THE CISSP Exam - Coggle Diagram
THE CISSP Exam
Domain 3: Communication
WAN
X.25
Frame Relay
ATM
MPLS
Wireless
Wifi
Protocols
802.11a/b/g/n/ac/ax
Encryption
WEP
TKIP
WPA/WPA2
WiMAX
802.16
GSM/CDMA
Microwave
Internet Protocol (IP) Addresses
IPv4 vs IPv6
IPv4 Network Classes
Private IPv4 Addresses
Converged Protocols
VoIP
iSCSI & FCoE
Network Authentication
PAP
CHAP
EAP
PEAP
Network Attacks
Phases
Reconnaissance
Enumeration
Vulnerability Analysis
Exploitation
Eavesdropping
SYN Flooding
IP Spoofing
DoS/DDoS
Man in the Middle
ARP Poisoning
Virtualization
VLAN
SDN
Common Commands
ipconfig
ping
traceroute
whois
Domain 3: Security Architecture
Cryptography
Cryptographic Services
Confidentiality
Integrity
Hashing
Authenticity
Non-Repudiation
Origin
Delivery
Access Controls
Cryptographic Terminology
Plaintext
Encrypt
Key / Crypto Variable
Ciphertext
Decrypt
Key Clustering
Work Factor
Initialization Vector (Nonce)
Avalanche
Confusion
Diffusion
Secret Writing
Hidden
Steganography
Null Cipher
Scrambled (Cryptography)
One-Way
Hashing
MD5
SHA-1
SHA-2
SHA-3
Two-Way
Symmetric
Block
DES, 3DES, AES, CAST-128, SAFER, Blowfish, Twofish, RC5/RC6
Block Modes: ECB, CBC, CFB, OFB, CTR
Stream
RC4
Asymmetric
Factoring
RSA
Discrete Log
Diffie-Hellman (Key Exchange)
Elliptic Curve (ECC)
ElGamal
DSA
Digital Signatures
Digital Certificates
Substitution
Caesar Cipher
Monoalphabetic
Polyalphabetic
Running
One-time Pads
Transposition
Spartan Scytale
Rail Fence (Zig Zag)
Securing Vulnerabilities
Vulnerabilities in Systems
Single Point of Failure
Redundancy
Bypass Controls
Mitigating Controls
TOCTOU (Race Condition)
Increase Frequency of re-authentication
Emanations
Shielding (TEMPEST)
White Noise
Control Zones
Covert Channels
Analysis and Design
Aggregation and Inference
Polyinstantiation
Mobile Devices
Policy Training & Procedures
Remote Access Security
End-point security
OWASP Mobile Top 10
M1 - Improper Platform Usage
M2 - Insecure Data Storage
M3 - Insecure Communication
M4 - Insecure Authentication
M5 - Insufficient Cryptography
M6 - Insecure Authorization
M7 - Client Code Quality
M8 - Code Tampering
M9 - Reverse Engineering
M10 - Extraneous Functionality
Web Based Vulnerabilities
Cross Site Scripting (XSS) [Targets Client]
Stored (Persistent)
Reflected (Most Common)
DOM
Cross Site Request Forgery (CSRF) [Targets: Server]
SQL Injection
Input Validation
Models
Enterprise Security Architecture
Zachman
SABSA
TOGAF
Security Models
Lattice Based
Bell-LaPadula
Confidentiality
Simple Security Property
Star Property
Strong Star Property
Biba
Integrity
Simple Integrity Property
Star Integrity Property
Lipner Implementation
Rule Based
Clark-Wilson
3 goals of Integrity
3 Clark Wilson Rules
Brewer-Nash
Prevent Conflicts of interest
Graham-Denning
Harrison-Ruzzo-Ullman
Frameworks
Security
ISO 27001
ISO 27002
NIST 800-53
COBIT
COSO
ITIL
HIPAA
SOX
Privacy
OECD Guidelines
GDPR
Risk
NIST 800-37
ISO 31000
COSO
ISACA Risk IT
Evaluation Criteria
Certification
TCSEC (Orange Book)
Confidentiality Only
Single Box Only
Functional Levels
D1 - Failed or Not Tested
C1 - Weak protection mechanisms
C2 - Strict login procedures
B1 - Security Labels
B2 - Security labels and verification of no covert channels
B3 - Security labels, verification of no covert channels, and must stay secure during start-up
