Allison's Bad-to-the-Bone CISSP Flashcards (Domain 3 Security Architecture & Engineering)

The subject is the user or process that makes a request to access a resource. The object is the resource a user or process wants to access.

Exam Essentials: Be able to define object and subject in terms of access.

IPsec is a security architecture framework that supports secure communication over IP. IPsec establishes a secure channel in either transport mode or tunnel mode. It can be used to establish direct communication between computers or to set up a VPN between networks. IPsec uses two protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP).

Exam Essentials: Be able to describe IPsec

Open systems are designed using industry standards and are usually easy to integrate with other open systems. Closed systems are generally proprietary hardware and/or software. Their specifications are not normally published, and they are usually harder to integrate with other systems.

Exam Essentials: Be able to describe open and closed systems

Process isolation ensures that individual processes can access only their own data. Layering creates different realms of security within a process and limits communication between them. Abstraction creates "black-box" interfaces for programmers to use without requiring knowledge of an algorithm's or device's inner workings. Data hiding prevents information from being read from a different security level. Hardware segmentation enforces process isolation with physical controls.

Exam Essentials: Be able to describe process isolation, layering, abstraction, data hiding, and hardware segmentation

Brute-force attacks are attempts to randomly find the correct cryptographic key. Known plaintext, chosen ciphertext, and chosen plaintext attacks require the attacker to have some extra information in addition to the ciphertext. The meet-in-the-middle attack exploits protocols that use two rounds of encryption. The man-in-the-middle attack fools both parties into communicating with the attacker instead of directly with each other. The birthday attack is an attempt to find collisions in hash functions. The replay attack is an attempt to reuse authentication requests.

Exam Essentials: Be able to explain common cryptographic attacks

The Data Encryption Standard operates in 5 modes:
1. Electronic Code (ECB) mode
2. Cipher Block Chaining (CBC) mode
3. Cipher Feedback (CFB) mode
4. Output Feedback (OFB) mode
5. Counter (CTR) mode
- ECB mode is considered the least secure and is used only for short messages.
- 3DES uses three iterations of DES with two or three different keys to increase the effective key strength to 112 or 168 bits, respectively.

Exam Essentials: Be able to explain the basic operational modes of the Data Encryption Standard (DES) and Triple DES (3DES)

Multitasking is the simultaneous execution of more than one application on a computer and is managed by the operating system. Multithreading permits multiple concurrent tasks to be performed within a single process. Multiprocessing is the use of more than one processor to increase computing power. Multiprogramming is similar to multitasking but takes place on mainframe systems and requires specific programming.

Exam Essentials: Be able to explain the differences between multitasking, multithreading, multiprocessing, and multiprogramming

A security perimeter is the imaginary boundary that separates the TCB from the rest of the system. TCB components communicate with non-TCB components using trusted paths.

Exam Essentials: Be able to explain what a security perimeter is

A covert channel is any method that is used to pass information but that is not normally used for information.

Exam Essentials: Be able to explain what covert channels are

Examples of administrative physical security controls are facility construction and selection, site management, personnel controls, awareness training, and emergency response and procedures.

Exam Essentials: Be able to list administrative physical security controls

Firmware is software stored on a ROM chip. At the computer level, it contains the basic instructions needed to start a computer. Firmware is also used to provide operating instructions in peripheral devices such as printers.

Exam Essentials: Know the purpose of firmware

The classes of TCSEC include verified protection, mandatory protection, discretionary protection, and minimal protection. Table 8.4 (ISC2 Study Guide) covers and compares equivalent and applicable rankings for TCSEC, ITSEC, and the CC (remember that functionality ratings from F7 to F10 in ITSEC have no corresponding ratings in TCSEC).

Exam Essentials: Be able to list the classes of TCSEC, ITSEC, and the Common Criteria

Technical physical security controls can be access controls, intrusion detection, alarms, CCTV, monitoring, HVAC, power supplies, and fire detection and suppression.

Exam Essentials: Be able to list the technical physical security controls

Physical controls for physical security are fencing, lighting, locks, construction materials, mantraps, dogs, and guards.

Exam Essentials: Be able to name the physical controls for physical security.

When a sender wants to transmit a private message to a recipient, the sender takes the plaintext (unencrypted) message and encrypts it using an algorithm and a key. This produces a ciphertext message that is transmitted to the recipient. The recipient then uses a similar algorithm and key to decrypt the ciphertext and re-create the original plaintext message for viewing.

Exam Essentials: Be familiar with the basic terminology of cryptography

The successors to the Secure Hash Algorithm (SHA), SHA-1 and SHA-2, make up the government standard message digest function. SHA-1 produces a 160-bit message digest whereas SHA-2 supports variable lengths, ranging up to 512 bits. SHA-3 improves upon the security of SHA-2 and supports the same hash lengths.

Exam Essentials: Be familiar with the major hashing algorithms

- RSA is the most famous public key cryptosystem; it was developed by Rivest, Shamir, and Adleman in 1977. It depends on the difficulty of factoring the product of prime numbers.
- El Gamal is the extension of the Diffie-Hellman key exchange algorithm that depends on modular arithmetic.
- The elliptic curve algorithm depends on the elliptic curve discrete logarithm problem and provides more security than other algorithms when both are used with keys of the same length.

Exam Essentials: Be familiar with the three major public key cryptosystems

The Internet of Things (IoT) is a new subcategory or maybe even a new class of devices connected to the internet in order to provide automation, remote control, or AI processing to traditional or new appliances or devices in a home or office setting.

Exam Essentials: Comprehend IoT

A cloud access security broker (CASB) is a security policy enforcement solution that may be installed on-premises, or it may be cloud based.

Exam Essentials: Define CASB

A TCB is the combination of hardware, software, and controls that form a trusted base that enforces the security policy.

Exam Essentials: Define a trusted computing base (TCB)

In addition to buffer overflows, programmers can leave back doors and privileged programs on a system after it is deployed. Even well-written systems can be susceptible to time-of-check-to-time-of-use (TOCTTOU) attacks. Any state change could be a potential window of opportunity for an attacker to compromise a system.

Exam Essentials: Describe common flaws to security architectures

Dedicated systems require that all users have appropriate clearance, access permissions, and need to know for all information stored on the system. System high mode removes the need-to-know requirement. Compartmented mode removes the need-to-know requirement and the access permission requirement. Multilevel mode removes all three requirements.

Exam Essentials: Describe the 4 security modes approved by the federal government for processing classified information

Primary storage is the same as memory. Secondary storage consists of magnetic, flash, and optical media that must be first read into primary memory before the CPU can use the data. Random access storage devices can be read at any point, whereas sequential access devices require scanning through all the data physically stored before the desired location.

Exam Essentials: Describe the different characteristics of storage devices used by computers

ROM is nonvolatile and can't be written to by the end user. The end user can write data to PROM chips only once. EPROM/UVEPROM chips may be erased through the use of ultraviolet light and then can have new data written to them. EEPROM chips may be erased with electrical current and then have new data written to them. RAM chips are volatile and lose their contents when the computer is powered off.

Exam Essentials: Describe the different types of memory used by a computer

User applications operate in a limited instruction set environment known as user mode. The operating system performs controlled operations in privileged mode, also known as system mode, kernel mode, and supervisory mode.

Exam Essentials: Explain the two layered operating modes used by most modern processors

Even on nonstatic carpeting, if the environment has low humidity it is still possible to generate 20,000-volt static discharges. Even minimal levels of static discharge can destroy electronic equipment.

Exam Essentials: Know about static electricity

A type I hypervisor is a native or bare-metal hypervisor. In this configuration, there is no host OS; instead, the hypervisor installs directly onto the hardware where the host OS would normally reside.

Exam Essentials: Know about the type I hypervisor

A type II hypervisor is a hosted hypervisor. In this configuration, a standard regular OS is present on the hardware, and the hypervisor is then installed as another software application.

Exam Essentials: Know about the type II hypervisor

For a one-time pad to be successful, the key must be generated randomly without any known pattern. The key must be
- at least as long as the message to be encrypted
- protected against physical disclosure
Each pad must be used only one time and then discarded.

Exam Essentials: Know the requirements for successful use of a one-time pad

Some security issues surround memory components: the fact that data may remain on the chip after power is removed and the control of access to memory in a multiuser system.

Exam Essentials: Know the security issues surrounding memory components

Know the access control models and their functions. The state machine model ensures that all instances of subjects accessing objects are secure. The information flow model is designed to prevent unauthorized, insecure, or restricted information flow. The noninterference model prevents the actions of one subject from affecting the system state or actions of another subject. The Take-Grant model dictates how rights can be passed from one subject to another or from a subject to an object. An access control matrix is a table of subjects and objects that indicates the actions or functions that each subject can perform on each object. Bell-LaPadula subjects have a clearance level that allows them to access only those objects with the corresponding classification levels. This enforces confidentiality. Biba prevents subjects with lower security levels from writing to objects at higher security levels. Clark-Wilson is an integrity model that relies on auditing to ensure that unauthorized subjects cannot access objects and that authorized users access objects properly. Biba and Clark-Wilson enforce integrity. Goguen-Meseguer and Sutherland focus on integrity. Graham-Denning focuses on the secure creation and deletion of both subjects and objects.

Exam Essentials: Know details about each of the access control models

When straightforward hashing is used to store passwords in a password file, attackers may use rainbow tables of precomputed values to identify commonly used passwords. Adding salts to the passwords before hashing them reduces the effectiveness of rainbow table attacks. Common password hashing algorithms that use key stretching to further increase the difficulty of attack include PBKDF2, bcrypt, and scrypt.

Exam Essentials: Know how cryptographic salts improve the security of password hashing

Authentication provides assurances as to the identity of a user. One possible scheme that uses authentication is the challenge-response protocol, in which the remote user is asked to encrypt a message using a key known only to the communicating parties. Authentication can be achieved with both symmetric and asymmetric cryptosystems.

Exam Essentials: Know how cryptosystems can be used to achieve authentication goals

There should not be equal access to all locations within a facility. Areas that contain assets of higher value or importance should have restricted access. Valuable and confidential assets should be located in the heart or center of protection provided by a facility. Also, centralized server or computer rooms need not be human compatible.

Exam Essentials: Know how to design and configure secure work areas

The Advanced Encryption Standard (AES) uses the Rijndael algorithm and is the U.S. government standard for the secure exchange of sensitive but unclassified data. AES uses key lengths of 128, 192, and 256 bits and a fixed block size of 128 bits to achieve a much higher level of security than that provided by the older DES algorithm.

Exam Essentials: Know the Advanced Encryption Standard (AES)

The emerging standard for encrypted messages is the S/MIME protocol. Another popular email security tool is Phil Zimmermann's Pretty Good Privacy (PGP). Most users of email encryption rely on having this technology built into their email client or their web-based email service.

Exam Essentials: Know the common applications of cryptography to secure email

The IPsec protocol standard provides a common framework for encrypting network traffic and is built into a number of common operating systems. In IPsec transport mode, packet contents are encrypted for peer-to-peer communication. In tunnel mode, the entire packet, including header information, is encrypted for gateway-to-gateway communications.

Exam Essentials: Know the common applications of cryptography to secure networking

The de facto standard for secure web traffic is the use of HTTP over Transport Layer Security (TLS) or the older Secure Sockets Layer (SSL). Most web browsers support both standards, but many websites are dropping support for SSL due to security concerns.

Exam Essentials: Know the common applications of cryptography to secure web activity

No matter what form of physical access control is used, a security guard or other monitoring system must be deployed to prevent abuse, masquerading, and piggybacking. Abuses of physical access control include propping open secured doors and bypassing locks or access controls. Masquerading is using someone else's security ID to gain entry to a facility. Piggybacking is following someone through a secured gate or doorway without being identified or authorized personally.

Exam Essentials: Know the common threats to physical access controls

The Digital Signature Standard uses the SHA-1, SHA-2, and SHA-3 message digest functions along with one of three encryption algorithms: the Digital Signature Algorithm (DSA); the Rivest, Shamir, Adleman (RSA) algorithm; or the Elliptic Curve DSA (ECDSA) algorithm.

Exam Essentials: Know the components of the Digital Signature Standard (DSS)

Certification is the technical evaluation of each part of a computer system to assess its concordance with security standards. Accreditation is the process of formal acceptance of a certified configuration from a designated authority.

Exam Essentials: Know the definitions of certification and accreditation

Symmetric key cryptosystems (or secret key cryptosystems) rely on the use of a shared secret key. They are much faster than asymmetric algorithms, but they lack support for scalability, easy key distribution, and nonrepudiation. Asymmetric cryptosystems use public-private key pairs for communication between parties but operate much more slowly than symmetric algorithms.

Exam Essentials: Know the differences between symmetric and asymmetric cryptosystems

These are: deterrence > denial > detection > delay

Exam Essentials: Know the functional order of controls.

Good hash functions have five requirements:
1. They must allow input of any length
2. Provide fixed-length output
3. Make it relatively easy to compute the hash function for any input
4. Provide one-way functionality
5. Be collision free

Exam Essentials: Know the fundamental requirements of a hash function

The key elements in making a site selection are visibility, composition of the surrounding area, area accessibility, and the effects of natural disasters. A key element in designing a facility for construction is understanding the level of security needed by your organization and planning for it before construction begins.

Exam Essentials: Know the key elements in making a site selection and designing a facility for construction

There are three main security issues surrounding secondary storage devices: removable media can be used to steal data, access controls and encryption must be applied to protect data, and data can remain on the media even after file deletion or media formatting.

Exam Essentials: Know the security issues surrounding secondary storage devices

Know the definitions of the following:
- fault
- blackout
- sag
- brownout
- spike
- surge
- inrush
- noise
- transient
- clean
- ground

Exam Essentials: Know the terms commonly associated with power issues

The security controls implemented to manage physical security can be divided into three groups: administrative, technical, and physical. Understand when and how to use each, and be able to list examples of each kind.

Exam Essentials: Know the three categories of security controls implemented to manage physical security and be able to name examples of each

Confinement restricts a process to reading from and writing to certain memory locations. Bounds are the limits of memory a process cannot exceed when reading or writing. Isolation is the mode a process runs in when it is confined through the use of memory bounds.

Exam Essentials: Know what confinement, bounds, and isolation are

The reference monitor is the logical part of the TCB that confirms whether a subject has the right to use a resource prior to granting access. The security kernel is the collection of the TCB components that implement the functionality of the reference monitor.

Exam Essentials: Know what the reference monitor and the security kernel are

Bring your own device (BYOD) is a policy that allows employees to bring their own personal mobile devices to work and then use those devices to connect to (or through) the company network to business resources and/or internet. Although BYOD may improve employee morale and job satisfaction, it increases security risks to the organization. Related issues include data ownership, support ownership, patch management, antivirus management, forensics, privacy, on-boarding/off-boarding, adherence to corporate policies, user acceptance, architecture/infrastructure considerations, legal concerns, acceptable use policies, and on-board cameras/video.

Exam Essentials: Understand BYOD

Security as a service (SECaaS) is a cloud provider concept in which security is provided to an organization through or by an online entity.

Exam Essentials: Understand SECaaS

Cloud computing is the popular term referring to a concept of computing where processing and storage are performed elsewhere over a network connection rather than locally. Cloud computing is often thought of as Internet-based computing.

Exam Essentials: Understand cloud computing

Static environments, embedded systems, and other limited or single-purpose computing environments need security management. These techniques may include network segmentation, security layers, application firewalls, manual updates, firmware version control, wrappers, and control redundancy and diversity.

Exam Essentials: Understand embedded systems and static environment security concerns

An embedded system is typically designed around a limited set of specific functions in relation to the larger product of which it's a component. Static environments are applications, OSs, hardware sets, or networks that are configured for a specific need, capability, or function, and then set to remain unaltered.

Exam Essentials: Understand embedded systems and static environments

The role of a security policy is to inform and guide the design, development, implementation, testing, and maintenance of some particular system.

Exam Essentials: Understand how a security policy drives system design, implementation, testing, and deployment

To digitally sign a message, first use a hashing function to generate a message digest. Then encrypt the digest with your private key. To verify the digital signature on a message, decrypt the signature with the sender's public key and then compare the message digest to one you generate yourself. If they match, the message is authentic.

Exam Essentials: Understand how digital signatures are generated and verified

The principle of least privilege ensures that only a minimum number of processes are authorized to run in supervisory mode. Separation of privilege increases the granularity of secure operation. Accountability ensures that an audit trail exists to trace operations back to their source.

Exam Essentials: Understand how the principle of least privilege, separation of privilege, and accountability apply to computer architecture

In addition to power considerations, maintaining the environment involves control over the HVAC mechanisms. Rooms containing primarily computers should be kept at 60 to 75 degrees Fahrenheit (15 to 23 degrees Celsius). Humidity in a computer room should be maintained between 40 and 60 percent. Too much humidity can cause corrosion. Too little humidity causes static electricity.

