New Knowledge Points

Question 1

Diameter vs Radius

Answer 1

Diameter is largely used in the 3/4G space, RADIUS is used elsewhere. Was intended to replacement for RADIUS, but the use cases changed and both now have different uses. Also provides centralized AAA (Authentication, Authorization, and Accounting) management for users who connect and use a network service.

Question 2

Due diligence vs Due care

Answer 2

Due diligence is planning. Due care is doing the right thing.
Due diligence is first, then due care.
Duo Care - prudent person rule - asking “Would a prudent person do in the same situation?”

Question 3

ISC2 Code of Ethics Canons

Answer 3

ISC2 Code of Ethics Canons:
1. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
2. Act honorably, honestly, justly, responsibly, and legally.
3. Provide diligent and competent service to principles.
4. Advance and protect the profession.

Question 4

PATRIOT Act of 2001

Answer 4

Expands law enforcement electronic monitoring capabilities. Allows search and seizure without immediate disclosure.

Question 5

Penetration test phases -NIST defines

Answer 5

Planning
Information gathering and discovery
Attack
Reporting

Question 6

Hash Functions: RIPEMD

Answer 6

RIPEMD: Developed outside of defense to ensure no government backdoors. 128, 256, 320 bit hashes. Not widely used. No longer secure.

Question 7

SRAM (Static RAM)

Answer 7

SRAM (Static RAM): Fast and expensive. Uses latches to store bits (Flip-Flops). Does not need refreshing to keep data, keeps data until power is lost. This can be embedded on the CPU.

Question 8

HIPAA

Answer 8

HIPAA is the Health Insurance Portability and Accountability Act.

Question 9

Regression testing

Answer 9

Finding defects after a major code change has occurred. Looks for software regressions, as degraded or lost features, including old bugs that have come back.

Question 10

MTD > RTO + WRT

Answer 10

The time to rebuild the system and configure it for reinsertion into production must be less than or equal to the MTD.

Question 11

Clipper chip

Answer 11

The Clipper chip was a chipset that was developed and promoted by the United States National Security Agency (NSA) as an encryption device that secured “voice and data messages” with a built-in backdoor. It used SkipJack, a block cipher.

Question 12

On which layer of the Open Systems Interconnect (OSI) model do we establish the connection between 2 applications?

Answer 12

Layer 5: Session Layer: Establishes connection between 2 applications: Setup > Maintenance > Tear Down.

Question 13

The purpose of production acceptance testing

Answer 13

Compatibility/production testing: Does the software interface as expected with other applications or systems? Does the software perform as expected in our production environment vs. the development environment

Question 14

Wi-Fi Protected Access 2 (WPA2) provides users with a higher level of assurance that their data will remain protected by using which protocol?

Answer 14

Extensible Authentication Protocol (EAP)

Question 15

Static testing

Answer 15

Passively testing the code, it is not running. This is walkthroughs, syntax checking, and code reviews. Looks at the raw source code itself, looking for evidence of known insecure practices, functions, libraries, or other characteristics having been used in the source code.

Question 16

Real Evidence

Answer 16

Real Evidence is tangible and physical objects, in IT Security it is things like hard disks, USB drives and not the data on them.

Question 17

Polyinstantiation

Answer 17

Polyinstantiation (Alternative Facts) – Two (or more) instances of the same file depending on who accesses it. The real information may be available to subjects with Top Secret clearance, but different information will be available to staff with Secret or lower clearance.

Question 18

Type of the trust domain

Answer 18

One-way trust, Two-way trust, Trusted domain, Transitive trust and Intransitive trust are all trust domains, there is no reflective trust.

Question 19

Exigent circumstances

Answer 19

Exigent circumstances apply if there is an immediate threat to human life or of evidence destruction. This will later be decided by a court if it was justified. Only applies to law enforcement and those operating under the “color of law” – Title 18. U.S.C. Section 242 – Deprivation of Rights Under the Color of Law.

Question 20

For access control management, which of these is considered something you have?
A. Fingerprint.
B. Cookie on computer.
C. PIN.
D. MAC address.

Answer 20

B. Cookie on computer.
Explain: Things in your possession, not things you know (knowledge factor) or something you are (biometrics).

Question 21

Digital forensics should always be done on bit-level copies of the original, never the original. Is it True or false?

Answer 21

True

Question 22

Fail-open and fail-closed

Answer 22

In the context of the physical world, the terms fail-open
is a synonym for fail-safe, and fail-closed is a synonym for fail-secure

Question 23

Unstructured audits

Answer 23

Unstructured audits: Internal auditors to improve our security and find flaws, often done before an external audit.

Question 24

Which of these is NOT covered by the Wassenaar Arrangement?
Rockets.
Encryption algorithms.
SQL Databases.
Munitions.

Answer 24

SQL Databases.

