I just passed my cissp today. I have some notes from my boot Camp I will pass along when I get home… Know crypto very well. A lot about BCP and risk management.
CISSP
READ SLOW ! READ TWICE!
Protect life is our 1 duty
Sr. Management is ultimately responsible for security
Security supports the business not the other way around
everything we do has to come from policy
Sr. management is the only one that can accept risk
you can only transfer financial risk
training and awareness are mandatory
vpn computer regardless of where it sits is part of trusted network
paper is a media
patterns are bad
Never spend more on a control than what the access is worth
Day one:
Security and risk management:
Risk- pain and likelihood of action happening to you.
C.I.A: CONFIDENTIALITY – LEAST PRIVILEGE, NEED TO KNOW, ACCESS CONTROLS
INTEGRITY – CHECKSUMS, HASHES, DIGITAL SIGNATURES, PARITY BITS, SEPARATION OF DUTIES, DUAL CONTROLS
AVAILABILITY- BACKUPS, SUCCESSION PLANNING
policy should be only be 2 pages long and express management wishes policy should be vague not confusing
standards- bulleted list procedure- number list baseline – min security standard for each device guide lines – not mandatory – helps with doing new projects
budget dictates: staff numbers, level of security protection req. , task to be performed, regulations to be met, staff qualification level , training required, degree of metrics tracking.
Metrics- measurements can be collected to provide information on the long term trends and illustrate day to day workload – have to quantifiable
NEED TO KNOW! Only the access to what you NEED TO KNOW
We are accountable for ensuring the protections of all the business information assets from intentional and unintentional loss, disclosure, alteration, destruction and unavailability
governance- policy, standard, baseline (Due Diligence) Compliance- rules (due care)
due diligence is prep for due care – example writing down the rules .
Due care is the the act of compliance
assurance is due diligence
Compliance does not mean you are security
pci – payment card industry – not a regulation- is a contract law.
Computer crimes: computer is Incidental to the crime computer assessed to crime computer is required
intellectual property: patent- protect novel ideas , 20 years from date of application copyright- good for 70 years after death of author- works of art or research trademark laws- symbols that represent the good will of a company trade secrets – example are coke cola recipe. Something you dont want to patent or copyright.
You must expend effort to protect them.
knowing when it has been stolen or tampered with.
The wassenaar arrangement contributes to regional and international security sand stability promotes transparency and greater prevents destabilizing accumulation
Privacy- the rights and obligations of individuals and organizations with respect to the collection, use, retention, and disclosure of personal information.
event- measurable or observable
incident- measurable or observable that is bad
breach- incident that disclosure data
ethics
1 protect society 2 act honorably 3 protect principals 4 protect professional
Business continuity
develop and document project scope and plan
first step in building the BC program is project initiation and management
1. obtain Sr management support to forward the projects 2. define a project scope objectives to be achieved and planning assumptions 3. estimate project resources needed to e successful both human and financial resources 4. define time line and major project deliverables.
Business impact analysis
steps 1. understanding your business 2. analyze the information – identify the impact in time of loss or interruption quantitative analysis- examples : financial loss – extra expenses – regulatory issue qualitative analysis – example- damage to reputation 3. determine Maximum tolerable downtime and other criteria -MTD recovery time objective- RTO – (RTO<MTD) best practice RTO should be Half MTD recovery point objective – how much data are you willing to lose 4. evaluate resource requirements
Employment candidate screening
job descriptions reference checks background investigations education, licensing, certification verification
need to know and job description go hand and hand
segregation of duties – catch errors separation of duties – catch fraud one individual should not have the capability to execute all steps of a particular process forces collusion In order to commit fraud failure to separate duties could result in individuals embezzling money from the company without the involvement of the others
Job Rotation- reduce risk of fraud
need to know least privilege just the amount needed to preform the job
mandatory vacations irregularities may surface through Terminations voluntary- involuntary- Third party controls vendor, consultant, contractors Privacy all individual have a reasonable expectation of privacy communication about organization privacy policies is key to ensuring and acceptance of waiver of reasonable expectation of privacy
Risk Management concept
Threats- threat agent – actor using threat to attack a vulnerability Vulnerability- weakness countermeasure- mitigated risk impact- result of attack likelihood- residual risk- risk leftover after countermeasure
COSO – fraud ITIL- it dept. as a service organization COBIT- auditors – controls ISO27000- overview and vocabulary iso27002- best practice
ALE= ARO X SLE —- beer = arosle PROBABILITY X IMPACT
countermeasure
accountability
Crypto-
encoding doesnt protect confidentiality – not encrypted
kirkofs law – published algorithms – much stronger published algorithms –
core ingredients 1 substitution – changed values
2 transposition or permutation- moves values
3. exclusive or – 1100 if different its a 1 or if same its a 0 1010 –————- 0110
out of band – cant send key the same time of message
one time pad- key has to be at least as long as plain text. Can only use it once. Considered unbreakable because have no pattern in the key.
