CISSP Notes: Confidentiality, Integrity, Availability, and Authenticity, Exams of Information Systems

A comprehensive overview of key security concepts, including the CIA triad, the Parkerian hexad, and the principles of least privilege, defense in depth, and separation of duties. It also covers the OSI and TCP/IP models, highlighting their layers and functions. Particularly valuable for understanding the principles of confidentiality, integrity, availability, and authenticity in information security.

Typology: Exams

2024/2025

Available from 12/27/2024

doctorate01

Certified Information Systems Security Professional (CISSP) Notes.

What is the ISC2 Code of Ethics Preamble? - Correct Answer
  • The safety and welfare of society and the common good, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
  • Therefore, strict adherence to this code is a condition of certification.

What is the first canon of the Code of Ethics? - Correct Answer Protect society, the common good, necessary public trust and confidence, and the infrastructure.

What is the second canon of the Code of Ethics? - Correct Answer Act honorably, honestly, justly, responsibly, and legally.

What is the third canon of the Code of Ethics? - Correct Answer Provide diligent and competent service to principals.

What is the fourth and final canon of the Code of Ethics? - Correct Answer Advance and protect the profession.

What are some mechanisms of Confidentiality? - Correct Answer
  • Confidentiality measures the attacker's ability to get unauthorized data or access to information from an application or system.
  • Involves using techniques, often cryptography, to allow only approved users the ability to view sensitive information.
  • Confidential information can include passwords, cryptographic keys, personally identifiable information (PII), personal health information (PHI), intellectual property (IP), or other secret or top-secret information.

What are some High-level Confidentiality controls? - Correct Answer
  • Uses hybrid encryption involving combinations of symmetric and asymmetric cryptosystems.
  • Employs advanced post-quantum and homomorphic cryptosystems.
  • Combines secure compartmentalization with the most recent modes of encryption available.

What are some mechanisms of Integrity? - Correct Answer
  • Integrity measures an attacker's ability to manipulate, change, or remove data at rest and data in transit.
  • Involves implementation controls that make certain only authorized subjects can change sensitive information.
  • Might also include affirming the identity of a communication peer (origin authentication).
  • Examples of integrity violations would be injection or hijacking attacks on data in transit, modifying files, changing access control lists, and DNS or ARP cache poisoning.

What are some High-level Integrity goals and controls? - Correct Answer The advanced goals of the Clark-Wilson model are:
  • Prevent unauthorized users from making modifications.
  • Ensure separation of duties prevents authorized users from making improper modifications.
  • Ensure well-formed transactions; maintain internal and external consistency.

What are some mechanisms of Availability? - Correct Answer
  • Availability measures an attacker's ability to disrupt or prevent access to services or data.
  • Controls will protect systems and services from spoofing, flooding, denial-of-service (DDoS), poisoning, and other attacks that negatively affect the ability to deliver data, content, or services.
  • Vulnerabilities that impact availability can affect hardware, software, and network resources, such as flooding network bandwidth, consuming large amounts of memory, CPU cycles, or unnecessary power consumption.

What is an aspect of High-level Availability? - Correct Answer Availability zones of cloud service providers:
  • A new trend is Knowledge-Based Authentication (KBA).

What is Non-Repudiation? - Correct Answer
  • The inability to refuse participation in a digital transaction, contract, or communication (S/MIME).
  • This is often accomplished with cryptosystems using a public/private key.
  • The owner/creator of the private key must protect the key.
  • The owner/creator of the private key must notify a trusted third party when the key is lost, stolen, or compromised.
  • FOR THE SAKE OF THE EXAM, REMEMBER THAT NON-REPUDIATION (in the context of information assurance) IS USUALLY ACCOMPLISHED USING DIGITALLY SIGNED CERTIFICATES.

What are the seven layers of the OSI Reference model and their descriptions? - Correct Answer
  1. Physical - Specifies connectors, data rates, and encoding bits. - binary transmission, voltages
  2. Data-Link - Communication across a single link, including media access control. - two sublayers - PPP/SLIP, Ethernet, Frame Relay, ATM
  3. Network (or Internetwork) - Facilitates multi-hop communications across potentially different link networks. - IP, IPX, ICMP, ARP, BGP, OSPF
  4. Transport - Connecting multiple programs on the same system. - TCP, UDP, SPX, AppleTalk
  5. Session - To accommodate multiple session connections. - SSL/TLS, SQL, RPC, NFS
  6. Presentation - Expressing and translating data formats. - ASCII, PNG, MPEG, AVI, MIDI
  7. Application - To accomplish a networked user task. - HTTP, FTP, SMTP, DNS, TELNET
  (Please Do Not Throw Sausage Pizza Away)

