CISSP5

  1. Fuzzing
    Sending random or malformed data to a program's inputs to trigger failures (crashes, hangs, unexpected behavior) that reveal bugs
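Added worked example (not part of the original card set): a minimal mutation fuzzer run against a deliberately buggy, constructed length-prefixed record parser. The parser, the seed input and the mutation strategy are all assumptions made for this illustration; the point is the fuzzer's triage rule, which treats the parser's documented rejection (ValueError) as normal and anything else as a crash.

```python
import random

SEED = b"\x04user\x05alice"   # constructed valid input: len, name, len, value


def parse_record(data: bytes) -> dict:
    """Toy length-prefixed record parser (constructed for this example).

    Layout: 1-byte name length, name, 1-byte value length, value.
    It deliberately trusts the declared lengths, so an oversized or
    truncated input makes it index past the end of the buffer.
    """
    name_len = data[0]                      # IndexError on empty input
    name = data[1:1 + name_len]
    value_len = data[1 + name_len]          # IndexError when name_len lies
    value = data[2 + name_len:2 + name_len + value_len]
    if len(value) != value_len:
        raise ValueError("short value")     # expected, handled parse error
    return {"name": name, "value": value}


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply 1-4 random mutations: bit flip, interesting byte, delete, insert."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        roll = rng.random()
        if roll < 0.4 and data:
            data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
        elif roll < 0.7 and data:
            data[rng.randrange(len(data))] = rng.choice([0, 1, 0x7F, 0x80, 0xFF])
        elif roll < 0.85 and len(data) > 1:
            del data[rng.randrange(len(data))]
        else:
            data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    return bytes(data)


def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Run mutated inputs through `target`; return one reproducer per crash type.

    ValueError is the parser's documented rejection path, so it is not a
    finding; any other exception is a crash worth triaging.
    """
    rng = random.Random(rng_seed)
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:                     # fuzzers catch everything
            crashes.setdefault(type(exc).__name__, case)
    return crashes


if __name__ == "__main__":
    for kind, case in fuzz(parse_record, SEED).items():
        print(f"{kind}: {case!r}")
```

Running it reports an IndexError reproducer within a few hundred iterations: the fix is to validate declared lengths against the remaining buffer before indexing.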
  2. Seizure of property
    A manager (a private party) can seize property without a warrant as long as he/she was not directed to do so by law enforcement; 4th Amendment protections restrict government agents and do not apply to private citizens unless they are acting as an agent of the police.
  3. Hearsay
    Secondhand evidence not based on the witness's direct knowledge; can include evidence created during the course of a trial; generally not admissible
  4. MTD Examples
    • maximum tolerable downtime
    • Critical = minutes to hours
    • Urgent = 24 hours
    • Important = 72 hours
    • Normal = 7 days
    • Nonessential = 30 days
  5. Secondary evidence
    • oral evidence or copies of documents
    • not considered reliable
  6. Generations of programming languages (5)
    • One = machine language
    • Two = Assembly
    • Three = High-level
    • Four = Very High-level
    • Five = AI / natural-language programming
  7. Gramm-Leach-Bliley
    • requires financial institutions to develop privacy notices for each customer
    • also requires each institution to have a comprehensive security program in place
  8. Assembly language
    • Allows direct control of very basic operations within a computer system, such as pushing data onto or popping it off the stack
    • attackers commonly use this language to control exactly how malicious instructions are carried out
  9. Computer Fraud and Abuse Act
    • clarifies 1984 law and added:
    • 1. using a federal computer in a fraudulent activity
    • 2. modifying or damaging a federal computer resulting in a loss of $1000 or more
    • 3. trafficking computer passwords
  10. Evidence life cycle
    • collection and identification
    • storage, preservation and transportation
    • presentation in court
    • return to victim or owner
  11. Enticement
    "Legally and ethically making a system attractive to an attacker and logging an attacker's actions for use in future prosecution"
  12. Electronic Communications Privacy Act of 1986
    wiretapping
  13. Exigent circumstances
    could allow law enforcement to seize evidence without a warrant, such as when a suspect tries to destroy the evidence
  14. Incident handling
    Contain and repair any damage caused by an event and prevent further damage
  15. ActiveX
    • software components are digitally signed
    • runs only on windows systems

    versus Java which uses bytecode and sandboxes
  16. Slamming vs. cramming
    • Slamming = service provider changed without consent
    • Cramming = bogus charges
  17. Split knowledge procedures
    ensure that no one person possesses all of the knowledge or steps needed to carry out an important task; a way of spreading the knowledge across several people
  18. Polyinstantiation
    • Creating a duplicate record at a different classification level (a cover story) to prevent an inference attack
    • allows more than one row to contain the same primary key, distinguished by classification level
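Added worked example (not part of the original card set): polyinstantiation in SQLite, using a constructed cargo-manifest table keyed on (ship, level). The ship names, cargo values and clearance labels are assumptions for the illustration. The contrast table keyed on ship alone shows the inference channel that polyinstantiation closes: a low-clearance insert fails with a duplicate-key error, revealing that a classified row exists.

```python
import sqlite3

LEVEL = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


def setup_db() -> sqlite3.Connection:
    """Manifest with the classification level as part of the primary key.

    Constructed sample rows: the same ship has one row per level, so a
    low-clearance user sees a plausible cover story instead of a gap.
    """
    con = sqlite3.connect(":memory:")
    con.execute(
        """CREATE TABLE cargo (
               ship  TEXT NOT NULL,
               level TEXT NOT NULL,
               cargo TEXT NOT NULL,
               PRIMARY KEY (ship, level))"""      # polyinstantiated key
    )
    con.executemany("INSERT INTO cargo VALUES (?, ?, ?)", [
        ("Enterprise", "top_secret", "weapons"),
        ("Enterprise", "unclassified", "food"),   # cover story
    ])
    return con


def visible_rows(con, clearance: str) -> dict:
    """Per ship, the most highly classified row the user is allowed to see."""
    best = {}
    for ship, level, cargo in con.execute("SELECT ship, level, cargo FROM cargo"):
        if LEVEL[level] <= LEVEL[clearance] and (
            ship not in best or LEVEL[level] > LEVEL[best[ship][0]]
        ):
            best[ship] = (level, cargo)
    return best


def low_user_insert(con, ship: str, cargo: str) -> bool:
    """An unclassified user adds a manifest row; succeeds even if a secret
    row for the same ship exists, because the key includes the level."""
    try:
        con.execute("INSERT INTO cargo VALUES (?, 'unclassified', ?)", (ship, cargo))
        return True
    except sqlite3.IntegrityError:
        return False


def single_key_leaks(con) -> bool:
    """Contrast: the same insert against a table keyed on ship alone.
    The duplicate-key error tells the low user a hidden row exists."""
    con.execute("CREATE TABLE IF NOT EXISTS cargo_single "
                "(ship TEXT PRIMARY KEY, level TEXT, cargo TEXT)")
    con.execute("INSERT OR IGNORE INTO cargo_single VALUES ('Voyager', 'secret', 'missiles')")
    try:
        con.execute("INSERT INTO cargo_single VALUES ('Voyager', 'unclassified', 'medicine')")
        return False
    except sqlite3.IntegrityError:
        return True
```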
  19. S-RPC
    • Secure Remote Procedure Call
    • uses Diffie-Hellman public key cryptography to agree on the shared secret key used for encryption with the DES algorithm
  20. Trusted recovery
    • Ensures that the right processes are followed after a system failure; one of:
    • system reboot
    • emergency system restart
    • cold start
  21. Software development
    Customer requirements are in the 2nd phase; not project initiation
  22. Enterprise JavaBeans (EJB)
    • structural design for the development and implementation of distributed applications written in Java
    • provides interfaces and methods to allow different applications to communicate
  23. Logic bomb
    Triggered by a specific condition or event, such as a date/time or a user action like saving a file
  24. Neural networks
    have the ability to LEARN through different scenarios vs.

    expert systems - use inference to identify patterns but can not learn
  25. Multipartite virus
    • Goes after boot records and system files
    • Can be very damaging, affecting more areas of a system
  26. Life cycle assurance
    • pertains to the product's architecture and how it was developed, for example:
    • - design specifications
    • - clipping level configurations
    • - unit and integration testing
    • - configuration management
    • - trusted distribution
  27. Operational assurance
    • basic features and architecture, such as:
    • - access control mechanisms
    • - separation of privileged and user code
    • - auditing and monitoring capabilities
    • - covert channel analysis
    • - trusted recovery
  28. SATAN
    • Security Administrator Tool for Analyzing Networks
    • scanning tool that can uncover weaknesses within a network
  29. Diffie-Hellman
    • discrete logarithms in a finite field
    • vulnerable to man in the middle attack
    • Key Agreement Protocol
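Added worked example (not part of the original card set) covering both card 19 (S-RPC: DH agreement feeding a DES key) and card 29 (DH and its man-in-the-middle weakness). The group parameters are a toy 127-bit Mersenne prime chosen for readability, not a standard group; the key-derivation label, the HMAC-based authentication of public values and the use of `random.Random` for reproducibility are assumptions for this illustration (real code uses RFC 3526/7919 groups, `secrets`, and signatures or certificates).

```python
import hashlib
import hmac
import random

# Toy parameters so the numbers stay readable; NOT a standard DH group.
P = 2**127 - 1
G = 5


def dh_keypair(rng: random.Random):
    """Private exponent x and public value g^x mod p."""
    x = rng.randrange(2, P - 1)
    return x, pow(G, x, P)


def dh_shared(my_private: int, peer_public: int) -> int:
    return pow(peer_public, my_private, P)


def derive_des_key(shared: int) -> bytes:
    """S-RPC style: hash the agreed secret down to an 8-byte DES key."""
    return hashlib.sha256(b"S-RPC DES key" + shared.to_bytes(16, "big")).digest()[:8]


def honest_exchange(rng):
    a, A = dh_keypair(rng)
    b, B = dh_keypair(rng)
    return derive_des_key(dh_shared(a, B)), derive_des_key(dh_shared(b, A))


def mitm_exchange(rng) -> dict:
    """Unauthenticated DH: Mallory replaces both public values with her own,
    ending up with one key shared with Alice and another shared with Bob."""
    a, A = dh_keypair(rng)
    b, B = dh_keypair(rng)
    m, M = dh_keypair(rng)
    return {
        "alice": derive_des_key(dh_shared(a, M)),              # Alice thinks M is Bob's
        "bob": derive_des_key(dh_shared(b, M)),                # Bob thinks M is Alice's
        "mallory_with_alice": derive_des_key(dh_shared(m, A)),
        "mallory_with_bob": derive_des_key(dh_shared(m, B)),
    }


def authenticated_exchange(rng, long_term_key: bytes, tamper: bool):
    """Fix: Bob MACs his public value under a long-term key Mallory lacks.
    Returns Alice's session key, or None if she detects substitution."""
    a, A = dh_keypair(rng)
    b, B = dh_keypair(rng)
    tag = hmac.new(long_term_key, B.to_bytes(16, "big"), hashlib.sha256).digest()
    if tamper:
        _, B = dh_keypair(rng)            # Mallory swaps B but cannot forge the tag
    expected = hmac.new(long_term_key, B.to_bytes(16, "big"), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                       # Alice aborts the handshake
    return derive_des_key(dh_shared(a, B))
```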
  30. RSA
    • de facto asymmetric algorithm
    • difficulty of factoring large numbers
    • one-way function = easy in one direction (multiplying two primes) but hard to impossible in the other (factoring the product back into its primes)
    • key size of 1,024 bits and larger should be used (2,048 bits is the current minimum in practice)
    • encryption, key exchange and digital signatures
  31. DES
    • symmetric block cipher (DEA)
    • 64 bit blocks 
    • true key size is 56 bits! (8 bits parity)
    • 16 rounds
  32. ECB
    used to encrypt a small amount of data
  33. OFB
    • errors do not propagate: a corrupted ciphertext bit affects only the corresponding plaintext bit, so it suits noisy channels where corruption is likely
    • (keystream depends only on key and IV; ciphertext is not chained back into the cipher)
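Added worked example (not part of the original card set) for cards 32 and 33: ECB and OFB built on a constructed 4-round Feistel toy block cipher that stands in for DES (it is invertible but not secure, and is an assumption of this illustration, as are the key, IV and sample plaintexts). It shows the two properties the cards state: ECB leaks repeated plaintext blocks, and a single corrupted ciphertext bit in OFB corrupts exactly one plaintext bit, while in ECB it garbles the whole block.

```python
import hashlib

BLOCK = 16
KEY = b"constructed-demo-key"
IV = b"\x00" * BLOCK


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    """Round function: keyed hash of one half, truncated to 8 bytes."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def block_encrypt(key: bytes, blk: bytes) -> bytes:
    """4-round Feistel toy cipher (stand-in for DES; NOT secure)."""
    L, R = blk[:8], blk[8:]
    for rnd in range(4):
        L, R = R, _xor(L, _f(key, R, rnd))
    return L + R


def block_decrypt(key: bytes, blk: bytes) -> bytes:
    L, R = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        L, R = _xor(R, _f(key, L, rnd)), L
    return L + R


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """Each block encrypted independently: equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(block_encrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def ecb_decrypt(key: bytes, data: bytes) -> bytes:
    return b"".join(block_decrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def ofb_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """OFB: keystream = E(IV), E(E(IV)), ... XORed with data; one call encrypts and decrypts."""
    out, feedback = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        feedback = block_encrypt(key, feedback)   # depends on key+IV only, never on ciphertext
        chunk = data[i:i + BLOCK]
        out += _xor(chunk, feedback[:len(chunk)])
    return bytes(out)


def ecb_leaks_pattern(key: bytes = KEY) -> bool:
    ct = ecb_encrypt(key, b"ATTACK AT DAWN!!" * 2)   # two identical blocks
    return ct[:BLOCK] == ct[BLOCK:]


def corrupted_bytes(mode: str, key: bytes = KEY, iv: bytes = IV) -> list:
    """Flip one ciphertext bit in transit; report which plaintext bytes come back wrong."""
    pt = b"ATTACK AT DAWN!!SECOND BLOCK...."
    ct = bytearray(ecb_encrypt(key, pt) if mode == "ecb" else ofb_crypt(key, iv, pt))
    ct[3] ^= 0x01
    rec = ecb_decrypt(key, bytes(ct)) if mode == "ecb" else ofb_crypt(key, iv, bytes(ct))
    return [i for i in range(len(pt)) if rec[i] != pt[i]]
```

The flip side of OFB's non-propagation is malleability: an attacker can flip chosen plaintext bits by flipping ciphertext bits, so OFB (like any stream mode) needs a MAC or an authenticated mode on top.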
  34. 3 tiered model
    • More secure than the 2 tier client server model
    • Separates user interface, functional process logic and back-end database/storage
  35. OSI Stack
    • Application = Message
    • Transport = segment (message plus TCP header)
    • Network = datagram (segment plus routing and addressing)
    • Data link layer = frame (datagram plus header and trailer)
  36. VPN tunneling (3)
    • PPTP - de facto standard; works only over IP networks at the data link layer
    • IPSEC - not used over dial-up; only works with IP networks at the network layer; provides authentication and encryption; designed for point to point (device to device)
    • L2TP - can extend a WAN; a hybrid of L2F and PPTP; works at data link layer; needs to work with IPSEC for security
  37. Bluejacking
    • a harmless nuisance; NOT a malicious attack
    • involves sending unsolicited information/contacts to a Bluetooth device
  38. Cross-site scripting (XSS) (3)
    • Persistent = server side; malicious input is accepted and STORED on the website, then served to every visitor (also called stored or 2nd order)
    • Non-persistent = malicious script is carried in a URL or request and reflected back in the server's response, typically delivered via a crafted link to steal credentials (also called reflected)
    • DOM-based = client side; malicious script runs within the browser because client-side code handles untrusted data unsafely
  39. Routing Protocols
    • Internet is essentially a network made up of AS's and routing protocols
    • AS = autonomous systems which is a grouping of nodes (networks) with common characteristics
    • Within an AS, use internal routing protocols such as: Interior Gateway Protocol (IGP)
    • - IGP can be one of 2 types
    • - Distance-vector: RIP (Routing Information Protocol) or IGRP (Interior Gateway Routing Protocol)
    • - Link-state: OSPF (Open Shortest Path First) or IS-IS (Intermediate System to Intermediate System)
    • Between AS's use EGP (Exterior Gateway Protocol) such as BGP (Border Gateway Protocol)
  40. IGRP
    • Proprietary to Cisco
    • Interior Gateway Routing Protocol
  41. Email spoofing
    • Easy to execute because SMTP lacks adequate authentication
    • simple Telnet command to port 25 followed by number of SMTP commands allows spoofing
  42. SONET and ATM
    SONET is the multi-lane highway and ATM are the encapsulated cars on the highway
  43. 802.1AR
    specifies unique per-device identifiers and binds a device cryptographically

    No such thing as 802.1XR
  44. Platform as a Service (PaaS)
    • the software environment that runs on top of the IT network
    • a computing platform which can include OS, database and web server
  45. Bridge-mode virtual firewall
    Allows the firewall to monitor individual traffic links between guest systems, not network links
  46. Steganography (3)
    • Stego-medium = the medium used for transport such as .doc or JPEG
    • Carrier - the signal or data stream or file with the message
    • Payload - the actual message
  47. End to end encryption
    • Takes place within the application layer
    • only encrypts the data payload
  48. SSL
    • works at the Transport layer
    • uses public key encryption
    • provides data encryption, authentication and message integrity

    HTTP is at the application layer
  49. PKI
    uses a hybrid of asymmetric and symmetric algorithms

    public key cryptography = asymmetric

    • symmetric algorithms provide confidentiality
    • asymmetric algorithms provide authentication and nonrepudiation
    • hashing algorithms provide integrity
  50. Key Derivation Functions
    • A master key used to generate symmetric sub-keys
    • derives the keys from a secret value
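Added worked example (not part of the original card set): deriving independent sub-keys from one master secret with HKDF (RFC 5869, implemented here from HMAC-SHA256), plus PBKDF2 for the case where the "secret value" is a low-entropy password. The label strings, salt and iteration count are assumptions for this illustration.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract: concentrate the master secret into a fixed-size PRK."""
    return hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand: stretch the PRK into `length` bytes bound to the `info` label."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_subkeys(master: bytes, salt: bytes = b"") -> dict:
    """One master key, two unrelated sub-keys: compromise of one does not
    reveal the other, and a distinct label per purpose prevents key reuse."""
    prk = hkdf_extract(salt, master)
    return {
        "enc": hkdf_expand(prk, b"example-app encryption v1", 32),
        "mac": hkdf_expand(prk, b"example-app authentication v1", 32),
    }


def password_to_master(password: bytes, salt: bytes, iterations: int = 600_000) -> bytes:
    """Passwords are low entropy, so slow the derivation down before using HKDF on the result."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)
```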
  51. Key lifetime
    • corresponds to the value/sensitivity of the data
    • less secure data may allow for a longer key lifetime
  52. Stream cipher is similar to:
    One time pad because it is bit by bit encryption (XOR)

    AES is a symmetric BLOCK cipher
  53. Stream cipher (example) vs Block ciphers
    Stream = RC4

    Block = DES, 3DES, RC5, AES, IDEA, BLOWFISH, RC5, RC6
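Added worked example (not part of the original card set) for cards 52 and 53: RC4 as the stream-cipher instance, written from the published algorithm, showing the XOR-with-keystream structure the one-time-pad comparison rests on, and the classic failure mode that comparison implies: reusing a keystream cancels it out, so a known plaintext recovers the other message. The sample key and messages are constructed for this illustration.

```python
def rc4_keystream(key: bytes):
    """RC4 key scheduling followed by the PRGA; yields keystream bytes forever."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Bit-by-bit (here byte-by-byte) XOR with the keystream; symmetric, so it decrypts too."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leaks(key: bytes, p1: bytes, p2: bytes) -> bool:
    """Two messages under the same key: c1 XOR c2 == p1 XOR p2, the keystream is gone."""
    c1, c2 = rc4(key, p1), rc4(key, p2)
    return xor(c1, c2) == xor(p1, p2)


def recover_with_crib(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Attacker who knows p1 and sees both ciphertexts recovers p2 = c1 ^ c2 ^ p1."""
    return xor(xor(c1, c2), known_p1)
```

The one-time pad is unbreakable only because its key is random, as long as the message and never reused; a stream cipher keeps the XOR structure but replaces the random key with a keystream, so a repeated key/nonce pair is the equivalent of reusing a pad.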
  54. SSL process
    • starts with the client connecting to a web server; the server returns a certificate with its public key; the client then encrypts a session key with the server's public key (RSA key-exchange suites; Diffie-Hellman suites agree the key instead)
    • the CLIENT creates the session key
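Added worked example (not part of the original card set) for cards 30 and 54: textbook RSA built on the page's own description (multiply two primes, trapdoor is factoring) and used the way the SSL card describes, with the client choosing the session key and wrapping it under the server's public key. The primes are tiny on purpose, so the "attacker" can factor n by trial division; that is the assumption behind the last function and the reason real keys are 2,048 bits or more. Padding (RSA-OAEP) is omitted, and TLS 1.3 no longer uses RSA key transport at all.

```python
import math
import random

P_SERVER, Q_SERVER = 10007, 10009   # toy primes; real moduli are 2048+ bits


def rsa_keygen(p: int, q: int, e: int = 65537):
    n = p * q
    phi = (p - 1) * (q - 1)
    assert math.gcd(e, phi) == 1
    d = pow(e, -1, phi)              # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)


def rsa_encrypt(pub, m: int) -> int:
    n, e = pub
    return pow(m, e, n)


def rsa_decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


def client_key_exchange(server_pub, rng: random.Random):
    """The CLIENT picks the session key and sends it wrapped under the server's public key."""
    n, _ = server_pub
    session_key = rng.randrange(1, n)
    return session_key, rsa_encrypt(server_pub, session_key)


def server_unwrap(server_priv, wrapped: int) -> int:
    return rsa_decrypt(server_priv, wrapped)


def factor(n: int):
    """Trial division: the hard direction of the one-way function,
    cheap here only because n is tiny."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1
    raise ValueError("no factor found")


def attacker_recovers_session_key(server_pub, wrapped: int) -> int:
    """Whoever factors n rebuilds d and can unwrap every session key ever sent
    to this server, recorded traffic included (no forward secrecy)."""
    n, e = server_pub
    p, q = factor(n)
    d = pow(e, -1, (p - 1) * (q - 1))
    return pow(wrapped, d, n)
```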
  55. Link encryption vs. end-to-end encryption
    Link encryption encrypts everything (headers, trailers and payload) EXCEPT some data link layer messaging; much stronger

    End to end encrypts just the payload (no headers and trailers)
  56. Running key cipher
    Uses components in the physical world such as books, pages, rows and columns to create a key
  57. Birthday attack
    Probabilistic (brute-force style) search for any two inputs with the same hash value, exploiting the birthday paradox

    if 160-bit output, a birthday attack finds a collision in about 2^80 attempts (vs. about 2^160 to find a preimage of a specific value)
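Added worked example (not part of the original card set): a birthday-style collision search against SHA-256 truncated to a small number of bits, so the 2^(n/2) cost is observable in seconds. Truncating to 24 bits is an assumption for the demo; the formula is the same one that gives 2^80 for a 160-bit digest.

```python
import hashlib
import random


def truncated_hash(msg: bytes, bits: int) -> int:
    """SHA-256 truncated to `bits` bits so the collision space is searchable."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)


def birthday_collision(bits: int, rng: random.Random):
    """Hash random messages until two distinct ones share a digest.

    Expected work is about 2^(bits/2): the attacker does not target a
    particular digest (that would cost about 2^bits), only any pair that
    happens to collide.
    """
    seen = {}
    tries = 0
    while True:
        msg = rng.getrandbits(64).to_bytes(8, "big")
        tries += 1
        h = truncated_hash(msg, bits)
        if h in seen and seen[h] != msg:
            return seen[h], msg, tries
        seen[h] = msg


def expected_tries(bits: int) -> float:
    """Birthday bound: 160 bits -> 2^80."""
    return 2 ** (bits / 2)


def average_tries(bits: int, runs: int, seed: int = 0) -> float:
    """Empirical check of the bound over several independent searches."""
    rng = random.Random(seed)
    return sum(birthday_collision(bits, rng)[2] for _ in range(runs)) / runs


if __name__ == "__main__":
    print("24-bit digest: expected ~", expected_tries(24), "observed ~", average_tries(24, 5))
```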
  58. Zero Knowledge proof
    Proving knowledge of a secret (e.g. a private key) without revealing the secret itself or anything beyond the fact being proved
  59. Binding and Sealing
    • Binding a hard disk = storing the disk's DECRYPTION key in the TPM so it can only be used on that platform
    • Sealing = storing a hash of the system state (PCR values) in the TPM so the key is released only if the system boots into that same state
  60. BIA first step
    Data gathering techniques
  61. Damage assessment (order)
    • 1. Determine cause
    • 2. Determine time required to recover
    • 3. Declare a disaster (if needed)
  62. Business Continuity ISO standard
    ISO 27031

    • 27005 = information security risk management
    • 27001 = ISMS requirements (27002 = code of practice / general guidelines)
  63. Work Recovery Time (WRT)
    • Difference between RTO and MTD
    • represents the time for restoring data, testing processes and making everything live
  64. Categories of computer crimes (3)
    • Computer-assisted = used as a tool in carrying out a crime, such as attacking financial systems, performing information warfare
    • Computer-targeted = computer was the victim of an attack, such as DOS, malware, rootkits etc.
    • Computer-incidental = computer is involved in a secondary manner, such as distribution of child porn
  65. Council of Europe Convention
    FIRST international treaty seeking to address computer crimes and improving investigative techniques
  66. Types of Law (5)
    • Customary - deals primarily with personal conduct and patterns of behavior; not widely used unless mixed with something else
    • Civil (code) law - rule-based; not precedence based; most widespread system in the world; most of Europe
    • Common law - based on previous interpretation of law; 3 types: Civil/tort; Criminal; Regulatory; used in US, England etc.
    • Religious law - responsibilities and obligations to others and religious duties; Islamic law
    • Mixed law - usually a combination of civil and common law
  67. Trademark
    protect a word, name, symbol, sound, logo
  68. Computer Fraud and Abuse Act
    • primary US federal antihacking law
    • addresses 7 forms of computer activity, making them federal crimes
  69. Due Care
    • company did all it reasonably could
    • put proper controls or countermeasures in place

    versus due diligence which is RESEARCHING and assessing all of the possible vulnerabilities
  70. Computer forensics
    • synonymous with digital forensics, network forensics, electronic data discovery, cyber forensics
    • all-encompassing term for the processes used to examine computer usage so that evidence is admissible in a court of law
  71. Secondary evidence
    • not viewed as reliable as best evidence
    • includes oral evidence of a witness; copies of documents etc.

    as compared to best or primary evidence such as an original signed document
  72. Legally admissible evidence (4)
    • Authentic = RELEVANT; has a reasonable and sensible relationship to the findings
    • Complete - presents the whole truth
    • Sufficient - believable and persuasive
    • Reliable - consistent with the facts; not based on opinion, copies or circumstantial evidence such as computer generated documents or an investigator's notebook
  73. Circumstantial evidence
    Can prove an intermediate fact that allows one to assume or deduce another fact; insufficient by itself
  74. Internet Architecture Board (IAB)
    • coordinates Internet design, engineering and management
    • responsible for the IETF which issues Requests for Comments
    • issues ethics-related statements concerning Internet use; tries to protect the Internet as a resource
  75. Computer Ethics Institute
    • nonprofit 
    • has issued its own 10 commandments of Computer Ethics
  76. Incident Response stages (6)
    • Triage = assess scope and severity
    • Investigation = collection of data; as well as analysis, interpretation, reaction and recovery
    • Containment = buys time for further work; isolate the system
    • Analysis = gather more data to figure out who did it and how
    • Tracking = determine if the source was internal or external and how the offender gained access
    • Recovery = implement necessary fixes
  77. Locard's Principle of Exchange
    states that a criminal takes something with him and leaves something behind
  78. International Organization on Computer Evidence (IOCE)
    drew up international principles for procedures related to digital evidence, to guarantee the ability to use digital evidence collected by one nation state in the courts of another
  79. ACID test
    • Used in Online Transaction Processing (OLTP) databases to ensure integrity
    • Atomicity - either all modifications take effect or none at all
    • Consistency - enforcement of integrity rules
    • Isolation - no interaction with other processes or transactions
    • Durability - once committed, the change persists (survives crashes) and cannot be rolled back
  80. Concurrency
    • Different processes (applications and users) are accessing the database at the same time
    • can result in overwrites or deadlock
    • thus reducing integrity
    • can be prevented by locking
  81. Polymorphism
    When different objects are given the same inputs and react differently, i.e. the same input produces different results
  82. Object-oriented database (as opposed to others)
    when an application queries for data, it receives BOTH the data and the procedure

    • relational - applications uses its own procedures; 2 dimensional tables linked by relationships
    • hierarchical - must have knowledge of a well-defined path to traverse the tree
  83. Regression testing
    Retesting a system after changes have been made; oftentimes a change or fix can break something else
  84. Tunneling virus
    Attempts to install itself under an antivirus program
  85. Polymorphic virus
    • produces varied copies of itself
    • might use noise or bogus instructions or change the sequence of instructions
    • might vary its encryption methods
  86. Java
    • object-oriented, platform-independent programming language
    • Compiler converts source code to bytecode; JVM converts bytecode to machine code (which is why it can run on multiple machines/processors)
  87. Database integrity types (3)
    • Entity - ensures tuples are uniquely identified by one primary key
    • Referential - ensures that all foreign keys REFER to existing primary keys 
    • Semantic - ensures that rules and semantics of the database are followed
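Added worked example (not part of the original card set) for cards 79 and 87: SQLite transactions that exercise atomicity together with the three integrity types (primary key = entity, foreign key = referential, CHECK constraint = semantic). The bank schema and sample rows are constructed for this illustration. The interesting case is a transfer to a non-existent account: the debit succeeds, the credit silently touches zero rows, and only the foreign-key check on the audit row fails; without the transaction the money would simply vanish.

```python
import sqlite3


def open_db() -> sqlite3.Connection:
    """In-memory bank schema with constructed sample rows."""
    con = sqlite3.connect(":memory:", isolation_level=None)   # we issue BEGIN/COMMIT ourselves
    con.execute("PRAGMA foreign_keys = ON")   # SQLite enforces referential integrity only when asked
    con.execute("""CREATE TABLE account (
                       id      INTEGER PRIMARY KEY,                          -- entity integrity
                       owner   TEXT    NOT NULL,
                       balance INTEGER NOT NULL CHECK (balance >= 0))""")    # semantic rule
    con.execute("""CREATE TABLE transfer (
                       id     INTEGER PRIMARY KEY,
                       src    INTEGER NOT NULL REFERENCES account(id),        -- referential integrity
                       dst    INTEGER NOT NULL REFERENCES account(id),
                       amount INTEGER NOT NULL)""")
    con.executemany("INSERT INTO account VALUES (?, ?, ?)",
                    [(1, "alice", 100), (2, "bob", 50)])
    return con


def transfer(con, src: int, dst: int, amount: int) -> bool:
    """Move money atomically: all three statements commit, or none of them do."""
    try:
        con.execute("BEGIN")
        con.execute("UPDATE account SET balance = balance - ? WHERE id = ?", (amount, src))
        con.execute("UPDATE account SET balance = balance + ? WHERE id = ?", (amount, dst))
        con.execute("INSERT INTO transfer (src, dst, amount) VALUES (?, ?, ?)",
                    (src, dst, amount))
        con.execute("COMMIT")
        return True
    except sqlite3.IntegrityError:
        con.execute("ROLLBACK")   # the partial debit is undone
        return False


def add_account(con, id_: int, owner: str, balance: int) -> bool:
    """Entity integrity: a second row with an existing primary key is rejected."""
    try:
        con.execute("INSERT INTO account VALUES (?, ?, ?)", (id_, owner, balance))
        return True
    except sqlite3.IntegrityError:
        return False


def balances(con) -> dict:
    return dict(con.execute("SELECT id, balance FROM account ORDER BY id").fetchall())
```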
  88. High cohesion and low coupling
    HIGH cohesion - module carries out ONE task or a FEW closely related tasks (simpler, easier to test and reuse)

    Low coupling - little interaction with other modules (low dependency)
  89. Modified prototype method
    used when the developer and client are unsure of the final nature of the product
  90. SOAP and RPC
    • SOAP was designed to replace RPCs to allow applications to communicate
    • designed to work across multiple operating systems
    • works with HTTP and is allowed thru firewalls
  91. Programming languages generations
    • Machine language - 1st gen = binary is time consuming and prone to errors
    • Assembly - 2nd gen = symbols saved time but required deep knowledge of machine architecture
    • High level - 3rd gen = used abstract statements If-then-else
    • Very high level - 4th gen = natural language; SQL
  92. Deferred commitment (in OOP)
    the ability to make a change to a component without changing other parts of the system
  93. Checkpoint
    • used to recover data if there is a system failure
    • periodically saves the state of the application and the user's information
    • like a word processor working with a "recovered" document
  94. ISO 27034
    standard that provides guidance for secure applications

    27005 provides standards for Information Security RISK management
  95. Software configuration management (SCM) system
    • during development within SDLC, ensures that software integrity, changes and traceability is maintained 
    • can also provide concurrency management, versioning and synchronization
  96. Purging
    • makes the information unrecoverable, even with extraordinary effort
    • required if the media is to be reused in a different compartment or removed from the original area
    • can be done with degaussing, zeroization and destruction
  97. System cold start
    Usually requires intervention by an administrator or user
  98. RAID
    • RAID 0 = striping only
    • RAID 3 = byte level striping and dedicated parity disk
    • RAID 5 = BLOCK level striping and parity across ALL disks; most common
    • RAID 10 = combination of 1 and 0; striping and mirroring; can survive multiple drive failures
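Added worked example (not part of the original card set): the XOR parity behind RAID 5, laid out with rotating parity across all disks so that any single failed drive can be rebuilt from the survivors. The disk count, block size and sample data are constructed for this illustration; a real controller also rotates in a fixed layout and handles partial-stripe writes, which this toy omits.

```python
def xor_blocks(*blocks: bytes) -> bytes:
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        for i, b in enumerate(blk):
            out[i] ^= b
    return bytes(out)


def raid5_write(data: bytes, ndisks: int, block: int) -> list:
    """Lay `data` over `ndisks` drives: each stripe holds ndisks-1 data blocks
    plus one XOR parity block, and the parity position rotates so no single
    drive becomes the parity bottleneck (the RAID 3 dedicated-parity weakness)."""
    nd = ndisks - 1
    blocks = [data[i:i + block].ljust(block, b"\0") for i in range(0, len(data), block)]
    while len(blocks) % nd:
        blocks.append(b"\0" * block)
    disks = [[] for _ in range(ndisks)]
    for s in range(len(blocks) // nd):
        chunk = blocks[s * nd:(s + 1) * nd]
        parity_at = (ndisks - 1 - s) % ndisks
        it = iter(chunk)
        for d in range(ndisks):
            disks[d].append(xor_blocks(*chunk) if d == parity_at else next(it))
    return disks


def raid5_rebuild(disks: list, failed: int) -> list:
    """Reconstruct one failed drive: in every stripe the missing block (data or
    parity) is the XOR of the surviving blocks.  A second failure is unrecoverable."""
    survivors = [d for d in range(len(disks)) if d != failed]
    nstripes = len(disks[survivors[0]])
    return [xor_blocks(*(disks[d][s] for d in survivors)) for s in range(nstripes)]


def raid5_read(disks: list, length: int) -> bytes:
    """Read data back, skipping the parity block in each stripe."""
    ndisks = len(disks)
    out = b""
    for s in range(len(disks[0])):
        parity_at = (ndisks - 1 - s) % ndisks
        out += b"".join(disks[d][s] for d in range(ndisks) if d != parity_at)
    return out[:length]
```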
  99. Address spoofing
    • can be done with tools like Juggernaut and HUNT
    • much harder when SSL/TLS, IPsec or Kerberos is in use, because the session is authenticated and encrypted
  100. Double blind test
    • stealth assessment
    • double-blind is when the network and security staff is not aware of the test
    • (blind, double-blind or targeted)
  101. Mirroring vs. duplexing
    • Mirroring = uses the same controller to simultaneously write to separate disks
    • Duplexing = uses two or more controllers
Author: usma1976
ID: 306999
Card Set: CISSP5
Description: review set