CISSP Domain 3

# CISSP Domain 3 安全架構與工程 ## 3.1 - 使用安全設計原則研究、實施和管理工程流程 * Threat modeling * Least privilege * Defense in depth * Secure defaults * Fail securely * Segregation of Duties (SoD) * Keep it simple and small * Zero trust or trust but verify * Privacy by design * Shared responsibility * Secure access service edge ## 3.2 - 安全模型的基本概念 (e.g., Biba, Star Model, Bell-LaPadula) ### Biba：完整性;No write Up/No Read Down ### Bell-LaPadula: 機密性;No Read Up/No Write Down ### Clark-Wilson: 轉換程序 + 限制介面保完整性 ### Brewer-Nash: 動態控制（中國牆） ## 3.3 - 根據系統安全要求選擇控制措施 ## 3.4 - 資訊系統的安全功能（例如，記憶體保護、可信任平台模組 (TPM)、加密/解密） ### MDM * Mobile Device Management (MDM) products provide a consistent, centralized interface for applying security configuration settings to mobile devices. ## 3.5 - 評估並減輕安全架構、設計和解決方案元素的漏洞 Client-based systems Server-based systems Database systems Cryptographic systems Industrial Control Systems (ICS) Cloud-based systems (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS)) Distributed systems Internet of Things (IoT) Microservices (e.g., application programming interface (API)) Containerization Serverless Embedded systems High-Performance Computing systems Edge computing systems Virtualized systems ## 3.6 - 選擇並決定加密解決方案 ### 對稱式加密 * 區塊及串流 (block cipher and stream cipher) * 取代及換位 (Substitution and Permutation) * 作業模式 (Mode of Operations) => 區塊型加解密器 * 加解密速度快，適合大型文件 ### 非對稱式加密 * 數學理論：RSA用質因數，ElGamal用離散對數，ECC用楕圓曲線 * 量子電腦威脅及後量子密碼學 * 與對稱式加密搭配使用，除了補其不足外(金鑰交換)，還可以作數位簽章 * 加密速度慢，適合小型資料加密 ### 比較 * Cryptographic life cycle (e.g., keys, algorithm selection) Cryptographic methods (e.g., symmetric, asymmetric, elliptic curves, quantum) Public key infrastructure (PKI) (e.g., quantum key distribution) ## 3.7 - 密碼分析攻擊的方法 Brute force Ciphertext only Known plaintext Frequency analysis Chosen ciphertext Implementation attacks Side-channel Fault injection Timing Man-in-the-Middle (MITM) Pass the hash Kerberos exploitation Ransomware ## 3.8 - 將安全原則應用於場地和設施設計 ## 3.9 - 設計場地和設施安全控制 Wiring closets/intermediate distribution facilities Server rooms/data centers Media storage facilities Evidence storage Restricted and work area security Utilities and Heating, Ventilation, and Air Conditioning (HVAC) Environmental issues (e.g., natural disasters, man-made) Fire prevention, detection, and suppression Power (e.g., redundant, backup) ## 3.10 - 管理資訊系統生命週期 Stakeholders needs and requirements Requirements analysis Architectural design Development /implementation Integration Verification and validation Transition/deployment Operations and maintenance/sustainment Retirement/disposal ## Security models與安全理論 ### DAC(Discretionary Access Control)：完全控制 ### MAC(Mandatory Access Control):基於主體的clearance及客體的label來判斷 ### RBAC(Role Based Access Control):基於主體角色來決定是否授權存取客體 ### ABAC(Attribute Based Access Control)基於主體、客體及環境因素（位置、時間等）來決定是否授權 ### RUBAC(Rule Based Access Control)：基於IF/THEN條件滿足 ## 存取控制 (Clark-Wilson、Biba、Bella-Lapadula) The Brewer‐Nash model allows access controls to change dynamically based upon a user’s actions. It is often used in environments like Matthew’s to implement a “Chinese wall” between data belonging to different clients. ## 實體安全 ### 火災最早階段 Fires may be detected as early as the incipient stage. During this stage, air ionization takes place, and specialized incipient fire detection systems can identify these changes to provide early warning of a fire. ### 監視器 Closed‐circuit television (CCTV) systems act as a secondary verification mechanism for physical presence because they allow security officials to view the interior of the facility when a motion alarm sounds to determine the current occupants and their activities. ### 配線箱安全 * While it would be ideal to have wiring closets in a location where they are monitored by security staff, this is not feasible in most environments. Wiring closets must be distributed geographically in multiple locations across each building used by an organization. * 範例 * Do not store flammable items in the closet. * Use sensors on doors to log entries. * Perform regular inspections of the closet.  M of N控制 In an m of n control system, at least m of n possible escrow agents must collaborate to retrieve an encryption key from the escrow database. ## 雲端服務 ### 雲端3、4、5 * 3服務模式：IaaS、PaaS、SaaS * 4部署模式：公有雲、私有雲、混合雲、社群雲 * 5種特徵：寬頻網路存取、快速彈性伸縮、服務可量測、隨選所需服務、共用資源池 ### IaaS、PaaS、SaaS定義與責任雲端Email服務 This is an example of a vendor offering a fully functional application as a web‐based service. Therefore, it fits under the definition of software as a service (SaaS). In infrastructure as a service (IaaS), compute as a service (CaaS), and platform as a service (PaaS), the customer provides their own software. In this example, the vendor is providing the email software, so none of those choices is appropriate. ![image](https://hackmd.io/_uploads/Sklxvg6wex.png) ## 容器化與虛擬化 ![image](https://hackmd.io/_uploads/S1UfOeawle.png) ### 微服務（比較容器化與虛擬化） This is an example of a microservices architecture. Each of the component microservices performs a discrete task and then communicates with other microservices