CISSP_Notes.txt

1. Always assume Discretionary Access Control (DAC)
2.  
3. Always assume a large company (100+)
4.  
5. Don’t get wrapped up in US Law (in many countries, in some countries = ignore US law)
6.  
7. Example: Reasonable expectation of privacy while using business systems. In US, there is usually no expectation of privacy. In EU, there is an expectation of privacy by law.
8.  
9. If they don’t tell you budget is a concern, assume budget is not concern and go with the Cadillac answer
10.  
11. Don’t forget about Physical Security (a lot of times a lock and key could be the best answer), Don't forget about availability
12.  
13. Take breaks! If you don’t know what a question is asking, try taking a break.
14.  
15. When the test asks about 'senior management': Unless told otherwise, assume they mean CEO, CFO, and board of directors.
16.  
17. When we talk about accounting, we're talking about writing log entries and holding people accountable.
18.  
19. When talking about auditing, we're talking about reading those log entries.
20.  
21. When trying to decide between different answers, 1 answer will appeal to sys admin, 1 will appeal to manager. Pick the manager.
22.  
23. i.e. if you have multiple answers and 1 says 'do what policy says' that’s going to be the answer.
24.  
25. If you come across a question and you think it's an easy win, read it again. It's probably a trick.
26.  
27. Be aware of "Answer Bias"
28.  
29. If you read a multiple choice question, you have a bias towards A or B and bias against C or D.
30.  
31. Overcome by reading answers first, and questions second.
32.  
33.  
34.  
35.  
36.  
37.  
38.  
39. General Axioms:
40.  
41. Number 1 goal is to protect life
42.  
43. Building is on fire, they want you to run into building to get backup tapes.
44.  
45. Always assume getting people out of the building is first priority even when stated otherwise.
46.  
47. Everyone is responsible for security
48.  
49. Janitor with no login is responsible too. After he sweeps server room, he must lock the door behind him.
50.  
51. Senior Management is ultimately Responsbile for security
52.  
53. CISO is accountable, but senior management is responsible.
54.  
55. Senior management writes the security policy, CISO uses that to do their job.
56.  
57. If there is a breach CISO is fired, senior management puts another CISO in place.
58.  
59. Never spend more for a control than what you are protecting. (Single loss expectancy * Annual rate of occurance)
60.  
61. $500 car that you pay $1500 a year on to protect. Not a good investment.
62.  
63. We don’t accept risk, only senior management can accept risk. We advise on what risks to accept.
64.  
65. Can't transfer ultimate responsibility, just some of the fallout i.e. financial responsibility
66.  
67. If you're reading a network question and it covers layer 1-4, recheck the model.
68.  
69. Training and awareness are mandatory. This includes cross-training.
70.  
71. Cross-training
72.  
73. Staffing for resilience
74.  
75. Paper is a media.
76.  
77. Consider paper the same way you would a hard drive.
78.  
79. Patterns are bad (Cryptography)
80.  
81. Senior Management can do whatever they want.
82.  
83. Our job is to make sure when they make the decision, they have a basic understanding of the risks. As long as they do, they can make whatever decision they want.
84.  
85. IT Security supports the business, not vice versa.
86.  
87. If it wasn't this way, we'd just get rid of half the things they do.
88.  
89. An attack on availability could be just slowing down the system, rather than knocking it out.
90.  
91. Making a system run at degraded speed is a successful attack
92.  
93. Digital signatures don't do shit for confidentiality. Only integrity and non-repudiation.
94.  
95. No single control can be considered perfect.
96.  
97. Does this mean you need multiple or that you should assume each one is inherently flawed?
98.  
99. eCommerce = Encryption.
100.  
101. If they mention eCommerce, they want you to be aware of you handling credit cards.
102.  
103. PCI
104.  
105. Requirement 4 = protect data in transit
106.  
107. Best way to protect data in transit? Encryption.
108.  
109. No way to inspect an encrypted payload
110.  
111.  
112.  
113. Users = Subjects
114.  
115. Subject
116.  
117. Anything that wants to get to an object.
118.  
119.  
120.  
121. Before a subject can get to an object, it should have a 'referee' i.e. something that grants or denies access.
122.  
123. Security kernel
124.  
125. Contains rules that allow the referee to make decisions.
126.  
127. Audit file
128.  
129. Keeps a protected log of all subjects, what objects they accessed and preferably reasoning from the kernel
130.  
131.  
132.  
133.  
134.  
135. Is this a reference monitor?
136.  
137. Can it block a subject from getting to an object?
138.  
