Extra Practice Flashcards
Due Care
A legal concept pertaining to the duty owed by a provider to a customer.
Practicing the individual activities that maintain the due diligence effort.
I’m doing care
Due diligence
Actions taken by a vendor to demonstrate/provide due care.
Establishing a plan, policy, and process to protect the interests of an organization.
Control Objectives for Information and Related Technologies (COBIT)
Documented set of best IT security practices crafted by the Information Systems Audit and Control Association (ISACA).
Sy. 22
Mnemonic: Controls orbit our technologies
Provide Stakeholder Value
Holistic Approach
Dynamic Governance System
Governance Distinct from Management
Tailored to Enterprise Needs
End-to-End Governance System
STRIDE
A Microsoft threat categorization scheme composed of spoofing, tampering, repudiation,
information disclosure, denial of service, and elevation of privilege.
Steps of Decomposition Process
Trust boundaries: where levels of security change
Dataflow paths: movement of data between locations
Input points: where external input is received
Privileged operations: any activity that requires greater privileges, such as making security or system changes
Details of security stance: mapping to security policy and assumptions
authorization to operate (ATO)
Often related to government or military agencies or contractors, an ATO is the formal approval to perform business functions once compliance with a contract, standard, framework, or regulation is confirmed. An ATO is often issued for a limited period of time and can be lost or canceled by the approving authority at any time based on any significant change to the environment.
Authorizing Official (AO)
An authorized entity who can evaluate an IT/IS system, its operations, and its risks, and potentially issue an ATO. Aka designated approving authority (DAA), Approving Authority (AA), Security Control Assessor (SCA), and Recommending Official (RA).
5 years
Annualized Loss Expectancy
The possible yearly loss of all instances of a specific realized threat against a specific asset.
ALE = ARO * SLE (mnemonic: ALE is arousal)
Single-loss expectancy (SLE)
Percentage of loss that an organization would experience if a specific asset were violated by a realized risk.
SLE = Asset Value * Exposure Factor
Risk
The possibility of damage or harm and the likelihood that damage or harm will be realized.
Risk = Threat * Vulnerability
Residual Risk
The risk remaining after security controls have been put in place as a means of risk mitigation.
Inherent risk
The level of natural, native, or default risk that exists in an environment, system, or product prior to any risk management efforts being performed.
Security professional
Has the functional responsibility for security, including writing the security policy and implementing it.
Senior management
Ultimately responsible for the security maintained by an organization and should be most concerned about the protection of its assets.
Business Continuity (BC) Steps
- Project Scope and Planning: review the organization, create a BCP team, assess available resources, and gather legal and regulatory requirements.
- Business Impact Analysis: identify processes and critical tasks, assess likelihoods, set priorities, determine MTD, RTO, and RPO, and identify risks and their likelihood.
- Continuity Planning: strategy development, provisions and processes, Continuity of Operations Plan (COOP).
- Approval and Implementation.
Disaster Recovery (DR)
Those tasks and activities required to bring an organization back from contingency operations and reinstate regular operations. Disaster recovery plans pick up where business continuity plans leave off. After a disaster strikes and the business is interrupted, the disaster recovery plan guides response teams in their efforts to quickly restore business operations to normal levels.
Bureau of Industry and Security
Within the Department of Commerce; sets regulations on the export of encryption products outside of the United States.
Federal Information Security Management Act (FISMA)
Includes provisions regulating information security at federal agencies. It places authority for classified systems in the hands of the National Security Agency (NSA) and authority for all other systems with the National Institute of Standards and Technology (NIST).
Communications Assistance for Law Enforcement Act (CALEA)
Requires that communications carriers assist law enforcement with the implementation of wiretaps when done under an appropriate court order. CALEA only applies to communications carriers and does not apply to financial institutions, healthcare organizations, or websites.
