Download C725 Information Security and Assurance -with Answers 2022 and more Exams Communication in PDF only on Docsity! C725 Information Security and Assurance -with Answers 2022 two of the tools security specialists use to protect information systems - Ans cryptography and firewalls Security is synonymous with - Ans Protection, Armor, Shield terms that impact people. best represents the three objectives of information security - Ans Confidentiality, integrity, and availability Information Network Institute (INI) - Ans One major educational institution, Carnegie Mellon, established the Information Network Institute (INI) in 1989 as a leading research and education center in the field of information networking. The formal study of information security has accelerated primarily for what reason? - Ans Increasingly interconnected global networks Security administrators - Ans Security administrators work alongside system administrators and database administrators to ensure that an appropriate separation of duties can prevent abuse of privilege when new computer systems are implemented and users begin to access these systems. The security administrators help to establish new user accounts, ensure that auditing mechanisms are present and operating as needed, ensure that communications between systems are securely implemented, and assist in troubleshooting problems and responding to incidents that could compromise confidentiality, integrity, or availability of the systems. Access coordinators - Ans are delegated the authority on behalf of a system owner to establish and maintain the user base that is permitted to access and use the system in the normal course of their job duties. Security architects and network engineers - Ans design and implement network infrastructures that are built with security in mind. Skills needed here include understanding firewall designs, designing and developing intrusion detection/prevention systems and processes, and determining how to configure servers, desktop computers, and mobile devices to comply with security policies. Security consultants - Ans work with project-development teams to perform risk analysis of new systems by balancing the needs of business with the threats that stem from opening up access to data or managing new information that could compromise the business if it fell into the wrong hands. Security consultants are usually internal personnel who are assigned to project-development teams and remain with the project from inception to implementation. Security testers - Ans are the white-hat hackers paid to test the security of newly acquired and newly developed or redeveloped systems. Testers who can mimic the activities of outside hackers are hired to find software problems and bugs before the system is made available. Their work reduces the likelihood that the system will be compromised when it's in day-to-day operating mode. Policymakers and standards developers - Ans are the people who look to outside regulators and executive management to set the tone and establish the specific rules of the road when interacting with or managing information systems. Policymakers formally encode the policies or management intentions in how information will be secured. Compliance officers - Ans check to see that employees remain in compliance with security policies and standards as they use information systems in their daily work. Compliance officers usually work with outside regulators when audits are conducted and are often charged with employee security training and awareness programs to help maintain compliance. Incident response team members - Ans are alerted when an intrusion or security incident occurs. They decide how to stop the attack or limit the damage as they collect and analyze forensics data while interacting with law enforcement personnel and executive management. Governance and vendor managers - Ans are needed to ensure that outsourced functions are operating within security policies and standards. The IT industry continues to rely on off-shore developers, managed security services, and outsourced computer operations, so the growth of governance personnel is assured. Confidentiality - Ans is sometimes referred to as the principle of least privilege, meaning that users should be given only enough privilege to perform their duties, and no more. Some other synonyms for confidentiality you might encounter include privacy, secrecy, and discretion. Confidentiality models are primarily intended to ensure that no unauthorized access to information is permitted and that accidental disclosure of sensitive information is not possible. Common confidentiality controls are user IDs and passwords. The Three Security Goals Are - Ans Confidentiality, Integrity, and Availability CIA Triad - Ans these goals form the confidentiality, integrity, availability (CIA) triad, the basis of all security programs. Confidentiality is the concept of the measures used to ensure the protection of the secrecy of data, objects, or resources. The goal of confidentiality protection is to prevent or minimize unauthorized access to data. Confidentiality focuses security measures on ensuring that no one other than the intended recipient of a message receives it or is able to read it Security management - Ans planning ensures proper creation, implementation, and enforcement of a security policy. Security management planning aligns the security functions to the strategy, goals, mission, and objectives of the organization. This includes designing and implementing security based on business cases, budget restrictions, or scarcity of resources. One of the most effective ways to tackle security management planning is to use a top- down approach. The best security plan is useless without one key factor: approval by senior management. A business case - Ans is usually a documented argument or stated position in order to define a need to make a decision or take some form of action. To make a business case is to demonstrate a business-specific need to alter an existing process or choose an approach to a business task. A business case is often made to justify the start of a new project, especially a project related to security. information security (InfoSec) - Ans team should be led by a designated chief information security officer (CISO) who must report directly to senior management. Placing the autonomy of the CISO and the CISO's team outside the typical hierarchical structure in an organization can improve security management across the entire organization. It also helps to avoid cross-department and internal political issues. chief security officer (CSO) or information security officer (ISO) - Ans is sometimes used as an alternative to CISO, but in many organizations the CSO position is a subposition under the CISO that focuses on physical security. Another potential term for the CISO is information security officer (ISO), but this also can be used as a subposition under the CISO. security management planning team should develop three types of plans - Ans Strategic Plan: A strategic plan is a long-term plan that is fairly stable. It defines the organization's security purpose. It also helps to understand security function and align it to the goals, mission, and objectives of the organization. It's useful for about five years if it is maintained and updated annually. The strategic plan also serves as the planning horizon. Long-term goals and visions for the future are discussed in a strategic plan. A strategic plan should include a risk assessment. Tactical Plan: The tactical plan is a midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan or can be crafted ad hoc based upon unpredicted events. A tactical plan is typically useful for about a year and often prescribes and schedules the tasks necessary to accomplish organizational goals. Some examples of tactical plans are project plans, acquisition plans, hiring plans, budget plans, maintenance plans, support plans, and system development plans. Operational Plan: An operational plan is a short-term, highly detailed plan based on the strategic and tactical plans. It is valid or useful only for a short time. Operational plans must be updated often (such as monthly or quarterly) to retain compliance with tactical plans. Operational plans spell out how to accomplish the various goals of the organization. They include resource allotments, budgetary requirements, staffing assignments, scheduling, and step-by-step or implementation procedures. Operational plans include details on how the implementation processes are in compliance with the organization's security policy. Examples of operational plans are training plans, system deployment plans, and product design plans. Change Control/Management - Ans Another important aspect of security management is the control or management of change. Change in a secure environment can introduce loopholes, overlaps, missing objects, and oversights that can lead to new vulnerabilities. Data Classification or categorization - Ans is the process of organizing items, objects, subjects, and so on into groups, categories, or collections with similarities. These similarities could include value, cost, sensitivity, risk, vulnerability, power, privilege, possible levels of loss or damage, or need to know. The following are benefits of using a data classification scheme: It demonstrates an organization's commitment to protecting valuable resources and assets. It assists in identifying those assets that are most critical or valuable to the organization. It lends credence to the selection of protection mechanisms. It is often required for regulatory compliance or legal restrictions. It helps to define access levels, types of authorized uses, and parameters for declassification and/or destruction of resources that are no longer valuable. It helps with data lifecycle management which in part is the storage length (retention), usage, and destruction of the data. To implement a classification scheme, you must perform seven major steps, or phases: Identify the custodian, and define their responsibilities. Specify the evaluation criteria of how the information will be classified and labeled. Classify and label each resource. (The owner conducts this step, but a supervisor should review it.) Document any exceptions to the classification policy that are discovered, and integrate them into the evaluation criteria. Select the security controls that will be applied to each classification level to provide the necessary level of protection. Specify the procedures for declassifying resources and the procedures for transferring custody of a resource to an external entity. Create an enterprise-wide awareness program to instruct all personnel about the classification system. Declassification - Ans is required once an asset no longer warrants or needs the protection of its currently assigned classification or sensitivity level. In other words, if the asset were new, it would be assigned a lower sensitivity label than it currently is assigned. Organizational Roles and Responsibilities - Ans Senior Manager: The organizational owner (senior manager) role is assigned to the person who is ultimately responsible for the security maintained by an organization and who should be most concerned about the protection of its assets. The senior manager must sign off on all policy issues. In fact, all activities must be approved by and signed off on by the senior manager before they can be carried out. There is no effective security policy if the senior manager does not authorize and support it. The senior manager's endorsement of the security policy indicates the accepted ownership of the implemented security within the organization. The senior manager is the person who will be held liable for the overall success or failure of a security solution and is responsible for exercising due care and due diligence in establishing security for an organization. Even though senior managers are ultimately responsible for security, they rarely implement security solutions. In most cases, that responsibility is delegated to security professionals within the organization. Security Professional: The security professional, information security (InfoSec) officer, or computer incident response team (CIRT) role is assigned to a trained and experienced network, systems, and security engineer who is responsible for following the directives mandated by senior management. The security professional has the functional responsibility for security, including writing the security policy and implementing it. The role of security professional can be labeled as an IS/IT function role. The security professional role is often filled by a team that is responsible for designing and implementing security solutions based on the approved security policy. Security professionals are not decision makers; they are implementers. All decisions must be left to the senior manager. Data Owner: The data owner role is assigned to the person who is responsible for classifying information for placement and protection within the security solution. The data owner is typically a high-level manager who is ultimately responsible for data protection. However, the data owner usually delegates the responsibility of the actual data management tasks to a data custodian. Data Custodian: The data custodian role is assigned to the user who is responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management. The data custodian performs all activities necessary to provide adequate protection for the CIA Triad (confidentiality, integrity, and availability) of data and to fulfill the requirements and responsibilities delegated from upper management. These activities can include performing and testing backups, validating data integrity, deploying security solutions, and managing data storage based on classification. User: The user (end user or operator) role is assigned to any person who has access to the secured system. A user's access is tied to their work tasks and is limited so they have only enough access to perform the tasks necessary for their job position (the principle of least privilege). Users are responsible for understanding and upholding the Understanding and applying concepts of confidentiality, integrity, and availability Developing and implementing security policies Managing the information life cycle (classification, categorization, and ownership) Managing third-party governance (on-site assessments, document exchange and review, process and policy reviews) Understanding and applying risk management concepts Managing personnel security Developing and managing security education, training, and awareness Managing the security function (budgets, metrics, and so on) The Security Architecture and Design domain - Ans one of the more technical areas of study within the CBK, discusses concepts, principles, structures, and standards used to design, implement, monitor, and secure operating systems, equipment, networks, applications, and other controls to enforce various levels of confidentiality, integrity, and availability. Understanding the fundamental concepts of security models (confidentiality models, integrity models, and multilevel models) Identifying the components of information systems security evaluation models (such as Common Criteria) Understanding security capabilities of information systems (memory protection, trusted platform modules, and so on) Pinpointing the vulnerabilities of security architectures Recognizing software and system vulnerabilities and threats Understanding countermeasure principles (such as defense in depth) information security Common Body of Knowledge - Ans The information security Common Body of Knowledge is a compilation and distillation of all security information collected internationally of relevance to information security professionals. How many domains are contained within the CBK - Ans 8 Domains: Security and Risk Management Asset Security Security Architecture and Engineering Communications and Network Security Identity and Access Management Security Assessment and Testing Security Operations Software Development Security Business Continuity and Disaster Recovery Planning - Ans Business Continuity Planning (BCP), along with the Business Impact Assessment (BIA) and the Disaster Recovery Plan (DRP), is the core of this domain. The following topics are included in this domain: Understanding business continuity requirements Conducting business impact analysis Developing a recovery strategy Understanding the disaster recovery process Exercising, assessing, and maintaining the plans Legal Regulations, Investigations, and Compliance - Ans This domain covers the different targets of computer crimes, bodies of law, and the different types of laws and regulations as they apply to computer security. Other topics included in this domain are Understanding legal issues that pertain to information security internationally Adopting professional ethics Understanding and supporting investigations Understanding forensic procedures Following compliance requirements and procedures