Certified Information Systems Security Professional (CISSP) Notes.docx, Exams of Biology

Typology: Exams

2024/2025

Available from 11/02/2024

tutor-lee-1

Certified Information Systems Security Professional (CISSP) Notes

What is the ISC2 Code of Ethics Preamble? - answer
  • The safety and welfare of society and the common good, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
  • Therefore, strict adherence to this code is a condition of certification.

What is the first canon of the Code of Ethics? - answer Protect society, the common good, necessary public trust and confidence, and the infrastructure.

What is the second canon of the Code of Ethics? - answer Act honorably, honestly, justly, responsibly, and legally.

What is the third canon of the Code of Ethics? - answer Provide diligent and competent service to principals.

What is the fourth and final canon of the Code of Ethics? - answer Advance and protect the profession.

What are some mechanisms of Confidentiality? - answer
  • Confidentiality measures the attacker's ability to get unauthorized data or access to information from an application or system.
  • Involves using techniques, often cryptography, to allow only approved users the ability to view sensitive information.
  • Confidential information can include passwords, cryptographic keys, personally identifiable information (PII), personal health information (PHI), intellectual property (IP), or other secret or top-secret information.

What are some High-level Confidentiality controls? - answer
  • Uses hybrid encryption involving combinations of symmetric and asymmetric cryptosystems.
  • Employs advanced post-quantum and homomorphic cryptosystems.
  • Combines secure compartmentalization with the most recent modes of encryption available.

What are some mechanisms of Integrity? - answer
  • Integrity measures an attacker's ability to manipulate, change, or remove data at rest and data in transit.
  • Involves implementation controls that make certain only authorized subjects can change sensitive information.
  • Might also include affirming the identity of a communication peer (origin authentication).
  • Examples of integrity violations would be injection or hijacking attacks on data in transit, modifying files, changing access control lists, and DNS or ARP cache poisoning.

What are some High-level Integrity goals and controls? - answer The advanced goals of the Clark-Wilson model are:
  • Can distribute through CDN services into metro areas.

What is the opposite of the C.I.A. security triad? - answer D.A.D.
  • Disclosure is the unauthorized revealing of data and information.
  • Alteration is the unauthorized change or modification of data or systems.
  • Destruction involves rendering an entity inaccessible - can also add the element of lack of durability in some scenarios.

What are the 3 additions to the CIA triad (according to the Parkerian Hexad)? - answer
  • Authenticity - Refers to the accuracy and identity of the origin of the entity or the information.
  • Utility - While an asset, such as data, would be confidential, controlled, integral, authentic, and available - it is not always useful or valuable in form.
  • Possession - An attacker takes possession or control of a physical or logical asset - may still retain confidentiality.

What are some elements of High-level Authenticity? - answer
  • Origin authentication is a basic form of authentication, as it only provides a degree of confidence that the correct password, passphrase, or private/secret key was used.
  • Additional levels of authentication rely on trusted third parties and certificates, digital signatures, and multi-factors, like biometrics.
  • A new trend is Knowledge-Based Authentication (KBA).

What is Non-Repudiation? - answer
  • The inability to refuse participation in a digital transaction, contract, or communication (S/MIME).
  • This is often accomplished with cryptosystems using a public/private key.
  • The owner/creator of the private key must protect the key.
  • The owner/creator of the private key must notify a trusted third party when the key is lost, stolen, or compromised.
  • FOR THE SAKE OF THE EXAM, REMEMBER THAT NON-REPUDIATION (in the context of information assurance) IS USUALLY ACCOMPLISHED USING DIGITALLY SIGNED CERTIFICATES.

What are the seven layers of the OSI Reference model and their descriptions? - answer
  1. Physical - Specifies connectors, data rates, and encoding bits. - binary transmission, voltages
  2. Data-Link - Communication across a single link, including media access control. - two sublayers - PPP/SLIP, ethernet, frame relay, ATM
  3. Network (or Internetwork) - Facilitate multi-hop communications across potentially different link networks. - IP, IPX, ICMP, ARP, BGP, OSPF
  4. Transport - Connecting multiple programs on same system. - TCP, UDP, SPX, AppleTalk
  5. Session - To accommodate multiple session connections. - SSL/TLS, SQL, RPC, NFS
  6. Presentation - Expressing and translating data formats. - ASCII, PNG, MPEG, AVI, MIDI

What is Least Privilege? - answer
  • An aspect of AAA and IAM where the subject has just the proper level or amount of permissions and rights to perform the job role or responsibility and nothing more.
  • Should be built into all access control architectures.
  • Any deviation (escalation or elevation), if allowed, should go through an established change control IT service or service desk implementation.
  • Also referred to as "need to know" or staying within one's "pay grade" or classification level.

