Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

PCS CISSP MM, EC, Thor series > Domain 3A - Security Architecture and Engineering > Flashcards

Domain 3A - Security Architecture and Engineering Flashcards

1
Q

what did TLS replace and where is it used

A

Transport Layer security (TLS) replaced SSL
its used for data in motion (HTTPS)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

what is a security architecture

A

how we secure the components in an architecture

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

what does a enterprise security architecture do

A

its how we protect all the components of the enterprise, the people, processes, systems, networks etc.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

3 major enterprise architectures

A
  1. Zachman
  2. sabsa (sherwood applied business security architecture) - defines a risk driven enterprise security architecture model
  3. TOGAF (The Open group Architecture Framework) - helps you break an organization into components so you can build security into each component
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

2 types of security models

A

Lattice based and rule based

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

describe lattice based security model

A

essentially means Layers
– define layer of confidentiality or integrity
– define rules as to what can be read or written the layers to maintain confidentially or integrity

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

attributes of lattice based security model Bell-LaPadula

A
  1. focused on maintaining confidentiality of information
  2. simple security property states – no read up
  3. start property states – no write down
  4. strong star property - if you are both reading and writing you can only do so at your own level
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

2 types of lattice (layer) based security models

A
  1. Bell-LaPadula
  2. Biba
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

describe attributes of lattice based security model Biba (inverse of Bell-LaPadula)

A
  1. focused on maintaining integrity of the information
  2. simple security property - no read down
  3. star property - no write up
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

describe attributes of Lipner implementation

A
  1. its not a security model, its an implementation
  2. its a way to get both confidentiality and integrity from both Bell-LaPadula and Biba
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

attributes of Clark Wilson rule based security model

A
  1. focus is on integrity
  2. (3) goals of integrity
    — preventing unauthorized subjects from making changes
    — preventing authorized subjects from making bad changes
    — maintaining the consistency of the system
  3. (3) rules to achieve the (3) goals
    — must have well formed transactions
    — must have separation of duties
    — must have the access triple (subject, program and object)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

attributes of Brewer-Nash rule based security model

A
  1. known as the Chinese wall model
  2. only goal is to prevent conflicts of interest
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

recognize these as rule based security models

A
  1. Graham-Denning
  2. Harrison-Ruzzo-Ullman — enhancement of Graham-Denning
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

name the 4 “rules based” security models

A
  1. Clark-Wilson
  2. Brewer-Nash
  3. Graham-Denning
  4. Harrison-Ruzzo-Ullman
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

name the most widely used security framework in the world

A

ISO 27001

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

name some attributes about ISO 27001

A
  1. best practice recommendations for an ISMS (information security management system)
  2. defines 114 controls
  3. 14 domains/categories
  4. best practices you should have in place for a well run security program!
    – security governance, security policies, onboarding, asset management, asset control, cryptography, physical security, network security all the way to having a compliance function.
  5. you can be ISO 27001 certified
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

attributes of ISO 27002

A
  1. code of practice for ISMS (information security management system) controls
  2. provide the implementation guide for the controls in 27001
  3. cant be certified for this, its just a guidance
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

attributes of NIST 800-53

A

provide guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the federal government to meet the requirements of FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

attributes for COSO (Committee of Sponsoring Organizations of the Treadway Commission)

A
  1. initiative in the US in the 1980s to combat corporate fraud
  2. focused on financial reporting controls, it does contain requirement for reasonable security
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

attributes of ITIL (The Information Technology Infrastructure Library)

A
  1. framework of best practices for delivering IT services and are aligned with business goals and objectives
  2. very useful for looking at IT process like change management, configuration management, access management, availability management etc.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

attributes of HIPAA (Health Insurance Portability and Accountability Act)

A
  1. focused on safeguarding medical healthcare information
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

attributes of SOX (Sarbanes-Oxley Act)

A
  1. thanks to Enron and WorldCom for the US federal law
  2. requires top level management (CFO, CEO) to individual certify the accuracy of financial information
  3. if fraudulent activities are found, the penalty is much more severe
  4. financial records must have integrity and be available
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

what are the 7 steps of NIST 800-37 (RMF) - Risk Management Framework

A
  1. Prepare to execute the RMF
  2. Categorize information system
  3. Select security controls
  4. Implement security controls
  5. Assess security controls
  6. Authorize information systems
  7. Monitor
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

3 frameworks that you only need to know that they contain risk management components. no other details needed.

