For Your Desk

Certified Information Systems Security

Professional (CISSP)
 Domain 1 – Security and Risk Management

(ISC)2 Code of Ethics Security Concepts

Preamble Authenticity Verifying the identity of a person or process

Canons Non-repudiation Inability to refute responsibility

CIA Triad

Preserving authorized restrictions on information access and disclosure,

Confidentiality including means for protecting personal privacy and proprietary
information
(ISC)2 Code of Ethics

Guarding against improper information modification and ensuring

Preamble
Integrity
information non-repudiation and authenticity
Canons
Ensuring timely and reliable access to and use of information by
Availability
authorized users

GDPR Privacy Principles

Personal data must be processed lawfully, fairly, and

Lawfulness, fairness, and transparency in a transparent manner in relation to the data
subject.

Personal data must be collected for specified, explicit,

Purpose limitation and legitimate purposes and not further processed in
a manner that is incompatible with those purposes.

Personal data must be adequate, relevant, and limited

Data minimization to what is necessary in relation to the purposes for
which they are processed.

Personal data must be accurate and, where necessary,

Accuracy
kept up to date.

Personal data must be kept in a form which permits

Storage limitations identification of data subjects for no longer than is
necessary.

Personal data must be processed to ensure

Integrity and confidentiality
appropriate security of the personal data.
 Domain 1 – Security and Risk Management

Intellectual Property

Patent Trademark Copyright Trade secret

Definition Provides legal Identifies the brand Protects a wide Protects information
protection for owner of a particular range of that derives
rights over product or service creative, independent
inventions intellectual, or economic value from
artistic works not being publicly
known

Requirements • Novelty • To distinguish the • Originality • Information not

• Usefulness goods or services of generally known
• Nonobvious a party to the public
ness (US) • To not confuse • Confers economic
• Inventive consumers about the benefits on its
step (EU) relationship between holder from not
one party and being publicly
another known
• To not deceive
consumers
concerning the
qualities

Symbol N/A ™ (unregistered © (copyright) N/A

trademark) ℗ (sound
℠ (unregistered service recording
mark) copyright)
® (registered
trademark)

Risk Terminology

Asset Anything of value to the company

Vulnerability A weakness or the absence of a safeguard

Threat The potential danger to systems or information

Threat agent The entity which carries out the attack

Impact The severity of the damage

Risk The likelihood that damage or harm will be realized

The process of identifying risks, analysing them, developing a

Risk management
response strategy for them, and mitigating their future impact

The level of risk that an organization is prepared to accept in pursuit

Risk appetite
of its objectives

Residual risk The risk remaining after risk treatment

 Domain 1 – Security and Risk Management

Quantitative Risk Analysis

Asset value (AV) The value of the asset that might be affected or lost

Exposure factor (EF) The percentage of the asset value that would be lost

The amount that would be lost in a single occurrence of

Single loss expectancy (SLE)
the risk factor

SLE = AV x EF

Annualized rate of occurrence (ARO) The number of times per year a given threat is expected

Annualized loss expectancy (ALE) The amount that would be lost over the course of a year

ALE = SLE x ARO

Threat Model: STRIDE

Threat Description Violation

Spoofing Impersonating something or someone else Authentication

Tampering Modifying data or system Integrity

Repudiation Claiming to have not performed an action Non-repudiation

Information disclosure Exposing information to an unauthorized party Confidentiality

Denial of service Deny or degrade service to users Availability

Elevation of privilege Gain capabilities without proper authorization Authorization

Security Control Security Control

Investigation Types
Functional Types Categories

Preventive control Administrative Criminal

control
Detective control Civil
Technical control
Deterrent control Administrative

Corrective control
Regulatory
Physical control
Compensating control
Industry
Recovery control
 Domain 2 – Asset Security

Privacy Terms

Personally identifiable information

Can be used to identify, locate, or contact an individual
(PII)

Can be used to identify an individual and to relate to that

Protected health information (PHI) individual's past, present, or future physical or mental health
care or health care payments

Must protect the material that a government body deems to

Classified information
be sensitive information

Classified Information EOL EOS

Exceptionally grave damage to

Top secret
national security
The date where a
The date where the
vendor no longer
Secret Serious damage to national security vendor no longer
manufactures a
provides support
particular product
Confidential Damage to national security for a particular
and does not take
product
orders for it
Restricted Undesirable effects

Data Destruction methods

Erasing For your Desk

A simple deletion process that removes only the catalog reference and not the files

Clearing A level of sanitization that renders media unreadable through normal means

An advanced level of sanitization that renders media unreadable even through an

Purging
advanced laboratory attack

Sanitizing A combination of processes that ensures data is removed

A method of destruction that generates heavy magnetic fields which realign the
Degaussing
magnetic fields in magnetic media

Data Roles and Responsibilities

Data Subject A natural individual who is the subject of personal data.

