still need work cissp Flashcards

Question

AS-REP Roasting, solution

Answer 1

attackers steal encrypted parts of a AS_REP message from user accounts in order to then crack them offline AS-REP ends with P and preauthentication starts with P solution: make sure all accounts in your domain have the Kerberos pre-authentication enabled

Answer 2

A golden ticket in Active Directory — much like its namesake for Willy Wonka’s chocolate factory — grants the bearer unlimited access. A Golden Ticket attack abuses the Kerberos protocol, which depends on the use of shared secrets to encrypt and sign messages. P. L. Kurl is an oomploompa solution: PLKURL Protect against phishing attacks by training staff to identify suspicious emails and avoid sharing credentials. Limit user privileges to necessary roles and only use admin accounts for administrative tasks. Keep operating systems updated and disable plain text password storage in Active Directory to prevent Mimikatz-style attacks. Use a real-time auditing solution to respond to failed login attempts with custom scripts to disable accounts, stop processes, change firewall settings, or shut down servers to prevent brute force attacks. Regularly change the password for the KRBTGT user, doing it twice around 12-24 hours apart to avoid service disruptions. Look for signs of a Golden Ticket attack, such as nonexistent usernames, username and RID mismatches, modified group memberships, weaker encryption types, and ticket lifetimes exceeding the domain maximum.

Answer 3

US VAPI disable Unnecessary ports and services the use of SIPS and SRTP, both secure protocols that will keep VoIP traffic encrypted a dedicated VLAN for VoIP devices to help separate them from other networked devices Authentication implementation Patching / updates IDS / IPS AIO book conflicts and says to use IDS / IPS

Answer 4

PEAP is the best solution. It encapsulates EAP in a TLS tunnel, providing strong encryption. EAP is not protected LEAP is a Cisco proprietary protocol that was originally designed to help deal with problems in WEP. LEAP’s protections have been defeated, making it a poor choice. EAP-TLS is secure but requires client certificates, making it difficult to deploy and manage.

Answer 5

WPA3 SAE (simultaneous authentication of equals) is new and best, if need to worry about older devices, WPA2 PSK should be used

Answer 6

PCS predefined rules to optimize performance continuous monitoring to support better performance self-learning techniques to respond to changes in the network

Answer 7

port based authentication (can be used on both wired and wireless) can be used with EAP technologies supported by 802.1AE, 802.1AR, 801.1AF

Answer 8

MESS can be received by More than one phone, messages are not Encrypted messages can be Spoofed, messages are typically Stored on the recipient’s phone

Answer 9

PPTP, L2F, L2TP, IPsec TLS

Answer 10

HeLPS IT COMMAnD (e,n not used) Human Resources e Legal Affairs Procurement - Equipment and Supplies Security IT members from each major area Transportation & Relocation Crisis Management Operations Assessment Management Media Relations Administrative Support n Damage Assessment

Answer 11

the acquiring company usually acts like a DICk DIC Documentation of security policies Integration of security tools Consolidation of security functions

Answer 12

NIST 800-53 TPC VCS Third party service providers or vendors – from janitorial services to software engineering -‐-‐ with physical or virtual access to information systems, software code, or IP. Poor information security practices by lower-‐tier suppliers. Compromised software or hardware purchased from suppliers. software security Vulnerabilities in supply chain management or supplier systems. Counterfeit hardware or hardware with embedded malware. Third party data Storage or data aggregators. examples from practice tests: adversary tampering with hardware prior to shipment to end customer adversary using social engineering to compromise an employee of SaaS vendor to gain access to customer accounts

Answer 13

Validation processes are conducted to ensure that the sanitization process was completed, avoiding data remanence

Answer 14

Co Cla Set AS IS Control Selection Classifying the Data Sets the Rules for use and protection of data assisting with or Advising the System owners on security requirements data owners are likely to ask that those responsible for control selection to Identify a Standard to use

Answer 15

Data processors are required to perform specific actions under regulations like the EU GDPR.

Answer 16

are internal roles that oversee how data is used.

Answer 17

system owner is down in the PIIT develops system security Plan Id’s security controls Implements security controls ensures system users receive appropriate security Training

Answer 18

Containers as a service (CaaS) is a cloud service that allows software developers and IT departments to upload, organize, run, scale, manage and stop containers by using container-based virtualization. A CaaS provider will commonly provide a framework which allows users to make use of the service. Reduced cost – Using CaaS allows an organisation to pay for only the services used, such as load balancing, scheduling and compute instances. CaaS can also help clients reduce infrastructure, software licensing and operating costs.

Answer 19

protocol provides the ability to access resources from another service, focus on authorization - you’ve never signed up before

Answer 20

OpenID Connect standard to allow the use of an account from another service with an application, builds on oauth2 and adds authentication uses JSON Web Tokens (JWT) entitiies: relying party (target of access) IdP (identity provider) flows: authorization code flow - request -> IdP -> authorization token -> use consent request -> authorization code -> ID token *preferred and more secure [R>I>AT>C>AC>IDT] implicit flow - relying party request includes scope values *good for javascript or other serverless / browser-based request, less secure because ID token can be manipulated by user [RPR(scope values)>IDT] hybrid flow (combo of two above)

Answer 21

Security Assertion Markup Language Standardized way to tell external applications and services that a user is who they say they are. (SAM is who he says he is) SAML makes single sign-on (SSO) technology possible by providing a way to authenticate a user once and then communicate that authentication to multiple applications (Sam can use SSO) primary role in online security is that it enables you to access multiple web applications using one set of login credentials (Sam uses SSO to sign on many places with one credential set) used to make authorization and authentication data

Answer 22

Cross site scripting malware script in site (e.g. bulletin board) which is hidden but can be unintentionally run by others who access the site use script tags to prevent

Answer 23

Cross site request forgery, an attack that forces authenticated users to submit a request to a Web application against which they are currently authenticated. CSRF attacks exploit the trust a Web application has in an authenticated user. use session tokens / keys to prevent

Answer 24

eXtensible Access Control Markup Language Markup Language and a processing model Uses: DSE used to Describe access controls, used as a means to Send an individual’s authentication information in a standard format (password, key or certificate), can also be used to enforce policies elements: subject element resources element

Answer 25

service provisioning markup language allow platforms to generate and respond to provisioning requests entities: RA - requesting authority PSP - provisioning service provider (software) PST - provisioning service target

Answer 26

simple object access protocol used for the exchange of information in decentralized, distributed application environments using XML over HTTP can transmit SOAP messages in any way that the applications require, as long as both the client and the server use the same method. components: message envelope - defines the messages allowed and how they will be processed by recipient encoding rules used to define data types conventions for remote procedures / how to interpret responses

Answer 27

introduction to computer security

Answer 28

contingency planning as a contingency, Please Buy Personal Self Care Toiletries Mama develop Policy BIA Identify Preventive controls create contingency Strategies develop information system Contingency plan Testing and Training plan Maintenance

Answer 29

Guide to Integrating Forensic Techniques into Incident Response 86 should have been media sanitization (deleting data) which would prevent forensic techniques from working, but media santization is 88

Answer 30

Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans - covers methods for assessing and measuring controls

Answer 31

nonroutable IP addresses (internal IP addresses) in 1918 we thought the moon was non-routable

Answer 32

Real User Monitoring a passive monitoring technique that records user interaction with an application or system to ensure performance and proper application behavior RUM is often used as part of a predeployment process using the actual user interface

Answer 33

Statement on Standards for Attestation Engagements no. 18 (SSAE 18), is an auditing standard for service organizations. It is required by many industries and organization for vendors that provide them services. The examinations and audits of these Standards are known as SOC reports.

Answer 34

Security Content Automation Protocol A suite of specifications that standardize the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and humans. Note: There are six individual specifications incorporated into SCAP: VCP VOX CVE (common vulnerabilities and exposures); CCE (common configuration enumeration); CPE (common platform enumeration); CVSS (common vulnerability scoring system); OVAL (open vulnerability assessment language); and XCCDF (eXtensible configuration checklist description format).

Answer 35

The Script Check Engine (SCE) is designed to make scripts interoperable with security policy definitions.

Answer 36

verify that every line of code was executed during the test

Answer 37

verifies that every logical test in the code was executed under all sets of inputs

Answer 38

Pair programming is an Agile software development technique originating from Extreme programming (XP) in which two developers team together on one computer. The two people work together to design, code and test user stories.

Answer 39

cybersecurity incident response team members - core: DICCIT CISO Director of Security Ops IR Team lead Cybersecurity Analyst IT support Threat Intelligence Analyst extended: BHeLP HR Legal counsel PR Business Unit Lead minimum: (e lips) engineering/technical staff legal representatives, information security professionals, public affairs staff, and senior management,

Answer 40

According to NIST SP 800-137, organizations should use the following factors to determine assessment and monitoring frequency: monitoring should be 24X7 not 13X7 VV WORMCORT Volatility of security controls, Vulnerability information, Weaknesses identified in security controls, Organizational risk tolerance, Risk assessment Results, Monitoring strategy review output, Categorizations/impact levels for system security controls or specific assessments Objects providing critical functions, Reporting requirements. Threat information,

Answer 41

a process of trying to find defects in documents (such as source code or formal specifications) during various phases of the software development process a process of trying to find defects in documents (such as source code or formal specifications) during various phases of the software development process P O P Is Real Fedup [POPIRF] (planning, overview, prep, inspect, rework, followup)

Answer 42

threat MOdeling prOcess Overview threat MOdeling cOmmOnly involves: Mooo at the dairy DA IR y M AC (y not used) Decomposing the Application to understand it and how it interacts with other components or users. Identifying and Ranking threats allows you to focus on the threats that should be prioritized. identifying how to Mitigate those threats finishes the process. once complete, an organization can take action to handle the threats that were identified with Appropriate Controls.

Answer 43

allows to store data using a key-value store

Answer 44

another example of a NoSQL database, but it uses nodes and edges to store data rather than keys and values

Answer 45

C/R DUM D/S Create / Receive Distribute Use Maintain Dispose / Store or ASU SAD Acquisition Storage Use Sharing Archival Disposal

Answer 46

Modes: D Size Cups Mama (DSCM) Dedicated System High Compartmented Multi-level For Each Mode: Nice Cans Face Nookie Ass (NCFNA or SCANU) Signed NDA Clearance Formal Approval Need to Know All users

Answer 47

Signed NDA All Data Proper Clearance All Data Formal Access Approval All Data Valid Need to Know All Data All users can access All Data

Answer 48

Signed NDA All Data Proper Clearance All Data Formal Access Approval All Data Valid Need to Know Some Data All users can access Some Data

Answer 49

Signed NDA All Data Proper Clearance All Data Formal Access Approval Some Data Valid Need to Know Some Data All users can access Some Data

Answer 50

Signed NDA All Data Proper Clearance Some Data Formal Access Approval Some Data Valid Need to Know Some Data All users can access Some Data

Answer 51

communication, file transfer, network management PISS DDMMP iN FiLTH POP3, SMTP, IMAP, SNMP, FTP, Telnet, HTTP, MIME, PGP (app), S/MIME (app), HTTPS (app), DNS, DHCP, NTP POP3 - Post Office Protocol version 3 IMAP - Internet Message Access Protocol SMTP - Simple Mail Transfer Protocol SNMP - Simple Network Management Protocol DNS - Domain Name Service DHCP - Dynamic Host Configuration MIME, S/MIME - Multipurpose Internet Mail Extensions PGP - Pretty Good Privacy NTP - Network Time Protocol FTP - File Transfer Protocol LPD - Line Printer Daemon Telnet HTTP - HyperText Transfer Protocol function: formats data from applications for transmission over a network

Answer 52

GET JAMUM GIF, TIFF, JPG, MPEG, MIDI character encoding (ASCII, UNICODE, EBCDIC) compression, encryption function: formats (serializes) data in a manner the receiving computer can understand not really network protocols, only layer without real network protocols

Answer 53

(LNNPPRRSS) L2TP - Layer 2 Tunneling Protocol NFS - UNIX stateless Network File System NetBIOS - MS network basic input output system PPTP - Point-to-Point Tunneling Protocol RPC - Remote Procedure Call RTCP - RTP (Real-time Transport Protocol) Control Protocol SQL - Structured Query Language PAP - Password Authentication Protocol SIP - session initiation protocol function: creates session receiving application can understand, creating session, maintaining session, releasing session

Answer 54

TRANsport / TRANsmission control protocol (TCP) TUSQ TCP, UDP, SCTP, QUIC TCP - Transmission Control Protocol UDP - User Datagram Protocol SCTP - Stream Control Transmission Protocol QUIC Function: creates session between two computers to enable communication

