CISSprep - Missing Topics from Common Books Flashcards

(249 cards)

1
Q

Unilateral NDA

A

One-way disclosure, meaning that one (uni) company is disclosing something, for example a flat file that’s sent to another organization for its own contracted use.

2
Q

Bilateral NDA

A

Two-way disclosure. Example: exchange of files between two organizations. In the previous example, if the flat file was then bounced up against another DB to match with SSNs or names, and then populated with new demographic data.

3
Q

Multilateral NDA

A

Disclosures made among three or more parties.

4
Q

Non-compete agreement

A

Basically an agreement in which the individual agrees that they won’t use your data/secrets to become your competition.

5
Q

Prudent actions

A

Prudent actions are those that most people in similar life circumstances would take. For example, if the speed limit is 55 you might be able to argue that most “prudent” people are usually within 5 to 10 miles over or under the speed limit.

6
Q

Reasonable actions

A

Reasonable actions are actions that have logical justification. For example, if you break someone’s rib during a karate class, it’s probably reasonably justified, but if you do that to a random person on the street, it’s not justified (or in this case, reasonable).

7
Q

Data portability

A

Data portability – this is a GDPR right, and says that an individual can have their data securely transferred from one service or controller to another, and that controllers need to provide a mechanism for such requests to be made, such as a paper form to be submitted that requests the transfer, or maybe an online web form.

8
Q

Data localization

A

Data localization refers to the requirement that data be processed and stored in the country of the data’s origin, or where it was collected. GDPR discusses this principle in the context of the conditions that are required before transmitting EU data outside of the EU.

9
Q

GDPR privacy principles

A

Purpose limitation – this means it should be collected for the stated purpose.

Data minimization – this means it should be used for the stated purpose.

Accuracy – this means there should be a method for the data subject to make corrections so that the info is accurate.

Storage limitation – basically, don’t keep the information longer than needed.

Integrity/confidentiality – this means you should prevent unauthorized modifications or views of the data.

Accountability – means that your organization must demonstrate compliance with these principles and is accountable/responsible for the data.

10
Q

Article 5 (accountability)

A

Accountability – means that your organization must demonstrate compliance with these principles and is accountable/responsible for the data.

11
Q

Public chapter

A

Public Chapter (previously “public domain”) – use is allowed without constraints, for any purpose, including modification and customization. Support and extra features must be purchased.

12
Q

Secure defaults

A

Video explanation: https://youtu.be/EtmTmqCglr4
SECURE DEFAULTS, derived from NIST SP 800-53 control number SA-8, sub control # (23) also known as restrictive defaults – from a manufacturer’s point of view means that products are securely configured “as-shipped”, meaning customers don’t have to apply a lot of configurations out of the box; the product or software is capable of preventing breaches from the get-go, and that the product should initialize / startup in a secured state. It also means that during any unsuccessful initialization, it should still perform actions in a secure state, or not perform the actions at all.

13
Q

Restrictive defaults

A

Video explanation: https://youtu.be/EtmTmqCglr4
From a manufacturer’s point of view means that products are securely configured “as-shipped”, meaning customers don’t have to apply a lot of configurations out of the box; the product or software is capable of preventing breaches from the get-go, and that the product should initialize / startup in a secured state. It also means that during any unsuccessful initialization, it should still perform actions in a secure state, or not perform the actions at all.

14
Q

Zero trust

A

An architecture in which nothing is trusted. Just like the name implies, devices and users need to be authenticated and authorized for each and every action. https://cissprep.net/architecture-terminology/

15
Q

Privacy by design

A

Privacy should be implemented throughout the entire SDLC, and it needs to be collaborated on and communicated at all staffing levels throughout the project.

16
Q

Trust but verify

A

Trust but verify – has two additional names to be aware of: system assurance and security verification. This is basically a process of monitoring and looking for the presence/absence of proper/improper behaviors against some type of measurable criteria. https://cissprep.net/architecture-terminology/

17
Q

HITRUST

A

A collection of frameworks compiled into a single resource with the objective to normalize the different sets of security requirements into a single trusted certification/assessment.

18
Q

Privacy Management Framework (PMF)

A

PMF was created as a revision to the 2009 Generally Accepted Privacy Principles (GAPP) by the AICPA. It incorporates local information and data privacy laws and standards, including GDPR, and updates to the AICPA’s Trust Services Criteria (TSC).

19
Q

SWIFT security control framework

A

A security control framework for financial and payment card system builders. PCI is for payment card processors only, whereas SWIFT has a much broader scope. https://www.swift.com/about-us

20
Q

Cloud Security Alliance’s IOT security control framework

A

CSA STAR is the Cloud Security Alliance’s program, which publishes standards for cloud security. Of interest are its tiers: Tier 1, in which participants self-assess by filling out a questionnaire; Tier 2, which is a third-party assessment; and Tier 3, which is currently in draft but would include continuous monitoring.

21
Q

Maximum Allowable Outage

A

Formerly called “MAD”, this is the amount of time for an outage that the organization can suffer without causing irreparable harm.

22
Q

Asset-based risk perspective (there are 4 risk perspectives in new CBK)

A

Asset-based is identifying risks based on what can happen to your assets.
https://cissprep.net/risk-management/

23
Q

Outcome-based risk perspective

A

Outcomes-based is identifying what can happen to your desired outcomes, such as profits, income, or sales.

24
Q

Vulnerability-based risk perspective

A

Vulnerability-based is centered around inherent weaknesses.

