CISSP2D.txt

Card Set Information

Author: usma1976
ID: 306669
Filename: CISSP2D.txt
Updated: 2015-08-22 11:56:15
Tags: cissp
Description: smaller set

The flashcards below were created by user usma1976 on FreezingBlue Flashcards.


  1. Emergency procedures
    • 1. protect human life
    • 2. mitigate against further threats
  2. Business Continuity Standards
    • BS 25999 = British Standards Institution; BS 25999-1:2006 BCM Code of Practice and BS 25999-2:2007 Specification for BCM
    • ISO 27031:2011 Guidelines for information and communications technology readiness for business continuity
    • ISO 22301 Business Continuity Management systems
    • Business Continuity Institute's Good Practice Guidelines (GPG)
  3. Contingency plan
    Best if every department in a company has its own contingency plans and procedures, which roll up into the enterprise BCP
  4. BCP steps (in order) (9)
    • Initiate project
    • Assign responsibilities
    • Define continuity policy
    • Perform BIA
    • Identify preventive controls
    • Create recovery strategies
    • Develop BCP and DRP documents
    • Test plans
    • Maintain plans
  5. BIA steps (8)
    • Identify critical business functions
    • Decide on information gathering techniques: interviews, surveys etc.
    • Identify resources these functions depend on
    • Calculate how long these functions can be without these resources
    • Identify vulnerabilities and threats to these functions
    • Calculate the risk for each different business function
    • Develop backup solutions for resources based on tolerable outage times
    • Develop recovery solutions for the company's individual departments and for the company as a whole
  6. Work Recovery Time (WRT)
    • Part of MTD (maximum tolerable downtime)
    • WRT deals with restoring data, testing processes and making everything "live"
    • RTO deals with technology, infrastructure and systems
  7. Internet Architecture Board considers unethical (6)
    • purposely seeking unauthorized access
    • disrupting the intended use of the internet
    • wasting resources
    • destroying the integrity of computer-based information
    • compromising the privacy of others
    • conducting Internet-wide experiments in a negligent manner
  8. Computer evidence
    Intangible in that it is made up of bits and bytes and not objects that one can hold and understand

    Often considered hearsay as there is no first-hand evidence backing it up
  9. Admissible evidence (3)
    • Sufficient
    • Reliable
    • Relevant
  10. Employee suspected of computer crime?
    Must involve HR (even before legal)
  11. Council of Europe (CoE) Convention on Cybercrime
    First international treaty seeking to address computer crimes by coordinating national laws, improving investigative techniques, and international cooperation.
  12. Organization for Economic Cooperation and Development (OECD)
    provides guidelines on the protection of privacy and transborder flows of personal information

    international organization with 8 principles: limited collection; notification; consent; accuracy etc.
  13. Wassenaar Arrangement
    implements export controls for conventional arms and dual-use goods (like encryption)

    40 countries; 9 categories of areas covered (category 4 covers computers)
  14. Types of Evidence
    • Best evidence - primary evidence; most reliable
    • Secondary evidence - oral evidence; not as reliable as primary
    • Direct evidence - can prove a fact all by itself
    • Conclusive evidence - irrefutable; cannot be contradicted
    • Circumstantial evidence - can prove an intermediate fact which can then be used to deduce another fact
    • Corroborative evidence - supporting evidence to help prove a point; supplementary
    • Hearsay evidence - oral or written evidence that is second-hand and has no first-hand proof of accuracy or reliability; most computer evidence
  15. Incident Response (6)
    • Triage
    • Investigation
    • Containment
    • Analysis
    • Tracking
    • Recovery
  16. Software Piracy organizations
    • Software Protection Association (SPA)
    • Federation Against Software Theft (FAST): London
    • Business Software ALLIANCE (BSA): Washington, DC
  17. Types of Law (4)
    • Civil Law (system): rule-based law, not precedent-based; most widespread in the world; common in Europe
    • Common Law: based on previous interpretations of laws; includes CRIMINAL law and CIVIL/TORT law and ADMINISTRATIVE/Regulatory law = used in the US, UK, Australia etc.
    • Customary law: deals mainly with personal conduct and patterns of behavior; China and India
    • Religious law: based on religious beliefs
  18. Polyinstantiation
    Instantiation is when an object is created from a class.

