CISSP6

Card Set Information

Author:
usma1976
ID:
307143
Filename:
CISSP6
Updated:
2015-09-03 23:38:32
Tags:
CISSP
Folders:

Description:
Final review

The flashcards below were created by user usma1976 on FreezingBlue Flashcards.


  1. OLA
    Operating Level Agreement = an internal agreement that supports an SLA (internal SLA)

    SLA = quality of service provided by a 3rd party / provider; outsourcing
  2. Collusion
    Rotation of duties
  3. BPA
    • Business Partnership Agreement = used when a company operates as a partnership
    • helps avoid issues and conflicts
  4. MOU / ISA
    • MOU is used if 2 companies are going to connect together
    • ISA = details about the computer connection
  5. STRIDE
    microsoft's approach to threat modeling
  6. ISC2 Code of ethics - 4 canons (in order)
    • Protect society (promote trust)
    • Be a good person (act honorably)
    • Be a good CISSP (provide competent service)
    • Advance the profession (develop others)
  7. IAB
    What not to do
  8. ISO Standards (Memorize these)
    • 27001 = outline and AUDIT
    • 27002 = BEST PRACTICES and BS17799
  9. NIST (memorize)
    • 800-30 = Threats
    • 800-34 = BCP (Continuity Planning)
    • 800-37 = Risk Management
    • 800-53A = Controls
    • 800-115 = Testing
  10. What are the most important port numbers?
    • FTP ports 20 (data) and 21
    • SSH port 22
    • Telnet port 23
    • SMTP port 25
    • IPSEC ports 50 and 51
    • DNS port 53
    • TFTP port 69
    • HTTP port 80
    • LDAP port 389
    • HTTPS port 443
    • SNMP ports 161 and 162

    well-known ports = <1024; source ports >=1024

    • well known ports: 0 to 1023; commonly used services; only used by privileged or root system processes
    • Registered ports: 1,024 to 49,151 for proprietary software; must be registered with ICANN
    • Dynamic ports: 49,152 to 65,535; private ports available for ANY application

    • UDP:
      - DNS = 53
      - NTP = 123
      - BOOTP = 67 and 68
      - SNMP = 161
  11. Memory types
    • ROM - read only; non-volatile; eg firmware; retained after power down; usually small amount; such as boot program; BIOS
    • RAM - random access; refreshed every few milliseconds; volatile; MAIN memory for OS, applications and data
    • DRAM - a dynamic RAM; cheapest
    • SRAM - a static RAM; very fast; used for cache; smaller amount; expensive
    • CACHE - a type of RAM that speeds access by storing frequently used information
    • Primary memory - a type of RAM; used for instructions
    • Secondary memory - slower, non-volatile storage
    • Sequential memory
  12. ISO Standards
    • ISO 27000 also referred to as BS7799, ISO 17799
    • ISO 27000 = overview and vocabulary for ISMS
    • 27001 = ISMS requirements
    • 27002 = code of practice
    • 27003 = guideline for ISMS implementation
    • 27004 = metrics
    • 27005 = risk management
    • 27006 = audit
    • 27011 = telecommunications
    • 27031 = business continuity (BS 25999)
    • 27034 = software development
    • 27033-1 = network security
    • 27799 = health
    • 42010 = architectural standards for systems and software engineering
    • ISO 15408 = Common Criteria

