Stuff from Exams I don't know #3

Question 1

degree vs cardinality

Answer 1

Degree = number of columns/attributes

Cardinality = number of rows/tuples

Question 2

DRM

Answer 2

Digital Rights Management

Uses PErsistent online authentication, automatic expiration, continuous audit trails

Question 3

soc type 1 vs type 2

Answer 3

Type 1provide the auditors opinion on the description of controls provided by management, and the suitability of those controls.

Type 2 go further and also provide the audiors opinion on the operating effectiveness of controls over time.

Question 4

DB Foreign Key

Answer 4

Used to create relationships between tables in a DB. Referential integrity is enforced by ensuring the foreign key used on one table matches the primary key in the referenced table.

Question 5

Fagan Inspection

Answer 5

Type of team code review: A Fagan inspection is a process of trying to find defects in documents (such as source code or formal specifications) during various phases of the software development process.

Question 6

Reactive Threat Modeling

Answer 6

When you interact with an already existing system for threat modeling (whether or not an attack has taken place).

i.e. pen testing, ethical hacking, source code review, fuzz testing

Question 7

Proactive Approach/Proactive Threat Modeling

Answer 7

Takes place early in system development to put controls in place for modeled threats.

Question 7

Pass Around Review

Answer 7

Type of software review conducted by passing software off to other teammates via email or other method -i.e. github.

Allows devs to review code asynchronously.

Question 7

What linux file can be modified to limit the scope of “sudo” commands

Answer 7

The sudoers file.

This can list which users can use sudo as well as the commands and directories allowed.

Question 8

Primary purpose of periodically reviewing security training documentation:

Answer 8

Check for relevancy

Question 8

Best SDLC option when stable requirements and clear objectives are combined with need to prevent flaws, and have high control over dev process.

Answer 8

Waterfall

Question 8

EAL Levels

Answer 8

Functionally, Structurally, Methodically, Semiformally, Formally

Question 9

Session Guessing

Answer 9

Type of attack - prevented by Session Entropy and Session ID Length properly configured.

Question 10

Session ID Entropy

Answer 10

Refers to the randomness of a session id. Minimum of 64 bits is recommended

Question 11

Is a CDN or DDOS Mitigation service better at handling DDOS attacks?

Answer 11

CDN. CDNs can typically handle large scale DDOS attacks better

Question 12

Session ID Length

Answer 12

Straightforward. The length of the season Id used. Longer is better, recommended minimum of 128 bits

Question 13

Decomposing the application,, Determinint and ranking threats, and determining countermeasures and mitigaton.

These are commonly conducted during what process?

Answer 13

Threat Modeling

Question 14

Service Pack

Answer 14

Used to describe a collection of unrelated patches

Question 15

Update, Hotfix, Security fix all have what in common?

Answer 15

Generally are only a single patch for a single problem

Question 16

Golden Ticket attack

Answer 16

Use the hash of the KRBTGT user to impersonate anyone

Question 17

Kerberoasting rely on what?

Answer 17

Collected TGS (ticket granting server) tickets.

Question 18

Assurance

Answer 18

The degree of confidence that an organization has its security controls implemented properly.

Question 19

Is TLS an effective control to prevent Cookie Stealing?

Answer 19

YES

Question 20

Best practices for Session IDs

Answer 20

Session ID should have at least 64 bits of entropy, Session length should be at least 128 bits, Session ID should be meaningless

Question 21

Security assessments are for what audience?

Answer 21

Management

Question 22

Wapiti

Answer 22

Web App Scanning tool

Question 23

RFC 1087 Ethics and the Internet

Answer 23

Activities that is defined as objectionable and unethical.

Purposely seeks to gain unauthorized access to the resources of the Internet
Destroys the integrity of computer-based information
Disrupts the intended use of the Internet
Wastes resources such as people, capacity, and computers through such actions
Compromises the privacy of users
Involves negligence in the conduct of Internet-wide experiments

Question 24

Is the CEO usually involved with the BCP planning team?

Answer 24

No

Question 25

Can someone in the IT department run an internal audit?

Answer 25

No. Usually this will be another internal compliance department

Question 26

Does an SLA usually reference details around confidentiality?

