CISSP Domain 8

Question 1

Aggregate Vs Inference

Answer 1

Aggregate requires multiple small pieces

Inference requires a single data point

Question 2

Waterfall method

Answer 2

Very linear, each phase leads

Once phase done can’t go back

Sequential steps

Can be improved by adding validation and verification

Question 3

Type of program language

Answer 3

Machine language

Assembly language

High level language

Question 4

Machine language

Answer 4

Man had to manually calculate and allot memory address

Complete binary

Question 5

Assembly language

Answer 5

Users mnemonic like ADD, PUSH, POP instead of binary codes

Uses assemblers to convert assembly codes to binary codes

Question 6

High level language

Answer 6

Uses abstract statements like Excel IF - Then- ELSE function

It’s processor independent

Code written in high level language can be converted to machine language using compiler and interpreters

Question 7

4 Gen - Very high level language

Answer 7

More abstraction

Question 8

Natural language

Answer 8

Eliminate need of programming expertise like AI

Question 9

Assemblers Vs Compilers Vs Interpreters

Answer 9

No matter what language is used institutions and data have to end up in binary for processor to understand

Interpreter - Convert high level to machine level code

Question 10

What is libraries used for?

Answer 10

Software libraries contains reusable code

Question 11

Integrated development environment

Answer 11

Environment where they can write their code, write it, test it, debug it and compile it

Question 12

What happens in OOP ? And how does it work?

Answer 12

Devloper doesn’t develop each and every object

Works with class, subject and objects

Class - Set of attributes associated with it, when an object is generated, it inherits these attributes example: Furniture

From security pov provides a black box

Question 13

Polymorphism

Answer 13

Characteristic of an object that allows is to respond with different behaviours to same message or method because of change in external conditions

Question 14

Properties of OOP

Answer 14

Encapsulation

Messaging - Communication between objects

Reusability

Abstraction

Question 15

Cohesion

Answer 15

How many different types of tasks a module carry out

Should high in nature

Question 16

Coupling

Answer 16

How much interaction one module requires to carry out it’s tasks

Should be low in nature

Question 17

Steps in OOP ( FYI)

Answer 17

Devloper creates a class which outlines specifications

Object is initiated it inherits these attributes

User inputs in a software - Addition

Objects is initiated

Object A interacts with B using API

Question 18

Input validation - Limit check and Escaping input

Answer 18

Remove risky inputs

Always occurs on the server side

Question 19

Properties of session management

Answer 19

Cookies to be secure

Expire after a certain time and user to authenticate again

Identifiers to be long and randomly generated

Question 20

Error handling

Answer 20

Devloper love long detailed error messages but those might contain sensitive info hence disable it

Question 21

SDLC steps

Answer 21

Conceptual definition

Functional requirements determination

Control specifications devlopment

Design review

Coding

Code Review walk through

System test review

Maintanence and change management

Question 22

Conceptual definition

Answer 22

Project charter - Top level understanding

Designers identity classification of data to be processed

Question 23

Functional requirements determination

Answer 23

How parts of system interoperate

Characteristics:

Input

Behaviour

Output

Question 24

Control specifications determination

Answer 24

Analyse system from security perspective

1. Access control
2. Confidentiality using data encryption
3. Audit trail - Accountability
4. Availability and fault tolerance

Question 25

Design review

Answer 25

Once functional and control is completed let system designers do their thing

Question 26

Code Review walk through

Answer 26

Devloper starts writing code

Question 27

Testing

Answer 27

System testing Regression testing UAT Then deployed

Question 28

Maintanence and change management

Answer 28

Maintanence tasks

Question 29

Spiral model

Answer 29

**prototype and incremental model** Determine objectives Evaluate alternatives, identify and resolve risks Devlop and verify next level product Plan next phases

Question 30

Agile software development - 12 principle

Answer 30

Satisfying customer Welcome change Devlop working software, couple of weeks Have face to face conversation **Working software** primary measure of progress

Question 31

Agile methodology

Answer 31

Scrum Kanban RAD AUP XP

Question 32

Scrum

Answer 32

Daily team meetings Scrum master Sprint: Organize work into shorter sprints of activity Short term objectives that contribute to broader goals of the project

Question 33

CMMI

Answer 33

Initial - Chaotic Repeatable - Reuse of code Defined- Operate what is documented Managed - Quantitative Process management Optomizing - Continuous improvement

Question 34

Software Assurance Maturity model business functions

Answer 34

Governance - Stratergy and metrics , policy and compliance, education and guidance Design - Threat assessment , security requirements and security architecture Implementation - Secure build, Secure deployment, Defect management Verification - Architecture analysis, Req driven testing, security testing Operations - Incident management, environment management, operational management

