CISSP

Question 1

what is Verification?

Answer 1

The verification process is similar to the certification process in that it validates security controls. Verification may go a step further by involving a third-party testing service and compiling results that may be trusted by many different organizations.

The process of evaluating software to determine whether the products of a given development phase satisfy the conditions imposed at the start of that phase.

Verification is a static practice of verifying documents, design, code and program. It includes all the activities associated with producing high quality software: inspection, design analysis and specification analysis. It is a relatively objective process.

Verification will help to determine whether the software is of high quality, but it will not ensure that the system is useful. Verification is concerned with whether the system is well-engineered and error-free.

Methods of Verification : Static Testing

Walkthrough
Inspection
Review

Verification is the process of checking that the software meets the specification.

“Did I build what I need?”

Question 2

What is Validation?

Answer 2

The process of evaluating software during or at the end of the development process to determine whether it satisfies specified requirements.

Validation is the process of evaluating the final product to check whether the software meets the customer expectations and requirements. It is a dynamic mechanism of validating and testing the actual product.

Methods of Validation : Dynamic Testing

Testing
End Users

Validation is the process of checking whether the specification captures the customer’s needs.

Question 3

Accreditation

Answer 3

is the act of management formally accepting an evaluating system, not evaluating the system itself.

management evaluates the capacity of a system to meet the needs of the organization. If management determines that the needs of the system satisfy the needs of the organization, they will formally accept the evaluated system, usually for a defined period of time or set of conditions. If the configuration is changed or the accreditation expires, the new configuration must be certified. Recertification must normally be performed either when the time period elapses or when significant configuration changes are made.

Question 4

Assurance

Answer 4

Assurance is the degree of confidence that an organization has that its security controls are correctly implemented. It must be continually monitored and reverified.

Question 5

Certification

Answer 5

Certification - product or system is tested to see whether it meets the documented requirements (including any security requirements). It considers the system in context, including the other systems around it, the network it is running on, and its intended use.

process of evaluating the security architecture of the software or system against a predetermined set of security standards or policies. Certification also examines how well the system performs its intended functional requirements.

The term certification indicates. A technical review of security mechanism of the product. Or (a technical evaluation of a product)

Question 6

Transposition

Answer 6

Transposition ciphers use an encryption algorithm to rearrange the letters of a plaintext message, forming the ciphertext message. The decryption algorithm simply reverses the encryption transformation to retrieve the original message.

a simple transposition cipher was used to reverse the letters of the message so that apple became
elppa.

Rearranges the position of the characters of the plaintext.

Transposition ciphers provide diffusion (obscures the relationship between message units)

Transposition ciphers use an encryption algorithm to rearrange the letters of the plain text message to form a cipher text message.

Question 7

Substitution

Answer 7

Substitution ciphers use the encryption algorithm to replace each character or bit of the
plaintext message with a different character.

Replaces the plaintext characters with other characters, numbers and symbols.

Substitution ciphers provide confusion (obscures the identity of the message unit)

Question 8

Multitasking

Answer 8

In computing, multitasking means handling two or more tasks simultaneously.

handles multiple processes on a single processor by switching between them using the operating system.

Question 9

Multiprocessing

Answer 9

uses multiple processors to perform multiple processes simultaneously.

Question 10

Multithreading

Answer 10

runs multiple threads within a single process

Multithreading permits multiple concurrent tasks to be performed within a single process

Question 11

Due Dilligence

Answer 11

The due diligence principle is a more specific component of due care that states an individual assigned a responsibility should exercise due care to complete it accurately and in a timely manner.

Investigate, learn, research

What I need to ensure the issue never happens again

Question 12

Due Care

Answer 12

The due care principle states that an individual should react in a situation using the same level of care that would be expected from any reasonable person. It is a very broad standard.

Do it, Make it happen

What I need to do right now to fix an issue

***Auditing is an aspect of due care.

Question 13

Confinement

Answer 13

confinement allows a process to read from and write to only certain memory locations and resources.

Also called sandboxing

Question 14

Bounds

Answer 14

The bounds of a process consist of limits set on the memory addresses and resources it can access.

The bounds state the area within which a process is
confined or contained.

In most systems, these bounds segment logical areas of memory for each process to use.

Question 15

Isolation

Answer 15

Process isolation ensures that any behavior will affect only the memory and resources associated with the isolated process.

Isolation is used to protect the operating environment, the kernel of the operating system (OS), and other independent applications.

Question 16

Security Models

Answer 16

SCAN => Signed NDA, Clearance, Approval, Need to Know

Did Sally Call Me => Dedicated, System High, Compartmented, Multilevel.

Question 17

IPSec

Answer 17

IPSec:
Works on Layer 3. Standard Architecture for VPN. (P A I N)
Setting up secure channel between 2 parties.

