CISSP Glossary Flashcards

Question 1

Q

Acceptable risk

Answer

A

A suitable level of risk commensurate with the potential benefits of the organization’s operations as determined by senior management.

Question 2

Q

Access control system

Answer

A

Means to ensure that access to assets is authorized and restricted based on business and security requirements related to logical and physical systems.

Question 3

Q

Access control tokens

Answer

A

The system decides if access is to be granted or denied based upon the validity of the token for the point where it is read based on time, date, day, holiday, or other condition used for controlling validation.

Question 4

Q

Accountability

Answer

A

Accountability ensures that account management has assurance that only authorized users are accessing the system and using it properly.

Question 5

Q

ActiveX Data Objects (ADO)

Answer

A

A Microsoft high-level interface for all kinds of data.

Question 6

Q

Address Resolution Protocol

ARP

Answer

A

Is used at the Media Access Control (MAC) Layer to provide for direct communication between two devices within the same LAN segment.

Question 7

Q

Algorithm

Answer

A

A mathematical function that is used in the encryption and decryption processes.

Question 8

Q

Asset

Answer

A

An item perceived as having value.

Question 9

Q

Asset lifecycle

Answer

A

The phases that an asset goes through from creation (collection) to destruction.

Question 10

Q

Asymmetric

Answer

A

Not identical on both sides. In cryptography, key pairs are used, one to encrypt, the other to decrypt.

Question 11

Q

Attack surface

Answer

A

Different security testing methods find different vulnerability types.

Question 12

Q

Attribute- based access control (ABAC)

Answer

A

This is an access control paradigm whereby access rights are granted to users with policies that combine attributes together.

Question 13

Q

Audit/auditing

Answer

A

The tools, processes, and activities used to perform compliance reviews.

Question 14

Q

Authorization

Answer

A

The process of defining the specific resources a user needs and determining the type of access to those resources the user may have.

Question 15

Q

Availability

Answer

A

Ensuring timely and reliable access to and use of information by authorized users.

Question 16

Q

Baselines

Answer

A

A minimum level of security.

Question 17

Q

Bit

Answer

A

Most essential representation of data (zero or one) at Layer 1 of the Open Systems Interconnection (OSI) model.

Question 18

Q

Black-box testing

Answer

A

Testing where no internal details of the system implementation are used.

Question 19

Q

Bluetooth

Wireless Personal Area Network IEEE 802.15

Answer

A

Bluetooth wireless technology is an open standard for short-range radio frequency communication used primarily to establish wireless personal area networks (WPANs), and it has been integrated into many types of business and consumer devices.

Question 20

Q

Bridges

Answer

A

Layer 2 devices that filter traffic between segments based on Media Access Control (MAC) addresses.

Question 21

Q

Business continuity (BC)

Answer

A

Actions, processes, and tools for ensuring an organization can continue critical operations during a contingency.

Question 22

Q

Business continuity and disaster recovery

BCDR

Answer

A

A term used to jointly describe business continuity and disaster recovery efforts.

Question 23

Q

Business impact analysis (BIA)

Answer

A

A list of the organization’s assets, annotated to reflect the criticality of each asset to the organization.

Question 24

Q

Capability Maturity Model for Software or
Software Capability Maturity Model
(CMM or SW-CMM)

Answer

A

Maturity model focused on quality management processes and has five maturity levels that contain several key practices within each maturity level.

Question 25

Q

Cellular Network

Answer

A

A radio network distributed over land areas called cells, each served by at least one fixed-location transceiver, known as a cell site or base station.

Question 26

Q

Certificate authority

CA

Answer

A

An entity trusted by one or more users as an authority that issues, revokes, and manages digital certificates to bind individuals and entities to their public keys.

Question 27

Q

Change management

Answer

A

A formal, methodical, comprehensive process for requesting, reviewing, and approving changes to the baseline of the IT environment.

Question 28

Q

CIA/AIC Triad

Answer

A

Security model with the three security concepts of confidentiality, integrity, and availability make up the CIA Triad. It is also sometimes referred to as the AIC Triad.

Question 29

Q

Ciphertext

Answer

A

The altered form of a plaintext message, so as to be unreadable for anyone except the intended recipients. Something that has been turned into a secret.

