You are on page 1of 8

Domain 1: Security & Risk Management CISSP Cheat Sheet Series

CIA Triad Achieving CIA - Best Practices


Preserving authorized restrictions on information Separation Mandatory Job Least Need to
Dual Control
access and disclosure, including means for protecting of Duties Vacations Rotation Privileges know
Confidentiality
personal privacy and proprietary information. Note –
Encryption (At transit – TLS) (At rest - AES – 256) Availability
RTO/MTD/RPO, MTBF, SLA
Guarding against improper information modification or Measuring Metrics
Integrity destruction and includes ensuring information
non-repudiation and authenticity.
IAAAA
Ensuring timely and reliable access to and use of
Availability Identification Unique user identification
information by authorized users.
*Citation: https://www.isc2.org/Certifications/CISSP/CISSP-Student-Glossary Authentication Validation of identification
Verification of privileges and permissions for
Authorization
D.A.D. authenticated user
Only authorized users are accessing and use the
Disclosure Alteration Destruction Accountability
system accordingly
Opposite of Tools, processes, and activities used to achieve and
Confidentiality
Opposite of Integrity Opposite of Availability Auditing
maintain compliance

Plans Protection Mechanisms


Type Duration Example Layering Abstractions Data Hiding Encryption
Strategic Plan up to 5 Years Risk Assessment
Tactical Plan Maximum of 1 year Project budget, staffing etc Data classification
Patching computers Entails analyzing the data that the organization retains, determining its
Operational Plan A few months Updating AV signatures
importance and value, and then assigning it to a category.
Daily network administration

Risk Management Risk Terminology


● No risk can be completely avoided . Asset Anything of value to the company.
● Risks can be minimized and controlled to avoid
Vulnerability A weakness; the absence of a safeguard
impact of damages.
Threat Things that could pose a risk to all or part of an asset
● Risk management is the process of identifying,
examining, measuring, mitigating, or transferring Threat Agent The entity which carries out the attack
risk Exploit An instance of compromise
*Citation:https://resources.infosecinstitute.com/category/certifications-traini
ng/cissp/domains/security-and-risk-management/ Risk The probability of a threat materializing

Solution – Keep risks at a tolerable and acceptable level. *Citation:https://resources.infosecinstitute.com/category/certifications-training/cissp/domains


Risk management constraints – Time, budget /security-and-risk-management/

Risk Management Frameworks


Preventive Deterrent
Detective Corrective Recovery
Ex ISO 27001 Ex ISO 27000
Security Policies Security Personnel Logs Alarms Backups
Security Cameras Guards Security Cameras Antivirus Solutions Server Clustering
Callback Security Cameras Intrusion Detection Systems Intrusion Detection Systems Fault Tolerant Drive Systems
Security Awareness Training Separation of Duties Honey Pots Business Continuity Plans Database Shadowing
Job Rotation Intrusion Alarms Audit Trails Antivirus Software
Encryption Awareness Training Mandatory Vacations
Data Classification Firewalls
Risk Framework Types
Smart Cards Encryption
Security and Risk Management

Asset Security
Risk Management Life Cycle
Security Engineering
Assessment Analysis Mitigation / Response
Communications and Network Security
Categorize, Classify & Evaluate
Qualitative vs Quantitative Reduce, Transfer, Accept Identity and Access Management
Assets
Security Assessment and Testing
as per NIST 800-30: Qualitative – Judgments Reduce / Avoid
Security Operations
System Characterization Quantitative – Main terms Transfer Software Development Security
Threat Identification AV – Asset Value Accept / Reject

Vulnerability Identification EF – Exposure Factor


The 6 Steps of the Risk
Management Framework
Control Analysis ARO – Annual Rate of Occurrence Security
Governance Categorize
Likelihood Determination Single Loss Expectancy = AV * EF
Select
Annual Loss Expectancy = BS 7799
Impact Analysis Implement
SLE*ARO
ISO 17799 & 2700 Series
Risk Determination Risk Value = Probability * Impact Asses
COBIT & COSO

Control Recommendation OCTAVE Authorize

Results Documentation ITIL Monitor

Threat Identification Models


S.T.R.I.D.E. Spoofing - Tampering - Repudiation - Information Disclosure - Denial of Service - Escalation of Privilege

D.R.E.A.D. Damage - Reproducibility - Exploitability - Affected - Discoverability

M.A.R.T. Mitigate - Accept - Reject - Transfer

Disaster Recovery / Types of Law


Intellectual Property
Business Continuity Plan Criminal law

Continuity plan goals Civil Law Copyright


Statement of importance Administrative Law
Statement of priorities Comprehensive Crime Control Act (1984)
Trademarks
Statement of organization
Computer Fraud and Abuse Act (1986) Patents
responsibility
Computer Security Act (1987)
Statement of urgency and timing Trade Secrets
Government Information Security Reform Act (2000)
Risk assessment
Risk acceptance / mitigation Federal Information Security Management Act (2002) Licensing
Domain 2: Asset Security CISSP Cheat Sheet Series

Classification Levels Typical Data Retention Durations Data Security Controls


Military Sector Private Sector Business documents 7 years
Top Secret Sensitive Data in Use Scoping & tailoring
Invoices 5 years
Secret Confidential
Confidential Private Accounts Payable / Receivable 7 years Data at Rest Encryption
Company Human Resources - Hired 7 years
Sensitive but restricted
Human Resources - Unhired 3 years
unclassified Company Secure protocols e.g.
Tax records 4 years Data in Motion
confidential https
Unclassified Public Legal correspondence Permanently

Data Ownership
Data Ownership Data Custodian Systems Owners Administrators End User
Grant permissions on daily basis
Ensure compliance with data policy and
Top level/Primary responsibility for
data ownership guidelines Grant permission
data Apply Security Controls
for data handling
Ensure accessibility, maintain and
Define level of classification
monitor security
Define controls for levels of
Data archive
classification Data Remanence
Data documentation
Define baseline security standards Series of processes that removes data,
Take regular backups , restore to check Sanitizing
Impact analysis completely
validations
Decide when to destroy Erase form magnetic tapes etc to ensure not
Ensure CIA Degaussing
information recoverable
Conduct user authorization
Erasing Deletion of files or media
Implement security controls
Overwriting Writing over files, shredding
Zero fill Overwrite all data on drives with zeros
Data Classification Criteria Destruction Physical destruction of data hardware device
Value - Usefulness - Age - Association Make data unreadable without special keys or
Encryption
algorithm
Data Retention Policies
The State of Florida Electronic Records and Records Management Practices,
2010
Standards
The European Documents Retention Guide, 2012 National Institute of Standards
NIST
Technology
Security Policies, Standards & Guidelines NIST SP 800 Series Computer security in a variety of areas
Regulatory Required by law and industrial standards Securing Information Technology
800-14 NIST SP
systems
Advisory Not compulsory, but advisable
Informative As guidance to others 800-18 NIST Develop security plans

Define best practices for information handling and usage 800-27 NIST SP Baseline for achieving security
Information -Security policies: Technical details of the policies Guidelines for sanitation and disposition,
800-88 NIST
Policy i.e. SYSTEM security policy: lists hardware / software in prevents data remanence
use and steps for using policies Continuous monitoring program: define,
800-137
Standards Define usage levels establish, implement, analyze and report
Guidelines Non-compulsory standards 800-145 Cloud computing standards
Procedures Steps for carrying out tasls and policies Federal Information Processing
FIPS
Baseline Minimum level of security Standards
Domain 3: Security Engineering CISSP Cheat Sheet Series
Security Models and Concepts Security Models System Evaluation and Assurance Levels Hardware architecture
Security architecture frameworks - Provides access rights including discretionary access control Evaluates operating systems, application and systems. But not Simultaneous running of
Trusted Computer Multitasking
A 2D model considering interrogations such as what, where MATRIX to subjects for different objects. network part. Consider only about confidentiality. Operational two or more tasks.
System Evaluation
Zachman Framework and when with, etc. With various views such as planner, owner, (Access control model) - Read, write and execute access defined in ACL as matrix assurance requirements for TCSEC are: System Architecture, Simultaneous running of
Criteria Multi programming
designer etc. columns and rows as capability lists. System Integrity, Covert Channel analysis, Trusted Facility two or more programs
(TCSEC)
-A subject cannot read data at a higher security level. (A.K.A Management and Trusted recovery.
Sherwood Applied CPU consists or more
simple security rule) A collection of criteria based on the Bell-LaPadula model used Multi-processing
Business Security To facilitate communication between stakeholders than one processor
Architecture (SABSA) - Subject in a defined security level cannot write to a lower Orange Book to grade or rate the security offered by a computer system
Processing Types
security level unless it is a trusted subject. (A.K.A *-property product.
Information Technology One security level at a
BELL-LAPADULA (star property) rule Red Book Similar to the Orange Book but addresses network security. Single State
Infrastructure Library Set of best practices for IT service management time.
(Confidentiality model) - Access matrix specifies discretionary access control.
(ITIL) Green Book Password Management.
- subject with read and write access should write and read at Multiple security levels at
Evaluates operating systems, application and systems. But not Multi State
Security architecture documentation the same security level (A.K.A Strong star rule :) Trusted Computer a time.
network part. Consider only about confidentiality. Operational
Establish security controls published by Standardization (ISO) - Tranquility prevents security level of subjects change between System Evaluation Software built in to in the
ISO/IEC 27000 Series assurance requirements for TCSEC are: System Architecture, Firmware
and the Electrotechnical Commission (IEC) levels. Criteria ROM.
System Integrity, Covert Channel analysis, Trusted Facility
Control Objectives for - Cannot read data from a lower integrity level (A.K.A The (TCSEC) Base Input Output Set of instructions used to
Define goals and requirements for security controls and the Management and Trusted recovery.
Information and Related simple integrity axiom) System (BIOS) load OS by the computer.
mapping of IT security controls to business objectives. Consider all 3 CIA (integrity and availability as well as
Technology (CobiT) - Cannot write data to an object at a higher integrity level. ITSEC
Types of security models BIBA (A.K.A the * (star) integrity axiom)
confidentiality
Mobile Security
(Integrity model) - Cannot invoke service at higher integrity. (A.K.A The TCSEC Explanation
Check each of the possible system state and ensure the proper Device Encryption • Remote wiping • Remote lock out
invocation property) D Minimal protection
State Machine Models security relationship between objects and subjects in each • Internal locks (voice, face recognition, pattern, pin,
- Consider preventing information flow from a low security level
state. DAC; Discretionary Protection (identification, authentication, password) • Application installation control • Asset
to a high security level. C1
Allocate each security subject a security label defining the resource protection) tracking (IMIE) • Mobile Device Management •
User: An active agent Removable storage (SD CARD, Micro SD etc.)
highest and lowest boundaries of the subject’s access to the C2 DAC; Controlled access protection
Multilevel Lattice Models • Transformation Procedure (TP): An abstract operation, such
system. Enforce controls to all objects by dividing them into
as read, writes, and modify, implemented through B1 MAC; Labeled security (process isolation, devices) IoT & Internet Security
levels known as lattices.
Programming B2 MAC; Structured protection
Network Segmentation (Isolation) • Logical Isolation
Arrange tables known as matrix which includes subjects and • Constrained Data Item (CDI): An item that can be manipulated B3 MAC; security domain (VLAN) • Physical isolation (Network segments) •
Matrix Based Models objects defining what actions subjects can take upon another only through a TP A MAC; verified protection Application firewalls • Firmware updates
object. • Unconstrained Data Item (UDI): An item that can be
CLARK WILSON Common criteria assurance levels
Consider the state of the system at a point in time for a
Noninterference Models subject, it consider preventing the actions that take place at
(Integrity model)
manipulated by a user via read and write operations
EAL0 Inadequate assurance
Physical Security
- Enforces separation of duty
one level which can alter the state of another level. - Requires auditing EAL1 Functionality tested Internal vs external threat and mitigation