What are the four layers of the TCP/IP Model? What OSI layers does each TCP/IP layer consist of? - Correct Answer
  1. Network Access Layer - combines the Data-Link and Physical layers.
  2. Internet Layer - consists of the Network layer.
  3. Transport Layer - consists of the Transport layer.
  4. Application Layer - consists of the Session, Presentation, and Application layers.
  (Nuts Include Tasty Almonds)

Which statement is the best definition of non-repudiation? - Correct Answer An inability to deny previous participation in a digital transaction, contract, or communication.

Which statement is the best definition of confidentiality? - Correct Answer An attacker's ability to get unauthorized read or write access to data from an application or system.

Which statement is the best definition of authenticity? - Correct Answer A degree of confidence that the correct password, passphrase, or private/secret key has been used.

What is Least Privilege? - Correct Answer
  • An aspect of AAA and IAM where the subject has just the proper level or amount of permissions and rights to perform the job role or responsibility and nothing more.
  • Should be built into all access control architectures.
  • Any deviation (escalation or elevation), if allowed, should go through an established change control IT service or service desk implementation.
  • Also referred to as "need to know" or staying within one's "pay grade" or classification level.

What are some elements of NIST SP 800-53 Least Privilege implementation? - Correct Answer
  • Authorize access to all security functions.

What are some elements of Separation of Duties (SoD)? - Correct Answer
  • Also referred to as "segregation of duties".
  • A principle where more than one entity is required to complete a particular task, such as a separate Backup Operators group and a Data Restoration group.
  • SoD may also involve dual operator principles where two or more subjects are needed to modify or approve.
  • Rotation of duties is also a related principle.

What are some elements of Zero Trust? - Correct Answer
  • Is an evolving paradigm moving focus to users, assets, and resources.
  • Uses zero trust principles to design industrial and enterprise infrastructure and workflows.
  • Assumes no implicit trust is given to subjects based merely on their physical or network location.
  • Performs authentication and authorization as distinct tasks before a session is established.
  • Focuses on protecting resources and not network segments or location.

What is Fail Securely? - Correct Answer Applications should be coded to properly conduct error handling for exceptions in order to fail securely instead of crashing.
  • Involves the implementation of a mode of system termination functions that prevents loss of the secure state when a failure occurs or is detected in the system or application.
  • The failure still might cause damage to some system resource or system entity, but doesn't create a vulnerability.
  • Implement secure defaults.
  • Roll back to a secure state.
  • Check return values and conditional code/filters for failure defaults.
  • Ensure that even with loss of availability, confidentiality and integrity remain.

What is a Fail Open Firewall? - Correct Answer If there is a component failure or system crash of a firewall or IPS sensor, the traffic is still allowed to flow from the ingress interface to the egress interface, in order to avoid inconveniencing users or interrupting productive data flows.

What is a Fail Closed Firewall? - Correct Answer If there is a component failure or system crash of a firewall or IPS sensor, the traffic is NOT allowed to flow from the ingress interface to the egress interface, in order to prevent an attacker from launching an exploit by forcing a failure.

Which principle states that users and programs should only have the necessary rights to complete their tasks and nothing more? - Correct Answer Least privilege

Which term describes a scenario where systems or software design considerations assume that the application is natively secure without any modifications or extra controls? - Correct Answer Security by default

What is another term for the principle of defense in depth? - Correct Answer Layered security

In the NIST Privacy Framework, which element provides an increasingly granular set of activities and outcomes that enable an organizational dialogue about managing privacy risk? - Correct Answer Core

Which security principle also includes activities such as dual operator and duty rotation, where two or more subjects are needed to perform actions in various circumstances? - Correct Answer Separation of duties

Which term describes a policy in which traffic is not allowed to flow from the ingress interface to the egress interface in the event of a component failure of a firewall? - Correct Answer Fail closed

Which security principle is often implemented by using advanced verification in the form of more stringent multi-factors such as biometric authentication? - Correct Answer Trust but verify

Interface with the human resources group, & Review the acceptable use policy.

