CISSP Study Guide Exam Questions Containing 273 terms with Definitive Solutions 2023-2024.
Typology: Exams
CIA Triangle - Answer: cornerstone of infosec: Confidentiality, Integrity, Availability
Confidentiality (CIA Triangle) - Answer: prevention of unauthorized disclosure of information; prevention of unauthorized read access to data
Integrity (CIA Triangle) - Answer: prevention of unauthorized modification of data; prevention of unauthorized write access to data
Availability (CIA Triangle) - Answer: ensures data is available to authorized users when it is needed
Opposing forces to CIA - Answer: DAD: disclosure, alteration, destruction
identification - Answer: the process by which a subject professes an identity, which is where accountability begins; e.g. typing a username, swiping a smart card, waving a proximity device (badging in), speaking a phrase; identification and authentication always go together as a two-step process
authentication - Answer: verification that a subject is who they claim to be; e.g. entering a password or PIN, presenting a biometric; always the second half of the identification/authentication two-step process
authorization - Answer: verification of a subject's access rights or privileges to the applicable data
auditing (monitoring) - Answer: recording a log of the events and activities related to the system and its subjects
accounting (accountability) - Answer: reviewing log files to check for compliance and violations in order to hold subjects accountable for their actions
non-repudiation - Answer: a user cannot deny having performed a specific action
subject - Answer: an entity that performs active functions on a system; usually a person, but can also be a script or program designed to perform actions on data
object - Answer: any passive data or resource within the system
ISC2 Code of Ethics Canons (4) - Answer: 1. protect society, the common good, necessary public trust and confidence, and the infrastructure
preventive access control (can be administrative, technical, physical) - Answer: prevents unwanted actions from occurring by restricting what a subject can do; e.g. privilege levels
detective access control (can be administrative, technical, physical) - Answer: alerts during or after a successful attack; e.g. alarm systems, closed-circuit TV
corrective access control (can be administrative, technical, physical) - Answer: repairs a damaged system; often works hand in hand with detective controls (e.g. antivirus software)
recovery access control (can be administrative, technical, physical) - Answer: restores a system after an incident has occurred
deterrent access control (can be administrative, technical, physical) - Answer: discourages subjects from performing unwanted actions on a system
compensating access control (can be administrative, technical, physical) - Answer: additional control used to compensate for weaknesses in other controls as needed
risk formula - Answer: risk = threat x vulnerability x impact (a threat exploiting a vulnerability produces an impact; if any factor is zero there is no risk)
market approach (for valuing intangible assets) - Answer: assumes the fair value of an asset reflects the price at which comparable assets have been purchased in transactions under similar circumstances
income approach (for valuing intangible assets) - Answer: the value of an asset is the present value of the future earnings the asset will generate over the rest of its life cycle
cost approach (for valuing intangible assets) - Answer: estimates the fair value based on the cost of replacement
exposure factor (EF) - Answer: percentage of the asset's value lost in a single incident
single loss expectancy (SLE) - Answer: asset value (AV) times exposure factor; SLE = AV x EF, expressed as a dollar value
annualized rate of occurrence (ARO) - Answer: expected number of times a loss is suffered per year
annualized loss expectancy (ALE) - Answer: yearly cost due to the risk; ALE = SLE x ARO
legally defensible security - Answer: to obtain legal restitution a company must demonstrate that a crime was committed, that the suspect committed it, and that the company took reasonable efforts to prevent it: records are accurate, a policy is in place, proper authentication is used, and laws and regulations are complied with
layering (defense in depth) - Answer: the use of multiple controls in series (one after another, not in parallel); no single control can protect against all possible threats
top-down approach - Answer: senior management is responsible for initiating and defining policies; middle management fleshes policy out into standards, baselines, guidelines, and procedures; end users must comply with all policies
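The SLE and ALE arithmetic from the flashcards above carried into code, as an added example that is not part of the original study guide. The risk register, exposure factors and the $8,000 safeguard cost are constructed figures; the safeguard cost/benefit step (ALE before the control minus ALE after it minus the annual cost of the safeguard) is standard CISSP material but goes beyond the cards on this page.

```python
"""Quantitative risk analysis: SLE = AV x EF, ALE = SLE x ARO, and the
cost/benefit of a safeguard.  Added example, not from the study guide;
all asset values, EFs, AROs and costs below are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of AV lost per incident (0..1)
    aro: float              # annualized rate of occurrence

    def sle(self) -> float:
        """Single loss expectancy: AV x EF."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: SLE x ARO."""
        return self.sle() * self.aro


def safeguard_value(risk: Risk, ef_after: float, aro_after: float,
                    annual_cost: float) -> float:
    """Net annual value of a safeguard that changes EF/ARO to the
    post-control figures: (ALE_before - ALE_after) - annual cost.
    Positive means the control pays for itself; negative means it
    costs more than the loss it prevents."""
    after = Risk(risk.name, risk.asset_value, ef_after, aro_after)
    return risk.ale() - after.ale() - annual_cost


def rank_by_ale(risks):
    """Risks ordered from highest to lowest ALE, for prioritisation."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


# Constructed sample register (illustrative numbers, not real data).
RISKS = [
    # $200k web tier; ransomware costs 50% of its value once every 4 years
    Risk("ransomware on web tier", 200_000, 0.50, 0.25),
    # $1M customer database; a breach costs 80% of its value once a decade
    Risk("customer DB breach", 1_000_000, 0.80, 0.10),
    # $50k laptop pool; theft loses the whole device, twice a year
    Risk("laptop theft", 50_000, 1.00, 2.0),
]

if __name__ == "__main__":
    for r in rank_by_ale(RISKS):
        print(f"{r.name:25s} SLE=${r.sle():>12,.2f}  ALE=${r.ale():>12,.2f}")
    # Full-disk encryption on the laptops: the hardware is still lost
    # (EF 0.1 for the device itself) but the data is not.  Worth $8k/yr?
    print("FDE net value per year:", safeguard_value(RISKS[2], 0.10, 2.0, 8_000))
```

Note that the laptop risk, with the smallest asset value, ranks first by ALE because of its high frequency; ALE, not asset value, is what the quantitative method prioritises on.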
strategic plan - Answer: long-term plan that is fairly stable; defines the org's security purpose; has a planning horizon of about 5 years
commercial/private sector classifications - Answer: confidential/proprietary > private > sensitive > public
senior manager role - Answer: person ultimately responsible for the security and protection of an org's assets; signs off on all activities and policy; overall success or failure rests on this role
data owner - Answer: responsible for classifying information for placement and protection within policy/solutions; often delegates actual management of the data to a custodian
data custodian - Answer: responsible for implementing the protection prescribed by the security policy and senior management; handles the day-to-day tasks of maintaining the data/system
COBIT 5 (control framework) Control Objectives for Information and Related Technology - Answer: principles for governance and management of enterprise IT
tampering - Answer: any action resulting in unauthorized changes to or manipulation of data
repudiation - Answer: the ability of a user or attacker to deny having performed a specific action or activity (plausible deniability)
information disclosure - Answer: distribution of private, confidential, or controlled information to external or unauthorized entities
denial of service (DoS) - Answer: attempts to prevent authorized use of a resource; can be accomplished through flaw exploitation, connection overloading, or traffic flooding
elevation of privilege - Answer: a limited user account is transformed into an account with greater privileges and access
DREAD threat rating system - Answer: damage potential, reproducibility, exploitability, affected users, discoverability
security governance - Answer: collection of practices related to supporting, defining, and directing the security efforts of an organization
third-party governance - Answer: system of oversight that may be mandated by law, regulation, industry standards, contractual obligation, or licensing agreements
compliance - Answer: the act of conforming to or adhering to rules, policies, regulations, standards, or requirements
documentation review - Answer: the process of reading the exchanged materials and verifying them against standards and expectations
business continuity planning (BCP) - Answer: assessing the risks to organizational processes and crafting policies, plans, and procedures to minimize the impact of those risks
quantitative decision making - Answer: uses numbers and formulas to reach a decision; often expressed in terms of dollar value
qualitative decision making - Answer: takes non-numerical factors such as emotion, investor/customer confidence, workforce stability, etc. into account; often results in categories of prioritization (high/medium/low)
Computer Fraud and Abuse Act (1986) - Answer: changed the scope of the CCCA to cover all "federal interest" computers: all government and financial systems
Computer Abuse Amendments Act (1994) - Answer: amended the CFAA to be more encompassing: outlawed malicious code, expanded coverage to any system used in interstate commerce, allowed imprisonment, and gave victims legal authority to pursue civil action
Computer Security Act (1987) - Answer: mandated baseline security requirements for all federal systems
National Information Infrastructure Protection Act (1996) - Answer: further extends the protections of the CFAA to systems used in international commerce
Federal Information Security Management Act (FISMA, 2002) - Answer: requires federal agencies to implement an information security program that covers the agency's operations; also requires the inclusion of contractors in their security management programs
copyright - Answer: guarantees the creators of original works of authorship protection against unauthorized duplication of their work; lasts 70 years after the author's death
Digital Millennium Copyright Act (1998) - Answer: brought US copyright law into compliance with the WIPO treaties; prohibits attempts to electronically circumvent copyright protection mechanisms; limits the liability of ISPs for the acts of their users
trademarks - Answer: words, slogans, and logos used to identify a company or its products; protection is automatic (TM), official registration grants the encircled 'R' notation
patents - Answer: IP rights of inventors; good for 20 years, after which the invention enters the public domain
trade secrets - Answer: IP that is critical to the business and whose disclosure would cause significant damage
Economic Espionage Act of 1996 - Answer: specifically deals with theft of trade secrets; theft benefiting a foreign government or agent: up to $500k fine and 15 years; domestic theft: up to $250k and 10 years
Uniform Computer Information Transactions Act (UCITA) - Answer: designed for adoption by each state to provide a common framework for the conduct of computer-related business transactions
personally identifiable information (PII) - Answer: any information that can identify an individual
protected health information (PHI) - Answer: any health-related information that can be related to a specific person
proprietary data - Answer: any data that helps an organization maintain a competitive edge
top secret - Answer: applied to information whose unauthorized disclosure could reasonably be expected to cause exceptionally grave damage to national security
secret - Answer: applied to information whose unauthorized disclosure could reasonably be expected to cause serious damage to national security
confidential - Answer: applied to information whose unauthorized disclosure could reasonably be expected to cause damage to national security
unclassified - Answer: any data that doesn't meet one of the descriptions for a higher classification
government/military data classifications - Answer: top secret, secret, confidential, unclassified
civilian data classifications - Answer: confidential/proprietary, private, sensitive, public
marking sensitive data - Answer: when users know the value of the data, they are more likely to take care of it
erasing data - Answer: performing a delete operation against a file or files; in most cases the deletion only removes the directory or catalog link to the data (the data itself remains on the media); not a reliable way to remove data
clearing data - Answer: also known as overwriting; unclassified data is written over all addressable locations on the media, typically a single repeated character, then its complement, finishing with random bits; not 100% reliable on some media (e.g. remapped bad sectors and SSD wear-leveled blocks are not addressable through the normal interface)
purging data - Answer: more intense form of clearing that prepares media for reuse in less secure environments; performs the clearing process multiple times
declassification - Answer: any process that purges media or a system in preparation for reuse in an unclassified environment
sanitization - Answer: combination of processes that removes data from a system or media; ensures data cannot be recovered by any means; can also refer to destruction or trusted purging
degaussing - Answer: strong magnetic field that erases data from magnetic media; does not affect optical drives or SSDs
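The clearing procedure described above (fill character, complement, random bits, then delete) implemented against a single file, as an added example that is not part of the original study guide. The file contents are a constructed payload written to a temporary file; the pass count and fill byte are choices made for illustration. The caveat from the card applies: this only overwrites the blocks the filesystem currently maps to the file, so copy-on-write filesystems, journals, SSD wear leveling and remapped sectors can all leave old copies behind.

```python
"""Clearing (overwriting) a file in place before unlinking it.
Added example, not from the study guide.  The sample file contents are
constructed; the three-pass pattern follows the flashcard's description."""

import os
import secrets
import tempfile
from pathlib import Path


def overwrite_passes(size: int, fill: int = 0x00):
    """Yield (label, data) for the three clearing passes over `size` bytes:
    a single repeated character, its bitwise complement, then random bits."""
    yield "fill", bytes([fill]) * size
    yield "complement", bytes([(~fill) & 0xFF]) * size
    yield "random", secrets.token_bytes(size)


def clear_file(path, fill: int = 0x00) -> list:
    """Overwrite `path` in place with every pass, forcing each to the
    device and reading it back to confirm it stuck, then unlink it.
    Returns the labels of the passes applied, for the sanitization record."""
    path = Path(path)
    size = path.stat().st_size
    applied = []
    # "r+b" reuses the existing inode, so the writes land on the blocks
    # the file already occupies instead of freshly allocated ones.
    with open(path, "r+b") as f:
        for label, data in overwrite_passes(size, fill):
            f.seek(0)
            f.write(data)
            f.flush()
            os.fsync(f.fileno())          # push through the OS page cache
            f.seek(0)
            if f.read(size) != data:      # verification step
                raise RuntimeError(f"{label} pass did not persist")
            applied.append(label)
    os.remove(path)   # this last step on its own would be mere "erasing"
    return applied


def demo() -> dict:
    """Create a temp file holding a constructed secret, clear it, report."""
    fd, name = tempfile.mkstemp(prefix="clear-demo-")
    with os.fdopen(fd, "wb") as f:
        f.write(b"constructed secret payload " * 4)   # 108 bytes
    p = Path(name)
    size = p.stat().st_size
    return {"size": size, "passes": clear_file(p), "exists": p.exists()}


if __name__ == "__main__":
    print(demo())
```

The read-back after each `fsync` is the part worth copying: a clearing procedure that cannot show the pattern actually landed is not evidence for a sanitization record.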
destruction (of data) - Answer: final stage in the life cycle of media and the most secure method of sanitizing it; incineration, crushing, shredding, disintegration, dissolving in caustic/acidic chemicals
record retention - Answer: retaining and maintaining important information as long as it is needed and destroying it when it is no longer needed
system owner - Answer: person who owns the system that processes sensitive data; develops and maintains the system security plan, ensures proper security training, updates documentation as needed; typically the same person as the data owner, but not always
data processors - Answer: any system used to process data; EU data protection law defines a processor as a natural or legal person which processes personal data solely on behalf of the data controller
Safe Harbor Program - Answer: regulatory program for EU-to-US data transfers built on a set of overarching principles: notice, choice, onward transfer, security, data integrity, access, enforcement (invalidated by the EU Court of Justice in 2015)
administrators - Answer: responsible for granting appropriate access to personnel; assigning permissions is the key function; typically use a role-based access control model
security baselines - Answer: provide a starting point and ensure a minimum security standard; often a standardized control framework
scoping - Answer: reviewing baseline security controls and selecting only those that are applicable to the system you are trying to protect
tailoring - Answer: modifying the list of security controls within a baseline so that they align with the mission of the organization
data at rest - Answer: stored data, residing in a permanent location awaiting access
data in motion - Answer: "on the wire"; data being transmitted across a network between two systems
cryptographic key - Answer: the object on which crypto algorithms rely to maintain their security; usually a large number represented in binary; the key space is the range of values the key can take, determined by its bit size (an n-bit key has 2^n possible values)
AND operation - Answer: true only when both inputs are true; represented with the ∧ symbol (often typed as ^)
OR operation - Answer: true when one or both inputs are true; represented with the ∨ symbol (often typed as v)
XOR operation - Answer: true when exactly one input is true, not both; represented with the ⊕ symbol (a plus sign enclosed in a circle); XOR-ing with the same value twice restores the original, which is why it is the mixing step in stream ciphers and one-time pads
NOT operation - Answer: reverses the value of an input; represented with the ~ or ! symbol
modulo function - Answer: division in which the answer is expressed as the remainder, e.g. 8 mod 6 = 2, or 8 mod 12 = 8 (since 12 does not divide into 8)
RSA algorithm - Answer: Rivest, Shamir, Adleman public key algorithm published in 1977; its security rests on the difficulty of factoring the product of two large primes; key length is variable (1,024 bits was the historical minimum; 2,048 bits or more is recommended today)
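XOR used as an encryption primitive, as an added example that is not part of the original study guide. It shows the property the card relies on, (p XOR k) XOR k = p, and the failure mode a practitioner most needs to recognise: reusing the keystream lets an attacker XOR two ciphertexts together and cancel the key out. The two messages and the crib are constructed sample values; the key is generated at run time.

```python
"""XOR as a cipher: encryption and decryption are the same operation,
and key reuse leaks p1 XOR p2.  Added example, not from the study guide.
P1, P2 and the crib "ATTACK" are constructed sample values."""

import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """One-time pad: the key must be random, secret, used once, and at
    least as long as the message.  Decryption is the same call because
    (p XOR k) XOR k == p."""
    if len(key) < len(plaintext):
        raise ValueError("key must be at least as long as the plaintext")
    return xor_bytes(plaintext, key[:len(plaintext)])


otp_decrypt = otp_encrypt   # XOR is its own inverse


def key_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """With the same key, c1 XOR c2 == p1 XOR p2: the key cancels out and
    the attacker holds the XOR of the two plaintexts."""
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n])


def crib_drag(p1_xor_p2: bytes, crib: bytes, offset: int) -> bytes:
    """Guess that `crib` sits at `offset` in one message; XOR-ing it into
    the leak reveals the other message's bytes at the same position."""
    window = p1_xor_p2[offset:offset + len(crib)]
    return xor_bytes(window, crib)


# Constructed sample messages, same length so one pad covers both.
P1 = b"ATTACK AT DAWN"
P2 = b"HOLD THE LINE!"


def demo() -> dict:
    key = secrets.token_bytes(len(P1))       # a fresh random pad
    c1 = otp_encrypt(P1, key)
    c2 = otp_encrypt(P2, key)                # the mistake: same pad twice
    leak = key_reuse_leak(c1, c2)
    return {
        "roundtrip": otp_decrypt(c1, key) == P1,
        "leak_is_p1_xor_p2": leak == xor_bytes(P1, P2),
        "recovered_from_crib": crib_drag(leak, b"ATTACK", 0),
    }


if __name__ == "__main__":
    print(demo())
```

Stream ciphers such as RC4 or AES-CTR have exactly the same weakness when a key/nonce pair is reused, which is why nonce management matters as much as key secrecy.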
message digest - Answer: the output of a hash function; usually 128 bits or larger (128-bit digests such as MD5's are no longer considered adequate for collision resistance; SHA-256 produces 256 bits); can also be shorter when used as a parity checksum
hash function requirements (5) - Answer: - the input can be of any length
MD2 - Answer: Message Digest 2, developed by Ron Rivest (of RSA) in 1989; hash function for 8-bit processors; pads the message so its length is a multiple of 16 bytes, produces a checksum and a 128-bit message digest
MD4 - Answer: enhanced version of MD2 to support 32-bit processors; first pads the message to 64 bits less than a multiple of 512 bits; processes 512-bit blocks in 3 rounds of computation to produce a 128-bit MD
MD5 - Answer: further enhancement of MD2/MD4; 4 rounds of computation with a 512-bit block size; like MD2 and MD4 it is cryptographically broken (practical collisions exist), so none of the MD family should be used where collision resistance matters
digital signatures - Answer: combination of public key cryptography and hash functions with 2 goals:
digital certificates - Answer: provide assurance that the people you are communicating with are who they claim to be; endorsed copies of an individual's public key (verified and signed by a certificate authority); governed by the international standard X.509
digital certificate standard X.509 - Answer: certificates contain the following:
certificate verification - Answer: the relying party checks the certificate authority's digital signature over the certificate using the CA's public key; the certificate, and the public key it carries, is authentic only if the signature verifies, i.e. the value recovered from the signature equals the hash of the certificate contents
disk encryption by OS - Answer: Windows: BitLocker, Encrypting File System (EFS); OS X: FileVault; multiplatform: TrueCrypt (discontinued in 2014; VeraCrypt is the maintained successor)
Pretty Good Privacy (PGP) - Answer: secure email system created by Phil Zimmermann in 1991; centered around the 'web of trust' concept
Secure Multipurpose Internet Mail Extensions (S/MIME) - Answer: protocol that uses RSA encryption and relies on X.509 certificates; already integrated into Outlook and Outlook Web Access, Mozilla Thunderbird, and Mac OS X Mail
secure sockets layer (SSL) - Answer: developed by Netscape; used with HTTP over port 443 to negotiate encrypted communications between servers and clients; hybrid of asymmetric and symmetric cryptography; every SSL version is now deprecated
transport layer security (TLS) - Answer: successor to SSL (TLS 1.0 published in 1999); runs over TCP, port 443 for HTTPS; based on SSL but with enhancements
link encryption - Answer: protects an entire communications circuit; creates a secure tunnel between two points using either a hardware or software solution that encrypts all