25
Threat-based risk perspective
Threat-based revolves around who can perform the attacks.
26
Hazard (difference between hazard and risk - these are explicitly defined in the new CBK)
Hazard is basically a natural disaster like an earthquake or tornado.
27
Prioritize (the new pre-step before the standard 4 responses)
Management makes two decisions about risk. The decisions are: 1) Prioritize. 2) Decide how to handle the risk. This is where the four sub-decisions come into play.
28
Micro training
Smaller modules than the typical annual training. An example would be a small module that trains users on how to avert phishing attempts, typically following an approved phishing campaign that's overseen by the information security office.
29
Gamification
Refers to adding games to your education & training modules. An example would be one of the matching questions you might get on the exam but with images instead of words. Like dragging red flags over the text of a fake phishing email wherein points and scores are given.
30
Materials (CBK indicates there is a difference between materials and supplies)
Materials are the expendable items that go into finished products; things like ink and paper that go into newspapers.
31
Supplies
Supplies are the expendable items that go into the administrative support of creating finished products – you can also view supplies as items related to business administration rather than product creation. For example, supplies would be the ink and paper used in the office staff’s workspace, but not for the newspaper itself.
32
Tangible assets
Tangible assets have a physical existence. You can touch them, such as computer servers, land, or buildings.
33
Intangible assets
Don't really have a physical existence. These could be ideas, reputations, undocumented agreements, but typically would be data, and software.
34
IT asset management lifecycle
Covered in detail here: https://cissprep.net/asset-lifecycle/
35
Planning (part of IT asset management lifecycle)
Planning is where you would identify the assets, put a value on them, and put them in the inventory.
36
Assigning security needs (part of IT asset management lifecycle)
Assigning the security needs, this is where you would classify and categorize the assets. This step likely includes assigning the protection levels or baselines if they exist.
37
Acquiring (part of IT asset management lifecycle)
Acquiring the asset(s), whether that’s internally creating the software or purchasing the hardware.
38
Deployment (part of IT asset management lifecycle)
Deployment refers to deploying the assets and conducting training for all levels of users and support functions
39
Managing (part of IT asset management lifecycle)
Managing refers to the ongoing and continuous security assessment of the assets. This step includes backup and recovery activities.
40
Retiring (part of IT asset management lifecycle)
Retiring – obviously this step includes disposal.
41
Kiosk service point
Kiosk service points are mentioned in Domain 2. They are remote assets that can process transactions, such as automated teller machines (ATM) and point of sale devices (at stores, for purchasing with credit/debit cards). These assets typically don’t store transaction information themselves; rather, the applications that support them do.
42
Data security lifecycle (CSUSAD)
Covered in detail here: https://cissprep.net/asset-lifecycle/
43
Data lifecycle (note: there are two versions with different phases in the CBK)
Covered in detail here: https://cissprep.net/asset-lifecycle/
44
Pervasive encryption
Pervasive encryption is something that IBM is developing that could theoretically encrypt data in use or data in process.
45
Enclave
A secure enclave is an isolated component of the architecture that allows data in use (cleartext) to be protected from other less protected parts of the architecture.
46
Complex Hybrid Cryptography
“Complex” hybrid cryptography adds digital signatures on the sides of the sender and the receiver, with an added timestamp from the receiver. The digital signature provides integrity and proof of origin from the sender, and it provides proof of delivery from the receiver. Video explanation: https://youtu.be/NJVkR85p3dg
47
Type 1 security
Reduces attack surface over type 2 (runs on "bare metal"), each VM has a separate OS.
48
Type 2 security
Multiple VMs run on a single OS, more attractive to attackers since the OS typically has many vulnerabilities.
49
Government cloud
Government cloud supports government agencies and their contractors. Not open to the general public.
50
VM sprawl
An administrator has lost control of all the VMs on a network, which jeopardizes all the services offered.
51
High performance computing systems
Refers to super high-speed computers. These are used for big data, or data analytics to look at things like buying patterns of individuals so they can be sold to retailers for ads, etc. HPCs are also used for cryptography, hacking and cryptanalysis.
52
Edge computing
A layer of computing is put at the input source. For example, the layer can be an embedded device, such as an IOT fridge, or an IOT thermostat or cooling system.
53
Fog computing
Know the difference between edge and fog computing… The key difference between these is where the computations are done. Just remember the phrase “Edge is Embedded, Fog is further”. From what we understand, the purpose of both of these is to reduce the computational cost on the cloud servers. Edge is done at the source, fog is typically done further out but not in the cloud.
54
Key space clumping
Key space clumping or Key space clustering has to do with keys not being randomly generated or that the key randomization is not up-to-par somehow. ISC2’s material on this is lacking, and research on the web is very technical, however, PLEASE be aware that the term “key clustering” refers to something different. There could also be a mistake in the CBK in terms of how it's worded. Key clustering – when different keys generate the same ciphertext from the same message
55
Clustering/clumping of pseudorandom numbers
Again, the CBK is lacking here: clustering/clumping of the pseudorandom numbers used in key generation, or of the keys themselves, can make it easier to predict the next key that will be generated.
56
Deterministic decryption
Note: this is not the same as "deterministic" hash property. Deterministic decryption refers to the principle that only one plain text results from the decryption of any possible ciphertext produced by the system.
57
Digital envelope
Using someone’s public key (the recipient) to encrypt a symmetric key to be used for communications.
58
Distributed ledger
A decentralized, graph-linked register of transactions that are protected by cryptographic controls that rely heavily on asymmetric encryption techniques such as blockchain. The record of transactions is maintained on multiple, separate systems.
59
Blockchain
