Domain_3

Question 1

Secure design principles

Answer 1

Principles like least privilege, defense in depth, secure defaults, fail securely, separation of duties, keep it simple, zero trust, privacy by design, trust but verify, shared responsibility

Question 2

Quantum cryptography

Answer 2

Relevant and expanded information versus the official study guide for selecting and determining cryptographic solutions

Question 3

Cryptanalytic attacks

Answer 3

Brute force, ciphertext only, known plaintext, frequency analysis, chosen ciphertext, implementation attacks, side-channel, fault injection, timing, Man-in-the-Middle (MITM), Pass the hash, Kerberos exploitation, Ransomware

Question 4

Purpose of a security model

Answer 4

Provides a way for designers to map abstract statements into a security policy, determines how security will be implemented and what subjects/objects can access the system

Question 5

State machine model

Answer 5

Describes a system that is always secure no matter what state it is in based on the computer science definition of a finite state machine

Question 6

Information flow model

Answer 6

Focuses on the flow of information, includes Biba and Bell-LaPadula models

Question 7

Non-interference model

Answer 7

Concerned with how higher security level subjects affect lower level subjects, ensures different subjects/objects don’t interfere with each other

Question 8

Lattice-based model

Answer 8

Based on the interaction between objects and subjects, used to define security levels

Question 9

Simple security property

Answer 9

Describes rules for read operations (no read up)

Question 10

Star * security property

Answer 10

Describes rules for write operations (no write down)

Question 11

Invocation property

Answer 11

Rules around invocations (calls) to subjects

Question 12

Bell-LaPadula

Answer 12

No read up, no write down

Question 13

Biba

Answer 13

No read down, no write up

Question 14

Clark-Wilson

Answer 14

Access control triple (principal

Question 15

Brewer and Nash (Chinese Wall)

Answer 15

Prevents conflict of interest problems

Question 16

Mandatory Access Control (MAC)

Answer 16

Enforces policy determined by the system using classification labels, not by object owner

Question 17

Role of security policy

Answer 17

To inform and guide the design, development, implementation, testing, and maintenance of a system

Question 18

Trusted Platform Module (TPM)

Answer 18

A chip on the motherboard for storage and management of encryption keys, provides OS access to keys

Question 19

Trusted Computing Base (TCB)

Answer 19

Combination of hardware, software and controls that enforce the security policy

Question 20

Reference monitor

Answer 20

The logical part of the TCB that confirms access rights prior to granting access

Question 21

Security kernel

Answer 21

The collection of TCB components that implement the reference monitor functionality

Question 22

Common Criteria

Answer 22

Enables objective evaluation to validate that a product or system satisfies security requirements, has replaced TCSEC and ITSEC

Question 23

Covert channel

Answer 23

Method to pass information over a path not normally used for communication, outside normal security controls

Question 24

Type I hypervisor

Answer 24

Native or bare-metal hypervisor with no host OS

Question 25

Type II hypervisor

Answer 25

Hosted hypervisor running on top of a regular host OS

Question 26

Cloud Access Security Broker (CASB)

Answer 26

Security policy enforcement solution for cloud environments

Question 27

Multifactor Authentication (MFA)

Answer 27

Using multiple factors like something you know, have, and are for authentication

Question 28

Authentication vs Authorization

Answer 28

Authentication proves identity, authorization grants permissions based on proven identity

Question 29

Privilege and accountability

Answer 29

Least privilege

Question 30

Security flaws and vulnerabilities

Answer 30

Buffer overflows, backdoors, time-of-check-to-time-of-use (TOCTTOU) attacks

Question 31

Secure code principles

Answer 31

Process isolation, layering, abstraction, data hiding

Question 32

Physical security controls

Answer 32

Administrative (policies, procedures), logical (technical controls), physical (fencing, locks, etc.)

Question 33

Site selection factors

Answer 33

Visibility, surrounding area, accessibility, natural disaster effects

Question 34

Secure work area design

Answer 34

Restricted access areas

Question 35

Physical access control threats

Answer 35

Propping doors, masquerading, piggybacking

Question 36

Clean power needs

Answer 36

Electronic equipment requires clean, consistent power from sources like UPS systems