CISSprep - Missing Topics from Common Books Flashcards
Unilateral NDA
One-way disclosure: one (uni) party discloses confidential information to another, for example a flat file sent to another organization for its own contracted use.
Bilateral NDA
Two-way disclosure: both parties share confidential information with each other, for example an exchange of files between two organizations. Extending the previous example: the flat file is matched against the recipient's database on SSNs or names and returned populated with new demographic data, so each organization has now disclosed data to the other.
Multilateral NDA
Disclosures made among three or more parties.
Non-compete agreement
Basically an agreement in which the individual agrees not to use your data or trade secrets to compete against you.
Prudent actions
Prudent actions are those that most people in similar circumstances would take. For example, if the speed limit is 55, you might argue that most “prudent” drivers are usually within 5 to 10 miles per hour of the limit, over or under.
Reasonable actions
Reasonable actions are actions that have a logical justification. For example, if you break someone’s rib during a karate class, that is probably reasonable (justified); if you do it to a random person on the street, it is not.
Data portability
Data portability – a GDPR right (Article 20): an individual can have their personal data securely transferred from one service or controller to another, and controllers must provide a mechanism for such requests, such as a paper form or an online web form.
Data localization
Data localization refers to the requirement that data be processed and stored in the country where it originated or was collected. GDPR does not mandate localization as such, but it restricts transfers of EU personal data outside the EU/EEA: the transfer is only lawful if conditions such as an adequacy decision or standard contractual clauses are met.
GDPR privacy principles
(Article 5 opens with lawfulness, fairness and transparency: there must be a legal basis for processing and the data subject must be told what is being done.)
Purpose limitation – collect data only for specified, explicit purposes, and do not process it later in a way incompatible with those purposes.
Data minimization – collect and keep only the data that is adequate, relevant and necessary for the stated purpose; if you don’t need a field, don’t collect it.
Accuracy – there should be a method for the data subject to have inaccurate data corrected or erased, so that the information stays accurate and up to date.
Storage limitation – basically, don’t keep the information (in identifiable form) longer than needed for the purpose.
Integrity/confidentiality – protect the data against unauthorized or unlawful processing, unauthorized modification or viewing, and accidental loss.
Accountability – your organization is responsible for the data and must be able to demonstrate compliance with these principles.
Article 5 (accountability)
Accountability – Article 5(2) of GDPR: the controller is responsible for compliance with the principles in Article 5(1) and must be able to demonstrate that compliance (policies, records of processing, audits), i.e. the organization is accountable for the data it holds.
Public chapter
Public Chapter (previously “public domain”) – use is allowed without constraints, for any purpose, including modification and customization. Support and extra features must be purchased.
Secure defaults
Video explanation: https://youtu.be/EtmTmqCglr4
SECURE DEFAULTS, from NIST SP 800-53 control SA-8, enhancement (23), also known as restrictive defaults. From a manufacturer’s point of view it means products are securely configured “as-shipped”: customers don’t have to apply a lot of hardening out of the box, the product or software resists attack from the get-go, and it initializes/starts up in a secure state. It also means that if initialization fails, the product either continues to operate in a secure state or does not perform the action at all (fail secure rather than fail open).
Restrictive defaults
Video explanation: https://youtu.be/EtmTmqCglr4
Alternate name for secure defaults (SA-8(23)). From a manufacturer’s point of view it means products are securely configured “as-shipped”: customers don’t have to apply a lot of hardening out of the box, the product or software resists attack from the get-go, and it initializes/starts up in a secure state. If initialization fails, the product either continues in a secure state or does not perform the action at all.
Zero trust
An architecture in which nothing is trusted implicitly, regardless of network location or asset ownership. Just like the name implies, devices and users must be authenticated and authorized for each and every request, and access is continuously re-evaluated rather than granted once at the perimeter. https://cissprep.net/architecture-terminology/
Privacy by design
Privacy should be built in throughout the entire SDLC, and privacy requirements need to be coordinated and communicated at all staffing levels throughout the project.
Trust but verify
Trust but verify – has two additional names to be aware of: system assurance and security verification. This is basically a process of monitoring for the presence or absence of proper or improper behaviors, measured against some type of defined criteria. https://cissprep.net/architecture-terminology/
HITRUST
A collection of frameworks compiled into a single resource with the objective to normalize the different sets of security requirements into a single trusted certification/assessment.
Privacy Management Framework (PMF)
PMF was created by the AICPA as a revision of the 2009 Generally Accepted Privacy Principles (GAPP). It incorporates local information and data privacy laws and standards, including GDPR, and updates to the AICPA’s Trust Services Criteria (TSC).
SWIFT security control framework
SWIFT’s Customer Security Controls Framework (CSCF) is a set of mandatory and advisory security controls for organizations connected to the SWIFT financial messaging network (banks and other financial institutions), against which they attest annually. Contrast with PCI DSS, which applies to entities that store, process or transmit payment card data; SWIFT’s framework covers interbank messaging and payment infrastructure rather than card transactions. https://www.swift.com/about-us
Cloud Security Alliance’s IOT security control framework
CSA is the Cloud Security Alliance, which publishes cloud security standards and also a dedicated IoT Security Controls Framework. Its STAR (Security, Trust, Assurance and Risk) program is the assurance scheme of interest: Level 1, in which participants self-assess by filling out a questionnaire (the CAIQ); Level 2, a third-party assessment (attestation or certification); Level 3, currently in draft, which would add continuous monitoring.
Maximum Allowable Outage
Formerly called “MAD” (maximum allowable downtime) and also seen as MTD (maximum tolerable downtime): the longest outage the organization can suffer without irreparable harm. Recovery time objectives for the supporting systems must be set below it.
Asset-based risk perspective (there are 4 risk perspectives in new CBK)
Asset-based is identifying risks based on what can happen to your assets.
https://cissprep.net/risk-management/
Outcome-based risk perspective
Outcomes-based is identifying what can happen to your desired outcomes, such as profits, income, or sales.
Vulnerability-based risk perspective
Vulnerability-based is centered around inherent weaknesses.
Threat-based risk perspective
Threat-based revolves around who can perform the attacks and what they are capable of.
Hazard (difference between hazard and risk - these are explicitly defined in the new CBK)
A hazard is a source of potential harm, typically a natural event such as an earthquake, tornado or flood (man-made hazards such as a chemical spill also count). Risk is the likelihood that the hazard actually affects you combined with the impact if it does; the hazard exists whether or not your assets are exposed to it.
Prioritize (the new pre-step before the standard 4 responses)
Management makes two decisions about risk: 1) Prioritize, i.e. rank the identified risks so the most significant are handled first. 2) Decide how to handle each risk. This is where the four standard responses (accept, avoid, mitigate/reduce, transfer/share) come into play.
Micro training
Smaller modules than the typical annual training. An example would be a small module that trains users on how to avert phishing attempts, typically following an approved phishing campaign that’s overseen by the information security office.
Gamification
Refers to adding games to your education & training modules. An example would be one of the matching questions you might get on the exam but with images instead of words. Like dragging red flags over the text of a fake phishing email wherein points and scores are given.
Materials (CBK indicates there is a difference between materials and supplies)
Materials are the expendable items that go into finished products; things like ink and paper that go into newspapers.
Supplies
Supplies are the expendable items that go into the administrative support of creating finished products – you can also view supplies as items related to business administration rather than product creation. For example, supplies would be the ink and paper used in the office staff’s workspace, but not for the newspaper itself.
Tangible assets
Tangible assets have a physical existence. You can touch them, such as computer servers, land, or buildings.
Intangible assets
Don’t really have a physical existence. These could be ideas, reputations, undocumented agreements, but typically would be data, and software.
IT asset management lifecycle
Covered in detail here: https://cissprep.net/asset-lifecycle/
Planning (part of IT asset management lifecycle)
Planning is where you would identify the assets, put a value on them, and put them in the inventory.
Assigning security needs (part of IT asset management lifecycle)
Assigning the security needs, this is where you would classify and categorize the assets. This step likely includes assigning the protection levels or baselines if they exist.
Acquiring (part of IT asset management lifecycle)
Acquiring the asset(s), whether that’s internally creating the software or purchasing the hardware.
Deployment (part of IT asset management lifecycle)
Deployment refers to deploying the assets and conducting training for all levels of users and support functions
Managing (part of IT asset management lifecycle)
Managing refers to the ongoing and continuous security assessment of the assets. This step includes backup and recovery activities.
Retiring (part of IT asset management lifecycle)
Retiring – obviously this step includes disposal.
Kiosk service point
Kiosk service points, mentioned in Domain 2, are remote assets that process transactions, such as automated teller machines (ATMs) and point-of-sale (POS) devices at stores that take credit/debit cards. The kiosk itself typically does not store transaction information; that is held by the back-end applications that support it.
Data security lifecycle (CSUSAD)
Covered in detail here: https://cissprep.net/asset-lifecycle/
Data lifecycle (note: there are two versions with different phases in the CBK)
Covered in detail here: https://cissprep.net/asset-lifecycle/
Pervasive encryption
Pervasive encryption is IBM’s term for hardware-assisted, policy-driven bulk encryption on its Z mainframes, intended to encrypt data everywhere (at rest and in flight) without application changes. The CBK describes it as a development that could, in principle, also protect data in use / data in process.
Enclave
A secure enclave is an isolated, hardware-backed component of the architecture in which data in use (cleartext) is protected from the less trusted parts of the system: the OS, hypervisor and other processes see only encrypted memory. Examples are Intel SGX enclaves, Arm TrustZone secure world and Apple’s Secure Enclave coprocessor.
Complex Hybrid Cryptography
“Complex” hybrid cryptography adds digital signatures on both the sender’s and the receiver’s side, with a timestamp added by the receiver. The sender’s signature provides integrity and proof of origin; the receiver’s signature provides proof of delivery. Video explanation: https://youtu.be/NJVkR85p3dg
Type 1 security
A type 1 hypervisor runs directly on the hardware (“bare metal”) with no host operating system underneath it, which reduces the attack surface compared with type 2. Each VM still runs its own guest OS.
Type 2 security
A type 2 hypervisor runs as an application on a host OS, and multiple VMs sit on top of that single host OS. It is more attractive to attackers since a general-purpose host OS typically has many vulnerabilities, and compromising the host compromises every VM on it.
Government cloud
Government cloud supports government agencies and their contractors. Not open to the general public.
VM sprawl
Uncontrolled proliferation of VMs to the point where the administrator no longer tracks them (unpatched, unmonitored, forgotten), which jeopardizes the services that depend on them.
High performance computing systems
Refers to very high-speed computers or clusters. These are used for big data and analytics, for example examining buying patterns of individuals so they can be sold to retailers for ads. HPC systems are also used for cryptography, password cracking and cryptanalysis.
Edge computing
A layer of computing is put at the input source. For example, the layer can be an embedded device, such as an IOT fridge, or an IOT thermostat or cooling system.
Fog computing
Know the difference between edge and fog computing… The key difference between these is where the computations are done. Just remember the phrase “Edge is Embedded, Fog is further”. From what we understand, the purpose of both of these is to reduce the computational cost on the cloud servers. Edge is done at the source, fog is typically done further out but not in the cloud.
Key space clumping
Key space clumping or key space clustering has to do with keys not being uniformly random: the key generation process has poor randomness, so generated keys bunch up in parts of the key space instead of being spread across all of it. ISC2’s material on this is lacking, and research on the web is very technical; however, PLEASE be aware that the term “key clustering” refers to something different. There could also be a mistake in the CBK in terms of how it’s worded.
Key clustering – when two different keys encrypt the same plaintext to the same ciphertext (so either key decrypts it). This is a weakness of the cipher, not of key generation.
Clustering/clumping of pseudorandom numbers
Again, the CBK is lacking here: clustering/clumping of the pseudorandom numbers used in key generation (or of the keys themselves) means the outputs are not uniformly distributed, which can make it easier to predict the next key that will be generated.
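An added example (not from the CBK or the cissprep site) of why non-uniform, predictable key generation matters. It assumes a hypothetical application that derives keys from Go’s non-cryptographic math/rand seeded with a Unix timestamp; the attacker only has to search the time window, not the key space, and once the seed is recovered every later key is predictable. The CSPRNG path (crypto/rand) is shown alongside for contrast.

```go
package main

import (
	"crypto/rand"
	"fmt"
	mrand "math/rand"
)

// WeakKeyGen derives keys from math/rand seeded with a timestamp (hypothetical
// victim code). math/rand is deterministic and non-cryptographic, so the whole
// key stream follows from the seed.
type WeakKeyGen struct{ r *mrand.Rand }

func NewWeakKeyGen(seed int64) *WeakKeyGen {
	return &WeakKeyGen{r: mrand.New(mrand.NewSource(seed))}
}

// Next returns the next 16-byte key from the generator.
func (g *WeakKeyGen) Next() []byte {
	key := make([]byte, 16)
	g.r.Read(key) // (*Rand).Read is fully determined by the seed
	return key
}

// StrongKey takes 16 bytes from the OS CSPRNG: there is no seed to recover.
func StrongKey() ([]byte, error) {
	key := make([]byte, 16)
	_, err := rand.Read(key)
	return key, err
}

// RecoverSeed is the attacker's view: given one observed key and a guess that
// the seed was a Unix timestamp in [from, to], brute-force the seed. The
// search space is the size of the time window, not 2^128.
func RecoverSeed(observed []byte, from, to int64) (int64, bool) {
	for seed := from; seed <= to; seed++ {
		if string(NewWeakKeyGen(seed).Next()) == string(observed) {
			return seed, true
		}
	}
	return 0, false
}

// PredictNext replays the generator from a recovered seed, skips the keys the
// attacker has already seen, and returns the key the victim will issue next.
func PredictNext(seed int64, alreadySeen int) []byte {
	g := NewWeakKeyGen(seed)
	for i := 0; i < alreadySeen; i++ {
		g.Next()
	}
	return g.Next()
}

func main() {
	// constructed scenario: the victim seeded from a clock the attacker can
	// estimate to within half an hour either side
	victimSeed := int64(1700000000)
	victim := NewWeakKeyGen(victimSeed)
	k1, k2 := victim.Next(), victim.Next()

	seed, ok := RecoverSeed(k1, victimSeed-1800, victimSeed+1800)
	fmt.Printf("seed recovered: %v (%d)\n", ok, seed)
	fmt.Println("next key predicted:", string(PredictNext(seed, 1)) == string(k2))

	s, _ := StrongKey()
	_, ok = RecoverSeed(s, victimSeed-1800, victimSeed+1800)
	fmt.Println("CSPRNG key recovered from the same window:", ok)
}
```

The check a reviewer should make on real code is the source of entropy, not the size of the key: 128 bits of output from a generator with a 32-bit (or time-derived) seed has at most that much unpredictability, and the brute force above is the consequence.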
Deterministic decryption
Note: this is not the same as “deterministic” hash property. Deterministic decryption refers to the principle that only one plain text results from the decryption of any possible ciphertext produced by the system.
Digital envelope
Using the recipient’s public key to encrypt a randomly generated symmetric (session) key; the message itself is encrypted with that symmetric key, and the wrapped key travels with the ciphertext. Only the holder of the matching private key can unwrap the session key.
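An added example (not code from the CBK or cissprep) of the digital envelope described above, combined with the sender-side signature of the “complex” hybrid scheme from the earlier card: a random AES-256-GCM data key encrypts the message, RSA-OAEP wraps the data key to the recipient’s public key, and RSA-PSS signs the whole envelope so the recipient can verify origin before decrypting. Key generation, the message and the tampering step are all constructed for the demo; the receiver’s timestamped receipt from the complex scheme would be the same signing call applied by the receiver over the envelope digest plus a timestamp.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what crosses the wire: the data key wrapped to the recipient's
// RSA public key, the AES-GCM nonce and ciphertext, and the sender's
// signature over those three fields.
type Envelope struct {
	WrappedKey, Nonce, Ciphertext, Signature []byte
}

// digest binds the fields for signing. WrappedKey (RSA modulus length) and
// Nonce (12 bytes) are fixed length, so plain concatenation is unambiguous.
func (e *Envelope) digest() []byte {
	h := sha256.New()
	h.Write(e.WrappedKey)
	h.Write(e.Nonce)
	h.Write(e.Ciphertext)
	return h.Sum(nil)
}

// GenKey is a demo helper: a fresh 2048-bit RSA key pair.
func GenKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal builds the digital envelope: a random AES-256 data key encrypts the
// message (GCM also authenticates it), RSA-OAEP wraps that key to the
// recipient, and RSA-PSS signs the whole envelope so the recipient gets
// integrity and proof of origin.
func Seal(msg []byte, to *rsa.PublicKey, from *rsa.PrivateKey) (*Envelope, error) {
	buf := make([]byte, 44) // 32-byte data key followed by 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, e := buf[:32], &Envelope{Nonce: buf[32:]}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	e.Ciphertext = gcm.Seal(nil, e.Nonce, msg, nil)
	if e.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, to, key, nil); err != nil {
		return nil, err
	}
	e.Signature, err = rsa.SignPSS(rand.Reader, from, crypto.SHA256, e.digest(), nil)
	return e, err
}

// Open verifies the sender's signature before touching the ciphertext, then
// unwraps the data key and decrypts. Any modification fails closed: a bad
// signature, a bad wrapped key or a bad GCM tag all return an error.
func Open(e *Envelope, me *rsa.PrivateKey, from *rsa.PublicKey) ([]byte, error) {
	if err := rsa.VerifyPSS(from, crypto.SHA256, e.digest(), e.Signature, nil); err != nil {
		return nil, fmt.Errorf("origin check failed: %w", err)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, me, e.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, e.Nonce, e.Ciphertext, nil)
}

func main() {
	alice, bob := GenKey(), GenKey() // sender and recipient
	env, err := Seal([]byte("transfer 12345 approved"), &bob.PublicKey, alice)
	if err != nil {
		panic(err)
	}
	pt, err := Open(env, bob, &alice.PublicKey)
	fmt.Printf("bob reads %q (err=%v)\n", pt, err)
	env.Ciphertext[0] ^= 1 // constructed tampering in transit
	_, err = Open(env, bob, &alice.PublicKey)
	fmt.Println("after tampering:", err)
}
```

Two design points worth noticing: the signature is checked first, so an attacker cannot make the recipient perform RSA decryption on attacker-chosen data, and the signature covers the wrapped key and nonce as well as the ciphertext, so none of the three can be swapped independently.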
Distributed ledger
A decentralized, graph-linked register of transactions, replicated on multiple separate systems and protected by cryptographic controls (hashes and digital signatures, i.e. techniques that rely heavily on asymmetric encryption). Blockchain is the best-known form of distributed ledger.
Blockchain
With blockchain, each block contains a chronological list of transactions and is cryptographically chained to the previous block: the hash of block n is included in block n+1, so altering any earlier transaction changes every hash after it. The integrity of any particular transaction can therefore be verified by all participants. Authenticity and non-repudiation (signed transactions) can be part of the implementation as well. Obviously this is seen in cryptocurrency, but the CBK talks about how healthcare (pharmacology) and criminal justice (chain of custody) can also take advantage of an immutable transaction record.
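An added example (not from the CBK) of the chaining property the card describes: a minimal hash-chained ledger whose Verify function recomputes every block hash and every back-link, so a change to one block shows up at that block or at the next link. The chain-of-custody entries are constructed sample data; transaction signatures, which would add non-repudiation, are not included.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
)

// Block links a batch of transactions to everything before it by committing
// to the previous block's hash.
type Block struct {
	Index    int
	PrevHash string
	Txs      []string
	Hash     string
}

// hashBlock commits to index, previous hash and every transaction, each
// transaction length-prefixed so "ab"+"c" cannot collide with "a"+"bc".
func hashBlock(b Block) string {
	h := sha256.New()
	h.Write([]byte(strconv.Itoa(b.Index) + ":" + b.PrevHash))
	for _, tx := range b.Txs {
		h.Write([]byte(strconv.Itoa(len(tx)) + ":" + tx))
	}
	return hex.EncodeToString(h.Sum(nil))
}

// Append creates a new block chained to the current tip (empty PrevHash for
// the genesis block).
func Append(chain []Block, txs []string) []Block {
	prev := ""
	if n := len(chain); n > 0 {
		prev = chain[n-1].Hash
	}
	b := Block{Index: len(chain), PrevHash: prev, Txs: txs}
	b.Hash = hashBlock(b)
	return append(chain, b)
}

// Verify recomputes every hash and checks every back-link. It returns the
// index of the first block that fails, or -1 if the chain is intact. Editing
// block k breaks k's own hash; recomputing that hash merely moves the break
// to block k+1's PrevHash, so an attacker must rewrite the entire tail.
func Verify(chain []Block) int {
	for i, b := range chain {
		if hashBlock(b) != b.Hash {
			return i
		}
		if i > 0 && b.PrevHash != chain[i-1].Hash {
			return i
		}
	}
	return -1
}

func main() {
	// constructed sample: a chain-of-custody log for one evidence item
	var chain []Block
	chain = Append(chain, []string{"item 7: seized by officer A"})
	chain = Append(chain, []string{"item 7: transferred A -> lab"})
	chain = Append(chain, []string{"item 7: hash verified by lab"})
	fmt.Println("intact:", Verify(chain) == -1)

	chain[1].Txs[0] = "item 7: transferred A -> B" // tampering with history
	fmt.Println("first bad block after edit:", Verify(chain))
	chain[1].Hash = hashBlock(chain[1]) // attacker fixes up that block only
	fmt.Println("first bad block after rehash:", Verify(chain))
}
```

In a real ledger the "must rewrite the entire tail" property is what replication and consensus build on: other participants hold copies of the tail, so a rewritten one does not match theirs.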
Remote key management services
Crypto suite management (from the Cloud Security Alliance’s SecaaS encryption guidance) describes two approaches to key management for cloud-hosted data:
1) Remote key management service (RKMS): the key management server stays on-prem under the customer’s control, while encryption processing and data hosting are done in the cloud, which requests keys from the on-prem server as needed.
Client-side key management
Part 2 of crypto suite management:
2) Client-side key management: key management hardware and all cryptographic processing are on-prem; the client encrypts before upload, so only storage is in the cloud and the provider never sees plaintext or keys. The Cloud Security Alliance has a publication that explains it if this doesn’t help: https://downloads.cloudsecurityalliance.org/initiatives/secaas/SecaaS_Cat_8_Encryption_Implementation_Guidance.pdf
Kill chains
A sequence of attacker actions (from reconnaissance through to actions on objectives) that together result in a successful attack. Detecting signs of a kill chain in progress is part of incident response. The CBK talks about reducing false positives by using file signatures and event thresholds, so that a single anomalous event does not raise an alarm but a pattern does.
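An added example (not from the CBK) of the event-threshold idea: a small detector that parses sshd-style authentication lines and alerts on a source only when its failed logins within a sliding window reach a threshold. The log format and the log lines are constructed for the demo (TEST-NET addresses); one user mistyping a password twice in an hour stays silent, a host hammering root six times in twenty seconds alerts.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"time"
)

// Event is one parsed authentication log line.
type Event struct {
	When   time.Time
	Source string
	Failed bool
}

// sshLine matches the constructed syslog-style format used by SampleLog:
// "<RFC3339 time> <host> sshd[<pid>]: (Failed|Accepted) password for [invalid user] <user> from <ip> ..."
var sshLine = regexp.MustCompile(`^(\S+) \S+ sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?\S+ from (\S+)`)

// Parse extracts timestamp, source address and outcome; other lines are ignored.
func Parse(line string) (Event, bool) {
	m := sshLine.FindStringSubmatch(line)
	if m == nil {
		return Event{}, false
	}
	when, err := time.Parse(time.RFC3339, m[1])
	if err != nil {
		return Event{}, false
	}
	return Event{When: when, Source: m[3], Failed: m[2] == "Failed"}, true
}

// Alerts applies an event threshold: a source is reported only if it produced
// at least `threshold` failed logins inside some span of length `window`.
// A lone failure never alerts; a burst does.
func Alerts(lines []string, threshold int, window time.Duration) []string {
	failures := map[string][]time.Time{}
	for _, l := range lines {
		if ev, ok := Parse(l); ok && ev.Failed {
			failures[ev.Source] = append(failures[ev.Source], ev.When)
		}
	}
	var out []string
	for src, ts := range failures {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		for i := range ts { // slide a window starting at each failure
			j := i
			for j < len(ts) && ts[j].Sub(ts[i]) <= window {
				j++
			}
			if j-i >= threshold {
				out = append(out, src)
				break
			}
		}
	}
	sort.Strings(out)
	return out
}

// SampleLog is constructed data: one user mistyping a password twice an hour
// apart, one host hammering root six times in twenty seconds, and a
// successful login that must not count as a failure.
var SampleLog = []string{
	"2024-03-01T10:00:01Z bastion sshd[4112]: Failed password for alice from 198.51.100.7 port 50211 ssh2",
	"2024-03-01T10:00:03Z bastion sshd[4112]: Accepted password for alice from 198.51.100.7 port 50211 ssh2",
	"2024-03-01T10:05:00Z bastion sshd[4201]: Failed password for root from 203.0.113.5 port 4410 ssh2",
	"2024-03-01T10:05:03Z bastion sshd[4202]: Failed password for invalid user admin from 203.0.113.5 port 4411 ssh2",
	"2024-03-01T10:05:07Z bastion sshd[4203]: Failed password for root from 203.0.113.5 port 4412 ssh2",
	"2024-03-01T10:05:11Z bastion sshd[4204]: Failed password for invalid user oracle from 203.0.113.5 port 4413 ssh2",
	"2024-03-01T10:05:15Z bastion sshd[4205]: Failed password for root from 203.0.113.5 port 4414 ssh2",
	"2024-03-01T10:05:19Z bastion sshd[4206]: Failed password for root from 203.0.113.5 port 4415 ssh2",
	"2024-03-01T10:58:40Z bastion sshd[4390]: Failed password for alice from 198.51.100.7 port 50340 ssh2",
}

func main() {
	fmt.Println("5 failures in 60s:", Alerts(SampleLog, 5, time.Minute))
	fmt.Println("1 failure in 60s: ", Alerts(SampleLog, 1, time.Minute))
}
```

The threshold and window are the tuning knobs: lowering the threshold to 1 reports the legitimate user too, which is exactly the false-positive load the CBK passage is talking about.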
Contact devices
A device that performs an action when it comes into contact with a person, such as a switch or a door. The CBK indicates that having contact devices controlled by a computer are more secure, such as a locked door that authenticates employees via central server when the correct badge is presented at the door.
Contact alarms
An alarm that triggers when the expected contact is not detected. The CBK gives the example of a door propped open, which keeps the contacts apart and trips the alarm.
Solid core / hollow core
This simply refers to doors that have a solid core and are therefore heavier and harder to force than doors with a hollow core (these terms may seem trivial to native English speakers, but for those who speak English as a second language they are worth knowing).
American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE)
Publishes HVAC (temperature and humidity) guidelines for the various classes of operating computer equipment.
ANSI/ASHRAE Standard 90.4-2019
Sets the standards for data center HVAC and energy efficiency requirements.
High density equipment
No explicit definition - this likely simply refers to having a lot of equipment/servers jam-packed together in a tight space.
Very Early Smoke Detection Apparatus (VESDA)
These are highly sensitive smoke detectors and are often implemented with sensors in the plenum space beneath the raised floor that supports racks and cabinets. The various degrees of sensitivity enable the sensor to provide different levels of alarm. A low-level might trigger a sound or warning light. A high level of smoke detection initiates the full suppression system.
Aqueous Film-Forming Foam (AFFF)
A water-based foaming agent that spreads a film over the burning material, cooling it and cutting off oxygen so that ignition and reignition are more difficult. It is primarily a Class B (flammable liquid) agent; note that AFFF contains PFAS compounds and is being phased out in many jurisdictions.
Non-conductive, nontoxic liquid suppressants (Novec)
Can be used instead of water or AFFF for class A, B, and C fires in enclosed equipment spaces where people are present.
Balanced Magnetic Switch (BMS)
A door/window contact that pairs a magnet on the moving part with a switch on the frame; the alarm signals when the magnetic field is broken (the door opens). “Balanced” means the switch is tuned to a specific field so it cannot easily be defeated by holding an external magnet against it.
Acoustic Sensors
A device that uses passive listening devices to monitor building spaces.
Infrared Linear Beam Sensors
A focused infrared (IR) beam that is produced from an emitter and bounced off a reflector that is located on the other side of the detection area.
Passive Infrared Sensors
Infrared receptors are compared to typical background infrared levels to detect intruders.
Automatic Request to Exit
An automatic sensor that detects approaching people (motion) who may be wanting to exit.
Dual-Technology Sensors
A combination of two sensor-type controls mentioned above.
Condition monitoring
Monitoring of an employee’s condition, performed remotely: check-in frequency and status, health/condition, geolocation, and whether or not the employee is under duress.
Bricking
Essentially this means turning a device into a “brick”, i.e. something completely useless to a thief. Example: an iPhone with the “Erase Data” option enabled wipes itself after ten failed passcode attempts, and Activation Lock ties the hardware to the signed-in Apple ID, so even after a full reset whoever holds the phone still needs that account’s credentials to use it. This is merely one example. The CBK mentions mobile device management (MDM), where a lost or stolen device can be remotely wiped or bricked from headquarters, likely with the push of a button.
Bound network
Simply refers to a wired network.
Unbound network
A network that is not wire-bound, such as radio frequency, light wave (Li-Fi), or acoustic wave technology.
Acoustic waves
Unbound (wireless) transmission that carries data on acoustic (sound) waves rather than radio; used, for example, underwater, where radio signals propagate poorly.
Line driver
A circuit that converts digital signals from a computer’s circuits into a voltage/current that can be sent down a longer wire. Signals inside circuits can only travel about half a meter before they experience too much attenuation, so line drivers provide signals that can travel down 100-meter distances on a Cat 6 Ethernet cable. The CBK talks about how LEDs in optical links also act as line drivers.
Multiplexer
Combines multiple signals into a signal path for transmission. Multiplexers are advantageous when there is limited bandwidth. Multiplexers can be simple hubs or very sophisticated dense-wave division multiplexers (DWDMs).
Dense-wave division multiplexer (DWDM)
Combines multiple optical signals, each on its own wavelength, onto one strand of optical fiber.
Infiniband
A type of high-speed switched-fabric networking technology. InfiniBand provides interconnection between supercomputer nodes and storage, and differs from Ethernet in having better flow control and congestion management. Packets are prioritized into virtual lanes, allowing high-priority traffic to be queued first, which gives a more predictable degradation in performance as load increases. It can provide up to 600 Gbit/s of bandwidth in certain computing environments.
Broadband over power line
Delivers broadband over the current low- and medium-voltage electric wiring/grid. BPL speeds are similar to DSL and cable modem speeds. It is opposed by bandwidth providers and radio frequency spectrum users who are concerned with interference. In 2019 the IEEE adopted a revised standard to support IOT devices where BPL uses frequency division multiplexing.
Frequency division multiplexing
From wikipedia: In telecommunications, frequency-division multiplexing (FDM) is a technique by which the total bandwidth available in a communication medium is divided into a series of non-overlapping frequency bands, each of which is used to carry a separate signal.
PPPoE
Point-to-Point Protocol over Ethernet allows multipoint Ethernet networks to carry virtual point-to-point connections. Discovery consists of a four-step handshake (PADI, PADO, PADR, PADS) between the client and a PPPoE server (access concentrator), after which a PPP session is established and the client is assigned an IP address; the address is released when the session ends, which allows the ISP to reuse its IP addresses efficiently.
Arbitration
In the context of load management, networks are required to arbitrate between the various nodes to determine when a device can send traffic.
Deconfliction
Same as above, deconfliction refers to arbitration.
Polling protocols
Each device is allotted a specific amount of time for exclusive access to the infrastructure (token passing is the classic example). As the number of devices on the network increases, the bandwidth available to each device decreases in a predictable manner, which is why this is also known as a deterministic network.
Contention-based protocols
The category of protocols that includes CSMA/CD and CSMA/CA (collision detection, collision avoidance), meaning that devices must sense whether another device is attempting to communicate.
Anycast
A one-to-one transmission in which the destination is any one member of a group of devices sharing the same address; also called one-to-one-of-many. Content distribution networks use anycast so that requests to a single advertised address reach regional distribution servers. The exact “destination” doesn’t really matter; the sending node just wants one member of the anycast group to receive the message. Routing picks the recipient: typically the closest node, the one with the fewest hops, or one on a less congested network path than the others in the group.
Geocast
Geocast is similar to a broadcast, but the destination IP addresses are restricted to a predefined geographic area.
Dual stack
Hosts and network devices run both the IPv4 and IPv6 protocol stacks simultaneously, so each can talk to either kind of peer during the transition.
Native IPv6
Native IPv6 requires complete conversion of all internal network segments and components including software to IPv6.
IPv6 at the edge
IPv6 at the edge is where you have all publicly facing content and resources accessible to either IPv4 or IPv6 protocol.
Automatic private IP addressing (APIPA)
APIPA is reserved for use when DHCP fails. Addresses are taken from 169.254.0.0/16 (169.254.x.x), which falls in the former class B range. They are link-local only, with no default gateway, so a host gets connectivity to its local segment and nothing routed until DHCP becomes available again.