With blockchain, each block contains a list of chronological transactions, which is then cryptographically attached to the transaction record. The integrity of any particular transaction can be verified by all participants. Authenticity and non-repudiation can be part of the implementation as well. Obviously this is seen in cryptocurrency, but the CBK talks about how healthcare (pharmacology), and criminal justice (chain of custody) can also take advantage of an immutable transaction record.
60
Remote key management services
Crypto suite management is a cloud key management solution that has two approaches: 1) Remote key management service (RKMS). The key management server is on-prem. Processing and hosting is done at the cloud level.
61
Client-side key management
Part 2 of crypto suite management: 2) Client-side key management. Key management hardware and processing is on-prem. Storage is in the cloud. Cloud Security Alliance has a publication to explain it if this doesn’t help: https://downloads.cloudsecurityalliance.org/initiatives/secaas/SecaaS_Cat_8_Encryption_Implementation_Guidance.pdf
62
Kill chains
A sequence of actions that results in a successful attack. Detecting signs of a kill chain is part of incident response. The CBK talks about reducing false positives by using file signatures and event thresholds.
63
Contact devices
A device that performs an action when it comes into contact with a person, such as a switch or a door. The CBK indicates that having contact devices controlled by a computer is more secure, such as a locked door that authenticates employees via a central server when the correct badge is presented at the door.
64
Contact alarms
An alarm that triggers if the right contact isn't detected. The CBK talks about doors being propped open that trigger contact alarms.
65
Solid core / hollow core
This simply refers to doors that have a solid core and are heavier than doors with a hollow core (these terms may seem trivial to native English speakers, but for those who speak English as a second language these terms are important).
66
American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE)
HVAC standards for the various levels of operating computer equipment.
67
ANSI/ASHRAE Standard 90.4-2019
Sets the standards for data center HVAC and energy efficiency requirements.
68
High density equipment
No explicit definition - this likely simply refers to having a lot of equipment/servers jam-packed together in a tight space.
69
Very Early Smoke Detection Apparatus (VESDA)
These are highly sensitive smoke detectors and are often implemented with sensors in the plenum space beneath the raised floor that supports racks and cabinets. The various degrees of sensitivity enable the sensor to provide different levels of alarm. A low-level might trigger a sound or warning light. A high level of smoke detection initiates the full suppression system.
70
Aqueous Firefighting Foam (AFFF)
A water-soluble foaming agent that penetrates combustible material and makes ignition and reignition more difficult.
71
Non-conductive, nontoxic liquid suppressants (Novec)
Can be used instead of water or AFFF for class A, B, and C fires in enclosed equipment spaces where people are present.
72
Balanced Magnetic Switch (BMS)
Uses a magnetic field or mechanical contact to determine if an alarm has signaled.
73
Acoustic Sensors
A device that uses passive listening devices to monitor building spaces.
74
Infrared Linear Beam Sensors
A focused infrared (IR) beam that is produced from an emitter and bounced off a reflector that is located on the other side of the detection area.
75
Passive Infrared Sensors
Infrared receptors are compared to typical background infrared levels to detect intruders.
76
Automatic Request to Exit
An automatic sensor that detects approaching people (motion) who may be wanting to exit.
77
Dual-Technology Sensors
A combination of two sensor-type controls mentioned above.
78
Condition monitoring
Monitoring of an employee’s condition (performed remotely): check-in frequency status, health/condition, geolocation, and whether or not the employee is under duress.
79
Bricking
Essentially this means turning a device into a "brick", or something that's completely useless to a thief. For example, some iPhones will become "bricks" if the passcode is guessed too many times: not only will the physical phone be locked permanently, but the currently logged-in Apple ID will also be locked. Even if the phone is completely reset, the person resetting the iPhone will still need to know the previous passcode. This is merely one example. The CBK mentions mobile device management where bricking a device could be achieved from headquarters, likely with the push of a button.
80
Bound network
Simply refers to a wired network.
81
Unbound network
A network that is not wire-bound, such as radio frequency, light wave (Li-Fi), or acoustic wave technology.
82
Acoustic waves
A type of wi-fi using acoustic waves (sound waves).
83
Line driver
A circuit that converts digital signals from a computer's circuits into a voltage/current that can be sent down a longer wire. Signals inside circuits can only travel about half a meter before they experience too much attenuation, so line drivers provide signals that can travel down 100-meter distances on a Cat 6 Ethernet cable. The CBK talks about how LEDs in optical links also act as line drivers.
84
Multiplexer
Combines multiple signals into a signal path for transmission. Multiplexers are advantageous when there is limited bandwidth. Multiplexers can be simple hubs or very sophisticated dense-wave division multiplexers (DWDMs).
85
Dense-wave division multiplexer (DWDM)
Combines multiple optical signals onto one strand of optical fiber.
86
Infiniband
A type of high-speed switched fabric networking technology. Infiniband provides interconnection between supercomputers and differs from Ethernet in that it has better flow control and congestion management. Packets are prioritized into virtual lanes allowing high-priority traffic to be queued first, which provides a more predictable degradation in performance when the load increases. It can provide up to 600gb bandwidth in certain computing environments.
87
Broadband over power line
Delivers broadband over the current low- and medium-voltage electric wiring/grid. BPL speeds are similar to DSL and cable modem speeds. It is opposed by bandwidth providers and radio frequency spectrum users who are concerned with interference. In 2019 the IEEE adopted a revised standard to support IOT devices where BPL uses frequency division multiplexing.
88
Frequency division multiplexing
From wikipedia: In telecommunications, frequency-division multiplexing (FDM) is a technique by which the total bandwidth available in a communication medium is divided into a series of non-overlapping frequency bands, each of which is used to carry a separate signal.
89
PPPoE
Point-to-Point Protocol over Ethernet allows multipoint Ethernet networks to create virtual point-to-point connections. It consists of a four-step handshake and allows clients to connect to a PPPoE server and obtain a destination IP address to send to; the address is released when the connection is over, which allows the ISP to efficiently reuse the IP addresses.
90
Arbitration
In the context of load management, networks are required to arbitrate between the various nodes to determine when a device can send traffic.