Try to avoid the flow of information from one entity to another - Commercial use EAL2 Structurally tested Hurricanes, tornadoes, earthquakes
Information Flow Models Natural threats
which can violate the security policy. - Data item whose integrity need to be preserved should be EAL3 Methodically tested and checked floods, tsunami, fire, etc
Read and Write are allowed or restricted using a specific audited EAL4 Methodically designed, tested and reviewed Politically
Confinement - An integrity verification procedure (IVP) -scans data items and motivated Bombs, terrorist actions, etc
memory location, e.g. Sandboxing. EAL5 Semi-formally designed and tested
confirms their integrity against external threats EAL6 Semi-formally verified, designed and tested threats
Data in Use Scoping & tailoring
Information is restricted to flow in the directions that are EAL7 Formally verified, designed and tested Power/utility General infrastructure damage
Security Modes Information flow model permitted by the security policy. Thus flow of information from
ITSEC security evaluation criteria - required levels
supply threats (electricity telecom, water, gas, etc)
one security level to another. (Bell & Biba). Man Made
Use a single classification level. All objects can access all D + E0 Minimum Protection Sabotage, vandalism, fraud, theft
- Use a dynamic access control based on objects previous threats
Dedicated Security Mode subjects, but users they must sign an NDA and approved prior C1 + E1 Discretionary Protection (DAC)
actions. Liquids, heat, gases, viruses,
to access on need-to-know basis C2 + E2 Controlled Access Protection (Media cleansing for reusability) Major sources
- Subject can write to an object if, and only if, the subject bacteria, movement: (earthquakes),
All users get the same access level but all of them do not get Brewer and Nash B1 + E3 Labelled Security (Labelling of data) to check
System High Security cannot read another object in a different dataset. radiation, etc
the need-to-know clearance for all the information in the (A.K.A Chinese wall B2 + E4 Structured Domain (Addresses Covert channel)
Mode - Prevents conflict of interests among objects.
system. model) Natural threat control measures
Citation B3 + E5 Security Domain (Isolation)
In addition to system high security level all the users should https://ipspecialist.net/fundamental-concepts-of-security-mod Hurricanes, Move or check location, frequency of
A + E6 Verified Protection (B3 + Dev Cycle)
Compartmented Security Tornadoes, occurrence, and impact. Allocate
have need-to-know clearance and an NDA, and formal approval els-how-they-work/ Common criteria protection profile components
Mode Earthquakes budget.
for all access required information. Lipner Model Commercial mode (Confidentiality and Integrity,) -BLP + Biba Descriptive Elements • Rationale • Functional Requirements • Development assurance
Use two classification levels as System Evaluation and Raised flooring server rooms and
Multilevel Security Mode Graham-Denning Model Rule 1: Transfer Access, Rule 2: Grant Access, Rule 3: Delete requirements • Evaluation assurance requirements Floods
Assurance Levels offices to keep computer devices .
Objects, subjects and 8 Access, Rule 4: Read Object, Rule 5: Create Object, Rule 6: Certification & Accreditation
rules destroy Object, Rule 7: Create Subject, Rule 8: Destroy Electrical UPS, Onsite generators
Virtualization Harrison-Ruzzo-Ullman Restricts operations able to perform on an object to a defined
Certification
Evaluation of security and technical/non-technical features to ensure
if it meets specified requirements to achieve accreditation.
Fix temperature sensors inside
Guest operating systems run on virtual machines and hypervisors run on one or more Model set to preserve integrity. server rooms , Communications -
Declare that an IT system is approved to operate in predefined
host physical machines.
Accreditation Temperature Redundant internet links, mobile
conditions defined as a set of safety measures at given risk level.
Virtualization security Web Security NIACAP Accreditation Process
communication links as a back up to
Trojan infected VMs, misconfigured hypervisor cable internet.
threats Open-source application security project. OWASP creates Phase 1: Definition • Phase 2: Verification • Phase 3: Validation • Phase 4: Post Man-Made Threats
Software as A Service (SaaS), Infrastructure As A Service OWASP guidelines, testing procedures, and tools to use with web Accreditation
Cloud computing models Avoid areas where explosions can
(IaaS), Platform As A Service (PaaS) security.
Accreditation Types Explosions occur Eg. Mining, Military training
Account hijack, malware infections, data breach, loss of data Injection / SQL Injection, Broken Authentication, Sensitive Data
Cloud computing threats Type Accreditation Evaluates a system distributed in different locations. etc.
and integrity Exposure, XML External Entity, Broken Access Control, Security
OWASP Top 10 Misconfiguration, Cross-Site Scripting (XSS), Insecure System Accreditation Evaluates an application system. Minimum 2 hour fire rating for walls,
Fire
Memory Protection Deserialization, Using Components with Known Vulnerabilities, Site Accreditation Evaluates the system at a specific location. Fire alarms, Fire extinguishers.
Insufficient Logging and Monitoring Deploy perimeter security, double
Register Directly access inbuilt CPU memory to access CPU and ALU. Vandalism
Stack Memory Segment Used by processors for intercommunication.
Attackers try to exploit by allowing user input to modify the Symmetric vs. Asymmetric Encryption locks, security camera etc.
back-end/server of the web application or execute harmful Use measures to avoid physical
Monolithic Operating SQL Injections: Use a private key which is a secret key between two parties.
All of the code working in kernel mode/system. code which includes special characters inside SQL codes Fraud/Theft access to critical systems. Eg.
System Architecture Each party needs a unique and separate private key.
results in deleting database tables etc. Fingerprint scanning for doors.
Symmetric Algorithms Number of keys = x(x-1)/2 where x is the number of users. Eg.
Memory Addressing Identification of memory locations by the processor. SQL Injection prevention: Validate the inputs and parameters. DES, AES, IDEA, Skipjack, Blowfish, Twofish, RC4/5/6, and
Register Addressing CPU access registry to get information. Cross-Site Scripting Attacks carryout by inputting invalidated scripts inside CAST.
Site Selection
Immediate Addressing Part of an instruction during information supply to CPU. (XSS) webpages. Stream Based Symmetric Encryption done bitwise and use keystream generators Eg. Deter Criminal Activity - Delay
Physical
Direct Addressing Actual address of the memory location is used by CPU. Attackers use POST/GET requests of the http web pages with Cipher RC4. Intruders - Detect Intruders - Assess
security goals
Indirect Addressing Same as direct addressing but not the actual memory location. HTML forms to carry out malicious activity with user accounts. Situation - Respond to Intrusion
Encryption done by dividing the message into fixed-length
Block Symmetric Cipher Visibility - External Entities -
Base + Offset Addressing Value stored in registry is used as based value by the CPU. Cross-Request Forgery Prevention can be done by authorization user accounts to carry blocks Eg. IDEA, Blowfish and, RC5/6. Site selection
the actions. Eg. using a Random string in the form, and store it Accessibility - Construction - Internal
*Citation CISSP SUMMARY BY Maarten De Frankrijker Use public and private key where both parties know the public issues
on the server. Compartments
and the private key known by the owner .Public key encrypts
Cryptographic Terminology Cryptography Asymmetric Algorithms
the message, and private key decrypts the message. 2x is total • Middle of the building (Middle
number of keys where x is number of users. Eg. Diffie-Hellman, floor)
Encryption Convert data from plaintext to cipher text. • Single access door or entry point
• P - Privacy (Confidentiality) RSA, El Gamal, ECC, Knapsack, DSA, and Zero Knowledge
Decryption Convert from ciphertext to plaintext. • A – Authentication Proof. Server room • Fire detection and suppression
Key A value used in encryption conversion process. Cryptography Goals • I - Integrity security systems
Symmetric Algorithms Asymmetric Algorithms Hybrid Cryptography
(P.A.I.N.) • N - Non-Repudiation. • Raised flooring
Synchronous Encryption or decryption happens simultaneously. Use of both Symmetric and
Use of private key which is a Use of public and private key • Redundant power supplies
Encryption or decryption requests done subsequently or after a • Key space = 2n. (n is number of key bits) Asymmetric encryption. Eg.
Asynchronous secret key pairs • Solid /Unbreakable doors
waiting period. • Confidentiality SSL/TLS
8 feet and taller with razor wire.
Symmetric Single private key use for encryption and decryption. • Integrity Provide integrity. One way Fences and
Provides confidentiality but Provides confidentiality, Remote controlled underground
Key pair use for encrypting and decrypting. (One private and • Proof of origin function divides a message Gates
Asymmetrical Use of Cryptography not authentication or integrity, authentication, and concealed gates.
one public key) • Non-repudiation or a data file into a smaller
nonrepudiation nonrepudiation Perimeter Infrared Sensors - Electromechanical
• Protect data at rest fixed length chunks.
Use to verify authentication and message integrity of the Intrusion Systems - Acoustical Systems -
Digital Signature sender. The message use as an input to a hash functions for • Protect data in transit One key encrypts and One key encrypts and other Encrypted with the private
Detection CCTV - Smart cards -
validating user authentication. decrypts key decrypts key of the sender.
A one-way function, convert message to a hash value used to
Codes vs. Ciphers Message Authentication
Systems Fingerprint/retina scanning
Continuous Lighting - Standby
Hash verify message integrity by comparing sender and receiver Substitution cipher, Transposition cipher, Caesar Cipher, Larger key size. Bulk Code (MAC) used to encrypt Lighting
Classical Ciphers Small blocks and key sizes Lighting - Movable Lighting -
values. Concealment. encryptions the hash function with a Systems
Emergency Lighting
Modern Ciphers Block cipher, Stream cipher, Steganography, Combination. symmetric key.
Digital Certificate An electronic document that authenticate certification owner. Offsite media storage - redundant
Cipher converts Plaintext to another written text to hide original Allows for more trade-offs Media storage
Plaintext Simple text message. Concealment Cipher Faster and less complex. Not backups and storage
text. Slower. More scalable. between speed, complexity,
Normal text converted to special format where it is unreadable scalable Faraday Cage to avoid
Ciphertext and scalability.
without reconversion using keys. Uses a key to substitute letters or blocks of letters with electromagnetic emissions - White
Substitution Ciphers different letters or block of letters. I.e. One-time pad, Hash Functions and Digital
The set of components used for encryption. Includes Electricity noise results in signal interference -