Data Owner Holds legal rights and complete control over data elements.

Responsible for the safe custody, transport, and storage of the data and
Data Custodian
implementation of business rules.

Data Steward Responsible for data content, context, and associated business rules.

Determines the purposes for which and the means by which personal data is
Data Custodian
processed.

Data Processor Processes personal data only on behalf of the controller.

 Domain 3 – Security Architecture and Engineering

Secure Design Principles

A process by which developers can understand security threats to a

Threat modeling system, determine risks from those threats, and establish appropriate
mitigations

The practice of only granting a user the minimal permissions necessary

Least privilege
to perform their explicit job function

A design principle in which multiple layers of security controls are placed

Defence in depth
throughout an information technology system

A secure design principle that ensures the default configuration settings

Secure defaults of the system are the as secure as possible even if they are not
necessarily the most user-friendly

A design feature that, in the event of a failure, should fail to a state that
Fail securely
prevents further operations

The practice of ensuring that no organizational process can be

Separation of duties (SoD) completed by a single person; forces collusion as a means to reduce
insider threats

A design principle which states that most processes or systems work

Keep it simple
best if they are kept simple rather than made overly complicated

A design principle that promotes the idea that system components

Trust but verify
should not blindly trust each other

A security model based on the principle of trust nothing and verify

Zero Trust
everything

A design-thinking approach to proactively embed into the design and

Privacy by design operation of IT systems, networked infrastructure, and business
practices by default

A cloud security framework that describes the security responsibilities of

Shared responsibility
the cloud provider and the cloud customer

Security Models

State Multileve Noninterfer Information Bell-LaPadula BIBA Clark– Brewer and Graham- Take-grant
machine l lattice ence flow Wilson Nash Denning
integrity

Block Ciphers

Key sizes Block size Deprecated?

DES 56 bits 64 bits Yes

3DES 56 bits 64 bits Yes

AES 128, 192, or 256 bits 128 bits No

 Domain 3 – Security Architecture and Engineering

Water-Based Fire Suppression Systems

Wet pipe Dry pipe Pre-action Deluge

Classes of Fires

Type of fire Elements of fire Suppression method

Class A: Ordinary
Paper and wood Water and foam
combustibles

Class B: Flammable
Petroleum products Dry chemical and foam
liquids

Class C: Electrical Energized equipment CO2 and dry powders

Class D: Flammable
Magnesium lithium Dry powders
metals

Class K: Commercial
Cooking oils and greases Wet chemical
kitchens

Cloud

Software as a service Platform as a service Infrastructure as a service

Service models
(SaaS) (PaaS) (IaaS)

Public Private Community Hybrid Development models

Block Ciphers

Key sizes Block size Deprecated?

DES 56 bits 64 bits Yes

3DES 56 bits 64 bits Yes

AES 128, 192, or 256 bits 128 bits No

 Domain 4 – Communication and Network Security

OSI Model Encapsulation TCP/IP Model

• Provides services or
SMTP, FTP Application Data Application
protocols to applications

• Data formatting – Segment Transport

JPEG, ASCII compression or Presentation
encryption Packet (TCP) Internet
Datagram (UDP)
RPC, • Establish, maintain and
Session
AppleTalk manage sessions Frame
Network interface
• End-to-end Bits
communication
TCP, UDP Transport
• Segmentation or
sequencing of data IPv6 vs. IPv4

Router • Logical addressing Address 128 bits 32 bits

Network size
IP, ICMP • Routing

Switch • Physical addressing Range 340 undecillion 4.3 billion

Data-link possible possible
ARP • Error detection
addresses addresses
• Send bits and receive bits
Hubs
• Define standard Physical
Ethernet Scalability Improved by No options
interfaces
adding a scope for
field to the scalability
multicast address
TCP UDP
Anycast Used to send a Doesn’t
address packet to any one have an
Sends the data
node in a group anycast
Establishes a directly to the
of nodes address
connection between destination
the computers computer without
before transmitting checking whether TCP and UDP Ports
the data the system is ready
Well-known 0 - 1023 Reserved for
to receive or not
ports privileged
applications