A
  1. ISO 31000
  2. COSO
  3. ISACA Risk IT
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
what are the two major steps in product evaluation criteria
1. Certification 2. Accreditation
26
Common criteria- what happens in the certification step
an independent lab evaluates a product and give it a rating
27
evaluation criteria systems
1. TCSEC 2. ITSEC 3. Common Criteria
28
TCSEC attributes
1. evaluate confidentiality 2. evaluate a product that was not connected to a network - single box only 3. 7 functional levels D1 (lowest) to A1 (highest) 4. C2 is the most common rating for products 4. B1 requires labeling
29
ITSEC evaluation attributes
1. Replaced TCSec 2. evaluates confidentiality and integrity 3. can evaluate devices connected to a network 4. can evaluate assurance ( how to test its working properly) 5. Was replaced by common criteria ISO 15408
30
common criteria evaluation attributes
1. adopted as sn international standard - ISO 15408) 2. Evaluation criteria for IT security 3. defines a protection profile (class of devices) - examples: firewalls, smartcards, switches 4. target of evaluation(TOE) defines the product - the very specific product, model etc. example: cisco asa 5505-X 5. security targets - document prepared by the product vendor that defines the functional and assurance properties and capabilities that the vendor claims are built into the target of evaluation 6. the independent test lab will then test the functional and assurance requirements of the target of evaluation 7. the end result will be an EAL(evaluation of assurance level) rating
31
what are the 7 common criteria EAL (evaluation of assurance level ratings
1. EAL1 - functionally tested 2. EAL2 - structurally tested 3. EAL3 - methodically tested and checked 4. EAL4 - methodically designed, tested and reviewed 5. EAL5 - semi formally designed an tested 6. EAL6 - semi formally verified designed and tested 7. EAL7 - formally verified designed and tested
32
what is accrediation
official management approval and sign off for a set period of time to purchase and deploy a product in the organization
33
definition of TCB (trusted computing base)
TCB is the totality of protection mechanisms (people, processes and technology) within a system or architecture that work together to enforce a security policy
34
taxonomy in technology
organizing into categories and subcategories
35
what is a subject
an active entity - (people, processes) that want to access objects
36
define mediate (mediation) a subjects access to an object in RMC (TCB)
---mediation is anything that is controlling a subject access to an object-- examples are: 1. physical lock on a door controlling which people (subjects) can access the building (object) 2. windows login prompt, controlling if a user can access their computer 3. could be the system kernel, controlling which applications can access the network card
37
how are rules used in RMC
rules are created so that the mediation will make decisions based on (functional aspect of the control)
38
what does the assurance aspect tell you
if the process or product is working correctly
39
in the RMC how do we get the assurance aspect
logging and monitoring
40
what is an object
a passive entity, whatever is being accessed by the subject. examples: databases, word files, buildings and sometimes other processes
41
breakdown of the RMC
subject access an object, through some form of mediation, based on a set of rules and all of it is logged and monitored to provide assurance that it is working correctly
42
RMC (reference model concept) is a concept. what is it called when you implement the concept.
security kernel
43
where are security kernels used
wherever we need to control a subjects access to an object . the access is controlled with a security kernel
44
3 criteria for a security kernel
1. completeness - subject not able to bypass the mediation (no backdoor) 2. isolation - rules are tamper proof 3. verifiability - logging and monitor to verify the mediation is working correctly (assurance)
45
4 steps of a CPU
1. fetch instructions 2. decode instructions 3. execute instructions 4. store the results
46
what is multitasking
running multiple complex applications simultaneously
47
2 major categories of storage
1. primary - super fast, little storage and volatile (ram, cache etc.) 2. secondary - slower, much more storage space ( solid state drives, CDs, DVDs, Tapes etc.)
48
firmware attributes
1. stored on the hardware 2. typically in non-volatile memory such as ROM (read only memory)
49
middleware attributes
1. act like software glue 2. acts as a translator between different incompatible applications, enabling interoperability and translating messages for incompatible applications
50
2 major methods to achieve process isolation
1. memory segmentation - each application is given its own memory space 2. Time Division Multiplexing (time slicing) - each process is given access to the resource for a specified time then handed to the next resource
51
Processor states
1. Problem state - lower privileged level - most applications will run at this level. they do not have full access to the cpu capabilities but enough to run 2. Supervisor state - higher privileged level - the kernel will run here, full access to CPUs capabilities
52
problem state meaning