Ensuring security in contractual agreements and procurement processes (such as cloud computing, outsourcing, and vendor governance) Physical (Environmental) Security - Ans Topics covered in this domain include securing the physical site using policies and procedures coupled with the appropriate alarm and intrusion detection systems, monitoring systems, and so forth. Topics include Understanding site and facility design considerations Supporting the implementation and operation of perimeter security (physical access controls and monitoring, keys, locks, safes, and so on) Supporting the implementation and operation of facilities security (badges, smart cards, PINs, and so on) Supporting the protection and securing of equipment Understanding personnel privacy and safety (duress, travel, and so on) Operations Security - Ans This domain covers the kind of operational procedures and tools that eliminate or reduce the capability to exploit critical information. It includes defining the controls over media, hardware, and operators with special systems privileges. Specific topics include Understanding security operations concepts (need-to-know, separation of duties, and so on) Employing resource protection Managing incident response Implementing preventable measures against attacks Implementing and supporting patch and vulnerability management Understanding change and configuration management Understanding system resilience and fault-tolerant requirements Access Control - Ans Who may access the system, and what can they do after they are signed on? That is the focus of this CBK domain. Specific topics include Understanding identification, authentication, authorization, and logging and monitoring techniques and technologies Understanding access control attacks Assessing effectiveness of access controls formalized security policy structure - Ans Standards define compulsory requirements for the homogenous use of hardware, software, technology, and security controls. They provide a course of action by which technology and procedures are uniformly implemented throughout an organization. A baseline defines a minimum level of security that every system throughout the organization must meet. All systems not complying with the baseline should be taken out of production until they can be brought up to the baseline. The baseline establishes a common foundational secure state on which all additional and more stringent security measures can be built. A guideline offers recommendations on how standards and baselines are implemented and serves as an operational guide for both security professionals and users. Guidelines are flexible so they can be customized for each unique system or condition and can be used in the creation of new procedures. A procedure or standard operating procedure (SOP) is a detailed, step-by-step how-to document that describes the exact actions necessary to implement a specific security mechanism, control, or solution. Threat modeling - Ans Threat modeling is the security process where potential threats are identified, categorized, and analyzed. Threat modeling can be performed as a proactive measure during design and development or as a reactive measure once a product has been deployed. In either case, the process identifies the potential harm, the probability of occurrence, the priority of concern, and the means to eradicate or reduce the threat. A proactive approach to threat modeling takes place during the early stages of systems development, specifically during initial design and specifications establishment. This type of threat modeling is also known as a defensive approach. This method is based on predicting threats and designing in specific defenses during the coding and crafting process, rather than relying on post-deployment updates and patches. A reactive approach to threat modeling takes place after a product has been created and deployed. This deployment could be in a test or laboratory environment or to the general marketplace. This type of threat modeling is also known as the adversarial approach. This technique of threat modeling is the core concept behind ethical hacking, penetration testing, source code review, and fuzz testing. Identifying Threats - Ans Focused on Assets: This method uses asset valuation results and attempts to identify threats to the valuable assets. For example, a specific asset can be evaluated to determine if it is susceptible to an attack. If the asset hosts data, access controls can be evaluated to identify threats that can bypass authentication or authorization mechanisms. Focused on Attackers: Some organizations are able to identify potential attackers and can identify the threats they represent based on the attacker's goals. For example, a government is often able to identify potential attackers and recognize what the attackers want to achieve. They can then use this knowledge to identify and protect their relevant assets. A challenge with this approach is that new attackers can appear that weren't previously considered a threat. Focused on Software: If an organization develops software, it can consider potential threats against the software. Although organizations didn't commonly develop their own software years ago, it's common to do so today. Specifically, most organizations have a web presence, and many create their own web pages. Fancy web pages drive more traffic, but they also require more sophisticated programming and present additional threats. STRIDE threat model - Ans Spoofing: An attack with the goal of gaining access to a target system through the use of a falsified identity. Spoofing can be used against Internet Protocol (IP) addresses, MAC addresses, usernames, system names, wireless network service set identifiers (SSIDs), email addresses, and many other types of logical identification. When an attacker spoofs their identity as a valid or authorized entity, they are often able to bypass filters and blockades against unauthorized access. Once a spoofing attack has successfully granted an attacker access to a target system, subsequent attacks of abuse, data theft, or privilege escalation can be initiated. Tampering: Any action resulting in unauthorized changes or manipulation of data, whether in transit or in storage. Tampering is used to falsify communications or alter static information. Such attacks are a violation of integrity as well as availability. Repudiation: The ability of a user or attacker to deny having performed an action or activity. Often attackers engage in repudiation attacks in order to maintain plausible deniability so as not to be held accountable for their actions. Repudiation attacks can also result in innocent third parties being blamed for security violations. Information disclosure: The revelation or distribution of private, confidential, or controlled information to external or unauthorized entities. This could include customer identity information, financial information, or proprietary business operation details. Information disclosure can take advantage of system design and implementation mistakes, such as failing to remove debugging code, leaving sample applications and accounts, not sanitizing programming notes from client-visible content (such as comments in Hypertext Markup Language (HTML) documents), using hidden form fields, or allowing overly detailed error messages to be shown to users. Denial of service (DoS): An attack that attempts to prevent authorized use of a resource. This can be done through flaw exploitation, connection overloading, or traffic flooding. A DoS attack does not necessarily result in full interruption to a resource; it could instead reduce throughput or introduce latency in order to hamper productive use of a resource. Although most DoS attacks are temporary and last only as long as the attacker maintains the onslaught, there are some permanent DoS attacks. A permanent DoS attack might involve the destruction of a dataset, the replacement of software with malicious alternatives, or forcing a firmware flash operation that could be interrupted or that installs faulty firmware. Any of these DoS attacks would render a permanently damaged system that is not able to be restored to normal operation with a simple reboot or by waiting out the attackers. A full system repair and backup restoration would be required to recover from a permanent DoS attack. Elevation of privilege: An attack where a limited user account is transformed into an account with greater privileges, powers, and access. This might be accomplished through theft or exploitation of the credentials of a higher-level account, such as that of an administrator or root. It also might be accomplished through a system or application exploit that temporarily or permanently grants additional powers to an otherwise limited account. Process for Attack Simulation and Threat Analysis (PASTA) - Ans Stage I: Definition of the Objectives (DO) for the Analysis of Risks Stage II: Definition of the Technical Scope (DTS) Stage III: Application Decomposition and Analysis (ADA) Stage IV: Threat Analysis (TA) Stage V: Weakness and Vulnerability Analysis (WVA) Stage VI: Attack Modeling & Simulation (AMS) Stage VII: Risk Analysis & Management (RAM) Trike - Ans Trike is another threat modeling methodology that focuses on a risk-based approach instead of depending upon the aggregated threat model used in STRIDE and Disaster, Reproducibility, Exploitability, Affected Users, and Discoverability (DREAD) (see the "Prioritization and Response" section later in this lesson). Trike provides a method of performing a security audit in a reliable and repeatable procedure. It also provides a consistent framework for communication and collaboration among security workers. Trike is used to craft an assessment of an acceptable level of risk for each class of asset that is then used to determine appropriate risk response actions. Visual, Agile, and Simple Threat (VAST) - Ans is a threat modeling concept based on Agile project management and programming principles. The goal of VAST is to integrate threat and risk management into an Agile programming environment on a scalable basis. Performing Reduction Analysis - Ans reduction analysis is also known as decomposing the application, system, or environment. The purpose of this task is to gain a greater Separation of duties Pre-employment hiring practices Risk analysis and management Education, awareness, and training Who Is Responsible for Security - Ans Chief information security officer (CISO): Establishes and maintains security and risk-management programs for information resources. Information resources manager: Maintains policies and procedures that provide for security and risk management of information resources. Information resources security officer: Directs policies and procedures designed to protect information resources (identifies vulnerabilities, develops security awareness program, and so forth). Owners of information resources: Have the responsibility of carrying out the program that uses the resources. This does not imply personal ownership. These individuals might be regarded as program managers or delegates for the owner. Custodians of information resources: Provide technical facilities, data processing, and other support services to owners and users of information resources. Technical managers (network and system administrators): Provide technical support for security of information resources. Internal auditors: Conduct periodic risk-based reviews of information resources security policies and procedures. Users: Have access to information resources in accordance with the owner-defined controls and access rules. OSI Model - Ans Application, Presentation, Session, Transport, Network, Data Link, Physical Physical layer (layer 1) - Ans transmit bit streams on a physical medium. They manage the interfaces of physical devices with physical transmission media, such as coax cable. This layer has the fewest tasks to perform. It sends bit streams across the network to another device and receives a bit stream response in return. The High Speed Serial Interface (HSSI) is one example of a standard interface working at the Physical Layer level. Data Link Layer (layer 2) - Ans transfers units of information to the other end of the physical link. Protocols at this level establish communication links between devices over a physical link(physical devices) or channel, converting data into bit streams for delivery to the lowest layer, the Physical Layer. 802.11 wireless LANs operate at Layer 2 and Layer 1 protocol - Ans is a set of rules and restrictions that define how data is transmitted over a network medium (e.g., twisted-pair cable, wireless transmission) Encapsulation / Deencapsulation - Ans is the addition of a header, and possibly a footer, to the data received by each layer from the layer above before it's handed off to the layer below. As the message is encapsulated at each layer, the previous layer's header and payload combine to become the payload of the current layer. Encapsulation occurs as the data moves down through the OSI model layers from Application to Physical. The inverse action occurring as data moves up through the OSI model layers from Physical to Application is known as deencapsulation. The encapsulation /deencapsulation process is as follows: Application layer (layer 7) - Ans is called the data stream. the highest layer in the stack, is the one most directly related to the computer user. It provides several application services, such as file transfer, resource allocation, and the identification and verification of computer availability. Each time you send an email, you are invoking protocols at the Application Layer level. Transport layer (layer 4) - Ans Protocols at this level provide the point-to-point integrity of data transmissions. They determine how to address the other computer, establish communication links, handle the networking of messages, and generally control the session. The Transmission Control Protocol (TCP) operates at this level. TCP allows two computers to connect with each other and exchange streams of data while guaranteeing delivery of the data and maintaining it in the same order. Although the context of communications works at the higher layers of the protocol stack, the transport of this context over the network occurs at Layer 4. Transport Layer (host-to-host) protocols: Transmission Control Protocol: TCP is a reliable service that maintains the proper sequence of incoming packets and acknowledges receipt to the user. User Datagram Protocol (UDP): UDP is a less robust version of TCP. It does not acknowledge receipt of packets and is a connectionless and less reliable service. Its advantage over TCP is its faster speed and lower overhead. Network layer (layer 3) - Ans decides how small bundles, or packets, of data route between destination systems on the same network or interconnected networks. Routers and bridge routers (brouters) are among the network hardware devices that function at layer 3 Network (Internet) Layer protocols: Internet Protocol: The protocol of protocols, IP addresses are assigned by the Internet Assigned Numbers Authority to each host computer on the network. This serves as a logical ID. The IP address assists with the routing of information across the Internet. Outgoing data packets have the originator's IP address and the IP address of the recipient. Address Resolution Protocol (ARP): ARP matches an IP address to an Ethernet address, which is a physical device (network adapter) that has a unique media access control (MAC) address assigned by the manufacturer of the device. MAC addresses are much longer numbers than IP addresses, and humans tend to work better with IP addresses than with MAC addresses. Thus, ARP and RARP (covered next) exist to help with network addressing tasks. Reverse Address Resolution Protocol (RARP): If ARP translates an IP address to a MAC address, then RARP translates hardware interface (MAC) addresses to IP protocol addresses. Internet Control Message Protocol (ICMP): The ICMP is tightly integrated with the IP protocol. Some of its functions include announcing network errors and congestion, troubleshooting, and reporting timeouts. ICMP is the management protocol for TCP/IP and is often the source of security issues; network hackers use it to select targets and determine network level information about these targets. For example, the common ping command, used to determine whether an IP or host name is online, is an ICMP command. Session layer (layer 5) - Ans is responsible for establishing, maintaining, and terminating communication sessions between two computers. When you request information about your checking account balance from your bank's web application, the Session Layer makes the initial contact with the host computer, formats the data you are sending for transmission, establishes the necessary communication links, and handles recovery and restart functions. Trusted Computing Base (TCB) - Ans is the totality of protection mechanisms within a computer system, including hardware, firmware, and software. based