Security Engineering Flashcards Preview

CISSP > Security Engineering > Flashcards

Flashcards in Security Engineering Deck (69)
1
Q

Lacy’s manager has tasked her with researching an intrusion detection system for a new dispatching center. Lacy identifies the top five products and compares their ratings. Which of the following is the evaluation criteria framework most in use today for these types of purposes?
A. ITSEC
B. Common Criteria
C. Red Book
D. Orange Book

A

B. The Common Criteria was created in the early 1990s as a way of combining the strengths of both the Trusted Computer System Evaluation Criteria (TCSEC) and Information Technology Security Evaluation Criteria (ITSEC) while eliminating their weaknesses. The Common Criteria is more flexible than TCSEC and more straightforward than ITSEC. Because it is recognized globally, the Common Criteria helps consumers by reducing the complexity of the ratings and eliminating the need to understand the definition and meaning of different ratings within various evaluation schemes. This also helps manufacturers because now they can build to one specific set of requirements if they want to sell their products internationally instead of having to meet several different ratings with varying rules and requirements.

A is incorrect because ITSEC, or the Information Technology Security Evaluation Criteria, is not the most widely used. ITSEC was the first attempt at establishing a single standard for evaluating security attributes of computer systems and products by many European countries. Furthermore, ITSEC separates functionality and assurance in its evaluation, giving each a separate rating. It was developed to provide more flexibility than TCSEC and addresses integrity, availability, and confidentiality in networked systems. While the goal of the ITSEC was to become the worldwide criteria for product evaluation, it did not meet that goal and has been replaced with the Common Criteria.

C is incorrect because the Red Book is a U.S. government publication that addresses security evaluation topics for networks and network components. Officially titled the Trusted Network Interpretation, the book provides a framework for securing different types of networks. Subjects accessing objects on the network need to be controlled, monitored, and audited.

D is incorrect because the Orange Book is a U.S. government publication that primarily addresses government and military requirements and expectations for operating systems. The Orange Book is used to evaluate whether a product contains the security properties the vendor claims it does and whether the product is appropriate for a specific application or function. The Orange Book is used to review the functionality, effectiveness, and assurance of a product during its evaluation, and it uses classes that were devised to address typical patterns of security requirements. It provides a broad framework for building and evaluating trusted systems with great emphasis on controlling which users can access a system. The other name for the Orange Book is the Trusted Computer System Evaluation Criteria (TCSEC).

2
Q

Certain types of attacks have been made more potent by which of the following advances to microprocessor technology?
A. Increased circuits, cache memory, and multiprogramming
B. Dual mode computation
C. Direct memory access I/O
D. Increases in processing power

A

D. Due to the increase of personal computer and server processing power, it is now possible to be more successful in brute-force and cracking attacks against security mechanisms that would not have been possible a few years ago. Today’s processors can execute an amazing number of instructions per second. These instructions can be used to attempt to crack passwords or encryption keys or instructions to send nefarious packets to victim systems.

A is incorrect because increased circuits, cache memory, and multiprogramming do not make certain types of attacks more potent. Multiprogramming means that more than one program or process can be loaded into memory at the same time. This is what allows you to run your antivirus software, word processor, firewall, and e-mail client simultaneously. Cache memory is a type of memory used for high-speed writing and reading activities. When the system assumes (through its programmatic logic) that it will need to access specific information many times throughout its processing activities, it will store the information in cache memory so that it is easily and quickly accessible.

B is incorrect because the answer is a distracter. There is no real dual-mode computation when examining the advances in microprocessors.

C is incorrect because direct memory access (DMA) is a way of transferring instructions and data between I/O (input/output) devices and the system’s memory without using the CPU. This speeds up data transfer rates significantly. DMA basically offloads work from the CPU by ensuring that more simple instructions are interpreted and executed through other processing capabilities within the computer system. This is not an advancement to microprocessor technology.

3
Q

CPUs and operating systems can work in two main types of multitasking modes. What controls access and the use of system resources in preemptive multitasking mode?
A. The user and application
B. The program that is loaded into memory
C. The operating system
D. The CPU and user

A

C. Operating systems started out as cooperative and then evolved into preemptive multitasking. With preemptive multitasking, used in Windows 9x and later versions and in Unix systems, the operating system controls how long a process can use a resource. The system can suspend a process that is using the CPU (or other system resources) and allow another process access to it through the use of time sharing. Thus, operating systems that use preemptive multitasking run the show, and one application does not negatively affect another application if it behaves badly. In operating systems that used cooperative multitasking, the processes had too much control over resource release, and when an application hung, it usually affected all the other applications and sometimes the operating system itself.

A is incorrect because the user and application do not control access and the use of system resources in preemptive multitasking mode. The application, however, has more control over the use of system resources in cooperative multitasking mode. The operating system itself works in either preemptive or cooperative multitasking modes, not the applications or users.

B is incorrect because, as described in answer A, a program does not run in a specific multitasking mode; the operating system does. Cooperative multitasking, used in Windows 3.1 and early Macintosh systems, required the processes to voluntarily release resources that they were using. This was not necessarily a stable environment because if a programmer did not write his code properly to release a resource when his application was done using it, the resource would be committed indefinitely to his application and thus unavailable to other processes.

D is incorrect because the user and CPU do not control access and the use of system resources. Instead, the operating system controls the processor time slices that different processes can be allocated. Multitasking is the way that the operating system uses access to the CPU, which can be either cooperative or preemptive.

4
Q

Virtual storage combines RAM and secondary storage for system memory. Which of the following is a security concern pertaining to virtual storage?
A. More than one process uses the same resource.
B. It allows cookies to remain persistent in memory.
C. It allows for side-channel attacks to take place.
D. Two processes can carry out a denial-of-service.

A

A. When RAM and secondary storage are combined, the result is virtual memory. The system uses hard drive space, called swap space, that is reserved for the purpose of extending its RAM memory space. When a system fills up its volatile memory space, it writes data from memory onto the hard drive. When a program requests access to this data, it is brought from the hard drive back into memory in specific units, called page frames. Accessing data that is kept in pages on the hard drive takes more time than accessing data kept in memory because physical disk read/write access has to take place. There are internal control blocks, maintained by the operating system, to keep track of what page frames are residing in RAM, and what is available “offline,” ready to be called into RAM for execution or processing, if needed. The payoff is that it seems as though the system can hold an incredible amount of information and program instructions in memory. A security issue with using virtual swap space is that two or more processes use the same resource and the data could be corrupted or compromised.

B is incorrect because virtual storage is not related to cookies. Virtual storage uses hard drive space to extend its RAM memory space. Cookies are small text files used mainly by web browsers. The cookies can contain credentials for websites, site preference settings, or shopping histories. Cookies are also commonly used to maintain web server–based sessions.

C is incorrect because a side-channel attack is a nonintrusive attack. In this type of attack, the attacker gathers information about how a mechanism (such as a smart card or encryption processor) works from the radiation that is given off, time taken to carry out processing, power consumed to carry out tasks, etc. This information is used to reverse-engineer the mechanism to uncover how it carries out its security tasks. This is not related to virtual storage.

D is incorrect because the biggest threat within a system that has shared resources between processes, as operating systems have to share memory between all resources, is that one process will negatively interfere with the other process’s resource. This is especially true with memory, since all data and instructions are stored there, whether they are sensitive or not. While it is possible for two processes to work together to carry out a denial-of-service attack, this is only one type of attack that can be carried out with or without the use of virtual storage.

5
Q

Which of the following is a common association of the Clark-Wilson access model?
A. Chinese Wall
B. Access tuple
C. Read up and write down rule
D. Well-formed transactions

A

D. In the Clark-Wilson model, a subject cannot access an object without going through some type of application or program that controls how this access can take place. The subject (usually a user) is bound to the application and then is allowed access to the necessary objects based on the access rules within the application software that are defined as “well-formed transactions.” For example, when Kathy needs to update information held within her company’s database, she will not be allowed to do so without a piece of software controlling these activities. First, Kathy must authenticate to the software, which is acting as a front end for the database, and then the program will control what Kathy can and cannot do to the information in the database, based on very well-defined rules in a step-by-step manner.

A is incorrect because the Chinese Wall model is another name for the Brewer and Nash model, which was created to provide access controls that can change dynamically, depending upon a user’s previous actions, in an effort to protect against conflicts of interest by users’ access attempts. No information can flow between subjects and objects in a way that would result in a conflict of interest. The model states that a subject can write to an object if, and only if, the subject cannot read another object that is in a different dataset.

B is incorrect because the Clark-Wilson model uses access triple, not access tuple. The access triple is subject-program-object. It ensures that subjects can only access objects through authorized programs.

C is incorrect because the Clark-Wilson model does not have read up and write down rules. These rules are associated with the Bell-LaPadula and Biba models. The Bell-LaPadula model includes the simple security rule, which is no read up, and the star property rule, which is no write down. The Biba model includes the simple integrity axiom, which is no read down, and the star-integrity axiom, which is no write up.

6
Q

Which of the following correctly describes the relationship between the reference monitor and the security kernel?
A. The security kernel implements and enforces the reference monitor.
B. The reference monitor is the core of the trusted computing base, which is made up of the security kernel.
C. The reference monitor implements and enforces the security kernel.
D. The security kernel, aka abstract machine, implements the reference monitor concept.

A

A. The trusted computing base (TCB) is the total combination of a system’s protection mechanisms. These are in the form of hardware, software, and firmware. These same components also comprise the security kernel. The reference monitor is an access control concept that is implemented and enforced by the security kernel via the hardware, software, and firmware. In doing so, the security kernel ensures that subjects have the appropriate authorization to access the objects they are requesting. The subject, be it a program, user, or process, should not be able to access a file, program, or resource it is requesting until it has proven that it has the appropriate access rights.

B is incorrect because the reference monitor is not the core of the TCB. The core of the TCB is the security kernel, and the security kernel carries out the reference monitor concept. The reference monitor is a concept pertaining to access control. Since it is not a physical component, it is often referred to as an “abstract machine.” The reference monitor mediates access between subjects and objects in an effort to ensure that subjects have the necessary rights to access objects and to protect objects from unauthorized access and destructive changes.

C is incorrect because the reference monitor does not implement and enforce the security kernel. Rather, the security kernel implements and enforces the reference monitor. The reference monitor is an abstract concept, while the security kernel is a combination of hardware, software, and firmware within the trusted computing base. The security kernel has three requirements, which are also the requirements of the reference monitor. The security kernel must be tamperproof and must isolate the processes executing the reference monitor concept. Likewise, the security kernel must be implemented so that it is invoked for every access attempt and cannot be circumvented. Finally, the security kernel must be small enough to enable its comprehensive testing and verification.

D is incorrect because abstract machine is not another name for the security kernel. Abstract machine is another name for the reference monitor, which can also be referred to as the reference monitor concept. The concept states that an abstract machine serves as the mediator between subjects and objects to ensure that the subjects have the necessary rights to access the objects they are requesting and to protect the objects from unauthorized access and modification. The security kernel is responsible for carrying out these activities.

7
Q

The trusted computing base (TCB) ensures security within a system when a process in one domain must access another domain in order to retrieve sensitive information. What function does the TCB initiate to ensure that this is done in a secure manner?
A. I/O operational execution
B. Process deactivation
C. Execution domain switching
D. Virtual memory to real memory mapping

A

C. Execution domain switching takes place when a CPU needs to move between executing instructions for a highly trusted process to a less trusted process or vice versa. The trusted computing base (TCB) allows processes to switch domains in a secure manner in order to access different levels of information based on their sensitivity. Execution domain switching takes place when a process needs to call upon a process in a higher protection ring. The CPU goes from executing instructions in user mode to privileged mode and back.

A is incorrect because input/output (I/O) operations are not initiated to ensure security when a process in one domain must access another domain in order to retrieve sensitive information. I/O operations include control of all input/output devices. I/O operations are functions within an operating system that allow input devices (such as a mouse or keyboard) and output devices (such as a monitor or printer) to interact with applications and with the operating system itself.

B is incorrect because process deactivation takes place when a process’s instructions are completely executed by the CPU or when another process with a higher priority calls upon the CPU. When a process is deactivated, the CPU’s registers must be filled with new information about the new requesting process. The data that is getting switched in and out of the registers may be sensitive, so the TCB components must make sure this takes place securely.

D is incorrect because memory mapping takes place when a process needs its instructions and data processed by the CPU. The memory manager maps the logical address to the physical address so that the CPU knows where the data is located. This is the responsibility of the operating system’s memory manager.

8
Q

Which of the following best defines a virtual machine?
A. A virtual instance of an operating system
B. A piece of hardware that runs multiple operating system environments simultaneously
C. A physical environment for multiple guests
D. An environment that can be fully utilized while running legacy applications

A

A. A virtual machine is a virtual instance of an operating system. A virtual machine can also be called a guest, which runs in a host environment. The host environment, usually an operating system, can run multiple guests simultaneously. The virtual machines pool resources such as RAM, processors, and storage from the host environment. This offers many benefits, including enhanced processing power utilization. Other benefits include the ability to run legacy applications. For example, an organization may choose to run its legacy applications on an instance (virtual machine) of Windows 7 long after it has rolled out Windows 10.

B is incorrect because a virtual machine is not a piece of hardware. A virtual machine is an instance of an operating system that runs on hardware. The host can run multiple virtual machines. So, basically, you can have one computer running different operating systems at the same time. One benefit of this is consolidation. Using virtual machines, you can consolidate the workloads of several underutilized servers onto one host, thereby saving money on hardware and administrative management tasks.

C is incorrect because virtual machines provide and work within software emulation. The host provides the resources, such as memory, processor, buses, RAM, and storage for the virtual machines. The virtual machines share these resources but do not access them directly. The host environment, which is responsible for managing the system resources, acts as an intermediary between the resources and the virtual machines.

D is incorrect because many legacy applications are not compatible with specific hardware and newer operating systems. Because of this, the application commonly underutilizes the server software and components. The virtual machines emulate an environment that allows legacy, and other, applications to fully use the resources available to them. This is a reason to use a virtual machine, but the answer does not provide its definition.

9
Q

Virtualization offers many benefits. Which of the following incorrectly describes virtualization?
A. Virtualization simplifies operating system patching.
B. Virtualization can be used to build a secure computing platform.
C. Virtualization can provide fault and error containment.
D. Virtual machines offer powerful debugging capabilities.

A

A. Virtualization does not simplify operating system patching. In fact, it makes it more complex because it adds at least one operating system. Each operating system commonly varies in version and configuration, increasing the complexity of patching. The operating systems for the servers themselves run as guests within the host environment. Not only do you have to patch and maintain the traditional server operating systems, but now you also have to patch and maintain the virtualization software itself.

B is incorrect because virtualization can be used to build a secure computing platform. Untrusted applications can be run in secure, isolated sandboxes within a virtual machine. The virtualization software “compartmentalizes” the individual guest operating systems and ensures that the processes for each guest do not interact with the other guest processes in an unauthorized manner.

C is incorrect because virtual machines can provide fault and error containment by isolating what is run within the specific guest operating systems. Developers and security researchers can proactively inject faults into software to study its behavior without impacting other virtual machines. For this reason, virtual machines are useful tools for research and academic experiments.

D is incorrect because virtual machines enable powerful debugging, as well as performance monitoring, by allowing you to put debugging and performance monitoring tools in the virtual machine monitor. There’s no need to set up complex debugging scenarios, and the operating systems can be debugged without impacting productivity.

10
Q

Which security architecture model defines how to securely develop access rights between subjects and objects?
A. Brewer-Nash
B. Clark-Wilson
C. Graham-Denning
D. Bell-LaPadula

A

C. The Graham-Denning model addresses how access rights between subjects and objects are defined, developed, and integrated. It defines a set of basic rights in terms of commands that a specific subject can execute on an object. This model has eight primitive protection rights, or rules, on how these types of functionalities should take place securely. They are as follows: how to securely create an object; how to securely create a subject; how to securely delete an object; how to securely delete a subject; how to securely provide the read access right; how to securely provide the grant access right; how to securely provide the delete access right; and how to securely provide transfer access rights. These things may sound insignificant, but when we are talking about building a secure system, they are very critical.

