Welcome to Day 1

CISSP Certification Crash Course Day 1

Sari Greene
CISSP-ISSMP, CRISC, CISM, CISA

Sari Greene - Certifications

e: sari@sarigreenegroup.com t: @sari_greene
l: https://www.linkedin.com/in/sarigreene/
w: www.sarigreenegroup.com
Polling Question – Who are you?
o I’ve just begun studying for the CISSP exam.
o I am in the midst of studying for the CISSP exam.
o I am almost ready to take the CISSP exam.
o I am already a CISSP.
CISSP Crash Course Objectives
If you have just begun studying:
• Immersion into the eight (ISC)2 common body of knowledge (CBK) security domains.
If you are in the midst of studying:
• Assess your strengths and weaknesses and perhaps modify your study plan.
If you are almost ready to take your exam:
• Reinforce your knowledge and fill in some gaps.
If you are already a CISSP:
• Enhance your skillset.
Certification Exam Outline
This course is based on the April 2018 examination objectives.
Note: The exam is being refreshed on May 1, 2021.
• ISC2 CISSP Exam Outline available at https://www.isc2.org/Certifications/CISSP
• Number in the left-hand corner of each slide in this deck maps to an exam objective.
• Course slides are available in the “Resource List” window.
• This course is being recorded and will be available to you within 24-48 hours.
Comprehensive Study
This is a crash course and not a comprehensive course.
• My Complete CISSP 26+hr. Video Course (2nd Edition) covers in detail every 2018 exam objective.
• My Complete CISSP 28+hr. Video Course (3rd Edition) covers in detail every 2021 exam objective (to be published in Q2 2021).
Available to you on O’Reilly Media (SafariBooksOnline)!
CISSP Crash Course Outline
• Domain 1 Security & Risk Management (15%)
• Domain 2 Asset Security (10%)
• Domain 3 Security Architecture and Engineering (13%)
• Domain 4 Communication and Network Security (14%)
• Domain 5 Identity and Access Management (13%)
• Domain 6 Security Assessment and Testing (12%)
• Domain 7 Security Operations (13%)
• Domain 8 Software Development Security (10%)
• Study Strategies (Day 1)
• Preparing for the Exam (Day 2)
Day 1 Course Outline
• Domain 1 Security & Risk Management (15%)
• Domain 2 Asset Security (10%)
• Domain 3 Security Architecture and Engineering (13%)
• Study Strategies
**Five Assessment questions at the end of each domain**
Domain 1 Security & Risk Management
1.1 Understand and apply the concepts of confidentiality, integrity and availability
1.2 Evaluate and apply security governance principles
1.3 Determine compliance requirements
1.4 Understand legal and regulatory issues that pertain to information security in a global context
1.5 Understand, adhere to, and promote professional ethics
1.6 Develop, document, and implement policies, standards, procedures, and guidelines
1.7 Identify, analyze, and prioritize Business Continuity (BC) requirements
1.8 Contribute to and enforce personnel security policies and procedures
1.9 Understand and apply risk management concepts
1.10 Understand and apply threat modeling concepts and methodologies
1.11 Apply risk-based management concepts to the supply chain
1.12 Establish and maintain a security awareness, education, and training program
May 1, 2021 Changes
• Category Weight: Unchanged
• Objective Added or Moved: Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, industry standards) [Moved from domain 7]
• Objective Removed: None
• New Topics: Privacy compliance and issues, candidate screening, employee privacy, risk maturity modeling, gamification, SETA program effectiveness
1.1 CIA Triad
Figure: the CIA triad, with Confidentiality, Integrity, and Availability as the three sides surrounding Information Security.
1.1 CIA Foundational Principles
Confidentiality is the principle that only authorized people,
processes, or systems have access to information and that
information must be protected from unauthorized disclosure.
Integrity is the principle that data and systems should be
protected from intentional, unauthorized, or accidental
changes.
• Data integrity implies information is known to be good, and that the
information can be trusted as being complete, consistent, and accurate.
• System integrity implies that a system will work as it is intended to.
Availability is the principle that information and systems are
operating and accessible when needed.
1.1 Cybersecurity
Cybersecurity expands the traditional application of information
security by recognizing that we can no longer look at protecting
an organization in isolation.
• We have to recognize that every organization is part of a larger digital ecosystem.
In our connected world, what one organization does or doesn't do has a direct
impact on others.
• Cybersecurity requires that we apply a global framework to the fundamental
principles of confidentiality, integrity, and availability.
1.2 Strategic Alignment
Information security (cyber security) is not an isolated
discipline and absolutely should not be siloed.
• It's time to bury the myth that security is an IT issue!
• Every information security decision must be informed by organizational
goals and be in alignment with strategic objectives.
• When strategically aligned, security functions as a business enabler that
adds value.
1.2 Leadership and Governance
Designing and maintaining a secure environment that
supports the mission of the organization requires
enterprise-wide leadership involvement and commitment.
As applied to information security, governance is the
responsibility of leadership to:
• Determine and articulate the organization's desired state of security.
• Provide the strategic direction, resources, funding, and support to ensure
that the desired state of security is achieved and sustained.
1.2 Frameworks & Benchmarks
A framework is a logical structure. The intent of a
framework is to document and organize processes.
• Information security frameworks include ISO 27000 family, NIST
Cybersecurity Framework, and the HITRUST Common Security Framework.
A benchmark is intended to help an organization identify
their capabilities and compare those efforts to similar
peers or competitors.
• The CIS (Center for Internet Security) is the most widely accepted
information security configuration benchmark.
• http://www.cisecurity.org
1.2 Due Care and Due Diligence
Due care is the standard of care that a prudent person
would have exercised under the same or similar conditions.
• Actions taken by an organization to protect its stakeholders, investors,
employees, and customers from harm.
Due diligence is an investigation of a business or person
before entering a contract and during the lifetime of the
relationship.
1.3 Compliance
Organizations are responsible for complying with all local, state, federal and union laws and regulations.
• Consideration should be given to local customs, traditions, and practices (cultural, tribal, and religious).
Think global, obey local. Jurisdiction is related to location of data and systems (processing, transmission, storage).
• Privacy and security regulations (or lack of)
• Access of local governments to stored or transmitted data
• Attitudes toward “foreigners”
• Law enforcement jurisdiction
1.3 Legislative & Regulatory Compliance
Regulation and focus:
• GLBA (U.S.): Security and privacy of financial records
• HIPAA (U.S.): Security and privacy of medical records
• FERPA (U.S.): Security and privacy of student educational records
• COPPA (U.S.): Security and privacy related to the online collection and use of data for minors under 13
• State: Data breach notification requirements (50 states, District of Columbia, Guam, Puerto Rico and the Virgin Islands); end of life destruction/disposal requirements (31 states and Puerto Rico); data protection requirements including encryption (growing number)
• GDPR (EU): Data protection for all individuals within the European Union. GDPR (General Data Protection Regulation, effective May 2018) also addresses the export of personal data outside of the EU, as well as web cookie inform-and-consent requirements
1.4 Intellectual Property Law
Element and protection:
• Patents: Patents are designed to protect an invention. The invention must be novel, not obvious, and has to provide some utility. A patentable invention must be something that can be produced.
• Trademarks: A trademark is intended to protect recognizable names, icons, shape, color, sound, or any combination used to represent a brand, product, service, or company.
• Copyrights: A copyright covers the expression of an idea rather than the idea itself (which is protected by a patent).
• Trade secrets: Trade secrets refer to proprietary business and technical information, processes, designs, or practices that are confidential and critical to a business. Trade secrets don't require any registration and remain the only legal control for IP to remain undisclosed.
1.4 Privacy
Privacy is the right of an individual to control the use of his personal information.
• Personal information (PI, PII, NPPI) may include discrete information such as a Social Security number, financial account number, password and PIN, driver’s license number, passport number, medical record, educational records, and biometric data.
• Personal information can also include, but is not limited to, shopping habits, search engine queries, browsing history, email, pictures, location, and GPS travel.
The OECD Privacy Principles are the most commonly used framework and are the foundation of global regulations.
• http://www.oecd.org
1.4 Security Incident vs. Data Breach
A security incident is an event or action that endangers the
confidentiality, integrity, or availability of information or
information systems.
• A data breach is when data is exfiltrated or extracted or there is a loss of
control. A data breach may trigger reporting and notification
requirements.
1.5 Professional Ethics
Organizational code of ethics (code of conduct).
Exercise the (ISC)2 Code of Professional Ethics. There are four mandatory canons in the Code:
• Protect society, the common good, necessary public trust and confidence, and the infrastructure.
• Act honorably, honestly, justly, responsibly, and legally.
• Provide diligent and competent service to principals.
• Advance and protect the profession.
1.6 Governance Communication
Figure: hierarchy of governance documents: Policy, Standard, Guidelines, Procedure (formats: Simple Step, Hierarchical, Graphic, Flow Chart), and Agreement.
1.6 Information Security Policies
The objective of a policy is to communicate management’s
expectations and requirements with the objective of
providing direction.
• Information security policies codify the high-level requirements for
protecting information and information assets and ensuring confidentiality,
integrity, and availability.
• Written information security policies may be a regulatory or contractual
compliance requirement.
1.6 Standards, Baselines and Guidelines
Standards serve as specifications for the implementation
of policy and dictate mandatory requirements.
• Baselines are the aggregate of standards for a specific category or
grouping such as a platform, device type, ownership, or location.
• Guidelines help people understand and conform to a standard. Guidelines
are customized to the intended audience and are not mandatory.
1.6 Procedures
Procedures are instructions for how a policy, standard,
baseline, or guideline is carried out in a given situation.
Procedures focus on discrete actions or steps, with a
specific starting and ending point.
Four commonly used formats:
• Simple step
• Hierarchy
• Graphic
• Flowchart
1.7 Business Continuity
In its simplest form, business continuity is the capability of
a business to operate in adverse conditions.
The objective of business continuity planning is to prepare
for the continued operation of essential functions and
services during disruption of normal operating conditions.
To support this objective:
• Essential services and processes are identified.
• Threat scenarios are evaluated.
• Response, recovery, and contingency plans are developed.
• Strategies, plans, and procedures are tested.
1.7 Business Impact Analysis
The objective of a Business Impact Analysis (BIA) is to identify
essential services, systems, and infrastructure.
• Essential means that the absence of or disruption of services would result in
significant, irrecoverable, or irreparable harm to the organization, employees,
business partners, constituents, community, or country.
• The outcome of BIA is a prioritized matrix of services, systems, and
infrastructure.
A Business Impact Analysis (BIA) is used by management to:
• make investment decisions.
• prioritize resources.
• guide the development of incident response, disaster recovery, and business
contingency (continuity) plans.
1.7 Business Impact Metrics
• MTD (Maximum Tolerable Downtime) / MTO (Maximum Tolerable Outage): Maximum time a process/service can be unavailable without causing significant harm to the business.
• RTO (Recovery Time Objective): Amount of time allocated for system recovery. Must be less than the maximum amount of time a system resource can be unavailable before there is an unacceptable impact on other system resources or business processes.
• RPO (Recovery Point Objective): Acceptable data loss. The point in time, prior to a disruption or system outage, to which data can be recovered.
1.7 RPO | RTO Timeline
Figure: timeline with the failure at the center; the Recovery Point Objective extends backwards from the failure (minutes, hours, days, weeks) and the Recovery Time Objective extends forward from it (minutes, hours, days, weeks).
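The BIA metrics above are easiest to understand when applied to a list of services. The following Python is an added example, not part of the course deck: it takes per-service MTD, RTO and RPO figures, produces the prioritized matrix a BIA is meant to deliver, and flags two common planning errors, an RTO that is not below the MTD and a backup interval that cannot meet the RPO. The service names, hour values and backup intervals are constructed for illustration.

```python
"""Added example, not from the course slides: a small Business Impact
Analysis (BIA) helper that turns per-service MTD/RTO/RPO figures into a
prioritized recovery matrix and flags plans that break the rule that RTO
must be less than MTD. All service names and numbers are constructed."""
from dataclasses import dataclass


@dataclass
class Service:
    name: str
    mtd_hours: float              # Maximum Tolerable Downtime (harm threshold)
    rto_hours: float              # Recovery Time Objective (time allocated for recovery)
    rpo_hours: float              # Recovery Point Objective (acceptable data loss, in hours)
    backup_interval_hours: float  # how often data is actually captured (constructed)


def rto_violations(services):
    """Names of services whose planned RTO is not below their MTD."""
    return [s.name for s in services if s.rto_hours >= s.mtd_hours]


def rpo_violations(services):
    """Names of services whose backup interval cannot satisfy the RPO.
    If data is captured every N hours, the worst-case loss is N hours."""
    return [s.name for s in services if s.backup_interval_hours > s.rpo_hours]


def prioritize(services):
    """Least tolerance for downtime first, then least tolerance for data loss."""
    ranked = sorted(services, key=lambda s: (s.mtd_hours, s.rpo_hours))
    return [s.name for s in ranked]


# Constructed sample input: four services with BIA figures in hours.
CONSTRUCTED_SERVICES = [
    Service("order-processing", mtd_hours=4, rto_hours=2, rpo_hours=0.25, backup_interval_hours=0.25),
    Service("payroll", mtd_hours=72, rto_hours=96, rpo_hours=24, backup_interval_hours=24),
    Service("marketing-site", mtd_hours=48, rto_hours=8, rpo_hours=24, backup_interval_hours=168),
    Service("email", mtd_hours=24, rto_hours=12, rpo_hours=1, backup_interval_hours=1),
]


def bia_report(services=None):
    """Return the prioritized matrix plus the two violation lists."""
    services = CONSTRUCTED_SERVICES if services is None else services
    return {
        "priority": prioritize(services),
        "rto_violations": rto_violations(services),
        "rpo_violations": rpo_violations(services),
    }


if __name__ == "__main__":
    for key, val in bia_report().items():
        print(f"{key}: {val}")
```

In the sample, payroll is flagged because a 96-hour recovery plan can never satisfy a 72-hour MTD, and the marketing site is flagged because weekly backups cannot deliver a 24-hour RPO; both are findings the BIA should surface before plans are written around them.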


1.8 Employee Lifecycle (very simplified)
Figure: cycle of Hiring Process, Onboarding, Employment, and Offboarding.
1.8 User Security Controls
Control and description:
• Policy/Agreements: Confidentiality Agreement, Acceptable Use Policy and Agreement (AUP)
• Training: Ongoing education, training, and awareness programs
• Job Rotation: Rotating assignments
• Mandatory Vacation: Requiring employees to take a set amount of vacation time
• Separation of Duties / Segregation of Duties: Breaking a task into processes so that no one subject is in complete control or has decision making power.
• Dual Control: Requiring more than one subject or key to complete a specific task
• Clean Desk: Requirement to never leave confidential data (paper, monitor, whiteboard) unattended or within view of unauthorized personnel
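Separation of duties and dual control are usually described as policy, but both can be enforced in code wherever a sensitive task is approved. The following Python is an added example, not from the course deck: it rejects an approval by the subject who initiated the request (separation of duties) and refuses to count the same subject twice toward the two approvals required (dual control). The task and the names are constructed.

```python
"""Added example, not from the course slides: enforcing separation of
duties (the subject who initiates a task may not approve it) and dual
control (more than one distinct subject must approve before the task
proceeds). The task and the names are constructed for illustration."""
from dataclasses import dataclass, field


class ControlViolation(Exception):
    """Raised when an approval would break separation of duties or dual control."""


@dataclass
class ApprovalRequest:
    task: str
    requester: str
    required_approvals: int = 2            # dual control: at least two subjects
    approvers: list = field(default_factory=list)


def approve(req: ApprovalRequest, approver: str) -> ApprovalRequest:
    """Record one approval, rejecting any that would collapse the control."""
    if approver == req.requester:
        raise ControlViolation(
            "separation of duties: requester may not approve their own request")
    if approver in req.approvers:
        raise ControlViolation(
            "dual control: the same subject cannot supply a second approval")
    req.approvers.append(approver)
    return req


def is_authorized(req: ApprovalRequest) -> bool:
    """The task may proceed only once enough distinct subjects have signed off."""
    return len(set(req.approvers)) >= req.required_approvals


def demo() -> dict:
    """Walk a constructed request through good and bad approval attempts."""
    req = ApprovalRequest(task="wire transfer over $50,000", requester="alice")
    rejected = []
    # alice (the requester) and a repeat by bob must be refused;
    # bob followed by carol satisfies dual control.
    for who in ("alice", "bob", "bob", "carol"):
        try:
            approve(req, who)
        except ControlViolation as err:
            rejected.append((who, str(err).split(":")[0]))
    return {"authorized": is_authorized(req),
            "approvers": list(req.approvers),
            "rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The check lives in `approve`, so the request object can never reach an authorized state through a path that skips the controls; that is the property an auditor will look for when a policy says a task needs two people.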
1.8 Personnel Agreements
Agreement and objective:
• Confidentiality / Non-disclosure (NDA): Protect data from unauthorized disclosure
  • Establish data ownership
  • Define handling standards including disposal
  • Post-relationship requirements
• Acceptable Use Policy (AUP) and Agreement: Sets forth proper use of information systems, handling standards, monitoring, violation consequences, and privacy expectations
  • An AUP should be written in language that can be easily and unequivocally understood
  • By signing the associated agreement, the user acknowledges, understands, and agrees to the stated rules and obligations
1.8 Third-Party Relationships
Third parties include vendors, service providers, business
partners, consultants, and contractors.
Third-party oversight activities include:
• Conducting a due diligence investigation related to service provider selection
and subsequent business activities
• Conducting a risk assessment to ensure that the relationship is consistent
with the overall business strategy
• Requiring nondisclosure agreements
• Codifying service relationships
• Coordinating incident response protocols and contractual notification
• Monitoring the service provider through appropriate audits and testing
1.8 Third-party Agreements
Agreement type and objective:
• Confidentiality / Non-disclosure (NDA): Protects data from unauthorized disclosure
• Service Level Agreement (SLA): Codifies service and support requirements
• Interconnection Security Agreement (ISA): Documents technical requirements
• Memorandum of Understanding (MOU), also known as a MOA: Cooperative agreement, often a pre-contract placeholder
• Business Associate Agreement (BAA): HIPAA related agreement to protect personal health information (PHI)
• Business Partner Agreement (BPA): Business relationship contract
1.9 Risk
Risk is defined as uncertainty of outcome, whether positive opportunity or negative threat, of actions and events.
• Risk assessment evaluates the combination of the likelihood of occurrence and the adverse impact if the circumstance or event occurs.
• Risk appetite is the level of risk that an organization is comfortable with.
• Risk tolerance is acceptable variation in outcomes related to specific performance measures.
• Risk management implies that actions are being taken to either mitigate the impact of an undesirable or unfavorable outcome and/or enhance the likelihood of a positive outcome (in line with the risk appetite).
1.9 Risk Assessment Approaches
• Qualitative: Qualitative risk assessments use descriptive terminology such as high, medium, and low or normal, elevated, and severe
• Quantitative: Quantitative risk assessments assign numeric and monetary values to all elements of the assessment
Key elements of both are likelihood of occurrence and impact
1.9 Risk Assessment Workflow
1. Determine the risk assessment approach (quantitative, qualitative, hybrid).
2. Identify the inherent risk based on relevant threats and related vulnerabilities.
3. Assess the impact if the threat source was successful.
4. Identify applicable controls and their effectiveness.
5. Assess the likelihood of occurrence, taking into consideration the control environment.
6. Determine the level of residual risk.
1.9 Quantitative Risk Assessment Elements
Quantitative risk assessment elements include:
• Asset value (AV) expressed in $.
• Exposure factor (EF) expressed as a %.
• Single loss expectancy (SLE) expressed in $.
• Annualized rate of occurrence (ARO) expressed as a #.
• Annualized loss expectancy (ALE) expressed in $.
1.9 Quantitative Formulas
SLE ($) = AV ($) x EF (%)
Single Loss Expectancy = Asset Value x Exposure Factor
• Example: Revenue from one hour of e-commerce is $20,000 (AV). A DDoS attack could disrupt 85% (EF) of online activity. $20,000 (AV) * .85 (EF) = $17,000 (SLE). The cost of an hour of DDoS disruption is $17,000.
ALE ($) = SLE ($) x ARO (#)
Annualized Loss Expectancy = Single Loss Expectancy x Annualized Rate of Occurrence
• Example: Single Loss Expectancy (for an hour of DDoS disruption) is $17,000. Based on the current threat and controls environment, it is expected that there will be 5 hours (ARO) of DDoS disruption per year. $17,000 (SLE) * 5 (ARO) = $85,000 (ALE)
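The two formulas become a decision only when they are run twice, once for the current control environment and once for a proposed control, which is the inherent-risk to residual-risk path of the assessment workflow above. The following Python is an added example, not part of the course deck. The AV, EF and ARO defaults are the slide's DDoS figures; the scrubbing service, its residual ARO of 1 hour/year and its $30,000 annual cost are constructed. The net-value step (ALE before minus ALE after minus the annual cost of the safeguard) is standard quantitative practice that the slide itself does not show.

```python
"""Added example, not from the course slides: SLE = AV x EF and
ALE = SLE x ARO carried through the risk assessment workflow, from the
current control environment to the residual risk with a proposed control.
The safeguard-value step goes beyond the slide. AV, EF and the current ARO
are the slide's DDoS example; the mitigation service, its residual ARO and
its annual cost are constructed."""


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE ($) = AV ($) x EF, with EF given as a fraction (0.85 for 85%)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return round(asset_value * exposure_factor, 2)


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE ($) = SLE ($) x ARO (expected occurrences per year)."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return round(sle * aro, 2)


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Net annual value of a control; positive means it pays for itself."""
    return round(ale_before - ale_after - annual_cost, 2)


def assess_ddos_scenario(asset_value: float = 20_000, exposure_factor: float = 0.85,
                         current_aro: float = 5, residual_aro: float = 1,
                         annual_safeguard_cost: float = 30_000) -> dict:
    """Run the workflow for one scenario and pick a treatment option.

    current_aro is the slide's 5 hours/year of DDoS disruption under today's
    controls; residual_aro and annual_safeguard_cost describe a hypothetical
    scrubbing service expected to cut disruption to 1 hour/year for $30,000/year.
    """
    sle = single_loss_expectancy(asset_value, exposure_factor)
    ale_current = annualized_loss_expectancy(sle, current_aro)
    ale_residual = annualized_loss_expectancy(sle, residual_aro)
    value = safeguard_value(ale_current, ale_residual, annual_safeguard_cost)
    # Treatment choice from the risk treatment options: mitigate when the
    # control is worth more than it costs, otherwise accept and monitor
    # (or look for a cheaper control).
    treatment = "mitigate" if value > 0 else "accept"
    return {
        "SLE": sle,
        "ALE_current": ale_current,
        "ALE_residual": ale_residual,
        "safeguard_value": value,
        "treatment": treatment,
    }


if __name__ == "__main__":
    for key, val in assess_ddos_scenario().items():
        print(f"{key:>16}: {val}")
```

With the slide's numbers the current ALE is $85,000; the constructed control brings the residual ALE to $17,000, so its net value is $38,000 a year and the arithmetic supports "mitigate". Raise the annual cost above $68,000 and the same function returns "accept", which is the point of doing the calculation before buying the control.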
1.9 Risk Treatment Options
• Ignore: Act as if the risk doesn’t exist
• Avoid: Eliminate the cause or terminate the associated activity
• Mitigate: Reduce the impact or likelihood by implementing controls or safeguards
• Share: Spread the risk among multiple parties
• Transfer: Assign the risk to another party via insurance or contractual agreement (subject to legal and regulatory constraints)
• Accept: Acknowledge the risk and monitor it
1.9 Controls, Countermeasures, and Safeguards
A control (sometimes called the countermeasure or
safeguard) is a tactic, mechanism, or strategy that either:
• Reduces or eliminates a vulnerability (weakness).
• Reduces or eliminates the likelihood that a threat agent will be able to
exploit a vulnerability.
• Reduces or eliminates the impact of an exploit.
1.9 Control Classifications
• Deterrent: Deterrent controls discourage a threat agent from acting.
• Preventative: Preventative controls stop a threat agent from being successful.
• Detective: Detective controls identify and report a threat agent, action, or incident.
• Corrective: Corrective controls minimize the impact of a threat agent or modify or fix a situation (recovery).
Note: A control can (and often does) have multiple classifications depending upon context
• Compensating: Compensating controls are alternate controls designed to accomplish the intent of the original controls as closely as possible, when the originally designed controls cannot be used due to limitations of the environment or financial constraints.
1.9 Control Implementations
• Administrative (Management): Controls relating to the oversight, laws, rules, and regulations. Examples: policies, procedures, training, audits, compliance reporting.
• Physical: Controls that can have a material structure (seen, heard, touched). Examples: gate, alarm, guard, barricade, door, lock, ID card.
• Technical (Logical): Controls provided through the use of technology and/or a digital device. Examples: encryption, ACLs, firewall rules, anti-virus software, biometric authentication.
1.9 Control Cross-Over Examples
• Firewall (Technical Control): Deterrent: “hardened” appearance discourages opportunistic attacks. Preventative: rule-set blocks certain ingress and egress traffic. Detective: activity is logged and alerts can be configured. Corrective: N/A.
• Security Awareness Training (Administrative Control): Deterrent: advises participants of penalties and consequences. Preventative: N/A. Detective: N/A. Corrective: N/A.
• Door Alarm (Physical Control): Deterrent: discourages use of an alarmed door. Preventative: N/A. Detective: reacts to the door being opened or threshold crossed. Corrective: sounds an alarm that might scare off the intruder.
1.10 Threat & Attack Primer
• Threat: Potential danger
• Threat Actor (Adversary): Adversaries with malicious intent
• Vulnerability: A weakness in a system, process, or person
• Exploit: Successfully taking advantage of a vulnerability
• Targeted Attack: Threat actor chooses a target for a specific objective
• Opportunistic Attack: Threat actor takes advantage of a vulnerable target (not previously known to them)
• Security Incident: Event that potentially compromises the confidentiality, integrity, and/or availability of information or information system
• Threat Modeling: Approach to identifying and categorizing potential threats
1.10 Threat Modeling
Threat modeling is an approach to identifying and categorizing potential threats:
• Attacker-centric threat models start with identifying an attacker and then evaluate the attacker’s goals and potential techniques.
• Architecture-centric threat models focus on system design and potential attacks against each component.
• Asset-centric threat models begin by identifying asset value and motivation of threat agents.
1.10 Attack Vectors
• Digital Infrastructure: Disruption, manipulation, or compromise of network or host hardware, services, application, data, or transmission. A subset is cryptographic, which is disruption, manipulation, or compromise of cryptographic algorithms, protocols, services, applications, or data.
• Human: Disruption, manipulation, or compromise of people
• Physical Infrastructure: Disruption or destruction of physical structures and facilities
1.2 Digital Infrastructure Attacks
Category, description, and techniques:
• Spoofing: Impersonating an address, system, or person. Enables an attacker to act as the trusted source. Techniques: IP Address, MAC Address, Domain | URL
• Poisoning: Manipulating a trusted source of data (e.g. DNS cache, ARP cache). Enables an attacker to control the trusted source of data. Techniques: ARP Cache, DNS Cache
• Hijacking: Intercepting communication between two or more systems. Enables an attacker to eavesdrop, capture, manipulate, and/or reuse data packets. Techniques: MiTM / MiTB, Replay, Clickjacking
• Denial of Service (DoS): Overwhelming system resources. Enables an attacker to make services unavailable for their intended use. Techniques: DoS, DDoS
• Code: Exploiting weaknesses in server- or client-side code or applications. Enables an attacker to take control. Techniques: Injection, XSS
1.10 Social Engineering Attacks
Technique, description, and vector:
• Pretexting: Pretexts are used to conceal the true purpose of an activity. Vector: N/A
• Phishing: Pretexting using email. Vector: Email
• Spear Phishing: Targeted version of phishing (mass vs. group/individual). Vector: Email
• Vishing: Pretexting using voice. Vector: Phone
• SMiShing: Pretexting using text. Vector: Phone
• Impersonation: Pretexting in person. Vector: In-person
• Shoulder Surfing: Covert observation. Vector: In-person
• Piggybacking | Tailgating: When an unauthorized person enters a checkpoint close behind, or in concert with, authorized personnel. Vector: In-person
• Dumpster Diving: Rummaging through trash and recycling in search of information. Vector: In-person
1.10 Defense-in-Depth | Layered Security
Controls are typically applied in multiple layers because no
single control can protect an asset from every type of
threat:
• This architecture is referred to as defense in depth or layered security.
1.11 Supply Chain Risk Management
A supply chain is an ecosystem of organizations, processes,
people, and resources involved in providing a product or
service. Critical supply chain vendors and service providers
should be included in the organizational risk management
program.
Expectations must be communicated.
• Use clear and consistent language in describing security requirements and
expectations.
• Provide baseline security requirements for products and services.
• Embed requirements in contracts and service-level agreements.
1.11 Supply Chain Assurance
Assurance mechanisms include due diligence, inspection, assessment, and audit reports.
• The most common information technology and security-related independent audit report is an AICPA SSAE 18 SOC (formerly SAS 70 / SSAE 16).
1.12 Shared Responsibility
No individual, business, or government entity is solely responsible for cyber security. Everyone has a role to play.
• It is important to keep in mind that most individuals aren’t aware of potential dangers and/or of security and privacy best practices.
• On-going education is essential.
• Educational programs should stress that individual actions matter and that adherence to best practices, policies, and regulations is critical (and expected).
• Educational programs should be tailored to roles and audience.
1.12 The NIST SETA Model (SP 800-50)
SETA - Security Education, Training, and Awareness
• Security Education: Attribute: Why. Level: Insight. Objective: Understanding. Teaching Method: discussion, seminar, reading. Test Measure: essay. Impact Timeframe: long-term.
• Training: Attribute: How. Level: Knowledge. Objective: Skill. Teaching Method: lecture, case study, hands-on. Test Measure: problem solving. Impact Timeframe: intermediate.
• Awareness: Attribute: What. Level: Information. Objective: Awareness. Teaching Method: interactive, video, posters, games. Test Measure: true or false, multiple choice. Impact Timeframe: short-term.
Domain 1 Security & Risk Management
1.1 Understand and apply the concepts of confidentiality, integrity and availability
1.2 Evaluate and apply security governance principles
1.3 Determine compliance requirements
1.4 Understand legal and regulatory issues that pertain to information security in a global context
1.5 Understand, adhere to, and promote professional ethics
1.6 Develop, document, and implement policies, standards, procedures, and guidelines
1.7 Identify, analyze, and prioritize Business Continuity (BC) requirements
1.8 Contribute to and enforce personnel security policies and procedures
1.9 Understand and apply risk management concepts
1.10 Understand and apply threat modeling concepts and methodologies
1.11 Apply risk-based management concepts to the supply chain
1.12 Establish and maintain a security awareness, education, and training program
Assessment Q1
How should the information security principles of
confidentiality, integrity, and availability be prioritized?
A. In compliance with regulatory requirements and legal obligations
B. Aligned with organizational strategic objectives
C. Based on industry trends
D. In response to customer demands
Assessment Q2
Which statement best describes data integrity?
A. The system works as intended.
B. Code is bug free.
C. Resource utilization is logged and monitored.
D. Information can be trusted to be complete, consistent, and accurate.
Assessment Q3
Which statement does not describe a control?
A. A tactic or strategy that reduces or eliminates vulnerability.
B. A tactic or strategy that reduces or eliminates likelihood of exploit.
C. A tactic or strategy that reduces or eliminates impact of exploit.
D. A tactic or strategy that reduces or eliminates expense.
Assessment Q4
Which of the following quantitative risk assessment
formulas is true?
A. AV=EF*Cost of Asset
B. ALE=SLE*ARO
C. SLE=EF*ARO
D. ARO=EF*SLE
Assessment Q5
Maximum tolerable downtime (MTD) relates to
_____________. Recovery point objective (RPO) relates to
____________.
A. business functions, system resources
B. system resources, data loss
C. length of outage, system resources
D. business functions, data loss
Day 1 Course Outline
• Domain 1 Security & Risk Management (15%)
• Domain 2 Asset Security (10%)
• Domain 3 Security Architecture and Engineering (13%)
• Study Strategies
Domain 2 Asset Security
2.1 Identify and classify information and assets
2.2 Determine and maintain information and asset ownership
2.3 Protect privacy
2.4 Ensure appropriate asset retention
2.5 Determine data security controls
2.6 Establish information and asset handling requirements
May 1, 2021 Changes
• Category Weight: Unchanged
• Objective Added or Moved: Provision resources securely [Previously in domain 7]; Manage data lifecycle
• Objective Removed: Determine and maintain information and asset ownership; Protect privacy
• New Topics: Data roles, data collection, data location, end-of-life (EOL), end-of-support (EOS)
2.1 Asset Classification
The purpose of asset classification is to ensure that assets
are properly identified and protected throughout their
lifecycle.
Asset classifications inform handling instructions, control
decisions, audit scope, and regulatory compliance
activities.
• Information assets are generally classified by content (e.g., top secret,
secret, classified, SBU).
• Infrastructure and physical assets are generally classified by criticality of
the services they provide.
2.1 Classification Schemas
Classification schemas vary by sector.
• Government and military classification schemes include:
• U.S. Federal government classification system (FIPS 199)
• Military and national security classification (systems and information)
• Classification schemes are discretionary for the private sector
2.2 Asset Ecosystem
Asset ecosystem (hierarchy, top to bottom):
• Directors & Executive Management
• Supporting Functional Roles
• Owners
• Custodians
• Users
2.2 Asset-related Roles and Responsibilities
Directors & Executive Management: Responsible for governance and oversight. From a legal and regulatory perspective, they are ultimately responsible for the actions (or inaction) of the organization.
Supporting Functional Roles (ISO / IAM, Privacy Officer, Compliance Officer): Responsibility varies by role and may include:
1. Managing the cybersecurity and/or privacy programs.
2. Identifying threats, vulnerabilities, and risks.
3. Compliance with applicable regulatory and contractual obligations.
4. Authorization of data access and sharing.
Owners: Responsible for decisions related to classification and access control, and for oversight of protection mechanisms.
Custodians: Responsible for implementing, managing, and monitoring controls.
Users: Responsible for treating data and interacting with information systems in accordance with organizational policy and standards.
2.3 Privacy Defined
Privacy is the right of the individual to control access to and
the use of their personal information (data).
• Individuals expect their privacy to be respected and their personal
information to be protected by the organizations with which they do
business.
• Individuals also expect that organizations will inform them what
information they collect, why they collect it, and how they update,
manage, export (sell and share) and delete their information.
2.3 Cybersecurity Humanized
2.3 Personal Information (Data)
Personal information (PII) is data that can be used to distinguish, trace, or link to an individual:
• Distinguish means that the data can be used to identify an individual.
• Trace means that the data can be used to make a determination about an individual's activities or status.
• Linked means that the data is logically associated with other information about the individual.
2.3 Personal Information (Data)
Examples of personal data elements (plotted on the Distinguish / Trace / Linked diagram):
• Name, Government ID, Social Security Number, Biometric data, Date of Birth, Gender, Race, Sexual Orientation
• Physical movement, Digital interactions, Travel, GeoIP, Facial Recognition
• Medical records, Educational records, Financial records, Criminal records, Employment history, Shopping habits
2.3 OECD Privacy Principles [http://www.oecd.org]
Collection Limitation: There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
Data Quality: Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
Purpose Specification: The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
Use Limitation: Personal data should not be disclosed, made available or otherwise used for purposes other than those specified except with the consent of the data subject or by the authority of law.
Security Safeguards: Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.
2.3 OECD Privacy Principles cont.
Openness: There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.
Individual Participation: An individual should have the right:
a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;
b) to have communicated to him, data relating to him i) within a reasonable time; ii) at a charge, if any, that is not excessive; iii) in a reasonable manner; and iv) in a form that is readily intelligible to him;
c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and
d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.
Accountability: A data controller should be accountable for complying with measures which give effect to the principles stated above.
2.3 Privacy Threshold Assessment
The purpose of the Privacy Threshold Assessment (PTA) is
to identify PII that has been acquired by the organization
and to determine how to appropriately treat the data.
PTAs generally include the following information:
• Description of the system
• What PII is collected and from whom
• Why the PII is collected
• How the PII is used
• Whether the PII is shared or sold
• Regulatory, contractual, and ethical requirements
• Whether the status quo should be maintained or changes are necessary
2.3 Privacy Impact Assessment
A Privacy Impact Assessment (PIA) is a structured decision-
making tool used to identify and mitigate privacy risks at
the beginning of and throughout the lifecycle of a program
or system.
PIAs generally include the following information:
• Description of the system
• What personal information might be collected and from whom?
• Why are we collecting this information (is it necessary)?
• How will it be used now and in the future?
• Do we plan to sell or share this information?
• Are there regulatory, contractual, or ethical requirements or obligations?
• How will it be secured?
2.4 Information Lifecycle (Simplified)
Information lifecycle (diagram): Collection → Use → Retention → Archiving → Deletion/Destruction. A Legal Hold suspends the retention and deletion stages while it is in effect.
2.4 Retention and Archiving
Retention is a protocol (set of rules) within an organization
that dictates which data sets must be kept and for how
long.
• Legal and regulatory requirements must be considered.
Archiving is the process of securely storing pristine,
unmodified data for later potential retrieval.
• Backup and replication are processes for making copies of data to ensure
recoverability. They are distinct from archiving: a backup is a recovery copy, an archive is the retained original.
2.4 Legal Hold and eDiscovery
A legal hold is the requirement for an organization to
preserve all forms of relevant information when litigation,
audit, or government investigation is reasonably
anticipated. The objective is to avoid evidence spoliation.
• A legal hold supersedes organizational retention policies.
• eDiscovery (also called electronic discovery) refers to any process in which
electronic data is sought, located, secured, and searched with the intent of
using it as evidence in a civil or criminal legal case.
2.4 Data Remanence
Data remanence is the residual representation of digital
data that remains even after attempts have been made to
remove or erase the data.
Methods to counter data remanence include:
• Clearing, which is the removal of data in such a way that it cannot be
recovered using normal system functions or recovery utilities (it may still be recoverable with laboratory techniques).
• Purging, which is the removal of data in such a way that it cannot be reconstructed by any
known technique.
• Destruction, which is the physical destruction of media in such a way
that the data cannot be reconstructed.
2.5 Anti-Remanence Techniques
Technique: Description (Result)
• Wiping: Overwrites all addressable storage and indexing locations, often multiple times (Clearing)
• Degaussing: Using an electromagnetic field to destroy all magnetically recorded data (Purging)
• Shredding: Physically breaking media into pieces (Destruction)
• Pulverizing: Reducing media to dust (Destruction)
• Pulping: Chemically altering media (Destruction)
• Burning: Incinerating media (Destruction)
Caveat: degaussing only works on magnetic media; flash storage (SSDs, USB drives) is unaffected by it, and overwriting cannot reach wear-leveled or over-provisioned flash blocks, so SSDs are purged with the drive's built-in sanitize/secure-erase command or cryptographic erase, or destroyed.
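As an added example (not from the course deck), the following Python script carries out the wiping row of the table on a single file: it overwrites the file's bytes in place, forces the overwrite to the device, reads the file back to confirm nothing of the original remains in its own allocation, and only then unlinks it. A plain delete is shown beside it for contrast. The file path, payload and pass count are constructed for the demo.

```python
"""Clearing a file by in-place overwrite, then unlinking it.

Added example, not from the course deck. The file path and contents are
constructed in the demo at the bottom; the pass count is an assumption.
"""
import os
import secrets
import tempfile


def clear_file(path: str, passes: int = 3) -> bytes:
    """Overwrite every byte of the file in place (random passes, then zeros), fsync, unlink.

    Returns the bytes read back just before unlinking so the caller can verify
    that nothing of the original survives in the file's own allocation.
    """
    if passes < 1:
        raise ValueError("at least one pass is required")
    size = os.path.getsize(path)
    with open(path, "r+b") as f:          # r+ keeps the same inode/blocks instead of allocating new ones
        for n in range(passes):
            pattern = secrets.token_bytes(size) if n < passes - 1 else bytes(size)
            f.seek(0)
            f.write(pattern)
            f.flush()
            os.fsync(f.fileno())          # push the overwrite to the device, not just the page cache
        f.seek(0)
        readback = f.read()
    os.remove(path)
    return readback


def plain_delete(path: str) -> bytes:
    """What a normal delete does: unlink only. The returned bytes are what still sits on disk."""
    with open(path, "rb") as f:
        contents = f.read()
    os.remove(path)   # only the directory entry goes; the data blocks are merely marked free
    return contents


def make_sample(payload: bytes) -> str:
    """Create a constructed temporary file holding `payload` and return its path."""
    fd, path = tempfile.mkstemp(prefix="remanence-demo-")
    with os.fdopen(fd, "wb") as f:
        f.write(payload)
    return path


if __name__ == "__main__":
    secret = b"ACCT 4111-2222-3333-4444 balance 12000\n" * 20   # constructed sample data
    p = make_sample(secret)
    leftover = plain_delete(p)
    print("plain delete leaves on disk:", leftover[:40])
    p = make_sample(secret)
    leftover = clear_file(p)
    print("clear_file leaves on disk:", leftover[:40], "| all zero:", leftover == bytes(len(secret)))
    # Caveat: this is CLEARING only. SSD wear-leveling, copy-on-write filesystems (btrfs, ZFS, APFS)
    # and snapshots/journals may retain the original blocks; use the drive's sanitize/secure-erase
    # or cryptographic erase to PURGE, or destroy the media.
```

The overwrite is opened with `r+b` deliberately: truncating and rewriting would let the filesystem allocate fresh blocks and leave the old ones untouched, which is exactly the remanence the table is trying to defeat.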
2.5 Data Security Controls Decisions
Data security control decisions are generally related to:
• Data classification (e.g. protected, confidential, and public)
• Data state (point in time)
• Data at rest (persistent storage — e.g. disk, tape)
• Data in use (CPU processing or in RAM)
• Data in transit (transmission)
Common data protection controls include access
management, cryptography, and obfuscation.
2.6 Labels and Handling Standards
Labels are used to identify assets so users can apply the
appropriate handling standard.
• Labeling is influenced by the intended audience.
• Labels can be digital, print, audio, or visual.
• Noted on or in a document (e.g. CONFIDENTIAL)
• Written on or attached to media
Handling standards inform custodians and users how to
interact with information assets.
• Handling standards are generally related to classification, data state, and
legal or regulatory requirements.
Domain 2 Asset Security
2.1 Identify and classify information and assets
2.2 Determine and maintain information and asset ownership
2.3 Protect privacy
2.4 Ensure appropriate asset retention
2.5 Determine data security controls
2.6 Establish information and asset handling requirements
Assessment Q1
_________ is the right of an individual to control the use of
his or her personal information.
A. Security
B. First amendment
C. Habeas Corpus
D. Privacy
Assessment Q2
In the private sector, which group is most often responsible
for asset classification decisions and control oversight?
A. owner
B. executive
C. custodian
D. administrator
Assessment Q3
The process of securely storing original, unmodified
documents is known as which of the following?
A. Backup
B. Replication
C. Retention
D. Archiving
Assessment Q4
The residual representations of digital data even after
attempts to remove or erase is known as
_______________?
A. data clusters
B. data remanence
C. data bits
D. data slack
Assessment Q5
Which of the following is the most important reason an
information asset should have a visible data classification
label?
A. Inventory control
B. User recognition
C. Regulatory compliance
D. Asset management
Domain weights (2018 exam outline):
• Domain 1 Security & Risk Management: 15%
• Domain 2 Asset Security: 10%
• Domain 3 Security Architecture and Engineering: 13%
Study Strategies
Domain 3 Security Architecture and Engineering
3.1 Implement and manage engineering processes using secure design principles
3.2 Understand the fundamental concepts of security models
3.3 Select controls based on systems security requirements
3.4 Understand security capabilities of information systems
3.5 Assess and mitigate vulnerabilities of security architectures, designs, and solution elements
3.6 Assess and mitigate vulnerabilities in web-based systems
3.7 Assess and mitigate vulnerabilities in mobile systems
3.8 Assess and mitigate vulnerabilities in embedded devices
3.9 Apply cryptography
3.10 Apply security principles to site and facility design
3.11 Implement site and facility security controls
May 1, 2021 Changes
Category Weight: Unchanged
Objective Added or Moved:
• Select and determine cryptographic solution
• Understand methods of cryptanalytic attacks
Objective Removed:
• Assess and mitigate vulnerabilities in web-based systems
• Assess and mitigate vulnerabilities in mobile systems
• Assess and mitigate vulnerabilities in embedded devices
Note: these have all been incorporated into the objective "Assess and mitigate vulnerabilities of security architectures, designs, and solution elements"
• Apply cryptography
New Topics: Zero trust, privacy by design, trust but verify, microservices, containerization, high-performance computing systems, edge computing, quantum cryptography, Kerberos exploitation, ransomware, evidence storage, HVAC controls.
3.1 Secure Design & Engineering Objectives
Security must be incorporated and addressed from the
initial planning and design phases through disposal of the
system.
• Without proper attention to security, an organization’s information
technology can become a source of significant risk.
• With careful planning from the earliest stages, however, security becomes
an enabler to achieve the organization’s mission.
3.1 NIST SP 800-160
Systems Security Engineering: Considerations for a
Multidisciplinary Approach in the Engineering of
Trustworthy Secure Systems
• SP 800-160 addresses the engineering-driven actions necessary to develop
more defensible and survivable systems—including the components that
compose and the services that depend on those systems.
• Aligned with the international standard ISO/IEC/IEEE 15288.
3.2 Information Security Models
Information security models focus on interactions and
provide structure and rules to be followed to accomplish a
specific objective (e.g. confidentiality, integrity, and
availability).
• Foundational (lower-level) models include State Machine, Non-
Interference, and Information Flow.
• Relationship (higher-level) models include Bell-LaPadula, Biba, Clark-
Wilson, and Brewer Nash.
• Subjects are active entities, generally in the form of a person, process,
or device that causes information to flow among objects or changes
the system state.
• Objects are passive entities that contain or receive information or
instructions.
3.2 Foundational Models (lower-level)
State Machine: Conceptual model in which every transition leaves the system in a secure state, so that no matter what activity is taking place within the system, it is always trustworthy.
Non-interference (multilevel): Whatever happens at one security level does not directly or indirectly affect the security environment of other levels.
Information Flow (multilevel): Information will flow only in ways that do not violate the security policy of the system.
If any of the foundational models are proven false, then the security of the system cannot be relied upon regardless of the implementation of higher-level security models.
3.2 Relationship Models (higher-level)
Bell-LaPadula (Confidentiality): Subjects cannot read data at a higher classification [simple security property]. Subjects cannot write to an object at a lower security level [*-property]. No Read Up, No Write Down.
Biba (Integrity): Subjects cannot read data at a lower integrity level [simple integrity property]. Subjects cannot write to an object at a higher integrity level [integrity *-property]. No Read Down, No Write Up.
Clark-Wilson (Integrity): Well-formed transactions ensure that a user cannot alter data arbitrarily. Instead, data can be altered only in a specified way in order to preserve its internal consistency (access triple: subject, program, object).
Brewer-Nash (Conflict of interest): Context-oriented commercial model designed to defend against conflicts of interest. Access controls change dynamically depending upon a user's previous actions.
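The Bell-LaPadula and Biba rows reduce to comparisons on a lattice of levels, and the two models are mirror images of each other. The following Python reference monitor, an added example that is not part of the course deck, encodes both rule sets so the symmetry is visible (no-read-up / no-write-down versus no-read-down / no-write-up) and returns which property made each decision, as a real monitor would log it. The four-level lattice and the sample requests are assumptions made for the demo.

```python
"""Reference-monitor check for the Bell-LaPadula and Biba rules.

Added example, not from the course deck. The four-level lattice
(UNCLASSIFIED < CONFIDENTIAL < SECRET < TOP_SECRET) and the sample
requests are assumptions made for illustration.
"""
from enum import IntEnum
from typing import Tuple


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def blp_decide(subject: Level, obj: Level, action: str) -> Tuple[bool, str]:
    """Bell-LaPadula (confidentiality): no read up, no write down.

    Returns (allowed, rule) so a caller can log which property decided.
    """
    if action == "read":
        # Simple security property: the subject's clearance must dominate the object.
        return subject >= obj, "simple security property (no read up)"
    if action == "write":
        # *-property: a subject may only write to objects at or above its level,
        # so it can never copy high data into a lower-classified object.
        return subject <= obj, "*-property (no write down)"
    raise ValueError(f"unknown action: {action}")


def biba_decide(subject: Level, obj: Level, action: str) -> Tuple[bool, str]:
    """Biba (integrity): no read down, no write up. Levels here are integrity levels."""
    if action == "read":
        # Simple integrity property: reading lower-integrity data would contaminate the subject.
        return subject <= obj, "simple integrity property (no read down)"
    if action == "write":
        # Integrity *-property: a low-integrity subject must not corrupt higher-integrity objects.
        return subject >= obj, "integrity *-property (no write up)"
    raise ValueError(f"unknown action: {action}")


def enforce(model: str, subject: Level, obj: Level, action: str) -> bool:
    """Reference-monitor entry point: every access goes through here and is logged."""
    decide = {"blp": blp_decide, "biba": biba_decide}[model]
    allowed, rule = decide(subject, obj, action)
    print(f"[{model}] {subject.name} {action} {obj.name}: "
          f"{'ALLOW' if allowed else 'DENY'} ({rule})")
    return allowed


if __name__ == "__main__":
    # Constructed requests: a SECRET-level process touching TOP_SECRET and CONFIDENTIAL objects.
    for model in ("blp", "biba"):
        for obj in (Level.TOP_SECRET, Level.CONFIDENTIAL):
            for action in ("read", "write"):
                enforce(model, Level.SECRET, obj, action)
```

Run as-is, the demo shows the same SECRET subject allowed to read CONFIDENTIAL under BLP but denied under Biba, and the reverse for TOP_SECRET: each model protects one property at the expense of the other, which is why real systems that want both (e.g. SELinux MLS plus integrity labels) evaluate them as separate checks.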
3.3 Security Evaluation Objectives
A Trusted System has undergone sufficient benchmark
testing, verification, and validation (by an independent
third party) to ensure that the product meets the users
requirements.
• Functionality is verification that a security control exists and that it works
correctly at least once.
• Assurance is a degree of confidence that the system will act in a correct
and predictable manner in every computing situation (trustworthy
computing).
3.3 Security Evaluation Criteria
TCSEC: Developed in 1983, the Trusted Computer System Evaluation Criteria (TCSEC) was used to evaluate, classify, and select systems for the DoD based upon confidentiality requirements. Originally published as the Orange Book and expanded to 20+ books known as the Rainbow Series. Superseded by the Common Criteria.
ITSEC: Developed in 1991 by a consortium of European nations, the IT Security Evaluation Criteria (ITSEC) is used to evaluate the functionality and assurance of a computer system based upon a vendor-defined set of requirements. Functionality and assurance are evaluated independently and separately. Generally replaced by the Common Criteria.
Common Criteria: Development began in 1993 and it is now standardized as ISO/IEC 15408. The Common Criteria provides a universal structure and language for expressing product and system requirements. Products are evaluated against a protection profile and the results are published.
3.4 Trusted Computing Base
Trusted Computing Base is the combination of all the security
mechanisms within a computer including hardware, software, and
firmware.
3.4 Hardware/Firmware Security Components
BIOS (Basic Input Output System): Non-volatile firmware that initializes hardware at boot.
UEFI (Unified Extensible Firmware Interface): BIOS replacement. Supports requiring firmware updates to be digitally signed.
Secure Boot: UEFI feature that verifies the digital signature of each boot component (firmware drivers, boot loader, OS loader) before it executes.
TPM (Trusted Platform Module): Chip that protects cryptographic keys, hashes (boot measurements), and certificates.
HSM (Hardware Security Module): Device used for cryptoprocessing and key protection.
FDE / SED (Full disk encryption / Self-encrypting drives): Hardware-based mechanism for automatically encrypting an entire drive.
CPU Rings: Conceptual privilege boundaries that control how processes are executed and their level of trust (ring 0 kernel, ring 3 user).
3.4 Single Point of Failure
A single point of failure (SPOF) is any technology
component whose failure impacts the availability of the
entire system.
• SPOFs can be anywhere in the dependency chain.
• Identify each SPOF and its business impact.
• Invest in system survivability using high availability and fault-tolerant
technologies.
3.5 Architecture Vulnerability
Configuration: Description / Advantage / Vulnerability
• Centralized: Centralized processing / Tightly controlled / Impact to the entire platform
• Client/Server: Inherent trust between client and server / Flexibility / Every connection is a potential attack conduit
• Distributed: No central authority / Distributed ownership / Distributed management
• Large Scale (Parallel): Disparate systems working in concert (e.g. cluster) / Force multiplier effect (increase in capability) / Data aggregation
• Grid: Sharing of CPU and other resources across a network / Power (e.g. seti@home project) / Distributed management and authentication
• ICS/SCADA: Embedded systems that monitor and control industrial processes / Power complex systems such as the electric grid / Weak authentication, outdated OS, inability to patch, remote access
3.5 Cloud Deployment Models
Model: Description / Considerations
• Public Cloud: Provisioned for public use / Location, Multitenancy
• Community Cloud: Provisioned for the exclusive use of a well-defined group / Multitenancy
• Private Cloud: Provisioned for the exclusive use of a single organization / Scalability
3.5 Cloud Service Models - SaaS
SaaS (Software as a Service). Provided: computing resources + operating system + application.
Customer impact:
• The customer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities.
• The customer uses the provider's applications running on a cloud infrastructure.
• The customer has control over limited user-specific application configuration.
Considerations: Availability, Maintenance, Vulnerability Management, Confidentiality, Privacy, Data Ownership, Multitenancy, Testing
3.5 Cloud Service Models - PaaS
PaaS (Platform as a Service). Provided: computing resources + operating system (optionally, database).
Customer impact:
• The customer does not manage or control the underlying cloud infrastructure, operating system, programming languages, tools, and platform.
• The customer deploys created or acquired applications onto the cloud infrastructure.
• The customer has control over deployed applications and possibly configuration settings for the application-hosting environment.
Considerations: Availability, Maintenance, Vulnerability Management, Confidentiality, Privacy, Data Ownership
3.5 Cloud Service Models—IaaS
IaaS (Infrastructure as a Service). Provided: "bare metal" computing resources.
Customer impact:
• The customer does not manage or control the underlying cloud infrastructure.
• The customer can provision processing, storage, networks, and other fundamental computing resources.
• The customer has control over the operating system, storage, and deployed applications, and possibly limited control of select networking components (e.g. host firewalls).
Considerations: Availability, Maintenance, Vulnerability Management
3.5 Cloud Access Security Brokers
Cloud access security brokers (CASBs) are security policy
enforcement points (software or appliance) placed between "the cloud"
and enterprise users.
• Security policies are applied as cloud-based resources are accessed: for
example, authentication, encryption, visibility, and DLP.
• Provides control over shadow IT applications.
• Shadow IT describes the use of IT solutions that are managed
outside of and without the knowledge of the IT department.
• CASBs proxy traffic (or consume the cloud provider's APIs) and use auto-discovery to identify cloud applications.
3.5 Security-as-a-Service
Security-as-a-Service (SecaaS) is the delivery of managed
security services for public, private, and hybrid cloud
environments.
• SecaaS relieves the burden of relying on the SaaS, PaaS, or IaaS vendor for
security protection and enforcement.
• Services include encryption, activity monitoring, DLP, malware detection,
filtering, firewall, policy enforcement, email security, intrusion detection,
authentication, and more.
3.6 Web Vulnerabilities
Web systems are particularly vulnerable due to their level
of exposure, accessibility, and rapid rate of change.
• Security misconfiguration can happen at any level of an application stack,
including the platform, web server, application server, database,
framework, and custom code.
• System owners, developers, and system administrators need to work
together to ensure that the entire stack is configured properly.
• Resource http://www.owasp.org
3.6 Improper Input/Output Validation
Injection: Tricking an application into including unintended commands in the data sent to an interpreter (e.g. OS, LDAP, SQL). Impact: can result in database, schema, account, and/or operating system access.
Cross-Site Scripting (XSS): Injection of malicious code into a vulnerable web application or back-end database that will execute scripts in a victim's browser. Impact: can result in user session hijack, redirection to a malware distribution site, or bypassing access controls.
Cross-Site Request Forgery (CSRF/XSRF): Tricking a web browser into executing a malicious action on a trusted site for which the user is currently authenticated. CSRF exploits the trust that a site has in a user's browser. Impact: can result in data theft, unauthorized funds transfers, credential modifications, or stolen session cookies.
3.6 OWASP 2017 #1 Injection
Vulnerability: Injection
Description: Tricking an application into including unintended commands in the data sent to an interpreter (e.g. OS, LDAP, SQL)
Flaw: Improper input/output validation
Impact: Can result in unauthorized access, data exfiltration, and data corruption
Mitigation:
• Use of a "safe" (parameterized) API
• Positive ("whitelist") input and output validation
3.6 Injection Illustrated (SQL)
1. The application presents a form to the attacker.
2. The attacker sends an attack string (SQL fragment) in the form data.
3. The application forwards the attack string to the DB inside a SQL query.
4. The DB runs the query and sends the results back to the application.
5. The application sends the results to the attacker.
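The five steps above, together with the "safe API" mitigation from the previous slide, run end to end in the following Python script against an in-memory SQLite database. It is an added example, not code from the course deck: the users table, its two rows and the two attack strings are constructed for the demo, and passwords are stored in plaintext only to keep it short (real systems store salted, stretched hashes).

```python
"""SQL injection: the five-step flow run against an in-memory SQLite database.

Added example, not from the course deck. The users table, its rows and the
attack strings are constructed for illustration. Passwords are stored in
plaintext only to keep the demo short; real systems store salted hashes.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    # Step 3 as the slide describes it: form data is pasted straight into the SQL text,
    # so the DB cannot tell the attacker's quote and comment characters from the query.
    query = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    # The "safe API": the SQL is fixed; values travel as bound parameters and are
    # never interpreted as SQL, whatever characters they contain.
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


# Constructed attack strings (step 2). `--` starts a SQL comment, which discards the
# password check; the second one also injects a tautology to dump every row.
ATTACK_BYPASS_PASSWORD = "alice' --"
ATTACK_DUMP_ALL = "' OR '1'='1' --"


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, bypass:", login_vulnerable(db, ATTACK_BYPASS_PASSWORD, "wrong"))
    print("vulnerable, dump:  ", login_vulnerable(db, ATTACK_DUMP_ALL, "wrong"))
    print("safe, bypass:      ", login_safe(db, ATTACK_BYPASS_PASSWORD, "wrong"))
    print("safe, real creds:  ", login_safe(db, "alice", "s3cret"))
```

Note that a plain `' OR '1'='1` without the trailing comment would not work here, because `AND` binds tighter than `OR` and the password check would still apply; the comment is what removes it. The parameterized version returns nothing for either attack string because the whole string is compared as a username value.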
3.7 OWASP Mobile Top 10 Vulnerabilties
M1: Weak Server Side Controls
M2: Insecure Data Storage
M3: Insufficient Transport Layer Protection
M4: Unintended Data Leakage
M5: Poor Authorization and Authentication
M6: Broken Cryptography
M7: Client-Side Injection
M8: Security Decision via Untrusted Inputs
M9: Improper Session Handling
M10: Lack of Binary Protections
3.8 Embedded System (IoT)
An embedded system is an electronic product that contains
a microprocessor and software designed to perform a
specific task. An embedded system can be either fixed or
programmable.
• Embedded systems are found in consumer, cooking, industrial, automotive,
medical, commercial, and military applications.
• Embedded systems range from very small personal devices to large-scale
environments. For example, digital watches, health meters, printers/MFDs,
camera systems, routers, sensors, traffic lights, automotive safety systems, and
industrial control systems.
• Internet of Things (IoT) sensors and actuators embedded in physical
objects, from roadways to pacemakers, are linked through wired and
wireless networks and provide a pathway for attack.
3.9 Cryptography
Cryptography is the practice and study of techniques for
secure communication.
Primary cryptographic use cases and corresponding
techniques include:
• Obfuscation (steganography [non-crypto])
• Confidentiality (encryption)
• Integrity (hashing)
• Non-repudiation (digital signatures)
• Authentication (digital certificate)
3.9 Steganography
Steganography is the art of hiding information.
• The goal of steganography is to obfuscate (hide) or conceal.
• Digital steganography is the practice of concealing a file within another file.
• Hidden binary files are most often found embedded in image and audio
files
3.9 Steganography Illustrated
Copy /b image1.jpg+text1.txt final1.jpg
The Windows binary copy (/b) concatenates text1.txt after the last byte of image1.jpg. Image viewers stop at the JPEG end-of-image marker and ignore the trailing bytes, so final1.jpg still displays normally while carrying the hidden text.
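The `copy /b` trick above and the check an analyst would run against it, as an added Python example that is not part of the course deck. Hiding is a one-line append; detecting it properly means walking the JPEG marker structure to find where the image really ends, because a naive search for the `FF D9` end-of-image bytes is fooled by EXIF thumbnails (an APP1 segment routinely contains a complete second JPEG with its own end marker). `SAMPLE_JPEG` is a constructed marker skeleton, not a decodable picture, so the script runs with no image on disk.

```python
"""Append-type steganography (the `copy /b` trick) and how to detect it.

Added example, not from the course deck. SAMPLE_JPEG below is a constructed
minimal marker skeleton (valid marker structure, not a decodable picture)
so the code runs without an image file on disk.
"""

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA


def hide(image: bytes, payload: bytes) -> bytes:
    """Equivalent of `copy /b image1.jpg+text1.txt final1.jpg`: bytes after EOI are ignored by viewers."""
    return image + payload


def jpeg_end_offset(data: bytes) -> int:
    """Walk the JPEG marker segments and return the offset just past the real EOI marker.

    A naive data.find(b"\\xff\\xd9") is wrong: an APP1 (EXIF) segment commonly embeds a
    thumbnail that is itself a full JPEG with its own EOI. Marker segments carry a
    length, so they are skipped by length; inside entropy-coded scan data 0xFF is
    always followed by 0x00 (stuffing) or an RSTn marker, so the next FFxx with any
    other code is a real marker.
    """
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("missing SOI marker; not a JPEG")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:   # skip fill bytes
            pos += 1
        if pos >= len(data):
            break
        marker = data[pos]
        pos += 1
        if marker == EOI:
            return pos
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # TEM / RSTn: standalone markers
            continue
        seg_len = int.from_bytes(data[pos:pos + 2], "big")
        if seg_len < 2 or pos + seg_len > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        pos += seg_len                                  # length field counts itself
        if marker == SOS:                               # entropy-coded data follows the SOS header
            while True:
                nxt = data.find(b"\xff", pos)
                if nxt == -1 or nxt + 1 >= len(data):
                    raise ValueError("truncated scan data")
                code = data[nxt + 1]
                if code == 0x00 or 0xD0 <= code <= 0xD7:
                    pos = nxt + 2                       # stuffed byte or restart marker: still scan data
                elif code == 0xFF:
                    pos = nxt + 1                       # fill byte
                else:
                    pos = nxt                           # a real marker: back to segment parsing
                    break
    raise ValueError("no EOI marker found")


def extract_trailing(data: bytes) -> bytes:
    """Return whatever follows the image's EOI marker (empty for a clean file)."""
    return data[jpeg_end_offset(data):]


# Constructed skeleton: SOI, APP0, APP1 holding a fake thumbnail with its own SOI/EOI,
# an SOS header, scan bytes with a stuffed FF00 and an RST0 marker, then the real EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + b"\xff\xe0\x00\x04JF"
    + b"\xff\xe1\x00\x06\xff\xd8\xff\xd9"
    + b"\xff\xda\x00\x03\x01"
    + b"\x12\xff\x00\x34\xff\xd0\x56"
    + b"\xff\xd9"
)

if __name__ == "__main__":
    stego = hide(SAMPLE_JPEG, b"meet at the old mill, 23:00")
    print("naive find says image ends at", SAMPLE_JPEG.find(b"\xff\xd9") + 2)   # fooled by the thumbnail
    print("marker walk says image ends at", jpeg_end_offset(SAMPLE_JPEG))
    print("hidden payload:", extract_trailing(stego))
```

Any non-empty result from `extract_trailing` on a file that should be a plain photo is worth a look; the same walk also flags truncated or malformed files, which is useful on its own when triaging uploads.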
3.9 Cryptographic Terminology — Cipher
Plaintext (cleartext): Human-readable text
Ciphertext: Encrypted and/or human-unreadable text
Cipher: A technique that transforms plaintext into ciphertext and back to plaintext
Stream Cipher: Cipher that works on one bit (or byte) at a time
Block Cipher: Cipher that works on fixed-size blocks of data
Algorithm: A mathematically complex modern cipher
3.9 Cipher Terminology - Techniques
Substitution Cipher: Replaces one character or bit with another character or bit.
Transposition Cipher: Moves characters or bits to another place within the message block.
Confusion: The process of changing the values; complex substitution functions are used to create confusion.
Diffusion: The process of changing the order; sending bits through multiple rounds of transposition is used to create diffusion.
3.9 Cryptographic Terminology - Key
Key / Cryptovariable: Secret value used with an algorithm. The key dictates what parts of the algorithm will be used, in what order, and with what values.
Key Space: Number of possible key combinations (e.g. a 256-bit key gives 2^256 ≈ 1.158 x 10^77 possible keys).
Key Stretching: The initial key (or password) is fed into an algorithm that outputs an enhanced (stronger) key.
Symmetric: Using a single shared key.
Asymmetric: Using two mathematically related keys (public / private).
Public Key: Key that is publicly distributed.
Private Key: Corresponding key that is secured by the owner.
3.9 Symmetric Encryption Illustration
Plaintext → Algorithm (3DES, AES, RC5) + shared key → Ciphertext
Ciphertext → Algorithm (3DES, AES, RC5) + the same shared key → Plaintext
3.9 Asymmetric Illustration
Cleartext → Algorithm (RSA, ECC, Diffie-Hellman, El Gamal) + recipient's public key → Ciphertext
Ciphertext → Algorithm (RSA, ECC, Diffie-Hellman, El Gamal) + recipient's private key → Cleartext
3.9 Symmetric vs. Asymmetric Encryption
Feature: Symmetric / Asymmetric
• # of Keys: Single shared key / Key pair
• Block Sizes: Large / Small
• Processing: Computationally efficient / Computationally intensive
• Strength: Strong with relatively small keys (e.g. AES-128) / Needs much larger keys for equivalent strength (e.g. RSA-3072 ≈ AES-128; ECC keys are smaller than RSA keys)
• Scalability: Not scalable (one key per pair of parties) / Scalable (one key pair per party)
• Key Exchange: The shared key must itself be distributed securely, which is inherently difficult / Public keys can be distributed openly and used to exchange symmetric keys
3.9 Key Pairs in Action for Encryption
Alice has a key pair.
‒ She freely distributes her public key.
‒ She securely stores her private key.
Bob has a key pair.
‒ He freely distributes his public key.
‒ He securely stores his private key.
3.9 Message Flow – Hybrid Solution
Alice wants to send Bob an encrypted message:
1. Alice generates a random session key and encrypts the plaintext message with a symmetric algorithm using the session key.
2. Alice encrypts the session key with an asymmetric algorithm using Bob's public key.
3. Alice sends Bob the encrypted message and the encrypted session key.
4. Bob decrypts the session key with the asymmetric algorithm using his private key.
5. Bob decrypts the message with the symmetric algorithm using the recovered session key.
3.9 Hashing
Hashing produces a fixed-length digest (fingerprint) of a data set using a one-way function.
• The original message remains intact; the digest is sent or stored alongside it.
• Any change to the input produces a different digest.
• Salts are random values appended to the input (typically a password) before hashing, so that identical inputs produce different digests and precomputed lookup tables are defeated.
3.9 Hash Calculation
3.9 Message Digest in Action
1. Alice puts the message through a hashing algorithm and generates a message digest (hash) value.
2. Alice sends the message and the message digest to Bob.
3. Bob receives the message and the message digest.
4. Bob puts the message through the same hashing algorithm and generates a message digest.
5. Bob compares both message digests.
• If the message digests are the same, the message was not modified in transmission.
• If the message digests are different, the message was modified in transmission.
3.9 Hashed MAC
A hashed message authentication code (HMAC) is a keyed hash: a digest
computed over the message together with a shared symmetric key.
• An HMAC cannot be reproduced (or forged for a modified message) without knowing the key.
• An HMAC provides integrity and data origin authentication; a plain digest provides integrity only.
• HMAC is used by cryptographic protocols such as TLS and IPsec to
verify the integrity of transmitted data during secure communications.
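The Hashing, Message Digest in Action and Hashed MAC slides are one example in working code, added here and not part of the course deck. It uses only the Python standard library: Alice's digest and Bob's comparison, then an on-path attacker who rewrites the message and simply recomputes the digest (which still verifies, because a plain hash carries no origin authentication), then the same rewrite against an HMAC, which fails without the shared key. A PBKDF2 helper at the end shows salting and key stretching together. The message, key and attacker text are constructed for the demo.

```python
"""Message digest vs. HMAC: why a plain hash gives integrity but not origin authentication.

Added example, not from the course deck. The message, the shared key and the
attacker's rewrite are constructed for illustration. Uses only the standard library.
"""
import hashlib
import hmac
import os


def digest(message: bytes) -> str:
    """Step 1 of the slide: a fixed-length fingerprint of the message."""
    return hashlib.sha256(message).hexdigest()


def verify_digest(message: bytes, received: str) -> bool:
    """Bob's check: recompute and compare (constant-time compare avoids timing leaks)."""
    return hmac.compare_digest(digest(message), received)


def tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256 over the message with the shared key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, message: bytes, received: str) -> bool:
    return hmac.compare_digest(tag(key, message), received)


def attacker_rewrites(message: bytes, replacement: bytes, key_guess: bytes = b"") -> tuple:
    """An on-path attacker swaps the message and simply recomputes the digest.

    For the HMAC the attacker has to guess the key; without it the tag will not verify.
    """
    return replacement, digest(replacement), tag(key_guess, replacement)


def salted_password_hash(password: bytes, salt: bytes = None, iterations: int = 600_000) -> tuple:
    """Salt + key stretching (PBKDF2-HMAC-SHA256) for stored credentials.

    Returns (salt, hash). The same password with a different salt gives a different hash.
    """
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


if __name__ == "__main__":
    key = os.urandom(32)                     # shared out of band between Alice and Bob
    msg = b"transfer 100 to alice"
    d, t = digest(msg), tag(key, msg)
    print("digest verifies:", verify_digest(msg, d), "| tag verifies:", verify_tag(key, msg, t))
    m2, d2, t2 = attacker_rewrites(msg, b"transfer 100 to mallory")
    print("after tampering, digest still verifies:", verify_digest(m2, d2))
    print("after tampering, HMAC verifies:", verify_tag(key, m2, t2))
```

`hmac.compare_digest` is used for both comparisons on purpose: a plain `==` on hex strings returns as soon as the first byte differs, which leaks how much of a forged tag was correct.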
3.9 Hash Attacks
Collision: Using mathematical techniques to force two inputs into producing the same hash value. The hash function can then no longer be relied upon to distinguish different data.
Birthday: Exploits the mathematics behind the birthday problem in probability theory to find a collision far faster than brute force (roughly 2^(n/2) attempts for an n-bit hash).
Pass-the-Hash: Using captured hashed credentials from one machine to successfully gain control of another machine (the hash itself is accepted as the credential, so it never has to be cracked).
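The birthday row is easy to see rather than take on trust. The following Python script, an added example that is not part of the course deck, truncates SHA-256 to 32 bits (purely so the search finishes in seconds; SHA-256 itself is not at risk) and hashes counter-derived messages until two different inputs share a digest. The number of tries lands near sqrt(pi/2 * 2^32), about 82,000, against the 2^32 a brute-force preimage would need. The input strings are constructed.

```python
"""Birthday search for a collision in a truncated hash.

Added example, not from the course deck. SHA-256 is truncated to `bits` bits
only so the collision is findable in seconds; the input strings are constructed.
"""
import hashlib
import math


def truncated_hash(data: bytes, bits: int) -> int:
    """Leading `bits` bits of SHA-256, as an integer. Stands in for a weak/short hash."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def expected_birthday_tries(bits: int) -> float:
    """Expected inputs before a collision: sqrt(pi/2 * 2^bits), versus 2^bits for a preimage."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def find_collision(bits: int, max_tries: int = 5_000_000):
    """Hash counter-derived messages until two different inputs share a truncated digest.

    Returns (input_a, input_b, tries). Memory use is the table of digests seen so far,
    which is the classic time/memory trade-off of a birthday search.
    """
    seen = {}
    for i in range(max_tries):
        msg = b"message-%d" % i                # every input is distinct, so a repeat digest is a real collision
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
    raise RuntimeError("no collision within max_tries")


if __name__ == "__main__":
    bits = 32
    a, b, tries = find_collision(bits)
    print(f"{bits}-bit truncated hash: collision after {tries} tries "
          f"(expected ~{expected_birthday_tries(bits):.0f}, brute-force preimage ~{2**bits})")
    print(a, b, hex(truncated_hash(a, bits)), hex(truncated_hash(b, bits)))
```

The same arithmetic is why a 128-bit digest (MD5) offers only about 64 bits of collision resistance, and why signature schemes and certificate issuance care about collision resistance rather than preimage resistance.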
3.9 Digital Signature
A digital signature is a message digest that has been encrypted
using a private key and digital signature algorithm (RSA, DSA).
3.9 Digital Signature in Action
3.9 Digital Certificates
A digital certificate binds a public key to a collection of
identity attributes sufficient to authenticate the claimed owner; the
matching private key is generated and kept by the owner, never by the certificate.
• The X.509 standard defines the certificate format and fields for public keys.
• The X.509 standard also defines certificate revocation list (CRL) formats and distribution procedures.
• The current version of X.509 for certificates is v3.
3.9 Types of Digital Certificates (Use)
Personal: Verifies a user identity (generally used for email)
Server (Machine/Computer): Verifies a server identity
Domain Validation: Verifies a web domain. A wildcard certificate can be used with multiple subdomains of a domain (e.g. *.example.com)
Organization Validation: Verifies a web domain and an organization
Extended Validation: Verifies a web domain and an organization subject to additional vetting (what used to be the "green bar")
Code / Object signing: Verifies origination/ownership as well as object integrity
Trusted/Intermediate: Identifies root and intermediate Certificate Authorities
3.9 Self-signed Certificate
A self-signed certificate is signed by the person creating it.
• The advantage is that there is no additional expense.
• The disadvantages are that a self-signed certificate can easily be
impersonated, will present the user with a warning message and cannot be
revoked.
• Use cases include an internal development server.
3.9 Trust Models (Chain of Trust)
A Trust Model defines how users trust other users, organizations, CAs and RAs within the PKI.
Web of Trust – No central authority. Each user creates and signs their own certificate. Users sign each others’ public keys, indicating “trust”.
Third party (Single Authority) Trust – A central third-party Certificate Authority (CA) signs a key and authenticates the owner.
Hierarchical Model – Extension of third party trust in which root CAs issue certificates to lower-level “intermediate” CAs, which can then issue certificates. Trust is inherited.
• An offline root CA is one that is isolated from a network and is often kept powered down to prevent compromise.
• A Registration Authority (RA) offloads some of the work from the CA. The RA can accept and process registration requests and distribute certificates.
• A Local Registration Authority (LRA) requires physical identification.
3.9 Certificate Lifecycle
Certificate Signing Request (CSR) → Certificate is issued → Certificate is published → Certificate is received → Certificate is suspended/revoked or expired → Key is destroyed
3.9 Certificate Revocation
Suspension – Temporary revocation of a certificate until a certificate problem can be resolved.
Revocation – Permanent withdrawal of trust by the issuing authority before the scheduled expiration date.
Certificate Revocation List (CRL) – CA-maintained list of certificates that have been revoked
• Pull model – CRL is downloaded by the user or organization
• Push model – CRL is automatically sent out by the CA at regular intervals
Online Certificate Status Protocol (OCSP) – Process designed to query the status of a certificate in real time.
• OCSP stapling is a time-stamped (cached) OCSP response
3.9 Crypto Attack Categories
The intention is to break a cryptosystem and find the plaintext from the ciphertext. The attacker’s objective is to identify the key.
Ciphertext Only – A sample of ciphertext is available without the plaintext associated with it.
Known Plaintext – A sample of ciphertext and the corresponding known plaintext is available.
Chosen Plaintext – The attacker can choose the plaintext to be encrypted and obtain the corresponding ciphertext.
Chosen Ciphertext – The attacker can select the ciphertext and obtain the corresponding plaintext.
3.9 Key Attacks
Brute Force – Every possible key is tested (online/offline)
Dictionary – A list of known keys is tested
Frequency – Looking for patterns to reveal the key
3.9 Cryptography Controls Review
Encryption is used to ensure confidentiality.
Hashing is used to prove integrity.
Digital signatures are used to provide non-repudiation.
Digital Certificates are used for authentication.
3.10 Building Security
Building and facility security focuses primarily on
preventive, deterrent, and detective access controls and
workplace safety.
Physical security is based upon a layered defense model.
• Obstacles to frustrate trivial attackers and delay serious ones
• Detective controls make it likely that attacks will be noticed
• Response mechanisms to repel, catch, or frustrate attackers
3.10 Building Security
Lighting – Lighting for personnel safety and intruder deterrence
• Intruders are less likely to enter well-lit areas
• Lighting can be continuous, motion triggered, random, timed, or standby
• Lighting should be tamper-proof and have a backup power supply
Signs – Signs for personnel safety and intruder deterrence
• Warning signs indicate surveillance (“someone is paying attention”)
Physical Barrier – Fences, walls, gates, barricades, bollards, and mantraps define the perimeter.
• They serve to prevent, deter, or delay (increase workfactor) an attack.
Surveillance – Surveillance technologies such as IDS/IPS, closed-circuit TV (CCTV) and camera systems can be used to monitor, detect (and report) suspicious, abnormal, or unwanted behavior.
Security Guards – Security personnel may be stationed at checkpoints, patrol the area, manage surveillance, and respond to breaches and/or suspicious activity.
3.11 Environmental Impact
Computers, electronic equipment, and transmission media
are sensitive to environmental factors such as heat,
humidity, air flow, and power quality.
• Environmental imbalance can impact stability, availability, and integrity.
3.11 Environmental Security
Heat – Acceptable temperature is between 70–74 degrees.
Humidity – Acceptable relative humidity is between 45–60%.
Fire – Fire protection is comprised of four elements – prevention, detection, containment and suppression
EMI/RFI – Equipment should have limited exposure to magnets, fluorescent lights, electric motors, space heaters, and wireless access points. Copper and coax cable should be shielded.
Air Flow – Hot Aisle / Cold Aisle configuration for data center racks
Power – Electrical power supplied to electronic devices must have consistent voltage and a minimum of interference. Devices need to be protected against surges, spikes, sags, brownouts, and blackouts.
3.9 Power Protection
Blackout – Prolonged period without power
Brownout – Prolonged period of low voltage
• Mitigating controls: battery backup (UPS), alternate power supply (generator), supplier diversity
Sag – Moment of low voltage
• Mitigating control: voltage regulator
Surge – Prolonged period of high voltage
Spike – Moment of high voltage
• Mitigating controls: surge protectors, power line conditioners, battery backups (UPS)
Power Supply Failure – Failure of internal power supply or fan
• Mitigating control: redundant power supply
Domain 3 Security Architecture and Engineering
3.1 Implement and manage engineering processes using secure design principles
3.2 Understand the fundamental concepts of security models
3.3 Select controls based on systems security requirements
3.4 Understand security capabilities of information systems
3.5 Assess and mitigate vulnerabilities of security architectures, designs, and solution elements
3.6 Assess and mitigate vulnerabilities in web-based systems
3.7 Assess and mitigate vulnerabilities in mobile systems
3.8 Assess and mitigate vulnerabilities in embedded devices
3.9 Apply cryptography
3.10 Apply security principles to site and facility design
3.11 Implement site and facility security controls
Assessment Q1
The purpose of this device is to provide control over
shadow IT applications.
A. SecaaS
B. DLP
C. CASB
D. IaaS
Assessment Q2
The rules for this conceptual model are – no read up and
no write down. This is the _______ model and the
objective is ___________.
A. Biba, integrity
B. Bell-LaPadula, confidentiality
C. Biba, confidentiality
D. Bell-LaPadula, integrity
Assessment Q3
Which system(s) are particularly vulnerable to exploit due
to weak authentication, outdated operating systems, and
limited (if any) maintenance window?
A. Cloud
B. Client/Server
C. ICS/SCADA
D. Parallel
Assessment Q4
Mary wants to use asymmetric encryption for a session key
exchange with Bob. Which cryptovariable should she use to
encrypt the session key?
A. Mary’s public key
B. Mary’s private key
C. Bob’s public key
D. Bob’s private key
Assessment Q5
A __________________ is a message digest that has been
encrypted using a private key.
A. cipher
B. digital certificate
C. digital signature
D. salt
Domain 1 Security & Risk Management – 15%
Domain 2 Asset Security – 10%
Domain 3 Security Architecture and Engineering – 13%
Study Strategies
Study Plan
Schedule your exam!
• Create a study plan and stick to it.
• Watch my videos – The Complete CISSP 2nd Edition available on O’Reilly
Media (SafariBooksOnline)!
• Study with a buddy.
• Make flash cards.
• Talk to yourself, seriously.
The Zen of Studying
Relax. Breathe deeply. Enjoy.
• Remind yourself you can do this.
• Approach the material and the exam with a positive, can-do attitude.
• Don’t think of preparing for and taking the exam as a chore – envision it as an
opportunity to validate your knowledge and experience.
• Promise yourself a wonderful indulgence at the completion of this journey.
Day 2
Join me tomorrow for Part II of the CISSP Crash Course.
• Segment 1: Domain 4 Communication and Network Security
• Segment 2: Domain 5 Identity and Access Management (IAM)
• Segment 3: Domain 6 Security Assessment and Testing
• Segment 4: Domain 7 Security Operations
• Segment 5: Domain 8 Software Development Security
• Segment 6: Preparing for Test Day!

Day 1 feedback – I encourage you to send me an email: sari@sarigreenegroup.com.
Until tomorrow ….. Have a great day/evening.
