
CISSP STUDY GUIDE

1. YOUR ROLE IS AS A RISK ADVISOR – DO NOT FIX PROBLEMS


2. WHO IS RESPONSIBLE FOR SECURITY?
3. HOW MUCH SECURITY IS ENOUGH?
4. ALL DECISIONS START WITH RISK MANAGEMENT BY EVALUATING YOUR ASSETS
5. THINK “END GAME”
6. “SECURITY TRANSCENDS TECHNOLOGY”
7. PHYSICAL SECURITY IS ALWAYS FIRST CHOICE
8. HEY TECHNICAL PEOPLE, STAY OUT OF THE WEEDS
9. INCORPORATE SECURITY INTO THE DESIGN AS OPPOSED TO ADDING IT LATER
10. LAYERED DEFENSE!

Some of the things that I learned along the way, mostly from the bootcamp, that really helped me:
 Think Like A Manager
 Watch Out for Absolutes - this was from the bootcamp - typically absolutes are telling one way or the other. If an answer
contains "any" or "all" and the question does not contain the word not - typically that answer can be eliminated. If the
question does contain the word not - the answer containing "any" or "all" typically is the right one
 People Over Everything
 Ready, Aim, Fire - pretty common saying, but whenever you're asked to do something "first".. you don't act. It's not "Fire,
Ready, Aim", it's "Ready, Aim, Fire". The "Ready" part comes first, make sure what you're doing is right, or gather evidence,
before you do anything
 Answer Only What the Question Is Asking You - big point that was harped on in the bootcamp. Read the question, then read
the question again. Great - now read A, read A again, read B, read B again.. you see where I'm going. It truly is a reading
comprehension test, some answers may look great but they don't really have much to do with what is being asked. Read very
carefully, and eliminate answers that don't have much or anything to do with the question being asked.
 Look for the Answer in the Question - There are times (and this happened at least 3 times on the exam) where the question
had certain words in it, that were also contained in only one of the answers. If the words of the answer can be found in the
question, that's a good answer to hone in on, and is probably the right one.

STANDARDS TO REMEMBER:

15408 – Common Criteria
27001 – ISMS
27002 – Best Practices
802.1x – port-based Network Access Control (PNAC)
802.1q – VLANs
802.11a/b/g/n – 5/2/2/25, 50,11,50,500
802.11i – improved security for WLAN
X500 – LDAP
X503
X509v3 – Public Key Infrastructure
NIST 800-137 – IS Continuous Monitoring
8foot3strands – fences
8foot2 – lights
60/20 – temp/humidity range

OTHER STUFF TO REMEMBER:

Biba – No WURD
Bell – No WDRU
Clark-Wilson – Well Formed, Authorized, Separation
Brew – Chinese Wall
Please do not throw sausage people away
LITA 2-1-1-3
Software Assessment = inside company, own processes
Software Evaluation = outside company, product selection
SLE = AV * EF
ALE = SLE * ARO

CISSP Study Guide

CIA Triad and DAD Triad

 Confidentiality deals with preventing Disclosure

 Integrity deals with preventing Alteration of data

 Availability deals with preventing Denial of Service

(ISC)2 Code of Ethics Canons

 Protect society, the commonwealth, and the infrastructure.

 Act honorably, honestly, justly, responsibly, and legally.

 Provide diligent and competent service to principals.

 Advance and protect the profession.

Protecting Privacy

 Fair Information Practice Principles:

o Open framework

o Standards for privacy

o Avoid over-collection or over retention

o Considers privacy as part of cyber security

 Confidentiality Agreement helps to protect employer secrets

 Acceptable Use Policy (written) defines privacy expectations for internal people, use banners for external

 PII: Name, SSN, Address or Email, Phone Number, IP/MAC, Vehicle registration, etc.

 4th amendment: right of the people to be secure in their persons, houses, papers, and effects against

unreasonable searches and seizures

 Federal Privacy Act of 1974: Prevents phone taps and opening people’s email, protects from big brother

watching them. Census taking, and legal needs can still break privacy

 Regulatory Compliance

o Administrative Law – regulatory law, such as FDA, EPA, etc

o Civil/Tort Law – lawsuits between individuals and businesses that result in damages or loss, either

found liable or not liable

o Criminal Law – crimes against society, handled by law enforcement, fines or imprisonment

 Management is ultimately responsible for following laws and proving compliance.

o SOX – accurate corporate accountability with regards to financial recordkeeping

o GLB (Gramm-Leach-Bliley) – pertains to banking consumer privacy and information disclosure

o PCI-DSS: safe handling of sensitive info related to credit card purchase. NOT a US law, directed by

the credit card companies and PCI. Conduct audits, store tokens and not CC#’s

o COPPA: For kids, if less than 13yo must protect data, $11k fine if violated.

 World Trade Organization gives Copyright Owners choice if data can be commercially rented.

 Wassenar Arrangement = crypto exception

 Risk Assessment = Prepare, Conduct, Communicate, Maintain

 Delphi = QUALITATIVE | $$ = QUANTITATIVE

 Threat Modeling: STRIDE, DREAD, PASTA

STRIDE

Threat – Desired property

Spoofing – Authenticity
Tampering – Integrity
Repudiation – Non-repudiability
Information disclosure – Confidentiality
Denial of Service – Availability
Elevation of Privilege – Authorization

 Digital Signatures provide everything but Confidentiality.

 The passage of time can affect Classification

 Hardware encryption = going to use RC4

 Risk Management Framework: Categorize, Select, Implement, Assess, Authorize, Monitor

 Testing the technology is Certification, signing off on the risk/acceptance is

Approval.

 Due Diligence = Preparing, Checking | Due Care = Act Responsibly,

Control (contract, etc)

 1st step is always ASSESS

 Data Owner responsible for classifying data

 OECD = Transborder Data Flow

Domain 2 – Managing Data


 Data has a lifecycle: Create, Store, Use, Share, Archive, Destroy.

o Classify during creation phase

o Must be protected during all phases

 Data Owner is responsible and accountable for classifying and protecting the data, can often be upper management,

but can be delegated down.

 Data Custodian is the administrator who manages the application.

 Objects are classified, subjects must be cleared (get a clearance), in the end, both have labels, for example a person is

cleared to read TS, and the object/data is TS

 Metrics

o KGI (Key Goal Indicators): Attainable future state

o KPI (Key Performance Indicators): Measurable current state

 Configuration Management Database – information on systems and devices to help facilitate recovery from an event;

comes from ITIL.

 Media Management

o Optical and Solid-State: Physical destruction

o Destruction Policy is not followed if there is a legal hold

 Quality Control: internal standards

 Quality Assurance: external standards

 When presenting to upper management, always look for question relating to “knowing your audience”.

 Need-to-Know: Think/look for Data, Objects, Things

 Least Privilege: Think/look for Permissions, Account, Access

 Separation of Duties: multiple people required to complete critical/sensitive transactions

 Collusion: 2+ individuals subvert security

o To prevent, implement least privilege and spread out duties/responsibilities

 Anyone with access to privileged data is considered to have a privileged account, think CEO’s access. Monitor these
kinds of accounts more

 Classification Types
o Commercial

 Confidential

 Private

 Sensitive

 Public

o Military

 Top Secret

 Secret
 Confidential

 Sensitive but Unclassified

 Unclassified

 Data at Rest

o Encrypt it with a symmetric algorithm (AES) 128, 192, 256bits

o TPM: chip on motherboard that supports encryption, supports full disk encryption.

o Symmetric Encryption = think confidentiality

 S-Rule: all algorithms with S in it are symmetric, UNLESS the algorithm starts with an R, then it is

asymmetric

 IDEA is also symmetric, used with PGP

 RC4/5/6 = also symmetric

 Data Remanence

o Residual information remaining on storage media

 HDD (in order of increasing effectiveness): Erase/Delete/High-Level format (least effective), overwriting with
zeroes, degaussing, physical destruction (BEST).

 SSD: Destroy

 Cloud Environments: Crypto-Erase where you encrypt it with strong algorithm and throw away the

key, so it can never be recovered.

 Data in Transit

o Link Encryption: Performed by service provider (ISP). Encrypts all data along the communication path. Data is

decrypted and re-encrypted at each router/node.

o End-to-End Encryption: Performed by end-user. Data remains encrypted all the way to the remote end. Routing

info isn’t encrypted though. Think SSL/TLS, IPsec VPN, WPA/WPA2 (antenna to antenna).

o Both types can be used in combination.

o IPSec: Data in transit confidentiality assured by ESP, integrity assured by AH. Used over VPN (Oakley Key
Exchange Protocol – Diffie-Hellman)

 2 levels of security: AH (integrity through hashing entire packet) + ESP (confidentiality through
encrypting the data packet, but not the header)

 2 transmission modes: Tunnel Mode (WAN, AH+ESP) and Transport Mode (LAN, ESP)

 IPSec operates on 2 layers of OSI Model: L2TP is Layer 2, ESP is Layer 3

 L2TP is made up of 2 sub-protocols (L2F and PPTP); PPTP was replaced by L2F

 2 phases required to set up:

1. IKE Phase 1: 2 devices mutually authenticate to set up secure channel

2. IKE Phase 2: negotiate the encryption and exchange keys

 ESP doesn’t encrypt headers. Think about psychics lacking controls on their brains.
 AH encrypts entire packet

 ⭐Test Q: to conduct DoS against org, modify CRL with the entity you are targeting so their cert appears revoked⭐

 PGP: no cert repository, uses Web of Trust; public keys must be downloaded before encrypted. Uses IDEA symmetric

algorithm.

 Hashing: One-way encryption. Usually MD5 (128bits) or SHA-1 (160 bits). Variable input, fixed output (length).

Confirms integrity, that no data has changed from original. MD5 more susceptible to collisions due to lower bits.

o Birthday Attack: can get identical hash from 2 different messages, causing a collision. Use longer hash to

mitigate.

o Rainbow Table: take the hash itself and backtrack it to the PW using huge list of words you’ve already hashed

to make associations. To prevent, salt the messages so their tables won’t find the hash in the list.

 Kerckhoff's principle is the concept that a cryptographic system should be designed to be secure, even if all its

details, except for the key, are publicly known.

 Symmetric Algorithms (FAST): RC4, AES, IDEA, DES, 3DES, BLOWFISH – 1 KEY.

o Can provide confidentiality, but not non-repudiation. Usually block cipher, but bit cipher is RC4 and faster.

o Session key, shared key, etc. is always symmetric, since there is only one.

 Asymmetric Algorithms (Most Scalable): RSA (most common), ECC, ElGamal, Diffie-Hellman (A REED) – 2 KEYS

o Use an encrypt and decrypt key, give away public, keep the private one.

o Keys are huge, 1024 – 4096 bits.

o ECC sometimes used with shorter keys where hardware is limited, such as on smartphone.

o Usually used for key exchange to get the symmetric key to the user/system. Not commonly used for large files as it’s

slow.

o Diffie-Hellman is an asymmetric algorithm designed to securely exchange a shared (symmetric) key.

 Key Space: 2^#ofbits in key length

 AES is the de facto symmetric key standard. 128, 192 and 256 bit keys. Longer keys = more overhead. Replaced DES

because it wasn’t secure enough. ⭐ 3DES replaced DES, minimum # of keys needed is 2. ⭐

 Hybrid = I use your public key to encrypt my symmetric key, that only you can open with your private key, thus

sharing the symmetric key with confidentiality.
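Worked example added here (not from the study guide) of the hybrid pattern just described: the sender picks a random symmetric session key, wraps it with the recipient's public key, and encrypts the bulk data under the session key; only the holder of the private key can unwrap it. To stay self-contained it uses textbook RSA with tiny constructed primes (p=61, q=53) and a SHA-256-derived keystream standing in for a real stream cipher; both are illustrative toys, not the algorithms or key sizes a real system would use. All names are my own.

```python
import hashlib
import os

# Constructed toy RSA key pair (p=61, q=53). Real keys are 1024-4096 bits.
P, Q = 61, 53
N = P * Q            # public modulus, 3233
E = 17               # public exponent
D = 2753             # private exponent: (E * D) % ((P-1)*(Q-1)) == 1
PUBLIC_KEY = (E, N)
PRIVATE_KEY = (D, N)


def rsa_encrypt_int(m: int, public_key) -> int:
    """Anyone with the public key can wrap a small integer (here: the session key)."""
    e, n = public_key
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def rsa_decrypt_int(c: int, private_key) -> int:
    """Only the private-key holder can unwrap it."""
    d, n = private_key
    return pow(c, d, n)


def keystream(session_key: int, length: int) -> bytes:
    """Expand the session key into a keystream (toy stand-in for a stream cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = session_key.to_bytes(2, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]


def xor_bytes(data: bytes, stream: bytes) -> bytes:
    # XOR is its own inverse: applying the same keystream twice restores the data
    return bytes(a ^ b for a, b in zip(data, stream))


def hybrid_encrypt(plaintext: bytes, recipient_public_key):
    # Random session key in [2, N-1]; the fast symmetric step uses it for the bulk data
    session_key = 2 + int.from_bytes(os.urandom(2), "big") % (N - 2)
    wrapped_key = rsa_encrypt_int(session_key, recipient_public_key)
    ciphertext = xor_bytes(plaintext, keystream(session_key, len(plaintext)))
    return wrapped_key, ciphertext


def hybrid_decrypt(wrapped_key: int, ciphertext: bytes, recipient_private_key) -> bytes:
    session_key = rsa_decrypt_int(wrapped_key, recipient_private_key)
    return xor_bytes(ciphertext, keystream(session_key, len(ciphertext)))


def roundtrip(message: bytes) -> bytes:
    wrapped, ciphertext = hybrid_encrypt(message, PUBLIC_KEY)
    return hybrid_decrypt(wrapped, ciphertext, PRIVATE_KEY)


if __name__ == "__main__":
    print(roundtrip(b"the symmetric key travels under the public key"))
```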

Symmetric Encryption = FAST but lots of keys:
DES/3DES
The Advanced Encryption Standard (AES)
International Data Encryption Algorithm (IDEA)
Blowfish
RC4/5/6

Asymmetric Encryption = Slow but handles keys better:
The Diffie-Hellman Algorithm
RSA
El Gamal
Elliptic Curve Cryptosystems (ECC)
Knapsack

**PKI uses Asymmetric**

 Keys Needed:

o Asymmetric: 2N keys (n=# of users) e.g. 1000 users need 2000 keys OR 1000 key pairs, scales well.

o Symmetric: (N x (N – 1)) / 2 … e.g. 100 users: (100x99) / 2 = 4950 keys, does not scale well.

o XOR Function: If both are same, you get a 0, if different, you get a 1.
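Worked example added here (not from the study guide): the two key-count formulas above in code, plus the key-space formula from earlier in this section. Beyond the single figures quoted in the notes it finds the smallest user population at which pairwise symmetric keys outnumber the 2N asymmetric keys, which is the point where "does not scale well" starts to bite. Function names are my own.

```python
def symmetric_keys(n: int) -> int:
    """Pairwise secret keys so every pair of n users can talk privately: n(n-1)/2."""
    return n * (n - 1) // 2


def asymmetric_keys(n: int) -> int:
    """Public-key scheme: one key pair (2 keys) per user, so 2n keys for n users."""
    return 2 * n


def key_space(bits: int) -> int:
    """Number of possible keys for a given key length: 2 ** bits."""
    return 2 ** bits


def crossover_users() -> int:
    """Smallest n at which the symmetric key count exceeds the asymmetric one."""
    n = 2
    while symmetric_keys(n) <= asymmetric_keys(n):
        n += 1
    return n


def scaling_table(user_counts):
    """(users, symmetric keys, asymmetric keys) rows for the given populations."""
    return [(n, symmetric_keys(n), asymmetric_keys(n)) for n in user_counts]


if __name__ == "__main__":
    for n, sym, asym in scaling_table([2, 5, 10, 100, 1000]):
        print(f"{n:>5} users: symmetric {sym:>7} keys, asymmetric {asym:>5} keys")
    print("symmetric needs more keys than asymmetric from", crossover_users(), "users on")
    for bits in (56, 128, 256):
        print(f"{bits}-bit key: 2^{bits} = {key_space(bits)} possible keys")
```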

 Perfect Forward Secrecy ensures keys are only used for one session and never again.

 Confusion eliminates patterns in the cipher text when it is created.

 Diffusion makes changes throughout the entire ciphertext when a change is made.

 Quantum Cryptography uses photons and light to exchange keys.

 SSL replaced by TLS, because it’s not as secure.

 Covert Channels:

o Steganography – hiding data inside of files (images, mp3’s, etc). Can be used also to do digital watermarking.

o Covert Timing Channel – Process relays info to another by modulating time its use of resources

o Covert Storage Channel – Process writes data to a storage location and somewhere lower clears it and

exfiltrates it.

 Digital Rights Management locks down data to only use it how they want you to use it.

 Message Authentication Code is hash + secret/session/shared key. No non-repudiation due to it being a shared key.
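Worked example added here (not from the study guide): an HMAC over a message with a shared session key, verified in constant time, with a tampered message and a wrong key both rejected. The last result shows the non-repudiation gap the note mentions: because the receiver holds the same key, it can produce a tag identical to the sender's, so a MAC cannot prove who sent the message. Key, message and names are constructed.

```python
import hashlib
import hmac

# Constructed shared session key known to both sender and receiver
SHARED_KEY = b"constructed-session-key"


def make_mac(key: bytes, message: bytes) -> bytes:
    """Tag = HMAC-SHA256(key, message): a keyed hash."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    # compare_digest runs in constant time so timing does not leak how many bytes matched
    return hmac.compare_digest(make_mac(key, message), tag)


def mac_demo():
    message = b"transfer 100 to account 42"
    tag = make_mac(SHARED_KEY, message)
    return {
        "valid": verify_mac(SHARED_KEY, message, tag),
        "tampered": verify_mac(SHARED_KEY, b"transfer 900 to account 42", tag),
        "wrong_key": verify_mac(b"some-other-key", message, tag),
        # The receiver, holding the same key, can forge exactly the same tag
        "receiver_can_forge": make_mac(SHARED_KEY, message) == tag,
    }


if __name__ == "__main__":
    print(mac_demo())
```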

PKI Key Management

 Certificate Authorities (CAs) come from outside companies; internal CAs also exist, but they are not valid on the internet.

 Registration Authority (RA) is the middle man doing some of the work, accepts and verifies the registration

information, cannot revoke, but gathers info for the CA.

 Hierarchical Authority is where if you trust the Root CA, you trust all the subordinates as well.

 CA to CA trust (Root to Root Trust): think SSO/Federation

 Suspension is a temporary hold, Revocation is gone forever.

 Key Recovery from Escrow is accomplished by M of N, split the key, and you need M of N people to recover it.

 Digital Certificates prove Identity and Authentication. Associates a public key with the certificate owner. Usually

uses RSA algorithm.

Digital Certificates

 Provides integrity, authentication, and non-repudiation. Users can’t say they didn’t send the message, because

it was created with their private key. Provides everything but confidentiality!

 Does not provide confidentiality.


Domain 3 – Security Engineering

 Security Architecture is the practice of applying comprehensive methods to an organization’s security processes so
that they align with the organization’s core goals and strategic direction. Use frameworks such as SABSA (Sherwood).

 SDLC: Initiation, Development, Implementation, Operation, Disposal

 ⭐Security planning is best up-front during requirements, specifications or after business functional requirements.

 Maximized when placed in every phase

Subjects and Objects

 Subject = Users

o Active entity that requests access to an object

o Different subjects have different access levels

 Object = Resource

o Passive entity that contains information (e.g. file, record, memory location)

 Access = Must be Controlled

o Ability of subject to perform a task or interact with object

o Flow of info between subject and object

Formal Security Models

 State Machine: Based on objects & attributes

o Single – Policy Driven

o Multi – Data at two or more security levels

 Lattice Based: Defined Upper & Lower Bounds

o Mandatory Access Control (MAC) = restrict using labels.

o Multilevel lattice model = require data labels and classifications.

 Matrix Based Models: if/then = RBAC (rule) or ACL

o Access Control Matrix for each user is used to maintain integrity.

 Non-Interference Models: Create barriers between levels to prevent data leakage.

 Information Flow Models: monitors and controls data flow between objects at various levels, can be used to

detect unauthorized covert channels.

 System Security Modes

o Dedicated Mode – all authenticated users can access all data

o System High Mode – need-to-know, clearance equal to systems highest object on machine

o Multilevel Security Mode – access some with need-to-know, formal approval, or with clearance.

 Bell-LaPadula Confidentiality Model

o Oldest/first DoD Model

o Tranquility state, you don’t change states, you are stuck.

o No Read Up and No Write Down (no WDRU) – No stealing secrets, and no divulging of secrets.

o Simple = Reading (reading is simple), Star = Writing (it’s WRITTEN in the stars)

o Strong Star = only read/write at your own level, no read/write anywhere up or down

 Biba Integrity Model

o Invocation Property – User can’t even request services from others above them (Secret can’t request info

from TS)

o Simple Integrity Axiom: No Write Up and No Read Down (no WURD) – keep the integrity, don’t look

at data below your current level, but access above you has better integrity so it’s okay to read it.

o Star Integrity Axiom: No Write Up, No Read from Down

 Clark & Wilson Integrity Model

o Addresses 3 Integrity goals:

 Authenticated and Authorized

 Prevents authorized and unauthorized users from making improper modifications

 Maintains internal and external consistency

o Requires “Well Formed Transactions” – steps in defined order always, authenticate those who do the

transactions.

o Calls for separation of duties.

 Brewer and Nash Model – Chinese Wall – Looks like confidentiality model

o Dynamic rules so users are only allowed to access data that is not in conflict with data they accessed previously.

o Tries to ensure users do not make fraudulent modifications.

o Looks for conflicts of interest and tries to resolve them.

 Any other models only on exam for odd man out, if you see it, probably the answer.

Common Criteria: ISO/IEC 15408 – first truly international product evaluation guide

o Developed Protection Profiles for standard devices like firewalls, IDS, etc

o Developer builds a Target of Evaluation (TOE) (the actual product) to meet the Protection Profile

o Developer submits to lab, and if it passes, it is assigned an EAL Number.

 7,6,5 all have formally


 4,3 all have methodically

 2,1 structural and functional

o The higher the EAL, the better.

o Assessment produces a checklist of security controls

o Authorization consists of an acceptance or rejection of the residual risk outlined in the assessment report.

Trusted Computer Base (TCB)

 The Total ComBination of protection mechanisms of hardware, software and firmware

 Boundary around these is called the Security Perimeter

 Applications use logical mapping.

 Many threads challenge is race condition

 OS protects itself using Protection Rings. Ring 0 = OS Kernel. HAL is implemented in the system software ring. The
higher the ring, the more general/higher-level things get.

 Reference Monitor = abstract machine that controls access, the General who controls access.

 Security Kernel = enforces and implements rules, the COL enforces it.

 Least Privilege: Least privileges they need to do their job. Unless specifically allowed, access is denied.

 Job Rotation: Move employees around in job responsibilities

o Avoids single point of failure

o Allows employees to grow reducing monotony

o Reduces likelihood employees will perform inappropriately if they fear being caught when next rotation

occurs

o Helps detect suspicious activities.

 Backdoor or Trapdoor

o Bypass access controls

o Can be software utility or an illegitimate user account

o Often installed as Trojan or malware

o Can be maintenance hooks so they can debug code, but is an area that can be attacked

o Rootkits/etc

o Allows attackers to enter the system at any time

o Compiled code at risk for malware/trojan because you can’t see it until it is executed.

 Asynchronous Attacks: Timing

o TOC/TOU – attack takes place after it checks the file but before the system uses that file

o Also known as race conditions

 Code Injection: injecting code like SQL or XML into input buffers. Mitigate with input validation

 Buffer Overflow: too much information and data overwrites it’s correct area. Can crash, display protected info, or

let you execute code. Also fixed with input validation.

 XSS: Inject malicious script into a web page. Common way to steal login credentials

 CSRF: Browser snatches the session info and sends to attacker.

 Directory Traversal Attack: Attacker moves from root directory into restricted directories they shouldn’t have

access to.

 Open vs Closed: Open is deemed to be more secure because you can at least see the code.

 DLP: Locate and Catalog/Classify, Monitor the data, Enforce rules

 TEMPEST: detects emanations with a sniffer tool.

Facility Design & Construction

 Location considerations – consider the same as if you were buying a home

 Physical Security – Most important thing is LIFE

 Critical assets and highest security zone at center of building, design to avoid ramming, implement fences, lights,

guards.

 CPTED – Crime Prevention Through Environmental Design. Make things less appealing to intruders but make it

more home-like for employees so they feel safe and want to protect it.

 Layered Perimeter Defense: Curved driveways to reduce picking up speed. Maintain at least 100ft buffered zone

inside fences so people can see in and are less likely to try to come in.

 You want: No Drop Ceilings or Raised Floors, No windows (especially on 1st floor), use laminated tempered glass

if necessary. No Co-Tenants if possible!

 Physical Defense is the first line of defense

o Intruder Protection: Deter, Detect, Delay and Respond.

o Fencing: 8ft with 3 strands of barbed wire. This will deter determined intruders.

o PIDAS: object placed on fences that alerts when someone is trying to climb it

o Exterior Lighting: at least 8ft high, with 2 foot-candles

o Locks: know, have and are

o Electronic Access Control: no keys required

 Escorts required for visitor control, someone should also be responsible for deliveries, etc. Access logging is also

important, usually maintained by a guard.

 Guards can use discernment, guard dogs cannot.

 Alarms: ionization sensors can alert humans of entry or pathogen.

 CCTV: BCD – Blindspot, Cache of important stuff, Doors are best locations for cameras. Short focal length is a

wide-angle view, while long focal length is a narrower view. Think about using a camera!

 HVAC cold air in, hot air out with racks. Chicken Coop uses natural outside air to cool data center.

 You want positive pressure, so when you open the door, air goes out.

 You want 60-80deg F, 40-60% humidity

 Plenum cabling helps prevent loss of life due to no chemicals when a fire occurs.

 For data center, use inert gas to suppress fire.

 Fire Extinguishers: A – Paper, B – Liquid, C – Electric, D – Metals, (PLEM) + K – Kitchen

 Sprinkler Systems: Wet Pipe is dirty water, Dry Pipe is empty until it activates, Preaction initiates when it thinks
there is one, takes time, Deluge is a lot of water, can be hazardous to occupants. Do not use these in data centers

Network Security

 If you don’t know, it’s probably Data Link layer.

 Layer 1:

o Coax: multiple signals on one line, broadband, analog signal, multiplexing

o Twisted Pair: Subject to crosstalk; more twists = less crosstalk

o Fiber: Single Mode (long distance) and Multi-mode (usually in buildings). Usually run in pairs so one

sends and one receives.

o Plenum cabling prevents loss of life

 Unicast = 1 to 1, Multicast = 1 to many, Broadcast 1 to all

 Topologies: Bus and Ring is multiple points of failure, Star is 1 point of failure, Tree is just hierarchical bus, Mesh

provides HA and redundancy.

 OSI Model Need-to-Know

o Ports: FTP (pw sent cleartext), SSH (secure telnet), Telnet (not secure), SMTP (send mail), POP (receive

mail), IMAP (receive mail), DNS (name to IP), DHCP (assigns IP), HTTP/HTTPS, NTP(if modified can

cause Kerberos replay attack), SNMP (manage remote devices), RDP

o Layer 7: API, duplexing, FTP, SMTP, SSH, Telnet, HTTP, Web Browsing

o Layer 6: Formats (gif, jpg, midi, etc), file level encryption

o Layer 5: NetBIOS, NFS, SQL, RPC

o Layer 4: TCP - Reliable, UDP – Fast but unreliable, SSL, TLS, handshake layer, Christmas tree, syn flood,

seq# injection, etc. attack happens here

o Layer 3: IPV4/6, OSPF BGP, Routers, ping occurs here, end-to-end encryption

o Layer 2: Ethernet, L2TP, Switches (LLC/MAC) ALL TUNNELING HAPPENS HERE, 802.2 and 802.3

o Layer 1: Physical Media & Patch Panels – amplifiers, repeaters, hub, etc.

o Checksum and CRC occurs at many layers of the OSI

o VoIP used UDP on layer 4

o IPv4: 32bits, 8 bits per each octet, 4 octets. 2 parts: network and host, depending on class.

o Loopback is 127.0.0.1 & APIPA = 169.254.X.X

o TCP/IP vs OSI

o Collision and Broadcast Domain: A collision occurs when two devices send a packet at the same time on

the shared network segment. ... Each port on a bridge, a switch or router is in a separate collision

domain. A broadcast domain is a domain in which a broadcast is forwarded.


o Router forwards packets and is stateless by design, firewalls doesn’t forward, does stateful inspects.

o RIP (distance vector protocol) counts number of hops, OSPF decides based on path and speed. OSPF is
preferable over


o IPv6 has no classes and is 128bits long, written in hex with no octets, instead uses blocks (8) and

separated by colon (:). No broadcast in IPv6. A public IP is called a Global Unicast (somewhere in the

2000 range). APIPA for IPv6 is called Link Local (FE80).

o Consecutive blocks of zeroes, you replace with ::, but can only use it once earliest in the address, and

you can eliminate leading zeroes, but not ones after a number/symbol. For example 00AB becomes

AB, but AB00 is still AB00.

o Loopback is ::1

o 0-9 and A-F, nothing will ever be above that.
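Worked example added here (not from the study guide) of the IPv6 shortening rules in the two bullets above: leading zeroes are dropped per group (00AB becomes AB, AB00 stays AB00), and one run of all-zero groups is replaced by "::". The function follows RFC 5952 for the details the notes leave open: the longest zero run is chosen, the first one wins a tie, and a single zero group is never shortened to "::". Results are cross-checked against Python's standard ipaddress module. Function names are my own.

```python
import ipaddress


def expand_groups(addr: str):
    """Split a full (8-group) IPv6 address into lowercase four-digit groups."""
    groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError("expected a full address with 8 colon-separated groups")
    return [g.lower().zfill(4) for g in groups]


def compress_ipv6(addr: str) -> str:
    groups = expand_groups(addr)
    # Rule 1: drop leading zeroes in each group, keeping a lone "0" for all-zero groups
    trimmed = [g.lstrip("0") or "0" for g in groups]

    # Rule 2: find the longest run of zero groups (first run wins a tie)
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if trimmed[i] == "0":
            j = i
            while j < 8 and trimmed[j] == "0":
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1

    # "::" is used once, and only for a run of at least two zero groups
    if best_len < 2:
        return ":".join(trimmed)
    left = ":".join(trimmed[:best_start])
    right = ":".join(trimmed[best_start + best_len:])
    return f"{left}::{right}"


def matches_stdlib(addr: str) -> bool:
    """Check our result against the standard library's canonical form."""
    return compress_ipv6(addr) == ipaddress.IPv6Address(addr).compressed


if __name__ == "__main__":
    for a in ["2001:0db8:0000:0000:0000:0000:00AB:AB00",
              "0000:0000:0000:0000:0000:0000:0000:0001",
              "FE80:0000:0000:0000:0000:0000:0000:0001"]:
        print(a, "->", compress_ipv6(a), "stdlib agrees:", matches_stdlib(a))
```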

 DNS Issues:

o Zone Transfer – Block zone transfers TCP port 53 to remedy. Attack that would occur after this would be

footprinting.

o Dynamic Update – Require all DNS servers to digitally sign updates/changes (DNSSEC)

 ARP Poisoning: attack that follows is Man-in-the-Middle

 ICMP operates on Layer 3, PING uses this protocol.

 SCADA (Supervisory Control and Data Acquisition) or Industrial Control System (ICS) is made up of PLCs,

and uses DNP3.

 Converge/Super Protocols are merged protocols like Zoom to run multiple types of data over one protocol suite.

E.g. video, chat, file sharing/etc all with one service. More robust and reduces cost of hardware and space.

 FCoE (Fiber Channel over Ethernet) allows Fiber channel to use 10Gbit Ethernet Networks.

 iSCSI (Internet Small Computer System Interface) is an IP based storage network for linking storage facilities. It

leverages switches to allow multiple clients over TCP/IP. This is a big threat for a Covert Storage Channel

attack.

 MPLS is used by ISPs to create private networks over the WANs. Frames are labeled and builds basically a

VLAN for different labels.

 VoIP is NOT SECURE, it uses Traffic Shaping for QoS, and uses SIP to initiate and RTP to use.

 Wireless is 802.11 (regular) and 802.11i (enhanced security). DSSS uses all of the bandwidth, FHSS uses part of

the bandwidth.

 802.11n bridged the gap between a (5GHz and 54Mbps) and b (2.4GHz and 11Mbps) since they didn’t

interoperate and runs at 108+Mbps.

 WEP is weak and was replaced by WPA, which had a longer key, had TKIP and a Message Integrity Checker,

and kept RC4 from WEP. This wasn’t good so we finally created WPA2.

o WPA2 = 802.11i = TKIP + AES (instead of RC4)

 Antenna to Antenna is end-to-end encryption.

 Types of Authentication for 802.11: 802.1x, pre-shared key, and open auth (obviously a terrible idea)

o Pre-shared key issues: subject to dictionary attacks, subject to brute force, subject to leeching, no accountability
available.

 Bluejacking – send spam anonymously to victims

 Bluesnarfing – steals info from a Bluetooth device

o Disabling discovery eliminates these threats

Mobile Systems

 Harden Phones when possible. PINs, encrypt, disable unnecessary apps and services, etc.

 BYOD: Limit devices, MDM solutions (may require a special AUP)

Firewalls

 Packet Filtering Firewall uses ACL to make access decisions, therefore it is Rule Based.

o Weak Firewall that sits on edge of perimeter.

 Dynamic Stateful Firewall keeps track of the “state” or dialog of the communication between internal and

external hosts. Builds a state table to monitor, and performs packet filtering like a standard firewall

o Strong Firewall comparatively
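Worked example added here (not from the study guide) contrasting the two firewall types above in a toy model: a stateless packet filter judges each packet alone against an ACL, so the reply to an allowed outbound connection is dropped unless a loose inbound rule is added; a stateful firewall records the connection in a state table and admits only replies that match it, still refusing unsolicited inbound traffic. Rules, addresses and class names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # True for the first segment of a new TCP connection


# Constructed rule base: internal hosts may reach HTTPS anywhere; everything else denied.
# Each rule is (source prefix, destination port, action); first match wins.
ACL = [
    ("10.0.0.", 443, "allow"),
    ("any", None, "deny"),      # the implicit deny, written out
]


def packet_filter(pkt: Packet) -> str:
    """Stateless (rule-based) decision: this packet against the ACL, nothing else."""
    for src_prefix, dst_port, action in ACL:
        src_ok = src_prefix == "any" or pkt.src_ip.startswith(src_prefix)
        port_ok = dst_port is None or pkt.dst_port == dst_port
        if src_ok and port_ok:
            return action
    return "deny"


class StatefulFirewall:
    """Tracks allowed connections so matching reply traffic is admitted."""

    def __init__(self):
        self.state_table = set()   # (client_ip, client_port, server_ip, server_port)

    def inspect(self, pkt: Packet) -> str:
        # Reply for a connection we already admitted: allowed without an inbound rule
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.state_table:
            return "allow"
        # New connection: must start with SYN and pass the same ACL as the packet filter
        if pkt.syn and packet_filter(pkt) == "allow":
            self.state_table.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "allow"
        return "deny"


def firewall_demo():
    outbound = Packet("10.0.0.5", 51000, "203.0.113.10", 443, syn=True)
    reply = Packet("203.0.113.10", 443, "10.0.0.5", 51000)
    unsolicited = Packet("198.51.100.7", 443, "10.0.0.5", 51000)
    fw = StatefulFirewall()
    return {
        "stateless_outbound": packet_filter(outbound),      # allow
        "stateless_reply": packet_filter(reply),            # deny: no inbound rule
        "stateful_outbound": fw.inspect(outbound),          # allow, connection recorded
        "stateful_reply": fw.inspect(reply),                # allow: matches state table
        "stateful_unsolicited": fw.inspect(unsolicited),    # deny: no matching state
    }


if __name__ == "__main__":
    for k, v in firewall_demo().items():
        print(f"{k:<22} {v}")
```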

 DMZ contains anything that needs to get in and out easily from the outside. External DNS, mail servers, etc

usually sit here.

o Devices in the DMZ must be hardened systems (Bastion Host)

o Honeypots and edge perimeter firewall shouldn’t be considered Bastion Hosts

 Proxy Firewall sits as a middle man between connecting computers and copies the packets from one network to

the other, which makes it slower and there isn’t a direct connection between inside and outside. It hides the

source computer behind NAT/PAT.

o Stateful packet inspection

o Looks deeper into the packet for access decisions

o TOR is a special proxy that lets you hide your information between layers of masking and stay

anonymous

o HTTP decrypt/re-encrypt, etc can be done this way

 Harden everything you can

 Screened Subnet – Semi-Trusted

o A DMZ is created by implementing two screening routers

 A Dual Homed Host is 1 host computer with 2 NICs. One points outside, one points inside. Never allow inter-routing
between the 2 network cards.

 NAT allows a lot of users to share a single IP address.

 Dynamic NAT allows a lot of users to share a pool of IP addresses.

 Honeypots exist to distract, analyze and discover attackers and zero-day vulnerabilities. They do not exist to lure

attackers due to legal issues. Enticement is legal, Entrapment is illegal.

 IDS – a network burglar system that monitors but doesn’t stop.

 IPS – functions of IDS + it can block

 Behavioral/Anomaly/Heuristics – comparing current statistics to baseline activity. Anomaly generates a lot of

false-positives. Prefer Anomaly to Signature base, because it blocks more.

 Cloud Computing: 5 essential characteristics (Broad Network Access, Rapid Elasticity, Measured Service, On-Demand
Self-Service, Resource Pooling). 3 service models (SaaS, PaaS, IaaS). 4 deployment models (Public, Private, Hybrid,
Community). Deploy or develop in cloud = Platform as a Service

 Software Defined Networking (SDN):

o Purpose: take network traffic and separate the control from the forwarding layer (forwarding, data plane,

or infrastructure layer)

o Open Flow = protocol suite used for SDN

o Northbound Interfaces = API between application and control

o Southbound Interfaces = API between control and data plane

o Control to Data Plane Interface (SDN CDPI) = southbound plane

 Virtualized Network Storage: uses software to use multiple machines/servers to create virtual storage, for

example free space on computers to create virtualized storage location.

 Private VLAN: extends capabilities of regular VLAN capabilities. Isolates ports for enhanced security.

Domain 5 – Access Control

 Native LDAP isn’t secure, susceptible to directory attacks.

 Kerberos - The primary weakness of Kerberos is that the KDC stores the plaintext keys of all principals (clients and servers). A compromise of the KDC (physical or electronic) can lead to the compromise of every key in the Kerberos realm. The KDC and TGS are also single points of failure.

o Uses session keys (symmetric encryption)

o Uses Key Distribution Center (Auth Service and Ticket Granting Service) – single point of failure

o Does not use PKI, uses symmetric!

o Does not lock out

o Susceptible to replay attack if someone manipulates timing.

 Authentication methods - A key concept for implementing any type of access control is controlling the proper authentication of subjects within the IT system. There are three basic authentication methods:

o something you know – requires testing the subject with some sort of challenge and response, where the subject must respond with a knowledgeable answer.

o something you have – requires that users possess something, such as a token, which proves they are an authenticated user.

o something you are – is biometrics, which uses physical characteristics as a means of identification or authentication.

o A fourth type of authentication is some place you are – describes location-based access control using technologies such as GPS or IP address-based geolocation. These controls can deny access if the subject is in an incorrect location.

 Biometric Enrollment and Throughput - Enrollment describes the process of registering with a biometric system: creating an account for the first time. Throughput describes the process of authenticating to a biometric system.

o Three metrics are used to judge biometric accuracy:

o False Reject Rate (FRR) or Type I error – a false rejection occurs when an authorized subject is rejected by the biometric system as unauthorized.

o False Accept Rate (FAR) or Type II error – a false acceptance occurs when an unauthorized subject is accepted as valid.

o Crossover Error Rate (CER) – describes the point where the False Reject Rate (FRR) and False Accept Rate (FAR) are equal. CER is also known as the Equal Error Rate (EER). The Crossover Error Rate describes the overall accuracy of a biometric system.

o Stored as Templates in DB system
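Added example (not from the study guide): computing FRR, FAR and the crossover error rate from constructed match scores, so the three metrics above can be seen moving as the acceptance threshold changes. Scores, and the rule "accept when score >= threshold", are assumptions for this illustration.

```python
"""Added example, not from the study guide: FRR, FAR and CER/EER from match scores.
Scores are constructed on a 0-100 scale; higher means a closer match to the stored
template, and the system accepts a subject when score >= threshold."""

# Constructed scores from 10 attempts by enrolled (genuine) subjects ...
GENUINE = [92, 88, 95, 81, 77, 90, 85, 70, 93, 89]
# ... and 10 attempts by impostors claiming someone else's identity
IMPOSTOR = [30, 45, 52, 61, 38, 66, 49, 55, 42, 72]


def false_reject_rate(threshold, genuine=GENUINE):
    """Type I error: share of authorized subjects the system turns away."""
    return sum(s < threshold for s in genuine) / len(genuine)


def false_accept_rate(threshold, impostor=IMPOSTOR):
    """Type II error: share of impostors the system lets in."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def error_rates(threshold):
    """(FRR, FAR) at one threshold. Raising the threshold (security first) drives FAR
    down and FRR up; lowering it (convenience first) does the opposite."""
    return false_reject_rate(threshold), false_accept_rate(threshold)


def crossover(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep every threshold and return (threshold, CER) where FRR and FAR are closest.
    The CER is the single number used to compare the overall accuracy of two systems:
    lower is better."""
    best = None
    for t in range(0, 101):
        frr = false_reject_rate(t, genuine)
        far = false_accept_rate(t, impostor)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    return best[1], best[2]
```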

 Role Based = separation of duties, based on job classification

 Type 1 hypervisor: hypervisors run directly on the system hardware – a “bare metal” embedded hypervisor.

 Type 2 hypervisor: hypervisors run on a host operating system that provides virtualization services, such as I/O device support and memory management.

Security Assessment & Databases

 Audits – Observe and then decide if you need short or deep dive.

o Internal yourself, or with external auditors

o External auditors audit a 3rd party

o 3rd Party Audits is best way to prove compliance with regulation and trustworthiness

 In black-box testing, the network and application details are unknown to the tester. In white-box testing, the network and application infrastructure is provided to the tester, including configuration details. Grey-box testing can be considered a combination of black-box and white-box testing: some information about the infrastructure is known.

 Red Team attacks, Blue Team defends.

 Overt Test: Security is aware of the test

 Covert Test: Security is not aware.

 Penetration Testing exists to see if your organization can withstand a malicious attack. It also serves to see if staff can easily spot these types of intrusions.

o ⭐Before: APPROVAL BY SENIOR MANAGEMENT⭐

o Could target physical, operational and electronic security objects, not only technical attacks.

o Discovery ➡ Gain Access ➡ Escalate Privileges ➡ System Browse ➡ Wipe Evidence/Keep Access

o Pivoting is where you start low and island-hop or pivot to get to a higher privileged account

 Synthetic transactions are generally used for performance monitoring, and hence, they are directly associated with the availability tenet of the information security triad.

 Stress tests are performed to test the robustness of operational capabilities. Denial-of-Service (DoS) is a type of test used to check the availability of a service under different conditions, such as multiple and simultaneous requests.

 Concurrency tests are performed to test the application with concurrent user activity.

 Code review and testing involves testing the source code of an application for the presence of technical vulnerabilities as well as performance and logical issues. A manual code review is performed to check for any logical errors based on the application's structure.

 In a dynamic code review or testing of a program, the software is executed in a simulated system or a virtual processor.

 In a static code review, the software code is analyzed without executing the program.

 A misuse case test is the reverse of a use case test. In other words, doing a malicious act against a system is the misuse case of a normal act.

 An API test involves testing the functionality, performance, and security of application programming interfaces.

 In an Ad-Hoc environment, you want to use certificates/SSL/TLS to authenticate.

 NIST 800-137 – Continuous Monitoring – know steps generally

 Reports from testing must be specific, measurable, verifiable, etc.

 SOC 2 Reporting: CIA + Security and Privacy by company; the company usually gives the SOC 3 report (shorter) to the requesting company. SOC 3 provides the pass/fail, which is what you usually want.

Databases

 Relational Database

o Data is stored as a record, use SQL to interact with the data.

o Rows = Tuples, Column = Attribute

o Total # of Rows = Cardinality

o Total # of Columns = Degree

o Each Tuple has a Unique Primary Key

o Anything that can define a row is a candidate key.

o A foreign key is a key in another table that references back to the other table.

o Database Normalization: making sure there are no duplicate primary keys.

o Database De-Normalization: pad it with extra or false info (Polyinstantiation = point them to the data you want the person to see, to hide the real sensitive data. Same key/name, different data!)

o Distributed Databases are dispersed and connected logically

o Online Transaction Processing (OLTP) is multiple clustered database systems where transactions are recorded and committed in real-time. They must pass the ACID test:

 Atomicity: either everything is done as a unit, or it is rolled back.

 Consistency: All data is consistent in all databases.

 Isolation: Transactions execute in isolation until completed.

 Durability: Once verified, it is committed and can’t be rolled back.

o Concurrency: a Double Update occurs when two programs access the same element simultaneously. Deadlock occurs when 2 processes are each waiting on the other to release its resources before either can proceed. Can cause DoS and integrity issues.

o You must have the ability to Roll Back and recover from a change.

o 3 ways to mine data: Labels, metadata, REST API
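Added example (not from the study guide): polyinstantiation in a relational table, as described in the De-Normalization bullet above. The classification level is made part of the primary key so the same ship name can hold a cover-story row and a real row, and a trusted front-end query returns only the instance the user is cleared for. The table, ships and clearance levels are constructed for illustration.

```python
"""Added example, not from the study guide: polyinstantiation with SQLite.
Same key/name, different data: one row per classification level, and the query
returns the highest-classified instance the caller is allowed to read."""
import sqlite3

UNCLASSIFIED, CONFIDENTIAL, SECRET = 0, 1, 2   # constructed clearance levels


def build_db():
    conn = sqlite3.connect(":memory:")
    # Clearance is part of the primary key: that is what lets two rows share a name
    # without violating the "each tuple has a unique primary key" rule.
    conn.execute("""CREATE TABLE voyage (
                        ship        TEXT    NOT NULL,
                        clearance   INTEGER NOT NULL,
                        destination TEXT    NOT NULL,
                        PRIMARY KEY (ship, clearance))""")
    conn.executemany("INSERT INTO voyage VALUES (?, ?, ?)", [
        ("Lincoln", UNCLASSIFIED, "Lisbon"),   # cover story anyone may see
        ("Lincoln", SECRET, "Halifax"),        # real destination, secret readers only
        ("Truman", UNCLASSIFIED, "Naples"),    # no sensitive instance exists
    ])
    return conn


def destination(conn, ship, user_clearance):
    """Trusted front-end view: the most classified instance at or below the user's level."""
    row = conn.execute(
        """SELECT destination FROM voyage
           WHERE ship = ? AND clearance <= ?
           ORDER BY clearance DESC LIMIT 1""",
        (ship, user_clearance)).fetchone()
    return row[0] if row else None


def single_key_rejects_second_instance():
    """Without clearance in the key, the secret row collides with the cover row
    (duplicate primary key), so the DB cannot hold both instances at all."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE voyage (ship TEXT PRIMARY KEY, destination TEXT)")
    conn.execute("INSERT INTO voyage VALUES ('Lincoln', 'Lisbon')")
    try:
        conn.execute("INSERT INTO voyage VALUES ('Lincoln', 'Halifax')")
    except sqlite3.IntegrityError:
        return True
    return False
```

The low-cleared user gets a complete, plausible answer rather than an error, which is what stops them inferring that a secret row exists.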

 Object-Oriented Database

o Store large data like movies etc.

o Access/Search it by its metadata (unique reference key)

 Database Attacks:

o Aggregation – figuring it out based on available info

o Inference – deriving info from knowing about the system

 Trusted Front-End

o Adds multilevel security

o Users are restricted from seeing data using forms or views.

 Remote Journaling (log shipping) is a technique of backing up transactions (changes, not the entire DB) to another site, allowing rollback or restore.

 Expert System is an AI tool that uses if/then logic to try to reason like a person

 Knowledge Based System tries to draw conclusions, inference engine.

 Artificial Neural Network (ANN) tries to mimic the human brain, connecting and learning items, matching patterns, closest to human thinking.

Domain 7 – Computer Crime

 Attacks against computers

 Financial crimes

 Abuse (sexploitation, harassment, etc.)

 Focus on unauthorized intrusion, alteration, etc.

Forensics

Evidence

 Must be Authentic, Accurate, Complete, Convincing, Admissible

 E-Discovery: know where the data is, find it and document it.

 MOM: Means, Opportunities, Motive when trying to determine guilt.

 When you finish the investigation, the reports should follow SOP and be very thorough and standardized, as they could be discovered by the other party. An investigator's notebook is deemed hearsay and is used to refresh memory only.

 Log files provide accountability of actions. They are detective controls. Be sure log files are secure so attackers cannot scrub their tracks. Best way to archive is to write to a DVD-Write Only.

 SIEM is near real-time and correlates. Modify old rules when you want to reduce false positives. You add new rules to detect new threats.

 Synthetic Transactions is where you place bogus data inside of something to see if it can be seen by administrators.

Egress Monitoring

 ACL: All traffic except allowed is denied

 Tripwire is a way to hash all data and then watch for it leaving the network.

 DLP has three components: discovery, monitor, enforcement.

Provisioning

 Use secure baselines

 Use a Configuration Management Database (an ITIL thing) to store current configurations and information on who owns it, issues, requirements, etc. You do this for business continuity so you can go back and recover if necessary.

Failure Preparation

 Fault Tolerance means if it fails you can fix it.

 Backup means if it fails you can restore it.

 Fail-Secure is where it fails to a safe state where all access is blocked. (Bank Vault, security first)

 Fail-Open is where it fails open, so anyone can get to it. (Emergency Exit, safety first)

Business Continuity Planning


 STRATEGIC PLANNING

 Long term plan for survivability of the business

 Proactively plan for disruptive events

 Run by management, while disaster recovery is technical on-the-ground

 A function of Due Diligence.

 COOP is Continuity of Operations, where all essential functions (IT) are transferred to an alternate site for up to 30 days.

 Must make a business case that covers impact and value to ensure management buy-in.

 CERT Team should have a list of outside agencies and experts to contact if needed, steps on how to collect evidence, items for the report, and how to treat systems in each situation.

 BCP Steps:

1. Policy Statement/Project initiation/Risk Assessment & Analysis

2. Business impact analysis (determine business processes, resource requirements, recover times needed)

3. Identify preventive control

4. Create contingency strategies – this step begins the disaster

5. Recovery strategy/detailed contingency plan

6. Implementation, training, and testing

7. BCP maintenance, update the plan

 RTO is Recovery Time Objective, which is the amount of time it takes to restore a system.

 WRT is Work Recovery Time, which is how much time it takes to get the system fully operational back into the business process.

 MTD is Maximum Tolerable Downtime, which is the max time you can go without the system.

 RPO is Recovery Point Objective, which is the backup schedule, so if there is a backup every 4 hours, 4 hrs is the RPO.

 RTO + WRT must be less than or equal to MTD

 BIA (Step 2):

o Emergency team notifies during activation

o Salvage team during reconstitution phase

 Shorter the RTO, the more $$ you must spend to get it back up faster.

 Preventative Controls (Step 3)

o MTBF (Mean Time Between Failure) – expected lifetime of a component, used to calculate the risk of utility failure; also compare devices with this.

o MTTR (Mean Time to Repair) – time it takes to repair the device, maybe you need spares if it’s long.

o RAID – provides fault tolerance

 RAID 0 (Striping) – not fault tolerant, spread over 2 disks

 RAID 1 – Data is duplicated, not fault tolerant, min 2 disks

 RAID 5 – 3 or more disks, striped across with parity, if a disk fails, it is fault tolerant, min 3 disks

 RAID 6 – Double Parity, requires 4+ disks, can handle 2 disk failures, min 4 disks

 RAID 1+0 – benefits of fault tolerance RAID 1 and the speed of RAID 0

o Remote Vaulting is file copy to another site.

o Remote Journaling is shipping log data and transactions so you can perform rollback.

o Full Backup – One thing to restore

o Incremental Backup – fastest to back up, only backs up changes, needs the most disks, more frequent backups. Full backup + one disk per day, for example.

o Differential Backup – everything modified since last full on another disk. Full + Differential disks.

o Load Balancing = front end

o Clustering = back end
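Added example (not from the study guide) for the RAID bullets above: a pure-Python model of RAID 5 striping with rotating XOR parity, showing why losing any one disk is survivable and why a second simultaneous loss is not. The in-memory "disks", chunk size and data are constructed.

```python
"""Added example, not from the study guide: RAID 5 striping with rotating XOR parity,
modelled with in-memory lists standing in for disks."""


def xor_chunks(chunks):
    """Bitwise XOR of equal-length byte strings: the RAID 5 parity operation."""
    out = bytearray(len(chunks[0]))
    for c in chunks:
        for i, b in enumerate(c):
            out[i] ^= b
    return bytes(out)


def raid5_write(data, n_disks=3, chunk=4):
    """Stripe data over n_disks-1 data chunks per stripe plus one parity chunk,
    rotating the parity position so no single disk takes every parity write."""
    per_stripe = chunk * (n_disks - 1)
    padded = data + b"\x00" * (-len(data) % per_stripe)
    disks = [[] for _ in range(n_disks)]
    for s in range(len(padded) // per_stripe):
        stripe = padded[s * per_stripe:(s + 1) * per_stripe]
        chunks = [stripe[i * chunk:(i + 1) * chunk] for i in range(n_disks - 1)]
        parity_disk = s % n_disks
        parity = xor_chunks(chunks)
        data_iter = iter(chunks)
        for d in range(n_disks):
            disks[d].append(parity if d == parity_disk else next(data_iter))
    return disks


def raid5_read(disks, length, failed=None):
    """Reassemble the data. If disk index `failed` is gone, each of its chunks is rebuilt
    as the XOR of the surviving chunks in that stripe; this works whether the lost chunk
    held data or parity. Two missing disks leave two unknowns per stripe: unrecoverable."""
    n = len(disks)
    stripes = len(disks[(failed + 1) % n if failed is not None else 0])
    out = bytearray()
    for s in range(stripes):
        parity_disk = s % n
        rebuilt = xor_chunks([disks[d][s] for d in range(n) if d != failed])
        for d in range(n):
            if d == parity_disk:
                continue  # parity is never part of the user data
            out += rebuilt if d == failed else disks[d][s]
    return bytes(out[:length])


def survives_single_failure(data, n_disks=3):
    """True if the data reads back correctly after losing each disk in turn."""
    disks = raid5_write(data, n_disks)
    for failed in range(n_disks):
        degraded = [None if d == failed else disks[d] for d in range(n_disks)]
        if raid5_read(degraded, len(data), failed) != data:
            return False
    return True
```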
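Added example (not from the study guide) that serves both the RTO/WRT/MTD/RPO bullets in the BCP section and the Full/Incremental/Differential bullets above: given a constructed backup schedule and failure time, it lists the backup sets a restore needs under each strategy, computes the work lost against the RPO, and checks the guide's RTO + WRT <= MTD rule.

```python
"""Added example, not from the study guide: restore chains per backup strategy, work lost
versus RPO, and the RTO + WRT <= MTD check. Schedule and failure time are constructed."""
from datetime import datetime, timedelta

START = datetime(2024, 3, 3, 2, 0)      # Sunday 02:00: weekly full backup
FAILURE = datetime(2024, 3, 7, 10, 0)   # Thursday 10:00: the disk dies


def make_schedule(start=START, days=7, strategy="incremental"):
    """One full backup on day 0, then one backup of the chosen strategy each day at the same hour."""
    return [(start + timedelta(days=d), "full" if d == 0 else strategy) for d in range(days)]


def restore_chain(schedule, failure_at=FAILURE):
    """Backup sets that must be mounted, in order, to get back to the last backup before failure."""
    taken = [b for b in schedule if b[0] <= failure_at]
    last_full = max(i for i, (_, kind) in enumerate(taken) if kind == "full")
    chain = taken[last_full:]
    if chain[-1][1] == "differential":
        chain = [chain[0], chain[-1]]     # full + the latest differential only
    return chain                          # full alone, or full + every incremental since it


def data_loss_hours(schedule, failure_at=FAILURE):
    """Work lost = time since the last backup; this is what the RPO bounds."""
    last = max(t for t, _ in schedule if t <= failure_at)
    return (failure_at - last).total_seconds() / 3600


def meets_rpo(schedule, rpo_hours, failure_at=FAILURE):
    return data_loss_hours(schedule, failure_at) <= rpo_hours


def within_mtd(rto_hours, wrt_hours, mtd_hours):
    """The guide's rule: RTO + WRT must be less than or equal to MTD."""
    return rto_hours + wrt_hours <= mtd_hours
```

The incremental chain is the longest (and each extra set is one more thing that can be missing or corrupt), which is the restore-time cost behind "fastest to back up".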

 Testing:
o Checklist - paperwork

o Walkthrough/table-top – process flow, teams step through each step

o Simulation – scenario/drills/exercises, may shut down some non-critical functions. First real test.

o Parallel Testing – test the alternate sites

o Full Interruption Test – shut down and relocate

 CEO should not be speaking during disaster, controlled communication plans.

 3 phases: Notification by rescue team, Recovery phase by recovery team, Reconstitution by salvage team.

 Move most critical first to alternate site, least critical back to reconstitution to keep critical things up longest.

 Contingency Sites:

o Hot Site – up in minutes

o Warm Site – up in hours

o Cold Site – up in days/weeks

o Reciprocal/Memorandum of Agreement – with another company

Domain 8 - Secure Software Development Security

 Security from the beginning!! And in every phase!

 Agile Principles - Flexible, Fast, and Collaborative!

 Waterfall is linear. Logical steps like requirements, design, implement, verify, maintenance. Each step is done before the next; everything falls to the next step once done. One ends, the next begins.

 Modified Waterfall you can go up 1 level but not good since you can only go up 1 level.

 Spiral was designed to deal with risk, with 4 quadrants: Objective, Risk, Build Product, Plan Next Phase. Each spiral hits all 4 quadrants. This focuses on controlling risk. Prototype + Waterfall combo.

 Extreme Programming is an agile method that uses pairs of programmers.

 Object-Oriented Design is a black-box approach to the design of code, equipment or systems.

o Run things together as units (objects). Much faster as things run together in a group.

o Highly cohesive when object and result are tightly together, low coupling. This is preferred. Makes them easier to troubleshoot since there are fewer logical steps.

o High coupling when lots of objects on the chain.

o Polyinstantiation – same name but different data inside

o Polymorphism – one message to multiple objects but get different responses. It’s how different objects respond to the same command.

o Abstraction is hiding details.

o SOAP can be used to exchange applications information over the internet (lacks security though).

o CORBA is middleware for letting different languages to talk to each other.

 SDLC focuses on security every phase.

 Machine Code is executed by the CPU (binary)

 Source Code is translated to machine code before executed by CPU

 Compilers take source code and make .exe, an Interpreter is interpreted line by line.

 Scrum Team – small team of developers

 Scrum Master – Senior member supporting the team

 Product Owner is the voice of the business to the developers.

 Secure SW Dev Lifecycle:

o Initiation

o Development

o Implementation

o Operations and management

o Disposal

 Disclosure of vulnerabilities should be responsible. Full Disclosure is to public and considered bad.

 Prototyping is a fast type of development, uses Rapid Application Deployment (RAD). Documentation is usually lacking with how fast it is.

 Rugby is a subset of Agile, uses Sprints

 Clean Room Model is super high quality, perfectionist.

 Evaluation of S/W

o Capability Maturity Model (5 Levels)

 Moves up the chain 1-5, high # better. Only SW dev environment

 Systems Security Engineering (SSE-CMM) – same as CMM, but addresses security also

 Software Assurance Maturity Model (SAMM) takes the process and breaks it up into 4 areas:

1. Governance

2. Construction/App Building

3. Verification of code/design/etc

4. Deployment

 During development, only static testing done!

 In Software testing, physical interface least likely to be tested.

 Static and White Box are more comprehensive since you go through each line.

 Verification = meets spec

 Validated = solved real world problem

 You need physical security over code, auditing, hardening, etc.

 Software Code Escrow is protection against the company going out of business, so a 3rd party has access to the code, so you aren’t left without support/customization options.

 Software Assurance is confidence that it is free from vulnerabilities.

 Buffer overflow can crash, spit out privileged info, allow you to execute code, limit with input validations.

 XSS – JavaScript entered through a form or URL parameter to do something bad

 CSRF – trick the browser into doing an unwanted action

 SALAMI Attack is taking small pieces and exfiltrating them

 Session Hijacking is active