A is incorrect because the Brewer-Nash model (also called the Chinese Wall model) is intended to provide access controls that can change dynamically depending upon a user’s previous actions. The main goal is to protect against conflicts of interest by users’ access attempts. For example, if a large marketing company provides marketing promotions and materials for two banks, an employee working on a project for Bank A should not be able to look at the information the marketing company has on its other bank customer, Bank B. Such action could create a conflict of interest because the banks are competitors. If the marketing company’s project manager for the Bank A project could view information on Bank B’s new marketing campaign, he may try to trump its promotion to please his more direct customer. The marketing company would get a bad reputation if it allowed its internal employees to behave so irresponsibly.

B is incorrect because the Clark-Wilson model is implemented to protect the integrity of data and to ensure that properly formatted transactions take place within applications. It works on the following premises: subjects can access objects only through authorized programs; separation of duties is enforced; auditing is required. The Clark-Wilson model addresses all three integrity goals: prevent unauthorized users from making modifications, prevent authorized users from making improper modifications, and maintain internal and external consistency.

D is incorrect because the Bell-LaPadula model was developed to address the U.S. military’s concern with the security of its systems and the leakage of classified information. The model’s main goal is to prevent sensitive information from being accessed in an unauthorized manner. It is a state machine model that enforces the confidentiality aspects of access control. A matrix and security levels are used to determine if subjects can access different objects. The subject’s clearance is compared to the object’s classification and then specific rules are applied to control how subject-to-object interactions take place.

11
Q

Operating systems can be programmed to carry out different methods for process isolation. Which of the following refers to a method in which an interface defines how communication can take place between two processes and no process can interact with the other’s internal programming code?
A. Virtual mapping
B. Encapsulation of objects
C. Time multiplexing
D. Naming distinctions

A

B. When a process is properly encapsulated, no other process understands or interacts with its internal programming code. When process A needs to communicate with process B, process A just needs to know how to communicate with process B’s interface. An interface defines how communication must take place between two processes. As an analogy, think back to how you had to communicate with your third-grade teacher. You had to call her Mrs. SoandSo, say please and thank you, and speak respectfully to get whatever it was you needed. The same thing is true for software components that need to communicate with each other. They have to know how to communicate properly with each other’s interfaces. The interfaces dictate the type of requests that a process will accept and the type of output that will be provided. So, two processes can communicate with each other, even if they are written in different programming languages, as long as they know how to communicate with each other’s interface. Encapsulation provides data hiding, which means that outside software components will not know how a process works and will not be able to manipulate the process’s internal code. This is an integrity mechanism and enforces modularity in programming code.

A is incorrect because virtual mapping refers to how virtual to physical memory mapping takes place within an operating system. When an application needs memory to work with, it tells the operating system’s memory manager how much memory it needs. The operating system carves out that amount of memory and assigns it to the requesting application. The application uses its own address scheme, which usually starts at 0, but in reality, the application does not work in the physical address space that it thinks it is working in. Rather, it works in the address space that the memory manager assigns to it. The physical memory is the RAM chips in the system. The operating system chops up this memory and assigns portions of it to the requesting processes. Once the process is assigned its own memory space, then it can address this portion however it needs to, which is called virtual address mapping. Virtual address mapping allows the different processes to have their own memory space; the memory manager ensures that no processes improperly interact with another process’s memory. This provides integrity and confidentiality.

C is incorrect because time multiplexing is a technology that allows processes to use the same resources through an interleaved method. A CPU has to be shared among many processes. Although it seems as though all applications are executing their instructions simultaneously, the operating system is splitting up time shares between each process. Multiplexing means that there are several data sources and the individual data pieces are piped into one communication channel. In this instance, the operating system is coordinating the different requests from the different processes and piping them through the one shared CPU. An operating system has to provide proper time multiplexing (resource sharing) to ensure that a stable working environment exists for software and users.

D is incorrect because naming distinctions just means that the different processes have their own name or identification value. Processes are usually assigned process identification (PID) values, which the operating system and other processes use to call upon them. If each process is isolated, that means that each process has its own unique PID value.

12
Q

Which of the following is not a responsibility of the memory manager?
A. Use complex controls to ensure integrity and confidentiality when processes need to use the same shared memory segments.
B. Limit processes to interact only with the memory segments assigned to them.
C. Swap contents from RAM to the hard drive as needed.
D. Run an algorithm to identify unused committed memory and inform the operating system that the memory is available.

A

D. This answer describes the function of a garbage collector. A garbage collector is a countermeasure against memory leaks. It is software that runs an algorithm to identify unused committed memory and then tells the operating system to mark that memory as “available.” Different types of garbage collectors work with different operating systems, programming languages, and algorithms. The portion of the operating system that keeps track of how different types of memory are used is called the memory manager. Its jobs are to allocate and deallocate different memory segments, enforce access control to ensure that processes are interacting only with their own memory segments, and swap memory contents from RAM to the hard drive. The memory manager has five basic responsibilities: relocation, protection, sharing, logical organization, and physical organization.

A is incorrect because as part of its sharing responsibilities, the memory manager uses complex controls to ensure integrity and confidentiality when processes need to use the same shared memory segments. This is critical to protecting memory and the data in it, since two or more processes can share access to the same segment with potentially different access rights. The memory manager is also responsible for allowing many users with different levels of access to interact with the same application running in one memory segment.

B is incorrect because the memory manager is responsible for limiting process interactions to only those memory segments assigned to them. This responsibility falls under the protection category and helps prevent processes from gaining access to unpermitted segments. Another protection responsibility of the memory manager is to provide access control to memory segments.

C is incorrect because swapping contents from RAM to the hard drive as needed is a responsibility of the memory manager that falls under the relocation category. When RAM and secondary storage are combined, the result is virtual memory. The system uses hard drive space to extend its RAM memory space. Another relocation responsibility is to provide pointers for applications if their instructions and memory segment have been moved to a different location in main memory.

13
Q

Frank is responsible for the security of his company’s online applications, web servers, and web-based activities. The web applications have the capability of being dynamically “locked” so that multiple users cannot edit a web page at the same time and overwrite each other’s work. An audit uncovered that although this software-locking capability was properly configured, multiple users were still able to modify the same web page at the same time. Which of the following best describes what is taking place in this situation?
A. Buffer overflow
B. Blind SQL injection
C. Cross-site request forgery
D. Time-of-check/time-of-use attack

A

D. Specific attacks can take advantage of the way a system processes requests and performs tasks. A time-of-check/time-of-use (TOC/TOU) attack deals with the sequence of steps a system uses to complete a task. This type of attack takes advantage of the dependency on the timing of events that take place in a multitasking operating system. TOC/TOU is a class of software vulnerability that arises between the checking of a condition (i.e., verifying a credential) and the use of the result from that condition-checking function. In the scenario of this question, the fact that the web application was most likely properly configured indicates that the programming code of this application has this type of vulnerability embedded in the code itself. A is incorrect because a buffer overflow takes place when too much data is accepted as input to a specific process. A buffer is an allocated segment of memory. A buffer can be overflowed arbitrarily with too much data, but for it to be of any use to an attacker, the code inserted into the buffer must be of a specific length, followed up by commands the attacker wants executed. These types of attacks commonly result in exceptions, segmentation faults, or sensitive data being provided to the attacker. This type of attack is not being described in this question. B is incorrect because a blind SQL injection attack is a type of SQL injection attack that sends a true-or-false question to a database. In a basic SQL injection, an attacker sends specific instructions in the SQL format to interrogate the associated database. In a blind SQL attack, the attacker is limited to only sending a series of true-or-false questions to the database with the hope of gleaning sensitive information from analyzing the database’s responses. This type of attack is not described in this question.
C is incorrect because cross-site request forgery (CSRF) is an attack type that attempts to trick the victim into loading a web page that contains a malicious request or operation. The operation is carried out within the context of the victim’s access rights. The request inherits the identity of the victim and performs an undesired function on behalf of the victim. In this type of attack, the attacker can make the victim’s system carry out an unintended activity, such as changing account information, retrieving account data, or logging out. While this type of attack could be involved with the scenario described in the question, the question is focusing on how a user is able to bypass the lock mechanism built into a web application. The lock function is being bypassed because the logic of the programming code was developed incorrectly and does not follow a strict series of check and use sequences properly.

14
Q

There are several different important pieces to the Common Criteria. Which of the following best describes the first of the missing components? A. Target of evaluation B. Protection profile C. Security target D. EALs

A

B. The Common Criteria uses protection profiles in its evaluation process. This is a mechanism used to describe a real-world need of a product that is not currently on the market. The protection profile contains the set of security requirements, their meaning and reasoning, and the corresponding EAL rating that the intended product will require. The protection profile describes the environmental assumptions, the objectives, and the functional and assurance-level expectations. Each relevant threat is listed, along with how it is to be controlled by specific objectives. The protection profile also justifies the assurance level and requirements for the strength of each protection mechanism that is expected to be in the new product. The protection profile basically says, “This is what we need out of a new product.” A is incorrect because the target of evaluation (ToE), the second of the three missing pieces in the graphic, is the actual product that is being evaluated against the Common Criteria. Where the protection profile states, “This is what we need out of a new product,” the ToE is the product that a vendor creates to meet the requirements outlined in the protection profile. When there is a need in the industry for a new product that provides specific functionality and security, someone develops the protection profile to outline this need. A vendor fulfills the need by creating a new product, referred to as the ToE. C is incorrect because the security target, the third piece missing in the graphic, is the vendor’s written explanation of the security functionality and assurance mechanisms that meet the needed solution outlined in the protection profile and fulfilled by the ToE. Where the protection profile outlines, “This is what we need,” the ToE is the product that fulfills this need, and the security target is the explanation of how this ToE is mapped to the protection profile.
The evaluators compare the ToE with these three constructs, along with the actual requirements of the Common Criteria, before assigning it an evaluation assurance level. D is incorrect because evaluation assurance levels (EALs) outline the assurance ratings used in the Common Criteria. EALs are basically the grading system used in these criteria to describe the assurance and security required by a specific product. When an evaluator evaluates a product, after all of her tests she will assign an EAL value. This value is basically the grade that the product receives after all of the tests it is put through. The Common Criteria uses a different assurance rating system than the previously used criteria. It has packages of specifications that must be met for a product to obtain the corresponding rating. These ratings and packages are collectively called the EALs.

15
Q

Different access control models provide specific types of security measures and functionality in applications and operating systems. What model is being expressed in the graphic that follows? A. Noninterference B. Biba C. Bell-LaPadula D. Chinese Wall

A

D. The Chinese Wall model (also called the Brewer and Nash model) was created to provide access controls that can change dynamically depending upon a user’s previous actions. The main goal of the model is to protect against conflicts of interest by users’ access attempts. Suppose Maria is a broker at an investment firm that also provides other services to Acme Corporation. If Maria were able to access Acme information from the other service areas, she could learn of a phenomenal earnings report that is about to be released. Armed with that information, she could encourage her clients to buy shares of Acme, confident that the price will go up shortly. The Brewer and Nash model is designed to mitigate the risk of this situation happening. A is incorrect because multilevel security properties can be expressed in many ways, one being noninterference. The Chinese Wall model does not focus on multilevel security properties and the Noninterference model does not focus on conflicts of interest. The concept of noninterference is implemented to ensure any actions that take place at a higher security level do not affect, or interfere with, actions that take place at a lower level and vice versa. This type of model does not concern itself with conflicts of interest, but rather with what a subject knows about the state of the system. So, if an entity at a higher security level performs an action, it cannot change the state for the entity at the lower level. The Noninterference model is also focused on confidentiality. It works to ensure that subjects at a lower clearance level cannot access data or objects at a higher clearance level. B is incorrect because Biba is a state machine model that addresses the integrity of data within applications without the use of a wall construct. Although the Biba model is very similar to the Bell-LaPadula model, the Bell-LaPadula model uses a lattice of security levels (top secret, secret, sensitive, and so on).
These security levels were developed mainly to ensure that sensitive data is only available to authorized individuals. The Biba model is not concerned with security levels and confidentiality, so it does not base access decisions upon this type of lattice. The Biba model uses a lattice of integrity levels. Biba compartmentalizes data based on integrity levels. It is an information flow model that controls information flow in a way that is intended to protect the integrity of the most trusted information. The Biba model was not built to address conflicts of interest. C is incorrect because a system that employs the Bell-LaPadula model is called a multilevel security system, meaning users with different clearances use the system, and the system processes data at different classification levels. The level at which data is classified determines the handling procedures that should be used. The Bell-LaPadula model is a state machine model that enforces the confidentiality aspects of access control. A matrix and security levels are used to determine if subjects can access different objects. The subject’s clearance is compared to the object’s classification and then specific rules are applied to control how subject-to-object interactions can take place. The Bell-LaPadula model was not developed to address conflicts of interest.

16
Q

There are many different types of access control mechanisms that are commonly embedded into all operating systems. Which of the following is the mechanism that is missing in this graphic? A. Trusted computing base B. Security perimeter C. Reference monitor D. Domain

A

C. The reference monitor is an abstract machine that mediates all access subjects have to objects, both to ensure that the subjects have the necessary access rights and to protect the objects from unauthorized access and destructive modification. For a system to achieve a high level of trust, it must require subjects (programs, users, or processes) to be fully authorized prior to accessing an object (file, program, or resource). A subject must not be allowed to use a requested resource until the subject has proven it has been granted access privileges to use the requested object. The reference monitor is an access control concept, not an actual physical component, which is why it is normally referred to as the “reference monitor concept” or an “abstract machine.” The reference monitor is the access control concept, and the code that actually enforces this concept is the security kernel. A is incorrect because a security perimeter is a boundary that divides the trusted from the untrusted process access requests within software. The trusted processes within a system are referred to as being within the trusted computing base (TCB). The TCB is defined as the total combination of protection mechanisms within a computer system. The TCB includes hardware, software, and firmware. These are part of the TCB because the system is sure these components will enforce the security policy and not violate it. Not all components need to be trusted, and therefore not all components fall within the TCB. The security perimeter is the demarcation between what is within the TCB, the trusted processes, and what is not, the untrusted processes. B is incorrect because not every process and resource falls within the TCB, so some of these components fall outside of an imaginary boundary referred to as the security perimeter. A security perimeter is a boundary that divides the trusted from the untrusted.
For the system to stay in a secure and trusted state, precise communication standards must be developed to ensure that when a component within the TCB needs to communicate with a component outside the TCB, the communication cannot expose the system to unexpected security compromises. This type of communication is handled and controlled through interfaces. The security perimeter is a concept that helps enforce this type of security. D is incorrect because a domain is defined as a set of objects that a subject is able to access. This domain can be all the resources a user can access, all the files available to a program, the memory segments available to a process, or the services and processes available to an application. A subject needs to be able to access and use objects (resources) to perform tasks, and the domain defines which objects are available to the subject and which objects are untouchable and therefore unusable by the subject. A common implementation of a domain is a networked Windows environment. Resources are logically partitioned within the network to ensure subjects can access only the resources assigned to them.