Modes:

a. Tunneling: Whole Packet is encapsulated (Security)
b. Transport: Only Payload is encapsulated (Performance)

Authentication Header (AH): A I N. Prevents against replay attack
Encapsulated Security Payload (ESP): P A I 

Security Association: Unique Identifier of a secure connection.
Destination address + secure parameter index
It has simplex connection —> 2-way channel needs 2 security association.

Question 18

Incident Response

Answer 18

DRMR3L

1. Detection - Awaiting for things to happen (Get an alert or user report)
   IDS, IPS, AV, Continuous Monitoring
2. Response - You have to verify it actually is an incident.
   The use of (CSIRT) or (CIRT) is a formalized response.
   A formal incident response plan documents who wold activate the team
3. Mitigation - Once you verify you want to contain it. Mitigate the threat from spreading across the network or systems.
   (Mitigation - time to stop the spread)
4. Reporting - Once it’s contained you can let upper management know or whoever is above you.
5. Recovery - Recover all that was lost during the incident or threat
   - Restore system to normal/full operational status.
6. Remediation - Fixing the source of the threat (modify the firewall or something like that)
   - examination of the incident to identify what allowed it to happen, and figure what needs to be changed so it does not happen again.
   - Root cause analysis
7. Lessons Learned - Documenting the incident and how to go forward
   examination of the incident to gather important info from a broad range of people.
   what happened? what did we learn? how can we do it better next time?

Question 19

Cipher Modes

Answer 19

ECB => worst and weak (Do not use)
CBC => is very common
CFB => is stronger and faster than CBC.
CTR => Is fastest of them all and stronger than CBC.

Question 20

CC Evaluation Assurance

Answer 20

EAL1 => Functionally tested
EAL2 => Structurally tested
EAL3 => Methodically tested and Checked
EAL4 => Methodically designed, tested and reviewed
EAL5 => semi formally designed and tested
EAL6 => semi formally designed, verified, designed and tested.
EAL7 => Formally verified, designed

EAL 3 vs. EAL4…. 3 has 2 words (skip and) and 4 has 4 (skip and). Then between 5 and 6.. it is almost the same.. 6 has more words than 5

Question 21

Penetration testing phases

Answer 21

PIVER

1. Planning (Scope of the test, Management approval, rule of engagement)
2. Information Gathering or discovery (Network discovery scan, enumeration, perform reconnaissance)
3. Vulnerability Scanning (Network/Web vulnerability scan, probs systems for weaknesses)
4. Exploitation ( automated tool or manual)
5. Reporting (summarize the results and make recommendation for improvements)

Question 22

Mutation fuzzing VS Generational fuzzing

Answer 22

Generational fuzzing relies on models for application input and conducts fuzzing attacks based on that information.

Mutation based fuzzers are sometimes called “dumb” fuzzers because they simply mutate or modify existing data samples to create new test samples

Question 23

Change Management

Answer 23

1. Request Change: Request is made by the team who would like to make changes in the
   system
2. Review the change: Requirement is reviewed by the designated person.
3. Approve/Reject: Based on the review, the change will be approved/rejected
4. Test: Once the change is approved, it should be tested in non-prod environment
5. Schedule for implementation: Mainly on off hours (weekends)
6. Document: All the findings should be documented. Versioning of document is also import
   ant

--------------------------
1-Request and Impact Assessment
2-Approved Build and Test
3-Notification Process
4-Implementation
5-Validation process
6-Structure Documentation

Question 24

Patch Management

Answer 24

1. Evaluate –> Release Patches
2. Test–> Test on isolated systems
3. Approve–> Use of change management to approve
4. Deploy–> Deployment of patches on affected systems.
5. Verify–> Verify if patches are deployed.

Question 25

Change Management

Answer 25

1. Request Change: Request is made by the team who would like to make changes in the system 2. Review the change: Requirement is reviewed by the designated person. 3. Approve/Reject: Based on the review, the change will be approved/rejected 4. Test: Once the change is approved, it should be tested in non-prod environment 5. Schedule for implementation: Mainly on off hours (weekends) 6. Document: All the findings should be documented. Versioning of document is also import ant

Question 26

Patch Management

Answer 26

1. Evaluate --> Release Patches 2. Test--> Test on isolated systems 3. Approve--> Use of change management to approve 4. Deploy--> Deployment of patches on affected systems. 5. Verify--> Verify if patches are deployed.