on the need-to-know or least privilege principle, and for audit control mechanisms that enforce the personal accountability of subjects for the actions they take while using the system. In the commercial world, discretionary protection shelters objects from unauthorized subjects through the assignment of privilege to the subject by the object's owner. In other words, a data owner (human being) gets to decide who is authorized to access his or her objects (data, programs, and so forth). Class C1: Discretionary Security ProtectionThe TCB of a Class C1 system satisfies the discretionary access control requirements by separating users and data. It incorporates mechanisms that are capable of enforcing access limitations on an individual basis. Class C2: Controlled Access ProtectionSystems in this class enforce a more finely grained discretionary access control than C1 systems, making users individually accountable for their actions through login procedures, auditing of security-relevant events, and resource isolation. Trusted Computer System Evaluation Criteria (TCSEC): Mandatory Protection (Categories B1, B2, B3) - Ans Mandatory Protection (Categories B1, B2, B3): Mandatory protection systems provide more security controls than category C or D systems. More granularity of control is mandated, so security administrators can apply specific controls that allow only very limited sets of subject/object access. This category of systems is based on the Bell-LaPadula model. Mandatory access is based on security labels. Class B1: Labeled Security ProtectionClass B1 systems require all the features Class C2 systems require. In addition, an informal statement of the security policy model, data labeling, and mandatory access control over named subjects and objects must be present. Class B2: Structured ProtectionIn Class B2 systems, the TCB is based on a clearly defined and documented formal security policy model that requires extending the discretionary and mandatory access control enforcement in Class B1 systems to all subjects and objects in the system. Class B3: Security DomainsFor Class B3, the TCB must satisfy the reference monitor requirements to do the following: Mediate all accesses of subjects to objects Resist tampering Have a small enough size that it can be subjected to analysis and tests Trusted Computer System Evaluation Criteria (TCSEC):Verified Protection (Category A1): - Ans Verified protection systems are similar to B3 systems in the structure and controls they employ. The difference is in the development cycle. Each phase of the development cycle is controlled using formal methods. Each phase of the design is documented, evaluated, and verified before the next step is taken. This forces extreme security consciousness during all steps of development and deployment and is the only way to formally guarantee strong system security. Class A1: Verified DesignSystems in Class A1 are functionally equivalent to those in Class B3, with no additional architectural features or policy requirements added. The distinguishing feature of systems in this class is the analysis derived from formal design specification and verification techniques and the resulting high degree of assurance that the TCB is correctly implemented. Rainbow Series - Ans The Orange Book classifications, from most to least secure, are Division A, Division B, Division C, and Division D. Orange Book: Under the DOD Trusted Computer System Evaluation Criteria (TCSEC) both divisions A and B require mandatory protection. Orange Book: In Class B2 systems, the TCB is based on a clearly defined and documented formal security policy model that requires extending the discretionary and mandatory access control enforcement in Class B1 systems to all subjects and objects in the system. In addition, covert channels are addressed. Orange Book: Class B1 systems require all the features Class C2 systems require. In addition, an informal statement of the security policy model, data labeling, and mandatory access control over named subjects and objects must be present. Orange Book: Leonard J. LaPadula and David E. Bell developed this early and popular security model in the 1970s. It forms the basis of the TCSEC. Orange Book: ITSEC added other specialized classes including integrity and availability. Trusted Computer System Evaluation Criteria (TCSEC):Division D: Minimal Protection - Ans TCSEC reserves Division D for systems that have been formally evaluated but fail to meet the requirements for a higher evaluation class. This classification is also used for unrated or untested systems. TCSEC does not contain specific requirements for Division D evaluations, but some of the TCSEC interpretation documents (including other Rainbow Series documents) do permit specifying Division D levels of evaluation. The Trusted Network Interpretation of the TCSEC - Ans The Trusted Network Interpretation (TNI) of the TCSEC is also referred to as the Red Book of the Rainbow Series. The TNI restates the requirements of the TCSEC in a network context as contrasted with TCSEC on stand-alone and non-networked environments. For more information on the purpose and meaning of TNI, consult the Rainbow Books description of TNI at Trusted Network Interpretation. Information Technology Security Evaluation Criteria (ITSEC) - Ans is a European- developed criterion that fills a role roughly equivalent to the TCSEC for use throughout the European Community. Although the ITSEC and TCSEC have many similar requirements, they also have some important distinctions. The ITSEC places increased emphasis on integrity and availability and attempts to provide a uniform approach to the evaluation of both products and systems. ITSEC introduces the concept of the target of evaluation (TOE), which refers to the product or system under evaluation. It adds to the TCB security-relevant functions in addition to security-enforcing functions (such as TCSEC). ITSEC provides for functionality classes, assurance classes, and profiles for systems. It also introduces the security target (ST), a written document that contains these components: A system security policy Required security-enforcing functions Required security mechanisms Claimed ratings of minimum strength Target evaluation levels, expressed as both functional and evaluation (F-xx and E-yy) ITSEC and TCSEC - Ans ITSEC classes are hierarchical; each class adds to the class above it and contains specific functions and mechanisms that correspond to TCSEC. ITSEC also supports other specialized classes that stand alone (nonhierarchical): F-IN for high-integrity F-AV for high-availability F-DI for high data integrity F-DC for high data confidentiality F-DX for networks that require high demands for confidentiality and integrity during data exchanges ITSEC Assurance Classes - Ans E0 - Inadequate assurance; fails to meet E1 requirements E1 - Security target document that provides an informal description of the TOE's architectural design and functional testing that the TOE satisfies target requirements E2 - E1 requirements, plus an informal description of detailed designs, testing evidence, configuration control requirements, and approved distribution procedures assured security in conventional off-the-shelf TOEs. Additional security-specific engineering costs could be involved. Evaluation Assurance Level 5: EAL5 permits a developer to gain maximum assurance from security engineering based on rigorous commercial development practices supported by moderate application of specialist security engineering techniques. EAL5 is applicable when developers or users require a high level of independently assured security in a planned development and require a rigorous development approach without incurring unreasonable costs for special security engineering techniques. Evaluation Assurance Level 6: EAL6 permits developers to gain high assurance from applying security engineering techniques to a rigorous development environment, to produce a premium TOE for protecting high-value assets against significant risks. EAL6 is applicable to developing security TOEs in high-risk situations, when the value of the protected assets justifies additional costs. Evaluation Assurance Level 7: EAL7 applies to the development of security TOEs for application in extremely high-risk situations, when the value of such assets justifies the costs for higher assurance levels. Common Evaluation Methodology (CEM) - Ans The CEM contains three parts: Part 1: Introduction and General Model: This part describes agreed-upon principles of evaluation and introduces agreed-upon evaluation terminology dealing with the process of evaluation. Part 2: CC Evaluation Methodology: This part is based on CC Part 3 evaluator actions. It uses well-defined assertions to refine CC Part 3 evaluator actions and tangible evaluator activities to determine requirement compliance. In addition, it offers guidance to further clarify the intent evaluator actions. Part 2 provides for methodologies to evaluate the following: PPs, STs, EAL1, EAL2, EAL3, EAL4, EAL5, EAL6, EAL7. Components not included in an EAL Part 3: Extensions to the Methodology: These extensions are needed to take full advantage of the evaluation results. This part includes topics such as guidance on the composition and content of evaluation document deliverables. Bell-LaPadula Model - Ans is a confidentiality model intended to preserve the principle of least privilege. It is a formal description of allowable paths of information flow in a secure system and defines security requirements for systems handling data at different sensitivity levels. The model defines a secure state and access between subjects and objects in accordance with specific security policy. Biba Integrity Model - Ans The Biba model covers integrity levels, which are analogs to the sensitivity levels from the Bell-LaPadula model. Integrity levels cover inappropriate modification of data and prevent unauthorized users from making modifications to resources and data. The Bell-LaPadula model is a confidentiality model intended to preserve the principle of least privilege. The Biba model uses a read-up, write-down approach. Subjects cannot read objects of lesser integrity and cannot write to objects of higher integrity. Think of CIA analysts and the information they need to perform their duties. Under the Biba model, an analyst with Top Secret clearance can see only information that's labeled as Top Secret with respect to integrity (confirmed by multiple sources, and so forth); likewise, this analyst can contribute information only at his or her clearance level. People with higher clearances are not "poisoned" with data from a lower level of integrity and cannot poison those with clearances higher than theirs. Advanced Models - Ans Clark and Wilson model: Proposes "well formed transactions." It requires mathematical proof that steps are performed in order exactly as they are listed, authenticates the individuals who perform the steps, and defines separation of duties. Noninterference model: Covers ways to prevent subjects operating in one domain from affecting each other in violation of security policy. State machine model: Acts as an abstract mathematical model consisting of state variables and transition functions. Access matrix model: Acts as a state machine model for a discretionary access control environment. Information flow model: Simplifies analysis of covert channels. A covert channel is a communication channel that allows two cooperating processes of different security levels (one higher than the other) to transfer information in a way that violates a system's security policy. business impact analysis (BIA) - Ans valuates risks to the organization and prioritizes the systems in use for purposes of recovery. Mission-critical systems—systems that are essential for the ongoing operation of the business—are at the top of the list, followed by less critical systems and then "nice to have" systems that are nonessential for the business to remain in business. business continuity plan (BCP) - Ans describes the critical processes, procedures, and personnel that must be protected in the event of an emergency. The formal implementation of the BCP requires a close examination of business practices and services that constitute the boundaries and define the scope of the plan. The steps of the BCP are identify the scope of the BCP, create the BIA, write the BCP, and obtain signoff of the tested BCP. The BCP reduces the risk to the business in case of a disruption in the continuity of business. Three categories of assets must be protected through BCP provisions and processes: people, buildings/facilities, and infrastructure. disaster recovery plan (DRP) - Ans describes the exact steps and procedures personnel in key departments, specifically the IT department, must follow to recover critical business systems in the event of a disaster that causes the loss of access to systems required for business operations. Types of Disruptive Events (BIA Risks) - Ans Natural events capable of disrupting a business include these: Earthquakes, fires, floods, mudslides, snow, ice, lightning, hurricanes, and tornadoes Explosions, chemical fires, hazardous waste spills, and smoke and water damage Power outages caused by utility failures, high heat and humidity, and solar flares Events for which man, not nature, is directly responsible for disruptive events can include these: Strikes, work stoppages, and walkouts Sabotage, burglary, and other forms of hostile activity Massive failure of technology, including utility and communication failure caused by human intervention or error Business Impact Analysis - Ans The BIA identifies the risks that specific threats pose to the business, quantifies the risks, establishes priorities, and performs a cost/benefit analysis for countering risks. In pursuit of these goals, these are the three most important steps: Prioritize the business processes After critical processes have been identified and prioritized, determine how long each process can be down before business continuity is seriously compromised. Identify the resources required to support the most critical processes. single loss expectancy (SLE) - Ans is the monetary loss that is expected each time the risk materializes. You can compute the SLE using the following formula: SLE = AV x EF Annualized Loss Expectancy (ALE) - Ans is the monetary loss that the business expects to occur as a result of the risk harming the asset over the course of a year. You already have all the data necessary to perform this calculation. The SLE is the amount of damage you expect each time a disaster strikes, and the ARO (from the likelihood analysis) is the number of times you expect a disaster to occur each year. You compute the ALE by simply multiplying those two numbers: ALE = SLE x ARO four steps of the business continuity planning process - Ans Business continuity planning involves four distinct phases: project scope and planning, business impact assessment, continuity planning, and approval and implementation. Describe how to perform the business organization analysis. - Ans In the business organization analysis, the individuals responsible for leading the BCP process determine which departments and individuals have a stake in the business continuity plan. This analysis is used as the foundation for BCP team selection and, after validation by the BCP team, is used to guide the next stages of BCP development. List the necessary members of the business continuity planning team - Ans he BCP team should contain, at a minimum, representatives from each of the operational and support departments; technical experts from the IT department; physical and IT security personnel with BCP skills; legal representatives familiar with corporate legal, regulatory, and contractual responsibilities; and representatives from senior management. Additional team members depend on the structure and nature of the organization. Know the legal and regulatory requirements that face business continuity planners. - Ans Business leaders must exercise due diligence to ensure that shareholders' interests are protected in the event disaster strikes. Some industries are also subject to federal, state, and local regulations that mandate specific BCP procedures. Many businesses also have contractual obligations to their clients that must be met before and after a disaster. Explain the steps of the business impact assessment process. - Ans The five steps of the business impact assessment process are identification of priorities, risk identification, likelihood assessment, impact assessment, and resource prioritization. Describe the process used to develop a continuity strategy. - Ans During the strategy development phase, the BCP team determines which risks will be mitigated. In the provisions and processes phase, mechanisms and procedures that will mitigate the risks are designed. The plan must then be approved by senior management and implemented. Personnel must also receive training on their roles in the BCP process. Explain the importance of fully documenting an