    Plan - Do - Check - Act
  13. CMMI
    • Maturity Level 1 - Ad Hoc/Initial
    • Maturity Level 2 - Managed (basic)
    • Maturity Level 3 - Well Defined (documented, standardized, integrated)
    • Maturity Level 4 - Quantitatively Managed
    • Maturity Level 5 - Optimizing (continuous improvement)
  14. types of ids systems (4)
    • State-based - uses rules that outline transition sequences; compares patterns to several activities at once; a type of signature based ids
    • Anomaly-based - builds a profile over time of normal activities; compares future traffic to normal using complex statistical algorithms and scores each packet; 3 types:
      - statistical
      - protocol
      - traffic
    • Misuse-detection system = same as signature based ids - uses signatures to detect; least effective on new malware; needs to be updated regularly
    • Rule-based = using expert systems, a knowledge base and rule based programming; compares data to be analyzed to facts
  15. 802.11a
    • uses OFDM
    • 5GHz
    • 54Mbps; much faster than 802.11b
    • shorter range
    • not backwards compatible with other 802.11
  16. protocols and layers
    • Application = TFTP or FTP, SMTP, HTTP; message; interface to the user
    • Presentation layer = syntax and format (TIFF, ASCII, GIF, JPEG); translates; does encryption and compression
    • Session layer = establishing a connection end-to-end; establish, data transfer, release; DIALOG management (SQL, NETBIOS, RPC); simplex, half-duplex
    • Transport = UDP, TCP, SSL, SPX; handshake; reliable data transfer; error detection; connection oriented; flow control; Segment; interacts with information and prepares for transmission
    • Network = IPSEC, IP, RIP, OSPF, BGP, IGMP, ICMP; routing; send and pray; DATAGRAM; packets
    • Data Link = ARP, PPP, L2TP, FDDI, Ethernet, Token Ring; has 2 sublayers = LLC (logical link control) and MAC (media access control); 802.11, 802.16 etc refers to protocols at the MAC sublayer; FRAMES; bridges and switches
    • Physical = electrical (bits)
  17. IEEE
    802.16

    • MAN wireless standard; extends wireless over a large geographic area
    • broadband wireless access
    • also called WIMAX

    802.15

    • wireless personal area network (WPAN)
    • short-range (bluetooth)

    802.11, 802.15 and 802.16 all deal with WiFi
  18. common criteria and assurance levels (7)
    • lowest is:
    • EAL 1 = functionally tested
    • EAL 2 = structurally tested
    • EAL 3 = METHODICALLY tested
    • EAL 4 = Methodically designed, tested and reviewed
    • EAL 5 = SEMIFORMALLY designed and tested
    • EAL 6 = semiformally VERIFIED design and tested
    • EAL 7 = FORMALLY VERIFIED design and tested

    uses protection profiles in the evaluation process; describes a real world need

    • has 5 elements:
      - evaluation assurance requirements (type and intensity of the evaluation)
      - descriptive elements
      - rationale
      - functional requirements
      - development assurance requirements

    • Common Criteria process:
      1. Protection Profile: security requirements; and expected EAL
      2. Target of Evaluation: product manufactured to meet the profile
      3. Security Target: vendor's explanation of how the ToE meets the security requirements
      4. Evaluation
      5. Evaluation assurance level assigned - assigns the EAL
  19. Wassenaar Arrangement
    • implements export controls for conventional arms and dual-use goods (like encryption)
    • 40 countries; 9 categories of areas covered (category 4 covers computers)
  20. transport layer
    • Handshake
    • handles error detection, recovery and flow control
    • TCP (connection); UDP (connection-less); SSL (secure socket layer) AND SPX (sequenced packet exchange)
    • NOTE: IPX = IP = Network layer
  21. 802.1 (MAC layer of data link layer)
    • 802.1 AR unique ID per device
    • 802.1 AE data encryption
    • 802.1 AF key agreement
    • 802.1X EAP-TLS = port authentication
  22. Loki attack
    • ICMP
    • sets up a back door
    • client/server program that sets up a server portion to listen on a port
    • attacker sends commands inside on an ICMP packet
  23. TCP/IP Model (as compared to OSI)
    • Application = Application + Presentation + Session
    • Transport (TCP) = Host to host
    • Internet (IP) = Network (all routing protocols like BGP)
    • Network access = Physical + Data Link
  24. asymmetric encryption algorithms (6)
    • RSA
    • ECC
    • Diffie-Hellman
    • El Gamal
    • DSA
    • Knapsack
  25. Symmetric algorithms (6)
    • DES
    • 3DES
    • Blowfish/Twofish
    • IDEA
    • RC4, RC5, RC6
    • SAFER
  26. RSA
    • de facto asymmetric algorithm
    • difficulty of factoring large numbers
    • one way function = easy to do in one direction (multiply prime numbers)  but hard to impossible in the other direction (factoring into prime)
    • key size of 1,024 bits and larger should be used
    • encryption, key exchange and digital signatures