its what CPUs are meant to do, solve problems. normal operating level for the CPU
53
2 common privilege levels that applications and processes code can run at
User mode - lower level, most applications will run here. User mode restricts what resources applications can have access to Kernel mode - higher level - system kernel runs here. unrestricted access to underlying hardware.
54
ring protection model - another way of how access to system resources is restricted
Ring 0 - greatest privilege, system kernel, also firmware Ring 3 - least privilege most applications will run
55
idea of data hiding is what
applications running at a lower privilege level are not aware of applications at a higher privilege level so they are simply hidden from the lower privilege levels
56
there is no security without physical security
true
57
TOCTOU (time of check time of use) attributes
1. also known as (race conditions) 2. application checks the state of resource before using it. 3. an attacker attempts to race in and change a resource (file, variable or some data in memory) between when the resource is checked and used 4. the defense for this is to increase the frequency of how often a check is performed to ensure access is appropriate. this reduces the window in time where an attacker can race in and do what they are not supposed to do
58
emanation attributes - what is it and what are some controls
1. radio signals, electrical signals, light, sound, vibrations that radiate from a system and can be intercepted to eavesdrop and allow leakage of informatoin ----- counterattacks ----- 1. shielding (tempest) designed to shield devices that emit electromagnetic radiation 2. white noise -- drowns out the weak emanations from a secured device 3. control zones - place high value systems in a physical secured zone. only authorized individuals can get near high value systems
59
covert channels attributes
1. unintentional communication path that unintentionally disclose confidential information ----- 2 Types ---- 1. storage - most common -- 2. timing ----------counter attack----------- 1. careful analysis of systems and processes to identify unintentional communication paths and design controls to prevent or mitigate
60
aggregation and inference details
1. vulnerabilities that occur when you collect and centralize a lot of data in one location -- data warehouse, data lakes 2. unauthorized inference - someone might be able to infer or figure out something they are not supposed to -----------counterattack------=-- polyinstantiation - different versions of the same information or process can exist at different classification levels -- copy of the same information with different meanings per authorization level
61
This use of mobile devices in the org causes some security risks - 1. name some concerns 2. Name some controls
1. clearly defined polies regarding the acceptable use of mobile devices 2. require that sensitive data not be stored on mobile devices or severely limited 3. training to make sure employees follow acceptable use -----------------contols------------- 1. mobile device connection back to the office should be encrypted to ensure protection of sensitive data in transit 2. strong authentication 3. whole drive encryption 4. remote wipe
62
OWASP mobile top 10 -- M1
improper platform usage - things like touch ID, face ID or keychain are not used properly counterattack -- secure coding and configuration management - use these good security features
63
OWASP mobile top 10 -- insecure data storage
-- PII is stored in insecure directories- data in these locations can be trivially accessed if an attacker gets physical access or attacker writes malware to copy the data and send to attacker ------counterattack-------- dont allow sensitive data on mobile device
64
OWASP mobile top 10 -- M3 insecurity communication
- most mobile devices will communicate with a server across the insecure internet. any such data could potentially be intercepted. ------------counterattack---------- 1. encrypt with protocols like TSL 2. authenticate with server with certificates
65
OWASP mobile top 10 -- M4
insecure authentication - an attacker figures out how a mobile application calls a backend server its connected to. once the attacker figures this out, they bypass the mobile app and send requests straight to the backend server, bypassing authentication mechanisms -----------------counterattack---------- perform authentication on the server side
66
OWASP mobile top 10 -- M5
insufficient cryptography - mobile device that is using crappy encryption algorithms or algorithms that were poorly implemented -----------------counterattack------------- use good algorithms that will withstand the test of time and implement them properly
67
OWASP mobile top 10 -- insecure authorization
- doing a poor job of authorization, potentially allow an attacker to bypass the authorization or grant themselves access they are not entitled to . ----------------counterattack--------- 1. authorization is performed by backend server and not the mobile device 2. server should verify mobile device requested access is appropriate to permitted access per user
68
OWASP mobile top 10 -- M7
client code quality - software running on a mobile device that is vulnerable to common attacks like memory leaks and buffer overflows --------------counterattack------------- 1. write more secure code 2. developers should be knowledgeable and trained