139. Yes: It is a reference monitor
140.  
141. No: it is not a reference monitor.
142.  
143.  
144.  
145. Complete Mediation
146.  
147. Even if you've been through the reference monitor a million times and were granted access a million times. You should not circumvent the reference monitor as at a minimum, you want an audit file which the reference monitor will generate.
148.  
149.  
150. Covert Channel
151.  
152. Anything that circumvents a reference monitor.
153.  
154. Confidentiality
155.  
156. Keeping secrets secret.
157.  
158. Enemy of Confidentiality is Disclosure
159.  
160. How do you protect confidentiality?
161.  
162. Encryption
163.  
164. Logical Access control
165.  
166. Physical Access Control
167.  
168.  
169.  
170. Integrity
171.  
172. Can you trust the data?
173.  
174. Has the data been changed?
175.  
176. Was it correct when it was collected?
177.  
178. Enemy of Integrity is Alteration
179.  
180. How do you provide Integrity
181.  
182. Hashing
183.  
184. Goals of integrity:
185.  
186. Stop unauthorized changes from unauthorized subject
187.  
188. Threat agents
189.  
190. Stop unauthorized changes from authorized subject
191.  
192. Mistakes and errors
193.  
194. Maintain data consistency
195.  
196.  
197.  
198. Availability
199.  
200. Data is available to authorized users when they need it.
201.  
202. Enemy of availability is Destruction or downtime
203.  
204.  
205.  
206.  
207.  
208. D.A.D.D.
209.  
210. Enemies of CIA
211.  
212. Disclosure
213. Alteration
214. Destruction/Downtime
215.  
216.  
217.  
218. Risk Appetite
219.  
220. How much risk is senior management comfortable taking on in the organization?
221.  
222.  
223.  
224.  
225.  
226. CISO
227.  
228. Manage security infrastructure
229.  
230. Metrics - If you can't measure it, you can't improve it.
231.  
232. Advise Senior management on security risks
233.  
234.  
235.  
236. Metrics
237.  
238. Comes from 2 places
239.  
240. Measurement Variation
241.  
242. Don’t change the way you're measuring. Stay consistent to see trends over time.
243.  
244. Process variation
245.  
246. The actual variation that is happening in the process
247.  
248.  
249.  
250.  
251.  
252. Policy
253.  
254. Brief, high-level statement
255.  
256. "Policy should never be longer than 2 pages"
257.  
258. Don't leave policy up for interpretation.
259.  
260. e.g. "We will be HIPAA compliant."
261.  
262.  
263.  
264. Standards
265.  
266. "Bulleted list"
267.  
268.  
269.  
270. Procedures
271.  
272. "Numbered list"
273.  
274.  
275.  
276. Baselines
277.  
278. Minimum security configuration for different systems.
279.  
280. Senior management is responsible for establishing baselines.
281.  
282. Baseline info may be collected from vendors, open standards, etc.
283.  
284.  
285.  
286. Scoping
287.  
288. Go through everything a baseline talks about, decide what works and what doesn’t.
289.  
290. Armed guards are too much for us, but security cameras is a good fit.
291.  
292. Tailoring
293.  
294. Make the baseline specific to your business.
295.  
296. 16 cameras, 8 inside, 8 outside.
297.  
298.  
299.  
300.  
301.  
302. Guidelines
303.  
304. Generalized ideas on how management would expect something to be completed that may not have a set of standards/procedures/baselines in existence
305.  
306.  
307.  
308.  
309.  
310. Governance leads into Compliance leads into Assurance
311.  
312.  
313.  
314. Due Dilligence
315.  
316. Making the rules
317.  
318. What would any reasonably prudent person do? "Prudent person rule"
319.  
320. An individual should make every effort to complete his or her responsibilities in an accurate and timely manner
321.  
322. Due Care
323.  
324. Everyone following the rules
325.  
326.  
327. Superficial Security Frameworks:
328.  
329.  
330.  
331. ITIL - Information Technology Infrastructure Library
332.  
333. Continual Service Improvement
334.  
335.  
336.  
337. COSO - Committee of sponsoring organizations
338.  
339. All about financial Fraud
340.  
341.  
342.  
343. COBIT - Control objectives for Information and related Technologies
344.  
345. Developed by ISACA
346.  
347. Auditors use this to define what controls you should have
348.  
349.  
350.  
351.  
352.  
353.  
354.  
355.  
356.  
357. Real Security Frameworks
358.  
359.  
360.  
361. ISO 27000
362.  
363. ISO/IEC 27000
364.  
365. General Overview
366.  
367.  