Answer 55

IP, RIP, ICMP, IGMP, OSPF ORIIIP IP - Internet Protocol RIP - Routing Information Protocol ICMP - Internet Control Message Protocol IGMP - Internet Group Management Protocol OSPF - Open Shortest Path First function: insert information into packet header for addressing and routing, isolate to broadcast domains if it starts with "I" it's probably network layer (IMAP is exception, it's application layer)

Answer 56

ARP, ATM, RARP, SLIP, PPP, L2TP, Ethernet, ISDN, Wi-Fi, FCoE, FDDI, Token Ring I SLAPT A FFEW VV ISDN - Internet Services for Digital Network SLIP - Serial Line Internet Protocol L2TP - Layer 2 Tunneling Protocol ARP / RARP - (Reverse) Address Resolution Protocol PPP - Point-to-Point Protocol Token Ring ATM FDDI FCoE- Fiber Channel over Ethernet Ethernet Wi-Fi VLAN VxLAN function: formats data for the physical transmission media 2 functions LLC - logical link control, interfaces with network layer, flow control and error checking MAC - media access control, interfaces with physical layer adds last header / trailer [framing] to before it hits wire and what volts to put on the wire 1 is +.5 volt / 0 is 0 volts

Answer 57

PCRAV 10 RIDS C FEW CD LiST devices: PCRAV Pinouts, voltages, cables, antennas, radio waves protocols: 10 RIDS C FEW 10BaseX RS/EIA/TIA-422,423,449,485 ISDN - Integrated Services Digital Network DSL - Digital Subscriber Line SONET - Synchronous Optical Networking ethernet wifi Fiber Optics coaxial Functions: CD LiST Convert bits to electromagnetic signals for transmission, Synchronization, Data rates, Line noise and Transmission techniques

Answer 58

SSL2, SSL3, TLS (therefore the encryption in support of HTTPS, POP3S, FTPS) since IPSec is built into IP6 network protocols, and can be used with IP6, think of that to remember that it's in the network layer SSL - Secure Socket Layer TLS - Transport Layer Security

Answer 59

WEP, TKIP, CCMP WEP - Wire Equivalent Privacy TKIP - Temporal Key Integrity Protocol CCMP - Counter-Mode/CBC-MAC Protocol

Answer 60

IPSec Transport ESP IPSec Tunnel ESP (RC5, DES, AES)

Answer 61

Gateways and Proxies

Answer 62

SSH (therefore, the encryption in support of S-FTP, S-HTTP, PGP, S/MIME)

Answer 63

Router, L3 Switch

Answer 64

L2 Switch, Bridge

Answer 65

Hub, repeater

Answer 66

Proxy Firewall

Answer 67

Circuit (SOCKS) Firewall

Answer 68

Packet Filter Firewall

Answer 69

A three-way handshake (challenge/response) authentication protocol used for remote access connections. Both devices are configured with a password called a shared secret. For unique user authentication, this value is associated with a user account. The challenge/response authentication mechanism occurs in three steps: The server generates a challenge message and sends it to the client. The client responds with the username and a value created using a one-way hash function on the challenge message. The server checks the response against its own value created using the same hash. If the values match, the client is authenticated. With CHAP, plaintext versions of the password are never sent; only the hashed challenge message is sent between devices.

Answer 70

Allows users to use Normal credentials across trusted networks. Allows users in one organization to authenticate and access resources on another trusted organizations network using one set of credentials

Answer 71

Lower latency for clients, especially for applications in which multiple round-trips are required to load content. Large scaling to better handle instantaneous high loads, such as the start of a product launch event. Reduce the traffic sent to the origin server, as requests are handled by the edge servers. Provides protection from DoS attacks

Answer 72

RAVing about CDN A content delivery network provides DDoS protection by design, by being able to absorb Volumetric attacks. CDN also include Always-on traffic monitoring, and Real-time mitigation of common network-level attacks.

Answer 73

An IoT standard based protocol. Zigbee is a standards-based wireless technology that enables wireless machine-to-machine (M2M) and IoT networks. It is designed for low-data rate, low-power applications, and is an open standard. Zigbee is a specification based on IEEE 802.15.4 Its networks are secured by 128-bit symmetric encryption keys. Zigbee has a defined rate of 250 kbps, best suited for intermittent data transmissions from a sensor or input device. 40-250 kbps 65,000 868 mhz to 2.4 ghz

Answer 74

IoT standard based protocol. Simpler and less expensive than Zigbee. Z-Wave was created by a Danish company named Zensys. It uses the same AES-128 symmetric encryption as Zigbee. Like Zigbee, Z-Wave devices all link up together to form a mesh network. There’s one central hub that connects to the internet and then the devices themselves don’t have Wi-Fi at all, they use Z-Wave connectivity to talk to the hub either directly or through the mesh network. This is called a “source-routed mesh network topology.” Z-Wave allows up to 232 nodes on the mesh network. 9.8-100 kbps 232 908.42 mhz in North America

Answer 75

DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect forged sender addresses in email (email spoofing), a technique often used in phishing and email spam. Works by leveraging PKI DKIM allows the receiver to check that an email that claimed to have come from a specific domain was indeed authorized by the owner of that domain.[1] It achieves this by affixing a digital signature, linked to a domain name, to each outgoing email message. DKIM is an Internet Standard.[3] It is defined in RFC 6376, dated September 2011, with updates in RFC 8301 and RFC 8463.

Answer 76

captive portal is a web page accessed with a web browser that is displayed to newly connected users of a Wi-Fi or wired network before they are granted broader access to network resources Limitations: CBDM may be Circumvented Dns tunneling Mac spoofing require web Browser

Answer 77

WPA3-Personal (WPA3-SAE). This mode focuses on improving protection for individual users by providing better security using SAE. SAE increases security over WPA2, even when using a simple password. Operational Modes: PEE (W PEE A THREE) Personal mode lets users choose easy-to-remember passwords while still providing increased security using perfect forward secrecy to protect data traffic. WPA3-Enterprise. Enterprise mode builds on top of the previous WPA2 Enterprise mode. However, enterprise mode requires the use of Protected Management Frames on all WPA3 connections. Enterprise mode also has multiple Extensible Authentication Protocol (EAP) methods for authentication, 128-bit authenticated encryption, 256-bit key derivation and confirmation, as well as 128-bit management frame protection. Wi-Fi Enhanced Open. This extra mode focuses on increasing privacy in open networks. Enhanced Open mode prevents passive eavesdropping by encrypting traffic even when a password isn't used. This mode uses 256-bit authenticated encryption, 384-bit key derivation and confirmation, as well as 256-bit management frame protection.

Answer 78

In cryptography, Simultaneous Authentication of Equals (SAE) is a password-based authentication and password-authenticated key agreement method SAE is a variant of the Dragonfly Key Exchange defined in RFC 7664,[2] based on Diffie–Hellman key exchange using finite cyclic groups which can be a primary cyclic group or an elliptic curve.[1] The problem of using Diffie–Hellman key exchange is that it does not have an authentication mechanism. So the resulting key is influenced by a pre-shared key and the MAC addresses of both peers to solve the authentication problem.

Answer 79

BiG SIS (i not used) Bigger session keys GCMP WPA2 uses AES for encryption, while WPA3 uses the more secure GCMP SAE protocol Individualized data encryption Stronger brute-force attack protection

Answer 80

Galois/Counter Modea mode of operation for symmetric-key cryptographic block ciphers which is widely adopted for its performance. GCM throughput rates for state-of-the-art, high-speed communication channels can be achieved with inexpensive hardware resources used in: MWATTS OSWIFT MACsec (IEEE 802.1AE Ethernet security) WiGig (ieee 802.11AD), AES-GCM TLS 1.2[9][10] TLS 1.3.[11] SSH,[8] OpenVPN since version 2.4. SoftEther VPN server and client, WPA3-Enterprise Wifi security protocol, IPsec standards ANSI (INCITS) Fibre Channel Security Protocols (FC-SP), Tape storage IEEE P1619.1 t

Answer 81

attack works by forcing legitimate MAC table contents out of the switch and forcing a unicast flooding behavior potentially sending sensitive information to portions of the network where it is not normally intended to go solutions: Mac davis flooding the airwaves at 8pm network operators usually rely on the presence of one or more features in their network equipment: port security MAC filtering IEEE 802.1X

Answer 82

gain access to traffic on other VLANs that would normally not be accessible and is mitigated through proper vlan configuration switch spoofing - mitigated by ensuring that ports are not set to negotiate trunks automatically by disabling DTP on ports that are not meant to be trunks and explicitly configured as access ports double tagging - mitigated by not putting any hosts on VLAN 1 (The default VLAN). i.e., assign an access VLAN other than VLAN 1 to every access port, Change the native VLAN on all trunk ports to an unused VLAN ID and Explicit tagging of the native VLAN on all trunk ports. Must be configured on all switches in network autonomy

Answer 83

IP address spoofing or IP spoofing is the creation of Internet Protocol (IP) packets with a false source IP address, for the purpose of impersonating another computing system solutions: packet filtering and do not allow authentication based on IP address1

Answer 84

IEEE 802.3 is a working group and a collection of standards defining the physical layer and data link layer’s media access control (MAC) of wired Ethernet

Answer 85

IEEE 802.15 is a working group of the Institute of Electrical and Electronics Engineers (IEEE) IEEE 802 standards committee which specifies Wireless Specialty Networks (WSN) standards. WPAN / Bluetooth

Answer 86

Mesh networking

Answer 87

7 is an inverted L (for LiFi) Visible Light Communication / LiFi

Answer 88

Multi-Gigabit/s Optical Wireless Communications lay 3 on left side for M in Multi-Gigabyte

Answer 89

Secure Real-time Transport Protocol Secure Real-time Transport Protocol (SRTP) is a profile for Real-time Transport Protocol (RTP) intended to provide encryption, message authentication and integrity, and replay attack protection to the RTP data in both unicast and multicast applications between transport and application layer provides CREM confidentiality, replay protection encryption, message authentication

Answer 90

E AIR SRTP is an RTP profile intended to provide Encryption, message Authentication and Integrity, and Replay attack protection to the RTP data. PI SIP TLS protocol aims primarily to provide Privacy and data Integrity between two or more communicating computer applications.

Answer 91

NAT maps public to private via IP address PAT maps public to private via port# PAT more efficient as it can use one public address for many different internal devices

Answer 92

Business Impact analysis Business Is: Protect Real Life Investment Revenue (id Priorities, id Risks, Likelihood, Impact, Resource priorities)

Answer 93

RIDEM (Replay, Impersonation, Modification, Eavesdropping, Denial of service)

Answer 94

Like microservices, each function is made to work independently and autonomously. It does not hold resources in volatile memory; computing in short bursts with the results persisted to storage. Cost is based on actual use. When the app is not in use, no compute resources are used. Elasticity: resources expand, or contract based on the need. Scalability: we scale resources to meet expected needs. aka: FaaS (only functions)

Answer 95

uses a matrix (vigenere square) X axis is plain teXt / Y axis is keY

Answer 96

Transport Mode (Only data encrypted) Tunnel Mode (entire packet encrypted)

Answer 97

Nosetackles Can Easily Upend Any Puny Runningback Sneaking the Football or first 3 not used, Unskilled Attackers Pester Real Security Folks NS (not used anymore) CWR (not used anymore) ECE (not used anymore) URG urgent ACK acknowledgement PSH push RST reset SYN synchronizeing FIN finish

Answer 98

Capability Maturity Model Integration I Rarely Develop My Own 1 Initial -undocumented and not consistent 2 Repeatable - some processes are repeatable, process might be strictly controlled 3 Defined - documented processes and standards 4 Managed - metrics used for performance measurement and process users are competent 5 Optimizing - focus on continuous improvement SWMM

Answer 99

provides integrity and non-repudiation

Answer 100

Attribute Based Access Control grants access based on attributes (often used in SDN’s)

Answer 101

is a client

Answer 102

ALE = ARO*SLE [Ale = A RO SlE] SLE = AV * EF SLE single loss expectancy AV asset value EF exposure factor ALE = ARO * SLE or ALE = ARO * AV * EF

Answer 103

SPAT (strategy, provisioning, approval, training) SICA (scope, impact, continuity, approval)

Answer 104

[Pathetic Dirty Rotten Mean REPublicans RECruit REMarkable Losers] preparation detection, search for indicators, declaration of incident response, (initial response, contain damage) mitigation, (eradicate threat actor, determine details of attack and how to mitigate and perform mitigation) reporting, recovery, (restore full functionality of business process) remediation, (prevent future incidents) lessons learned (continuous improvement)

Answer 105

Process for Attack Simulation and Threat Analysis Pasta, It’s a bowl of alphabet soup DO DTS ADA TA VA AMS RAM (determine objectives, define tech scope, application decomp analysis, threat anal, vulnerability anal, attack modeling simulation, risk anal mngmt)