69
OWASP mobile top 10 -- M8
code tampering - an attacker changing or adding new malicious code into a mobile application -------counterattack------- 1. mobile applications should be able to detect if the code has been tampered with at runtime
70
OWASP mobile top 10 -- M9
reverse engineering - an attacker carefully analyzing an app's code to reveal information about backend servers reveal problems weaknesses with crypto etc. ------------------counterattack------------ use code obfuscation tools
71
OWASP mobile top 10 -- M10
extraneous functionality - refers to an attacker carefully analyzing and application to find hidden functionality left behind by the developer. this hidden functionality will often allow the attack to have a backdoor into the application or backend servers ------------------counterattack----------- make sure extraneous functionality is removed before an application is published by doing manual code review
72
cross site scripting (XSS) is what
1. a malicious script is injected into trusted websites. a visitors browser will download and execute the attackers script, allowing the attacker to run code on victims machines
73
3 flavors of cross site scripting
1. stored 2. reflected - most common form
74
who is the target with cross site scripting
the client - the users browser
75
cross site request forgery (CSRF)
1. an attacker forces or tricks a user into executing unwanted actions on a web application in which the user is currently authenticated. allowing an attacker to execute authorized commands on a server. --(very simplified explanation)
76
who is the target of attack with cross site request forgery (CSRF)
the user may get negatively impacted but the target is the server
77
SQL injection (sequel structure query language) explain
an attacker sends SQL code to the web server, the web server passes that code onto the database, allowing the attacker to control the database
78
SQL injection -- how could this happen
1. an attacker could enter code (text) into a form field like a username password field, submit the text (code) to the web server 2. the webserver sends that text (code) from the username and password fields to the database. 3. if the web server has not validated the provide text (code) then it could be allowing sql injection attacks to occur
79
how to prevent SQL injection attacks
1. input validation. the we server should never allow sql code from a user directly to the database. the web server must validate all input, sanitize the input by removing special characters or escaping them.
80
-----test hint -----. there will be very technical questions and answers on SQL injection and cross site scripting. boiling it down what is the answer you are looking for
the users input must be validated in some way, sanitized, this is how these attacks are prevented
81
3 cloud service models
1. IAAS (infrastructure as a service) 2. PAAS (platform as a service) 3. SAAS (software as a service)
82
what is IAAS
Infrastructure as a service - virtual infrastructure, servers, appliances, storage, network components, firewalls, routers etc. virtualized physical infrastructure
83
what is PAAS
Platform as a service - provides services and functionality for customer to develop and deploy customer applications. customers can create applications without needing to worry about things server, network and storage.
84
what is SAAS
Software as a service - customers can rent access to an application hosted in the cloud.
85
IAAS what is the customer responsible for
OS, middleware, runtime, applications, data
86
PAAS what is the customer responsible for
Data, applications
87
SAAS what is the customer responsible for
nothing, its all cloud responsibility
88
in any of the cloud models who is responsible for ensuring of security and service levels
the customer much verify the levels of securities and service levels the cloud provider provides (SLAs, SOC 2 reports).
89
cloud deployment models
1. public 2. private 3. community 4. hybrid cloud
90
who are public cloud models available to
the public, anyone
91
who has access to private clouds
1. its provisions for exclusive use by a single customer. they can be owned by the customer or by a cloud service provider. 2. they can be on or off premise 3. they can be physically or logically separated from one customer to the other
92
community cloud attributes
1. only accessible by a small community 2. they have similar shared concerns, for instance, security and regulatory requirements
93
define hybrid cloud
some form of combination between public, private and community cloud. example: some businesses might have a private cloud for sensitive data and a public cloud for less sensitive data
94
cloud security and identity is very important in cloud. security professionals must ensure all traffic and all users are very thoroughly verified so we know who exactly is accessing what. this approach is often referred to as what
Zero Trust model for security
95
two man places to store users identities are
1. locally - some system (usually AD) is being maintained on premise to store user identities 2. cloud - cloud service is being used as a cloud identity provider. (Okta) is a good example of cloud identity provider.