368.  
369. Information security management systems
370.  
371. Overview and vocabulary
372.  
373.  
374.  
375. ISO/IEC 27001
376.  
377. Actual standard, includes ISMS and Requirements
378.  
379.  
380.  
381. Information technology - Security Techniques - Information security management systems
382.  
383. Requirements. The 2013 release of the standard specifies an information security management system in the same formalized, structured and succinct manner as other ISO standards specify other kinds of management systems.
384.  
385.  
386.  
387. ISO/IEC 27002
388.  
389. Listing of example controls that could be used to meet 27001 requirements
390.  
391.  
392.  
393. Code of practice for information security controls
394.  
395. essentially a detailed catalog of information security controls that might be managed through the ISMS
396.  
397.  
398.  
399. ISO/IEC 27003
400.  
401. Information security management system implementation guidance
402.  
403.  
404.  
405. ISO/IEC 27004
406.  
407. Guidelines for metrics
408.  
409. Information security management
410.  
411. Monitoring, measurement, analysis and evaluation
412.  
413.  
414.  
415. ISO/IEC 27005
416.  
417. Information security risk management
418.  
419. (NIST SP800-39)
420.  
421.  
422.  
423. ISO/IEC 27006
424.  
425. Requirements for bodies providing audit and certification of information security management systems
426.  
427.  
428.  
429. ISO 22301
430.  
431. Information technology -- Security techniques -- Guidelines for information and communication technology readiness for business continuity
432.  
433.  
434.  
435. NIST SP-800
436.  
437. US Specific
438.  
439. Not as heavily placed into the CISSP test any more as the test is meant to be 'international'
440.  
441.  
442.  
443.  
444.  
445.  
446.  
447. Compliance Frameworks
448.  
449.  
450.  
451. PCI-DSS
452.  
453. Actual Standard: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
454.  
455. Review requirements 1-12 and Appendix A
456.  
457.  
458.  
459. Only applies to organizations that do business directly with members of the PCI council. (i.e. VISA, MasterCard, Discover, etc.)
460.  
461.  
462.  
463. PCI is not a law, it is a contract.
464.  
465.  
466.  
467. PAN - Primary Account Number
468.  
469. Credit Card Number, Expiration Date, CVV
470.  
471.  
472.  
473. Tokenization
474.  
475. Replace confidential information with placeholders for identification ("tokens")
476.  
477. e.g. replace the credit card number of "0000-0000-0000-000" with "Token-CreditCard-1"
478.  
479.  
480.  
481. QSA - Qualified Security Assessor
482.  
483. PCI Auditors
484.  
485.  
486.  
487.  
488. Business Impact Analysis: BIA
489. ========================
490.  
491. Gather Info
492.  
493. What all things do you do?
494.  
495. Identify what's critical
496.  
497. Map relationships between critical items and dependencies
498.  
499. "Doing the math"
500.  
501. Calculate "MTD" Maximum Tolerable Downtime
502.  
503. Calculate "RTO" - recovery time objective
504.  
505. Amount of time required to recover
506.  
507. Can be split into 2 parts.
508.  
509. Part 1 - RTO "amount of time to order a part"
510.  
511. Part 2 - 'WRT' Work Recovery Time "amount of time to install the ordered parts
512.  
513. Calculate "RPO" - Recovery Point objective
514.  
515. If a problem is encountered, how much date/time are you able to lose? i.e. If you backups are every 24 hours, your RPO should say you're willing to lose up to 24 hours of data if you were to restore to the last backup.
516.  
517. Perform Cost/Benefit analysis
518.  
519. Develop continuity plans
520.  
521. Perform cost/benefit analysis
522.  
523.  
524.  
525.  
526. usiness Continuity - Disaster Recovery - Incident Response
527.  
528.  
529.  
530. Means different things in practice, for this week and this week, consider these as completely separate islands.
531.  
532.  
533.  
534.  
535.  
536. Business continuity.
537.  
538. Critical Business functions, plans to get them back online fast enough.
539.  
540.  
541.  
542. Disaster recovery
543.  
544. When an incident is SO BAD that you had to 'move'
545.  
546.  
547.  
548. Incident Response
549.  
550.  
551.  
552.  
553.  
554. What's considered critical?
555.  
556. Whatever senior management says is critical
557.  
558. Whatever keeps the cash register ringing
559.  
560.  
561.  
562. What's considered not critical
563.  
564. Anything that doesn’t stop the cash register from ringing.
565.  
566.  
567.  
568.  
569.  
570. Business Continuity Plan
571.  