What are some elements of NIST SP 800-53 Least Privilege implementation? - answer
  • Authorize access to all security functions.
  • Use non-privileged accounts or roles when accessing non-security functions.
  • Prevent non-privileged users from executing privileged functions.
  • Audit the execution of secure functions.

What are some elements that should be monitored in ISO/IEC 27001 Least Privilege implementation? - answer
  • Access to networks and network services.
  • Management of privileged access rights.
  • Use of privileged utility programs.
  • Access control to program source code.

What are some elements of Defense in Depth (DiD)? - answer
  • Also referred to as "Layered Defense".
  • Using the least privilege and DiD principles is a function of "due care".
  • Should be systematically planned and designed with an outward-in or inward-out approach.
  • Can be applied to physical security or technical controls.
  • DiD is a common element of supply chain risk management (SCRM).

What are some elements of Layered Security? - answer
  • End-to-end layered security with several components.
  • Can be a single appliance with multiple integrated engines.
  • Can be physical or logical (virtual).
  • Applies to networks, applications, and physical.

What are some elements of Separation of Duties (SoD)? - answer
  • Also referred to as "segregation of duties".
  • A principle where more than one entity is required to complete a particular task, such as a separate Backup Operators group and a Data Restoration group.
  • Rollback to secure state
  • Check return values and conditional code/filters for failure defaults
  • Ensure that even with loss of availability, confidentiality and integrity remain

What is a Fail Open Firewall? - answer If there is a component failure or system crash of a firewall or IPS sensor, the traffic is still allowed to flow from the ingress interface to the egress interface in order to prevent inconvenience to users or productivity of data flows.

What is a Fail Closed Firewall? - answer If there is a component failure or system crash of a firewall or IPS sensor, the traffic is NOT allowed to flow from the ingress interface to the egress interface in order to prevent an attacker from launching an exploit by forcing a failure.

Which principle states that users and programs should only have the necessary rights to complete their tasks and nothing more? - answer Least privilege

Which term describes a scenario where systems or software design considerations assume that the application is natively secure without any modifications or extra controls? - answer Security by default

What is another term for the principle of defense in depth? - answer Layered security

In the NIST Privacy Framework, which element provides an increasingly granular set of activities and outcomes that enable an organizational dialogue about managing privacy risk? - answer Core

Which security principle also includes activities such as dual operator and duty rotation, where two or more subjects are needed to perform actions in various circumstances? - answer Separation of duties

Which term describes a policy in which traffic is not allowed to flow from the ingress interface to the egress interface in the event of a component failure of a firewall? - answer Fail closed

Which security principle is often implemented by using advanced verification in the form of more stringent multi-factors such as biometric authentication? - answer Trust but verify

What principle assumes there is no implicit trust given to subjects based merely on their physical or network location? - answer Zero trust

Which password would likely take the longest to crack with a brute force attack? - answer Aspirin.Context.Dolphin

What is defined as observing a rule, such as a policy, standard, specification, or law? - answer Compliance

What would most likely be an activity of due care? - answer Performing the necessary patch management to keep a system or application available and secure

What are some internal influences to consider when aligning security with business strategy? - answer Stakeholders, Functional or projectized, Value propositions, and Management structure

Organizations will face cyber threats in three main areas. Which statement best describes deterioration? - answer Advances in smart technology will negatively impact the enterprise's ability to control information.

Which statement best describes a data or asset custodian? - answer Maintains the assets from a technical perspective, such as securing CIA

In an information security policy lifecycle, which of these critical success factors means the policy can accommodate change and be adapted if necessary? - answer Flexible

What is an inventory strategy used to increase efficiency and decrease waste by acquiring goods only as needed in the production process? - answer JIT

Which data type is the least mature and most difficult to protect due to overhead from encryption/decryption? - answer Data in use

You have restricted subjects and objects based on a mandatory access control model. What attribute have you used to establish an asset classification level? - answer Architecture

What asset and data role is the keeper of the object from a technical perspective so that CIA is maintained? - answer Custodian

Which phase of the data lifecycle is concerned with the residual risk from data, metadata, and artifacts that are left over after a software deletion process? - answer Remanence

What is the best and most common destruction technique for microfilm (microfiche), laser discs, and document imaging applications? - answer Pulverizing

What system plays a critical role in several IT management initiatives such as IT Service Management (ITSM) and IT Asset Management (ITAM) by storing metadata and modifications to items? - answer CMDB

You have configured a network access control list to protect traffic coming into your virtual network at a popular cloud provider. Which type of control is this? - answer Technical

What is the standardized language developed by MITRE (in a collaborative way) to represent structured information about cyber threats? - answer STIX

At what defense-in-depth layer would you deploy data loss prevention, HIPS, and patch management? - answer Endpoint security

