How Brandon Cracked His CISSP Exam

February 29, 2016

I just passed my CISSP today. I have some notes from my boot camp I will pass along when I get home… Know crypto very well. A lot about BCP and risk management.

 

CISSP

READ SLOW! READ TWICE!

Protecting life is our number one duty.

Senior management is ultimately responsible for security.

Security supports the business, not the other way around.

Everything we do has to come from policy.

Senior management is the only one that can accept risk.

You can only transfer financial risk.

Training and awareness are mandatory.

A VPN computer, regardless of where it sits, is part of the trusted network.

Paper is a medium.

Patterns are bad.

Never spend more on a control than what the asset is worth.

 

Day one:

Security and risk management:

Risk: the pain and likelihood of an action happening to you.

C.I.A.:
CONFIDENTIALITY: LEAST PRIVILEGE, NEED TO KNOW, ACCESS CONTROLS

INTEGRITY: CHECKSUMS, HASHES, DIGITAL SIGNATURES, PARITY BITS, SEPARATION OF DUTIES, DUAL CONTROLS

AVAILABILITY: BACKUPS, SUCCESSION PLANNING

Policy should only be 2 pages long and express management's wishes.
Policy should be vague, not confusing.

Standards: bulleted list
Procedures: numbered list
Baseline: minimum security standard for each device
Guidelines: not mandatory; help with doing new projects

Budget dictates: staff numbers, level of security protection required, tasks to be performed, regulations to be met, staff qualification level, training required, degree of metrics tracking.

Metrics: measurements that can be collected to provide information on long-term trends and illustrate day-to-day workload. They have to be quantifiable.


 
NEED TO KNOW! Only access to what you NEED TO KNOW.

We are accountable for ensuring the protection of all the business information assets from intentional and unintentional loss, disclosure, alteration, destruction and unavailability.

Governance: policy, standard, baseline (due diligence)
Compliance: rules (due care)

Due diligence is preparation for due care, for example writing down the rules.

Due care is the act of compliance.

Assurance is due diligence.

Compliance does not mean you are secure.

PCI (Payment Card Industry): not a regulation; it is contract law.

 

Computer crimes:
The computer is incidental to the crime.
Computer-assisted crime.
The computer is required for the crime.

Intellectual property:
Patent: protects novel ideas; 20 years from the date of application.
Copyright: good for 70 years after the death of the author; works of art or research.
Trademark laws: symbols that represent the goodwill of a company.
Trade secrets: example, the Coca-Cola recipe. Something you don't want to patent or copyright.

 

You must expend effort to protect them, including knowing when they have been stolen or tampered with.

The Wassenaar Arrangement:
contributes to regional and international security and stability
promotes transparency and greater
prevents destabilizing accumulation

Privacy: the rights and obligations of individuals and organizations with respect to the collection, use, retention, and disclosure of personal information.

Event: measurable or observable.

Incident: measurable or observable, and bad.

Breach: an incident that discloses data.

 

Ethics:

1. Protect society
2. Act honorably
3. Protect principals
4. Protect the profession

Business continuity

Develop and document the project scope and plan.

The first step in building the BC program is project initiation and management:

1. Obtain senior management support to move the project forward.
2. Define the project scope, objectives to be achieved and planning assumptions.
3. Estimate the project resources needed to be successful, both human and financial.
4. Define the timeline and major project deliverables.

 

Business impact analysis

Steps:
1. Understand your business.
2. Analyze the information: identify the impact over time of a loss or interruption.
   Quantitative analysis, examples: financial loss, extra expenses, regulatory issues.
   Qualitative analysis, example: damage to reputation.
3. Determine the maximum tolerable downtime (MTD) and other criteria.
   Recovery time objective (RTO): RTO < MTD; best practice is that the RTO should be half the MTD.
   Recovery point objective (RPO): how much data you are willing to lose.
4. Evaluate resource requirements.

Employment candidate screening

Job descriptions
Reference checks
Background investigations
Education, licensing, certification verification

Need to know and job description go hand in hand.

Segregation of duties: catch errors.
Separation of duties: catch fraud.
One individual should not have the capability to execute all steps of a particular process.
Forces collusion in order to commit fraud.
Failure to separate duties could result in individuals embezzling money from the company without the involvement of others.

Job rotation: reduces the risk of fraud.

Need to know
Least privilege
Just the amount needed to perform the job.

Mandatory vacations
Irregularities may surface through them.
Terminations
Voluntary:
Involuntary:
Third-party controls
Vendors, consultants, contractors
Privacy
All individuals have a reasonable expectation of privacy.
Communication about organizational privacy policies is key to ensuring acceptance of a waiver of the reasonable expectation of privacy.

Risk management concepts

Threats:
Threat agent: actor using a threat to attack a vulnerability.
Vulnerability: weakness.
Countermeasure: mitigates risk.
Impact: result of an attack.
Likelihood:
Residual risk: risk left over after the countermeasure.

COSO: fraud
ITIL: IT department as a service organization
COBIT: auditors, controls
ISO 27000: overview and vocabulary
ISO 27002: best practice

ALE = ARO x SLE (mnemonic: beer = arosle)
Probability x impact

countermeasure

accountability

Crypto

Encoding doesn't protect confidentiality; it is not encryption.

Kerckhoffs's principle: published algorithms are much stronger.

Core ingredients:
1. Substitution: changes values.

2. Transposition or permutation: moves values.

3. Exclusive OR (XOR): if the bits are different the result is 1, if they are the same it is 0:
   1100
   1010
   ----
   0110

 

 

Out of band: you can't send the key at the same time as the message.

One-time pad: the key has to be at least as long as the plaintext and can only be used once. Considered unbreakable because there is no pattern in the key.
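Added example (not from the boot camp notes): the XOR rule above applied to the notes' own bits, then the same operation used as a one-time pad, with checks for the two pad rules (key at least as long as the message, used only once). The message and pad values are constructed for the demo.

```python
import os

def xor_bits(a: str, b: str) -> str:
    """XOR two equal-length bit strings: different bits give 1, same bits give 0."""
    if len(a) != len(b):
        raise ValueError("XOR operands must be the same length")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR a message with a key that is at least as long as the message."""
    if len(key) < len(data):
        raise ValueError("one-time pad key must be at least as long as the message")
    return bytes(d ^ k for d, k in zip(data, key))

def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    return xor_bytes(plaintext, pad)

def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    # XOR is its own inverse, so decryption is the same operation.
    return xor_bytes(ciphertext, pad)

def reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """Why 'use it once' matters: if two messages share a pad, the pad cancels
    and an observer is left with plaintext1 XOR plaintext2, exactly the kind of
    pattern the one-time pad is supposed to have none of."""
    return xor_bytes(ct1, ct2)

if __name__ == "__main__":
    print(xor_bits("1100", "1010"))            # 0110, the worked line from the notes
    msg = b"PROTECT LIFE"                      # constructed sample message
    pad = os.urandom(len(msg))                 # fresh random pad, as long as the message
    ct = otp_encrypt(msg, pad)
    assert otp_decrypt(ct, pad) == msg
    second = b"ACCEPT RISK!"                   # same length, same pad: the mistake
    leak = reuse_leak(ct, otp_encrypt(second, pad))
    print(leak == xor_bytes(msg, second))      # True: the key has dropped out entirely
```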

Send the key with the message, encrypted asymmetrically.

A symmetric key is a session, shared or secret key. It cannot be a private key.

The longer the key, the stronger the encryption, within the same class.

An initialization vector introduces randomness.

Cipher mode                  | Init. vector | Process         | Errors    | Message size   | Block
ECB (electronic code book)   | No           | Parallel        | Contained | Very short     | Yes
CBC (cipher block chaining)  | Yes          | Serial          | Contained | Short          | Yes
CFB (cipher feedback)        | Yes          | Serial          | Contained | Medium         | Head start
OFB (output feedback)        | Yes          | Serial/parallel | Cascade   | Long if stable | Both
Counter mode                 | No           | Parallel        | Contained | Long           | Yes
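Added example (not from the notes or any exam material): ECB versus CBC on a toy 4-byte block cipher that stands in for a real one, showing the "Init. vector" and "Errors" columns of the table above in running code. The key, IV and plaintext are constructed, and the toy cipher is an assumption for the demo, not AES.

```python
BLOCK = 4  # toy block size in bytes (AES uses 16); constructed for the demo
def toy_encrypt_block(block: bytes, key: bytes) -> bytes:
    """Stand-in block cipher: XOR with the key, then rotate bytes left; invertible and deterministic."""
    x = bytes(b ^ k for b, k in zip(block, key))
    return x[1:] + x[:1]

def toy_decrypt_block(block: bytes, key: bytes) -> bytes:
    x = block[-1:] + block[:-1]          # undo the rotation
    return bytes(b ^ k for b, k in zip(x, key))

def blocks(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("example assumes input already padded to the block size")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ecb_encrypt(pt: bytes, key: bytes) -> bytes:
    # No IV: identical plaintext blocks produce identical ciphertext blocks.
    return b"".join(toy_encrypt_block(b, key) for b in blocks(pt))

def cbc_encrypt(pt: bytes, key: bytes, iv: bytes) -> bytes:
    # The IV adds randomness; each block is XORed with the previous ciphertext block.
    prev, out = iv, []
    for b in blocks(pt):
        prev = toy_encrypt_block(xor(b, prev), key)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(ct: bytes, key: bytes, iv: bytes) -> bytes:
    prev, out = iv, []
    for c in blocks(ct):
        out.append(xor(toy_decrypt_block(c, key), prev))
        prev = c
    return b"".join(out)

def cbc_damaged_blocks(pt: bytes, key: bytes, iv: bytes, flip_at: int) -> list:
    """Flip one ciphertext bit, decrypt, and list the plaintext blocks that changed (CBC: that block and the next)."""
    ct = bytearray(cbc_encrypt(pt, key, iv))
    ct[flip_at] ^= 0x01
    recovered = cbc_decrypt(bytes(ct), key, iv)
    return [i for i, (a, b) in enumerate(zip(blocks(pt), blocks(recovered))) if a != b]
if __name__ == "__main__":
    key, iv = b"k3y!", b"\x00\x01\x02\x03"    # constructed key and IV
    pt = b"AAAAAAAABBBB"                       # two identical blocks, then a different one
    ecb, cbc = ecb_encrypt(pt, key), cbc_encrypt(pt, key, iv)
    print(ecb[:4] == ecb[4:8], cbc[:4] == cbc[4:8])   # True False: ECB leaks the repeat
    print(cbc_damaged_blocks(pt, key, iv, 0))         # [0, 1]
```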

Stream ciphers are more hardware, block ciphers are more software.

Private key is more secure than secret key in symmetric.

Asymmetric provides non-repudiation.

Asymmetric is much slower than symmetric.

Encrypt keys or hashes.

Asymmetric is very scalable.

RSA: the public key is a semiprime and the private key is a super prime.

HASH: provides a fingerprint of a text; uniquely identifies it.

Hashes are for integrity.

Encrypting with a private key is called signing, not digital signing.

Encrypting a hash with a private key is digital signing: integrity and non-repudiation.

Cryptanalysis (p. 305):

ciphertext only

known plaintext

chosen plaintext (gardening)

chosen ciphertext

known ciphertext

Data owner: the person that assigns rights.

Data custodian: makes sure the wishes of the data owner are accomplished.

Information owner: provides the subject matter expert.

Categorization

Ports to know:

25: SMTP
80: HTTP
443: SSL/TLS


 
All People Seem To Need Data Processing

Application: DNS, HTTP, LDAP, SMTP, DHCP. Network applications, not programs like Word or Excel.

Presentation: translation (ASCII and EBCDIC), compression and decompression, encryption unless it happens somewhere else.

Session: PAP, PPTP, RPC. This is where I build tunnels.

Transport: TCP (error correction) and UDP (broadcast); assigns port addresses (16-bit).

Network: logical addressing. IP addressing: IPv4 32-bit and IPv6 128-bit. Routers, gateways. Packets. Open Shortest Path First (OSPF), IGMP, IPsec, distance vector multicast routing protocol.

Data link: MAC addressing. Switches and bridges. Uses frames.

Physical

TCP/IP layers: read the question and look at 1-4 to see which model is meant.

4. Application: session, presentation, application

3. Transport: transport

2. Internet: network

1. Network access: physical and data link

IPv6: improves security, much larger address field, improved quality of service.

Internet: outside, untrusted network.

Intranet: internal network, trusted network.

Extranet: outside, semi-trusted, DMZ.

Screened subnet host:
Interface 1 is the public interface and connects to the Internet.
Interface 2 connects to a DMZ (demilitarized zone) to which hosted public services are attached.
Interface 3 connects to an intranet for access to and from internal networks.

Need to know from email:

common esl
BCP/DRP
SAML
elliptic curve
IPsec
TCP/IP vs OSI mapping
MAC vs DAC
HTML5
7 types of controls
RTO vs RPO
ISO 27000-2
if you don't need it, don't collect it
RAID
reference model

ISO 27000: overview and vocabulary
ISO 27000-1: ISMS (information security management system); plan-do-check cycle
ISO 27000-2: code of practice; best practices: crypto, physical security
ISO 27000-3: implement the ISMS
ISO 27000-4: metrics to measure the ISMS
ISO 27000-5: risk management
ISO 27000-6: certification and accreditation
ISO 27000-7: auditing

IPsec

SA: security association
SPI: security parameter index
IKE: key exchange
ISAKMP: key management

ESP: encapsulating security payload
AH: authentication header

WAP gap: WPA2 traffic is in plain text before it hits the tunnel.

With end-to-end encryption you can't do deep packet inspection.
Link encryption can do deep packet inspection.

WAP gap: in plain text from the access point to the switch/router.

Certification: does what it says it does.
Accreditation: does what we need it to do; comes after certification.

Project management: triple constraint: time, cost, scope.

Conduct risk management throughout the software development life cycle.

CMM: capability maturity model for software.
Phases:

1. Ad hoc
2. Standard process
3. Engineer the process and document it
4. Metrics to measure and improve the product
5. Continuous improvement culture

 