Question 25

Typosquatting

Answer 25

Typosquatting is a form of cybercrime that involves hackers registering domains with deliberately misspelled names of well-known websites.

Question 26

Key stretching

Answer 26

Key stretching – Adding 1-2 seconds to password verification. If an attacker is brute forcing password and need millions of attempts it will become an unfeasible attack. Brute Force attacks uses the entire key space (every possible key), with enough time any plaintext can be decrypted. Effective against all key based ciphers except the one-time pad, it would eventually decrypt it, but it would also generate so many false positives the data would be useless.

Question 27

Clipping levels

Answer 27

Clipping levels are thresholds of acceptable user errors and suspicious activities. If this threshold is exceeded, it must be logged and the administrator must decide if any malicious activity is taking place or if the user needs some training.

Question 28

What kind of proof does the Civil Law (Tort Law) require?

Answer 28

Civil Law (Tort Law): Individuals, groups or organizations are the victims and proof must be ”the majority of proof” / “More likely than not”. Financial fines to “Compensate the victim(s)”.

Question 29

The evidence we collect must be accurate, complete, authentic, convincing, and admissible.

Question 30

Drill for security awareness training

Answer 30

Drills (exercises): Walkthroughs of the plan; main focus is to train staff, and improve employee response

Question 31

Servers pull cold air in from the cold aisles and push out in the warm aisles. The cold aisles would be at the front of the rack and the hot aisles at the rear of the rack. Servers have intake in the front and exhaust in the back and switches are often reserved.

Question 32

Crypto-shredding

Answer 32

Crypto-shredding is a data destruction technique that consists in destroying the keys that allow the data to be decrypted, thus making the data undecipherable. It can be used to destruct data in the cloud server. It uses the symmetric algorithm key.

Question 33

In the context of security incident response, which of the following is the MOST important consideration when determining the severity of an incident? A) The number of affected systems B) The financial impact on the organization C) The level of media attention D) The potential harm to the organization's reputation

Answer 33

B) The financial impact on the organization

Question 34

S/MIME

Answer 34

The Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol has emerged as a de facto standard for encrypted email. S/MIME uses the RSA encryption algorithm and has received the backing of major industry players, including RSA Security.

Question 35

ASLR

Answer 35

Address space layout randomization -  is a memory-protection process for operating systems (OSes) that guards against buffer-overflow attacks by randomizing the location where system executables are loaded into memory.

Question 36

TEMPEST

Answer 36

The TEMPEST program creates technology that is not susceptible to Van Eck phreaking attacks because it reduces or suppresses natural electromagnetic emanations

Question 37

SSAE

Answer 37

Statement on Standards for Attestation Engagements no. 16 is an auditing standard for service organizations, produced by the American Institute of Certified Public Accountants Auditing Standards Board, which supersedes Statement on Auditing Standards no. 70 and has been superseded by SSAE No. 18

Question 38

TACACS+ vs Radius

Answer 38

TACACS+ uses TCP and encrypts the entire session, unlike RADIUS, which only encrypts the password and operates via UDP.

Question 39

NDA

Answer 39

A nondisclosure agreement (NDA) is a legal agreement between two parties that specifies what data they will not disclose. NDAs are common in industries that have sensitive or trade secret information they do not want employees to take to new jobs.

Question 40

Authentication Error Type

Answer 40

Type 1 errors occur when a valid subject is not authenticated. Type 2 errors occur when an invalid subject is incorrectly authenticated. Type 3 and Type 4 errors are not associated with biometric authentication.

Question 41

Responsibility for the serverless computing model

Answer 41

In a serverless computing model, the vendor does not expose details of the operating system to its customers. Therefore, the vendor retains full responsibility for configuring it securely under the shared responsibility model of cloud computing.

Question 42

Software Capability Maturity Model (SW-CMM)

Answer 42

Initial – good practices are disorganized and chaotic; poorly controlled. Repeatable – reactive practices and a bit more organized but not necessarily defined. Defined – formal practices/processes that are well-understood and proactive. Managed – quantitative, measured, calculatable, and assessable. Optimizing – practices/processes are continuously optimized and improved.

Question 43

A database failure in the middle of a transaction causes the rollback of the entire transaction. In this scenario, the database would not execute either command because doing so would violate the atomicity property of the transaction.

Question 44

NetFlow records

Answer 44

NetFlow records contain an entry for every network communication session that took place on a network and can be compared to a list of known malicious hosts.

Question 45

CRL

Answer 45

The certificate revocation list contains the serial numbers of digital certificates issued by a certificate authority that have later been revoked.

Question 46

IPSec

Answer 46

The Authentication Header provides authentication, integrity, and nonrepudiation for IPsec connections. The Encapsulating Security Payload provides encryption and thus provides confidentiality. It can also provide limited authentication.

