cissp massive deck

Question 1

What is the opposite of the CIA triad?

Answer 1

Disclosure, Alteration, and Destruction (DAD)

Question 2

What protects publicly traded data in the US?

Answer 2

Sarbanes-Oxley Act

Question 3

What protects financial information in the US?

Answer 3

Gramm-Leach-Bliely Act

Question 4

To maintain ______, you should always encrypt data.

Answer 4

Confidentiality

Question 5

What would you use to encrypt data in motion?

Answer 5

TLS

Question 6

What would you use to encrypt data at rest?

Answer 6

AES-256

Question 7

Passwords are an example of what type of authentication?

Answer 7

Type 1 (Something You Know)

Question 8

List the types of authentication:

Answer 8

Type 1 - Something you know
Type 2 - Something you have 
Type 3 - Something you are
Type 4 - Somewhere you are
Type 5 - Something you do

(K H A A D)

• Kick
• Him
• Ahole
• Ahole
• Dck

Question 9

What type of evidence includes tangible objects such as hard drives?

Answer 9

Real Evidence

Question 10

What type of evidence includes witness who can use one of their 5 senses?

Answer 10

Direct evidence

Question 11

What type of evidence includes facts that can prove something?

Answer 11

Circumstantial Evidence

Question 12

Any company that handles financial information must adhere to what act?

Answer 12

Gramm Leech Bliely Act

Question 13

List the steps in NIST 800-34.

Answer 13

1) Policy Statement
2) BIA
3) Preventative Controls
4) Contingency Strategies
5) IT Contingency Plan
6) Ensure plan testing
7) Ensure plan maintenance

Question 14

List the ISO 27K series:

Answer 14

27001 - Establish ITSM
27002 - Security Controls
27004 - ITSM Success Measurements
27005 - Risk Management 
27799 - PHI

Question 15

Which security model is concerned with confidentiality?

Answer 15

Bell-LaPadula Model

Question 16

Which security models are concerned with integrity?

Answer 16

BIBA, Clark-Wilson

Question 17

What type of controls are used to discover and document unwanted or unauthorized activity?

Answer 17

Detective

Question 18

What does the ^ mean in “ X ^ Y “?

Answer 18

AND - if both values are true, then true

Question 19

What does the down arrow in “ X down arrow Y” mean?

Answer 19

OR (Any one value is true, then true)

Question 20

What does the ~ mean in X ~ Y?

Answer 20

NOT (reverse the input)

Question 21

What does the + mean in X + Y?

Answer 21

Exclusive OR - (Only true if only one value is true, meaning two 1 1s = 0)

Question 22

Is AES symmetric or asymmetric?

Answer 22

Symmetric

Question 23

What block size does symmetric standard DES use?

Answer 23

64 bits

Question 24

What key size does symmetric standard DES use?

Answer 24

56 bits

Question 25

How many rounds are used in symmetric standard DES?

Answer 25

16

Question 26

What is included in Type A fires and how do you put them out?

Answer 26

Common combustibles (i.e. Paper); water

Question 27

What is included in Type B fires and how do you put them out?

Answer 27

Liquid (i.e. gas); CO2, Halon, soda acid

Question 28

What is included in Type C fires and how do you put them out?

Answer 28

Electrical; CO2, Halon (FM-200)

Question 29

What is included in Type D fires and how do you put them out?

Answer 29

Metal; Dry powder

Question 30

What type of water suppression system is always filled with water?

Answer 30

Wet Pipe

Question 31

What type of water suppression system contains compressed air to push out water when there is a fire?

Answer 31

Dry Pipe

Question 32

What type of water suppression system is a dry pipe wiht large pipes that deliver huge volumes of water?

Answer 32

Deluge (not suitable for environments with computers/electronics)

Question 33

What type of water suppression system is a combination of a wet and dry pipe?

Answer 33

Preaction (most suitable for computer rooms with humans)

Question 34

What mode of EMI is the difference between hot and ground wire?

Answer 34

Common Mode

Question 35

What mode of EMI is the difference between hot and neutral wire?

Answer 35

Traverse

Question 36

What level of humidity should computer rooms stay at?

Answer 36

40-60%

Question 37

What is it called if there is a momentary loss of power?

Answer 37

Fault

Question 38

What is it called if there is a complete loss of power?

Answer 38

Blackout

Question 39

What is it called if there is a momentary low voltage?