organization's business continuity plan. - Ans Committing the plan to writing provides the organization with a written record of the procedures to follow when disaster strikes. It prevents the "it's in my head" syndrome and ensures the orderly progress of events in an emergency. single point of failure (SPOF) - Ans is any component that can cause an entire system to fail. If a computer has data on a single disk, failure of the disk can cause the computer to fail, so the disk is a single point of failure. If a database-dependent website includes multiple web servers all served by a single database server, the database server is a single point of failure. Fault tolerance - Ans is the ability of a system to suffer a fault but continue to operate. Fault tolerance is achieved by adding redundant components such as additional disks within a redundant array of inexpensive disks (RAID) array, or additional servers within a failover clustered configuration. System resilience refers - Ans to the ability of a system to maintain an acceptable level of service during an adverse event. This could be a hardware fault managed by fault- tolerant components, or it could be an attack managed by other controls such as effective intrusion detection and prevention systems. In some contexts, it refers to the ability of a system to return to a previous state after an adverse event. For example, if a primary server in a failover cluster fails, fault tolerance ensures that the system fails over to another server. System resilience implies that the cluster can fail back to the original server after the original server is repaired RAID configurations - Ans fault tolerance and system resilience RAID-0: This is also called striping. It uses two or more disks and improves the disk subsystem performance, but it does not provide fault tolerance. RAID-1: This is also called mirroring. It uses two disks, which both hold the same data. If one disk fails, the other disk includes the data so a system can continue to operate after a single disk fails. Depending on the hardware used and which drive fails, the system may be able to continue to operate without intervention, or the system may need to be manually configured to use the drive that didn't fail. RAID-5: This is also called striping with parity. It uses three or more disks with the equivalent of one disk holding parity information. If any single disk fails, the RAID array will continue to operate, though it will be slower. RAID-10: This is also known as RAID 1 + 0 or a stripe of mirrors, and is configured as two or more mirrors (RAID-1) configured in a striped (RAID-0) configuration. It uses at least four disks but can support more as long as an even number of disks are added. It will continue to operate even if multiple disks fail, as long as at least one drive in each mirror continues to function. For example, if it had three mirrored sets (called M1, M2, and M3 for this example) it would have a total of six disks. If one drive in M1, one in M2, and one in M3 all failed, the array would continue to operate. However, if two drives in any of the mirrors failed, such as both drives in M1, the entire array would fail. Both software and hardware-based RAID solutions are available. Software-based systems require the operating system to manage the disks in the array and can reduce overall system performance. They are relatively inexpensive since they don't require any additional hardware other than the additional disk(s). Hardware RAID systems are generally more efficient and reliable. While a hardware RAID is more expensive, the benefits outweigh the costs when used to increase availability of a critical component. Denial of service (DoS) attacks: - Ans This tactic overloads a computer's resources (particularly the temporary storage area in computers, called the buffers) from any number of sources (referred to as a distributed denial of service, or DDoS, attack) until the system is so bogged down that it cannot honor requests. The DDoS attack in February 2000 on Yahoo! took the site down for 3 hours. A day later, eBay, Amazon.com, Buy.com, and CNN.com were hit with the same type of attack. The following day, E*TRADE and ZDNet were struck. Rogue code: - Ans The user inadvertently launches software that can log a user's keystrokes and either send them to a remote server or perform other undesirable activities, such as deleting files or destroying the operating system, rendering the computer useless. Software piracy: - Ans The attacker copies or downloads software and uses it without permission. Social engineering: - Ans Using deception, the attacker solicits information such as passwords or personal identification numbers (PINs) from unwitting victims. For example, a thief might call a help desk pretending to be a user whose password needs resetting. Dumpster diving: - Ans This no-tech criminal technique is the primary cause of ID theft. A criminal simply digs through trash and recycling bins looking for receipts, checks, and other personal and sensitive information. (If you don't shred all your receipts or lock up your recycling bin where you dispose of protected information, someone might be rummaging through your personal or proprietary information at this very moment.) Spoofing of Internet Protocol (IP) addresses: - Ans The attacker sends a message with a false originating IP address to convince the recipient that the sender is someone else. Every computer on the Internet is assigned a unique IP address. In this case, the attacker masquerades as a legitimate Internet site by using that site's IP address. Emanation eavesdropping: - Ans The attacker intercepts radio frequency (RF) signals emanated by wireless computers to extract sensitive or classified information. This U.S. government's TEMPEST program addresses this problem by requiring shields on computers transmitting such data. Operated by the U.S. Department of Defense (DOD), National Data Conversion Institute (NDCI) - Ans makes a case for using expert investigative services to solve computer crimes. ISC2 Code of Ethics - Ans helps certificate holders resolve dilemmas related to their practice, provides guidance on encouraging good behavior and discouraging poor behavior. is expected of all IS specialists, helps define a high moral code of professional behavior, and speaks to the credibility of the individual. ISC2 Code of Ethics includes Provide thorough and competent service to your customers and peers, Judge not, lest you be judged, Strive to protect society and its components. Ten Commandments of Computer Ethics - Ans Thou Shalt Not Use a Computer to Harm Other People. Thou Shalt Not Interfere with Other People's Computer Work. Thou Shalt Not Snoop Around in Other People's Computer Files. Thou Shalt Not Use a Computer to Steal. Thou Shalt Not Use a Computer to Bear False Witness. Thou Shalt Not Copy or Use Proprietary Software for Which You Have Not Paid. Thou Shalt Not Use Other People's Computer Resources Without Authorization or Proper Compensation. Thou Shalt Not Appropriate Other People's Intellectual Output. Thou Shalt Think About the Social Consequences of the Program You Are Writing or the System You Are Designing. Thou Shalt Always Use a Computer in Ways That Ensure Consideration and Respect for Your Fellow Humans. ethical conduct - Ans is expected of all IS specialists, helps define a high moral code of professional behavior, and speaks to the credibility of the individual. Computer Fraud and Abuse Act(CFAA) - Ans The major provisions of the original CCCA made it a crime to perform the following: Access classified information or financial information in a federal system without authorization or in excess of authorized privileges Access a computer used exclusively by the federal government without authorization Use a federal computer to perpetrate a fraud (unless the only object of the fraud was to gain use of the computer itself) Cause malicious damage to a federal computer system in excess of $1,000 Modify medical records in a computer when doing so impairs or may impair the examination, diagnosis, treatment, or medical care of an individual Traffic in computer passwords if the trafficking affects interstate commerce or involves a federal computer system CFAA Amendments - Ans Collectively, these changes are referred to as the Computer Abuse Amendments Act of 1994 and included the following provisions: Outlawed the creation of any type of malicious code that might cause damage to a computer system Modified the CFAA to cover any computer used in interstate commerce rather than just "federal interest" computer systems Allowed for the imprisonment of offenders, regardless of whether they actually intended to cause damage Provided legal authority for the victims of computer crime to pursue civil action to gain injunctive relief and compensation for damages Since the initial CFAA amendments in 1994, Congress passed additional amendments in 1996, 2001, 2002, and 2008 as part of other cybercrime legislation. National Information Infrastructure Protection Act of 1996 - Ans Broadens CFAA to cover computer systems used in international commerce in addition to systems used in interstate commerce Extends similar protections to portions of the national infrastructure other than computing systems, such as railroads, gas pipelines, electric power grids, and telecommunications circuits Treats any intentional or reckless act that causes damage to critical portions of the national infrastructure as a felony Federal Information Security Management Act (FISMA) - Ans requires that federal agencies implement an information security program that covers the agency's operations. FISMA also requires that government agencies include the activities of contractors in their security management programs. FISMA repealed and replaced two earlier laws: the Computer Security Act of 1987 and the Government Information Security Reform Act of 2000. The National Institute of Standards and Technology (NIST), responsible for developing the FISMA implementation guidelines NIST Cybersecurity Framework (CSF) - Ans is a set of standards designed to serve as a voluntary risk-based framework for securing information and systems. intellectual property - Ans and a whole host of laws exist to protect the rights of their owners. Copyright and the Digital Millennium Copyright Act - Ans Copyright law guarantees the creators of "original works of authorship" protection against the unauthorized duplication of their work. Eight broad categories of works qualify for copyright protection. Literary works Musical works Dramatic works Pantomimes and choreographic works Pictorial, graphical, and sculptural works Motion pictures and other audiovisual works Sound recordings Architectural works Licensing - Ans Four common types of license agreements are in use today. Contractual license agreements use a written contract between the software vendor and the customer, outlining the responsibilities of each. These agreements are commonly found for high-priced and/or highly specialized software packages. Shrink-wrap license agreements are written on the outside of the software packaging. They commonly include a clause stating that you acknowledge agreement to the terms of the contract simply by breaking the shrink-wrap seal on the package. One of the major changes prompted by the PATRIOT Act revolves around the way government agencies obtain wiretapping authorizations. Previously, police could obtain warrants for only one circuit at a time, after proving that the circuit was used by someone subject to monitoring. Provisions of the PATRIOT Act allow authorities to obtain a blanket authorization for a person and then monitor all communications to or from that person under the single warrant. Another major change is in the way the government deals with Internet service providers (ISPs). Under the terms of the PATRIOT Act, ISPs may voluntarily provide the government with a large range of information. The PATRIOT Act also allows the government to obtain detailed information on user activity through the use of a subpoena (as opposed to a wiretap). Finally, the USA PATRIOT Act amends the Computer Fraud and Abuse Act (yes, another set of amendments!) to provide more severe penalties for criminal acts. The PATRIOT Act provides for jail terms of up to 20 years and once again expands the coverage of the CFAA. Family Educational Rights and Privacy Act - Ans he Family Educational Rights and Privacy Act (FERPA) is another specialized privacy bill that affects any educational institution that accepts any form of funding from the federal government (the vast majority of schools). It grants certain privacy rights to students older than 18 and the parents of minor students. Identity Theft and Assumption Deterrence Act - Ans In 1998, the president signed the Identity Theft and Assumption Deterrence Act into law. In the past, the only legal victims of identity theft were the creditors who were defrauded. This act makes identity theft a crime against the person whose identity was stolen and provides severe criminal penalties (up to a 15-year prison term and/or a $250,000 fine) for anyone found guilty of violating this law. Know the definition of computer crime - Ans Computer crime is a crime (or violation of a law or regulation) that is directed against, or directly involves, a computer. Be able to list and explain the six categories of computer crimes - Ans Computer crimes are grouped into six categories: military and intelligence attack, business attack, financial attack, terrorist attack, grudge attack, and thrill attack. Be able to explain the motive of each type of attack. Know the importance of collecting evidence. - Ans As soon you discover an incident, you must begin to collect evidence and as much information about the incident as possible. The evidence can be used in a subsequent legal action or in finding the identity of the attacker. Evidence can also assist you in determining the extent of damage. Understand the eDiscovery process. - Ans Organizations that believe they will be the target of a lawsuit have a duty to preserve digital evidence in a process known as electronic discovery, or eDiscovery. The eDiscovery process includes information governance, identification, preservation, collection, processing, review, analysis, production, and presentation activities. Know how to investigate intrusions and how to gather sufficient information from the equipment, software, and data. - Ans You must have possession of equipment, software, or data to analyze it and use it as evidence. You must acquire the evidence without modifying it or allowing anyone else to modify it. Know the three basic alternatives for confiscating evidence and when each one is appropriate. - Ans First, the person who owns the evidence could voluntarily surrender it. Second, a subpoena could be used to compel the subject to surrender the evidence. Third, a search warrant is most useful when you need to confiscate evidence without giving the subject an opportunity to alter it. Know the importance of retaining investigatory data. - Ans Because you will discover some incidents after they have occurred, you will lose valuable evidence unless you ensure that critical log files are retained for a reasonable period of time. You can retain log files and system status information either in place or in archives. Know the basic requirements for evidence to be admissible in a court of law - Ans To be admissible, evidence must be relevant to a fact at issue in the case, the fact must be material to the case, and the evidence must be competent or legally collected. Explain the various types of evidence that may be used in a criminal or civil trial. - Ans Real evidence consists of actual objects that can be brought into the courtroom. Documentary evidence consists of written documents that provide insight into the facts. Testimonial evidence consists of verbal or written statements made by witnesses. Understand the importance of ethics to security personnel. - Ans Security practitioners are granted a very high level of authority and responsibility to execute their job functions. The potential for abuse exists, and without a strict code of personal behavior, security practitioners could be regarded as having unchecked power. Adherence to a code of ethics helps ensure that such power is not abused. Know the (ISC)2 Code of Ethics and RFC 1087, "Ethics and the Internet." - Ans All CISSP candidates should be familiar with the entire (ISC)2 Code of Ethics because they have to sign an agreement that they will adhere to it. In addition, be familiar with the basic statements of RFC 1087. What are the major categories of computer crime? - Ans The major categories of computer crime are military/intelligence attacks, business attacks, financial attacks, terrorist attacks, grudge attacks, and thrill attacks. What is the main motivation behind a thrill attack? - Ans Thrill attacks are motivated by individuals seeking to achieve the "high" associated with successfully breaking into a computer system. What is the difference between an interview