CISSP question topics
Five types of BCP testing are
- Checklist
- Structured Walk-through
- Simulation
- Parallel
- Full interruption
Simulation
- Simulation—This is a simulation of an actual emergency. Members of the response team act in the same way as if there was a real emergency.
Script Kiddies (Type of attacker)
Script kiddies are low to moderately skilled attackers who use readily available scripts and tools to launch attacks against victims with little effort.
Conclusive evidence
Conclusive evidence is incontrovertible and overrides all other evidence.
Photo-electric beams detector
Detect the presence of an intruder by transmitting visible or infrared light beams across an area, where these beams may be obstructed.
What access control technique is also known as multilevel security?
Mandatory access control
Tailgating
Piggybacking, also called tailgating, is a particularly interesting type of information attack, as it can be done both electronically and physically.
In Operations Security trusted paths provide:
Trusted paths provide trustworthy interfaces into privileged user functions and are intended to ensure that any communication over that path cannot be intercepted or corrupted.
Secondary evidence
Secondary evidence is a copy of evidence or oral description of its contents.
In Mandatory Access Control, what information do the sensitivity labels attached to an object contain?
The item's classification and category set
- Repeatable
The process is at least documented sufficiently such that repeating the same steps may be attempted.
Opportunity
When: Opportunity is used to indicate when and where a crime occurred.
Three concepts are used to create a level of fault tolerance and redundancy in transaction processing.
- Electronic vaulting
- Remote journaling
- Database shadowing
What is the correct sequence of levels within the Capability Maturity Model (CMM)?
- Initial/Performed
- Repeatable
- Defined
- Quantitatively managed
- Optimized
Passive infrared detectors
- One of the most common detectors found in household and small business environments because it offers affordable and reliable functionality. The term passive means the detector is able to function without the need to generate and radiate its own energy (unlike ultrasonic and microwave volumetric intrusion detectors, which are "active" in operation).
- Able to distinguish whether an infrared-emitting object is present by first learning the ambient temperature of the monitored space and then detecting a change in temperature caused by the presence of an object.
Parallel
- Parallel—This is similar to simulation testing, but the primary site is uninterrupted and critical systems are run in parallel at the alternative and primary sites. The systems are then compared to ensure all systems are in sync.
Types of sensors designed for indoor use
- Passive infrared detectors.
- Ultrasonic detectors.
- Microwave detectors.
- Photo-electric beams.
- Glass break detectors.
Evidence gathering:
- Exclusionary rule.
- Best evidence.
- Hearsay rule.
- Initial/Performed
Initial/Performed (chaotic, ad hoc, individual heroics) is the starting point for use of a new or undocumented repeat process.
- Journaling or Remote Journaling
Journaling or Remote Journaling is another technique used by database management systems to provide redundancy for their transactions. When a transaction is completed, the database management system duplicates the journal entry at a remote location.
Examples of MTD(maximum tolerable downtime) values
- Non-essential: 30 days
- Normal: 7 days
- Important: 72 hours
- Urgent: 24 hours
- Critical: minutes to hours
The Physical Security domain focuses on three areas:
Physical security encompasses a different set of threats, vulnerabilities, and risks than the other types of security that have been addressed so far.
Physical security is accomplished through:
The challenges of securing the physical space, its systems and the people who work within it by use of administrative, technical and physical controls.
The only difference between RAID 3 and RAID 4 is that level 3 is implemented at the byte level while level 4 is usually implemented at which of the following?
The only difference is that level 3 is implemented at the byte level and level 4 is usually implemented at the block level.
Hamming code
The parity information is created using a Hamming code that detects errors and establishes which part of which drive is in error.
- Defined
The process is defined/confirmed as a standard business process, and decomposed to levels 0, 1 and 2 (the last being Work Instructions).
lattice-based access control (LBAC)
Complex access control based on the interaction between any combination of objects (such as resources, computers, and applications) and subjects (such as individuals, groups, or organizations). The subject has an upper bound equal to or higher than the upper bound of the object being accessed.
- Database shadowing
Database shadowing may be used where a database management system updates records in multiple locations. This technique updates an entire copy of the database at a remote location.
Circumstantial evidence
Defined as the inference of information from other, intermediate, relevant facts.
Exclusionary rule
Evidence must be gathered legally or it can't be used.
Interface or integration testing
A hardware or software test that evaluates the connection of two or more components that pass information from one area to another. The objective is to take unit-tested modules and build an integrated structure dictated by the design.
Media Viability Controls?
Marking, handling, and storage.
Neural Network based IDS
Monitors the general patterns of activity and traffic on the network and creates a database of normal activities within the system. This is similar to the statistical model but with added self-learning functionality.
Honeynet
A network of computers, virtualized or real, that mimics a real organization's network and is designed to delay and log attackers' activity while the organization's real network is safely elsewhere.