using APIs. This might be accomplished using function‐as‐a‐service (FaaS) cloud computing, containerization, and/or virtualization, but there is no indication whether those services are being used in the scenario. ![image](https://hackmd.io/_uploads/rJzIugpPel.png) ### 容器化 All of these terms accurately describe this use of technology. However, the use of Docker is best described as a containerization technology, so this is the best possible answer choice. Philip is developing a new security tool that will be used by individuals in many different subsidiaries of his organization. He chooses to use Docker to deploy the tool to simplify configuration. ### 無伺服器運算 Serverless(Function as a Service) Serverless服務廠商責任 In a serverless computing model, the vendor does not expose details of the operating system to its customers. Therefore, the vendor retains full responsibility for configuring it securely under the shared responsibility model of cloud computing. ![image](https://hackmd.io/_uploads/B1fSYepPxx.png) ### 數位簽章加密演算法 The Digital Signature Standard approves three encryption algorithms for use in digital signatures: the Rivest, Shamir, Adleman (RSA) algorithm; the Elliptic Curve DSA (ECDSA) algorithm, and the Edwards Curve Digital Signature Algorithm (EdDSA). HAVAL is a hash function, not an encryption algorithm. While hash functions are used as part of the digital signature process, they do not provide encryption. 主體subject與客體object In the subject/object model of access control, the user or process making the request for a resource is the subject of that request. In this example, Harry is requesting resource access and is, therefore, the subject. 事件調查處理原則 Michael should conduct his investigation, but there is a pressing business need to bring the website back online. The most reasonable course of action would be to take a snapshot of the compromised system and use the snapshot for the investigation, restoring the website to operation as quickly as possible while using the results of the investigation to improve the security of the site. 在安全環境測試程式（bounds、Confinement比較） Using a sandbox is an example of confinement, where the system restricts the access of a particular process to limit its ability to affect other processes running on the same system. 確信Assurance Assurance is the degree of confidence that an organization has that its security controls are correctly implemented. It must be continually monitored and reverified. 開發工程式最常埋的漏洞 Maintenance hooks, otherwise known as backdoors, provide developers with easy access to a system, bypassing normal security controls. If not removed prior to finalizing code, they pose a significant security vulnerability if an attacker discovers the maintenance hook. Simple Integrity Property簡單完整屬性 The Simple Integrity Property states that an individual may not read a file classified at a lower security level than the individual’s security clearance. *‐Security Property * - 安全屬性 The *‐Security Property states that an individual may not write to a file at a lower classification level than that of the individual. This is also known as the confinement property. *‐Integrity Property Sally has a Secret security clearance, and the file is classified Top Secret. The *‐Integrity Property states that a subject cannot modify an object at a higher integrity level than that possessed by the subject. SCADA Supervisory control and data acquisition (SCADA) systems are used to control and gather data from industrial processes. They are commonly found in power plants and other industrial environments. Supervisory Control and Data Acquisition systems, or SCADA systems, provide a graphical interface to monitor industrial control systems (ICS). Joanna should ask about access to her organization’s SCADA systems. TPM與TCB比較 The Trusted Platform Module (TPM) is a hardware security technique that stores an encryption key on a chip on the motherboard and prevents someone from accessing an encrypted drive by installing it in another computer. 驗證檔案完整性 Intentional collisions have been created with MD5, and a real‐world collision attack against SHA 1was announced in early 2017. 3DES is not a hashing tool, leaving SHA 256 (sometimes called SHA 2) as the only real choice that Chris has in this list. 非對稱式加密 1. Alice and Bob would like to use an asymmetric cryptosystem to communicate with each other. They are located in different parts of the country but have exchanged encryption keys by using digital certificates signed by a mutually trusted certificate authority. If Alice wants to send Bob a message that is encrypted for confidentiality, what key does she use to encrypt the message? In an asymmetric cryptosystem, the sender of a message encrypts the message using the recipient’s public key. The recipient may then decrypt that message using their own private key, which only they should possess. When Bob receives the message, he uses his own private key to decrypt it. Since he is the only one with his private key, he is the only one who should be able to decrypt it, thus