SANS CISSP study guide Flashcards

Terms Definitions
Phone Line, killed by DSL, used for backups
Asymmetric DSL (ADSL). Faster downloads than uploads
Faster than ADSL, faster downloads than uploads
Used for T1 lines
An active entity on an information system.
A passive data file.
Discretionary Access Control (DAC)
Gives subjects full control of objects they have been given access to, including sharing the objects with other subjects.
Mandatory Access Control (MAC)
System-enforced access control based on subject’s clearances and object’s labels.
Role-Based Access Control (RBAC)
Subjects are grouped into roles, and each defined role has access permissions based upon the role, not the individual.
Least privilege
means users should be granted the minimum amount of access (authorization) required to do their jobs, but no more.
Centralized access control
concentrates access control in one logical point for a system or organization.
An unencrypted message in its ORIGINAL FORM! Even an executable can fall into this category
An encrypted message in its encrypted form
The science of secure communications
Symmetric Encryption
Encryption that uses one key to encrypt and decrypt.
Asymmetric Encryption
Encryption that uses two keys; if you encrypt with one, you may decrypt with the other.
creates messages whose meaning is hidden
is the science of breaking encrypted messages (recovering their meaning)
is a cryptographic algorithm.
Art and science of hiding the meaning of a communication from everyone except the intended recipients. The word cryptography comes from the Greek words kryptos (hidden) and graphein (to write)
Encompasses cryptography and cryptanalysis
The art and science of testing an algorithm's strength by trying to break it.
Situation in which a plaintext message generates identical ciphertext messages using the same transformation algorithm, but with different cryptovariables or keys
Block cipher
Obtained by segmenting the plaintext into blocks of n characters or bits and applying the identical encryption algorithm and key to each block
Coding a message in such a way that its meaning is concealed
The process of transforming an encrypted message back into its ORIGINAL FORM
The secrecy of the ciphertext is based on the secrecy of the <BLANK>
The KEY, NOT!! the secrecy of the algorithm (Kerckhoffs's principle). The algorithm should be public and should have survived roughly ten years of open analysis before it is considered strong.
In an algorithm, what does C =?
In an algorithm, what does D=?
What is a way that substitution can be used in an algorithm?
D(E(M,K),K) = M, or E(D(C,K),K) = C
In what historical order did cryptography come in
Egyptians (hieroglyphics), Spartan scytale, Caesar cipher
Mono-Alphabetic Ciphers such as Rotation ciphers and the Caesar Cipher are subject to what type of attack?
Frequency Analysis
Examples of rotor (Hebern-type) crypto machines
Red and Purple, Enigma, SIGABA
Example of an OTP(One Time Pad) Cipher
Vernam Cipher
Example of Mono-Alphabetic Cipher
Example of Polyalphabetic Cipher
Enigma, Red and Purple, SIGABA
COCOM (Coordinating Committee for Multilateral Export Controls)
17 members; in 1991 allowed export of encryption; aimed to prevent crypto from being exported to dangerous countries
Wassenaar Arrangement
1995, 28 countries; the follow-up to COCOM. Symmetric crypto free for export; export of other crypto still requires a license
European Union Controls
Regulated by the Council Regulations (EC)No. 1334/2000, Focused on Export of Encryption
United States Controls
No import restrictions; signed the Wassenaar Arrangement but with stricter export controls. Export controls were loosened in July 2000 (retail crypto, crypto source code)
What are countries concerned with in Crypto
Focused on the Export mostly. But they are concerned about import, export and internal
What is the Crypto Life Cycle
Cryptography Limitations, Algorithm Selection, Protocol Governance, Key Management
What are the core goals of Cryptography
Authentication, Confidentiality, Data Integrity, Non-Repudiation
What core goal of security does Cryptography not address?
What does non-repudiation mean
Cannot deny or dispute the validity of a contract or statement
Symmetric (Secret Key) algorithms
(TRRIAD) -> Triple DES, RC4, RC6, IDEA, AES, DES
What does Symmetric (Secret Key) provide?
what does Hash (One way transformation) provide?
what does Asymmetric Encryption (Public Key Crypto) provide?
what does Digital Signatures Hash + Asymmetric provide?
What does Symmetric (Secret Key) require to happen?
Requires a secure channel
1) Pre-shared key
2) Asymmetric
3) Diffie Hellman Key exchange

Crypto attacks are focused on plaintext and the encryption process
What does RSA use?
RSA – factoring a large number into its prime factors
What does El Gamal use?
El Gamal – solving the discrete logarithm problem in finite fields
What does ECC use?
ECC (elliptic curve crypto) – solving the discrete logarithm problem over elliptic curves
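Worked example, added here and not taken from the study guide: the Diffie-Hellman key exchange listed above as one way to get a symmetric key across an insecure channel, run from both sides, followed by what an eavesdropper has to do to recover the secret. The prime, generator and private exponents are constructed toy values, chosen so the brute-force discrete logarithm finishes in well under a second; with a 2048-bit group the same search is hopeless, which is the "discrete logarithm problem in finite fields" that Diffie-Hellman and El Gamal rely on.

```python
# Added example (not from the study guide): Diffie-Hellman exchange and the
# eavesdropper's discrete-log problem, on constructed toy parameters.

P = 1_000_003            # toy prime modulus (constructed; far too small for real use)
G = 2                    # toy generator
ALICE_PRIV = 424_242     # in practice: fresh random values, never reused
BOB_PRIV = 777_777

def dh_public(private: int, g: int = G, p: int = P) -> int:
    """Public value g^private mod p; this is what crosses the insecure channel."""
    return pow(g, private, p)

def dh_shared(peer_public: int, private: int, p: int = P) -> int:
    """Shared secret peer_public^private mod p, computed independently by each side."""
    return pow(peer_public, private, p)

def run_exchange(a: int = ALICE_PRIV, b: int = BOB_PRIV):
    """Both halves of the protocol. Returns (Alice's secret, Bob's secret, A, B);
    only A and B are visible on the wire, and both secrets are equal."""
    A = dh_public(a)          # Alice -> Bob
    B = dh_public(b)          # Bob -> Alice
    return dh_shared(B, a), dh_shared(A, b), A, B

def brute_force_dlog(target: int, g: int = G, p: int = P):
    """Solve g^x = target (mod p) by trying x = 0, 1, 2, ... One multiplication
    per step, so the cost grows with the size of the group: this is the
    discrete logarithm problem. Returns None if no solution exists."""
    value = 1
    for x in range(p - 1):
        if value == target:
            return x
        value = (value * g) % p
    return None

def eavesdrop(A: int, B: int) -> int:
    """Passive attacker who captured A and B: recover one private exponent by
    solving a discrete log, then derive the secret exactly as Alice would."""
    a = brute_force_dlog(A)
    return dh_shared(B, a)

if __name__ == "__main__":
    s_alice, s_bob, A, B = run_exchange()
    print("Alice:", s_alice, "Bob:", s_bob, "on the wire:", A, B)
    print("eavesdropper recovers:", eavesdrop(A, B))
```

Note that a passive eavesdropper is the only adversary this defeats: without authentication of A and B (certificates, a pre-shared key, or a signature) an active attacker can sit in the middle and run two separate exchanges.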
Asymmetric Public Key Crypto Algorithms
(CLEEMR)-> Chor Rivest, LUC, ECC, El Gamal, Merkle-Hellman, RSA
What are symmetric key focused attacks?
Crypto attacks are focused on plaintext and the encryption process
What are asymmetric key focused attacks?
Crypto attacks are focused on the ciphertext and the decryption process
Asymmetric Encryption (Public Key Crypto)
RSA, El Gamal, ECC (each rests on the hard problem listed above: factoring, discrete logs in finite fields, discrete logs over elliptic curves)

Public keys are sent via digital certificates
Private keys are kept private

Crypto attacks are focused on the ciphertext and the decryption process
Hash (One way transformation)
Collision – when 2 different inputs produce the same output
Acceptable because:
1) There is no way to predict a collision
2) Similar items will not collide
Digital Signatures
Hash + Asymmetric
Message hash encrypted with the sender's private key
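Worked example, added here and not the study guide's own code: the "hash + asymmetric" signature above in working form. SHA-256 from the standard library hashes the message, textbook RSA signs the digest with the private key, and the receiver recovers the digest with the public key and compares it with a fresh hash of what arrived. The key pair is built from two hard-coded Mersenne primes so the example runs offline and deterministically; that is a constructed toy choice and NOT secure (such primes are trivial to recognise), and real code uses a vetted library with proper padding (PSS) and randomly generated primes.

```python
# Added example (not from the study guide): digital signature = hash + RSA.
import hashlib

P = 2**127 - 1            # Mersenne prime (toy choice, insecure)
Q = 2**521 - 1            # Mersenne prime (toy choice, insecure)
N = P * Q                 # public modulus (~648 bits, so a 256-bit digest fits below it)
E = 65537                 # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: E * D = 1 mod phi(N)

def digest(message: bytes) -> int:
    """SHA-256 of the message as an integer; the signature is computed over this, not the message."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Sender: 'encrypt' the hash with the private key."""
    h = digest(message)
    assert h < n, "digest must be smaller than the modulus"
    return pow(h, d, n)

def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Receiver: recover the hash with the public key and compare with a fresh
    hash of the received message. Any change to message or signature fails."""
    return pow(signature, e, n) == digest(message)

# Constructed sample message.
MESSAGE = b"Transfer 100 EUR to account 1234"

if __name__ == "__main__":
    sig = sign(MESSAGE)
    print("genuine:         ", verify(MESSAGE, sig))
    print("tampered message:", verify(b"Transfer 900 EUR to account 1234", sig))
    print("tampered sig:    ", verify(MESSAGE, sig ^ 1))
```

Because only the holder of D can produce a value that E "opens" to the digest, a valid signature gives integrity, authentication of the sender, and the non-repudiation listed among the core goals; the hash step is what lets a fixed-size RSA operation cover a message of any length.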
What are Hash (One way transformation) algorithms?
Electronic Code Book (ECB) - native DES mode, block cipher. Weak because every block is encrypted independently with the same key, so identical plaintext blocks produce identical ciphertext blocks and patterns in the plaintext show through. Predictable.
Cipher Block Chaining (CBC) - more secure. The first plaintext block is XORed with an IV before encryption; each later plaintext block is XORed with the previous ciphertext block before encryption, so identical plaintext blocks encrypt differently
What key length does IDEA use?
128bit key which operates on 64bit plaintext blocks
What is Counter Mode and what uses it?
It is used by ATM and IPSec. It encrypts a counter block (a 64-bit random nonce combined with a block counter) to produce keystream, incrementing the counter by 1 for every block so that every block gets different keystream
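Worked example, added here and not part of the study guide: ECB, CBC and counter mode built on a deliberately simple 64-bit toy block cipher (constructed for the example so it has no dependencies; it is NOT a real cipher and the key, IV, nonce and plaintext are all made up). The point is the mode, not the cipher: with repetitive plaintext ECB leaks which blocks are equal, CBC hides that by chaining through the IV, and CTR turns the block cipher into a keystream that needs no padding.

```python
# Added example (not from the study guide): ECB vs CBC vs CTR on a toy block cipher.
import random

BLOCK = 8
_rng = random.Random(2024)                      # fixed seed -> reproducible toy S-box
SBOX = list(range(256)); _rng.shuffle(SBOX)
INV_SBOX = [0] * 256
for _i, _v in enumerate(SBOX):
    INV_SBOX[_v] = _i

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy cipher: XOR with key, byte substitution, rotate bytes left by 3. Not secure."""
    x = bytes(SBOX[b ^ k] for b, k in zip(block, key))
    return x[3:] + x[:3]

def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    x = block[-3:] + block[:-3]
    return bytes(INV_SBOX[b] ^ k for b, k in zip(x, key))

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pad(data: bytes) -> bytes:            # PKCS#7-style padding up to a whole block
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    return data[:-data[-1]]

def blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    """Each block on its own: equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(toy_encrypt_block(key, b) for b in blocks(pad(pt)))

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    """First block XORed with the IV, every later block with the previous ciphertext block."""
    out, prev = [], iv
    for b in blocks(pad(pt)):
        prev = toy_encrypt_block(key, xor(b, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(toy_decrypt_block(key, c), prev))
        prev = c
    return unpad(b"".join(out))

def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter mode: encrypt nonce||counter (counter +1 per block) to get keystream
    and XOR it with the data. Encrypt and decrypt are the same operation and no
    padding is needed. A nonce must never be reused under the same key."""
    out = []
    for i, b in enumerate(blocks(data)):
        keystream = toy_encrypt_block(key, nonce + i.to_bytes(4, "big"))
        out.append(xor(b, keystream))
    return b"".join(out)

def repeated_blocks(ct: bytes) -> int:
    """How many ciphertext blocks duplicate an earlier one (what an observer sees)."""
    bs = blocks(ct)
    return len(bs) - len(set(bs))

# Constructed sample: repetitive plaintext, the case where ECB is at its worst.
KEY = b"8-byte-k"
IV = bytes(range(8))
NONCE = b"\x00\x00\x00\x07"
PT = b"ATTACK AT DAWN. " * 4

if __name__ == "__main__":
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(KEY, PT)))
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(KEY, IV, PT)))
    print("CTR round trip ok:  ", ctr_crypt(KEY, NONCE, ctr_crypt(KEY, NONCE, PT)) == PT)
```

The ECB count is the leak: six of the nine ciphertext blocks repeat, exactly mirroring the repeats in the plaintext, while the CBC ciphertext of the same message shows none.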
What attack is Double DES vulnerable to?
The meet-in-the-middle attack
What key length does Double DES have?
Nominally 112 bits (2 x 56), but only an effective key length of about 57 bits because of the meet-in-the-middle attack
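Worked example, added here and not from the study guide: why encrypting twice with two independent keys does not double the effective key length. A constructed 16-bit toy block cipher with a 16-bit key stands in for DES, so "double encryption" has a 32-bit key pair; the meet-in-the-middle attack recovers it with roughly 2 x 2^16 cipher operations plus a lookup table instead of 2^32 trials. The same argument is what reduces 2DES from 112 to about 57 bits. The cipher, key pair and known plaintexts are all made up for the example.

```python
# Added example (not from the study guide): meet-in-the-middle on double encryption.
MASK = 0xFFFF
ROUNDS = 4

def rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (16 - n))) & MASK

def rotr(x: int, n: int) -> int:
    return ((x >> n) | (x << (16 - n))) & MASK

def toy_enc(key: int, x: int) -> int:
    """Toy 16-bit block cipher (XOR, add, rotate); invertible, not secure."""
    for r in range(ROUNDS):
        x ^= key
        x = (x + ((key * (r + 1)) & MASK)) & MASK
        x = rotl(x, 5)
    return x

def toy_dec(key: int, x: int) -> int:
    for r in reversed(range(ROUNDS)):
        x = rotr(x, 5)
        x = (x - ((key * (r + 1)) & MASK)) & MASK
        x ^= key
    return x

def double_enc(k1: int, k2: int, x: int) -> int:
    """'Double DES' shape: encrypt under k1, then under k2."""
    return toy_enc(k2, toy_enc(k1, x))

def meet_in_the_middle(pairs):
    """pairs: known (plaintext, ciphertext) pairs under one secret (k1, k2).
    Step 1: encrypt the first plaintext under every k1, index results by value.
    Step 2: decrypt the first ciphertext under every k2; a hit in the table
    yields a candidate (k1, k2), which the remaining pairs confirm or reject.
    Work: 2 * 2^16 cipher calls (+ a 2^16-entry table) instead of 2^32.
    Several pairs are needed because a 16-bit block gives many false matches."""
    (p0, c0), rest = pairs[0], pairs[1:]
    table = {}
    for k1 in range(1 << 16):
        table.setdefault(toy_enc(k1, p0), []).append(k1)
    found = []
    for k2 in range(1 << 16):
        for k1 in table.get(toy_dec(k2, c0), ()):
            if all(double_enc(k1, k2, p) == c for p, c in rest):
                found.append((k1, k2))
    return found

# Constructed secret key pair and known-plaintext pairs.
K1, K2 = 0xBEEF, 0x1337
PAIRS = [(p, double_enc(K1, K2, p)) for p in (0x0000, 0x1234, 0xABCD, 0x5A5A)]

if __name__ == "__main__":
    print("recovered key pairs:", [(hex(a), hex(b)) for a, b in meet_in_the_middle(PAIRS)])
```

Triple DES in EDE form resists this because the middle step forces the attacker to meet after two encryptions on one side, which costs 2^112 rather than 2^56.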
What is 2 key or downward compatible DES?
112-bit key (2 x 56), EDE (encrypt-decrypt-encrypt)
What is default 3DES
168-bit key (3 x 56). Normally three-key EDE (encrypt-decrypt-encrypt); EEE is a variant
What key lengths does AES support?
128, 192, 256
When was the contest for AES started?
January 1997 by NIST
AES is a block cipher?
What was AES in August of 1998?
It was called Rijndael. There were 15 AES candidates in the NIST competition
What did NIST announce in 1999
There were 5 finalists in the AES competition, Rijndael being one of them.
When was Rijndael selected as AES
October 2, 2000
What did FIPS approve on December 26, 2001?
NIST announced FIPS 197, which specifies AES as the official government standard
What is the key length of SAFER?
64 & 128 bit
What are characteristics of Blowfish?
- Symmetric block cipher, considered unbreakable using current technology
What is two fish?
Successor to Blowfish by the same designer (Bruce Schneier); it was one of the AES finalists
What are characteristics of RC5
Block cipher with a variable block size (32, 64 or 128 bits), a variable number of rounds, and a variable key length from 0 to 2040 bits
How much faster is DES than RSA
1000 times in hardware and 100 times in software
Comparison of Asymetric and Symmetric key sizes
512-bit asymmetric ≈ 64-bit symmetric; 1792-bit asymmetric ≈ 112-bit symmetric; 2304-bit asymmetric ≈ 128-bit symmetric
What attack are hashes vulnerable to?
The birthday attack
Brute force
Try every combination of keys and passwords
Man-in-the-middle attack
Attackers intercept messages between two parties, reading or altering them before passing them on to the intended receiver
Known plain text attack
Portions of the plaintext and corresponding portions of the ciphertext are known
Ciphertext only attack
Only ciphertext is known. This is the attack you can always expect, because an attacker will always have access to your ciphertext
Chosen plaintext
The attacker chooses plaintexts, has them encrypted by the device holding the unknown secret key, and collects the corresponding ciphertext
Adaptive chosen plaintext
Chosen plaintext attack in which each new input is chosen based on the results of previous rounds
Chosen ciphertext
The attacker chooses ciphertexts and obtains the corresponding plaintext
Adaptive chosen ciphertext
Chosen ciphertext attack in which each iteration depends upon previous results
What type of attack target asymmetric algorithms?
Asymmetric attacks focus on ciphertext in the decryption process
What type of attack focuses on symmetric algorithms?
Attacks are focused on plaintext and the encryption process
Analytical Crypto attack
Using the mathematics of the algorithm to deduce the key or reduce the space to be searched. Basically eliminating weak or invalid keys
Statistical crypto attack
The same as frequency analysis. Uses statistical characteristics of the language or weaknesses in the keys
Differential crypto attack
Analyzes how differences between pairs of plaintexts propagate into differences between the resulting ciphertexts
Linear crypto attack
A linear analysis of pairs of plaintext and ciphertext
Differential linear crypto attack
Combines differential analysis with linear analysis
What attack are hashes vulnerable to?
The birthday attack!

Collisions will occur more often than you think, but similar items will not collide. This is important.
When 23 people are put together, the odds are greater than half that two or more people share a birthday
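Worked example, added here and not from the study guide: the birthday bound, first for birthdays and then applied to a hash. Truncating SHA-256 to 24 bits models a hash with a small output; a collision turns up after a few thousand inputs, roughly the square root of 2^24 rather than 2^24. That is why a hash needs an output twice as long as the collision resistance it is meant to provide. The last function shows the other half of the card: similar inputs do not give similar hashes. All inputs are constructed strings.

```python
# Added example (not from the study guide): birthday probability and a birthday attack.
import hashlib
import math
from itertools import count

def birthday_probability(n: int, days: int = 365) -> float:
    """P(at least two of n people share a birthday), exact product formula."""
    p_all_distinct = 1.0
    for i in range(n):
        p_all_distinct *= (days - i) / days
    return 1 - p_all_distinct

def truncated_hash(msg: bytes, bits: int) -> int:
    """First `bits` bits of SHA-256(msg); models a hash with a short output."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)

def find_collision(bits: int):
    """Birthday attack: hash distinct inputs until two agree.
    Returns (input_a, input_b, number_of_inputs_hashed)."""
    seen = {}
    for i in count():
        msg = f"msg-{i}".encode()
        tag = truncated_hash(msg, bits)
        if tag in seen:
            return seen[tag], msg, i + 1
        seen[tag] = msg

def expected_tries(bits: int) -> float:
    """Birthday bound: about sqrt(pi/2 * 2^bits) inputs before the first collision."""
    return math.sqrt(math.pi / 2 * 2 ** bits)

def differing_bits(a: bytes, b: bytes) -> int:
    """How many of the 256 output bits differ between SHA-256(a) and SHA-256(b).
    For a good hash this is about half of them even when a and b differ by one character."""
    x = int.from_bytes(hashlib.sha256(a).digest(), "big")
    y = int.from_bytes(hashlib.sha256(b).digest(), "big")
    return bin(x ^ y).count("1")

if __name__ == "__main__":
    print("23 people share a birthday with probability", round(birthday_probability(23), 3))
    a, b, tries = find_collision(24)
    print(f"24-bit collision after {tries} inputs (bound ~{expected_tries(24):.0f}): {a!r} vs {b!r}")
    print("bits differing, 'password1' vs 'password2':", differing_bits(b"password1", b"password2"))
```

The same square-root rule is why a 128-bit hash gives only about 64 bits of collision resistance, and why the attack works regardless of how strong the hash function's internals are: it only exploits the size of the output space.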
What are the steps in the PKI SSL or any other use of PKI process?
1.) Client Web Request
2.) Server responds
3.) Client Validates certificate & crypto
4.) Client encrypts the session key
5.) session key exchange
6.) server decrypts the session key
7.) Encrypted messages are exchanged
What was Silvio Micali's Fair Cryptosystem?
A key escrow scheme: the key is split among different people in the organization, each holding a share (an allotment of points). They vote, and if enough shares are combined they can decrypt the information.
what does IPSec AH offer?
Integrity and data-origin authentication (plus anti-replay); no confidentiality. Because AH uses a shared-key MAC, it does not provide true non-repudiation
What does IPSec ESP offer?
Integrity, authentication and confidentiality. Its authentication covers only the ESP payload, not the outer IP header. Used for VPNs over the Internet
What are some properties of IPSec SA's?
They are unidirectional, so a pair is required between two entities. Example: with AH alone you need two SAs, one per direction; with ESP alone, two; with both AH and ESP, four (two per direction)
What are the 3 types of Stego
1.) Injection - Find information in the host file that will be ignored and insert the message there. The file's size grows and can become noticeable
2.) Substitution - Overwrite information that is insignificant (for example, the least significant bits). Size does not increase, but it could result in data degradation
3.) Generate a new file - No host file; the carrier is generated on the fly based on the secret message
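Worked example, added here and not from the study guide: substitution steganography, the second type above. The secret overwrites the least significant bit of each carrier byte, so the carrier keeps its size and no byte moves by more than 1, which is the "data degradation" the card refers to. The carrier is a constructed buffer of pseudo-random bytes standing in for 8-bit greyscale pixels, so no image library is needed; the length prefix format is an assumption of this example.

```python
# Added example (not from the study guide): LSB substitution stego on a fake pixel buffer.
import random

def embed(carrier: bytes, secret: bytes) -> bytes:
    """Write a 4-byte length prefix plus the secret into the LSBs of the carrier."""
    payload = len(secret).to_bytes(4, "big") + secret
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(carrier):
        raise ValueError(f"carrier too small: {len(bits)} bits needed, {len(carrier)} available")
    out = bytearray(carrier)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit       # substitute only the lowest bit
    return bytes(out)

def _read_bytes(stego: bytes, offset: int, n: int) -> bytes:
    """Reassemble n bytes from the LSBs starting at carrier index `offset`."""
    data = bytearray()
    for k in range(n):
        value = 0
        for i in range(8):
            value = (value << 1) | (stego[offset + 8 * k + i] & 1)
        data.append(value)
    return bytes(data)

def extract(stego: bytes) -> bytes:
    """Read the length from the first 32 LSBs, then that many bytes after them."""
    length = int.from_bytes(_read_bytes(stego, 0, 4), "big")
    return _read_bytes(stego, 32, length)

def max_byte_change(a: bytes, b: bytes) -> int:
    """Largest per-pixel difference between carrier and stego file (the degradation)."""
    return max(abs(x - y) for x, y in zip(a, b))

# Constructed carrier: 4096 pseudo-random "pixels" (fixed seed, reproducible).
CARRIER = bytes(random.Random(7).getrandbits(8) for _ in range(4096))
SECRET = b"meet at the usual place at 0400"

if __name__ == "__main__":
    stego = embed(CARRIER, SECRET)
    print("size unchanged:      ", len(stego) == len(CARRIER))
    print("max change per pixel:", max_byte_change(CARRIER, stego))
    print("extracted:           ", extract(stego))
```

Detection is the flip side: an LSB plane overwritten with structured data has different statistics from the noise-like LSB plane of a real photograph, which is what steganalysis tools look for.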
Thin Client and processing
gives more central control over the system, which helps security
What is Privileged or Kernel mode
It is a protected area of the OS responsible for memory, process, disk and task management. Operate in this mode only for the minimum time needed to accomplish the task.
What is user or un-privileged mode?
The layer of the OS where user applications run. It is limited in what it can do and what hardware it can access or interact with. LEAST PRIVILEGE!!!
What are 4 OS protection mechanisms?
1.) Layering - Kernel layer, driver layer, app layer, user layer
2.) Abstraction - copy file example. Not showing what happens behind the scenes
3.) Process isolation - Example, if a process crashes it does not take down the whole system
4.) Hardware segmentation - Basically more than one computer within a computer. Separate physical hardware
What are the 4 layers in the Ring Layer Protection?
Ring 0: Operating System Kernel
Ring 1: Operating System Components that are not part of the Kernel
Ring 2: I/O drivers and utilities
Ring 3: Applications and Programs
what are the 3 general types of programming languages?
Lowest Level: Machine Code. Binary or hex data.
Assembly: Mnemonics that have a ONE-TO-ONE correspondence to machine language. Gives direct use of the hardware
High Level: Easy to understand, ONE-TO-MANY translation to assembly language. Does not directly interact with the hardware
What is an assembler and disassembler
An assembler translates an assembly language program into a machine language program

A disassembler translates machine language back into an assembly language program
Compiler vs Interpreter
A compiler translates a high-level language program into machine language once, ahead of time. Example: C into a native executable (Java compiles to bytecode that the JVM then interprets, a hybrid). RUNS quickly after it is compiled. Best when the code does not change frequently. For security purposes, only the compiled executable is distributed, not the source.

An interpreter translates program commands one at a time as they run. Example: Python. Best if you are making a lot of changes to the code, but slower than compiled code. For security purposes, the source code has to be given out.
Components of a CPU
ALU (Arithmetic Logic Unit) - Calculating. Performs all the mathematical and logical operations

Internal Communication

Registers - Temp Storage

Control Unit - Controls and coordinates activities during code execution (The coach of the CPU)
How does information flow logically in a computer architecture?
Register -> SRAM (cache) -> DRAM -> Hard Drive (fast to slow)
Register <- SRAM (cache) <- DRAM <- Hard Drive (slow to fast)
CPU Fetch and Execute Phase
The Control Unit fetches the instruction for the ALU to execute. Execution is the ALU operating on what is in the registers
What is Pipelining
Combines the steps of different instructions
What is an Interrupt
allows for interruption of CPU execution
Complex-Instruction-Set-Computer (CISC)
Performs many operations per instruction
Reduced-Instruction-Set-Computer (RISC)
Simpler instructions using fewer cycles
Scalar Processor
Executes one instruction at a time
Superscalar Processor
Enables concurrent execution of multiple instructions
Combines the steps of different instructions
Executes multiple tasks at the same time on ONE CPU
Executes multiple programs at the same time on multiple processors
Allows more than one user to utilize the system at the same time
Interweaves execution of more than one program
What are the 2 types of RAM
SRAM - very fast, more expensive. Used as cache. Directly accessed by the CPU

DRAM - slower, cheaper. Used as main memory; this is the pool that pages are swapped to and from the hard drive
What is ROM
Read Only Memory. ROM cannot be modified while the system is running (some types can be reprogrammed, but not during normal operation). It typically holds the code that runs when the system first boots.

It wakes the Kernel up, then the Kernel starts up the rest of the system from there
What is secondary memory?
Slower, non-volatile memory. Examples are Hard Drive, Sequential Memory (TAPE)
What is memory protection?
Preventing one program from accessing and modifying the memory space contents that another program is using. The KERNEL is an example of something protected this way.
What is Virtual Memory?
Using secondary memory in conjunction with primary memory to present a CPU with a larger, apparent address space of real memory locations
What is RAM?
Random Access Memory.

-Volatile memory
- Data lost when power is lost
- Dynamic versus static
DRAM (Dynamic RAM) - main memory, the pool that pages are swapped to and from the hard drive
- Refreshed on a regular basis
- Cheapest and most common

SRAM (Static RAM) - accessed directly by the CPU; expensive
- Very fast
- Smaller capacity
- Used as cache
What is the only type of memory addressing that does not go to main memory (RAM)?
Register direct addressing. This goes to the registers on the CPU, not main memory.
What are the various ways the CPU can address memory?
CPUs can address memory in various ways:
— By directly specifying the address (direct or absolute addressing)
— By addressing the registers within a CPU (register direct addressing)
— By addressing the register that holds the data's address in main memory (register indirect addressing)
— By using an index register (indexed addressing)
— By addressing a memory location that holds the address of the desired data (indirect addressing)
What is Paging?
Paging occurs when the OS copies pages from virtual memory (disk) into main memory
What is Locked Memory?
Prevents data from being written to virtual memory. This is data that you do not want written to your Hard Drive. Example the OS and the KERNEL. This must never be paged out.

You have to be careful. The more you lock, the more real memory is unavailable. Need to have as much real memory available to minimize movement from real to virtual memory.
What is a page fault?
The request to move data from virtual memory into real memory. The actual movement is called paging.
Types of ROM
PROM - Programmable ROM
— Modifiable once
— Firmware

EPROM - Erasable and Programmable ROM
— Can be erased and reprogrammed
— Not the norm

EEPROM - Electrically Erasable ROM
— Flash memory
— Can be Written

Programmable Logic Devices (PLD)
— Integrated circuit that can be modified programmatically
— General technology for all EPROM
What are the general storage types?
Types of storage devices. First ask how long the data must be stored:

- Primary

- Secondary

- Virtual

- Write once read many (WORM) - you can only write the information once, but read it as many times as you want. Think of a CD-R. Used to store logs in areas subject to heavy litigation.

- Volatile - If it is short, then use this

- Non-volatile - If it is long time storage, use this
What is the trusted Computing Base (TCB)
Anything that has anything to do with security goes in the Trusted Computing Base:

- Security-relevant parts
- Access control mechanisms
- Reference monitor
- Kernel
- Protective mechanisms
- Monitors
* Process activation
* Process execution domain switching
* Memory protection
* I/O operations
What are 4 types of Security Models?
Trick to remembering: the ones with an "I" in them (Biba, Clark-Wilson) deal with integrity; Bell-LaPadula does not.
- Lattice
- Confidentiality: Bell-LaPadula
- Integrity: Biba
- Integrity in a commercial setting: Clark-Wilson
What does the Lattice Security Model address?
A visual way to show where information can and cannot flow. A formal way of diagramming information flow within a computer system.

* Deals with information flow
* Formalizes multilevel security models
* Shows how information can or cannot flow
* Drawn as a graph with directed arrows
- Greatest lower bound
- Least upper bound
What is Bell-LaPadula (BLP)?
* Deals with confidentiality
* Two key principles:
— No Read Up (Simple Security Property)
* The obvious protection against information leakage
— No Write Down (* Property)
*To prevent write-down trojans from de-classifying information
What is BIBA?
- Deals with integrity
- Opposite of BLP
- Two key principles:
*No Read Down (Simple Integrity Property)
* No Write Up (Integrity * Property)
What is the STRONG * Property?
Under the strong * property a subject can write only at its own level: no write up and no write down. Reading down is still allowed under BLP; the strong * property restricts writes only.

It is often summarised as being stuck at a single level for writing: only within your own level are you allowed to write.
What is Clark-Wilson?
Deals with integrity
— Unauthorized users cannot make changes.
— This model maintains internal and external consistency at the system level.
— Authorized users cannot make unauthorized changes.

— Internal consistency
— External consistency

Integrity enforced through:
— Well-formed transactions
— Separation of duties
What is the State Machine Model?
- Current security posture captured
- Policy dictates secure state changes
- Guarantees secure state changes
What does Noninterference mean?
This is the idea behind a cryptographic system, and the term is often used when talking about cryptographic systems. REMEMBER THIS!!!
Actions of subjects at a higher security level do not affect (interfere with) what subjects at a lower level can observe: low-level outputs are independent of high-level inputs.
What is Information Flow?
Similar to Bell-LaPadula in that objects are labeled with security classes that form a lattice. The model specifies in which direction information is allowed to flow between objects.
What is an Access Matrix?
One of the best ways to understand what our risks are. All objects are across the top, subjects down the side, like an Excel spreadsheet. The best way to visually see all permitted accesses.

Problems: Does not SCALE!!

The access matrix:

* Provides access rights to subjects for objects
* Access rights can be read, write, and execute
* A subject is an active entity that is seeking rights to a resource
* A subject can be a person, a program, or a process
* An object is a passive entity such as a file or a storage resource
* In some cases, an item can be a subject in one context and an object in another
* Columns of the access matrix are called access control lists (ACLs)
* Rows are called capability lists
What is the Graham-Denning Model?
Intended to formalize who may create subjects and objects and grant rights, somewhat like an RBAC model: high-level roles are defined so that creating objects and granting rights to them is better controlled. Eight primitive operations:

*Create object
*Create subject
*Grant access right
*Read access right
*Delete object
*Delete subject
*Delete access right
*Transfer access right
What is the Harrison-Ruzzo-Ullman Model?
Thought the Graham-Denning model was too high level and extended it:

* Based off the Graham-Denning model
* Adds granular controls
What is the Chinese Wall Model?
Used in law firms today because of conflicts of interest. A subject may access the data of only one company within a conflict-of-interest class. THINK OF BREWER AND NASH MODEL :-) You know what I mean.

Example: large companies retaining all of the top 50 law firms so that none of them can be used against them.

* Proposed by Brewer and Nash
* Deals with conflict of interest
* No information flow allowed that could cause information leakage that could lead to a conflict of interest (COI)
What enforces security on a system?
* Security Kernel
*Reference Monitor
* Reference Monitor Concept


Security kernel
— The security kernel is the central part of a computer system (software and hardware) that implements the fundamental security procedures for controlling access to system resources. It is the most trusted portion of a system; it enforces a fundamental property on which other portions of the system depend

Reference monitor concept
— The reference monitor concept is an access control concept that refers to an abstract machine that mediates all accesses to objects by subjects

Reference monitor
— A reference monitor is a system component that enforces access controls on objects (files or programs). It is a design concept for an operating system to assure secrecy and integrity. The reference monitor must always be invoked, must be tamper-proof (it cannot be bypassed), and must be small enough to be evaluated.
What is a reference monitor?
The most trusted piece of software on your system. Enforces access controls on an object. Ensures secrecy and integrity.
What is Domain Separation?
Group of computers at the same trust level. You should never have a top secret file and a secret file in the same folder or directory. Separate out information by sensitivity.

- Protects objects in the system
- Domain: set of objects that a subject is able to access
- Domain separation may be implemented by:
* Execution rings
* Base address registers
* Segmentation descriptors
What are the 4 classes of the Orange Book?
VMDM (Vim Dim) ORANGE!!. A is the best, D is the worst!

A: Verified protected
B: Mandatory Protected
C: Discretionary Protected
D: Minimal Security

Only need to know the above 4, but they are based on this:
— Security policy
— Object marking
— Subject identification
— Accountability
- Assurance
— Documentation
What was ITSEC?
The first attempt by European countries to establish a common standard for evaluation of computer security.
What are the levels of Evaluation Assurance Level (EAL)?
This is not a high priority item on the exam, but it could be covered. Use time on more important items. Here are the details:

— EAL 1: Functionally tested
— EAL 2: Structurally tested
— EAL 3: Methodically tested and checked
— EAL 4: Methodically designed, tested,and checked
— EAL 5: Semi-formally designed and tested
— EAL 6: Semi-formally verified, designed, and tested
— EAL 7: Formally verified, designed, and tested
ISO 17799
Originally BS 7799!! haha.. RISK BASED and HOLISTIC APPROACH. Close to the 10 domains.

1.) Security Policy
2.) Security Organization
3.) Assets Classification and Control
4.) Personnel Security
5.) Physical and Environmental Security
6.) Computer and network management
7.) Systems access control
8.) Systems Development and Maintenance
9.) Business Continuity Planning
10.) Compliance
What is Certification?
Detailed assessment and analysis of the security of the system.

* Comprehensive evaluation of the technical and non-technical security features of an information system and other safeguards

*Establishes the extent to which a particular design and implementation meets the set of specified security requirements
What is Accreditation?
Approval by the DAA for a system to operate in a given environment

* Formal declaration by a designated approving Authority (DAA) where an information system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk
Accreditors are responsible for what?
* Evaluating certification evidence
* Deciding on acceptability of application security safeguards
* Approving & ensuring corrective actions are accomplished
* Issuing accreditation statement
What are the PCI-DSS dirty Dozen?
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Requirement 12: Maintain a policy that addresses information security
What language are applets written in?
How is JAVA byte code interpreted?
Generates Byte Code which is interpreted into machine code by Java Virtual Machine
Why does security like Java?
Because of sandboxing
What are some JAVA security releases?
* JAAS - Java Authentication & Authorization Service
*JSSE - Java Secure Socket Extension
* JCE - Java Cryptography Extension
Java VS ActiveX
* ActiveX cannot be sandboxed; it needs full access to the entire system
* ActiveX does not have equivalent security extensions
* Java gives more control than ActiveX
What is a DBMS
Database management system...mysql, MSSQL, Oracle...etc..

*Stores data and provides operations on the database, such as create, delete, update and search.
* Provides security and integrity controls
What is Data Definition Language (DDL)?
Defines database schema
What is Data Manipulation Language (DML)?
Examines and manipulates contents of a database
In terms of databases, what in Concurrency?
Updates by more than one person at the same time. This is solved by LOCKING
In terms of databases, what is Semantic Integrity?
Ensures that we have the right data types

Ensures that data types, logical values, uniqueness constraints, and operations are enforced
What enforces Semantic Integrity?
The DBMS, Database management system
In terms of databases, what is Referential Integrity?
Every foreign key must refer to an existing primary key. Prevents users from entering inconsistent data, for example a row that points to a record that does not exist, or deleting a record that other rows still reference
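Worked example, added here and not from the study guide, covering both the semantic integrity and the referential integrity cards above: the DBMS itself rejecting bad data, shown with Python's built-in sqlite3 module on an in-memory database. The schema and rows are constructed for the example. One caveat worth knowing: SQLite only enforces foreign keys when the pragma below is switched on, so a "referential integrity" check that was never turned on is a common finding.

```python
# Added example (not from the study guide): integrity constraints enforced by the DBMS.
import sqlite3

SCHEMA = """
CREATE TABLE department (
    id   INTEGER PRIMARY KEY,
    name TEXT NOT NULL UNIQUE                          -- uniqueness constraint
);
CREATE TABLE employee (
    id      INTEGER PRIMARY KEY,
    name    TEXT NOT NULL,
    salary  INTEGER NOT NULL CHECK (salary > 0),      -- semantic integrity: valid values only
    dept_id INTEGER NOT NULL REFERENCES department(id) -- referential integrity: must exist
);
"""

def new_db() -> sqlite3.Connection:
    """Fresh in-memory database with one department and one employee."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # off by default in SQLite!
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO department VALUES (1, 'Security')")
    conn.execute("INSERT INTO employee VALUES (1, 'Ada', 100000, 1)")
    conn.commit()
    return conn

def try_statement(conn: sqlite3.Connection, sql: str, params=()):
    """Run one statement. Returns None if the DBMS accepted it, otherwise the
    text of the integrity error it raised (the statement is rolled back)."""
    try:
        conn.execute(sql, params)
        conn.commit()
        return None
    except sqlite3.IntegrityError as err:
        conn.rollback()
        return str(err)

if __name__ == "__main__":
    db = new_db()
    for sql in (
        "INSERT INTO employee VALUES (2, 'Bob', 50000, 99)",    # no such department
        "INSERT INTO employee VALUES (3, 'Eve', -5, 1)",        # negative salary
        "INSERT INTO department VALUES (2, 'Security')",         # duplicate name
        "DELETE FROM department WHERE id = 1",                   # still referenced
        "INSERT INTO employee VALUES (4, 'Cy', 70000, 1)",       # consistent: accepted
    ):
        print(f"{sql:55} -> {try_statement(db, sql) or 'ok'}")
```

The application never has to re-check these rules: they hold for every client and every code path, which is the point of putting integrity controls in the DBMS rather than in application code.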
What is a Database?
Collection of related data about an organization intended for sharing by multiple users
What are 4 types of data models?
* Hierarchical - tree structure; each record has exactly one parent (like an org chart or a file system)

* Network (mesh) - records linked in a graph; a record can have many parents, so data can be reached and updated from multiple paths

* Object-oriented - data stored as objects that bundle data together with the methods that operate on it

* Relational - tables (rows and columns) related to one another by keys
What is a Data warehouse?
Older term for what is now called Big Data. The storage of the data is the data warehouse

Data warehouse
— Storage facility where data from heterogeneous databases
are brought together for users to make queries against
— Purpose is information retrieval and data analysis
— Redundant and inconsistent data are removed from
databases (normalizing)
What is Data mining?
Correlation and analysis of the Big Data or Data Warehouse is Data Mining.

Data mining
— By detecting abnormal patterns, can be used for:
— Intrusion detection
— Fraud detection
— Auditing the database
What are some database vulnerabilities & Threats?
Security issues:
— Aggregation
*User has a right to only certain data items in a larger collection of data items.
*Obtains knowledge that he/she does not have a right to about the larger collection

— Inference
*User deduces information of higher sensitivity from lower sensitivity information.

— Inference controls
*Enforced during query processing
*Content-dependent access rules
What are Web App Threats & Protection?
Web Attacks:
* Information gathering
* Parameter Manipulation
* Cross Site Scripting (XSS)

Application management affords the best protection
What is the best protection from threats for Web Apps?
Application Management Affords the best protection
End-to-end encryption such as SSL/TLS
What is Asymmetrical Multiprocessing (AMP)?
One processor will take care of the system processes and the other processor(s) will run the applications
What is Symmetrical multiprocessing (SMP)?
Two processors, system tasks and application tasks are divided equally between both CPUs
What are the two main rules in Bell-Lapadula (BLP)?
*The Simple Security property, which is No Read Up (NRU)
*The * property, which is No Write Down (NWD)

The easy way to remember the rules of BLP is to put yourself in the middle. Take the following example:

SECRET -----------> This is the level you are at.

Being at the secret level, are you allowed to read documents at the top secret level? (No!) (No Read Up)

Being at the secret level, are you allowed to write a secret document into the confidential level? (No!) (No Write Down)
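Worked example, added here and not from the study guide, covering the Bell-LaPadula, strong * property and Biba cards above: the rules as code, over labels that form a lattice (a hierarchical level plus a set of compartments, so some labels are incomparable and neither reading nor writing between them is allowed). The level names, compartments and the subject/object labels are constructed for the example; for Biba the same numeric levels are read as integrity levels.

```python
# Added example (not from the study guide): BLP and Biba access decisions on a lattice.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

class Label:
    """Security label = hierarchical level + set of compartments (need-to-know categories)."""
    def __init__(self, level: str, compartments=()):
        self.level = LEVELS[level]
        self.compartments = frozenset(compartments)

    def dominates(self, other: "Label") -> bool:
        """Lattice order: at least as high a level AND a superset of the compartments."""
        return self.level >= other.level and self.compartments >= other.compartments

    def same_as(self, other: "Label") -> bool:
        return self.dominates(other) and other.dominates(self)

def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula (confidentiality)."""
    if op == "read":            # simple security property: no read up
        return subject.dominates(obj)
    if op == "write":           # * property: no write down
        return obj.dominates(subject)
    raise ValueError(op)

def blp_strong_star_allows(subject: Label, obj: Label, op: str) -> bool:
    """BLP with the strong * property: writes only at the subject's own label."""
    if op == "write":
        return subject.same_as(obj)
    return blp_allows(subject, obj, op)

def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Biba (integrity): the mirror image of BLP, levels read as integrity levels."""
    if op == "read":            # simple integrity property: no read down
        return obj.dominates(subject)
    if op == "write":           # integrity * property: no write up
        return subject.dominates(obj)
    raise ValueError(op)

# The worked example from the card: you are SECRET; documents at TOP SECRET and CONFIDENTIAL.
ME = Label("SECRET")
TOP_SECRET_DOC = Label("TOP SECRET")
CONFIDENTIAL_DOC = Label("CONFIDENTIAL")

if __name__ == "__main__":
    print("BLP read up allowed?      ", blp_allows(ME, TOP_SECRET_DOC, "read"))       # False
    print("BLP write down allowed?   ", blp_allows(ME, CONFIDENTIAL_DOC, "write"))    # False
    print("BLP write up allowed?     ", blp_allows(ME, TOP_SECRET_DOC, "write"))      # True
    print("strong *, write up?       ", blp_strong_star_allows(ME, TOP_SECRET_DOC, "write"))  # False
    print("Biba read from TOP SECRET?", biba_allows(ME, TOP_SECRET_DOC, "read"))      # True
```

Putting both models side by side makes the "opposite of BLP" card concrete: every answer Biba gives is the BLP answer with the direction flipped, because one model protects against leaking secrets downward and the other against contaminating trusted data from below.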
What are the 5 steps in the CMM?
1.) Initial: The software process is characterized as ad hoc, and occasionally even chaotic. Few processes are defined, and success depends on individual effort and heroics.
2.) Repeatable: Basic project management processes are established to track cost, schedule, and functionality. The necessary process discipline is in place to repeat earlier successes on projects with similar applications.
3.) Defined: The software process for both management and engineering activities is documented, standardized, and integrated into a standard software process for the organization. All projects use an approved, tailored version of the organization's standard software process for developing and maintaining software.
4.) Managed: Detailed measures of the software process and product quality are collected. Both the software process and products are quantitatively understood and controlled.
5.) Optimizing: Continuous process improvement is enabled by quantitative feedback from the process and from piloting innovative ideas and technologies.
In Object Oriented Development, what is a class?
A class is a blueprint or prototype that defines the variables (data) and methods (code) common to all objects of a certain kind. The class serves as a user-defined type. A class thus defines a data type that behaves like the built-in types of a programming language.
In Object Oriented Development, what is an Object?
An object is a concrete instance of a class. The data within an object is referred to as
variables or attributes.
In Object Oriented Development, what is a Method?
Methods are functions within an object that perform operations or manipulate the object's variables, carrying out an action relevant to the object.
In Object Oriented Development, what are Messages?
Objects communicate with one another by sending messages from a statement in one object
to a method in another object. They are often requests for an object to perform some
operation on the data stored within the object.
In an Object oriented system how can an object be viewed?
An object can be viewed as a black box whose internal details are hidden from outside observation and cannot normally be modified
In an Object oriented system what is Delegation?
The forwarding of a request by an object to another object or delegate
- Necessitated by the fact that the object receiving the request does not have a method to service the request
In an Object oriented system what is Polymorphism?
An object that is able to respond to some common set of operations in a different way
Ability to use the same syntax for objects of different types, for instance "+" for addition of reals and integers
In an Object oriented system what is Binding?
Dynamic- Association of a method with a message during run time
Static- Association of a method with a message during compile time
In an object-oriented system what is Polyinstantiation?
Polyinstantiation is used to generate two versions of the same object to be presented to subjects according to their security level.
In an object-oriented system what is cohesion?
An object needing little or no interaction with other objects is said to have a high or tight cohesion
Cohesion and Coupling
Cohesion and coupling are directly related. Objects are self contained and can perform a single task with little or no help from other objects (low coupling). Because of the low level of interaction necessary with other objects, it is said that they have a high or tight cohesion level. An object that has a need to interact with multiple objects to perform a task has a high coupling level and inversely a low cohesion level. Having interactions is sometimes necessary and not always a bad design decision; however, too many dependencies can make a program or application less reliable.
In an object-oriented system what is Coupling?
An object that has a need to interact with multiple objects to perform a task has a high coupling level and inversely a low cohesion level.
Service Level Agreements (SLA) address which aspect of the security TRIAD?
What are general security controls?
Recovery,Compensating, Corrective
RCC or R Double C Yo!
What are specific security controls
Preventive ,Directive, Detective, Deterrent
PDD or Be Specific, P-triple-D YO
What is the length of the TCP header?
20 bytes
What is the length of a UDP header?
8 bytes
How many bytes are in an ATM header?
53. 48 for the payload and 5 for the header
What layer do HDLC and SDLC reside?
Layer 2 - Data link layer
What is used to calculate risk?
Risk=threat x vulnerability
What do you always use to calculate the risk?
Threat. Threat drives risk.
How can you reduce risk?
Reduce vulnerability. Of the equation risk = threat x vulnerability, it is the only thing you have control over.
What is a directive that gives a point of enforcement?
Contractual Agreements give a point of enforcement
What are some types of employment agreements
1.) General Clauses
2.) Work Hours and overtime
3.) Holidays, sick leave, and other leave
4.) Non-competition and non-solicitation
5.) Confidentiality
6.) Non-Disclosure agreement (NDA)
How do you reduce insider threat?
Through Administrative Management such as the ones below:

- Job Requirements clearly defined
- Background Checking
- Separation of duties
- Job Rotation
- Vacation and leave
- Terminations
What role do the following items apply to?

- Security involves all personnel
- End User Plays a critical role
- Users must be aware of their role
- Awareness is key
- Ensure proper training
User roles and responsibilities
What role do the following items apply to?
- Usually the immediate supervisor of an employee
- Responsible for user ID's
- Responsible for contractors
- Looks after termination procedures
- Looks after passwords
Manager/Custodian Roles and responsibilities
What role do the following items apply to?
- Final say towards security
- Decides what is appropriate
- Ultimately responsible
- Determines what backup to use
- Determines who can access
Owner roles and responsibilities
What is a threat?
An event that could cause harm through violation of operations security
What is a vulnerability
A weakness in a system that could be exploited to cause harm to a system
What is an asset?
Computer resources, hardware, software, information, personnel, etc.
What is the most important thing about disaster recovery?
Is someone in charge! It does not matter who, but is someone in charge?
What is the most important thing in audit trails?
They must be reviewed! They are a detective control.
Can you have just a snapshot of an audit trail?
No, they must be complete, not just snapshots. It is taking the audit logs out of context.
For accurate logs you need a consistent time source?
True....very true!! One of the most important pieces
What components do your audit trails need?
- Time
- Location (Workstation) used to process the transaction
It is important to lock down and protect the audit trail?
Very true. There is a lot of sensitive information there. Need to control who has access and how it is protected.
What are proper audit log backups?
- No Log, No Audit!
- Central Logging: Prevents attackers from covering their tracks
- Make sure you use an NTP server!!!!
What is the primary purpose of centralized logging?
Get the logs off the box so that the attacker cannot cover their tracks.
You also get event correlation.
What are some threats to security operations?
- Errors and Omissions
- Fraud and theft
- Employee sabotage
- Malicious hackers and crackers
- Malicious code
What is the number one threat that causes damage?
- The accidental insider
- Errors and Omissions.
What are some employee sabotage threats?
- Destruction of hardware
- Destruction of facility
- Planting bombs
- Deleting or modifying data
- Holding systems or data hostage
What are some loss of infrastructure threats?
- Power Failures
- Spikes and brownouts
- Loss of communications
- Water outage or leaks
- Lack of transportation
- Fire, flood, civil unrest, and strike
What is one of the most important parts of security operations?
Data Classification. This is a fundamental piece that you have to have.
How do you treat sensitive information?
- Marking
- Handling - data classification
- Storage
- Destruction
How can you do least privilege without data classification?
You can't!
What are directive controls?
Anything where you are directing or telling them to do something or implying a business process that has to be done. Policies, background checks, signs on fences.

Directive controls are the equivalent of administrative controls. This category includes items
such as policies, standards, guidelines, personnel screening, and security awareness training.
Directive controls are important and form the foundation for enterprise security.
What are preventative controls?
Locks and Firewalls! Subset of a lock is a man trap

Preventive controls are the equivalent of technical controls. These contain the methods,
tools, practices, and the techniques used to ensure that systems remain secure and highly
available. They also include logical access control, encryption, security devices,
identification, authentication, firewalls, antivirus, separation of duties, access rights, data
classifications, physical access controls, and many more.
What are detective controls?
Looking for attacks that are in progress. Alarm Systems, CCTV, Video surveillance, IDS

Detective controls are used to validate that the preventive controls and the directive controls
perform adequately. This is how computer abuse, fraud, or crime is detected with both
automated and manual tools. This type of control area contains log review, surveillance,
auditing, and integrity checkers, to name a few.
What are deterrent controls?
Meant to discourage you. Guards with guns, dogs..etc..

Deterrent controls are intermediary controls, normally requiring nothing more than an
identification and authentication.
What are corrective controls?
General Control Type:

Corrective controls provide information, procedures, and instructions for correcting detected
shortcomings. These shortcomings can include attacks that have been detected, errors, or
system misuse. In this category are procedures, instruction manuals, audit trails, and many
What is a Recovery Control?
General Control Type:
Recovery controls are those ensuring systems are restored to a normal or previous state
normally following an incident of destruction or damage.
What is compensating control?
General type of control:
Compensatory controls are used when existing capabilities of a system cannot implement
controls and must be covered by alternate means, generally by managerial or procedure
Who responds to incidents and IDS alerts?
CIRT : Computer incident Response team
What are the steps in setting up IDS?
1.) Creation and maintenance of IDS
2.) Creation of a CIRT team: Computer Incident Response Team
What are the different types of IDS?
- Network Based
- Host Based
What are the methods of operation of an IDS?
- Pattern matching
- Anomaly Detection
- Protocol behavior
What is the benefit of a NIDS over an HIDS?
What is the Negative of a NIDS?
False Positives
What modes do NIDS operate in?
- Passive: Sends alert but does not stop traffic. DEFAULT MODE
- Active: Stops attack, usually by sending resets.
Anything deployed inline in ISC2 world is what?
A firewall. NIDS are only installed as passive by default.
What is the challenge and problem with HIDS?
It is hard to manage and does not scale well. Many hosts reporting back.
What are the 4 types of IDS Events?
True positive - When the IDS sets off an alert and it is a real attack
True negative - When the IDS does not set off an alert and it is normal traffic
False positive - When the IDS sets off an alert and it is normal traffic
False negative - When the IDS does not set off an alert and it is attack traffic
What are the 6 steps of incident handling?
PICERL (Pick Earl)
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons Learned
0- Striping
1- Mirroring
2- Bit-level code parity - Exact number of disks: 39. (Levels 2, 3, 4: data on one set and parity on the other)
3- Byte-level parity
4- Block-level parity
5- Interleave Parity - Data and parity interleaved
6- Second independent parity - Don't really need to know this one
7- Single virtual disk
Attributes of RAID level 0
- Creates one large disk by using several disks
- Essentially it creates a duplicate copy of your data across two disks
- Separates the data into multiple units and stores it on multiple disks by using a process called striping
- Stripes data across all disks (but provides no redundancy) by using all the available drive space to create the maximum usable data volume size and to increase read/write performance
Attributes of RAID level 1
- Commonly called mirroring
- Duplicates the data from one disk or set of disks to another disk or set of disks
- Often implemented by a one-for-one disk ratio
- Each drive is mirrored to an equal drive partner, which is continually updated with current data. If one drive fails, the system automatically gets the data from the other drive
Attributes of RAID level 2
- Only RAID level where a specific set of disks is specified
- Consists of bit-interleaved data on multiple disks
- Parity information is created using a hamming code, which detects errors and establishes the part of the drive in error
- Defines a specific disk drive system with 39 disks: 32 disks of user storage and 7 disks of error-recovery coding
Attributes of RAID 3 & 4
- Data is striped across several drives
- Parity check bit is written to a dedicated parity drive
- Level 3 is implemented at the byte level, and level 4 at the block level
- If a hard disk fails, the data can be reconstructed by using the bit information on the parity drive
- Spare drives can be used to replace crashed drives
Attributes of RAID level 5
- It stripes the data and the parity information at the block level across all the drives in the set. WRITTEN ACROSS BOTH DRIVE SETS!!
- Parity information is written to the next available drive rather than a dedicated drive using an interleave parity
- RAID 5 allows for more flexibility in the implementation and increases fault tolerance because the parity drive is not a single point of failure now
- Disk reads and writes are performed concurrently, increasing performance over levels 3 and 4
Attributes of RAID level 7
- Single Virtual Disk
- Variation on RAID 5, but the array functions as single virtual disk in hardware
- Sometimes simulated by software running over a RAID level 5 hardware implementation
- Allows the drive array to continue to operate if any disk or any path to any disk fails
- Also provides parity protection
What is a Full Backup?
- Makes a complete backup of every file on the server every time it's run
- Primarily run when time and tape space permits, and is used for system archive or BASELINE tape sets
What is an Incremental Backup?
- Copies only files that have recently been added or changed THAT DAY and ignores any other backup set
- Usually RESETS ARCHIVE BIT on the files after they have been backed up
- Used if time and tape space is at an extreme premium, but has inherent vulnerabilities
What is a Differential Backup?
- Makes a backup of anything that has changed at ANY TIME! LESS TAPES
- Copies only files that have changed since a full backup was last performed
- Backup is "ADDITIVE" because the time and tape space required for each night's backup grows during the week as it copies the day's changed files and the previous days' changed files up to the last full backup
- File's archive bit is NOT RESET until the next full backup
Steps of a security operations assessment
1.) Identify critical information
2.) Assess the threat
3.) Assess vulnerabilities of critical information to the threat
4.) Conduct risk versus benefit analysis
5.) Implement appropriate countermeasures
6.) Repeat
Incident Handling Preparedness phase
-Planning is everything
-- Organizational approach
-- Interorganization
-Obtain management support
-Select team members; identify contacts in other organizations (legal, law enforcement)
-Update disaster recovery plan
-Compensate team members
-Provide checklists and procedures
-Have emergency communications plan
-Escrow passwords and encryption keys
-Provide training
-Have a jump bag with everything you need to handle an incident
Incident Handling Identification phase
-How do you identify an incident?
-Be willing to alert early, but do not jump to a conclusion
--- "Boy who cried wolf" syndrome
--- Look at all the facts
- Notify the correct people
- Use the help desk to track trouble tickets to track the problem
- Assign a primary handler
- Determine whether an event is an incident
-- SMART guidelines
- Identify possible witnesses and evidence
- Make a clean backup of the system
Incident Handling Containment phase
-An incident handler should not make things worse (liability and negligence)
- Secure the area
- Make a backup
- Pull the system off the network(optional)
- Change passwords
Incident Handling Eradication phase
- Fix the problem before putting the system back online
- Determine cause and symptom
- Improve defenses
- Perform vulnerability analysis
Incident Handling Recovery phase
- Make sure you do not restore compromised code
- Validate the system
- Decide when to restore operations
- Monitor the systems
---- Make sure the attacker does not come back in!!
Incident Handling Lessons Learned (Follow up) phase
- Develop a report
- Try to get consensus
- Conduct a lessons-learned meeting
- Send recommendations to management
- Conduct a follow-up meeting
VPN Advantages
* Improved flexibility
-- A VPN "tunnel" over the Internet can be set up rapidly. A frame circuit can take weeks.
-- A good VPN will also support quality of service
* Lower cost
-- There are documented cases of a VPN paying for itself in weeks or months.
-- There are also cases where the hidden costs sunk the project!
What are the Private Network address ranges?
— 10.X.X.X
— 192.168.X.X
What are the IP Address class ranges?
A Ending:, B Ending:, C Ending:
Intrusion Detection Cheat Sheet:
- Intrusion Prevention = Before - This is not an IPS. It is asking if there are other preventing technologies or controls in place
- Intrusion Detection = During
- Intrusion Response = After- Involves your CSIRT Computer security incident response team
Sanitizing media
- Removing - trash bin
- Overwriting - 1's and 0's
- Degaussing
- Destruction
Does ALL RAID guarantee protection against Disk loss?
NO, RAID 0 is only for performance, not redundancy
What focuses on a higher level than RAID
Server Fault-Tolerant Systems: Server Clustering. Any server can use any other server as a backup.
What is Change Control?
Change control is the process of tracking and approving of changes to a system, including identifying, controlling, and auditing all system changes.

Change control is also concerned with changes that might affect security.

That process includes hardware, software, and networks.
Why are patches issued?
• A fault exists in an application or operating system and must be updated
• A security threat has been found
• A tightening of services or function is required
If it is not documented, did it happen?
NO!! if it was not documented, it did not happen! This is a key role in Security Operations.
Centralized Control
Organized, controlled and performed from one location
Has multiple independent locations with essentially no communications among them
Implies communications and coordination among multiple locations
Steps in monitoring
- Review
- Watch
- Take Action
Popular Monitoring Types
- Real-time
- Ad hoc
- Passive
Types of Monitoring
- Keystroke
---Hardware: Keyboard Adapter vs. Software monitoring: Trojan Horse - Can be seen in processes
- Illegal Software
- Traffic Analysis
- Trend Analysis
Traffic Analysis
A type of security threat that occurs when an outside entity is able to monitor and analyze traffic patterns on a network
Type I Error
False reject rate
Type II Error
False acceptance rate
BIO Response time and accuracy chart
System Type | Response Time | Accuracy (CER)
Palm Scan | 2-3 Seconds | 0%
Hand Geometry | 3-5 Seconds | 0.1 %
Iris Scan | 2-4 Seconds | 0.5 %
Retina Scan | 4-7 Seconds | 1.5 %
Fingerprint | 5-7 Seconds | 5 %
Voice Pattern | 0-14 Seconds | 8 %
Facial Recognition | 2 Seconds | TBD
Signature Dynamics | 5-10 Seconds | TBD
BIO Metric user acceptability
Remember 6-10-2: 6-10 seconds throughput and 2 minute enrollment

2 minute enrollment per user; average implementation speed is 6-10 seconds
What is the most influential part of choosing a bio metric solution?
Dictionary attack
-Easiest and quickest attack
- Not guaranteed to find all passwords
- Relies on the fact that most users pick easy passwords
- Tries every word in the dictionary to see if there is a match
Brute Force Attack
- Finding all passwords is just a matter of time
- Brute force takes the longest time to perform, but will find every password
Hybrid attack
- Most users append a special character to the end of their passwords
- Hybrid starts with a dictionary attack and performs a brute force attack of 2-3 characters at the end
what are 4 types of tokens?
- Static password tokens
- Synchronous dynamic password tokens
- Asynchronous dynamic password tokens
- Challenge response tokens
Static Password Tokens
- Owner authenticates himself to the token
- Token authenticates the owner to an information system
Synchronous Dynamic Password Tokens
- The token generates a new, unique password value at fixed time intervals (time of day encrypted with a secret key)
- The password is entered into the workstation along with the owner's pin
- The authentication system knows the owner's secret key and pin
- The authenticator verifies that the entered password is valid and that it was entered during the valid time window
Asynchronous Dynamic Password Tokens
- The tokens are similar to the synchronous dynamic password
- A new password is generated asynchronously
- The new password does not have to fit into a time window for authentication
Challenge-Response Token
1. The workstation generates a random challenge string.
2. The owner enters the string into the token along with the proper pin.
3. The token generates a response.
4. The response is entered into the workstation.
5. The authentication mechanism in the workstation determines access.
War Dialing
- attempts to attack the systems via dialing all the phone numbers in an exchange.
- passively monitors network traffic for network knowledge, such as passwords.
- involves listening to phone conversations.
Radiation Monitoring
- is the process of receiving images, data, or audio from an unprotected source by listening to radiation signals.
Dumpster Diving
- obtains passwords and corporate directories by searching through discarded media.
Social Engineering
- is a euphemism for non-technical or low-technology means, such as lies, impersonation, tricks, bribes, blackmail, and threats. These are used to attack information systems.
Security Assessment
- More complete view of a company's network security
- Analyzes the entire network from inside and tries to find the weaknesses
- Offers a complete list of risks against critical assets
Role-Based Access Control
assigns users to roles or groups based on their organizational functions. Groups are assigned authorization to perform functions on certain data.
Rule Set-Based Access Control
(RSBAC) targets actions based on rules for subjects (entities) operating on objects (data or other resources). RSBAC is implemented in a variety of software programs and operating systems (including Linux) and is based on the Generalized Framework for Access Control by Abrams and LaPadula. Form of DAC
List-Based Access Control
associates a list of users and their privileges with each
object. Each object has a default set of privileges that applies to unlisted users. Form of DAC
Access Control Matrix (ACM)
can be useful in determining required access per role for system and application designs
Role-Based Access Control
- Non-RBAC: user granted access via ACLs
- Limited RBAC: user access mapped to applications
- Hybrid RBAC: user assigned a role which is assigned access to applications or systems.
- Full RBAC: access controlled by roles and applied to applications and systems. Full RBAC access determined on job function not application or system.
Domain 8 Starts Here:
BCP vs DRP (Important Discriminators)
Strategic | Tactical
Business Process | IT Infrastructure
Proactive | Reactive
What is your organizational stance on security?
(security policy)
What happens if a disaster occurs?
(The disaster recovery plan)
How do you ensure that your company can continue operations?
(business continuity planning)
What is considered a disaster?
Anything that interrupts normal business operations
On the exam, what mind set should you have in regards to disaster?
Think a fire in your data center. Can't use it when it is happening, but you can recover and move back into your datacenter
Cold Site
Basic infrastructure, some cables, shell of a building, electrical but NO SERVERS
Warm Site
Basic infrastructure, some cables, shell of a building, electrical but WITH SERVERS, but not the latest data. Need to get it from a backup tape or facility
Hot Site
Fully redundant data center. Server, latest current data...a literal fail over.
What is a DRP?
A disaster recovery plan (DRP) covers the recovery of IT systems in the event of a disruption or disaster.
A disaster recovery plan (DRP) involves what steps?
1.) Recovery of the data center
2.) Recovery of business operations
3.) Recovery of business location
4.) Recovery of business processes
What is an easy distinction between disaster recovery planning and business continuity planning?
• Disaster recovery is short-term focused
• Business continuity is long-term focused
DRP is a subset of what?
What is the reconstitution phase?
Fix the primary data center and move back to primary. This leads to complete recovery. DRP is closed and BCP continues.
You can think of a BCP as what?
A will!!! which I need to get done.
What is your Businesses last line of defense?
What are the BCP Plan phases?
1.) Project Initiation Phase
2.) Current State Assessments
3.) Design and Development Phase
4.) Implementation Phase
5.) Management Phase
Step 1 of BCP?
Project Initiation phase:
• Assess: Identify and triage all threats (BIA).
• Evaluate: Assess the likelihood and impact of each threat.
• Prepare: Plan for contingent operations.
• Mitigate: Identify actions that might eliminate risks in advance.
• Respond: Take actions that are necessary to minimize the impact of risks that materialize.
• Recover: Return to normal as soon as possible.

Finer steps:
• Appointing a project manager
• Establishing executive support
• Building a team
• Scoping the project (prioritizing)
• Defining the objectives and deliverables
Who is the model of a BCP project manager?
Michael Carter....Think of him
Whose plan should the BCP be?
The CEO! You need executives to be on board for resources, money and people
How do you build a team for the BCP?
Reflect the ORG chart as much as possible. Need representatives from all parts of the Organization. Example, people from IT, HR, Sales, Marketing....etc
Who signs off and is responsible for the BCP?
What will ultimately determine the scope of the BCP?
MONEY of course!!!
What are the defined BCP Objective deliverables?
- Risk analysis and impact
- Disaster recovery steps
- Plan for testing
- Plan for training
- Procedure to keep the plan up-to-date
What are risk analysis questions?
- What are the specific threats to your organization?
- What would you do to protect your information resources?
- More importantly, what are your critical business systems and processes?
How is risk calculated?
Risk(Due to threat) = Threat x Vulnerability(To that threat)
How does ISO 17779 express risk?
RISK = threat x vulnerability(To that threat) x IMPACT
What are the steps of Risk analysis?
• Identifying your critical business systems and processes.
• Identifying the specific threats to your organization, especially to those critical systems and processes.
• Evaluating the vulnerability of an asset and the probability of an attack or disruption to occur.
• Determining what you would do to protect your information resources.
• Weighing the loss of assets versus the cost of implementing mitigating controls.
What are the 6 steps to the Continuity Process?
1. Identify assets.
2. What threatens those assets?
3. How can we protect and recover those assets?
4. Document the results.
5. Test and review.
6. Provide training and raise awareness.
What is Risk Avoidance?
When you decide not to become involved in the risk situation.
What is Risk Acceptance?
When you acknowledge and accept that the risk is something that could happen. You intentionally or unintentionally retain or assume the responsibility for loss or the financial burden of loss within the organization.
What is Risk Transfer?
When you shift the responsibility or burden to someone else. An example would be getting insurance to cover the damage.
What is Risk Reduction?
When you apply the appropriate controls to mitigate the effects of the disaster, thereby reducing the risk.
What does the BIA (Business Impact Analysis) Cover?
- Determine the tolerable impact levels your system can have
-- How long can your systems be compromised?
-- What is the maximum allowable or tolerable downtime?
- Evaluate the effect of a disaster over a period of time
Who is involved in the process of developing a BIA?
It typically involves interviewing key users of the various computer systems, for example payroll, accounts payable and accounting, to better understand how a disaster could impact the ability to continue operations.
How does a BIA risk analysis vulnerability assessment differ from a normal vulnerability assessment?
- It is focused on a smaller scope than a full risk assessment, looking for and identifying critical business functions. THINK STEPHO's EMAIL TO HIS BUSINESS
What type of recovery site is particularly suited to work group recovery options?
Mobile site
In which phase of the Software Capability Maturity Model do you often find hardworking people charging ahead in a disorganized fashion?
What process brings order to the chaotic events surrounding the interruption of an organization's normal activities by an emergency?
Disaster recovery planning (DRP)
What is Electronic Vaulting?
- Batch Process
- Transmitting data through communication lines to storage on a remote server
- Example: Performed every evening at a specific time
What is remote journaling?
- Transmitting data in real-time or near real-time to back-up storage at a remote location
What is Database shadowing?
- Similar to remote journaling
- Provides additional robust backup by storing duplicate data on multiple remote storage devices
What is Disk Duplexing?
- Disk controller duplicated
- If one controller fails, other controller operates
What is the most common document type used for emergency response plans?
Checklists - The most basic consistency walk-through
What are DRP training and testing strategies?
Map the C's: Checklist = Consistency
Structured Walk through = Table Top exercise
Simulation is actually simulating in a test environment to try a test recovery

The Types of testing:
- Checklists - The most basic consistency walk-through
- Structured Walk Through - Validity Testing
- Simulations
- Parallel
- Full Interruption
DRP plan should be very what?
Terse, clear and direct
In a DRP, what is a table top exercise
Everyone is in a room and you read through the plan.
Structured Walk Through - Validity Testing
What are key areas of Training for DRP?
- How to operate the alternate site
- How to start emergency power
- How to perform a restorative backup
What is the BCP-DRP planning life cycle?
PRBBTMA (Pretty Rough Boy Bands Teach Me Abstinence)

1.) Project Initiation
2.) Risk Analysis
3.) Business Impact Analysis
4.) Build the Plan
5.) Test and Validate the Plan
6.) Modify and update the plan
7.) Approve and implement the plan
Who acts as the enterprise-wide contact for BCP issues?
BCP Project Manager
What is a hybrid backup site?
Multiple Processing Sites: Multiple internal processing locations geographically dispersed to assist in the back-up and recovery of vital company data. AKA (Mirror or hybrid).
What is the common goal of BCP and DRP?
The goal of BCP/DRP is to make the response time to a disruption, and the time required for complete recovery, as short as possible.
What are the two key drivers for determining the disaster recovery (DR) strategy for a given business function?
Maximum allowable downtime and resources required to continue to perform that function.
What does a business impact analysis (BIA) determine?
The maximum allowable downtime for any given system
Domain 8 end
What is the last line of defense a business has against risks that cannot be controlled or avoided?
BCP Business continuity plan
Domain 9 Starts Here
What is a law?
A mandatory directive that you must follow. They are requirements and restrictions.
What nations and bodies are involved in key international efforts dealing with computer crime?
- United Nations (UN)
- The G8 nations
- Mutual Legal Assistance Treaties (MLAT)
- European Union border controls (Interpol)
Do Japan, Taiwan, Korea and Thailand enforce patent law on computer programs?
No, they are silent on the issue.
Does Japanese law provide copyright protection for source code and object code?
Yes, both are treated as copyrightable.
Who is the only Pacific Rim country that provides trade secret law?
Are trade secrets protected in the European Community?
Yes, they uphold trade secret protection.
Do all countries play by the same copyright, trademark, and patent laws?
False, not all countries play by the same rules.
What is the Federal Privacy Act?
The Federal Privacy Act is meant to keep information on individuals private and protected. Any information that is kept on a person cannot be revealed or disclosed without their consent.
In the United States, are privacy laws consistent across all states?
False, states have different privacy laws.
When dealing with privacy expectations and laws, all individuals must be treated consistently and applied to all?
International privacy vs US privacy
International privacy laws are more strictly controlled than in the US.
Personal Employee Privacy Rights?
— Electronic Mail: Expectation of privacy
— Drug Testing: Limited to sensitive positions only
— Freedom from hostile work environment
International Employee Privacy Rights?
— European statutes cover both government and private corporate records
— Apply primarily to computerized data banks
— Strict rules on disclosure
— Prohibitions on transfer of information across national boundaries
What is a Patent?
-Protects inventions for 20 years
What 3 things do you need to file a patent?
1.) Have Utility
2.) Novelty
3.) Be Non-Obvious
To File a patent you must reduce the invention to practice and cover a single idea?
What is a copyright?
It protects a particular expression (instance) of a work, not the underlying idea: you can read a book and then write a similar book of your own. The expression may be fixed in any medium, for example:
- Paper
- Vinyl
- Magnetic media
- Or other
What is a Trademark?
A trademark is a word, name, symbol or device that is used in trade with goods to indicate the source of the goods and to distinguish them from the goods of others.
- Sum of marketing efforts
- Sum of good-will efforts
What is a Trade Secret?
Think of the Coca Cola formula

- Protects Critical intellectual property that is not publicly available
- Must provide "due care" protection to claim a trade secret
- Usually covered by an NDA
What are different types of software licensing?
- Site License
- Per-server license
- Per-personal computer license
- Number-of-users license
What are different types of software distribution?
- Crippleware
- Shareware
What is Criminal Law?
- Crimes against society.
- Only the government (the state) can bring charges
- Proof must be beyond a reasonable doubt
- Felonies: imprisonment > one year
- Misdemeanor: imprisonment < one year

Criminal law governs individual conduct as it pertains to laws, both federal and state, that were designed to protect the public. Examples include unauthorized use of a system, denial of service attacks, and Web site defacement. Violation of these laws can result in monetary penalties and/or imprisonment.
What is Civil (Tort) law?
Civil law refers to an action against a person or company whose conduct causes damage or financial loss. Examples of incidents that could be tried under civil law include worm attacks, denial of service, or any other attack that affects the availability of a system. Violation of civil law can result in punitive or compensatory damages being awarded to the organization affected by the incident.
What is Civil (Regulatory) law?
Regulatory law, by its very definition, deals with the governing regulations of a particular country and is especially important for government workers or those computer professionals in highly regulated environments, such as banking, finance, healthcare, and pharmaceuticals. An example of this type of law is the Health Insurance Portability and Accountability Act (HIPAA).
What is Administrative Law?
Grievances against government itself
What is Customary Law?
Laws based on values of regionalized society, pulling from tradition
In criminal law, what burden of proof is needed to convict?
Beyond a reasonable doubt: if reasonable doubt remains, the defendant is not guilty. Civil law does not require this standard.
In civil law, what burden of proof is needed?
Preponderance of the evidence, meaning more likely than not (think 51%).
Categories of Cyber Crime
- White-collar financial fraud
- Corporate espionage
- Child pornography
- Organized crime
- Identity theft
- Social engineering
- Insider theft
Examples of Computer Crimes
- Kevin Mitnick's phone (telephone network) attacks
- The 414s, a group of teenagers who broke into the Memorial Sloan-Kettering Cancer Center medical record system
- Robert T. Morris Jr.'s Internet worm, the November 1988 event that led to the creation of the Computer Emergency Response Team
What caused the Computer Emergency Response Team to be created in 1988?
The Morris worm, written and released by Robert T. Morris Jr. in 1988
What is the Council of Europe Convention on Cybercrime?
- Establishes law
- Provides law enforcement authority
- Provides international cooperation
What are the steps of an investigation?
- Detection and Containment
- Report to Management
- Preliminary Investigation
- Disclosure Determination
- Courses of Action
- Conducting the Investigation
* Investigative Responsibility
* Factors
What is the investigation process?
- Identify potential Suspects
- Identify Potential Witnesses
Computer Forensics
- Binary (bit-for-bit) backup of the disk
- Create a hash digest of the filesystem/image so its integrity can be verified later
- Analyze the restored copy, never the original media
What is the Chain of Evidence?
Accountability and protection
- Who obtained the evidence?
- Where and when was it obtained?
- Who secured it?
- Who controlled it?
- Account for everyone who had access to or handled the evidence
- Assurance against tampering
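The three forensics steps above (binary copy, hash digest, analyze the copy) and the chain-of-evidence requirement for assurance against tampering fit together in one workflow. The block below is an added example written for this page, not code from SANS or from any forensic tool: the "seized device" is a constructed temporary file standing in for a raw block device, `acquire_image`, `sha256_of` and `carve_strings` are names chosen here, and the string carving is a deliberately small stand-in for real filesystem analysis. What it shows beyond the flashcard is why the digest is recorded before analysis: any later change to the image, even one byte, makes the recorded digest stop matching.

```python
"""Forensic imaging workflow: bit-for-bit copy, digest, analyze the copy.
Example code added for this page; the evidence device is a constructed
temporary file, not a real disk."""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # stream in 1 MiB chunks so a large device does not fill RAM


def sha256_of(path: str) -> str:
    """Digest of the whole byte stream, computed without parsing any filesystem."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(device: str, image: str) -> dict:
    """Bit-for-bit copy of `device` into `image` (what dd does on a real disk).
    The source is hashed before copying and the image after, so the chain of
    evidence carries a digest that anyone can re-verify later."""
    source_digest = sha256_of(device)
    with open(device, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)  # raw bytes only: no mounting, no interpretation
    image_digest = sha256_of(image)
    return {
        "source_sha256": source_digest,
        "image_sha256": image_digest,
        "verified": source_digest == image_digest,  # False -> do not analyze
        "size": os.path.getsize(image),
    }


def carve_strings(image: str, min_len: int = 8) -> list:
    """Minimal analysis step run on the image: recover printable ASCII runs,
    which also surfaces data from files the filesystem no longer lists."""
    found, run = [], bytearray()
    with open(image, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            for b in chunk:
                if 32 <= b < 127:
                    run.append(b)
                else:
                    if len(run) >= min_len:
                        found.append(run.decode("ascii"))
                    run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def build_evidence_device(path: str) -> None:
    """Constructed sample media: zeroed sectors, a fake volume header, and the
    remnant of a 'deleted' file that only carving the raw image finds."""
    sector = b"\x00" * 512
    payload = (
        sector
        + b"FAKEFS v1 volume label=EVIDENCE-01" + sector
        + b"\xff" * 64
        + b"deleted_memo.txt: transfer 4242 to offshore acct"  # unlinked data
        + sector
    )
    with open(path, "wb") as f:
        f.write(payload)


def demo() -> dict:
    """Run the whole workflow and report what a practitioner would record."""
    work = tempfile.mkdtemp(prefix="forensics-")
    device = os.path.join(work, "sdX.raw")  # stands in for the seized disk
    image = os.path.join(work, "sdX.dd")
    build_evidence_device(device)
    record = acquire_image(device, image)
    hits = carve_strings(image)  # analysis happens on the copy only
    # Simulate tampering with the image after acquisition: append one byte.
    with open(image, "ab") as f:
        f.write(b"\x00")
    still_matches = sha256_of(image) == record["image_sha256"]
    return {
        "verified": record["verified"],
        "hits": hits,
        "tampered_still_matches": still_matches,
        "image_sha256": record["image_sha256"],
    }


if __name__ == "__main__":
    print(demo())
```

On a real case the copy step is `dd` or a write-blocked imager, the digest is written into the evidence log next to who collected the device, where and when, and the analysis in `carve_strings` is replaced by proper filesystem and carving tools; the shape of the workflow is the same.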
Evidence Life Cycle
-Collection and identification
-Storage, preservation, and transportation
- Presentation in court
- Return to victim (owner)
Domain 10 starts here
What are the Evacuation Roles?
- Safety Warden
- Meeting-point leader
Access Control Types for physical security
- Deterrent: armed guard
- Detective: video surveillance
- Preventive: locks