Glass break detectors
Used for internal perimeter building protection. When glass breaks it generates sound in a wide band of frequencies. These can range from infrasonic, which is below 20 hertz (Hz) and cannot be heard by the human ear
Constrained user interfaces
A user interface that limits the functions that can be selected by a user. This is common on devices such as an automated teller machine (ATM). The advantage of a constrained user interface is that it limits potential avenues of attack and system failure by restricting the processing options that are available to the user.
Checklist
- Checklist—Copies of the plan are sent to different department managers and business unit managers for review. This is a simple test and should be used in conjunction with other tests.
Fail mode of systems
- Fail closed - All accesses blocked.
- Fail open - All accesses permitted.
- Fail over - The system automatically transfers processing to a hot backup component, such as a clustered server.
- Fail safe - Program execution is terminated, and the system is protected from compromise.
- Fail soft (or resilient) - Certain noncritical processing is terminated, and the computer or network continues to function in a degraded mode.
- Fault tolerant - A system that continues to operate following failure of a computer or network component.
Fail modes of systems in Physical Security as well:
- Fail-safe
  • Door defaults to being unlocked
  • Dictated by fire codes
- Fail-secure
  • Door defaults to being locked
Full interruption
- Full interruption—This test involves all facets of the company in a response to an emergency. It mimics a real disaster where all steps are performed to test the plan. Systems are shut down at the primary site and all individuals who would be involved in a real emergency, including internal and external organizations, participate in the test. This test is the most detailed, time-consuming, and expensive of all of these.
There are two basic IDS analysis methods
- Pattern matching (also called signature analysis)
- Anomaly detection
There are two complementary approaches:
- Knowledge-based approaches.
- Behavior-based approaches (profile-based systems).
Structured Walk-through
- Structured Walk-through—Team members and other individuals responsible for recovery meet and walk through the plan step-by-step to identify errors or assumptions.
There are seven phases of forensic investigations:
1) Identification
2) Preservation
3) Collection
4) Examination
5) Analysis
6) Presentation
7) Decision
The seven main categories of access control are:
1. Directive: Controls designed to specify acceptable rules of behavior within an organization
2. Deterrent: Controls designed to discourage people from violating security directives
3. Preventive: Controls implemented to prevent a security incident or information breach
4. Compensating: Controls implemented to substitute for the loss of primary controls and mitigate risk down to an acceptable level
5. Detective: Controls designed to signal a warning when a security control has been breached
6. Corrective: Controls implemented to remedy circumstance, mitigate damage, or restore controls
7. Recovery: Controls implemented to restore conditions to normal after a security incident
Chain of events in regard to evidence handling in computer forensics
1. Identifying evidence.
2. Preserving evidence.
3. Examining or analyzing the evidence.
4. Presentation of findings.
Using the order of volatility to preserve the evidence, the evidence should be preserved in the following order:
1. Memory (MOST volatile)
2. Network processes
3. System processes
4. Hard drive
5. Backup tapes
6. DVDs (LEAST volatile)
Capability Maturity Model (CMM)
A maturity model can be viewed as a set of structured levels that describe how well the behaviors, practices, and processes of an organization can reliably and sustainably produce required outcomes.
parallel test
A parallel test is a full test of the recovery plan, utilizing all personnel. The difference between this and the full-interruption test is that the primary production processing of the business does not stop; the test processing runs in parallel to the real processing. This is the most common type of disaster recovery plan testing.
Which proximity identification device does not require action by the user and works by responding with an access code to signals transmitted by a reader?
A transponder is a proximity identification device that does not require action by the user. The reader transmits signals to the device and the device responds with an access code. These transponder devices contain a radio receiver and transmitter, a storage place for the access code, control logic, and a battery.
Access control list (ACL) & Capability table
ACL: Defined as a list of subjects, along with their access rights, that are authorized to access a specific object.
Capability tables are bound to a subject, while an Access Control List (ACL) is bound to an object.
Active monitors
Active monitors interpret DOS and read-only memory (ROM) BIOS calls, looking for malware-like actions. Active monitors can be problematic because they cannot distinguish between a user request and a program or malware request. As a result, users are asked to confirm actions, including formatting a disk or deleting a file or set of files.
Operations security and security operations
These are two halves of the same coin. Operations security is primarily concerned with the protection and control of information processing assets in centralized and distributed environments. Security operations are primarily concerned with the daily tasks required to keep security services operating reliably and efficiently. Operations security refers to a quality of other services that must be maintained; security operations are a set of services in their own right. Operations security ensures the proper and secure operation of data processing facilities by protecting software, communications, data, and the supporting infrastructure.
hearsay rule
Concerns computer-generated evidence, which is considered second-hand evidence. Hearsay is information gathered by one person from another concerning some event, condition, or thing of which the first person had no direct experience. For example, a witness says "Susan told me Tom was in town".