17
Q

There are several security enforcement components that are commonly built into operating systems. Which component is illustrated in the graphic that follows? A. Virtual machines B. Interrupt C. Cache memory D. Protection rings

A

D. An operating system has several protection mechanisms to ensure processes do not negatively affect each other or the critical components. One security mechanism commonly used in operating systems is protection rings. These rings provide strict boundaries and definitions for what the processes that work within each ring can access and what operations they can successfully and securely execute. The processes that operate within the inner rings have more privileges than the processes operating in the outer rings, because the inner rings only permit the most trusted components and processes to operate within them. Protection rings support the availability, integrity, and confidentiality requirements of multitasking operating systems. The most commonly used architecture provides four protection rings:
• Ring 0 Operating system kernel
• Ring 1 Remaining parts of the operating system
• Ring 2 I/O drivers and utilities
• Ring 3 Applications and user activity
A is incorrect because a virtual instance of an operating system is known as a virtual machine. A virtual machine is commonly referred to as a guest that is executed in the host environment. Virtualization allows a single host environment to execute multiple guests at once, with multiple virtual machines dynamically pooling resources from a common physical system. Computer resources such as RAM, processors, and storage are emulated through the host environment. The virtual machines do not directly access these resources; instead, they communicate with the host environment responsible for managing system resources. Virtual machines do not work in a circular framework as shown in the graphic. B is incorrect because an interrupt is a mechanism used in operating systems that allows devices and processes to obtain time slots on the CPU. The most basic CPUs can do only one thing at a time. So the system has hardware and software interrupts.
When a device needs to communicate with the CPU, it has to wait for its interrupt to be called upon. The same thing happens in software. Each process has an interrupt assigned to it. It is like pulling a number at a customer service department in a store. You can’t go up to the counter until your number has been called out. When a process is interacting with the CPU and an interrupt takes place (another process has requested access to the CPU), the current process’s information is stored in the process table, and the next process gets its time to interact with the CPU. C is incorrect because cache memory is a type of memory used for high-speed writing and reading activities, and it is not necessarily a security mechanism. When the system assumes (through its programmatic logic) that it will need to access specific information many times throughout its processing activities, it will store the information in cache memory so it is easily and quickly accessible. Data in cache can be accessed much more quickly than data stored in real memory. Therefore, any information needed by the CPU very quickly, and very often, is usually stored in cache memory, thereby improving the overall speed of the computer system. Cache memory also does not work in a circular framework as illustrated in the graphic.

18
Q

A multitasking operating system can have several processes running at the same time. What are the components within the processes that are shown in the graphic that follows? A. Threads B. Registers C. Address buses D. Process tables

A

A. A process is a program in memory. More precisely, a process is the program’s instructions and all the resources assigned to the process by the operating system. It is just easier to group all of these instructions and resources together and control them as one entity, which is a process. When a process needs to send something to the CPU for processing, it generates a thread. A thread is made up of an individual instruction set and the data that must be worked on by the CPU. Most applications have several different functions. Word processors can open files, save files, open other programs (such as an e-mail client), and print documents. Each one of these functions requires a thread (instruction set) to be dynamically generated. So, for example, if Tom chooses to print his document, the word processor process generates a thread that contains the instructions of how this document should be printed (font, colors, text, margins, and so on). If he chooses to send a document via e-mail through this program, another thread is created that tells the e-mail client to open and what file needs to be sent. Threads are dynamically created and destroyed as needed. Once Tom is done printing his document, the thread that was generated for this functionality is destroyed. B is incorrect because a register is a temporary storage location. Processing chips within the CPU cover only a couple of square inches but contain millions of transistors. All operations within the CPU are performed by electrical signals at different voltages in different combinations, and each transistor holds this voltage, which represents 0’s and 1’s to the computer. The CPU contains registers that point to memory locations that contain the next instructions to be executed and that enable the CPU to keep status information of the data that needs to be processed.
While a register can hold the instructions that make up the thread before it is fed into the CPU, it is not a component of the processes themselves. C is incorrect because an address bus is a hardwired connection to RAM chips and the individual input/output (I/O) devices in a computer system. In a computer, memory addresses of the instructions and data to be processed are held in registers until needed by the CPU. The CPU is connected to the address bus. Memory is cut up into sections that have individual addresses associated with them. I/O devices (optical discs, USB devices, hard drives, and so on) are also allocated specific unique addresses. If the CPU needs to access some data, either from memory or from an I/O device, it sends down the address of where the needed data is located. The circuitry associated with the memory or I/O device recognizes the address the CPU sent down the address bus and instructs the memory or device to read the requested data and put it on the data bus. So the address bus is used by the CPU to indicate the location of the instructions to be processed, and the memory or I/O device responds by sending the data that resides at that memory location through the data bus. D is incorrect because a process table is a way for an operating system to keep track of processes that are running. An operating system is responsible for creating new processes, assigning them resources, synchronizing their communication, and making sure nothing insecure is taking place. The operating system keeps a process table, which has one entry per process. The table contains each individual process’s state, stack pointer, memory allocation, program counter, and status of open files in use. The reason the operating system documents all of this status information is that the CPU needs all of it loaded into its registers when it needs to interact with, for example, process 1.
When process 1’s CPU time slice is over, all of the current status information on process 1 is stored in the process table so that when its time slice comes around again, all of this status information can be put back into the CPU registers. So, when it is process 2’s time with the CPU, its status information is transferred from the process table to the CPU registers; it is transferred back again when the time slice is over.

19
Q

Charlie is a new security manager at a textile company that develops its own proprietary software for internal business processes. Charlie has been told that the new application his team needs to develop must comply with the ISO/IEC 42010 standard. He has found out that many of the critical applications have been developed in the C programming language and has asked for these applications to be reviewed for a specific class of security vulnerabilities. Which of the following best describes the standard Charlie’s team needs to comply with? A. International standard on system design to allow for better quality, interoperability, extensibility, portability, and security B. International standard on system security to allow for better threat modeling C. International standard on system architecture to allow for better quality, interoperability, extensibility, portability, and security D. International standard on system architecture to allow for better quality, extensibility, portability, and security

A

C. ISO/IEC 42010 has the goal of internationally standardizing the use of system architecture so that product developers don’t have to improvise and come up with their own individual approaches. A disciplined approach to system architecture allows for better quality, interoperability, extensibility, portability, and security. A is incorrect because the answer specifically states “design” instead of “architecture.” Some people mistakenly think that these are the same things, but architecture takes place before design. Architecture works at a higher, more strategic level compared to design. Software development is becoming a more disciplined industry and it is moving toward formal architecture requirements. B is incorrect because the standard identified in the question does not deal with threat modeling. ISO/IEC 42010 addresses system architecture requirements and guidelines. D is incorrect because it is not as complete as answer C; therefore, it is not the best answer. This standard does address interoperability issues, which is not listed in this answer.

20
Q

Charlie is a new security manager at a textile company that develops its own proprietary software for internal business processes. Charlie has been told that the new application his team needs to develop must comply with the ISO/IEC 42010 standard. He has found out that many of the critical applications have been developed in the C programming language and has asked for these applications to be reviewed for a specific class of security vulnerabilities. Which of the following is Charlie most likely concerned with in this situation? A. Injection attacks B. Memory block C. Buffer overflows D. Browsing attacks

A

C. The C programming language is susceptible to buffer overflow attacks because some of its commands allow for direct pointer manipulations to take place. Specific commands can provide access to low-level memory addresses without carrying out bounds checking. A is incorrect because the C programming language does not have any more vulnerabilities pertaining to injection attacks than any other languages. Injection attacks usually do not take place at the code level, but happen because an interface accepts data that is not properly filtered and validated. B is incorrect because this is a distracter answer. There is no official programming language vulnerability referred to as “memory block.” D is incorrect because a browsing attack is when someone is reviewing various assets for sensitive data. This does not relate to a programming language, but to how access control is implemented.

21
Q

Tim’s development team is designing a new operating system. One of the requirements of the new product is that critical memory segments need to be categorized as nonexecutable, with the goal of reducing malicious code from being able to execute instructions in privileged mode. The team also wants to make sure that attackers will have a difficult time predicting execution target addresses. Which of the following best describes the type of protection that needs to be provided by this product? A. Hardware isolation B. Memory induction application C. Data execution prevention D. Domain isolation protection

A

C. Data execution prevention (DEP) is a security feature included in modern operating systems. It is intended to prevent a process from executing code from a nonexecutable memory region. This helps prevent certain exploits that store code via a buffer overflow, for example. DEP can mark certain memory locations as “off limits,” with the goal of reducing the “playing field” for hackers and malware. A is incorrect because memory hardware isolation has to be done at the hardware level, not just in an operating system. Some systems that require a high level of security can be designed to ensure that memory is not shared in any fashion. This requires hardware design, and the operating system (or other software) has to then be designed to use that specific hardware environment. B is incorrect because this is a distracter answer. This is not an official term or security issue. D is incorrect because domain isolation does not deal specifically with memory protection as does DEP. Domain isolation is not a specific technology, but a goal that operating systems attempt to accomplish. A domain is a set of resources that is available to an entity. Most people think of network domains in the Microsoft world, but a domain is just a set of resources. It is a general and old term. Domain isolation just means isolating one set of resources from another set of resources. This is commonly done so that one process cannot compromise another process’s resources.

22
Q

Tim’s development team is designing a new operating system. One of the requirements of the new product is that critical memory segments need to be categorized as nonexecutable, with the goal of reducing malicious code from being able to execute instructions in privileged mode. The team also wants to make sure that attackers will have a difficult time predicting execution target addresses. Which of the following best describes the type of technology the team should implement to increase the work effort of buffer overflow attacks? A. Address space layout randomization B. Memory induction application C. Input memory isolation D. Read-only memory integrity checks

A

A. Address space layout randomization (ASLR) is a control that involves randomly arranging the positions of a process’s address space and other memory segments. It randomly arranges the positions of key data areas, usually including the base of the executable and position of system libraries, memory heap, and memory stacks, in a process’s address space. ASLR makes it more difficult for an attacker to predict target addresses for specific memory attacks. B is incorrect because this is a distracter answer. This is not an official term or security item. C is incorrect because while memory isolation may help in protecting against buffer overflows, that is not the specific reason for its existence. Memory isolation is carried out to protect against many different memory attacks. ASLR has been specifically designed to try and outwit attackers and to make it more difficult for them to know a system’s memory address scheme for exploitation purposes. D is incorrect because this is a distracter answer. This is not an official term or security item.

23
Q

Operating systems have evolved and changed over the years. The earlier operating systems were monolithic and did not segregate critical processes from noncritical processes. As time went on, operating system vendors started to reduce the amount of programming code that ran in kernel mode. Only the absolutely necessary code ran in kernel mode, and the remaining operating system code ran in user mode. This architecture introduced performance issues, which required the operating system vendors to reduce the critical operating system functionality to microkernels and allow the remaining operating system functionality to run in client/server models within kernel mode. Which of the following best describes the second operating system architecture described in the scenario? A. Layered B. Microkernel C. Monolithic D. Kernel based

A

B. In the microkernel architecture, a reduced amount of code is running in kernel mode carrying out critical operating system functionality. Only the absolutely necessary code runs in kernel mode, and the remaining operating system code runs in user mode. Traditional operating system functions, such as device drivers, protocol stacks, and file systems, are removed from the microkernel to run in user space. A is incorrect because a layered operating system architecture focuses on constructing the functions of the operating system into hierarchical layers. This architecture does not focus on what is or is not running in kernel mode. C is incorrect because the industry started with monolithic operating systems and evolved from there. A monolithic operating system does not segregate privileged and nonprivileged processes and does not use a kernel. MS-DOS is an example of a monolithic operating system. D is incorrect because while there is no official architecture called “kernel based,” this answer does not actually properly address the concept of reducing the amount of code that runs in kernel mode. The microkernel architecture specifically addressed this issue. A microkernel is the near-minimum amount of software that can provide the mechanisms needed to implement an operating system.

24
Q

Operating systems have evolved and changed over the years. The earlier operating systems were monolithic and did not segregate critical processes from noncritical processes. As time went on, operating system vendors started to reduce the amount of programming code that ran in kernel mode. Only the absolutely necessary code ran in kernel mode, and the remaining operating system code ran in user mode. This architecture introduced performance issues, which required the operating system vendors to reduce the critical operating system functionality to microkernels and allow the remaining operating system functionality to run in client/server models within kernel mode. Which of the following best describes why there was a performance issue in the context of the scenario? A. Bloated programming code B. I/O and memory location procedures C. Mode transitions D. Data and address bus architecture

A

C. A mode transition is when the CPU has to change from processing code in user mode to kernel mode. This is a protection measure, but it causes a performance hit because all of the information on the new process has to be loaded into the registers for the CPU to work with. Transitions between modes are at the discretion of the executing thread when the transition is from a level of high privilege to one of low privilege (kernel to user mode), but transitions from lower to higher levels of privilege can take place only through secure, hardware-controlled “gates” that are carried out by executing special instructions or when external interrupts are received. A is incorrect. While bloated (extra) programming code can cause performance issues in many situations, that is not what this question is focusing on. When comparing operating system architectures and associated performance issues, the focus comes down to how specific functions are carried out and how efficient those procedures are, not the amount of code needed to carry out the function. B is incorrect because I/O and memory location do not have a direct correlation to operating system kernel architecture. The specific reason that many operating system vendors changed their products’ architecture had to do with the performance issues of mode transitions the CPU had to continually carry out. D is incorrect because data and address bus architecture was not the specific reason that vendors moved to a microkernel architecture. This question is zeroing in on how much code ran in kernel versus user mode and how transitions took place, which has nothing to do with the bus architectures.

25
Q

Operating systems have evolved and changed over the years. The earlier operating systems were monolithic and did not segregate critical processes from noncritical processes. As time went on, operating system vendors started to reduce the amount of programming code that ran in kernel mode. Only the absolutely necessary code ran in kernel mode, and the remaining operating system code ran in user mode. This architecture introduced performance issues, which required the operating system vendors to reduce the critical operating system functionality to microkernels and allow the remaining operating system functionality to run in client/server models within kernel mode.

Which of the following best describes the last architecture described in this scenario? A. Hybrid microkernel B. Layered C. Monolithic D. Hardened and embedded

A

A. The hybrid microkernel architecture is a combination of monolithic and microkernel architectures. The critical operating system functionality is carried out in a microkernel construct, and the remaining functionality is carried out in a client/server model running within kernel mode. This architecture allows for the critical operating system functions to run in kernel mode and not experience the performance issues with previous architectures. B is incorrect because a layered operating system architecture focuses on constructing the functions of the operating system into hierarchical layers. This architecture does not focus on what is or is not running in kernel mode. C is incorrect because the industry started with monolithic operating systems and evolved from there. A monolithic operating system does not segregate privileged and nonprivileged processes and does not use a kernel. MS-DOS is an example of a monolithic operating system. D is incorrect because an operating system that is hardened and embedded is not a major architecture. The term “hardened” just means secured, and “embedded” means that the operating system’s functionalities are stripped down to only provide the basic and necessary functions required of the hardware the software is installed upon. Mobile phones and specialized hardware commonly have embedded operating systems.

26
Q

As with logical access controls, audit logs should be produced and monitored for physical access controls. Which of the following statements is correct about auditing physical access? A. Unsuccessful access attempts should be logged but only need to be reviewed by a security guard. B. Only successful access attempts should be logged and reviewed. C. Only unsuccessful access attempts during unauthorized hours should be logged and reviewed. D. All unsuccessful access attempts should be logged and reviewed.

A

D. Physical access control systems can use software and auditing features to produce audit trails or access logs pertaining to access attempts. The following information should be logged and reviewed: the date and time of the access attempt, the entry point at which access was attempted, the user ID employed when access was attempted, and any unsuccessful access attempts, especially if they occur during unauthorized hours. A is incorrect because as with audit logs produced by computers, access logs are useless unless someone actually reviews them. A security guard may be required to review these logs, but a security professional or a facility manager should also review these logs periodically. Management needs to know where entry points into the facility exist and who attempts to use them. Audit and access logs are detective controls, not preventive. They are used to piece together a situation after the fact instead of attempting to prevent an access attempt in the first place. B is incorrect because unsuccessful access attempts should be logged and reviewed. Even though auditing is not an activity that will deny an entity access to a network, computer, or location, it will track activities so that a security professional can be warned of suspicious activity. This information can be used to point out weaknesses of other controls and help security personnel understand where changes must be made to preserve the necessary level of security in the environment. C is incorrect because all unauthorized access attempts should be logged and reviewed, regardless of when they occurred. Attempted break-ins can occur at any time. Operating parameters can be set up for some physical access controls to allow a certain number of failed access attempts to be accepted before a user is locked out; this is a type of clipping level. An audit trail of this information can alert security personnel to a possible intrusion.

