Unseen Topics of CISSP You Must Know


In this article, we will cover the topics which are relevant for the cissp exam, which mostly candidate used to ignore. We have prioritized the topic based on likelihood and impact in the exam because by the end of the day my objective is to protect you from the risk of 800 USD Loss

  1. (ISC)2 Code of Professional Ethics
  2. Risk Management
    1. Risk Identification
    2. Risk Analysis
      1. Qualititative
      2. Quantiatives
    3. Risk Evaluation
    4. Risk Treatment  (Based on risk tolerance factor)
      1. risk mitigation
      2. risk transfer   = when likelihood is low impact is high
      3. risk avoidance
      4. Risk  Acceptance
    5. The scenario-based calculation for Risk Analysis, straight calculator,  ALE = SLE [AV * EF] * ARO
    6. Ultimate goal of risk management is to reduce risk to an acceptable level
    7. value of control formula
      1. (ALE before implementing safeguard) – (ALE after implementing safeguard) – (annual cost of safeguard) = value of safeguard to the company
      2. When selecting countermeasures, you must consider factors such as security-effectiveness, cost effectiveness, and operational impact.
  3. Threat Modelling
    1. STRIDE
      1. Spoofing
      2. Tampering
      3. Repudiation
      4. Information disclosure
      5. DOS
      6. Elevation of privilege
    2. threat modelling perform in design stage
    3. Threat Modelling Steps
      1. Creating an application diagram.
      2. Identifying threats.
      3. Mitigating threats.
      4. Validating that threats have been mitigated.
  4. OWAS Top 10 Vulnerabilities (Cross-Site Scripting, Cross-Site Forgery, SQL Injection Etc) and Countermeasure
    1. cross site scripting countermeasure
      1. input validation of values
    2. cross site forgery
      1. session token synchronization
      2. random session token
    3. SQL injection countermeasure
      1. parametized query or stored procedure
  5. Good Understanding of ARP Poisoning and mitigation factor
  6. Control Types and Categories and associated Primary Objective
    1. Type
      1. Administrative
      2. Technical
      3. Physical
    2. Catagories
      1. Deterent
      2. Directive
      3. Preventive
      4. Compensating
      5. Detective
      6. Corrective
      7. Recovery
  7. Buffer Overflow= Surpassing the limits of the data type and passing validation
  8. RAID 0, 1, 5, 1+0 or 0+1 (10). 0 for speed/striping, which one is better
  9. Type of Recovery site. ( Hot Site, Cold Site )
  10. Understanding of BCP,DR (MTD, RTO,RPO) Usage
    1. MTD : Maximum Tolerable Downtime is a measure of the longest period of time that a critical business function can be disrupted without suffering unacceptable consequences, perhaps threatening the actual survivability of the organization
    2. RTO : maximum period of time in which a business process must be restored after a disaster.
    3. RPO = maximum period of time in which data might be lost if a disaster strikes.
  11. IPSec VPN. Know SA, ESP, AH, transport and tunnel mode, and IKE
    1. Protocol
      1. AH (integrity and authentictiy
      2. ESP (confidentiality , integrity and authenticity)
    2. Modes
      1. transport modes  = end to end encryption = less secure
      2. tunnel modes  = link encryption = more secure
  12. PPP PAP, CHAP, EAP. Functions available in each layer
  13. Usage of (PAP, CHAP, EAP)
    1. PAP = Sent password in plain text
    2. CHAP = Initiate with challenge and handshake process to prevent replay attack
    3. EAP = is more scalable 
      1. EAP – LEAP = Password Based
      2. EAP – TLS =  Certificate maintained on client side and server side, but maintenance is an challenge (But most Secure)
      3. EAP – PEAP = Not required certificate on the client side but not open source
      4. EAP TTLS = Alternate of EAP-PEAP but not required certificate on the client side
    4. Check video for more details 
  14. CDN
    1. Improve availability but impact regulatory concern
  15. SSH
    1. It provides strong encryption, server authentication,integrity protection and compression
  16. DNS Security
    1. provide integrity and authenticity to records
  17. WEP VS WPA VS WPA (Algorithm Usage)
    1. WEP = 64 Bit (RC 4) Algorithm (IV Limitation)
    2. WPA = 128 Bith (RC4) TKIP
    3. WPA2 = 128 More Robust (AES)
  18. You must Know EAL1 to EAL7
  19. ISO 27001 security standards and policies. ISO 27002 best-practice security procedures
  20. Standards, guidelines, and procedures are supporting elements of a policy and
    provide specific implementation details of the policy.
