CISSPrep.net
Memorization Sheet
Copy this information down several times until it's burned into memory
https://cissprep.net/

SAC/SOC has 2 P's = SACPP (security, availability, confidentiality, processing integrity, privacy) – the trust services criteria a SOC 2 reports against


SOC 1 – financial reporting (controls that affect the client's financial statements)
SOC 2 – operations/compliance (reports against the trust services criteria above)
SOC 3 – public audience (general-use summary of a SOC 2)

Type I – snapshot (controls as designed, at a point in time)
Type II – period of time (controls as designed and operating, usually 6 to 12 months)

Privacy Tenets: “please acquire or reveal some donuts.”

Participation – the data subject should have the option to opt in or opt out.
Limitation – the data can only be used for the stated purpose.
Scope – there must be a specific purpose (and it must be legal/ethical), and the scope should be
included in the notification.
Acquire - Accuracy – the data must be as accurate as possible, and the data subject should be
able to make corrections.
or
Reveal - Retention – the data should be kept only as long as it's needed.
Some - Security – the custodian must protect the data.
Do - Dissemination – the custodian must not share the data without notifying the data subject.
Nuts - Notification – must notify the data subject that you're collecting their data before it's
used, and the notice should include the purpose of use.

OSI model: "people don't need to snap photos anymore" (thanks to smartphones), starting with the
physical layer and going up. (Copy the table below from the bottom up.)

PDU       LAYER  TITLE                   TCP/IP
data      7      Application (Anymore)   Application
data      6      Presentation (Photos)   Application
data      5      Session (Snap)          Application
segment   4      Transport (To)          Transport
packet    3      Network (Need)          Internet
frame     2      Data Link (Don't)       Network access
bit       1      Physical (People)       Network access

PDU: big feet point straight downwards

TCP/IP: N2 + A3 (with “IT” in the middle)

Security Awareness:
● Education – formal
● Training – semi-formal
● Awareness – casual
(Evaluation is also formal and Review is casual; notice E+E = formal.)

BCDR (in the right order):


1. BIA – objectives, critical asset values, threats
2. Business continuity – mission critical – keeps stuff going (beware possible merging of the
two BCPs: business continuity plan vs. business contingency plan)
3. Contingency operations – also mission critical – recovers only the critical stuff that failed
4. Disaster Recovery – non-critical – recovers everything else after a failure

Recovery components = RPCART


Response (declaration) – Personnel (to keep critical business operations going) – Communication (one
voice) – Assessment (measure damage) – Restoration (from the contingency site back to the original
site) – Training/awareness

Security controls: Scoping is subtracting (dropping baseline controls that don't apply), Tailoring is tuning (adjusting control parameters to the environment), Supplementing is adding (extra controls on top of the baseline; it is not supplanting them)

Cryptography services = CAINRA


● Confidentiality – encryption
● Authentication – digital signature, digital certificate, asymmetric (combined w/others),
MAC
● Integrity – hashing

● Non-Repudiation – digital signature, digital certificate, PKI (needed)


● Access control – symmetric keys, hybrid encryption, PKI
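The "Integrity – hashing" line needs a caveat that the exam glosses over: an unkeyed hash only detects accidental corruption. An attacker who can replace the message can recompute its hash too, so proving who sent it needs a key (a MAC) or a signature. The following is an added example, not code from the CISSPrep sheet; it uses only the Python standard library, and the key generated at runtime stands in for a secret already shared between sender and receiver (assumption).

```python
import hashlib
import hmac
import os

# Constructed sample message (not from the page). The key stands in for a
# secret already shared between sender and receiver (assumption).
MESSAGE = b"transfer 100 to account 1234"
KEY = os.urandom(32)


def protect_with_hash(message: bytes) -> str:
    """Integrity only: an unkeyed SHA-256 digest travels next to the message."""
    return hashlib.sha256(message).hexdigest()


def verify_hash(message: bytes, digest: str) -> bool:
    return hmac.compare_digest(hashlib.sha256(message).hexdigest(), digest)


def protect_with_mac(message: bytes, key: bytes) -> str:
    """Integrity + authentication: an HMAC-SHA256 tag that needs the key to compute."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_mac(message: bytes, tag: str, key: bytes) -> bool:
    expected = hmac.new(key, message, hashlib.sha256).hexdigest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(expected, tag)


def attacker_tampers(message: bytes) -> bytes:
    """A man-in-the-middle rewrites the destination account."""
    return message.replace(b"1234", b"9999")


def demo() -> dict:
    digest = protect_with_hash(MESSAGE)
    tag = protect_with_mac(MESSAGE, KEY)

    forged = attacker_tampers(MESSAGE)

    # The hash is public and unkeyed, so the attacker simply recomputes it:
    # the receiver's integrity check passes on the forged message.
    hash_accepts_forgery = verify_hash(forged, protect_with_hash(forged))

    # The attacker has no KEY, so the best they can do is replay the old tag,
    # which no longer matches the altered message.
    mac_accepts_forgery = verify_mac(forged, tag, KEY)

    return {
        "hash_accepts_forgery": hash_accepts_forgery,           # True
        "mac_accepts_forgery": mac_accepts_forgery,             # False
        "mac_accepts_original": verify_mac(MESSAGE, tag, KEY),  # True
        "hash_accepts_original": verify_hash(MESSAGE, digest),  # True
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

An HMAC gives authentication but not non-repudiation: both parties hold the same key, so either of them could have produced the tag. That is why the sheet lists digital signatures and PKI, not MACs, under Non-Repudiation.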

Bell-LaPadula – no read up, no write down; confidentiality

Biba – no read down, no write up (the opposite of Bell-LaPadula); integrity

Clark-Wilson – integrity (well-formed transactions, separation of duties, data only touched through approved programs)

Brewer-Nash – Chinese Wall; conflict of interest

Properties: simple = read; star = *write (old-school files have a star in the title bar when edited)
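The rules above are easiest to remember once you have seen them as code: Bell-LaPadula compares levels one way for reads and the other way for writes, Biba flips both comparisons, and Brewer-Nash is stateful (what you may touch depends on what you already touched). This is an added example, not from the CISSPrep sheet; the three-level lattice and the conflict-of-interest classes are constructed for illustration (assumption).

```python
from enum import IntEnum


class Level(IntEnum):
    """Sensitivity (Bell-LaPadula) or integrity (Biba) level, low to high."""
    LOW = 0
    MEDIUM = 1
    HIGH = 2


def blp_allows(subject: Level, obj: Level, op: str) -> bool:
    """Bell-LaPadula (confidentiality).
    simple property: no read up    -> subject clearance >= object label
    star property:   no write down -> subject clearance <= object label
    """
    if op == "read":
        return subject >= obj
    if op == "write":
        return subject <= obj
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Level, obj: Level, op: str) -> bool:
    """Biba (integrity), the mirror image of Bell-LaPadula.
    simple integrity: no read down -> object integrity >= subject integrity
    star integrity:   no write up  -> subject integrity >= object integrity
    """
    if op == "read":
        return subject <= obj
    if op == "write":
        return subject >= obj
    raise ValueError(f"unknown operation {op!r}")


class ChineseWall:
    """Brewer-Nash: the first company a subject touches in a conflict-of-interest
    class walls off every other company in that class for that subject."""

    def __init__(self, coi_classes: dict):
        # company -> conflict-of-interest class it belongs to
        self.coi_of = {co: cls for cls, cos in coi_classes.items() for co in cos}
        self.history = {}  # subject -> set of companies already accessed

    def allows(self, subject: str, company: str) -> bool:
        cls = self.coi_of[company]
        seen = self.history.get(subject, set())
        # Allowed if the subject has touched nothing else in this class.
        return all(c == company or self.coi_of[c] != cls for c in seen)

    def access(self, subject: str, company: str) -> bool:
        if not self.allows(subject, company):
            return False
        self.history.setdefault(subject, set()).add(company)
        return True


def decision_table() -> dict:
    """A MEDIUM-level subject against HIGH and LOW objects under both models."""
    s = Level.MEDIUM
    return {
        "blp read HIGH (read up)":    blp_allows(s, Level.HIGH, "read"),    # False
        "blp write LOW (write down)": blp_allows(s, Level.LOW, "write"),    # False
        "blp read LOW":               blp_allows(s, Level.LOW, "read"),     # True
        "biba read LOW (read down)":  biba_allows(s, Level.LOW, "read"),    # False
        "biba write HIGH (write up)": biba_allows(s, Level.HIGH, "write"),  # False
        "biba write LOW":             biba_allows(s, Level.LOW, "write"),   # True
    }


if __name__ == "__main__":
    for rule, ok in decision_table().items():
        print(f"{rule:28s} {'allow' if ok else 'DENY'}")
    # Constructed conflict-of-interest classes (assumption, not from the page).
    wall = ChineseWall({"banks": {"BankA", "BankB"}, "oil": {"OilCo"}})
    print(wall.access("alice", "BankA"), wall.access("alice", "OilCo"),
          wall.access("alice", "BankB"))  # True True False
```

Note that Bell-LaPadula's star property lets a LOW subject write into a HIGH object it cannot read (blind write-up), which is exactly the integrity hole Biba closes; real systems usually combine the two or add a trusted-subject exception.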

Asset classification process (cat paw):


● Create an Asset Inventory
● Assign Ownership
● Classify (Based on Value)
● Protect (Based on Classification)
● Assess and Review

Asset protection process (VCP):


● Identify, locate, and ​V​alue
● C​lassify (based on value)
● P​rotect (based on classification)

Remanence (CPSOW; cow, pig, sow):


● Clearing Can (be recovered)
● Purging is Permanent
● Sanitizing is the Same (as purging)
● Overwriting with Oh's (0's and 1's) – reliable for magnetic disks; on SSDs wear leveling can leave
copies the OS can't reach, so use the drive's built-in sanitize/crypto-erase instead.
● Wiping is Writing (overwriting, that is)

Type 1 error: False Rejection Rate (FRR) – Right person Rejected

Type 2 error: False Acceptance Rate (FAR) – number 2 is FARther from zero than number 1 (an impostor
is accepted; this is the one that hurts security)
Crossover Error Rate (CER, also called EER): the threshold where both error rates are equal. As one
goes up, the other goes down, so tightening the threshold for security raises FRR and loosening it
for convenience raises FAR.
Biometrics: vein patterns are most reliable and accurate. Iris vs. retina scans = Iris became
"The Flash" so iris scans are quicker.
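A worked threshold sweep makes the FRR/FAR trade-off concrete: each side of the crossover is just a count of scores on the wrong side of the line. This is an added example, not from the CISSPrep sheet; the genuine and impostor match scores are constructed (assumption) to overlap the way real biometric systems do.

```python
# Constructed match scores (assumption, not from the page): each comparison
# yields a similarity score in [0, 1]; higher means "more like the enrolled user".
GENUINE_SCORES = [0.92, 0.88, 0.85, 0.81, 0.79, 0.75, 0.70, 0.66, 0.60, 0.55]
IMPOSTOR_SCORES = [0.20, 0.28, 0.33, 0.40, 0.45, 0.50, 0.58, 0.62, 0.68, 0.72]


def frr(threshold: float) -> float:
    """Type 1: fraction of genuine users rejected (score below the threshold)."""
    return sum(s < threshold for s in GENUINE_SCORES) / len(GENUINE_SCORES)


def far(threshold: float) -> float:
    """Type 2: fraction of impostors accepted (score at or above the threshold)."""
    return sum(s >= threshold for s in IMPOSTOR_SCORES) / len(IMPOSTOR_SCORES)


def thresholds(steps: int = 100) -> list:
    # i/steps gives the same doubles as the two-decimal literals in the score lists
    return [i / steps for i in range(steps + 1)]


def crossover() -> tuple:
    """Lowest threshold where FRR and FAR are closest; returns (threshold, CER)."""
    best_t = min(thresholds(), key=lambda t: (abs(frr(t) - far(t)), t))
    return best_t, (frr(best_t) + far(best_t)) / 2


def threshold_for_max_far(max_far: float) -> float:
    """Security tuning: the loosest threshold that still keeps FAR <= max_far."""
    return min(t for t in thresholds() if far(t) <= max_far)


def threshold_for_max_frr(max_frr: float) -> float:
    """Convenience tuning: the strictest threshold that still keeps FRR <= max_frr."""
    return max(t for t in thresholds() if frr(t) <= max_frr)


if __name__ == "__main__":
    t, cer = crossover()
    print(f"CER {cer:.2f} at threshold {t:.2f}")
    for x in (0.50, t, threshold_for_max_far(0.1)):
        print(f"threshold {x:.2f}: FRR {frr(x):.2f}  FAR {far(x):.2f}")
```

With these scores the crossover sits at 0.63 with CER 0.20. Pushing FAR down to 0.10 (a vault door) moves the threshold to 0.69 and triples FRR to 0.30; relaxing FRR to 0.10 (a phone unlock) drops the threshold to 0.60 and FAR climbs to 0.30.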

Pentesting: will be either internal or external (the tester starts inside or outside the network perimeter).


Incident management: Drum roll, DRMRRRL

● Detection – finding, discovering, observing, and telling someone (ideally the proper
person/manager).
● Response – actions to determine/triage whether or not it’s a true incident. Includes
discussion with others to help decide, and declare the incident.
● Mitigation – this is the “stop the bleeding” step, such as disconnecting the network cable
when a device is compromised, or recording/capturing of logs (whatever your incident
response plan indicates is the first step).
● Reporting – alerting stakeholders of the incident. This includes clients/customers,
vendors, senior management, users, employees, the public/media, law enforcement.
● Recovery – return the environment to a state of normalcy, such as re-imaging the
infected system.
● Remediation – addressing the root cause. Even though a vulnerability may
have been exploited, perhaps the patch management process itself was the issue (in not
being timely or effective).
● Lessons Learned – in this phase the participants get together to “hash out” or discuss
openly the successes, failures, and areas where improvement is needed. This phase
helps deal with future similar incidents and helps to improve the process itself.

Investigation methods: AIME at the target!

● Automated capture –automated monitoring tools, such as system logs.


● Interviewing – soliciting information from witnesses. Preserve the witness's rights; done
in private.
● Manual capture – making copies of evidence such as photo IDs or documents, and
includes capturing photographic/video evidence from the incident/crime scene. Audio
recordings in this context would be open, at the scene, not private.
● External request –evidence from an external source.

Full backup – as the name indicates, this is a copy of all data in the environment.
Differential – copies data that changed since the last full backup. Faster than a full backup, but
each differential grows until the next full; restore = last full + last differential.
Incremental – copies data that has changed since the last backup (of any kind). Smallest and fastest
to take; restore = last full + every incremental since it, in order.
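The trade-off is backup volume versus restore complexity, and the restore rule is the part people get wrong under pressure. The following added example (not from the CISSPrep sheet) computes the restore set for any chain, including a mixed one, and simulates a week under each strategy; the 500 GB full and 10 GB daily change are constructed figures (assumption).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Backup:
    day: int        # day the backup was taken
    kind: str       # "full", "differential" or "incremental"
    size_gb: float  # how much data that backup job wrote


def restore_set(history: list, target_day: int) -> list:
    """Backups needed, in apply order, to restore to the end of target_day.

    full         -> everything, stop here
    differential -> everything since the last full, so skip back to that full
    incremental  -> only changes since the previous backup, keep walking back
    """
    upto = [b for b in history if b.day <= target_day]
    needed = []
    i = len(upto) - 1
    while i >= 0:
        b = upto[i]
        needed.append(b)
        if b.kind == "full":
            break
        if b.kind == "differential":
            i -= 1
            while i >= 0 and upto[i].kind != "full":
                i -= 1
            continue
        i -= 1
    if not needed or needed[-1].kind != "full":
        raise ValueError("no full backup on or before target day; cannot restore")
    return list(reversed(needed))


def simulate_week(strategy: str, full_gb: float = 500.0, daily_change_gb: float = 10.0) -> list:
    """Sunday full, then six daily backups of the given kind.
    Constructed sizes (assumption): each day changes daily_change_gb of data."""
    history = [Backup(0, "full", full_gb)]
    for day in range(1, 7):
        if strategy == "differential":
            size = daily_change_gb * day   # grows: everything changed since Sunday
        else:
            size = daily_change_gb         # flat: only what changed since yesterday
        history.append(Backup(day, strategy, size))
    return history


def weekly_cost(strategy: str) -> tuple:
    """(total GB written over the week, number of sets needed to restore Saturday)."""
    history = simulate_week(strategy)
    written = sum(b.size_gb for b in history)
    return written, len(restore_set(history, 6))


if __name__ == "__main__":
    for strategy in ("differential", "incremental"):
        gb, n = weekly_cost(strategy)
        print(f"{strategy:12s}: {gb:.0f} GB written, {n} backup sets to restore Saturday")
    # Mixed chain: an incremental taken after a differential still needs that differential.
    mixed = [Backup(0, "full", 500), Backup(1, "incremental", 10),
             Backup(2, "incremental", 10), Backup(3, "differential", 30),
             Backup(4, "incremental", 10)]
    print([(b.day, b.kind) for b in restore_set(mixed, 4)])
```

Under these numbers the differential week writes 710 GB but restores from 2 sets, while the incremental week writes 560 GB and needs all 7 sets in order; losing any one incremental breaks the chain, which is the operational reason many shops mix the two.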

RAID – redundant array of independent disks, is a method used to prevent downtime when a
storage component fails. It is not a backup: a deletion or a ransomware encryption is mirrored
instantly.
Striping – divides the data between disks.
RAID 0 – stripes over 2 or more disks; no redundancy, so any one disk failing loses everything.
RAID 1 – mirrors 2 disks.
RAID 5 – data and parity info are striped (3 disk minimum). The parity chunk rotates across all
disks rather than living on a dedicated parity disk (that is RAID 3/4); any one disk can fail and be
rebuilt from the XOR of the others.
RAID 10 – mirrored, then striped (4 disks minimum).
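RAID 5's rebuild is nothing more than XOR, which is worth seeing once: XOR-ing all chunks of a stripe (data plus parity) gives zero, so any one missing chunk equals the XOR of the rest. The following is an added example, not from the CISSPrep sheet; the 4-byte chunk size and the sample payload are constructed (assumption), and the rotating parity placement is one common layout, not the only one.

```python
import functools
from typing import Optional


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def raid5_write(data: bytes, ndisks: int = 3, chunk: int = 4) -> tuple:
    """Stripe data across ndisks with rotating XOR parity.
    Each stripe holds (ndisks - 1) data chunks plus one parity chunk; the parity
    chunk's disk rotates per stripe so no single disk becomes the parity hot spot.
    Returns (disks, original_length); disks[d][s] is stripe s on disk d.
    """
    if ndisks < 3:
        raise ValueError("RAID 5 needs at least 3 disks")
    per_stripe = chunk * (ndisks - 1)
    padded = data + b"\0" * ((-len(data)) % per_stripe)
    disks = [[] for _ in range(ndisks)]
    for s, off in enumerate(range(0, len(padded), per_stripe)):
        stripe = padded[off:off + per_stripe]
        chunks = [stripe[i:i + chunk] for i in range(0, per_stripe, chunk)]
        parity = functools.reduce(xor_bytes, chunks)
        parity_disk = (ndisks - 1 - s) % ndisks  # rotate: stripe 0 -> last disk, ...
        it = iter(chunks)
        for d in range(ndisks):
            disks[d].append(parity if d == parity_disk else next(it))
    return disks, len(data)


def lose_disk(disks: list, failed: int) -> None:
    """Simulate a dead disk: its contents are garbage and must not be trusted."""
    disks[failed] = [b"\xff" * len(c) for c in disks[failed]]


def raid5_read(disks: list, length: int, failed: Optional[int] = None) -> bytes:
    """Reassemble the data; if one disk index is marked failed, rebuild each of
    its chunks as the XOR of the surviving chunks in that stripe."""
    ndisks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        chunks = [disks[d][s] for d in range(ndisks)]
        if failed is not None:
            survivors = [chunks[d] for d in range(ndisks) if d != failed]
            chunks[failed] = functools.reduce(xor_bytes, survivors)
        parity_disk = (ndisks - 1 - s) % ndisks
        for d in range(ndisks):
            if d != parity_disk:
                out += chunks[d]
    return bytes(out[:length])


def survives_single_failure(data: bytes, ndisks: int = 3) -> bool:
    """True if the array rebuilds the original data after losing any one disk."""
    disks, length = raid5_write(data, ndisks)
    for failed in range(ndisks):
        copy = [list(d) for d in disks]
        lose_disk(copy, failed)
        if raid5_read(copy, length, failed) != data:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample payload (assumption, not from the page).
    sample = b"The quick brown fox jumps over the lazy dog"
    print(survives_single_failure(sample, 3), survives_single_failure(sample, 5))  # True True
```

The same arithmetic shows the limit: with two chunks missing from a stripe there is one equation and two unknowns, so a second disk dying during the rebuild (the classic failure on large, aging arrays) loses the data. That is the gap RAID 6's second, independent parity closes.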

Asymmetric types (all others will be symmetric) this mnemonic is from Kelly Handerhan from
Cybrary.it:
● E brothers: ECC and ElGamal
● SA brothers: RSA and DSA
● Doogie Howser has a Knapsack: DH (Diffie Hellman) and Knapsack

SDLC: PFSDATCTRM. “Please fry some dead animals to catch the right man.”

● Planning/initiation – creation of project, scope, budget/cost, objectives, strategies, and
schedules.
● Functional requirements definition – security controls and compliance defined.
Functional requirements as well.
● System design specifications – designing software / architecture, outputs, data
flows/interfaces.
● Development – source code.
● Acceptance – testing the system to make sure it performs within the environment. May
be part of the certification and accreditation process. Can include subphases such as:
● Testing/evaluation of controls – formal testing processes occur, choosing test data,
includes fuzz testing (unexpected data), data validation, bounds checking, and
sanitizing any production data used as test data.
● Certification/Accreditation – authorization to put the system into production. Certification
is the technical analysis of controls. Accreditation is the authorizing official sign-off.
● Transition to production/implementation – moving from the acceptance phase into
production. includes training and awareness, accreditation, installation, parallel
operations with an old system that is being replaced.
● Revision/replacement – periodic evaluations for flaws and revisions, and to replace any
faulty components that have or could cause security incidents.
● Maintenance/operation – system usage across the enterprise. System performance
monitoring, regular change management process, backup and recovery procedures, risk
analysis that accompanies recertification/accreditation (due to a relocation, change in
data classification, or major system change).

Software capability maturity model – IRDMO:



· Initial – practices are ad hoc, disorganized and chaotic; poorly controlled.

· Repeatable – reactive practices and a bit more organized but not necessarily defined.

· Defined – formal practices/processes that are well-understood and proactive.

· Managed – quantitative, measured, calculatable, and assessable.

· Optimizing – practices/processes are continuously optimized and improved

Change management (Fellowship of the Ring movie): FASADIRR

· Frodo – Formal request for change

· And – Analysis of request

· Sam – Strategize for ways to implement

· Are – Approval/denial

· Definitely – Develop the change

· Intent on – Implement & test

· Relinquishing the – Reviews

· Ring – Reports and reporting on it

Due diligence – before decisions; research

Due care – the decisions; actions; prudent person rule

coVert channel – Violates security policy


backdOOr; trapdOOr; maintenance hOOk – are gOOd unless left in