Cryptosystem stenography. Certificates
algorithm, key and key management functions. Out-of-band key exchange In-band key exchange Control Zone: Faraday cage + White
Hashing use message
Reorder or scramble the letters of the original message where noise
Breaking decrypting ciphertext without knowledge of digests.
Cryptanalysis Transposition Ciphers the key used to decide the positions to which the letters are Use anti-static spray, mats and
cryptosystem used.
Cryptographic Algorithm Procedure of enciphers plaintext and deciphers cipher text.
moved.
Key Escrow and Recovery Static wristbands when handling electrical
Electricity equipment - Monitor and maintain
Cryptography
The science of hiding the communication messages from Common Algorithms Secret key is divided into two parts and handover to a third party.
humidity levels.
unauthorized recipients.
Cryptology Cryptography + Cryptanalysis
Symmetric/ PKI HVAC control
Heat - High Humidity - Low Humidity
Algorithm Asymmetric Key length Based on Structure levels
Decipher Convert the message as readable. confidentiality, message integrity, authentication, and nonrepudiation
64 bit cipher block size and 56 bit key • 100F can damage storage media
Encipher Convert the message as unreadable or meaningless. Receiver’s Public Key-Encrypt message
128-bit with 8 bits parity. such as tape drives.
One-time pad (OTP) Encipher all of the characters with separate unique keys. DES Symmetric 64 bit Lucifer • 16 rounds of transposition and Sender Private Key-Decrypt message • 175 F can cause computer and
Different encryption keys generate the same plaintext algorithm substitution Sender Private Key-Digitally sign electrical equipment damage.
Key Clustering • 350 F can result in fires due to
message. (ECB, CBC, CFB, OFB, CTR) Sender’s Public Key - Verify Signature
Key Space Every possible key value for a specific algorithm. 3 * 56 bit keys paper based products.
3 DES or
A mathematical function used in encryption and decryption of TDES Symmetric 56 bit*3 DES
• Slower than DES but higher security PKI Structure HVAC
• HVAC: UPS, and surge protectors
Algorithm (DES EE3, DES EDE3 ,DES EEE2, DES to prevent electric surcharge.
data; A.K.A. cipher. (Triple DES) Certificates Provides authorization between the parties verified by CA. Guidelines
EDE2) • Noise: Electromagnetic
Cryptology The science of encryption. Authority performing verification of identities and provides Interference (EMI), Radio Frequency
Use 3 different bit size keys Certificate Authority
Rearranging the plaintext to hide the original message; A.K.A. certificates. Interference
Transposition 128,192 or Rijndael Examples Bitlocker, Microsoft EFS
Permutation. AES Symmetric Registration Authority Help CA with verification. Temperatures, Humidity
256 bit algorithm Fast, secure 10,12, and 14
Exchanging or repeating characters (1 byte) in a message with Certification Path • Computer Rooms should have 15°
Substitution transformation rounds Certificate validity from top level.
another message. Validation C - 23°C temperature and 40 - 60%
64 bit cipher blocks (Humidity)
Key of a random set of non-repeating characters. A.K.A. One Certification Revocation
Vernam each block divide to 16 smaller Valid certificates list • Static Voltage
time pad. List
blocks • 40v can damage Circuits, 1000v
Confusion Changing a key value during each circle of the encryption. IDEA symmetric 128 bit Online Certificate status
Each block undergo 8 rounds of Used to check certificate validity online Flickering monitors, 1500v can
Diffusion Changing the location of the plaintext inside the cipher text. transformation protocol (OCSP) Voltage levels
cause loss of stored data, 2000v can
When any change in the key or plaintext significantly change Example PGP Cross-Certification Create a trust relationship between two CA’s control
Avalanche Effect cause System shut down or reboot,
the ciphertext. Skipjack Symmetric 80 bit 64 bit Block cipher 17000 v can cause complete
Split Knowledge Segregation of Duties and Dual Control.
Blowfish Symmetric 32-448bit 64 bit Block cipher
Digital Signatures electronic circuit damage.
Work factor The time and resources needed to break the encryption. • Sender’s private key used to encrypt hash value Fire proof Safety lockers - Access
128, 192, Equipment
Arbitrary number to provide randomness to cryptographic TwoFish Symmetric 128 bit blocks • Provides authentication, nonrepudiation, and integrity control for locking mechanisms
Nonce 256 safety
function. • Public key cryptography used to generate digital signatures such as keys and passwords.
Example SSL and WEP • Users register public keys with a certification authority (CA).
Dividing plaintext into blocks and assign similar encryption Maintain raised floor and proper
Block Cipher RC4 Symmetric 40-2048 • Stream cipher • Digital signature is generated by the user’s public key and validity period according to
algorithm and key. Water leakage drainage systems. Use of barriers
• 256 Rounds of transformation the certificate issuer and digital signature algorithm identifier.
Encrypt bit wise - one bit at a time with corresponding digit of such as sand bags
Stream Cipher 255 rounds transformation
the keystream. RC5 Symmetric 2048 Fire retardant materials - Fire
• 32, 64 & 128 bit block sizes Digital Certificate - Steps suppression - Hot Aisle/Cold Aisle
Dumpster Diving Unauthorized access a trash to find confidential information. Fire safety
CAST 128 Enrollment - Verification - Revocation Containment - Fire triangle (Oxygen -
Phishing Sending spoofed messages as originate from a trusted source. (40 to 128
64 bit block 12 transformation rounds Heat - Fuel) - Water, CO2, Halon
Social Engineering Mislead a person to provide confidential information. bit)
A moderate level hacker that uses readily found code from the
CAST Symmetric
CAST 256
128 bit block 48 rounds Cryptography Applications & Secure Protocols Fire extinguishers
Script kiddie transformation
internet. (128 to 256 Class Type Suppression
• BitLocker: Windows full volume encryption feature (Vista
bit)
Hardware -BitLocker and onward)
Requirements for Hashing Message Digest No confidentiality, authentication, or truecrypt • truecrypt: freeware utility for on-the-fly encryption A
Common Water , SODA
Diffie - combustible acid
Variable length input - easy to compute - one way function - digital signatures - fixed Asymmetric non-repudiation (discontinued)
Hellman
length output • Secure key transfer
CO2, HALON,
Uses 1024 keys A hardware chip installed on a motherboard used to manage B Liquid
MD Hash Algorithms • Public key and one-way function for Hardware-Trusted Symmetric and asymmetric keys, hashes, and digital
SODA acid
encryption and digital signature Platform Module (TPM) certificates. TPM protect passwords, encrypt drives, and
MD2 128-bit hash, 18 rounds of computations
verification manage digital permissions. C Electrical CO2, HALON
MD4 128-bit hash. 3 rounds of computations, 512 bits block sizes
RSA Asymmetric 4096 bit • Private key and one-way function for
128-bit hash. 4 rounds of computations, 512 bits block sizes, decryption and digital signature Encrypts entire packet components except Data Link Control
MD5 Link encryption D Metal Dry Powder
Merkle–Damgård construction generation information.
MD6 Variable, 0<d≤512 bits, Merkle tree structure • Used for encryption, key exchange End to end encryption Packet routing, headers, and addresses not encrypted.
and digital signatures Water based
Phased out, collision found with a complexity of 2^33.6 (approx
SHA-0 Privacy (Encrypt), Authentication (Digital signature), Integrity, suppression Wet pipes - Dry Pipe - Deluge
1 hr on standard PC) Retired by NIST Diffie - Used for encryption, key exchange
(Hash) and Non-repudiation (Digital signature) Email (Secure systems
160-bit MD, 80 rounds of computations, 512 bits block sizes, Elgamal Asymmetric Any key size Hellman and digital signatures
SHA-1 Merkle–Damgård construction (not considered safe against algorithm • Slower Email (PGP) MIME (S/MIME): Encryption for confidentiality, Hashing for • HI VIS clothes
well funded attackers) integrity, Public key certificates for authentication, and Personnel • Safety garments /Boots
Elliptic Used for encryption, key exchange
Message Digests for nonrepudiation. safety • Design and Deploy an Occupant
224, 256, 384, or 512 bits, 64 or 80 rounds of computations, Curve and digital signatures
Asymmetric Any key size Emergency Plan (OEP)
SHA-2 512 or 1024 bits block sizes, Merkle–Damgård construction Cryptosyste • Speed and efficiency and better Web application SSL/TLS. SSL encryption, authentication and integrity.
with Davies–Meyer compression function m (ECC) security
Cross-Certification Create a trust relationship between two CA’s • Programmable multiple control
Cryptographic Attacks (Privacy, authentication, Integrity, Non Repudiation).
locks
• Electronic Access Control - Digital
Use eavesdropping or packet sniffing to find or gain access to IPSEC Tunnel mode encrypt whole packet (Secure). Transport mode
Passive Attacks Algebraic Attack Uses known words to find out the keys scanning, Sensors
information. encrypt payload (Faster) Internal
• Door entry cards and badges for
Attacker tries different methods such as message or file modification Frequency Attacker assumes substitution and transposition ciphers use repeated Security
Active Attacks staff
Authentication Header (AH): Authentication, Integrity, Non
attempting to break encryption keys, algorithm. Analysis patterns in ciphertext. • Motion Detectors- Infrared, Heat
repudiation. Encapsulated Security Payload (ESP): Privacy,
Ciphertext-Only An attacker uses multiple encrypted texts to find out the key used for Assumes figuring out two messages with the same hash value is IPSEC components Based, Wave Pattern, Photoelectric,
Birthday Attack Authentication, and Integrity. Security Association (SA):
Attack encryption. easier than message with its own hash value Passive audio motion
Distinct Identifier of a secure connection.
Known Plaintext An attacker uses plain text and cipher text to find out the key used for
Dictionary Attacks Uses all the words in the dictionary to find out correct key
Attack encryption using reverse engineering or brute force encryption. Internet Security Association Key Management Protocol Create, distribute, transmission,
ISAKMP
Chosen Plaintext An attacker sends a message to another user expecting the user will Authentication, use to create and manage SA, key generation. storage - Automatic integration to
Replay Attacks Attacker sends the same data repeatedly to trick the receiver. Key application for key distribution,
Attack forward that message as cipher text.
Key exchange used by IPsec .Consists of OAKLEY and management storage, and handling. Backup keys
Social Engineering An attacker attempts to trick users into giving their attacker try to
Analytic Attack An attacker uses known weaknesses of the algorithm Internet Key Exchange Internet Security Association and Key Management Protocol should be stored secure by
Attack impersonate another user to obtain the cryptographic key used.
(IKE) (ISAKMP). IKE use Pre-Shared keys, certificates, and public key designated person only.
