Advertisement
opexxx

CISSP_Notes.txt

Aug 23rd, 2023 (edited)
251
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 14.58 KB | None | 0 0
  1. Always assume Discretionary Access Control (DAC)
  2.  
  3. Always assume a large company (100+)
  4.  
  5. Don’t get wrapped up in US Law (in many countries, in some countries = ignore US law)
  6.  
  7. Example: Reasonable expectation of privacy while using business systems. In US, there is usually no expectation of privacy. In EU, there is an expectation of privacy by law.
  8.  
  9. If they don’t tell you budget is a concern, assume budget is not concern and go with the Cadillac answer
  10.  
  11. Don’t forget about Physical Security (a lot of times a lock and key could be the best answer), Don't forget about availability
  12.  
  13. Take breaks! If you don’t know what a question is asking, try taking a break.
  14.  
  15. When the test asks about 'senior management': Unless told otherwise, assume they mean CEO, CFO, and board of directors.
  16.  
  17. When we talk about accounting, we're talking about writing log entries and holding people accountable.
  18.  
  19. When talking about auditing, we're talking about reading those log entries.
  20.  
  21. When trying to decide between different answers, 1 answer will appeal to sys admin, 1 will appeal to manager. Pick the manager.
  22.  
  23. i.e. if you have multiple answers and 1 says 'do what policy says' that’s going to be the answer.
  24.  
  25. If you come across a question and you think it's an easy win, read it again. It's probably a trick.
  26.  
  27. Be aware of "Answer Bias"
  28.  
  29. If you read a multiple choice question, you have a bias towards A or B and bias against C or D.
  30.  
  31. Overcome by reading answers first, and questions second.
  32.  
  33.  
  34.  
  35.  
  36.  
  37.  
  38.  
  39. General Axioms:
  40.  
  41. Number 1 goal is to protect life
  42.  
  43. Building is on fire, they want you to run into building to get backup tapes.
  44.  
  45. Always assume getting people out of the building is first priority even when stated otherwise.
  46.  
  47. Everyone is responsible for security
  48.  
  49. Janitor with no login is responsible too. After he sweeps server room, he must lock the door behind him.
  50.  
  51. Senior Management is ultimately Responsbile for security
  52.  
  53. CISO is accountable, but senior management is responsible.
  54.  
  55. Senior management writes the security policy, CISO uses that to do their job.
  56.  
  57. If there is a breach CISO is fired, senior management puts another CISO in place.
  58.  
  59. Never spend more for a control than what you are protecting. (Single loss expectancy * Annual rate of occurance)
  60.  
  61. $500 car that you pay $1500 a year on to protect. Not a good investment.
  62.  
  63. We don’t accept risk, only senior management can accept risk. We advise on what risks to accept.
  64.  
  65. Can't transfer ultimate responsibility, just some of the fallout i.e. financial responsibility
  66.  
  67. If you're reading a network question and it covers layer 1-4, recheck the model.
  68.  
  69. Training and awareness are mandatory. This includes cross-training.
  70.  
  71. Cross-training
  72.  
  73. Staffing for resilience
  74.  
  75. Paper is a media.
  76.  
  77. Consider paper the same way you would a hard drive.
  78.  
  79. Patterns are bad (Cryptography)
  80.  
  81. Senior Management can do whatever they want.
  82.  
  83. Our job is to make sure when they make the decision, they have a basic understanding of the risks. As long as they do, they can make whatever decision they want.
  84.  
  85. IT Security supports the business, not vice versa.
  86.  
  87. If it wasn't this way, we'd just get rid of half the things they do.
  88.  
  89. An attack on availability could be just slowing down the system, rather than knocking it out.
  90.  
  91. Making a system run at degraded speed is a successful attack
  92.  
  93. Digital signatures don't do shit for confidentiality. Only integrity and non-repudiation.
  94.  
  95. No single control can be considered perfect.
  96.  
  97. Does this mean you need multiple or that you should assume each one is inherently flawed?
  98.  
  99. eCommerce = Encryption.
  100.  
  101. If they mention eCommerce, they want you to be aware of you handling credit cards.
  102.  
  103. PCI
  104.  
  105. Requirement 4 = protect data in transit
  106.  
  107. Best way to protect data in transit? Encryption.
  108.  
  109. No way to inspect an encrypted payload
  110.  
  111.  
  112.  
  113. Users = Subjects
  114.  
  115. Subject
  116.  
  117. Anything that wants to get to an object.
  118.  
  119.  
  120.  
  121. Before a subject can get to an object, it should have a 'referee' i.e. something that grants or denies access.
  122.  
  123. Security kernel
  124.  
  125. Contains rules that allow the referee to make decisions.
  126.  
  127. Audit file
  128.  
  129. Keeps a protected log of all subjects, what objects they accessed and preferably reasoning from the kernel
  130.  
  131.  
  132.  
  133.  
  134.  
  135. Is this a reference monitor?
  136.  
  137. Can it block a subject from getting to an object?
  138.  
  139. Yes: It is a reference monitor
  140.  
  141. No: it is not a reference monitor.
  142.  
  143.  
  144.  
  145. Complete Mediation
  146.  
  147. Even if you've been through the reference monitor a million times and were granted access a million times. You should not circumvent the reference monitor as at a minimum, you want an audit file which the reference monitor will generate.
  148.  
  149.  
  150. Covert Channel
  151.  
  152. Anything that circumvents a reference monitor.
  153.  
  154. Confidentiality
  155.  
  156. Keeping secrets secret.
  157.  
  158. Enemy of Confidentiality is Disclosure
  159.  
  160. How do you protect confidentiality?
  161.  
  162. Encryption
  163.  
  164. Logical Access control
  165.  
  166. Physical Access Control
  167.  
  168.  
  169.  
  170. Integrity
  171.  
  172. Can you trust the data?
  173.  
  174. Has the data been changed?
  175.  
  176. Was it correct when it was collected?
  177.  
  178. Enemy of Integrity is Alteration
  179.  
  180. How do you provide Integrity
  181.  
  182. Hashing
  183.  
  184. Goals of integrity:
  185.  
  186. Stop unauthorized changes from unauthorized subject
  187.  
  188. Threat agents
  189.  
  190. Stop unauthorized changes from authorized subject
  191.  
  192. Mistakes and errors
  193.  
  194. Maintain data consistency
  195.  
  196.  
  197.  
  198. Availability
  199.  
  200. Data is available to authorized users when they need it.
  201.  
  202. Enemy of availability is Destruction or downtime
  203.  
  204.  
  205.  
  206.  
  207.  
  208. D.A.D.D.
  209.  
  210. Enemies of CIA
  211.  
  212. Disclosure
  213. Alteration
  214. Destruction/Downtime
  215.  
  216.  
  217.  
  218. Risk Appetite
  219.  
  220. How much risk is senior management comfortable taking on in the organization?
  221.  
  222.  
  223.  
  224.  
  225.  
  226. CISO
  227.  
  228. Manage security infrastructure
  229.  
  230. Metrics - If you can't measure it, you can't improve it.
  231.  
  232. Advise Senior management on security risks
  233.  
  234.  
  235.  
  236. Metrics
  237.  
  238. Comes from 2 places
  239.  
  240. Measurement Variation
  241.  
  242. Don’t change the way you're measuring. Stay consistent to see trends over time.
  243.  
  244. Process variation
  245.  
  246. The actual variation that is happening in the process
  247.  
  248.  
  249.  
  250.  
  251.  
  252. Policy
  253.  
  254. Brief, high-level statement
  255.  
  256. "Policy should never be longer than 2 pages"
  257.  
  258. Don't leave policy up for interpretation.
  259.  
  260. e.g. "We will be HIPAA compliant."
  261.  
  262.  
  263.  
  264. Standards
  265.  
  266. "Bulleted list"
  267.  
  268.  
  269.  
  270. Procedures
  271.  
  272. "Numbered list"
  273.  
  274.  
  275.  
  276. Baselines
  277.  
  278. Minimum security configuration for different systems.
  279.  
  280. Senior management is responsible for establishing baselines.
  281.  
  282. Baseline info may be collected from vendors, open standards, etc.
  283.  
  284.  
  285.  
  286. Scoping
  287.  
  288. Go through everything a baseline talks about, decide what works and what doesn’t.
  289.  
  290. Armed guards are too much for us, but security cameras is a good fit.
  291.  
  292. Tailoring
  293.  
  294. Make the baseline specific to your business.
  295.  
  296. 16 cameras, 8 inside, 8 outside.
  297.  
  298.  
  299.  
  300.  
  301.  
  302. Guidelines
  303.  
  304. Generalized ideas on how management would expect something to be completed that may not have a set of standards/procedures/baselines in existence
  305.  
  306.  
  307.  
  308.  
  309.  
  310. Governance leads into Compliance leads into Assurance
  311.  
  312.  
  313.  
  314. Due Dilligence
  315.  
  316. Making the rules
  317.  
  318. What would any reasonably prudent person do? "Prudent person rule"
  319.  
  320. An individual should make every effort to complete his or her responsibilities in an accurate and timely manner
  321.  
  322. Due Care
  323.  
  324. Everyone following the rules
  325.  
  326.  
  327. Superficial Security Frameworks:
  328.  
  329.  
  330.  
  331. ITIL - Information Technology Infrastructure Library
  332.  
  333. Continual Service Improvement
  334.  
  335.  
  336.  
  337. COSO - Committee of sponsoring organizations
  338.  
  339. All about financial Fraud
  340.  
  341.  
  342.  
  343. COBIT - Control objectives for Information and related Technologies
  344.  
  345. Developed by ISACA
  346.  
  347. Auditors use this to define what controls you should have
  348.  
  349.  
  350.  
  351.  
  352.  
  353.  
  354.  
  355.  
  356.  
  357. Real Security Frameworks
  358.  
  359.  
  360.  
  361. ISO 27000
  362.  
  363. ISO/IEC 27000
  364.  
  365. General Overview
  366.  
  367.  
  368.  
  369. Information security management systems
  370.  
  371. Overview and vocabulary
  372.  
  373.  
  374.  
  375. ISO/IEC 27001
  376.  
  377. Actual standard, includes ISMS and Requirements
  378.  
  379.  
  380.  
  381. Information technology - Security Techniques - Information security management systems
  382.  
  383. Requirements. The 2013 release of the standard specifies an information security management system in the same formalized, structured and succinct manner as other ISO standards specify other kinds of management systems.
  384.  
  385.  
  386.  
  387. ISO/IEC 27002
  388.  
  389. Listing of example controls that could be used to meet 27001 requirements
  390.  
  391.  
  392.  
  393. Code of practice for information security controls
  394.  
  395. essentially a detailed catalog of information security controls that might be managed through the ISMS
  396.  
  397.  
  398.  
  399. ISO/IEC 27003
  400.  
  401. Information security management system implementation guidance
  402.  
  403.  
  404.  
  405. ISO/IEC 27004
  406.  
  407. Guidelines for metrics
  408.  
  409. Information security management
  410.  
  411. Monitoring, measurement, analysis and evaluation
  412.  
  413.  
  414.  
  415. ISO/IEC 27005
  416.  
  417. Information security risk management
  418.  
  419. (NIST SP800-39)
  420.  
  421.  
  422.  
  423. ISO/IEC 27006
  424.  
  425. Requirements for bodies providing audit and certification of information security management systems
  426.  
  427.  
  428.  
  429. ISO 22301
  430.  
  431. Information technology -- Security techniques -- Guidelines for information and communication technology readiness for business continuity
  432.  
  433.  
  434.  
  435. NIST SP-800
  436.  
  437. US Specific
  438.  
  439. Not as heavily placed into the CISSP test any more as the test is meant to be 'international'
  440.  
  441.  
  442.  
  443.  
  444.  
  445.  
  446.  
  447. Compliance Frameworks
  448.  
  449.  
  450.  
  451. PCI-DSS
  452.  
  453. Actual Standard: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
  454.  
  455. Review requirements 1-12 and Appendix A
  456.  
  457.  
  458.  
  459. Only applies to organizations that do business directly with members of the PCI council. (i.e. VISA, MasterCard, Discover, etc.)
  460.  
  461.  
  462.  
  463. PCI is not a law, it is a contract.
  464.  
  465.  
  466.  
  467. PAN - Primary Account Number
  468.  
  469. Credit Card Number, Expiration Date, CVV
  470.  
  471.  
  472.  
  473. Tokenization
  474.  
  475. Replace confidential information with placeholders for identification ("tokens")
  476.  
  477. e.g. replace the credit card number of "0000-0000-0000-000" with "Token-CreditCard-1"
  478.  
  479.  
  480.  
  481. QSA - Qualified Security Assessor
  482.  
  483. PCI Auditors
  484.  
  485.  
  486.  
  487.  
  488. Business Impact Analysis: BIA
  489. ========================
  490.  
  491. Gather Info
  492.  
  493. What all things do you do?
  494.  
  495. Identify what's critical
  496.  
  497. Map relationships between critical items and dependencies
  498.  
  499. "Doing the math"
  500.  
  501. Calculate "MTD" Maximum Tolerable Downtime
  502.  
  503. Calculate "RTO" - recovery time objective
  504.  
  505. Amount of time required to recover
  506.  
  507. Can be split into 2 parts.
  508.  
  509. Part 1 - RTO "amount of time to order a part"
  510.  
  511. Part 2 - 'WRT' Work Recovery Time "amount of time to install the ordered parts
  512.  
  513. Calculate "RPO" - Recovery Point objective
  514.  
  515. If a problem is encountered, how much date/time are you able to lose? i.e. If you backups are every 24 hours, your RPO should say you're willing to lose up to 24 hours of data if you were to restore to the last backup.
  516.  
  517. Perform Cost/Benefit analysis
  518.  
  519. Develop continuity plans
  520.  
  521. Perform cost/benefit analysis
  522.  
  523.  
  524.  
  525.  
  526. usiness Continuity - Disaster Recovery - Incident Response
  527.  
  528.  
  529.  
  530. Means different things in practice, for this week and this week, consider these as completely separate islands.
  531.  
  532.  
  533.  
  534.  
  535.  
  536. Business continuity.
  537.  
  538. Critical Business functions, plans to get them back online fast enough.
  539.  
  540.  
  541.  
  542. Disaster recovery
  543.  
  544. When an incident is SO BAD that you had to 'move'
  545.  
  546.  
  547.  
  548. Incident Response
  549.  
  550.  
  551.  
  552.  
  553.  
  554. What's considered critical?
  555.  
  556. Whatever senior management says is critical
  557.  
  558. Whatever keeps the cash register ringing
  559.  
  560.  
  561.  
  562. What's considered not critical
  563.  
  564. Anything that doesn’t stop the cash register from ringing.
  565.  
  566.  
  567.  
  568.  
  569.  
  570. Business Continuity Plan
  571.  
  572. Perform "BIA" - business impact assessment
  573.  
  574. No discussion of probability. Only impact
  575.  
  576. BIA Plans -> pick an output
  577.  
  578. Put plans into place
  579.  
  580.  
  581.  
  582.  
  583. Risk Assessments
  584.  
  585. 3 main steps
  586.  
  587. Identification
  588.  
  589. Risk analysis
  590.  
  591. Risk assessment
  592.  
  593. Qualitative Assessment
  594.  
  595. Measurement of impact and likelihood.
  596.  
  597. Low -> Medium -> High
  598.  
  599.  
  600.  
  601.  
  602.  
  603.  
  604. Quantitative Risk Assessment
  605.  
  606. Annualized Loss Expectency (ALE) = Annual Rate of Occurance (ARO) * Single Loss Expectancy (SLE)
  607.  
  608. Single Loss Expectancy (SLE) = Asset Value (AV) * Exposure Factor (EF)
  609.  
  610.  
  611.  
  612. ALE = ARO * (AV*EF)
  613.  
  614.  
  615.  
  616.  
  617.  
  618. Terms:
  619.  
  620. Annualized Rate of Occurance (ARO)
  621.  
  622. How many times per year a risk is expected to be realized.
  623.  
  624. Single Loss Expectancy
  625.  
  626. Amount of money expected to be lost when a risk is realized.
  627.  
  628. Asset Value
  629.  
  630. In real life to determine value of an asset, hire a consultant
  631.  
  632. "Test will likely give you the asset value"
  633.  
  634. Exposure Factor
  635.  
  636. Percentage of the asset's value that would be compromised if a risk is realized
  637.  
  638.  
  639.  
  640.  
  641.  
  642. Example:
  643.  
  644. Building burns to the ground.
  645.  
  646.  
  647.  
  648. ARO = .01 (likely to happen once every 100 years)
  649.  
  650. AV = 200,000 (building, all items inside, land the building sits on)
  651.  
  652. EF = 75% (only 75% because 25% of the asset's value is land, which would not be affected by the building burning down)
  653.  
  654.  
  655.  
  656. SLE = 200,000 * 0.75 = 150,000
  657.  
  658. ALE = .01 * 150,000 = $1,500
  659.  
  660.  
  661.  
  662.  
  663.  
  664. If insurance guy comes back saying fire insurance is $1000/year
  665.  
  666. In scenario you are paying $1000 to save $1500.
  667.  
  668. ROI = (Amount your saving - cost of control)/cost of control
  669.  
  670. ROI = (1500-1000)/1000
  671.  
  672. ROI = 50%
  673.  
  674.  
  675. Risk Treatments
  676.  
  677.  
  678.  
  679. Acceptance
  680.  
  681. Accept the risk as a cost of doing business without necessarily doing anything
  682.  
  683.  
  684.  
  685. Avoidance
  686.  
  687. Don't do the ting that causes risk
  688.  
  689. look for alternatives to achieve same goal
  690.  
  691.  
  692.  
  693. Transference
  694.  
  695. Pay someone else to be liable for the financial impact
  696.  
  697. Ultimate responsibility stays with senior management
  698.  
  699.  
  700.  
  701. Mitigation
  702.  
  703. Invest in solutions to address the risk and hopefully prevent it.
  704.  
  705. Address probability or impact
  706.  
  707. Safeguards
  708.  
  709. Reduces probability
  710.  
  711. Countermeasures
  712.  
  713. Reduces impact
  714.  
  715.  
  716.  
  717. Risk Rejection
  718.  
  719. Stick your head in the sand
  720.  
  721. If you don’t know that you've been breached, due care is not required.
  722.  
  723.  
  724.  
  725.  
  726. Control Types "3 slice pie" :
  727.  
  728. Administrative
  729. Policy/Rules
  730.  
  731.  
  732. Technical/Logical
  733. Software
  734.  
  735.  
  736. Physical
  737. If you can touch it
  738.  
  739.  
  740.  
  741. Control Categories"7 slice pie"
  742.  
  743.  
  744.  
  745. ----- pre-incident ------
  746.  
  747.  
  748.  
  749. Directive
  750.  
  751. Policies on work computer, supervisor instruction
  752.  
  753. Safeguard
  754.  
  755.  
  756.  
  757. Deterrent
  758.  
  759. Discourages you from trying
  760.  
  761. Safeguard
  762.  
  763.  
  764.  
  765. Preventative
  766.  
  767. Stops you even if you try
  768.  
  769. Safeguard
  770.  
  771.  
  772.  
  773. ------ post incident -------
  774.  
  775.  
  776.  
  777. Detective
  778.  
  779. Can alert you if an incident occurs
  780.  
  781. Countermeasure
  782.  
  783.  
  784.  
  785. Corrective
  786.  
  787. First containment and/or eradication
  788.  
  789. Stops the bleeding
  790.  
  791. Countermeasure
  792.  
  793.  
  794.  
  795. Recovery
  796.  
  797. Resumes normal operation
  798.  
  799. Countermeasure
  800.  
  801.  
  802.  
  803. Compensating
  804.  
  805. Put in place in the absence of another control
Tags: CISSP ISC2
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement