CISSP Domain 3 Practice Flashcards


Comprehensive practice flashcards covering Domain 3: Security Architecture and Engineering for the CISSP exam, including cloud models, security models, cryptography, and physical security.

Last updated 4:58 PM on 5/26/26

30 Terms

1

What are the three main properties mentioned in relation to security models?

Simple security property (rules for read), Star * security property (rules for write), and Invocation property (rules around calls to subjects).

2

According to secure design principles, how should components fail?

They should fail in a state that denies rather than grants access (fail securely).

3

What is the core assumption of the Zero Trust model regarding requests?

It assumes compromise/breach in verifying every request and that no entity is trusted by default.

4

How many principles of Privacy by Design are listed from the IAPP?

7 principles: Proactive not reactive, Privacy as the Default, Privacy embedded in design, Positive-sum approach, End-to-end data protection, Visibility and transparency, and User-centric privacy.

5

In the Shared Responsibility Model, who is responsible for the physical networking and servers in an IaaS environment?

The Cloud Service Provider (CSP).

6

How is Serverless (FaaS) different from PaaS in terms of scaling?

In Serverless, the application scales automatically and code only executes when invoked, whereas in PaaS, the application must be configured to auto-scale.

7

What is a Cloud Access Security Broker (CASB)?

A security policy enforcement solution that may be installed on-premises or in the cloud.

8

What effect does Grover’s algorithm have on shared key encryption?

It speeds up attacks to effectively halve the key length (e.g., a 256-bit key becomes as strong as a 128-bit key against a conventional computer).

9

Which specific public key algorithm type is considered "quantum resistant"?

LATTICE.

10

What is the difference between a Stream cipher and a Block cipher?

A stream cipher encrypts one digit/bit at a time using a keystream, while a block cipher applies a key and algorithm to a group of data (e.g., 64 bits) at once.

11

What are the four requirements for a one-time pad to be successful?

The key must be randomly generated, must be at least as long as the message, must be protected against physical disclosure, and must be used only once.

12

Define "Zero-knowledge proof."

A communication concept that enables one to prove knowledge of a fact to another individual without revealing the fact itself.

13

What is the "Work function" (or work factor) in cryptography?

A measure of the strength of a system by measuring the effort (time and/or cost) required to perform a complete brute-force attack.

14

What is the primary goal of the Bell-LaPadula security model?

Confidentiality, specifically for government/DoD multilevel security policies.

15

State the Simple security property and the Star * security property of Bell-LaPadula.

Simple security property: "no read up" (cannot read data at a higher classification). Star * security property: "no write down" (cannot write info to a lower classification).

16

What mnemonic is provided for the Bell-LaPadula properties?

"No Running Under Nets With Dingos."

17

What are the rules for the Biba security model?

"No read down" (Simple integrity property) and "no write up" (Star * integrity property).

18

What are the components of the Clark-Wilson "access control triple"?

Authenticated Principal (user), Programs (transformational procedures), and Data Items (UDIs and CDIs).

19

What is the purpose of the Brewer and Nash model (Chinese Wall)?

It was developed to prevent conflict of interest (COI) problems through a formal set of protection rules.

20

Differentiate between the Reference Monitor and the Security Kernel.

The Reference Monitor is the logical part of the TCB that confirms access rights; the Security Kernel is the collection of TCB components that implements the reference monitor functionality.

21

What are the two types of Covert Channels?

Covert timing channel and covert storage channel.

22

What is the role of a Trusted Platform Module (TPM)?

A chip on the motherboard that manages and stores keys for full disk encryption (FDE) and prevents data access if the drive is removed.

23

How do Single-state and Multistate processors differ?

Single-state processors operate at only one security level at a time, while multistate processors can simultaneously operate at multiple security levels.

24

What are the two subcategories of EPROM?

Ultraviolet EPROM (UVEPROM) and Electronically Erasable PROM (EEPROM).

25

What are the fire classes A, B, C, D, and K?

A: Common combustibles (Ash); B: Liquids (Boil); C: Electrical (Conductive); D: Metal (Dilythium/Burning metals); K: Kitchen (Grease/Oil).

26

What is the ideal humidity range for a computer facility?

40% - 60%. Too much humidity causes corrosion; too little causes static electricity.

27

Define the power issues: Blackout, Brownout, and Surge.

Blackout: Prolonged loss of power; Brownout: Prolonged low voltage; Surge: Prolonged high voltage.

28

What is the main difference between a Wet pipe and a Dry pipe fire suppression system?

Wet pipes are filled with water; dry pipes contain compressed air until the system is triggered, then they fill with water (often used where water may freeze).

29

What are the height requirements for fences to deter different types of intruders?

3-4 feet deters casual trespassers; 6-7 feet is too hard to climb easily; 8 feet (with barbed wire) deters intruders.

30

What are the three categories of fire detection systems?

Smoke sensing, flame sensing, and heat sensing.