  21. DATA Privacy
    1. Best way to protect the organization from data privacy liablities is limit in collection of data or minimaztion of data  
    2. CANADA Personal Information Protection and Electronic Documents Act (PIPEDA)
    3. The US = In US we don’t have national Privacy Regulation, we have industry-specific regulation -:
      1. FERPA (Family Educational Rights and Privacy Act) = that prevents the disclosure of personally identifiable data in student records to third parties without parental consent.
      2. COPPA (Children’s Online Privacy Protection Act) = The primary objective of COPPA is to enable parents to have control over what information is collected online from their children under age 13.
      3. HIPAA(Health Insurance Portability and Accountability Act) is United States legislation that implements data privacy and security provisions for protecting medical information.)
        1. Covered Entity
          1. Health plans,
          2. Health care clearinghouses,
          3. Health care providers
    4. EU (Europe Union)General Data Protection Regulation=the company must have the ability to demonstrate compliance
      1. These principles set out obligations for businesses and organizations that collect, process, and store individuals’ personal data
      2. Six principles for processing of personal data Lawfulness, fairness, and transparency
        1. Purpose limitation
        2. Data minimization
        3. Accuracy
        4. Storage limitation
        5. Integrity and confidentiality
        6. Accountability
      3. 72 Hour Breach Reporting
    5. OECD Privacy Principles
      1. Collection Limitation Principle
      2. Data Quality Principle
      3. Purpose Specification Principle
      4. Use Limitation Principle
      5. Security Safeguards Principle
      6. Openness Principle
      7. Individual Participation Principle
      8. Accountability Principle
  22. Common Criteria (ISO 15408) for evaluating security products
    1. Protection Profile
    2. Security Target
    3. EALs 1-7
  23. Security Model
    1. Bella-Padula = Confidentiality
    2. Biba  = Integrity
    3. Clark wilson
      1. first commercial model focus on integrity
      2. separation of duties
    4. BrewerNash
      1. prevent conflict of interest
  24. Gas usage
    1. FM 200 Is better then halon
  25. Usage of SOC Report
  26. Good Understanding of type of Roles (Owner, Custodian, Data Controller, and Data Processor)
    1. Check Video
  27. Good Understanding of Federation. Usage of SAML, XACML, OpenID,Oauth)
    1. SAML 
      1. Assertion (Authentication and Authorization)
    2. XACML
      1. Manage Authorization’
      2. ABAC
    3. OAuth
      1. Deal with Authorization
      2. Mobile application end-user
      3. Resource Owner
        1. An entity capable of granting access to a protected resource. When a resource owner is a person, it is referred to as an end user.
      4. Resource Server
        1. The server hosts the protected resources and is capable of accepting and responding to protected resource requests using access tokens.
      5. Authorization Server
        1. A client application makes protected requests on behalf of the resource owner and with its authorization.
    4. OpenID
      1. Deal with authentication
  28. SDLC stages
    1. Security at which phase?
      1. check following videos
        1. Part 1
        2. Part 2
        3. Part 3
        4. Part 4
    2. Each phase has a different function
      1. Project initiation and planning
      2. Functional requirements gathering
      3. System design specifications
      4. Development and implementation
      5.  Documentation and common program controls
      6. Testing and evaluation control (certification and accreditation)
        1. accreditation obtain on this phase
      7. Transition to production (implementation)
    3. System Life Cycle (SLC) extends with two more steps
      1. Operations and maintenance support
      2. Revisions and system replacement
  29. DEVOPS = Concern Lack of Strong Isolation
  30. OWASP
    1. Verification Levels
      1. ASVS Level 1 (opportunistic) is meant for all software.
      2. ASVS Level 2 (standard) = that contains sensitive data, which requires protection.
      3. ASVS Level 3 (advanced) = for most critical applications, applications that perform high-value transactions
  31. Database
    1. Inference is the ability to deduce (infer) hidden information by inspecting available information
      1. making a deduction based on that information.