and an interrogation? - Ans Interviews are conducted with the intention of gathering information from individuals to assist with your investigation. Interrogations are conducted with the intent of gathering evidence from suspects to be used in a criminal prosecution. What are the three basic requirements that evidence must meet in order to be admissible in court? - Ans To be admissible, evidence must be reliable, competent, and material to the case secure facility plan - Ans outlines the security needs of your organization and emphasizes methods or mechanisms to employ to provide security. Such a plan is developed through a process known as critical path analysis. Critical path analysis - Ans is a systematic effort to identify relationships between mission-critical applications, processes, and operations and all the necessary supporting elements. For example, an e-commerce server used to sell products over the web relies on internet access, computer hardware, electricity, temperature control, storage facility, and so on. Technology convergence - Ans is the tendency for various technologies, solutions, utilities, and systems to evolve and merge over time. Often this results in multiple systems performing similar or redundant tasks or one system taking over the feature and abilities of another. While in some instances this can result in improved efficiency and cost savings, it can also represent a single point of failure and become a more valuable target for hackers and intruders. Crime Prevention through Environmental Design (CPTED) - Ans The guiding idea is to structure the physical environment and surroundings to influence individual decisions that potential offenders make before committing any criminal acts. processes of designing facility security: - Ans Site selection Natural disaster Visibility Facility design three groups of physical security - Ans administrative, technical, and physical. Administrative physical security controls - Ans include facility construction and selection, site management, personnel controls, awareness training, and emergency response and procedures. Fixed-temperature detection systems - Ans trigger suppression when a specific temperature is reached. The trigger is usually a metal or plastic component that is in the sprinkler head and melts at a specific temperature. Rate-of-rise detection systems - Ans trigger suppression when the speed at which the temperature changes reaches a specific level. Flame-actuated systems trigger suppression based on the infrared energy of flames. Smoke-actuated systems - Ans use photoelectric or radioactive ionization sensors as triggers. four main types of water suppression systems - Ans A wet pipe system (also known as a closed head system) is always full of water. Water discharges immediately when suppression is triggered. A dry pipe system contains compressed air. Once suppression is triggered, the air escapes, opening a water valve that in turn causes the pipes to fill and discharge water into the environment. A deluge system is another form of dry pipe system that uses larger pipes and therefore delivers a significantly larger volume of water. Deluge systems are inappropriate for environments that contain electronics and computers. A preaction system is a combination dry pipe/wet pipe system. The system exists as a dry pipe until the initial stages of a fire (smoke, heat, and so on) are detected, and then the pipes are filled with water. The water is released only after the sprinkler head activation triggers are melted by sufficient heat. If the fire is quenched before sprinklers are triggered, pipes can be manually emptied and reset. This also allows manual intervention to stop the release of water before sprinkler triggering occurs. Gas discharge systems - Ans are usually more effective than water discharge systems. However, gas discharge systems should not be used in environments in which people are located. Gas discharge systems usually remove the oxygen from the air, thus making them hazardous to personnel. why there is no security without physical security - Ans Without control over the physical environment, no amount of administrative or technical/logical access controls can provide adequate security. If a malicious person can gain physical access to your facility or equipment, they can do just about anything they want, from destruction to disclosure and alteration. list administrative physical security controls - Ans Examples of administrative physical security controls are facility construction and selection, site management, personnel controls, awareness training, and emergency response and procedures. list the technical physical security controls - Ans Technical physical security controls can be access controls, intrusion detection, alarms, CCTV, monitoring, HVAC, power supplies, and fire detection and suppression. name the physical controls for physical security - Ans Physical controls for physical security are fencing, lighting, locks, construction materials, mantraps, dogs, and guards. the functional order of controls - Ans These are deterrence, then denial, then detection, and then delay. key elements in making a site selection and designing a facility for construction. - Ans The key elements in making a site selection are visibility, composition of the surrounding area, area accessibility, and the effects of natural disasters. A key element in designing a facility for construction is understanding the level of security needed by your organization and planning for it before construction begins. how to design and configure secure work areas - Ans There should not be equal access to all locations within a facility. Areas that contain assets of higher value or importance should have restricted access. Valuable and confidential assets should be located in the heart or center of protection provided by a facility. Also, centralized server or computer rooms need not be human compatible. Understand the security concerns of a wiring closet - Ans A wiring closet is where the networking cables for a whole building or just a floor are connected to other essential equipment, such as patch panels, switches, routers, LAN extenders, and backbone channels. Most of the security for a wiring closet focuses on preventing physical unauthorized access. If an unauthorized intruder gains access to the area, they may be able to steal equipment, pull or cut cables, or even plant a listening device. Understand how to handle visitors in a secure facility - Ans . If a facility employs restricted areas to control physical security, then a mechanism to handle visitors is required. Often an escort is assigned to visitors, and their access and activities are monitored closely. Failing to track the actions of outsiders when they are granted access to a protected area can result in malicious activity against the most protected assets. three categories of security controls implemented to manage physical security - Ans The security controls implemented to manage physical security can be divided into three groups: administrative, technical, and physical. Understand when and how to use each, and be able to list examples of each kind. security needs for media storage - Ans Media storage facilities should be designed to securely store blank media, reusable media, and installation media. The concerns include theft, corruption, and data remnant recovery. Media storage facility protections include locked cabinets or safes, using a librarian/custodian, implementing a check-in/check-out process, and using media sanitization. concerns of evidence storage - Ans Evidence storage is used to retain logs, drive images, virtual machine snapshots, and other datasets for recovery, internal investigations, and forensic investigations. Protections include dedicated/isolated storage facilities, offline storage, activity tracking, hash management, access restrictions, and encryption. common threats to physical access controls. - Ans No matter what form of physical access control is used, a security guard or other monitoring system must be deployed to prevent abuse, masquerading, and piggybacking. Abuses of physical access control include propping open secured doors and bypassing locks or access controls. Masquerading is using someone else's security ID to gain entry to a facility. Piggybacking is following someone through a secured gate or doorway without being identified or authorized personally. need for audit trails and access logs - Ans Audit trails and access logs are useful tools even for physical access control. They may need to be created manually by security guards. Or they can be generated automatically if sufficiently automated access control mechanisms are in place (in other words, smartcards and certain proximity readers). You should also consider monitoring entry points with CCTV. Through CCTV, you can compare the audit trails and access logs with a visually recorded history of the events. Such information is critical to reconstructing the events of an intrusion, breach, or attack. need for clean power - Ans Power supplied by electric companies is not always consistent and clean. Most electronic equipment demands clean power in order to function properly. Equipment damage because of power fluctuations is a common occurrence. Many organizations opt to manage their own power through several means. A UPS is a type of self-charging battery that can be used to supply consistent clean power to sensitive equipment. UPSs also provide continuous power even after the primary power source fails. A UPS can continue to supply power for minutes or hours depending on its capacity and the draw by equipment. terms commonly associated with power issues - Ans Know the definitions of the following: fault, blackout, sag, brownout, spike, surge, inrush, noise, transient, clean, and ground. control the environment - Ans In addition to power considerations, maintaining the environment involves control over the HVAC mechanisms. Rooms containing primarily computers should be kept at 60 to 75 degrees Fahrenheit (15 to 23 degrees Celsius). Humidity in a computer room should be maintained between 40 and 60 percent. Too much humidity can cause corrosion. Too little humidity causes static electricity. static electricity - Ans Even on nonstatic carpeting, if the environment has low humidity it is still possible to generate 20,000-volt static discharges. Even minimal levels of static discharge can destroy electronic equipment. Integrity is the principle that objects retain their veracity and are intentionally modified by only authorized subjects. Availability is the principle that authorized subjects are granted timely and uninterrupted access to objects. Know why these are important, the mechanisms that support them, the attacks that focus on each, and the effective countermeasures. Be able to explain how identification works - Ans Identification is the process by which a subject professes an identity and accountability is initiated. A subject must provide an identity to a system to start the process of authentication, authorization, and accountability. Understand the process of authentication - Ans Authentication is the process of verifying or testing that a claimed identity is valid. Authentication requires information from the subject that must exactly correspond to the identity indicated. Know how authorization fits into a security plan - Ans Once a subject is authenticated, its access must be authorized. The process of authorization ensures that the requested activity or object access is possible given the rights and privileges assigned to the authenticated identity. Understand security governance. - Ans Security governance is the collection of practices related to supporting, defining, and directing the security efforts of an organization. Be able to explain the auditing process - Ans Auditing, or monitoring, is the programmatic means by which subjects are held accountable for their actions while authenticated on a system. Auditing is also the process by which unauthorized or abnormal activities are detected on a system. Auditing is needed to detect malicious actions by subjects, attempted intrusions, and system failures and to reconstruct events, provide evidence for prosecution, and produce problem reports and analysis. Understand the importance of accountability - Ans An organization's security policy can be properly enforced only if accountability is maintained. In other words, security can be maintained only if subjects are held accountable for their actions. Effective accountability relies on the capability to prove a subject's identity and track their activities. Be able to explain nonrepudiation - Ans Nonrepudiation ensures that the subject of an activity or event cannot deny that the event occurred. It prevents a subject from claiming not to have sent a message, not to have performed an action, or not to have been the cause of an event. Understand security management planning - Ans Security management is based on three types of plans: strategic, tactical, and operational. A strategic plan is a long-term plan that is fairly stable. It defines the organization's goals, mission, and objectives. The tactical plan is a midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan. Operational plans are short-term and highly detailed plans based on the strategic and tactical plans. Know the elements of a formalized security policy structure - Ans To create a comprehensive security plan, you need the following items in place: security policy, standards, baselines, guidelines, and procedures. Such documentation clearly states security requirements and creates due diligence on the part of the responsible parties. Understand key security roles - Ans The primary security roles are senior manager, organizational owner, upper management, security professional, user, data owner, data custodian, and auditor. By creating a security role hierarchy, you limit risk overall. Know how to implement security awareness training - Ans Before actual training can take place, awareness of security as a recognized entity must be created for users. Once this is accomplished, training, or teaching employees to perform their work tasks and to comply with the security policy, can begin. All new employees require some level of training so they will be able to comply with all standards, guidelines, and procedures mandated by the security policy. Education is a more detailed endeavor in which students/users learn much more than they actually need to know to perform their work tasks. Education is most often associated with users pursuing certification or seeking job promotion. Know how layering simplifies security - Ans Layering is the use of multiple controls in series. Using a multilayered solution allows for numerous controls to guard against threats Be able to explain the concept of abstraction. - Ans Abstraction is used to collect similar elements into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective. It adds efficiency to carrying out a security plan. Understand data hiding. - Ans Data hiding is exactly what it sounds like: preventing data from being discovered or accessed by a subject. It is often a key element in security controls as well as in programming. Understand the need for encryption - Ans Encryption is the art and science of hiding the meaning or intent of a communication from unintended recipients. It can take many forms and be applied to every type of electronic communication, including text, audio, and video files, as well as programs themselves. Encryption is an important element in security controls, especially in regard to the transmission of data between systems. Be able to explain the concepts of change control and change management - Ans Change in a secure environment can introduce loopholes, overlaps, missing objects, and oversights that can lead to new vulnerabilities. The only way to maintain security in the face of change is to systematically manage change. Know why and how data is classified. - Ans Data is classified to simplify the process of assigning security controls to groups of objects rather than to individual objects. The two common classification schemes are government/military and commercial business/private sector. Know the five levels of government/military classification and the four levels of commercial business/private sector classification. Understand the importance of declassification - Ans Declassification is required once an asset no longer warrants the protection of its currently assigned classification or sensitivity level. Know the basics of COBIT - Ans Control Objectives for Information and Related Technologies (COBIT) is a security concept infrastructure used to organize the complex security solutions of companies. Know the basics of threat modeling. - Ans Threat modeling is the security process where potential threats are identified, categorized, and analyzed. Threat modeling can be performed as a proactive measure during design and development or as a reactive measure once a product has been deployed. Key concepts include