CISSP Exam
3 access/security control categories - correct answer-1. administrative: implemented by
creating org policy, procedure, regulation. user awareness/training also fall here
2. technical: implemented using hardware, software, firmware that restricts logical access to
a system
3. physical: locks, fences, walls, etc
abstraction mechanism - correct answer-"black box" doctrine that says users of an object
don't necessarily need to know the details of how the object works
access control matrix - correct answer-table of subjects and objects that indicates the
actions or functions that each subject can perform on each object; each column is an access
control list and each row is a capabilities list
accounting (accountability) - correct answer-reviewing log files to check for compliance and
violations in order to hold subjects accountable for their actions
Address Resolution Protocol (ARP) / Reverse ARP - correct answer-ARP is used to resolve
IP addresses into MAC addresses (while RARP is used to resolve MAC addresses into IP
addresses); both function using caching and broadcasting; sometimes exploited using ARP
cache poisoning, in which bogus information is inserted into the ARP cache to trigger default
gateway transmission
administrators - correct answer-responsible for granting appropriate access to personnel;
assigning permissions is the key function; typically use a role-based control model
advisory policy - correct answer-discusses behaviors and activities that are acceptable and
defines consequences of violations (most fall into this category)
analytic attack - correct answer-algebraic manipulation that attempts to reduce the
complexity of the algorithm; focus on the logic of the algorithm itself
AND operation - correct answer-AND requires both inputs to be true, represented with the ^
symbol
annual rate of occurrence (ARO) - correct answer-number of losses suffered per year
annualized loss expectancy (ALE) - correct answer-yearly cost due to risk
SLE x ARO = ALE
application layer (layer 7) - correct answer-interfaces user applications, network services, or
OS with the protocol stack
application level gateway firewall - correct answer-also called a proxy firewall; copies
packets from one network into another; copy process changes the source and destination
addresses to protect identities; filters traffic based on the internet service used to transmit or
receive the data
asynchronous communication - correct answer-relies on a stop and start delimiter to manage
the transmission of data; best suited for smaller amounts of data as a result
auditing (monitoring) - correct answer-recording a log of the events and activities related to
the system and subjects
authentication - correct answer-verification that a person is who they say they are; ex:
entering a password or PIN, biometrics, etc - always a two-step process together with identification
authorization - correct answer-verification of a person's access or privileges to applicable
data
Availability (CIA Triangle) - correct answer-ensures data is available when needed to
authorized users
baseband - correct answer-supports only a single communication channel; uses a direct
current applied to the cable; form of a digital signal
baseline - correct answer-a uniform way of implementing a standard
Bell-LaPadula Model - correct answer-developed in the 1970s; focused primarily on
confidentiality; 3 principles
1. simple security property: a subject may not read information at a higher sensitivity level
(no read up)
2. star security property: a subject may not write to an object at a lower sensitivity (no write
down)
3. discretionary security property: the system uses an access matrix to enforce discretionary
access control
Biba Model - correct answer-inverted Bell-LaPadula model; focused more on integrity; 2
principles
1. simple integrity property: a subject cannot read an object at a lower integrity level (no read
down)
2. star integrity property: a subject cannot modify an object at a higher integrity level (no
write up)
birthday attack - correct answer-aka collision attack or reverse hash matching; seeks to find
flaws in the one to one nature of hash functions
Brewer and Nash Model - correct answer-created to change dynamically based on a user's
previous activity; applies to a single integrated database, it seeks to create security domains
that are sensitive to the notion of conflict of interest, known as a Chinese wall
broadband - correct answer-can support multiple simultaneous signals; uses frequency
modulation to support numerous channels; suitable for high throughput rates
broadcast transmission - correct answer-supports communication to all possible recipients
brouter - correct answer-combination device comprising a router and a bridge; attempts to
route first but defaults to bridging if that fails; systems on either side are part of different
collision domains; used to connect network segments that use the same protocol
brute force attack - correct answer-attempts every possible combination for a key or
password; requires massive amounts of processing power
business continuity planning (BCP) - correct answer-assessing the risks to organizational
processes and crafting policies, plans, and procedures to minimize the impact of those risks
capabilities list - correct answer-maintains a row of security attributes for each controlled
object; not as flexible as a token, but provides for quicker lookups when a request is made
cascading (composition theory) - correct answer-input for one system comes from the output
of another system
certificate authorities - correct answer-neutral organizations that offer notarization services
for digital certificates; identity must be proven; assisted by registration authorities (RAs)
certificate enrollment - correct answer-identity proven to CA, other identification documents
could be requested, X.509 certificate created, CA then digitally signs the certificate
certificate revocation - correct answer-1. compromise (private key disclosure)
2. erroneously issued (issued without proper verification)
3. details of the cert have changed
4. security association has changed (termination, etc)
certificate verification - correct answer-verified by checking the digital signature using the
public key; key is authentic if:
1. the digital signature of the CA is authentic
2. you trust the CA
3. the certificate is not on the certificate revocation list (CRL)
4. the certificate actually contains the data you are trusting
change management - correct answer-ensure that any change does not lead to reduced or
compromised security; also responsible for roll backs; make all changes subject to detailed
documentation and auditing
chosen ciphertext - correct answer-the attacker has the ability to decrypt chosen portions of
the ciphertext message and use the decrypted portion to discover the key