CISSP Flashcards

1
Q

what is Verification?

A

The verification process is similar to the certification process in that it validates security controls. Verification may go a step further by involving a third-party testing service and compiling results that may be trusted by many different organizations.

The process of evaluating software to determine whether the products of a given development phase satisfy the conditions imposed at the start of that phase.

Verification is a static practice of verifying documents, design, code and program. It includes all the activities associated with producing high quality software: inspection, design analysis and specification analysis. It is a relatively objective process.

Verification will help to determine whether the software is of high quality, but it will not ensure that the system is useful. Verification is concerned with whether the system is well-engineered and error-free.

Methods of Verification: Static Testing

Walkthrough
Inspection
Review

Verification is the process of checking that the software meets the specification.

“Did I build what I need?”

2
Q

What is Validation?

A

The process of evaluating software during or at the end of the development process to determine whether it satisfies specified requirements.

Validation is the process of evaluating the final product to check whether the software meets the customer expectations and requirements. It is a dynamic mechanism of validating and testing the actual product.

Methods of Validation: Dynamic Testing

Testing
End Users

Validation is the process of checking whether the specification captures the customer’s needs.

3
Q

Accreditation

A

Accreditation is the act of management formally accepting an evaluated system, not evaluating the system itself.

Management evaluates the capacity of a system to meet the needs of the organization. If management determines that the system satisfies the needs of the organization, they formally accept the evaluated system, usually for a defined period of time or set of conditions. If the configuration is changed or the accreditation expires, the new configuration must be certified. Recertification must normally be performed either when the time period elapses or when significant configuration changes are made.

4
Q

Assurance

A

Assurance is the degree of confidence that an organization has that its security controls are correctly implemented. It must be continually monitored and reverified.

5
Q

Certification

A

Certification - product or system is tested to see whether it meets the documented requirements (including any security requirements). It considers the system in context, including the other systems around it, the network it is running on, and its intended use.

Certification is the process of evaluating the security architecture of the software or system against a predetermined set of security standards or policies. Certification also examines how well the system performs its intended functional requirements.

The term certification indicates a technical review of the security mechanisms of a product, or, more generally, a technical evaluation of a product.

6
Q

Transposition

A

Transposition ciphers use an encryption algorithm to rearrange the letters of a plaintext message, forming the ciphertext message. The decryption algorithm simply reverses the encryption transformation to retrieve the original message.

For example, a simple transposition cipher reverses the letters of a message, so that apple becomes elppa.

Rearranges the position of the characters of the plaintext.

Transposition ciphers provide diffusion (obscures the relationship between message units)

Transposition ciphers use an encryption algorithm to rearrange the letters of the plaintext message to form a ciphertext message.

7
Q

Substitution

A

Substitution ciphers use the encryption algorithm to replace each character or bit of the plaintext message with a different character.

Replaces the plaintext characters with other characters, numbers and symbols.

Substitution ciphers provide confusion (obscures the identity of the message unit)

8
Q

Multitasking

A

In computing, multitasking means handling two or more tasks simultaneously.

Multitasking handles multiple processes on a single processor by having the operating system switch between them.

9
Q

Multiprocessing

A

Multiprocessing uses multiple processors to perform multiple processes simultaneously.

10
Q

Multithreading

A

Multithreading runs multiple threads within a single process.

Multithreading permits multiple concurrent tasks to be performed within a single process.

11
Q

Due Diligence

A

The due diligence principle is a more specific component of due care that states an individual assigned a responsibility should exercise due care to complete it accurately and in a timely manner.

Investigate, learn, research

What I need to ensure the issue never happens again

12
Q

Due Care

A

The due care principle states that an individual should react in a situation using the same level of care that would be expected from any reasonable person. It is a very broad standard.

Do it, Make it happen

What I need to do right now to fix an issue

***Auditing is an aspect of due care.

13
Q

Confinement

A

Confinement allows a process to read from and write to only certain memory locations and resources.

Also called sandboxing

14
Q

Bounds

A

The bounds of a process consist of limits set on the memory addresses and resources it can access.

The bounds state the area within which a process is confined or contained.

In most systems, these bounds segment logical areas of memory for each process to use.

15
Q

Isolation

A

Process isolation ensures that any behavior will affect only the memory and resources associated with the isolated process.

Isolation is used to protect the operating environment, the kernel of the operating system (OS), and other independent applications.

16
Q

Security Models

A

SCAN => Signed NDA, Clearance, Approval, Need to Know

Did Sally Call Me => Dedicated, System High, Compartmented, Multilevel.