Question 27

eDiscovery

Answer 27

1. Information Governance ---> Information is well organized 2. Identification ---> locating information 3. Preservation---> preserving the evidence is must to avoid any deviation 4. Collection---> collection of evidence should be done by the trained professional 5. Processing ---> should get rid of irrelevant information 6. Review ---> examines the remaining information 7. Analysis ---> perform deeper inspection 8. Production---> produce a format which can be shared 9. Presentation ---> presented to court

Question 28

Programming Languages

Answer 28

1st Gen : All Machine Language 2nd Gen : All Assembly Language 3rd Gen : All Compiled Language (C, Java, FORTRAN) 4th Gen : Natural Language like SQL (Python, R, JavaScript, VB Script) 5th Gen : Allows programmer to create own visual interface

Question 29

OBJECT ORIENTED PROGRAMMING :

Answer 29

Object: Accounts, Account holder, employee Method: Actions on Object (Add Fund) Sub Class: Saving account, Current account Behavior: Result exhibited by an Object Class: Collection of common methods from a set of Object Polymorphism: Object that responds with different behavior to same message Cohesion: Strength of relationship between methods of same class (HIGH) Coupling: Interaction between Objects (LOW)

Question 30

DSLC -CBK

Answer 30

IRAD2 TRD 1- Initiation Our Idea, what do we want to do? Planning/Goal is to define and understand at a High Level **Think Scope 2-Requirement What requirement are there for the system? Requirement gathering and analysis, Meeting with managers, stake holders and users. Goal is to ask lots of questions and get specific answers **Think what it does and how it does it. 3-Architecture High level view of system, including the security requirements. Goal is Integration with what we already have & how we will make it work with this. **Think What are the RISKS 4-Design System and software design in prepared from the requirement specifications which were crafted in the second phase. Goal is to transform detailed requirements into a complete, detailed design document focused on how we are going to deliver required functionality. **Think Secure by design 5-Development Where the system is built (implementation / Coding) The longest phase of the SDLC Only static code review in this phase. Goal is to build what the customer/Stakeholders actually wants, not what we think they want. ** Think Requirements = wants/Needs = Build that 6-Testing After the code is developed it is tested against the requirements to make sure that the product is actually solving the needs addressed and gathered during the requirement phase. (all testing carried during this phase) This is where Certification & Accreditation and Verification & Validation are done. Goal is to verify/Prove that we did build what the customer/stakeholder actually wanted. ** Think Requirements = wants/Needs = Build that = Verify we did that 7-Release Publish/Release the system for use. Goal is to hand off to customer **Think we did it & now it is theirs 8-Disposal Once the system has served its purpose, securely dispose of it and any related assets Goal is to securely kill the system. **Think gone & not coming back the haunt us.

Question 31

CMM

Answer 31

IRDMO 1-Initial Disorganized, no process, no defined SDLC 2-Repeatable Basic life cycle management process is introduced, repeatable results. S/W project planning, tracking, quality assurance. 3-Defined S/W developers operate with formal procedure, more organized. 4-Managed Quantitative measures are utilized to gain detailed understanding of the development process. Detailed understanding of development, Quantitative process & Quality Management. 5-Optimized Continuous of improvement occurs, sophisticated software development process in place. Sophisticated S/W development process is there, feedback oriented. Change Management.

Question 32

Relational Database

Answer 32

RTC - Row - Tuple, Cardinality CAD Column - Attribute, Degree

Question 33

Database ACID

Answer 33

ACID Atomic - All or nothing. Either every transaction is completed or nothing. if any part of the transaction fails, the entire transaction must be rolled back as if it never occurred. Consistency - Transaction should be consistent to database rules. Isolation - Should not affect other transactions. Durability: Once its committed, it should be preserved.

Question 34

Change control

Answer 34

The change control process is responsible for providing an organized framework within which multiple developers can create and test a solution prior to rolling it out in a production environment. Request control provides a framework for user requests. Release control manages the deployment of code into production. Configuration control ensures that changes to software versions are made in accordance with the change and configuration management policies.

Question 35

Aggregation vs Inference

Answer 35

Aggregation is a security issue that arises when a collection of facts has a higher classification than the classification of any of those facts standing alone. An inference problem occurs when an attacker can pull together pieces of less sensitive information and use them to derive information of greater sensitivity.

Question 36

Kerberose

Answer 36

The TGS, or Ticket-Granting Service (which is usually on the same server as the KDC), receives a TGT from the client. It validates the TGT and the user’s rights to access the service they are requesting to use. The TGS then issues a ticket and session keys to the client. The AS serves as the authentication server, which forwards the username to the KDC. It’s worth noting that the client doesn’t communicate with the KDC directly. Instead, it will communicate with the TGT and the AS, which means KDC isn’t an appropriate answer here.

Question 37

Scoping, Tailoring, and Baselining

Answer 37

Scoping is the process of reviewing and selecting security controls based on the system that they will be applied to. Tailoring is the process of matching a list of security controls to the mission of an organization. Baselines are used as a base set of security controls, often from a third-party organization that creates them.

Question 38

Forensic Investigation

Answer 38

1-Identifying, Labelling, recording 2-Assessing and extracting relevant data 3-Analyzing the results 4-Reporting the result of Analysis