top of page

How Brandon Cracked His CISSP Exam

I just passed my cissp today. I have some notes from my boot Camp I will pass along when I get home… Know crypto very well. A lot about BCP and risk management.



Protect life is our 1 duty

Sr. Management is ultimately responsible for security

Security supports the business not the other way around

everything we do has to come from policy

Sr. management is the only one that can accept risk

you can only transfer financial risk

training and awareness are mandatory

vpn computer regardless of where it sits is part of trusted network

paper is a media

patterns are bad

Never spend more on a control than what the access is worth

Day one:

Security and risk management:

Risk- pain and likelihood of action happening to you.




policy should be only be 2 pages long and express management wishes policy should be vague not confusing

standards- bulleted list procedure- number list baseline – min security standard for each device guide lines – not mandatory – helps with doing new projects

budget dictates: staff numbers, level of security protection req. , task to be performed, regulations to be met, staff qualification level , training required, degree of metrics tracking.

Metrics- measurements can be collected to provide information on the long term trends and illustrate day to day workload – have to quantifiable

NEED TO KNOW! Only the access to what you NEED TO KNOW

We are accountable for ensuring the protections of all the business information assets from intentional and unintentional loss, disclosure, alteration, destruction and unavailability

governance- policy, standard, baseline (Due Diligence) Compliance- rules (due care)

due diligence is prep for due care – example writing down the rules .

Due care is the the act of compliance

assurance is due diligence

Compliance does not mean you are security

pci – payment card industry – not a regulation- is a contract law.

Computer crimes: computer is Incidental to the crime computer assessed to crime computer is required

intellectual property: patent- protect novel ideas , 20 years from date of application copyright- good for 70 years after death of author- works of art or research trademark laws- symbols that represent the good will of a company trade secrets – example are coke cola recipe. Something you dont want to patent or copyright.

You must expend effort to protect them.

knowing when it has been stolen or tampered with.

The wassenaar arrangement contributes to regional and international security sand stability promotes transparency and greater prevents destabilizing accumulation

Privacy- the rights and obligations of individuals and organizations with respect to the collection, use, retention, and disclosure of personal information.

event- measurable or observable

incident- measurable or observable that is bad

breach- incident that disclosure data


1 protect society 2 act honorably 3 protect principals 4 protect professional

Business continuity

develop and document project scope and plan

first step in building the BC program is project initiation and management

1. obtain Sr management support to forward the projects 2. define a project scope objectives to be achieved and planning assumptions 3. estimate project resources needed to e successful both human and financial resources 4. define time line and major project deliverables.

Business impact analysis

steps 1. understanding your business 2. analyze the information – identify the impact in time of loss or interruption quantitative analysis- examples : financial loss – extra expenses – regulatory issue qualitative analysis – example- damage to reputation 3. determine Maximum tolerable downtime and other criteria -MTD recovery time objective- RTO – (RTO<MTD) best practice RTO should be Half MTD recovery point objective – how much data are you willing to lose 4. evaluate resource requirements

Employment candidate screening

job descriptions reference checks background investigations education, licensing, certification verification

need to know and job description go hand and hand

segregation of duties – catch errors separation of duties – catch fraud one individual should not have the capability to execute all steps of a particular process forces collusion In order to commit fraud failure to separate duties could result in individuals embezzling money from the company without the involvement of the others

Job Rotation- reduce risk of fraud

need to know least privilege just the amount needed to preform the job

mandatory vacations irregularities may surface through Terminations voluntary- involuntary- Third party controls vendor, consultant, contractors Privacy all individual have a reasonable expectation of privacy communication about organization privacy policies is key to ensuring and acceptance of waiver of reasonable expectation of privacy

Risk Management concept

Threats- threat agent – actor using threat to attack a vulnerability Vulnerability- weakness countermeasure- mitigated risk impact- result of attack likelihood- residual risk- risk leftover after countermeasure

COSO – fraud ITIL- it dept. as a service organization COBIT- auditors – controls ISO27000- overview and vocabulary iso27002- best practice





encoding doesnt protect confidentiality – not encrypted

kirkofs law – published algorithms – much stronger published algorithms –

core ingredients 1 substitution – changed values

2 transposition or permutation- moves values

3. exclusive or – 1100 if different its a 1 or if same its a 0 1010 –————- 0110

out of band – cant send key the same time of message

one time pad- key has to be at least as long as plain text. Can only use it once. Considered unbreakable because have no pattern in the key.