27
Q

An outline for a physical security design should include program categories and the necessary countermeasures for each. What category do locks and access controls belong to? A. Assessment B. Deterrence C. Response D. Delay

A

D. The physical security program design phase should begin with a structured outline that lists each category of the program: deterrence, delaying, detection, assessment, and response. The outline evolves into a framework, which is fleshed out with the necessary controls and countermeasures. The intent behind the delay category is to stall intruders to help ensure they get caught. Examples of countermeasures that belong to this category are locks, defense-in-depth measures, and access controls. Other types of delaying mechanisms include reinforced walls and rebar. The idea is that it will take a bad guy longer to get through two reinforced walls, which gives the response force sufficient time to arrive at the scene and stop the attacker. Of the categories listed in the answer options, detection is missing. Detection refers to the determination or awareness that an intrusion has occurred. Examples of detection controls include external intruder sensors and internal intruder sensors. A is incorrect because assessment countermeasures include security guard procedures and communication structure (calling tree). When an incident occurs, the assessment team (or security guard) is first on the scene to determine what has taken place and what needs to happen next: for example, a call to the police or fire station, management, a security service, etc. The assessment determines what type of response is needed. B is incorrect because deterrence refers to those controls that will discourage potential intruders from conducting criminal activity. Examples include fences, warning signs, security guards, and dogs. Another example found in residential areas is a “Neighborhood Crime Watch” sign that is erected in neighborhoods or even in home windows. The idea is that a casual intruder will be less likely to attempt an intrusion if he thinks that the neighborhood is making a concerted effort to watch for criminals and that he may be caught. C is incorrect because response refers to an organization’s processes and the personnel it assigns to react to intrusions and disruptions. Controls in this category include a response force, emergency response procedures, and police, fire, and medical personnel.

28
Q

What discipline combines the physical environment and sociology issues that surround it to reduce crime rates and the fear of crime? A. Layered defense model B. Target hardening C. Crime Prevention Through Environmental Design D. Natural access control

A

C. Crime Prevention Through Environmental Design (CPTED) is a discipline that outlines how the proper design of a physical environment can reduce crime by directly affecting human behavior. It provides guidance in loss and crime prevention through proper facility construction and environmental components and procedures. The crux of CPTED is that the physical environment can be manipulated to create behavioral effects that will reduce crime and the fear of crime. It looks at the components that make up the relationship between humans and their environment. This encompasses the physical, social, and psychological needs of the users of different types of environments and predictable behaviors of these users and offenders. For example, CCTV cameras should be mounted in full view so that criminals know their activities will be captured and other people know the environment is well monitored and thus safer. A is incorrect because a layered defense model is a tiered architecture of physical, logical, and administrative security controls. The concept is that if one layer fails, other layers will protect the valuable asset. Layers should be implemented moving from the perimeter toward the asset. For example, you would have a fence, then your facility walls, then an access control card device, then a guard, then an IDS, and then locked computer cases and safes. This series of layers will protect the company’s most sensitive assets, which would be placed in the innermost control zone of the environment. So if the bad guy were able to climb over your fence and outsmart the security guard, he would still have to circumvent several layers of controls before getting to your precious resources and systems. B is incorrect because target hardening focuses on denying access through physical and artificial barriers (alarms, locks, fences, and so on). Traditional target hardening can lead to restrictions on the use, enjoyment, and aesthetics of an environment. Remember that security entails maintaining a delicate balance between ease of use and protection. A Parks and Recreation department could implement fences, intimidating signs, and barriers around its parks and green areas to discourage gangs from congregating, but who would want to play or have a picnic there? The same goes for an office building. You must provide the necessary levels of protection, but your protection mechanisms should be more subtle and unobtrusive. D is incorrect because natural access control is the guidance of people entering and leaving a space by the placement of doors, fences, lighting, and even landscaping. For example, an office building may have external bollards with lights in them. These bollards carry out different safety and security services. The bollards themselves protect the facility from physical destruction by preventing people from driving their cars into the building. The light emitted helps ensure that criminals do not have a dark place to hide. And the lights and bollard placement guides people along the sidewalk to the entrance, instead of using signs or railings.

29
Q

David is preparing a server room at a new branch office. What locking mechanisms should he use for the primary and secondary server room entry doors? A. The primary and secondary entrance doors should have access controlled through a swipe card or cipher lock. B. The primary entrance door should have access controlled through a security guard. The secondary doors should be secured from the inside and allow no entry. C. The primary entrance door should have access controlled through a swipe card or cipher lock. The secondary doors should have a security guard. D. The primary entrance door should have access controlled through a swipe card or cipher lock. Secondary doors should be secured from the inside and allow no entry.

A

D. Data centers, server rooms, and wiring closets should be located in the core areas of a facility, near wiring distribution centers. Strict access control mechanisms and procedures should be implemented for these areas. The access control mechanisms may be smart card readers, biometric readers, or combination locks. These restricted areas should have only one access door, but fire code requirements typically dictate there must be at least two doors to most data centers and server rooms. Only one door should be used for daily entry and exit and the other door should be used only in emergency situations. This second door should not be an access door, which means people should not be able to come in through this door. It should be locked, but it should have a panic bar that will release the lock if pressed from inside and used as an exit. A is incorrect because entrance should not be permitted through the secondary door—even with identification, authentication, and authorization processes. There should only be one entry point into a server room. Other doors should not provide entrance but can be used for emergency exits. Thus, the secondary doors should be secured from the inside to prevent entry. B is incorrect because the primary entrance door to a server room needs to carry out identification, authentication, and authorization processes. A swipe card or cipher lock fulfills these functions. A server room, ideally, should not be directly accessible from public areas like stairways, corridors, loading docks, elevators, and restrooms. This helps prevent foot traffic from casual passersby. Those who are by the doors to secured areas should have a legitimate reason for being there, as opposed to being on their way to a meeting room, for example. C is incorrect because the secondary door should not have a security guard. The door should simply be secured from the inside so that it cannot be used as an entry. The secondary door should serve as an emergency exit.

30
Q

Before an effective physical security program can be rolled out, a number of steps must be taken. Which of the following steps comes first in the process of rolling out a security program? A. Create countermeasure performance metrics. B. Conduct a risk analysis. C. Design the program. D. Implement countermeasures.

A

B. Of the steps listed, the first in the process of rolling out an effective physical security program is to carry out a risk analysis to identify the vulnerabilities and threats, and calculate the business impact of each threat. But before this is done, a team of internal employees and/or external consultants needs to be identified to build the physical security program. The team presents the risk analysis findings to management and works with them to define an acceptable risk level for the physical security program. From there, the team must develop baselines and metrics in order to evaluate and determine if the baselines are being met by the implemented countermeasures. Once the team identifies and implements the countermeasures, the performance of these countermeasures should be continually evaluated and expressed in the previously created metrics. These performance values are compared to the set baselines. If the baselines are continually maintained, then the security program is successful because the company’s acceptable risk level is not being exceeded. A is incorrect because of the steps listed, creating countermeasure performance metrics is not the first step in creating a physical security program. It is, however, a very important one because it is only possible to determine how beneficial and effective the program is if it is monitored through a performance-based approach. This means you should devise measurements and metrics to measure the effectiveness of the chosen countermeasures. This enables management to make informed business decisions when investing in the protection of the organization’s physical security. The goal is to increase the performance of the physical security program and decrease the risk to the company in a cost-effective manner. You should establish a baseline of performance and thereafter continually evaluate performance to make sure that the company’s protection objectives are being met. Examples of possible performance metrics include number of successful crimes, number of successful disruptions, and the time it took for a criminal to defeat a control. C is incorrect because designing the program should take place after the risk analysis. Once the level of risk is understood, then the design phase can take place to protect from the threats identified in the risk analysis. The design will incorporate the controls required for each category of the program: deterrence, delaying, detection, assessment, and response. D is incorrect because implementing countermeasures is one of the last steps in the process of rolling out a physical security program. Before countermeasures can be identified and implemented, it is important to conduct a risk analysis and work with management to define an acceptable level of risk. From the acceptable risk level, the team should derive the required performance baselines, and then create countermeasure performance metrics. Next, the team should develop criteria from the results of the analysis, outlining the level of protection and performance required for deterrence, delaying, detection, assessment, and response. Only after these steps are completed should the team identify and implement countermeasures for each of these categories.

31
Q

A number of measures should be taken to help protect devices and the environment from electric power issues. Which of the following is best to keep voltage steady and power clean? A. Power line monitor B. Surge protector C. Shielded cabling D. Regulator

A

D. When clean power is being provided, the power supply contains no interference or voltage fluctuation. Mechanisms should be in place to detect unwanted power fluctuations and protect the integrity of your data processing environment. Voltage regulators and line conditioners can be used to ensure a clean and smooth distribution of power. The primary power runs through a regulator or conditioner. They have the capability to absorb extra current if there is a spike, and to store energy to add current to the line if there is a sag. The goal is to keep the current flowing at a nice, steady level so neither motherboard components nor employees get fried. A is incorrect because power line monitors are employed to detect frequency and voltage amplitude changes. Interference interrupts the flow of an electrical current, and fluctuations can actually deliver a different level of voltage than what was expected. Each fluctuation can be damaging to devices and people. In order to effectively monitor frequency and voltage amplitude changes, you should understand what they are. Power excess can be described as a spike, which is momentary high voltage, or a surge, which is prolonged high voltage. Power loss can be experienced as a fault—momentary power outage—or a blackout—prolonged, complete loss of electric power. A sag or dip is a momentary low voltage condition, from one cycle to a few seconds. A brownout, also a type of power degradation, is a prolonged power supply that is below normal voltage. Finally, an in-rush current is an initial surge of current required to start a load. B is incorrect because a surge protector is used to move excess voltage to ground when a surge occurs. A surge is a prolonged rise in voltage from a power source. Surges can cause a lot of damage very quickly. A surge is one of the most common power problems and is controlled with surge protectors. A surge can come from a strong lightning strike, a power plant going online or offline, a shift in the commercial utility power grid, and electrical equipment within a business starting and stopping. Most computers have a built-in surge protector in their power supplies, but these are small surge protectors and cannot provide protection against the damage that larger surges (say, from storms) can cause. So, you need to ensure all devices are properly plugged into larger surge protectors, whose only job is to absorb any extra current before it is passed to electrical devices. C is incorrect because shielded cabling should be used for long cable runs and cables that run in buildings with fluorescent lighting or other interference mechanisms. Fluorescent lighting gives off radio frequency interference (RFI), which is disturbance to the flow of electric power while it travels across a power line. We could rip out all the fluorescent lighting in our buildings—or we can use shielded cabling where fluorescent lighting could cause a problem. If you were to climb up into your office’s dropped ceiling and look around, you would probably see wires bundled and tied up to the true ceiling. If your office is using fluorescent lighting, the power and data lines should not be running over, or on top of, the fluorescent lights. This is because the radio frequencies being given off can interfere with the data or power current as it travels through these wires.

32
Q

Crime Prevention Through Environmental Design (CPTED) is a discipline that outlines how the proper design of a physical environment can reduce crime by directly affecting human behavior. Of CPTED’s three main components, what is illustrated in the following photo? [Open staircase in a prison] A. Natural surveillance B. Target hardening C. Natural access control D. Territorial reinforcement

A

A. CPTED provides three main strategies to bring together the physical environment and social behavior to increase overall protection: natural access control, natural surveillance, and territorial reinforcement. Surveillance can take place through organized means (security guards), mechanical means (CCTV), and natural strategies (straight lines of sight, low landscaping, raised entrances). The goal of natural surveillance is to make criminals feel uncomfortable by providing many ways observers could potentially see them and to make all other people feel safe and comfortable, by providing an open and well-designed environment. Natural surveillance is the use and placement of physical environmental features, personnel walkways, and activity areas in ways that maximize visibility. This photo shows a stairway in a building designed to be open and allow easy observation. B is incorrect because target hardening focuses on denying access through physical and artificial barriers (alarms, locks, fences, and so on). Target hardening is not a component of CPTED. Traditional target hardening can lead to restrictions on the use, enjoyment, and aesthetics of an environment. If your environment is a prison, this look might be just what you need. But if your environment is an office building, you’re not looking for Fort Knox décor. Nevertheless, you still must provide the necessary levels of protection, but your protection mechanisms should be more subtle and unobtrusive. Let’s say your organization’s team needs to protect a side door at your facility. The traditional target-hardening approach would be to put locks, alarms, and cameras on the door; install an access control mechanism, such as a proximity reader; and instruct security guards to monitor this door. C is incorrect because natural access control is the guidance of people entering and leaving a space by the placement of doors, fences, lighting, and even landscaping. For example, an office building may have external bollards with lights in them. These bollards actually carry out different safety and security services. The bollards themselves protect the facility from physical destruction by preventing people from driving their cars into the building. The light emitted helps ensure that criminals do not have a dark place to hide. And the lights and bollard placement guides people along the sidewalk to the entrance, instead of using signs or railings. They work together to give individuals a feeling of being in a safe environment and help dissuade criminals by working as deterrents. D is incorrect because the third CPTED strategy is territorial reinforcement, which creates physical designs that emphasize or extend the company’s physical sphere of influence so legitimate users feel a sense of ownership of that space. Territorial reinforcement can be implemented through the use of walls, fences, landscaping, light fixtures, flags, clearly marked addresses, and decorative sidewalks. The goal of territorial reinforcement is to create a sense of a dedicated community. Companies implement these elements so employees feel proud of their environment and have a sense of belonging, which they will defend if required to do so. These elements are also implemented to give potential offenders the impression that they do not belong there, that their activities are at risk of being observed, and that their illegal activities will not be tolerated or ignored.

33
Q

There are five different classes of fire. Each depends upon what is on fire. Which of the following is the proper mapping for the items missing in the provided table? A. Class D—combustible metals B. Class C—liquid C. Class B—electrical D. Class A—electrical

A

A. There are five classes of fire (A, B, C, D, and K). You need to know the differences among the types of fire so that you know how to properly extinguish each type. Portable fire extinguishers have markings that indicate what type of fire they should be used on. A fire is a Class D if there are combustible metals on fire. These metals can be magnesium, sodium, or potassium. These types of fires should be suppressed and extinguished with dry chemicals. B is incorrect because a fire is a Class C if there is something electrical on fire. This can be computers or any other types of devices that run on electricity. These types of fires should be suppressed and extinguished with a type of gas as in Halon or CO2. C is incorrect because a fire is a Class B if there is something liquid on fire. This can be petroleum, tars, or oils. These types of fires should be suppressed and extinguished with a type of gas as in FM-200 or CO2. D is incorrect because a fire is a Class A if there is a type of common combustible material on fire. This can be wood, paper, or cloth. These types of fires should be suppressed and extinguished with water or soda acid.

34
Q

Mike is the new CSO of a large pharmaceutical company. He has been asked to revamp the company’s physical security program and better align it with the company’s information security practices. Mike knows that the new physical security program should be made up of controls and processes that support the following categories: deterrent, delaying, detection, assessment, and response. Mike’s team has decided to implement new perimeter fences and warning signs against trespassing around the company’s facility. Which of the categories listed in the scenario do these countermeasures map to? A. Deterrent B. Delaying C. Detection D. Assessment

A

A. Fences, warning signs, and security guards are examples of countermeasures that can be put into place to deter unauthorized entry. A physical security program should contain controls in each of the following categories: deterrent, delaying, detection, assessment, and response. B is incorrect because reinforced walls, rebar, locks, and the use of double walls can be used as delaying mechanisms. The idea is that it will take the bad guy longer to get through these types of controls, which gives the response force sufficient time to arrive at the scene and stop the attacker. Deterrent controls reduce the likelihood of a vulnerability being exploited; a delaying control tries to ensure that if a bad thing happens, it will slow down the intruder. C is incorrect because detection tools are implemented not to deter malicious individuals but to detect their activities. Detection tools can be intrusion detection systems, sensors, and PIDAS fencing. D is incorrect because assessment controls pertain to how different situations will be identified and assessed. The most common control in this category is a security guard because he can connect the pieces of a situation together and determine what next steps should take place. It is important that there are controls in place that will carry out incident assessment and procedures that will be followed depending upon the outcome of the assessment.