    2. Aggregation is the combination of nonsensitive data from separate sources to create sensitive data
    3. Polyinstantiation is used as a defense against some types of inference attacks
    4. Polymorphism is used as a defense against some type of aggregation attack
    5. Database Transaction have four Characteristics -;
      1. ACID
    6. Data Mining Security Concern = Privacy Impact
  32. Usages of NAC and 802.1X
  33. BIA Process
    1. Identify business processes
    2. Identify resources necessary to keep those processes running
    3. Identify the impact on the process and ultimately on the business if the resources are not available or working properly
    4. Identify priorities
  34. BIA Objective
    1.  Determine criticality
    2.  Estimate MTD
    3. Evaluate resource requirements
    4. Check Video 
  35. Information security continuous monitoring
    1. Define an ISCM strategy;
    2.  Establish an ISCM program;
    3. Implement an ISCM program;
    4. Analyze data and report findings;
    5. Respond to findings;
    6.  Review and Update the ISCM strategy and program
  36. DLP Usage
    1. Data at Rest
    2. Data in Transit
    3. Data in Use
    4. Reduce data breach risk
    5. Protect critical business data and intellectual property
  37. Data classification
    1. Whereas data classification is focused on the identification of the sensitivity, criticality, and value of data
  38. Data Destruction Process
    1. Methods
      1. clear
        1. One method to sanitize media is to use software or hardware products to overwrite user addressable storage space on the media with non-sensitive data, using the standard read and write commands for the device
      2. purge
        1. degaussing most effective method to remove data
      3. Destroy
        1. destroy the disk
      4. crypto shredding
        1. process of deleting data from cloud
  39. Type of Attack
    1. Ping of death: Sending a ping packet that violates the Maximum Transmission Unit (MTU)
    2.  Ping flooding: Flooding a system with several pings
    3. Teardrop: A network layer (Layer 3) attack, sending malformed packets to confuse the operating system, which cannot reassemble the packet
    4.  Fraggle: A type of smurf attack that uses UDP echo packets instead of ICMP packet
    5. Smurf Attack – The Smurf attack is a DDOS attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim’s spoofed source IP are broadcast to a computer network using an IP broadcast address.
  40. Biometrics (FAR, FRR, CER) (Lower the CER is more accurate )
    1. the retina is accurate
  41. Access Controls
    1. role based access control
      1. job function / roles types
    2. Mandatory Access Control
      1. based on clearance
      2. very rigid
    3. Abac based access control
      1. more granular
  42. Good Understanding of placement of (Firewall/IDS/IPS/DMZ/etc)
  43. Usage of CVSS
  44. The objective of Security Assessment = Evident of Effective Security Control
  45. Security and Risk Management: What comes after asset evaluation, threat, and vulnerability analysis? Safeguard or Countermeasure selection
  46. Understanding of Covert Storage and Covert Timing
  47.  Hash or Hashing = Integrity (SHA is more Secure than MD5)
  48. Cryptography Attack
    1.  Chosen Plaintext Attack: chooses plaintext to be encrypted, and the corresponding ciphertext is obtained
    2.  Adaptive Chosen Plaintext Attack: chooses plaintext to be encrypted; then based on the resulting ciphertext, he selects another sample to be encrypted
    3.  Chosen Ciphertext Attack: cryptanalyst prefer ciphertext to be decrypted, and the corresponding plaintext is obtained
    4.  Adaptive Chosen Ciphertext Attack : cryptanalyst prefers ciphertext to be decrypted; then based on the resulting ciphertext, he chooses another sample to be decrypted
    5. Ciphertext Only Attack the cryptanalyst pick the ciphertext of several messages
    6. Known Plaintext Attack (, the cryptanalyst has obtained the ciphertext and corresponding plaintext of several past messages, which he or she uses to decipher new messages.
