CISSP4

Card Set Information

Author:
usma1976
ID:
306681
Filename:
CISSP4
Updated:
2015-08-23 18:35:59
Tags:
CISSP
Description:
continued review

The flashcards below were created by user usma1976 on FreezingBlue Flashcards.


  1. Virtual password
    the length and format required by an application
  2. Security policy (5)
    • Purpose
    • Scope
    • Responsibilities
    • Compliance
    • Enforcement
  3. Healthcare standards
    Initially NIST 800-30 and 800-66 were designed for the healthcare field and other regulated industries
  4. Scripting
    • simplest method of SSO; sign-on information is embedded in the script
    • least secure, as the password and username are in plain text
  5. Kerberos authenticator
    • user sends identification information and a timestamp encrypted with a shared session key. If the data matches, the user is allowed to communicate with the resource.
    • timestamp helps prevent replay attacks
  6. Kerberos
    • The user only sends over his username to the AUTHENTICATION service (AS).
    • The AS creates a TICKET GRANTING TICKET (TGT) which is encrypted with the user's secret key.
    • The TGT is used to communicate to the TICKET GRANTING SERVICE (TGS).
    • The TGS creates a ticket that contains 2 instances of the same session key, each encrypted with an individual principal's secret key. It is this second ticket that allows the two principals to obtain their session keys.
  7. MAC vs DAC
    • Mandatory access control uses security labels.
    • Discretionary access control (DAC) uses access control lists in a MATRIX.
    • DAC is user directed (users or data owners)
  8. Service Provisioning Markup Language
    allows for the automation of user management (account creation, amendments, revocation) and access entitlement configuration related to electronically published services across multiple provisioning systems
  9. Cookies
    • can be in the format of a text file stored permanently on the user's hard drive or held in memory only
    • can wipe sensitive information or hold only in memory
  10. Failure Modes and Effect Analysis (FMEA)
    • a risk assessment methodology
    • method for determining failures, identifying functional failures, and assessing the causes of failure and their effects through a structured process
  11. Data owner and system owner
    • System owner: responsible for implementing and configuring security controls
    • Data owner: responsible for outlining the security level required for the data and the appropriate use of the data
  12. Harrison-Ruzzo-Ullman model
    • newer model which outlines how access rights can be changed and how subjects and objects should be created and deleted
    • more granular than other models
  13. TCSEC evaluations
    • products are submitted to the National Computer Security Center (NCSC)
    • products ultimately published in the Evaluation Product List (EPL)
    • the act of rating a product's security capabilities is called the Trusted Products Evaluation Program (TPEP)
  14. Multilevel security mode
    • Permits two or more classification levels of information to be processed at the same time
    • all users do not have clearance to access all of the information being processed
  15. Lattice
    an access control model that provides an upper bound and lower bound outlining what a subject can and cannot do to individual objects
  16. Clark-Wilson
    • integrity model
    • dictates that critical tasks should be split up between users (separation of duties) and
    • a subject should only be able to access and modify an object by using an application (ACCESS TRIPLE)
    • also dictates that internal and external consistency should be in place
  17. Page fault
    When data written to the hard drive (paged) is RECALLED back into main memory
  18. Trusted Computing Base (TCB)
    • can be hardware, software and firmware
    • provides protection mechanisms in a system
  19. Multiprogramming vs. multiprocessing
    • when an operating system and CPU can execute more than one program at a time
    • different from multiprocessing as the OS has less control in releasing resources than in multiprocessing environments
  20. TCSEC rating system
    • A is best; D is worst
    • the higher the number, the better, so B3 is better than B2, which are better than C1
  21. Swap space
    secondary storage on the hard drive used for swapping from main memory; combination is called virtual memory
  22. Two foot candles
    NIST standard is to illuminate an area 8 feet high with two foot-candles
  23. Domain
    • collection of resources available to a subject, whether it is a user, network device or process
    • within an OS it might be called a protection, security or execution domain
  24. Concerns
    • each stakeholder has his own concerns pertaining to a system which can be performance, functionality, security, maintainability, quality of service etc.
    • views (logical, physical, structural or behavioral) are used to express system data pertaining to each view
  25. Brewer-Nash
    • allows for dynamically changing access controls
    • uses context-based control
    • done to ensure no conflicts of interest
    • Chinese Wall
  26. Multistate or multilevel
    • system permits two or more classification levels of information to be processed at the same time
    • does not mean that all users have the clearance to access all of the information
  27. Temperature where computers will be damaged?
    175 degrees Fahrenheit
  28. Open systems
    allows different systems to interact even though they use different protocols, function in different manners and have different requirements
  29. Cipher locks (4)
    • four different features:
    • Door delay - an alarm will sound if the door stays open
    • Key override - emergency code can be programmed into the keypad
    • Master keying - authorized individuals can change key codes
    • Hostage alarm - specialty combination for someone under duress
  30. multi-level security models (4)
    • used in MAC systems
    • Dedicated security mode
    • - all users have clearance for all data in a system
    • System HIGH security mode
    • - all users have security clearance but not the need to know for all data, so some data is restricted
    • - all users must hold the HIGHest clearance for the highest data in the system
    • Compartmented Security mode
    • - similar to high but users also need formal access approval
    • Multilevel mode
    • - all users can access some data based on need to know, clearance and formal approval
    • can have multiple clearance levels in this system
  31. ITSEC vs TCSEC mappings
    ITSEC = TCSEC (low to high)