96
4 cloud identities and details
1. cloud - identity created and manage solely in the cloud 2. linked identity - two identities (one local, one cloud). there is simply some indication of a linkage between the two. change to one are NOT automatically synchronized to the other linked account 3. synced identity - two identities (one local, one cloud) and change to one automatically synchronizes that change to the other. 4. Federated identity - user has one identity that allows them to gain access to both local and cloud based services via a federated access.
97
3 protocols that enable federated access
1. SAML - security assertion markup language 2. OpenID 2. OAuth
98
attributes of SAML
Security Assertion Markup Language 1. provides both authentication and authorization in federated access 2. allows you to access multiple web applications using one set of login credentials EXAM tip -- very common, understand this
99
what does OpenID provide 1. cloud synchronization 2. authorization 3. authentication 4. is part of IAAS
authentication
100
what does OAuth provide 1. time synchronization 2. system synchronization 3. authorization 4. run time services
authorization
101
accountability in cloud attributes
1. one person liable per asset 2. the owner of the asset 3. individual that has ultimate ownership and blameworthiness 4. can not be delegated 5. responsibilities can be delegated
102
responsibility in cloud attributes
1. the doer 2. multiple persons can be responsible 3. can be delegated 4. person or multiple persons in charge of requirements that were defined by the accountable person
103
cloud data controllers
1. individuals within the cloud consumer will be the owners (data controller) of any data stored in the cloud 2. accountable for any data they store and process in the cloud 3. can not delegate responsibility
104
another name for hypervisors
vm monitor
105
another name for VM
1. instances 2. guests
106
can a VM snapshot be helpful when doing an investigation
yes, a snapshot preserves the state and data of a virtual machine at a specific time.
107
how do you do defensible data destruction of PI in the cloud?
crypto shredding
108
what is crypto shredding/erase
1. personal or any information is encrypted with an excelling algorithm like AES 2. every single copy of the encryption key is physically destroyed 3. with no possibility of recovering the encryption key the data has been crypto shredded
109
5 major services that cryptography provides
1. confidentiality 2. integrity 3. hashing 3. authenticity 4. non-repudiation 5. a form of access control
110
what does confidentiality provide
1. only those that are authorized can view the data 2. helps prevent unauthorized disclosure of information
111
what does integrity provide
1. ensure the information has not been changed or manipulated by unauthorized individuals 2. helps prevent unauthorized or unexpected changes to data
112
hashing equals what?
integrity
113
what does integrity equal
hashing
114
authenticity gives us what
1. we can verify who a message comes from
115
non-repudiation gives us what
1. someone is not able to deny ORIGIN, meaning they can not deny the message came from them 2. someone is not able to deny DELIVERY, meaning the receiver can not deny receiving the message
116
how does cryptography enable a form of access control
1. by us controlling who we give cyphertext to 2. by us controlling who we give the decryption key to with this we can control who can access some data
117
define encryption
turning plaintext into cyphertext using a cryptographic algorithm and a crypto variable
118
define crypto variable (encryption and decryption)
1. a key 2. a string of bits that must be kept secret 3 this string of bits programs the cryptographic algorithm 3. the key determines what steps the cryptographic algorithm will perform to encrypt or decrypt the plaintext (encryption) or cyphertext (decryption)
119
what is key clustering
1. when two different keys generate the same ciphertext from the same plaintext 2. we do not want this 3. this suddenly makes it twice as easy to perform a brute force attack
120
what is work factor
1. estimated time or effort to break a cryptosystem 2. the higher the work factor the more secure the cryptosystem
121
what is a initialization vector or a nonce
1. a random number used along with the key and fed into a cryptographic algorithm when encrypting some plaintext. 2. IVs should only be used once in any session and are meant to help prevent patterns
122
what two things should a good cryptographic algorithm do
1. Confusion - hides the relationship between the key and the resultant ciphertext. if one bit changes then about half the bits in the ciphertext change. 2. Diffusion - the same as confusion but focuses on plaintext. if a singe bit in the plaintext changes then about half the bits in the ciphertext should change
123
what is and what does the Avalanche effect do
1. looks at the degree of confusion and diffusion that an encryption algorithm provides 2. the ideal case: 1 bit changes in the key (confusion) or the plaintext (diffusion) will result in at least a 50% change in the ciphertext
124
what is a null cipher
