasters
152
How to design and configure secure work areas?
No equal access to all areas
Valuable and confidential assets should be located at the center of protection
Centralized server and cpu rooms should not be human compatible
153
What describes when someone is using another's security ID to gain entry to a facility?
Masquerading
154
What are protections for media storage facilities?
Lock cabinets or safes
Use a librarian/custodian
Implement a check-in/check-out process
Use media sanitization
155
What is used to retain logs, drive images, virtual machine snapshots, and other datasets for recovery, internal investigations, and forensic investigations?
Evidence storage
156
What are the protections for evidence storage?
Lock cabinets/safes
Have a dedicated/isolated storage facility
Offline storage
Access restrictions and activity tracking
Hash management and encryption
157
What are useful tools for managing physical access controls?
Audit trails and access logs
158
What is a type of self-charging battery that can be used to supply consistent, clean power to sensitive equipment and to supply power for minutes or hours in the event of a power failure?
UPS