Answer 106

Software Assurance Maturity Model - from OWASP focused on secure software development Business functions: [Giving Developers Incentive Via Offers] Security practices SPE, TRA, BDD, ART, IEO Governance, (strategy / metrics, policy / compliance, education / guidance) SPE Design, (threat assessment, security requirements, secure architecture) TRA Implementation, (secure build, secure deployment, defect management) BDD Verification, (architecture assessment, testing driven by requirements, security testing) ART Operations (incident management, environment management, operational management) IEO

Answer 107

RoBBoT Rootkits Buffer overflow, Backdoors, TImeofchecktotimeofuse TOCTOU (asynchronous attack)

Answer 108

A DAM LIAR (alarm triggers, data reduction, analysis of logs, monitoring, logging, IDS, alert usage, review of logs)

Answer 109

IAACCCC (implicit deny, ACL, ACM, capability tables, constrained xfaces, content, context)

Answer 110

GOD HO ST GOS TA EN (GOvernance is Dynamic, HOlistic approach, STakeholder value, GOvernance Separate from mgmt, TAilored to entity, ENd to end)

Answer 111

[The Mother Fuckers Better Takeoff Running] (terrorism, military, financial, business, thrill, revenge)

Answer 112

CCDDDPR (corrective, compensating, detective, deterrent, directive, preventive, recovery)

Answer 113

DATa LIVe SUM (disclosure damage, age, timeliness, lifetime, implications of disclosure to business or national security, value, storage, usefulness, modification damage, )

Answer 114

BEETH (Backbone distribution, Entrance facility, Equipment room, Telecommunication room, Horizontal distribution)

Answer 115

VAT (vulnerabilities, assets, threats)

Answer 116

FF AI CLAN (FM200, FE13, Argonite, Inergen, CEA410/308, Low pressure water mist, Aragon, NAFSIII)

Answer 117

BIRDI (base+offset, immediate, register, direct, indirect)

Answer 118

RRSSW (ready, running, supervisory, stopped, waiting)

Answer 119

CAMO (compensation / recognition of excellence, auditing, monitoring, open communication)

Answer 120

ECCCCOG ECB, electronic code book - block is always encrypted using only the key, a certain plain text will always result in same cipher text CBC, cipher block chaining - unencrypted text is xor'd with block of cipher text resulting from previous block before encyption, first block uses IV or ECB of key, errors DO propagate CFB, cipher feedback - streaming version of cbc using memory buffers instead of blocks, errors DO propagate CTR, similar to ofb but uses counter increments instead of seed value to XOR plaintext, errors DO NOT propagate CCM, counter with cbc - ctr with confidentiality mode (used only with 128 bit block lengths) uses a nonce which is changed with each transmission, results in authenticity added OFB, output feedback - similar to cfb but instead of using previous block, it uses a seed value to XOR the plaintext, IV is used to create first seed value, no chaining, errors DO NOT propagate GCM, galois / counter mode - ctr + authenticity controls by using authentication tags to encryption process ECB should be used on short mesages only With IV CCO (CBC, CFB, OFB) Authenticated Modes: (authenticity added - all other modes only provide confidentiality) GCM, CCM propagation of errs: CBC CFB

Answer 121

PD HML DREAD (Probability X Damage Potential, H/M/L, DREAD)

Answer 122

DREAD (damage, reproducibility, exploitability, affected users, discoverability)

Answer 123

BI FI MI SI Bootsector Infection, File Infection, Macro Infection, Service Injection,

Answer 124

Bill Belichik Loves Great Head Coaches Big Nose Tackles (Bell-La Padula, BIBA, Lattice, Graham-Denning, HRU, Clark-Wilson, Brewer-Nash, Non-Interference, Take / Grant)

Answer 125

data execution prevention - prevents damage from malware by not allowing execution in Windows reserved memory locations

Answer 126

n(n-1)/2, where n = number of users

Answer 127

2n, where n = number of users

Answer 128

frequency analysis with two letter combos

Answer 129

review of description provided by management, specific point in time

Answer 130

Cyber Supply Chain Security Principles: Since it’s high level it’s the BIG picture BIG (breaches happen so develop defenses for them, IT isn’t only concern, Gaps will exist between physical and cybersecurity) Develop your defenses based on the principle that your systems will be breached. When one starts from the premise that a breach is inevitable, it changes the decision matrix on next steps. The question becomes not just how to prevent a breach, but how to mitigate an attacker’s ability to exploit the information they have accessed and how to recover from the breach. Cybersecurity is never just a technology problem, it’s a people, processes and knowledge problem. Breaches tend to be less about a technology failure and more about human error. IT security systems won’t secure critical information and intellectual property unless employees throughout the supply chain use secure cybersecurity practices. Security is Security. There should be no gap between physical and cybersecurity. Sometimes the bad guys exploit lapses in physical security in order to launch a cyber attack. By the same token, an attacker looking for ways into a physical location might exploit cyber vulnerabilities to get access.

Answer 131

CA CA SP RC IP Which security measures will be in place for Continuity of Access? How employees will Access Business-critical applications and systems as the divestiture proceeds. (Critical App access) The buyer’s and seller’s Security Policies. Are their policies compatible, or will additional training be needed before employees transfer to the new business unit? Are there Regulatory and IT Compliance issues requiring additional training before the divestiture concludes? Are there issues with Intellectual Property custody and protection as per the divestiture agreement or not covered by the agreement.

Answer 132

It is more commonly used to help enterprise users sign in to multiple applications using a single login (i.e. provide sso for enterprise users)

Answer 133

PaaS focuses on code stack infrastructure, while CaaS offers more customization and control over applications and services. Pay for a period of time, no matter what is used. As a result, CaaS is better suited to emerging frameworks, such as microservices. Pay as you use. Timed use. CaaS must be started, stopped

Answer 134

Peaky blindER packets - to remember the solutions A type of network attack where the sequence ACK numbers cannot be attained. Packets are sent to the target to obtain a sampling of the sequence numbers so that the attacker can generate a valid sequence number for the attack. Mostly used to attack older machines. Newer machines use random sequence number generation. Solutions: PER use Packet filtering; use Encryption on routers for inbound traffic; and Reject packets with incorrect network origin.

Answer 135

A type of network attack which occurs when the attacker is on the same subnet as the victim. The attack sniffs the sequence and ACK numbers and uses them to hijack the session. Solutions: You don’t have to be blind to give some EFS enable Encryption on a router for outside connections use ingress Filters on packets to filter inbound traffic use Secure protocols to connect to other systems

Answer 136

A type of network component attack where the attacker intercepts communications between two trusted hosts. The attacker gains the ability to view and change the information sent, and to forward it undetected. The attack can be accomplished using ARP cache poisoning or ICMP redirect. Solutions: MITM might SEEM like he’s not there. SEEM prevented by using Secure connections (HTTPS, SSL, TLS, VPN), Endpoint detections, Education MFA,

Answer 137

A type of network component attack in which the attack is connected to a switch and “floods” the switch with a large number of different fake MAC address sources. Prevented by: Hey MAC, avoiding a flood is SIMPle. Segmentation of network IDS MAC address filtering: Port security

Answer 138

type of network component attack. It is a tagging attack that occurs when a user on a VLAN gets unauthorized access to another VLAN. Solutions: ISL (I Still Love) D FC (Deep Fried Chicken) Dynamic Trunking Protocol (DTP) on all non-trusted ports Following Configuration guidelines for the switch.`

Answer 139

remember this one as it’s Nested which is starts with the same letter as Native A type of network component attack where an attack can cause traffic to hop VLANS by injecting packets that are double-tagged in an 802.1Q VLAN. Clear the native VLAN from all 802.1Q trunks or pick an unusual VLAN as the native VLAN.

Answer 140

A type of network component attack where an attacker can send spoofed ARP messages in to a LAN, causing the ARP cache to associate the target’s IP address with the attacker’s computer. All packets meant for the target will then be sent to the attacker. ARP is the protocol used to map an IP address to the physical MAC address. Prevented by: Use your PENUS to plug the ARP Cache poison and penus both start with p Physical Security Encryption Network segmentation / isolation Using switch security / or DAI (dynamic arp inspection) Static ARP table

Answer 141

A type of ICMP network, Denial of Service (DoS) attack on a computer that involves sending malformed or oversized IMCP packets to a target. Hackers send several oversized packets, which can cause the victim’s system to be unstable at the least, and possibly freeze up. Prevented by: Death starts with D… CBA, also it’s one of the oldest attacks so should be easy as… ABC avoid legacy equipment and patching block incoming icmp checks to packet reassembly process to prevent large / malformed packets

Answer 142

U in smurf indicates UDP is used. Smurf’s must be disabled from broadcasting ip addresses at each router and firewall. A type of ICMP, DDoS, network attack. The attacker sends a large amount of UDP echo traffic to an IP broadcast address, all of it having a fake source address, which will be the target of the system. As a DDoS attack the target system is flooded with spoofed ICMP packets. Prevented by: Smurfs is an old broadcast disable IP broadcasting addresses at each network router and firewall. Older routers are likely to enable broadcasting by default, while newer routers will likely already have it disabled

Answer 143

A type of ICMP network, DoS attack attacker sends a large amount of UDP traffic to ports 7 (Echo) and 19 (CHARGEN) Solutions: watching Fraggle Rock on my FUTON is FAB ulous FU TO NF AB solutions: Filtering UDP inbound Turn off source address spoofing by router configure routers to Not Forward packets directed to broadcast addresses. Until 1999, standards required routers to forward such packets by default. Since then, the default standard was changed to not forward such packets.[6] Configure hosts and routers to ignore packets where the source Address is a Broadcast address;

Answer 144

A type of ICMP network attack and an example of a MITM attack. A router sends an ICMP redirect request to a host when packets are routed via sub optimal paths, requesting the packets use the attacker’s machine as a a default route. The attacker will forward all the redirected traffic to a router so that the victim will not know that his or her traffic has been intercepted. solutions: turn off redirect on hosts or network equipment IDS / IPS can prevent

Answer 145

A type of ICMP network attack that pings every IP address and keeps track of which IP address responds to the ping. This technique is also a basic network scanning technique used to map networks and can also be used to find networking devices. (aka port scannning) Prevented by blocking incoming ICMP

Answer 146

A type of network attack that occurs in the form of probing the TCP services on a machine by establishing the initial handshake for connection. It allows an attacker to test for vulnerabilities on a target system. The scan pings every address and port number combination and tracks which ports are open on each device as the pings are answered by open ports with listening services and not answered by closed ports.

Answer 147

DNS U Cache E A type of DNS attack where the attackers feed false information into the DNS cache. When the server refreshes its query, the attacker inserts his own access point in an attempt to harvest passwords from users through newly created fake website. Prevented by: DUCE DNSSEC Use most current version of DNS Configure DNS servers to not rely on trusts with other servers Education - don’t click links in emails

Answer 148

A type of DNS attack that uses multiple compromised systems to send network traffic to a specific targeted system creating a Denial of Service (DoS) attack. a MIC can unDENIALbly Distribute your voice Mitigated by: MIC Monitoring network traffic volume IDS / IPS CDN

Answer 149

A type of DNS attack that takes advantage of the ability to embed URLs in web pages and emails. solutions: Da BEEPS give you away when trying to hide dmarc browser security plugins email gateways education proxy firewalls sandboxing aka: clickjacking

Answer 150

A type of wireless attack that is unauthorized access to a device using a Bluetooth connection. In this case the attacker is trying to access information on the device rather than send messages to the device. Prevented by: turn off bluetooth if not being used have a long password if possible for bluetooth turn off discovery when not needed

Answer 151

A type of wireless attack that happens when an unsolicited message is sent to a Bluetooth-enabled device for the purpose of adding a business card to the victims contact list. It can be prevented by putting the device into a non-discoverable mode.