Brute Force Try all possible patterns and combinations to find correct key. Statistical Attack An attacker uses known statistical weaknesses of the algorithm authentication.
Differential Calculate the execution times and power required by the cryptographic Pilot testing for all the backups and
Factoring Attack By using the solutions of factoring large numbers in RSA
Cryptanalysis device. A.K.A. Side-Channel attacks Wired Equivalent Privacy (WEP): 64 & 128 bit encryption. Wi-Fi safety systems to check the
Testing
Linear Reverse Wireless encryption Protected Access (WPA): Uses TKIP. More secure than WEP working condition and to find any
Uses linear approximation Use a cryptographic device to decrypt the key WPA2: Uses AES. More secure than WEP and WPA. faults.
Cryptanalysis Engineering
Common TCP Protocols CISSP Cheat Sheet Series
Port Protocol
OSI Reference Model IP Addresses Port Ranges
20,21 FTP
7 layers, Allow changes between layers, Standard hardware/software interoperability. • Class A: 0.0.0.0 – 127.255.255.255 Authentication methods:
22 SSH Public IPv4
Tip, OSI Mnemonics • Class B: 128.0.0.0 – 191.255.255.255 • PAP=Clear text, unencrypted
23 TELNET address space Point to Point Tunneling Protocol (PPTP)
All People Seem To Need Data Processing • Class C: 192.0.0.0 – 223.255.255.255 • CHAP=unencrypted, encrypted
25 SMTP • Class A: 10.0.0.0 – 10.255.255.255 • MS-CHAP=encrypted, encrypted
Please Do Not Throw Sausage Pizza Away Private IPv4
53 DNS • Class B: 172.16.0.0 – 172.31.255.255
Layer Data Security address space Challenge-Handshake Authentication Encrypt username/password and
110 POP3 • Class C: 192.168.0.0 – 192.168.255.255 Protocol (CHAP) re-authenticate periodically. Use in PPP.
Application Data C, I, AU, N
80 HTTP • Class A: 255.0.0.0
Presentation Data C, AU, Encryption Subnet Masks • Class B: 255.255.0.0 Layer 2 Tunneling Protocol (L2TP) Use with IPsec for encryption.
143 IMAP
Session Data N • Class C: 255.255.255.0
389 LDAP Provide authentication and integrity, no
Transport Segment C, AU, I IPv4 32 bit octets Authentication Header (AH)
443 HTTPS confidentiality.
Network Packets C, AU, I IPv6 128 bit hexadecimal
636 Secure LDAP Encapsulating Security Payload (ESP) Encrypted IP packets and preserve integrity.
Data link Frames C
Physical Bits C
445 ACTIVE DIRECTORY Network Types Shared security attributes between two
1433 Microsoft SQL Security Associations (SA)
C=Confidentiality, AU=Authentication, I=Integrity, N=Non repudiation Geographic Distance and are is limited to one network entities.
3389 RDP Local Area
building. Usually connect using copper wire or Transport Mode Payload is protected.
Hardware / Network (LAN)
Layer (No) Functions Protocols 137-139 NETBIOS fiber optics
Formats Tunnel Mode IP payload and IP header are protected.
Campus Area Multiple buildings connected over fiber or
Cables, HUB, Attacks in OSI layers Network (CAN) wireless
Internet Key Exchange (IKE) Exchange the encryption keys in AH or ESP.
Electrical signal USB, DSL Remote Authentication Dial-In User Service Password is encrypted but user
Physical (1) Layer Attack Metropolitan
Bits to voltage Repeaters, (RADIUS) authentication with cleartext.
ATM Phishing - Worms - Area Network Metropolitan network span within cities
SNMP v3 Encrypts the passwords.
Application Trojans (MAN)
Frames setup
PPP - PPTP - L2TP - - ARP - Dynamic Ports 49152 - 65535
Error detection and control Wide Area Interconnect LANs over large geographic area
RARP - SNAP - CHAP - LCP - Layer 2 Phishing - Worms -
Data Link Check integrity of packets network (WAN) such as between countries or regions.
Presentation Trojans
Layer (2) Destination address, Frames
MLP - Frame Relay - HDLC -
ISL - MAC - Ethernet - Token
Switch -
bridges Session Session hijack
Intranet A private internal network Remote Access Services
use in MAC to IP address connects external authorized persons access to Telnet Username /Password authentication. No encryption.
Ring - FDDI Transport SYN flood - fraggle Extranet
conversion. intranet Remote login (rlogin) No password protection.
Routing, Layer 3 switching, Layer 3 smurfing flooding -
Network ICMP - BGP - OSPF - RIP - IP - Internet Public network SSH (Secure Shell) Secure telnet
segmentation, logical Switch - Network ICMP spoofing - DOS
layer BOOTP - DHCP - ICMP
addressing. ATM. Packets. Router Collision - DOS /DDOS Networking Methods & Standards Terminal Access Controller
Access-Control System
User credentials are stored in a server known as a
TACACS server. User authentication requests are
TCP - UDP datagrams. Data link - Eavesdropping
Routers - Software Decoupling the network control and the (TACACS) handled by this server.
Reliable end to end data Signal Jamming -
Segment - Connection VPN defined forwarding functions. More advanced version of TACACS. Use two factor
Transport transfer - Physical Wiretapping networking Features -Agility, Central management, TACACS+
oriented concentrato authentication.
Segmentation - sequencing -
rs - Gateway (SDN) Programmatic configuration, Vendor neutrality.
and error checking Hardware Devices Converged
Remote Authentication Dial-In Client/server protocol use to enable AAA services for
TCP - UDP - NSF - SQL - Transfer voice, data, video, images, over single User Service (RADIUS) remote access servers.
Session Data, simplex, half duplex, full Layer 1 device forward protocols for
RADIUS - and RPC - PPTP - Gateways HUB network. Secure and encrypted communication channel
Layer dupl Eg. peer connections. frames via all ports media transfer
PPP between two networks or between a user and a
digital to analog Fibre Channel Virtual private network (VPN)
Modem network. Use NAT for IP address conversion. Secured
Data Gateways conversion over Ethernet Running fiber over Ethernet network.
Presentation with strong encryptions such as L2TP or IPSEC.
compression/decompression TCP - UDP messages JPEG - TIFF - Routers Interconnect networks (FCoE)
layer
and encryption/decryption MID - HTML Multiprotocol
Interconnect networks in
TCP - UDP - FTP - TELNET -
Bridge
Ethernet Label
Transfer data based on the short path labels VPN encryption options
instead of the network IP addresses. No need of
Application TFTP - SMTP - HTTP CDP - Inbound/outbound data Switching • PPP for authentication
Data Gateways Gateways route table lookups.
layer SMB - SNMP - NNTP - SSL - entry points for networks (MPLS) • No support for EAP
HTTP/HTTPS. Internet Small Standard for connecting data storage sites such Point-to-Point Tunneling Protocol • Dial in
Frame forward in local
Switch Computer as storage area networks or storage arrays. (PPTP) • Connection setup uses plaintext
network.
TCP/IP Model Interface (ISCI) Location independent. • Data link layer
Share network traffic
Encryption and different protocols at different • Single connection per session
Layers Action Example Protocols load by distributing
Load balancers Multilayer
levels. Disadvantages are hiding coveted channels • Same as PPTP except more secure
Token ring • Frame Relay • FDDI traffic between two Protocols Layer 2 Tunneling Protocol (L2TP)
Network access Data transfer done at this layer and weak encryptions. • Commonly uses IPsec to secure L2TP packets
• Ethernet • X.25 devices
Voice over • Network layer
Create small data chunks called Hide internal public IP Allows voice signals to be transferred over the
Internet • Multiple connection per session
Internet datagrams to be transferred via IP • RARP • ARP • IGMP • ICMP address from external public Internet connection. Internet Protocol Security (IPsec)
Protocol (VoIP) • Encryption and authentication
network access layer Proxies public internet
Packet switching technology with higher • Confidentiality and integrity
Transport Flow control and integrity TCP • UDP /Connection caching and
Asynchronous
filtering. bandwidth. Uses 53-byte fixed size cells. On
Application
Convert data into readable Telnet • SSH • DNS • HTTP • FTP transfer mode
demand bandwidth allocation. Use fiber optics.
Communication Hardware Devices
format • SNMP • DHCP Use to create VPN or (ATM)
aggregate VPN Popular among ISPs Divides connected devices into one input signal for transmission over
VPNs and VPN Concentrator
TCP 3-way Handshake concentrators
connections provide PTP connection between Data terminal equipment one output via network.
using different internet X25 (DTE) and data circuit-terminating equipment Multiplexer Combines multiple signals into one signal for transmission.
SYN - SYN/ACK - ACK links (DCE) Hubs Retransmit signal received from one port to all ports.
Use with ISDN interfaces. Faster and use multiple
LAN Topologies Protocol analyzers
Capture or monitor
network traffic in PVCs, provides CIR. Higher performance. Need to
Repeater Amplifies signal strength.
Frame Relay
Topology Pros Cons real-time ad offline have DTE/DCE at each connection point. Perform
WAN Transmission Types
• No redundancy New generation error correction.
Unified threat • Dedicated permanent circuits or communication paths required.
BUS • Simple to setup • Single point of failure vulnerability scanning Synchronous Circuit-switched
management IBM proprietary protocol use with permanent • Stable speed. Delay sensitive.
• Difficult to troubleshoot application Data Link networks
dedicated leased lines. • Mostly used by ISPs for telephony.
Create collision Control (SDLC)
RING • Fault tolerance • No middle point • Fixed size packets are sending between nodes and share
domains. Routers High-level Data
Start • Fault tolerance • Single point of failure VLANs Use DTE/DCE communications. Extended Packet-switched bandwidth.
separate broadcast Link Control
• Redundant protocol for SDLC. networks • Delay sensitive.
Mesh • Fault tolerance domains (HDLC)
• Expensive to setup • Use virtual circuits therefore less expensive.
Intrusion detection and Domain name Map domain names /host names to IP Address
IDS/IPS
system (DNS) and vice versa.
Types of Digital Subscriber Lines (DSL) prevention.
Wireless Networking
Asymmetric Digital • Download speed higher than upload
Firewall and Perimeter Leased Lines Wireless personal area network (WPAN) standards
Subscriber Line • Maximum 5500 meters distance via telephone lines. T1 1.544Mbps via telephone line IEEE 802.15 Bluetooth
(ADSL) • Maximum download 8Mbps, upload 800Kbps. Security T3 45Mbps via telephone line IEEE 802.3 Ethernet
Rate Adaptive DSL • Upload speed adjust based on quality of the transmission line
DMZ Secure network between ATM 155Mbps IEEE 802.11 Wi-Fi
(RADSL) • Maximum 7Mbps download, 1Mbps upload over 5500 meters.
(Demilitarized external internet facing and ISDN 64 or 128 Kbps REPLACED BY xDSL IEEE 802.20 LTE
Symmetric Digital • Same rate for upstream and downstream transmission rates.
zone) internal networks. Reserved 1024-49151
Subscriber Line • Distance 6700 meters via copper telephone cables Wi-Fi
(SDSL) • Maximum 2.3Mbps download, 2.3Mbps upload. Bastion Host - Dual-Homed - Three-Legged - BRI B-channel 64 Kbps
Standard Speed Frequency (GHz)
• Higher speeds than standard ADSL Screened Subnet - Proxy Server - PBX - Honey BRI D-channel 16 Kbps
Very-high-bit-rate DSL 802.11a 54 Mbps 2.4
• Maximum 52Mbps download, 16 Mbps upload up to 1200 Pot - IDS/IPS PRI B & D channels 64 Kbps
(VDSL) 802.11b 11 Mbps 5
Meters
802.11g 54 Mbps 2.4
High-bit-rate DSL
(HDSL)
T1 speed for two copper cables for 3650 meters Network Attacks 802.11n 200+ Mbps 2.4/5

