
CISSP Study Guide Exam Questions, Exams of Nursing

CISSP Study Guide Exam Questions Containing 273 terms with Definitive Solutions 2023-2024.

Typology: Exams

2023/2024

Available from 01/06/2024

Pronurse1


CIA Triangle - Answer: cornerstone of infosec: Confidentiality, Integrity, Availability
Confidentiality (CIA Triangle) - Answer: prevention of unauthorized disclosure of information; prevention of unauthorized read access to data
Integrity (CIA Triangle) - Answer: prevention of unauthorized modification of data; prevention of unauthorized write access to data
Availability (CIA Triangle) - Answer: ensures data is available when needed to authorized users

Opposing forces to CIA - Answer: DAD: disclosure, alteration, destruction
identification - Answer: the process by which a subject professes an identity and accountability is initiated; ex: typing a username, swiping a smart card, waving a proximity device (badging in), speaking a phrase, etc.; always paired with authentication as a two-step process
authentication - Answer: verification that a subject is who they claim to be; ex: entering a password or PIN, biometrics, etc.; always paired with identification as a two-step process
authorization - Answer: verification of a subject's access rights or privileges to the applicable data
auditing (monitoring) - Answer: recording a log of the events and activities related to the system and its subjects
accounting (accountability) - Answer: reviewing log files to check for compliance and violations in order to hold subjects accountable for their actions

non-repudiation - Answer: a user cannot deny having performed a specific action
subject - Answer: an entity that performs active functions on a system; usually a person, but can also be a script or program designed to perform actions on data
object - Answer: any passive data within the system
ISC2 Code of Ethics Canons (4) - Answer: applied strictly in order; in exam questions where multiple canons could be the answer, choose the highest priority per this order:
  1. protect society, the commonwealth, and the infrastructure
  2. act honorably, honestly, justly, responsibly, and legally
  3. provide diligent and competent service to principals
  4. advance and protect the profession
policy - Answer: mandatory high-level management directives; components of a policy:
  1. purpose: describes the need for the policy
  2. scope: what systems, people, facilities, and organizations are covered
  3. responsibilities: specific duties of the involved parties
  4. compliance: how the policy's effectiveness is measured and how violations are handled
procedure - Answer: low-level, step-by-step guide for accomplishing a task
standard - Answer: describes the specific use of technology applied to hardware or software; mandatory
guideline - Answer: discretionary recommendations (i.e. not mandatory)
baseline - Answer: a uniform way of implementing a standard; defines the minimum level of security required
3 access/security control categories - Answer:
  1. administrative: implemented by creating organizational policy, procedure, and regulation; user awareness and training also fall here
  2. technical (logical): implemented using hardware, software, or firmware that restricts logical access to a system
  3. physical: locks, fences, walls, etc.
preventive access control (can be administrative, technical, or physical) - Answer: prevents actions from occurring by applying restrictions on what a user can do; example: privilege levels
detective access control (can be administrative, technical, or physical) - Answer: controls that alert during or after a successful attack; example: alarm systems, closed-circuit TV, audit log review
corrective access control (can be administrative, technical, or physical) - Answer: repairs a damaged system after an incident; often works hand in hand with detective controls (e.g. antivirus software quarantining a detected file)
recovery access control (can be administrative, technical, or physical) - Answer: controls that restore a system after an incident has occurred (e.g. backups)
deterrent access control (can be administrative, technical, or physical) - Answer: discourages subjects from performing unwanted actions on a system (e.g. warning banners, policies with sanctions)
compensating access control (can be administrative, technical, or physical) - Answer: an additional control used to compensate for weaknesses in other controls as needed
risk formula - Answer: risk = threat x vulnerability x impact
market approach (for valuing intangible assets) - Answer: assumes the fair value of an asset reflects the price at which comparable assets have been purchased in transactions under similar circumstances
income approach (for valuing intangible assets) - Answer: the value of an asset is the present value of the future earnings the asset will generate over the rest of its life cycle
cost approach (for valuing intangible assets) - Answer: estimates the fair value based on the cost of replacement
exposure factor (EF) - Answer: percentage of the asset's value lost due to a single incident
single loss expectancy (SLE) - Answer: asset value (AV) times exposure factor: AV x EF = SLE, expressed as a dollar value

annual rate of occurrence (ARO) - Answer: the expected number of times a loss occurs per year
annualized loss expectancy (ALE) - Answer: yearly cost due to a risk: SLE x ARO = ALE
legally defensible security - Answer: to obtain legal restitution a company must demonstrate that a crime was committed, that the suspect committed it, and that the company took reasonable efforts to prevent it: files are accurate, policies are in place, proper authentication is used, and laws and regulations are complied with
layering (defense in depth) - Answer: the use of multiple controls in series (one after another, linearly); no single control can protect against all possible threats
top-down approach - Answer: senior management is responsible for initiating and defining policies; middle management fleshes out policy into standards, baselines, guidelines, and procedures; end users must comply with all policies

strategic plan - Answer: long-term plan that is fairly stable; defines the organization's security purpose; useful for forecasting about 5 years out and serves as the planning horizon
  • long-term goals and vision (high level)
tactical plan - Answer: midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan; generally useful for about a year; more granular than the strategic plan
operational plan - Answer: short-term, highly detailed plan based on the strategic and tactical plans; valid only for a short time; very low level and granular; provides direction for many areas and issues
change management - Answer: ensures that no change leads to reduced or compromised security; also responsible for rollbacks; makes all changes subject to detailed documentation and auditing
data classification - Answer: the process of organizing items, objects, and subjects into groups, categories, or collections with similarities; formalizes and stratifies the process of securing data based on assigned labels of importance and sensitivity
government/military classification - Answer: top secret > secret > confidential > sensitive but unclassified > unclassified

commercial/private sector classifications - Answer: confidential/private > sensitive > public
senior manager role - Answer: the person who is ultimately responsible for the security and protection of an organization's assets; signs off on all activities and policy; overall success or failure rests on this role
data owner - Answer: responsible for classifying information for placement and protection within the policy and its solutions; often delegates actual management of the data to a custodian
data custodian - Answer: responsible for implementing the protection prescribed by the security policy and senior management; responsible for the day-to-day tasks of maintaining the data and system
COBIT 5 (control framework), Control Objectives for Information and Related Technology - Answer: principles for governance and management of enterprise IT:
  1. meeting stakeholder needs
  2. covering the enterprise end to end
  3. applying a single integrated framework
  4. enabling a holistic approach
  5. separating governance from management
regulatory policy - Answer: required whenever industry or legal standards apply to your organization (e.g. NERC CIP, FISMA)
advisory policy - Answer: discusses behaviors and activities that are acceptable and defines the consequences of violations (most policies fall into this category)
informative policy - Answer: provides information about a specific subject; ex: company goals, mission statements
STRIDE threat categorization - Answer: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege
spoofing - Answer: gaining access to a target system through the use of a falsified identity; can be used against IP addresses, MAC addresses, user names, system names, SSIDs, email addresses, etc.

tampering - Answer: any action resulting in unauthorized changes to or manipulation of data
repudiation - Answer: the ability of a user or attacker to deny having performed a specific action or activity (plausible deniability)
information disclosure - Answer: distribution of private, confidential, or controlled information to external or unauthorized entities
denial of service (DoS) - Answer: an attempt to prevent authorized use of a resource; can be accomplished through flaw exploitation, connection overloading, or traffic flooding
elevation of privilege - Answer: a limited user account is transformed into an account with greater privileges and access
DREAD threat rating system - Answer: Damage potential, Reproducibility, Exploitability, Affected users, Discoverability
security governance - Answer: the collection of practices related to supporting, defining, and directing the security efforts of an organization

third-party governance - Answer: a system of oversight that may be mandated by law, regulation, industry standards, contractual obligation, or licensing agreements
compliance - Answer: the act of conforming to or adhering to rules, policies, regulations, standards, or requirements
documentation review - Answer: the process of reading the exchanged materials and verifying them against standards and expectations
business continuity planning (BCP) - Answer: assessing the risks to organizational processes and crafting policies, plans, and procedures to minimize the impact of those risks
quantitative decision making - Answer: uses numbers and formulas to reach a decision; often expressed in terms of dollar value
qualitative decision making - Answer: takes non-numerical factors such as emotion, investor/customer confidence, and workforce stability into account; often results in categories of prioritization (high, medium, low)

Computer Fraud and Abuse Act (1986) - Answer: amended the Comprehensive Crime Control Act (CCCA) of 1984 to cover all "federal interest" computers, i.e. all government and financial systems
Computer Abuse Amendments Act (1994) - Answer: amended the CFAA to be more encompassing: outlawed the creation of malicious code, expanded coverage to any system used in interstate commerce, provided for imprisonment, and gave victims legal authority to pursue civil action
Computer Security Act (1987) - Answer: mandated baseline security requirements for all federal systems
National Information Infrastructure Protection Act (1996) - Answer: further extends the protections of the CFAA to systems used in international commerce
Federal Information Security Management Act (FISMA, 2002) - Answer: requires federal agencies to implement an information security program that covers the agency's operations; also requires the inclusion of contractors in their security management programs
copyright - Answer: guarantees the creators of original works of authorship protection against unauthorized duplication of their work; lasts for the life of the author plus 70 years

Digital Millennium Copyright Act (1998) - Answer: brought US copyright law into compliance with the WIPO treaties; prohibits attempts to circumvent copyright protection mechanisms electronically, and limits the liability of Internet service providers for their users' activities
trademarks - Answer: words, slogans, and logos used to identify a company or its products; protection is automatic (TM); official registration grants the encircled R notation
patents - Answer: IP rights of inventors; good for 20 years, after which the invention becomes public domain
trade secrets - Answer: IP that is critical to a business and whose disclosure would result in significant damage
Economic Espionage Act of 1996 - Answer: specifically deals with theft of trade secrets; on behalf of a foreign entity: up to $500,000 in fines and 15 years in prison; domestic: up to $250,000 and 10 years
Uniform Computer Information Transactions Act (UCITA) - Answer: designed for adoption by each state to provide a common framework for the conduct of computer-related business transactions

personally identifiable information (PII) - Answer: any information that can identify an individual
protected health information (PHI) - Answer: any health-related information that can be related to a specific person
proprietary data - Answer: any data that helps an organization maintain a competitive edge
top secret - Answer: applied to information whose unauthorized disclosure could reasonably be expected to cause exceptionally grave damage to national security
secret - Answer: applied to information whose unauthorized disclosure could reasonably be expected to cause serious damage to national security
confidential - Answer: applied to information whose unauthorized disclosure could reasonably be expected to cause damage to national security
unclassified - Answer: refers to any data that doesn't meet one of the descriptions for a higher classification

government/military data classifications - Answer: top secret, secret, confidential, unclassified
civilian data classifications - Answer: confidential/proprietary, private, sensitive, public
marking sensitive data - Answer: when users know the value of the data, they are more likely to take care of it
  1. physical: labels that indicate the classification on the data or on the system that processes it
  2. digital: header/footer text or an embedded watermark; these also appear on a printout
storing sensitive data - Answer: storage should protect against any type of loss; backups must be protected the same as the original data; encrypt data at rest
data remanence - Answer: data that remains on media after an attempt to remove it (e.g. residual magnetic flux on a hard drive); on magnetic media it can be removed by degaussing, but degaussing does not work on SSDs or optical media

erasing data - Answer: performing a delete operation against a file or files; in most cases the deletion only removes the directory or catalog link to the data (the data itself remains); not reliable
clearing data - Answer: also known as overwriting; unclassified data is written over all addressable locations on the media: a single repeated character, then its complement, finishing with random bits; not 100% reliable on some media (e.g. SSDs with wear leveling, or bad sectors the OS can no longer address)
purging data - Answer: a more intense form of clearing that prepares media for reuse in less secure environments; performs the clearing process multiple times and may combine it with other methods such as degaussing
declassification - Answer: any process that purges media or a system in preparation for reuse in an unclassified environment
sanitization - Answer: a combination of processes that removes data from a system or media, ensuring the data cannot be recovered by any means; can also refer to destruction of the media or to trusted purging
degaussing - Answer: applies a strong magnetic field that erases data on magnetic media; does not affect optical media or SSDs
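The clearing process described above (a fixed character, then its complement, then random bits over every addressable location of the file), as an added example that is not part of the original study guide. It assumes a regular file on a local filesystem; the sample content and the function names `clear_file`, `verify_cleared` and `demo` are the example's own.

```python
import os
import secrets
import tempfile

# Overwrite passes in the order the clearing description gives:
# a single repeated character, its complement, then random bits.
PASSES = (b"\x00", b"\xff", None)   # None = fresh random bytes for that pass


def clear_file(path: str, chunk_size: int = 1 << 16) -> int:
    """Overwrite every addressable byte of `path` in place and return the
    number of passes made. Each pass is flushed and fsync'd so the bytes are
    pushed to the device instead of sitting in the page cache."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for pattern in PASSES:
            fh.seek(0)
            remaining = size
            while remaining:
                n = min(chunk_size, remaining)
                fh.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    return len(PASSES)


def verify_cleared(path: str, original: bytes) -> bool:
    """Logical check only: the file keeps its length and no longer contains the
    original content. This cannot prove the data is gone from the physical medium."""
    with open(path, "rb") as fh:
        data = fh.read()
    return len(data) == len(original) and original not in data


def demo() -> bool:
    """Write constructed sample data to a temp file, clear it, and check the result."""
    secret = b"CONFIDENTIAL: payroll export 2024-Q1\n" * 200   # constructed sample data
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "wb") as fh:
            fh.write(secret)
        clear_file(path)
        return verify_cleared(path, secret)
    finally:
        os.remove(path)


if __name__ == "__main__":
    print("cleared:", demo())
```

This overwrites the logical file only. On SSDs (wear leveling, remapped blocks), journaling or copy-on-write filesystems, and cloud block storage, copies of the old bytes can survive where no user-space write can reach them, which is exactly why the guide calls clearing "not 100% reliable on some media" and why purging, sanitization and destruction exist as stronger options; for whole devices, prefer the drive's own sanitize/secure-erase command over file-level overwriting.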

destruction (of data) - Answer: the final stage in the life cycle of media and the most secure method of sanitizing it; incineration, crushing, shredding, disintegration, or dissolving with caustic/acidic chemicals
record retention - Answer: retaining and maintaining important information as long as it is needed, and destroying it when it is no longer needed
system owner - Answer: the person who owns the system that processes sensitive data; develops and maintains the system security plan, ensures proper security training, and updates documentation as needed; typically the same person as the data owner, but not always
data processor - Answer: any system used to process data; EU data protection law defines a processor as a natural or legal person which processes personal data solely on behalf of the data controller
Safe Harbor Program - Answer: regulatory program (invalidated by the EU Court of Justice in 2015) that included a set of overarching principles: notice, choice, onward transfer, security, data integrity, access, and enforcement
administrators - Answer: responsible for granting appropriate access to personnel; assigning permissions is the key function; typically use a role-based access control model

security baselines - Answer: provide a starting point and ensure a minimum security standard; often taken from a standardized control framework
scoping - Answer: reviewing the baseline security controls and selecting only those applicable to the system you are trying to protect
tailoring - Answer: modifying the list of security controls within a baseline so that they align with the mission of the organization
data at rest - Answer: stored data that resides in a permanent location awaiting access
data in motion - Answer: "on the wire"; data being transmitted across a network between two systems
cryptographic key - Answer: the secret value on which a cryptographic algorithm relies for its security; usually a large number (in binary); the key space is the range of values a key can take, determined by its bit size (an n-bit key has a key space of 2^n possible keys)
AND operation - Answer: true only when both inputs are true; represented with the ∧ symbol (often typed as ^)

OR operation - Answer: true when one or both inputs are true; represented with the ∨ symbol (often typed as v)
XOR operation - Answer: true when exactly one of the inputs is true, but not both; represented with a plus sign enclosed in a circle (⊕)
NOT operation - Answer: reverses the value of its input; represented with the ~ or ! symbol
modulo function - Answer: division in which the answer is expressed as the remainder; e.g. 8 mod 6 = 2, and 8 mod 12 = 8 (since 12 does not divide into 8)
RSA algorithm - Answer: Rivest, Shamir, and Adleman's public key algorithm (1977); its security rests on the difficulty of factoring the product of two large primes; key length is variable (1024 bits is now considered too short; 2048 bits or more is typical). Key generation:
  1. choose two large prime numbers, p and q
  2. compute their product: n = p * q
  3. select a number e such that e < n and e is relatively prime to (p-1)(q-1)
  4. find a number d such that (ed - 1) mod (p-1)(q-1) = 0
  The public key is (e, n) and the private key is (d, n).

message digest - Answer: the output of a hash function; usually 128 bits or larger; can be shorter when used as a parity check or checksum
hash function requirements (5) - Answer:
  • the input can be of any length
  • the output has a fixed length
  • the hash is relatively easy to compute for any input
  • one way: it is computationally infeasible to recover the input from the digest
  • collision free: it is computationally infeasible to find two different inputs with the same digest
SHA hash family - Answer: SHA-1 and SHA-2 are government standard hash functions developed by NIST. SHA-1 produces a 160-bit message digest, processes the input in 512-bit blocks, and pads as needed; it is no longer considered collision resistant and should not be used for new signatures. SHA-2 has four main variants: SHA-256 produces a 256-bit digest using a 512-bit block size; SHA-224 is a truncated version of SHA-256 that produces a 224-bit digest using a 512-bit block size; SHA-512 produces a 512-bit digest using a 1024-bit block size; SHA-384 is a truncated version of SHA-512 that produces a 384-bit digest using a 1024-bit block size

MD2 - Answer: Message Digest 2, developed by Ronald Rivest (of RSA) in 1989; a hash function for 8-bit processors; pads the message so its length is a multiple of 16 bytes, appends a checksum, and produces a 128-bit message digest
MD4 - Answer: enhanced version of MD2 to support 32-bit processors; first pads the message to 64 bits less than a multiple of 512 bits, then processes 512-bit blocks in 3 rounds of computation to produce a 128-bit digest
MD5 - Answer: a further enhancement of MD2/MD4; 4 rounds of computation with a 512-bit block size, producing a 128-bit digest; collisions are now trivial to generate, so MD5 is unsuitable for security use
digital signatures - Answer: a combination of public key cryptography and hash functions with 2 goals:
  1. enforce nonrepudiation
  2. assure the recipient that the message was not altered in transit
digital signature standard (DSS) - Answer: NIST specification (FIPS 186) for a digital signature infrastructure; uses SHA-2 for hashing and DSA, RSA, or Elliptic Curve DSA (ECDSA) as the signature algorithm

digital certificates - Answer: provide communicating parties with assurance that the people they are communicating with are who they claim to be; an endorsed copy of an individual's public key, signed by a certificate authority; governed by the international standard X.509
digital certificate standard X.509 - Answer: certificates contain the following:
  • version of X.509
  • serial number
  • signature algorithm identifier
  • issuer name (the CA)
  • validity period
  • subject's name
  • subject's public key
certificate authorities - Answer: neutral organizations that offer notarization services for digital certificates; identity must be proven before a certificate is issued; assisted by registration authorities (RAs)
certificate enrollment - Answer: identity is proven to the CA (other identification documents may be requested), an X.509 certificate is created, and the CA then digitally signs the certificate

certificate verification - Answer: verify the certificate by checking the CA's digital signature using the CA's public key; the certificate and the key it carries are authentic if:
  1. the digital signature of the CA is authentic
  2. you trust the CA
  3. the certificate is not on the certificate revocation list (CRL)
  4. the certificate actually contains the data you are trusting (the expected subject and public key)
certificate revocation (reasons) - Answer:
  1. compromise (private key disclosure)
  2. erroneously issued (issued without proper verification)
  3. details of the certificate have changed
  4. the security association has changed (termination, etc.)
public key infrastructure best practices - Answer:
  1. choose your encryption system wisely
  2. select your keys in an appropriate manner (length, performance, etc.)
  3. keep your private key secret
  4. retire keys when they have served their useful life
  5. back up your keys
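A worked example tying together three of the cards above: the four RSA key-generation steps, hash-then-sign digital signatures, and the certificate verification checks (authentic CA signature, trusted CA, not on the CRL, expected subject, plus the validity period). This is an added example and not code from the study guide. It uses textbook RSA without padding, a JSON dictionary as a stand-in for the X.509 structure, Mersenne primes as constructed toy key material (special-form primes are a terrible choice for real keys), and invented names such as `Example CA` and `alice@example.com`. It needs Python 3.8+ for `pow(e, -1, phi)`.

```python
import hashlib
import json
from math import gcd


def rsa_keygen(p: int, q: int, e: int = 65537):
    """The guide's four steps; returns (public_key, private_key) as (e, n), (d, n)."""
    n = p * q                                   # step 2: n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:                        # step 3: e relatively prime to (p-1)(q-1)
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = pow(e, -1, phi)                         # step 4: (e*d - 1) mod (p-1)(q-1) == 0
    return (e, n), (d, n)


def digest(data: bytes) -> int:
    """SHA-256 of the data as an integer: the signature covers the hash, not the message."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private_key, data: bytes) -> int:
    d, n = private_key
    h = digest(data)
    if h >= n:                                  # no padding here, so n must exceed the digest
        raise ValueError("modulus too small for the digest")
    return pow(h, d, n)


def verify(public_key, data: bytes, signature: int) -> bool:
    e, n = public_key
    return pow(signature, e, n) == digest(data)


def encode_tbs(tbs: dict) -> bytes:
    """Canonical encoding of the to-be-signed fields (JSON standing in for DER)."""
    return json.dumps(tbs, sort_keys=True).encode()


def issue_cert(ca_private_key, serial, subject, subject_pub, not_before, not_after, issuer="Example CA"):
    """The CA binds serial, subject name, subject public key and validity, then signs them."""
    tbs = {"serial": serial, "issuer": issuer, "subject": subject,
           "public_key": list(subject_pub), "not_before": not_before, "not_after": not_after}
    return {"tbs": tbs, "signature": sign(ca_private_key, encode_tbs(tbs))}


def verify_cert(cert, trusted_cas, crl, expected_subject, now):
    """Returns (ok, reason). Checks: trusted CA, authentic CA signature, not on the
    issuer's CRL, inside the validity period, and the certificate binds the expected subject."""
    tbs = cert["tbs"]
    ca_pub = trusted_cas.get(tbs["issuer"])
    if ca_pub is None:
        return False, "issuer not trusted"
    if not verify(ca_pub, encode_tbs(tbs), cert["signature"]):
        return False, "bad CA signature"
    if tbs["serial"] in crl.get(tbs["issuer"], set()):
        return False, "revoked"
    if not tbs["not_before"] <= now <= tbs["not_after"]:
        return False, "outside validity period"
    if tbs["subject"] != expected_subject:
        return False, "subject mismatch"
    return True, "ok"


def demo() -> dict:
    # Mersenne primes: constructed toy values, easy to write down, never for real keys.
    ca_pub, ca_priv = rsa_keygen(2**127 - 1, 2**521 - 1)
    alice_pub, alice_priv = rsa_keygen(2**89 - 1, 2**607 - 1)
    trusted = {"Example CA": ca_pub}
    cert = issue_cert(ca_priv, 1001, "alice@example.com", alice_pub, 20240101, 20241231)
    results = {"valid": verify_cert(cert, trusted, {}, "alice@example.com", 20240615)}
    tampered = json.loads(json.dumps(cert))     # deep copy, then alter a signed field
    tampered["tbs"]["subject"] = "mallory@example.com"
    results["tampered"] = verify_cert(tampered, trusted, {}, "mallory@example.com", 20240615)
    results["revoked"] = verify_cert(cert, trusted, {"Example CA": {1001}}, "alice@example.com", 20240615)
    results["untrusted"] = verify_cert(cert, {}, {}, "alice@example.com", 20240615)
    results["expired"] = verify_cert(cert, trusted, {}, "alice@example.com", 20250301)
    # Use the public key carried in the verified certificate to check Alice's own signature.
    message = b"Transfer 100 EUR to account 42"   # constructed sample message
    cert_pub = tuple(cert["tbs"]["public_key"])
    signature = sign(alice_priv, message)
    results["message_ok"] = verify(cert_pub, message, signature)
    results["message_altered"] = verify(cert_pub, message + b"0", signature)
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:16} {outcome}")
```

The tampered case is the important one: changing any signed field (here the subject) without the CA's private key breaks the CA signature, which is what lets a relying party trust the public key inside the certificate. Production code should use PKCS#1 v1.5 or PSS padding, randomly generated primes, real X.509/DER parsing and a library such as `cryptography` rather than this textbook construction.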

disk encryption by OS - Answer: Windows: BitLocker and Encrypting File System (EFS); macOS: FileVault; multiplatform: TrueCrypt (discontinued in 2014)
Pretty Good Privacy (PGP) - Answer: secure email system created by Phil Zimmermann in 1991; centered on the "web of trust" concept
Secure/Multipurpose Internet Mail Extensions (S/MIME) - Answer: protocol that uses RSA encryption and relies on X.509 certificates; already integrated into Outlook and Outlook Web Access, Mozilla Thunderbird, and Mac OS X Mail
secure sockets layer (SSL) - Answer: developed by Netscape; used in conjunction with HTTP over port 443 to negotiate encrypted communications between servers and clients; a hybrid of asymmetric and symmetric cryptography; all SSL versions are now deprecated
transport layer security (TLS) - Answer: proposed replacement for SSL (1999); runs over TCP, on port 443 when used with HTTPS; based on SSL but with enhancements
link encryption - Answer: protects an entire communication circuit; creates a secure tunnel between two points using either a hardware or software solution that encrypts all