91
Deconfliction
Same as above, deconfliction refers to arbitration.
92
Polling protocols
Each device is allotted a specific amount of time for exclusive access to the infrastructure. As the number of devices on the network increases, the bandwidth available to each device decreases in a predictable manner. Also known as a deterministic network.
93
Contention-based protocols
The category of protocols that includes CSMA/CD and CSMA/CA (collision detection, collision avoidance), meaning that devices must sense whether another device is attempting to communicate.
94
Anycast
A one-to-one transmission that uses the services of a group of devices. It’s also called one-to-one-of-many. Content distribution networks use anycast to push a continuous flow of content to regional sub-distribution servers. The “destination” address doesn’t really matter, the sending node just wants somebody in its anycast group to receive the message. The recipient could be the closest node, or the one that has the shortest number of hops, or it could be the recipient on a network path that has less traffic than the others in the anycast group.
95
Geocast
Geocast is similar to a broadcast, but the destination IP addresses are restricted to a predefined geographic area.
96
Dual stack
Uses specialized devices that can handle both IPv4 and IPv6 protocols.
97
Native IPv6
Native IPv6 requires complete conversion of all internal network segments and components including software to IPv6.
98
IPv6 at the edge
IPv6 at the edge is where you have all publicly facing content and resources accessible to either IPv4 or IPv6 protocol.
99
Automatic private IP addressing (APIPA)
APIPA is reserved for use when DHCP fails. Addresses are in the form 169.254.x.x, which falls in the class B range. It provides limited connectivity until DHCP becomes available again.
100
Distance vector
Distance-vector routing protocols measure the distance to a destination IP by the number of hops (routers) a packet has to pass through.
101
Path vector
A path vector protocol maintains the path information that gets updated dynamically. The routers accumulate the cost of a particular path, and validate that the path is loop-free before advertising known paths via updates to peers.
102
Routed protocol
Differs from "routing protocol". Routed protocols (IPv4 and v6) define how data can be routed over a network. Routing protocols are used by routers to communicate and coordinate with each other, such as distance vector, path vector, link-state, and multiprotocol label switching.
103
Autonomous systems (ASN)
Supports the routing management between two or more autonomous systems.
104
Routing protocol classifications (interior, exterior gateway, classical, classless, distance vector, path vector, link-state)
This is actually not clearly captured in my CBK notes (there was a figure, but I didn't copy it down, sorry!). It indicates there are 3 classes, but web research is mixed. Likely this is not as important as the difference between "Routed" and "Routing". See two cells above this for clarification on the difference.
105
Intermediate system to intermediate system (ISIS) (IS-IS)
A link-state protocol that works at the data link layer that uses a shortest path first algorithm.
106
Area border router
Segments autonomous systems into areas, or Autonomous System Boundary Routers (ASBR) that support routing management between two or more autonomous systems.
107
DHCPV6
Manages the assignment of IP addresses for IPv6 clients.
108
Modbus or Mod bus
Information is passed without cryptographic protection and is susceptible to denial of service. Also does not provide authentication. Widely used in supervisory control and data acquisition (SCADA) infrastructures.
109
east bound interface
East-west bound interfaces refer to “sideways” communications between storage and hypervisors in the virtual or cloud environment.
110
west bound interface
East-west bound interfaces refer to “sideways” communications between storage and hypervisors in the virtual or cloud environment.
111
microsegmentation
Microsegmentation is referred to in zero-trust networks, where firewalls are found at every connecting point, and where information, services, and security properties are encapsulated.
112
Root of trust
Root of trust refers to an immutable (unchangeable) trusted hardware component such as the TPM. Root of trust is also referred to as a trust anchor that subsequent actions can rely on, to make sure they’re starting from a secure system state.
113
Trust anchor
Root of trust refers to an immutable (unchangeable) trusted hardware component such as the TPM. Root of trust is also referred to as a trust anchor that subsequent actions can rely on, to make sure they’re starting from a secure system state.
114
Immutability
Immutability means unchangeable. It is an essential component of ROT. Since software is changeable, immutability is harder to achieve. Hardware-based ROT can guarantee authenticity and integrity of an initialization process.
115
Hardware-based ROT (root of trust)
Hardware-based ROT can guarantee authenticity and integrity of an initialization process.
116
802.1X (PNAC)
A port-based network access control (or PNAC) protocol, which provides authentication control for devices connecting to both local area networks and wireless LANs. It has three components: 1) supplicant (users’ device) 2) authenticator (a switch or access point) 3) authentication server. 802.1X provides the following:
- Detection of devices attempting to make a network connection
- Authentication of devices
- Authorization of devices
- Enforcement of the security requirements as defined by the policy
- Device scanning, checking the devices' current security settings
- Onboarding, setting or modifying the security settings
- Termination, cleaning up after session termination
The enforcement process is different between wired and wireless devices. With wireless devices, the device must first authenticate itself to the access point using Wi-Fi Protected Access (WPA). Wired devices will connect via a switch, which will provide port-based authentication.
117
Captive portal
Authentication controls for wireless networks that are implemented for public use at hotels, restaurants, libraries, etc. The way it works is to force a newly connected device to a starting webpage to establish authorized access. For a hotel you might have to enter your room number and last name. It might require other credentials like payment amount, or an access code. The portal is also a good place to display privacy policies and acceptable use terms and conditions. If end user consent for tracking and information collection is required, the Captive portal allows for that as well. Once the end user satisfies the conditions required by the starting page, only then can they communicate across the network.
118
Vertical Privilege Escalation
Vertical Privilege Escalation (or privilege elevation) is when an attacker uses an account they have access to, or one they’ve gained unauthorized use of by some means, to run applications or services at higher permission levels. This happens when the application developers have made incorrect assumptions about the use cases for privileged functions, or if the application allows command injection or exploits to be used. Phishing attacks that lure victims into entering sign-on credentials are a stepping-stone to vertical privilege escalation.