17
Q

IPSec

A

IPSec:
Works at Layer 3. Standard architecture for VPNs. (P A I N)
Sets up a secure channel between 2 parties.

Modes:

a. Tunnel: The whole packet is encapsulated (security)
b. Transport: Only the payload is encapsulated (performance)
Authentication Header (AH): A I N. Protects against replay attacks
Encapsulating Security Payload (ESP): P A I

Security Association: Unique identifier of a secure connection.
Destination address + security parameter index
An SA is simplex (one direction) —> a 2-way channel needs 2 security associations.

18
Q

Incident Response

A

DRMR3L

  1. Detection - Waiting for things to happen (get an alert or user report)
    IDS, IPS, AV, continuous monitoring
  2. Response - You have to verify it actually is an incident.
    The use of a CSIRT or CIRT is a formalized response.
    A formal incident response plan documents who would activate the team.
  3. Mitigation - Once you verify, you want to contain it. Mitigate the threat from spreading across the network or systems.
    (Mitigation - time to stop the spread)
  4. Reporting - Once it's contained you can let upper management know, or whoever is above you.
  5. Recovery - Recover all that was lost during the incident or threat.
    - Restore systems to normal/full operational status.
  6. Remediation - Fixing the source of the threat (modify the firewall or something like that)
    - Examination of the incident to identify what allowed it to happen, and figure out what needs to be changed so it does not happen again.
    - Root cause analysis
  7. Lessons Learned - Documenting the incident and how to go forward
    Examination of the incident to gather important info from a broad range of people.
    What happened? What did we learn? How can we do it better next time?
19
Q

Cipher Modes

A

ECB => worst and weak (Do not use)
CBC => is very common
CFB => is stronger and faster than CBC.
CTR => Is fastest of them all and stronger than CBC.

20
Q

CC Evaluation Assurance

A

EAL1 => Functionally tested
EAL2 => Structurally tested
EAL3 => Methodically tested and Checked
EAL4 => Methodically designed, tested and reviewed
EAL5 => semi formally designed and tested
EAL6 => semi formally designed, verified, designed and tested.
EAL7 => Formally verified, designed

EAL3 vs. EAL4: 3 has 2 words (skip "and") and 4 has 4 (skip "and"). Between 5 and 6 it is almost the same; 6 has more words than 5.

21
Q

Penetration testing phases

A

PIVER

  1. Planning (scope of the test, management approval, rules of engagement)
  2. Information Gathering or Discovery (network discovery scan, enumeration, perform reconnaissance)
  3. Vulnerability Scanning (network/web vulnerability scan, probe systems for weaknesses)
  4. Exploitation (automated tool or manual)
  5. Reporting (summarize the results and make recommendations for improvements)
22
Q

Mutation fuzzing VS Generational fuzzing

A

Generational fuzzing relies on models of the application's input and conducts fuzzing attacks based on that information.

Mutation-based fuzzers are sometimes called "dumb" fuzzers because they simply mutate or modify existing data samples to create new test samples.

23
Q

Change Management

A
  1. Request Change: Request is made by the team who would like to make changes in the system
  2. Review the change: Requirement is reviewed by the designated person.
  3. Approve/Reject: Based on the review, the change will be approved/rejected
  4. Test: Once the change is approved, it should be tested in a non-prod environment
  5. Schedule for implementation: Mainly in off hours (weekends)
  6. Document: All the findings should be documented. Versioning of the document is also important
--------------------------
1-Request and Impact Assessment
2-Approved Build and Test
3-Notification Process
4-Implementation
5-Validation process
6-Structure Documentation
24
Q

Patch Management

A
  1. Evaluate –> Release Patches
  2. Test–> Test on isolated systems
  3. Approve–> Use of change management to approve
  4. Deploy–> Deployment of patches on affected systems.
  5. Verify–> Verify if patches are deployed.
27
Q

eDiscovery

A
  1. Information Governance —> information is well organized
  2. Identification —> locating information
  3. Preservation —> preserving the evidence is a must to avoid any deviation
  4. Collection —> collection of evidence should be done by trained professionals
  5. Processing —> get rid of irrelevant information
  6. Review —> examine the remaining information
  7. Analysis —> perform deeper inspection
  8. Production —> produce a format which can be shared
  9. Presentation —> presented to court
28
Q

Programming Languages

A

1st Gen : All Machine Language
2nd Gen : All Assembly Language
3rd Gen : All Compiled Language (C, Java, FORTRAN)
4th Gen : Natural Language like SQL (Python, R, JavaScript, VB Script)
5th Gen : Allows programmer to create own visual interface