Connection-oriented Connectionless
Connection
protocol protocol
Registered 1024 - Assigned by IANA
ports 49151 for specific service
Takes
Neither takes upon application by
acknowledgment of
Acknowledg acknowledgment a requesting entity
data and can
ment nor retransmits the
retransmit if the
lost data
user requests

Reliability Highly reliable Unreliable Dynamic 49152 - Used by any

ports 65535 application for
temporary
Header Size 20 bytes 8 bytes purposes and
cannot be
Speed Slow Fast registered
 Domain 5 – Identity and Access Management (IAM)

Access Control AAA

An active component that needs access to an object Identification Claiming identity

Subject
or the data within it
Authentication Verifying identity
A passive component that contains data or
Object
information
Authorization Granting access
The flow of information between a subject and an
Access Accounting Tracking activity
object

Multi-Factor Authentication

Something you know Authentication by knowledge Password or PIN

Something you have Authentication by ownership A token device or passport

Something you are Authentication by characteristic Biometrics

Access Control Models

Access control based on Used in

Discretionary access control

Owner’s discretion Operating systems
(DAC)

Mandatory access controls

Subject’s security clearance level Military and government sectors
(MAC)

Role-based access control

Subject’s roles Organizations
(RBAC)

Rule-based access control

Predefined rules ACL in routers and firewalls
(RuBAC)

Attributes of the subject, object,

Attribute-based access
and environment and set of Complex environment
control (ABAC)
policies

Security risk value related to

Risk-based access control Retail banking
each access request
 Domain 6 – Security Assessment and Testing

Testing Levels Testing Methods

Unit test Static testing

Integration test Dynamic testing

System test Use case testing

User acceptance test Abuse case testing

SOC Reports

Scope Purpose Users

Financial reporting Audit the financial statements Restricted to customers and

SOC 1
controls of customers their auditors

Managing regulations GRC programs, oversight, and Restricted to management,

SOC 2
and four optional due diligence regulators, and auditors
criteria:
• Confidentiality Freely available to anyone
• Availability who needs confidence in the
SOC 3 • Processing integrity Marketing purposes
controls of the service
• Privacy organization
 Domain 7 – Security Operations

IPS IDS IDS Detected It IDS Didn’t Detect It

Detects and prevents Detects any True positive False negative

unauthorized Malicious
any malicious traffic or (attack and (attack and no
intrusion in a traffic
alert) alert)
activity to gain access network, server, or
to the target system False positive True negative
Normal
(no attack and (no attack and no
traffic
alert) alert)

Incident Response Life Cycle

Alternate Location Sites

Mirror Hot Warm Cold

RTO 0 0 to 24 hours 1 to 7 days 1 to 2 weeks

Cost $$$$ $$$ $$ $

Equipment
Yes Yes Not fully No
available

Connectivity
Yes Yes Yes No
available

Active before
Yes Yes Yes No
failover

Backups

Data backed Restoration Archive bit set

Back up speed Storage space
up speed to 0

Full backup All data Slowest Fastest Maximum Yes

Differential All data since

Moderate Moderate Moderate No
backup last full backup

Incremental Only new or

Fastest Slowest Minimum Yes
backup modified data
 Domain 8 – Software Development Security

Software Capability Maturity Model Software Development Models

Process is unpredictable,
Waterfall model
Level 1: Initial poorly controlled, and
reactive
Spiral model
Processes are more
Level 2: Repeatable organized and are often Rapid-application development
reactive

Processes are well- Extreme programming

characterized,
Level 3: Defined
understood, and
Prototyping
proactive

Processes are controlled Modified prototyping model

Level 4: Managed using quantitative
techniques Joint analysis development
Processes are continually
Level 5: Optimizing
improved, and optimized
Certification Accreditation

Systems Development Life Cycle A technical evaluation The formal

Prepare a security plan of a system’s security management
capabilities against a authorization to move
Development or acquisition predetermined set of the system into
security standards or production
Implementation policies

Operation or maintenance

Disposal