A1 - Verified Design
ITSEC
Confidentiality and Integrity
Networked Devices
Same Functional Levels as TCSEC
Assurance Levels (E0-E6)
Common Criteria
ISO 15408
Protection Profile
Target of Evaluation
Security Targets
Functional and Assurance Requirements
Assign EAL
EAL1 - Functionally Tested
EAL2 - Structurally tested
EAL3 - Methodically Tested and Checked
EAL4 - Methodically designed, tested and reviewed
EAL5 - Semi-formally designed and tested
EAL6 - Semi-formally verified, designed and tested
EAL7 - Formally verified, designed and tested
Trusted Computing Base (TCB)
Reference Monitor Concept
Subject
Mediation
Rules
Logging and Monitoring
Object
Hardware Components
Processor
Storage
Primary
Secondary
Virtual Memory
Software Components
System Kernel
Firmware
Middleware
Protection Mechanisms
Process Isolation
Memory Segmentation
Time Division Multiplexing
Processor States
Problem
Supervisor
Operating System Models
User Mode
Kernel Mode
Ring Protection Model
Ring 3: User Programs
Ring 0: System Kernel
Secure Memory Management
Data Hiding
Defense in Depth
Security Kernel
Completeness
Isolation
Verifiability
Domain 7: Security Operations
Malware
Types
Virus
Worm
Companion
Macro
Multipartite
Polymorphic
Trojan
Botnets
Boot Sector
Hoaxes / Pranks
Logic Bomb
Stealth
Ransomware
RootKit
Spyware / Adware
Data Diddler
Salami Attack
Zero Day
Anti-Malware
Policy
Training and Awareness
Prevention
Whitelist
Network Segmentation
Detection
Signature Based Scanners
Heuristic Scanners
Activity Monitors
Change Detection
Continuous Updates
Patching
Determine if Patch is available
Threat Intelligence
Vendor Notification
Proactive Checking
Agent
Agentless
Passive
Implement through Change Management
Timing
Deploy
Automated
Manual
Change Management
Change Request
Assess Impact
Emergency Change
Standard Process
Approval
Based on impact, severity, etc
CCB, CAB, ECAB
Build and test
Notification
Implement
Validation
Test new functionality
Regression Testing
Version and Baseline
Recovery Strategies
Backup Storage
Archive Bit
Types of Backups
Mirror
Full
Incremental
Differential
Validation
Checksums
CRC
Data Storage
Offsite
Tape Rotation
RPO
Spare Parts
Cold
Warm
Hot
RAID - Redundant Array of Independent Disks
RAID 0 - Striping
RAID 1 - Mirroring
RAID 10 - Striping and Mirroring
RAID 5 - Parity
High Availability System
Clustering
Redundancy
Recovery Sites
Types of Sites
Cold
Warm
Hot
Mobile
Redundant
Geographically remote
Business Continuity Management (BCM): Focuses on Critical and essential functions of business
Goals of BCM
Safety of People
Minimize Damage
Survival of Business
Business Impact Assessment
Identify Critical Processes and Systems
Measurements of Time
RPO
RTO
WRT
MTD
Owner Approval of this and associated costs
Types of Plans
Business Continuity Plan (BCP)
Disaster Recovery Plan (DRP)
Testing Plans
Read-Through Checklist
Walkthrough
Simulation
Parallel
Full Interruption and Full Scale
Restoration Order
Most Critical First
Dependency Charts
Domain 8 - Software Development Security
Secure Software Development
System Life Cycle (SLC)
Software Development Life Cycle (SDLC)
Plan and Management Approval
Requirements Analysis
Design
Development
Waterfall
Cannot go Back
Agile
Sprints