    • VERSUS other algorithms that are based on the discrete logarithm problem over finite fields:
      - El Gamal; Diffie Hellman; Schnorr signature; NIST's DSA (Digital Signature Algorithm)
  27. OS Protection mechanisms (4)
    • Layering - organization of functions into separate components
    • Abstraction - looks for common functions to simplify
    • Process isolation - prevents one software application from affecting another
    • Hardware segmentation
  28. CPU Terms
    • Scalar processor - one instruction at a time (older)
    • Superscalar processor - concurrent execution of multiple instructions (adds additional ALUs)
    • Pipelining - combines different instructions and sequencing; much faster
    • Multi-tasking - multiple tasks (Heavyweight process) (1 CPU) (execute more than one program at a time)
    • multithreading - multiple threads (Lightweight process)
    • multi-processing - multiple programs at the same time on multiple CPUs
      - Windows NT/2000/XP are symmetrical multiprocessing (more than one CPU equally shared) (SMP)
      - Asymmetrical multiprocessing systems (AMP) have multiple CPUs running different functions

    • multi-programming
      - similar to multiprocessing
      - when an operating system and CPU can execute more than one program at a time
      - different from multiprocessing as the OS has less control in releasing resources than in multiprocessing environments

    program counter = contains the memory address of the next instruction to be fetched (special register)
  29. Brewer and Nash
    • Chinese Wall
    • Integrity
    • conflict of interest
    • DYNAMIC changes to access controls
  30. Graham Denning model
    • addresses access rights between subjects and objects
    • defines eight primitive protection rights or rules
  31. Bell-LaPadula
    • Confidentiality
    • Mandatory Access Control; Lattice
    • No read up (SIMPLE Security rule)
    • No write down (* property rule)

    Example: Confidential......Secret......Top Secret

    • Weak Tranquility - labels of subjects and objects never change in a way that violates security
    • Strong Tranquility - labels never change during system operation

    STRONG STAR = No Read Down AND No Write Up; stuck at a single level
  32. Clark-Wilson
    • integrity model
    • INTERNAL consistency
    • Discretionary access model or RBAC
    • dictates that critical tasks should be split up between users (separation of duties) and
    • subject should only be able to access and modify an object by using an application (ACCESS TRIPLE)
    • also dictates that internal and external consistency should be in place
  33. ITSEC vs TCSEC mappings
    • ITSEC = TCSEC (low to high)
    • E0 = D
    • F1 + E1 = C1
    • F2 + E2 = C2
    • F3 + E3 = B1
    • F4 + E4 = B2
    • F5 + E5 = B3
    • F5 + E6 = A1
    • F6 = systems with high integrity
    • F7 = systems with high availability
    • F8 = systems with high integrity during communication
    • F9 = systems with high confidentiality (cryptographic)
    • F10 = networks with high confidentiality and integrity
  34. Modes
    • user mode = problem mode; least trusted
    • kernel mode = supervisory mode; trusted; privileged; executive
  35. Ionization = smoke; Infrared = flame
  36. Broadcast address
    • host portion is set to all 1's
    • 10.255.255.255 is broadcast for .10 network
  37. Limited broadcast
    • Stays on local segment
    • routers block limited broadcast by default
  38. IPV4
    • classful addressing
    • A thru E
    • Class A = 1.0.0.0 through 127.255.255.255
    • Class B = 128.0.0.0 through 191.255.255.255; 65,000 hosts
    • Class C = 192.0.0.0 through 223.255.255.255; 254 nodes
    • Class D = multicast 224 thru 239
    • Class E = reserved experimental; 240 thru 255 (darknet)

    • IPV4 = 32 bit address; IPv6=128 bits
    • IPV6 over IPv4 = tunneling
    • IPv4 thru IPv6 = translation

  39. Private addresses
    • 10.x.x.x
    • 172.16.0.0 thru 172.31.255.255
    • 192.168.x.x
    • not routed on the Internet

