CISSP Domain 1Lecture notes

Welcome to the first CBK Domain.

In this domain we cover:
➢ Confidentiality, Integrity, and Availability concepts.
We want the right balance; our data needs to be secure, while keeping
its integrity intact and availability high.
➢ Security Governance Principles.
What and how we grant data access to people, the frameworks we use
for it, and defense in depth.
➢ Legal and Regulatory Issues.
The laws and regulations we must adhere to, types of evidence, how we
handle it, intellectual property
➢ Professional Ethics
The ISC2 Code of Ethics and corporate code of ethics.
➢ Security Policies, Standards, Procedures and Guidelines
How we use policies, standards, guidelines, procedures, baselines what
each does.
➢ Risk Identification, Assessment, Response, Monitoring and Reporting
How we determine the quantitative and qualitative risks to our assets
and types of attackers.
➢ BCP and BIA
The considerations for our BCP (Business Continuity Plan) and our BIA
(Business impact analysis).

This domain is highly weighted on the exam (15%) and is the foundation of everything. Every other
knowledge domain builds on top of this chapter.

➢ Confidentiality, Integrity and Availability

• The CIA Triad (sometimes referred to as AIC)
▪ Confidentiality
⬥ This is what most people think IT Security is.
⬥ We keep our data and secrets secret.
⬥ We ensure no one unauthorized can access the data.
▪ Integrity
⬥ How we protect against modifications of the data and the systems.
⬥ We ensure the data has not been altered.
▪ Availability
⬥ We ensure authorized people can access the data they need, when they
need to.

1 | Page
[Link]
 CISSP Domain 1Lecture notes
• Confidentiality, Integrity and Availability.
▪ We use:
⬥ Encryption for data at rest (for instance AES256), full disk encryption.
⬥ Secure transport protocols for data in motion. (SSL, TLS or IPSEC).
⬥ Best practices for data in use - clean desk, no shoulder surfing, screen
view angle protector, PC locking (automatic and when leaving).
⬥ Strong passwords, multi-factor authentication, masking, access control,
need-to-know, least privilege.
▪ Threats:
⬥ Attacks on your encryption (cryptanalysis).
⬥ Social engineering.
⬥ Key loggers (software/hardware), cameras, Steganography.
⬥ IoT (Internet of Things) – The growing number of connected devices we
have pose a new threat, they can be a backdoor to other systems.

• Confidentiality, Integrity and Availability.

▪ We use:
⬥ Cryptography (again).
⬥ Check sums (This could be CRC).
⬥ Message Digests also known as a hash (This could be MD5, SHA1 or
SHA2).
⬥ Digital Signatures – non-repudiation.
⬥ Access control.
▪ Threats:
⬥ Alterations of our data.
⬥ Code injections.
⬥ Attacks on your encryption (cryptanalysis).

• Confidentiality, Integrity and Availability.

▪ We use:
⬥ IPS/IDS.
⬥ Patch Management.
⬥ Redundancy on hardware power (Multiple power
supplies/UPS’s/generators), Disks (RAID), Traffic paths (Network
design), HVAC, staff, HA (high availability) and much more.
⬥ SLA’s – How much uptime do we want (99.9%?) – (ROI)

▪ Threats:
⬥ Malicious attacks (DDOS, physical, system compromise, staff).
⬥ Application failures (errors in the code).
⬥ Component failure (Hardware).

2 | Page
[Link]
 CISSP Domain 1Lecture notes
• Disclosure, Alteration, and Destruction
▪ The opposite of the CIA Triad is
DAD.
⬥ Disclosure – Someone
not authorized getting
access to your
information.
⬥ Alteration – Your data
has been changed.
⬥ Destruction – Your data
or systems have been
destroyed or rendered
inaccessible.

➢ IAAA (Identification and Authentication, Authorization and Accountability):

• Identification
▪ Your name, username, ID number, employee number, SSN etc.
▪ “I am Thor”.
• Authentication
▪ “Prove you are Thor”. – Should always be done with multi-factor
authentication!
⬥ Something you know - Type 1 Authentication (passwords, pass phrase,
PIN, etc.).
⬥ Something you have - Type 2 Authentication (ID, passport, smart card,
token, cookie on PC, etc.).
⬥ Something you are - Type 3 Authentication (and Biometrics)
(Fingerprint, iris scan, facial geometry, etc.).
• Authorization
▪ What are you allowed to access?
▪ We use Access Control models. What and
how we implement depends on the
organization and what our security goals
are.
▪ More on this in later when we cover DAC,
MAC, RBAC, ABAC, and RUBAC.
• Accountability (also often referred to as Auditing)
▪ Trace an Action to a Subject’s Identity:
⬥ Prove who/what a given action was performed by (non-repudiation).

3 | Page
[Link]
 CISSP Domain 1Lecture notes
➢ Security Governance Principles
• Least Privilege and Need to Know.
▪ Least Privilege – (Minimum necessary access) Give users/systems exactly the
access they need, no more, no less.
▪ Need to Know – Even if you have access, if you do not need to know, then you
should not access the data.

• Non-repudiation.
▪ A user cannot deny having performed a certain action. This uses both
Authentication and Integrity.
• Subject and Object.
▪ Subject – (Active) Most often users, but can also be programs – Subject
manipulates Object.
▪ Object – (Passive) Any passive data (both physical paper and data) – Object is
manipulated by Subject.
▪ Some can be both at different times, an active program is a subject; when
closed, the data in program can be object.

• Governance vs. Management

▪ Governance – This is C-level Executives (Not you).
⬥ Stakeholder’s needs,
conditions and
options are
evaluated to define:
🢭 Balanced
agreed-
upon
enterprise
objectives
to be
achieved.
🢭 Setting
direction
through prioritization and decision making.
🢭 Monitoring performance and compliance against agreed-upon
direction and objectives.
🢭 Risk appetite – Aggressive, neutral, adverse.
▪ Management – How do we get to the destination (This is you).
⬥ Plans, builds, runs, and monitors activities in alignment with the
direction set by the governance to achieve the objectives.
⬥ Risk tolerance – How are we going to practically work with our risk
appetite and our environment.

4 | Page
[Link]
 CISSP Domain 1Lecture notes
• Top-Down vs. Bottom-Up Security Management and Organization structure.
▪ Bottom-Up: IT Security is seen as a nuisance and not a helper, often changes
when breaches happen.
▪ Top-Down: IT leadership is on board with IT Security, they lead and set the
direction. (The exam).

• C-Level Executives (Senior

Leadership) – Ultimately Liable.
▪ CEO: Chief Executive Officer.
▪ CIO: Chief Information Officer.
▪ CTO: Chief Technology
Officer.
▪ CSO: Chief Security Officer.
▪ CISO: Chief Information
Security Officer.
▪ CFO: Chief Financial Officer.
▪ Normal organizations
obviously have more C-Level
executives, the ones listed
here you need to know.

• Governance standards and control

frameworks.
▪ PCI-DSS - Payment Card Industry Data Security Standard
⬥ It is a standard but required if we want to handle or issue credit and
debit cards.
▪ OCTAVE® - Operationally Critical Threat, Asset, and Vulnerability Evaluation.
⬥ Self Directed Risk Management.
▪ COBIT - Control Objectives for Information and related Technology.
⬥ Goals for IT – Stakeholder needs are mapped down to IT related goals.
▪ COSO – Committee of Sponsoring Organizations.
⬥ Goals for the entire organization.
▪ ITIL - Information Technology Infrastructure Library.
⬥ IT Service Management (ITSM).
▪ FRAP - Facilitated Risk Analysis Process.
⬥ Analyzes one business unit, application or system at a time in a
roundtable brainstorm with internal employees. Impact analyzed,
threats and risks prioritized.
▪ ISO 27000 series:
⬥ ISO 27001: Establish, implement, control and improvement of the ISMS.
Uses PDCA (Plan, Do, Check, Act)
⬥ ISO 27002: (From BS 7799, 1/2, ISO 17799) Provides practical advice on
how to implement security controls. It has 10 domains it uses for ISMS
(Information Security Management Systems).
⬥ ISO 27004: Provides metrics for measuring the success of your ISMS.

5 | Page
[Link]
 CISSP Domain 1Lecture notes
⬥ ISO 27005: Standards based approach to risk management.
⬥ ISO 27799: Directives on how to protect PHI (Protected Health
Information).

Links on all these as well as ones from previous slides in the “Extras” lecture.

• Defense in Depth – Also called Layered Defense or Onion

Defense.
▪ We implement multiple overlapping security
controls to protect an asset.
▪ This applies both to physical and logical controls.
⬥ To get to a server, you may have to go
through multiple locked doors, security
guards, man traps.
⬥ To get to the data, you may need to get
past firewalls, routers, switches, the server,
and the applications security.
⬥ Each step may have multiple security controls.
▪ No single security control secures an asset.
▪ By implementing Defense in Depth, you improve your organization’s
Confidentiality, Integrity, and Availability.

➢ Legal and Regulatory Issues

• There are a handful types of laws covered on the exam and important to your job as an
IT Security Professional.
▪ Criminal Law:
⬥ “Society” is the victim and proof must be “Beyond a reasonable doubt”.
⬥ Incarceration, death, and financial fines to “Punish and deter”.
▪ Civil Law (Tort Law):
⬥ Individuals, groups or organizations are the victims and proof must be
”the majority of proof”.
⬥ Financial fines to “Compensate the victim(s)”.
▪ Administrative Law (Regulatory Law):
⬥ Laws enacted by government agencies (FDA Laws, HIPAA, FAA Laws,
etc.)
▪ Private Regulations:
⬥ Compliance is required by contract (For instance PCI-DSS).
▪ Customary Law:
⬥ Mostly handles personal conduct and patterns of behavior and it is
founded in traditions and customs of the area or region.
▪ Religious Law:
⬥ Based on the religious beliefs in that area or country, they often include
a code of ethics and moralities which are required to be upheld.

6 | Page
[Link]
 CISSP Domain 1Lecture notes
• Liability:
▪ If the question is who is ULTIMATELY liable, the answer is Senior Leadership.
This does not mean you are not liable; you may be, that depends on Due Care.
Who is held accountable? Who is to blame? Who should pay?

• Due Diligence and Due Care:

▪ Due Diligence – The research to build the IT Security architecture of your
organization, best practices and common protection mechanisms, research of
new systems before implementing.
▪ Due Care – Prudent person rule – What would a prudent person do in this
situation?
⬥ Implementing the IT Security architecture, keep systems patched. If
compromised: fix the issue, notify affected users (Follow the Security
Policies to the letter).
▪ Negligence (and gross negligence) is the opposite of Due Care.
⬥ If a system under your control is compromised and you can prove you
did your Due Care, you are most likely not liable.
⬥ If a system under your control is compromised and you did NOT
perform Due Care, you are most likely liable.

• Evidence:
How you obtain and handle evidence is VERY important.
▪ Types of evidence:
⬥ Real Evidence: Tangible and physical objects in IT Security: Hard disks,
USB drives – NOT the data on them.
⬥ Direct Evidence: Testimony from a firsthand witness, what they
experienced with their 5 senses.
⬥ Circumstantial Evidence: Evidence to support circumstances for a point
or other evidence.
⬥ Collaborative Evidence: Supports facts or elements of the case: not a
fact on its own, but support other facts.
⬥ Hearsay: Not first-hand knowledge – normally inadmissible in a case.
🢭 Computer-generated records - For us, that means log files are
considered hearsay, but case law and updates to the Federal
Rule of Evidence have changed that.

Rule 803 provides for the admissibility of a record or report that

was:
“made at or near the time by, or from information transmitted
by, a person with knowledge, if kept in the course of a regularly
conducted business activity, and if it was the regular practice of that
business activity to make the memorandum, report, record or data
compilation.”

7 | Page
[Link]
 CISSP Domain 1Lecture notes
▪ Best Evidence Rule – The courts prefer the best evidence possible.
⬥ Evidence should be accurate, complete, relevant, authentic, and
convincing.
▪ Secondary Evidence – This is common in cases involving IT.
⬥ Logs and documents from the systems are considered secondary
evidence.

▪ Evidence Integrity – It is vital that the evidence’s integrity cannot be

questioned.
⬥ We do this with hashes. Any forensics is done on copies and never the
originals.
⬥ We check hash on both original and copy before and after the
forensics.
▪ Chain of Custody – This is done to prove the integrity of the data; that no
tampering was done.
⬥ Who handled it?
⬥ When did they handle it?
⬥ What did they do with it?
⬥ Where did they handle it?

• Reasonable Searches:
▪ The Fourth Amendment to the United States Constitution protects citizens from
unreasonable search and seizure by the government.
▪ In all cases, the court will determine if evidence was obtained legally.
▪ Exigent circumstances apply if there is an immediate threat to human life or of
evidence destruction.
▪ Your organization needs to ensure that our employees are aware their actions
are monitored.
• Entrapment and Enticement:
▪ Entrapment (Illegal and unethical): When someone is persuaded to commit a
crime, they had no intention of committing and is then charged with it.
▪ Enticement (Legal and ethical): Making committing a crime more enticing, but
the person has already broken the law or at least has decided to do so.
⬥ Honeypots can be a good way to use Enticement.
🢭 If there is a gray area in some cases between Entrapment and
Enticement, it is ultimately up to the jury to decide which one it
was.
🢭 Check with your legal department before using honeypots. They
pose both legal and practical risks.
• Intellectual Property:
▪ Copyright © - (Exceptions: first sale, fair use).
⬥ Books, art, music, software.
⬥ Automatically granted and lasts 70 years after creator’s death or 95
years after creation by/for corporations.
▪ Trademarks ™ and ® (Registered Trademark).

8 | Page
[Link]
 CISSP Domain 1Lecture notes
⬥ Brand names, logos, slogans – Must be registered, is valid for 10 years at
a time, can be renewed indefinitely.
▪ Patents: Protects inventions for 20 years (normally) –
⬥ Cryptography algorithms can be patented.
⬥ Inventions must be:
🢭 Novel (New idea no one has had before).
🢭 Useful (It is actually possible to use and it is useful to
someone).
🢭 Nonobvious (Inventive work involved).
▪ Trade Secrets.
⬥ You tell no one about your formula, your secret sauce. If discovered,
anyone can use it; you are not protected.
▪ Attacks on Intellectual Property:
⬥ Copyright.
🢭 Piracy - Software piracy is by far the most common attack on
Intellectual Property.
🢭 Copyright infringement – Use of someone else’s copyrighted
material, often songs and images.
⬥ Trademarks.
🢭 Counterfeiting – Fake Rolexes, Prada, Nike, Apple products –
Either using the real name or a very similar name.
⬥ Patents.
🢭 Patent infringement – Using someone else’s patent in your
product without permission.
⬥ Trade Secrets.
🢭 While an organization can do nothing if their Trade Secret is
discovered, how it is done can be illegal.

⬥ Cyber Squatting – Buying a URL you know someone else will need (gray
area legally).
⬥ Typo Squatting – Buying a URL that is VERY close to real website name
(Can be illegal in certain circumstances).

• Privacy:
▪ You as a citizen and consumer have the right that your Personally Identifiable
Information (PII) is being kept securely.
⬥ There are a number of Laws and Regulations in place to do just that.
▪ US privacy regulation is a patchwork of laws, some overlapping, and some areas
with no real protection.
▪ EU Law – Very pro-privacy, strict protection on what is gathered, how it is used
and stored.
⬥ There are a lot of large lawsuits against large companies for doing what
is legal in the US (Google, Apple, Microsoft, etc.)

9 | Page
[Link]
 CISSP Domain 1Lecture notes
• Rules, Regulations and Laws you should know for the exam (US):
▪ HIPAA (Not HIPPA) – Health Insurance Portability and Accountability Act.
⬥ Strict privacy and security rules on handling of PHI (Protected Health
Information).
▪ Security Breach Notification Laws.
⬥ NOT Federal, all 50 states have individual laws, know your state.
▪ Electronic Communications Privacy Act (ECPA):
⬥ Protection of electronic communications against warrantless
wiretapping.
⬥ The Act was weakened by the Patriot Act.
▪ PATRIOT Act of 2001:
⬥ Expands law enforcement electronic monitoring capabilities.
⬥ Allows search and seizure without immediate disclosure.
▪ Computer Fraud and Abuse Act (CFAA) – Title 18 Section 1030:
⬥ Most commonly used law to prosecute computer crimes.
▪ Gramm-Leach-Bliley Act (GLBA):
⬥ Applies to financial institutions; driven by the Federal Financial
Institutions
▪ Sarbanes-Oxley Act of 2002 (SOX):
⬥ Directly related to the accounting scandals in the late 90s.
▪ Payment Card Industry Data Security Standard (PCI-DSS)
Technically not a law, created by the payment card industry.
⬥ The standard applies to cardholder data for both credit and debit cards.
⬥ Requires merchants and others to meet a minimum set of security
requirements.
⬥ Mandates security policy, devices, control techniques, and monitoring.
⬥ NOT Federal, all 50 states have individual laws, know your state.
⬥
• General Data Protection Regulation (GDPR)
▪ Restrictions: Lawful Interception, national security, military, police, justice
▪ Personal data – covers a variety of data types including: Names, Email
Addresses, Addresses, Unsubscribe confirmation URLs that contain email and/or
names, IP Addresses
⬥ Right to access: Data controllers must be able to provide a free copy of
an individual’s data if requested.
⬥ Right to erasure: All users have a “right to be forgotten”.
⬥ Data portability: All users will be able to request access to their data “in
an electronic format”.
⬥ Data breach notification: Users and data controllers must be notified of
data breaches within 72 hours.
⬥ Privacy by design: When designing data processes, care must be taken
to ensure personal data is secure. Companies must ensure that only
data is “absolutely necessary for the completion of duties”.
⬥ Data protection officers: Companies whose activities involve data
processing and monitoring must appoint a data protection officer.

10 | Page
[Link]
 CISSP Domain 1Lecture notes
• Rules, Regulations and Laws you should know for the exam (EU):
▪ Legacy laws in the EU and between the EU and the US
⬥ EU Data Protection Directive
⬥ EU-US Safe Harbor
⬥ Privacy Shield

• Organization for Economic Cooperation and Development (OECD) Privacy Guidelines

(International):
▪ 30 member nations from around the world, including the U.S.
▪ OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal
Data, issued in 1980, updated in 2013.
▪ Eight driving principles:
1. Collection limitation principle.
2. Data quality principle.
3. Purpose specification principle.
4. Use limitation principle.
5. Security safeguards principle.
6. Openness principle.
7. Individual participation principle.
8. Accountability principle.

• Wassenaar Arrangement – Export/Import controls for Conventional Arms and Dual-Use

Goods and Technologies.
▪ 41 countries are a part of the arrangement.
▪ Cryptography is considered “Dual-Use”.
⬥ Iran, Iraq, China, Russia, and others have import restrictions on strong
cryptography.
⬥ If it is too strong, it cannot be broken; they want to be able to spy on
their citizens.
⬥ Companies have to make “country specific” products with different
encryption standards.
▪ The arrangement is used both to limit what countries want to export and to
what some want to import.
▪ It is the responsibility of the organization to know what is permitted to
import/export from and to a certain country.
▪ The Arrangement covers 10 Categories:
1. Special materials and related equipment
2. Materials processing
3. Electronics
4. Computers
5.1– Telecommunications, 5.2 "Information security“
6. Sensors and "Lasers“
7. Navigation and avionics
8. Marine
9. Aerospace and propulsion.

11 | Page
[Link]
 CISSP Domain 1Lecture notes
• 3rd party, Acquisitions and Divesture.
▪ As our organizations rely more and more on 3rd party vendors for services and
applications, we need to ensure their security standards, measures, and controls
meet the security standards of our organization.
▪ Procurement: When we buy products or services from a 3rd party, security is
included and not an afterthought.
▪ A common agreement is a SLA (Service Level Agreement) where for instance a
99.9% uptime can be promised.
▪ Industry Standard Attestation should be used:
⬥ The 3rd party vendor must be accredited to the standards of your
industry. This could be ISO, SOC, PCI-DSS.
⬥ “Rights to penetration test” and ”Rights to audit” are often part of
agreement (clearly defined).
▪ Acquisitions: Your organization has acquired another.
⬥ How do you ensure their security standards are high enough?
⬥ How do you ensure data availability in the transition?
▪ Divestures: Your organization is being split up.
⬥ How do you ensure no data crosses boundaries it shouldn’t?
⬥ Who gets the IT Infrastructure?

➢ Professional Ethics
• ISC² Code of Ethics
▪ You agree to this before the exam, and the code of ethics is very testable.
▪ There are only four mandatory canons in the code. By necessity, such high-level
guidance is not intended to be a substitute for the ethical judgment of the
professional.
▪ Code of Ethics Preamble:
⬥ The safety and welfare of society and the common good, duty to our
principles, and to each other, requires that we adhere, and be seen to
adhere, to the highest ethical standards of behavior.
⬥ Therefore, strict adherence to this code is a condition of certification.
▪ Code of Ethics Canons:
⬥ Protect society, the common good, necessary public trust and
confidence, and the infrastructure.
⬥ Act honorably, honestly, justly, responsibly, and legally.
⬥ Provide diligent and competent service to principals.
⬥ Advance and protect the profession.

• Computer Ethics Institute

▪ Ten Commandments of Computer Ethics:
⬥ Thou shalt not use a computer to harm other people.
⬥ Thou shalt not interfere with other people’s computer work.
⬥ Thou shalt not snoop around in other people’s computer files.
⬥ Thou shalt not use a computer to steal.

12 | Page
[Link]
 CISSP Domain 1Lecture notes
⬥ Thou shalt not use a computer to bear false witness.
⬥ Thou shalt not copy or use proprietary software for which you have not
paid.
⬥ Thou shalt not use other people's’ computer resources without
authorization or proper compensation.
⬥ Thou shalt not appropriate other people's’ intellectual output.
⬥ Thou shalt think about the social consequences of the program you are
writing or the system you are designing.
⬥ Thou shalt always use a computer in ways that ensure consideration
and respect for your fellow humans.

• IABs Ethics and the Internet

▪ Defined as a Request For Comment (RFC), #1087 - Published in 1987
▪ Considered unethical behavior:
⬥ Seeks to gain unauthorized access to the resources of the Internet.
⬥ Disrupts the intended use of the Internet.
⬥ Wastes resources (people, capacity, computer) through such actions :
🢭 Destroys the integrity of computer-based information.
🢭 Compromises the privacy of users.

• Your Organization’s Ethics:

▪ You need to know the Internal Code of Ethics of your organization
⬥ If you don’t, how can you adhere to it?

➢ Information Security Governance

• Security governance principles.
▪ Values:
⬥ What are our values? Ethics, Principles, Beliefs.
▪ Vision:
⬥ What do we aspire to be? Hope and Ambition.
▪ Mission:
⬥ Who do we do it for? Motivation and Purpose.
▪ Strategic Objectives:
⬥ How are we going to progress? Plans, goals,
and sequencing.

• Action & KPIs

13 | Page
[Link]
 CISSP Domain 1Lecture notes
▪ What do we need to do and how do we know when we achieved it? Actions,
Recourses, Outcomes, Owners, and Timeframes.

▪ Policies – Mandatory.
⬥ High level, non-specific.
⬥ They can contain “Patches, updates, strong encryption”
⬥ They will not be specific to “OS,
encryption type, vendor
Technology”
▪ Standards – Mandatory.
⬥ Describes a specific use of
technology (All laptops are W10,
64bit, 8gig memory, etc.)
▪ Guidelines – non-Mandatory.
⬥ Recommendations, discretionary
– Suggestions on how you would
to do it.
▪ Procedures – Mandatory.
⬥ Low level step-by-step guides,
specific.
⬥ They will contain “OS, encryption type, vendor Technology”
▪ Baselines (Benchmarks) - Mandatory.
⬥ Benchmarks for server hardening, apps, network. Minimum
requirement, we can implement stronger if needed.

• Personnel Security – Users often pose the largest security risk:

▪ Awareness – Change user behavior - this is what we want, we want them to
change their behavior.
▪ Training – Provides users with a skillset - this is nice, but if they ignore the
knowledge, it does nothing.
▪ Hiring Practices – We do background checks where we check: References,
degrees, employment, criminal, credit history (less common, more costly). We
have new staff sign a NDA (Non-Disclosure Agreement).
▪ Employee Termination Practices – We want to coach and train employees
before firing them. They get warnings.
⬥ When terminating employees, we coordinate with HR to shut off access
at the right time.
▪ Vendors, Consultants and Contractor Security.
⬥ When we use outside people in our environments, we need to ensure
they are trained on how to handle data. Their systems need to be
secure enough for our policies and standards.

14 | Page
[Link]
 CISSP Domain 1Lecture notes
▪ Outsourcing and Offshoring - Having someone else do part of your (IT in our
case) work.
⬥ This can lower cost, but a thorough and accurate Risk Analysis must be
performed. Offshoring can also pose problems with them not having to
comply with the same data protection standards.

➢ Access Control Defensive Categories and Types

• Access Control Categories:
▪ Administrative (Directive) Controls:
⬥ Organizational policies and procedures.
⬥ Regulation.
⬥ Training and awareness.
▪ Technical Controls:
⬥ Hardware/software/firmware – Firewalls, routers, encryption.
▪ Physical Controls:
⬥ Locks, fences, guards, dogs, gates, bollards.

• Access Control Types (Many can be multiple types – On the exam look at question
content to see which type it is).
▪ Preventative:
⬥ Prevents action from happening – Least privilege, drug tests, IPS,
firewalls, encryption.
▪ Detective:
⬥ Controls that Detect during or after an attack – IDS, CCTV, alarms, anti-
virus.
▪ Corrective:
⬥ Controls that Correct an attack – Anti-virus, patches, IPS.
▪ Recovery:
⬥ Controls that help us Recover after an attack – DR Environment,
backups, HA Environments .
▪ Deterrent:
⬥ Controls that Deter an attack – Fences, security guards, dogs, lights,
Beware of the dog signs.
▪ Compensating:
⬥ Controls that Compensate – other controls that are impossible or too
costly to implement.

15 | Page
[Link]
 CISSP Domain 1Lecture notes
➢ Risk Identification, Assessment, Response, Monitoring
and Reporting

• Risk Management - Identification:

Risk = Threat * Vulnerability

• The Risk Management lifecycle is iterative.

Identify our Risk Management team.
▪ What is in and what is out of scope?
▪ Which methods are we using?
▪ Which tools are we using?
▪ What are the acceptable risk levels, which type of risk appetite do we have in
our enterprise?
▪ Identify our assets.
⬥ Tangible: Physical hardware, buildings, anything you can touch.
⬥ Intangible: Data, trade secrets, reputation, etc.

• Risk Assessment.
▪ Quantitative and Qualitative Risk
Analysis.
▪ Uncertainty analysis.
▪ Everything is done using cost-benefit
analysis.
▪ Risk Mitigation/Risk Transference/Risk
Acceptance/Risk Avoidance.
▪ Risk Rejection is NEVER acceptable.
▪ We assess the current countermeasures.
⬥ Are they good enough?
⬥ Do we need to improve on
them?
⬥ Do we need to implement
entirely new countermeasures?

• Risk Analysis:
▪ Qualitative vs. Quantitative Risk Analysis.
For any Risk analysis we need to identify our assets. What are we
protecting?
▪ Qualitative Risk Analysis – How likely is it to happen and how bad is it if it
happens?
▪ Quantitative Risk Analysis – What will it actually cost us in $? This is fact based
analysis, Total $ value of asset, math is involved.
▪ Threat – A potentially harmful incident (Tsunami, Earthquake, Virus, ... )
▪ Vulnerability – A weakness that can allow the Threat to do harm. Having a data
center in the tsunami flood area, not earthquake resistant, not applying patches
and anti-virus, …

16 | Page
[Link]
 CISSP Domain 1Lecture notes
▪ Risk = Threat x Vulnerability.
▪ Impact - Can at times be added to give a fuller picture. Risk = Threat x
Vulnerability x Impact (How bad is it?).
▪ Total Risk = Threat x Vulnerability x Asset Value.
▪ Residual Risk = Total Risk – Countermeasures.

• Qualitative Risk Analysis with the Risk

Analysis Matrix.
Pick an asset: A laptop.
▪ How likely is one to get stolen
or left somewhere?
I would think possible or likely.
▪ How bad is it if it happens?
That really depends on a
couple of things:
⬥ Is it encrypted? Where the L, M, H, E is for your organization can be different from this.
⬥ Does it contain classified or L = Low, M = Medium, H = High, E = Extreme Risk
PII/PHI content?
▪ Let’s say it is likely and a minor issue, that puts the loss the high risk category.
▪ It is normal to move high and extreme on the quantitative risk analysis. If
mitigation is implemented, we can maybe move the risk level to “Low” or
“Medium”.

• Risk Registers:
▪ A risk category to group similar risks.
▪ The risk breakdown structure identification number.
▪ A brief description or name of the risk to make the risk easy to discuss.
▪ The impact (or consequence) if event actually
occurs rated on an integer scale.
▪ The probability or likelihood of
its occurrence rated
on an integer scale.
▪ The Risk Score (or Risk Rating)
is the multiplication
of Probability and Impact, and
is often used to rank
the risks.
▪ Common mitigation steps (e.g.
within IT projects)
⬥ Identify
⬥ Analyze
⬥ Plan Response
⬥ Monitor
⬥ Control

17 | Page
[Link]
 CISSP Domain 1Lecture notes
• Quantitative Risk Analysis
This is where we put a number on our assets and risks.
▪ We find the asset’s value: How much of it is compromised, how much one
incident will cost, how often the incident occurs and how much that is per year.
⬥ Asset Value (AV) – How much is the asset worth?
⬥ Exposure factor (EF) – Percentage of Asset lost?
⬥ Single Loss Expectancy (SLE) = (AV x EF) – What does it cost if it happens
once?
⬥ Annual Rate of Occurrence (ARO) – How often will this happen each
year?
⬥ Annualized Loss Expectancy (ALE) – This is what it costs per year if we
do nothing.
▪ Total Cost of Ownership (TCO) – The mitigation cost: upfront + ongoing cost
(Normally Operational

Let’s look at a few examples.

Laptop – Theft/Loss (unencrypted) Data Center – Flooding

The Laptop ($1,000) + PII ($9,000) per loss (AV) The Data Center is valued at $10,000,000 (AV)
It is a 100% loss, it is gone (EF) If a flooding happens 15% of the DC is compromised (EF)
Loss per laptop is $10,000 (AV) x 100% EF) = (SLE) Loss per Flooding is $10,000,000 (AV) x 15% EF) = (SLE)
The organization loses 25 Laptops Per Year (ARO) The flooding happens every 4 years = 0.25 (ARO)
The annualized loss is $250,000 (ALE) The annualized loss is $375,000 (ALE)

Quantitative Risk Analysis

For the example, let’s use a 4-year tech refresh cycle.
▪ Full disk encryption software and support = $75,000 initial and $5,000 per year.
▪ Remote wipe capabilities for the laptop = $20,000 initial and $4,000 per year.
▪ Staff for encryption and help desk = $25,000 per year

Doing nothing costs us $1,000,000 per tech refresh cycle ($250,000 per year).
Implementing full disk encryption and remote wipe will cost $231,000 per tech refresh cycle ($57,750
per year).

18 | Page
[Link]
 CISSP Domain 1Lecture notes
The laptop hardware is a 100% loss, regardless. What we are mitigating is the 25 x $9,000 = $225,000 by
spending $57,750.

This is our ROI (Return On Investment): TCO ($57,750) < ALE ($250,000). This makes fiscal sense, we
should implement.

• Types of risk responses:

▪ Accept the Risk – We know the risk is there, but the mitigation is more costly
than the cost of the risk (Low risks).
▪ Mitigate the Risk (Reduction) – The laptop encryption/wipe is an example –
acceptable level (Leftover risk = Residual).
▪ Transfer the Risk – The insurance risk approach.
▪ Risk Avoidance – We don’t issue employees laptops (if possible) or we build the
data center in an area that doesn’t flood.
▪ Risk Rejection – You know the risk is there, but you are ignoring it. This is never
acceptable. (You are liable).
▪ Secondary Risk – Mitigating one risk may open up another risk.

• This area is very testable. Learn the formula, the risk responses to differentiate
Qualitative and Quantitative Risk.
▪ Qualitative = Think “quality.” This concept is semi-vague, e.g., “pretty good
quality. “
▪ Quantitative = Think “quantity.” How many; a specific number.

19 | Page
[Link]
 CISSP Domain 1Lecture notes
• NIST 800-30 - United States National Institute of Standards and Technology Special
Publication
▪ A 9-step process for Risk Management.
1. System Characterization (Risk Management scope, boundaries, system
and data sensitivity).
2. Threat Identification (What are the threats
to our systems?).
3. Vulnerability Identification (What are the
vulnerabilities of our systems?).
4. Control Analysis (Analysis of the current
and planned safeguards, controls and
mitigations).
5. Likelihood Determination (Qualitative –
How likely is it to happen)?
6. Impact Analysis (Qualitative – How bad is it
if it happens? Loss of CIA).
7. Risk Determination (Look at 5-6 and determine Risk and Associate Risk
Levels).
8. Control Recommendations (What can we do to Mitigate, Transfer, … the
risk).
9. Results Documentation (Documentation with all the facts and
recommendations).

• KGIs, KPIs and KRIs

▪ KGI (Key Goal Indicators)
⬥ Define measures that tell management, after the fact – whether an IT
process has achieved its business requirements.
▪ KPI (Key Performance Indicators)
⬥ Define measures that determine how well the IT process is performing
in enabling the goal to be reached.
▪ KRI (Key Risk Indicators)
⬥ Metrics that demonstrate the risks that an organization is facing or how
risky an activity is.
⬥ They are the mainstay of measuring adherence to and establishing
enterprise risk appetite.
⬥ Key risk indicators are metrics used by organizations to provide an early
signal of increasing risk exposures in various areas of the enterprise.
⬥ KRI gives an early warning to identify potential event that may harm
continuity of the activity/project.

• Risk Response and Mitigation

▪ Risk mitigation, transference, acceptance or avoidance.
▪ We act on senior managements choices, which they made based on our
recommendations from the assessment phase.

20 | Page
[Link]
 CISSP Domain 1Lecture notes
▪ Do we stop issuing laptops, or do we add full-disk encryption and remote wipe
capabilities?
▪ We update the risk register, with the mitigations, the risk responses we chose
and see if the new risk level is acceptable.

• Risk and Control Monitoring and Reporting

▪ The process is ongoing, we have to keep monitoring both the risk and the
controls we implemented.
▪ This is where we could use the KRIs (Key Risk Indicators)
▪ We would also use KPIs (Key Performance Indicators)
▪ You are the translating link, you have to be able to explain IT and IT Security to
Senior Management in terms they can understand.
▪ It is normal to do the Risk Management lifecycle on an annual basis, and do out-
of-cycle Risk Management on critical items.

• Risk Management Maturity Model

▪ Sponsor and Management

▪ Identify Risk
▪ Analyze Risk
▪ Plan Risk response
▪ Integrate risk management and project management systems
▪ Trust in and a culture of risk management

21 | Page
[Link]
 CISSP Domain 1Lecture notes
➢ RACI Chart
• Responsible, Accountable, Consulted, Informed
▪ R (Responsible) - The person or people that
does the actual work to complete the task.
▪ A (Accountable) - The person ultimately
accountable for the correct and thorough
completion of the task.
▪ C (Consulted) - The people who provide
information for the task and with whom
there is two-way communication.
▪ I (informed) - The people who are kept
informed about the task’s progress and
with whom there is one-way communication.

22 | Page
[Link]
 CISSP Domain 1Lecture notes
➢ Governance, Risk Management, Compliance
• GRC – aligning our risk management strategies to our business objectives and
compliance standards.
▪ Governance – ensures that IT goals and processes aligns with our business
objectives.
▪ Risk Management – the process of identifying, assessing, and responding to
risks.
▪ Compliance – conforming with a stated requirement.
⬥ Laws and regulations.
⬥ Auditing and monitoring.
⬥ Ethics and privacy.

➢ NIST 800-53 rev. 5

• Security and Privacy Controls for Information Systems and Organizations
▪ Provides detailed security controls for US federal systems.
▪ Guides us on how to create, operate, and maintain security systems.
▪ Gives us a comprehensive risk-based approach to information security.

• Control Families – focus on a specific aspect of security and privacy.

• Control Classes – Management, Operational, Technical.
• Baseline Controls – the minimum level of security in a system.

• The inclusion of privacy controls.

• Outcome-based approach.
• More focus on supply chain management.
• Protection against insider threats.

➢ NIST 800-37 Rev. 1 and 2

• Revision 1: Date Published: February 2010 (Updated 6/5/2014).
• Revision 2: Date Published: December 2018.

• There are seven major objectives for this update:

1. To provide closer linkage and communication between the risk management
processes and activities at the C-suite.
2. To institutionalize critical risk management preparatory activities at all risk
management levels.
3. To demonstrate how the NIST Cybersecurity Framework [NIST CSF] can be
aligned with the RMF and implemented using established NIST risk
management processes.

23 | Page
[Link]
 CISSP Domain 1Lecture notes
4. To integrate privacy risk management processes into
the RMF to better support the privacy protection
needs for which privacy programs are
responsible.
5. To promote the development of
trustworthy secure software and systems.
6. To integrate security-related, supply chain
risk management (SCRM) concepts into
the RMF.
7. To allow for an organization-generated
control selection approach to complement
the traditional baseline control selection
approach and support the use of the
consolidated control catalog in NIST Special
Publication 800-53, Revision 5.

➢ NIST Cyber Security Framework Rev. 1.1

24 | Page
[Link]
 CISSP Domain 1Lecture notes

• Types of attackers:
▪ Hackers:
⬥ Now: Anyone trying to get access to or disrupt any leg of the CIA Triad
(Confidentiality, Integrity, Availability).
⬥ Original use: Someone using something in a way not intended.
⬥ White Hat hackers: Professional pen testers trying to find flaws so we
can fix it (Ethical hackers).

⬥ Black Hat hackers: Malicious hackers, trying to find flaws to exploit

them (Crackers – they crack the code).
⬥ Gray/Grey Hat hackers: They are somewhere between the white and
black hats, they go looking for vulnerable code, systems or products.
⬥ Script Kiddies:
🢭 They have little or no coding knowledge, but many
sophisticated hacking tools are available and easy to use.
▪ Outsiders:
⬥ Unauthorized individuals - Trying to gain access; they launch the
majority of attacks, but are often mitigated if the organization has good
Defense in Depth.
⬥ Interception, malicious code (e.g. virus, logic bomb, trojan horse), sale
of personal information, system bugs, system intrusion, system
sabotage or unauthorized system access.
⬥ 48-62% of risks are from outsiders.

25 | Page
[Link]
 CISSP Domain 1Lecture notes
▪ Insiders:
⬥ Authorized individuals - Not necessarily to the compromised system,
who intentionally or unintentionally compromise the system or data.
⬥ This could be: Assault on an employee, blackmail, browsing of
proprietary information, computer abuse, fraud and theft, information
bribery, input of falsified or corrupted data.
⬥ 38-52% of risks are from insiders, another reason good Authentication
and Authorization controls are needed.
▪ Hacktivism/Hacktivist (hacker activist): Hacking for political or socially
motivated purposes.
⬥ Often aimed at ensuring free speech, human rights, freedom of
information movement.
▪ Governments:
⬥ State sponsored hacking is common; often you see the attacks
happening between the hours of 9 and 5 in that time zone; this is a day
job.
⬥ Approximately 120 countries have been developing ways to use the
internet as a weapon to target financial markets, government computer
systems and utilities.
⬥ Famous attacks: US elections (Russia), Sony websites (N. Korea), Stuxnet
(US/Israel), US Office of Personnel Management (China), …

▪ Bots and botnets (short for robot):

⬥ Bots are a system with malware
controlled by a botnet.
⬥ The system is compromised by an
attack or the user installing a remote
access trojan (game or application with
a hidden payload).
⬥ They often use IRC, HTTP, or HTTPS.
⬥ Some are dormant until activated.
⬥ Others are actively sending data from
the system (Credit card/bank
information for instance).
⬥ Active bots can also can be used to
send spam emails.
▪ Botnets is a C&C (Command and Control)
network, controlled by people (bot-herders).
⬥ There can often 1,000s or even
100,000s of bots in a botnet.

• Types of Attacks
▪ Phishing, spear phishing and whale phishing
(Fisher spelled in hacker speak with Ph not F).
⬥ Phishing (Social engineering email attack):

26 | Page
[Link]
 CISSP Domain 1Lecture notes
🢭 Click to win, Send information to get your inheritance …
🢭 Sent to hundreds of thousands of people; if just 0.02% follow
the instructions they have 200 victims.
⬥ Spear Phishing: Targeted phishing, not just random spam, but targeted
at specific individuals.
🢭 Sent with knowledge about the target (person or company);
familiarity increases success.
⬥ Whale Phishing (Whaling): Spear phishing targeted at senior leadership
of an organization.
🢭 This could be: “Your company is being sued if you don’t fill out
the attached documents (with trojan in them) and return them
to us within 2 weeks”.
⬥ Vishing (Voice Phishing): Attacks over automated VOIP (Voice over IP)
systems, bulk spam similar to phishing.
🢭 These are: “Your taxes are due”, “Your account is locked” or
“Enter your PII to prevent this” types of calls.

➢ Business Continuity Plan (BCP) and Business Impact Analysis (BIA)

• Business Continuity Plan (BCP)
▪ This is the process of creating the long-term strategic business plans, policies,
and procedures for continued operation after a disruptive event.
▪ It is for the entire organization, everything that could be impacted, not just IT.

▪ Lists a range of disaster scenarios and the steps the organization must take in
any particular scenario to return to regular operations.
▪ BCPs often contain COOP (Continuity of Operations Plan), Crisis
Communications Plan, Critical Infrastructure Protection Plan, Cyber Incident
Response Plan, DRP (Disaster Recovery Plan), ISCP (Information System
Contingency Plan), Occupant Emergency Plan.
▪ We look at what we would do if a critical supplier closed, the facility was hit by
an earthquake, what if we were snowed in and staff couldn't get to work, ...
▪ They are written ahead of time, and continually improved upon, it is an iterative
process.
▪ We write the BCP with input from key staff and at times outside BCP
consultants.

• Developing our BCP:

Older versions of NIST 800-34 had these steps as a
framework for building our BCP/DRP, they are still very
applicable.
▪ Project Initiation: We start the project, identify
stakeholders, get C-level approval, and formalize the
project structure.
▪ Scope the Project: We identify exactly what we are
trying to do and what we are not.

27 | Page
[Link]
 CISSP Domain 1Lecture notes
▪ Business Impact Analysis: We identify and prioritize critical systems and
components.
▪ Identify Preventive Controls: We identify the current and possible preventative
controls we can deploy.
▪ Recovery Strategy: How do we recover efficiently? What are our options? DR
site, system restore, cloud, ...
▪ Plan Design and Development: We build a specific plan for recovery from a
disaster; procedures, guidelines, and tools.
▪ Implementation, Training, and Testing: We test the plan to find gaps and we
train staff to be able to act on the plan.
▪ BCP/DRP Maintenance: It is an iterative process. Our organization develops,
adds systems, facilities, or technologies and the threat landscape constantly
changes, we have to keep improving and tweaking our BCP and DRP.

• Business Impact Analysis (BIA)

▪ Identifies critical and non-critical organization systems, functions, and activities.
▪ Critical is where disruption is considered unacceptable, the acceptability is also
based on the cost of recovery.
▪ A function may also be considered critical if dictated by law.
⬥ For each critical (in scope) system, function or activity, two values are
then assigned:

▪ RPO (Recovery Point Objective): The acceptable amount of data that cannot be
recovered.
⬥ The RPO must ensure that the maximum tolerable data loss for the
system, function, or activity is not exceeded.
▪ MTD (Maximum Tolerable Downtime): MTD ≥ RTO + WRT:
⬥ System rebuild time, configuration, and reinsertion into production
must be less than or equal to our MTD.

28 | Page
[Link]
 CISSP Domain 1Lecture notes
⬥ The total time a system can be inoperable before our organization is
severely impacted.
⬥ RTO (Recovery Time Objective): The amount of time to restore the
system (hardware).
🢭 The recovery time objective must ensure that the MTD for each
system, function or activity is not exceeded.
⬥ WRT (Work Recovery Time): (software)
🢭 How much time is required to configure a recovered system.
▪ MTBF (Mean Time Between Failures): How long a new or repaired
system/component will function on average.
▪ MTTR (Mean Time to Repair): How long it will take to recover a failed system.
▪ MOR (Minimum Operating Requirements): The minimum requirements for our
critical systems to function.

➢ Final Points to Remember

• Finding the right mix of Confidentiality, Integrity, and Availability is a balancing act.
▪ This is really the cornerstone of IT Security – finding the RIGHT mix for your
organization.
⬥ Too much Confidentiality and the Availability can suffer.
⬥ Too much Integrity and the Availability can suffer.
⬥ Too much Availability and both the Confidentiality and Integrity can
suffer.
• IT Security is there to Support the organization.
▪ We are there to enable the organization to fulfil its mission statement and the
business’ goals.
▪ We are not the most important part of the organization, but we span the entire
organization.
▪ We are Security leaders and Business leaders – Answer exam questions wearing
BOTH hats.
• GDPR is a regulation in EU law on data protection and privacy for all individuals within
the European Union (EU) and the European Economic Area (EEA).
▪ It does not matter where we are based, if we have customers in EU/EEA we
have to adhere to the GDPR.
▪ Violators of the GDPR may be fined up to €20 million or up to 4% of the annual
worldwide turnover of the preceding financial year in case of an enterprise,
whichever is greater.
▪ Unless a data subject has provided informed consent to data processing for one
or more purposes, personal data may not be processed unless there is at least
one legal basis to do so.
• Any organization will encounter disasters every so often. How we try to avoid them,
how we mitigate them and how we recover when they happen is very important.
▪ If we do a poor job, the organization may be severely impacted or have to close.
▪ Companies that had a major loss of data, 43% never reopen and 29% close
within two years.
• Senior management needs to be involved and committed to the BCP/DRP process.

29 | Page
[Link]
 CISSP Domain 1Lecture notes
They need to be part of at least the initiation and the final approval of the plans.
▪ They are responsible for the plan, they own the plan and since they are
ultimately liable, they must show due-care and due-diligence.
▪ We need top-down IT security in our organization (the exam assumed we have
that).
▪ In serious disasters, it will be Senior Management or someone from our legal
department who should talk to the press.
▪ Most business areas often feel they are the most important area and because of
that their systems and facilities should receive the priority, senior management
being ultimately liable and the leaders of our organization, obviously have the
final say in priorities, implementations, and the plans themselves.

• BCPs/DRPs are often built using the waterfall project management methodology.

➢ What we covered in the first CBK Domain:

✔ How we want our data to be confidential, keep its integrity, and have it available when
we need to access it.
✔ How we identify, authenticate, authorize our employees, and keep them accountable
(IAAA).
✔ Need to know, least privilege, non-repudiation, subjects, and objects.
✔ The governance structure we have in our organization, the control frameworks we use
how we use defense in depth.
✔ Laws and regulations in our field and in general.
✔ How we use due care, due diligence to avoid negligence, and who is liable when.
✔ What constitutes evidence, how we collect, and handle it properly.
✔ The different kinds of intellectual property, the laws around them, and the attacks on
them.
✔ The ISC2 code of ethics – You agree to them before taking the exam and they are very
testable.
✔ The qualitative risk analysis that then leads into the quantitative risk analysis, where we
put numbers, and dollars on the risks and then choose mitigation strategies.
✔ The attackers we need to protect ourselves against.
✔ How we build our BCP and do our BIA and what we have to consider for each of them.

Additional graphics are available on the next page.

30 | Page
[Link]
CISSP Domain 1Lecture notes

31 | Page
[Link]
 CISSP Domain 2 Lecture notes

Welcome to the second CBK Domain.

In this domain we cover:

 The Information Life Cycle.
 Information and Asset Classification:
How we classify our data, so we know what to protect and how? How do we
store and inventory the data?
 Ownership (Data owners, System owners, and Data custodians):
Who owns the data and what are the different roles?
 Protect Privacy:
How do we protect data privacy?
Memory and data remanence.
 Appropriate Retention:
We keep data as long as it is useful or required, whichever is longest.
 Data Security Controls:
How we protect our data in motion, at rest, and in use and how we securely
destroy hardware.
 Handling Requirements (e.g., markings, labels, storage):
How we label, store, and inventory our data so we can properly dispose of it
when it is no longer needed.

This domain is the smallest both in the concepts it covers and the percentage of the weighted exam
questions (10%).

➢ The Information Life Cycle

● Data acquisition.
▪ The information is either created or copied from
another location.
▪ Make it useful, index it, and store it.
● Data use.
▪ How do we ensure the data is kept confidential, the
integrity is intact, and it is available when needed
(The CIA triad).
● Data archival.
▪ Retention required by law, or the data will be used
later.
▪ Archival vs. backup.
● Data disposal.
▪ How do we dispose properly of the data once it is no
longer useful and required?

1 | Page
[Link]
 CISSP Domain 2 Lecture notes

➢ Data Classification Policies

• Labels: Objects have Labels assigned to them.
▪ The label is used to allow Subjects with the right clearance to access them.
▪ Labels are often more granular than just “Top Secret” they can be “Top Secret –
Nuclear.”

• Clearance: Subjects have Clearance assigned to them.

▪ A formal decision on a subject’s current and future trustworthiness.
▪ The higher the clearance, the more in-depth the background checks should be
(always in military, not always in the corporate world).
• Formal Access Approval:
▪ Document from the data owner approving access to the data for the subject.
▪ Subject must understand all requirements for accessing the data and the liability
involved if compromised, lost, or destroyed.
▪ Appropriate Security Clearance is required as well as the Formal Access
Approval.
● Need to know:
▪ Just because you have access does not mean you are allowed the data.
▪ You need a valid reason for accessing the data. If you do not have one you can
be terminated/sued/jailed/fined.
⬥ Leaked information about Octomom Natalie Suleman cost 15 Kaiser
employees fines or terminations because they had no valid reason for
accessing her file.

2 | Page
[Link]
 CISSP Domain 2 Lecture notes
⬥ We may never know who actually leaked the information. It may not be
one of the 15, but they violated HIPAA by accessing the data.
● Least privilege: Users have the minimum necessary access to perform their job duties.

➢ Sensitive Information and Media Security

● Sensitive information
Any organization has data that is considered
sensitive for a variety of reasons.
We want to protect the data from Disclosure,
Alteration and Destruction (DAD).

▪ Data has 3 States: We want to protect it as

well as we can in each state.
⬥ Data at Rest (Stored data): This is
data on disks, tapes, CDs/DVDs, USB sticks.
🢭 We use disk encryption (full/partial), USB encryption, tape
encryption (avoid CDs/DVDs).
🢭 Encryption can be hardware or software encryption.

⬥ Data in Motion (Data being transferred on a network).

🢭 We encrypt our network traffic, end to end encryption, this is
both on internal and external networks.
⬥ Data in Use: (We are actively using the files/data, it can’t be encrypted).
🢭 Use good practices: clean desk policy, print policy, allow no
‘shoulder surfing’, may be the use of view angle privacy screen
for monitors, locking computer screen when leaving
workstation.

▪ Data handling:
⬥ Only trusted individuals should handle our data; we should also have
policies on how, where, when, why the data was handled. Logs should
be in place to show these metrics.
▪ Data storage:
⬥ Where do we keep our sensitive data? It should be kept in a secure,
climate-controlled facility, preferably
geographically distant or at least far
enough away that potential incidents
will not affect that facility too.
🢭 Many older breaches were
from bad policies around
tape backups.
🢭 Tapes were kept at the
homes of employees instead
of at a proper storage facility

3 | Page
[Link]
 CISSP Domain 2 Lecture notes
or in a storage room with no access logs and no access
restrictions (often unencrypted).

▪ Data retention:
⬥ Data should not be kept beyond the period of
usefulness or beyond the legal requirements
(whichever is greater).
⬥ Regulation (HIPAA or PCI-DSS) may require a
certain retention of the data (1, 3, 7 years, or
infinity).
⬥ Each industry has its own regulations and
company policies may differ from the statutory
requirements.
⬥ Know your retention requirements!

➢ Data, system, mission ownership, custodians, and users

Each role is unique and has certain responsibilities to ensure our data is safe.

• Mission/business owners:
▪ Senior executives make the policies that govern our data security.
• Data/information owners:
▪ Management level, they assign sensitivity labels and backup frequency.
▪ This could be you or a data owner from HR, payroll, or other departments.
• Data custodians:
▪ These are the technical hands-on employees who do the backups, restores,
patches, and system configuration. They follow the directions of the data
owner.
• System owner: Management level and the owner of the systems that house the data.
▪ Often a data center manager or an infrastructure manager.
• Data controllers and data processors:
▪ Controllers create and manage sensitive data in the organization (HR/Payroll)
▪ Processors manage the data for controllers (Outsourced payroll).
• Security Administrators:
▪ Responsible for firewalls, IPS’ (Intrusion Prevention Systems), IDS’ (Intrusion
Detection Systems), security patches, create accounts, and assign access to the
data following the data owners’ directions.
• Supervisors:
▪ Responsible for user behavior and assets created by the users. Directly
responsible for user awareness and needs to inform the security administrator if
there are any changes to user employment status, user access rights, or any
other pertinent changes to an employees’ status.