    7. The birthday attack – hash collisions.
  49. ECC Better then RSA (less computation)
  50. AES better than DES
  51. Physical Access Control
    1. 1. Deter (Prevent).
    2. 2. Delay (e.g. Locks).
    3. 3. Detect.(Alarms)
    4. 4. Assess (Correct).
    5. 5. Respond (Correct).
    6. 6. Prevent, Detect, and Correct = Complete Control
  52. Fire classification
    1. Class A = Common Combustibles (Paper, Wood) = ASH
    2. 2. Class B — Combustible Liquids. Use gas. = Boil
    3. 3. Class C — Electrical. Use gas. = Current
    4. 4. Class D — Metals. Use specialized Dry Powders. = Dry
  53. Fiber Optic Cable provides better protection against EMI
  54.  How to protect against an SYN Request Flood Attack
  55. PPP replaced SLIP
  56. Change ManagementProblem Management, and Incident Management Steps
    1. change management used to maintain integrity
    2. incident management used to reduce impact
    3. problem management track root cause
    4. patch management maintain uniformity of patches 
  57. Implementation of RADIUS, TACAS, and DIAMETER.
    1. TACAS + is more secure and robust then RADIUS
    2. Radius shared username in plain text and password only secret value
    3. TACAS + Shared everything encrypted
    4. Diameter alternate of RADIUS Open source more secure
  58. Security Assessment and Testing: Fuzzy Logic Testing
    1. Fuzzing type
      1. mutation fuzzing (Dumb)
      2. Generational fuzzing  (Intelligent)
  59. Type of Security Testing
    1. SAST (Static Application Security Testing_ = with access to source code
    2. DAST (Dynamic application Security Testing = testing with running application
    3. Software composition analysis =  Free and open source application (FOSS)
  60. Security Assessment and Testing: Synthetic Transactions Testing
  61. CPS (Cyber-Physical System)
    1. primary concern Availability    
    2. ICS (Industrial Control System)
      1. Primary Concern with ICS (Availability and Integrity)
      2.  Implement an ICS Security Risk Management Framework
        1. Define and inventory ICS assets
        2. Develop a security plan for ICS Systems.
        3. Perform a risk assessment.
        4. Define the mitigation controls.
      3. Security objectives for an ICS implementation should include the following:
        1. Restricting logical access to the ICS network and network activity
        2. Restricting physical access to the ICS network and devices.
        3. Protecting individual ICS components from exploitation
        4. Restricting unauthorized modification of data
        5. Ensuring that critical components are redundant and are on redundant networks.
        6. Disabling unused ports and services on ICS devices
        7. Restricting physical access to the ICS network and devices
        8. Tracking and monitoring audit trails on critical areas of the ICS.
    3. IOT (Interent of Things)
      1. Strong Authentication
      2. Strong API used for data transfer
      3. Data Protection: It should be apparent how the IoT device protects the data that it stores and sends over the network from unauthorized access and modification. For example, some devices use encryption to obscure the data held on the internal storage of the device.
      4. Software and Firmware Update: A device’s software and firmware should be updatable using a secure and configurable mechanism. For example, some IoT devices receive automatic updates from the manufacturer, requiring little to no work from the user.
  62. Cloud 
    1. Crypto erase technique used in the cloud to destroy data 
    2. Data security and GRC is the responsibility of Data Ower
    3. Federation Solution best to be integrated with SAAS
    4. IDAAS manage by professional nature of the job is administrative
    5. Effective Contract avoid all governance risk 
    6. Cloud Access Security Broker = Objective is to provide Visiblity
    7. Independent audit report build transparency between cloud user and cloud provider
    8. Service Model
      1. IAAS = More control and more administration
      2. PAAS
      3. SAAS = Limited Control and Less Administration
    9. Deployment Model
      1. Public Cloud
      2. Private Cloud
      3. Community Cloud
      4. Hybrid Cloud
        1. BCDR Cloud
        2. Cloud Bursting