Exam Essentials: Understand how to control the environment

If a facility employs restricted areas to control physical security, then a mechanism to handle visitors is required. Often an escort is assigned to visitors, and their access and activities are monitored closely. Failing to track the actions of outsiders when they are granted access to a protected area can result in malicious activity against the most protected assets.

Exam Essentials: Understand how to handle visitors in a secure facility

The hypervisor, also known as the virtual machine monitor (VMM), is the component of virtualization that creates, manages, and operates the virtual machines.

Exam Essentials: Understand hypervisors

The applications and functions used on a mobile device need to be secured. Related concepts include key management, credential management, authentication, geotagging, encryption, application whitelisting, and transitive trust/authentication.

Exam Essentials: Understand mobile device application security

Device security involves the range of potential security options or features that may be available for a mobile device. Not all portable electronic devices (PEDs) have good security features. PED security features include full device encryption, remote wiping, lockout, screen locks, GPS, application control, storage segmentation, asset tracking, inventory control, mobile device management, device access control, removable storage, and the disabling of unused features.

Exam Essentials: Understand mobile device security

Media storage facilities should be designed to securely store blank media, reusable media, and installation media. The concerns include theft, corruption, and data remnant recovery. Media storage protections include locked cabinets or safes, using a librarian/custodian, implementing a check-in/check-out process, and using media sanitization.

Exam Essentials: Understand security needs for media storage

Input/output devices can be subject to eavesdropping and tapping, used to smuggle data out of an organization, or used to create unauthorized, insecure points of entry into an organization's systems and networks. Be prepared to recognize and mitigate such vulnerabilities.

Exam Essentials: Understand security risks that input and output devices can pose

A smart device is a range of mobile devices that offer the user a plethora of customization options, typically through installing apps, and may take advantage of on-device or in-the-cloud artificial intelligence (AI) processing.

Exam Essentials: Understand smart devices

Split knowledge means that the information or privilege required to perform an operation is divided among multiple users. This ensures that no single person has sufficient privileges to compromise the security of the environment. M of N Control is an example of split knowledge.

Exam Essentials: Understand split knowledge

Zero-knowledge proof is a communication concept. A specific type of information is exchanged, but no real data is transferred, as with digital signatures and digital certificates.

Exam Essentials: Understand the concept of zero-knowledge proof

Evidence storage is used to retain logs, drive images, virtual machine snapshots, and other datasets for recovery, internal investigations, and forensic investigations. Protections include dedicated/isolated storage facilities, offline storage, activity tracking, hash management, access restrictions, and encryption.

Exam Essentials: Understand the concerns of evidence storage

Codes are cryptographic systems of symbols that operate on words or phrases and are sometimes secret but don't always provide confidentiality. Ciphers, however, are always meant to hide the true meaning of a message. Know how the following types of ciphers work: transposition ciphers, substitution ciphers (including one-time pads), stream ciphers, and block ciphers.

Exam Essentials: Understand the difference between code and a cipher and explain the basic types of ciphers

Single-state processors are capable of operating at only one security level at a time, whereas multistate processors can simultaneously operate at multiple security levels.

Exam Essentials: Understand the differences between single-state processors and multistate processors

Cryptographic keys provide the necessary element of secrecy to a cryptosystem. Modern cryptosystems utilize keys that are at least 128 bits long to provide adequate security. It's generally agreed that the 56-bit key of the Data Encryption Standard (DES) is no longer sufficiently long to provide security.

Exam Essentials: Understand the importance of key security

Public keys are freely shared among communicating parties, whereas private keys are kept secret. To encrypt a message, use the recipient's public key. To decrypt a message, use your own private key. To sign a message, use your own private key. To validate a signature, use the sender's public key.

Exam Essentials: Understand the key types used in asymmetric cryptography

Audit trails and access logs are useful tools even for physical access control. They may need to be created manually by security guards. Or they can be generated automatically if sufficiently automated access control mechanisms are in place (in other words, smartcards and certain proximity readers). You should also consider monitoring entry points with CCTV. Through CCTV, you can compare the audit trails and access logs with a visually recorded history of the events. Such information is critical to reconstructing the events of an intrusion, breach, and attack.