Best evidence
Concerns limiting potential for alteration. Best evidence provides the most reliability in a trial. Any original signed contracts are considered best evidence.
Which type of authentication applies a digital signature algorithm to every bit of data that is sent from the claimant to the verifier?
Continuous authentication is a type of authentication that does this.
Corroborative evidence
Corroborative evidence helps to prove a point. It is supplementary to help support best evidence.
DAM - Database Activity Monitoring
DAM is designed to monitor databases and report on suspicious activities. It is widely used by organizations concerned about security breaches or attacks that could be costly in terms of availability or data disclosure.
Data diddling attack
Data diddling is an active attack that involves manipulation of data while the data is being entered into an application. Data diddling techniques, such as a salami attack, involve alteration of small amounts of data while it enters an application.
Direct Evidence
Direct evidence can prove a fact all by itself and does not need backup information to refer to. When using direct evidence, presumptions are not required. One example of direct evidence is the testimony of a witness who saw a crime take place. Although this oral evidence would be secondary in nature, meaning a case could not rest on just it alone, it is also direct evidence, meaning the lawyer does not necessarily need to provide other evidence to back it up. Direct evidence often is based on information gathered from a witness's five senses.
- Electronic vaulting
Electronic vaulting is accomplished by backing up system data over a network. The backup location is usually at a separate geographical location known as the vault site. Electronic vaulting is defined as "a method of transferring bulk information to off-site facilities for backup purposes". Remote journaling is the same concept as electronic vaulting, but has to do with journals and transaction logs, not the actual files.
Final Acceptance Testing
Final Acceptance Testing has two major parts:
- Quality Assurance Testing (QAT), focusing on the technical aspect of the application.
- User Acceptance Testing (UAT), focusing on the functional aspect of the application.
Hierarchical Storage Management (HSM).
Hierarchical Storage Management (HSM) provides a continuous on-line backup by using optical or tape "jukeboxes," similar to WORMs (Write Once, Read Many).
Means
How: Means is used to indicate how a criminal committed the crime.
A smart card containing two chips and has the capability of using both contact and contactless formats is called a:
Hybrid card
Types of testing:
- Interface testing
- Unit testing
- System testing
- Final acceptance testing
recovery time objective (RTO)
Is the period of time within which business and/or technology capabilities must be restored.
An acoustic-seismic detection system
Is an intrusion detection system (IDS) that monitors changes in the noise level of a facility zone. Acoustic-seismic detectors listen to the sound patterns and raise an alarm in the event of an intrusion. The problem with these systems is that vibrations can often cause false alarms.
recovery point objective (RPO)
Is the maximum acceptable level of data loss following an unplanned "event". The RPO represents the point in time, prior to such an event or incident, to which lost data can be recovered.
Which IEEE series of computer networking standards covering electronic directory services did Microsoft implement when producing their implementation of Active Directory?
Microsoft's implementation of Active Directory (AD) uses the X.500 recommendations developed by the IEEE. AD is a directory service that manages authentication and authorization across domains and enterprise networks.
The three crime tenets that are investigated when a crime occurs
Motive, opportunity, and means (MOM)
Physical piggybacking
Occurs as the exploitation of a false association to gain any type of advantage. Basically, an attacker can slip in behind a legitimate employee (who is cleared for access) and gain access to a secure area that would usually be locked or require some type of biometric for entrance.
The ultrasonic detector
Operates by the transmitter emitting an ultrasonic signal into the area to be protected. The sound waves are reflected by solid objects. The Doppler shift principle is the underlying method of operation, in which a change in frequency is detected due to object motion.
Operations security and security operations
Operations security aims at continuous maintenance of security infrastructure through implementation of routine activities that keep the infrastructure up and running in a secure manner. Operations security also depends on the routine procedures and processes of other types of security. For example, to enable operations security, physical security controls should be implemented and maintained, thereby ensuring the confidentiality, integrity, and availability of business operations. Operations security examines the countermeasures used to protect resources, information, and the hardware on which the resources and information reside.
Kind of Power Problems:
Power excess
- Spike --> Too much voltage for a short period of time.
- Surge --> Too much voltage for a long period of time.
Power loss
- Fault --> A momentary power outage.
- Blackout --> A long power interruption.
Power degradation
- Sag or dip --> A momentary low voltage.
- Brownout --> A prolonged power supply that is below normal voltage.
Add-on security
Protection mechanisms implemented after an information system has become operational.
Software Capability Maturity Model (CMM)
Software Capability Maturity Model (CMM) is based on the premise that the quality of a software product is a direct function of the quality of its associated software development and maintenance processes. It introduces five maturity levels that serve as a foundation for conducting continuous process improvement and as an ordinal scale for measuring the maturity of the organization involved in the software processes.