4 | Page
[Link]
 CISSP Domain 2 Lecture notes
• Users:
▪ These are the users of the data. User awareness must be trained; they need to
know what is acceptable and what is not acceptable, and the consequences for
not following the policies, procedures, and standards.
• Auditors:
▪ Responsible for reviewing and confirming our security policies are implemented
correctly, we adhere to them, and that they provide the protection they should.

➢ Memory and Data Remanence

● Data Remanence: Data left over after normal removal and deletion of data.
● Memory: Is just 0s (off) and 1s (on); switches representing bits.
▪ ROM:
⬥ ROM (Read Only Memory) is nonvolatile (retains memory after power
loss); most common use
is the BIOS.
▪ PROM
(Programmable
read only
memory)
▪ EPROM
(Erasable
programmable
read only
memory)
▪ EEPROM
(Electrically erasable programmable read only memory)
⬥ PLD (Programmable logic devices) are programmable after they leave
the factory (EPROM, EEPROM and flash memory). Not PROM.

● Cache Memory: L1 cache is on the CPU (fastest), L2 cache is connected to the CPU, but
is outside it.
● RAM (Random Access Memory) is volatile memory. It loses the memory content after a
power loss (or within a few minutes). This can be memory sticks or embedded
memory.
▪ SRAM and DRAM:
⬥ SRAM (Static RAM): Fast and expensive. Uses latches to store bits (Flip-
Flops).
▪ Does not need refreshing to keep data, keeps data until power
is lost. This can be embedded on the CPU.
⬥ DRAM (Dynamic RAM) Slower and cheaper. Uses small capacitors.
▪ Must be refreshed to keep data integrity (100-1000ms).
▪ This can be embedded on graphics cards.
▪ SDRAM: (Synchronous DRAM):
→ What we normally put in the motherboard slots for the
memory sticks.

5 | Page
[Link]
 CISSP Domain 2 Lecture notes
→ DDR (Double Data Rate) 1, 2, 3, 4 SDRAM.

• Firmware and SSDs (Solid State Drives).

▪ Firmware:
⬥ This is the BIOS on a computer, router or switch; the low-level operating
system and configuration.
⬥ The firmware is stored on an embedded device.
⬥ PROM, EPROM, EEPROM are common firmware chips.

▪ Flash memory:
⬥ Small portable drives (USB sticks are an example); they are a type of
EEPROM.

▪ SSD drives are a combination of EEPROM and DRAM, can’t be degaussed.

⬥ To ensure no data is readable we must use ATA Secure Erase or/and
destruction of SSD drives.

➢ Data Destruction
When we no longer need a certain media, we must dispose of it in a manner that ensures the
data can’t be retrieved. This pertains to both electronic media and paper copies of data.
• Paper disposal – It is highly encouraged to dispose of ANY
paper with any data on it in a secure manner. This also has
standards and cross shredding is recommended. It is easy to
scan and have a program re-assemble documents from normal
shreds like this one.
• Digital disposal – The digital disposal procedures are
determined by the type of media.
▪ Deleting, formatting, and overwriting (Soft
destruction):
⬥ Deleting a file just removes it from the table; everything is still
recoverable.
⬥ Formatting does the same, but it also puts a new file structure over the
old one. Still recoverable in most cases.
⬥ Overwriting (Clear) is done by writing 0s or random characters over the
data.
⬥ Sanitization is a process of rendering target data on the media
infeasible for a given level of recovery effort.
⬥ Purge is removing sensitive data from a system or device to a point
where data recovery is no longer feasible even in a laboratory
environment.

6 | Page
[Link]
 CISSP Domain 2 Lecture notes

• Degaussing destroys magnetic media by exposing it to a very strong

magnetic field. This will also most likely destroy the media integrity.

• Full physical destruction is safer than soft destruction:

▪ Disk crushers do exactly what their name implies: they crush
disks (often used on spinning disks).
▪ Shredders do the same thing as paper shredders do; they
just work on metal. These are rare to have at normal
organizations, but you can buy the service.
▪ Incineration, pulverizing, melting, and acid are also (very
rarely) used to ensure full data destruction.

It is common to do multiple types of data destruction on sensitive

data (both degaussing and disk crushing/shredding).

➢ Data Security Controls and Frameworks

• We use standards, baselines, scoping and tailoring to decide which controls we use, and
how we deploy them.
• Different controls are deployed for data at rest and data in motion.
• Some of the standards and frameworks used could be PCI-DSS, ISO27000, OCTAVE,
COBIT, or ITIL.
• Scoping is determining which portion of a standard we will deploy in our organization.
▪ We take the portions of the standard that we want or that apply to our industry
and determine what is in scope and what is out of scope for us.
• Tailoring is customizing a standard to your organization.
▪ This could be, we will apply this standard, but we use a stronger encryption (AES
256bit).
• Certification: A system, and the security measures to protect it, meet the security
requirements set by the data owner or by regulations/laws.
• Accreditation: The data owner accepts the certification and the residual risk. This is
required before the system can be put into production.

➢ Data protection
• Digital Rights Management (DRM) - Uses technology and systems to protect
copyrighted digital media.

▪ Encryption – Regional DVDs.

▪ Permissions management and limiting access.
▪ Serial numbers, limit installations, expiry dates, IP addresses, geolocation, VPN.
▪ Copy restrictions: Copy, edit, saving, screenshots, screen recording, printing.
▪ Persistent authentication and audit trails.
▪ Tracking – watermarks or meta data embedded in files.

7 | Page
[Link]
 CISSP Domain 2 Lecture notes
• Cloud Access Security Broker (CASB) – on-premises or cloud software between our
users and our cloud applications.
▪ Monitors user activity, warns admins about possible malicious/dangerous
actions, malware prevention, protects against shadow IT, and enforces security
policy compliance.
• Data Loss Prevention (DLP)
▪ Loss vs. leak.
▪ Data in use, in motion, and at rest.
▪ Network and endpoint DLP.

➢ What we covered in the second CBK Domain:

• In this domain, we covered how we classify our data, how objects have labels and
subjects have clearance.
• The different roles of mission, data and system owner, custodians, and users.
• The 3 different states of data (at rest, in use, or in motion).
• We looked at volatile and non-volatile memory, the different types of each and where
they are used.
• How we ensure there is no data remanence and destroying our media properly to not
expose the data on it.

8 | Page
[Link]
 CISSP Domain 3 Lecture notes

Welcome to the third CBK Domain.

⮚ In this domain we cover:
The domain has 3 major knowledge areas (prior to the 2015 exam update, each
had their own domain).
🞂 Security Architecture and Design
● The common security models
● The architecture, design, virtualization, cloud and solutions we use
to protect our assets
● How computers work (basic), and how they are logically segmented.
● Threats to our applications, systems and devices
🞂 Cryptography
● The common security models
● The architecture, design, virtualization, cloud and solutions we use
to protect our assets
● How computers work (basic), and how they are logically segmented.
● Threats to our applications, systems and devices
🞂 Physical Security
● Site and facility secure design principles, perimeter defense, HVAC,
power, fire suppression

CBK 3 makes up 13% of the exam questions, being so broad it contains close to 25% of the exam
materials.

⮚ Security Models Fundamental Concepts

Security models provide the rules for how we secure our data, while focusing on
different goals and what they provide.
▪ DAC - (Discretionary Access Control) gives subjects full control of objects they
have created or been given access to.
▪ MAC - (Mandatory Access Control) is system-enforced access control based on a
subject’s clearance and an object’s labels.
▪ RBAC - (Role Based Access Control) is where access to objects is granted based
on the role of the subject.
▪ ABAC - (Attribute Based Access Control) is where access to objects is granted
based on subjects, objects, and environmental conditions.
⬥ Attributes could be:
🞂 Subject (user) – Name, role, ID, clearance, etc.
🞂 Object (resource) – Name, owner, and date of creation.
🞂 Environment – Location, and/or time of access, and threat
levels.

1 | Page
[Link]
 CISSP Domain 3 Lecture notes
▪ RUBAC - (Rule Based Access Control) is access that’s granted based on IF/THEN
statements.

▪ Bell-LaPadula: (Confidentiality) (Mandatory Access Control):

⬥ Simple Security Property “No Read UP”.
🞂 Subjects with Secret clearance can’t read Top
Secret data.

⬥ * Security Property: “No Write DOWN”.

🞂 Subjects with Top Secret clearance can’t write
Top Secret information to Secret folders.

⬥ Strong * Property: “No Read or Write UP and DOWN”.

🞂 Subjects can ONLY access data on their own
level.

▪ BIBA: Integrity (Mandatory Access Control):

⬥ Simple Integrity Axiom: “No Read DOWN”.
🞂 Subjects with Top Secret clearance can’t read
Secret data.
🞂 Remember that integrity is the purpose here;
we don’t want to have wrong or lacking lower
clearance level data confuse us.

⬥ * Integrity Axiom: “No Write UP”.

🞂 Subjects with Secret clearance can’t write Secret
information to Top Secret folders.
🞂 We don’t want wrong or lacking lower level
information to propagate to a higher level.

⬥ Invocation Property: “No Read or Write UP”.

🞂 Subjects can never access or alter data on a
higher level.

2 | Page
[Link]
 CISSP Domain 3 Lecture notes
● Lattice Based Access Control (LBAC) (MAC):
▪ A subject can have multiple access rights.
⬥ A Subject with “Top Secret” {crypto,
chemical} would be able to access
everything in this lattice.
⬥ A Subject with “Secret” {crypto}
would only have access to that level.
⬥ A subject with “Top Secret”
{chemical} would have access to only
{chemical} in Top Secret and Secret.
▪ These are obviously vastly more complex in
real life.
▪ For the exam, just know what they are and
how they work.

▪ We will cover Access Models more in depth in Domain 5.

● Graham-Denning Model – uses Objects, Subjects, and Rules.

▪ The 8 rules that a specific subject can execute on an object are:
1. Transfer Access.
2. Grant Access.
3. Delete Access.
4. Read Object.
5. Create Object.
6. Destroy Object.
7. Create Subject.
8. Destroy Subject.

● HRU model (Harrison, Ruzzo, Ullman):

▪ An operating system level computer security model that deals with the integrity
of access rights in the system.
▪ It is an extension of the Graham-Denning model, based around the idea of a
finite set of procedures being available to edit the access rights of a subject on
an object.
▪ Considers Subjects to be Objects too (unlike Graham-Denning).
▪ Uses six primitive operations:
⬥ Create object.
⬥ Create subject.
⬥ Destroy subject.
⬥ Destroy object.
⬥ Enter right into access matrix.
⬥ Delete right from access matrix.

3 | Page
[Link]
 CISSP Domain 3 Lecture notes
● Clark-Wilson - Integrity:
▪ Separates end users from the back-end data through
‘Well-formed transactions’ and ‘Separation of Duties’.
▪ The model uses Subject/Program/Object.
⬥ We have discussed the Subject/Object
relationship before, but this puts a program
between the two.
⬥ We don’t allow people access to our inventory
when they buy from us.
⬥ We give them a limited functionality interface they can access.
▪ Separation of duties:
⬥ The certifier of a transaction and the implementer are different
entities.
⬥ The person making purchase orders should not be paying the invoices.
▪ Well-formed transactions are a series of operations that transition a
system from one consistent state to another consistent state.

● Brewer-Nash (Chinese Wall or Information Barriers):

▪ Designed to provide controls that mitigate conflict of interest in
commercial organizations, and is built upon an information flow model.
▪ No information can flow between the subjects and objects
in a way that would create a conflict of interest.
● Non-Interference Model:
▪ Ensures that any actions that take place at a higher
security level do not affect, or interfere with actions that
take place at a lower level.
▪ The model is not concerned with data flow, but with what
a subject knows about the state of the system.
▪ Any changer by a higher-level subject will never be noticed by a lower level
subject.

● Take-Grant Protection Model:

▪ Uses rules that govern the interactions between subjects and objects.
▪ It uses permissions that subjects can grant to (or take
from) other subjects.
▪ It has 4 rules:
⬥ Take rule allows a subject to take rights of another
object.
⬥ Grant rule allows a subject to grant own rights to
another object.
⬥ Create rule allows a subject to create new objects.

⬥ Remove rule allows a subject to remove rights it has over another

object.

4 | Page
[Link]
 CISSP Domain 3 Lecture notes
🞂 Thor can Take (t) Jane’s rights for the object.
🞂 Jane can Create (c) and Remove (r) rights for the object.
🞂 Jane can Grant (g) any of her rights to Bob.

● Access Control Matrix:

▪ Model describing the rights of every subject for every object in the system.
▪ An access matrix is like an Excel sheet.
⬥ One row per subject.
⬥ One column per
object.
⬥ The rows are the
rights of each
subject, each row is
called a capability list.
⬥ The columns show the ACL (Access Control List) for each object or
application.

● Zachman Framework (for Enterprise

Architecture):
▪ Provides six frameworks:
⬥ What, How, Where,
Who, When, and Why.
▪ Mapping those frameworks to rules
for:
⬥ Planner, Owner, Designer,
Builder, Programmer, and
User.

● Security Modes - can be MAC or DAC (Mandatory or Discretionary Access Control):

The systems contain information at various levels of security classification.
▪ The mode is determined by:
⬥ The type of users who will be directly or indirectly accessing the
systems.
⬥ The type of data, including classification levels, compartments, and
categories that are processed on the system.
⬥ The type of levels of users, their need to know, and formal access
approvals that the users will have.
▪ Dedicated security mode - All users must have:
⬥ Signed NDA for ALL information on the system.
⬥ Proper clearance for ALL information on the system.
⬥ Formal access approval for ALL information on the system.
⬥ A valid need to know for ALL information on the system.
⬥ All users can access ALL data (continued).

5 | Page
[Link]
 CISSP Domain 3 Lecture notes
▪ System High Security Mode - All users must
have:
⬥ Signed NDA for ALL information on
the system.
⬥ Proper clearance for ALL information
on the system.
⬥ Formal access approval for ALL
information on the system.
⬥ A valid need to know for SOME
information on the system.
⬥ All users can access SOME data,
based on their need to know.

▪ Compartmented Security Mode - All users must have:

⬥ Signed NDA for ALL information on the system.
⬥ Proper clearance for ALL information on the system.
⬥ Formal access approval for SOME information they will access on the
system.
⬥ A valid need to know for SOME information on the system.
⬥ All users can access SOME data, based on their need to know and formal
access approval.

▪ Multilevel Security Mode - (Controlled Security Mode) - All users must have:
⬥ Signed NDA for ALL information on the system.
⬥ Proper clearance for SOME information on the system.
⬥ Formal access approval for SOME information on the system.
⬥ A valid need to know for SOME information on the system.
⬥ All users can access SOME data, based on their need to know, clearance
and formal access approval.

6 | Page
[Link]
 CISSP Domain 3 Lecture notes
⮚ Evaluation Methods, Certification, and Accreditation
Choosing the security systems and products we implement in our
organization can be a daunting task. How do we know the
vendor is trustworthy, how do we know the systems and
products were tested well and what the tests revealed?

⬥ There are many evaluation models in use today.

🞂 The earliest one, which most security
models are based on today is "The
Orange Book" - The Trusted Computer
System Evaluation Criteria – (TCSEC).
🞂 It was developed by the U.S. Department
of Defense in the 1980s.
⬥ The Orange book was part of a Rainbow Series (or
Rainbow Books).
🞂 The series also had a “The Red Book”
Trusted Network Interpretation - (TNI).
It addresses Network systems, whereas “The Orange Book”
does not address Network Systems.

▪ ITSEC (The European Information Technology Security Evaluation Criteria):

⬥ Was the first successful international model. Contains a lot of
references from The Orange Book, but both are retired now.
▪ The International Common Criteria (ISO/IEC 15408):
⬥ Common Criteria evaluations are performed on computer security
products and systems.
⬥ To be of practical use, the evaluation must verify the target's security
features. This is done through the following:
🞂 Target Of Evaluation (TOE) – The product or system that is the
subject of the evaluation.
🞂 Protection Profile (PP) – A document which identifies security
requirements for a class of security devices. Products can
comply with more than one PP. Customers looking for particular
types of products can focus on those products certified against
the PP that meet their requirements.
🞂 Security Target (ST) – The document that identifies the security
properties of the target of evaluation. The ST may have one or
more PPs.

7 | Page
[Link]
 CISSP Domain 3 Lecture notes
⬥ Evaluation Assurance Level (EAL) – How did the system or product
score on the testing?
🞂 EAL Level 1-7:
🞂 EAL1: Functionally Tested.
🞂 EAL2: Structurally Tested.
🞂 EAL3: Methodically Tested and Checked.
🞂 EAL4: Methodically Designed, Tested and Reviewed
🞂 EAL5: Semi-formally Designed and Tested.
🞂 EAL6: Semi-formally Verified Design and Tested.
🞂 EAL7: Formally Verified Design and Tested.

⮚ Secure Design Principles

● Least Privilege:
▪ We give employees the minimum necessary access
they need, no more, no less.
● Need to Know:
▪ Even if you have access, if you do not need to know,
then you should not access the data (Kaiser
employees).
● Separation of Duties:
▪ More than one individual in one single task is an
internal control intended to prevent fraud and error.
▪ We do not allow the same person to enter the
purchase order and issue the check.
▪ For the exam assume the organization is large
enough to use separation of duties, in smaller
organizations where that is not practical, compensating controls should be in
place.
● Defense in Depth – Also called Layered Defense or Onion Defense:
▪ We implement multiple overlapping security controls to protect an asset.
▪ This applies to physical, administrative, and logical controls.
● Secure Defaults:
▪ A program or a system is as secure as possible when implemented.
▪ We can then remove security for usability.
▪ What is secure and usability is determined by risk analysis and usability tests.
● Fail Securely:
▪ Systems are designed to prevents or mitigates unsafe consequences if the
system fails.
▪ If the system fails it stays at least as secure as it was before the failure.
▪ Open/safe vs. closed/secure.
● Keep It Simple:
▪ Keeping our security simple makes it better understood and accepted.
▪ The more complex our security is the harder it is to control, troubleshoot, and
manage.

8 | Page
[Link]
 CISSP Domain 3 Lecture notes
● Threat Modeling:
▪ PASTA (Attacker Focused):
⬥ Process for Attack Simulation and Threat Analysis)
⬥ A seven-step process to aligning business objectives and
technical requirements.
⬥ Gives us a dynamic threat identification, enumeration,
and scoring process.
⬥ Provide an attacker-centric view of the application and
infrastructure, we can then use that to develop an asset-
centric mitigation strategy.
⬥ Definition of the Objectives (DO), Definition of the
Technical Scope (DTS), Application Decomposition and
Analysis (ADA), Threat Analysis (TA), Weakness and
Vulnerability Analysis (WVA), Attack Modeling &
Simulation (AMS), Risk Analysis & Management (RAM)
▪ STRIDE (Developer Focused)
▪ Threat modeling methodology developed by
Microsoft for security threats of six categories:
⬥ Spoofing, tampering, repudiation,
information disclosure, Denial of Service
(DoS), elevation of privilege.
▪ Trike (Acceptable Risk Focused)
▪ Dread
⬥ Disaster/Damage, Reproducibility,
Exploitability, Affected Users, and
Discoverability (DREAD)
⬥ Each category is given a rating from 1 to
10.
⬥ Abandoned by Microsoft in 2008 who
made it, still in use in other places.

● Trust but Verify:

▪ Implicit trust but we verify you.
▪ A majority of serious compromises are from privileged users (admins accounts).
● Zero Trust (never trust, always verify) - NIST SP 800-207 - Zero Trust Architecture:
▪ We do by default not trust devices on our network, even if they have been
verified.
▪ We change our defenses from static, network-based perimeters to focus on
users, assets, and resources.
▪ With ZT there is no implicit trust given to assets or users based on their physical
or logical location.
▪ We use authentication and authorization of both subject and device that is done
before a session to an enterprise resource can be established.

9 | Page
[Link]
 CISSP Domain 3 Lecture notes
● Privacy by Design:
▪ Proactive not reactive, Privacy as the default setting, Privacy embedded into
design, Full functionality, End-to-end security, Visibility and transparency,
Respect for user privacy
● Shared Responsibility:
▪ With cloud computing the provider and customer share responsibility for the
security.

⮚ Secure System Design Concepts

● Layering: Separates hardware and software functionality into layers.
▪ Layers can influence layers next to themselves, but not
past that.
▪ The change of a hard disk or memory to another of the
same type or to a different type, has no influence on the
applications.
▪ The hard disk change may change the drivers in the
“Kernel and device driver” level, but nothing past that.
▪ The change of an OS (Operating System) may change
which applications work or how the device drivers work,
but it will not affect the hardware.

Not to be confused with the OSI model, this model is not

as standardized, but you need to understand the concepts.

● Abstraction: Hiding unnecessary details from the user, it provides a seamless experience
for the user; they don’t see the millions of background calculations.
● Security Domains: A list of Objects a Subject is allowed to access, groups of Objects and
Subjects with similar security requirements.
▪ Kernel mode (Supervisor mode) is where the kernel lives, allowing low-level
unrestricted access to memory, CPU, disk, etc. This is the most trusted and
powerful part of the system. Crashes are not recoverable.
▪ User mode (Problem mode) has no direct access to hardware, it is directed
through an API (Application programming interface). Crashes are recoverable.
This is most of what happens on a PC.
▪ Open and closed systems:
⬥ Open systems use open standards and can use standard components
from multiple vendors.
🞂 Hard disks are built and evaluated to a certain standard.
🞂 This is what most organizations use and is considered more
secure.
⬥ Closed Systems use proprietary hardware and software. This is “security
through obscurity.”
⬥ You may not get hit with the latest Windows Server 2016 vulnerability,
but your systems and software have not been as rigorously tested and
audited for flaws as open systems and may be easy to gain access to.

10 | Page
[Link]
 CISSP Domain 3 Lecture notes
● Security Domains:
▪ The Ring Model:
▪ 4 ring model that separates Users
(Untrusted) from the Kernel (Trusted).
▪ The full model is slow and rarely used;
most OSs only use rings 0 and 3.
▪ There is a new addition to the Ring
Model:
⬥ Hypervisor mode is called Ring -1
and is for VM Hosts. Ring -1 sits
below the Client kernel in Ring 0.

⮚ Secure Hardware Architecture

⚫ System unit – The case and all internal
hardware.
⚫ Motherboard - Motherboard and CPU, memory
slots, firmware, PCI slots.
⚫ Peripherals - Mouse, keyboard, monitors,
anything plugged into the system unit.
⚫ Regular computer bus – The primary
communications channel on a computer.
▪ Communicates between internal
hardware and I/O devices
(Input/Output), keyboards,
mice, monitors, webcams, etc.

● Northbridge and Southbridge

▪ This design is more common on newer
computers and replaces the regular
computer bus.
▪ The Northbridge (Host bridge) is much
faster than the Southbridge.
▪ There are no North/Southbridge
standards, but they must be able to
work with each other.
▪ There is a move towards integrating the
Northbridge onto the CPU itself (Intel
Sandy Bridge / AMD Fusion).

11 | Page
[Link]
 CISSP Domain 3 Lecture notes
● CPU (Central Processing Unit)
▪ CPU (Central Processing Unit) is the brains of the system.
⬥ It performs millions of
calculations; everything a
computer does is math.
⬥ CPUs are rated on their clock
cycles per minute. Example: a
4.2GHz processor has 4.2 billion
clock cycles per second.
▪ Arithmetic logic unit (ALU) performs
arithmetic and logic operations.
⬥ It’s a processor that registers the
supply operands (Object of a
mathematical operation) to the
ALU and stores the results of
ALU operations.
⬥ It does all the math.
▪ Control unit (CU) handles fetching (from memory) and execution of instructions
by directing the coordinated operations of the ALU, registers and other
components. It also sends instructions to the ALU.
▪ Fetch, Decode, Execute, and Store
⬥ Fetch - Gets the instructions from memory into the processor.
⬥ Decode - Internally decodes what it is instructed to do.
⬥ Execute - Takes the add or subtract values from the registers.
⬥ Store - Stores the result back into another register (retiring the
instruction).
▪ Pipelining – Combining multiple steps into one process; can Fetch, Decode,
Execute, Store in same clock cycle.

🞂 Cycle 1. Fetch 1
🞂 Cycle 2. Fetch 2, Decode 1
🞂 Cycle 3. Fetch 3, Decode 2, Execute 1
🞂 Cycle 4. Fetch 4, Decode 3, Execute 2, Write 1
🞂 Cycle 5. Fetch 5, Decode 4, Execute 3, Write 2
🞂 ,…

▪ Interrupt:
⬥ An interrupt is a signal to the processor emitted by hardware or
software indicating an event that needs immediate attention.
⬥ An interrupt alerts the processor to a high-priority condition requiring
the interruption of the current code the processor is executing.
⬥ When the higher priority task is complete the lower priority tasks will
continue/be completed.

12 | Page
[Link]
 CISSP Domain 3 Lecture notes
▪ Processes and Threads:
⬥ Process:
🞂 An executable program and its associated data loaded and
running in memory.
🞂 A heavy weight process (HWP) is also called a task.
🞂 A parent process may spawn additional child processes called
threads.
⬥ Thread – Light Weight Process (LWP).
🞂 Threads can share memory, resulting in lower overhead
compared to heavy weight processes.
🞂 Processes may exist in multiple states:
🞂 New: a process being created.
🞂 Ready: a process waiting to be executed by the CPU.
🞂 Running: a process being executed by the CPU.
🞂 Blocked: waiting for I/O.
🞂 Terminate: a completed process.
● Multithreading, Processing, Tasking, and Programming.
▪ Multithreading is the ability of a central processing unit (CPU) or a single core in
a multi-core processor to execute multiple processes or threads concurrently,
appropriately supported by the operating system.
▪ Multiprocessing - A computer using more than one CPU at a time for a task.
▪ Multitasking - Tasks sharing a common resource (1 CPU).
▪ Multiprogramming - A computer running more than one program at a time
(Word and Chrome at the same time).

● Memory protection prevents one process from affecting the confidentiality, integrity, or
availability of another. Used to protect user/process
data in multi-user and multitasking environments.
● Process isolation is a logical control that tries to
prevent one process from Interfering with another.
● Hardware segmentation takes that a step further by
mapping processes to specific memory locations.
● Virtual Memory provides virtual address mapping
between applications and hardware memory. Virtual
memory is used for many things: multitasking,
multiprocessing, swapping, to name a few.
● Swapping moves entire processes from primary
memory (RAM) from/to secondary memory (Disk).
● Paging copies a block from primary memory (RAM)
from/to secondary memory (Disk).
● BIOS – Basic Input Output System (Low level OS):

13 | Page
[Link]
 CISSP Domain 3 Lecture notes
▪ The BIOS runs a basic POST (Power On Self Test), including verifying the integrity
of the BIOS, testing the memory, identifying
system devices, and more.
⬥ Once the POST process is complete
and successful, it locates the boot
sector for the OS.
⬥ The kernel loads and executes, and
the OS boots.
⬥ BIOS is stored on ROM - most likely
EEPROM now (or EPROM on older
systems).
● WORM Media (Write Once Read Many):
▪ ROM is a WORM Media (not in use, though).
▪ CD/DVDs can be WORM Media (R) if they are not R/W (Read/Write).

● TPM (Trusted Platform Module):

▪ Is an international standard for a secure cryptoprocessor which is a dedicated
microcontroller designed to secure hardware by integrating cryptographic keys
into devices.
▪ TPM can be used for RNG (Random Number Generation), Symmetric Encryption,
Asymmetric Encryption, Hashing Algorithms, and secure storage of
cryptographic keys and message digests.
▪ It is most commonly used to ensure boot integrity.
● Data Execution Prevention (DEP) is a security feature that can prevent damage to your
computer from viruses and other security threats.
▪ Harmful programs can try to attack Windows by attempting to execute code
from system memory locations reserved for Windows and other authorized
programs; DEP prevents that.
● Address Space Layout Randomization (ASLR) is a memory-protection process for OS’s; it
guards against buffer-overflow attacks by randomizing the location where system
executables are loaded into memory.

● Microservices:
▪ There is no single definition for microservices. A consensus view has evolved
over time in the industry. Some of the defining characteristics that are
frequently cited include:
⬥ Services in a microservice architecture (MSA) are often processes that
communicate over a network to fulfill a goal using technology-agnostic
protocols such as HTTP.
⬥ Services are organized around business capabilities.
⬥ Services can be implemented using different programming languages,
databases, hardware and software environments, depending on what
fits best.

14 | Page
[Link]
 CISSP Domain 3 Lecture notes
▪ Services are small in size, messaging-enabled, bounded by contexts,
autonomously developed, independently deployable, decentralized and built
and released with automated processes.
▪ A microservice is not a layer within a monolithic application (for example, the
web controller, or the backend-for-frontend). Rather it is a self-contained piece
of business functionality with clear interfaces, and may, through its own internal
components, implement a layered architecture.

● Containerization (OS-level Virtualization):

▪ Removing redundant OS elements on a VM.
▪ Applications are placed in containers. They only have the required resources
needed to support that application.
▪ They use a shared OS and unlike normal applications they can only see their
container’s content and the
devices assigned to the container.
▪ Pros:
⬥ Portability, scalability,
deployment speed,
enhanced security, easy
to manage, cost-effective
(between 10 and 100
times more application
density per server than
normal virtualization).

● Serverless (Function as a Service (FaaS)):

▪ Similar to microservices, each function is made to
work independently and autonomously.
▪ Does not hold resources in volatile memory;
computing in short bursts with the results
persisted to storage.
▪ Pros:
⬥ Cost is based on actual use. When the app
is not in use, no compute resources are
used.
⬥ Elasticity vs. Scalability.
🞂 Elasticity; resources expand or
contract based on the need.
🞂 Scalability; we scale resources to
meet expected needs.

15 | Page
[Link]
 CISSP Domain 3 Lecture notes
⮚ Secure OS and Software Architecture
● The Kernel
▪ At the core of the OS is the Kernel. At ring 0 (or 3), it interfaces between the
operating system (and applications) and the hardware.
⬥ A monolithic kernel is one static executable and the kernel runs in
supervisor mode. All functionality required by a monolithic kernel must
be precompiled in.
⬥ Microkernels are modular kernels. A
microkernel is smaller and has less
native functionality than a monolithic
kernel. They can add functionality via
loadable kernel modules.
Microkernels may also run kernel
modules in user mode ring 3, instead
of supervisor mode. If a non-
precompiled piece of hardware is
added the Microkernel can load it,
making the hardware work.

⬥ The reference monitor is a core function of the kernel; it handles all

access between subjects and objects. It is always on and can't be
bypassed.

● Users and File Permissions

▪ Linux/UNIX
⬥ Read (r), Write (w) and Execute (x) permissions which can be set at an
owner, group or world level.
▪ Windows NTFS (New Technology File System)
⬥ Read, Write, Read and Execute, Modify, Full Control (Read, Write,
Execute, Modify, Change Permissions).
⬥ It is a type of DAC (Discretionary Access Control) – Who can access and
how they can access it is at the owner’s discretion.

16 | Page
[Link]
 CISSP Domain 3 Lecture notes
⮚ Virtualization and Distributed Computing
● Virtualization
Virtualization poses a new whole set of standards, best practices and security
concerns.
🞂 With Virtualization, we have
many servers (clients) on the
same hardware platform (host).
🞂 Virtualization is software running
under the OS and above the
Hardware (Ring -1).
🞂 Traffic between the clients on
the host doesn't have to traverse
our network.
🞂 Common Virtualization software
could be VMWare, Hyper-V, or
Xen.
🞂 With Distributed Computing we
use either multiple local or remote clients for our needs, most
commonly cloud computing. How do we ensure the cloud Data
Center meets our security posture, how do they segment their
network?

▪ Virtualization holds a ton of benefits:

⬥ Virtualized environments cost a
lot less than all physical servers.
⬥ It is much easier to stand up
new servers (don't need to buy
hardware, wait 2 weeks, rack it,
run power/internet).
⬥ You can easily back up servers
with snapshots; server builds
can be done with images.
⬥ You can instantly reallocate
resources.
⬥ They have lower power and cooling costs, a much smaller rack footprint
(50-100 servers in the space of 5-8).

17 | Page
[Link]
 CISSP Domain 3 Lecture notes
▪ Hypervisor - Controls the access between the virtual guest/clients and the host
hardware.
⬥ Type 1 hypervisor (Bare
Metal) is a part of
a Virtualization OS that
runs on top of the
host hardware (Think Data
Center).
⬥ Type 2 hypervisor runs on
top of a regular OS like
Windows 10 - (Think your
PC).

▪ VM Escape (Virtualization escape)

is when an attacker can jump from
the host or a client to another
client, this can be even more of a
concern if you have different Trust
Level Clients on the same host.
They should ideally be on separate
hosts.

▪ Hypervisor Security - If an attacker

can get access to the hypervisor,
they may be able to gain access to
the clients.

▪ Resource Exhaustion - Admins oversubscribe the CPU/Memory and do not

realize more is needed (availability).

● Cloud Computing
▪ Cloud Computing can be divided into 3 main types:
⬥ Private Cloud Computing - Organizations build and run their own cloud
infrastructure (or they pay someone to do it for them).
⬥ Public Cloud Computing - Shared tenancy – A company builds massive
infrastructures and rents it out to anyone who wants it. (Amazon AWS,
Microsoft, Google, IBM).
⬥ Hybrid Cloud Computing – A mix of Private and Public Cloud
Computing. An organization can choose to use Private Cloud for
sensitive information and Public Cloud for non-sensitive data.
⬥ Community Cloud Computing – Only for use by a specific community of
consumers from organizations that have shared concerns. (Mission,
policy, security requirements, and/or compliance considerations.)

18 | Page
[Link]
 CISSP Domain 3 Lecture notes
As with any other outsourcing, make sure you have the right to audit, pen test (clearly agreed upon
criteria), conduct vulnerability assessment, and check that the vendor is compliant with your industry
and the standards you adhere to.

▪ Platforms are normally offered as:

⬥ IaaS - (Infrastructure as a Service) The vendor provides infrastructure up

to the OS, the customer adds the OS and up.

⬥ PaaS - (Platform as a Service) The vendor provides pre-configured OSs,

then the customer adds all programs and
applications.

⬥ SaaS - (Software as a
Service) The vendor
provides the OS and
applications/programs.
Either the customer
interacts with the
software manually by
entering data on the SaaS
page, or data is
automatically pushed from your other applications to the SaaS
application (Gmail, Office 365, Dropbox, Payroll).

Grid Computing – can make use of resources not

currently in use from 100 or 100,000s of computers to
perform very complex tasks.

▪ Each node has a smaller subtask but leveraging

the entire Grid can make it very powerful and
fast.

▪ Often used in problems so complex that they

need that many nodes to be solved.

▪ BOINC (Berkeley Open Infrastructure for Network

Computing) has over 4,000,000 machines
enrolled, used for a wide variety of scientific
research.

19 | Page
[Link]
 CISSP Domain 3 Lecture notes
▪ Peer to Peer (P2P) - Any system can be a client and/or a server.
⬥ Most commonly used on torrent
networks to share music, movies,
programs, pictures, and more (The
majority without the copyright
holder’s consent).
⬥ Older versions had centralized index
servers making it easier to disrupt a
sharing network, but the current
version uses no centralized
infrastructure.

⬥ Each client is often also a server and has the index. Taking down 10,000
in a network of 100,000 will just result in a network of 90,000 with no
other discernable impact.

● Thin Clients (Boot sequence - BIOS > POST > TCP/IP > BOOTP or DHCP)
▪ Diskless Workstation (Diskless node) has all the normal hardware/firmware
except the disk, and the low-level OS (BIOS), which performs the POST. It then
downloads the kernel and higher-level OS.
▪ Thin Client Applications - We use a Web Browser to connect to the application
on a server on port 80 (HTTP) or port 443 (HTTPS). The full application is housed
and executed on the server vs. on your PC.
● Distributed systems
▪ Can also be referred to as:
⬥ Distributed computing environment (DCE), concurrent computing,
parallel computing, and distributed computing.
▪ A collection of individual systems that work together to
support a resource or provide a service.
▪ Most end-users see the DCE as a single entity and not as
multiple systems.
▪ Why do we use DCEs?
⬥ They can give us horizontal scaling (size, geography,
and administration), modular growth, fault
tolerance, cost-effectiveness, low latency (users
connect to the closest node).
▪ Where do we use DCEs?
⬥ All over the place (The internet, websites, cell
networks, research, P2P networks, blockchain, …).

20 | Page
[Link]
 CISSP Domain 3 Lecture notes
● High-Performance Computing (HPC) systems:
▪ Most often aggregates of compute nodes in a
system designed to solve complex calculations or
manipulate data at very high speeds.
▪ HPCs have 3 components. Compute, network,
and storage.
⬥ All 3 must have enough resources to not
become a bottleneck.
▪ Most well-known versions are super computers.
● Edge computing systems:
▪ The processing of data is done as close as
possible to where it is needed, we do that by
moving the data and compute resources.
▪ This will optimize bandwidth use and lower
latency.
▪ CDN’s are one of the most common types of edge
computing.
▪ 80%+ of large enterprises have already
implemented or are in the profess of implementing an edge computing strategy.

⮚ The Internet of Things (IoT)

▪ It is really anything “Smart”: Smart TVs, Thermostats, Lightbulbs, Cars, anything
that connects to the internet in some way (that didn’t before).
▪ They can be an easy way into your smart device, as most are never patched
(many don’t even have
the option).
▪ Most devices have
very basic security (if
any). They use the
default login/password
and they often use
well-known ports,
making them easy to
target. We harden
here, we patch,
segment the network,
lock ports, and change
defaults.
▪ They are not only simple to hack but can also provide attackers an easy way
onto your network. If you use it in your organization or at home, segment that
part of the network off from everything else and lock it down.

21 | Page
[Link]
 CISSP Domain 3 Lecture notes
➢ Emanations and Covert Channels
⚫ Emanations - Often Electromagnetic Emanations.
▪ Information that can be disseminated from the electrical changes from a system
or a wire.
▪ It is possible to log a user’s keystrokes on a smart phone using the motion
sensor.
▪ It is unintentional information-bearing signals, which - if intercepted and
analyzed - can lead to a compromise.
▪ We can protect against Electromagnetic Emanations with heavy metals, but we
would have 80 lbs. (40 kgs.) laptops.
⚫ Covert Channels – Creates the capability to transfer information using channels not
intended to do so.
▪ Covert Timing Channels: Operations that affect the "real response time
observed" by the receiver.
⬥ Most common is username/password - wrong username takes 100ms to
confirm, wrong password takes 600ms to confirm, you get the "Wrong
username or password" error, but an attacker can tell when they use a
correct username because of the delay difference.
▪ Covert Storage Channels: Hidden information through the modification of a
stored object.
⬥ Certain file sizes have a certain meaning.
⬥ Attackers can add data in payload if outbound ICMP packets (Unless we
need it, block outbound ICMP packets).
▪ Steganography - Hiding a message within another media (invisible ink and the
hidden clues in da Vinci's paintings).
⬥ The messages can be hidden in anything really,
most commonly images and soundtracks.
⬥ On images like this one, the program changes the
shading of some of the pixels of the image. To the
naked eye, it is not noticeable, but a lot of
information can be hidden in the images this way.
⬥ Hidden in the bottom image is the first chapter of
Great Expectations (Charles Dickens, 1867 Edition
- 4 pages at font size 11, 1827 words, 7731
characters).
▪ Digital Watermarks encode data into a file.
⬥ The watermark may be hidden, using
steganography, or visible watermarks.
⬥ Often used to fingerprint files (the file is
identified as yours).

22 | Page
[Link]
 CISSP Domain 3 Lecture notes
⮚ System Vulnerabilities, Threats, and Countermeasures
● Malware
▪ Malware (Malicious Code) - This is the catch-all name for any malicious
software used to compromise systems or data.
⬥ Viruses - require some sort of human interaction and are often
transmitted by USB sticks or other portable devices.
When the program is executed, it replicates itself by inserting its
own code into other programs.
🞂 Macro (document) Viruses: Written in Macro Languages,
embedded in other documents (Word, Outlook).
🞂 Boot Sector Viruses:
Infect the boot sector
or the Master Boot
Record, ensuring
they run every time
the PC boots.
🞂 Stealth Viruses: Try
to hide themselves
from the OS and
antivirus software.
🞂 Polymorphic Viruses:
Change their signature to avoid the antivirus signature
definitions.
🞂 Multipart (Multipartite) Viruses: Spread across multiple vectors.
They are often hard to get rid of because even if you clean the
file infections, the virus may still be in the boot sector and vice-
versa.
⬥ Worms - spread through self-propagation - they need no human
interaction; they do both the payload damage and replicate through
aggressive network use (also makes them easier to spot).
⬥ Trojans - malicious code embedded in a program that is normal. This
can be games, attachments, website clicks, etc. …
⬥ Rootkits - Replace some of the OS/Kernel with a malicious payload. User
rootkits work on Ring 3 and Kernel rootkits on Ring 0.
⬥ Logic Bombs - Malicious code that executes at a certain time or event -
they are dormant until the event (IF/THEN).
🞂 IF Bob is not getting an annual bonus over $10,000, THEN
execute malicious code.
🞂 IF date and time is 5/15/18 [Link], THEN execute malicious
code.

23 | Page
[Link]
 CISSP Domain 3 Lecture notes
⬥ Packers – Programs to compress
*.exe files, which can be used to
hide malware in an executable,
neutral technology.
⬥ Antivirus Software - tries to protect
us against malware.
🞂 Signature based - looks for
known malware signatures -
MUST be updated
constantly.
🞂 Heuristic (Behavioral) based - looks for abnormal behavior - can
result in a lot of false positives.
▪ Server (Service) Side Attacks:
⬥ Attacks directly from an attacker to a target.
⬥ Defense in Depth can mitigate some of these.
⬥ The term "Server" does not mean only servers, just that the attack is
directly aimed at the end target. (They come to you).
▪ Client-Side Attacks:
⬥ The client initiates, then gets infected with malicious content usually
from web browsers or instant messaging applications. (You go to them).
⬥ Since most firewalls protect inbound mostly, client-side attacks are
often more successful.

⮚ Web Architecture Attacks

● Applets: Small applications often embedded into other software (web browsers).
▪ They are executable, downloaded from a server and installed locally on the
client.
▪ Applets are commonly written in Java or ActiveX (control).
⬥ Java applets run in a sandbox environment - segmenting the java from
the OS (limiting some threats), OS agnostic.
⬥ ActiveX runs with certificates (not sandbox) - since ActiveX is an MS
product it interacts more with the OS (Windows only).

● OWASP (Open Web Application Security Project) 2021 - has a Top 10 of the most
common web security issues.
▪ A01:2021-Broken Access Control
▪ A02:2021-Cryptographic Failures
▪ A03:2021-Injection
▪ A04:2021-Insecure Design
▪ A05:2021-Security Misconfiguration
▪ A06:2021-Vulnerable and Outdated Components
▪ A07:2021-Identification and Authentication Failures
▪ A08:2021-Software and Data Integrity Failures
▪ A09:2021-Security Logging and Monitoring Failures
▪ A10:2021-Server-Side Request Forgery

24 | Page
[Link]
 CISSP Domain 3 Lecture notes
● XML (Extensible Markup Language) is a markup language designed as a standard way to
encode documents and data.
▪ It is similar to HTML, but more universal.
▪ It is mainly used for Web but does not have to be, it can be used to store
application configuration, output from auditing tools, and many other things.
● SOA (Service-Oriented Architecture) is a style of software design where services are
provided to the other components by application components, through a
communication protocol over a network.
▪ The basic principles of service-oriented architecture are independent of
vendors, products, and technologies.
▪ SOA is intended to allow multiple different applications to be consumers of
services.

⮚ Database Security
● Polyinstantiation (Alternative Facts) – Two (or more) instances of the same file
depending on who accesses it.
▪ The real information may be available to subjects with Top Secret clearance, but
different information will be available to staff with Secret or lower clearance.
● Aggregation is a collection or gathering of data together for the purpose of statistical
analysis. (You see the bigger picture rather than the individual pieces of data).
● Inference requires deducing from evidence and reasoning rather than from explicit
statements.
● Data mining is the computing process of discovering patterns in large data sets.
▪ It uses methods combining machine learning, statistics, and database systems.
● Data Analytics is looking at what normal operations look like, then allowing us to
identify abuse more proactively from insider threats or compromised accounts.
We mitigate the attacks with Defense in Depth (again) – We secure the building, the entrances,
the doors, the network, the servers, the OS, the DB, screen the employees, … We have solid
policies, procedures, standards, and guidelines.

⮚ Mobile Security
● The more external devices we connect, the more complex policies, procedures, and
standards we need.
● Mobile devices are really anything “mobile” – External hard disks, USB drives, CDs,
laptops, cell phones,...
● Most internal threats are not malicious people. They just don’t know any better, didn’t
think about it or figured they wouldn’t get found out.
● Good security policies should lock down USB ports, CD drives, network ports, wireless
networks, disable autorun on media, use full disk encryption, have remote wipe
capabilities, raise user awareness training on where (if anywhere) mobile devices are
allowed. (Defense in Depth)

25 | Page
[Link]
 CISSP Domain 3 Lecture notes
● Cell phones are the mobile devices most often lost – Current Android and iOS phones all
have full disk encryption.
▪ We can add a lot more features to our
company cell phones to make them more
secure.
▪ Remote wipe, find my device, lock after x
minutes, number of failed passwords, disable
removable storage, …
▪ We can also use a centralized management
system: MDM (Mobile Device Management)
controls a lot of settings.
⬥ App Black/White list, Storage
Segmentation, Remote Access Revocation, Configuration Pushes,
Backups.
⬥ More controversial: Track the location of employees, monitor their data
traffic and calls.

● Laptops, Smartphones and Tablets are great

productivity tools, but they (just like anything else)
have to be secured properly or they are a liability.
▪ BYOD (Bring Your Own Device) - There should
be clear corporate
policies/procedures/guidelines.
▪ On/off boarding - How is the return of mobile
devices handled and enforced?
▪ It is much harder to standardize on BYOD. Is
support staff ready for that many devices, OSs, applications?
▪ Should we use MDM?
▪ How do we handle patch and virus management?

⮚ Industrial Control System

● ICS – (Industrial Control System) is a general term for several types of control systems
and associated instrumentation used in industrial production technology.
▪ SCADA (Supervisory Control And Data Acquisition) is a control system
architecture that uses computers, networked data communications and
graphical user interface (GUI) for high-level process supervisory management.
⬥ The operator interfaces which enable monitoring and the issuing of
process commands, such as controller set point changes, are handled
through the SCADA supervisory computer system.
⬥ However, the real-time control logic or controller calculations are
performed by networked modules which connect to the field sensors
and actuators.
▪ DCS (Distributed Control Systems) is a computerized control system for a
process or plant in which autonomous controllers are distributed throughout
the system, but there is central operator supervisory control.

26 | Page
[Link]
 CISSP Domain 3 Lecture notes
▪ PLC (Programmable Logic Controllers) is an industrial digital computer which has
been ruggedized and adapted for the control of manufacturing processes such
as assembly lines, robotic devices or any activity that requires high reliability
control, ease of programming and process fault diagnosis.
▪ DNP3 (Distributed Network Protocol)
⬥ A set of communications
protocols used between
components in process
automation systems.
⬥ Mainly used in utilities
such as electric and water
companies.
⬥ It plays a crucial role in
SCADA systems, where it is
used by SCADA Master Stations (Control Centers), Remote Terminal
Units (RTUs), and Intelligent Electronic Devices (IEDs).
⬥ It is primarily used for communications between a master station and
RTUs or IEDs.

⮚ Cryptography – The Science of Secure Communication

● For the exam, what you need to know is that cryptography helps us:
▪ Keep our secrets secret (Confidentiality) ← This is what most people think all
cryptography does.
▪ Keep our data unaltered (Integrity).
▪ Provide a way to verify (Authentication) our Subjects; it can also provide non-
repudiation.
● Cryptography has been used for thousands of years to keep secrets secret.
● Encryption should be strong enough to be unbreakable or at least take a very long time
to break; there obviously needs to be a balance between Confidentiality and Availability.
● Modular Math:
▪ Cryptography uses a lot of modular math.
▪ For the exam you need to know what it is, but you don't need to know how to
do it.
▪ Numbers "wrap around" after they reach a certain value (modulus), which is
also why it is called clock math.
▪ Adding "X" (24) to "E" (5) = "C" (3) - The English alphabet wraps around after the
26th letter (modulus).

● Definitions:
▪ Cryptology is the science of securing communications.
▪ Cryptography creates messages where the meaning is hidden.
▪ Cryptanalysis is the science of breaking encrypted communication.
⬥ Cryptanalysis is used to breach cryptographic security systems and gain
access to the contents of encrypted messages, even if the cryptographic
key is unknown.

27 | Page
[Link]
 CISSP Domain 3 Lecture notes
⬥ It uses mathematical
analysis of the
cryptographic
algorithm, as well as
side-channel attacks
that do not target
weaknesses in the
cryptographic
algorithms
themselves, but
instead exploit weaknesses in their implementation and the devices that
run them.
▪ Cipher is a cryptographic algorithm.
⬥ Plaintext (Cleartext) is an unencrypted message.
⬥ Ciphertext is an encrypted message.
⬥ Encryption converts the plaintext to a ciphertext.
⬥ Decryption turns a ciphertext back into a plaintext.
▪ Book Cipher - Use of a well-known text (Often a book) as the key.
⬥ Messages would then look like 244.2.13, 12.3.7, 41.42.1. ...
⬥ The person reviewing the message would look at page 244, sentence 2,
word 13, then page 12, sentence 3, word 7, page 41, sentence 42 word
1, ...
▪ Running-Key Cipher – uses a well-known text as a key as well but uses a
previously agreed upon phrase.
⬥ If we use the CISSP Code of Ethics preamble "The safety and welfare of
society and the common good..."
⬥ The sender would add the plaintext message to the letters from the key,
and the receiver would subtract the letters from the key.

⮚ Cryptography
● Mono and Polyalphabetic Ciphers:
▪ Monoalphabetic Ciphers -
Substitutes one letter for
another - "T" would be "W" for
instance - very easy to break
with frequency analysis (or Letter frequency use in English
even without).
▪ Polyalphabetic Ciphers -
Similar but uses different
starting points each round, "T"
may be "W" on first round, but
"D" on second round, more
secure, but still not very
secure.

28 | Page
[Link]
 CISSP Domain 3 Lecture notes
▪ Frequency Analysis (analyzing the frequency of a certain character) – In English
“E” is used 12.7% of the time. Given enough encrypted substitution text,
you can break it just with that.

● Exclusive Or (XOR)
XOR is very useful in basic cryptography; we add a key to the
plaintext to make the ciphertext. If we have the Key, we can
decipher the Cipher text. Used in most symmetric encryption
(or at least used in the algorithm behind it).
▪ Confusion is the relationship between the plaintext and
ciphertext; it should be as random (confusing) as possible.
▪ Diffusion is how the order of the plaintext should be
“diffused” (dispersed) in the ciphertext.
▪ Substitution replaces one character for another, this provides
confusion.
▪ Permutation (transposition) provides confusion by
rearranging the characters of the plaintext.

● The History of Cryptography (yes, this is testable).

▪ Spartan Scytale - Message written
lengthwise on a long thin piece of
parchment wrapped around a certain
size round stick. By itself it would make
no sense, but if rewrapped around a
stick of the same diameter it would be
decipherable.
▪ Caesar Cipher (Substitution) - Done by
switching Letters by a certain number of spots in the alphabet. “Pass the exam"
moved 3 back would be “Mxpp qeb buxj.”
▪ The Vigenère cipher is a polyalphabetic cipher named
after Blaise de Vigenère, a French cryptographer who
lived in the 16th century.
⬥ The alphabet is repeated 26 times to form
a matrix (Vigenère Square).
⬥ It uses the plaintext (x axis) and a key (y axis).
🞂 If the plaintext is CISSP and the key is
THOR, the ciphertext would be VPGJI.
🞂 The key wraps if the plaintext is longer
than the key (it normally is).
▪ Cipher Disk - 2 concentric disks with alphabets on
them, either just as agreed upon "T" is "D" (monoalphabetic) or "T" is "D" again,

29 | Page
[Link]
 CISSP Domain 3 Lecture notes
but the inner disk is turned in a pre-agreed upon direction and turns every X
number of letters (decoder rings).
▪ Enigma - Rotary based. Used 3 rotors early on, which was
broken, so the Germans added 1 rotor, making it much
harder. Breaking the Enigma was responsible for ending
the war early and saving millions of lives.
▪ Purple (US name) - Japanese rotary based, very similar to
the Enigma.
⬥ Broken by the US, England, and Russia (3 rotors).
⬥ When the Russians learned Japan was not
attacking them, they moved the majority of their
eastern troops to Moscow to fight the
Germans. They had decoded that Japan
was going for Southeast Asia
▪ One-Time Pad:
⬥ Cryptographic algorithm where plaintext is
combined with a random key.
⬥ It is the only existing mathematically
unbreakable encryption.
🞂 While it is unbreakable it is also very
impractical.
🞂 It has ONE use per pad; they should
never be reused.
🞂 Characters on the pad have to be truly random.
🞂 The pads are kept secure.
▪ Vernam Cipher (The first known use of a one-time pad).
⬥ It used bits, and the bits were XORed to the plaintext bits.
▪ Project VENONA was a project by the US and the UK to break the KGB’s
encryption from 1943 to 1980.
⬥ The KGB used one-time pads (unbreakable if not reused) for sensitive
transmissions.
⬥ The KGB reused pads, many messages were decoded, leading to the
arrest of many high-profile US residents.
▪ The Jefferson Disk (Bazeries Cylinder) - is a cipher system using a set of wheels
or disks, each with the 26 letters of the alphabet arranged around the edge.
Jefferson (US president) invented it, and Bazeries
improved it.
⬥ The order of the letters is different for
each disk and is usually scrambled in some
random way.
⬥ Each disk is marked with a unique
number.
⬥ A hole in the center of the disks allows
them to be stacked on an axle.

