Stuff from Exams I don't know #3 Flashcards
degree vs cardinality
Degree = number of columns/attributes
Cardinality = number of rows/tuples
DRM
Digital Rights Management
Uses persistent online authentication, automatic expiration, and continuous audit trails.
soc type 1 vs type 2
Type 1 reports provide the auditor's opinion on the description of controls provided by management and the suitability of those controls.
Type 2 reports go further and also provide the auditor's opinion on the operating effectiveness of those controls over time.
DB Foreign Key
Used to create relationships between tables in a DB. Referential integrity is enforced by ensuring the foreign key used on one table matches the primary key in the referenced table.
Fagan Inspection
Type of team code review: A Fagan inspection is a process of trying to find defects in documents (such as source code or formal specifications) during various phases of the software development process.
Reactive Threat Modeling
When you interact with an already existing system for threat modeling (whether or not an attack has taken place).
e.g. pen testing, ethical hacking, source code review, fuzz testing
Proactive Approach/Proactive Threat Modeling
Takes place early in system development to put controls in place for modeled threats.
Pass Around Review
Type of software review conducted by passing software off to other teammates via email or another method (e.g. GitHub).
Allows devs to review code asynchronously.
What Linux file can be modified to limit the scope of "sudo" commands?
The sudoers file.
This can list which users can use sudo as well as the commands and directories allowed.
Primary purpose of periodically reviewing security training documentation:
Check for relevancy
Best SDLC option when stable requirements and clear objectives are combined with need to prevent flaws, and have high control over dev process.
Waterfall
EAL Levels
Functionally, Structurally, Methodically, Semiformally, Formally
Session Guessing
Type of attack, prevented by properly configured session ID entropy and session ID length.
Session ID Entropy
Refers to the randomness of a session id. Minimum of 64 bits is recommended
Is a CDN or DDOS Mitigation service better at handling DDOS attacks?
CDN. CDNs can typically handle large scale DDOS attacks better
Session ID Length
Straightforward: the length of the session ID used. Longer is better; the recommended minimum is 128 bits.
Decomposing the application, determining and ranking threats, and determining countermeasures and mitigation.
These are commonly conducted during what process?
Threat Modeling
Service Pack
Used to describe a collection of unrelated patches
Update, Hotfix, Security fix all have what in common?
Generally are only a single patch for a single problem
Golden Ticket attack
Use the hash of the KRBTGT user to impersonate anyone
Kerberoasting rely on what?
Collected TGS (ticket granting server) tickets.
Assurance
The degree of confidence an organization has that its security controls are implemented properly.
Is TLS an effective control to prevent Cookie Stealing?
YES
Best practices for Session IDs
Session ID should have at least 64 bits of entropy, session ID length should be at least 128 bits, and the session ID should be meaningless.
Security assessments are for what audience?
Management
Wapiti
Web App Scanning tool
RFC 1087 Ethics and the Internet
Activities defined as objectionable and unethical are any that:
Purposely seeks to gain unauthorized access to the resources of the Internet
Destroys the integrity of computer-based information
Disrupts the intended use of the Internet
Wastes resources such as people, capacity, and computers through such actions
Compromises the privacy of users
Involves negligence in the conduct of Internet-wide experiments
Is the CEO usually involved with the BCP planning team?
No
Can someone in the IT department run an internal audit?
No. Usually this will be another internal compliance department
Does an SLA usually reference details around confidentiality?
No. This would be in an NDA
Are watermarks limited to use in images?
No. For example, an organization could apply watermarks to intellectual property or trade secrets.
What is a multistate system in a MAC environment?
A system authorized to handle information at multiple classification levels
Mail-bombing
Type of DoS (denial of service) attack.
A mail-bombing attack dispatches large quantities of email messages to a user's inbox.
What will show up in the password field of the /etc/passwd file when shadowed passwords are used?
x
ISO 27002
Supporting standard on how information security controls can be implemented.
ATO authorization to operate
Through the Certification and Accreditation process, an IT system can be declared safe and authorized to operate within an organization's environment. This formal declaration is known as Authorization to Operate (ATO), and it is usually signed after a Certification Agent confirms that the product has met all the requirements.
IPT
Integrated product teams
Iterative waterfall
The more modern version of the Waterfall.
iterative waterfall allows development to return to the previous phase to correct defects discovered during the subsequent phase.
- This is known as the Feedback Loop characteristic of the waterfall.
What element of the certificate goes on the CRL
Serial number
UEBA
User and Entity Behavior Analysis:
Analyzes the behavior of users, subjects, visitors, customers, and so on.
Builds a profile on each entity, then can be used to detect deviations from the norm.
Can be used to improve personnel security policies, procedures, training, and security oversight programs.
Certification versus Accreditation versus Verification versus Assurance
Certification: Formal evaluation ensuring a system complies with security standards, providing assurance through testing and documentation review (e.g., ISO 27001).
Accreditation: Official approval granted after certification, authorizing a system for use within a specific environment, considering risk management and organizational policies (e.g., FedRAMP).
Verification: Process of confirming correct implementation and effectiveness of security controls within a system, validating compliance with security requirements (e.g., verifying encryption protocols).
Assurance: Confidence or trust in a system’s security controls to protect information and meet security objectives, often achieved through testing, analysis, and validation processes (e.g., Common Criteria assurance levels).
Edge vs Fog Computing
Edge Computing - intelligence and processing is contained within each device.
Fog Computing - there may be intelligence and processing contained in each device, but devices send data back to a central processing location.
What layer is IPSec at?
Layer 3
JIT just in time provisioning
Just-In-Time (JIT) provisioning refers to a method of creating user accounts or provisioning access rights dynamically and on-demand, typically triggered by the user’s first attempt to access a system or service. In the context of identity and access management, JIT provisioning ensures that user accounts are created or modified at the moment of need, reducing the need for manual administrative intervention and streamlining the user onboarding process.
Who designed COBIT
ISACA
Why is directory indexing a risk?
Directory indexing poses a security risk because it can expose sensitive information and files on a web server when proper access controls are not enforced. Enabling directory indexing without adequate safeguards may inadvertently disclose directory contents to potential attackers, leading to unauthorized access and potential security breaches.
Which IPsec mode adds a new header?
Tunnel
FedRAMP
Government-wide program that provides a standardized approach to security assessment, authorization, and monitoring of cloud services.
Advantage of OCSP over CRL
CRLs can be large and require a lot of bandwidth when downloaded.
GDPR - how many days to disclose a data breach?
3 days
Role of Industry Standards in Compliance
Provide guidance on best practices for compliance.
GDPR definition of personal data?
Any data that can be used to identify an individual.
Middleware
Middleware is software that acts as an intermediary layer, facilitating communication and interaction between different applications, systems, or components. It plays a crucial role in enabling interoperability and seamless data exchange in distributed computing environments by providing a set of services that abstract complexities associated with communication and integration.