1. when a message is hidden in plain site by mixing the characters of the secret message in with the non-ciphertext plain message 2. the secret message could be the first letter of each word in a paragraph
125
why use one way encryption and what is it typically called and how does it going about doing so
1. integrity 2. hashing 3. one way mathematical function 4. transforms an arbitrary length input to a fixed-length output 5. same input will always result in the same output
126
what are you talking about when talking about a message digest
cryptographic hash function
127
name 4 recognizable hashing algorithms
1. MD5 2. sha-1 3. sha-2 3. sha-3
128
2 major types of algorithms that we can use to perform two- ways encryption
1. symmetric algorithm 2. asymmetric algorithm
129
how many keys for symmetric algorithm
1. one secret key
130
how many keys for asymmetric algorithm and what are they called
1. 2 keys (key pair) 2. public and private
131
advantage of symmetric algorithm
1. speed (much faster)
132
disadvantage of symmetric algorithm
1. key distribution - single key (out of band to share key privately) 2. scalability (too many keys needed) 3. no integrity or non-repudiation 4. it does to some degree provide authenticity because the data encrypted with a symmetric key is not able to be decrypted with another key
133
formula for number of key for symmetric algorithm
N*(N-1)/2
134
what are the 2 major types of symmetric algorithm
1. block ciphers 2. stream ciphers
135
block ciphers attributes
1. encrypt or decrypt blocks of data at once: 16bits, 32, bits, 64 or 128 bit blocks of data
136
what is substitution
1. a random bit string (nonce) that is the same length as the block size that is XORed with the message. 2. IVs are used to create a "unique" cipher text every time the same message is encrypted with the same key
137
top 3 symmetric block ciphers
1. DES (Data Encryption Standard) 2. 3DES 3. AES (Advanced Encryption Standard) designed to replace DES
138
DES (Data Encryption Standard) attributes
1. 56 bit keys 2. 64 bit blocks 3. 16 rounds of substitution and transposition 4. no where near good enough
139
3DES attributes
1. using the DES algorithm 3 times 2. (3) 56 bit keys = key length of 168 bits 3. due to meet in the middle attack the effected key length is 112 bits
140
AES attributes (Rijndael) - Advanced Encryption Standard
1. replacement for DES 2. variable key length 129, 192 or 256 bits 3. uses 128 bit blocks
141
Ancillary symmetric block ciphers
1. cast-128 2. safer 3. blowfish 4. Twofish 5. RC5/RC6
142
5 different block modes
1. ECB - (Electronic codebook mode) 2. CBC - (cipher block chaining) 3. CFB (cipher feedback) 4. OFB (output feedback) 5. CIR (counter) ---- all of these block modes use IV (initialization vector) except ECB which makes it the least secure of all the modes.
143
ECB (electronic codebook mode) attributes
1. least secure ( no initialization vector) (IV) 2. fastest because of no IV 3. if same block encountered multiple times, same encryption block is produced. easy to break (patterns)
144
CTR (counter) attributes
1. is considered best balance of speed and security 2 not the most secure, slower than ECB 3. incrementing counter instead of seed 4. errors do not propagate 5. initialization vector (or IV)
145
the single stream cipher to know is
1. RC4 2. best animated explanation of how stream cipher works 13:50 of mindmap (6 of 9) domain 3
146
does asymmetric algorithm use a mathematically related key pair
yes
147
asymmetric cryptography advantages
1. solves key exchange problem 2. enables digital signatures and other services 3. solves scalability
148
asymmetric cryptography disadvantages
1. slower compared to symmetric cryptography
149
when a lot of data is needed to be encrypted what form of cryptography do we need to use
symmetric
150
what asymmetric algorithm relies of factoring for the hard math problem
RSA
151
factoring - explain
1. its easy to multiply two very large prime numbers 2. its very difficult to go backwards and factor the two original prime numbers for the sum
152
Name 2 asymmetric hard math problems And the 3rd that should not be used
1. factoring 2. discrete log 3. knapsack (should not be used)
153
discrete log
1. easy to exponentiate 2. its very difficult to go backwards to find the original integers
154
asymmetric algorithms that rely on discrete log for the hard math problem
1. Diffie-Hellmann (key exchange) 2. Elliptic Curve (ECC) (very efficient) 3. El Gamal 4. DSA
155
what is DSA used for
creating digital signatures
156
Elliptic Curve (ECC) attributes
1. same strength as RSA with a much shorter key 2. very efficient compared to other asymmetric algorithms
157
knapsack attributes
1. significant issues found with using knapsack as the hard math problem 2. any algorithm based on knapsack should not be used
158
digital signatures provide what 3 things?
1. authenticity 2. integrity 3. non-repudiation of both origin and delivery
159
2 major ways that cryptographic algorithms convert plaintext to cypher text
1. substitution 2. transposition
160
substitution for cryptography is what
1. replace one character for another -- early example is the Caesar Cypher
161
explain the Caesar Cypher
1. letters are substituted for letters in the alphabet 3 places to the right 2. monoalphabetic substitution cipher 3. use just one alphabet which leads to patterns
162
explain polyalphabetic ciphers