    NAT is Layer 3
  40. FQDN
    fully qualified domain name = host.enterprise.top level domain
  41. FTP
    sends username and pwd in cleartext
  42. DNP3
    • distributed network protocol
    • multi-layer (like TCP/IP)
    • used for ICS/SCADA
    • IEEE 1815-2012
  43. Voice Protocols
    • H323 and SIP = setup and tear down calls
    • RTP = media; can be prioritized with QOS

    can use TCP or UDP but most SIP uses UDP

    SIP = user agent client and user agent server
  44. 802.11
    • 802.11b = 11Mbps at 2.4GHz
    • 802.11a = 54Mbps at 5 Ghz
    • 802.11g = 54Mbps at 2.4 Ghz
    • 802.11n = 144+ Mbps using both 2.4 Ghz and 5 Ghz

    • b,a,g good for 100 meters; n is good for a mile or two
    • 54Mbps=OFDM
  45. X.25 and Frame Relay
    • use High-level data link control (HDLC) and synchronous data link control (SDLC)
    • both operate at layer 2
  46. DSL
    • 1 to 2 Mbps
    • in order from slower to faster:

    • SDSL (last mile)
    • ADSL
    • HDSL
    • VDSL
  47. Devices
    • Repeater, Hub = Layer 1
    • Bridge = Layer 2
    • Switch = Layer 2 and Layer 3
    • Router = Layer 3
    • Proxy = circuit level = Layer 5 or 6
    • Application layer firewall = Layer 7
  48. Twisted Pair
    • Category 1 and 2 = voice and low-speed data
    • Category 3 = 10Mbps
    • Category 4 = 16Mbps
    • Category 5 = 100Mbps to 1GBps
    • Category 6 = 1GBps
  49. Routing
    • RIP = distance vector; # of hops
    • Link state = time; shortest path first
    • BGP = LARGE networks
    • MPLS
  50. IPSEC
    • protocol that creates a secure tunnel to send information across an insecure network
    • Simple Key Management for IP (SKIP) and Internet Security Association and Key Management Protocol (ISAKMP) are key exchange protocols used by IPSEC
    • de facto standard is IKE (Internet Key Exchange) which is a combination of ISAKMP and OAKLEY
    • all work at the network layer

    • tunnel mode = secures payload and header; site to site
    • transport mode = only secures the payload; host to host
  51. PAP versus CHAP
    • PAP = sends the password
    • CHAP = uses challenge response to AUTHENTICATE; does not send pwd
  52. SLIP, PPP, EAP
    • SLIP = older; no error detection
    • PPP = improves on SLIP; uses PAP or CHAP; encryption, compression and dynamic addressing
    • EAP = extension to PPP; mutual authentication
  53. 802.1X
    layer 2 authentication
  54. Isochronous processes
    must deliver data within set time constraints
  55. Iterated association
    each tunnel can originate or terminate at different IPSEC site along the way; supports multiple layers of nesting
  56. ICMP Messages
    • 0 = echo reply
    • 3 = delivery failure (host unknown, network unreachable)
    • 3 = source quench
    • 8 = echo request
    • 11 = TTL expired
    • 12 = IP header was bad
    • 13 = communication administratively prohibited
  57. NIS+
    • Network Information Service is a directory service from Sun
    • designed to eliminate duplication of configuration data by using a central repository
  58. DCE
    • Distributed computing environment
    • similar to Kerberos
    • developed by Open Group
  59. Packet filtering firewall
    • low level of security BUT
    • application-independent
    • highly scalable
    • perform at a high level
  60. SIP
    IETF defined signalling protocol used for controlling multimedia sessions such as VOIP
  61. Kerberos main application
    • a single-sign on system for client server authentication systems
    • Massachusetts MIT Project Athena with symmetric keys and tickets

    • 3 principals:
      - trusted KDC
      - subject
      - object

    • authenticates with MSCHAP
    • symmetric keys
  62. DAC
    • easy to use and administer
    • performed at the discretion of any administrator
    • owners can change security attributes

