CISSP Certification
Crash Course Day 1
Sari Greene
CISSP-ISSMP, CRISC, CISM, CISA
Sari Greene: Contact
e: sari@sarigreenegroup.com t: @sari_greene
l: https://www.linkedin.com/in/sarigreene/
w: www.sarigreenegroup.com
Polling Question – Who are you?
o I’ve just begun studying for the CISSP exam.
o I am in the midst of studying for the CISSP exam.
o I am almost ready to take the CISSP exam.
o I am already a CISSP.
CISSP Crash Course Objectives
If you have just begun studying:
• Immersion into the eight (ISC)2 common body of knowledge (CBK) security
domains.
If you are in the midst of studying:
• Assess your strengths and weaknesses and perhaps modify your study plan.
Day 1 Agenda
• Domain 1: Security & Risk Management (15% of the exam)
• Domain 2: Asset Security (10%)
• Domain 3: Security Architecture and Engineering (13%)
• Study Strategies
Domain 1 Security & Risk Management
1.1 Understand and apply the concepts of confidentiality, integrity and availability
1.2 Evaluate and apply security governance principles
1.3 Determine compliance requirements
1.4 Understand legal and regulatory issues that pertain to information security in a global context
1.5 Understand, adhere to, and promote professional ethics
1.6 Develop, document, and implement policies, standards, procedures, and guidelines
1.7 Identify, analyze, and prioritize Business Continuity (BC) requirements
1.8 Contribute to and enforce personnel security policies and procedures
1.9 Understand and apply risk management concepts
1.10 Understand and apply threat modeling concepts and methodologies
1.11 Apply risk-based management concepts to the supply chain
1.12 Establish and maintain a security awareness, education, and training program
May 1, 2021 Changes
Category | Change Description
Weight | Unchanged
Objective Added or Moved | Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, industry standards) [Moved from domain 7]
Objective Removed | None
New Topics | Privacy compliance and issues, candidate screening, employee privacy, risk maturity modeling, gamification, SETA program effectiveness
1.1 CIA Triad
[Figure: the CIA triad, with Confidentiality, Integrity, and Availability as the three sides surrounding Information Security]
1.1 CIA Foundational Principles
Confidentiality is the principle that only authorized people,
processes, or systems have access to information and that
information must be protected from unauthorized disclosure.
Integrity is the principle that data and systems should be
protected from intentional, unauthorized, or accidental
changes.
• Data integrity implies information is known to be good, and that the
information can be trusted as being complete, consistent, and accurate.
• System integrity implies that a system will work as it is intended to.
Availability is the principle that information and systems are
operating and accessible when needed.
1.1 Cybersecurity
Cybersecurity expands the traditional application of information
security by recognizing that we can no longer look at protecting
an organization in isolation.
• We have to recognize that every organization is part of a larger digital ecosystem.
In our connected world, what one organization does or doesn't do has a direct
impact on others.
• Cybersecurity requires that we apply a global framework to the fundamental
principles of confidentiality, integrity, and availability.
1.2 Strategic Alignment
Information security (cybersecurity) is not an isolated
discipline and absolutely should not be siloed.
• It's time to bury the myth that security is an IT issue!
• Every information security decision must be informed by organizational
goals and be in alignment with strategic objectives.
• When strategically aligned, security functions as a business enabler that
adds value.
1.2 Leadership and Governance
Designing and maintaining a secure environment that
supports the mission of the organization requires
enterprise-wide leadership involvement and commitment.
As applied to information security, governance is the
responsibility of leadership to:
• Determine and articulate the organization's desired state of security.
• Provide the strategic direction, resources, funding, and support to ensure
that the desired state of security is achieved and sustained.
1.2 Frameworks & Benchmarks
A framework is a logical structure. The intent of a
framework is to document and organize processes.
• Information security frameworks include the ISO 27000 family, the NIST
Cybersecurity Framework, and the HITRUST Common Security Framework.
A benchmark is intended to help an organization identify
its capabilities and compare those efforts to similar
peers or competitors.
• The CIS Benchmarks (Center for Internet Security) are the most widely accepted
information security configuration benchmarks.
• http://www.cisecurity.org
1.2 Due Care and Due Diligence
Due care is the standard of care that a prudent person
would have exercised under the same or similar conditions.
• Actions taken by an organization to protect its stakeholders, investors,
employees, and customers from harm.
Due diligence is an investigation of a business or person
before entering a contract and during the lifetime of the
relationship.
1.3 Compliance
Organizations are responsible for complying with all local,
state, federal and union laws and regulations.
• Consideration should be given to local customs, traditions, and practices
(cultural, tribal, and religious).
1.6 Information Security Policies
The objective of a policy is to communicate management’s
expectations and requirements with the objective of
providing direction.
• Information security policies codify the high-level requirements for
protecting information and information assets and ensuring confidentiality,
integrity, and availability.
• Written information security policies may be a regulatory or contractual
compliance requirement.
1.6 Standards, Baselines and Guidelines
Standards serve as specifications for the implementation
of policy and dictate mandatory requirements.
• Baselines are the aggregate of standards for a specific category or
grouping such as a platform, device type, ownership, or location.
• Guidelines help people understand and conform to a standard. Guidelines
are customized to the intended audience and are not mandatory.
1.6 Procedures
Procedures are instructions for how a policy, standard,
baseline, or guideline is carried out in a given situation.
Procedures focus on discrete actions or steps, with a
specific starting and ending point.
Four commonly used formats:
• Simple step
• Hierarchy
• Graphic
• Flowchart
1.7 Business Continuity
In its simplest form, business continuity is the capability of
a business to operate in adverse conditions.
The objective of business continuity planning is to prepare
for the continued operation of essential functions and
services during disruption of normal operating conditions.
To support this objective:
• Essential services and processes are identified.
• Threat scenarios are evaluated.
• Response, recovery, and contingency plans are developed.
• Strategies, plans, and procedures are tested.
1.7 Business Impact Analysis
The objective of a Business Impact Analysis (BIA) is to identify
essential services, systems, and infrastructure.
• Essential means that the absence of or disruption of services would result in
significant, irrecoverable, or irreparable harm to the organization, employees,
business partners, constituents, community, or country.
• The outcome of BIA is a prioritized matrix of services, systems, and
infrastructure.
A Business Impact Analysis (BIA) is used by management to:
• make investment decisions.
• prioritize resources.
• guide the development of incident response, disaster recovery, and business
contingency (continuity) plans.
1.7 Business Impact Metrics
Abbr. | Metric | Definition
MTD / MTO | Maximum Tolerable Downtime / Maximum Tolerable Outage | Maximum time a process/service can be unavailable without causing significant harm to the business
RTO | Recovery Time Objective | Amount of time allocated for system recovery. Must be less than the maximum amount of time a system resource can be unavailable before there is an unacceptable impact on other system resources or business processes (i.e., RTO must be less than MTD).
RPO | Recovery Point Objective | Acceptable data loss: the point in time, prior to a disruption or system outage, to which data can be recovered.
1.7 RPO | RTO Timeline
[Figure: RPO and RTO plotted on a timeline around a disruption]
1.8 Employment Lifecycle
[Figure: Onboarding > Employment > Offboarding]
1.8 User Security Controls
Control | Description
Policy/Agreements | Confidentiality Agreement, Acceptable Use Policy and Agreement (AUP)
Training | Ongoing education, training, and awareness programs
Job Rotation | Rotating assignments
Mandatory Vacation | Requiring employees to take a set amount of vacation time
Separation of Duties (Segregation of Duties) | Breaking a task into processes so that no one subject is in complete control or has decision-making power
Dual Control | Requiring more than one subject or key to complete a specific task
1.9 Quantitative Risk Assessment Formulas
SLE ($) = AV ($) x EF (%)
Single Loss Expectancy = Asset Value x Exposure Factor
• Example: Revenue from one hour of e-commerce is $20,000 (AV). A DDoS attack could
disrupt 85% (EF) of online activity. $20,000 (AV) x 0.85 (EF) = $17,000 (SLE).
The cost of an hour of DDoS disruption is $17,000.
ALE ($) = SLE ($) x ARO (#)
Annualized Loss Expectancy = Single Loss Expectancy x Annualized Rate of Occurrence
• Example: Single Loss Expectancy for an hour of DDoS disruption is $17,000.
Based on the current threat and controls environment, it is expected that there
will be 5 hours (ARO) of DDoS disruption per year.
$17,000 (SLE) x 5 (ARO) = $85,000 (ALE)
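The two formulas above, as an added example that is not part of the slides. It carries the DDoS numbers through SLE and ALE, and then goes one step beyond the slide to the comparison practitioners actually make with an ALE: whether a proposed safeguard is worth its annual cost. The safeguard (a scrubbing service at $30,000 per year that cuts EF to 20% and ARO to 2) is an assumption made for the example, not a figure from the course.

```python
"""Quantitative risk: SLE = AV x EF, ALE = SLE x ARO, and the value of a
safeguard (ALE before - ALE after - annual cost of the safeguard).
Added example; the DDoS figures are the slide's, the safeguard is made up."""

from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF.  EF is a fraction, so 85% is passed as 0.85."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO.  ARO may be fractional (0.1 = once per ten years)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float           # recurring cost of the control, per year
    new_exposure_factor: float   # EF once the control is in place
    new_aro: float               # ARO once the control is in place


def safeguard_value(asset_value: float, ef: float, aro: float, sg: Safeguard) -> float:
    """Annual value of a safeguard = ALE(before) - ALE(after) - annual cost.
    Positive means the control pays for itself; negative means accept the
    risk or look for a different treatment."""
    ale_before = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef), aro)
    ale_after = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, sg.new_exposure_factor), sg.new_aro)
    return ale_before - ale_after - sg.annual_cost


if __name__ == "__main__":
    av, ef, aro = 20_000, 0.85, 5          # slide's DDoS example
    sle = single_loss_expectancy(av, ef)   # 17,000
    ale = annualized_loss_expectancy(sle, aro)  # 85,000
    # Assumed safeguard for the demonstration (not from the course).
    scrubbing = Safeguard("DDoS scrubbing service", annual_cost=30_000,
                          new_exposure_factor=0.20, new_aro=2)
    print(f"SLE=${sle:,.0f} ALE=${ale:,.0f}")
    print(f"value of '{scrubbing.name}': ${safeguard_value(av, ef, aro, scrubbing):,.0f}/yr")
```

With the assumed safeguard the ALE drops from $85,000 to $8,000, so after the $30,000 annual fee the control is worth $47,000 a year; the same function returns a negative number for a control that costs more than the loss it prevents.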
1.9 Risk Treatment Options
Option | Description
Ignore | Act as if the risk doesn't exist
Avoid | Eliminate the cause or terminate the associated activity
Mitigate | Reduce the impact or likelihood by implementing controls or safeguards
Share | Spread the risk among multiple parties
Transfer | Assign the risk to another party via insurance or contractual agreement (subject to legal and regulatory constraints)
Accept | Acknowledge the risk and monitor it
1.9 Controls, Countermeasures, and Safeguards
A control (sometimes called the countermeasure or
safeguard) is a tactic, mechanism, or strategy that either:
• Reduces or eliminates a vulnerability (weakness).
• Reduces or eliminates the likelihood that a threat agent will be able to
exploit a vulnerability.
• Reduces or eliminates the impact of an exploit.
1.9 Control Classifications
Classification | Description
Deterrent | Deterrent controls discourage a threat agent from acting.
Preventative | Preventative controls stop a threat agent from being successful.
Detective | Detective controls identify and report a threat agent, action, or incident.
Corrective | Corrective controls minimize the impact of a threat agent or modify or fix a situation (recovery).
Compensating | Compensating controls are alternate controls designed to accomplish the intent of the original controls as closely as possible, when the originally designed controls cannot be used due to limitations of the environment or financial constraints.
Note: A control can (and often does) have multiple classifications depending upon context.
1.9 Control Implementations
Implementation | Description | Examples
Administrative (Management) | Controls relating to oversight, laws, rules, and regulations | Policies, procedures, training, audits, compliance reporting
Physical | Controls that have a material structure (can be seen, heard, touched) | Gate, alarm, guard, barricade, door, lock, ID card
Technical (Logical) | Controls provided through the use of technology and/or a digital device | Encryption, ACLs, firewall rules, anti-virus software, biometric authentication
1.9 Control Cross-Over Examples
Control | Deterrent | Preventative | Detective | Corrective
Firewall (technical control) | "Hardened" appearance discourages opportunistic attacks | Rule-set blocks certain ingress and egress traffic | Activity is logged and alerts can be configured | N/A
Security awareness training (administrative control) | Advises participants of penalties and consequences | N/A | N/A | N/A
Door alarm (physical control) | Discourages use of an alarmed door | N/A | Reacts to the door being opened or threshold crossed | Sounds an alarm that might scare off the intruder
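The firewall row above classifies one control as both preventative (the rule-set) and detective (logging plus alerting). The added example below, which is not from the slides, simulates both in a few functions: a first-match packet filter with an explicit default-deny rule, a deny log in the form a syslog collector would receive, and an alert threshold run over that log. The rules, addresses and traffic are constructed for the example.

```python
"""One control, two classifications: a packet filter that blocks traffic
(preventative) and logs and alerts on what it blocked (detective).
Added example with constructed rules and traffic; not a real firewall."""

import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: str                 # source CIDR the rule matches
    dst_port: Optional[int]  # None matches any destination port


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_port: int


# Constructed rule-set: the internal LAN may reach anything, anyone may reach
# the HTTPS service, and everything else is dropped (default deny).
RULES = [
    Rule("allow", "10.0.0.0/8", None),
    Rule("allow", "0.0.0.0/0", 443),
    Rule("deny", "0.0.0.0/0", None),
]


def evaluate(packet: Packet, rules=RULES) -> str:
    """First-match rule evaluation, the way most packet filters work."""
    ip = ipaddress.ip_address(packet.src_ip)
    for rule in rules:
        in_net = ip in ipaddress.ip_network(rule.src)
        port_ok = rule.dst_port is None or rule.dst_port == packet.dst_port
        if in_net and port_ok:
            return rule.action
    return "deny"  # implicit default deny if no rule matches


def filter_and_log(packets: List[Packet]) -> Tuple[List[Packet], List[str]]:
    """Preventative part: return the packets that pass.
    Detective part: return one log line per blocked packet."""
    passed, log = [], []
    for p in packets:
        if evaluate(p) == "allow":
            passed.append(p)
        else:
            log.append(f"DENY src={p.src_ip} dport={p.dst_port}")
    return passed, log


def alerts_from_log(log: List[str], threshold: int = 3) -> List[str]:
    """Detective control: report any source blocked `threshold` or more
    times, a crude signal for port scanning or brute forcing."""
    hits = Counter(line.split("src=")[1].split()[0] for line in log)
    return sorted(src for src, n in hits.items() if n >= threshold)


# Constructed traffic sample: one internal host, one external host probing
# several ports, and one external host trying SMTP.
SAMPLE_TRAFFIC = [
    Packet("10.1.2.3", 22),
    Packet("203.0.113.7", 443),
    Packet("203.0.113.7", 22),
    Packet("203.0.113.7", 3389),
    Packet("203.0.113.7", 445),
    Packet("198.51.100.9", 25),
]

if __name__ == "__main__":
    passed, log = filter_and_log(SAMPLE_TRAFFIC)
    print(f"{len(passed)} passed, {len(log)} denied")
    print("\n".join(log))
    print("alerts:", alerts_from_log(log))
```

Without the log the same rule-set is only preventative; without the rule-set the log would only ever show allowed traffic. The classification of a control is a property of how it is deployed, which is the point of the "N/A" cells in the table.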
1.10 Threat & Attack Primer
Assessment Q1
How should the information security principles of
confidentiality, integrity, and availability be prioritized?
A. In compliance with regulatory requirements and legal obligations
B. Aligned with organizational strategic objectives
C. Based on industry trends
D. In response to customer demands
Assessment Q2
Which statement best describes data integrity?
A. The system works as intended.
B. Code is bug free.
C. Resource utilization is logged and monitored.
D. Information can be trusted to be complete, consistent, and accurate.
Assessment Q3
Which statement does not describe a control?
A. A tactic or strategy that reduces or eliminates vulnerability.
B. A tactic or strategy that reduces or eliminates likelihood of exploit.
C. A tactic or strategy that reduces or eliminates impact of exploit.
D. A tactic or strategy that reduces or eliminates expense.
Assessment Q4
Which of the following quantitative risk assessment
formulas is true?
A. AV=EF*Cost of Asset
B. ALE=SLE*ARO
C. SLE=EF*ARO
D. ARO=EF*SLE
Assessment Q5
Maximum tolerable downtime (MTD) relates to
_____________. Recovery point objective (RPO) relates to
____________.
A. business functions, system resources
B. system resources, data loss
C. length of outage, system resources
D. business functions, data loss
Domain 2 Asset Security
2.1 Identify and classify information and assets
2.2 Determine and maintain information and asset ownership
2.3 Protect privacy
2.4 Ensure appropriate asset retention
2.5 Determine data security controls
2.6 Establish information and asset handling requirements
May 1, 2021 Changes
Category | Change Description
Weight | Unchanged
Objective Added or Moved | Provision resources securely [Previously in domain 7]; Manage data lifecycle
Objective Removed | Determine and maintain information and asset ownership; Protect privacy
New Topics | Data roles, data collection, data location, end-of-life (EOL), end-of-support (EOS)
2.1 Asset Classification
The purpose of asset classification is to ensure that assets
are properly identified and protected throughout their
lifecycle.
Asset classifications inform handling instructions, control
decisions, audit scope, and regulatory compliance
activities.
• Information assets are generally classified by content (e.g., top secret,
secret, classified, SBU).
• Infrastructure and physical assets are generally classified by criticality of
the services they provide.
2.1 Classification Schemas
Classification schemas vary by sector.
• Government and military classification schemes include:
• U.S. Federal government classification system (FIPS 199)
• Military and national security classification (systems and information)
• Classification schemes are discretionary for the private sector
2.2 Asset Ecosystem
[Figure: Directors & Executive Management > Supporting Functional Roles > Owners > Custodians > Users]
2.2 Asset-related Roles and Responsibilities
Role | Responsibility
Directors & Executive Management | Responsible for governance and oversight. From a legal and regulatory perspective, they are ultimately responsible for the actions (or inaction) of the organization.
Supporting Functional Roles (ISO / IAM, Privacy Officer, Compliance Officer) | Responsibility varies by role and may include: 1. Managing the cybersecurity and/or privacy programs. 2. Identifying threats, vulnerabilities and risks. 3. Compliance with applicable regulatory and contractual obligations. 4. Authorization of data access and sharing.
Owners | Responsible for decisions related to classification and access control, and for oversight of protection mechanisms.
Custodians | Responsible for implementing, managing, and monitoring controls.
Users | Responsible for treating data and interacting with information systems in accordance with organizational policy and standards.
2.3 Privacy Defined
Privacy is the right of the individual to control access to and
the use of their personal information (data).
• Individuals expect their privacy to be respected and their personal
information to be protected by the organizations with which they do
business.
• Individuals also expect that organizations will inform them what
information they collect, why they collect it, and how they update,
manage, export (sell and share) and delete their information.
2.3 Cybersecurity Humanized
2.3 Personal Information (Data)
• Distinguish: the data can be used to identify an individual.
2.3 OECD Privacy Principles
Principle | Description
Data Quality | Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
Purpose Specification | The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
Use Limitation | Personal data should not be disclosed, made available or otherwise used for purposes other than those specified except with the consent of the data subject, or by the authority of law.
Security Safeguards | Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.
2.3 OECD Privacy Principles cont.
Principle Description
Openness There should be a general policy of openness about developments, practices and policies with
respect to personal data. Means should be readily available of establishing the existence and
nature of personal data, and the main purposes of their use, as well as the identity and usual
residence of the data controller.
Accountability A data controller should be accountable for complying with measures which give effect to the
principles stated above.
2.3 Privacy Threshold Assessment
The purpose of the Privacy Threshold Assessment (PTA) is
to identify PII that has been acquired by the organization
and to determine how to appropriately treat the data.
PTAs generally include the following information:
• Description of the system
• What PII is collected and from whom
• Why the PII is collected
• How the PII is used
• Whether the PII is shared or sold
• Regulatory, contractual and ethical requirements
• Should the status quo be maintained or are changes necessary
2.3 Privacy Impact Assessment
A Privacy Impact Assessment (PIA) is a thoughtful decision-
making tool used to identify and mitigate privacy risks at
the beginning of and throughout the lifecycle of a program
or system.
PIAs generally include the following information:
• Description of the system
• What personal information might be collected and from whom?
• Why are we collecting this information (is it necessary)?
• How will it be used now and in the future?
• Do we plan to sell or share this information?
• Are there regulatory, contractual or ethics requirements or obligations?
• How will it be secured?
2.4 Information Lifecycle (Simplified)
Source for the OECD principles: http://www.oecd.org/
[Figure: Collection > Use > Retention > Archiving (with Legal Hold) > Deletion / Destruction]
2.4 Retention and Archiving
Retention is a protocol (set of rules) within an organization
that dictates the data sets that must be kept and for how
long.
• Legal and regulatory requirement must be considered.
Archiving is the process of securely storing pristine
unmodified data for later potential retrieval.
• Backup and replication are the processes of making copies of data to ensure
recoverability. Archiving, backup, and replication are distinct processes.
2.4 Legal Hold and eDiscovery
A legal hold is the requirement for an organization to
preserve all forms of relevant information when litigation,
audit, or government investigation is reasonably
anticipated. The objective is to avoid evidence spoliation.
• A legal hold supersedes organizational retention policies.
• eDiscovery (also called electronic discovery) refers to any process in which
electronic data is sought, located, secured, and searched with the intent of
using it as evidence in a civil or criminal legal case.
2.4 Data Remanence
Data remanence is the residual representation of digital
data that remains even after attempts have been made to
remove or erase the data.
Methods to counter data remanence include:
• Clearing, which is the removal of data in such a way that it cannot be
recovered using normal system functions or recovery utilities.
• Purging, which is the removal of data in such a way that it cannot be
reconstructed by any known technique.
• Destruction, which is the physical act of destroying media in such a way
that it cannot be reconstructed.
2.5 Anti-Remanence Techniques
Technique | Description | Result
Wiping | Overwrites all addressable storage and indexing locations multiple times | Clearing
Degaussing | Using an electromagnetic field to destroy all magnetically recorded data | Purging
Shredding | Physically breaking media into pieces | Destruction
Pulverizing | Reducing media to dust | Destruction
Pulping | Chemically altering media | Destruction
Burning | Incinerating media | Destruction
• Degaussing only affects magnetic media; it does nothing to flash/SSD storage.
Overwriting flash media is also unreliable, because wear-leveling can leave copies
in blocks the operating system cannot address. For SSDs use the drive's built-in
sanitize or cryptographic-erase function, or destroy the media.
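Data remanence and wiping, as an added example that is not from the course: a small simulated block device with a directory index. An ordinary "delete" removes only the index entry, so a raw scan of the medium (what a forensic carving tool does) still finds the contents; "clear" overwrites the blocks before releasing them, which is the wiping row of the table. The block size, file names and contents are made up for the demonstration, and the simulation does not model the wear-leveling caveat above, which is exactly why overwriting is not trusted on flash media.

```python
"""Simulated disk showing data remanence after delete, and its removal by
overwriting (clearing).  Added example; not a real disk tool."""

import os

BLOCK_SIZE = 16


class SimulatedDisk:
    def __init__(self, blocks: int):
        self.media = bytearray(blocks * BLOCK_SIZE)  # the raw medium
        self.index = {}                               # filename -> block numbers
        self.free = list(range(blocks))               # unallocated blocks

    def write(self, name: str, data: bytes) -> None:
        needed = -(-len(data) // BLOCK_SIZE)          # ceiling division
        blocks = [self.free.pop(0) for _ in range(needed)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE].ljust(BLOCK_SIZE, b"\0")
            self.media[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = chunk
        self.index[name] = blocks

    def delete(self, name: str) -> None:
        """What a normal delete does: unlink the name and free the blocks.
        The bytes stay on the medium until something overwrites them."""
        self.free.extend(self.index.pop(name))

    def clear(self, name: str, passes: int = 3) -> None:
        """Wiping: overwrite every block of the file (random passes, then
        zeros) before releasing it."""
        for b in self.index[name]:
            for _ in range(passes):
                self.media[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = os.urandom(BLOCK_SIZE)
            self.media[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = bytes(BLOCK_SIZE)
        self.delete(name)

    def raw_scan(self, needle: bytes) -> bool:
        """Forensic-style carve: ignore the index and search the medium itself."""
        return needle in bytes(self.media)


def demonstrate() -> dict:
    """Write two constructed secrets, delete one normally, clear the other,
    then see what a raw scan can still recover."""
    disk = SimulatedDisk(blocks=8)
    disk.write("a.txt", b"SECRET: payroll 2021")
    disk.write("b.txt", b"SECRET: merger plan")
    disk.delete("a.txt")   # normal deletion: index entry gone, data remains
    disk.clear("b.txt")    # wiped: data overwritten before release
    return {
        "a_recoverable_after_delete": disk.raw_scan(b"payroll"),
        "b_recoverable_after_clear": disk.raw_scan(b"merger"),
    }


if __name__ == "__main__":
    for k, v in demonstrate().items():
        print(f"{k}: {v}")
```

The first result is the remanence problem in one line: the file is gone from every listing, yet the bytes are still there for anyone who reads the device below the file system. Only the cleared file is unrecoverable, and on real media that conclusion holds only if the overwrite actually reached the physical blocks.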
2.5 Data Security Controls Decisions
Data security control decisions are generally related to:
• Data classification (e.g. protected, confidential, and public)
• Data state (point in time)
• Data at rest (persistent storage — e.g. disk, tape)
• Data in use (CPU processing or in RAM)
• Data in transit (transmission)
Common data protection controls include access
management, cryptography, and obfuscation.
2.6 Labels and Handling Standards
Labels are used to identify assets so users can apply the
appropriate handling standard.
• Labeling is influenced by the intended audience.
• Labels can be digital, print, audio, or visual.
• Noted on or in a document (e.g. CONFIDENTIAL)
• Written on or attached to media
Handling standards inform custodians and users how to
interact with information assets.
• Handling standards are generally related to classification, data state, and
legal or regulatory requirements.
Assessment Q1
_________ is the right of an individual to control the use of
his or her personal information.
A. Security
B. First amendment
C. Habeas Corpus
D. Privacy
Assessment Q2
In the private sector, which group is most often responsible
for asset classification decisions and control oversight?
A. owner
B. executive
C. custodian
D. administrator
Assessment Q3
The process of securely storing original unmodified
documents is known as which of the following
A. Backup
B. Replication
C. Retention
D. Archiving
Assessment Q4
The residual representations of digital data even after
attempts to remove or erase is known as
_______________?
A. data clusters
B. data remanence
C. data bits
D. data slack
Assessment Q5
Which of the following is the most important reason an
information asset should have a visible data classification
label?
A. Inventory control
B. User recognition
C. Regulatory compliance
D. Asset management
Domain 3 Security Architecture and Engineering
3.1 Implement and manage engineering processes using secure design principles
3.2 Understand the fundamental concepts of security models
3.3 Select controls based on systems security requirements
3.4 Understand security capabilities of information systems
3.5 Assess and mitigate vulnerabilities of security architectures, designs, and solution elements
3.6 Assess and mitigate vulnerabilities in web-based systems
3.7 Assess and mitigate vulnerabilities in mobile systems
3.8 Assess and mitigate vulnerabilities in embedded devices
3.9 Apply cryptography
3.10 Apply security principles to site and facility design
3.11 Implement site and facility security controls
May 1, 2021 Changes
Category | Change Description
Weight | Unchanged
Objective Added or Moved | Select and determine cryptographic solutions; Understand methods of cryptanalytic attacks
Objective Removed | Assess and mitigate vulnerabilities in web-based systems; Assess and mitigate vulnerabilities in mobile systems; Assess and mitigate vulnerabilities in embedded devices (Note: these have all been incorporated into the objective "Assess and mitigate vulnerabilities of security architectures, designs, and solution elements"); Apply cryptography
New Topics | Zero trust, privacy by design, trust but verify, microservices, containerization, high-performance computing systems, edge computing, quantum cryptography, Kerberos exploitation, ransomware, evidence storage, HVAC controls
3.1 Secure Design & Engineering Objectives
Security must be incorporated and addressed from the
initial planning and design phases through disposal of the
system.
• Without proper attention to security, an organization’s information
technology can become a source of significant risk.
• With careful planning from the earliest stages, however, security becomes
an enabler to achieve the organization’s mission.
3.1 NIST SP 800-160
Systems Security Engineering: Considerations for a
Multidisciplinary Approach in the Engineering of
Trustworthy Secure Systems
• SP 800-160 addresses the engineering-driven actions necessary to develop
more defensible and survivable systems—including the components that
compose and the services that depend on those systems.
• Aligned with the international standard ISO/IEC/IEEE 15288.
3.2 Information Security Models
Information security models focus on interactions and
provide structure and rules to be followed to accomplish a
specific objective (e.g. confidentiality, integrity, and
availability).
• Foundational (lower-level) models include State Machine, Non-Interference,
and Information Flow.
• Relationship (higher-level) models include Bell-LaPadula, Biba, Clark-Wilson,
and Brewer-Nash.
• Subjects are active entities, generally in the form of a person, process,
or device that causes information to flow among objects or changes
the system state.
• Objects are passive entities that contain or receive information or
instructions.
3.2 Foundational Models (lower-level)
Model | Description
State Machine | Conceptual model that ensures that no matter what activity is taking place within a system, it is always trustworthy (every state transition leads to a secure state).
Non-interference (multilevel) | Whatever happens at one security level does not directly or indirectly affect the security environment of other levels.
Information Flow (multilevel) | Information will flow only in ways that do not violate the security policy of the system.
If any of the foundational models is proven false, then the security of the system cannot be relied upon regardless of the implementation of higher-level security models.
3.2 Relationship Models (higher-level)
Model | Description | Objective
Bell-LaPadula | Subjects cannot read [simple security property] data that has a higher classification. Subjects cannot write [*-property] to an object at a lower security level. No Read Up, No Write Down. | Confidentiality
Biba | Subjects cannot read [simple integrity axiom] data that has a lower classification. Subjects cannot write [* integrity axiom] to an object at a higher security level. No Read Down, No Write Up. | Integrity
Clark-Wilson | Well-formed transactions ensure that a user cannot alter data arbitrarily. Instead, data can be altered only in a specified way in order to preserve its internal consistency (access triple: user, transformation procedure, constrained data item). | Integrity
Brewer-Nash (Chinese Wall) | A subject that has accessed data belonging to one organization is denied access to data of any competing organization in the same conflict-of-interest class; permissions change dynamically with the subject's access history. | Confidentiality (conflict of interest)
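The four relationship models above, as an added example that is not from the slides: a reference-monitor style decision function for each, implementing exactly the rules the table states. The classification levels, users, transformation procedures, constrained data items and conflict-of-interest classes are assumptions constructed for the demonstration.

```python
"""Access decisions for Bell-LaPadula, Biba, Clark-Wilson and Brewer-Nash.
Added example; levels and access triples are made up for the demonstration."""

from enum import IntEnum
from typing import Set


class Level(IntEnum):
    PUBLIC = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def blp_allows(subject: Level, obj: Level, op: str) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    if op == "read":
        return subject >= obj   # simple security property
    if op == "write":
        return subject <= obj   # *-property
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Level, obj: Level, op: str) -> bool:
    """Biba (integrity): no read down, no write up.  Note that it is the
    mirror image of Bell-LaPadula, which is why the two are easily confused."""
    if op == "read":
        return subject <= obj   # simple integrity axiom
    if op == "write":
        return subject >= obj   # * integrity axiom
    raise ValueError(f"unknown operation {op!r}")


# Clark-Wilson: certified access triples (user, transformation procedure, CDI).
# Constructed for the example.
ACCESS_TRIPLES = {
    ("alice", "post_journal_entry", "general_ledger"),
    ("bob", "approve_payment", "accounts_payable"),
}


def clark_wilson_allows(user: str, tp: str, cdi: str) -> bool:
    """A constrained data item may be changed only through a certified
    transformation procedure that is bound to both the user and the CDI.
    There is no direct-write path: an unknown TP is denied like any other."""
    return (user, tp, cdi) in ACCESS_TRIPLES


# Brewer-Nash: each object belongs to a conflict-of-interest class.
# Constructed for the example.
CONFLICT_CLASS = {"bank_a": "banks", "bank_b": "banks", "oil_co": "oil"}


def brewer_nash_allows(history: Set[str], obj: str) -> bool:
    """Access is denied if the subject has already accessed a *different*
    object in the same conflict-of-interest class.  The decision depends on
    history, which is what makes the model dynamic."""
    cls = CONFLICT_CLASS[obj]
    return all(o == obj or CONFLICT_CLASS[o] != cls for o in history)


if __name__ == "__main__":
    s, o = Level.SECRET, Level.TOP_SECRET
    print("BLP  secret reads top secret:", blp_allows(s, o, "read"))     # False
    print("Biba secret reads top secret:", biba_allows(s, o, "read"))    # True
    print("CW   alice direct write:", clark_wilson_allows("alice", "direct_write", "general_ledger"))
    print("BN   bank_a then bank_b:", brewer_nash_allows({"bank_a"}, "bank_b"))
```

Running the two multilevel checks side by side on the same subject and object is the quickest way to internalize the exam's favourite trap: a SECRET subject may read TOP_SECRET under Biba (it is trusting data of higher integrity) but not under Bell-LaPadula (it would be reading up).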
3.5 Large-Scale, Grid, and Industrial Control Systems
System | Description | Purpose | Security Considerations
Large Scale (Parallel) | Disparate systems working in concert (e.g. cluster) | Force multiplier effect (increase in capability) | Data aggregation
Grid | Sharing of CPU and other resources across a network | Power (e.g. the seti@home project) | Distributed management and authentication
ICS / SCADA | Embedded systems that monitor and control industrial processes | Power complex systems such as the electric grid | Weak authentication, outdated OS, inability to patch, remote access
3.5 Cloud Deployment Models
Model | Description | Considerations
Public Cloud | Provisioned for public use | Location, Multitenancy
Community Cloud | Provisioned for the exclusive use of a well-defined group | Multitenancy
Private Cloud | Provisioned for the exclusive use of a single organization | Scalability
3.5 Cloud Service Models - SaaS
Model: SaaS (Software as a Service)
Provided: Computing resources + operating system + application
Customer impact:
• The customer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage, or even individual application capabilities.
• The customer uses the provider's applications running on a cloud infrastructure.
• The customer has control over limited user-specific application configuration.
Considerations: Availability, Maintenance, Vulnerability Management, Confidentiality, Privacy, Data Ownership, Multitenancy, Testing
3.5 Cloud Service Models - PaaS
Model: PaaS (Platform as a Service)
Provided: computing resources + operating system + platform (optionally, database)
Customer impact:
• The customer does not manage or control the underlying cloud infrastructure, operating system, programming languages, tools, and platform.
• The customer deploys created or acquired applications onto the cloud infrastructure.
• The customer has control over deployed applications and possibly configuration settings for the application-hosting environment.
Considerations: availability, maintenance, vulnerability management, confidentiality, privacy, data ownership
3.5 Cloud Service Models - IaaS
Model: IaaS (Infrastructure as a Service)
Provided: “bare metal” computing resources
Customer impact:
• The customer does not manage or control the underlying cloud infrastructure.
• The customer can provision processing, storage, networks, and other fundamental computing resources.
• The customer has control over the operating system, storage, and deployed applications, and possibly limited control of select networking components (e.g. host firewalls).
Considerations: availability, maintenance, vulnerability management
3.5 Cloud Access Security Brokers
Cloud access security brokers (CASBs) are security policy enforcement points (software or appliance) placed between “the cloud” and enterprise users.
• Security policies are enforced as cloud-based resources are accessed, for example authentication, encryption, visibility, and DLP.
• A CASB provides control over shadow IT applications.
• Shadow IT describes the use of IT solutions that are managed outside of, and without the knowledge of, the IT department.
• CASBs proxy traffic inline and/or consume proxy and firewall logs, and use auto discovery to identify the cloud applications actually in use.
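The auto-discovery step is easy to understand from a log-based version of it. The following is an added example for this page (not course material and not any vendor’s CASB code): it reads constructed web proxy log lines, maps destination hosts to a constructed application catalogue by DNS suffix, and reports every catalogued application that is not on the sanctioned list, with the users and outbound bytes involved.

```python
"""Shadow-IT discovery over web proxy logs, in the spirit of CASB auto-discovery.

Added example for this page, not course material and not a vendor's code. The
log format, the application catalogue and the sanctioned list are constructed.
"""
from collections import defaultdict

# Constructed catalogue: DNS suffix -> cloud application name.
APP_CATALOGUE = {
    "sharepoint.com": "Microsoft 365",
    "dropbox.com": "Dropbox",
    "wetransfer.com": "WeTransfer",
    "pastebin.com": "Pastebin",
}
# Applications the organization has approved; everything else catalogued is shadow IT.
SANCTIONED = {"Microsoft 365"}

# Constructed proxy log: timestamp, user, destination host, bytes sent.
PROXY_LOG = """\
2021-05-01T09:12:03Z alice  contoso.sharepoint.com 1204
2021-05-01T09:14:41Z bob    www.dropbox.com        5823114
2021-05-01T09:15:02Z bob    dl.dropbox.com         512
2021-05-01T10:02:17Z carol  wetransfer.com         9932001
2021-05-01T10:05:55Z alice  pastebin.com           2048
2021-05-01T10:06:10Z dave   intranet.corp.local    340
"""


def classify_host(host: str):
    """Map a host to a catalogued cloud app by the longest matching DNS suffix,
    so www.dropbox.com and dl.dropbox.com both resolve to Dropbox."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in APP_CATALOGUE:
            return APP_CATALOGUE[suffix]
    return None


def discover_shadow_it(log_text: str) -> dict:
    """Return {app: {"users": set_of_users, "bytes_out": total}} for every
    catalogued application that is not sanctioned."""
    findings = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of failing the whole run
        _ts, user, host, nbytes = parts
        app = classify_host(host)
        if app is None or app in SANCTIONED:
            continue
        findings[app]["users"].add(user)
        findings[app]["bytes_out"] += int(nbytes)
    return dict(findings)


def report(findings: dict) -> list:
    """Human-readable lines, largest data egress first (the DLP angle)."""
    ordered = sorted(findings.items(), key=lambda kv: kv[1]["bytes_out"], reverse=True)
    return [f"{app}: {f['bytes_out']} bytes out by {', '.join(sorted(f['users']))}"
            for app, f in ordered]


if __name__ == "__main__":
    for line in report(discover_shadow_it(PROXY_LOG)):
        print(line)
```

A real CASB does the same with a much larger catalogue (including a risk score per application) and, in inline mode, can block or encrypt the traffic rather than only report on it.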
3.5 Security-as-a-Service
Security-as-a-Service (SecaaS) is the delivery of managed
security services for public, private, and hybrid cloud
environments.
• SecaaS relieves the burden of relying on the SaaS, PaaS, or IaaS vendor for
security protection and enforcement.
• Services include encryption, activity monitoring, DLP, malware detection,
filtering, firewall, policy enforcement, email security, intrusion detection,
authentication, and more.
3.6 Web Vulnerabilities
Web systems are particularly vulnerable due to their level
of exposure, accessibility, and rapid rate of change.
• Security misconfiguration can happen at any level of an application stack,
including the platform, web server, application server, database,
framework, and custom code.
• System owners, developers, and system administrators need to work
together to ensure that the entire stack is configured properly.
• Resource http://www.owasp.org
3.6 Improper Input/Output Validation
Vulnerability | Description | Impact
Injection | Tricking an application into including unintended commands in the data sent to an interpreter (e.g. OS, LDAP, SQL). | Can result in database, schema, account, and/or operating system access.
Cross-Site Scripting (XSS) | Injection of malicious script into a vulnerable web application (reflected) or its back-end database (stored) so that the script executes in a victim’s browser. | Can result in user session hijack, redirection to a malware distribution site, or bypassing access controls.
Cross-Site Request Forgery (CSRF/XSRF) | Tricking a web browser into executing a malicious action on a trusted site for which the user is currently authenticated. CSRF exploits the trust that a site has in a user’s browser: the browser attaches the session cookie automatically, so the attacker never needs to see it. | Can result in data theft, unauthorized funds transfers, or credential modifications.
3.6 OWASP 2017 #1 Injection
Element | Description
Vulnerability | Injection
Description | Tricking an application into including unintended commands in the data sent to an interpreter (e.g. OS, LDAP, SQL)
Flaw | Improper input/output validation
Impact | Can result in unauthorized access, data exfiltration, and data corruption
Mitigation | • Use of a “safe” API (e.g. parameterized queries / prepared statements) that keeps data separate from the command
• Positive “whitelist” (allowlist) input and output validation
3.6 Injection Illustrated (SQL)
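The slide’s illustration did not survive extraction, so here is the same point as an added example for this page (not the slide’s own figure or code): a login check built by string concatenation, the classic tautology-plus-comment payload that bypasses it, and the two mitigations from the previous slide, a parameterized query and positive input validation. The in-memory SQLite database and the single user row are constructed.

```python
"""SQL injection illustrated: vulnerable login beside its parameterized fix.

Added example for this page, not the slide's figure. Uses an in-memory SQLite
database with one constructed user; the payload "' OR 1=1 --" is the classic
tautology plus line comment.
"""
import hashlib
import re
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed users table (unsalted hash, deliberately simple for the demo)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("alice", hashlib.sha256(b"correct horse").hexdigest()))
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    """String concatenation: attacker text becomes part of the SQL grammar.
    With username "' OR 1=1 --" the statement becomes
      SELECT COUNT(*) FROM users WHERE username = '' OR 1=1 --' AND pw_hash = '...'
    and everything after -- (the password check) is a comment."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND pw_hash = '" + pw_hash + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, username: str, password: str) -> bool:
    """Safe API: bound parameters are passed as data and never parsed as SQL."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND pw_hash = ?"
    return conn.execute(sql, (username, pw_hash)).fetchone()[0] > 0


USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def is_valid_username(username: str) -> bool:
    """Positive (allowlist) input validation: defence in depth, not a
    substitute for parameterization."""
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    conn = setup_db()
    payload = "' OR 1=1 --"
    print("vulnerable, wrong password:", login_vulnerable(conn, payload, "wrong"))  # True
    print("parameterized, wrong password:", login_safe(conn, payload, "wrong"))      # False
    print("allowlist accepts payload:", is_valid_username(payload))                 # False
```

The same payload succeeds against the concatenated query and fails against the parameterized one because the database driver transmits bound values separately from the statement text; the allowlist rejects it earlier still, but on its own it would not protect a query that takes free-form text.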
3.9 Symmetric Illustration
[Figure: symmetric encryption. Plaintext -> algorithm (3DES, AES, RC5) with the shared secret key -> ciphertext; ciphertext -> the same algorithm with the same shared key -> plaintext.]
3.9 Asymmetric Illustration
[Figure: asymmetric encryption. Cleartext -> algorithm (RSA, ECC, Diffie-Hellman, El Gamal) with the recipient’s public key -> ciphertext; ciphertext -> the same algorithm with the recipient’s private key -> cleartext.]
3.9 Symmetric vs. Asymmetric Encryption
Feature | Symmetric | Asymmetric
Number of keys | Single shared key | Key pair (public and private)
Suited to | Large data volumes (bulk encryption) | Small data items (session keys, message digests)
Processing | Computationally efficient | Computationally intensive
Strength | Difficult to break with large keys (e.g. AES-256) | Needs much larger keys for equivalent strength (roughly RSA-3072 or ECC-256 for AES-128 level security)
Scalability | Not scalable: n parties need n(n-1)/2 shared keys | Scalable: n parties need n key pairs
Attack | Description
Collision | Using a mathematical technique to force two inputs into producing the same hash value. The hash method used can then no longer be relied upon to distinguish different data.
Birthday | Exploits the mathematics behind the birthday problem in probability theory to cause a collision: roughly 2^(n/2) trials for an n-bit hash, not 2^n.
Pass-the-Hash | Using captured hashed credentials from one machine to authenticate to, and gain control of, another machine without ever recovering the plaintext password.
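The birthday row is the one worth seeing with numbers. The following added example for this page (not course material) truncates SHA-256 to a small digest width, hashes constructed inputs until two of them collide, and compares the trial count with the birthday bound and with what a brute-force preimage search would need.

```python
"""Birthday attack against a truncated hash.

Added example for this page, not course material. SHA-256 is truncated to a
small number of bits so the collision appears in a fraction of a second; the
inputs ("invoice-<n>") are constructed.
"""
import hashlib
import math


def truncated_sha256(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256(data) as an integer: an n-bit hash stand-in."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def find_collision(bits: int):
    """Hash sequential messages until two distinct ones share a digest.
    Returns (msg_a, msg_b, trials). The dictionary of seen digests is the
    memory side of the birthday attack's time/memory trade."""
    seen = {}
    trials = 0
    while True:
        msg = f"invoice-{trials}".encode()
        trials += 1
        h = truncated_sha256(msg, bits)
        if h in seen:
            return seen[h], msg, trials
        seen[h] = msg


def birthday_bound(bits: int) -> float:
    """Trials for roughly a 50% collision chance: sqrt(pi/2 * 2^bits)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


if __name__ == "__main__":
    bits = 24
    a, b, trials = find_collision(bits)
    print(f"{a!r} and {b!r} share the top {bits} bits: {truncated_sha256(a, bits):#x}")
    print(f"found after {trials} trials; birthday bound {birthday_bound(bits):.0f}; "
          f"a preimage search would need about {2**bits} trials")
```

For a 24-bit digest the collision turns up after a few thousand trials against about 16.8 million for a preimage, which is why collision resistance is rated at half the digest length and why 128-bit digests such as MD5 were never enough for signatures.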
3.9 Digital Signature
A digital signature is a message digest that has been encrypted (signed) using the signer’s private key and a digital signature algorithm (RSA, DSA); anyone holding the matching public key can verify it.
3.9 Digital Signature in Action
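The “in action” figure is missing from the extracted slide, so here is the sequence as an added example for this page (not the slide’s own figure): hash the message, raise the digest to the private exponent, then have the verifier recover the digest with the public exponent and compare. It uses textbook RSA with two fixed, publicly known primes and no padding, which shows the mechanics only; production code uses RSA-PSS or ECDSA from a vetted library.

```python
"""Digital signature in action with textbook RSA.

Added example for this page, not the slide's figure. The two primes are fixed,
publicly known Mersenne primes and there is no padding, so this shows only the
mechanics (digest "encrypted" with the private key, checked with the public
key); real systems use RSA-PSS or ECDSA from a library such as `cryptography`.
"""
import hashlib

P = 2**61 - 1                         # known prime, illustration only
Q = 2**89 - 1                         # known prime, illustration only
N = P * Q                             # public modulus (about 150 bits)
E = 65537                             # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent (modular inverse, Python 3.8+)


def digest(message: bytes) -> int:
    """SHA-256 truncated to 128 bits so the integer is below the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest()[:16], "big")


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Signer: raise the message digest to the private exponent."""
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Verifier: recover the digest with the public exponent and compare it
    with a freshly computed digest of the message actually received."""
    return pow(signature, e, n) == digest(message)


if __name__ == "__main__":
    msg = b"transfer 100 to bob"
    sig = sign(msg)
    print("valid signature:", verify(msg, sig))                         # True
    print("tampered message:", verify(b"transfer 1000 to bob", sig))    # False
    print("tampered signature:", verify(msg, sig ^ 1))                  # False
```

Changing one character of the message or one bit of the signature breaks verification, which is the integrity property; only the holder of D could have produced a signature that verifies under E, which is the origin and non-repudiation property the next slides rely on.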
3.9 Digital Certificates
Digital certificates bind a public key to a collection of components (subject name, issuer, validity period, key usage) sufficient to authenticate the claimed owner. The private key is generated and held by the owner and never appears in the certificate.
• The X.509 standard defines the certificate format and fields for public keys.
• The X.509 standard also defines the format of certificate revocation lists and how certification paths are validated.
• The current version of X.509 for certificates is v3.
3.9 Types of Digital Certificates (Use)
Type | Use
Personal | Verifies a user identity (generally used for email)
Server (Machine/Computer) | Verifies a server identity
Domain Validation | Verifies a web domain. A wildcard certificate can be used with multiple subdomains of a domain (e.g. *.example.com)
Organization Validation | Verifies a web domain and an organization
Extended Validation | Verifies a web domain and an organization subject to additional vetting (what used to be the “green bar”)
[Figure: certificate lifecycle. Certificate is received -> certificate is suspended/revoked or expired -> key is destroyed.]
3.9 Certificate Revocation
Action | Description
Suspension | Temporary revocation of a certificate until a certificate problem can be resolved.
Revocation | Permanent withdrawal of trust by the issuing authority before the scheduled expiration date.
Certificate Revocation List (CRL) | CA-maintained, CA-signed list of certificates that have been revoked.
• Pull model: the CRL is downloaded by the user or organization.
• Push model: the CRL is automatically sent out by the CA at regular intervals.
Online Certificate Status Protocol (OCSP) | Protocol designed to query a CA responder for the status of a single certificate in real time.
• OCSP stapling: the server fetches a time-stamped, CA-signed OCSP response, caches it, and presents (“staples”) it during the TLS handshake, so the client does not have to contact the CA itself.
3.9 Crypto Attack Categories
The intention is to break a cryptosystem and find the plaintext from the ciphertext. The attacker’s ultimate objective is to identify the key.
Attack | What the attacker has
Ciphertext Only | A sample of ciphertext is available without the plaintext associated with it.
Known Plaintext | A sample of ciphertext and the corresponding known plaintext is available.
Chosen Plaintext | The attacker can choose the plaintext to be encrypted and obtain the corresponding ciphertext.
Chosen Ciphertext | The attacker can select the ciphertext and obtain the corresponding plaintext.
3.9 Key Attacks
Attack | Description
Brute Force | Every possible key is tested (online against the live system, or offline against captured material)
Dictionary | A list of likely keys or passwords is tested
Frequency | Looking for statistical patterns in the ciphertext (e.g. letter frequencies) to reveal the key
3.9 Cryptography Controls Review
Encryption is used to ensure confidentiality.
Hashing is used to prove integrity.
Digital signatures are used to provide non-repudiation (and, with it, integrity and origin authentication of the signed data).
Digital certificates are used for authentication.
3.10 Building Security
Building and facility security focuses primarily on
preventive, deterrent, and detective access controls and
workplace safety.
Physical security is based upon a layered defense model.
• Obstacles to frustrate trivial attackers and delay serious ones
• Detective controls make it likely that attacks will be noticed
• Response mechanisms to repel, catch, or frustrate attackers
3.10 Building Security
Control | Description
Lighting | Lighting for personnel safety and intruder deterrence
• Intruders are less likely to enter well-lit areas
• Lighting can be continuous, motion triggered, random, timed, or standby
• Lighting should be tamper-proof and have a backup power supply
Signs | Signs for personnel safety and intruder deterrence
• Warning signs indicate surveillance (“someone is paying attention”)
Physical Barrier | Fences, walls, gates, barricades, bollards, and mantraps define the perimeter.
• They serve to prevent, deter, or delay (increase the work factor of) an attack.
Surveillance | Surveillance technologies such as physical intrusion detection systems, closed-circuit TV (CCTV) and camera systems can be used to monitor, detect (and report) suspicious, abnormal, or unwanted behavior.
Security Guards | Security personnel may be stationed at checkpoints, patrol the area, manage surveillance, and respond to breaches and/or suspicious activity.
3.11 Environmental Impact
Computers, electronic equipment, and transmission media
are sensitive to environmental factors such as heat,
humidity, air flow, and power quality.
• Environmental imbalance can impact stability, availability, and integrity.
3.11 Environmental Security
Element | Description
Heat | Acceptable temperature is between 70–74 degrees Fahrenheit (about 21–23 °C).
Humidity | Acceptable relative humidity is between 45–60%. Too low invites static discharge; too high invites condensation and corrosion.
Fire | Fire protection is comprised of four elements: prevention, detection, containment and suppression.
EMI/RFI | Equipment should have limited exposure to magnets, fluorescent lights, electric motors, space heaters, and wireless access points. Copper and coax cable should be shielded.
Air Flow | Hot aisle / cold aisle configuration for data center racks.
Power | Electrical power supplied to electronic devices must have consistent voltage and a minimum of interference. Devices need to be protected against surges, spikes, sags, brownouts, and blackouts.
3.11 Power Protection
Category | Description | Mitigating Control
Blackout | Prolonged period without power | Battery backup (UPS), alternate power supply (generator), supplier diversity
Brownout | Prolonged period of low voltage | Battery backup (UPS), alternate power supply (generator), supplier diversity
Sag | Momentary low voltage | Voltage regulator, battery backup (UPS)
Surge | Prolonged period of high voltage | Surge protectors, power line conditioners, battery backup (UPS)
Spike | Momentary high voltage | Surge protectors, power line conditioners, battery backup (UPS)
3.2 Understand the fundamental concepts of security models
3.3 Select controls based on systems security requirements
3.4 Understand security capabilities of information systems
3.5 Assess and mitigate vulnerabilities of security architectures, designs, and solution elements
3.6 Assess and mitigate vulnerabilities in web-based systems
3.8 Assess and mitigate vulnerabilities in embedded devices
3.9 Apply cryptography
3.10 Apply security principles to site and facility design
3.11 Implement site and facility security controls
Assessment Q1
The purpose of this device is to provide control over
shadow IT applications.
A. SecaaS
B. DLP
C. CASB
D. IaaS
Assessment Q2
The rules for this conceptual model are – no read up and
no write down. This is the _______ model and the
objective is ___________.
A. Biba, integrity
B. Bell-LaPadula, confidentiality
C. Biba, confidentiality
D. Bell-LaPadula, integrity
Assessment Q3
Which system(s) are particularly vulnerable to exploit due to weak authentication, outdated operating systems, and limited (if any) maintenance windows?
A. Cloud
B. Client/Server
C. ICS/SCADA
D. Parallel
Assessment Q4
Mary wants to use asymmetric encryption for a session key
exchange with Bob. Which cryptovariable should she use to
encrypt the session key?
A. Mary’s public key
B. Mary’s private key
C. Bob’s public key
D. Bob’s private key
Assessment Q5
A __________________ is a message digest that has been
encrypted using a private key.
A. cipher
B. digital certificate
C. digital signature
D. salt
[Figure: CBK domain weights. Domain 1 Security & Risk Management 15%; Domain 2 Asset Security 10%; Domain 3 Security Architecture and Engineering 13%.]
Study Strategies
Study Plan
Schedule your exam!
• Create a study plan and stick to it.
• Watch my videos – The Complete CISSP 2nd Edition available on O’Reilly
Media (SafariBooksOnline)!
• Study with a buddy.
• Make flash cards.
• Talk to yourself, seriously.
The Zen of Studying
Relax. Breathe deeply. Enjoy.
• Remind yourself you can do this.
• Approach the material and the exam with a positive, can-do attitude.
• Don’t think of preparing for and taking the exam as a chore; envision it as an opportunity to validate your knowledge and experience.
• Promise yourself a wonderful indulgence at the completion of this journey.
Day 2
Join me tomorrow for Part II of the CISSP Crash Course.
• Segment 1: Domain 4 Communication and Network Security
• Segment 2: Domain 5 Identity and Access Management (IAM)
• Segment 3: Domain 6 Security Assessment and Testing
• Segment 4: Domain 7 Security Operations
• Segment 5: Domain 8 Software Development Security
• Segment 6: Preparing for Test Day!