Answer 152

A type of email attack where the sender addresses parts of the email with a header altered to appear as through the email originated from a different source. Since SMTP does not provide any authentication, it is easy to impersonate and forge emails. The email appears to come from one source when it actually comes from another. Solutions: SPF, DKIM, DMARC Third party services

Answer 153

A type of cyber attack where a hacker takes advantage of the three-way TCP handshake, and spams the victim with SYN packet’s from a spoofed IP address. The victim responds with a SYN-ACK packet, but never gets a response. Eventually, it will reach its maximum number of uncompleted three-way handshakes and will refuse legitimate network connections. Mitigated by: In memory, SYNful pACKman eats cookies limiting memory for syn / ack use use of syn cookies Layer 4 / Transport

Answer 154

DoS attack where the attacker sends SYN packets to a single server, overwhelming the victim system and blocking access to legitimate traffic. Solutions: Flooding put out the fires of hell where the increasing backlog of half open souls is recycled into cookies for your SYNs. FIReS Firewall Filtering Increase Backlog Queue Recycling the oldest half-open connection SYN Cookies (will lose some details but not enter DoS state)

Answer 155

A type of cyber attack that is a process in which a hacker sends malformed fragments of packets that when reassembled by the receiver, cause the receiver to crash or become unstable. Solutions (Fucking Pussy, for crying) Mitigated with firewall / IDS / IPS patching also helps prevent

Answer 156

The spoofing happening here must FADE. A type of cyber attack that hackers use to hide their trail or to masquerade as another computer in which they alter the IP address as it appears in the packet. Prevented by: FADE using Firewall Authentication of all IP addresses DNSSEC Ip Encryption

Answer 157

Don’t SIT, hijacking! A type of cyber attack where an intruder exploits a valid computer session to gain unauthorized access to the system. The attacker places himself in the middle of an active conversation between two computers, for the purposes of taking over the session of one of the two computers, thus receiving all data sent to that computer. TCP session hijacking takes advantage of predictable TCP sequence numbers Mitigated by: SIT Strong session managment (rotating keys, preventing predictable sequences, enforcing session timeouts) IDS / IPS Token based authentication

Answer 158

types of attacks on wireless networks. solutions: tkip - upgrade to wpa2 enterprise ccm / wpa3 parking lot attack - ensure wireless signal is not too strong key authentication flaw - upgrade to wpa2 / wpa3 krack attack - enforce strong key management

Answer 159

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can: FORMA Read sensitive data from the database, Modify database data (Insert/Update/Delete), execute Administration operations on the database (such as shutdown the DBMS), recover the content of a given File present on the DBMS file system and in some cases issue commands to the Operating system. Mitigation: DIPS Parameterized sql statements / queries secure Stored procedures Input validation, input list validation Do not use escaping for user supplied data whenever possible

Answer 160

A salami attack is a cybercrime that attackers typically use to commit financial crimes. Criminals steal money or resources from financial accounts on a system one at a time. This attack occurs when several minor attacks combine to form a powerful attack. Because of this type of cybercrime, these attacks frequently go undetected. Mitigation: I PAID for that salami. Periodic audits Anomaly detection (many small transactions going to one account) integrity checks Data validation

Answer 161

Capability Maturity Model Integration (aka CMM) - if hiring an outside development firm, can ask if they’ve been CMMI certified I,I Might Die Questioning Others (IMDQO) Incomplete (0) chaotic or ad hoc Initial (1) no effective management, no assurance of consistency or quality Managed (2) formal structure for change control and QA, repeatable processes Defined (3) formal procedures carried out in all projects, ability to be proactive Quantitatively Managed (4) metrics in place and used for self-improvement Optimizing (5) budgeted and integrated plans for continuous process improvement, can respond quickly to changes

Answer 162

a stateful firewall is a network-based firewall that individually tracks sessions of network connections traversing it. Stateful packet inspection, also referred to as dynamic packet filtering,[1] is a security feature often used in non-commercial and business networks. Characteristics: state of pennsylvania (chili peppers lyric) is where we find the SHS CoW Pie (o not used) State table High security without performance degrading Scalable provides data for tracking Connectionless traffic stores and updates state / context of data Within packets Weaknesses: susceptible to DoS attacks (filling state table)

Answer 163

inspects packets transferred between computers. The firewall maintains an access-control list which dictates what packets will be looked at and what action should be applied, if any, with the default action set to silent discard packets inspected by SAH ALUF advantages: Scalable not Application dependent High performance weaknesses: cannot prevent Application vulnerabilities from being exploited Limited logging do not support advanced User authentication may not detect packet Fragment attacks

Answer 164

Bo Bacardi (BA RA RC DI) is our enterprise security architect. an integrated and comprehensive strategy for protecting the organization against cyber threats BO BA RA RC DI Identify Business Objectives, goals and strategy Identify Business Attributes that are required to achieve those goals Identify all the Risk Associated with the attributes that can prevent a business from achieving its goals Identify the Required Controls to manage the risk Define a program to Design and Implement those controls

Answer 165

Architecture is usually the top level and the top is sometimes known as the Capo. CA PA CAMP OA define Conceptual Architecture for business risk define Physical Architecture and map with conceptual architecture define Component Architecture and Map with Physical architecture define Operational Architecture

Answer 166

Sherwood Applied Business Security Architecture - tool for aligning security architecture with business strategy; each layer increases detail (Y axis) and decreases abstraction (policy to implementation) Matrix there’s AMPPLe Time on the SABSA Primay CLOCC X axis: Assets (What), Motivation (Why), Process (How), People (Who), Location (Where), Time (When) (AMPPLT) Y axis: Contextual, Conceptual, Logical, Physical, Component, Operational (P CLOCC) SABSA is SABEPESE SA BE PE SE Strategic Alignment - business drivers and regulatory requirements met by security architecture Business Enablement - core business processes are integrated withing the security operating model, standards based + risk based (can do new things) Process Enhancement - integrating security components into business processes (can do things better) Security Effectiveness - measured by security assessments

Answer 167

ISMS - (Information Security Management System) specifies the components of the security program ESA (Enterprise Security Architecture) - specifies how the components of the security program relate to the general business architecture and how the components are integrated in the business environment and is part of EA (enterprise architecture)

Answer 168

Hitler mad ‘39 a difficult time to manage information security risks Managing Information Security Risk 3 Tiers: Organizational view Mission / Business view Information Systems view Trust models

Answer 169

occurs in level 1-4

Answer 170

Information System Risk Management Should address: RR CORK CAP (risk reward cork cap) formal process of Risk identification approach of changing staff behavior / resource allocation in Response to risk analysis Connection between ISRM policy and strategic planning Objectives of ISRM team Responsibilities of ISRM team KPI’s mapping of risk to internal Controls Acceptable level of risk mapping risks to Performance targets / budgets

Answer 171

Goal: Organization is protected in a cost effective way Principles: The risk management team’s goal is to protect the organization in a cramped mine. CRAMPED MINe (e not used) mapping of legal / regulation Compliance to controls appropriate Resources / fund allocation security Awareness training ability to establish risk Mitigation in specific areas as necessary Procedures to identify and mitigate risks Establish risk acceptance level Documented risk assessment process development of Metrics / KPI’s Integration of ISRM and change control process ability to identify and assess New risks

Answer 172

FARM PACT TR REDI SM Frame risk: PACT Priorities Assumptions Constraints Tolerance Assess risk: TR Threat and Vulnerability Identification Risk Determination Respond to risk: REDI Risk Response Identification Evaluation of Alternatives Risk Response Decision Implementation of Response Monitor risk: SM Risk Monitoring Strategy Risk Monitoring

Answer 173

a risky goal is to skip BAIL provide economic Balance between threat impact and cost of countermeasure / control identify Assets and value of assets determine the business Impact of threats determine Likelihood a threat exploits a vulnerability

Answer 174

MOOR MULA AI Maintenance cost Operational losses without the asset value to Owners / users Replacement cost Market value Userfulness to organization Liabilities if asset is compromised Acquisition cost value to Adversaries Impact to brand / reputation if asset is lost

Answer 175

Guide for Conducting Risk Assessments Focuses on computer systems and IT security 30 days after assessing the risk, People Can Count Money from ART CRIME. You'll have 2 eyes (I’s) popping on tripple d’s but TV could be LIaR High Level Steps: People Can Count Money Prepare Conduct Communicate Maintain Categories of Threat events: ART CRIME Attack impact / Results Tools of attack creation Coordinate campaign Reconnaissance malicious capability Insertion / delivery / Installation Maintain presence / capabilities Exploit / compromise Steps: guys under 30 have 2 eyes (I’s) popping on tripple d’s but TV could be LIaR identify Threats identify Vulnerabilities determine Likelihood of occurrence determine Impact magnitude determine Risk

Answer 176

Facilitated Risk Analysis Process Intended for evaluating a single entity / system Based on experience of team members, not calculations

Answer 177

Operationally Critical Threat, Asset and Vulnerability Evaluation (Carnegie Mellon U) 80 percent of consequences come from 20 percent of the causes Intended for Information Security Qualitative and focused on speed Steps: EOS S MIRS E Octave Sounds Simply Melodic In Rhythmic Songs Phase 1 identify Enterprise Knowledge identify Operational Knowledge identify Staff Knowledge Phase 2 establish Security Requirements Phase 3 Map High-priority information assets to Information Infrastructure perform Infrastructure Vulnerability evaluation conduct Mulidimensional Risk analysis develop Protection Strategy

Answer 178

Failure Modes and Effect Analysis The failure of PRO’S shows Bad Info Fouls Credible Reports used for: PRO’S Product development, assurance Risk management and Operational environments, first developed for Systems engineering goal: identify most likely failure and fix possible causes or reduce impact of break uses failure modes and effect analysis, due to the depth it is usually only performed on critical functions application of method to chronic failure enables the determination of the point where failure is most likely steps: BIFCR (Bad Info Fouls Credible Reports) BD IF FE CD RA (Bad devices, I find, fail eventually causing destruction right away) Block Diagram of system / control consider Impact of Failure for each block table with Failures and their Effects Correct Design of system have engineers Review Analysis of the failure modes and effects

Answer 179

theirs 161 links in our supply chain Supply Chain Risk Management Practices Create supply chain map

Answer 180

FDIPS US Federal Risk and Authorization Management Program (FedRAMP) US DOD Cybersecurity Maturity Model Certification (CMMC) ISO 27001 certification PCI DSS certification Service Organizational Control (SOC1 or SOC2)

Answer 181

Business Continuity Management - holistic management process covering BCP and DRP Lifecycle: PADIV continuity is similar to persistence Persistent Actions Don’t Involve Variability Policy / Program management Analysis - BIA and Risk Assessment Design Implementation Validation - using TTE

Answer 182

TAP Technical Administrative Physical

Answer 183

California Consumer Privacy Act (2020) PII = first name, last name + (SSN or DL# or CC# with PIN) Has been copied by many different stats

Answer 184

SHIPP RT WE BANG Sexual Orientation Health ID numbers Political Phone Religious Trade Union Web Data (LICE - location, IP address, cookies, email) Ethnic Biometric Address Name Genetics DF CRIP Data Protection Officer (DPO) right to be Forgotten Consent data breach Reporting (72 hours) right to be Informed right to restrict Processing

Answer 185

Even in 27005, Crime Is Ever Evolving TREAT As-such and treat risk. What's the MATA? Risk treatment (differs from NIST RMF in that risk communication is also an additional process where in NIST RMF it’s only implied) Should be used with ISO 27001 security program Steps: C I E E T A (Crime Is Ever Evolving Treat As-such) Context Establishment risk Identification (risk analysis + assessment) risk Estimation (risk analysis + assessment) risk Evaluation (risk assessment) risk Treatment risk Acceptance risk treatments: MATA Mitigate Accept Transfer Avoid

Answer 186

Factor Analysis of Information Risk framework - focuses on precise measurement of probabilities of incidents and their impacts Only international standard that is quantitative Focus not on possible threats but probable threats

Answer 187

consists of 800-30, 800-37 and 800-39

Answer 188

catalog of controls and how to select them to protect US Federal systems, has 20 families of controls and 1000+ controls in those families

Answer 189

business framework for IT enterprise management (ISACA)

Answer 190

US DoD Architecture Framework - ensures interoperability to meet military goals Focus on: IRS is part of US gov 4 C’s IRS (irs all end in nce) Command Control Communications Computers Intelligence Surveillance Reconnaissance

Answer 191

FONI NIST RMF ISO 27005 OCTAVE FAIR

Answer 192

there is 2 c’s and 1 n in “security control” NIST 800-53 CIS Controls COBIT 2019

Answer 193

ZTDS Zachman - taxonomy TOGAF - The Open Group Arch. Framework DoDAF - Dept. of Defense Arch. Framework SABSA - Sherwood Applied Business Security Architecture

Answer 194

Industrious Physiques Don’t Ruin Reputation, Causing Imaginary Problems Activities: IPDRR Identify Protect Detect Respond Recover Tiers: CIP Framework Core - applies to all organizations Implementation Tiers - categories of rigor / sophistication Framework Profile - describes the state of organization in regards to categories

Answer 195

Framework with 20 families of controls and 171 subcontrols Control Categories: Basic - should be implemented in every organization Foundational - best practices Organizational - focus on people and processes Implementation Group 1 - SMB’s Implementation Group 2 - Large organizations with an IT security department Implementation Group 3 - Large organizations with security experts in different specialty areas

Answer 196

Information Technology Infrastructure Library - framework to combine business and IT processes 4 dimensions: VOIP Value Streams and Processes Organizations and People Information and Technology Partners and Suppliers

Answer 197

DSOCCETRA (Dont separate otherwise classified categories even to raise awareness) Define classification levels Specify classification criteria identify data Owners responsible for classifying data identify data Custodians responsible for maintaining data and classification level indicate security Controls document Exceptions methods for Transferring custody / ownership Review procedures for classification / ownership / custody declassification security Awareness for the above

