Help
Options
Didn't know it?
click below
click below
Knew it?
click below
click below
Don't Know
Remaining cards (0)
Know
retry
shuffle
restart
0:00
Embed Code - If you would like this activity on your web page, copy the script below and paste it into your web page.
Normal Size Small Size show me how
Normal Size Small Size show me how
CISSP
| Term | Definition |
|---|---|
| Access Value * Exposure Factor (AV * EF) | Single Loss Expectancy (SLE) |
| SLE * ARO | ALE |
| Analytic Attack | Focuses on algorithm structural weaknesses (ex |
| Statistical Attack | Focuses on algorithm statistical weaknesses (ex |
| Implementation Attack | Exploits the software code/methodology employed to program the encryption system |
| Ciphertext-Only | Attacker only has ciphertext to discover the key |
| Chosen-Ciphertext | Attacker has the ability to decrypt chosen portions of the ciphertext and compares it to the decrypted portion to discover the key |
| Chosen-Plaintext (differential) | Attacker has the ability to encrypt chosen portions of the plaintext and compares it to the encrypted portion to discover the key |
| Brute Force | Attempts every possible combination for a key or password; successful if given enough time |
| Birthday (aka Collision attack) | Based on the probability of two different messages having the same hash function that produces the same message digest |
| Known key | Attacker knows something about the key |
| Replay | Attacker intercepts traffic between two endpoints and retransmits or replays it later |
| Side channel | Use physical data such as CPU cycles to break encryption |
| Rainbow Tables | Precompiled list of plaintext with the associated ciphertext |
| Bell-LaPadula | Reading down and Writing Up |
| Bell-LaPadula | Simple Security Property and *Security Property |
| Simple Security Property | A subject at a specific classification level cannot read an object at a higher classification level. |
| *Security Property | a subject at a higher classification cannot write to a lower classification level. |
| Bell-LaPadula | This security model contains Strong and Weak Tranquility Property states. |
| Strong Tranquility Property | Security labels will not change while the system is operating. |
| Weak Tranquility Property | Security lables will not change in a way that conflicts with defined security properties. |
| Lattice-based access controls | Defined upper and lower access limits implemented by the system. Allows reaching higher and lower data classification depending on the need of the subject. |
| Biba Model | Simple Integrity Axiom and *Integrity Axiom |
| Biba Model | No read down and no write up. |
| Simple Integrity Axiom | A subject at a specific classification level cannot read data at a lower classification. |
| *Integrity Axiom | A subject at a specific classification level cannot write to data at a higher classification. |
| Clark-Wilson | Integrity model that requires subjects to access objects via programs. |
| Clark-Wilson | Integrity model that uses well-formed transactions and separation of duties. |
| Clark-Wilson | Integrity model that requires that users are authorized to access and modify data and that data is modified in only authorized ways. |
| Brewer-Nash | Also called the Chinese Wall model |
| Brewer-Nash | Conflicts of interest are identified so that once a consultant gains access that person cannot read or write to an opposing Conflict of Interest. |
| Noninterference | Ensures that data at different security domains remain separate from one another. |
| Noninterference | Model that ensures covert channel communication does not occur. |
| Take-grant protection model | Model that contains rules that govern the interactions between subjects and objects. Rules include take, grant, create and remove. |
| Zachman Framework for Enterprise Architecture | Six frameworks for providing information security asking what, how, where, who, when and why. |
| Graham-Denning Model | Model that has 8 rules and deals with objects, subjects and rules. |
| Harrison-Ruzzo-Ullman Model | Maps subjects, objects and access rights. |
| 4 Modes of Operation | Dedicated, System High, Compartmented, Multilevel. |
| Dedicated Mode | Systems contain objects of one classification label only. All subjects must posses a clearance equal to or greater than the label of the objects |
| System High Mode | System contains objects of mixed labels. All subjects must possess a clearance equal to the system's highest object. |
| Compartmented Mode | All subjects accessing the system have the necessary clearance, but do not have the appropriate formal access approval. |