Question 35

IDEAL model

Answer 35

Initiation Diagnosis: Current state of org and make general recommendation of change Establishing Acting: Walk the talk Learning

Question 36

Change management process and 3 basic components

Answer 36

Request change Change control: test and analyse Release control: Only approved changes into prod Also include acceptance testing

Question 37

Software configuration management

Answer 37

**Control the version of the software used throughout an organisation and to formally track and control changes to software configuration** Configuration identification Configuration control: Changes to software in accordance with change control and configuration management policies. Updates Configuration status accounting - Formalized procedures to keep track of all authorised Changes they takes place Configuration audit - Periodic audit

Question 38

Devops model Vs CI/CD model

Answer 38

Software development+ QA+ Operations Often deploy code several times per day Code roll out dozens or several times per day: - Security also should move 1.High degree of automation 2. Code repositories 3. SCM process 4. Movement of code between development, testing and prod environments

Question 39

API's and what a devloper needs to consider ?

Answer 39

Bypass traditional web pages and interact directly with underlying service through function calls Secure authentication and Authorization to make specific call

Question 40

Software testing when is best time ? And types of test

Answer 40

Aa models are designed Reasonableness check: Inputs gives desired output Misuse case test: Code will perform under normal activity and when subjected to extreme conditions

Question 41

White box, Grey box and Black box testing

Answer 41

Access to source code, logical structures of program, inner workings of program Have access to source code+ analyse inputs and outputs Do not have access to source code

Question 42

Code repositories

Answer 42

Central storage point for developers Version control Bug tracking Web hosting Release management Used to manage and distribute code libraries

Question 43

Third party software acquisition

Answer 43

COTS - On premise of IaaS Open software (OSS) - freely available for anyone to download and use

Question 44

Type of DBMS

Answer 44

Hierarchical Relational

Question 45

Hierarchical DBMS

Answer 45

Each employee has one manager but one manager has one or more employees DNS Distributed database

Question 46

Relational DBMS

Answer 46

Row ( Turple) and column ( fields/attributes) Cardinality - Number of rows Degree - Number of columns

Question 47

Candidates key in RDBMS

Answer 47

Uniquely identify any record in a table

Question 48

Primary key

Answer 48

Enforces uniqueness is primary key **Each table has only one primary key**

Question 49

Alternate keys

Answer 49

Any key not selected as primary key is alternate key

Question 50

Foreign key

Answer 50

Enforces relationship between two tables, aka referential integrity

Question 51

What is SQL primary security feature?

Answer 51

Granularity of authorisation It's very detailed

Question 52

Db normalisation

Answer 52

Process of bringing a Db table into compliance with normal forms is known as normalisation Developers want well organised and efficient db

Question 53

4 Required characteristics of Relational DB

Answer 53

A- All or nothing Consistency Isolation Durability - Once committed they must be preserved

Question 54

What is multilevel Db and what is challenge?

Answer 54

Data(IC) and security should be separate it leads to data contamination Can be implemented using restricted access with views

Question 55

Concurrency in DB and what if they fail to implement?

Answer 55

**Edit control** **Certain Information** stored in Db is always correct at least has integrity and availability protected Lost updates - Two people update at same time data is lost Dirty Reads - Transaction that did not commit because of crash

Question 56

Aggregation

Answer 56

Multiple low level security data points combine them to produce useful info

Question 57

Inference

Answer 57

Using a single info gain access to confidential info

Question 58

Time stamps, Content dependent access control, context dependent, Db partitioning

Answer 58

Data integrity and availability Contents or payload Cell suppression - Concept of hiding individual db fields Context - Big picture of ACL Db partitioning - Subvert inference and aggregation

Question 59

Polyinstation in DB

Answer 59

When 2 or more rows in same DB have same primary keys but different data for use at different data classification levels

Question 60

Noise and perturbation

Answer 60

Can insert false or misleading data

Question 61

OBDC

Answer 61

To communicate with different db kind of interface

Question 62

No SQL and types

Answer 62

Uses models other than relational to store data Key/ Value Graph db Document

Question 63

Key/ Value pairs

Answer 63

Store info in key value pairs

Question 64

Graph Db

Answer 64

Stores data in graph format

Question 65

Document

Answer 65

Stores data in document like JSON or XML

Question 66

Covert channel

Answer 66

Storage threat Allow transmission of sensitive data between classification levels through direct or indirect manipulation of shared storage media

Question 67

Types of knowledge based systems

Answer 67

AI Expert systems and neural systems

Question 68

Expert systems and 2 components

Answer 68

Accumulation of knowledge of experts Knowledge system and inference engine - Prediction based on historic data

Question 69

ML core approach and 2 categories:

Answer 69

Computer to analyse directly from data Supervised learning - Uses labelled data for training Unsupervised learning - Algorithm devlop model independently

Question 70

Neural network

Answer 70

Extension of ML aka deep learning **Computational decision+ Series of rules stored in KB** Has many layers of summation - Weighting information to reflect - Delta rule

Question 71

Script kiddies

Answer 71

Ready to use scripts from internet use them to launch attack

Question 72

APT malware

Answer 72

Small adversaries they have zero days

Question 73

2 main functions of computer viruses

Answer 73

Propagation and payload execution

Question 74

Virus technologies

Answer 74

Multiparte Stealth Polymorphic Encrypted

Question 75

Multiparte

Answer 75

More than one propagation techniques in order to penetrate systems

Question 76

Stealth virus

Answer 76

Hide themselves by actually tampering with the OS to fool AV package to thinking everything is working fine

Question 77

Polymorphic virus

Answer 77

Modify their own code as they travel

Question 78

Encrypted virus

Answer 78

Uses virus decryption routine

Question 79

Logic bomb

Answer 79

Perform certain action at particular time. - A condition

Question 80

Trojan horses

Answer 80

Appears loving but carries a malicious behind the scene payload

Question 81

Remote access Trojans

Answer 81

Opens backdoor in system to grant attacker remote admin control of infected system

Question 82

Worms

Answer 82

They propagate themselves without human intervention

Question 83

Spyware and adware

Answer 83

They are potentially unwanted programs Monitoring your actions Display advertisement

Question 84

Malicious scripts

Answer 84

Commonly found in fileless malware

Question 85

Zero day vulnerability and reasons

Answer 85

Delay in patches Slowness in applying patches

Question 86

Antimalware Software and 3 things it does

Answer 86

Signature based system or heuristic based S/w can eradicate the virus, restore the machine to safe condition Quarantine until admin can examine Predefined danger threshold- Delete

Question 87

EDR and UEBA

Answer 87

Analysis of end points Isolation possible malicious activity Integration with threat intelligence to get info into malicious behaviour UEBA- build a profile of user

Question 88

Buffer overflow

Answer 88

Devloper doesn't validate user inputs leading to memory segment buffer to overwrite

Question 89

TOC TOU

Answer 89

Process executes access permissions before too far in advance of a resource request

Question 90

Backdoor

Answer 90

Bypass normal access restrictions Used in devlopment and debugging

Question 91

Prevlige escalation - Rootkits

Answer 91

Freely available on internet

Question 92

XSS and persistence XSS

Answer 92

Occur when web apps allow attacker to perform injection into a web page Allows reflected input Malicious scripts are injected into trusted websites Remains even when attacker isn't actively waging an attack

Question 93

SQL injection

Answer 93

Unexpected input to gain unauthorised access to an underlying db

Question 94

Network reconciance techniques

Answer 94

IP probes Port scans Vulnerability scans

Question 95

SDLC Life cycle

Answer 95

Real devlopers ideas take effort Requirement gathering Design Implementation Testing Evolution

Question 96

Insecure direct object reference

Answer 96

If app doesn't perform Authorization checks user may be permitted to view info that exceeds their authority

Question 97

Directory transversal

Answer 97

Web server suffers from misconfiguration that allows attackers to navigate directory structure and access file that should remain secure

Question 98

File inclusion

Answer 98

Simply retrieving a file from local OS and displaying it to attacker, FI actually execute code

Question 99

XSRF - Cross site request forgery

Answer 99

XSS attack exploit the trust the user has in website to execute code in users system

Question 100

SSRF

Answer 100

Instead of tricking users browser into visiting URL, trick server into visiting a URL based on user imput

Question 101

Session hijacking

Answer 101

Malicious person intercepts between authorised user and resource 1. Capture details of client identity 2. Tricking client into thinking attacker system is server 3. Accessing web app using a cookie data of user who didn't close connection

Question 102

Most effective input validation

Answer 102

Input whitelisting inputs which is defined by devloper for user to input Input blacklist - To control user imput

Question 103

Db security - parameterised queries and stored procedure

Answer 103

Techniques to protect against injection attacks doesn't allow insertion of codes

Question 104

Db admins to reduce data exposure

Answer 104

Obsfuscation and camaflogue Data minimisation Tokenization : Random token replacement of actual data

Question 105

Application resilience

Answer 105

Scalability - Scale up Elasticity - scale up and down

Question 106

Resource exhaustion in memory management

Answer 106

Memory leaks memory needs to released if not in use