Committed Virus Malicious software, code and executables 802.11ac 1Gbps 5


Minimum guaranteed bandwidth provided by service provider. Worms Self propagating viruses
Information Rate (CIR) • 802.11 use CSMA/CA protocol as DSSS or FHSS
Logic Bomb Time or condition locked virus • 802.11b uses only DSSS
LAN Packet Transmission Code and/or executables that act as legitimate software, but are not legitimate and are Wireless Security Protocols
Trojan
Unicast Single source send to single destination malicious Directly connects peer-to-peer mode clients without a
Backdoor Unauthorized code execution entry Ad-hoc Mode
Multicast Single source send to multiple destinations central access point.
Broadcast Source packet send to all the destinations. A series of small attacks and network intrusions that culminate in a cumulative large Infrastructure Mode Clients connect centrally via access point.
Salami, salami slicing
scale attack WEP (Wired Equivalent
Carrier-sense Multiple One workstations retransmits frames until destination
Data diddling Alteration of raw data before processing Confidentiality, uses RC4 for encryption.
Access (CSMA) workstation receives. Privacy)
CSMA with Collision Terminates transmission on collision detection. Used by Sniffing Unauthorized monitoring of transmitted data WPA (Wi-Fi Protected Uses Temporal Key Integrity Protocol (TKIP) for data
Detection (CSMA/CD) Ethernet. Monitor and capture of authentication sessions with the purpose of finding and hijacking Access) encryption.
Session Hijacking
Upon detecting a busy transmission, pauses and then credentials WPA2 Uses AES, key management.
CSMA with Collision
re-transmits delayed transmission at random interval to DDoS (Distributed Denial of Overloading a server with requests for data packets well beyond its processing capacity WPA2-Enterprise Mode Uses RADIUS
Avoidance (CSMA/CA)
minimise two nodes re-sending at same time. Service) resulting in failure of service TKIP (Temporal Key Integrity
Combination of a DDoS attack and TCP 3-way handshake exploit that results in denial of Uses RC4 stream cipher.
Sender sends only if polling system is free for the Protocol)
Polling SYN Flood
destination. service EAP (Extensible Utilizes PPP and wireless authentication. Compatible with
Sender can send only when token received indicating free to Particular kind of DDoS attack using large numbers of Internet Control Message Authentication Protocol) other encryption technologies.
Token-passing Smurf
send. Protocol (ICMP) packets PEAP (Protected Extensible Encapsulates EAP within an encrypted and authenticated
Broadcast Domain Set of devices which receive broadcasts. Fraggle Smurf with UDP instead of TCP Authentication Protocol) TLS tunnel.
Set of devices which can create collisions during LOKI Uses the common ICMP tunnelling program to establish a covert channel on the network Port Based Authentication 802.1x, use with EAP in switching environment
Collision Domain
simultaneous transfer of data.
Wireless Spread Spectrum
Layer 2 Switch Creates VLANs A type of DDoS attack that exploits a bug in TCP/IP fragmentation reassembly by
Teardrop FHSS (Frequency Hopping Uses all available frequencies, but only a single frequency
Layer 3 Switch Interconnects VLANs sending fragmented packets to exhaust channels
Spectrum System) can be used at a time.
Zero-day Exploitation of a dormant or previously unknown software bug
LAN / WAN Media DSSS (Direct Sequence
Spread Spectrum)
Parallel use of all the available frequencies leads to higher
throughput of rate compared to FHSS.
Land Attack Caused by sending a packet that has the same source and destination IP
Pair of twisted copper wires. Used in ETHERNET. Cat5/5e/6. Cat5 OFDM (Orthogonal
Twisted Pair Anonymously sending malicious messages or injecting code via bluetooth to
speed up to 100Mbps over 100 meters. Cat5e/6 speed 1000Mbps. Bluejacking, Bluesnarfing Frequency-Division Orthogonal Frequency-Division Multiplexing
unprotected devices within range Multiplexing)
Unshielded Twisted DNS Spoofing, DNS The introduction of corrupt DNS data into a DNS servers cache, causing it to serve
Less immune to Electromagnetic Interference (EMI)
Pair (UTP)
Shielded Twisted
Poisoning corrupt IP results Firewall Generation Evolution
Similar to UTP but includes a protective shield. Session hijacking Change TCP structure of the packet to show the source as trusted to gain access to
Pair (STP) • Packet Filter Firewalls: Examines source/destination address,
(Spoofing) targeted systems. First Generation
protocol and ports of the incoming packets. And deny or permit
Thick conduit instead of two copper wires. 10BASE-T, 100BASE-T, A TCP sequence prediction A successful attempt to predict a TCP number sequence resulting in an ability to Firewalls
Coaxial Cable according to ACL. Network layer, stateless.
and 1000BASE-T. / number attack compromise certain types of TCP communications
Uses light as the media to transmit signals. Gigabit speed at long Second Generation • Application Level Firewall / Proxy Server: Masks the source
Fiber Optic distance. Less errors and signal loss. Immune to EMI. Multimode Email Security Firewalls during packet transfer. Operating at Application layer, stateful.
and single mode. Single mode for outdoor long distance. LDAP (Lightweight Directory Access
Active directory based certificate management for email authentication. Third Generation • Stateful Inspection Firewall: Faster. State and context of the
Over a public switched network. High Fault tolerance by relaying Protocol) Firewalls packets are inspected.
Frame Relay WAN
fault segments to working. SASL (Simple Authentication and
Secure LDAP authentication. • Dynamic Packet Filtering Firewall: Dynamic ACL modification
Security Layer) • Packet Filtering Routers: Located in DMZ or boundary networks.
Secure Network Design - Components Client SSL Certificates Client side certificate to authenticate against a server. Includes packet-filter router and a bastion host. Packet filtering and
Network address S/MIME Certificates Used for signed and encrypted emails in single sign on (SSO) Fourth Generation proxy
Hide internal public IP address from external internet
translation (NAT) Uses the multipart/signed and multipart/encrypted framework to apply Firewalls • Dual-homed Host Firewall: Used in networks facing both internal
MOSS (MIME Object Security Services) and external
Port Address Allow sharing of public IP address for internal devices and digital signatures.
• Screened-subnet Firewall: Creates a Demilitarized Zone (DMZ) -
Translation (PAT) applications using a given single public IP address assigned by ISP A sequence of RfCs (Request for Comments) for securing message
PEM (Privacy-Enhanced Mail) network between trusted and untrusted
authenticity.
Stateful NAT Keeps track of packets transfer between source and destinations Fifth Generation • Kernel Proxy Firewall: Analyzes packets remotely using virtual
One to one private to public IP address assigned between two end DKIM (Domainkeys Identified Mail) Technique for checking authenticity of original message. Firewalls network
Static NAT
devices Next-generation
An open protocol to allow secure authorization using tokens instead of • Deep packet inspection (DPI) with IPS: Integrated with IPS/IDS
Dynamic NAT Pool of internal IP maps one or several public IP address OAuth Firewalls (NGFW)
passwords.
Domain 5: Identity & Access Management CISSP Cheat Sheet Series

Three-factor Authentication (3FA) Terminology Access Control Requirements


Access Action required to allow information flow between objects. CIA Triad: Confidentiality - Integrity - Availability (See Domain 1 cheat
Knowledge factor Something that is known by the user Control Security measures taken to restrict or allow access to systems. sheet!!!!!)

Ownership factor Something that the user possesses, like a key or a token.
Subject An entity which requires access to an object or objects. Identity Management
Object Entity which consists information. IAAA – Identification - Authentication - Authorization - Accountability.
Characteristic A user characteristic, such as biometrics; fingerprints, face
• Registration verification of user identity and add an
factor scan, signature. Levels of Access & Control identifier to system.
Identification
Centralized Only one component can control access. Highly restricted • Assign user the proper controls
Knowledge –Type/category 1 – something you know administration level where control done centrally. • Commonly use user ID or username.

Password authentication, Secret questions such as mother’s maiden name, Decentralized Access is controlled by information owners, Can be less • User verification process
Authentication
favorite food, date of birth, key combination / PIN. administration consistent. • Commonly used passwords
Hybrid Combination of centralized and decentralized. Authorization • Defining resources for user access
Terminology and concepts Accountability • Person responsible for the controls, uses logs.
Access stances allow-by-default or deny-by-default
Random data added to a password before hashing and
• A.K.A federated ID management
SESAME (Secure European System for Applications in
storing in a database on a server. Used instead of
Salted hash
plaintext storage that can be verified without revealing
Single • Pros – ComplEg. passwords, easy administration, faster a Multi-vendor Environment)
password. Sign-On authentication. Public Key cryptology only authenticates initial segment without
(SSO) • Cons – Risk of all systems comprised by unauthorized authenticating full message. Two separate tickets are in use one for
Alphanumeric, more than 10 characters. Includes a access of a key or keys. authentication and other one defines the access privileges for user. Both
ComplEg.
combination of upper and lower case letters, numbers symmetric and asymmetric encryptions are used.
password
and symbols. Authorization Exchange authentication and authorization information
between security domains and systems.
One-time password Dynamically generated to be used for one session or SAML -
(OTP) transaction.
Access control policies: Level of access and controls granted for a user. • Components: Principal User • Identity provider • Service
(SOAP/XML)
provider.
Static password Password does not change. To be avoided. Separation of Assigning different users different levels of access to • Use in directory federation SSO.
duties protect privacy and security.
Something used to identify a person, i.e. pets name,
Access to perform specific functions is granted to two or
Authorization Concepts
Cognitive password favorite color, mother’s maiden name etc, place of birth Dual Controls
more users. Security
etc. Set of resources having the same security policies.
domain
Password Hacking Unauthorized access of a password file Split Knowledge No single user can have full information to perform a task. Federated Organization having a common set of policies and standards
Identity within the federation.
Multiple attempts using all possible password or pin Principle of Least User is given minimum access level needed to perform a
Brute force attack Privilege task.
combinations to guess the password. Federation Models
Type of brute force attack that uses all the words from Need-to-Know Minimum knowledge level to perform a task. Every organization is certified and trusted by the other
Dictionary attack Cross-Certification
the dictionary. organizations within the standards defined internally by
No Access User is not assigned any access for any object. Model
said organizations.
Gain access by impersonating a user by establishing Trusted
Social engineering Centrally managed database for user objects management. Every organization adheres to the standards set by a third
legitimate user credentials through social manipulation of Directory Service Third-Party /
attack i.e. LDAP party.
trusted parties or authorities. Bridge Model
Client /server model authentication protocol. IDaaS (Identity as Identity and access management is provided by a third
Precomputed table for reversing cryptographic hash
Rainbow Tables • Symmetric Key Cryptography a Service) party organization.
functions and cracking passwords.
Kerberos • Key Distribution Center (KDC) Access management for multiple similar, yet independant
• Confidentiality and integrity and authentication, SSO (Single
Ownership –Type/category 2 – Something you have systems. Primarily used for the cloud and SaaS based
symmetric key cryptography sign-on)
system access.
Synchronous token Create password at regular time intervals. Cloud Identity User account management (Office 365)
Authentication administrative domain. Uses symmetric-key
Realm Directory
cryptography On-premises identity provider (Microsoft Active directory)
Asynchronous Generate a password based on the challenge-response Synchronization
token technique. Issues tickets to client for server authentication
KDC (Key On-premises identity provider for managing login request.
• Stores secret keys of all clients and servers in the network Federated Identity
Memory card A swipe card containing user information. Distribution (MS AD)
• AS (Authentication Server)
Center)
Smart Cards or
A card or dongle that includes a chip and memory, like
• TGS (Ticket Granting Server) Access Control Models
Integrated Circuit
bank cards or credit cards. • User input username/password in client PC/Device. By default access to an object is denied unless explicitly
Card (ICC) Implicit Deny
• Client system encrypts credentials using AES to submit granted.
Contact Cards Swiped against a hardware device. for KDC. Access Control Table which included subjects, objects, and access
• KDC match input credentials against database. Matrix controls / privileges.
The Kerberos
Contactless Cards • KDC create a symmetric key and time-stamped TGT to be List access controls and privileges assigned to a subject.
Simply need to be within proximity to the reader device. logon process
or Proximity Cards used by the client and the Kerberos server. Capability Tables • ACLs focus on objects whereas capability lists focus on
• Key and TGT are encrypted using client password hash. subjects.
Allows a card to be used in both contact and contactless • Client installs the TGT and decrypts the symmetric key
Hybrid Cards Permissions Access granted for an object.
systems. using a hash.
Rights Ability/access to perform an action on an object.
USB drive Bespoke USB with access credentials Privileges Combination of rights and permissions.
Authorization Methods
Static password
token
Simplest type of security token where the password is
stored within the token. Discretionary Access Control (DAC) • Mandatory Access Control (MAC) • Access Control Categories
Role-based Access Control (role-BAC) • Rule-based Access Control (Rule-BAC). Category Scope / Purpose Example
Challenge/respons Two keys or key and
A challenge has to be met by the correct user response. Discretionary Access Control Uses access control lists (ACLs -
e token Compensative Risk mitigation action. combination to open a safety
(DAC) Access-control lists).
locker.
Characteristic –Type/category 3 – Something you do / are Subject authorize according to security labels.
Having fire extinguishers, having
Mandatory Access Control Used by owners to grant or deny access to Corrective Reduce attack impact.
offsite data backups.
Biometric technology allows the user to be authenticated based on (MAC) other users. ACL defines the level of access
physiological behavior or characteristics. Detect an attack before CCTV, intrusion detection
granted or denied to subjects. Detective
• Physiological i.e. Iris, retina, and fingerprints. happens. systems (IDS).
Task-based access controls - subjects require User identification and
• Behavioral i.e. Voice pattern
Role-BAC (RBAC) access an object based on its role or Deterrent Discourages an attacker.
authentication, fences
assigned tasks.
Physiological Characteristics Define and document
Uses a set of rules or filters to define what Directive acceptable practices within Acceptable Use Policy (AUP)
Fingerprint Scans the thumb or edge of the finger. Rule-BAC
can or cannot be done on a system. an organization.
Locks, biometric systems,
Size, shape, bone length, finger length, or other layout Hybrid RBAC Limited RBAC Preventative Stop an attack.
Hand Geometry encryption, IPS, passwords.
attributes of a user’s hand are taken.
Objects are classified based on control level Recovery of a system after Disaster recovery plans, data
Lattice based / Label Recovery
Hand Topography Hand peaks and valleys pattern. using a label. an attack. backups etc.

