In this article, we cover topics that are relevant for the CISSP exam and that most candidates tend to ignore. We have prioritized the topics by their likelihood and impact in the exam, because at the end of the day my objective is to protect you from the risk of an 800 USD loss.
- (ISC)2 Code of Professional Ethics
- Risk Management
- Risk Identification
- Risk Analysis
- Qualitative
- Quantitative
- Risk Evaluation
- Risk Treatment (Based on risk tolerance factor)
- risk mitigation
- risk transfer = used when likelihood is low and impact is high
- risk avoidance
- Risk Acceptance
- Scenario-based calculation for risk analysis (straightforward arithmetic): ALE = SLE * ARO, where SLE = AV * EF
- Ultimate goal of risk management is to reduce risk to an acceptable level
- value of control formula
- (ALE before implementing safeguard) – (ALE after implementing safeguard) – (annual cost of safeguard) = value of safeguard to the company
- When selecting countermeasures, you must consider factors such as security-effectiveness, cost effectiveness, and operational impact.
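The formulas above carried through in code, as an added example that is not part of the original notes; the asset value, exposure factor, ARO and the three candidate safeguards are constructed numbers, and the selection step applies the cost-effectiveness consideration to pick the control with the highest positive value:

```python
"""Worked ALE and value-of-safeguard arithmetic for the formulas above.
Added example, not from the original notes; all numbers are constructed."""
from dataclasses import dataclass


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy = AV * EF (EF: fraction of the value lost per event)."""
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annualized Loss Expectancy = SLE * ARO (ARO: expected events per year)."""
    return sle(asset_value, exposure_factor) * aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    ef_after: float   # residual exposure factor with the control in place
    aro_after: float  # residual annual rate of occurrence with the control in place


def safeguard_value(av: float, ef: float, aro: float, sg: Safeguard) -> float:
    """(ALE before) - (ALE after) - (annual cost of safeguard) = value to the company."""
    return ale(av, ef, aro) - ale(av, sg.ef_after, sg.aro_after) - sg.annual_cost


def select_safeguard(av: float, ef: float, aro: float, candidates):
    """Highest-value candidate that saves more than it costs (None: accept the risk)."""
    scored = [(safeguard_value(av, ef, aro, sg), sg) for sg in candidates]
    paying = [pair for pair in scored if pair[0] > 0]
    return max(paying, key=lambda pair: pair[0])[1] if paying else None


# Constructed scenario: a 200,000 USD database server; a breach destroys 25% of its
# value (EF) and is expected about once every two years (ARO = 0.5).
AV, EF, ARO = 200_000.0, 0.25, 0.5
CANDIDATES = [
    Safeguard("DLP appliance", annual_cost=40_000, ef_after=0.25, aro_after=0.10),
    Safeguard("Backups plus hardening", annual_cost=8_000, ef_after=0.10, aro_after=0.25),
    Safeguard("Outsourced 24x7 SOC", annual_cost=60_000, ef_after=0.05, aro_after=0.05),
]

if __name__ == "__main__":
    print(f"ALE before any safeguard: {ale(AV, EF, ARO):,.0f} USD")
    for sg in CANDIDATES:  # a negative value means the control costs more than it saves
        print(f"  {sg.name:24} value = {safeguard_value(AV, EF, ARO, sg):>10,.0f} USD")
    best = select_safeguard(AV, EF, ARO, CANDIDATES)
    print("selected:", best.name if best else "none pays off; accept the risk")
```

Two of the three controls reduce the ALE further than the winner, yet cost more per year than they save, which is exactly the cost-effectiveness trade-off the exam asks about.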
- Threat Modelling
- STRIDE
- Spoofing
- Tampering
- Repudiation
- Information disclosure
- Denial of service (DoS)
- Elevation of privilege
- threat modelling is performed in the design stage
- Threat Modelling Steps
- Creating an application diagram.
- Identifying threats.
- Mitigating threats.
- Validating that threats have been mitigated.
- OWASP Top 10 vulnerabilities (Cross-Site Scripting, Cross-Site Request Forgery, SQL Injection, etc.) and countermeasures
- cross-site scripting countermeasure
- input validation of values
- cross-site request forgery countermeasure
- session token synchronization
- random session token
- SQL injection countermeasure
- parameterized query or stored procedure
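The SQL injection countermeasure above, shown as an added example (not from the original notes): a query built by string formatting beside the parameterized form, run against a constructed in-memory SQLite table with a constructed malicious input so the difference in returned rows is visible:

```python
"""SQL injection: string-built query beside its parameterized counterpart.
Added example, not from the original notes; table, rows and input are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample user table held in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Insecure on purpose (the 'before' side): the input is pasted into the SQL
    text, so a quote in the input rewrites the WHERE clause."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Secure: the ? placeholder binds the input as a value, never as SQL syntax."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# Constructed malicious input: closes the quoted string and adds an always-true test.
TAINTED = "' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable   :", lookup_vulnerable(conn, TAINTED))     # every row leaks
    print("parameterized:", lookup_parameterized(conn, TAINTED))  # no such user: []
```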
- Good understanding of ARP poisoning and its mitigations
- Control Types and Categories and associated Primary Objective
- Type
- Administrative
- Technical
- Physical
- Categories
- Deterrent
- Directive
- Preventive
- Compensating
- Detective
- Corrective
- Recovery
- Buffer Overflow= Surpassing the limits of the data type and passing validation
- RAID 0, 1, 5, 1+0 or 0+1 (10). 0 for speed/striping, which one is better
- Type of Recovery site. ( Hot Site, Cold Site )
- Understanding of BCP, DR (MTD, RTO, RPO) usage
- MTD : Maximum Tolerable Downtime is a measure of the longest period of time that a critical business function can be disrupted without suffering unacceptable consequences, perhaps threatening the actual survivability of the organization
- RTO : maximum period of time in which a business process must be restored after a disaster.
- RPO = maximum period of time in which data might be lost if a disaster strikes.
- IPSec VPN. Know SA, ESP, AH, transport and tunnel mode, and IKE
- Protocol
- AH (integrity and authenticity)
- ESP (confidentiality, integrity and authenticity)
- Modes
- transport mode = end-to-end encryption = less secure
- tunnel mode = link encryption = more secure
- PPP PAP, CHAP, EAP. Functions available in each layer
- Usage of (PAP, CHAP, EAP)
- PAP = sends the password in plain text
- CHAP = initiates with a challenge and handshake process to prevent replay attacks
- EAP = more scalable
- EAP-LEAP = password based
- EAP-TLS = certificates maintained on both the client side and the server side; maintenance is a challenge (but most secure)
- EAP-PEAP = does not require a certificate on the client side, but is not open source
- EAP-TTLS = alternative to EAP-PEAP; also does not require a certificate on the client side
- Check video for more details
- CDN
- Improves availability but raises regulatory concerns
- SSH
- It provides strong encryption, server authentication, integrity protection and compression
- DNS Security
- provides integrity and authenticity for records
- WEP vs WPA vs WPA2 (algorithm usage)
- WEP = 64-bit (RC4) algorithm (IV limitation)
- WPA = 128-bit (RC4) with TKIP
- WPA2 = 128-bit, more robust (AES)
- You must know EAL1 to EAL7
- ISO 27001 security standards and policies. ISO 27002 best-practice security procedures
- Standards, guidelines, and procedures are supporting elements of a policy and provide specific implementation details of the policy.
- Data Privacy
- The best way to protect the organization from data privacy liabilities is to limit the collection of data (data minimization)
- CANADA = Personal Information Protection and Electronic Documents Act (PIPEDA)
- The US = there is no national privacy regulation in the US; instead there are industry-specific regulations:
- FERPA (Family Educational Rights and Privacy Act) = that prevents the disclosure of personally identifiable data in student records to third parties without parental consent.
- COPPA (Children’s Online Privacy Protection Act) = The primary objective of COPPA is to enable parents to have control over what information is collected online from their children under age 13.
- HIPAA (Health Insurance Portability and Accountability Act) is United States legislation that implements data privacy and security provisions for protecting medical information.
- Covered Entity
- Health plans,
- Health care clearinghouses,
- Health care providers
- EU (European Union) General Data Protection Regulation = the company must have the ability to demonstrate compliance
- These principles set out obligations for businesses and organizations that collect, process, and store individuals’ personal data
- Six principles for the processing of personal data:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
- 72 Hour Breach Reporting
- OECD Privacy Principles
- Common Criteria (ISO 15408) for evaluating security products
- Protection Profile
- Security Target
- EALs 1-7
- Security Model
- Bell-LaPadula = confidentiality
- Biba = integrity
- Clark-Wilson
- first commercial model focused on integrity
- separation of duties
- Brewer-Nash
- prevents conflict of interest
- Gas usage
- FM-200 is better than halon
- Usage of SOC Report
- Good Understanding of type of Roles (Owner, Custodian, Data Controller, and Data Processor)
- Good understanding of federation: usage of SAML, XACML, OpenID, OAuth
- SAML
- Assertion (Authentication and Authorization)
- XACML
- Manages authorization
- ABAC
- OAuth
- Deal with Authorization
- Mobile application end-user
- Resource Owner
- An entity capable of granting access to a protected resource. When a resource owner is a person, it is referred to as an end user.
- Resource Server
- The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.
- Client
- An application making protected resource requests on behalf of the resource owner and with its authorization.
- OpenID
- Deal with authentication
- SDLC stages
- Security at which phase?
- Each phase has a different function
- Project initiation and planning
- Functional requirements gathering
- System design specifications
- Development and implementation
- Documentation and common program controls
- Testing and evaluation control (certification and accreditation)
- accreditation is obtained in this phase
- Transition to production (implementation)
- The System Life Cycle (SLC) extends the SDLC with two more steps
- Operations and maintenance support
- Revisions and system replacement
- DevOps = concern: lack of strong isolation
- OWASP
- Verification Levels
- ASVS Level 1 (opportunistic) is meant for all software.
- ASVS Level 2 (standard) = for applications that contain sensitive data, which requires protection.
- ASVS Level 3 (advanced) = for the most critical applications, those that perform high-value transactions
- Database
- Inference is the ability to deduce (infer) hidden information by inspecting available information and making a deduction based on it
- Aggregation is the combination of nonsensitive data from separate sources to create sensitive data
- Polyinstantiation is used as a defense against some types of inference attacks
- Polymorphism is used as a defense against some type of aggregation attack
- Database transactions have four characteristics:
- ACID
- Data Mining Security Concern = Privacy Impact
- Usages of NAC and 802.1X
- BIA Process
- Identify business processes
- Identify resources necessary to keep those processes running
- Identify the impact on the process and ultimately on the business if the resources are not available or working properly
- Identify priorities
- BIA Objective
- Determine criticality
- Estimate MTD
- Evaluate resource requirements
- Check Video
- Information security continuous monitoring
- Define an ISCM strategy;
- Establish an ISCM program;
- Implement an ISCM program;
- Analyze data and report findings;
- Respond to findings;
- Review and Update the ISCM strategy and program
- DLP Usage
- Data at Rest
- Data in Transit
- Data in Use
- Reduce data breach risk
- Protect critical business data and intellectual property
- Data classification
- Data classification is focused on the identification of the sensitivity, criticality, and value of data
- Data Destruction Process
- Methods
- clear
- One method to sanitize media is to use software or hardware products to overwrite user addressable storage space on the media with non-sensitive data, using the standard read and write commands for the device
- purge
- degaussing is the most effective method to remove data
- Destroy
- destroy the disk
- crypto shredding
- process of deleting data from cloud
- Type of Attack
- Ping of death: Sending a ping packet that violates the Maximum Transmission Unit (MTU)
- Ping flooding: flooding a system with a large number of pings
- Teardrop: a network layer (Layer 3) attack, sending malformed packets to confuse the operating system, which cannot reassemble them
- Fraggle: a type of smurf attack that uses UDP echo packets instead of ICMP packets
- Smurf Attack: a DDoS attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP broadcast address.
- Biometrics (FAR, FRR, CER) (the lower the CER, the more accurate)
- the retina is accurate
- Access Controls
- role based access control
- job function / roles types
- Mandatory Access Control
- based on clearance
- very rigid
- ABAC (attribute-based access control)
- more granular
- Good Understanding of placement of (Firewall/IDS/IPS/DMZ/etc)
- Usage of CVSS
- The objective of a security assessment = evidence of effective security controls
- Security and Risk Management: What comes after asset evaluation, threat, and vulnerability analysis? Safeguard or Countermeasure selection
- Understanding of Covert Storage and Covert Timing
- Hash or Hashing = Integrity (SHA is more Secure than MD5)
- Cryptography Attack
- Chosen Plaintext Attack: the cryptanalyst chooses plaintext to be encrypted, and the corresponding ciphertext is obtained
- Adaptive Chosen Plaintext Attack: the cryptanalyst chooses plaintext to be encrypted; then, based on the resulting ciphertext, selects another sample to be encrypted
- Chosen Ciphertext Attack: the cryptanalyst chooses ciphertext to be decrypted, and the corresponding plaintext is obtained
- Adaptive Chosen Ciphertext Attack: the cryptanalyst chooses ciphertext to be decrypted; then, based on the resulting plaintext, chooses another sample to be decrypted
- Ciphertext Only Attack: the cryptanalyst has only the ciphertext of several messages
- Known Plaintext Attack: the cryptanalyst has obtained the ciphertext and corresponding plaintext of several past messages, which he or she uses to decipher new messages.
- The birthday attack – hash collisions.
- ECC is better than RSA (less computation)
- AES better than DES
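An added example (not from the original notes) for the birthday attack and hash-strength points above: it collides a SHA-256 digest deliberately truncated to 20 bits and compares the attempts needed with the ~1.18 * sqrt(2^n) birthday estimate; the truncation and the message format are constructed for the demo:

```python
"""Birthday attack on a truncated hash: why short digests collide quickly.
Added example, not from the original notes; the 20-bit toy hash is constructed."""
import hashlib
import math


def truncated_hash(msg: bytes, bits: int) -> int:
    """First `bits` bits of SHA-256(msg) as an integer: a toy n-bit hash."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return digest >> (256 - bits)


def find_collision(bits: int):
    """Hash distinct messages until two share a digest.

    Pigeonhole guarantees success within 2**bits + 1 attempts; the birthday
    paradox says it usually happens after only about sqrt(2**bits) of them.
    Returns (first message, second message, attempts used).
    """
    seen = {}
    for i in range(2 ** bits + 1):
        msg = f"msg-{i}".encode()          # constructed, deterministic inputs
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
    raise RuntimeError("unreachable: pigeonhole guarantees a collision")


def birthday_bound(bits: int) -> float:
    """Expected attempts for a 50% collision chance: about 1.177 * sqrt(2**bits)."""
    return 1.177 * math.sqrt(2 ** bits)


if __name__ == "__main__":
    m1, m2, attempts = find_collision(20)
    print(f"{m1!r} and {m2!r} collide on 20 bits after {attempts} attempts")
    print(f"birthday estimate: {birthday_bound(20):.0f}; brute-force preimage work: {2**20}")
```

The same arithmetic scaled up is why 128-bit MD5 offers only about 2^64 collision resistance while SHA-256 offers about 2^128.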
- Physical Access Control
- 1. Deter (Prevent).
- 2. Delay (e.g. Locks).
- 3. Detect.(Alarms)
- 4. Assess (Correct).
- 5. Respond (Correct).
- 6. Prevent, Detect, and Correct = Complete Control
- Fire classification
- 1. Class A — Common Combustibles (Paper, Wood). = Ash
- 2. Class B — Combustible Liquids. Use gas. = Boil
- 3. Class C — Electrical. Use gas. = Current
- 4. Class D — Metals. Use specialized dry powders. = Dry
- Fiber Optic Cable provides better protection against EMI
- How to protect against a SYN flood attack
- PPP replaced SLIP
- Change Management, Problem Management, and Incident Management Steps
- change management is used to maintain integrity
- incident management is used to reduce impact
- problem management tracks the root cause
- patch management maintains uniformity of patches
- Implementation of RADIUS, TACACS+, and Diameter
- TACACS+ is more secure and robust than RADIUS
- RADIUS sends the username in plain text; only the password is protected (the secret value)
- TACACS+ encrypts everything it shares
- Diameter = alternative to RADIUS; open source and more secure
- Security Assessment and Testing: Fuzz Testing (fuzzing)
- Fuzzing type
- mutation fuzzing (Dumb)
- Generational fuzzing (Intelligent)
- Type of Security Testing
- SAST (Static Application Security Testing) = testing with access to the source code
- DAST (Dynamic Application Security Testing) = testing against the running application
- Software composition analysis = analysis of free and open source software (FOSS) components
- Security Assessment and Testing: Synthetic Transactions Testing
- CPS (Cyber-Physical System)
- primary concern Availability
- ICS (Industrial Control System)
- Primary Concern with ICS (Availability and Integrity)
- Implement an ICS Security Risk Management Framework
- Define and inventory ICS assets
- Develop a security plan for ICS Systems.
- Perform a risk assessment.
- Define the mitigation controls.
- Security objectives for an ICS implementation should include the following:
- Restricting logical access to the ICS network and network activity
- Restricting physical access to the ICS network and devices.
- Protecting individual ICS components from exploitation
- Restricting unauthorized modification of data
- Ensuring that critical components are redundant and are on redundant networks.
- Disabling unused ports and services on ICS devices
- Tracking and monitoring audit trails on critical areas of the ICS.
- IoT (Internet of Things)
- Strong Authentication
- Strong API used for data transfer
- Data Protection: It should be apparent how the IoT device protects the data that it stores and sends over the network from unauthorized access and modification. For example, some devices use encryption to obscure the data held on the internal storage of the device.
- Software and Firmware Update: A device’s software and firmware should be updatable using a secure and configurable mechanism. For example, some IoT devices receive automatic updates from the manufacturer, requiring little to no work from the user.
- Cloud
- Crypto erase technique used in the cloud to destroy data
- Data security and GRC are the responsibility of the data owner
- A federation solution is best integrated with SaaS
- IDaaS is managed by professionals; the nature of the job is administrative
- An effective contract avoids all governance risk
- Cloud Access Security Broker = objective is to provide visibility
- Independent audit report build transparency between cloud user and cloud provider
- Service Model
- IaaS = more control and more administration
- PaaS
- SaaS = limited control and less administration
- Deployment Model
- Public Cloud
- Private Cloud
- Community Cloud
- Hybrid Cloud
- BCDR Cloud
- Cloud Bursting