Exam cram

Presented here is a revision of some of the important concepts from all the domains of the CISSP CBK. They are provided as bullet-point snippets that are easy to revise, for quick revision and reinforcement of what you have learned:

  • Risk is defined as an exposure of the asset to loss, injury, or damage due to threats, vulnerabilities, and attacks.
  • Asset protection requirements are identified through a structured method of risk analysis, evaluation, and assessment.
  • Risk analysis, risk evaluation, risk assessment, and risk mitigation strategies are the components of risk management.
  • Identifying threats, vulnerabilities, and attacks; estimating potential impact; and establishing and implementing suitable controls to treat the risk are the functional steps in risk management.
  • Risk analysis that provides risk values in numeric terms, such as monetary values, is known as quantitative.
  • Risk analysis that provides risk values in non-numeric terms, such as high-low-medium, is called qualitative.
  • Security controls are identified through risk mitigation strategies.
  • Risk treatment includes accepting, transferring, reducing, or avoiding the risk.
  • Monitoring, reviewing, communicating the results, and improving the security posture are continual improvement processes in the risk management cycle.
  • Security posture is the overall plan of the organization pertaining to its security. It includes security governance, policies, procedures, and compliance.
  • Information security is the preservation of the Confidentiality, Integrity, and Availability (CIA) of assets:
    • Confidentiality: Unauthorized users should not view the information
    • Integrity: Unauthorized users should not modify the information
    • Availability: Authorized users can access the information whenever they need to
  • A threat is an event that could compromise information security by causing loss or damage to assets. A vulnerability is a hole or weakness in the system.
  • A threat can exploit vulnerabilities through threat agents. A threat event, through its agents, exploiting a vulnerability is called an attack. The end result of an attack could be a security violation.
  • A security violation is a compromise of the confidentiality, integrity, or availability requirements of the asset.
  • The information life cycle includes handling, processing, transporting, storing, archiving, and destroying the information.
  • Information protection includes risk management, risk reporting, and accountability.
  • Aligning and integrating information security with enterprise governance and IT governance frameworks is called information security strategy.
  • Information security policy states the management intent, support, and direction for security.
  • Procedures, guidelines, and standards are called administrative controls.
  • Technical controls are used to support management and administrative controls through information systems.
  • Due diligence is understanding risk and estimating the risk values, and due care is implementing security governance.
  • Privacy is the protection of Personally Identifiable Information (PII) or Sensitive Personal Information (SPI) of individuals.
  • A computer crime is a fraudulent activity that is perpetrated against computers or IT systems.
  • In computer crime, the term computer refers to the role it plays in different scenarios: crime committed against a computer, crime committed using the computer, and computer incidental in the crime.
  • Data breach is a security incident in which sensitive, protected, or confidential data is copied, transmitted, viewed, stolen, or used by an unauthorized entity.
  • The code of ethics is based on the safety of the commonwealth; duty to principals such as employers, contractors, and the people a professional works for; and duty to each other.
  • The (ISC)² code of professional ethics includes four clauses. They are:
    • Protect society, the commonwealth, and the infrastructure
    • Act honorably, honestly, justly, responsibly, and legally
    • Provide a diligent and competent service to principals
    • Advance and protect the profession
  • A personnel security policy concerns people associated with the organization such as employees, contractors, and consultants.
  • Risks to the availability of assets are addressed through business continuity management processes.
  • An event that could impact regular operations for a prolonged period of time can be termed a disruptive event.
  • Addressing the risks by way of plans and procedures for the continuation of business operations during and after a disruptive event is called Business Continuity Planning (BCP).
  • Asset security is based on asset classification and CIA values; asset classification helps to devise suitable security controls.
  • The need-to-know principle establishes that one has to demonstrate specific needs to know or access information that is classified as sensitive.
  • Core secret, top secret, secret, confidential, public trust, and unclassified are the types of information classification in the United States.
  • Private and public sector corporate entities classify information under four categories: confidential, private, sensitive, and public.
  • Data that remains on digital media even after erasing or formatting is called residual data, and the property of media to retain such data is called data remanence.
  • Privacy laws stipulate data collection limitations pertaining to personal data.
  • The segregation of duties or the separation of duties is a security control measure used to ensure that mutually exclusive roles are not assigned to a single user concurrently.
  • Data can be traditionally grouped under three categories: Personally Identifiable Information (PII), Intellectual Property (IP), and Non-Public Information (NPI).
  • Data in motion refers to information as it moves around the organization. Information that is stored within the organization is considered data at rest. Information that is used by the staff and data that is available on endpoints is considered data in use.
  • Data Loss Prevention (DLP) controls are based on who is causing the incident, what actions the individual carried out to cause it, who else is involved and where, and what action is taken.
  • Hashing is a method in which a cryptographic value (a hash) is computed from the contents of a document and periodically recomputed and compared with the stored value to validate that the contents are unchanged. Hashing uses mathematical algorithms to compare hashes, and it provides integrity.
  • Establishing the identity of the receiver or sender in a digital communication is accomplished through digital signatures.
  • Secure disposal of media, labeling, access restrictions, formal records of authorized recipients, the storage of media, data distribution, marking, the review of distribution lists, and the control of publicly available information are a few data handling controls.
  • Security engineering is based on design principles, practices, and models to ensure the confidentiality, integrity, and availability requirements of information assets.
  • Trusted computer systems are systems that have a well-defined security policy, accountability, assurance mechanisms, and proper documentation.
  • Encapsulation is a technique to hide information from unauthorized entities.
  • Abstraction is the process of hiding the details and exposing only the essential features of a particular concept or object that are encapsulated.
  • A logical security guard is a security mechanism used to control the communication between entities labeled low-sensitivity and high-sensitivity.
  • In information security, the term assurance means the level of trust or the degree of confidence in the satisfaction of security needs.
  • The Take-Grant protection model is a computer security model that specifies how rights are obtained (taken) by one entity from another or transferred (granted) by one entity to another.
  • The Bell-LaPadula security model focuses on confidentiality; it prescribes access controls for classified or confidential information. A simple way to remember this model is: no read up, no write down.
  • The Biba model focuses on data integrity. A simple way to remember this model is: no read down, no write up.
  • The Clark-Wilson model focuses on integrity and aims to address multilevel security requirements in computing systems.
  • The primary purpose of vulnerability and penetration tests is to identify, evaluate, and mitigate the risks due to vulnerability exploitation.
  • Testing from an external network with no prior knowledge of the internal networks and systems is referred to as black-box testing.
  • Performing the test from an external network or within the network with the knowledge of networks and systems is referred to as white-box testing.
  • Testing from an external and/or internal network with some knowledge of internal networks and systems is referred to as gray-box testing. This is usually a combination of black-box testing and white-box testing.
  • An algorithm in cryptography is a series of well-defined steps that provide the procedure for encryption/decryption.
  • If only one key is used, then it is called symmetric key encryption; if two keys are used, then it is called asymmetric key encryption; and if no key is used, then it is called .
  • When the algorithm operates on a single bit, byte, or computer word at a time, with a key stream that changes constantly, it is called a stream cipher.
  • If the algorithm operates on a block of text (as opposed to a single bit or byte), then it is known as a block cipher.
  • A digital signature is a type of public key cryptography where the message is digitally signed using the sender's private key.
  • Steganography refers to the art of concealing information within computer files such as documents, images, or any multimedia content.
  • IEEE 802.11 is a set of standards for Wireless Local Area Networking (WLAN). Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA) are some commonly used protocols for encryption in this communication standard.
  • Public Key Infrastructure (PKI) is a framework that enables the integration of various cryptography-related services. It uses asymmetric cryptography and digital certificates.
  • The time span during which a specific key is authorized for use by legitimate entities, or during which a specific key remains in effect for a given system, is known as a cryptoperiod.
  • Cryptanalysis is the science of analyzing and deciphering codes and ciphers.
  • The core structure of FIPS 140 recommends four security levels for cryptographic modules that protect sensitive information in federal systems, such as computer and telecommunication systems, including voice systems.
  • Open Systems Interconnection (OSI) is an International Organization for Standardization (ISO) layered architecture standard that defines a framework for implementing protocols in seven layers.
  • The four layers of the TCP/IP model are the application layer, the transport layer, the network/internet layer, and the data link layer.
  • TCP SYN attacks establish thousands of half-open connections to consume server resources.
  • A tunnel in a computer network is a secure path or route for datagrams to pass through an insecure or untrusted network; a VPN is an example.
  • Snooping/eavesdropping, theft of services, and Denial-of-Service (DoS) are common attacks on communication systems.
  • The overall process of facilitating and managing identities and controlling access to assets while ensuring information security is termed Identity and Access Management (IAM).
  • Identity and access management consists of four distinctive principles and practices. They are Identification, Authentication, Authorization, and Accountability.
  • Authentication, Authorization, and Accountability are together referred to as the Triple A (AAA) of access control.
  • When identity and access management applications and associated services are delivered through subscription-based cloud models, such services are termed Identity as a Service (IDaaS).
  • Access management is facilitated through authentication and authorization processes.
  • If access to an object is controlled based on certain contextual parameters, such as location, time, sequence of responses, and access history, then it is known as context-dependent access control.
  • If the access is provided based on the attributes or content of an object, then it is called content-dependent access control.
  • Role-Based Access Control (RBAC) is a non-discretionary access control based on the subject's role or position in the organization.
  • When an entity (subject) is validated against a single credential, it is called one-factor authentication and generally uses the "what you know" principle.
  • When an entity (subject) is validated against two different credentials, it is called two-factor authentication and generally uses the "what you have" principle.
  • When an entity (subject) is validated against two or more different credentials, it is called multifactor authentication and generally uses the "what you are" principle.
  • When a Trojan horse is activated on a particular event (such as a particular date), then it is called a logic bomb.
  • Spoofing is a type of attack used to imitate a trusted entity, thereby making the system trust this imitated entity.
  • Vulnerability tests and assessments are performed to ascertain the presence of technical vulnerabilities or weaknesses in systems. When an identified vulnerability has not been published by the application vendor, it is called a zero-day vulnerability. When exploit code is published by a security or malicious group before a patch is released by the vendor, it is called a zero-day exploit.
  • Penetration testing is often performed to ascertain break-in possibilities in systems.
  • Synthetic transactions are generally used for performance monitoring, and hence, they are directly associated with the availability tenet of the information security triad.
  • Concurrency tests are performed to test the application with a concurrent user activity.
  • The misuse case test is the reverse of a use case test. In other words, performing a malicious act against a system is the misuse case of a normal act.
  • An API test involves the testing of functionality, performance, and the security of application programming interfaces.
  • Perimeter security relates to the security considerations pertaining to boundaries. Securing the entry and exit points of facilities, networks, and so on falls under perimeter security.
  • Interior security refers to the security considerations pertaining to the facilities that are inside the perimeter.
  • Based on the type of combustible material, fire is classified as Class A, Class B, Class C, and Class D.
  • Clean electrical power is a requirement for proper equipment functioning.
  • Some of the electrical power-related parameters that could affect equipment include Noise, Electromagnetic Interference (EMI), and Radio Frequency Interference (RFI).
  • For the proper functioning of computer systems, the humidity levels should be between 40 and 60 percent.
  • Auditing is a process to check and validate the effectiveness of controls. The primary tool that assists in the audit is an audit trail.
  • Mean Time Between Failures (MTBF) is a time measurement that specifies the average time between failures. This time is called the useful life of the device.
  • Mean Time to Repair (MTTR) indicates the downtime or the average time required to repair the device.
  • Degaussing is an effective method of destroying the data in magnetic media.
  • Information such as the location, time, discovery, securing, controlling, and maintenance of the evidence is called chain of evidence. The cycle of activities from the discovery of evidence to its preservation, transportation, admission in the court, and return to the owner is called the evidence life cycle.
  • An incident is an event that could possibly violate information security. The violation may breach the Confidentiality, Integrity, and Availability requirements of information assets.
  • When a systematic and procedural way of managing incidents is established in an organization, then it is called Incident Management. Incident management consists of incident reporting and responses to such reports.
  • Business Continuity Planning (BCP) is a process that proactively addresses the continuation of business operations during the aftermath of disruptive events. The aim is to prevent interruptions to operations.
  • Business Impact Analysis (BIA) is a type of Risk Assessment exercise that tries to assess qualitative and quantitative impacts on the business due to a disruptive event.
  • Recovery Time Objective (RTO) is the time frame within which systems should be recovered (indicated in terms of hours/days).
  • Recovery Point Objective (RPO) is the maximum period of time (or amount) of transaction data that the business can afford to lose in a successful recovery.
  • Disaster recovery is a process that enables a business to recover from an event that affects normal business operations for a prolonged period of time.
  • Systems engineering is a term that connotes the application of engineering concepts while designing application systems that are complex and large.
  • A system development life cycle model consists of many processes. They start from establishing needs (initiation) to archival or destruction (disposal).
  • Software development models include simplistic models such as the waterfall model; iterative models such as the incremental and spiral models; and complex models such as the agile framework.
  • Some of the important security controls in software development include the following:
    • The separation of development, test, and operational facilities
    • Change control processes and procedures
    • Security controls and the testing of vendor-supplied software packages
    • Checking for covert channels
  • Reliability is a quality parameter used to assure that application systems perform efficiently and effectively.
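The Bell-LaPadula and Biba mnemonics in the security engineering snippets above are easy to confuse under exam pressure, so here is an added Python example (written for this revision page, not taken from the book or from any product) that encodes both models as access-decision functions. The four-level label set, the "analyst" subject and the object names are constructed for illustration, and the labels are a strict linear order; real systems often use a partial-order lattice with compartments, which this example does not model.

```python
"""Access decisions under Bell-LaPadula (confidentiality) and Biba (integrity).

Added example; labels, subjects and objects are constructed for illustration.
"""
from enum import IntEnum


class Level(IntEnum):
    """A sensitivity level (BLP) or integrity level (Biba); higher value = higher level."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def blp_allows(action: str, subject: Level, obj: Level) -> bool:
    """Bell-LaPadula: no read up, no write down.

    read  -> simple security property: subject clearance >= object label
    write -> *-property:               subject clearance <= object label
    """
    if action == "read":
        return subject >= obj
    if action == "write":
        return subject <= obj
    raise ValueError(f"unknown action: {action!r}")


def biba_allows(action: str, subject: Level, obj: Level) -> bool:
    """Biba: no read down, no write up.

    read  -> simple integrity property: subject integrity <= object integrity
    write -> *-integrity property:      subject integrity >= object integrity
    """
    if action == "read":
        return subject <= obj
    if action == "write":
        return subject >= obj
    raise ValueError(f"unknown action: {action!r}")


def decision_table(model) -> dict:
    """Enumerate every (subject, object, action) decision for one model.

    Enumerating the full table is how you check a policy engine against the
    mnemonic rather than trusting a hand-written rule.
    """
    return {
        (s, o, action): model(action, s, o)
        for s in Level
        for o in Level
        for action in ("read", "write")
    }


def models_are_duals() -> bool:
    """Biba is BLP with the comparisons inverted: a BLP read decision equals
    the Biba write decision for the same pair of levels, and vice versa."""
    blp, biba = decision_table(blp_allows), decision_table(biba_allows)
    return all(
        blp[(s, o, "read")] == biba[(s, o, "write")]
        and blp[(s, o, "write")] == biba[(s, o, "read")]
        for s in Level
        for o in Level
    )


def denied_requests(model, requests):
    """Return the (subject, action, object) triples a model denies.

    Each request is (subject_name, subject_level, action, object_name, object_level).
    """
    return [
        (who, action, what)
        for who, s_level, action, what, o_level in requests
        if not model(action, s_level, o_level)
    ]


# Constructed sample: one analyst cleared to SECRET touching objects at other levels.
SAMPLE_REQUESTS = [
    ("analyst", Level.SECRET, "read", "ops-report", Level.CONFIDENTIAL),
    ("analyst", Level.SECRET, "read", "board-minutes", Level.TOP_SECRET),
    ("analyst", Level.SECRET, "write", "ops-report", Level.CONFIDENTIAL),
    ("analyst", Level.SECRET, "write", "board-minutes", Level.TOP_SECRET),
]

if __name__ == "__main__":
    for name, model in (("Bell-LaPadula", blp_allows), ("Biba", biba_allows)):
        print(name, "denies:", denied_requests(model, SAMPLE_REQUESTS))
    print("models are duals:", models_are_duals())
```

Running the script shows the mirror image directly: Bell-LaPadula denies the analyst reading the TOP_SECRET minutes and writing into the CONFIDENTIAL report (no read up, no write down), while Biba denies exactly the opposite two requests (no read down, no write up). Same-level reads and writes are permitted under both models, which is why the strict inequalities in the mnemonics are implemented as `>=` and `<=`.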