preserving confidentiality. Each user retains their own private key as secret information. In this scenario, Bob would only have access to his own private key and would not have access to the private key of Alice or any other user. Alice creates the digital signature using her own private key. Then Bob, or any other user, can verify the digital signature using Alice’s public key. HASH加密＋鹽值＋彩虹表 The salt is a random value added to a password before it is hashed by the operating system. The salt is then stored in a password file with the hashed password. This increases the complexity of cryptanalytic attacks by negating the usefulness of attacks that use precomputed hash values, such as rainbow tables. Hash演算法 Hash functions do not include any element of secrecy and, therefore, do not require a cryptographic key. 灑水系統(wet pipe、Dry pipe、Preaction) A preaction fire suppression system activates in two steps. The pipes fill with water once the early signs of a fire are detected. The system does not dispense water until heat sensors on the sprinkler heads trigger the second phase. IPsec加密內文 The Encapsulating Security Payload (ESP) protocol provides confidentiality and integrity for packet contents. It encrypts packet payloads and provides limited authentication and protection against replay attacks. CIA The greatest risk when a device is lost or stolen is that sensitive data contained on the device will fall into the wrong hands. Confidentiality processes protect against this risk. Nonrepudiation is when the recipient of a message can prove the originator’s identity to a third party. Authentication is a means of proving one’s identity. Integrity demonstrates that information has not been modified since transmission. 金鑰交換演算法 The Diffie‐Hellman algorithm allows for the secure exchange of symmetric encryption keys over a public network. IDEA and RSA are encryption algorithms. MD5 is a hashing function. 最小權限原則 The principle of least privilege says that an employee should have only the minimum necessary privileges required to perform their jobs. Privilege creep indicates that an employee has accumulated permissions that they no longer require, indicating a violation of the least privilege principle. The trust but verify principle says that organizations should use auditing to ensure that control objectives are met. The fail securely principle says that security controls should default to a secure state in the event of a control failure. The keep it simple and secure principle says that security controls and other technologies should remain as simple as possible while still completing their objectives. 不適合拿來作為驗證使用 In a zero trust network architecture, access control decisions should never be made based upon a system’s location on the network. Therefore, an IP address should never be used and would be the least appropriate of these options. While the other options have differing levels of security (two‐factor authentication is clearly stronger than a password or biometrics alone), they do not violate the principles of a zero trust network architecture.  Privacy by Design While defense in depth is a strong security principle, it is not a component of Privacy by Design. The following are the seven principles of the Privacy by Design model: 1. Proactive, not reactive; preventative not remedial 2. Privacy as the default 3. Privacy embedded into design 4. Full functionality—positive‐sum, not zero‐sum 5. End‐to‐end life‐cycle protection 6. Visibility and transparency 7. Respect for user privacy  Kerckhoffs’ Kerckhoffs’ principle says that a cryptographic system should be secure even if everything about the system, except the key, is public knowledge.  Access control vestibule Access control vestibules use two sets of doors to control access to a facility. This may be used to prevent piggybacking by monitoring use of the vestibule to allow only a single individual to enter a facility at a time. They may also be used to allow manual inspection of individuals or perform other security screening. Access control vestibules are also commonly known as mantraps. SoD Segregation of duties The segregation of duties principle says that no employee should have permission to perform two tasks that, when combined, would pose a security risk. In this situation, an employee auditing their own work would create a conflict of interest, so Lana has implemented a segregation of duties. Two‐person control is closely related, but it requires that two different employees approve an action. If she required that two managers approve new accounts, that would be an example of two‐person control. 