Question 47

Limit checks

Answer 47

Input validation ensures that the data provided to a program as input matches the expected parameters. Limit checks are a special form of input validation that ensure that the value remains within an expected range, as is the case described in this scenario.

Question 48

Take grant protection model

Question 49

HIPPA

Answer 49

HIPAA regulates three types of entities—healthcare providers, health information clearinghouses, and health insurance plans—as well as the business associates of any of those covered entities. A health and fitness application developer would not necessarily be collecting or processing healthcare data, and the terms of HIPAA do not apply to this category of business

Question 50

Kerckhoffs’ principle

Answer 50

Kerckhoffs’ principle says that a cryptographic system should be secure even if everything about the system, except the key, is public knowledge.

Question 51

Real user monitoring (RUM)

Answer 51

Real user monitoring (RUM) is a passive monitoring technique that records user interaction with an application or system to ensure performance and proper application behavior. RUM is often used as part of a predeployment process using the actual user interface.

Question 52

Inference attack

Answer 52

In an inference attack, the attacker uses several pieces of generic nonsensitive information to determine a specific sensitive value.

Question 53

Salami slicing attack,

Answer 53

In a salami slicing attack, the attacker siphons off minute quantities of money many times to accumulate a large amount of funds.

Question 54

Data diddling attack, t

Answer 54

In a data diddling attack, the attacker alters the contents of a database.

Question 55

Dynamic application security tools and static application security testing (SAST) tools.

Answer 55

Dynamic application security tools conduct their testing by actually executing the code. This is the case for both fuzzing and web application vulnerability scanning. Code reviews and static analysis packages analyze the code itself but do not execute it, making them static application security testing (SAST) tools.

Question 56

Evidence requirements

Answer 56

To be admissible, evidence must be relevant, material, and competent.

Question 57

BAA

Answer 57

HIPAA requires that anyone working with personal health information on behalf of a HIPAA-covered entity be subject to the terms of a business associates agreement (BAA).

Question 58

key escrow

Answer 58

In a key escrow arrangement, a cryptographic key is stored with a third party for safekeeping. When certain circumstances are met, the third party may use the escrowed key to either restore an authorized user’s access or decrypt the material themselves. This third party is known as the recovery agent. In an M of N control system, at least M of N possible escrow agents work together to perform high-security tasks. For example, M of N agents must collaborate to retrieve an encryption key from the escrow database.

Question 59

Split Knowledge

Answer 59

When the information or privilege required to perform an operation is divided among multiple users, no single person has sufficient privileges to compromise the security of an environment. This separation of duties and two-person control contained in a single solution is called split knowledge.

Question 60

Automated recovery without undue loss

Answer 60

In an automated recovery, the system can recover itself against one or more failure types. In an automated recovery without undue loss, the system can recover itself against one or more failure types and also preserve data against loss.

Question 61

USPTO VS The Library of Congress

Answer 61

USPTO - United States Patent and Trademark Office The Library of Congress administers the copyright program.

Question 62

Parameter checking, or input validation

Answer 62

Parameter checking, or input validation, is used to ensure that input provided by users to an application matches the expected parameters for the application. Developers may use parameter checking to ensure that input does not exceed the expected length, preventing a buffer overflow attack.

Question 63

ROSI

Answer 63

ROSI - Return on Security Investment. RoSI = (Benefits of Security Investment – Cost of Security Investment) / Cost of Security Investment

Question 64

TCO

Answer 64

Total Cost of Ownership (TCO) – The mitigation cost = upfront + ongoing cost (Normally Operational)

Question 65

Password expiration recommendation

Answer 65

Modern recommendations from the National Institute of Standards and Technology (NIST) are that users should not be forced to change their passwords through the use of password expiration policies. More information on these recommendations may be found in NIST Special Publication (SP) 800-63B, “Digital Identity Guidelines.”

Question 66

STRIDE

Answer 66

Spoofing – faking an identity Tampering – modifying the data Repudiation – maintaining the ability to deny that they’ve done anything (remaining undetected) Information disclosure – the release or theft of protected data Denial of service – the impact to availability Elevation of privilege – typically escalation to administrative rights on a system I highly recommend getting more familiar with these concepts, along with reading the book and other sources.

Question 67

Information Security Management

Answer 67

It structures, implements and maintains appropriate policies, procedures, standards and guidelines in order to obtain an acceptable level of risk.

Question 68

Data Classification vs Data Categorization

Answer 68

the difference between classification and categorization is that classification indicates value, and categorization indicates impact. Both will drive the security requirements

Question 69

CSIS 5 critical tenets

Answer 69

Offense Informs Defense Prioritization Metrics Continuous Diagnostics and Mitigation Automation

Question 70

Data Control VS Data assurance

Question 71

WPA3

Answer 71

The replacement for WPA2, adds security features including a new mode called simultaneous authentication of equals that replaces the pre-shared key mode from WPA2 with a more secure option. Overall, it provides security improvements, but may not be immediately implemented due to time for hardware and software to fully support it.