572. Perform "BIA" - business impact assessment
573.  
574. No discussion of probability. Only impact
575.  
576. BIA Plans -> pick an output
577.  
578. Put plans into place
579.  
580.  
581.  
582.  
583. Risk Assessments
584.  
585. 3 main steps
586.  
587. Identification
588.  
589. Risk analysis
590.  
591. Risk assessment
592.  
593. Qualitative Assessment
594.  
595. Measurement of impact and likelihood.
596.  
597. Low -> Medium -> High
598.  
599.  
600.  
601.  
602.  
603.  
604. Quantitative Risk Assessment
605.  
606. Annualized Loss Expectency (ALE) = Annual Rate of Occurance (ARO) * Single Loss Expectancy (SLE)
607.  
608. Single Loss Expectancy (SLE) = Asset Value (AV) * Exposure Factor (EF)
609.  
610.  
611.  
612. ALE = ARO * (AV*EF)
613.  
614.  
615.  
616.  
617.  
618. Terms:
619.  
620. Annualized Rate of Occurance (ARO)
621.  
622. How many times per year a risk is expected to be realized.
623.  
624. Single Loss Expectancy
625.  
626. Amount of money expected to be lost when a risk is realized.
627.  
628. Asset Value
629.  
630. In real life to determine value of an asset, hire a consultant
631.  
632. "Test will likely give you the asset value"
633.  
634. Exposure Factor
635.  
636. Percentage of the asset's value that would be compromised if a risk is realized
637.  
638.  
639.  
640.  
641.  
642. Example:
643.  
644. Building burns to the ground.
645.  
646.  
647.  
648. ARO = .01 (likely to happen once every 100 years)
649.  
650. AV = 200,000 (building, all items inside, land the building sits on)
651.  
652. EF = 75% (only 75% because 25% of the asset's value is land, which would not be affected by the building burning down)
653.  
654.  
655.  
656. SLE = 200,000 * 0.75 = 150,000
657.  
658. ALE = .01 * 150,000 = $1,500
659.  
660.  
661.  
662.  
663.  
664. If insurance guy comes back saying fire insurance is $1000/year
665.  
666. In scenario you are paying $1000 to save $1500.
667.  
668. ROI = (Amount your saving - cost of control)/cost of control
669.  
670. ROI = (1500-1000)/1000
671.  
672. ROI = 50%
673.  
674.  
675. Risk Treatments
676.  
677.  
678.  
679. Acceptance
680.  
681. Accept the risk as a cost of doing business without necessarily doing anything
682.  
683.  
684.  
685. Avoidance
686.  
687. Don't do the ting that causes risk
688.  
689. look for alternatives to achieve same goal
690.  
691.  
692.  
693. Transference
694.  
695. Pay someone else to be liable for the financial impact
696.  
697. Ultimate responsibility stays with senior management
698.  
699.  
700.  
701. Mitigation
702.  
703. Invest in solutions to address the risk and hopefully prevent it.
704.  
705. Address probability or impact
706.  
707. Safeguards
708.  
709. Reduces probability
710.  
711. Countermeasures
712.  
713. Reduces impact
714.  
715.  
716.  
717. Risk Rejection
718.  
719. Stick your head in the sand
720.  
721. If you don’t know that you've been breached, due care is not required.
722.  
723.  
724.  
725.  
726. Control Types "3 slice pie" :
727.  
728. Administrative
729. Policy/Rules
730.  
731.  
732. Technical/Logical
733. Software
734.  
735.  
736. Physical
737. If you can touch it
738.  
739.  
740.  
741. Control Categories"7 slice pie"
742.  
743.  
744.  
745. ----- pre-incident ------
746.  
747.  
748.  
749. Directive
750.  
751. Policies on work computer, supervisor instruction
752.  
753. Safeguard
754.  
755.  
756.  
757. Deterrent
758.  
759. Discourages you from trying
760.  
761. Safeguard
762.  
763.  
764.  
765. Preventative
766.  
767. Stops you even if you try
768.  
769. Safeguard
770.  
771.  
772.  
773. ------ post incident -------
774.  
775.  
776.  
777. Detective
778.  
779. Can alert you if an incident occurs
780.  
781. Countermeasure
782.  
783.  
784.  
785. Corrective
786.  
787. First containment and/or eradication
788.  
789. Stops the bleeding
790.  
791. Countermeasure
792.  
793.  
794.  
795. Recovery
796.  
797. Resumes normal operation
798.  
799. Countermeasure
800.  
801.  
802.  
803. Compensating
804.  
805. Put in place in the absence of another control