CISSP ver 2.0 (2015-2016)_Part 2

jogoyedo's version from 2017-03-19 11:52

Types of Security Models

Question: Answer
State Machine: Describes a system at a point in time and the behavior of the system as it moves between states; guarantees secure state transitions
Multilevel Lattice Models: Allow or disallow interactions between subjects and objects (subjects are assigned security clearances, objects are classified)
Noninterference Models: Limit higher-classified information from being shared with lower-privileged subjects (deal with the effects of covert channels)
Matrix-Based Models: Provide access rights to subjects and objects (columns are ACLs, rows are capability lists; supports discretionary access control; access rights are read, write and execute)
Information Flow Model: Focus is on how information is allowed or not allowed to flow between individual objects (can be used to identify covert channels / unintended information flow between compartments)
TAKE-GRANT: Uses a directed graph to specify the rights that subjects can transfer to objects or that subjects can take from other subjects (uses STATES and STATE TRANSITIONS)
Covert channels: A way to receive information in an unauthorized manner (storage covert channel: processes communicate via storage space on the system / covert timing channel: one process relays to another by modulating its use of system resources)


CMMI Maturity Levels

Question: Answer
Level 1 - Initial: Process unpredictable, poorly controlled and REACTIVE
Level 2 - Managed: Process characterized for PROJECTS and is MANAGED
Level 3 - Defined: Process characterized for the ORGANIZATION and is PROACTIVE
Level 4 - Quantitatively Managed: Process QUANTITATIVELY measured and controlled
Level 5 - Optimizing: Focus on CONTINUOUS process improvement

Cloud Service Models

Question: Answer
Software As A Service (SaaS): Customer uses the provider's applications
Platform As A Service (PaaS): Customer controls the applications
Infrastructure As A Service (IaaS): Customer controls operating systems, storage and applications

Deployment Models

Question: Answer
Private Cloud: For one company only; may be managed by the company or a third party
Community Cloud: Shared by multiple companies, usually companies with shared concerns (mission, security, policy, and compliance considerations)
Public Cloud: Cloud is made available to the general public (Amazon EC2 / Google)
Hybrid Cloud: Composed of two or more clouds; could be a mix of private, community, or public clouds

Essential Characteristics

Question: Answer
On-demand self-service: Can provision computing capabilities as needed, automatically, without human interaction with the service provider (SP)
Broad network access: Capabilities are available over the network and accessed through standard mechanisms by thin or thick client platforms (e.g., mobile phones, laptops, and PDAs)
Resource Pooling: Location independence; the customer has no control over the exact location of resources
Rapid elasticity: Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out or in
Measured Service: Automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts)


Laws and Regulations

Question: Answer
1974 US Privacy Act: Protection of PII in federal databases
1980 Organization for Economic Cooperation and Development (OECD): Provides for data collection, specifications, safeguards
1986 (amended in 1996) US Computer Fraud and Abuse Act: Trafficking in computer passwords or information that causes a loss of $1,000 or more or could impair medical treatment
1986 Electronic Communications Privacy Act: Prohibits eavesdropping or interception without distinguishing private/public
1987 US Computer Security Act: Security training, develop a security plan, and identify sensitive systems in government agencies
1991 US Federal Sentencing Guidelines: Responsibility on senior management with fines up to $290 million; invokes the prudent man rule; addresses both individuals and organizations
1996 US Economic and Protection of Proprietary Information Act: Industrial and corporate espionage
1996 Health Insurance Portability and Accountability Act (HIPAA):
1996 US National Information Infrastructure Protection Act: Encourages other countries to adopt a similar framework. Interstate commerce clause: the federal government has power to regulate all trade between states

Types of Testing

Question: Answer
Black-box testing: Observes the system's external behavior (definition-based)
White-box testing: A detailed examination of a logical path, checking the possible conditions (code-based testing)
Compiled code: Poses more risk than interpreted code because malicious code can be embedded in the compiled code and can be difficult to detect
Regression analysis testing: Verification of what is being installed; an automated process to repeat tests previously undertaken
Code comparison: Normally used to identify the parts of the source code that have changed
Integration testing: Aimed at finding bugs in the relationships and interfaces between pairs of components; does not normally test all functions
Unit testing: The testing of a piece of code; will only detect errors in the piece of code being tested
Blue team: Has knowledge of the organization; can be done frequently and is least expensive
Red team: External and stealthy
Cause-Effect testing: Systematically identifies combinations of inputs to a software product for inclusion in testing
Statistical testing: Provides further assurance that a software product is dependable; uses randomly generated data
Negative testing: Ensures your software can gracefully handle invalid input and unexpected behavior
Interface testing: Done to check that different components of the application or system are in sync with each other


ITSEC Functionality Classes

Question: Answer
F1-F5: Mirror the functionality classes of the Orange Book
F6: High integrity requirements (databases)
F7: High availability
F8: High integrity for communication
F9: High confidentiality
F10: High confidentiality and integrity for data networks