Answer 198

guidelines for media sanitization

Answer 199

Guide to storage encryption

Answer 200

guide to industrial control systems (ICS), in ‘82 I became an adult in industrial society and now have to follow adult people rules AP RULES monitor Audit trails regularly ensure process for Patch management apply Risk management to ICS disable Unneeded ports / services on all ICS devices implement Least privilege use Encryption when possible Segment network to allow IPS/IDS within subnet boundaries

Answer 201

Application Container Security Guide TVOG use container-aware defense Tools (e.g. IPS) adopt container-specific Vulnerability management tools use container specific host O/S only Group containers with same purpose, senstivity and threat postures on the same O/S

Answer 202

all needed components to allow encryption components: paks protocols algorithms keys software services: ciaan confidentiality integrity authentication authorization nonrepudiation

Answer 203

confidentiality, does not provide authenticity or nonrepudiation

Answer 204

Key management you need a key for a 57 chevy

Answer 205

Attacker Stages: Real Wars Don’t Ever Indicate Course of Action (RWDEICA) Reconnaissance Weaponization Delivery Exploitation Installation Command / Control Actions on Objective Defender Actions: (5D’s + C) Deceive Degrade Deny Detect Disrupt Contain Goals: Identify indicators of attack stages Defender Actions taken earliest opportunity is best

Answer 206

Adverserial Techniques Tactics & Common Knowledge 14 tactics have techniques and sub-techniques used by threat actors: ICED CLoCk DRIPPER (ok to not use ok) Initial Access Credential Access Execution Defense Evasion Collection Lateral Movement o Command and Control k Discovery Reconnaissance Impact Persistence Privilege Escalation Exfiltration Resource Development

Answer 207

DFKLN PSSST Z Defense in Depth Fail Securely Keep it Simple Least Privilege Need-to-know Privacy by Design Shared Responsibility Separation of Duties Secure Defaults Trust but Verify Zero Trust

Answer 208

DDDAR deterrence delaying detection assessment response

Answer 209

I don’t really recommend drawing protective curtains closed in morning (IDRRDPCCIM) Identify team Define scope (site vs facility) Risk analysis Regulatory / legal requirements Define acceptable risk level Performance baselines based on risk levels Countermeasure performance metrics Criteria for physical security goals Identify and implement countermeasures Monitor for performance and changes

Answer 210

A - common combustibles B - liquids / gases C - Electrical D - metals K - cooking oils fuel - soda acid oxygen - carbon dioxide temperature - water chemical reaction - FM-200

Answer 211

224.0.0.0 to 239.255.255.255, multicasting addresses (IP4) IP6 - addresses starting with 8 1’s

Answer 212

Internet Group Management Protocol used to report multicast group memberships to routers

Answer 213

tilt E to the right you get an M for MACsec MACSec, provides confidentiality, integrity and authentication at layer 2, prevents rogue devices, checks each frame for ICV (integrity check value) and allows if valid

Answer 214

I gave my AR a… secure device identity specifies unique per-device identifiers and cryptographic binding, provides secure device provisioning, works with EAP-TLS

Answer 215

provides key agreement for session keys

Answer 216

0 to 1023, standardized port for particular traffic

Answer 217

1024-49151 can be registered with IANA for a particular use

Answer 218

49152-65535 can be used as needed (aka ephemeral ports)

Answer 219

4,294,967,295 bytes

Answer 220

embeds IP4 addresses within IP6 addresses (intersite)

Answer 221

temporary IP4 / IP6 solution uses UDP encapsulation so that NAT are not affected (intersite)

Answer 222

Intra-Site Automatic Tunnel Addressing Protocol treats IP4 network as a virutal IP6 address (intrasite)

Answer 223

Client -> DHCPDISCOVER -> DHCP Server Client <- DHCPOFFER <- DHCP Server (with IP Address) Client -> DHCPREQUEST -> DHCP Server Client <- DHCPACK <- DHCP Server (confirming IP address with validity period)

Answer 224

CMRSS Compromise Client Configuration MITM Route traffic to unauthorized networks DHCP Spoofing - configure fake DHCP servr on network DHCP Starvation - flood DHCP server with bogus requests Solutions: enable DHCP snooping port security

Answer 225

Security measure performed on a switch, ensures only valid MAC addresses receive IP addresses from the server (NOT AN ATTACK) These switches also can provide protection against rogue DHCP servers

Answer 226

CRaMP DD FISt attacks: CRaMP can be used as a covert channel - attacker sets up an ICMP responder can be used to redirect traffic (routers use icmp to determine best route,etc.) can be used to map network (traceroute) can be used for DoS Solutions: DDFIS disable ICMP if coming from one of your on-network devices disable icmp redirect (hosts) firewall, block incoming icmp IDS / IPS Secure icmp redirect (accept only from default gateways)

Answer 227

Change default community strings Don’t use SNMP v1 or v2 (clear text community string) Close ports 161/162 to untrusted networks Filter ports 161/162 to only authorized endpoints / individuals

Answer 228

unauthorized zone transfer (update of dns information from one dns server to another) - allow zone transfers only on specific servers poisoning dns cache or primary records - use DNSSEC host file manipulation, don’t allow users to have admin access or access to host files

Answer 229

enabling router authentication

Answer 230

Orthogonal Frequency Division Multi-plexing - uses modulated signals that are orthogonal (perpendicular) to each other in tighter frequency spreads, since signals are perpendicular, they don’t interfere with each other, used in: digital tv, audio broadcasting, DSL, wifi and 4/5G wireless

Answer 231

Direct Sequence Spread Spectrum - takes the entire spectrum and splits it into smaller subchannels, uses all frequencies simultaneously using chipping code

Answer 232

Frequency Hopping Spread Spectrum - takes the entire spectrum and splits it into smaller subchannels, then changes the subchannels frequently, sender and receiver have hop sequence synchronized, makes eavesdropping harder if hopping sequence is unknown

Answer 233

allows receiver to reassemble transmission (aka pseudo-nonce sequence) in DSSS

Answer 234

WiMAX standard

Answer 235

all traffic is not Equal wireless QoS standard supporting multimedia trafic

Answer 236

f for free-range wireless addresses roaming / handoff for wireless networks

Answer 237

h - hell subject: address wireless interference (wireless hell) originally developed in Europe to address interference from other wireless activities using DFS (dynamic frequency selection) and TPC (transmit power control)

Answer 238

WSIL weak authentication static encryption keys ineffective initialization vectors lack of packet integrity assurance

Answer 239

WPA2 (note WPA is just WEP on steroids) Improvements: STAMP sequence numbers TKIP - temporal key integrity protocol - each frame has a new key AES encryption with CCMP Message integrity checks PSK size increased to 256 + salt of the SSID WPA Enterprise adds 802.1X (port authentication and EAP)

Answer 240

to remember turn over w and it makes an m for management frame Management frame protection (certain frames that can’t be encrypted) - protects from replay and DOS attacks

Answer 241

DAV WU SWAMP change Default SSID put AP’s as close to middle of building as possible VPN for wireless devices implement WPA3 guest networks should connect to Untrusted VLAN Separate VLANS for each class of users deploy Wireless Intrustion Detection System (WIDS) put AP in DMZ with firewall protection from wireless side MAC filtering Penetration testing

Answer 242

International Mobile Suscriber Identity catchers - devices that can jam 3G / 4G / 5G signals and force devices down to 2G which does not have authentication between devices and towers, can be built for less than $1500

Answer 243

Padding Oracle On Downgraded Legacy Encryption - (originated in 2014) the attack worked because SSL allowed security downgrading for interoperability

Answer 244

1Client Hello - list of cipher suites and protocols supported by client, client input for key exchange 2Server Hello - servers selection of cipher suite and protocol, server input for key exchange 3Server Authentication - server’s digital certificate, proof server owns the certificate’s private key 4Optional Client Authentication - client’s digital certificate, proof client owns the certificate’s private key Supported Cipher Suites: TLS_AES_256_GCM_SHA384 (best protection but highest resources) TLS_AES_128_GCM_SHA256 (next best protection but next highest resources) - ideal for systems with hardware encryption support TLS_AES_128_CCM_SHA256 - CCM is 16 bit similar to GCM TLS_AES_128_CCM_8_SHA256 - CCM is 8 bit, better suited for embedded devices TLS_CHACHA20_POLY1305_SHA256 - 20 rounds of ChaCha cipher combined with Poly1305 MAC - good for software based encryption Other feature: ephemeral keys - similar to one time pad, only used once, provides forward secrecy (aka perfect forward secrecy) which is attackers could only decrypt a small portion if they got the key most features of 1.3 were optional in 1.2 TLS 1.0 and 1.1 are insecure (but not formally deprecated until 3/2021)

Answer 245

algorithms providing authenticated symmetric key encryption

Answer 246

AE is IN (integrity nonrepudiation) Authenticated Encryption - integrity and non-repudiation for stream ciphers

Answer 247

Authenticated Encryption with Additional Data - present in TLS 1.3 to prevent replay attacks

Answer 248

Microsoft’s point to point tunneling protocol, TCP port 1723 works on IP networks (insecure)

Answer 249

Layer 2 Tunneling protocol (current version 3) combination of Cisco L2F [Layer 2 forwarding] and PPTP UDP port 1701(1 comes before 2 in l2tp) works on IP, ATM, X.25, by itself doesn’t provide much protection but integrates with protocols that do (e.g. IPSec) to provide confidentiality, integrity, authentication used when PPP needs to be extended through another network DOES NOT ENCRYPT

Answer 250

Point to Point Protocol line devices (e.g. routers) do not understand ip networks, but do understand PPP

Answer 251

extends PPP connections to be able to go through IP networks (which don’t understand PPP)

Answer 252

VPN provided by connecting Gateways on each end, they don’t need PPP, L2TP, IPSec (LIP) gateway vpn’s don’t need any lip, ok?

Answer 253

works at network layer (layer 3) AH - integrity, authentication, protection from replay attacks SA - specifies security properties that are recognized by communicating hosts, allows for secure exchange of data ESP - confidentiality, authentication, integrity, anti-replay (most secure part of ipsec) ISAKMP - framework for SA and IKE IKE - authenticated keying material for ISAKMP works on IP networks only, LAN to LAN communication used for g/w to g/w connections

Answer 254

session (layer 5) PT PEG types: PT tls Portal vpn - accessed via web browser (with built in TLS) to connect to websites tls Tunnel vpn - accessing non-web-based protocols / applications, usually needs custom programming to access through web connection features: PEG Protects a small number of Protocol types, so not good for infrastructure-level VPN Granular access control and configuration Easy to deploy (already built in browser) used to protect specific application layer traffic

Answer 255

Representational State Transfer architectural pattern uses HTTP to provide API to make requests from servers, creates a language where every statement is a an HTTP URI since it does the above, must use HTTPS also needs input validation

Answer 256

Web Service Security, enables SOAP security, provides confidentiality, integrity and authentication through XML digital signatures and security tokens

Answer 257

an attack using DNS to exfiltrate / infiltrate data solutions: RIM of tunnel RIM Rate limiting - capping DNS traffic per host IDS / IPS dns Monitoring tools DNSSEC does not stop it

Answer 258

I see a BIRD in the reflection DOS attack that uses open DNS servers to bombard a server with DNS queries, while spoofing source address solutions: bird Block unsolicited dns replies IDS / IPS dns Rate limiting DNS aware firewall

Answer 259

DOS attack that uses open DNS servers to bombard a server with DNS queries that require much larger responses than the size of the query (DNS ANY, EDNS(0), DNSSEC) Solutions: DNS and Doctor both start with D DR RL SIV LR MD (DR RL Silver, MD) Disabling Recursion on authoritative name servers. Rate Limiting Implementing Source IP Verification on a network device. Limiting Recursion to authorized clients. Monitoring of DNS traffic

Answer 260

set of standards developed to protect DNS record integrity (not confidentiality or availability) digitally signs groups of DNS records into RRSets with an RRSig record Also opens the possibility of DNS amplification attack think of it as a digital signature for DNS

Answer 261

DNS over HTTPS - sends DNS queries over HTTPS/TCP/IP instead of UDP providing confidentiality / privacy, does not provide integrity, but makes some DNS attacks harder to discover

Answer 262

a web proxy that blocks DNS requests to known malicious domains

Answer 263

Extended SMTP allows servers to negotiate TLS sessions when sending mail (SMTPS)

Answer 264

Post Office Protocol, POP3 is current, listens on port 110 or port 995 (POP3S using TLS) 110 ends in 0 POP has O SASL authentication

Answer 265

can remember port as 3 turned on left size makes an M in IMAP Internet Message Access Protocol listens on port 143 / 993 (IMAPS) 143, 3 tilted on left side makes an M in IMAP SASL authentication

Answer 266

Sender Policy Framework, email validation to prevent email spoofing (forged emails)

Answer 267

Domain-based Message Authentication, Reporting and Conformance combines SPF and DKIM

