CISSP
Domains
Security and Risk Management ... 01
Asset Security ... 02
Security Architecture and Engineering ... 03
Communication and Network Security ... 04
Identity and Access Management ... 05
Security Assessment and Testing ... 06
Security Operations ... 07
Software Development Security ... 08
Domain 01
Senior management is responsible for all mergers, acquisitions, and divestitures.
Due care
Due diligence
RISK MANAGEMENT
Risk management should be done at least once a year, or whenever there is a major change in the organization.
Risk management options
retention
mitigation
sharing
avoidance
acceptance
transfer
SECURITY CONTROLS
RISK ASSESSMENT
01 context establishment
02 risk identification
03 risk analysis
04 risk evaluation
05 risk treatment
06 review and monitor
00 consultation and communication
Types
Preventative
Detective
Corrective
Compensatory
Backup Generator
Server Isolation
Hot Site
Security Awareness Training
Firewall
Security Guard
IPS
Anti Virus
System Monitoring
IDS
Motion Detector IDS
IPS
Anti Virus
Pen Testing
Vulnerability Assessment
OS Upgrade Patches
Backup Data Restoration
Anti Virus
Vulnerability Mitigation
Technical
Physical
Administrative
Directive
Deterrent
Recovery
Here you identify the main risks your company can face, covering networks, datacenters, assets, etc.
CIA
Confidentiality
Integrity
Availability
Controls implemented through policies and procedure
Segregation of duties
STRIDE Threat Modeling
Spoofing identity
Tampering with data
Repudiation
Information Disclosure
Denial of service
Elevation of privilege
Threat Models
Service Level Agreements (SLAs)
a contract between a service provider and a customer that outlines the level of service the provider will deliver.
Security is dictated by what?
business requirements
contractual requirements
Industry Standards
Privacy requirements
Regulatory Requirements
Non-Disclosure Agreements (NDAs)
Compliance Policy Requirements
Acceptable Use Policy (AUP)
VAST
OCTAVE
STRIDE
Recovery Plans
Disaster Recovery Plan (DRP)
Business Continuity Plan (BCP)
Important elements of BCP and DRP
Maximum Allowable Downtime or Maximum Tolerable Downtime (MAD/MTD)
Recovery Time Objective (RTO)
Recovery Point Objective (RPO)
Business Impact Analysis (BIA)
Domain 02
Assets
People
Based on value
Information
Data
Hardware
Software
Systems
Processes
Devices
Intellectual property
Corporate Reputation
Assets Value
Qualitative research: rough idea or guessed value of that asset
Quantitative research: exact value of that asset
Asset Classification
Assets are classified based on their value and criticality
Assets are classified using 2 measures
01 Replacement value of that asset
02 impact on the business at the loss of that asset
Data classification policy
who will have access to data
should data be encrypted or not
how data is secured while processing, transmitted and stored
how long that data is to be retained
what is the appropriate use of that data
methods for the disposal of stored data
standards
CIS controls
GDPR
ISO 27001
PCI DSS
Asset protection and classification key
Data Subject: an individual who is the subject of personal data
Data Owner: an individual who is accountable for that data
Data Controller: responsible for defining the rules and purpose needed to store the data
Data Processor: an internal or 3rd party that processes the data
Data Steward: defines what kind of data it is
Data Custodian: an individual or organization responsible for the technical environment and day-to-day management of data
Asset Retention
Data Protection Method
Baseline
Low risk: access, process, no encryption, no labelling, no monitoring
Medium risk: access by password, symmetric encryption (one key to encrypt and decrypt), no labelling, timely monitoring
High risk
Data Remanence
It is defined as the residual data that remains on storage media after the data has been deleted or erased.
How to tackle data remanence
Clearing: erasing all the data in a way that it cannot be recovered by normal known recovery techniques; however, it can still be restored using special tools
Purging: virtually destroying the data in a way that it cannot be recovered by any method, making it almost impossible to restore
Destruction: physically destroying the media (e.g. a hard drive) so that the data cannot be restored, such as breaking it with a hammer, boiling it, or burning it down to ashes
Data Destruction Methods
Overwriting: formatting the hard drive multiple times
Degaussing: attaching a strong magnet to the hard disk, which as a result erases all data on that hard disk
Encryption
Domain 03
Models
Bell-LaPadula model: focus on confidentiality
Biba model: focus on integrity
Brewer-Nash model, aka Chinese Wall model: conflict of interest
Clark-Wilson model: focus on integrity and payment security
Implementations of security controls
Abstraction layers
Application layer 01
Application Programming Interface (API) 02
Operating system (OS) kernel 03
Hardware Abstraction Layer (HAL) 04
Hardware 05
Encryptions
Code signing and validation
Generic computer model
Audit and Monitoring
Virtualization/Sandbox
Establishing Information Governance and retention Policies
Understand where the data exist 01
Classify and define data 02
Archive and manage data 03
Top mitigations
Know what you have 01
Patch and manage what you have 02
Assess, monitor and log 03
Systems
Client based systems
Server based systems
database system
Industrial Control System
Cloud
SaaS: consume it
PaaS: build upon it
IaaS: migrate to it
Kinds of cloud model
Private cloud
Public
community
Cryptography
Symmetric key: same key to encrypt and decrypt
Asymmetric key: public key to encrypt and private key to decrypt, and vice versa
Cipher text: jumbled words
Key or crypto variable: key that is used to encrypt and decrypt data
Quantum cryptography
non repudiation
means you cannot deny that you sent or read the data.