35
Q

Mike is the new CSO of a large pharmaceutical company. He has been asked to revamp the company’s physical security program and better align it with the company’s information security practices. Mike knows that the new physical security program should be made up of controls and processes that support the following categories: deterrent, delaying, detection, assessment, and response. Mike’s team has decided to implement stronger locks on the exterior doors of the new company’s facility. Which of the categories listed in the scenario does this countermeasure map to? A. Deterrent B. Delaying C. Detection D. Assessment

A

B. Locks, defense-in-depth measures, and access controls are commonly used to delay potential intruders. A physical security program should contain controls in each of the following categories: deterrent, delaying, detection, assessment, and response. A is incorrect because fences, warning signs, and security guards are examples of countermeasures that can be put into place to deter unauthorized entry. The goal of these types of controls is for a potential attacker to not carry out his activities in the first place. C is incorrect because detection tools are implemented not to deter malicious individuals but to detect their activities. Detection tools can be intrusion detection systems, sensors, and PIDAS fencing. D is incorrect because assessment controls pertain to how different situations will be identified and assessed. The most common control in this category is a security guard because he can connect the pieces of a situation together and determine what next steps should take place. It is important that there are controls in place that will carry out incident assessment and procedures that will be followed depending upon the outcome of the assessment.

36
Q

Mike is the new CSO of a large pharmaceutical company. He has been asked to revamp the company’s physical security program and better align it with the company’s information security practices. Mike knows that the new physical security program should be made up of controls and processes that support the following categories: deterrent, delaying, detection, assessment, and response. Mike’s team has decided to hire and deploy security guards to monitor activities within the company’s facility. Which of the categories listed in the scenario does this countermeasure map to? A. Delaying B. Detection C. Assessment D. Recall

A

C. The assessment requirement of a physical security program pertains to how various situations will be assessed, triaged, and dealt with. The most common countermeasure to meet this need is the use of security guards. A is incorrect because locks, defense-in-depth measures, and access controls are commonly used to delay potential intruders. A physical security program should contain controls in each of the following categories: deterrent, delaying, detection, assessment, and response. B is incorrect because detection tools are implemented not to deter malicious individuals but to detect their activities. Detection tools can be intrusion detection systems, sensors, and PIDAS fencing. D is incorrect because it is a distracter answer.

37
Q

Greg is the security facility officer of a financial institution. His boss has told him that visitors need a secondary screening before they are allowed into sensitive areas within the building. Greg has also been told by the network administrators that after the new HVAC system was installed throughout the facility, they have noticed that power voltage to the systems in the data center sags. Which of the following is the best control that Greg should ensure is implemented to deal with his boss’s concern? A. Access and audit logs B. Mantrap C. Proximity readers D. Smart card readers

A

B. A mantrap can be used so unauthorized individuals entering a facility cannot get in or out if the mantrap is activated. A mantrap is a small room with two doors. The first door is locked; a person is identified and authenticated by a security guard, biometric system, smart card reader, or swipe card reader. Once the person is authenticated and access is authorized, the first door opens and allows the person into the mantrap. The first door locks and the person is trapped. The person must be authenticated again before the second door unlocks and allows him into the facility. This requires two different authentication and authorization processes to complete successfully before someone is allowed entrance. A is incorrect because access and audit logs are not controls that can be used to carry out secondary screening activities. These are detective controls that are commonly reviewed after an incident has occurred. C is incorrect because it is not necessarily the best answer to this question. Proximity cards are most commonly used to gain physical access to a facility or location. The question specifically points out a requirement of secondary authentication to take place before someone can enter a sensitive area within a facility, and this is the reason that mantraps exist. D is incorrect because it is not necessarily the best answer to this question. Smart cards can be used for authentication purposes in many different situations. The question specifically points out a requirement of secondary authentication to take place before someone can enter a sensitive area within a facility, and this is the reason that mantraps exist. The mantrap might use smart cards as one of its authentication steps.

38
Q

Greg is the security facility officer of a financial institution. His boss has told him that visitors need a secondary screening before they are allowed into sensitive areas within the building. Greg has also been told by the network administrators that after the new HVAC system was installed throughout the facility, they have noticed that power voltage to the systems in the data center sags. Which of the following best describes the situation that the network administrators are experiencing? A. Brownouts B. Surges C. In-rush current D. Power line interference

A

C. When a heavy electrical device is turned on, it can draw a large amount of current, which is referred to as in-rush current. If the device sucks up enough current, it can cause a sag in the available power for surrounding devices. This could negatively affect their performance. It is a good idea to have the data processing center and devices on a different electrical wiring segment from that of the rest of the facility, if possible, so the devices will not be affected by these issues. A is incorrect because when power companies are experiencing high demand, they frequently reduce the voltage in an electrical grid, which is referred to as a brownout. Constant-voltage transformers can be used to regulate this fluctuation of power. They can use different ranges of voltage and only release the expected 120 volts of alternating current to devices. Brownouts are not usually associated with HVAC systems. B is incorrect because a surge is a quick rise in voltage from a power source. Surges can cause a lot of damage very quickly. A surge is one of the most common power problems and is controlled with surge protectors. These protectors use a device called a metal oxide varistor, which moves the excess voltage to ground when a surge occurs. D is incorrect because when clean power is being provided, the power supply contains no interference or voltage fluctuation. The possible types of interference (line noise) are electromagnetic interference (EMI) and radio frequency interference (RFI), which are disturbances to the flow of electric power while it travels across a power line. This question does not address interference issues like these.

39
Q

Greg is the security facility officer of a financial institution. His boss has told him that visitors need a secondary screening before they are allowed into sensitive areas within the building. Greg has also been told by the network administrators that after the new HVAC system was installed throughout the facility, they have noticed that power voltage to the systems in the data center sags. Which of the following is a control that Greg’s team could implement to address the network administrators’ issue? A. Secondary feeder line B. Insulated grounded wiring C. Line conditioner D. Generator

A

C. Because these and other occurrences are common, mechanisms should be in place to detect unwanted power fluctuations and protect the integrity of data processing environments. Voltage regulators and line conditioners can be used to ensure a clean and smooth distribution of power. The primary power runs through a regulator or conditioner. They have the capability to absorb extra current if there is a spike, and to store energy to add current to the line if there is a sag. A is incorrect because a secondary feeder line from a transformer does not address the issue outlined in this scenario. A secondary line would be put into place for redundancy and failover purposes. B is incorrect because an insulated grounded wire does not address the issue outlined in the scenario. The issue in the scenario has to do with in-rush currents, which means that the voltage of the power supply is uneven and potentially damaging. Wires are grounded to ensure that an excessive current goes to the ground and not to a piece of equipment or person. Grounding wires does not address voltage and current fluctuation. D is incorrect because a generator is implemented in case there is a power outage. A generator does not have any effect on power voltage changes.

40
Q

There are several components involved with steganography. Which of the following refers to a file that has hidden information in it? A. Stegomedium B. Concealment cipher C. Carrier D. Payload

A

C. Steganography is a method of hiding data in another media type so that the very existence of the data is concealed. Only the sender and receiver are supposed to be able to see the message because it is secretly hidden in a graphic, WAV file, document, or other type of media. The message is not necessarily encrypted, just hidden. Encrypted messages can draw attention because they tell the bad guy, “This is something sensitive.” A message hidden in a picture would not attract this type of attention, even though the exact same secret message can be embedded into this image. Steganography is a type of security through obscurity. The components involved with steganography are the carrier, stegomedium, and payload. The carrier is a signal, data stream, or file that has hidden information inside of it. In other words, it carries the payload. A is incorrect because the stegomedium is the medium in which the information is hidden in steganography. If the message were held within a graphic, the stegomedium could be JPEG or TIFF. If the message were embedded within a file, the stegomedium could be a Word document. A stegomedium can be a graphic type, WAV file type, document type, or other type of media. B is incorrect because a concealment cipher is a type of steganography method that involves putting a message within a message. It is a way to hide a secret message within something familiar from the world around us. This answer does not specify a specific component of steganography but is a specific type of steganography. D is incorrect because the payload is the information that is to be concealed and transported through the use of steganography. The payload is the actual information that the sender wants to keep secret.

41
Q

Which of the following incorrectly describes steganography? A. It is a type of security through obscurity. B. Modifying the most significant bit is the most common method used. C. Steganography does not draw attention to itself like encryption does. D. Media files are ideal for steganographic transmission because of their large size.

A

B. Steganography is the method of hiding data in another media type so that the very existence of the data is concealed. One of the most common methods of embedding the message into some type of medium is using the least significant bit (LSB)—not the most significant bit. Many types of files have some bits that can be modified and not affect the file they are in, which is where secret data can be hidden without altering the file in a visible manner. In the LSB approach, graphics with a high resolution or an audio file that has many different types of sounds (high bit rate) are the most successful in hiding information within. There is commonly no noticeable distortion, and the file is usually not increased to a size that can be detected. A 24-bit bitmap file will have 8 bits representing each of the three color values, which are red, green, and blue. These 8 bits are within each pixel. If we consider just the blue, there will be 2^8 different values of blue. The difference between 11111111 and 11111110 in the value for blue intensity is likely to be undetectable by the human eye. A is incorrect because steganography is a type of security through obscurity. Security through obscurity means that instead of actually securing something with a countermeasure, someone uses secrecy as the way to protect the asset. An example of security through obscurity is if a network administrator changes his HTTP port from 80 to 8080 with the hopes that no one will figure this out. Security through obscurity means that you are trying to fool the potential attacker and you assume that the attacker will not be clever enough to figure out your trickery. C is incorrect because it is true that steganography does not draw attention to itself as does encryption. An encrypted message can draw attention because it tells the bad guy that the encrypted information is sensitive (otherwise, it wouldn’t be encrypted in the first place). An attacker may then be motivated to break the encryption and uncover the information. The goal of steganography is that the attacker not even know that the sensitive information exists and thus will not attempt to capture it. D is incorrect because it is true that larger media files are ideal for steganographic transmission because there are more bits to manipulate with a lower chance that anyone will notice. As a simple example, a sender might start with an innocuous image file and adjust the color of every hundredth pixel to correspond to a letter in the alphabet, a change so subtle that someone not specifically looking for it is unlikely to notice it. The larger the file, the more obscurity can be accomplished because there are more bits to work with and manipulate.

42
Q

Which of the following correctly describes a drawback of symmetric key systems? A. Computationally less intensive than asymmetric systems B. Work much more slowly than asymmetric systems C. Carry out mathematically intensive tasks D. Key must be delivered via secure courier

A

D. In order for two users to exchange messages encrypted with a symmetric algorithm, they must first figure out how to distribute the key. If a key is compromised, then all messages encrypted with that key can be decrypted and read by an intruder. It is not safe to simply send the key in an e-mail message, because the key is not protected and can be easily intercepted and used by attackers. Thus, one user must send the key to the other using an out-of-band method. The user can save the key on a thumb drive and walk it over to the other person’s desk or have a secure courier deliver it. This is a disadvantage of symmetric cryptography because distribution is a hassle, as well as clumsy and insecure. A is incorrect because it describes an advantage of symmetric algorithms. Because they are less computationally intensive than asymmetric algorithms, symmetric algorithms tend to be much faster. They can relatively quickly encrypt and decrypt large amounts of data that would take an unacceptable amount of time to encrypt and decrypt with an asymmetric algorithm. B is incorrect because asymmetric systems work much more slowly than symmetric systems. The speed with which symmetric algorithms work is an advantage. Asymmetric algorithms are slower than symmetric algorithms because they use much more complex mathematics to carry out their functions, which requires more processing time. However, asymmetric algorithms can provide authentication and nonrepudiation, whereas symmetric algorithms cannot. Because both users employ the same key to encrypt and decrypt messages, symmetric cryptosystems can provide confidentiality but they cannot provide authentication or nonrepudiation. There is no way to prove through cryptography who actually sent a message if two people are using the same key. C is incorrect because asymmetric algorithms carry out mathematically intensive tasks. Symmetric algorithms, on the other hand, carry out relatively simplistic mathematical functions on the bits during the encryption and decryption processes. They substitute and scramble (transpose) bits, which is not overly difficult or processor intensive. The reason it is hard to break this type of encryption is that the symmetric algorithms carry out this type of functionality over and over again. So a set of bits will go through a long series of being substituted and transposed.

43
Q

Which of the following occurs in a PKI environment? A. The RA creates the certificate, and the CA signs it. B. The CA signs the certificate. C. The RA signs the certificate. D. The user signs the certificate.

A

B. A certificate authority (CA) is a trusted organization (or server) that maintains and issues digital certificates. When a person requests a certificate, the registration authority (RA) verifies that individual’s identity and passes the certificate request off to the CA. The CA constructs the certificate, digitally signs it, sends it to the requester, and maintains the certificate over its lifetime. The CA digitally signs it so that the receiver can verify that the certificate came from that specific CA. The CA digitally signs the certificate with its private key, and the receiver verifies this signature with the CA’s public key. A is incorrect because the RA does not create the certificate; the CA creates it and signs it. The RA performs the certification registration duties. The RA establishes and confirms the identity of the individual requesting the certificate, initiates the certification process with a CA on behalf of an end user, and can perform certificate life-cycle management functions. The RA cannot issue certificates but can act as a broker between the user and the CA. When users need new certificates, they make requests to the RA, and the RA verifies all necessary identification information before allowing a request to go to the CA. C is incorrect because the RA does not sign the certificate. The CA signs the certificate. The RA validates the user’s identity and then sends the request for a certificate to the CA. D is incorrect because the user does not sign the certificate. In a PKI environment, a user’s certificate is created and signed by the CA. The CA is a trusted third party that generates and maintains user certificates, which hold their public keys. The certificate is digitally signed to provide confidence to others that the certificate was created by that specific CA.

44
Q

Which of the following correctly describes the difference between public key cryptography and public key infrastructure? A. Public key cryptography is the use of an asymmetric algorithm, while public key infrastructure is the use of a symmetric algorithm. B. Public key cryptography is used to create public/private key pairs, and public key infrastructure is used to perform key exchange and agreement. C. Public key cryptography provides authentication and nonrepudiation, while public key infrastructure provides confidentiality and integrity. D. Public key cryptography is another name for asymmetric cryptography, while public key infrastructure consists of public key cryptographic mechanisms.

A

D. Public key cryptography is asymmetric cryptography; the terms are used interchangeably. Public key cryptography is one piece in a public key infrastructure (PKI), which is made up of many different parts, including certificate authorities, registration authorities, certificates, keys, programs, and users. The infrastructure contains the pieces that will identify users, create and distribute certificates, maintain and revoke certificates, distribute and maintain encryption keys, and enable all technologies to communicate and work together for the purpose of encrypted communication and authentication. A is incorrect because PKI uses a hybrid system of symmetric and asymmetric key algorithms and methods. Public key cryptography is the use of an asymmetric algorithm. Thus, the terms asymmetric cryptography and public key cryptography are interchangeable and mean the same thing. Examples of asymmetric algorithms are RSA, elliptic curve cryptosystem (ECC), Diffie-Hellman, and El Gamal. B is incorrect because public key cryptography is the use of asymmetric algorithms, which are used to create public/private key pairs, perform key exchange or agreement, and generate and verify digital signatures. Public key infrastructure, on the other hand, is not an algorithm, a protocol, or an application—it is an infrastructure based on symmetric and asymmetric cryptography. C is incorrect because a PKI does not provide authentication, nonrepudiation, confidentiality, and integrity directly—it can use algorithms that provide these security services. A PKI uses asymmetric, symmetric, and hashing algorithms. Symmetric algorithms provide confidentiality, asymmetric algorithms provide authentication and nonrepudiation, and hashing algorithms provide integrity.

45
Q

Which of the following best describes Key Derivation Functions (KDFs)? A. Keys are generated from a master key. B. Session keys are generated from each other. C. Asymmetric cryptography is used to encrypt symmetric keys. D. A master key is generated from a session key.