    • E0 = D
    • F1+E1 = C1
    • F2 +E2 = C2
    • F3 + E3 = B1
    • F4 + E4 = B2
    • F5 + E5 = B3
    • F5 + E6 = A1
    • F6 = systems with high integrity
    • F7 = systems with high availability
    • F8 = systems with high integrity during communication
    • F9 = systems with high confidentiality (cryptographic)
    • F10 = networks with high confidentiality and integrity
  32. X509
    • standard for PKI
    • dictates fields and possible values that can be used
  33. PPTP
    • Microsoft Point-to-Point Tunneling Protocol
    • VPN
    • provides encapsulation and then encrypts
    • used for untrusted networks like the Internet

    • vs. L2TP
    • provides just encapsulation
    • used when a PPP connection needs to be extended through a non-IP based network
  34. IPSEC
    protocol that creates a secure tunnel to send information across an insecure network

    • Simple Key Management for IP (SKIP) and Internet Security Association and Key Management Protocol (ISAKMP) are key exchange protocols used by IPSEC
    • de facto standard is IKE (Internet Key Exchange), which is a combination of ISAKMP and OAKLEY
    • all work at the network layer

    • tunnel mode = secures payload and header
    • transport mode = only secures the payload
  35. Multicast
    message from one source to MANY destinations (that have chosen to participate) vs.

    • unicast - one to one
    • broadcast - one to all
  36. Link encryption
    • encrypts ALL data along a physical path and provides for higher performance and security
    • headers, trailers, data payload and routing data are all encrypted
  37. Length of message digest
    • HAVAL - variable length message digest
    • MD family - 128 bit message digest
    • SHA - 160 bit message digest
  38. SSL
    • provides data encryption over the Internet
    • encrypts the message but does not secure the data once received and decrypted
    • does not provide a true VPN service by protecting headers
    • uses PUBLIC key encryption
    • originally developed by Netscape
    • provides encryption, message integrity, server authentication and optional client authentication
  39. Converged infrastructure
    • Combining of server, storage and network capabilities into a single framework
    • decreases costs and provides ability to pool resources and automate provisioning
  40. 3DES Modes
    • DES-EEE3 uses three keys
    • DES-EDE3 uses three keys to encrypt, decrypt and encrypt
    • DES-EEE2
    • DES-EDE2

    no such thing as DES-EEE1
  41. Key recovery
    done with asymmetric algorithms
  42. Socket
    combination of an IP address and a port number
  43. Asynchronous communication
    • such as modems
    • send data at will using start and stop bits that are reassembled on the other end

    • vs. synchronous communications
    • determines a synchronization scheme before transmitting
  44. Telnet
    • widely used protocol for remotely accessing devices
    • allows command line control
    • allows executing commands on a remote system

    DOES NOT provide network monitoring and polling (SNMP)
  45. HDLC
    • High-level Data Link Control
    • based on SDLC
    • bit-oriented
    • works over synchronous lines
    • provides polling

    • However, HDLC:
    • supports full-duplex
    • has higher throughput than SDLC
  46. Vernam cipher
    • one-time pad
    • considered unbreakable
    • invented by Gilbert Vernam
  47. Non-recursive vs. recursive DNS query
    • Non-recursive = request goes to the specified DNS server and is either answered or an error is returned
    • Recursive = if the request can't be answered by the first DNS server, the request is forwarded to others
  48. DSA
    • Digital Signature Algorithm
    • used for digital signatures
    • asymmetric algorithm
    • DSS requires SHA-1 and DSA or RSA or ECDSA
    • developed by the NSA

    NOT used for key exchange or message encryption
  49. Baseband vs. Broadband
    • Baseband uses the entire communication channel for transmission
    • Broadband breaks the channel into individual channels so different types of data can be sent simultaneously
  50. Firewall types
    • Circuit-based proxy = looks at header (addresses and ports numbers) to make decisions
    • Application-based proxy = looks at the information within the payload
    • Stateful = maintains a state table of each communication dialogue
  51. CIDR
    • Classless Interdomain Routing
    • used to make traditional classes more efficient
    • class B is usually too large while a Class C is usually too small
    • CIDR allows to increase or decrease class sizes as necessary
  52. Ethernet
    • CSMA/CD
    • carrier sense multiple access with collision detection

    monitor first to see if the line is clear; to avoid collisions
  53. UDP
    • connectionless protocol
    • "best effort"
  54. TCP Wrapper
    a firewall program to protect Unix systems
  55. "gap in the WAP"
    • wireless device transmitting encrypted data over the Internet
    • must use Wireless Transport Layer Security (WTLS) (which the Internet does not understand) so it has to be translated to SSL or TLS
    • requires traffic to be decrypted
  56. Session layer
    • optional
    • used for client/server communication in a distributed environment
    • has the functionality of middleware to allow software on two different computers to communicate
  57. Scytale cipher
    Old cipher where message was written on papyrus wrapped around a staff; can only be read by wrapping around the proper diameter staff on the receiving end