Question 72

Backout plan

Answer 72

Backout plans are required in some change management processes to ensure that the thought process and procedures for what to do if something does not go as planned are needed. Validating backout plan quality can be just as important as the change, and you may find, in many organizations, if nobody is watching that backout plans may read, “Undo the change we made.”

Question 73

DRM

Answer 73

Digital rights management (DRM) is the use of technology to control access to copyrighted material. It also enables copyright holders and content creators to manage what users can do with their content, such as how many devices they can access media on and whether they can share it.

Question 74

Electronic discovery process 

Answer 74

During the preservation phase, the organization ensures that information related to the matter at hand is protected against intentional or unintentional alteration or deletion. The identification phase locates relevant information but does not preserve it. The collection phase occurs after preservation and gathers responsive information. The processing phase performs a rough cut of the collected information for relevance.

Question 75

A. WBS chart B. PERT chart C. Gantt chart D. Wireframe diagram

Answer 75

PERT charts use nodes to represent milestones or deliverables and then show the estimated time to move between milestones. Gantt charts use a different format with a row for each task and lines showing the expected duration of the task. Work breakdown structures are an earlier deliverable that divides project work into achievable tasks. Wireframe diagrams are used in web design.

Question 76

forensic disk controller

Answer 76

A forensic disk controller performs four functions. One of those, write blocking, intercepts write commands sent to the device and prevents them from modifying data on the device. The other three functions include returning data requested by a read operation, returning access-significant information from the device, and reporting errors from the device back to the forensic host.

Question 77

Windows system and the Syslog server

Answer 77

Windows systems generate logs in the Windows native logging format. To send syslog events, Windows systems require a helper application or tool. Enterprise wireless access points, firewalls, and Linux systems all typically support syslog.

Question 78

Access to a System in System High mode

Answer 78

For systems running in System High mode, the user must have a valid security clearance for all information processed by the system, access approval for all information processed by the system, and a valid need to know for some, but not necessarily all, information processed by the system.

Question 79

Database - Primary keyccccccccccccccccccccccccccccccccccccccccccccccccccc

Answer 79

Any primary key is, by definition, also a candidate key.

Question 80

SOFTWARE DEVELOPMENT LIFECYCLE (SDLC)

Answer 80

Planning/initiation Functional requirements definition System design specifications Development Acceptance Transition to production implementation Revision/replacement Maintenance/operation

Question 81

RFC

Answer 81

RFC - request for change. Each change should result from a reviewed and approved RFC. These RFCs may be approved by the change advisory board (CAB).

Question 82

CSM and CDM

Answer 82

CSM - Cloud Service Model. IaaS, PaaS and SaaS are the three most popular types of cloud service models. CDM - Cloud Deployment Model. There are four cloud deployment models: public, private, community, and hybrid.

Question 83

TOCTOU

Answer 83

TOCTOU - time-of-check to time-of-use, is a class of software bugs caused by a race condition involving the checking of the state of a part of a system (such as a security credential) and the use of the results of that check.”

Question 84

Which of the following types of code review is not typically performed by a human? A. Software inspections B. Pair programming C. Static program analysis D. Software walk-throughs

Answer 84

Answer: C Static program reviews are typically performed by an automated tool. Program understanding, program comprehension, pair programming, software inspections, and software walk-throughs are all human-centric methods for reviewing code.

Question 85

Forensic Disk Controller

Answer 85

A forensic disk controller performs four functions. 1. Write blocking, intercepts write commands sent to the device and prevents them from modifying data on the device. 2. Returning data requested by a read operation. 3. Returning access-significant information from the device. 4. Reporting errors from the device back to the forensic host. The controller should not prevent read commands from being sent to the device because those commands may return crucial information.

Question 86

Synthetic Monitoring

Answer 86

Usually involving running scripts. Most typically against a web application.

Question 87

The elements in change management

Answer 87

what elements are part of change management, the elements are: Schedule and communication plans. Find project champions User Acceptance Training (UAT) Other types of training Live communication Support and feedback Continuous learning Success analysis

Question 88

MTTF

Answer 88

Mean time to failure provides the average amount of time before a device of that particular specification fails.

Question 89

Fence - 8 feet to deterrent intruders Light - 8 feet plus 2 feet candle

Question 90

Once a vulnerability scanner identifies a potential problem, validation is necessary to verify that the issue exists. Reporting, patching, or other remediation actions can be conducted once the vulnerability has been confirmed.

Question 91

Evidence must be relevant, complete, sufficient and reliable

Question 92

CASB

Answer 92

Cloud Access Security Broker