Types
Originator key
Recipient key
Cryptanalysis
the work of someone in the middle who tries to decrypt the data while it flows from sender to receiver.
Cryptology
combination of cryptography (code making) and cryptanalysis (code breaking)
Hash
A hash protects the integrity of the data. It does not provide any encryption.
You calculate the hash of the data before sending it and again after receiving it. Both hashes should be the same; otherwise someone has made changes in the middle of the flow of data.
Key space in cryptography
the range of all possible keys; it determines the probability of breaking a key by guessing.
substitution in cryptography
substitute one letter with another letter for encryption purpose.
transposition in cryptography
rearranging the order of data for encryption purpose
Confusion in cryptography
Confusion means cipher text gives no clues about the original text. Achieved using substitution.
Diffusion in cryptography
Diffusion spreads the redundancy of the plain text across the cipher text (across rows and columns). Achieved using transposition and permutation.
Avalanche effect in cryptography
where a small change in the input, such as adding spaces to the data, produces a significant change in the result.
Key clustering in cryptography
It occurs when multiple keys produce the same cipher text.
Synchronous in cryptography: each encryption and decryption is done immediately (fast)
Asynchronous in cryptography: each encryption and decryption is done slowly (slow)
Digital Signatures / Digital Certificates: used for website protection to secure the data
CA (Certificate Authority): trusted entity that deals with digital certificates
OpenSSL cert generator: free open source certificate generator; self-signed certificate generator
RA (Registration Authority): registers the issued digital certificate
Methods of cryptography
Stream cipher: bit by bit
Block cipher: processes fixed-size blocks of data, usually 64 or 128 bits, to produce ciphertext
Encryption algorithms
DES
TripleDES
Blowfish
AES
RC4
Initialization Vector (IV)
It is a random starting point for the encryption process, adding complexity and randomness to the encryption.
Steganography
Hide data underneath something for data integrity
Provides confidentiality and proof of origin
MIC (message integrity control)
MAC ( message authentication code)
HMAC (hash-based message authentication code)
Attacks on hashing algorithms and MACs
Brute force
Cryptanalysis
Key management practices
Key recovery
Dual control and split knowledge
Key Escrow
Creation of keys
Automated key generation
Truly random
Asymmetric key length
Cryptographic Attacks
Types
Brute force
Chosen plain text
known cipher text
Birthday attack
Cryptanalysis
Ciphertext-only attack
Chosen cipher text
Known plain text
Dictionary attack
Rainbow tables
Replay attack
Algebraic attacks
Attacking the random number generator
Implementation attacks
Fault analysis
Side channel analysis
Probing attacks
Man in the middle attack
Temporary files
Social engineering for key discovery
Physical security
Domain 04
OSI MODEL
Application layer 07
Data unit: Data
Where end users interact with the application and the application interacts with the network process.
Analogy: it is like selecting a gift.
Presentation layer 06
Data unit: Data
Data representation and encryption. Makes sure the address is correct and the data is in readable form.
Analogy: it is like the gift wrapping and checking whether the destination address is correct and in an understandable format.
Session layer 05
Data unit: Data
Establishes sessions for interhost connection.
Analogy: hand over your gift to the postal service; this is like the interaction between different postal services, maintaining a continuous process until delivery.
Transport layer 04
Data unit: Segments
Provides end-to-end communication control and ensures complete data transfer. It includes error checking and data flow control.
Analogy: the postal service ensures that your card will be delivered reliably, tracking its path and ensuring it does not get lost.
Network layer 03
Data unit: Packets
Path determination and IP (logical address).
Analogy: the postal service determines the best route for the card to take, perhaps sending it through various sorting centres and other countries.
Data link layer 02
Data unit: Frames
Responsible for node-to-node data transfer and error detection/correction. It ensures that data is transferred reliably over the physical link.
Analogy: each local post office and sorting centre handles the card, ensuring it gets to the next point correctly.
Physical layer 01
Data unit: Bits
Deals with the physical connection between devices and the transmission and reception of raw bitstreams over a physical medium.
Analogy: the card travels via trucks, planes, and other physical means to reach the destination.
TCP IP MODEL
Application layer 01
Host to host transport layer 02
Internet layer 03
Network layer 04
Protocols
FTP
SNMP
Telnet
SMTP
DNS
RIP
Protocols
TCP
UDP
Protocols
IP
ARP
Ethernet
Uses MAC (media access control) address and LLC (logical link control).
Uses IP addresses.
Protocols
ARP (Address Resolution Protocol)
Works at the MAC layer.