Send key with massage encrypted asymmetric
symmetric key is – session , shared , secret. – it can not be a private key-
higher the key the stronger the encryption in this class
initialization vector introduce randomness
Cipher mode Int. vector Process Errors Message size block Ecb (electronic code book) No Parallel Contained Very short yes Cbc (cipher block chaining) Yes Serial Contained Short yes Cfb (cipher feedback) Yes Serial Contained Medium Head start Ofb (output feedback) Yes Serial/parallel Cascade Long if stable both Counter mode No Parallel Contained Long Yes
Stream is more hardware, block is more software.
Private key is more secure than secret key in symmetric
asymmetric provides non repudiation
asymmetric is much slower than symmetric.
Encrypt keys or hashes
asymmetric is very scalable –
RSA – public key semi prime and private key is super prime
HASH: provides a fingerprint of a text- uniquely identifies –
hashes are for integrity
encrypted with private key is called signing not digital signing
encrypt a hash with private key is digital signing – integrity and non repudiation
cryptanalyst- 305 pg
cipher-text only
known plain text
chosen plaintext – gardening
chosen ciphertext
known cipher-text
Data owner is the person that assigns rights
data custodian- makes sure the wishes of data owner are accomplished-
information owner- provides subject matter expert
categorization
ports to know
25 -smtp 80- http 443- ssl tls
all people seem to need data processing
application – dns , http, ldap, smtp, dhcp – network application not programs like word or excel.
presentation- translation – ascii and ebcdic- compression and decompression – encryption unless happens some where else.
session- pap- pptc-rpc- is where I build tunnels –
transport – tcp- error correction and udp- broadcast – assign port address 16bit
network – logical addressing ip addressing ipv4 32bit and ipv6 128bit– routers, gateways – packets- Open shortest path first (ospf) – igmp- ipsec- distance vector multi cast routing protocol
data link – addressing in MAC addressing – switches and bridges – use frames
physical
TCP/IP layers – read question and look at 1-4 which model
4 application- session, presentation, application
3 Transportation – transport
2 Internet- network
1 Network Access- physical and data link
ipv6 – improves security , much larger address field, improved quality of service
internet- internet outside untrusted network
intranet- internal network – trusted network
extranet – outside semi-trusted – dmz
screen subnet host- Interface 1 is the public interface and connects to the Internet. Interface 2 connects to a DMZ (demilitarized zone) to which hosted public services are attached. Interface 3 connects to an intranet for access to and from internal networks.
Need to know from email:
common esl bcpdrp saml elliptical curve ipsec tcpip vs osi mapping mac vs dac html5 7 types of controls rto vs rpo iso27000-2 if you dont need it dont collect it raid reference model
iso 27000 – overview and vocabulary iso 27000-1- isms- information security management system- plan do check circle iso 27000-2- code of practice – best practices – crypto, physical security iso 27000-3- implement isms- iso 27000-4- metrics measure isms iso 27000-5 risk management iso 27000-6 certification and accreditation iso 27000-7 auditing
ipsec
SA = security association – SPI= security perimeter index IKE- key exchange ISAKMP= key management
ESP- encapsulating security payload AH- authentication header
wap gap- wpa2 in plain text before it hits tunnel
end to end you cant do deep packet inspection link encryption can do deep packet inspection
wap-gap- in plain text from access point to switch/router
certification – does what it says it does accreditation – does what we need it to. – after certification
project management- triple restraint – time -cost -scope
conduct risk management throughout the Software development life cycle-
CMM- capability maturity models for software phases
1 – adhoc 2- standard process 3- engineer the process and document 4- metrics to measure to improve product 5- continuous improvement culture