29
Q

Object Oriented Programming

A

Object: Accounts, Account holder, employee
Method: Actions on Object (Add Fund)
Sub Class: Saving account, Current account
Behavior: Result exhibited by an Object
Class: Collection of common methods from a set of Object
Polymorphism: Object that responds with different behavior to same message
Cohesion: Strength of relationship between methods of same class (HIGH)
Coupling: Interaction between Objects (LOW)

30
Q

SDLC - CBK

A

IRAD2 TRD

1- Initiation
Our Idea, what do we want to do?
Planning/Goal is to define and understand at a High Level
**Think Scope

2-Requirement
What requirement are there for the system? Requirement gathering and analysis, Meeting with managers, stake holders and users.
Goal is to ask lots of questions and get specific answers
**Think what it does and how it does it.

3-Architecture
High level view of system, including the security requirements.
Goal is Integration with what we already have & how we will make it work with this.
**Think What are the RISKS

4-Design
System and software design is prepared from the requirement specifications which were crafted in the second phase.
Goal is to transform detailed requirements into a complete, detailed design document focused on how we are going to deliver required functionality.
**Think Secure by design

5-Development
Where the system is built (implementation / coding). The longest phase of the SDLC.
Only static code review in this phase.
Goal is to build what the customer/Stakeholders actually wants, not what we think they want.
** Think Requirements = wants/Needs = Build that

6-Testing
After the code is developed it is tested against the requirements to make sure that the product is actually solving the needs addressed and gathered during the requirement phase. (All testing is carried out during this phase.)
This is where Certification & Accreditation and Verification & Validation are done.
Goal is to verify/Prove that we did build what the customer/stakeholder actually wanted.
** Think Requirements = wants/Needs = Build that = Verify we did that

7-Release
Publish/Release the system for use.
Goal is to hand off to customer
**Think we did it & now it is theirs

8-Disposal
Once the system has served its purpose, securely dispose of it and any related assets
Goal is to securely kill the system.
**Think gone & not coming back to haunt us.

31
Q

CMM

A

IRDMO

1-Initial
Disorganized, no process, no defined SDLC

2-Repeatable
Basic life cycle management process is introduced, repeatable results. S/W project planning, tracking, quality assurance.

3-Defined

S/W developers operate with formal procedure, more organized.

4-Managed
Quantitative measures are utilized to gain detailed understanding of the development process.
Detailed understanding of development, Quantitative process & Quality Management.

5-Optimized
Continuous improvement occurs; a sophisticated software development process is in place.
Sophisticated S/W development process is there, feedback oriented. Change Management.

32
Q

Relational Database

A

RTC -
Row - Tuple, Cardinality

CAD
Column - Attribute, Degree

33
Q

Database ACID

A

ACID
Atomic - All or nothing: either every part of the transaction is completed or nothing is.
If any part of the transaction fails, the entire transaction must be rolled back as if it never occurred.

Consistency - Transactions must leave the database consistent with its rules.

Isolation - A transaction should not affect other transactions.
Durability - Once a transaction is committed, it must be preserved.

34
Q

Change control

A

The change control process is responsible for providing an organized framework within which multiple developers can create and test a solution prior to rolling it out in a production environment.

Request control provides a framework for user requests.

Release control manages the deployment of code into production.

Configuration control ensures that changes to software versions are made in accordance with the change and configuration management policies.

35
Q

Aggregation vs Inference

A

Aggregation is a security issue that arises when a collection of facts has a higher classification than the classification of any of those facts standing alone.

An inference problem occurs when an attacker can pull together pieces of less sensitive information and use them to derive information of greater sensitivity.

36
Q

Kerberos

A

The TGS, or Ticket-Granting Service (which is usually on the same server as the KDC), receives a TGT from the client. It validates the TGT and the user's rights to access the service they are requesting to use. The TGS then issues a ticket and session keys to the client. The AS serves as the authentication server, which forwards the username to the KDC. It's worth noting that the client doesn't communicate with the KDC directly. Instead, it communicates with the TGS and the AS, which means KDC isn't an appropriate answer here.

37
Q

Scoping, Tailoring, and Baselining

A

Scoping is the process of reviewing and selecting security controls based on the system that they will be applied to.

Tailoring is the process of matching a list of security controls to the mission of an organization.

Baselines are used as a base set of security controls, often from a third-party organization that creates them.

38
Q

Forensic Investigation

A

1-Identifying, Labelling, recording
2-Assessing and extracting relevant data
3-Analyzing the results
4-Reporting the result of Analysis