assets/attackers/software, STRIDE, PASTA, Trike, VAST, diagramming, reduction/decomposing, and DREAD. Understand the need to apply risk-based management concepts to the supply chain - Ans Applying risk-based management concepts to the supply chain is a means to ensure a more robust and successful security strategy in organizations of all sizes. When purchases and acquisitions are made without security considerations, the risks inherent in those products remain throughout their deployment life span. Discuss and describe the CIA Triad. - Ans The CIA Triad is the combination of confidentiality, integrity, and availability. Confidentiality is the concept of the measures used to ensure the protection of the secrecy of data, information, or resources. Integrity is the concept of protecting the reliability and correctness of data. Availability is the concept that authorized subjects are granted timely and uninterrupted access to objects. The term CIA Triad is used to indicate the three key components of a security solution What are the requirements to hold a person accountable for the actions of their user account? - Ans The requirements of accountability are identification, authentication, authorization, and auditing. Each of these components needs to be legally supportable to truly hold someone accountable for their actions Describe the benefits of change control management. - Ans The benefits of change control management include preventing unwanted security reduction because of uncontrolled change, documenting and tracking of all alterations in the environment, standardization, conforming with security policy, and the ability to roll back changes in the event of an unwanted or unexpected outcome. effective patch management program, it will often experience outages and incidents from known issues that could have been prevented. Explain vulnerability management - Ans Vulnerability management includes routine vulnerability scans and periodic vulnerability assessments. Vulnerability scanners can detect known security vulnerabilities and weaknesses such as the absence of patches or weak passwords. They generate reports that indicate the technical vulnerabilities of a system and are an effective check for a patch management program. Vulnerability assessments extend beyond just technical scans and can include reviews and audits to detect vulnerabilities. Define the difference between need-to-know and the principle of least privilege. - Ans Need to know focuses on permissions and the ability to access information, whereas the principle of least privilege focuses on privileges. Privileges include both rights and permissions. Both limit the access of users and subjects to only what they need. Following these principles prevents and limits the scope of security incidents. Name the common methods used to manage sensitive information. - Ans Managing sensitive information includes properly marking, handling, storing, and destroying it based on its classification. Describe the purpose of monitoring the assignment and usage of special privileges. - Ans Monitoring the assignment of special privileges detects when individuals are granted higher privileges such as when they are added to an administrator account. It can detect when unauthorized entities are granted higher privileges. Monitoring the usage of special privileges detects when entities are using higher privileges, such as creating unauthorized accounts, accessing or deleting logs, and creating automated tasks. This monitoring can detect potential malicious insiders and remote attackers. List the three primary cloud-based service models and identify the level of maintenance provided by the cloud service provider in each of the models. - Ans The three models are software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS). The cloud service provider (CSP) provides the most maintenance and security services with SaaS, less with PaaS, and the least with IaaS. While NIST SP 800-144 provides these definitions, CSPs sometimes use their own terms and definitions in marketing materials How do change management processes help prevent outages? - Ans Change management processes help prevent outages by ensuring that proposed changes are reviewed and tested before being deployed. They also ensure that changes are documented. Operations security - Ans is primarily concerned with the processes, personnel, and technology of data center operations. It is needed to protect assets from threats during normal use. Know the various types of access controls - Ans You should be able to identify the type of any given access control. Access controls may be preventive (to stop unwanted or unauthorized activity from occurring), detective (to discover unwanted or unauthorized activity), or corrective (to restore systems to normal after an unwanted or unauthorized activity has occurred). Deterrent access controls attempt to discourage violation of security policies, by encouraging people to decide not to take an unwanted action. Recovery controls attempt to repair or restore resources, functions, and capabilities after a security policy violation. Directive controls attempt to direct, confine, or control the action of subjects to force or encourage compliance with security policy. Compensating controls provide options or alternatives to existing controls to aid in enforcement and support of a security policy. implementation methods of access controls - Ans Controls are implemented as administrative, logical/technical, or physical controls. Administrative (or management) controls include policies or procedures to implement and enforce overall access control. Logical/technical controls include hardware or software mechanisms used to manage access to resources and systems and provide protection for those resources and systems. Physical controls include physical barriers deployed to prevent direct contact and access with systems or areas within a facility. difference between identification and authentication - Ans Access controls depend on effective identification and authentication, so it's important to understand the differences between them. Subjects claim an identity, and identification can be as simple as a username for a user. Subjects prove their identity by providing authentication credentials such as the matching password for a username. Configuration management - Ans is used to keep track of an organization's hardware, software, documentation, and related information. It tracks and, if needed, approves changes to the system. common authorization mechanisms - Ans Authorization ensures that the requested activity or object access is possible, given the privileges assigned to the authenticated identity. For example, it ensures that users with appropriate privileges can access files and other resources. Common authorization mechanisms include implicit deny, access control lists, access control matrixes, capability tables, constrained interfaces, content- dependent controls, and context-dependent controls. These mechanisms enforce security principles such as the need-to-know, the principle of least privilege, and separation of duties. basic risk elements - Ans Risk is the possibility or likelihood that a threat can exploit a vulnerability and cause damage to assets. Asset valuation identifies the value of assets, threat modeling identifies threats against these assets, and vulnerability analysis identifies weaknesses in an organization's valuable assets. Access aggregation is a type of attack that combines, or aggregates, nonsensitive information to learn sensitive information and is used in reconnaissance attacks. Know how brute-force and dictionary attacks work - Ans Brute-force and dictionary attacks are carried out against a stolen password database file or the logon prompt of a system. They are designed to discover passwords. In brute-force attacks, all possible combinations of keyboard characters are used, whereas a predefined list of possible passwords is used in a dictionary attack. Account lockout controls prevent their effectiveness against online attacks. Understand the need for strong passwords. - Ans Strong passwords make password- cracking utilities less successful. Strong passwords include multiple character types and are not words contained in a dictionary. Password policies ensure that users create strong passwords. Passwords should be encrypted when stored and encrypted when sent over a network. Authentication can be strengthened by using an additional factor beyond just passwords. Understand how salt and pepper thwarts password attacks - Ans Salts add additional bits to a password before salting it and help thwart rainbow table attacks. Some algorithms such as bcrypt and Password-Based Key Derivation Function 2 (PBKDF2) add the salt and repeat the hashing functions many times. Salts are stored in the same database as the hashed password. A pepper is a large constant number used to further increase the security of the hashed password, and it is stored somewhere outside the database holding the hashed passwords. Understand sniffer attacks. - Ans In a sniffer attack (or snooping attack) an attacker uses a packet-capturing tool (such as a sniffer or protocol analyzer) to capture, analyze, and read data sent over a network. Attackers can easily read data sent over a network in cleartext, but encrypting data in transit thwarts this type of attack. Understand spoofing attacks. - Ans Spoofing is pretending to be something or someone else, and it is used in many types of attacks, including access control attacks. Attackers often try to obtain the credentials of users so that they can spoof the user's identity. Spoofing attacks include email spoofing, phone number spoofing, and IP spoofing. Many phishing attacks use spoofing methods. Understand social engineering - Ans A social-engineering attack is an attempt by an attacker to convince someone to provide information (such as a password) or perform an action they wouldn't normally perform (such as clicking on a malicious link), resulting in a security compromise. Social engineers often try to gain access to the IT infrastructure or the physical facility. User education is an effective tool to prevent the success of social-engineering attacks. Understand phishing - Ans Phishing attacks are commonly used to try to trick users into giving up personal information (such as user accounts and passwords), click a malicious link, or open a malicious attachment. Spear phishing targets specific groups of users, and whaling targets high-level executives. Vishing uses VoIP technologies. authored it. It prevents the sender from subsequently denying that they sent the original message. Know how cryptosystems can be used to achieve authentication goals - Ans Authentication provides assurances as to the identity of a user. One possible scheme that uses authentication is the challenge-response protocol, in which the remote user is asked to encrypt a message using a key known only to the communicating parties. Authentication can be achieved with both symmetric and asymmetric cryptosystems. Be familiar with the basic terminology of cryptography - Ans When a sender wants to transmit a private message to a recipient, the sender takes the plaintext (unencrypted) message and encrypts it using an algorithm and a key. This produces a ciphertext message that is transmitted to the recipient. The recipient then uses a similar algorithm and key to decrypt the ciphertext and re-create the original plaintext message for viewing. Understand the difference between a code and a cipher and explain the basic types of ciphers. - Ans Codes are cryptographic systems of symbols that operate on words or phrases and are sometimes secret but don't always provide confidentiality. Ciphers, however, are always meant to hide the true meaning of a message. Know how the following types of ciphers work: transposition ciphers, substitution ciphers (including one-time pads), stream ciphers, and block ciphers. Know the requirements for successful use of a one-time pad. - Ans For a one-time pad to be successful, the key must be generated randomly without any known pattern. The key must be at least as long as the message to be encrypted. The pads must be protected against physical disclosure, and each pad must be used only one time and then discarded. Understand the concept of zero-knowledge proof. - Ans Zero-knowledge proof is a communication concept. A specific type of information is exchanged, but no real data is transferred, as with digital signatures and digital certificates. Understand split knowledge. - Ans Split knowledge means that the information or privilege required to perform an operation is divided among multiple users. This ensures that no single person has sufficient privileges to compromise the security of the environment. M of N Control is an example of split knowledge. Understand work function (work factor) - Ans Work function, or work factor, is a way to measure the strength of a cryptography system by measuring the effort in terms of cost and/or time to decrypt messages. Usually the time and effort required to perform a complete brute-force attack against an encryption system is what a work function rating represents. The security and protection offered by a cryptosystem is directly proportional to the value of its work function/factor. Understand the importance of key security. - Ans Cryptographic keys provide the necessary element of secrecy to a cryptosystem. Modern cryptosystems utilize keys that are at least 128 bits long to provide adequate security. It's generally agreed that the 56-bit key of the Data Encryption Standard (DES) is no longer sufficiently long to provide security. Be able to explain the basic operational modes of the Data Encryption Standard (DES) and Triple DES (3DES) - Ans The Data Encryption Standard operates in five modes: Electronic Code Book (ECB) mode, Cipher Block Chaining (CBC) mode, Cipher Feedback (CFB) mode, Output Feedback (OFB) mode, and Counter (CTR) mode. ECB mode is considered the least secure and is used only for short messages. 3DES uses three iterations of DES with two or three different keys to increase the effective key strength to 112 or 168 bits, respectively. Know the Advanced Encryption Standard (AES) - Ans The Advanced Encryption Standard (AES) uses the Rijndael algorithm and is the U.S. government standard for the secure exchange of sensitive but unclassified data. AES uses key lengths of 128, 192, and 256 bits and a fixed block size of 128 bits to achieve a much higher level of security than that provided by the older DES algorithm. What is the major hurdle preventing the widespread adoption of one-time pad cryptosystems to ensure data confidentiality? - Ans The major obstacle to the widespread adoption of onetime pad cryptosystems is the difficulty in creating and distributing the very lengthy keys on which the algorithm depends. Encrypt the message "I will pass the CISSP exam and become certified next month" using columnar transposition with the keyword SECURE. - Ans The first step in encrypting this message requires the assignment of numeric column values to the letters of the secret keyword: S E C U R E 5 2 1 6 4 3 Next, the letters of the message are written in order underneath the letters of the keyword: S E C U R E 5 2 1 6 4 3 I W I L L P A S S T H E C I S S P E X A M A N D B E C O M E C E R T I F I E D N E X T M O N T H Finally, the sender enciphers the message by reading down each column; the order in which the columns are read corresponds to the numbers assigned in the first step. This produces the following ciphertext: I S S M C R D O W S I A E E E M P E E D E F X H L H P N M I E T I A C X B C I T L T S A O T N N Decrypt the message "F R Q J U D W X O D W L R Q V B R X J R W L W" using the Caesar ROT3 substitution cipher. - Ans This message is decrypted by using the following function: P = (C - 3) mod 26 C: F R Q J U D W X O D W L R Q V B R X J R W L W P: C O N G R A T U L A T I O N S Y O U G O T I T The hidden message is "Congratulations You Got It." Congratulations, you got it! When encryption happens at the higher OSI layers, it is usually end-to-end encryption, and if encryption is done at the lower layers of the OSI model, it is usually link encryption. - Ans Understand the key types used in asymmetric cryptography. - Ans Public keys are freely shared among communicating parties, whereas private keys are kept secret. To encrypt a message, use the recipient's public key. To decrypt a message, use your own private key. To sign a message, use your own private key. To validate a signature, use the sender's public key Be familiar with the three major public key cryptosystems. - Ans RSA is the most famous public key cryptosystem; it was developed by Rivest, Shamir, and Adleman in 1977. It depends on the difficulty of factoring the product of prime numbers. El Gamal is an extension of the Diffie-Hellman key exchange algorithm that depends on modular arithmetic. The elliptic curve algorithm depends on the elliptic curve discrete logarithm problem and provides more security than other algorithms when both are