    • weaknesses:
      - processes are user surrogates and can run arbitrary code
      - processes can change access control attributes
      - DAC generally assumes a benign software environment
  63. Identification
    association of a unique identity with an individual presenting himself to an access control system
  64. SALT
    • random number hashed along with the password to ensure identical passwords will have different hashes
    • makes pre-computation attacks such as rainbow tables infeasible
  65. Iris scan versus retina scan
    • Iris scan = colors and patterns around a person's eye
    • retina scan = blood vessel patterns at the back of the eye
  66. Single sign-on (2)
    • Kerberos = default authentication model for most OS's
    • uses symmetric keys with shared secret keys
    • AS, KDC, TGS, TGT = creates a session key
    • does not need a PKI

    • sesame = extends Kerberos
    • uses both symmetric and asymmetric keys
    • PAC (privileged attribute certificates), PAS (privileged attribute server)
    • PAC is digitally signed so requires a PKI
  67. Server side attack
    • 1. reconnaissance
    • 2. network enumeration
    • 3. port scanning
    • 4. OS fingerprinting
    • 5. determine vulnerabilities
    • 6. exploit
  68. Scans / discovery
    • ARP scans for systems on same LAN
    • ICMP requests
    • TCP to common ports
    • IPv6 Neighbor Discovery
    • Sniffing
  69. Testing
    • White box = source code review
    • Black box = fuzzing against compiled code
    • Gray box = partial knowledge test

    • white box = static analysis against the source code
    • dynamic analysis is testing run-time code
  70. Web application testing
    • HTTP interception proxy intercepts web data in real time
    • primary tool for web testing
  71. Controlling your environment
    • Policy - tells a user what to do
    • Training - provides the skill set (how)
    • Awareness - changes user behavior

    • lack of awareness = user not doing what they should
    • awareness = educating about general information security issues
  72. Password guessing
    Attempting to authenticate repeatedly!
  73. Lifecycle
    Due diligence (plan) > Due Care (provision) > Maintain (operating) > Decommission
  74. Controls
    • Preventive = Firewalls, encryption, authentication, AV, IPS, NGFW
    • Detective = Log review, auditing, integrity checkers; firewall (can be both); IDS; anomaly identification; SIEM; protocol behavior; signature matching
  75. Firewall (in order)
    • Packet filtering = examines packets and compares to ACL
    • Stateful = maintains a state table of connections
    • Proxy (SOCKS is a circuit level proxy) = breaks the connection in two; application proxy (gateway) works at all 7 layers
    • Next Generation (NGFW) = layer 7; deep packet inspection; understands client, web and IP
  76. Bastion host
    • In DMZ
    • hardened machine
    • example: web, mail, FTP servers
  77. NIDS (PASSIVE) [Detective]
    Sniffer with rules:

    • Signature matching
    • Protocol behavior
    • Anomaly identification

    versus IPS which is active like a firewall

    • True positive = allow
    • True negative = deny
    • False positive = alerts wrongly on good traffic
    • False negative = fails to alert on malicious traffic (worst kind)
  78. Incident handling (PICERL)
    Preparation > Identification > Containment (stop losses, corrective) > Eradication (clean-up, reimage) > Recovery > Lessons Learned (fix failure)
  79. Evidence life cycle
    • Collection and identification
    • Storage, preservation and transportation
    • Presentation in court
    • Return to owner
  80. Exceptions to search and seizure without a warrant
    • 1. consent
    • 2. in plain sight (when legally searching for something else)
    • 3. employment policy
  81. RAID
    • = Failure Resistant Disk Systems (FRDS)
    • RAID 0 = striping across all disks
    • RAID 1 = mirroring (duplicate)
    • RAID 2 = bit-interleaved data (not used anymore) 39 disks
    • RAID 3 = byte level parity on dedicated parity drive
    • RAID 4 = block level parity on dedicated parity drive
    • RAID 5 = stripe set with parity across all drives
  82. Archive bit
    Gets turned off by full and incremental!
  83. DRP Testing
    • checklist = consistency test
    • walkthrough = validity test
    • simulation = walk-through with mock-up
    • parallel = recovery with main still active
    • full = actual failover to alternate site
  84. Policy
    • Policy = high level document; strategic
    • Standard = mandatory, compulsory rules
    • Procedure = step by step instructions
    • Baseline = consistent reference point
  85. Agile
    • PAIR Programming, continuous integration, continuous deployment
    • adaptive, flexible, customer feedback
    • Extreme Programming (PAIR plus User Story plus Unit Tests); SCRUM (Rugby team)
  86. CASE and IDE
    • Computer Aided Software Engineering (CASE) = pre-planned modules to improve productivity
    • Integrated Development Environment (IDE) = workspace for code editing, debugging, compiling; Eclipse; Visual Studio
  87. DevOps
    closer integration of development and operations
  88. Security Development Lifecycle (SDL) (new)
    • CMMI, SDLC and DevOps = faster development, reduced costs, fewer defects
    • SDL = security; MS SDL has 16 practices