A

A. For complex keys to be generated, commonly a master key is created and then symmetric keys (subkeys) are generated from it. Key Derivation Functions (KDFs) derive encryption keys from a secret value. The secret value can be a master key, passphrase, or password. KDFs are used to help ensure the randomness of the key values to make it harder for the attacker to uncover them. The KDF commonly uses a pseudorandom number generator with the secret value to make each encryption key unique. B is incorrect because session keys are commonly generated from the master key—not from each other. For example, if an application is responsible for creating a session key for each subject that requests one, it should not be giving out the same instance of that one key. Different systems need to have different symmetric keys to ensure that the window for the bad guy to capture and uncover that key is smaller than if the same key is used over and over again. When two or more keys are created from a master key, they are called subkeys. C is incorrect because the encryption of keys has nothing to do with KDFs. Use of KDFs pertains to the procedures of creating unique and strong encryption keys. KDFs help to ensure that enough randomness is involved when generating new keys so that the attacker has a harder time uncovering them. D is incorrect because the statement is backward. A session key is commonly generated from a master key. When keys are generated from an original value, as in a master key, the resulting keys are referred to as subkeys or subsession keys.

46
Q

An elliptic curve cryptosystem is an asymmetric algorithm. What sets it apart from other asymmetric algorithms? A. It provides digital signatures, secure key distribution, and encryption. B. It computes discrete logarithms in a finite field. C. It uses a larger percentage of resources to carry out encryption. D. It is more efficient.

A

D. Elliptic curves are rich mathematical structures that have shown usefulness in many different types of applications. An elliptic curve cryptosystem (ECC) differs from other asymmetric algorithms due to its efficiency. ECC is more efficient than any other asymmetric algorithm because of less intensive mathematics. In most cases, the longer the key, the more protection that is provided, but ECC can provide the same level of protection with a key size that is shorter than what RSA requires. Because longer keys require more resources to perform mathematical tasks, the smaller keys used in ECC require fewer resources of the device. And fewer resources make for a more efficient algorithm. A is incorrect because ECC is not the only asymmetric algorithm that provides digital signatures, secure key distribution, and encryption. These services are also provided by RSA and other asymmetric algorithms. Using its one-way function, ECC provides encryption and signature verification, and the inverse direction performs decryption and signature generation. It can also be used as a key exchange protocol, meaning it is used to encrypt the symmetric key to get it securely to its destination. B is incorrect because Diffie-Hellman and El Gamal calculate discrete logarithms in a finite field. In the field of mathematics that deals with elliptic curves, points on the curves compose a structure called a group. These points are the values used in mathematical formulas for ECC’s encryption and decryption processes. The algorithm computes discrete logarithms of elliptic curves, which is different from calculating discrete logarithms in a finite field. C is incorrect because ECC uses far fewer resources when compared to other asymmetric algorithms. Some devices, like wireless devices and cellular phones, have limited processing capacity, storage, power, and bandwidth. With these types of devices, efficiency of resource use is very important.

47
Q

If implemented properly, a one-time pad is a perfect encryption scheme. Which of the following incorrectly describes a requirement for implementation? A. The pad must be securely distributed and protected at its destination. B. The pad must be made up of truly random values. C. The pad must always be the same length. D. The pad must be used only one time.

A

C. A one-time pad is a perfect encryption scheme because it is considered unbreakable if implemented properly. It was invented by Gilbert Vernam in 1917, so sometimes it is referred to as the Vernam cipher. The pad must be at least as long as the message. If it is not as long as the message, the pad will need to be reused to cover the whole message. This would be the same thing as using a pad more than one time, which could introduce patterns. A is incorrect because it is true that the pad must be securely distributed and protected at its destination. This is a very cumbersome process to accomplish, because the pads are usually just individual pieces of paper that need to be delivered by a secure courier and properly guarded at each destination. One-time pads have been used throughout history to protect different types of sensitive data. Today, they are still in place for many types of militaries as a backup encryption option if current encryption processes (that require computers and a power source) are unavailable for reasons of war or attacks. B is incorrect because it is true that the pad must be made up of truly random values. This may not seem like a difficult task, but even our computer systems today do not have truly random number generators; rather, they have pseudorandom number generators. These generators are seeded by an initial value from some component within the computer system (time, CPU cycles, etc.). Although a computer system is complex, it is a predictable environment, so if the seeding value is predictable in any way, the resulting values created are not truly random—but pseudorandom. D is incorrect because it is true that the pad must be used only one time. If the pad is used more than one time, this might introduce patterns in the encryption process that will aid an evildoer in his goal of breaking the encryption. Although the one-time pad approach to encryption can provide a very high degree of security, it is impractical in most situations because of all of its different requirements. Each possible pair of entities that might want to communicate in this fashion must receive, in a secure fashion, a pad. This type of key management can be overwhelming and may require more overhead than it is worth. The distribution of the pad can be challenging, and the sender and receiver must be perfectly synchronized so that each is using the same pad.

48
Q

Sally is responsible for key management within her organization. Which of the following incorrectly describes a principle of secure key management? A. Keys should be backed up or escrowed in case of emergencies. B. The more a key is used, the shorter its lifetime should be. C. Less secure data allows for a shorter key lifetime. D. Keys should be stored and transmitted by secure means.

A

C. Key management is critical for proper protection. Part of key management is determining the lifespan of keys. The key’s lifetime should correspond with the sensitivity of the data it is protecting. Less secure data may allow for a longer key lifetime, whereas more sensitive data might require a shorter key lifetime. Keys should be properly destroyed when their lifetime comes to an end. The processes of changing and destroying keys should be automated and hidden from the user. They should be integrated into software or the operating system. It only adds complexity and opens the doors for more errors when processes are done manually and depend upon end users to perform certain functions. A is incorrect because it is true that keys should be backed up or escrowed in case of emergencies. Keys are at risk of being lost, destroyed, or corrupted. Backup copies should be available and easily accessible when required. If data is encrypted and then the user accidentally loses the necessary key to decrypt it, this information would be lost forever if there were not a backup key. The application being used for cryptography may have key recovery options, or it may require copies of the keys to be kept in a secure place. B is incorrect because it is true that the more a key is used, the shorter its lifetime should be. The frequency of use of a cryptographic key has a direct correlation to how often the key should be changed. The more a key is used, the more likely it is to be captured and compromised. If a key is used infrequently, then this risk drops dramatically. The necessary level of security and the frequency of use can dictate the frequency of key updates. A mom-and-pop diner might only change its cryptography keys every month, whereas an information warfare military unit might change them every day or every week. D is incorrect because it is true that keys should be stored and transmitted by secure means. Keys are stored before and after distribution. When a key is distributed to a user, it needs a secure place within the file system to be stored and used in a controlled method. The key, the algorithm that will use the key, configurations, and parameters are stored in a module that also needs to be protected. If an attacker is able to obtain these components, she could masquerade as another user and decrypt, read, and re-encrypt messages not intended for her.

49
Q

Mandy needs to calculate how many keys must be generated for the 260 employees using the company’s PKI asymmetric algorithm. How many keys are required? A. 33,670 B. 520 C. 67,340 D. 260

A

B. With asymmetric algorithms, every user must have at least one pair of keys (private and public). In public key systems, each entity has different keys, or asymmetric keys. The two different asymmetric keys are mathematically related. If a message is encrypted by one key, the other key is required in order to decrypt the message. The formula for determining the number of keys needed in this environment is N × 2, which is the number of people (N) multiplied by the number of keys each person would need (2). In a public key system, the pair of keys is made up of one public key and one private key. The public key can be known to everyone, and the private key must be known and used only by the owner. A is incorrect because 33,670 is the number of keys needed in a symmetric key cryptosystem. Each pair of users who want to exchange data using symmetric key encryption must have two instances of the same key. This means that if Dan and Bob want to communicate, both need to obtain a copy of the same key. If Dan also wants to communicate using symmetric encryption with Norm and Dave, he needs to have three separate keys, one for each friend. This might not sound like a big deal until Dan realizes that he may communicate with hundreds of people over a period of several months, and keeping track and using the correct key that corresponds to each specific receiver can become a daunting task. If 10 people needed to communicate securely with each other using symmetric keys, then 45 keys would need to be kept track of. If 100 people were going to communicate, then 4,950 keys would be involved. The equation used to calculate the number of symmetric keys needed is: N(N – 1) / 2 = number of keys. C is incorrect because 67,340 is the total derived from N(N – 1), which is part of the formula used to determine the number of keys needed in a symmetric key cryptosystem. The complete formula is N(N – 1) / 2. The question, however, asked for the number of keys that would be used in a public key infrastructure’s asymmetric algorithms. Asymmetric—not symmetric—keys are used in a public key cryptosystem. The formula for determining the number of asymmetric keys that are needed is N × 2. D is incorrect because each user in a public key infrastructure requires at least one key pair—a public key and a private key. One key cannot encrypt and decrypt the same message. So each user requires at least two keys. Thus, the formula for determining the number of asymmetric keys that are needed is N × 2.

50
Q

Which of the following works similarly to stream ciphers? A. One-time pad B. AES C. Block D. RSA

A

A. Stream ciphers were developed to provide the same type of protection one-time pads do, which is why they work in such a similar manner. In reality, stream ciphers cannot provide the level of protection one-time pads do, but because stream ciphers are implemented through software and automated means, they are much more practical. A one-time pad is a perfect encryption scheme because it is considered unbreakable if implemented properly. This cipher uses a pad made up of random values. A plaintext message that needs to be encrypted is converted into bits, and a one-time pad is made up of random bits. This encryption process uses a binary mathematical function called exclusive-OR, usually abbreviated as XOR. XOR is an operation that is applied to two bits and is a function commonly used in binary mathematics and encryption methods. Stream ciphers also encrypt at the bit level, which is how they are similar to one-time pad encryption schemes. B is incorrect because AES is a symmetric block cipher. When a block cipher is used for encryption and decryption purposes, the message is divided into blocks of bits. These blocks are then put through mathematical functions, one block at a time. Stream ciphers encrypt data one bit at a time, whereas a block cipher encrypts data one block of bits at a time. Suppose you need to encrypt a message you are sending to your friend and you are using a block cipher that uses a 64-bit block size. Your message of 640 bits is chopped up into 10 individual blocks of 64 bits. Each block is put through a succession of mathematical formulas, and what you end up with is 10 blocks of encrypted text. You send this encrypted message to your friend. He has to have the same block cipher and key, and those 10 ciphertext blocks go back through the algorithm in the reverse sequence and end up in your plaintext message. C is incorrect because, as stated in the preceding answer, when a block cipher is used for encryption and decryption purposes, the message is divided into blocks of bits. These blocks are then put through mathematical functions, one block at a time. D is incorrect because RSA is a public key algorithm that is the most popular when it comes to asymmetric algorithms. Asymmetric algorithms use a different type of mathematics than symmetric algorithms and are nothing like one-time pad encryption schemes. The security of this algorithm comes from the difficulty of factoring large numbers into their original prime numbers.

51
Q

There are two main types of symmetric ciphers: stream and block. Which of the following is not an attribute of a good stream cipher? A. Statistically unbiased keystream B. Statistically predictable C. Long periods of no repeating patterns D. Keystream not linearly related to key

A

B. The two main types of symmetric algorithms are block ciphers and stream ciphers. A block cipher performs mathematical functions on blocks of bits at a time. A stream cipher, on the other hand, does not divide a message into blocks. Instead, a stream cipher treats the message as a stream of bits and performs mathematical functions on each bit individually. Good stream ciphers offer the following: unpredictable statistical results, long periods of no repeating patterns, a statistically unbiased keystream, and a keystream that is not linearly related to the key. If a stream cipher is statistically predictable, then it will be possible for an attacker to uncover the key and break the cipher. A is incorrect because a statistically unbiased keystream is an attribute of a good stream cipher. A statistically unbiased keystream means that there are as many zeros as there are ones. There should be no dominance in the number of zeros or ones in the keystream. C is incorrect because long periods of no repeating patterns within keystream values is a characteristic of a good stream cipher. The ultimate goal of any encryption is to provide a high level of randomness so that an attacker cannot reverse-engineer and uncover the key that was used during the encryption process. D is incorrect because a keystream not linearly related to a key is an attribute of a good stream cipher. This means that if someone figures out the keystream values, that does not mean he now knows the key value. This is important because the key provides the randomness of the encryption process. Most encryption algorithms are public, so people know how they work. The secret to the secret sauce is the key. The key provides randomness, so that the stream of bits that is XORed to the plaintext is as random as possible.

52
Q

Which of the following best describes how a digital signature is created? A. The sender encrypts a message digest with his private key. B. The sender encrypts a message digest with his public key. C. The receiver encrypts a message digest with his private key. D. The receiver encrypts a message digest with his public key.

A

A. A digital signature is a hash value that has been encrypted with the sender’s private key. The act of digital signing means encrypting the message’s hash value with a private key. If Sam wants to ensure that the message he sends to Debbie is not modified and he wants her to be sure it came only from him, he can digitally sign the message. This means that a one-way hashing function would be run on the message, and then Sam would encrypt that hash value with his private key. When Debbie receives the message, she will perform the hashing function on the message and come up with her own hash value. Then she will decrypt the sent hash value (digital signature) with Sam’s public key. She then compares the two values, and if they are the same, she can be sure the message was not altered during transmission. She is also sure the message came from Sam because the value was encrypted with his private key.

B is incorrect because if the sender encrypts the message digest with his public key, the recipient will not be able to decrypt it. The recipient would need access to the sender’s private key, which should never happen. The private key should always be kept secret.

C is incorrect because the receiver should decrypt the message digest with the sender’s public key. The message digest is encrypted with the sender’s private key, which can only be decrypted with the sender’s public key.

D is incorrect because the receiver should decrypt the message digest with the sender’s public key. The message digest is encrypted with the sender’s private key, which can only be decrypted with the sender’s public key.

53
Q

In cryptography, different steps and algorithms provide different types of security services. Which of the following provides only authentication, nonrepudiation, and integrity? A. Encryption algorithm B. Hash algorithm C. Digital signature D. Encryption paired with a digital signature

A

C. A digital signature is a hash value that has been encrypted with the sender’s private key. The act of signing means encrypting the message’s hash value with a private key. A message can be digitally signed, which provides authentication, nonrepudiation, and integrity. The hashing function ensures the integrity of the message, and the signing of the hash value provides authentication and nonrepudiation.

A is incorrect because encryption algorithms provide confidentiality. Encryption is most commonly carried out with the use of symmetric algorithms. Symmetric algorithms can only provide confidentiality and not authentication, nonrepudiation, and integrity.

B is incorrect because hashing algorithms provide data integrity. Hashing algorithms generate message digests (also called hash values) to detect whether modification has taken place. The sender and receiver independently generate their own digests, and the receiver compares these values. If they differ, the receiver knows the message has been altered. A hashing algorithm cannot provide authentication or nonrepudiation.

D is incorrect because encryption and a digital signature provide confidentiality, authentication, nonrepudiation, and integrity. The encryption alone provides confidentiality. And the digital signature provides authentication, nonrepudiation, and integrity. The question asks for which can only provide authentication, nonrepudiation, and integrity.

54
Q

Advanced Encryption Standard is an algorithm used for which of the following? A. Data integrity B. Bulk data encryption C. Key recovery D. Distribution of symmetric keys

A

B. The Advanced Encryption Standard (AES) is a data encryption standard that was developed to improve upon the previous de facto standard—the Data Encryption Standard (DES). As a symmetric algorithm, AES is used to encrypt bulk data. Symmetric algorithms of any kind are used to encrypt large amounts of data (bulk), while asymmetric algorithms are used to encrypt a small amount of data as in keys and hashing values.

A is incorrect because AES is an encryption algorithm and therefore provides confidentiality, not data integrity. Hashing algorithms, such as SHA-1, MD2, MD4, MD5, and HAVAL, provide data integrity.

C is incorrect because AES is not used for key recovery. However, AES generates and makes use of keys, which require key recovery procedures. Keys are at risk of being lost, destroyed, or corrupted. Backup copies should be available and easily accessible when required. If data is encrypted and then the user accidentally loses the necessary key to decrypt it, this information would be lost forever if there were not a backup key to save the day. The application being used for cryptography may have key recovery options, or it may require copies of the keys to be kept in a secure place.