119
Horizontal Privilege Escalation
Horizontal Privilege Escalation, also known as lateral movement is where the attacker uses an account they have access to as a way to discover, fingerprint, and gain access to other resources. For example, a user of applications and data on one server can “jump” horizontally, or sideways, to another server to access data or resources residing therein.
120
Strong Star Property
Only write to objects at the same security classification level as the subject, or, a lateral write, so there is no write down or write up, only a “write sideways”.
121
Access Control As A System
Refers to approaching access control as an entire system of physical access controls, such as locking mechanisms, that interface with logical access controls, that are both controlled by a server or access control system that makes decisions and keeps logs. The common body of knowledge illustrates this with a model of an employee scanning his badge on a door reader, which sends data to the access control server, which then reads the data and logs the attempt, sending a reply to the locking mechanism controller, which then decides to unlock the door or deny the request.
122
Physical Access Token
Portable security device that shows a number that is synchronized or not synchronized with the authenticating system. Physical tokens are devices that generate one-time codes and are activated through a second action, whether it’s the push of a button on the device, or through swiping or inserting the token into a reader. A one-time pad generates a new code on both the server and the user’s device. Software installed on a mobile device that generates the code would be included in ISC2’s definition of a physical token.
123
Logical Access Token
Data packages sent from access control systems to applications and servers after the user has authenticated. The data packages indicate what the user is authorized for in order to establish sessions. The tokens typically have an expiration time and date that are based on security needs.
124
Hybrid Identity as a Service
Simply means that the service is partially hosted on premises and partially hosted in the cloud.
125
Identity lifecycle
Steps shown below: provisioning, authentication, authorization, accounting, user behavior review, job duties review, disable and deprovision, account access review.
126
Authentication (part of identity lifecycle)
Authentication is the act of a user claiming an identity by presenting proof that they own the ID (e.g. password).
127
Authorization (part of identity lifecycle)
Approval of the user to access resources under a user ID and/or credential.
128
Accounting (part of identity lifecycle)
Logging of account creations, deletions, modifications.
129
User behavior review (part of identity lifecycle)
Tracking user activity and reviewing to ensure appropriate use of system.
130
Job or duties review (part of identity lifecycle)
Reviewing documented job duties against the real activities that are actually performed by the employee.
131
Permission aggregation
Another term for privilege creep is Permission Aggregation. This is when a user changes job duties but keeps the old permissions. When this happens once or more, permissions/privileges are aggregated, or collected, often unwittingly, but presents a security risk.
132
Dual custody
Also known as dual control, requires two or more people to simultaneously perform separate actions to complete a critical action.
133
Identity store
A directory that contains information about users. It includes application IDs, names, group memberships, credentials and identification attributes. It allows applications to authenticate against it. AD is an example. Certificate authorities are another example, they maintain certificate identity stores.
134
FICAM
The FICAM Roadmap and Implementation Guidance Version 2.0 has the following five-step enrollment process below.
135
Sponsorship (step 1 of 5 in FICAM)
Authorized entity “sponsors” a credential with a credential service provider.
136
Enrollment/registration (step 2 of 5 in FICAM)
A sponsored user/claimant enrolls for the credentials, includes identity proofing.
137
Credential production (step 3 of 5 in FICAM)
As the term implies, the credentials are created, including cards, cryptographic keys, digital certificates, etc.
138
Issuance (step 4 of 5 in FICAM)
Disclosing or granting access to the credentials.
139
Credential lifecycle management (step 5 of 5 in FICAM)
Activities including re-issuance, revocation, re-enrollment, expiration, suspension, reinstatement, etc.
140
Single sign-on
Typically there is a single repository of user credentials. There can be multiple credentials for multiple applications, or one set of credentials and multiple access tokens, it just depends on the security needs and requirements. Each attempt by a user to access another server requires a back-end authentication exchange between the SSO repository and the resource servers.
141
NTP (kerberos)
Network time protocol
142
Formal assessment
Evaluations against a compliance standard, which includes regulatory and other legal requirements.
143
Informal assessment
Done to provide insight, but they’re basically done the same way. They might be done by an internal group, or in an informal setting, but the objective is what matters here – which is purely to gain insight. An informal assessment might be done before a formal assessment as a preparatory exercise.
144
Condition (component of finding)
This is a statement that describes results of the test. For example, the test discovered plaintext at rest on backup media. A condition may include a severity level, or risk level, for example ‘high severity’ might refer to critical or sensitive data associated with the finding.
145
Criteria (component of finding)
The standard or requirement that was used to measure the activity, so in our example we could say that the criteria, or requirement is that data must be encrypted at rest.
146
Cause (component of finding)
Is the explanation of why a problem occurred. This could be that the application backing up the data doesn’t have any cryptographic capabilities, or that the version is deprecated and doesn’t support encrypting backups.
147
Effect (component of finding)
This is the resulting impact, i.e. the difference between the condition and the criteria. In our example, we might say that the effect is that we now have data that’s vulnerable or susceptible to exfiltration (theft), unauthorized access, or unauthorized use.
148
Recommendation (component of finding)
This is the action that needs to be taken to correct the cause. So in this case we might recommend upgrading the software license or replacing the software to a newer product that supports encryption. If there is a severity level associated with the finding, the recommendation should include a minimum remediation/resolution date.
149
No notice assessment
