Unseen Topics of CISSP You Must Know


In this article, we cover the topics that are relevant for the CISSP exam but that most candidates tend to ignore. We have prioritized the topics by their likelihood and impact in the exam, because at the end of the day my objective is to protect you from the risk of losing 800 USD.

  1. (ISC)2 Code of Professional Ethics
  2. Scenario-based risk analysis calculations (straightforward calculator work): ALE = SLE * ARO, where SLE = AV * EF.
  3. Risk Treatment
  4. OWASP Top 10 vulnerabilities (Cross-Site Scripting, Cross-Site Request Forgery, SQL Injection, etc.) and countermeasures
  5. Good understanding of ARP poisoning and its mitigations
  6. Control types and categories and their associated primary objective
    1. Type
      1. Administrative
      2. Technical
      3. Physical
    2. Categories
      1. Deterrent
      2. Directive
      3. Preventive
      4. Compensating
      5. Detective
      6. Corrective
      7. Recovery
  7. Buffer overflow = input that exceeds the limits of the data type while still passing validation
  8. RAID 0, 1, 5, 1+0 or 0+1 (RAID 10). RAID 0 is for speed (striping); know which one is better for a given scenario
  9. Types of recovery site (hot site, cold site)
  10. Understanding of BCP and DR metrics (MTD, RTO, RPO) and their usage
  11. IPsec VPN. Know SA, ESP, AH, transport and tunnel mode, and IKE
  12. PPP: PAP, CHAP, EAP. Functions available at each layer
  13. WEP vs WPA vs WPA2 (algorithm usage)
  14. You must know EAL1 to EAL7
  15. ISO 27001 security standards and policies. ISO 27002 best-practice security procedures
  16. Data Privacy
    1. The best way to protect the organization from data privacy liabilities is to limit data collection (data minimization)
    2. Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)
    3. The US: there is no national privacy regulation in the US; instead there are industry-specific regulations:
      1. FERPA (Family Educational Rights and Privacy Act) = prevents the disclosure of personally identifiable data in student records to third parties without parental consent.
      2. COPPA (Children's Online Privacy Protection Act) = the primary objective of COPPA is to give parents control over what information is collected online from their children under age 13.
      3. HIPAA (Health Insurance Portability and Accountability Act) = United States legislation that implements data privacy and security provisions for protecting medical information.
    4. EU (European Union) General Data Protection Regulation (GDPR) = the company must be able to demonstrate compliance
      1. These principles set out obligations for businesses and organizations that collect, process, and store individuals' personal data
      2. Six principles for processing personal data:
        1. Lawfulness, fairness, and transparency
        2. Purpose limitation
        3. Data minimization
        4. Accuracy
        5. Storage limitation
        6. Integrity and confidentiality
    5. OECD Privacy Principles
      1. Collection Limitation Principle
      2. Data Quality Principle
      3. Purpose Specification Principle
      4. Use Limitation Principle
      5. Security Safeguards Principle
      6. Openness Principle
      7. Individual Participation Principle
      8. Accountability Principle
  17. Common Criteria (ISO 15408) for evaluating security products
    1. Protection Profile
    2. Security Target
    3. EALs 1-7
  18. Usage of SOC reports
  19. Good understanding of the types of roles (owner, custodian, data controller, and data processor)
  20. Good understanding of federation. Usage of SAML, XACML, OpenID, OAuth
    1. SAML
      1. Token (authentication and authorization)
    2. XACML
      1. Manages authorization
      2. ABAC
    3. OAuth and OpenID
      1. Mobile application end-user
  21. SDLC stages
    1. At which phase is security addressed?
    2. Each phase has a different function
      1. Project initiation and planning
      2. Functional requirements gathering
      3. System design specifications
      4. Development and implementation
      5. Documentation and common program controls
      6. Testing and evaluation control (certification and accreditation)
      7. Transition to production (implementation)
    3. The System Life Cycle (SLC) extends the SDLC with two more steps
      1. Operations and maintenance support
      2. Revisions and system replacement
  22. DevOps = concern: lack of strong isolation
  23. OWASP
    1. ASVS verification levels
      1. ASVS Level 1 (opportunistic) is meant for all software.
      2. ASVS Level 2 (standard) = for applications that contain sensitive data, which requires protection.
      3. ASVS Level 3 (advanced) = for the most critical applications, those that perform high-value transactions
  24. Database
    1. Inference is the ability to deduce (infer) hidden information by inspecting available information and making a deduction based on that information.
    2. Aggregation is the combination of nonsensitive data from separate sources to create sensitive data.
    3. Polyinstantiation is used as a defense against some types of inference attacks.
    4. Polymorphism is used as a defense against some types of aggregation attacks.
    5. Database transactions have four characteristics: ACID (atomicity, consistency, isolation, durability)
    6. Data mining security concern = privacy impact
  25. Usages of NAC and 802.1X
  26. BIA Objective
    1. Determine criticality
    2. Estimate MTD
    3. Evaluate resource requirements
  27. Information security continuous monitoring (ISCM)
    1. Define an ISCM strategy
    2. Establish an ISCM program
    3. Implement an ISCM program
    4. Analyze data and report findings
    5. Respond to findings
    6. Review and update the ISCM strategy and program
  28. DLP Usage
    1. Data at Rest
    2. Data in Transit
    3. Data in Use
  29. Data classification process
  30. Types of attack
    1. Ping of death: sending a ping packet that violates the Maximum Transmission Unit (MTU)
    2. Ping flooding: flooding a system with many pings
    3. Teardrop: a network layer (Layer 3) attack that sends malformed packets to confuse the operating system, which cannot reassemble the packet
    4. Fraggle: a variant of the Smurf attack that uses UDP echo packets instead of ICMP packets
    5. Smurf attack: a DDoS attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP broadcast address.
  31. Biometrics (FAR, FRR, CER); the lower the CER, the more accurate the system
    1. The retina is the most accurate
  32. Good Understanding of placement of (Firewall/IDS/IPS/DMZ/etc)
  33. Usage of CVSS
  34. The objective of a security assessment = evidence of effective security controls
  35. Security and Risk Management: what comes after asset evaluation, threat, and vulnerability analysis? Safeguard or countermeasure selection
  36. Understanding of covert storage channels and covert timing channels
  37. Hash or hashing = integrity (SHA is more secure than MD5)
  38. Cryptographic attacks
    1. Chosen plaintext attack: the cryptanalyst chooses plaintext to be encrypted, and the corresponding ciphertext is obtained
    2. Adaptive chosen plaintext attack: the cryptanalyst chooses plaintext to be encrypted; then, based on the resulting ciphertext, selects another sample to be encrypted
    3. Chosen ciphertext attack: the cryptanalyst chooses ciphertext to be decrypted, and the corresponding plaintext is obtained
    4. Adaptive chosen ciphertext attack: the cryptanalyst chooses ciphertext to be decrypted; then, based on the resulting plaintext, chooses another sample to be decrypted
    5. Ciphertext-only attack: the cryptanalyst has only the ciphertext of several messages
    6. Known plaintext attack: the cryptanalyst has obtained the ciphertext and corresponding plaintext of several past messages, which he or she uses to decipher new messages.
    7. The birthday attack: hash collisions.
  39. ECC is better than RSA (less computation)
  40. AES is better than DES
  41. Physical access control
    1. Deter (prevent).
    2. Delay (e.g. locks).
    3. Detect (alarms).
    4. Assess (correct).
    5. Respond (correct).
    6. Prevent, detect, and correct = complete control
  42. Fire classification
    1. Class A = Common combustibles (paper, wood) = Ash
    2. Class B = Combustible liquids. Use gas. = Boil
    3. Class C = Electrical. Use gas. = Current
    4. Class D = Metals. Use specialized dry powders. = Dry
  43. Fiber Optic Cable provides better protection against EMI
  44. How to protect against a SYN flood attack
  45. PPP replaced SLIP
  46. Usage of PAP, CHAP, EAP
  47. Change Management, Problem Management and Incident Management steps
  48. Implementation of RADIUS, TACACS+, Diameter.
  49. Security Assessment and Testing: fuzz testing
  50. Security Assessment and Testing: Synthetic Transactions Testing
  51. CPS (Cyber-Physical Systems)
    1. ICS (Industrial Control Systems)
      1. Primary concerns with ICS (availability and integrity)
      2. Implement an ICS security risk management framework
        1. Define and inventory ICS assets
        2. Develop a security plan for ICS systems.
        3. Perform a risk assessment.
        4. Define the mitigation controls.
      3. Security objectives for an ICS implementation should include the following:
        1. Restricting logical access to the ICS network and network activity
        2. Restricting physical access to the ICS network and devices
        3. Protecting individual ICS components from exploitation
        4. Restricting unauthorized modification of data
        5. Ensuring that critical components are redundant and are on redundant networks
        6. Disabling unused ports and services on ICS devices
        7. Tracking and monitoring audit trails on critical areas of the ICS
    2. IoT (Internet of Things)
      1. Strong authentication
      2. Strong APIs used for data transfer
      3. Data protection: it should be apparent how the IoT device protects the data that it stores and sends over the network from unauthorized access and modification. For example, some devices use encryption to obscure the data held on the internal storage of the device.
      4. Software and firmware updates: a device's software and firmware should be updatable using a secure and configurable mechanism. For example, some IoT devices receive automatic updates from the manufacturer, requiring little to no work from the user.
  52. Cloud
    1. Crypto-erase (cryptographic erasure) is the technique used in the cloud to destroy data
    2. Data security and GRC are the responsibility of the data owner
    3. A federation solution is best integrated with SaaS
    4. IDaaS is managed by professionals; the nature of the job is administrative
    5. An effective contract avoids all governance risk
    6. Cloud Access Security Broker (CASB) = objective is to provide visibility
    7. Independent audit reports build transparency between cloud user and cloud provider
    8. Service model
      1. IaaS = more control and more administration
      2. PaaS
      3. SaaS = limited control and less administration
    9. Deployment model
      1. Public cloud
      2. Private cloud
      3. Community cloud
      4. Hybrid cloud
        1. BCDR cloud
        2. Cloud bursting
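A worked example of the risk-analysis arithmetic from item 2 (SLE = AV * EF, ALE = SLE * ARO) and the countermeasure-selection step from item 35, written in Python for this article and not part of the original post. It goes one step beyond the formula on the page by ranking candidate safeguards on their annual value (ALE before minus ALE after minus annual safeguard cost), which is how scenario questions typically ask you to pick a control; the asset values, factors and safeguard names are constructed figures.

```python
# Added example (not from the original post): CISSP quantitative risk analysis.
#   SLE = AV * EF            single loss expectancy
#   ALE = SLE * ARO          annualized loss expectancy
#   value = ALE_before - ALE_after - annual cost   (cost/benefit of a safeguard)
# All figures below are constructed for illustration.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Scenario:
    asset_value: float       # AV, in USD
    exposure_factor: float   # EF, fraction of AV lost in one incident (0.0 - 1.0)
    aro: float               # ARO, expected number of incidents per year

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.aro

@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float       # annual cost of the safeguard
    exposure_factor: float   # EF after the safeguard is in place
    aro: float               # ARO after the safeguard is in place

def safeguard_value(before: Scenario, sg: Safeguard) -> float:
    """Annual value of a safeguard: ALE before - ALE after - annual cost."""
    after = replace(before, exposure_factor=sg.exposure_factor, aro=sg.aro)
    return before.ale() - after.ale() - sg.annual_cost

def select_safeguard(before: Scenario, options: list[Safeguard]):
    """(name, value) of the most cost-effective safeguard, or None if none pays off."""
    best = max(options, key=lambda sg: safeguard_value(before, sg))
    value = safeguard_value(before, best)
    return (best.name, value) if value > 0 else None

# Constructed scenario: 1,000,000 USD data centre; a flood destroys 40% of it once in 10 years.
DATACENTER = Scenario(asset_value=1_000_000, exposure_factor=0.40, aro=0.10)
OPTIONS = [
    Safeguard("flood barrier", annual_cost=25_000, exposure_factor=0.10, aro=0.10),
    Safeguard("relocate equipment", annual_cost=45_000, exposure_factor=0.00, aro=0.10),
    Safeguard("flood insurance", annual_cost=35_000, exposure_factor=0.05, aro=0.10),
]

if __name__ == "__main__":
    print(f"SLE = {DATACENTER.sle():,.0f} USD, ALE = {DATACENTER.ale():,.0f} USD/year")
    for sg in OPTIONS:
        print(f"{sg.name:20s} value = {safeguard_value(DATACENTER, sg):,.0f} USD/year")
    print("selected:", select_safeguard(DATACENTER, OPTIONS))
```

Note that a safeguard whose annual cost equals the loss it avoids (the insurance option here) has zero value and is not selected; the exam expects you to reject controls that cost more than the risk they reduce.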