Exam Essentials: Understand the need for audit trails and access logs

Power supplied by electric companies is not always consistent and clean. Most electronic equipment demands clean power in order to function properly. Equipment damage because of power fluctuations is a common occurrence. Many organizations opt to manage their own power through several means. A UPS is a type of self-charging battery that can be used to supply consistent clean power to sensitive equipment. UPSs also provide continuous power even after the primary power source fails. A UPS can continue to supply power for minutes or hours depending on its capacity and the draw by equipment.

Exam Essentials: Understand the need for clean power

In the public key infrastructure, certificate authorities (CAs) generate digital certificates containing the public keys of system users. Users then distribute these certificates to people with whom they want to communicate. Certificate recipients verify a certificate using the CA's public key.

Exam Essentials: Understand the public key infrastructure (PKI)

Cloud computing and virtualization, especially when combined, have serious risks associated with them. Once sensitive, confidential, or proprietary data leaves the confines of the organization, it also leaves the protections imposed by the organizational security policy and resultant infrastructure. Cloud services and their personnel might not adhere to the same security standards as your organization.

Exam Essentials: Understand the risks associated with cloud computing and virtualization

Confidentiality is one of the major goals of cryptography. It protects the secrecy of data while it is both at rest and in transit. Integrity provides the recipient of a message with the assurance that data was not altered (intentionally or unintentionally) between the time it was created and the time it was accessed. Nonrepudiation provides undeniable proof that the sender of a message actually authored it. It prevents the sender from subsequently denying that they sent the original message.

Exam Essentials: Understand the role that confidentiality, integrity, and nonrepudiation play in cryptosystems

Common security capabilities include memory protection, virtualization, and Trusted Platform Module (TPM).

Exam Essentials: Understand the security capabilities of information systems

A wiring closet is where the networking cables for a whole building or just a floor are connected to other essential equipment, such as patch panels, switches, routers, LAN extenders, and backbone channels. Most of the security for a wiring closet focuses on preventing physical unauthorized access. If an unauthorized intruder gains access to the area, they may be able to steal equipment, pull or cut cables, or even plant a listening device.

Exam Essentials: Understand the security concerns of a wiring closet

Digital rights management (DRM) solutions allow content owners to enforce restrictions on the use of their content by others. DRM solutions commonly protect entertainment content, such as music, movies, and e-books but are occasionally found in the enterprise, protecting sensitive information stored in documents.

Exam Essentials: Understand uses of digital rights management (DRM)

A buffer overflow occurs when the programmer fails to check the size of input data prior to writing the data into a specific memory location. In fact, any failure to validate input data could result in a security violation.

Exam Essentials: Understand what buffer overflows and input checking are

Without control over the physical environment, no amount of administrative or technical/logical access controls can provide adequate security. If a malicious person can gain physical access to your facility or equipment, they can do just about anything they want, from destruction to disclosure and alteration.

Exam Essentials: Understand why there is no security without physical security

Work function, or work factor, is a way to measure the strength of a cryptography system by measuring the effort in terms of cost and/or time to decrypt messages. Usually the time and effort required to perform a complete brute-force attack against an encryption system is what a work function rating represents. The security and protection offered by a cryptosystem is directly proportional to the value of its work function/factor.

Exam Essentials: Understand work function (work factor)

"There are no traffic jams along the extra mile" -Roger S.

Hey Remember:

The primary components of the trusted computing base (TCB) are the hardware and software elements used to enforce the security policy (these elements are called the TCB), the security perimeter distinguishing and separating TCB components from non-TCB components, and the reference monitor that serves as an access control device across the security perimeter.

Written Lab: Describe the primary components of TCB.

This message is decrypted by using the following function: P = (C-3) mod 26

C: F R Q J U D W X O D W L R Q V B R X J R W L W
P: C O N G R A T U L A T I O N S Y O U G O T I T

Written Lab: Decrypt the message "FRQJUDWXODWLRQVBRXJRWLW" using the Caesar ROT3 substitution cipher

The first step in encrypting this message requires the assignment of numeric column values to the letters of the secret password:

S E C U R E
5 2 1 6 4 3

Next, the letters of the message are written in order underneath the letters of the keyword:

S E C U R E
5 2 1 6 4 3
I W I L L P
A S S T H E
C I S S P E
X A M A N D
B E C O M E
C E R T I F
I E D N E X
T M O N T H

Finally, the sender enciphers the message by reading down each column; the order in which the columns are read corresponds to the numbers assigned in the first step. This produces the following ciphertext:

ISSMCRDOWSIAEEEMPEEDEFXHLHPNMIETIACXBCITLTSAOTNN

Written Lab: Encrypt the message "I will pass the CISSP exam and become certified next month" using columnar transposition with the keyword SECURE

Alice should encrypt the digital signature in Bob's message using Bob's public key. She should then create a message digest from the plaintext message using the same hashing algorithm Bob used to create the digital signature. Finally, she should compare the two message digests. If they are identical, the signature is authentic.