Simply means that the situation being evaluated has no forewarning of the evaluation (e.g. spot check, desk audit). A no-notice assessment isn’t really a ‘type’ of assessment, it’s basically a surprise audit, or an informal assessment where notice isn’t given. It can likely fit into a subcategory, or type of informal assessment.
150
Trust services criteria
Trust services criteria are used by SOC2, SOC3, and SOC for cybersecurity.
151
SOC reports for cloud and data centers
N/A, as these fall under the other SOC reports. Be sure to understand when to use which type of report/audit, and remember that it still applies to cloud/data centers, or other third parties.
152
Conducting a SOC audit (two phases)
Too lengthy for this cell; best to review it at this link, scroll down past the first youtube video to where it says "Phase One": https://cissprep.net/soc-audits-and-report-types/
153
Internal audit steps (chartering, testing, reporting, remediation)
The steps of an internal audit/assessment are: Chartering, testing, reporting and remediation
154
External audit steps (chartering, pre-audit planning, audit execution, audit reporting)
Chartering, pre-audit planning, audit execution, audit reporting. To see what happens at each step, view it in our study guide: https://cissprep.net/audits-and-assessments/
155
Compliance audit (CBK now defines "types" of audits)
Compliance audits that test specific controls to determine if the controls meet a particular standard (related to laws, regulations).
156
Financial audit
Evaluate the accuracy of financial reporting.
157
Operational audit
Test the internal controls of a process.
158
Information systems audit
Evaluate controls performance in the development and operation of information systems.
159
Integrated audit
Combines elements of both operational and financial audits.
160
Forensic audit
Focused on discovering, investigating, and reporting on fraud or other criminal activity.
161
NCSC (12 principles)
Covered in detail at the bottom of this page: https://cissprep.net/audits-and-assessments/
162
Compliance test
Determines if, in the opinion of the assessor, the control exists and is operating properly. If the control requires an effective onboarding/offboarding process, for a compliance test the assessor might examine a list of authorized users (via personnel file or management) against a list of system users with those permissions.
163
Substantive test
Evaluates the proper operation of a process. In our prior example, if the assessor were to conduct a substantive test, the assessor would document the actual onboarding and offboarding of an employee through observance or examination of log artifacts to ensure that the user was properly added, permissions assigned, and that the account and permissions were removed timely. Substantive tests provide better assurance but are more expensive.
164
Code review (the six objectives)
Covered in detail here, under static source code analysis: https://cissprep.net/software-development-testing-methods/
165
Ethical penetration testing (includes steps/methodology: chartering, discovery, scanning, exploitation, reporting)
Covered here in detail: https://cissprep.net/control-assessment-methods-tools-and-testing/ See middle of page, ethical penetration test.
166
Rules of engagement
Rules that are explicit about what is, will, and can/can't be done during a pentest. Specifies the limits of liability for the penetration testers.
167
Bug bounty
A program that encourages outside researchers to find and report vulnerabilities in a company's products and systems.
168
Blind test
Ethical pentests can include both a Blind test, where the tester has no knowledge of the organization, and a Double-Blind test, where neither the tester nor the organization has knowledge of the test (with the exception of approving management).
169
Double-blind test
Ethical pentests can include both a Blind test, where the tester has no knowledge of the organization, and a Double-Blind test, where neither the tester nor the organization has knowledge of the test (with the exception of approving management).
170
Continuous full-cycle testing
Assessing controls from the perspective of continuous monitoring, or from the perspective that some assessments, such as penetration testing, represent a point in time and findings can become outdated.
171
Chaos engineering
Forces production systems to fail, and then tracks the detection, incident response and recovery activities. The internal response groups are not told in advance (blind test?) and treat the failure as if it were an actual attack, not a simulation. Keep in mind that real shut-downs may be costly, and do not represent a true attack (because they are designed internally).
172
Service-level agreement validation (in the context of synthetic performance monitoring)
A scripted process can measure aspects of availability (e.g. authentication) to document whether service levels are being met.
173
Six sigma approach (five steps)
First, define the problem. Second, measure the process and collect performance data. Third, analyze the data relationships, causality, and root cause. Fourth, improve the current process using the data and try out the new and improved process. Fifth, control the future state process to eliminate any deviations before they can result in defects and implement control systems that continuously monitor the process. Tailoring the process is important because there isn’t a one-size-fits-all approach to CPI.
174
Plan-do-check-act (four steps)
Popular, and often referred to as the Shewhart or Deming cycle. This simple approach breaks down the process improvement into four steps. Explained in our study guide toward the bottom of the page: https://cissprep.net/control-assessment-methods-tools-and-testing/
175
Non-disclosure (in the context of ethical disclosure)
It’s important to point out that auditors, assessors, and reviewers may be under non-disclosure agreements in addition to the charter or ROE. Depending on the circumstances, disclosure can be restricted or bound to other legal requirements, especially when it may interfere with an ongoing investigation or violate the privacy rights of the individuals involved.
176
Full disclosure (in the context of ethical disclosure)
Full disclosure indicates that when something bad is discovered, the discoverer should publicize the weakness as soon as possible to all affected entities.
177
Responsible disclosure (in the context of ethical disclosure)
Responsible disclosure is when a weakness is reported to the organization responsible for addressing that weakness, and some time is granted to address the issue before public disclosure.
178
Mandatory reporting
The circumstances uncovered may require reporting to authorities regardless of NDAs or chartering. While the laws vary, computer crimes, particularly those involving minors, may have mandatory reporting in many places. Information security professionals should understand their legal obligations for reporting such activity prior to conducting any audits or examinations.
179
Whistleblowing