系統開發 The idea that systems should be designed to operate in a secure manner if the user performs no other configuration is the secure defaults principle. The idea that systems should be designed to fall back to a secure state if they experience an error is the fail securely principle. The idea that systems should be designed to incorporate security as a design feature is the security by design principle. The idea that systems should be designed in a manner that keeps their functionality as simple as possible is the keep it simple principle. EAL1驗證 EAL1 assurance applies when the system in question has been functionally tested. It is the lowest level of assurance under the Common Criteria. Isolation breach The system can be designed in a manner that protects the confidentiality, integrity, and availability of data. The research workstations included in the grid are from internal users, minimizing the risk of distributing the data. However, an isolation breach in the distributed computing client could be catastrophic, allowing someone who compromises the controller to assume control of every device in the organization. 存取控制清單（與RBAC差異在角色） Adam created a list of individual users who may access the file. This is an access control list, which consists of multiple access control entries. It includes the names of users, so it is not role‐based, and Adam was able to modify the list, so it is not mandatory access control. 緩衝區溢位預防的方法 Parameter checking, or input validation, is used to ensure that input provided by users to an application matches the expected parameters for the application. Developers may use parameter checking to ensure that input does not exceed the expected length, preventing a buffer overflow attack. 縱深防禦 The defense‐in‐depth principle suggests using multiple overlapping security controls to achieve the same control objective. Network and host firewalls are both designed to limit network traffic and therefore are an example of defense in depth. The encryption of email and network intrusion detection are unrelated controls and do not satisfy the same objective. The same is true for the combination of CASB and security awareness training and the combination of DLP and multifactor authentication. 同時處理不同等級資料 Multistate systems are certified to handle data from different security classifications simultaneously by implementing protection mechanisms that segregate data appropriately. Security Clearance安全等級 For systems running in System High mode, the user must have a valid security clearance for all information processed by the system, access approval for all information processed by the system, and a valid need to know for some, but not necessarily all, information processed by the system. Steganography隱寫術 Steganography is the art of using cryptographic techniques to embed secret messages within other content. Some steganographic algorithms work by making alterations to the least significant bits of the many bits that make up image files.   安全環 The kernel lies within the central ring, Ring 0. Conceptually, Ring 1 contains other operating system components. Ring 2 is used for drivers and protocols. User‐level programs and applications run at Ring 3. Rings 0 through 2 run in privileged mode, while Ring 3 runs in user mode. It is important to note that many modern operating systems do not fully implement this model. 基礎設施外包的資料刪除 In an infrastructure‐as‐a‐service environment, security duties follow a shared responsibility model. Since the vendor is responsible for managing the storage hardware, the vendor would retain responsibility for destroying or wiping drives as they are taken out of service. However, it is still the customer’s responsibility to validate that the vendor’s sanitization procedures meet their requirements prior to utilizing the vendor’s storage services. 發現金鑰放在S3 bucket外洩 The first thing Casey should do is notify her management, but after that, replacing the certificate and using proper key management practices with the new certificate’s key should be at the top of her list. 首要是Request a new certificate using a new key. 獨立第三方評估系統控制適當（比較Certification Verification Accreditation） The verification process is similar to the certification process in that it validates security controls. Verification may go a step further by involving a third‐party testing service and compiling results that may be trusted by many different organizations. Accreditation is the act of management formally accepting a system, not evaluating the system itself. MTTR MTTF RTO MTO The mean time to failure (MTTF) provides the average amount of time before a device of that particular specification fails. 非對稱密碼系統金鑰數2N Asymmetric cryptosystems use a pair of keys for each user. In this case, with 1,000 users, the system will require 2,000 keys. 499,500 would be the correct answer for a symmetric system. 