Answer 268

enables communications among SCADA devices (PLC’s)

Answer 269

Virtual Network Identifier - equivalent to VID in VLAN’s

Answer 270

Open - Open Network Foundation approach relying on open-source code and standards as the building blocks of a solution, uses OpenFlow a standard interface API - Cisco claims that OpenFlow is insufficient to fully leverage SDN, can do deep packet inspection and manipulation, propietary approach that enriches ONF approach Overlays - virtual overlay of physical network

Answer 271

asynchronous: uses start / stop bits to separate characters, typically used for unpredictable data transmission simple, less costly error checking using parity bits each byte requires 3 bits (stop/start/parity) framed data synchronous: uses timing to separate characters clock or signal, typically used for large amounts of data in a predictable manner more complex, costlier robust error checking, CRC (cyclic redundancy check) less overhead stream of data

Answer 272

repeater amplifies and resends entire frame received, do not separate collision or broadcast domains bridges can separate collision domains bridges do not separate broadcast domains, … do bridges / switches amplifies and can send to specific MAC addresses (if not a broadcast) routers can send to specific IP addresses, do not forward broadcasts

Answer 273

Qanon is a bridge leading from reality to fantasy RealM M bridges relaying and filtering frames on MAC addresses maintenance of frame filtering / relaying decisions management of listed elements

Answer 274

spanning tree protocol, prevents frames from looping endlessly, used in bridges on up also can build redundancy information assigns unique bridge ID’s assigns priorities calculates path cost

Answer 275

shortest path bridging, more efficient than STP

Answer 276

the bridge over AQua water is the shortest path SPB (shortest path bridging standard)

Answer 277

is like a multi port bridge prevents collisions and contention issues operates in duplex mode that doesn’t compete for the same bandwidth basic switches are layer 2, however layer 3 and 4 switches are also available, they read deeper into the data packets for decisions and tag data, the first switch a data packet encounters tag the data so any other switches can just read the tag instead of analyze the packet, last switch before destination removes the tag since switches have ASIC chips processing at the hardware layer, they can be faster than routers which function on the software layer.

Answer 278

multiprotocol label switching, use of tags in switches, allows for faster routing and differing service requirements for different packet types (QoS)

Answer 279

act as intermediary (and can add controls) between clients that want access to services and the servers that provide the services can provide caching for frequently requested data - reduces latency

Answer 280

Signaling System 7 , developed in 70’s, protocol used by PSTN to connect calls Signal Switching Point - a point belonging to the telephone company where your phone is connected signal transfer point in telephone companies which allows phone calls to be made sCp - c for cell phones service control point - signaling which allows PTSN to connect to mobile numbers STP, SSP, SCP

Answer 281

VOIP standard for voice and video calls 4 components: TGMG terminals - endpoints such as phones, video conferencing equipment gateways - interface H.323 with non H.323 networks MCU - multipoint control units, allow 3 or more conferences gatekeeper - provides call control services

Answer 282

Session Initiation Protocol UAC - user agent client, places calls UAS - user agen server, connects calls process: Isn’t Open Always Ring Bell Once IOARBO INVITE (trying, ringing) OK (after answer) ACK RTP voice call BYE (after hangup) OK SIP does not carry the call only the signaling to start / end calls, call carried by RTP

Answer 283

be a siPRR Proxy Server - relay packets between UAC and UAS Registrar Server - store locations of users on network Redirect Server - allows users to change locations and still get calls

Answer 284

RTP (Real Time Protocol) - used for streaming call data (transport layer) RTCP - (Real Time Control Protocol) used to control RTP (session layer) and provide QoS data

Answer 285

we’ll work on the case in the meeting CASE WURK don’t use Consumer-grade products use AES256 bit encryption where possible restrict participant screen / camera Sharing as appropriate control access to Each meeting enable Waiting room feature (prevent zoom-bombing) keep software Updated don’t Record meetings unless necessary or low risk know how to Kick-out unwanted participants

Answer 286

TIPT MG FAGS EAP-TLS - considered one of most secure, uses digital certificates EAP-IKE2 - provides mutual authentication, can be used with symmetric or asymmetric keys EAP-PSK - preshared keys EAP -TTLS - tunneled TLS, only server requires key PEAPv0/EAP-MSCHAPv2 - only requires server certificate PEAPv1/EAP-GTC - Cisco variant using Generic Token Card EAP-FAST - Cisco variant, flexible authentication via secure tunneling EAP-AKA - authentication key agreement (UMTS Universal mobile telecom systems) using USIM EAP-GSS - generic security services (kerberos) EAP-SIM - uses SIM (subscriber identity module)

Answer 287

layer 4 (transport) construct defined by: source address source port destination address destination port protocol (tcp or udp) a socket is the SAME As an ip address and port combination SAME A use Segmentation apply ACL to block every connection except those authorized Map every authorized socket where possible Encrypt channel Authenticate requests

Answer 288

63 and earlier I only had a digital identity 8/64 AD parents had first anniversary digital identity guidelines passwords: 8-64 characters allow special characters (but not require) disallow password hints

Answer 289

a RoBe or A MUMU can be worn AMUMU Accommodates Robust group-based access control, Maps to Security policy, Uses a Session as a mapping, Many to Many relationship among users and privileges, Uses Other information than user ID and credential for access decisions

Answer 290

maps to organizational structures and functional delineations, an accumulation of rights and permissions can occur, limited (allows only one level to be inherited) or general hierarchies (allows more than 1) static separation of duty - two roles have no shared principles dynamic separation of duty - two roles may have shared principles, but users can’t assume both simultaneously

Answer 291

Radius does not encrypt all data (unless used with TLS) TACACS+ encrypts all data RADIUS combines authentication and authorization TACACS+ separates authentication / authorization / auditing (or accounting) in ture AAA architecture RADIUS only works over PPP TACACS+ works over many protocols such as Apple talk, NetBIOS and IPX RADIUS - single challenge and response TACACS+ each AAA activity must be authenticated RADIUS - good for simple accept or deny situations TACACS+ - good for more sophisticated implementations both are just protocols

Answer 292

builds upon RADIUS base protocol - provides secure comms extensions - built on top of base to allow functionality with different technologies not directly compatible with RADIUS but has upgrade path has 2^32 AVP’s (attribute value pairs) compared to RADIUS (2^8)

Answer 293

XACML, SAML and SOAP

Answer 294

Steps: Does Everybody Vicariously Enter Reality DEVER Discovery Enumeration Vulnerability mapping Exploitation Report knowledge types zero partial full

Answer 295

4 things for info sec MAME Monitoring, measurement, analysis and evaluation of Information Security

Answer 296

QARRCS quantifiable - objective measurement actionable - leads to improvement robust - relevant over time relevant - aligns with goals comparative - can be evaluated against other metrics, baselines or standards simple - easy to understand SMART specific measurable achievable relevant time-bound

Answer 297

Risk (strategic) Preparedness (for security incidents - operational) Performance (tactical)

Answer 298

key performance indicators - where we are in relation to goals Fast Breaking Performance Always Counts FBPAC Choose Factors that show state of security Define Baselines for factors Develop Plan for capturing factor values Analyze and Interpret data Communicate Indicators to stakeholders

Answer 299

ASS BAM security Awareness training Security training Suspending accounts Backup verification Adding accounts Modifying accounts

Answer 300

manipulating a person to take an action to assist in a violation of a security policy Types: BBD HPP QSSS TV WW baiting - offering something of perceived value blackmail - threatening to expose secret information diversion theft - having something of value sent to an unintended destination honey trap - fake romance pretexting - simulating a situation phishing - fake email Quid pro Quo - promising reward for doing something (aka Tech Support Attack) SMS phishing / whaling - like phishing / whaling using SMS (aka smishing) scareware - fake virus alerts Spear phishing - like phishing only with a particular target in mind tailgating / piggybacking - unathorized individual following somebody to secure area Vishing - like phishing using phone (voice phishing) whaling - fake email to executives watering hole - capturing user credentials at a legitimate site

Answer 301

occupant emergency plan - used to ensure safety of personnel during emergencies

Answer 302

Technology: EDR NDR SIEM People: TTII Tier 1 Analyst - monitor alerts, eliminate false positives Tier 2 Analyst - deeper analysis of alerts Intelligence Analyst - investigate items passed by Tier1/2 analysts Incident Responder - contain, eradicate threats Processes: SOCks and podiatrists concern feet podiatrists prevent bunion pain gout Policies Procedures Business Partners Government

Answer 303

CART ‘R CAD (if you’re from Boston) Characteristics: CART Complete - enough to detect / prevent the threat from actualization Accurate - factual / error free Relevant - useful to detect / prevent the threat from actualization Timely - performed fast enough to impact damage Cycle: RCAD Requirements Collection Analysis Dissemination

Answer 304

Collection Management Framework - collecting relevant data, organizing and analyzing the data Data Sources: Third-party Feeds (generally proprietary) Open-Source INTelligence [OSINT] (free) Internal Sources - logs, alerts, etc.

Answer 305

detecting radio waves with my RCA SIMulator R C C C A S I M Risk analysis Control Selection Control Implementation Configuration Management Assessment

Answer 306

LoSSeS RarE oFF CoW C LA ToW c L SS SR E F1 F2 CW C LA TW c LISTEN SYN-SENT SYN-RECEIVED ESTABLISHED FIN-WAIT1 FIN-WAIT2 CLOSE-WAIT CLOSING LAST-ACK TIME-WAIT CLOSED (fictional)

Answer 307

HUBS Hides true source of data from untrusted network Used between trusted and Untrusted networks Breaks communication channel (no direct connections) Starts new communication Sessions between sender and receiver on the sender’s behalf Types: circuit-level proxy (on lower OSI levels - up to session layer) - cannot look at packet contents, application independent, can only approve on protocol (up to session layer) not by command, does not require configuration for each protocol (e.g. SOCKS) application-level proxy (on application layer) - inspect all the way up to application layer, can see packet content - can make specific command level decisions (e.g. FTP put or get) but must be configured for each protocol Advantages: EDS Extensive logging capabilities Direct authentication Spoofing protection disadvantages: RNL not good for high bandwidth / real-time applications limited in support for new applications / protocols lower performance

Answer 308

multiple layers combines packet, stateful, proxy capabilities and adds signature based IPS engine can share signatures with all other firewalls of the same vendor connects to external data sources such as: Active Directory, whitelists, blacklists, policy servers

Answer 309

Managed Security Service Provider - third party security service vendors Before hiring: DCURL (don’t use really corrupt losers) Determine requirements determine if MSSP Understands your business processes Reputation Costs Liability limits

Answer 310

Computer Security Incident Handling guide I hope I’m not 61 before I handle security incidents lifecycle: Please Don’t Allow Creepy, Evil, Random People Preparation Detection Analysis Containment Eradication Recovery Post Incident activity information to include in report: SIRACI IN Summary Indicators Related Incidents Actions Taken Chain of custody for all evidence Impact assessment Identity / Comments of incident handlers Next steps

Answer 311

indicators of attack / indicators of compromise typical indicators: HRODD unusually large HTTP requests / responses new Registry entries Outbound traffic to specific IP address(es) abnormal DNS queries DDoS traffic

Answer 312

Guidelines for digital evidence I CAP Identification: determination of the evidence required Collection: gaining control of evidence in a lawful manner Acquisition: digital acquisition - creating forensic image of digital data for examination, bit by bit copy of media outside the O/S [logical acquisition is done using the O/S)] 2 copies are made (1 is control copy) 1. Primary image 2. Working image Compute cryptographic hash of original and each copy Preservation: hashing as indicated above + access limited to qualified people to do limited actions (read only), possibly two-person control

Answer 313

G RA PA RA Gather system and security requirements from SOW and / or other product management documentation security requirements should be in categories: (triad) confidentiality integrity availability security Risk Assessment - identify threats and associated consequences Privacy risk Assessment - HML rating of private data, H - stores / transfers private data (PII), or makes it possible to do so, M - one time user initiated transfer of PII L - no effect to privacy Risk-level Acceptance

Answer 314

mapping planned functionality to real world possibilities BIF models designs AS A TM task Models: BIF Behavioral - explains state system will be in during and after certain transitions take place Informational - type of information to be processed and how it will move around the software system Functional - task, functions and their sequence(s) Security tasks: attack surface analysis - reduce the code that is usable by untrusted users, reduce entry points for untrusted users, provide least privilege, eliminate unnececessary services, can use software tools to perform threat modeling - analyzing the various weak points in the system (e.g. input fields, back doors, vulnerabilities, etc.) using threat trees or other constructs, software tools are also available, such as OWASP Threat Dragon

Answer 315

USC developed Use of automated tools helps develop more secure code Secure Coding techniques - helped by MITRE CWE (Common Weakness Enumeration) list of most impactful issues Code reviews catch common syntactical issues, especially input validation, prevention of covert channels, proper data typing, checksums, etc.