    Polyinstantiation is when more than one object is made and the other copy is modified to have different attributes.

    This might be done to make a copy for security purposes so a lower-level subject can't access a higher-level object.
  19. Deter database inference attacks
    • Partitioning
    • cell suppression: make specific cells hidden or not viewable
    • noise and perturbation: bogus information
  20. ACID test
    • for databases
    • Atomicity: divides transactions into units of work; all committed or none
    • Consistency: must follow integrity policy/rules
    • Isolation: transactions execute in isolation, without interfering with other transactions
    • Durability: once deemed accurate, transactions are committed and cannot be rolled back
  21. SDLC steps (8)
    • 1. project initiation
    • 2. functional design analysis and planning
    • 3. system design specifications
    • 4. software development
    • 5. testing
    • 6. installation/implementation
    • 7. operational/maintenance
    • 8. disposal
  22. SYSTEM Development Life Cycle vs. SOFTWARE Development Life Cycle
    • System DLC:
    • 1. Initiation
    • 2. Acquisition/development (may include requirements, formal risk assessment, security requirements and assurance, 3rd party evaluations etc.)
    • 3. Implementation
    • 4. Operation/maintenance
    • 5. Disposal
  23. ISO 27002
    SYSTEM acquisition, development and maintenance
  24. Software Development life cycle (5)
    • Requirements gathering
    • Design
    • Development
    • Testing/Validation
    • Release/Maintenance
  25. Certification
    TECHNICAL testing of a system
  26. Accreditation
    MANAGEMENT acceptance/authorization of a system
  27. Requirements gathering (in SDLC)
    • Security requirements
    • Security risk assessment
    • Privacy risk assessment
    • Risk-level acceptance
  28. Privacy Impact Rating (3)
    • P1 High privacy risk: multiple or ongoing privacy data issues
    • P2 Moderate privacy risk: one (sole) issue
    • P3 Low privacy risk: no behaviors or features
  29. Testing (4)
    • Unit testing: individual components in controlled environment
    • Integration testing: components work together
    • Acceptance testing: code meets customer requirements
    • Regression testing: after changes are made, ensure everything still works
  30. Software development models (12)
    • Break and fix: no real planning
    • Waterfall: sequential; inflexible
    • V-model: verification and validation at every step
    • Prototyping: sample code/model
    • Incremental: usable code at each step
    • Spiral: iterative approach that emphasizes risk analysis at each iteration
    • Rapid Application Development (RAD): combines prototyping and iterative development
    • Agile: iterative and incremental; flexible
    • Exploratory: testing to a set of specifications
    • Joint Analysis Development (JAD): team approach
    • Reuse: reusable programs are evolved by modifying pre-existing prototypes
    • Cleanroom: highly structured and formal to prevent errors; used for high-quality and critical applications
  31. CMMI (5)
    • Initial =1 (ad hoc or chaotic)
    • Repeatable = 2 (no formal processes but can repeat)
    • Defined = 3 (formal procedures)
    • Managed = 4 (formal procedures PLUS metrics to force improvement)
    • Optimizing = 5 (continuous process improvement)
  32. Fuzzing
    software testing by providing invalid, unexpected or random data to the inputs of a program
  33. Object oriented programming (OOP) benefits (4)
    • Modularity: autonomous objects, cooperation through exchange of messages
    • Deferred commitment: internal components of an object can be redefined without changing other parts of the system
    • Reusability: refining classes through inheritance; other programs use the same objects
    • Naturalness: object-oriented analysis, design and modeling map to business needs and solutions

    OOP deals with classes and objects and communicates with messages
  34. Polymorphism
    two objects can receive the same input and have different outputs

    different objects respond to the same input in different ways
  35. Cohesion
    how many different types of tasks a module can carry out

