my (FREE) CISSP flashcards

I have used the below flashcards while preparing for the CISSP exam during fall 2018. Most of them are still relevant for the 2019 exam.


What are the responsibilities of the Security Professional?
Writes policies, implementer, has functional responsibility.

What do data flow paths facilitate?
The movement of data across trust boundaries.

The role which actually implements the protection of information is the…?
Data Custodian

What is the formula for calculating total risk?
Threats * Vulnerabilities * AV (* denotes combination rather than strict multiplication)

How is ALE calculated?

What does ALE stand for?
Annual Loss Expectancy

What is a Vital Records Program?
Identifying the set of records that would be required to rebuild the business in the event of a disaster.

Give the 5 sub-tasks which make up continuity planning?
1) Strategy development
2) Provisions and processes
3) Plan approval
4) Plan implementation
5) Training and Education

Risks in terms of BCP fall into 2 broad categories; what are they?
Natural and man-made.

What legislation requires that victims of data breaches (of healthcare information) are informed?
HITECH 2009.

What legislation requires federal agencies to implement an information security program?
Federal Information Security Management Act (FISMA) – this requirement also extends to contractors.

Give examples of what would constitute an offence under the Comprehensive Crime Control Act (CCA)?
Trafficking in passwords affecting interstate commerce
Damaging a federal computer (> $1000)

What is sanitization in basic terms?
The removal of data from a system.

Which classification system of data sensitivity would be used by an NGO (nongovernmental organization)?
Business system (Confidential/Private/Sensitive/Public).

What is the combination of clearing and degaussing otherwise known as?

What are the benefits of using asymmetric key cryptography?
Easy to revoke keys, easy to distribute keys, provides non-repudiation/integrity and authentication.

The substitution cipher/Vigenère cipher is vulnerable to what type of attack?
Period analysis.

Which form of symmetric cryptography includes both a pre and post whitening operation?

What takes place in a Chosen Cipher-text Attack?
Portions of the cipher-text can be decrypted and used to find the key.

What are the 2 ways to check if a certificate has been revoked?
Revocation lists (subject to latency) and Online Certificate Status Protocol (OCSP).

If an RSA key were 1088 bits long how long would the key need to be using Elliptic Curve to achieve the same level of security?

What are Protection Profiles and Security Targets?
Protection Profiles – the security requirements, the ‘I want’.
Security Targets – vendor claims, ‘I will provide’.

What are 4 major categories of TCSEC?
Cat A – Verified
Cat B – Mandatory
Cat C – Discretionary
Cat D – Minimal.

What are the 7 labels of TCSEC?
A1 – verified
B3 – security domains
B2 – structured
B1 – labeled
C2 – controlled access

What are 2 types of covert channel?
Timing channel – like Morse code.
Storage channel – a process is written to an area of memory from which it is then read out by another process.

Describe the different types of addressing used by the CPU?
Register addressing – onboard CPU memory.
Immediate – references data supplied as part of the instruction.

What are the 3 requirements before ‘security modes’ can be deployed?
1) Hierarchical MAC environment
2) Physical control over which subjects can access console
3) Physical control over which subjects 

What does an auxiliary alarm do?
Notifies emergency services.

What is the recommended distance between perimeter lights?
The gap between the lights should be equal to the radius of the light generated (thereby generating an overlap).

What is an electrical surge?
Prolonged high voltage.

What protocols/technologies are you likely to see at layer 3?

Which layers of the OSI model are equivalent to the ‘link’ layer of the TCP/IP model?
Physical and data link.

What is a hub and does it split the collision and/or broadcast domain?
Multiport repeater operating at OSI layer 1. Has the same broadcast and collision domains (does not separate them).

What superseded SSL and can operate at either the network or transport layer?

List the safeguards that can be used to protect against DoS attacks?
Firewalls/IDS, service provider filtering, disable echo replies, disable broadcasts, block spoofed packets, keep patches up to date, commercial DoS protection services.

What does IPSec ESP provide?
Encryption and limited authentication.

In biometrics what is a Type 1 Error?
A false negative – the correct user is not successfully identified.

What does password history avoid?
A user reusing a previous password or rotating between two.

In terms of biometric enrollment, what is the average maximum amount of time tolerated by users?
2 minutes.

The processors of graphics cards are often used in brute force attacks; why is this?
They are often faster.

Describe 3 types of MAC environment?
Hierarchical – e.g. Top Secret/Secret/etc,
Compartmentalized – users must be granted specific access,
Hybrid – combining requirement for relevant clearance and need-to-know.

What is phishing?
Social engineering attacks targeting sensitive information.

PCI DSS mandates a web application vulnerability scanning requirement; what is it?
That scans are conducted at least annually (or that specific extra firewalls are implemented).

What is TCP Connect scanning?
An attempt is made to open a full TCP connection with a port (this may be done where it’s not possible to complete a half-open scan).

What are the differences between security testing, assessments and audits?
Testing – verifies that controls are working properly,
Assessments – are a comprehensive review,
Audits – are done by an independent entity.

What is a SDN?
Software Defined Network – a virtualization solution to networking which removes the need for many complicated networking protocols and decouples the control plane from the data/forwarding plane.

What is a VSAN?
Virtual Storage Area Networks – a virtualized high speed storage network which can combine multiple storage devices.

What size must a packet be for a Ping of Death?
Greater than 64kb.

What are ‘audit trails’?
Records created when information about events are stored in log files.

What are Honeypots?
‘Dummy’ computers with vulnerabilities – ‘low hanging fruit’.

How long as a rule of thumb would it take to be operational at a ‘warm site’?
12 hours.

In a ‘full’ backup what data is copied and how is the archive bit left?
All data is copied and the archive bit is reset to 0.

What does RAID 5 provide and what is it otherwise known as?
‘Striping with Parity’ – uses 3 disks where one disk provides the parity. The system will operate slower if one disk fails.

What are 3 ways to seize evidence?
1) Voluntarily
2) Subpoena
3) Search warrant

List the different types of computer crime?
Military/intelligence – seeks sensitive intelligence,
Business – seeks business intelligence,
Financial – targets money or to obtain services without paying,

What are the 4 canons of (ISC)2’s code of ethics?
1) Protect society, the common good, necessary public trust and confidence and the infrastructure.
2) Act honorably, honestly, justly.

What are the 3 strands of DevOps?
Software development, operations and quality assurance.

What is NIDES?
Next-generation Intrusion Detection Expert System – an inference engine and knowledge base which uses logs from the system in question and notifies of apparent security incidents.

What does polymorphism allow an object to do in Object Oriented Programming?
Allows an object to respond with different behaviors to the same message dependent on differing external conditions.