What is a best practice when terminating an employee? - Correct Answer Conduct an exit interview

What are similar to standards but are more flexible and not usually mandatory? - Correct Answer Guidelines

At the start of an interview, it is not uncommon to sign which kind of agreement? - Correct Answer Non-disclosure agreement

Which topics would most likely be covered during end-user security awareness education and training? - Correct Answer Social engineering tactics, Anti-phishing measures, Tailgating policy, & Clean desk policy

In an information security policy lifecycle, which of these critical success factors means the policy can accommodate change and be adapted if necessary? - Correct Answer Flexible

What is an inventory strategy used to increase efficiency and decrease waste by acquiring goods only as needed in the production process? - Correct Answer JIT

Which data type is the least mature and most difficult to protect due to overhead from encryption/decryption? - Correct Answer Data in use

You have restricted subjects and objects based on a mandatory access control model. What attribute have you used to establish an asset classification level? - Correct Answer Architecture

What asset and data role is the keeper of the object from a technical perspective so that CIA is maintained? - Correct Answer Custodian

Which phase of the data lifecycle is concerned with the residual risk from data, metadata, and artifacts that are left over after a software deletion process? - Correct Answer Remanence

What is the best and most common destruction technique for microfilm (microfiche), laser discs, and document imaging applications? - Correct Answer Pulverizing

What system plays a critical role in several IT management initiatives such as IT Service Management (ITSM) and IT Asset Management (ITAM) by storing metadata and modifications to items? - Correct Answer CMDB

You have configured a network access control list to protect traffic coming into your virtual network at a popular cloud provider. Which type of control is this? - Correct Answer Technical

What is the standardized language developed by MITRE (in a collaborative way) to represent structured information about cyber threats? - Correct Answer STIX

At what defense-in-depth layer would you deploy data loss prevention, HIPS, and patch management? - Correct Answer Endpoint security

In which phase of the data lifecycle would you apply the Do and Check activities of the PDCA model? - Correct Answer Information

What is a set of services and tools that allows organizations to simplify security operations in threat management, incident response, and security operations automation? - Correct Answer SOAR

Your company's facility is built in a 100-year flood zone, so your executive management decides not to get flood insurance. What type of risk treatment is this? - Correct Answer Acceptance

Your SOC needs a risk management tool to use for a security audit. What is a unique, open-source threat modeling method focused on enhancing the security auditing process from a cyber risk management perspective? - Correct Answer TRIKE

Which security framework offers the Cloud Control Matrix to ensure handling of requirements stemming from new technologies and controls? - Correct Answer CSA

What access control model seeks to imitate real world decision making while also considering operational needs and vulnerability with every access control decision? - Correct Answer Risk-based

What access model uses integrity verification procedures that run periodically to check the consistency of the integrity rules in the system? - Correct Answer Clark-Wilson

In which access model is the owner of an object most likely to have some control over permissions and sharing? - Correct Answer Discretionary

Which of these MAC models is a confidentiality model? - Correct Answer Bell-LaPadula

Which form of access model is often used with infrastructure ACLs on routers and firewall devices? - Correct Answer Rule-based

Which of these security measures are used to specifically control physical access? - Correct Answer Fire suppression, Signage, Bollards, & Safes

What is another term for a Type 1 hypervisor? - Correct Answer Native

What access model would you choose if you wanted to make decisions based on weighing rules against the characteristics of the subject's actions and the request environment? - Correct Answer Attribute-based

Which type of organization is structured around traditional roles and departments such as Human Resources, IT, Sales, Marketing, and Finance? - Correct Answer Functional

Which IdM process involves collecting attributes or digital documents to support a claim of identification for a specific subject to validate the veracity of the claim? - Correct Answer Proofing

When provisioning resources using an identity management system, which component offers an accepted origination point or "system of record" for user identity data attributes? - Correct Answer Authorized sources

Which of these are common activities of auditing account access? - Correct Answer Confirming the deployment of SSO best practices, Reviewing when a user's job requires new access, Assuring the proper removal of terminated users, & Confirming that roles are modified when a user changes jobs

Which authentication and authorization protocol is used with IEEE 802.1X? - Correct Answer RADIUS

Which type of SSO attack would involve secret cooperation between a principal and service provider system to launch an attack? - Correct Answer Collusion attack

Which is a basic and common identity layer on top of the OAuth 2.0 protocol? - Correct Answer OIDC

What takes place when a user gets access to resources and functionality that they are not authorized or generally allowed to access? - Correct Answer Privilege escalation

Which authentication protocol relies on a Key Distribution Center (KDC)? - Correct Answer Kerberos

Which of these AAA accounting services involves performing showback against departmental budgets and business unit allocations? - Correct Answer Chargeback

Which common type of system is often powered by specialized chips or system-on-a-chip as well as older unpatched versions of Linux or Microsoft Windows? - Correct Answer IoT

