CISSP

Term | Definition
Asset Value * Exposure Factor (AV * EF) | Single Loss Expectancy (SLE)
SLE * ARO | ALE
Analytic Attack | Focuses on algorithm structural weaknesses (ex
Statistical Attack | Focuses on algorithm statistical weaknesses (ex
Implementation Attack | Exploits the software code/methodology employed to program the encryption system
Ciphertext-Only | Attacker only has ciphertext to discover the key
Chosen-Ciphertext | Attacker has the ability to decrypt chosen portions of the ciphertext and compares them to the decrypted portion to discover the key
Chosen-Plaintext (differential) | Attacker has the ability to encrypt chosen portions of the plaintext and compares them to the encrypted portion to discover the key
Brute Force | Attempts every possible combination for a key or password; succeeds if given enough time
Birthday (aka Collision attack) | Based on the probability that two different messages hashed with the same function produce the same message digest
Known key | Attacker knows something about the key
Replay | Attacker intercepts traffic between two endpoints and retransmits or replays it later
Side channel | Uses physical data such as CPU cycles to break encryption
Rainbow Tables | Precompiled list of plaintexts with their associated ciphertexts
Bell-LaPadula | Reading down and writing up
Bell-LaPadula | Simple Security Property and *Security Property
Simple Security Property | A subject at a specific classification level cannot read an object at a higher classification level.
*Security Property | A subject at a higher classification cannot write to a lower classification level.
Bell-LaPadula | This security model contains Strong and Weak Tranquility Property states.
Strong Tranquility Property | Security labels will not change while the system is operating.
Weak Tranquility Property | Security labels will not change in a way that conflicts with defined security properties.
Lattice-based access controls | Defined upper and lower access limits implemented by the system. Allows reaching higher and lower data classifications depending on the needs of the subject.
Biba Model | Simple Integrity Axiom and *Integrity Axiom
Biba Model | No read down and no write up.
Simple Integrity Axiom | A subject at a specific classification level cannot read data at a lower classification.
*Integrity Axiom | A subject at a specific classification level cannot write to data at a higher classification.
Clark-Wilson | Integrity model that requires subjects to access objects via programs.
Clark-Wilson | Integrity model that uses well-formed transactions and separation of duties.
Clark-Wilson | Integrity model that requires that users are authorized to access and modify data and that data is modified in only authorized ways.
Brewer-Nash | Also called the Chinese Wall model
Brewer-Nash | Conflicts of interest are identified so that once a consultant gains access, that person cannot read or write to an opposing conflict of interest.
Noninterference | Ensures that data in different security domains remain separate from one another.
Noninterference | Model that ensures covert channel communication does not occur.
Take-grant protection model | Model that contains rules that govern the interactions between subjects and objects. Rules include take, grant, create and remove.
Zachman Framework for Enterprise Architecture | Six frameworks for providing information security, asking what, how, where, who, when and why.
Graham-Denning Model | Model that has 8 rules and deals with objects, subjects and rules.
Harrison-Ruzzo-Ullman Model | Maps subjects, objects and access rights.
4 Modes of Operation | Dedicated, System High, Compartmented, Multilevel.
Dedicated Mode | System contains objects of one classification label only. All subjects must possess a clearance equal to or greater than the label of the objects.
System High Mode | System contains objects of mixed labels. All subjects must possess a clearance equal to the system's highest object.
Compartmented Mode | All subjects accessing the system have the necessary clearance, but do not have the appropriate formal access approval.
Multilevel Mode | Stores objects of differing sensitivity labels and allows system access by subjects with differing clearances.
Common Criteria | TCSEC, ITSEC, CTCPEC and the Federal Criteria were used to create this.
Bell-LaPadula | Operating systems that provide multilevel security and mandatory access control are based on this model.
Discretionary Protection | Classification C of TCSEC
Formal and Verified Protection | Classification A of TCSEC
Mandatory Protection | Classification B of TCSEC
Minimal Protection | Classification D of TCSEC
Multi-state | Permits two or more classification levels of information to be processed at the same time.
Bell-LaPadula | Security model that enforces the principle that the security levels of an object should never change.
Brewer-Nash | Ensures conflicts of interest are minimized through dynamic access control.
Valid, Revoked or Suspended | What are the valid statuses that a certificate can have on a CRL?
Single Authority Trust | A third-party central certifying authority signs a certificate and authenticates the owner of the key.
Hierarchical Trust | The Root CA is typically responsible for authentication outside the organization. Intermediate and Leaf CAs are distributed throughout the organization to facilitate registration and distribution of certificates.
Web of Trust | There is no CA to certify certificate owners. Good for a group of people who verify each other.
Hybrid-Cross Certification Trust | Combination of hierarchical and mesh models. This is when two or more separate authorities establish a trust relationship with each other. This model is best suited for peer-to-peer relationships, such as business partners.
XML Key Information Service Specification (X-KISS) | Describes the syntax that allows a client to delegate tasks required to process XML signature elements to a trust service. Minimizes the complexity of applications that use XML digital signatures.
XML Key Registration Service Specification (X-KRSS) | Protocol for registration of public key information. Aids in key recovery.
Program Status Word (PSW) | Holds different condition bits. One of the bits indicates whether the CPU should be working in user mode (also called problem state) or privileged mode (also called kernel or supervisory mode).
Multitasking | Multiple tasks run simultaneously on one CPU.