Non-discretionary access / Based on policies defined by a central


Palm or Hand Scan Fingerprint and geometry combination of palm.
Mandatory-Access control authority. Role based or task based. Vulnerability Assessment
Facial features such as bone, eye length, nose, chin shape Personnel Testing • Physical Testing • System and Network Testing
Facial Scan
etc.
Authorization Methods / Concepts Penetration Testing and Threat Modeling
Retina Scan Retina blood vessel scan. Constrained Interface Restrict actions which can be performed with given Simulate an attack to determine the probability of the attack to the application
Applications privileges. systems
Retina blood vessel 1. Record information about the system
Scans the colored part of the eye around the pupil. Restrict access to data depends on the content of an
scan Content-Dependent
object. 2. Collect information about attack against the system
Vascular Scans Scans the pattern of the veins in the users hand or face. Granting users access after a specific condition. Eg. 3. Discover known system vulnerabilities
Context-Dependent Steps
after specific date/time.
4. Perform attacks against the system attempting to gain
Voice print Verify speech sound patterns. Work Hours Context-dependent control access
Subjects are given access to object only to perform
Scanning Behaviors 5. Document the outcome of the penetration test
Least Privilege what they need to have.
• No more or no less! Penetration Test Types
Signature Dynamics Pen pressure and acceleration is measured.
Separation of Duties Organization knows about possible attack but very limited
Tasks split to be performed by two or more people. Blind Test
and Responsibilities knowledge.
Keystroke
Scan the typing pattern.
Dynamics Auditing and Reporting • Vulnerability Assessment • Organization doesn’t know about incoming attack except for
User Accountability Double-Blind
Penetration Testing • Threat Modeling very few people in the organization who do not exchange
Test
Voice Pattern / Measures the sound pattern of a user read particular Users are responsible for what actions they have information.
Print word. performed. Organization has prior knowledge of the attack, including
Target Test
Auditing and Reporting Events to be monitored for reporting: Network Events • key details
Biometric Does not change throughout human life and unique. High
Application Events • System Events • User Events •
Considerations accuracy rate. Penetration Strategies
Keystroke Activity
Zero-Knowledge Test team doesn’t know any information about the target
Enrollment Time Sample processing for use by the biometric system. Test network A.K.A. black box testing.
Access Control Types Partial The testing team knows public knowledge about the
The process of obtaining the information from a
Feature Extraction Knowledge Test organization’s network.
collected sample. Type Scope / Purpose Example
Full Knowledge The testing team knows all available information regarding
Accuracy Scan the most important elements for correctness. Administration of Data classification, data
Administrative Test the organization’s network.
organization assets and labeling, security awareness
Controls
Throughput Rate The rate which the system can scan and analyze. personal. training.
Password types
False Rejection The percentage of valid users that will be falsely rejected. Firewalls, IDS’s/ IPS’s,
Logical / Single word usually a mixture of upper
Rate (FRR) Type 1 error. Restrict access. encryption, biometrics, smart Simple Passwords
Technical Controls and lowercase letters.
cards, and passwords.
False Acceptance The percentage invalid users that will be falsely accepted. Combination / Composition Combination of two unmatching
Protect organization’s
Rate (FAR) Type 2 error. Perimeter security, Passwords dictionary words.
Physical Controls infrastructure and
biometrics and cabling. Passphrase Passwords Requires that a long phrase be used.
Crossover Error The point at which FRR equals FAR. This is expressed as personnel.
Rate (CER) a percentage - lower CER is better. Passwords that are valid for a single
One-Time or Dynamic Passwords
session login.
Procedure for user account management
Order of effectiveness and accuracy: Iris Scan • Retina Uses of character images or graphics
Graphical Passwords (CAPCHA)
Biometric scans Scan • Fingerprint • Hand Geometry • Voice Pattern • Regular user account review and password changes, track access authorization as a part of the authentication.
Keystroke Pattern • Signature Dynamics. using a procedure, regularly verify the accounts for active status. Numeric Passwords A password that only uses numbers.
Domain 6: Security Assessment & Testing CISSP Cheat Sheet Series

Software Testing Software Development Security Best Practices


Software security analysis using automated tools. WASC Web Application Security Consortium
Static Testing Do not analyze either the source code or the OWASP Open Web Application Security Project
compiled application. Eg. Buffer overflow
BSI the Build Security In initiative
Analyze and test using running environment. Use
IEC The International Electrotechnical Commission
to test software provided by third parties where no
Dynamic Testing
access to software code. Eg. cross-site scripting,
SQL injection
Security Testing
Type of dynamic testing which use specific inputs To make sure security controls are properly applied and in use. Automated scans,
Fuzz Testing to detect flaws under stress/load. Eg. input invalid vulnerability assessments and manual testing.
parameters to test Software Threats
Mutation / Dumb Fuzzing Using already modified input values to test. Stealth virus • Polymorphic virus • Macro virus •
Viruses
Generational / Intelligent • Spyware/Adware • Botnet • worm
Inputs models of expected inputs.
Fuzzing Kernel-mode Rootkit • Bootkit • User-mode Rootkit •
Rootkit
Virtual Rootkit • Firmware Rootkit
Evaluate the vulnerability of known risks and
Misuse Case Testing Source Code Issues Buffer Overflow • Escalation of Privileges • Backdoor
attacks.
Evaluate performance of software modules Antivirus software • Antimalware software • Security
Malware Protection
Interface Testing against the interface specifications to validate Policies
working status. Considerations
Application Programming Test APIs to verify web application meets all • Resources availability
Interfaces (APIs) security requirements. • Level of critical and sensitiveness of the system under testing
Includes graphic user interfaces (GUIs) and • Technical failures
User Interfaces (UIs) command-line interfaces (CLI). Review of user • Control misconfigurations result in security loopholes
interfaces against requirement specifications. • Security attack risks
• Risk of performance changes
Eg. in physical machines such as ATM, card
Physical Interfaces • Impact on normal operations
readers etc.
Verification & Validation
Testing a small part of the system to test units are
Unit Testing • Verification – SDLC design output meets requirements
good for integration into final product.
• Validation – Test to ensure software meets requirements
Transfer of data and control between program
Integration Level Testing Security Software
interfaces.
Verify system has all the required specifications • Antimalware and Antivirus – Scan and log malware and virus detection
System Level Testing • IDS/IPS = Real time and promiscuous monitoring for attacks
and functions.
• Network-based IDS
Log Management System • Local network monitoring and passive and header level scanning .No host level
scan.
Analyze daily operations and review possible attacks to • HOST BASED
OPSEC process
apply countermeasures. • Monitor hosts using event logs
Pen-test Testing of network security in view of a hacker. • Intrusion prevention system (IPS) – Attack detects and prevent
Port scanner Check any port or port range open in a computer. • Remote Access Software Should be access via a VPN
• Vulnerability assessment Software – should be updated and patched
Ring zero Internal code of the system.
• Routers – policy based access control
Operational assurance Verify software meets security requirements.
Logs
Supervisor mode Processes running in internal protected ring.
Network Flow Network traffic capture
Audit logging Events related to hardware device login and access
Threat Assessment Modeling
Network Time Protocol Should synchronize across entire network to have correct
Evaluate threats against applications or operating (NTP) and consistent time in logs and device traffic flows.
STRIDE
systems. Syslog Device event message log standard.
Use of false identity to gain access to system identity. Event types Errors, Warnings, Information, Success Audits, Failure
Spoofing Can use IP/ MAC address, usernames, wireless network Simple Network
SSIDs. Management Protocol Support for different devices such as Cisco.
Cause unauthorized modifications of data in transit or in (SNMP)
Tampering storage. Results in violation of integrity as well as Monitoring and auditing
availability. Define a clipping level. A.K.A BASELINE
Repudiation Deny an action or activity carried out by an attacker. • Audit trails – event/transaction date/time, author /owner of the event
• Availability – Log archival
Distribution of private/confidential or restricted
Information disclosure • Log Analysis – examine logs
information to unauthorized parties.
Code Review and Testing
Attack result in increase the level privileges for a limited
Elevation of privilege Person other than the code writer/developer check the code to find errors
user account.
Fagan inspections – Planning • Overview • Preparation • Inspection • Rework •
Regular monitoring of Number of open vulnerabilities and compromised
steps Follow-up
key performance and accounts, vulnerability resolve time, number of detected
Code Coverage Report Details of the tested code structure
risk indicators including software flaws etc.
Use cases Percentage of the tested code against total cases
Automatically probe systems, applications, and
Vulnerability scans Code Review Report Report create in manual code testing
networks.
Black-box testing Test externally without testing internal structure
Sends a packet with SYN flag set. Also known as
TCP SYN Scanning Dynamic Testing Test code in run time
“half-open” scanning.
White-box testing Detailed testing by accessing code and internal structure
Perform when a user running the scan does not have the
TCP Connect Scanning CVE Common Vulnerability and Exposures dictionary
necessary permissions to run a half-open scan.
CVSS Common Vulnerability Scoring System
TCP ACK Scanning Sends a packet with the ACK flag set.
NVD National Vulnerability Database
Xmas Scanning Sends a packet with the FIN, PSH, and URG flags set.
Verify the installations required for testing do not have
Regression Testing
Passive Scanning Detect rogue scanning devices in wireless networks. any issues with running system
Authenticated scans Read-only account to access configuration files. Integration Testing Test using two or more components together
Domain 7: Security Operations CISSP Cheat Sheet Series
Incident Scene Characteristics of Evidence Evidence Lifecycle Configuration Management (CM)
Assign ID to the scene • Incident environment protection • ID and possible Sufficient Validity can be acceptable. 1. Discovery An ITILv2 and an ITSM process that tracks all of the individual Configuration Items
sources of evidence • Collect evidence • Avoid or minimize evidence Reliable Consistent facts. Evidence not tampered or modified. 2. Protection (CI)
contamination Reasonable facts, with proof of crimes, acts and methods used, 3. Recording Configuration Version: state of the CI, Configuration - collection of component
Relevant Items (CI) CI’s that makes another CI
Locard’s event documentation 4. Collection and identification
In a crime the suspected person leaves something and takes
Exchange Permissible Evidence obtained lawfully Building Assembling a component with component CI’s Build list
something. The leftovers can be used to identify the suspect. 5. Analysis
Principle Recovery procedures. Eg. system restart. Should be accessed
6. Storage, preservation, transportation Artifacts
Interviewing and Interrogation by authorized users from authorized terminals.
Live Evidence Interviewing Collect facts to determine matters of the incident.
7. Present in court

