Polyinstantiation allows different records to
exist in the same table at various security levels.
Database models can be relational, using
) and tuples (rows); hierarchical, combining
records and fields in a logical tree structure; or distributed,
storing information in more than one database.
The system life cycle includes the following
stages: project initiation, functional design and planning, system
design, functional review, software development, product
installation, operation and maintenance, and disposal and
Operational security can be enhanced by
implementing good employee controls, such as new hire orientation,
, job rotation, least privilege, and mandatory
Penetration testing is the process of evaluating
the organization's security measures. These tests can be performed
in a number of ways, including internal, external, whitebox
Clipping levels are the thresholds implemented
for certain types of errors or mistakes that are allowed without
BUSINESS CONTINUITY PLANNING
The Business Continuity Planning (BCP) process as defined by ISC2 has the following five steps:
Project management and initiation
Business impact analysis (BIA)
Plan design and development
Testing, maintenance, awareness, and training
The BIA is the second step of the BCP process. Its role is to describe what impact a disaster would have on business operations.
BCP testing includes
— Copies of the plan are sent to different department managers and business unit managers for review.
— Members of the emergency management team and business unit managers meet in conference to discuss the plan.
— Actual simulation of the real thing takes place.
— Operations of the new and old site can be run in parallel.
— A complete a test of the BCP plan is performed.
Data center backup
— An empty room with only rudimentary electrical, power, and computing capability
— Partially configured
— Ready to go and an expensive option
LAW, INVESTIGATIONS, AND ETHICS
The ISC2 code of ethics states that CISSPs will
Protect society, the commonwealth, and the infrastructure
Act honorably, honestly, justly, responsibly,
Provide diligent and competent service to
Advance and protect the profession
RFC 1087 states that the following activities
Seeking to gain unauthorized access to the
resources of the Internet
Disrupting the intended use of the Internet
Wasting resources (people, capacity, computer)
through such actions
Destroying the integrity of computer-based
Compromising the privacy of users
The Computer Ethics Institute lists the Ten
Commandments of Computer Ethics, which should also be reviewed
before the exam.
Two types of encryption algorithms exist: two-way and one-way functions. Two-way functions are used to
on plain text to encrypt it with the
of later operating on that cipher text in some way to decipher or decrypt it.
Two-way functions include symmetric and asymmetric algorithms.
Symmetric cryptography works by providing both parties the same key for encryption and decryption. It provides confidentiality and is hard to break. Its weakness is that the keys are subject to exposure and must be transmitted through a channel other than the message.
Data Encryption Standard (DES) is a block encryption algorithm that is based on IBM's 128-bit algorithm; 56 bits make up the key and 8 bits are used for parity. DES can be implemented in one of four modes:
Electronic Code Book (ECB)
— Native encryption mode that is used for small amounts of data. ECB is the weakest form of DES.
Cipher Block Chaining (CBC)
— Works by taking each data from the previous and applying it to the
Cipher Feedback Mode (CFB)
— Emulates a stream cipher and can be used when the encryption of individual
Output Feedback Mode (OFB)
— Also emulates a stream cipher and generates random binary bits that are combined with the plain text to create cipher text.
Asymmetric algorithms use two different keys. The advantage is that key distribution is easier. Asymmetric algorithms are not as fast as symmetric systems.
Asymmetric algorithms include Diffie-Hellman, El Gamal, and Elliptic Curve Cryptosystem algorithms.
Common hashing algorithms include MD2, MD4, MD5, HAVAL, and SHA-1.
A public key infrastructure (PKI) allows individuals using the Internet to obtain and share cryptographic keys from a trusted authority. The PKI consists of four basic
and is governed by the X.509 standards:
Certificate Authority (CA)
— Used to verify and issue digital certificates. The certificate includes the public key and information about it.
Registration Authority (RA)
— Verifies authenticity for the CA.
— Accepts certificates and distributes them to authorized parties.
— Responsible for the long-
storage of archived information distributed from the CA.