_______________ is a layer 2 connection mechanism that uses packet-switching technology to establish virtual circuits between the communication endpoints.
(a) ISDN (b) Frame Relay (c) SMDS (d) ATM
Answer: (b)
Explanation: Frame Relay is a layer 2 connection mechanism that uses packet-switching technology to establish virtual circuits between the communication endpoints. The Frame Relay network is a shared medium across which virtual circuits are created to provide point-to-point communications. All virtual circuits are independent of, and invisible to, each other.
What is needed to allow an external client to initiate a communication session with an internal system if the network uses a NAT proxy?
(a) IPsec tunnel (b) Static mode NAT (c) Static private IP address (d) Reverse DNS
Answer: (b)
Explanation: Static mode NAT is needed to allow an outside entity to initiate communications with an internal system behind a NAT proxy.
At which OSI model layer does the IPsec protocol function?
(a) Data Link (b) Transport (c) Session (d) Network
Answer: (d)
Explanation: IPsec operates at the Network layer (Layer 3).
When you’re designing a security system for internet-delivered email, which of the following is least important?
Explanation: Although availability is a key aspect of security in general, it is the least important aspect of security systems for internet-delivered email.
What is the function of the network access server in a RADIUS environment?
(a) Authentication server (b) Client (c) AAA server (d) Firewall
Answer: (b)
Explanation: The network access server is the client within a RADIUS architecture. The RADIUS server is the authentication server and provides authentication, authorisation & accounting (AAA) services. The network access server might have a host firewall enabled, but that isn’t the primary function.
Accountability requires all of the following items except one. Which item is not required for accountability?
Who, or what, grants permissions to users in a DAC model?
(a) Administrators (b) Access control list (c) Assigned labels (d) The data custodian
Answer: (b)
Explanation: The data custodian (or owner) grants permissions to users in a Discretionary Access Control (DAC) model. Administrators grant permission for resources they own, but not for all resources in a DAC model. A rule-based access control model uses an access control list. The Mandatory Access Control (MAC) model uses labels.
Which of the following models is also known as an identity-based access control model?
(a) DAC (b) RBAC (c) Rule-based access control (d) MAC
Answer: (a)
Explanation: A Discretionary Access Control (DAC) model is an identity-based access control model. It allows the owner (or data custodian) of a resource to grant permissions at the discretion of the owner. The rule-based access control model is based on roles within an ACL. The Mandatory Access Control (MAC) model uses assigned labels to identify access.
A central authority determines which files a user can access. Which of the following best describes this?
(a) An access control list (ACL) (b) An access control matrix (c) Discretionary Access Control model (d) Non-discretionary access control model
Answer: (d)
Explanation: A non-discretionary access control model uses a central authority to determine which objects (such as files) users (and other subjects) can access. In contrast, a Discretionary Access Control (DAC) model allows users to grant & reject access to any objects they own. An ACL is an example of a rule-based access control model that uses rules, not roles.
Which of the following BEST describes a characteristic of the MAC model?
Explanation: The Mandatory Access Control (MAC) model is prohibitive (not permissive) and uses an implicit-deny (not explicit-deny) philosophy. It uses labels rather than rules.
Role-Based Access Control (RBAC) models use task-based roles; users gain privileges when administrators place their accounts into a role.
Rule-based access control models use a set of rules, restrictions or filters to determine access.
The Mandatory Access Control (MAC) model uses labels to identify security domains. Subjects need matching labels to access objects.
Understand basic risk elements
Risk is the possibility or likelihood that a threat can exploit a vulnerability and cause damage to assets.
Asset valuation identifies the value of assets.
Threat modelling identifies threats against those assets.
Vulnerability analysis identifies weaknesses in an organisation’s valuable assets.
Access aggregation is a type of attack that combines (or aggregates) non-sensitive information to learn sensitive information, and is used in reconnaissance attacks.
Know how brute-force & dictionary attacks work
Brute-force and dictionary attacks are carried out against a stolen password database file or the logon prompt of a system. They are designed to discover passwords.
In brute-force attacks, all possible combinations of keyboard characters are used, whereas a predefined list of possible passwords is used in a dictionary attack.
Account lockout controls reduce their effectiveness against online attacks.
Understand the need for strong passwords
Strong passwords make password-cracking utilities less successful.
Strong passwords include multiple character types and are not words contained in a dictionary.
Password policies ensure that users create strong passwords.
Passwords should be encrypted when stored, and encrypted when sent over a network.
Authentication can be strengthened by using an additional factor beyond just passwords.
Understand how salt & pepper thwarts password attacks
Salts add additional bits to a password before hashing it, and help thwart rainbow table attacks.
Some algorithms, such as bcrypt and PBKDF2 (Password-Based Key Derivation Function 2), add the salt and repeat the hashing functions many times.
Salts are stored in the same DB as the hashed password.
A pepper is a large constant number used to further increase the security of the hashed password, and it is stored somewhere outside the database holding the hashed passwords.
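The salt-and-pepper scheme above, as an added worked example (not code from the original notes): each user gets a random per-user salt stored beside the digest, the pepper is a constant secret held outside the credential table and mixed in with HMAC, and PBKDF2 does the repeated hashing. The pepper value, iteration count and the in-memory credential table are constructed placeholders for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed placeholder: a real pepper is a random secret held outside the
# password database (config secret, HSM, KMS), never in the same table as the hashes.
PEPPER = b"placeholder-pepper-stored-outside-the-db"
DEFAULT_ITERATIONS = 600_000  # PBKDF2 work factor; tune to your hardware


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a password.

    The salt is random and per-user, so identical passwords hash differently and
    precomputed rainbow tables are useless. The pepper is mixed in with HMAC before
    PBKDF2 stretching, so a stolen table alone cannot be cracked offline.
    """
    if salt is None:
        salt = os.urandom(16)
    peppered = hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes,
                    iterations: int = DEFAULT_ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, expected)


# Simulated credential table: the salt lives beside the digest, the pepper does not.
UserTable = Dict[str, Tuple[bytes, bytes]]


def register(table: UserTable, username: str, password: str,
             iterations: int = DEFAULT_ITERATIONS) -> None:
    table[username] = hash_password(password, iterations=iterations)


def login(table: UserTable, username: str, password: str,
          iterations: int = DEFAULT_ITERATIONS) -> bool:
    record = table.get(username)
    if record is None:
        return False
    salt, digest = record
    return verify_password(password, salt, digest, iterations)


if __name__ == "__main__":
    db: UserTable = {}
    register(db, "alice", "correct horse battery staple")
    register(db, "bob", "correct horse battery staple")  # same password, different salt
    print(db["alice"][1] != db["bob"][1])                 # True
    print(login(db, "alice", "correct horse battery staple"))  # True
    print(login(db, "alice", "wrong"))                    # False
```

Two users with the same password end up with different digests because their salts differ, and an attacker holding only the table cannot mount an offline attack without the pepper.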
Understand sniffer attacks
In a sniffer (or snooping) attack, an attacker uses a packet-capturing tool (such as a sniffer or protocol analyser) to capture, analyse and read data sent over a network.
Attackers can easily read data sent over a network in cleartext, but encrypting data in transit thwarts this type of attack.
Understand spoofing attacks
Spoofing is pretending to be something or someone else, and it is used in many types of attacks, including access control attacks.
Attackers often try to obtain the credentials of users so they can spoof the user’s identity. Spoofing attacks include email spoofing, phone number spoofing and IP spoofing.
Many phishing attacks use spoofing methods.
Understand social engineering
A social engineering attack is an attempt by an attacker to convince someone to provide information (such as a password) or perform an action they wouldn’t normally perform (such as clicking on a malicious link), resulting in a security compromise.
Social engineers often try to gain access to the IT infrastructure or the physical facility.
User education is an effective tool to prevent the success of social engineering attacks.
Understand phishing
Phishing attacks are commonly used to try to trick users into giving up personal information (such as user accounts & passwords), click a malicious link, or open a malicious attachment.
Spear phishing targets specific groups of users, and whaling targets high-level executives.
Subjects are active entities (such as users) that access passive objects (such as files)
A user is a subject who accesses objects while performing some action or accomplishing a work task.
Know the various types of access controls
You should be able to identify the type of any given access control.
Access controls may be:
preventive (to stop unwanted or unauthorised activity from occurring)
detective (to discover unwanted or unauthorised activity)
corrective (to restore systems to normal after an unwanted or unauthorised activity has occurred)
deterrent (attempt to discourage violation of security policies, by encouraging people not to take an unwanted action)
recovery (attempt to repair/restore resources, functions & capabilities after a security policy violation)
directive (attempt to direct, confine or control the action of subjects to force or encourage compliance with security policy)
compensating (provide options or alternatives to existing controls to aid in enforcement & support of a security policy)
Know the implementation methods of access controls
Controls are implemented as administrative, logical/technical or physical controls.
Administrative (or management) controls include policies or procedures to enforce overall access control.
Logical/technical controls include hardware or software mechanisms used to manage access to resources and systems, and provide protection for those resources and systems.
Physical controls include physical barriers deployed to prevent direct contact and access with systems or areas within a facility.
Understand the difference between identification & authentication
Access controls depend on effective identification & authentication, so it’s important to understand the differences between them.
Subjects claim an identity, and identification can be as simple as a username.
Subjects prove their identity by providing authentication credentials, such as the matching password for a username.
Understand the difference between authorisation & accountability
After authenticating subjects, systems authorise access to objects based on their proven identity.
Auditing logs and audit trails record events including the identity of the subject that performed the action.
The combination of effective identification, authentication & auditing provides accountability.
Understand the details of primary authentication factors
The three primary factors of authentication are:
something you know (such as a password or PIN)
something you have (such as a smartcard or token)
something you are (based on biometrics)
Multi-factor authentication includes two or more authentication factors, and using it is more secure than using a single authentication factor.
Passwords are the weakest form of authentication, but password policies help increase their security by enforcing complexity and history requirements.
Smartcards include microprocessors and cryptographic certificates, and tokens create one-time passwords.
Biometric methods identify users based on characteristics such as fingerprints.
The crossover error rate (CER) identifies the accuracy of a biometric method. It shows where the false rejection rate (FRR) is equal to the false acceptance rate (FAR).
Understand single sign-on
Single sign-on (SSO) is a mechanism that allows subjects to authenticate once and access multiple objects without authenticating again.
Kerberos is the most common SSO method used within organisations, and it uses symmetric cryptography and tickets to prove identification and provide authentication.
When multiple organisations want to use a common SSO system, they often use a federated identity management system, where the federation (group of organisations) agrees on a common method of authentication.
Security Assertion Markup Language (SAML) is commonly used to share federated identity information.
Other SSO methods are scripted access, SESAME and KryptoKnight.
OAuth and OpenID are two newer SSO technologies used on the Internet. OAuth 2.0 is recommended over OAuth 1.0 by many large organisations such as Google.
Understand the purpose of AAA protocols
Several protocols provide centralised authentication, authorisation and accounting services.
Network access (or remote access) systems use AAA protocols. For example, a network access server is a client to a RADIUS server, and the RADIUS server provides AAA services.
RADIUS uses UDP and encrypts the password only.
TACACS+ uses TCP and encrypts the entire session.
Diameter is based on RADIUS and improves many of its weaknesses, but is not cross-compatible.
Diameter is becoming more popular with mobile IP systems such as smartphones.
Understand the identity & access provisioning lifecycle
The identity & access provisioning lifecycle refers to the creation, management & deletion of accounts.
Provisioning accounts ensures that they have appropriate privileges based on task requirements.
Periodic reviews ensure that accounts don’t have excessive privileges, and follow the principle of least privilege.
Revocation includes disabling accounts as soon as possible when an employee leaves the company, and deleting accounts when they are no longer needed.
Understand the issues around remote access security management
Remote access security management requires that security system designers address the hardware & software components of an implementation along with issues relating to policy, work tasks & encryption.
Be familiar with the various protocols and mechanisms that may be used on LANs and WANs for data communications [TODO]
These are:
SKIP
SWIPE
SET
PPP
SLIP
CHAP
PAP
EAP
S-RPC
VPN
TLS/SSL
VLAN
Know what tunnelling is
Tunnelling is the encapsulation of a protocol-deliverable message within a second protocol. The second protocol often performs encryption to protect the message contents.
VPNs are based on encrypted tunnelling.
They can offer authentication & data protection as a point-to-point solution.
Common VPN protocols are PPTP, L2F, L2TP and IPSec.
Be able to explain NAT
NAT protects the addressing scheme of a private network, allows the use of private IP addresses, and enables multiple internal clients to obtain internet access through a few public IP addresses.
NAT is supported by many security border devices, such as firewalls, routers, gateways & proxies.
Understand the difference between packet switching & circuit switching
In circuit switching, a dedicated physical pathway is created between the two communicating parties.
Packet switching occurs when the message or communication is broken up into small segments and sent across the intermediary networks to the destination.
Within packet switching systems are two types of communication paths (or virtual circuits): permanent virtual circuits (PVCs) and switched virtual circuits (SVCs).
Understand the difference between dedicated and non-dedicated lines
A dedicated line is always on and is reserved for a specific customer. Examples of dedicated lines include T1, T3, E1, E3 and cable modems.
A non-dedicated line requires a connection to be established before data transmission can occur. It can be used to connect with any remote system that uses the same type of non-dedicated lines. Standard modems, DSL and ISDN are examples of non-dedicated lines.
Know various issues related to remote access security
Be familiar with:
remote access
dial-up connections
screen scrapers
virtual applications/desktops
general telecommuting security concerns.
Know the various types of WAN technologies
Know that most WAN technologies require a channel service unit/data service unit (CSU/DSU), sometimes called a WAN switch.
There are many types of carrier networks & WAN connection technologies, such as:
X.25
Frame Relay
ATM
SMDS
SDH
SONET
Some WAN connection technologies require additional protocols to support various types of specialised systems or devices.
Understand the differences between PPP & SLIP
The Point-to-Point Protocol (PPP) is an encapsulation protocol designed to support the transmission of IP traffic over dial-up or point-to-point links.
PPP includes a wide range of communication services, including:
assignment & management of IP addresses
management of synchronous communications
standardised encapsulation
multiplexing
link configuration
link quality testing
error detection
feature/option negotiation (e.g. compression)
PPP was originally designed to support CHAP & PAP for authentication. Recent versions also support MS-CHAP, EAP and SPAP.
PPP replaced SLIP (Serial Line Internet Protocol). SLIP offered no authentication, supported only half-duplex comms, had no error detection capabilities, and required manual link establishment & teardown.
Understand common characteristics of security controls
Security controls should be transparent to users.
Hash totals & CRC checks can be used to verify message integrity.
Record sequences are used to ensure sequence integrity of a transmission.
Transmission logging helps detect communication abuses.
Understand how email security works
Internet email is based on SMTP, POP3 and IMAP. It is inherently insecure.
It can be secured, but the methods used must be addressed in a security policy.
Email security solutions include using S/MIME, MOSS, PEM or PGP.
Know how fax security works
Fax security is primarily based on using encrypted transmissions or encrypted communication lines to protect the faxed materials.
The primary goal is to prevent interception. Activity logs and exception reports can be used to detect anomalies in fax activity that could be symptoms of attack.
Know the threats associated with PBX systems and the countermeasures to PBX fraud
Countermeasures to PBX fraud & abuse include many of the same precautions you would employ to protect a typical computer network:
logical or technical controls
administrative controls
physical controls.
Understand the security issues related to VoIP
VOIP is at risk for:
Caller ID spoofing
Vishing
SPIT
Call manager software/firmware attacks
Phone hardware attacks
DoS
MitM
Spoofing
Switch hopping
Recognise what a phreaker is
Phreaking is a specific type of attack in which various types of technology are used to circumvent the telephone system to make free long-distance calls, alter the function of telephone service, steal specialised services, or even cause service disruptions.
Common tools of phreakers include black, red, blue and white boxes.
Understand voice communications security
Voice communications are vulnerable to many attacks, especially as voice communications become an important part of network services.
You can obtain confidentiality by using encrypted communications.
Countermeasures must be deployed to protect against interception, eavesdropping, tapping and other types of exploitation.
Be familiar with voice comms topics, such as POTS/PSTN, PBX & VoIP.
Be able to explain what social engineering is
Social engineering is a means by which an unknown person gains the trust of someone inside your organisation by convincing employees that they are, for example, associated with upper management, technical support or the helpdesk.
The victim is often encouraged to make a change on the system, such as reset their password, so the attacker can use it to gain access to the network.
The primary countermeasure for this sort of attack is user training.
Explain the concept of security boundaries
A security boundary can be the division between one secured area and another secured area.
It can also be the division between a secured area and an unsecured area.
Both must be addressed in a security policy.
Understand the various network attacks & countermeasures associated with communications security [TODO]
Communication systems are vulnerable to many attacks, including:
DDoS
eavesdropping
impersonation
replay
modification
spoofing
ARP & DNS attacks
Be able to supply effective countermeasures for each.
By examining the source & destination addresses, the application usage, the source of origin and the relationship between current packets with previous packets of the same session, __________ firewalls are able to grant a broader range of access for authorised users and activities, and actively watch for and block unauthorised users & activities.
Which wireless frequency access method offers the greatest throughput with the least interference?
(a) FHSS (b) DSSS (c) OFDM (d) OSPF
Answer: (c)
Explanation: Orthogonal frequency-division multiplexing (OFDM) offers the greatest throughput with the least interference. Frequency hopping spread spectrum (FHSS) and direct sequence spread spectrum (DSSS) are other wireless frequency access methods; OSPF is a routing method.
What function does ARP perform?
(a) It is a routing protocol (b) It resolves IP addresses into MAC addresses (c) It resolves physical addresses into logical addresses (d) It manages multiplex streaming
Answer: (b)
Explanation: ARP resolves IP addresses into MAC addresses (i.e. logical addresses into physical addresses).
_______ firewalls are known as third-generation firewalls
Explanation: Routers operate at the Network layer (Layer 3) of the OSI model.
At what layer of the Capability Maturity Model for Software (SW-CMM) are quantitative measures utilised to gain a detailed understanding of the software development process?
(a) Repeatable (b) Defined (c) Managed (d) Optimising
Know the different cabling types, their lengths and maximum throughput rates (TODO)
This includes:
STP
10BaseT (UTP)
10Base2 (thinnet)
10Base5 (thicknet)
100BaseT
1000BaseT
Fibre-optic
You should also be familiar with UTP categories 1 to 7.
Be familiar with the common LAN technologies [TODO]
The most common LAN technology is Ethernet
Also be familiar with:
analog vs digital comms
synchronous vs asynchronous comms
baseband vs broadband comms
broadcast, multicast & unicast comms
CSMA, CSMA/CA and CSMA/CD [TODO]
token passing [TODO]
polling [TODO]
Understand secure network architecture & design
Network security should take into account:
IP and non-IP protocols
network access control
using security services & devices
managing multilayer protocols
implementing endpoint security
Understand the various types & purposes of network segmentation
Network segmentation can be used to manage traffic, improve performance and enforce security.
Examples of network segmentations or sub-networks include intranet, extranet & DMZ.
Understand the different wireless technologies
Mobile phones, Bluetooth (802.15) and Wi-Fi (802.11) are all called wireless technologies, even though they are very different. Be aware of their differences, strengths & weaknesses.
Understand 802.11, a, b, g, n and ac:
Original 802.11 (2 Mbps)
802.11a (54 Mbps)
802.11b (11 Mbps)
802.11g (54 Mbps)
802.11n (600 Mbps)
802.11ac (1+ Gbps)
The 802.11 standard also defines WEP.
TKIP (Temporal Key Integrity Protocol) was designed as the replacement for WEP without requiring replacement of legacy wireless hardware. TKIP was implemented as WPA (Wi-Fi Protected Access).
802.11i defines WPA2: a new encryption scheme known as the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), which uses AES-128 encryption.
A captive portal is an authentication technique that redirects a newly-connected wireless Web client to a portal access control page.
Understand the basics of securing 802.11 networking
disabling SSID broadcast and/or changing the SSID to something unique
enabling MAC filtering
considering the use of static IPs or DHCP reservations
enabling the highest supported version of encryption
treating wireless as remote access and employing 802.1x, RADIUS or TACACS
separating WAPs from the LAN with firewalls
monitoring all wireless activity with an IDS
considering requiring wireless clients to connect with a VPN to gain LAN access
Understand Fibre Channel
Fibre Channel is a form of network data storage solution – i.e. SAN (storage area network)/NAS (network-attached storage) – that allows for high-speed file transfers.
FCoE (Fibre Channel over Ethernet) is used to encapsulate Fibre Channel communications over Ethernet networks.
Understand iSCSI
iSCSI (Internet Small Computer System Interface) is a network storage standard based on IP.
Understand EAP, PEAP & LEAP
EAP (Extensible Authentication Protocol) is an authentication framework rather than a specific mechanism of authentication.
Effectively, EAP allows for new authentication technologies to be compatible with existing wireless or point-to-point connection techniques.
PEAP (Protected EAP) encapsulates EAP methods within a TLS tunnel that provides authentication and potentially encryption.
LEAP (Lightweight EAP) is a Cisco proprietary alternative to TKIP for WPA. This was developed to address deficiencies in TKIP before the 802.11i (WPA2) system was ratified as a standard.
Understand MAC filtering
A MAC filter is a list of authorised wireless client interface MAC addresses that is used by a WAP to block access to all non-authorised devices.
Understand SSID broadcast
Wireless networks traditionally announce their SSID on a regular basis within a special packet known as the beacon frame.
When the SSID is broadcast, any device with an automatic detect & connect feature is not only able to see the network, but can also initiate a connection with it.
Understand antenna types
A wide variety of antenna types can be used for wireless clients and base antennas.
These include:
omni-directional pole antennas
directional antennas such as Yagi, cantenna, panel & parabolic
Know the standard network topologies
These are:
ring
bus
star
mesh.
Know the common network devices
Common network devices are:
firewalls
routers
bridges
modems
repeaters
switches
gateways
proxies.
Understand the different types of firewalls
There are several types of firewalls:
Static packet filtering: First-gen. Operates at L3.
Application-level gateway: Second-gen. Operates at L7.
Circuit-level gateway: Also second-gen. Operates at L5. Example: SOCKS proxy
Stateful inspection (aka dynamic packet filtering): Third gen. Operates at L3 & L4.
Deep packet inspection: Typically operates at Application layer (L7). Often integrated with app-layer and/or stateful inspection firewalls
Next-gen: Multi-function device which can include IDS/IPS, TLS/SSL proxy, web filtering, QoS, NAT, VPN anchoring etc.
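The difference between a first-generation static packet filter and a third-generation stateful inspection firewall (the "relationship between current packets and previous packets of the same session" from the fill-in question earlier on this page), as an added example that is not part of the original notes. The addresses, ports and traffic are constructed; the session model is deliberately simplified (no TCP flags or timeouts).

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed addressing: 10.0.0.0/24 is the protected LAN, everything else is outside.
INTERNAL_PREFIX = "10.0.0."


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


class StaticPacketFilter:
    """First-generation filter: judges each packet on its own header fields.

    To let replies to outbound sessions back in, it has to open the whole
    ephemeral port range, which also admits unsolicited inbound packets.
    """

    def __init__(self, inbound_service_ports: Set[int]):
        self.inbound_service_ports = inbound_service_ports

    def allow(self, pkt: Packet) -> bool:
        if is_internal(pkt.src):
            return True  # outbound always permitted
        return pkt.dport in self.inbound_service_ports or pkt.dport >= 1024


class StatefulFilter:
    """Third-generation filter: records sessions opened from inside and admits
    an inbound packet only if it matches a remembered session or a published service."""

    def __init__(self, inbound_service_ports: Set[int]):
        self.inbound_service_ports = inbound_service_ports
        self.sessions: Set[Tuple[str, int, str, int, str]] = set()

    def allow(self, pkt: Packet) -> bool:
        if is_internal(pkt.src) and not is_internal(pkt.dst):
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return True
        if pkt.dport in self.inbound_service_ports:
            return True  # published service (e.g. a web server in the DMZ)
        # Reply direction: swap endpoints and look for the originating session.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.sessions


def run(fw, packets: List[Packet]) -> List[bool]:
    """Apply a filter to a packet sequence and return the allow/deny decisions."""
    return [fw.allow(p) for p in packets]


# Constructed traffic: a client browses out, the server replies, then an
# unrelated outside host sends an unsolicited packet to the same client port.
TRAFFIC = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 443),
    Packet("203.0.113.10", 443, "10.0.0.5", 40000),
    Packet("198.51.100.7", 443, "10.0.0.5", 40000),
]

if __name__ == "__main__":
    print(run(StaticPacketFilter({80}), TRAFFIC))  # [True, True, True]
    print(run(StatefulFilter({80}), TRAFFIC))      # [True, True, False]
```

The static filter cannot tell the legitimate reply from the unsolicited packet, because both arrive on an ephemeral port it had to leave open; the stateful filter admits only the packet whose endpoints match a session it saw the client open.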
Know the protocol services used to connect to LAN & WAN communication technologies (TODO)
These are:
Frame Relay
SMDS
X.25
ATM
HSSI
SDLC
HDLC
ISDN
Understand problems with cabling, and their countermeasures
Attenuation: ensure that you don’t exceed length recommendations (otherwise use repeaters)
Using the wrong category of cable: check the cable specifications against throughput requirements, and err on the side of caution
Crosstalk: use shielded cables, place cables in separate conduits, or use cables of higher twists per inch
Cable breaks: avoid running cables in locations where movement occurs
Interference: use cable shielding, cables with higher twists per inch, or switch to fibre-optic.
Eavesdropping: maintain physical security over all cable runs
You have three applications running on a single-core, single-processor system that supports multitasking. One of those applications is a word processing program that is managing two threads simultaneously. The other two applications are using only one thread of execution. How many application threads are running on the processor at any given time?
(a) One (b) Two (c) Three (d) Four
Answer: (a)
Explanation: A good example of reading the question! There are four threads in total, but a system with only one single-core processor can only physically run one thread at a time.
What type of federal government computing system requires that all individuals accessing the system have a need-to-know for all the information processed by the system?
(a) Dedicated (b) System high (c) Compartmented (d) Multilevel
Answer: (a)
What is the most effective means of reducing the risk of losing the data on a mobile device, such as a notebook computer?
(a) Defining a strong logon password (b) Minimising sensitive data stored on the mobile device (c) Using a cable lock (d) Encrypting the hard drive
Answer: (b)
What type of electrical component serves as the building block for dynamic RAM chips?
Explanation: (c) Flip-flops are used in static RAM (SRAM).
In which of the following security modes can you be assured that all users have access permissions for all information processed by the system, but not necessarily need-to-know for all the information?
(a) Dedicated (b) System high (c) Compartmented (d) Multilevel
Which of the following is a layer of the ring protection scheme that is not normally implemented in practice?
(a) Layer 0 (b) Layer 1 (c) Layer 3 (d) Layer 4
Answer: (b)
Explanation: The ring model is numbered from 0 to 3. Ring 0 contains the security kernel. Rings 1 and 2 contain device drivers but are not normally implemented in practice. Ring 3 contains user applications. Ring 4 does not exist!
What is the most common form of perimeter security device or mechanism?
No matter what form of physical access control is used, a security guard or other monitoring system may be deployed to prevent all but which of the following?
Explanation: Espionage cannot be prevented by physical access controls
Which of the following is NOT a disadvantage of using security guards?
(a) Security guards are usually unaware of the scope of the operations within a facility. (b) Not all environments & facilities support security guards (c) Not all security guards are themselves reliable (d) Prescreening, bonding & training do not guarantee effective and reliable security guards
Answer: (a)
Explanation: Security guards are usually unaware of the scope of the operations within a facility, which supports confidentiality of those operations and thus helps reduce the possibility that a security guard will be involved in the disclosure of confidential information.
Understand why there is no security without physical security
Without control over the physical environment, no amount of administrative or technical/logical controls can provide adequate security.
If a malicious person can gain physical access to your facility/equipment, they can do anything they want, including destruction, alteration & disclosure.
Know the three categories of security controls implemented to manage physical security
The controls implemented to manage physical security can be divided into three groups:
Administrative physical controls, including:
Facility construction & selection
Site management
Personnel controls
Awareness training
Emergency response procedures
Technical physical controls, which can be:
Access controls
Intrusion detection
Alarms
CCTV
Monitoring
HVAC
Power supplies
Fire detection & suppression
Physical controls for physical security, such as:
Fencing
Lighting
Locks
Construction materials
Mantraps
Dogs
Guards
Know when and how to use each, and be able to list examples of each kind.
Know the functional order of controls
The functional order of controls is:
Deter
Deny
Detect
Delay
Know the key elements in making a site selection and designing a facility for construction
Key elements in site selection:
Visibility
Composition of the surrounding area
Area accessibility
Effects of natural disasters
A key element in designing a facility is understanding the level of security needed by your organisation, and planning for it before construction begins
Know how to design & configure secure work areas
There should not be equal access to all locations within a facility.
Areas that contain assets should be located in the heart (or centre of protection) provided by a facility.
Centralised servers or computer rooms need not be human-compatible.
Understand the security concerns of a wiring closet
A wiring closet is where the networking cables for a whole building or just a floor are connected to other essential equipment such as patch panels, switches, routers, LAN extenders & backbone channels.
Most of the security for a wiring closet focuses on preventing physical unauthorised access.
If an unauthorised intruder gains access to the area, they may be able to steal equipment, pull/cut cables, or even plant a listening device.
Understand how to handle visitors in a secure facility
If a facility employs restricted areas to control physical security, then a mechanism to handle visitors is required.
Often an escort is assigned to visitors, and their access & activities are monitored closely.
Failing to track the actions of outsiders when they are granted access to a protected area can result in malicious activity against the most protected assets.
Understand security needs for media storage
Media storage facilities should be designed to securely store blank, reusable & installation media.
The concerns include theft, corruption & data remnant recovery.
Media storage facility protections include locked cabinets or safes, using a librarian/custodian, implementing a check-in/check-out process, and using media sanitisation.
Understand the concerns of evidence storage
Evidence storage is used to retain logs, drive images, VM snapshots and other datasets for recovery, internal & forensic investigations.
Know the common threats to physical access controls
No matter what form of physical access control is used, a security guard or other monitoring systems must be deployed to prevent abuse, masquerading & piggybacking.
Abuses of physical access controls include propping open secured doors and bypassing locks or access controls.
Masquerading is using someone else’s security ID to gain entry to a facility.
Piggybacking is following someone through a secured gate or doorway without being identified or authorised personally.
Understand the need for audit trails & access logs
Audit trails & access logs are useful tools even for physical access control.
They may need to be created manually by security guards, or they can be generated automatically if sufficiently automated access controls are in place (smartcards & certain proximity readers).
You should also consider monitoring entry points with CCTV; through CCTV, you can compare the audit trails & access logs with a visually-recorded history of the events.
Such information is critical to reconstructing the events of an intrusion, breach or attack.
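As an added illustration (not part of the original notes) of how automatically generated access logs expose the abuses listed above: the following C program replays a constructed badge-reader log and flags anti-passback violations, i.e. a badge reading IN while it is already inside (the holder tailgated out earlier, or the badge was cloned or shared) and a badge reading OUT when it never badged in (the holder piggybacked in). The log format, door and badge names are assumptions made for the example, not a real product's format.

```c
#include <stdio.h>
#include <string.h>

#define MAX_BADGES 32

/* Constructed badge-reader log for the example (not real data):
 * time, badge id, door, direction. */
static const char *sample_log[] = {
    "08:01:10 B1001 LOBBY IN",
    "08:01:12 B1002 LOBBY IN",
    "08:03:40 B1001 LOBBY OUT",
    "08:04:05 B1001 LOBBY IN",
    "08:30:00 B1002 LOBBY IN",   /* B1002 is already inside */
    "09:00:00 B1003 LOBBY OUT",  /* B1003 never badged in */
    "17:00:00 B1001 LOBBY OUT",
};
#define SAMPLE_LOG_LEN (sizeof sample_log / sizeof sample_log[0])

struct badge { char id[16]; int inside; };

/* Look a badge up in the occupancy table, adding it (as outside) if unseen. */
static struct badge *find_or_add(struct badge *tab, int *n, const char *id) {
    for (int i = 0; i < *n; i++)
        if (strcmp(tab[i].id, id) == 0) return &tab[i];
    if (*n >= MAX_BADGES) return NULL;
    snprintf(tab[*n].id, sizeof tab[*n].id, "%s", id);
    tab[*n].inside = 0;
    return &tab[(*n)++];
}

/* Replay the log in order, tracking whether each badge is inside.
 * An IN while already inside, or an OUT while outside, breaks the
 * anti-passback rule and is worth matching against the CCTV record.
 * Malformed lines and a full table are counted as anomalies rather
 * than skipped (fail closed). Returns the number of anomalies. */
int check_antipassback(const char **log, size_t n, int verbose) {
    struct badge tab[MAX_BADGES];
    int count = 0, anomalies = 0;
    for (size_t i = 0; i < n; i++) {
        char t[16], id[16], door[16], dir[8];
        if (sscanf(log[i], "%15s %15s %15s %7s", t, id, door, dir) != 4) {
            anomalies++;
            if (verbose) printf("malformed line: %s\n", log[i]);
            continue;
        }
        struct badge *b = find_or_add(tab, &count, id);
        if (b == NULL) { anomalies++; continue; }
        int entering = strcmp(dir, "IN") == 0;
        if (entering == b->inside) {
            anomalies++;
            if (verbose)
                printf("%s %s %s: %s\n", t, door, id,
                       entering ? "IN while already inside (tailgated out, or badge shared/cloned)"
                                : "OUT without a prior IN (piggybacked in)");
        }
        b->inside = entering;
    }
    return anomalies;
}

int main(void) {
    int n = check_antipassback(sample_log, SAMPLE_LOG_LEN, 1);
    printf("%d anomalies in %zu events\n", n, SAMPLE_LOG_LEN);
    return 0;
}
```

The badge log alone cannot say which explanation is true (a shared badge and a tailgating holder look identical); the point of the replay is to produce timestamps that can be lined up with the CCTV recording of that door.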
Understand the need for clean power
Power supplied by electricity companies is not always consistent or clean.
Most electronic equipment demands clean power in order to function properly. Equipment damage because of power fluctuations is a common occurrence.
Many organisations opt to manage their own power through several means.
A UPS is a type of self-charging battery that can be used to supply consistent, clean power to sensitive equipment.
UPSs also provide continuous power even after the primary power source fails. A UPS can continue to supply power for minutes or hours depending on its capacity and the draw by equipment.
Know the terms commonly associated with power issues
Fault
Blackout
Sag
Brownout
Spike
Surge
Inrush
Noise
Transient
Clean
Ground
Understand how to control the environment
In addition to power considerations, maintaining the environment involves control over HVAC mechanisms.
Rooms containing primarily computers should be kept at 60-75°F (15-23°C).
Humidity in a computer room should be maintained between 40 and 60%.
Too much humidity can cause corrosion.
Too little humidity causes static electricity. Even on non-static carpeting, if the environment has low humidity, it’s still possible to generate static discharges of 20kV. Even minimal levels of static discharge can destroy electronic equipment.
Understand the need to manage water leaking & flooding
Water leaking and flooding should be addressed in your environmental safety policy & procedures.
Plumbing leaks can cause significant damage.
If your computer systems come into contact with water, especially while they are operating, damage is sure to occur; also there’s an obvious electrocution risk.
Whenever possible, locate server rooms & critical computer systems away from water sources and transport pipes.
Understand the importance of fire detection & suppression
Protecting personnel from harm should always be the most important goal of any security or protection system.
In addition to protecting people, fire detection & suppression is designed to keep damage caused by fire, smoke, heat & suppression materials to a minimum, especially in regard to IT infrastructure.
The destructive elements of a fire include smoke & heat, but also the suppression medium, such as water or soda acid.
Smoke is damaging to most storage devices.
Heat can damage any electronic or computer component.
Suppression media can cause short circuits, corrosion or otherwise render equipment useless.
All of these issues must be addressed when designing a fire response system.
Understand personnel privacy & safety
In all circumstances, and under all conditions, the most important aspect of security is protecting people. Thus, preventing harm to people is the most important goal for all security solutions.
Be able to explain the differences between multitasking, multithreading, multiprocessing & multiprogramming
Multitasking is the simultaneous execution of more than one application on one computer, and is managed by the OS.
Multithreading permits multiple concurrent tasks to be performed within a single process.
Multiprocessing is the use of more than one processor to increase computing power.
In symmetric multiprocessing (SMP), processors share a common OS, data bus & memory resources
Massively parallel processing (MPP) systems house hundreds or thousands of processors, each with its own OS and memory/bus resources. This is a type of asymmetric multiprocessing.
Multiprogramming is similar to multitasking but takes place on mainframe systems and requires specific programming.
Understand the difference between single-state and multi-state processors
Single-state processors are capable of operating at only one security level at a time.
Multi-state processors can simultaneously operate at multiple security levels.
Multi-state systems are relatively uncommon because the additional controls they require are expensive to implement; it is usually cheaper to deploy multiple single-state processors/systems instead.
Describe the four security modes approved by federal government for processing classified information
Dedicated mode requires that all users have appropriate clearance, access permissions, and need-to-know for all information stored on the system.
System high mode keeps the clearance and access permission requirements for all information, but need-to-know is only required for some of the information.
Compartmented mode keeps the clearance requirement for all information, but access permissions and need-to-know are only required for some of the information.
Multilevel mode relaxes all three: clearance, access permissions and need-to-know are each required only for some of the information, so the system itself must enforce the separation between levels.
Explain the two layered operating modes
User applications operate in a limited instruction set environment known as ‘user mode’.
In the ring model, ring 3 runs in user mode.
The OS performs controlled operations in privileged mode, also known as system mode, kernel mode & supervisory mode.
Rings 0-2 run in supervisory or privileged mode.
Rings 1 & 2 run device drivers but are not normally implemented in practice – most OSes use only rings 0 and 3.
Describe the different types of memory used by a computer
ROM is non-volatile and can’t be written to by the end user.
The end user can write to PROM chips only once.
EPROM/UVEPROM chips may be erased through the use of ultraviolet light and can then have new data written to them.
EEPROM chips may be erased with electrical current and then have new data written to them.
RAM chips are volatile and lose their contents when the computer is powered off
DRAM is based on capacitors and requires constant refreshing
SRAM is based on “flip flops” and does not need refreshing (but is more costly)
Describe the different characteristics of devices used by computers
Primary storage is the same as memory.
Secondary storage consists of magnetic, flash & optical media whose contents must first be read into primary memory before the CPU can use the data.
Random access storage devices can be read at any point.
Sequential access devices require physically scanning through all the data preceding the desired location.
Know the security issues surrounding secondary storage devices
There are three main issues:
Removable media can be used to steal data.
Access controls & encryption must be applied to protect data.
Data can remain on the media even after file deletion or media formatting.
Understand security risks that I/O devices can pose
Input/output devices can be:
subject to eavesdropping & tapping
used to smuggle data out of an organisation
used to create unauthorised, insecure points of entry into an organisation’s systems & networks
Be prepared to recognise & mitigate such vulnerabilities.
Know the purpose of firmware
Firmware is software stored on a ROM chip.
At the computer level, it contains the basic instructions needed to start a computer. Firmware is also used to provide operating instructions in peripheral devices such as printers.
Be able to describe process isolation, layering, abstraction, data hiding & hardware segmentation
Process isolation ensures that individual processes can access only their own data.
Layering creates different realms of security within a process and limits communication between them
Abstraction creates “black box” interfaces for programmers to use without requiring knowledge of an algorithm’s or device’s inner workings.
Data hiding prevents information from being read from a different security level.
Hardware segmentation enforces process isolation with physical controls.
Understand how a security policy drives system design, implementation, testing & deployment.
The role of a security policy is to inform & guide the design, development, testing & maintenance of some particular system.
Understand cloud computing
Cloud computing is the popular term referring to a concept of computing where processing & storage are performed elsewhere over a network connection rather than locally.
Cloud computing is often thought of as Internet-based computing.
Understand the risks associated with cloud computing & virtualisation
Cloud computing & virtualisation, especially when combined, have serious risks associated.
Once sensitive, confidential or proprietary data leaves the confines of the organisation, it also leaves the protections imposed by the organisational security policy and resultant infrastructure.
Cloud services and their personnel might not adhere to the same security standards as your organisation.
Understand hypervisors
The hypervisor, also known as the virtual machine monitor (VMM), is the component of virtualisation that creates, manages & operates the virtual machines
In a Type I hypervisor (native or bare-metal) configuration, there is no host OS; instead the hypervisor installs directly onto the hardware where the host OS would normally reside.
In a Type II hypervisor (hosted hypervisor) configuration, a standard OS is present on the hardware, and the hypervisor is then installed as another software application.
Define CASB
A cloud access security broker (CASB) is a security policy enforcement solution that may be installed on-premises or be cloud-based.
Understand SECaaS
Security as a service (SECaaS) is a cloud provider concept in which security is provided to an organisation through or by an online entity.
Understand smart devices
Smart devices are a range of mobile devices that offer the user a plethora of customisation options, typically through installing apps, and may take advantage of on-device or in-the-cloud artificial intelligence (AI) processing.
Comprehend IoT
The Internet of Things (IoT) is a new subcategory or maybe even a new class of devices connected to the Internet in order to provide automation, remote control or AI processing to traditional or new appliances/devices in a home or office setting.
Understand mobile device security
Device security involves the range of potential security options/features that may be available for a mobile device.
PED (portable electronic device) security features include:
Full device encryption
Remote wiping
Lockout
Screen locks
GPS
Application control
Storage segmentation
Asset tracking
Inventory control
Mobile device management (MDM)
Device access control
Removable storage
Disabling of unused features
Not all PEDs have good security features.
Understand mobile application security
The apps & functions used on a mobile device need to be secured. Related concepts include:
Key management
Credential management
Authentication
Geotagging
Encryption
Application whitelisting
Transitive trust/authentication
Understand BYOD
Bring your own device (BYOD) is a policy that allows employees to bring their own personal mobile devices to work, and use them to connect to (or through) the company to business resources and/or the Internet.
Although BYOD may improve employee morale & job satisfaction, it increases security risks to the organisation.
Related issues include:
Data ownership
Support ownership
Patch management
Anti-virus management
Forensics
Privacy
On-boarding/off-boarding
Adherence to corporate policies
User acceptance
Architecture/infrastructure considerations
Legal concerns
Acceptable use policies
On-board cameras/video.
Understand embedded systems and static environments
An embedded system is typically designed around a limited set of specific functions in relation to the larger product of which it’s a component.
Static environments are applications, OSes, hardware sets or networks that are configured for a specific need, capability or function, and then set to remain unaltered.
Static environments, embedded systems and other limited or single-purpose computing environments need security management. Techniques may include:
Network segmentation
Security layers
Application firewalls
Manual updates
Firmware version control
Wrappers
Control redundancy & diversity.
Understand how the principles of least privilege, separation of privilege & accountability apply to computer architecture
The principle of least privilege ensures that only a minimum number of processes are authorised to run in supervisory mode.
Separation of privilege increases the granularity of secure operations.
Accountability ensures that an audit trail exists to trace operations back to their source.
Be able to explain what covert channels are
A covert channel is any method that is used to pass information but that is not normally intended for information transfer, and so bypasses the access controls that protect the normal channels.
Covert storage channel: one process writes to a shared storage attribute (a file name, a lock, free disk space) that a process at another security level can read.
Covert timing channel: one process modulates its use of a shared resource (CPU time, response latency) and the other process measures the timing to recover the signal.
Understand what buffer overflows & input checking are
A buffer overflow occurs when the programmer fails to check the size of input data prior to writing the data into a memory location.
In fact, any failure to validate input data could result in a security violation.
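To make the size check concrete, here is an added C example (not from the original notes) showing the unchecked copy beside its checked form, first for a C string and then for a length-prefixed binary record, where the declared length is attacker-controlled and must be checked against both the destination and the bytes actually received. NAME_MAX_LEN, the function names, the record layout and the sample messages are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 16   /* assumed fixed-size destination buffer */

/* VULNERABLE: nothing compares the input's size with the destination's.
 * strcpy keeps writing until it finds a NUL, so a 40-byte name overwrites
 * whatever follows dst in memory. Never call this with untrusted input. */
void set_name_unchecked(char dst[NAME_MAX_LEN], const char *src) {
    strcpy(dst, src);
}

/* HARDENED: bound the scan, reject over-long input instead of silently
 * truncating it, and guarantee NUL termination. Returns 0, or -1 on reject. */
int set_name_checked(char dst[NAME_MAX_LEN], const char *src) {
    size_t n = strnlen(src, NAME_MAX_LEN);   /* never reads past NAME_MAX_LEN bytes */
    if (n >= NAME_MAX_LEN) { dst[0] = '\0'; return -1; }  /* no room for the NUL */
    memcpy(dst, src, n + 1);
    return 0;
}

/* The same bug in binary form: a length-prefixed record [len][payload].
 * VULNERABLE: trusts the attacker-controlled length byte, so len=200
 * writes 200 bytes into a 16-byte buffer and reads past the message. */
int parse_record_unchecked(const uint8_t *msg, size_t msg_len, uint8_t out[NAME_MAX_LEN]) {
    (void)msg_len;                 /* the size we actually have is ignored */
    uint8_t len = msg[0];
    memcpy(out, msg + 1, len);
    return len;
}

/* HARDENED: three checks before any write - a header byte exists, the
 * declared length fits the destination, and the declared bytes are really
 * present (otherwise memcpy would read past the end of msg). */
int parse_record_checked(const uint8_t *msg, size_t msg_len, uint8_t out[NAME_MAX_LEN]) {
    if (msg_len < 1) return -1;
    uint8_t len = msg[0];
    if (len > NAME_MAX_LEN) return -1;
    if ((size_t)len > msg_len - 1) return -1;
    memcpy(out, msg + 1, len);
    return len;
}

/* Constructed sample messages for the example. */
static const uint8_t sample_good[]      = { 4, 'a', 'b', 'c', 'd' };
static const uint8_t sample_oversized[] = { 200, 'x' };     /* len says 200, buffer holds 16 */
static const uint8_t sample_truncated[] = { 8, 'a', 'b' };  /* len says 8, only 2 present */
static char name_buf[NAME_MAX_LEN];
static uint8_t rec_buf[NAME_MAX_LEN];

int main(void) {
    printf("alice: %d\n", set_name_checked(name_buf, "alice"));
    printf("too long: %d\n", set_name_checked(name_buf, "this-name-is-far-too-long"));
    printf("good record: %d\n", parse_record_checked(sample_good, sizeof sample_good, rec_buf));
    printf("oversized: %d\n", parse_record_checked(sample_oversized, sizeof sample_oversized, rec_buf));
    printf("truncated: %d\n", parse_record_checked(sample_truncated, sizeof sample_truncated, rec_buf));
    return 0;
}
```

The two checked versions reject rather than truncate: silently shortening input is itself a common source of bugs (a truncated path or username may refer to a different object than the caller intended), so the safer default is to fail and let the caller decide.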
Describe common flaws in security architectures
In addition to buffer overflows, programmers can leave back doors and privileged programs on a system after it is deployed
Even well-written systems can be susceptible to time-of-check to time-of-use (TOCTTOU) attacks.
Any state change could be a potential window of opportunity for an attacker to compromise a system.
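Added example, not from the original notes: the classic TOCTTOU window in C, where access() checks a path and open() later resolves the same path a second time, next to the fix of opening once and making every decision on the file descriptor. The function names, the temporary-directory self-test and the report-file scenario are assumptions made for the example; the code is POSIX-only.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* VULNERABLE: the check (access) and the use (open) each resolve the path
 * independently. In the window between them an attacker who controls the
 * directory can replace the file with a symlink, and the privileged process
 * then truncates and writes whatever the link points at. */
int write_report_racy(const char *path, const char *data) {
    if (access(path, W_OK) != 0)              /* time of check */
        return -1;
    int fd = open(path, O_WRONLY | O_TRUNC);  /* time of use: path resolved again */
    if (fd < 0) return -1;
    ssize_t w = write(fd, data, strlen(data));
    close(fd);
    return w < 0 ? -1 : 0;
}

/* HARDENED: open exactly once, refuse a symlink in the final component, then
 * decide on the descriptor with fstat. The descriptor is bound to one inode,
 * so nothing the attacker does to the path afterwards changes what we write
 * to. The st_nlink check also refuses a hard link planted by an attacker. */
int open_regular_file_safely(const char *path, int flags) {
    int fd = open(path, flags | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

int write_report_safe(const char *path, const char *data) {
    int fd = open_regular_file_safely(path, O_WRONLY | O_TRUNC);
    if (fd < 0) return -1;
    ssize_t w = write(fd, data, strlen(data));
    close(fd);
    return w < 0 ? -1 : 0;
}

/* Self-test in a fresh temporary directory: the real file is accepted, a
 * symlink to it is followed by the racy version and refused by the safe one.
 * Returns 1 when all three observations hold. */
int tocttou_selftest(void) {
    char tmp[] = "/tmp/tocttouXXXXXX", local[] = "tocttouXXXXXX";
    char *dir = mkdtemp(tmp);
    if (dir == NULL) dir = mkdtemp(local);   /* fall back to the working directory */
    if (dir == NULL) return 0;
    char file[64], link[64];
    snprintf(file, sizeof file, "%s/report.txt", dir);
    snprintf(link, sizeof link, "%s/report.lnk", dir);
    int ok = 0;
    int fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) {
        close(fd);
        if (symlink("report.txt", link) == 0) {     /* target relative to the link's dir */
            ok = write_report_safe(file, "ok\n") == 0   /* plain file: accepted */
              && write_report_safe(link, "x\n") == -1   /* symlink: O_NOFOLLOW refuses */
              && write_report_racy(link, "x\n") == 0;   /* racy version follows it */
            unlink(link);
        }
        unlink(file);
    }
    rmdir(dir);
    return ok;
}

int main(void) {
    printf("self-test %s\n", tocttou_selftest() ? "passed" : "failed");
    return 0;
}
```

O_NOFOLLOW only guards the final path component; if an attacker can swap a parent directory for a symlink, the complete fix is to hold a descriptor to a trusted directory and use openat() relative to it, so that no component of the path is resolved through attacker-controlled space.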
Which of the following are primary components of TCB? (Select all that apply)
(a) Reference monitor (b) Security kernel (c) Security perimeter (d) Hardware & software elements used to enforce the security policy
Answers: (a), (c), (d)
Explanation: The primary components of the trusted computing base (TCB) are the hardware and software elements used to enforce the security policy (these elements are called the TCB), the security perimeter distinguishing & separating TCB components from non-TCB components, and the reference monitor that serves as an access control device across the security perimeter.
What best describes a confined or constrained process?
(a) A process that can run only for a limited time (b) A process that can run only during certain times of the day (c) A process that can access only certain memory locations (d) A process that controls access to an object
Answer: (c)
What is a security perimeter? (Choose all that apply)
(a) The boundary of the physically secure area surrounding your system (b) The imaginary boundary that separates the TCB from the rest of the system (c) The network where your firewall resides (d) Any connections to your computer system
Answers: (b), (a)
Explanation: (b) is the best answer in the context of the Trusted Computing Base, but (a) is also true in the world of physical security.
What is the implied meaning of the simple property of Biba?
(a) Write down (b) Read up (c) No write up (d) No read down
Answer: (b)
Explanation: The stated meaning of the simple integrity axiom is “no read down”, which implies that “read up” is allowed.
What security model has a feature that in theory has one name or label, but when implemented into a solution, takes on the name or label of the security kernel
(a) Graham-Denning model (b) Deployment modes (c) Trusted computing base (d) Chinese Wall
Answer: (c)
Explanation: The TCB has a component known as the reference monitor in theory, which becomes the security kernel in implementation.
What is system certification?
(a) Formal acceptance of a stated system configuration (b) A technical evaluation of each part of a computer system to assess its compliance with security standards (c) A functional evaluation of the manufacturer’s goals for each hardware & software component to meet integration standards (d) A manufacturer’s certificate stating that all components were installed & configured correctly.
Answer: (b)
What is system accreditation?
(a) Formal acceptance of a stated system configuration (b) A technical evaluation of each part of a computer system to assess its compliance with security standards (c) A functional evaluation of the manufacturer’s goals for each hardware & software component to meet integration standards (d) A manufacturer’s certificate stating that all components were installed & configured correctly.