When someone feels ethically obligated to report a situation to authorities, this is called whistleblowing. Whistleblowing laws may or may not afford legal protection to the discloser. Security professionals are responsible for understanding the legal status of whistleblowing in the jurisdiction under review prior to disclosure.
180
Full cutover
A disaster recovery test that causes an actual interruption to service.
181
Desk check
A disaster recovery exercise where everyone stays at their desk to review documents.
182
XDR
Extended detection and response, a form of EDR (endpoint detection and response) that is more robust and uses AI analytics.
183
Self hosted, self-managed
Your organization does everything in-house related to managing security services.
184
Cloud SIEM, self-managed
Cloud SIEM, self-managed: means that the cloud provider collects and aggregates the logs, but the customer, or your organization, manages the detection systems, the operations, analysis, correlation, rules, alerting, and incident response activities.
185
Hybrid self-hosted
Hybrid self-hosted: means that the customer organization hosts all the systems and hardware on site, but the MSSP is a partner in the collection and correlation tasks, and may participate in the overall process.
186
SIEM as a service
SIEM as a service: this is where all tasks would be provided by the third party up to and except when an incident response is needed.
187
Precursor (CBK differentiates from indicator)
Precursors are signals (based on the events) that suggest a possible change of conditions. For example, if you have a company of 100 employees, and 60 of them are filing grievances electronically (which is captured in a log), this could be a precursor to an internal incident, such as employees stealing data. Another example might be an announcement from a threat group that they will attack your company. Another example is a newly discovered vulnerability for a technology that exists in your environment.
188
External threat intelligence
External threat intelligence can include a lot of activities and sources of knowledge, such as open source research, threat modeling, and threat intel from third parties like vendors, governmental entities, and information sharing and analysis centers (ISACs).
189
Internal threat intelligence
Internal threat intelligence refers to internal sources and internal groups to provide the intel using logs, incident reporting, and the results of forensic investigations. A configuration management database or system inventory can also help identify potential threat areas, for example if there are Windows XP or Windows 2008 systems running in your environment, this could be a source of threat intel. Also, access or permission reports can be used to identify people with elevated privileges who could be a target or a risk for unusual activity.
190
Request for Change (RFC)
Change package refers to the change itself along with all its documentation, typically tracked within a request for change (RFC).
191
Change management activities (initiation, review/approval, implementation and evaluation, release/deployment planning/control)
Covered in detail by our study guide: https://cissprep.net/configuration-management/
192
NIST Forensic cycle (collection, examination, analysis, reporting)
Covered here under the "Analysis" section: https://cissprep.net/incident-management-and-investigations/
193
Incident response activities (preparation, detection, analysis, response/mitigation, recovery, remediation, reporting, review & improvement)
Covered in detail here: https://cissprep.net/incident-management-and-investigations/
194
3-2-1 backup strategy
Three copies of the data: the original plus two backups.
Two different storage media types, such as magnetic tape, write-once/read-many (WORM) drives, removable disks and cloud.
One copy offsite: never locate backups in the same environment, as that would defeat the purpose of a backup.
195
Cloud backup as a service
Cloud Backup-as-a-Service: data is replicated multiple times.
On-line: available instantly from a failover instance.
Near-line: available with a delay, since the data must be pulled from an onsite library.
196
RAID 15 and 51
Combines techniques from RAID 1 and RAID 5; stripes parity bits and mirrors all the drives (including both the data and parity information). Not widely used outside of highly sensitive environments because of the impact to productivity and the high cost.
197
Software Quality Assurance
Covered in our study guide: https://cissprep.net/software-quality-assurance/
198
Software Assurance Maturity Model (SAMM) - very brief
Covered in our study guide: https://cissprep.net/software-quality-assurance/
199
Software Assurance During Acquisition (Five Phases)
Covered in our study guide, item "g)" https://cissprep.net/software-quality-assurance/
200
Functional requirements
Functional requirements are the things the system needs to do. For example, a system might need to handle a customer purchase correctly. The software must be written to accomplish these functions.
201
Non-functional requirements
Nonfunctional requirements refer to the characteristics of the overall form, or attributes of the system’s behavior. i.e. the attributes that result from the way in which it is designed and built. If requirements are considered nonfunctional, no specific code is written, as there’s no function to carry out. (note: some security features do require specific code).
202
Unit Test
Unit tests are written and carried out by the developers themselves.
203
Data Validation
Data validation should be conducted after each test to ensure that the data hasn’t changed.
204
Bounds Checking
Bounds checking can be used to verify that a variable is within the proper bounds for its field or data type (e.g. “age” field must be 18 or higher for voter registration)
205
Known-good data (testing)
Known-good data should be used to ensure the system is acting like it should, with data that is expected. It should also contain a wide range of data inputs, including known-bad data, or unexpected data, also called “fuzzy” data.
206
Software assurance policy
Can be used as a tool to guide software assurance.
207
Orphaned Software
Orphaned system refers to systems or components that rely on unsupported elements. An example would be an antiquated but functional medical system such as a heart monitor that is no longer made, and is dependent on a Windows XP operating system. The difference between orphaned and legacy systems is that legacy systems are supported in-house, or a fix can be found for any issues that pop up. Some level of assurance can still be achieved on orphaned systems by conducting ongoing security assessments.
208
Network Database Management Model
Covered in our study guide, fourth item down the page: https://cissprep.net/database-concepts/
209
CODASYL
Covered in our study guide, fifth item down the page: https://cissprep.net/database-concepts/
210
Strongly typed
Large paragraph at the bottom of this page: https://cissprep.net/primary-software-development-methods/
211
Weakly typed
Large paragraph at the bottom of this page: https://cissprep.net/primary-software-development-methods/
212
IAST