Answer 316

If you pass the test you’re all square MR. EF MR SQUAR EF Map security risks to test cases and code Separation of duties including not allowing developers to access production code separate QA testing, including possibly Red Team type of testing Unit Testing for modules using Test-Driven Development where a test is designed before or during actual coding Attack simulation / Penetration Testing Repeat testing until objectives are achieved Ensure systems Fail securely if no human life is at risk

Answer 317

Change Management (general approach) / Change Control (specific changes) Most likely phase to concern CISSP individuals

Answer 318

incremental waterfalls often result in a werl of water a multi-waterfall approach, each incremental phase results in a deliverable benefits: WERL working model delivered early end-users can provide input lower cost of initial delivery risk of critical changes are lower due to feedback cycle with end-users best used when various aspects of the project need to be understood early in the development cycle

Answer 319

Rapid Application Development - using working prototypes to quickly deliver software that’s RAD dude, A Quick Board Doesn’t Really Turn Instantly Analysis Quick design Build, Demonstrate, Refine (prototypes) Testing Implementation

Answer 320

SCRUM SCCRAL uses Sprints (predefined time of building, usually 2 weeks) or time between scrums focused on Collaboration Continuous delivery project can be Reset (like in rugby, when the game is reset to a scrum) adding new features, etc. a very widely Adopted Agile devlopment methodolgy Lean and customer focused

Answer 321

stresses visual tracking of all tasks so priorities can easily be accommodated uses a “Kanban Wall” where all tasks are placed for visualization under Planned, In progress and Done

Answer 322

SDF Static - examining source code, typically with automated tools without executing the code, of course requires access to the source code Dynamic - examining running code without access to the source code, of course requires running the code Fuzzing - used to discover flaws and vulnerabilities by sending large amounts of test data to the target trying to cause failure

Answer 323

Software developer certification

Answer 324

It’s a standard approach ramp to SA A C’M in the cloud. Federal Risk and Authorization Management Program - United States federal government-wide compliance program that provides a standardized approach to Security Assessment, Authorization, and Continuous Monitoring for cloud products and services.

Answer 325

Tier 1 Create / Deliver value Tier 2 Support business Tier 3 Protect assets from threats through safeguards to achieve CIA

Answer 326

BS VOICE Behave ethically, responsibly and legally think Strategically focus on Value / ROI emphasize Outcome and cost / benefit Innovate / enable business Continuous improvement Effective / Efficient

Answer 327

microsoft threat modeling for categorization Spoofing Tampering Repudiation Information disclosure Denial of service Elevation of privilege

Answer 328

microsoft threat modeling for prioritization Damage Reproducibility Exploitability Affected users Discoverability

Answer 329

A MODEL of Resistance Definitely Inspires Many Victims (RDIMV) define security Requirements create Diagram of system Identify threats Mitigate threats Validate threat mitigation

Answer 330

RAATT running over the landscaping collection of Risks, Assets, threat Actors, Threats, and observed Trend

Answer 331

Authentication - proving identity Authorization - proving clearance Accounting - recording activity

Answer 332

My CUPs could use some privacy CAIN CAID CUP of CAIN CAID Consent Use, retention and disclosure limitation Purpose Collection limitation Accuracy Individual participation / access Notice provided to owner Compliance with privacy laws Accountability Information Security Data minimization

Answer 333

no IDIOTs born in 64 Initiation Development / acquisition Implementation / assessment Operations / maintenance Trash / disposal

Answer 334

Initiate Cycle By Pushing Switch ICBPS Initiate Security Planning Categorize System Business impact Analysis Privacy impact analysis ensure use of Secure dev processes

Answer 335

Random Strangers Develop Eventual Social Ties (RS DEST) Risk assessment Select / doc. security controls Design security architecture Engineer security controls Security documentation Testing of dev., function, security

Answer 336

DIAA de implementacion DIAA Detailed compliance / auditing plan Integrate security into established systems Assess system security Authorize the system

Answer 337

(OCC) operational readiness configuration management continuous monitoring

Answer 338

dispose of that Cockroach PEST P E S T C build disposal Plan Ensure information preservation Sanitize media Trash / dispose of h/w & s/w Close system

Answer 339

The risk management chain has 31000 links where Virtuous People Find Purpose. Subject: Risk management guidelines elements: Virtuous People Find Purpose Values -> Risk Management Principles -> Risk Mangement Framework -> Risk Management Process

Answer 340

business continuity planning

Answer 341

addresses risk at the level of information systems and introduction to organizational resilience planning

Answer 342

Service Delivery Objective - level of service during alternate mode until returning to normal operations (e.g. 60% of normal capacity)

Answer 343

Business Continuity Management System - set of interrelated or interacting elements to establish policies and objectives and processes to achieve objectives of business continuity Components: if you need to manage elements, you have to see the Continuity Planning PIMP. CI P P I MR PA Continual improvement Policy Planning Implementation / Operation Management review Performance assessment

Answer 344

translation of lean manufacturing principles and practices to the software development domain principles: Lean or skinny like a snake (boa) BOA DEED Build integrity in Optimize the whole Amplify learning Decide as late as possible Eliminate waste Empower the team Deliver as fast as possible

Answer 345

ITIL: aims to plan, schedule and control the movement of releases to test and live environments. The primary goal of this process is to ensure that the integrity of the live environment is protected and that the correct components are released.

Answer 346

Common Weakness Scoring System (CWSS) provides a mechanism for prioritizing software weaknesses in a consistent, flexible, open manner. It is a collaborative, community-based effort that is addressing the needs of its stakeholders across government, academia, and industry. BAE 565 TI AP AL IC FC (tilapia icky fish) RP RL AV AS IN SC (raper lava as in SC) BI DI EX EC EP/p (bidi exec p) Metric Groups: BAE Basic Finding Attack Surface Environmental Factors: TI AP AL IC FC RP RL AV AS IN SC BI DI EX EC EP/p Metric Group | factor |description Base Finding Technical Impact (TI) The potential result that can be produced by the weakness, assuming that the weakness can be successfully reached and exploited. Base Finding Acquired Privilege (AP) The type of privileges that are obtained by an attacker who can successfully exploit the weakness. Base Finding Acquired Privilege Layer (AL) The operational layer to which the attacker gains privileges by successfully exploiting the weakness. Base Finding Internal Control Effectiveness (IC) the ability of the control to render the weakness unable to be exploited by an attacker. Base Finding Finding Confidence (FC) the confidence that the reported issue is a weakness that can be utilized by an attacker Attack Surface Required Privilege (RP) The type of privileges that an attacker must already have in order to reach the code/functionality that contains the weakness. Attack Surface Required Privilege Layer (RL) The operational layer to which the attacker must have privileges in order to attempt to attack the weakness. Attack Surface Access Vector (AV) The channel through which an attacker must communicate to reach the code or functionality that contains the weakness. Attack Surface Authentication Strength (AS) The strength of the authentication routine that protects the code/functionality that contains the weakness. Attack Surface Level of Interaction (IN) the actions that are required by the human victim(s) to enable a successful attack to take place. Attack Surface Deployment Scope (SC) Whether the weakness is present in all deployable instances of the software, or if it is limited to a subset of platforms and/or configurations. Environmental Business Impact (BI) The potential impact to the business or mission if the weakness can be successfully exploited. Environmental Likelihood of Discovery (DI) The likelihood that an attacker can discover the weakness Environmental Likelihood of Exploit (EX) the likelihood that, if the weakness is discovered, an attacker with the required privileges/authentication/access would be able to successfully exploit it. Environmental External Control Effectiveness (EC) the capability of controls or mitigations outside of the software that may render the weakness more difficult for an attacker to reach and/or trigger. Environmental Prevalence (P) How frequently this type of weakness appears in software.

Answer 347

0 - used for striping data on a disk, increases speed, no redundancy, min # drives = 2 1 - Mirroring without parity or striping, min drives = 2 2 - Bit-level striping with Hamming code for error correction, min # drives = 3 3 - Byte-level striping with dedicated parity, min # drives = 3 4 - Block-level striping with dedicated parity, min # drives = 3 5 - Block-level striping with distributed parity, min # drives = 3 6 - Block-level striping with double distributed parity, min # drives = 4

Answer 348

The Scaled Agile Framework® (SAFe®) is a set of organizational and workflow patterns for implementing agile practices at an enterprise scale. The framework is a body of knowledge that includes structured guidance on roles and responsibilities, how to plan and manage the work, and values to uphold. SAFe promotes alignment, collaboration, and delivery across large numbers of agile teams. It was formed around three primary bodies of knowledge: agile software development, lean product development, and systems thinking. Core Values: TABLe P Transparency Alignment across org Built-in quality - five key dimensions of built-in quality: flow, architecture and design quality, code quality, system quality, and release quality Leadership Program execution Principles: EAV BMW CMD 1 take an Economic view 2 Apply systems thinking 3 assume Variability; preserve options 4 Build incrementally with fast, integrated learning cycles 5 base Milestones on objective evaluation of working systems 6 visualize and limit Work in Process (WIP), reduce batch sizes, and manage queue lengths 7 apply Cadence, synchronize with cross-domain planning 8 unlock the intrinsic Motivation of knowledge workers 9 Decentralize decision making

Answer 349

12 = 7 + 5 2nd - assembly 3rd - 3GLs are much more machine-independent (portable) and more programmer-friendly [C, C++, Java, Python, PHP, Perl, C#, BASIC, Pascal, Fortran, ALGOL, COBOL] 4th - Fourth-generation languages tend to be specialized toward very specific programming domains [ABAP, Unix Shell, SQL, PL/SQL, Oracle Reports, R, Halide] low code, GUI based, database, screen painters, data manipulation, software creators, mathematical optimization, web developmet 5th - A fifth-generation programming language (5GL) is any programming language based on problem-solving using constraints given to the program, rather than using an algorithm written by a programmer [Prolog, OPS5, Mercury, CVXGen [6][7] , Geometry Expert] Mainly used in AI

Answer 350

Personally Identifiable Information Examples of personally identifiable information (PII) include : categories: general (9) biometric (5) inference (9) Social security number (SSN), passport number, driver’s license number, taxpayer identification number, patient identification number, and financial account or credit card number Personal address and phone number Biometric records such as photographic image (especially of face or other distinguishing characteristic), x-rays, fingerprints, retina scan, voice signature, facial geometry Information that when combined with other information like that listed above which can then be used collaboratively to identify a specific individual. For example, date of birth, place of birth, race, religion, geographical indicators, employment information, medical information, education information, financial information.

Answer 351

security content automation protocol SCAP is a method for using specific standards to help organizations automate vulnerability management and policy compliance evaluation. SCAP comprises numerous open security standards, as well as applications which use these standards to check systems for vulnerabilities and misconfigurations Features: SIR Scan systems against open cybersecurity standards Report back with a “score” to help evaluate the system’s security posture Interoperate with other SCAP-validated scanners to express results in a standardized way Benefits: SSS cooperation among Stakeholders Stops attacks and closes vulnerabilities puts Standards into action

Answer 352

BE the I in TEEM Base: exploitability metrics impact metrics Threat / Temporal: exploit maturity Environmental: modified base + CIA

Answer 353

Process: D DIED V (configuration, Don’t Do It Every Day Victoria) Determine business objectives. CMDB Discovery tools. ITSM system integration. Equip data owners/data stewards with the right tools. Data management and retention plan. CMDB: data Visualization. The 3 C’s of CMDB - Configuration Items, Changes, and Compliance -

Answer 354

Permissionless Blockchain It is also known as trustless or public blockchains, are available to everyone to participate in the blockchains process that use to validate transactions and data. These are used in the network where high transparency is required. Permissioned Blockchain These are the closed network only a set of groups are allowed to validate transactions or data in a given blockchain network. These are used in the network where high privacy and security are required. Hybrid Blockchain: combination, controlled by permissionless Consortium Blockchain: It is a creative approach that solves the needs of the organization. This blockchain validates the transaction and also initiates or receives transactions. Also known as Federated Blockchain. This is an innovative method to solve the organization’s needs. Some part is public and some part is private. In this type, more than one organization manages the blockchain.