Written Lab: Explain the process Alice should use to verify the digital signature on the message in the previous question ("Explain the process Bob should use to digitally sign a message to Alice").

Alice should decrypt the message using her private key.

Written Lab: Explain the process Alice would use to decrypt the message Bob sent in question 1.

Bob should generate a message digest using Alice's public key and then transmit the encrypted message to Alice.

Written Lab: Explain the process Bob should use if he wants to send a confidential message to Alice using asymmetric cryptography.

Bob should generate a message digest from the plaintext message using a hash function. He should then encrypt the message digest using his own private key to create the digital signature. Finally, he should append the digital signature to the message and transmit it to Alice.

Written Lab: Explain the process Bob should use to digitally sign a message to Alice.

Security models include:
1. state machine
2. information flow
3. noninterference
4. Take-Grant
5. access control matrix
6. Bell-LaPadula
7. Biba
8. Clark-Wilson
9. Brewer and Nash (aka Chinese Wall)
10. Goguen-Meseguer
11. Sutherland
12. Graham-Denning

Written Lab: Name at least 7 security models.

Some vulnerabilities found in distributed architecture include:
- sensitive data found on desktops/terminals/notebooks
- lack of security understanding among users
- greater risk of physical component theft
- compromise of a client leading to the compromise of the whole network
- greater risk from malware because of user-installed software and removable media
- data on clients less likely to be included in backups

Written Lab: Name some vulnerabilities found in distributed architectures.

The three pairs of aspects or features used to describe storage are:
- primary vs. secondary
- volatile vs. nonvolatile
- random vs. sequential

Written Lab: Name the three pairs of aspects or features used to describe storage.

The three standard cloud-based X as-a-service options are platform as a service (PaaS), software as a service (SaaS), and infrastructure as a service (IaaS). PaaS is the concept of providing a computing platform and software solution stack as a virtual or cloud-based service. Essentially, this type of cloud solution provides all the aspects of a platform (that is, the operating system and complete solution package). The primary attraction of PaaS is the avoidance of having to purchase and maintain high-end hardware and software locally. SaaS is a derivative of PaaS. SaaS provides on-demand online access to specific software applications or suites without the need for local installation. In many cases, there are few local hardware and OS limitations. SaaS can be implemented as a subscription, a pay-as-you-go service, or a free service. IaaS takes the PaaS model yet another step forward and provides not just on-demand operating solutions but complete outsourcing options. This can include utility or metered computing services, administrative task automation, dynamic scaling, virtualization services, policy implementation and management services, and managed/filtered internet connectivity. Ultimately, IaaS allows an enterprise to scale up new software or data-based services/solutions through cloud systems quickly and without having to install massive hardware locally.

Written Lab: Name the three standard cloud-based X as-a-service options and briefly describe them.

The four security modes are:
- dedicated
- system high
- compartmented
- multilevel

Written Lab: What are the four security modes for systems processing classified information?

The two primary rules of Bell-LaPadula are the simple rule of no read-up and the star rule of no write-down. The two rules of Biba are the simple rule of no read-down and the star rule of no write-up.

Written Lab: What are the two primary rules or principles of the Bell-LaPadula security model? Also, what are the two rules of Biba?

An open system is one with published APIs that allow third parties to develop products to interact with it. A closed system is one that is proprietary with no third-party product support. Open source is a coding stance that allows others to view the source code of a program. Closed source is an opposing coding stance that keeps source code confidential.

Written Lab: What is the difference between open and closed systems and open and closed source?

The major obstacle to the widespread adoption of one-time pad cryptosystems is the difficulty in creating and distributing the very lengthy keys on which the algorithm depends.

Written Lab: What is the major hurdle preventing the widespread adoption of one-time pad cryptosystems to ensure data confidentiality?

