CISSP ver 2.0 (2015-2016)_Part 2

jugehipe's version from 2017-06-04 02:18

Types of Security Models

Question: Answer
State Machine: Describes a system as a set of states and the transitions between them; the system is secure if it starts in a secure state and every allowed transition leads to another secure state.
Multilevel Lattice Models: Allow or disallow interactions between subjects and objects based on security labels (subjects are assigned security clearances, objects are classified); the labels form a lattice, as in Bell-LaPadula and Biba.
Noninterference Models: Actions of higher-classified subjects must not affect what lower-classified subjects can observe, so higher-classified information cannot be inferred by lower-privileged subjects (deals with the effects of covert channels).
Matrix-Based Models: Access matrix of subjects (rows) against objects (columns); each column is an object's ACL, each row a subject's capability list. Supports discretionary access control; typical access rights are read, write and execute.
Information Flow Model: Focus is on whether information is allowed or not allowed to flow between individual objects or security levels (can be used to identify covert channels and other unintended information flows between compartments).
Take-Grant: Uses a directed graph to specify the rights that subjects can transfer to other subjects or objects (grant) or take from other subjects (take). Uses states and state transitions, and can answer whether a subject could ever acquire a given right.
Covert channels: An unintended communication path that transfers information in violation of the security policy. Storage covert channel: processes communicate through shared storage on the system (e.g. file existence, disk space). Covert timing channel: one process signals another by modulating its use of a system resource (e.g. CPU time).
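The Take-Grant card above is easier to grasp as running code. The following is an added example, not part of the card set: a small Take-Grant protection graph with the take and grant rules as state transitions, plus a breadth-first search over graph states that answers the model's safety question ("can this subject ever obtain right r over that object?"). Subject and object names (alice, bob, carol, dave, payroll, log) and the rights t, g, r are assumed for the example.

```python
from collections import deque


class TakeGrant:
    """Take-Grant protection graph: a directed edge (x, y) is labelled with the
    rights x holds over y. Take ('t') and grant ('g') are rights like any other;
    applying a rule is a state transition from one graph to the next."""

    def __init__(self):
        self.edges = {}  # (x, y) -> set of right names

    def add(self, x, y, rights):
        self.edges.setdefault((x, y), set()).update(rights)

    def rights(self, x, y):
        return self.edges.get((x, y), set())

    def take(self, x, y, z, r):
        """Take rule: x holds 't' over y and y holds r over z => x gets r over z."""
        if "t" in self.rights(x, y) and r in self.rights(y, z):
            self.add(x, z, {r})
            return True
        return False

    def grant(self, x, y, z, r):
        """Grant rule: x holds 'g' over y and x holds r over z => y gets r over z."""
        if "g" in self.rights(x, y) and r in self.rights(x, z):
            self.add(y, z, {r})
            return True
        return False

    def can_acquire(self, subject, obj, r):
        """Safety question: can `subject` ever hold right r over `obj` through
        some sequence of take/grant transitions? Breadth-first search over
        graph states (each state is the set of (from, to, right) triples)."""
        start = frozenset((x, y, q) for (x, y), rs in self.edges.items() for q in rs)
        seen, queue = {start}, deque([start])
        while queue:
            state = queue.popleft()
            if (subject, obj, r) in state:
                return True
            for (x, y, q) in state:
                for (a, z, s) in state:
                    if q == "t" and a == y:       # x takes s over z from y
                        nxt = state | {(x, z, s)}
                    elif q == "g" and a == x:     # x grants its s over z to y
                        nxt = state | {(y, z, s)}
                    else:
                        continue
                    if nxt not in seen:
                        seen.add(nxt)
                        queue.append(nxt)
        return False


def demo_graph():
    """Constructed example graph (assumed names, not from the card set)."""
    g = TakeGrant()
    g.add("alice", "bob", {"t"})        # alice can take rights bob holds
    g.add("bob", "payroll", {"r"})      # bob can read the payroll file
    g.add("alice", "carol", {"g"})      # alice can grant her rights to carol
    g.add("dave", "log", {"r"})         # dave is not connected to the others
    return g


if __name__ == "__main__":
    g = demo_graph()
    print("alice reads payroll:", g.can_acquire("alice", "payroll", "r"))   # True via take
    print("carol reads payroll:", g.can_acquire("carol", "payroll", "r"))   # True: take, then grant
    print("dave reads payroll:", g.can_acquire("dave", "payroll", "r"))     # False, no path
    print("bob writes payroll:", g.can_acquire("bob", "payroll", "w"))      # False, nobody holds w
```

The point the search makes is that carol never needs a direct edge to payroll: alice takes read from bob and then grants it to carol, so a review that only looks at who holds rights now misses what the graph allows to leak.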


Capability Maturity Model (CMM) Levels

Question: Answer
Level 1 - Initial: Chaotic, ad hoc; quality is unpredictable
Level 2 - Repeatable: Basic project management exists; processes are repeatable but there is no formal method
Level 3 - Defined: Formal, documented processes in place
Level 4 - Managed: Processes and products are measured and controlled quantitatively; product improvement and process improvement
Level 5 - Optimizing: Continuous process improvement, budgeted for and institutionalized

Cloud Services Models

Question: Answer
Software As A Service (SaaS): Customer uses the provider's applications; the provider manages everything underneath
Platform As A Service (PaaS): Customer controls its deployed applications; the provider manages the operating system, runtime and infrastructure
Infrastructure As A Service (IaaS): Customer controls operating systems, storage and applications; the provider manages the physical infrastructure and hypervisor

Deployment Models

Question: Answer
Private Cloud: For one company only; may be managed by the company or by a third party
Community Cloud: Shared by multiple companies, usually companies with shared concerns (mission, security, policy and compliance considerations)
Public Cloud: Cloud made available to the general public (e.g. Amazon EC2, Google)
Hybrid Cloud: Composed of two or more clouds; could be a mix of private, community or public clouds

Essential Characteristics

Question: Answer
On-demand self-service: Consumer can provision computing capabilities as needed, automatically, without human interaction with the service provider
Broad network access: Capabilities are available over the network and accessed through standard mechanisms from thin or thick client platforms (e.g. mobile phones, laptops and PDAs)
Resource Pooling: Provider resources are pooled to serve multiple consumers (multi-tenancy); location independence, the customer has no control over the exact location of resources
Rapid elasticity: Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out or in
Measured Service: Resource use is automatically controlled and optimized by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g. storage, processing, bandwidth and active user accounts)


Computer Security Laws and Regulations

Question: Answer
1974 US Privacy Act: Protects PII held in federal government records and databases
1980 Organization for Economic Cooperation and Development (OECD) Guidelines: International privacy guidelines for personal data: limits on collection, purpose specification and security safeguards
1986 US Computer Fraud and Abuse Act (amended 1996): Criminalizes trafficking in computer passwords, and unauthorized access that causes a loss of $1,000 or more or could impair medical treatment
1986 Electronic Communications Privacy Act: Prohibits eavesdropping on or interception of electronic communications, without distinguishing between private and public systems
1987 US Computer Security Act: Requires government agencies to identify sensitive systems, develop a security plan for them and provide security training
1991 US Federal Sentencing Guidelines: Place responsibility on senior management, with fines up to $290 million; invoke the prudent man rule; address both individuals and organizations
1996 US Economic Espionage Act (Economic and Protection of Proprietary Information Act): Criminalizes industrial and corporate espionage (theft of trade secrets)
1996 Health Insurance Portability and Accountability Act (HIPAA): Privacy and security requirements for protected health information (PHI)
1996 US National Information Infrastructure Protection Act: Amends the CFAA; encourages other countries to adopt a similar framework. Jurisdiction rests on the interstate commerce clause (the federal government has power to regulate all trade between states)

Types of Code Review and Testing

Question: Answer
Black-box testing: The tested system is treated as a black box; no internal details of its implementation are used
White-box testing: Takes internal system details (e.g. source code) into account
Dynamic testing: The system under test is executed and its behaviour observed
Static testing: Analyses the system without executing it (e.g. code review, static analysis)
Manual testing: The test scenario is guided by a human
Automated testing: The test scenario is executed by a specialized application
Regression testing: Validates updates to code by re-running earlier tests and comparing the output of the new version with previous versions, to catch functionality that broke
Interface testing: Checks that the different components of the application or system are in sync with each other (their interfaces agree)
Integration testing: Aims at finding bugs in the relationships and interfaces between pairs of components; does not normally test all functions
Unit testing: Tests an individual system component, such as a code module, in isolation
Statistical testing: Provides further assurance that a software product is dependable; uses randomly generated data
Negative testing: Ensures the software gracefully handles invalid input and unexpected behaviour
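To see how the unit, negative, statistical and regression cards differ in practice, here is an added example (not from the card set): a small path-joining function that must keep untrusted paths inside an upload directory, with one test of each kind written against it. The function, the base directory /srv/app/uploads and the "golden" outputs of a previous release are all assumed for the example.

```python
import posixpath
import random

BASE = "/srv/app/uploads"   # assumed upload root for the example


def safe_join(base, user_path):
    """System under test: join an untrusted relative path to base, refusing
    NUL bytes, absolute paths and '..' sequences that would escape base."""
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    joined = posixpath.normpath(posixpath.join(base, user_path))
    if joined != base and not joined.startswith(base + "/"):
        raise ValueError("path escapes base directory")
    return joined


def unit_test():
    """Unit test: one component, expected result on valid input."""
    return safe_join(BASE, "reports/q1.pdf") == BASE + "/reports/q1.pdf"


def negative_test():
    """Negative test: invalid input must be rejected with a clean error,
    never silently resolved to a path outside BASE."""
    bad = ["../../etc/passwd", "/etc/passwd",
           "reports/../../../../etc/shadow", "x\x00.pdf"]
    for p in bad:
        try:
            safe_join(BASE, p)
            return False          # accepted something it should have refused
        except ValueError:
            pass
    return True


def statistical_test(n=2000, seed=1):
    """Statistical test: randomly generated inputs; whatever is accepted must
    satisfy an independently computed property (result lies under BASE)."""
    rng = random.Random(seed)
    parts = ["..", ".", "a", "b", "", "/etc", "x.txt"]
    for _ in range(n):
        p = "/".join(rng.choice(parts) for _ in range(rng.randint(1, 6)))
        try:
            out = safe_join(BASE, p)
        except ValueError:
            continue
        if posixpath.commonpath([BASE, out]) != BASE:
            return False
    return True


# Recorded outputs of the previous release (constructed for the example).
GOLDEN = {
    "reports/q1.pdf": "/srv/app/uploads/reports/q1.pdf",
    "a/../b": "/srv/app/uploads/b",
    "./c": "/srv/app/uploads/c",
}


def regression_test():
    """Regression test: the new version must reproduce the recorded outputs."""
    return all(safe_join(BASE, k) == v for k, v in GOLDEN.items())


if __name__ == "__main__":
    for t in (unit_test, negative_test, statistical_test, regression_test):
        print(f"{t.__name__}: {'pass' if t() else 'FAIL'}")
```

The negative and statistical tests are the ones that find traversal bugs: the unit and regression tests only confirm that good input still works, which is why a suite made only of those can pass while the function happily returns /etc/passwd.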


ITSEC Functionality Classes (F1-F10)

Question: Answer
F1-F5: Mirror the functionality of the Orange Book (TCSEC) classes C1 through B3
F6: High integrity requirements (e.g. databases)
F7: High availability
F8: High integrity for communications
F9: High confidentiality
F10: High confidentiality and integrity for data networks


ITSEC Assurance Levels (E0-E6)

Question: Answer
E0: Inadequate assurance
E1: Informal general description of the architecture
E2: Configuration control and controlled distribution process
E3: Source code analysis
E4: Formal model of the security policy
E5: Vulnerability analysis
E6: Formal specification of the security architecture

Network attacks – Denial of Service

Question: Answer
DoS: Makes a system or service unavailable to legitimate users, e.g. by flooding it with traffic or by sending malformed packets that crash it
DDoS: Massive DoS attack launched from many computers at once, typically a botnet of zombies
Smurf: ICMP echo requests sent to a network's broadcast address with the victim's spoofed source address; requires three players (attacker, victim and amplifying network)
Fraggle: Similar to Smurf but uses UDP (echo/chargen) instead of ICMP
Land Attack: A spoofed TCP SYN packet (connection initiation) whose source address and port equal the target host's own address and port, so the host tries to connect to itself
SYN Flood: TCP packets requesting a connection (SYN bit set) are sent to the target with spoofed source addresses; the resulting half-open connections exhaust the target's connection queue
NFS Attack: Abuses exports of parts of the file system that were not intended for publication
Teardrop: The length and fragmentation offset fields of sequential IP fragments are modified so that they overlap; reassembly crashes vulnerable IP stacks
Source Routing Exploitation: IP allows the sender to explicitly specify the path a packet takes; could let an external attacker reach an internal network or bypass filtering
Overlapping Fragment Attack: Used to subvert packet filters that inspect only the first fragment of a fragmented packet; a later fragment overwrites the header fields that were already checked
XMAS Scan: Port scan with the FIN, URG and PSH flags set (some variants set all flags); the response reveals whether a port is open or closed
NULL Scan: No flags are set on the initiating TCP packet
FIN Scan: A request to close a connection (FIN) is sent to the target machine with no prior connection
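The cards describe the packets; the following added example (not from the card set) shows what a detector actually has to look at. It builds a handful of constructed IPv4/TCP packets with the standard library, parses the raw bytes back, and flags the Land, NULL, XMAS, SYN flood and overlapping-fragment patterns. All addresses, ports, the SYN-flood threshold of five distinct sources, and the packet builder itself are assumptions for the demo (checksums are left zero, so these are parser inputs, not injectable traffic).

```python
import socket
import struct
from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
SYN_FLOOD_SOURCES = 5   # assumed threshold: distinct sources hitting one port


def build_packet(src, dst, sport=0, dport=0, flags=0, ident=1, offset=0, more=False, payload=b""):
    """Build a minimal IPv4 datagram for the demo (checksums left zero).
    Only the first fragment (offset 0) carries a TCP header."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) if offset == 0 else b""
    body = tcp + payload
    frag_word = (0x2000 if more else 0) | (offset // 8)      # MF flag + 13-bit offset in 8-byte units
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), ident, frag_word,
                     64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + body


def parse_packet(pkt):
    """Pull the fields the checks need out of an IPv4(+TCP) byte string."""
    ihl = (pkt[0] & 0x0F) * 4
    ident, frag_word = struct.unpack("!HH", pkt[4:8])
    info = {
        "src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
        "id": ident, "mf": bool(frag_word & 0x2000), "offset": (frag_word & 0x1FFF) * 8,
        "len": len(pkt) - ihl, "sport": None, "dport": None, "flags": None,
    }
    if info["offset"] == 0 and pkt[9] == 6:                  # first fragment of a TCP segment
        info["sport"], info["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
        info["flags"] = pkt[ihl + 13]
    return info


def classify(pkts):
    """Return (label, detail) findings for packets matching the patterns on the cards."""
    findings, syn_sources, frags = [], defaultdict(set), defaultdict(list)
    for p in map(parse_packet, pkts):
        if p["mf"] or p["offset"]:                            # remember fragment byte ranges per datagram
            frags[(p["src"], p["dst"], p["id"])].append((p["offset"], p["offset"] + p["len"]))
        f = p["flags"]
        if f is None:
            continue
        if p["src"] == p["dst"] and p["sport"] == p["dport"] and f & SYN:
            findings.append(("LAND", p["src"]))
        elif f == 0:
            findings.append(("NULL scan", p["src"]))
        elif f == FIN:
            findings.append(("FIN scan", p["src"]))
        elif (f & (FIN | PSH | URG)) == (FIN | PSH | URG):
            findings.append(("XMAS scan", p["src"]))
        elif f == SYN:
            syn_sources[(p["dst"], p["dport"])].add(p["src"])
    for (dst, port), srcs in syn_sources.items():
        if len(srcs) >= SYN_FLOOD_SOURCES:
            findings.append(("SYN flood", f"{dst}:{port} from {len(srcs)} sources"))
    for (src, _dst, ident), ranges in frags.items():
        ranges.sort()
        for (_s1, e1), (s2, _e2) in zip(ranges, ranges[1:]):
            if s2 < e1:                                       # later fragment rewrites earlier bytes
                findings.append(("overlapping fragment", f"{src} id={ident}"))
                break
    return findings


# Constructed sample traffic (not a capture); all addresses are made up for the demo.
SAMPLE = (
    [build_packet("10.0.0.5", "10.0.0.5", 80, 80, SYN)]                        # LAND
    + [build_packet("198.51.100.9", "10.0.0.5", 40000, 22, 0)]                 # NULL scan
    + [build_packet("198.51.100.9", "10.0.0.5", 40001, 22, FIN | PSH | URG)]   # XMAS scan
    + [build_packet(f"203.0.113.{i}", "10.0.0.5", 5000 + i, 443, SYN) for i in range(1, 7)]  # SYN flood
    + [build_packet("192.0.2.7", "10.0.0.5", 1234, 80, SYN, ident=77, more=True, payload=b"A" * 8),
       build_packet("192.0.2.7", "10.0.0.5", ident=77, offset=8, payload=b"B" * 16)]          # overlap
    + [build_packet("192.0.2.8", "10.0.0.5", 1234, 25, SYN | ACK)]             # ordinary handshake reply
)

if __name__ == "__main__":
    for label, detail in classify(SAMPLE):
        print(f"{label:22s} {detail}")
```

Note the overlap check: the second fragment of datagram 77 starts at byte 8, inside the 20-byte TCP header carried by the first fragment, which is exactly the trick used against filters that only inspect the first fragment. A real sensor would also apply timing windows and drop the per-datagram state after reassembly.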

802.11 Wireless

Question: Answer
802.11: 1 or 2 Mbps at 2.4 GHz (FHSS or DSSS)
802.11b: 11 Mbps at 2.4 GHz (DSSS)
802.11a: 54 Mbps at 5 GHz (OFDM)
802.11g: 20-54 Mbps at 2.4 GHz (OFDM)
802.11n: 144 Mbps typical at both 2.4 GHz and 5 GHz (MIMO; up to 600 Mbps with four spatial streams)
802.11i: Wi-Fi Protected Access 2 (WPA2), AES-CCMP
802.15: Wireless Personal Area Networks (e.g. Bluetooth)
802.16: Wireless MAN (WiMAX)

Database terms/jargon

Question: Answer
Element: Data in a cell
Tuple: A row in a table (relation)
Attribute: A column in a table
Schema: The structure of the database; holds the data that describes the database
Primary key: The field chosen to uniquely identify each row and link all the data in that row
Candidate key: Any attribute (or set of attributes) that is unique to the record; one candidate key is chosen as the primary key
Foreign key: An attribute (column) of one table that is the primary key of another table, linking the two
View: A virtual relation defined by a query; used to control which data subjects can see
Cell: Intersection of a row and a column
Data dictionary: Central repository for metadata and data relationships
Cardinality: The number of rows (tuples) in the relation (the number of columns is its degree)
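The terms above map directly onto a schema. This added example (not from the card set) uses SQLite through Python's standard library to show a primary key, a second candidate key, a foreign key that the DBMS actually enforces, a view that hides a sensitive column from subjects who only get the view, the cardinality of a relation, and the catalogue as data dictionary. The table and column names and the two sample rows are assumptions for the demo.

```python
import sqlite3

ALLOWED_RELATIONS = ("department", "employee", "employee_directory")


def build_db():
    """Constructed in-memory schema for the example (assumed names)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # SQLite enforces FKs only when asked, per connection
    conn.executescript("""
        CREATE TABLE department (
            dept_id INTEGER PRIMARY KEY,         -- primary key
            code    TEXT NOT NULL UNIQUE         -- another candidate key
        );
        CREATE TABLE employee (
            emp_id  INTEGER PRIMARY KEY,
            badge   TEXT NOT NULL UNIQUE,        -- candidate key not chosen as primary
            name    TEXT NOT NULL,
            salary  INTEGER NOT NULL,
            dept_id INTEGER NOT NULL REFERENCES department(dept_id)   -- foreign key
        );
        -- View: a virtual relation exposing name and department while hiding salary
        CREATE VIEW employee_directory AS
            SELECT e.name, d.code AS department
            FROM employee e JOIN department d ON d.dept_id = e.dept_id;
        INSERT INTO department VALUES (1, 'SEC'), (2, 'FIN');
        INSERT INTO employee VALUES
            (10, 'B-100', 'Ada',   120000, 1),
            (11, 'B-101', 'Linus',  95000, 2);
    """)
    return conn


def cardinality(conn, relation):
    """Cardinality = number of tuples (rows) in the relation."""
    if relation not in ALLOWED_RELATIONS:         # never interpolate an untrusted name
        raise ValueError(f"unknown relation {relation!r}")
    return conn.execute(f"SELECT COUNT(*) FROM {relation}").fetchone()[0]


def view_attributes(conn):
    """Attributes (columns) visible to a subject who may only query the view."""
    cur = conn.execute("SELECT * FROM employee_directory")
    return [col[0] for col in cur.description]


def insert_orphan(conn):
    """Try to reference a department that does not exist. With FK enforcement
    on, the DBMS refuses the row, so referential integrity is preserved."""
    try:
        conn.execute("INSERT INTO employee VALUES (12, 'B-102', 'Eve', 1, 99)")
        return False
    except sqlite3.IntegrityError:
        return True


def data_dictionary(conn):
    """The catalogue (sqlite_master) is the data dictionary: metadata about relations."""
    rows = conn.execute(
        "SELECT type, name FROM sqlite_master WHERE type IN ('table', 'view') ORDER BY name")
    return rows.fetchall()


if __name__ == "__main__":
    db = build_db()
    print("employee cardinality:", cardinality(db, "employee"))
    print("view attributes:", view_attributes(db))          # salary is not among them
    print("orphan row rejected:", insert_orphan(db))
    print("data dictionary:", data_dictionary(db))
```

Two practical points: SQLite ignores REFERENCES clauses unless the pragma is on, so a schema that looks right can still accept orphan rows; and granting a subject the view rather than the base table is the standard way to enforce the column-level restriction the View card describes.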

OOP Concepts

Question: Answer
OORA / Object-Oriented Requirements Analysis: Defines classes of objects and their interactions
OOA / Object-Oriented Analysis: Understanding and modelling a particular problem within a problem domain in terms of object-oriented concepts
DA / Domain Analysis: Seeks to identify the classes and objects that are common to all applications within a given domain
OOD / Object-Oriented Design: The object is the basic unit of modularity; objects are instantiations of a class
OOP / Object-Oriented Programming: Emphasizes the use of objects and methods rather than the types or transformations of other programming approaches
ORB / Object Request Broker: Manages all communication between components and enables them to interact in a heterogeneous, distributed environment
CORBA / Common Object Request Broker Architecture: Provides interoperability among a wide array of software, platforms and hardware; enables applications to communicate with one another no matter where the application is located or who developed it. To implement this interchange, the developer writes a small amount of initial code and an Interface Definition Language (IDL) file
COM / Component Object Model: Supports the exchange of objects among programs
DCOM / Distributed Component Object Model: Defines the standard for sharing objects in a networked environment; uses globally unique identifiers (GUIDs) to uniquely identify classes, interfaces and components within an environment
ODBC / Open Database Connectivity: Provides a standard API (with a standard SQL grammar) that applications use to access many types of relational databases
DDE / Dynamic Data Exchange: Enables different applications to share data by providing inter-process communication (IPC); a communication mechanism that enables direct conversation between two applications