30 | Page
[Link]
 CISSP Domain 3 Lecture notes
⬥ The disks are removable and can be mounted on the axle in any order
desired.
⬥ The order of the disks is the cipher key, and both sender and receiver
must arrange the disks in the same predefined order.
⬥ Jefferson's device had 36 disks.
▪ SIGABA:
⬥ A rotor machine used by the United States
throughout World War II and into the
1950s, similar to the Enigma.
⬥ It was more complex, and was built after
examining the weaknesses of the Enigma.
⬥ No successful cryptanalysis of the machine
during its service lifetime is publicly
known.
⬥ It used 3x5 sets of rotors.
⬥ The SIGABA was very large, heavy, expensive, difficult to operate,
mechanically complex, and fragile.

● With the common use of Cryptography, many governments realized how important it
was that cryptographic algorithms were added to export restrictions in the same
category as munitions.
▪ COCOM (Coordinating Committee of Multilateral Export Controls) 1947 – 1994.
⬥ Was used to prevent the export of "Critical Technologies" from
“Western” countries to the "Iron Curtain" countries during the cold war.
⬥ Encryption is considered "Critical Technologies"
▪ Wassenaar Arrangement - 1996 – present.
⬥ Similar to COCOM, but with former "Iron Curtain" countries being
members
⬥ Limits exports on military and "dual-use” technologies. Cryptography is
part of that.
⬥ Some nations also use it to prevent their citizens from having strong
encryption (easier to spy on your own people if they can't use strong
cryptography).

● Asymmetric vs Symmetric Encryption and Hybrid

▪ Asymmetric
⬥ Pros: It does not need a pre-shared key,
only 2x users = total keys.
⬥ Cons: It is much slower; it is weaker per
bit.
▪ Symmetric:
⬥ Pros: Much faster, stronger per bit.
⬥ Cons: Needs a pre-shared key, n(n-1)/2
users, becomes unmanageable with many users.
▪ Hybrid Encryption:

31 | Page
[Link]
 CISSP Domain 3 Lecture notes
⬥ Uses Asymmetric encryption to share a Symmetric Key (session key).
⬥ We use the security over an unsecure media from Asymmetric for the
initial exchange and we use the speed and higher security of the
Symmetric for the actual data transfer.
⬥ The Asymmetric Encryption may send a new session key every so often
to ensure security.

● Symmetric Encryption:
▪ DES - Data Encryption Standard (Single DES).
⬥ For the exam it may be called DEA (algorithm) or DES (standard)
⬥ No longer secure and it has multiple attack vectors published.
⬥ Symmetric – 64-bit block cipher – 56-bit key, 16 rounds of encryption,
uses Feistel.
DES has 5 different modes it can encrypt data with, they include: Block, Stream,
Initialization Vector and if encryption errors propagate to the next block.
⬥ ECB (Electronic Code Book) - The simplest and weakest, no initialization
vector or chaining.
🞂 2 separate encryptions with same plaintext would produce
identical ciphertext.
⬥ CBC (Cipher Block Chaining) - Uses initialization vectors and chaining.
🞂 The first block uses an initial Vector and every subsequent block
uses XOR from the first block
🞂 The weakness is an encryption error which will propagate
through all blocks after the error since they build on each other,
breaking integrity.
⬥ CFB (Cipher Feedback) Very similar to CBC, but uses stream cipher, not
block.
🞂 It uses feedback (chaining in a stream cipher), initialization
vector and it has the same error propagation.
⬥ OFB (Output Feedback) Similar to CFB, but instead of the previous
ciphertext for the XOR it uses the subkey before it is XORed to the
plaintext.
🞂 Doing it this way makes the encryption errors NOT propagate.
⬥ CTR (Counter) - Similar to OFB, but it uses the Feedback differently, the
way it uses the Feedback can be simple as ascending numbers.
🞂 First block XORed with 1, second block with 2, third block with
3, since the Feedback is predictable it can be done in parallel.
▪ 3 DES (Triple DES):
⬥ Was developed to extend life of DES systems while getting ready for
AES.
⬥ Symmetric – 64-bit block cipher – 56-bit key, 16 rounds of encryption,
uses Feistel.
⬥ 3 rounds of DES vs 1.
🞂 K1 (keymode1) - 3 different keys with 112-bit key strength.
🞂 K2 (keymode2) - 2 different keys with 80-bits and 1/3 same key.

32 | Page
[Link]
 CISSP Domain 3 Lecture notes
🞂 K3 (keymode3) – Same key 3 times, just as insecure as DES
(encrypt/decrypt/encrypt).
⬥ Considered secure until 2030 and still commonly used (K1).
▪ IDEA (International Data Encryption Algorithm):
⬥ Designed to replace DES.
⬥ Symmetric, 128-bit key, 64-bit block size, considered safe.
⬥ Not widely used now since it is patented and
slower than AES.
▪ AES - Advanced Encryption Standard (Rijndael).
⬥ Symmetric.
⬥ Considered secure.
⬥ Open source.
⬥ Uses both transposition and substitution.
⬥ Widely used today.
⬥ AES operates on a 4 × 4 column-major order
matrix of bytes.

⬥ Initial Round:
🞂 AddRoundKey — each byte is combined with a block of the
round key using bitwise XOR.
⬥ Rounds:
🞂 SubBytes — a non-linear substitution
step where each byte is replaced with
another according to a lookup table.
🞂 ShiftRows — a transposition step
where the last three rows of the state
are shifted a certain number of steps.
🞂 MixColumns — a mixing operation
which operates on the columns,
combining the four bytes in each
column.
⬥ Final Round (no MixColumns):
🞂 SubBytes
🞂 ShiftRows
🞂 AddRoundKey
⬥ The key size used for an AES
cipher specifies the number of
repetitions of transformation
rounds that convert the plaintext
into the ciphertext.
⬥ The number of cycles depends on
the key length:
🞂 10 cycles for 128-bit
keys.
🞂 12 cycles for 192-bit keys.

33 | Page
[Link]
 CISSP Domain 3 Lecture notes
🞂 14 cycles for 256-bit keys.

▪ Blowfish - publish domain.

⬥ Uses Feistel.
⬥ Symmetric, block cipher, 64-bit blocks, 32 – 448-bit key lengths.
⬥ No longer considered secure.
⬥ Developer recommends using Twofish.
▪ Twofish
⬥ Uses Feistel.
⬥ Symmetric, block cipher 128-bit blocks, key length 128, 192, 256 bits.
⬥ Considered secure.
▪ Feistel cipher (Feistel network)
⬥ The Cipher splits a plaintext block into two halves (L and R).
⬥ The process goes through several rounds, the right half of the
block does not change.
⬥ The right half (Rn) is XORed with a subkey (Kn) for each round (F).
⬥ The XORed value (F) is XORed with the left block (Ln).
⬥ The recipient reverses the subkey order and XORs to
get the plaintext.
⬥ Feistel or modified Feistel Algorithms:
🞂 Blowfish, Camellia, CAST-128, DES, FEAL, ICE,
KASUMI, LOKI97, Lucifer, MARS, MAGENTA,
MISTY1, RC5, TEA, Triple DES, Twofish, XTEA, …
⬥ Generalized Feistel Algorithms:
🞂 CAST-256, MacGuffin, RC2, RC6, Skipjack.
▪ RC4:
⬥ Used by WEP/WPA/SSL/TLS.
⬥ Pseudorandom keystream.
⬥ No longer considered secure.
⬥ Symmetric, Stream cipher, 40 – 2048-bit key length.
▪ RC5:
⬥ Symmetric, Block Cipher, 32, 64, and 128-bit blocks, Key length 0 –
2040-bits, uses Feistel.
⬥ Considered Secure (if high enough blocks/key).
▪ RC6 – AES3 Finalist:
⬥ Based on RC5, but changed to meet AES requirements, uses Feistel.
⬥ Symmetric, Block Cipher, 128-bit blocks, 128, 192, and 256-bit key
length.
⬥ Considered Secure.

● Asymmetric Encryption (Public Key Encryption)

We have used symmetric encryption for 1000s of years. Asymmetric is, however,
a new player. In the 1970s, multiple Asymmetric keys were developed, including
Diffie-Hellman (DH - 1976) and RSA (Rivest, Shamir and Adleman - 1977).

34 | Page
[Link]
 CISSP Domain 3 Lecture notes
▪ Asymmetric Encryption uses 2 keys: A Public Key and a Private Key (Key Pair).
⬥ Your Public Key is publicly available.
🞂 Used by others to encrypt messages sent to you. Since the key is
asymmetric, the cipher text can't be decrypted with your public
Key.
⬥ Your Private Key - You keep this safe.
🞂 You use it to decrypt messages sent with your public key.
⬥ Also used for digital signatures, slightly reversed.
⬥ You encrypt with your private key and the recipient decrypts with your
public key.
▪ Prime Number Factorization:
⬥ Factoring large Prime numbers using a one-way factorization - It is easy
to multiply 2 numbers, but hard to discern the 2 numbers multiplied
from the result.
⬥ 1373 x 8081 = 11095213 - It will be hard to tell which numbers were
multiplied to get 11095213.
⬥ Between 1 and 10,000 there are 1229 prime numbers, and strong
encryption uses much higher prime numbers.
▪ Discrete Logarithms:
⬥ Another one-way function - this one uses Logarithms, which is the
opposite of exponentiation.
⬥ 5 to the 12th power = 244140625 but asking 244140625 is 5 to the what
power is much harder.
⬥ Discrete Logarithms apply the concept to groups, making them much
harder so solve.
▪ RSA cryptography
⬥ New keypair from very large prime numbers - creates public/private key
pair.
⬥ Used to exchange symmetric keys, it is slow, and the algorithm was
patent protected (1977-1997 - 20 years).
⬥ Asymmetric, 1094-4096bit key, Considered secure.
⬥ RSA-704 uses these 2 prime numbers, remember I said LARGE prime
numbers were factorized:
8143859259110045265727809126284429335877899002167627883200
914172429324360133004116702003240828777970252499
9091213529597818878440658302600437485892608310328358720428
512168960411528640933367824950788367956756806141
⬥ They then produce this result, and while this number is known, figuring
out the 2 prime numbers is very difficult:
7403756347956171282804679609742957314259318888923128908493
6232638972765034028266276891996419625117843995894330502127
5853701189680982867331732731089309005525051168770632990723
96380786710086096962537934650563796359

35 | Page
[Link]
 CISSP Domain 3 Lecture notes
▪ Diffie–Hellman (DH) key exchange is a method of securely exchanging
cryptographic keys over a public channel and was one of the first public-key
protocols.
⬥ It is one of the earliest practical examples of public key exchange
implemented within the field of cryptography.
⬥ The Diffie–Hellman key exchange method allows two parties that have
no prior knowledge of each other to jointly establish a shared secret key
over an insecure channel.
🞂 This key can then be used to encrypt subsequent
communications using a symmetric key cipher.
▪ Elliptic Curve Cryptography (ECC) is a one-way function that uses discrete
Logarithms applied to elliptical curves. Much stronger per bit than normal
discrete Logarithms.
⬥ Often found on low-power devices since they can use shorter key
lengths and be as secure.
⬥ Patented, so less used since it is patented and costs money to use, 256-
bit ECC key is just as strong as a 3,072-bit RSA key.
▪ ElGamal is an asymmetric key encryption algorithm for public-key cryptography
which is based on the Diffie–Hellman key exchange. ElGamal encryption is used
in the free GNU Privacy Guard software, recent versions of PGP, and other
cryptosystems.
▪ DSA (Digital Signature Algorithm) uses a different algorithm for signing and
encryption than RSA, yet provides the same level of security. Key generation has
two phases.
⬥ The first phase is a choice of algorithm parameters which may be shared
between different users of the system, while the second phase
computes public and private keys for a single user.
⬥ DSA is a variant of the ElGamal signature scheme, which should not be
confused with ElGamal encryption.
▪ Knapsack (Merkle–Hellman knapsack cryptosystem) is one-way.
⬥ The public key is used only for encryption, and the private key is used
only for decryption, making it unusable for authentication by
cryptographic signing.
⬥ No longer secure.

● Hash Functions (One-Way Hash Functions) are used for Integrity:

▪ A variable-length plaintext is hashed into a fixed-length value hash or MD
(Message Digest).
▪ It is used to prove the Integrity of the data has not changed. Even changing a
comma in a 1000-page document will produce an entirely new hash.
▪ Collisions: When 2 hashes of different data provide the same hash. It is possible,
but very unlikely.
▪ MD5 (Message Digest 5):
⬥ 128bit Fixed-Length hash, used very widely until a flaw was found
making it possible to produce collisions in a reasonable amount of time.

36 | Page
[Link]
 CISSP Domain 3 Lecture notes
⬥ While not a chosen-text collision, it is still a collision.
⬥ Still widely used.
▪ MD6 (Message Digest 6):
⬥ Was not used for very long; was supposed to replace MD5, but SHA2/3
were better.
⬥ It was in the running for the SHA3 race but withdrawn due to flaws.

▪ Just 1 bit change completely changes the hash.

▪ Using Great Expectations (Charles Dickens
1867 Edition again, 4 pages at font size
11, 1827 words, 7731 characters).
▪ Hash#1 is the original
2b72b2c18554112e36bd0db4f27f1d89
▪ Hash#2 is with 1 comma removed
21b78d32ed57a684e7702b4a30363161
▪ Just a single “.” added will change the
hash value to
5058f1af8388633f609cadb75a75dc9d
Remember: variable-length input, fixed-length output.

▪ SHA1 (Secure Hash Algorithm 1):

⬥ 160bit Hash Value.
⬥ Found to have weak collision avoidance, but still commonly used.

▪ SHA2 (Secure Hash Algorithm 2):

⬥ Considered collision resistant.
⬥ Somewhat used now, relatively new.
▪ SHA3 (Secure Hash Algorithm 3):
⬥ Finalized in August 2015.
▪ HAVAL (Hash of Variable Length):
⬥ The Message Digest (MD) length is variable (128, 169, 192, 224,
256bits).
⬥ Uses the MD design principles but is faster.
⬥ Not widely used.
▪ RIPEMD:
⬥ Developed outside of defense to ensure no government backdoors.
⬥ 128, 256, 320bit hashes.
⬥ Not widely used.
⬥ No longer secure.
▪ RIPEMD160:
⬥ Redesigned, fixing flaws of RIPEMD.
⬥ 160bit hashes.
⬥ Not widely used.
⬥ Considered secure.

37 | Page
[Link]
 CISSP Domain 3 Lecture notes
▪ Salt (Salting):
⬥ Random data that is used as an additional input to a one-way function
that "hashes" a password or passphrase.
⬥ Salts are very similar to nonces.
⬥ The primary function of salts is to defend
against dictionary attacks or a pre-
compiled rainbow table attack.
▪ Nonce: (arbitrary number that may only be used
once):
⬥ It is often a random or pseudo-random
number issued in an authentication protocol to ensure that old
communications cannot be reused in replay attacks.
⬥ They can also be useful as initialization vectors and in cryptographic
hash function.

● Cryptographic Attacks
▪ Steal the Key: Modern encryption being so difficult to break, it is easier to
recover the private key.
⬥ Law enforcement does this when they get search warrants, to recover
the private key from the PC or phone of someone charged with a crime.
⬥ Attackers do this by gaining access to your system or key repository;
they can then decrypt your data.
▪ Brute Force:
⬥ Uses the entire key space (every possible key); with enough time, any
plaintext can be decrypted.
⬥ Effective against all key-based ciphers except the one-time pad; it would
eventually decrypt it, but it would also generate so many false positives
that the data would be useless.
▪ Key stretching: Adding 1-2 seconds to password verification.
⬥ If an attacker is brute forcing password and needs millions of attempts,
it will become an unfeasible attack vector.
▪ Digraph attack: Similar to frequency analysis/attacks, but looks at common
pairs of letters (TH, HE, IN, ER).
▪ Man-in-the-Middle Attack (MITM):
⬥ The attacker secretly relays and may alter
communication between two parties, who
believe they are directly communicating
with each other.
⬥ The attacker must be able to intercept all
relevant messages passing between the
two victims.
⬥ They can alter the information, just steal it
or inject new messages.
▪ Session Hijacking (TCP Session Hijacking):

38 | Page
[Link]
 CISSP Domain 3 Lecture notes
⬥ An attacker takes over a web user’s session ID and masquerades as the
authorized user.
⬥ Once the session ID has been accessed, through session prediction the
attacker pretends to be the user, and as that user, can do anything the
user is authorized to do on the network.
▪ Social Engineering
⬥ Much easier than breaking the key is convincing the key holder to hand
it over to the “help desk”.
FREE ICECREAM!
🞂 A very successful social
engineering attack was a
Pen-Test company
driving up in front of a
company office
with "Free Ice Cream”
and company logo signs
on an ice cream van.
🞂 The employees had to
enter their username
and password to ‘prove’
they were real
employees. They were rewarded with an “approved" message
and got their free ice cream.
🞂 The Pen-Testers got 90%+ of the employees’ usernames and
passwords from those who were there that day.

▪ Rainbow Tables:
⬥ Pre-made list of plaintexts and matching ciphertexts.
⬥ Often Passwords and matching Hashes, a table can contain 1,000,000s
of pairs.
▪ Known Plaintext:
⬥ You know the plaintext and the ciphertext and using those, you try to
figure out the key.
▪ Chosen Plaintext:
⬥ Similar to Known Plaintext, but the attacker chooses the plaintext, then
tries to figure out the key.
▪ Adaptive Chosen Plaintext:
⬥ Same as Chosen Plaintext, the attacker “adapts" the following rounds
dependent on the previous rounds.
▪ Meet-in-the-Middle:
⬥ A known plaintext attack, the intruder has to know some parts of
plaintext and their ciphertexts used to break ciphers which have two or
more secret keys for multiple encryptions using the same algorithm.
▪ Known Key - (Not really known, because if it was, the attacker would have the
key).

39 | Page
[Link]
 CISSP Domain 3 Lecture notes
⬥ The attacker knows 'something' about the key, making it easier to
break.
⬥ The password could be exactly 8 characters, first character has to be
upper case and last has to be a number.
▪ Differential Cryptanalysis:
⬥ Tries to find the “difference" between the related plaintexts; if the
plaintexts are only a few bits different, can we discern anything? Can we
see non-randomness?
⬥ The same bit should have a 50/50 chance of flipping; areas where this is
not so can be a clue to the key.
▪ Linear Cryptanalysis:
⬥ A type of known plaintext attack where the attacker has a lot of
plaintext/ciphertext pairs created with the same key.
⬥ The attacker studies the pairs to learn information about the key used
to create the ciphertext.
▪ Differential Linear Cryptanalysis is Differential and Linear Cryptanalysis
combined.
▪ Side Channel Attacks:
⬥ Attackers use physical data to break a crypto system. This can be CPU
cycles, power consumption while encrypting/decrypting, ...
▪ Implementation Attacks:
⬥ Some vulnerability is left from the implementation of the application,
system or service.
⬥ It is almost always easier to find a flaw in the system than to break the
cryptography.
⬥ Is the key stored somewhere in plaintext? Is the key stored somewhere
not very secure? Is anything stored in memory?
▪ Key Clustering:
⬥ When 2 different Symmetric Keys used on the same plaintext produce
the same ciphertext, both can decrypt ciphertext from the other key.
▪ Pass the Hash:
⬥ If an attacker obtains a hashed password, they can gain access to the
system by using the stolen hash and the user ID.
▪ Kerberos exploitation:
⬥ Overpass the Hash or Pass the Key.
🞂 Similar to PtH but used when NTLM is disabled on a network.
🞂 Even when NTLM is disabled, the systems generate an NTLM
hash and store it in memory.
🞂 The attacker requests a TGT with the user's hash to gain access
to network resources.
⬥ Pass the Ticket:
🞂 The attackers attempt to collect tickets held in the [Link]
process.
🞂 The attackers then inject the ticket impersonating the user.
⬥ Silver Ticket:

40 | Page
[Link]
 CISSP Domain 3 Lecture notes
🞂 The attacker uses the NTLM hash of a service account to make a
ticket-granting service (TGS) ticket.
🞂 Service accounts use TGS tickets instead of TGT tickets.
🞂 The silver ticket gives the attacker all the privileges granted to
that specific service account.
⬥ Golden Ticket:
🞂 The attacker gains access to the hash of the Kerberos service
account and can create any tickets they want within Active
Directory.
🞂 The account signs and encrypts all Kerberos tickets on a domain
with a hash of its own password.
🞂 The password never changes, meaning the hash also never
changes.
⬥ Kerberos Brute-Force:
🞂 Attackers can guess passwords and usernames by using the
Python script [Link] on Linux or Rubeus on Windows
because Kerberos will report whether a username is valid or
not.
⬥ ASREPRoast:
🞂 Used to identify users who do not have Kerberos pre-
authentication enabled.
🞂 Pre-authentication can help to prevent password guessing
attacks.
🞂 If pre-authentication is not enabled, the attacker sends an
authentication request to the KDC.
🞂 The KDC replies with a TGT, encrypted with the client's
password.
🞂 This enables the attacker to decrypt the ticket and the client's
password using offline attacks.
⬥ Kerberoasting:
🞂 The attacker collects encrypted TGS tickets (because these are
for service accounts, it is TGS rather than TGT).
🞂 When enough are collected, the attacker can try to decrypt
them offline.
🞂 Services running in the context of user accounts would use a
TGS ticket.
🞂 The attacker is trying to find users that don't have Kerberos pre-
authentication enabled on their accounts.
▪ Fault injection
⬥ The attacker is trying to compromise the integrity of cryptographic
devices by introducing external faults.
⬥ Active side-channel attacks, trying to stress the device.
⬥ Power (high/low), temperature, and light are all potential factors.

41 | Page
[Link]
 CISSP Domain 3 Lecture notes
● Implementing Cryptography:
▪ PKI (Public Key Infrastructure):
⬥ Uses Asymmetric and Symmetric Encryption as well as Hashing to
provide and manage digital certificates.
⬥ To ensure PKI works well, we keep the private key secret.
⬥ We also store a copy of the key pair somewhere central and secure (key
repository).
⬥ We have policies in place that require 2 Security Administrators to
retrieve the key pair (if only 1 person did it, chances of key compromise
would be higher).
⬥ If users lose their private key and if no key repository is kept, anything
encrypted with the public key is inaccessible.
▪ Key Escrow:
⬥ Keys are kept by a 3rd party organization (often law enforcement).

▪ Digital Signatures:
Provides Integrity and Non-
Repudiation.
I want to send an email to Bob.
🞂 My email is Hashed, the hash
is encrypted with my private
key (the encrypted Hash is my
Digital Signature), I attach the
signature to the email and
send it.
🞂 Bob receives it, he generates
a hash, and decrypts my
signature with my public key. If the hash he generated and the
hash he unencrypted match, the email is not altered.
⬥ Digital certificates are public keys signed with a digital signature.
🞂 Server based - SSL for instance – is assigned to the server
(stored on the server).
🞂 Client based - Digital Signature – is assigned to a person (stored
on your PC).
🞂 CA (Certification Authority):
🞂 Issues and revokes certificates.
🞂 Can be run internally in your organization or in public
(Verisign or GoDaddy, for instance).
🞂 ORA (Organizational Registration Authorities):
🞂 Done within an organization.
🞂 Authenticates the certificate holder prior to certificate
issuance.
🞂 CRL (Certification Revocation List):
🞂 Maintained by the CA.

42 | Page
[Link]
 CISSP Domain 3 Lecture notes
🞂 Certificates are revoked if a private key is compromised,
if an employee leaves the organization, etc.
🞂 Server side, starting to be replaced by OCSP
(client/server-side hybrid).
🞂 OCSP (Online Certification Status Protocol):
🞂 Client/server hybrid, better balance, faster, keeps lists
of revoked certificates.

▪ The Clipper chip was a chipset that was developed and promoted by the United
States National Security Agency (NSA) as an encryption device that “secured”
voice and data messages with a built-in backdoor.
⬥ It was intended to be adopted by telecommunications companies for
voice/data transmission but was abandoned after public outcry and was
later found to have many security flaws (it used Skipjack).

▪ MAC (Message Authentication Code) – The exam uses MAC for several
concepts; it will be spelled out which one it is.
⬥ Hash function using a key.
⬥ CBC-MAC, for instance, uses Cipher Block Chaining from a symmetric
encryption (like DES).
⬥ Provides integrity and authenticity.
▪ HMAC (Hashed Message Authentication Code) combines a shared key with
hashing.
⬥ A pre-shared key is exchanged.
⬥ The sender uses XOR to combine the plaintext with a shared key, then
hashes the output using a hashing algorithm (Could be HMAC-MD5 or
HMAC-SHA-1).
⬥ That hash is then combined with the key again, creating an HMAC.
⬥ The receiver does the same and compares their HMAC with the sender’s
HMAC.
⬥ If the two HMACs are identical, the sender is authenticated.
▪ SSL and TLS – Confidentiality and
Authentication for web traffic.
Cryptographic protocols for web
browsing, email, internet faxing,
instant messaging, and VOIP. You
download the server’s digital
certificate, which includes the
site’s public key.
⬥ SSL (Secure Socket Layer) -
Currently on v3.0.
🞂 Mostly used for web
traffic.
⬥ TLS (Transport Layer Security)
- More secure than SSL v3.0.

43 | Page
[Link]
 CISSP Domain 3 Lecture notes
🞂 Used for securing web traffic (less common).
🞂 Used for internet chat and email client access.

▪ IPSEC (Internet Protocol Security):

⬥ Set of protocols that provide a cryptographic layer to IP traffic (IPv4 and
IPv6).
⬥ IPv4 was designed for secure research/military networks, but that is not
how we use it now (bolt on security).
⬥ IPSEC is often used for VPNs (Virtual Private Network) - local
feel/security traffic over the internet.
⬥ AH and ESP - Can be used together or separately.
🞂 AH (Authentication Header):
🞂 Provides Authentication and Integrity for each packet.
🞂 Does NOT provide confidentiality (think of it as a digital
signature for data).
🞂 Protects against "replay attacks."
🞂 ESP (Encapsulation Security Payload):
🞂 Provides confidentiality.
🞂 It can provide Authentication and Integrity.
⬥ SA (Security Association):
🞂 Simplex one-way communication (Like a walkie talkie).
🞂 Can be used to negotiate ESP or AH parameters.
🞂 If 2 systems use ESP to communicate, they need 1 SA for each
direction (2 total).
🞂 If they use AH and ESP, they will use 4 SAs (2x2).
🞂 A unique 32 bit SPI (Security Parameter Index) is used to identify
each SA connection.
⬥ ISAKMP (Internet Security And Key Management Protocol):
🞂 Manages the SA creation process and key exchange mechanics.
⬥ Tunnel mode encrypts and authenticates the entire package (including
headers).
⬥ Transport mode only encrypts and authenticates the payload. This is
used for systems that speak IPSEC.
⬥ IKE (Internet Key Exchange):
🞂 IPSEC can use different types of encryption and hashes. For
example, it can use MD5 or SHA-1/2 for integrity and 3DES or
AES for confidentiality.
🞂 IKE negotiates the algorithm selection process.
🞂 The 2 sides of an IPSEC tunnel will normally use IKE to negotiate
to the highest and fastest level of security, selecting AES over
single DES for confidentiality if both sides support AES, for
example.

▪ Pretty Good Privacy (PGP):

44 | Page
[Link]
 CISSP Domain 3 Lecture notes
⬥ Provides privacy and authentication for data communication. Can
provide confidentiality, integrity, authentication, and non-repudiation.
⬥ PGP is used for signing, encrypting, and decrypting texts, e-mails, files,
directories, and whole disk partitions, and to increase the security of e-
mail communications.
⬥ PGP uses a serial combination of hashing, data compression, symmetric-
key cryptography, and finally public-key cryptography; each step uses
one of several supported algorithms.
⬥ Uses a Web of Trust model to authenticate digital certificates, if you
trust me, you trust everyone I trust.
▪ MIME (Multipurpose Internet Mail Extensions) provides a standard way to
format email, including characters, sets, and attachments.
▪ S/MIME (Secure/MIME) uses PKI to encrypt and authenticate MIME-encoded
email.
⬥ The client or client’s email server (called an S/MIME gateway) can
perform the encryption.

⮚ Physical Security
As part of physical security, we also design "Design-in-Depth" into our plan.
▪ Preventative Controls:
⬥ Prevents action from happening – Tall fences, locked doors, bollards.
▪ Detective Controls:
⬥ Controls that detect an attack (before, during or after) – CCTV, alarms.
▪ Deterrent Controls:
⬥ Controls that deter an attack – fences, security guards, dogs, lights,
Beware of the Dog signs.

▪ Compensating Controls:
⬥ Controls that compensate for other controls that are impossible or too
costly to implement. We may not be able to move our datacenter or
change the foundation, but we can add absorbers under the sub-floor,
in the racks, …
▪ Administrative Controls:
⬥ Controls that give us administrative framework – compliance, policies,
procedures.

45 | Page
[Link]
 CISSP Domain 3 Lecture notes
● Perimeter defense:
▪ Fences (Deterrence, Preventative):
⬥ Smaller fences such as 3ft. (1m) can be a deterrence, while
taller ones, such as 8ft. (2.4m) can be a prevention
mechanism.
⬥ The idea of the fences is to ensure entrance/exits from the
facility happen through only a few entry points (doors,
gates, turnstiles).
▪ Gates (Deterrence, Preventative):
⬥ Placed at control points at the perimeter.
⬥ Used with the fences to ensure access only happens
through a few entry points.
⬥ ASTM Standard:
🞂 Class I Residential (your house)
🞂 Class II Commercial/General Access (parking garage).
🞂 Class III Industrial/Limited Access (loading dock for 18-wheeler
trucks).
🞂 Class IV Restricted Access (airport or prison).
▪ Bollards (Preventative):
⬥ Used to prevent cars or trucks from entering an
area while allowing foot traffic to pass.
⬥ Often shops use planters or similar; it looks
prettier but achieves the same goal.
⬥ Most are static heavy-duty objects, but some
cylindrical versions can also be electronically
raised or lowered to allow authorized traffic past
a "no traffic" point. Some are permanent fixtures
and can be removed with a key or other unlock
functions.
▪ Lights (Detective and Deterrence):
⬥ Lights should be used to fully illuminate the entire
area.
⬥ Lights can be static, motion activated (static) or
automatic/manual Fresnel lights (search lights).
⬥ Measured in lumen - 1 lumen per square foot or
lux - 1 lumen per square meter more commonly used.
▪ CCTV (Closed Circuit Television) (Detective, Deterrence) - used to monitor the
facility’s perimeter and inside it.

46 | Page
[Link]
 CISSP Domain 3 Lecture notes
⬥ Older cameras are analog and use video tapes for storage (often VHS);
quality is often bad, unclear.
⬥ Modern cameras are digital and
use CCD (Charged Couple
Discharge); also use a DVR (Digital
Video Recorder).
⬥ Organizations may have retention
requirements either from policies
or legislation that require a certain
retention of their video (this could
be bank ATM, data center or entry
point footage).
⬥ Cameras can be either static or non-static (automatic or manual).
🞂 We have all seen the spy or heist movies where they avoid them
by knowing the patterns and timers.
🞂 This risk can be mitigated with a randomizer or pseudo
randomizer, we want to ensure full coverage.

▪ Locks (Preventative):
⬥ Key locks:
🞂 Requires a physical key to unlock;
keys can be shared/copied.
🞂 Key Bitting Code (How far the key is
bitten down for that section.) – Can
be copied and replicated without the
key from either the numbers or a
photo of it.
🞂 Pin Tumbler Lock (or Yale lock) – A
lock mechanism that uses pins of
varying lengths to prevent
the lock from opening without the correct key.
🞂 Lock Picking - with a lock pick set
or bumping, opening a lock without
the key.
🞂 Any key lock can be picked
or bumped, how long it
takes depends on the
quality of the lock.
🞂 Lock pick sets lift the pins
in the tumbler, opening the
lock.

47 | Page
[Link]
 CISSP Domain 3 Lecture notes
🞂 Lock Bumping - Using a shaved-down key that matches the lock,
the attacker “bumps“ the key handle with a hammer or
screwdriver which makes the pins jump, then the attacker
quickly turns the key.
🞂 Master Keys open any lock in a given area or
security zone.
🞂 Both who has them and where they are
kept should be very closely guarded at
all times.
🞂 Core Key is used to remove a lock core in
"interchangeable core locks."
🞂 An interchangeable core, or IC, is a
compact keying mechanism in a specific
figure-eight shape.
🞂 Relies upon a specialized "control" key for insertion and
extraction of the core.
🞂 Should be kept secure and access should be very
restricted.
⬥ Combination Locks:
🞂 Not very secure and have limited accountability even
with unique codes.
🞂 Should be used for low security areas.
🞂 Can be Dial type (think safe), Button
or Keypad.
🞂 Very susceptible to brute force,
shoulder surfing and are often
configured with weak security (I
know of a good deal of places where
the code is the street number).
🞂 Over time, the buttons used for the
code will have more wear and tear.
🞂 For 4-number PIN where 4 keys are used, the possible
combinations are no longer 10,000, but 256; if 3 keys, then 81
options.
▪ Smart Cards (contact or contactless):
⬥ They contain a computer circuit, using ICC
(Integrated Circuit Card).
⬥ Contact Cards - Inserted into a machine to be
read.
🞂 This can be credit cards you insert into
the chip reader or the DOD CAC
(Common Access Card).
⬥ Contactless Cards - can be read by proximity.
🞂 Key fobs or credit cards where you just hold it close to a reader.

48 | Page
[Link]
 CISSP Domain 3 Lecture notes
🞂 They use an RFID (Radio Frequency Identification) tag
(transponder) which is then read by an RFID Transceiver.
▪ Magnetic Stripe Cards:
⬥ Swiped through a reader, no circuit.
⬥ Very easy to duplicate.
▪ Tailgating/Piggybacking:
⬥ Following someone authorized into an area you are not authorized to
be in.
⬥ Often combined with Social Engineering.
⬥ It is easy to do if your reason for being there seems plausible.
⬥ Bring a lot of food, a cake, and some balloons, have on clothes, ID badge
and tools that a repairman would, the options are endless.
▪ Mantrap:
⬥ A Mantrap is a room with 2 doors; Door 1 must close completely before
Door 2 can be opened.
⬥ Each door has a different authentication method (something you know,
something you have, something you are).
⬥ They can at times use weight sensors - Bob weighs 220lbs (100kg), the
weight measured by the pressure plate is 390lbs (177kg), someone is
probably in the room with Bob. Door 2 won’t open
until Bob is confirmed alone in the Mantrap with a
cart of old servers, normally done by the cameras in
the trap.
▪ Turnstiles (Preventative, Deterrence):
⬥ Also prevents tailgating, by allowing only 1 person to
enter per Authentication (think like in US subway
systems or amusement park entries, but for secure
areas they are often floor to ceiling turnstiles with
interlocking blades).
Both Mantraps and Turnstiles should be designed to allow safe
evacuation in case of an emergency. (Remember that people
are more important to protect than stuff.)

▪ Contraband Checks (Preventative, Detective, Deterrent):

⬥ Often seen in airports, courthouses, intelligence offices or other higher
security facilities.
⬥ Checking what you are bringing in or out of the building to ensure
nothing dangerous gets in or anything confidential gets out.

49 | Page
[Link]
 CISSP Domain 3 Lecture notes
⬥ With technology
becoming
much smaller, these
are less effective
when it comes to
data theft; it is
easy to hide a
microSD
memory card,
which can contain
up to 1TB+ of data
per card.
▪ Motion Detectors (Detective, Deterrence):
⬥ Used to alert staff by triggering an alarm (silent or not).
⬥ Someone is here, did an authorized person pass the
checkpoint?
🞂 IF yes, then log the event and do nothing else
IF no, then alert/alarm.
⬥ Basic ones are light-based - They require light, making
them not very reliable.
⬥ Ultrasound, Microwave, Infrared or Laser (pew-pew!!)
🞂 Active sensors, they send energy (sound, wave
or light).
🞂 If the sound takes less time to return or the
pattern it receives back is altered, it means
someone is somewhere they should not be.
🞂 Photoelectric motion sensors send a beam of light to a sensor, if
broken the alarm sounds. These are the pew-pew lasers and
sorry, no, they are not green or red and they are rarely visible.

▪ Perimeter Alarms:
⬥ Door/window sensors – these are the thin strips around the edges of
either or contact sensors.
🞂 If opened, an alarm sounds; if broken, same effect.
🞂 Can be circumvented, but they are part of a layered defense.
⬥ Walls, windows, doors, and any other openings should be considered
equally strong.
⬥ Walls are inherently stronger; the rest need compensating measures
implemented (locks, alarms, sensors).
⬥ Glass is normally easy to break, but can be bullet and/or explosion
proof, or have a wire mesh in the middle.
⬥ Plexiglass can also be used, as it is stronger and does not shatter, but
can be melted.
⬥ Door hinges should always be on the inside (or hidden in the door).

50 | Page
[Link]
 CISSP Domain 3 Lecture notes
⬥ Just like the turnstiles and mantraps, doors (and in some cases
windows) should be designed to allow safe exit from the building in case
of an emergency. Often there is a "Panic Bar" that opens the door, but
they are also connected to alarms that sound when opened (clearly
labeled Emergency Only - Alarm WILL Sound).

▪ Walls, Floors, and Ceilings:

⬥ In line with our layered defense strategy, the strong security
encountered in getting to a data center does nothing if there is a crawl
space that an attacker can use.
⬥ We need to secure all possible ways into our Data Center or other
secure location.
⬥ Walls should be "slab to slab" (from the REAL floor to the REAL ceiling);
if sub-flooring or sub-ceilings are used, then they should be contained
within the slab to slab walls.
⬥ Walls, floors, and ceilings should be made of materials (where it makes
sense) that are secure enough for that location, e.g. don't have
sheetrock around your Data Center because I can cut that with a knife.
⬥ Walls, floors, and ceilings should have an appropriate fire rating.
🞂 So should your doors, but walls, floors and ceilings are more
often overlooked.
🞂 This is to protect the Data Center from outside fire and just as
well the rest of the building from a Data Center fire.

▪ Guards – (Deterrent, Detective, Preventative, Compensating)

⬥ Guards can serve many diverse purposes for an
organization.
⬥ They can check credentials/ID Cards, monitor CCTV
cameras, monitor environmental controls (HVAC), react to
incidents, act as a deterrent, and so much more.
⬥ Professional Guards - Professional training and/or
schooling; armed.
⬥ Amateur Guards - No professional training or schooling;
armed.
⬥ Pseudo Guard - Unarmed guard.
⬥ Guards should have a very clear set of rules and regulations.
⬥ Social engineering attacks are common and should be prevented
with training to raise awareness.

51 | Page
[Link]
 CISSP Domain 3 Lecture notes
▪ Dogs (Deterrent, Detective, Compensating):
⬥ Most often used in controlled, enclosed areas.
⬥ Liability can be an issue.
⬥ Dogs are trained to corner suspects and
attack someone who’s fleeing. People often
panic when they encounter a dog and run.
⬥ Even if they’re in a secure area, the
organization may still be liable for injuries.
⬥ Can also be internal authorized employees
walking out the wrong door or trying to take a
shortcut.
⬥ They panic and the dog attacks.

▪ Restricted Work Areas and Escorts.

⬥ To track and funnel authorized visitors, we can use visitor badges, visitor
logs, and escorts.
⬥ Non-electronic visitor badges are easy to make copies of and easy to
fake.
⬥ Electronic can be just a cheap re-programmable magnetic strip (like for
hotel rooms, easy to copy). Make sure they have a short window of use,
or more secure individually printed ones for each visit, and only used
once.
⬥ The return of all badges and physical sign-out should be enforced when
the visitor leaves.
⬥ When a vendor is coming to repair, install or remove something in your
facility, they need to be checked in and escorted from the entry point to
where they are going to work by an employee, and the employee
should stay with the vendor until the work is completed.
⬥ The vendor’s employees should already have passed a security check
when they were hired; the vendor is liable.
⬥ This sounds and is boring, but it is more likely to prevent the vendor
from compromising your security than if they were free to roam the
facility and the data center unsupervised.

● Site Selection, Design, and Configuration:

Before building a new facility, it is very important to do proper research and
planning. Multiple factors need to be considered, but for the exam you need to
think about the security ones.
▪ Site Selection:

52 | Page
[Link]
 CISSP Domain 3 Lecture notes
⬥ Greenfield - Not built on yet,
undeveloped land.
⬥ Topography - the physical shape of the
landscape - hills, valleys, trees, streams.
Most often used at military sites where
they can leverage (sometimes by
altering) the topology for better security.
⬥ Utilities - How reliable is the power, the
internet in the area?
⬥ Crime - How high are the crime rates in the area? How close are the
police?

▪ Site Design:
⬥ Site Marking:
🞂 Do not advertise your data center’s (or other critical) locations.
🞂 The more nondescript and boring
the building is, the less attention it
gets (security through obscurity).
🞂 A determined attacker can
obviously find the information,
but the harder you make it, the
less your chances are of being
compromised.
🞂 Example: Don't name your credit card processing server
creditcard001.

▪ Shared Tenancy and Neighbors

⬥ Sharing your building with someone else poses other security risks; the
people working at or visiting those organizations are already past the
perimeter.
⬥ Their bad security posture can be a risk to yours.
⬥ Attackers can set up base right next door, they can eavesdrop and
attack on your wireless without causing much suspicion.
⬥ Think of the many movies with bank robberies or great heists where
they go through a neighbor’s wall, ceiling or floor.
⬥ These all have a basis in reality from real robbers who did just that.

▪ Wiring Closets
⬥ If shared, the other tenants have access to your network. You can lock it
down, but it is still a big security concern. I have seen a place where
one tenant had all their equipment bolted to the wall, but the wires
were exposed; it would be easy to attach a sniffer to that.

▪ Demarc - Point of Demarcation (POD):

53 | Page
[Link]
 CISSP Domain 3 Lecture notes
⬥ Where the ISP (Internet Service Provider) terminates their
phone/internet lines and your network begins; most buildings only have
one.
⬥ When shared, it is a security concern that other tenants have access.
Can they access your equipment?
⬥ IPv4 is not inherently secure and ISP connections are not either. You
must add the security on your end.
⬥ It is desired to have strong Access Control for the Demarc. If not
possible, find another location. (IAAA)
⬥ For secure sites or sites that need high uptime, it is common to have
multiple Demarcs from multiple ISPs. How segmented and secure each
Demarc is depends on your information security posture.

▪ Server Rooms and Data Centers:

⬥ Many Data Centers were designed for our past requirements and not
how much data we move today.
⬥ Pop-up server rooms are built when we outgrow our current Data
Center and we bolt-on somewhere in the building that was NOT built for
that purpose.
⬥ They often lack proper walls, floors, ceilings, flood prevention; bolted-
on and not designed-in is less secure.
⬥ I have seen a bolt-on server room where there were showers and
bathrooms just above it. What a fun day they would have if the
floor/ceiling started leaking.
⬥ Data Center Build or Expansion:
🞂 How much HVAC (Heating, Ventilation and Air Conditioning) do
we need for now/future use?
🞂 Which natural events do we need to factor in for where we are
(e.g. hurricanes, floods, tornadoes)?
🞂 Do we have enough Power for current/future
use; is the grid stable? Are blackouts or
brownouts common? Brownout = drop in
voltage (lights flicker). Blackout = power is
interrupted completely.
🞂 Power:
🞂 What size of generators do we need?
🞂 How large of a UPS (Uninterruptible
Power Supply) do we need? Huge
battery bank also ensures consistent
voltage.
🞂 Fire Suppression:
🞂 Dry pipe vs. wet pipe.
🞂 Halon/Chemical/FM200.
🞂 Fire extinguishers.

54 | Page
[Link]
 CISSP Domain 3 Lecture notes
● Media Storage and Locations:
Where and how you store your offline data/media and (preferably) offsite is
dictated by internal policies, procedures, and compliance requirements.
▪ All storage media should be encrypted (Data at Rest).
▪ Media (often tape) should be stored at an offsite facility.
▪ The facility should be climate controlled (temperature and
humidity) less strict than a data center, standards still apply.
⬥ Tape will deteriorate at a certain temperature just as
disks will corrode at a certain humidity.
⬥ The storage facility should be secure, licensed, and
bonded (both for transport and storage), lost data is
just as lost, but they are liable.
▪ Multiple incidents have happened when this was done, and
break-ins relieved the employees of the tapes, which in many
cases were NOT encrypted. Welcome to $10,000, $100,000 or $1,000,000
fines/lawsuits or loss of revenue from the bad publicity hit. (Data at Rest should
always be encrypted).

● Asset Tracking:
Keeping an accurate inventory of all our assets is important; we can't protect
what we don't know we have. We covered this a little in our risk analysis
section, but other than identifying the assets, we also should have it as part of
our technology refresh cycle to record the Asset Serial Number, Model Number,
and often an internal Asset ID.
▪ Hardware Hardening:
⬥ On our servers - we harden the server.
🞂 Apply all patches, block ports not needed, delete default users,
… most places are good about this.
⬥ Workstations are often overlooked.
▪ Disabling the USB Ports, CD drives and any other port that can introduce
malware to our network.
⬥ Physically: Disabled on motherboard or port itself blocked, easy to
bypass - not very secure.
⬥ Logically: Locked in Windows services or through AD (Active Directory)
is not easy to bypass (if done right) - more secure.

55 | Page
[Link]
 CISSP Domain 3 Lecture notes
⮚ Environmental Controls
● Electricity
It is important to have clean, reliable power for our servers, disk arrays, network
equipment.
⬥ Loss of power can affect our availability and the Integrity of our data.
⬥ Nothing can be accessed and power fluctuations can damage hardware
and corrupt data.
▪ Power Fluctuation Terms:
⬥ Blackout - Long loss
of power.
⬥ Fault - Short loss of
power.
⬥ Brownout - Long
low voltage.
⬥ Sag - Short low voltage.
⬥ Surge - Long high voltage.
⬥ Spike - Short high voltage.

▪ Surge Protectors, UPSs and Generators are

used to get clean power.
⬥ Surge Protectors - Protect equipment
from high voltage.
⬥ UPSs (Uninterruptible Power
Supplies):
🞂 Ensure constant clean power
to the systems.
🞂 Have large battery banks that
take over in the event of a
power outage, they also act as surge protectors.
▪ Generator:
⬥ Fueled generators are programmed to manually or automatically
(preferred) kick in during a power outage event.
⬥ Will run as long as they have fuel, must be maintained.
▪ PDU (Power Distribution Unit) can be in rack or not.

▪ EMI (Electromagnetic Interference)

⬥ Disturbance generated by an external source that affects an electrical
circuit by electromagnetic induction, electrostatic coupling or
conduction.
⬥ In our world this includes circuits, power cables, network cables, ...
⬥ Often, this is an issue with network cables that are not shielded properly
or run too closely to power cables. Magnetism from one cable “crosses”
over to a neighbor cable (crosstalk).
⬥ This can impact the Integrity (data corruption), Confidentiality (data
sniffed), and Availability (data unavailable).

56 | Page
[Link]
 CISSP Domain 3 Lecture notes
⬥ Crosstalk is avoided with proper cable management and by using STP
(Shielded Twisted Pair) cables, not UTP (Unshielded Twisted Pair)
cables.
⬥ Power cables should never be run close to copper data cables.
⬥ Fiber optic cables are used when it makes sense (not susceptible to EMI
or sniffing, since they are glass).
⬥ On the exam, if asked for the cheapest secure cables, fiber > copper,
while not as cheap they are way more secure.

● HVAC:
▪ Heat:
⬥ Many data centers are kept too
cold, the last decade’s research
has shown it is not needed.
⬥ Common temperature levels
range from 68–77 °F (20–25 °C) -
with an allowable range of 59–
90 °F (15–32 °C).
⬥ Keeping a data center too cold
wastes money and raises
humidity.
▪ Pressure:
⬥ Keeping positive pressure keeps outside contaminants out.
▪ Humidity:
⬥ Humidity should be kept between 40% and 60% rH (Relative Humidity).
⬥ Low humidity will cause static electricity and high humidity will corrode
metals (electronics).
▪ Drains:
⬥ Many data centers use subflooring
where water and contaminants (mostly
dust) can gather. If an HVAC unit
malfunctions, it can leak water.
⬥ It is important to have sensors in the
subfloor for both water and dust, and to
regularly vacuum the space.

57 | Page
[Link]
 CISSP Domain 3 Lecture notes
● Static Electricity:
▪ Can be mitigated by proper humidity control, grounding all circuits, using
antistatic wrist straps and work surfaces.
▪ All personnel working with internal computer equipment (motherboards, insert
cards, memory sticks, hard disks) should ground themselves before working
with the hardware.

Antistatic shoes.
Not the prettiest thing I Antistatic wrist wrap.
ever saw, but effective!

● Heat, Flame, and Particle/Smoke Detectors:

All used for detecting fires or potential fires, they are connected to warning
lights, sirens, and suppression systems.
▪ Heat Detectors:
⬥ Configured to trigger when a certain threshold is exceeded (Rise of 10° F
in < 5 minutes or rising above 90° F).
▪ Smoke Detectors: (Ionization or Photoelectric):
⬥ Ionization detectors have a small radioactive source which creates a
small electric charge.
⬥ Photoelectric uses LED (Light Emitting Diode) and a photoelectric sensor
that produces a small charge while receiving light.
⬥ Both trigger when smoke or any higher particle density interrupts the
radioactivity or light.
▪ Flame Detectors:
⬥ Flame detectors detect infrared or ultraviolet light emitted by fire.
⬥ They require line of sight to detect the flame.

⮚ Personnel Safety, Training and Awareness

Personnel safety is always most important.
⬥ You may like your servers more but save the co-worker first. (This is
very testable).
⬥ Organizations should have clear policies, procedures, and standards
for evacuations.
⬥ Evacuation routes should be clearly marked
and known by all staff.
⬥ Meeting points should be established (can
also stop staff from reentering the building
looking for a coworker who is already
somewhere else outside).

58 | Page
[Link]
 CISSP Domain 3 Lecture notes
⬥ Evacuation roles are established; a pre-appointed person ensures all
staff is out of the building and another is the meeting point leader.
⬥ Plans are in place for disabled employees (elevators are not working at
this time).
⬥ Fire/evacuation drills are held quarterly or annually.
⬥ All exit doors (or special emergency-only doors) have the “panic bar”
(crash bar).
⬥ Just like in the data center, we have warning sirens and lights
throughout the building to alert staff to exit.

● Personnel Safety:
▪ Early Warning Systems (Duress Warning Systems):
⬥ Warning systems are used to provide immediate
alerts to personnel/people in the event of
emergencies, severe weather, threat of violence,
chemical contamination, ...
⬥ Duress systems are mostly local and can use
overhead speakers, sirens or automated
communications like email, pagers, text messages or
automated phone calls.

⮚ ABCD Fires and Suppression

● Fire suppression
Fire suppression is done by removing one of the 3 requirements a fire has.
▪ A fire needs Oxygen, Heat, and Fuel to burn.
⬥ Removing any of the 3 will put the fire out.
⬥ Removing Oxygen is done by replacing the
oxygen in the room with something else or
covering the fire so the burning material
doesn’t have oxygen access (Halon, FM200,
Argon).
⬥ Removing Heat is done by adding chemicals or
water to the fire, cooling it down.
⬥ Removing Fuel is rarely done since the fuel is
our equipment.

59 | Page
[Link]
 CISSP Domain 3 Lecture notes
● Fire Classes:
▪ Remember that the certification is
International, so answer
appropriately for the question’s
scenario, not for where you live.
▪ Answer all questions from a
management or risk advisor level and
in a top-down security organization.
▪ Appropriate fire suppression and
extinguishers should be deployed in
all areas.

