CISSP Domain 3: Assess and Mitigate Vulnerabilities of Sec Arch, designs and Solution Elements Flashcards
1
Q
What are the security challenges of IoT devices?
A
- Device Proliferation
- sheer number of IoT devices, ranging from consumer gadgets to industrial sensors, creates a challenge in ensuring consistent security across the ecosystem
- Weak or Default Configurations
- Limited Computing Resources
- Lack of Standardized Security Protocols
- Data Privacy and Protection
- Inadequate Update and Patching Mechanisms
- Complex Ecosystems
- Supply Chain Risks
- Physical Security
2
Q
What are common threats and attacks against IoT devices?
A
- Botnet Attacks
- Malware Infections
- Unauthorized Access
- Data Breaches
- Device Tampering
- Supply Chain Attacks
- Denial-of-Service (DoS) Attacks
- Man-in-the-Middle (MitM) Attacks
- Physical Attacks
- Firmware and Software Exploits
3
Q
What’s Service Oriented Architecture?
A
- architectural approach that involves designing software systems by decomposing them into smaller, self-contained units called services
- services encapsulate specific functionalities or business processes
4
Q
What does it mean if a user accesses an application in a black-box fashion?
A
- users interact with the services without needing to know the inner workings or complexities of the service implementation
- users are only concerned with the inputs, outputs, and functionality provided by the service, treating it as a self-contained unit without needing to understand its internal details
5
Q
What superseded SOA?
A
Microservices
6
Q
What’s Microservices?
A
architectural style that structures an application as a collection of small, independent, and loosely coupled services
7
Q
What is the role of each microservice?
A
each service focuses on a specific business functionality, such as user authentication, inventory management, or payment processing
8
Q
What’s the benefit of microservices in terms of Scalability and Performance?
A
- microservices architecture allows for horizontal scaling, where individual services can be scaled independently based on demand
- improves performance and resource utilization, as only the necessary services are scaled, rather than the entire application
9
Q
What are the benefits of microservices in terms of Technology Diversity?
A
- microservices allow for the use of different technologies and frameworks for each service based on its specific requirements
- the flexibility enables the use of the most suitable technology stack for each service, promoting innovation and adaptation to evolving technology trends
10
Q
What are the security considerations of microservices?
A
- Authentication and Authorization
- proper authentication and authorization mechanisms should be implemented for each microservice to ensure secure access and protect sensitive data
- Secure Communication
- microservices should communicate over secure channels, such as HTTPS, and enforce encryption for sensitive data transmission
- Input Validation and Sanitization
- each microservice should validate and sanitize incoming data to prevent common security vulnerabilities, such as injection attacks or cross-site scripting (XSS)
- Secure Configuration and Secrets Management
- microservices should be securely configured, including proper handling of sensitive configuration parameters and secrets, such as API keys or database credentials
- Logging and Monitoring
11
Q
How do microservices communicate with each other?
A
through well-defined APIs, typically using lightweight protocols such as REST or messaging queues
12
Q
What’s the advantage of microservices in terms of Fault Isolation and Resilience?
A
microservices architecture enhances fault isolation, as failures or issues within one microservice do not necessarily impact the entire system
13
Q
What’s containerization?
A
technique in software development and deployment that involves encapsulating applications and their dependencies into self-contained units called containers
14
Q
What’s a Container?
A
- lightweight and portable unit that packages an application and all its dependencies, including libraries, frameworks, and runtime environments
- provides a consistent and isolated environment for the application to run, regardless of the underlying infrastructure
15
Q
What’s a Container Engine?
A
- containerization is facilitated by container engines or runtimes like Docker, Kubernetes, or containerd
- the engines provide the necessary tools and libraries to create, manage, and run containers
16
Q
What are the security considerations of containerization?
A
- Container Isolation
- Secure Image Management
- Container Runtime Security
- Vulnerability Management
- Access Controls
- Network Security
- containers communicate with each other and external systems over networks
- Container Orchestration Security
- Logging and Monitoring
- Compliance and Auditing
17
Q
Explain Container Isolation
A
- while containers provide isolation between applications, it’s essential to ensure that the isolation is robust and secure
- weak container isolation can lead to container escapes or unauthorized access to sensitive resources
- implementing proper container isolation mechanisms, such as strong Linux kernel features like namespaces and cgroups, helps mitigate these risks
18
Q
Explain Container Secure Image Management
A
- container images serve as the basis for creating containers
- crucial to ensure the integrity and security of container images by using trusted sources, regularly updating images, and scanning them for vulnerabilities
- employing image signing and verification techniques can also enhance image security
19
Q
Explain Container Runtime Security
A
- keeping the runtime up to date with the latest security patches and configurations is vital
- enabling appropriate security features, like secure kernel options and runtime policies, helps mitigate security risks
20
Q
Explain Container Orchestration Security
A
- using container orchestration platforms like Kubernetes, securing the orchestration infrastructure becomes critical
- properly configuring access controls, securing API endpoints, and managing secrets and sensitive data within the orchestration platform are crucial to prevent unauthorized access and data breaches
21
Q
What’s the main advantage of containerization over virtualization?