Fourth Amendment
Sets the “probable cause” standard that law enforcement officers must follow when conducting searches and/or seizures of private property. It also states that those officers must obtain a warrant before gaining involuntary access to such property.
Privacy Act of 1974
Limits the ways government agencies may use information that private citizens disclose to them under certain circumstances.
HIPAA Relationships with Third Parties
Organizations subject to HIPAA may enter into relationships with service providers as long as the provider’s use of protected health information is regulated under a formal business associate agreement (BAA). The BAA makes the service provider liable under HIPAA.
Gramm–Leach–Bliley Act (GLBA)
Provides, among other things, regulations regarding the way financial institutions can handle private information belonging to their customers.
Data Destruction
The final stage in the life cycle of backup media.
Degausser
A heavy magnetic field, which realigns the magnetic fields in magnetic media such as traditional hard drives, magnetic tape, and floppy disks. Demagnetizes the media.
Does not work with SSDs.
Purging
The removal of sensitive data from a system or storage device with the intent that the data cannot be reconstructed by any known technique.
Erasing or deleting
These processes rarely remove the data from media but instead mark it for deletion.
End of Support (EOS)
The date on which the vendor will stop supporting a product.
End of Life (EOL)
The date on which a vendor stops producing and offering a product for sale; the vendor continues to support the product until the EOS date.
Confusion
Occurs when the relationship between the plaintext and the key is so complicated that an attacker can’t merely continue altering the plaintext and analyzing the resulting ciphertext to determine the key.
Diffusion
Occurs when a change in the plaintext results in multiple changes spread throughout the ciphertext.
Symmetric Key Exposure Formula
Number of keys = n(n − 1) / 2, where n is the number of participants
M of N Control
Requires that a minimum number of agents (M) out of the total number of agents (N) work together to perform high-security tasks. M of N Control is an example of a split knowledge technique, but not all split knowledge techniques are used for key escrow.
Galois/Counter Mode (GCM)
Same as CTR mode but adds authentication tags to the encryption process, providing authenticity in addition to confidentiality.
closed system
One that uses largely proprietary or unpublished protocols and standards.
trusted computing base (TCB)
Has a component known as the reference monitor in theory, which becomes the security kernel in implementation.
The collection of all the hardware, software, and firmware components within an architecture that is specifically responsible for security and the isolation of objects. TCB is a term usually associated with security kernels and the reference monitor.
reference monitor
Validates access to every resource prior to granting the requested access.
Bell-LaPadula Model
Dept. of Defense; clearance levels and need to know.
Can’t read UP to a higher clearance level, and can’t write DOWN to a lower clearance level.
Mnemonic: there’s no I (integrity) in Bell-LaPadula.
Biba Model
Opposite of Bell-LaPadula; more about the modification of objects and data. Designed to address integrity issues of objects.
Lacks confidentiality and availability.
Clark-Wilson Model
Multifaceted approach to enforcing data integrity where the formal state machine limits modification to a system through a limited or controlled intermediary program or interface.
Restricted Interface Model.
Enforces separation of duties.
Federal Risk and Authorization Management Program (FedRAMP)
U.S. government‐wide program designed to standardize the security assessment, authorization, and continuous monitoring processes for cloud products and services used by federal agencies.
Cybersecurity Framework (CSF)
Designed for critical infrastructure and commercial organizations.
DREAD
Damage (potential), reproducibility, exploitability, affected users, and discoverability.
hoax
A social engineering attack that attempts to trick a user into taking actions that will harm them, by using fear that not taking the action would itself cause harm.
Online Certificate Status Protocol (OCSP)
Provides real-time query/response services to digital certificate users.
standard secure design principles
Least privilege, secure defaults, fail securely, threat modeling, keep it simple, separation of duties, zero trust, and privacy by design.
Fog computing
Relies on sensors, IoT devices, or even edge computing devices to collect data and then transfer it back to a central location for processing.