| Multilevel Mode | Stores objects of differing sensitivity labels and allows system access by subjects with differing clearances. |
| Common Criteria | TCSEC, ITSEC, CTCPEC and the Federal Criteria were used to create this. |
| Bell-LaPadula | Operating systems that provide multilevel security and mandatory access control are based on this model. |
| Discretionary Protection | Classification C of TCSEC |
| Formal and Verified Protection | Classification A of TCSEC |
| Mandatory Protection | Classification B of TCSEC |
| Minimal Protection | Classification D of TCSEC |
| Multi-state | Permits two or more classification levels of information to be processed at the same time. |
| Bell-LaPadula | Security model that enforces the principle that the security levels of an object should never change. |
| Brewer-Nash | Ensures conflicts of interest are minimized through dynamic access control. |
| Valid, Revoked or Suspended | What are the valid statuses that a certificate can have on a CRL? |
| Single Authority Trust | A third-party central certifying authority signs a certificate and authenticates the owner of the key. |
| Hierarchical Trust | The Root CA is typically responsible for authentication outside the organization. Intermediate and Leaf CAs are distributed throughout the organization to facilitate registration and distribution of certificates. |
| Web of Trust | There is no CA to certify certificate owners. Good for a group of people who verify each other. |
| Hybrid-Cross Certification Trust | Combination of hierarchical and mesh models This is when two or more separate authorities establish a trust relationship among each other. This model is best suited for peer-to-peer relationships, such as business partners. |
| XML Key Information Service Specification (X-KISS) | Describes the syntax that allows a client to delegate tasks required to process XML signature elements to a trust service Minimizes the complexity of applications that use XML digital signatures |
| XML Key Registration Service Specification (X-KRSS) | Protocol for registration of public key information. Aids in key recovery |
| Program Status Word (PSW) | Holds different condition bits. One of the bits indicates whether the CPU should be working in user mode (also called problem state) or privileged mode (also called kernel or supervisory mode). |
| Multitasking | multiple tasks run simultaneously on one CPU. |
| Multiprocessing | multiple processes run on multiple CPUs |
| Symmetric Multiprocessing | One OS manages all CPUs |
| Asymmetric Multiprocessing | One OS per CPU |
| Multithreading | multiple tasks running simultaneously on one CPU. |
| Multiprogramming | multiple programs running on on CPU |
| Watchdog Timer | Designed to recover a system by rebooting after critical processes hang or crash. |
| Respond, Activate Team, Communicate, Assess, Reconstitution | What are the steps of the disaster recovery process? |
| Business Continuity Plan (BCP) | Provide procedures for sustaining essential business operations while recovering from a significant disruption. |
| Business Recover (or Resumption) Plan (BRP) | Provide procedures for recovering business operations immediately following a disaster. |
| Continuity of Operations Plan (COOP) | Provide procedures and capabilities to sustain an organizations's essential strategic functions at an alternate site for up to 30 days. |
| Continuity of Support Plan/IT Contingency Plan | Provide procedures and capabilities for recovering a major application or general support system. |
| Crisis Communications Plan | Provides procedures for disseminating status reports to personnel and the public. |
| Cyber Incident Response Plan | Provide strategies to detect, respond to, and limit consequences of malicious cyber incident. |
| Disaster Recovery Plan (DRP) | Provide detailed procedures to facilitate recovery of capabilities at an alternate site. |
| Occupant Emergency Plan (OEP) | Provide coordinated procedures for minimizing loss of life or injury and protecting properly damage in response to a physical threat. |
| Recovery Time Objective (RTO) | the amount of time allowed for recovery of a business function or resource after a disaster occurs |
| Maximum Tolerable Downtime (MTD) | the maximum length of time a business function can be unavailable without causing irreparable harm to the business |
| Work Recovery Time (WRT) | time required to configure a recovered system |
| Mean Time Between Failures (MTBF) | how long a new or repaired part will run before failing |
