Domain 4 Flashcards

(111 cards)

1
Q

Network Architectures
VXLAN - Virtual Extensible LAN

A

Network virtualization that enables network segmentation at very large scale

Overcomes the VLAN scale limit: the 12-bit VLAN ID allows 4096 VLANs, while the 24-bit VXLAN Network Identifier (VNI) allows about 16 million segments

Tunneling protocol that encapsulates an Ethernet frame (layer 2) in a UDP packet (well-known destination port 4789); the devices that encapsulate and decapsulate are VTEPs (VXLAN Tunnel End Points)

Caveat: the VXLAN header carries no authentication or encryption, so segment isolation depends on the underlay network blocking forged UDP/4789 traffic toward VTEPs, or on IPsec/MACsec between them

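Added worked example (Python, not part of the original deck): building and parsing the 8-byte VXLAN header described above, showing the 24-bit VNI range against the 12-bit VLAN ID and the I-flag check a receiving VTEP should make before trusting the VNI. The inner frame and MAC addresses are constructed sample data.

```python
from __future__ import annotations

import struct

VXLAN_UDP_PORT = 4789            # IANA-assigned VXLAN destination port
VXLAN_FLAG_VNI_VALID = 0x08      # the "I" flag: the VNI field is valid
VNI_MAX = (1 << 24) - 1          # 24-bit VNI: 16,777,215 segments
VLAN_ID_MAX = (1 << 12) - 1      # 12-bit 802.1Q VLAN ID: 4095


def build_ethernet_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Assemble a minimal (FCS-less) Ethernet II frame to carry inside VXLAN."""
    if len(dst_mac) != 6 or len(src_mac) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def vxlan_encapsulate(vni: int, inner_frame: bytes) -> bytes:
    """Prepend the VXLAN header (RFC 7348) to an Ethernet frame.

    Header layout, 8 bytes: flags(8) | reserved(24) | VNI(24) | reserved(8).
    The result is the UDP payload sent to the remote VTEP on port 4789.
    """
    if not 0 <= vni <= VNI_MAX:
        raise ValueError(f"VNI {vni} outside 24-bit range")
    header = struct.pack("!BBHI", VXLAN_FLAG_VNI_VALID, 0, 0, vni << 8)
    return header + inner_frame


def vxlan_decapsulate(udp_payload: bytes) -> tuple[int, bytes]:
    """Validate the VXLAN header and return (vni, inner_frame).

    A receiving VTEP should drop packets whose I flag is clear and must
    ignore the reserved bits rather than act on them.
    """
    if len(udp_payload) < 8:
        raise ValueError("payload shorter than VXLAN header")
    flags, _reserved1, _reserved2, vni_field = struct.unpack("!BBHI", udp_payload[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    vni = vni_field >> 8
    inner = udp_payload[8:]
    if len(inner) < 14:
        raise ValueError("inner Ethernet frame truncated")
    return vni, inner


def demo_roundtrip(vni: int) -> tuple[int, bytes]:
    """Constructed sample: wrap a broadcast ARP-sized frame in VXLAN and unwrap it again."""
    frame = build_ethernet_frame(
        dst_mac=b"\xff" * 6,                         # broadcast
        src_mac=bytes.fromhex("02aabbccdd01"),       # constructed locally administered MAC
        ethertype=0x0806,                            # ARP
        payload=b"\x00" * 28,
    )
    return vxlan_decapsulate(vxlan_encapsulate(vni, frame))


if __name__ == "__main__":
    vni, inner = demo_roundtrip(5_000_000)   # a segment number no VLAN could express
    print(f"VNI {vni} > VLAN max {VLAN_ID_MAX}: {vni > VLAN_ID_MAX}; inner frame {len(inner)} bytes")
```

Note that nothing in the header identifies or authenticates the sending VTEP: any host able to deliver UDP/4789 datagrams to a VTEP can inject frames into whichever VNI it names, which is why the underlay filtering mentioned in the card matters.
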
2
Q

Network Architectures
Software Defined Networks (SDNs)

A

A network architecture approach in which the network is controlled centrally and programmed through software rather than configured device by device

  • Has the capacity to reprogram the data plane at any time
  • Use cases include SD-LAN and SD-WAN
  • Separating the control plane from the data plane opens a number of security challenges: the controller becomes a single high-value target
  • Vulnerable to attacks like man-in-the-middle (MITM) on the controller-to-switch channel and DoS against the controller

The controller-to-switch (southbound) channel, e.g. OpenFlow, should be secured with TLS

3
Q

Network Architectures
Software Defined Wide Area Networks (SD-WAN)

A

Enables users in branch offices to connect to the enterprise network over whatever transport is available

Can use many transport services such as MPLS, LTE, and broadband internet to securely connect users to applications

Security is based mostly on IPsec VPN tunnels, next-generation firewalls (NGFWs), and micro-segmentation of application traffic

Uses a centralized control function for intelligent routing; combined with Secure Access Service Edge (SASE), security enforcement moves to the cloud edge instead of being backhauled to a central data center

4
Q

Network Architectures
Light Fidelity (Li-Fi)

A

Uses modulation of light intensity to transmit data (typically via LEDs)

Can safely function in areas otherwise susceptible to electromagnetic interference

Can theoretically transmit at speeds of up to 100 Gbit/s

  • Li-Fi only requires working LED lights
  • Visible light cannot penetrate opaque walls, which confines the signal (and any eavesdropping) to the lit room
5
Q

Network Architectures
Zigbee - Personal Area Network (PAN)

A

Short-range wireless (built on IEEE 802.15.4)

Developed to support automation, machine-to-machine communication, remote control, and monitoring of IoT devices

Supports both centralized and distributed security models and a mesh topology

Uses AES-128 symmetric keys and assumes those keys are transmitted securely (encrypted in transit under a link key)

NOTE: during pre-configuration (joining) of a new device, the network key may be sent protected only by a well-known default link key, which is effectively unprotected and creates a brief window of vulnerability

Example: IoT smart home hub

6
Q

Cellular Networking
5th Gen Cellular 5G

A

Faster speeds and lower latency

  • Unlike 4G, 5G does not send the permanent subscriber identity (SUPI, the 5G counterpart of the IMSI held on the SIM) in the clear over the air; it is concealed (SUCI) and devices are assigned temporary identifiers
  • Some air-interface threats such as session hijacking are addressed in 5G
  • NOTE: in Non-Standalone (NSA) deployments, the control signaling of the 5G radio network is anchored to the 4G core (EPC)
  • The Diameter protocol, which provides authentication, authorization, and accounting (AAA) in the 4G core, will remain a target
  • Old vulnerabilities of 3G/4G are still a threat because NSA 5G relies on those cores
  • DDoS is a concern because IoT endpoint counts on 5G are far greater
7
Q

Content Delivery Networks (CDN)

A

Geographically distributed network of proxy servers and their data centers

  • Goal is fast and highly available content delivery by distributing content spatially relative to users
  • CDNs serving JavaScript have been targeted to inject malicious content into pages; Subresource Integrity (SRI) lets a page pin the hash of a script so the browser refuses a tampered copy
  • CDN vendors offer DDoS protection and Web Application Firewalls (WAF)
  • Examples: video streaming, software download, audio streaming
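Added worked example (Python, not from the original deck) for the CDN script-injection point above: computing a Subresource Integrity value for a script you have reviewed and reproducing the browser's check against the bytes actually served. The script contents, the tampered copy and the `cdn.example` URL are constructed for the demo.

```python
import base64
import hashlib

SRI_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}   # the only algorithms SRI permits


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return the integrity value for a resource, e.g. 'sha384-<base64 digest>'."""
    if algorithm not in SRI_STRENGTH:
        raise ValueError("SRI allows only sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def sri_verify(content: bytes, integrity: str) -> bool:
    """Mimic the browser: the fetched bytes must match a listed hash.

    An integrity attribute may list several space-separated values. Only the
    values using the strongest listed algorithm count; weaker ones are ignored,
    so an attacker cannot downgrade by appending a weak hash of a tampered file.
    """
    candidates = []
    for token in integrity.split():
        algorithm, _, expected = token.partition("-")
        if algorithm in SRI_STRENGTH:
            candidates.append((SRI_STRENGTH[algorithm], algorithm, expected))
    if not candidates:
        return False          # unknown algorithms only: treat as failed integrity
    top = max(strength for strength, _, _ in candidates)
    return any(
        sri_hash(content, algorithm) == f"{algorithm}-{expected}"
        for strength, algorithm, expected in candidates
        if strength == top
    )


def script_tag(src: str, content: bytes) -> str:
    """Emit a <script> tag pinned to the bytes you audited.

    crossorigin="anonymous" is required for CDN files served with CORS,
    otherwise the browser cannot perform the integrity check.
    """
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


# Constructed sample: the library you reviewed, and a copy altered on the CDN.
GOOD_SCRIPT = b"export function add(a, b) { return a + b; }\n"
TAMPERED_SCRIPT = GOOD_SCRIPT + b"/* injected by a compromised CDN node */\n"

if __name__ == "__main__":
    tag = script_tag("https://cdn.example/lib.js", GOOD_SCRIPT)   # hypothetical URL
    print(tag)
    pinned = sri_hash(GOOD_SCRIPT)
    print("original passes:", sri_verify(GOOD_SCRIPT, pinned))
    print("tampered passes:", sri_verify(TAMPERED_SCRIPT, pinned))
```

Regenerate the integrity value whenever you deliberately upgrade the library; a stale hash blocks the new version just as it would block an injected one, which is the intended failure mode.
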
8
Q

OSI Model

A
  7. Application
  6. Presentation
  5. Session
  4. Transport
  3. Network
  2. Data Link
  1. Physical

Mnemonic (top down, layer 7 to layer 1): All People Seem To Need Data Processing

9
Q

Standard Network Topologies
STAR

A

Employs a centralized connection device

  • Can be a simple hub or switch
  • Each system is connected to the central hub by a dedicated segment
10
Q

Standard Network Topologies
MESH

A

Connects systems to all other systems using numerous paths

  • A partial mesh is possible
  • BENEFIT provides redundant connections to systems, allowing multiple segment failures without seriously affecting connectivity
11
Q

Standard Network Topologies
RING

A

Connects each system as points on a circle
  • The connection medium acts as a unidirectional transmission loop
  • Only one system can transmit data at a time; traffic management is performed by a token

NOTE: Token Ring is a ring-based network

12
Q

Standard Network Topologies
BUS

A

Connects each system to a trunk or backbone cable
  • All systems on the bus can attempt to transmit at the same time, which can result in collisions
  • A collision occurs when two systems transmit data at the same time; the signals interfere with each other

NOTE: classic coaxial Ethernet (10BASE2/10BASE5) is a bus network; modern switched Ethernet is wired as a star

13
Q

Analog Signals

A

Communications occur with a continuous signal that varies in amplitude, frequency, or phase

  • Variances occur in a wave shape
  • Communication is altered / corrupted over long distances due to interference and attenuation
14
Q

Digital Signals

A

Communications occur through a discontinuous electrical signal, i.e. state changes or on/off pulses

1s and 0s

  • More reliable than analog: a pulse is either present or absent, so small amounts of noise do not change the value
  • Uses voltage levels: voltage ON (high) is 1 and voltage OFF (low) is 0
15
Q

Synchronous Communication

A

Relies on a timing or clocking mechanism based on either an independent clock or a time stamp embedded in the data stream

  • Typically supports high rates of data transfer. Example: most network links
16
Q

Asynchronous Communication

A

Relies on start and stop delimiter bits to manage the transmission of each unit of data

  • Best suited for smaller amounts of data
  • Example: Public Switched Telephone Network (PSTN) modems
17
Q

Baseband

A

Supports only a single communication channel

  • Uses a direct current applied to the cable: a current at a higher level represents the binary 1 and a lower level represents 0
  • Is a form of digital signaling
  • Example: Ethernet
18
Q

Broadband

A

Can support multiple simultaneous signals; uses frequency modulation to carry numerous channels
  • Each channel supports a distinct communication session; suitable for high throughput, especially when several channels are multiplexed
  • Is a form of analog signaling
  • Examples: TV, cable modem, ISDN, DSL, T1, T3

19
Q

Broadcast

A

Technology supports communication to ALL possible recipients on the segment

20
Q

Multicast

A

Technology supports comms to multiple specific recipients

21
Q

Unicast

A

Technology supports only a single communication to one specific recipient

22
Q

Carrier Sense Multiple Access (CSMA)

A

Developed to decrease the chance of collisions when two or more stations start sending over the data link layer. Requires that each station first check (sense) the state of the medium before sending

23
Q

CSMA variations and collisions
CSMA/CA (collision avoidance)

A

Attempts to avoid collisions by granting only a single permission to communicate at any given time (used by 802.11 Wi-Fi, where stations cannot reliably hear their own collisions)

24
Q

CSMA variations and collisions
CSMA/CD (collision detection)

A

Responds to collisions by having each member of the collision domain wait a short but random period of time before starting the process over (classic shared-medium Ethernet)

25
Q

Token Passing

A

Performs communication using a **digital token**. A system may transmit only while it holds the token; once its transmission is complete it releases the token to the next system

NOTE: prevents collisions in ring networks

26
Q

Polling

A

Performs communication using a **primary/secondary (master-slave) configuration**. The primary system polls each secondary system in turn to ask whether it needs to transmit data

NOTE: used by Synchronous Data Link Control (SDLC), a layer 2 protocol used by IBM

27
Q

*Network Segmentation* Intranet

A

A **private network** designed to host the same kinds of information services found on the internet, for internal users only

28
Q

*Network Segmentation* Extranet

A

A section of an organization's network that has been **sectioned off** to act as an intranet for the private network but also serves information to authorized external parties over the public internet

NOTE: a cross between the Internet and an Intranet

29
Q

*Network Segmentation* DMZ

A

An **extranet** for **public** consumption; typically labeled a **perimeter network**. Placed between the internet-facing and internal firewalls so that a compromised public server cannot reach internal systems directly

30
Q

*Network Segmentation* Reasons for segmentation

A

  • **Boosting performance**: systems that often communicate are placed in the same segment
  • **Reducing communication problems**: reduces congestion and contains problems within each segment
  • **Providing security**: isolates traffic and limits user access to the segments where they are authorized
31
Q

Bluetooth (IEEE 802.15.1)

A

A Personal Area Network (PAN) technology operating in the 2.4 GHz band
  • Pairing has the primary device scan the 2.4 GHz band for available devices
  • Pairing with a 4-digit PIN helps prevent accidental pairings but is not secure: legacy PINs can be brute-forced by anyone who captured the pairing exchange

32
Q

*Mobile System Attacks* Bluejacking

A

Annoyance: pushing unsolicited messages to nearby Bluetooth devices using a loophole in the technology's messaging (contact-exchange) options

33
Q

*Mobile System Attacks* Bluesnarfing

A

Data theft: wirelessly connecting to early Bluetooth-enabled mobile devices without the owner's consent to steal data such as contacts, calendars, and messages

34
Q

*Mobile System Attacks* Bluebugging

A

Grants an attacker remote control over the features and functions of a Bluetooth device, including the ability to turn on the device microphone and use it as a bug

35
Q

Service Set Identifier (SSID) Broadcast

A

Wireless networks traditionally announce their SSID on a regular basis with a **beacon frame**
  • When the **SSID is broadcast**, any device can automatically detect and connect to the network
  • Hiding the SSID is **security through obscurity**: it is still visible in client probe requests and association frames
36
Q

Temporal Key Integrity Protocol (TKIP)

A

Designed as the replacement for WEP without the need to replace legacy hardware: it keeps WEP's RC4 cipher but adds per-packet key mixing and a message integrity check
  • Implemented in 802.11 wireless networking under the name **WPA** (Wi-Fi Protected Access)
  • Now deprecated; known attacks exist, so WPA2 (CCMP) or WPA3 should be used instead

37
Q

CCMP

A

**C**ounter Mode with **C**ipher Block Chaining **M**essage Authentication Code **P**rotocol
  • Created to **replace WEP and TKIP/WPA**
  • Uses **AES** (Advanced Encryption Standard) with a 128-bit key; the basis of WPA2

38
Q

Fibre Channel

A

A form of **network data storage** solution, typically a Storage Area Network (SAN), that allows for **high-speed** block-level data transfers

39
Q

Fibre Channel over Ethernet (FCoE)

A

Used to encapsulate Fibre Channel communications over Ethernet networks (requires lossless Ethernet)

40
Q

Internet Small Computer System Interface (iSCSI)

A

A **networking storage standard** based on IP that carries SCSI commands over TCP
  • Unencrypted by default: isolate storage traffic on its own network/VLAN and enable CHAP authentication between initiators and targets

41
Q

Site Survey

A

The process of investigating the **presence, strength, and reach** of *wireless* access points deployed in an environment, including rogue or neighboring APs
42
Q

Extensible Authentication Protocol (EAP)

A

**Authentication framework** (not a single method) that allows new authentication technologies to be **compatible** with existing wireless or point-to-point connection technologies; carried by 802.1X on wired and wireless networks

43
Q

Protected EAP (PEAP)

A

**Encapsulates the EAP** method within a **TLS tunnel**, which authenticates the server and encrypts the inner authentication exchange

44
Q

Lightweight EAP (LEAP)

A

**Cisco proprietary** EAP method developed to address deficiencies in WEP before the 802.11i/WPA2 standard was ratified
  • Deprecated: its MS-CHAP-based exchange is vulnerable to offline dictionary attacks on captured traffic

45
Q

MAC Filtering

A

A list of **authorized** wireless client interface MAC addresses, used by a wireless access point to **block** all **non-authorized** devices
  • Weak control: MAC addresses are transmitted in the clear and are trivially spoofed

46
Q

Captive Portals

A

Authentication technique that redirects a newly connected **wireless web client** to a portal access-control page before granting network access
  • Example: NCSU Guest Wi-Fi
47
Q

*Network Devices* Firewalls

A

Used to filter traffic based on rules (allow or deny by address, port, protocol, or, for higher-layer firewalls, application content)

48
Q

*Network Devices* Switch

A

Repeats traffic only out the port on which the destination is known to exist
  • Greater efficiency for traffic delivery, creates separate collision domains, improves overall data throughput

NOTE: usually layer 2, sometimes layer 3 (multilayer switch)

49
Q

*Network Devices* Router

A

Controls traffic flow on a network; often used to connect similar networks and control traffic flow between them
  • Can function using statically defined routing tables or employ a dynamic routing protocol

NOTE: layer 3

50
Q

*Network Devices* Gateways

A

Connect networks that use different network protocols. Also known as protocol translators; can be hardware devices or software services

NOTE: layer 3 and above, depending on what is being translated

51
Q

*Network Devices* Repeaters, Concentrators, Amplifiers

A

Strengthen the communication signal over a cable segment and connect network segments that use the same protocol

`Layer 1`

52
Q

*Network Devices* Bridges

A

Connect two networks (which may have different topologies, cabling types, and speeds) in order to join network segments that use the same protocol

`Layer 2`

53
Q

*Network Devices* Hubs

A

Connect multiple systems and join network segments that use the same protocol. A hub is a multiport repeater: every frame is repeated to every port, so any attached host can sniff all traffic

`Layer 1`

54
Q

*Network Devices* LAN Extenders

A

Remote-access multilayer switch used to connect distant networks over a WAN
55
Q

*LAN & WAN Technologies* Private Circuit

A

Use **dedicated physical circuits**. Examples:
  • Dedicated or leased lines
  • Point-to-Point Protocol (PPP)
  • Serial Line Internet Protocol (SLIP)
  • Integrated Services Digital Network (ISDN)
  • Digital Subscriber Line (DSL)

56
Q

*LAN & WAN Technologies* Packet-switching

A

Use **virtual circuits** instead of dedicated physical circuits; **efficient and cost effective** because the shared medium carries many customers' traffic. Examples:
  • X.25, Frame Relay
  • Asynchronous Transfer Mode (ATM)
  • Synchronous Data Link Control (SDLC)
  • High-Level Data Link Control (HDLC)
57
Q

*Firewalls* Static Packet-Filtering Firewalls

A

Filter traffic by examining data from the **message header** (source/destination address, protocol, port) against fixed rules

`Operate at layer 3 (and layer 4 for port numbers)`

58
Q

*Firewalls* Application-Level Firewalls

A

Filter based on a **single internet service, protocol, or application**, understanding that protocol's commands and content

`Operate at layer 7`

59
Q

*Firewalls* Circuit-Level Firewalls

A

Used to establish communication sessions between trusted partners; they verify the session handshake rather than the content. Example: SOCKS

`Operate at layer 5`

60
Q

*Firewalls* Stateful Inspection Firewalls

A

Evaluate the **state, session, or context** of network traffic, tracking each connection so that only packets belonging to an established, permitted session are allowed

61
Q

*Firewalls* Deep Packet Inspection Firewalls

A

A filtering mechanism that typically operates at the **application layer** in order to **filter the payload contents** of a communication rather than only the header values

62
Q

*Firewalls* Stateless Firewalls

A

Watch network traffic and restrict or **block packets** based on source and destination addresses or other **static values**
  • Not *aware* of traffic patterns or data flows; each packet is judged on its own
  • Handle **heavy traffic loads** well because they keep no per-connection state

63
Q

*Firewalls* Stateful Firewalls

A

Can watch **traffic streams from end to end**
  • Aware of communication paths
  • Can implement IPsec functions like tunnels / encryption
  • Better at identifying unauthorized or forged communications (e.g. an ACK with no preceding SYN)

64
Q

*Firewalls* Web Application Firewalls (WAF)

A

Protects web apps by filtering HTTP traffic between the app and the internet
  • Typically protects against common attacks like XSS, CSRF, and SQL injection
  • Some come **preconfigured with OWASP rulesets** (e.g. the OWASP ModSecurity Core Rule Set)

65
Q

*Firewalls* Next Generation Firewalls

A

A **deep packet inspection firewall** that moves beyond port / protocol inspection and blocking
  • Adds application-level inspection and brings in **intelligence from outside the firewall** (threat feeds, user identity)

66
Q

*Firewalls* Unified Threat Management (UTM)

A

A **multifunction device (MFD)** composed of several security features in *addition* to a firewall
  • May include IDS, IPS, TLS/SSL proxy, web filtering, QoS management, bandwidth throttling, NAT, VPN, antivirus
  • **Hard to scale; common in small and medium businesses (SMB)**

67
Q

*Firewalls* Network Address Translation Gateway (NAT)

A

**Allows** private subnets to communicate with the internet but **hides** the internal addresses from internet users
  • Hosts on the private subnet route outbound traffic through the NAT gateway; inbound connections cannot be initiated from the internet. NAT is not a substitute for a firewall: in a cloud VPC, the network ACLs and security groups on the private subnets still govern what is allowed

68
Q

*Firewalls* Content / URL Filter

A

**Looks at the content** of the web page or its URL and blocks based on filters
  • Used to block **inappropriate content** in the context of the situation
  • **Associated with deep packet inspection**

69
Q

*Firewalls* Open-Source

A

Vendor makes the **license freely available** and allows **access to the source code**
  • **No vendor support** (community support only)
  • Popular option: **pfSense**

70
Q

*Firewalls* Proprietary

A

**More expensive but tend to provide more / better protection** and more functionality / support (at a cost)
  • **No source code access**

71
Q

*Firewalls* Hardware

A

**Purpose-built network hardware**
  • May offer more configuration support for LAN and WAN
  • Often has better **throughput** because it is designed for the speeds and connection counts common to an enterprise network

72
Q

*Firewalls* Software

A

**Installed on your own hardware**
  • Provides more flexibility; can run on any **host**
  • **Host-based (software) firewalls are more exposed in some respects, since the underlying OS adds attack vectors**

73
Q

*Firewalls* Application

A

Typically filters only application-layer communications, often HTTP / web traffic. Example: the application-inspection features of an NGFW

74
Q

*Firewalls* Host-Based

A

An **application installed on a host OS**, on both client and server operating systems

75
Q

*Firewalls* Virtual

A

In the cloud, firewalls are implemented as **Virtual Network Appliances (VNA)**
  • Available from both the CSP and third parties
76
Q

Intrusion Detection System (IDS)

A

Analyzes whole packets, both **header** and **payload**, looking for known events
  • When an event is detected, a **log message is created**

`Reports and / or alerts`

77
Q

Intrusion Prevention System (IPS)

A

Analyzes whole packets, both **header** and **payload**, looking for known events
  • When an event is detected, the **packet is rejected** (requires an inline placement)

`Takes action`

78
Q

*Types of IDSs* Behavior Based

A

**Creates a baseline** of activity to identify normal behavior, then measures system activity against the baseline to detect abnormal behavior
  • Can detect **previously unknown attack methods**
  • Prone to false positives when legitimate behavior changes

79
Q

*Types of IDSs* Knowledge Based

A

Uses **signatures**, similar to the signature definitions used by anti-malware software
  • Only effective against **known attack methods**; low false-positive rate but blind to novel attacks
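Added example (Python, not part of the original deck) contrasting the two IDS types above on a constructed web-server access log: the knowledge-based detector matches URL-decoded request paths against a small signature list, while the behavior-based detector learns a per-source request-count baseline from a quiet period and flags sources that exceed it. Each catches something the other misses. Log lines, addresses and signatures are all constructed for the demo.

```python
import re
import statistics
from collections import Counter
from urllib.parse import unquote

# Knowledge-based: patterns for attacks we already know (constructed, deliberately small).
SIGNATURES = [
    ("sql-injection", re.compile(r"union\s+select|'\s*or\s+1=1", re.IGNORECASE)),
    ("path-traversal", re.compile(r"\.\./")),
    ("xss", re.compile(r"<script", re.IGNORECASE)),
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse(line):
    """Parse one common-log-format line; return a dict with the URL-decoded path, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = unquote(rec["path"])      # decode %27 etc. so signatures see the real payload
    return rec


def knowledge_based(lines):
    """Signature IDS: alert (src, signature_name) for every request matching a known pattern."""
    alerts = []
    for rec in filter(None, map(parse, lines)):
        for name, pattern in SIGNATURES:
            if pattern.search(rec["path"]):
                alerts.append((rec["src"], name))
    return alerts


def behavior_based(baseline_lines, window_lines, k=3.0):
    """Anomaly IDS: flag sources whose request count exceeds mean + k*stdev of the baseline period."""
    base_counts = Counter(rec["src"] for rec in filter(None, map(parse, baseline_lines)))
    mean = statistics.mean(base_counts.values())
    stdev = statistics.pstdev(base_counts.values())
    threshold = mean + k * stdev
    window_counts = Counter(rec["src"] for rec in filter(None, map(parse, window_lines)))
    return [(src, n) for src, n in window_counts.items() if n > threshold]


def _line(src, path, status=200):
    """Build one constructed access-log line."""
    return f'{src} - - [12/Mar/2024:10:00:00 +0000] "GET {path} HTTP/1.1" {status}'


# Quiet period used to learn "normal": 2-3 requests per visitor.
BASELINE_LINES = [
    _line("10.0.0.5", "/index.html"), _line("10.0.0.5", "/about.html"),
    _line("10.0.0.6", "/index.html"), _line("10.0.0.6", "/cart"), _line("10.0.0.6", "/checkout"),
    _line("10.0.0.7", "/index.html"), _line("10.0.0.7", "/search?q=shoes"),
]

# Detection window: one traversal attempt, one SQLi attempt, and a burst that matches no signature.
WINDOW_LINES = [
    _line("10.0.0.5", "/index.html"), _line("10.0.0.5", "/about.html"),
    _line("10.0.0.7", "/index.html"), _line("10.0.0.7", "/../../etc/passwd", 404),
    _line("10.0.0.9", "/search?q=%27%20UNION%20SELECT%20password%20FROM%20users--", 500),
] + [_line("10.0.0.9", f"/api/items/{i}") for i in range(7)]

if __name__ == "__main__":
    print("signature alerts:", knowledge_based(WINDOW_LINES))   # finds SQLi and traversal
    print("anomalous sources:", behavior_based(BASELINE_LINES, WINDOW_LINES))  # finds the burst
```

The signature detector says nothing about 10.0.0.9's enumeration burst, and the baseline detector says nothing about which request was malicious; production systems run both and correlate.
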
80
Q

Host Based IDS and IPS (HIDS, HIPS)

A

IDS / IPS in **software form**, installed on a host (often a server); sees host-level events such as log entries, file changes, and processes

81
Q

Network Based IDS and IPS (NIDS, NIPS)

A

IDS / IPS at the network level, often in **hardware** (appliance) form; sees traffic but not what happens on the hosts

82
Q

*NIDS / NIPS Modes of Operation* Inline (in-band)

A

Traffic **passes through** the NIDS / NIPS, which is placed **on or near the firewall** as an **additional layer** of security
  • Only this mode lets an IPS drop packets, but the device becomes a potential bottleneck or single point of failure

83
Q

*NIDS / NIPS Modes of Operation* Passive (out-of-band)

A

Traffic **does `NOT` go through** the NIDS / NIPS; it receives a copy via a SPAN/mirror port or a network tap
  • **Sensors and collectors** forward alerts to the NIDS
  • Can detect and alert, but cannot block in real time

84
Q

*Network Appliances* Sensors and Collectors

A

Can be placed on a network to **alert the NIDS** of any changes in traffic patterns
  • If you place a sensor on the internet side of the firewall, it sees **all** of the traffic from the **internet**, including what the firewall would have dropped
85
Q

*Secure Network Design* Bastion Host

A

Computer or appliance that is **exposed on the internet** and has been hardened by removing all unnecessary elements, such as services, programs, protocols, and ports

`Hardened`

86
Q

*Secure Network Design* Screened Host

A

A **firewall-protected system** logically positioned just inside a private network

`MORE SECURE` than a bare bastion host, because the firewall filters what reaches it

87
Q

*Secure Network Design* Screened Subnet

A

Similar to a screened host in concept: the subnet is placed between two routers or firewalls and the bastion host(s) are located within that subnet, so a compromised bastion still faces a second filter before reaching the internal network

88
Q

*Secure Network Design* Proxy Server

A

Functions on behalf of the client requesting a service, masking the true origin of the request from the resource

89
Q

*Secure Network Design* Honeypot

A

A decoy system that lures attackers into interacting with it so you can observe them
  • May only `ENTICE`, *not entrap*: offering an open, interesting-looking system is enticement; actively inducing someone to commit an offence they otherwise would not (for example, inviting the download of a fake payroll file) edges toward *entrapment*

`GOAL`: **distract** attackers from real assets and **isolate** them in a padded cell until you can track them down

90
Q

*Network Attacks* Teardrop Attack

A

DoS attack that involves sending **fragmented packets** to a target machine
  • The target cannot reassemble them because of a bug in TCP/IP fragment reassembly: the fragment offsets overlap and crash the machine

91
Q

*Network Attacks* Fraggle Attack

A

DoS attack that involves sending a large amount of **spoofed UDP traffic** to a router's broadcast address within a network; the spoofed source is the victim, which receives all the replies
  • A Smurf attack does the same thing with ICMP echo requests

92
Q

*Network Attacks* SYN Flood

A

DoS attack where the attacker sends many **SYN requests** (often from spoofed sources) to a target system and never completes the handshake, attempting to fill the half-open connection table and make the system unresponsive to legitimate traffic
  • Mitigations: SYN cookies, shorter half-open timeouts, larger backlogs

93
Q

*Network Attacks* Ping of Death

A

Sends an **oversized ping packet**
  • The maximum IPv4 packet size is 65,535 bytes; PoD sends fragments that reassemble to more than 65,535 bytes, overflowing the reassembly buffer on vulnerable stacks

94
Q

TCP 3-Way Handshake

A

Client --> SYN --> Server
Client <-- SYN + ACK <-- Server
Client --> ACK --> Server
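Added example (Python, not from the original deck) tying the SYN flood card to the handshake above: a listener that allocates a half-open entry per SYN and is exhausted by a flood, beside a listener that issues SYN cookies (a keyed MAC as its initial sequence number) and keeps no state until the client's ACK proves it really received the SYN+ACK. The class names, the 5-bit counter layout and the attacker/client addresses (TEST-NET ranges) are constructed for the demo; real stacks pack the cookie differently.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

SEQ_MOD = 1 << 32


class NaiveListener:
    """Allocates a half-open entry per SYN; a flood of spoofed SYNs exhausts the backlog."""

    def __init__(self, backlog: int = 128):
        self.backlog = backlog
        self.half_open: dict[tuple[str, int], int] = {}     # (src_ip, src_port) -> our ISN
        self.established: set[tuple[str, int]] = set()

    def on_syn(self, src_ip: str, src_port: int, client_seq: int):
        """Return our ISN for the SYN+ACK, or None when the backlog is full and the SYN is dropped."""
        if len(self.half_open) >= self.backlog:
            return None
        isn = secrets.randbits(32)
        self.half_open[(src_ip, src_port)] = isn
        return isn

    def on_ack(self, src_ip: str, src_port: int, client_seq: int, ack_num: int) -> bool:
        key = (src_ip, src_port)
        isn = self.half_open.get(key)
        if isn is None or ack_num != (isn + 1) % SEQ_MOD:
            return False
        del self.half_open[key]
        self.established.add(key)
        return True


class SynCookieListener:
    """Keeps no half-open state: the ISN is a keyed MAC over the connection 4-tuple and a time counter."""

    COUNTER_BITS = 5   # top bits of the ISN carry a coarse time counter so old cookies expire

    def __init__(self):
        self.secret = secrets.token_bytes(32)
        self.counter = 0                 # advanced by the caller to simulate time passing
        self.established: set[tuple[str, int]] = set()

    def _cookie(self, src_ip: str, src_port: int, client_seq: int, counter: int) -> int:
        c = counter % (1 << self.COUNTER_BITS)
        msg = f"{src_ip}|{src_port}|{client_seq}|{c}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        low = int.from_bytes(mac[:4], "big") & ((1 << (32 - self.COUNTER_BITS)) - 1)
        return (c << (32 - self.COUNTER_BITS)) | low

    def on_syn(self, src_ip: str, src_port: int, client_seq: int) -> int:
        # Nothing is stored: a spoofed SYN costs the server one MAC computation, not memory.
        return self._cookie(src_ip, src_port, client_seq, self.counter)

    def on_ack(self, src_ip: str, src_port: int, client_seq: int, ack_num: int) -> bool:
        """The ACK carries client_seq+1 and ack = ISN+1; recompute the cookie to validate it."""
        isn = (ack_num - 1) % SEQ_MOD
        tag = isn >> (32 - self.COUNTER_BITS)
        for c in (self.counter, self.counter - 1):          # accept current and previous epoch
            if c % (1 << self.COUNTER_BITS) == tag and self._cookie(src_ip, src_port, client_seq, c) == isn:
                self.established.add((src_ip, src_port))
                return True
        return False


def syn_flood(listener, count: int) -> None:
    """Constructed attacker traffic: spoofed SYNs from TEST-NET-3 that never complete the handshake."""
    for i in range(count):
        listener.on_syn(f"203.0.113.{i % 250 + 1}", 1024 + i, secrets.randbits(32))


def legit_handshake(listener, src_ip: str = "198.51.100.7", src_port: int = 51000) -> bool:
    """One honest client (constructed address) running the 3-way handshake against the listener."""
    client_seq = secrets.randbits(32)
    isn = listener.on_syn(src_ip, src_port, client_seq)              # SYN  -->
    if isn is None:                                                  # no SYN+ACK came back
        return False
    return listener.on_ack(src_ip, src_port, client_seq, (isn + 1) % SEQ_MOD)   # ACK -->


if __name__ == "__main__":
    naive = NaiveListener(backlog=128)
    syn_flood(naive, 128)
    print("naive listener accepts legit client after flood:", legit_handshake(naive))
    cookies = SynCookieListener()
    syn_flood(cookies, 10_000)
    print("SYN-cookie listener accepts legit client after flood:", legit_handshake(cookies))
```

The cost of cookies is that the server learns nothing from the SYN (e.g. window scaling options) until the ACK arrives, which is why real stacks only switch them on once the backlog fills.
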
95
Q

*ID vs AuthN* Identification

A

Subjects **claim** an identity (e.g. by typing a username)

96
Q

*ID vs AuthN* Authentication

A

Subjects **prove** their claimed identity by providing credentials

97
Q

*AuthZ vs Accountability* Authorization

A

*After authentication*, systems authorize subjects to access objects based on their **proven identity**

`After authentication`

98
Q

*AuthZ vs Accountability* Accountability

A

**Audit logs** and **audit trails** record events, including the identity of the subject that performed each action

`Provides proof`
`Identification + authentication + auditing = accountability`

99
Q

*Primary Authentication Factors* Passwords

A

**Weakest** form of authentication (something you know)
  • `Password policies` help increase security by enforcing **complexity**, **length**, and **history** requirements

100
Q

*Primary Authentication Factors* Smartcards

A

Something you have: include microprocessors and cryptographic certificates, with the private key held on the card

101
Q

*Primary Authentication Factors* Tokens

A

Something you have: create **one-time passwords** (time-based or counter-based)

102
Q

*Primary Authentication Factors* Biometric

A

Something you are: identify users based on characteristics like fingerprints

Know the `crossover error rate`

103
Q

*Biometrics* Gait Analysis

A

Identifies a person by the way they walk; can work with low-quality cameras

104
Q

*Biometrics* False acceptance

A

When an **invalid subject** is **authenticated**
  • **Type II error**, a **false positive**
  • FAR = False Acceptance Rate

`False acceptance is generally worse than false rejection` (an intruder gets in, versus a legitimate user being inconvenienced)

105
Q

*Biometrics* False rejection

A

When a **valid** subject is **rejected**
  • **Type I error**, a **false negative**
  • FRR = False Rejection Rate

106
Q

*Biometrics* Crossover Error Rate

A

Identifies the **accuracy** of a biometric method: the point where the **false rejection** rate is **equal** to the **false acceptance** rate (a lower CER is better)
  • Increasing the device's sensitivity (a stricter match threshold) lowers FAR but raises FRR, and vice versa; the CER is the property of the system you compare devices by, while the operating threshold is what you tune
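Added example (Python, not from the original deck) for the three biometrics cards above: computing FAR and FRR from match scores at a given threshold, sweeping the threshold to find the crossover, and then choosing an operating threshold that caps FAR at the cost of a higher FRR. The genuine and impostor score lists are constructed, not real biometric data.

```python
from __future__ import annotations

# Constructed match scores (0.0 = no match, 1.0 = perfect match), not real biometric data.
GENUINE_SCORES = [0.95, 0.9, 0.85, 0.8, 0.7, 0.6, 0.5, 0.4, 0.3, 0.2]    # enrolled users vs their own template
IMPOSTOR_SCORES = [0.05, 0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8, 0.85]   # other people vs an enrolled template


def error_rates(genuine, impostor, threshold):
    """Return (FAR, FRR) when any score >= threshold is accepted.

    FAR (Type II, false positive): impostors accepted / impostor attempts.
    FRR (Type I, false negative): genuine users rejected / genuine attempts.
    """
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def crossover_error_rate(genuine, impostor, steps=20):
    """Sweep the threshold and return (threshold, CER) where FAR and FRR are closest.

    At the crossover FAR == FRR, and that common value is the CER; a lower CER
    means a more accurate system regardless of how it is later tuned.
    """
    best = None
    for i in range(steps + 1):
        t = i / steps
        far, frr = error_rates(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    _, t, cer = best
    return t, cer


def tune_threshold(genuine, impostor, max_far):
    """Operational choice: the lowest threshold whose FAR does not exceed max_far.

    Returns (threshold, far, frr). Raising the threshold to cap FAR is paid for in FRR,
    which is the trade-off the CER card describes; the CER itself does not move.
    """
    for i in range(101):
        t = i / 100
        far, frr = error_rates(genuine, impostor, t)
        if far <= max_far:
            return t, far, frr
    return 1.0, 0.0, 1.0   # unreachable unless an impostor scores a perfect 1.0


if __name__ == "__main__":
    t, cer = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"CER {cer:.2f} at threshold {t:.2f}")
    for thr in (0.4, t, 0.75):
        far, frr = error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, thr)
        print(f"threshold {thr:.2f}: FAR {far:.2f}  FRR {frr:.2f}")
    print("cap FAR at 10%:", tune_threshold(GENUINE_SCORES, IMPOSTOR_SCORES, 0.10))
```

For access to a data center you would operate well to the right of the crossover (low FAR, high FRR) and accept the helpdesk calls; for unlocking a consumer phone the vendor usually sits closer to the crossover.
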
107
Single Sign-On
Allows subjects to **authenticate once** and **access multiple objects** without authenticating again. Common SSO standards: - **SAML** - SESAME - KryptoKnight - **OAuth** - **OpenID**
108
*SSO - SAML, OAuth, OpenID* Security Assertion Markup Language (SAML)
**XML-based** open standard data format for AuthN. and AuthZ data between parties - Between **ID provider** and a **service provider** - common in **federation scenarios**
109
*SSO - SAML, OAuth, OpenID* OAuth 2.0
Open standard for AuthZ, commonly used as a way for internet users to log into 3rd party websites with their Google (etc) accounts **without** exposing their password. - Developed by IETF, updated through RFC
110
*SSO - SAML, OAuth, OpenID* OpenID
Open standard, provides **decentralized** AuthN, allowing users to log into multiple unrelated websites with one set of credentials maintained by a 3rd party service refered to as **OpenID provider**
111