Question 30

Q

Classification

Answer

A

Arrangement of assets into categories.

Question 31

Q

Clearing

Answer

A

The removal of sensitive data from storage devices in such a way that there is assurance that the data may not be reconstructed using normal system functions or software recovery utilities.

Question 32

Q

Code-division multiple access (CDMA)

Answer

A

Every call’s data is encoded with a unique key, then the calls are all transmitted at once.

Question 33

Q

Common Object Request Broker Architecture (CORBA)

Answer

A

A set of standards that addresses the need for interoperability between hardware and software products.

Question 34

Q

Compliance

Answer

A

Adherence to a mandate; both the actions demonstrating adherence and the tools, processes, and documentation that are used in adherence.

Question 35

Q

Computer virus

Answer

A

A program written with functions and intent to copy and disperse itself without the knowledge and cooperation of the owner or user of the computer.

Question 36

Q

Concentrators

Answer

A

Multiplex connected devices into one signal to be transmitted on a network.

Question 37

Q

Condition coverage

Answer

A

This criterion requires sufficient test cases for each condition in a program decision to take on all possible outcomes at least once. It differs from branch coverage only when multiple conditions must be evaluated to reach a decision.

Question 38

Q

Confidentiality

Answer

A

Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

Question 39

Q

Configuration management (CM)

Answer

A

A formal, methodical, comprehensive process for establishing a baseline of the IT environment (and each of the assets within that environment).

Question 40

Q

Confusion

Answer

A

Provided by mixing (changing) the key values used during the repeated rounds of encryption. When the key is modified for each round, it provides added complexity that the attacker would encounter.

Question 41

Q

Content Distribution Network (CDN)

Answer

A

Is a large distributed system of servers deployed in multiple data centers across the internet.

Question 42

Q

Covert channel

Answer

A

An information flow that is not controlled by a security control and has the opportunity of disclosing confidential information.

Question 43

Q

Covert security testing

Answer

A

Performed to simulate the threats that are associated with external adversaries. While the security staff has no knowledge of the covert test, the organization management is fully aware and consents to the test.

Question 44

Q

Crossover Error Rate (CER)

Answer

A

This is achieved when the type I and type II are equal.

Question 45

Q

Cryptanalysis

Answer

A

The study of techniques for attempting to defeat cryptographic techniques and, more generally, information security services provided through cryptography.

Question 46

Q

Cryptography

Answer

A

Secret writing. Today provides the ability to achieve confidentiality, integrity, authenticity, non-repudiation, and access control.

Question 47

Q

Cryptology

Answer

A

The science that deals with hidden, disguised, or encrypted information and communications.

Question 48

Q

Curie Temperature

Answer

A

The critical point where a material’s intrinsic magnetic alignment changes direction.

Question 49

Q

Custodian

Answer

A

Responsible for protecting an asset that has value, while in the custodian’s possession.

Question 50

Q

Data classification

Answer

A

Entails analyzing the data that the organization retains, determining its importance and value, and then assigning it to a category.

Question 51

Q

Data custodian

Answer

A

The person/role within the organization owner/controller.

Question 52

Q

Data flow coverage

Answer

A

This criteria requires sufficient test cases for each feasible data flow to be executed at least once.

Question 53

Q

Data mining

Answer

A

A decision-making technique that is based on a series of analytical techniques taken from the fields of mathematics, statistics, cybernetics, and genetics.

Question 54

Q

Data owner/ controller

Answer

A

An entity that collects or creates PII.

Question 55

Q

Data subject

Answer

A

The individual human related to a set of personal data.

Question 56

Q

Database Management System (DBMS)

Answer

A

A suite of application programs that typically manages large, structured sets of persistent data.

Question 57

Q

Database model

Answer

A

Describes the relationship between the data elements and provides a framework for organizing the data.

Question 58

Q

Decision (branch) coverage

Answer

A

Considered to be a minimum level of coverage for most software products, but decision coverage alone is insufficient for high-integrity applications.