● Automatic Fire Suppression Systems:

▪ Water:
⬥ Removes the “heat” leg of the fire triangle by lowering the
temperature.
⬥ Is the safest suppression agent, but for
Data Centers:
🞂 Water + hardware = dead
hardware.
⬥ Electricity could always be cut before
water is used.
⬥ Sprinkler Systems:
🞂 Sprinklers have different types
of bulbs for
different temperatures.
🞂 Should be connected to alarm/warning sirens and lights.
🞂 Each sprinkler head is independent; it will trigger if the
temperature for that bulb is met.
🞂 Wet Pipe: Sprinkler heads are closed. The pipes for the sprinkler
system have water until the sprinkler.
🞂 Dry Pipe: Sprinkler heads are closed.
🞂 The pipe contains compressed air and a valve that stays
shut as long as the air is present.
🞂 Used in areas where frost might be an issue or where
water can be an issue.
🞂 I have seen dry pipe in a data center; scary for me but
was built in as a last resort.
🞂 Deluge: Sprinkler heads are open.
🞂 Similar to Dry Pipe, but sprinkler heads are open, a
deluge valve holds water back, normal air in pipes.

60 | Page
[Link]
 CISSP Domain 3 Lecture notes
🞂 Pre-Action:
🞂 Single interlock: Water released into pipes when the fire
alarm goes off and when head opens.
🞂 Double interlock: Similar to Dry Pipe, water is not
released until fire alarm sounds off and the sprinkler is
open.

▪ Gases: All gas fire suppression systems must have a visible and audible
countdown so staff can exit the area.
⬥ CO2:
🞂 Should only be used in unmanned areas.
🞂 It is colorless and odorless and causes people in it to pass out
and then die.
🞂 Staff working in an area where CO2 is used should be properly
trained in CO2 safety.
⬥ Halon 1301 has been the industry standard for protecting high-value
assets from fire since the mid-1960s.
🞂 It has many benefits; it is fast-acting, safe for assets, and
requires little storage space.
🞂 It is no longer used widely because it depletes atmospheric
ozone and is potentially harmful to humans.
🞂 In some countries legislation requires the systems to be
removed; in others it is OK to use them still (with recycled
Halon), but systems have not been installed since 1994 (The
Montreal Accord).

The Montreal Accord (197 countries) banned the use and production of
new Halon. A few exceptions for “essential uses” include things like
inhalers for asthma and fire suppression systems in submarines and
aircraft.
⬥ Halon Replacements (other halocarbons and inert gases):
🞂 Argon: 50% Argon gas and 50% Nitrogen gas
🞂 FE-13 (Fluoroform): Low
toxicity, low
reactivity, and high
density. Breathable up
to 30% concentration.
🞂 FM-200 (HFC-227ea):
Low toxicity, most
are designed to provide
a concentration of 6.25-
9% heptafluoropropane.

61 | Page
[Link]
 CISSP Domain 3 Lecture notes
🞂 Inergen: Nitrogen (52%), Argon (40%), and Carbon Dioxide (8%);
the air is still breathable, but the fire is put out.
🞂 Breathing is more labored due to increased CO2.
● Fire Suppression:
▪ Fire Extinguishers:
⬥ A fire extinguisher is an active fire protection
device used to extinguish or control small fires,
often in emergency situations.
⬥ All portable fire extinguishers should be
marked with the type of fire they are designed
to extinguish.
⬥ Never use a fire extinguisher on a fire it was
not intended for.
⬥ Use the PASS method to extinguish a fire with
a portable fire extinguisher:
🞂 Pull the pin in the handle.
🞂 Aim at the base of the fire.
🞂 Squeeze the lever slowly.
🞂 Sweep from side to side.
⬥ Soda-Acid Extinguishers mix a solution of water and sodium
bicarbonate with an acid (in a vial, which is broken) to expel pressurized
water onto a fire.
⬥ Dry Powder Extinguishers (sodium chloride, graphite, ternary eutectic
chloride).
🞂 Lowers the temperature and removes oxygen in the area.
🞂 Primarily used for metal fires (sodium, magnesium, graphite).
⬥ Wet Chemical (potassium acetate, potassium carbonate, potassium
citrate).
🞂 Extinguishes the fire by forming an air-excluding soapy foam
blanket over the burning oil and by the water content cooling
the oil below its ignition temperature.

62 | Page
[Link]
 CISSP Domain 3 Lecture notes
⮚ Final Points to Remember
Virtualization
▪ Virtualization also poses new vulnerabilities because the technology is new-ish
and very complex.
▪ Clients on the same host should be on the same network segment
(Internal/DMZ). A host should never house both zones.
▪ Clients should be logically separated on the network like physical servers would
be (HR, Accounting, IT VLANs).
● Cloud Computing
(There is no 'Cloud‘, it is just another computer somewhere else).
▪ When we use cloud computing we build or outsources some part of our IT
Infrastructure, storage, applications.
▪ This can be done for many good reasons, but most are cost related. It is cheaper
to have someone larger or more specialized in that one area doing it for us.
▪ As with any other outsourcing, make sure you have the right to audit, pen test
(clearly agreed upon criteria), conduct vulnerability assessment, and check that
the vendor is compliant with your industry and the standards you adhere to.
● Web Architecture and Attacks
▪ The internet is a very complex place. Security is often added on as an
afterthought and not designed in as it should be.
▪ On top of that the internet was never intended to be what it is today; it was
originally designed to be a secure closed network.
● Mobile Security
▪ The more external devices we connect, the more complex policies, procedures,
and standards we need.
▪ Mobile devices are really anything
“mobile” – External hard disks, USB
drives, CDs, laptops, cell phones, ...
▪ Most internal threats are not
malicious people. They just don’t
know any better, didn’t think about it
or figured they wouldn’t get found
out.
▪ Good security policies should lock
down USB ports, CD drives, network
ports, wireless networks, disable autorun on media, use full disk encryption,
have remote wipe capabilities, raise user awareness training on where (if
anywhere) mobile devices are allowed. (Defense in Depth)
● Cryptography
▪ For the exam, what you need to know is that cryptography helps us:
⬥ Keep our secrets secret (Confidentiality) ← This is what most people
think all cryptography does.
⬥ Keep our data unaltered (Integrity).

63 | Page
[Link]
 CISSP Domain 3 Lecture notes
⬥ Provide a way to verify (Authentication) our Subjects; it can also
provide non-repudiation.
▪ Cryptography has been used for thousands of years to keep secrets secret.
▪ Encryption should be strong enough to be unbreakable or at least take a very
long time to break; there obviously needs to be a balance between
Confidentiality and Availability.
▪ Modular Math:
⬥ Cryptography uses a lot of modular math.
⬥ For the exam you need to know what it is, but you don't need to know
how to do it.
⬥ Numbers "wrap around" after they reach a certain value (modulus),
which is also why it is called clock math.
Adding "X" (24) to "E" (5) = "C" (3) - The English alphabet wraps around after the
26th letter (modulus).
● Hashing
Just 1 bit changed completely changes the hash.
Using Great Expectations (Charles
Dickens 1867 Edition again, 4 pages at font
size 11, 1827 words, 7731 characters).
▪ Hash#1 is the original
▪ 2b72b2c18554112e36bd0db4f27f1d89
▪ Hash#2 is with 1 comma removed
▪ 21b78d32ed57a684e7702b4a30363161
▪ Just a single “.” added will change the hash
value to
5058f1af8388633f609cadb75a75dc9d
Remember: variable-length input, fixed-length output.
● Physical Security
▪ Both Mantraps and Turnstiles should be designed to allow safe evacuation
in case of an emergency. (Remember that people are more important to
protect than stuff.)

64 | Page
[Link]
 CISSP Domain 3 Lecture notes
⮚ What we covered in the third CBK Domain:
In this chapter we talked about how we protect our assets.
✔ How the domain has 3 major knowledge areas (prior to the 2015 exam update,
each had their own domain).
✔ Security Architecture and Design:
🞂 The common security models.
🞂 The architecture, design, virtualization, cloud, and solutions we
use to protect our assets.
🞂 How computers work (basics) and how they are logically
segmented.
🞂 Threats to our applications, systems, and devices.

✔ Cryptography:
🞂 The history of cryptography, types of encryption, hashes,
cryptography attacks, and digital signatures.
✔ Physical Security
🞂 Site and facility secure design principles, perimeter defense,
HVAC, power, and fire suppression.

65 | Page
[Link]
 CISSP Domain 4 Lecture notes

Welcome to the Fourth CBK Domain.

 In this domain we cover:
• Common network models
• We cover how the internet/intranet works with:
▪ IP addresses: IPv4, IPv6, Private and Public Addresses.
▪ Common well-known ports.
▪ DNS, ARP, DHCP, NAT, PAT, and the other protocols we use to make our
network function.
▪ How we secure our communication on our local network and the internet.
▪ Micro-segmentation, wireless, and cellular networks.
▪ Common Attack types and how to mitigate them.
• Networking equipment and how we secure the different types.
▪ Routers, switches, firewalls, cables, …
• Network topologies and technologies.
▪ LAN, WAN, Ring, Star, Mesh.

This chapter focuses on how our Network and Communications channels work and how to protect them.
CBK 4 makes up 14% of the exam questions.

 Network Basics and Definitions:

 We use defense-in-depth on our internal network and when our data traverses
the internet.
▪ We do this by ensuring all our network devices, protocols, and traffic are as
secure as possible.
▪ Simplex is a one-way communication (One system transmits, the other
listens).
▪ Half-duplex communication sends or receives at one time only (Only one
system can transmit at a time).
▪ Full-duplex communication sends and receives simultaneously. (Both
systems can transmit/receive simultaneously).
▪ Baseband networks have one channel and can only send one signal at a
time.
⬧ Ethernet is baseband: “1000base-T” STP cable is a 1000-megabit,
baseband, Shielded Twisted Pair cable.
▪ Broadband networks have multiple channels and can send and receive
multiple signals at a time.
▪ The Internet is a global collection of peered WAN networks, it really is a
patchwork of ISPs.
▪ An Intranet is an organization's privately owned network, most larger
organizations have them.
▪ An Extranet is a connection between private Intranets, often connecting
business partners' Intranets.

1|Page
[Link]
 CISSP Domain 4 Lecture notes
• Circuit Switching - Expensive, but
always available, used less often.
▪ A dedicated communications
channel through the network.
▪ The circuit guarantees the full
bandwidth.
▪ The circuit functions as if the
nodes were physically
connected by a cable.
• Packet Switching - Cheap, but no
capacity guarantee, very widely used
today.
▪ Data is sent in packets but take
multiple different paths to the
destination.
▪ The packets are reassembled at
the destination.
▪ QoS (Quality of Service) gives
specific traffic priority over
other traffic.
 Most commonly VOIP (Voice Over IP) or other UDP Traffic needing close
to real time communication.
 Other non-real time traffic is down prioritized, the 0.25 second delay
won’t be noticed.
• PAN (Personal Area Network) - A personal area network is a computer network
used for communication among computers and other information technological
devices close to one person (PCs, printers, scanners, consoles …).
▪ Can include wired (USB and FireWire) and wireless devices (Bluetooth and
infrared
• LAN (Local Area Network) - A network that connects computers and devices in a
limited geographical area such as a home, school, office building or campus.
• Each computer or device on the network is a node, wired LANs are most likely based
on Ethernet technology.
• MAN (Metropolitan Area Network) – A large computer network that usually spans
a city or a large campus.
• WAN (Wide Area Network) - A computer network that covers a large geographic
area such as a city, country, or spans even intercontinental distances. Combines
many types of media such as telephone lines, cables, and airwaves.
• VPN (Virtual Private Network) - A VPN network sends private data over an insecure
network, most often the Internet.
▪ Your data is sent across a public network, but looks and feels private.

2|Page
[Link]
 CISSP Domain 4 Lecture notes
• GAN (Global Area Network) - A global area network, is a network used for
supporting mobile users across a number of wireless LANs, satellite coverage areas,
… the transition from one to the next can be seamless.

 Definitions:
• The OSI Model (Open Systems Interconnect):
▪ A layered network model that standardizes the communication functions of
a telecommunication or computing system regardless of their underlying
internal structure and technology.
▪ The model partitions a communication system into abstraction layers, the
model has 7 layers.
1. Physical
2. Data Link
3. Network
4. Transport
5. Session
6. Presentation
7. Application.
▫ 7-1 All People Seem To Need Data Processing.
▫ 1-7 Please Do Not Throw Sausage Pizza Away.
▪ Know the PDUs (Data, Segments, Packets, Frames, Bits).
▪ The model is less used now and used as a
reference point.
▪ Know it for the exam, it is testable.

• The OSI Model:

▪ Layer 1 - Physical Layer:
⬧ Wires, Fiber, Radio waves, hub, part of
NIC, connectors (wireless).
⬧ Cable types:
▫ Copper TP (Twisted Pair) Least
secure, eavesdropping,
interference, easy tap into, but
also cheap.
▫ Fiber is more secure, not
susceptible to eavesdropping,
harder to use, can break, higher
cost.
⬧ Topologies:
▫ Bus, Star, Ring, Mesh partial/full.
⬧ Threats:
▫ Data emanation, theft, eavesdropping, sniffing, interference.

3|Page
[Link]
 CISSP Domain 4 Lecture notes
▪ Layer 2 - Data Link Layer:
⬧ Transports data between 2
nodes connected to same
network.
⬧ LLC – Logical Link Control –
error detection.
⬧ MAC address (BIA) – a
unique identifier on the
network card.
▫ Can be spoofed very easily, both for good and not so good
reasons.
▫ 48-bit hexadecimal first 24 manufacturer identifier, last 24
unique.
▫ 64-bit hexadecimal first 24 manufacturer identifier, last 40
unique.
▫ Threats - MAC Spoofing, MAC Flooding.
⬧ ARP (Address Resolution Protocol) Layer 2/3.
⬧ CSMA/CD – Ethernet – minimized with switches vs. hubs.
⬧ CSMA/CA – Wireless.
⬧ Token passing – Similar to the talking stick, not really used anymore.

▪ Layer 3 - Network Layer:

⬧ Expands to many different nodes (IP) – The Internet is IP based.
⬧ Isolates traffic into broadcast domains.
⬧ Protocols:
▫ IP, ICMP, IPSEC, IGMP, IGRP, IKE, ISAKMP, IPX.
⬧ Threats:
▫ Ping of Death, Ping Floods, Smurf – spoof source and directed
broadcast, IP modifications, DHCP attacks, …
⬧ If the exam asks which layer a protocol with “I” is and you do not
remember answer layer 3.
▫ IP, IGMP, IGRP, IPSEC, IKE, ISAKMP, … are all layer 3, all except
IMAP which is layer 7.

4|Page
[Link]
 CISSP Domain 4 Lecture notes
▪ Layer 4: Transport Layer:
⬧ SSL/TLS Layer 4 to 7.
⬧ UDP (User Datagram Protocol):
▫ Connectionless
protocol,
unreliable, VOIP,
Live video,
gaming, “real time’’.
▫ Timing is more
important than
delivery confirmation.
▫ Sends message,
doesn’t care if it arrives or in which order.
▫ Attack: Fraggle attack – works the same way as smurf but may
be more successful since it uses UDP and not ICMP.
⬧ TCP (Transmission Control Protocol):
▫ Reliable, Connection orientated, Guaranteed delivery, 3-way
handshake, slower/more overhead, data reassembled.
▫ Attacks: SYN floods – half open TCP sessions, client sends
1,000s of SYN requests, but never the ACK.
⬧ TCP Flags (9 bits 1-bit flags) (Control bits).
▫ NS: ECN-nonce concealment protection.
▫ CWR (Congestion Window Reduced) flag is set by the sending
host to indicate that it received a TCP segment with the ECE flag
set and had responded in congestion control mechanism.
▫ ECE: ECN-Echo has a dual role, depending on the value of the
SYN flag.
▫ URG (1 bit): Indicates that the Urgent pointer field is significant.
▫ ACK (1 bit): Indicates that the Acknowledgment field is
significant.
▫ PSH (1 bit): Push function. Asks to push the buffered data to the
receiving application.
▫ RST (1 bit): Resets the connection.
▫ SYN (1 bit): Synchronize sequence numbers. Only the first
packet sent from each end have this flag set.
▫ FIN (1 bit): Last package from sender.

▪ Layer 5 – Session Layer:

⬧ Establishes connection between 2 applications: Setup > Maintenance >
Tear Down.

5|Page
[Link]
 CISSP Domain 4 Lecture notes
▪ Layer 6 - Presentation Layer:
⬧ Only layer with no protocols.
⬧ Formatting, compressing, encryption (file level).

▪ Layer 7 - Application Layer:

⬧ Presents data to user (applications/websites).
⬧ HTTP, HTTPS, FTP, SNMP, IMAP, POP, and many more.
⬧ Non-Repudiation, certificates, application proxies, deep packet
inspection, content inspection, AD integration.

• The higher you go up the layers, the slower it is. Speed is traded for intelligence.
• Threats to Level 5-7: Virus, worms, trojans, buffer overflow, application, or OS
vulnerabilities.

6|Page
[Link]
 CISSP Domain 4 Lecture notes
• The TCP/IP Model (Internet Protocol Suite):
▪ A conceptual model that provides end-to-end data communication.
▪ Specifying how data should be packetized, addressed, transmitted,
routed, and received.
▪ It has four layers which are used to sort all related protocols according to
the scope of networking involved.
▪ From lowest to highest:
⬧ The link layer, containing communication methods for data that
remains within a single network segment.
⬧ The internet layer, connecting independent networks, thus
providing internetworking.
⬧ The transport layer, handling host-to-host communication.
⬧ The application layer, provides process-to-process data exchange
for applications.

▪ The link and physical layer has the networking scope of the local
network connection to which a host is attached.
⬧ Used to move packets between the Internet layer interfaces of two
different hosts on the same network.
⬧ The process of transmitting and receiving packets on a given link can
be controlled both in the software device driver for the network
card, as well as on firmware or specialized chipsets.
⬧ These perform functions such as adding a packet header to prepare
it for transmission, then transmit the frame over a physical medium.
⬧ The TCP/IP model includes specifications of translating the network
addressing methods used in the Internet Protocol to link layer
addresses, such as Media Access Control (MAC) addresses.
⬧ The link and physical layer = OSI layer 1-2.

▪ Internet/Internetwork layer is responsible for sending packets across

potentially multiple networks.
⬧ Requires sending data from the source network to the destination
network (routing).
⬧ The Internet Protocol performs two basic functions:
▫ Host addressing and identification: This is done with a
hierarchical IP addresses.

7|Page
[Link]
 CISSP Domain 4 Lecture notes
▫ Packet routing: Sending the packets of data (datagrams)
from the source to the destination by forwarding them to
the next network router closer to the final destination.
⬧ Internet/Internetwork layer = OSI layer 3.

▪ The transport layer establishes basic data channels that applications use
for task-specific data exchange.
⬧ Its responsibility includes end-to-end message transfer independent
of the underlying network, along with error control, segmentation,
flow control, congestion control, and application addressing (port
numbers).
⬧ Data is sent connection-oriented (TCP) or connectionless (UDP).
⬧ The transport layer = OSI layer 4.

▪ The application layer includes the protocols used by applications for

providing user services or exchanging application data over the network
(HTTP, FTP, SMTP, DHCP, IMAP).
▪ Data coded according to application layer protocols are encapsulated
into transport layer protocol units, which then use lower layer protocols
for data transfer.
▪ The transport layer and the lower-level layers are unconcerned with the
specifics of application layer protocols.
▪ Routers and switches do not typically examine the encapsulated traffic,
rather they just provide a conduit for it. However, some firewall and
bandwidth throttling applications must interpret application data.
▪ The TCP/IP reference model distinguishes between user protocols and
support protocols.
▪ The application layer = OSI layer 5, 6, and 7.
• Each layer of the model adds or removes encapsulation (encapsulation / de-
capsulation).
• The higher we go, the slower and smarter the stack is, just like the OSI model.

8|Page
[Link]
 CISSP Domain 4 Lecture notes
 MAC address (BIA):
• A unique identifier on the network card.
• Can be spoofed pretty easily, both for good and less good reasons.
• EUI/MAC-48 are 48bits (original design).
▪ The first 24 are the manufacturer identifier.
▪ The last 24 are unique and identify the host.
• EUI-64 Mac Addresses use 24bit for manufacturer, but 40 for unique ID.
▪ The first 24 are the manufacturer identifier.
▪ The last 40 are unique and identify the host.
• Both are widely used today and used by both IPv4 and IPv6.
▪ For 48bit MAC’s IPv6 modified it into 64bit MAC’s by adding FF:FE to the
device identifier.

9|Page
[Link]
 CISSP Domain 4 Lecture notes
 Protocols:
• IP Addresses:
▪ First deployed for production in the ARPANet in 1983, ARPANet later
became the internet.
▪ IP was developed in the 1970’s for secure closed networks (DARPA -
Defense Advanced Research Projects Agency). Security was not built in
but was bolted on later.
▪ IPv4 is a connectionless protocol for use on packet-switched networks.
▪ It operates on a best effort delivery model, it does not guarantee
delivery, it also does not assure proper sequencing or avoidance of
duplicate delivery. We have added protocols on top of IP to ensure those.
▪ IPv4 is the IT route's most Internet traffic today, but we are slowly
moving towards IPv6.
⬧ The move towards IPv6 is mainly dictated by IPv4 Addresses being
depleted years ago.
▪ IPv4 has around 4.2 billion IP addresses and of those ~4 billion are usable
internet addresses.
⬧ There are currently over 35 billion mobile devices on the internet, 75
billion is predicted by 2025.
⬧ All major cellphone carriers in the US use IPv6 for all cell phones.
⬧ IPv4 has 4,294,967,296 addresses where IPv6 has
340,282,366,920,938,463,463,374,607,431,768,211,456.

• IP Addresses and Ports:

▪ When we send traffic, we use both the Source IP and Port as well as
Destination IP and Port. This ensures we know where we are going, and
when the traffic returns it knows where to return to.
▪ The IP addresses can be seen as the number of an apartment building.
⬧ The Port number is your apartment
number.
⬧ If you have 50 browser tabs open, each tab
has its own port number(s).
▪ Well-known Ports:
⬧ 0-1023 - Mostly used for protocols.
▪ Registered Ports:
⬧ 1024 to 49151 - Mostly used for vendor
specific applications.
▪ Dynamic, Private or Ephemeral Ports:
⬧ 49152–65535 - Can be used by anyone for anything.

10 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
• Common Ports:
▪ 20 TCP FTP data transfer.
▪ 21 TCP FTP control.
▪ 22 TCP/UDP Secure Shell (SSH).
▪ 23 TCP Telnet unencrypted text communications.
▪ 25 TCP Simple Mail Transfer Protocol (SMTP), can also
use port 2525.
▪ 80 TCP/UDP Hypertext Transfer Protocol (HTTP), can also
use port 8008 and 8080.
▪ 110 TCP Post Office Protocol, version 3 (POP3).
▪ 137 UDP NetBIOS Name Service, used for name
registration and resolution.
▪ 138 TCP/UDP NetBIOS Datagram Service.
▪ 143 TCP Internet Message Access Protocol (IMAP).
▪ 443 TCP Hypertext Transfer Protocol over TLS/SSL
(HTTPS).
▪ 3389 TCP/UDP Microsoft Terminal Server (RDP).
• IP Addresses and Ports:
▪ A Socket:
⬧ 1 set of IP and Port.
⬧ UDP only uses 1 socket (connectionless), TCP uses 2 in a pair, 2
individual sockets making the pair.
▪ Socket Pairs (TCP):
⬧ 2 sets of IP and Port (Source and Destination).
⬧ My Pair for the top one is:
▫ Source pair:[Link]:49691
▫ Destination pair: [Link]:https
▫ Well-known ports are often translated, port 443 is https.

11 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
• IPv4/IPv6 Address Space Management:
▪ IANA (Internet Assigned Numbers Authority) governs the IP's address
allocation.
▪ IANA is a department of ICANN (Internet Corporation for Assigned Names
and Numbers).
▪ The world is divided into RIR (Regional Internet Registry) regions and
organizations in those areas delegate the address space they have control
over.
⬧ AFRINIC (African Network Information Center): Africa.
⬧ ARIN (American Registry for Internet Numbers): United States, Canada,
several parts of the Caribbean region, and Antarctica.
⬧ APNIC (Asia-Pacific Network Information Centre): Asia, Australia, New
Zealand, and neighboring countries.
⬧ LACNIC (Latin America and Caribbean Network Information Centre):
Latin America and parts of the Caribbean region.
⬧ RIPE NCC (Réseaux IP Européens Network Coordination Centre) Europe,
Russia, Middle East, and Central Asia.

12 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
• IP Address and Traffic Types:
▪ Unicast, Multicast, and Broadcast Traffic:
⬧ Unicast - one-to-one traffic (Client to Server): The traffic is from a client
to a host or reversed.
▫ To capture all unicast traffic on a network, we use
promiscuous mode on specific clients' network cards
(Network IDSs/IPSs) and the switch port they are attached
to has to be configured as a Span-port.
⬧ Multicast - one-to-many (predefined): The traffic is sent to everyone in
a predefined list.
⬧ Broadcast - one-to-all (on a LAN network): The traffic is sent to
everyone.
▫ Limited L3 Broadcast: Uses the [Link] broadcast
IP address, routers do not pass (they drop it).
▫ Limited L2 broadcast: Uses [Link] broadcast MAC
address, routers do not pass.
▫ Directed broadcast: Sent to anyone logically connected to
the same network.
• A [Link]/24 will send to all hosts on
that network, regardless if it is physically
behind the same router or not. Accounting
could have a VLAN spanning 3 separate remote
buildings, the broadcast would be sent to them
all.

• IPv4 (Internet Protocol version 4) addresses:

▪ IPv4 addresses are made up of 4 octets (dotted-decimal notation) and
broken further down in a 32bit integer binary.
▪ We use IP addresses to make it readable to normal people, it is easier to
read 4 sets of numbers than a 32 bits string of 0s and 1s.
▪ Similarly, websites are really
just IP addresses translated
with DNS, which is then
translated into binary.
▪ It is easier to remember
[Link], than it is to
remember [Link] or
[Link].

13 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
• IPv4:
▪Public IP Addresses (Internet routable addresses):
⬧ Used to communicate over the internet between hosts.
▪ Private Addresses (RFC 1918 – Not routable on the internet):
Other notable IP spaces:
⬧ [Link] [Link] 16777216 [Link]/8 Loopback IPs
⬧ [Link] [Link] 1048576 [Link]/16 Link-Local
⬧ [Link] [Link] 65536 [Link] Broadcast
▪ As a band-aid solution to extend the depletion of IPv4 Addresses NAT and
PAT were added:
▪ NAT (Network Address Translation):
⬧ Static NAT Translates 1-1, we need 1 Public IP per Private IP we use,
not practical and not sustainable.
⬧ Pool NAT: Also still 1-1, but a pool was available to all clients not
assigned to specific clients.
▪ PAT (Port Address Translation):
⬧ PAT was introduced to solve that issue, it uses IP AND Port
number.
⬧ Also called One-to-Many or NAT Overload since it translates
One public IP to Many private IPs.

14 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
▪ Classful IP Networks were used early on the
internet for public addresses. Networks
were VERY large, some with 16 million+ IPs.
Very inefficient use of IP addresses.
▪ CIDR (Classless Inter-Domain Routing) (also
called slash notation):
⬧ We used CIDR to break our addresses
into smaller logical segment, this
saves addresses, we can make
suitable sized IP ranges for our
subnets and it is easier to add
security to our subnets if they are
logically segmented.
⬧ This would be the CIDR notation for
our earlier IP address:
[Link]/24.
⬧ This was done to the /24, indicates
how many IPs are in that subnet,
from that we know the broadcast
and the range of host addresses.
⬧ Our /24 address would have 256
addresses, 255 are usable for hosts.
⬧ Earlier the first (0) and last (255) in a
/24 could not be used, but now with
newer technology and protocol use,
only 255 is not usable since it is the
broadcast address.

▪ IP Headers contain:
⬧ Version: IP version 4.
⬧ IHL: Length of the IP header.
⬧ QoS (Quality of Service).
⬧ Identification, Flags, Offset: used for IP fragmentation.
⬧ TTL (Time To Live): to prevent routing loops.
⬧ Protocol: Protocol number for TCP, UDP,...
⬧ Source and Destination IP addresses.
⬧ Optional: Options and padding.
⬧ MTU (Maximum Transmission Unit) - normally 1500 bytes in
Ethernet usage.

15 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
▫ If a packet exceeds that size a router along the path may
fragment into smaller packets.

• IPv6:
▪ IPv6 is 128bit in hexadecimal numbers (uses 0-9 and a-f).
▪ 8 groups of 4 hexadecimals, making addresses look like this:
⬧ [Link]
▪ The IPv6 address space is huge compared to IPv4.
340,282,366,920,938,463,463,374,607,431,768,211,456 addresses.
⬧ 34 with 37 0s total or 79 with 27 0s as many addresses as IPv4.
⬧ Every square foot on the planet can have 65000 IP addresses.
▪ IPSec is built in, not bolted on like
with IPv4.
▪ Mostly switched behind the
scenes today, many organizations
do not have Dual Stack
equipment in place.
▪ Used by major US ISPs for cell
phones (and to some extend the
connection to your modem).
▪ To make the address more
manageable 1 set of 0s can be shortened with :: above you see the last 16
0s being shortened to [Link]
▪ Our MAC address is [Link]
▪ It is a EUI-48 address we add
“fffe” (for EUI-64)
[Link]
▪ Set the U/L bit
[Link]
⬧ (The use of the
universal/local bit in the
Modified EUI-64 format
identifier is to allow
development of future

16 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
technology that can take advantage of interface identifiers with
universal scope).
⬧ Add our network prefix ([Link])
[Link]
⬧ Remove largest group of 0s
2001::b8:20fa:22ff:fe52:888a
⬧ Link Local address (only for local)
fe80::b8:20fa:22ff:fe52:888a
▪ IP Headers contain:
⬧ Version: IP version 6 (4 bits)
⬧ Traffic Class/Priority (8bits).
⬧ Flow Label/QoS management (20 bits).
⬧ Payload length in bytes(16 bits).
⬧ Next Header (8 bits).
⬧ Time To Live (TTL)/Hop Limit (8 bits).
⬧ Source IP address (128 bits).
⬧ Destination IP address (128 bits).
⬧ MTU (Maximum Transmission Unit) - normally 1500 bytes in
Ethernet usage.
▫ If a packet exceeds that size a router along the path may
fragment into smaller packets.

17 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
• ARP (Address Resolution Protocol):
▪ Translates IP Addresses into MAC Addresses.
⬧ OSI Data/Network Layer or Network/Internet Layer.
▪ ARP is a simple and trusting
protocol, anyone can respond
to an ARP request.
▪ ARP (cache) Poisoning: An
attacker sends fake responses
to ARP requests, often done
repeatedly for critical ARP
entries (Default Gateway).
⬧ A countermeasure
can be hardcoding
ARP entries.
▪ RARP (Reverse ARP) is used by
diskless workstations to get
IPs.

• ICMP (Internet Control Message Protocol):

▪ Used to help IP, for Ping (Echo request/reply) and TTL Exceeds in
Traceroute.
▪ Often used for troubleshooting.
▪ An ICMP Echo Request is sent to the IP, which then sends an ICMP reply
back (or not).
▪ Originally used (and still) to see if a host is up or down.
▪ Today if we get an Echo reply we know the host is up, but no reply does
not mean it is down.
▪ Firewalls and routers can block ICMP replies.

18 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
• Traceroute:
▪ Uses ICMP to trace a network route.
▪ Traceroute uses the TTL value in
somewhat reverse.
▪ We send a message with TTL 1.
⬧ The first router decrements the
TTL to 0 and sends an ICMP
Time Exceed message back,
First Hop is now identified.
▪ We send message 2 with TTL 2, 2nd
router does the same, it is identified.
▪ We do that over and over till the
destination is reached (maximum 30
hops).
• Telnet:
▪ Remote access over a network.
▪ Uses TCP port 23, all data is plaintext including usernames and passwords,
should not be used.
▪ Attackers with network access can easily sniff credentials and alter data
and take control of telnet sessions.
• SSH (Secure Shell):
▪ Designed to replace or add security to unsecure protocols Telnet, FTP,
HTTP,...
▪ V1 had vulnerabilities long ago and v2 has as well recently.
▪ Provides a 'secure' connection over an unsecured network (the internet).
▪ The Snowden leak in 2013 showed the NSA can 'sometimes' decrypt SSL
and get access to the data.
▪ On July 6th 2017 WikiLeaks confirmed the CIA (ONLY this one time it is the
Central Intelligence Agency) has developed a tool to crack the SSH
protocol.
⬧ BothanSpy is an implant that targets the SSH client program Xshell
on the Microsoft Windows platform.
⬧ Gyrfalcon is an implant that targets the OpenSSH client on Linux
platforms centos, debian, rhel, suse, ubuntu.
• FTP (File Transfer Protocol) - Transfers files to and from servers:
▪ No confidentiality or Integrity checks.
▪ Should also not be used, since the vast majority of what we transport is
over unsecure networks.
▪ Uses TCP Port 21 for the control collection - commands are sent here.
▪ Uses TCP Port 20 for the data collection - the actual data is sent here.
• SFTP (SSH /Secure File Transfer Protocol) - Uses SSH to add security to FTP.
• FTPS (FTP Secure) - Uses TLS and SSL to add security to FTP.

19 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
• TFTP (Trivial FTP):
▪ Uses UDP Port 69.
▪ No authentication or directory structure, files are written and read from
one directory /tftpboot.
▪ Used for "Bootstrapping" - Downloading an OS over the network for
diskless workstations.
▪ Used for saving router configuration.

• Email Protocols:
1. The MUA (Mail User Agent) formats the message and using SMTP sends the
message to the MSA (Mail Submission Agent).
2. The MSA determines the destination address provided in the SMTP protocol, in
this case jane@[Link]. The MSA resolves the fully qualified domain name of the
mail server in the DNS.
3. The DNS server for the domain [Link] ([Link]) responds with any MX (Mail
eXchange) records listing for that domain, in this case [Link], an MTA
(Message Transfer Agent) server run by the recipient's ISP.
4. [Link] sends the message to [Link] using SMTP. This server may need to
forward the message to other MTAs before the message reaches the final MDA.
5. The MDA delivers it to the mailbox of user Jane.
6. Jane's MUA picks up the message using either the Post Office Protocol (POP3) or
the Internet Message Access Protocol (IMAP).

20 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
• DNS (Domain Name System):
▪ Translates server names into IP Addresses, uses TCP and UDP Port 53
▪ [Link] can get translated into [Link] or
[Link] depending on requester's IP.
▪ Uses gethostbyname() and gethostbyaddress()
▪ Authoritative name servers - The authority for a given name space.
▪ Recursive name server - Tries to resolve names it does not already know.
▪ Cache name server - Keeps previously resolved names in a temporary
cache.
▪ DNS uses UDP for most requests and natively has no authentication. .
▪ DNS Poisoning is similar to ARP poisoning, an attacker sends a fake
address/name combo to another DNS server when asked and the server
keeps it in its DNS records until it expires.

• DNSSEC (DNS Security Extensions):

▪ Provides Authentication and Integrity using PKI Encryption.
▪ Does not provide Confidentiality - Think of it a digital signature for DNS.

• SNMP (Simple Network Management Protocol):

▪ Mostly used to monitor devices on our network (routers, switches,
servers, HVAC, UPS ...).
▪ An SNMP client agent is enabled or installed on the client.
▪ The device can report port up/down, traffic utilization, temperature,
memory use, HDD allocation,...
▪ SNMPv1 and SNMPv2 sends data in cleartext.
▪ SNMPv2 is still widely used, but should be avoided.
⬧ An attacker on the network can sniff the traffic, often the default
community strings are used "public and "private".
⬧ If an attacker gains access to the private (write) string they can re-
configure the device, shut it or interfaces down,...
▪ SNMPv3 uses encryption to provide CIA (Confidentiality, Integrity, and
Availability).
⬧ This should be the standard across any organization.

21 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
• HTTP and HTTPS - Transport HTML data.
▪ HTTP (Hypertext Transfer Protocol):
⬧ Uses TCP port 80
(8008 and 8080),
unencrypted
website data sent
across the internet.
• HTTPS (HTTP Secure):
▪ Uses TCP Port 443
(8443), encrypted data
sent over the internet.
• HTML (Hypertext Markup
Language):
▪ The actual language
webpages are written in.
▪ Not to be confused with HTTP/HTTPS.

• BOOTP (Bootstrap Protocol):

▪ Used for diskless workstations, used to determines OS (Downloaded with
tftp) and IP Address.
▪ Most system BIOSs support
BOOTP, they can then load
the OS without a disk.
• DHCP (Dynamic Host Configuration
Protocol):
▪ The common protocol we
use to assign IPs. Controlled
by a DHCP Server for your
environment.
▪ You most likely already use it
on your home network, this
is how when you connect a
cable or connect wireless,
you are online right away.
• Both BOOTP and DHCP use UDP Port 67
for the BOOTP/DHCP Server and UDP
Port 68 for the Client.

22 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
 Cables:
• Networking Cables:
▪ When it comes to networking cables, most people think RJ45 Copper
Ethernet cables, many more types are used
though.
▪ Networking cables all come with pros and
cons, some are cheap, some more secure,
some faster, ...
▪ They can also pose different security
vulnerabilities depending on the cable type
and the environment.
▪ EMI (Electromagnetic Interference):
⬧ Magnetism that can disrupt data
availability and integrity.
▪ Crosstalk is the signal crossing from one cable to another, this can be a
confidentiality issue.
▪ Attenuation is the signal getting weaker the farther it travels.
⬧ Copper lines have attenuation, with DSL the farther you are
from the DSLAM (Digital Subscriber Line Access Multiplexer) the
lower speed you get.

• Twisted Pair Cables:

▪ UTP (Unshielded Twisted Pair):
▪ Pairs of twisted pairs of cable.
⬧ Twisting them makes them less
susceptible of EMI.
⬧ 1 cable sends and 1 receives data.
⬧ The tighter the cables are twisted,
the less susceptible to EMI. For
example, CAT3 pairs (less tight) are
more susceptible to EMI than CAT6
(more tight).
▪ STP (Shielded Twisted Pair):
⬧ Has extra metal mesh shielding
around each pair of cables, making
them less susceptible to EMI, but
also making the cables thicker,
stiffer, and more expensive.

23 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
• Coax (Coaxial) Cables:
▪ Most commonly used for cable TV and Internet services.
▪ Coax Cables have built in layers:
⬧ Copper core in the middle.
⬧ A plastic insulator around the middle core.
⬧ A copper braid/shield around the insulator.
⬧ A plastic outer layer.
▪ The braid/shield makes it less susceptible to EMI and the thicker core can
provide higher speeds.

• Fiber Optic Cables Use light to carry data (vs. electricity for copper cables):
Pros: Speed 1 Petabit per second, 35miles/50 km over a single fiber.
⬧ Distance, it has no attenuation like copper, a single uninterrupted
cable can be 150 miles+ (240km+) long.
⬧ Not susceptible to EMI.
⬧ More secure than copper since it can't be sniffed as easily as
copper.
▪ Cons: Price, more difficult to use, you can break the glass in the cable if
you are not careful.
▪ Single-Mode fiber - A Single strand of fiber
carries a single mode of light (down the
center), used for long distance cables (Often
used in IP-Backbones).
▪ Multi-Mode fiber - Uses multiple modes (light
colors) to carry multiple data streams
simultaneously, this is done with WDM
(Wavelength Division Multiplexing).

24 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
• All cable measurements are in metric system (m/km).
• Only 3 countries in the world do not use metric system (Burma (Myanmar), Liberia,
and the United States).
▪ 1Kbps - Kilobits per second
⬧ 1,000 bps (103)
▪ 1Mbps - Megabit per second
⬧ 1,000,000 bps (106)
▪ 1Gbps - Gigabit per second
⬧ 1,000,000,000 bps (109)
▪ 1Tbps - Terabit per second
⬧ 1,000,000,000,000 bps (1012)
▪ 1Pbps - Petabit per second
⬧ 1,000,000,000,000,000 bps (1015)

25 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
 LAN Technologies and Protocols:
• Network topology describes the layout and topologies of interconnections between
devices and network segments.
• Ethernet and Wi-Fi are the two most common transmission technologies in use for
local area networks.
• At the data link layer and physical layer, a wide variety of LAN topologies have been
used, including ring, bus, mesh, and star.
• At the higher layers, NetBEUI, IPX/SPX, and AppleTalk used to be common, but
TCP/IP is now the de facto standard.
• Fiber-optic is commonly used between switches to servers and for backbone data
transfers; rarely used for desktops.
• Ethernet is baseband and uses copper TP, coax, and fiber cables.
▪ Ethernet was also not built for how we use networks today, so we bolt on
functionality we want
• Wireless technologies are often built into Smartphones, tablets, and laptops.
▪ In a wireless LAN, users can move unrestricted in the coverage area, the
transfer from one wireless access point to another is often completely
seamless.

• CSMA (Carrier Sense Multiple Access):

▪ Clients on a network check to see if the shared line is in use, if not they
will send their data.
▪ Clients listen to see if the line is idle: If idle, they send; if in use, they wait
a random amount of time (milliseconds).
• CSMA/CD (CSMA/Collision Detection):
▪ Used for systems that can send and receive at the same time like
Ethernet.
▪ If 2 clients listen at the same time and see the line is clear they can both
transmit at the same time causing collisions, CD is added to help with
that scenario.
▪ Clients listen to see if the line is idle: If idle, they send; if in use, they wait
a random amount of time (milliseconds).
⬧ While transmitting, they monitor the network.
⬧ If more input is received than sent, another workstation is also
transmitting.
• They send a Jam signal to tell the other nodes to stop
sending.
• Wait for a random amount of time before starting to
retransmit.
• CSMA CA (CSMA/Collision Avoidance):
▪ Used for systems that can either send or receive like wireless.
▪ They check if the line is idle: If idle, they send; if in use, they wait a
random amount of time (milliseconds).
⬧ Slightly different than CD, on Ethernet networks clients are normally
aware of other clients, on wireless that is not always the case.

26 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
⬧ If a lot of congestion, the client can send a RTS (Request To Send),
and if the host (the wireless access point) replies with a CTS (Clear
To Send), similar to a token, the client will transmit.
⬧ This goes some way to alleviating the problem of hidden nodes, in a
wireless network, the Access Point only issues a Clear to Send to
one node at a time.

 Legacy Lan Systems:

• ARCNET (Attached Resource Computer Network):
▪ Used network tokens for traffic, no collisions.
▪ Used a Star topology.
▪ 2.5Mbps.

• Token Ring:
▪ Used network tokens for traffic, no collisions.
▪ Used a Ring topology.
▪ 16Mbps.

• FDDI (Fiber Distributed Data Interface):

▪ Used token-bus for traffic, no collisions.
▪ Used a Ring topology.
▪ Used fiber and not copper so not susceptible to EMI.
▪ 100Mbps.

 Physical LAN Topologies:

• Bus:
▪ All nodes are connected in a line, each node inspects traffic and passes it
along.
▪ Not very stable, a single break in the
cable will break the signal to all nodes
past that point, including
communication between nodes way
past the break.
▪ Faulty NICs (Network Interface Card)
can also break the chain.
• Tree (Hierarchical):
▪ The base of the Tree topology controls
the traffic, this was often the
mainframe.

27 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
• Ring:
▪ All nodes are connected in a ring.
• Star:
▪ All nodes are connected to a
central device.
▪ This is what we normally use for
Ethernet, our nodes are connected
to a switch.
▪ Provides better fault tolerance, a
break in a cable or a faulty NIC will
only effect that one node.
▪ If we use a switch, no token
passing, or collision detection is
needed since each node is on its
own segment.
▪ If we use hubs, collisions will still
occur; but I hope none are around
anymore, not just how slow they
are, but more how unsecure they
are now.
• Mesh:
▪ Nodes are connected to each other in either a partial mesh or a full
mesh.
▪ Partial Mesh:
⬧ Nodes are directly connected to some other nodes.
▪ Full Mesh:
⬧ All nodes are directly
connected to all other
nodes.
⬧ More redundant but
requires a lot more cables
and NICs.
⬧ Often used in HA (High
Availability)
environments, with
cluster servers for
keepalives.

28 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
 WAN (Wide Area Network) Technologies and Protocols:
• The internet is built of 1000s of WAN ISPs (Internet Service Providers) and Long-Haul
providers.
• Legacy Connections:
▪ Some are still in use today, but they are
getting more rare, early on high-speed
internet connections were mostly used by
business.
▪ For the exam, know the basics about them
but no more.
• T1 (US): Dedicated 1.544 Mbps circuit carrying 24 64-
bit DS0 (Digital Circuit) Channels, this was done with
24 circuit-switched phone channels. Often also called
DS1.
• T3 (US): 28 bundled T1 lines, creating a dedicated
44.736 Mbps circuit.
• E1 (Europe): Dedicated 2.048 circuit carrying 30
channels.
• E3 (Europe): 16 bundled E1 lines, creating a dedicated
34.368 Mbps circuit.
▪ Frame Relay:
⬧ Packet-Switching L2 protocol, it has no error recovery and only
focuses on speed. Higher level protocols can provide that if needed.
⬧ PVC (Permanent Virtual Circuit):
▫ Always up, ready to transmit data.
▫ Form logical end-to-end links mapped over a physical
network.
⬧ SVC (Switched Virtual Circuit):
▫ Calls up when it needs to
transmit data and closes
the call when it is done.
⬧ Uses DLCI (Data Link Connection
Identifiers) to identify the virtual
connection, this way the receiving
end knows which connection an
information frame belongs to.

29 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
▪ X.25:
⬧ Used to be a standard protocol suite for packet switched WAN
communication.
⬧ An X.25 WAN consists of Packet-Switching Exchange (PSE) nodes as
the networking hardware and leased lines, plain old telephone
service connections, or ISDN connections as physical links.
⬧ Uses error correction which can add latency.
▪ SONET (Synchronous Optical Networking):
⬧ Carries multiple T circuits over fiber optics.
⬧ Uses a physical ring topology.

• MPLS (Multiprotocol Label Switching):

▪ Directs data from one node to the next based on short path labels and
not IP addresses.
▪ The labels identify virtual links/paths between
distant nodes and not the endpoint.
▪ Encapsulate packets for other
protocols/technologies (T1/E1, ATM, Frame
Relay, and DSL).
▪ Packet-forwarding decisions are made only on
the contents of this label and not by examining
the packet.
▪ With this, MPLS can create end-to-end circuits
across any type of transport medium using any
protocol.
▪ MPLS operates at a layer that is considered between the OSI models Data
link layer (L2) and Network layer (L3), often referred to as a layer 2.5
protocol.
▪ Often used to connect geographically distant locations of an organization
with MPLS VPN connections.

30 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
• Software-Defined Wide Area Network (SD-WAN)
▪ 85%+ of surveyed companies have deployed or plan to deploy within 2
years (Cisco/FortiNet).
▪ Why we are seeing a move towards SD-WAN:
⬧ Higher cheaper bandwidth,
flexibility and scalability of
bandwidth allocation, and
traffic engineering.
⬧ Ability to utilize many
different connection types
(DSL, cable, fiber, satellite,
4G/5G, ...).
⬧ Near real-time failover
between connection types.
⬧ Centralized easier
management, better insights,
reporting, and statistics.
⬧ Better performance with
intelligent routing, it can
choose the optimal network
circuit for a given application or type of traffic.
⬧ Rapid deployment with pre-configured appliances or virtual
appliances.
⬧ Secure connectivity - IPSec and next-generation firewall.
• SDLC (Synchronous Data Link Control):
▪ A synchronous L2 WAN protocol that uses polling to transmit data.
▪ Polling is similar to token passing but with the primary node polls and
secondary nodes, allowing them to transmit data when polled.
▪ Combined nodes can act as primary or secondary but using NRM
transmission only.
• HDLC (High-Level Data Link Control):
▪ The successor to SDLC.
▪ Adds error correction and flow control and two additional modes
(ARM/ABM).
• The three modes of HDLC and the one of SDLC are:
▪ NRM (Normal Response Mode): Secondary nodes transmit when given
permission by the primary only.
▪ ARM (Asynchronous Response Mode): Secondary nodes may initiate
communication with the primary node.
▪ ABM (Asynchronous Balanced Mode): When nodes act as primary or
secondary, initiating transmissions without receiving permission. This is
most commonly used mode.

31 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
• DNP3 (Distributed Network Protocol):
▪ We already covered this in
the last domain, but it
being a network protocol,
here it is again.
▪ A set of communications
protocols used between
components in process
automation systems.
▪ Mainly used in utilities such
as electric and water
companies.
▪ It plays a crucial role in SCADA systems.
▪ Used by SCADA for communication between a Master Station (Control
Centers) and Remote Terminal Units (RTUs), and/or Intelligent Electronic
Devices (IEDs).

• Storage Protocols:
▪ SAN (Storage Area Network) protocols provide a cost-effective way that
uses existing network infrastructure technologies and protocols to
connect servers to storage.
▪ A SAN allows block-level file access across a network,
it acts like an attached hard drive.
▪ FCoE (Fiber Channel over Ethernet):
⬧ The fiber Channel’s HBA (Host Bus Adapters)
are unique cards to interface with storage;
can be combined with the network interface
(NIC) for economies of scale.
⬧ FCoE uses Ethernet, not TCP/IP, and because
of that it is not routable.
▪ FCIP (Fiber Channel over IP): Encapsulates fiber
channel frames via TCP/IP.
▪ VSAN (Virtual Storage Area Network):
⬧ A collection of ports from a set of connected
fiber channel switches that form a virtual
fabric.
⬧ Ports within a single switch can be
partitioned into multiple VSANs; despite
sharing hardware and multiple switches, can
join a number of ports to form a single VSAN.

32 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
• Storage Protocols
▪ iSCSI (Internet Small Computer System Interface):
⬧ Leverages existing networking infrastructure and protocols to
interface with storage.
⬧ Uses the higher layers
of the TCP/IP model for
communication and
can be routed like any
IP protocol (so can
FCIP).
⬧ Can be used for storage
across a WAN.
⬧ Uses LUNs (Logical Unit
Numbers) to provide
for addressing storage
across the network.
⬧ LUNs can also be used
for basic access control
for network accessible
storage.

• VoIP (Voice over Internet Protocol):

▪ A group of technologies for the delivery of voice communications and
multimedia sessions over IP networks.
▪ The digital information is packetized and transmitted using UDP IP
packets over a packet-switched network.
▪ They transport audio streams using special media delivery protocols that
encode audio and video with audio codecs and video codecs.
▪ VoIP is commonly used on VoIP phones, smartphones, PCs, and on
Internet access devices; calls and text messages can be sent over 3G, 4G
or Wi-Fi.
▪ The security concerns of VoIP telephone systems are similar to those of
any Internet-connected device.
▪ Hackers who know about VoIP vulnerabilities can deploy denial-of-service
attacks, harvest customer data, record conversations, and compromise
voicemail messages.
▪ The quality of internet connection determines the quality of the calls;
where data traffic is more forgiving, VoIP is UDP and needs real time
error free connections.

33 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
▪ Where regular phones may work, VoIP phone service will not work if
there is a power outage or when the internet connection is down.
▪ We use many different VoIP protocols:
SIP (Session Initiation Protocol), H.323,
MGCP (Media Gateway Control
Protocol), Gateway Control Protocol,
RTP (Real-time Transport Protocol),
RTCP (Real-time Transport Control
Protocol),...
• SDN (Software-Defined Networking):
▪ Allows network administrators via
software to initialize, control, change,
and manage network behavior
dynamically.
▪ Addresses the static architecture of
traditional networks that doesn't
support the dynamic, scalable
computing and storage needs of more
modern computing environments such
as data centers.
▪ This is done by separating the router’s
control plane from the data plane, the
control plane makes routing decisions, the data plane forwards data
through the router.
▪ Giving us the option to be hardware vendor agnostic.

• Virtual eXtensible LAN (VXLAN):

▪ It is an encapsulation protocol that allows VLANs to span subnets and
physically distant locations.
▪ VXLAN can support up to 16 million virtual networks, whereas VLAN is
limited to 4,096.
▪ To implement micro-segmentation without restricting segments to only
local entities.
• Software-defined Wide Area Network (SD-WAN):
▪ Derived from SDN, used to connect distant data centers, locations, and
cloud services over WAN links.
• SDx (Software-Defined Everything):
▪ Any function that can be performed by or automated by software. This
includes networking, storage, data center, compute, security, WAN,
really anything.

34 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
• A wireless computer network that links two or more devices using a wireless
distribution method within a limited area (a home,
a school, a coffee shop, or an office building).
• Gives users the ability to move around within a
locally covered area and be connected to the
network.
• Often multiple APs (Access Points) are set up
throughout an office building to give seamless
roaming coverage for the employees.
• WLAN normally also provides an Internet
connection, but not always.
• Most modern WLANs are based on IEEE 802.11
standards and are marketed under the Wi-Fi brand
name.
• Wi-Fi makes us more mobile and our connection
more seamless, but it is easier to compromise than
cabled internet connection.