A
- containerization reduces the overhead of server virtualization by enabling containerized apps to run on a shared OS kernel
- containers don’t have thier own OS
22
Q
What’s embedded system?
A
- specialized computer systems designed to perform specific functions within larger systems or device
- a full computer system embedded inside of another larger system
- e.g. printers, GPS, drones, semi-automated vehicles
23
Q
What’s High Performance Computing?
A
- alternative to client-server computing model for compute-intensive operations within large data sets
- used for problems that require the use of extermly large data sets and large-scale parallel processing
24
Q
What’s Grid computing and how does it work?
A
- high performance computing often seen in business settings
- employs a centralized controller that makes computing assignments to grid members
- the grid controller needs to be secured from takover by bad actor
25
What's Edge Computing? Where is it used?
* some compute operations require processing activities to occur locally, far from the cloud
* used in various IoT scenarios - agricultural, science, retail, military
26
What's Fog computing?
* places gateway devices in the filed to collect and correlate data centrally at the edge
27
What system provides GUI to monitor industrial control systems (ICS)?
Supervisory Control and Data Acquisition system (SCADA)
28
What is the type of system that allows to simultaneously handle information classified at the SEcret and Top Secret levels?
multistate
29
Which system assurance process provides an independent third-party evaluation of controls that may be trusted by many different organizations?
verificaion
30
How many protection rings are in modern OSes and how are they marked? Name their role for each.
* Ring 0
* highest level of privilege
* can access any file, resource or memory location
* occupied by kernel
* Ring 1
* come and go as tasks are requested, operations performed, processes switched, etc.
* Ring 2
* occupied by I/O drivers and system utilities
* able to access peripheral devices, special files, etc. that other programs cannot access directly
* Ring 3
* occupied by applications and programs
31
What is the role of protection rings?
organize code and components in an operating system, as well as applications, utilities, or other code that runs under OS's control
32
What's the name of part of OS that always reside in memory?
kernel
33
Ben is selecting an encryption algorithm for use in an organization with 10,000 employees. He must facilitate communication between any two employees within the organization. Which type of encryption algorithm should he use?
asymmetric encryption algorithm that requires only two keys for each user; e.g. RSA
34
What's the formula for determining the number of encryption keys required by a symmetric algorithm?
((n*(n − 1))/2)
35
Which technique can an attacker use to exploit a TOC/TOU vulnerability?
algorithmic complexity
36
What three important items should be considered if you are attempting to control the strength of signal for a wireless network as well as where it is accessible?
**Antenna placement, antenna design, and power level control** are the three important factors in determining where a signal can be accessed and how usable it is
37
Which component of IPsec provides authentication, integrity, and nonrepudiation?
Authentication Header (AH)
38
Why should be data centers located in the core of a building?
Locating it on lower floors makes it susceptible to flooding and physical break-ins.
Locating it on the top floor makes it vulnerable to wind and roof damage.
39
Describe the corporate-owned mobile device policy
* company purchases mobile devices that can support compliance with the security policy
* devices are to be used exclusively for company purposes, and users should not perform any personal tasks on them
* often requires workers to carry a second device for personal us
40
What is a common security risk when using grid computing solutions that consume available resources from computers over the internet?
* loss of privacy - grid members can access the contents of the distributed work segments or divisions
* grid computing over the internet is not usually the best platform for sensitive operations
41
What is secondary memory?
term used to describe magnetic, optical, or flash media (i.e., typical storage devices like HDD, SSD, CD, DVD, and thumb drives).
42
Which items need to be included and label on a master cabling map as part of crafting the cable plant management policy?
* Entrance facility
* Equipment room
* Backbone distribution system
* Telecommunications room
* Horizontal distribution system
43
What's Mean time to failure (MTTF)?
expected typical functional lifetime of the device given a specific operating environment
44
What's Mean time to repair (MTTR)
average length of time required to perform a repair on the device
45
What's Mean time between failures (MTBF)?
an estimation of the time between the first and any subsequent failures
46
What does Security Model provide?
provides framework to implement a security policy