Its purpose is to provide direct communication between two devices within the same LAN.
Others
VLANs
Switches
03 Network layer
(IPv4) Internet protocol networking
(IPv6) Internet protocol networking
Routers
Used to connect a LAN with a WAN. A router also provides the default gateway.
Switches
It is used to connect devices within LAN.
Firewalls
04 Transport layer
Protocols
Protocols and term
MAC
LLC
ARP
Ethernet
IP
Switches
Routers
TCP
UDP
SSL
TLS
SCTP
TCP
UDP
Ports
total ports
0 - 65,535
HTTP
80
HTTPS
443
Well known ports
0 - 1023
Registered ports
1024 - 49,151
Dynamic ports
49,152 - 65,535
It has no security of its own, so security must be established on top of it.
07 Application layer
Protocols
DNS: provides a naming system for IP addresses.
WWW
HTTP
HTTPS
SMTP
Telnet
FTP
DHCP: provides an IP address.
SNMP
LDAP
SDN (Software Defined Networking)
CDN (Content Delivery Network)
Firewall
Rules are pre defined.
Filter incoming and outgoing traffic.
Types of firewalls
Static packet filtering firewall
Allows all outgoing tcp connections
Only allows incoming DNS, SMTP and FTP services
Denies all other services.
Stateful inspection firewall
Next generation firewall
Advanced form of firewall
(IDS/IPS) Intrusion detection and prevention systems.
Whitelisting/Blacklisting
NAC (network access control devices)
Endpoint security
PAT (Port address translation)
Proxy types
Proxy firewalls
Devices inside a LAN each have their own unique private IP address provided by the router. When a device accesses the internet, it uses the router as its default gateway and uses the public IP that the ISP (internet service provider) has provided to the router.
Public IP can be static or dynamic
Private IP remains consistent
VOIP (Voice over IP)
Remote access tunnelling / Virtual private network (VPN)
Screen Scraper
Remote access
VPN
ports
SSH
Telecommuting
Domain 05
Types of IAM
Centralised
Decentralised
Hybrid
Physical access controls (PACS)
System account access review
Provisioning and deprovisioning
Identification and Authentication of people, Devices and Services.
Single/Multi factor authentication
Identity and access management plan and implementation.
Biometrics
fingerprint
Face scan
Hand Geometry.
Voice recognition
Iris pattern.
Retinal scanning
Signature Dynamics
Vascular patterns
Keystroke Dynamics
Authorization
False acceptance rate and false rejection rate
Session management.
Session information is stored in a cookie.
Registration and proofing of identity.
Credential management systems
Federated identity management systems (FIMs)
Single ID can be used in multiple places.
Integrate identity management as a third party
Frameworks
SAML
OAuth
LDAP
On prem
Cloud
Third party
Types Of Access Control
Discretionary Access Control (DAC): the owner of the resource chooses whom to give access to the resource.
Mandatory Access Control (MAC): an authority decides whom to give access to the resource, not an individual.
Non-Discretionary Access Control (NDAC): a set of rules determines access.
Role Based Access Control (RBAC): based on roles.
Rule Based Access Control (RBAC): predefined rules determine access.
Attribute Based Access Control (ABAC)
Domain 06
Penetration testing
Offensive hacking
Vulnerability assessment (VA)
White Hat Hackers (good guys)
Grey Hat Hackers (Bug Bounty)
Black Hat Hackers (cyber criminals)
Log Reviews
SAST
Static Code Review
DAST
White Box Testing
Hackers know the application details
Black box testing
Hacker does not know any application details
Static Testing
Done before code deployment
Dynamic testing
Expensive as done after the code is deployed
Manual Testing
Automated Testing
Areas
Log review
Code Review
Fuzz testing tools
Throws large amounts of data at the application in order to check its stability and availability.
Misuse Case Testing
Domain 07
Service Level Agreements (SLAs)
Separation Of Duties
Job Rotation
Change Management
Asset Inventory/Asset Management
Information Lifecycle
create 01
Store 02
Use 03
Share 04
Archive 05
Destroy 06
configuration management
Access Management
Privileged Account Management
Temporary Access Privilege
Need To Know/Least Privilege
Patch And Vulnerability Management
Media Management
Hardware And Software Asset Management
Third Party Provided Security Services
Sand Boxing
Honeypot/Honeynets
A fake setup to catch cyber criminals
Anti Malware
Information Security Incident Management Policy
External and internal parties should be involved.
Incident Response Plan
Administrative policies
Detection 01
Response 02
Mitigation 03
Reporting 04
Recovery 05
Remediation 06
Lessons Learned 07
Regulatory Requirements
Evidence collection and handling
SIEM
IDS/IPS
Data Loss Prevention
Backup Storage Strategies
Multiple Processing Sites
Domain 08
SDLC
Requirement Gathering 01
Design 02
Implementation 03
Testing 04
Evolution 05
Security
Methodologies
Waterfall Model
Secure Coding Guidelines and Standards
Trap door/Back door