
Covers all 8 domains!

CISSP EXAM CRAM
Security Models, Processes, and Frameworks
INTRODUCTION: SERIES OVERVIEW

LESSONS IN THIS SERIES
Lessons 1-8: one lesson for each exam domain
+ 5-10 shorter supplemental lessons


Related CISSP Exam Cram lessons (available on the channel):
Hack Your CISSP Exam Prep!
How do I master the “CISSP Mindset”?
Quantitative Risk Analysis
Memorization Tips
Ultimate Guide
Cryptography Drill-Down

A PDF copy of the presentation is available in the video description!

50-question CISSP practice quiz now available FREE (link in description)
CISSP Exam Study Guide & Practice Tests Bundle: link in the video description!


CISSP EXAM CRAM
DOMAIN 1: Security and Risk Management
DOMAIN 1: RISK MANAGEMENT FRAMEWORK

The primary risk management framework referenced in CISSP is the
Risk Management Framework for Information Systems and Organizations.

Risk Management Framework (6 steps, repeat as necessary):
STEP 1: CATEGORIZE Info Systems
STEP 2: SELECT Security Controls
STEP 3: IMPLEMENT Security Controls
STEP 4: ASSESS Security Controls
STEP 5: AUTHORIZE Security Controls
STEP 6: MONITOR Security Controls
DOMAIN 1: RISK MANAGEMENT FRAMEWORK

1. Prepare to execute the RMF
2. Categorize information systems
3. Select security controls
4. Implement security controls
5. Assess the security controls
6. Authorize the system
7. Monitor security controls
DOMAIN 1: RISK MANAGEMENT FRAMEWORK

Consider the following RMFs “for use in the real world” (don’t worry about these for the exam!):

OCTAVE: Operationally Critical Threat, Asset, and Vulnerability Evaluation
FAIR: Factor Analysis of Information Risk
TARA: Threat Agent Risk Assessment
DOMAIN 1: BUSINESS CONTINUITY

issues that pertain to information security in:
1. Strategy
2. Provisions and
3. Plan
4. Plan
5. Training and
DOMAIN 1: THREAT MODELING

Can be proactive or reactive, but in either case, the goal is to eliminate or reduce threats.
DOMAIN 1: THREAT MODELING

Common approaches to threat modeling:
Focused on Assets. Uses results to identify threats to the valuable assets.
Focused on Attackers. Identify potential attackers and identify threats based on the
Focused on Software. Considers against the software the org develops.
DOMAIN 1: THREAT MODELING

Developed by Microsoft:
Spoofing
Tampering
Repudiation
Information disclosure
Denial of service
Elevation of privilege
DOMAIN 1: THREAT MODELING

Stage I: Definition of Objectives
Stage II: Definition of Technical Scope
Stage III: App Decomposition & Analysis
Stage IV: Threat Analysis
Stage V: Weakness & Vulnerability Analysis
Stage VI: Attack Modeling & Simulation
Stage VII: Risk Analysis & Management

Focuses on developing countermeasures based on asset value.


DOMAIN 1: THREAT MODELING

Visual, Agile, Simple Threat (based on Agile PM principles)

GOAL: Scalable integration of threat management into an Agile programming environment.
DOMAIN 1: THREAT MODELING

Based on the answer to 5 questions:
Damage potential
Reproducibility
Exploitability
Affected users
Discoverability
DOMAIN 1: THREAT MODELING

An open-source threat modeling process that implements a requirements model.
Ensures the assigned level of risk for each asset is “acceptable” to stakeholders
(focused on “acceptable risk”).
COBIT security control framework

IT management and governance framework

Principle 1: Meeting Stakeholder Needs
Principle 2: Covering the Enterprise End-to-End
Principle 3: Applying a Single, Integrated Framework
Principle 4: Enabling a Holistic Approach
Principle 5: Separating Governance from Management

Little coverage and no depth on CISSP!


CISSP EXAM CRAM
DOMAIN 2: Asset Security
DOMAIN 2: DATA CLASSIFICATION

Government     Damage level                 Private sector (class)
Top Secret     Exceptionally grave damage   Confidential/Proprietary (Class 3)
Secret         Serious damage               Private (Class 2)
Confidential   Damage                       Sensitive (Class 1)
Unclassified   No damage                    Public (Class 0)
CISSP EXAM CRAM
DOMAIN 3: Security Architecture and Engineering
DOMAIN 3: TCSEC, ITSEC, and COMMON CRITERIA

Common Criteria (ISO-IEC 15048)
The Common Criteria enable an objective evaluation to validate that a particular product or system satisfies a defined set of security requirements.

TCSEC (Trusted Computer System Evaluation Criteria)
A structured set of criteria for evaluating computer security within products and systems.

ITSEC (Information Technology Security Evaluation Criteria)
The ITSEC represents an initial attempt to create security evaluation criteria in Europe. ITSEC uses two scales to rate functionality and assurance.

CC has replaced TCSEC and ITSEC!
DOMAIN 3: COMMON CRITERIA (ISO-IEC 15048)

Common Criteria evaluation process (repeat as needed):
1. Description of Assets
2. Identification of Threats
3. Analysis & Rating of Threats
4. Determination of Security Objectives
5. Selection of Security Functional Requirements
Inputs: Assumptions & Security Policies; System & Environment Objectives

TWO FLAVORS:
community Protection Profile (cPP): black box
Evaluation Assurance Level (EAL): white box
DOMAIN 3: TCSEC, ITSEC, and COMMON CRITERIA

Comparison of security evaluation standards

TCSEC   ITSEC     CC           Level
D       F-D+E0    EAL0, EAL1   Minimal/no protection
C1      F-C1+E1   EAL2         Discretionary security mechanisms
C2      F-C2+E2   EAL3         Controlled access protection
B1      F-B1+E3   EAL4         Labeled security protection
B2      F-B2+E4   EAL5         Structured security protection
B3      F-B3+E5   EAL6         Security domains
A1      F-B3+E6   EAL7         Verified security design


DOMAIN 3: TCSEC, ITSEC, and COMMON CRITERIA

Comparison of security evaluation standards

CC Level     Description
EAL0, EAL1   Functionally Tested
EAL2         Structurally Tested
EAL3         Methodically Tested & Checked
EAL4         Methodically Designed, Tested, and Reviewed
EAL5         Semi-Formally Designed and Tested
EAL6         Semi-Formally Verified Design and Tested
EAL7         Formally Verified Design and Tested


DOMAIN 3: SECURITY MODEL

WHAT IS THE PURPOSE OF A SECURITY MODEL?

Provides a way for designers to map abstract statements into a security policy.

Determines how security will be implemented, what subjects can access the system, and what objects they will have access to.
security models

Three properties that will be mentioned repeatedly when talking about security models:
Simple security property: describes rules for read
Star (*) security property: describes rules for write
Invocation property: rules around invocations (calls), such as to subjects
security models

Bell-LaPadula: government (DoD); state machine model (SMM); no read up, no write down
Biba
Clark-Wilson: access control triple
Brewer and Nash: aka “Chinese Wall”
Goguen-Meseguer: THE noninterference model
Take Grant: employs a “directed graph”
Sutherland: preventing interference (information flow and SMM)
DOMAIN 3: SECURITY MODELS

Bell-LaPadula is for government, the rest are
Bell-LaPadula is confidentiality-focused; the others are generally the opposite of this.
DOMAIN 3: SECURITY MODELS

State machine model; enforces confidentiality.
Uses mandatory access control (MAC) to enforce the DoD multilevel security policy (government!).
Simple security property: a subject cannot read data at a higher level of classification. “no read up”
Star (*) security property: a subject cannot write info to a lower level of classification. “no write down”
security models

Mnemonic: “No Running Under Nets With Dingos” (No Read Up, No Write Down)
DOMAIN 3: SECURITY MODELS

A lattice-based model developed to address concerns of integrity.
Simple integrity property: a subject at one level of integrity is not permitted to read an object of lower integrity. “no read down”
Star (*) integrity property: an object at one level of integrity is not allowed to write to an object of higher integrity. “no write up”
Invocation property: prohibits a subject at one level of integrity from invoking a subject at a higher level of integrity.

SIMPLE property = READ; STAR property = WRITE
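As an added illustration (not part of the slide deck), a small Python reference monitor that encodes the Bell-LaPadula simple/star properties and the Biba simple/star/invocation properties from these slides, showing that the same request flips between ALLOW and DENY under the two models; the level lattice, the `Entity` class and the subjects and objects are constructed sample data.

```python
from dataclasses import dataclass

# Constructed lattice: higher number = higher classification (BLP) or higher integrity (Biba).
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Entity:
    name: str
    level: str  # a classification level for BLP, an integrity level for Biba


def blp_allows(subject: Entity, obj: Entity, op: str) -> bool:
    """Bell-LaPadula (confidentiality): simple property = no read up,
    star property = no write down."""
    s, o = LEVELS[subject.level], LEVELS[obj.level]
    if op == "read":
        return s >= o  # may only read objects at or below the subject's level
    if op == "write":
        return s <= o  # may only write objects at or above the subject's level
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Entity, obj: Entity, op: str) -> bool:
    """Biba (integrity): simple integrity = no read down, star integrity =
    no write up, invocation = no invoking a subject of higher integrity."""
    s, o = LEVELS[subject.level], LEVELS[obj.level]
    if op == "read":
        return s <= o  # may only read objects of equal or higher integrity
    if op in ("write", "invoke"):
        return s >= o  # may only write to / invoke equal or lower integrity
    raise ValueError(f"unknown operation {op!r}")


def check(model, subject: Entity, obj: Entity, op: str) -> bool:
    allowed = model(subject, obj, op)
    print(f"{model.__name__}: {subject.name}({subject.level}) {op} "
          f"{obj.name}({obj.level}) -> {'ALLOW' if allowed else 'DENY'}")
    return allowed


if __name__ == "__main__":
    analyst = Entity("analyst", "Secret")            # constructed subject
    ts_report = Entity("ts-report", "Top Secret")     # constructed object
    public_note = Entity("public-note", "Unclassified")
    # Bell-LaPadula: reading up and writing down are denied, writing up is fine
    check(blp_allows, analyst, ts_report, "read")      # DENY  (no read up)
    check(blp_allows, analyst, public_note, "write")   # DENY  (no write down)
    check(blp_allows, analyst, ts_report, "write")     # ALLOW
    # Biba: the opposite direction, because integrity protects the opposite flow
    check(biba_allows, analyst, ts_report, "read")     # ALLOW
    check(biba_allows, analyst, public_note, "read")   # DENY  (no read down)
    check(biba_allows, analyst, public_note, "write")  # ALLOW
    check(biba_allows, analyst, ts_report, "invoke")   # DENY  (invocation property)
```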


DOMAIN 3: SECURITY MODELS

Features the “ACCESS CONTROL TRIPLE”


DOMAIN 3: SECURITY MODELS

Take Grant: another confidentiality-based model that supports four basic operations: take, grant, create, and revoke.

Brewer and Nash: also called the “Chinese Wall model”. It was developed to prevent conflict of interest (COI) problems. (confidentiality-based)

This model uses a formal set of protection rules for which each object has an owner and a controller. It is focused on the secure creation and deletion of both subjects and objects. A collection of eight primary protection rules or actions that define the boundaries of certain secure actions.
DOMAIN 3: SECURITY MODELS

The eight primary protection rules:
1. Securely create an object.
2. Securely create a subject.
3. Securely delete an object.
4. Securely delete a subject.
5. Securely provide the read access right.
6. Securely provide the grant access right.
7. Securely provide the delete access right.
8. Securely provide the transfer access right.
state machine model
Describes a system that is always secure no matter what state it is in.

Based on the computer science definition of a finite state machine (FSM).

A state is a snapshot of a system at a specific moment in time. All state transitions must be evaluated.

If each possible state transition results in another secure state, the system can be called a secure state machine.
information flow model
Focuses on the flow of information.

Information flow models are based on a state machine model.

Biba and Bell-LaPadula are both information flow models.

Bell-LaPadula: preventing information flow from a high security level to a low security level.

Biba focuses on flow from low to high security level.

CISSP EXAM CRAM
DOMAIN 4: Communication and Network Security
THE OSI MODEL

Mnemonic   Layer            Examples        Mnemonic
Away       7 Application    SSH, HTML       All
Pizza      6 Presentation   TLS, SSL        People
Sausage    5 Session        SMB, RPC        Seem
Throw      4 Transport      TCP, UDP        To
Not        3 Network        IP, NAT, RIP    Need
Do         2 Data Link      ARP, MAC        Data
Please     1 Physical       DSL, ISDN       Processing

Bottom-up: “Please Do Not Throw Sausage Pizza Away”; top-down: “All People Seem To Need Data Processing”.
THE OSI MODEL

7 Application: SSH, HTTP, FTP, LPD, SMTP, Telnet, TFTP, EDI, POP3, IMAP, SNMP, NNTP, S-RPC, and SET
6 Presentation: encryption protocols and format types, such as ASCII, EBCDIC, TIFF, JPEG, MPEG, MIDI
5 Session: SMB, RPC, NFS, and SQL
4 Transport: SPX, SSL, TLS, TCP, and UDP
3 Network: ICMP, RIP, OSPF, BGP, IGMP, IP, IPSec, IPX, NAT, and SKIP
2 Data Link: ARP, SLIP, PPP, L2F, L2TP, PPTP, FDDI, ISDN
1 Physical: EIA/TIA-232, EIA/TIA-449, X.21, HSSI, SONET, V.24, V.35, Bluetooth, 802.11 – Wifi, and Ethernet
CISSP EXAM CRAM
DOMAIN 5: Identity and Access Management
Identity and Access Provisioning Lifecycle

The identity and access provisioning lifecycle refers to the creation, management, and deletion of accounts.

creation -> management -> deletion

Accounts should be deprovisioned promptly on separation.

CISSP EXAM CRAM
DOMAIN 6: Security Assessment and Testing
DOMAIN 6: SECURITY ASSESSMENT

NIST best practices for conducting security & privacy assessments:
Assessing Security and Privacy Controls in Federal Information Systems and Organizations

security assessment
Under NIST 800-53A, assessments include four components:
Specifications: documents associated with the system being audited.
Mechanisms: controls used within an information system to meet the specifications.
Activities: actions carried out by people within an information system.
Individuals: people who implement specifications, mechanisms, and activities.
CISSP EXAM CRAM
DOMAIN 7: Security Operations
change management

1. Request the change
2. Review the change
3. Approve/reject the change
4. Test the change
5. Schedule and implement the change
6. Document the change

Mnemonic: RRATSD

The Information Lifecycle

Creation: can be created by users (a user creates a file) or by systems (a system logs access).
Classification: to ensure it’s handled properly, it’s important to ensure data is classified as soon as possible.
Storage: data should be protected by adequate security controls based on its classification.
Usage: refers to anytime data is in use or in transit over a network.
Archive: archival is sometimes needed to comply with laws or regulations requiring the retention of data.
Destruction: when data is no longer needed, it should be destroyed in such a way that it is not readable.
DOMAIN 7: INCIDENT RESPONSE FRAMEWORK

The primary incident response framework referenced in CISSP is the
Computer Security Incident Handling Guide.
managing INCIDENT response

1. Detection
2. Response
3. Mitigation
4. Reporting
5. Recovery
6. Remediation
7. Lessons Learned

Mnemonic: DRMRRRL
managing INCIDENT response

Detection: monitoring tools, IPS, firewalls, users; notification to management and/or help desk
Response: triage (is it really an incident?); decision to declare
Mitigation: first containment effort or step; create team
Reporting: to relevant stakeholders (customers, vendors, law)
Recovery: return to normal operations
Remediation: root cause is addressed
Lessons Learned: helps prevent recurrence, improve IR process

DOMAIN 7: INCIDENT RESPONSE STEPS

The CISSP study guide lists incident response steps as:

— detection
— response: limiting damage
— mitigation: contain an incident
— reporting: management decisions
— recovery
— remediation: include root cause analysis
— lessons learned
Business Continuity Planning (BCP)

The 4 main steps of Business Continuity Planning:
1. Project scope and planning
2. Business impact assessment
3. Continuity planning
4. Approval and implementation

Assessment of business impact happens within BCP.

GOAL: efficient response to enhance a company’s ability to recover from a disruptive event promptly.
BCP vs DRP
Business Continuity Planning (BCP) vs Disaster Recovery Planning (DRP) – what’s the difference?

BCP focuses on the whole business.
DRP focuses more on the technical aspects of recovery.
BCP will cover communications and process more broadly.
BCP is an umbrella policy…DRP is part of it.
patch management lifecycle

Scan networks
Identify vulnerable systems (vulnerability scans)
Download and deploy patches
Generate status reports
Update vulnerability details from vendors
CISSP EXAM CRAM
DOMAIN 8: Software Development Security
DOMAIN 8: SW DEVELOPMENT MATURITY MODELS

Help software organizations improve maturity and quality of their software processes by implementing an evolutionary path from ad hoc, chaotic processes to mature, disciplined software processes.

Know the SW-CMM, CMMI and IDEAL models for the exam.
Capability Maturity Model (SW-CMM)
A 5-step model for measuring software development orgs.

Level 1: Initial. No plan.
Level 2: Repeatable. Basic lifecycle mgmt.
Level 3: Defined. Formal, documented SW development processes.
Level 4: Managed. Quantitative measures to gain detailed understanding.
Level 5: Optimizing. Continuous development process, w/ feedback loops (CI/CD).
Capability Maturity Model Integration (CMMI)

LEVEL 5 OPTIMIZING: focused on CONTINUOUS process improvement
REQUIRE PEER REVIEWS
LEVEL 4 QUANTITATIVELY MANAGED: process QUANTITATIVELY measured and controlled
LEVEL 3 DEFINED: characterized for the ORGANIZATION and PROACTIVE
LEVEL 2 REPEATABLE: characterized for PROJECTS and MANAGED
LEVEL 1 INITIAL: unpredictable, poorly controlled, and REACTIVE
ideal model
Model for software development which implements many of the SW-CMM attributes (maturity from LOW to HIGH):

Initiating. Business reasons outlined, support & infrastructure for initiative put in place.
Diagnosing. Engineers analyze current state of org & make recommendations for change.
Establishing. Org takes recommendations & develops plan to achieve those changes.
Acting. Plan put into action. Org develops solutions, tests, refines & implements.
Learning. Org continuously analyzes efforts and results, proposes new actions to drive better results.
software development lifecycle (SDLC)
Systems development lifecycle (SDLC)

REQUIREMENTS ANALYSIS
DESIGN
IMPLEMENTATION
TESTING
EVOLUTION
(repeat!)

Mnemonic: Real Developers Ideas Take Effort
agile model (software development model)

Model for software development based on the following four principles:

Individuals and interactions over processes and tools
Working software over comprehensive documentation
Customer collaboration over contract negotiation
Responding to change over following a plan

First described in the Manifesto for Agile Software Development (http://agilemanifesto.org) in 2001.
waterfall model (software development model)

7-stage process that allows return to previous stage for corrections:
SYSTEM REQUIREMENTS
SOFTWARE REQUIREMENTS
PRELIMINARY DESIGN
DETAILED DESIGN
CODE AND DEBUG
TESTING
OPS & MAINTENANCE

Analysis for entire project; design for entire project.
Lacks feedback loops; changes are more difficult and costly.
spiral model (software development model)

Lifecycle model that allows for multiple iterations of a waterfall-style process.

Known as a metamodel, or a “model of models.”

Each “loop” of the spiral results in the development of a new system prototype.

Provides a solution to the major criticism of the waterfall model: it allows developers to return to the planning stages as demands change.

In a word – “iterative”
INSIDE CLOUD
THANKS FOR WATCHING!