Scrum Master
DevOps
Combine Dev, QA and Operations
SecDevOps
Testing
Canary
Certification
Deployment
Accreditation
Operation
Disposal
Maturity Models
APIs
REST
SOAP
Bake in Security
Obfuscation
Lexical, Data, Control Flow
Acquiring Software
Assess Vendors
Contracts / SLAs
Software Security Weaknesses and Vulnerabilities
Buffer Overflow
SQL Injection
XSS / CSRF
Covert Channels
Backdoors and Trapdoors
Memory Object Reuse
TOCTOU
Citizen Developers
Secure Programming
Input Validation
Session Management
Polyinstantiation
Databases
Components of a Database Management System (DBMS)
Hardware
Software
Database
Tables
Rows = Tuples / Records
Columns = Attributes
Cells = Fields
Primary and Foreign Key
Language (SQL)
Users
Data
Maintaining Data Integrity
Concurrency
Locks
ACID
Atomicity
Consistency
Isolation
Durability
SQL Injection
Domain 6 - Security Assessment and Testing
Identifying Vulnerabilities
Vulnerability Assessment
Penetration Testing
Process
Reconnaissance
Enumeration
Vulnerability Analysis
Execution
Document Findings
Testing Techniques
Perspective
Internal
External
Approach
Blind
Double Blind
Knowledge
Zero (Black Box)
Partial (Gray Box)
Full (White Box)
Types of Scans
Credentialed / Authenticated
Uncredentialed / Unauthenticated
Banner Grabbing
Fingerprinting
Interpreting and Understanding Results
CVE
CVSS
False Positives vs False Negatives
Security Assessment and Testing
Validation
Verification
Rigour
Testing a System
Unit
Interface
Integration
System
Testing Techniques
Methods and Tools
Manual
Automated
Runtime
Static
Dynamic
Fuzz
Access to Code
White
Black
Techniques
Positive
Negative
Misuse
Boundary Value Analysis
Equivalence Partition
Operational
Real User Monitoring
Synthetic Performance Monitoring
Regression Testing
Testers / Assessors
Internal
External
Third Party
SOC1
SOC2
Type 1
Type 2
SOC3
Roles
Executive Management
Audit Committee
Security Officer
Compliance Manager
Internal Auditors
External Auditors
Metrics
Focus
KPIs
KRIs
Domain 1: Security and Risk Management
Privacy: State or condition of being free from being observed or disturbed by other people
Privacy Policy
Standards, Procedures, Baselines, Guidelines
Personal Data
PII, SPI, PHI, PI
Direct Identifiers
Indirect Identifiers
Online Identifiers
Information Lifecycle
Creation / Update
Store
Use
Share
Archive
Destroy
OECD Guidelines
Collection Limitation
Data Quality
Purpose Specification
Use Limitation
Security Safeguards
Openness
Individual Participation
Accountability
GDPR
Supervisory Authorities (SA)
Cannot Achieve Privacy without Security
Domain 2: Asset Security
Asset Classification
Asset Inventory
Assign Ownership
Classification (Based on Value)
Data Classification Policy
Standards, procedures, Baselines, Guidelines
Classification
Labeling
Examples: Public, Secret, Top Secret
Marking
Categorization
Protection (Based on Classification)
Roles
Data Owner / Controller
Data Processor
Data Custodian
Data Steward
Data Subject
Data at Rest
Encryption
Access Control
Backups
Data In Motion
End-to-End Encryption
Link Encryption
Onion Encryption
Data in Use
Archival
Defensible Destruction
Destruction
Total Media Destruction
Shred / Disintegrate / Drill
Purging
Degaussing
Crypto Shredding
Clearing
Overwrite / Wipe / Erasure
Formatting