• Wi-Fi Attacks:
▪ Rogue Access Points:
⬧ An unauthorized access point that
has been added to our network
without our knowledge.
⬧ This can be malicious by an
attacker or just an employee
wanting Wi-Fi somewhere with
bad coverage.
⬧ Without our security posture, they
are a very big concern.
⬧ Can be somewhat mitigated with
Port security on the Switches and
by scanning for Rogue access
points.
⬧ Can compromise confidentiality
and integrity.

35 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
▪ Jamming/Interference:
⬧ This can be a lot of traffic on
the Wi-Fi frequencies or done
by attackers to disrupt our
network (DOS).
⬧ If interference is an issue, we
can change to other channels
if any less crowded channels
are available or to different
frequencies if our equipment
supports it.
⬧ The 2.4 GHz band is used by
Bluetooth, microwaves,
cordless phones, baby
monitors, Wi-Fi,…
⬧ Can compromise integrity and
availability.
▪ Evil Twin:
⬧ An evil twin is used when attackers are trying to create rogue
access points so as to gain access to the network or access to
information that is being put through a network.
⬧ Can be done on your network or not, the attacker simply names
their access point the same
as ours but with no security
and user devices
automatically connect to
them.
⬧ Can compromise
confidentiality and integrity.

36 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
• 802.11 Standards:
▪ The 802.11 is a set of
media access control
(MAC) and physical layer
(PHY) specifications for
implementing WLAN
computer communication
in the 2.4, 3.7, 5, and 6
GHz frequency bands.
▪ There are more 802.11
protocols but for the
exam know these.
▪ The 2.4 GHz frequency
can be very crowded;
wireless, Bluetooth,
microwaves, cordless
phones, and baby monitors,... use that frequency.
▪ The 5 GHz frequency is normally less crowded and has less interference
than 2.4 GHz.
▪ Now with the 6 GHz being available, one of it’s largest selling points is a
completely non-crowded frequency.
▪ 5 and 6 GHz is a higher frequency with shorter waves, it does not
penetrate walls, Floors, and other obstructions, as well as the longer 2.4
GHz waves.
▪ It is easy to change the channel your Wi-Fi to a less crowded one.
▪ Some access points management
software can dynamically change
the channels on individual access
points to find better channels and
provide less overlap.

37 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
• 802.11 Wireless NICs:
▪ Operate in four different modes:
⬧ Managed/Client mode:
▫ A wireless access point is required.
▫ Clients connect to an access point in
managed mode; once connected, clients
communicate with the access point only,
they can't directly communicate with
other clients.
⬧ Infrastructure mode:
▫ A wireless access point is required.
▫ Client must use the same SSID (service
set identifier) as the access point and if
encryption is enabled, they must share
the same keys or other authentication
parameters.
⬧ Ad-hoc mode network:
▫ The WNIC does not require an access
point but can interface with all other
wireless nodes directly.
▫ All the nodes in an ad hoc network must
have the same channel and SSID.
▫ A computer connected to the Internet
via a wired NIC may advertise an ad-hoc WLAN to allow
internet sharing.
⬧ Monitor mode or RFMON (Radio Frequency Monitor) mode:
▫ Enables a computer with a WNIC to monitor all traffic
received from the wireless network.
▫ Unlike promiscuous mode, which is also used for packet
sniffing, monitor mode allows packets to be captured
without having to associate with an access point or ad hoc
network first.

38 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
• SS (Service Set) is a set consisting of all the devices associated with an organization's
WLAN (Wireless Local Area Network).
• SSID (Service Set Identifier) is the name of the wireless access point you see when
you connect.
▪ Clients must know the SSID before joining that WLAN.
▪ The SSID is a configuration
parameter.
▪ SSIDs are normally broadcasted,
but we can disable the broadcast
in the access point configuration.
▪ It is a security measure we want to
use, but it is easy to bypass.
▪ We can also use MAC address
filtering on our wireless access
points, this is another limited
security feature.
▪ MAC addresses are sent in
plaintext on 802.11 WLANs, it is
easy to sniff and spoof.

• WEP (Wired Equivalent Privacy) protocol, early 802.11 wireless security (1997).
▪ No longer secure, should not be used.
▪ Attackers can break any WEP key in a few minutes.
▪ It was designed to not conflict with the Wassenaar
Arrangement’s 40bit limit on encryption and because
of that, it was designed weaker than it should have
been.
▪ Many access points still have the WEP option today,
but most are preconfigured with WPA2/PSK or
WPA3/SAE3.
▪ WEP uses 10 or 26 hexadecimal digits (40 or 104
bits).
▪ It was used widely years back and was often the first
security choice presented to users by router
configuration tools.
▪ WEP frames do not use timestamp and have no
replay protection, attackers can inject traffic by
replaying previously sniffed WEP frames.

39 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
• WPA (Wi-Fi Protected Access) (2003):
▪ Interim standard to address WEP issues, should not be used.
▪ Uses RC4 and TKIP (Temporal Key Integrity Protocol).
⬧ Neither are considered secure anymore.
⬧ TKIP uses a per-packet key, meaning that it dynamically
generates a new 128-bit key for each packet and preventing the
types of attacks that compromised WEP.
▪ WPA has been designed specifically to work with wireless hardware
produced prior to the introduction of the WPA protocol.

• WPA2 (Wi-Fi Protected Access II), also called RSN (Robust Security Network) (2004):
▪ Most commonly used but a slow move towards WPA3; the most secure
form of WPA2 is WPA2-PSK (Pre-Shared Key) using AES.
▪ AES provides confidentiality and CCMP (Counter Mode CBC MAC
Protocol), a Message Integrity Check (MIC), which provides integrity. It
can be configured to use older less secure protocols (TKIP).

• WPA3 (Wi-Fi Protected Access III) (2020)

▪ Current standard but transition from WPA2 is slow.
▪ 192-bit key strength and WPA3 replaces the pre-shared key (PSK)
exchange with Simultaneous Authentication of Equals (SAE) exchange,
uses AES-256 in GCM mode with SHA-384 as HMAC.

• Bluetooth:
▪ A wireless technology standard for exchanging data
over short distances using 2.4 GHz from fixed and
mobile devices and building personal area networks
(PANs).
▪ Bluetooth has three classes of devices; while designed
for short-distance networking, Class 1 can reach up to
100 meters.
▪ Class 1: 100 meters, 2: 10 meters, 3: under 10 meters.
▪ Bluetooth implements confidentiality, authentication,
and key derivation with custom algorithms based on
the SAFER+ block cipher.
▪ The E0 stream cipher is used for encrypting packets,
granting confidentiality, and is based on a shared
cryptographic secret, namely a previously generated
link key or master key.
▪ Cryptanalysis of E0 has proven it to be weak, attacks show the true
strength to be 38 bits or even less.
▪ Bluetooth key generation is generally based on a Bluetooth PIN which
must be entered on one or both devices.
▪ Bluetooth security is to some extent security through obscurity, it
assumes the 48-bit MAC address of the Bluetooth adapter is not known.

40 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
▪ Even when disabled, Bluetooth devices may be discovered by guessing
the MAC address.
▪ The first 24 bits are the OUI, which can be easily guessed,
the last 24 bits can be discovered with brute-force
attacks.

▪ Attacks:
⬧ Bluejacking: Sending unsolicited messages over
Bluetooth, most often harmless but annoying.
⬧ Bluesnarfing: Unauthorized access of
information from a Bluetooth device: phones,
desktops, laptops, ...
⬧ Bluebugging: The attacker gains total access
and control of your device; it can happen when
your device is left in the discoverable state.
▫ Only possible on older phones with outdated OSs, newer
smartphones constantly update their OS.
▪ Countermeasures:
⬧ Enable Bluetooth only when you needed it.
⬧ Enable Bluetooth discovery only when necessary and disable
discovery when your devices are paired.
⬧ Do not enter link keys or PINs when unexpectedly prompted to
do so.
⬧ Remove paired devices when you do not use them.
⬧ Regularly update firmware on all Bluetooth enabled devices.

• Li-Fi:
▪ Uses light to transmit data and position between devices.
▪ Can send high-speed data using visible light, ultraviolet, and infrared
spectrums.
▪ Can be used in areas prone to EMI (Electromagnetic interference), such
as aircraft cabins, hospitals, and nuclear power plants.
▪ Speeds (currently) up to 100 Gbit.
▪ Light can reflect off walls and still reach 70 Mbit without requiring a
direct line of sight.
▪ Pros: Not the same capacity as Wi-Fi (radio frequency exhaustion) and
can be used in places where Wi-Fi is prohibited.
▪ Cons: Short-range, not always reliable, and high cost of implementation.

41 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
• Zigbee:
▪ Mesh wireless network with low power, low data rate, and close
proximity.
▪ Simple and less complex compared to other
WPANs (Wireless Personal Area Networks) such
as Bluetooth or Wi-Fi.
▪ It has a range of 10 to 100 meters, but it requires
line-of-sight. Data rates vary between 20 kbit/s
(868 MHz band) and 250 kbit/s (2.4 GHz band).
• Satellite:
▪ For many years, satellite internet was a relatively
slow and expensive option.
▪ You have a modem, as with any other internet
connection, as well as a satellite dish (2-3 ft. or
60-90 cm).
▪ Typical satellite connections have had a latency
of 500 ms and speeds ranging from 10 to 50
Mbps.
▪ Starlink is currently testing speeds ranging from
20-200 Mbps down to 15-50 Mbps up, with
latencies ranging from 15-40 ms.

 Cellular Networks:
• Cellular networks/mobile networks are communication networks where the last leg
is wireless.
• The network is divided into cells and distributed across areas, with each cell
containing at least one fixed-location
transceiver, if not more.
• These base stations provide network
coverage to the cell, allowing it to
transmit voice, data, and other types of
content.
• To avoid interference and provide
guaranteed service quality within each
cell, a cell typically uses a different set
of frequencies than neighboring cells.

42 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
• 3G:
▪ Bandwidth: 2 Mbps, latency: 100-500 ms,
average speed 144 kbps.
• 4G:
▪ Bandwidth: 200 Mbps, latency: 20-30 ms,
average speed 25 Mbps, 16km (10 miles).
• 5G:
▪ Bandwidth: 5-20 Gbps, latency: <10 ms, average
speed 200-400 Mbps, 500m (1500 ft).
▪ High frequency, short-range, and can be blocked
by anything metal and even just solid objects.
▪ A lot more 5G towers are needed to get
coverage.

 Secure Network Devices and Protocols:

• We have different network devices through the OSI and TCP/IP models and many
have protocols specific to that device.
• Layer 1 Devices:
▪ Repeaters receive a signal and retransmit it.
⬧ They are used to extend transmissions so that the signal can
cover longer distances.
▪ Hubs are repeaters with more than 2 ports.
⬧ All traffic is sent out all ports; no Confidentiality or Integrity,
half-duplex, and not secure at
all.
• Layer 2 Devices:
▪ Bridges are 2 port switches used to
separate collision domains, sends traffic
across the 2 domains, but traffic from
one domain is not seen on the other
unless sent there.

43 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
▪ Switches are bridges with more than 2 ports.
⬧ Each port is its own collision
domain, fixing some of the issues
with collisions.
⬧ Can range from 4 to 500+ ports.
⬧ Use MAC addresses to direct
traffic.
⬧ Good switch security includes:
▫ Shutting unused ports down.
▫ Put ports in specific VLANs.
▫ Using the MAC Sticky command
to only allow that MAC to use
the port, either with a warning
or shut command if another
MAC accesses the port.
▫ Use VLAN pruning for Trunk
ports.

• Layer 2 Protocols:
▪ VLAN (Virtual LAN) is a broadcast domain that is partitioned and isolated
at layer 2.
⬧ Specific ports on a switch are assigned to a certain VLAN.
⬧ The Payroll VLAN is in 2 different buildings and spans multiple
switches.
⬧ VLANs use tags within network packets and tag handling in
networking systems, replicating
the appearance and functionality
of network traffic that is physically
on a single network but acts as if it
is split between separate
networks.
⬧ It allows networks and devices that
must be kept separate to share the
same physical devices without
interacting, for simplicity, security,
traffic management, and/or cost
reduction.
⬧ VLAN Trunks - Ports connecting
two switches to span VLANs across
them.
⬧ VLANs share bandwidth, a VLAN
trunk can use link aggregation,
quality-of-service prioritization or
both to route data efficiently.

44 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
• Virtual eXtensible Local Area Network (VXLAN):
▪ Made and widely used for cloud computing with organizations that have
mass tenants. (think AWS, Google or similar).
▪ Solves the issue with only having 4094 maximum VLANs.

• Layer 3 Devices:
▪ Routers:
⬧ Normally have a few ports vs. a lot on switches.
⬧ For our organizations, they are in the data centers.
⬧ In your home, they are often combined with a switch and
wireless in one box.
⬧ Forward traffic based on source and
destination IPs and ports.
⬧ Connecting our LANs to the WAN.
⬧ Send traffic to the most specific route in
their routing table.
⬧ Static route is a preconfigured route,
always sends traffic there for a certain
subnet.
⬧ Default gateway sends all non-local traffic to an ISP for
instance.
⬧ Dynamic route is learned from another routing via a routing
protocol (OSPF, EIGRP, BGP, IS-IS).
⬧ Metric is used to determine the best route to a destination.

45 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
▪ Routers have two operation planes:
⬧ Control Plane:
▫ A router maintains a routing table that lists which route
should be used to forward a data packet and through which
physical interface connection.
▫ It uses internal pre-configured static routes or by learning
routes using a dynamic routing protocol.
▫ Static and dynamic routes are stored in the RIB (Routing
Information Base).
▫ The control-plane logic then strips non-essential directives
from the RIB and builds an FIB (Forwarding Information
Base) to be used by the forwarding-plane.
⬧ Forwarding Plane:
▫ The router forwards data packets between incoming and
outgoing interface connections.
▫ It routes them to the correct network type using information
that the packet header contains.
▫ It uses data recorded in the routing table control plane.

• Layer 3 Protocols:
▪ We configure static routes for the certain paths, it is not scalable and
would be impossible to maintain manually.
▪ To help with that, we use dynamic routes learned through routing
protocols.
⬧ Convergence is when a set of routers have the same routing
information about the network they are in.
⬧ For routers to converge, they must have all available routes
from each other via routing protocols, all routers agree on what
the network topology looks like.
⬧ Any change in the network that affects routing tables will break
the convergence temporarily until this change has been
successfully communicated to all other routers.
⬧ All IGP (Interior Gateway Protocols) rely on convergence to
function right.
⬧ When dynamic is enabled, every participating router will
exchange what they know about the network.
⬧ How it is done and how much is shared depends on the routing
protocol used.
⬧ The Exterior Gateway Routing Protocol BGP typically never
converges because the Internet is too big for changes to be
communicated fast enough.

46 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
▪ Distance vector routing protocols:
⬧ Only focus on how far the
destination is in.
Hops (how many routers in between
here and there).
⬧ Do not care about bandwidth,
they just use the shortest path.
⬧ In the example on the right the
traffic will go over the 1Mbps
link even with it being 1/1000th
the speed of the 1Gbps links.
⬧ Not very used anymore, today
we use Link-state routing
protocols.
▪ RIP (Routing Information Protocol): Uses UDP port 520 for its transport
protocol.
⬧ One of the oldest distance-vector routing protocols which uses
the hop count as a routing metric.
⬧ Uses maximum hops to prevent routing loops, the maximum
number of hops for RIP is 15, a hop count of 16 is considered an
infinite distance and the route is considered unreachable,
routes are updated every 30 seconds.
⬧ RIP uses split horizon, route poisoning, and hold-down to
prevent incorrect information from propagating.
⬧ Hold-down timers are started per route entry when the hop
count is changing from lower value to higher value.
▫ This allows the route to get stabilized, during this time no
update can be done to that routing entry.
⬧ Route poisoning is used to prevent a router from sending
packets through a route that has become invalid.
▫ Provides updates with unreachable hop counts immediately
to all the nodes in the network.
⬧ Split-horizon route advertisement is used to prevent routing
loops by stopping a router from advertising a route back onto
the interface it learned the route from.
⬧ Split-horizon routing with poison reverse is a variant of split-
horizon route advertising where a router actively advertises
routes as unreachable over the interface over which they were
learned by setting the route metric to infinite.
⬧ That immediately removes most looping routes before they can
propagate through the network.

47 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
▪ Link-state routing protocols:
⬧ Each node independently runs an algorithm over the map to
determine the shortest path from itself to every other node in
the network.
⬧ The collection of best paths will then form the nodes routing
table.
⬧ It is based on a link cost across each path which includes
available bandwidth among other things.
⬧ Routing tables are synchronized at start up and updates are
only when topology changes occur.
⬧ OSPF (Open Shortest Path First): Used within a single routing
domain which is logically divided into areas.
▫ Can be used on IPv4 (v2) and IPv6 (v3) networks and
supports CIDR addressing model.
▫ Detects changes in the topology, such as link failures, and
converges on a new loop-free routing tables within seconds.
▫ Does not use a transport protocol (UDP/TCP) but
encapsulates the data directly in IP packets with protocol
number 89.
▪ Link-state routing protocols:
⬧ BGP (Border Gateway Protocol):
▫ The routing protocol used for the Internet.
▫ BGP routes between AS (Autonomous Systems) which are
networks with multiple Internet connections.
▫ Has some distance vector properties but is considered a path
vector routing protocol.
▫ BGP makes routing decisions based on paths, network
policies or rule-sets.
▫ BGP routing tables
are massive, some
routers can have
100,000s of routes.
▫ BGP currently has
860,000+ IPv4 and
100,000 IPv6 routes.
▫ IPv4 BGP is
predicted to grow by
50-60,000 per year
and IPv6 by 30-
40,000 per year.

48 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
• Firewalls: A firewall typically establishes a barrier between a trusted, secure internal
network, and another outside network, like the Internet.
▪ Packet filtering firewalls, OSI Layer 1-3.
⬧ Packet filters act by inspecting the
"packets" which are transferred
between clients.
⬧ If a packet does not match the
packet filter's set of filtering rules,
the packet filter will drop the packet
or reject it and send error responses
to the source.
⬧ Any packet that matches one of the
Permits is allowed to pass.
⬧ Rules are checked in order, the
attacker's traffic is dropped on the
3rd filter rule. Drop anything trying
to access [Link].
⬧ The internal machines can access
the server since their IPs are
whitelisted in the first rule.
▪ Stateful filtering firewalls, OSI Layer 1-4.
⬧ Records all connections passing through and determines
whether a packet is the start of a new connection, a part of an
existing connection or not part of any connection.
⬧ Static rules are still used, these rules can now contain
connection state as one of their criteria.
⬧ Some DOS attacks
bombard the firewall
with thousands of fake
connection packets
trying to overwhelm
the firewall by filling
its connection state
memory.

49 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
▪ A proxy server can act as a firewall by
responding to input packets in the manner
of an application while blocking other
packets.
▪ A proxy server is a gateway from one
network to another for a specific network
application in the sense that it functions as
a proxy on behalf of the network user.

▪ Application layer firewalls, OSI Layer 7.

⬧ The key benefit of application layer firewalls is that they can
understand certain applications and protocols.
⬧ They see the entire packet, the packet isn't decrypted until
layer 6, any other firewall can only inspect the packet but not
the payload.
⬧ They can detect if an unwanted application or service is
attempting to bypass the firewall using a protocol on an
allowed port or detect if a protocol is being used any malicious
way.
▪ Network firewalls filter traffic between two or more networks, either
software appliances running on general purpose hardware or hardware-
based firewall.
▪ Host-based firewalls provide a layer of software security on one host
that controls network traffic in and out of that single machine.
▪ Next-generation firewall (NGFW)
⬧ NGFW combines traditional firewall technologies with deep
packet inspection (DPI) and network security systems (IDS/IPS,
malware filtering and antivirus).
⬧ Packet inspection in traditional firewalls only looks at the
protocol header of the packet DPI also looks at the actual data
the packet is carrying.
⬧ Next-generation firewalls tries to include more layers of the OSI
model, improving filtering of network traffic that is dependent
on the packet contents.
⬧ DPI firewalls track the progress of web browsing sessions and
can tell if a packet payload, when assembled with other packets
in an HTTP server reply, is actually a legitimate HTML-formatted
response.

50 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
• Firewalls Design:
▪ A Bastion Host is a special purpose host designed and configured to
withstand attacks.
⬧ Normally hosts a single
application, all other services are
removed or limited to reduce the
threat to the host.
⬧ It is hardened in this manner
because of its location and
purpose which is either on the
outside of a firewall or in a DMZ
(demilitarized zone) and usually
involves access from untrusted
networks or computers.
▪ A Dual-Homed Host has two network
interfaces, one connected to a trusted
network and the other connected to an
untrusted network (Internet).
⬧ The dual-homed host doesn't
route.
⬧ Any user wanting to access the trusted network from the
outside, needs to log into the dual-homed host and then access
the trusted network from there.
⬧ No longer really used, mostly used premodern firewalls.
▪ Screened Host Architecture:
⬧ An older flat network design using one
router to filter external traffic to and
from a bastion host via ACLs.
⬧ The bastion host can reach other
internal resources, but the router's ACL
denies direct internal/external
connectivity.
⬧ The difference between dual-homed
host and screened host design is
screened host uses a screening router,
which filters Internet traffic to other
internal systems.
⬧ Screened host network design does not
use defense-in-depth: a failure of the
bastion host puts the entire trusted network at risk.
⬧ Screened subnet architecture evolved as a result, using network
defense in depth by using DMZs.

51 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
▪ Screened Subnet Architecture:
⬧ A screened subnet firewall is a variation of the dual-homed and
screened host firewall.
⬧ It can be used to separate components of the firewall onto
separate systems, achieving greater throughput and flexibility,
although at some cost to simplicity.
⬧ As each component system of the screened subnet firewall
needs to implement only a specific task, each system is less
complex to configure.
⬧ A screened subnet
firewall is often used to
establish a DMZ
(demilitarized zone).
⬧ Good design uses 2
different brands of
firewalls to avoid both having
the same vulnerabilities.

▪ DMZs:
⬧ Normal DMZs use 2 firewalls in a screened subnet, but they can
also be three-legged DMZs which only use 1 firewall.
⬧ Physical or logical subnetwork that contains and exposes an
organization's external-facing
services to an untrusted network,
like the Internet.
⬧ It adds an additional layer of
security to our organization's
LAN, an external network node
can access only what is exposed
in the DMZ, while the rest of the
organization's network is
firewalled.
▪ Firewalls are designed to fail closed, if they
crash, get flooded with traffic or are shut
down, they block all traffic.
▪ To get some redundancy we often use
firewall pairs and have the firewall in a
mesh topology, this way one firewall
failure will just shift the traffic paths.

52 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
• Modem (Modulator/Demodulator):
▪ Dial-up modems: Take binary data and modulate it into analog sound
that can be sent over phone networks designed to carry the human
voice.
▪ The receiving modem then demodulate the analog sound
back into binary data.
▪ ADSL modems (asymmetric digital subscriber line): TP
telephone cable can carry signals with higher frequencies
than the cable’s normal frequency rating.
▪ The signal strength drops the longer the cable
(Attenuation).
▪ Cable modems use infrastructure originally intended to
carry television signals and therefore designed from the outset to carry
higher frequencies.
▪ A single cable can carry radio, television, and broadband internet services
without interference.
▪ Newer types of broadband modems are also available, including satellite
and power line modems.

• DTE (Data Terminal Equipment):

▪ An end device often a desktop or a server (called tail circuits) that
converts user information into signals or reconverts received signals.
▪ A DTE device communicates with the data DCE (Data Circuit-terminating
Equipment).

• DCE is often a modem, it sits between the data terminal equipment (DTE) and a data
transmission circuit.
▪ The DCE does the signal conversion, coding, and line clocking and may be
a part of the DTE or intermediate equipment.
▪ Interfacing equipment may be required to couple the
data terminal equipment (DTE) into a transmission
circuit or channel and from a transmission circuit or
channel into the DTE.
▪ The DCE is at the end of an ISP’s network, it connects to
the customer DTE.
• The circuit is synchronous and both sides must synchronize to a
clock signal provided by the DCE.
• The Demarc is the point where the DTE and DCE meet, where the
network passes from ISP responsibility to customer.

53 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
 Secure Communications:
• Securing our data-in-motion is one of the most difficult tasks we have.
• The internet and IPv4 was never built to be secure and just like anywhere else we
need to find the right balance of Confidentiality, Integrity, and Availability.
• Authentication Protocols:
▪ Communications or cryptographic protocols designed to transfer
authentication data between two entities.
▪ They authenticate to the connecting entity (often a server) as well as
authenticate themselves(often a server or desktop) by declaring the type
of information needed for authentication as well as syntax.
▪ It is the most important layer of protection needed for secure
communication between networks.
▪ PAP (Password Authentication Protocol):
⬧ Authentication is initialized by client/user by sending packet
with credentials (username and password) at the beginning of
the connection.
⬧ One of the oldest authentication protocols, no longer secure.
The credentials are being transmitted over the network in plain
text making it vulnerable to simple attacks like Eavesdropping
and man-in-the-middle attacks.
▪ CHAP (Challenge-Handshake Authentication Protocol):
⬧ Provides protection against replay attacks by the peer through
the use of an incrementally changing identifier and of a variable
challenge-value.
⬧ Requires that both the client and server know the plaintext of a
shared secret like a password, it is never sent over the network.
⬧ Providing better security compared to PAP which is vulnerable
for both these reasons.
⬧ Used by PPP (Point to Point Protocol) servers to validate the
remote clients.
⬧ CHAP periodically verifies the identity of the client by using a
three-way handshake.
⬧ The CHAP server stores plaintext passwords of each client, an
attacker gaining access to the server can steal all the client
passwords
stored on it.

54 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
▪ 802.1X defines the encapsulation of the EAP (Extensible Authentication
Protocol).
⬧ 802.1X authentication involves three parties: a supplicant, an
authenticator, and an AS (authentication server).
⬧ The supplicant is a client device (normally a workstation) that
wants to attach to the LAN/WLAN, normally software running
on the client that provides credentials to the authenticator.
⬧ The authenticator is a network device, a switch or wireless AP.
⬧ The AS (Authentication server) is typically a host running
software supporting the RADIUS and EAP protocols.
⬧ In some cases, the
authentication
server software
may be running on
the authenticator
hardware.
⬧ EAP is widely used
in 802.11 (Wi-Fi),
the WPA, and
WPA2 standards; it
was adopted with
100+ EAP Types as
the official
authentication mechanism.
▪ PEAP (Protected EAP):
⬧ A protocol that encapsulates EAP within a encrypted and
authenticated TLS (Transport Layer Security) tunnel.
⬧ Developed by Cisco Systems, Microsoft, and RSA Security.
▪ EAP-MD5:
⬧ Very weak forms of EAP. It offers client to server authentication
only, where most others provide mutual authentication.
⬧ Vulnerable to man in the middle attacks and password attacks.
▪ LEAP (Lightweight Extensible Authentication Protocol):
⬧ Cisco distributed the protocol through the CCX (Cisco Certified
Extensions) as part of getting 802.1X and dynamic WEP
adoption into the industry in the absence of a standard.
⬧ No native support of LEAP in the Windows OS.
▪ EAP-TLS (EAP-Transport Layer Security):
⬧ Uses PKI, requiring both server and client-side certificates.
⬧ Establishes a secure TLS tunnel used for authentication.
⬧ This makes it very secure but also complex and expensive.

55 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
▪ EAP-TTLS (EAP Tunneled Transport Layer Security):
⬧ Simpler than EAP-TLS by dropping the client-side certificate
requirement, allowing other authentication methods for client-
side authentication.
⬧ This makes it easier to deploy but also less secure.
▪ PANA (Protocol for Carrying Authentication for Network Access):
⬧ Allows a device to authenticate itself with a network to be
granted access.
⬧ EAP will be used for authentication protocol, key distribution,
key agreement, and key derivation protocols.
▪ SLIP (Serial Line Internet Protocol):
⬧ An encapsulation of IP designed to work over serial ports and
modem connections.
⬧ On PCs it has been replaced by PPP, which is better engineered,
has more features, and does not require its IP address
configuration to be set before it is established.
⬧ On microcontrollers, SLIP is still the preferred way of
encapsulating IP packets because of the very small overhead.
▪ PPP (Point-to-Point Protocol):
⬧ Used over many types of physical networks including serial
cable, phone line, trunk line, cellular telephone, ...
⬧ PPP is also used over Internet access connections.
⬧ ISPs (Internet Service Providers) have used PPP for customer
dial-up access to the Internet since IP packets cannot be
transmitted over a modem line on their own without some data
link protocol.
▪ VPN (Virtual Private Network):
⬧ Extends a private network
across a public network
and users can send and
receive data across shared
or public networks as if
they were on the private
network.
⬧ VPNs may allow employees
and satellite offices to
securely access the
organization's intranet.
⬧ They are used to securely
connect.
⬧ Can also be used to get
around geo-restrictions
and censorship or to
connect to proxy servers for the purpose of protecting personal
identity and location.

56 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
⬧ Created by establishing a virtual point-to-point connection
using dedicated connections, virtual tunneling protocols or
traffic encryption.
▪ PPTP (Point-to-Point Tunneling Protocol):
⬧ Obsolete method for implementing virtual private networks
because of many known security issues.
⬧ PPTP uses a TCP control channel and a GRE tunnel to
encapsulate PPP packets.
⬧ No built-in encryption or authentication and PPP being
tunneled to implement security.
▪ L2TP (Layer 2 Tunneling Protocol):
⬧ Tunneling protocol used to support VPNs or as part of the
delivery of services by ISPs.
⬧ No built-in encryption or confidentiality, it relies on an
encryption protocol that it passes within the tunnel to provide
privacy.

• IPSEC (Internet Protocol Security):

▪ SA (Security Association): Simplex one-way communication, can be used
to negotiate ESP (Encapsulation Security Payload) or AH (Authentication
Header) parameters.
⬧ If 2 systems use ESP to communicate, they need 1 SA for each
direction (2 total); if AH and ESP, 4 total.
⬧ A unique 32bit SPI (Security Parameter Index) is used to identify
each SA connection.
▪ ISAKMP (Internet Security And Key Management Protocol):
⬧ Manages the SA creation process.
▪ Tunnel mode encrypts and authenticates the entire package (including
headers).
▪ Transport mode only encrypts and authenticates the payload, used for
systems that speak IPSEC.
▪ IKE (Internet Key Exchange):
⬧ IPsec can use different types of encryption (3DES or AES) and
hashes (MD5, SHA1, SHA2, …).
⬧ IKE negotiates the algorithm selection process.
⬧ The 2 sides of an IPsec tunnel will normally use IKE to negotiate
to the highest and fastest level of security, selecting AES over
single DES for confidentiality if both sides support AES, for
example.

57 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
▪ IPSec can protect data flows between a pair of hosts (host-to-host), a pair
of security gateways (network-to-network), and a security
gateway and a host (network-to-host).
▪ IPSec is an end-to-end security scheme operating in the
Internet Layer of the TCP/IP model, only IPsec protects all
application traffic over an IP network.
▪ IPsec can automatically secure applications at the IP layer.
• SSL and TLS – Confidentiality and Authentication for web traffic.
▪ Cryptographic protocols for web browsing, email, Internet
faxing, instant messaging, and VOIP.
▪ You download the server’s digital certificate which
includes the sites public key.
▪ SSL (Secure Socket Layer) Currently on v3.0.
⬧ Mostly used for web traffic.
▪ TLS (Transport Layer Security) More secure than SSL v3.0.
⬧ Used for internet chat and email client access
and used for securing web traffic.

• ISDN (Integrated Services Digital Network) - OSI layer 1-3.

▪ Used for digital transmission of voice, video, data, and other network
services over the traditional circuits of the public switched telephone
network.
▪ A circuit-switched telephone network system which also provides access
to packet switched networks.
▪ It offers circuit-switched connections (for either voice or data) and
packet-switched connections (for data) in increments of 64 kilobit/s but
could be higher with channel bonding.

• DSL (Digital Subscriber Line) is a family of technologies that are used to transmit
digital data over telephone line.
▪ Often used to describe ADSL (Asymmetric DSL), the most common DSL
technology.
▪ DSL service can be delivered side by side with wired telephone service on
the same line, this is possible because DSL uses higher frequency bands
for data.
▪ At the customer Demarc, a DSL filter on each non-DSL outlet blocks any
high-frequency interference to enable simultaneous use of the voice and
DSL services.

58 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
• Callback is a modem-based authentication system.
▪ Was mostly used for securing dial-up connections.
▪ The client computer calls the server computer.
▪ After a greeting the client identifies itself, usually with a
username.
▪ The server disconnects the call.
▪ Depending on the username and a list of users' phone
numbers, the server will then establish a second call back to
the client computer.
▪ The client computer expecting this returned call will then
answer and communications between the two computers will
proceed normally.

• Caller ID does the same, but the user has to be calling from the right
number.
▪ It can easily be faked, many phones or phone companies
allow the end user pick their caller ID.

• Remote Administration is controlling a computer from a remote location, we do this

through software.
▪ A remote location may refer to a computer in the next room or to one
across the world.
▪ Any computer with an Internet connection can be remotely
administered.

• RDP (Remote Desktop Protocol) - A Microsoft proprietary protocol.

▪ The user uses RDP client software for this, and the other computer must
run RDP server software.
▪ Providing a user with a GUI (Graphical User Interface) by default, the
server listens on TCP and UDP 3389.
• VNC (Virtual Network Computing) - Non-MS proprietary and can run on most OSs
(Using screen scraping).
▪ It was at first used for remote administration of computers but is also
being used more and more now for Remote Desktop Protocol for multi-
user environments and helpdesk RDP access.

• Newer versions use HTTPS (TCP port 443) and has the GUI contained in a browser.
▪ You install the software on the system you want to access and the one
you want to access from, set up username/password and you can control
that system from anywhere.
▪ Commonly used include: Chrome Remote Desktop, LogMeIn, GoToMyPC,
[Link],…

59 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
• VDI (Virtualized Desktop Infrastructure/Interface):
▪ Thin Clients:
⬧ Diskless Workstation (Diskless node) has all the normal
hardware/firmware except the disk, it has the lower-level OS
(the BIOS) which performs the POST and it then downloads the
kernel and OS.
⬧ Thin Client Applications - We use a Web
Browser to connect to the application on a
server on port 80 (HTTP) or port 443 (HTTPS),
the full application is housed and executed
on the server vs. on your PC.
⬧ Often stripped of non-essentials like CD
drives, most ports,...

▪ Zero Clients:
⬧ Getting more popular for VDI because they
are even slimmer and more cost-effective
than thin clients.
⬧ These are client devices that require no
configuration and have nothing stored on
them.
⬧ They are sold by Dell, Fujitsu, HP, Pano
Logic,...

• IM (Instant Messaging):
▪ Short messages are typically sent between two parties (one-to-one) or
many to many (group IMs).
▪ Some IM applications can use push technology to provide real-time text
which transmits messages character by character as they are typed,
others send when you hit enter.
▪ More advanced instant messaging can add file transfer, clickable
hyperlinks, Voice over IP, and video chat.
▪ Commonly used chat protocols today include IRC, Jabber, Lync, and still
used but very limited ICQ and AIM.
▪ Today most IM’ing is done embedded in other applications like Facebook,
LinkedIn, Twitter, or WhatsApp.
▪ Many IM applications and protocols are not designed with security in
mind, they are designed for usability.
⬧ A report on the level of safety offered by instant messengers,
only 2 out of 18 instant IM apps they looked got “nothing of
concern” on sending sensitive attachments and mining/selling
customer data, the rest got “not recommended”. The most
popular messenger has 25 “not recommended” and only 6
“nothing of concern” when looking at privacy and security.

60 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
⬧ IM connections are often sent in plain text, making them
vulnerable to eavesdropping.
⬧ Software often requires the user to open UDP ports, increasing
the threat posed by potential security vulnerabilities.

• Web Conferencing:
▪ An umbrella term for different types of online collaborative services
including webinars, webcasts, and peer-level web meetings.
▪ Commonly used ones are WebEx, Zoom, GoToMeeting, Google Meet,
TeamViewer, ...
▪ Done over TCP/IP connections, services often use real-time point-to-
point communications as well as multicast communications from one
sender to many receivers.
▪ It offers data streams of text-based messages, voice, and video chat to be
shared simultaneously across geographically dispersed locations.
▪ Applications where web conferencing is used: Meetings, training events,
lectures or presentations one-to-one or many-to-many like IMs.
▪ The use of web conferencing should align with your organizations
policies, some may, if not implemented right be a security vulnerability.
▪ They can bypass some security by using SSL/TLS tunnels and acceptable
products should be hardened.

• CDN (Content Distribution Network):

▪ A geographically dispersed network of
proxy servers and data centers.
▪ The client is sent to the server node with
the lowest latency in MS.
▪ The client's webpages, software download,
and video streaming are faster.
▪ The provider saves on cost, sending traffic
short distances vs. long distance and it
provides redundancy and some DDOS
protection.
▪ The idea is to distribute service spatially
relative to end-users to provide high
availability and high performance.
▪ Many different services can be provided
over CDNs : video streaming, software
downloads, web and mobile content
acceleration, licensed/managed CDN,
transparent caching, and services to
measure CDN performance, load balancing,
multi-CDN switching and analytics, and cloud intelligence.

61 | P a g e
[Link]
 CISSP Domain 4 Lecture notes
• Third-party Connectivity:
▪ Medium size enterprises typically have 20 or more third-party providers. I
believe the hospital where I worked in Hawaii had more than 200 third-
party providers.
▪ How do we ensure they are secure enough and conform to our policies
and procedures?
▪ Many never have direct contact with IT or IT-Security.
▪ We must conduct a thorough risk assessment to ensure that whatever
they provide does not jeopardize our security posture, or we must accept
the risk.
▪ We should have MOUs/MOAs and ISAs (Interconnection Security
Agreement).

• Network Access Control (NAC):

▪ Automatic detection and response to ensure our systems are in
adherence with our security policies.
▪ Can helps us with the prevention or reduction of 0-day and known
attacks.
▪ Along with ensuring that security policies are adhered to at all times.

 What we covered in the Fourth CBK Domain:

• In this domain we covered how our Network and Communications channels work
and how to protect them.
• The OSI and TCP/IP logical models.
• How the internet/intranet works with:
▪ IP addresses: IPv4, IPv6, Private, and Public Addresses.
▪ Common ports.
▪ DNS, ARP, DHCP, NAT, PAT, and the other protocols we use to make our
network function.
▪ The networking routing protocols.
▪ How we secure our communication on our local network and the
internet.
▪ Micro-segmentation, wireless, and cellular networks.
▪ Common Attack types and how to mitigate them.
• Networking equipment and how we secure the different types.
▪ Repeaters, Hubs, Routers, Switches, Firewalls, cable types, ...
• Network topologies and technologies.
▪ LAN, WAN, Ring, Star, Mesh,...

62 | P a g e
[Link]
 CISSP Domain 4 Lecture notes

63 | P a g e
[Link]
 CISSP Domain 5 Lecture notes

Welcome to the Fifth CBK Domain:

 In this domain we cover:
• Physical and logical assets control.
▪ The logical and physical controls we implement.
• Identification and authentication of people and devices.
▪ How we identify and authenticate our authorized users.
• Identity as a service (e.g., cloud identities).
• Third-party identity services (e.g., on-premise).
• Access control attacks.
▪ Common attacks, and how we mitigate them with defense in depth.
• Identity and access provisioning lifecycle (e.g., provisioning review).

This chapter focuses on how we identify our assets, the platforms we use for them, how we provide
authorized access and prevent unauthorized access to the assets and the asset and identity lifecycle.
CBK 5 makes up 13% of the exam questions.

 Access Control:
• Our Access Control is determined by our policies, procedures, and standards.
• This outlines how we grant access whom to what:
▪ We use least privilege, need to know, and we give our staff and systems exactly
the access they need and no more.
• Access control spans all the layers of our defense in depth model, different permissions
are granted to different subjects depending on their need to access the systems or data
and that adheres to the procedures for that area.
• We covered some of this when we talked about physical security, how we use fences,
locks, turnstiles, bollards, ...
• How do we Identify, Authenticate, Authorize
our subjects, and how we keep them
Accountable (IAAA).
• We never use group logins or accounts; they
have no accountability.

1|Page
[Link]
 CISSP Domain 5 Lecture notes
 IAAA Access Management:
• Identification:
▪ Your name, username, ID number, employee number, SSN etc.
• Authentication:
▪ Should always be done with Multifactor Authentication!
⬧ Something you know - Type 1 Authentication (passwords, pass phrase,
PIN etc.).
⬧ Something you have - Type 2 Authentication (ID, Passport, Smart Card,
Token, cookie on PC etc.).
⬧ Something you are - Type 3 Authentication (and Biometrics)
(Fingerprint, Iris Scan, Facial geometry etc.).

• Multi-factor authentication requires authentication from 2 or more categories.

▪ Card and Pin, fingerprint and password qualify, but password and username
does not (both are something you know).

• Something you know - Type 1 Authentication:

▪ Passwords, pass phrase, PIN etc., also called Knowledge factors.
▪ The subject uses these to authenticate their identity, if they know the secret,
they must be who they say they are.
▪ This is the most commonly used form of authentication, and a password is the
most common knowledge factor.
▪ The user is required to prove knowledge of a secret in order to authenticate.
▪ Variations include both longer ones formed from multiple words (a passphrase)
and the shorter purely numeric PINs (personal identification number) commonly
used for cash machines (ATM’s).
▪ It is the weakest form of authentication and can easily be compromised.
▪ Secret questions like "Where were you born?" are poor examples of a
knowledge factor, it is known by a lot of people and can often be researched
easily.
⬧ Sarah Palin had her email account hacked during the 2008 US
Presidential campaign using her secret questions. Since she used basic
ones (high school and birthday, …) the hackers could easily find that
information online, he reset her password with the information and
gained full control of her email account.

2|Page
[Link]
 CISSP Domain 5 Lecture notes
▪ Passwords:
⬧ It is always easier to guess or steal passwords than it is to break the
encryption.
⬧ We have password policies to ensure they are as secure as possible.
▫ They should contain minimum length, upper/lower case letters,
numbers and symbols, they should not contain full words or
other easy to guess phrases.
▫ They have an expiration date, password reuse policy and
minimum use before users can change it again.
▫ Common and less secure passwords often contain:
→ The name of a pet, child, family member, significant
other, anniversary dates, birthdays, birthplace, favorite
holiday, something related to a favorite sports team, or
the word "password".
→ Winter2017 is not a good password, even if it does fulfil
the password requirements.
⬧ Key Stretching – Adding 1-2 seconds to password verification.
▫ If an attacker is brute forcing a password and needs millions of
tries it will become an unfeasible attack.
⬧ Keylogging (Keystroke Logging):
▫ A keylogger is added to the user's
computer and it records every keystroke
the user enters.
▫ Hardware, attached to the USB port
where the keyboard is plugged in.
→ Can either call home or needs to
be removed to retrieve the
information
▫ Software, a program installed on the computer.
→ The computer is often compromised by a trojan, where
the payload is the keylogger or a backdoor.
→ The keylogger calls home or uploads the keystrokes to a
server at regular intervals.
⬧ Brute Force Attacks (Limit number of wrong logins):
▫ Uses the entire key space (every possible key), with enough
time any ciphertext can be decrypted.
▫ Effective against all key based ciphers except the one-time pad,
it would eventually decrypt it, but it would also generate so
many false positives the data would be useless.
⬧ Dictionary Attacks (Limit number of wrong logins, do not allow
dictionary words in passwords):
▫ Based on a pre-arranged listing, often dictionary words

3|Page
[Link]
 CISSP Domain 5 Lecture notes
▫ Often succeed because people choose short passwords that are
ordinary words and numbers at the end.
⬧ Rainbow Tables Attacks (Limit number of wrong logins, Salts):
▫ Pre-made list of plaintexts and matching ciphertext.
▫ Often Passwords and matching Hashes a table can have
1,000,000's of pairs.
⬧ Salt (Salting):
▫ Random data that is used as an additional input to a one-way
function that hashes a password or passphrase.
▫ Salts are very similar to nonce.
▫ The primary function of salts is to defend against dictionary
attacks or a pre-compiled rainbow table attack.
⬧ Nonce (arbitrary number that may only be used once):
▫ It is often a random or pseudo-random number issued in an
authentication protocol to ensure that old communications
cannot be reused in replay attacks.
▫ They can also be useful as initialization vectors and in
cryptographic hash function.
⬧ Clipping Levels: Clipping levels are in place to prevent administrative
overhead.
▫ It allows authorized users who forget or mistype their password
to still have a couple of extra tries.
▫ It prevents password guessing by locking the user account for a
certain timeframe (an hour), or until unlocked by an
administrator.
⬧ Many systems store a cryptographic hash of passwords.
▫ If an attacker can get access to the file of hashed passwords
guessing can be done off-line, rapidly testing candidate
passwords against the true password's hash value.
▫ This will circumvent the clipping levels, stealing is always easier
than decrypting it.
⬧ Some access systems store user passwords in plaintext, they are used to
compare user log on attempts.
▫ We need to secure every link in the chain, attackers will go for
the weakest one, it is often people, but can just as well be our
systems.
▪ Password Management:
⬧ We covered some password requirements, here are the official
recommendations by the U.S. Department of Defense and Microsoft.
▫ Password history = set to remember 24 passwords.
▫ Maximum password age = 90 days.

4|Page
[Link]
 CISSP Domain 5 Lecture notes
▫ Minimum password age = 2 days (to prevent users from cycling
through 24 passwords to return to their favorite password
again).
▫ Minimum password length = 14 characters.
▫ Passwords must meet complexity requirements = true.
▫ Store password using reversible encryption = false.

• Something you have - Type 2 Authentication:

▪ ID, passport, smart card, token, cookie on PC, these are
called Possession factors.
⬧ The subject uses these to authenticate their
identity, if they have the item, they must be who
they say they are.
⬧ Simple forms can be credit cards, you have the
card, and you know the pin, that is multifactor
authentication.
⬧ Most also assume a shared trust, you have your
passport, it looks like you on the picture, we trust
the issuer, so we assume the passport is real.
▪ Single-Use Passwords:
⬧ Having passwords which are only valid once makes many potential
attacks ineffective, just like one-time pads.
⬧ While they are passwords, it is something you have in your possession,
not something you know.
⬧ Some are one-time-pads with a challenge-response or just a pin or
phase sent to your phone or email you need to enter to confirm the
transaction or the login.
⬧ Most users find single use passwords extremely inconvenient.
⬧ They are widely implemented in online banking, where they are known
as TANs (Transaction Authentication Numbers).
⬧ Most private users only do a few transactions each week, the single-use
passwords has not led to customers refusing to use it.
▫ It is their money; they actually care about keeping those safe.

5|Page
[Link]
 CISSP Domain 5 Lecture notes
▪ Smart Cards and Tokens (contact or contactless):
⬧ They contain a computer circuit using an ICC (Integrated Circuit Chip).
⬧ Contact Cards - Inserted into a
machine to be read.
▫ This can be credit cards
you insert into the chip
reader or the DOD CAC
(Common Access Card).
⬧ Contactless Cards - can be read
by proximity.
▫ Key fobs or credit cards
where you just hold it
close to a reader.
▫ They use a RFID (Radio
Frequency Identification)
tag (transponder) which is
then read by a RFID
Transceiver.
▪ Magnetic Stripe Cards:
⬧ Swiped through a reader, no circuit.
⬧ Very easy to duplicate.
▪ Tokens:
⬧ HOTP and TOTP can be either hardware or
software based.
⬧ Cellphone software applications are more
common now.
▫ HOTP (HMAC-based One-Time
Password):
→ Shared secret and incremental
counter, generate code when
asked, valid till used.
▫ TOTP (Time-based One-Time
Password):
→ Time based with shared secret,
often generated every 30 or 60
seconds, synchronized clocks
are critical.

6|Page
[Link]
 CISSP Domain 5 Lecture notes
▪ A Wisconsin company Three Square Market (32M) is offering to implant tiny
radio-frequency chips in its employees.
▪ They say the employees are lining up for the
technology.
▪ Employees who have the rice-grain-sized RFID chip
implanted between their thumb and forefinger can
then use it "to make purchases in their break room
micro market, open doors, login to computers, use
the copy machine,"
▪ "The chip is not trackable and only contains
information you choose to associate with it," the
company said, "This chip does not have GPS
capabilities."
▪ I would never do this; I understand they save 5
seconds at the copier.
⬧ I just have an innate skepticism when
companies say, “We can’t, or we won’t use this for anything else than
intended”.
⬧ History proves they rarely do just that.

• Something you are - Type 3 Authentication

(Biometrics):
▪ Fingerprint, iris scan, facial geometry etc.,
these are also called realistic authentication.
⬧ The subject uses these to
authenticate their identity, if they
are that, they must be who they say
they are.
⬧ Something that is unique to you, this
one comes with more issues than
the two other common
authentication factors.
⬧ We can allow unauthorized people
into our facilities or systems if we
accept someone by mistake. (False
Accept)
⬧ We can prevent our authorized
people from entering our facilities if
we refuse them by mistake. (False
Reject).

7|Page
[Link]
 CISSP Domain 5 Lecture notes
▪ Errors for Biometric Authentication:
⬧ FRR (False rejection rate) Type 1 error:
▫ Authorized
users are
rejected.
▫ This can be too
high settings -
99% accuracy
on biometrics.
⬧ FAR (False accept rate)
Type 2 error:
▫ Unauthorized
user is granted
access.
▫ This is a very
serious error.
⬧ We want a good mix of FRR and FAR where they meet on the graph is
the CER (Crossover Error Rate), this is where we want to be.

▪ Biometric identifiers are often categorized as physiological and behavioral

characteristics.
⬧ Physiological Characteristics uses the shape of the body, these do not
change unless a drastic event occurs.
▫ Fingerprint, palm veins, facial recognition, DNA, palm print,
hand geometry, iris recognition, retina, and odor.
⬧ Behavioral Characteristics uses the pattern of behavior of a person,
these can change, but most often revert back to the baseline.
▫ Typing rhythm, how you walk, signature and voice.

▪ Issues with Biometric Authentication:

⬧ We also need to respect and protect our employee’s privacy:
▫ Some fingerprint patterns are related to chromosomal diseases.
▫ Iris patterns could reveal genetic sex, retina scans can show if a
person is pregnant or diabetic.
⬧ Hand vein patterns could reveal vascular diseases.
⬧ Most behavioral biometrics could reveal neurological diseases, etc.
⬧ While passwords and smart cards should be safe because you keep
them a secret and secure, biometrics is inherently not and something
others can easily find out.

8|Page
[Link]
 CISSP Domain 5 Lecture notes
⬧ Attackers can take pictures of your face, your fingerprints,
your hands, your ears and print good enough copies to get
past a biometric scan.
⬧ It is possible to copy fingerprints from your high-resolution
social media posts if you do a peace sign like the one on the
right here.
⬧ How you type, sign your name and your voice pattern can
be recorded, also not too difficult to cheat biometrics if it is
worth the effort.
⬧ Some types are still inherently more secure, but they are
often also more invasive.
⬧ Lost passwords and ID cards can be replaced with new different ones,
biometrics can’t.
⬧ Which should make us question even more the mass collection of
biometric data.
▫ When Home Depot loses 10 million credit card numbers it is
bad, but they can be reissued.
▫ The US Office of Personnel Management got hacked and lost 5.6
million federal employees’ fingerprints.
▫ The FBI has a database with 52 million facial images and
Homeland Security and U.S. Customs and Border Patrol is
working on adding the iris scans and 170 million foreigner
fingerprints to the FBI’s database.
▫ The compromises of the future will have much more wide-
reaching ramifications than the ones we have seen until now.

9|Page
[Link]
 CISSP Domain 5 Lecture notes
• Authorization:
▪ We use Access Control models to determine what a subject is allowed to access.
▪ What and how we implement depends on the organization and what our
security goals are, type can often be chosen dependent on which leg of the CIA
Triad is the most important one to us.
▪ If it is Confidentiality, we would most likely go with
Mandatory Access Control.
▪ If it is Availability, we would most likely go with
Discretionary Access Control.
▪ If it is Integrity, we would most likely go with
Role Based Access Control or Attribute
Based Access Control.
▪ There technically is also RUBAC (Rule
Based Access Control), it is mostly
used on firewalls with IF/THEN
statements but can be used in
conjunction with the other models to
provide defense in depth.

• DAC (Discretionary Access Control) - Often used when Availability is most important:
▪ Access to an object is assigned at the discretion of the object owner.
▪ The owner can add, remove rights, commonly used by most OS's’.
▪ Uses DACL’s (Discretionary ACL), based on user identity.

• MAC (Mandatory Access Control) - Often used when Confidentiality is most important:
▪ Access to an object is determined by labels and clearance, this is often used in
the military or in organizations where confidentiality is very important.
▪ Labels: Objects have Labels assigned to them; the subject's clearance must
dominate the object's label.
⬧ The label is used to allow Subjects with the right clearance access them.
⬧ Labels are often more granular than just “Top Secret”, they can be “Top
Secret – Nuclear”.
▪ Clearance: Subjects have Clearance assigned to them.
⬧ Based on a formal decision on a subject's current and future
trustworthiness.
⬧ The higher the clearance the more in depth the background checks
should be.

10 | P a g e
[Link]
 CISSP Domain 5 Lecture notes
• RBAC (Role-Based Access Control) - Often used when Integrity is most important:
▪ Policy neutral access control mechanism defined around roles and privileges.
▪ A role is assigned permissions, and subjects in that role are added to the group,
if they move to another position they are moved to the permissions group for
that position.
▪ It makes administration of 1,000's of users and 10,000's of permissions much
easier to manage.
▪ The most commonly used form of access control.
▪ If implemented right it can also enforce separation of duties and prevent
authorization/privilege creep.
⬧ We move employees transferring within the organization from one role
to another and we do not just add the new role to the old one.

• ABAC (Attribute-Based Access Control):

• Access to objects is granted based on subjects, objects, AND
environmental conditions.
▪ Attributes could be:
⬧ Subject (user) – Name, role, ID,
clearance, etc.
⬧ Object (resource) – Name, owner, and date of
creation.
⬧ Environment – Location and/or
time of access, and threat levels.
▪ Expected to be used by 70% of large
enterprises within the next 5 years, versus
around 25% today.
▪ Can also be referred to as policy-based access control
(PBAC) or claims-based access control (CBAC).

11 | P a g e
[Link]
 CISSP Domain 5 Lecture notes
• Context-Based Access Control:
▪ Access to an object is controlled based on certain contextual parameters, such
as location, time, sequence of responses, access history.
▪ Providing the username and password combination followed by a challenge and
response mechanism such as CAPTCHA, filtering the access based on MAC
addresses on wireless, or a firewall filtering the data based on packet analysis
are all examples of context-dependent access control mechanisms.

• Content-Based Access Control:

▪ Access is provided based on the attributes or content of an object, then it is
known as a content-dependent access control.
▪ In this type of control, the value and attributes of the content that is being
accessed determine the control requirements.
▪ Hiding or showing menus in an application, views in databases, and access to
confidential information are all content-dependent.

• Accountability (often referred to as Auditing):

▪ Traces an Action to a Subject's Identity:
⬧ Proves who performed given action, it provides non-repudiation.
⬧ Group or shared accounts are never OK, they have zero accountability.
⬧ Uses audit trails and logs, to associate a subject with its actions.

12 | P a g e
[Link]
 CISSP Domain 5 Lecture notes
 Access Control:
• Access Control Systems:
▪ We can use centralized and/or
decentralized (distributed) access
control systems, depending on which
type makes the most sense. Both
options provide different benefits.
▪ Access control decisions are made by
comparing the credential to an
access control list.
▪ This look-up can be done by a host or
server, by an access control panel, or
by a reader.
▪ Most common is hub and spoke with
a control panel as the hub, and the
readers as the spokes.
▪ Today most private organizations use
Role Based Access Control (RBAC).
⬧ You are in Payroll you get the
payroll staff access and
permissions, if you move to
HR, you lose your payroll
access and get HR access
assigned.
▪ Normal systems are much larger, but you get the idea from this drawing how
they would connect.
▪ In a perfect world, access control systems should be physically and logically
segmented from the rest of our IP Network, in reality it is most often segmented
logically with VLANs, but in many cases not even that.

13 | P a g e
[Link]
 CISSP Domain 5 Lecture notes
▪ Centralized Pro’s (Decentralized Con’s):
⬧ All systems and locations have the same security posture.
⬧ Easier to manage: All records, configurations and policies are centralized
and only configured once per policy.
▫ Attackers look for the weakest link in our chain, if a small
satellite office is not following our security posture, they can be
an easy way onto our network.
⬧ It is more secure, only a few people have access and can make changes
to the system.
⬧ It can also provide separation of duties, the local admin can’t
edit/delete logs from their facility.
⬧ SSO can be used for user access to multiple systems with one login.
▪ Centralized Con’s (Decentralized Pro’s):
⬧ Traffic overhead and response time, how long does it take for a door
lock to authenticate the user against the database at the head office?
⬧ Is connectivity to the head office stable, is important equipment on
redundant power and internet?

▪ Hybrid:
⬧ Centrally controlled; access lists for that location are pushed to a local
server on a daily/hourly basis; local administrators have no access.
⬧ We must still ensure that the local site follows the organization's
security posture in all other areas.
▪ Just-In-Time (JIT) Provisioning:
⬧ Allows us to use third-party websites without checking if all of our
employees have accounts on those sites.
⬧ Users log in on a third-party site, and on their first visit, the JIT system
confirms the employee with our systems and creates the user account
on their systems, most commonly using SAML.

▪ OpenID Connect (OIDC)/Open Authorization:

⬧ Adds an identity layer to OAuth 2.0, allowing 3rd party applications or
sites to verify the identity of a user.
⬧ You can use your Google or Facebook account to log into 1000s of other
sites.

▪ Risk-Based Access Control:

⬧ Access decisions are made based on risk assessment.
⬧ Done using machine learning, which analyzes behavioral and contextual
data analytics to calculate risk for each access.

14 | P a g e
[Link]
 CISSP Domain 5 Lecture notes
• Identity and Access Provisioning:
▪ We can have multiple identities per entity
and each identity can have multiple
attributes.
⬧ I can be staff, alumni, and enrolled
student at a college.
⬧ As staff I could have access to
different areas and data than I
would as alumni and student.
⬧ Companies can have the same, they
can be the parent company, then
smaller companies under the parent
umbrella, all with different
attributes.

• Identity and Access Provisioning Lifecycle:

▪ This is a suggested lifecycle example from “Identity Management Design Guide
with IBM Tivoli Identity Manager”.
▪ You obviously don’t have to implement it verbatim but find a clear policy that
works for your organization.
⬧ Life cycle rules provide administrators with the ability to define life cycle
operations to be executed as the result of an event. Life cycle rules are
especially useful in automating recurring administrative tasks.
▫ Password policy compliance checking.
▫ Notifying users to change their passwords before they expire.
▫ Identifying life cycle changes such as accounts that are inactive
for more than 30 consecutive days.
▫ Identifying new accounts that have not been used for more
than 10 days following their creation.
▫ Identifying accounts that are candidates for deletion because
they have been suspended for more than 30 days.
▫ When a contract expires, identifying all accounts belonging to a
business partner or contractor’s employees and revoking their
access rights.

15 | P a g e
[Link]
 CISSP Domain 5 Lecture notes
• Federated Identity:
▪ How we link a person's electronic identity and attributes across multiple distinct
identity management systems.
▪ FIDM (Federated Identity Management):
⬧ Having a common set of policies, practices and protocols in place to
manage the identity and trust into IT users and devices across
organizations.
⬧ SSO is a subset of federated identity management, it only uses
authentication and technical interoperability.
▪ Technologies used for federated identity include SAML, OAuth, OpenID, Security
Tokens, Microsoft Azure Cloud Services, Windows Identity Foundation...
⬧ SAML (Security Assertion Markup Language):
▫ An XML-based, open-standard data format for exchanging
authentication and authorization data between parties.
▫ The single most important requirement that SAML addresses is
web browser SSO.
▪ SSO (Single Sign-on):
⬧ Users use a single sign-on for multiple
systems.
⬧ Often deployed in organizations where
users have to access 10+ systems, and they
think it is too burdensome to remember all
those passwords.
⬧ SSO have the same strong password
requirements as normal single system
passwords.
⬧ If an attacker compromises a single
password, they have access to everything
that user can access.

▪ Super Sign-on:
⬧ One login can allow you to access many
systems and sites.
⬧ Social media logins are common super
sign-ons, if an account is compromised an
attacker can often access multiple other
sites or systems, the social media account is linked all the other
systems.

16 | P a g e
[Link]
 CISSP Domain 5 Lecture notes
• IDaaS (Identity as a Service):
▪ Identity and access management that is built, hosted and managed by a third-
party service provider.
▪ Native cloud based IDaaS solutions can provide SSO functionality through the
cloud, Federated Identity Management for Access Governance, Password
Management, ...
▪ Hybrid IAM solutions from vendors like Microsoft and Amazon provide cloud-
based directories that link with on-premises IAM systems.

 Access Control - Authentication Protocols:

• Communications or cryptographic protocols designed to transfer authentication data
between two entities.
• They authenticate to the connecting entity (often a server) as well as authenticate itself
(often a server or desktop) by declaring the type of information needed for
authentication as well as syntax.
• It is the most important layer of protection needed for secure communication between
networks.
• Kerberos:
▪ Authentication protocol that works on the basis of tickets to allow nodes
communicating over a non-secure network to prove their identity to each other
in a secure manner.
▪ The protocol was named after the character Kerberos (or Cerberus) from Greek
mythology, the three-headed guard dog of Hades.
▪ It is based on a client–server model and it provides mutual authentication both
the user and the server verify each other's identity.
▪ Messages are protected against eavesdropping and replay attacks.
▪ Builds on symmetric keys and requires a trusted third party, and can optionally
use PKI during certain phases of authentication.
▪ Uses UDP port 88 by default, used in Active Directory from Windows 2000 and
onwards, and many Unix OS’s.
⬧ Pros: Easy for end users, centralized control and easy to administer.
⬧ Cons: Single point of failure, access to everything with single password.

17 | P a g e
[Link]
 CISSP Domain 5 Lecture notes
• Kerberos:
1. Send TGT request sending only plaintext user ID.
2. Sends session key encrypted
with user's secret key + TGT
encrypted with TGS secret key.
3. TGT + Service request
encrypted with the client/TGS
session key.
4. Client to server ticket encrypted with
server's secret key + client/session key encrypted
with the client/TGS session key.
5. Client/session key encrypted with the client/TGS
session key + new authenticator encrypted with the
client/server session key.
6. Timestamp authentication Client/Server Session Key.

• SESAME (Secure European System for Applications in a Multi-vendor Environment):

▪ Often called the successor to KERBEROS, it addresses some of the issues of
Kerberos.
▪ It uses PKI encryption (asymmetric), which fixed the Kerberos the plaintext
storage of symmetric keys issue.
▪ Uses a PAS (Privilege Attribute Server), which issues PACs (Privilege Attribute
Certificates) instead of Kerberos’ tickets.
▪ Not widely used, Kerberos is widely used since it is natively in most OS’s.

• RADIUS (Remote Authentication Dial-In User Service):

▪ A networking protocol that provides centralized
Authentication, Authorization, and Accounting
management for users who connect and use a
network service.
▪ Widely used by ISP's (Internet service providers) and
large organizations to manage access to IP networks,
AP's, VPN's, Servers, 802.1x,...
▪ Uses a client/server protocol that runs in the
application layer and can use either TCP or UDP as
transport.
▪ Network access servers, the gateways that control
access to a network, usually contain a RADIUS client
component that communicates with the RADIUS
server.
▪ Uses UDP ports 1812 for authentication and 1813 for
accounting, can use TCP as the transport layer with TLS for security.

18 | P a g e
[Link]
 CISSP Domain 5 Lecture notes
• Diameter:
▪ Also provides centralized AAA (Authentication, Authorization, and Accounting)
management for users who connect and use a network service.
▪ Was intended as a replacement for RADIUS, but the use cases changed, and
both now have different uses.
▪ Diameter is largely used in the 3G space, RADIUS is used elsewhere.
▪ Uses 32bit for the AVP field (4.2 billion AVPs), RADIUS uses 8bit and only has
256 possible AVPs.
▪ Use SCTP (Stream Control Transmission Protocol) or TCP as default.
▪ Not directly backwards compatible but provides an upgrade path for RADIUS.
▪ One of the largest barriers to having Diameter replace RADIUS is that switches
and Access Points typically implement RADIUS, but not Diameter. Uses SCTP or
TCP.

• TACACS (The Terminal Access Controller Access Control System):

▪ Centralized access control system requiring users to send an ID and reusable
(vulnerable) passwords for authentication.
▪ Uses TCP/UDP port 49.
▪ TACACS has generally been replaced by TACACS+ and RADIUS.

• TACACS+:
▪ Provides better password protection by using two-factor strong authentication.
▪ Not backwards compatible with TACACS.
▪ Uses TCP port 49 for authentication with the TACACS+ server.
▪ Similar to RADIUS, but RADIUS only encrypts the password TACACS+, encrypts
the entire data package.

• PAP (Password Authentication Protocol):

▪ Authentication is initialized by client/user by sending packet with credentials
(username and password) at the beginning of the connection.
▪ One of the oldest authentication protocols, no longer secure. Credentials are
sent over the network in plain text.

• CHAP (Challenge-Handshake Authentication Protocol):

▪ Provides protection against replay attacks by the peer through the use of an
incrementally changing identifier and of a variable challenge-value.
▪ Requires the client and server know the plaintext of a shared secret, but it is
never sent over the network.
▪ Providing better security compared to PAP which is vulnerable for both these
reasons.
▪ Used by PPP (Point to Point Protocol) servers to validate the remote clients.

19 | P a g e
[Link]
 CISSP Domain 5 Lecture notes
▪ CHAP periodically verifies the identity of the client by using a three-way
handshake.
▪ The CHAP server stores plaintext passwords of each client, an attacker gaining
access to the server can steal all the client passwords stored on it.

• AD (Active Directory):
▪ Directory service that Microsoft developed for Windows domain networks.
▪ Included in most Windows Server OS as a set of processes and services.
▪ Originally it was only in charge of centralized domain management, as of
Windows Server 2008, AD became an umbrella term for a broad range of
directory-based identity-related services.
▪ A server running Active Directory Domain Services (AD DS) is a domain
controller,
▪ The DC authenticates and authorizes all subjects in a domain, networks can
have one or more domains.
▪ Uses LDAP (Lightweight Directory Access Protocol) versions 2 and 3, Microsoft's
version of Kerberos, and DNS.
▪ Each domain can have a separate authentication process, users, network
components and data objects.
▪ Uses groups to control access by users to data objects, often used as a RBAC
where roles are assigned to groups, where the group has access rights.
▪ Can use Trust domains which allow users in one domain to access resources in
another.
⬧ One-way Trust: One domain allows access to users on another domain,
but the other domain does not allow access to users on the first
domain.
⬧ Two-way Trust: Two domains allow access to users on both domains.
⬧ Trusted Domain: The domain that is trusted; whose users have access
to the trusting domain.
⬧ Transitive Trust: A trust that can extend beyond two domains to other
trusted domains in the forest.
⬧ Intransitive (non-transitive) Trust: A one way trust that does not
extend beyond two domains.

20 | P a g e
[Link]
 CISSP Domain 5 Lecture notes
 What we covered in the Fifth CBK Domain:
• In this domain we covered:
▪ How we identify, classify, and assign labels to our objects and clearance to our
subjects, and the access control models and platforms we use for doing so.
▪ How we provide authorized objects access and prevent unauthorized access.
▪ The logical and physical controls we implement.
▪ How we identify and authenticate our authorized users, how we use
multifactor authentication and the strengths and weaknesses of each
authentication factor.
▪ We looked at IDaaS, SSO, and super sign-on.
▪ Access control attacks and what we can do to mitigate them.
▪ Identity and access provisioning lifecycle (e.g., provisioning review).

21 | P a g e
[Link]
 CISSP Domain 6 Lecture notes

Welcome to the Sixth CBK Domain:

 In this domain we cover:
• Assessment and test strategies.
▪ How and what do want to test? Which type of tests do we use, and do we want
intrusive or non-intrusive?
• Security process data (e.g., management and operational controls).
▪ Are our administrative processes as secure as we think they are, and as they
should be?
• Security control testing.
▪ We test both the technical and administrative controls we have in place.
• Test outputs (e.g., automated, manual).
▪ How we report our findings, we need to do this as effectively as possible.
▪ We in layman’s terms convey what the vulnerabilities and test results mean to
senior management.
• Security architecture vulnerabilities.

This chapter focuses on how we assess and test the security measures we have in place, this is done to
ensure we are as secure as we think we are and to improve our security posture.
CBK 6 makes up 12% of the exam questions.

 Assessment and Test Strategies:

• Key Terms:
▪ Static Testing – We passively test the code, we do not run it.
▪ Dynamic Testing – We tests code while executing it.
▪ Fuzzing (Fuzz Testing) – A black box testing that submits random, malformed
data as inputs into software programs to determine if they will crash.
▪ Penetration Testing (Pen Testing) – We pay someone to test our security by
trying to compromise our safeguards. This is testing both our organization’s
physical and logical perimeter.
▪ Synthetic Transactions/Monitoring - Building scripts or tools that simulate
normal user activity in an application.
• Security Assessments:
▪ A full picture approach to assessing how effective our access controls are, they
have a very broad scope.
▪ Security assessments often span multiple areas, and can use some or all of these
components:
⬧ Policies, procedures, and other administrative controls.
⬧ Assessing the real world-effectiveness of administrative controls.
⬧ Change management.
⬧ Architectural review.
⬧ Penetration tests.
⬧ Vulnerability assessments.
⬧ Security audits.

1|Page
[Link]
 CISSP Domain 6 Lecture notes
• Security Audit: A test against a published standard.
▪ SOC 2 Type 1 or 2, PCI-DSS, HIPAA…
• Internal, external, and 3rd-Party Audits:
▪ Unstructured Audits (internal):
⬧ Internal auditors to improve our security and find flaws, often done
before an external audit.
▪ External audits:
⬧ Similar to internal audits. An external company audits our controls to
find flaws and improve our security posture.
▪ Structured Audits (3rd party):
⬧ External auditors who validate our compliance, often done for a
regulatory body, they are experts and the audit adds credibility.
⬧ Can also be a knowledge transfer for the organization, required annually
in many organizations.

• SOC1: Focus on service organization controls relevant to internal control over financial
reporting.
▪ For internal use and available to the organization.
▪ Type I: Opinion on design effectiveness of controls. Type I, cover single point in
time.
▪ Type II: Opinion on design and reporting effectiveness of controls. Type II,
covers a minimum six month time period.

• SOC 2: Assess internal controls for compliance and operations.

▪ Must meet trust service criteria defined by AICPA: Security, Availability,
Processing Integrity, Confidentiality, and Privacy.
▪ Type I: Report on management’s description of a service organization’s system
and the suitability of the design of controls. Type I, cover single point in time.
▪ Type II: Report on management’s description of a service organization’s system
and the suitability of the design and operating effectiveness of controls. Type II,
covers a minimum six month time period.
⬧ The purpose of type II reports is to validate/verify that an organization
meets the requirements as stated in the published standard.
⬧ Proves organization controls listed are operational and enforced.
⬧ Better and more expensive than Type I reports.

2|Page
[Link]
 CISSP Domain 6 Lecture notes
• SOC 3: Similar to SOC 2 report but much
more generalized, shorter, and a less
sensitive document.
▪ More public facing document
▪ Includes only the auditor’s opinion
and limited description of controls
▪ The examination covers both design
and operating effectiveness of the
controls relevant to applicable trust
service principles (security
availability, processing integrity ,
confidentiality, and privacy).

• Security Audit Logs:

▪ Reviewing security audit logs in an IT system is one of the easiest ways to verify
that access control mechanisms are working as intended.
▪ Reviewing audit logs is primarily a detective control.
▪ NIST Special Publication 800-92 suggests the following log types should be
collected and audited:
⬧ Network Security Software/Hardware:
▫ Antivirus logs, IDS/IPS logs, remote access software (such as
VPN logs), web proxy, vulnerability management,
authentication servers, routers and firewalls.
⬧ Operating System:
▫ System events, audit records, applications, client requests and
server responses, usage information, significant operational
actions.
▪ Centralized Logging:
⬧ Should be automated, secure and even administrators should have
limited access.
⬧ Often a central repository is hashed and never touched, and a
secondary copy is analyzed to ensure integrity.
⬧ Logs should have a retention policy to ensure we are compliant and we
keep the logs as long as we need them.
⬧ Checking logs is often an afterthought and rarely done, where do we
start?
⬧ Since they are often keeping everything, there can be 10's of millions of
lines of log info, we need to implement systems to automate this as
much as makes sense.

3|Page
[Link]
 CISSP Domain 6 Lecture notes
• Security Audit Logs (Audit Trail):
▪ Audit record management typically faces five distinct problems:
1. Logs are not reviewed on a regular and timely basis.
2. Audit logs and audit trails are not stored for a long enough time
period.
3. Logs are not standardized or viewable by correlation toolsets - they
are only viewable from the system being audited.
4. Log entries and alerts are not prioritized.
5. Audit records are only reviewed for the bad stuff.

• Vulnerability Scanning/Testing:
▪ A vulnerability scanner tool is used to scan a network or system for a list of
predefined vulnerabilities such as system misconfiguration, outdated software,
or a lack of patching.
▪ It is very important to understand the output from a vulnerability scan, they can
be 100's of pages for some systems, and how do the vulnerabilities map to
Threats and Risks (Risk = Threat x Vulnerability).
▪ When we understand the true Risk, we can then plan our mitigation.
▪ Common vulnerability scanners could be Nessus or OpenVAS, both list
vulnerabilities in Critical, High, Medium, Low, and Informational.

4|Page
[Link]
 CISSP Domain 6 Lecture notes
• Penetration Testing (Pen Testing), often called Ethical Hacking:
▪ Test if the vulnerabilities are exploitable.
▪ An authorized simulated attack on our organization that looks for security
weaknesses, potentially gaining access to the systems, buildings and data.
▪ It is very important to have very clear rules of engagement defined in a SOW
(Statement Of Work)
⬧ Which IP ranges, time frame, tools, POC, how to test, what to test, …
⬧ We confirm with our legal team before hiring Pen Testers, even if you
allow it what they do may still be illegal.
▪ Senior management set the goals for the Pen testing.
⬧ Why are we doing it? What are we trying to achieve? They have to sign
off on it.
▪ If we are the pen testers, we are there to test and document the vulnerabilities,
not to fix them.
⬧ We provide the report to senior management and they decide which
vulnerabilities they want to address.
▪ Use multiple attack vectors and Pen testing uses an iterative process that is
similar to Agile project planning.
▪ Discovery (planning): Finding the vulnerabilities, design the attacks.
▪ Gaining Access: Access the network.
▪ Escalate Privileges: Get higher-level access, ultimately we want admin access.
▪ System Browsing: Gain additional access, often back to discovery again with our
new knowledge level and access.
▪ Install Additional tools: With our elevated access we can install more tools and
exploit new attack surfaces, can go back to Gaining Access.
▪ Finally when done, they report the findings.

5|Page
[Link]
 CISSP Domain 6 Lecture notes
▪ Planning > Reconnaissance > Scanning (enumeration) > Vulnerability assessment
> Exploitation > Reporting.
▪ Very similar to a black hat methodology.
▪ Black hats often spend less time planning, and instead of reporting they cover
their tracks.
⬧ They delete/modify logs and any other tracks they left and if possible
install backdoors, so they can keep exploiting our environments.
▪ A Pen tester has a very clear SOW and they do not compromise system and data
integrity.
▪ The Pen tester may also not be allowed to access certain files (PII/PHI), but a
dummy file is created in the same location, if the Pen tester can get to the
target file, they could get to the actual data file.
▪ The Pen testing is done in clearly defined time windows, often in maintenance
windows after hours, the point is to prove we are vulnerable, not disrupt our
business.
▪ Some low impact Pen tests can also be done on DR environments, to not effect
our live environments, but they are often less useful since most DR
environments are not a mirror copy of the production environment.
▪ Black Box Pen Testing (Zero Knowledge):
⬧ The attacker had no knowledge about the organization other than
publicly available information.
⬧ They start from the point an external attacker would.
▪ White (Crystal/Clear) Box Pen testing (Full Knowledge):
⬧ The attacker has knowledge of the internal network and access to it like
a privileged employee would.
⬧ Normally Administrator access employee with full knowledge of our
environment.
▪ Gray (Grey) Box Pen Testing (Partial Knowledge):
⬧ The attacker has limited knowledge, a normal user, vendor or someone
with limited environment knowledge.
▪ Do not confuse these with Black, Gray, or White Hat Hackers.
⬧ White Hat Hackers: Professional Pen Testers trying to find flaws so we
can fix it (Ethical Hackers).
⬧ Black Hat Hackers: Malicious hackers, trying to find flaws to exploit
them (Crackers - they crack the code).
⬧ Gray/Grey Hat Hackers: They are somewhere between the white and
black hats.
▪ Breach and Attack Simulation (BAS):
⬧ Uses automated tools to simulate complex cyberattacks on-demand
across all attack vectors.
⬧ Combines red and blue team approaches (purple teaming) — automates
it and provides us with breach and assault platforms with continuous
coverage.
⬧ They can be running 24/7/365, giving us much more in-depth visibility
into the real state of our defense readiness.

6|Page
[Link]
 CISSP Domain 6 Lecture notes
⬧ Breach simulation is used to simulate attacks on endpoints (malware),
data exfiltration, malware attacks, APT attacks that move laterally
through a network, targeting the most valuable assets.

▪ Compliance Checks:
⬧ Are the security controls we put in place sufficient to ensure compliance
with the regulations that our organization must follow? (PCI-DSS, HIPAA,
SOC2, and so on).
⬧ Audits can be part of it, but they are a point-in-time event, whereas
compliance checks are ongoing, and compliance should be the
beginning of our risk management program.
▪ Think like an attacker would, start with the easiest attack first, the users.
▪ Low technical tools can be just as effective as sophisticated tools,
▪ Many organizations have strong perimeter defense, but no defense in depth,
once you get past 1 or 2 barriers you can access most things.
▪ Social Engineering uses people skills to bypass security controls.
⬧ Can be used in a combination with many other attacks, especially client-
side attacks or physical tests.
⬧ Attacks are often more successful if they use one or more of these
approaches:
▫ Authority (someone you trust or are afraid of) - Look and
sound like an authority figure, be in charge, this can be in a
uniform or a suit. Most effective with impersonation, whaling,
and vishing attacks.
▫ Intimidation (If you don't bad thing happens) - Virus on the
network, credit card compromised, lawsuit against your
company, intimidation is most effective with impersonation and
vishing attacks.

▪ Social Engineering Attacks:

⬧ Consensus (Following the crowd, everyone else was doing it) - Fake
reviews on a website, using consensus/social proof is most effective
with Trojans and hoaxes.
⬧ Scarcity (If you don't act now, it is too late) - New iPhone out, only 200
available, often effective with phishing and Trojan attacks.
⬧ Urgency (It has to happen now or else) - The company will be sued for
$1,000,000 if these papers are not filled out before Friday, often used
with Phishing.
⬧ Familiarity (Have a common ground, or build it) - Knowing something
about the victim ahead of time and then reference it can raises chances
of a successful attack drastically. People want to be helpful, if they feel
like they know you they want to even more. Often successful with
vishing and in-person social engineering.

7|Page
[Link]
 CISSP Domain 6 Lecture notes
▪ War Dialing:
⬧ Uses modem to dial a series of phone numbers, looking for an
answering modem carrier tone, the penetration tester then attempts to
access the answering system.
⬧ Not really done anymore, but know it for the exam.
▪ War Driving (access point mapping):
⬧ Driving or walking around, mapping access points and trying to gain
access to them.
▪ Network Attacks
⬧ Client-side attacks, server-side attacks, or Web application attacks.
▪ Wireless Tests:
⬧ Evaluate the risk related to potential access to your wireless network.
⬧ Uses the password combination & sniffing technique for cracking
unsecured wireless network, so a proper set up is required for making
the whole process semi-automated and automated.

▪ Penetration Testing Tools and Methodology:

⬧ Just like hackers, Pen testers use many different tools to test, both
published tools and own creations.
⬧ Be VERY careful if testing these out, do not use them outside your own
network, and only on internal networks with written permission.
⬧ Penetration testing tools:
▫ Open source Metasploit - [Link]
▫ Closed source Core Impact - [Link]
▫ Immunity Canvas - [Link]
▫ Top 125 Network Security Tools - [Link]
▫ Kali Linux - [Link]
▪ Semi Real-Time Attack Maps:
⬧ [Link]
⬧ [Link]

▪ Exception Handling:
⬧ An exception is raised or thrown when an application encounters an
error (programming error, division by zero, invalid argument, creating
an object when the system is out of memory, and so on).
⬧ Most applications would by default terminate, but an exception handler
can stop that.

▪ Ethical Disclosure:
⬧ As IT Security professionals, we need to act ethically — disclose
unknown vulnerabilities discovered during security testing.
⬧ We'd most likely put in place compensating controls to address the
vulnerability.
⬧ We'd notify the vendor, giving them time to create a patch or other
form of fix (white hat).

8|Page
[Link]
 CISSP Domain 6 Lecture notes
⬧ If they do not act, we may disclose it to a larger audience; however, this
raises security concerns now that attackers are aware of the
vulnerability — they can attack before others have applied to
compensate controls or repair.

• Software Testing:
▪ Historically we have built functional software and tested it for just that stability
and functionality, security has been an afterthought if considered at all.
Software needs to be designed securely, built in not bolted on.
▪ Normal software can have millions of line of code and about 1% of that contains
vulnerabilities.
▪ Many security breaches happen because our software is easy to compromise.
▪ Static Testing - Passively testing the code, it is not running.
⬧ This is walkthroughs, syntax checking, and code reviews.
⬧ Looks at the raw source code itself looking for evidence of known
insecure practices, functions, libraries, or other characteristics having
been used in the source code.
⬧ There are 100's of static code analysis tools available depending on
programming language.
▪ Dynamic Testing – Actively testing the code while executing it.
⬧ Can uncover flaws that exist in the particular implementation and
interaction of code that static analysis missed. Software can run and
code execute with flaws.
▪ Code testing uses white and black box terms just like in Pen testing.
⬧ White Box Software Testing:
▫ The tester has full access to program source code, data
structures, variables,...
⬧ Black Box Software Testing:
▫ The tester has no details, just the software, they then test for
functionality and security flaws.
▪ TM/RTM (Requirements Traceability Matrix):
⬧ Normally a table, used to map customer requirements to the testing
plan using a many-to-many relationship comparison.
⬧ A requirements traceability matrix may be used to check if the current
project requirements are being met, and to help in the creation of a
request for proposal, software requirements specification, various
deliverable documents, and project plan tasks.

9|Page
[Link]
 CISSP Domain 6 Lecture notes
▪ Software Testing Levels:
⬧ Unit Testing:
▫ Tests that verify the functionality of a specific section of code.
▫ In an object-oriented environment, this is usually at the class
level, and the minimal unit tests include the constructors and
destructors.
▫ Usually written by developers as they work on code (white-box),
to ensure that the specific function is working as expected.
⬧ Integration Testing:
▫ Seeks to verify the interfaces between components against a
software design.
▫ Integration testing works to expose defects in the interfaces and
interaction between integrated components/modules.
▫ Progressively larger groups of software components are tested
until the software works as a system.

⬧ Component Interface Testing:

▫ Testing can be used to check the handling of data passed
between various units, or subsystem components, beyond full
integration testing between those units.
▫ Tests a completely integrated system to verify that the system
meets its requirements.
⬧ Operational Acceptance:
▫ Used to conduct operational readiness (pre-release) of a
product, service or system as part of a quality management
system.

▪ Software Testing Types:

⬧ Installation Testing:
▫ Assures that the system is installed correctly and working at
actual customer's hardware.
⬧ Regression Testing:
▫ Finding defects after a major code change has occurred.
▫ Looks for software regressions, as degraded or lost features,
including old bugs that have come back.
⬧ Fuzzing (Fuzz Testing):
▫ Testing that provides a lot of different inputs in order to try to
cause unauthorized access or for the application to enter
unpredictable state or crash.
▫ If the program crashes or hangs the fuzz test failed.
▫ The Fuzz tester can enter values into the script or use pre-
compiled random or specific values.
▫ Mutating fuzzing – The tester analyses real info and modifies it
iteratively.

10 | P a g e
[Link]
 CISSP Domain 6 Lecture notes
⬧ All-Pairs Testing (Pairwise Testing):
▫ All-Pairs Testing is defined as a black-box test design technique
in which test cases are designed to execute all possible discrete
combinations of each pair of input parameters.
▫ The most common bugs in a program are generally triggered by
either a single input parameter or an interaction between pairs
of parameters.
▫ It uses carefully chosen test vectors, this can be done much
faster than an exhaustive search of all combinations of all
parameters, by parallelizing the tests of parameter pairs.
▫ If we have a very simple piece of software with 3 input
parameters:
▫ Server type A: Physical B: VM Vendor: A: Dell B: HP
Serial number: A Valid (5000) B Invalid
→ If we test all possible combinations we would test
2x2x5000 = 20000 combinations.
→ If we test all-pairs we would test 2x2x2 = 8
combinations – we only look at valid or invalid input.
⬧ Misuse Case Testing:
▫ Executing a malicious act against a system, attackers won't do
what normal users would, we need to test misuse to ensure our
application or software is safe.
⬧ Test Coverage Analysis:
▫ Identifies how much of the code was tested in relation to the
entire application.
▫ To ensure there are no significant gaps where a lack of testing
could allow for bugs or security issues to be present that
otherwise should have been discovered.
▫ With 50+ millions line of code in a Windows OS, often spot
checks on critical areas are only enforced.

▪ Now that we have completed our tests, just like on our log reviews, we need to
use it and analyze the data we got from the testing.
▪ It can be huge amounts of data, and we need to prioritize what we act on first,
what is acceptable and what is not.
▪ Think of the qualitative risk analysis, if it is low likelihood and low impact we
may leave it alone and focus on higher priority items.

11 | P a g e
[Link]
 CISSP Domain 6 Lecture notes
 What we covered in the Sixth CBK Domain:
• In this domain we covered how we test the actual security levels of our organization,
including vulnerability scanning, penetration testing, security assessments, and audits.
▪ The Vulnerability Scanning can show us half of the Risk = Threat × Vulnerability
equation.
▪ In the Penetration Testing we try to match those vulnerabilities with threats, so
we can show the actual risk, if there is no real threats to a vulnerability, we may
focus on vulnerabilities with actual threats.
▪ How we perform both Internal and External Audits and Full Security
Assessments.
▪ Finally how we review and test the code, the different methodologies and
approaches we use to test different elements of the code.

12 | P a g e
[Link]
 CISSP Domain 7 Lecture notes

Welcome to the Seventh CBK Domain:

 In this domain we cover:
• Investigations support and requirements, Logging and monitoring activities.
• Provisioning of resources, Foundational security operations concepts, Resource
protection techniques.
• Preventative measures, Patch and vulnerability management, Change management
processes.
• Incident management, Recovery strategies, Disaster recovery processes and plans,
Business continuity planning and exercises.
• Personnel safety concerns.

This chapter is how we secure our day-to-day operations, how we continue to function in a disaster event
and how we recover after an event. The domain also has some areas that just didn’t fit in elsewhere.
CBK 7 makes up 13% of the exam questions.

 CBK 7 Key Terms:

• BCP (Business Continuity Plan): Long-term plan to ensure the continuity of business
operations in a disaster event.
• DR (Disaster Recovery): Policies, procedures and tools to recover from a natural,
environmental or man made disaster.
• Collusion: An agreement between two or more individuals to subvert the security of a
system.
• COOP (Continuity of Operations Plan): A plan to maintain operations during a disaster.
• Disaster: Any disruptive event that interrupts normal system operations.
• DRP (Disaster Recovery Plan): Short-term plan to recover from a disruptive event, part
of our BCP.
• MTBF (Mean Time Between Failures): How long a new or repaired system or
component will function on average before failing.
• MTTR (Mean Time to Repair): How long it will take to recover a failed system.
• RAID (Redundant Array of Independent/Inexpensive Disks): Using multiple disk drives
to achieve greater data reliability, speed, and fault tolerance.
• Mirroring: Complete duplication of data to another disk, used by some levels of RAID.
• Striping: Spreading data writes across multiple disks to achieve performance gains, used
by some levels of RAID.

1|Page
[Link]
 CISSP Domain 7 Lecture notes
 Administrative Personnel Security Controls:
• Administrative Security:
▪ Provides the means to control people's operational access to data.
▪ Least Privilege:
⬧ We give employees the minimum necessary access they need, no more,
no less.
▪ Need to Know:
⬧ Even if you have access, if you do not need to know, then you should
not access the data.
(Kaiser employees).
▪ Separation of Duties:
⬧ More than one individual in one single task is an internal control
intended to prevent fraud and error.
⬧ We do not allow the same person to enter the purchase order and issue
the check.
⬧ For the exam assume the organization is large enough to use separation
of duties, in smaller organizations where that is not practical,
compensating controls should be in place.
▪ Job Rotation:
⬧ For the exam think of it to detect errors and frauds. It is easier to detect
fraud and there is less chance of collusion between individuals if they
rotate jobs.
⬧ It also helps with employees burnout and it helps employees
understand the entire business.
⬧ This can be to cost prohibitive for the exam/real life, make sure on the
exam the cost justifies the benefit.
▪ Mandatory Vacations:
⬧ Done to ensure one person is not always performing the same task,
someone else has to cover and it can keep fraud from happening or help
us detect it.
⬧ Their accounts are locked and an audit is performed on the accounts.
⬧ If the employee has been conducting fraud and covering it up, the audit
will discover it.
⬧ The best way to do this is to not give too much advance notice of
vacations.

• With the combination of all 5 we minimize some of the insider threats we may have.

2|Page
[Link]
 CISSP Domain 7 Lecture notes
• NDA (Non-Disclosure Agreement):
▪ We covered NDA's between our and other organizations, it is also normal to
have them for internal employees.
▪ Some employment agreements will include a clause restricting employees' use
and dissemination of company-owned confidential information.

• Background Checks:
▪ References, Degrees, Employment, Criminal, Credit history (less common, more
costly).
▪ For sensitive positions the background check is an ongoing process.

• Privilege Monitoring:
▪ The more access and privilege an employee has the more we keep an eye on
their activity.
▪ They are already screened more in depth and consistently, but they also have
access to many business critical systems, we need to audit their use of that
access.
▪ With more access comes more responsibility and scrutiny.

• Privileged Account/Access Management (PAM):

▪ Account (account safeguarded) vs. Access (Account + what can the account
access/do).
▪ We want to identify and monitor anyone with more access than the normal
user. The higher privileges they have the closer they should be monitored.
▪ We monitor the what/when/how/why/where of what is accessed.
▪ Full monitoring, limit privileges, MFA, monitor remote connections, logs/records
are immutable, anomaly detection,
continuous monitoring, full visibility of
all admins, and no group accounts.
▪ Users:
⬧ Regular users: Analyze
performance, improve
efficiency.
⬧ Privileged users: Access matrix,
what was changed?
⬧ All users: Sensitive data, critical
systems, insider/outsider
threats, and meeting
compliance/regulatory
requirements.
▪ Systems:
⬧ All servers (including jump
servers), all endpoints, and
remote workstations.

3|Page
[Link]
 CISSP Domain 7 Lecture notes
• Conduct Logging and Monitoring Activities:
▪ Logging = Managing all the logs from our applications and infrastructure, the
raw data.
▪ Monitoring = Making sure that our applications and infrastructure is available
and responds to user requests within an acceptable time frame, alerts us of
issues, the data being used.
• Threat Intelligence:
▪ Threat Feeds: A stream of raw current and potential threats.
⬧ We can use a threat intelligence feed to get actual usable data, such as
suspicious domains, malware hashes, potential malicious code, flagged
IPs.
⬧ We can then use that feed to compare to our ingress/egress traffic.
▪ Threat Hunting: Actively looking for threats on our network.
⬧ We assume attackers are able to access our network and have not been
detected, we aggressively search our systems for any threat indicator.
• User and Entity Behavior Analytics (UEBA):
▪ We use machine/deep learning to model typical and atypical user behavior,
setting a baseline.
▪ With the baseline, we can identify anomalies and threats sooner.
▪ For that we look at:
⬧ Use cases – How do normal users use our network and data?
⬧ Data sources – Data sources, normally a data lake/warehouse or SIEM,
should not be deployed directly.
⬧ Analytics – To build the baseline and detect anomalies.

 Administrative Security:
• Digital (Computer) Forensics:
▪ Focuses on the recovery and
investigation of material found in
digital devices, often in relation to
computer crime.
▪ Closely related to incident response,
forensics is based on gathering and
protecting the evidence, where
incidents responses are how we
react in an event breach.
▪ We preserve the crime scene and the
evidence, we can prove the integrity
of it at a later needed time, often
court.

4|Page
[Link]
 CISSP Domain 7 Lecture notes
▪ The Forensic Process:
⬧ Identify the potential evidence,
acquire the evidence, analyze the
evidence, make a report.
⬧ We need to be more aware of how
we gather our forensic evidence,
attackers are covering their tracks,
deleting the evidence and logs.
⬧ This can be through malware that is
only in volatile memory, if power is
shut off (to preserve the crime
scene), the malware is gone and the
evidence is lost.
⬧ Rather than shutting the system
down, we can if considered safe
disconnect it from the network and
take bit by bit copies of the memory,
drives, running processes and network
connection data.
▪ The evidence we collect must be accurate, complete, authentic, convincing,
admissible.
▪ Identification: Identify the evidence, what is left behind
▪ Preservation:
⬧ Everything is documented, chain of custody: Who had it when? What
was done? When did they do it?
⬧ Pull the original, put it in write protected machine, we make a hash.
⬧ We only do examinations and analysis on bit level copies, we confirm
they have the same hash as the original before and after examination
▪ Collection:
⬧ We examine and analyze the data, again document everything.
⬧ We handle the evidence as little as possible.
⬧ Work from most volatile to least volatile, starting with the RAM and
ending with the hard disks.
▪ We use our incidence response plan:
▪ This can include getting our HR and Legal departments involved.
▪ We ensure our evidence is acquired in a legal manner. Remember the US
Constitution 4th amendment.
⬧ The right of the people to be secure in their persons, houses, papers, and
effects, against unreasonable searches and seizures, shall not be
violated.
▪ Anything subpoenaed, search warranted, turned over voluntarily and in exigent
circumstances (immediate danger of being destroyed), can allow law
enforcement to bypass the 4th amendment.
▪ Examination: Find the facts and document them, collecting the data.
▪ Analysis: Look at the data and look for meaning or reason.

5|Page
[Link]
 CISSP Domain 7 Lecture notes
▪ Presentation in Court: We present our findings and any other evidence.
▪ Decision: The court rules on the case.
▪ Forensic data is normally obtained from binary images of secondary storage and
portable storage devices like hard drives, flash drives, CDs, DVDs, and cell
phones, …
▪ We use a binary or bit stream image copy to ensure we get an exact copy of the
device, and not just a copy of certain sectors.
▪ Real Evidence: Tangible and Physical objects, in IT Security: Hard Disks, USB
Drives – NOT the data on them.
▪ Evidence Integrity – It is vital the evidence's integrity cannot be questioned, we
do this with hashes. Any forensics is done on copies and never the originals, we
check hash on both original and copy before and after the forensics.
▪ Chain of Custody – Chain of custody form, this is done to prove the integrity of
the data. No tampering was done.
⬧ Who handled it?
⬧ When did they handle it?
⬧ What did they do with it?
⬧ Where did they handle it?

• Artifacts (e.g., computer, network, mobile

device):
▪ Can be digital traces left behind by
attackers (logs and data generated by
those devices) but it can also be
physical devices (computers, mobile
devices, network devices) and other
forms of evidence.
▪ We need to preserve the artifacts both
to ensure they are useful in our
forensics and even more importantly,
if we ever go to court.
• Continuous monitoring:
▪ Exactly what it sounds like.
▪ All events are recorded for later
potential analysis.
▪ Helps us detect compliance and risk issues.

6|Page
[Link]
 CISSP Domain 7 Lecture notes
• Digital Forensics:
▪ Here are the four basic types of disk-based forensic data:
⬧ Allocated Space:
▫ The portions of the disk that are marked as actively containing
data.
⬧ Unallocated Space:
▫ The portions of the disk
that does not contain active
data.
▫ This is parts that have never
been allocated and
previously allocated parts
that have been marked
unallocated.
▫ When a file is deleted, the
parts of the disk that held
the deleted file are marked as
unallocated and made available
for use. (This is also why deleting a
file does nothing, the data is still there until
overwritten).
⬧ Slack Space:
▫ Data is stored in specific size chunks known as
clusters (clusters = sectors or blocks).
▫ A cluster is the minimum size that can be allocated by a file
system.
▫ If a particular file, or final portion of a file, does not require the
use of the entire cluster then some extra space will exist within
the cluster.
▫ This leftover space is known as slack space: it may contain old
data, or can be used intentionally by attackers to hide
information.
⬧ Bad Blocks/Clusters/Sectors:
▫ Hard disks end up with sectors that cannot be read due to some
physical defect.
▫ The sectors marked as bad will be ignored by the operating
system since no data could be read in those defective portions.
▫ Attackers can mark sectors or clusters as being bad in order to
hide data within this portion of the disk.

7|Page
[Link]
 CISSP Domain 7 Lecture notes
▪ Network Forensics:
⬧ A sub-branch of digital forensics where we look at the monitoring and
analysis of computer network traffic for the purposes of information
gathering, legal evidence, or intrusion detection.
⬧ Network investigations deal with volatile and dynamic information.
⬧ Network traffic is transmitted and then lost, so network forensics is
often a proactive investigation.
⬧ Network Forensics generally has two uses.
▫ The first type is monitoring a network for anomalous traffic and
identifying intrusions (IDS/IPS).
→ An attacker might be able to erase all log files on a
compromised host, a network-based evidence might be
the only evidence available for forensic analysis.
▫ The second type relates to law enforcement.
→ In this case analysis of captured network traffic can
include tasks such as reassembling transferred files,
searching for keywords and parsing human
communication such as emails or chat sessions.
⬧ Systems used to collect network data for forensics use usually come in
two forms:
▫ Catch-it-as-you-can:
→ All packets passing through a certain traffic point are
captured and written to storage with analysis being
done subsequently in batch mode.
→ This approach requires large amounts of storage.
▫ Stop, look and listen:
→ Each packet is analyzed in a basic way in memory and
only certain information is saved for future analysis.
→ This approach requires a faster processor to keep up
with incoming traffic.
▪ Embedded Device Forensics:
⬧ We have for decades analyzed and investigated standard systems,
traffic and hardware, but embedded devices is a new player.
⬧ They include SSD's, GPS', cell phones, PDA and much more.
⬧ They can contain a lot of information, but how do we safely retrieve it
while keeping the integrity of the data?
⬧ We talked about how the IoT (Internet Of Things) can be a security
concern, but all the devices can also hold a wealth of information.
▫ Where does the GPS say the car, phone or person was at a
certain time?
▫ When did the AC turn on? Can we assume someone was
home at that time?
▪ Forensic examiners may have to be able to access, interpret and analyze
embedded devices in their investigation.

8|Page
[Link]
 CISSP Domain 7 Lecture notes
▪ Forensic Software Analysis:
⬧ Comparing and/or reverse engineering software.
⬧ Reverse engineering malware is one of the most common examples.
⬧ Investigators often have a binary copy of a malware program and try to
deduce what it does.
⬧ Common tools are disassemblers and debuggers.
▪ Software forensics can also refer to intellectual property infringement. For the
exam this is not the type we talk about.

▪ Egress Monitoring:
⬧ Done to prevent data exfiltration both logically and physically.
⬧ For logical egress monitoring, we can use DLP systems.
▫ This can be both network-based and endpoint DLP systems.
▫ Even if the data is encrypted and we can’t decrypt it, we can still
prevent the egress from our network.
⬧ For physical egress monitoring, we could use guards, make sure the
trash and any other way things can be physically removed from our
organization are monitored and secured.

▪ Electronic Discovery (E-discovery):

⬧ The discovery in legal proceedings, litigation, government
investigations, or Freedom of Information Act requests, where the
information is in electronic format.
⬧ Considered different from paper information because of its intangible
form, volume, transience and persistence.
⬧ Usually accompanied by metadata that is not found in paper documents
and that can play an important part as evidence.
⬧ The preservation of metadata from electronic documents creates
special challenges to prevent spoliation.
⬧ Can be very costly and take a lot of time with the amounts of data we
store. Proper retention for backups can reduce this as well as what we
back up.
⬧ The Electronic Discovery Reference Model (EDRM):
▫ Information governance, identification, preservation,
collection, processing, review, analysis, production, and
presentation.

• Incident Management:
▪ Involves the monitoring and detection of security events on our systems, and
how we react in those events.
▪ It is an administrative function of managing and protecting computer assets,
networks and information systems.
▪ The primary purpose is to have a well understood and predictable response to
events and computer intrusions.

9|Page
[Link]
 CISSP Domain 7 Lecture notes
▪ We have very clear processes and responses, and our teams are trained in them
and know what to do when an event occurs.
▪ Incidents are very stressful situations, it is important staff knows exactly what to
do, that they have received ongoing training and understand the procedures.
▪ Incidences and events can generally be categorized in 3 classes:
⬧ Natural: Hurricanes, floods, earthquakes, blizzards,
anything that is caused by nature.
⬧ Human: Done intentionally or unintentionally by humans, these are by
far the most common.
⬧ Environmental: This is not nature, but the environments we work in,
the power grid, the internet connections, hardware failures, software
flaws,…
▪ Event:
⬧ An observable change in state, this is neither negative nor positive, it is
just something has changed.
⬧ A system powered on, traffic from one segment to another, an
application started.
▪ Alert:
⬧ Triggers warnings if certain event happens.
⬧ This can be traffic utilization above 75% or memory usage at 90% or
more for more than 2 minutes.
▪ Incident:
⬧ Multiple adverse events happening on our systems or network, often
caused by people.
▪ Problem:
⬧ Incidence with an unknown cause, we would follow similar steps to
incidence response.
⬧ More time would be spent on root cause analysis, we need to know
what happened so we can prevent it from happening again, this could
be a total internet outage or server crash.
▪ Inconvenience (Non-disasters):
⬧ Non-disruptive failures, hard disk failure, 1 server in a cluster is down,…
▪ Emergency (Crisis):
⬧ Urgent, event with the potential for loss of life or property.
▪ Disaster:
⬧ Our entire facility is unusable for 24 hours or longer.
⬧ If we are geographically diverse and redundant we can mitigate this a
lot.
⬧ Yes, a snowstorm can be a disaster.
▪ Catastrophe:
⬧ Our facility is destroyed.

10 | P a g e
[Link]
 CISSP Domain 7 Lecture notes
▪ We most common use a 8-step
lifecycle.
1. Preparation.
2. Detection (Identification).
3. Response (Containment).
4. Mitigation (Eradication).
5. Reporting.
6. Recovery.
7. Remediation.
8. Lessons Learned (Post-incident
Activity, Post Mortem, or Reporting).

▪ Preparation:
⬧ This is all the steps we take
to prepare for incidences.
⬧ We write the policies, procedures, we train our staff, we procure the
detection soft/hardware, we give our incidence response team the tools
they need to respond to an incident.
⬧ The more we train our team, the better they will handle the response,
the faster we recover, the better we preserve the crime scene (if there
is one), the less impactful an incident will be.
▪ Detection:
⬧ Events are analyzed to determine if they might be a security incident.
⬧ If we do not have strong detective capabilities in and around our
systems, we will most likely not realize we have a problem until long
after it has happened.
⬧ The earlier we detect the events, the earlier we can respond, IDS's can
help us detect, where IPS's can help us detect and prevent further
compromise.
⬧ The IDS's and IPS's can help us detect and prevent on a single network
segment, we also need something that can correlate all the information
from the entire network.
▪ Response:
⬧ The response phase is when the incident response team begins
interacting with affected systems and attempts to keep further damage
from occurring as a result of the incident.
⬧ This can be taking a system off the network, isolating traffic, powering
off the system, or however our plan dictates to isolate the system to
minimize both the scope and severity of the incident.
⬧ Knowing how to respond, when to follow the policies and procedures to
the letter and when not to, is why we have senior staff handle the
responses.
⬧ We make bit level copies of the systems, as close as possible to the time
of incidence to ensure they are a true representation of the incident.

11 | P a g e
[Link]
 CISSP Domain 7 Lecture notes
⬧ IT Security is there to help the business, it may not be the choice of
senior management to disrupt business to contain or analyze, it is
ultimately a decision that is made by them.
⬧ We stop it from spreading, but that is it, we contain the event.
▪ Mitigation:
⬧ We understand the cause of the incident so that the system can be
reliably cleaned and restored to operational status later in the recovery
phase.
⬧ Organizations often remove the most obvious sign of intrusion on a
system or systems, but miss backdoors and other malware installed in
the attack.
⬧ The obvious sign is often left to be found, where the actual payload is
hidden. if that is detected or assumed, we often just rebuild the system
from scratch and restore application files from a known good backup,
but not system files.
⬧ To ensure the backup is good, we need to do root cause analysis, we
need a timeline for the intrusion, when did it start?
⬧ If it is from a known vulnerability we patch. If it's a newly discovered
vulnerability we mitigate it before exposing the newly built system to
the outside again.
⬧ If anything else can be learned about the attack, we can add that to our
posture.
⬧ Once eradication is complete, we start the recovery phase.
▪ Reporting:
⬧ We report throughout the process beginning with the detection, and we
start reporting immediately when we detect malicious activity.
⬧ The reporting has 2 focus areas: technical and non-technical.
⬧ The incident handling teams report the technical details of the incident
as they start the incident handling process, but they also notify
management of serious incidents.
⬧ The procedures and policies will outline when which level of
management needs to be informed and involved, it is commonly
forgotten until later and can be a RPE (Resume Producing Event).
⬧ Management will also involve other departments if needed, this could
be legal, PR or whomever has been identified in the policies or
procedures.
▪ Recovery:
⬧ We carefully restore the system or systems to operational status.
⬧ When the system is ready for reinsertion is determined by the business
unit responsible for the system.
⬧ We closely monitor the rebuilt or cleaned system carefully, it is possible
the attackers left backdoors or we did not remove all the infected
sectors.

12 | P a g e
[Link]
 CISSP Domain 7 Lecture notes
⬧ Often the system(s) are reinserted off peak hours to minimize the effect
of the system(s) still being infected, or they can be introduced in a
controlled sandbox environment to see if the infection persists.
▪ Remediation:
⬧ The remediation happens during the mitigation phase, where
vulnerabilities on the impacted system or systems are mitigated.
⬧ Remediation continues after mitigation and becomes broader, this can
be patching all systems with the same vulnerability or change how the
organization authenticates.

▪ Lessons Learned:
⬧ This phase is often overlooked, we removed the problem, we have
implemented new controls and safeguards.
⬧ We can learn a lot from lessons learned, not just about the specific
incidence, but how well we handle them, what worked, what didn't.
⬧ How can we as an organization grow and become better next time we
have another incidence? While we may have fixed this one vulnerability
there are potentially 100's of new ones we know nothing about yet.
⬧ At the end of lessons learned we produce a report to senior
management, with our findings, we can only make suggestions, they are
ultimately in charge (and liable).
⬧ Often after major incidents organizations shift to a top-down approach
and will listen more to IT Security.
⬧ The outcome and changes of the Lessons Learned will then feed into
our preparation.
▪ Root-Cause Analysis:
⬧ We attempt to determine the underlying weakness or vulnerability that
allowed the incident to happen.
⬧ If we do not do the root-cause analysis we will most likely face the same
problem again.
⬧ We need to fix the vulnerability on the system(s) that were effected, but
also on any system in the organization that has that particular
vulnerability or set of vulnerabilities.
⬧ We could have a weak password policy and weak encryption, that could
be the root cause of a system compromise, we then would implement
countermeasures to remove the vulnerability.
⬧ If we do nothing and just fix the problem, the root of the issue still
persists, that is what we need to fix.

13 | P a g e
[Link]
 CISSP Domain 7 Lecture notes
 Preventive and Detective Controls:
• IDS’s and IPS’s:
▪ We use both IDS’s (Intrusion Detection Systems) and IPS’s (Intrusion Prevention
Systems) on our network to capture and alert or block traffic seen as malicious.
▪ They can be categorized into 2 types and with 2 different approaches toward
identifying malicious traffic.
⬧ Network-Based, placed on a network segment (a switch port in
promiscuous mode).
⬧ Host-Based, on a client, normally a server or workstation.
⬧ Signature (Pattern) Matching, similar to anti virus, it matches traffic
against a long list of known malicious traffic patterns.
⬧ Heuristic-Based (Behavioral), uses a normal traffic pattern baseline to
monitor for abnormal traffic.
▪ Just like firewalls, routers, servers, switches and everything else in our
environment they just see part of the larger picture, for full picture views and
data correlation we use a SIEM (Security Information and Event Management)
system or even better a SOAR (Security Orchestration, Automation, and
Response) system.
• IDS (Intrusion Detection System):
▪ They are passive, they monitor, but they take no action other than sending out
alerts.
▪ Events trigger alerts: Emails/text message to administrators or an alert on a
monitoring tool, but if not monitored right this can take hours before noticed.
• IPS (Intrusion Prevention System):
▪ Similar to IDS, but they also take action to malicious traffic, what they do with
the traffic is determined by configuration.
▪ Events trigger an action, drop/redirect traffic, often combined with the trigger
monitoring/administrator warnings, emails or text messages.
• IDS/IPS:
▪ Part of our layered defense.
▪ Basically they are packet sniffers with analysis engines.
• Network-Based, placed on a network segment (a switch port in promiscuous mode).
▪ Looks at a segment of our network, normally a switch, but can aggregate
multiple switches.
▪ Inspects Host/destination ports, IP's, protocols, content of traffic, but can
obviously not look in encrypted traffic.
▪ Can protect against DDOS, Port scans, brute force attacks, policy violations,…
▪ Deployed on one switch, port and NIC must be promiscuous and port must be a
span port.
• Host-Based, on a client, normally a server or workstation.
▪ We only look at a single system.
▪ Who is using the system, the resource usage, traffic,...
▪ It can be application specific, it doesn’t have to be the entire system we
monitor.
▪ If we do chose to do traffic analysis it will impact the host by slowing it down.

14 | P a g e
[Link]
 CISSP Domain 7 Lecture notes
▪ Certain attacks can turn off HIDS/HIPS.
▪ Can look at the actual data (it is decrypted at the end device), NIDS/NIPS can't
look at encrypted packets.
• Signature-Based:
▪ Looks for known malware signatures.
▪ Faster since they just check traffic against malicious signatures.
▪ Easier to set up and manage, someone else does the signatures for us.
▪ They are completely vulnerable to 0 day attacks, and have to be updated
constantly to keep up with new vulnerability patterns.
• Heuristic-Based (Behavioral):
▪ Looks for abnormal behavior - can produce a lot of false positives.
▪ We build a baseline of what normal network traffic looks like and all traffic is
matched to that baseline.
▪ Traffic not matching the baseline is handled depending on settings, they can
take a lot of tweaking.
▪ Can detect 'out of the ordinary' activity, not just attacks.
▪ Takes much more work and skills.

• Hybrid-Based systems combining both are more used now and check for both
signatures and abnormalities.

• Intrusion Events and Masking:

▪ IDS/IPS obviously then prompt attackers to develop attacks that try to avoid
detection.
⬧ Fragmentation: Sending fragmented packets, the attack can avoid the
detection system's ability to detect the attack signature.
⬧ Avoiding Defaults: The TCP port utilized by a protocol does not always
provide an indication to the protocol which is being transported.
Attackers can send malware over an unexpected port.
⬧ Low-Bandwidth Coordinated Attacks: A number of attackers (or agents)
allocate different ports or hosts to different attackers making it difficult
for the IDS to correlate the captured packets and deduce that a network
scan is in progress.
⬧ Address spoofing/proxying: attackers can use poorly secured or
incorrectly configured proxy servers to bounce an attack. If the source is
spoofed and bounced by a server then it makes it very difficult for IDS to
detect the origin of the attack.
⬧ Pattern Change Evasion: The attacker changes the data used slightly,
which may avoid detection.

15 | P a g e
[Link]
 CISSP Domain 7 Lecture notes
▪ Alerts on IDS’s/IPS’s can, like biometrics, be one of 4 categories:
⬧ True Positive: An attack is happening and the system detects it and acts.
⬧ True Negative: Normal traffic on the network and the system detects it
and does nothing.
⬧ False Positive: Normal traffic and the system detects it and acts.
⬧ False Negative: An attack is happening the system does not detect it
and does nothing.
▪ We rarely talk about the “true” states since things are happening like they are
supposed to, we are interested in when it doesn’t and we prevent authorized
traffic or allow malicious traffic.

• SIEM (Security information and event management):

▪ Often pronounced SEM or SIM.
▪ Provides a holistic view of our organization’s events and incidents.
▪ Gathers from all our systems and looks at everything
▪ Centralizes the storage and interpretation of logs, traffic and allows near real-
time automated identification, analysis and recovery of security events.

16 | P a g e
[Link]
 CISSP Domain 7 Lecture notes
• SOAR (Security Orchestration, Automation, and Response):
▪ A software solution that uses AI to allows us to respond to some security
incidents automatically.
▪ SOAR vs. SIEM: Very similar, both detect/alert on security events, but using AI,
SOAR will also react to some events.
⬧ SIEMs often generate more alerts than a SOC team can handle, SOAR
can reduce that.
▪ SOAR combines all the comprehensive data we gather, has case management,
standardization, workflows, and analytics, and it can integrate with many of our
other solutions (Vulnerability Management (VM), IT Service Management
(ITSM), Threat Intelligence, …).
▪ All this can help our organization implement a detailed defense-in-depth
solution.

• Application Positive-listing:
▪ We can positive-list the applications we want to allow to run on our
environments, but it can also be compromised.
▪ We would positive-list against a trusted digital certificate, a known hash or path
and name, the latter is the least secure, an attacker can replace the file at the
path with a malicious copy.
▪ Building the trusted application positive-list takes a good deal of time, but is far
superior to negative-listing, there are 10,000’s of application and we can never
keep up with them.

• Removable Media Controls:

▪ Good security policies would also have us lock down USB ports, CD drives,
memory card ports and anything else where you can load malicious code onto
our systems from external devices.
▪ For servers we may rarely have to enable USB ports for firmware or other
updates, we would enable the ports while we use them and lock them right
away after, it is safer to be done centrally via group policies or similar.

• Honeypots and Honeynets:

▪ Honeypots:
⬧ System looking like a real system, but with the sole purpose of
attracting attackers.
⬧ They are used to learn about our vulnerabilities and how attackers
would circumvent our security measures.
⬧ Used both internally and externally, internal honeypots can alert us to
attackers and malware that made it past our security perimeter and
external honeypots teach us about the attack vectors attackers use.
⬧ External honeypots will get compromised on a regular basis, we analyze
the attack and ensure our internal systems are protected against that
type of attack.

17 | P a g e
[Link]
 CISSP Domain 7 Lecture notes
⬧ Honeypots are rarely hardened completely, our actual data servers are
always hardened completely.
⬧ Always talk to your legal department before deploying honeypots.
▫ Remember the thin line between entrapment and enticement.
▫ What are the legal/liability ramifications if an attacker launches
a 3rd party attack from
your honeypot/net.
▫ Get very clear legal
guidelines issued before
deploying, and get senior
management's approval in
writing.
▪ Honeynets:
⬧ A network (real or simulated) of
honeypots, can be a full server
farm simulated with applications,
OS's and fake data.
⬧ Best practice segments the
honeynet from our actual network
by a DMZ/firewall.
⬧ The SIEM/SOAR systems collects
the data from our internal systems
as well as the honeynet.

• Configuration Management:
▪ When we receive or build new systems they often are completely open, before
we introduce them to our environment we harden them.
▪ We develop a long list of ports to close, services to disable, accounts to delete,
missing patches and many other things.
▪ Often it is easier to have OS images that are completely hardened and use the
image for the new system, we then update the image when new vulnerabilities
are found or patches need to be applied, often though we use a standard image
and just apply the missing patches.
▪ We do this for any device on our network, servers, workstations, phones,
routers, switches,...
▪ Pre-introduction into our production environment we run vulnerability scans
against the system to ensure we didn't miss anything (Rarely done on
workstations, should be done on servers/network equipment).
▪ Having a standard hardening baseline for each OS ensures all servers are
similarly hardened and there should be no weak links, we also have the
standardized hardening making troubleshooting much easier.
▪ Once a system is introduced to our production environment we monitor
changes away from our security baseline, most changes are administrators
troubleshooting or making workarounds, which may or may not be allowed, but
it could also be an attacker punching a path out of our network.

18 | P a g e
[Link]
 CISSP Domain 7 Lecture notes
 Asset Management:
• Patch Management:
▪ In order to keep our network secure we need to apply patches on a regular
basis.
▪ Whenever a vulnerability is discovered the software producer should release a
patch to fix it.
▪ Microsoft for instance have “Patch Tuesday” (2nd Tuesday of the month).
⬧ They release all their patches for that month.
⬧ If critical vulnerabilities are discovered they push those patches outside
of Patch Tuesday.
⬧ Most organizations give the patches a few weeks to be reviewed and
then implement them in their environment.
▪ We normally remember the OS patches, but can often forget about network
equipment updates, array updates, IoT updates and so on, if they are not
patched we are not fully using defense in depth and we can expose ourselves to
risk.
▪ I have seen places where full rack disk arrays were not encrypted and had not
been patched since installation over 10 years prior, the reasoning was poorly
designed data storage and updating would take the disks offline for up to an
hour, which for the organization was unacceptable.
▪ We use software to push our patches to all appropriate systems, this is easier,
we ensure all systems gets patched and they all get the same parts of the patch,
we may exclude some parts that have an adverse effect on our network.
▪ Common tools could be SCCM or WSUS, they do not only push patches, but any
software we want to distribute to our organization.
▪ We do the pushes after hours to not impact the availability during working
hours, normally done Friday or Saturday night somewhere between 01:00 am
and 04:00 am.
▪ Most places avoid midnight as a lot of backups and jobs run at that time, and
end no later than 04:00 am or 05:00 am to ensure systems are online by the
start of business the following day.

• Change Management:
▪ Our formalized process on how we handle changes to our environments.
▪ If done right we will have full documentation, understanding and we
communicate changes to appropriate parties.
▪ The change review board should be comprised of both IT and other operational
units from the organization, we may consider impacts on IT, but we are there to
serve the organization, they need to understand how it will impact them and
raise concerns if they have any.
▪ A change is proposed to the change board, they research in order to understand
the full impact of the change.
▪ The person or group submitting the change should clearly explain the reasons
for the change, the pro's and con's of implementing and not implementing, any

19 | P a g e
[Link]
 CISSP Domain 7 Lecture notes
changes to systems and processes they know about and in general aide and
support the board with as much information as needed.
▪ The board can have senior leadership on it or they can have a predefined range
of changes they can approve and anything above that threshold they would
make recommendations but changes require senior leadership approval.
▪ There are many different models and process flows for change management,
some are dependent on organization structure, maturity, field of business and
many other factors.
⬧ A generalized flow would look like this:
1. Identifying the change.
2. Propose the change.
3. Assessing risks, impacts and benefits of implementing and
not implementing.
4. Provisional change approval, if testing is what we expect
this is the final approval.
5. Testing the change, if what we expected we proceed, if not
we go back.
6. Scheduling the change.
7. Change notification for impacted parties.
8. Implementing the change.
9. Post implementation reporting of the actual change impact.

▪ We closely monitor and audit changes, remember changes can hold residual risk
which we would then have to mitigate.
▪ Everything in the change control process should be documented and kept, often
auditors want to see that we have implemented proper change controls, and
that we actually follow the paper process we have presented them with.

20 | P a g e
[Link]
 CISSP Domain 7 Lecture notes

• 0-day Vulnerabilities:
▪ Vulnerabilities not generally known or discovered, the first time an attack is
seen is considered day 0, hence the name.
▪ From when a vulnerability is discovered it is now only a short timespan before
patches or signatures are released on major software.
▪ With millions of lines of code in a lot of software and the 1% errors we talked
about there will always be new attack surfaces and vulnerabilities to discover.
The only real defense against the 0 day exploits is defense in depth and when
discovered immediate patching as soon as it is available and we have tested it in
our test environments. Most signatures in IDS/IPS and anti virus auto update as
soon as new signatures are available.
▪ 0-day Vulnerability: The vulnerability that has not been widely discovered and
published.
▪ 0-day Exploit: Code that uses the 0-day vulnerability.
▪ 0-day Attack: The actual attack using the code.
▪ The Stuxnet worm that targeted Iran's nuclear centrifuges used 4 unique 0-day
exploits (previously unheard of).
▪ It was developed over 5+ years and estimated to have cost 100's of millions of
dollars.
▪ Stuxnet has three modules:
⬧ A worm that executes all routines related to the main payload of the
attack;
⬧ A link file that automatically executes the propagated copies of the
worm.
⬧ A rootkit responsible for hiding all malicious files and processes,
preventing detection of Stuxnet.
▪ It is introduced to the target environment by an infected USB flash drive.

21 | P a g e
[Link]
 CISSP Domain 7 Lecture notes
▪ The worm then propagates across the network, scanning for Siemens Step7
software on computers controlling a PLC, If both are not present, Stuxnet
becomes dormant inside the computer, it will still replicate the worm.
▪ If both are present, Stuxnet introduces the infected rootkit onto the PLC and
Step7 software, modifying the codes and giving unexpected commands to the
PLC while returning a loop of normal operations system values feedback to the
users.

 Continuity of Operations:
• Fault Tolerance:
▪ To ensure our internal SLAs and provide as high availability as possible we use as
high degree of redundancy and resiliency as makes sense to that particular
system and data set.
▪ Backups:
⬧ One of the first things that comes to mind when talking about fault
tolerance is backups of our data, while it is very important it is often like
log reviews an afterthought and treated with "Set it and forget it"
mentality.
⬧ For backups we use Full, Incremental, Differential and Copy backups,
and how we use them is determined on what we need from our
backups.
⬧ How much data we can stand to lose and how fast we want the backup
and restore process to be.
⬧ In our backup solution we make backup policies of what to back up,
what to exclude, how long to keep the data of the Full, Incremental and
Differential backups.
⬧ All these values are assigned dependent on what we back up, and
normal organizations would have different backup policies and apply
those to the appropriate data.
⬧ This could be Full 3, 6, 12, 36, 84 months and infinity, the retention is
often mandated by our policies and the regulations in our field of
business.
⬧ It is preferable to run backups outside of business hours, but if the
backup solution is a little older it can be required to run around the
clock, in that case we put the smaller and less important backups in the
daytime and the important larger ones after hours.
⬧ We often want to exclude parts of the system we are backing up, this
could be the OS, the trashcan, certain program folders, ... we just
backup what is important and rarely everything.
⬧ If a system is compromised and the issue is a rootkit, the rootkit would
persist on the backup if we did a full mirror restore, by eliminating some
of the system data we not only backup a lot less data, we also may
avoid the infection we are trying to remedy.
⬧ For very important data we may do hourly incremental or use another
form of data loss prevention (covered later in this chapter).

22 | P a g e
[Link]
 CISSP Domain 7 Lecture notes
⬧ Full Backup:
▫ This backs everything up, the entire database (most often), or
the system.
▫ A full backup clears all archive bits.
▫ Dependent on the size of the data we may do infrequent full
backups, with large datasets it can take many hours for a full
backup.
▫ IF we need to restore on Thursday:
→ Restore with a single Wednesday full backup tape.
→ 1 tape.

⬧ Incremental Backup:
▫ Backs up everything that has changed since the last backup.
▫ Clears the archive bits.
▫ Incremental are often fast to do, they only backup what
has changed since the last incremental or full.
▫ The downside to them is if we
do a monthly full
backup and daily
incremental, we
have to get a full
restore and
could have to
use up to 30
tapes, this would
take a lot longer than
with 1 Full and 1
Differential.
▫ IF we need to restore on Thursday:
→ Restore with the full Sunday backup and Monday,
Tuesday, and Wednesday’s incremental tapes.
→ 4 tapes.

23 | P a g e
[Link]
 CISSP Domain 7 Lecture notes
⬧ Differential Backup:
▫ Backs up everything since the last Full backup.
▫ Does not clear the archive bit.
▫ Faster to restore since we just need 2 tapes for a full restore,
the full and the differential.
▫ Backups take longer than the incremental, we are backing
everything since the last full.
▫ Never use both incremental and differential on the same data, it
is fine on the same backup solution, different data has different
needs.
▫ IF we need to restore on Thursday:
→ Restore with the Sunday full backup and Wednesday’s
incremental tapes.
→ 2 tapes.

⬧ Copy Backup:
▫ This is a full backup with one important difference, it does not
clear the archive bit.
▫ Often used before we do system updates, patches and similar
upgrades.
▫ We do not want to mess up the backup cycle, but we want to be
able to revert to a previous good copy if something goes wrong.
⬧ Archive Bit:
▫ For Windows the NTFS has an archive bit on file, it is a flag that
indicates if the file was changed since the last Full or
Incremental backup.

24 | P a g e
[Link]
 CISSP Domain 7 Lecture notes
• On our systems we build in fault tolerance to give them as high as
possible uptime, we do this with redundant hardware and
systems, one of the practices we use is RAID.
• RAID (Redundant Array of Independent/Inexpensive Disks):
▪ Comes in 2 basic forms, disk mirroring and disk striping.
⬧ Disk Mirroring:
▫ Writing the same data across multiple
hard disks, this is slower, the RAID
controller has to write all data twice.
▫ Uses at least 2 times as many disks for
the same data storage, needs at least 2
disks.
⬧ Disk Striping:
▫ Writing the data simultaneously
across multiple disks providing
higher write speed.
▫ Uses at least 2 disks, and in it self
does not provide redundancy.
▫ We use parity with striping for the
redundancy, often by XOR, if we
use parity for redundancy we need
at least 3 disks.

▪ There are many different types of RAID, for the exam I would know the above
terms and how RAID 0, 1 and 5 works.
▪ RAID 0:
⬧ Striping with no mirroring or parity, no fault tolerance, only provides
faster read write speed, requires at least 2 disks
▪ RAID 1:
⬧ Mirror set, 2 disks
with identical data,
and write function
is written to both
disks
simultaneously.

25 | P a g e
[Link]
 CISSP Domain 7 Lecture notes
▪ RAID 5:
⬧ Block level striping with distributed parity, requires at least 3 disks.
⬧ Combined speed with redundancy.
• RAID will help with data loss when we
have a single disk failure if we use a
fault tolerant RAID type, if more than
one disk fails before the first is
replaced and rebuilt, we would need
to restore from our tapes.
• Most servers have the same disks with
the same manufacturer date, they will
hit their MTBF (Mean time between
failures) around the same time.
• Larger data centers often have SLA’s
with the hard disk/server vendor,
which also includes MTTR (Mean time
to repair).
• This could be within 4 or 8 hours the vendor has to be onsite with a replacement disk.

• System Redundancy:
▪ On top of the RAID and the backups we also try to provide system redundancy
as well as redundant parts on the systems.
▪ The most common system failures are from pieces with moving parts, this could
be disks, fans or PSU (power supplies).
▪ Most servers have redundant power supplies, extra fans, redundant NIC’s.
▪ The NIC and PSU serve a dual purpose, both for internal redundancy and
external. If a UPS fails, the server is still operational with just the 1 PSU getting
power.
▪ Redundant disk controllers are also reasonably common, we design and buy the
system to match the redundancy we need for that application.

26 | P a g e
[Link]
 CISSP Domain 7 Lecture notes
▪ Often we have spare hardware on hand in the event of a failure, this could
include hard disks, PSU's, fans, memory, NICs.
▪ Many systems are built for some hardware to be hot-swappable, most
commonly HDD's, PSU's and fans.
▪ If the application or system is important we often also have multiple systems in
a cluster.
▪ Multiple servers often with a virtual IP, seen as a single server to users.
▪ Clustering is designed for fault tolerance, often combined with load balancing,
but not innately.
▪ Clustering can be active/active, this is load balancing, with 2 servers both
servers would actively process traffic.
▪ Active/passive: There is a designated primary active server and a secondary
passive server, they are connected and the passive sends a keep-alive or
heartbeat every 1-3 seconds, are you alive, are you alive,... AS long as the active
server responds the passive does nothing, if the active does not respond for
(normally) 3 keepalives the passive assumes the primary is dead and assumes
the primary role.
▪ In well designed environments the servers are geographically dispersed.
▪ We can also use other complementary backup strategies to give ourselves more
real time resilience, and faster recovery.
▪ Database Shadowing:
⬧ Exact real time copy of the database or files to another location.
⬧ It can be another disk in the same server, but best practice dictates
another geographical location, often on a different media.
▪ Electronic Vaulting (E-vaulting):
⬧ Using a remote backup service, backups are sent off-site electronically
at a certain interval or when files change.
▪ Remote Journaling:
⬧ Sends transaction log files to a remote location, not the files
themselves. The transactions can be rebuilt from the logs if we lose the
original files.

27 | P a g e
[Link]
 CISSP Domain 7 Lecture notes
 BCP and DRP:
• Any organization will encounter disasters every so often, how we try to avoid them, how
we mitigate them and how we recover when they happen is very important.
• If we do a poor job the organization may be severely impacted or have to close.
• Companies that had a major loss of data, 43% never reopen and 29% close within two
years.
• BCP (Business Continuity Plan):
▪ This is the process of creating the long-
term strategic business plans, policies
and procedures for continued operation
after a disruptive event.
▪ It is for the entire organization,
everything that could be impacted, not
just IT.
▪ Lists a range of disaster scenarios and the
steps the organization must take in any
particular scenario to return to regular
operations.
▪ BCP’s often contain COOP (Continuity of
Operations Plan), Crisis Communications
Plan, Critical Infrastructure Protection
Plan, Cyber Incident Response Plan, DRP
(Disaster Recovery Plan), ISCP
(Information System Contingency Plan),
Occupant Emergency Plan.
▪ What would we do if a critical supplier closed, the facility was hit by an
earthquake, what if we were snowed in and staff couldn't get to work,...
⬧ They are written ahead of time, and continually improved upon, it is an
iterative process.
⬧ We write the BCP with input from key staff and at times outside BCP
consultants.

• DRP (Disaster Recovery Plan):

▪ This is the process of creating the short-term plans, policies, procedures and
tools to enable the recovery or continuation of vital IT systems in a disaster.
▪ It focuses on the IT systems supporting critical business functions, and how we
get those back up after a disaster.
▪ DRP is a subset of our BCP.
▪ We look at what we would do if we get hit with a DDOS attack (can be in the
DRP or in our Cyber Incident Response Plan), a server gets compromised, we
experience a power outage, ...
▪ Often the how and system specific, where the BCP is more what and non-system
specific.

28 | P a g e
[Link]
 CISSP Domain 7 Lecture notes
• We categorize disasters in 3 categories: Natural, Human, or Environmental.
▪ Natural:
⬧ Anything caused by nature, this could be earthquakes, floods, snow,
tornados, ...
⬧ They can be very devastating, but are less common than the other types
of threats.
⬧ The natural disaster threats are different in different areas, we do the
risk analysis on our area.
⬧ For one site we could build our buildings and data center earthquake
resilient and another flood resilient.
▪ Human:
⬧ Anything caused by humans, they can be intentional or unintentional
disasters.
⬧ Unintentional could be an employee uses a personal USB stick on a PC
at work and spreads malware, just as bad as if an attacker had done it,
but the employee were just ignorant, lazy or didn't think it would
matter.
⬧ Intentional could be malware, terrorism, DOS attacks, hacktivism,
phishing, ...
▪ Environmental (Not to be confused with natural disasters):
⬧ Anything in our environment, could be power outage/spikes, hardware
failures, provider issues, ...

• Errors and Omissions (Human):

▪ The most common reason for disruptive events are internal employees, often
called errors and omissions.
▪ They are not intending to harm our organization, but they can inadvertently do
so by making mistakes or not following proper security protocols.
▪ This could be a mistype, leaving a door unlocked to go outside to smoke or
leaving a box of backup tapes somewhere not secure.
▪ They often have a minor impact, but if we have issues where they are deemed
very common or potentially damaging we can build in controls to mitigate them.
▪ We could put a double check in place for the mistype, an alarm on the unlocked
door that sounds after being open for 10 seconds, or very clear procedures and
controls for the transport of backup tapes.

• Electrical or Power Problems (Environmental):

▪ Are power outages common in our area?
▪ Do we have proper battery and generator backup to sustain our sites for an
extended period of time?
▪ We want the redundancy of UPS's and generators, they both supply constant
and clean power.
▪ These should always be in place in data centers, but what about our other
buildings?
▪ Power fluctuations can damage hardware.

29 | P a g e
[Link]
 CISSP Domain 7 Lecture notes
• Heat (Environmental):
▪ Many data centers are kept too cold, the last decades research has shown it is
not needed.
▪ Common temperature levels range from 68–77 °F (20–25 °C) - with an allowable
range 59–90 °F (15–32 °C).
▪ Keeping a Data Center too cold wastes money and raises humidity.

• Pressure (Environmental): Keeping positive pressure keeps outside contaminants out.

• Humidity (Environmental): Humidity should be kept between 40 and 60% rH (Relative

Humidity).
▪ Low humidity will cause static electricity and high humidity will corrode metals
(electronics).

• Warfare, Terrorism and Sabotage (Human):

▪ We still see plenty of conventional conflicts and wars, but there is much more
happening behind the veil of the internet, hacking for causes, countries, religion
and many more reasons.
▪ It makes sense to cripple a country's or region's infrastructure if you want to
invade or just destabilize that area.
▪ This could be for war, trade, influence or many other reasons, everything is so
interconnected we can shut down water, electricity or power from across the
world.
▪ The targets are not always the obvious targets, hospitals, air travel, shipping,
production,... are potential targets.
▪ State, Cause or Religious Hacking (Human):
⬧ Common, we often see the attacks happening 9-5 in that time zone, this
is a day job.
⬧ Approximate 120 countries have been developing ways to use the
internet as a weapon to target financial markets, government computer
systems and utilities.
⬧ Famous attacks: US elections (Russia), Sony websites (N. Korea), Stuxnet
(US/Israel), US Office of Personnel Management (China),…

30 | P a g e
[Link]
 CISSP Domain 7 Lecture notes
• Financially Motivated Attackers (Human):
▪ We are seeing more and more financially motivated attacks, they can be both
highly skilled or not.
▪ The lower skilled ones could be normal phishing attacks, social engineering or
vishing, these are often a
numbers game, but only a very
small percentage needs to pay
to make it worth the attack.
▪ The ones requiring more skills
could be stealing cardholder
data, identity theft, fake anti-
malware tools, or corporate
espionage,...
▪ Ransomware is a subtype of
financially motivated attacks, it
will encrypt a system until a
ransom is paid, if not paid the
system is unusable, if paid the
attacker may send instructions
on how to recover the system.
▪ Attackers just want the payday,
they don’t really care from
whom.

• Personnel Shortages(Human/Nature/Environmental):
▪ In our BCP, we also have to ensure that we have redundancy for our personnel
and how we handle cases where we have staff shortages.
▪ If we have 10% of our staff, how impacted is our organization?
▪ This can be caused by natural events (snow, hurricane) but is more commonly
caused by the flu or other viruses.
▪ Pandemics:
⬧ Organizations should identify critical staff by position not by name, and
have it on hand for potential epidemics. <Insert your own COVID-19
work experiences here.>
▪ Strikes:
⬧ A work stoppage caused by the mass refusal of employees to work.
⬧ Usually takes place in response to employee grievances.
⬧ How diminished of a workforce can we have to continue to function?
▪ Travel:
⬧ When our employees travel, we need to ensure both they and our data
is safe.
⬧ That may mean avoiding certain locations, limiting what they bring of
hardware and what they can access from the remote location.
⬧ If they need laptops/smartphones, we use encryption, device
monitoring, VPNs, and all other appropriate measures.

31 | P a g e
[Link]
 CISSP Domain 7 Lecture notes
• Our DRP (Disaster Recovery Plan) should answer at least three basic questions:
▪ What is the objective and purpose?
▪ Who will be the people or teams who will be responsible in case any disruptions
happen?
▪ What will these people do (our procedures) when the disaster hits?
• Normal plans are a lot more in depth and outline many different scenarios, they have a
clear definition of what a disaster is, who can declare it, who should be informed, how
often we send updates to whom, who does what,…
• It is easy to just focus on getting back up and running when we are in the middle of a
disaster, staff often forget about communication, preserving the crime scene (if any)
and in general our written procedures.

• DRP has a lifecycle of Mitigation, Preparation, Response and Recovery.

▪ Mitigation: Reduce the impact, and likeliness of a disaster.
▪ Preparation: Build programs, procedures and tools for our response.
▪ Response: How we react in a disaster, following the procedures.
▪ Recovery: Reestablish basic functionality and get back to full production.

• We have looked at the first 2 before, for now we will focus on Response and Recovery.
▪ Response: How we react in a disaster, following the procedures.
⬧ How we respond and how quickly we respond is essential in Disaster
Recovery.
⬧ We assess if the incident we were alerted to or discovered is serious and
could be a disaster, the assessment is an iterative process.
▫ The more we learn and as the team gets involved we can assess
the disaster better.
⬧ We notify appropriate staff to help with the incident (often a call tree or
automated calls), inform the senior management identified in our plans
and if indicated by the plan communicate with any other appropriate
staff.

32 | P a g e
[Link]
 CISSP Domain 7 Lecture notes
▪ Recovery: Reestablish basic functionality and get back to full production.
⬧ We act on our assessment using the plan.
⬧ At this point all key stakeholders should be involved, we have a clearer
picture of the disaster and take the appropriate steps to recover. This
could be DR site, system rebuilds, traffic redirects,…

 Developing our BCP and DRP:

• Older versions of NIST 800-34 had these steps as a framework for building our BCP/DRP,
they are still very applicable.
• Project Initiation: We start the project, identify stakeholders, get C-level approval and
formalize the project structure.
• Scope the Project: We identify exactly what we are trying to do and what we are not.
• Business Impact Analysis: We identify and prioritize critical systems and components.
• Identify Preventive Controls: We identify the current and possible preventative controls
we can deploy.
• Recovery Strategy: How do we recover efficiently? What are our options? DR site,
system restore, cloud,...
• Plan Design and Development: We build a specific plan for recovery from a disaster,
procedures, guidelines and tools.
• Implementation, Training, and Testing: We test the plan to find gaps and we train staff
to be able to act on the plan.
• BCP/DRP Maintenance: It is an iterative process. Our organization develops, adds
systems, facilities or technologies and the threat landscape constantly changes, we have
to keep improving and tweaking our BCP and DRP.

• Senior management needs to be involved and committed to the BCP/DRP process,

without that it is just lip service.
▪ They need to be part of at least the initiation and the final approval of the plans.
▪ They are responsible for the plan, they own the plan and since they are
ultimately liable, they must show due-care and due-diligence.
▪ We need top-down IT security in our organization (the exam assumed we have
that).
▪ In serious disasters, it will be Senior Management or someone from our legal
department that will talk to the press.
▪ Most business areas often feel they are the most important area and because of
that their systems and facilities should receive the priority, senior management
being ultimately liable and the leaders of our organization, obviously have the
final say in priorities, implementations and the plans themselves.

33 | P a g e
[Link]
 CISSP Domain 7 Lecture notes
• BCP/DRP’s are often built using the waterfall project management methodology, we will
cover it in the next domain.

• The BCP team has sub-teams responsible for rescue, recovery and salvage in the event
of a disaster or disruption.
▪ Rescue Team (Activation/Notification):
⬧ Responsible for dealing with the disaster as it happens. Evacuates
employees, notifies the appropriate personnel (call trees) pulls the
network from the infected server or shuts down systems, and initial
damage assessment.
▪ Recovery Team (Failover):
⬧ Responsible for getting the alternate site up and running as fast as
possible or for getting the systems rebuilt.
⬧ We get the most critical systems up first.
▪ Salvage Team (Failback):
⬧ Responsible for returning our full infrastructure, staff and operations to
our primary site or a new facility if the old site was destroyed.
⬧ We get the least critical systems up first, we want to ensure the new
sites is ready and stable before moving the critical systems back.

• BIA (Business Impact Analysis):

▪ Identifies critical and non-critical organization systems, functions and activities.
▪ Critical is where disruption is considered unacceptable, the acceptability is also
based on the cost of recovery.
▪ A function may also be considered critical if dictated by law.
▪ For each critical (in scope) system, function or activity, two values are then
assigned:
▪ RPO (Recovery Point Objective): The acceptable amount of data that can not
be recovered.
⬧ The recovery point objective must ensure that the maximum tolerable
data loss for each system, function or activity is not exceeded.
⬧ If we only back up once a week, we accept up to a week of data loss.
▪ MTD (Maximum Tolerable Downtime) MTD ≥ RTO + WRT:
⬧ The time to rebuild the system and configure it for reinsertion into
production must be less than or equal to our MTD.
⬧ The total time a system can be inoperable before our organization is
severely impacted.
⬧ Remember companies that had a major loss of data, 43% never reopen
and 29% close within two years.
⬧ Other frameworks may use other terms for MTD, but for the exam know
and use MTD.
⬧ MAD (Maximum Allowable Downtime), MTO (Maximum Tolerable
Outage), MAO (Maximum Acceptable Outage), MTPoD (Maximum
Tolerable Period of Disruption).

34 | P a g e
[Link]
 CISSP Domain 7 Lecture notes
▪ RTO (Recovery Time Objective): The amount of time to restore the system
(hardware).
⬧ The recovery time objective must ensure that the MTD for each system,
function or activity is not exceeded.
▪ WRT (Work Recovery Time) (software):
⬧ How much time is required to configure a recovered system.
▪ MTBF (Mean Time Between Failures):
⬧ How long a new or repaired system or component will function on
average before failing, this can help us plan for spares and give us an
idea of how often we can expect hardware to fail.
▪ MTTR (Mean Time to Repair):
⬧ How long it will take to recover a failed system.
▪ MOR (Minimum Operating Requirements):
⬧ The minimum environmental and connectivity requirements for our
critical systems to function, can also at times have minimum system
requirements for DR sites.
⬧ We may not need a fully spec'd system to resume the business
functionality.

• MTBF (Mean Time Between Failures): How long a system or component will function
on average before failing.
• MTTR (Mean Time to Repair): How long it will take to recover a failed system.
• MOR (Minimum Operating Requirements):The minimum environmental and
connectivity requirements for our critical systems to function, can also at times have
minimum system requirements for DR sites.

35 | P a g e
[Link]
 CISSP Domain 7 Lecture notes
 Recovery Strategies:
• In our recovery process we have to consider the many factors that can impact us, we
need look at our options if our suppliers, contractors or the infrastructure are impacted
as well.
• We may be able to get our data center up and running in 12 hours, but if we have no
outside connectivity that may not matter.
• Supply chain:
▪ If an earthquake hits, do our local suppliers function, can we get supplies from
farther away, is the infrastructure intact?
• Infrastructure: How long can we be without water, sewage, power,…?
▪ We can use generators for power, but how long do we have fuel for?
▪ In prolonged power outages, we have pre-determined critical systems we leave
up and everything else is shut down to preserve power (fuel) and lessen HVAC
requirements.
• Recovery Strategies:
▪ From our MTD we can determine our approach to how we handle disasters and
the safeguards we put in place to mitigate or recover from them.
▪ Redundant Site:
⬧ Complete identical site to our production, receives a real time copy of
our data.
⬧ Power, HVAC, Raised floors, generators,…
⬧ If our main site is down the redundant site will automatically have all
traffic fail over to the redundant site.
⬧ The redundant site should be geographically distant, and have staff at it.
⬧ By far the most expensive recovery option, end users will never notice
the fail over.
▪ Hot Site:
⬧ Similar to the redundant site, but only houses critical applications and
systems, often on lower spec’d systems.
⬧ Still often a smaller but a full data center, with redundant UPS’s,
HVAC’s, ISP’s, generators,…
⬧ We may have to manually fail traffic over, but a full switch can take an
hour or less.
⬧ Near or real-time copies of data.
▪ Warm Site:
⬧ Similar to the hot site, but not with real or near-real time data, often
restored with backups.
⬧ A smaller but full data center, with redundant UPS’s, HVAC’s, ISP’s,
generators,…
⬧ We manually fail traffic over, a full switch and restore can take 4-24+
hrs.

36 | P a g e
[Link]
 CISSP Domain 7 Lecture notes
▪ Cold Site:
⬧ A smaller but full data center, with redundant UPSs’, HVAC’s, ISP’s,
generators,…
⬧ No hardware or backups are at the cold site, they require systems to be
acquired, configured and applications loaded and configured.
⬧ This is by far the cheapest, but also longest recovery option, can be
weeks+.
▪ Reciprocal Agreement Site:
⬧ Your organization has a contract with another organization that they
will give you space in their data center in a disaster event and vice
versa.
⬧ This can be promised space or some racks with hardware completely
segmented off the network there.
▪ Mobile Site:
⬧ Basically a data center on wheels, often a container or trailer that can
be moved wherever by a truck.
⬧ Has HVAC, fire suppression, physical security, (generator),… everything
you need in a full data center.
⬧ Some are independent with generator and satellite internet, others
need power and internet hookups.
▪ Subscription/Cloud Site:
⬧ We pay someone else to have a minimal or full replica of our production
environment up and running within a certain number of hours (SLA).
⬧ They have fully built systems with our applications and receive backups
of our data, if we are completely down we contact them and they spin
the systems up and apply the latest backups.
⬧ How fast and how much is determined by our plans and how much we
want to pay for this type of insurance.

37 | P a g e
[Link]
 CISSP Domain 7 Lecture notes
 Other BCP Plans:
• Related Plans:
▪ Our BCP being the overarching plan also contains our other plans, including but
not limited to:
▪ COOP (Continuity of Operations Plan):
⬧ How we keep operating in a disaster, how do we get staff to alternate
sites, what are all the operational things we need to ensure we function
even if at reduced capacity for up to 30 days.
▪ Cyber Incident Response Plan:
⬧ How we respond in cyber events, can be part of the DRP or not. This
could be DDOS, worms, viruses,...
▪ OEP (Occupant Emergency Plan):
⬧ How do we protect our facilities, our staff and the environment in a
disaster event.
⬧ This could be fires, hurricanes, floods, criminal attacks, terrorism,...
⬧ Focuses on safety and evacuation, details how we evacuate, how often
we do the drills and the training staff should get.
▪ BRP (Business Recovery Plan):
⬧ Lists the steps we need to take to restore normal business operations
after recovering from a disruptive event.
⬧ This could be switching operations from an alternate site back to a
(repaired) primary site.
▪ Continuity of Support Plan:
⬧ Focuses narrowly on support of specific IT systems and applications.
⬧ Also called the IT Contingency Plan, emphasizing IT over general
business support.
▪ CMP (The Crisis Management Plan):
⬧ Gives us effective coordination among the management of the
organization in the event of an emergency or disruptive event.
⬧ Details what steps management must take to ensure that life and safety
of personnel and
property are
immediately protected
in case of a disaster.
▪ Crisis Communications Plan:
⬧ A subplan of the CMP.
⬧ How we communicate
internally and
externally during a
disaster.
⬧ Who is permitted to
talk to the press? Who
is allowed to
communicate what to
whom internally?

38 | P a g e
[Link]
 CISSP Domain 7 Lecture notes
▪ Call Trees:
⬧ Each user in the tree calls a small number of people.
⬧ The calling tree is detailed in the communications plan and should be
printed out and at the home of staff, assume we have no network or
system access.
⬧ Starts from the bottom up and then top down.
⬧ The staff that discovers the incident calls their manager or director, they
then contact someone at a senior level (often the CEO).
⬧ The CEO calls the rest of the C-level leadership, they call their directors
and managers and the managers call their staff.
⬧ Obviously only where it is appropriate and needed for the recovery
effort or if staff is directly impacted by the disaster.
⬧ Should be done with 2 way confirmation, managers/directors should
confirm to their C-level executive that they did get a hold of the
identified staff.
⬧ Automated call trees are often a better idea than manual ones,
notifying people of the disaster is one of those things that tends to get
forgotten.
⬧ They are hosted at a remote location, often on SaaS, and key personnel
that are allowed to declare a disaster can activate them.
• Off Site Copies and Plans:
▪ We keep both digital and physical copies of all our plans at offsite locations,
assume we can’t access our data or our facilities. Relying on memory is a bad
idea.
▪ We also keep critical business records in the same manner.
• EOC (Emergency Operations Center):
▪ A central temporary command and control facility responsible for our
emergency management, or disaster management functions at a strategic level
during an emergency.
▪ It ensures the continuity of operation of our organization.
▪ We place the EOC in a secure location if the disaster is impacting a larger area.
• MOU/MOA (Memorandum of Understanding/Agreement):
▪ Staff signs a legal document acknowledging they are responsible for a certain
activity.
▪ If the test asks "A critical staff member didn't show, and they were supposed to
be there. What could have fixed that problem?" it would be the MOU/MOA.
While slightly different they are used interchangeably on the test.
• Executive Succession Planning:
▪ Senior leadership often are the only ones who can declare a disaster.
▪ We need to plan for if they are not available to do so.
▪ Their unavailability may be from the disaster or they may just be somewhere
without phone coverage.
▪ Organizations must ensure that there is always an executive available to make
decisions

39 | P a g e
[Link]
 CISSP Domain 7 Lecture notes
▪ Our plans should clearly outline who should declare a disaster, if they are not
available, who is next in line and the list should be relatively long.
▪ Organizations often have the entire executive team at remote sessions or
conferences (it is not very smart).
• Employee Redundancy:
▪ We should have a high degree of skilled employee redundancy, just like we have
on our critical hardware.
▪ It is natural for key employees to move on, find a new job, retire or win the
lottery.
▪ If we do not prepare for it we can cripple our organization.
▪ Can be mitigated with training and job rotation.

 Testing the Plans:

• We have built our plans, now we need to see how complete and accurate they are, they
are living documents we continually improve them.
• Simulated Tests:
▪ DRP Review:
⬧ Team members who are part of the DRP team review the plan quickly
looking for glaring omissions, gaps or missing sections in the plan.
▪ Read-Through (Checklist):
⬧ Managers and functional areas go through the plan and check a list of
components needed for in the recovery process.
▪ Walk/Talk-through (Tabletop or Structured Walkthrough):
⬧ A group of managers and critical personnel sit down and talk through
the recovery process.
⬧ Can often expose gaps, omissions or just technical inaccuracies that
would prevent the recovery.
▪ Simulation Test (Walkthrough Drill):
⬧ Similar to the walkthrough (but different, do not confuse them).
⬧ The team simulates a disaster and the teams respond with their pieces
from the DRP.

• Physical Tests:
▪ Parallel Processing:
⬧ We bring critical components up at a secondary site using backups,
while the same systems are up at the primary site, after the last daily
backup is loaded we compare the two systems.
▪ Partial Interruption:
⬧ We interrupt a single application and fail it over to our secondary
facilities, often done off hours.
▪ Full Interruption:
⬧ We interrupt all applications and fail it over to our secondary facilities,
always done off hours.
▪ Both partial and full are mostly done by fully redundant organizations, build
your plans for your environment.

40 | P a g e
[Link]
 CISSP Domain 7 Lecture notes
• Testing:
▪ To ensure the plan is accurate, complete and effective, happens before we
implement the plan.
• Drills (Exercises):
▪ Walkthroughs of the plan, main focus is to train staff, and improve employee
response (think fire drills).
• Auditing:
▪ A 3rd party ensures that the plan is being followed, understood and the
measures in the plan are effective.

 Training for the Plans:

• For most of our plans we need to provide training for our staff on how they react and
handle their piece of the plan.
▪ We train evacuations, fire safety, CPR, first aid, and for the DRP the teams with
responsibilities needs to feel comfortable performing their tasks.
▪ If an employee is expected to restore a system from tape and they have never
done it is time to train them.
⬧ Do they know how to get the restore tapes (they are of course not kept
on premises).
▪ Does the UPS fail over automatically or does someone have to flip the switch,
does every data center employee know how to do that?
▪ It is each functional unit's responsibility they are ready for a disaster, they need
to provide the training (they are taught it), in the end what we need is
awareness (they actively use it).
▪ This is also where we would do as much as possible for the people redundancy.
⬧ New staff is trained on our systems as well as the emergency protocols
and how to perform their tasks.
⬧ If we only have one server administrator we better hope he is not on
vacation when our incident happens.

 Improving the Plans:

• The plans needs to be continually updated, it is an iterative process.
▪ Plans should be reviewed and updated at least every 12 months.
▪ If our organization has had a major change we also update the plans.
⬧ This could be:
▫ We acquired another company or we split off into several
companies.
▫ We changed major components of our systems (new backup
solution, new IP scheme,…).
▫ We had a disaster and we had a lot of gaps in our plans.
▫ A significant part of senior leadership has changed.
▪ When we update the plans older copies are retrieved and destroyed, and
current versions are distributed.

41 | P a g e
[Link]
 CISSP Domain 7 Lecture notes
 After a Disruption or Test:
• Once we have had and recovered from a disruption or we have done our failover test
we do a lessons learned.
• Lessons Learned:
▪ This phase is often overlooked, we removed the problem, we have
implemented new controls and safeguards.
▪ We can learn a lot from lessons learned, not just about the specific incidence,
but how well we handle them, what worked, what didn't.
▪ What happened and didn’t happen is less important than how we improve for
next time.
▪ We do not place blame, the purpose is improving.
▪ How can we as an organization grow and become better next time we have
another incidence? While we may have fixed this one vulnerability there are
potentially 100's of new ones we know nothing about yet.
▪ The outcome and changes of the Lessons Learned will then feed into our
preparation and improvement of our BCP and DRP.

 After a Disruption:
• We only use our BCP/DRP's when our other countermeasures have failed.
• This makes the plans even more important. (Remember 2/3 of business with major data
loss close).
• When we make and maintain the plans there are some common pitfalls we want to
avoid:
▪ Lack of senior leadership support
▪ Lack of involvement from the business units
▪ Lack of critical staff prioritization
▪ Too narrow scope
▪ Inadequate telecommunications and supply chain management
▪ Lack of testing
▪ Lack of training and awareness
▪ Not keeping the BCP/DRP plans up to date, or no proper versioning controls

 BCP/DRP Frameworks:
• When building or updating our BCP/DRP plans, we can get a lot of guidance from these
frameworks, and just like the other standards and frameworks we use we often tailor
and tweak them to fit the needs of our organization.
• NIST 800-34:
▪ Provides instructions, recommendations, and considerations for federal
information system contingency planning. Contingency planning refers to
interim measures to recover information system services after a disruption.
• ISO 22301:
▪ Societal security, Business continuity management systems, specifies a
management system to manage an organization's business continuity plans,
supported by ISO 27031.

42 | P a g e
[Link]
 CISSP Domain 7 Lecture notes
• ISO/IEC-27031:
▪ Societal security, Business continuity management systems – Guidance, which
provides more pragmatic advice concerning business continuity management
• BCI (Business Continuity Institute):
▪ 6 step process of "Good Practice Guidelines (GPG)” the independent body of
knowledge for Business Continuity.

 What we covered in the Seventh CBK Domain:

• How we through Administrative Personnel Security can mitigate some inside threats.
• Who is allowed to do Digital Forensics and how we do it right.
• Events, Alerts, Incidents and Problems. What we react to and how we react.
• Incident management and responses.
• SIEM’s, IDS’s and IPS’s: both host and network based ones and what each of them can
and can’t do.
• Configuration management, patch management, change management.
• 0day vulnerabilities and how our only defense is defense in depth and at times
abnormality detection.
• Fault tolerance, backups, RAID, e-vaulting, remote journaling, database shadowing,
hardware and system redundancy.
• BCP and DRP’s:
▪ What we need to consider and how we prioritize our systems and facilities for
the plans.
▪ How we build, test, train and maintain the plans.
▪ How we react in a disaster scenario and recover from it.

43 | P a g e
[Link]
 CISSP Domain 8 Lecture notes

Welcome to the Eight CBK Domain:

 In this domain we cover:
• Security has for a long time been an afterthought in software development, we need to
design it in and not bolt it on.
• Security in the software development lifecycle.
⬧ How we include security in the software requirements of our SDLC.
▪ Development environment security controls.
⬧ How security should be designed and planned in, and should be a
requirement of our development.
▪ Software security effectiveness
⬧ How we assess the effectiveness of our software security controls
▪ Acquired software security impact.
⬧ How we test and secure software we buy from 3rd parties.

This chapter chapter is how we secure software as we develop it.

CBK 8 makes up 11% of the exam questions.

 Designing Security into our Software:

• The more breaches and compromises, the more we see the move towards security
being part of the scope of the software design project.
• We use software at our jobs, our personal lives, our homes, cars, power, water,...
• It is everywhere. And it has been, and still is, common to write functional code. Security
is an afterthought, or not considered at all.
• A large part of our defense-in-depth is to protect our assets, but ultimately most of it is
to protect our data/software.
• Software with security built in is much securer than software where it is added on later.
• It is common for programmers to make 15-50 mistakes per 1,000 lines of code. If using a
programming maturity framework, we can lower that to 1 error per 1,000 lines of code.
• Most of the errors are not a vulnerability, or really a concern, but the more we use
software in everything, the more critical the vulnerabilities become.
• Hacks have accelerated and stopped cars on highways, had planes change course
(hacked through bad security on the in-flight entertainment), power grids, elections,...

1|Page
[Link]
 CISSP Domain 8 Lecture notes
• Software-Defined Security (SDS):
▪ Security functions are removed from the hardware and become virtual network
functions (VNFs).
▪ SDS is software-managed, policy-driven, and governed security where most of
our security controls (IDS/IPS, network segmentation, access controls, …) are
automated and monitored by the software.

• Auditing and Logging of Changes:

▪ We need to be clear on change and configuration management.
▪ How changes are requested (Request, formal assessment, planning, design and
testing, implementation, final assessment), the controls we have in place
(request control, change control, and release control) and how they contribute
to security.
▪ How does our configuration management control the versions of software used
in an organization.

• Risk Analysis and Mitigation:

▪ With risk analysis and mitigation we identifying, assessing and mitigating the
risks, understanding how they might affect our (software) project, and figure
out what we can do to minimize the effects on our scope, schedule, cost, and
quality.
▪ Risks can be either opportunities or threats; they are scored
on the likelihood of occurrence and impact on a project.

2|Page
[Link]
 CISSP Domain 8 Lecture notes
 Programming Concepts:
• Machine Code:
▪ Software executed directly by the CPU, 0's and 1's understood by the CPU.
• Source Code:
▪ Computer programming language, written in text and is human understandable,
translated into machine code.
• Assembler Languages:
▪ Short mnemonics like ADD/SUB/JMP, which are matched with the full length
binary machine code; assemblers convert assembly language into machine
language. A disassembler does the reverse.
• Compiler Languages:
▪ Translates the higher level language into machine code and saves, often as
executables, compiled once and run multiple times.
• Interpreted Languages:
▪ Similar to compiler languages, but interprets the code each time it is run into
machine code.
• Bytecode:
▪ An interpreted code, in intermediary form, converted from source code to
interpreted, but still needs to be converted into machine code before it can run
on the CPU.
• Procedural Languages (Procedure-oriented):
▪ Uses subroutines, procedures and functions.
• Object-oriented Programming (OOP):
▪ Based on the concept of objects, which may contain data, in the form of fields,
often known as attributes, and code, in the form of procedures, often known as
methods.
▪ An object's procedures can access and often modify the data fields of the
objects with which they are associated.
▪ In OOP, computer programs are designed by making them out of objects that
interact with one another.
• 4th Generation languages (4GL):
▪ Fourth-generation languages are designed to reduce programming effort and
the time it takes to develop software, resulting in a reduction in the cost of
software development.
▪ Increases the efficiency by automating the creation of machine code.
▪ Often uses a GUI, drag and drop, and then generating the code, often used for
websites, databases and reports.
• Programming Languages and Generations:
▪ 1st generation: Machine Code
▪ 2nd Generation: Assembler languages
▪ 3rd Generation: C, C++, Java, Python, PHP, Perl, C#, BASIC, Pascal, Fortran,
ALGOL, COBOL, …
▪ 4th Generation: ABAP, Unix Shell, SQL, PL/SQL, Oracle Reports, R, …
▪ 5th Generation: Prolog, OPS5, Mercury, …

3|Page
[Link]
 CISSP Domain 8 Lecture notes
• CASE (Computer-Aided Software Engineering):
▪ Similar to and were partly inspired by computer-aided design (CAD) tools used
for designing hardware products.
▪ Used for developing high-quality, defect-free, and maintainable software.
▪ Often associated with methods for the development of information systems
together with automated tools that can be used in the software development
process.
▪ CASE software is classified into 3 categories:
⬧ Tools support specific tasks in the software life-cycle.
⬧ Workbenches combine two or more tools focused on a specific part of
the software life-cycle.
⬧ Environments combine two or more tools or workbenches and support
the complete software life-cycle.
• Top-Down Programming:
▪ Starts with the big picture, then breaks it down into smaller segments.
▪ An overview of the system is formulated, specifying, but not detailing, any first-
level subsystems.
▪ Each subsystem is then refined in yet greater detail, sometimes in many
additional subsystem levels, until the entire specification is reduced to base
elements.
▪ Procedural programming leans toward Top-Down, you start with one function
and add to it.
• Bottom-Up Programming:
▪ Piecing together of systems to build more complex systems, making the original
systems a sub-system of the overarching system.
▪ The individual base elements of the system are first specified in great detail,
they are then linked together to form larger subsystems, which then in turn are
linked, sometimes in many levels, until a complete top-level system is formed.
▪ OOP leans tends toward Bottom-Up, you start by developing your objects and
build up.

• Software Release:
▪ Open source:
⬧ We release the code publicly, where it can be tested, improved and
corrected, but it also allows attackers to find the flaws in the code.
▪ Closed Source:
⬧ We release the software, but keep the source code a secret, may be
sound business practice, but can also be security through obscurity.
▪ Proprietary Software:
⬧ Software protected by intellectual property and/or patents, often used
interchangeably with Closed Source software, but it really is not. It can
be both Open and Closed Source software.
⬧ Any software not released into the public domain is protected by
copyright.

4|Page
[Link]
 CISSP Domain 8 Lecture notes
▪ Free Software:
⬧ Freeware:
▫ Actually free software, it is free of charge to use.
⬧ Shareware:
▫ Fully functional proprietary software that is initially free to use.
▫ Often for trials to test the software, after 30 days you have to
pay to continue to use.
⬧ Crippleware:
▫ Partially functioning proprietary software, often with key
features disabled.
▫ The user is required to make a payment to unlock the full
functionality.
▪ EULAs (End-User License Agreements):
⬧ Electronic form where the user clicks “I agree” to the software terms
and conditions while installing the software.

• Software Licenses:
▪ Open source software can be protected by a variety of licensing agreement.
⬧ GNU (General Public License) also called GPL:
▫ Guarantees end users the freedom to run, study, share and
modify the software.
▫ A copyleft license, which means that derivative work can only
be distributed under the same license terms.
⬧ BSD (Berkeley Software Distribution):
▫ A family of permissive free software licenses, imposing minimal
restrictions on the use and redistribution of covered software.
▫ This is different than copyleft licenses, which have reciprocity
share-alike requirements.
⬧ Apache:
▫ Software must be free, distribute, modify and distribute the
modified software.
▫ Requires preservation of the copyright notice and disclaimer.

5|Page
[Link]
 CISSP Domain 8 Lecture notes
 Software Development Methodologies:
• There is a wide range of software development methodologies used today.
• In the past the Waterfall method was widely used, it is a very linear process, and does
not work very well with the iterative nature of software development.
• To remedy that problem other methods were developed Spiral, Sashimi, Agile and
Scrum.
• The individual phases are different from organization to organization, understand how
each methodology works and the phases flows.

• Waterfall:
▪ Very linear, each phase leads directly into the next.
▪ The unmodified waterfall model does not allow us to go back to the previous
phase.

6|Page
[Link]
 CISSP Domain 8 Lecture notes
• Sashimi Model (Waterfall with overlapping phases):
▪ Similar to waterfall, but we always have 2 overlapping phases, if we close one
phase, we add the next phase.
▪ The modified waterfall model allows us to go back to the previous phase but no
further.
• Agile Software Development:
▪ Describes a set of values and principles for software development under which
requirements and solutions evolve through the collaborative effort of self-
organizing cross-functional teams.
▪ Uses adaptive planning, evolutionary development, early delivery, and
continuous improvement, and it encourages rapid and flexible response to
change.
▪ There are many types of agile, for the exam know the flow.

7|Page
[Link]
 CISSP Domain 8 Lecture notes
▪ Manifesto for Agile Software Development:
⬧ What is valued in the manifesto:
▫ Individuals and Interactions more than processes and tools.
▫ Working Software more than comprehensive documentation.
▫ Customer Collaboration more than contract negotiation.
▫ Responding to Change more than following a plan.
⬧ The twelve principles in the manifesto:
1. Customer satisfaction by early and continuous delivery of
valuable software.
2. Welcome changing requirements, even in late development.
3. Working software is delivered frequently (weeks rather than
months).
4. Close, daily cooperation between business people and
developers.
5. Projects are built around motivated individuals, who should be
trusted.

8|Page
[Link]
 CISSP Domain 8 Lecture notes
6. Face-to-face conversation is the best form of communication
(co-location).
7. Working software is the primary measure of progress.
8. Sustainable development, able to maintain a constant pace.
9. Continuous attention to technical excellence and good design.
10. Simplicity—the art of maximizing the amount of work not
done—is essential.
11. Best architectures, requirements, and designs emerge from
self-organizing teams.
12. Regularly, the team reflects on how to become more effective,
and adjusts accordingly.

9|Page
[Link]
 CISSP Domain 8 Lecture notes
▪ Scrum:
⬧ Scrum is a framework for managing software development. Scrum is
designed for teams of approximately 10 individuals, and generally relies
on two-week development cycles, called "sprints", as well as short daily
stand-up meetings.
⬧ The three core roles in the Scrum framework.
▫ The Product Owner:
→ Representing the product's stakeholders, the voice of
the customer, and is accountable for ensuring that the
team delivers value to the business.
▫ Development Team:
→ Responsible for delivering the product at the end of
each sprint (sprint goal).
→ The team is made up of 3–9 individuals who do the
actual work (analysis, design, develop, test, technical
communication, document, etc.).
→ Development teams are cross-functional, with all of the
skills as a team necessary to create a product
increment.
▫ Scrum Master:
→ Facilitates and accountable for removing impediments
to the ability of the team to deliver the product goals
and deliverables.
→ Not a traditional team lead or project manager but acts
as a buffer between the team and any distracting
influences.
→ The scrum master ensures that the Scrum framework is
followed.
▪ XP (Extreme Programming):
⬧ Intended to improve software quality and responsiveness to changing
customer requirements.
⬧ Uses advocates frequent releases in short development cycles,
intended to improve productivity and introduce checkpoints at which
new customer requirements can be adopted.
⬧ XP uses:
▫ Programming in pairs or doing extensive code review.
▫ Unit testing of all code.
▫ Avoiding programming of features until they are actually
needed.
▫ Flat management structure.
▫ Code simplicity and clarity.
▫ Expecting changes in the customer's requirements as time
passes and the problem is better understood.
▫ Frequent communication with the customer and among
programmers.

10 | P a g e
[Link]
 CISSP Domain 8 Lecture notes
• The Spiral Model:
▪ A risk-driven process model
generator for software
projects.
▪ The spiral model has four
phases: Planning, Risk
Analysis, Engineering and
Evaluation.
▪ A software project
repeatedly passes through
these phases in iterations
(called Spirals in this model).
▪ The baseline spiral, starting
in the planning phase,
requirements are gathered
and risk is assessed.
▪ Each subsequent spiral
builds on the baseline spiral.

• RAD (Rapid Application Development):

▪ Puts an emphasis on adaptability and the necessity of adjusting requirements in
response to knowledge gained as the project progresses.
▪ Prototypes are often used in addition to or sometimes even in place of design
specifications.
▪ Very suited for developing software that is driven by user interface
requirements.
▪ GUI builders are often called rapid application development tools.

• Prototyping:
▪ Breaks projects into smaller tasks, creating multiple prototypes of system design
features.
▪ A working model of software with some limited functionality, rather than
designing the full software up front.
▪ Has a high level of customer involvement, the customer inspects the prototypes
to ensure that the project is on track and meeting its objective.

11 | P a g e
[Link]
 CISSP Domain 8 Lecture notes
• SDLC (Software Development Life Cycle):
▪ The SDLC is not really a
methodology, but a
description of the phases
in the life cycle of software
development.
▪ These phases are (in
general), investigation,
analysis, design, build, test,
implement, maintenance
and support (and disposal).
▪ Can have security built into
each step of the process,
for the exam it always
does.
▪ If an answer about SDLC
does not list secure or
security, it would be wrong
and can be eliminated.
▪ Has a number of clearly
defined and distinct work
phases which are used by
systems engineers and
systems developers to plan
for, design, build, test, and deliver information systems.
▪ The aim is to produce high-quality systems that meet or exceed customer
expectations, based on customer requirements, by delivering systems which
move through each clearly defined phase, within scheduled time frames and
cost estimates.
▪ SDLC is used during the development of a project, it describes the different
stages involved in the project from the drawing board, through the completion
of the project.
▪ All software development methodologies follow the SDLC phases but the
method of doing that varies vastly between methodologies.
▪ Many different SDLC methodologies have been created, Waterfall, Spiral, Agile,
Rapid Prototyping,...
▪ In Scrum project a single user story goes through all the phases of the SDLC
within a single two-week sprint, where Waterfall projects can take many
months or several years to get through the phases.
▪ While very different they both contain the SDLC phases in which a requirement
is defined, then pass through the life cycle phases ending in the final phase of
maintenance and support.

12 | P a g e
[Link]
 CISSP Domain 8 Lecture notes
• Projects, Programs and Portfolios:
▪ A project is a temporary endeavor, with a finite start and end, that is focused on
creating a unique product, service, or result.
▪ A program is a collection of related projects. Like a project, a program is
temporary, when the collection of projects are complete, the program is
complete.
▪ A portfolio is a collection of projects and programs that are managed as a group
to achieve strategic objectives.

• IPT (Integrated Product Team):

▪ A multidisciplinary group of people who are collectively responsible for
delivering a defined product or process.
▪ IPTs are used in complex development programs/projects for review and
decision making.
▪ The emphasis of the IPT is on involvement of all stakeholders (users, customers,
management, developers, contractors) in a collaborative forum.
▪ IPTs can be addressed at the program level, there may also be Oversight IPTs
(OIPTs), or Working-level IPTs (WIPTs).
▪ IPTs are created most often as part of structured systems engineering
methodologies, focusing attention on understanding the needs and desires of
each stakeholder.

13 | P a g e
[Link]
 CISSP Domain 8 Lecture notes
• Source Code Escrow:
▪ The deposit of the source code of software with a third party escrow agent.
▪ Escrow is typically requested by a party licensing software (the licensee), to
ensure maintenance of the software instead of abandonment or orphaning.
▪ The software source code is released to the licensee if the licensor files for
bankruptcy or otherwise fails to maintain and update the software as promised
in the software license agreement.
• Source Code Repositories:
▪ Using public third party code repositories comes with some security concerns.
▪ Other than the provider security, one of the most important controls is using
multi-factor authentication.
▪ File archive and web hosting facility where a large amount of source code, for
software or for web pages, is kept, either publicly or privately.
▪ They are often used by open-source software projects and other multi-
developer projects to handle various versions. They help developers submit
patches of code in an organized fashion.
• API Security (Application Programming Interface):
▪ Allows an application to communicate with another application, operating
systems, databases, networks,...
▪ Many applications use API's, this could be to add super sign-on, integrate 2
applications, or many other things,...
▪ They are a good example of how we integrate for better usability, but often
security is overlooked.
▪ API's are the cause of a number of recent high-profile website security breaches
including Snap Chat, Pinterest and Instagram.
▪ We covered the OWASP top 10 web vulnerabilities in domain 3.
▪ OWASP also has an Enterprise Security API Toolkits project, which includes
these critical API controls:
▪ Authentication, Access control, Input validation, Output encoding/escaping,
Cryptography, Error handling and logging, Communication security, HTTP
security and Security configuration.
• Software Change and Configuration Management:
▪ Earlier in this domain we covered how software development has a lifecycle,
and in Domain 7 we covered configuration and change management.
▪ Both change and configuration management are very applicable to our software
development process, all the way from investigation/initiation to disposal of the
software.
▪ As with many of the concepts we cover they are to some extend logical,
configuration management tracks changes to a specific piece of software where
change management is all changes in the entire software development process.
▪ NIST 80-128: Guide for Security-Focused Configuration Management of
Information Systems uses these terms:
⬧ A Configuration Management Plan (CM Plan) is a comprehensive
description of the roles, responsibilities, policies, and procedures that
apply when managing the configuration of products and systems.

14 | P a g e
[Link]
 CISSP Domain 8 Lecture notes
⬧ The basic parts of a CM Plan include:
▫ Configuration Control Board (CCB) – Establishment of and
charter for a group of qualified people with responsibility for
the process of controlling and approving changes throughout
the development and operational lifecycle of products and
systems, may also be referred to as a change control board.
▫ Configuration Item Identification – for selecting and naming
configuration items that need to be placed under CM.
▫ Configuration Change Control – Process for managing updates
to the baseline configurations for the configuration items.
▫ Configuration Monitoring – Process for assessing or testing the
level of compliance with the established baseline configuration
and mechanisms for reporting on the configuration status of
items placed under CM

• DevOps:
▪ Cooperation between development, operations, and Quality Assurance.
▪ Aligned with Agile, code is deployed rapidly, multiple
times a day.
▪ CI/CD (Continuous Integration/Continuous
Delivery):
The D in CD can also be referred to as
Deployment or Development.
⬧ Code rollouts may happen many
times per day, with that we need
to rely on much more automation
(integrating code repositories,
deployment, infrastructure changes,
software configuration management, and
moving code between development, testing,
production environments, …).
• DevSecOps:
▪ Evolved from DevOps to add security into the process.
▪ We want security to be integrated
throughout the development process.
▪ Security is not just added on later as an
afterthought, it is designed in.

15 | P a g e
[Link]
 CISSP Domain 8 Lecture notes
 Databases:
• An organized collection of data.
• It is the collection of schemas, tables, queries, reports, views, and other objects.
• The data are typically organized to model aspects of reality in a way that supports
processes requiring information. This could be modelling the availability of rooms in
hotels in a way that supports finding a hotel with vacancies.

• DBMS (Database Management System):

▪ A computer software application that interacts with the user, other applications,
and the database itself to capture and analyze data.
▪ A general-purpose DBMS is designed to allow the definition, creation, querying,
update, and administration of databases.
▪ MySQL, PostgreSQL, MongoDB, MariaDB, Microsoft SQL Server, Oracle, Sybase,
SAP HANA, SQLite and IBM DB2.
• Database management systems are often classified according to the database model
they support, the most common database systems since the 1980s have all supported
the relational model as represented by the SQL language.
• A database model is a type of data model that determines the logical structure of a
database and fundamentally determines in which manner data can be stored,
organized, and manipulated. The most popular example of a database model is the
relational model (the SQL version), which uses a table-based format.
• Common logical data models for databases include:
▪ Navigational databases: Hierarchical database model, Network model, Graph
database.
▪ Relational model.
▪ Entity–relationship model, Enhanced entity–relationship model.
▪ Object model.
▪ Document model.
▪ Entity–attribute–value model.
▪ Star schema.

16 | P a g e
[Link]
 CISSP Domain 8 Lecture notes
• Relational Model:
▪ Organizes data into one or more tables (or relations) of columns and rows, with
a unique key identifying each row.
▪ Rows are also called records or
tuples.
▪ Generally, each table/relation
represents one entity type.
▪ The rows represent instances of that
type of entity and the columns
representing values attributed to
that instance.
▪ Foreign Key:
⬧ They are in relational
databases the matching
primary key of a parent
database table.
⬧ It is always the primary key
in the local DB.
⬧ The SSN is Primary key in the
Paygrade/scale table, but
Foreign key in the Name
one, seen from the
Paygrade/scale table.

• Integrity:
▪ Referential integrity:
⬧ When every foreign key in
a secondary table matches
a primary key in the parent
table.
⬧ It is broken if not all
foreign keys match the
primary key.
▪ Semantic integrity:
⬧ Each attribute value is
consistent with the
attribute data type.
▪ Entity integrity:
⬧ Each tuple (row) has a
unique primary value that
is not null.

17 | P a g e
[Link]
 CISSP Domain 8 Lecture notes
▪ User-Defined Integrity:
⬧ A set of rules specified by a user, which do not belong to the entity,
domain and referential integrity categories.
⬧ If a database supports these features, it is the responsibility of the
database to ensure data integrity as well as the consistency model for
the data storage and retrieval.
⬧ If a database does not support these features it is the responsibility of
the applications to ensure data integrity while the database supports
the consistency model for the data storage and retrieval.
▪ Having a single, well controlled, and well defined data-integrity system
increases:
⬧ Stability: One centralized system performs all data integrity operations
⬧ Performance: All data integrity operations are performed in the same
tier as the consistency model.
⬧ Re-usability: All applications benefit from a single centralized data
integrity system.
⬧ Maintainability: One centralized system for all data integrity
administration.
▪ Modern databases support these features, and it has become the de facto
responsibility of the database to ensure data integrity.
▪ If our databases are older we can use companies or database systems, who
offer products and services to migrate legacy systems to modern databases.
▪ Databases normally run multiple threads simultaneously and they are all
capable of altering data.
▪ When two threads try to change the same record, the DBBMS will attempt to
commit the update.
▪ If the commit is unsuccessful, the DBMSs can do rollbacks/aborts and restore
from a save point.
▪ A database journal is a log of all database transactions.
▪ If a database become corrupted, the database can be reverted to a back-up
copy, and then transactions are replayed from the journal, restoring database
integrity.

• Database Normalization:
▪ Used to clean up the data in a database table to make it logically concise,
organized, and consistent.
▪ Removes redundant data, and improves the integrity and availability of the
database.
▪ Normalization has three forms (rules):
⬧ First Normal Form: Divides the base data into tables, primary key is
assigned to most or all tables.
⬧ Second Normal Form: Move data that is partially dependent on the
primary key to another table.
⬧ Third normal Form: Remove data that is not dependent on the primary
key.

18 | P a g e
[Link]
 CISSP Domain 8 Lecture notes
▪ The major benefits of using normalization include:
⬧ Greater overall database organization
⬧ Reduction of redundant data
⬧ Data consistency within the database
⬧ A much more flexible database design
⬧ A better handle on database security

• Database Views:
▪ Database tables may be queried, what we see when we query them is called a
database view.
▪ They can give users a view of the parts of the database they are allowed to
access.
▪ For a normal employee this could be their own employee data, where HR can
access all employee's data. Remember the need to know principle, even if you
have the access that doesn't mean you are allowed to access it.
• Data Dictionary:
▪ Contains a description of the database tables (metadata).
▪ It has the database view information, information about authorized database
administrators, user accounts names and privileges, auditing information,
database schema,...
▪ Database Schema:
⬧ Describes the attributes and values of the database tables.
⬧ Names should only contain letters, in the US SSN’s should only contain 9
numbers,…

• Database Query Language:

▪ Allow the creation, modification and deletion of database tables, the read/write
access for those tables,...
▪ Database query languages have at least two subsets of commands:
▪ Data Definition Language (DDL):
⬧ A standard for commands that define the different structures in a
database.
⬧ Creates, modifies, and removes database objects such as tables,
indexes, and users.
⬧ Common DDL statements are CREATE, ALTER, and DROP.
▪ Data Manipulation Language (DML).
⬧ Used for selecting, inserting, deleting and updating data in a database.
⬧ Common DML statements are SELECT, DELETE, INSERT, UPDATE.
▪ SQL or a SQL derivatives are by far the most common query languages.

19 | P a g e
[Link]
 CISSP Domain 8 Lecture notes
• Hierarchical Databases
▪ Use a tree-like structure for how data is organized.
▪ The data is stored as records which are connected
to one another through links.
▪ A record is a collection of fields, with each field
containing only one value.
▪ The entity type of a record defines which fields the
record contains.

• Object-Oriented Databases (Object Database Management

Systems):
▪ Object databases store objects rather than data
such as integers, strings or real numbers.
▪ Objects are used in object oriented languages such
as Smalltalk, C++, Java,...
▪ Objects, in an object-oriented database, reference
the ability to develop a product, then define and
name it.
▪ The object can then be referenced, or called later,
as a unit without having to go into its complexities.
▪ Objects basically consist of the following:
▪ Attributes:
⬧ Data which defines the characteristics of an object.
⬧ This data may be simple such as integers, strings, and real numbers or it
may be a reference to a complex object.
▪ Methods:
⬧ Defines the behavior of an object and are what was formerly called
procedures or functions.
⬧ Objects contain both executable code and data.
▪ Classes:
⬧ Define the data and methods the object will contain, they are the
template for the object.
⬧ Does not itself contain data or methods but defines the data and
methods contained in the object.

20 | P a g e
[Link]
 CISSP Domain 8 Lecture notes
• We have covered these before, but it makes sense to revisit them now:
▪ Database Shadowing:
⬧ Exact real time copy of the database or files to another location.
⬧ It can be another disk in the same server, but best practices dictates
another geographical location, often on a different media.
▪ Electronic Vaulting (E-vaulting):
⬧ Using a remote backup service, backups are sent off-site electronically
at a certain interval or when files change.
▪ Remote Journaling:
⬧ Sends transaction log files to a remote location, not the files
themselves. The transactions can be rebuilt from the logs if we lose the
original files.

• Coupling:
▪ The degree of interdependence between software modules, a measure of how
closely connected two routines or modules are.
• Cohesion:
▪ Refers to the degree to which the elements inside a module belong together.
▪ Measures the strength of relationship between pieces of functionality within a
given module.
▪ In highly cohesive systems functionality is strongly related.
• Coupling is usually contrasted with cohesion.
• Low coupling often correlates with high cohesion, and vice versa.
• Low coupling is often a sign of a well-structured computer system and a good design,
and when combined with high cohesion, supports the general goals of high readability
and maintainability.
• ORB (Object Request Broker):
▪ Middleware which allows program calls to be made from one computer to
another via a network, providing location transparency through remote
procedure calls.
▪ ORBs promote interoperability of distributed object systems, enabling such
systems to be built by piecing together objects from different vendors, while
different parts communicate with each other via the ORB.
▪ Common object brokers included .NET remoting, COM, DCOM, and CORBA.
⬧ COM (Component Object Model):
▫ A language-neutral way of implementing objects that can be
used in environments different from the one in which they were
created, even across machine boundaries.
▫ It is used to enable inter-process communication object creation
in a large range of programming languages.

21 | P a g e
[Link]
 CISSP Domain 8 Lecture notes
▪ DCOM (Distributed COM):
⬧ The networked sequel to COM which adds to support communication
among objects on different computers—on a LAN, a WAN, or even the
Internet.
⬧ The application can be distributed at locations that make the most
sense to your customer and to the application itself.
⬧ DCOM includes Object Linking and Embedding (OLE), a way to link
documents to other documents.
⬧ Both COM and DCOM are slowly being replaced by [Link],
which can interoperate with DCOM, but offers more advanced
functionality than COM and DCOM.
▪ CORBA (Common Object Request Broker Architecture):
⬧ Open vendor neutral ORB standard defined by the Object Management
Group (OMG) designed to facilitate the communication of systems that
are deployed on diverse platforms.
⬧ Enables collaboration between systems on different operating systems,
programming languages, and computing hardware.
⬧ CORBA uses an object-oriented model although the systems that use
the CORBA do not have to be object-oriented.

• OOAD (Object-Oriented Analysis and Design):

▪ Iteration after iteration, the outputs of OOAD activities, analysis models for OOA
and design models for OOD respectively, will be refined and evolve continuously
driven by key factors like risks and business value.
▪ OOA (Object-Oriented Analysis):
⬧ Creates a model of the system's functional requirements that is
independent of implementation constraints.
⬧ Organizes requirements around objects, which integrate both behaviors
(processes) and states (data) modeled after real world objects that the
system interacts with.
⬧ The primary tasks are:
▫ Find the objects, Organize the objects, Describe how the objects
interact, Define the behavior of the objects, Define the internals
of the objects.
▪ OOD (Object-Oriented Design):
⬧ The developer applies the constraints to the conceptual model
produced in object-oriented analysis.
⬧ Such constraints could include the hardware and software platforms,
the performance requirements, persistent storage and transaction,
usability of the system, and limitations imposed by budgets and time.
⬧ Concepts in the analysis model which is technology independent, are
mapped onto implementing classes and interfaces resulting in a model
of the how the system is to be built on specific technologies.

22 | P a g e
[Link]
 CISSP Domain 8 Lecture notes
⬧ Important topics during OOD also include the design of software
architectures by applying architectural patterns and design patterns
with object-oriented design principles.
▪ OOM (Object-Oriented Modeling):
⬧ Common approach to modeling applications, systems, and business
domains by using the object-oriented paradigm throughout the entire
development life cycles.
⬧ Heavily used by both OOA and OOD activities in modern software
engineering.

• The ACID model (Atomicity, Consistency, Isolation, and Durability):

▪ The ACID model is based on 4 parts:
⬧ Atomicity:
▫ All or nothing, if any
part of the transaction
fails, the entire
transaction fails.
⬧ Consistency:
▫ The database must be
consistent with the
rules, before and after
the transaction.
⬧ Isolation:
▫ One transaction must
be completed before
another transaction can
modify the same data.
⬧ Durability:
▫ Once transactions are
committed to the
database they must be preserved.

23 | P a g e
[Link]
 CISSP Domain 8 Lecture notes
 Software Vulnerabilities and Attacks:
• OWASP (Open Web Application Security Project):
▪ Top 10 of the most common web security issues.

• OWASP:
▪ A01:2021 - Broken Access Control:
⬧ It is not implemented consistently across an entire application.
⬧ It can be done correctly in one location but incorrectly in another.
⬧ We need a centralized access control mechanism, and we write the
tricky logic once and reuse it everywhere.
⬧ This is essential both for writing the code correctly and for making it
easy to audit later.
⬧ Many access control schemes were not deliberately designed but have
simply evolved along with the website.
⬧ Inconsistent access control rules are often inserted in various locations
all over the code, making it near impossible to manage.
⬧ One especially dangerous type of access control vulnerability arises
from web-accessible administrative interfaces, frequently used to allow
site administrators to efficiently manage users, data, and content on
their site.

⬧ What can we do?

We can deny by default, limit user rights, use role-based access control,
strong passwords, MFA, log/act on access control failures, proper user
and session management,...
▪ [Link]

24 | P a g e
[Link]
 CISSP Domain 8 Lecture notes
▪ A02:2021 - Cryptographic Failures:
⬧ Sites are HTTP rather than HTTPS.
⬧ Data is sent in cleartext.
⬧ Backups, data at rest and data in transit are not encrypted
(stored/transmitted in plain text).
⬧ Using older, weaker, and deprecated encryption algorithms.
⬧ Using depreciated hash functions.
⬧ Not monitoring if data is being exfiltrated.
⬧ Improper use of initialization vectors.

⬧ What can we do?

We ensure we do not use depreciated encryption, data is identified and
protected properly, no clear-text, proper implementation of up-to-date
encryption/protocols/keys, no caching for responses with sensitive data,
only store sensitive data as long as required,…
▪ [Link]

▪ A03:2021 – Injection:
⬧ Can be any code injected into user forms. Often seen is SQL/NoSQL/OS
command/LDAP.
⬧ Attackers can do this because our software does not use:
▫ Strong enough input validation and data type limitations input
fields.
▫ Input length limitations.
⬧ CGI (Common Gateway Interface):
▫ Standard protocol for web servers to execute programs running
on a server that generates web pages dynamically. We use the
interface to ensure only proper input makes it to the database.
▫ The CGI separates the untrusted (user) from the trusted
(database).

⬧ What can we do?

▫ The fix is to do just that, we only allow users to input
appropriate data into the fields, only letters in names, numbers
in phone number, have dropdowns for country and state (if
applicable), we limit how many characters people can use per
cell, use secure APIs,...
▫ Separating the data from the web application logic.
▫ Implement settings and/or restrictions to limit data exposure in
case of successful injection attacks.
▪ [Link]

25 | P a g e
[Link]
 CISSP Domain 8 Lecture notes
▪ A04:2021 - Insecure Design:
⬧ When we design our web applications, we need to design them
securely.
⬧ This does not have to be design flaws, it can also be anything that is not
secure, any weakness that an attacker could exploit.
⬧ Not to be confused insecure implementation.
▫ We can have a securely designed app and still implement it
insecurely.
▫ However, we can't fix an insecure design with a flawless
implementation.
⬧ What can we do?
▫ We have our software developers use secure design patterns
and reference architectures to build applications.
▫ Our organization should have libraries with references and
patterns.
▫ Before finalizing our application design, we use a red team to do
threat modeling and penetration testing.
▪ [Link]

▪ A05:2021 - Security Misconfiguration:

⬧ Databases configured wrong.
⬧ Not removing out-of-the-box default access and settings.
⬧ Keeping default usernames and passwords.
⬧ VM, OS, webserver, DBMS, applications,… are not patched and up to
date.
⬧ Unnecessary features are enabled or installed. This could be open ports,
services, pages, accounts, privileges,...
⬧ With so much being cloud now, it is only natural that misconfiguration is
more prevalent, so many more options admins can disable.

⬧ What can we do?

⬧ It is pretty simple; server hardening, proper patching, do not disable
security features unless we are completely clear on why and we have
done proper risk analysis.
▪ [Link]

26 | P a g e
[Link]
 CISSP Domain 8 Lecture notes
▪ A06:2021 - Vulnerable and Outdated Components:
⬧ Vulnerable components can be both client and server-side (OS,
web/application server, database management system (DBMS),
applications, APIs and all components, runtime environments,
libraries,…).
⬧ Developers use deprecated code or objects that are known to be
unsecure.
▫ Mostly happens because developers are used to the old code or
the library, they could be uncertain about new code, or they are
afraid to break anything.

⬧ What can we do?

⬧ Proper patch management, scan for vulnerabilities, make sure we don’t
use deprecated code, keep a continuous inventory of both server-side
and client-side components and their dependencies, delete unused
programs and features.
▪ [Link]

▪ A07:2021 - Identification and Authentication Failures:

⬧ Sessions do not expire or
take too long to expire.
⬧ Session IDs are predictable
or part of the URL; 001, 002,
003, 004,…
⬧ Tokens, Session IDs,
Passwords,... are kept in
plaintext or are poorly
protected (poor encryption
and hashing).
⬧ Weak/default passwords
and knowledge based
password recovery.

⬧ What can we do?

⬧ MFA, sessions expires, non-
predictable sessions, no
plain-text anywhere, no
session ID in URL, proper
secure encryption, no
default/weak passwords, log
login failures, alert admins when detecting brute force, credential
stuffing, and any other attacks.
▪ [Link]
Identification_and_Authentication_Failures/

27 | P a g e
[Link]
 CISSP Domain 8 Lecture notes
▪ A08:2021 - Software and Data Integrity Failures:
⬧ When our applications use code, plugins, libraries, or modules from
untrusted sources.
⬧ Insecure CI/CD pipelines or unverified updates.
⬧ Software with automatic updates without enough integrity checks.

⬧ What can we do?

⬧ Use digital signatures/hashes to verify the code/data is from the right
source and is unaltered.
⬧ Make sure libraries and dependencies are using trusted repositories.
⬧ Deploy software supply chain tools to make sure components do not
contain known vulnerabilities.
⬧ Ensure our CI/CD pipeline has proper segregation, configuration, and
access control.
▫ This should ensure the integrity of the code throughout the
build and deploy processes.
▪ [Link]

▪ A09:2021 - Security Logging and Monitoring Failures:

⬧ When our intrusion monitoring and reporting system fail to catch and
report signs of intrusion.
⬧ Result of poor configuration, low thresholds, or logs saved just locally.
⬧ Attacks go unnoticed if we do not act on appropriate logs or alerts.

⬧ What can we do?

⬧ Implement proper monitoring and logging, ensure we log/report all
failed login attempts and server-side validations.
⬧ Logs are generated in a format that our log management system can
easily use, logs are kept long enough.
⬧ Logs are kept secure and protected against injection or any other type
of attack.
⬧ Audit trails on high-value transactions.
⬧ Have a proper incident response and recovery plan.
▪ [Link]
Security_Logging_and_Monitoring_Failures/

28 | P a g e
[Link]
 CISSP Domain 8 Lecture notes
▪ A10:2021 - Server-Side Request Forgery:
⬧ Web applications usually trigger
requests between HTTP servers,
to fetch remote resources, such
as software updates, or to
import metadata from a URL or
another web application.
⬧ Usually benign, but if not
implemented correctly, they can
make a server vulnerable to
SSRF.
⬧ Normally an attacker can’t
access an internal server
because it would be blocked by
the firewall. To get around that
the attacker can exploit an SSRF
vulnerability to launch their
attack using a vulnerable web
server.
⬧ The attacker changes a
parameter value in the
vulnerable web application to
create or control requests from
the vulnerable server.

⬧ What can we do?

▫ Network layer: Segment remote resource access functionality
in separate networks. Enforce “deny by default” to block all
non-essential intranet traffic.
▫ Application layer: Sanitize and validate all client-supplied input
data.
▫ Enforce the URL schema, port, and destination with a positive
allow list.
▫ Do not send raw responses to clients. Disable HTTP redirections.
▪ [Link]
Side_Request_Forgery_%28SSRF%29/

29 | P a g e
[Link]
 CISSP Domain 8 Lecture notes

▪ Insufficient Detection and Response:

⬧ Not detecting we have been compromised due to lack of controls
and/or detection applications.
⬧ Not performing our due diligence and due care on our applications,
systems, and our response to compromise.
⬧ Not responding in a proper way to compromise, not informing anyone,
informing too late, or just ignoring the incident (at best plugging the
leak).
⬧ We need to not just protect against this attack, but future similar
attacks, patch software, and applications, close ports.

▪ Unvalidated Redirects and Forwarding:

⬧ Not confirming URLs forward and redirecting us to the right page.
⬧ Mitigated with user awareness and spider/crawl our site to see if it
generates any redirects (HTTP response codes 300-307, typically 302).
▪ Cross-Site Request Forgery (CSRF):
⬧ Stolen session IDs or tokens.
⬧ Often phishing.
⬧ Passwords/Username saved in cookies.
⬧ Saved site passwords, not logging off when done, using the same
browser for sensitive and non-sensitive information.
⬧ Current browsers do mitigate some of this, they should use unique
session-specific tokens (random or pseudo-random), and validate
session tokens are not replayed.

30 | P a g e
[Link]
 CISSP Domain 8 Lecture notes
▪ Cross-Site Scripting (XSS):
⬧ Attackers inject client-side scripts into web pages viewed by other
users.
⬧ The vulnerability may be used by attackers to bypass access controls
such as the same-origin policy.
⬧ To prevent XSS, we can use proper input validation and data typing.
⬧ Set our server to redirect invalid requests, detect a simultaneous login
from two different IP addresses and invalidate the sessions, require
users to enter their passwords again before changing their registration
information, and set cookie with HttpOnly flag to prevent access from
JavaScript.

• Buffer Overflow (Buffer Overrun):

▪ An anomaly where a program, while writing data to a buffer, overruns the
buffer's boundary and overwrites adjacent memory locations, happen from
improper coding when a programmer fails to perform bounds checking.
▪ Buffers are areas of memory set aside to hold data, often while moving it from
one section of a program to another, or between programs.
▪ Buffer overflows can often be triggered by malformed inputs, if one assumes all
inputs will be smaller than a certain size and the buffer is created to be that size,
if an anomalous transaction produces more data it could cause it to write past
the end of the buffer.
▪ If this overwrites adjacent data or executable code, this may result in erratic
program behavior, including memory access errors, incorrect results, and
crashes.
▪ By sending in data designed to cause a buffer overflow, it is possible to write
into areas known to hold executable code, and replace it with malicious code.

31 | P a g e
[Link]
 CISSP Domain 8 Lecture notes
• Race Condition (Race Hazard):
▪ Two or more programs may collide in their attempts to modify or access a file.
▪ This can be an attacker with access, altering files which can then result in data
corruption or privilege escalation.
▪ TOCTOU (Time of Check to Time of Use):
⬧ A software bug caused by changes in a system between the checking of
a condition (such as a security credential) and the use of the results of
that check.

• Privilege Escalation:
▪ Exploiting a bug, design flaw or configuration oversight in an OS or application
to gain access to resources that are normally protected from an application or
user.
▪ Attacker often use this to elevate the user account they have gained access to,
in order to get administrator access.
▪ The result is that an application with more privileges than intended by the
application developer or system administrator can perform unauthorized
actions.

• Backdoors:
▪ Often installed by attackers during an attack to allow them access to the
systems after the initial attack is over, to exfiltrating data over time or to come
back and compromise other systems.
▪ Bypassing normal authentication or encryption in a computer system, a product,
or an embedded device,...
▪ Backdoors are often used for securing remote access to a computer, or
obtaining access to plaintext in cryptographic systems.

• Ethical disclosure:
▪ What do you do when you discover a vulnerability? We covered some of this in
the white, gray, black hat hacker section.
▪ Full Disclosure: Tell everyone, make it public, assuming attackers already know
and are using it.
▪ Responsible/Partial Disclosure: Telling the vendor, they have time to develop a
patch and then disclose it.
⬧ If they do nothing we can revert to the full disclosure forcing them to
act.
▪ No Disclosure: Attackers finding a vulnerability would try to exploit it and keep
it secret as long as possible.

32 | P a g e
[Link]
 CISSP Domain 8 Lecture notes
• Security Orchestration, Automation, and Response (SOAR):
▪ A software solution that uses AI to allows us to respond to some security
incidents automatically.
▪ SOAR vs. SIEM: Very similar, both detect and alert on security events, but using
AI, SOAR will also react to some security events.
⬧ SIEMs often generate more alerts than a SOC team can handle, SOAR
can help reduce the number of alerts and make workflows more
manageable.
▪ SOAR combines all the comprehensive data we gather, has case management,
standardization, workflows, and analytics, and it can integrate with many of our
other solutions (Vulnerability Management (VM), IT Service Management
(ITSM), Threat Intelligence, …).
▪ All this can help our organization implement a detailed defense-in-depth
solution.

• Operation and Maintenance:

▪ Once our finished software/project is handed off to operations, there will still be
some maintenance tasks our organization needs to perform.
▪ Our environment and the requirements for our applications is never static.
▪ We need a solid support team in place to make sure the software functions as
required, that any required changes are implemented using proper change
management, and that all this is done with security in mind.

• Integrated Development Environment (IDE):

▪ Applications that help in the development of other applications.
▪ They are designed to contain all programming tasks in a single application,
having a single central interface with all the tools the developer needs,
including:
⬧ The Code editor: For writing and editing source code, these editors are
different from text editors, they are designed to either simplify or
enhance the process of writing and editing the code.
⬧ Compiler: The compilers change our source code, which is written in a
human-readable language, into a form that computers can execute.
⬧ Debugger: Debuggers are used during the testing phase and can help
our developers debug their code.
⬧ Build automation tools: Tools to help automate common dev tasks to
save time.
⬧ On top of this some IDEs may also include:
▫ Class browser: Used to reference and study the properties of an
object-oriented class hierarchy.
▫ Object browser: Used to inspect objects present in a running
application program.
▫ Class hierarchy diagram: Helps devs to visualize the structures
of object-oriented programming code.

33 | P a g e
[Link]
 CISSP Domain 8 Lecture notes
• Runtime:
▪ Runtime is the amount of time when a program is running. Starting when a
program is executed/started and stopping with the program terminated/closed.
▪ The term, runtime, is most often used in software development. Commonly
used with "runtime error," an error that occurs while a program is running. This
error is used to differentiate from other types of errors, like syntax errors and
compilation errors, which happen before a program is run.

• CMM (Capability Maturity Model):

▪ The maturity relates to the degree of formality and optimization of processes,
from ad hoc practices, to formally defined repeatable steps, to managed result
metrics, to active optimization of the processes.
▪ There are five levels defined in the model and, which describes where an
organization is, it also has practical steps to how to mature the organization to
get to the next level.
▪ Level 1: Initial
⬧ Processes at this level are normally undocumented and in a state of
dynamic change, tending to be driven in an ad hoc, uncontrolled and
reactive manner by users or events.
⬧ This provides a chaotic or unstable environment for the processes.
▪ Level 2: Repeatable
⬧ This level of maturity that some processes are repeatable, possibly with
consistent results.
⬧ Process discipline is unlikely to be rigorous, but where it exists it may
help to ensure that existing processes are maintained during times of
stress.
▪ Level 3: Defined
⬧ This level that there are sets of defined and documented standard
processes established and subject to some degree of improvement over
time.
⬧ These standard processes are in place.
⬧ The processes may not have been systematically or repeatedly utilized
enough for the users to become competent or the process to be
validated in a range of situations.
▪ Level 4: Managed (Capable)
⬧ Processes at this level uses process metrics, effective achievement of
the process objectives can be evidenced across a range of operational
conditions.
⬧ The suitability of the process in multiple environments has been tested
and the process refined and adapted.
⬧ Process users have experienced the process in multiple and varied
conditions, and are able to demonstrate competence.

34 | P a g e
[Link]
 CISSP Domain 8 Lecture notes
▪ Level 5: Optimizing
⬧ Processes at this level focus on continually improving process
performance through both incremental and innovative
technological changes/improvements.
⬧ Addressing statistical common causes of
process variation and changing the
process to improve process
performance.

Software Assurance Maturity Model (SAMM): [Link]

Software Assurance Maturity Model (SAMM)

• The Software Assurance Maturity Model (SAMM) is an open framework that provides an
effective and measurable way for all types of organizations to analyze and improve their
software security posture.
• The resources provided by SAMM aid in:
▪ Evaluating an organization’s existing software security practices.
▪ Building a balanced software security assurance program in well-defined
iterations.
▪ Demonstrating concrete improvements to a security assurance program.
▪ Defining and measuring security-related activities throughout an organization.

35 | P a g e
[Link]
 CISSP Domain 8 Lecture notes
• SAMM principles
▪ An organization’s behavior changes slowly over time.
▪ Changes must be iterative while working toward long-term goals.
▪ There is no single recipe that works for all organizations.
▪ A solution must enable risk-based choices tailored to the organization.
▪ Guidance related to security activities must be prescriptive.
▪ A solution must provide enough details for non-security-people.
▪ Overall, it must be simple, well-defined, and measurable.
• [Link]

• Acceptance Testing:
▪ There are many different testing types we use throughout the development
lifecycle.
▪ At the end of development we also use acceptance testing, we need to test it to
ensure it does what it is supposed to and it is robust and secure.

▪ The User Acceptance Test:

⬧ Is the software functional for the users who will be using it? It is tested
by the users and application managers.

▪ Operational Acceptance Testing:

⬧ Does the software and all of the components it interacts with ready
requirements for operation.
⬧ Tested by system administrators are the backups in place, do we have a
DR plan, how do we handle patching, is it checked for vulnerabilities,...?

▪ Contract Acceptance Testing:

⬧ Does the software fulfil the contract specifications? The
what/where/how of the acceptance is defined in the contract.

▪ Compliance Acceptance Testing:

⬧ Is the software compliant with the rules, regulations and laws of our
industry?

▪ Compatibility/Production Testing:
⬧ Does the software interface as expected with other applications or
systems?
⬧ Does the software perform as expected in our production environment
vs. the development environment?

36 | P a g e
[Link]
 CISSP Domain 8 Lecture notes
• Buying software from other companies:
▪ When we buy software from vendors either COTS (Commercial Off The Shelf) or
custom built software we need to ensure it is as secure as we need it to be.
▪ Vendors claims of security posture should until proven be seen as marketing
claims.
▪ We need to do our due care and due diligence, as well as use outside council if
needed.
▪ Many organizations deal with C-level executives going to conferences and
buying software that the organization may not want or need.
▪ Software development and procurement as well as any other project should be
carefully scoped, planned be based on a clear analysis of what the business
needs and wants.

▪ COTS (Commercial Off-the-Shelf) Software:

⬧ When buying COTS software we can, depending on how widely the
software is used, look at reviews, talk to current customers and users to
get a clearer understanding of the software capabilities and security.
⬧ Software roadmaps are nice, but only buy the software for what it can
actually do now, not what it can maybe do in the future.
⬧ We can use a clear RTM (requirements traceability matrix),
requirements are divided into "Must have, nice to have and maybe
should have".
⬧ We would then score the software candidates on the "Have's" and from
that we should be able to see feasible candidates, other factors such as
cost, maintenance also play a big part in the decision.
⬧ For large/expensive implementations it may also be possible for the
vendor to provide references to talk to.
⬧ We would also look at how financially sound the vendor looks to be, if
we spend $2,000,000 on software and the vendor goes out bankrupt in
3 months, we may have to spend another $2,000,000 all over again.

▪ Custom-Developed Third-Party Products:

⬧ Having someone else develop the software we need is also an option.
⬧ This is higher cost than COTS software, but also far more customizable.
⬧ The same questions and then some should be asked:
⬧ How good are they? Have they done this before? How secure are
they?,...
⬧ Do we own the code or do we rent it when it is done?
⬧ What happens if they go out of business?
⬧ Who will support it?
⬧ Do you have capable staff, that can support and tweak the software?
⬧ Is it secure or is it security through obscurity?
⬧ Many code shops are just that, only code shops, once the software is
accepted it is your problem to do the day to day maintenance, they may
contract for updates, but that is it.

37 | P a g e
[Link]
 CISSP Domain 8 Lecture notes
Cloud Computing:
• Cloud Computing can be divided into 4 main types:
▪ Private Cloud Computing - Organizations build and run their own cloud
infrastructure (or they pay someone to do it for them).
▪ Public Cloud Computing - Shared tenancy – A company builds massive
infrastructures and rents it out to anyone who wants it. (Amazon AWS,
Microsoft, Google, IBM).
▪ Hybrid Cloud Computing – A mix of Private and Public Cloud Computing. An
organization can choose to use Private Cloud for sensitive information and
Public Cloud for non-sensitive data.
▪ Community Cloud Computing – Only for use by a specific community of
consumers from organizations that have shared concerns. (Mission, policy,
security requirements, and/or compliance considerations.)
As with any other outsourcing, make sure you have the right to audit, pen test (clearly agreed
upon criteria), conduct vulnerability assessment, and check that the vendor is compliant with
your industry and the standards you adhere to.
▪ Platforms are normally offered as:
⬧ IaaS (Infrastructure as a Service) The vendor provides infrastructure up
to the OS, the customer adds the OS and up.
⬧ PaaS (Platform as a Service) The vendor provides pre-configured OSs,
then the customer adds all programs and applications.
⬧ SaaS (Software as a Service) The vendor provides the OS and
applications/programs. Either the customer interacts with the software
manually by entering data on the SaaS page, or data is automatically
pushed from your other applications to the SaaS application (Gmail,
Office 365, Dropbox, Payroll, …).

38 | P a g e
[Link]
 CISSP Domain 8 Lecture notes
 AI (Artificial Intelligence):
• Intelligence exhibited by machines, rather
than humans or other animals.
• What true AI is, is a topic of discussion, what
was considered AI years ago we have
achieved and when once goal is reached the
AI definition is tweaked a little.
• From what we are seeing published we do in
my mind not currently have true AI, but very
highly simulated intelligence, that being said
IBM and Google do seem to be getting a lot
closer.
• It is also used when a machine mimics
cognitive functions that humans associate
with other human minds, such as learning
and problem solving.
• AI currently defined as advice that perceives
its environment and takes actions that
maximize its chance of success at some goal,
not through experience/programming, but
through reasoning.

• Expert Systems:
▪ A computer system that emulates the decision-making ability of a human
expert.
▪ Designed to solve complex problems by reasoning about knowledge,
represented mainly as if–then rules rather than through conventional
procedural code.
▪ An expert system is divided into two subsystems:
1. The knowledge base represents facts and rules.
2. The inference engine applies the rules to the known facts to deduce
new facts, and can also include explanation and debugging abilities.

39 | P a g e
[Link]
 CISSP Domain 8 Lecture notes
• ANN's (Artificial Neural Networks):
▪ Computing systems inspired by the biological neural networks that constitute
animal brains, we make decisions based on 1000’s of memories, stories, the
situation and many other factors, the ANN tries to emulate that.
▪ The systems learn and progressively improve their performance, to do tasks,
generally without task-specific programming.
▪ They can learn to identify images that contain geckos by analyzing example
images that have been manually labeled as "gecko" or "no gecko" and using the
analytic results to identify geckos in other images.
▪ They are mostly used in areas that are difficult to express in a traditional
computer algorithm using rule-based programming.
▪ An ANN is based on a collection of connected units called artificial neurons.
▪ Each connection (synapse) between neurons can transmit a signal to another
neuron.
▪ Typically, neurons are organized in layers, different layers may perform different
transformations on their inputs.
▪ Signals travel from the first input, to the last output layer, at times after
traversing the layers multiple times.

• GP (Genetic Programming):
▪ A technique where computer programs are encoded as a set of genes that are
then modified (evolved) using an evolutionary algorithm often a GA (Genetic
Algorithm).
▪ The results are computer programs able to perform well in a predefined task.
▪ The methods used to encode a computer program in an artificial chromosome
and to evaluate its fitness with respect to the predefined task are central in the
GP technique and still the subject of active research.
▪ GP evolves computer programs, traditionally represented in memory as tree
structures.
▪ Trees can be easily evaluated in a recursive manner.
▪ Every tree node has an operator function and every terminal node has an
operand, making mathematical expressions easy to evolve and evaluate.
▪ Traditionally GP favors the use of programming languages that naturally
embody tree structures for example, Lisp or other functional programming
languages.
▪ The process is in its simple form like this:
⬧ Generate an initial population of random computer programs.
⬧ Execute each program in the population and assign it a fitness value
according to how well it solves the problem.
⬧ Create a new population of computer programs.
⬧ Copy the best existing programs
⬧ Create new computer programs by mutation.
⬧ Create new computer programs by crossover.

40 | P a g e
[Link]
 CISSP Domain 8 Lecture notes
▪ Genetic Algorithms and Genetic Programming have been used to program a
Pac-Man playing program, robotic soccer teams, networked intrusion detection
systems, and many others.

 What we covered in the Eighth CBK Domain:

This chapter we covered how we design security into our software as we develop it:

• Security in the software development lifecycle.

• Project Management methodologies.
• DevOps and DevSecOps.
• Development environment security controls.
• How we assess the effectiveness of our software security controls.
• OWASP top 10 and other software vulnerabilities.
• Software development maturity models.
• 3rd party software security.
• AI (Artificial Intelligence).

• CBK 8 makes up 10% of the exam questions.

41 | P a g e
[Link]