• Most reliable and used by trial Obtain a confession by evidence retrieval method.
8. Return to owner
Incident Response
Primary Interrogation
• Original documents–Eg. Legal contracts Response Capability • Incident response and handling •
Evidence
• No copies or duplicates
• The Process: Prepare questions and topics, summarize information
Digital Evidence Lifecycle
Recovery • Feedback
Opinion Rule Witnesses test only the facts of the case, not used as evidence.
• Less powerful and reliable than primary evidence. Mitigation Limit the impact of an incident.
Expert Six principles to guide digital evidence
Secondary • Eg. Copies of originals, witness oral evidence. Can be used as evidence.
Witnesses technicians
Evidence • If primary evidence is available secondary of the same content
is not valid.
Root Cause Analysis (RCA)
Can prove without a backup support.
Network Analysis • All general forensic and procedural
principles apply. Fault tree analysis (FTA) Top down deductive failure analysis using boolean logic.
Direct Evidence Use of existing controls to inspect a security breach incident. Eg. IDS/IPS, firewall
• Eg. witness testimony by his/her own 5 senses.
logs • Upon seizure, all actions should not Review of as many components, assemblies, and
• Cannot contradict, conditional evidence, no other supportive Failure mode and
Conclusive • Software Analysis: Forensic investigation of applications which was running while change the data. subsystems as possible to identify potential failure
evidence requires effects analysis (FMEA)
Evidence the incident happened. modes.
• Cannot be used to directly prove a fact • All people accessing the data should
• Hardware/ Embedded Device Analysis: Eg. review of Personal computers & Looks at the predominant likely causes to deal with them
Corroborative be trained Pareto Analysis
• Use as substantiate for other evidence Smartphones first.
Evidence
• All actions performed on the data Connects individual cause-and-effect relationships to give
Cause mapping
Hearsay
• Something heard by the witness where another person told Governing Laws should be fully documented and insights into the system of causes within an issue.
Evidence
• Common law - USA, UK Australia, Canada accessible.
Asset Management • Civil law - Europe, South America Disaster Recovery Methods
• Islamic and other Religious laws – Middle East, Africa, Indonesia, USA • Anyone that possesses evidence is
A real-time mirror of your system and network activity
Preserve Availability • Authorization and Integrity • Redundancy and Fault Tolerance • responsible for all actions taken with it
• Legislative: Statutory law - Make the laws Hot Site running in sync. Allows for minimum disruption and
Backup and Recovery Systems • Identity and Access Management while in their possession.
The 3 Branches of Law • Executive: Administrative law - Enforce the laws downtime.
• Hierarchical Storage Management (HSM): continuous online • Juridical: Interpret the laws • Any agency that possesses evidence An alternative workspace with power and HVAC setup, but
backup system Using optical storage. Cold Site
Storage • Criminal law –violate government laws result in is is responsible for compliance with no hardware. All recovery efforts will be technician heavy.
• Media History: Media usage log
Management commonly imprisonment these principles. A middle-ground solution which includes skeletal hardware,
• Media Labeling and Storage: safe store of media after labeling Warm Site
Issues • Civil law – Wrong act against individual or organization software and connectivity to restore critical functionality.
sequentially
which results in a damage or loss. Result in financial
• Environment: Temperature and heat Eg. Magnetic media Categories of law
penalties. Media Analysis Service Bureau Contract with a service bureau to provide backup services.
• Data Purging: degaussing Archived data not usable for • Administrative/Regulatory law – how the industries, Multiple centers /
Sanitizing and Process between multiple data centers
forensics organizations and officers should act. Punishments can Part of computer forensic analysis sites
Disposing of
• Data Clearing: Cannot recover using keyboard be imprisonment or financial penalties used for identification and extraction
Data Rolling / mobile sites Mobile homes or HVAC trucks.
• Remanence: Data left in media deleted of information from storage media.
Uniform Computer
• Redundant hardware Common framework for the conduct of computer-related Eg. Magnetic media, Optical media, • Hot site RTO: 5 minutes or hours
Information
Network and • Fault-tolerant technologies business transactions. A federal law Eg. Use of software Memory (e.g., RAM) Recovery Time • Warm site RTO: 1-2 days
Transactions Act
Resource • Service Level Agreements (SLA’s) licensing Objectives (RTOs) • Mobile site RTO: 3-5 days
(UCITA)
Management • MTBF and MTTR
• Unauthorized intrusion Admissible Evidence • Cold site RTO: 1 to 2 weeks
• Single Point of Failure (SPOF) Computer Crime Laws
Incident 3 types of harm
• Unauthorized alteration or destruction
Relevant to the incident. The evidence RAID, SAN, & NAS
1. Detect • 2. Respond • 3. Report • 4. Recover • 5. Remediate • 6. • Malicious code
Response - must be obtained legally. RAID Redundant Array of Independent / Inexpensive Disks
Review • Relevant, sufficient, reliable, does not have to be
steps Admissible evidence Writing the same data across multiple hard disks, slower as
tangible Disk Mirroring
• Changes should be formally requested
Hearsay • Second hand data not admissible in court Digital Forensics data is written twice, doubles up on storage requirements
• Analyze requests against goals to ensure validity Writes data across multiple disks simultaneously, provides
Change • Cost and effort estimation before approval • Is the legal action of luring an intruder, like in a Five rules of evidence: Disk Striping
Enticement higher write speed.
Management • Identify the change steps after approval honeypot Be authentic • Be accurate • Be complete
• Be convincing • Admissible • Writes files in stripes across multiple disks without using
• Incremental testing during implementation • Is the illegal act of inducing a crime, the individual had
Entrapment parity information
• Complete documentation no intent of committing the crime at first RAID 0
• Clipping levels: Define a baseline for normal user errors, Investigation - To • 2 or more disks required
• Fast reading and writing but no redundancy
Threats and • Modification from Standards Eg. DDOS Data Loss Prevention (DLP) Determine Suspects • Creates identical copies of drives - has redundancy
Preventative • Unusual patterns or events Scans data for keywords and data patterns. Protects before an incident occurs.
Types: • Space is effectively utilized, since half will be given to
Measures • Unscheduled reboots: Eg. Hardware or operating system issue RAID 1
Network-bas Data in motion. Scans all outbound data looking for anomalies. Place Operational • Criminal • Civil • eDiscovery another disk
• Input/output Controls
ed DLP in edge of the network to scan all outgoing data. • Expensive
Endpoint-bas Data in use. Scans all internal end-user workstations, servers and Security Incident and RAID 3 Byte level data striping across multiple
Intrusion Detection & Prevention Systems (IDS & ed DLP devices. RAID 4 Block level data striping across multiple
Event Management
IPS) Digital Data States RAID 5
Data and parity Information is striped together across all
(SIEM) drives
Automated inspection of logs and real-time system events Data at Rest Data that is stored on a device or a backup medium. Stripes data across available drives and mirrors to a seperate
IDS (Intrusion Log review automating RAID 0+1
to detect intrusion attempts and system failures. IDSs are an Data in Data that is currently travelling across a network or on a device's Real‐time analysis of events occurring set of disks
Detection System)
effective method of detecting many DoS and DDoS attacks. Motion RAM ready to be read, updated, or processed. on systems Each drive in a set is mirrored to an equivalent drive in
RAID 1+0 (RAID 10)
Data in Use Data that is being inputted, processed, used or altered. another set
IPS (Intrusion
A IDS with additional caabilities to stop intrusions. Transaction Redundancy Storage Area Typically use Fibre Channel and iSCSI. High speed blick level
Prevention System)
Backup Types Implementations
Network (SAN) storage.
Full All files backed up, archive bit and modify bit will be deleted Network-Attached Typically an NFS server, file-level computer data storage
Firewalls Incremental Backup files changed after last full backup, archive bit deleted.
Electronic Vaulting • Remote Journaling Storage (NAS) server connected to a computer network.
• Database shadowing
Only modified files are backed up, do not delete archive bit.
HIDS
Monitor and analyze the internals of a computing system, Disaster Recovery Terminology & Concepts
(Host-based IDS)
including its network connection points. Eg. Mainframe Differential Need last full backup and last incremental backup for a full System Hardening
computer restore. MTTF Mean Time To Failure
" • Uninstall unnecessary applications
Redundant servers Eg. RAID, adding disks for increased fault tolerance. MTTR Mean Time To Repair
Hardware based device or software applications used to • Disable unnecessary services
NIDS Server clustering Set of servers that process traffic simultaneously. MTBF Mean Time Between Failures, MTTF + MTTR
monitor and analyse network activity, specifically scanning • Deny unwanted ports
(Network-based IDS)
for malicious activities and policy violations. • External storage device restriction Transaction Redundancy Electronic Vaulting • Remote Journaling • Database
• Monitoring and Reporting Implementations shadowing
Disaster Recovery Test • Vulnerability Management System
Hierarchical Recovery Types of System Failure • IDP/IPS: Attack signature engine
Desk Check Review contents of the plan
should be updated regularly Business Continuity Planning
Types Table-top exercise
Disaster recovery team members gather and roleplay a
• System reboot disaster scenario Concerns the preservation and recovery of business in the
• Emergency restart More intense than a roleplay, all support and tech staff meet
System Recovery Business Continuity
event of
1. Manual Simulation test Plan (BCP)
• System cold start and practice against disaster simulations 1. Rebooting system in single user outages to normal business operations.
2. Automatic Recovery
mode, recovery console
Personnel are taken to an alternative site and commence Business Impact The process of assessing the impact of an IT disruption.
2. Recovering all file systems active
Parallel tests operations of critical systems, while original site continues Analysis (BIA) BIA is part of BCP
Data Destruction and Reuse operating
before crash
3. Restore missing / damaged files A framework of steps and actions that need to be taken
Object reuse Use after initial use Full-implementation Personnel are taken to an alternative site and commence
4. Recover security and access to achieve business continuity and disaster recovery
Remaining data after erasure Format magnetic media 7 tests operations of all systems, main site is shut down
Data remanence controls Disaster Recovery Plan goals.
times (orange book (DRP) End Goal – Revert back to normal operations - planning
Clearing Overwriting media to be reused BCP Plan Development and development must be done before the disaster - BIA
Purging Degaussing or overwriting to be removed • Computing: strategy to protect - hardware, software, communication links, applications, data should be complete
Destruction Complete destruction, preferably by burning Define the continuity • Facilities: use of primary or alternate/remote site buildings 1. Scope and plan initiation
strategy • People: operational and management 2. BIA - assess impact of disruptive processes
• Supplies and equipment
Disaster Recovery Planning Business Continuity
3. Business Continuity Plan development - Use BIA to
Roles and • BCP committee: senior staff, business units, information systems, security administrator, officials from all develop BCP -
Disaster Steps
Teams responsible for DR implementation - Salvage team - Work responsibilities departments Testing
recovery
on normal /primary site to make suitable for normal operations • CCTV 4. Plan approval and implementation - management
process
• Fences-Small mesh and high gauge approval
• Interfacing with other groups • Alarms
• Fraud and Crime: Eg. vandalism, looting
• Financial disbursement
• Intrusion detection: electromechanical, photoelectric, passive infrared, acoustical detection Trusted Recovery
• Motion: wave pattern motion detectors, proximity detector
• Documenting the Plan - Required documentation Physical security • Locks: warded lock, combination lock, cipher lock, device lock, preset / ordinary door lock, programmable Breach Confirmation Confirm security breach not happen during system failure.
Other recovery • Activation and recovery procedures locks, raking lock
issues • Plan management • Audit trails: date and time stamps, successful/unsuccessful attempts, who attempted, who Failure Preparation Backup critical information to enable recovery
• HR involvement granted/modified access controls After a failure of operating system or application, the
• Costs • Security access cards: Photo ID card, swipe cards, smartcards System Recovery system should work enough to have the system in a
• Internal /external communications • Wireless proximity cards: user activated or system sensing field powered device secure state