Which database security control involves modifying the baseline to become more applicable, such as changing the data application timeout requirement from 20 minutes of inactivity to 10? - Correct Answer Tailoring

Which is a specific service-oriented application component that represents an architectural approach to software development where the results are made up of small independent services that communicate over well-defined APIs? - Correct Answer Microservices

Which NIST special publication has guidelines for media sanitization? - Correct Answer 800-88

What are strategically placed physical controls meant to prohibit vehicles from entering certain areas as well as in parking lots or along sidewalks to guide pedestrian traffic? - Correct Answer Bollards

On the CISSP exam, what category of control is physical security? - Correct Answer Operational

What is an intentional or unintentional sag, slump, or drop in electrical voltage? - Correct Answer Brownout

What type of lighting, although slow to turn on, is a preferred outdoor security lighting? - Correct Answer Mercury vapor

What is the recommended temperature and humidity, respectively, for a data center or server room, expressed in Fahrenheit? - Correct Answer 72 to 76 degrees and 40 to 60%

What are enclosures that block electromagnetic fields emanating from Electromagnetic Interference (EMI), Carrington events, solar flares, and Electromagnetic Pulses (EMP)? - Correct Answer Faraday cage

What type of fire extinguisher is for electrical equipment and wires, using inert gas, dry powders, powdered aerosols, foam, or carbon dioxide? - Correct Answer Type C

What term describes the physical separation of the control network and the other networks? - Correct Answer Airgap

Which service decouples the physical hardware from the network map in order to support virtualization and allow the data center network to be deployed programmatically? - Correct Answer VXLAN

Which infrastructure devices have session level access control for management protocols and Management Frame Protection features? - Correct Answer Wireless LAN controllers

Which AWS CDN feature controls who can download content directly from a CloudFront distribution? - Correct Answer Private Content Feature

Which is the most common S/MIME service for providing authentication, data integrity, and non-repudiation? - Correct Answer Digital signatures

Which WPA3 protocol and feature set specifically replaces WPA2 PSK? - Correct Answer SAE

Which technology has the goal of delivering bandwidths of up to 10 Gbps by using higher-frequency radio waves than current cellular networks? - Correct Answer 5G

Which is a document specifying constraints and practices that a user must agree to for access to a corporate network or the Internet? - Correct Answer AUP

Which TCP port does Transport Layer Security operate on? - Correct Answer 443

What is a structured language developed by MITRE for a collaborative way to represent cyber threat intelligence and observable data? - Correct Answer STIX

Which phase of the incident response lifecycle, also called "eradication", would most likely involve determining the root cause of the incident and applying immediate remedies if available? - Correct Answer Mitigation

What type of lower risk change follows a specific process for scheduling, assessment, and an approval/authorization process? - Correct Answer Normal

Which of these represents the initial phase of patch management? - Correct Answer Develop inventory and patch management plan

Which of these security principles is closely related to separation of duties (SoD)? - Correct Answer Dual operator

Which of these components would be considered the most volatile as a data storage medium? - Correct Answer Routing table

What is a set of data, tools, utilities, and processes used to support configuration management? - Correct Answer CMS

At which phase of the SCM would you establish software code baselines? - Correct Answer Version Control

Which CCM level is also referred to as early explicit, when an enterprise has developed its own standard software process through greater attention to documentation, standardization, and integration? - Correct Answer Level 3

What is defined as a multidisciplinary team of people who are collectively responsible for delivering a well-defined software solution by maintaining different subject matter experts leveraged throughout the entire development lifecycle? - Correct Answer Integrated Product Teams

Which application security testing model can detect up to 100% of the OWASP benchmark in real-time with no false positives and has the flexibility to be used in QA and production environments, analyzing dependencies as well as legacy components? - Correct Answer IAST

Which of the following would be an aspect of mobile application management? - Correct Answer Securing and removing corporate data within mobile apps

Which organization would offer "API1:2019 Broken Object Level Authorization" as an API top ten vulnerability? - Correct Answer OWASP

Which software products are intended to be easily installed and to interoperate tightly with existing system components? - Correct Answer COTS (Commercial-Off-The-Shelf)

Which of these would be considered poor coding practices? - Correct Answer Improper input validation, Unsecure usage of repositories, Leaving inoperative dead code, Not relying on stored procedures

Which is an application development methodology where two or more functionally duplicate versions of the app are developed from the same specification? - Correct Answer Software diversity

Which secure coding practice involves writing code that attackers and other people have a hard time understanding? - Correct Answer Obfuscation