Answer 39

Sag

Question 40

What is it called if there is a prolonged low voltage?

Answer 40

Brownout

Question 41

Which ring is also known as privileged mode?

Answer 41

Ring 0

Question 42

What does ring 0 house?

Answer 42

OS Kernel

Question 43

What do ring 1 and ring 2 house?

Answer 43

OS System Services (Drivers, ETc)

Question 44

Which level assurance level is "semi-formally designed and tested"?

Answer 44

EAL5

Question 45

Which level assurance level is "formally designed, verified, and tested?"

Answer 45

EAL7

Question 46

Which assurance level is "functionally tested"?

Answer 46

EAL1

Question 47

What is EAL2?

Answer 47

Structurally tested

Question 48

What is EAL3?

Answer 48

Methodically tested and checked

Question 49

What is EAL4?

Answer 49

Methodically designed, tested, and reviewed

Question 50

What is EAL6?

Answer 50

Semi-formally designed, verified, and tested

Question 51

Bell-LaPadula deals with:

Answer 51

confidentiality (simple: no read up, star*: no write down)

Question 52

Clark wilson model deals with:

Answer 52

integrity

Question 53

What is another name for the Brewer Nash Model and what does it do?

Answer 53

Chinese wall - protects conflicts of intererst

Question 54

BIBA model deals with:

Answer 54

Integrity (simple: no read down, star*: no write up)

Question 55

What is the primary focus of COSO?

Answer 55

Addressing issues that lead to and allow for fraudulent financial reporting.

Question 56

Kerberos has built-in protections against authentication replay attacks. Which of the following mechanisms provide that protection?

Answer 56

Time stamps

Question 57

What type of protection is used to maintain confidentiality?

Answer 57

Encryption

Question 58

What type of encryption is used for data in motion?

Answer 58

TLS

Question 59

What type of encryption is used for data at rest?

Answer 59

AES

Question 60

Which form of access control uses specific permission (W, R, Execute) for different users and/or groups?

Answer 60

DAC (Discretionary Access Control)

Question 61

Which form of access control works with labels (objects) and clearance (subjects)?

Answer 61

MAC (Mandatory Access Control)

Question 62

Which form of access control uses a combination of objects, subjects, and environment (such as physical location)?

Answer 62

AAC (Attribute Access Control)

Question 63

In software, if a field allows only 10 digits, and you do not limit the field in anyway (such as not allowing a user to enter 11 digits or having the software ignore 11th digit), what kind of attack could occur?

Answer 63

Buffer overflow

Question 64

What do developers create in a program to easily access the program they are creating via a "backdoor"?

Answer 64

software maintenance hook (can allow attackers to attack the program! make sure the developer agrees that no maintenance hook has been left)

Question 65

What type of attack includes slowly incrementing / making small changes to data?

Answer 65

data diddling

Question 66

What type of attack is when small attacks add up to one major attack?

Answer 66

salami attack

Question 67

What type of software-based password attack includes the attempt of cracking a password using defined words in a word list?

Answer 67

dictionary attack

Question 68

What type of software-based password attack uses different parameters each time over and over again until password crack is successful?

Answer 68

brute force attack

Question 69

What type of software-based password attack to crack a password uses md5 hash and tables?

Answer 69

rainbow table

Question 70

What type of software-based network attack includes placing a computer in between one host and another host and looks at the traffic between the two?

Answer 70

sniffer / sniffing (ARP spoofing, MAC changing, spoofing)

Question 71

In Kerberos, the authentication server + the ticket granting server forms what?

Answer 71

Key Distribution Center (KDC)

Question 72

What authentication method using the following: - User sends username to auth server - Auth server sends secret key and ticket granting ticket to user - User decrypts secret key with user's password - If decryption works, user sends: ---- ticket granting ticket to ticket granting server and ----- information about which resource the user wants to access - Ticket granting server grants access to user to resource

Answer 72

kerberos

Question 73

What type of authentication allows SSO without password by establishing trust between two systems and uses certificate and PKI? Used by websites!

Answer 73

Federation / federated identity | https://blog.empowerid.com/blog-1/bid/164625/what-is-federation-and-how-is-it-different-from-sso

Question 74

What is used for central authentication methods normally?

Answer 74

RADIUS

Question 75

What are the four broad domains of COBIT?

Answer 75

- Acquire and Implement - Plan and Organize - Deliver & Support - Monitor & Evaluate