Answer 26

No. This would be in an NDA

Question 27

Are watermarks limited to use in images?

Answer 27

No. For example an organization could apply watermarks to intellectual property or trade secrets

Question 28

What is a multistate system in a MAC environment?

Answer 28

A system authorized to handle information at multiple classification levels

Question 29

Mail-bombing

Answer 29

Type of DOS attack.
DoS or denial of service attacks dispatch large quantities of email messages to a user’s inbox

Question 30

What will show up in the /etc/passed file when shadowed passwords are used?

Answer 30

X

Question 31

ISO 27002

Answer 31

Supporting standard on how information security controls can be implemented.

Question 32

ATO authorization to operate

Answer 32

Through the Certification and Application process, an IT system can be declared safe and authorized to operate within an organization’s system. This formal declaration is known as Authorization to Operate (ATO), and it’s usually signed after a Certification Agent confirms that the product has met all the requirements.

Question 33

IPT

Answer 33

Integrated product teams

Question 34

Iterative waterfall

Answer 34

The more modern version of the Waterfall.

iterative waterfall allows development to return to the previous phase to correct defects discovered during the subsequent phase.

• This is known as the Feedback Loop characteristic of the waterfall.

Question 35

What element of the certificate goes on the CRL

Answer 35

Serial number

Question 36

UEBA

Answer 36

User and Entity Behavior Analysis:

Analyzes the behavior of users, subjects, visitors, customers, and so on.

Builds a profile on each entity, then can be used to detect deviations from the norm.

Can be used to improve personnel security policies, procedures, training, and security oversight programs.

Question 37

Certification versus Accreditation versus Verification versus Assurance

Answer 37

Certification: Formal evaluation ensuring a system complies with security standards, providing assurance through testing and documentation review (e.g., ISO 27001).

Accreditation: Official approval granted after certification, authorizing a system for use within a specific environment, considering risk management and organizational policies (e.g., FedRAMP).

Verification: Process of confirming correct implementation and effectiveness of security controls within a system, validating compliance with security requirements (e.g., verifying encryption protocols).

Assurance: Confidence or trust in a system’s security controls to protect information and meet security objectives, often achieved through testing, analysis, and validation processes (e.g., Common Criteria assurance levels).

Question 38

Edge vs Fog Computing

Answer 38

Edge Computing - intelligence and processing is contained within each device.

Fog Computing - there may be intelligence and processing contained in each device, but devices send data back to a central processing location.

Question 39

What layer is IPSec at?

Answer 39

Layer 3

Question 40

JIT just in time provisioning

Answer 40

Just-In-Time (JIT) provisioning refers to a method of creating user accounts or provisioning access rights dynamically and on-demand, typically triggered by the user’s first attempt to access a system or service. In the context of identity and access management, JIT provisioning ensures that user accounts are created or modified at the moment of need, reducing the need for manual administrative intervention and streamlining the user onboarding process.

Question 41

Who designed COBIT

Answer 41

ISACA

Question 42

Why is directory indexing a risk?

Answer 42

Directory indexing poses a security risk because it can expose sensitive information and files on a web server when proper access controls are not enforced. Enabling directory indexing without adequate safeguards may inadvertently disclose directory contents to potential attackers, leading to unauthorized access and potential security breaches.

Question 43

Which IPsec mode adds a new header?

Answer 43

Tunnel

Question 43

FedRAMP

Answer 43

Govt wide program that provides standardized approach to sec assessment, authorization, and monitoring of cloud services.

Question 43

Advantage of OCSP over CRL

Answer 43

CRLs can be large and require a lot of bandwidth when downloaded.

Question 43

GDPR - how many days to disclose a data breach?

Answer 43

3 days

Question 44

Role of Industry Standards in Compliance

Answer 44

Provide guidance on best practices for compliance.

Question 45

GDPR definition of personal data?

Answer 45

Any data that can be used to identify an individual.

Question 46

Middleware

Answer 46

Middleware is software that acts as an intermediary layer, facilitating communication and interaction between different applications, systems, or components. It plays a crucial role in enabling interoperability and seamless data exchange in distributed computing environments by providing a set of services that abstract complexities associated with communication and integration.