    ONE task = HIGH cohesion = a good thing (lower complexity)
  36. Coupling
    how much interaction one module requires to carry out its tasks

    Loose coupling = little interaction = a GOOD thing versus high/tight coupling
  37. Buffer overflow
    application receives invalid input which allows the instruction pointer to be overwritten and execute code in the buffer
  38. Object relational database (ORD)
    a relational database with a software front end written in an object-oriented programming language

    allows business logic procedures (processing) to be part of the object being retrieved

    allows business logic procedures to be used by requesting applications and data within the database
  39. ActiveX Data Objects (4)
    • high-level data access programming interface to an underlying data access technology (like OLE DB)
    • set of COM objects for accessing data sources, not just database access
    • allows a developer to write programs that access data without knowing how the database is implemented
    • SQL commands are not required
  40. Database integrity services (3)
    • Semantic = structural and semantic rules are enforced
    • Referential = all FOREIGN keys point to a primary key
    • Entity = all Tuples have a unique PRIMARY key
  41. Knowledge discovery in databases (KDD)
    field of study that works with metadata and attempts to put standards and conventions in place on the way data are analyzed and interpreted

    used to identify patterns and relationships

    also called data mining
  42. Expert system
    Knowledge base PLUS inference engine

    uses AI to solve problems
  43. Artificial intelligence (AI)
    uses non-numeric algorithms to solve complex problems; recognizes hidden patterns

    cannot be accomplished by regular programming logic; not straight-forward
  44. Software configuration management (SCM)
    identifies the attributes of software at various points in time and performs a methodical control of changes for the purpose of maintaining software integrity and traceability

    formal change tracking
  45. Service oriented architecture (SOA)
    provides standardized access to the most needed services to many different applications at one time

    allows different business applications to access the same web services

    services within SOA are usually provided by WEB Services using web-based standards such as SOAP, HTTP, Web Services Description Language, Universal Description Discovery and Integration and XML

    • WSDL = machine readable description of specific operations provided by the service
    • UDDI = XML based registry that lists available services; allows them to be published and discovered
    • SOAP = XML and HTTP communications in a web service environment; defines how objects communicate
  46. Mashup
    a combination of functionality, data and presentation capabilities (commonly using open APIs and data sources) to provide some new service or functionality
  47. Directory traversal attack
    dot dot slash ../

    tries to get a URL to back up or traverse directories that aren't supposed to be accessible from the web
  48. URL encoding
    using %20 in a URL where spaces aren't allowed; attempts to represent characters differently
  49. Client side validation
    ensures input validation in a web form is conducted on the client

    good to do, but additional validation is usually still needed at the server
  50. SQL injection
    puts actual database commands into input fields to bypass authentication and reveal the database records

    a big issue in a 2-tier architecture where the web server software can directly communicate with the back-end database
  51. Cross site scripting (XSS) (3)
    • attempts to inject malicious code into a vulnerable web application (using client-side scripting such as JavaScript)
    • can result in the user executing the code and having cookies stolen, hijacked sessions etc.

    • Nonpersistent XSS = lack of proper input validation
    • Persistent XSS = stored data is accessed
    • DOM (Document Object Model) = local XSS; uses the DOM environment to modify client-side JavaScript
  52. Server side includes (SSI)
    server side scripting language

    reusing content on web pages by placing the same content in multiple web documents

    can be an attack vector if an attacker can substitute a file
  53. Due care vs due diligence
    Due diligence: going through the necessary steps to know what a company's risks are

    Due care: carrying out responsible actions to reduce those risks
  54. TCP wrappers (in operations security)
    wraps the different services available on a system

    provides a wrapper around incoming network traffic that forces the target operating system to inspect an ACL to ensure the requestor is allowed to access the SERVICE

    if not allowed, the packet is dropped and the connection is refused
  55. Dual control
    Requires two or more entities operating together to complete a task

    example might be key recovery