used with keys of the same length. Know the fundamental requirements of a hash function. - Ans Good hash functions have five requirements. They must allow input of any length, provide fixed-length output, make it relatively easy to compute the hash function for any input, provide one-way functionality, and be collision free. Be familiar with the major hashing algorithms. - Ans The successors to the Secure Hash Algorithm (SHA), SHA-1 and SHA-2, make up the government standard message digest function. SHA-1 produces a 160-bit message digest whereas SHA-2 supports variable lengths, ranging up to 512 bits. SHA-3 improves upon the security of SHA-2 and supports the same hash lengths. Know how cryptographic salts improve the security of password hashing. - Ans When straightforward hashing is used to store passwords in a password file, attackers may use rainbow tables of precomputed values to identify commonly used passwords. Adding salts to the passwords before hashing them reduces the effectiveness of rainbow table attacks. Common password hashing algorithms that use key stretching to further increase the difficulty of attack include PBKDF2, bcrypt, and scrypt. Understand how digital signatures are generated and verified. - Ans To digitally sign a message, first use a hashing function to generate a message digest. Then encrypt the digest with your private key. To verify the digital signature on a message, decrypt the signature with the sender's public key and then compare the message digest to one you generate yourself. If they match, the message is authentic. Know the components of the Digital Signature Standard (DSS). - Ans The Digital Signature Standard uses the SHA-1, SHA-2, and SHA-3 message digest functions along with one of three encryption algorithms: the Digital Signature Algorithm (DSA); the Rivest, Shamir, Adleman (RSA) algorithm; or the Elliptic Curve DSA (ECDSA) algorithm. Understand the public key infrastructure (PKI) - Ans In the public key infrastructure, certificate authorities (CAs) generate digital certificates containing the public keys of hash - Ans is a transformation of data into distilled forms that are unique to the data. This is a one-way function—it's easy to do and nearly impossible to undo. digital signature - Ans can be attached to an electronically transmitted message that uniquely identifies the sender. The purpose of a digital signature is to guarantee that the individual sending the message really is who he or she claims to be. X.509 is a widely used standard for defining digital certificates. X.509 certificates attach a person's identity to a pair (or pairs) of cryptographic keys. Secure Hash Algorithm (SHA) - Ans creates a fixed-length message digest from a variable-length input message. The input to a hash function is called the message, and the output is called the message digest or hash value. The digest often serves as a condensed representation of the message. cryptosystems - Ans Hashing functions (SHA-1 and SHA-3) Block ciphers (DES, 3DES, and AES) Implementations of RSA Public-Private Key (PPK) Hashing Functions - Ans Secure Hashing Algorithm (SHA) variants are the most common forms of hashing functions you'll encounter with most commercial software Block Ciphers - Ans Block ciphers (DES, 3DES, and AES) ES uses a 56-bit (7 bytes plus a checksum byte) key, which is considered weak today. Triple DES uses a 112-bit (14 bytes plus 2 checksum bytes) key, and AES uses a variable-length key (256 bits, 512 bits, and so on). Block ciphers are important for encrypting/decrypting data in bulk, such as files or batches of data. They're also useful for encrypting data in storage systems to prevent unauthorized access. Block ciphers can be used to encrypt data fields (attributes) in records and tables, entire records of data, or entire files or database tables. Implementations of RSA Public-Private Key (PPK) - Ans Public-private key cryptography has found its way into numerous implementations intended to better secure Internet communications and prove identities, including these systems: Secure Sockets Layer (SSL) Transport Layer Security (TLS) Pretty Good Privacy (PGP) Secure Multipurpose Internet Mail Extensions (S/MIME) Secure Electronic Transactions (SET) Secure Sockets Layer (SSL) - Ans a standard security technology for establishing an encrypted link between a web server and a browser, ensuring that all data passed between them remain private Transport Layer Security (TLS) - Ans a cryptographic protocol that ensures data security and integrity over public networks, such as the Internet Pretty Good Privacy (PGP) - Ans is an encryption program that provides cryptographic privacy and authentication for data communication. PGP supports message authentication and integrity checking. The sender uses PGP to create a digital signature for the message with either the RSA or DSA algorithms. PGP computes a hash called a message digest from the plaintext and then creates the digital signature from that hash using the sender's private key. A web of trust in cryptography is a concept used in PGP. The compatible system establishes the authenticity of the binding between a public key and its owner. Secure/Multipurpose Internet Mail Extensions (S/MIME) - Ans offers another standard for electronic mail encryption and digital signatures. S/MIME, along with a version of PGP called Open PGP, were implemented in the original Netscape Communications Corporation web browsers. Unfortunately, the dual electronic mail encryption standards created problems with users. Secure Electronic Transactions (SET) - Ans as developed in 1997 to provide protection from electronic payment fraud. SET uses Data Encryption Standard (DES) to encrypt credit card information transfers and RSA for key exchange. SET provides the security for both internet-based credit card transactions and credit card swipe systems in retail stores. Cryptography relies on two basic methods: - Ans transposition and substitution. With transposition, ciphertext is created by scrambling a message based on a shared secret key. In substitution, letters are exchanged with other letters based on a substitution pattern known to both sender and receiver. Cloud computing - Ans is the popular term referring to a concept of computing where processing and storage are performed elsewhere over a network connection rather than locally. type I hypervisor - Ans is a native or bare-metal hypervisor. In this configuration, there is no host OS; instead, the hypervisor installs directly onto the hardware where the host OS would normally reside. Type 1 hypervisors are often used to support server virtualization. This allows for maximization of the hardware resources while eliminating any risks or resource reduction caused by a host OS. type II hypervisor - Ans is a hosted hypervisor. In this configuration, a standard regular OS is present on the hardware, and then the hypervisor is installed as another software application. Type II hypervisors are often used in relation to desktop deployments, where the guest OSs offer safe sandbox areas to test new code, allow the execution of legacy applications, support apps from alternate OSs, and provide the user with access to the capabilities of a host OS. Platform as a service (PaaS) - Ans s the concept of providing a computing platform and software solution stack as a virtual or cloud-based service. Essentially, this type of cloud solution provides all the aspects of a platform (that is, the operating system and complete solution package). The primary attraction of PaaS is the avoidance of having to purchase and maintain high-end hardware and software locally. Software as a service(SaaS) - Ans is a derivative of PaaS. SaaS provides on-demand online access to specific software applications or suites without the need for local installation. In many cases, there are few local hardware and OS limitations. SaaS can be implemented as a subscription service (for example, Microsoft Office 365), a pay-as- you-go service, or a free service (for example, Google Docs). Infrastructure as a service(IaaS) - Ans takes the PaaS model yet another step forward and provides not just on-demand operating solutions but complete outsourcing options. This can include utility or metered computing services, administrative task automation, dynamic scaling, virtualization services, policy implementation and management services, and managed/filtered internet connectivity. Ultimately, IaaS allows an enterprise to scale up new software or data-based services/solutions through cloud systems quickly and without having to install massive hardware locally. cloud access security broker (CASB) - Ans is a security policy enforcement solution that may be installed on-premises, or it may be cloud-based. The goal of a CASB is to enforce and ensure that proper security measures are implemented between a cloud solution and a customer organization. Security as a service (SECaaS) - Ans is a cloud provider concept in which security is provided to an organization through or by an online entity. The purpose of SECaaS solutions are to reduce the cost and overhead of implementing and managing security locally. SECaaS often implements software-only security components that do not need dedicated on-premises hardware. SECaaS security components can include a wide range of security products, including authentication, authorization, auditing/accounting, anti-malware, intrusion detection, compliance and vulnerability scanning, penetration testing, and security event management. cloud shared responsibility model - Ans is the concept that when an organization uses a cloud solution, there is a division of security and stability responsibility between the provider and the customer. The different forms of cloud service (such as SaaS, PaaS, and IaaS) may each have different levels or division points of shared responsibility. A SaaS solution places most of the management burden on the shoulders of the cloud technologies, such as X.25, Frame Relay, ATM, SMDS, SDH, and SONET. Some WAN connection technologies require additional specialized protocols to support various types of specialized systems or devices. Understand the differences between PPP and SLIP. - Ans The Point-to-Point Protocol (PPP) is an encapsulation protocol designed to support the transmission of IP traffic over dial-up or point-to-point links. PPP includes a wide range of communication services, including assignment and management of IP addresses, management of synchronous communications, standardized encapsulation, multiplexing, link configuration, link quality testing, error detection, and feature or option negotiation (such as compression). PPP was originally designed to support CHAP and PAP for authentication. However, recent versions of PPP also support MS-CHAP, EAP, and SPAP. PPP replaced Serial Line Internet Protocol (SLIP). SLIP offered no authentication, supported only half-duplex communications, had no error-detection capabilities, and required manual link establishment and teardown. Understand common characteristics of security controls. - Ans Security controls should be transparent to users. Hash totals and CRC checks can be used to verify message integrity. Record sequences are used to ensure sequence integrity of a transmission. Transmission logging helps detect communication abuses. Understand how email security works - Ans Internet email is based on SMTP, POP3, and IMAP. It is inherently insecure. It can be secured, but the methods used must be addressed in a security policy. Email security solutions include using S/MIME, MOSS, PEM, or PGP. Know how fax security works - Ans Fax security is primarily based on using encrypted transmissions or encrypted communication lines to protect the faxed materials. The primary goal is to prevent interception. Activity logs and exception reports can be used to detect anomalies in fax activity that could be symptoms of attack. Know the threats associated with PBX systems and the countermeasures to PBX fraud - Ans Countermeasures to PBX fraud and abuse include many of the same precautions you would employ to protect a typical computer network: logical or technical controls, administrative controls, and physical controls. Understand the security issues related to VoIP - Ans VoIP is at risk for caller ID spoofing, vishing, SPIT, call manager software/firmware attacks, phone hardware attacks, DoS, MitM, spoofing, and switch hopping. Recognize what a phreaker is - Ans Phreaking is a specific type of attack in which various types of technology are used to circumvent the telephone system to make free long-distance calls, to alter the function of telephone service, to steal specialized services, or even to cause service disruptions. Common tools of phreakers include black, red, blue, and white boxes. Understand voice communications security - Ans Voice communications are vulnerable to many attacks, especially as voice communications become an important part of network services. You can obtain confidentiality by using encrypted communications. Countermeasures must be deployed to protect against interception, eavesdropping, tapping, and other types of exploitation. Be familiar with voice communication topics, such as POTS, PSTN, PBX, and VoIP. Be able to explain what social engineering is - Ans Social engineering is a means by which an unknown person gains the trust of someone inside your organization by convincing employees that they are, for example, associated with upper management, technical support, or the help desk. The victim is often encouraged to make a change to their user account on the system, such as reset their password, so the attacker can use it to gain access to the network. The primary countermeasure for this sort of attack is user training. Explain the concept of security boundaries - Ans A security boundary can be the division between one secured area and another secured area. It can also be the division between a secured area and an unsecured area. Both must be addressed in a security policy. Understand the various network attacks and countermeasures associated with communications security - Ans Communication systems are vulnerable to many attacks, including distributed denial of service (DDoS), eavesdropping, impersonation, replay, modification, spoofing, and ARP and DNS attacks. Be able to supply effective countermeasures for each. Describe the differences between transport mode and tunnel mode of IPsec. - Ans IPsec's transport mode is used for host-to-host links and encrypts only the payload, not the header. IPsec's tunnel mode is used for host-to-LAN and LAN-to-LAN links and encrypts the entire original payload and header and then adds a link header Discuss the benefits of NAT - Ans Network Address Translation (NAT) allows for the identity of internal systems to be hidden from external entities. Often NAT is used to translate between RFC 1918 private IP addresses and leased public addresses. NAT serves as a one-way firewall because it allows only inbound traffic that is a response to a previous internal query. NAT also allows a few leased public addresses to be used to grant internet connectivity to a larger number of internal systems. What are the main differences between circuit switching and packet switching? - Ans Circuit switching is usually associated with physical connections. The link itself is physically established and then dismantled for the communication. Circuit switching offers known fixed delays, supports constant traffic, is connection oriented, is sensitive only to the loss of the connection rather than the communication, and was most often used for voice transmissions. Packet switching is usually associated with logical connections because the link is just a logically defined path among possible paths. Within a packetswitching system, each system or link can be employed simultaneously by other circuits. Packet switching divides the communication into segments, and each segment traverses the circuit to the destination. Packet switching has variable delays because each segment could take a unique path, is usually employed for bursty traffic, is not physically connection oriented but often uses virtual circuits, is sensitive to the loss of data, and is used for any form of communication. What are some security issues with email and options for safeguarding against them? - Ans Email is inherently insecure because it is primarily a plaintext communication medium and employs non-encrypted transmission protocols. This allows for email to be easily spoofed, spammed, flooded, eavesdropped on, interfered with, and hijacked. Defenses against these issues primarily include having stronger authentication requirements and using encryption to protect the content while in transit. OSI Data Flow Layers - Ans Presentation Layer (Layer 6) - Ans translates or "presents" data to the Application Layer. Data encryption and decryption occur in this layer along with data translation. Whenever you view a photograph in JPEG format on the Internet, watch a video someone has sent you in MPEG format, or listen to an MP3 file , you are interacting