Interactive application security testing (IAST), as opposed to DAST and SAST, brings software testing to web and mobile apps. It works with agents that are incorporated into the application being tested, which enables it to look through the application’s logic as far down as the library routines it calls to ensure proper use. Full code coverage for serverless applications that use non-HTTP interfaces is a challenge for IAST.
213
Privileged applets (sandbox)
Java applets are either sandbox applets or privileged applets. Sandbox applets are executed in a security sandbox that only allows explicit safe operations. Privileged applets can run outside the security sandbox and have extensive capabilities to access the client and its environment.
214
Java Network Launch Protocol
Covered in our study guide: https://cissprep.net/software-development-testing-methods/
215
CLASSPATH
Covered in our study guide: https://cissprep.net/software-development-testing-methods/
216
Class loader
Covered in our study guide: https://cissprep.net/software-development-testing-methods/
217
Native libraries
Covered in our study guide: https://cissprep.net/software-development-testing-methods/
218
High granularity
Granularity of controls: high means stricter, low means looser, easier to circumvent.
219
Low granularity
Granularity of controls: high means stricter, low means looser, easier to circumvent.
220
Configuration Audit
A configuration audit is an assessment (typically an internal audit) that collects and analyzes artifacts and activities to determine the current, historical, or projected status of a system. It uses methods such as checklists, interviews, and observations. The auditors provide areas of improvement for Configuration Management processes and procedures to be updated in the CM Plans.
221
System Lifecycle (SLC)
Has two phases after the SDLC completes: (1) operations and maintenance support, post-installation; (2) decommissioning, disposal and system replacement.
222
SDLC
Covered in our study guide: https://cissprep.net/software-development-lifecycle-sdlc/
223
Memory leak
Memory/object reuse – reusing objects that are residual in memory after a process is complete. Memory reassignment (such as in RAM) should ensure that the residual objects are completely overwritten to prevent reuse attacks. This can also be referred to as a memory leak, a type of covert channel.
224
IPPD
Covered in our study guide: https://cissprep.net/software-capability-maturity-model-and-change-management/
225
Partnership for Systems Approaches to Safety and Security (PSASS)
Covered in our study guide: https://cissprep.net/security-controls-in-software-development/
226
Intermediate code
Intermediate code is somewhere between source and the object code, or binary representation.
227
Arbitrary code
Arbitrary code execution is a security flaw allowing criminals to execute arbitrary commands on the target system.
228
Refactoring
Refactoring is rewriting all or part of software to perform the same functions, but in a more efficient, straightforward, and maintainable form.
229
Level of abstraction
Level of abstraction is how close the language is to the binary environment of the CPU.
230
Lower order languages
Lower order languages represent more direct hardware-level interaction and more control for the programmer, but require the programmer to thoroughly understand the hardware at the binary data flow level and control logic.
231
Higher order languages
High (or higher)-order languages (HOL) enable thinking and programming more in the language and form of the problem that needs solving, and what the user needs to accomplish. The HOL compiler can do the translation of the HOL statement into assembly or intermediate language.
232
Code protection/logic hiding
Code protection / logic hiding restricts one software unit from reading or altering the source, intermediate, or executable code of another software unit.
233
Constraint based/logic programming
Generation 5 – natural language interfaces (aka: constraint based or logic programming), requires an expert system or AI, typically has visual tools to help with programming and does not require the developer to learn a specific language.
234
Business need identification (4 steps: Ask, evaluate, agree, document)
Covered in study guide here: https://cissprep.net/risk-management/
235
Between the lines
Data inserted into a tapped communications line.
236
Bypass attack
The attempt to bypass database management system (DBMS) controls at the front end of a database application by going around the query engine interface or its command line interpreter (CLI) to exfiltrate data.
237
Database view (used for access control)
A mechanism that restricts what users can see or request from a database. There are risks associated with how the software performs the view processing, the ability to potentially access restricted views, or the ability to modify existing views. Essentially this just restricts what a user can view, and not what actions can be done on the data.
238
Data contamination
Malformed inputs at the field, record, transaction, or file level, intended to disrupt the functioning of the system, which essentially "contaminates" the data.
239
Improper modification
Unintentional (accidental) or intentional (malicious) modification of data. Integrity controls and data validation are needed to prevent improper modification of database content.
240
Query attacks
Using query tools to access data that is not normally available through the trusted front end, which includes malformed queries using SQL to bypass security controls.
241
Data lake
Data Lakes refer to huge assortments of information that are unorganized, uncategorized, and unclassified (and value has not been assigned yet).
242
Data farm
Data Farms are where predictive analytics and different methods are utilized to create data in between known, observed data points.
243
Graph database
Use network database architectures for complex patterns of meaningful connections or associations between data elements of disparate types. Neo4J is an example, which is a graph database often used for insider threat detection and anti-money laundering investigations. Graph databases also play an important role in COVID-19 contact tracing systems.
244
Candidate key
In relational database management, the candidate key is an attribute that is a unique identifier in a relational table. One of the candidate keys is chosen to become the primary key, after which others can be referred to as alternate keys.
245
Non-relational database
Covered in our study guide: https://cissprep.net/database-concepts/
246
Probabilistic method
As related to knowledge discovery in databases, this uses graphical representation models to come up with meaningful information based on probabilities and data independences.
247
Statistical approach
Also related to knowledge discovery, this method uses rule discovery and is based on data relationships and known statistics.
248
Deviation and trend analysis (as part of KDD)
Uses filtering techniques to detect patterns in the data.
249
Commodity systems (COTS)
Sold or licensed as commodities; also known as commercial off-the-shelf (COTS) products, which include software, firmware, or embedded products.