D is incorrect because asymmetric algorithms are used to protect symmetric keys while being distributed. AES is a symmetric algorithm. In a hybrid system, the symmetric algorithm creates a secret key that will be used to encrypt the bulk, or the message, and the asymmetric key encrypts the secret key for transmission.

55
Q

SSL is a de facto protocol used for securing transactions that occur over untrusted networks. Which of the following best describes what takes place during an SSL connection setup process? A. The server creates a session key and encrypts it with a public key. B. The server creates a session key and encrypts it with a private key. C. The client creates a session key and encrypts it with a private key. D. The client creates a session key and encrypts it with a public key.

A

D. Secure Sockets Layer (SSL) uses public key encryption and provides data encryption, server authentication, message integrity, and optional client authentication. When a client accesses a website, that website may have both secured and public portions. The secured portion would require the user to be authenticated in some fashion. When the client goes from a public page on the website to a secured page, the web server will start the necessary tasks to invoke SSL and protect this type of communication. The server sends a message back to the client, indicating a secure session should be established, and the client in response sends its security parameters. The server compares those security parameters to its own until it finds a match. This is the handshaking phase. The server authenticates to the client by sending it a digital certificate, and if the client decides to trust the server, the process continues. The client generates a session key and encrypts it with the server’s public key. This encrypted key is sent to the web server, and they both use this symmetric key to encrypt the data they send back and forth.

A is incorrect because the server does not create the session key; the client creates a session key and encrypts it with the server’s public key. SSL is commonly used in web transactions and works in the following way: the client creates a session key, the client encrypts the session key with the server’s public key and sends it to the server, and the server receives the session key and decrypts it with its private key.

B is incorrect because the server does not create the session key, and it is not encrypted with the private key. The client creates a session key and encrypts it with the server’s public key. The server receives the session key and decrypts it with its private key. The session key is then used to encrypt the data that is transmitted between the client and server.

C is incorrect because the client uses the server’s public key to encrypt the session key it generates. If the client encrypted the session key with the private key, then any entity that possessed the client’s public key would be able to decrypt the session key. This does not provide any security. By encrypting the session key with the server’s public key, only the server—which possesses the corresponding private key—can decrypt it.

56
Q

The CA is responsible for revoking certificates when necessary. Which of the following correctly describes a CRL and OCSP? A. The CRL was developed as a more streamlined approach to OCSP. B. OCSP is a protocol that submits revoked certificates to the CRL. C. OCSP is a protocol developed specifically to check the CRL during a certificate validation process. D. CRL carries out real-time validation of a certificate and reports to the OCSP.

A

C. The certificate authority (CA) is responsible for creating and handing out certificates, maintaining them, and revoking them if necessary. Revocation is handled by the CA, and the revoked certificate information is stored on a certificate revocation list (CRL). This is a list of every certificate that has been revoked. This list is maintained and updated periodically. A certificate may be revoked because the key holder’s private key was compromised or because the CA discovered the certificate was issued to the wrong person. If the certificate becomes invalid for some reason, the CRL is the mechanism for the CA to let others know this information. The Online Certificate Status Protocol (OCSP) is being used more and more rather than the cumbersome CRL approach. When using just a CRL, the user’s browser must check a central CRL to find out if the certificate has been revoked, or the CA must continually push out CRL values to the clients to ensure they have an updated CRL. If OCSP is implemented, it does this work automatically in the background. It carries out real-time validation of a certificate and reports back to the user whether the certificate is valid, invalid, or unknown.

A is incorrect because a CRL is actually a cumbersome approach to managing and validating revoked certificates. OCSP is increasingly being used to address this. OCSP does this work in the background, doing what the user’s web browser would do when just using a CRL. OCSP checks a central CRL to see if a certificate has been revoked.

B is incorrect because OCSP does not submit revoked certificates to the CRL. The CA is responsible for the creation, distribution, and maintenance of certificates. This includes revoking them when necessary and storing the information on a CRL.

D is incorrect because OCSP, not the CRL, carries out real-time validation of a certificate. In addition, OCSP reports back to the user whether the certificate is valid, invalid, or unknown.

57
Q

There are several different types of technologies within cryptography that provide confidentiality. What is represented in the graphic that follows? 1 XOR 0 = 1 A. Running key cipher B. Concealment cipher C. Steganography D. One-time pad

A

D. A one-time pad is a perfect encryption scheme because it is considered unbreakable if implemented properly. A one-time pad uses a pad with random values that are XORed against the message to produce ciphertext. The plaintext message shown in the graphic that needs to be encrypted has been converted into bits, and our one-time pad is made up of random bits. This encryption process uses a binary mathematical function called exclusive-OR, usually abbreviated as XOR. The receiver must have the same one-time pad to decrypt the message by reversing the process.

A is incorrect because a running key cipher uses a key that does not require an electronic algorithm and bit alterations but cleverly uses components in the physical world around you. For instance, the algorithm could be a set of books agreed upon by the sender and receiver. The key in this type of cipher could be a book page, line number, and column count. If you get a message from your supersecret spy buddy and the message reads “149l6c7.299l3c7.911l5c8,” this could mean for you to look at the 1st book in your predetermined series of books, the 49th page, 6th line down the page, and the 7th column. So you write down the letter in that column, which is h. The second set of numbers starts with 2, so you go to the 2nd book, 99th page, 3rd line down, and then to the 7th column, which is o. The last letter you get from the 9th book, 11th page, 5th line, 8th column, which is t. So now you have come up with your important secret message, which is hot.

B is incorrect because a concealment cipher is a message within a message. If your spy buddy and you decide your key value is every third word, then when you get a message from him, you will pick out every third word and write it down. Suppose he sends you a message that reads, “The saying, ‘The time is right’ is not cow language, so is now a dead subject.” Because your key is every third word, you come up with “The right cow is dead.”

C is incorrect because steganography is a method of hiding data in another media type so that the very existence of the data is concealed. Only the sender and receiver are supposed to be able to see the message because it is secretly hidden in a graphic, WAV file, document, or other type of media. The message is not encrypted, just hidden. Encrypted messages can draw attention because they tell the bad guy, “This is something sensitive.” A message hidden in a picture would not attract this type of attention, even though the exact same secret message can be embedded into this image. Steganography is a type of security through obscurity.

58
Q

There are several different types of important architectures within public key infrastructures. Which architecture does the graphic that follows represent? A. Cross-certification B. Cross revocation list C. Online Certificate Status Protocol D. Registration authority

A

A. When independent PKIs need to interconnect to allow for secure communication to take place (either between departments or different companies), there must be a way for the two root CAs to trust each other. The two CAs do not have a CA above them they can both trust, so they must carry out cross-certification. Cross-certification is the process undertaken by CAs to establish a trust relationship in which they rely upon each other’s digital certificates and public keys as if they had issued them themselves. When this is set up, a CA for one company can validate digital certificates from the other company and vice versa.

B is incorrect because a certificate revocation list (CRL) contains all of the revoked certificates within a PKI. The CA is responsible for creating and handing out certificates, maintaining them, and revoking them if necessary. Revocation is handled by the CA, and the revoked certificate information is stored on a CRL. This is a list of every certificate that has been revoked. This list is maintained and updated periodically. A certificate may be revoked because the key holder’s private key was compromised or because the CA discovered the certificate was issued to the wrong person. An analogy for the use of a CRL is how a driver’s license is used by a police officer. If an officer pulls over Sean for speeding, the officer will ask to see Sean’s license. The officer will then run a check on the license to find out if Sean is wanted for any other infractions of the law and to verify the license has not expired. The same thing happens when a person compares a certificate to a CRL. If the certificate became invalid for some reason, the CRL is the mechanism for the CA to let others know this information.

C is incorrect because the Online Certificate Status Protocol (OCSP) carries out real-time validation of a certificate and reports back to the user whether the certificate is valid, invalid, or unknown. When using just a CRL, the user’s browser must either check a central CRL to find out if the certificate has been revoked or a CA must continually push out CRL values to the clients to ensure they have an updated CRL. If OCSP is implemented, it does this work automatically in the background. OCSP checks the CRL that is maintained by the CA. So the CRL is still being used, but now we have a protocol developed specifically to check the CRL during a certificate validation process.

D is incorrect because the registration authority (RA) performs the certificate registration duties. The RA establishes and confirms the identity of an individual and initiates the certification process with a CA on behalf of an end user. The RA cannot issue certificates but can act as a broker between the user and the CA. When users need new certificates, they make requests to the RA, and the RA verifies all necessary identification information before allowing a request to go to the CA.

59
Q

There are different ways of providing integrity and authentication within cryptography. What type of technology is shown in the graphic that follows? A. One-way hash B. Digital signature C. Birthday attack D. Collision

A

B. When a hash algorithm is applied to a message, it produces a message digest, and this value is signed with a private key to produce a digital signature. It provides authentication, data integrity, and nonrepudiation. The act of signing is the actual encryption of the value with the private key. When Maureen receives the message, she will perform the hashing function on the message and come up with her own hash value. Then she will decrypt the sent hash value (digital signature) with Kevin’s public key. She then compares the two values, and if they are the same, she can be sure the message was not altered during transmission. She is also sure the message came from Kevin because the value was encrypted with his private key.

A is incorrect because a one-way hash is a function that takes a variable-length string (the message) and produces a fixed-length value called a hash value. For example, if Kevin wants to send a message to Maureen and he wants to ensure the message does not get altered in an unauthorized fashion while it is being transmitted, he would calculate a hash value for the message and append it to the message itself. When Maureen receives the message, she performs the same hashing function Kevin used and then compares her result with the hash value sent with the message. If the two values are the same, Maureen can be sure the message was not altered during transmission. If the two values are different, Maureen knows the message was altered, either intentionally or unintentionally, and she discards the message.

C is incorrect because a birthday attack is an attack on hashing functions through brute force. The attacker tries to create two messages with the same hashing value. A good hashing algorithm should not produce the same hash value for two different messages. If the algorithm does produce the same value for two distinctly different messages, this is called a collision. An attacker can attempt to force a collision, which is referred to as a birthday attack. Hash algorithms usually use message digest sizes (the value of n) that are large enough to make collisions difficult to accomplish, but they are still possible. An algorithm that has 160-bit output, like SHA-1, may require approximately 2^80 computations to break. This means there is a less than 1 in 2^80 chance that someone could carry out a successful birthday attack. A hashing algorithm that has a larger bit output is less vulnerable to brute-force attacks such as a birthday attack.

D is incorrect because a collision is when two hashed messages result in the same value. A strong one-way hash function should not provide the same hash value for two or more different messages. If a hashing algorithm takes steps to ensure it does not create the same hash value for two or more messages, it is said to be collision free. If a hashing algorithm generates a message digest of 60 bits, there is a high likelihood that an adversary can find a collision using only 2^30 inputs.

60
Q

A widely used family of symmetric algorithms is called block ciphers. When these types of algorithms are being used, a message that needs to be encrypted is segmented into individual blocks and each block is encrypted. These algorithms work in different modes, and each mode has a specific use case. Which mode is being represented in the graphic and what is its most common use case? A. Electronic Code Book mode is used when individual and unique keys are needed to encrypt each block. B. Counter mode is used when encryption and decryption need to take place in parallel and independent block recovery is available. C. Cipher Block Chaining mode is used when added complexity is required by incorporating subkeys for each block encryption function. D. Output Feedback mode is used when segmented ciphertext blocks are required for inline encryption functionality.

A

B. Unlike most of the other block cipher modes, Counter (CTR) mode does not incorporate any chaining between blocks that are being encrypted. This means that the receiving end does not have to wait and receive all of the message blocks before starting to decrypt the message. The individual blocks are not coupled or dependent upon each other. Since the receiving end can decrypt the blocks as soon as they are received, the decryption process happens faster compared to other modes. Since the blocks are not chained and dependent upon each other, the individual message blocks can be independently recovered if necessary. Encryption modes that chain the blocks together do not allow for independent recovery—if one block gets corrupted, subsequent blocks become irrecoverable. For these reasons, CTR is most commonly used in newer versions of protocols such as IPSec and in technologies such as Wi-Fi. CTR mode is used when data within multiple packets needs to be transmitted between two systems over a network connection; thus, it is used by networking protocols. Other block modes, such as Electronic Code Book, are most often used within applications, not protocols.

A is incorrect because Electronic Code Book (ECB) is not being represented in the graphic and this mode is not used for the stated reason of requiring unique keys per block. ECB mode is commonly used when a small amount of data (e.g., PIN value) needs to be encrypted. CTR mode is used when larger amounts of data need to be encrypted (e.g., e-mail, document) and transmitted over a network. CTR uses incremental counters, as shown in the top of the graphic (00000000, 00000001, 00000002). These counter values are used in conjunction with a key to carry out encryption and decryption. ECB does not use any counter values because the amount of data that is being encrypted is smaller and not optimized for network-based transmission.

C is incorrect because Cipher Block Chaining (CBC) mode is not being represented in the graphic and the stated use case for CBC is not correct. CBC mode is used when large amounts of data need to be encrypted. The chaining effect adds more randomness to the encryption process because each block is used to encrypt the next block. (One block of bits is used to scramble the next block of bits to make it harder to reverse engineer.) CTR does not incorporate this chaining property; instead, it uses sequence counter values (1, 2, 3, etc.). The sequence counter values do not provide as much randomness as the chaining function, but these are used when data needs to be decrypted quickly. So CBC mode is commonly used within applications that will reside on one system, and CTR mode is used by protocols that need to transmit encrypted data to different nodes on a network.

D is incorrect because Output Feedback (OFB) mode is not being represented in the graphic and the stated use case for OFB is not correct. OFB mode is used when a block cipher needs to emulate a stream cipher. This means that an encryption algorithm (e.g., DES, AES) is being used to encrypt blocks of data one bit at a time (stream) instead of one block at a time. OFB mode is used when the amount of data that needs to be encrypted is small (e.g., 8 bits) and the data needs to be transmitted (e.g., synchronous link). While all of these modes might sound confusing, each exists for a specific purpose. ECB mode is used to encrypt small data sets, such as a PIN value on the magnetic strip of your credit card. CBC mode is used when encrypting items such as Word documents on your laptop. CTR mode is used when a transmission protocol such as VPN needs to transmit encrypted data over a network. OFB mode is used when data sets such as keystrokes need to be encrypted and transmitted to a back-end system.

When a programmer develops software that uses block algorithms, these modes are configurations for the algorithm and are passed into the block algorithm (e.g., AES) as parameters. This is how a developer “configures” an algorithm. For example, if a developer is using AES in a VPN, she would configure the algorithm to use CTR mode. If a developer is using AES to encrypt a PIN for a credit card, she would configure the algorithm to work in ECB mode.

61
Q

If Marge uses her private key to create a digital signature on a message she is sending to George, but she does not show or share her private key with George, what is it an example of? A. Key clustering B. Avoiding a birthday attack C. Providing data confidentiality D. Zero knowledge proof

A

D. Zero knowledge proof means that someone can tell you something without telling you more information than you need to know. In cryptography, it means proving that you have a specific key without sharing that key or showing it to anyone. A zero knowledge proof is an interactive method for one party to prove to another that a (usually mathematical) statement is true without revealing anything sensitive.

A is incorrect because key clustering is an instance when two different keys generate the same ciphertext from the same plaintext. This is caused by a logical flaw in an algorithm.

B is incorrect because if the algorithm does produce the same value for two distinctly different messages, this is called a collision. An attacker can attempt to force a collision, which is referred to as a birthday attack. This attack is based on the mathematical birthday paradox that exists in standard statistics. It is a cryptographic attack that exploits the mathematics behind the birthday problem in probability theory. This is not what is being addressed in the question.

C is incorrect because confidentiality provided through cryptography is usually in place when data is encrypted with a key. If the data is considered bulk data, then a symmetric key is used. Not showing others a private key keeps the private key secret, but this is not necessarily confidentiality.

62
Q

There are two main functions that Trusted Platform Modules (TPMs) carry out within systems today. Which of the following best describes these two functions? A. Sealing a hard disk drive is when the decryption key that can be used to decrypt data on the drive is stored on the TPM. Binding is when data pertaining to the system’s state is hashed and stored on the TPM. B. Binding a hard disk drive is when whole-disk encryption is enabled through the use of the TPM. Sealing is when a digital certificate is sealed within a TPM and the system cannot boot up without this certificate being validated. C. Sealing a hard disk drive is when whole-disk encryption is enabled through the use of the TPM. Binding is when a digital certificate is sealed within a TPM and the system cannot boot up without this certificate being validated. D. Binding a hard disk drive is when the decryption key that can be used to decrypt data on the drive is stored on the TPM. Sealing is when data pertaining to the system’s state is hashed and stored on the TPM.

A

D. The essence of the TPM lies in a protected and encapsulated microcontroller security chip that provides a safe haven for storing and processing security-intensive data such as keys, passwords, and digital certificates. “Binding” a hard disk drive is the most common usage scenario of the TPM—where the content of a given hard disk drive is affixed with a particular computing system. Another application of the TPM is “sealing” a system’s state to a particular hardware and software configuration.

A is incorrect because binding a hard disk drive is when the decryption key that can be used to decrypt data on the drive is stored on the TPM. Sealing is when data pertaining to the system’s state is hashed and stored on the TPM.

B is incorrect because binding a hard disk drive is when the decryption key that can be used to decrypt data on the drive is stored on the TPM. Sealing is when data pertaining to the system’s state is hashed and stored on the TPM. The content of the hard disk drive is encrypted, and the decryption key is stored away in the TPM chip. To ensure safe storage of the decryption key, it is further “wrapped” with another encryption key. Binding a hard disk drive makes its content basically inaccessible to other systems, and any attempt to retrieve the drive’s content by attaching it to another system will be very difficult.

C is incorrect because sealing a system is fairly straightforward. The TPM generates hash values based on the system’s configuration files and stores them. A sealed system will only be activated once the TPM verifies the integrity of the system’s configuration by comparing it with the original “sealing” value.

63
Q

Jack has been told that successful attacks have been taking place and data that have been encrypted by his company’s software systems have leaked to the company’s competitors. Through Jack’s investigation he has discovered that the lack of randomness in the seeding values used by the encryption algorithms in the company’s software exposed patterns and allowed for successful reverse engineering. Which of the following is most likely the item that is the root of the problem when it comes to the necessary randomness explained in the scenario? A. Asymmetric algorithm B. Out-of-band communication compromise C. Number generator D. Symmetric algorithm

A

C. A number generator is used to create a stream of random values and must be seeded by an initial value. This piece of software obtains its seeding value from some component within the computer system (time, CPU cycles, etc.). Although a computer system is complex, it is a predictable environment, so if the seeding value is predictable in any way, the resulting values created are not truly random, but pseudorandom. If the values from a number generator exhibit patterns and those patterns are recognizable during cryptographic processes, this weakness could allow an attacker to reverse-engineer the algorithm and gain access to confidential data.

A is incorrect because an asymmetric algorithm carries out cryptographic functions through the use of two different key types, public and private. This is also called public key cryptography. Components such as number generators can be used with asymmetric algorithms, but asymmetric algorithms are a class of algorithms and do not in themselves introduce randomness issues.

B is incorrect because out-of-band communication just means that communication data is being sent through a channel that is different from the one the encrypted data is traveling through. It does not have any direct correlation with randomness issues.

D is incorrect because a symmetric algorithm carries out cryptographic functions through the use of two instances of the same key. Components such as number generators can be used with symmetric algorithms, but symmetric algorithms are a class of algorithms and do not necessarily cause randomness issues.

64
Q

Jack has been told that successful attacks have been taking place and data that have been encrypted by his company’s software systems have leaked to the company’s competitors. Through Jack’s investigation he has discovered that the lack of randomness in the seeding values used by the encryption algorithms in the company’s software exposed patterns and allowed for successful reverse engineering. Which of the following best describes the role of the values that are allowing for the patterns described in the scenario? A. Initialization vector B. One-time password C. Master symmetric key D. Subkey

A

A. Initialization vectors (IVs) are random values that are used with algorithms to ensure patterns are not created during the encryption process. They are used with keys and do not need to be encrypted when being sent to the destination. If IVs are not used, then two identical plaintext values that are encrypted with the same key will create the same ciphertext. Providing attackers with these types of patterns can make their job easier in breaking the encryption method and uncovering the key. B is incorrect because a one-time pad is an encryption method created by Gilbert Vernam that is considered impossible to crack if carried out properly. A one-time pad uses a pad with random values that are XORed against the message to produce ciphertext. The pad is at least as long as the message itself and is used once and then discarded. This technology is not addressed in this scenario. C is incorrect because for complex keys to be generated, commonly a master key is created, and then symmetric keys are generated from it. For example, if an application is responsible for creating a session key for each subject that requests one, it should not be giving out the same instance of that one key. Different subjects need to have different symmetric keys to ensure that the window for the attack to capture and uncover that key is smaller than if the same key were to be used over and over again. When two or more keys are created from a master key, they are called subkeys. This is not a component of the randomness issue addressed in the scenario. D is incorrect because when two or more keys are created from a master key, they are called subkeys. This is not a component of the randomness issue addressed in the scenario.

65
Q

Sometimes when studying for an industry certification exam such as the CISSP, people do not fully appreciate that the concepts and technologies they need to learn to pass the test directly relate to real-world security issues. To reinforce how exam-oriented theoretical concepts directly relate to the practical world of security, choose the answer that best describes the Heartbleed SSL/TLS vulnerability, which is considered to be one of the most critical attack vectors in the history of the Internet. A. Digital certificates were stolen through a tunneled attack within the SSL and TLS protocols. B. Certificate authorities were compromised when their SSL and TLS connections were hijacked through the use of TCP hijacking sessions. C. Bounds checking was not implemented and allowed for sensitive data to be obtained by attackers from memory segments on web servers. D. Cross-site scripting was allowed to take place on web servers that ran a vulnerable version of Java.

A

C. OpenSSL implemented an SSL/TLS extension outlined by the IETF in RFC 6520 that allows a connection to remain active between two systems communicating over this security protocol. The way that OpenSSL implemented this extension allows the sending system to request data that it is not authorized to access, such as web server private keys. When an attacker obtains a web server’s private key, this circumvents all of the security provided by the public key infrastructure (PKI) environment that the SSL/TLS protocol is based upon. The point is that if you do not really understand how a PKI works, how private and public keys work, the role of digital certificates in security protocols such as SSL/TLS, bounds checking, and buffer over-reads, you won’t understand straightforward vulnerabilities such as Heartbleed. While you will not be asked about a specific vulnerability on the CISSP exam, you will be expected to understand all of the components and technologies involved that allow this vulnerability to be so dangerous and powerful. A is incorrect because this vulnerability did not involve the stealing of digital certificates, and there is actually no security issue involved with digital certificates being “stolen.” Digital certificates commonly reside in open and accessible directories and are shared between entities that participate in a PKI, so there is no threat of them being stolen. Digital certificates are created by certificate authorities, which generate a hash and a digital signature on each individual digital certificate. This digital signature protects the integrity of the certificate and allows a receiver to detect if a certificate has been modified. It is the fact that each digital certificate is protected with a digital signature created by the originating certificate authority that allows us to store these certificates in locations that do not require controls against theft.
B is incorrect because this vulnerability does not have anything to do with a certificate authority being compromised, and TCP hijacking is not a successful way of compromising any SSL/TLS connection. TCP hijacking is an attack that takes advantage of the fact that TCP packet sequence numbers can be predicted, which allows an attacker to insert himself within an active TCP session, take over the connection, and use it for his nefarious purposes. SSL/TLS works at a higher level of the network stack than TCP, and the hijacking of a TCP session does not equate to compromising a secure connection using this security protocol. It is important to understand not only how attacks such as TCP hijacking take place, but also what attack types can and cannot accomplish. D is incorrect because the Heartbleed vulnerability does not have anything to do with cross-site scripting or Java. Rather, it is a vulnerability within the implementation of the SSL/TLS protocol. Cross-site scripting (XSS) is a vulnerability within a web application that allows an attacker to compromise the web application and then have the capability of injecting malicious client-side scripts into web pages viewed by potential victims. XSS relates to a vulnerability within a web app running on a web server, not the SSL/TLS protocol. As a security professional, it is important to understand where specific vulnerabilities reside and what they are able to accomplish. An XSS vulnerability cannot lead to the compromise that a Heartbleed attack can accomplish, and the Heartbleed vulnerability cannot accomplish the same outcome as an exploited XSS vulnerability.

66
Q

What type of exploited vulnerability allows more input than the program has allocated space to store it? A. Symbolic links B. File descriptors C. Kernel flaws D. Buffer overflows

A

D. Poor programming practices allow more input than the software has allocated space to store it. This overwrites data or program memory after the end of the allocated buffer, and sometimes it allows the attacker to inject program code and then cause the processor to execute it in what is called a buffer overflow. This gives the attacker the same level of access as that held by the software that was successfully attacked. If the program was run as an administrative user or by the system itself, this can mean complete access to the system. Good programming practice, automated source code scanners, enhanced programming libraries, and strongly typed languages that disallow buffer overflows are all ways of reducing this type of vulnerability. A is incorrect because a symbolic link is a stub file that redirects access to system files or data to another place. If an attacker can compromise the symbolic link, then the attacker may be able to gain unauthorized access. (Symbolic links are used in Unix- and Linux-type systems.) This may allow the attacker to damage important data and/or gain privileged access to the system. A historical example of this was to use a symbolic link to cause a program to delete a password database, or replace a line in the password database with characters that, in essence, created a password-less root-equivalent account. Programs, and especially scripts, must be written to ensure that the full path to the file cannot be circumvented. B is incorrect because file descriptors are exploited if a program makes unsafe use of a file descriptor and an attacker is able to cause unexpected input to be provided to the program, or cause output to go to an unexpected place with the privileges of the executing program. File descriptors are numbers many operating systems use to represent open files in a process. Certain file descriptor numbers are universal, meaning the same thing to all programs.
Good programming practices, automated source code scanners, and application security testing are all ways of reducing file descriptor attacks. C is incorrect because kernel flaws are problems that occur below the level of the user interface, deep inside the operating system. Flaws in the kernel that can be reached by an attacker, if exploitable, give the attacker the most powerful level of control over the system. It is important to ensure that security patches to operating systems, after sufficient testing, are promptly deployed in the environment to keep the window of vulnerability as small as possible.

67
Q

There are common cloud computing service models. __________________ usually requires companies to deploy their own operating systems, applications, and software onto the provided infrastructure. __________________ is the software environment that runs on top of the infrastructure. In the __________________ model the provider commonly gives the customers network-based access to a single copy of an application. A. Platform as a Service, Infrastructure as a Service, Software as a Service B. Platform as a Service, Platform as Software, Application as a Service C. Infrastructure as a Service, Application as a Service, Software as a Service D. Infrastructure as a Service, Platform as a Service, Software as a Service

A

D. The most common cloud service models are Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). A is incorrect because these items are not in the correct order. Infrastructure as a Service (IaaS) is when cloud providers offer the infrastructure environment of a traditional data center in an on-demand delivery method. Companies deploy their own operating systems, applications, and software onto this provided infrastructure and are responsible for maintaining them. B is incorrect because the most common cloud service models are Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). There are no models called Platform as Software or Application as a Service. These are distracters. Platform as a Service (PaaS) is when cloud providers deliver a computing platform, which can include an operating system, database, and web server as a holistic execution environment. Where IaaS is the “raw IT network,” PaaS is the software environment that runs on top of the IT network. C is incorrect because the most common cloud service models are Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). There is no model called Application as a Service. With Software as a Service (SaaS), the provider gives users access to specific application software (CRM, e-mail, games). The provider gives the customers network-based access to a single copy of an application created specifically for SaaS distribution and use.

68
Q

A company has decided that it no longer wants to maintain its own servers and network environment because of increasing costs and liabilities. The company wants to move to a cloud-based solution, but needs to determine which type of solution best fits its needs. Which of the following provides a correct definition and mapping of a typical cloud-based solution? A. Infrastructure as a Service is provided when a cloud provider delivers a computing platform that includes operating system, database, and web servers. B. Software as a Service is provided when a cloud provider delivers an infrastructure environment similar to a traditional data center. C. Platform as a Service is provided when a cloud provider delivers a computing platform that can include operating system, database, and web servers. D. Software as a Service is provided when a cloud provider delivers a software environment in the form of a computing platform.

A

C. Cloud computing is a general term that describes how network and server technology can be aggregated and virtualized and then partitioned to provide individual customers specific computing environments. This centralized aggregation and centralized control provides end users with on-demand self-service, broad access across multiple devices, resource pooling, rapid elasticity, and service metering capability. There are different types of cloud computing offerings. Platform as a Service (PaaS) is in place when a cloud provider delivers a computing platform, such as an operating system, database, and web server, as a holistic execution environment. Where Infrastructure as a Service (IaaS) is the “raw IT network,” PaaS is the software environment that runs on top of the IT network. A is incorrect because Infrastructure as a Service (IaaS) is in place when a cloud provider offers the infrastructure environment of a traditional data center in an on-demand delivery method. Companies deploy their own operating systems, applications, and software onto this provided infrastructure and are responsible for maintaining them. IaaS cloud solutions often include additional resources, such as storage, firewalls, VLANs, load balancing, and other traditional network functionality. B is incorrect because Software as a Service (SaaS) is in place when a cloud provider gives users access to specific application software (CRM, e-mail, games). The provider gives the customers network-based access to a specified number of copies of an application created specifically for SaaS distribution and use. In this type of offering, the cloud provider manages the infrastructure and platforms that the applications run within. Access to applications is commonly sold in an on-demand and subscription fee model. Cloud providers install and maintain the application, and end users access the software remotely from cloud clients.
Cloud end users do not manage the cloud infrastructure and platform where the application runs. D is incorrect because Software as a Service (SaaS) is in place when a cloud provider gives users access to specific application software (CRM, e-mail, games) as described earlier. Software applications that are offered through a cloud provider are commonly virtualized to allow them to be scalable to meet high demands and run times. If the company in the question has business requirements for commonly used applications, then SaaS might be the best solution. In this type of situation, each employee would be provided credentials to interact with an instance of the needed application, and the cloud provider would carry out all of the “behind the scenes” maintenance and operation responsibilities.

69
Q

Sally is carrying out a software analysis on her company’s proprietary application. She has found out that it is possible for an attacker to force an authorization step to take place before the authentication step is completed successfully. What type of issue would allow for this type of compromise to take place? A. Back door B. Maintenance hook C. Race condition D. Data validation error

A

C. A race condition is when processes carry out their tasks on a shared resource and there is a potential that the sequence is carried out in the wrong order. A race condition is possible when two or more processes use a shared resource, such as data within a variable. It is important that the processes carry out their functionality in the correct sequence. If process 2 carried out its task on the data before process 1, the result will be much different than if process 1 carried out its tasks on the data before process 2. If authentication and authorization steps are split into two functions, there is a possibility an attacker could use a race condition to force the authorization step to be completed before the authentication step. A is incorrect because a back door is a service that is available and “listening” on a specific port. Back doors are implemented by attackers so that they can gain easy access to compromised systems without having to authenticate as a regular system user. B is incorrect because a maintenance hook is specific software code that allows easy and unauthorized access to sensitive components of a software product. Software programmers commonly use maintenance hooks to allow them to get quick access to a product’s code so that fixes can be carried out, but this is dangerous. If an attacker uncovered this type of access, compromises could take place that would most likely not require authentication and would probably not be logged. D is incorrect because data validation errors do not commonly allow an attacker to manipulate process execution sequences. An attacker would enter invalid data through a specific interface, with the goal of having their code execute on the victim machine or carrying out a buffer overflow.