ITSEC Assurance Levels

Question: Answer
E0: Inadequate assurance
E1: General description
E2: Configuration and process control
E3: Source code analysis
E4: Formal model of security policy
E5: Vulnerability analysis
E6: Formal specification

Network Attacks - Denial of Service

Question: Answer
DoS: Performed by sending malformed packets to a system
DDoS: Botnet, zombies; a massive DoS attack using multiple computers
SMURF: ICMP-based; requires three players (attacker, victim and amplifying network)
FRAGGLE: Similar to Smurf but uses UDP
Land Attack: Involves sending a spoofed TCP SYN packet (connection initiation) with the target host's IP address
SYN FLOOD: TCP packets requesting a connection (SYN bit set) are sent to the target network with a spoofed source address
NFS Attack: Exports of parts of the file system that were not intended for publication
Teardrop: The length and fragmentation offset fields of sequential IP packets are modified
Source Routing Exploitation: IP allows the sender to explicitly specify the path; could allow an external attacker access to the internal network
Overlapping Fragment Attack: Used to subvert packet filters that only inspect the first fragment of a fragmented packet
XMAS Scan: All TCP flags are set
NULL Scan: No flags are set on the initiating TCP packet
FIN Scan: A request to close a connection is sent to the target machine

802.11 Wireless

Question: Answer
802.11: 1 or 2 Mbps at 2.4 GHz (FHSS or DSSS)
802.11b: 11 Mbps at 2.4 GHz (DSSS)
802.11a: 54 Mbps at 5 GHz (OFDM)
802.11g: 20-54 Mbps at 2.4 GHz
802.11n: 144 Mbps at both 2.4 GHz and 5 GHz (MIMO)
802.11i: Wi-Fi Protected Access 2 (WPA2) - AES
802.15: Wireless Personal Area Networks
802.16: Wireless MAN

Database Terms/Jargon

Question: Answer
Record: Collection of related data items
File: Collection of records of the same type
Database: Cross-referenced collection of files
DBMS: Manages and controls the database
Base relation: A table stored in a database
Tuple: A row in a database
Attribute: A column in a database
Primary key: Column(s) that make each row unique
View: Virtual relation defined by the database to control subjects from viewing certain data
Foreign key: Attribute (column) of one table that is the primary key of another table
Cell: Intersection of a row and a column
Schema: Holds data that describes a database
Data dictionary: Central repository of data elements and their relationships
Cardinality: The number of rows in the relation
Degree: The number of columns in the relation
Domain: The set of allowable values that an attribute can take
Concurrency problems: Making sure that different subjects receive the most up-to-date information
Semantic integrity: Makes sure that structural and semantic rules are enforced; these rules pertain to data types, logical values, uniqueness constraints and operations that could adversely affect the structure of the database
Referential integrity: Mechanism that ensures no record contains a reference to the primary key of a nonexistent record or a NULL value
Entity integrity: Ensures that an attribute is not NULL
Rollback: A statement that ends the current transaction and cancels all changes made to the database
Commit: Terminates a transaction and executes all changes that were just made by the user
Checkpoint: Used to make sure that if a system failure occurs or an error is detected, the user can always return to a point in time before the system crashed
OORA / Object-Oriented Requirements Analysis: Defines classes of objects and their interactions
OOA / Object-Oriented Analysis: Understanding and modelling a particular problem within a problem domain in terms of object-oriented concepts
DA / Domain Analysis: Seeks to identify the classes and objects that are common to all applications within a given domain
OOD / Object-Oriented Design: The object is the basic unit of modularity; objects are instantiations of a class
OOP / Object-Oriented Programming: Emphasizes the employment of objects and methods rather than types or transformations as in other programming approaches
ORB / Object Request Brokers: Manages all communication between components and enables them to interact in a heterogeneous and distributed environment
CORBA / Common Object Request Broker Architecture: Provides interoperability among the vast array of different software, platforms and hardware in environments; enables applications to communicate with one another no matter where the application is located or who developed it. To implement this compatible interchange, a user develops a small amount of initial code and an Interface Definition Language (IDL) file
COM / Common Object Model: Supports the exchange of objects among programs
DCOM / Distributed Common Object Model: Defines the standard for sharing objects in a networked environment; uses a globally unique identifier (GUID) to uniquely identify users, resources and components within an environment
ODBC / Open Database Connectivity: Provides a standard SQL dialect that can be used to access many types of relational databases
DDE / Dynamic Data Exchange: Enables different applications to share data by providing IPC; a communication mechanism that enables direct conversation between two applications
Token ring: Media access technology in which devices are not allowed to send data over the network until the device/station is in possession of a token
CSMA/CD: Media access technology in which a transmitting data station that detects another signal while transmitting a frame stops transmitting that frame, transmits a jam signal, and then waits for a random time interval before trying to resend the frame