Types of IDS includes:
- Statistical-based IDS - These systems need a comprehensive definition of the known and expected behavior of the system.
- Neural network - An IDS with this feature monitors the general patterns of activity and traffic on the network and creates a database. This is similar to the statistical model but with added self-learning functionality.
- Signature-based IDS - These IDS systems protect against detected intrusion patterns. The intrusive patterns they can identify are stored in the form of signatures.
Evidence must be:
Sufficient, reliable, relevant.
- To be sufficient, the evidence must convince a reasonable person of its validity.
- To be reliable, the evidence must be consistent with the facts of the case.
- To be relevant, the evidence must have a relationship to the findings.
System Testing
System Testing - A series of tests designed to ensure that modified programs, objects, database schema, etc., which collectively constitute a new or modified system, function properly.
The black-box test design
The black-box test design typically focuses on testing functional requirements. Black-box testing implies that the selection of test data and the interpretation of test results are performed on the basis of the functional properties of software rather than its internal structure.
Chain of custody
The chain of custody of the evidence must show who collected, secured, controlled, handled, transported the evidence, and that it was not tampered with. Refers to the who, what, when, where, and how the evidence was handled—from its identification through its entire life cycle, which ends with destruction or permanent archiving.
- Quantitatively managed
The process is quantitatively managed in accordance with agreed-upon metrics.
The white-box technique
The white-box technique focuses only on testing the design and internal logical structure of the software product rather than its functionality. In general, the software testing should be planned, and the results of the tests should be documented throughout the software development life cycle as permanent records.
Capacitance detectors
They are used for spot protection within a few inches of the object, rather than for the overall room security monitoring provided by wave detectors. Penetration of this field changes the electrical capacitance of the field enough to generate an alarm.
Microwave detectors
This device emits microwaves from a transmitter and detects any reflected microwaves or reduction in beam intensity using a receiver. Microwave detectors respond to a Doppler shift in the frequency of the reflected energy, by a phase shift, or by a sudden reduction of the level of received energy. Any of these effects may indicate motion of an intruder.
clipping level
This is the point at which a system decides to take some sort of action when an action repeats a preset number of times. That action may be to log the activity, lock a user account, temporarily close a port, etc. Clipping levels set a baseline for acceptable normal user errors, and violations exceeding that threshold will be recorded for analysis of why the violations occurred.
Dual Data Center
This strategy is employed for applications that cannot accept any downtime without negatively impacting the organization. The applications are split between two geographically dispersed data centers and either load balanced between the two centers or hot swapped between the two centers.
Unit Testing
Unit Testing - The testing of an individual program or module. Testing performed to debug the code instructions. Unit testing is performed by the developer rather than by the quality assurance team. Unit testing can use test design methods, such as white box and black box.
Content-dependent access control
When access control is based on the content of an object, it is considered to be content dependent access control. Content-dependent access control is based on the content itself.
Motive
Why: Motive is the term used to indicate why a crime is committed.
Hearsay evidence
Hearsay evidence is evidence that is not based on personal, first-hand knowledge of the witness, but was obtained from another source. It is oral or written evidence that is second-hand. Disks are considered hearsay evidence because they are only copies of the original evidence. However, computer-generated evidence, such as audit logs and event logs, is considered second-hand evidence, not hearsay evidence.
Maximum Tolerable Downtime (MTD)
Is the maximum length of time a BUSINESS FUNCTION can endure without being restored, beyond which the BUSINESS is no longer viable.
Redundant site
Owned by the company and a mirror of the original production environment.
Electronic piggybacking
Takes place in an environment where access to computer systems is limited to those individuals who have the proper user ID and password (or other means of authentication). Once the terminal or workstation has been successfully logged into, it can be compromised by an attacker on a covert workstation that is connected to the same line. Another form of electronic piggybacking takes place when a user fails to properly terminate a session, the logoff is unsuccessful, or the user attends to other business while still logged on. In this case, the attacker can take advantage of the active session.
Phreakers (Type of attacker)
They are telephone/PBX (private branch exchange) hackers.
The Operations Security domain is concerned with triples:
threats, vulnerabilities and assets.
Rate-of-rise temperature sensors
Usually provide a quicker warning than fixed-temperature sensors because they are more sensitive, but they can also cause more false alarms. Placing a sensor under the raised floor is also a good choice. A fixed-temperature sensor is not as sensitive as a rate-of-rise sensor and therefore does not warn you as quickly.
How are memory cards and smart cards different?
Memory cards have no processing power.
Requirements for the admissibility of evidence:
- Be authentic
- Be accurate
- Be complete
- Be convincing
- Be admissible