Send key with massage encrypted asymmetric

symmetric key is – session , shared , secret. – it can not be a private key-

higher the key the stronger the encryption in this class

initialization vector introduce randomness

Cipher mode Int. vector Process Errors Message size block Ecb (electronic code book) No Parallel Contained Very short yes Cbc (cipher block chaining) Yes Serial Contained Short yes Cfb (cipher feedback) Yes Serial Contained Medium Head start Ofb (output feedback) Yes Serial/parallel Cascade Long if stable both Counter mode No Parallel Contained Long Yes

Stream is more hardware, block is more software.

Private key is more secure than secret key in symmetric

asymmetric provides non repudiation

asymmetric is much slower than symmetric.

Encrypt keys or hashes

asymmetric is very scalable –

RSA – public key semi prime and private key is super prime

HASH: provides a fingerprint of a text- uniquely identifies –

hashes are for integrity

encrypted with private key is called signing not digital signing

encrypt a hash with private key is digital signing – integrity and non repudiation

cryptanalyst- 305 pg

cipher-text only

known plain text

chosen plaintext – gardening

chosen ciphertext

known cipher-text

Data owner is the person that assigns rights

data custodian- makes sure the wishes of data owner are accomplished-

information owner- provides subject matter expert


ports to know

25 -smtp 80- http 443- ssl tls

all people seem to need data processing

application – dns , http, ldap, smtp, dhcp – network application not programs like word or excel.

presentation- translation – ascii and ebcdic- compression and decompression – encryption unless happens some where else.

session- pap- pptc-rpc- is where I build tunnels –

transport – tcp- error correction and udp- broadcast – assign port address 16bit

network – logical addressing ip addressing ipv4 32bit and ipv6 128bit– routers, gateways – packets- Open shortest path first (ospf) – igmp- ipsec- distance vector multi cast routing protocol

data link – addressing in MAC addressing – switches and bridges – use frames


TCP/IP layers – read question and look at 1-4 which model

4 application- session, presentation, application

3 Transportation – transport

2 Internet- network

1 Network Access- physical and data link

ipv6 – improves security , much larger address field, improved quality of service

internet- internet outside untrusted network

intranet- internal network – trusted network

extranet – outside semi-trusted – dmz

screen subnet host- Interface 1 is the public interface and connects to the Internet. Interface 2 connects to a DMZ (demilitarized zone) to which hosted public services are attached. Interface 3 connects to an intranet for access to and from internal networks.

Need to know from email:

common esl bcpdrp saml elliptical curve ipsec tcpip vs osi mapping mac vs dac html5 7 types of controls rto vs rpo iso27000-2 if you dont need it dont collect it raid reference model

iso 27000 – overview and vocabulary iso 27000-1- isms- information security management system- plan do check circle iso 27000-2- code of practice – best practices – crypto, physical security iso 27000-3- implement isms- iso 27000-4- metrics measure isms iso 27000-5 risk management iso 27000-6 certification and accreditation iso 27000-7 auditing


SA = security association – SPI= security perimeter index IKE- key exchange ISAKMP= key management

ESP- encapsulating security payload AH- authentication header

wap gap- wpa2 in plain text before it hits tunnel

end to end you cant do deep packet inspection link encryption can do deep packet inspection

wap-gap- in plain text from access point to switch/router

certification – does what it says it does accreditation – does what we need it to. – after certification

project management- triple restraint – time -cost -scope

conduct risk management throughout the Software development life cycle-

CMM- capability maturity models for software phases

1 – adhoc 2- standard process 3- engineer the process and document 4- metrics to measure to improve product 5- continuous improvement culture


bottom of page