Mnemonic: you need sensors to see through the fog.
edge computing
A computation architecture that is part of the Industrial Internet of Things (IIoT). In edge computing, the intelligence and processing are contained within each device, which is at or near the edge of the network. See fog computing.
Simultaneous Authentication of Equals (SAE)
An authentication option of WPA3 that uses a password, but it no longer encrypts and sends that password across the connection. Instead, SAE performs a zero-knowledge proof process known as Dragonfly Key Exchange, which is itself a derivative of Diffie–Hellman. The process uses a preset password and the MAC addresses of the client and AP to perform authentication and session key exchange.
IEEE 802.1X
Provides port-based access control and is useful on both wired and wireless connections to block access to systems and users that are unknown or that fail authentication.
remote access techniques
Remote node operation, remote control, and service-specific.
smartcard
Falls under the “something you have” authentication factor, but it doesn’t generate a password.
TOTP authenticator
Synchronized with an authentication server and generates synchronous one-time passwords.
HOTP authenticator or device
Generates and displays one-time passwords when a button is pushed.
rule‐based access control
Defines access using a set of rules, such as the rules in a firewall’s access control list.
RBAC
Grants access based on a subject’s membership in a group or role.
MAC model
An access control mechanism that uses classification-based security labels to regulate subject access to objects. Implementations include a hierarchical MAC environment, a compartmentalized MAC environment, and a hybrid MAC environment.
Discretionary Access Control (DAC)
Access control in which the system owner decides who gets access.
Dynamic Application Security Testing (DAST)
Tools that execute the software unit, application, or system under test in ways that attempt to drive it to reveal a potentially exploitable vulnerability.
SOC 1
Engagements that assess the organization’s controls that might impact the accuracy of financial reporting.
SOC 2 and 3
Engagements that extend into controls protecting confidentiality, integrity, and availability more generally.
misuse case testing
A process used by software testers to evaluate the vulnerability of their software to known risks. Testers first enumerate the known misuse cases and then attempt to exploit those use cases with manual and/or automated attack techniques. It is testing that attempts to model the activity of an attacker. Aka abuse case testing.
NIPS
Placed in line with traffic and can prevent attacks from reaching an internal network. Detects attacks using pattern matching (also known as signature-based detection and knowledge-based detection).
NIDS
Can be placed in line with the traffic, but it isn’t placed in line by default. Detects attacks using pattern matching (also known as signature-based detection and knowledge-based detection).
parol evidence rule
States that when an agreement between parties is put into written form, the written document is assumed to contain all the terms of the agreement, and no verbal agreements may modify the written agreement.
best evidence rule
A rule that states that when a document is used as evidence in a court proceeding, the original document must be introduced. Copies will not be accepted as evidence unless certain exceptions to the rule apply.
direct evidence
Evidence that proves or disproves a specific act through oral testimony based on information gathered through the witness’s five senses.
Integrated Product Team (IPT)
A team of stakeholders and individuals who have various skills and work together to achieve a defined process or product.
Spiral Method
Improved waterfall development process, which provides for a cycle of Plan, Do, Check, and Act (PDCA) substages at each phase of the SDLC.
Software Capability Maturity Modeling (SW-CMM) and Assessment
A management process to foster the ongoing and continuous improvement of an organization’s processes and workflows for developing, maintaining, and using software.
grid computing
A form of parallel distributed processing that loosely groups a significant number of processing nodes toward the completion of a specific processing goal.
secondary memory
Magnetic/optical media and other storage devices that contain data not immediately available to the CPU.
nonpersistent system or static system
computer system that does not allow, support, or retain changes.
embedded system
A computer implemented as part of a larger system. The embedded system is typically designed around a limited set of specific functions in relation to the larger product of which it’s a component. It may consist of the same components found in a typical computer system, or it may be a microcontroller (an integrated chip with on-board memory and peripheral ports).