1. uses multiple substitution alphabets 2. same letters in the original plaintext will not have the same result 3. reduces patterns
163
what is transposition with cryptographic ciphers
1. rearranging all the letters in the plaintext
164
what is a Spartan Scytale
1. earliest known transposition cipher 2. stick of wood with a very precise diameter 3. wrap a piece of leather around the wood and write your message across the strip of leather 4. when you unwrapped the leather, your letters were transposed and your message encrypted 5. would require an exact same diameter of stick to be able to decrypt the message
165
what is the digital certificate standard
X.509
166
what is digital certificate replacement
1. the regular replacement of expired certificates 2. based off the expiring date on the digital certificate itself
167
certificate revocation is what and when would it be used
1. contacting your certificate authority and asking them to revoke your digital certificate 2. if your private key was compromised its no longer trustworthy 3. the CA keeps a list of revoked digital certificates
168
protocols used to check for revoked certificates
1. CRL (certificate revocation list) 2. OCSP (online certificate status protocol) -newer and more efficient
169
CRL (certificate revocation list) attributes
1. older less officiant way to check for revoked certificates --- with this process when there is a request for revoked certificates, the CA responds with a very large list of all the revoked certificates. the client then has to search through that list to see if the certificate they are asking about is in the list
170
OCSP (online certificate status protocol) attributes
1. much more efficient compared to CRL 2. when a client queries a CA for the revocation status of a specific certificate and the CA responds with the answer
171
PKI (public key infrastructure) is what
1. broadest of roles, policies, procedures, hardware and software that is used to create, distribute, use, store, replace and revoke digital certificates
172
certificate chain of trust
1. CA private key used to sign intermediate certificates CA is then offline 2. intermediate certs are used to sign issuing certs 3. issuing certs are used to sign entity certs (the certificates we pay a CA to make for us)
173
which role in the CA issues the certificate
the issuing CA, not the root CA
174
where do CAs maintain all certs they have issued and what has been revoked
1. certificate DB 2. each CA maintains their own database
175
where do endpoints (desktop, laptop, mobile phone etc.) store their private key and other certificates it might need (like big CAs public keys)
1. certificate store - local storage location 2. every endpoint has its own certificate store
176
key generation in cryptography is what
1. creating new symmetric key or asymmetric key pairs 2. each new key is randomly selected to avoid patterns
177
key distribution in cryptography is what
1. delivering new keys to the whoever needs them and nobody else
178
key distribution option
1. Diffie-Hellmann 2. out-of-band 3. Hybrid
179
hybrid key distribution steps
1. most common form of key distribution 2. encrypt the symmetric key that you need to send to the receiver, with their public key 3. you then send that cipher text to the receiver, that person would then be the only person to decrypt the ciphertext using their public key 4. you can then switch over to symmetric cryptography to encrypt and decrypt lots of data quickly and efficiently
180
why is it called hybrid cryptography
you are using asymmetric cryptography (public, private) to encrypt a symmetric key, then send that ciphertext to the intended recipient (key distribution). Once the receiver has securely received the symmetric key. you can switch to the symmetric cryptography for faster and more efficient encryption and decryption
181
TLS uses what cryptography
hybrid
182
2 primary ways to securely store encryption keys
1. TPM (trusted platform module) small chip on endpoint devices 2. HSM (hardware security module)
183
what is required if you want to have whole drive encryption
TPM (trusted platform module)
184
is it a good idea to periodically change encryption keys?
yes, this is called key rotation
185
how often should you rotate encryption keys
1. depends on the value of the data being protected 2. depends on risk of keys being compromised
186
encryption key recovery - 3 ways
1. split knowledge - split the knowledge of the key amongst 2 or more persons. they all need to get together to recover the complete key 2. dual control - two or more persons much provide some action to recover the key 3. key escrow - a copy of the key is kept by a trusted third part
187
What does Rabin-Miller primality test algorithm do
Determines if a number is a prime number
188
Why is Elliptic curve cryptography (ECC) popular in mobile applications
A 256 bit key in ECC has the same strength compared to a 3,074 bit key in other encryption systems like RSA
189
What are a couple of advantages using Elliptic curve cryptography (ECC)
• it uses less processing power • it has a stronger key strength compared to some other encryption systems. An example: an ECC 256 key is the same strength as an RSA 3072 key

PCS CISSP MM, EC, Thor series (13 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions