CISSP Study Notes From CISSP Prep Guide

These notes were prepared from The CISSP Prep Guide: Mastering the Ten Domains of Computer Security by Ronald L. Krutz, Russell Dean Vines, Edward M. Stroz and are not intended to be a replacement for the book.

In addition to the CISSP Prep Guide I used the following resources to prepare for the exam:
- The Information Security Management Handbook, Fourth Edition by Micki Krause and Harold F. Tipton
- The revised Michael Overly notes
- The Boson Questions #2 and #3
- Lots of misc. websites
- And of course www.cccure.org

Good Luck!
JWG, CISSP

CISSP STUDY NOTES FROM CISSP PREP GUIDE
DOMAIN 1 – SECURITY MANAGEMENT PRACTICES
DOMAIN 2 – ACCESS CONTROL SYSTEMS
DOMAIN 3 – TELECOM AND NETWORK SECURITY
DOMAIN 4 – CRYPTOGRAPHY
DOMAIN 5 – SECURITY ARCHITECTURE AND MODELS
DOMAIN 6 – OPERATIONS SECURITY
DOMAIN 7 – APPLICATIONS AND SYSTEM DEVELOPMENT
DOMAIN 8 – BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING
DOMAIN 9 – LAW, INVESTIGATION AND ETHICS
DOMAIN 10 – PHYSICAL SECURITY

Domain 1 – Security Management Practices

The Big Three - C.I.A.
- Confidentiality – Prevent disclosure of data
- Integrity – Prevent modification of data
- Availability – Ensure reliable, timely access to data

Other Important Concepts
- Identification – Means by which a user claims an Identity
- Authentication – Establishes the user's Identity
- Accountability – System's ability to determine the actions of users
- Authorization – Rights and permissions granted to an individual
- Privacy – Level of confidentiality that a user is given

Objective of Security is to reduce the effects of threats and vulnerabilities to a tolerable level.

Risk Analysis
Assess the following:
- Impact of the threat
- Risk of the threat occurring (likelihood)
Controls reduce both the impact of the threat and the likelihood of the threat, important in the cost-benefit of controls.

Data Classification
- Data classification has high level enterprise wide benefit
- Demonstrates organization's commitment to security
- Helps identify sensitive and vital information
- Supports C.I.A.
- May be required for legal/regulatory reasons

Data owners are responsible for defining the sensitivity level of the data.

Government Classification Terms:
- Unclassified – Neither sensitive nor classified, public release is acceptable
- Sensitive But Unclassified (SBU) – Minor secret, no serious damage if disclosed
- Confidential – Disclosure could cause damage to National Security
- Secret – Disclosure could cause serious damage to National Security
- Top Secret – Highest level; disclosure could cause exponentially grave damage to National Security

In addition you must have a Need to Know – just because you have "secret" clearance does not mean you can access all "secret" data, just data with a need to know.

Additional Public Classification Terms
- Public – Similar to unclassified, should not be disclosed but is not a problem if it is
- Sensitive – Data protected from loss of Confidentiality and Integrity
- Private – Data that is personal in nature and for company use only
- Confidential – Very sensitive, for internal use only; disclosure could seriously negatively impact the company

Classification Criteria
- Value – Number one criterion; if it is valuable it should be protected

- Age – Value of data lowers over time, automatic de-classification
- Useful Life – If the information is made obsolete it can often be de-classified
- Personal Association – If the data contains personal information it should remain classified

Distribution may be required in the event of the following:
- Court Order – May be required by court order
- Government Contracts – Government contractors may need to disclose classified information
- Senior Level Approval – Senior executives may approve release

Information Classification Roles

Owner
- May be executive or manager
- Owner has final corporate responsibility for the data protection
- Makes determination of classification level
- Reviews classification level regularly for appropriateness
- Delegates responsibility of data protection to the Custodian

Custodian
- Generally IT systems personnel
- Running regular backups and testing recovery
- Performs restoration when required
- Maintains records in accordance with the classification policy

User
- Anyone who routinely uses the data
- Must follow operating procedures
- Must take due care to protect
- Must use computing resources of the company for company purposes only

Policies, Standards, Guidelines and Procedures
- Policies are the highest level of documentation
- Standards, Guidelines and Procedures are derived from policies
- Policies should be created first, but are no more important than the rest

Senior Management Statement – general high-level statement
- Acknowledgment of importance of computing resources
- Statement of support for information security
- Commitment to authorize lower level Standards, Guidelines and Procedures

Regulatory Policies – company is required to implement due to legal or regulatory requirements
- Usually very detailed and specific to the industry of the organization
- Two main purposes
  - To ensure the company is following industry standard procedures
  - To give the company confidence they are following industry standard procedures

Advisory Policies – not mandated but strongly suggested
- Company wants employees to consider these mandatory
- Advisory Policies can have exclusions for certain employees or job functions

Informative Policies
- Exist simply to inform the reader
- No implied or specified requirements

Standards, Guidelines and Procedures
- Contain the actual detail of the policy
- How the policies should be implemented
- Should be kept separate from one another
  - Different audiences
  - Security controls are different for each policy type
  - Updating the policy is more manageable

Standards – Specify use of technology in a uniform way, compulsory
Guidelines – Similar to standards but not compulsory, more flexible
Procedures – Detailed steps, required, sometimes called "practices", lowest level
Baselines – Baselines are similar to standards; standards can be developed after the baseline is established

Roles and Responsibilities
- Senior Management – Has ultimate responsibility for security
- Infosec Officer – Has the functional responsibility for security
- Owner – Determines the data classification
- Custodian – Preserves C.I.A.
- User – Performs in accordance with stated policy
- Auditor – Examines security

Risk Management
Mitigate (reduce) risk to a level acceptable to the organization.

Identification of Risk
- Actual threat
- Possible consequences
- Probable frequency
- Likelihood of event

Risk Analysis
- Identification of risks
- Benefit-cost justification of countermeasures

Risk Analysis Terms
- Asset – Resource, product, data
- Threat – Action with a negative impact
- Vulnerability – Absence of control
- Safeguard – Control or countermeasure
- Exposure Factor – % of asset loss caused by threat
- Single Loss Expectancy (SLE) – Expected financial loss for a single event
  SLE = Asset Value x Exposure Factor
- Annualized Rate of Occurrence (ARO) – Represents the estimated frequency with which a threat will occur within one year
- Annualized Loss Expectancy (ALE) – Annually expected financial loss

  ALE = SLE x ARO

Risk Analysis
- Risk analysis is more comprehensive than a Business Impact Analysis
- Quantitative – assigns objective numerical values (dollars)
- Qualitative – more intangible values (data)
- Quantitative is a major project that requires a detailed process plan

Preliminary Security Examination (PSE)
- Often conducted prior to the quantitative analysis
- PSE helps gather elements that will be needed for the actual RA

Risk Analysis Steps
1) Estimate of potential loss
2) Analyze potential threats
3) Define the Annualized Loss Expectancy (ALE)

Categories of Threats
- Data Classification – malicious code or logic
- Information Warfare – technically oriented terrorism
- Personnel – unauthorized system access
- Application / Operational – ineffective security results in data entry errors
- Criminal – physical destruction, or vandalism
- Environmental – utility outage, natural disaster
- Computer Infrastructure – hardware failure, program errors
- Delayed Processing – reduced productivity, delayed collections processing

Annualized Loss Expectancy (ALE)
Risk analysis should contain the following:
- Valuation of critical assets
- Detailed listing of significant threats
- Each threat's likelihood
- Loss potential by threat
- Recommended remedial safeguards

Remedies
- Risk Reduction – implementation of controls to alter risk position
- Risk Transference – get insurance, transfer cost of a loss to insurance
- Risk Acceptance – accept the risk, absorb loss

Qualitative Scenario Procedure
- Scenario oriented
- List the threat and the frequency
- Create exposure rating scale for each scenario
- Scenario written that addresses each major threat
- Scenario reviewed by business users for reality check
- Risk Analysis team evaluates and recommends safeguards
- Work through each finalized scenario
- Submit findings to management

Value Assessment
- Asset valuation necessary to perform cost/benefit analysis
- Necessary for insurance
- Supports safeguard choices

Safeguard Selection
- Perform cost/benefit analysis
- Costs of safeguards need to be considered including
  - Purchase, development and licensing costs
  - Installation costs
  - Disruption to production
  - Normal operating costs

Cost Benefit Analysis
ALE (PreControl) – ALE (PostControl) = Annualized value of the control

Level of manual operations
- The amount of manual intervention required to operate the safeguard
- Should not be too difficult to operate

Auditability and Accountability
- Safeguard must allow for auditability and accountability

Recovery Ability
- During and after the reset condition
  - No asset destruction during activation or reset
  - No covert channel access to or through the control during reset
  - No security loss after activation or reset
  - Defaults to a state that does not allow access until controls are fully operational

Security Awareness Training

Benefits of Awareness
- Measurable reduction in unauthorized access attempts
- Increased effectiveness of controls
- Helps to avoid fraud and abuse
Periodic awareness sessions for new employees and to refresh others

Methods of awareness improvement
- Live interactive presentations
- CBTs
- Publishing of posters and newsletters
- Incentives and awards
- Reminders, login banners

Training & Education
- Security training for Operators
- Technical training
- Infosec training
- Manager training
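A worked version of the SLE, ALE and cost/benefit formulas above, added here as an example and not part of the original notes. The flood scenario, dollar figures and safeguard candidates are constructed; subtracting the control's annual cost (the Safeguard Selection cost items) from the ALE reduction follows the standard cost/benefit form, so a negative value means the control costs more than the risk it removes.

```python
"""Quantitative risk analysis: SLE, ARO, ALE and the cost/benefit value of a
safeguard. Added example; the scenario values are constructed, not from the
Prep Guide."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float       # dollar value of the asset exposed to this threat
    exposure_factor: float   # fraction (0.0-1.0) of the asset lost per occurrence
    aro: float               # Annualized Rate of Occurrence (events per year)


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float       # purchase/licensing, installation and operating cost per year
    residual_ef: float       # exposure factor remaining once the control is in place
    residual_aro: float      # occurrence rate remaining once the control is in place


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy = Asset Value x Exposure Factor."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annualized Loss Expectancy = SLE x ARO."""
    return sle(asset_value, exposure_factor) * aro


def safeguard_value(threat: Threat, control: Safeguard) -> float:
    """ALE(pre-control) - ALE(post-control) - annual cost of the control.
    Positive: the control pays for itself. Negative: it costs more than the
    risk it removes (the cost term is the standard CISSP cost/benefit form)."""
    pre = ale(threat.asset_value, threat.exposure_factor, threat.aro)
    post = ale(threat.asset_value, control.residual_ef, control.residual_aro)
    return pre - post - control.annual_cost


def choose_safeguard(threat, candidates):
    """(name, value) of the highest-value safeguard, or ("accept risk", 0.0) when
    no candidate beats doing nothing (the Risk Acceptance remedy)."""
    best = max(candidates, key=lambda c: safeguard_value(threat, c), default=None)
    if best is None or safeguard_value(threat, best) <= 0:
        return ("accept risk", 0.0)
    return (best.name, safeguard_value(threat, best))


# Constructed scenario: a $1,000,000 data centre exposed to flooding once per decade.
FLOOD = Threat("flood", asset_value=1_000_000, exposure_factor=0.25, aro=0.1)
CANDIDATES = [
    Safeguard("raised floor + pumps", annual_cost=8_000, residual_ef=0.05, residual_aro=0.1),
    Safeguard("relocate data centre", annual_cost=60_000, residual_ef=0.0, residual_aro=0.0),
]

if __name__ == "__main__":
    print(f"SLE = {sle(FLOOD.asset_value, FLOOD.exposure_factor):,.0f}")             # 250,000
    print(f"ALE = {ale(FLOOD.asset_value, FLOOD.exposure_factor, FLOOD.aro):,.0f}")  # 25,000
    for c in CANDIDATES:
        print(f"{c.name}: value {safeguard_value(FLOOD, c):,.0f}")  # 12,000 / -35,000
    print("choose:", choose_safeguard(FLOOD, CANDIDATES))
```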

Domain 2 – Access Control Systems

C - Confidentiality
I - Integrity
A - Availability

Confidentiality
- Not disclosed to unauthorized persons

Integrity
- Prevention of modification by unauthorized users
- Prevention of unauthorized changes by otherwise authorized users
- Internal and External Consistency
  - Internal Consistency within the system (i.e. within a database the sum of subtotals is equal to the sum of all units)
  - External Consistency – database with the real world (i.e. database total is equal to the actual inventory in the warehouse)

Availability
- Timely access

Three things to consider
- Threats – potential to cause harm
- Vulnerabilities – weakness that can be exploited
- Risk – potential for harm

Controls
- Preventative – prevent harmful occurrence
- Detective – detect after harmful occurrence
- Corrective – restore after harmful occurrence

Controls can be:
- Administrative – policies and procedures
- Logical or Technical – restricted access
- Physical – locked doors

Three types of access rules:
1. Mandatory Access Control (MAC): Authorization of a subject's access to an object depends on labels (sensitivity levels), which indicate the subject's clearance, and the classification or sensitivity of the object
   - Every object is assigned a sensitivity level/label and only users authorized up to that particular level can access the object
   - Access depends on rules and not on the identity of the subjects or objects alone
   - Only the administrator (not owners) may change the category of a resource — Orange Book B level
   - Output is labeled as to sensitivity level
   - Unlike permission bits or ACLs, labels cannot ordinarily be changed
   - Can't copy a labeled file into another file with a different label
   - Rule based AC
2. Discretionary Access Control (DAC): Subject has authority, within certain limits, to specify what objects can be accessible (e.g., use of ACL)
   - User-directed means a user has discretion
   - Identity-based means discretionary access control is based on the subject's identity
   - Very common in commercial context because of flexibility
   - Orange Book C level
   - Relies on object owner to control access
   - Identity Based AC
3. Non-Discretionary Access Control: Central authority determines what subjects can have access to certain objects based on the organization's security policy (good for high turnover)
   - May be based on the individual's role in the organization (Role-Based) or the subject's responsibilities or duties (task-based)

Lattice based – provides least access privileges of the access pair
- Greatest lower bound
- Lowest upper bound

Control types by category:

Preventative
- Administrative: Policies and procedures, pre-employment background checks, strict hiring practices, employment agreements, friendly and unfriendly employee termination procedures, vacation scheduling, labeling of sensitive materials, increased supervision, security awareness training, behavior awareness, and sign-up procedures to obtain access to information systems and networks
- Technical: Logical system controls, smart cards, biometrics, menu shell
- Physical: Restrict physical access, guards, man trap, gates

Detective
- Administrative: Policies and procedures, job rotation, sharing of responsibilities
- Technical: IDS, logging, monitoring, clipping levels
- Physical: Motion detectors, cameras, thermal detectors

Identification and Authentication
Identification establishes accountability

Three Factor Authentication
- Something you know (password)
- Something you have (token)
- Something you are (biometrics)
Sometimes – something you do

Passwords
- Static – same each time
- Dynamic – changes each time you log on

Tokens – Smartcards
Static Password (like software with PIN)
- Owner authenticates to the token
- Token authenticates to the system
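An added example (not from the notes) of the lattice-based MAC rules in the access control section above: labels built from the Domain 1 government classification levels plus need-to-know categories, the "dominates" ordering, the greatest lower bound and least upper bound of two labels, and the read and copy checks. The subjects, objects and category names are constructed.

```python
"""Lattice-based mandatory access control. A label is (sensitivity level, set of
categories); subject label S may read object label O only if S dominates O.
Added example; level names follow the notes, everything else is constructed."""
from dataclasses import dataclass

LEVELS = ["Unclassified", "SBU", "Confidential", "Secret", "Top Secret"]


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset  # need-to-know compartments, e.g. {"CRYPTO"}

    def rank(self) -> int:
        return LEVELS.index(self.level)

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: level at least as high AND a superset of
        categories. Clearance alone is not enough without the need to know."""
        return self.rank() >= other.rank() and self.categories >= other.categories


def least_upper_bound(a: Label, b: Label) -> Label:
    """Smallest label dominating both: max level, union of categories. This is
    the label a document that combines data from a and b must carry."""
    return Label(LEVELS[max(a.rank(), b.rank())], a.categories | b.categories)


def greatest_lower_bound(a: Label, b: Label) -> Label:
    """Largest label both a and b dominate: min level, intersection of categories.
    This is the most that subjects cleared to a and to b may both be shown."""
    return Label(LEVELS[min(a.rank(), b.rank())], a.categories & b.categories)


def may_read(subject: Label, obj: Label) -> bool:
    """MAC read rule: the subject's clearance must dominate the object's label."""
    return subject.dominates(obj)


def may_copy(source: Label, destination: Label) -> bool:
    """The notes: a labeled file cannot be copied into a file with a different label."""
    return source == destination


# Constructed subject and objects for the demonstration.
ANALYST = Label("Secret", frozenset({"CRYPTO"}))
REPORT = Label("Secret", frozenset({"CRYPTO"}))
PLAN = Label("Confidential", frozenset({"NUCLEAR"}))  # lower level, different need to know
BRIEF = Label("Top Secret", frozenset())

if __name__ == "__main__":
    print("analyst reads report:", may_read(ANALYST, REPORT))  # True
    print("analyst reads plan:  ", may_read(ANALYST, PLAN))    # False: no NUCLEAR need to know
    print("analyst reads brief: ", may_read(ANALYST, BRIEF))   # False: clearance too low
    print("LUB(report, plan) =", least_upper_bound(REPORT, PLAN))   # Secret, {CRYPTO, NUCLEAR}
    print("GLB(report, plan) =", greatest_lower_bound(REPORT, PLAN))  # Confidential, {}
    print("copy report -> plan:", may_copy(REPORT, PLAN))      # False
```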

Synchronous Dynamic Password
- Token – generates passcode value
- PIN – user knows
- Token and PIN entered into PC
- Must fit in valid time window

Asynchronous
- Similar to synchronous, new password is generated asynchronously, no time window

Challenge Response
- System generates challenge string
- User enters it into token
- Token generates response, entered into workstation
- Mechanism in the workstation determines authentication

Biometrics – something you are
- Identify – one to many
- Authenticate – one to one

False Rejection Rate (FRR) – Type I error
False Acceptance Rate (FAR) – Type II error
Crossover Error Rate (CER) – CER % when FRR = FAR

Biometric Issues
- Enrollment Time – acceptable rate is 2 minutes per person
- Throughput Time – acceptable rate is 10 people per minute
- Acceptability Issues – privacy, physical, psychological

Types of Biometrics
- Fingerprints: Are made up of ridge endings and bifurcations exhibited by the friction ridges and other detailed characteristics that are called minutiae.
- Retina Scans: Scans the blood-vessel pattern of the retina on the backside of the eyeball.
- Iris Scans: Scan the colored portion of the eye that surrounds the pupil.
- Facial Scans: Takes attributes and characteristics like bone structures, nose ridges, eye widths, forehead sizes and chin shapes into account.
- Palm Scans: The palm has creases, ridges and grooves throughout it that are unique to a specific person.
- Hand Geometry: The shape of a person's hand (the length and width of the hand and fingers) measures hand geometry.
- Voice Print: Distinguishing differences in people's speech sounds and patterns.
- Signature Dynamics: Electrical signals of speed and time that can be captured when a person writes a signature.
- Keyboard Dynamics: Captures the electrical signals when a person types a certain phrase.
- Hand Topology: Looks at the size and width of an individual's hand and fingers.

Single Sign On

Kerberos
- Symmetric key encryption
- KDC – Kerberos-trusted Key Distribution Center
- TGS – Ticket Granting Service
- AS – Authentication Server

Kerberos
1. KDC knows secret keys of Client and Server
2. KDC exchanges info with the Client and the Server using symmetric keys
3. Using TGS grants temporary symmetric key
4. Client and Server communicate using the temporary session key

Initial Exchange
Client sends Hash Password to the TGS Server, TGS verifies with the Auth. Server
TGS Server responds with:
1) Key for Client and TGS server encrypted with Client Key [K(c,tgs)] Kc
2) Ticket Granting Ticket (TGT) [K(c,tgs), c, a, v] K(tgs)

Request for Service
Client sends request for service to TGS with
1) TGT [K(c,tgs), c, a, v] K(tgs)
2) Authenticator K(c,tgs)

TGS Issues Ticket for Service
TGS sends Client back ticket for server and authenticator for server
1) Ticket T(c,s) [s, c, a, v, K(c,s)] Ks
2) [K(c,s)] K(c,tgs)

Receive Service from Server
Client sends Server
1) Ticket T(c,s) [s, c, a, v, K(c,s)] Ks
2) Authenticator [c, t, key] K(c,s)

Kerberos weaknesses
- Replay is possible within the time frame
- TGS and Auth server are vulnerable as they know everything
- Initial exchange based on password authentication
- Keys are vulnerable

SESAME – Secure European System for Applications in a Multi-vendor Environment
- Uses Needham-Schroeder protocol
- Uses public key cryptography
- Supports MD5 and CRC32 hashing
- Uses two tickets
  1) One contains authentication
  2) One contains the access rights to the client

SESAME weaknesses
- Only authenticates by using the first block of the message
- Initial exchange based on password authentication
SESAME incorporates two certificates or tickets: one certificate provides authentication as in Kerberos and the other certificate defines the access privileges that are assigned to a client.

KryptoKnight
- Peer to peer relationship between KDC – Key Distribution Center and parties (Client and Server)
- NetSP is based on KryptoKnight
- Supported by RACF
- Authentication
- Key Distribution
- Data Privacy
- Data Integrity
- Single Sign-On
- Administration

Access Control – Centralized and Decentralized

Centralized
- RADIUS – Remote Access Dial-In User Service (incorporates an AS and dynamic password)
- TACACS – Terminal Access Controller Access Control System (for network applications, static pwd)
- TACACS+ – Terminal Access Controller Access Control System Plus, supports token authentication
- CHAP – Challenge Handshake Authentication Protocol, supports encryption, protects password

Decentralized

Relational Database Security
- Relational databases support queries
- Object oriented databases do not support queries

Relational Database
- Data structures called tables (relations)
- Integrity rules on allowable values
- Operators on the data in tables
Persistency – preservation of integrity through the use of nonvolatile storage media

Schema
- Description of the database
- Defined by Data Description Layer (DDL)

Database Management System (DBMS)
- Provides access to the database
- Allows restriction of access

Relational Database
- Relation (table) is the basis of a relational database – a relation is represented by a table
- Rows = Records (tuples)
- Columns = Attributes

            Attribute-1  Attribute-2  Attribute-3
  Record-1
  Record-2

Primary Key
- Unambiguously identifies a record
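The Kerberos exchange described in the Single Sign On section above, as an added example that is not part of the original notes: a toy KDC (AS/TGS) returns [K(c,tgs)]Kc and the TGT, then T(c,s) and [K(c,s)]K(c,tgs), and the server checks the authenticator's timestamp against a validity window and remembers authenticators so a replay inside the window is refused. The principal names, the keys and the seal/unseal toy cipher are constructed for the demonstration and are not Kerberos' real message formats; the address field "a" is omitted.

```python
"""Toy Kerberos: AS/TGS issue a TGT then a service ticket; the server verifies the
authenticator inside a time window. Added example, not from the Prep Guide. seal/unseal
is a deliberately simple HMAC-SHA256 keystream XOR plus tag standing in for a real cipher."""
import hashlib, hmac, json, os

WINDOW = 300  # seconds an authenticator timestamp is accepted: the replay exposure

def _stream(key, nonce, n):
    return b"".join(hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))

def seal(key: bytes, obj) -> bytes:
    """Toy authenticated encryption: nonce | ciphertext | tag (NOT for real use)."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ticket or authenticator fails integrity check")
    return json.loads(bytes(c ^ s for c, s in zip(ct, _stream(key, nonce, len(ct)))))

class KDC:
    """AS + TGS. Holds every long-term key ('TGS and Auth server know everything')."""
    def __init__(self, keys):
        self.keys = dict(keys, tgs=os.urandom(32))  # principal name -> long-term key
    def as_exchange(self, client, now):
        """Initial exchange: returns [K(c,tgs)]Kc and the TGT [K(c,tgs), c, v]K(tgs)."""
        k_c_tgs = os.urandom(32).hex()
        tgt = seal(self.keys["tgs"], {"key": k_c_tgs, "c": client, "v": now + 8 * 3600})
        return seal(self.keys[client], {"key": k_c_tgs}), tgt
    def tgs_exchange(self, tgt, authenticator, server, now):
        """Request for service: check TGT + authenticator, issue T(c,s) and [K(c,s)]K(c,tgs)."""
        t = unseal(self.keys["tgs"], tgt)
        auth = unseal(bytes.fromhex(t["key"]), authenticator)
        if auth["c"] != t["c"] or now > t["v"] or abs(now - auth["t"]) > WINDOW:
            raise PermissionError("TGT or authenticator rejected")
        k_c_s = os.urandom(32).hex()
        ticket = seal(self.keys[server], {"s": server, "c": t["c"], "key": k_c_s, "v": now + 3600})
        return ticket, seal(bytes.fromhex(t["key"]), {"key": k_c_s})

class Server:
    def __init__(self, name, key):
        self.name, self.key, self.seen = name, key, set()
    def accept(self, ticket, authenticator, now):
        """Receive service: decrypt T(c,s) with Ks, then the authenticator with K(c,s).
        A replay inside WINDOW is only caught because seen authenticators are remembered."""
        t = unseal(self.key, ticket)
        auth = unseal(bytes.fromhex(t["key"]), authenticator)
        if (t["s"] != self.name or now > t["v"] or auth["c"] != t["c"]
                or abs(now - auth["t"]) > WINDOW or authenticator in self.seen):
            raise PermissionError("ticket or authenticator rejected")
        self.seen.add(authenticator)
        return t["c"]

def login_and_access(kdc, server, client, client_key, now):
    """Runs the four steps in the notes; returns (principal accepted, ticket, authenticator)."""
    blob, tgt = kdc.as_exchange(client, now)
    k_c_tgs = bytes.fromhex(unseal(client_key, blob)["key"])
    ticket, blob2 = kdc.tgs_exchange(tgt, seal(k_c_tgs, {"c": client, "t": now}), server.name, now)
    k_c_s = bytes.fromhex(unseal(k_c_tgs, blob2)["key"])
    authenticator = seal(k_c_s, {"c": client, "t": now})
    return server.accept(ticket, authenticator, now), ticket, authenticator

# Constructed realm: the client key derives from a password (the notes' initial-exchange weakness).
KEYS = {"alice": hashlib.sha256(b"alice-password").digest(), "fileserver": os.urandom(32)}
```

A fresh Server instance that has not recorded the authenticator still accepts it up to WINDOW seconds later, which is exactly the replay exposure the notes list.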