Question 59

Q

Decryption

Answer

A

The reverse process from encryption. It is the process of converting a ciphertext message back into plaintext through the use of the cryptographic algorithm and the appropriate key that was used to do the original encryption.

Question 60

Q

Defensible destruction

Answer

A

Eliminating data using a controlled, legally defensible, and regulatory compliant way.

Question 61

Q

DevOps

Answer

A

An approach based on lean and agile principles in which business owners and the development, operations, and quality assurance departments collaborate.

Question 62

Q

Diffusion

Answer

A

Provided by mixing up the location of the plaintext throughout the ciphertext. The strongest algorithms exhibit a high degree of confusion and diffusion.

Question 63

Q

Digital certificate

Answer

A

An electronic document that contains the name of an organization or individual, the business address, the digital signature of the certificate authority issuing the certificate, the certificate holder’s public key, a serial number, and the expiration date. Used to bind individuals and entities to their public keys. Issued by a trusted third party referred to as a Certificate Authority (CA).

Question 64

Q

Digital rights management (DRM)

Answer

A

A broad range of technologies that grant control and protection to content providers over their own digital media. May use cryptography techniques.

Answer 65

A

Provide authentication of a sender and integrity of a sender’s message and non-repudiation services.

Answer 66

A

Those tasks and activities required to bring an organization back from contingency operations and reinstate regular operations.

Answer 67

A

The system owner decides who gets access.

Answer 68

A

A legal concept pertaining to the duty owed by a provider to a customer.

Answer 69

A

Actions taken by a vendor to demonstrate/ provide due care.

Answer 70

A

Ports 49152 – 65535. Whenever a service is requested that is associated with Well- Known or Registered Ports those services will respond with a dynamic port.

Answer 71

A

When the system under test is executed and its behavior is observed.

Answer 72

A

The action of changing a message into another format through the use of a code.

Answer 73

A

The process of converting the message from its plaintext to ciphertext.

Answer 74

A

This is erroneous recognition either by confusing one user with another, or by accepting an imposter as a legitimate user.

Answer 75

A

This is failure to recognize a legitimate user.

Answer 76

A

A lightweight encapsulation protocol, and it lacks the reliable data transport of the TCP layer.

Answer 77

A

Devices that enforce administrative security policies by filtering incoming traffic based on a set of rules.

Answer 78

A

Data represented at Layer 2 of the Open Systems Interconnection (OSI) model.

Answer 79

A

Each call is transformed into digital data that is given a channel and a time slot.

Answer 80

A

The process of how an organization is managed; usually includes all aspects of how decisions are made for that organization, such as policies, roles, and procedures the organization uses to make those decisions.

Answer 81

A

A formal body of personnel who determine how decisions will be made within the organization and the entity that can approve changes and exceptions to current relevant governance.

Answer 82

A

Suggested practices and expectations of activity to best accomplish tasks and attain goals.

Answer 83

A

Accepts an input message of any length and generates, through a one-way operation, a fixed-length output called a message digest or hash.

Answer 84

A

Machines that exist on the network, but do not contain sensitive or valuable data, and are meant to distract and occupy maliciousor unauthorized intruders, as a means ofdelaying their attempts to accessproduction data/assets. A number ofmachines of this kind, linked together as anetwork or subnet, are referred to as a “honeynet.”

Answer 85

A

Cloud-based services that broker identity and access management (IAM) functions to target systems on customers’ premises and/or in the cloud.

Answer 86

A

The process of collecting and verifying information about a person for the purpose of proving that a person who has requested an account, a credential, or other special privilege is indeed who he or she claims to be and establishing a reliable relationship that can be trusted electronically between the individual and said credential for purposes of electronic authentication.

Answer 87

A

A non-secret binary vector used as the initializing input algorithm, or a random starting point, for the encryption of a plaintext block sequence to increase security by introducing additional cryptographic variance and to synchronize cryptographic equipment.

Answer 88

A

A management technique that simultaneously integrates all essential acquisition activities through the use of multidisciplinary teams to optimize the design, manufacturing, and supportability processes.

Answer 89

A

Guarding against improper information modification or destruction and includes ensuring information non-repudiation and authenticity.

Answer 90

A

Intangible assets (notably includes software and data).

Answer 91

A

Provides a means to send error messages and a way to probe the network to determine network availability.

Answer 92

A

Used to manage multicasting groups that are a set of hosts anywhere on a network that are listening for a transmission.

Answer 93

A

Is the dominant protocol that operates at the Open Systems Interconnection (OSI) Network Layer 3. IP is responsible for addressing packets so that they can be transmitted from the source to the destination hosts.

Answer 94

A

Is a modernization of IPv4 that includes a much larger address field: IPv6 addresses are 128 bits that support 2128 hosts.

Answer 95

A

A solution that monitors the environment and automatically recognizes malicious attempts to gain unauthorized access.

Answer 96

A

A solution that monitors the environment and automatically takes action when it recognizes malicious attempts to gain unauthorized access.

Answer 97

A

Complete list of items.

Answer 98

A

The practice of having personnel become familiar with multiple positions within the organization as a means to reduce single points of failure and to better detect insider threats.

Answer 99

A

When different encryption keys generate the same ciphertext from the same plaintext message.

Answer 100

A

The size of a key, usually measured in bits, that a cryptographic algorithm uses in ciphering or deciphering protected information.

Answer 101

A

The input that controls the operation of the cryptographic algorithm. It determines the behavior of the algorithm and permits the reliable encryption and decryption of the message.

Answer 102

A

A mathematical, statistical, and visualization method of identifying valid and useful patterns in data.

Answer 103

A

The practice of only granting a user the minimal permissions necessary to perform their explicit job function.

Answer 104

A

Phases that an asset goes through from creation to destruction.

Answer 105

A

A record of actions and events that have taken place on a computer system.

Answer 106

A

Non-physical system that allows access based upon pre-determined policies.

Answer 107

A

This criterion requires sufficient test cases for all program loops to be executed for zero, one, two, and many iterations covering initialization, typical running, and termination (boundary) conditions.

Answer 108

A

Access control that requires the system itself to manage access controls in accordance with the organization’s security policies.

Answer 109

A

The measure of how long an organization can survive an interruption of critical functions. Also known as maximum tolerable downtime (MTD).

Answer 110

A

Any object that contains data.

Answer 111

A

A small block of data that is generated using a secret key and then appended to the message, used to address integrity.

Answer 112

A

A small representation of a larger message. Message digests are used to ensure the authentication and integrity of information, not the confidentiality.

Answer 113

A

Information about the data.

Answer 114

A

A use case from the point of view of an actor hostile to the system under design.

Answer 115

A

These criteria require sufficient test cases to exercise all possible combinations of conditions in a program decision.

Answer 116

A

Ensures that a user is who he or she claims to be. The more factors used to determine a person’s identity, the greater the trust of authenticity.

Answer 117

A

Is a wide area networking protocol that operates at both Layer 2 and 3 and does label switching.

Answer 118

A

Primarily associated with organizations that assign clearance levels to all users and classification levels to all assets; restricts users with the same clearance level from sharing information unless they are working on the same effort. Entails compartmentalization.

Answer 119

A

This ensures the application can gracefully handle invalid input or unexpected user behavior.

Answer 120

A

The objective of NFV is to decouple functions such as firewall management, intrusion detection, network address translation, or name service resolution away from specific hardware implementation into software solutions.

Answer 121

A

Inability to deny. In cryptography, a service that ensures the sender cannot deny a message was sent and the integrity of the message is intact, and the receiver cannot claim receiving a different message.

Answer 122

A

Hiding plaintext within other plaintext. A form of steganography.

Answer 123

A

The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.

Answer 124

A

An interior gateway routing protocol developed for IP networks based on the shortest path first or link-state algorithm.

Answer 125

A

Physical layer.

Answer 126

A

Data-link layer.

Answer 127

A

Network layer.

Answer 128

A

Transport layer.

Answer 129

A

Session layer.

Answer 130

A

Presentation layer.

Answer 131

A

Application layer.

Answer 132

A

Overt testing can be used with both internal and external testing. When used from an internal perspective, the bad actor simulated is an employee of the organization. The organization’s IT staff is made aware of the testing and can assist the assessor in limiting the impact of the test by providing specific guidelines for the test scope and parameters.

Answer 133

A

Possessing something, usually of value.

Answer 134

A

Representation of data at Layer 3 of the Open Systems Interconnection (OSI) model.

Answer 135

A

A technique called Packet Loss Concealment (PLC) is used in VoIP communications to mask the effect of dropped packets.

Answer 136

A

RAID technique; logical mechanism used to mark striped data; allows recovery of missing drive(s) by pulling data from adjacent drives.

Answer 137

A

An update/fix for an IT asset.

Answer 138

A

This criteria require sufficient test cases for each feasible path, basis path, etc., from start to exit of a defined program segment, to be executed at least once.

Answer 139

A

Any data about a human being that could be used to identify that person.

Answer 140

A

An automated system that manages the passage of people or assets through an opening(s) in a secure perimeter(s) based on a set of authorization rules.

Answer 141

A

Exceeds maximum packet size and causes receiving system to fail.

Answer 142

A

Network mapping technique to detect if host replies to a ping, then the attacker knows that a host exists at that address.

Answer 143

A

The message in its natural format has not been turned into a secret.

Answer 144

A

Provides a standard method for transporting multiprotocol datagrams over point-to-point links.

Answer 145

A

Documents published and promulgated by senior management dictating and describing the organization’s strategic goals.

Answer 146

A

An extension to NAT to translate all addresses to one routable IP address and translate the source port number in the packet to a unique value.

Answer 147

A

This determines that your application works as expected.

Answer 148

A

The right of a human individual to control the distribution of information about him- or herself.

Answer 149

A

Explicit, repeatable activities to accomplish a specific task. Procedures can address one-time or infrequent actions or common, regular occurrences.

Answer 150

A

The removal of sensitive data from a system or storage device with the intent that the data cannot be reconstructed by any known technique.

Answer 151

A

Measuring something without using numbers, using adjectives, scales, and grades, etc.

Answer 152

A

Using numbers to measure something, usually monetary values.

Answer 153

A

An approach to web monitoring that aims to capture and analyze every transaction of every user of a website or application.

Answer 154

A

A measure of how much data the organization can lose before the organization is no longer viable.

Answer 155

A

The target time set for recovering from any interruption.

Answer 156

A

Ports 1024 – 49151. These ports typically accompany non-system applications associated with vendors and developers.

Answer 157

A

This performs certificate registration services on behalf of a Certificate Authority (CA).

Answer 158

A

Residual magnetism left behind.

Answer 159

A

The risk remaining after security controls have been put in place as a means of risk mitigation.

Answer 160

A

Assets of an organization that can be used effectively.

Answer 161

A

Obligation for doing something. Can be delegated.

Answer 162

A

The possibility of damage or harm and the likelihood that damage or harm will be realized.

Answer 163

A

Determining that the potential benefits of a business function outweigh the possible risk impact/likelihood and performing that business function with no other action.

Answer 164

A

Determining that the impact and/or likelihood of a specific risk is too great to be offset by the potential benefits and not performing a certain business function because of that determination.

Answer 165

A

Putting security controls in place to attenuate the possible impact and/or likelihood of a specific risk.

Answer 166

A

Paying an external party to accept the financial impact of a given risk.

Answer 167

A

An access control model that bases the access control authorizations on the roles (or functions) that the user is assigned within an organization.

Answer 168

A

An access control model that is based on a list of predefined rules that determine what accesses should be granted.

Answer 169

A

An isolated test environment that simulates the production environment but will not affect production components/data.

Answer 170

A

A version of the SAML standard for exchanging authentication and authorization data between security domains.

Answer 171

A

A notional construct outlining the organization’s approach to security, including a list of specific security processes, procedures, and solutions used by the organization.

Answer 172

A

The entirety of the policies, roles, and processes the organization uses to make security decisions in an organization.

Answer 173

A

Data representation at Layer 4 of the Open Systems Interconnection (OSI) model.

Answer 174

A

The practice of ensuring that no organizational process can be completed by a single person; forces collusion as a means to reduce insider threats.

Answer 175

A

Is designed to manage multimedia connections.

Answer 176

A

Involves the use of simply one of the three available factors solely to carry out the authentication process being requested.

Answer 177

A

ICMP Echo Request sent to the network broadcast address of a spoofed victim causing all nodes to respond to the victim with an Echo Reply.

Answer 178

A

The level of confidence that software is free from vulnerabilities either intentionally designed into the software or accidentally inserted at any time during its lifecycle and that it functions in the intended manner.

Answer 179

A

Separates network systems into three components: raw data, how the data is sent, and what purpose the data serves. This involves a focus on data, control, and application (management) functions or “planes”.

Answer 180

A

Is an extension of the SDN practices to connect to entities spread across the internet to support WAN architecture especially related to cloud migration.

Answer 181

A

Specific mandates explicitly stating expectations of performance or conformance.

Answer 182

A

This criterion requires sufficient test cases for each program statement to be executed at least once; however, its achievement is insufficient to provide confidence in a software product’s behavior.

Answer 183

A

Analysis of the application source code for finding vulnerabilities without executing the application.

Answer 184

A

Hiding something within something else, or data hidden within other data.

Answer 185

A

When a cryptosystem performs its encryption on a bit-by-bit basis.

Answer 186

A

RAID technique; writing a data set across multiple drives.

Answer 187

A

The process of exchanging one letter or bit for another.

Answer 188

A

Operate at Layer 2. A switch establishes a collision domain per port.

Answer 189

A

Operate with a single cryptographic key that is used for both encryption and decryption of the message.

Answer 190

A

Involves having external agents run scripted transactions against a web application.

Answer 191

A

Exploits the reassembly of fragmented IP packets in the fragment offset field that indicates the starting position, or offset, of the data contained in a fragmented packet relative to the data of the original unfragmented packet.

Answer 192

A

A process by which developers can understand security threats to a system, determine risks from those threats, and establish appropriate mitigations.

Answer 193

A

Allows the operating system to provide well- defined and structured access to processes that need to use resources according to a controlled and tightly managed schedule.

Answer 194

A

Takes advantage of the dependency on the timing of events that takes place in a multitasking operating system.

Answer 195

A

Provides connection-oriented data management and reliable data transfer.

Answer 196

A

Layering model structured into four layers (network interface layer, internet layer, transport layer, host-to-host transport layer, application layer).

Answer 197

A

The process of reordering the plaintext to hide the message by using the same letters or bits.

Answer 198

A

The collection of all of the hardware, software, and firmware within a computer system that contains all elements of the system responsible for supporting the security policy and the isolation of objects.

Answer 199

A

A secure crypto processor and storage module.

Answer 200

A

Batteries that provide temporary, immediate power during times when utility service is interrupted.

Answer 201

A

Abstract episodes of interaction between a system and its environment.

Answer 202

A

The User Datagram Protocol provides connectionless data transfer without error detection and correction.

Answer 203

A

Allow network administrators to use switches to create software-based LAN segments that can be defined based on factors other than physical location.

Answer 204

A

Is a technology that allows you to make voice calls using a broadband internet connection instead of a regular (or analog) phone line.

Answer 205

A

A development model in which each phase contains a list of activities that must be performed and documented before the next phase begins.

Answer 206

A

Ports 0–1023 ports are related to the common protocols that are utilized in the underlying management of Transport Control Protocol/Internet Protocol (TCP/IP) system, Domain Name Service (DNS), Simple Mail Transfer Protocol (SMTP), etc.

Answer 207

A

A design that allows one to peek inside the “box” and focuses specifically on using internal knowledge of the software to guide the selection of test data.

Answer 208

A

A whitelist is a list of email addresses and/or internet addresses that someone knows as “good” senders. A blacklist is a corresponding list of known “bad” senders.

Answer 209

A

Primarily associated with computer networking, Wi-Fi uses the IEEE 802.11x specification to create a wireless local-area network either public or private.

Answer 210

A

One well-known example of wireless broadband is WiMAX. WiMAX can potentially deliver data rates of more than 30 megabits per second.

Answer 211

A

This represents the time and effort required to break a cryptography system.

Brainscape's Knowledge GenomeTM

CISSP Glossary Flashcards

Brainscape's Knowledge Genome^TM