CISSP Concept review: SDLC phases
Match the development lifecycle characteristic to the stage.

Project initiation and planning: Document outlines project objectives, scope, strategies, estimate of cost and schedule. Management approval is based on the plan. Security is considered, with activities done in parallel with initiation activities and throughout the project.
Functional requirements definition: Comprehensive analysis of current and future functional requirements ensures that the new system will meet end-user needs; revisions to project documents; formalized security requirements.
System design specification: Designing the system and software, system architecture, system outputs and interfaces, data input, data flow, output requirements, and security features based on the overall security architecture for the company.
Development and implementation: Source code generated, test scenarios and test cases developed, unit and integration testing conducted, program and system documented for maintenance and turnover acceptance, code analyzed to eliminate vulnerabilities.
Documentation and common program controls: Controls used when editing the data within the program, logging, versioning, tests and integrity checks; program application, operating instructions, utilities, privileged functions, job and system documentation… (RunBook), parameter ranges, valid and legal address reference…
Testing and evaluation control, certification and accreditation: Data validation, bounds checking, sanitized test data, used to achieve acceptance; strives to uncover design and implementation flaws. Certification evaluates the security stance against a predetermined standard or policies. Management authorizes the software: provisional accreditation where some changes are required, or full accreditation where no changes are required.
Transition to production (implementation): The new system is transitioned to live production; security accreditation, training new users, implementing the system, installation and data conversion, parallel operations.
Operations and maintenance support, and revisions and system replacement: Security planning, procedures to avoid future problems, periodic application audits, documenting system failures, justifying system enhancements.
Match DES modes and IV requirement (match IV and DES modes to their use)

Initialization Vector (IV): Seed; ECB, CBC, CFB, OFB, CTR. Allows block ciphers to provide better confidentiality.
Electronic Code Book (ECB): Each block is encrypted independently - for non-repeats, >64 bits, DES key.
Cipher Block Chaining (CBC): Each block of data is XORed with the ciphertext of the preceding block before it is encrypted with the DES algorithm - XOR means "not the same".
Cipher Feedback (CFB): Real time; a stream cipher uses memory buffers of the same block size. When the buffer becomes full, it is encrypted and then sent to the recipient(s). Then the system waits for the next buffer to be filled as the new data is generated, before it is in turn encrypted and then transmitted. Other than the change from preexisting data to real-time data, CFB operates in the same fashion as CBC. It uses an IV and it uses chaining.
Output Feedback (OFB): The keystream is generated independently - DES XORs the plaintext with a seed value; there is no chaining function, and transmission errors do not propagate to affect the decryption of future blocks.
Counter (CTR): Formula: Encrypt(Base+N) keystream generator, where base <64 and N is an incrementing function. DES run in Counter (CTR) mode uses a stream cipher similar to that used in CFB and OFB modes. However, instead of creating the seed value for each encryption/decryption operation from the results of the previous seed values, it uses a simple counter that increments for each operation. As with OFB mode, errors do not propagate in CTR mode.

Match protocols and standards to OSI layer

Physical: 802.11 Wi-Fi standards, repeaters, hubs, coax; transmitting raw bits, circuit switching, multiplexing, modulation, repeaters, hubs.
Data Link: PPP, FDDI, ARP, CHAP, ISDN, LAPD, 802.1x NAC, EAP, EAPOL; responsible for media access control, flow control and error checking.
Network: ICMP, IPSec, NAT, RIP, IP, IGRP; packet forwarding including routing through intermediate routers; Distance Vector Multicast Routing Protocol, Shortest Path Bridging.
Transport: Host-to-host communication services for applications; UDP, TCP, SSL, TLS, SSH-2, RDP; connection-oriented data stream; multiplexing: ports provide multiple endpoints on a single node.
Session: RADIUS / TACACS, NFS, remote procedure calls (RPCs), full duplex or half duplex, Secure Sockets Layer (SSL) and Transport Layer Security (TLS).
Presentation: Syntax, data translator for the network, encryption, compression, JPEG, GIF, conversion of an EBCDIC-coded text file to an ASCII-coded file.
Application: HTTP, Telnet, TFTP, POP3, SET, SMTP.

Order the steps in a penetration test

1st: Gather business processes, scope, rules, etc.
2nd: Reconnaissance
3rd: Scanning - vulnerability assessment
4th: Exploitation
Final: Post-exploitation

Order the steps in the server-side exploitation process

1st: Perform reconnaissance
2nd: Network enumeration
3rd: Port scanning
4th: Determine version of OS and services
5th: Determine vulnerable service versions
Last: Exploit vulnerable services

Match benefit and requirement to firewall type

Static packet filtering (no knowledge other than the ACL, cannot trend, first generation): Quick packet inspection, yes or no - layer 3, 1st gen.
Stateful inspection (SI) (layer 4 firewall, third generation, relationship between current and previous packet): Puts the result in a state table, allows the session to persist - layer 4, 3rd gen.
Kernel proxy firewall (client to proxy, server to proxy - decreases performance, fifth generation): Two TCP connections allow traversing layers 3 to 7; integrates into the OS core to provide multiple levels of session evaluation.
Circuit-level gateway firewall (examines at layer 5, used to manage communication sessions): Virtual connection between host and destination, sits in the session layer ("SOCKS").
Application-level proxy (operates at layer 7, hides the origin of the packet, second generation; web application firewall): Examines all seven layers via proxy but is slow.
NGFW (replacing stateful; allows any IP out on port 80; unified threat management - packet AND stateful, filters malware using signatures, whitelists, blacklists, IDS/IPS): Looks at the layer 7 header to verify that port 80 is actually HTTP traffic.

Path or distance vector: Match routing protocol with classification (Interior or Exterior Gateway Protocol)

RIPv1 (legacy): IGP, distance vector, classful protocol
IGRP (legacy): IGP, distance vector, classful protocol developed by Cisco
RIPv2: IGP, distance vector, classless protocol
EIGRP: IGP, distance vector, classless protocol developed by Cisco
OSPF: IGP, link-state, classless protocol
IS-IS: IGP, link-state, classless protocol
BGP: EGP, path-vector, classless protocol
NIST or FIPS to identifier: Match NIST or FIPS reference ID to corresponding title

FIPS 199: Standard for Security Categorization of Federal Information and Information Systems
FIPS 200: Minimum Security Requirements for Federal Information and Information Systems
SP 800-18: Guide for Developing Security Plans for Federal Information and Information Systems
SP 800-30: Risk Management Guide for Information Technology Systems
SP 800-37: Guide for the Security Certification and Accreditation of Federal Information Systems
SP 800-53: Recommended Security Controls for Federal Information Systems
SP 800-53A: Guide for Assessing the Security Controls for Federal Information Systems
SP 800-55: Security Metrics Guide for Information Technology Systems

Incident handling order: Order the phases and match details in incident response

Phases: Preparation; Identification (Detect/Respond); Containment (Mitigation); Eradication (Mitigation & Reporting); Recovery (Recovery & Remediation); Lessons Learned; Continuous Preparation updates; Post Mortem Review.

Details to match:
Policy, management support, team selection, identify department, legal and law enforcement contacts (pre- and post-incident), emergency communication plans, password escrow, training, jump bags.
Criteria for an incident, notification, tracking, primary handler, initial clean backup of the system - ISC2 starts at "detect incident".
Don't make things worse: secure the area, multiple backups, system pulled off the network, change passwords - Respond and Containment.
Fix the problem, root cause determined, defenses improved, vulnerability analysis - Mitigate.
Validate the system to the new authorized configuration, do not restore compromised code, monitor to make sure the attacker cannot come back.
Report, post mortem, meetings, recommendations to management (what we learned), follow-ups.
Continuous updates to the DR plan, team management, development of checklists.
Incident response plan, information dissemination policy, incident reporting policy, audit trail policy, warning banner, need for additional personnel security controls.

RAID summary: Match RAID level to attributes

RAID Level 0: Striped set, no redundancy. Two or more disks; improves disk subsystem performance but does not provide fault tolerance.
RAID Level 1: Mirrored set, fully redundant. Two disks with the same data; one can recover for the other.
RAID Level 2: Obsolete; bit interleaved, Hamming code. Bit level, 32-39, 7 drives, not used.
RAID Level 3: Dedicated parity, byte-level striping.
RAID Level 4: Dedicated parity, block-level striping.
RAID Level 5: Distributed parity, block-level striping. Data and parity are interleaved on the same drive, but not the data and parity of the same source - striping with parity.
RAID Level 6: Double distributed parity, block-level striping. Data and parity are written on two drives instead of one, so losing multiple drives is still safe.

SEI CMMI maturity rating: Match properties of maturity to CMM level

Initial: Disorganized, no defined software development process.
Repeatable: Basic life cycle processes. Code reuse and repeatable results. Requirements management, software project planning, project tracking and oversight, subcontract management, quality assurance and configuration management exist.
Defined: Developers operate according to a set of formal, documented software development processes. Development takes place within the constraints of a standardized management model. The organization is process focused: training programs, integrated software management, PEER REVIEWS.
Managed: Quantitative measures are utilized to gain detailed understanding. Quantitative process management and quality management.
Optimized: Continuous improvement, sophisticated development process with feedback, defect prevention, technology change and process change management.

Order military data classifications: Match government classification to properties

Top Secret (Class 3): Exceptionally grave damage to national security
Secret (Class 2): Serious damage to national security
Confidential (Class 1): Damage to national security that can be identified and described
Unclassified (Class 0): No damage

Select symmetric ciphers
Options: AES, RSA, ECC, DES, IDEA, RC4, RC5, ElGamal, Blowfish and Twofish.

Preventive vs. detective technologies: Select all DETECTIVE technologies
Options: Anomaly detection (an alarm for strange system behavior), antivirus, application whitelisting, IDS, SIEM, NGFW, signature matching, protocol behavior.

Detective vs. preventive: Select all PREVENTIVE technologies
Options: Antivirus, application whitelisting, IPS, NGFW, packet filter, stateful inspection, web proxy, SIEM.

Select asymmetric ciphers
Asymmetric cryptography, or public-key cryptography, is cryptography in which a pair of keys is used to encrypt and decrypt a message so that it arrives securely.
Options: MD4 or MD5; RSA (factoring large numbers into their primes); ElGamal; ECC; Blowfish; AES; RC4; Diffie-Hellman.

Weak cryptographic or hash algorithms: Select ciphers or hash algorithms that should not be used today
Options: MD5, SHA-1, DES, ECC, SHA-256, RSA key size less than 2048 bits.

Match exploit name to exploited protocol

Exploit names: Bash Bug (ShellShock); WinShock; Heartbleed; POODLE (Padding Oracle On Downgraded Legacy Encryption); FREAK; CRIME; BEAST; Bar Mitzvah.

Exploited protocols and descriptions:
RC4 - does not require MITM; passive sniffing or eavesdropping; also vulnerable to MITM.
SSL 3.0 - enables MITM; must be disabled; was already replaced by TLS 1.0; only works while the victim is online and the attacker is near.
OpenSSL - missing bounds check during the TLS heartbeat; eavesdrop on web, email, IM, VPN; reads system memory to get the secret keys used to encrypt traffic, names, passwords, content.
*NIX OS - exploited via CGI; the attacker can tack malicious code onto the environment variable.
Factoring Attack on RSA-EXPORT - weak cipher suite.
SSLv3 / TLS 1.0 - browser reveals the session ID; JavaScript compares the block cipher message hash and deduces the IV out of CBC - steals the first block before the XOR.
TLS 1.0 and SPDY - Compression Ratio Info-Leak Mass Exploitation.
Schannel - remote code execution vulnerability.

The TCP header flag field values: Order the TCP header flag field values following CWR (Congestion Window Reduced) and ECE (ECN-Echo, Explicit Congestion Notification), which are no longer widely used

Flags: URG Urgent; ACK Acknowledgement; PSH Push; RST Reset; SYN Synchronization; FIN Finish.
Descriptions to match: 6 (0x06); Indicates urgent data; Acknowledges synchronization or; Indicates need to push data; Causes immediate disconnect of; Requests synchronization with; Requests graceful shutdown of; IP header protocol field value for TCP.

IP classes' default subnet masks: Assign class and CIDR equivalent

Masks and ranges: 255.0.0.0 (0.0.0.0 to 127.255.255.255); 255.255.0.0 (128.0.0.0 to 191.255.255.255); 255.255.255.0 (192.0.0.0 to 223.255.255.255); loopback address; 224.0.0.0 to 239.0.0.0; 240.0.0.0 to 255.0.0.0.
Classes: Class B, /16, first octet 128-191; Class A, /8, first octet 1-126; Class C, /24, first octet 192-223; Class A, 127.0.0.0; used for multicast addresses; reserved for research.

Attack types and their properties: Match behaviors to attack type

Smurf: ICMP packets with forged source and target addresses are sent to the local broadcast address, pointing to the victim as the source IP. All devices on the broadcast network respond to the spoofed ICMP ping packet, which floods the target. DoS.
Replay attacks: An offshoot of impersonation; eavesdropping on network traffic and attempting to reestablish a session by replaying captured traffic against a system. Prevented by using one-time authentication mechanisms and sequenced session identification.
Modification attacks: Captured packets are altered and then bypass authentication and session sequencing mechanisms; prevented by and session sequencing.
Address Resolution Protocol spoofing: ARP is a sub-protocol of the TCP/IP protocol suite, layer 3, that discovers the MAC address; it functions by broadcasting a request packet with the target IP address. Spoofing provides false MAC addresses for requested IP resolution.
DNS poisoning, spoofing, and hijacking: Poisoning attacks occur when an attacker alters the domain-name-to-IP-address mappings in a DNS system to redirect traffic to a rogue system or to simply perform a denial of service against a system. Spoofing occurs when an attacker sends false replies to a requesting system, beating the real reply from the valid DNS server.

Matching Unshielded Twisted Pair (UTP) cable to CAT level and attributes: Match UTP cable attributes to UTP category

CAT1: ≤ 1 Mbps, any length, old telephone cable; ISDN and PSTN services.
CAT2: ≤ 4 Mbps, any length, Token Ring networks.
CAT3: ≤ 10 Mbps, 100 meters, Token Ring and 10Base-T Ethernet.
CAT4: ≤ 16 Mbps, 100 m, Token Ring networks.
CAT5: ≤ 100 Mbps, 100 m, Ethernet, Fast Ethernet, Token Ring.
CAT5e: ≤ 1 Gbps, 100 m, Ethernet, Fast Ethernet, Gigabit Ethernet.
CAT6 or 6a: ≤ 10 Gbps, 100 m, Gigabit Ethernet; 10G Ethernet at 55 meters.
CAT7: ≤ 10 Gbps, 100 m, Gigabit Ethernet; 10G Ethernet at 100 meters.
IEEE 802.11 standard methods for wireless clients: Match wireless properties to named protocol, standard or technology

Wired Equivalent Privacy (WEP): IEEE 802.11; provides the same level of security and encryption on wireless as on wired networks; prevents packet sniffing and eavesdropping. RC4-based, weak.
Wi-Fi Protected Access (WPA): Prior to 802.11i; based on the LEAP and TKIP cryptosystems; a single static passphrase is its downfall.
802.11i (WPA2): Counter Mode Cipher Block Chaining Message Authentication Code Protocol; strong.

Evidence lifecycle: Order the evidence lifecycle

1. Collection and identification
2. Analysis
3. Storage and preservation
4. Presentation
5. Return to victim
TCSEC levels of assurance for secure computer operations: Match levels of assurance with definitions from the Trusted Computer System Evaluation Criteria (TCSEC) or Information Technology Security Evaluation Criteria (ITSEC)

D: Minimal protection - reserved for systems that have been evaluated but do not meet the requirements to belong to any other category.
C1: Discretionary protection (Discretionary 1)
C2: Controlled access protection (Discretionary 2)
B1: Labeled security (Mandatory 1)
B2: Structured protection (Mandatory 2)
B3: Security domains (Mandatory 3)
A1: Verified protection - the highest level of security.

TCSEC categories: Match the category in TCSEC to its description and levels

Category A: Verified protection; phases in development are formally controlled, documented and evaluated; EXTREME security consciousness.
Category B: Mandatory; more granularity; Bell-LaPadula; security based on labels; the system grants access based on subject and object compared to permissions; no covert channels; operator and admin functions are separated.
Category C: Discretionary; some security controls, lacking formality and sophistication; weak protection; media cleansing and strict logon procedures must be enforced.
Category D: Minimal protection - reserved for systems that have been evaluated but do not meet the requirements to belong to any other category.

US government security modes for systems that process classified information: Match attributes to the correct US government security mode

Dedicated mode: Users have a clearance that permits access to all info, access approval for all info, and a valid need to know for all info processed by the system.
System high mode: Users have a clearance that permits access to all info, access approval for all info, and a valid need to know for some, but not necessarily all, info processed by the system.
Compartmented mode: Users have a valid security clearance that permits access to all information processed by the system, and access approval and a valid need to know for any information they will have access to on the system (granted by subject).
Multilevel mode: Some users do not have a valid security clearance for all information processed by the system; access is controlled by whether the subject's clearance level dominates the object's sensitivity label.

Port number: Match service to port

FTP: 21
SSH (Secure Shell): 22
Telnet: 23
SMTP (Simple Mail Transfer Protocol): 25
DNS: 53
HTTP: 80
POP3: 110
NTP: 123
Ports, more: Match service to port

HTTPS: 443
Microsoft SQL Server: 1433
Oracle: 1521
H.323 call signaling, multimedia transport: 1720
PPTP (Point-to-Point Tunneling Protocol): 1723
RDP (Remote Desktop Protocol): 3389

Match role attributes to role classification: Match responsibilities and behaviors with organization roles

Business owners: are responsible for ensuring systems provide value to the organization.
Data owner: assigns a security label to a resource; typically a high-level manager who is ultimately responsible for data protection.
Data controller: the entity that controls processing of the data and directs the data processor; under EU data protection law, the data processor is not a computing system or network.
Data processor: a natural or legal person which processes personal data solely on behalf of the data controller.
System owners: responsible for ensuring data processed on the system remains secure; identifying the highest level of data that the system processes; ensuring that the system is labeled accurately and that appropriate security
Data custodians: the user who is responsible for all activities necessary to provide adequate protection.
Senior manager: the person ultimately responsible for the security maintained by the organization; most concerned about protection of assets; signs off on all policy issues. In fact, all activities must be approved by and signed off on by the senior manager.
Auditor: responsible for reviewing and verifying that the security policy is enforced.

Match access control types to their attributes

Compensating: Provides various options to other existing controls to aid in enforcement and support of security policies. They can be any controls used in addition to, or in place of, another control. For example, an organizational policy may dictate that all PII must be encrypted.
Corrective: Modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred. It attempts to correct any problems that occurred as a result of a security incident. Corrective controls can be simple, such as terminating
Recovery: An extension of corrective controls, but with more advanced or complex abilities. Examples include backups and restores, fault-tolerant drive systems, system imaging, server clustering, antivirus software, and database or virtual machine shadowing.
Directive: Deployed to confine or control the actions of subjects to force or encourage compliance with security policies. Examples include security policy requirements or criteria, posted notifications, escape route exit signs, monitoring, supervision.
Deterrent: Deployed to discourage violation of security policies. Deterrent and preventive controls are similar, but deterrent controls often depend on individuals deciding not to take an unwanted action. In contrast, a preventive control actually blocks the action.

Matching logical operators: Pair the math to the concept

Formula to establish the number of needed symmetric keys: n*(n-1)/2
Formula for needed asymmetric keys: n*2
X ⊕ Y, XOR function (exclusive OR): Are they different? 0+1 is 1; 1+1 is 0.
AND (^): on + on is on; on + off is not on; two on or nothing.
OR (v): checks to see whether at least one of the
NOT (~): represented by the ∼ or ! symbol; simply reverses the value of an input.
Modulo function (%): Used in substitution ciphers; C = (P + 3) mod 26, where 26 is the offset for running past z, or the number of characters beyond the unit of division.
Study Exercises - CISSP Security Engineering Study
Security Engineering Study: concepts that need to be ordered for the correct answer; glossary reinforcement. Peer group contribution from Robin Basham, Managing Partner, EnterpriseGRC Solutions.

Data Sources
All slides are a summary of information directly located in the study sources for the CISSP or Cisco, Windows certified online TechNet training. The majority is directly summarized from CISSP® (ISC)2® Certified Information Systems Security Professional Official Study Guide, Seventh Edition.

CISSP Certified Information Systems Security Professional Study Guide, 7th Edition has been completely updated for the latest 2015 CISSP Body of Knowledge. This Sybex Study Guide covers 100% of all exam objectives. You'll prepare for the exam smarter and faster with Sybex thanks to expert content, real-world examples, advice on passing each section of the exam, access to the Sybex online interactive learning environment, and much more. Reinforce what you've learned with key topic exam essentials and chapter review questions. Coverage of all of the exam topics in the book means you'll be ready for Access Control, Application Development Security, Business Continuity and Disaster Recovery Planning, Cryptography, Information Security Governance and Risk Management, Legal, Regulations, Investigations and Compliance, Operations Security, Physical (Environmental) Security, Security Architecture and Design, and Telecommunications and Network Security.

MGT414: SANS Training Program for CISSP Certification (A04_3877)
The SANS Institute was established in 1989 as a cooperative research and education organization. Its programs now reach more than 165,000 security professionals around the world. A range of individuals from auditors and network administrators to chief information security officers are sharing the lessons they learn and are jointly finding solutions to the challenges they face. At the heart of SANS are the many security practitioners in varied global organizations, from corporations to universities, working together to help the entire information security community. SANS is the most trusted and by far the largest source for information security training and security certification in the world. It also develops, maintains, and makes available at no cost the largest collection of research documents about various aspects of information security, and it operates the Internet's early warning system - the Internet Storm Center.
lifecycle characteristic to the stage Match the development
lifecycle characteristic to the stage Characteristics of processes
Development lifecycle A.Project Initiation and planning
B.Functional requirements definition C.System design specification
D.Development and implementation E.Documentation and common program
controls ADocument outlines project objectives, scope, strategies,
estimate of cost and schedule. Management approval based on plan.
Security is considered, with activities done in parallel with
initiation activities and throughout project. BComprehensive
analysis of current/ future functional requirements ensure that new
system will meet end user needs, revisions to project documents,
formalized security requirements CDesigning the system and
software, system architecture, system outputs and interfaces, data
input, data flow, output requirements, security features based on
the overall security architecture for the company. DSource code
generated, test scenarios and test cases developed, unit and
integration testing conducted, program and system documented for
maintenance and turnover acceptance, code is analyzed to eliminate
vulnerabilities EControls used when editing the data within the
program, logging, versioning, tests and integrity checks program
application, operating instructions, utilities, privileged
functions, job and system documentation…(RunBook), parameter
ranges, valid & legal address reference… Correct - Click
anywhere to continue Incorrect - Click anywhere to continue You
answered this correctly! Your answer: The correct answer is: You
did not answer this question completely You must answer the
question before continuing Submit Clear F.Testing and evaluation
control certification and accreditation G.Transition to production
(implementation) H.Operations and maintenance support, AND,
Revisions and system replacement FData validation, bounds checking,
sanitized test data, used to achieve acceptance; strives to uncover
design and implementation flaws. Certification evaluates security
stance against predetermined standard or policies. Management
authorizes software. Provisional where some or full accreditation –
where no changes are required. GNew system is transitioned to live
production, security accreditation, training new users,
implementing system, installation and data conversion, parallel
operations HSecurity planning, procedures to avoid future problems,
periodic application audits, documenting system failures,
justifying system enhancements. <br> Match IV DES Modes and
their Use Match IV DES Modes and their Use Term Description A.Seed,
ECB, DBC, DFB, OFB, CTR, Allows block ciphers to provide better
confidentiality. B.Each block is encrypted independently - for non
repeats >64 bits, DES key C.Ciphertext from the previous block
of data is XORed with the block of ciphertext preceding before
encrypting with DES algorithm – XORed (not same) D.Real time, a
stream cipher uses memory buffers of the same block size, buffer
becomes full, it isencrypted and then sent to the recipient(s).
Then the system waits for the next buffer to be filled as the new
data is generated before it is in turn encrypted and then
transmitted. Other than the change from preexisting data to
real-time data, CFB operates in the same fashion as CBC. It uses an
IV and it uses chaining. E.Keystream is generated independently -
DES XORs the plain text with a seed value; there is no chaining
function and transmission errors do not propagate to affect the
decryption of future blocks F.Formula Encrypt (Base+N) keystream
generator where base <64 and N is incrementing function. DES
that is run in Counter (CTR) mode uses a stream cipher similar to
that used in CFB and OFB modes. However, instead of creating the
seed value for each encryption/decryption operation from the
results of the previous seed values, it uses a simple counter that
increments for each operation. As with OFB mode, errors do not
propagate in CTR mode. AInitialization Vector (IV) BElectronic Code
Book (ECB) CCypher Block Chaining (CBC) DCipher Feedback (CFB)
EOutput Feedback (OFB) FCounter (CTR) Correct - Click anywhere to
continue Incorrect - Click anywhere to continue You answered this
correctly! Your answer: The correct answer is: You did not answer
this question completely You must answer the question before
continuing Submit Clear <br> Match protocols and standards to
OSI layer Match protocols and standards to OSI layer Layer Protocol
or Device A.802.11 Wi-Fi standards, Repeaters, Hubs, Co-Ax;
transmitting raw bits, Circuit switching, Multiplexing, Modulation,
repeaters, hubs B.Radius \ TACACS, NFS, remote procedure calls
(RPCs), full duplex or half-duplex, Secure Sockets Layer (SSL) and
Transport Layer Security (TLS) C.ICMP, IPSec, NAT, RIP, IP, IGRP,
packet forwarding including routing through intermediate routers,
Distance Vector Multicast Routing Protocol, Shortest Path Bridging
D.Syntax, data translator for the network, Encryption, Compression,
JPEG, GIF, conversion of an EBCDIC-coded text computer file to an
ASCII-coded file E.Host-to-host communication services for
applications, UDP, TCP, SSL, TLS, SSH-2, RDP, connection-oriented
data stream; Multiplexing: Ports provide multiple endpoints on
single node F.PPP, FDDI, ARP, CHAP, ISDN, LAPD, 802.1x NAC, EAP,
EAPOL, is responsible for media access control, flow control and
error checking APhysical FData Link CNetwork ETransport BSession
DPresentation GApplication Correct - Click anywhere to continue
Incorrect - Click anywhere to continue You answered this correctly!
Your answer: The correct answer is: You did not answer this
question completely You must answer the question before continuing
Submit Clear G.HTTP, Telenet, TFTP, POP3, SET, SMTP Order the steps
in a Penetration test Order the steps in a Penetration test Steps
in Process Order A.1st B.2nd C.3rd D.4th E.Final AGather Business
Processes, Scope, Rules etc. BReconnaissance CScanning -
Vulnerability Assessment DExploitation EPost Exploitation Correct -
Click anywhere to continue Incorrect - Click anywhere to continue
You answered this correctly! Your answer: The correct answer is:
You did not answer this question completely You must answer the
question before continuing Submit Clear Order Steps in Server Side
Exploitation Process Order Steps in Server Side Exploitation
Process Step Order A.1st B.2nd C.3rd D.4th E.5th F.Last APerform
reconnaissance BNetwork enumeration CPort scanning DDetermine
version of OS and services EDetermine vulnerable service versions
FExploit vulnerable services Correct - Click anywhere to continue
Incorrect - Click anywhere to continue You answered this correctly!
Your answer: The correct answer is: You did not answer this
question completely You must answer the question before continuing
Match benefit and requirement to firewall type
Firewall Type:
A. Static Packet Filtering - no knowledge other than ACL, cannot trend, first generation
B. Stateful Inspection (SI) - layer 4 firewall, third generation, relationship between current and previous packet
C. Kernel Proxy Firewall - client to proxy, server to proxy; decreases performance, fifth generation
D. Circuit level gateway firewall - examines at layer 5, used to manage communication sessions
E. Application level Proxy - operates at layer 7, hides origin of packet, second generation (web application firewall)
F. NGFW - replacing Stateful, allows any IP out on port 80; unified threat management: packet AND stateful, filters malware using signatures, whitelists, blacklists, IDS/IPS
Benefit or Requirement:
A. Quick packet inspection, yes or no - layer 3, 1st gen
B. Puts result in state table, allows session to persist - layer 4, 3rd gen
C. Two TCP connections allow traversing layers 3 to 7; integrates into OS core to provide multiple levels of session evaluation
E. Examines all seven layers via proxy but is slow
D. Virtual connection between host and destination, sits in session layer ("SOCKS")
F. Looks at layer 7 header to verify that port 80 is actually HTTP traffic
Match Routing protocol with classification
Protocol Classification - Interior or Exterior Gateway Protocol:
A. IGP, distance vector, classful protocol
B. IGP, distance vector, classful protocol developed by Cisco
C. IGP, distance vector, classless protocol
D. IGP, distance vector, classless protocol developed by Cisco
E. IGP, link-state, classless protocol
F. IGP, link-state, classless protocol
G. EGP, path-vector, classless protocol
Routing Protocol:
A. RIPv1 (legacy)
B. IGRP (legacy)
C. RIPv2
D. EIGRP
E. OSPF
F. IS-IS
G. BGP
Match NIST or FIPS reference ID to corresponding title
Title:
A. Standard for Security Categorization of Federal Information and Information Systems
B. Minimum Security Requirements for Federal Information and Information Systems
C. Guide for Developing Security Plans for Federal Information and Information Systems
D. Risk Management Guide for Information Technology Systems
E. Guide for the Security Certification and Accreditation of Federal Information Systems
F. Recommended Security Controls for Federal Information Systems
G. Guide for Assessing the Security Controls for Federal Information Systems
H. Security Metrics Guide for Information Technology Systems
Classification/Identifier:
A. FIPS 199
B. FIPS 200
C. SP 800-18
D. SP 800-30
E. SP 800-37
F. SP 800-53
G. SP 800-53A
H. SP 800-55
Order the phases and match details in incident response
Details:
A. Policy, management support, team selection, identify department, legal and law enforcement contacts (pre and post incident), emergency communication plans, password escrow, training, jump bags.
B. Criteria for incident, notification, tracking, primary handler, initial clean backup of system. ISC2 starts at "detect incident".
C. Don't make things worse: secure area, multiple backups, system pulled off network, change passwords - Respond and Containment
D. Fix problem, root cause determined, defenses improved, vulnerability analysis - Mitigate
E. Validate system to new authorized configuration, do not restore compromised code, monitor to make sure the attacker does not come back
F. Report, post mortem, meetings, recommendations to management (what we learned), follow-ups
G. Continuous updates to DR plan, team management, development of checklists
H. Incident response plan, information dissemination policy, incident reporting policy, audit trail policy, warning banner, need for additional personnel security controls
Phase:
A. Preparation
B. Identification (Detect/Respond)
C. Containment (Mitigation)
D. Eradication (Mitigation & Reporting)
E. Recovery (Recovery & Remediation)
F. Lessons Learned
G. Continuous Preparation updates
H. Post Mortem Review
ISC2 phase to detail item: Detect - b, c; Respond - c; Mitigate - d; Report - e; Recover - e; Remediate - e; Lessons Learned - f

Match RAID Level to attributes
RAID Level:
A. RAID Level 0 - two or more disks; improves disk subsystem performance, but does not provide fault tolerance
B. RAID Level 1 - two disks with the same data; one can recover for the other
C. RAID Level 2 - bit level, 32-39, 7 drives, not used
D. RAID Level 3 - byte level
E. RAID Level 4 - block level
F. RAID Level 5 - data and parity interleaved on the same drive, but not the data and parity of the same source; striping with parity
G. RAID Level 6 - data and parity are written on two drives instead of one, so losing multiple drives is still safe
Attributes:
A. Striped set, no redundancy
B. Mirrored set, fully redundant
C. Obsolete, bit interleaved, Hamming code
D. Dedicated parity, byte-level striping
E. Dedicated parity, block-level striping
F. Distributed parity, block-level striping
G. Double distributed parity, block-level striping

RAID summary:
0 - Striping
1 - Mirroring
2 - Hamming code parity
3 - Byte level parity
4 - Block level parity
5 - Interleave parity
7 - Single virtual disk
10 - Striping and mirroring combined

Match properties of maturity to CMM level
Attributes of maturity level:
A. Disorganized, no defined software development process
B. Basic life cycle processes. Code reuse and repeatable results. Requirements management, software project planning, project tracking and oversight, subcontract management, quality assurance and configuration management exist.
C. Developers operate according to a set of formal, documented software development processes. Development takes place within the constraints of a standardized management model. Organization is process focused: training programs, integrated software management, PEER REVIEWS
D. Quantitative measures utilized to gain detailed understanding. Quantitative process management and quality management
E. Continuous improvement, sophisticated development process with feedback, defect prevention, technology change and process change management.
CMMI Level:
A. Initial
B. Repeatable
C. Defined
D. Managed
E. Optimized
Match Government classification to properties
Properties:
A. Exceptionally grave damage to national security
B. Serious damage to national security
C. Damage to national security that can be identified and described
D. No damage
Classification:
A. Top Secret (Class 3)
B. Secret (Class 2)
C. Confidential (Class 1)
D. Unclassified (Class 0)
Select Symmetric Ciphers
A) AES
B) RSA
C) ECC
D) DES
E) IDEA, RC4, RC5
F) ElGamal
G) Blowfish and Twofish
Select all DETECTIVE technologies
A detective access control is deployed to discover unwanted or unauthorized activity. Often detective controls are after-the-fact controls rather than real-time controls. Examples of detective access controls include security guards, guard dogs, motion detectors, recording and reviewing of events seen by security cameras or CCTV, job rotation, mandatory vacations, audit trails, intrusion detection systems, violation reports, honey pots, supervision and reviews of users, and incident investigations.
A) Anomaly Detection - an alarm for strange system behavior
B) Antivirus
C) Application Whitelisting
D) IDS
E) SIEM
F) NGFW
G) Signature Matching
H) Protocol Behavior

Select all PREVENTIVE technologies
A preventative access control is deployed to stop unwanted or unauthorized activity from occurring. Examples of preventative access controls include fences, locks, biometrics, mantraps, lighting, alarm systems, separation of duties, job rotation, data classification, penetration testing, access control methods, encryption, auditing, presence of security cameras or closed circuit television (CCTV), smart cards, callback, security policies, security awareness training, and antivirus software.
A) Antivirus
B) Application whitelisting
C) IPS
D) NGFW
E) Packet Filter
F) Stateful inspection
G) Web proxy
H) SIEM
Select: Asymmetric cryptography or public-key cryptography (cryptography in which a pair of keys is used to encrypt and decrypt a message so that it arrives securely)
A) MD4 or MD5
B) RSA - factoring large numbers into their primes
C) ElGamal
D) ECC
E) Blowfish
F) AES
G) RC4
H) Diffie-Hellman

Select ciphers or hash algorithms that should not be used today
A) MD5
B) SHA-1
C) DES
D) ECC
E) SHA-256
F) RSA key size less than 2048 bits
Match Exploit name to exploited protocol
Vulnerability:
A. RC4 - does not require MITM; passive sniffing or eavesdropping, also vulnerable to MITM
B. SSL 3.0 enables MITM - must be disabled, was already replaced by TLS 1.0; only works while the victim is online and the attacker is near
C. OpenSSL - missing bounds check during TLS heartbeat; eavesdrop on web, email, IM, VPN; reads system memory to get secret keys used to encrypt traffic, names, passwords, content.
D. *NIX OS, exploited via CGI; attacker can tack malicious code onto the environment variable
E. Factoring Attack on RSA-EXPORT - weak cipher suite, SSLv3
F. TLS 1.0 browser reveals session id; JavaScript compares block cipher message hash and deduces the IV out of CBC - steal first block before XOR
G. TLS 1.0 and SPDY Compression Ratio Info-Leak Mass Exploitation
H. Schannel - remote code execution vulnerability
Exploit:
D. Bash Bug (ShellShock)
H. WinShock
C. Heartbleed
B. POODLE (Padding Oracle On Downgraded Legacy Encryption)
E. FREAK
G. CRIME
F. BEAST
A. Bar Mitzvah

OCSP stapling vulnerability
When creating a handshake, the client could send an incorrectly formatted ClientHello message, leading to OpenSSL parsing more than the end of the message. Titled CVE-2011-0014, this affected all OpenSSL versions 0.9.8h to 0.9.8q and OpenSSL 1.0.0 to 1.0.0c. Since the parsing could lead to a read on an incorrect memory address, it was possible for the attacker to cause a DDOS. It was also possible that some applications expose the contents of parsed OCSP extensions, leading to an attacker being able to read the contents of memory that came after the ClientHello.

SSL, TLS and DTLS Plaintext Recovery Attack
In handling CBC cipher-suites in SSL, TLS, and DTLS, OpenSSL was found to be vulnerable to a timing attack which arises during the MAC processing. This was found by Nadhem Alfardan and Kenny Paterson, who published their findings on February 5, 2013, given the name CVE-2013-0169. All versions of OpenSSL were affected, and it was only partially mitigated by the use of the OpenSSL FIPS Object Module when the FIPS mode of operation is enabled.

Heartbleed
OpenSSL versions 1.0.1 through 1.0.1f had a severe memory handling bug in their implementation of the TLS Heartbeat Extension that could be used to reveal up to 64 KB of the application's memory with every heartbeat.[24][25] By reading the memory of the web server, attackers could access sensitive data, including the server's private key.[26] This could allow attackers to decode earlier eavesdropped communications if the encryption protocol used does not ensure Perfect Forward Secrecy. Knowledge of the private key could also allow an attacker to mount a man-in-the-middle attack against any future communications.[27] The vulnerability might also reveal unencrypted parts of other users' sensitive requests and responses, including session cookies and passwords, which might allow attackers to hijack the identity of another user of the service.[28]
At its disclosure on April 7, 2014, around 17% or half a million of the Internet's secure web servers certified by trusted authorities were believed to have been vulnerable to the attack.[29] However, Heartbleed can affect both the server and the client.

CCS Injection Vulnerability
Order TCP header flag field values following CWR (Congestion Window Reduced) and ECE (ECN-Echo, Explicit Congestion Notification), which are no longer widely used
Description and Order:
A. Indicates urgent data
B. Acknowledges synchronization or
C. Indicates need to push data
D. Causes immediate disconnect of
E. Requests synchronization with
F. Requests graceful shutdown of
G. IP header protocol field value for TCP
Flag and Name:
A. URG Urgent
B. ACK Acknowledgement
C. PSH Push
D. RST Reset
E. SYN Synchronization
F. FIN Finish
G. 6 (0x06)
Assign class and CIDR Equivalent
Class, CIDR Equivalent & decimal range of first octet:
A. Class B, /16, first octet 128-191
B. Class A, /8, first octet 1-126
C. Class C, /24, first octet 192-223
D. Class A, 127.0.0.0
Subnet Mask or IP range:
B. 255.0.0.0 (0.0.0.0 to 127.255.255.255)
A. 255.255.0.0 (128.0.0.0 to 191.255.255.255)
C. 255.255.255.0 (192.0.0.0 to 223.255.255.255)
D. Loopback Address

The following lists current private IP address ranges:
- 10.0.0.0-10.255.255.255 Class A network
- 172.16.0.0-172.31.255.255 Class B networks
- 192.168.0.0-192.168.255.255 Class C networks
E. Used for multicast addresses
F. Reserved for research
E. 224.0.0.0 to 239.0.0.0
F. 240.0.0.0 to 255.0.0.0

Match behaviors to attack type
Attack Properties:
A. ICMP packets with forged source and target address sent to the local broadcast, pointing to the victim as source IP. All devices on the broadcast network respond to the spoofed ICMP ping packet, which floods the target. DoS.
B. Offshoot of impersonation: eavesdropping on network traffic, then attempting to reestablish a session by replaying captured traffic against a system. Prevented by using one-time authentication mechanisms and sequenced session identification.
C. Captured packets are altered, then bypass authentication and session sequencing mechanisms; prevented by and session sequencing
D. Is a sub-protocol of the TCP/IP protocol suite, layer 3, discovers the MAC address; functions by broadcasting a request packet with the target IP address. Spoofing provides false MAC addresses for the requested IP
E. Resolution attacks occur when an attacker alters the domain-name-to-IP-address mappings in a DNS system to redirect traffic to a rogue system or to simply perform a denial-of-service against a system. Spoofing occurs when an attacker sends false replies to a requesting system, beating the real reply from the valid DNS server
Attack type:
A. Smurf
B. Replay Attacks
C. Modification Attacks
D. Address Resolution Protocol Spoofing
E. DNS Poisoning, Spoofing, and Hijacking
Match Unshielded Twisted Pair (UTP) cable attributes to UTP Category
UTP Categories - Copper Cable:
A. CAT1
B. CAT2
C. CAT3
D. CAT4
E. CAT5
F. CAT5e
G. CAT6 or 6a
H. CAT7
Unshielded Twisted Pair (UTP) cable:
A. ≤ 1 Mbps, any length, old telephone cable; ISDN and PSTN services.
B. ≤ 4 Mbps, any length, token ring networks
C. ≤ 10 Mbps, 100 meters, Token Ring & 10Base-T Ethernet
D. ≤ 16 Mbps, 100 m, Token Ring networks
E. ≤ 100 Mbps, 100 m, Ethernet, Fast Ethernet, Token Ring
F. ≤ 1 Gbps, 100 m, Ethernet, Fast Ethernet, Gigabit Ethernet
G. ≤ 10 Gbps, 100 m, Gigabit Ethernet; 10G Ethernet at 55 meters
H. ≤ 10 Gbps, 100 m, Gigabit Ethernet; 10G Ethernet at 100 meters
Match wireless properties to named protocol, standard or technology
Properties:
A. IEEE 802.11; provides the same level of security and encryption on wireless as on wired. Prevents packet sniffing and eavesdropping. (RC4), weak
B. Prior to 802.11i, based on the LEAP and TKIP cryptosystems; a single static passphrase is its downfall
C. Counter Mode Cipher Block Chaining Message Authentication Code Protocol, strong
Protocol, Standard or Technology:
A. Wired Equivalent Privacy (WEP)
B. Wi-Fi Protected Access (WPA)
C. 802.11i (WPA2)
Order the Evidence Lifecycle
Order:
A. 1
B. 2
C. 3
D. 4
E. 5
Evidence lifecycle step:
A. Collection and identification
B. Analysis
C. Storage and preservation
D. Presentation
E. Return to victim
Match levels of assurance with definitions from Trusted Computer System Evaluation Criteria (TCSEC) or Information Technology Security Evaluation Criteria (ITSEC)
Operational Assurance: system architecture, system integrity, covert channel analysis, trusted facility management, trusted recovery
Label Requirement:
A. Minimal Protection - reserved for systems that have been evaluated but do not meet requirements to belong to any other category.
B. Discretionary Protection (Discretionary 1)
C. Controlled Access Protection (Discretionary 2)
D. Labeled Security (Mandatory 1)
E. Structured Protection (Mandatory 2)
F. Security Domains (Mandatory 3)
G. Verified Protection - the highest level of security.
Level:
A. D
B. C1
C. C2
D. B1
E. B2
F. B3
G. A1
Discretionary Protection (Categories C1, C2)
Discretionary protection systems provide basic access control. Systems in this category do provide some security controls but are lacking in more sophisticated and stringent controls that address specific needs for secure systems. C1 and C2 systems provide basic controls and complete documentation for system installation and configuration.

Discretionary Security Protection (C1)
A discretionary security protection system controls access by user IDs and/or groups. Although there are some controls in place that limit object access, systems in this category provide only weak protection.

Controlled Access Protection (C2)
Controlled access protection systems are stronger than C1 systems. Users must be identified individually to gain access to objects. C2 systems must also enforce media cleansing. With media cleansing, any media that are reused by another user must first be thoroughly cleansed so that no remnant of the previous data remains available for inspection or use. Additionally, strict logon procedures must be enforced that restrict access for invalid or unauthorized users.

Mandatory Protection (Categories B1, B2, B3)
Mandatory protection systems provide more security controls than category C or D systems. More granularity of control is mandated, so security administrators can apply specific controls that allow only very limited sets of subject/object access. This category of systems is based on the Bell-LaPadula model. Mandatory access is based on security labels.

Labeled Security (B1)
In a labeled security system, each subject and each object has a security label. A B1 system grants access by matching up the subject and object labels and comparing their permission compatibility. B1 systems support sufficient security to house classified data.

Structured Protection (B2)
In addition to the requirement for security labels (as in B1 systems), B2 systems must ensure that no covert channels exist. Operator and administrator functions are separated, and process isolation is maintained. B2 systems are sufficient for classified data that requires more security functionality than a B1 system can deliver.

Security Domains (B3)
Security domain systems provide more secure functionality by further increasing the separation and isolation of unrelated processes. Administration functions are clearly defined and separate from functions available to other users. The focus of B3 systems shifts to simplicity to reduce any exposure to vulnerabilities in unused or extra code. The secure state of B3 systems must also be addressed during the initial boot process. B3 systems are difficult to attack successfully and provide sufficient secure controls for very sensitive or secret data.

Verified Protection (Category A1)
Verified protection systems are similar to B3 systems in the structure and controls they employ. The difference is in the development cycle. Each phase of the development cycle is controlled using formal methods. Each phase of the design is documented, evaluated, and verified before the next step is taken. This forces extreme security consciousness during all steps of development and deployment and is the only way to formally guarantee strong system security.

Match the Category in TCSEC to its description and levels
Category Description and associated levels:
A. Verified protection; phases in development formally controlled, documented, evaluated; EXTREME security consciousness
B. Mandatory; more granularity, Bell-LaPadula, security based on labels, system grants access based on subject and object compared to permissions, no covert channels, operator and admin functions are separated
C. Discretionary; some security controls, lacking formality & sophistication, weak protection, media cleansing, strict logon procedures must be enforced
D. Minimal protection - reserved for systems that have been evaluated but do not meet requirements to belong to any other category
Category:
A. Category A
B. Category B
C. Category C
D. Category D
Match attributes to the correct US government security mode
Mode:
A. Dedicated Mode
B. System High Mode
C. Compartmented Mode
D. Multilevel Mode
User attributes:
A. Has clearance that permits access to all info, access approval for all info, valid need to know for all info processed by the system
B. Has clearance that permits access to all info, access approval for all info, valid need to know for some, but not necessarily all, info processed by the system
C. Valid security clearance that permits access to all information processed by the system; access approval and valid need to know for any information they will have access to on the system (granted by subject)
D. Some users do not have a valid security clearance for all information processed by the system; access is controlled by whether the subject's clearance level dominates the object's sensitivity label.

The four security modes are distinguished by the security clearances required, need to know, and the ability to process data from multiple clearance levels (abbreviated PDMCL).

Match Service to Port
Port:
A. 21
B. 22
C. 23
D. 25
E. 53
F. 80
G. 110
H. 123
Service:
A. FTP
B. SSH Secure Shell
C. Telnet
D. SMTP Simple Mail Transfer Protocol
E. DNS
F. HTTP
G. POP3
H. NTP

Match service to port
Port:
A. 443
B. 1433
C. 1521
D. 1720
E. 1723
F. 3389
Service:
A. HTTPS
B. Microsoft SQL Server
C. Oracle
D. H.323 call signaling, multimedia transport
E. PPTP Point-to-Point Tunneling Protocol
F. RDP Remote Desktop Protocol
IPSec ESP/AH: 50 and 51. Well-known ports: 0 to 1023.

Match responsibilities and behaviors with organization roles
Responsibilities and behaviors:
A. Are responsible for ensuring systems provide value to the organization
B. Assign a security label to a resource; typically a high-level manager who is ultimately responsible for data protection.
C. The entity that controls processing of the data and directs the data processor; under EU Data Protection law, the data processor is not a computing system or network.
D. A natural or legal person which processes personal data solely on behalf of the data controller
E. Responsible for ensuring data processed on the system remains secure; identifying the highest level of data that the system processes; ensures that the system is labeled accurately and that appropriate security
F. User who is responsible for all activities necessary to provide adequate protection.
G. The person ultimately responsible for security maintained by the organization, most concerned about protection of assets, signs off on all policy issues. In fact, all activities must be approved by and signed off on by the
H. Responsible for reviewing and verifying that the security policy is enforced
Role type or classification:
A. Business Owner
B. Data Owner
C. Data Controller
D. Data Processor
E. System Owners
F. Data Custodians
G. Senior Manager
H. Auditor
Match Access Control types to their attributes
Access control properties:
A. Various options to other existing controls to aid in enforcement and support of security policies. They can be any controls used in addition to, or in place of, another control. For example, an organizational policy may dictate that all PII must be encrypted.
B. Modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred. It attempts to correct any problems that occurred as a result of a security incident. Corrective controls can be simple, such as terminating
C. An extension of corrective controls but with more advanced or complex abilities. Examples include backups and restores, fault tolerant drive systems, system imaging, server clustering, antivirus software, and database or virtual machine shadowing.
D. Access control deployed to confine or control the actions of subjects to force or encourage compliance with security policies. Examples include security policy requirements or criteria, posted notifications, escape route exit signs, monitoring, supervision
E. Is deployed to discourage violation of security policies. Deterrent and preventive controls are similar, but deterrent controls often depend on individuals deciding not to take an unwanted action. In contrast, a preventive control actually blocks the action.
Access Control Type:
A. Compensating
B. Corrective
C. Recovery
D. Directive
E. Deterrent
Pair the math to the concept
Steps or description:
A. n*(n-1)/2
B. n*2
C. Are they different: 0+1 is 1; 1+1 is 0
D. on + on is on; on + off is not on; two on or nothing
E. Checks to see whether at least one of the
F. Represented by the ~ or ! symbol; simply reverses the value of an input
G. Used in substitution cipher; C = (P + 3) mod 26, where 26 is the offset for running past z, or the number of characters beyond the unit of division
Formula:
A. Formula to establish the number of needed symmetric keys
B. Formula for needed asymmetric keys
C. X ⊕ Y XOR function; exclusive OR
D. AND ^
E. OR v
F. NOT ~
G. Modulo function %
Study Exercises - CISSP
Robin Basham, Founder, EnterpriseGRC Solutions

Professional Summary
A creative thought leader with exceptionally diversified skills spanning network, enterprise and cloud applications, business, data, and regulatory, with proven ability to drive security strategy and enterprise management through continuous integrated audit, secure configuration and business technology optimization. Enterprise ICT GRC and compliance expert and early adopter in both certifying and offering certification programs for Cloud and Virtualization, with industry experience including SaaS (IaaS and PaaS), Finance, Healthcare, Banking, and High Tech, is a “hands on executive” known for surprising depth across the entire technical and regulatory landscape.

Ellie Mae, Inc., Pleasanton, CA, May 2012 – October 2015
Director Enterprise Compliance (Reporting CIO & CSO), 2013 to 2015
GRC Consultant – EnterpriseGRC Solutions, May 2012 to May 2013
- Implemented robust enterprise GRC at zero software cost
- Led Integrated Audit and reduced consulting overhead in excess of 75%
- Built successful Enterprise Security & Compliance Program
- Delivered Security Program Information security management system (ISMS) and supporting Security Policy
- Collaborated with Internal Audit, CSO, CIO and CTO to set and achieve high business-driven security standards – examples PCI and ISO27001 Readiness Assessments, Continuous Controls Monitoring and Risk Reporting
- Produced Quarterly Executive Enterprise Risk Management reporting, monthly SaaS / Cloud Operations GRC Metrics, Internal Control Assessment supporting SOX, SOC2, FFIEC, ISO27001, FedRamp, NIST RMF, and continuous customer Due Diligence Requests
- Implemented enterprise Information Asset Management program

EnterpriseGRC Solutions, Inc., launched October 2011
Managing Partner, Founder, http://enterprisegrc.com
EnterpriseGRC Solutions achieved partnership with ITpreneurs, Ryma Technologies, named a channel partner to EMC, and named to the Cloud Credential Council. Prepared East Bay SaaS company for PCI and ISO27001 review, accomplished support to public sale of startup through SOC2 and Third Party Information Security Assessment process. Customers served: NetSuite, Ellie Mae, and Walmart by way of Inkiru purchase.

SOAProjects, Inc., July 2008 to September 2011
Senior Director, Enterprise Technology and GRC
- Launched practices for Cloud Security, Green Audit, BCP DR, Web Footprint Analysis, Automated Work Papers via SharePoint, Archer GRC and integrated Microsoft tools; facilitated corporate recognition in rising to ninth largest Accounting firm in Bay Area; implemented Hosted Exchange and Security for all information and communication
- BCP/DR guidance – multiple SaaS and telecoms, US & Canada
- Datacenter Information Security regulatory compliance review, multiple major telecoms, US & Canada
- Director, Process Transformation, Brocade Communications, resulting in successful integration and migration of Foundry systems and process for unified CRM and Technology Support Operations, 2010
- McKesson Enterprise GRC product development and implementation, Archer Platform and modules

Control Solutions International, 2005 to 2008
Director IT Regulatory and Compliance
Some clients served: Citistreet, CA, Adselas, Assurant, Haemonetics, Informa, Options Clearing Corporation, Sharp
- SOX ITGCC PM utilizing team of 10 consultants to achieve legally mandated remediation; design and implementation of ERM Application for Health Services and Publishing Services; SOC Type II preparation, Exposure Analysis Review (major bank), determination of lawsuit for poor performance by vendor in due care examination of systems
- Security Policy Program Implementation, Risk Program Management, Options Clearing Corporation

Phoenix Business & Systems Process, Inc., Needham, MA, 2002–2005
Managing Partner, Founder, Controls Assurance and IT Risk Management for Telecom, SaaS and Finance
Some clients served: Siemens Corporation, Raytheon, Financial Times Interactive Data, Journal Communications, Options Clearing Corporation, and Pershing; annual revenue 1 Million by years 2 and 3. Established strategy, tools, program, process architecture and audit evidence for more than a dozen Fortune 500 companies, 100% Big Four success rate.
- Facilitated compliance framework mapping PCI, CobiT, ISO/IEC 17799 and SAS 70 Type II requirements to all areas in documentation of key financial reporting processes
- Produced strategies for evaluation of security and internal control processes, recommendation for enhanced policy implemented globally by Raytheon and Siemens, cost savings of 11 Million in audit fees per client
- Developed and implemented compliance monitoring, tracking and reporting tools and incorporated new regulatory requirements into threat management and risk modelling

CTC Communications Corporation, Waltham, MA, 1998 to 2002
Manager Process Engineering, Manager Change Management (hired as INS: Network Services Engineer – converted)
- Network Operations Center Management, Provisioning Management, Security Management, POP/LAN Build Out and Operations Procedures
- Data Migration and Systems Integration, Network Management Architecture Team, OSS implementations, CIC integration automated trouble ticketing Remedy – reconcile Customer Network Services to Order and Revenue Collections
- Developer and implementation engineer for Integrated Access Device Configuration Management System, and Enterprise Change Management System, Process Development and Tracking System – three full applications delivered in Remedy and hybrid Unix Apache environment

State Street Bank, FMG, Boston, MA, 1997 to 1998
Systems Officer, Technology Operations Controls Program Owner for Y2K and FFIEC Audit Readiness, Support Operations
- SLAs across multiple trading floors, CMDB and DR plan for Financial Markets Group, Remedy Implementation
- IT Standardization Corporate Trust, Project Manager, Staff Profiles, Service Level Agreement Program Coordination
- Restructuring support organizations, reducing vendor dependency and cost

Select Instructor Experience
- Cloud Ready Professional (CRP) and Virtualization Ready Professional (VRP) Certification and Trainer Certification
- CISA, CRISC, CGEIT, Volunteer Instructor, ISACA Multiple Regions (continuous)
- ISACA LA Keynote: Governance in the Cloud
- IMA Palo Alto Speaker: The Next Great Outage – Business Recovery – Not so Virtual
- McKesson End User Security On Line Training, Content Implementation

Education
- Master of Information Technology – 2003, AIU, Chicago, IL, GPA 4.0 (inclusive CCNA, CCDA, Network+ Certification)
- Masters Education, Lesley College, Cambridge – 1989
- Bachelors Multicultural Education, University Massachusetts, Amherst, 1984 (inclusive 4 teaching licenses)
- Bachelors Science – Special Programs BDIC, University Massachusetts, Amherst, 1983

Select Professional Certifications
- CRP Cloud Ready Professional
- VRP Virtualization Ready Professional Master Trainer, 2012
- HISP Holistic Information Security Practitioner, 2012
- CRISC Certified in Risk and Information Systems Control, 2011
- ACC Archer Certified Consultant, 2010
- CGEIT Certification – 2008
- CISA Certification – 2005
- ITIL Foundations Certificate – 2004
- (Multiple Platforms: Oracle, SAP, Remedy, MetaSolv etc.)

Select Publications and Conference Speaking
- Interconnecting the Building Blocks of a Cyber Secure Ecosystem: Speaker, “Does Audit Make Us Secure? NIST Cybersecurity Framework to GRC” – ISACA SV Spring 2015
- Workday Rising, presenting “Identity Access Controls Automation using Workday, RemedyForce and Active Directory” – earned highest rated and attended session for Workday 2014
- OASIS International TC Open Architecture and IT Compliance 2005, http://www.oasis-open.org
- Co-creator, Holistic Information Security Practitioner Certification Training Guide

Board of Directors
- Conference Director, ISACA SV
- Education Director, HISPI Holistic Information Security Practitioner Institute, 2011 to 2014
- President & Education Director, ACGTA Association for Certified Green Technology Auditors; Director, Control Objectives for Sustainable Business, 2009 – 2011
- President, AWC Association for Women in Computing, 1997 – 2003
- CSA Cloud Security Alliance, Editor for CSA GRC Cloud Stack
- OMG Object Management Group, Advisory Board
- OASIS Open Architecture Standard Information Systems – Configuration Compliance TC founding member
- OCEG, technology council liaison to ISACA, Open Compliance Ethics Group

Graduate and Public Education (full resume available)
- 1985 – 1997 High School Teacher, Malden Public Schools; Lesley College, Professor, Master Program

Security Engineering Study Data Sources
Match
the development lifecycle characteristic to the stage
Match IV DES Modes and their Use
Match protocols and standards to OSI layer
Order the steps in a Penetration test
Order Steps in Server Side Exploitation Process
Match benefit and requirement to firewall type
Match Routing protocol with classification
Match NIST or FIPS reference ID to corresponding title
Order the phases and match details in incident response
Match Raid Level to attributes
Match properties of maturity to CMM level
Match Government classification to properties
Select Symmetric Ciphers
Select all DETECTIVE technologies
Select all PREVENTIVE technologies
Select: Asymmetric cryptography or public-key cryptography (cryptography in which a pair of keys are used to encrypt and decrypt a message so that it arrives securely)
Select ciphers or hash algorithms that should not be used today
Match Exploit name to exploited protocol

OCSP stapling vulnerability
When creating a handshake, the client could send an incorrectly formatted ClientHello message, leading to OpenSSL parsing past the end of the message. Titled CVE-2011-0014, this affected all OpenSSL versions 0.9.8h to 0.9.8q and OpenSSL 1.0.0 to 1.0.0c. Since the parsing could lead to a read on an incorrect memory address, it was possible for the attacker to cause a DDOS. It was also possible that some applications expose the contents of parsed OCSP extensions, leading to an attacker being able to read the contents of memory that came after the ClientHello.

SSL, TLS and DTLS Plaintext Recovery Attack
In handling CBC cipher-suites in SSL, TLS, and DTLS, OpenSSL was found to be vulnerable to a timing attack which arises during the MAC processing. This was found by Nadhem Alfardan and Kenny Paterson, who published their findings on February 5, 2013, given the name CVE-2013-0169. All versions of OpenSSL were affected, and it was only partially mitigated by the use of the OpenSSL FIPS Object Module with the FIPS mode of operation enabled.

Heartbleed
OpenSSL versions 1.0.1 through 1.0.1f had a severe memory handling bug in their implementation of the TLS Heartbeat Extension that could be used to reveal up to 64 KB of the application's memory with every heartbeat.[24][25] By reading the memory of the web server, attackers could access sensitive data, including the server's private key.[26] This could allow attackers to decode earlier eavesdropped communications if the encryption protocol used does not ensure Perfect Forward Secrecy. Knowledge of the private key could also allow an attacker to mount a man-in-the-middle attack against any future communications.[27] The vulnerability might also reveal unencrypted parts of other users' sensitive requests and responses, including session cookies and passwords, which might allow attackers to hijack the identity of another user of the service.[28]
At its disclosure on April 7, 2014, around 17% or half a million of the Internet's secure web servers certified by trusted authorities were believed to have been vulnerable to the attack.[29] However, Heartbleed can affect both the server and client.

CCS Injection Vulnerability
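The Heartbleed description above comes down to one missing comparison: the heartbeat handler copied as many bytes as the peer's payload_length field claimed and never checked that claim against the length of the record that actually arrived. The C program below is an added example, not OpenSSL's code, that models the two behaviours side by side on a constructed 256-byte arena standing in for process memory: hb_echo_unchecked trusts the declared length and so copies a planted, constructed secret that lies just past the end of the record, while hb_echo_checked applies the bounds check the fix introduced (header + declared payload + minimum padding must fit inside the received record) and drops the malformed message. All function names, the arena layout and the secret string are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_HEADER   3   /* type (1 byte) + payload_length (2 bytes, big-endian) */
#define HB_PADDING  16  /* minimum random padding a heartbeat must carry */

/* Returns 1 if needle occurs inside the first n bytes of buf, else 0. */
static int contains(const uint8_t *buf, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* Vulnerable pattern: trusts the peer-supplied payload_length and copies that
   many bytes without ever comparing it with the size of the record that
   actually arrived, so bytes beyond the record come from adjacent memory.
   The copy is capped at out_cap only so this demo stays inside its arena. */
static size_t hb_echo_unchecked(const uint8_t *rec, size_t rec_len,
                                uint8_t *out, size_t out_cap) {
    (void)rec_len;                                   /* never consulted: the bug */
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (payload_len > out_cap) payload_len = out_cap;
    memcpy(out, rec + HB_HEADER, payload_len);
    return payload_len;
}

/* Hardened pattern: header, declared payload and minimum padding must all fit
   inside the received record; otherwise the message is silently dropped.
   Returns 0 on success and -1 on rejection. */
static int hb_echo_checked(const uint8_t *rec, size_t rec_len,
                           uint8_t *out, size_t out_cap, size_t *copied) {
    if (rec_len < HB_HEADER + HB_PADDING) return -1;          /* too short to be valid */
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + payload_len + HB_PADDING > rec_len) return -1;  /* the missing check */
    if (payload_len > out_cap) return -1;
    memcpy(out, rec + HB_HEADER, payload_len);
    *copied = payload_len;
    return 0;
}

/* Constructed scenario: a 256-byte arena stands in for process memory. A
   23-byte heartbeat (4-byte payload "ping" + 16 bytes padding) sits at offset 0
   but declares a 64-byte payload; a constructed secret sits at offset 40, just
   past the record, as the leak target. */
#define ARENA_SIZE 256
#define RECORD_LEN (HB_HEADER + 4 + HB_PADDING)
static const char SECRET[] = "db_password=hunter2";   /* constructed value */

static void build_arena(uint8_t *arena) {
    memset(arena, 0x41, ARENA_SIZE);
    arena[0] = 1;                        /* heartbeat_request */
    arena[1] = 0x00; arena[2] = 0x40;    /* payload_length = 64, but only 4 bytes follow */
    memcpy(arena + HB_HEADER, "ping", 4);
    memset(arena + HB_HEADER + 4, 0x00, HB_PADDING);
    memcpy(arena + 40, SECRET, sizeof SECRET - 1);
}

/* 1 if the unchecked echo leaks the planted secret, 0 otherwise. */
int unchecked_leaks_secret(void) {
    uint8_t arena[ARENA_SIZE], out[ARENA_SIZE];
    build_arena(arena);
    size_t n = hb_echo_unchecked(arena, RECORD_LEN, out, sizeof out - HB_HEADER);
    return contains(out, n, SECRET);
}

/* 1 if the checked echo rejects the over-declared record, 0 otherwise. */
int checked_rejects_oversized(void) {
    uint8_t arena[ARENA_SIZE], out[ARENA_SIZE];
    build_arena(arena);
    size_t n = 0;
    return hb_echo_checked(arena, RECORD_LEN, out, sizeof out, &n) == -1 && n == 0;
}

/* 1 if an honestly-sized record echoes exactly its 4-byte payload. */
int checked_accepts_wellformed(void) {
    uint8_t arena[ARENA_SIZE], out[ARENA_SIZE];
    build_arena(arena);
    arena[2] = 0x04;                     /* honest payload_length = 4 */
    size_t n = 0;
    return hb_echo_checked(arena, RECORD_LEN, out, sizeof out, &n) == 0
        && n == 4 && memcmp(out, "ping", 4) == 0;
}

int main(void) {
    printf("unchecked echo leaks secret:      %d\n", unchecked_leaks_secret());
    printf("checked echo rejects oversized:   %d\n", checked_rejects_oversized());
    printf("checked echo accepts well-formed: %d\n", checked_accepts_wellformed());
    return 0;
}
```

The defensive lesson generalises beyond heartbeats: any length field supplied by the peer is attacker-controlled input, and the check belongs before the copy, expressed against the size of the buffer the data actually arrived in rather than against the field itself.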
Order TCP header flag field values following CWR Congestion Window Reduced, and ECE ECN-Echo (Explicit Congestion Notification), which are no longer widely used
Assign class and CIDR Equivalent
Match behaviors to attack type
Match Unshielded Twisted Pair (UTP) cable attributes to UTP Category
Match wireless properties to named protocol, standard or technology
Order the Evidence Lifecycle
Match levels of assurance with definitions from Trusted Computer System Evaluation Criteria (TCSEC) or Information Technology Security Evaluation Criteria (ITSEC)

Discretionary Protection (Categories C1, C2)
Discretionary protection systems provide basic access control. Systems in this category do provide some security controls but are lacking in more sophisticated and stringent controls that address specific needs for secure systems. C1 and C2 systems provide basic controls and complete documentation for system installation and configuration.

Discretionary Security Protection (C1)
A discretionary security protection system controls access by user IDs and/or groups. Although there are some controls in place that limit object access, systems in this category provide only weak protection.

Controlled Access Protection (C2)
Controlled access protection systems are stronger than C1 systems. Users must be identified individually to gain access to objects. C2 systems must also enforce media cleansing. With media cleansing, any media that are reused by another user must first be thoroughly cleansed so that no remnant of the previous data remains available for inspection or use. Additionally, strict logon procedures must be enforced that restrict access for invalid or unauthorized users.

Mandatory Protection (Categories B1, B2, B3)
Mandatory protection systems provide more security controls than category C or D systems. More granularity of control is mandated, so security administrators can apply specific controls that allow only very limited sets of subject/object access. This category of systems is based on the Bell-LaPadula model. Mandatory access is based on security labels.

Labeled Security (B1)
In a labeled security system, each subject and each object has a security label. A B1 system grants access by matching up the subject and object labels and comparing their permission compatibility. B1 systems support sufficient security to house classified data.

Structured Protection (B2)
In addition to the requirement for security labels (as in B1 systems), B2 systems must ensure that no covert channels exist. Operator and administrator functions are separated, and process isolation is maintained. B2 systems are sufficient for classified data that requires more security functionality than a B1 system can deliver.

Security Domains (B3)
Security domain systems provide more secure functionality by further increasing the separation and isolation of unrelated processes. Administration functions are clearly defined and separate from functions available to other users. The focus of B3 systems shifts to simplicity to reduce any exposure to vulnerabilities in unused or extra code. The secure state of B3 systems must also be addressed during the initial boot process. B3 systems are difficult to attack successfully and provide sufficient secure controls for very sensitive or secret data.

Verified Protection (Category A1)
Verified protection systems are similar to B3 systems in the structure and controls they employ. The difference is in the development cycle. Each phase of the development cycle is controlled using formal methods. Each phase of the design is documented, evaluated, and verified before the next step is taken. This forces extreme security consciousness during all steps of development and deployment and is the only way to formally guarantee strong system security.

Match the Category in TCSEC to its description and levels
Match attributes to the correct US government security mode
Match Service to Port
Match service to port
Match responsibilities and behaviors with organization roles
Match Access Control types to their attributes
Pair the math to the concept
CISSP Concept review
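The B-level descriptions above say that mandatory access is decided by comparing subject and object security labels under the Bell-LaPadula model. As an added example (not from the page, and not the code of any TCSEC-evaluated system), the C program below implements that comparison: a label is a hierarchical level plus a set of categories, one label dominates another when its level is at least as high and its category set is a superset, and both Bell-LaPadula rules follow from dominance: a subject may read an object only if the subject's label dominates the object's (no read up), and may write an object only if the object's label dominates the subject's (no write down). The level names, category names and sample labels are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Hierarchical sensitivity levels, lowest to highest (constructed ordering). */
typedef enum { UNCLASSIFIED = 0, CONFIDENTIAL = 1, SECRET = 2, TOP_SECRET = 3 } level_t;

/* Non-hierarchical compartments ("categories"), kept as a bit set. Constructed names. */
enum { CAT_CRYPTO = 1 << 0, CAT_NUCLEAR = 1 << 1, CAT_FINANCE = 1 << 2 };

/* A security label of the kind B1 and higher systems attach to every subject and object. */
typedef struct {
    level_t  level;
    uint32_t categories;
} label_t;

/* a dominates b when a's level is at least b's level AND a holds every category
   b holds. Two labels that fail in both directions are incomparable, which
   denies access in either direction. */
int dominates(label_t a, label_t b) {
    return a.level >= b.level && (b.categories & ~a.categories) == 0;
}

/* Simple security property ("no read up"): a read is allowed only if the
   subject's label dominates the object's label. */
int may_read(label_t subject, label_t object) {
    return dominates(subject, object);
}

/* *-property ("no write down"): a write is allowed only if the object's label
   dominates the subject's label, so information never flows to a lower or
   incomparable label. A subject may therefore write up but not read up. */
int may_write(label_t subject, label_t object) {
    return dominates(object, subject);
}

static void show(const char *what, int allowed) {
    printf("%-42s %s\n", what, allowed ? "allowed" : "denied");
}

int main(void) {
    /* Constructed labels for the walk-through. */
    label_t analyst = { SECRET,       CAT_CRYPTO | CAT_FINANCE };
    label_t memo    = { CONFIDENTIAL, CAT_FINANCE };
    label_t keyfile = { SECRET,       CAT_CRYPTO | CAT_NUCLEAR };
    label_t brief   = { TOP_SECRET,   CAT_CRYPTO | CAT_FINANCE | CAT_NUCLEAR };

    show("analyst reads CONFIDENTIAL/FINANCE memo",   may_read(analyst, memo));     /* allowed */
    show("analyst writes CONFIDENTIAL/FINANCE memo",  may_write(analyst, memo));    /* denied: write down */
    show("analyst reads SECRET/CRYPTO+NUCLEAR file",  may_read(analyst, keyfile));  /* denied: lacks NUCLEAR */
    show("analyst writes SECRET/CRYPTO+NUCLEAR file", may_write(analyst, keyfile)); /* denied: incomparable */
    show("analyst reads TOP_SECRET brief",            may_read(analyst, brief));    /* denied: read up */
    show("analyst writes TOP_SECRET brief",           may_write(analyst, brief));   /* allowed: write up */
    return 0;
}
```

The category bit set is what distinguishes B1-style labels from a plain level ordering: two SECRET labels with different compartments are incomparable, and the model denies both reads and writes between them rather than falling back to the level alone.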
DRAFT XSD for IMS Content Packaging version 1.1 DRAFT
Copyright (c) 2001 IMS GLC, Inc.
- 2000-04-21, T.D. Wason: Adjustments from CP 1.0.
- 2001-02-22, T.D. Wason: Modify for 2000-10-24 XML-Schema version. Modified to support extension.
- 2001-03-12, T.D. Wason: Change filename, target and meta-data namespaces and meta-data filename. Add meta-data to itemType, fileType and organizationType. Do not define namespaces for xml in XML instances generated from this xsd. Imports IMS meta-data xsd, lower case element names. This XSD provides a reference to the IMS meta-data root element as imsmd:record. If the IMS meta-data is to be used in the XML instance then the instance must define an IMS meta-data prefix with a namespace. The meta-data targetNamespace should be used.
- 2001-03-20, Thor Anderson: Remove manifestref, change resourceref back to identifierref, change manifest back to contained by manifest. --Tom Wason: manifest may contain _none_ or more manifests.
- 2001-04-13, Tom Wason: corrected attribute name structure. Was misnamed type.
- 2001-05-14, Schawn Thropp: Made all complexType extensible with the group.any. Added the anyAttribute to all complexTypes. Changed the href attribute on the fileType and resourceType to xsd:string. Changed the maxLength of the href, identifierref, parameters, structure attributes to match the Information model.
- 2001-07-25, Schawn Thropp: Changed the namespace for the Schema of Schemas to the 5/2/2001 W3C XML Schema Recommendation. attributeGroup attr.imsmd deleted, was not used anywhere. Any attribute declarations that have use="default" changed to use="optional" - attr.structure.req. Any attribute declarations that have value="somevalue" changed to default="somevalue", attr.structure.req (hierarchical). Removed references to IMS MD Version 1.1. Modified attribute group "attr.resourcetype.req" to change use from optional to required to match the information model. As a result the default value also needed to be removed. Name change for XSD. Changed to match version of CP Spec.
Inclusions and Imports. Attribute Declarations. Element groups. Any namespaced element from any namespace may be included within an "any" element. The namespace for the imported element must be defined in the instance, and the schema must be imported.
IMS meta-data 1.2 XML-Schema
- 2001-04-26, T.D. Wason: IMS meta-data 1.2 XML-Schema.
- 2001-06-07, S.E. Thropp: Changed the multiplicity on all elements to match the Final 1.2 Binding Specification. Changed all elements that use the langstringType to a multiplicity of 1 or more. Changed centity in the contribute element to have a multiplicity of 0 or more. Changed the requirement element to have a multiplicity of 0 or more.
- 2001-07-25, Schawn Thropp: Updates to bring the XSD up to speed with the W3C XML Schema Recommendation. The following changes were made: Change the namespace to reference the 5/2/2001 W3C XML Schema Recommendation; the base type for the durtimeType, simpleType, was changed from timeDuration to duration. Any attribute declarations that have use="default" had to change to use="optional" - attr.type. Any attribute declarations that have value="somevalue" had to change to default="somevalue" - attr.type (URI).
- 2001-09-04, Schawn Thropp: Changed the targetNamespace and namespace of schema to reflect version change.
Any namespaced element from any namespace may be used for an "any" element. The namespace for the imported element must be defined in the instance, and the schema must be imported.
function sanitizeForbiddenHTMLTextChars(in_s) {
    var out_s = in_s.toString(); // We are sometimes called to sanitize non-strings...like document.location
    // Replace the four characters that would break out of an attribute value with their entities.
    // Note that '&' itself is not escaped by this routine.
    out_s = out_s.split("<").join("&lt;");
    out_s = out_s.split(">").join("&gt;");
    out_s = out_s.split("'").join("&#39;");
    out_s = out_s.split('"').join("&quot;");
    return out_s;
}

function removeExtraURLParams(in_s) {
    var inp = in_s.toString();
    var indexOfAmp = inp.indexOf("&");
    var outp = inp;
    if (indexOfAmp != -1) outp = inp.substring(0, indexOfAmp); // keep only the first query parameter
    return outp;
}

function showFlash(swf, w, h, loop) {
    var isMSIE = navigator.appName.indexOf("Microsoft") != -1;
    var s = '';
    var protocol = 'http'; // safe default
    var url = document.location.toString();
    var indexOfColon = url.indexOf(":");
    if (indexOfColon > 0) protocol = url.substring(0, indexOfColon);
    // Only http and https may be used for the codebase/pluginspage URLs; anything else falls back to https.
    if (protocol != 'http' && protocol != 'https') protocol = 'https';
    var location = document.location;
    location = (location == unescape(location)) ? escape(location) : location; // escape once, never twice
    s += '<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="' + protocol +
         '://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,65,0"' +
         ' width="' + w + '" height="' + h + '" id="SlideContent" align="" VIEWASTEXT>';
    s += '<param name="movie" value="' + sanitizeForbiddenHTMLTextChars(swf) + '" />';
    s += '<param name="menu" value="false" />';
    s += '<param name="quality" value="best" />';
    s += '<param name="loop" value="' + loop + '" />';
    s += '<param name="FlashVars" value="initialURL=' +
         removeExtraURLParams(sanitizeForbiddenHTMLTextChars(location)) +
         '&isMSIE=' + isMSIE + '&useBSM=false" />';
    s += '<param name="allowScriptAccess" value="sameDomain"/>';
    s += '<embed src="' + sanitizeForbiddenHTMLTextChars(swf) + '" FlashVars="initialURL=' +
         removeExtraURLParams(sanitizeForbiddenHTMLTextChars(location)) +
         '&isMSIE=' + isMSIE + '&useBSM=false" menu="false" quality="best"' +
         ' width="' + w + '" height="' + h + '" loop="' + loop + '" name="SlideContent" align=""' +
         ' type="application/x-shockwave-flash" pluginspage="' + protocol +
         '://www.macromedia.com/go/getflashplayer" swLiveConnect="true" allowScriptAccess="sameDomain"></embed>';
    s += '</object>';
    // in theory, we should always embed in a table, but in practice, IE6 malfunctions
    // when width