Unseen Topics of CISSP You Must Know


In this article, we cover the topics that are relevant to the CISSP exam but that most candidates tend to ignore. We have prioritized the topics by their likelihood and impact in the exam, because at the end of the day my objective is to protect you from the risk of an 800 USD loss.

  1. (ISC)2 Code of Professional Ethics
  2. Risk Management
    1. Risk Identification
    2. Risk Analysis
      1. Qualitative
      2. Quantitative
    3. Risk Evaluation
    4. Risk Treatment (based on the risk tolerance factor)
      1. Risk mitigation
      2. Risk transfer = when likelihood is low and impact is high
      3. Risk avoidance
      4. Risk acceptance
    5. The scenario-based calculation for risk analysis is straightforward arithmetic: ALE = SLE * ARO, where SLE = AV * EF
    6. The ultimate goal of risk management is to reduce risk to an acceptable level
    7. Value of control formula
      1. (ALE before implementing safeguard) - (ALE after implementing safeguard) - (annual cost of safeguard) = value of safeguard to the company
      2. When selecting countermeasures, you must consider factors such as security effectiveness, cost effectiveness, and operational impact.
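The quantitative formulas above (SLE = AV * EF, ALE = SLE * ARO, and the value-of-safeguard formula) are easiest to remember once you have run them over a scenario. The following is an added example, not code from the original post: it implements those formulas and ranks several candidate countermeasures by their value to the company. Every asset value, exposure factor, ARO and safeguard cost in it is a constructed sample figure.

```python
"""Quantitative risk analysis, worked through in code.

Added example, not code from the original post. It implements the formulas the
notes quote (SLE = AV * EF, ALE = SLE * ARO, safeguard value = ALE before -
ALE after - annual cost) and then ranks candidate countermeasures by that value.
Every asset value, exposure factor, ARO and cost below is a constructed sample
figure, not a number from the notes.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF. EF is the fraction (0..1) of the asset value lost per incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(asset_value: float, exposure_factor: float, aro: float) -> float:
    """ALE = SLE * ARO. ARO is the expected number of occurrences per year."""
    return single_loss_expectancy(asset_value, exposure_factor) * aro


@dataclass(frozen=True)
class Safeguard:
    """A candidate control and the residual EF/ARO expected once it is in place."""
    name: str
    annual_cost: float
    residual_ef: float
    residual_aro: float


def safeguard_value(asset_value: float, ef: float, aro: float, sg: Safeguard) -> float:
    """(ALE before) - (ALE after) - (annual cost of safeguard) = value to the company."""
    ale_before = annualized_loss_expectancy(asset_value, ef, aro)
    ale_after = annualized_loss_expectancy(asset_value, sg.residual_ef, sg.residual_aro)
    return ale_before - ale_after - sg.annual_cost


def select_safeguard(asset_value: float, ef: float, aro: float,
                     candidates: Iterable[Safeguard]) -> Optional[Safeguard]:
    """Pick the control with the highest positive value.

    Returns None when no candidate has a positive value: each would cost more per
    year than the loss it avoids, so on cost grounds alone the treatment is
    acceptance (or a cheaper control), not any of these.
    """
    best, best_value = None, 0.0
    for sg in candidates:
        value = safeguard_value(asset_value, ef, aro, sg)
        if value > best_value:
            best, best_value = sg, value
    return best


# Constructed scenario: a web server worth 200,000 USD; each incident destroys 25%
# of that value (EF = 0.25) and incidents are expected twice a year (ARO = 2).
ASSET_VALUE, EF_BEFORE, ARO_BEFORE = 200_000.0, 0.25, 2.0

CANDIDATES = [
    Safeguard("web application firewall", annual_cost=15_000.0, residual_ef=0.25, residual_aro=0.5),
    Safeguard("hardened appliance", annual_cost=90_000.0, residual_ef=0.05, residual_aro=0.2),
    Safeguard("full outsourcing", annual_cost=120_000.0, residual_ef=0.0, residual_aro=0.0),
]

if __name__ == "__main__":
    print("ALE before:", annualized_loss_expectancy(ASSET_VALUE, EF_BEFORE, ARO_BEFORE))
    for sg in CANDIDATES:
        print(f"{sg.name}: value {safeguard_value(ASSET_VALUE, EF_BEFORE, ARO_BEFORE, sg):,.0f}")
    chosen = select_safeguard(ASSET_VALUE, EF_BEFORE, ARO_BEFORE, CANDIDATES)
    print("selected:", chosen.name if chosen else "none pays off; accept the risk")
```

With these figures the ALE before any control is 100,000 USD per year; the firewall is worth 60,000 USD per year to the company, the appliance only about 8,000, and the outsourcing option has a negative value, which is the exam's cue that a control costing more than the loss it prevents is not a sensible selection.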
  3. Threat Modelling
    1. STRIDE
      1. Spoofing
      2. Tampering
      3. Repudiation
      4. Information disclosure
      5. Denial of service (DoS)
      6. Elevation of privilege
    2. Threat modelling is performed in the design stage
    3. Threat Modelling Steps
      1. Creating an application diagram.
      2. Identifying threats.
      3. Mitigating threats.
      4. Validating that threats have been mitigated.
  4. OWASP Top 10 vulnerabilities (Cross-Site Scripting, Cross-Site Request Forgery, SQL Injection, etc.) and countermeasures
    1. Cross-site scripting countermeasure
      1. Input validation of values
    2. Cross-site request forgery countermeasures
      1. Session token synchronization
      2. Random session token
    3. SQL injection countermeasure
      1. Parameterized queries or stored procedures
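To see why a parameterized query is the countermeasure, it helps to put the string-built query next to the parameterized one and feed both the same input. The following is an added example, not code from the original post; it uses Python's built-in sqlite3 module with a constructed in-memory users table, so it runs offline.

```python
"""SQL injection: a string-built query beside its parameterized form.

Added example, not code from the original post. Uses Python's built-in sqlite3
with a constructed in-memory users table, so it runs offline. The two login
functions differ only in how the untrusted username and password reach the
database, which is exactly the difference the countermeasure above is about.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users with plain-text passwords, for the demo only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Untrusted input is pasted into the SQL text, so the database cannot tell
    where the data ends and the statement structure begins."""
    sql = ("SELECT username FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The statement structure is fixed before the input is seen; the driver binds
    the values as data, so quote characters in the input stay ordinary characters."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


def compare(username: str, password: str) -> dict:
    """Run the same credentials through both versions and return who each one lets in."""
    conn = make_db()
    try:
        return {
            "vulnerable": login_vulnerable(conn, username, password),
            "parameterized": login_parameterized(conn, username, password),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A legitimate login matches exactly one user in both versions.
    print(compare("alice", "s3cret"))
    # A password containing quotes and a tautology rewrites the vulnerable statement
    # into ... AND password = '' OR '1'='1', which matches every row; the
    # parameterized version compares against that literal string and matches nothing.
    print(compare("alice", "' OR '1'='1"))
```

The point to carry into the exam is that the fix is structural: the parameterized version never interprets the input as SQL, so no amount of input filtering is needed for the query itself (input validation is still the right answer for the cross-site scripting item above, which is about what the browser interprets).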
  5. Good understanding of ARP poisoning and its mitigation
  6. Control Types and Categories and associated Primary Objective
    1. Type
      1. Administrative
      2. Technical
      3. Physical
    2. Categories
      1. Deterrent
      2. Directive
      3. Preventive
      4. Compensating
      5. Detective
      6. Corrective
      7. Recovery
  7. Buffer overflow = surpassing the limits of the data type and slipping past validation
  8. RAID 0, 1, 5, 1+0 or 0+1 (10). 0 is for speed/striping; know which one is better
  9. Types of recovery site (hot site, cold site)
  10. Understanding of BCP/DR metrics (MTD, RTO, RPO) and their usage
    1. MTD: Maximum Tolerable Downtime is a measure of the longest period of time that a critical business function can be disrupted without suffering unacceptable consequences, perhaps threatening the actual survivability of the organization
    2. RTO: the maximum period of time in which a business process must be restored after a disaster.
    3. RPO: the maximum period of time over which data might be lost if a disaster strikes.
  11. IPSec VPN. Know SA, ESP, AH, transport and tunnel mode, and IKE
    1. Protocol
      1. AH (integrity and authenticity)
      2. ESP (confidentiality, integrity and authenticity)
    2. Modes
      1. Transport mode = end-to-end encryption = less secure
      2. Tunnel mode = link encryption = more secure
  12. PPP PAP, CHAP, EAP. Functions available in each layer
  13. Usage of (PAP, CHAP, EAP)
    1. PAP = sends the password in plain text
    2. CHAP = starts with a challenge and a handshake process to prevent replay attacks
    3. EAP = more scalable
      1. EAP-LEAP = password based
      2. EAP-TLS = certificates maintained on both the client side and the server side; maintenance is a challenge (but most secure)
      3. EAP-PEAP = does not require a certificate on the client side, but is not open source
      4. EAP-TTLS = alternative to EAP-PEAP that also does not require a certificate on the client side
    4. Check video for more details 
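The difference between PAP and CHAP is the exchange itself, so here is the CHAP handshake written out with both sides' messages. This is an added example, not code from the original notes: it follows the RFC 1994 response formula, MD5(identifier || shared secret || challenge), with a constructed shared secret, and shows why a response captured on the wire cannot be replayed. The `Authenticator` class and the `run_exchange` function are illustrative names, not part of any PPP implementation.

```python
"""CHAP challenge/handshake exchange, with both sides' messages.

Added example, not code from the original notes. It follows the response
formula from RFC 1994, MD5(identifier || shared secret || challenge), for a
constructed shared secret, and shows why a response captured on the wire is
useless to a replayer: the authenticator accepts each challenge once and issues
a fresh random one per attempt. It illustrates the protocol logic only; it is
not a PPP implementation.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: prove knowledge of the secret without ever sending it."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Server side: hands out one-time challenges and checks the responses."""

    def __init__(self, secrets_by_name: Dict[str, bytes]):
        self._secrets = secrets_by_name
        self._identifier = 0
        self._outstanding: Dict[int, bytes] = {}  # identifier -> unanswered challenge

    def challenge(self) -> Tuple[int, bytes]:
        self._identifier = (self._identifier + 1) % 256
        chal = secrets.token_bytes(16)  # fresh random value per attempt
        self._outstanding[self._identifier] = chal
        return self._identifier, chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        chal = self._outstanding.pop(identifier, None)  # consumed whether or not it verifies
        secret = self._secrets.get(name)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, chal), response)


def pap_on_the_wire(name: str, password: bytes) -> bytes:
    """PAP, for contrast: the credential itself is the message, readable and reusable."""
    return name.encode() + b":" + password


def run_exchange() -> Tuple[bool, bool, bool]:
    """Returns (genuine login ok, replay of same response ok, replay against new challenge ok)."""
    shared = b"constructed-shared-secret"
    auth = Authenticator({"alice": shared})

    ident, chal = auth.challenge()                 # Challenge packet -> peer
    resp = chap_response(ident, shared, chal)      # Response packet -> authenticator
    genuine = auth.verify(ident, "alice", resp)    # Success

    replay_same = auth.verify(ident, "alice", resp)   # Failure: challenge already consumed
    ident2, _ = auth.challenge()
    replay_new = auth.verify(ident2, "alice", resp)   # Failure: response bound to old challenge
    return genuine, replay_same, replay_new


if __name__ == "__main__":
    print("PAP sends:", pap_on_the_wire("alice", b"hunter2"))
    print("CHAP genuine / replay / replay-with-new-challenge:", run_exchange())
```

Note that the secret never crosses the wire in CHAP, but both ends must hold it in a form the MD5 computation can use, which is why CHAP is described as protecting against replay rather than as a general password-storage improvement.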
  14. CDN
    1. Improves availability but raises regulatory concerns
  15. SSH
    1. It provides strong encryption, server authentication, integrity protection and compression
  16. DNS Security
    1. Provides integrity and authenticity for records
  17. WEP vs WPA vs WPA2 (algorithm usage)
    1. WEP = 64-bit (RC4) algorithm (IV limitation)
    2. WPA = 128-bit (RC4) with TKIP
    3. WPA2 = 128-bit, more robust (AES)
  18. You must know EAL1 to EAL7
  19. ISO 27001 security standards and policies; ISO 27002 best-practice security procedures
  20. Standards, guidelines, and procedures are supporting elements of a policy and provide specific implementation details of the policy.
  21. Data Privacy
    1. The best way to protect the organization from data privacy liabilities is to limit the collection of data (data minimization)
    2. Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)
    3. The US: there is no national privacy regulation in the US; instead there is industry-specific regulation:
      1. FERPA (Family Educational Rights and Privacy Act) = that prevents the disclosure of personally identifiable data in student records to third parties without parental consent.
      2. COPPA (Children’s Online Privacy Protection Act) = The primary objective of COPPA is to enable parents to have control over what information is collected online from their children under age 13.
      3. HIPAA (Health Insurance Portability and Accountability Act) is United States legislation that implements data privacy and security provisions for protecting medical information.
        1. Covered Entity
          1. Health plans,
          2. Health care clearinghouses,
          3. Health care providers
    4. EU (European Union) General Data Protection Regulation = the company must have the ability to demonstrate compliance
      1. The GDPR principles set out obligations for businesses and organizations that collect, process, and store individuals' personal data
      2. Six principles for processing personal data, the first being lawfulness, fairness, and transparency, followed by:
        1. Purpose limitation
        2. Data minimization
        3. Accuracy
        4. Storage limitation
        5. Integrity and confidentiality
        6. Accountability
      3. 72-hour breach reporting
    5. OECD Privacy Principles
      1. Collection Limitation Principle
      2. Data Quality Principle
      3. Purpose Specification Principle
      4. Use Limitation Principle
      5. Security Safeguards Principle
      6. Openness Principle
      7. Individual Participation Principle
      8. Accountability Principle
  22. Common Criteria (ISO 15408) for evaluating security products
    1. Protection Profile
    2. Security Target
    3. EALs 1-7
  23. Security Model
    1. Bell-LaPadula = confidentiality
    2. Biba = integrity
    3. Clark-Wilson
      1. First commercial model focused on integrity
      2. Separation of duties
    4. Brewer-Nash
      1. Prevents conflicts of interest
  24. Gas usage
    1. FM-200 is better than Halon
  25. Usage of SOC reports
  26. Good understanding of the types of roles (owner, custodian, data controller, and data processor)
    1. Check Video
  27. Good understanding of federation; usage of SAML, XACML, OpenID, OAuth
    1. SAML
      1. Assertions (authentication and authorization)
    2. XACML
      1. Manages authorization
      2. ABAC
    3. OAuth
      1. Deals with authorization
      2. Mobile application end-user
      3. Resource Owner
        1. An entity capable of granting access to a protected resource. When a resource owner is a person, it is referred to as an end user.
      4. Resource Server
        1. The server hosts the protected resources and is capable of accepting and responding to protected resource requests using access tokens.
      5. Authorization Server
        1. A client application makes protected requests on behalf of the resource owner and with its authorization.
    4. OpenID
      1. Deals with authentication
  28. SDLC stages
    1. Security at which phase?
      1. Check the following videos
        1. Part 1
        2. Part 2
        3. Part 3
        4. Part 4
    2. Each phase has a different function
      1. Project initiation and planning
      2. Functional requirements gathering
      3. System design specifications
      4. Development and implementation
      5. Documentation and common program controls
      6. Testing and evaluation control (certification and accreditation)
        1. Accreditation is obtained in this phase
      7. Transition to production (implementation)
    3. System Life Cycle (SLC) extends with two more steps
      1. Operations and maintenance support
      2. Revisions and system replacement
  29. DevOps = concern: lack of strong isolation
  30. OWASP
    1. Verification Levels
      1. ASVS Level 1 (opportunistic) is meant for all software.
      2. ASVS Level 2 (standard) = for applications that contain sensitive data, which requires protection.
      3. ASVS Level 3 (advanced) = for the most critical applications, those that perform high-value transactions
  31. Database
    1. Inference is the ability to deduce (infer) hidden information by inspecting available information and making a deduction based on that information.
    2. Aggregation is the combination of nonsensitive data from separate sources to create sensitive data
    3. Polyinstantiation is used as a defense against some types of inference attacks
    4. Polymorphism is used as a defense against some types of aggregation attacks
    5. Database transactions have four characteristics: ACID
    6. Data mining security concern = privacy impact
  32. Usage of NAC and 802.1X
  33. BIA Process
    1. Identify business processes
    2. Identify resources necessary to keep those processes running
    3. Identify the impact on the process and ultimately on the business if the resources are not available or working properly
    4. Identify priorities
  34. BIA Objective
    1. Determine criticality
    2. Estimate MTD
    3. Evaluate resource requirements
    4. Check video
  35. Information security continuous monitoring (ISCM)
    1. Define an ISCM strategy
    2. Establish an ISCM program
    3. Implement an ISCM program
    4. Analyze data and report findings
    5. Respond to findings
    6. Review and update the ISCM strategy and program
  36. DLP Usage
    1. Data at Rest
    2. Data in Transit
    3. Data in Use
    4. Reduce data breach risk
    5. Protect critical business data and intellectual property
  37. Data classification
    1. Data classification is focused on the identification of the sensitivity, criticality, and value of data
  38. Data Destruction Process
    1. Methods
      1. clear
        1. One method to sanitize media is to use software or hardware products to overwrite user addressable storage space on the media with non-sensitive data, using the standard read and write commands for the device
      2. purge
        1. Degaussing is the most effective method to remove data
      3. Destroy
        1. Destroy the disk
      4. Crypto shredding
        1. Process of deleting data from the cloud
  39. Type of Attack
    1. Ping of death: Sending a ping packet that violates the Maximum Transmission Unit (MTU)
    2. Ping flooding: flooding a system with a large number of pings
    3. Teardrop: a network layer (Layer 3) attack, sending malformed packets to confuse the operating system, which cannot reassemble the packet
    4. Fraggle: a type of Smurf attack that uses UDP echo packets instead of ICMP packets
    5. Smurf attack: a DDoS attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP broadcast address.
  40. Biometrics (FAR, FRR, CER): the lower the CER, the more accurate the system
    1. Retina scanning is accurate
  41. Access Controls
    1. role based access control
      1. job function / roles types
    2. Mandatory Access Control
      1. based on clearance
      2. very rigid
    3. Attribute-based access control (ABAC)
      1. More granular
  42. Good Understanding of placement of (Firewall/IDS/IPS/DMZ/etc)
  43. Usage of CVSS
  44. The objective of a security assessment = evidence of effective security controls
  45. Security and Risk Management: what comes after asset evaluation, threat, and vulnerability analysis? Safeguard or countermeasure selection
  46. Understanding of covert storage and covert timing channels
  47. Hash or hashing = integrity (SHA is more secure than MD5)
  48. Cryptographic attacks
    1. Chosen plaintext attack: the cryptanalyst chooses plaintext to be encrypted, and the corresponding ciphertext is obtained
    2. Adaptive chosen plaintext attack: the cryptanalyst chooses plaintext to be encrypted; then, based on the resulting ciphertext, selects another sample to be encrypted
    3. Chosen ciphertext attack: the cryptanalyst chooses ciphertext to be decrypted, and the corresponding plaintext is obtained
    4. Adaptive chosen ciphertext attack: the cryptanalyst chooses ciphertext to be decrypted; then, based on the result, chooses another sample to be decrypted
    5. Ciphertext-only attack: the cryptanalyst has only the ciphertext of several messages
    6. Known plaintext attack: the cryptanalyst has obtained the ciphertext and corresponding plaintext of several past messages, which he or she uses to decipher new messages.
    7. The birthday attack targets hash collisions.
  49. ECC is better than RSA (less computation)
  50. AES is better than DES
  51. Physical Access Control
    1. Deter (Prevent).
    2. Delay (e.g. locks).
    3. Detect (alarms).
    4. Assess (Correct).
    5. Respond (Correct).
    6. Prevent, Detect, and Correct = complete control
  52. Fire classification
    1. Class A = common combustibles (paper, wood) = Ash
    2. Class B = combustible liquids; use gas = Boil
    3. Class C = electrical; use gas = Current
    4. Class D = metals; use specialized dry powders = Dry
  53. Fiber Optic Cable provides better protection against EMI
  54. How to protect against a SYN flood attack
  55. PPP replaced SLIP
  56. Change Management, Problem Management, and Incident Management steps
    1. Change management is used to maintain integrity
    2. Incident management is used to reduce impact
    3. Problem management tracks root cause
    4. Patch management maintains uniformity of patches
  57. Implementation of RADIUS, TACACS+, and DIAMETER
    1. TACACS+ is more secure and robust than RADIUS
    2. RADIUS sends the username in plain text; only the password is protected with the shared secret
    3. TACACS+ encrypts everything it sends
    4. Diameter is an alternative to RADIUS; open source and more secure
  58. Security Assessment and Testing: fuzz testing
    1. Fuzzing types
      1. Mutation fuzzing (dumb)
      2. Generational fuzzing (intelligent)
  59. Types of security testing
    1. SAST (Static Application Security Testing) = testing with access to the source code
    2. DAST (Dynamic Application Security Testing) = testing the running application
    3. Software composition analysis = for free and open source software (FOSS) components
  60. Security Assessment and Testing: Synthetic Transactions Testing
  61. CPS (Cyber-Physical System)
    1. Primary concern: availability
    2. ICS (Industrial Control System)
      1. Primary Concern with ICS (Availability and Integrity)
      2.  Implement an ICS Security Risk Management Framework
        1. Define and inventory ICS assets
        2. Develop a security plan for ICS Systems.
        3. Perform a risk assessment.
        4. Define the mitigation controls.
      3. Security objectives for an ICS implementation should include the following:
        1. Restricting logical access to the ICS network and network activity
        2. Restricting physical access to the ICS network and devices.
        3. Protecting individual ICS components from exploitation
        4. Restricting unauthorized modification of data
        5. Ensuring that critical components are redundant and are on redundant networks.
        6. Disabling unused ports and services on ICS devices
        7. Restricting physical access to the ICS network and devices
        8. Tracking and monitoring audit trails on critical areas of the ICS.
    3. IoT (Internet of Things)
      1. Strong Authentication
      2. Strong API used for data transfer
      3. Data Protection: It should be apparent how the IoT device protects the data that it stores and sends over the network from unauthorized access and modification. For example, some devices use encryption to obscure the data held on the internal storage of the device.
      4. Software and Firmware Update: A device’s software and firmware should be updatable using a secure and configurable mechanism. For example, some IoT devices receive automatic updates from the manufacturer, requiring little to no work from the user.
  62. Cloud 
    1. The crypto-erase technique is used in the cloud to destroy data
    2. Data security and GRC are the responsibility of the data owner
    3. A federation solution is best integrated with SaaS
    4. IDaaS is managed by professionals; the nature of the job is administrative
    5. An effective contract avoids all governance risk
    6. Cloud Access Security Broker = the objective is to provide visibility
    7. Independent audit reports build transparency between the cloud user and the cloud provider
    8. Service Model
      1. IaaS = more control and more administration
      2. PaaS
      3. SaaS = limited control and less administration
    9. Deployment Model
      1. Public Cloud
      2. Private Cloud
      3. Community Cloud
      4. Hybrid Cloud
        1. BCDR Cloud
        2. Cloud Bursting