• Detailed plans by team members
Domain 8: Software Development Security CISSP Cheat Sheet Series
Software Development Lifecycle (SDLC) Programming Language Types Data Warehousing and Data Mining Change Management Process
Understand and integrate security throughout the software development Machine Data Develop organizational framework where users can
Direct instructions to processor - binary representation Combine data from multiple sources. Request
lifecycle (SDLC) Languages Warehousing request modifications, conduct cost/ benefit analysis by
Control
Assembly Use of symbols, mnemonics to represent binary codes - Arrange the data into a format easier to make business management, and task prioritization by developers
Data Mining
Development Methodologies Language ADD, PUSH and POP decisions based on the content. Develop organizational framework where developers can
Change
Processor independent programming languages - use create and test a solution before implementation in a
• No key architecture design
• Problems fixed as they occur
High-Level
IF, THEN and ELSE statements as
Database Threats Control
production environment.
Build and fix Language
• No formal feedback cycle part of the code logic Aggregation The act of combining information from various sources. Release
Change approval before release
• Reactive not proactive Generation 4 languages further reduce amount of code Inference Process of information piecing Control
Very high-level
• Linear sequential lifecycle required - programmers can focus on algorithms. • Content Dependent Access Control: access is based on
• Each phase is completed before moving on
language
Python, C++, C# and Java Access the sensitivity of the data
Configuration Management Process
Waterfall
• No formal way to make changes during cycle Natural Generation 5 languages enable system to learn and Control • Context Dependent Access Control: access via Software Version A methodology for storing and tracking changes
• Project ends before collecting feedback and re-starting language change on its own - AI location, time of day, and previous access history. Control (SVC) to software
• Based on the waterfall model • Database Views: set of data a user or group can see Configuration The labelling of software and hardware
Access
V-shaped
• Each phase is complete before moving on Database Architecture and Models Control
• Database Locks: prevent simultaneous access Identification configurations with unique identifiers
• Verification and validation after each phase • Polyinstantiation: prevent data interference violations Verify modifications to software versions
Uses attributes (columns) and tuples (rows) to Mechanisms
• No risk analysis phase Relational Model in databases Configuration Control comply with the change control and
organize data
• Rapid prototyping - quick sample to test the current configuration management policies.
project Hierarchical Parent child structure. An object can have one child, A•C•I•D Ensure that the production environment is
• Evolutionary prototyping - incremental improvements to Model multiple children or no children. Configuration Audit
Database roll back if all operations are not completed, consistent with the accounting records
Prototyping Atomicity
a design Similar to hierarchical model but objects can have transactions must be completed or not completed at all
• Operational prototypes - incremental improvements Network Model
multiple parents. Consistency Preserve integrity by maintaining consistent transactions Capability Maturity Model
intended for production
Transaction keeps separate from other transactions until 1. Initiating – informal processes,
• Multiple cycles (~ multiple waterfalls) Object-Oriented Has the capability to handle a variety of data types Isolation Reactive
complete 2. Repeatable – project management processes
• Restart at any time as a different phase Model and is more dynamic than a relational database.
Incremental Durability Committed transaction cannot be roll backed 3. Defined – engineering processes, project planning,
• Easy to introduce new requirements
quality assurance, configuration management practices
• Delivers incremental updates to software Object-Relational Combination of object oriented and relational Traditional SDLC Proactive
4. Managed – product and process improvement
• Iterative Model models. 5. Optimizing – continuous process improvement
Analysis, High-level design, Detail Design, Construction,
• Risk analysis during development Steps
testing, Implementation
Spiral • Future information and requirements considered for risk Project Management Tools
analysis Database Interface Languages • Initiation: Feasibility, cost analysis, risk analysis,
• Allows for testing early in development Management approval, basic security controls Type of bar chart that illustrates the relationship
Gantt chart
Open Database • Functional analysis and planning: Requirement between projects and schedules over time.
Rapid • Rapid prototyping Local or remote communication via API
Connectivity (DOBC) definition, review proposed security controls Program Evaluation Project-scheduling tool used to measure the
Application • Designed for quick development
• System design specifications: detailed design specs, Review Technique capacity of a software product in development
Development • Analysis and design are quickly demonstrated Java Database Java API that connects to a database, Phases
Examine security controls (PERT) which uses to calculate risk.
(RAD) • Testing and requirements are often revisited Connectivity (JDBC) issuing queries and commands, etc • Software development: Coding. Unit testing Prototyping,
• Umbrella term - multiple methods
DB API allows XML applications to interact Verification, Validation Phases of object-oriented design
• Highlights efficiency and iterative development XML
Agile with more traditional databases • Acceptance testing and implementation: security OORA (Requirements
• User stories describe what a user does and why Define classes of objects and interactions
testing, data validation Analysis)
• Prototypes are filtered down to individual features Object Linking and
Embedding Database (OLE is a replacement for ODBC Object-oriented technology (OOT) - Identify classes and objects which are common
DevOps (Development & Operations) DB) OOA (Analysis) to any applications in a domain - process of
Terminology discovery
Software Development • Quality Assurance • IT
OOD (Design) Objects are instances of classes
Operations Knowledge Management Objects contain both data and the instructions that work
OOP (Programming) Introduce objects and methods
on the data.
Two main components: 'Knowledge base' and the ORBs (Object Request Work as middleware locators and distributors
Software Development Methods
Encapsulation Data stores as objects
'Inference engine' Brokers) for the objects
Message Informs an object to perform an action.
Expert • Use human reasoning Architecture and standards that use ORBS to
Performs an action on an object in response to a CORBA (Common
Systems • Rule based knowledge base Method allow different systems and software on a
Database Systems • If-then statements message. object request)
system to interfce with eachother
• Interference system Results shown by an object in response to a Work independently without help from other
Database Define storing and manipulating data message. Defined by its methods, which are the programs
Behavior
• Forward chaining: Begins with known facts and applies functions and subroutines defined within the object • High cohesion – No integration or interaction
DBMS (database inference rule to extract more data unit it reaches to the class. Cohesion with other modules
Software program control access to data stored
management goal. A bottom-up approach. Breadth-first search Set of methods which defines the behavior of • Low cohesion – Have interaction with other
in a database. Expert Class
system) strategy. objects modules
Systems (Two
• Backward chaining: Begins with the goal, works • Coupling - Level of interaction between objects
Modes) Object An instance of a class containing methods
Hierarchical • Network • Mesh • Object-orientated backward through inference rules to deduce the
DBMS Types Inheritance Subclass accesses methods of a superclass
• Relational required facts that support the goal. A top-down
approach. Depth-first search strategy. Multiple Inherits characteristics from more than one parent Virus Types
Data definition language defines structure and Inheritance class
DDL
schema DML Accumulates knowledge by observing events, Two or more rows in the same relational database Boot record infectors, gain the most privaleged
Boot sector
Neural measuring their inputs and outcome, then predicting Polyinstantiation table appear to have identical primary key elements access and can be the most damaging
Degree of Db number of attributes (columns) in table Networks outcomes and improving through multiple iterations but contain different data
over time. Infects executable system files, BIOS and system
Object users do not need to know the information System infector
Tuple row Abstraction commands
about how the object works
DDE Dynamic data exchange Covert Channels (Storage & Timing) Process isolation
Allocation of separate memory spaces for process’s UEFI Infects a system's factory installed UEFI (firmware)
instructions and data by the operating system.
DCL Data control language. Subset of SQL. Executable content Virus stored in a specific location other than in the
ActiveX controls, Java applets, browser scripts Companion
Mobile code Trusted Computer Base (TCB) main system folder. Example NOTEPAD.EXE
ensure semantic rules are enforced between data
Semantic integrity Virus Propagates with help from the host Any modifications to files or boot sector are hidden
types The set of all hardware, firmware, and/or software components that are Stealth
Worm Propagates without any help from the host by the virus
critical to its security. Any compromises here are critical to system
Referential integrity all foreign keys reference existing primary keys Logic Bomb/Code security.
Run when a specific event happens Multipart Infects both boot sector and executable files
Bomb
an attribute that is a unique identifier within a May need to interact with higher rings of
Input/output Attempts to hide from anti-virus by changing the
Candidate Key given table, one of the candidates key becomes Buffer Overflow Memory buffer exhaustion protection - such communications must be Self-garbling
operations encoding of its own code, a.k.a. 'garbling'
primary key and others are alternate keys Malicious code install at back end with the monitored
Backdoor
help of a front end user Execution domain Applications that invoke applications or Polymorphic The virus modifies the "garble" pattern as it spreads
Primary Key unique data identification
Covert Channel Unauthorized information gathering switching services in other domains
Resident Loads as and when a program loads to the memory
reference to another table which include primary Zombie code used to compromise thousands Monitoring of memory references to verify
Foreign Key key. Foreign and primary keys link is known as Botnet Memory protection Master boot
of systems confidentiality and integrity in storage
referential integrity. record / sector Infects the bootable section of the system
Malicious code that outwardly looks or Monitor registers, process status information, (MBR)
Trojan Process activation
behaves as harmless or necesary code and file access lists for vulnerabilities
• Incorrect Summaries • Dirty Reads • Lost
Updates Security Assessment & Testing Terms Anti-Virus Types
• Dynamic Lifetime Objects: Objects developed Browser site trust is exploited by trying to
Cross-site request A process of identifying and determining the Not able to detect new malware a.k.a. Zero-day
using software in an Object Oriented submit authenticated requests forcefully to Penetration Testing Signature based
forgery (CSRF / XSRF ) true nature if system vulnerabilities attacks
Programming environment. third-party sites.
• ODBC - Open Database Connectivity. Database Heuristic based Static analysis without relying on signatures
Cross-site scripting Uses inputs to pretend a user’s browser to Patch management Manages the deployment of patches to
feature where applications to communicate with
(XSS) execute untrusted code from a trusted site system prevent known attack vectors
different types of databases without a program
DBMS terms Attempts to obtain previously authenticated
code.
• Database contamination - Mixing data with
Session Hijacking sessions without forcing browser requests Open system
System with published APIs - third parties can Protection Rings
use system
submission
different classification levels
Proprietary system - no third-party Layer 0 Operating system kernel
• Database partitioning - splitting a single SQL Injection Directly attacks a database through a web app Closed system
database into multiple parts with unique contents involvement
Layer 1 Parts of the operating system other than the kernel
• Polyinstantiation - two or more rows in the same Hotfix / Update / Updates to operating systems and Source code can be viewed, edited and
Open-source
relational database table appear to have identical Security fix applications distributed free or with attribution or fees
Layer 2 I/O drivers and utilities
primary key and different data in the table. Collection of patches for a complete operating Used to access API. Highly sensitive - same
Service Pack API Keys
system as passwords Layer 3 Applications and programs

You might also like