| Mean Time to Repair (MTTR) | how long it takes to recover a failed system |
| Minimum Operating Requirements (MOR) | minimum environmental and connection required to operate |
| Recovery time objective (RTO) and Work recovery time (WRT)- (MTD = RTO + WRT) | MTD composed of what two metrics |
| Critical | need in minutes to hours |
| Urgent | need in 24 hours or less |
| Important | need in 72 hours |
| Normal | need in 7 days |
| Nonessential | need in 30 days |
| Recovery Point Objective (RPO) | the moment in time in which data must be recovered and made available to users in order to resume business operations |
| Discretionary Access Control (DAC) | Access control model where subjects have full control over objects they have been given access to. |
| Mandatory Access Control (MAC) | Access control model that is system enforced based on subject clearance and object labels. |
| Non-Discretionary Access Control | RBAC and Text-based access control are examples. |
| Content-dependent | access control that allows access to content directly related to the subject, but not the same content related to someone else. |
| Context-dependent | access control that applies additional context before granting access, such as a time constraint. |
| Access aggregation | additional access that occurs as users gain more access to more systems. Can result in authorization creep. |
| Authorization creep | Users gaining more access without shedding old entitlements. |
| Formal access approval | documented approval from the data owner for a subject to access certain objects, requiring the subject to understand all of the rules and requirements. |
| Rule-based access control | access control system where rules are in the form of if/then statements. |
| Hashing | one way encryption using an algorithm and no key. |
| Synchronous dynamic token | use time or counters to synchronize with authentication server. |
| asynchronous dynamic token | token that is not synchronized with a central server. Challenge-response token |
| Enrollment | Registering with a biometric system. |
| Biometric response time or throughput | process of authenticating to a biometric system. |
| Zero Knowledge or black box testing | penetration test that begins with no external or trusted information. |
| Full knowledge or crystal box testing | penetration test that begins with internal information including network diagrams, polices and procedures. |
| Partial knowledge | penetration test that is somewhere between zero knowledge and full knowledge. |
| meta-directory | identity management create to gather the necessary information from multiple sources and store in one central directory. |
| virtual directory | similar to meta-directory, but the identity data points to where the data resides instead of physically storing the data in its directory. |
| memory card | a card that holds information, but cannot process information. |
| smart card | a card that holds information and has the necessary hardward and software to process information. |
| Blackout | Prolonged loss of power |
| Brownout | Prolonged low voltage |
| Fault | Short loss of power |
| Surge | Prolonged high voltage |
| Spike | Temporary high voltage |
| Sag | Temporary low voltage |
| Plenum | space above dropped ceilings and wall cavities and space under raised floors. |
| Locard's principle | A criminal leaves something behind and takes something with them. Evidence dynamics. |
| The Open Source Security Testing Methodology (OSSTMM) | Pentesting instructions |
| Policy | Mandatory high-level management directive. |
| Procedure | Step-by-step guide for accomplishing a task. |
| Standard | Describes the specific use of technology. Mandatory |
| Guideline | recommendations that can be a useful piece of advice. |
| Baseline | Uniform way to implement a safeguard. |
| Due Care | Doing what a reasonable person would do. Sometimes called the "prudent man" rule. |
| Due Diligence | A step beyond due care. Management of due care. |
| OCTAVE (Operationally Critical Threat, Asset, ad Vulnerability Evaluation) | Three phase process for managing risk put out by the Carnegie Mellon University. |
| Web of Trust | PGP relies on this approach in it's key management. Each user generates and distributes his or her public key, and users sign each other's public keys, which creates a community of users who trust each other. |
| GNU Privacy Guard | The free replacement for PGP |
| IGMP | Used to report multicast group membership to routers. |
Created by:
mikehance
Popular Computers sets