Multiprocessing | Multiple processes run on multiple CPUs.
Symmetric Multiprocessing | One OS manages all CPUs.
Asymmetric Multiprocessing | One OS per CPU.
Multithreading | Multiple tasks run simultaneously on one CPU.
Multiprogramming | Multiple programs run on one CPU.
Watchdog Timer | Designed to recover a system by rebooting after critical processes hang or crash.
Respond, Activate Team, Communicate, Assess, Reconstitution | What are the steps of the disaster recovery process?
Business Continuity Plan (BCP) | Provides procedures for sustaining essential business operations while recovering from a significant disruption.
Business Recovery (or Resumption) Plan (BRP) | Provides procedures for recovering business operations immediately following a disaster.
Continuity of Operations Plan (COOP) | Provides procedures and capabilities to sustain an organization's essential strategic functions at an alternate site for up to 30 days.
Continuity of Support Plan/IT Contingency Plan | Provides procedures and capabilities for recovering a major application or general support system.
Crisis Communications Plan | Provides procedures for disseminating status reports to personnel and the public.
Cyber Incident Response Plan | Provides strategies to detect, respond to, and limit the consequences of a malicious cyber incident.
Disaster Recovery Plan (DRP) | Provides detailed procedures to facilitate recovery of capabilities at an alternate site.
Occupant Emergency Plan (OEP) | Provides coordinated procedures for minimizing loss of life or injury and protecting property from damage in response to a physical threat.
Recovery Time Objective (RTO) | The amount of time allowed for recovery of a business function or resource after a disaster occurs.
Maximum Tolerable Downtime (MTD) | The maximum length of time a business function can be unavailable without causing irreparable harm to the business.
Work Recovery Time (WRT) | Time required to configure a recovered system.
Mean Time Between Failures (MTBF) | How long a new or repaired part will run before failing.
Mean Time to Repair (MTTR) | How long it takes to recover a failed system.
Minimum Operating Requirements (MOR) | The minimum environmental and connection requirements needed to operate.
Recovery Time Objective (RTO) and Work Recovery Time (WRT) (MTD = RTO + WRT) | MTD is composed of what two metrics?
Critical | Needed in minutes to hours
Urgent | Needed in 24 hours or less
Important | Needed in 72 hours
Normal | Needed in 7 days
Nonessential | Needed in 30 days
Recovery Point Objective (RPO) | The moment in time to which data must be recovered and made available to users in order to resume business operations.
Discretionary Access Control (DAC) | Access control model where subjects have full control over objects they have been given access to.
Mandatory Access Control (MAC) | Access control model that is system enforced based on subject clearance and object labels.
Non-Discretionary Access Control | RBAC and Text-based access control are examples.
Content-dependent | Access control that allows access to content directly related to the subject, but not the same content related to someone else.
Context-dependent | Access control that applies additional context before granting access, such as a time constraint.
Access aggregation | Additional access that accumulates as users gain access to more systems. Can result in authorization creep.
Authorization creep | Users gaining more access without shedding old entitlements.
Formal access approval | Documented approval from the data owner for a subject to access certain objects, requiring the subject to understand all of the rules and requirements.
Rule-based access control | Access control system where rules are in the form of if/then statements.
Hashing | One-way encryption using an algorithm and no key.
Synchronous dynamic token | Uses time or counters to synchronize with the authentication server.
Asynchronous dynamic token | Token that is not synchronized with a central server; a challenge-response token.
Enrollment | Registering with a biometric system.
Biometric response time or throughput | Process of authenticating to a biometric system.
Zero knowledge or black box testing | Penetration test that begins with no external or trusted information.
Full knowledge or crystal box testing | Penetration test that begins with internal information including network diagrams, policies and procedures.
Partial knowledge | Penetration test that is somewhere between zero knowledge and full knowledge.
Meta-directory | Identity management directory created to gather the necessary information from multiple sources and store it in one central directory.
Virtual directory | Similar to a meta-directory, but the identity data points to where the data resides instead of physically storing the data in its directory.
Memory card | A card that holds information, but cannot process information.
Smart card | A card that holds information and has the necessary hardware and software to process information.
Blackout | Prolonged loss of power
Brownout | Prolonged low voltage
Fault | Short loss of power
Surge | Prolonged high voltage
Spike | Temporary high voltage
Sag | Temporary low voltage
Plenum | Space above dropped ceilings, in wall cavities and under raised floors.
Locard's principle | A criminal leaves something behind and takes something with them. Evidence dynamics.
The Open Source Security Testing Methodology Manual (OSSTMM) | Pentesting instructions.
Policy | Mandatory high-level management directive.
Procedure | Step-by-step guide for accomplishing a task.
Standard | Describes the specific use of technology. Mandatory.
Guideline | Recommendations that can be a useful piece of advice.
Baseline | Uniform way to implement a safeguard.
Due Care | Doing what a reasonable person would do. Sometimes called the "prudent man" rule.
Due Diligence | A step beyond due care. Management of due care.
OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) | Three-phase process for managing risk, put out by Carnegie Mellon University.
Web of Trust | PGP relies on this approach in its key management. Each user generates and distributes his or her public key, and users sign each other's public keys, which creates a community of users who trust each other.
GNU Privacy Guard | The free replacement for PGP.
IGMP | Used to report multicast group membership to routers.
Created by: mikehance