Answer 355

manual goes beyond automated There are five primary reasons why manual pen testing yields superior outcomes when compared to automated penetration tests. [Helping Human Can Make Improvements] Human expertise: Manual penetration tests are conducted by security experts with in-depth industry experience and technical know-how. They can adjust the testing methodology as per your organization’s structure. This results in optimal findings with efficient remediation measures down the line when compared to an automated report that may contain false positives. Human validation of findings: In a manual pentest exercise, the testing team validates their findings during the process as everything is done manually; each step can be documented and double-checked. However, in automated tests, this transparency is not available, and results can be tough to verify. The findings from pure automated pentests may contain false positives that analysts must verify before remediation can occur. Customized Pentest Engagements: Manual testing allows customizations based on threats your organization is more likely to face. While the efforts required by the testing team increase substantially, a thorough inspection is conducted in manual pen testing. Manual Detection of Logical Flaws: Automated tests fail to identify logical flaws in applications. While not every logical flaw is a vulnerability, manual tests can identify broken structures within your applications. Improve Mean Time to Remediate (MTTR): The remediation process becomes more effective when a test is customized for your organization’s structure, compliance requirements, and external and internal environments. Organizations can realize their return on investment by significantly reducing their overall mean time to remediate as they eliminate vulnerabilities discovered in manual pen testing

Answer 356

3 / network if you take the N from network and put it in front of IKE you get NIKE

Answer 357

Weaknesses of Kerberos: kerberos ESOS Each Network Service Needs a Set of Kerberos Keys Single Point of Failure one password gives access to all accounts Strict Time Requirements

Answer 358

phase 1, an authenticated connection between the host and user is established using a preshared key or a digital certificate. The goal is to secure the communications that occur in phase 2. The Diffie-Hellman key exchange algorithm creates a secure authentication communication channel. This digital encryption method uses numbers raised to specific powers to produce decryption keys. The negotiation should result in session keys and one bidirectional SA. Phase 1 operates under one of two modes: main mode or aggressive mode. The main mode consists of both parties sending three two-way exchanges equaling six messages in total. The first two messages confirm encryption and authentication algorithms. The second set of two messages starts a Diffie-Hellman key exchange, where both parties provide a random number. The third set of messages verifies the identities of each party. Aggressive mode accomplishes the same task as the main mode but does so in just two exchanges of three messages. Whereas the main mode protects both parties’ identities by encrypting them, the aggressive mode does not. Phase 2 of IKE negotiates an SA to secure the data that travels through IPsec, using the secure channel created in phase 1. The result is a minimum of two SAs that are unidirectional. Both parties also exchange proposals to determine which security parameter to use in the SA. Phase 2 operates in only one mode: quick mode. Quick mode provides three resources: proxy IDs, perfect forward secrecy (PFS) and replay protection. The proxy IDs of each participant are shared with each other. PFS delivers keys independent from preceding keys. Replay protection is a security method to protect against replay attacks. The main and aggressive modes found in phase 1 only apply to IKE version 1 and not to IKE version 2.

Answer 359

Improvements in IKEv2 over IKEv1 are as follows: BDFL MMNORS requires less Bandwidth; provides more resistance to denial-of-service (DoS) attacks; enables message Fragmentation and allows IKEv2 to operate in areas where IP Fragments might be blocked and an SA may fail to establish; detects automatically if an IPsec tunnel is still Live so that IKE can automatically reestablish a connection if needed; demands fewer cryptographic Mechanisms to protect packets; supports Mobile platforms, including smartphones; comes equipped with the built-in Network Address Translation (NAT) traversal needed to support routers that perform translations; requires only One four-message initial exchange mechanism; enables Rekeying to build new keys for SA. supports the securing of Stream Control Transmission Protocol (SCTP) traffic;

Answer 360

A novel attack technique is found capable of launching a looped denial of service (DoS) attack between a pair of network applications, blocking legitimate access to their respective servers indefinitely. This is an application layer attack, targeted at systems running a vulnerable transport layer protocol — user datagram protocol (UDP) — that inherently lacks request verification because of its connection-less nature. “Application-layer loop DoS attacks rely on IP spoofing and can be triggered from a single spoofing-capable host,” CISPA, the German research firm that made the discovery, said in a blog. “The attacks pair two network services in such a way that they keep responding to one another’s messages indefinitely.” solution: PPAR Patching affected systems Protect or replace UDP applications deploy Anti-spoofing enforce network Rate-limiting

Answer 361

No single definition for microservices. Most often, they include: FCASS * Services in a microservice architecture (MSA) are often processes that communicate over a network to fulfill a goal using technology-Agnostic protocols such as HTTP. * services are organized around business Capabilities. * services can be implemented using different programming languages, databases, hardware, and software environments, depending on what Fits best. * services are Small in size, messaging-enabled, bounded by contexts, autonomously developed, independently deployable, decentralized, and built and released with automated processes. * A microservice is not a layer within a monolithic application. It is a Self-contained piece of business functionality with clear interfaces and may implement a layered architecture through its own internal component

Answer 362

DEEP ContainerS deployment speed, enhanced security, easy to manage, portability, cost-effective (10-100 times more application vs. normal virtualization) scalability,

Answer 363

aka: pass the key Like PtH but used when NTLM is disabled on a network. Even when NTLM is disabled, the systems generate an NTLM hash and store it in memory. The attacker requests a TGT with the user's hash to gain access to network resources

Answer 364

The attackers attempt to collect tickets held in the lsass.exe process. The attackers then inject the ticket impersonating the user.

Answer 365

The attacker uses the NTLM hash of a service account to make a ticket-granting service (TGS) ticket. Service accounts use TGS tickets instead of TGT tickets. The silver ticket gives the attacker all the privileges granted to that specific service account. solutions: PPE will earn you some silver implement kerb with Privilege attribute certificate (as in sesame) strong passwords for local user, admin and service accounts encryption (AES for kerberos)

Answer 366

Attackers can guess passwords and usernames by using the Python script kerbrute.py on Linux or Rubeus on Windows because Kerberos will report whether a username is valid or not.

Answer 367

Synchronous Data Link Control: A synchronous L2 WAN protocol that uses polling to transmit data; combined nodes can act as primary or secondary but using NRM transmission only.

Answer 368

High-Level Data Link Control: The successor to SDLC; adds error correction and flow control and two additional modes (ARM/ABM)

Answer 369

* NRM (Normal Response Mode): Secondary nodes transmit when they get permission from the primary. * ARM (Asynchronous Response Mode): Secondary nodes can initiate communication with the primary node. * ABM (Asynchronous Balanced Mode): When nodes act as primary or secondary, initiating transmissions without receiving permission; this is the most commonly used mode.

Answer 370

(Protocol for Carrying Authentication for Network Access allows a device to authenticate itself with a network to be granted access. EAP will be used for authentication protocol, key distribution, key agreement, and key derivation protocols

Answer 371

One login can allow you to access many systems and sites. Social media logins are common super sign-on; an attacker can access multiple other sites or systems if an account is compromised. The social media account is linked to all the other systems

Answer 372

(Secure European System for Applications in a Multi-vendor Environment): Called the successor to Kerberos, addresses some of the issues of Kerberos. It uses PKI encryption, which fixed the Kerberos the plaintext storage of symmetric keys issue. Uses a PAS (Privilege Attribute Server), which issues PACs (Privilege Attribute Certificates) instead of Kerberos' tickets. Not widely used.

Answer 373

aka Pairwise Testing All-Pairs Testing is defined as a black-box test design technique in which test cases are designed to execute all possible discrete combinations of each pair of input parameters; the most common bugs in a program are generally triggered by either a single input parameter or an interaction between pairs of parameters; it uses carefully chosen test vectors, this can be done much faster than an exhaustive search of all combinations of all parameters by parallelizing the tests of parameter pairs.

Answer 374

The configuration of 128 in Boston is a mess, and ICBM would fix it Guide for Security-Focused Config. Mgmt. of Information Systems (also change mgmt) The basic parts of a CM Plan include: * Configuration Control Board (CCB): Establishment of and charter for a group of qualified people with responsibility for the process of controlling and approving changes throughout the development and operational life cycle of products and systems may also be referred to as a change control board. * Configuration Item Identification: For selecting and naming configuration items that need to be placed under CM. * Configuration Change Control: Process for managing updates to the baseline configurations for the configuration items. * Configuration Monitoring: Process for assessing/testing the level of compliance with the established baseline configuration and mechanisms for reporting on the configuration status of items placed under CM.

Answer 375

E DRONES (1) Navigational databases: Hierarchical database model, Network model, Graph database. (2) Relational model (3) Entity–relationship model, Enhanced entity–relationship model (4) Object model. (5) Document model. (6) Entity–attribute–value model. (7) Star schema.

Answer 376

Used to clean up the data in a database table to make it logically concise, organized, and consistent. Removes redundant data and improves the integrity and availability of the database Normalization has three forms (rules): * First Normal Form: Divides the base data into tables. The primary key is assigned to most or all tables. * Second Normal Form: Move data partially dependent on the primary key to another table. * Third Normal Form: Remove data that is not dependent on the primary key. FORCeS (1) greater overall database Organization. (2) Reduction of Redundant data. (3) data Consistency within the database. (4) a much more Flexible database design. (5) a better handle on database Security.

Answer 377

Database query languages have at least two subsets of commands: * Data Definition Language (DDL): * A standard for commands that define the different structures in a database. * Creates, modifies, and removes database objects such as tables, indexes, and users. * Common DDL statements are CREATE, ALTER, and DROP. * Data Manipulation Language (DML): * Used for selecting, inserting, deleting, and updating data in a database. * Common DML statements are SELECT, DELETE, INSERT, UPDATE.

Answer 378

DB characteristics: SO UL DN C * Object databases store objects rather than data such as integers, strings, or real numbers. * Objects are used in object-oriented languages such as Smalltalk, C++, Java, ... * Objects in an object-oriented database reference developing a product and then defining and naming it. * The object can then be referenced, or called later, as a unit without going into its complexities Object characteristics: AMC * Attributes: Data that defines the characteristics of an object. This data may be simple such as integers, strings, real numbers, or a reference to a complex object. * Methods: Defines the behavior of an object and are what were formerly called procedures or functions. Objects contain both executable code and data. * Classes: Define the data and methods the object will contain; they are the template for the object. It does not contain data or methods but defines the data and methods contained in the object.

Answer 379

Corba, better have that ORB checked at the CDC. (Object Request Broker): Middleware that allows program calls to be made from one computer to another via a network, providing location transparency through remote procedure calls. ORBs promote interoperability of distributed object systems, enabling such systems to be built by piecing together objects from different vendors while different parts communicate with each other via the ORB. Common object brokers included: .NET remoting, COM, DCOM, and CORBA. Types: CDC * COM (Component Object Model): A language-neutral way of implementing objects that can be used in environments different from the one in which they were created, even across machine boundaries. It is used to enable inter-process communication object creation in a large range of programming languages. * DCOM (Distributed COM): The networked sequel to COM, which adds to support communication among objects on different computers—on a LAN, a WAN, or even the Internet. The application can be distributed at locations that make the most sense to your customer and to the application itself. DCOM includes Object Linking and Embedding (OLE) to link documents to other documents. * CORBA (Common Object Request Broker Architecture): Open vendor-neutral ORB standard defined by the Object Management Group (OMG) designed to facilitate the communication of systems that are deployed on diverse platforms; enables collaboration between systems on different operating systems, programming languages, and computing hardware; uses an object-oriented model although the systems that use the CORBA do not have to be object-oriented.

Answer 380

Genetic Programming: * A technique where computer programs are encoded as a set of genes that are then modified (evolved) using an evolutionary algorithm, often a GA (Genetic Algorithm). * The results are computer programs able to perform well in a predefined task. * The methods used to encode a computer program in an artificial chromosome and to evaluate its fitness with respect to the predefined task are central in the GP technique and still the subject of active research. * GP evolves computer programs, traditionally represented in memory as tree structures. Trees can be easily evaluated recursively. Every tree node has an operator function, and every terminal node has an operand, making mathematical expressions easy to evolve and evaluate. * Traditionally, GP favors programming languages that naturally embody tree structures, such as Lisp or other functional programming languages. * The process is in its simple form like this: * Generate an initial population of random computer programs. * Execute each program in the population and assign it a fitness value according to how well it solves the problem. * Create a new population of computer programs. * Copy the best existing programs. * Create new computer programs by mutation. * Create new computer programs by crossover. * Genetic Algorithms and Genetic Programming have been used to program a Pac-Man playing program, robotic soccer teams, networked intrusion detection systems, and many others

Answer 381

DD STIC M Defending systems against unauthorized access, modification and/or destruction Scanning and assessing network for vulnerabilities Monitoring network traffic for unusual activity Configuring and supporting security tools such as firewalls, anti-virus software and patch management systems Implementing network security policies, application security, access control and corporate data safeguards Training fellow employees in security awareness and procedures Developing and updating business continuity and disaster recovery protocols

Answer 382

capability lists (table) are used to grant access rights to objects, while access control lists specify the access rights for objects in a network

Answer 383

site is simply outsourcing its authentication needs to another pre-selected site

Answer 384

Due care: refers to the level of care that an individual would reasonably be expected to exercise in a particular situation Due diligence: the investigative process conducted to assess a business transaction Prudent Person Rule: a legal concept that typically applies to the management of another's affairs, especially in a fiduciary capacity

still need work cissp Flashcards

nail down less know cards