    SD3+C = Security by Design, Default, Deployment + Communications
  89. RPC; CORBA
    • object request broker exposes access to data
    • CORBA is cross-platform
  90. Privilege escalation
    • SETuid root
    • ring 3 to ring 0
  91. Buffer overflow
    • write arbitrary code to memory
    • improper bounds checking of input
  92. Integer overflows
    • normal fixed-length memory
    • overflow can corrupt nearby memory
  93. Stack with Canary
    • value in the stack before the return pointer
    • can warn of a stack-smash
  94. RAD (Rapid Application Development)
    • less emphasis on planning tasks and more emphasis on development
    • In contrast to the waterfall model, which emphasizes rigorous specification and planning
    • RAD approaches emphasize the necessity of adjusting requirements in reaction to knowledge gained as the project progresses
  95. Key variable = key = cryptovariable
  96. MD5 = 128 bit digest
    SHA = 160 bit digests
  97. collision vs Key Clustering
    • collision - same HASHING algorithm hashes different messages yields the same message digest
    • Key Clustering = same plaintext message encrypted with 2 different keys yields the same ciphertext
  98. TCSEC (The orange Book)
    • Trusted Computer Security Evaluation Criteria
    • part of rainbow series
    • 4 classes:
      - A: verified protected
      - B: Mandatory protected
      - C: Discretionary protected
      - D: Minimal security

    • ITSEC is less rigid than the Orange Book
    • Evaluated Functionality (F) and Assurance (E)
    • 10 Functionality Levels
    • E0 thru E6 Assurance Levels
  99. Registers
    • Dedicated = program counters that point to memory locations
    • Status = hold state information
  100. Process states (4)
    • Run
    • Wait
    • Sleep = stopped and waiting for a time allotment or for an event to occur
    • Masked/interruptible
  101. SDRAM
    synchronous DRAM syncs with clock speed
  102. Process
    collection of instructions and assigned resources
  103. Isolation
    • Hardware = TCB keeps separate from untrusted areas
    • Software = subject and objects are isolated
  104. TCB
    defines the level of security ASSURANCE a system provides
  105. Multi
    • Multiprogramming - OS can load more than one program in memory
    • Multitasking - OS can handle several different processes
    • Multithreading - application can run multiple threads simultaneously
    • Multiprocessing - more than one CPU
  106. Clark-Wilson
    • Integrity
    • Well formed transactions and separation of duties
    • Application oriented as opposed to general (like BLP or biba)
    • SUBJECT/PROGRAM Binding

    Dash means separation of duties

    • Focused on commercial applications
    • Unauthorized users cannot make changes;
    • authorized users cannot make unauthorized changes
  107. biba
    • Deals with Integrity
    • Opposite of Bell LaPadula
    • No Read Down (simple integrity)
    • No Write Up (Integrity * property)
    • Invocation property = a subject cannot request service (invoke) of higher integrity
    • Private.....Captain........General
  108. Forensic science (3)
    • Media
    • software
    • network

    Computer forensics = media analysis
  109. Direct evidence
    • based on 5 senses
    • ORAL testimony
    • can prove or disprove a fact by itself
  110. COBIT (4 domains)
    • Plan and Organize
    • Acquire and Implement
    • Deliver and Support
    • Monitor and Evaluate

    • Provides:
      - control objectives
      - control practices
      - goal indicators
      - performance indicators
      - success factors
      - maturity models
  111. Transaction persistent
    Database state is preserved before and after a transaction
  112. RAID 0
    performance!