不可否認 Nonrepudiation occurs when the recipient of a message is able to demonstrate to a third party that the message came from the purported sender. ![image](https://hackmd.io/_uploads/BJ39UN0Pgx.png) Proximity card、Magnetic stripe card、 The card shown in the image has a smart chip underneath the American flag. Therefore, it is an example of a smart card. This is the most secure type of identification card technology. Van Eck radiation phenomenon to remotely read the contents of computer monitors The TEMPEST program creates technology that is not susceptible to Van Eck phreaking attacks because it reduces or suppresses natural electromagnetic emanations. ### Golden ticket、Kerberoasting、Pass the ticket Golden ticket attacks use the hash of the Kerberos service account to create tickets in an Active Directory environment. Kerberoasting attacks rely on collected TGS tickets. Pass the ticket attacks rely on tickets harvested from the LSASS process. Brute‐force attacks depend on random guessing without any additional information. ### MD5 The MD5 hashing algorithm has known collisions and, as of 2005, is no longer considered secure for use in modern environments. The AES, PGP, and WPA3 algorithms are all still considered secure. ### Pass the hash The use of the Mimikatz tool is indicative of an attempt to capture user password hashes for use in a pass‐the‐hash attack against Microsoft Active Directory accounts. ### known plaintext attack In a known plaintext attack, the attacker has a copy of the encrypted message along with the plaintext message used to generate that ciphertext. In a chosen plaintext attack, the attacker has the ability to choose the plaintext to be encrypted. In a chosen ciphertext attack, the attacker can choose the ciphertext output. In a brute‐force attack, the attacker simply tries all possible key combinations. ### TOCTOU(time of check to time of use) In a time of check to time of use (TOCTOU) attack, the attacker exploits the difference in time between when a security control is verified and the data protected by the control is actually used. ### Edge Computing In this case, most cloud service models (including IaaS, SaaS, and serverless/FaaS) would require transmitting most information back to the cloud. The edge computing service model would be far more appropriate, as it places computing power at the sensor, minimizing the data that must be sent back to the cloud over limited connectivity network links. ### Disk Encryption Wear leveling is about writing to the disk evenly. Encrypting the data would protect against the disclosure of data on portions of the disk that have remnants due to too much wear and having been set aside as no longer usable. Disk formatting does not effectively remove data from any device. Degaussing is effective only for magnetic media. Physically destroying the drive would not permit reuse. ### Aggregation(Inference) In an aggregation attack, individual(s) use their access to specific pieces of information to piece together a larger picture that they are not authorized to access. ### White noise(Faraday cage) While all of the controls mentioned protect against unwanted electromagnetic emanations, only white noise is an active control. White noise generates false emanations that effectively “jam” the true emanations from electronic equipment. ### 雲端責任共享模型 In a software‐as‐a‐service environment, the customer has no access to any underlying infrastructure, so firewall management is a vendor responsibility under the cloud computing shared responsibility model. ### Grant Rule The grant rule allows a subject to grant rights that it possesses on an object to another subject. ### 重新安裝OS並補丁套用安全模版後依然連線C2 The system Charles is remediating may have a firmware or BIOS infection, with malware resident on the system board. While uncommon, this type of malware can be difficult to find and remove. Since he used original media, it is unlikely that the malware came from the software vendor. Charles wiped the system partition, and the system would have been rebooted before being rebuilt, thus clearing system memory. ### ASLR(address space layout randomization) Lauren has implemented address space layout randomization, a memory protection methodology that randomizes memory locations, which prevents attackers from using known address spaces and contiguous memory regions to execute code via overflow or stack smashing attacks. ### Transposition cipher(Substitution) This message was most likely encrypted with a transposition cipher. The use of a substitution cipher, a category that includes AES and 3DES, would change the frequency distribution so that it did not mirror that of the English language. This type of attack, where the attacker only has access to an encrypted message, is also known as a ciphertext‐only attack. ### PDP PEP In a zero trust network architecture, the policy engine is responsible for making policy decisions based upon rules and external data sources. It uses a trust algorithm to decide whether to grant, deny, or revoke access, considering factors like identity management, threat intelligence, and security information and event management (SIEM) data. The policy administrator, on the other hand, acts based on the decisions made by the policy engine, establishing or removing communication paths and managing session‐specific credentials. The policy enforcement point enforces these decisions by controlling access to resources based on instructions from the policy administrator. Lastly, the subject refers to users, services, or systems that request access or attempt to use rights and is not involved in decision‐making. ### 用戶可以安裝任何程式，但對已知惡意程式封鎖 The