Temperature of a Server Room
59 to 89.6 degrees F
Cable Management Policy
Should include a mapping of the entrance facility (i.e., demarcation point), equipment room, backbone distribution system, telecommunications room, and horizontal distribution system.
Wet Pipe System
A fire suppression system that is always full of water. Water discharges immediately when triggered by a fire or smoke. Aka a closed head system.
Dry pipe system
A fire suppression system that contains compressed air. Once suppression is triggered, the air escapes, which opens a water valve that in turn causes the pipes to fill and discharge water into the environment.
Deluge system
Another form of dry pipe (fire suppression) system that uses larger pipes and therefore a significantly larger volume of water. Deluge systems are inappropriate for environments that contain electronics and computers.
Preaction system
A combination dry pipe/wet pipe system. The system exists as a dry pipe until the initial stages of a fire (smoke, heat, and so on) are detected, and then the pipes are filled with water.
Six common physical security control mechanisms
Deter, Deny, Detect, Delay, Determine, Decide.
Mean time to failure (MTTF)
The expected typical functional lifetime of the device given a specific operating environment.
Mean time to repair (MTTR)
The average length of time required to perform a repair on the device.
Mean time between failures (MTBF)
An estimation of the time between the first and any subsequent failures.
Capacitance motion detector
Senses changes in the electrical or magnetic field surrounding a monitored object.
Wave pattern motion detector
Transmits a consistent low ultrasonic or high microwave frequency signal into a monitored area and monitors for significant or meaningful changes or disturbances in the reflected pattern.
Photoelectric motion detector
Senses changes in visible light levels in the monitored area. Photoelectric motion detectors are usually deployed in internal rooms that have no windows and are kept dark.
Simplex
One-way communication (e.g., UDP) at layer 5, the Session Layer.
Means for IPv6 and IPv4 coexistence
Dual stack, tunneling, or NAT-PT.
- Dual stack: most systems operate both IPv4 and IPv6 and use the appropriate protocol for each conversation.
- Tunneling: most systems operate a single stack of either IPv4 or IPv6 and use an encapsulation tunnel to access systems of the other protocol.
- Network Address Translation-Protocol Translation (NAT-PT) (RFC 2766): converts between IPv4 and IPv6 network segments, similar to how NAT converts between internal and external addresses.
TLS
TLS allows for use of TCP port 443; prevents tampering, spoofing, and eavesdropping; and can be used as a VPN solution. TLS supports both one-way and two-way authentication. TLS and SSL are not interoperable or backward compatible.
Encapsulation
Encapsulation is both a benefit and a potentially harmful implication of multilayer protocols. Encapsulation allows for encryption, flexibility, and resiliency, while also enabling covert channels, filter bypass, and overstepping network segmentation boundaries.
Micro-segmentation
Micro-segmentation can be implemented using internal segmentation firewalls (ISFWs); transactions between zones are filtered; and it can be implemented with virtual systems and virtual networks.
Zigbee
Zigbee is an IoT equipment communications concept that is based on Bluetooth. Zigbee has low power consumption and a low throughput rate, and it requires close proximity of devices. Zigbee communications are encrypted using a 128‐bit symmetric algorithm.
ARP Poisoning
ARP poisoning can use unsolicited or gratuitous replies—specifically, ARP replies for which the local device did not transmit an ARP broadcast request. Many systems accept all ARP replies regardless of who requested them.
Switch
Manages the transmission of frames via MAC address. Can create separate broadcast domains to create VLANs. Primarily Layer 2.
Hub
Connects multiple systems and connects network segments that use the same protocol. It is a multiport repeater and operates at Layer 1.
Screened Subnet
A screened subnet is a type of security zone that can be positioned so that it operates as a buffer network between the secured private network and the Internet and can host publicly accessible services.
OSI Model
Application
Presentation
Session
Transport
Network
Data Link
Physical
TCP/IP Model
Application (application, presentation, session)
Transport
Internet (Network)
Network Interface (Datalink, Physical)