with OSI Presentation Layer protocol services. TCP/IP mapped to the OSI model - Ans ISO Security Services - Ans six security services to protect networks from attack Authentication: Access to documents can be restricted in one of two ways: by asking for a username and password or by using the hostname of the browser. The former, referred to as user authentication, requires creating a file of user IDs and passwords (an access control list—see Lesson 5, "Security Architecture and Design") and defining critical resources (such as files and documents) to the server. Access control: Unlike authentication, which is security based on the user's identity, restricting access based on something other than identity is called access control. "Allow and deny" directives allow or deny access to network services based on hostname or address (see Lesson 5). Data confidentiality: This service protects data against unauthorized disclosure and has two components: content confidentiality and message flow confidentiality. The former protects the plain-text message from unauthorized disclosure; the latter allows the originating network to conceal the path or route that the message followed on its way to the recipient. Message flow confidentiality is useful in preventing an attacker from obtaining information from observing the message. Data integrity: The goal is to protect data from accidental or malicious modification, whether during data transfer, during data storage, or from an operation performed on it, and to preserve it for its intended use. What is the main purpose of a primary key in a database table? - Ans The primary key uniquely identifies each row in the table. For example, an employee identification number might be the primary key for a table containing information about employees What is polyinstantiation? - Ans Polyinstantiation is a database security technique that appears to permit the insertion of multiple rows sharing the same uniquely identifying information. Explain the difference between static and dynamic analysis of application code. - Ans Static analysis performs assessment of the code itself, analyzing the sequence of instructions for security flaws. Dynamic analysis tests the code in a live production environment, searching for runtime flaws. How far backward does the waterfall model allow developers to travel when a development flaw is discovered? - Ans One phase Understand the propagation techniques used by viruses - Ans Viruses use four main propagation techniques—file infection, service injection, boot sector infection, and macro infection—to penetrate systems and spread their malicious payloads. You need to understand these techniques to effectively protect systems on your network from malicious code Know how antivirus software packages detect known viruses - Ans Most antivirus programs use signature-based detection algorithms to look for telltale patterns of known viruses. This makes it essential to periodically update virus definition files in order to maintain protection against newly authored viruses as they emerge. Behavior-based detection is also becoming increasingly common, with antivirus software monitoring target systems for unusual activity and either blocking it or flagging it for investigation, even if the software does not match a known malware signature. Explain the techniques that attackers use to compromise password security - Ans Passwords are the most common access control mechanism in use today, and it is essential that you understand how to protect against attackers who seek to undermine their security. Know how password crackers, dictionary attacks, and social engineering attacks, such as phishing, can be used to defeat password security. Be familiar with the various types of application attacks attackers use to exploit poorly written software - Ans Application attacks are one of the greatest threats to modern computing. Attackers exploit buffer overflows, back doors, time-of-check-to-time-of-use vulnerabilities, and rootkits to gain illegitimate access to a system. Security professionals must have a clear understanding of each of these attacks and associated countermeasures Understand common web application vulnerabilities and countermeasures - Ans As many applications move to the web, developers and security professionals must understand the new types of attacks that exist in this environment and how to protect against them. The two most common examples are cross-site scripting (XSS) and SQL injection attacks. Know the network reconnaissance techniques used by attackers preparing to attack a network - Ans Before launching an attack, attackers use IP sweeps to search out active hosts on a network. These hosts are then subjected to port scans and other vulnerability probes to locate weak spots that might be attacked in an attempt to compromise the network. You should understand these attacks to help protect your network against them, limiting the amount of information attackers may glean. What is the major difference between a virus and a worm? - Ans Viruses and worms both travel from system to system attempting to deliver their malicious payloads to as many machines as possible. However, viruses require some sort of human intervention, such as sharing a file, network resource, or email message, to propagate. Worms, on the other hand, seek out vulnerabilities and spread from system to system under their own power, thereby greatly magnifying their reproductive capability, especially in a well- connected network. Explain how an attacker might construct a rainbow table. - Ans To construct a rainbow table, the attacker follows this process: a. Obtain or develop a list of commonly used passwords. b. Determine the hashing function used by the password mechanism. c. Compute the hash value of each password on the commonly used list and store it with the password. The result of this operation is the rainbow table. What are the actions an antivirus software package might take when it discovers an infected file? - Ans If possible, antivirus software may try to disinfect an infected file, removing the virus's malicious code. If that fails, it might either quarantine the file for manual review or automatically delete it to prevent further infection. Explain how a data integrity assurance package like Tripwire provides some secondary virus detection capabilities. - Ans Data integrity assurance packages like Tripwire compute hash values for each file stored on a protected system. If a file infector virus strikes the system, this would result in a change in the affected file's hash value and would, therefore, trigger a file integrity alert software development life cycle (SDLC) - Ans is an outline of tasks performed at each step in the software development process. SDLC is a structure followed by a development team with a detailed plan describing how to develop, maintain, and replace specific software. Open Web Application Security Project (OWASP) - Ans has the goal of improving security for software applications and products. It is a community project with different types of initiatives such as incubator projects, laboratory projects, and flagship projects intended to evolve the software process. It is also an organization that provides unbiased, practical, and cost-effective information about computer and internet applications. Open Software Assurance Maturity Model (OpenSAMM) - Ans is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. OpenSAMM offers a roadmap and well-defined maturity model for secure software development and deployment, along with useful tools for self-assessment and planning. Building Security in Maturity Model (BSIMM) - Ans is designed to help you understand, measure, and plan a software security initiative. It was created through a process of understanding and analyzing real-world data from nine leading software security initiatives; it was then validated and adjusted with data from 21 additional leading software security initiatives. is a benchmarking tool that gives you an objective, data-driven view into your current software security initiative. Botnets - Ans Botnets are quite common today. The computers in a botnet are like robots (referred to as bots and sometimes zombies). Multiple bots in a network form a botnet and will do whatever attackers instruct them to do. A bot herder is typically a criminal who controls all the computers in the botnet via one or more command-and- control servers zero-day exploit - Ans refers to an attack on a system exploiting a vulnerability that is unknown to others. However, security professionals use the term in different contexts and it has some minor differences based on the context. man-in-the-middle (MITM) - Ans attack occurs when a malicious user can gain a position logically between the two endpoints of an ongoing communication. There are two types of man-in-the-middle attacks. One involves copying or sniffing the traffic between two parties, which is basically a sniffer attack as described in Lesson 14. The other type involves attackers positioning themselves in the line of communication where they act as a store-and-forward or proxy mechanism security information and event management (SIEM) - Ans also collects data from many other sources within the network. It provides real-time monitoring of traffic and analysis and notification of potential attacks. Additionally, it provides long-term storage of data, allowing security professionals to analyze the data. host-based IDS (HIDS) - Ans monitors a single computer or host network-based IDS (NIDS) - Ans monitors a network by observing network traffic patterns. Pseudo flaws - Ans are false vulnerabilities or apparent loopholes intentionally implanted in a system in an attempt to tempt attackers. They are often used on honeypot systems to emulate well-known operating system vulnerabilities. It's important to remember that penetration tests should not be done without express consent and knowledge from management. Additionally, since penetration tests can result in damage, they should be done on isolated systems whenever possible. You should also recognize the differences between black-box testing (zero knowledge), white-box testing (full knowledge), and gray-box testing (partial knowledge). Know the types of log files - Ans Log data is recorded in databases and different types of log files. Common log files include security logs, system logs, application logs, firewall logs, proxy logs, and change management logs. Logs files should be protected by centrally storing them and using permissions to restrict access, and archived logs should be set to read-only to prevent modifications. Understand monitoring and uses of monitoring tools - Ans Monitoring is a form of auditing that focuses on active review of the log file data. Monitoring is used to hold subjects accountable for their actions and to detect abnormal or malicious activities. It is also used to monitor system performance. Monitoring tools such as IDSs or SIEMs automate monitoring and provide real-time analysis of events. Understand audit trails - Ans Audit trails are the records created by recording information about events and occurrences into one or more databases or log files. They are used to reconstruct an event, to extract information about an incident, and to prove or disprove culpability. Using audit trails is a passive form of detective security control, and audit trails are essential evidence in the prosecution of criminals. Understand sampling - Ans Sampling, or data extraction, is the process of extracting elements from a large body of data to construct a meaningful representation or summary of the whole. Statistical sampling uses precise mathematical functions to extract meaningful information from a large volume of data. Clipping is a form of nonstatistical sampling that records only events that exceed a threshold. Understand how to maintain accountability - Ans Accountability is maintained for individual subjects through the use of auditing. Logs record user activities and users can be held accountable for their logged actions. This directly promotes good user behavior and compliance with the organization's security policy. Understand the importance of security audits and reviews - Ans Security audits and reviews help ensure that management programs are effective and being followed. They are commonly associated with account management practices to prevent violations with least privilege or need-to-know principles. However, they can also be performed to oversee patch management, vulnerability management, change management, and configuration management programs. Understand auditing and the need for frequent security audits - Ans Auditing is a methodical examination or review of an environment to ensure compliance with regulations and to detect abnormalities, unauthorized occurrences, or outright crimes. Secure IT environments rely heavily on auditing. Overall, auditing serves as a primary type of detective control used within a secure environment. The frequency of an IT infrastructure security audit or security review is based on risk. An organization determines whether sufficient risk exists to warrant the expense and interruption of a security audit. The degree of risk also affects how often an audit is performed. It is important to clearly define and adhere to the frequency of audit reviews. Understand that auditing is an aspect of due care - Ans Security audits and effectiveness reviews are key elements in displaying due care. Senior management must enforce compliance with regular periodic security reviews, or they will likely be held accountable and liable for any asset losses that occur. Understand the need to control access to audit reports - Ans Audit reports typically address common concepts such as the purpose of the audit, the scope of the audit, and the results discovered or revealed by the audit. They often include other details specific to the environment and can include sensitive information such as problems, standards, causes, and recommendations. Audit reports that include sensitive information should be assigned a classification label and handled appropriately. Only people with sufficient privilege should have access to them. An audit report can be prepared in various versions for different target audiences to include only the details needed by a specific audience. For example, senior security administrators might have a report with all the relevant details, whereas a report for executives would provide only high-level information. Understand access review and user entitlement audits - Ans An access review audit ensures that object access and account management practices support the security policy. User entitlement audits ensure that the principle of least privilege is followed and often focus on privileged accounts. Audit access controls - Ans Regular reviews and audits of access control processes help assess the effectiveness of access controls. For example, auditing can track logon success and failure of any account. An intrusion detection system can monitor these logs and easily identify attacks and notify administrators. List the different phases of incident response identified in the CISSP Security Operations domain. - Ans Incident response steps listed in the CISSP Security Operations domain are detection, response, mitigation, reporting, recovery, remediation, and lessons learned. Describe the primary types of intrusion detection systems. - Ans Intrusion detection systems can be described as host based or network based, based on their detection methods (knowledge based or behavior based), and based on their responses (passive or active). Host-based IDSs examine events on individual computers in great detail, including file activities, accesses, and processes. Network-based IDSs examine general network events and anomalies through traffic evaluation. A knowledge-based IDS uses a database of known attacks to detect intrusions. A behavior-based IDS starts with a baseline of normal activity and measures network activity against the baseline to identify abnormal activity. A passive response will log the activity and often provide a notification. An active response directly responds to the intrusion to stop or block the attack. Describe the relationship between auditing and audit trails. - Ans Auditing is a methodical examination or review of an environment and encompasses a wide variety of activities to ensure compliance with regulations and to detect abnormalities, unauthorized occurrences, or outright crimes. Audit trails provide the data that supports such examination or review and essentially are what make auditing and subsequent detection of attacks and misbehavior possible. What should an organization do to verify that accounts are managed properly? - Ans Organizations should regularly perform access reviews and audits. These can detect when an organization is not following its own policies and procedures related to account management. They can be performed manually or using automation techniques available in some identity and access management (IAM) systems