blacklisting approach to application control allows users to install any software they want except for packages specifically identified by the administrator as prohibited. This would be an appropriate approach in a scenario where users should be able to install any nonmalicious software they want to use. ### 中斷會發出告警 Heartbeat sensors send periodic status messages from the alarm system to the monitoring center. The monitoring center triggers an alarm if it does not receive a status message for a prolonged period of time, indicating that communications were disrupted. ### 零知識證明 ![image](https://hackmd.io/_uploads/rJYtuDD_xl.png) In a zero‐knowledge proof, one individual demonstrates to another that they can achieve a result that requires sensitive information without actually disclosing the sensitive information. ### iOS無法升級至安全版本 When operating system patches are no longer available for mobile devices, the best option is typically to retire or replace the device. Building isolated networks will not stop the device from being used for browsing or other purposes, which means it is likely to continue to be exposed to threats. Installing a firewall will not remediate the security flaws in the OS, although it may help somewhat. Finally, reinstalling the OS will not allow new updates or fix the root issue. ### 中間人攻擊 In a man‐in‐the‐middle attack, the attacker tricks the user into establishing a connection with the attacker. The attacker then establishes a connection to the legitimate server and relays communications between the two, eavesdropping on the contents. A meet‐in‐the‐middle attack is an attack against cryptographic algorithms that use multiple rounds of encryption. There is no indication in the scenario that the attacker used an exhaustive brute‐force attack or a specialized timing attack to achieve their goals. ### 數字簽章演算法 RSA Digital signatures are possible only when using an asymmetric encryption algorithm. Of the algorithms listed, only RSA is asymmetric and supports digital signature capabilities. ### OWASP Top 10 vs CVE The Open Worldwide Application Security Project (OWASP) produces an annual list of the top 10 web application security issues that developers and security professionals around the world rely upon for education and training purposes. The OWASP vulnerabilities form the basis for many web application security testing products. ### Bell‐LaPadula and Biba models The information flow model applies state machines to the flow of information. The Bell‐LaPadula model applies the information flow model to confidentiality, while the Biba model applies it to integrity. ### 大樓嵌入式系統有遠端登入漏洞，製造商已經不更新 The most reasonable choice presented is to move the devices to a secure and isolated network segment. This will allow the devices to continue to serve their intended function while preventing them from being compromised. All of the other scenarios either create major new costs or deprive her organization of the functionality that the devices were purchased to provide. ### 電磁場偵測中動作偵測 Capacitance motion detectors monitor the electromagnetic field in a monitored area, sensing disturbances that correspond to motion. ### IoT惡意程式 Mirai targeted “Internet of Things” devices, including routers, cameras, and DVRs. As organizations bring an increasing number of devices like these into their corporate networks, protecting both internal and external targets from insecure, infrequently updated, and often vulnerable IoT devices is increasingly important. ### Biba model The Biba model focuses only on protecting integrity and does not provide protection against confidentiality or availability threats. It also does not provide protection against covert channel attacks. The Biba model focuses on external threats and assumes that internal threats are addressed programmatically. ### Web與client間加密使用？ In TLS, both the server and the client communicate using an ephemeral symmetric session key. They generate this key using the Diffie‐Hellman key exchange algorithm and then communicate using it throughout the rest of the session. ### electromagnetic emanations A Faraday cage is a metal skin that prevents electromagnetic emanations from exiting. It is a rarely used technology because it is unwieldy and expensive, but it is quite effective at blocking unwanted electromagnetic radiation. ### hypervisor The hypervisor is responsible for coordinating access to physical hardware and enforcing isolation between different virtual machines running on the same physical platform. ### PaaS Cloud computing systems where the customer only provides application code for execution on a vendor‐supplied computing platform are examples of platform‐as‐a‐service (PaaS) computing. ### 備援系統 A well‐designed data center should have redundant systems and capabilities for each critical part of its infrastructure. That means that power, cooling, and network connectivity should all be redundant. Kim should determine how to ensure that a single system failure cannot take her data center offline. ### black out / power fault/ sag UPSs are designed to protect against short‐term power losses, such as power faults. When they conduct power conditioning, they are also able to protect against sags and noise. UPSs have limited‐life batteries and are not able to maintain continuous operating during a sustained blackout. ### 機房濕度 UPSs are designed to protect against short‐term power losses, such as power faults. When they conduct power conditioning, they are also able to protect against sags and noise. UPSs have limited‐life batteries and are not able to maintain continuous operating during a sustained blackout. ### 支付贖金 Payment of a ransom often results in the release of a decryption key, but this is not guaranteed by any means. There is also no link between the payment of a ransom and a future data breach, as an attacker may choose to release confidential information regardless of whether the ransom was paid. Depending upon applicable jurisdictions, payment of a ransom may be illegal under corrupt practices laws or embargoes against terrorist organizations. For example, the U.S. Office of Foreign Assets Control (OFAC) issued an advisory in 2020 stating that ransom payments may violate sanctions. Payment of a ransom may also cause attackers to consider the victim a “mark” and demand future payments in exchange for continued access to their data. ### DRM著作權管理 Alex can use digital rights management technology to limit use of the PDFs to paying customers. While DRM is rarely a perfect solution, in this case, it may fit his organization’s needs. EDM is electronic dance music, which his customers may appreciate but which won’t solve the problem. Encryption and digital signatures can help to keep the files secure and to prove who they came from but won’t solve the rights management issue Alex is tackling. ### 證物監管鏈 chain of custody Matt is helping to maintain the chain of custody documentation for his electronic evidence. This can be important if his organization needs to prove that the digital evidence they handled has not been tampered with. A better process would involve more than one person to ensure that no tampering was possible. ### CRL Certificate revocation list The certificate revocation list contains the serial numbers of digital certificates issued by a certificate authority that have later been revoked. ### Alison is examining a digital certificate presented to her by her bank’s website. Which one of the following requirements is not necessary for her to trust the digital certificate? The point of the digital certificate is to prove to Alison that the server belongs to the bank, so she does not need to have this trust in advance. To trust the certificate, she must verify the CA’s digital signature on the certificate, trust the CA, verify that the certificate is not listed on a CRL, and verify that the certificate contains the name of the bank. ### 隱匿通道 Covert channels use surreptitious communications’ paths. Covert timing channels alter the use of a resource in a measurable fashion to exfiltrate information. If a user types using a specific rhythm of Morse code, this is an example of a covert timing channel. Someone watching or listening to the keystrokes could receive a secret message with no trace of the message left in logs. ### 字簽憑證 Self‐signed digital certificates should be used only for internal‐facing applications, where the user base trusts the internally generated digital certificate. ### 使用乾冰冷凍加密器 In a fault injection attack, the attacker attempts to compromise the integrity of a cryptographic device by causing some type of external fault. For example, they might use high‐voltage electricity, high or low temperature, or other factors to cause a malfunction that undermines the security of the device. Side‐channel attacks seek to use information about system activity and retrieve information that is actively being encrypted. Brute‐force attacks attempt every possible valid combination for a key or password. In a timing attack, the attacker measures precisely how long cryptographic operations take to complete, gaining information about the cryptographic process that may be used to undermine its security. ### 存取控制模型 1. Clark‐Wilson: This model uses security labels to grant access to objects via transformation procedures and a restricted interface model.; 2. Bell‐LaPadula: This model blocks lower‐classified objects from accessing higher‐classified objects, thus ensuring confidentiality.; 3. Biba: The * property of this model can be summarized as “no write‐up.” 1. Time of check： The time at which the subject checks whether an object is available; 2. Covert channel： A method used to pass information over a path not normally used for communication; 3. Time of use： The time at which a subject can access an object; 4. Maintenance hooks： An access method known only to the developer of the system; 5. Parameter checking： A method that can help prevent buffer overflow attacks; 6. Race condition： The exploitation of the reliance of a system’s behavior on the sequence of events that occur externally