In which phase of the data lifecycle would you apply the Do and Check activities of the PDCA model? - answer Information

What is a set of services and tools that allows organizations to simplify security operations in threat management, incident response, and security operations automation? - answer SOAR

Your company's facility is built in a 100-year flood zone so your executive management decides not to get flood insurance. What type of risk treatment is this? - answer Acceptance

Your SOC needs a risk management tool to use for a security audit. What is a unique, open-source threat modeling method focused on enhancing the security auditing process from a cyber risk management perspective? - answer TRIKE

Which security framework offers the Cloud Control Matrix to ensure handling of requirements stemming from new technologies and controls? - answer CSA

Which formal system evaluation methodology is performed with a full Security Test and Evaluation (ST&E) as part of an official security authorization? - answer SCA

What security management model is needed due to the many risks that exist because vendors' employees can introduce cybersecurity vulnerabilities with hardware, software, and services? - answer SCRM

Which model handles the access decisions of subjects based on organization charts, responsibilities, or geographic location? - answer Role-based

What access control model seeks to imitate real world decision making while also considering operational needs and vulnerability with every access control decision? - answer Risk-based

What access model uses integrity verification procedures that run periodically to check the consistency of the integrity rules in the system? - answer Clark-Wilson

In which access model is the owner of an object most likely to have some control over permissions and sharing? - answer Discretionary

Which of these MAC models is a confidentiality model? - answer Bell-LaPadula

Which form of access model is often used with infrastructure ACLs on routers and firewall devices? - answer Rule-based

Which of these security measures are used to specifically control physical access? - answer Fire suppression, Signage, Bollards, & Safes

What is another term for a Type 1 hypervisor? - answer Native

What access model would you choose if you wanted to make decisions based on weighing rules against the characteristics of the subject's actions and the request environment? - answer Attribute-based

Which type of organization is structured around traditional roles and departments such as Human Resources, IT, Sales, Marketing, and Finance? - answer Functional

Which IdM process involves collecting attributes or digital documents to support a claim of identification for a specific subject to validate the veracity of the claim? - answer Proofing

When provisioning resources using an identity management system, which component offers an accepted origination point or "system of record" for user identity data attributes? - answer Authorized sources

Which of these are common activities of auditing account access? - answer Confirming the deployment of SSO best practices, Reviewing when a user's job requires new access, Assuring the proper removal of terminated users, & Confirming that roles are modified when a user changes jobs

Which authentication and authorization protocol is used with IEEE 802.1X? - answer RADIUS

Which type of SSO attack would involve secret cooperation between a principal and service provider system to launch an attack? - answer Collusion attack

Which is a basic and common identity layer on top of the OAuth 2.0 protocol? - answer OIDC

What takes place when a user gets access to resources and functionality that they are not authorized or generally allowed to access? - answer Privilege escalation

Which of these are valid reasons why a distributed system needs more security measures than a centralized system? - answer Often many users, Distributed control, Multiple sites, & Differentiated data

Which is a distributed computing standard that brings compute services and data storage close to the site commonly used in content delivery networking (CDN)? - answer Edge computing

Which of these is a serious threat where a process running in the guest VM interacts directly with the host OS? - answer VM escape

Which of these are specific physical best security practices for distribution frames and wiring closets? - answer No window access or use security windows with wire mesh, Use hardened management stations and environmental controls, Lock all doors to server rooms and frame rooms, & Cameras can be used along with other types of sensors and access alarms

Which NIST special publication has guidelines for media sanitization? - answer 800-

What are strategically placed physical controls meant to prohibit vehicles from entering certain areas as well as in parking lots or along sidewalks to guide pedestrian traffic? - answer Bollards

On the CISSP exam, what category of control is physical security? - answer Operational

What is an intentional or unintentional sag, slump, or drop in electrical voltage? - answer Brownout

What type of lighting, although slow to turn on, is a preferred outdoor security lighting? - answer Mercury vapor

What is the recommended temperature and humidity respectively for a data center or server room expressed in Fahrenheit? - answer 72 to 76 degrees and 40 to 60%

What are enclosures that block electromagnetic fields emanating from Electric Magnetic Interference (EMI), Carrington events, solar flares, and Electro-magnetic Pulses (EMP)? - answer Faraday cage

What type of fire extinguisher is for electrical equipment and wires using inert gas, dry powders, powdered aerosols, foam, or carbon dioxide? - answer Type C

What term describes the physical separation of the control network and the other networks? - answer Airgap

Which service decouples the physical hardware from the network map in order to support virtualization and allow the data center network to be deployed programmatically? - answer VXLAN

Which infrastructure devices have session level access control for management protocols and Management Frame Protection features? - answer Wireless LAN controllers

Which AWS CDN feature controls who can download content directly from a CloudFront distribution? - answer Private Content Feature